infra: decommission foolery agent UI

User no longer actively using foolery. Removed:
- TF stack stacks/foolery (Cloudflare DNS, Traefik IngressRoute,
  Authentik forward-auth integration, K8s Service+Endpoints)
- Devvm systemd unit /etc/systemd/system/foolery.service
- Runtime at ~/.local/share/foolery and launcher ~/.local/bin/foolery
- Stale foolery reference in .claude/CLAUDE.md auth="required" examples

Uptime Kuma [External] foolery monitor will auto-prune on next
external-monitor-sync reconcile.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.claude/CLAUDE.md

@@ -29,7 +29,7 @@ Violations cause state drift, which causes future applies to break or silently r
 - **New services need CI/CD** and **monitoring** (Prometheus/Uptime Kuma)
 - **New service**: Use `setup-project` skill for full workflow
 - **Ingress**: `ingress_factory` module. **Auth** (`auth` string enum, default `"required"` — fail-closed). Pick by asking "what gates the app?":
-  - `auth = "required"` — Authentik forward-auth gates every request. Use when the backend has **no built-in user auth** and Authentik is the only thing standing between strangers and the app (prowlarr, qbittorrent, netbox, phpipam, k8s-dashboard, foolery, any admin UI shipped without its own login).
+  - `auth = "required"` — Authentik forward-auth gates every request. Use when the backend has **no built-in user auth** and Authentik is the only thing standing between strangers and the app (prowlarr, qbittorrent, netbox, phpipam, k8s-dashboard, any admin UI shipped without its own login).
   - `auth = "app"` — the backend handles its own user authentication (NextAuth, Django, OAuth, bearer-token API, etc.); Authentik would only break it. No middleware attached; the app's own login is the gate. Examples: immich, linkwarden, tandoor, freshrss, affine, actualbudget, audiobookshelf, novelapp. **Functionally identical to `"none"`** — the distinct name exists to record intent at the call site.
   - `auth = "public"` — Authentik anonymous binding via the dedicated `public` outpost (routes via `traefik-authentik-forward-auth-public` → `ak-outpost-public.authentik.svc:9000`). Strangers auto-bound to `guest`; logged-in users keep their identity in `X-authentik-username`. **Only works for top-level browser navigation** — CORS preflight rejects XHR/fetch and automation can't replay the cookie dance. Audit trail, not a gate.
   - `auth = "none"` — no Authentik, no own-auth claim. Use for Anubis-fronted content (Anubis is the gate), native-client APIs (Git, `/v2/`, WebDAV/CalDAV, CardDAV), webhook receivers, OAuth callbacks, and Authentik outposts themselves.

stacks/foolery/main.tf

@@ -1,78 +0,0 @@
-variable "tls_secret_name" {
-  type      = string
-  sensitive = true
-}
-
-resource "kubernetes_namespace" "foolery" {
-  metadata {
-    name = "foolery"
-    labels = {
-      "istio-injection" : "disabled"
-      tier = local.tiers.aux
-      "keel.sh/enrolled" = "true"
-    }
-  }
-  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: goldilocks-vpa-auto-mode ClusterPolicy stamps this label on every namespace
-    ignore_changes = [metadata[0].labels["goldilocks.fairwinds.com/vpa-update-mode"]]
-  }
-}
-
-module "tls_secret" {
-  source          = "../../modules/kubernetes/setup_tls_secret"
-  namespace       = kubernetes_namespace.foolery.metadata[0].name
-  tls_secret_name = var.tls_secret_name
-}
-
-# Service + Endpoints to reverse-proxy to Foolery at 10.0.10.10:3210
-resource "kubernetes_service" "foolery" {
-  metadata {
-    name      = "foolery"
-    namespace = kubernetes_namespace.foolery.metadata[0].name
-    labels = {
-      app = "foolery"
-    }
-  }
-
-  spec {
-    port {
-      name        = "http"
-      port        = 80
-      target_port = 3210
-    }
-  }
-}
-
-resource "kubernetes_endpoints" "foolery" {
-  metadata {
-    name      = "foolery"
-    namespace = kubernetes_namespace.foolery.metadata[0].name
-  }
-
-  subset {
-    address {
-      ip = "10.0.10.10"
-    }
-    port {
-      name = "http"
-      port = 3210
-    }
-  }
-}
-
-module "ingress" {
-  source          = "../../modules/kubernetes/ingress_factory"
-  dns_type        = "proxied"
-  namespace       = kubernetes_namespace.foolery.metadata[0].name
-  name            = "foolery"
-  tls_secret_name = var.tls_secret_name
-  auth            = "required"
-  extra_annotations = {
-    "gethomepage.dev/enabled"      = "true"
-    "gethomepage.dev/name"         = "Foolery"
-    "gethomepage.dev/description"  = "Agent orchestration control room"
-    "gethomepage.dev/icon"         = "mdi-robot"
-    "gethomepage.dev/group"        = "AI"
-    "gethomepage.dev/pod-selector" = ""
-  }
-}

stacks/foolery/secrets

@@ -1 +0,0 @@
-../../secrets

stacks/foolery/terragrunt.hcl

@@ -1,3 +0,0 @@
-include "root" {
-  path = find_in_parent_folders()
-}