feat: microservices scaffold + Auth Service (Step 1)

- Add shared/ module: config, db, models, schemas, redis utilities
- Add Auth Service (services/auth/): register, login, refresh, me,
  ForwardAuth /verify endpoint for Traefik
- Add Traefik config: ACME/Cloudflare DNS-01, dynamic routing,
  ForwardAuth middleware, sticky sessions for WS Gateway
- Add service scaffolds: ws-gateway, chat, batch-agent, billing (READMEs)
- Add redis>=5.0.0 to requirements.txt
- Monolith app/ is untouched — strangler fig migration

traefik/dynamic/routers.yml

@@ -0,0 +1,143 @@
+# Dynamic routing configuration
+
+http:
+  middlewares:
+    # ForwardAuth: validates JWT via Auth Service, injects identity headers
+    auth-forward:
+      forwardAuth:
+        address: "http://auth:8000/api/v1/auth/verify"
+        trustForwardHeader: true
+        authResponseHeaders:
+          - "X-User-Id"
+          - "X-User-Email"
+          - "X-User-Tier"
+
+    # Rate limiting (basic — per-client IP; upgrade to per-tier later)
+    rate-limit:
+      rateLimit:
+        average: 60
+        burst: 20
+        period: "1m"
+
+    # Strip /api/v1 prefix before forwarding to services
+    strip-api-prefix:
+      stripPrefix:
+        prefixes:
+          - "/api/v1"
+
+  routers:
+    # ── Auth (no ForwardAuth on public endpoints) ──────────────
+    auth-public:
+      rule: "PathPrefix(`/api/v1/auth/register`) || PathPrefix(`/api/v1/auth/login`) || PathPrefix(`/api/v1/auth/refresh`)"
+      entryPoints:
+        - websecure
+      middlewares:
+        - rate-limit
+        - strip-api-prefix
+      service: auth-svc
+      tls: {}
+
+    auth-protected:
+      rule: "PathPrefix(`/api/v1/auth`)"
+      entryPoints:
+        - websecure
+      middlewares:
+        - auth-forward
+        - rate-limit
+        - strip-api-prefix
+      service: auth-svc
+      tls: {}
+
+    # ── WebSocket Gateway (sticky sessions) ────────────────────
+    ws-gateway:
+      rule: "PathPrefix(`/api/v1/ws`)"
+      entryPoints:
+        - websecure
+      middlewares:
+        - rate-limit
+      service: ws-gateway-svc
+      tls: {}
+
+    # ── Chat Service ───────────────────────────────────────────
+    chat:
+      rule: "PathPrefix(`/api/v1/chat`)"
+      entryPoints:
+        - websecure
+      middlewares:
+        - auth-forward
+        - rate-limit
+        - strip-api-prefix
+      service: chat-svc
+      tls: {}
+
+    # ── Batch Agent Service ────────────────────────────────────
+    batch-agent:
+      rule: "PathPrefix(`/api/v1/agents`)"
+      entryPoints:
+        - websecure
+      middlewares:
+        - auth-forward
+        - rate-limit
+        - strip-api-prefix
+      service: batch-agent-svc
+      tls: {}
+
+    # ── Billing Service ────────────────────────────────────────
+    billing-webhook:
+      rule: "PathPrefix(`/api/v1/billing/webhook`)"
+      entryPoints:
+        - websecure
+      middlewares:
+        - rate-limit
+        - strip-api-prefix
+      service: billing-svc
+      tls: {}
+      priority: 10
+
+    billing:
+      rule: "PathPrefix(`/api/v1/billing`)"
+      entryPoints:
+        - websecure
+      middlewares:
+        - auth-forward
+        - rate-limit
+        - strip-api-prefix
+      service: billing-svc
+      tls: {}
+
+    # ── Health (no auth) ───────────────────────────────────────
+    health:
+      rule: "Path(`/api/v1/health`)"
+      entryPoints:
+        - websecure
+      service: auth-svc
+      tls: {}
+
+  services:
+    auth-svc:
+      loadBalancer:
+        servers:
+          - url: "http://auth:8000"
+
+    ws-gateway-svc:
+      loadBalancer:
+        sticky:
+          cookie:
+            name: "ws_affinity"
+        servers:
+          - url: "http://ws-gateway:8000"
+
+    chat-svc:
+      loadBalancer:
+        servers:
+          - url: "http://chat:8000"
+
+    batch-agent-svc:
+      loadBalancer:
+        servers:
+          - url: "http://batch-agent:8000"
+
+    billing-svc:
+      loadBalancer:
+        servers:
+          - url: "http://billing:8000"