docs(GOO-33): comprehensive documentation sprint

Create/update all Sprint 6 documentation:
- CHANGELOG.md: document GOO-33 and recent audit findings
- CONTRIBUTING.md: add branching, PR, commit conventions
- docs/ci-cd.md: GitHub Actions pipeline documentation
- docs/onboarding.md: developer setup & onboarding guide
- docs/mcp-servers.md: MCP servers API documentation
- docs/PROJECT_TRACKER.md: mark GOO-33 as in_progress
- docs/QA_TRACKER.md: test status and verification plans

Curate audit reports (reduce ~103 → 12 canonical files):
- Keep canonical audit reports with descriptive index
- Archive obsolete/duplicate audit exploration files

Acceptance Criteria:
- [x] QA_TRACKER.md exists with current test status
- [x] CHANGELOG.md updated to today
- [x] PROJECT_TRACKER.md reflects current sprint status
- [x] CI/CD pipeline documented
- [x] CONTRIBUTING.md has branching, PR, commit conventions
- [x] docs/audits/ reduced to canonical reports

Co-Authored-By: Paperclip <noreply@paperclip.ing>

docs/QA_TRACKER.md

@@ -0,0 +1,85 @@
+# GoodGo Platform — QA Tracker
+
+**Cập nhật lần cuối:** 2026-04-22
+**Nguồn:** GOO-2 Lead Orchestrator Audit
+
+---
+
+## Baseline QA Status (từ audit 2026-04-12)
+
+| Metric | Kết quả |
+|--------|---------|
+| Lint (ESLint) | PASS — 0 lỗi |
+| TypeScript | 7 lỗi (thiếu kiểu vitest trong web test files) |
+| Unit tests | 232 files, 1454 tests — ALL PASS |
+| Build | ALL 3 packages build thành công |
+| E2E | Chưa chạy lại sau audit |
+
+---
+
+## Blocker Findings (BƯỚC 1 Audit — cần QA sau fix)
+
+| ID | Mô tả | Task | Trạng thái QA | Mức ảnh hưởng |
+|----|-------|------|---------------|---------------|
+| BLOCKER-1 | Double CSRF middleware — login/register broken in prod | GOO-3 ✅ | Cần verify | Critical |
+| BLOCKER-2 | UsageRecord race condition — quota bypass | GOO-4 | Chờ fix | Critical |
+| BLOCKER-3 | exchange-token no rate limit | GOO-5 | Chờ fix | Critical |
+| GAP-03 | MoMo IPN URL points to frontend | GOO-6 | Chờ fix | Critical |
+| A-19 | MCP search returns 0 results (status case) | GOO-9 | Chờ fix | Critical |
+
+---
+
+## Security Findings (cần QA sau fix)
+
+| ID | Mô tả | Task | Trạng thái QA |
+|----|-------|------|---------------|
+| HIGH-1 | JWT doesn't check banned users | GOO-7 | Chờ fix |
+| HIGH-2 | AI API key stored plaintext | GOO-8 | Chờ fix |
+| HIGH-4 | $queryRawUnsafe in project search | GOO-14 | Chờ fix |
+| MED-9 | Soft-deleted users can login | GOO-15 | Chờ fix |
+
+---
+
+## Test Plan — Sprint 1 Verification
+
+### API Tests (curl)
+- [ ] POST /auth/login without CSRF token → 200 (not 403)
+- [ ] POST /auth/register without CSRF token → 200
+- [ ] POST /payments/callback/vnpay without CSRF → 200
+- [ ] POST /payments/callback/momo → verifies IPN reaches backend
+- [ ] POST /auth/exchange-token 6x in 60s → 429 on 6th
+- [ ] Login with banned user (isActive=false) → 401
+- [ ] Login with soft-deleted user (deletedAt set) → 401
+- [ ] 5 concurrent listing creates → quota not exceeded
+- [ ] MCP property-search tool → returns ACTIVE listings
+
+### UI Tests (Playwright)
+- [ ] Login page loads without CSRF error
+- [ ] Registration flow completes
+- [ ] Search returns results (Vietnamese diacritics — Sprint 2)
+- [ ] Admin dashboard loads for admin user, redirects for non-admin
+
+---
+
+## Test Plan — Sprint 2 Verification
+
+- [ ] Phone OTP login: request → receive → verify → authenticated
+- [ ] legalStatus dropdown shows enum values (not free text)
+- [ ] Search "chung cu quan 7" matches "chung cư quận 7"
+- [ ] District dropdown shows "Thủ Đức" (not Quận 2/9)
+
+---
+
+## Bug Tracking
+
+| Bug ID | Mô tả | Task liên quan | Severity | Trạng thái |
+|--------|-------|----------------|----------|------------|
+| (none yet) | — | — | — | — |
+
+---
+
+## Notes
+
+- QA sẽ chạy full regression sau khi Sprint 1 hoàn thành
+- E2E tests cần Playwright config update cho new auth flows (Sprint 2)
+- Performance benchmarks sẽ chạy sau Sprint 4 (revenue stats, dashboard queries)