feat: remove OTP gate from transactions, fix categories auth, add implementation plan

- Remove OtpGateGuard from transactions controller (OTP verified at login)
- Fix categories controller to use authenticated user instead of TEMP_USER_ID
- Add comprehensive implementation plan document
- Update .env.example with WEB_APP_URL
- Prepare for admin dashboard development

apps/api/.env.example

@@ -1,16 +1,22 @@
 # Database Configuration
-DATABASE_URL="postgresql://username:password@localhost:5432/tabungin_dev"
-SHADOW_DATABASE_URL="postgresql://username:password@localhost:5432/tabungin_shadow"
+DATABASE_URL="postgresql://user:password@localhost:5432/tabungin?schema=public"
+DATABASE_URL_SHADOW="postgresql://user:password@localhost:5432/tabungin_shadow?schema=public"
 
-# Firebase Admin SDK Configuration
-# Get these from Firebase Console > Project Settings > Service Accounts
-FIREBASE_PROJECT_ID=your_project_id
-FIREBASE_CLIENT_EMAIL=firebase-adminsdk-xxxxx@your_project_id.iam.gserviceaccount.com
-FIREBASE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\nYOUR_PRIVATE_KEY_HERE\n-----END PRIVATE KEY-----\n"
+# JWT Authentication (generate a random 32+ character string for production)
+JWT_SECRET=your-super-secret-jwt-key-change-this-in-production
 
-# API Configuration
-PORT=3000
-WEB_APP_URL=http://localhost:5173
+# Exchange Rate API
+EXCHANGE_RATE_URL=https://api.exchangerate-api.com/v4/latest/IDR
 
-# Development User ID (run seed script to create this user)
-TEMP_USER_ID=16b74848-daa3-4dc9-8de2-3cf59e08f8e3
+# Google OAuth (for "Continue with Google")
+GOOGLE_CLIENT_ID=your-google-client-id
+GOOGLE_CLIENT_SECRET=your-google-client-secret
+GOOGLE_CALLBACK_URL=http://localhost:3001/api/auth/google/callback
+
+# OTP Webhook URLs (n8n)
+OTP_SEND_WEBHOOK_URL=https://your-n8n-instance.com/webhook/send-otp
+OTP_SEND_WEBHOOK_URL_TEST=https://your-n8n-instance.com/webhook-test/send-otp
+
+# App Configuration
+PORT=3001
+WEB_APP_URL=http://localhost:5174