feat(api): .NET 10 multi-tenant REST API

Full backend implementation:
- Multi-tenant cafe/restaurant management (menus, orders, tables, staff)
- POS order flow with ZarinPal and Snappfood payment integration
- OTP authentication via Kavenegar SMS
- QR digital menu with public discover/finder endpoints
- Customer loyalty, coupons, CRM
- PostgreSQL via EF Core, Redis for caching/sessions
- Background jobs, webhook handlers
- Full migration history

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

src/Meezi.API/Controllers/BillingController.cs

@@ -0,0 +1,106 @@
+using FluentValidation;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Meezi.API.Models.Billing;
+using Meezi.API.Services;
+using Meezi.Core.Interfaces;
+using Meezi.Shared;
+
+namespace Meezi.API.Controllers;
+
+[ApiController]
+public class BillingController : ControllerBase
+{
+    private readonly IBillingService _billing;
+    private readonly IValidator<SubscribeRequest> _subscribeValidator;
+
+    public BillingController(IBillingService billing, IValidator<SubscribeRequest> subscribeValidator)
+    {
+        _billing = billing;
+        _subscribeValidator = subscribeValidator;
+    }
+
+    [Authorize]
+    [HttpPost("api/billing/subscribe")]
+    public async Task<IActionResult> Subscribe(
+        [FromBody] SubscribeRequest request,
+        ITenantContext tenant,
+        CancellationToken ct)
+    {
+        if (string.IsNullOrEmpty(tenant.CafeId))
+            return Unauthorized();
+        if (tenant.Role != Core.Enums.EmployeeRole.Owner)
+        {
+            return StatusCode(403, new ApiResponse<object>(false, null,
+                new ApiError("OWNER_REQUIRED", "Only the cafe owner can manage subscription billing.")));
+        }
+
+        var validation = await _subscribeValidator.ValidateAsync(request, ct);
+        if (!validation.IsValid)
+        {
+            var first = validation.Errors.First();
+            return BadRequest(new ApiResponse<object>(false, null, new ApiError("VALIDATION_ERROR", first.ErrorMessage, first.PropertyName)));
+        }
+
+        var (data, code, message) = await _billing.InitiateSubscriptionAsync(tenant.CafeId, request, ct);
+        if (data is null)
+            return BadRequest(new ApiResponse<object>(false, null, new ApiError(code ?? "ERROR", message ?? "Failed.")));
+
+        return Ok(new ApiResponse<SubscribeResponse>(true, data));
+    }
+
+    [AllowAnonymous]
+    [HttpGet("api/billing/verify")]
+    public async Task<IActionResult> Verify(
+        [FromQuery] string Authority,
+        [FromQuery] string? Status,
+        CancellationToken ct)
+    {
+        var result = await _billing.VerifyZarinPalAsync(Authority, Status, ct);
+        return Redirect(result.RedirectUrl);
+    }
+
+    [AllowAnonymous]
+    [HttpGet("api/billing/verify/snapppay")]
+    public async Task<IActionResult> VerifySnappPay(
+        [FromQuery] string? paymentToken,
+        [FromQuery] string? state,
+        CancellationToken ct)
+    {
+        var result = await _billing.VerifySnappPayAsync(paymentToken, state, ct);
+        return Redirect(result.RedirectUrl);
+    }
+
+    [AllowAnonymous]
+    [HttpGet("api/billing/verify/tara")]
+    public async Task<IActionResult> VerifyTara(
+        [FromQuery] string? traceNumber,
+        [FromQuery] string? status,
+        CancellationToken ct)
+    {
+        var result = await _billing.VerifyTaraAsync(traceNumber, status, ct);
+        return Redirect(result.RedirectUrl);
+    }
+
+    [Authorize]
+    [HttpGet("api/billing/payment-methods")]
+    public async Task<IActionResult> PaymentMethods(CancellationToken ct)
+    {
+        var methods = await _billing.GetPaymentMethodsAsync(ct);
+        return Ok(new ApiResponse<IReadOnlyList<PaymentMethodDto>>(true, methods));
+    }
+
+    [Authorize]
+    [HttpGet("api/billing/status")]
+    public async Task<IActionResult> Status(ITenantContext tenant, CancellationToken ct)
+    {
+        if (string.IsNullOrEmpty(tenant.CafeId) || tenant.PlanTier is null)
+            return Unauthorized();
+
+        var data = await _billing.GetStatusAsync(tenant.CafeId, tenant.PlanTier.Value, ct);
+        if (data is null)
+            return NotFound(new ApiResponse<object>(false, null, new ApiError("NOT_FOUND", "Cafe not found.")));
+
+        return Ok(new ApiResponse<BillingStatusDto>(true, data));
+    }
+}