feat(iac): scaffold orca-platform layout (M1.1)

Lands manifests/, overlays/, dns/, scripts/, Makefile per M1.1. Bundles yourplatform.com→breakpilot.com rename. vms/ removed (out-of-scope for Orca).

Refs: M1.1

.gitea/workflows/ci.yaml

@@ -1,5 +1,6 @@
-# CI for orca-platform (IaC). `shared` always runs; `validate` activates
-# when at least one Orca manifest lands.
+# CI for orca-platform (IaC).
+# `shared` always runs (commitlint + gitleaks + trivy fs).
+# `validate` always runs (parses every manifest + overlay + vm spec).
 name: ci
 
 on:
@@ -53,18 +54,18 @@ jobs:
           TRIVY_VERSION=0.70.0
           curl -fsSL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" \
             | tar -xz -C /tmp trivy
-          /tmp/trivy fs --severity HIGH,CRITICAL --exit-code 1 --no-progress --skip-dirs node_modules,target,dist .
+          /tmp/trivy fs --severity HIGH,CRITICAL --exit-code 1 --no-progress --skip-dirs node_modules,target,dist,.orca-out .
 
   validate:
     runs-on: docker
-    if: hashFiles('**/*.orca.yaml','**/*.orca.yml','manifests/**') != ''
     steps:
       - uses: actions/checkout@v4
 
-      - name: install orca
+      - name: setup python
+        shell: bash
         run: |
-          curl -fsSL https://orca.meghsakha.com/install.sh | sh
-          orca version
+          which python3
+          python3 --version
 
-      - name: orca validate
-        run: orca validate ./
+      - name: make validate
+        run: make validate