feat: V2 microservices stack — backend services, gateway, JWT auth

Add full V2 architecture: identity, content, studio (.NET 10) and file,
render, notification, gateway (Go) services with vendored deps, plus DB
migrations, event/API contracts, and an init-db script.

Wire the Next.js frontend to the gateway: server-side JWT auth routes
(login/register/refresh/logout/me), gateway fetch helper, and session/
cookie/jwt helpers under src/lib.

Containerize the stack via docker-compose.v2.yml and per-service
Dockerfiles. Base images resolve through a Nexus mirror (Docker Hub) and
MCR directly; npm/NuGet pull from Nexus groups. Self-host fonts via
next/font/local to avoid Google Fonts (geo-blocked).

Add CI workflow and ignore .env.v2, *.stackdump, and .NET bin/obj.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

services/notification/cmd/server/main.go

@@ -0,0 +1,96 @@
+package main
+
+import (
+	"context"
+	"log"
+	"net/http"
+	"os"
+
+	"github.com/flatrender/notification-svc/internal/db"
+	"github.com/flatrender/notification-svc/internal/handlers"
+	"github.com/flatrender/notification-svc/internal/middleware"
+	"github.com/gin-gonic/gin"
+	"github.com/jackc/pgx/v5/pgxpool"
+)
+
+func getEnv(key, fallback string) string {
+	if v := os.Getenv(key); v != "" {
+		return v
+	}
+	return fallback
+}
+
+func main() {
+	dbURL := getEnv("DATABASE_URL", "postgres://postgres:postgres@localhost:5432/flatrender?search_path=notification,public")
+	jwtSecret := getEnv("JWT_SECRET", "change-me")
+	serviceToken := getEnv("SERVICE_TOKEN", "internal-service-secret")
+	port := getEnv("PORT", "8080")
+
+	pool, err := pgxpool.New(context.Background(), dbURL)
+	if err != nil {
+		log.Fatalf("connect db: %v", err)
+	}
+	defer pool.Close()
+	if err := pool.Ping(context.Background()); err != nil {
+		log.Fatalf("ping db: %v", err)
+	}
+
+	store := db.NewStore(pool)
+	notifH := handlers.NewNotificationHandler(store)
+	prefH := handlers.NewPreferenceHandler(store)
+	tplH := handlers.NewTemplateHandler(store)
+
+	r := gin.Default()
+
+	r.GET("/health", func(c *gin.Context) {
+		if err := pool.Ping(c.Request.Context()); err != nil {
+			c.JSON(http.StatusServiceUnavailable, gin.H{"status": "down", "error": err.Error()})
+			return
+		}
+		c.JSON(http.StatusOK, gin.H{"status": "ok"})
+	})
+
+	auth := middleware.JWTAuth(jwtSecret)
+	admin := middleware.RequireAdmin()
+
+	// Service-to-service calls: Bearer token must equal SERVICE_TOKEN
+	serviceAuth := func(c *gin.Context) {
+		hdr := c.GetHeader("Authorization")
+		if len(hdr) > 7 && hdr[7:] == serviceToken {
+			c.Next()
+			return
+		}
+		// Also accept regular JWT with admin flag
+		auth(c)
+	}
+
+	v1 := r.Group("/v1")
+
+	// ── Notification feed (user) ──────────────────────────────────────────────
+	notifs := v1.Group("/notifications", auth)
+	{
+		notifs.GET("", notifH.List)
+		notifs.GET("/unread-count", notifH.UnreadCount)
+		notifs.POST("/seen-all", notifH.MarkAllSeen)
+		notifs.GET("/:id", notifH.Get)
+		notifs.POST("/:id/seen", notifH.MarkSeen)
+		notifs.POST("/:id/click", notifH.MarkClicked)
+		notifs.DELETE("/:id", notifH.Delete)
+	}
+
+	// ── Preferences (user) ────────────────────────────────────────────────────
+	notifs.GET("/preferences", prefH.List)
+	notifs.PUT("/preferences", prefH.Upsert)
+
+	// ── Templates (admin) ─────────────────────────────────────────────────────
+	v1.GET("/notification-templates", auth, admin, tplH.List)
+	v1.PUT("/notification-templates", auth, admin, tplH.Upsert)
+
+	// ── Internal: create notification (service-to-service) ───────────────────
+	v1.POST("/internal/notifications", serviceAuth, notifH.CreateInternal)
+
+	log.Printf("notification-svc listening on :%s", port)
+	if err := r.Run(":" + port); err != nil {
+		log.Fatalf("server: %v", err)
+	}
+}