feat: V2 microservices stack — backend services, gateway, JWT auth

Add full V2 architecture: identity, content, studio (.NET 10) and file,
render, notification, gateway (Go) services with vendored deps, plus DB
migrations, event/API contracts, and an init-db script.

Wire the Next.js frontend to the gateway: server-side JWT auth routes
(login/register/refresh/logout/me), gateway fetch helper, and session/
cookie/jwt helpers under src/lib.

Containerize the stack via docker-compose.v2.yml and per-service
Dockerfiles. Base images resolve through a Nexus mirror (Docker Hub) and
MCR directly; npm/NuGet pull from Nexus groups. Self-host fonts via
next/font/local to avoid Google Fonts (geo-blocked).

Add CI workflow and ignore .env.v2, *.stackdump, and .NET bin/obj.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

services/identity/FlatRender.IdentitySvc/Controllers/PaymentsController.cs

@@ -0,0 +1,159 @@
+using FlatRender.IdentitySvc.Application.Services;
+using FlatRender.IdentitySvc.Application.Services.Interfaces;
+using FlatRender.IdentitySvc.Models.Requests;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+namespace FlatRender.IdentitySvc.Controllers;
+
+[ApiController]
+[Route("v1")]
+public class PaymentsController(IPaymentService paymentService) : ControllerBase
+{
+    // ── Helpers ───────────────────────────────────────────────────────────────────
+
+    private Guid GetUserId() => Guid.Parse(
+        User.FindFirst(System.Security.Claims.ClaimTypes.NameIdentifier)?.Value
+        ?? User.FindFirst("sub")?.Value
+        ?? throw new UnauthorizedAccessException());
+
+    private bool IsAdmin => User.FindFirst("is_admin")?.Value == "true";
+
+    // ── Listing ───────────────────────────────────────────────────────────────────
+
+    /// <summary>GET /v1/payments — list the caller's payment history</summary>
+    [Authorize]
+    [HttpGet("payments")]
+    public async Task<IActionResult> List(
+        [FromQuery] int page = 1,
+        [FromQuery] int page_size = 20)
+        => Ok(await paymentService.GetUserPaymentsAsync(GetUserId(), page, page_size));
+
+    /// <summary>GET /v1/payments/{id} — get a single payment</summary>
+    [Authorize]
+    [HttpGet("payments/{id:guid}")]
+    public async Task<IActionResult> GetById(Guid id)
+        => Ok(await paymentService.GetByIdAsync(id, GetUserId()));
+
+    // ── ZarinPal flow ─────────────────────────────────────────────────────────────
+
+    /// <summary>
+    /// GET /v1/payments/gateway/zarinpal?payment_id={id}
+    /// Initiates a ZarinPal payment and redirects the browser to zarinpal.com.
+    /// Called from the frontend after PurchasePlan returns the redirect URL.
+    /// </summary>
+    [Authorize]
+    [HttpGet("payments/gateway/zarinpal")]
+    public async Task<IActionResult> InitiateZarinPal([FromQuery] Guid payment_id)
+    {
+        var redirectUrl = await paymentService.InitiateZarinPalAsync(payment_id, GetUserId());
+        return Redirect(redirectUrl);
+    }
+
+    /// <summary>
+    /// GET /v1/payments/callback/zarinpal?Authority={a}&amp;Status={s}
+    /// ZarinPal calls this URL after the user completes (or cancels) payment.
+    /// Verifies with ZarinPal, activates the plan, then redirects to the frontend.
+    /// </summary>
+    [AllowAnonymous]
+    [HttpGet("payments/callback/zarinpal")]
+    public async Task<IActionResult> ZarinPalCallback(
+        [FromQuery] string Authority,
+        [FromQuery] string Status)
+    {
+        var frontendUrl = await paymentService.HandleZarinPalCallbackAsync(Authority, Status);
+        return Redirect(frontendUrl);
+    }
+
