fix(security): remove MinIO hardcoded credentials & add presigned URL support

- Remove hardcoded minioadmin/minioadmin_secret fallback from docker-compose.yml,
  require MINIO_ACCESS_KEY/MINIO_SECRET_KEY env vars (fail-fast with :? syntax)
- Align docker-compose.yml env var names with .env.example (MINIO_ACCESS_KEY/SECRET_KEY)
- Update CI e2e workflow to use GitHub vars with non-default fallbacks
- Update .env.test to use non-default test credentials
- Add @aws-sdk/s3-request-presigner and getPresignedUploadUrl() method to
  MinioMediaStorageService for properly signed client-side uploads
- Remove hardcoded credentials from dev-environment docs

Co-Authored-By: Paperclip <noreply@paperclip.ing>

docs/dev-environment.md

@@ -130,7 +130,7 @@ curl http://localhost:8108/health
 ### MinIO
 
 - **API**: `http://localhost:9000`
-- **Console**: `http://localhost:9001` (login: `minioadmin` / `minioadmin_secret`)
+- **Console**: `http://localhost:9001` (login with `MINIO_ACCESS_KEY` / `MINIO_SECRET_KEY` from your `.env`)
 
 ### AI Services