feat: remove OTP gate from transactions, fix categories auth, add implementation plan

- Remove OtpGateGuard from transactions controller (OTP verified at login)
- Fix categories controller to use authenticated user instead of TEMP_USER_ID
- Add comprehensive implementation plan document
- Update .env.example with WEB_APP_URL
- Prepare for admin dashboard development

apps/api/prisma/schema.prisma

@@ -5,7 +5,7 @@ generator client {
 datasource db {
   provider          = "postgresql"
   url               = env("DATABASE_URL")
-  shadowDatabaseUrl = env("SHADOW_DATABASE_URL")
+  shadowDatabaseUrl = env("DATABASE_URL_SHADOW")
 }
 
 model User {
@@ -13,11 +13,19 @@ model User {
   createdAt       DateTime      @default(now())
   updatedAt       DateTime      @updatedAt
   status          String        @default("active")
-  email           String?       @unique
+  email           String        @unique
+  emailVerified   Boolean       @default(false)
+  passwordHash    String?
   name            String?
   avatarUrl       String?
+  phone           String?       @unique
   defaultCurrency String?
   timeZone        String?
+  // OTP/MFA fields
+  otpEmailEnabled    Boolean       @default(false)
+  otpWhatsappEnabled Boolean       @default(false)
+  otpTotpEnabled     Boolean       @default(false)
+  otpTotpSecret      String?
   authAccounts    AuthAccount[]
   categories      Category[]
   Recurrence      Recurrence[]