feat(app): add shared object storage foundation (#752)

## 배경
`app` / `common` 레이어에서 공통 object storage foundation이 필요해서, storage 계약과
provider adapter를 먼저 올리는 PR입니다.

이번 PR은 foundation만 다룹니다.
- 공통 storage contract
- provider별 adapter wiring
- blob backing store
- compression / smoke / 회귀 테스트
- backend reference 문서

상위 asset metadata 모델과 서비스별 attachment 통합은 의도적으로 제외했습니다.

## 이번 PR에서 포함한 범위
- `common`
  - `ObjectStoragePort`
  - `StorageUri`
  - `StoreObjectRequest`, `OpenDownloadRequest`, `DownloadHandle`
- `app`
  - `S3CompatibleObjectStorageAdapter`
  - `MinioObjectStorageAdapter`
  - `TencentCosObjectStorageAdapter`
  - `BlobObjectStorageAdapter`
  - `ObjectStorageRegistry`
  - blob backing store migration / entity / repository
- 문서
  - `docs/reference/backend/object-storage.md`
  - 관련 backend index 갱신
  - MinIO smoke / compression 작업 메모 추가

## 주요 변경
- `storage_uri`는 public URL이 아니라 internal locator로만 사용합니다.
- backend alias는 논리 이름 `minio` / `tencent-cos` / `blob`으로 정리했습니다.
- S3-compatible adapter는 metadata round-trip을 보장합니다.
- MinIO는 path-style access를 강제합니다.
- blob backend는 bucket-qualified target을 reject합니다.
- blob download도 `filename` / `disposition` 계약을 맞췄습니다.
- `Content-Disposition`은 filename이 없어도 `attachment` / `inline`을 유지하고,
filename이 있으면 ASCII fallback + `filename*` UTF-8 encoding을 사용합니다.
- oversized blob 업로드는 configurable limit로 방어합니다.
- `blob`는 텍스트 계열 payload에 대해 선택적 `GZIP` compression을 지원합니다.
- `S3CompatibleObjectStorageAdapter.head()`는 provider 편차를 고려해 header /
metadata / range / list fallback을 사용합니다.
- env-gated `MinIO` smoke test를 추가했습니다.

## MinIO smoke 메모
- 이 개발기에서는 `39000` 포트를 `ZscalerTunnel`이 이미 점유하고 있었습니다.
- 그래서 `http://127.0.0.1:39000`은 MinIO가 아니라 `Proxy-Agent: Ztunnel/1.0`
응답이 나왔습니다.
- 실제 smoke는 `39100:9000`으로 MinIO를 띄워서 검증했습니다.
- smoke test는 endpoint env를 그대로 사용하므로 특정 포트 고정에 의존하지 않습니다.

## 설정/기본값
- local profile 기본 provider: `minio`
- dev / ci 기본 provider: `blob`
- prod profile 기본 provider: `blob`
- `Tencent COS` adapter는 wiring과 테스트까지 포함하지만, 운영 기본값 전환은 별도 판단으로 남겨뒀습니다.

## 리뷰 반영
이번 PR에서 리뷰로 반영한 핵심은 아래입니다.
- blob adapter의 `readBytes()` 제거 및 max size guard 추가
- `BlobStoredObjectEntity.id` non-nullable 정리
- S3 metadata round-trip 반영
- MinIO path-style wiring 강제 및 회귀 테스트 추가
- blob bucket-qualified target reject
- `Content-Disposition` filename 없는 케이스까지 보강
- backend alias를 `minio` / `tencent-cos` / `blob`으로 정리
- 실제 MinIO smoke에서 드러난 port 하드코딩 assertion 제거

