feat(03-02): extend StorageBackend ABC and MinIOBackend with presigned PUT and stat_object

- Add generate_presigned_put_url and stat_object abstract methods to StorageBackend ABC
- Extend MinIOBackend with dual client (self._client internal + self._public_client public)
- MinIOBackend.__init__ accepts optional public_endpoint param (RESEARCH.md Finding 3)
- generate_presigned_put_url uses self._public_client for browser-resolvable URLs
- stat_object uses self._client.stat_object and returns .size (authoritative, T-03-05)
- get_storage_backend() passes public_endpoint=settings.minio_public_endpoint
- config.py adds minio_public_endpoint field (RESEARCH.md Finding 3)
- docker-compose.yml: MINIO_API_CORS_ALLOW_ORIGIN on minio service (T-03-09)
- docker-compose.yml: MINIO_PUBLIC_ENDPOINT on backend service
- docker-compose.yml: new celery-beat service (RESEARCH.md Finding 10)

backend/storage/minio_backend.py

@@ -11,10 +11,13 @@ The human-readable filename is NEVER passed into this module — only the
 file extension (derived by the caller from Path(original_name).suffix.lower())
 reaches here.
 """
+from __future__ import annotations
+
 import asyncio
 import io
 import uuid
 from datetime import timedelta
+from typing import Optional
 
 from minio import Minio
 
@@ -35,6 +38,7 @@ class MinIOBackend(StorageBackend):
         secret_key: str,
         bucket: str,
         secure: bool = False,
+        public_endpoint: Optional[str] = None,
     ) -> None:
         self._bucket = bucket
         self._client = Minio(
@@ -43,6 +47,15 @@ class MinIOBackend(StorageBackend):
             secret_key=secret_key,
             secure=secure,  # False for Docker internal HTTP traffic between containers
         )
+        # Second client for presigned URL generation — uses browser-accessible hostname.
+        # Falls back to internal client endpoint if not configured.
+        # RESEARCH.md Finding 3 — dual-client pattern to avoid Docker hostname pitfall (T-03-10).
+        self._public_client = Minio(
+            endpoint=(public_endpoint or endpoint),
+            access_key=access_key,
+            secret_key=secret_key,
+            secure=secure,
+        )
 
     async def put_object(
         self,
@@ -104,3 +117,32 @@ class MinIOBackend(StorageBackend):
             return await asyncio.to_thread(self._client.bucket_exists, self._bucket)
         except Exception:
             return False
+
+    async def generate_presigned_put_url(
+        self, object_key: str, expires_minutes: int = 15
+    ) -> str:
+        """Return a presigned PUT URL using the public-endpoint client.
+
+        Uses self._public_client so the returned URL contains a browser-resolvable
+        hostname (not the Docker-internal 'minio:9000' address).
+        RESEARCH.md Finding 2: presigned_put_object(bucket, key, expires=timedelta).
+        RESEARCH.md Finding 3: dual-client pattern for Docker hostname pitfall (T-03-10).
+        """
+        return await asyncio.to_thread(
+            self._public_client.presigned_put_object,
+            self._bucket,
+            object_key,
+            timedelta(minutes=expires_minutes),
+        )
+
+    async def stat_object(self, object_key: str) -> int:
+        """Return the authoritative file size in bytes from MinIO stat.
+
+        Calls self._client.stat_object (internal endpoint) and returns .size.
+        RESEARCH.md Finding 5: stat_object returns .size as int (authoritative).
+        Raises minio.error.S3Error(code='NoSuchKey') if the object does not exist.
+        """
+        result = await asyncio.to_thread(
+            self._client.stat_object, self._bucket, object_key
+        )
+        return result.size