feat: zero trust SOPS key isolation (deploy-k3s#32)

- Add test-key (age1wtzdf8...) for shared test environment
- Enable mac_only_encrypted: true in .sops.yaml (SOPS >= 3.9.0)
  Allows adding new YAML fields without decryption key
- Re-encrypt all 10 files with mac_only_encrypted metadata
- Strict isolation: dev-key ↔ *.dev.enc.yaml, prod-key ↔ *.prod.enc.yaml
- test-key can only decrypt *.test.enc.yaml (not dev/prod)
- Add dev/verify-sops-isolation.sh — 33-point verification script
- Keep dev/prod files with admin+dev / admin+prod only (no test-key)

Verified: 33/33 isolation checks passed

Co-authored-by: XoR <xor@benadis.ru>

.sops.yaml

@@ -1,28 +1,55 @@
 # SOPS configuration for deploy-app-kargo-private
-# Three age keys: admin (all access), dev (dev/test cluster), prod (prod cluster)
+# Zero Trust key model: dev cannot decrypt prod, prod cannot decrypt dev.
+# Test secrets accessible to both dev and prod.
 #
-# admin: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
-# dev:   age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
-# prod:  age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
+# Keys:
+#   admin: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7  (master, backup/audit)
+#   dev:   age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g  (dev cluster only)
+#   test:  age1wtzdf8k5fhazffq5t5erm0azvp463mzk6fm4vghqwah2lz9sf3eszksf33  (shared test environment)
+#   prod:  age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk  (prod cluster only)
+#
+# Trust model:
+#   *.dev.enc.yaml  → admin + dev           (ONLY dev-admin can decrypt)
+#   *.test.enc.yaml → admin + dev + test + prod (everyone can decrypt)
+#   *.prod.enc.yaml → admin + prod          (ONLY prod-admin can decrypt)
+#   *.shared.enc.yaml → admin + dev + prod  (legacy, both can decrypt)
+#
+# mac_only_encrypted: true — allows adding new YAML keys/structure without
+# having the decryption key. MAC is computed only over encrypted values.
+# This enables dev to add fields to *.prod.enc.yaml without decrypting them.
+# Requires SOPS >= 3.9.0.
 
 creation_rules:
-  # Prod-specific secrets — admin + prod only
-  - path_regex: \.prod\.enc\.yaml$
-    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
-    age: >-
-      age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
-      age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
-
-  # Dev-specific secrets — admin + dev only
+  # Dev-specific secrets — ONLY admin + dev can decrypt
   - path_regex: \.dev\.enc\.yaml$
     encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    mac_only_encrypted: true
     age: >-
       age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
       age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
 
-  # Shared secrets (e.g. kargo credentials) — all three keys
+  # Test secrets — all keys can decrypt (shared test environment)
+  - path_regex: \.test\.enc\.yaml$
+    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    mac_only_encrypted: true
+    age: >-
+      age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
+      age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g,
+      age1wtzdf8k5fhazffq5t5erm0azvp463mzk6fm4vghqwah2lz9sf3eszksf33,
+      age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
+
+  # Prod-specific secrets — ONLY admin + prod can decrypt
+  - path_regex: \.prod\.enc\.yaml$
+    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    mac_only_encrypted: true
+    age: >-
+      age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
+      age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
+
+  # Shared secrets (legacy, both clusters) — admin + dev + prod
   - path_regex: \.shared\.enc\.yaml$
     encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|repoURL|username)$
+    mac_only_encrypted: true
     age: >-
       age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
       age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g,