crowdsec: register kvsync + firewall bouncer keys in LAPI

Seeds two new bouncers at LAPI startup (BOUNCER_KEY_kvsync, BOUNCER_KEY_firewall)
from Vault secret/platform, mirroring the existing BOUNCER_KEY_traefik wiring.
These are the two halves of the real enforcement that replaces the dead Yaegi
plugin: kvsync authenticates the LAPI->Cloudflare-KV sync (proxied edge Worker),
firewall authenticates the cs-firewall-bouncer DaemonSet (direct-host nftables).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-06-20 08:12:38 +00:00
parent 4d9fdbc7f7
commit 38675b7922
3 changed files with 23 additions and 1 deletions


@ -135,6 +135,14 @@ lapi:
# the prior manual registration was lost in the MySQL→PostgreSQL migration).
- name: BOUNCER_KEY_traefik
value: "${INGRESS_CROWDSEC_API_KEY}"
# Real enforcement path that replaces the dead Traefik Yaegi plugin:
# kvsync -> LAPI->Cloudflare-KV sync CronJob (proxied hosts, edge Worker)
# firewall -> cs-firewall-bouncer DaemonSet (direct hosts, in-kernel nftables drop)
# Registered at LAPI startup (idempotent across the 3 replicas / restarts).
- name: BOUNCER_KEY_kvsync
value: "${KVSYNC_CROWDSEC_API_KEY}"
- name: BOUNCER_KEY_firewall
value: "${FIREWALL_CROWDSEC_API_KEY}"
dashboard:
enabled: true
env:
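Review bot: both new keys are injected as plain `value:` strings (`value: "${KVSYNC_CROWDSEC_API_KEY}"`, `value: "${FIREWALL_CROWDSEC_API_KEY}"`), so after template substitution the bouncer API keys sit in clear text in the rendered Deployment spec and are readable by anyone with read access to pods in the namespace. Since the commit message says these come from Vault `secret/platform`, consider the same pattern as a Secret-backed `valueFrom: { secretKeyRef: { name: ..., key: ... } }` for all three BOUNCER_KEY_* entries, so rotation does not require re-rendering the chart and the keys do not leak through `kubectl describe`. Also, the comment claims registration is "idempotent across the 3 replicas / restarts", but nothing in this hunk shows what makes it so; a one-line note pointing at the startup logic that skips already-registered bouncers would make the claim verifiable for the next reader.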