chore: initial scaffold with running local stack and portal auth

Brings up Dezky's local development environment end-to-end:

Infrastructure (docker-compose):
- Traefik v3.7 reverse proxy with mkcert TLS (v3.2 couldn't speak Docker API 1.54)
- Postgres + Mongo + Redis with healthchecks and init script for per-service users
- Authentik 2025.10 (server + worker) as OIDC IdP
- Stalwart v0.16 mail server (image renamed from stalwartlabs/mail-server)
- OCIS 7.0 with PROXY_TLS=false and OCIS_CONFIG_DIR=/etc/ocis so init writes
  where the server reads
- Collabora office, plus the portal + provisioning service stubs
- Docker network aliases on Traefik so containers resolve auth.dezky.local etc.
  through the network (not host /etc/hosts)
- Docker socket mount parameterized for macOS Docker Desktop symlink path

Authentik provisioning (done via API after stack boot):
- ocis-provider (public client) + OCIS Files application
- dezky-portal provider (confidential) + Dezky Portal application
- Admin API token bound to akadmin manually since 2025.10's
  AUTHENTIK_BOOTSTRAP_TOKEN env var doesn't auto-materialize a token row

Portal (apps/portal):
- Nuxt 3 with nuxt-oidc-auth 1.0.0-beta.11 against generic 'oidc' preset
- Global auth middleware; login at /auth/oidc/login redirects to Authentik
- Visual implementation of Claude Design 'Auth' canvas: AuthShell, NodeMark,
  Auth* sub-components, design tokens as CSS custom properties
- Pages: auth/login, auth/expired, auth/disabled, index (post-login landing)
- mkcert root CA mounted into the portal so Node fetch trusts Authentik's
  self-signed cert (NODE_EXTRA_CA_CERTS) — dev only

Docs:
- AUTHENTIK-SETUP.md updated with manual token bind + portal provider scripted
  alternative
- NEXT-STEPS.md: Phase 1 and Phase 2 marked done with file locations and
  dev-mode caveats

Dev-mode shortcuts that need to be revisited before prod:
- skipAccessTokenParsing on the OIDC config
- NODE_EXTRA_CA_CERTS mkcert mount
- Bootstrap password still the generated value in .env
- Authentik admin token (dezky-bootstrap-token) is non-expiring

apps/portal/pages/auth/disabled.vue

@@ -0,0 +1,86 @@
+<script setup lang="ts">
+definePageMeta({ auth: false })
+
+const route = useRoute()
+const accountEmail = computed(() => (route.query.email as string) || 'this account')
+</script>
+
+<template>
+  <AuthShell>
+    <div class="badge" data-tone="bad">
+      <UiIcon name="shield" :size="28" />
+    </div>
+    <AuthHeading
+      eyebrow="Access denied"
+      title="This account is suspended"
+    >
+      <template #body>
+        The account <b>{{ accountEmail }}</b> has been suspended by a workspace admin.
+        Contact them if you think this is wrong.
+      </template>
+    </AuthHeading>
+
+    <div class="admin-card">
+      <div class="admin-eyebrow">Workspace admin</div>
+      <div class="admin-name">Your administrator</div>
+      <div class="admin-email">contact via your organization</div>
+    </div>
+
+    <AuthButton variant="dark">
+      <template #leading>
+        <UiIcon name="mail" :size="14" />
+      </template>
+      Email your admin
+    </AuthButton>
+
+    <AuthFooterLink>
+      <NuxtLink to="/auth/login">← sign in with a different account</NuxtLink>
+    </AuthFooterLink>
+  </AuthShell>
+</template>
+
+<style scoped>
+.badge {
+  width: 56px;
+  height: 56px;
+  border-radius: 14px;
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  margin: 0 0 18px 0;
+}
+
+.badge[data-tone='bad'] {
+  background: rgba(226, 48, 48, 0.1);
+  color: var(--bad);
+}
+
+.admin-card {
+  padding: 14px;
+  background: var(--bg);
+  border: 1px solid var(--border);
+  border-radius: 6px;
+  margin-bottom: 18px;
+}
+
+.admin-eyebrow {
+  font-family: var(--font-mono);
+  font-size: 10px;
+  color: var(--text-mute);
+  letter-spacing: 0.12em;
+  text-transform: uppercase;
+  margin-bottom: 6px;
+}
+
+.admin-name {
+  font-size: 13px;
+  font-weight: 500;
+}
+
+.admin-email {
+  font-family: var(--font-mono);
+  font-size: 12px;
+  color: var(--text-dim);
+  margin-top: 2px;
+}
+</style>