Switch auth to plain-text password env var (remove bcrypt)

- Replace ADMIN_PASSWORD_HASH with ADMIN_PASSWORD in auth route and docker-compose
- Remove bcryptjs / @types/bcryptjs dependencies
- Delete scripts/hashPassword.ts (no longer needed)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-21 22:05:42 -05:00
parent 7ef0509f2b
commit bcb8a95fae
16 changed files with 407 additions and 156 deletions


@@ -1,5 +1,4 @@
import { Router, Request, Response, NextFunction } from 'express';
import bcrypt from 'bcryptjs';
import jwt from 'jsonwebtoken';
import { AppError, ok } from '../types/index';
import { authMiddleware } from '../middleware/authMiddleware';
@@ -13,7 +12,7 @@ const COOKIE_OPTS = {
path: '/',
};
authRouter.post('/login', async (req: Request, res: Response, next: NextFunction) => {
authRouter.post('/login', (req: Request, res: Response, next: NextFunction) => {
try {
const { username, password } = req.body as { username?: string; password?: string };
@@ -22,17 +21,13 @@ authRouter.post('/login', async (req: Request, res: Response, next: NextFunction
}
const adminUsername = process.env.ADMIN_USERNAME;
const adminHash = process.env.ADMIN_PASSWORD_HASH;
const adminPassword = process.env.ADMIN_PASSWORD;
if (!adminUsername || !adminHash) {
if (!adminUsername || !adminPassword) {
throw new AppError('Server not configured: admin credentials missing', 500, 'CONFIG_ERROR');
}
const usernameMatch = username === adminUsername;
// Always run bcrypt to prevent timing attacks even if username is wrong
const passwordMatch = await bcrypt.compare(password, adminHash);
if (!usernameMatch || !passwordMatch) {
if (username !== adminUsername || password !== adminPassword) {
throw new AppError('Invalid username or password', 401, 'INVALID_CREDENTIALS');
}