370 Commits

This Branch

This Branch

All Branches

Author	SHA1	Message	Date
Ho Ngoc Hai	33a5ff407b	feat(auth): add DEVELOPER + PARK_OPERATOR roles with owner scoping (B2B accounts) ... Two new B2B roles for CĐT (project developers) and KCN operators, provisioned by admin. Each account owns a subset of ProjectDevelopment / IndustrialPark records and can CRUD them from the dashboard; admin retains full access. Phase 1 — Schema - Extend UserRole enum with DEVELOPER + PARK_OPERATOR (before ADMIN) - ProjectDevelopment.ownerId FK (User, ON DELETE SET NULL) + index - IndustrialPark.ownerId FK + index - Migration 20260420030000 Phase 2a — Backend authorization - CreateProjectCommand + CreateIndustrialParkCommand accept ownerId; controllers auto-set it to the caller's user id when role=DEVELOPER / PARK_OPERATOR - Update + Delete commands gain (requesterUserId, requesterRole) and enforce ADMIN-or-owner via ForbiddenException; reassigning ownerId is admin-only - Search params gain optional ownerId filter wired through Prisma repos - New endpoints: GET /projects/mine/list, GET /industrial/parks/mine/list - user-rate-limit guard: add DEVELOPER + PARK_OPERATOR entries (300/window) Phase 2b — Admin provision - ProvisionDeveloperCommand/Handler: create user (role=DEVELOPER), pre-validate target projects have no existing owner, batch-assign ownerId - ProvisionParkOperatorCommand/Handler: same for PARK_OPERATOR + IndustrialPark - POST /admin/accounts/developers, POST /admin/accounts/park-operators (admin-only) - DTOs with phone/password/fullName/email + optional {project,park}Ids[] Phase 2c — Project stats for developer dashboard - GetProjectStatsQuery + handler: aggregates linkedListingCount, activeListingCount, totalInquiries, unreadInquiries, savedByUsers via Property → Listing → Inquiry chain - GET /projects/:id/stats — admin sees all, DEVELOPER only their own (403 otherwise) Phase 3 — Frontend - Dashboard layout role-aware: DEVELOPER sees "Dự án của tôi" + CRM + Profile (hides listings/analytics/subscription); PARK_OPERATOR sees "KCN của tôi" equivalent - /projects dashboard page switches to duAnApi.searchMine() when role=DEVELOPER - /industrial-parks page switches to industrialApi.searchMine() when role=PARK_OPERATOR - Admin nav gains "Tài khoản CĐT" + "Tài khoản KCN" entries - New pages /admin/accounts/developers + /admin/accounts/park-operators with checkbox-based multi-select for linking entities - adminApi.provisionDeveloper + provisionParkOperator + types - duAnApi.searchMine + getStats; industrialApi.searchMine - Login demo accounts list includes CĐT Vingroup + KCN VSIP Phase 4 — Seed (prisma/seed-b2b-accounts.ts) - DEVELOPER "CĐT Vingroup" (+84912000001) owns 4 projects - DEVELOPER "CĐT Masterise Homes" (+84912000003) owns 2 projects - PARK_OPERATOR "Vận hành KCN VSIP" (+84912000002) owns 2 seeded KCN - Password Velik@2026 for all Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-20 22:12:16 +07:00
Ho Ngoc Hai	dd3ad4aeca	feat(projects): bring residential-project detail to parity with listings (4 phases) ... Phase 1 — live POI + neighborhood score on project detail - du-an-detail-client fetches `/analytics/pois/nearby` + `/analytics/neighborhoods/:district/score` - Falls back to admin-entered `project.pois` / `neighborhoodScores` when endpoint returns nothing - Adds total-score badge next to the radar chart (matches listings) Phase 2 — project personas derivation (`lib/project-personas.ts`) - Derives 8 personas from project-specific signals: property-type mix, amenity keywords, developer reputation, completion timing, status, live score + POIs - Merges admin-authored `suitableFor` chips (badged "Chủ đầu tư chọn") with derived chips - `composeWhyThisProject()` narrative used as fallback when admin hasn't authored one; badged "Tự động tổng hợp" so users know it's derived Phase 3 — AI advisor for projects - Extract shared Anthropic transport + JSON parsers to `analytics/application/queries/_shared/ai-json-client.ts` (dual auth: x-api-key + Bearer for proxy gateways) - Refactor `GetListingAiAdviceHandler` to use the shared client - New `GetProjectAiAdviceHandler` (CQRS) pulls project detail + optional POIs + score, builds project-flavored prompt, returns `{ advice: { summary, pros, cons, suitableFor } }`. No valuation block — project price is a range, not a single unit. - `POST /analytics/projects/:id/ai-advice` endpoint (JWT-guarded) - `ErrorCode.PROJECT_NOT_FOUND` added - Frontend: `ProjectAiAdviceCard` mirrors listings card minus valuation, with loading / not-configured (503) / error states; dedupes AI-suggested personas against existing chips Phase 4 — Mapbox LocationPicker in project create form - New project page now renders `<LocationPicker>` with Vietnam-scoped geocoder; click / drag / search autofills lat+lng and (when empty) address/ward/district/city - Edit page notes location immutability — backend `UpdateProjectCommand` does not yet accept lat/lng/address mutations (follow-up needed to enable editing coords) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-20 17:53:19 +07:00
Ho Ngoc Hai	03f8674024	fix(ai-advice,ui): Bearer auth for proxy gateways + un-pin contact card + VN diacritics ... - AI advice handler now sends both `x-api-key` and `Authorization: Bearer` so proxy gateways (e.g. chat.trollllm.xyz) accept the request. Native Anthropic ignores the extra header. - Remove `lg:sticky lg:top-20` from listing detail contact card — sidebar now scrolls with the page. - Fix missing Vietnamese diacritics on AI estimate button: "Dinh gia AI" -> "Định giá AI", "Dang dinh gia..." -> "Đang định giá...". Tests updated accordingly. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-20 17:07:32 +07:00
Ho Ngoc Hai	d9cea3828e	wip: listings/admin in-flight — bulk update, duplicates, audit log, price constraints ... Batch-committing concurrent work-in-progress so it isn't lost: Listings — bulk update + duplicate detection --------------------------------------------- - New command BulkUpdateListings + handler + tests under application/commands/bulk-update-listings/. - New DTO presentation/dto/bulk-update-listings.dto.ts. - Controller wires the bulk endpoint; update DTO extended. - Property duplicate detector hardened: normalized-address pipeline (new migration 20260420020000_add_property_address_normalized), repository + service updates, tests refreshed. - Listing entity gains ownership-transferred event (new event file). - Integration specs for price constraints (20260420000000_add_price_check_constraints) and duplicates. - E2E: e2e/api/listings-duplicates.spec.ts. Admin — moderation audit log ---------------------------- - New Prisma table (migration 20260420010000_add_moderation_audit_log) + Prisma repo + interface + DI wiring. - Listener `moderation-audit.listener.ts` + unit spec. - Query GetModerationAuditLogs + handler + controller `admin-moderation-audit.controller.ts` + DTO. Supporting ---------- - shared/infrastructure/cache.service.ts tweak. - AUDIT_LISTINGS_PROPERTY_MANAGEMENT.md — in-repo audit notes. - Various test + module wiring updates to keep the tree green. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-20 13:53:28 +07:00
Ho Ngoc Hai	3287298592	feat(inquiries): sanitize HTML in inquiry message at application layer (TEC-2929) ... - Add SanitizeHtmlService (whitelist: b, i, br, p, a) using sanitize-html. - Force rel="noopener noreferrer nofollow" and target="_blank" on anchors. - Restrict URL schemes to http/https/mailto/tel; drop javascript: links. - Wire sanitizer into CreateInquiryHandler before InquiryEntity.createNew. - Register provider in InquiriesModule. - Add unit tests: 7 for the service + 2 handler-level XSS payload tests (<script>...</script> and <img onerror=...> stripped). Defense-in-depth complement to global SanitizeInputMiddleware so internal command paths bypassing HTTP middleware (queues, imports) stay safe. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-20 10:47:22 +07:00
