diff --git a/infrastructure/production/fleet/apps/platform-api-config.yaml b/infrastructure/production/fleet/apps/platform-api-config.yaml
index c3c906f..3d4fd98 100644
--- a/infrastructure/production/fleet/apps/platform-api-config.yaml
+++ b/infrastructure/production/fleet/apps/platform-api-config.yaml
@@ -23,7 +23,10 @@ data:
   # (PLATFORM_TENANT_SLUG) may claim the apex; nothing under it can be added
   # as a customer domain.
   PLATFORM_TENANT_DOMAIN: "dezky.eu"
-  PLATFORM_TENANT_SLUG: "dezky"
+  PLATFORM_TENANT_SLUG: "dezky-aps"
+  # No auto-seeded tenants in production — the dezky company tenant is
+  # created and owned through the operator like any other.
+  SEED_ENABLED: "false"
   # JWT validation for portal/operator-issued access tokens. Public Authentik
   # URLs on purpose: the token `iss` claim is the public URL, and the pod can
   # hairpin to it through the node's public IP.
diff --git a/infrastructure/production/fleet/apps/platform-api.yaml b/infrastructure/production/fleet/apps/platform-api.yaml
index 016069d..55cf120 100644
--- a/infrastructure/production/fleet/apps/platform-api.yaml
+++ b/infrastructure/production/fleet/apps/platform-api.yaml
@@ -21,7 +21,7 @@ spec:
       annotations:
         # Bump to force a rolling restart when only the ConfigMap changed —
         # pods read it as env, which is only resolved at container start.
-        dezky.eu/config-rev: "3"
+        dezky.eu/config-rev: "4"
     spec:
       containers:
         - name: platform-api