feat(auth): add DEVELOPER + PARK_OPERATOR roles with owner scoping (B2B accounts)

Two new B2B roles for CĐT (project developers) and KCN operators, provisioned by
admin. Each account owns a subset of ProjectDevelopment / IndustrialPark records
and can CRUD them from the dashboard; admin retains full access.

Phase 1 — Schema
- Extend UserRole enum with DEVELOPER + PARK_OPERATOR (before ADMIN)
- ProjectDevelopment.ownerId FK (User, ON DELETE SET NULL) + index
- IndustrialPark.ownerId FK + index
- Migration 20260420030000

Phase 2a — Backend authorization
- CreateProjectCommand + CreateIndustrialParkCommand accept ownerId; controllers
  auto-set it to the caller's user id when role=DEVELOPER / PARK_OPERATOR
- Update + Delete commands gain (requesterUserId, requesterRole) and enforce
  ADMIN-or-owner via ForbiddenException; reassigning ownerId is admin-only
- Search params gain optional ownerId filter wired through Prisma repos
- New endpoints: GET /projects/mine/list, GET /industrial/parks/mine/list
- user-rate-limit guard: add DEVELOPER + PARK_OPERATOR entries (300/window)

Phase 2b — Admin provision
- ProvisionDeveloperCommand/Handler: create user (role=DEVELOPER), pre-validate
  target projects have no existing owner, batch-assign ownerId
- ProvisionParkOperatorCommand/Handler: same for PARK_OPERATOR + IndustrialPark
- POST /admin/accounts/developers, POST /admin/accounts/park-operators (admin-only)
- DTOs with phone/password/fullName/email + optional {project,park}Ids[]

Phase 2c — Project stats for developer dashboard
- GetProjectStatsQuery + handler: aggregates linkedListingCount, activeListingCount,
  totalInquiries, unreadInquiries, savedByUsers via Property → Listing → Inquiry chain
- GET /projects/:id/stats — admin sees all, DEVELOPER only their own (403 otherwise)

Phase 3 — Frontend
- Dashboard layout role-aware: DEVELOPER sees "Dự án của tôi" + CRM + Profile (hides
  listings/analytics/subscription); PARK_OPERATOR sees "KCN của tôi" equivalent
- /projects dashboard page switches to duAnApi.searchMine() when role=DEVELOPER
- /industrial-parks page switches to industrialApi.searchMine() when role=PARK_OPERATOR
- Admin nav gains "Tài khoản CĐT" + "Tài khoản KCN" entries
- New pages /admin/accounts/developers + /admin/accounts/park-operators with
  checkbox-based multi-select for linking entities
- adminApi.provisionDeveloper + provisionParkOperator + types
- duAnApi.searchMine + getStats; industrialApi.searchMine
- Login demo accounts list includes CĐT Vingroup + KCN VSIP

Phase 4 — Seed (prisma/seed-b2b-accounts.ts)
- DEVELOPER "CĐT Vingroup" (+84912000001) owns 4 projects
- DEVELOPER "CĐT Masterise Homes" (+84912000003) owns 2 projects
- PARK_OPERATOR "Vận hành KCN VSIP" (+84912000002) owns 2 seeded KCN
- Password Velik@2026 for all

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

apps/api/src/modules/admin/admin.module.ts

@@ -8,6 +8,8 @@ import { ApproveKycHandler } from './application/commands/approve-kyc/approve-ky
 import { ApproveListingHandler } from './application/commands/approve-listing/approve-listing.handler';
 import { BanUserHandler } from './application/commands/ban-user/ban-user.handler';
 import { BulkModerateListingsHandler } from './application/commands/bulk-moderate-listings/bulk-moderate-listings.handler';
+import { ProvisionDeveloperHandler } from './application/commands/provision-developer/provision-developer.handler';
+import { ProvisionParkOperatorHandler } from './application/commands/provision-park-operator/provision-park-operator.handler';
 import { RejectKycHandler } from './application/commands/reject-kyc/reject-kyc.handler';
 import { RejectListingHandler } from './application/commands/reject-listing/reject-listing.handler';
 import { UpdateAiSettingsHandler } from './application/commands/update-ai-settings/update-ai-settings.handler';
@@ -46,6 +48,8 @@ const CommandHandlers = [
   RejectKycHandler,
   BulkModerateListingsHandler,
   UpdateAiSettingsHandler,
+  ProvisionDeveloperHandler,
+  ProvisionParkOperatorHandler,
 ];
 
 const QueryHandlers = [

apps/api/src/modules/admin/application/commands/provision-developer/provision-developer.command.ts

@@ -0,0 +1,18 @@
+/**
+ * Admin command: create a DEVELOPER (CĐT) user account and optionally link
+ * existing `ProjectDevelopment` records to that user as owner.
+ *
+ * Flow: admin picks phone/email/fullName/password, optionally an array of
+ * projectIds. Handler creates the user, then batch-assigns those projects'
+ * `ownerId`. Projects already owned by someone else are rejected.
+ */
+export class ProvisionDeveloperCommand {
+  constructor(
+    public readonly phone: string,
+    public readonly password: string,
+    public readonly fullName: string,
+    public readonly email: string | null,
+    /** Project ids to assign as owned by the new developer (optional). */
+    public readonly projectIds: string[],
+  ) {}
+}

apps/api/src/modules/admin/application/commands/provision-developer/provision-developer.handler.ts

@@ -0,0 +1,103 @@
+import { ConflictException, Inject } from '@nestjs/common';
+import { CommandHandler, type ICommandHandler } from '@nestjs/cqrs';
+import { createId } from '@paralleldrive/cuid2';
+import { PrismaService, ValidationException } from '@modules/shared';
+import { USER_REPOSITORY, type IUserRepository } from '../../../../auth/domain/repositories/user.repository';
+import { UserEntity } from '../../../../auth/domain/entities/user.entity';
+import { Email } from '../../../../auth/domain/value-objects/email.vo';
+import { HashedPassword } from '../../../../auth/domain/value-objects/hashed-password.vo';
+import { Phone } from '../../../../auth/domain/value-objects/phone.vo';
+import { ProvisionDeveloperCommand } from './provision-developer.command';
+
+export interface ProvisionDeveloperResult {
+  userId: string;
+  phone: string;
+  email: string | null;
+  fullName: string;
+  linkedProjectIds: string[];
+}
+
+@CommandHandler(ProvisionDeveloperCommand)
+export class ProvisionDeveloperHandler
+  implements ICommandHandler<ProvisionDeveloperCommand, ProvisionDeveloperResult>
+{
+  constructor(
+    @Inject(USER_REPOSITORY) private readonly userRepo: IUserRepository,
+    private readonly prisma: PrismaService,
+  ) {}
+
+  async execute(cmd: ProvisionDeveloperCommand): Promise<ProvisionDeveloperResult> {
+    // Validate + hash auth fields.
+    const phoneResult = Phone.create(cmd.phone);
+    if (phoneResult.isErr) throw new ValidationException(phoneResult.unwrapErr());
+    const phone = phoneResult.unwrap();
+
+    let email: Email | undefined;
+    if (cmd.email) {
+      const emailResult = Email.create(cmd.email);
+      if (emailResult.isErr) throw new ValidationException(emailResult.unwrapErr());
+      email = emailResult.unwrap();
+    }
+
+    const passwordResult = await HashedPassword.fromPlain(cmd.password);
+    if (passwordResult.isErr) throw new ValidationException(passwordResult.unwrapErr());
+    const passwordHash = passwordResult.unwrap();
+
+    // Uniqueness.
+    if (await this.userRepo.findByPhone(phone.value)) {
+      throw new ConflictException('Số điện thoại đã được đăng ký');
+    }
+    if (email && (await this.userRepo.findByEmail(email.value))) {
+      throw new ConflictException('Email đã được đăng ký');
+    }
+
+    // Pre-validate project ownership before creating the user — avoids
+    // orphaning a user if any target project is already owned by someone else.
+    if (cmd.projectIds.length > 0) {
+      const rows = await this.prisma.projectDevelopment.findMany({
+        where: { id: { in: cmd.projectIds } },
+        select: { id: true, ownerId: true, name: true },
+      });
+      const byId = new Map(rows.map((r) => [r.id, r]));
+      const missing = cmd.projectIds.filter((id) => !byId.has(id));
+      if (missing.length > 0) {
+        throw new ValidationException(
+          `Không tìm thấy dự án: ${missing.join(', ')}`,
+        );
+      }
+      const occupied = rows.filter((r) => r.ownerId && r.ownerId !== null);
+      if (occupied.length > 0) {
+        throw new ConflictException(
+          `Các dự án đã có CĐT khác quản lý: ${occupied.map((r) => r.name).join(', ')}`,
+        );
+      }
+    }
+
+    // Create the user (role=DEVELOPER).
+    const user = UserEntity.createNew(
+      createId(),
+      phone,
+      cmd.fullName,
+      passwordHash,
+      email,
+      'DEVELOPER',
+    );
+    await this.userRepo.save(user);
+
+    // Link projects.
+    if (cmd.projectIds.length > 0) {
+      await this.prisma.projectDevelopment.updateMany({
+        where: { id: { in: cmd.projectIds } },
+        data: { ownerId: user.id },
+      });
+    }
+
+    return {
+      userId: user.id,
+      phone: user.phone.value,
+      email: user.email?.value ?? null,
+      fullName: user.fullName,
+      linkedProjectIds: cmd.projectIds,
+    };
+  }
+}

apps/api/src/modules/admin/application/commands/provision-park-operator/provision-park-operator.command.ts

