feat: complete node-agent pipeline, TLS proxy, billing cancel, password reset

Node-agent — full render pipeline (items 1-3):
- render-svc: ClaimedJob now includes aep_download_url (presigned MinIO GET,
  2h TTL, path=templates/{original_project_id}/template.aep)
- render-svc: POST /v1/internal/render/jobs/:id/output-upload-url
  allocates Export row + returns presigned MinIO PUT URL + export_id
- render-svc: db.CreateExportForJob() inserts export row with 30-day retention
- render-svc: InternalHandler now owns minio client (templatesBucket + exportsBucket)
  MINIO_TEMPLATES_BUCKET env var (default flatrender-templates)
- node-agent: runner/download.go — DownloadFile() + UploadFile() (stdlib only)
- node-agent: client.GetOutputUploadURL() + ClaimedJob.AEPDownloadURL field
- node-agent: runJob() full flow: download AEP → render → get upload URL →
  PUT output to MinIO → Complete(export_id)
  All steps are non-fatal with fallback (AEP miss → mock, upload fail → no export)

TLS reverse proxy (item 15):
- Caddyfile: three virtual hosts (DOMAIN, API_DOMAIN, STORAGE_DOMAIN)
  auto-TLS via Let's Encrypt; security headers; 512MB upload limit on API
- docker-compose.v2.yml: caddy:2-alpine service, ports 80/443/443udp,
  caddy_data + caddy_config volumes; env vars DOMAIN/API_DOMAIN/STORAGE_DOMAIN/ACME_EMAIL
- .env.v2.example: new Caddy + MINIO_TEMPLATES_BUCKET entries

Billing portal (item 5):
- Identity: POST /v1/users/me/plan/cancel — sets cancelled_at, auto_renew=false
  (access continues to expiry); 404 when no active plan
- POST /api/billing/cancel — frontend proxy, validates auth
- GET /api/billing/portal — redirects to /dashboard/settings?tab=billing
- SettingsBilling: "Cancel plan" button with confirm dialog + optimistic UI,
  "Change plan" button; becomes "use client" component

Password reset UI (item 7):
- POST /api/auth/password-reset — proxies /v1/auth/password/reset/request
  (always 200, anti-enumeration)
- POST /api/auth/password-reset-confirm — proxies /v1/auth/password/reset/confirm
- AuthPageContent: "Forgot password?" link on sign-in tab opens 2-step reset flow
  (email → OTP+new-password) without leaving the auth page

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

services/render/internal/db/db.go

@@ -519,6 +519,57 @@ func (s *Store) ClaimJob(ctx context.Context, nodeID uuid.UUID, region string) (
 	return s.getJobByIDInternal(ctx, jobID)
 }
 
+// CreateExportForJob allocates a new Export row for a completed render job.
+// The export starts with a placeholder path `exports/{export_id}/output.mp4`.
+// The node agent uploads the MP4 to that MinIO path, then calls CompleteJob
+// with the returned export_id.
+func (s *Store) CreateExportForJob(ctx context.Context, jobID uuid.UUID) (*models.Export, error) {
+	// Look up the job to get tenant/user/project context
+	job, err := s.getJobByIDInternal(ctx, jobID)
+	if err != nil {
+		return nil, fmt.Errorf("job not found: %w", err)
+	}
+
+	exportID := uuid.New()
+	path := fmt.Sprintf("exports/%s/output.mp4", exportID)
+	now := time.Now()
+	autoDelete := now.AddDate(0, 0, 30) // 30-day retention
+
+	_, err = s.pool.Exec(ctx, `
+		INSERT INTO render.exports
+			(id, tenant_id, user_id, saved_project_id, original_project_id,
+			 render_job_id, path, file_extension, file_type, render_quality,
+			 create_type, size_bytes, produce_date, auto_delete_date,
+			 delete_notified, created_at)
+		VALUES
+			($1, $2, $3, $4, $5,
+			 $6, $7, 'mp4', 'video', $8,
+			 'render', 0, $9, $10,
+			 false, $9)`,
+		exportID, job.TenantID, job.UserID, job.SavedProjectID, job.OriginalProjectID,
+		job.ID, path, job.Quality,
+		now, autoDelete,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("create export: %w", err)
+	}
+
+	return &models.Export{
+		ID:             exportID,
+		TenantID:       job.TenantID,
+		UserID:         job.UserID,
+		SavedProjectID: job.SavedProjectID,
+		Path:           path,
+		FileExtension:  "mp4",
+		FileType:       "video",
+		RenderQuality:  job.Quality,
+		CreateType:     "render",
+		ProduceDate:    now,
+		AutoDeleteDate: autoDelete,
+		CreatedAt:      now,
+	}, nil
+}
+
 // UpdateJobPreview stores a base64-encoded preview frame for a running job.
 // Called by the node agent every N frames to power the live preview UI.
 func (s *Store) UpdateJobPreview(ctx context.Context, jobID uuid.UUID, imageB64 string) error {

services/render/internal/handlers/internal.go

@@ -1,22 +1,35 @@
 package handlers
 
 import (
+	"context"
+	"fmt"
 	"net/http"
+	"time"
 
