feat: token auto-refresh, studio→render wiring, admin panel (nodes + render queue)

Token auto-refresh (middleware):
- Proactively refresh fr_access when < 120s remain — no more silent 15-min kick
- Inlines /v1/auth/refresh call in middleware, stamps new cookies on response
- /admin/* protected: is_admin JWT claim required, else redirect /dashboard
- apiFetch() (src/lib/api/fetch.ts): client-side 401 → auto-refresh → retry;
  de-duplicates concurrent refresh calls; redirects to /auth on failure

Studio → Render V2 wiring:
- scenes[] no longer sent to POST /api/render (V2 render-svc fetches project
  from Studio service via saved_project_id directly)
- renderRequestSchema.scenes is now optional
- RenderModal uses apiFetch for auto-refresh on 401 during polling

Admin panel (/admin/*):
- Admin layout: server-side is_admin guard + top nav (Nodes, Render Queue)
- /admin/nodes: lists all nodes from GET /v1/nodes with status badges,
  heartbeat age, slot usage, tags; Drain (PATCH status=Draining) + Release actions
- /admin/renders: render job table with step filter tabs; progress bars,
  error messages, Retry + Cancel per-row actions; polls GET /v1/renders
- API proxy routes: /api/admin/nodes/:id/drain|release,
  /api/admin/renders/:id/retry|cancel — all validate is_admin in JWT before proxying

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/lib/api/admin-gateway.ts

@@ -0,0 +1,26 @@
+/**
+ * Server-side helpers for admin API calls that go through the V2 gateway.
+ * These use the current user's access token (is_admin check is done in layout).
+ */
+import { getAccessToken } from "@/lib/auth/session";
+import { gatewayUrl } from "@/lib/api/gateway";
+
+export async function adminFetch(path: string, init?: RequestInit): Promise<Response> {
+  const token = await getAccessToken();
+  return fetch(gatewayUrl(path), {
+    ...init,
+    cache: "no-store",
+    headers: {
+      Accept: "application/json",
+      "Content-Type": "application/json",
+      ...(token ? { Authorization: `Bearer ${token}` } : {}),
+      ...(init?.headers ?? {}),
+    },
+  });
+}
+
+export async function adminGet<T>(path: string): Promise<T | null> {
+  const res = await adminFetch(path);
+  if (!res.ok) return null;
+  return res.json().catch(() => null) as Promise<T | null>;
+}

src/lib/api/fetch.ts

@@ -0,0 +1,55 @@
+/**
+ * Client-side fetch wrapper that transparently handles 401 responses by
+ * attempting one token refresh, then retrying the original request.
+ *
+ * Usage: replace `fetch(...)` with `apiFetch(...)` everywhere in client
+ * components that call internal Next.js API routes (/api/*).
+ *
+ * If the refresh also fails the user is redirected to /auth.
+ */
+
+let refreshing: Promise<boolean> | null = null;
+
+async function doRefresh(): Promise<boolean> {
+  try {
+    const res = await fetch("/api/auth/refresh", {
+      method: "POST",
+      credentials: "same-origin",
+    });
+    return res.ok;
+  } catch {
+    return false;
+  }
+}
+
+/** Deduplicated refresh — at most one in-flight at a time. */
+async function refreshOnce(): Promise<boolean> {
+  if (!refreshing) {
+    refreshing = doRefresh().finally(() => {
+      refreshing = null;
+    });
+  }
+  return refreshing;
+}
+
+export async function apiFetch(
+  input: RequestInfo | URL,
+  init?: RequestInit
+): Promise<Response> {
+  const res = await fetch(input, { credentials: "same-origin", ...init });
+
+  if (res.status !== 401) return res;
+
+  // Try refreshing the token once
+  const refreshed = await refreshOnce();
+  if (!refreshed) {
+    // Session is truly dead — redirect to login
+    const next = encodeURIComponent(window.location.pathname + window.location.search);
+    window.location.href = `/auth?next=${next}`;
+    // Return the original 401 so callers don't hang
+    return res;
+  }
+
+  // Retry the original request with the new cookie
+  return fetch(input, { credentials: "same-origin", ...init });
+}

src/lib/render-schemas.ts

@@ -29,7 +29,9 @@ export const renderSettingsSchema = z.object({
 
 export const renderRequestSchema = z.object({
   projectId: z.string().min(1),
-  scenes: z.array(sceneSchema).min(1),
+  // scenes is no longer sent to the server — V2 render service fetches the
+  // project directly from the Studio service via saved_project_id.
+  scenes: z.array(sceneSchema).optional(),
   settings: renderSettingsSchema,
 });