feat(worldbuilder): add fc-worldbuilder ArgoCD app

FlowerCore.WorldBuilder runtime deploy: Namespace + Longhorn PVC + Deployment
+ Service + step-ca Certificate + Traefik IngressRoute. ArgoCD ApplicationSet
picks up apps/worldbuilder/ within ~3 minutes.

Source: D:\git\FlowerCore\FlowerCore.WorldBuilder@6ed6d26

Initial image: localhost/fc-worldbuilder:v202605062048 (already imported on
all 3 RKE2 nodes via ctr images import).

DNS preflight done: worldbuilder.iamworkin.lan -> 10.0.56.200 (Traefik VIP)
in pfSense Unbound (FlowerCore.DNS provider was 502 at deploy time, fell back
to direct pfSense PHP exec via diag_command.php).

ImageGen backend: BLUEJAY-WS http://10.0.56.20:8188 (R9700 / gfx1201 / ROCm
7.2.1). One real branding render confirmed working 2026-05-06T20:36:47Z.

Memory references in README:
- feedback_pfsense_dns_required_for_acme
- feedback_rke2_image_import_per_node_scp
- feedback_k8s_probes_must_not_hit_openapi
- feedback_k8s_probes_behind_auth_middleware
- feedback_dataprotection_keys_persist_to_app_dbcontext

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

apps/worldbuilder/README.md

@@ -0,0 +1,60 @@
+# FlowerCore.WorldBuilder
+
+ArgoCD-managed manifest for FlowerCore.WorldBuilder.Web — comic / storyboard
+authoring service that drives ComfyUI for panel image generation and
+QuestPDF for letter / A4 export.
+
+Source: `D:\git\FlowerCore\FlowerCore.WorldBuilder` (master)
+
+## Deployment order
+
+1. **DNS preflight** — `worldbuilder.iamworkin.lan -> 10.0.56.200` MUST exist
+   in pfSense Unbound before this manifest is applied, or cert-manager
+   HTTP-01 silently exponential-backs-off ~2h.
+   Memory: `feedback_pfsense_dns_required_for_acme`.
+2. **Image import to ALL RKE2 nodes** — pod can schedule to any of
+   `rke2-server` (10.0.56.11), `rke2-agent1` (10.0.56.12),
+   `rke2-agent2` (10.0.56.13). Build with:
+   ```bash
+   bash deploy/build.sh   # in FlowerCore.WorldBuilder repo
+   podman save localhost/fc-worldbuilder:v<TAG> -o /tmp/fc-worldbuilder-v<TAG>.tar
+   for h in 10.0.56.11 10.0.56.12 10.0.56.13; do
+     scp /tmp/fc-worldbuilder-v<TAG>.tar fcadmin@$h:/tmp/
+     ssh fcadmin@$h \
+       "sudo /var/lib/rancher/rke2/bin/ctr -a /run/k3s/containerd/containerd.sock \
+         -n k8s.io images import /tmp/fc-worldbuilder-v<TAG>.tar"
+   done
+   ```
+   Memory: `feedback_rke2_image_import_per_node_scp`.
+3. **Bump image tag** in `worldbuilder.yaml` and git push.
+   ArgoCD ApplicationSet picks up within ~3 minutes.
+4. **First production render** — open `https://worldbuilder.iamworkin.lan`,
+   create World → Character → Storyboard → ExportJob, confirm artifact
+   downloads. ComfyUI lives on BLUEJAY-WS at `http://10.0.56.20:8188`.
+
+## Health probes
+
+- `startupProbe` + `readinessProbe`: `httpGet /healthz` (registered explicitly
+  in Program.cs — anonymous, no DB or OpenAPI dependency).
+- `livenessProbe`: `tcpSocket` as a cheap fallback.
+  Memory: `feedback_k8s_probes_must_not_hit_openapi`,
+  `feedback_k8s_probes_behind_auth_middleware`.
+
+## Storage
+
+- Longhorn RWO PVC `worldbuilder-data` (5Gi) mounted at `/data`. SQLite DB
+  lives at `/data/worldbuilder.db`, generated images under `/data/gallery/`,
+  PDF/PNG exports under `/data/exports/`.
+- DataProtection keys persist to the same SQLite via
+  `AddFlowerCoreDataProtection<WorldBuilderDbContext>` — explicit migration
+  `20260429133417_Initial` already creates `fc_dp_keys`.
+  Memory: `feedback_dataprotection_keys_persist_to_app_dbcontext`,
+  `feedback_intranet_dataprotection_table_must_have_explicit_migration`.
+
+## Image generation backend
+
+`FlowerCore:WorldBuilder:ImageGeneration:BaseUrl=http://10.0.56.20:8188` —
+ComfyUI runs on BLUEJAY-WS Windows (R9700 / gfx1201 / ROCm 7.2.1). Pod reaches
+the workstation directly across the 10.0.56.0/24 VLAN (no Podman-style host-
+filter issues — K8s pods route via Calico, which is L3-routed across the
+VLAN).