feat(ocis): persistent sessions + flat primary surfaces

- Request offline_access for the ocis-web client (WEB_OIDC_SCOPE) so the web
  SPA gets a refresh token and renews silently instead of dropping the session
  (no surprise logouts; the "no permission to upload" symptom was the
  expired-token state). The ocis-provider already has the offline_access scope
  mapping; its access-token validity is bumped 5m → 1h (refresh 30d).
- Flatten the remaining brand gradients in index.html: the active sidebar
  highlight (.oc-background-primary-gradient) and primary buttons
  (.oc-button-primary-filled) are now solid carbon (text stays light/readable).
- Document the offline_access + token-validity provider settings in
  AUTHENTIK-SETUP.md (the provider lives in Authentik's DB, not git).

docs/AUTHENTIK-SETUP.md

@@ -42,9 +42,19 @@ Each Dezky service that uses SSO needs an OIDC provider configured in Authentik.
      https://files.dezky.local/oidc-callback
      ```
    - **Signing Key:** `authentik Self-signed Certificate`
-   - **Scopes:** openid, profile, email
+   - **Scopes:** openid, profile, email, **offline_access**
+   - **Advanced → Token validity:**
+     - Access token: `hours=1` (default `minutes=5` is too short and causes frequent silent refreshes)
+     - Refresh token: `days=30`
 5. Save
 
+> **Why offline_access + token validity:** without `offline_access` the OCIS web
+> client gets no refresh token, so when the short-lived access token expires the
+> session can't renew and the user is logged out (and the upload UI shows "no
+> permission"). With it, the SPA silently refreshes for up to the 30-day refresh
+> window. OCIS must also request the scope — set on the `ocis` service in
+> docker-compose: `WEB_OIDC_SCOPE: openid profile email offline_access`.
+
 ### 3.2 Create OCIS application
 
 1. Go to **Applications** → **Applications**