feat: portal redesign, pricing catalog, partner-staff invites

- portal: new admin/ and partner/ surfaces with full component library
  (AppLauncher, Avatar, Badge, Card, Modal, Tabs, etc.), composables,
  layouts, partner-routing middleware, and supporting server APIs
- pricing: Price schema/module with operator CRUD, pricing.vue catalog UI,
  Subscription extended with cycle/currency/perSeatAmount/seats snapshots
  for stable MRR aggregation
- partner staff: User.partnerId, invite-partner-user DTO and flow,
  /partners/:slug/users endpoints, InvitePartnerUserModal, shared
  dezky-partner-staff Authentik group
- /me: partner-aware endpoint returning user + partner context so portal
  can route between end-user and partner-admin surfaces
- tenant: seats field for portfolio displays and future MRR calculations
- operator: pricing page, signed-out page, useMe/useToast composables,
  ToastStack

apps/portal/server/api/auth/sign-out.get.ts

@@ -0,0 +1,42 @@
+// Sign-out. Ends both the portal session and the Authentik IdP session so
+// "Sign in again" always requires fresh credentials — even for the next
+// person at the same browser.
+//
+// Flow:
+//   1. Read the id_token off the local session (needed as id_token_hint).
+//   2. Clear the local nuxt-oidc-auth session (cookie + persistent store).
+//   3. 302 the BROWSER to Authentik's end-session endpoint with
+//      post_logout_redirect_uri=/signed-out.
+//
+// Why the browser redirect (not server-to-server):
+// Authentik's session cookie lives on auth.dezky.local. Only a response
+// FROM that host can set/clear it — a server-side fetch invalidates the
+// session record but leaves the browser cookie intact, so the next OIDC
+// authorize succeeds silently. A 302 through Authentik fixes that: the
+// browser visits auth.dezky.local, receives Set-Cookie clearing the
+// session, then bounces back to /signed-out (the URL is in the provider's
+// redirect_uris list — see infrastructure setup).
+//
+// The brief URL-bar flash through auth.dezky.local is acceptable: no
+// Authentik UI renders (it's a redirect chain), and the Traefik middleware
+// on the authentik service would catch any stray landing on the dashboard
+// anyway.
+
+import { getUserSession, clearUserSession } from 'nuxt-oidc-auth/runtime/server/utils/session.js'
+
+const END_SESSION = 'https://auth.dezky.local/application/o/dezky-portal/end-session/'
+const POST_LOGOUT_REDIRECT = 'https://app.dezky.local/signed-out'
+
+export default defineEventHandler(async (event) => {
+  const session = await getUserSession(event).catch(() => ({} as any))
+  const idToken: string | undefined = (session as any).idToken
+
+  await clearUserSession(event).catch(() => {})
+
+  const params = new URLSearchParams({
+    post_logout_redirect_uri: POST_LOGOUT_REDIRECT,
+    ...(idToken && { id_token_hint: idToken }),
+  })
+
+  return sendRedirect(event, `${END_SESSION}?${params.toString()}`, 302)
+})

apps/portal/server/api/partner/activity.get.ts

@@ -0,0 +1,28 @@
+// Partner-scoped audit feed for the dashboard's Activity card.
+// Forwards to platform-api /me/partner/activity which OR's
+// partnerSlug + the partner's tenant slugs.
+
+import { getUserSession } from 'nuxt-oidc-auth/runtime/server/utils/session.js'
+
+export default defineEventHandler(async (event) => {
+  const session = await getUserSession(event).catch(() => null)
+  const accessToken = (session as { accessToken?: string } | null)?.accessToken
+  if (!accessToken) {
+    throw createError({ statusCode: 401, statusMessage: 'Not signed in' })
+  }
+
+  const base = process.env.PLATFORM_API_INTERNAL_URL ?? 'http://platform-api:3001'
+  const q = getQuery(event)
+  const params = new URLSearchParams()
+  if (q.limit) params.set('limit', String(q.limit))
+  if (q.before) params.set('before', String(q.before))
+  const qs = params.toString()
+  try {
+    return await $fetch(`${base}/me/partner/activity${qs ? '?' + qs : ''}`, {
+      headers: { Authorization: `Bearer ${accessToken}` },
+    })
+  } catch (err: unknown) {
+    const e = err as { statusCode?: number; data?: unknown }
+    throw createError({ statusCode: e.statusCode ?? 500, data: e.data })
+  }
+})

apps/portal/server/api/partner/mrr.get.ts

@@ -0,0 +1,23 @@
+// Monthly Recurring Revenue for the signed-in partner. Forwards to
+// platform-api /me/partner/mrr which sums active subscriptions
+// across the partner's tenants and normalizes to monthly DKK.
+
+import { getUserSession } from 'nuxt-oidc-auth/runtime/server/utils/session.js'
+
+export default defineEventHandler(async (event) => {
+  const session = await getUserSession(event).catch(() => null)
+  const accessToken = (session as { accessToken?: string } | null)?.accessToken
+  if (!accessToken) {
+    throw createError({ statusCode: 401, statusMessage: 'Not signed in' })
+  }
+
+  const base = process.env.PLATFORM_API_INTERNAL_URL ?? 'http://platform-api:3001'
+  try {
+    return await $fetch(`${base}/me/partner/mrr`, {
+      headers: { Authorization: `Bearer ${accessToken}` },
+    })
+  } catch (err: unknown) {
+    const e = err as { statusCode?: number; data?: unknown }
+    throw createError({ statusCode: e.statusCode ?? 500, data: e.data })
+  }
+})

