feat(auth): enforce operator/partner platform isolation

A partner or tenant admin could complete the dezky-operator OIDC flow and
land on the operator portal. The platform-api OperatorGuard already 403s
their data, but the login/UI layer had no authorization check at all — the
only gate was a manual Authentik UI setting with nothing in git enforcing it.

Close it with defense-in-depth across three independent layers:

1. IdP — operator-application.yaml blueprint binds an
   ak_is_group_member("dezky-platform-admins") policy to the dezky-operator
   app, so Authentik denies the OIDC flow for non-admins. The blueprint also
   provisions the provider + application (state: created, so a fresh env is
   built from code while an existing hand-made provider is left untouched).
   Wire OPERATOR_OIDC_* into both authentik containers and mount the
   blueprints dir on the worker (it applies blueprints, and previously lacked
   the mount).

2. Operator app — require-platform-admin.global.ts requires platformAdmin and
   routes a non-admin to not-authorized.vue, which triggers a full sign-out
   (local + Authentik IdP) for shared-workstation safety. Fails open on a
   transient /api/me error by design, to avoid mass-signout on platform-api
   restarts; layers 1 and 3 contain the exposure.

3. platform-api — OperatorGuard (unchanged) requires dezky-operator audience
   plus platformAdmin resolved from the DB on every request.

Also harden the partner surface: it shares the dezky-portal client with tenant
users so it has no IdP gate, and its /partner/* route middleware now fails
CLOSED when identity can't be confirmed.

Docs (AUTHENTIK-SETUP.md) and .env.example updated; the operator client secret
must be set before first boot since the blueprint now consumes it.

apps/operator/middleware/require-platform-admin.global.ts

@@ -0,0 +1,52 @@
+// Authorization gate for the operator portal.
+//
+// nuxt-oidc-auth's global middleware only proves *authentication* — "does
+// this browser hold a valid dezky-operator session?". It says nothing about
+// whether the person is actually an operator. Without this middleware, anyone
+// who completes the dezky-operator OIDC flow (a partner, a tenant admin, any
+// Authentik user) lands on the full operator shell. The platform-api still
+// 403s their data calls via OperatorGuard, but *being on the operator app at
+// all* is the violation — and it leaves only the Authentik application policy
+// standing between a non-admin and the UI. This is the second, in-app layer.
+//
+// Runs after 00.auth.global (nuxt-oidc-auth), so by the time we get here the
+// session exists. We resolve the operator's own profile and require
+// platformAdmin=true. A signed-in non-admin is fully signed out (local +
+// Authentik IdP) — never silently left with a live operator session on what
+// may be a shared workstation — and shown /not-authorized.
+//
+// /api/me is SSR-safe via useRequestFetch (it forwards the session cookie),
+// so there's no flash of operator chrome before the redirect.
+
+export default defineNuxtRouteMiddleware(async (to) => {
+  // Public surfaces: the login bounce, the sign-out landing, and the
+  // not-authorized page itself must stay reachable without the check.
+  if (
+    to.path.startsWith('/auth/') ||
+    to.path === '/signed-out' ||
+    to.path === '/not-authorized'
+  ) {
+    return
+  }
+
+  const { fetchMe, isPlatformAdmin } = useMe()
+  const me = await fetchMe()
+
+  // fetchMe() collapses every failure to null — both "not signed in" and
+  // "signed in, but /api/me (→ platform-api) errored transiently". We let BOTH
+  // through here. The not-signed-in case is handled by the OIDC middleware's
+  // bounce to login. The API-error case is a DELIBERATE fail-OPEN: failing
+  // closed would bounce every operator to /not-authorized — and thus fully
+  // sign them out — on any platform-api restart, a self-inflicted mass-signout
+  // on routine deploys. The exposure from failing open is contained by the
+  // other two layers: Authentik's application policy stops a non-admin from
+  // ever obtaining a session (layer 1), and OperatorGuard 403s every data call
+  // regardless of what the UI renders (layer 3). See docs/AUTHENTIK-SETUP.md →
+  // "Operator portal isolation". (The partner middleware fails CLOSED instead
+  // because the partner surface has no layer-1 IdP gate.)
+  if (!me) return
+
+  if (!isPlatformAdmin.value) {
+    return navigateTo('/not-authorized')
+  }
+})

