feat: nginx reverse proxy, Spotify import, overlay system, UI overhaul

- Add nginx as single entry point: /api/* → backend, /* → web
- NEXT_PUBLIC_API_URL="" so all API calls are relative (go through nginx)
- Add Spotify playlist import (Client Credentials OAuth, up to 500 tracks)
- Add Yandex/Spotify tabbed import UI on /playlists
- Add stream overlay system (SSE + polling fallback, 9 styles)
- Reorganize pages into (main) route group
- Add QueuePanel, VersionsPanel, Toaster components
- Add overlay settings tab in /settings

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

apps/backend/internal/config/config.go

@@ -7,25 +7,29 @@ import (
 )
 
 type Config struct {
-	Port      string
-	DBHost    string
-	DBPort    string
-	DBUser    string
-	DBPass    string
-	DBName    string
-	JWTSecret string
+	Port           string
+	DBHost         string
+	DBPort         string
+	DBUser         string
+	DBPass         string
+	DBName         string
+	JWTSecret      string
+	AllowedOrigins string
+	CookieSecure   bool
 }
 
 func Load() *Config {
 	_ = godotenv.Load()
 	return &Config{
-		Port:      getEnv("PORT", "8080"),
-		DBHost:    getEnv("DB_HOST", "localhost"),
-		DBPort:    getEnv("DB_PORT", "5432"),
-		DBUser:    getEnv("DB_USER", "partymix"),
-		DBPass:    getEnv("DB_PASSWORD", "partymix"),
-		DBName:    getEnv("DB_NAME", "partymix"),
-		JWTSecret: getEnv("JWT_SECRET", "change-me-in-production"),
+		Port:           getEnv("PORT", "8080"),
+		DBHost:         getEnv("DB_HOST", "localhost"),
+		DBPort:         getEnv("DB_PORT", "5432"),
+		DBUser:         getEnv("DB_USER", "partymix"),
+		DBPass:         getEnv("DB_PASSWORD", "partymix"),
+		DBName:         getEnv("DB_NAME", "partymix"),
+		JWTSecret:      getEnv("JWT_SECRET", "change-me-in-production"),
+		AllowedOrigins: getEnv("ALLOWED_ORIGINS", "http://localhost:3001,http://localhost:3000"),
+		CookieSecure:   getEnv("COOKIE_SECURE", "false") == "true",
 	}
 }