Lands the minimum surface so a developer can:
cd platform/orca-platform && make dev-up
cd platform/tenant-registry && make dev
cd platform/portal && make install && make dev
open http://acme.localhost:3000
and complete a real OIDC sign-in against the breakpilot-dev realm.
Layout:
src/middleware.ts host→slug URL rewrite; backstage carve-out
src/auth.ts Auth.js v5 Keycloak provider; passes
tenant_id/slug/org_roles/products/plan/status
claims through to the session
src/app/api/auth/[...nextauth]/ Auth.js handlers (GET, POST)
src/app/layout.tsx root html shell
src/app/page.tsx apex landing
src/app/[slug]/layout.tsx fetches tenant via lib/tenant-registry
src/app/[slug]/page.tsx redirect to /dashboard
src/app/[slug]/dashboard/page.tsx
signed-out → Sign in with Keycloak
signed-in → welcome + Sign out
src/lib/host.ts testable host parser (apex/tenant/backstage)
src/lib/tenant-registry.ts fetch client for the Go service
Tooling:
vitest 13 tests, 100% coverage of src/lib/
Next.js 15 build compiles all routes; output: standalone
ESLint flat config next/core-web-vitals + next/typescript
Real RBAC enforcement, the rest of the customer-area surfaces, and the
backstage shell land per the M5.2 / M10.1 schedule. This is just enough
to be the first thing a developer codes in.
Refs: M5.1 (skeleton)
