Root-mounted app intercepts built-in reset-password route

Summary
When a PowerShell Universal app is mounted at /, the built-in reset-password route can be intercepted by the app route surface. This prevents the normal reset-password page from loading when a local user's password has expired or when navigating directly to the reset-password URL.

The issue started in 5.5.0 and persists through the current version 2026.2.0.

To Reproduce
Create an app mounted at / with app-level PageNotFound and NotAuthorized handlers.

New-PSUApp -Name 'ResetPasswordRootRouteRepro' -BaseUrl '/' -Authenticated -Content {
New-UDApp `
-Title 'Reset Password Root Route Repro' `
-PageNotFound {
New-UDTypography -Text 'Custom PageNotFound'
} `
-NotAuthorized {
New-UDTypography -Text 'Custom NotAuthorized'
} `
-Content {
New-UDTypography -Text 'Home Page'
}
}

Then browse to the built-in reset-password route.
/reset-password?username=admin

Expected Behavior
The built-in reset-password page should load normally, even when an app is mounted at /.
The reset-password route is part of the integrated authentication flow, so it should not be handled by the app's PageNotFound or NotAuthorized handlers.

Actual Behavior
When the app is mounted at /, the built-in reset-password route is intercepted by the app route surface.

Workaround
Mount the app at a non-root base URL instead of / if the built-in reset-password flow needs to remain available.
For example, use a base URL such as /app or another non-root path.

Suggested Fix Direction
The built-in /reset-password route should probably be reserved ahead of root-mounted app routing, similar to how other integrated platform routes are protected from app catch-all behavior.

If root-mounted apps are expected to own this route, then the documentation should call out that apps mounted at / can interfere with built-in authentication routes such as /reset-password.