fix: instant CMS uploads + heritage dark/light + ISR caching

Eliminates the need to run "docker compose build" after uploading
images via HQ Command. Heritage page now respects light/dark mode.

CACHE INVALIDATION
- New helper src/lib/revalidate.ts called from /api/assets and
  /api/public-upload after every upload, delete, folder create
- Pages switch from force-dynamic to ISR with revalidate=60
  (regenerated on demand whenever content changes, plus 60s safety)
- Nginx now sends "max-age=300, must-revalidate" instead of "expires 30d"
  on /cases/, /applications/, /news/, /parts/, /footage/, /operations-inbox/
  so browsers revalidate via If-Modified-Since (304s on unchanged files)
- Next.js Image Optimizer aligned with same TTL via minimumCacheTTL=300
  and adds /_next/image location block in Nginx for correct headers

HERITAGE DARK/LIGHT FIX (Bug #8)
- Replaces hardcoded #0A0A0C / #00F0FF / text-white with proper
  light + dark variants throughout markdown renderer (tables, lists,
  headings, blockquotes, paragraphs, images)
- Hero section, navigation pill, and CMS-driven sections now switch
  with the global theme toggle

SECURITY HARDENING
- Server actions bodySizeLimit reduced from 500MB to 50MB
  (large uploads still go through /api/assets which uses Nginx 500MB cap)

DEPLOY NOTES
- Run on VPS:
    git pull
    docker compose up -d --build app
    docker compose exec nginx nginx -s reload
- No DB schema changes in this commit. Existing 2FA users / data untouched.

nginx/conf.d/flux.conf

@@ -36,6 +36,7 @@ server {
 
     add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
 
+    # Next.js bundles use content hashing — safe to cache forever
     location /_next/static/ {
         proxy_pass http://nextjs;
         expires 365d;
@@ -43,6 +44,17 @@ server {
         access_log off;
     }
 
+    # Next.js image optimizer — short cache, browser revalidates
+    location /_next/image {
+        proxy_pass http://nextjs;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+        add_header Cache-Control "public, max-age=300, must-revalidate" always;
+    }
+
     location /hq-command/login {
         limit_req zone=login burst=10 nodelay;
         proxy_pass http://nextjs;
@@ -104,46 +116,50 @@ server {
         access_log off;
     }
     
-    # Serve uploaded assets directly from disk (bypass Next.js)
+    # ─────────────────────────────────────────────────────────────────
+    # User-uploaded assets — served directly from disk (bypass Next.js)
+    #
+    # Cache strategy: short max-age + must-revalidate.
+    # Browser caches for 5 minutes, then asks Nginx "did this change?"
+    # via If-Modified-Since. Nginx auto-replies 304 (Not Modified) if the
+    # file's mtime is unchanged, or serves the new file if it changed.
+    # This means new CMS uploads appear within ~5 min without rebuild
+    # AND saved bandwidth on unchanged files.
+    # ─────────────────────────────────────────────────────────────────
 
     location /cases/ {
         alias /srv/cases/;
-        expires 30d;
-        add_header Cache-Control "public";
+        add_header Cache-Control "public, max-age=300, must-revalidate" always;
         access_log off;
     }
 
     location /applications/ {
         alias /srv/applications/;
-        expires 30d;
-        add_header Cache-Control "public";
+        add_header Cache-Control "public, max-age=300, must-revalidate" always;
         access_log off;
     }
 
     location /news/ {
         alias /srv/news/;
-        expires 30d;
-        add_header Cache-Control "public";
+        add_header Cache-Control "public, max-age=300, must-revalidate" always;
         access_log off;
     }
 
     location /parts/ {
         alias /srv/parts/;
-        expires 30d;
-        add_header Cache-Control "public";
+        add_header Cache-Control "public, max-age=300, must-revalidate" always;
         access_log off;
     }
 
     location /operations-inbox/ {
         alias /srv/operations-inbox/;
-        expires 7d;
+        add_header Cache-Control "private, max-age=60, must-revalidate" always;
         access_log off;
     }
 
     location /footage/ {
         alias /srv/footage/;
-        expires 30d;
-        add_header Cache-Control "public";
+        add_header Cache-Control "public, max-age=300, must-revalidate" always;
         access_log off;
     }