fc-apple-mdm: add NanoHUB GitOps workload

apps/fc-apple-mdm/1password-item.yaml

@@ -0,0 +1,32 @@
+# Runtime secret placeholder for the self-hosted Apple MDM substrate.
+#
+# OnePasswordItem operator syncs this item into a Kubernetes Secret with the
+# same name. Expected fields for MDM-N1:
+#   NANOHUB_API_KEY
+#
+# Optional fields for later lanes:
+#   NANOHUB_WEBHOOK_URL
+#   APNS_MDM_CERT_PEM
+#   APNS_MDM_KEY_PEM
+#   APNS_MDM_TOPIC
+#   SCEP_CA_CERT_PEM
+#   SCEP_CA_KEY_PEM
+#   PROFILE_SIGNING_CERT_PEM
+#   PROFILE_SIGNING_KEY_PEM
+#
+# Do not commit APNs, SCEP, profile-signing, webhook, or API key material to
+# Git. MDM-N1 only consumes NANOHUB_API_KEY and optional NANOHUB_WEBHOOK_URL.
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: fc-apple-mdm-runtime
+  namespace: fc-apple-mdm
+  labels:
+    app.kubernetes.io/name: fc-apple-mdm
+    app.kubernetes.io/component: secrets
+    app.kubernetes.io/part-of: flowercore
+    app.kubernetes.io/managed-by: argocd
+    flowercore.io/tenant-id: system
+    flowercore.io/created-by: bluejay-infra
+spec:
+  itemPath: "vaults/IAmWorkin/items/FlowerCore Apple MDM Runtime"