feat: Add user management and self-service password change

[marevol]

Summary

Add admin-only user management (CRUD, activate/deactivate, password reset) and self-service password change for all authenticated users, with full frontend UI and i18n support.

Changes Made

Backend (11 files)

• UserViewSet — Full CRUD with per-action permissions: IsAdminUser for management, IsAuthenticated for self-service password change
• DenyApiKeyAccess permission — Unconditionally blocks API key auth on user management endpoints (API keys with read/write scopes cannot access these endpoints)
• Service layer (user_service.py) — Business logic for create, activate, deactivate, and password reset
• Serializers (serializers/user.py) — 5 serializers for list, create, update, admin password reset, and self password change with Django password validation
• Admin resource visibility — OwnedResourceMixin / CreatedByResourceMixin bypass for is_staff users, allowing admins to view all projects and resources
• is_staff on auth endpoint — Exposed on /auth/user/ so frontend can determine admin status

Frontend (8 files)

• UserManagementPage — DataTable with create user dialog, deactivate confirmation, and password reset dialog (admin only)
• PasswordChangePage — Self-service password change with old/new/confirm validation (all users)
• Async router guard — Fetches user profile before checking requiresAdmin meta, preventing redirect on page reload
• Admin sidebar section — Conditionally shown for is_staff users
• i18n — English and Japanese translations for all user management strings

Tests (1 file, 14 cases)

• User list permissions (admin, regular, anonymous)
• User create permissions
• Deactivate/activate lifecycle (including self-deactivation guard)
• Admin password reset
• Self-service password change (valid + wrong old password)
• API key blocking (with realistic read/write scopes)
• Admin project visibility

Testing

# Backend tests — all 14 pass
cd backend && uv run pytest recotem/tests/test_user_management.py -v

# Linting — clean
ruff check backend/
ruff format --check backend/

Breaking Changes

None — additive changes only. Existing endpoints and behavior are unchanged.

Additional Notes

• No database migration needed — uses existing Django User model fields (is_staff, is_active, date_joined, last_login)
• pagination_class = None on UserViewSet since this is an admin-only endpoint with limited users
• DELETE method excluded from UserViewSet; deactivation (is_active=False) is used instead of hard delete