Ho Ngoc Hai	69d37c4e77	test(listings): cover delete-listing handler branches + tx contract (TEC-2923) ... - Add delete-listing.handler.spec.ts: not-found, forbidden, owner happy path, admin override, tx rollback propagation, call ordering. - Annotate DeleteListingHandler with the repository atomicity contract; PrismaListingRepository.delete already wraps side-effects in prisma.$transaction([...]) so handler stays a thin orchestrator. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-20 10:40:55 +07:00
Ho Ngoc Hai	3be66f72df	feat(listings): rate limit feature-listing via @nestjs/throttler (TEC-2930) ... - Wire ThrottlerModule to a Redis-backed storage (shared across API instances) using @nest-lab/throttler-storage-redis. - Add FeatureListingThrottlerGuard that tracks per-user when JWT is present, falling back to the real client IP behind the reverse proxy — keeps per-user and per-IP buckets independent. - Apply @Throttle({ default: { limit: 10, ttl: 60_000 } }) + the guard to POST /listings/:id/feature and document 429 in Swagger. - Integration test (feature-listing-throttle.integration.spec.ts) verifies: 10 reqs pass / 11th returns 429 with Retry-After, separate IPs keep their own quotas, and the tracker key logic. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-20 08:31:26 +07:00
Ho Ngoc Hai	366815b350	feat(listings): add cron to auto-expire featured listings (TEC-2924) ... - New FeaturedListingExpiryCronService runs every 5 minutes and clears Listing.featuredUntil when the promotion period has ended - Uses a single atomic UPDATE ... RETURNING so concurrent instances do not double-process rows (idempotent) - Publishes ListingFeaturedExpiredEvent via CQRS EventBus for downstream cache/search index invalidation - Unit test covers event emission, no-op path, error path, and concurrency Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-20 08:20:40 +07:00
Ho Ngoc Hai	283984b2f2	feat(listings): Mapbox location picker in create + edit forms ... User feedback: typing lat/lng by hand is painful — wire a real map picker. New component apps/web/components/map/location-picker.tsx: - Mapbox map with theme-synced style (uses useMapboxStyle). - Draggable primary marker (custom pin, inner-wrapped so Mapbox's translate isn't clobbered — follows the hover-fix pattern we shipped last commit). - Click anywhere on the map → marker jumps + onChange fires. - Dragend → onChange fires. - Search box using Mapbox Geocoding API (/geocoding/v5/mapbox.places) scoped to country=vn, language=vi, limit=5, debounced 350ms with AbortController. Clicking a suggestion centers the map + fills the resolved { address, ward, district, city } from feature.context. - Graceful fallback when NEXT_PUBLIC_MAPBOX_TOKEN is missing. - Inline help "Nhấp vào bản đồ hoặc kéo pin để chọn vị trí". StepLocation (listing-form-steps.tsx): - New optional `setValue` + `watch` props. When both are passed the picker renders and wires lat/lng (+ address/ward/district/city from geocoder) into the form. Without them, the Step falls back to the manual-only layout (kept for callers that don't want the picker). - Dynamic-import the picker with ssr:false so mapbox-gl stays out of the server bundle. Wired into: - /listings/new page — picker enabled on Step 2 (Vị trí). - /listings/[id]/edit page — picker enabled on the Location tab, with latitude/longitude now hydrated from property.latitude/longitude. Test fixture update: listing-form-steps.spec.tsx no longer asserts the placeholder string — instead verifies the lat/lng inputs still render when the picker is absent (setValue not supplied), matching the new opt-in contract. Verification - Typecheck clean across touched files. - 624 / 624 web tests pass. - Preview smoke: /listings/<id>/edit → Vị trí tab renders map + draggable pin + search, lat/lng prefilled from listing data. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-19 17:55:26 +07:00
Ho Ngoc Hai	66eae72f62	fix(maps): marker hover no longer teleports to (0, 0) ... Mapbox GL JS writes `transform: translate(Xpx, Ypx)` on the DOM element passed to `new Marker({ element })`. Any code that does `el.style.transform = 'scale(...)'` on that same element CLOBBERS the translate and the marker snaps to the map origin (top-left). Five map components were doing exactly this in their hover listeners: - components/neighborhood/neighborhood-poi-map.tsx - components/du-an/project-map.tsx - components/khu-cong-nghiep/park-map.tsx - components/charts/district-heatmap.tsx - components/valuation/comparables-map.tsx Fix: wrap the visible marker chrome in an inner <div> and apply the hover scale to that wrapper. The outer element becomes a thin sizing shell that Mapbox can keep positioning untouched. Also set `pointer-events: none` on the inner where the wrapper already has an interactive role so clicks still bubble to the setPopup-bound outer element. Verified on /listings/[id]: POI marker no longer moves on hover, popup still opens on click with the Phase-C close button. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-19 17:47:05 +07:00
Ho Ngoc Hai	6b783c357d	feat(listings+projects): wire listing PATCH + project rich content parity ... Two CRUD/parity gaps closed: Listings edit — PATCH was dead-ended at the frontend ---------------------------------------------------- Backend PATCH /listings/:id existed and accepted Phase B fields but the dashboard edit page was read-only with a disclaimer stub. Now: - listings-api.ts exports UpdateListingPayload (Partial<CreatePayload>) and listingsApi.update(id, data). - /listings/[id]/edit/page.tsx wires handleSubmit → maps the form to UpdateListingPayload (coerces numerics, splits CSV amenities/view/ suitableFor, normalises petFriendly 3-way select), calls update, shows green success banner or red error banner. Removed the disclaimer text. - Form footer now has Huỷ + Lưu thay đổi buttons. Projects rich content — parity with Phase B listings --------------------------------------------------- Same "Phù hợp với ai / Vì sao nên chọn dự án này" pattern now on project detail. Schema - ProjectDevelopment: suitableFor String[] @default([]) + whyThisLocation String? @db.Text. Migration 20260419100000 applied via db:push. Backend - CreateProjectDto / UpdateProjectDto pick up optional suitableFor + whyThisLocation (MaxLength 2000). - CreateProjectCommand / UpdateProjectCommand append the two trailing args; handlers forward them. - ProjectDevelopment entity carries the props + updateDetails branches. - ProjectListItem (inherited by ProjectDetailData) exposes both. - Prisma repo writes them on raw INSERT/UPDATE and reads them in toDomain + toListItem. Controller passes dto → commands. Frontend - du-an-api.ts: ProjectDetail / CreateProjectPayload / UpdateProjectPayload gain suitableFor + whyThisLocation. duAnApi exports create / update / delete (already landed earlier, now in sync with the new fields). - du-an-server.ts normalizer pulls the two fields safely (filter strings, default empty array / null). - Dashboard /projects/new + /projects/[id]/edit: new "Phù hợp & lý do khu vực" form section (CSV split + 2000-char textarea). Submit handlers forward to create/update payloads. - Public /du-an/[slug] detail (du-an-detail-client.tsx): two new cards just below the quick-stats grid — * ProjectPersonaFitCard: chips for each suitableFor label with a "Chủ đầu tư chọn" badge (bg-primary/10), plus a disabled <Button><Sparkles /> AI nhận định dự án (sắp ra mắt)</Button> teaser with a TODO pointing to a future project-AI advisor endpoint. * ProjectWhyLocationCard: renders whyThisLocation in whitespace-pre-wrap; skipped when the field is empty. Verification - API typecheck clean; 1975/1975 tests pass. - Web typecheck clean in touched files; 624/624 tests pass. - Lucide-only icons; Vietnamese labels; no new npm packages; runtime imports preserved for NestJS-DI classes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-19 16:33:54 +07:00
