chore(services): rename services/provisioning -> services/platform-api

O.0 prep from OPERATOR-PLAN.md. Mechanical refactor before adding partner
management and operator-specific endpoints. The service now owns more than
just provisioning orchestration (it'll soon own partners, tenant lifecycle
actions, multi-audience JWT validation), so the name 'platform-api' reflects
its scope better.

What changed:
- Directory: services/provisioning/ -> services/platform-api/
- Package: @dezky/provisioning -> @dezky/platform-api
- Docker: container_name dezky-provisioning -> dezky-platform-api;
  compose service key 'provisioning' -> 'platform-api'; volume
  provisioning_node_modules -> platform_api_node_modules
- Portal: PROVISIONING_INTERNAL_URL env var -> PLATFORM_API_INTERNAL_URL,
  default URL http://provisioning:3001 -> http://platform-api:3001 in all
  three proxy routes (me.get.ts, tenants/index.post.ts, tenants/[slug]/
  reconcile.post.ts), plus NUXT_API_BASE updated
- Health endpoint service identifier and main.ts log lines updated to
  'dezky-platform-api'
- Docs swept: README, CLAUDE.md, SERVICES.md, AUTHENTIK-SETUP.md,
  NEXT-STEPS.md, TROUBLESHOOTING.md, OPERATOR-PLAN.md, traefik/dynamic.yml

What deliberately stays:
- Internal module names ProvisioningService / ProvisioningModule (those
  describe an orchestration sub-concern, not the service's purpose)
- Tenant.provisioningStatus / provisioningErrors field names (state
  per integration, not service name)
- File services/platform-api/src/tenants/provisioning.service.ts
- 'Hetzner provisioning' references in production-prep docs (infrastructure
  provisioning, unrelated)

Verified end-to-end after rename: /api/me returns 200 with profile + 2
tenants + subscription, /api/tenants/dezky/reconcile returns 200 with
Authentik integration still ok.

OPERATOR-PLAN.md O.0 checkboxes ticked.

infrastructure/docker-compose/docker-compose.yml

@@ -29,7 +29,7 @@ volumes:
   ocis_config:
   ocis_data:
   portal_node_modules:
-  provisioning_node_modules:
+  platform_api_node_modules:
 
 services:
   # ─────────────────────────────────────────────────────────────────
@@ -361,7 +361,8 @@ services:
       NUXT_PORT: 3000
       NUXT_PUBLIC_AUTH_URL: https://auth.dezky.local
       NUXT_PUBLIC_PORTAL_URL: https://app.dezky.local
-      NUXT_API_BASE: http://provisioning:3001
+      NUXT_API_BASE: http://platform-api:3001
+      PLATFORM_API_INTERNAL_URL: http://platform-api:3001
       MONGODB_URI: mongodb://root:${MONGO_ROOT_PASSWORD}@mongo:27017/dezky?authSource=admin
       # OIDC (confidential client) — used by Nuxt server middleware
       NUXT_OIDC_CLIENT_ID: ${PORTAL_OIDC_CLIENT_ID}
@@ -389,11 +390,12 @@ services:
       - traefik.http.services.portal.loadbalancer.server.port=3000
 
   # ─────────────────────────────────────────────────────────────────
-  # Provisioning service — NestJS worker for tenant lifecycle
+  # platform-api — NestJS service. Owns tenants, partners, users,
+  # subscriptions, and provisioning orchestration.
   # ─────────────────────────────────────────────────────────────────
-  provisioning:
+  platform-api:
     image: node:20-alpine
-    container_name: dezky-provisioning
+    container_name: dezky-platform-api
     restart: unless-stopped
     working_dir: /app
     command: sh -c "corepack enable && corepack prepare pnpm@latest --activate && pnpm install && pnpm start:dev"
@@ -414,8 +416,8 @@ services:
       # Trust mkcert root CA for Node fetch (dev only)
       NODE_EXTRA_CA_CERTS: /etc/ssl/mkcert-root.pem
     volumes:
-      - ../../services/provisioning:/app
-      - provisioning_node_modules:/app/node_modules
+      - ../../services/platform-api:/app
+      - platform_api_node_modules:/app/node_modules
       - ./certs/mkcert-root.pem:/etc/ssl/mkcert-root.pem:ro
     networks: [dezky]
     depends_on: