chore: initial scaffold with running local stack and portal auth

Brings up Dezky's local development environment end-to-end:

Infrastructure (docker-compose):
- Traefik v3.7 reverse proxy with mkcert TLS (v3.2 couldn't speak Docker API 1.54)
- Postgres + Mongo + Redis with healthchecks and init script for per-service users
- Authentik 2025.10 (server + worker) as OIDC IdP
- Stalwart v0.16 mail server (image renamed from stalwartlabs/mail-server)
- OCIS 7.0 with PROXY_TLS=false and OCIS_CONFIG_DIR=/etc/ocis so init writes
  where the server reads
- Collabora office, plus the portal + provisioning service stubs
- Docker network aliases on Traefik so containers resolve auth.dezky.local etc.
  through the network (not host /etc/hosts)
- Docker socket mount parameterized for macOS Docker Desktop symlink path

Authentik provisioning (done via API after stack boot):
- ocis-provider (public client) + OCIS Files application
- dezky-portal provider (confidential) + Dezky Portal application
- Admin API token bound to akadmin manually since 2025.10's
  AUTHENTIK_BOOTSTRAP_TOKEN env var doesn't auto-materialize a token row

Portal (apps/portal):
- Nuxt 3 with nuxt-oidc-auth 1.0.0-beta.11 against generic 'oidc' preset
- Global auth middleware; login at /auth/oidc/login redirects to Authentik
- Visual implementation of Claude Design 'Auth' canvas: AuthShell, NodeMark,
  Auth* sub-components, design tokens as CSS custom properties
- Pages: auth/login, auth/expired, auth/disabled, index (post-login landing)
- mkcert root CA mounted into the portal so Node fetch trusts Authentik's
  self-signed cert (NODE_EXTRA_CA_CERTS) — dev only

Docs:
- AUTHENTIK-SETUP.md updated with manual token bind + portal provider scripted
  alternative
- NEXT-STEPS.md: Phase 1 and Phase 2 marked done with file locations and
  dev-mode caveats

Dev-mode shortcuts that need to be revisited before prod:
- skipAccessTokenParsing on the OIDC config
- NODE_EXTRA_CA_CERTS mkcert mount
- Bootstrap password still the generated value in .env
- Authentik admin token (dezky-bootstrap-token) is non-expiring

apps/portal/assets/styles/tokens.css

@@ -0,0 +1,56 @@
+/* Dezky design tokens — workspace surface (light/bone).
+   Ported from project/platform-tokens.jsx (THEMES.light + ACCENTS.signal). */
+
+:root {
+  /* Surface */
+  --bg: #F4F3EE;          /* bone */
+  --surface: #FAFAF7;     /* paper */
+  --elevated: #FFFFFF;
+  --border: #E6E4DC;      /* fog */
+  --border-hi: #D4D2C8;
+
+  /* Text */
+  --text: #0A0A0A;        /* carbon */
+  --text-dim: rgba(10, 10, 10, 0.55);
+  --text-mute: rgba(10, 10, 10, 0.4);
+
+  /* Sidebar (always-dark for brand consistency) */
+  --side-bg: #0A0A0A;
+  --side-surf: #141413;
+  --side-text: #F4F3EE;
+
+  /* Brand accent */
+  --accent: #D4FF3A;      /* signal */
+  --accent-fg: #0A0A0A;
+  --signal: #D4FF3A;
+
+  /* Semantic */
+  --ok: #1F8A5B;
+  --warn: #E89A1F;
+  --bad: #E23030;
+  --info: #2A6FDB;
+
+  /* Type */
+  --font-sans: 'Inter', -apple-system, BlinkMacSystemFont, sans-serif;
+  --font-display: 'Inter Tight', 'Inter', sans-serif;
+  --font-mono: 'JetBrains Mono', ui-monospace, 'Menlo', monospace;
+
+  /* Field input surface */
+  --input-bg: var(--bg);
+}
+
+[data-theme='dark'] {
+  --bg: #0A0A0A;
+  --surface: #141413;
+  --elevated: #1C1C1A;
+  --border: #262622;
+  --border-hi: #33332E;
+  --text: #F4F3EE;
+  --text-dim: rgba(244, 243, 238, 0.72);
+  --text-mute: rgba(244, 243, 238, 0.45);
+  --ok: #34C77B;
+  --warn: #F0B14A;
+  --bad: #F05858;
+  --info: #4D8BE8;
+  --input-bg: rgba(244, 243, 238, 0.04);
+}