feat: SOPS + age encrypted secrets structure

- .sops.yaml with 3 age keys (admin, dev, prod)
- infra/gitea/values/*.enc.yaml — per-env encrypted Helm values
- infra/kargo/values/*.enc.yaml — per-env encrypted Kargo admin secrets
- kargo/credentials/*.enc.yaml — per-env encrypted git credentials (ksops)
- infra/kargo-credentials/ — ArgoCD app for deploying Kargo creds via ksops
- All repoURLs point to deploy-app-kargo-private

Structure from deploy-app-kargo (reference), adapted for SOPS workflow

kargo/ci/verification/runner-health.yaml

@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AnalysisTemplate
+metadata:
+  name: runner-health
+  namespace: ci
+spec:
+  metrics:
+    - name: runner-deployment-exists
+      provider:
+        job:
+          spec:
+            backoffLimit: 0
+            template:
+              spec:
+                serviceAccountName: kargo-verifier
+                restartPolicy: Never
+                containers:
+                  - name: check
+                    image: alpine/k8s:1.35.1
+                    command: ["/bin/sh", "-c"]
+                    args:
+                      - |
+                        echo "Checking gitea-runner deployment..."
+                        kubectl get deployment gitea-runner -n gitea-runner -o jsonpath='{.metadata.name}' && echo " exists" || exit 1
+                        echo "Runner health check passed"