docs(platform): add policy configs, runbooks, ops scripts and platform documentation

Config policies (16 files): alert_routing, architecture_pressure, backlog,
cost_weights, data_governance, incident_escalation, incident_intelligence,
network_allowlist, nodes_registry, observability_sources, rbac_tools_matrix,
release_gate, risk_attribution, risk_policy, slo_policy, tool_limits, tools_rollout

Ops (22 files): Caddyfile, calendar compose, grafana voice dashboard,
deployments/incidents logs, runbooks for alerts/audit/backlog/incidents/sofiia/voice,
cron jobs, scripts (alert_triage, audit_cleanup, migrate_*, governance, schedule),
task_registry, voice alerts/ha/latency/policy

Docs (30+ files): HUMANIZED_STEPAN v2.7-v3 changelogs and runbooks,
NODA1/NODA2 status and setup, audit index and traces, backlog, incident,
supervisor, tools, voice, opencode, release, risk, aistalk, spacebot

Made-with: Cursor

ops/Caddyfile

@@ -0,0 +1,38 @@
+# Caddyfile for Radicale CalDAV Server
+
+# Global options
+{
+    email {$CADDY_ACME_EMAIL:admin@daarion.space}
+    on_demand_tls
+}
+
+# HTTP to HTTPS redirect
+http:// {
+    redir https://{host}{uri} 308
+}
+
+# CalDAV HTTPS endpoint
+https://caldav.daarion.space {
+    # Reverse proxy to Radicale
+    reverse_proxy radicale:5232
+    
+    # Security headers
+    header {
+        X-Frame-Options "SAMEORIGIN"
+        X-Content-Type-Options "nosniff"
+        X-XSS-Protection "1; mode=block"
+        Referrer-Policy "strict-origin-when-cross-origin"
+        Content-Security-Policy "default-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'"
+    }
+    
+    # Basic auth for Radicale
+    basic_auth {
+        {$CADDY_BASIC_AUTH}
+    }
+    
+    # TLS settings
+    tls {
+        min_version tls1.2
+        cipher_suites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+    }
+}