feat(ocis): persistent sessions + flat primary surfaces

- Request offline_access for the ocis-web client (WEB_OIDC_SCOPE) so the web
  SPA gets a refresh token and renews silently instead of dropping the session
  (no surprise logouts; the "no permission to upload" symptom was the
  expired-token state). The ocis-provider already has the offline_access scope
  mapping; its access-token validity is bumped 5m → 1h (refresh 30d).
- Flatten the remaining brand gradients in index.html: the active sidebar
  highlight (.oc-background-primary-gradient) and primary buttons
  (.oc-button-primary-filled) are now solid carbon (text stays light/readable).
- Document the offline_access + token-validity provider settings in
  AUTHENTIK-SETUP.md (the provider lives in Authentik's DB, not git).

infrastructure/docker-compose/docker-compose.yml

@@ -326,6 +326,11 @@ services:
       PROXY_TLS: "false"  # Traefik terminates TLS; OCIS speaks plain HTTP internally
       OCIS_OIDC_ISSUER: https://auth.dezky.local/application/o/ocis/
       WEB_OIDC_CLIENT_ID: ocis-web
+      # Request offline_access so the web client gets a refresh token and renews
+      # silently instead of dropping the session (no surprise logouts). The
+      # ocis-provider already has the offline_access scope mapping + a 30-day
+      # refresh validity; default scope is "openid profile email".
+      WEB_OIDC_SCOPE: openid profile email offline_access
       PROXY_AUTOPROVISION_ACCOUNTS: "true"
       PROXY_USER_OIDC_CLAIM: preferred_username
       PROXY_USER_CS3_CLAIM: username