LOW

GHSA-jr54-jwhj-55gp

NocoDB: User Enumeration via Sign-In Timing

Details

### Summary

Sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison.

### Details

The unknown-user branch in `auth.service.ts` now performs a `bcrypt.compare` against a fixed dummy hash so the response time of failed sign-ins is approximately independent of whether the address exists. Rate limiting on the sign-in endpoint is implemented in the Enterprise build only and is not affected by this advisory.

### Impact

A network-positioned attacker could enumerate registered email addresses by timing sign-in responses. Exploitation requires only the ability to send unauthenticated sign-in requests.

### Credit

This issue was reported by [@AndyAnh174](https://github.com/AndyAnh174).


Affected packages

npm / nocodb
Introduced in: 0
Fixed in: 2026.04.1
Fix: npm install nocodb@2026.04.1

References