feat(domains): reserve the platform namespace + one workspace per domain

dezky.eu doubles as the platform's infrastructure domain AND the company's
own employee mail domain (added to the dezky tenant via the normal Domains
flow). Guard rails in DomainsService.add:
- a domain already used by ANY other workspace is rejected — Stalwart's
  idempotent ensureDomain would otherwise silently share one mail domain
  (and its mailboxes) between tenants
- the PLATFORM_TENANT_DOMAIN apex is claimable only by the dezky tenant;
  everything under it (per-tenant service domains, auth/api/mail/* infra
  hosts) is reserved outright

Set PLATFORM_TENANT_DOMAIN=dezky.eu in the prod ConfigMap (was unset, so
prod service domains would have been {slug}.dezky.local) and align the
seeded dezky tenant's display domain with the environment.

infrastructure/production/fleet/apps/platform-api-config.yaml

@@ -14,6 +14,10 @@ data:
   STALWART_API_URL: "http://10.42.0.1:8080"
   STALWART_ADMIN_USER: "admin"
   STALWART_PROVISIONING_ENABLED: "true"
+  # Base for per-tenant service mail domains ({slug}.dezky.eu) AND the
+  # reserved namespace for customer domains: only the dezky tenant may claim
+  # the apex; nothing under it can be added as a customer domain.
+  PLATFORM_TENANT_DOMAIN: "dezky.eu"
   # JWT validation for portal/operator-issued access tokens. Public Authentik
   # URLs on purpose: the token `iss` claim is the public URL, and the pod can
   # hairpin to it through the node's public IP.