chore(bootstrap-kit): remove slot 95 bp-stalwart-sovereign (Phase-2 deferred) (#958)

The bp-stalwart-sovereign chart's post-install Job times out on fresh
Sovereigns (observed on otech113) and blocks the entire bootstrap-kit
Kustomization. Phase-2 Sovereign-local mail (umbrella #924) is OUT OF
SCOPE for the current Phase-1 cutover.

Phase-1 Console PIN/magic-link delivery already works through the
mothership SMTP relay path:
  - products/catalyst/chart/values.yaml#sovereign.smtp.* defaults to
    mail.openova.io:587 / noreply@openova.io
  - products/catalyst/bootstrap/api/internal/handler/sovereign_smtp_seed.go
    seeds those bytes into catalyst-system/sovereign-smtp-credentials at
    bootstrap, so bp-catalyst-platform's `lookup` resolves on first
    reconcile without waiting for a Sovereign-local Stalwart.

This commit:
  - Deletes clusters/_template/bootstrap-kit/95-bp-stalwart-sovereign.yaml
  - Updates the kustomization.yaml resource list with a comment block
    documenting the deferral and the canonical re-entry conditions.
  - Updates scripts/expected-bootstrap-deps.yaml so check-bootstrap-deps.sh
    no longer expects the slot. Audit re-runs clean (0 drift, 0 cycles).

The chart itself stays at platform/stalwart-sovereign/ for future
Phase-2 work; only the bootstrap slot is removed.

Refs: #883 #924

Co-authored-by: Hatice Yildiz <hatiyildiz@openova.io>

clusters/_template/bootstrap-kit/95-bp-stalwart-sovereign.yaml

@@ -1,128 +0,0 @@
-# bp-stalwart-sovereign — Catalyst bootstrap-kit slot 95.
-# Sovereign-local Stalwart for Sovereign Console mail (PIN/magic-link
-# delivery, ops alerts, the noreply@<sovereignFQDN> system mailbox).
-#
-# Phase-2 follow-up to #883: replaces the mothership Stalwart relay
-# (mail.openova.io:587) with a Sovereign-local instance. After this
-# slot installs, Sovereign Console PIN delivery originates from
-# `noreply@<sovereignFQDN>` with per-Sovereign SPF/DKIM/DMARC posture,
-# eliminating the mothership-as-SPOF for Sovereign Console login.
-#
-# Distinct from bp-stalwart-tenant (per-SME/vcluster instance):
-#   - bp-stalwart-tenant: customer mailboxes, OIDC SSO via per-tenant
-#     Keycloak realm, exposed at `mail.<sme-domain>`.
-#   - bp-stalwart-sovereign (THIS SLOT): single instance per Sovereign,
-#     scoped to Sovereign Console system mail. NO Keycloak OIDC, NO
-#     webmail UI — Sovereign Console is the only consumer.
-#
-# Slot 95 (NOT slot 12): the chart's post-install Job materialises the
-# `catalyst-system/sovereign-smtp-credentials` mirror Secret AFTER
-# bp-catalyst-platform (slot 13) has created the catalyst-system
-# namespace. bp-catalyst-platform's `lookup` against that Secret runs
-# every Flux reconcile (~1 min), so the chart-rendered SMTP coordinates
-# take effect on the next reconcile after this slot first installs.
-# Until then the Phase-1 mothership-creds-seeded bytes (catalyst-api
-# `sovereign_smtp_seed.go`) keep PIN delivery working — graceful
-# cutover with no downtime.
-#
-# Wrapper chart: platform/stalwart-sovereign/chart/
-# Reconciled by: Flux on the new Sovereign's k3s control plane.
-#
-# dependsOn:
-#   - bp-cert-manager — provides the cert-manager.io CRDs / ClusterIssuer
-#                       referenced by the Sovereign wildcard cert that
-#                       covers `mail.<sovereignFQDN>` (the wildcard
-#                       chain rendered by bp-catalyst-platform 1.4.0+'s
-#                       per-zone cert template). Without cert-manager
-#                       Ready the wildcard SAN never materialises and
-#                       MTA STARTTLS handshakes fail.
-#   - bp-catalyst-platform — the chart materialises a Secret in the
-#                       `catalyst-system` namespace; the namespace must
-#                       exist (created by slot 13) before the post-
-#                       install Job's apply hits the K8s API.
-#
-# Per docs/INVIOLABLE-PRINCIPLES.md #4 (never hardcode) every URL/zone
-# is operator-overridable. ${SOVEREIGN_FQDN} is substituted by Flux
-# envsubst at the per-Sovereign apply time.
-
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: stalwart-sovereign
-  labels:
-    catalyst.openova.io/sovereign: ${SOVEREIGN_FQDN}
----
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: HelmRepository
-metadata:
-  name: bp-stalwart-sovereign
-  namespace: flux-system
-spec:
-  type: oci
-  interval: 15m
-  url: oci://ghcr.io/openova-io
-  secretRef:
-    name: ghcr-pull
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: bp-stalwart-sovereign
-  namespace: flux-system
-spec:
-  interval: 15m
-  releaseName: stalwart-sovereign
-  targetNamespace: stalwart-sovereign
-  dependsOn:
-    - name: bp-cert-manager
-    - name: bp-catalyst-platform
-  chart:
-    spec:
-      chart: bp-stalwart-sovereign
-      # 0.1.0 (#924): initial release — Sovereign-local Stalwart for
-      # Sovereign Console mail. Materialises
-      # catalyst-system/sovereign-smtp-credentials so bp-catalyst-platform
-      # 1.4.17+'s `lookup` against that Secret picks up the per-Sovereign
-      # SMTP coordinates on the next Flux reconcile.
-      version: 0.1.0
-      sourceRef:
-        kind: HelmRepository
-        name: bp-stalwart-sovereign
-        namespace: flux-system
-  # Event-driven install per docs/INVIOLABLE-PRINCIPLES.md #3. Stalwart
-  # itself is single-pod and starts in seconds; the long pole is the
-  # post-install Job's wait for the admin API readiness probe (60 s
-  # ceiling enforced inside the Job).
-  install:
-    disableWait: true
-    remediation:
-      retries: 3
-  upgrade:
-    disableWait: true
-    remediation:
-      retries: 3
-  values:
-    # Per-Sovereign FQDN — drives the SMTP sender domain
-    # (`noreply@<sovereignFQDN>`), the public MX hostname
-    # (`mail.<sovereignFQDN>`), and the DKIM signing domain.
-    global:
-      sovereignFQDN: ${SOVEREIGN_FQDN}
-    # ─── Storage class for the RocksDB spool ───────────────────────
-    # Empty = cluster default. Per-Sovereign overlay sets the
-    # canonical class (e.g. `hcloud-volumes` on Hetzner Sovereigns,
-    # `local-path` on contabo / k3s). Inviolable Principle #4.
-    persistence:
-      spool:
-        storageClassName: ""
-    # ─── Soft-launch SPF/DMARC posture ─────────────────────────────
-    # `~all` (SPF soft-fail) + `quarantine` (DMARC quarantine, not
-    # reject) at first install so the orchestrator-side DNS-record
-    # registration race (sub-PR follow-up) does not hard-bounce the
-    # first send-pin emails. Operators flip to `-all` + `reject` via
-    # per-Sovereign overlay once propagation is verified.
-    dns:
-      spf:
-        policy: "~all"
-      dmarc:
-        policy: "quarantine"

