story-email-password-login-organization-administrator-004
Story Points: 3
Priority: High
Feature: Email & Password Login

User Story

As a user
I want to open the password reset link from my email and set a new password in the app
So that I can complete the password reset flow and log in with my new credentials

Acceptance Criteria

  • Given a valid reset deep-link is opened, when the app handles the URI, then the new-password form is displayed with password and confirm-password fields
  • Given the new-password form, when the user enters matching passwords that meet minimum strength requirements and submits, then the password is updated and a success confirmation is shown
  • Given the success confirmation, when 3 seconds elapse or the user taps 'Back to login', then they are navigated to the Login Screen
  • Given the user enters non-matching passwords, when they submit the form, then an inline error 'Passwords do not match' is shown and no API call is made
  • Given an expired or already-used reset token, when the app processes the deep-link, then an expiry error is shown with a button to request a new reset email
  • Given the new-password form, when a screen reader is active, then both password fields have descriptive labels including password strength requirements

Business Value

Completing the end-to-end password reset loop is required for the self-service reset flow to have any value. Without deep-link handling and the new-password form, users who request a reset email are left unable to complete the process, creating a broken experience that forces manual coordinator or admin intervention. Expiry handling with clear guidance prevents silent failures where users try a reset link hours later and receive no actionable feedback, which is a common source of confusion for less digitally fluent users.