infra: rewrite sst.config.ts to valid SST v3 (Ion) shape

The original file mixed SST v2 syntax (SSTConfig, stacks(), app.stack)
with v3 constructs (sst.aws.Vpc, sst.aws.Postgres, ...). `npx sst diff`
fails immediately on the top-level imports. Rewrites to the v3
$config({ app(), async run() }) form with the platform shim reference,
and along the way:

- Adds sst.aws.Cluster between Vpc and Service (required in v3)
- Switches loadBalancer.public boolean to loadBalancer.ports listener
  array, forwarding 80/http -> 3001/http
- Uses single `image` instead of `containers` map (single-container
  service)
- Threads DATABASE_URL, S3_BUCKET_NAME and all Clerk/model-provider
  secret values into the Fargate task as env vars matching what the
  backend code reads from process.env
- Wires NEXT_PUBLIC_API_BASE_URL + NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY
  through to the Nextjs build
- Adds bastion: true to the VPC so the Drizzle init migration can be
  run against the proxy from a developer laptop via `sst tunnel`
- Adds a FrontendUrl SST secret to break the api<->web URL cycle for
  CORS (set after first deploy, then redeploy)

HTTPS on the API and a custom domain on the Nextjs site are not wired
yet - flagged inline in the config and tracked as a follow-up.

Also commits the root package-lock.json generated by `npm install` for
the sst CLI.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>