feat: V2 microservices stack — backend services, gateway, JWT auth

Add full V2 architecture: identity, content, studio (.NET 10) and file,
render, notification, gateway (Go) services with vendored deps, plus DB
migrations, event/API contracts, and an init-db script.

Wire the Next.js frontend to the gateway: server-side JWT auth routes
(login/register/refresh/logout/me), gateway fetch helper, and session/
cookie/jwt helpers under src/lib.

Containerize the stack via docker-compose.v2.yml and per-service
Dockerfiles. Base images resolve through a Nexus mirror (Docker Hub) and
MCR directly; npm/NuGet pull from Nexus groups. Self-host fonts via
next/font/local to avoid Google Fonts (geo-blocked).

Add CI workflow and ignore .env.v2, *.stackdump, and .NET bin/obj.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

src/lib/auth/session.ts

@@ -0,0 +1,62 @@
+import { cookies } from "next/headers";
+
+import { gatewayFetch } from "@/lib/api/gateway";
+import { ACCESS_TOKEN_COOKIE } from "@/lib/auth/constants";
+import { decodeJwt, isJwtExpired, type JwtClaims } from "@/lib/auth/jwt";
+
+export interface Session {
+  userId: string;
+  email?: string;
+  tenantId?: string;
+  isAdmin: boolean;
+  claims: JwtClaims;
+}
+
+/** Raw access token from the httpOnly cookie (for proxying to the gateway). */
+export async function getAccessToken(): Promise<string | null> {
+  const store = await cookies();
+  return store.get(ACCESS_TOKEN_COOKIE)?.value ?? null;
+}
+
+/**
+ * Decode the current session from the access-token cookie. Returns null when there is
+ * no token, it is malformed, or it has expired. Use in server components / layouts to
+ * guard rendering; the gateway is still the authority on every API call.
+ */
+export async function getSession(): Promise<Session | null> {
+  const token = await getAccessToken();
+  if (!token) return null;
+  const claims = decodeJwt(token);
+  if (!claims || isJwtExpired(claims) || !claims.sub) return null;
+  return {
+    userId: String(claims.sub),
+    email: claims.email ? String(claims.email) : undefined,
+    tenantId: claims.tenant_id ? String(claims.tenant_id) : undefined,
+    isAdmin: String(claims.is_admin) === "true",
+    claims,
+  };
+}
+
+export interface IdentityUser {
+  id: string;
+  email?: string | null;
+  full_name?: string | null;
+  avatar_url?: string | null;
+  is_admin?: boolean;
+  [key: string]: unknown;
+}
+
+/**
+ * Fetch the full current-user profile from Identity (`/v1/users/me`) using the access
+ * cookie. Returns null when signed out or the token is rejected — use this as the
+ * authoritative server-side guard (it validates the token against the service).
+ */
+export async function getCurrentUser(): Promise<IdentityUser | null> {
+  const token = await getAccessToken();
+  if (!token) return null;
+  const res = await gatewayFetch("/v1/users/me", {
+    headers: { Authorization: `Bearer ${token}` },
+  });
+  if (!res.ok) return null;
+  return (await res.json().catch(() => null)) as IdentityUser | null;
+}