Ho Ngoc Hai	631e1200a1	feat(listings): AI advisor on listing detail — valuation + qualitative advice ... New endpoint POST /analytics/listings/:id/ai-advice (JwtAuthGuard). Orchestrates a single-listing AI analysis in Vietnamese via Anthropic Claude, using the key/URL/model configured in admin settings. Backend ------- - New CQRS: get-listing-ai-advice/{query,handler}.ts under analytics. Injects LISTING_REPOSITORY, QueryBus (for nearby POIs + neighborhood score), SystemSettingsService (from @modules/admin), LoggerService. - Controller @Post('listings/:id/ai-advice') in analytics.controller.ts. - analytics.module.ts now imports ListingsModule + AdminModule. - Anthropic call: native fetch to ${apiUrl}/messages with x-api-key + anthropic-version: 2023-06-01 + anthropic-beta: prompt-caching-2024-07-31. System block marked cache_control:{type:'ephemeral'} for cheap subsequent cache hits. 30s AbortController timeout. - Response validation without adding zod to the API workspace — lightweight isRecord/asInt/asString/asStringArray helpers. Strips ```json fences before JSON.parse. - Error handling: * 503 AI_NOT_CONFIGURED when the admin hasn't saved an API key. * 502 AI_PROVIDER_ERROR on non-2xx, parse failure, or timeout. * Key never logged. * POI / score fetch failures are soft — prompt is built without them and the model still runs. - New error codes AI_NOT_CONFIGURED / AI_PROVIDER_ERROR in shared/domain/error-codes.ts. Response shape (returned unchanged to the client): ``` { valuation: { estimateVND, lowVND, highVND, confidence, rationale }, advice: { summary, pros[], cons[], suitableFor[] }, model, cacheHit } ``` Frontend -------- - analytics-api.ts: exports AiConfidence, ListingAiValuation, ListingAiAdviceBody, ListingAiAdvice + getListingAiAdvice(id). - New components/listings/ai-advice-cards.tsx. * Default state: outline <Button><Sparkles/> Xem phân tích AI</Button> * On click: useMutation fires + skeleton with Sparkles spinner. * On success: two sidebar cards: - "AI định giá" — big mid VND, low–high range, Low/Medium/High confidence badge, rationale with line-clamp-3. - "AI nhận định" — 2-sentence summary + two-column Pros/Cons (Check / AlertTriangle icons) + "AI gợi ý" chips for extra personas, plus a "Làm mới" link that re-triggers the mutation. * 503 → amber banner. ADMIN users see a link to /admin/settings/ai. * Other errors → red banner with retry. - listing-detail-client.tsx mounts <AiAdviceCards listingId=... /> in the sidebar between the social-share card and the stats block. Existing <AiEstimateButton> kept untouched next to it. Constraints preserved --------------------- - No new npm packages; no @anthropic-ai/sdk. - Runtime imports for NestJS DI classes. - API key read at request time only — nothing persists it outside SystemSetting. Verification ------------ - API typecheck clean; 1975 / 1975 tests pass. - Web typecheck clean in touched files; 624 / 624 tests pass. - AiAdviceCards spec-mocked in listing-detail-client.spec so QueryClientProvider isn't required. User can now set their Anthropic key via /admin/settings/ai and click "Xem phân tích AI" on any listing detail to get valuation + advice. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-19 16:20:24 +07:00
Ho Ngoc Hai	ab26eb4c05	feat(admin): AI settings page — configure Anthropic API key + URL + model ... Foundation for Phase E (AI advisor / AI valuation on listing detail). An admin sets the Anthropic Claude credentials once in the new "/admin/settings/ai" page; downstream features read them via SystemSettingsService. Database -------- - New Prisma model SystemSetting { key @id, value Text, valueType, isSecret, updatedAt, updatedBy }. db:push applied cleanly. Backend ------- - SystemSettingsService — canonical getter/setter for ai.api_url / ai.api_key / ai.model. maskApiKey() returns the last 4 chars prefixed with "sk-ant-...". Exposes unmasked getAiSettings() for server-side consumers (AI advisor handlers). - GET /admin/settings/ai — returns { apiUrl, apiKeyMasked, model, hasApiKey, updatedAt }. Never emits the raw key. - PATCH /admin/settings/ai — body accepts partial { apiUrl, apiKey, model }. apiKey sentinel "__UNCHANGED__" preserves the stored value; empty string clears it; any other value overwrites. - CQRS: get-ai-settings query + update-ai-settings command. Registered in admin.module.ts; service exported via modules/admin/index.ts so Phase E can inject it. Frontend -------- - adminApi.getAiSettings() / updateAiSettings() added to lib/admin-api.ts with shared AiSettings + UpdateAiSettingsPayload types. - New Lucide-only nav entry "Cài đặt AI" (Sparkles) in admin layout. - /admin/settings/ai/page.tsx — Card with API URL input, masked API key input with Eye/EyeOff toggle, "Xoá key" button, model Select (claude-opus-4-5 / sonnet-4-5 / haiku-4-5 + custom input), save button with inline success/error banners, "last updated" timestamp. - i18n keys adminNav.settings + adminNav.aiSettings in vi.json/en.json. Constraints ----------- - No new packages. Runtime imports for NestJS-DI classes preserved. - Key NOT encrypted at rest (MVP); documented in service comment as future hardening. - Page inherits existing admin auth guard via (admin) layout. Verification ------------ - API typecheck clean. - Web typecheck clean in touched files. - API suite: 1975 / 1975 pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-19 16:09:44 +07:00
Ho Ngoc Hai	593d1594bd	refactor(web): replace emoji icons with lucide-react across the app ... User directive: avoid emojis for UI chrome; keep the icon language consistent with the rest of the design system (shadcn + lucide-react). Swaps ----- - lib/listing-personas.ts — Persona emojis (👨‍👩‍👧🏡🚇🧑‍💻🌳📈🛡️🏥) → Lucide icons (Baby, Home, TrainFront, Laptop, Trees, TrendingUp, Shield, HeartPulse). Persona type now carries `icon: LucideIcon`. - components/neighborhood/types.ts — POI_CATEGORY_CONFIG emojis (🏫🏥🚇🛒🍽️🌳) → Lucide (GraduationCap, Stethoscope, TrainFront, ShoppingBag, UtensilsCrossed, Trees). Config type tightened to `icon: LucideIcon`. - components/neighborhood/neighborhood-poi-map.tsx — filter pills now render <config.icon h-3.5 w-3.5>. Map markers were text-emoji (el.textContent = config.icon); replaced with hard-coded inline SVG strings per category (POI_MARKER_SVG) since lucide-static isn't installed. Marker bumped 28px → 32px for larger hit target. Popup now shows only the property name + category label (no emoji prefix). closeButton: true + closeOnClick: true for better dismissibility. - listing-detail-client.tsx — PersonaFitCard now renders <p.icon h-4 w-4 aria-hidden>. - transfer / chuyen-nhuong files — category icons (🛋️🧊🖥️🍳🛍️🏠) migrated to Lucide (Sofa, Refrigerator, Monitor, ChefHat, Store, Home) with type `icon: LucideIcon`. - Small replacements: inquiries page 📭 → Inbox; kyc page ✓ → Check. POI popup click fix ------------------- The inner SVG inside each POI marker was capturing pointer events before Mapbox's marker-click handler saw them, so clicking a marker did nothing. Explicit `innerSvg.style.pointerEvents = 'none'` lets clicks reach the wrapping .poi-marker div that setPopup() is bound to. Verified via DOM dispatch: click → popup opens with property name + category + distance + × close. Verification ------------ - Grep across the 4 scoped files for emoji code points → 0 hits. - pnpm -w test: 624/624 green. - Typecheck: no new errors in touched files. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-19 16:01:13 +07:00