apps/portal/server/api/partner/tenants.get.ts

@@ -0,0 +1,23 @@
+// Partner customer-list for the customer portal's /partner/customers page.
+// Forwards the user's access token to platform-api /me/partner/tenants.
+// Returns 403 if the caller isn't partner staff.
+
+import { getUserSession } from 'nuxt-oidc-auth/runtime/server/utils/session.js'
+
+export default defineEventHandler(async (event) => {
+  const session = await getUserSession(event).catch(() => null)
+  const accessToken = (session as { accessToken?: string } | null)?.accessToken
+  if (!accessToken) {
+    throw createError({ statusCode: 401, statusMessage: 'Not signed in' })
+  }
+
+  const base = process.env.PLATFORM_API_INTERNAL_URL ?? 'http://platform-api:3001'
+  try {
+    return await $fetch(`${base}/me/partner/tenants`, {
+      headers: { Authorization: `Bearer ${accessToken}` },
+    })
+  } catch (err: unknown) {
+    const e = err as { statusCode?: number; data?: unknown }
+    throw createError({ statusCode: e.statusCode ?? 500, data: e.data })
+  }
+})

apps/portal/server/api/partner/tenants.post.ts

@@ -0,0 +1,27 @@
+// Partner-staff self-serve customer create. Forwards the user's access
+// token to platform-api POST /me/partner/tenants, which scopes the
+// new tenant to the caller's partner regardless of what the body says.
+// Returns the created tenant doc.
+
+import { getUserSession } from 'nuxt-oidc-auth/runtime/server/utils/session.js'
+
+export default defineEventHandler(async (event) => {
+  const session = await getUserSession(event).catch(() => null)
+  const accessToken = (session as { accessToken?: string } | null)?.accessToken
+  if (!accessToken) {
+    throw createError({ statusCode: 401, statusMessage: 'Not signed in' })
+  }
+
+  const body = await readBody(event)
+  const base = process.env.PLATFORM_API_INTERNAL_URL ?? 'http://platform-api:3001'
+  try {
+    return await $fetch(`${base}/me/partner/tenants`, {
+      method: 'POST',
+      headers: { Authorization: `Bearer ${accessToken}` },
+      body,
+    })
+  } catch (err: unknown) {
+    const e = err as { statusCode?: number; data?: unknown }
+    throw createError({ statusCode: e.statusCode ?? 500, data: e.data })
+  }
+})

apps/portal/server/api/partner/users.get.ts

@@ -0,0 +1,25 @@
+// Partner team listing for the customer portal's /partner/team page.
+// Forwards the user's access token to platform-api /me/partner/users —
+// that endpoint resolves the partner from the caller's User.partnerId, so
+// no partner slug needs to leak into the URL. Returns 403 if the caller
+// isn't partner staff.
+
+import { getUserSession } from 'nuxt-oidc-auth/runtime/server/utils/session.js'
+
+export default defineEventHandler(async (event) => {
+  const session = await getUserSession(event).catch(() => null)
+  const accessToken = (session as { accessToken?: string } | null)?.accessToken
+  if (!accessToken) {
+    throw createError({ statusCode: 401, statusMessage: 'Not signed in' })
+  }
+
+  const base = process.env.PLATFORM_API_INTERNAL_URL ?? 'http://platform-api:3001'
+  try {
+    return await $fetch(`${base}/me/partner/users`, {
+      headers: { Authorization: `Bearer ${accessToken}` },
+    })
+  } catch (err: unknown) {
+    const e = err as { statusCode?: number; data?: unknown }
+    throw createError({ statusCode: e.statusCode ?? 500, data: e.data })
+  }
+})

apps/portal/server/api/prices.get.ts

@@ -0,0 +1,24 @@
+// Read-only price catalog for the portal. Partner-staff need to see active
+// prices to render the customer-create wizard's Plan step. The platform-api
+// /prices GET is open to any authenticated JWT (operator-only mutations are
+// guarded separately), so a portal-aud token works fine here.
+
+import { getUserSession } from 'nuxt-oidc-auth/runtime/server/utils/session.js'
+
+export default defineEventHandler(async (event) => {
+  const session = await getUserSession(event).catch(() => null)
+  const accessToken = (session as { accessToken?: string } | null)?.accessToken
+  if (!accessToken) {
+    throw createError({ statusCode: 401, statusMessage: 'Not signed in' })
+  }
+
+  const base = process.env.PLATFORM_API_INTERNAL_URL ?? 'http://platform-api:3001'
+  try {
+    return await $fetch(`${base}/prices`, {
+      headers: { Authorization: `Bearer ${accessToken}` },
+    })
+  } catch (err: unknown) {
+    const e = err as { statusCode?: number; data?: unknown }
+    throw createError({ statusCode: e.statusCode ?? 500, data: e.data })
+  }
+})