feat(auth): add DEVELOPER + PARK_OPERATOR roles with owner scoping (B2B accounts)

Two new B2B roles for CĐT (project developers) and KCN operators, provisioned by
admin. Each account owns a subset of ProjectDevelopment / IndustrialPark records
and can CRUD them from the dashboard; admin retains full access.

Phase 1 — Schema
- Extend UserRole enum with DEVELOPER + PARK_OPERATOR (before ADMIN)
- ProjectDevelopment.ownerId FK (User, ON DELETE SET NULL) + index
- IndustrialPark.ownerId FK + index
- Migration 20260420030000

Phase 2a — Backend authorization
- CreateProjectCommand + CreateIndustrialParkCommand accept ownerId; controllers
  auto-set it to the caller's user id when role=DEVELOPER / PARK_OPERATOR
- Update + Delete commands gain (requesterUserId, requesterRole) and enforce
  ADMIN-or-owner via ForbiddenException; reassigning ownerId is admin-only
- Search params gain optional ownerId filter wired through Prisma repos
- New endpoints: GET /projects/mine/list, GET /industrial/parks/mine/list
- user-rate-limit guard: add DEVELOPER + PARK_OPERATOR entries (300/window)

Phase 2b — Admin provision
- ProvisionDeveloperCommand/Handler: create user (role=DEVELOPER), pre-validate
  target projects have no existing owner, batch-assign ownerId
- ProvisionParkOperatorCommand/Handler: same for PARK_OPERATOR + IndustrialPark
- POST /admin/accounts/developers, POST /admin/accounts/park-operators (admin-only)
- DTOs with phone/password/fullName/email + optional {project,park}Ids[]

Phase 2c — Project stats for developer dashboard
- GetProjectStatsQuery + handler: aggregates linkedListingCount, activeListingCount,
  totalInquiries, unreadInquiries, savedByUsers via Property → Listing → Inquiry chain
- GET /projects/:id/stats — admin sees all, DEVELOPER only their own (403 otherwise)

Phase 3 — Frontend
- Dashboard layout role-aware: DEVELOPER sees "Dự án của tôi" + CRM + Profile (hides
  listings/analytics/subscription); PARK_OPERATOR sees "KCN của tôi" equivalent
- /projects dashboard page switches to duAnApi.searchMine() when role=DEVELOPER
- /industrial-parks page switches to industrialApi.searchMine() when role=PARK_OPERATOR
- Admin nav gains "Tài khoản CĐT" + "Tài khoản KCN" entries
- New pages /admin/accounts/developers + /admin/accounts/park-operators with
  checkbox-based multi-select for linking entities
- adminApi.provisionDeveloper + provisionParkOperator + types
- duAnApi.searchMine + getStats; industrialApi.searchMine
- Login demo accounts list includes CĐT Vingroup + KCN VSIP

Phase 4 — Seed (prisma/seed-b2b-accounts.ts)
- DEVELOPER "CĐT Vingroup" (+84912000001) owns 4 projects
- DEVELOPER "CĐT Masterise Homes" (+84912000003) owns 2 projects
- PARK_OPERATOR "Vận hành KCN VSIP" (+84912000002) owns 2 seeded KCN
- Password Velik@2026 for all

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

apps/api/src/modules/projects/application/queries/get-project-stats/get-project-stats.handler.ts