@@ -0,0 +1,13 @@
+/**
+ * Admin command: create a PARK_OPERATOR user account and optionally link
+ * existing `IndustrialPark` records to that user as owner.
+ */
+export class ProvisionParkOperatorCommand {
+  constructor(
+    public readonly phone: string,
+    public readonly password: string,
+    public readonly fullName: string,
+    public readonly email: string | null,
+    public readonly parkIds: string[],
+  ) {}
+}

apps/api/src/modules/admin/application/commands/provision-park-operator/provision-park-operator.handler.ts

@@ -0,0 +1,95 @@
+import { ConflictException, Inject } from '@nestjs/common';
+import { CommandHandler, type ICommandHandler } from '@nestjs/cqrs';
+import { createId } from '@paralleldrive/cuid2';
+import { PrismaService, ValidationException } from '@modules/shared';
+import { USER_REPOSITORY, type IUserRepository } from '../../../../auth/domain/repositories/user.repository';
+import { UserEntity } from '../../../../auth/domain/entities/user.entity';
+import { Email } from '../../../../auth/domain/value-objects/email.vo';
+import { HashedPassword } from '../../../../auth/domain/value-objects/hashed-password.vo';
+import { Phone } from '../../../../auth/domain/value-objects/phone.vo';
+import { ProvisionParkOperatorCommand } from './provision-park-operator.command';
+
+export interface ProvisionParkOperatorResult {
+  userId: string;
+  phone: string;
+  email: string | null;
+  fullName: string;
+  linkedParkIds: string[];
+}
+
+@CommandHandler(ProvisionParkOperatorCommand)
+export class ProvisionParkOperatorHandler
+  implements ICommandHandler<ProvisionParkOperatorCommand, ProvisionParkOperatorResult>
+{
+  constructor(
+    @Inject(USER_REPOSITORY) private readonly userRepo: IUserRepository,
+    private readonly prisma: PrismaService,
+  ) {}
+
+  async execute(cmd: ProvisionParkOperatorCommand): Promise<ProvisionParkOperatorResult> {
+    const phoneResult = Phone.create(cmd.phone);
+    if (phoneResult.isErr) throw new ValidationException(phoneResult.unwrapErr());
+    const phone = phoneResult.unwrap();
+
+    let email: Email | undefined;
+    if (cmd.email) {
+      const emailResult = Email.create(cmd.email);
+      if (emailResult.isErr) throw new ValidationException(emailResult.unwrapErr());
+      email = emailResult.unwrap();
+    }
+
+    const passwordResult = await HashedPassword.fromPlain(cmd.password);
+    if (passwordResult.isErr) throw new ValidationException(passwordResult.unwrapErr());
+    const passwordHash = passwordResult.unwrap();
+
+    if (await this.userRepo.findByPhone(phone.value)) {
+      throw new ConflictException('Số điện thoại đã được đăng ký');
+    }
+    if (email && (await this.userRepo.findByEmail(email.value))) {
+      throw new ConflictException('Email đã được đăng ký');
+    }
+
+    if (cmd.parkIds.length > 0) {
+      const rows = await this.prisma.industrialPark.findMany({
+        where: { id: { in: cmd.parkIds } },
+        select: { id: true, ownerId: true, name: true },
+      });
+      const byId = new Map(rows.map((r) => [r.id, r]));
+      const missing = cmd.parkIds.filter((id) => !byId.has(id));
+      if (missing.length > 0) {
+        throw new ValidationException(`Không tìm thấy KCN: ${missing.join(', ')}`);
+      }
+      const occupied = rows.filter((r) => r.ownerId && r.ownerId !== null);
+      if (occupied.length > 0) {
+        throw new ConflictException(
+          `Các KCN đã có đơn vị vận hành khác: ${occupied.map((r) => r.name).join(', ')}`,
+        );
+      }
+    }
+
+    const user = UserEntity.createNew(
+      createId(),
+      phone,
+      cmd.fullName,
+      passwordHash,
+      email,
+      'PARK_OPERATOR',
+    );
+    await this.userRepo.save(user);
+
+    if (cmd.parkIds.length > 0) {
+      await this.prisma.industrialPark.updateMany({
+        where: { id: { in: cmd.parkIds } },
+        data: { ownerId: user.id },
+      });
+    }
+
+    return {
+      userId: user.id,
+      phone: user.phone.value,
+      email: user.email?.value ?? null,
+      fullName: user.fullName,
+      linkedParkIds: cmd.parkIds,
+    };
+  }
+}

apps/api/src/modules/admin/presentation/controllers/admin.controller.ts

@@ -15,6 +15,10 @@ import { AdjustSubscriptionCommand } from '../../application/commands/adjust-sub
 import { type AdjustSubscriptionResult } from '../../application/commands/adjust-subscription/adjust-subscription.handler';
 import { BanUserCommand } from '../../application/commands/ban-user/ban-user.command';
 import { type BanUserResult } from '../../application/commands/ban-user/ban-user.handler';
+import { ProvisionDeveloperCommand } from '../../application/commands/provision-developer/provision-developer.command';
+import { type ProvisionDeveloperResult } from '../../application/commands/provision-developer/provision-developer.handler';
+import { ProvisionParkOperatorCommand } from '../../application/commands/provision-park-operator/provision-park-operator.command';
+import { type ProvisionParkOperatorResult } from '../../application/commands/provision-park-operator/provision-park-operator.handler';
 import { UpdateAiSettingsCommand } from '../../application/commands/update-ai-settings/update-ai-settings.command';
 import { UpdateUserStatusCommand } from '../../application/commands/update-user-status/update-user-status.command';
 import { type UpdateUserStatusResult } from '../../application/commands/update-user-status/update-user-status.handler';
@@ -36,6 +40,8 @@ import { AdjustSubscriptionDto } from '../dto/adjust-subscription.dto';
 import { BanUserDto } from '../dto/ban-user.dto';
 import { GetAuditLogsQueryDto } from '../dto/get-audit-logs-query.dto';
 import { GetUsersQueryDto } from '../dto/get-users-query.dto';
+import { ProvisionDeveloperDto } from '../dto/provision-developer.dto';
+import { ProvisionParkOperatorDto } from '../dto/provision-park-operator.dto';
 import { RevenueStatsDto } from '../dto/revenue-stats.dto';
 import { UpdateAiSettingsDto } from '../dto/update-ai-settings.dto';
 import { UpdateUserStatusDto } from '../dto/update-user-status.dto';
@@ -200,6 +206,58 @@ export class AdminController {
     );
   }
 