clusters/_template/bootstrap-kit/kustomization.yaml

@@ -55,12 +55,14 @@ resources:
   # See clusters/_template/bootstrap-kit/80-newapi.yaml for full
   # dependsOn rationale and per-Sovereign override surface.
   - 80-newapi.yaml
-  # bp-stalwart-sovereign (slot 95) — Sovereign-local Stalwart for the
+  # bp-stalwart-sovereign (slot 95) — REMOVED 2026-05-05.
-  # Sovereign Console PIN/magic-link mail surface (Phase-2 follow-up to
+  # Phase-2 Sovereign-local mail (per-Sovereign Stalwart for Console
-  # #883 / umbrella #924). Materialises
+  # PIN/magic-link delivery, umbrella #924) is OUT OF SCOPE for the
-  # `catalyst-system/sovereign-smtp-credentials` so bp-catalyst-platform's
+  # current Phase-1 cutover. The Phase-1 design is mothership SMTP
-  # `lookup` picks up Sovereign-local SMTP coordinates and Console mail
+  # relay (mail.openova.io:587) — see products/catalyst/chart/values.yaml
-  # originates from `noreply@<sovereignFQDN>`. Sequenced AFTER
+  # `sovereign.smtp.*` and the catalyst-api `sovereign_smtp_seed.go`
-  # bp-catalyst-platform (slot 13) so the catalyst-system namespace
+  # path. The chart's post-install Job was timing out on otech113 and
-  # exists when the chart's post-install Job applies the mirror Secret.
+  # blocking the bootstrap-kit Kustomization. Re-introduce this slot
-  - 95-bp-stalwart-sovereign.yaml
+  # only when Phase-2 is explicitly in scope and the chart's readiness
+  # gate is reliable. See platform/stalwart-sovereign/ for the chart
+  # itself (kept in-tree for future Phase-2 work).

scripts/expected-bootstrap-deps.yaml

@@ -335,18 +335,14 @@ slots:
     depends_on: [bp-openbao, bp-keycloak, bp-cnpg]
     wave: present
 
-  # ---- Slot 95 — bp-stalwart-sovereign Sovereign-local Stalwart for the
+  # ---- Slot 95 — bp-stalwart-sovereign REMOVED 2026-05-05.
-  # Sovereign Console PIN/magic-link mail surface. Issue #924 (Phase-2
+  # Phase-2 Sovereign-local mail surface (umbrella #924) is OUT OF SCOPE
-  # follow-up to #883). Sequenced AFTER bp-catalyst-platform (slot 13)
+  # for the current Phase-1 cutover. The chart's post-install Job was
-  # so the chart's post-install Job lands its
+  # timing out on otech113 and blocking the bootstrap-kit Kustomization.
-  # catalyst-system/sovereign-smtp-credentials mirror Secret in an
+  # Phase-1 Console PIN/magic-link delivery uses the mothership SMTP
-  # already-existing namespace; the next bp-catalyst-platform reconcile
+  # relay (mail.openova.io:587) per
-  # picks up the Sovereign-local SMTP coordinates and PIN delivery flips
+  # products/catalyst/chart/values.yaml#sovereign.smtp.* and
-  # from mothership relay (mail.openova.io) to Sovereign-local relay
+  # products/catalyst/bootstrap/api/internal/handler/sovereign_smtp_seed.go.
-  # (mail.<sovereignFQDN>) without operator action. Sequenced AFTER
+  # Re-introduce this slot only when Phase-2 is explicitly back in scope
-  # bp-cert-manager so the wildcard cert covering mail.<sovereignFQDN>
+  # and the chart's readiness gate has been hardened. The chart itself
-  # is already issued before mail-server STARTTLS handshakes start.
+  # remains in-tree at platform/stalwart-sovereign/ for future work.
-  - slot: 95
-    name: bp-stalwart-sovereign
-    depends_on: [bp-cert-manager, bp-catalyst-platform]
-    wave: present