Browse source code

docs: design public password reset route

hr~ 3 weeks ago
parent
commit
e317c72488

+ 50 - 0
docs/superpowers/specs/2026-05-26-poyee-app-password-reset-public-route-design.md

@@ -0,0 +1,50 @@
+# Poyee App Password Reset Public Route Design
+
+## Goal
+
+Permit unauthenticated requests to the password reset endpoint on the DEV
+`dev.ahxpm.com` ingress route:
+
+`/py-app/api/account/password/reset`
+
+All other account API requests remain subject to the existing OIDC middleware.
+
+## Current Routing
+
+The manifest `k3s-INFRA/DEV/traefik-rules/poyee-app/IngressRoute.yaml` defines:
+
+- A public route with `poyee-app-v2-strip` and `poyee-app-cors-header`.
+- A fallback `/py-app/` route that also invokes `ahx-oidc.authn-app`.
+
+The Jenkins deployment configuration identifies these `k3s-INFRA/DEV/traefik-rules`
+manifests as the route source applied to the `ahxpm` namespace.
+
+## Design
+
+Append the following exact path matcher to the existing public route's OR
+expression:
+
+```text
+Path(`/py-app/api/account/password/reset`)
+```
+
+The endpoint will retain the existing strip-prefix and CORS behavior while it
+will no longer reach `ahx-oidc.authn-app`. Exact matching deliberately excludes
+other `/py-app/api/account/` endpoints from public access.
+
+## Alternatives Considered
+
+1. Add the exact matcher to the existing public route. This is recommended
+   because it is minimal and reuses the established public-route middleware.
+2. Add a separate public route for password reset. This is behaviorally valid
+   but duplicates the same service and middleware configuration.
+3. Add an account-level `PathPrefix` public matcher. This is rejected because
+   it would remove authentication from endpoints outside password reset.
+
+## Validation
+
+After editing the local manifest:
+
+- Review the diff to ensure only the exact password reset path was added.
+- Parse the YAML locally to detect formatting or syntax errors.
+- Do not apply or deploy the manifest without separate explicit authorization.
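Review bot: The Design section drops `ahx-oidc.authn-app` from the reset path but leaves only `poyee-app-v2-strip` and `poyee-app-cors-header` on it, so the document should state which abuse controls cover the now-unauthenticated endpoint, for example a Traefik `rateLimit` middleware on the public route, and confirm that the application's reset handler does not reveal whether an account exists. Two smaller points: the design should say how the public route takes precedence over the `/py-app/` fallback (an explicit `priority`, or reliance on Traefik's default ordering by rule length), since that ordering is what keeps the request away from the OIDC middleware; and Path(...) matches every HTTP method, so if the endpoint only needs POST the matcher could be Path(`/py-app/api/account/password/reset`) && Method(`POST`). The Validation list could then add a dry check that a request to the exact path without a session reaches the service while a sibling `/py-app/api/account/` path still gets the OIDC redirect.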