Refactor noble.yml playbook to apply Argo CD Application manifests after all Helm roles, ensuring proper resource ownership and avoiding SSA conflicts. Update related documentation to reflect the new execution order and clarify the role of Argo CD in the deployment process.

ansible/roles/noble_argocd/tasks/applications_post_platform.yml

@@ -1,6 +1,7 @@
 ---
-# Run after **noble_platform** Helm + `kubectl apply -k clusters/noble/bootstrap` so leaf **Application**
-# CRs are not reconciled by Argo before **helm upgrade** (avoids SSA conflicts with **argocd-controller**).
+# Run from **ansible/playbooks/noble.yml** *after* roles **noble_platform**, **noble_authentik**, **noble_trivy**,
+# **noble_velero** (see play **tasks:**). Leaf **Application** CRs must not be reconciled before Ansible Helm
+# finishes, or **argocd-controller** can SSA resources without Helm release metadata (e.g. Trivy ServiceAccount).
 - name: Apply Argo CD root Application (app-of-apps)
   ansible.builtin.command:
     argv: