feat(app): Next.js 15 + Auth.js v5 portal skeleton

Lands the minimum surface so a developer can:

  cd platform/orca-platform && make dev-up
  cd platform/tenant-registry && make dev
  cd platform/portal && make install && make dev
  open http://acme.localhost:3000

and complete a real OIDC sign-in against the breakpilot-dev realm.

Layout:
  src/middleware.ts                host→slug URL rewrite; backstage carve-out
  src/auth.ts                      Auth.js v5 Keycloak provider; passes
                                   tenant_id/slug/org_roles/products/plan/status
                                   claims through to the session
  src/app/api/auth/[...nextauth]/  Auth.js handlers (GET, POST)
  src/app/layout.tsx               root html shell
  src/app/page.tsx                 apex landing
  src/app/[slug]/layout.tsx        fetches tenant via lib/tenant-registry
  src/app/[slug]/page.tsx          redirect to /dashboard
  src/app/[slug]/dashboard/page.tsx
                                   signed-out → Sign in with Keycloak
                                   signed-in  → welcome + Sign out
  src/lib/host.ts                  testable host parser (apex/tenant/backstage)
  src/lib/tenant-registry.ts       fetch client for the Go service

Tooling:
  vitest                           13 tests, 100% coverage of src/lib/
  Next.js 15 build                 compiles all routes; output: standalone
  ESLint flat config               next/core-web-vitals + next/typescript

Real RBAC enforcement, the rest of the customer-area surfaces, and the
backstage shell land per the M5.2 / M10.1 schedule. This is just enough
to be the first thing a developer codes in.

Refs: M5.1 (skeleton)

.gitignore

@@ -35,3 +35,25 @@ vendor/
 
 # Rust
 **/target/
+
+# Next.js
+.next/
+out/
+.vercel/
+
+# Node
+node_modules/
+*.tsbuildinfo
+next-env.d.ts.tmp
+
+# Coverage
+coverage/
+
+# pnpm
+.pnpm-store/
+
+# Local env
+.env.local
+.env.development.local
+.env.test.local
+.env.production.local