feat(sources): allow editing CalDAV sources

Closes #72. Today the source row supports test/sync/remove and
write-back-calendar selection but not editing the connection itself.
Typo'd URL? Username mistake? Periodic CalDAV password rotation? The
only path was delete-and-readd, which loses the synced events cache,
the write-back configuration, and any per-event-type calendar
selections that referenced calendars under the old source.

Adds an Edit affordance on each source row (web) and a `calrs source
update` command (CLI). The web POST and the CLI both go through small
DB updates that scope by user_id (web) or by id-prefix (CLI matching
existing convention).

Notable details:

- Password field is optional; empty means "keep existing". The web
  handler decrypts the stored blob to feed the connection-test client
  with credentials sync will use afterwards. The CLI uses an explicit
  --password flag that prompts via rpassword (so password isn't echoed
  and isn't visible in shell history).
- URL still passes validate_caldav_url (SSRF guard); the connection
  test still respects the existing "Skip connection test" checkbox.
- After URL or username changes, both surfaces hint that a manual
  sync is recommended to refresh the discovered calendar list. No
  automatic re-sync — the discovery flow's resolve_url() already
  re-resolves hrefs from the server origin, so the next manual sync
  self-heals.
- Edit button only shown for sources the user owns; the GET handler
  scopes by user_id and redirects on access mismatch.

Tests: 4 new web handler tests (form pre-fill, blank-password keeps
existing, password rotation re-encrypts, cross-user access blocked).
583 tests total (up from 579), all green on pre-commit. Clippy clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: olivierlambert

src/commands/source.rs

@@ -40,6 +40,23 @@ pub enum SourceCommands {
         /// Source ID
         id: String,
     },
+    /// Update a source's connection details
+    Update {
+        /// Source ID (or unique prefix)
+        id: String,
+        /// New display name
+        #[arg(long)]
+        name: Option<String>,
+        /// New CalDAV URL
+        #[arg(long)]
+        url: Option<String>,
+        /// New username
+        #[arg(long)]
+        username: Option<String>,
+        /// Prompt for a new password (use this for scripted password rotation)
+        #[arg(long)]
+        password: bool,
+    },
 }
 
 #[derive(Tabled)]
@@ -160,6 +177,73 @@ pub async fn run(pool: &SqlitePool, key: &[u8; 32], cmd: SourceCommands) -> Resu
                 }
             }
         }
+        SourceCommands::Update {
+            id,
+            name,
+            url,
+            username,
+            password,
+        } => {
+            let existing: Option<(String, String, String, String, String)> = sqlx::query_as(
+                "SELECT id, name, url, username, password_enc FROM caldav_sources WHERE id LIKE ? || '%'",
+            )
+            .bind(&id)
+            .fetch_optional(pool)
+            .await?;
+
+            let (full_id, current_name, current_url, current_username, current_password_enc) =
+                match existing {
+                    Some(t) => t,
+                    None => {
+                        println!("{} No source found matching '{}'", "✗".red(), id);
+                        return Ok(());
+                    }
+                };
+
+            let url_or_username_changed = url.is_some() || username.is_some();
+            let new_name = name.unwrap_or(current_name);
+            let new_url = url.unwrap_or(current_url);
+            let new_username = username.unwrap_or(current_username);
+
+            if password {
+                let new_pw = rpassword::prompt_password("New password: ").unwrap_or_default();
+                if new_pw.is_empty() {
+                    bail!("Password is required when --password is set");
+                }
+                let new_enc = crate::crypto::encrypt_password(key, &new_pw)?;
+                sqlx::query(
+                    "UPDATE caldav_sources SET name = ?, url = ?, username = ?, password_enc = ? WHERE id = ?",
+                )
+                .bind(&new_name)
+                .bind(&new_url)
+                .bind(&new_username)
+                .bind(&new_enc)
+                .bind(&full_id)
+                .execute(pool)
+                .await?;
+            } else {
+                let _ = current_password_enc;
+                sqlx::query(
+                    "UPDATE caldav_sources SET name = ?, url = ?, username = ? WHERE id = ?",
+                )
+                .bind(&new_name)
+                .bind(&new_url)
+                .bind(&new_username)
+                .bind(&full_id)
+                .execute(pool)
+                .await?;
+            }
+
+            println!("{} Source updated: {}", "✓".green(), new_name);
+
+            if url_or_username_changed {
+                println!(
+                    "{}",
+                    "  URL or username changed — run `calrs sync` to refresh the calendar list."
+                        .dimmed()
+                );
+            }
+        }
         SourceCommands::Test { id } => {
             let source: Option<(String, String, String, String)> = sqlx::query_as(
                 "SELECT url, username, password_enc, name FROM caldav_sources WHERE id LIKE ? || '%'",