inject PasswordHasher into CreateUser and AuthenticateUser

Replace direct password_hash and password_verify calls with the
injected PasswordHasher so the bcrypt cost can be substituted out
in tests. Production wiring is handled by the container's autowiring
of BcryptPasswordHasher.

This commit alone breaks the test suite because the existing tests
construct these use cases without the new dependency; the next
commit restores green by introducing FakePasswordHasher.

app/User/UseCases/AuthenticateUser.php

@@ -2,6 +2,7 @@
 
 namespace App\User\UseCases;
 
+use App\Auth\PasswordHasher;
 use App\Exceptions\BadRequestException;
 use App\Exceptions\UnauthorizedException;
 use App\User\User;
@@ -12,6 +13,7 @@ class AuthenticateUser
 {
     public function __construct(
         private UserRepository $userRepo,
+        private PasswordHasher $passwordHasher,
     ) {}
 
     /**
@@ -35,7 +37,7 @@ class AuthenticateUser
             throw new UnauthorizedException('invalid credentials');
         }
 
-        $passwordMatches = password_verify(
+        $passwordMatches = $this->passwordHasher->verify(
             $request->password,
             $user->getPasswordHash()
         );

app/User/UseCases/CreateUser.php

@@ -2,6 +2,7 @@
 
 namespace App\User\UseCases;
 
+use App\Auth\PasswordHasher;
 use App\Exceptions\BadRequestException;
 use App\User\User;
 use App\User\UserRepository;
@@ -11,6 +12,7 @@ class CreateUser
 {
     public function __construct(
         private UserRepository $userRepo,
+        private PasswordHasher $passwordHasher,
     ) {}
 
     /**
@@ -39,7 +41,7 @@ class CreateUser
 
         return $this->userRepo->create(new CreateUserDto(
             email: $email,
-            passwordHash: password_hash($dto->password, PASSWORD_DEFAULT),
+            passwordHash: $this->passwordHasher->hash($dto->password),
             isAdmin: $dto->isAdmin,
         ));
     }