feat(apps): forte-drop web + mcp ArgoCD applications

Two ArgoCD apps from the same forte-drop image:
- forte-drop (web): admin + public drops, sidecar in oidc mode,
  ingress drop-k8s.hackathon.forteapps.net.
- forte-drop-mcp (mcp): MCP-over-HTTP, sidecar in mcp mode,
  ingress mcp.drop-k8s.hackathon.forteapps.net.

Plus two labeled Keycloak client config Secrets — the registrar
creates the OIDC clients in the forte realm within ~2 min.

Sealed secrets (forte-drop-secrets + auth-oidc) added in a
follow-up commit by the maintainer:
  cd /Users/sten/dev/work/forte_k8/launchpad
  kubeseal --format=yaml \
    --controller-name=sealed-secrets-controller \
    --controller-namespace=kube-system \
    < private/forte-drop-secrets.yaml \
    > apps/base/forte-drop/forte-drop-secrets-sealed.yaml
  # auth-oidc: wait for registrar, copy client-secret into private/,
  # then seal as apps/base/forte-drop/auth-oidc-sealed.yaml.
  # (mcp deployment is sidecar type=mcp — no auth-oidc Secret needed;
  # only the web deployment requires it.)

apps/base/forte-drop-mcp/keycloak-client-forte-drop-mcp.yaml

@@ -0,0 +1,27 @@
+# MCP audience client. RFC 7591 dynamic-registration capable MCP clients (e.g.,
+# Claude Desktop) discover this via /.well-known/oauth-protected-resource and
+# request tokens with aud=https://mcp.drop-k8s.hackathon.forteapps.net/mcp.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-client-forte-drop-mcp
+  namespace: forte-drop
+  labels:
+    keycloak.forteapps.net/client-config: "true"
+stringData:
+  client.json: |
+    {
+      "clientId": "forte-drop-mcp",
+      "name": "Forte Drop (MCP)",
+      "enabled": true,
+      "protocol": "openid-connect",
+      "clientAuthenticatorType": "client-secret",
+      "standardFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "publicClient": false,
+      "defaultClientScopes": ["openid","profile","email"],
+      "attributes": {
+        "access.token.lifespan": "3600"
+      }
+    }