+  // ── B2B Account Provisioning ──────────────────────────────────────
+
+  @Post('accounts/developers')
+  @ApiOperation({
+    summary: 'Tạo tài khoản CĐT (DEVELOPER) — admin only',
+    description:
+      'Tạo mới một user với role=DEVELOPER và tuỳ chọn gán quyền sở hữu các ProjectDevelopment hiện có. Dự án đã có owner khác sẽ bị từ chối.',
+  })
+  @ApiResponse({ status: 201, description: 'Tạo tài khoản CĐT thành công' })
+  @ApiResponse({ status: 400, description: 'Dữ liệu không hợp lệ' })
+  @ApiResponse({ status: 401, description: 'Chưa xác thực' })
+  @ApiResponse({ status: 403, description: 'Yêu cầu role ADMIN' })
+  @ApiResponse({ status: 409, description: 'Số điện thoại/email đã tồn tại hoặc dự án đã có CĐT khác' })
+  async provisionDeveloper(
+    @Body() dto: ProvisionDeveloperDto,
+  ): Promise<ProvisionDeveloperResult> {
+    return this.commandBus.execute(
+      new ProvisionDeveloperCommand(
+        dto.phone,
+        dto.password,
+        dto.fullName,
+        dto.email ?? null,
+        dto.projectIds ?? [],
+      ),
+    );
+  }
+
+  @Post('accounts/park-operators')
+  @ApiOperation({
+    summary: 'Tạo tài khoản vận hành KCN (PARK_OPERATOR) — admin only',
+    description:
+      'Tạo mới một user với role=PARK_OPERATOR và tuỳ chọn gán quyền vận hành các IndustrialPark hiện có.',
+  })
+  @ApiResponse({ status: 201, description: 'Tạo tài khoản PARK_OPERATOR thành công' })
+  @ApiResponse({ status: 400, description: 'Dữ liệu không hợp lệ' })
+  @ApiResponse({ status: 401, description: 'Chưa xác thực' })
+  @ApiResponse({ status: 403, description: 'Yêu cầu role ADMIN' })
+  @ApiResponse({ status: 409, description: 'Số điện thoại/email đã tồn tại hoặc KCN đã có đơn vị khác' })
+  async provisionParkOperator(
+    @Body() dto: ProvisionParkOperatorDto,
+  ): Promise<ProvisionParkOperatorResult> {
+    return this.commandBus.execute(
+      new ProvisionParkOperatorCommand(
+        dto.phone,
+        dto.password,
+        dto.fullName,
+        dto.email ?? null,
+        dto.parkIds ?? [],
+      ),
+    );
+  }
+
   // ── Audit Logs ──
 
   @Get('audit-logs')

apps/api/src/modules/admin/presentation/dto/provision-developer.dto.ts

@@ -0,0 +1,41 @@
+import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
+import {
+  ArrayUnique,
+  IsArray,
+  IsEmail,
+  IsOptional,
+  IsString,
+  MinLength,
+} from 'class-validator';
+
+export class ProvisionDeveloperDto {
+  @ApiProperty({ example: '+84912000001' })
+  @IsString()
+  phone!: string;
+
+  @ApiProperty({ example: 'Velik@2026', minLength: 8 })
+  @IsString()
+  @MinLength(8)
+  password!: string;
+
+  @ApiProperty({ example: 'CĐT Vinhomes' })
+  @IsString()
+  fullName!: string;
+
+  @ApiPropertyOptional({ example: 'cdt-vinhomes@goodgo.vn' })
+  @IsOptional()
+  @IsEmail()
+  email?: string;
+
+  @ApiPropertyOptional({
+    type: [String],
+    description:
+      'ID các dự án sẽ gán quyền sở hữu cho CĐT này (dự án phải chưa có owner).',
+    example: ['seed-project-001', 'seed-project-005'],
+  })
+  @IsOptional()
+  @IsArray()
+  @ArrayUnique()
+  @IsString({ each: true })
+  projectIds?: string[];
+}

apps/api/src/modules/admin/presentation/dto/provision-park-operator.dto.ts

@@ -0,0 +1,41 @@
+import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
+import {
+  ArrayUnique,
+  IsArray,
+  IsEmail,
+  IsOptional,
+  IsString,
+  MinLength,
+} from 'class-validator';
+
+export class ProvisionParkOperatorDto {
+  @ApiProperty({ example: '+84912000002' })
+  @IsString()
+  phone!: string;
+
+  @ApiProperty({ example: 'Velik@2026', minLength: 8 })
+  @IsString()
+  @MinLength(8)
+  password!: string;
+
+  @ApiProperty({ example: 'Vận hành KCN VSIP' })
+  @IsString()
+  fullName!: string;
+
+  @ApiPropertyOptional({ example: 'kcn-vsip@goodgo.vn' })
+  @IsOptional()
+  @IsEmail()
+  email?: string;
+
+  @ApiPropertyOptional({
+    type: [String],
+    description:
+      'ID các KCN sẽ gán quyền vận hành cho user này (KCN phải chưa có owner).',
+    example: ['seed-park-001'],
+  })
+  @IsOptional()
+  @IsArray()
+  @ArrayUnique()
+  @IsString({ each: true })
+  parkIds?: string[];
+}

apps/api/src/modules/industrial/application/commands/create-industrial-park/create-industrial-park.command.ts

@@ -30,5 +30,6 @@ export class CreateIndustrialParkCommand {
     public readonly targetIndustries: string[],
     public readonly description: string | null,
     public readonly descriptionEn: string | null,
+    public readonly ownerId: string | null = null,
   ) {}
 }

apps/api/src/modules/industrial/application/commands/create-industrial-park/create-industrial-park.handler.ts

@@ -59,6 +59,7 @@ export class CreateIndustrialParkHandler implements ICommandHandler<CreateIndust
         description: cmd.description,
         descriptionEn: cmd.descriptionEn,
         isVerified: false,
+        ownerId: cmd.ownerId,
       },
       now,
       now,

apps/api/src/modules/industrial/application/commands/delete-industrial-park/delete-industrial-park.command.ts

@@ -1,3 +1,9 @@
+import type { UserRole } from '@prisma/client';
+
 export class DeleteIndustrialParkCommand {
-  constructor(public readonly id: string) {}
+  constructor(
+    public readonly id: string,
+    public readonly requesterUserId: string,
+    public readonly requesterRole: UserRole,
+  ) {}
 }

apps/api/src/modules/industrial/application/commands/delete-industrial-park/delete-industrial-park.handler.ts

@@ -1,4 +1,4 @@
-import { Inject } from '@nestjs/common';
+import { ForbiddenException, Inject } from '@nestjs/common';
 import { type ICommandHandler, CommandHandler } from '@nestjs/cqrs';
 import { NotFoundException } from '@modules/shared';
 import {
@@ -20,6 +20,14 @@ export class DeleteIndustrialParkHandler implements ICommandHandler<DeleteIndust
       throw new NotFoundException('Khu công nghiệp', cmd.id);
     }
 
+    // Authorisation: ADMIN may delete anything; PARK_OPERATOR may delete only
+    // parks they own.
+    if (cmd.requesterRole !== 'ADMIN') {
+      if (cmd.requesterRole !== 'PARK_OPERATOR' || entity.ownerId !== cmd.requesterUserId) {
+        throw new ForbiddenException('Bạn không có quyền xoá KCN này');
+      }
+    }
+
     await this.repo.delete(cmd.id);
   }
 }

apps/api/src/modules/industrial/application/commands/update-industrial-park/update-industrial-park.command.ts

@@ -1,8 +1,11 @@
-import type { IndustrialParkStatus } from '@prisma/client';
+import type { IndustrialParkStatus, UserRole } from '@prisma/client';
 
 export class UpdateIndustrialParkCommand {
   constructor(
     public readonly id: string,
+    /** User performing the update. Used to enforce ownership for PARK_OPERATOR role. */
+    public readonly requesterUserId: string,
+    public readonly requesterRole: UserRole,
     public readonly name?: string,
     public readonly nameEn?: string | null,
     public readonly developer?: string,
@@ -22,5 +25,7 @@ export class UpdateIndustrialParkCommand {
     public readonly description?: string | null,
     public readonly descriptionEn?: string | null,
     public readonly isVerified?: boolean,
+    /** Admin-only: reassign the owning PARK_OPERATOR user. Null to unassign. */
+    public readonly ownerId?: string | null,
   ) {}
 }

apps/api/src/modules/industrial/application/commands/update-industrial-park/update-industrial-park.handler.ts

@@ -1,4 +1,4 @@
-import { Inject } from '@nestjs/common';
+import { ForbiddenException, Inject } from '@nestjs/common';
 import { type ICommandHandler, CommandHandler } from '@nestjs/cqrs';
 import { NotFoundException } from '@modules/shared';
 import {
@@ -20,6 +20,17 @@ export class UpdateIndustrialParkHandler implements ICommandHandler<UpdateIndust
       throw new NotFoundException('Industrial park', cmd.id);
     }
 
