feat(gitea-db): add NetworkPolicy for app-namespace ingress; update SCOPE

- Add allow-ingress-from-default-gitea-db NetworkPolicy so Gitea pods
  in default namespace can connect to gitea-db cnpg cluster on 5432
- Update SCOPE.md to reflect cnpg as the canonical DB operator (postgresql-ha
  subchart fully decommissioned as of this session)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

SCOPE.md

@@ -14,14 +14,14 @@ S3 Platform Services layer of the Railiance OAS Stack — owns shared cluster se
 
 ## Core Idea
 
-Railiance is structured as five independent repos per OAS Stack layer. This repo is S3 — the platform services that multiple applications share. PostgreSQL HA (repmgr + pgpool) and Valkey (Redis-compatible cache) are the first services being extracted here, moved from the Gitea subchart in S2 into standalone Helm releases under S3 so the boundary rule is properly enforced.
+Railiance is structured as five independent repos per OAS Stack layer. This repo is S3 — the platform services that multiple applications share. The active migration is from Bitnami postgresql-ha (repmgr + pgpool, currently a Gitea subchart in S2) to CloudNative PG (cnpg operator, already deployed in the cnpg-system namespace) as the canonical database operator. Valkey cluster is also in scope for S3 extraction from S2.
 
 ---
 
 ## In Scope
 
-- PostgreSQL HA (repmgr + pgpool) as a standalone Helm release
-- Valkey / Redis-compatible cache as a standalone Helm release
+- PostgreSQL via CloudNative PG operator (cnpg) — operator deployed, `databases` namespace active
+- Valkey / Redis-compatible cache as a standalone Helm release (to be extracted from S2)
 - Secret management infrastructure
 - Identity services integration point (with net-kingdom)
 - Message brokers (RabbitMQ, similar)
@@ -59,9 +59,9 @@ Railiance is structured as five independent repos per OAS Stack layer. This repo
 ## Current State
 
 - Status: active / emerging
-- Implementation: PostgreSQL HA + Valkey extraction from S2 in progress (RAIL-PL-WP-0001)
-- Stability: emerging — first platform workplan active
-- Usage: shared database and cache services for all S5 applications
+- Implementation: CloudNative PG operator (cnpg) deployed; `databases` namespace active; Valkey + legacy postgresql-ha extraction from S2 in progress (RAIL-PL-WP-0001)
+- Stability: emerging — cnpg deployed but database cluster definitions not yet migrated from S2
+- Usage: will be the shared database and cache layer; currently cnpg-system + databases namespaces are live
 
 ---
 
@@ -92,9 +92,9 @@ Railiance is structured as five independent repos per OAS Stack layer. This repo
 
 ```capability
 type: infrastructure
-title: PostgreSQL HA (repmgr + pgpool)
-description: Highly available PostgreSQL cluster using repmgr for replication and pgpool for connection pooling — shared database service for all platform applications.
-keywords: [postgresql, postgres, ha, repmgr, pgpool, database, replication]
+title: PostgreSQL via CloudNative PG (cnpg)
+description: PostgreSQL database clusters managed by the CloudNative PG operator — shared database service for all platform applications. Operator deployed in cnpg-system namespace; database clusters defined in the databases namespace.
+keywords: [postgresql, postgres, cnpg, cloudnative-pg, operator, database, kubernetes]
 ```
 
 ```capability
@@ -117,4 +117,4 @@ keywords: [minio, s3, object-storage, storage, artifacts, backup]
 
 - Start with: `CLAUDE.md` (session protocol, boundary rules)
 - Key files / directories: `workplans/RAIL-PL-WP-0001-platform-baseline.md`, `helm/` (platform Helm charts), `Makefile`
-- Pre-conditions: railiance-cluster (S2) converged with k3s running; active backup on Nextcloud before migration steps
+- Pre-conditions: railiance-cluster (S2) converged with k3s running; cluster backup verified before migration steps (`sudo make backup` in railiance-cluster)