
deploy: stand up staging cluster + bucket and verify end-to-end #36

@themightychris

Description


Carry-forward from the deploy plan (PR #35).

The deploy plan landed the artifacts (Dockerfile, Helm chart, GH Actions workflows, ops docs) but several validation criteria are unverifiable from a dev workstation because they require cluster access and a real bucket. This issue tracks the human-in-the-loop work to actually stand up staging.

Work

  • Provision a `codeforphilly-staging` namespace on the existing k8s cluster (`k8s.phl.io` per plan, or whichever cluster the team picks).
  • Issue a kubeconfig scoped to that namespace; base64-encode it and store as the staging GitHub Environment secret `KUBECONFIG_STAGING`.
  • Generate the per-environment secret values per docs/operations/secrets.md#bootstrapping-a-new-environment (JWT signing key, GitHub OAuth client secret for a staging-only OAuth app, SAML key+cert, SSH deploy key for the data repo).
  • Seal them via sealed-secrets and apply to the cluster as Secret `codeforphilly-secrets` (+ `codeforphilly-data-deploy-key` if/when staging needs to push to a real data remote).
  • Pick + provision the production bucket (R2 / B2 / S3 / MinIO per docs/operations/deploy.md#bucket-provisioning) and enable versioning (hard requirement). Lifecycle: delete non-current versions after 365 days. Add credentials to the Secret + endpoint/bucket/region to `values.production.yaml`.
  • Trigger `deploy-staging.yml` (push to main, or workflow_dispatch). Approve the environment gate on the first run.
  • From outside the cluster, verify:
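Pre-flight checks for two of the steps above, added here as example code (not part of the repo or the deploy plan): building a kubeconfig pinned to the staging namespace and encoding it the way `KUBECONFIG_STAGING` stores it, then checking a bucket's versioning state and S3-style lifecycle rules against the hard requirements (versioning Enabled, non-current versions deleted after 365 days). The server URL, CA data and token are constructed placeholders; the lifecycle rules are passed in as the dicts a `get_bucket_lifecycle_configuration` call would return.

```python
import base64
import json

NAMESPACE = "codeforphilly-staging"  # namespace and retention from the checklist
NONCURRENT_RETENTION_DAYS = 365

def build_scoped_kubeconfig(server, ca_data_b64, token, namespace=NAMESPACE):
    """Kubeconfig with a single context pinned to one namespace (JSON is valid YAML)."""
    user = f"{namespace}-deployer"
    return {
        "apiVersion": "v1", "kind": "Config",
        "clusters": [{"name": "staging", "cluster": {
            "server": server, "certificate-authority-data": ca_data_b64}}],
        "users": [{"name": user, "user": {"token": token}}],
        "contexts": [{"name": user, "context": {
            "cluster": "staging", "user": user, "namespace": namespace}}],
        "current-context": user,
    }

def encode_for_github_secret(kubeconfig):
    """Single-line base64 (no wrapping), the form KUBECONFIG_STAGING stores."""
    return base64.b64encode(json.dumps(kubeconfig).encode()).decode()

def check_kubeconfig_secret(secret_b64, namespace=NAMESPACE):
    """Decode a KUBECONFIG_STAGING value; return a list of problems (empty == OK)."""
    try:
        cfg = json.loads(base64.b64decode(secret_b64, validate=True))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        return [f"secret is not base64-encoded JSON: {exc}"]
    contexts = {c["name"]: c["context"] for c in cfg.get("contexts", [])}
    current = contexts.get(cfg.get("current-context"))
    if current is None:
        return ["current-context does not name a defined context"]
    if current.get("namespace") != namespace:
        return [f"context is not scoped to namespace {namespace}"]
    return []

def check_bucket_config(versioning_status, lifecycle_rules):
    """Versioning must be Enabled; an enabled S3-style rule must delete
    non-current versions after 365 days; no rule may expire current objects."""
    problems = []
    if versioning_status != "Enabled":
        problems.append("bucket versioning must be Enabled (hard requirement)")
    enabled = [r for r in lifecycle_rules if r.get("Status") == "Enabled"]
    for rule in enabled:
        if "Expiration" in rule:
            problems.append(f"rule {rule.get('ID')} expires current objects")
    if not any(r.get("NoncurrentVersionExpiration", {}).get("NoncurrentDays")
               == NONCURRENT_RETENTION_DAYS for r in enabled):
        problems.append(f"no enabled rule deletes non-current versions after {NONCURRENT_RETENTION_DAYS} days")
    return problems
```

Run `check_kubeconfig_secret` on the decoded environment secret and `check_bucket_config` on the values returned by the bucket API before the first `deploy-staging.yml` run; an empty list from each means the two checklist items hold.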

Out of scope

  • Cutover orchestration (cutover-prep plan)
  • Production data import (laddr-import plan)
  • Production cluster stand-up (same template, separate issue once staging is green)

References
