feat: zitadel provisioning script + project-audience scope

app/plugins/auth.client.ts

@@ -5,9 +5,15 @@ import { useZitadelAuth } from "@kuns/zitadel-auth/vue";
 // router guard that redirects unauthenticated users to the Zitadel hosted login.
 export default defineNuxtPlugin(() => {
   const cfg = useRuntimeConfig().public;
+  const scopes = ["openid", "profile", "email"];
+  if (cfg.zitadelProjectId) {
+    // Force the project id into the access token's `aud` for backend validation.
+    scopes.push(`urn:zitadel:iam:org:project:id:${cfg.zitadelProjectId}:aud`);
+  }
   const auth = useZitadelAuth(useRouter() as never, {
     clientId: cfg.zitadelClientId as string,
     issuer: cfg.zitadelIssuer as string,
+    scopes,
   });
   return { provide: { auth } };
 });