feat(provision): automated user provisioning via Authentik webhook

- Expand CI Vault policy: write secret/data/platform + Transit SOPS keys
- Add Woodpecker provision-user.yml pipeline (manual event, API-triggered)
- Add env vars to webhook-handler deployment for Woodpecker/Authentik integration
- Update add-user skill with automated flow documentation
- Update Woodpecker repo ID list in CLAUDE.md

stacks/vault/main.tf

@@ -327,10 +327,24 @@ resource "vault_policy" "ci" {
     path "secret/metadata/*" {
       capabilities = ["list"]
     }
+    # Allow CI to write k8s_users during automated user provisioning
+    path "secret/data/platform" {
+      capabilities = ["create", "read", "update"]
+    }
     # Allow CI to get dynamic K8s deploy tokens for user namespaces
     path "kubernetes/creds/*-deployer" {
       capabilities = ["read"]
     }
+    # SOPS state encrypt/decrypt (per-stack Transit keys)
+    path "transit/encrypt/sops-state-*" {
+      capabilities = ["update"]
+    }
+    path "transit/decrypt/sops-state-*" {
+      capabilities = ["update"]
+    }
+    path "transit/keys/sops-state-*" {
+      capabilities = ["read"]
+    }
   EOT
 }