feat(portal): IT ops /it console and read API proxy

- Role-gated /it page with drift summary and refresh
- Server routes /api/it/drift, inventory, refresh (IT_READ_API_* env)
- Propagate credentials user.role into JWT roles for bootstrap
- Dashboard card for IT roles; document env in .env.example

Made-with: Cursor

portal/.env.example

@@ -5,12 +5,26 @@
 NEXTAUTH_URL=https://sankofa.nexus
 NEXTAUTH_SECRET=generate-with-openssl-rand-base64-32
 
+# Keycloak OIDC (optional). All three must be non-empty or the portal uses credentials only.
 KEYCLOAK_URL=https://keycloak.sankofa.nexus
-KEYCLOAK_REALM=your-realm
-KEYCLOAK_CLIENT_ID=portal-client
-KEYCLOAK_CLIENT_SECRET=your-client-secret
+KEYCLOAK_REALM=master
+KEYCLOAK_CLIENT_ID=sankofa-portal
+KEYCLOAK_CLIENT_SECRET=
+
+# Production email/password login when Keycloak client secret is not set (rotate after enabling SSO).
+PORTAL_LOCAL_LOGIN_EMAIL=portal@sankofa.nexus
+PORTAL_LOCAL_LOGIN_PASSWORD=change-me-strong-password
 
 NEXT_PUBLIC_CROSSPLANE_API=https://crossplane-api.crossplane-system.svc.cluster.local
 NEXT_PUBLIC_ARGOCD_URL=https://argocd.sankofa.nexus
 NEXT_PUBLIC_GRAFANA_URL=https://grafana.sankofa.nexus
 NEXT_PUBLIC_LOKI_URL=https://loki.monitoring.svc.cluster.local:3100
+
+# Cloudflare Turnstile (public site key). When set, unauthenticated Sign In is gated until the widget succeeds.
+# Same widget can be paired with dbis_core IRU inquiry (VITE_CLOUDFLARE_TURNSTILE_SITE_KEY there). Not a DNS API key.
+# NEXT_PUBLIC_CLOUDFLARE_TURNSTILE_SITE_KEY=
+
+# IT inventory read API (proxmox Phase 0). Server-side only — do not use NEXT_PUBLIC_* for the key.
+# Base URL of sankofa-it-read-api (e.g. http://192.168.11.11:8787 or internal NPM upstream).
+# IT_READ_API_URL=http://192.168.11.11:8787
+# IT_READ_API_KEY=