feat(iac): scaffold orca-platform layout (M1.1)

Lands manifests/, overlays/, dns/, scripts/, Makefile per M1.1. Bundles yourplatform.com→breakpilot.com rename. vms/ removed (out-of-scope for Orca).

Refs: M1.1

scripts/apply.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+# `make apply ENV=<env>` — push the resolved manifest set to an Orca controller.
+#
+# Refuses to run unless ORCA_API_URL is set (or read from overlays/<env>).
+# In M1.1 this is a guard; the real call lands once vm-edge has an Orca
+# controller (M1.2).
+
+set -euo pipefail
+
+ENV="${ENV:?usage: make apply ENV=<dev|stage|prod>}"
+case "$ENV" in dev|stage|prod) ;; *) echo "unknown env: $ENV" >&2; exit 2;; esac
+
+ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+cd "$ROOT"
+OUT="$ROOT/.orca-out/$ENV"
+
+if [ ! -d "$OUT" ]; then
+  echo "no resolved manifests at $OUT — run \`make plan ENV=$ENV\` first" >&2
+  exit 1
+fi
+
+if [ -z "${ORCA_API_URL:-}" ]; then
+  echo "ORCA_API_URL not set." >&2
+  echo "M1.2 will provision the controller; until then \`make apply\` is a no-op." >&2
+  echo "Want to dry-run? Use \`make plan ENV=$ENV\` and inspect .orca-out/$ENV/." >&2
+  exit 0  # exit 0 — no-op is the expected M1.1 behaviour
+fi
+
+# Real apply once a controller exists. orca CLI deploys a directory of TOMLs.
+echo "=== apply ENV=$ENV against $ORCA_API_URL ==="
+orca --api "$ORCA_API_URL" deploy --file "$OUT"

scripts/plan.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+# `make plan ENV=<env>` — show what would be deployed for the given env.
+#
+# Merges manifests/ with overlays/<env>/overlay.toml and writes the resolved
+# service set to .orca-out/<env>/. Does NOT contact a cluster.
+#
+# Behavior in M1.1: the merge is a passthrough (overlays are placeholders).
+# A real merge that resolves per-env image tags and replica counts will land
+# alongside the first env-specific delta (M1.2 or later).
+
+set -euo pipefail
+
+ENV="${ENV:?usage: make plan ENV=<dev|stage|prod>}"
+case "$ENV" in dev|stage|prod) ;; *) echo "unknown env: $ENV" >&2; exit 2;; esac
+
+ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+cd "$ROOT"
+OUT="$ROOT/.orca-out/$ENV"
+rm -rf "$OUT"
+mkdir -p "$OUT"
+
+OVERLAY="overlays/$ENV/overlay.toml"
+[ -f "$OVERLAY" ] || { echo "missing $OVERLAY" >&2; exit 1; }
+
+# Read include_dirs from overlay; fall back to all VMs (dev default).
+INCLUDE_DIRS=$(python3 - "$OVERLAY" <<'PY'
+import sys, tomllib
+data = tomllib.load(open(sys.argv[1], 'rb'))
+dirs = data.get('deploy', {}).get('include_dirs')
+if dirs is None:
+    dirs = ['manifests/vm-edge', 'manifests/vm-control', 'manifests/vm-data', 'manifests/stage']
+print('\n'.join(dirs))
+PY
+)
+
+echo "=== plan ENV=$ENV ==="
+echo "overlay:       $OVERLAY"
+echo "include_dirs:"
+echo "$INCLUDE_DIRS" | sed 's/^/  /'
+echo
+
+count=0
+while IFS= read -r dir; do
+  [ -d "$dir" ] || continue
+  for tml in "$dir"/*.toml; do
+    [ -e "$tml" ] || continue
+    rel="${tml#manifests/}"
+    dest="$OUT/$rel"
+    mkdir -p "$(dirname "$dest")"
+    cp "$tml" "$dest"
+    count=$((count+1))
+  done
+done <<< "$INCLUDE_DIRS"
+
+echo "→ wrote $count resolved manifests to .orca-out/$ENV/"
+echo "→ apply with: ORCA_API_URL=<url> make apply ENV=$ENV"

scripts/restore-drill.sh.template

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+# Stub — M1.3 fills this in.
+# Per INFRASTRUCTURE.md §10 Scenario F, a quarterly cold-restore drill is
+# required: pull latest pg_dump from S3, restore into a scratch Postgres,
+# verify row counts, post result to oncall.
+#
+# Concrete steps land with M1.3 (Backups, monitoring, on-call).
+echo "restore drill not implemented yet — see M1.3" >&2
+exit 1

scripts/validate.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+# TOML syntax + structural sanity for every manifest in this repo.
+# Used by `make validate` and by .gitea/workflows/ci.yaml.
+set -euo pipefail
+
+ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+cd "$ROOT"
+
+python3 - "$ROOT" <<'PY'
+import sys, tomllib, pathlib
+root = pathlib.Path(sys.argv[1])
+errs = []
+count = 0
+for p in sorted(root.glob('manifests/**/*.toml')):
+    count += 1
+    try:
+        data = tomllib.load(open(p, 'rb'))
+    except Exception as e:
+        errs.append(f'{p}: TOML parse: {e}')
+        continue
+    svcs = data.get('service')
+    if not svcs:
+        errs.append(f'{p}: no [[service]] block')
+        continue
+    for svc in svcs:
+        for required in ('name', 'image'):
+            if required not in svc:
+                errs.append(f'{p}: service missing required field "{required}"')
+        # forbidden nesting bugs
+        for sub in ('placement', 'resources', 'env', 'volume'):
+            if isinstance(svc.get(sub), dict):
+                for fb in ('depends_on', 'extra_ports', 'cmd', 'mounts'):
+                    if fb in svc[sub]:
+                        errs.append(f'{p}: "{fb}" nested under [service.{sub}] — must be at [[service]] level')
+        # placement.node must match parent vm directory
+        node = (svc.get('placement') or {}).get('node')
+        vm_dir = p.parent.name
+        if node and node != vm_dir:
+            errs.append(f'{p}: placement.node "{node}" mismatches dir "{vm_dir}"')
+        if not node:
+            errs.append(f'{p}: missing placement.node')
+        mem = (svc.get('resources') or {}).get('memory')
+        if not mem:
+            errs.append(f'{p}: missing resources.memory (mandatory per §8 rule 5)')
+# Validate overlays parse too
+for p in sorted(root.glob('overlays/*/overlay.toml')):
+    count += 1
+    try:
+        tomllib.load(open(p, 'rb'))
+    except Exception as e:
+        errs.append(f'{p}: TOML parse: {e}')
+print(f'checked {count} files')
+for e in errs:
+    print('  ', e)
+sys.exit(1 if errs else 0)
+PY