M1 foundation: fix proxy, pool HTTP clients, split services, add ApiError + RLS

- Fix proxy body forwarding, round-robin load balancing, response streaming
- Pool reqwest::Client in proxy, control, and gateway (no per-request alloc)
- Harden CORS in gateway/main.rs (was allow_origin(Any), now uses ALLOWED_ORIGINS)
- Add common/src/error.rs: ApiError type with structured JSON responses
- Add common/src/rls.rs: RlsTransaction extractor for deduplicated RLS setup
- Fix tracing in all standalone binaries (EnvFilter instead of unused var)
- Dockerfile multi-stage: separate worker-runtime, control-runtime, proxy-runtime targets
- docker-compose.yml: split into worker/system/proxy services with health checks
- Fix Grafana port mapping in pillar-system (3030:3000)
- Add config/prometheus.yml and config/vmagent.yml
- Add .env.example with all required variables
- 55 tests pass (49 run + 6 ignored integration tests requiring external services)

Made-with: Cursor

.env.example

@@ -1,5 +1,17 @@
+# Required
+JWT_SECRET=your-super-secret-key-at-least-32-chars-long!!
+ADMIN_PASSWORD=changeme
 DATABASE_URL=postgres://admin:admin_password@localhost:5433/madbase_control
 DEFAULT_TENANT_DB_URL=postgres://postgres:postgres@localhost:5432/postgres
-PORT=8001
-HOST=0.0.0.0
-JWT_SECRET=supersecret
+
+# Storage (MinIO for dev, Hetzner/AWS for production)
+S3_ENDPOINT=http://localhost:9000
+S3_ACCESS_KEY=minioadmin
+S3_SECRET_KEY=minioadmin
+S3_BUCKET=madbase
+S3_REGION=us-east-1
+
+# Optional
+REDIS_URL=redis://localhost:6379
+RUST_LOG=info
+ALLOWED_ORIGINS=http://localhost:3000,http://localhost:8000