feat(devtools): deploy Penpot + MCP server, wildcard TLS via DNS-01

Penpot (designer.sunbeam.pt):
- Frontend/backend/exporter deployments with OIDC-only auth via Hydra
- VSO-managed DB, S3, and app secrets from OpenBao
- PostgreSQL user/db in CNPG postInitSQL
- Hydra Maester enabledNamespaces extended to devtools

Penpot MCP server (mcp-designer.sunbeam.pt):
- Pre-built Node.js image pushed to Gitea registry
- Auth-gated via Pingora auth_request → Hydra /userinfo
- WebSocket path for browser plugin connection

Wildcard TLS:
- Switched cert-manager from HTTP-01 (per-SAN) to DNS-01 via Scaleway webhook
- Certificate collapsed to *.sunbeam.pt + sunbeam.pt
- Added scaleway-certmanager-webhook Helm chart
- VSO secret for Scaleway DNS API credentials in cert-manager namespace
- Added cert-manager to OpenBao VSO auth role

base/devtools/penpot-mcp.Dockerfile

@@ -0,0 +1,12 @@
+FROM node:22-alpine
+RUN npm install -g pnpm@latest @penpot/mcp@latest && \
+    cd /usr/local/lib/node_modules/@penpot/mcp && \
+    pnpm -r install && \
+    pnpm run build
+ENV PENPOT_MCP_REMOTE_MODE=true \
+    PENPOT_MCP_SERVER_HOST=0.0.0.0 \
+    PENPOT_MCP_SERVER_PORT=4401 \
+    PENPOT_MCP_WEBSOCKET_PORT=4402
+EXPOSE 4401 4402
+WORKDIR /usr/local/lib/node_modules/@penpot/mcp
+CMD ["pnpm", "run", "start"]