Add tenant-aware image policy and migration framework

[RavenLLevitt]

Summary

• add a formal tenant-aware image policy document for image ingestion, storage key layout, variant generation, format strategy (AVIF/WebP/JPEG), cache/security controls, and rollout requirements
• add a dedicated migration runbook for moving legacy image URLs to v2 tenant-scoped assets with dual-read/cutover/rollback guidance
• add backend/services/imagePolicyService.js as enforceable policy code for deterministic key generation and role/entity validation
• add unit tests for the new image policy service
• lock migration decisions: bucket-owned assets only, 30-day legacy retention, no GIF support, signed private delivery, and event-image migration staged until Events-Backend alignment
• remove GIF from current imageUploadService MIME allowlist to align immediate validation behavior with policy defaults

Testing

• npm --prefix backend run test:unit

Notes

• this PR intentionally provides policy + migration architecture and a shared policy module; route-level ingestion pipeline conversion (sharp transforms + dual-write schema wiring) is the next implementation step