feat: portal redesign, pricing catalog, partner-staff invites

- portal: new admin/ and partner/ surfaces with full component library
  (AppLauncher, Avatar, Badge, Card, Modal, Tabs, etc.), composables,
  layouts, partner-routing middleware, and supporting server APIs
- pricing: Price schema/module with operator CRUD, pricing.vue catalog UI,
  Subscription extended with cycle/currency/perSeatAmount/seats snapshots
  for stable MRR aggregation
- partner staff: User.partnerId, invite-partner-user DTO and flow,
  /partners/:slug/users endpoints, InvitePartnerUserModal, shared
  dezky-partner-staff Authentik group
- /me: partner-aware endpoint returning user + partner context so portal
  can route between end-user and partner-admin surfaces
- tenant: seats field for portfolio displays and future MRR calculations
- operator: pricing page, signed-out page, useMe/useToast composables,
  ToastStack

services/platform-api/src/users/users.controller.ts

@@ -45,9 +45,11 @@ export class UsersController {
 
   // The signed-in user's own profile — bootstraps the user record on first call,
   // and syncs name/email/tenants/platformAdmin from the JWT on every subsequent call.
+  // Adds a `partner` field when User.partnerId is set so the portal can decide
+  // whether to render the partner-admin surface or the end-user surface.
   @Get('me')
   async me(@CurrentUser() jwt: AuthentikJwtPayload) {
-    return this.users.upsertFromAuthentik({
+    return this.users.meWithPartner({
       subject: jwt.sub,
       email: jwt.email ?? jwt.preferred_username ?? jwt.sub,
       name: jwt.name ?? jwt.preferred_username ?? jwt.email ?? jwt.sub,
@@ -56,6 +58,9 @@ export class UsersController {
     })
   }
 
+  // Partner-scoped endpoints live in PartnerMeController under /me/partner.
+  // Identity endpoints (above) stay here.
+
   @Post()
   async create(@Body() dto: CreateUserDto, @CurrentUser() jwt: AuthentikJwtPayload) {
     const actor = await this.actor.resolve(jwt)