feat(analytics): integrate Langfuse with Keycloak SSO

Add certifai-langfuse OIDC client to Keycloak realm export and configure
the Langfuse Docker service with Keycloak SSO env vars (shared realm,
account linking, local auth disabled). Replace the iframe-based analytics
page with an informational landing since cross-origin SSO breaks in
iframes. Users open Langfuse in a new tab where the active Keycloak
session authenticates them transparently.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

assets/i18n/de.json

@@ -118,7 +118,16 @@
     "agents_col_name": "Name",
     "agents_col_id": "ID",
     "agents_col_description": "Beschreibung",
-    "agents_col_status": "Status"
+    "agents_col_status": "Status",
+    "analytics_status_connected": "Verbunden",
+    "analytics_status_not_connected": "Nicht verbunden",
+    "analytics_config_hint": "Setzen Sie LANGFUSE_URL in .env, um eine Verbindung herzustellen",
+    "analytics_sso_hint": "Langfuse nutzt Keycloak-SSO. Sie werden automatisch mit Ihrem CERTifAI-Konto angemeldet.",
+    "analytics_quick_actions": "Schnellaktionen",
+    "analytics_traces": "Traces",
+    "analytics_traces_desc": "Alle LLM-Aufrufe, Latenzen und Token-Verbrauch anzeigen und filtern.",
+    "analytics_dashboard": "Dashboard",
+    "analytics_dashboard_desc": "Ueberblick ueber Kosten, Qualitaetsmetriken und Nutzungstrends."
   },
   "org": {
     "title": "Organisation",