fix: Route all banner API calls through Next.js proxy (SSL cert fix)

Browser blocks direct calls to backend-compliance:8093 due to
self-signed SSL certificate. All banner API calls now go through
Next.js API proxy at /api/sdk/v1/banner/* which runs server-side.

- New catch-all proxy: /api/sdk/v1/banner/[[...path]]/route.ts
  Maps to backend-compliance:8002/api/compliance/banner/*
- Preview page: uses /api/sdk/v1/banner/ instead of https://macmini:8093
- CMP Dashboard: uses proxy for banner stats + compliance proxy for DSR/einwilligungen
- Fixes: banner not closeable due to API errors, consent not saving

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

admin-compliance/app/sdk/cmp/page.tsx

@@ -11,11 +11,10 @@ import Link from 'next/link'
  * but with EWR-Only as unique differentiator.
  */
 
-const API_BASE = typeof window !== 'undefined'
-  ? (process.env.NEXT_PUBLIC_SDK_URL || `${window.location.protocol}//${window.location.hostname}:8093`)
-  : ''
+// Use Next.js API proxy to avoid SSL cert issues
+const BANNER_API = '/api/sdk/v1/banner'
 const TENANT_ID = '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
-const HEADERS = { 'X-Tenant-ID': TENANT_ID }
+const HEADERS = { 'x-tenant-id': TENANT_ID }
 
 interface BannerStats { total_consents: number; category_acceptance: Record<string, { count: number; rate: number }> }
 interface ConsentStats { total_consents: number; active_consents: number; revoked_consents: number; unique_users: number; conversion_rate: number }
@@ -59,12 +58,13 @@ export default function CMPDashboardPage() {
 
   useEffect(() => {
     async function load() {
-      const f = (url: string) => fetch(`${API_BASE}${url}`, { headers: HEADERS }).then(r => r.ok ? r.json() : null).catch(() => null)
+      const fb = (path: string) => fetch(`${BANNER_API}/${path}`, { headers: HEADERS }).then(r => r.ok ? r.json() : null).catch(() => null)
+      const fa = (path: string) => fetch(`/api/sdk/v1/compliance/${path}`, { headers: HEADERS }).then(r => r.ok ? r.json() : null).catch(() => null)
       const [banner, consent, dsr, siteList] = await Promise.all([
-        f('/banner/admin/stats/preview-test-site'),
-        f('/einwilligungen/consents/stats'),
-        f('/dsr/stats'),
-        f('/banner/admin/sites'),
+        fb('admin/stats/preview-test-site'),
+        fa('einwilligungen/consents/stats'),
+        fa('dsr/stats'),
+        fb('admin/sites'),
       ])
       setBannerStats(banner)
       setConsentStats(consent)

admin-compliance/app/sdk/cookie-banner/preview/page.tsx

@@ -17,9 +17,8 @@ import {
  * This page runs OUTSIDE the SDK layout to simulate a real website experience.
  */
 
-const API_BASE = typeof window !== 'undefined'
-  ? (process.env.NEXT_PUBLIC_SDK_URL || `${window.location.protocol}//${window.location.hostname}:8093`)
-  : ''
+// Use Next.js API proxy to avoid SSL cert issues with direct backend calls
+const API_BASE = '/api/sdk/v1/banner'
 const SITE_ID = 'preview-test-site'
 const TENANT_ID = '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
 
@@ -63,7 +62,7 @@ export default function CookieBannerPreviewPage() {
       try {
         const res = await fetch(
           `${API_BASE}/banner/consent?site_id=${SITE_ID}&device_fingerprint=${fingerprint}`,
-          { headers: { 'X-Tenant-ID': TENANT_ID } },
+          { headers: { 'x-tenant-id': TENANT_ID } },
         )
         if (res.ok) {
           const data = await res.json()
@@ -91,7 +90,7 @@ export default function CookieBannerPreviewPage() {
     try {
       const res = await fetch(`${API_BASE}/banner/consent`, {
         method: 'POST',
-        headers: { 'Content-Type': 'application/json', 'X-Tenant-ID': TENANT_ID },
+        headers: { 'Content-Type': 'application/json', 'x-tenant-id': TENANT_ID },
         body: JSON.stringify({
           site_id: SITE_ID,
           device_fingerprint: fingerprint,