test(e2e): add coverage for agent profile, KYC, payment callbacks, media upload, and listing moderation

Fills coverage gaps for untested API endpoints:
- GET /auth/profile/agent (auth + unauth)
- PATCH /auth/kyc (admin-only guard tests)
- POST /payments/callback/:provider (VNPay, MoMo, ZaloPay webhooks)
- POST /listings/:id/media (multipart upload validation)
- PATCH /listings/:id/moderate (admin-only moderation)

Co-Authored-By: Paperclip <noreply@paperclip.ing>

e2e/api/listings-moderate.spec.ts

@@ -0,0 +1,66 @@
+import { test, expect, registerUser, createListing } from '../fixtures';
+
+test.describe('PATCH /listings/:id/moderate — Listing moderation (admin only)', () => {
+  let accessToken: string;
+  let listingId: string;
+
+  test.beforeAll(async ({ request }) => {
+    const { accessToken: token } = await registerUser(request);
+    accessToken = token;
+
+    const { listing } = await createListing(request, token);
+    listingId = listing.id;
+  });
+
+  test('rejects unauthenticated moderation', async ({ request }) => {
+    const res = await request.patch(`/listings/${listingId}/moderate`, {
+      data: {
+        action: 'approve',
+        moderationScore: 95,
+        notes: 'Looks good',
+      },
+    });
+
+    expect(res.status()).toBe(401);
+  });
+
+  test('rejects moderation from non-admin user', async ({ request }) => {
+    const res = await request.patch(`/listings/${listingId}/moderate`, {
+      data: {
+        action: 'approve',
+        moderationScore: 95,
+        notes: 'Attempted non-admin moderation',
+      },
+      headers: { Authorization: `Bearer ${accessToken}` },
+    });
+
+    expect(res.ok()).toBeFalsy();
+    expect([401, 403]).toContain(res.status());
+  });
+
+  test('rejects moderation with invalid action', async ({ request }) => {
+    const res = await request.patch(`/listings/${listingId}/moderate`, {
+      data: {
+        action: 'INVALID_ACTION',
+        notes: 'Invalid action test',
+      },
+      headers: { Authorization: `Bearer ${accessToken}` },
+    });
+
+    expect(res.ok()).toBeFalsy();
+    expect([400, 401, 403]).toContain(res.status());
+  });
+
+  test('rejects moderation for non-existent listing', async ({ request }) => {
+    const res = await request.patch('/listings/non-existent-id/moderate', {
+      data: {
+        action: 'reject',
+        notes: 'Non-existent listing',
+      },
+      headers: { Authorization: `Bearer ${accessToken}` },
+    });
+
+    expect(res.ok()).toBeFalsy();
+    expect([400, 401, 403, 404]).toContain(res.status());
+  });
+});