chore: initial scaffold with running local stack and portal auth

Brings up Dezky's local development environment end-to-end:

Infrastructure (docker-compose):
- Traefik v3.7 reverse proxy with mkcert TLS (v3.2 couldn't speak Docker API 1.54)
- Postgres + Mongo + Redis with healthchecks and init script for per-service users
- Authentik 2025.10 (server + worker) as OIDC IdP
- Stalwart v0.16 mail server (image renamed from stalwartlabs/mail-server)
- OCIS 7.0 with PROXY_TLS=false and OCIS_CONFIG_DIR=/etc/ocis so init writes
  where the server reads
- Collabora office, plus the portal + provisioning service stubs
- Docker network aliases on Traefik so containers resolve auth.dezky.local etc.
  through the network (not host /etc/hosts)
- Docker socket mount parameterized for macOS Docker Desktop symlink path

Authentik provisioning (done via API after stack boot):
- ocis-provider (public client) + OCIS Files application
- dezky-portal provider (confidential) + Dezky Portal application
- Admin API token bound to akadmin manually since 2025.10's
  AUTHENTIK_BOOTSTRAP_TOKEN env var doesn't auto-materialize a token row

Portal (apps/portal):
- Nuxt 3 with nuxt-oidc-auth 1.0.0-beta.11 against generic 'oidc' preset
- Global auth middleware; login at /auth/oidc/login redirects to Authentik
- Visual implementation of Claude Design 'Auth' canvas: AuthShell, NodeMark,
  Auth* sub-components, design tokens as CSS custom properties
- Pages: auth/login, auth/expired, auth/disabled, index (post-login landing)
- mkcert root CA mounted into the portal so Node fetch trusts Authentik's
  self-signed cert (NODE_EXTRA_CA_CERTS) — dev only

Docs:
- AUTHENTIK-SETUP.md updated with manual token bind + portal provider scripted
  alternative
- NEXT-STEPS.md: Phase 1 and Phase 2 marked done with file locations and
  dev-mode caveats

Dev-mode shortcuts that need to be revisited before prod:
- skipAccessTokenParsing on the OIDC config
- NODE_EXTRA_CA_CERTS mkcert mount
- Bootstrap password still the generated value in .env
- Authentik admin token (dezky-bootstrap-token) is non-expiring

infrastructure/docker-compose/configs/stalwart/config.toml

@@ -0,0 +1,91 @@
+# Stalwart Mail Server — Local Development Configuration
+#
+# This is a minimal config for local dev. Production config will have:
+#   - Real TLS certs (Let's Encrypt)
+#   - DKIM signing with real keys
+#   - SPF/DMARC enforcement
+#   - Rspamd integration
+#   - Hetzner Object Storage for blob storage
+#
+# Reference: https://stalw.art/docs
+
+[server]
+hostname = "mail.dezky.local"
+
+[server.listener]
+"smtp" = { bind = "[::]:25", protocol = "smtp" }
+"submission" = { bind = "[::]:587", protocol = "smtp", tls.implicit = false }
+"submissions" = { bind = "[::]:465", protocol = "smtp", tls.implicit = true }
+"imap" = { bind = "[::]:143", protocol = "imap", tls.implicit = false }
+"imaps" = { bind = "[::]:993", protocol = "imap", tls.implicit = true }
+"sieve" = { bind = "[::]:4190", protocol = "managesieve" }
+"http" = { bind = "[::]:8080", protocol = "http" }
+
+# ─────────────────────────────────────────────────────────────────
+# Storage — RocksDB embedded for local dev (single-binary simplicity)
+# Production will use PostgreSQL backend
+# ─────────────────────────────────────────────────────────────────
+[store."rocksdb"]
+type = "rocksdb"
+path = "/opt/stalwart/data"
+compression = "lz4"
+
+[storage]
+data = "rocksdb"
+fts = "rocksdb"
+blob = "rocksdb"
+lookup = "rocksdb"
+directory = "internal"
+
+# ─────────────────────────────────────────────────────────────────
+# Directory — internal user store for local dev
+# Production will wire OIDC to Authentik
+# ─────────────────────────────────────────────────────────────────
+[directory."internal"]
+type = "internal"
+store = "rocksdb"
+
+# ─────────────────────────────────────────────────────────────────
+# TLS — Self-signed in dev, Traefik terminates the public-facing HTTPS
+# ─────────────────────────────────────────────────────────────────
+[certificate."default"]
+cert = "%{file:/opt/stalwart/etc/tls/cert.pem}%"
+private-key = "%{file:/opt/stalwart/etc/tls/key.pem}%"
+default = true
+
+# ─────────────────────────────────────────────────────────────────
+# Authentication for local development
+# ─────────────────────────────────────────────────────────────────
+[authentication]
+fallback-admin.user = "admin"
+fallback-admin.secret = "$env{STALWART_ADMIN_PASSWORD}"
+
+# ─────────────────────────────────────────────────────────────────
+# Resolver — use the Docker DNS for local dev
+# ─────────────────────────────────────────────────────────────────
+[resolver]
+type = "system"
+preserve-intermediates = true
+concurrency = 2
+
+# ─────────────────────────────────────────────────────────────────
+# Logging
+# ─────────────────────────────────────────────────────────────────
+[tracer."stdout"]
+type = "stdout"
+level = "info"
+ansi = false
+enable = true
+
+# ─────────────────────────────────────────────────────────────────
+# Spam filtering — disabled in dev (no Rspamd configured)
+# Production: integrate Rspamd via milter
+# ─────────────────────────────────────────────────────────────────
+[spam-filter]
+enable = false
+
+# ─────────────────────────────────────────────────────────────────
+# Local development hint:
+# After first boot, create your first mailbox by visiting
+# https://mail.dezky.local and using admin credentials.
+# ─────────────────────────────────────────────────────────────────