feat: add ArgoCD bootstrap with ApplicationSet pattern

- Add root ApplicationSet using Git Directory Generator
- Configure AppProjects for infrastructure and apps separation
- Add cert-manager with Let's Encrypt ClusterIssuers (staging/prod)
- Add SOPS configuration for age-encrypted secrets
- Add bootstrap documentation (docs/BOOTSTRAP.md)
- Scaffold infrastructure dirs (networking, storage, monitoring)
- Update README with quick start and architecture

GitOps pattern: directories auto-discovered by ArgoCD ApplicationSets
Reference: CNCF App-of-Apps best practices 2025

.sops.yaml

@@ -0,0 +1,31 @@
+# .sops.yaml
+# SOPS configuration for encrypting Kubernetes secrets
+# Generate age key: age-keygen -o key.txt
+# Export: export SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt
+# Encrypt: sops -e -i secret.yaml
+# Decrypt: sops -d secret.yaml
+#
+# Reference: https://github.com/getsops/sops
+
+creation_rules:
+  # Infrastructure secrets (networking, storage, monitoring)
+  - path_regex: infrastructure/.*/.*secret.*\.yaml$
+    encrypted_regex: ^(data|stringData)$
+    age: >-
+      age1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+
+  # Application secrets
+  - path_regex: apps/.*/.*secret.*\.yaml$
+    encrypted_regex: ^(data|stringData)$
+    age: >-
+      age1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+
+  # Cluster-specific secrets
+  - path_regex: clusters/.*/.*secret.*\.yaml$
+    encrypted_regex: ^(data|stringData)$
+    age: >-
+      age1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+
+# NOTE: Replace the age public key above with your actual key
+# The encrypted_regex ensures only data/stringData fields are encrypted,
+# leaving metadata readable for GitOps tooling