Release notes

Changelog

Every meaningful change to BadassHOA, dated and categorized.

May 2026

Security May 10, 2026

Per-board-member opt-in for the public landing

Board members are no longer auto-listed on /{slug}/ — they have to explicitly opt in via /dashboard/directory.php (Edit member → "Show in Meet your board"). Default is off. Migration 011 added show_on_public_landing to users; existing rows default to 0 so nobody is exposed without consent.

Security May 10, 2026

Super admins can reset any user's password

The user edit form on /admin/users.php now has a Change Password section. Set a new password directly (it is stored as a bcrypt hash), or click Generate Random for a 14-char password from a non-ambiguous charset (no I/l/O/0). Saving invalidates any outstanding password-reset tokens for that user. The action is audit-logged separately as user.password_changed_admin.

Security May 9, 2026

Password reset flow + change-password card

Added /forgot.php and /reset.php. Reset tokens are stored as SHA-256 hashes, expire after 1 hour, and are single-use; responses use anti-enumeration messaging. Also added a "Change your password" card on /dashboard/settings.php for already-logged-in users. Outstanding password reset tokens are invalidated when the user changes their password.
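The token lifecycle described in this entry, sketched as an added example; it is not BadassHOA's code. The table, column and function names, the in-memory SQLite database and the reply wording are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example; table, column and function names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
$db->exec('CREATE TABLE password_resets (token_hash TEXT PRIMARY KEY, user_id INTEGER, expires_at INTEGER, used_at INTEGER)');
const RESET_TTL = 3600; // 1-hour TTL, as in the release note
const GENERIC_REPLY = 'If that address has an account, a reset link is on its way.';

// Returns [reply shown to the requester, raw token to e-mail or null].
function requestReset(PDO $db, string $email, int $now): array {
    $q = $db->prepare('SELECT id FROM users WHERE email = ?');
    $q->execute([$email]);
    $userId = $q->fetchColumn();
    $token = null;
    if ($userId !== false) {
        $token = bin2hex(random_bytes(32)); // raw token goes only into the e-mail
        $db->prepare('INSERT INTO password_resets VALUES (?, ?, ?, NULL)')
           ->execute([hash('sha256', $token), $userId, $now + RESET_TTL]);
    }
    return [GENERIC_REPLY, $token]; // identical reply whether or not the account exists
}

function redeemReset(PDO $db, string $token, string $newPassword, int $now): bool {
    $hash = hash('sha256', $token); // only the hash is ever stored or compared
    $db->beginTransaction();
    // Atomic claim: matches at most once, and only before expiry.
    $claim = $db->prepare('UPDATE password_resets SET used_at = ?
        WHERE token_hash = ? AND used_at IS NULL AND expires_at > ?');
    $claim->execute([$now, $hash, $now]);
    if ($claim->rowCount() !== 1) { $db->rollBack(); return false; }
    $q = $db->prepare('SELECT user_id FROM password_resets WHERE token_hash = ?');
    $q->execute([$hash]);
    $userId = (int) $q->fetchColumn();
    $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?')
       ->execute([password_hash($newPassword, PASSWORD_BCRYPT), $userId]);
    // A password change invalidates every other outstanding token for the user.
    $db->prepare('UPDATE password_resets SET used_at = ? WHERE user_id = ? AND used_at IS NULL')
       ->execute([$now, $userId]);
    $db->commit();
    return true;
}

// Constructed demo data: one account, two reset requests, one unknown address.
$db->exec("INSERT INTO users (email, password_hash) VALUES ('resident@example.test', 'x')");
[, $t1] = requestReset($db, 'resident@example.test', 1000);
[, $t2] = requestReset($db, 'resident@example.test', 1001);
var_dump(requestReset($db, 'nobody@example.test', 1002)); // generic reply, no token issued
// First use of $t1, a replay of $t1, then the sibling token $t2.
foreach ([$t1, $t1, $t2] as $t) { var_dump(redeemReset($db, $t, 'n3w-passphrase', 1500)); }
```

Claiming the token with a single conditional UPDATE, rather than a SELECT followed by an UPDATE, is what keeps two concurrent requests from both redeeming the same token.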