Implement PATCH /api/user endpoint (P1.1)

Add profile update functionality with validation for:
- cycleLength: number, range 21-45 days
- notificationTime: string, HH:MM format (24-hour)
- timezone: non-empty string

Security: Ignores attempts to update non-updatable fields (email, tokens).
Returns updated user profile excluding sensitive fields.

17 tests covering validation, persistence, and security scenarios.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-10 19:14:12 +00:00
parent e4d123704d
commit 18c34916ca
3 changed files with 422 additions and 11 deletions


@@ -26,7 +26,7 @@ This file is maintained by Ralph. Run `./ralph-sandbox.sh plan 3` to generate ta
| Route | Status | Notes |
|-------|--------|-------|
| GET /api/user | **COMPLETE** | Returns user profile with `withAuth()` |
| PATCH /api/user | 501 | Returns Not Implemented |
| PATCH /api/user | **COMPLETE** | Updates cycleLength, notificationTime, timezone (17 tests) |
| POST /api/cycle/period | **COMPLETE** | Logs period start, updates user, creates PeriodLog (8 tests) |
| GET /api/cycle/current | **COMPLETE** | Returns cycle day, phase, config, daysUntilNextPhase (10 tests) |
| GET /api/today | **COMPLETE** | Returns decision, cycle, biometrics, nutrition (22 tests) |
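Review bot: The new PATCH /api/user row in the route table does not say whether the handler runs under `withAuth()`, while the GET /api/user row directly above it does. This is the route that writes to the user record, so the Notes column should state the auth wrapper as well, for example "Updates cycleLength, notificationTime, timezone with `withAuth()` (17 tests)".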
@@ -70,7 +70,7 @@ This file is maintained by Ralph. Run `./ralph-sandbox.sh plan 3` to generate ta
| `src/lib/pocketbase.test.ts` | **EXISTS** - 9 tests (auth helpers, cookie loading) |
| `src/lib/auth-middleware.test.ts` | **EXISTS** - 6 tests (withAuth wrapper, error handling) |
| `src/middleware.test.ts` | **EXISTS** - 12 tests (page protection, public routes, static assets) |
| `src/app/api/user/route.test.ts` | **EXISTS** - 4 tests (GET profile, auth, sensitive field exclusion) |
| `src/app/api/user/route.test.ts` | **EXISTS** - 21 tests (GET/PATCH profile, auth, validation, security) |
| `src/app/api/cycle/period/route.test.ts` | **EXISTS** - 8 tests (POST period, auth, validation, date checks) |
| `src/app/api/cycle/current/route.test.ts` | **EXISTS** - 10 tests (GET current cycle, auth, all phases, rollover, custom lengths) |
| `src/app/api/today/route.test.ts` | **EXISTS** - 22 tests (daily snapshot, auth, decision, overrides, phases, nutrition, biometrics) |
@@ -149,12 +149,17 @@ These must be completed first - nothing else works without them.
Minimum viable product - app can be used for daily decisions.
### P1.1: PATCH /api/user Implementation
- [ ] Allow profile updates (cycleLength, notificationTime, timezone)
### P1.1: PATCH /api/user Implementation ✅ COMPLETE
- [x] Allow profile updates (cycleLength, notificationTime, timezone)
- **Files:**
- `src/app/api/user/route.ts` - Implement PATCH handler with validation
- `src/app/api/user/route.ts` - Implemented PATCH handler with validation
- **Tests:**
- `src/app/api/user/route.test.ts` - Test field validation, persistence
- `src/app/api/user/route.test.ts` - 17 tests covering field validation, persistence, security
- **Validation Rules:**
- `cycleLength`: number, range 21-45 days
- `notificationTime`: string, HH:MM format (24-hour)
- `timezone`: non-empty string
- **Security:** Ignores attempts to update non-updatable fields (email, tokens)
- **Why:** Users need to configure their cycle and preferences
- **Depends On:** P0.1, P0.2
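Review bot: In the Validation Rules list, "`timezone`: non-empty string" accepts any text, so a value that is not a real zone identifier would pass validation and be persisted. Consider requiring a valid IANA zone name (one option is to construct `Intl.DateTimeFormat` with the value as `timeZone` and reject on `RangeError`) and document that rule here. Two smaller points in the same list: "`cycleLength`: number, range 21-45 days" does not say whether fractional values such as 28.5 are rejected, so state "integer" if that is the intent; and the Security line names email and tokens as ignored fields, which reads like a blocklist. It would be clearer to say that only the three listed fields are accepted and everything else in the body is dropped, and to note whether a request containing such fields still returns success.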
@@ -495,6 +500,7 @@ P2.14 Mini calendar
### API Routes
- [x] **GET /api/user** - Returns authenticated user profile, 4 tests (P0.4)
- [x] **PATCH /api/user** - Updates user profile (cycleLength, notificationTime, timezone), 17 tests (P1.1)
- [x] **POST /api/cycle/period** - Logs period start date, updates user, creates PeriodLog, 8 tests (P1.2)
- [x] **GET /api/cycle/current** - Returns cycle day, phase, phaseConfig, daysUntilNextPhase, cycleLength, 10 tests (P1.3)
- [x] **GET /api/today** - Returns complete daily snapshot with decision, biometrics, nutrition, 22 tests (P1.4)