Replace CiliumNetworkPolicies with Istio AuthorizationPolicies, point
the thelounge HTTPRoute at the istio-external gateway, and give each
workload a dedicated ServiceAccount for precise mTLS identity.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>