fix(demo): close 3 demo-policy gaps in mutation actions (before-launch)

An audit of all Server Actions revealed three mutation paths without an
isDemo check, while the demo policy says "demo user is read-only":

- toggleTodoAction: demo could toggle its own todos done/undone
- archiveCompletedTodosAction: demo could archive todos (bulk)
- leaveProductAction: demo could leave a productMembership

Fix: added the standard `if (session.isDemo) return { error: 'Niet beschikbaar in
demo-modus' }`, consistent with the other mutation actions.

The other claim/unclaim/reassign/updateTaskPlan actions are already covered via
requireProductWriter() → requireWriter() → demo throw; now verified
code-side for the whole actions/ tree.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Janpeter Visser 2026-05-04 14:14:01 +02:00
parent 7529fd54bc
commit 95eff4087c
2 changed files with 3 additions and 0 deletions


@ -47,6 +47,7 @@ export async function createTodoAction(_prevState: unknown, formData: FormData)
export async function toggleTodoAction(id: string, done: boolean) {
const session = await getSession()
if (!session.userId) return { error: 'Niet ingelogd' }
if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
const todo = await prisma.todo.findFirst({ where: { id, user_id: session.userId } })
if (!todo) return { error: 'Todo niet gevonden' }
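Review bot: the new guard `if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }` sits after the login check and before the `prisma.todo.findFirst` lookup, which is the right order (a demo session never reaches the database), but the error string is now repeated verbatim in every mutation action; hoisting it into a shared constant or a small `requireNotDemo(session)` helper next to `requireWriter()` would keep the message and the check from drifting between actions. Also worth a one-line comment: unlike the `requireWriter()` path, which throws, this action reports the refusal through its return value, so callers must inspect `error` rather than rely on an exception.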
@ -59,6 +60,7 @@ export async function toggleTodoAction(id: string, done: boolean) {
export async function archiveCompletedTodosAction() {
const session = await getSession()
if (!session.userId) return { error: 'Niet ingelogd' }
if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
await prisma.todo.updateMany({
where: { user_id: session.userId, done: true, archived: false },
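Review bot: placing the demo guard before `prisma.todo.updateMany` is essential here, because the bulk archive has no per-row ownership lookup that would otherwise stop a demo user; the `where` clause scopes by `user_id` only, so without this line a demo session could archive every one of its completed todos in one call. The hunk is cut off before the end of the `updateMany` call, and the commit message lists a third gap (leaveProductAction, presumably in the second changed file) whose diff is not shown on this page, so that addition could not be checked for the same placement.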