## 검증
아래 focused suite로 확인했습니다.

```bash
RUN_MINIO_SMOKE_TEST=true \
MINIO_SMOKE_TEST_ENDPOINT=http://127.0.0.1:39100 \
MINIO_SMOKE_TEST_REGION=us-east-1 \
MINIO_SMOKE_TEST_ACCESS_KEY=minio \
MINIO_SMOKE_TEST_SECRET_KEY=minio123 \
MINIO_SMOKE_TEST_BUCKET=deck-smoke \
./gradlew --no-build-cache :common:test --tests "io.deck.common.api.storage.StorageUriTest" \
  :app:test --tests "io.deck.app.storage.blob.BlobObjectStorageAdapterTest" \
  --tests "io.deck.app.storage.s3.S3CompatibleObjectStorageAdapterTest" \
  --tests "io.deck.app.storage.minio.MinioObjectStorageSmokeTest"
```

또한 fresh DB에서 `app` migration만 지정해 blob backing store migration을 검증했습니다.

## 주의 사항
- `:app` Gradle Flyway task는 기본적으로
`db/migration/ci-seed/V9999__ci-seed.sql`까지 함께 스캔합니다.
- 이번 fresh migration 검증은
`-Dflyway.locations=filesystem:src/main/resources/db/migration/app`로
`app` migration만 지정해서 확인했습니다.

## 이번 PR에서 제외한 범위
- `StoredAsset` 공통 자산 메타데이터 모델
- `PUBLIC` / `PRIVATE` asset serving 정책
- `meetpie og_image`의 object storage 이전
- `meetpie` namecard 내부 이미지의 persisted `imageUrl/data:image` 제거
- `deskpie` note/file attachment 통합

## 후속 설계
상위 자산 모델과 서비스 통합 방향은 별도 이슈로 분리했습니다.
- #756
- #756

---------

Co-authored-by: JK <jk@chequer.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: 3 people

backend/app/build.gradle.kts

@@ -58,6 +58,10 @@ dependencies {
     // Cache
     implementation(libs.caffeine)
 
+    // AWS SDK
+    implementation(platform(libs.aws.bom))
+    implementation(libs.aws.s3)
+
     // Database
     runtimeOnly(libs.postgresql)
     implementation("org.springframework.boot:spring-boot-starter-flyway")

