feat(api): .NET 10 multi-tenant REST API

Full backend implementation:
- Multi-tenant cafe/restaurant management (menus, orders, tables, staff)
- POS order flow with ZarinPal and Snappfood payment integration
- OTP authentication via Kavenegar SMS
- QR digital menu with public discover/finder endpoints
- Customer loyalty, coupons, CRM
- PostgreSQL via EF Core, Redis for caching/sessions
- Background jobs, webhook handlers
- Full migration history

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

src/Meezi.API/Controllers/BranchTablesController.cs

@@ -0,0 +1,253 @@
+using FluentValidation;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Meezi.API.Models.Tables;
+using Meezi.API.Services;
+using Meezi.Core.Enums;
+using Meezi.Core.Interfaces;
+using Meezi.Shared;
+
+namespace Meezi.API.Controllers;
+
+[Route("api/cafes/{cafeId}/branches/{branchId}/tables")]
+public class BranchTablesController : CafeApiControllerBase
+{
+    private readonly ITableService _tables;
+    private readonly IValidator<CreateBranchTableRequest> _createTableValidator;
+    private readonly IValidator<PatchBranchTableRequest> _patchTableValidator;
+    private readonly IValidator<CreateTableSectionRequest> _createSectionValidator;
+    private readonly IValidator<PatchTableSectionRequest> _patchSectionValidator;
+    private readonly IValidator<SetTableCleaningRequest> _cleaningValidator;
+
+    public BranchTablesController(
+        ITableService tables,
+        IValidator<CreateBranchTableRequest> createTableValidator,
+        IValidator<PatchBranchTableRequest> patchTableValidator,
+        IValidator<CreateTableSectionRequest> createSectionValidator,
+        IValidator<PatchTableSectionRequest> patchSectionValidator,
+        IValidator<SetTableCleaningRequest> cleaningValidator)
+    {
+        _tables = tables;
+        _createTableValidator = createTableValidator;
+        _patchTableValidator = patchTableValidator;
+        _createSectionValidator = createSectionValidator;
+        _patchSectionValidator = patchSectionValidator;
+        _cleaningValidator = cleaningValidator;
+    }
+
+    [HttpGet("board")]
+    public async Task<IActionResult> GetBoard(
+        string cafeId,
+        string branchId,
+        ITenantContext tenant,
+        [FromQuery] bool activeOnly = true,
+        CancellationToken ct = default)
+    {
+        if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
+        if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
+            return Forbid();
+
+        var data = await _tables.GetBranchTableBoardAsync(cafeId, branchId, activeOnly, ct);
+        return Ok(new ApiResponse<IReadOnlyList<TableBoardDto>>(true, data));
+    }
+
+    [HttpGet]
+    public async Task<IActionResult> GetTables(
+        string cafeId,
+        string branchId,
+        ITenantContext tenant,
+        CancellationToken ct = default)
+    {
+        if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
+        if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
+            return Forbid();
+
+        var data = await _tables.GetBranchTablesAsync(cafeId, branchId, ct);
+        if (data is null) return NotFoundError("Branch not found.");
+        return Ok(new ApiResponse<IReadOnlyList<TableDto>>(true, data));
+    }
+
+    [HttpPost]
+    [Authorize(Roles = "Manager,Owner")]
+    public async Task<IActionResult> CreateTable(
+        string cafeId,
+        string branchId,
+        [FromBody] CreateBranchTableRequest request,
+        ITenantContext tenant,
+        CancellationToken ct)
+    {
+        if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
+        if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
+            return Forbid();
+
+        var validation = await _createTableValidator.ValidateAsync(request, ct);
+        if (!validation.IsValid) return BadRequest(ValidationError(validation));
+
+        var result = await _tables.CreateBranchTableAsync(cafeId, branchId, request, ct);
+        return BranchOpResult(result);
+    }
+
+    [HttpPatch("{id}")]
+    [Authorize(Roles = "Manager,Owner")]
+    public async Task<IActionResult> PatchTable(
+        string cafeId,
+        string branchId,
+        string id,
+        [FromBody] PatchBranchTableRequest request,
+        ITenantContext tenant,
+        CancellationToken ct)
+    {
+        if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
+        if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
+            return Forbid();
+
+        var validation = await _patchTableValidator.ValidateAsync(request, ct);
+        if (!validation.IsValid) return BadRequest(ValidationError(validation));
+
+        var result = await _tables.PatchBranchTableAsync(cafeId, branchId, id, request, ct);
+        return BranchOpResult(result);
+    }
+
+    [HttpDelete("{id}")]
+    [Authorize(Roles = "Manager,Owner")]
+    public async Task<IActionResult> DeleteTable(
+        string cafeId,
+        string branchId,
+        string id,
+        ITenantContext tenant,
+        CancellationToken ct)
+    {
