infra: move Kong to gateway server, fix MinIO internal path

- infrastructure/kong/: Kong declarative config for gateway server
  All service URLs use http://192.168.1.222:PORT (internal server)
  admin-service gets extended timeouts (300s) for large uploads
- docker-compose.yml: admin-service uses MINIO_ENDPOINT=192.168.1.200:9200
  Plain HTTP via Nginx internal proxy (no SSL, no extra_hosts needed)

New upload path:
  Browser → Nginx:443 → Kong:48080 (local) → admin-service(LAN) → MinIO:9200(local)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/docker-compose.yml

@@ -353,16 +353,14 @@ services:
       - DB_USERNAME=genex
       - DB_PASSWORD=${DB_PASSWORD}
       - DB_NAME=genex
-      - MINIO_ENDPOINT=oss.gogenex.com  # Use domain; extra_hosts maps it to 192.168.1.200 (gateway LAN IP) inside container
+      - MINIO_ENDPOINT=192.168.1.200  # MinIO on gateway — internal HTTP proxy (Nginx :9200 → MinIO:9100, no SSL)
-      - MINIO_PORT=443
+      - MINIO_PORT=9200
-      - MINIO_USE_SSL=true
+      - MINIO_USE_SSL=false
       - MINIO_ACCESS_KEY=genex-admin
       - MINIO_SECRET_KEY=genex-minio-secret
       - MINIO_BUCKET=app-releases
       - OSS_BASE_URL=https://oss.gogenex.com  # Public download base URL for app packages
       - JWT_ACCESS_SECRET=dev-access-secret-change-in-production
-    extra_hosts:
-      - "oss.gogenex.com:192.168.1.200"  # Bypass public DNS; route MinIO via gateway LAN IP (port 443 Nginx → localhost:9100)
     depends_on:
       postgres:
         condition: service_healthy

infrastructure/kong/docker-compose.yml

@@ -0,0 +1,26 @@
+services:
+  kong:
+    image: kong:3.6-ubuntu
+    container_name: genex-kong
+    restart: unless-stopped
+    environment:
+      KONG_DATABASE: "off"
+      KONG_DECLARATIVE_CONFIG: /etc/kong/kong.yml
+      KONG_PROXY_ACCESS_LOG: /dev/stdout
+      KONG_ADMIN_ACCESS_LOG: /dev/stdout
+      KONG_PROXY_ERROR_LOG: /dev/stderr
+      KONG_ADMIN_ERROR_LOG: /dev/stderr
+      KONG_PROXY_LISTEN: "0.0.0.0:8080"
+      KONG_ADMIN_LISTEN: "127.0.0.1:8001"
+      # Large file upload support
+      KONG_NGINX_PROXY_PROXY_REQUEST_BUFFERING: "off"
+      KONG_NGINX_PROXY_CLIENT_MAX_BODY_SIZE: "500m"
+    volumes:
+      - ./kong.yml:/etc/kong/kong.yml:ro
+    ports:
+      - "127.0.0.1:48080:8080"
+    healthcheck:
+      test: ["CMD", "kong", "health"]
+      interval: 10s
+      timeout: 5s
+      retries: 5

