feat(03-02): extend StorageBackend ABC and MinIOBackend with presigned PUT and stat_object

- Add generate_presigned_put_url and stat_object abstract methods to StorageBackend ABC
- Extend MinIOBackend with dual client (self._client internal + self._public_client public)
- MinIOBackend.__init__ accepts optional public_endpoint param (RESEARCH.md Finding 3)
- generate_presigned_put_url uses self._public_client for browser-resolvable URLs
- stat_object uses self._client.stat_object and returns .size (authoritative, T-03-05)
- get_storage_backend() passes public_endpoint=settings.minio_public_endpoint
- config.py adds minio_public_endpoint field (RESEARCH.md Finding 3)
- docker-compose.yml: MINIO_API_CORS_ALLOW_ORIGIN on minio service (T-03-09)
- docker-compose.yml: MINIO_PUBLIC_ENDPOINT on backend service
- docker-compose.yml: new celery-beat service (RESEARCH.md Finding 10)

backend/storage/__init__.py

@@ -17,11 +17,17 @@ def get_storage_backend() -> StorageBackend:
 
     secure=False is correct for Docker internal HTTP traffic between containers
     (RESEARCH.md Pattern 3).
+
+    public_endpoint is the browser-resolvable hostname for presigned PUT URLs.
+    RESEARCH.md Finding 3 — dual-client pattern: internal endpoint for all
+    server-side operations; public endpoint for generate_presigned_put_url only.
     """
+    public_ep = settings.minio_public_endpoint or None
     return MinIOBackend(
         endpoint=settings.minio_endpoint,
         access_key=settings.minio_access_key,
         secret_key=settings.minio_secret_key,
         bucket=settings.minio_bucket,
         secure=False,
+        public_endpoint=public_ep,
     )