chore(services): rename services/provisioning -> services/platform-api

O.0 prep from OPERATOR-PLAN.md. Mechanical refactor before adding partner
management and operator-specific endpoints. The service now owns more than
just provisioning orchestration (it'll soon own partners, tenant lifecycle
actions, multi-audience JWT validation), so the name 'platform-api' reflects
its scope better.

What changed:
- Directory: services/provisioning/ -> services/platform-api/
- Package: @dezky/provisioning -> @dezky/platform-api
- Docker: container_name dezky-provisioning -> dezky-platform-api;
  compose service key 'provisioning' -> 'platform-api'; volume
  provisioning_node_modules -> platform_api_node_modules
- Portal: PROVISIONING_INTERNAL_URL env var -> PLATFORM_API_INTERNAL_URL,
  default URL http://provisioning:3001 -> http://platform-api:3001 in all
  three proxy routes (me.get.ts, tenants/index.post.ts, tenants/[slug]/
  reconcile.post.ts), plus NUXT_API_BASE updated
- Health endpoint service identifier and main.ts log lines updated to
  'dezky-platform-api'
- Docs swept: README, CLAUDE.md, SERVICES.md, AUTHENTIK-SETUP.md,
  NEXT-STEPS.md, TROUBLESHOOTING.md, OPERATOR-PLAN.md, traefik/dynamic.yml

What deliberately stays:
- Internal module names ProvisioningService / ProvisioningModule (those
  describe an orchestration sub-concern, not the service's purpose)
- Tenant.provisioningStatus / provisioningErrors field names (state
  per integration, not service name)
- File services/platform-api/src/tenants/provisioning.service.ts
- 'Hetzner provisioning' references in production-prep docs (infrastructure
  provisioning, unrelated)

Verified end-to-end after rename: /api/me returns 200 with profile + 2
tenants + subscription, /api/tenants/dezky/reconcile returns 200 with
Authentik integration still ok.

OPERATOR-PLAN.md O.0 checkboxes ticked.

services/platform-api/src/users/users.controller.ts

@@ -0,0 +1,102 @@
+import {
+  Body,
+  Controller,
+  Delete,
+  ForbiddenException,
+  Get,
+  HttpCode,
+  Param,
+  Patch,
+  Post,
+  UseGuards,
+} from '@nestjs/common'
+import { ConfigService } from '@nestjs/config'
+import { ActorService } from '../auth/actor.service.js'
+import { CurrentUser } from '../auth/current-user.decorator.js'
+import { JwtAuthGuard } from '../auth/jwt-auth.guard.js'
+import type { AuthentikJwtPayload } from '../auth/jwt-payload.interface.js'
+import { CreateUserDto } from './dto/create-user.dto.js'
+import { UpdateUserDto } from './dto/update-user.dto.js'
+import { UsersService } from './users.service.js'
+
+// Authentik group name that grants platform-wide admin in Dezky. This is the ONLY
+// place we look at the JWT's groups claim outside of /users/me — and even here it's
+// just for the bootstrap: the resulting platformAdmin boolean on the User doc is
+// what every other endpoint reads.
+const ADMIN_BOOTSTRAP_GROUP_DEFAULT = 'dezky-platform-admins'
+
+@Controller('users')
+@UseGuards(JwtAuthGuard)
+export class UsersController {
+  private readonly adminBootstrapGroup: string
+
+  constructor(
+    private readonly users: UsersService,
+    private readonly actor: ActorService,
+    config: ConfigService,
+  ) {
+    this.adminBootstrapGroup =
+      config.get<string>('PLATFORM_ADMIN_BOOTSTRAP_GROUP') ?? ADMIN_BOOTSTRAP_GROUP_DEFAULT
+  }
+
+  // The signed-in user's own profile — bootstraps the user record on first call,
+  // and syncs name/email/tenants/platformAdmin from the JWT on every subsequent call.
+  @Get('me')
+  async me(@CurrentUser() jwt: AuthentikJwtPayload) {
+    return this.users.upsertFromAuthentik({
+      subject: jwt.sub,
+      email: jwt.email ?? jwt.preferred_username ?? jwt.sub,
+      name: jwt.name ?? jwt.preferred_username ?? jwt.email ?? jwt.sub,
+      tenantSlugs: jwt.groups ?? [],
+      platformAdmin: jwt.groups?.includes(this.adminBootstrapGroup) ?? false,
+    })
+  }
+
+  @Post()
+  async create(@Body() dto: CreateUserDto, @CurrentUser() jwt: AuthentikJwtPayload) {
+    const actor = await this.actor.resolve(jwt)
+    if (!actor.platformAdmin) {
+      throw new ForbiddenException('Only platform admins can create users directly')
+    }
+    return this.users.create(dto)
+  }
+
+  @Get()
+  async findAll(@CurrentUser() jwt: AuthentikJwtPayload) {
+    const actor = await this.actor.resolve(jwt)
+    if (actor.platformAdmin) return this.users.findAll()
+    return this.users.findAllForTenants(actor.tenantIds)
+  }
+
+  @Get(':subject')
+  async findOne(@Param('subject') subject: string, @CurrentUser() jwt: AuthentikJwtPayload) {
+    const actor = await this.actor.resolve(jwt)
+    if (subject !== jwt.sub && !actor.platformAdmin) {
+      throw new ForbiddenException('Cannot read other users')
+    }
+    return this.users.findOneBySubject(subject)
+  }
+
+  @Patch(':subject')
+  async update(
+    @Param('subject') subject: string,
+    @Body() dto: UpdateUserDto,
+    @CurrentUser() jwt: AuthentikJwtPayload,
+  ) {
+    const actor = await this.actor.resolve(jwt)
+    if (!actor.platformAdmin) {
+      throw new ForbiddenException('Only platform admins can update users')
+    }
+    return this.users.update(subject, dto)
+  }
+
+  @Delete(':subject')
+  @HttpCode(204)
+  async deactivate(@Param('subject') subject: string, @CurrentUser() jwt: AuthentikJwtPayload) {
+    const actor = await this.actor.resolve(jwt)
+    if (!actor.platformAdmin) {
+      throw new ForbiddenException('Only platform admins can deactivate users')
+    }
+    await this.users.deactivate(subject)
+  }
+}