chore: initial scaffold with running local stack and portal auth

Brings up Dezky's local development environment end-to-end:

Infrastructure (docker-compose):
- Traefik v3.7 reverse proxy with mkcert TLS (v3.2 couldn't speak Docker API 1.54)
- Postgres + Mongo + Redis with healthchecks and init script for per-service users
- Authentik 2025.10 (server + worker) as OIDC IdP
- Stalwart v0.16 mail server (image renamed from stalwartlabs/mail-server)
- OCIS 7.0 with PROXY_TLS=false and OCIS_CONFIG_DIR=/etc/ocis so init writes
  where the server reads
- Collabora office, plus the portal + provisioning service stubs
- Docker network aliases on Traefik so containers resolve auth.dezky.local etc.
  through the network (not host /etc/hosts)
- Docker socket mount parameterized for macOS Docker Desktop symlink path

Authentik provisioning (done via API after stack boot):
- ocis-provider (public client) + OCIS Files application
- dezky-portal provider (confidential) + Dezky Portal application
- Admin API token bound to akadmin manually since 2025.10's
  AUTHENTIK_BOOTSTRAP_TOKEN env var doesn't auto-materialize a token row

Portal (apps/portal):
- Nuxt 3 with nuxt-oidc-auth 1.0.0-beta.11 against generic 'oidc' preset
- Global auth middleware; login at /auth/oidc/login redirects to Authentik
- Visual implementation of Claude Design 'Auth' canvas: AuthShell, NodeMark,
  Auth* sub-components, design tokens as CSS custom properties
- Pages: auth/login, auth/expired, auth/disabled, index (post-login landing)
- mkcert root CA mounted into the portal so Node fetch trusts Authentik's
  self-signed cert (NODE_EXTRA_CA_CERTS) — dev only

Docs:
- AUTHENTIK-SETUP.md updated with manual token bind + portal provider scripted
  alternative
- NEXT-STEPS.md: Phase 1 and Phase 2 marked done with file locations and
  dev-mode caveats

Dev-mode shortcuts that need to be revisited before prod:
- skipAccessTokenParsing on the OIDC config
- NODE_EXTRA_CA_CERTS mkcert mount
- Bootstrap password still the generated value in .env
- Authentik admin token (dezky-bootstrap-token) is non-expiring

infrastructure/docker-compose/configs/postgres/init.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+# Dezky PostgreSQL initialization
+# Creates databases and users for Authentik and OCIS.
+# Passwords come from env vars set in docker-compose.yml.
+
+set -e
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+    -- Authentik
+    CREATE USER authentik WITH PASSWORD '${AUTHENTIK_DB_PASSWORD}';
+    CREATE DATABASE authentik WITH OWNER authentik ENCODING 'UTF8' LC_COLLATE 'C' LC_CTYPE 'C' TEMPLATE template0;
+    GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik;
+
+    -- OCIS (reserved for future use; OCIS uses internal storage in dev)
+    CREATE USER ocis WITH PASSWORD '${OCIS_DB_PASSWORD}';
+    CREATE DATABASE ocis WITH OWNER ocis ENCODING 'UTF8' TEMPLATE template0;
+    GRANT ALL PRIVILEGES ON DATABASE ocis TO ocis;
+EOSQL
+
+# Grant schema permissions inside each newly created DB
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname authentik <<-EOSQL
+    GRANT ALL ON SCHEMA public TO authentik;
+EOSQL
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname ocis <<-EOSQL
+    GRANT ALL ON SCHEMA public TO ocis;
+EOSQL
+
+echo "Dezky PostgreSQL initialization complete."

