feat(platform-api): multi-audience JWT + Partner CRUD + tenant lifecycle (O.2)

JwtAuthGuard now accepts a comma-separated AUTHENTIK_AUDIENCE
('dezky-portal,dezky-operator'). jose.jwtVerify takes an array and succeeds
on any match — both customer-portal and operator-portal tokens validate
against this service. Per-endpoint guards restrict further.

New OperatorGuard enforces operator-only mutations:
  1. JWT audience claim includes 'dezky-operator' (proof from the token
     alone that this is a privileged session)
  2. ActorService-resolved User has platformAdmin=true (DB check so
     revocation works without waiting for the token to expire)
Both required; either alone is insufficient.

Partner module:
  - Partner schema: slug, name, domain, status, marginPct, contactInfo,
    billingInfo. marginPct is one number per partner (decided in grilling)
  - CRUD endpoints under @UseGuards(JwtAuthGuard, OperatorGuard) — every
    partner mutation requires operator scope
  - GET /partners returns each row with a computed customers count from
    aggregating Tenant.partnerId. MRR aggregation deferred until
    Subscription gains a price column
  - GET /partners/:slug/tenants for the partner detail view
  - DELETE soft-terminates (status='terminated') — never hard-delete
    because tenants may still reference the partner

Tenant changes:
  - partnerId?: Types.ObjectId (ref Partner, indexed sparse) added to
    Tenant schema
  - UpdateTenantDto accepts partnerId so PATCH can attach/detach
  - POST /tenants/:slug/suspend and /resume — operator-only via
    OperatorGuard. PATCH already covers plan/domains/partnerId changes

Smoke test: customer-portal session sends POST /api/partners through the
portal proxy → 403 "This endpoint requires an operator-scoped token". The
positive test (operator-token → 200) waits for O.3 when there's an
operator app to mint the right token.

apps/portal/server/api/partners/index.post.ts is a temporary verification
proxy — delete once the operator portal exists.

services/platform-api/src/partners/partners.controller.ts

@@ -0,0 +1,60 @@
+import {
+  Body,
+  Controller,
+  Delete,
+  Get,
+  HttpCode,
+  Param,
+  Patch,
+  Post,
+  UseGuards,
+} from '@nestjs/common'
+import { JwtAuthGuard } from '../auth/jwt-auth.guard.js'
+import { OperatorGuard } from '../auth/operator.guard.js'
+import { CreatePartnerDto } from './dto/create-partner.dto.js'
+import { UpdatePartnerDto } from './dto/update-partner.dto.js'
+import { PartnersService } from './partners.service.js'
+
+// Partners are operator-managed only. Every endpoint requires an
+// operator-scoped token (aud === 'dezky-operator') plus platformAdmin on the
+// resolved user. A self-serve partner portal (partner.dezky.local) is a
+// future surface and will hit different endpoints scoped to "this partner's
+// own customers" rather than the full set.
+@Controller('partners')
+@UseGuards(JwtAuthGuard, OperatorGuard)
+export class PartnersController {
+  constructor(private readonly partners: PartnersService) {}
+
+  @Post()
+  create(@Body() dto: CreatePartnerDto) {
+    return this.partners.create(dto)
+  }
+
+  @Get()
+  async findAll() {
+    const rows = await this.partners.findAllWithStats()
+    return rows.map((r) => ({ ...r.partner.toObject(), customers: r.customers }))
+  }
+
+  @Get(':slug')
+  async findOne(@Param('slug') slug: string) {
+    const row = await this.partners.findOneWithStats(slug)
+    return { ...row.partner.toObject(), customers: row.customers }
+  }
+
+  @Get(':slug/tenants')
+  listTenants(@Param('slug') slug: string) {
+    return this.partners.listTenants(slug)
+  }
+
+  @Patch(':slug')
+  update(@Param('slug') slug: string, @Body() dto: UpdatePartnerDto) {
+    return this.partners.update(slug, dto)
+  }
+
+  @Delete(':slug')
+  @HttpCode(204)
+  async terminate(@Param('slug') slug: string) {
+    await this.partners.terminate(slug)
+  }
+}