fix(operator,portal): env-driven sign-out URLs + host labels (no more .local in prod)

Operator sign-out hardcoded the dev Authentik end-session URL, so prod
logout landed on auth.dezky.local. Mirror the portal's env-driven pattern
(NUXT_PUBLIC_AUTH_URL/NUXT_PUBLIC_OPERATOR_URL with .local fallbacks).
Expose authUrl/operatorUrl via public runtimeConfig and use them for the
Authentik admin links and the cosmetic host labels (sidebar, eyebrows,
auth-page hints). Portal: signed-out + webmail copy now derive their hosts
from runtime config (new public.mailUrl, NUXT_PUBLIC_MAIL_URL in prod).

apps/operator/components/OpSidebar.vue

@@ -1,4 +1,5 @@
 <script setup lang="ts">
+const operatorHost = new URL(useRuntimeConfig().public.operatorUrl).host
 import type { IconName } from './UiIcon.vue'
 
 interface NavItem {
@@ -45,7 +46,7 @@ const isSection = (r: NavRow): r is NavSection => 'sec' in r
       <span class="tile"><NodeMark :size="22" fg="#F4F3EE" accent="#D4FF3A" /></span>
       <div v-if="!collapsed" class="brand-meta">
         <div class="brand-name">dezky · ops</div>
-        <div class="brand-host">operator.dezky.local</div>
+        <div class="brand-host">{{ operatorHost }}</div>
       </div>
     </div>
 

apps/operator/nuxt.config.ts

@@ -16,6 +16,15 @@ export default defineNuxtConfig({
 
   modules: ['nuxt-oidc-auth'],
 
+  runtimeConfig: {
+    public: {
+      // Overridable at runtime via NUXT_PUBLIC_AUTH_URL / NUXT_PUBLIC_OPERATOR_URL
+      // (both set in production). Used for Authentik links and host labels.
+      authUrl: AUTH_URL,
+      operatorUrl: OPERATOR_URL,
+    },
+  },
+
   css: ['~/assets/styles/tokens.css', '~/assets/styles/base.css'],
 
   // Auto-import from the shared packages/ui workspace in addition to the

apps/operator/pages/auth/login.vue

@@ -1,4 +1,5 @@
 <script setup lang="ts">
+const operatorHost = new URL(useRuntimeConfig().public.operatorUrl).host
 // O.3 scaffolding login. Real visual treatment lands in O.4 with the full
 // design system port. For now: minimal dark-themed bounce to Authentik.
 
@@ -18,7 +19,7 @@ async function signIn() {
         Authentik-issued tokens · platform-admin group required · MFA when enrolled.
       </p>
       <button class="primary" @click="signIn">Sign in</button>
-      <p class="hint">operator.dezky.local</p>
+      <p class="hint">{{ operatorHost }}</p>
     </div>
   </div>
 </template>

apps/operator/pages/index.vue

@@ -1,4 +1,5 @@
 <script setup lang="ts">
+const operatorHost = new URL(useRuntimeConfig().public.operatorUrl).host
 import type { Tenant } from '~/types/tenant'
 import type { Partner } from '~/types/partner'
 import type { PlatformUser } from '~/types/user'
@@ -65,7 +66,7 @@ function fmtDate(d: string) {
 <template>
   <div>
     <PageHeader
-      eyebrow="Operator · operator.dezky.local"
+      :eyebrow="`Operator · ${operatorHost}`"
       title="Platform overview"
       :subtitle="`${stats.tenants} tenants · ${stats.partners} partners · ${stats.users} platform users`"
     >

apps/operator/pages/not-authorized.vue

@@ -1,4 +1,5 @@
 <script setup lang="ts">
+const operatorHost = new URL(useRuntimeConfig().public.operatorUrl).host
 // Shown when an authenticated-but-non-operator session reaches the operator
 // portal (see middleware/require-platform-admin.global.ts). The account is
 // valid in Authentik but lacks platformAdmin — e.g. a partner or tenant user
@@ -42,7 +43,7 @@ onMounted(() => {
         continue.
       </p>
       <button class="primary" type="button" @click="signOut">Sign out now</button>
-      <p class="hint">operator.dezky.local</p>
+      <p class="hint">{{ operatorHost }}</p>
     </div>
   </div>
 </template>

apps/operator/pages/operator-team.vue

@@ -1,4 +1,5 @@
 <script setup lang="ts">
+const authUrl = useRuntimeConfig().public.authUrl
 import type { PlatformUser } from '~/types/user'
 
