fix(auth): remove username leak from public /api/auth/status endpoint (#1055)

The authStatus() controller previously returned the first user's
username to unauthenticated clients. The frontend never used this
value — `fetchAuthStatus()` in LoginView.vue discards the return
value entirely. Remove the field to prevent username enumeration.

Changes:
- server: drop `username` from authStatus response body
- server: remove unused `findFirstUser` import
- client: remove `username` from AuthStatus interface
GoldenFishX
2026-05-27 11:25:29 +08:00
committed by GitHub
parent eca06faaa0
commit 6647dc9bc8
2 changed files with 0 additions and 4 deletions
-1
@@ -2,7 +2,6 @@ import { request } from './client'
export interface AuthStatus {
hasPasswordLogin: boolean
username: string | null
hasUsers?: boolean
}
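Review bot: `hasUsers?: boolean` on AuthStatus stays optional even though the server's authStatus() in this same commit always sets it (`hasUsers: countUsers() > 0`), so callers must keep handling an undefined value for a field the server never omits; declaring it `hasUsers: boolean` would make the type match the response body. If older server builds can still omit the field, keep it optional but say so in a comment on the field so the mismatch is not mistaken for an error.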
-3
@@ -8,7 +8,6 @@ import {
countUsers,
createUser,
deleteUser,
findFirstUser,
findUserById,
findUserByUsername,
listUsers,
@@ -27,10 +26,8 @@ import { listProfileNamesFromDisk } from '../services/hermes/hermes-profile'
* Check if username/password login is configured (public).
*/
export async function authStatus(ctx: Context) {
const firstUser = findFirstUser()
ctx.body = {
hasPasswordLogin: true,
username: firstUser?.username || DEFAULT_USERNAME,
hasUsers: countUsers() > 0,
}
}
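Review bot: The doc comment on authStatus() still says only "Check if username/password login is configured (public)." and does not record why the body is now limited to booleans, so nothing warns a later change against reintroducing a user identifier into this unauthenticated response; add ` * Unauthenticated: keep the body to setup-state booleans only (no usernames or other account identifiers).` to the comment above the function. `hasUsers` still tells any anonymous client whether the instance has an account yet, which is presumably needed by the first-run flow; if it is not, it belongs behind the same restriction. `DEFAULT_USERNAME`'s only visible use was on the removed `username:` line, so if the rest of the file does not reference it, its import is now dead and should go the way of `findFirstUser`. The doc comment's opening line is outside the hunk.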