chore(services): rename services/provisioning -> services/platform-api

O.0 prep from OPERATOR-PLAN.md. Mechanical refactor before adding partner
management and operator-specific endpoints. The service now owns more than
just provisioning orchestration (it'll soon own partners, tenant lifecycle
actions, multi-audience JWT validation), so the name 'platform-api' reflects
its scope better.

What changed:
- Directory: services/provisioning/ -> services/platform-api/
- Package: @dezky/provisioning -> @dezky/platform-api
- Docker: container_name dezky-provisioning -> dezky-platform-api;
  compose service key 'provisioning' -> 'platform-api'; volume
  provisioning_node_modules -> platform_api_node_modules
- Portal: PROVISIONING_INTERNAL_URL env var -> PLATFORM_API_INTERNAL_URL,
  default URL http://provisioning:3001 -> http://platform-api:3001 in all
  three proxy routes (me.get.ts, tenants/index.post.ts, tenants/[slug]/
  reconcile.post.ts), plus NUXT_API_BASE updated
- Health endpoint service identifier and main.ts log lines updated to
  'dezky-platform-api'
- Docs swept: README, CLAUDE.md, SERVICES.md, AUTHENTIK-SETUP.md,
  NEXT-STEPS.md, TROUBLESHOOTING.md, OPERATOR-PLAN.md, traefik/dynamic.yml

What deliberately stays:
- Internal module names ProvisioningService / ProvisioningModule (those
  describe an orchestration sub-concern, not the service's purpose)
- Tenant.provisioningStatus / provisioningErrors field names (state
  per integration, not service name)
- File services/platform-api/src/tenants/provisioning.service.ts
- 'Hetzner provisioning' references in production-prep docs (infrastructure
  provisioning, unrelated)

Verified end-to-end after rename: /api/me returns 200 with profile + 2
tenants + subscription, /api/tenants/dezky/reconcile returns 200 with
Authentik integration still ok.

OPERATOR-PLAN.md O.0 checkboxes ticked.
Ronni Baslund
2026-05-24 00:35:01 +02:00
parent fb3d7aa716
commit 22b2583f0b
49 changed files with 66 additions and 60 deletions
+4 -4
@@ -130,9 +130,9 @@ EOF
Note: Stalwart's OIDC integration is configured in `infrastructure/docker-compose/configs/stalwart/config.toml`. For local dev with internal users, OIDC is optional.
## 4. Get the API token for provisioning service
## 4. Get the API token for platform-api
The provisioning service needs to call Authentik's API to create tenants, users, and applications. `.env` holds a pre-generated value in `AUTHENTIK_BOOTSTRAP_TOKEN`, but Authentik 2025.10 does **not** materialize that env var into a usable API token on first boot. You need to create the token once and bind it to `akadmin`.
platform-api needs to call Authentik's API to create tenants, users, and applications. `.env` holds a pre-generated value in `AUTHENTIK_BOOTSTRAP_TOKEN`, but Authentik 2025.10 does **not** materialize that env var into a usable API token on first boot. You need to create the token once and bind it to `akadmin`.
### One-time setup
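Review bot: the rewritten paragraph still instructs readers to bind the API token to `akadmin`, so the renamed platform-api keeps running with a superuser-scoped Authentik token; since this is the canonical setup doc, state that scope explicitly and point to a dedicated service user limited to creating tenants, users and applications (or note why `akadmin` is required for now). Minor style: `platform-api` now opens a sentence as plain text; format it as a code span or write "The platform-api service" to match the `services/platform-api` usage elsewhere in the docs.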
@@ -158,7 +158,7 @@ print('Token bound to akadmin')
"
```
Alternative: create the token through the UI — **Directory → Tokens & App passwords → Create**, set `Intent: API`, `User: akadmin`, then copy the key into `.env` and restart the provisioning service.
Alternative: create the token through the UI — **Directory → Tokens & App passwords → Create**, set `Intent: API`, `User: akadmin`, then copy the key into `.env` and restart platform-api.
### Verify it works
@@ -187,7 +187,7 @@ For local dev, you can either:
- Tenant subdomain pattern: `{tenant}.auth.dezky.local`
- More realistic but more setup overhead
For dev, start with Option A. The provisioning service should be built to support Option B from day one (data model includes `tenantId`).
For dev, start with Option A. platform-api should be built to support Option B from day one (data model includes `tenantId`).
## 6. Test SSO flow end-to-end
+6 -6
@@ -41,15 +41,15 @@ Goal: Users can log in to the portal via Authentik.
## Phase 3: Tenant data model (week 1-2) — done
- [x] Mongoose schemas in `services/provisioning/src/schemas/` (Tenant, User, Subscription)
- [x] Mongoose schemas in `services/platform-api/src/schemas/` (Tenant, User, Subscription)
- [x] Tenant: slug, name, status, plan, domains, authentikGroupId, ocisSpaceId, stalwartDomain, billingInfo
- [x] User: authentikSubjectId, tenantIds[], email, name, role, active, lastLoginAt
- [x] Subscription: tenantId, plan, status, stripeCustomerId, stripeSubscriptionId, period dates
- [x] CRUD endpoints behind `JwtAuthGuard` (validates Authentik JWT via JWKS)
- [x] Group-based authorization: users see only tenants whose slug matches one of their Authentik `groups`; `dezky-platform-admins` group has global access
- [x] Idempotent seed (`SeedService`) creates the `dezky` tenant + matching subscription on bootstrap
- [x] Provisioning exposed at `https://api.dezky.local` (Traefik label, dev only) and via internal `http://provisioning:3001`
- [x] Portal Nitro route at `/api/me` forwards the user's encrypted access token to provisioning — verified end-to-end
- [x] platform-api exposed at `https://api.dezky.local` (Traefik label, dev only) and via internal `http://platform-api:3001`
- [x] Portal Nitro route at `/api/me` forwards the user's encrypted access token to platform-api — verified end-to-end
### Endpoints
@@ -91,9 +91,9 @@ upstream-specific work.
| Concern | File |
|---|---|
| Integration clients | `services/provisioning/src/integrations/{authentik,stalwart,ocis}.client.ts` |
| Orchestration | `services/provisioning/src/tenants/provisioning.service.ts` |
| `/tenants/:slug/reconcile` | `services/provisioning/src/tenants/tenants.controller.ts` |
| Integration clients | `services/platform-api/src/integrations/{authentik,stalwart,ocis}.client.ts` |
| Orchestration | `services/platform-api/src/tenants/provisioning.service.ts` |
| `/tenants/:slug/reconcile` | `services/platform-api/src/tenants/tenants.controller.ts` |
| Portal proxy routes | `apps/portal/server/api/tenants/index.post.ts` + `[slug]/reconcile.post.ts` |
### Quick smoke test
+13 -10
@@ -5,7 +5,7 @@ for Dezky staff: managing tenants, partners, operating the platform.
Distinct from the customer portal at `app.dezky.local`. Different OAuth client,
different cookie domain, different surface — though they share Authentik as the
IdP and (eventually) the provisioning service as the backend.
IdP and (eventually) platform-api as the backend.
This file is the running record of decisions made during the design grilling
session. Updated inline as questions resolve.
@@ -42,7 +42,7 @@ renders against mock-data fixtures until its backend is built.
Two genuinely new things on the backend:
1. **Partner schema and CRUD** in `services/provisioning` — id, name, domain,
1. **Partner schema and CRUD** in `services/platform-api` — id, name, domain,
status, customers count (computed), MRR (computed), margin, sinceDate. Tenants
gain an optional `partnerId` field. The existing `dezky` seed gets no partner.
2. **Tenant lifecycle actions** beyond create — suspend, resume, change plan,
@@ -247,15 +247,18 @@ In rough priority order:
Tick boxes as work lands. Each phase is roughly one commit. Phases must be
done in order — earlier ones unblock later ones.
### O.0 · Prep — service rename
### O.0 · Prep — service rename
- [ ] Rename `services/provisioning/``services/platform-api/`
- [ ] Update `package.json` name → `@dezky/platform-api`
- [ ] Update `docker-compose.yml`: container name, service key, network
alias, volume names, env var `PROVISIONING_INTERNAL_URL`
`PLATFORM_API_INTERNAL_URL`
- [ ] Update portal proxy routes to point at `http://platform-api:3001`
- [ ] Verify customer portal `/api/me` still works end-to-end after rename
- [x] Rename `services/provisioning/``services/platform-api/`
- [x] Update `package.json` name → `@dezky/platform-api`
- [x] Update `docker-compose.yml`: container name, service key, volume name,
env var `PROVISIONING_INTERNAL_URL` `PLATFORM_API_INTERNAL_URL`,
NUXT_API_BASE points at new hostname
- [x] Update portal proxy routes to read `PLATFORM_API_INTERNAL_URL` and
default to `http://platform-api:3001`
- [x] Sweep docs (README, CLAUDE.md, SERVICES.md, AUTHENTIK-SETUP.md,
NEXT-STEPS.md, TROUBLESHOOTING.md) for stale references
- [x] Verify customer portal `/api/me` still works end-to-end after rename
### O.1 · Authentik — operator OAuth client
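Review bot: the ticked docker-compose item drops "network alias" from the original plan text, and the commit message mentions only the service key, container name and volume; confirm whether a `provisioning` network alias existed and was removed, because a leftover alias would keep `http://provisioning:3001` resolving and hide stale callers that the rename is meant to surface. The docs-sweep item also lists six files while the commit message additionally names OPERATOR-PLAN.md and traefik/dynamic.yml; list them here so the plan matches what landed.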
+8 -8
@@ -219,7 +219,7 @@ curl -k https://office.dezky.local/hosting/discovery
**Environment:**
- `NUXT_PUBLIC_AUTH_URL`: Authentik URL (client-side)
- `NUXT_API_BASE`: provisioning service URL (server-side)
- `NUXT_API_BASE`: platform-api URL (server-side)
- `MONGODB_URI`: MongoDB connection string
**Debug:**
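Review bot: the Environment list still documents only `NUXT_API_BASE` for the portal, but the O.0 checklist in this same commit says the proxy routes now read `PLATFORM_API_INTERNAL_URL` and default to `http://platform-api:3001`; add that variable here and say which routes use which, otherwise an operator overriding `NUXT_API_BASE` will expect the proxy routes to follow it.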
@@ -233,12 +233,12 @@ docker compose exec portal sh
---
## Provisioning Service (NestJS)
## Platform API (NestJS)
**Container:** `dezky-provisioning`
**Port:** 3001 (internal only)
**Source:** `services/provisioning/`
**Purpose:** Tenant lifecycle, billing webhooks, service orchestration
**Container:** `dezky-platform-api`
**Port:** 3001 (also exposed via Traefik at `api.dezky.local`)
**Source:** `services/platform-api/`
**Purpose:** Platform control plane — tenants, partners, users, subscriptions, provisioning orchestration, billing webhooks
**Endpoints to implement:**
- `POST /tenants` — Create tenant
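Review bot: the **Port** line changes from "3001 (internal only)" to "also exposed via Traefik at `api.dezky.local`", which widens the documented exposure of the service in a commit described as a mechanical rename; NEXT-STEPS.md qualifies the same Traefik label as "dev only", so carry that qualifier here (e.g. `**Port:** 3001 (internal; Traefik route api.dezky.local in dev only)`) so production readers do not take the public route as intended. The expanded **Purpose** line also lists partners, which the commit message says the service will only soon own; mark that as planned or keep the line aligned with what exists.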
@@ -255,8 +255,8 @@ docker compose exec portal sh
**Debug:**
```bash
docker compose logs -f provisioning
docker compose logs -f platform-api
# Test health endpoint
docker compose exec provisioning wget -qO- http://localhost:3001/health
docker compose exec platform-api wget -qO- http://localhost:3001/health
```
+1 -1
@@ -203,7 +203,7 @@ export default defineNuxtConfig({
})
```
### NestJS provisioning doesn't restart
### NestJS platform-api doesn't restart
Same issue. The `start:dev` command uses nodemon under the hood. Make sure your `package.json` has:
```json