Update documentation and playbook to clarify Trivy Operator installation via Argo CD, removing direct Ansible role references. Adjust README and related files to reflect the new deployment order and ensure proper resource ownership, enhancing overall clarity for users.

ansible/playbooks/noble.yml

@@ -4,8 +4,9 @@
 # Run from repo **ansible/** directory:  ansible-playbook playbooks/noble.yml
 #
 # Tags: repos, cilium, csi_snapshot, metrics, longhorn, metallb, kube_vip, traefik, cert_manager, newt,
-#       argocd, kyverno, kyverno_policies, platform, authentik, trivy, velero, landing, all (default)
+#       argocd, kyverno, kyverno_policies, platform, authentik, velero, landing, all (default)
 # Argo leaf **Application** CRs are applied in play **tasks:** after **noble_velero** (Ansible Helm first, then GitOps).
+# Trivy Operator is **not** installed here — sync **noble-trivy-operator** from Argo (app-of-apps) after deploy.
 - name: Noble cluster — platform stack (Ansible-managed)
   hosts: localhost
   connection: local
@@ -231,13 +232,11 @@
       tags: [platform, observability, apps]
     - role: noble_authentik
       tags: [authentik, sso, oauth, oidc]
-    - role: noble_trivy
-      tags: [trivy, security, scanning]
     - role: noble_velero
       tags: [velero, backups]
 
   tasks:
-    # Leaf Application CRs must exist only after all Ansible Helm in this play (platform, authentik, trivy, …)
+    # Leaf Application CRs must exist only after all Ansible Helm in this play (platform, authentik, velero, …)
     # so argocd-controller does not SSA resources before Helm owns them; then Argo can take over (manual → auto).
     - name: Apply Argo CD root / bootstrap / leaf Application manifests (post–Ansible Helm)
       ansible.builtin.include_role: