feat: bootstrap 2 users, tenant, org-scoped tokens, platform admin UI

Bootstrap script now creates:
- SaaS Owner (admin/admin) with platform-admin role
- Tenant Admin (camel/camel) in Example Tenant org
- Traditional Web App for cameleer3-server OIDC
- DB records: tenant, default environment, license
- Configures cameleer3-server OIDC via its admin API
All credentials configurable via env vars.

Backend:
- Fix LogtoManagementClient resource URL (https://default.logto.app/api)
- Add getUserRoles/getUserOrganizations to LogtoManagementClient
- Add GET /api/me endpoint (user info, platform admin status, tenants)
- Add GET /api/tenants list-all for platform admins
- Remove insecure X-header forwarding from Traefik

Frontend:
- Org-scoped tokens: getAccessToken(resource, orgId) for tenant context
- OrgResolver component populates org store from /api/me
- useOrganization Zustand store (currentOrgId + currentTenantId)
- Platform admin sidebar section + AdminTenantsPage
- View Dashboard link points to cameleer3-server on port 8081

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

ui/src/main.tsx

@@ -1,6 +1,6 @@
 import React, { useState, useEffect, useCallback } from 'react';
 import ReactDOM from 'react-dom/client';
-import { LogtoProvider, useLogto } from '@logto/react';
+import { LogtoProvider, UserScope, useLogto } from '@logto/react';
 import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
 import { BrowserRouter } from 'react-router';
 import { ThemeProvider, ToastProvider, BreadcrumbProvider, GlobalFilterProvider, CommandPaletteProvider, Spinner } from '@cameleer/design-system';
@@ -8,6 +8,7 @@ import '@cameleer/design-system/style.css';
 import { AppRouter } from './router';
 import { fetchConfig } from './config';
 import { setTokenProvider, setLogoutHandler } from './api/client';
+import { useOrgStore } from './auth/useOrganization';
 
 const queryClient = new QueryClient({
   defaultOptions: {
@@ -19,15 +20,44 @@ const queryClient = new QueryClient({
 });
 
 function TokenSync({ resource }: { resource: string }) {
-  const { getAccessToken, isAuthenticated, signOut } = useLogto();
+  const { getAccessToken, isAuthenticated, signOut, fetchUserInfo } = useLogto();
+  const { currentOrgId, setCurrentOrg, setOrganizations } = useOrgStore();
 
+  // After auth, resolve user's organizations from Logto
+  useEffect(() => {
+    if (!isAuthenticated) {
+      setOrganizations([]);
+      setCurrentOrg(null);
+      return;
+    }
+
+    fetchUserInfo().then((info) => {
+      const orgData = (info as Record<string, unknown>)?.organization_data as
+        Array<{ id: string; name: string }> | undefined;
+      const orgs = orgData ?? [];
+      setOrganizations(orgs.map((o) => ({ id: o.id, name: o.name })));
+
+      // Auto-select if user has exactly one org
+      if (orgs.length === 1 && !currentOrgId) {
+        setCurrentOrg(orgs[0].id);
+      }
+    }).catch(() => {
+      // fetchUserInfo may fail if token is being refreshed
+    });
+  }, [isAuthenticated]);
+
+  // Set token provider — org-scoped if org selected, plain otherwise
   useEffect(() => {
     if (isAuthenticated && resource) {
-      setTokenProvider(() => getAccessToken(resource));
+      if (currentOrgId) {
+        setTokenProvider(() => getAccessToken(resource, currentOrgId));
+      } else {
+        setTokenProvider(() => getAccessToken(resource));
+      }
     } else {
       setTokenProvider(null);
     }
-  }, [isAuthenticated, getAccessToken, resource]);
+  }, [isAuthenticated, getAccessToken, resource, currentOrgId]);
 
   const handleLogout = useCallback(() => {
     signOut(window.location.origin + '/login');
@@ -66,7 +96,11 @@ function App() {
         endpoint: config.logtoEndpoint,
         appId: config.logtoClientId,
         resources: config.logtoResource ? [config.logtoResource] : [],
-        scopes: ['openid', 'profile', 'email', 'offline_access'],
+        scopes: [
+          'openid', 'profile', 'email', 'offline_access',
+          UserScope.Organizations,
+          UserScope.OrganizationRoles,
+        ],
       }}
     >
       <TokenSync resource={config.logtoResource} />