+    // Authorisation: ADMIN may edit anything. PARK_OPERATOR may edit only
+    // parks they own. Reassigning `ownerId` is admin-only.
+    if (cmd.requesterRole !== 'ADMIN') {
+      if (cmd.requesterRole !== 'PARK_OPERATOR' || entity.ownerId !== cmd.requesterUserId) {
+        throw new ForbiddenException('Bạn không có quyền chỉnh sửa KCN này');
+      }
+      if (cmd.ownerId !== undefined) {
+        throw new ForbiddenException('Chỉ admin có thể chuyển quyền sở hữu KCN');
+      }
+    }
+
     entity.updateDetails({
       name: cmd.name,
       nameEn: cmd.nameEn,
@@ -40,6 +51,7 @@ export class UpdateIndustrialParkHandler implements ICommandHandler<UpdateIndust
       description: cmd.description,
       descriptionEn: cmd.descriptionEn,
       isVerified: cmd.isVerified,
+      ...(cmd.ownerId !== undefined && { ownerId: cmd.ownerId }),
     });
 
     await this.repo.update(entity);

apps/api/src/modules/industrial/application/queries/list-industrial-parks/list-industrial-parks.handler.ts

@@ -24,6 +24,7 @@ export class ListIndustrialParksHandler implements IQueryHandler<ListIndustrialP
       minAreaHa: query.minAreaHa,
       maxRentUsdM2: query.maxRentUsdM2,
       targetIndustry: query.targetIndustry,
+      ownerId: query.ownerId,
       page: query.page,
       limit: query.limit,
     });

apps/api/src/modules/industrial/application/queries/list-industrial-parks/list-industrial-parks.query.ts

@@ -11,5 +11,6 @@ export class ListIndustrialParksQuery {
     public readonly targetIndustry?: string,
     public readonly page: number = 1,
     public readonly limit: number = 20,
+    public readonly ownerId?: string,
   ) {}
 }

apps/api/src/modules/industrial/domain/entities/industrial-park.entity.ts

@@ -35,6 +35,7 @@ export interface IndustrialParkProps {
   description: string | null;
   descriptionEn: string | null;
   isVerified: boolean;
+  ownerId: string | null;
 }
 
 export class IndustrialParkEntity extends AggregateRoot<string> {
@@ -71,6 +72,7 @@ export class IndustrialParkEntity extends AggregateRoot<string> {
   private _description: string | null;
   private _descriptionEn: string | null;
   private _isVerified: boolean;
+  private _ownerId: string | null;
 
   constructor(id: string, props: IndustrialParkProps, createdAt: Date, updatedAt: Date) {
     super(id, createdAt, updatedAt);
@@ -107,6 +109,7 @@ export class IndustrialParkEntity extends AggregateRoot<string> {
     this._description = props.description;
     this._descriptionEn = props.descriptionEn;
     this._isVerified = props.isVerified;
+    this._ownerId = props.ownerId;
   }
 
   get name() { return this._name; }
@@ -142,6 +145,7 @@ export class IndustrialParkEntity extends AggregateRoot<string> {
   get description() { return this._description; }
   get descriptionEn() { return this._descriptionEn; }
   get isVerified() { return this._isVerified; }
+  get ownerId() { return this._ownerId; }
 
   updateDetails(props: Partial<IndustrialParkProps>): void {
     if (props.name !== undefined) this._name = props.name;
@@ -167,6 +171,7 @@ export class IndustrialParkEntity extends AggregateRoot<string> {
     if (props.description !== undefined) this._description = props.description;
     if (props.descriptionEn !== undefined) this._descriptionEn = props.descriptionEn;
     if (props.isVerified !== undefined) this._isVerified = props.isVerified;
+    if (props.ownerId !== undefined) this._ownerId = props.ownerId;
     this.updatedAt = new Date();
   }
 }

apps/api/src/modules/industrial/domain/repositories/industrial-park.repository.ts

@@ -11,6 +11,7 @@ export interface IndustrialParkSearchParams {
   minAreaHa?: number;
   maxRentUsdM2?: number;
   targetIndustry?: string;
+  ownerId?: string;
   page?: number;
   limit?: number;
 }
@@ -42,6 +43,7 @@ export interface IndustrialParkListItem {
   targetIndustries: string[];
   latitude: number;
   longitude: number;
+  ownerId: string | null;
 }
 
 export interface IndustrialParkDetailData {
@@ -79,6 +81,7 @@ export interface IndustrialParkDetailData {
   description: string | null;
   descriptionEn: string | null;
   isVerified: boolean;
+  ownerId: string | null;
   listingCount: number;
   createdAt: Date;
   updatedAt: Date;

apps/api/src/modules/industrial/infrastructure/repositories/prisma-industrial-park.repository.ts

@@ -71,7 +71,7 @@ export class PrismaIndustrialParkRepository implements IIndustrialParkRepository
         "landRentUsdM2Year", "rbfRentUsdM2Month", "rbwRentUsdM2Month",
         "managementFeeUsd", infrastructure, connectivity, incentives,
         "targetIndustries", "existingTenants", certifications, media, documents,
-        description, "descriptionEn", "isVerified", "createdAt", "updatedAt"
+        description, "descriptionEn", "isVerified", "ownerId", "createdAt", "updatedAt"
       ) VALUES (
         ${entity.id}, ${entity.name}, ${entity.nameEn}, ${entity.slug},
         ${entity.developer}, ${entity.operator}, ${entity.status}::"IndustrialParkStatus",
@@ -90,7 +90,7 @@ export class PrismaIndustrialParkRepository implements IIndustrialParkRepository
         ${entity.media ? JSON.stringify(entity.media) : null}::jsonb,
         ${entity.documents ? JSON.stringify(entity.documents) : null}::jsonb,
         ${entity.description}, ${entity.descriptionEn},
-        ${entity.isVerified}, ${entity.createdAt}, ${entity.updatedAt}
+        ${entity.isVerified}, ${entity.ownerId}, ${entity.createdAt}, ${entity.updatedAt}
       )
     `;
   }
@@ -118,6 +118,7 @@ export class PrismaIndustrialParkRepository implements IIndustrialParkRepository
         "targetIndustries" = ${entity.targetIndustries}::text[],
         description = ${entity.description}, "descriptionEn" = ${entity.descriptionEn},
         "isVerified" = ${entity.isVerified},
+        "ownerId" = ${entity.ownerId},
         "updatedAt" = ${entity.updatedAt}
       WHERE id = ${entity.id}
     `;
@@ -156,6 +157,10 @@ export class PrismaIndustrialParkRepository implements IIndustrialParkRepository
       conditions.push(`$${paramIndex++} = ANY("targetIndustries")`);
       values.push(params.targetIndustry);
     }
+    if (params.ownerId) {
+      conditions.push(`"ownerId" = $${paramIndex++}`);
+      values.push(params.ownerId);
+    }
     if (params.query) {
       conditions.push(`(name ILIKE $${paramIndex} OR "nameEn" ILIKE $${paramIndex} OR developer ILIKE $${paramIndex} OR province ILIKE $${paramIndex})`);
       values.push(`%${params.query}%`);
@@ -306,6 +311,7 @@ export class PrismaIndustrialParkRepository implements IIndustrialParkRepository
         description: row.description,
         descriptionEn: row.descriptionEn,
         isVerified: row.isVerified,
+        ownerId: row.ownerId,
       },
       row.createdAt,
       row.updatedAt,
@@ -332,6 +338,7 @@ export class PrismaIndustrialParkRepository implements IIndustrialParkRepository
       targetIndustries: row.targetIndustries ?? [],
       latitude: Number(row.lat),
       longitude: Number(row.lng),
+      ownerId: row.ownerId,
     };
   }
 
@@ -371,6 +378,7 @@ export class PrismaIndustrialParkRepository implements IIndustrialParkRepository
       description: row.description,
       descriptionEn: row.descriptionEn,
       isVerified: row.isVerified,
+      ownerId: row.ownerId,
       listingCount: row.listingCount ?? 0,
       createdAt: row.createdAt,
       updatedAt: row.updatedAt,
@@ -414,6 +422,7 @@ interface RawPark {
   description: string | null;
   descriptionEn: string | null;
   isVerified: boolean;
+  ownerId: string | null;
   createdAt: Date;
   updatedAt: Date;
 }

apps/api/src/modules/industrial/presentation/controllers/industrial-parks.controller.ts