 const { data: users, pending, refresh } = await useFetch<PlatformUser[]>('/api/users', {
@@ -41,7 +42,7 @@ async function onInvited() {
           <template #leading><UiIcon name="refresh" :size="13" /></template>
           Refresh
         </UiButton>
-        <a href="https://auth.dezky.local/if/admin/" target="_blank" rel="noopener" class="link">
+        <a :href="`${authUrl}/if/admin/`" target="_blank" rel="noopener" class="link">
           <UiButton variant="secondary">
             <template #leading><UiIcon name="external" :size="13" /></template>
             Manage in Authentik

apps/operator/pages/pricing.vue

@@ -1,4 +1,5 @@
 <script setup lang="ts">
+const operatorHost = new URL(useRuntimeConfig().public.operatorUrl).host
 // Pricing catalog editor. Operator-only. Each (plan, cycle) is a single row
 // with three independent per-currency amounts (DKK / EUR / USD). Operator
 // types clean round numbers in each currency — no FX derivation. Empty cells
@@ -233,7 +234,7 @@ const sortedPrices = computed<PriceRow[]>(() =>
 <template>
   <div>
     <PageHeader
-      eyebrow="Operator · operator.dezky.local"
+      :eyebrow="`Operator · ${operatorHost}`"
       title="Pricing catalog"
       subtitle="One row per plan + cycle, with independent prices per currency. Editing an amount re-prices live customers on that currency at their next billing cycle (no mid-cycle charge) and applies to all new subscriptions."
     >

apps/operator/pages/settings.vue

@@ -45,7 +45,7 @@ const lastSignIn = computed(() => {
   return new Date(iat * 1000)
 })
 
-const AUTHENTIK = 'https://auth.dezky.local'
+const AUTHENTIK = useRuntimeConfig().public.authUrl
 const links = [
   {
     icon: 'key' as const,

apps/operator/pages/signed-out.vue

@@ -1,4 +1,5 @@
 <script setup lang="ts">
+const operatorHost = new URL(useRuntimeConfig().public.operatorUrl).host
 // Sign-out landing for the operator portal. /api/auth/sign-out cleared the
 // local session and bounced through Authentik's end-session endpoint, which
 // ended the IdP session. By the time we render here the user has no
@@ -24,7 +25,7 @@ function signInAgain() {
         ready — Authentik will ask for fresh credentials.
       </p>
       <button class="primary" type="button" @click="signInAgain">Sign in again</button>
-      <p class="hint">operator.dezky.local</p>
+      <p class="hint">{{ operatorHost }}</p>
     </div>
   </div>
 </template>

apps/operator/server/api/auth/sign-out.get.ts

@@ -10,15 +10,20 @@
 //   3. 302 the BROWSER through Authentik's dezky-operator end-session URL
 //      with post_logout_redirect_uri=/signed-out.
 //
-// The brief URL-bar flash to auth.dezky.local is unavoidable: that's the
+// The brief URL-bar flash to the Authentik host is unavoidable: that's the
 // only host that can clear the Authentik session cookie (server-to-server
 // invalidation alone leaves the browser cookie, which would let the next
 // visit silently re-authorize).
 
 import { getUserSession, clearUserSession } from 'nuxt-oidc-auth/runtime/server/utils/session.js'
 
-const END_SESSION = 'https://auth.dezky.local/application/o/dezky-operator/end-session/'
+// Environment-driven so one build serves dev (.local) and prod (.eu) — same
-const POST_LOGOUT_REDIRECT = 'https://operator.dezky.local/signed-out'
+// pattern as the customer portal's sign-out.
+const AUTH_URL = (process.env.NUXT_PUBLIC_AUTH_URL || 'https://auth.dezky.local').replace(/\/$/, '')
+const OPERATOR_URL = (process.env.NUXT_PUBLIC_OPERATOR_URL || 'https://operator.dezky.local').replace(/\/$/, '')
+const OIDC_APP_SLUG = process.env.OPERATOR_OIDC_APP_SLUG || 'dezky-operator'
+const END_SESSION = `${AUTH_URL}/application/o/${OIDC_APP_SLUG}/end-session/`
+const POST_LOGOUT_REDIRECT = `${OPERATOR_URL}/signed-out`
 
 export default defineEventHandler(async (event) => {
   const session = await getUserSession(event).catch(() => ({} as any))

