feat(apps): forte-drop web + mcp argocd apps (prod) (#18)

## Summary

ArgoCD Applications + Keycloak clients + sealed secret for forte-drop **web + mcp** (PROD).

## What changed

- **forte-drop** + **forte-drop-mcp** ArgoCD Applications (two-source: forte-helm chart + helm-prod-values).
- **namespace.yaml** — explicit `forte-drop` Namespace at sync-wave -1, `Prune=false` (avoids first-sync race for namespaced resources; doesn't cascade-delete on base removal).
- **keycloak-client-forte-drop** + **keycloak-client-forte-drop-mcp** — labeled config Secrets; the registrar creates the OIDC clients in the `forte` realm within ~2 min.
- **forte-drop-secrets** SealedSecret — UpCloud S3 creds (existing drops bucket) + PG creds + PASSWORD_GATE_SECRET. Consumed by both deployments + the pg-backup CronJob.
- **forte-drop-web PDB** — minAvailable 1 (selector verified against the live forteapp chart's pod labels).
- Wired into `apps/overlays/upc-dev` (NOT base → stays out of upc-prod).

## Post-merge manual step (one-time)

`auth-oidc` SealedSecret for the web sidecar is still commented out — it needs the `client-secret` the Keycloak registrar writes to `forte-drop-oidc-credentials` after first sync:

```bash
CLIENT_SECRET=$(kubectl -n forte-drop get secret forte-drop-oidc-credentials -o jsonpath='{.data.client-secret}' | base64 -d)
kubectl create secret generic auth-oidc -n forte-drop \
  --from-literal=client-secret="$CLIENT_SECRET" \
  --from-literal=cookie-secret="$(openssl rand -hex 32)" \
  --dry-run=client -o yaml > private/auth-oidc.yaml
kubeseal --format=yaml --controller-name=sealed-secrets-controller --controller-namespace=kube-system \
  < private/auth-oidc.yaml > apps/base/forte-drop/auth-oidc-sealed.yaml
# uncomment in kustomization, commit, push
```

## Depends on

- launchpad PR #17 (postgres + namespace via CreateNamespace).
- helm-prod-values forte-drop PR (values).

## Review

- [x] codex: namespace first-sync race → fixed (explicit namespace, sync-wave -1).
- [x] Keycloak registrar unblocked (stale chibisafe/minio config secrets removed; registrar green).

🤖 Generated with Claude Code

Co-authored-by: Sten <sten@Sten-sin-MacBook-Pro.local>
Co-authored-by: Sten <sten@Mac.domain_not_set.invalid>
Co-authored-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>
Reviewed-on: #18
Reviewed-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>

apps/overlays/upc-dev/forte-drop/keycloak-client-forte-drop.yaml

@@ -0,0 +1,38 @@
+# Labeled config Secret read by the Keycloak Client Registrar. Kyverno clones it
+# to the keycloak namespace; a CronJob registers the OIDC client in the forte
+# realm and writes the credentials back as forte-drop-oidc-credentials in THIS
+# namespace (~2 min). The forte-helm auth sidecar (auth.type: oidc) consumes that
+# registrar-created Secret automatically — no manual SealedSecret step needed.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-client-forte-drop
+  namespace: forte-drop
+  labels:
+    keycloak.forteapps.net/client-config: "true"
+  annotations:
+    keycloak.forteapps.net/source-namespace: "forte-drop"
+stringData:
+  client.json: |
+    {
+      "clientId": "forte-drop",
+      "name": "Forte Drop (web)",
+      "enabled": true,
+      "protocol": "openid-connect",
+      "clientAuthenticatorType": "client-secret",
+      "standardFlowEnabled": true,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "publicClient": false,
+      "redirectUris": ["https://drop.forteapps.net/auth/callback"],
+      "webOrigins": ["https://drop.forteapps.net"],
+      "defaultClientScopes": ["openid","email","profile"],
+      "secret": {
+        "namespace": "forte-drop",
+        "name": "forte-drop-oidc-credentials",
+        "keys": {
+          "clientId": "client-id",
+          "clientSecret": "client-secret"
+        }
+      }
+    }