Implement path-based Flux scoping for workload isolation

[dapperdivers]

Context

Instead of splitting the repo by concern (media, AI, etc.), use path-scoped Flux Kustomizations for blast radius reduction and independent reconciliation.

SDLC Integration

This becomes more valuable with our PR-based workflow:

1. flux-local (already implemented) validates Kustomization changes statically on PR
2. Path-based scoping means a broken media change can't take down AI or security
3. vCluster can test specific domain changes in isolation before merge

Changes

Split the single cluster-apps Kustomization into domain-scoped Kustomizations:

• apps-media, apps-ai, apps-security, apps-observability, etc.
• Each reconciles independently with its own health checks
• Failures are isolated to their domain

Tasks

• Design domain-scoped Kustomization structure
• Split cluster-apps into domain Kustomizations
• Verify flux-local workflow handles the new structure
• Test with a deliberate bad change to verify blast radius isolation
• Update CODEOWNERS to match domain scoping

[dapperdivers]

Decision: This should be tested in the dev vCluster (#2537) before applying to production. Splitting the root Kustomization changes Flux reconciliation behavior and dependency ordering — needs validation first.

Current structure already has per-namespace kustomizations, so the change is primarily at the kubernetes/flux/cluster/ks.yaml level — splitting cluster-apps into domain-scoped Kustomizations (apps-media, apps-ai, etc.).