infrastructure/kong/kong.yml

@@ -0,0 +1,289 @@
+_format_version: "3.0"
+
+# ============================================================
+# Genex Kong API Gateway - Gateway Server Configuration
+# Deployed on: 154.84.135.121 (gateway server)
+# Microservices: http://192.168.1.222:PORT (internal server)
+# ============================================================
+
+services:
+  # --- auth-service (NestJS :3010) ---
+  - name: auth-service
+    url: http://192.168.1.222:4010
+    routes:
+      - name: auth-routes
+        paths:
+          - /api/v1/auth
+        strip_path: false
+
+  # --- user-service (NestJS :3001) ---
+  - name: user-service
+    url: http://192.168.1.222:4001
+    routes:
+      - name: user-routes
+        paths:
+          - /api/v1/users
+        strip_path: false
+      - name: wallet-routes
+        paths:
+          - /api/v1/wallet
+        strip_path: false
+      - name: message-routes
+        paths:
+          - /api/v1/messages
+        strip_path: false
+      - name: admin-user-routes
+        paths:
+          - /api/v1/admin/users
+        strip_path: false
+      - name: admin-dashboard-routes
+        paths:
+          - /api/v1/admin/dashboard
+        strip_path: false
+      - name: admin-system-routes
+        paths:
+          - /api/v1/admin/system
+        strip_path: false
+
+  # --- telemetry-service (NestJS :3011) ---
+  - name: telemetry-service
+    url: http://192.168.1.222:4011
+    routes:
+      - name: telemetry-routes
+        paths:
+          - /api/v1/telemetry
+        strip_path: false
+      - name: admin-telemetry-routes
+        paths:
+          - /api/v1/admin/telemetry
+        strip_path: false
+
+  # --- admin-service (NestJS :3012) ---
+  - name: admin-service
+    url: http://192.168.1.222:4012
+    connect_timeout: 300000
+    write_timeout: 300000
+    read_timeout: 300000
+    routes:
+      - name: app-version-routes
+        paths:
+          - /api/v1/app/version
+        strip_path: false
+      - name: admin-version-routes
+        paths:
+          - /api/v1/admin/versions
+        strip_path: false
+
+  # --- referral-service (NestJS :3013) ---
+  - name: referral-service
+    url: http://192.168.1.222:4013
+    routes:
+      - name: referral-routes
+        paths:
+          - /api/v1/referral
+        strip_path: false
+
+  # --- issuer-service (NestJS :3002) ---
+  - name: issuer-service
+    url: http://192.168.1.222:4002
+    routes:
+      - name: coupon-routes
+        paths:
+          - /api/v1/coupons
+        strip_path: false
+      - name: issuer-routes
+        paths:
+          - /api/v1/issuers
+        strip_path: false
+      - name: issuer-me-routes
+        paths:
+          - /api/v1/issuers/me
+        strip_path: false
+      - name: redemption-routes
+        paths:
+          - /api/v1/redemptions
+        strip_path: false
+      - name: coupon-batch-routes
+        paths:
+          - /api/v1/coupons/batch
+        strip_path: false
+      - name: admin-issuer-routes
+        paths:
+          - /api/v1/admin/issuers
+        strip_path: false
+      - name: admin-coupon-routes
+        paths:
+          - /api/v1/admin/coupons
+        strip_path: false
+      - name: admin-analytics-routes
+        paths:
+          - /api/v1/admin/analytics
+        strip_path: false
+      - name: admin-merchant-routes
+        paths:
+          - /api/v1/admin/merchant
+        strip_path: false
+
+  # --- trading-service (Go :3003) ---
+  - name: trading-service
+    url: http://192.168.1.222:4003
+    routes:
+      - name: trade-routes
+        paths:
+          - /api/v1/trades
+        strip_path: false
+      - name: trades-my-routes
+        paths:
+          - /api/v1/trades/my
+        strip_path: false
+      - name: trades-coupon-transfer-routes
+        paths:
+          - /api/v1/trades/coupons
+        strip_path: false
+      - name: market-maker-routes
+        paths:
+          - /api/v1/mm
+        strip_path: false
+      - name: admin-trade-routes
+        paths:
+          - /api/v1/admin/trades
+        strip_path: false
+      - name: admin-mm-routes
+        paths:
+          - /api/v1/admin/mm
+        strip_path: false
+
+  # --- clearing-service (NestJS :3004) ---
+  - name: clearing-service
+    url: http://192.168.1.222:4004
+    routes:
+      - name: payment-routes
+        paths:
+          - /api/v1/payments
+        strip_path: false
+      - name: admin-finance-routes
+        paths:
+          - /api/v1/admin/finance
+        strip_path: false
+      - name: admin-reports-routes
+        paths:
+          - /api/v1/admin/reports
+        strip_path: false
+
+  # --- compliance-service (NestJS :3005) ---
+  - name: compliance-service
+    url: http://192.168.1.222:4005
+    routes:
+      - name: compliance-routes
+        paths:
+          - /api/v1/compliance
+        strip_path: false
+      - name: dispute-routes
+        paths:
+          - /api/v1/disputes
+        strip_path: false
+      - name: admin-risk-routes
+        paths:
+          - /api/v1/admin/risk
+        strip_path: false
+      - name: admin-compliance-routes
+        paths:
+          - /api/v1/admin/compliance
+        strip_path: false
+      - name: admin-dispute-routes
+        paths:
+          - /api/v1/admin/disputes
+        strip_path: false
+      - name: admin-insurance-routes
+        paths:
+          - /api/v1/admin/insurance
+        strip_path: false
+
+  # --- ai-service (NestJS :3006) ---
+  - name: ai-service
+    url: http://192.168.1.222:4006
+    routes:
+      - name: ai-routes
+        paths:
+          - /api/v1/ai
+        strip_path: false
+
+  # --- notification-service (NestJS :3008) ---
+  - name: notification-service
+    url: http://192.168.1.222:4008
+    routes:
+      - name: notification-routes
+        paths:
+          - /api/v1/notifications
+        strip_path: false
+      - name: announcement-routes
+        paths:
+          - /api/v1/announcements
+        strip_path: false
+      - name: device-token-routes
+        paths:
+          - /api/v1/device-tokens
+        strip_path: false
+      - name: admin-notification-routes
+        paths:
+          - /api/v1/admin/notifications
+        strip_path: false
+      - name: admin-announcement-routes
+        paths:
+          - /api/v1/admin/announcements
+        strip_path: false
+      - name: admin-user-tag-routes
+        paths:
+          - /api/v1/admin/user-tags
+        strip_path: false
+
+  # --- chain-indexer (Go :3009) ---
+  - name: chain-indexer
+    url: http://192.168.1.222:4009
+    routes:
+      - name: chain-routes
+        paths:
+          - /api/v1/chain
+        strip_path: false
+      - name: admin-chain-routes
+        paths:
+          - /api/v1/admin/chain
+        strip_path: false
+
+  # --- translate-service (Go :3007) ---
+  - name: translate-service
+    url: http://192.168.1.222:4007
+    routes:
+      - name: translate-routes
+        paths:
+          - /api/v1/translate
+        strip_path: false
+
+plugins:
+  - name: cors
+    config:
+      origins:
+        - "*"
+      methods:
+        - GET
+        - POST
+        - PUT
+        - PATCH
+        - DELETE
+        - OPTIONS
+      headers:
+        - Accept
+        - Authorization
+        - Content-Type
+        - X-Requested-With
+      exposed_headers:
+        - X-Auth-Token
+      credentials: true
+      max_age: 3600
+
+  - name: rate-limiting
+    config:
+      minute: 100
+      policy: local
+      fault_tolerant: true
+      hide_client_headers: false