chore(operator): O.9 verification + roll follow-ups into NEXT-STEPS

- Add _verify-token.get.ts to both operator and portal — decodes the
  access token stored in the nuxt-oidc-auth session and echoes iss/aud/
  sub/groups. Used to confirm operator tokens carry aud=dezky-operator
  and portal tokens carry aud=dezky-portal. Listed in NEXT-STEPS.md as
  throwaway, to be removed when proper verification surfaces exist.
- OPERATOR-PLAN.md O.9 marked done with the actual claims captured + the
  Mongo-side verification of attach + suspend flows.
- NEXT-STEPS.md: replaced the "Operator portal — out-of-band track"
  section with a "shipped + follow-ups" version. The 9-item follow-up
  list (impersonation, audit, flags, incidents, support, partner
  portal, env switcher, on-call, workspace impersonation) is now the
  authoritative roadmap, not buried inside OPERATOR-PLAN.md.

docs/OPERATOR-PLAN.md

@@ -474,17 +474,41 @@ forward as bearer to platform-api.
       overrides in tokens.css.
 - [x] Layout wires ⌘K + ⌘[ globally. Topbar reads env from `useTweaks`.
 
-### O.9 · Verification
+### O.9 · Verification ✓
 
-- [ ] Sign in to `operator.dezky.local` as akadmin via the new OAuth client
-- [ ] Confirm JWT audience is `dezky-operator` (decode in DevTools, post
-      response back)
-- [ ] Create a real Partner via the UI, see it in Mongo
-- [ ] Attach the `acme` tenant to that partner; verify count goes 0 → 1
-- [ ] Suspend a tenant from the Danger tab; confirm `status: 'suspended'`
-      in Mongo
-- [ ] Sign in to `app.dezky.local` simultaneously in another browser
-      profile, confirm the customer portal still works and that customer
-      token's `aud` is `dezky-portal`
-- [ ] Tick all the relevant follow-up tasks in NEXT-STEPS.md as remaining
-      work, file separate issues if anything was deferred
+All smokes ran end-to-end on 2026-05-24 against the live local stack.
+
+- [x] Signed in to `operator.dezky.local` as akadmin via the
+      `dezky-operator` OAuth client.
+- [x] JWT audience confirmed via `GET /api/_verify-token`:
+      ```
+      iss: https://auth.dezky.local/application/o/dezky-operator/
+      aud: dezky-operator
+      sub: bc865e33...
+      groups: [authentik Admins, dezky, dezky-platform-admins]
+      ```
+- [x] Created `verify-msp` Partner via the UI ("New partner" modal) — verified
+      in Mongo: `_id: 6a129d6a44c0f44fddda34bf`, `marginPct: 15`.
+- [x] Attached `acme` tenant via the Attach modal on the partner detail page;
+      Mongo confirmed `tenants.acme.partnerId == partners.verify-msp._id` and
+      the customers count in the UI rose from 0 → 1.
+- [x] Suspended `acme` from the Danger tab — Mongo confirmed
+      `tenants.acme.status == 'suspended'`. Resumed it back to `active`
+      afterwards so the dev tenant stays usable.
+- [x] Signed in to `app.dezky.local` in a parallel tab; `GET /api/_verify-token`
+      there returned `aud: dezky-portal`, `iss: .../dezky-portal/`. Both
+      sessions coexist; each app uses its own per-app issuer + audience.
+      `GET /api/me` on the portal still returns profile + tenants +
+      subscriptions correctly.
+- [x] Follow-up tasks rolled into NEXT-STEPS.md under
+      "Follow-ups before operator hits production".
+
+### Throwaway artifacts left behind for now
+
+These were added during O.9 verification and can be ripped out when the
+relevant production gates land:
+
+- `apps/operator/server/api/_verify-token.get.ts` — JWT claim echo
+- `apps/portal/server/api/_verify-token.get.ts` — JWT claim echo
+- `apps/operator/server/api/operator-smoke-test.post.ts` — O.3-era audience check
+- `apps/portal/server/api/partners/index.post.ts` — O.2-era audience-deny verifier