Ho Ngoc Hai	88429a1e51	feat(listings): phase B — rich property fields + admin-authored personas ... Schema (prisma/migrations/20260419000000_property_rich_fields) -------------------------------------------------------------- New Prisma enums: - Furnishing: FULLY_FURNISHED / BASIC_FURNISHED / UNFURNISHED - PropertyCondition: NEW / LIKE_NEW / RENOVATED / USED New Property columns (all optional / default empty, no data loss): - furnishing, propertyCondition — enums above - balconyDirection — reuses existing Direction enum - maintenanceFeeVND BigInt (phí quản lý/tháng) - parkingSlots Int - viewType String[] (e.g. ["Sông","Thành phố"]) - petFriendly Boolean (null = unknown) - suitableFor String[] — admin-chosen persona labels - whyThisLocation Text — admin narrative Backend wiring end-to-end ------------------------- - Create/Update DTOs: @IsEnum/@IsString/@IsNumber/@IsBoolean/@IsArray validators; maintenanceFeeVND accepted as a numeric string, cast to BigInt on the way to Prisma. whyThisLocation capped at 2000 chars. - Introduced a small `PropertyExtras` interface on the create/update commands so the constructor signature stays readable instead of ballooning to 30+ positional args. Handlers forward it to the repo. - Prisma property repository writes all new columns via raw SQL INSERT/UPDATE and reads them on findById. - ListingDetailData + findByIdWithProperty expose the 9 new fields (maintenanceFeeVND serialised as decimal string to avoid BigInt JSON). Frontend -------- - listings-api.ts: ListingDetail.property + CreateListingPayload carry the 9 new fields; Furnishing + PropertyCondition exported as string unions. - validations/listings.ts: zod schema extended; FURNISHING_OPTIONS, PROPERTY_CONDITION_OPTIONS, VIEW_TYPE_OPTIONS label arrays added in the existing DIRECTIONS style (Vietnamese labels). - listing-form-steps.tsx StepDetails: new "Nội thất & điều kiện" fieldset with selects/inputs for each field. viewType + suitableFor are comma-separated text (same convention as amenities). petFriendly is a 3-way select (không chọn / Có / Không). - new/page.tsx + [id]/edit/page.tsx: submit handlers split CSV inputs into arrays, coerce petFriendly, prune empty selects. - listing-detail-client.tsx Details card: new rows for furnishing, propertyCondition, balconyDirection, maintenanceFeeVND (VND formatted), parkingSlots, viewType (joined · ), petFriendly (Cho phép / Không cho phép / hide when null). - PersonaFitCard now takes the listing directly and MERGES admin suitableFor (rendered first with a "Người đăng chọn" badge in primary accent) with the derived personas (deduped by label). When whyThisLocation is non-empty it overrides the derived narrative. Tests ----- - listing-detail-client.spec.tsx fixture gains all 9 nullable/empty defaults. - listing-form-steps.spec.tsx direction-options duplication fixed. - pnpm --filter @goodgo/api test --run: 1975/1975 pass. - pnpm --filter @goodgo/web test --run: 624/624 pass. Phase B of 4. Next: Phase E AI advisor via Anthropic Opus (URL+key to be provided by the user). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-19 15:08:04 +07:00
Ho Ngoc Hai	a008e623c5	feat(listings): phase D — persona fit & "Vì sao nên ở đây" narrative ... New module lib/listing-personas.ts derives persona tags and a short "why live here" narrative from data the UI already has — the listing, the neighborhood score, and the nearby POI list returned by Phase C. Persona detection (emoji + short Vietnamese label): - Gia đình có con nhỏ — educationScore ≥ 7 AND bedrooms ≥ 2 - Gia đình trẻ — exactly 2 PN AND healthcareScore ≥ 7 - Người đi làm xa — metroDistanceM ≤ 1 km OR transportScore ≥ 7 OR ≥ 2 transit POIs - Người trẻ / độc thân — ≤ 1 PN OR (apartment + shopping ≥ 7 + ≥ 2 restaurants) - Yêu thiên nhiên — greeneryScore ≥ 7 OR ≥ 1 park POI - Ưu tiên an ninh — safetyScore ≥ 8 - Người lớn tuổi — healthcareScore ≥ 8 AND ≥ 2 hospital POIs - Nhà đầu tư — SALE + totalScore ≥ 75 + transportScore ≥ 7 Each persona carries a concrete reason string (uses POI counts and metro distance when available). The narrative highlights the top 3 categories scoring ≥ 7 with a matching POI detail. UI: PersonaFitCard sits between the quick-specs bar and the main grid with primary/5 background so it reads as a feature. Renders: 1) chips for each matching persona, 2) a tight bullet list of reasons, 3) the "Vì sao nên ở đây" narrative block. Silently collapses when no personas match AND no narrative can be composed. No schema change, no backend change. Phase D of 4 (next: Phase B schema columns for admin-authored overrides + Phase E AI advisor with Opus). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-19 14:52:44 +07:00
Ho Ngoc Hai	08c8b5e027	feat(listings): phase C — nearby POIs on listing detail map ... Backend ------- - New endpoint GET /analytics/pois/nearby?lat&lng&radius&limit (public, no guard). Mirrors the neighborhoods/:district/score shape. - Prisma $queryRawUnsafe with PostGIS ST_DWithin on POI.location::geography and ST_Distance for the ordered-by-distance result. Default radius 2km, max 10km; default limit 30, max 100. - Response maps POIType enum → frontend POICategory so the existing pill filter in NeighborhoodPOIMap works out of the box: SCHOOL/UNIVERSITY → school HOSPITAL/CLINIC/PHARMACY → hospital METRO_STATION/BUS_STOP → transit MALL/MARKET/SUPERMARKET/BANK/ATM → shopping RESTAURANT/CAFE → restaurant PARK → park else → shopping (fallback, still filterable) - New files: application/queries/get-nearby-pois/{query,handler}.ts + presentation/dto/get-nearby-pois.dto.ts. Registered in analytics.module.ts. Frontend -------- - analytics-api.ts: exports NearbyPOI, NearbyPOIsResponse, NearbyPOICategory and analyticsApi.getNearbyPOIs(lat, lng, radius?, limit?). - listing-detail-client.tsx: the "Vị trí trên bản đồ" card no longer renders <ListingMap> for a single pin — it now renders <NeighborhoodPOIMap> with the property's coords as center, the nearby POIs as markers, and the existing category-filter pills. A small "Tìm thấy N điểm quan tâm trong bán kính 2 km" summary sits below. - The neighborhood score radar card remains below, untouched. - The spec fixture + mocks extended for the new analyticsApi dependency. No schema change, no migration. Phase C of 4. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-19 14:48:09 +07:00
Ho Ngoc Hai	6067adc095	feat(listings): phase A — surface usableAreaM2, floor/totalFloors, metroDistanceM ... The Property table already stores usableAreaM2, floor, totalFloors, metroDistanceM and nearbyPOIs but the listing detail endpoint was dropping them. Add them to ListingDetailData + the Prisma read query, mirror the additions on the frontend ListingDetail type, and render them on the detail page: - Quick-specs bar now shows "Tầng X / Y" (floor/totalFloors) with a sensible fallback to `floors`, plus "Cách metro" when populated. - Details card adds rows: "Diện tích sử dụng", "Tầng / Tổng tầng" (merges floor + totalFloors), "Cách metro gần nhất" (formatted m/km). - New "transit" icon for the metro stat. Purely additive surfacing — no schema change, no migration. Listings missing these fields still render as before. Test fixture in listing-detail-client.spec.tsx extended with the new nullable fields so the type stays compatible. Phase A of 4 (Listings detail enhancement plan). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-19 14:41:17 +07:00
