refactor(apps): registrar-managed oidc creds, drop mcp client, DRY secret

Per platform review (danijel):
- keycloak-client-forte-drop: add the secret{} block telling the
  registrar where to write the credential Secret + key names
  (forte-drop-oidc-credentials, client-id/client-secret). The
  forte-helm oidc sidecar consumes that registrar-created Secret —
  no manual auth-oidc SealedSecret step (removed that NOTE).
- Delete keycloak-client-forte-drop-mcp: auth.type: mcp auto-registers
  the MCP client; no manual config needed.
- Re-seal forte-drop-secrets with all shared env (BASE_DOMAIN, PG*,
  S3_*, PASSWORD_GATE_SECRET) so both deployments get identical values
  via envSecretName (values extraEnv now carries only APP_MODE).

apps/base/forte-drop-mcp/kustomization.yaml

@@ -2,8 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - forte-drop-mcp.yaml
-- keycloak-client-forte-drop-mcp.yaml
-# Note: no auth-oidc Secret needed for type: mcp. The MCP sidecar only validates
-# tokens against the OIDC issuer (RFC 9728 resource server) and never authenticates
-# itself, so it doesn't read a client-secret. forte-drop-secrets (shared with the
-# web deployment) covers PG + S3 creds.
+# No keycloak-client config + no auth-oidc Secret for mcp mode. The chart's
+# auth.type: mcp auto-registers the MCP client; the sidecar is an RFC 9728
+# resource server that validates tokens (no client-secret of its own).
+# forte-drop-secrets (shared with web) covers PG + S3 creds.