feat(admin): affiliate/personal discounts, user-videos, internal routes, authz

Closes the remaining legacy-admin gaps:
- Users «مدیریت» modal: create personal discount or affiliate code (owner_user_id +
  owner_profit_percentage on existing /v1/discounts), and view the user's saved
  projects ("videos") via new admin GET /v1/saved-projects/by-user/{id} (studio)
- Internal routes admin (/admin/routes): CRUD on content.internal_routes
  (RoutesController + CmsService + gateway /v1/routes/*)
- Security: lock identity UsersController Search + Ban to [Authorize(Roles="Admin")]

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

services/identity/FlatRender.IdentitySvc/Controllers/UsersController.cs

@@ -40,6 +40,7 @@ public class UsersController(IUserService userService) : ControllerBase
         => Ok(await userService.GetByIdAsync(userId));
 
     [HttpGet]
+    [Authorize(Roles = "Admin")]
     [ProducesResponseType(typeof(PagedResponse<UserResponse>), 200)]
     public async Task<IActionResult> Search(
         [FromQuery] string? q,
@@ -49,6 +50,7 @@ public class UsersController(IUserService userService) : ControllerBase
         => Ok(await userService.SearchAsync(q, tenantId, page, pageSize));
 
     [HttpPost("{userId:guid}/ban")]
+    [Authorize(Roles = "Admin")]
     [ProducesResponseType(204)]
     public async Task<IActionResult> Ban(Guid userId, [FromBody] BanUserRequest request)
     {