feat(portal): customer-admin surface on real data + Stripe billing + session resilience

Access & navigation
- Gate partner-mode strictly to partner staff so admins/end-users never inherit
  leftover partner-view state; purge stale session entry on hydrate.
- Role-driven admin entry: useMe.isTenantAdmin, Admin/Personal tiles in the app
  launcher, and an /admin route guard in the global middleware (fail closed).
- Drop the duplicate user identity block from the sidebar footer.

Admin pages on real data
- New tenant-scoped, membership-gated endpoints: GET /tenants/:slug/{audit,users,
  invoices}; useTenant composable resolves the active workspace + subscription.
- Dashboard: real seats, spend (cycle-normalized + minor-units), plan, renewal,
  and recent audit; unbacked sections removed.
- Users & groups: real members; Groups/Invitations/Service accounts shown as
  honest "coming soon".
- Subscription & invoices: real plan hero, invoice history, and billing details.

Stripe payment method (Elements + SetupIntent)
- StripeClient: publishable key + getDefaultCard/createSetupIntent/setDefaultCard.
- CustomerBillingController + BillingService methods (ensure-customer on demand).
- Portal: PaymentMethodModal, useStripeJs (CDN load), proxies; hidePostalCode.

Editable billing details & whitelabel branding
- PATCH /tenants/:slug/billing-info (narrow: company/VAT/country/email).
- TenantBranding schema/service + GET/PUT /tenants/:slug/branding: real product
  name, accent colour, and per-tenant email-template overrides.
- Branding preview + sidebar workspace mark wired to real name/plan/seats/colour
  with YIQ auto-contrast (readableOn util).

Session resilience
- Request offline_access so Authentik issues a refresh token (automaticRefresh).
- Silent refresh + single retry on 401 for writes (useApiFetch, incl. partner
  pages) and reads (useMe.fetchMe) — no redirect, no lost input.
- Modal backdrop closes only on press+release on the backdrop (no more
  drag-select-to-close).

services/platform-api/src/integrations/stripe.client.ts

@@ -12,11 +12,15 @@ export class StripeClient {
   private readonly logger = new Logger(StripeClient.name)
   private readonly secretKey?: string
   private readonly webhookSecret?: string
+  // Publishable key is safe to hand to the browser — it's how the portal mounts
+  // Stripe Elements. Exposed via getter so the billing endpoints can return it.
+  readonly publishableKey?: string
   private _stripe?: Stripe
   readonly enabled: boolean
 
   constructor(config: ConfigService) {
     this.secretKey = config.get<string>('STRIPE_SECRET_KEY')
+    this.publishableKey = config.get<string>('STRIPE_PUBLISHABLE_KEY')
     this.webhookSecret = config.get<string>('STRIPE_WEBHOOK_SECRET')
     this.enabled = config.get<string>('BILLING_STRIPE_ENABLED') === 'true' && !!this.secretKey
     if (!this.enabled) {
@@ -138,6 +142,59 @@ export class StripeClient {
     return res.data
   }
 
+  // ── Payment methods (customer-admin "card on file" flow) ──────────────────
+
+  // The customer's default card, if any. Prefers the invoice-settings default;
+  // falls back to the first attached card. Returns null when none is on file.
+  async getDefaultCard(customerId: string): Promise<{
+    brand: string
+    last4: string
+    expMonth: number
+    expYear: number
+  } | null> {
+    const customer = await this.stripe.customers.retrieve(customerId, {
+      expand: ['invoice_settings.default_payment_method'],
+    })
+    if (customer.deleted) return null
+
+    let pm = customer.invoice_settings?.default_payment_method as Stripe.PaymentMethod | null
+    if (!pm || typeof pm === 'string') {
+      const list = await this.stripe.paymentMethods.list({ customer: customerId, type: 'card', limit: 1 })
+      pm = list.data[0] ?? null
+    }
+    if (!pm?.card) return null
+    return {
+      brand: pm.card.brand,
+      last4: pm.card.last4,
+      expMonth: pm.card.exp_month,
+      expYear: pm.card.exp_year,
+    }
+  }
+
+  // SetupIntent to collect a card off-session for future invoices. The portal
+  // confirms it client-side with Stripe Elements using the returned secret.
+  async createSetupIntent(customerId: string): Promise<string> {
+    const si = await this.stripe.setupIntents.create({
+      customer: customerId,
+      payment_method_types: ['card'],
+      usage: 'off_session',
+    })
+    if (!si.client_secret) throw new Error('SetupIntent has no client_secret')
+    return si.client_secret
+  }
+
+  // After a SetupIntent succeeds, make the new card the customer's default for
+  // invoices (and for the active subscription, if any). The PM is already
+  // attached to the customer by the SetupIntent.
+  async setDefaultCard(customerId: string, paymentMethodId: string, subscriptionId?: string): Promise<void> {
+    await this.stripe.customers.update(customerId, {
+      invoice_settings: { default_payment_method: paymentMethodId },
+    })
+    if (subscriptionId) {
+      await this.stripe.subscriptions.update(subscriptionId, { default_payment_method: paymentMethodId })
+    }
+  }
+
   constructWebhookEvent(rawBody: Buffer | string, signature: string): Stripe.Event {
     if (!this.webhookSecret) throw new Error('Stripe webhook secret not configured')
     return this.stripe.webhooks.constructEvent(rawBody, signature, this.webhookSecret)