feat: SOPS + age encrypted secrets structure

- .sops.yaml with 3 age keys (admin, dev, prod)
- infra/gitea/values/*.enc.yaml — per-env encrypted Helm values
- infra/kargo/values/*.enc.yaml — per-env encrypted Kargo admin secrets
- kargo/credentials/*.enc.yaml — per-env encrypted git credentials (ksops)
- infra/kargo-credentials/ — ArgoCD app for deploying Kargo creds via ksops
- All repoURLs point to deploy-app-kargo-private

Structure from deploy-app-kargo (reference), adapted for SOPS workflow

kargo/credentials/ksops-generator.yaml

@@ -0,0 +1,20 @@
+# ksops generator: decrypts SOPS-encrypted K8s Secret manifests
+# ArgoCD repo-server must have ksops + sops + age installed
+#
+# Dev cluster uses: *.dev.enc.yaml
+# Prod cluster uses: *.prod.enc.yaml
+#
+# Which files to decrypt is controlled by the kustomization overlay
+# in the cluster-specific branch (infra/stage/dev or infra/stage/prod)
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: kargo-git-credentials
+  annotations:
+    config.kubernetes.io/function: |
+      exec:
+        path: ksops
+files:
+  - git-creds-infra.dev.enc.yaml
+  - git-creds-ci.dev.enc.yaml
+  - git-creds-test-env.dev.enc.yaml