Make make up work end-to-end + real success-rate canary

[ykstorm]

What changed

• Self-contained /metrics demo workload (apps/demo, Express + prom-client) emitting http_requests_total{service,code,method,path} — the canary subject. No private buyerchat dependency; anyone who clones can run it. + ServiceMonitor.
• Ordered bootstrap.sh with kubectl wait gates: kind → tigera-operator → Calico → nodes Ready → namespaces → sealed-secrets → SealedSecrets → ArgoCD → app-of-apps → Synced. Namespace mismatch (workload vs SealedSecret) unified.
• Real canary analysis: helm/demo AnalysisTemplate computes sum(rate(http_requests_total{code=~"2.."}[2m]))/sum(rate(http_requests_total[2m])) from Prometheus — not the old up{} liveness check.
• README honesty: ~12–15 min (not 10), single-node (not 3-node), dropped 'dashboards pre-imported'. + docs/CLAIM_AUDIT.md.

Static verification (all green)

• demo app: node --check OK, unit tests 2/2 pass
• helm lint helm/demo → 0 failed
• helm template helm/demo -f values.dev.yaml → renders Rollout + AnalysisTemplate (real query) + Service + ServiceMonitor; default values → Deployment (mutual exclusion correct)

⏳ LIVE VERIFY PENDING — make up has not yet been run on a cluster. A follow-up will attach the live kubectl get pods -A + a canary-rollout screenshot (and correct any ingress hostnames to what actually resolves) before merge.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[ykstorm]

Live verify — partial (real bugs fixed, full canary blocked by local RAM)

Ran make up against local Docker (kind, single node). It got the cluster up — node Ready, Calico, sealed-secrets, ingress-nginx, cert-manager, kube-prometheus-stack (Prometheus healthy), ArgoCD, and the demo Rollout all installed — and surfaced two real bugs that static review missed, now fixed in this PR:

1. sealed-secrets — the bitnami-labs.github.io/sealed-secrets Helm index returns 404; switched to installing the controller from the upstream release manifest.
2. kube-prometheus-stack — grafana can take >300s to become Available; raised the helm --wait timeout to 600s.

Full canary money-shot (10→100 with success-rate analysis) is blocked by host resources, not code: Docker Desktop here is allocated 3.5 GB, and below ~4 GB the controllers (argo-rollouts, kps-operator, tigera-operator, argocd-repo-server) lose their API watches and crash-loop (clean exit 0, not OOM) — so the Rollout controller can't drive the canary. Documented the ~6 GB floor in the README.

To finish: bump Docker Desktop memory to ≥6 GB + restart, re-run make up, then capture the canary progression + Prometheus success-rate. Holding the merge until that lands.