v0.51.547 — Release TF (re-auth before disabling password auth)
Release v0.51.547 — Release TF (re-auth before disabling password authentication)
Ships #3581 (starship-s). Maintainer-approved (in-scope operator-hardening per the concept rubric; visual + product sign-off given). Security-boundary guard, gated authoritative.
Added
- Re-enter your current password before turning off or clearing password authentication. A "sudo-mode" re-auth on `POST /api/settings` (403 without the current password) for any change/clear/passwordless transition. First-time setup + env-var-locked instances unaffected. Adds an optional "I've reviewed this risk" acknowledgment that quiets the unauthenticated-instance nav warning. Guards against a hijacked/unattended session silently removing auth. Thanks @starship-s.
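
The re-auth guard described above, as an added example that is not the project's own code. The field names `current_password`, `new_password` and `password_hash`, the `env_locked` flag, and the PBKDF2 storage format are assumptions; the 403/409/200 outcomes and the constant-time comparison follow the release notes.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed storage format for this example: 16-byte salt + PBKDF2-SHA256 digest.
def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_password(password: str, stored: bytes) -> bool:
    candidate = hash_password(password, stored[:16])
    return hmac.compare_digest(candidate, stored)  # constant-time comparison

def apply_password_setting(settings: dict, payload: dict, env_locked: bool = False):
    """Single writer for settings['password_hash']; returns (status, message)."""
    if "new_password" not in payload:
        return 200, "no password change requested"
    if env_locked:
        # Password is pinned by the environment; the API cannot change it.
        return 409, "password is locked by environment variable"
    current_hash = settings.get("password_hash")  # read fresh on every request
    if current_hash is not None:
        # Sudo-mode: any change/clear needs the current password again.
        # First-time setup (no hash stored yet) skips this branch.
        supplied = payload.get("current_password") or ""
        if not verify_password(supplied, current_hash):
            return 403, "current password required"
    new_password = payload["new_password"]
    if new_password:
        settings["password_hash"] = hash_password(new_password)
        return 200, "password updated"
    settings["password_hash"] = None  # clear / passwordless transition
    return 200, "password authentication disabled"
```

Because every write to the hash goes through one function, a session cookie alone is not enough to remove authentication.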
Gate
- Full pytest suite: 9879 passed, 0 failed (incl. the new 286-line `test_auth_settings_safety.py` driving real 403/409/200)
- Codex: SAFE TO SHIP — single guarded password-hash writer, no bypass route, no fails-open
- Opus: SAFE — all three disable vectors covered (change/clear/passwordless), constant-time re-auth vs the current (cache-fresh) hash, correct skips (onboarding + env-lock 409), the acknowledgment flag is provably cosmetic, full DOM/i18n coverage, zero regression when auth off
- Visual sign-off: maintainer-approved (Settings → System auth panel + acknowledge-risk flow)