@@ -2,7 +2,8 @@ import { Body, Controller, Delete, Get, Param, Patch, Post, Query, UseGuards } f
 import { CommandBus, QueryBus } from '@nestjs/cqrs';
 import { ApiBearerAuth, ApiOperation, ApiResponse, ApiTags } from '@nestjs/swagger';
 import { UserRole } from '@prisma/client';
-import { JwtAuthGuard, Roles, RolesGuard } from '@modules/auth';
+import { CurrentUser, JwtAuthGuard, Roles, RolesGuard } from '@modules/auth';
+import type { JwtPayload } from '@modules/auth';
 import { NotFoundException } from '@modules/shared';
 import { AnalyzeIndustrialLocationQuery } from '../../application/queries/analyze-industrial-location/analyze-industrial-location.query';
 import { CreateIndustrialParkCommand } from '../../application/commands/create-industrial-park/create-industrial-park.command';
@@ -50,6 +51,39 @@ export class IndustrialParksController {
     );
   }
 
+  // ── Park Operator endpoints ───────────────────────────────────────
+
+  @ApiOperation({
+    summary: 'KCN của tôi (Park Operator)',
+    description: 'Danh sách KCN mà user hiện tại vận hành. ADMIN dùng endpoint này để xem KCN đã được gán cho mình.',
+  })
+  @ApiResponse({ status: 200, description: 'Danh sách KCN đã lọc theo owner' })
+  @ApiResponse({ status: 401, description: 'Chưa xác thực' })
+  @ApiResponse({ status: 403, description: 'Không có quyền' })
+  @ApiBearerAuth('JWT')
+  @UseGuards(JwtAuthGuard, RolesGuard)
+  @Roles(UserRole.PARK_OPERATOR, UserRole.ADMIN)
+  @Get('parks/mine/list')
+  async listMyParks(
+    @CurrentUser() user: JwtPayload,
+    @Query() dto: SearchIndustrialParksDto,
+  ) {
+    return this.queryBus.execute(
+      new ListIndustrialParksQuery(
+        dto.q,
+        dto.province,
+        dto.region,
+        dto.status,
+        dto.minAreaHa,
+        dto.maxRentUsdM2,
+        dto.targetIndustry,
+        dto.page ?? 1,
+        dto.limit ?? 20,
+        user.sub,
+      ),
+    );
+  }
+
   @ApiOperation({ summary: 'Chi tiết KCN', description: 'Xem chi tiết KCN theo slug hoặc ID' })
   @ApiResponse({ status: 200, description: 'Thông tin chi tiết KCN' })
   @ApiResponse({ status: 404, description: 'Không tìm thấy KCN' })
@@ -124,9 +158,14 @@ export class IndustrialParksController {
   @ApiResponse({ status: 403, description: 'Không có quyền' })
   @ApiBearerAuth('JWT')
   @UseGuards(JwtAuthGuard, RolesGuard)
-  @Roles(UserRole.ADMIN)
+  @Roles(UserRole.ADMIN, UserRole.PARK_OPERATOR)
   @Post('parks')
-  async createPark(@Body() dto: CreateIndustrialParkDto) {
+  async createPark(
+    @CurrentUser() user: JwtPayload,
+    @Body() dto: CreateIndustrialParkDto,
+  ) {
+    // PARK_OPERATOR callers own what they create; admin may leave unassigned.
+    const ownerId = user.role === UserRole.PARK_OPERATOR ? user.sub : null;
     return this.commandBus.execute(
       new CreateIndustrialParkCommand(
         dto.name,
@@ -157,6 +196,7 @@ export class IndustrialParksController {
         dto.targetIndustries,
         dto.description ?? null,
         dto.descriptionEn ?? null,
+        ownerId,
       ),
     );
   }
@@ -168,12 +208,18 @@ export class IndustrialParksController {
   @ApiResponse({ status: 404, description: 'Không tìm thấy tài nguyên' })
   @ApiBearerAuth('JWT')
   @UseGuards(JwtAuthGuard, RolesGuard)
-  @Roles(UserRole.ADMIN)
+  @Roles(UserRole.ADMIN, UserRole.PARK_OPERATOR)
   @Patch('parks/:id')
-  async updatePark(@Param('id') id: string, @Body() dto: UpdateIndustrialParkDto) {
+  async updatePark(
+    @CurrentUser() user: JwtPayload,
+    @Param('id') id: string,
+    @Body() dto: UpdateIndustrialParkDto,
+  ) {
     return this.commandBus.execute(
       new UpdateIndustrialParkCommand(
         id,
+        user.sub,
+        user.role as UserRole,
         dto.name,
         dto.nameEn,
         dto.developer,
@@ -193,6 +239,7 @@ export class IndustrialParksController {
         dto.description,
         dto.descriptionEn,
         dto.isVerified,
+        dto.ownerId,
       ),
     );
   }
@@ -204,10 +251,15 @@ export class IndustrialParksController {
   @ApiResponse({ status: 404, description: 'Không tìm thấy tài nguyên' })
   @ApiBearerAuth('JWT')
   @UseGuards(JwtAuthGuard, RolesGuard)
-  @Roles(UserRole.ADMIN)
+  @Roles(UserRole.ADMIN, UserRole.PARK_OPERATOR)
   @Delete('parks/:id')
-  async deletePark(@Param('id') id: string): Promise<{ success: true }> {
-    await this.commandBus.execute(new DeleteIndustrialParkCommand(id));
+  async deletePark(
+    @CurrentUser() user: JwtPayload,
+    @Param('id') id: string,
+  ): Promise<{ success: true }> {
+    await this.commandBus.execute(
+      new DeleteIndustrialParkCommand(id, user.sub, user.role as UserRole),
+    );
     return { success: true };
   }
 }

apps/api/src/modules/industrial/presentation/dto/update-industrial-park.dto.ts

@@ -120,4 +120,9 @@ export class UpdateIndustrialParkDto {
   @IsOptional()
   @IsBoolean()
   isVerified?: boolean;
+
+  @ApiPropertyOptional()
+  @IsOptional()
+  @IsString()
+  ownerId?: string | null;
 }

apps/api/src/modules/projects/application/commands/create-project/create-project.command.ts

@@ -29,5 +29,11 @@ export class CreateProjectCommand {
     public readonly completionDate: Date | null,
     public readonly suitableFor: string[] = [],
     public readonly whyThisLocation: string | null = null,
+    /**
+     * Owner of the new project. Admin can pass any user id (e.g. when
+     * provisioning a project on behalf of a CĐT). DEVELOPER callers are
+     * forced to their own id. Null = unassigned (admin-managed).
+     */
+    public readonly ownerId: string | null = null,
   ) {}
 }

apps/api/src/modules/projects/application/commands/create-project/create-project.handler.ts

@@ -57,6 +57,7 @@ export class CreateProjectHandler implements ICommandHandler<CreateProjectComman
         suitableFor: cmd.suitableFor ?? [],
         whyThisLocation: cmd.whyThisLocation ?? null,
         isVerified: false,
+        ownerId: cmd.ownerId ?? null,
       },
       now,
       now,

apps/api/src/modules/projects/application/commands/delete-project/delete-project.command.ts

@@ -1,3 +1,9 @@
+import type { UserRole } from '@prisma/client';
+
 export class DeleteProjectCommand {
-  constructor(public readonly id: string) {}
+  constructor(
+    public readonly id: string,
+    public readonly requesterUserId: string,
+    public readonly requesterRole: UserRole,
+  ) {}
 }

apps/api/src/modules/projects/application/commands/delete-project/delete-project.handler.ts

@@ -1,4 +1,4 @@
-import { Inject } from '@nestjs/common';
+import { ForbiddenException, Inject } from '@nestjs/common';
 import { type ICommandHandler, CommandHandler } from '@nestjs/cqrs';
 import { NotFoundException } from '@modules/shared';
 import {
@@ -20,6 +20,14 @@ export class DeleteProjectHandler implements ICommandHandler<DeleteProjectComman
       throw new NotFoundException('Dự án', cmd.id);
     }
 
+    // Authorisation: ADMIN may delete anything; DEVELOPER may delete only
+    // projects they own.
+    if (cmd.requesterRole !== 'ADMIN') {
+      if (cmd.requesterRole !== 'DEVELOPER' || entity.ownerId !== cmd.requesterUserId) {
+        throw new ForbiddenException('Bạn không có quyền xoá dự án này');
+      }
+    }
+
     await this.repo.delete(cmd.id);
   }
 }

apps/api/src/modules/projects/application/commands/update-project/update-project.command.ts

