fix(auth): silent session renewal + 401 auto-recovery

Idle sessions died and left a broken page: when the access token expired,
nuxt-oidc-auth's automatic refresh had no refresh token to use — neither
Authentik provider carried the offline_access scope mapping (and the
operator never requested the scope), so the module cleared the session
and every /api call 401'd until a manual F5 happened to re-auth through
Authentik's still-alive SSO session.

Fix 1: offline_access end to end — scope mapping attached to both live
providers (and blueprints, prod + dev), operator now requests the scope.
Sessions renew server-side for up to 30 days of activity (Redis store +
pinned token key from earlier make the refresh tokens durable).

Fix 2: client plugin in both apps — a 401 from /api sends the browser
through /auth/oidc/login instead of leaving dead buttons; invisible when
Authentik's session is alive, a clean sign-in screen when it isn't.
Loop-guarded. Full sign-out behavior unchanged.

apps/operator/nuxt.config.ts

@@ -76,7 +76,9 @@ export default defineNuxtConfig({
         logoutUrl: `${AUTH_URL}/application/o/${OPERATOR_OIDC_APP_SLUG}/end-session/`,
         openIdConfiguration:
           `${AUTH_URL}/application/o/${OPERATOR_OIDC_APP_SLUG}/.well-known/openid-configuration`,
-        scope: ['openid', 'profile', 'email', 'groups'],
+        // offline_access: refresh tokens for silent session renewal — without
+        // it, an expired access token kills the session (dead UI until F5).
+        scope: ['openid', 'profile', 'email', 'groups', 'offline_access'],
         userNameClaim: 'preferred_username',
         responseType: 'code',
         grantType: 'authorization_code',