feat(auth): add DEVELOPER + PARK_OPERATOR roles with owner scoping (B2B accounts)

Two new B2B roles for CĐT (project developers) and KCN operators, provisioned by
admin. Each account owns a subset of ProjectDevelopment / IndustrialPark records
and can CRUD them from the dashboard; admin retains full access.

Phase 1 — Schema
- Extend UserRole enum with DEVELOPER + PARK_OPERATOR (before ADMIN)
- ProjectDevelopment.ownerId FK (User, ON DELETE SET NULL) + index
- IndustrialPark.ownerId FK + index
- Migration 20260420030000

Phase 2a — Backend authorization
- CreateProjectCommand + CreateIndustrialParkCommand accept ownerId; controllers
  auto-set it to the caller's user id when role=DEVELOPER / PARK_OPERATOR
- Update + Delete commands gain (requesterUserId, requesterRole) and enforce
  ADMIN-or-owner via ForbiddenException; reassigning ownerId is admin-only
- Search params gain optional ownerId filter wired through Prisma repos
- New endpoints: GET /projects/mine/list, GET /industrial/parks/mine/list
- user-rate-limit guard: add DEVELOPER + PARK_OPERATOR entries (300/window)

Phase 2b — Admin provision
- ProvisionDeveloperCommand/Handler: create user (role=DEVELOPER), pre-validate
  target projects have no existing owner, batch-assign ownerId
- ProvisionParkOperatorCommand/Handler: same for PARK_OPERATOR + IndustrialPark
- POST /admin/accounts/developers, POST /admin/accounts/park-operators (admin-only)
- DTOs with phone/password/fullName/email + optional {project,park}Ids[]

Phase 2c — Project stats for developer dashboard
- GetProjectStatsQuery + handler: aggregates linkedListingCount, activeListingCount,
  totalInquiries, unreadInquiries, savedByUsers via Property → Listing → Inquiry chain
- GET /projects/:id/stats — admin sees all, DEVELOPER only their own (403 otherwise)

Phase 3 — Frontend
- Dashboard layout role-aware: DEVELOPER sees "Dự án của tôi" + CRM + Profile (hides
  listings/analytics/subscription); PARK_OPERATOR sees "KCN của tôi" equivalent
- /projects dashboard page switches to duAnApi.searchMine() when role=DEVELOPER
- /industrial-parks page switches to industrialApi.searchMine() when role=PARK_OPERATOR
- Admin nav gains "Tài khoản CĐT" + "Tài khoản KCN" entries
- New pages /admin/accounts/developers + /admin/accounts/park-operators with
  checkbox-based multi-select for linking entities
- adminApi.provisionDeveloper + provisionParkOperator + types
- duAnApi.searchMine + getStats; industrialApi.searchMine
- Login demo accounts list includes CĐT Vingroup + KCN VSIP

Phase 4 — Seed (prisma/seed-b2b-accounts.ts)
- DEVELOPER "CĐT Vingroup" (+84912000001) owns 4 projects
- DEVELOPER "CĐT Masterise Homes" (+84912000003) owns 2 projects
- PARK_OPERATOR "Vận hành KCN VSIP" (+84912000002) owns 2 seeded KCN
- Password Velik@2026 for all

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

apps/web/lib/admin-api.ts

@@ -196,4 +196,36 @@ export const adminApi = {
 
   updateAiSettings: (body: UpdateAiSettingsPayload) =>
     apiClient.patch<AiSettings>('/admin/settings/ai', body),
+
+  // B2B account provisioning
+  provisionDeveloper: (body: ProvisionDeveloperPayload) =>
+    apiClient.post<ProvisionAccountResult>('/admin/accounts/developers', body),
+
+  provisionParkOperator: (body: ProvisionParkOperatorPayload) =>
+    apiClient.post<ProvisionAccountResult>('/admin/accounts/park-operators', body),
 };
+
+export interface ProvisionDeveloperPayload {
+  phone: string;
+  password: string;
+  fullName: string;
+  email?: string;
+  projectIds?: string[];
+}
+
+export interface ProvisionParkOperatorPayload {
+  phone: string;
+  password: string;
+  fullName: string;
+  email?: string;
+  parkIds?: string[];
+}
+
+export interface ProvisionAccountResult {
+  userId: string;
+  phone: string;
+  email: string | null;
+  fullName: string;
+  linkedProjectIds?: string[];
+  linkedParkIds?: string[];
+}

apps/web/lib/du-an-api.ts

@@ -242,6 +242,29 @@ export const duAnApi = {
     );
   },
 
+  /** DEVELOPER / ADMIN only — returns projects owned by the current user. */
+  searchMine: (params: SearchProjectsParams = {}) => {
+    const query = new URLSearchParams();
+    Object.entries(params).forEach(([key, value]) => {
+      if (value !== undefined && value !== '') query.append(key, String(value));
+    });
+    const qs = query.toString();
+    return apiClient.get<PaginatedResult<ProjectSummary>>(
+      `/projects/mine/list${qs ? `?${qs}` : ''}`,
+    );
+  },
+
+  /** Stats for the "Dự án của tôi" dashboard card — admin + owner only. */
+  getStats: (projectId: string) =>
+    apiClient.get<{
+      projectId: string;
+      linkedListingCount: number;
+      activeListingCount: number;
+      totalInquiries: number;
+      unreadInquiries: number;
+      savedByUsers: number;
+    }>(`/projects/${projectId}/stats`),
+
   getBySlug: (slug: string) =>
     apiClient.get<ProjectDetail>(`/projects/${slug}`),
 

apps/web/lib/khu-cong-nghiep-api.ts

@@ -274,6 +274,18 @@ export const industrialApi = {
     );
   },
 
+  /** PARK_OPERATOR / ADMIN only — returns KCN owned by the current user. */
+  searchMine: (params: SearchIndustrialParksParams = {}) => {
+    const query = new URLSearchParams();
+    Object.entries(params).forEach(([key, value]) => {
+      if (value !== undefined && value !== '') query.append(key, String(value));
+    });
+    const qs = query.toString();
+    return apiClient.get<PaginatedResult<IndustrialParkListItem>>(
+      `/industrial/parks/mine/list${qs ? `?${qs}` : ''}`,
+    );
+  },
+
   getBySlug: (slug: string) =>
     apiClient.get<IndustrialParkDetail>(`/industrial/parks/${slug}`),