@@ -1,8 +1,11 @@
-import type { ProjectDevelopmentStatus } from '@prisma/client';
+import type { ProjectDevelopmentStatus, UserRole } from '@prisma/client';
 
 export class UpdateProjectCommand {
   constructor(
     public readonly id: string,
+    /** User performing the update. Used to enforce ownership for DEVELOPER role. */
+    public readonly requesterUserId: string,
+    public readonly requesterRole: UserRole,
     public readonly name?: string,
     public readonly developer?: string,
     public readonly developerLogo?: string | null,
@@ -27,5 +30,7 @@ export class UpdateProjectCommand {
     public readonly completionDate?: Date | null,
     public readonly suitableFor?: string[],
     public readonly whyThisLocation?: string | null,
+    /** Admin-only: reassign the owning DEVELOPER user. Null to unassign. */
+    public readonly ownerId?: string | null,
   ) {}
 }

apps/api/src/modules/projects/application/commands/update-project/update-project.handler.ts

@@ -1,4 +1,4 @@
-import { Inject } from '@nestjs/common';
+import { ForbiddenException, Inject } from '@nestjs/common';
 import { type ICommandHandler, CommandHandler } from '@nestjs/cqrs';
 import { NotFoundException } from '@modules/shared';
 import {
@@ -20,6 +20,17 @@ export class UpdateProjectHandler implements ICommandHandler<UpdateProjectComman
       throw new NotFoundException('Dự án', cmd.id);
     }
 
+    // Authorisation: ADMIN may edit anything. DEVELOPER may edit only projects
+    // they own. Reassigning `ownerId` is admin-only.
+    if (cmd.requesterRole !== 'ADMIN') {
+      if (cmd.requesterRole !== 'DEVELOPER' || entity.ownerId !== cmd.requesterUserId) {
+        throw new ForbiddenException('Bạn không có quyền chỉnh sửa dự án này');
+      }
+      if (cmd.ownerId !== undefined) {
+        throw new ForbiddenException('Chỉ admin có thể chuyển quyền sở hữu dự án');
+      }
+    }
+
     entity.updateDetails({
       ...(cmd.name !== undefined && { name: cmd.name }),
       ...(cmd.developer !== undefined && { developer: cmd.developer }),
@@ -45,6 +56,7 @@ export class UpdateProjectHandler implements ICommandHandler<UpdateProjectComman
       ...(cmd.isVerified !== undefined && { isVerified: cmd.isVerified }),
       ...(cmd.startDate !== undefined && { startDate: cmd.startDate }),
       ...(cmd.completionDate !== undefined && { completionDate: cmd.completionDate }),
+      ...(cmd.ownerId !== undefined && { ownerId: cmd.ownerId }),
     });
 
     await this.repo.update(entity);

apps/api/src/modules/projects/application/queries/get-project-stats/get-project-stats.handler.ts

@@ -0,0 +1,89 @@
+import { ForbiddenException, Inject } from '@nestjs/common';
+import { type IQueryHandler, QueryHandler } from '@nestjs/cqrs';
+import { NotFoundException, PrismaService } from '@modules/shared';
+import {
+  PROJECT_REPOSITORY,
+  type IProjectRepository,
+} from '../../../domain/repositories/project-development.repository';
+import { GetProjectStatsQuery } from './get-project-stats.query';
+
+export interface ProjectStats {
+  projectId: string;
+  linkedListingCount: number;
+  activeListingCount: number;
+  totalInquiries: number;
+  unreadInquiries: number;
+  savedByUsers: number;
+}
+
+interface StatsRow {
+  linked: bigint;
+  active: bigint;
+  inquiries: bigint;
+  unread: bigint;
+  saves: bigint;
+}
+
+/**
+ * Aggregates project-level metrics for the "Dự án của tôi" dashboard.
+ * Visible to ADMIN (any project) and DEVELOPER (only projects they own).
+ */
+@QueryHandler(GetProjectStatsQuery)
+export class GetProjectStatsHandler
+  implements IQueryHandler<GetProjectStatsQuery, ProjectStats>
+{
+  constructor(
+    @Inject(PROJECT_REPOSITORY)
+    private readonly projectRepo: IProjectRepository,
+    private readonly prisma: PrismaService,
+  ) {}
+
+  async execute(query: GetProjectStatsQuery): Promise<ProjectStats> {
+    const project = await this.projectRepo.findById(query.projectId);
+    if (!project) {
+      throw new NotFoundException('Dự án', query.projectId);
+    }
+
+    if (query.requesterRole !== 'ADMIN') {
+      if (
+        query.requesterRole !== 'DEVELOPER' ||
+        project.ownerId !== query.requesterUserId
+      ) {
+        throw new ForbiddenException('Bạn không có quyền xem thống kê dự án này');
+      }
+    }
+
+    // Single-round-trip aggregate pulling listing + inquiry + savedListing
+    // counts via the Property link.
+    const rows = await this.prisma.$queryRaw<StatsRow[]>`
+      SELECT
+        COUNT(DISTINCT l.id) FILTER (WHERE l.id IS NOT NULL) AS linked,
+        COUNT(DISTINCT l.id) FILTER (WHERE l.status = 'APPROVED') AS active,
+        COUNT(DISTINCT i.id) FILTER (WHERE i.id IS NOT NULL) AS inquiries,
+        COUNT(DISTINCT i.id) FILTER (WHERE i.id IS NOT NULL AND i."isRead" = FALSE) AS unread,
+        COUNT(DISTINCT sl."userId") FILTER (WHERE sl."userId" IS NOT NULL) AS saves
+      FROM "Property" p
+      LEFT JOIN "Listing" l ON l."propertyId" = p.id
+      LEFT JOIN "Inquiry" i ON i."listingId" = l.id
+      LEFT JOIN "SavedListing" sl ON sl."listingId" = l.id
+      WHERE p."projectDevelopmentId" = ${query.projectId}
+    `;
+
+    const row = rows[0] ?? {
+      linked: BigInt(0),
+      active: BigInt(0),
+      inquiries: BigInt(0),
+      unread: BigInt(0),
+      saves: BigInt(0),
+    };
+
+    return {
+      projectId: query.projectId,
+      linkedListingCount: Number(row.linked),
+      activeListingCount: Number(row.active),
+      totalInquiries: Number(row.inquiries),
+      unreadInquiries: Number(row.unread),
+      savedByUsers: Number(row.saves),
+    };
+  }
+}

apps/api/src/modules/projects/application/queries/get-project-stats/get-project-stats.query.ts

@@ -0,0 +1,9 @@
+import type { UserRole } from '@prisma/client';
+
+export class GetProjectStatsQuery {
+  constructor(
+    public readonly projectId: string,
+    public readonly requesterUserId: string,
+    public readonly requesterRole: UserRole,
+  ) {}
+}

apps/api/src/modules/projects/application/queries/list-projects/list-projects.handler.ts

@@ -23,6 +23,7 @@ export class ListProjectsHandler implements IQueryHandler<ListProjectsQuery> {
       district: query.district,
       developer: query.developer,
       isVerified: query.isVerified,
+      ownerId: query.ownerId,
       page: query.page,
       limit: query.limit,
     });

apps/api/src/modules/projects/application/queries/list-projects/list-projects.query.ts

