feat(utilization-category): scope reads to planning audience

docs/route-access-matrix.md

@@ -115,6 +115,16 @@ Reasoning:
 - `list` already exposes `_count.children` and `_count.projects`, and `getTree` reveals the full client hierarchy used in planning and reporting flows
 - detailed client reads add parent/child structure plus project counts, so they should align with the explicit planning audience instead of broad authenticated access
 
+### `packages/api/src/router/utilization-category.ts`
+
+- `list`, `getById`: `planning-read`
+- create and update: `admin-only`
+
+Reasoning:
+
+- the categories feed project configuration and planning/reporting workflows instead of broad self-service screens
+- `getById` includes `_count.projects`, so the detailed read should not remain a generic authenticated route
+
 ## Assistant Parity Rule
 
 - assistant tool visibility must never widen the audience of the backing router