Phase 0: install Keel + Kyverno auto-update annotation injector

Foundation for opt-out-pure auto-update model per
docs/plans/2026-05-16-auto-upgrade-apps-{design,plan}.md.

- New stack `stacks/keel/` deploys Keel via Helm (charts.keel.sh, v1.0.6).
  Polls registries hourly per design decision #8. Default schedule
  overridable per-workload via keel.sh/pollSchedule annotation.
- New Kyverno ClusterPolicy `inject-keel-annotations` mutates Deployments,
  StatefulSets, and DaemonSets in namespaces labeled `keel.sh/enrolled=true`
  with keel.sh/policy=force + trigger=poll + pollSchedule=@every 1h.
- Phase 0 enrolls no namespaces. Phase 1 (next session) labels the
  self-hosted set.
- Per-workload opt-out: label `keel.sh/policy: never` (used by rollback
  runbook and chrome-service-style deliberate pins).
- Keel namespace excluded from the mutate — supervisor self-update has
  too-bad a failure mode (decision #11).
- AGENTS.md: KYVERNO_LIFECYCLE_V2 marker convention added for the
  ignore_changes block enrolled workloads need.
- .claude/CLAUDE.md: docker-images rule flagged as transitional.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

stacks/kyverno/modules/kyverno/keel-annotations.tf

@@ -0,0 +1,82 @@
+# =============================================================================
+# Keel Auto-Update Annotation Injector
+# =============================================================================
+# Design: infra/docs/plans/2026-05-16-auto-upgrade-apps-design.md
+# Plan:   infra/docs/plans/2026-05-16-auto-upgrade-apps-plan.md
+#
+# Mutate policy that adds keel.sh/* annotations to Deployments,
+# StatefulSets and DaemonSets in *opted-in* namespaces. Opt-in is via a
+# label on the namespace:
+#
+#   labels = { "keel.sh/enrolled" = "true" }
+#
+# Phase rollout = label more namespaces. No edit to this file per phase.
+#
+# Workloads can individually opt out with the label keel.sh/policy=never
+# (used by the rollback runbook). The keel namespace itself is always
+# excluded (design decision #11 — supervisor must not auto-update).
+
+resource "kubernetes_manifest" "policy_inject_keel_annotations" {
+  manifest = {
+    apiVersion = "kyverno.io/v1"
+    kind       = "ClusterPolicy"
+    metadata = {
+      name = "inject-keel-annotations"
+      annotations = {
+        "policies.kyverno.io/title"       = "Inject Keel Auto-Update Annotations"
+        "policies.kyverno.io/category"    = "Automation"
+        "policies.kyverno.io/severity"    = "low"
+        "policies.kyverno.io/description" = "Adds keel.sh/policy: force + trigger: poll annotations to workloads in namespaces labeled keel.sh/enrolled=true. Phase rollout per docs/plans/2026-05-16-auto-upgrade-apps-{design,plan}.md."
+      }
+    }
+    spec = {
+      background = true
+      rules = [{
+        name = "add-keel-annotations"
+        match = {
+          any = [{
+            resources = {
+              kinds = ["Deployment", "StatefulSet", "DaemonSet"]
+              namespaceSelector = {
+                matchLabels = {
+                  "keel.sh/enrolled" = "true"
+                }
+              }
+            }
+          }]
+        }
+        exclude = {
+          any = [
+            {
+              resources = {
+                namespaces = ["keel"]
+              }
+            },
+            {
+              resources = {
+                selector = {
+                  matchLabels = {
+                    "keel.sh/policy" = "never"
+                  }
+                }
+              }
+            },
+          ]
+        }
+        mutate = {
+          patchStrategicMerge = {
+            metadata = {
+              annotations = {
+                # `+(...)` only adds if not present; per-workload overrides win.
+                "+(keel.sh/policy)"       = "force"
+                "+(keel.sh/trigger)"      = "poll"
+                "+(keel.sh/pollSchedule)" = "@every 1h"
+              }
+            }
+          }
+        }
+      }]
+    }
+  }
+  depends_on = [helm_release.kyverno]
+}