feat: portal redesign, pricing catalog, partner-staff invites

- portal: new admin/ and partner/ surfaces with full component library
  (AppLauncher, Avatar, Badge, Card, Modal, Tabs, etc.), composables,
  layouts, partner-routing middleware, and supporting server APIs
- pricing: Price schema/module with operator CRUD, pricing.vue catalog UI,
  Subscription extended with cycle/currency/perSeatAmount/seats snapshots
  for stable MRR aggregation
- partner staff: User.partnerId, invite-partner-user DTO and flow,
  /partners/:slug/users endpoints, InvitePartnerUserModal, shared
  dezky-partner-staff Authentik group
- /me: partner-aware endpoint returning user + partner context so portal
  can route between end-user and partner-admin surfaces
- tenant: seats field for portfolio displays and future MRR calculations
- operator: pricing page, signed-out page, useMe/useToast composables,
  ToastStack

apps/portal/nuxt.config.ts

@@ -9,6 +9,18 @@ export default defineNuxtConfig({
 
   css: ['~/assets/styles/tokens.css', '~/assets/styles/base.css'],
 
+  // Auto-import from the shared packages/ui workspace in addition to the
+  // app's own components/. /shared-packages is bind-mounted in
+  // docker-compose.yml — outside containers the same files live at
+  // <repo>/packages/ui/components/. The local dir keeps the default
+  // directory-based prefix (so components/partner/InviteTeammateModal.vue
+  // stays <PartnerInviteTeammateModal>); the shared dir uses no prefix so
+  // CountrySelect.vue is just <CountrySelect>.
+  components: [
+    '~/components',
+    { path: '/shared-packages/ui/components', pathPrefix: false },
+  ],
+
   app: {
     head: {
       link: [
@@ -39,19 +51,35 @@ export default defineNuxtConfig({
     },
     middleware: {
       globalMiddlewareEnabled: true,
-      customLoginPage: true,
+      // Unauthenticated users land directly on the Authentik login flow.
+      // Authentik is Dezky-branded and serves as the single sign-on entry
+      // point for every Dezky app (portal, OCIS files, mail, chat). Direct
+      // navigation to auth.dezky.local or the post-login dashboard
+      // (/if/user/) is short-circuited by a Traefik middleware on the
+      // authentik service that redirects to app.dezky.local — see
+      // infrastructure/docker-compose/docker-compose.yml.
+      customLoginPage: false,
     },
     providers: {
       // Generic OIDC against our Authentik instance (provider preset key MUST be one of
       // apple, auth0, cognito, entra, github, keycloak, logto, microsoft, oidc, paypal, zitadel).
       oidc: {
-        clientId: process.env.NUXT_OIDC_CLIENT_ID || '',
-        clientSecret: process.env.NUXT_OIDC_CLIENT_SECRET || '',
-        redirectUri: process.env.NUXT_OIDC_REDIRECT_URI || '',
+        // The root .env uses PORTAL_OIDC_* (operator uses OPERATOR_OIDC_*) so
+        // both apps can share one .env. docker-compose remaps these to
+        // NUXT_OIDC_* per-container; locally we just read them directly.
+        clientId: process.env.PORTAL_OIDC_CLIENT_ID || process.env.NUXT_OIDC_CLIENT_ID || '',
+        clientSecret: process.env.PORTAL_OIDC_CLIENT_SECRET || process.env.NUXT_OIDC_CLIENT_SECRET || '',
+        redirectUri: process.env.NUXT_OIDC_REDIRECT_URI || 'https://app.dezky.local/auth/oidc/callback',
         authorizationUrl: 'https://auth.dezky.local/application/o/authorize/',
         tokenUrl: 'https://auth.dezky.local/application/o/token/',
         userInfoUrl: 'https://auth.dezky.local/application/o/userinfo/',
-        logoutUrl: 'https://auth.dezky.local/application/o/dezky-portal/end-session/',
+        // Logout is handled by our custom /api/auth/sign-out endpoint, not the
+        // module's RP-initiated chain. Authentik 2025.10 doesn't reliably
+        // honor `post_logout_redirect_uri` from the provider invalidation
+        // flow, so we end the local session ourselves and bounce to a
+        // Dezky-branded /signed-out page that fires Authentik's end-session
+        // in a hidden iframe for a clean IdP logout in the background.
+        logoutUrl: '',
         // Discovery URL — used by id_token validation to fetch JWKS + issuer
         openIdConfiguration:
           'https://auth.dezky.local/application/o/dezky-portal/.well-known/openid-configuration',
@@ -65,6 +93,11 @@ export default defineNuxtConfig({
         // Expose access token in the server-side session so Nitro route handlers can
         // forward it to platform-api. Token never reaches the browser.
         exposeAccessToken: true,
+        // ALSO expose the id_token — needed so the logout handler can populate
+        // `id_token_hint` on the RP-initiated logout URL. Without it Authentik
+        // can't verify the request comes from a known session and falls back
+        // to its "You've logged out" confirmation page.
+        exposeIdToken: true,
       },
     },
   },
@@ -85,5 +118,11 @@ export default defineNuxtConfig({
     routeRules: {
       '/api/**': { cors: true },
     },
+    // Persist nuxt-oidc-auth's session store on disk so HMR / restarts don't
+    // sign out everyone in dev. Memory driver (the default) is fine in prod
+    // when there's one long-running container per instance.
+    storage: {
+      oidc: { driver: 'fs', base: '.nuxt/oidc-store' },
+    },
   },
 })