fix: make plans list public, fix frontend healthcheck IPv6

PlansController had a class-level [Authorize] that gated the public
plans list, contradicting the gateway's optionalAuth on /plans. Mark
List/GetById [AllowAnonymous] and resolve tenant optionally so
anonymous callers receive global plans (purchase/current-plan stay
authenticated).

Frontend container stayed "unhealthy" because busybox wget resolves
localhost to IPv6 [::1] while the Next.js standalone server binds
IPv4 only. Use 127.0.0.1 in the healthcheck.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

services/identity/FlatRender.IdentitySvc/Controllers/PlansController.cs

@@ -11,15 +11,16 @@ namespace FlatRender.IdentitySvc.Controllers;
 [Authorize]
 public class PlansController(IPlanService planService) : ControllerBase
 {
+    [AllowAnonymous]
     [HttpGet("plans")]
     [ProducesResponseType(typeof(object), 200)]
     public async Task<IActionResult> List([FromQuery] string? scope)
     {
-        var tenantId = GetTenantId();
-        var plans = await planService.ListAsync(tenantId, scope);
+        var plans = await planService.ListAsync(GetTenantIdOrNull(), scope);
         return Ok(new { data = plans });
     }
 
+    [AllowAnonymous]
     [HttpGet("plans/{planId:guid}")]
     [ProducesResponseType(typeof(PlanResponse), 200)]
     public async Task<IActionResult> GetById(Guid planId)
@@ -43,4 +44,7 @@ public class PlansController(IPlanService planService) : ControllerBase
 
     private Guid GetTenantId() => Guid.Parse(User.FindFirst("tenant_id")?.Value
         ?? throw new UnauthorizedAccessException());
+
+    private Guid? GetTenantIdOrNull() => User.FindFirst("tenant_id")?.Value is { } t && Guid.TryParse(t, out var id)
+        ? id : null;
 }