docs(openapi): clarify AAL2 requirement for password/email updates when MFA is enabled
This PR documents existing Supabase Auth behavior where updating email or password requires an AAL2 session when MFA (TOTP or SMS) is enabled.
Sessions obtained from password recovery links are AAL1 by default and will be rejected by PUT /user when attempting to update email or password.
This change does NOT modify runtime behavior. It clarifies the contract in the OpenAPI spec to avoid confusion.
Related issue:
- #2091 resetPasswordForEmail + MFA: Cannot update password due to AAL2 requirement
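As an added example (not code from this PR, from Supabase Auth, or from the linked issue), the Node.js snippet below models the PUT /user contract the PR describes so it can be reasoned about offline: a session at AAL1 (such as one minted from a password-recovery link) is rejected when it tries to change email or password for a user who has a verified MFA factor, while an AAL2 session, a user with no MFA, or an update that does not touch credentials all pass. The claim name `aal`, the factor types `totp` and `phone`, and the 401 status, error code and message on rejection are assumptions made for illustration; the sample tokens are constructed and unsigned.

```javascript
// Added example (not Supabase code): a model of the PUT /user AAL2 rule.
// Assumptions: the access token carries an `aal` claim ("aal1"/"aal2"),
// MFA factor types are "totp" (authenticator app) and "phone" (SMS), and the
// 401 / "insufficient_aal" response shape is illustrative only.

// Decode the payload of a compact JWT. Signature verification is deliberately
// out of scope: a real service verifies the token *before* trusting any claim.
// This helper only exists so the constructed sample tokens can be read back.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Build an unsigned, constructed token for the sample scenarios below.
function constructToken(payload) {
  const header = Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })).toString("base64url");
  const body = Buffer.from(JSON.stringify(payload)).toString("base64url");
  return `${header}.${body}.constructed-signature`;
}

// The assurance level a session must hold before a credential update is
// allowed: AAL2 as soon as the user has any verified MFA factor.
function requiredAal(factors) {
  const hasVerifiedMfa = factors.some(
    (f) => f.status === "verified" && (f.factor_type === "totp" || f.factor_type === "phone")
  );
  return hasVerifiedMfa ? "aal2" : "aal1";
}

// Only email and password changes are covered by the rule; other fields in
// the update body (for example user metadata) are unaffected.
function touchesCredentials(body) {
  return Object.prototype.hasOwnProperty.call(body, "email") ||
         Object.prototype.hasOwnProperty.call(body, "password");
}

// Decide whether a PUT /user request may proceed, given the (already
// verified) token claims, the user's enrolled factors, and the request body.
function authorizeUserUpdate(claims, factors, body) {
  if (!touchesCredentials(body)) return { ok: true };
  const needed = requiredAal(factors);
  const current = claims.aal ?? "aal1";
  if (needed === "aal2" && current !== "aal2") {
    return {
      ok: false,
      status: 401,                 // assumed status for illustration
      code: "insufficient_aal",    // assumed error code for illustration
      message: "AAL2 session required to update email or password when MFA is enabled",
      hint: "Complete an MFA challenge/verify step to elevate the session, then retry",
    };
  }
  return { ok: true };
}

// Constructed scenario from the linked issue: a recovery-link session (AAL1)
// for a user with a verified TOTP factor attempts to set a new password.
const verifiedTotp = [{ id: "factor-1", factor_type: "totp", status: "verified" }];

function recoveryScenario() {
  const token = constructToken({ sub: "user-1", aal: "aal1" });
  return authorizeUserUpdate(decodeJwtPayload(token), verifiedTotp, { password: "new-password" });
}

// Same user after completing the MFA challenge: the session is now AAL2.
function elevatedScenario() {
  const token = constructToken({ sub: "user-1", aal: "aal2" });
  return authorizeUserUpdate(decodeJwtPayload(token), verifiedTotp, { password: "new-password" });
}

console.log("recovery session:", recoveryScenario()); // rejected
console.log("elevated session:", elevatedScenario()); // allowed
```

The practical consequence for a client is the order of operations after a recovery link: check the session's assurance level first, run the MFA challenge and verification to reach AAL2, and only then call the user-update endpoint with the new password.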