feat(admin): affiliate/personal discounts, user-videos, internal routes, authz

Closes the remaining legacy-admin gaps:
- Users «مدیریت» modal: create personal discount or affiliate code (owner_user_id +
  owner_profit_percentage on existing /v1/discounts), and view the user's saved
  projects ("videos") via new admin GET /v1/saved-projects/by-user/{id} (studio)
- Internal routes admin (/admin/routes): CRUD on content.internal_routes
  (RoutesController + CmsService + gateway /v1/routes/*)
- Security: lock identity UsersController Search + Ban to [Authorize(Roles="Admin")]

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

services/content/FlatRender.ContentSvc/Controllers/CmsController.cs

@@ -181,3 +181,30 @@ public class FavoritesController(CmsService svc) : ControllerBase
         return NoContent();
     }
 }
+
+[ApiController]
+[Route("v1/routes")]
+public class RoutesController(CmsService svc) : ControllerBase
+{
+    [HttpGet]
+    public async Task<IActionResult> List([FromQuery] Guid? tenantId = null) =>
+        Ok(await svc.GetRoutesAsync(tenantId));
+
+    [Authorize(Roles = "Admin")]
+    [HttpPost]
+    public async Task<IActionResult> Create([FromBody] UpsertRouteRequest req) =>
+        Ok(await svc.CreateRouteAsync(req));
+
+    [Authorize(Roles = "Admin")]
+    [HttpPut("{id:guid}")]
+    public async Task<IActionResult> Update(Guid id, [FromBody] UpsertRouteRequest req) =>
+        Ok(await svc.UpdateRouteAsync(id, req));
+
+    [Authorize(Roles = "Admin")]
+    [HttpDelete("{id:guid}")]
+    public async Task<IActionResult> Delete(Guid id)
+    {
+        await svc.DeleteRouteAsync(id);
+        return NoContent();
+    }
+}