backend/app/src/main/kotlin/io/deck/app/config/ObjectStorageConfig.kt

@@ -0,0 +1,206 @@
+package io.deck.app.config
+
+import io.deck.app.storage.ObjectStorageRegistry
+import io.deck.app.storage.blob.BlobObjectStorageAdapter
+import io.deck.app.storage.blob.BlobStoredObjectPayloadRepository
+import io.deck.app.storage.blob.BlobStoredObjectRepository
+import io.deck.app.storage.cos.TencentCosObjectStorageAdapter
+import io.deck.app.storage.minio.MinioObjectStorageAdapter
+import io.deck.common.api.config.ObjectStorageProperties
+import io.deck.common.api.storage.ObjectStoragePort
+import org.springframework.beans.factory.ObjectProvider
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty
+import org.springframework.boot.context.properties.EnableConfigurationProperties
+import org.springframework.context.annotation.Bean
+import org.springframework.context.annotation.Configuration
+import org.springframework.context.annotation.Primary
+import software.amazon.awssdk.auth.credentials.AwsBasicCredentials
+import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider
+import software.amazon.awssdk.regions.Region
+import software.amazon.awssdk.services.s3.S3Client
+import software.amazon.awssdk.services.s3.S3Configuration
+import software.amazon.awssdk.services.s3.presigner.S3Presigner
+import java.net.URI
+
+@Configuration(proxyBeanMethods = false)
+@EnableConfigurationProperties(ObjectStorageProperties::class)
+class ObjectStorageConfig {
+    @Bean(name = ["minioS3Client"], destroyMethod = "close")
+    @ConditionalOnProperty(
+        prefix = "app.object-storage.minio",
+        name = ["endpoint", "region", "access-key", "secret-key"],
+    )
+    fun minioS3Client(properties: ObjectStorageProperties): S3Client =
+        buildS3Client(
+            endpoint = properties.minio.endpoint,
+            region = properties.minio.region,
+            accessKey = properties.minio.accessKey,
+            secretKey = properties.minio.secretKey,
+            pathStyleAccess = true,
+        )
+
+    @Bean(name = ["minioS3Presigner"], destroyMethod = "close")
+    @ConditionalOnProperty(
+        prefix = "app.object-storage.minio",
+        name = ["endpoint", "region", "access-key", "secret-key"],
+    )
+    fun minioS3Presigner(properties: ObjectStorageProperties): S3Presigner =
+        buildS3Presigner(
+            endpoint = properties.minio.endpoint,
+            region = properties.minio.region,
+            accessKey = properties.minio.accessKey,
+            secretKey = properties.minio.secretKey,
+            pathStyleAccess = true,
+        )
+
+    @Bean(name = ["tencentCosS3Client"], destroyMethod = "close")
+    @ConditionalOnProperty(
+        prefix = "app.object-storage.cos",
+        name = ["endpoint", "region", "secret-id", "secret-key"],
+    )
+    fun tencentCosS3Client(properties: ObjectStorageProperties): S3Client =
+        buildS3Client(
+            endpoint = properties.cos.endpoint,
+            region = properties.cos.region,
+            accessKey = properties.cos.secretId,
+            secretKey = properties.cos.secretKey,
+            pathStyleAccess = properties.cos.pathStyleAccess,
+        )
+
+    @Bean(name = ["tencentCosS3Presigner"], destroyMethod = "close")
+    @ConditionalOnProperty(
+        prefix = "app.object-storage.cos",
+        name = ["endpoint", "region", "secret-id", "secret-key"],
+    )
+    fun tencentCosS3Presigner(properties: ObjectStorageProperties): S3Presigner =
+        buildS3Presigner(
+            endpoint = properties.cos.endpoint,
+            region = properties.cos.region,
+            accessKey = properties.cos.secretId,
+            secretKey = properties.cos.secretKey,
+            pathStyleAccess = properties.cos.pathStyleAccess,
+        )
+
+    @Bean(name = ["minioObjectStoragePort"])
+    @ConditionalOnProperty(
+        prefix = "app.object-storage.minio",
+        name = ["endpoint", "region", "access-key", "secret-key"],
+    )
+    fun minioObjectStoragePort(
+        properties: ObjectStorageProperties,
+        minioS3Client: S3Client,
+        minioS3Presigner: S3Presigner,
+    ): MinioObjectStorageAdapter =
+        MinioObjectStorageAdapter(
+            backend = MINIO_BACKEND,
+            bucket = properties.bucket,
+            properties = properties.minio,
+            s3Client = minioS3Client,
+            presigner = minioS3Presigner,
+        )
+
+    @Bean(name = ["tencentCosObjectStoragePort"])
+    @ConditionalOnProperty(
+        prefix = "app.object-storage.cos",
