renovate: expand to Tier 1 allowlist + 3-day stability delay

Grows the Renovate pilot from 4 apps to a 16-app Tier 1 allowlist of
low-risk leaf apps (no DBs / schema migrations). packageRules keeps the
same 4-rule shape (default-deny, enable, automerge-minor/patch,
major-dashboard-approval) with the expanded package list in all three
Tier 1 rules.

Behavior changes:
- minimumReleaseAge "3 days" on the automerge rule: Renovate won't open
  a minor/patch PR until the tag has been published upstream for 3 days
  (stability gate; chosen over branch protection, which would disable
  automerge entirely).

Image-string corrections vs. the planned list (Renovate matches the
exact image as written in the manifest; verified against the YAML):
- homepage  -> ghcr.io/gethomepage/homepage   (had no registry)
- reloader  -> ghcr.io/stakater/reloader      (had no registry)
- termix    -> ghcr.io/lukegus/termix         (had no registry)

Notes:
- registry.k8s.io/kube-state-metrics/kube-state-metrics is kept in the
  list but currently matches nothing: ksm has no image in this repo
  (only a Prometheus scrape target), so it's a harmless no-op until ksm
  is ever deployed via a manifest here.
- ghcr.io/lukegus/termix uses a non-semver tag (release-1.11.0); watch
  whether Renovate categorizes its updates as minor/patch.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

admin-system/renovate.yaml

@@ -52,36 +52,80 @@ data:
       },
       "packageRules": [
         {
+          "description": "Default-deny everything",
           "matchPackageNames": ["*"],
           "enabled": false
         },
         {
+          "description": "Tier 1: enable updates for low-risk leaf apps",
           "matchPackageNames": [
             "ghcr.io/thomiceli/opengist",
             "louislam/uptime-kuma",
             "f0rc3/gokapi",
-            "docker.io/calcom/cal.com"
+            "docker.io/calcom/cal.com",
+            "advplyr/audiobookshelf",
+            "arcadiatechnology/crafty-4",
+            "codercom/code-server",
+            "ghcr.io/gethomepage/homepage",
+            "ghcr.io/headlamp-k8s/headlamp",
+            "prom/node-exporter",
+            "rommapp/romm",
+            "ghcr.io/stakater/reloader",
+            "privatebin/nginx-fpm-alpine",
+            "flomp/wanderer-db",
+            "flomp/wanderer-web",
+            "registry.k8s.io/kube-state-metrics/kube-state-metrics",
+            "ghcr.io/lukegus/termix"
           ],
           "enabled": true
         },
         {
+          "description": "Tier 1: automerge minor/patch after 3-day stability window",
           "matchPackageNames": [
             "ghcr.io/thomiceli/opengist",
             "louislam/uptime-kuma",
             "f0rc3/gokapi",
-            "docker.io/calcom/cal.com"
+            "docker.io/calcom/cal.com",
+            "advplyr/audiobookshelf",
+            "arcadiatechnology/crafty-4",
+            "codercom/code-server",
+            "ghcr.io/gethomepage/homepage",
+            "ghcr.io/headlamp-k8s/headlamp",
+            "prom/node-exporter",
+            "rommapp/romm",
+            "ghcr.io/stakater/reloader",
+            "privatebin/nginx-fpm-alpine",
+            "flomp/wanderer-db",
+            "flomp/wanderer-web",
+            "registry.k8s.io/kube-state-metrics/kube-state-metrics",
+            "ghcr.io/lukegus/termix"
           ],
           "matchUpdateTypes": ["minor", "patch"],
           "automerge": true,
+          "automergeType": "pr",
           "platformAutomerge": true,
-          "automergeType": "pr"
+          "minimumReleaseAge": "3 days"
         },
         {
+          "description": "Tier 1: major bumps require dashboard approval (no automerge)",
           "matchPackageNames": [
             "ghcr.io/thomiceli/opengist",
             "louislam/uptime-kuma",
             "f0rc3/gokapi",
-            "docker.io/calcom/cal.com"
+            "docker.io/calcom/cal.com",
+            "advplyr/audiobookshelf",
+            "arcadiatechnology/crafty-4",
+            "codercom/code-server",
+            "ghcr.io/gethomepage/homepage",
+            "ghcr.io/headlamp-k8s/headlamp",
+            "prom/node-exporter",
+            "rommapp/romm",
+            "ghcr.io/stakater/reloader",
+            "privatebin/nginx-fpm-alpine",
+            "flomp/wanderer-db",
+            "flomp/wanderer-web",
+            "registry.k8s.io/kube-state-metrics/kube-state-metrics",
+            "ghcr.io/lukegus/termix"
           ],
           "matchUpdateTypes": ["major"],
           "automerge": false,