The production flow should email a short-lived, hashed reset token and never reveal whether an email exists.
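
A minimal sketch of such a flow, added here as an illustration and not taken from the original code base. It assumes the raw token goes only into the email while the server keeps just its SHA-256 digest; the names `request_reset`, `redeem`, `digest`, `TOKEN_TTL`, `GENERIC_REPLY`, the in-memory stores and the 15-minute lifetime are all hypothetical.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds; assumed lifetime, the page only says "short-lived"
GENERIC_REPLY = "If that address is registered, a reset link has been sent."

USERS = {"alice@example.com"}  # constructed sample account store
RESET_TOKENS = {}              # sha256(token) -> (email, expires_at); no raw tokens
OUTBOX = []                    # stands in for the mail sender: (email, raw token)


def digest(token):
    # A fast hash is adequate here because the token carries 256 bits of randomness.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email, now=None):
    """Always returns the same reply, whether or not the account exists."""
    now = time.time() if now is None else now
    if email in USERS:
        # Invalidate any earlier token for this account before issuing a new one.
        for old in [d for d, (e, _) in RESET_TOKENS.items() if e == email]:
            del RESET_TOKENS[old]
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[digest(token)] = (email, now + TOKEN_TTL)
        OUTBOX.append((email, token))  # the raw token exists only in the email
    return GENERIC_REPLY


def redeem(token, now=None):
    """Return the email allowed to set a new password, or None."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.pop(digest(token), None)  # pop makes the token single-use
    if record is None:
        return None
    email, expires_at = record
    return email if now <= expires_at else None
```

In a real service the mail would be queued off the request path, so that response time does not differ between known and unknown addresses.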