+        name = ["endpoint", "region", "secret-id", "secret-key"],
+    )
+    fun tencentCosObjectStoragePort(
+        properties: ObjectStorageProperties,
+        tencentCosS3Client: S3Client,
+        tencentCosS3Presigner: S3Presigner,
+    ): TencentCosObjectStorageAdapter =
+        TencentCosObjectStorageAdapter(
+            backend = TENCENT_COS_BACKEND,
+            bucket = properties.bucket,
+            properties = properties.cos,
+            s3Client = tencentCosS3Client,
+            presigner = tencentCosS3Presigner,
+        )
+
+    @Bean(name = ["blobObjectStoragePort"])
+    fun blobObjectStoragePort(
+        properties: ObjectStorageProperties,
+        objectRepository: BlobStoredObjectRepository,
+        payloadRepository: BlobStoredObjectPayloadRepository,
+    ): BlobObjectStorageAdapter =
+        BlobObjectStorageAdapter(
+            backend = BLOB_BACKEND,
+            objectRepository = objectRepository,
+            payloadRepository = payloadRepository,
+            maxObjectSizeBytes = properties.blob.maxObjectSizeBytes,
+        )
+
+    @Bean
+    fun objectStorageRegistry(
+        minioObjectStoragePort: ObjectProvider<MinioObjectStorageAdapter>,
+        tencentCosObjectStoragePort: ObjectProvider<TencentCosObjectStorageAdapter>,
+        blobObjectStoragePort: BlobObjectStorageAdapter,
+    ): ObjectStorageRegistry =
+        ObjectStorageRegistry(
+            adaptersByBackend = buildMap {
+                minioObjectStoragePort.getIfAvailable()?.let { put(MINIO_BACKEND, it) }
+                tencentCosObjectStoragePort.getIfAvailable()?.let { put(TENCENT_COS_BACKEND, it) }
+                put(BLOB_BACKEND, blobObjectStoragePort)
+            },
+        )
+
+    @Bean
+    @Primary
+    fun objectStoragePort(
+        properties: ObjectStorageProperties,
+        minioObjectStoragePort: ObjectProvider<MinioObjectStorageAdapter>,
+        tencentCosObjectStoragePort: ObjectProvider<TencentCosObjectStorageAdapter>,
+        blobObjectStoragePort: BlobObjectStorageAdapter,
+    ): ObjectStoragePort =
+        when (properties.provider) {
+            ObjectStorageProperties.Provider.MINIO -> {
+                minioObjectStoragePort.getIfAvailable()
+                    ?: throw IllegalStateException("MinIO object storage is not configured")
+            }
+
+            ObjectStorageProperties.Provider.TENCENT_COS -> {
+                tencentCosObjectStoragePort.getIfAvailable()
+                    ?: throw IllegalStateException("Tencent COS object storage is not configured")
+            }
+
+            ObjectStorageProperties.Provider.BLOB -> {
+                blobObjectStoragePort
+            }
+        }
+
+    private fun buildS3Client(
+        endpoint: String,
+        region: String,
+        accessKey: String,
+        secretKey: String,
+        pathStyleAccess: Boolean,
+    ): S3Client =
+        S3Client
+            .builder()
+            .endpointOverride(URI.create(endpoint))
+            .region(Region.of(region))
+            .credentialsProvider(StaticCredentialsProvider.create(AwsBasicCredentials.create(accessKey, secretKey)))
+            .serviceConfiguration(S3Configuration.builder().pathStyleAccessEnabled(pathStyleAccess).build())
+            .build()
+
+    private fun buildS3Presigner(
+        endpoint: String,
+        region: String,
+        accessKey: String,
+        secretKey: String,
+        pathStyleAccess: Boolean,
+    ): S3Presigner =
+        S3Presigner
+            .builder()
+            .endpointOverride(URI.create(endpoint))
+            .region(Region.of(region))
+            .credentialsProvider(StaticCredentialsProvider.create(AwsBasicCredentials.create(accessKey, secretKey)))
+            .serviceConfiguration(S3Configuration.builder().pathStyleAccessEnabled(pathStyleAccess).build())
+            .build()
+
+    private companion object {
+        const val MINIO_BACKEND = "minio"
+        const val TENCENT_COS_BACKEND = "tencent-cos"
+        const val BLOB_BACKEND = "blob"
+    }
+}

backend/app/src/main/kotlin/io/deck/app/storage/ObjectStorageRegistry.kt

@@ -0,0 +1,12 @@
+package io.deck.app.storage
+
+import io.deck.common.api.storage.ObjectStoragePort
+import io.deck.common.api.storage.StorageUri
+
+class ObjectStorageRegistry(
+    private val adaptersByBackend: Map<String, ObjectStoragePort>,
+) {
+    fun find(storageUri: StorageUri): ObjectStoragePort =
+        adaptersByBackend[storageUri.backend]
+            ?: throw IllegalArgumentException("Unsupported storage backend: ${storageUri.backend}")
+}