Seal remaining Gitea secrets: API token, runner token, pull secret

All placeholder secrets replaced with real sealed values:
- argocd-gitea-token: API token for ArgoCD PR generator
- gitea-runner-token: registration token for in-cluster runner
- gitea-pull-secret: registry credentials for app image pulls

apps/api/k8s/base/gitea-pull-secret-sealed.yaml

@@ -1,11 +1,3 @@
-# PLACEHOLDER: Re-seal with Gitea registry credentials
-# kubectl create secret docker-registry gitea-pull-secret \
-#   --namespace apps \
-#   --docker-server=gitea.coreworlds.io \
-#   --docker-username=lazorgurl \
-#   --docker-password=<token> \
-#   --dry-run=client -o yaml | kubeseal --format yaml \
-#     --controller-namespace kube-system --controller-name sealed-secrets-helm
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
@@ -14,7 +6,7 @@ metadata:
   namespace: apps
 spec:
   encryptedData:
-    .dockerconfigjson: PLACEHOLDER_SEAL_ME
+    .dockerconfigjson: AgCMSSXv3CHy2MKH1kZFyMAe6wd5paliMm27DxO2ASjX+UVWCIybUf+dm3CINIwx9BpgmmP+XOvJ+J7uMEXYiLB6sq6SpeiTvk0K02cm7i70vlAi6InjTPeqnUVKOB/XIGruS4+VttcnqXHZupzbHZJDha3Z4/t0GONvmXrG98pGTR/aSSxMRcZpQRmSylmAZ8m5Tm9VOlwgvlok643S1O/AbZWPs5gpLstfQB9ejUvVFJADVLZX3hXvlp56ksDLPw+7tVr4OFt1YmVbsQBrss50nYmHapB4LMQvtKkMPF8Gm1YOlDHa+sNKvQb2ikaIbUikHbDXXs4rEF1utzSena4YDtb7c/as0im0REkPblB+avxTTXm5ygR3gqaty+D29Iplx6n3cD06gorv4rced+wrrvEu4kzvJpRlcF2a/EkwFTtY3qHfH9m1E6uyJ2U4QoklAvR7lOQBWpdS7h2gq2cerGC/N3LM3z6DHZOHIr+HtmhxugaoyWgblWya4BXtIa3z6ws/l1S3OFu0cuKUA4D3jVcM/Zr4tPjjA4p9HhclcJ9RyOgZoZn+emwmuNnMTO8dRtRzv3F4kjKh3h+wWY3CYmQADLaykIWjIjz2VqHvvruNMm8iKdEcG6VrT8kWeZBdc65ozcbLouzoj/OKe8rgLPrEEN2NsNxe/cQSQI6W81Uc4N7K20qL/0kmF8sl/rsOZwRjVHXvVAZn1mfoukqEyLHoTNh6rjnWp1Po8gcCdxz4RImEFbbOUYxTpYhVf0FHGeuYA92fLvezAyrsd9UatJf9lYj/NH9IX7Ek0isvWcxvEdQ9bf6TeGiU3is+gxj8VXog1K0q71zFEGP3Gtx4R1uP75+ZbLHWlM0GhyeduvqBqBLtDbXZHeif9p/PTDVkdzcuZGJcvNwh/pwrsFD6klCHyNMXeizDWM+O7LM2AVfaw+kmMUoYPqeNHmMX
   template:
     metadata:
       name: gitea-pull-secret

apps/web/k8s/base/gitea-pull-secret-sealed.yaml

@@ -1,11 +1,3 @@
-# PLACEHOLDER: Re-seal with Gitea registry credentials
-# kubectl create secret docker-registry gitea-pull-secret \
-#   --namespace apps \
-#   --docker-server=gitea.coreworlds.io \
-#   --docker-username=lazorgurl \
-#   --docker-password=<token> \
-#   --dry-run=client -o yaml | kubeseal --format yaml \
-#     --controller-namespace kube-system --controller-name sealed-secrets-helm
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
@@ -14,7 +6,7 @@ metadata:
   namespace: apps
 spec:
   encryptedData:
-    .dockerconfigjson: PLACEHOLDER_SEAL_ME
+    .dockerconfigjson: AgCMSSXv3CHy2MKH1kZFyMAe6wd5paliMm27DxO2ASjX+UVWCIybUf+dm3CINIwx9BpgmmP+XOvJ+J7uMEXYiLB6sq6SpeiTvk0K02cm7i70vlAi6InjTPeqnUVKOB/XIGruS4+VttcnqXHZupzbHZJDha3Z4/t0GONvmXrG98pGTR/aSSxMRcZpQRmSylmAZ8m5Tm9VOlwgvlok643S1O/AbZWPs5gpLstfQB9ejUvVFJADVLZX3hXvlp56ksDLPw+7tVr4OFt1YmVbsQBrss50nYmHapB4LMQvtKkMPF8Gm1YOlDHa+sNKvQb2ikaIbUikHbDXXs4rEF1utzSena4YDtb7c/as0im0REkPblB+avxTTXm5ygR3gqaty+D29Iplx6n3cD06gorv4rced+wrrvEu4kzvJpRlcF2a/EkwFTtY3qHfH9m1E6uyJ2U4QoklAvR7lOQBWpdS7h2gq2cerGC/N3LM3z6DHZOHIr+HtmhxugaoyWgblWya4BXtIa3z6ws/l1S3OFu0cuKUA4D3jVcM/Zr4tPjjA4p9HhclcJ9RyOgZoZn+emwmuNnMTO8dRtRzv3F4kjKh3h+wWY3CYmQADLaykIWjIjz2VqHvvruNMm8iKdEcG6VrT8kWeZBdc65ozcbLouzoj/OKe8rgLPrEEN2NsNxe/cQSQI6W81Uc4N7K20qL/0kmF8sl/rsOZwRjVHXvVAZn1mfoukqEyLHoTNh6rjnWp1Po8gcCdxz4RImEFbbOUYxTpYhVf0FHGeuYA92fLvezAyrsd9UatJf9lYj/NH9IX7Ek0isvWcxvEdQ9bf6TeGiU3is+gxj8VXog1K0q71zFEGP3Gtx4R1uP75+ZbLHWlM0GhyeduvqBqBLtDbXZHeif9p/PTDVkdzcuZGJcvNwh/pwrsFD6klCHyNMXeizDWM+O7LM2AVfaw+kmMUoYPqeNHmMX
   template:
     metadata:
       name: gitea-pull-secret

