feat(notifications): add ZaloOaLinkController + migration + schema — TEC-3065

Include files missed from previous commit:
- ZaloOaLinkController (GET /auth/zalo-oa/link, GET /auth/zalo-oa/callback, DELETE)
- prisma/schema.prisma — ZaloAccountLink model + User.zaloAccountLink relation
- prisma/migrations/20260421010000_add_zalo_account_links/migration.sql
- Updated ZaloOaService, webhook controller, notifications module, and specs

Co-Authored-By: Paperclip <noreply@paperclip.ing>

prisma/schema.prisma

@@ -81,6 +81,7 @@ model User {
   ownedProjects        ProjectDevelopment[] @relation("ProjectOwner")
   /// KCN do user này vận hành (role=PARK_OPERATOR).
   ownedIndustrialParks IndustrialPark[]     @relation("IndustrialParkOwner")
+  zaloAccountLink      ZaloAccountLink?
 
   @@index([role])
   @@index([kycStatus])
@@ -145,6 +146,30 @@ model OAuthAccount {
   @@index([userId])
 }
 
+/// Zalo OA account link — stores the OA-scoped access/refresh tokens for sending
+/// template messages to a linked user via ZNS.
+/// Token fields are AES-256-GCM encrypted at the application layer.
+model ZaloAccountLink {
+  id           String   @id @default(cuid())
+  userId       String   @unique
+  user         User     @relation(fields: [userId], references: [id], onDelete: Cascade)
+  /// Zalo user ID scoped to the Official Account (OA UID, not Social Graph UID)
+  zaloUserId   String   @unique
+  /// AES-256-GCM encrypted access token (base64url: iv.tag.ciphertext)
+  accessToken  String
+  /// AES-256-GCM encrypted refresh token (base64url: iv.tag.ciphertext)
+  refreshToken String
+  expiresAt    DateTime
+  /// Unix epoch (seconds) of the last user→OA interaction; used for 24-hour window check
+  lastInteractAt DateTime?
+  createdAt    DateTime @default(now())
+  updatedAt    DateTime @updatedAt
+
+  @@index([zaloUserId])
+  @@index([expiresAt])
+  @@map("zalo_account_links")
+}
+
 model Agent {
   id              String   @id @default(cuid())
   userId          String   @unique