feat(render+identity): daily render-limit — consume on submit, refund on admin-stop

Business rule: each user has a daily render limit. Admin-stop refunds the used
charge (not the user's fault); a user's own cancel does not.

- identity: ConsumeRenderChargeAsync / RefundRenderChargeAsync on DailyRemainRenderCount
  with lazy daily reset (mig 24: daily_renders_reset_at). Convention: max=0 ⇒ UNLIMITED,
  so existing 0/0 users keep rendering until an admin sets a real limit.
- identity InternalController (service-token): POST /v1/internal/render-charge/{consume,refund}
- render-svc: identityclient + on Create consume (block 429 when limit reached, fail-open
  on identity outage); on admin Stop refund the job owner; user /cancel unchanged
- compose: IDENTITY_URL for render-svc, ServiceToken for identity-svc

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

docker-compose.v2.yml

@@ -72,6 +72,7 @@ services:
       Jwt__Secret: "${JWT_SECRET}"
       Jwt__Issuer: "flatrender-identity"
       Jwt__Audience: "flatrender"
+      ServiceToken: "${SERVICE_TOKEN:-internal-service-secret}"
       ZarinPal__MerchantId:   "${ZARINPAL_MERCHANT_ID:-}"
       ZarinPal__CallbackUrl:  "${ZARINPAL_CALLBACK_URL:-http://localhost:8080/v1/payments/callback/zarinpal}"
       ZarinPal__Sandbox:      "${ZARINPAL_SANDBOX:-true}"
@@ -189,6 +190,7 @@ services:
       MINIO_USE_SSL: "false"
       MINIO_BUCKET: "${MINIO_BUCKET:-flatrender-exports}"
       NOTIFICATION_URL: "http://notification-svc:8080"
+      IDENTITY_URL: "http://identity-svc:8080"
       SERVICE_TOKEN: "${SERVICE_TOKEN:-internal-service-secret}"
       PORT: "8080"
     depends_on: