feat: portal redesign, pricing catalog, partner-staff invites

- portal: new admin/ and partner/ surfaces with full component library
  (AppLauncher, Avatar, Badge, Card, Modal, Tabs, etc.), composables,
  layouts, partner-routing middleware, and supporting server APIs
- pricing: Price schema/module with operator CRUD, pricing.vue catalog UI,
  Subscription extended with cycle/currency/perSeatAmount/seats snapshots
  for stable MRR aggregation
- partner staff: User.partnerId, invite-partner-user DTO and flow,
  /partners/:slug/users endpoints, InvitePartnerUserModal, shared
  dezky-partner-staff Authentik group
- /me: partner-aware endpoint returning user + partner context so portal
  can route between end-user and partner-admin surfaces
- tenant: seats field for portfolio displays and future MRR calculations
- operator: pricing page, signed-out page, useMe/useToast composables,
  ToastStack

apps/operator/server/api/auth/sign-out.get.ts

@@ -0,0 +1,35 @@
+// Sign-out for the operator portal. Same shape as the customer portal's
+// sign-out (apps/portal/server/api/auth/sign-out.get.ts) — ends BOTH the
+// local nuxt-oidc-auth session AND the Authentik IdP session so the next
+// person at the same browser must re-enter credentials. Required for
+// shared-workstation safety; operator portal carries elevated privileges.
+//
+// Flow:
+//   1. Read the id_token off the local session (needed as id_token_hint).
+//   2. Clear the local session (cookie + persistent store).
+//   3. 302 the BROWSER through Authentik's dezky-operator end-session URL
+//      with post_logout_redirect_uri=/signed-out.
+//
+// The brief URL-bar flash to auth.dezky.local is unavoidable: that's the
+// only host that can clear the Authentik session cookie (server-to-server
+// invalidation alone leaves the browser cookie, which would let the next
+// visit silently re-authorize).
+
+import { getUserSession, clearUserSession } from 'nuxt-oidc-auth/runtime/server/utils/session.js'
+
+const END_SESSION = 'https://auth.dezky.local/application/o/dezky-operator/end-session/'
+const POST_LOGOUT_REDIRECT = 'https://operator.dezky.local/signed-out'
+
+export default defineEventHandler(async (event) => {
+  const session = await getUserSession(event).catch(() => ({} as any))
+  const idToken: string | undefined = (session as any).idToken
+
+  await clearUserSession(event).catch(() => {})
+
+  const params = new URLSearchParams({
+    post_logout_redirect_uri: POST_LOGOUT_REDIRECT,
+    ...(idToken && { id_token_hint: idToken }),
+  })
+
+  return sendRedirect(event, `${END_SESSION}?${params.toString()}`, 302)
+})

apps/operator/server/api/me.get.ts

@@ -0,0 +1,26 @@
+// Operator identity proxy. Same shape as the portal's /api/me — pulls
+// /users/me from platform-api with the signed-in operator's access token,
+// plus tenants + subscriptions for context. Consumed by the useMe()
+// composable; no UI surface uses it yet, but the path is here so any
+// future middleware / layout that needs profile data has a known endpoint.
+
+import { getUserSession } from 'nuxt-oidc-auth/runtime/server/utils/session.js'
+
+export default defineEventHandler(async (event) => {
+  const session = await getUserSession(event).catch(() => null)
+  const accessToken = (session as { accessToken?: string } | null)?.accessToken
+  if (!accessToken) {
+    throw createError({ statusCode: 401, statusMessage: 'Not signed in or no access token' })
+  }
+
+  const base = process.env.PLATFORM_API_INTERNAL_URL ?? 'http://platform-api:3001'
+  const headers = { Authorization: `Bearer ${accessToken}` }
+
+  const [profile, tenants, subscriptions] = await Promise.all([
+    $fetch(`${base}/users/me`, { headers }),
+    $fetch(`${base}/tenants`, { headers }),
+    $fetch(`${base}/subscriptions`, { headers }),
+  ])
+
+  return { profile, tenants, subscriptions }
+})

apps/operator/server/api/partners/[slug]/users.get.ts

@@ -0,0 +1,6 @@
+import { platformApi } from '~~/server/utils/platform-api'
+
+export default defineEventHandler(async (event) => {
+  const slug = getRouterParam(event, 'slug')
+  return platformApi(event, `/partners/${slug}/users`)
+})

apps/operator/server/api/partners/[slug]/users.post.ts

@@ -0,0 +1,7 @@
+import { platformApi } from '~~/server/utils/platform-api'
+
+export default defineEventHandler(async (event) => {
+  const slug = getRouterParam(event, 'slug')
+  const body = await readBody(event)
+  return platformApi(event, `/partners/${slug}/users`, { method: 'POST', body })
+})

apps/operator/server/api/prices/[id].delete.ts

@@ -0,0 +1,6 @@
+import { platformApi } from '~~/server/utils/platform-api'
+
+export default defineEventHandler(async (event) => {
+  const id = getRouterParam(event, 'id')
+  return platformApi(event, `/prices/${id}`, { method: 'DELETE' })
+})

apps/operator/server/api/prices/[id].patch.ts

@@ -0,0 +1,7 @@
+import { platformApi } from '~~/server/utils/platform-api'
+
+export default defineEventHandler(async (event) => {
+  const id = getRouterParam(event, 'id')
+  const body = await readBody(event)
+  return platformApi(event, `/prices/${id}`, { method: 'PATCH', body })
+})

apps/operator/server/api/prices/index.get.ts

@@ -0,0 +1,7 @@
+import { platformApi } from '~~/server/utils/platform-api'
+
+export default defineEventHandler(async (event) => {
+  const q = getQuery(event)
+  const includeInactive = q.includeInactive === 'true'
+  return platformApi(event, `/prices${includeInactive ? '?includeInactive=true' : ''}`)
+})

apps/operator/server/api/prices/index.post.ts

@@ -0,0 +1,6 @@
+import { platformApi } from '~~/server/utils/platform-api'
+
+export default defineEventHandler(async (event) => {
+  const body = await readBody(event)
+  return platformApi(event, '/prices', { method: 'POST', body })
+})