infrastructure/docker-compose/configs/stalwart/config.toml

@@ -0,0 +1,91 @@
+# Stalwart Mail Server — Local Development Configuration
+#
+# This is a minimal config for local dev. Production config will have:
+#   - Real TLS certs (Let's Encrypt)
+#   - DKIM signing with real keys
+#   - SPF/DMARC enforcement
+#   - Rspamd integration
+#   - Hetzner Object Storage for blob storage
+#
+# Reference: https://stalw.art/docs
+
+[server]
+hostname = "mail.dezky.local"
+
+[server.listener]
+"smtp" = { bind = "[::]:25", protocol = "smtp" }
+"submission" = { bind = "[::]:587", protocol = "smtp", tls.implicit = false }
+"submissions" = { bind = "[::]:465", protocol = "smtp", tls.implicit = true }
+"imap" = { bind = "[::]:143", protocol = "imap", tls.implicit = false }
+"imaps" = { bind = "[::]:993", protocol = "imap", tls.implicit = true }
+"sieve" = { bind = "[::]:4190", protocol = "managesieve" }
+"http" = { bind = "[::]:8080", protocol = "http" }
+
+# ─────────────────────────────────────────────────────────────────
+# Storage — RocksDB embedded for local dev (single-binary simplicity)
+# Production will use PostgreSQL backend
+# ─────────────────────────────────────────────────────────────────
+[store."rocksdb"]
+type = "rocksdb"
+path = "/opt/stalwart/data"
+compression = "lz4"
+
+[storage]
+data = "rocksdb"
+fts = "rocksdb"
+blob = "rocksdb"
+lookup = "rocksdb"
+directory = "internal"
+
+# ─────────────────────────────────────────────────────────────────
+# Directory — internal user store for local dev
+# Production will wire OIDC to Authentik
+# ─────────────────────────────────────────────────────────────────
+[directory."internal"]
+type = "internal"
+store = "rocksdb"
+
+# ─────────────────────────────────────────────────────────────────
+# TLS — Self-signed in dev, Traefik terminates the public-facing HTTPS
+# ─────────────────────────────────────────────────────────────────
+[certificate."default"]
+cert = "%{file:/opt/stalwart/etc/tls/cert.pem}%"
+private-key = "%{file:/opt/stalwart/etc/tls/key.pem}%"
+default = true
+
+# ─────────────────────────────────────────────────────────────────
+# Authentication for local development
+# ─────────────────────────────────────────────────────────────────
+[authentication]
+fallback-admin.user = "admin"
+fallback-admin.secret = "$env{STALWART_ADMIN_PASSWORD}"
+
+# ─────────────────────────────────────────────────────────────────
+# Resolver — use the Docker DNS for local dev
+# ─────────────────────────────────────────────────────────────────
+[resolver]
+type = "system"
+preserve-intermediates = true
+concurrency = 2
+
+# ─────────────────────────────────────────────────────────────────
+# Logging
+# ─────────────────────────────────────────────────────────────────
+[tracer."stdout"]
+type = "stdout"
+level = "info"
+ansi = false
+enable = true
+
+# ─────────────────────────────────────────────────────────────────
+# Spam filtering — disabled in dev (no Rspamd configured)
+# Production: integrate Rspamd via milter
+# ─────────────────────────────────────────────────────────────────
+[spam-filter]
+enable = false
+
+# ─────────────────────────────────────────────────────────────────
+# Local development hint:
+# After first boot, create your first mailbox by visiting
+# https://mail.dezky.local and using admin credentials.
+# ─────────────────────────────────────────────────────────────────

infrastructure/docker-compose/configs/traefik/dynamic.yml

@@ -0,0 +1,51 @@
+# Traefik dynamic configuration — TLS certificates and middleware
+#
+# Uses the wildcard mkcert certificate for all *.dezky.local hostnames.
+# This file is watched and reloaded automatically by Traefik.
+
+tls:
+  certificates:
+    - certFile: /certs/dezky.local.pem
+      keyFile: /certs/dezky.local-key.pem
+      stores:
+        - default
+
+  stores:
+    default:
+      defaultCertificate:
+        certFile: /certs/dezky.local.pem
+        keyFile: /certs/dezky.local-key.pem
+
+http:
+  middlewares:
+    # Strong security headers for all services
+    secure-headers:
+      headers:
+        frameDeny: false  # OCIS/Collabora need iframes
+        sslRedirect: true
+        browserXssFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 15552000
+        customFrameOptionsValue: "SAMEORIGIN"
+
+    # CORS for API calls between portal and provisioning service
+    cors:
+      headers:
+        accessControlAllowMethods:
+          - "GET"
+          - "POST"
+          - "PUT"
+          - "PATCH"
+          - "DELETE"
+          - "OPTIONS"
+        accessControlAllowOriginListRegex:
+          - "^https://([a-z0-9-]+\\.)?dezky\\.local$"
+        accessControlAllowHeaders:
+          - "Content-Type"
+          - "Authorization"
+          - "X-Requested-With"
+        accessControlMaxAge: 86400
+        addVaryHeader: true

infrastructure/docker-compose/configs/traefik/traefik.yml

@@ -0,0 +1,43 @@
+# Traefik static configuration for Dezky local development
+#
+# Provides TLS termination using mkcert-generated wildcard certificate.
+# Auto-discovers services via Docker labels.
+
+global:
+  checkNewVersion: false
+  sendAnonymousUsage: false
+
+api:
+  dashboard: true
+  insecure: true  # OK for local dev only — exposes dashboard on :8080
+
+log:
+  level: INFO
+
+accessLog: {}
+
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+          permanent: true
+
+  websecure:
+    address: ":443"
+    http:
+      tls: {}
+
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false
+    network: dezky
+    watch: true
+
+  file:
+    filename: /etc/traefik/dynamic.yml
+    watch: true