Add GCP Cloud Run setup for Ornn install

From the PR description

Summary

• add Cloud Run Dockerfiles and GCP setup/deploy scripts for separate frontend and backend services
• add Ornn-controlled access policy for @ornn.com users plus explicit ALLOWED_EMAILS invites
• document the GCP project/deploy flow in README, AGENTS.md, and docs/gcp-cloud-run.md

GCP state

• created project ornn-mike-20260509 under the ornn.com organization
• linked billing account 010DDD-320728-E0E0B2
• enabled Cloud Run, Cloud Build, Artifact Registry, Secret Manager, and IAM APIs
• created Artifact Registry repo us-central1-docker.pkg.dev/ornn-mike-20260509/mike
• created runtime service account mike-runner@ornn-mike-20260509.iam.gserviceaccount.com with Secret Manager read access

Verification

• bash -n scripts/gcp/setup-project.sh scripts/gcp/deploy-cloud-run.sh
• npm run build --prefix backend
• NEXT_PUBLIC_SUPABASE_URL=https://example.supabase.co NEXT_PUBLIC_SUPABASE_PUBLISHABLE_DEFAULT_KEY=placeholder NEXT_PUBLIC_API_BASE_URL=http://localhost:3001 NEXT_PUBLIC_ALLOWED_EMAIL_DOMAINS=ornn.com NEXT_PUBLIC_ALLOWED_EMAILS=advisor@example.com SUPABASE_SECRET_KEY=placeholder npm run build --prefix frontend
• NEXT_PUBLIC_SUPABASE_URL=https://example.supabase.co NEXT_PUBLIC_SUPABASE_PUBLISHABLE_DEFAULT_KEY=placeholder NEXT_PUBLIC_API_BASE_URL=http://localhost:3001 NEXT_PUBLIC_ALLOWED_EMAIL_DOMAINS=ornn.com NEXT_PUBLIC_ALLOWED_EMAILS=advisor@example.com SUPABASE_SECRET_KEY=placeholder npx eslint src/app/login/page.tsx src/app/signup/page.tsx src/contexts/AuthContext.tsx src/lib/accessPolicy.ts

Full npm run lint --prefix frontend still fails on unrelated existing lint errors outside this change.

Deployment note

Actual Cloud Run deployment still needs the real Supabase URL/keys, R2 credentials, and any model/email provider keys exported before running scripts/gcp/deploy-cloud-run.sh.