chore: initial scaffold with running local stack and portal auth

Brings up Dezky's local development environment end-to-end:

Infrastructure (docker-compose):
- Traefik v3.7 reverse proxy with mkcert TLS (v3.2 couldn't speak Docker API 1.54)
- Postgres + Mongo + Redis with healthchecks and init script for per-service users
- Authentik 2025.10 (server + worker) as OIDC IdP
- Stalwart v0.16 mail server (image renamed from stalwartlabs/mail-server)
- OCIS 7.0 with PROXY_TLS=false and OCIS_CONFIG_DIR=/etc/ocis so init writes
  where the server reads
- Collabora office, plus the portal + provisioning service stubs
- Docker network aliases on Traefik so containers resolve auth.dezky.local etc.
  through the network (not host /etc/hosts)
- Docker socket mount parameterized for macOS Docker Desktop symlink path

Authentik provisioning (done via API after stack boot):
- ocis-provider (public client) + OCIS Files application
- dezky-portal provider (confidential) + Dezky Portal application
- Admin API token bound to akadmin manually since 2025.10's
  AUTHENTIK_BOOTSTRAP_TOKEN env var doesn't auto-materialize a token row

Portal (apps/portal):
- Nuxt 3 with nuxt-oidc-auth 1.0.0-beta.11 against generic 'oidc' preset
- Global auth middleware; login at /auth/oidc/login redirects to Authentik
- Visual implementation of Claude Design 'Auth' canvas: AuthShell, NodeMark,
  Auth* sub-components, design tokens as CSS custom properties
- Pages: auth/login, auth/expired, auth/disabled, index (post-login landing)
- mkcert root CA mounted into the portal so Node fetch trusts Authentik's
  self-signed cert (NODE_EXTRA_CA_CERTS) — dev only

Docs:
- AUTHENTIK-SETUP.md updated with manual token bind + portal provider scripted
  alternative
- NEXT-STEPS.md: Phase 1 and Phase 2 marked done with file locations and
  dev-mode caveats

Dev-mode shortcuts that need to be revisited before prod:
- skipAccessTokenParsing on the OIDC config
- NODE_EXTRA_CA_CERTS mkcert mount
- Bootstrap password still the generated value in .env
- Authentik admin token (dezky-bootstrap-token) is non-expiring

.env.example

@@ -0,0 +1,46 @@
+# ─────────────────────────────────────────────────────────────────
+# Dezky Local Development — Environment Variables
+# ─────────────────────────────────────────────────────────────────
+#
+# Copy this file to .env and fill in the values.
+# Generate secure random values with: openssl rand -hex 32
+#
+# DO NOT commit .env to git.
+# ─────────────────────────────────────────────────────────────────
+
+# ────────────────────────────────────────
+# Database root passwords
+# ────────────────────────────────────────
+POSTGRES_ROOT_PASSWORD=changeme_use_openssl_rand
+MONGO_ROOT_PASSWORD=changeme_use_openssl_rand
+REDIS_PASSWORD=changeme_use_openssl_rand
+
+# ────────────────────────────────────────
+# Per-service DB passwords
+# ────────────────────────────────────────
+AUTHENTIK_DB_PASSWORD=changeme_use_openssl_rand
+OCIS_DB_PASSWORD=changeme_use_openssl_rand
+
+# ────────────────────────────────────────
+# Authentik
+# ────────────────────────────────────────
+# AUTHENTIK_SECRET_KEY must be 50+ chars
+AUTHENTIK_SECRET_KEY=changeme_run_openssl_rand_hex_50
+AUTHENTIK_BOOTSTRAP_PASSWORD=admin_change_this_after_first_login
+# AUTHENTIK_BOOTSTRAP_TOKEN is used by the provisioning service to call Authentik API
+AUTHENTIK_BOOTSTRAP_TOKEN=changeme_use_openssl_rand_hex_32
+
+# ────────────────────────────────────────
+# Stalwart Mail
+# ────────────────────────────────────────
+STALWART_ADMIN_PASSWORD=changeme_use_openssl_rand
+
+# ────────────────────────────────────────
+# OCIS
+# ────────────────────────────────────────
+OCIS_ADMIN_PASSWORD=changeme_use_openssl_rand
+
+# ────────────────────────────────────────
+# Collabora
+# ────────────────────────────────────────
+COLLABORA_ADMIN_PASSWORD=changeme_use_openssl_rand