@@ -0,0 +1,89 @@
+import { ForbiddenException, Inject } from '@nestjs/common';
+import { type IQueryHandler, QueryHandler } from '@nestjs/cqrs';
+import { NotFoundException, PrismaService } from '@modules/shared';
+import {
+  PROJECT_REPOSITORY,
+  type IProjectRepository,
+} from '../../../domain/repositories/project-development.repository';
+import { GetProjectStatsQuery } from './get-project-stats.query';
+
+export interface ProjectStats {
+  projectId: string;
+  linkedListingCount: number;
+  activeListingCount: number;
+  totalInquiries: number;
+  unreadInquiries: number;
+  savedByUsers: number;
+}
+
+interface StatsRow {
+  linked: bigint;
+  active: bigint;
+  inquiries: bigint;
+  unread: bigint;
+  saves: bigint;
+}
+
+/**
+ * Aggregates project-level metrics for the "Dự án của tôi" dashboard.
+ * Visible to ADMIN (any project) and DEVELOPER (only projects they own).
+ */
+@QueryHandler(GetProjectStatsQuery)
+export class GetProjectStatsHandler
+  implements IQueryHandler<GetProjectStatsQuery, ProjectStats>
+{
+  constructor(
+    @Inject(PROJECT_REPOSITORY)
+    private readonly projectRepo: IProjectRepository,
+    private readonly prisma: PrismaService,
+  ) {}
+
+  async execute(query: GetProjectStatsQuery): Promise<ProjectStats> {
+    const project = await this.projectRepo.findById(query.projectId);
+    if (!project) {
+      throw new NotFoundException('Dự án', query.projectId);
+    }
+
+    if (query.requesterRole !== 'ADMIN') {
+      if (
+        query.requesterRole !== 'DEVELOPER' ||
+        project.ownerId !== query.requesterUserId
+      ) {
+        throw new ForbiddenException('Bạn không có quyền xem thống kê dự án này');
+      }
+    }
+
+    // Single-round-trip aggregate pulling listing + inquiry + savedListing
+    // counts via the Property link.
+    const rows = await this.prisma.$queryRaw<StatsRow[]>`
+      SELECT
+        COUNT(DISTINCT l.id) FILTER (WHERE l.id IS NOT NULL) AS linked,
+        COUNT(DISTINCT l.id) FILTER (WHERE l.status = 'APPROVED') AS active,
+        COUNT(DISTINCT i.id) FILTER (WHERE i.id IS NOT NULL) AS inquiries,
+        COUNT(DISTINCT i.id) FILTER (WHERE i.id IS NOT NULL AND i."isRead" = FALSE) AS unread,
+        COUNT(DISTINCT sl."userId") FILTER (WHERE sl."userId" IS NOT NULL) AS saves
+      FROM "Property" p
+      LEFT JOIN "Listing" l ON l."propertyId" = p.id
+      LEFT JOIN "Inquiry" i ON i."listingId" = l.id
+      LEFT JOIN "SavedListing" sl ON sl."listingId" = l.id
+      WHERE p."projectDevelopmentId" = ${query.projectId}
+    `;
+
+    const row = rows[0] ?? {
+      linked: BigInt(0),
+      active: BigInt(0),
+      inquiries: BigInt(0),
+      unread: BigInt(0),
+      saves: BigInt(0),
+    };
+
+    return {
+      projectId: query.projectId,
+      linkedListingCount: Number(row.linked),
+      activeListingCount: Number(row.active),
+      totalInquiries: Number(row.inquiries),
+      unreadInquiries: Number(row.unread),
+      savedByUsers: Number(row.saves),
+    };
+  }
+}

apps/api/src/modules/projects/application/queries/get-project-stats/get-project-stats.query.ts

@@ -0,0 +1,9 @@
+import type { UserRole } from '@prisma/client';
+
+export class GetProjectStatsQuery {
+  constructor(
+    public readonly projectId: string,
+    public readonly requesterUserId: string,
+    public readonly requesterRole: UserRole,
+  ) {}
+}

apps/api/src/modules/projects/application/queries/list-projects/list-projects.handler.ts

@@ -23,6 +23,7 @@ export class ListProjectsHandler implements IQueryHandler<ListProjectsQuery> {
       district: query.district,
       developer: query.developer,
       isVerified: query.isVerified,
+      ownerId: query.ownerId,
       page: query.page,
       limit: query.limit,
     });

apps/api/src/modules/projects/application/queries/list-projects/list-projects.query.ts

@@ -10,5 +10,7 @@ export class ListProjectsQuery {
     public readonly isVerified: boolean | undefined,
     public readonly page: number,
     public readonly limit: number,
+    /** When set, restrict results to projects owned by this user id. */
+    public readonly ownerId?: string,
   ) {}
 }