feat(iac): scaffold orca-platform layout (M1.1)

Lands the per-VM × per-service manifest tree, per-env overlays, VM specs
for SysEleven provisioning, DNS zone placeholder, plan/apply/validate
scripts, and a Makefile.

Structure (per INFRASTRUCTURE.md §2 + IMPLEMENTATION_PLAN.md M1.1):
- manifests/{vm-edge,vm-control,vm-data,stage}/<service>.toml — 35 stubs
- overlays/{dev,stage,prod}/overlay.toml — env-selection rules
- vms/{vm-edge,vm-control,vm-data,stage}.toml — OpenStack flavor/IP/firewall
- dns/yourplatform.com.zone.template — PowerDNS zone (body lands in M0.3)
- cluster.toml.tmpl — cluster-level config rendered per env
- scripts/validate.sh — TOML parse + structural sanity
- scripts/plan.sh — merge manifests + overlay → .orca-out/<env>/
- scripts/apply.sh — push to Orca controller (no-op until M1.2)
- Makefile — validate / plan / apply / diff / clean

Each manifest header names the milestone that finalises its real values;
images today are 'placeholder' for services that need their own repo to
exist first. make validate stays green; apply gates on ORCA_API_URL.

CI workflow swapped from the broken 'orca validate' to 'make validate',
which calls a Python TOML parser plus structural checks (placement.node
matches vm dir, resources.memory present, no mis-nested keys).

Refs: M1.1

overlays/README.md

@@ -0,0 +1,9 @@
+# Overlays
+
+Per-env *sparse* deltas applied on top of `manifests/`. Concept: each overlay
+file may set just the fields that differ from the base manifest. The merge
+script in `scripts/plan.sh` produces the final per-env service set at
+`.orca-out/<env>/`.
+
+For now the overlays are placeholder structures — concrete deltas land with
+the milestones that introduce real images and replica counts (M4.1, M5.1, M6.x).

overlays/dev/overlay.toml

@@ -0,0 +1,11 @@
+# Dev overlay — placeholder.
+#
+# Dev runs everything in docker-compose on the developer's laptop, not via
+# Orca. This overlay exists so `make plan ENV=dev` is symmetric with stage/
+# prod, but it does not yet point at real images.
+#
+# Real dev wiring lives in the per-service repos' `make dev` target.
+
+[env]
+name = "dev"
+api_url = ""  # no orca controller; apply is a no-op

overlays/prod/overlay.toml

@@ -0,0 +1,15 @@
+# Prod overlay.
+#
+# Selects manifests under vm-edge / vm-control / vm-data. Stage manifests
+# (manifests/stage/) are excluded from prod apply.
+
+[env]
+name = "prod"
+api_url = "${ORCA_PROD_API_URL}"
+
+[deploy]
+include_dirs = ["manifests/vm-edge", "manifests/vm-control", "manifests/vm-data"]
+
+[image]
+# Default tag for prod; release.yaml retags `env-stage` → `v$VERSION` + `env-prod`.
+default_tag = "env-prod"

overlays/stage/overlay.toml

@@ -0,0 +1,16 @@
+# Stage overlay.
+#
+# Stage maps to the single 'stage' VM, app plane only. Selects only the
+# services under manifests/stage/.
+
+[env]
+name = "stage"
+api_url = "${ORCA_STAGE_API_URL}"
+
+# Service filter: only deploy manifests under this directory.
+[deploy]
+include_dirs = ["manifests/stage"]
+
+[image]
+# Default image tag for stage builds. Per-service overrides may land later.
+default_tag = "env-stage"