fix: make media uploads work behind docker

- add S3_PUBLIC_ENDPOINT_URL for browser-reachable presigned urls

- support both public/internal file url validation

- configure MinIO bucket CORS in minio-init

- update env examples and docs

README.md

@@ -36,7 +36,7 @@ celery -A app.celery_app:celery_app worker --loglevel=info
 Run full stack (web + api + worker + postgres + redis + minio + mailpit):
 
 1. cp .env.docker.example .env
-2. edit `.env` (`SECRET_KEY`, passwords, domain)
+2. edit `.env` (`SECRET_KEY`, passwords, domain, `S3_PUBLIC_ENDPOINT_URL`)
 3. docker compose up -d --build
 2. Open:
    - Web: http://localhost
@@ -49,3 +49,5 @@ Run full stack (web + api + worker + postgres + redis + minio + mailpit):
 Use production override to close internal ports (postgres/redis/minio/mailpit/backend):
 
 docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d --build
+
+For media uploads from browser, `S3_PUBLIC_ENDPOINT_URL` must be reachable by users (for example `https://storage.example.com` or `http://SERVER_IP:9000`).