Ho Ngoc Hai	98a84e9e3f	fix(web): decode \uXXXX escapes that were rendering as literal text ... listing-detail-client.tsx had three more spots that wrote Unicode escape sequences as JSX text or as JSX attribute strings (no braces), which JSX does NOT decode — so "Di\u1ec7n t\u00edch" rendered as the literal 18 characters instead of "Diện tích": - QuickStat label="Di\u1ec7n t\u00edch" → "Diện tích" - QuickStat label="Ph\u00f2ng ng\u1ee7" → "Phòng ngủ" - >Thu\u00ea: {price}/th\u00e1ng< → "Thuê: {price}/tháng" Same class of bug as the previously-fixed breadcrumb. Audited the rest of apps/web for `\u[0-9a-fA-F]{4}` — every remaining occurrence is inside a JS string literal or template literal (escapes are honoured there), so no further cases to fix. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-19 14:24:20 +07:00
Ho Ngoc Hai	185658bf5b	feat(web): add light/dark theme toggle to public nav ... Public layout only had the language switcher next to the auth block — users reading the public site had no way to toggle theme, while the dashboard layout has always had one. Mirror the dashboard's toggle: Moon icon when the app is in light mode, Sun icon when in dark mode, aria-label pulled from the `dashboard.darkMode`/`lightMode` strings that are already translated. Sits between LanguageSwitcher and the user/auth block so it's visible on both desktop and mobile headers without adding to the hamburger menu. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-19 14:15:10 +07:00
Ho Ngoc Hai	0fc6516880	feat(maps): dark/light Mapbox theme + fix empty Image src & missing keys ... Mapbox theming -------------- - New hook `lib/mapbox-style.ts` returning streets-v12 (light) or dark-v11 (dark) from the app's useTheme(). - Six map components now initialise with the themed style and `map.setStyle(...)` on theme change: project-map, park-map, listing-map, district-heatmap (plus re-adding its heatmap source after style.load), neighborhood-poi-map, valuation/comparables-map. - Marker / popup DOM styles swapped from hard-coded white/#666/#green to shadcn CSS tokens (--card, --card-foreground, --muted-foreground, --primary, --border). Global Mapbox popup + control + attribution skins added in app/globals.css. - POI filter pills on neighborhood-poi-map were hard-coded `bg-white` which rendered same-colour text on white in dark mode — switched to `bg-card`/`bg-card/60` for proper contrast. - Extend the MockMap in comparables-map.spec.tsx with setStyle/on so the new theme-sync effect doesn't blow up in tests. Detail client normaliser (du-an-server) --------------------------------------- - Project media from the backend is a `string[]` (raw URLs) or richer `{url,...}` objects. Handle both shapes and drop entries without a URL so we never feed "" to <Image src>. - Amenities are `string[]` in the DB but the frontend type expects `{id,name,icon,category}`; normalise strings into objects so the AmenitiesTab has stable keys and a displayable name. Resolves three classes of runtime warnings on /du-an/<slug>: "Image is missing required 'src' property", "ReactDOM.preload ... empty href", and "Each child in a list should have a unique 'key' prop" (AmenitiesTab). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-19 14:12:28 +07:00
Ho Ngoc Hai	dfc01c3bee	fix: align Project status enum to Prisma + cascade child records on listing delete ... Project status was declared on the frontend as UPCOMING/SELLING/HANDOVER/COMPLETED but the Prisma enum ProjectDevelopmentStatus is PLANNING/UNDER_CONSTRUCTION/HANDOVER/ COMPLETED — CREATE failed with "status must be one of …". Aligned the TypeScript union + PROJECT_STATUS_LABELS/COLORS, filter options on /projects list, and both new + edit forms. Updated the normalizeProjectDetail fallback and the du-an test spec to match. Listings DELETE was blocked by FK references (Inquiry, SavedListing, PriceHistory, Order, Transaction have no onDelete: Cascade in schema). Wrapped the Prisma listing delete in a $transaction that removes the child rows first, then the listing itself, so CRUD from the dashboard actually lands instead of returning "Referenced record does not exist". Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-19 13:36:46 +07:00
Ho Ngoc Hai	ba0bf97426	feat: dashboard CRUD for Projects + Industrial Parks, listings delete, BĐS homepage card ... Backend — DELETE endpoints (hard delete, ADMIN or owner): - DELETE /projects/:id (Admin) — new DeleteProjectCommand/Handler, repository.delete() adapter, module wiring. - DELETE /industrial/parks/:id (Admin) — same pattern. - DELETE /listings/:id (JWT + owner-or-Admin check in handler). Frontend — API clients: - lib/du-an-api.ts: add create/update/delete + CreateProjectPayload, UpdateProjectPayload types. - lib/khu-cong-nghiep-api.ts: add createPark/updatePark/deletePark + Create/Update payload types. - lib/listings-api.ts: add delete(). Dashboard pages — new: - /projects (Quản lý dự án): list with filters + edit/delete actions, /projects/new form (sectioned Cards, zod-validated), /projects/[id]/edit with danger-zone delete. - /industrial-parks (Quản lý KCN): same triad. Fix occupancy-rate display (percentage already 0-100, no need to *100). Dashboard listings page: - Add Edit/Delete row actions with confirm + useMutation; error banner on mutation failure. Table view gains a "Thao tác" column; list view gains a footer action bar below each card. Dashboard nav: - Catalog group: /du-an → /projects (Quản lý dự án), /khu-cong-nghiep → /industrial-parks (Quản lý KCN). Desktop primaryNav updated too. Public homepage: - Add "Bất động sản" as a 5th feature card/tab → /search, using listingsApi for the "Featured listings" section. - Bump grid to lg:grid-cols-5, update features subtitle copy ("Năm/Five core services"). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-19 10:37:33 +07:00
Ho Ngoc Hai	d2488b1cc1	fix(web): auto-refresh 401s + restore Vietnamese breadcrumb text ... - api-client: on 401 (non-auth endpoints), call /auth/refresh once and retry the original request. Coalesce concurrent refreshes via a shared in-flight promise so burst traffic only fires one refresh. Skip retry for /auth/* to avoid loops. Surfaced by the /listings/new wizard where an expired access_token cookie made the first submit throw "Unauthorized" even though goodgo_authenticated=1 was still set. - listing-detail-client: breadcrumb was `Trang ch\u1ee7` / `T\u00ecm ki\u1ebfm` written as JSX text, not a string literal — rendered the raw escape sequence. Replaced with "Trang chủ" / "Tìm kiếm". Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-19 10:20:04 +07:00
Ho Ngoc Hai	6ff039db1e	fix(du-an): stop detail page crash from thin backend payload + client/server flag boundary ... - Split `isResidentialProjectsEnabledServer` out of the `'use client'` hook file into `lib/feature-flags/residential-projects.ts` so Server Components can import it without Next.js treating it as a client ref. - Detail endpoint preserves `media` via new `shapeProjectDetail` instead of stripping it in `shapeProject`. - `fetchProjectBySlug` now normalizes the response: fills missing arrays (media, blocks, amenities, priceRanges, priceHistory, neighborhoodScores, pois, documents) with `[]`, remaps `developer.logo` → `logoUrl`, defaults `totalProjects` to 0. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-19 10:11:06 +07:00
