chore: clean up cloudflared token handling and add pending files

- Remove hardcoded TUNNEL_TOKEN from cloudflared docker-compose.yml
  (now reads from .env via ${TUNNEL_TOKEN:?...})
- Delete backup file that contained raw token
- Add .env.example template for cloudflared
- Add scripts/rollout-cloudflared-token.sh for token rotation
- Add apps/kitestacks-portal/public/flux/index.html (FluxCD status page)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

scripts/rollout-cloudflared-token.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [[ $# -ne 1 ]]; then
+  echo "Usage: $0 '<cloudflare_tunnel_connector_token>'" >&2
+  exit 2
+fi
+
+token="$1"
+monk_dir="${MONK_CLOUDFLARED_DIR:-$HOME/kitestacks-live/docker/cloudflared}"
+kscloud1_host="${KSCLOUD1_HOST:?set KSCLOUD1_HOST, for example user@host}"
+kscloud1_key="${KSCLOUD1_KEY:-$HOME/.ssh/id_ed25519_kscloud1}"
+kscloud1_dir="${KSCLOUD1_CLOUDFLARED_DIR:-/opt/kitestacks/docker/cloudflared}"
+
+if [[ ! -d "$monk_dir" ]]; then
+  echo "Missing monk cloudflared dir: $monk_dir" >&2
+  exit 1
+fi
+
+printf 'TUNNEL_TOKEN=%s\n' "$token" > "$monk_dir/.env"
+perl -0pi -e 's/TUNNEL_TOKEN=[^\n]+/TUNNEL_TOKEN=\${TUNNEL_TOKEN:?set TUNNEL_TOKEN in .env}/' "$monk_dir/docker-compose.yml"
+docker compose -f "$monk_dir/docker-compose.yml" up -d
+
+ssh -F /dev/null -i "$kscloud1_key" -o BatchMode=yes -o StrictHostKeyChecking=accept-new "$kscloud1_host" \
+  "set -euo pipefail
+   cd '$kscloud1_dir'
+   umask 077
+   printf 'TUNNEL_TOKEN=%s\n' '$token' > .env
+   perl -0pi -e 's/TUNNEL_TOKEN=[^\\n]+/TUNNEL_TOKEN=\\\${TUNNEL_TOKEN:?set TUNNEL_TOKEN in .env}/' docker-compose.yml
+   docker compose up -d"
+
+echo "Cloudflared token rolled out to monk and kscloud1."