feat(operator): scaffold apps/operator Nuxt app + multi-issuer JWT (O.3)

New Nuxt 3 app at apps/operator/ — internal admin portal on its own domain
(operator.dezky.local), own OAuth client (dezky-operator), own session
secrets, own cookies. Customer and operator surfaces can't decrypt each
other's session state.

OAuth flow verified end-to-end:
  - GET / → middleware redirect to /auth/login
  - User clicks Sign in → /auth/oidc/login → bounces to Authentik with
    client_id=dezky-operator, scope includes 'groups'
  - Authentik checks dezky-platform-admins group binding (added in O.1),
    silent-reauths via the existing auth.dezky.local session
  - Returns to /auth/oidc/callback with code, exchanges for token,
    creates session cookie on operator.dezky.local
  - Lands on pages/index.vue placeholder dashboard

Smoke test 'Create partner "test-partner"' button on the placeholder home
exercises the full operator-only authorization chain:
  - 1st call: 200, partner created in Mongo
  - 2nd call: 409 'already exists' (idempotency holds, token still valid)
  - Same call from the customer portal: 403 'requires operator-scoped
    token' (audience guard rejects dezky-portal aud)

JwtAuthGuard now multi-issuer in addition to multi-audience. Each
Authentik OAuth provider mints tokens with its own per-app iss URL
(.../application/o/<slug>/), so the guard accepts a comma-separated
AUTHENTIK_ISSUER. The audience-only fix from O.2 wasn't sufficient —
issuer is validated separately by jose.jwtVerify and was still pinned
to dezky-portal alone, yielding 'unexpected iss claim value' rejections.

Compose changes: new 'operator' service (Node 20 alpine, pnpm install +
nuxt dev, mkcert CA mount, traefik labels for operator.dezky.local +
TLS); new operator_node_modules volume; operator.dezky.local added to
traefik's Docker network aliases. Distinct OPERATOR_NUXT_OIDC_* session
secrets pulled from .env (gitignored, generated via openssl).

Real operator screens (sidebar, topbar, tenants, partners, etc.) come
in O.4. This commit is pure scaffolding + the security boundary proof.

infrastructure/docker-compose/docker-compose.yml

@@ -30,6 +30,7 @@ volumes:
   ocis_data:
   portal_node_modules:
   platform_api_node_modules:
+  operator_node_modules:
 
 services:
   # ─────────────────────────────────────────────────────────────────
@@ -54,6 +55,7 @@ services:
           - traefik.dezky.local
           - auth.dezky.local
           - app.dezky.local
+          - operator.dezky.local
           - api.dezky.local
           - files.dezky.local
           - mail.dezky.local
@@ -389,6 +391,47 @@ services:
       - traefik.http.routers.portal.tls=true
       - traefik.http.services.portal.loadbalancer.server.port=3000
 
+  # ─────────────────────────────────────────────────────────────────
+  # Operator portal — internal admin app at operator.dezky.local.
+  # Separate from the customer portal: own OAuth client (dezky-operator),
+  # own session secrets, own cookie domain. Audience-gated mutations on
+  # platform-api require the token this app mints.
+  # ─────────────────────────────────────────────────────────────────
+  operator:
+    image: node:20-alpine
+    container_name: dezky-operator
+    restart: unless-stopped
+    working_dir: /app
+    command: sh -c "corepack enable && corepack prepare pnpm@latest --activate && pnpm install && pnpm dev"
+    environment:
+      NODE_ENV: development
+      NUXT_HOST: 0.0.0.0
+      NUXT_PORT: 3000
+      NUXT_PUBLIC_AUTH_URL: https://auth.dezky.local
+      # OIDC — dezky-operator OAuth client (separate from dezky-portal)
+      NUXT_OIDC_CLIENT_ID: ${OPERATOR_OIDC_CLIENT_ID}
+      NUXT_OIDC_CLIENT_SECRET: ${OPERATOR_OIDC_CLIENT_SECRET}
+      NUXT_OIDC_ISSUER: ${OPERATOR_OIDC_ISSUER}
+      NUXT_OIDC_REDIRECT_URI: https://operator.dezky.local/auth/oidc/callback
+      # Session encryption — distinct from portal so the two surfaces can't
+      # decrypt each other's session cookies
+      NUXT_OIDC_TOKEN_KEY: ${OPERATOR_NUXT_OIDC_TOKEN_KEY}
+      NUXT_OIDC_SESSION_SECRET: ${OPERATOR_NUXT_OIDC_SESSION_SECRET}
+      NUXT_OIDC_AUTH_SESSION_SECRET: ${OPERATOR_NUXT_OIDC_AUTH_SESSION_SECRET}
+      # Reach platform-api internally for the server-side token-forwarding proxy
+      PLATFORM_API_INTERNAL_URL: http://platform-api:3001
+      NODE_EXTRA_CA_CERTS: /etc/ssl/mkcert-root.pem
+    volumes:
+      - ../../apps/operator:/app
+      - operator_node_modules:/app/node_modules
+      - ./certs/mkcert-root.pem:/etc/ssl/mkcert-root.pem:ro
+    networks: [dezky]
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.operator.rule=Host(`operator.dezky.local`)
+      - traefik.http.routers.operator.tls=true
+      - traefik.http.services.operator.loadbalancer.server.port=3000
+
   # ─────────────────────────────────────────────────────────────────
   # platform-api — NestJS service. Owns tenants, partners, users,
   # subscriptions, and provisioning orchestration.
@@ -409,8 +452,10 @@ services:
       STALWART_ADMIN_USER: admin
       STALWART_ADMIN_PASSWORD: ${STALWART_ADMIN_PASSWORD}
       OCIS_API_URL: https://files.dezky.local
-      # JWT validation against Authentik for portal-issued access tokens
-      AUTHENTIK_ISSUER: https://auth.dezky.local/application/o/dezky-portal/
+      # JWT validation against Authentik for portal-issued access tokens.
+      # Issuers are comma-separated — each Authentik OAuth provider issues tokens
+      # with its own per-app issuer URL, so we accept both portal and operator.
+      AUTHENTIK_ISSUER: https://auth.dezky.local/application/o/dezky-portal/,https://auth.dezky.local/application/o/dezky-operator/
       # Comma-separated list of accepted JWT audiences. Tokens issued for either
       # the customer portal or the operator portal are valid against this service;
       # per-endpoint guards further restrict operator-only mutations.