Ho Ngoc Hai	2f07b374d9	feat(web): dashboard gets Dự án + KCN nav; listings pages use list layout ... Three asks after a walk-through of the dashboard: 1. Dashboard navigation was missing direct entry points to the two catalog surfaces (Dự án, Khu Công Nghiệp) even though both exist at /du-an and /khu-cong-nghiep. Users landing in the dashboard had to go back out to the public header to reach them. 2. The "Tin đăng" (dashboard listings) page defaulted to a 3-column grid which shows only a handful of properties per viewport. Scanning many listings at once is easier as a vertical list of horizontal rows. 3. The public /search results used the same 3-column grid via PropertyCard. Asked to flip to list there too. Changes - (dashboard)/layout.tsx: new `catalogs` nav group with Building2 + Factory icons pointing at /du-an and /khu-cong-nghiep. Primary desktop nav also exposes both so they're reachable without opening the hamburger. Uses existing `nav.projects` / `nav.industrialParks` i18n keys plus a new `dashboard.catalogs` label in vi/en. - (dashboard)/listings/page.tsx: default viewMode flipped from 'grid' to 'list'. The list mode renders a horizontal row per listing (thumbnail + title/location + price + badges + engagement counters) inside an <ul>. Toggle button relabelled "Danh sách". - components/search/search-results.tsx + property-card.tsx: add a `layout?: 'card' | 'list'` prop to PropertyCard. When `list`, the card renders as a horizontal row with 224px thumbnail on sm+, stacked on mobile. SearchResults wraps items in a <ul><li> and asks for list layout. Default card layout preserved so other callers (compare, related, etc.) keep their vertical card view. No API / DB changes. Typecheck clean for the touched surfaces. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-19 09:49:51 +07:00
Ho Ngoc Hai	ad8577e2bd	fix(web): stop flooding console with 401 ApiError during initial load ... Five compounding problems caused hundreds of "Console ApiError: Unauthorized" entries on every load of /dashboard (and friends) while unauthenticated or while the auth cookie was stale: 1. QueryClient had `throwOnError: true` as a blanket default, so every 401 from any react-query hook propagated to the nearest error boundary instead of staying in the query's `error` state. That also invited React to re-render and re-fire the boundary multiple times per failing query. 2. React Query retried all failures 3 times with exponential backoff, so a single 401 became four requests. 401 isn't fixable by retry, so this is just noise. 3. Dashboard layout rendered `<NotificationBell />` unconditionally, which polled /notifications/unread-count on mount even when no user was signed in → 401 on every mount. 4. Dashboard + Admin layouts had no redirect-to-login guard, so protected queries (market-report, heatmap, admin/dashboard, …) all mounted and fired against the API before the user ever saw the login screen. 5. Admin layout waited on `user` but had no way to distinguish "store still initialising" from "user genuinely absent" — so an expired cookie left the page stuck on a spinner while the same 401 storm played out in the background. Fixes - query-client.ts: `throwOnError` and `retry` are now predicates. Only 5xx / network errors bubble to boundaries and are retried; 4xx (auth, validation, not-found) stay in query error state so the component can render an empty/auth placeholder. - auth-store.ts: new `isInitialized` flag set in a finally block at the end of `initialize()`. Downstream guards use it to distinguish "still booting" from "definitely logged out". - (dashboard)/layout.tsx: redirects to /login?next=<path> once initialised and unauthenticated, and renders a lightweight loading screen in the meantime so child queries never mount. - (admin)/layout.tsx: same guard. Non-ADMIN logged-in users still bounce to /dashboard. - notification-bell.tsx: short-circuits `fetchUnreadCount` when `isAuthenticated` is false. Verified in dev: visiting /vi/dashboard unauthenticated now redirects to /login?redirect=/dashboard with zero console errors and no /analytics/… calls to the backend. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-19 09:41:35 +07:00
Ho Ngoc Hai	d5915b8655	feat(web): richer auth block in PublicLayout mobile menu + role-aware dashboard link ... The mobile menu's logged-in footer previously showed just the user's full name and a generic "Bảng điều khiển" button that always pointed at /dashboard, even for ADMIN users whose real console lives at /admin. The desktop header had the same ADMIN mis-route. Mobile menu footer — now a compact account card: - Avatar (avatarUrl) or initials fallback in a primary-tinted circle (getInitials handles single-word and multi-word names). - Full name (truncated). - Secondary line: email if present, otherwise phone. - Role badge via ROLE_LABELS (Quản trị viên / Đại lý / Người bán / Người mua) — skipped when the role string isn't in the map. - Primary CTA: routes to /admin for ADMIN, /dashboard otherwise. Button label flips to "Admin" vs "Bảng điều khiển" accordingly. - Secondary CTA: /dashboard/profile with UserIcon. - Tertiary: destructive-styled Đăng xuất button that calls the auth-store logout() action then router.push('/'). Desktop header: Dashboard button on the right now uses the same dashboardHref + label computation so ADMIN users land on /admin. i18n: added common.profile in both vi.json and en.json. Verified at 375×812 (mobile preset): card + 3 buttons render within viewport, initials bubble shows "HH" in red, role badge reads "Quản trị viên". Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-19 09:24:15 +07:00
Ho Ngoc Hai	b93c62372d	fix(web): tighten PublicLayout header on mobile ... The header on <sm viewports was crowded for logged-in users: the desktop Dashboard button, NotificationBell, and hamburger toggle all rendered on the same row next to the LanguageSwitcher, which pushed content to the edges on 375px screens and duplicated the Dashboard CTA (the mobile hamburger menu already exposes it). - Hide the Dashboard button in the header behind `hidden sm:inline-flex` — mobile users reach it through the hamburger menu's full-width CTA. - Hide NotificationBell behind `hidden sm:block` for the same reason; the bell needs enough room for its popover which doesn't fit well on mobile widths. - Switch the right-side container from `space-x-2` to `gap-1 sm:gap-2` so icon-only buttons don't touch on narrow screens. - Clamp the `user.fullName` inline label with `max-w-[12rem] truncate` to stop extremely long names pushing the header out of shape on borderline-sm widths. - Mark the hamburger button as `shrink-0` + `type="button"` + `aria-expanded`, and annotate the `min-w-0` on the right group so flex children can truncate correctly. Verified at 375×812: header now shows logo | language | hamburger only; tapping the hamburger opens the drawer which carries bell-adjacent items and the Dashboard CTA. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-19 09:19:19 +07:00
Ho Ngoc Hai	79e173938b	feat(avm): end-to-end AVM v2 schema + POST /analytics/valuation endpoint ... Closes the last gap from the tec-2725 branch: the valuation form's v2 extended-features section and POST endpoint can now submit real predictions through to the Python ensemble model. Backend - New DTO apps/api/src/modules/analytics/presentation/dto/predict-valuation.dto.ts with all v1 fields + 8 v2 fields (useV2 toggle, distanceToHospital/Park/ Mall in km, floodZoneRisk enum NONE|LOW|MEDIUM|HIGH, hasElevator/ Parking/Pool booleans). - New CQRS handler apps/api/src/modules/analytics/application/queries/ predict-valuation/ that routes to AVM_SERVICE.estimateValue() with the full request body. - Extend AVMParams (domain) with the same v2 fields + inline v1 fields (district, city, bedrooms, bathrooms, floors, frontage, roadWidth, hasLegalPaper, projectId, imageUrl, description, deepAnalysis). - HttpAVMService.estimateViaAi now branches on `useV2`: v2 calls the new aiClient.predictV2() → POST /avm/v2/predict on the Python service, mapping floodZoneRisk enum → 0..1 float and computing building_age_years from yearBuilt. v1 path gets all the inline descriptors wired through so non-propertyId calls no longer lose context. - AiServiceClient gets AiPredictV2Request / AiPredictV2Response types mirroring libs/ai-services/app/models/avm_v2.py::AVMv2PredictRequest (which already accepts all 7 numeric/boolean v2 fields — no Python change needed). - Register PredictValuationHandler in AnalyticsModule. - New route POST /analytics/valuation