+        if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
+        if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
+            return Forbid();
+
+        var result = await _tables.DeleteBranchTableAsync(cafeId, branchId, id, ct);
+        return BranchOpResult(result);
+    }
+
+    [HttpPatch("{id}/cleaning")]
+    public async Task<IActionResult> SetCleaning(
+        string cafeId,
+        string branchId,
+        string id,
+        [FromBody] SetTableCleaningRequest request,
+        ITenantContext tenant,
+        CancellationToken ct)
+    {
+        if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
+        if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
+            return Forbid();
+
+        var validation = await _cleaningValidator.ValidateAsync(request, ct);
+        if (!validation.IsValid) return BadRequest(ValidationError(validation));
+
+        var data = await _tables.SetTableCleaningAsync(cafeId, id, request.IsCleaning, ct);
+        if (data is null || data.BranchId != branchId) return NotFoundError();
+        return Ok(new ApiResponse<TableBoardDto>(true, data));
+    }
+
+    [HttpGet("{id}/qr")]
+    public async Task<IActionResult> GetQrPng(
+        string cafeId,
+        string branchId,
+        string id,
+        ITenantContext tenant,
+        CancellationToken ct)
+    {
+        if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
+        if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
+            return Forbid();
+
+        var png = await _tables.GetQrPngAsync(cafeId, id, ct);
+        if (png is null) return NotFoundError();
+        return File(png, "image/png", $"table-{id}-qr.png");
+    }
+
+    [HttpGet("sections")]
+    public async Task<IActionResult> GetSections(
+        string cafeId,
+        string branchId,
+        ITenantContext tenant,
+        CancellationToken ct = default)
+    {
+        if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
+        if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
+            return Forbid();
+
+        var data = await _tables.GetBranchSectionsAsync(cafeId, branchId, ct);
+        if (data is null) return NotFoundError("Branch not found.");
+        return Ok(new ApiResponse<IReadOnlyList<TableSectionDto>>(true, data));
+    }
+
+    [HttpPost("sections")]
+    [Authorize(Roles = "Manager,Owner")]
+    public async Task<IActionResult> CreateSection(
+        string cafeId,
+        string branchId,
+        [FromBody] CreateTableSectionRequest request,
+        ITenantContext tenant,
+        CancellationToken ct = default)
+    {
+        if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
+        if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
+            return Forbid();
+
+        var validation = await _createSectionValidator.ValidateAsync(request, ct);
+        if (!validation.IsValid) return BadRequest(ValidationError(validation));
+
+        var result = await _tables.CreateBranchSectionAsync(cafeId, branchId, request, ct);
+        return BranchOpResult(result);
+    }
+
+    [HttpPatch("sections/{sectionId}")]
+    [Authorize(Roles = "Manager,Owner")]
+    public async Task<IActionResult> PatchSection(
+        string cafeId,
+        string branchId,
+        string sectionId,
+        [FromBody] PatchTableSectionRequest request,
+        ITenantContext tenant,
+        CancellationToken ct = default)
+    {
+        if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
+        if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
+            return Forbid();
+
+        var validation = await _patchSectionValidator.ValidateAsync(request, ct);
+        if (!validation.IsValid) return BadRequest(ValidationError(validation));
+
+        var result = await _tables.PatchBranchSectionAsync(cafeId, branchId, sectionId, request, ct);
+        return BranchOpResult(result);
+    }
+
+    [HttpDelete("sections/{sectionId}")]
+    [Authorize(Roles = "Manager,Owner")]
+    public async Task<IActionResult> DeleteSection(
+        string cafeId,
+        string branchId,
+        string sectionId,
+        ITenantContext tenant,
+        CancellationToken ct = default)
+    {
+        if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
+        if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
+            return Forbid();
+
+        var result = await _tables.DeleteBranchSectionAsync(cafeId, branchId, sectionId, ct);
+        return BranchOpResult(result);
+    }
+
+    private IActionResult BranchOpResult<T>(BranchTableOperationResult<T> result)
+    {
+        if (result.Success && result.Data is not null)
+            return Ok(new ApiResponse<T>(true, result.Data));
+
+        var code = result.ErrorCode ?? "REQUEST_FAILED";
+        var status = code is "TABLE_HAS_OPEN_ORDER" or "TABLE_SECTION_HAS_TABLES"
+            ? StatusCodes.Status409Conflict
+            : StatusCodes.Status400BadRequest;
+        return StatusCode(status,
+            new ApiResponse<object>(false, null, new ApiError(code, result.Message ?? code)));
+    }
+
+}