feat: Member permissions, optional phone, public users endpoint

- Allow members to create todos, companies, projects
- Auto-assign creator to resources (companyUsers, projectUsers, todoUsers)
- Add public /api/users endpoint for all authenticated users
- Make phone field optional in personal contacts (schema + validation)
- Update todo routes to use checkTodoAccess for updates

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

src/routes/todo.routes.js

@@ -27,19 +27,18 @@ router.get(
   todoController.getTodoById
 );
 
-// Create new todo (admin only)
+// Create new todo (any authenticated user)
 router.post(
   '/',
-  requireAdmin,
   validateBody(createTodoSchema),
   todoController.createTodo
 );
 
-// Update todo (admin only)
+// Update todo (user must have access to the todo)
 router.patch(
   '/:todoId',
-  requireAdmin,
   validateParams(z.object({ todoId: z.string().uuid() })),
+  checkTodoAccess,
   validateBody(updateTodoSchema),
   todoController.updateTodo
 );