feat: bring up local dev stack — all services running

- Ory Hydra + Kratos: fixed secret management, DSN config, DB migrations,
  OAuth2Client CRD (helm template skips crds/ dir), login-ui env vars
- SeaweedFS: added s3.json credentials file via -s3.config CLI flag
- OpenBao: standalone mode with auto-unseal sidecar, keys in K8s secret
- OpenSearch: increased memory to 1.5Gi / JVM 1g heap
- Gitea: SSL_MODE disable, S3 bucket creation fixed
- Hive: automountServiceAccountToken: false (Lima virtiofs read-only rootfs quirk)
- LiveKit: API keys in values, hostPort conflict resolved
- Linkerd: native sidecar (proxy.nativeSidecar=true) to avoid blocking Jobs
- All placeholder images replaced: pingora→nginx:alpine, login-ui→oryd/kratos-selfservice-ui-node

Full stack running: postgres, valkey, openbao, opensearch, seaweedfs,
kratos, hydra, gitea, livekit, hive (placeholder), login-ui

base/data/openbao-keys-placeholder.yaml

@@ -0,0 +1,9 @@
+# Placeholder secret — replaced by the init script after `bao operator init`.
+# Exists so the auto-unseal sidecar's volume mount doesn't block pod startup.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: openbao-keys
+  namespace: data
+type: Opaque
+data: {}