Forcing every call site to be explicit about admin status and
password eliminates a class of bugs where an unintended
isAdmin=false or empty passwordHash could silently slip through.
The CreateUserTest case that asserted the isAdmin default is
dropped since the default no longer exists.
Replace direct password_hash and password_verify calls with the
injected PasswordHasher so the bcrypt cost can be substituted out
in tests. Production wiring is handled by the container's autowiring
of BcryptPasswordHasher.
This commit alone breaks the test suite because the existing tests
construct these use cases without the new dependency; the next
commit restores green by introducing FakePasswordHasher.
