This PR introduces a dedicated RESET_PASSWORD capability to the USERS resource
in FGAP v2 (Fine-Grained Admin Permissions), enabling precise control over
password reset operations.

Key changes:

• Added RESET_PASSWORD scope to AdminPermissionsSchema for USERS.
• Extended UserPermissionEvaluator and UserPermissions to expose canResetPassword()
  and requireResetPassword().
• Implemented full FGAP v2 evaluation for RESET_PASSWORD in UserPermissionsV2:
  • Deny-overrides decision model.
  • Secure-by-default behavior when policies exist.
  • Optional fallback to legacy MANAGE_USERS via fgap.v2.resetPassword.fallbackToManageUsers (default=false).
• Updated UserResource.resetPassword() to require RESET_PASSWORD instead of MANAGE_USERS.
• getAccess(user) now includes resetPassword flag for UI control.
• Preserved self-service password change (caller == target user) without FGAP checks.
• Added utility to detect policies referencing RESET_PASSWORD scope.
• Enhanced auditing/logging for allow/deny decisions.

Behavior changes:

• When FGAP v2 is enabled and a RESET_PASSWORD policy exists, MANAGE_USERS alone
  no longer grants password reset rights.
• Explicit DENY policies always override ALLOW.
• Self-service flows remain unaffected.
• When no RESET_PASSWORD policies are present:
  • fallback=false → deny by default.
  • fallback=true → allow if MANAGE_USERS is granted.

Includes:

• Configuration key: fgap.v2.resetPassword.fallbackToManageUsers (bool, default=false).
• Unit and integration tests covering all decision paths.
• Admin Console support via access.resetPassword flag (hides Reset Password button when false).
• Migration hook to optionally create a default DENY policy for RESET_PASSWORD upon FGAP v2 enablement.

This change strengthens password reset governance by ensuring
policy-based control and removing implicit MANAGE_USERS inheritance
when fine-grained permissions are in effect.