feat(apps): forte-drop web + mcp ArgoCD applications

Two ArgoCD apps from the same forte-drop image:
- forte-drop (web): admin + public drops, sidecar in oidc mode,
  ingress drop-k8s.hackathon.forteapps.net.
- forte-drop-mcp (mcp): MCP-over-HTTP, sidecar in mcp mode,
  ingress mcp.drop-k8s.hackathon.forteapps.net.

Plus two labeled Keycloak client config Secrets — the registrar
creates the OIDC clients in the forte realm within ~2 min.

Sealed secrets (forte-drop-secrets + auth-oidc) added in a
follow-up commit by the maintainer:
  cd /Users/sten/dev/work/forte_k8/launchpad
  kubeseal --format=yaml \
    --controller-name=sealed-secrets-controller \
    --controller-namespace=kube-system \
    < private/forte-drop-secrets.yaml \
    > apps/base/forte-drop/forte-drop-secrets-sealed.yaml
  # auth-oidc: wait for registrar, copy client-secret into private/,
  # then seal as apps/base/forte-drop/auth-oidc-sealed.yaml.
  # (mcp deployment is sidecar type=mcp — no auth-oidc Secret needed;
  # only the web deployment requires it.)

apps/base/forte-drop-mcp/forte-drop-mcp.yaml

@@ -0,0 +1,37 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: forte-drop-mcp
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
+    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
+    notifications.argoproj.io/subscribe.on-degraded.slack: ""
+  labels:
+    app.kubernetes.io/name: forte-drop-mcp
+    app.kubernetes.io/part-of: apps
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  sources:
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
+    path: forteapp
+    targetRevision: HEAD
+    helm:
+      valueFiles:
+      - $values/forte-drop-mcp/values.yaml
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
+    targetRevision: HEAD
+    ref: values
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: forte-drop
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true

apps/base/forte-drop-mcp/keycloak-client-forte-drop-mcp.yaml

@@ -0,0 +1,27 @@
+# MCP audience client. RFC 7591 dynamic-registration capable MCP clients (e.g.,
+# Claude Desktop) discover this via /.well-known/oauth-protected-resource and
+# request tokens with aud=https://mcp.drop-k8s.hackathon.forteapps.net/mcp.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-client-forte-drop-mcp
+  namespace: forte-drop
+  labels:
+    keycloak.forteapps.net/client-config: "true"
+stringData:
+  client.json: |
+    {
+      "clientId": "forte-drop-mcp",
+      "name": "Forte Drop (MCP)",
+      "enabled": true,
+      "protocol": "openid-connect",
+      "clientAuthenticatorType": "client-secret",
+      "standardFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "publicClient": false,
+      "defaultClientScopes": ["openid","profile","email"],
+      "attributes": {
+        "access.token.lifespan": "3600"
+      }
+    }

apps/base/forte-drop-mcp/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- forte-drop-mcp.yaml
+- keycloak-client-forte-drop-mcp.yaml
+# - auth-oidc-sealed.yaml                   # added in follow-up commit

apps/base/forte-drop/forte-drop.yaml

@@ -0,0 +1,37 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: forte-drop
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
+    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
+    notifications.argoproj.io/subscribe.on-degraded.slack: ""
+  labels:
+    app.kubernetes.io/name: forte-drop
+    app.kubernetes.io/part-of: apps
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  sources:
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
+    path: forteapp
+    targetRevision: HEAD
+    helm:
+      valueFiles:
+      - $values/forte-drop/values.yaml
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
+    targetRevision: HEAD
+    ref: values
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: forte-drop
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true

apps/base/forte-drop/keycloak-client-forte-drop.yaml

@@ -0,0 +1,28 @@
+# Labeled config Secret read by the Keycloak Client Registrar. The registrar will
+# create the OIDC client in the forte realm and write the resulting credentials
+# back into forte-drop-oidc-credentials Secret in this namespace within ~2 min.
+# That client-secret then gets manually copied into the auth-oidc SealedSecret
+# (one-time per cluster; see PR description).
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-client-forte-drop
+  namespace: forte-drop
+  labels:
+    keycloak.forteapps.net/client-config: "true"
+stringData:
+  client.json: |
+    {
+      "clientId": "forte-drop",
+      "name": "Forte Drop (web)",
+      "enabled": true,
+      "protocol": "openid-connect",
+      "clientAuthenticatorType": "client-secret",
+      "standardFlowEnabled": true,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "publicClient": false,
+      "redirectUris": ["https://drop-k8s.hackathon.forteapps.net/auth/callback"],
+      "webOrigins": ["https://drop-k8s.hackathon.forteapps.net"],
+      "defaultClientScopes": ["openid","email","profile"]
+    }

apps/base/forte-drop/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- forte-drop.yaml
+- keycloak-client-forte-drop.yaml
+# - forte-drop-secrets-sealed.yaml          # added in follow-up commit
+# - auth-oidc-sealed.yaml                   # added in follow-up commit (after Keycloak registrar creates client_secret)

apps/base/kustomization.yaml

@@ -6,3 +6,5 @@ resources:
 - musicman
 - ts-mcp
 - argo-mcp
+- forte-drop
+- forte-drop-mcp