chore: initial scaffold with running local stack and portal auth

Brings up Dezky's local development environment end-to-end:

Infrastructure (docker-compose):
- Traefik v3.7 reverse proxy with mkcert TLS (v3.2 couldn't speak Docker API 1.54)
- Postgres + Mongo + Redis with healthchecks and init script for per-service users
- Authentik 2025.10 (server + worker) as OIDC IdP
- Stalwart v0.16 mail server (image renamed from stalwartlabs/mail-server)
- OCIS 7.0 with PROXY_TLS=false and OCIS_CONFIG_DIR=/etc/ocis so init writes
  where the server reads
- Collabora office, plus the portal + provisioning service stubs
- Docker network aliases on Traefik so containers resolve auth.dezky.local etc.
  through the network (not host /etc/hosts)
- Docker socket mount parameterized for macOS Docker Desktop symlink path

Authentik provisioning (done via API after stack boot):
- ocis-provider (public client) + OCIS Files application
- dezky-portal provider (confidential) + Dezky Portal application
- Admin API token bound to akadmin manually since 2025.10's
  AUTHENTIK_BOOTSTRAP_TOKEN env var doesn't auto-materialize a token row

Portal (apps/portal):
- Nuxt 3 with nuxt-oidc-auth 1.0.0-beta.11 against generic 'oidc' preset
- Global auth middleware; login at /auth/oidc/login redirects to Authentik
- Visual implementation of Claude Design 'Auth' canvas: AuthShell, NodeMark,
  Auth* sub-components, design tokens as CSS custom properties
- Pages: auth/login, auth/expired, auth/disabled, index (post-login landing)
- mkcert root CA mounted into the portal so Node fetch trusts Authentik's
  self-signed cert (NODE_EXTRA_CA_CERTS) — dev only

Docs:
- AUTHENTIK-SETUP.md updated with manual token bind + portal provider scripted
  alternative
- NEXT-STEPS.md: Phase 1 and Phase 2 marked done with file locations and
  dev-mode caveats

Dev-mode shortcuts that need to be revisited before prod:
- skipAccessTokenParsing on the OIDC config
- NODE_EXTRA_CA_CERTS mkcert mount
- Bootstrap password still the generated value in .env
- Authentik admin token (dezky-bootstrap-token) is non-expiring

README.md

@@ -0,0 +1,115 @@
+# Dezky
+
+> Sovereign workspace platform for European businesses.
+> Mail, files, calendar, video meetings — all EU-hosted, all open source.
+
+## Quick start (local development)
+
+```bash
+# 1. Clone and enter
+git clone <repo-url> dezky
+cd dezky
+
+# 2. Run bootstrap (handles everything)
+./scripts/bootstrap.sh
+
+# 3. Open the portal
+open https://app.dezky.local
+```
+
+The bootstrap script:
+- Checks prerequisites (Docker, mkcert, openssl)
+- Generates wildcard TLS certificate via mkcert
+- Adds /etc/hosts entries (with your permission)
+- Generates secure random secrets in `.env`
+- Pulls Docker images
+- Starts all services in correct order
+- Prints next-step instructions
+
+## Service URLs (local development)
+
+| Service | URL | Purpose |
+|---------|-----|---------|
+| Portal | https://app.dezky.local | Customer-facing landing & launcher |
+| Authentik | https://auth.dezky.local | Identity provider (OIDC/SAML) |
+| Files (OCIS) | https://files.dezky.local | File storage & sharing |
+| Mail (Stalwart) | https://mail.dezky.local | Mail server admin UI |
+| Office | https://office.dezky.local | Collabora Online editor |
+| Traefik | https://traefik.dezky.local | Reverse proxy dashboard |
+
+## What's in this repo
+
+```
+dezky/
+├── apps/portal/                Nuxt 3 customer portal
+├── services/provisioning/      NestJS provisioning worker
+├── packages/                   Shared TypeScript libraries
+├── infrastructure/
+│   └── docker-compose/         Local development stack
+├── scripts/                    Setup, reset, helpers
+└── docs/                       Service references & guides
+```
+
+## Prerequisites
+
+- macOS or Linux (Windows users: use WSL2)
+- Docker Desktop 24+ or OrbStack
+- mkcert (`brew install mkcert`)
+- pnpm 9+ (`brew install pnpm`)
+- Node.js 20+
+- 16 GB RAM recommended
+
+## Common commands
+
+```bash
+# Start everything
+docker compose -f infrastructure/docker-compose/docker-compose.yml up -d
+
+# View logs
+docker compose -f infrastructure/docker-compose/docker-compose.yml logs -f [service]
+
+# Stop everything (keeps data)
+docker compose -f infrastructure/docker-compose/docker-compose.yml down
+
+# Nuke and restart (DESTROYS DATA)
+./scripts/reset.sh
+```
+
+## Architecture
+
+This is a multi-tenant SaaS platform. Each tenant gets:
+- Isolated Authentik OIDC tenant
+- Custom subdomain (e.g. `customer-name.dezky.local`)
+- Mail domain in Stalwart with auto-generated DKIM
+- Dedicated OCIS space hierarchy
+- Branded launcher in the portal
+
+All components are Apache 2.0 / MIT licensed — no per-seat fees, full whitelabel rights.
+
+## Production
+
+The production target is a single Hetzner AX41-NVMe server (€39/mo) with:
+- Stalwart on bare-metal
+- k3s for all other services
+- Hetzner Object Storage (€5/mo) as OCIS S3 backend
+- Storage Box BX11 (€3.20/mo) for Restic backups
+- Storage Box BX11 in Helsinki (€3.20/mo) for DR
+
+See `docs/PRODUCTION-DEPLOYMENT.md` (TBD) for migration plan.
+
+## Stack rationale
+
+These choices are deliberate after extensive license/architecture research. See `CLAUDE.md` for the full reasoning.
+
+| Component | License | Why this one |
+|-----------|---------|--------------|
+| Stalwart Mail | Apache 2.0 | Modern Rust, ActiveSync built-in, JMAP support |
+| OCIS | Apache 2.0 | Cleaner license than Nextcloud (AGPL+trademark) |
+| Zulip | Apache 2.0 | Only truly open-core-free chat option |
+| Authentik | MIT | Better multi-tenancy than Keycloak |
+| Hetzner | N/A | 100% EU sovereignty — core to business |
+
+## License
+
+Application code: MIT (own code)
+Third-party services: see individual service licenses in stack.