 	"github.com/flatrender/render-svc/internal/db"
 	"github.com/flatrender/render-svc/internal/models"
 	"github.com/flatrender/render-svc/internal/notifier"
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
+	"github.com/minio/minio-go/v7"
 )
 
 type InternalHandler struct {
-	store    *db.Store
-	notifier *notifier.Client // may be nil — notifications are best-effort
+	store           *db.Store
+	notifier        *notifier.Client // may be nil — notifications are best-effort
+	minio           *minio.Client
+	templatesBucket string // bucket that holds .aep project files
+	exportsBucket   string // bucket that receives rendered MP4 outputs
 }
 
-func NewInternalHandler(store *db.Store, n *notifier.Client) *InternalHandler {
-	return &InternalHandler{store: store, notifier: n}
+func NewInternalHandler(store *db.Store, n *notifier.Client, mc *minio.Client, templatesBucket, exportsBucket string) *InternalHandler {
+	return &InternalHandler{
+		store:           store,
+		notifier:        n,
+		minio:           mc,
+		templatesBucket: templatesBucket,
+		exportsBucket:   exportsBucket,
+	}
 }
 
 // completeRequest is the body for POST .../complete
@@ -241,6 +254,21 @@ func (h *InternalHandler) Claim(c *gin.Context) {
 		return
 	}
 
+	// Generate presigned AEP download URL. AEP files are stored at
+	// templates/{original_project_id}/template.aep in the templates bucket.
+	// Errors are non-fatal — node agent falls back to mock render when URL is empty.
+	aepURL := ""
+	if h.minio != nil {
+		objectKey := fmt.Sprintf("templates/%s/template.aep", job.OriginalProjectID)
+		purl, perr := h.minio.PresignedGetObject(
+			context.Background(), h.templatesBucket, objectKey,
+			2*time.Hour, nil,
+		)
+		if perr == nil {
+			aepURL = purl.String()
+		}
+	}
+
 	c.JSON(http.StatusOK, models.ClaimedJob{
 		JobID:          job.ID,
 		SavedProjectID: job.SavedProjectID,
@@ -249,6 +277,43 @@ func (h *InternalHandler) Claim(c *gin.Context) {
 		FrameRate:      job.FrameRate,
 		HasMusic:       job.HasMusic,
 		HasVoiceover:   job.HasVoiceover,
+		AEPDownloadURL: aepURL,
+	})
+}
+
+// POST /v1/internal/render/jobs/:job_id/output-upload-url
+// Node agent calls this after rendering to get a presigned MinIO PUT URL.
+// Creates an Export record in the DB and returns the export_id + upload URL.
+func (h *InternalHandler) OutputUploadURL(c *gin.Context) {
+	jobID, err := uuid.Parse(c.Param("job_id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, models.APIError{Code: "bad_request", Message: "invalid job_id"})
+		return
+	}
+
+	export, err := h.store.CreateExportForJob(c.Request.Context(), jobID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, models.APIError{Code: "internal_error", Message: err.Error()})
+		return
+	}
+
+	expiry := 2 * time.Hour
+	purl, err := h.minio.PresignedPutObject(
+		context.Background(), h.exportsBucket, export.Path, expiry,
+	)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, models.APIError{
+			Code:    "presign_error",
+			Message: "could not generate upload URL",
+		})
+		return
+	}
+
+	c.JSON(http.StatusOK, models.OutputUploadURLResponse{
+		ExportID:  export.ID,
+		UploadURL: purl.String(),
+		ObjectKey: export.Path,
+		ExpiresAt: time.Now().Add(expiry),
 	})
 }
 

services/render/internal/models/models.go

@@ -415,6 +415,17 @@ type ClaimedJob struct {
 	FrameRate      int       `json:"frame_rate"`
 	HasMusic       bool      `json:"has_music"`
 	HasVoiceover   bool      `json:"has_voiceover"`
+	// AEPDownloadURL is a presigned MinIO GET URL for the .aep project file.
+	// Valid for 2 hours. Empty when the template is not yet uploaded.
+	AEPDownloadURL string `json:"aep_download_url,omitempty"`
+}
+
+// OutputUploadURLResponse is returned by POST .../output-upload-url.
+type OutputUploadURLResponse struct {
+	ExportID  uuid.UUID `json:"export_id"`
+	UploadURL string    `json:"upload_url"`
+	ObjectKey string    `json:"object_key"`
+	ExpiresAt time.Time `json:"expires_at"`
 }
 
 type CacheUpdateRequest struct {