feat: auth service + security audit fixes + cleanup legacy services

Major changes:
- Add auth-svc: JWT auth, register/login/refresh, password reset
- Add auth UI: modals, pages (/login, /register, /forgot-password)
- Add usage tracking (usage_metrics table, daily limits)
- Add tiered rate limiting (free/pro/business)
- Add LLM usage limits per tier

Security fixes:
- All repos now require userID for Update/Delete operations
- JWT middleware in chat-svc, llm-svc, agent-svc, discover-svc
- ErrNotFound/ErrForbidden errors for proper access control

Cleanup:
- Remove legacy TypeScript services/ directory
- Remove computer-svc (to be reimplemented)
- Remove old deploy/docker configs

New files:
- backend/cmd/auth-svc/main.go
- backend/internal/auth/{types,repository}.go
- backend/internal/usage/{types,repository}.go
- backend/pkg/middleware/{llm_limits,ratelimit_tiered}.go
- backend/webui/src/components/auth/*
- backend/webui/src/app/(auth)/*

Made-with: Cursor

backend/deploy/docker/docker-compose.yml

@@ -1,6 +1,27 @@
 version: '3.8'
 
 services:
+  auth-svc:
+    build:
+      context: ../..
+      dockerfile: deploy/docker/Dockerfile.all
+    environment:
+      - SERVICE=auth-svc
+      - PORT=3050
+      - DATABASE_URL=postgres://gooseek:gooseek@postgres:5432/gooseek?sslmode=disable
+      - JWT_SECRET=${JWT_SECRET}
+    ports:
+      - "3050:3050"
+    depends_on:
+      - postgres
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:3050/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+    networks:
+      - gooseek
+
   api-gateway:
     build:
       context: ../..
@@ -8,23 +29,26 @@ services:
     environment:
       - SERVICE=api-gateway
       - PORT=3015
+      - AUTH_SVC_URL=http://auth-svc:3050
       - CHAT_SVC_URL=http://chat-svc:3005
       - MASTER_AGENTS_SVC_URL=http://agent-svc:3018
       - SEARCH_SVC_URL=http://search-svc:3001
       - LLM_SVC_URL=http://llm-svc:3020
       - SCRAPER_SVC_URL=http://scraper-svc:3021
       - THREAD_SVC_URL=http://thread-svc:3027
-      - COMPUTER_SVC_URL=http://computer-svc:3030
       - DISCOVER_SVC_URL=http://discover-svc:3002
       - FINANCE_HEATMAP_SVC_URL=http://finance-heatmap-svc:3033
       - LEARNING_SVC_URL=http://learning-svc:3034
+      - ADMIN_SVC_URL=http://admin-svc:3040
+      - JWT_SECRET=${JWT_SECRET}
     ports:
       - "3015:3015"
     depends_on:
+      - auth-svc
       - chat-svc
       - agent-svc
       - thread-svc
-      - computer-svc
+      - admin-svc
     networks:
       - gooseek
 
@@ -187,53 +211,6 @@ services:
     networks:
       - gooseek
 
-  computer-svc:
-    build:
-      context: ../..
-      dockerfile: deploy/docker/Dockerfile.all
-    environment:
-      - SERVICE=computer-svc
-      - PORT=3030
-      - COMPUTER_SVC_PORT=3030
-      - DATABASE_URL=postgres://gooseek:gooseek@postgres:5432/gooseek?sslmode=disable
-      - REDIS_URL=redis://redis:6379
-      - OPENAI_API_KEY=${OPENAI_API_KEY}
-      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
-      - GEMINI_API_KEY=${GEMINI_API_KEY}
-      - TIMEWEB_API_BASE_URL=${TIMEWEB_API_BASE_URL}
-      - TIMEWEB_AGENT_ACCESS_ID=${TIMEWEB_AGENT_ACCESS_ID}
-      - TIMEWEB_API_KEY=${TIMEWEB_API_KEY}
-      - TELEGRAM_BOT_TOKEN=${TELEGRAM_BOT_TOKEN}
-      - SANDBOX_IMAGE=python:3.11-slim
-      - BROWSER_SVC_URL=http://browser-svc:3050
-    ports:
-      - "3030:3030"
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-      - checkpoints:/data/checkpoints
-    depends_on:
-      - postgres
-      - redis
-      - browser-svc
-    networks:
-      - gooseek
-
-  browser-svc:
-    build:
-      context: ../..
-      dockerfile: deploy/docker/Dockerfile.all
-    environment:
-      - SERVICE=browser-svc
-      - PORT=3050
-      - BROWSER_SVC_PORT=3050
-    ports:
-      - "3050:3050"
-    volumes:
-      - screenshots:/tmp/gooseek-screenshots
-      - recordings:/tmp/gooseek-recordings
-    networks:
-      - gooseek
-
   labs-svc:
     build:
       context: ../..
@@ -304,14 +281,60 @@ services:
     networks:
       - gooseek
 
+  admin-svc:
+    build:
+      context: ../..
+      dockerfile: deploy/docker/Dockerfile.all
+    environment:
+      - SERVICE=admin-svc
+      - PORT=3040
+      - ADMIN_SVC_PORT=3040
+      - DATABASE_URL=postgres://gooseek:gooseek@postgres:5432/gooseek?sslmode=disable
+      - JWT_SECRET=${JWT_SECRET}
+      - AUTH_SVC_URL=${AUTH_SVC_URL}
+      - MINIO_ENDPOINT=minio:9000
+      - MINIO_ACCESS_KEY=minioadmin
+      - MINIO_SECRET_KEY=minioadmin
+      - MINIO_BUCKET=gooseek
+      - MINIO_USE_SSL=false
+    ports:
+      - "3040:3040"
+    depends_on:
+      - postgres
+      - minio
+    networks:
+      - gooseek
+
+  minio:
+    image: minio/minio:latest
+    command: server /data --console-address ":9001"
+    environment:
+      - MINIO_ROOT_USER=minioadmin
+      - MINIO_ROOT_PASSWORD=minioadmin
+    volumes:
+      - minio-data:/data
+    ports:
+      - "9000:9000"
+      - "9001:9001"
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+    networks:
+      - gooseek
+
   webui:
     build:
       context: ../../webui
       dockerfile: Dockerfile
+      args:
+        - NEXT_PUBLIC_DISABLED_ROUTES=${NEXT_PUBLIC_DISABLED_ROUTES:-/travel,/medicine,/finance,/learning,/spaces,/history}
     environment:
       - NODE_ENV=production
       - API_URL=http://api-gateway:3015
       - NEXT_PUBLIC_API_URL=
+      - NEXT_PUBLIC_DISABLED_ROUTES=${NEXT_PUBLIC_DISABLED_ROUTES:-/travel,/medicine,/finance,/learning,/spaces,/history}
     ports:
       - "3000:3000"
     depends_on:
@@ -379,7 +402,5 @@ volumes:
   postgres-data:
   redis-data:
   file-storage:
-  checkpoints:
-  screenshots:
-  recordings:
   podcasts:
+  minio-data: