feat: complete node-agent pipeline, TLS proxy, billing cancel, password reset

Node-agent — full render pipeline (items 1-3):
- render-svc: ClaimedJob now includes aep_download_url (presigned MinIO GET,
  2h TTL, path=templates/{original_project_id}/template.aep)
- render-svc: POST /v1/internal/render/jobs/:id/output-upload-url
  allocates Export row + returns presigned MinIO PUT URL + export_id
- render-svc: db.CreateExportForJob() inserts export row with 30-day retention
- render-svc: InternalHandler now owns minio client (templatesBucket + exportsBucket)
  MINIO_TEMPLATES_BUCKET env var (default flatrender-templates)
- node-agent: runner/download.go — DownloadFile() + UploadFile() (stdlib only)
- node-agent: client.GetOutputUploadURL() + ClaimedJob.AEPDownloadURL field
- node-agent: runJob() full flow: download AEP → render → get upload URL →
  PUT output to MinIO → Complete(export_id)
  All steps are non-fatal with fallback (AEP miss → mock, upload fail → no export)

TLS reverse proxy (item 15):
- Caddyfile: three virtual hosts (DOMAIN, API_DOMAIN, STORAGE_DOMAIN)
  auto-TLS via Let's Encrypt; security headers; 512MB upload limit on API
- docker-compose.v2.yml: caddy:2-alpine service, ports 80/443/443udp,
  caddy_data + caddy_config volumes; env vars DOMAIN/API_DOMAIN/STORAGE_DOMAIN/ACME_EMAIL
- .env.v2.example: new Caddy + MINIO_TEMPLATES_BUCKET entries

Billing portal (item 5):
- Identity: POST /v1/users/me/plan/cancel — sets cancelled_at, auto_renew=false
  (access continues to expiry); 404 when no active plan
- POST /api/billing/cancel — frontend proxy, validates auth
- GET /api/billing/portal — redirects to /dashboard/settings?tab=billing
- SettingsBilling: "Cancel plan" button with confirm dialog + optimistic UI,
  "Change plan" button; becomes "use client" component

Password reset UI (item 7):
- POST /api/auth/password-reset — proxies /v1/auth/password/reset/request
  (always 200, anti-enumeration)
- POST /api/auth/password-reset-confirm — proxies /v1/auth/password/reset/confirm
- AuthPageContent: "Forgot password?" link on sign-in tab opens 2-step reset flow
  (email → OTP+new-password) without leaving the auth page

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/app/api/auth/password-reset-confirm/route.ts

@@ -0,0 +1,29 @@
+import { NextResponse } from "next/server";
+import { gatewayFetch } from "@/lib/api/gateway";
+
+export const dynamic = "force-dynamic";
+
+/** POST /api/auth/password-reset-confirm — confirm reset with OTP + new password */
+export async function POST(request: Request) {
+  let body: unknown;
+  try { body = await request.json(); } catch {
+    return NextResponse.json({ error: "Invalid JSON" }, { status: 400 });
+  }
+  const { email, otp, new_password } = body as { email?: string; otp?: string; new_password?: string };
+  if (!email || !otp || !new_password) {
+    return NextResponse.json({ error: "email, otp, and new_password are required" }, { status: 400 });
+  }
+
+  const res = await gatewayFetch("/v1/auth/password/reset/confirm", {
+    method: "POST",
+    body: JSON.stringify({ email, otp, new_password }),
+  });
+  const data = await res.json().catch(() => null) as { message?: string } | null;
+  if (!res.ok) {
+    return NextResponse.json(
+      { error: data?.message ?? "Invalid or expired code" },
+      { status: res.status }
+    );
+  }
+  return NextResponse.json({ ok: true });
+}

src/app/api/auth/password-reset/route.ts

@@ -0,0 +1,24 @@
+import { NextResponse } from "next/server";
+import { gatewayFetch } from "@/lib/api/gateway";
+
+export const dynamic = "force-dynamic";
+
+/** POST /api/auth/password-reset  — request a password reset OTP email */
+export async function POST(request: Request) {
+  let body: unknown;
+  try { body = await request.json(); } catch {
+    return NextResponse.json({ error: "Invalid JSON" }, { status: 400 });
+  }
+  const { email } = body as { email?: string };
+  if (!email) return NextResponse.json({ error: "email required" }, { status: 400 });
+
+  const res = await gatewayFetch("/v1/auth/password/reset/request", {
+    method: "POST",
+    body: JSON.stringify({ email }),
+  });
+  // Always return 200 to avoid user enumeration
+  if (!res.ok && res.status !== 404) {
+    return NextResponse.json({ error: "Request failed" }, { status: 500 });
+  }
+  return NextResponse.json({ ok: true });
+}

src/app/api/billing/cancel/route.ts

@@ -0,0 +1,32 @@
+import { NextResponse } from "next/server";
+import { gatewayUrl } from "@/lib/api/gateway";
+import { getAccessToken } from "@/lib/auth/session";
+
+export const runtime = "nodejs";
+
+/** POST /api/billing/cancel — cancel the current active plan. */
+export async function POST() {
+  const token = await getAccessToken();
+  if (!token) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+
+  const res = await fetch(gatewayUrl("/v1/users/me/plan/cancel"), {
+    method: "POST",
+    cache: "no-store",
+    headers: {
+      Accept: "application/json",
+      Authorization: `Bearer ${token}`,
+    },
+  });
+
+  if (!res.ok) {
+    const err = (await res.json().catch(() => null)) as { error?: string } | null;
+    return NextResponse.json(
+      { error: err?.error ?? "Failed to cancel plan" },
+      { status: res.status }
+    );
+  }
+
+  return NextResponse.json({ ok: true });
+}

src/app/api/billing/portal/route.ts

@@ -0,0 +1,14 @@
+import { redirect } from "next/navigation";
+
+export const runtime = "nodejs";
+
+/**
+ * GET /api/billing/portal
+ *
+ * In the Stripe era this redirected to a Stripe-hosted portal.
+ * With V2 (ZarinPal / SnapPay) the portal is in-app — redirect to the
+ * billing tab in settings.
+ */
+export async function GET() {
+  redirect("/dashboard/settings?tab=billing");
+}