feat(auth): enforce operator/partner platform isolation

A partner or tenant admin could complete the dezky-operator OIDC flow and
land on the operator portal. The platform-api OperatorGuard already 403s
their data, but the login/UI layer had no authorization check at all — the
only gate was a manual Authentik UI setting with nothing in git enforcing it.

Close it with defense-in-depth across three independent layers:

1. IdP — operator-application.yaml blueprint binds an
   ak_is_group_member("dezky-platform-admins") policy to the dezky-operator
   app, so Authentik denies the OIDC flow for non-admins. The blueprint also
   provisions the provider + application (state: created, so a fresh env is
   built from code while an existing hand-made provider is left untouched).
   Wire OPERATOR_OIDC_* into both authentik containers and mount the
   blueprints dir on the worker (it applies blueprints, and previously lacked
   the mount).

2. Operator app — require-platform-admin.global.ts requires platformAdmin and
   routes a non-admin to not-authorized.vue, which triggers a full sign-out
   (local + Authentik IdP) for shared-workstation safety. Fails open on a
   transient /api/me error by design, to avoid mass-signout on platform-api
   restarts; layers 1 and 3 contain the exposure.

3. platform-api — OperatorGuard (unchanged) requires dezky-operator audience
   plus platformAdmin resolved from the DB on every request.

Also harden the partner surface: it shares the dezky-portal client with tenant
users so it has no IdP gate, and its /partner/* route middleware now fails
CLOSED when identity can't be confirmed.

Docs (AUTHENTIK-SETUP.md) and .env.example updated; the operator client secret
must be set before first boot since the blueprint now consumes it.

infrastructure/docker-compose/docker-compose.yml

@@ -206,6 +206,12 @@ services:
       AUTHENTIK_BOOTSTRAP_EMAIL: admin@dezky.local
       AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD}
       AUTHENTIK_BOOTSTRAP_TOKEN: ${AUTHENTIK_BOOTSTRAP_TOKEN}
+      # Consumed by the operator-application blueprint's !Env references when
+      # it create-provisions the dezky-operator OAuth provider on a fresh
+      # environment. On an existing environment the provider already exists and
+      # the blueprint's state:created leaves it untouched, so these are unused.
+      OPERATOR_OIDC_CLIENT_ID: ${OPERATOR_OIDC_CLIENT_ID}
+      OPERATOR_OIDC_CLIENT_SECRET: ${OPERATOR_OIDC_CLIENT_SECRET}
     volumes:
       - authentik_media:/media
       - authentik_certs:/certs
@@ -249,10 +255,16 @@ services:
       AUTHENTIK_POSTGRESQL__NAME: authentik
       AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
       AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
+      # The worker is what discovers and applies blueprints, so it needs both
+      # the blueprints mount (below) and the !Env values the operator-application
+      # blueprint references when provisioning the provider on a fresh env.
+      OPERATOR_OIDC_CLIENT_ID: ${OPERATOR_OIDC_CLIENT_ID}
+      OPERATOR_OIDC_CLIENT_SECRET: ${OPERATOR_OIDC_CLIENT_SECRET}
     volumes:
       - authentik_media:/media
       - authentik_certs:/certs
       - authentik_templates:/templates
+      - ./configs/authentik/blueprints:/blueprints/custom:ro
     networks: [dezky]
     depends_on:
       postgres: