feat(bootstrap-kit): edge + apps + AI batch — slot 35 (W2.K4) (#261)

Per docs/BOOTSTRAP-KIT-EXPANSION-PLAN.md §2.6 + §2.7, W2.K4 is the
14-slot batch (35-48) covering Tier 8 (edge) + Tier 9 (apps + AI
runtime). Pre-flight chart-existence check found that only `bp-coraza`
(slot 35) currently has an authored chart — the remaining 13 platform
directories (stunner/knative/kserve/vllm/llm-gateway/anthropic-adapter/
bge/nemo-guardrails/temporal/openmeter/livekit/matrix/librechat) contain
README scaffolding only, no Chart.yaml or blueprint.yaml.

Per the W2 dispatch rule (skip slots whose chart isn't ready, file an
issue, ship what is ready), this PR ships slot 35 only and tracks the
13 missing charts as separate issues. Each missing-chart issue links
back to this PR and to the BOOTSTRAP-KIT-EXPANSION-PLAN.md slot row so
follow-up work has a clean DAG anchor.

Slot 35 — bp-coraza
- chart: platform/coraza/chart/ (1.0.0, scratch chart wiring
  ghcr.io/corazawaf/coraza-spoa:0.7.0 as Deployment + Service)
- dependsOn: bp-cilium (01) [L7 enforcement substrate],
             bp-cert-manager (02) [TLS issuers for SPOA listeners]
- HR knobs: install/upgrade.disableWait: true (event-driven readiness
  via Flux dependsOn graph; per session-2026-04-30 architectural
  decision, never use blanket `spec.timeout: Nm` watchdogs).
- Replicated to all 3 cluster trees: _template, otech.omani.works,
  omantel.omani.works.

Validation
- python3 yaml.safe_load_all on all 6 touched files: OK
- kubectl kustomize on all 3 bootstrap-kit dirs: OK
  (Namespace + HelmRepository + HelmRelease bp-coraza render cleanly)

Co-authored-by: hatiyildiz <269457768+hatiyildiz@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

clusters/_template/bootstrap-kit/35-coraza.yaml

@@ -0,0 +1,70 @@
+# bp-coraza — Catalyst bootstrap-kit Blueprint #35 (W2.K4 — Tier 8: edge).
+# OWASP-licensed Web Application Firewall, ModSecurity-rule-compatible.
+# Speaks the HAProxy SPOE protocol; sits in front of Cilium Gateway / HAProxy
+# fronts to enforce WAF policies on inbound traffic to Sovereign-facing
+# services (keycloak, grafana, stalwart, marketplace).
+#
+# Wrapper chart: platform/coraza/chart/
+# Catalyst-curated values: platform/coraza/chart/values.yaml
+# Reconciled by: Flux on the new Sovereign's k3s control plane.
+#
+# dependsOn:
+#   - bp-cilium — Coraza enforces L7 policy via Cilium L7 proxy / Gateway
+#     API; Cilium must be Ready (CNI + Gateway controller) before WAF
+#     evaluation hooks become reachable.
+#   - bp-cert-manager — Issuers must be reconciled so any TLS-fronted SPOA
+#     listeners (per-Sovereign overlays) come up with valid certs.
+#
+# install/upgrade.disableWait: true — Coraza-spoa Deployment Ready signal
+# is event-driven via the Flux dependsOn graph (downstream HRs check
+# Ready=True on this HR). Per session-2026-04-30 architectural decision,
+# we never use blanket `spec.timeout: Nm` watchdogs.
+
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: coraza
+  labels:
+    catalyst.openova.io/sovereign: SOVEREIGN_FQDN_PLACEHOLDER
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: bp-coraza
+  namespace: flux-system
+spec:
+  type: oci
+  interval: 15m
+  url: oci://ghcr.io/openova-io
+  secretRef:
+    name: ghcr-pull
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: bp-coraza
+  namespace: flux-system
+spec:
+  interval: 15m
+  releaseName: coraza
+  targetNamespace: coraza
+  dependsOn:
+    - name: bp-cilium
+    - name: bp-cert-manager
+  chart:
+    spec:
+      chart: bp-coraza
+      version: 1.0.0
+      sourceRef:
+        kind: HelmRepository
+        name: bp-coraza
+        namespace: flux-system
+  install:
+    disableWait: true
+    remediation:
+      retries: 3
+  upgrade:
+    disableWait: true
+    remediation:
+      retries: 3

clusters/_template/bootstrap-kit/kustomization.yaml

@@ -39,3 +39,4 @@ resources:
   - 32-sigstore.yaml
   - 33-syft-grype.yaml
   - 34-velero.yaml
+  - 35-coraza.yaml

clusters/omantel.omani.works/bootstrap-kit/35-coraza.yaml

@@ -0,0 +1,70 @@
+# bp-coraza — Catalyst bootstrap-kit Blueprint #35 (W2.K4 — Tier 8: edge).
+# OWASP-licensed Web Application Firewall, ModSecurity-rule-compatible.
+# Speaks the HAProxy SPOE protocol; sits in front of Cilium Gateway / HAProxy
+# fronts to enforce WAF policies on inbound traffic to Sovereign-facing
+# services (keycloak, grafana, stalwart, marketplace).
+#
+# Wrapper chart: platform/coraza/chart/
+# Catalyst-curated values: platform/coraza/chart/values.yaml
+# Reconciled by: Flux on the new Sovereign's k3s control plane.
+#
+# dependsOn:
+#   - bp-cilium — Coraza enforces L7 policy via Cilium L7 proxy / Gateway
+#     API; Cilium must be Ready (CNI + Gateway controller) before WAF
+#     evaluation hooks become reachable.
+#   - bp-cert-manager — Issuers must be reconciled so any TLS-fronted SPOA
+#     listeners (per-Sovereign overlays) come up with valid certs.
+#
+# install/upgrade.disableWait: true — Coraza-spoa Deployment Ready signal
+# is event-driven via the Flux dependsOn graph (downstream HRs check
+# Ready=True on this HR). Per session-2026-04-30 architectural decision,
+# we never use blanket `spec.timeout: Nm` watchdogs.
+
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: coraza
+  labels:
+    catalyst.openova.io/sovereign: SOVEREIGN_FQDN_PLACEHOLDER
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: bp-coraza
+  namespace: flux-system
+spec:
+  type: oci
+  interval: 15m
+  url: oci://ghcr.io/openova-io
+  secretRef:
+    name: ghcr-pull
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: bp-coraza
+  namespace: flux-system
+spec:
+  interval: 15m
+  releaseName: coraza
+  targetNamespace: coraza
+  dependsOn:
+    - name: bp-cilium
+    - name: bp-cert-manager
+  chart:
+    spec:
+      chart: bp-coraza
+      version: 1.0.0
+      sourceRef:
+        kind: HelmRepository
+        name: bp-coraza
+        namespace: flux-system
+  install:
+    disableWait: true
+    remediation:
+      retries: 3
+  upgrade:
+    disableWait: true
+    remediation:
+      retries: 3

clusters/omantel.omani.works/bootstrap-kit/kustomization.yaml

@@ -39,3 +39,4 @@ resources:
   - 32-sigstore.yaml
   - 33-syft-grype.yaml
   - 34-velero.yaml
+  - 35-coraza.yaml

clusters/otech.omani.works/bootstrap-kit/35-coraza.yaml

@@ -0,0 +1,70 @@
+# bp-coraza — Catalyst bootstrap-kit Blueprint #35 (W2.K4 — Tier 8: edge).
+# OWASP-licensed Web Application Firewall, ModSecurity-rule-compatible.
+# Speaks the HAProxy SPOE protocol; sits in front of Cilium Gateway / HAProxy
+# fronts to enforce WAF policies on inbound traffic to Sovereign-facing
+# services (keycloak, grafana, stalwart, marketplace).
+#
+# Wrapper chart: platform/coraza/chart/
+# Catalyst-curated values: platform/coraza/chart/values.yaml
+# Reconciled by: Flux on the new Sovereign's k3s control plane.
+#
+# dependsOn:
+#   - bp-cilium — Coraza enforces L7 policy via Cilium L7 proxy / Gateway
+#     API; Cilium must be Ready (CNI + Gateway controller) before WAF
+#     evaluation hooks become reachable.
+#   - bp-cert-manager — Issuers must be reconciled so any TLS-fronted SPOA
+#     listeners (per-Sovereign overlays) come up with valid certs.
+#
+# install/upgrade.disableWait: true — Coraza-spoa Deployment Ready signal
+# is event-driven via the Flux dependsOn graph (downstream HRs check
+# Ready=True on this HR). Per session-2026-04-30 architectural decision,
+# we never use blanket `spec.timeout: Nm` watchdogs.
+
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: coraza
+  labels:
+    catalyst.openova.io/sovereign: SOVEREIGN_FQDN_PLACEHOLDER
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: bp-coraza
+  namespace: flux-system
+spec:
+  type: oci
+  interval: 15m
+  url: oci://ghcr.io/openova-io
+  secretRef:
+    name: ghcr-pull
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: bp-coraza
+  namespace: flux-system
+spec:
+  interval: 15m
+  releaseName: coraza
+  targetNamespace: coraza
+  dependsOn:
+    - name: bp-cilium
+    - name: bp-cert-manager
+  chart:
+    spec:
+      chart: bp-coraza
+      version: 1.0.0
+      sourceRef:
+        kind: HelmRepository
+        name: bp-coraza
+        namespace: flux-system
+  install:
+    disableWait: true
+    remediation:
+      retries: 3
+  upgrade:
+    disableWait: true
+    remediation:
+      retries: 3

clusters/otech.omani.works/bootstrap-kit/kustomization.yaml

@@ -39,3 +39,4 @@ resources:
   - 32-sigstore.yaml
   - 33-syft-grype.yaml
   - 34-velero.yaml
+  - 35-coraza.yaml