[User Story] Create R2 buckets for staging and prod sysext images #64

@noahwhite

Story Summary

As a platform maintainer, I want separate R2 buckets for each environment (dev, staging, prod), so that credentials are isolated and environment access is properly scoped.


✅ Acceptance Criteria

  • Create ghost-staging-sysext-images R2 bucket
  • Create ghost-prod-sysext-images R2 bucket
  • Configure public access for both buckets
  • Set up custom domain DNS records:
    • ghost-staging-sysext-images.separationofconcerns.dev
    • ghost-sysext-images.separationofconcerns.dev (prod uses short name)
  • Create separate R2 API tokens per bucket (one for each environment)
  • Store R2 credentials in Bitwarden with environment-prefixed names

📝 Additional Context

  • The dev bucket ghost-dev-sysext-images already exists
  • Separate buckets enable bucket-scoped R2 API tokens for security isolation
  • Each environment's credentials should be accessible only to that environment's pipelines
  • DNS records need to be added to Cloudflare via Terraform

📦 Definition of Ready

  • Acceptance criteria defined
  • No unresolved external dependencies
  • Story is estimated
  • Team has necessary skills and access
  • Priority is clear
  • Business value understood

✅ Definition of Done

  • All acceptance criteria met
  • Unit/integration tests written & passing
  • Peer-reviewed (PR approved)
  • Docs updated (if applicable)
  • Verified in staging (if needed)
  • No critical bugs/regressions
