feat: complete node-agent pipeline, TLS proxy, billing cancel, password reset

Node-agent — full render pipeline (items 1-3):
- render-svc: ClaimedJob now includes aep_download_url (presigned MinIO GET,
  2h TTL, path=templates/{original_project_id}/template.aep)
- render-svc: POST /v1/internal/render/jobs/:id/output-upload-url
  allocates Export row + returns presigned MinIO PUT URL + export_id
- render-svc: db.CreateExportForJob() inserts export row with 30-day retention
- render-svc: InternalHandler now owns minio client (templatesBucket + exportsBucket)
  MINIO_TEMPLATES_BUCKET env var (default flatrender-templates)
- node-agent: runner/download.go — DownloadFile() + UploadFile() (stdlib only)
- node-agent: client.GetOutputUploadURL() + ClaimedJob.AEPDownloadURL field
- node-agent: runJob() full flow: download AEP → render → get upload URL →
  PUT output to MinIO → Complete(export_id)
  All steps are non-fatal with fallback (AEP miss → mock, upload fail → no export)

TLS reverse proxy (item 15):
- Caddyfile: three virtual hosts (DOMAIN, API_DOMAIN, STORAGE_DOMAIN)
  auto-TLS via Let's Encrypt; security headers; 512MB upload limit on API
- docker-compose.v2.yml: caddy:2-alpine service, ports 80/443/443udp,
  caddy_data + caddy_config volumes; env vars DOMAIN/API_DOMAIN/STORAGE_DOMAIN/ACME_EMAIL
- .env.v2.example: new Caddy + MINIO_TEMPLATES_BUCKET entries

Billing portal (item 5):
- Identity: POST /v1/users/me/plan/cancel — sets cancelled_at, auto_renew=false
  (access continues to expiry); 404 when no active plan
- POST /api/billing/cancel — frontend proxy, validates auth
- GET /api/billing/portal — redirects to /dashboard/settings?tab=billing
- SettingsBilling: "Cancel plan" button with confirm dialog + optimistic UI,
  "Change plan" button; becomes "use client" component

Password reset UI (item 7):
- POST /api/auth/password-reset — proxies /v1/auth/password/reset/request
  (always 200, anti-enumeration)
- POST /api/auth/password-reset-confirm — proxies /v1/auth/password/reset/confirm
- AuthPageContent: "Forgot password?" link on sign-in tab opens 2-step reset flow
  (email → OTP+new-password) without leaving the auth page

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

services/node-agent/cmd/agent/main.go

@@ -28,6 +28,7 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
+	"path/filepath"
 	"runtime"
 	"sync"
 	"syscall"
@@ -227,12 +228,20 @@ func (a *Agent) tryClaimAndRun(ctx context.Context) {
 func (a *Agent) runJob(ctx context.Context, job *client.ClaimedJob) {
 	log.Printf("[job %s] starting render", job.JobID)
 
-	// In a full implementation, the agent would:
-	// 1. Fetch the saved project from the studio service
-	// 2. Download the .aep template from MinIO
-	// 3. Inject user customisations into the composition via JSXB/AE scripting
-	// Then call runner.Run().
-	// For the skeleton we pass an empty AEPFilePath, which triggers mock mode.
+	// ── Step 1: Download .aep template ───────────────────────────────────────
+	aepPath := ""
+	if job.AEPDownloadURL != "" && a.cfg.AEPath != "" {
+		localAEP := filepath.Join(a.cfg.WorkDir, "templates", job.JobID, "template.aep")
+		dlCtx, dlCancel := context.WithTimeout(ctx, 10*time.Minute)
+		n, dlErr := runner.DownloadFile(dlCtx, job.AEPDownloadURL, localAEP)
+		dlCancel()
+		if dlErr != nil {
+			log.Printf("[job %s] AEP download failed (%v) — falling back to mock", job.JobID, dlErr)
+		} else {
+			log.Printf("[job %s] AEP downloaded (%d bytes) → %s", job.JobID, n, localAEP)
+			aepPath = localAEP
+		}
+	}
 
 	rJob := &runner.Job{
 		JobID:          job.JobID,
@@ -242,7 +251,7 @@ func (a *Agent) runJob(ctx context.Context, job *client.ClaimedJob) {
 		FrameRate:      job.FrameRate,
 		HasMusic:       job.HasMusic,
 		HasVoiceover:   job.HasVoiceover,
-		AEPFilePath:    "", // TODO: download from MinIO
+		AEPFilePath:    aepPath,
 	}
 
 	onProgress := func(ctx context.Context, pct int, msg string) error {
@@ -259,6 +268,7 @@ func (a *Agent) runJob(ctx context.Context, job *client.ClaimedJob) {
 		return nil
 	}
 
+	// ── Step 2: Render ───────────────────────────────────────────────────────
 	outputPath, err := runner.Run(ctx, a.cfg.AEPath, a.cfg.WorkDir, rJob, onProgress, onPreview)
 	if err != nil {
 		if ctx.Err() != nil {
@@ -273,17 +283,33 @@ func (a *Agent) runJob(ctx context.Context, job *client.ClaimedJob) {
 		}
 		return
 	}
-
 	log.Printf("[job %s] render done → %s", job.JobID, outputPath)
 
-	// In full production: upload outputPath to MinIO, create an Export record,
-	// pass the export UUID to Complete(). Skeleton passes nil (no export yet).
-	completeCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-	defer cancel()
-	if err := a.orch.Complete(completeCtx, job.JobID, nil); err != nil {
+	// ── Step 3: Get presigned upload URL + upload output to MinIO ─────────────
+	var exportID *string
+	uploadCtx, uploadCancel := context.WithTimeout(context.Background(), 5*time.Minute)
+	defer uploadCancel()
+
+	uploadInfo, urlErr := a.orch.GetOutputUploadURL(uploadCtx, job.JobID)
+	if urlErr != nil {
+		log.Printf("[job %s] get upload URL failed: %v — completing without export", job.JobID, urlErr)
+	} else {
+		log.Printf("[job %s] uploading output to %s", job.JobID, uploadInfo.ObjectKey)
+		if _, upErr := runner.UploadFile(uploadCtx, uploadInfo.UploadURL, outputPath); upErr != nil {
+			log.Printf("[job %s] upload failed: %v — completing without export", job.JobID, upErr)
+		} else {
+			log.Printf("[job %s] upload complete (export %s)", job.JobID, uploadInfo.ExportID)
+			exportID = &uploadInfo.ExportID
+		}
+	}
+
+	// ── Step 4: Report complete ───────────────────────────────────────────────
+	completeCtx, completeCancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer completeCancel()
+	if err := a.orch.Complete(completeCtx, job.JobID, exportID); err != nil {
 		log.Printf("[job %s] complete report error: %v", job.JobID, err)
 	} else {
-		log.Printf("[job %s] reported as completed", job.JobID)
+		log.Printf("[job %s] reported as completed (export=%v)", job.JobID, exportID)
 	}
 }