feat(backup): enable the daily backup CronJob on prod (Vault creds wired)

tools#5 granted the erp prod Vault policy read on kvv2/data/longhorn/gcs-backup
(applied + verified: 1 changed, 0 destroyed). So the CronJob's VaultStaticSecret
can now resolve the GCS creds.

- backup.enabled: true (prod), vaultS3Path: longhorn/gcs-backup.
- sandbox overlay keeps backup.enabled: false (reproducible; its env policy wasn't
  granted the read).

ArgoCD will deploy the CronJob + ConfigMap + VaultStaticSecret in the erp namespace.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

chart/values-sandbox.yaml

@@ -38,3 +38,9 @@ ingress:
       paths:
         - path: /
           pathType: Prefix
+
+# The sandbox is reproducible (iso-prod refresh), so it needs no offsite backup —
+# and its env=sandbox Vault policy wasn't granted read on the GCS creds path
+# (only prod was, tools#5). Keep the CronJob off here.
+backup:
+  enabled: false

chart/values.yaml

@@ -138,9 +138,11 @@ affinity: {}
 # `auth` Vault role must be granted read on kvv2/<vaultS3Path>). The manual
 # orchestrator ops/backup/dolibarr-backup.sh works today without this.
 backup:
-  enabled: false
+  enabled: true
   schedule: "0 3 * * *"        # daily 03:00 UTC
   bucket: arcodange-backup
   pgHost: "192.168.1.202"      # direct Postgres host (matches ops/sandbox + ops/backup)
   image: postgres:16-alpine
-  vaultS3Path: erp/backup      # kvv2/<this> → AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_ENDPOINTS
+  # Shared GCS HMAC creds; the erp prod Vault policy was granted read on this path
+  # (tools#5: kv_read_paths). VSO reads kvv2/data/longhorn/gcs-backup.
+  vaultS3Path: longhorn/gcs-backup