Feature/1175 add minos support #281

Merged
filippo-20tab merged 17 commits into main from feature/1175-add-minos-support
Apr 28, 2026
@daniele-20tab

Member

Summary

Refactor of the Talos bootstrap to align the generated platform repository with
the new Minos architecture used by gs1-one, gs1-procedo, gs1-tendenze.

The old stacks + environments-distribution + deployment-type model is replaced
by clusters (platform) + environment→cluster mapping (services) with
per-cluster multi-select of core providers (AWS, DigitalOcean). The generated
platform repo no longer ships local .tf sources: the OpenTofu modules now live
in minos and are consumed via the
registry.gitlab.com/20tab-open/minos/{platform,service} Docker images +
GitLab Components ${CI_SERVER_FQDN}/components/opentofu/{job-templates,apply}@3.11.0.

Model change

| | Before | After |
|---|---|---|
| Platform identity | stacks (main/dev) shared by base/cluster/environment stages | clusters (dev, main) with per-cluster core_providers |
| Service identity | service_slug env-distribution coupled to stacks | service_slug × environment (mapped to a cluster via env_to_cluster) |
| Deployment enum | digitalocean-k8s / other-k8s | implicit, derived from cluster_core_providers |
| TFC workspaces | flat ${proj}_${svc}_${stage}_${stack} | grouped under tfe_project "${proj}" with default_execution_mode = "local", named ${proj}_platform_${cluster}_core_${provider} and ${proj}_platform_${cluster}_kubernetes |
| Vault paths | stacks/${stack}/…, envs/${env}/… | platforms/${cluster}/…, envs/${env}/…, envs/${env}/${service}/… |

Generated platform repo (output)

  • .gitlab-ci.yml clone of gs1-one/.gitlab-ci.yml (matrix CORE_PROVIDER,
    image: minos/platform, stages core:plan/apply and kubernetes:plan/apply,
    workflow rules require CLUSTER=<slug> on web pipelines).
  • minos/${CLUSTER}/core/{aws,digitalocean}.tfvars + minos/${CLUSTER}/kubernetes.tfvars
    generated post-cookiecutter in Python (loop on clusters × providers).
  • vault-project.tfvars.example pre-populated for Phase A admin run of
    vault-project.
  • Service sub-directories (backend/, frontend/) are populated as independent
    GitLab projects with their own .git by the sub-bootstrappers.
  • Removed: terraform/, scripts/deploy/, traefik/, docker-compose.yaml,
    legacy stages-based .gitlab-ci.yml, Terraform-specific .gitignore block.

Internal changes

  • bootstrap/collector.py: set_clusters() (multi-cluster + per-cluster
    comma-separated providers), set_envs() (env→cluster mapping). Removed
    set_deployment_type(), set_environments_distribution(), set_kubernetes().
  • bootstrap/runner.py: new fields clusters, cluster_core_providers,
    env_to_cluster, python_version, node_version, minos_platform_image,
    minos_service_image, opentofu_component_version, opentofu_version. New
    render_minos_per_cluster_files(). Vault payload moved to per-cluster
    paths. init_subrepo() propagates the new fields to django-cd / nextjs-cd
    sub-runners. init_terraform_cloud() rewrites the local TFC module env vars.
    Dropped set_stacks, collect_tfvars, all register_*_tfvars helpers, and
    the kubernetes_*/deployment_type/environments_distribution fields.
  • terraform/terraform-cloud/main.tf: introduces tfe_project.main with
    default_execution_mode = "local", workspaces inherit, provider
    tfe ~> 0.70. Service workspaces are no longer created here — they remain a
    responsibility of the sub-bootstrappers, which are still functional standalone.
  • terraform/gitlab/main.tf: dropped REGISTRY_PASSWORD / REGISTRY_USERNAME
    group variables (CI now uses GitLab built-in CI_DEPLOY_*).
  • cookiecutter.json: cleaned of legacy keys, new defaults for cluster
    vocabulary, Minos images, OpenTofu and Python versions.

Sub-bootstrapper alignment

  • django-continuous-delivery#… (companion PR): same model, uv-based Dockerfile
    on Python 3.14, pyproject.toml, scripts aligned to gs1-one/api.
  • nextjs-continuous-delivery already merged (PR Add cluster-level logging #84) + follow-up branch
    feature/1175-tfc-cloud-followup for the TFC module rewrite.

Both sub-bootstrappers retain their own terraform/terraform-cloud/ modules so
they keep working standalone; Talos passes terraform_cloud_project_create=False
when invoking them, so the TFC project is created once by Talos and reused by
each sub idempotently.

Breaking changes

  • The runner CLI options deployment_type, environments_distribution,
    kubernetes_cluster_ca_certificate, kubernetes_host, kubernetes_token
    are gone. Existing automation scripts passing these flags must drop them.
  • other-k8s deployment is no longer supported (Minos service module is
    DigitalOcean-only today; can be re-introduced when a generic-k8s Minos
    variant ships).
  • TFC provider constraint bumped to ~> 0.70 (needs default_execution_mode
    on tfe_project).
  • Vault paths layout changes: existing data under stacks/… is not
    migrated automatically; legacy projects keep their layout, new projects use
    platforms/{cluster}/….

Prerequisites

  • Phase A: an admin must run vault-project once per project (the generated
    vault-project.tfvars.example has the correct values pre-filled).
  • TFC organization must exist (gs1it-servizi for the GS1 line) or
    terraform_cloud_organization_create=True at bootstrap.

Verification

  • docker run --rm --entrypoint python <image> -m unittest discover tests
    91 tests, 0 failures.
  • Smoke-tested cookiecutter rendering inside the bootstrap image: platform
    repo top-level + minos/{dev,main}/core/{aws,digitalocean}.tfvars +
    kubernetes.tfvars generated as expected; vault-project.tfvars.example
    rendered with the correct services list derived from
    backend_service_slug + frontend_service_slug.
  • Workspace naming cross-checked with the live TFC API for gs1-one and
    gs1-procedo (gs1it-servizi org).

Post-merge

  • Tag legacy/v1 on the previous main head.
  • Tag v2.0.0 after merge.
  • Update the ~/.claude/plans/1175-handoff.md reference doc if the parallel
    workstream notes change.

@daniele-20tab daniele-20tab self-assigned this Apr 28, 2026
@filippo-20tab filippo-20tab merged commit 32a4d7c into main Apr 28, 2026
2 checks passed
@daniele-20tab daniele-20tab deleted the feature/1175-add-minos-support branch April 28, 2026 12:14
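
The cluster × provider naming scheme described in the PR, as an added example that is not Talos code: it derives the expected tfvars files, TFC platform workspaces and Vault prefixes, rejects an environment mapped to an undeclared cluster, and diffs the expected workspaces against a list observed in TFC. The function names, the `demo` project slug and the sample data are assumptions constructed for illustration.

```python
# Added example: helper names are hypothetical, not taken from bootstrap/runner.py.
ALLOWED_PROVIDERS = {"aws", "digitalocean"}  # core providers named in the PR


def expected_layout(project, cluster_core_providers, env_to_cluster):
    """Derive tfvars files, TFC platform workspaces and Vault prefixes."""
    files, workspaces, vault_prefixes = [], [], []
    for cluster, providers in sorted(cluster_core_providers.items()):
        unknown = set(providers) - ALLOWED_PROVIDERS
        if unknown or not providers:
            raise ValueError(f"cluster {cluster!r}: bad providers {sorted(providers)}")
        for provider in sorted(providers):
            files.append(f"minos/{cluster}/core/{provider}.tfvars")
            workspaces.append(f"{project}_platform_{cluster}_core_{provider}")
        files.append(f"minos/{cluster}/kubernetes.tfvars")
        workspaces.append(f"{project}_platform_{cluster}_kubernetes")
        vault_prefixes.append(f"platforms/{cluster}/")
    for env, cluster in sorted(env_to_cluster.items()):
        # An environment pointing at an undeclared cluster would be deployed
        # with no matching platform workspace or Vault prefix: fail early.
        if cluster not in cluster_core_providers:
            raise ValueError(f"env {env!r} maps to unknown cluster {cluster!r}")
        vault_prefixes.append(f"envs/{env}/")
    return {"files": files, "workspaces": workspaces, "vault_prefixes": vault_prefixes}


def workspace_drift(project, expected, observed):
    """Compare expected platform workspaces with names observed in TFC.

    Service workspaces are owned by the sub-bootstrappers, so only names
    under the '<project>_platform_' prefix are considered.
    """
    prefix = f"{project}_platform_"
    platform = {name for name in observed if name.startswith(prefix)}
    return {"missing": sorted(set(expected) - platform),
            "unexpected": sorted(platform - set(expected))}


if __name__ == "__main__":
    # Constructed sample input.
    layout = expected_layout(
        "demo",
        {"dev": ["aws", "digitalocean"], "main": ["digitalocean"]},
        {"dev": "dev", "stage": "dev", "prod": "main"},
    )
    observed = ["demo_platform_dev_core_aws", "demo_platform_dev_kubernetes",
                "demo_platform_main_core_gcp", "demo_backend_dev"]
    print(layout["files"])
    print(workspace_drift("demo", layout["workspaces"], observed))
```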