+    // ── SnapPay flow ──────────────────────────────────────────────────────────────
+
+    /// <summary>
+    /// GET /v1/payments/gateway/snappay?payment_id={id}
+    /// Initiates a SnapPay payment and redirects the browser to snappay.ir.
+    /// </summary>
+    [Authorize]
+    [HttpGet("payments/gateway/snappay")]
+    public async Task<IActionResult> InitiateSnapPay([FromQuery] Guid payment_id)
+    {
+        var redirectUrl = await paymentService.InitiateSnapPayAsync(payment_id, GetUserId());
+        return Redirect(redirectUrl);
+    }
+
+    /// <summary>
+    /// GET /v1/payments/callback/snappay?paymentToken={t}&amp;shapSnapStatus={s}
+    /// SnapPay calls this URL after the user completes (or cancels) payment.
+    /// Verifies with SnapPay, activates the plan, then redirects to the frontend.
+    /// </summary>
+    [AllowAnonymous]
+    [HttpGet("payments/callback/snappay")]
+    public async Task<IActionResult> SnapPayCallback(
+        [FromQuery] string paymentToken,
+        [FromQuery] string shapSnapStatus)
+    {
+        var frontendUrl = await paymentService.HandleSnapPayCallbackAsync(paymentToken, shapSnapStatus);
+        return Redirect(frontendUrl);
+    }
+
+    // ── Tara flow ─────────────────────────────────────────────────────────────────
+
+    /// <summary>
+    /// GET /v1/payments/gateway/tara?payment_id={id}
+    /// Initiates a Tara payment and redirects the browser to tara.ir.
+    /// </summary>
+    [Authorize]
+    [HttpGet("payments/gateway/tara")]
+    public async Task<IActionResult> InitiateTara([FromQuery] Guid payment_id)
+    {
+        var redirectUrl = await paymentService.InitiateTaraAsync(payment_id, GetUserId());
+        return Redirect(redirectUrl);
+    }
+
+    /// <summary>
+    /// GET /v1/payments/callback/tara?token={t}&amp;status={s}
+    /// Tara calls this URL after the user completes (or cancels) payment.
+    /// Verifies with Tara, activates the plan, then redirects to the frontend.
+    /// </summary>
+    [AllowAnonymous]
+    [HttpGet("payments/callback/tara")]
+    public async Task<IActionResult> TaraCallback(
+        [FromQuery] string token,
+        [FromQuery] string status)
+    {
+        var frontendUrl = await paymentService.HandleTaraCallbackAsync(token, status);
+        return Redirect(frontendUrl);
+    }
+
+    // ── Stripe webhook ────────────────────────────────────────────────────────────
+
+    /// <summary>
+    /// POST /v1/payments/webhook/stripe
+    /// Receives Stripe webhook events.  Must be reachable from the public internet.
+    /// Register this URL in your Stripe dashboard under Developers → Webhooks.
+    /// </summary>
+    [AllowAnonymous]
+    [HttpPost("payments/webhook/stripe")]
+    public async Task<IActionResult> StripeWebhook()
+    {
+        using var reader = new StreamReader(Request.Body);
+        var payload   = await reader.ReadToEndAsync();
+        var signature = Request.Headers["Stripe-Signature"].ToString();
+        await paymentService.HandleStripeWebhookAsync(payload, signature);
+        return Ok();
+    }
+
+    // ── Admin ─────────────────────────────────────────────────────────────────────
+
+    /// <summary>
+    /// POST /v1/admin/payments/{id}/refund
+    /// Issues a refund for a payment. Admin-only.
+    /// </summary>
+    [Authorize]
+    [HttpPost("admin/payments/{id:guid}/refund")]
+    public async Task<IActionResult> Refund(Guid id, [FromBody] IssueRefundRequest request)
+    {
+        if (!IsAdmin) return Forbid();
+        var result = await paymentService.IssueRefundAsync(
+            id, request.AmountMinor, request.Reason, request.RefundTo);
+        return Ok(result);
+    }
+}