feat(sandbox+bootstrap-kit): slot 61 bp-sandbox HR (deploys sandbox-controller on Sovereigns, gated SANDBOX_ENABLED) (#1634)

Wires PR #1622's platform/sandbox/chart/ into bootstrap-kit so that
sandbox-controller actually deploys on Sovereigns. Without this slot,
the chart ships but no HelmRelease installs it — Sandbox CRs sit
unhandled.

- NEW clusters/_template/bootstrap-kit/61-bp-sandbox.yaml — HelmRepository +
  HelmRelease for the `sandbox` chart (name comes from
  platform/sandbox/chart/Chart.yaml `name: sandbox`).
  - dependsOn: bp-vcluster-helmrepo (slot 60, Wave 2 per-Sandbox vCluster
    source), bp-catalyst-platform (slot 13, catalyst-system Namespace +
    catalyst-gitea-token Secret).
  - targetNamespace: catalyst-system (where the controller lives).
  - values.enabled gated default-OFF via ${SANDBOX_ENABLED:-false}
    (matches platform/sandbox/chart/values.yaml `enabled: false`).
  - env.hostCluster + env.sovereignFQDN fed from canonical
    SOVEREIGN_REGION_CANONICAL_LABEL + SOVEREIGN_FQDN substitutes.
- MODIFY kustomization.yaml — register 61-bp-sandbox.yaml after slot 60.
- MODIFY scripts/expected-bootstrap-deps.yaml — declare slot 61 with
  depends_on=[bp-vcluster-helmrepo, bp-catalyst-platform]; validator
  reports drift=0/cycles=0.

NO chart Chart.yaml bump (Wave 1 chart stays at 0.1.0).

`helm template` + `kubectl kustomize` render clean.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>