RAILIANCE-WP-0003 T02-T06: provision shared apps-pg cnpg cluster

Adds the shared CloudNativePG cluster apps-pg for S5 application
databases:
- helm/apps-pg-cluster.yaml — Cluster CR, PG 16, 1 instance, 10Gi
- helm/apps-pg-networkpolicies.yaml — egress-to-kube-api +
  ingress-from-cnpg-operator + label-based ingress opt-in
  (railiance.io/postgres-client=apps-pg)
- helm/apps-pg-secret.sops.yaml.template — bootstrap credential
  template (encrypt with SOPS before committing the real .sops.yaml)
- Makefile targets: apps-pg-deploy, apps-pg-status (with cnpg-plugin
  fallback), apps-pg-shell (apps_admin/apps_meta), apps-pg-logs
- docs/apps-pg.md (codex) — consumer onboarding contract clarifying
  the CNPG 1.28 role/database lifecycle boundary

Also fixes helm/gitea-db-cluster.yaml: spec.postgresql.version is not
a valid CNPG v1 field (strict decoding rejects it). Replaced with
spec.imageName matching the live cluster (postgresql:18.1-system-trixie)
so make db-deploy is a no-op instead of an apply rejection.

Live state at commit time: Cluster apps-pg in healthy state, primary
apps-pg-1 Running, smoke-tested via psql from a labeled temp ns.

Co-Authored-By: codex <noreply@openai.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

helm/apps-pg-cluster.yaml

@@ -0,0 +1,44 @@
+---
+# Shared CNPG Cluster for S5 application databases (RAILIANCE-WP-0003).
+# Owned by railiance-platform (S3). Operator lives in cnpg-system.
+#
+# Apply: kubectl apply -f helm/apps-pg-cluster.yaml
+# Status: kubectl cnpg status apps-pg -n databases   (requires cnpg kubectl plugin)
+#         or: kubectl get cluster apps-pg -n databases -o wide
+#
+# Pre-condition: apps-pg-credentials Secret must exist in databases ns.
+#   See helm/apps-pg-secret.sops.yaml.template for the bootstrap recipe.
+#
+# Consumer onboarding: see docs/apps-pg.md. The bootstrap role apps_admin
+# and meta DB apps_meta exist only to anchor the cluster; per-app roles
+# and databases are added through the documented onboarding contract.
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: apps-pg
+  namespace: databases
+  labels:
+    app.kubernetes.io/name: apps-pg
+    app.kubernetes.io/component: database
+    app.kubernetes.io/managed-by: manual
+    railiance.io/layer: s3-platform
+    railiance.io/role: shared-apps-database
+spec:
+  instances: 1   # bump to 3 when node RAM > 8GB
+  imageName: ghcr.io/cloudnative-pg/postgresql:16
+  storage:
+    size: 10Gi
+  bootstrap:
+    initdb:
+      database: apps_meta
+      owner: apps_admin
+      secret:
+        name: apps-pg-credentials
+  # HA replica + connection pooler are deferred (RAILIANCE-WP-0003 Notes):
+  # managed:
+  #   services:
+  #     additional:
+  #       - selectorType: rw
+  #         serviceTemplate:
+  #           metadata:
+  #             name: apps-pg-pooler-rw