fix(P0): security hardening + critical bug fixes across 22 services

Wave 1 — 6 parallel agents fixing P0 issues from code audit:

Auth (18 services secured):
- Added JWT Bearer auth + [Authorize] to all unprotected controllers
- Webhook endpoints (Facebook/WhatsApp/Zalo/X) stay [AllowAnonymous]
- Health checks remain public for Docker/K8s probes
- Services: catalog, order, booking, fnb-engine, inventory, social,
  ads-manager, ads-serving, ads-billing, ads-tracking, ads-analytics,
  mkt-facebook, mkt-whatsapp, mkt-x, mkt-zalo, promotion

Template artifacts (4 services):
- mission-service: myservice_db → mission_service
- mkt-facebook: Dockerfile MyService.API → FacebookService.API
- mkt-whatsapp: MyServiceContext.cs → WhatsAppServiceContext.cs
- promotion: UserSecretsId fixed

Critical handler bugs (7 fixes):
- ads-tracking: TrackPixelEventHandler now persists to DB
- ads-tracking: RecordConversion endpoint exposed via controller
- booking: UpdateResource now applies Name + Capacity changes
- ads-manager: ListPendingAds uses correct enum (pending_review)
- mining: BanMiner calls Ban() not Suspend()
- mining: ResetMinerStreak now actually resets streak
- mkt-x: 8 missing repository DI registrations added

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Ho Ngoc Hai
2026-03-13 20:18:09 +07:00
parent f3779c4ebe
commit f8606e0447
99 changed files with 741 additions and 83 deletions


@@ -86,6 +86,29 @@ try
name: "postgresql",
tags: ["db", "postgresql"]);
// EN: Add JWT Bearer authentication via IAM IdentityServer OIDC discovery
// VI: Thêm JWT Bearer authentication qua IAM IdentityServer OIDC discovery
var jwtAuthority = builder.Configuration["Jwt:Authority"] ?? "http://localhost:5001";
builder.Services.AddAuthentication(Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.Authority = jwtAuthority;
options.RequireHttpsMetadata = false;
options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
{
ValidateIssuer = false,
ValidateAudience = false,
ValidateLifetime = true,
// EN: In Development, skip signature validation to allow Docker IAM tokens
// VI: Trong Development, bỏ qua validate signature để chấp nhận token từ Docker IAM
ValidateIssuerSigningKey = builder.Environment.IsDevelopment() ? false : true,
SignatureValidator = builder.Environment.IsDevelopment()
? (token, _) => new Microsoft.IdentityModel.JsonWebTokens.JsonWebToken(token)
: null,
};
});
builder.Services.AddAuthorization();
// EN: Add CORS / VI: Thêm CORS
builder.Services.AddCors(options =>
{
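Review bot: the Development branch of the TokenValidationParameters (`ValidateIssuerSigningKey = false` together with a `SignatureValidator` that returns `new JsonWebToken(token)` without checking anything) accepts any well-formed JWT, so in any deployment where `builder.Environment.IsDevelopment()` is true a caller can mint a token with arbitrary claims and a future `exp` and be authenticated as whoever they like; the comment says this exists to "allow Docker IAM tokens", which is a reachability problem, not a signature problem. And because `ValidateIssuer = false`, `ValidateAudience = false` and `RequireHttpsMetadata = false` are set unconditionally, the production path also accepts a correctly signed token from any issuer, minted for any other service, with metadata fetched over plain HTTP (the fallback `Authority` is `http://localhost:5001`). Suggest dropping the `SignatureValidator` override entirely and pointing `options.Authority` (or `options.MetadataAddress`) at an address of the IAM container that is reachable from inside Docker; setting `ValidateIssuer = true` with `ValidIssuer` from configuration and `ValidateAudience = true` with a per-service audience; and limiting `RequireHttpsMetadata = false` to Development. If the branch is kept for now, `ValidateIssuerSigningKey = builder.Environment.IsDevelopment() ? false : true` reads more plainly as `!builder.Environment.IsDevelopment()`, but the real fix is to remove it.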
@@ -116,13 +139,17 @@ try
app.UseCors();
app.UseRouting();
// EN: Map health check endpoints / VI: Map health check endpoints
app.MapHealthChecks("/health");
// EN: Add authentication & authorization middleware / VI: Thêm middleware xác thực & phân quyền
app.UseAuthentication();
app.UseAuthorization();
// EN: Map health check endpoints (anonymous) / VI: Map health check endpoints (không cần xác thực)
app.MapHealthChecks("/health").AllowAnonymous();
app.MapHealthChecks("/health/live", new()
{
Predicate = _ => false // EN: Just checks app is running / VI: Chỉ kiểm tra app đang chạy
});
app.MapHealthChecks("/health/ready");
}).AllowAnonymous();
app.MapHealthChecks("/health/ready").AllowAnonymous();
// EN: Map controllers / VI: Map controllers
app.MapControllers();
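Review bot: protection is still opt-in here: `app.UseAuthorization()` only enforces the `[Authorize]` attributes the commit message says were added controller by controller, and `builder.Services.AddAuthorization()` in the previous hunk registers no fallback policy, so any controller or minimal endpoint added later without the attribute is anonymous by default, and the three `.AllowAnonymous()` calls on the health-check mappings are currently redundant rather than exemptions from a rule. Suggest making deny-by-default structural with `app.MapControllers().RequireAuthorization();` or `builder.Services.AddAuthorization(o => o.FallbackPolicy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build());`, so that the `.AllowAnonymous()` markers on the probes (and on the webhook controllers) become the only deliberate holes. The ordering change itself is right: mapping `/health`, `/health/live` and `/health/ready` after `UseAuthentication()`/`UseAuthorization()` is what lets `.AllowAnonymous()` take effect once a fallback policy exists.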