remove default values from user constructors

Forcing every call site to be explicit about admin status and
password eliminates a class of bugs where an unintended
isAdmin=false or empty passwordHash could silently slip through.
The CreateUserTest case that asserted the isAdmin default is
dropped since the default no longer exists.

tests/e2e/Controllers/AuthControllerTest.php

@@ -63,6 +63,7 @@ class AuthControllerTest extends TestCase
         $this->createUser->execute(new CreateUserRequest(
             email: 'existing@test.com',
             password: 'password1',
+            isAdmin: false,
         ));
 
         $this->controller = new AuthController();