feat: V2 microservices stack — backend services, gateway, JWT auth

Add full V2 architecture: identity, content, studio (.NET 10) and file,
render, notification, gateway (Go) services with vendored deps, plus DB
migrations, event/API contracts, and an init-db script.

Wire the Next.js frontend to the gateway: server-side JWT auth routes
(login/register/refresh/logout/me), gateway fetch helper, and session/
cookie/jwt helpers under src/lib.

Containerize the stack via docker-compose.v2.yml and per-service
Dockerfiles. Base images resolve through a Nexus mirror (Docker Hub) and
MCR directly; npm/NuGet pull from Nexus groups. Self-host fonts via
next/font/local to avoid Google Fonts (geo-blocked).

Add CI workflow and ignore .env.v2, *.stackdump, and .NET bin/obj.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

src/app/api/auth/refresh/route.ts

@@ -0,0 +1,36 @@
+import { cookies } from "next/headers";
+import { NextResponse } from "next/server";
+
+import { gatewayFetch } from "@/lib/api/gateway";
+import { REFRESH_TOKEN_COOKIE } from "@/lib/auth/constants";
+import { clearAuthCookies, setAuthCookies } from "@/lib/auth/cookies";
+
+export const dynamic = "force-dynamic";
+
+export async function POST() {
+  const refreshToken = (await cookies()).get(REFRESH_TOKEN_COOKIE)?.value;
+  if (!refreshToken) {
+    return NextResponse.json({ error: "Not authenticated." }, { status: 401 });
+  }
+
+  const res = await gatewayFetch("/v1/auth/refresh", {
+    method: "POST",
+    body: JSON.stringify({ refresh_token: refreshToken }),
+  });
+  const data = await res.json().catch(() => null);
+
+  if (!res.ok || !data?.access_token) {
+    // Refresh token invalid/expired/rotated — force re-login.
+    return clearAuthCookies(
+      NextResponse.json({ error: "Session expired." }, { status: 401 })
+    );
+  }
+
+  const out = NextResponse.json({ ok: true, user: data.user });
+  return setAuthCookies(
+    out,
+    data.access_token,
+    data.refresh_token,
+    data.expires_in ?? 900
+  );
+}