feat(operator): scaffold apps/operator Nuxt app + multi-issuer JWT (O.3)

New Nuxt 3 app at apps/operator/ — internal admin portal on its own domain
(operator.dezky.local), own OAuth client (dezky-operator), own session
secrets, own cookies. Customer and operator surfaces can't decrypt each
other's session state.

OAuth flow verified end-to-end:
  - GET / → middleware redirect to /auth/login
  - User clicks Sign in → /auth/oidc/login → bounces to Authentik with
    client_id=dezky-operator, scope includes 'groups'
  - Authentik checks dezky-platform-admins group binding (added in O.1),
    silent-reauths via the existing auth.dezky.local session
  - Returns to /auth/oidc/callback with code, exchanges for token,
    creates session cookie on operator.dezky.local
  - Lands on pages/index.vue placeholder dashboard

Smoke test 'Create partner "test-partner"' button on the placeholder home
exercises the full operator-only authorization chain:
  - 1st call: 200, partner created in Mongo
  - 2nd call: 409 'already exists' (idempotency holds, token still valid)
  - Same call from the customer portal: 403 'requires operator-scoped
    token' (audience guard rejects dezky-portal aud)

JwtAuthGuard now multi-issuer in addition to multi-audience. Each
Authentik OAuth provider mints tokens with its own per-app iss URL
(.../application/o/<slug>/), so the guard accepts a comma-separated
AUTHENTIK_ISSUER. The audience-only fix from O.2 wasn't sufficient —
issuer is validated separately by jose.jwtVerify and was still pinned
to dezky-portal alone, yielding 'unexpected iss claim value' rejections.

Compose changes: new 'operator' service (Node 20 alpine, pnpm install +
nuxt dev, mkcert CA mount, traefik labels for operator.dezky.local +
TLS); new operator_node_modules volume; operator.dezky.local added to
traefik's Docker network aliases. Distinct OPERATOR_NUXT_OIDC_* session
secrets pulled from .env (gitignored, generated via openssl).

Real operator screens (sidebar, topbar, tenants, partners, etc.) come
in O.4. This commit is pure scaffolding + the security boundary proof.

apps/operator/nuxt.config.ts

@@ -0,0 +1,76 @@
+// Nuxt 3 configuration for the Dezky operator portal.
+// Separate app from apps/portal — different OAuth client, different cookies,
+// different domain, stricter authorization. See docs/OPERATOR-PLAN.md.
+
+export default defineNuxtConfig({
+  compatibilityDate: '2026-01-01',
+  devtools: { enabled: true },
+
+  modules: ['nuxt-oidc-auth'],
+
+  css: ['~/assets/styles/tokens.css', '~/assets/styles/base.css'],
+
+  app: {
+    head: {
+      htmlAttrs: { 'data-theme': 'dark' },
+      link: [
+        { rel: 'preconnect', href: 'https://fonts.googleapis.com' },
+        { rel: 'preconnect', href: 'https://fonts.gstatic.com', crossorigin: '' },
+        {
+          rel: 'stylesheet',
+          href: 'https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&family=Inter+Tight:wght@400;500;600;700&family=JetBrains+Mono:wght@400;500;600;700&display=swap',
+        },
+      ],
+    },
+  },
+
+  oidc: {
+    defaultProvider: 'oidc',
+    session: {
+      expirationCheck: true,
+      automaticRefresh: true,
+    },
+    middleware: {
+      globalMiddlewareEnabled: true,
+      customLoginPage: true,
+    },
+    providers: {
+      // Generic OIDC against the dezky-operator Authentik client. Same shape
+      // as the customer portal's config but pointed at a different provider
+      // and a different audience.
+      oidc: {
+        clientId: process.env.NUXT_OIDC_CLIENT_ID || '',
+        clientSecret: process.env.NUXT_OIDC_CLIENT_SECRET || '',
+        redirectUri: process.env.NUXT_OIDC_REDIRECT_URI || '',
+        authorizationUrl: 'https://auth.dezky.local/application/o/authorize/',
+        tokenUrl: 'https://auth.dezky.local/application/o/token/',
+        userInfoUrl: 'https://auth.dezky.local/application/o/userinfo/',
+        logoutUrl: 'https://auth.dezky.local/application/o/dezky-operator/end-session/',
+        openIdConfiguration:
+          'https://auth.dezky.local/application/o/dezky-operator/.well-known/openid-configuration',
+        scope: ['openid', 'profile', 'email', 'groups'],
+        userNameClaim: 'preferred_username',
+        responseType: 'code',
+        grantType: 'authorization_code',
+        pkce: true,
+        skipAccessTokenParsing: true,
+        exposeAccessToken: true,
+      },
+    },
+  },
+
+  vite: {
+    server: {
+      hmr: {
+        protocol: 'wss',
+        clientPort: 443,
+      },
+    },
+  },
+
+  nitro: {
+    routeRules: {
+      '/api/**': { cors: true },
+    },
+  },
+})