feat: V2 microservices stack — backend services, gateway, JWT auth

Add full V2 architecture: identity, content, studio (.NET 10) and file,
render, notification, gateway (Go) services with vendored deps, plus DB
migrations, event/API contracts, and an init-db script.

Wire the Next.js frontend to the gateway: server-side JWT auth routes
(login/register/refresh/logout/me), gateway fetch helper, and session/
cookie/jwt helpers under src/lib.

Containerize the stack via docker-compose.v2.yml and per-service
Dockerfiles. Base images resolve through a Nexus mirror (Docker Hub) and
MCR directly; npm/NuGet pull from Nexus groups. Self-host fonts via
next/font/local to avoid Google Fonts (geo-blocked).

Add CI workflow and ignore .env.v2, *.stackdump, and .NET bin/obj.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

src/lib/auth/cookies.ts

@@ -0,0 +1,33 @@
+import { type NextResponse } from "next/server";
+
+import { ACCESS_TOKEN_COOKIE, REFRESH_TOKEN_COOKIE } from "@/lib/auth/constants";
+
+const REFRESH_MAX_AGE = 60 * 60 * 24 * 30; // 30 days, matches Identity refresh TTL
+
+/** Write the Identity access + refresh tokens as httpOnly cookies on a response. */
+export function setAuthCookies(
+  res: NextResponse,
+  accessToken: string,
+  refreshToken: string,
+  accessExpiresIn: number
+): NextResponse {
+  const secure = process.env.NODE_ENV === "production";
+  const base = { httpOnly: true, sameSite: "lax", secure, path: "/" } as const;
+  res.cookies.set(ACCESS_TOKEN_COOKIE, accessToken, {
+    ...base,
+    maxAge: accessExpiresIn,
+  });
+  res.cookies.set(REFRESH_TOKEN_COOKIE, refreshToken, {
+    ...base,
+    maxAge: REFRESH_MAX_AGE,
+  });
+  return res;
+}
+
+/** Expire both auth cookies (logout / failed refresh). */
+export function clearAuthCookies(res: NextResponse): NextResponse {
+  for (const name of [ACCESS_TOKEN_COOKIE, REFRESH_TOKEN_COOKIE]) {
+    res.cookies.set(name, "", { httpOnly: true, path: "/", maxAge: 0 });
+  }
+  return res;
+}