feat: comprehensive seed, Lucide icons, grouped dashboard nav, API fixes

- Rewrite prisma/seed.ts to populate all 27 models with realistic
  Vietnamese real estate data (8 users with login, 10 properties,
  10 listings, orders, payments, reviews, notifications, etc.)
- Replace all emoji icons with Lucide React SVG icons across frontend
  for consistent rendering, sizing, and accessibility
- Redesign dashboard nav: grouped sidebar with section headers,
  primary/secondary split on desktop, icon-only secondary items
- Replace language switcher flag emoji with Globe icon
- Replace SVG theme toggle with Lucide Moon/Sun icons
- Fix API startup: graceful fallback for Sentry profiling, Google OAuth,
  and Zalo OAuth when credentials are not configured
- Relax rate limiting in development mode (10k req/min)
- Fix listings API to include media[] array in search response
- Add optional chaining for property.media across frontend components
- Update OAuth strategy tests to match graceful fallback behavior

Co-Authored-By: Claude Opus 4 (1M context) <noreply@anthropic.com>

apps/api/src/modules/auth/infrastructure/__tests__/google-oauth.strategy.spec.ts

@@ -45,13 +45,12 @@ describe('GoogleOAuthStrategy', () => {
     vi.unstubAllEnvs();
   });
 
-  it('throws if GOOGLE_CLIENT_ID is missing', () => {
+  it('creates strategy with dummy config when GOOGLE_CLIENT_ID is missing', async () => {
     vi.stubEnv('GOOGLE_CLIENT_ID', '');
-    // Reset module to pick up new env
-    expect(async () => {
-      const { GoogleOAuthStrategy } = await import('../strategies/google-oauth.strategy');
-      new GoogleOAuthStrategy(mockOAuthService as unknown as OAuthService);
-    }).rejects.toThrow('GOOGLE_CLIENT_ID');
+    const { GoogleOAuthStrategy } = await import('../strategies/google-oauth.strategy');
+    const strategy = new GoogleOAuthStrategy(mockOAuthService as unknown as OAuthService);
+    // Strategy should still be created (graceful fallback with dummy values)
+    expect(strategy).toBeDefined();
   });
 
   it('creates strategy with correct config', async () => {

apps/api/src/modules/auth/infrastructure/__tests__/zalo-oauth.strategy.spec.ts

@@ -30,18 +30,18 @@ describe('ZaloOAuthStrategy', () => {
     vi.restoreAllMocks();
   });
 
-  it('throws if ZALO_APP_ID is missing', () => {
+  it('creates strategy with dummy config when ZALO_APP_ID is missing', () => {
     vi.stubEnv('ZALO_APP_ID', '');
     const mockLogger = { log: vi.fn(), warn: vi.fn(), error: vi.fn(), debug: vi.fn(), verbose: vi.fn() };
-    expect(() => new ZaloOAuthStrategy(mockOAuthService as unknown as OAuthService, mockLogger as any))
-      .toThrow('ZALO_APP_ID');
+    const strategy = new ZaloOAuthStrategy(mockOAuthService as unknown as OAuthService, mockLogger as any);
+    expect(strategy).toBeDefined();
   });
 
-  it('throws if ZALO_APP_SECRET is missing', () => {
+  it('creates strategy with dummy config when ZALO_APP_SECRET is missing', () => {
     vi.stubEnv('ZALO_APP_SECRET', '');
     const mockLogger = { log: vi.fn(), warn: vi.fn(), error: vi.fn(), debug: vi.fn(), verbose: vi.fn() };
-    expect(() => new ZaloOAuthStrategy(mockOAuthService as unknown as OAuthService, mockLogger as any))
-      .toThrow('ZALO_APP_SECRET');
+    const strategy = new ZaloOAuthStrategy(mockOAuthService as unknown as OAuthService, mockLogger as any);
+    expect(strategy).toBeDefined();
   });
 
   describe('getAuthorizationUrl', () => {

apps/api/src/modules/auth/infrastructure/strategies/google-oauth.strategy.ts

@@ -11,7 +11,15 @@ export class GoogleOAuthStrategy extends PassportStrategy(Strategy, 'google') {
     const callbackURL = process.env['GOOGLE_CALLBACK_URL'] ?? '/auth/google/callback';
 
     if (!clientID || !clientSecret) {
-      throw new Error('GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET environment variables are required');
+      // Use dummy values so the app can start without Google OAuth configured.
+      // The Google login route will be non-functional until real credentials are set.
+      super({
+        clientID: 'NOT_CONFIGURED',
+        clientSecret: 'NOT_CONFIGURED',
+        callbackURL,
+        scope: ['email', 'profile'],
+      });
+      return;
     }
 
     super({

apps/api/src/modules/auth/infrastructure/strategies/zalo-oauth.strategy.ts

@@ -49,7 +49,11 @@ export class ZaloOAuthStrategy {
     const appSecret = process.env['ZALO_APP_SECRET'];
 
     if (!appId || !appSecret) {
-      throw new Error('ZALO_APP_ID and ZALO_APP_SECRET environment variables are required');
+      // Allow app to start without Zalo OAuth configured — routes will be non-functional.
+      this.appId = 'NOT_CONFIGURED';
+      this.appSecret = 'NOT_CONFIGURED';
+      this.callbackUrl = process.env['ZALO_CALLBACK_URL'] ?? '/auth/zalo/callback';
+      return;
     }
 
     this.appId = appId;