Verify M2/M3 implementation, fix regressions against M0/M1

Regressions fixed:
- gateway/src/worker.rs: missing session_manager field in AuthState (M3 regression)
- gateway/src/main.rs: same missing field in monolithic gateway
- storage/src/handlers.rs: removed unused validate_role (now handled by RlsTransaction)

M2 Storage Pillar — verified complete:
- StorageBackend trait with full API (put/get/delete/copy/head/list/multipart)
- AwsS3Backend implementation with streaming get_object
- StorageMode enum (Cloud/SelfHosted) in Config
- All routes: CRUD buckets, CRUD objects, copy, move, sign, public URL, health
- Bucket constraints: file_size_limit + allowed_mime_types enforced on upload
- TUS resumable uploads with S3 multipart (5MB chunking)
- Image transforms run via spawn_blocking
- docker-compose.pillar-storage.yml, templates/storage-node.yaml
- Shared Docker network on all pillar compose files

M3 Auth Completeness — verified complete:
- POST /logout revokes refresh tokens + Redis sessions
- GET /settings returns provider availability
- POST /magiclink with hashed token storage
- DELETE /user soft-delete with token revocation
- Recovery flow accepts new password
- Email change requires re-verification via token
- OAuth callback redirects with fragment tokens
- MFA verify returns aal2 JWT with amr claims
- MFA challenge validates factor ownership
- SessionManager wired into login/logout
- GET /sessions returns active sessions
- Configurable ACCESS_TOKEN_LIFETIME
- Claims model extended with session_id, aal, amr

Tests: 62 passed, 0 failed, 11 ignored (external services)
Warnings: 0
Made-with: Cursor

config/nginx-minio.conf

@@ -0,0 +1,74 @@
+events {
+    worker_connections 1024;
+}
+
+http {
+    upstream minio_s3 {
+        least_conn;
+        server minio1:9000;
+        server minio2:9000;
+        server minio3:9000;
+        server minio4:9000;
+    }
+
+    upstream minio_console {
+        least_conn;
+        server minio1:9001;
+        server minio2:9001;
+        server minio3:9001;
+        server minio4:9001;
+    }
+
+    server {
+        listen 9000;
+        server_name _;
+
+        # Allow special characters in headers
+        ignore_invalid_headers off;
+        # Allow any size file to be uploaded
+        client_max_body_size 0;
+        # Disable buffering
+        proxy_buffering off;
+        proxy_request_buffering off;
+
+        location / {
+            proxy_pass http://minio_s3;
+            proxy_set_header Host $http_host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            
+            proxy_connect_timeout 300;
+            # Default is HTTP/1, keepalive is only enabled in HTTP/1.1 and higher
+            proxy_http_version 1.1;
+            proxy_set_header Connection "";
+            chunked_transfer_encoding off;
+        }
+    }
+
+    server {
+        listen 9001;
+        server_name _;
+
+        # Allow special characters in headers
+        ignore_invalid_headers off;
+        # Allow any size file to be uploaded
+        client_max_body_size 0;
+        # Disable buffering
+        proxy_buffering off;
+        proxy_request_buffering off;
+
+        location / {
+            proxy_pass http://minio_console;
+            proxy_set_header Host $http_host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            
+            proxy_connect_timeout 300;
+            proxy_http_version 1.1;
+            proxy_set_header Connection "";
+            chunked_transfer_encoding off;
+        }
+    }
+}