Fix Phase 3 UAT blockers: MinIO presigned URL hostname, CORS, admin flush→commit, auth refresh race

Bugs fixed:
- minio_backend.py: generate_presigned_put_url and presigned_get_url used internal
  _client (minio:9000) instead of _public_client (localhost:9000). Browser received
  ERR_NAME_NOT_RESOLVED. Fixed by using _public_client with region='us-east-1' to
  skip region-discovery HTTP request from inside the container.

- docker-compose.yml: MINIO_API_CORS_ALLOW_ORIGIN was set from CORS_ORIGINS which
  uses pydantic JSON list format '["http://localhost:5173"]'. MinIO expected a plain
  string and never matched the origin. Fixed to use FRONTEND_URL instead.

- admin.py: All write handlers (create_user, update_user_status, update_user_quota,
  update_ai_config) used session.flush() without session.commit(). Changes appeared
  to succeed (response reflected in-memory state) but rolled back on session close.
  Fixed by replacing flush() with commit() in all four write handlers.

- auth.js: Concurrent refresh() calls from QuotaBar and App.vue on page reload caused
  a token rotation race — first call rotated the cookie, second arrived with stale
  cookie and cleared accessToken. Fixed by deduplicating with a shared in-flight
  promise (_refreshInFlight).

Phase 3 UAT: 9/10 pass. UAT-3 (QuotaBar visual) pending browser confirmation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/api/admin.py

@@ -205,7 +205,7 @@ async def create_user(
         used_bytes=0,
     )
     session.add(quota)
-    await session.flush()
+    await session.commit()
 
     return {
         "id": str(new_user.id),
@@ -254,7 +254,7 @@ async def update_user_status(
         await revoke_all_refresh_tokens(session, user.id)
 
     session.add(user)
-    await session.flush()
+    await session.commit()
 
     return {
         "id": str(user.id),
@@ -346,7 +346,7 @@ async def update_user_quota(
 
     quota.limit_bytes = body.limit_bytes
     session.add(quota)
-    await session.flush()
+    await session.commit()
 
     response: dict = {
         "user_id": str(quota.user_id),
@@ -378,7 +378,7 @@ async def update_ai_config(
     user.ai_provider = body.ai_provider
     user.ai_model = body.ai_model
     session.add(user)
-    await session.flush()
+    await session.commit()
 
     return {
         "id": str(user.id),

backend/storage/minio_backend.py

@@ -47,14 +47,16 @@ class MinIOBackend(StorageBackend):
             secret_key=secret_key,
             secure=secure,
         )
-        # MINIO_SERVER_URL on MinIO rewrites the presigned URL host at the server side,
-        # so both clients can point at the internal endpoint — the signature is valid
-        # for localhost:9000 because MinIO itself generated it that way (T-03-10).
+        # Public client uses the browser-resolvable hostname (localhost:9000) so
+        # presigned URLs contain a host the browser can reach (T-03-10).
+        # region="us-east-1" avoids a region-discovery GET to the public endpoint,
+        # which is unreachable from inside the backend Docker container.
         self._public_client = Minio(
             endpoint=(public_endpoint or endpoint),
             access_key=access_key,
             secret_key=secret_key,
             secure=secure,
+            region="us-east-1",
         )
 
     async def put_object(
@@ -103,9 +105,9 @@ class MinIOBackend(StorageBackend):
     async def presigned_get_url(
         self, object_key: str, expires_minutes: int = 60
     ) -> str:
-        """Return a time-limited pre-signed download URL."""
+        """Return a time-limited pre-signed download URL with a browser-resolvable hostname."""
         return await asyncio.to_thread(
-            self._client.presigned_get_object,
+            self._public_client.presigned_get_object,
             self._bucket,
             object_key,
             timedelta(minutes=expires_minutes),
@@ -123,14 +125,12 @@ class MinIOBackend(StorageBackend):
     ) -> str:
         """Return a presigned PUT URL with a browser-resolvable hostname.
 
-        Generates the URL via the internal client (minio:9000 — reachable from
-        the backend container), then rewrites the host to the public endpoint
-        (localhost:9000 — reachable from the browser). T-03-10 / Finding 3.
+        Uses _public_client (localhost:9000) so the browser can resolve the host.
+        The MinIO Python SDK generates presigned URLs client-side; MINIO_SERVER_URL
+        on the container does NOT rewrite SDK-generated URLs (T-03-10 / Finding 3).
         """
-        # MINIO_SERVER_URL on the MinIO container causes it to embed the public
-        # hostname (localhost:9000) in signed URLs, so the internal client suffices.
         return await asyncio.to_thread(
-            self._client.presigned_put_object,
+            self._public_client.presigned_put_object,
             self._bucket,
             object_key,
             timedelta(minutes=expires_minutes),