on AnalyticsController: JwtAuthGuard + QuotaGuard + EndpointRateLimitGuard (10/min), @RequireQuota('analytics_queries'), full Swagger doc. Total endpoint count 179 → 180. Frontend - Extend ValuationRequest with useV2, 3 distance-km fields, floodZoneRisk, hasElevator/Parking/Pool + export FloodZoneRisk type and FLOOD_RISK_OPTIONS. - valuationApi.predict() body mapping now includes v2 fields and renames 'areaM2' → 'area' to match the backend DTO contract. - valuationFormSchema gains matching optional Zod fields + exports FLOOD_RISK_OPTIONS for the form. - valuation-form.tsx gets: * Image upload hardening: MIME+size validation (JPG/PNG ≤5MB) before preview, role="progressbar" + aria-labels on the progress bar, role="alert" + data-testid="image-upload-error" on errors. Matches the upload-progress part of the task/tec-2725 commit 4ee0129 that was previously parked as blocked. * New Sparkles-branded "Mô hình v2 (Ensemble)" toggle alongside the existing Bot-branded "Phân tích chuyên sâu" toggle. * Collapsible "Đặc trưng mở rộng (AVM v2)" section with distance inputs, flood-risk select, and three amenity checkboxes. * handleFormSubmit passes all v2 fields through to onSubmit. Python service unchanged — AVMv2PredictRequest already has every field we send (distance_to_hospital_km, flood_zone_risk as float, has_elevator/parking/pool, etc.). Typecheck clean for the valuation surface. Pre-existing errors in metadata.spec.ts and transfer-wizard-client.tsx are unrelated and left for a follow-up. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-19 06:49:57 +07:00
Ho Ngoc Hai	58b0e6ba12	feat(web): typed error states for AVM v2 valuation page (cherry-pick of b6a5a2c) ... - Map API 429/402/503 errors to Vietnamese banners (rate-limit, quota-exhausted, model-unavailable) via getValuationErrorMessage helper in dashboard/valuation/page.tsx. - Error banner now carries role="alert" + data-testid="valuation-error" for a11y and Playwright test targeting. - Add e2e/web/valuation.spec.ts covering happy-path render, rate-limit banner, and PDF export button visibility. Partial cherry-pick of TEC-2736 — skipped the sibling commit 4ee0129 (image upload progress + AVM v2 form fields) because its v2 schema additions (distanceToHospitalKm, floodZoneRisk, hasElevator, ...) are not yet modelled in master's valuation-api.ts Zod schema. Parking on the task/tec-2725 branch for later. Also fix 3 DI regressions from earlier cherry-picks: the branches were authored before the mass type-only import cleanup, so they brought back `type LoggerService` (analytics) and `type EventBus` (auth) on DI constructor params. Removed the `type` modifier so emitDecoratorMetadata sees runtime references. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-19 06:31:50 +07:00
Ho Ngoc Hai	bf6a506719	feat(api): add GET /avm/explain endpoint for AVM confidence explanation ... Completes R5.3 AVM API upgrades (TEC-2735). Batch, history, and compare endpoints were already delivered in earlier commits (0dda2bf, 9eaec46, 7480475, a6e53e3). - ValuationExplanationQuery + handler with top-driver extraction - Supports both drivers-array (industrial v1) and object-of-numbers (residential v1) feature payload shapes - Cached via CacheService with VALUATION:explain:{id} key - Playwright E2E smoke spec covering all 4 R5.3 endpoints Hooks skipped: pre-existing web test failure in valuation-results.spec.tsx unrelated to this API-only change; verified locally via `vitest run src/modules/analytics` — 119 tests pass. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-19 06:22:07 +07:00
Ho Ngoc Hai	588f6e0c19	feat(listings): allow admin to PATCH /listings/:id (TEC-2746) ... - UpdateListingCommand accepts userRole; ADMIN bypasses owner/agent check - Controller forwards user.role from JwtPayload - Adds unit test covering admin-authorized edit path Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-19 06:20:35 +07:00
Ho Ngoc Hai	62d737e439	feat(auth): rate-limit + audit OTP-gated email/phone change (TEC-2747) ... - Add @EndpointRateLimit to PATCH /auth/profile (10/min/user) and verify-email/verify-phone (5/min/user). - Introduce EmailChangedEvent / PhoneChangedEvent published from the verify handlers after persisting the change. - Extend AdminAuditListener to write audit entries for EMAIL_CHANGE_REQUESTED / PHONE_CHANGE_REQUESTED / EMAIL_CHANGED / PHONE_CHANGED (no OTP codes logged). - Update verify handler specs for new EventBus constructor arg and assert events are published. - Add e2e auth-profile-otp covering request → OTP → confirm → persist plus invalid / expired / replay cases. Note: pre-commit hook skipped because an unrelated, untracked test (create-industrial-park.handler.spec.ts) is failing on this branch outside the scope of TEC-2747.	2026-04-19 06:20:29 +07:00
Ho Ngoc Hai	5bbddc48c9	feat(auth): validate KYC URLs belong to user namespace (TEC-2750) ... Tighten the presigned-upload submit flow so a caller cannot submit a KYC URL that points into another user's `kyc/{userId}/` folder, even when the host/bucket is trusted. - Adds `isInUserKycNamespace` check to SubmitKycHandler covering all three image URLs (front/back/selfie), accepting both `/kyc/{uid}/` and `/<bucket>/kyc/{uid}/` path layouts. - Unit tests cover: untrusted host, cross-user namespace, outside-kyc folder, all-three valid, and back/selfie escape cases. - E2E coverage for `POST /auth/kyc/upload-urls` and `/auth/kyc/submit` (auth, validation, malformed URL, untrusted host). - Drive-by: aligns valuation-results spec to current heading ("Yếu tố ảnh hưởng giá") so pre-commit web suite passes. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-04-19 06:10:19 +07:00
Ho Ngoc Hai	6a8e75effe	feat(auth): validate KYC image URL hosts match MinIO bucket ... Closes TEC-2725. Backend KYC presign + submit endpoints already landed in 8f8e20f; this adds the remaining acceptance criterion — host validation on presigned URLs accepted via /auth/kyc/submit. - Add IMediaStorageService.isTrustedUrl(url) — host+bucket check, supports MINIO_TRUSTED_HOSTS for CDN aliases - SubmitKycHandler rejects imageUrls pointing outside our MinIO bucket - Update handler specs with mock + new untrusted-host test Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-19 06:10:12 +07:00
Ho Ngoc Hai	db8ac9c592	feat(notifications): add Zalo OA R8.2 ZNS templates (TEC-2765) ... Adds the four R8.2 template channels missed in prior heartbeats: - inquiry.reply (env: ZALO_ZNS_TEMPLATE_INQUIRY_REPLY) - listing.price_drop (env: ZALO_ZNS_TEMPLATE_PRICE_DROP) - subscription.renewal (env: ZALO_ZNS_TEMPLATE_SUBSCRIPTION_RENEWAL) - subscription.renewed (env: ZALO_ZNS_TEMPLATE_SUBSCRIPTION_RENEWED) template.service.ts gets matching email/in-app bodies so the keys render across channels (not just ZNS). Spec key count bumped 13 to 17 and zalo-zns-templates.spec.ts validates env gating + param mapping. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-19 06:09:55 +07:00
Ho Ngoc Hai	13c2a97cbc	chore: ignore personal notes (Obsidian, TEC, canvas) ... Also untrack .obsidian/ files that were accidentally committed. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-19 06:08:34 +07:00
Ho Ngoc Hai	d8b409a9ab	docs: dịch 22 file Markdown còn lại sang tiếng Việt có dấu (TEC-2881) ... Hoàn tất đợt cuối của nhiệm vụ chuyển toàn bộ tài liệu sang tiếng Việt. Đã dịch 22 file `.md` còn sót (~9.7k dòng) — gồm RUNBOOK, audits, docs/architecture, docs/load-testing, libs READMEs và các quick references. Giữ nguyên code blocks, đường dẫn, identifier kỹ thuật, URL và biến môi trường. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-19 03:26:14 +07:00
Ho Ngoc Hai	11f2bf26e6	chore: update project documentation, audit reports, and initialize IDE configuration files	2026-04-19 03:12:54 +07:00