@@ -10,5 +10,7 @@ export class ListProjectsQuery {
     public readonly isVerified: boolean | undefined,
     public readonly page: number,
     public readonly limit: number,
+    /** When set, restrict results to projects owned by this user id. */
+    public readonly ownerId?: string,
   ) {}
 }

apps/api/src/modules/projects/domain/entities/project-development.entity.ts

@@ -33,6 +33,8 @@ export interface ProjectDevelopmentProps {
   suitableFor: string[];
   whyThisLocation: string | null;
   isVerified: boolean;
+  /** Owning DEVELOPER user id; null when not yet assigned (admin-managed). */
+  ownerId: string | null;
 }
 
 export class ProjectDevelopmentEntity extends AggregateRoot<string> {
@@ -67,6 +69,7 @@ export class ProjectDevelopmentEntity extends AggregateRoot<string> {
   private _suitableFor: string[];
   private _whyThisLocation: string | null;
   private _isVerified: boolean;
+  private _ownerId: string | null;
 
   constructor(id: string, props: ProjectDevelopmentProps, createdAt: Date, updatedAt: Date) {
     super(id, createdAt, updatedAt);
@@ -101,6 +104,7 @@ export class ProjectDevelopmentEntity extends AggregateRoot<string> {
     this._suitableFor = props.suitableFor;
     this._whyThisLocation = props.whyThisLocation;
     this._isVerified = props.isVerified;
+    this._ownerId = props.ownerId;
   }
 
   get name() { return this._name; }
@@ -134,6 +138,7 @@ export class ProjectDevelopmentEntity extends AggregateRoot<string> {
   get suitableFor() { return this._suitableFor; }
   get whyThisLocation() { return this._whyThisLocation; }
   get isVerified() { return this._isVerified; }
+  get ownerId() { return this._ownerId; }
 
   updateDetails(props: Partial<ProjectDevelopmentProps>): void {
     if (props.name !== undefined) this._name = props.name;
@@ -160,6 +165,7 @@ export class ProjectDevelopmentEntity extends AggregateRoot<string> {
     if (props.suitableFor !== undefined) this._suitableFor = props.suitableFor;
     if (props.whyThisLocation !== undefined) this._whyThisLocation = props.whyThisLocation;
     if (props.isVerified !== undefined) this._isVerified = props.isVerified;
+    if (props.ownerId !== undefined) this._ownerId = props.ownerId;
     this.updatedAt = new Date();
   }
 }

apps/api/src/modules/projects/domain/repositories/project-development.repository.ts

@@ -10,6 +10,8 @@ export interface ProjectSearchParams {
   district?: string;
   developer?: string;
   isVerified?: boolean;
+  /** When set, restrict results to projects owned by this user id. */
+  ownerId?: string;
   page?: number;
   limit?: number;
 }
@@ -42,6 +44,7 @@ export interface ProjectListItem {
   suitableFor: string[];
   whyThisLocation: string | null;
   isVerified: boolean;
+  ownerId: string | null;
   latitude: number;
   longitude: number;
   propertyCount: number;

apps/api/src/modules/projects/infrastructure/repositories/prisma-project-development.repository.ts

@@ -68,7 +68,8 @@ export class PrismaProjectDevelopmentRepository implements IProjectRepository {
         location, address, ward, district, city,
         "minPrice", "maxPrice", "pricePerM2Range", "totalArea",
         "buildingCount", "floorCount", "unitTypes", media, documents,
-        tags, "suitableFor", "whyThisLocation", "isVerified", "createdAt", "updatedAt"
+        tags, "suitableFor", "whyThisLocation", "isVerified", "ownerId",
+        "createdAt", "updatedAt"
       ) VALUES (
         ${entity.id}, ${entity.name}, ${entity.slug}, ${entity.developer},
         ${entity.developerLogo}, ${entity.totalUnits}, ${entity.completedUnits},
@@ -88,7 +89,8 @@ export class PrismaProjectDevelopmentRepository implements IProjectRepository {
         ${entity.tags}::text[],
         ${entity.suitableFor}::text[],
         ${entity.whyThisLocation},
-        ${entity.isVerified}, ${entity.createdAt}, ${entity.updatedAt}
+        ${entity.isVerified}, ${entity.ownerId},
+        ${entity.createdAt}, ${entity.updatedAt}
       )
     `;
   }
@@ -119,6 +121,7 @@ export class PrismaProjectDevelopmentRepository implements IProjectRepository {
         "suitableFor" = ${entity.suitableFor}::text[],
         "whyThisLocation" = ${entity.whyThisLocation},
         "isVerified" = ${entity.isVerified},
+        "ownerId" = ${entity.ownerId},
         "updatedAt" = ${entity.updatedAt}
       WHERE id = ${entity.id}
     `;
@@ -153,6 +156,10 @@ export class PrismaProjectDevelopmentRepository implements IProjectRepository {
       conditions.push(`"isVerified" = $${paramIndex++}`);
       values.push(params.isVerified);
     }
+    if (params.ownerId) {
+      conditions.push(`"ownerId" = $${paramIndex++}`);
+      values.push(params.ownerId);
+    }
     if (params.query) {
       conditions.push(`(name ILIKE $${paramIndex} OR developer ILIKE $${paramIndex} OR district ILIKE $${paramIndex} OR city ILIKE $${paramIndex})`);
       values.push(`%${params.query}%`);
@@ -223,6 +230,7 @@ export class PrismaProjectDevelopmentRepository implements IProjectRepository {
         suitableFor: row.suitableFor ?? [],
         whyThisLocation: row.whyThisLocation,
         isVerified: row.isVerified,
+        ownerId: row.ownerId,
       },
       row.createdAt,
       row.updatedAt,
@@ -250,6 +258,7 @@ export class PrismaProjectDevelopmentRepository implements IProjectRepository {
       suitableFor: row.suitableFor ?? [],
       whyThisLocation: row.whyThisLocation,
       isVerified: row.isVerified,
+      ownerId: row.ownerId,
       latitude: Number(row.lat),
       longitude: Number(row.lng),
       propertyCount: row.propertyCount ?? 0,
@@ -309,6 +318,7 @@ interface RawProject {
   suitableFor: string[] | null;
   whyThisLocation: string | null;
   isVerified: boolean;
+  ownerId: string | null;
   createdAt: Date;
   updatedAt: Date;
 }

apps/api/src/modules/projects/presentation/controllers/projects.controller.ts

@@ -2,12 +2,15 @@ import { Body, Controller, Delete, Get, Param, Patch, Post, Query, UseGuards } f
 import { CommandBus, QueryBus } from '@nestjs/cqrs';
 import { ApiBearerAuth, ApiOperation, ApiResponse, ApiTags } from '@nestjs/swagger';
 import { UserRole } from '@prisma/client';
-import { JwtAuthGuard, Roles, RolesGuard } from '@modules/auth';
+import { CurrentUser, JwtAuthGuard, Roles, RolesGuard } from '@modules/auth';
+import type { JwtPayload } from '@modules/auth';
 import { NotFoundException } from '@modules/shared';
 import { CreateProjectCommand } from '../../application/commands/create-project/create-project.command';
 import { DeleteProjectCommand } from '../../application/commands/delete-project/delete-project.command';
 import { UpdateProjectCommand } from '../../application/commands/update-project/update-project.command';
 import { GetProjectQuery } from '../../application/queries/get-project/get-project.query';
+import { type ProjectStats } from '../../application/queries/get-project-stats/get-project-stats.handler';
+import { GetProjectStatsQuery } from '../../application/queries/get-project-stats/get-project-stats.query';
 import { ListProjectsQuery } from '../../application/queries/list-projects/list-projects.query';
 import { CreateProjectDto } from '../dto/create-project.dto';
 import { SearchProjectsDto } from '../dto/search-projects.dto';
@@ -78,6 +81,64 @@ export class ProjectsController {
     return { ...result, data: result.data.map(shapeProject) };
   }
 
+  // ── Developer (CĐT) endpoints ─────────────────────────────────────
+
+  @ApiOperation({
+    summary: 'Dự án của tôi (CĐT)',
+    description: 'Danh sách dự án mà user hiện tại là chủ đầu tư. ADMIN dùng endpoint này để xem tất cả dự án mình đã được gán.',
+  })
+  @ApiResponse({ status: 200, description: 'Danh sách dự án đã lọc theo owner' })
+  @ApiResponse({ status: 401, description: 'Chưa xác thực' })
+  @ApiResponse({ status: 403, description: 'Không có quyền' })
+  @ApiBearerAuth('JWT')
+  @UseGuards(JwtAuthGuard, RolesGuard)
+  @Roles(UserRole.DEVELOPER, UserRole.ADMIN)
+  @Get('mine/list')
+  async listMyProjects(
+    @CurrentUser() user: JwtPayload,
+    @Query() dto: SearchProjectsDto,
+  ) {
+    const result = await this.queryBus.execute<
+      ListProjectsQuery,
+      { data: RawProjectListItem[]; total: number; page: number; limit: number; totalPages: number }
+    >(
+      new ListProjectsQuery(
+        dto.q,
+        dto.status,
+        dto.city,
+        dto.district,
+        dto.developer,
+        dto.isVerified,
+        dto.page ?? 1,
+        dto.limit ?? 20,
+        user.sub,
+      ),
+    );
+    return { ...result, data: result.data.map(shapeProject) };
+  }
+
+  @ApiOperation({
+    summary: 'Thống kê dự án (CĐT / admin)',
+    description:
+      'Trả về số listings, inquiries (chưa đọc), users đã lưu. Admin xem được mọi dự án; DEVELOPER chỉ xem được dự án của mình.',
+  })
+  @ApiResponse({ status: 200, description: 'Thống kê dự án' })
+  @ApiResponse({ status: 401, description: 'Chưa xác thực' })
+  @ApiResponse({ status: 403, description: 'Không có quyền' })
+  @ApiResponse({ status: 404, description: 'Không tìm thấy dự án' })
+  @ApiBearerAuth('JWT')
+  @UseGuards(JwtAuthGuard, RolesGuard)
+  @Roles(UserRole.DEVELOPER, UserRole.ADMIN)
+  @Get(':id/stats')
+  async getProjectStats(
+    @CurrentUser() user: JwtPayload,
+    @Param('id') id: string,
+  ): Promise<ProjectStats> {
+    return this.queryBus.execute(
+      new GetProjectStatsQuery(id, user.sub, user.role as UserRole),
+    );
+  }
+
   @ApiOperation({ summary: 'Chi tiết dự án', description: 'Xem chi tiết dự án theo slug hoặc ID' })
   @ApiResponse({ status: 200, description: 'Thông tin chi tiết dự án' })
   @ApiResponse({ status: 404, description: 'Không tìm thấy dự án' })
@@ -94,16 +155,22 @@ export class ProjectsController {
 
