feat: bootstrap 2 users, tenant, org-scoped tokens, platform admin UI

Bootstrap script now creates:
- SaaS Owner (admin/admin) with platform-admin role
- Tenant Admin (camel/camel) in Example Tenant org
- Traditional Web App for cameleer3-server OIDC
- DB records: tenant, default environment, license
- Configures cameleer3-server OIDC via its admin API
All credentials configurable via env vars.

Backend:
- Fix LogtoManagementClient resource URL (https://default.logto.app/api)
- Add getUserRoles/getUserOrganizations to LogtoManagementClient
- Add GET /api/me endpoint (user info, platform admin status, tenants)
- Add GET /api/tenants list-all for platform admins
- Remove insecure X-header forwarding from Traefik

Frontend:
- Org-scoped tokens: getAccessToken(resource, orgId) for tenant context
- OrgResolver component populates org store from /api/me
- useOrganization Zustand store (currentOrgId + currentTenantId)
- Platform admin sidebar section + AdminTenantsPage
- View Dashboard link points to cameleer3-server on port 8081

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

ui/src/auth/OrgResolver.tsx

@@ -0,0 +1,47 @@
+import { useEffect } from 'react';
+import { Spinner } from '@cameleer/design-system';
+import { useMe } from '../api/hooks';
+import { useOrgStore } from './useOrganization';
+
+/**
+ * Fetches /api/me and populates the org store with platform admin status
+ * and tenant-to-org mapping. Renders children once resolved.
+ */
+export function OrgResolver({ children }: { children: React.ReactNode }) {
+  const { data: me, isLoading, isError } = useMe();
+  const { setIsPlatformAdmin, setOrganizations, setCurrentOrg, currentOrgId } = useOrgStore();
+
+  useEffect(() => {
+    if (!me) return;
+
+    setIsPlatformAdmin(me.isPlatformAdmin);
+
+    // Map tenants: logtoOrgId is the org ID for token scoping, id is the DB UUID
+    const orgEntries = me.tenants.map((t) => ({
+      id: t.logtoOrgId,
+      name: t.name,
+      slug: t.slug,
+      tenantId: t.id,
+    }));
+    setOrganizations(orgEntries);
+
+    // Auto-select if single tenant and no org selected yet
+    if (orgEntries.length === 1 && !currentOrgId) {
+      setCurrentOrg(orgEntries[0].id);
+    }
+  }, [me]);
+
+  if (isLoading) {
+    return (
+      <div style={{ display: 'flex', alignItems: 'center', justifyContent: 'center', minHeight: '100vh' }}>
+        <Spinner />
+      </div>
+    );
+  }
+
+  if (isError) {
+    return null;
+  }
+
+  return <>{children}</>;
+}

ui/src/auth/useAuth.ts

@@ -1,5 +1,6 @@
 import { useLogto } from '@logto/react';
 import { useState, useEffect, useCallback } from 'react';
+import { useOrgStore } from './useOrganization';
 
 interface IdTokenClaims {
   sub?: string;
@@ -14,6 +15,7 @@ interface IdTokenClaims {
 export function useAuth() {
   const { isAuthenticated, isLoading, getIdTokenClaims, signOut, signIn } = useLogto();
   const [claims, setClaims] = useState<IdTokenClaims | null>(null);
+  const { currentTenantId, isPlatformAdmin } = useOrgStore();
 
   useEffect(() => {
     if (isAuthenticated) {
@@ -25,7 +27,8 @@ export function useAuth() {
 
   const username = claims?.username ?? claims?.name ?? claims?.email ?? claims?.sub ?? null;
   const roles = (claims?.roles as string[]) ?? [];
-  const tenantId = (claims?.organization_id as string) ?? null;
+  // tenantId is the DB UUID from the org store (set by OrgResolver after /api/me)
+  const tenantId = currentTenantId;
 
   const logout = useCallback(() => {
     signOut(window.location.origin + '/login');
@@ -37,6 +40,7 @@ export function useAuth() {
     username,
     roles,
     tenantId,
+    isPlatformAdmin,
     logout,
     signIn,
   };

ui/src/auth/useOrganization.ts

@@ -0,0 +1,31 @@
+import { create } from 'zustand';
+
+export interface OrgInfo {
+  id: string;         // Logto org ID (for token scoping)
+  name: string;
+  slug?: string;
+  tenantId?: string;  // DB tenant UUID (for API calls)
+}
+
+interface OrgState {
+  currentOrgId: string | null;      // Logto org ID — used for getAccessToken(resource, orgId)
+  currentTenantId: string | null;   // DB UUID — used for API calls like /api/tenants/{id}
+  organizations: OrgInfo[];
+  isPlatformAdmin: boolean;
+  setCurrentOrg: (orgId: string | null) => void;
+  setOrganizations: (orgs: OrgInfo[]) => void;
+  setIsPlatformAdmin: (value: boolean) => void;
+}
+
+export const useOrgStore = create<OrgState>((set, get) => ({
+  currentOrgId: null,
+  currentTenantId: null,
+  organizations: [],
+  isPlatformAdmin: false,
+  setCurrentOrg: (orgId) => {
+    const org = get().organizations.find((o) => o.id === orgId);
+    set({ currentOrgId: orgId, currentTenantId: org?.tenantId ?? null });
+  },
+  setOrganizations: (orgs) => set({ organizations: orgs }),
+  setIsPlatformAdmin: (value) => set({ isPlatformAdmin: value }),
+}));