feat(auth): add row/size caps + streaming to export-user-data

- Add per-collection row cap (default 10k, env EXPORT_ROW_CAP) via Prisma
  take on all findMany calls
- Add total size cap (default 100MB, env EXPORT_SIZE_CAP_MB); throws
  PayloadTooLargeException (413) when exceeded
- Convert response to Node.js Readable stream piped via NestJS StreamableFile
  to avoid large in-memory buffers
- Export ExportUserDataResult interface (stream + truncated flag) from handler
- Update controller to set Content-Type/Content-Disposition headers and
  return StreamableFile
- Document EXPORT_ROW_CAP and EXPORT_SIZE_CAP_MB env vars in Swagger
- Extend tests: row-cap assertion (take arg), size-cap 413 path, stream assertions

Fixes GOO-223 (M-1 from GOO-200 audit).

Co-Authored-By: Paperclip <noreply@paperclip.ing>

prisma/migrations/20260423140000_add_event_outbox/migration.sql

@@ -0,0 +1,26 @@
+-- RFC-004 Phase 0 (GOO-172): transactional outbox for async messaging backbone.
+-- Producers insert into event_outbox in the same tx as the domain change.
+-- A single relay process (Postgres advisory-lock leader) tails pending rows
+-- and publishes them to Redis Streams, then flips published_at.
+
+CREATE TABLE "event_outbox" (
+    "id" TEXT NOT NULL,
+    "eventId" TEXT NOT NULL,
+    "eventType" TEXT NOT NULL,
+    "aggregateId" TEXT,
+    "envelope" JSONB NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "publishedAt" TIMESTAMP(3),
+    "attempts" INTEGER NOT NULL DEFAULT 0,
+    "lastError" TEXT,
+
+    CONSTRAINT "event_outbox_pkey" PRIMARY KEY ("id")
+);
+
+CREATE UNIQUE INDEX "event_outbox_eventId_key" ON "event_outbox"("eventId");
+
+-- Hot path: relay scans `WHERE publishedAt IS NULL ORDER BY createdAt`.
+CREATE INDEX "event_outbox_publishedAt_createdAt_idx" ON "event_outbox"("publishedAt", "createdAt");
+
+-- Diagnostics: per-type backlog inspection.
+CREATE INDEX "event_outbox_eventType_createdAt_idx" ON "event_outbox"("eventType", "createdAt");

prisma/schema.prisma

@@ -1567,3 +1567,32 @@ model VnAdministrativeAlias {
   @@index([newWardCode])
   @@map("vn_administrative_aliases")
 }
+
+/// Transactional outbox for RFC-004 async messaging backbone (GOO-95).
+/// Producers write one row per domain event in the same Postgres
+/// transaction as the domain state change. A single relay process
+/// (Postgres advisory-lock leader) tails pending rows and publishes
+/// them to Redis Streams, flipping `publishedAt` on success.
+model EventOutbox {
+  id            String    @id @default(cuid())
+  /// UUIDv7 from the envelope — idempotency key + stable cross-runtime id.
+  eventId       String    @unique
+  /// Dotted event type (`payment.completed`). Used by the relay to route.
+  eventType     String
+  /// Aggregate identifier (e.g. paymentId, listingId) — for partitioning / debugging.
+  aggregateId   String?
+  /// Fully-formed `EventEnvelope` JSON ready to XADD. Never mutated after insert.
+  envelope      Json
+  /// When the row was inserted (inside the domain tx).
+  createdAt     DateTime  @default(now())
+  /// When the relay confirmed XADD acceptance. Null = still pending.
+  publishedAt   DateTime?
+  /// Monotonic retry count for the relay (reset on success).
+  attempts      Int       @default(0)
+  /// Last error message on failure — surfaced in admin dashboards / Sentry.
+  lastError     String?
+
+  @@index([publishedAt, createdAt])
+  @@index([eventType, createdAt])
+  @@map("event_outbox")
+}