infra/kubernetes/argocd/argocd-gitea-token-sealed.yaml

@@ -1,5 +1,3 @@
-# PLACEHOLDER: Re-seal with Gitea API token for PR generator
-# ./scripts/seal-secret.sh argocd-gitea-token argocd token=<gitea-api-token>
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
@@ -8,7 +6,7 @@ metadata:
   namespace: argocd
 spec:
   encryptedData:
-    token: PLACEHOLDER_SEAL_ME
+    token: AgAAkJ90zxscN8Oe1ImwFvdYFfEYAxjkCyuf9g1aGvYRByq9ctQqC8JB9OiECK14Cof6S5iJMi3cH4+BV4X5gNrOipfFyvmQHMs0aEKwi/darwP0aHq2VOMAPK2GsLrtNYbhChbzTfuB5hlfCr/AVLWHrA3q8qArejcrw9UEeatWlCrzzugww8ROlMa1ozNIqGHFiqdYQDSuD0SlJ4V5m3W/6Y88zfjZzB7KvjTYsU81Hf06m3fZ04sGxuiuTfy+JxfQrKjRubJGyi2QEK534XXf/wy2Cs5c8+TaCVlxzAPNjeHAku8GsXRnHfdLXSjQSSpe7WeqtKJJ8AHFNXZQIngBD3tdYxA8NoYMgFE0vUS5RTgT7CL84wi5gpK+at7kwNmRJHMw22b2qPl/tMsohtEmjr/DiFJob5coB4c3RLVlmhvdf3jASc77RKoPE2REt+2D8Lsj7VUW+ZDQBSHOSgGqu593tRj0bu3bFkd+/3bI8O6XS0E5GtTbXYqpN1mDGVdi8n5ncd5AQmkQ2Wf0dKgh1Za1qtH3Vo/ELUiRfBZufsHzgEpKxM0jcW4tnS3/1MDJmB3KW2v6kCPDpRH82FTvGtqt3YaQ7+IB1wyQj0SkMkG/mQf1oi0Oo8i4T59HboDtdyqfaMI949CQcYsrnXPFOhHbUAlA87tB+9TiDD87yauP0MCyhTSQjNJJIqjxl58PEkTA4KZioCIq5iBDHtMUZ4bcP8OS+Y8UUIZtZ6HgNUHXkgr6IQ+7
   template:
     metadata:
       name: argocd-gitea-token

infra/kubernetes/platform/gitea-runner/gitea-runner-token-sealed.yaml

@@ -1,5 +1,3 @@
-# PLACEHOLDER: Generate token from Gitea admin panel, then re-seal with:
-# ./scripts/seal-secret.sh gitea-runner-token platform token=<registration-token>
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
@@ -8,7 +6,7 @@ metadata:
   namespace: platform
 spec:
   encryptedData:
-    token: PLACEHOLDER_SEAL_ME
+    token: AgCHDopgQ5g3/nGkAWEFZOgxO2aMQ0Nd0IAgkKn4QXqcz9167z+rtSNzdl0wFCYXRaFHIN6gStUkd/n7SDf+LE22/nKoKwGgpMX2oLzNgojQ3NgEX3gYkVpYqkzm9/sK+ZplM+/2JI2/po/yPdjK8PEQGozfDByKW8Rc75ogwaIfAGYcTjh1QavHlEn+omkOmFkhBR7jpLx9vugQjdXbz/K/qkHBrdDLncFpOuCXvt+c3XqCKYEyqn4vf3gznF2ju8FgmbFutDqiXDD3/T8alMXone0zTk6NXWYBoJaOtOO7Vll+CS/dwHNyn+9S1RvmNHr1HwPejq9XfUmTpzO8Wv/UxhjfXQW8yvIv9Wty/oAXTnnceH8MhmKz9DNwZTvgH+dZdetR9m9e77xuA9WMapVy9Rz3kvyJdgl+eMuO8pJcf+DBqrHqlL99/LAFLlZdfEp/ADcXBmkymr0Sqv0cA1/rL4M5jFmSUPYDUdA3TVLLq3GmUM4MYgI9D7eDqXqbXk00DcjiH+62qbAAe/t3en45qi9Y13eepMTC/mCVt1XW2J1fZYwJEvWSEjWmggNYDPmNJ7nA1L+h+Wt0tIN77XoxVpSs1Zatp3DdIQY2AWla7SDG1Q35ztBhkTvehfhnf0EOO4fmMiaQwnef49wW0ZZIS6bjGF3bPIkB2S4SOsNW0YgDa5nglYjFbNNc2I6gq7buVHfJ6JepJXng6idEJu44VuarxC7kz47x172zq8PiWimCOHEgSPXn
   template:
     metadata:
       name: gitea-runner-token