feat(creds): implement NK-WP-0004 Credential Management Foundation

- .sops.yaml + keys/age.pub: SOPS age encryption for all secrets/ paths
- .gitignore: broad secrets/ catch-all (any depth)
- .githooks/pre-commit: blocks unencrypted secrets/, *.env outside bootstrap/,
  and known plaintext patterns (PI_SECRET_KEY=, LLDAP_JWT_SECRET=, etc.)
- Makefile: full credential lifecycle (creds-init/generate/bundle/apply/verify/
  status/rotate) + SOPS helpers (sops-setup/edit/encrypt/decrypt/rotate/check-secrets)
  + hooks/hooks-test
- creds-apply.sh: runs create-secrets.sh in dependency order (postgresql → lldap →
  authelia → privacyidea), skips keycape with printed instructions, updates state
- creds-verify.sh: checks all K8s secrets exist, updates creds-state.yaml
- creds-status.sh: human-readable state table from creds-state.yaml
- creds-rotate.sh: guided rotation for all 9 secret types with impact descriptions
  and atomic multi-component update sequences
- creds-state.yaml: committable state file tracking generation, bundle, KeePassXC
  confirmation, per-component apply status, enckey and pi-admin bootstrap flags

NK-WP-0003-T01 unblocked. /creds-bootstrap skill registered separately.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

sso-mfa/bootstrap/creds-status.sh

@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+# creds-status.sh — print a human-readable credential state table.
+#
+# Usage:
+#   bash sso-mfa/bootstrap/creds-status.sh
+#   make creds-status
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+STATE_FILE="${1:-$SCRIPT_DIR/creds-state.yaml}"
+
+if [[ ! -f "$STATE_FILE" ]]; then
+    echo "ERROR: creds-state.yaml not found: $STATE_FILE" >&2
+    echo "       This file is created at repo init — check your working directory." >&2
+    exit 1
+fi
+
+# Simple key extractors (no yaml lib dependency)
+top_val()    { grep -E "^$1:" "$STATE_FILE" | sed 's/^[^:]*: *//' | sed 's/ *#.*//' | tr -d '"'; }
+nested_val() { grep -E "^  $1:" "$STATE_FILE" | sed 's/^[^:]*: *//' | sed 's/ *#.*//' | tr -d '"'; }
+
+status_icon() {
+    case "$1" in
+        true)  echo "✔" ;;
+        false) echo "✗" ;;
+        null)  echo "—" ;;
+        *)     echo "?" ;;
+    esac
+}
+
+echo "=== net-kingdom Credential State ==="
+echo ""
+
+generated_at="$(top_val generated_at)"
+bundle_at="$(top_val bundle_at)"
+keepass_confirmed="$(top_val keepass_confirmed)"
+
+printf "  %-30s %s\n" "Generated at:"      "${generated_at:-—}"
+printf "  %-30s %s\n" "Bundle at:"         "${bundle_at:-—}"
+printf "  %-30s %s  %s\n" "KeePassXC confirmed:" \
+    "$(status_icon "$keepass_confirmed")" \
+    "$([ "$keepass_confirmed" = "false" ] && echo "(set keepass_confirmed: true manually)" || true)"
+echo ""
+
+echo "  Secrets applied:"
+for component in postgres lldap authelia privacyidea keycape; do
+    val="$(nested_val "$component")"
+    note=""
+    [[ "$component" == "keycape" && "$val" == "false" ]] && \
+        note=" (requires PI_ADMIN_TOKEN — post-T04)"
+    printf "    %-28s %s%s\n" "$component" "$(status_icon "$val")" "$note"
+done
+echo ""
+
+enckey="$(top_val enckey_bootstrapped)"
+pi_admin="$(top_val pi_admin_created)"
+
+printf "  %-30s %s%s\n" "enckey bootstrapped:" \
+    "$(status_icon "$enckey")" \
+    "$([ "$enckey" = "false" ] && echo "  ← TIME-SENSITIVE once pod is live" || true)"
+printf "  %-30s %s\n" "pi-admin created:" "$(status_icon "$pi_admin")"
+
+echo ""
+echo "Run 'make creds-verify' to refresh state from the live cluster."