Ensure client-secret reset submits as POST for non-admin client owners #964

Open
Copilot wants to merge 3 commits into main from copilot/fix-reset-client-secret-issue
Copilot AI commented Jun 6, 2026

Contributor

Non-admin users could trigger “Reset client secret” from the UI, but the request path could degrade into a non-POST flow and hit a 405 Method Not Allowed on /clients/{id}/reset. As a result, secrets were not rotated and old credentials remained valid.

  • Reset form hardening (server-rendered template)

    • Updated the client details reset form to include explicit HTML form semantics (action + method="post") in addition to htmx attributes.
    • This preserves correct behavior for owner flows (/my-clients → client details) and guarantees the reset endpoint receives POST requests.
  • Coverage for non-admin owner flow

    • Added an e2e scenario for a regular user creating a personal client, resetting its secret, and asserting:
      • request method is POST to /clients/{uid}/reset
      • returned secret is newly rotated (different from prior secret)

```html
<form
  th:data-hx-post="|/clients/${client.clientUid()}/reset|"
  th:action="|/clients/${client.clientUid()}/reset|"
  th:method="post"
  data-hx-target="body">
  <div th:replace="~{common/form-csrf}"></div>
  <button class="outline contrast" data-loading-disable>Reset client secret</button>
</form>
```
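
A template check for the failure mode this PR describes, as an added example that is not part of the pull request or the project's code: it flags forms that carry an htmx POST attribute but whose native submission would fall back to GET (the HTML default when `method` is missing or unrecognised) or would target a different URL. The function names and the `HTMX_ONLY` sample are constructed for illustration; the page does not show the pre-fix template.

```javascript
// Added example: lint server-rendered templates for htmx POST forms whose
// native (non-htmx) submission would not be a POST to the same URL.
const HX_POST = ["hx-post", "data-hx-post", "th:hx-post", "th:data-hx-post"];

// Parse name="value" pairs out of a <form ...> opening tag.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  for (const m of tag.matchAll(re)) attrs[m[1].toLowerCase()] = m[2] ?? m[3];
  return attrs;
}

// Thymeleaf's th:x replaces plain x at render time, so prefer it when present.
const pick = (attrs, name) => attrs["th:" + name] ?? attrs[name];

// HTML form submission: a missing or unrecognised method means GET.
function nativeMethod(attrs) {
  const m = (pick(attrs, "method") || "").trim().toLowerCase();
  return m === "post" || m === "dialog" ? m : "get";
}

function lintForms(template) {
  const findings = [];
  for (const m of template.matchAll(/<form\b[^>]*>/gi)) {
    const attrs = parseAttrs(m[0]);
    const hxKey = HX_POST.find((k) => k in attrs);
    if (!hxKey) continue; // not an htmx POST form
    const hxUrl = attrs[hxKey];
    const method = nativeMethod(attrs);
    if (method !== "post") {
      findings.push({ hxUrl, problem: `native fallback submits ${method.toUpperCase()}` });
    } else if (pick(attrs, "action") !== hxUrl) {
      findings.push({ hxUrl, problem: "action does not match htmx POST URL" });
    }
  }
  return findings;
}

// Constructed sample: htmx attribute only, no action/method.
const HTMX_ONLY =
  '<form th:data-hx-post="|/clients/${client.clientUid()}/reset|" data-hx-target="body">';
// The form tag from the PR description above.
const HARDENED =
  '<form th:data-hx-post="|/clients/${client.clientUid()}/reset|" ' +
  'th:action="|/clients/${client.clientUid()}/reset|" th:method="post" data-hx-target="body">';

console.log(lintForms(HTMX_ONLY), lintForms(HARDENED));
```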

Copilot AI linked an issue Jun 6, 2026 that may be closed by this pull request
Copilot AI changed the title from "[WIP] Fix reset client secret error for non-admin users" to "Ensure client-secret reset submits as POST for non-admin client owners" Jun 6, 2026
Copilot AI requested a review from Portals June 6, 2026 18:14
@Portals Portals marked this pull request as ready for review June 6, 2026 18:37
Development

Successfully merging this pull request may close these issues.

Unable to reset client secret as non-admin user