don't leak password hashes

graph/converters.go

@@ -28,7 +28,6 @@ func convertUser(u models.User) *model.User {
 	return &model.User{
 		ID:        strconv.FormatUint(uint64(u.ID), 10),
 		Email:     u.Email,
-		Password:  u.Password,
 		Roles:     roles,
 		CreatedAt: u.CreatedAt.String(),
 		UpdatedAt: u.UpdatedAt.String(),

graph/schema.graphqls

@@ -5,7 +5,6 @@
 type User {
   id: ID!
   email: String!
-  password: String!
   roles: [Role!]!
   createdAt: String!
   updatedAt: String!

mcp/testdata/snapshots/TestMCP_Introspect-UserType

@@ -4,7 +4,7 @@ introspect_user
   "result": {
     "content": [
       {
-        "text": "Type: User (Object)\n\nFields:\n  id: ID!\n  email: String!\n  password: String!\n  roles: [Role!]\n  createdAt: String!\n  updatedAt: String!\n",
+        "text": "Type: User (Object)\n\nFields:\n  id: ID!\n  email: String!\n  roles: [Role!]\n  createdAt: String!\n  updatedAt: String!\n",
         "type": "text"
       }
     ]