diff --git a/clusters/noble/apps/README.md b/clusters/noble/apps/README.md
new file mode 100644
index 0000000..8a3583d
--- /dev/null
+++ b/clusters/noble/apps/README.md
@@ -0,0 +1,7 @@
+# Argo CD — optional applications (non-bootstrap)
+
+**Base cluster configuration** (CNI, MetalLB, ingress, cert-manager, storage, observability stack, policy, Vault, etc.) is installed by **`ansible/playbooks/noble.yml`** from **`clusters/noble/bootstrap/`** — not from here.
+
+**`noble-root`** (`clusters/noble/bootstrap/argocd/root-application.yaml`) points at **`clusters/noble/apps`**. Add **`Application`** manifests (and optional **`AppProject`** definitions) under this directory only for workloads that are additive and do not subsume the Ansible-managed platform.
+
+For an app-of-apps pattern, use a second-level **`Application`** that syncs a subdirectory (for example **`optional/`**) containing leaf **`Application`** resources.
diff --git a/clusters/noble/apps/kustomization.yaml b/clusters/noble/apps/kustomization.yaml
index 7ed8a4f..8b13fe6 100644
--- a/clusters/noble/apps/kustomization.yaml
+++ b/clusters/noble/apps/kustomization.yaml
@@ -1,17 +1,6 @@
-# Plain Kustomize only (namespaces + extra YAML). Helm installs are driven by **ansible/playbooks/noble.yml**
-# (role **noble_platform**) — avoids **kustomize --enable-helm** in-repo.
+# Argo CD **noble-root** syncs this directory. Add **Application** / **AppProject** manifests only for
+# optional workloads that do not replace Ansible bootstrap (CNI, ingress, storage, core observability, etc.).
+# Helm value files for those apps can live in subdirectories here (for example **./homepage/values.yaml**).
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-
-resources:
- - kube-prometheus-stack/namespace.yaml
- - loki/namespace.yaml
- - fluent-bit/namespace.yaml
- - sealed-secrets/namespace.yaml
- - external-secrets/namespace.yaml
- - vault/namespace.yaml
- - kyverno/namespace.yaml
- - headlamp/namespace.yaml
- - grafana-loki-datasource/loki-datasource.yaml
- - vault/unseal-cronjob.yaml
- - vault/cilium-network-policy.yaml
+resources: []
diff --git a/clusters/noble/bootstrap/argocd/apps/README.md b/clusters/noble/bootstrap/argocd/apps/README.md
deleted file mode 100644
index 706feeb..0000000
--- a/clusters/noble/bootstrap/argocd/apps/README.md
+++ /dev/null
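Review bot: The new header comment in `clusters/noble/apps/kustomization.yaml` tells contributors to add **Application** / **AppProject** manifests to this directory but not that each file must also be listed under `resources:`, which the hunk leaves as `resources: []`. With a `kustomization.yaml` present Argo CD normally renders the path through Kustomize (unless `root-application.yaml`, not visible here, forces plain-directory mode), so an unlisted manifest would silently never sync; I would add `# List every Application / AppProject file under resources: — unlisted files are not rendered.` The rule that optional apps must not replace Ansible bootstrap is also enforced only by this comment. It would help to say that child Applications should reference an AppProject whose `destinations` exclude the Ansible-owned namespaces named in the removed list (`vault`, `kyverno`, `external-secrets`, `sealed-secrets`) and whose `clusterResourceWhitelist` is kept minimal, so a mistaken or unreviewed manifest in this path cannot overwrite them.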
@@ -1,17 +0,0 @@
-# Argo CD — app-of-apps children (optional GitOps only)
-
-**Core platform is Ansible-managed** — see repository **`ansible/README.md`** and **`ansible/playbooks/noble.yml`**.
-
-This directory’s **`kustomization.yaml`** has **`resources: []`** so **`noble-root`** (if applied) does not reconcile Helm charts or cluster add-ons. **Add `Application` manifests here only** for apps you want Argo to manage (for example, sample workloads or third-party charts not covered by the bootstrap playbook).
-
-| Previous (removed) | Now |
-|--------------------|-----|
-| **`noble-kyverno`**, **`noble-kyverno-policies`**, **`noble-platform`** | Installed by Ansible roles **`noble_kyverno`**, **`noble_kyverno_policies`**, **`noble_platform`** |
-
-If you previously synced **`noble-root`** with the old child manifests, delete stale Applications on the cluster:
-
-```bash
-kubectl delete application -n argocd noble-platform noble-kyverno noble-kyverno-policies --ignore-not-found
-```
-
-Then re-apply **`root-application.yaml`** so Argo matches this repo.
diff --git a/clusters/noble/bootstrap/argocd/apps/kustomization.yaml b/clusters/noble/bootstrap/argocd/apps/kustomization.yaml
deleted file mode 100644
index dc245a5..0000000
--- a/clusters/noble/bootstrap/argocd/apps/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-# Intentionally empty: core platform (CNI, ingress, storage, observability, policy, etc.) is
-# installed by **ansible/playbooks/noble.yml** — not by Argo CD. Add optional Application
-# manifests here only for workloads you want GitOps-managed.
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources: []
diff --git a/clusters/noble/apps/cert-manager/README.md b/clusters/noble/bootstrap/cert-manager/README.md
similarity index 100%
rename from clusters/noble/apps/cert-manager/README.md
rename to clusters/noble/bootstrap/cert-manager/README.md
diff --git a/clusters/noble/apps/cert-manager/clusterissuer-letsencrypt-prod.yaml b/clusters/noble/bootstrap/cert-manager/clusterissuer-letsencrypt-prod.yaml
similarity index 100%
rename from clusters/noble/apps/cert-manager/clusterissuer-letsencrypt-prod.yaml
rename to clusters/noble/bootstrap/cert-manager/clusterissuer-letsencrypt-prod.yaml
diff --git a/clusters/noble/apps/cert-manager/clusterissuer-letsencrypt-staging.yaml b/clusters/noble/bootstrap/cert-manager/clusterissuer-letsencrypt-staging.yaml
similarity index 100%
rename from clusters/noble/apps/cert-manager/clusterissuer-letsencrypt-staging.yaml
rename to clusters/noble/bootstrap/cert-manager/clusterissuer-letsencrypt-staging.yaml
diff --git a/clusters/noble/apps/cert-manager/kustomization.yaml b/clusters/noble/bootstrap/cert-manager/kustomization.yaml
similarity index 100%
rename from clusters/noble/apps/cert-manager/kustomization.yaml
rename to clusters/noble/bootstrap/cert-manager/kustomization.yaml
diff --git a/clusters/noble/apps/cert-manager/namespace.yaml b/clusters/noble/bootstrap/cert-manager/namespace.yaml
similarity index 100%
rename from clusters/noble/apps/cert-manager/namespace.yaml
rename to clusters/noble/bootstrap/cert-manager/namespace.yaml
diff --git a/clusters/noble/apps/cert-manager/values.yaml b/clusters/noble/bootstrap/cert-manager/values.yaml
similarity index 100%
rename from clusters/noble/apps/cert-manager/values.yaml
rename to clusters/noble/bootstrap/cert-manager/values.yaml
diff --git a/clusters/noble/apps/cilium/README.md b/clusters/noble/bootstrap/cilium/README.md
similarity index 100%
rename from clusters/noble/apps/cilium/README.md
rename to clusters/noble/bootstrap/cilium/README.md
diff --git a/clusters/noble/apps/cilium/values-kpr.yaml b/clusters/noble/bootstrap/cilium/values-kpr.yaml
similarity index 100%
rename from clusters/noble/apps/cilium/values-kpr.yaml
rename to clusters/noble/bootstrap/cilium/values-kpr.yaml
diff --git a/clusters/noble/apps/cilium/values.yaml b/clusters/noble/bootstrap/cilium/values.yaml
similarity index 100%
rename from clusters/noble/apps/cilium/values.yaml
rename to clusters/noble/bootstrap/cilium/values.yaml
diff --git a/clusters/noble/apps/external-secrets/README.md b/clusters/noble/bootstrap/external-secrets/README.md
similarity index 100%
rename from clusters/noble/apps/external-secrets/README.md
rename to clusters/noble/bootstrap/external-secrets/README.md
diff --git a/clusters/noble/apps/external-secrets/examples/vault-cluster-secret-store.yaml b/clusters/noble/bootstrap/external-secrets/examples/vault-cluster-secret-store.yaml
similarity index 100%
rename from clusters/noble/apps/external-secrets/examples/vault-cluster-secret-store.yaml
rename to clusters/noble/bootstrap/external-secrets/examples/vault-cluster-secret-store.yaml
diff --git a/clusters/noble/apps/external-secrets/namespace.yaml b/clusters/noble/bootstrap/external-secrets/namespace.yaml
similarity index 100%
rename from clusters/noble/apps/external-secrets/namespace.yaml
rename to clusters/noble/bootstrap/external-secrets/namespace.yaml
diff --git a/clusters/noble/apps/external-secrets/values.yaml b/clusters/noble/bootstrap/external-secrets/values.yaml
similarity index 100%
rename from clusters/noble/apps/external-secrets/values.yaml
rename to clusters/noble/bootstrap/external-secrets/values.yaml
diff --git a/clusters/noble/apps/fluent-bit/namespace.yaml b/clusters/noble/bootstrap/fluent-bit/namespace.yaml
similarity index 100%
rename from clusters/noble/apps/fluent-bit/namespace.yaml
rename to clusters/noble/bootstrap/fluent-bit/namespace.yaml
diff --git a/clusters/noble/apps/fluent-bit/values.yaml b/clusters/noble/bootstrap/fluent-bit/values.yaml
similarity index 100%
rename from clusters/noble/apps/fluent-bit/values.yaml
rename to clusters/noble/bootstrap/fluent-bit/values.yaml
diff --git a/clusters/noble/apps/grafana-loki-datasource/loki-datasource.yaml b/clusters/noble/bootstrap/grafana-loki-datasource/loki-datasource.yaml
similarity index 100%
rename from clusters/noble/apps/grafana-loki-datasource/loki-datasource.yaml
rename to clusters/noble/bootstrap/grafana-loki-datasource/loki-datasource.yaml
diff --git a/clusters/noble/apps/headlamp/README.md b/clusters/noble/bootstrap/headlamp/README.md
similarity index 100%
rename from clusters/noble/apps/headlamp/README.md
rename to clusters/noble/bootstrap/headlamp/README.md
diff --git a/clusters/noble/apps/headlamp/namespace.yaml b/clusters/noble/bootstrap/headlamp/namespace.yaml
similarity index 100%
rename from clusters/noble/apps/headlamp/namespace.yaml
rename to clusters/noble/bootstrap/headlamp/namespace.yaml
diff --git a/clusters/noble/apps/headlamp/values.yaml b/clusters/noble/bootstrap/headlamp/values.yaml
similarity index 100%
rename from clusters/noble/apps/headlamp/values.yaml
rename to clusters/noble/bootstrap/headlamp/values.yaml
diff --git a/clusters/noble/apps/kube-prometheus-stack/namespace.yaml b/clusters/noble/bootstrap/kube-prometheus-stack/namespace.yaml
similarity index 100%
rename from clusters/noble/apps/kube-prometheus-stack/namespace.yaml
rename to clusters/noble/bootstrap/kube-prometheus-stack/namespace.yaml
diff --git a/clusters/noble/apps/kube-prometheus-stack/values.yaml b/clusters/noble/bootstrap/kube-prometheus-stack/values.yaml
similarity index 100%
rename from clusters/noble/apps/kube-prometheus-stack/values.yaml
rename to clusters/noble/bootstrap/kube-prometheus-stack/values.yaml
diff --git a/clusters/noble/apps/kube-vip/kustomization.yaml b/clusters/noble/bootstrap/kube-vip/kustomization.yaml
similarity index 100%
rename from clusters/noble/apps/kube-vip/kustomization.yaml
rename to clusters/noble/bootstrap/kube-vip/kustomization.yaml
diff --git a/clusters/noble/apps/kube-vip/vip-daemonset.yaml b/clusters/noble/bootstrap/kube-vip/vip-daemonset.yaml
similarity index 100%
rename from clusters/noble/apps/kube-vip/vip-daemonset.yaml
rename to clusters/noble/bootstrap/kube-vip/vip-daemonset.yaml
diff --git a/clusters/noble/apps/kube-vip/vip-rbac.yaml b/clusters/noble/bootstrap/kube-vip/vip-rbac.yaml
similarity index 100%
rename from clusters/noble/apps/kube-vip/vip-rbac.yaml
rename to clusters/noble/bootstrap/kube-vip/vip-rbac.yaml
diff --git a/clusters/noble/bootstrap/kustomization.yaml b/clusters/noble/bootstrap/kustomization.yaml
new file mode 100644
index 0000000..7ed8a4f
--- /dev/null
+++ b/clusters/noble/bootstrap/kustomization.yaml
@@ -0,0 +1,17 @@
+# Plain Kustomize only (namespaces + extra YAML). Helm installs are driven by **ansible/playbooks/noble.yml**
+# (role **noble_platform**) — avoids **kustomize --enable-helm** in-repo.
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - kube-prometheus-stack/namespace.yaml
+ - loki/namespace.yaml
+ - fluent-bit/namespace.yaml
+ - sealed-secrets/namespace.yaml
+ - external-secrets/namespace.yaml
+ - vault/namespace.yaml
+ - kyverno/namespace.yaml
+ - headlamp/namespace.yaml
+ - grafana-loki-datasource/loki-datasource.yaml
+ - vault/unseal-cronjob.yaml
+ - vault/cilium-network-policy.yaml
diff --git a/clusters/noble/apps/kyverno/README.md b/clusters/noble/bootstrap/kyverno/README.md
similarity index 100%
rename from clusters/noble/apps/kyverno/README.md
rename to clusters/noble/bootstrap/kyverno/README.md
diff --git a/clusters/noble/apps/kyverno/namespace.yaml b/clusters/noble/bootstrap/kyverno/namespace.yaml
similarity index 100%
rename from clusters/noble/apps/kyverno/namespace.yaml
rename to clusters/noble/bootstrap/kyverno/namespace.yaml
diff --git a/clusters/noble/apps/kyverno/policies-values.yaml b/clusters/noble/bootstrap/kyverno/policies-values.yaml
similarity index 100%
rename from clusters/noble/apps/kyverno/policies-values.yaml
rename to clusters/noble/bootstrap/kyverno/policies-values.yaml
diff --git a/clusters/noble/apps/kyverno/values.yaml b/clusters/noble/bootstrap/kyverno/values.yaml
similarity index 100%
rename from clusters/noble/apps/kyverno/values.yaml
rename to clusters/noble/bootstrap/kyverno/values.yaml
diff --git a/clusters/noble/apps/loki/namespace.yaml b/clusters/noble/bootstrap/loki/namespace.yaml
similarity index 100%
rename from clusters/noble/apps/loki/namespace.yaml
rename to clusters/noble/bootstrap/loki/namespace.yaml
diff --git a/clusters/noble/apps/loki/values.yaml b/clusters/noble/bootstrap/loki/values.yaml
similarity index 100%
rename from clusters/noble/apps/loki/values.yaml
rename to clusters/noble/bootstrap/loki/values.yaml
diff --git a/clusters/noble/apps/longhorn/kustomization.yaml b/clusters/noble/bootstrap/longhorn/kustomization.yaml
similarity index 100%
rename from clusters/noble/apps/longhorn/kustomization.yaml
rename to clusters/noble/bootstrap/longhorn/kustomization.yaml
diff --git a/clusters/noble/apps/longhorn/namespace.yaml b/clusters/noble/bootstrap/longhorn/namespace.yaml
similarity index 100%
rename from clusters/noble/apps/longhorn/namespace.yaml
rename to clusters/noble/bootstrap/longhorn/namespace.yaml
diff --git a/clusters/noble/apps/longhorn/values.yaml b/clusters/noble/bootstrap/longhorn/values.yaml
similarity index 100%
rename from clusters/noble/apps/longhorn/values.yaml
rename to clusters/noble/bootstrap/longhorn/values.yaml
diff --git a/clusters/noble/apps/metallb/README.md b/clusters/noble/bootstrap/metallb/README.md
similarity index 100%
rename from clusters/noble/apps/metallb/README.md
rename to clusters/noble/bootstrap/metallb/README.md
diff --git a/clusters/noble/apps/metallb/ip-address-pool.yaml b/clusters/noble/bootstrap/metallb/ip-address-pool.yaml
similarity index 100%
rename from clusters/noble/apps/metallb/ip-address-pool.yaml
rename to clusters/noble/bootstrap/metallb/ip-address-pool.yaml
diff --git a/clusters/noble/apps/metallb/kustomization.yaml b/clusters/noble/bootstrap/metallb/kustomization.yaml
similarity index 100%
rename from clusters/noble/apps/metallb/kustomization.yaml
rename to clusters/noble/bootstrap/metallb/kustomization.yaml
diff --git a/clusters/noble/apps/metallb/namespace.yaml b/clusters/noble/bootstrap/metallb/namespace.yaml
similarity index 100%
rename from clusters/noble/apps/metallb/namespace.yaml
rename to clusters/noble/bootstrap/metallb/namespace.yaml
diff --git a/clusters/noble/apps/metrics-server/values.yaml b/clusters/noble/bootstrap/metrics-server/values.yaml
similarity index 100%
rename from clusters/noble/apps/metrics-server/values.yaml
rename to clusters/noble/bootstrap/metrics-server/values.yaml
diff --git a/clusters/noble/apps/newt/README.md b/clusters/noble/bootstrap/newt/README.md
similarity index 100%
rename from clusters/noble/apps/newt/README.md
rename to clusters/noble/bootstrap/newt/README.md
diff --git a/clusters/noble/apps/newt/namespace.yaml b/clusters/noble/bootstrap/newt/namespace.yaml
similarity index 100%
rename from clusters/noble/apps/newt/namespace.yaml
rename to clusters/noble/bootstrap/newt/namespace.yaml
diff --git a/clusters/noble/apps/newt/values.yaml b/clusters/noble/bootstrap/newt/values.yaml
similarity index 100%
rename from clusters/noble/apps/newt/values.yaml
rename to clusters/noble/bootstrap/newt/values.yaml
diff --git a/clusters/noble/apps/sealed-secrets/README.md b/clusters/noble/bootstrap/sealed-secrets/README.md
similarity index 100%
rename from clusters/noble/apps/sealed-secrets/README.md
rename to clusters/noble/bootstrap/sealed-secrets/README.md
diff --git a/clusters/noble/apps/sealed-secrets/examples/kubeseal-newt-pangolin-auth.sh b/clusters/noble/bootstrap/sealed-secrets/examples/kubeseal-newt-pangolin-auth.sh
similarity index 100%
rename from clusters/noble/apps/sealed-secrets/examples/kubeseal-newt-pangolin-auth.sh
rename to clusters/noble/bootstrap/sealed-secrets/examples/kubeseal-newt-pangolin-auth.sh
diff --git a/clusters/noble/apps/sealed-secrets/namespace.yaml b/clusters/noble/bootstrap/sealed-secrets/namespace.yaml
similarity index 100%
rename from clusters/noble/apps/sealed-secrets/namespace.yaml
rename to clusters/noble/bootstrap/sealed-secrets/namespace.yaml
diff --git a/clusters/noble/apps/sealed-secrets/values.yaml b/clusters/noble/bootstrap/sealed-secrets/values.yaml
similarity index 100%
rename from clusters/noble/apps/sealed-secrets/values.yaml
rename to clusters/noble/bootstrap/sealed-secrets/values.yaml
diff --git a/clusters/noble/apps/traefik/README.md b/clusters/noble/bootstrap/traefik/README.md
similarity index 100%
rename from clusters/noble/apps/traefik/README.md
rename to clusters/noble/bootstrap/traefik/README.md
diff --git a/clusters/noble/apps/traefik/namespace.yaml b/clusters/noble/bootstrap/traefik/namespace.yaml
similarity index 100%
rename from clusters/noble/apps/traefik/namespace.yaml
rename to clusters/noble/bootstrap/traefik/namespace.yaml
diff --git a/clusters/noble/apps/traefik/values.yaml b/clusters/noble/bootstrap/traefik/values.yaml
similarity index 100%
rename from clusters/noble/apps/traefik/values.yaml
rename to clusters/noble/bootstrap/traefik/values.yaml
diff --git a/clusters/noble/apps/vault/README.md b/clusters/noble/bootstrap/vault/README.md
similarity index 100%
rename from clusters/noble/apps/vault/README.md
rename to clusters/noble/bootstrap/vault/README.md
diff --git a/clusters/noble/apps/vault/cilium-network-policy.yaml b/clusters/noble/bootstrap/vault/cilium-network-policy.yaml
similarity index 100%
rename from clusters/noble/apps/vault/cilium-network-policy.yaml
rename to clusters/noble/bootstrap/vault/cilium-network-policy.yaml
diff --git a/clusters/noble/apps/vault/configure-kubernetes-auth.sh b/clusters/noble/bootstrap/vault/configure-kubernetes-auth.sh
similarity index 100%
rename from clusters/noble/apps/vault/configure-kubernetes-auth.sh
rename to clusters/noble/bootstrap/vault/configure-kubernetes-auth.sh
diff --git a/clusters/noble/apps/vault/namespace.yaml b/clusters/noble/bootstrap/vault/namespace.yaml
similarity index 100%
rename from clusters/noble/apps/vault/namespace.yaml
rename to clusters/noble/bootstrap/vault/namespace.yaml
diff --git a/clusters/noble/apps/vault/unseal-cronjob.yaml b/clusters/noble/bootstrap/vault/unseal-cronjob.yaml
similarity index 100%
rename from clusters/noble/apps/vault/unseal-cronjob.yaml
rename to clusters/noble/bootstrap/vault/unseal-cronjob.yaml
diff --git a/clusters/noble/apps/vault/values.yaml b/clusters/noble/bootstrap/vault/values.yaml
similarity index 100%
rename from clusters/noble/apps/vault/values.yaml
rename to clusters/noble/bootstrap/vault/values.yaml