   // ── Admin endpoints ───────────────────────────────────────────────
 
-  @ApiOperation({ summary: 'Tạo dự án (admin)', description: 'Tạo mới dự án bất động sản' })
+  @ApiOperation({ summary: 'Tạo dự án', description: 'Admin tạo dự án tuỳ ý; CĐT (DEVELOPER) tạo dự án của mình (tự động gán ownerId).' })
   @ApiResponse({ status: 201, description: 'Dự án đã tạo' })
   @ApiResponse({ status: 400, description: 'Validation error' })
   @ApiResponse({ status: 401, description: 'Chưa xác thực' })
   @ApiResponse({ status: 403, description: 'Không có quyền' })
   @ApiBearerAuth('JWT')
   @UseGuards(JwtAuthGuard, RolesGuard)
-  @Roles(UserRole.ADMIN)
+  @Roles(UserRole.ADMIN, UserRole.DEVELOPER)
   @Post()
-  async createProject(@Body() dto: CreateProjectDto) {
+  async createProject(
+    @CurrentUser() user: JwtPayload,
+    @Body() dto: CreateProjectDto,
+  ) {
+    // DEVELOPER callers own what they create; admin may pass ownerId in DTO
+    // (not yet exposed — use PATCH to reassign) or leave unassigned.
+    const ownerId = user.role === UserRole.DEVELOPER ? user.sub : null;
     return this.commandBus.execute(
       new CreateProjectCommand(
         dto.name,
@@ -133,23 +200,30 @@ export class ProjectsController {
         dto.completionDate ? new Date(dto.completionDate) : null,
         dto.suitableFor ?? [],
         dto.whyThisLocation ?? null,
+        ownerId,
       ),
     );
   }
 
-  @ApiOperation({ summary: 'Cập nhật dự án (admin)', description: 'Cập nhật thông tin dự án' })
+  @ApiOperation({ summary: 'Cập nhật dự án', description: 'Admin cập nhật bất kỳ dự án nào; CĐT (DEVELOPER) chỉ cập nhật dự án mình làm chủ.' })
   @ApiResponse({ status: 200, description: 'Dự án đã cập nhật' })
   @ApiResponse({ status: 401, description: 'Chưa xác thực' })
   @ApiResponse({ status: 403, description: 'Không có quyền' })
   @ApiResponse({ status: 404, description: 'Không tìm thấy tài nguyên' })
   @ApiBearerAuth('JWT')
   @UseGuards(JwtAuthGuard, RolesGuard)
-  @Roles(UserRole.ADMIN)
+  @Roles(UserRole.ADMIN, UserRole.DEVELOPER)
   @Patch(':id')
-  async updateProject(@Param('id') id: string, @Body() dto: UpdateProjectDto) {
+  async updateProject(
+    @CurrentUser() user: JwtPayload,
+    @Param('id') id: string,
+    @Body() dto: UpdateProjectDto,
+  ) {
     return this.commandBus.execute(
       new UpdateProjectCommand(
         id,
+        user.sub,
+        user.role as UserRole,
         dto.name,
         dto.developer,
         dto.developerLogo,
@@ -174,21 +248,27 @@ export class ProjectsController {
         dto.completionDate !== undefined ? (dto.completionDate ? new Date(dto.completionDate) : null) : undefined,
         dto.suitableFor,
         dto.whyThisLocation,
+        dto.ownerId,
       ),
     );
   }
 
-  @ApiOperation({ summary: 'Xóa dự án (admin)', description: 'Xóa vĩnh viễn dự án bất động sản' })
-  @ApiResponse({ status: 200, description: 'Dự án đã xóa' })
+  @ApiOperation({ summary: 'Xoá dự án', description: 'Admin xoá bất kỳ dự án nào; CĐT (DEVELOPER) chỉ xoá dự án của mình.' })
+  @ApiResponse({ status: 200, description: 'Dự án đã xoá' })
   @ApiResponse({ status: 401, description: 'Chưa xác thực' })
   @ApiResponse({ status: 403, description: 'Không có quyền' })
   @ApiResponse({ status: 404, description: 'Không tìm thấy tài nguyên' })
   @ApiBearerAuth('JWT')
   @UseGuards(JwtAuthGuard, RolesGuard)
-  @Roles(UserRole.ADMIN)
+  @Roles(UserRole.ADMIN, UserRole.DEVELOPER)
   @Delete(':id')
-  async deleteProject(@Param('id') id: string): Promise<{ success: true }> {
-    await this.commandBus.execute(new DeleteProjectCommand(id));
+  async deleteProject(
+    @CurrentUser() user: JwtPayload,
+    @Param('id') id: string,
+  ): Promise<{ success: true }> {
+    await this.commandBus.execute(
+      new DeleteProjectCommand(id, user.sub, user.role as UserRole),
+    );
     return { success: true };
   }
 }

apps/api/src/modules/projects/presentation/dto/update-project.dto.ts

@@ -55,4 +55,10 @@ export class UpdateProjectDto {
   @ApiPropertyOptional() @IsOptional() @IsBoolean() isVerified?: boolean;
   @ApiPropertyOptional() @IsOptional() @IsDateString() startDate?: string | null;
   @ApiPropertyOptional() @IsOptional() @IsDateString() completionDate?: string | null;
+
+  @ApiPropertyOptional({
+    description:
+      'Gán / đổi / gỡ CĐT (DEVELOPER user id). Chỉ admin được đổi; null để gỡ.',
+  })
+  @IsOptional() @IsString() ownerId?: string | null;
 }

apps/api/src/modules/projects/projects.module.ts

@@ -4,13 +4,14 @@ import { CreateProjectHandler } from './application/commands/create-project/crea
 import { DeleteProjectHandler } from './application/commands/delete-project/delete-project.handler';
 import { UpdateProjectHandler } from './application/commands/update-project/update-project.handler';
 import { GetProjectHandler } from './application/queries/get-project/get-project.handler';
+import { GetProjectStatsHandler } from './application/queries/get-project-stats/get-project-stats.handler';
 import { ListProjectsHandler } from './application/queries/list-projects/list-projects.handler';
 import { PROJECT_REPOSITORY } from './domain/repositories/project-development.repository';
 import { PrismaProjectDevelopmentRepository } from './infrastructure/repositories/prisma-project-development.repository';
 import { ProjectsController } from './presentation/controllers/projects.controller';
 
 const CommandHandlers = [CreateProjectHandler, UpdateProjectHandler, DeleteProjectHandler];
-const QueryHandlers = [GetProjectHandler, ListProjectsHandler];
+const QueryHandlers = [GetProjectHandler, ListProjectsHandler, GetProjectStatsHandler];
 
 @Module({
   imports: [CqrsModule],

apps/api/src/modules/shared/infrastructure/guards/user-rate-limit.guard.ts

@@ -18,6 +18,8 @@ export const DEFAULT_ROLE_LIMITS: Record<UserRole, number> = {
   BUYER: 100,
   SELLER: 150,
   AGENT: 200,
+  DEVELOPER: 300,
+  PARK_OPERATOR: 300,
   ADMIN: 500,
 };