apps/operator/pages/not-authorized.vue

@@ -0,0 +1,130 @@
+<script setup lang="ts">
+// Shown when an authenticated-but-non-operator session reaches the operator
+// portal (see middleware/require-platform-admin.global.ts). The account is
+// valid in Authentik but lacks platformAdmin — e.g. a partner or tenant user
+// who completed the dezky-operator OIDC flow.
+//
+// We do NOT leave them parked here with a live session: that's the
+// shared-workstation risk the full-sign-out rule guards against. We trigger the
+// same full sign-out the UserMenu uses — clearing both the local
+// nuxt-oidc-auth session and the Authentik IdP session (so this also ends their
+// SSO session in any other tab — intended for an elevated context).
+//
+// A short delay lets them actually read why before the redirect through
+// Authentik fires; the button is an immediate-out fallback. The timer is
+// cleared on unmount so a manual click can't double-fire it.
+
+definePageMeta({ layout: 'blank', auth: false, oidcAuth: { enabled: false } })
+
+const SIGN_OUT_DELAY_MS = 2200
+
+function signOut() {
+  return navigateTo('/api/auth/sign-out', { external: true })
+}
+
+onMounted(() => {
+  const timer = setTimeout(signOut, SIGN_OUT_DELAY_MS)
+  onBeforeUnmount(() => clearTimeout(timer))
+})
+</script>
+
+<template>
+  <div class="shell">
+    <div class="card">
+      <div class="badge">
+        <UiIcon name="shield" :size="22" />
+      </div>
+      <p class="eyebrow">dezky · ops</p>
+      <h1>Not an operator account</h1>
+      <p class="lead">
+        This account doesn't have operator access. For your security we're
+        signing you out completely — sign in with an operator account to
+        continue.
+      </p>
+      <button class="primary" type="button" @click="signOut">Sign out now</button>
+      <p class="hint">operator.dezky.local</p>
+    </div>
+  </div>
+</template>
+
+<style scoped>
+.shell {
+  min-height: 100vh;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  padding: 32px;
+  background: var(--bg);
+}
+
+.card {
+  background: var(--surface);
+  border: 1px solid var(--border);
+  border-radius: 12px;
+  padding: 36px 36px 32px;
+  width: 100%;
+  max-width: 420px;
+  text-align: center;
+  box-shadow: 0 24px 60px rgba(0, 0, 0, 0.4);
+}
+
+.badge {
+  width: 48px;
+  height: 48px;
+  border-radius: 12px;
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  background: rgba(240, 88, 88, 0.12);
+  color: var(--bad);
+  margin: 0 auto 16px;
+}
+
+.eyebrow {
+  font-family: var(--font-mono);
+  font-size: 11px;
+  letter-spacing: 0.18em;
+  text-transform: uppercase;
+  color: var(--text-mute);
+  margin: 0 0 10px 0;
+}
+
+h1 {
+  font-family: var(--font-display);
+  font-weight: 600;
+  font-size: 24px;
+  letter-spacing: -0.02em;
+  line-height: 1.15;
+  margin: 0;
+}
+
+.lead {
+  font-size: 13px;
+  color: var(--text-dim);
+  line-height: 1.55;
+  margin: 14px 0 26px;
+}
+
+.primary {
+  display: block;
+  width: 100%;
+  height: 42px;
+  background: var(--accent);
+  color: var(--accent-fg);
+  border: none;
+  border-radius: 7px;
+  font-weight: 600;
+  font-size: 13px;
+  font-family: inherit;
+  cursor: pointer;
+}
+.primary:hover { filter: brightness(0.96); }
+
+.hint {
+  font-family: var(--font-mono);
+  font-size: 10px;
+  letter-spacing: 0.06em;
+  color: var(--text-mute);
+  margin: 22px 0 0 0;
+}
+</style>