feat(auth): implement Auth module with register, login, JWT, guards, and CQRS

- Add RefreshToken and OAuthAccount models to Prisma schema
- Implement clean architecture: domain (entities, VOs, events, repo interfaces),
  infrastructure (Prisma repos, Passport strategies, token service),
  application (CQRS command/query handlers), presentation (controller, guards, DTOs)
- Endpoints: POST /auth/register, /auth/login, /auth/refresh, GET /auth/profile,
  GET /auth/profile/agent, PATCH /auth/kyc
- JWT access + refresh token rotation with family-based revocation
- Role-based guards (BUYER, SELLER, AGENT, ADMIN)
- 16 unit tests (value objects, entity) + integration test suite
- All 80 tests passing, clean TypeScript build

Co-Authored-By: Paperclip <noreply@paperclip.ing>

apps/api/src/modules/auth/presentation/controllers/auth.controller.ts

@@ -0,0 +1,78 @@
+import {
+  Body,
+  Controller,
+  Get,
+  Patch,
+  Post,
+  UseGuards,
+} from '@nestjs/common';
+import { CommandBus, QueryBus } from '@nestjs/cqrs';
+import { RegisterUserCommand } from '../../application/commands/register-user/register-user.command';
+import { LoginUserCommand } from '../../application/commands/login-user/login-user.command';
+import { RefreshTokenCommand } from '../../application/commands/refresh-token/refresh-token.command';
+import { VerifyKycCommand } from '../../application/commands/verify-kyc/verify-kyc.command';
+import { GetProfileQuery } from '../../application/queries/get-profile/get-profile.query';
+import { GetAgentByUserIdQuery } from '../../application/queries/get-agent-by-user-id/get-agent-by-user-id.query';
+import { RegisterDto } from '../dto/register.dto';
+import { RefreshTokenDto } from '../dto/refresh-token.dto';
+import { VerifyKycDto } from '../dto/verify-kyc.dto';
+import { JwtAuthGuard } from '../guards/jwt-auth.guard';
+import { LocalAuthGuard } from '../guards/local-auth.guard';
+import { RolesGuard } from '../guards/roles.guard';
+import { CurrentUser } from '../decorators/current-user.decorator';
+import { Roles } from '../decorators/roles.decorator';
+import { type JwtPayload, type TokenPair } from '../../infrastructure/services/token.service';
+import { type UserProfileDto } from '../../application/queries/get-profile/get-profile.handler';
+import { type AgentDto } from '../../application/queries/get-agent-by-user-id/get-agent-by-user-id.handler';
+
+@Controller('auth')
+export class AuthController {
+  constructor(
+    private readonly commandBus: CommandBus,
+    private readonly queryBus: QueryBus,
+  ) {}
+
+  @Post('register')
+  async register(@Body() dto: RegisterDto): Promise<TokenPair> {
+    return this.commandBus.execute(
+      new RegisterUserCommand(dto.phone, dto.password, dto.fullName, dto.email),
+    );
+  }
+
+  @UseGuards(LocalAuthGuard)
+  @Post('login')
+  async login(@CurrentUser() user: { id: string; phone: string; role: string }): Promise<TokenPair> {
+    return this.commandBus.execute(
+      new LoginUserCommand(user.id, user.phone, user.role),
+    );
+  }
+
+  @Post('refresh')
+  async refresh(@Body() dto: RefreshTokenDto): Promise<TokenPair> {
+    return this.commandBus.execute(new RefreshTokenCommand(dto.refreshToken));
+  }
+
+  @UseGuards(JwtAuthGuard)
+  @Get('profile')
+  async getProfile(@CurrentUser() user: JwtPayload): Promise<UserProfileDto> {
+    return this.queryBus.execute(new GetProfileQuery(user.sub));
+  }
+
+  @UseGuards(JwtAuthGuard)
+  @Get('profile/agent')
+  async getAgentProfile(@CurrentUser() user: JwtPayload): Promise<AgentDto | null> {
+    return this.queryBus.execute(new GetAgentByUserIdQuery(user.sub));
+  }
+
+  @UseGuards(JwtAuthGuard, RolesGuard)
+  @Roles('ADMIN')
+  @Patch('kyc')
+  async verifyKyc(
+    @Body() dto: VerifyKycDto & { userId: string },
+  ): Promise<{ message: string }> {
+    await this.commandBus.execute(
+      new VerifyKycCommand(dto.userId, dto.kycStatus, dto.kycData),
+    );
+    return { message: 'KYC status đã được cập nhật' };
+  }
+}