security: reject common/weak passwords on every set-password path (#31)

Adds a synchronous policy check that blocks (1) the curated >=12-char
common-password list (rockyou top, predictable seasonal, admin defaults),
(2) trivial patterns (single-char repeat, short-pattern repeat, keyboard
or numeric sequences), and (3) passwords containing the user's email
local-part or any name component. Wired into all five password-mutation
sites: first-admin setup, admin createUser/setUserPassword, invite
acceptance, and password-reset.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

packages/api/src/router/user-procedure-support.ts

@@ -3,6 +3,7 @@ import {
   PASSWORD_MAX_LENGTH,
   PASSWORD_MIN_LENGTH,
   PASSWORD_POLICY_MESSAGE,
+  checkPasswordPolicy,
 } from "@capakraken/shared";
 import { PermissionOverrides, SystemRole, resolvePermissions } from "@capakraken/shared/types";
 import { TRPCError } from "@trpc/server";
@@ -121,6 +122,11 @@ export async function createUser(
     throw new TRPCError({ code: "CONFLICT", message: "User with this email already exists" });
   }
 
+  const policy = checkPasswordPolicy(input.password, { email: input.email, name: input.name });
+  if (!policy.ok) {
+    throw new TRPCError({ code: "BAD_REQUEST", message: policy.reason });
+  }
+
   const { hash } = await import("@node-rs/argon2");
   const passwordHash = await hash(input.password);
 
@@ -169,6 +175,11 @@ export async function setUserPassword(
     "User",
   );
 
+  const policy = checkPasswordPolicy(input.password, { email: user.email, name: user.name });
+  if (!policy.ok) {
+    throw new TRPCError({ code: "BAD_REQUEST", message: policy.reason });
+  }
+
   const { hash } = await import("@node-rs/argon2");
   const passwordHash = await hash(input.password);