apps/portal/nuxt.config.ts

@@ -49,6 +49,7 @@ export default defineNuxtConfig({
       authUrl: process.env.NUXT_PUBLIC_AUTH_URL,
       portalUrl: process.env.NUXT_PUBLIC_PORTAL_URL,
       bookingUrl: process.env.NUXT_PUBLIC_BOOKING_URL || 'https://booking.dezky.local',
+      mailUrl: process.env.NUXT_PUBLIC_MAIL_URL || 'https://mail.dezky.local',
     },
   },
 

apps/portal/pages/admin/users.vue

@@ -1,4 +1,5 @@
 <script setup lang="ts">
+const mailHost = new URL(useRuntimeConfig().public.mailUrl as string).host
 // Users & groups. The Users tab is real — workspace members come from
 // /api/tenants/:slug/users (platform-api UserDocument). The Groups,
 // Invitations and Service-accounts tabs have no backend yet (no Group /
@@ -902,7 +903,7 @@ async function submitCreateMailbox() {
       <div v-if="resetResult" class="invite-result">
         <div class="ir-check"><UiIcon name="key" :size="20" /></div>
         <div class="ir-title">Password reset</div>
-        <p class="ir-sub">Share this securely. It works for both sign-in and webmail at <Mono>mail.dezky.local</Mono>.</p>
+        <p class="ir-sub">Share this securely. It works for both sign-in and webmail at <Mono>{{ mailHost }}</Mono>.</p>
         <div class="cred">
           <div class="cred-row">
             <span class="cred-k">Email</span><Mono class="cred-v">{{ resetResult.email }}</Mono>
@@ -1011,7 +1012,7 @@ async function submitCreateMailbox() {
       <div v-if="mailboxResult" class="invite-result">
         <div class="ir-check"><UiIcon name="check" :size="22" :stroke-width="2.5" /></div>
         <div class="ir-title">{{ mailboxResult.email }} is ready</div>
-        <p class="ir-sub">Share these securely. They sign in to webmail at <Mono>mail.dezky.local</Mono> with this password — their portal sign-in is unchanged.</p>
+        <p class="ir-sub">Share these securely. They sign in to webmail at <Mono>{{ mailHost }}</Mono> with this password — their portal sign-in is unchanged.</p>
         <div class="cred">
           <div class="cred-row">
             <span class="cred-k">Mailbox</span><Mono class="cred-v">{{ mailboxResult.email }}</Mono>
@@ -1045,7 +1046,7 @@ async function submitCreateMailbox() {
       <div v-else-if="inviteResult" class="invite-result">
         <div class="ir-check"><UiIcon name="check" :size="22" :stroke-width="2.5" /></div>
         <div class="ir-title">{{ inviteResult.email }} is ready</div>
-        <p class="ir-sub">Share these credentials securely. They sign in to the portal and to webmail at <Mono>mail.dezky.local</Mono>.</p>
+        <p class="ir-sub">Share these credentials securely. They sign in to the portal and to webmail at <Mono>{{ mailHost }}</Mono>.</p>
         <div class="cred">
           <div class="cred-row">
             <span class="cred-k">Email</span><Mono class="cred-v">{{ inviteResult.email }}</Mono>

apps/portal/pages/signed-out.vue

@@ -1,4 +1,5 @@
 <script setup lang="ts">
+const portalHost = new URL(useRuntimeConfig().public.portalUrl as string).host
 // Sign-out landing. /api/auth/sign-out cleared the local session and bounced
 // through Authentik's end-session endpoint, which ended the IdP session.
 // At this point the user has no portal session and no Authentik session —
@@ -30,7 +31,7 @@ function signInAgain() {
 
     <AuthFooterLink>
       Closing the tab? Your data stays put on
-      <span class="mono">app.dezky.local</span>.
+      <span class="mono">{{ portalHost }}</span>.
     </AuthFooterLink>
   </AuthShell>
 </template>

infrastructure/production/fleet/apps/portal.yaml

@@ -39,6 +39,8 @@ spec:
               value: https://app.dezky.eu
             - name: NUXT_PUBLIC_BOOKING_URL
               value: https://booking.dezky.eu
+            - name: NUXT_PUBLIC_MAIL_URL
+              value: https://mail.dezky.eu
             # Cluster-internal address of platform-api for the nitro proxy.
             - name: PLATFORM_API_INTERNAL_URL
               value: http://platform-api.dezky-apps.svc.cluster.local:3001