feat(ocis): persistent sessions + flat primary surfaces

- Request offline_access for the ocis-web client (WEB_OIDC_SCOPE) so the web
  SPA gets a refresh token and renews silently instead of dropping the session
  (no surprise logouts; the "no permission to upload" symptom was the
  expired-token state). The ocis-provider already has the offline_access scope
  mapping; its access-token validity is bumped 5m → 1h (refresh 30d).
- Flatten the remaining brand gradients in index.html: the active sidebar
  highlight (.oc-background-primary-gradient) and primary buttons
  (.oc-button-primary-filled) are now solid carbon (text stays light/readable).
- Document the offline_access + token-validity provider settings in
  AUTHENTIK-SETUP.md (the provider lives in Authentik's DB, not git).

docs/AUTHENTIK-SETUP.md

@@ -42,9 +42,19 @@ Each Dezky service that uses SSO needs an OIDC provider configured in Authentik.
      https://files.dezky.local/oidc-callback
      ```
    - **Signing Key:** `authentik Self-signed Certificate`
-   - **Scopes:** openid, profile, email
+   - **Scopes:** openid, profile, email, **offline_access**
+   - **Advanced → Token validity:**
+     - Access token: `hours=1` (default `minutes=5` is too short and causes frequent silent refreshes)
+     - Refresh token: `days=30`
 5. Save
 
+> **Why offline_access + token validity:** without `offline_access` the OCIS web
+> client gets no refresh token, so when the short-lived access token expires the
+> session can't renew and the user is logged out (and the upload UI shows "no
+> permission"). With it, the SPA silently refreshes for up to the 30-day refresh
+> window. OCIS must also request the scope — set on the `ocis` service in
+> docker-compose: `WEB_OIDC_SCOPE: openid profile email offline_access`.
+
 ### 3.2 Create OCIS application
 
 1. Go to **Applications** → **Applications**

infrastructure/docker-compose/configs/ocis/web-core/index.html

@@ -79,7 +79,7 @@
     <link rel="modulepreload" crossorigin="" href="./js/chunks/NoContentMessage-BpxTDAzR.mjs"/>
     <link rel="modulepreload" crossorigin="" href="./js/chunks/SearchBarFilter-On9swWiz.mjs"/>
     <link rel="stylesheet" crossorigin="" href="./assets/style-D1bLdTZ9.css"/>
-  <style id="dezky-overrides">.versions{display:none!important}</style></head>
+  <style id="dezky-overrides">.versions{display:none!important}.oc-background-primary-gradient,.oc-button-primary-filled{background:var(--oc-color-swatch-primary-gradient)!important}.oc-background-primary-gradient:hover:not([disabled]),.oc-background-primary-gradient:focus:not([disabled]),.oc-button-primary-filled:hover:not([disabled]),.oc-button-primary-filled:focus:not([disabled]){background:var(--oc-color-swatch-primary-gradient-hover)!important}</style></head>
   <body>
     <div id="splash-incompatible" class="splash-banner splash-hide">
       <div class="oc-card oc-border oc-rounded oc-width-large oc-text-center">

infrastructure/docker-compose/docker-compose.yml

@@ -326,6 +326,11 @@ services:
       PROXY_TLS: "false"  # Traefik terminates TLS; OCIS speaks plain HTTP internally
       OCIS_OIDC_ISSUER: https://auth.dezky.local/application/o/ocis/
       WEB_OIDC_CLIENT_ID: ocis-web
+      # Request offline_access so the web client gets a refresh token and renews
+      # silently instead of dropping the session (no surprise logouts). The
+      # ocis-provider already has the offline_access scope mapping + a 30-day
+      # refresh validity; default scope is "openid profile email".
+      WEB_OIDC_SCOPE: openid profile email offline_access
       PROXY_AUTOPROVISION_ACCOUNTS: "true"
       PROXY_USER_OIDC_CLAIM: preferred_username
       PROXY_USER_CS3_CLAIM: username