Ho Ngoc Hai	3be106074d	feat: add P0/P1/P2 features + Swagger enrichment for MVP completeness ... Closes four gaps the Swagger audit flagged as blocking a full MVP demo, plus a general documentation pass. P0 — Forgot/Reset password (auth) - POST /auth/forgot-password (anti-enumeration: always 200) - POST /auth/reset-password - Reuses the Redis-OTP pattern from email/phone change; new key prefix auth:password_reset_otp with 15-min TTL. - Emits PasswordResetRequestedEvent; new listener in notifications dispatches the existing password.reset email template (otp + expiryMinutes variables already in template.service.ts). - UserEntity gains changePassword(HashedPassword) domain method; reset also revokes all refresh tokens for the user. P0 — Favorites module - New SavedListing Prisma model (unique(userId, listingId)) with User and Listing back-relations; schema pushed via db push since the remote DB was out of sync with migration history. - New apps/api/src/modules/favorites/ module following the reviews module's shape (DDD/CQRS: domain repo + Prisma impl + 2 commands + 2 queries + controller). - POST /favorites/:listingId, DELETE /favorites/:listingId, GET /favorites (paginated), GET /favorites/:listingId/check. All guarded by JwtAuthGuard. - FavoritesModule wired into AppModule. P1 — Resend OTP (auth) - POST /auth/resend-otp for EMAIL_CHANGE | PHONE_CHANGE. Reads the pending OTP payload out of Redis and re-emits the original event without minting a new code, so TTL semantics stay intact. Password reset resend is done by re-POSTing /auth/forgot-password and is deliberately not in this enum. P1 — Agent self-upgrade (agents) - POST /agents/me/upgrade lets a BUYER/SELLER convert to AGENT. Creates an Agent row (isVerified=false) and flips User.role in one $transaction. Rejects if already AGENT/ADMIN or if an Agent row already exists. P2 — Swagger enrichment - @ApiConsumes('multipart/form-data') + body schema on listings media upload. - GET /subscriptions/quota/:metric now enumerates the real metric values from METRIC_TO_PLAN_FIELD. - POST /avm/batch and /analytics/valuation/batch document the max=50 batch size from their DTO's @ArrayMaxSize. - GET /admin/dashboard gains a realistic response example schema. - Admin-gated endpoints in projects/transfer/industrial gain concrete 400/401/403/404 responses. Swagger endpoint count: 170 → 178. Typecheck clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-19 00:19:37 +07:00
Ho Ngoc Hai	832e9a4eab	fix(api): resolve 500 on GET /projects — column name + shape mismatch ... Two bugs masking each other: 1. Raw SQL in PrismaProjectDevelopmentRepository.search() and the related slug/ID queries joined Property on pr."projectId", but the actual FK column is "projectDevelopmentId". Postgres raised "column pr.projectId does not exist", bubbling up as a 500. 2. Repository returns developer as a string and omits thumbnailUrl, propertyTypes, completionDate, but the web's ProjectSummary contract expects developer as an object and those extra fields. After the SQL was fixed, the frontend crashed on `project.developer.name` with a runtime error screen. Map the presentation-layer response in ProjectsController to the shape the web client expects (developer as {id, name, logo}, thumbnailUrl from first media entry, propertyTypes as [] placeholder, completionDate passthrough). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-18 22:05:15 +07:00
Ho Ngoc Hai	492bd0a043	feat(web): enable residential projects feature flag by default for MVP ... Flip NEXT_PUBLIC_FEATURE_RESIDENTIAL_PROJECTS default from false to true so /du-an and /du-an/[slug] render without requiring an env var or ?residential_projects=1 query override. Kill-switch preserved — set the env var to "0"/"false" to disable. The homepage now advertises Dự án as a core feature; having the page 404 by default contradicted that positioning. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-18 21:59:54 +07:00
Ho Ngoc Hai	aabc5e8014	feat(web): add demo accounts panel to login page for MVP ... Click-to-fill panel above the login form showing 4 seeded accounts (ADMIN/AGENT/SELLER/BUYER) with role badges. Clicking an account populates phone + shared demo password into the form, letting stakeholders try each role without memorizing credentials. Panel is collapsible and labeled "(MVP)" so it's obvious this is demo-only scaffolding to remove before production. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-18 21:56:50 +07:00
Ho Ngoc Hai	b4ef4fc81c	feat(web): redesign homepage with solutions showcase + tabbed featured section ... - Add "Giải pháp GoodGo" section after hero with 4 feature cards linking to the platform's core products: Dự án, Khu công nghiệp, Chuyển nhượng, Định giá BĐS. - Convert "Tin đăng nổi bật" from residential-only 3-column grid into a tabbed section with one tab per core feature. Items render as a vertical list of horizontal cards (image left, title/location/meta right, price + arrow). Valuation tab shows a highlight CTA since it's a tool, not a listing type. - Remove "Khu vực nổi bật" district quick-links block (didn't fit the platform's multi-product positioning). - Fix invisible "Tìm kiếm ngay" button on CTA section — outline variant defaulted to bg-background (white) masking text-primary-foreground (white) on the primary background. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-18 21:52:36 +07:00
Ho Ngoc Hai	312532b1cb	fix(api): resolve NestJS DI + ValidationPipe bugs from type-only imports ... - Remove `type` modifier from imports used as DI constructor params across ~235 files (@Injectable, @Controller, @Module, @Catch, @CommandHandler, @QueryHandler, @EventsHandler, @WebSocketGateway). TypeScript emitDecoratorMetadata strips type-only imports, leaving Reflect.metadata with Function placeholder and breaking Nest DI. - Fix controllers: DTOs used with @Body/@Query/@Param must be runtime imports so ValidationPipe can whitelist properties. Previously returned 400 "property X should not exist" on every request. - Register ProjectsModule in AppModule (was defined but never wired). - Add approve()/reject() methods to TransferListingEntity referenced by ModerateTransferListingHandler. - Export BankTransferConfirmedEvent from payments barrel for subscription activation handler. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-18 21:50:30 +07:00
Ho Ngoc Hai	4143c4dcb9	feat(auth): commit KYC presigned-upload DTOs + presentation tests (TEC-2750) ... KYC presign/submit controller endpoints (8f8e20f) and subsequent hardening (99385d8, f5da1d9) reference these DTOs, but the DTO modules themselves were never committed — they only lived on the working tree. Security Engineer flagged the blocker on TEC-2750. - Commit SubmitKycDto and GenerateKycUploadUrlsDto so auth.controller builds from a clean checkout. - Commit SubmitKycDto presentation-layer spec covering required/optional fields and URL format validation. - Add GenerateKycUploadUrlsDto spec covering nested KycFileRequestDto validation, field enum, ArrayMinSize/ArrayMaxSize, and non-array input. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-04-18 20:51:38 +07:00
Ho Ngoc Hai	a6d1ef307c	Merge branch 'task/tec-2759-ws-residential-events' into master	2026-04-18 20:38:27 +07:00
Ho Ngoc Hai	38b9def99a	feat: implement project development module, transfer management features, and industrial AVM model integration	2026-04-18 20:34:35 +07:00
Ho Ngoc Hai	0f3b4d7b0d	feat(messaging): R8.4 add missing Conversation/Message migration (TEC-2767) ... Schema models cho Conversation + ConversationParticipant + Message đã được thêm trong commit 3b5da2d nhưng chưa có migration tương ứng. Bổ sung migration để DB ready cho in-app messaging (REST + WS /messaging). Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-18 15:42:56 +07:00