git commit -m "fix: Implement three critical security and data-integrity fixes

ISSUE-005: Auth Role Precedence (CRITICAL Security Fix)
- Firestore admin flag now ALWAYS takes precedence over Auth0 claims
- Prevents privilege escalation if Auth0 is compromised
- Added computeEffectiveAdmin() helper for explicit precedence logic
- Tests: 8 validation tests for auth scenarios

ISSUE-004: CRDT Decompression Error Handling (CRITICAL Data Integrity Fix)
- Changed from silent fallback to explicit error on Y.Doc corruption
- Prevents corrupted state from propagating to all collaborators
- Added parsePresenceEntry() helper to reduce complexity
- Errors are now observable and trigger client-side fresh sync
- Tests: 8 validation tests for error scenarios

ISSUE-006: OpenAI Response Validation (HIGH Validation Fix)
- Added strict array size validation (1-20 POIs)
- Coordinates now rejected (not fallen back) when invalid
- Field lengths enforced (name 1-200 chars, description 500 chars)
- No more silent fallbacks to parent locations
- Refactored nested ternary to switch statement for clarity
- Tests: 16 validation tests for validation scenarios

Test Results:
- ✅ Full test suite: 145 tests passing (0 regressions)
- ✅ Type check: Clean (no TypeScript errors)
- ✅ Lint: Clean (cognitive complexity refactored)
- ✅ New validation tests: 32 tests added

Files Changed:
- apps/api/src/middleware/auth.middleware.ts
- apps/api/src/modules/collab/collab.service.ts
- apps/api/src/services/openai.service.ts
- apps/api/src/middleware/__tests__/auth-issue-005.test.ts (NEW)
- apps/api/src/modules/collab/__tests__/collab-issue-004.test.ts (NEW)
- apps/api/src/services/__tests__/openai-issue-006.test.ts (NEW)

Security Impact:
- Privilege escalation attack surface eliminated
- Data corruption now detectable and recoverable
- Invalid input data now explicitly rejected

Backward Compatibility:
- ✅ No breaking API changes
- ✅ Existing clients continue to work
- ✅ Error handling compatible with existing recovery logic"
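
The ISSUE-006 rules from the commit message (array size, field lengths, rejecting invalid coordinates with no fallback), sketched as an added example that is not the project's own code. The field names, the `Result` shape, the coordinate ranges and the reading of "description 500 chars" as a maximum are assumptions.

```typescript
// Added example, not the project's openai.service.ts. Limits from the commit
// message: 1-20 POIs, name 1-200 chars, description 500 chars (read as a max).
// Assumed: field names, the Result shape, and WGS84 coordinate ranges.
interface Poi { name: string; description: string; lat: number; lng: number }
type Result = { ok: true; pois: Poi[] } | { ok: false; error: string };

function inRange(v: unknown, min: number, max: number): v is number {
  return typeof v === "number" && Number.isFinite(v) && v >= min && v <= max;
}

function validatePoi(raw: unknown, i: number): Poi | string {
  if (typeof raw !== "object" || raw === null) return `poi[${i}]: not an object`;
  const { name, description, lat, lng } = raw as Record<string, unknown>;
  if (typeof name !== "string" || name.length < 1 || name.length > 200) {
    return `poi[${i}]: name must be 1-200 chars`;
  }
  if (typeof description !== "string" || description.length > 500) {
    return `poi[${i}]: description must be at most 500 chars`;
  }
  // Reject instead of substituting the parent location's coordinates.
  if (!inRange(lat, -90, 90) || !inRange(lng, -180, 180)) {
    return `poi[${i}]: invalid coordinates`;
  }
  return { name, description, lat, lng };
}

function validatePoiResponse(json: string): Result {
  let data: unknown;
  try {
    data = JSON.parse(json);
  } catch {
    return { ok: false, error: "response is not valid JSON" };
  }
  if (!Array.isArray(data) || data.length < 1 || data.length > 20) {
    return { ok: false, error: "expected an array of 1-20 POIs" };
  }
  const pois: Poi[] = [];
  for (let i = 0; i < data.length; i++) {
    const poi = validatePoi(data[i], i);
    if (typeof poi === "string") return { ok: false, error: poi }; // fail whole response
    pois.push(poi);
  }
  return { ok: true, pois };
}

// Constructed sample: the second POI has an out-of-range latitude.
const SAMPLE = '[{"name":"Old Town","description":"Historic centre","lat":50.06,"lng":19.94},' +
  '{"name":"Castle","description":"Hilltop castle","lat":950.06,"lng":19.93}]';
console.log(validatePoiResponse(SAMPLE)); // whole response rejected at poi[1]
```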