publish-gate + tuya-bridge ghcr cutover prep (ADR-0002 infra#15)

publish-gate: gitleaks + trufflehog (full history) + PII heuristics;
CLEAN verdict gates any public flip, DIRTY = stays private. tuya-bridge:
ghcr-credentials pull secret + image base -> ghcr; namespace added to
the ghcr-credentials allowlist as a safety net (new ghcr packages
default PRIVATE even from public repos — prune after visibility flip).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

stacks/kyverno/modules/kyverno/ghcr-credentials.tf

@@ -13,6 +13,10 @@
 locals {
   ghcr_private_namespaces = [
     "tripit",
+    # tuya-bridge runs a PUBLIC-decision image, but new ghcr packages default
+    # PRIVATE until their visibility is flipped (UI) — safety net so pulls
+    # work from the first deploy; prune once the package is public.
+    "tuya-bridge",
     "f1-stream",
     "job-hunter",
     "instagram-poster",

stacks/tuya-bridge/main.tf

@@ -3,7 +3,7 @@ resource "kubernetes_namespace" "tuya-bridge" {
     name = "tuya-bridge"
     labels = {
       "istio-injection" : "disabled"
-      tier = local.tiers.cluster
+      tier               = local.tiers.cluster
       "keel.sh/enrolled" = "true"
     }
   }
@@ -75,8 +75,13 @@ resource "kubernetes_deployment" "tuya-bridge" {
         image_pull_secrets {
           name = "registry-credentials"
         }
+        # ghcr image (ADR-0002 off-infra builds); secret cloned by the kyverno
+        # sync-ghcr-credentials policy (safety net while the package is private).
+        image_pull_secrets {
+          name = "ghcr-credentials"
+        }
         container {
-          image             = "forgejo.viktorbarzin.me/viktor/tuya_bridge:${var.image_tag}"
+          image             = "ghcr.io/viktorbarzin/tuya_bridge:${var.image_tag}"
           image_pull_policy = "IfNotPresent"
           name              = "tuya-bridge"
           port {