ADR-0002 Phase D, Vault layer. `erp` gains `envs = ["prod", "sandbox"]`,
which flows into the app_policy module (main.tf:81 `envs = each.value.envs`).
For erp the module now resolves instances = ["erp", "erp-sandbox"], so the
apply:
- ADDS vault_policy.app_non_prod["erp-sandbox"] — the runtime policy
named `erp-sandbox` (read kvv2/data/erp-sandbox/* +
postgres/creds/erp-sandbox*), consumed by the sandbox pod's VSO.
- UPDATES vault_policy.ops["erp"] in place — the `erp-ops` CI policy
gains the erp-sandbox kvv2 data/delete/undelete/destroy/metadata
rules + the erp-sandbox values in the k8s-role allowed_parameter
lists, so CI can manage the sandbox instance. The glob rules
(postgres/roles/erp*, kvv1/cloudflare/erp*, auth/kubernetes/role/erp*)
already covered erp-sandbox, so they don't change.
No destroy/replace. prod `erp` runtime policy + every other app render
byte-identical (their envs still default to ["prod"]).
Diff kept to the single erp line — the pre-existing cms/crowdsec/plausible
alignment is left as-is on main (not reformatting unrelated entries).
D2 of Phase D. D1 (postgres DB+role) = factory#17 (merged). D3 (erp iac
creds + KV) and D4 (ArgoCD) follow.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
