docs: end-to-end installation guide and prerequisite gap fixes

[vigviswa]

Description

Add an end-to-end installation guide and fix documentation gaps that are blocking external customers from deploying Carbide.

Changes:

• New: book/src/manuals/installation-guide.md -- 10-step deployment guide following the validated sequence used by SA/engineering teams, linking to existing docs and filling gaps (REST component deploy order, Vault setup, troubleshooting)
• Updated: helm/PREREQUISITES.md -- Added Vault PKI configuration (forgeca mount, forge-cluster role, K8s auth, policies), AppRole/token generation steps, PostgreSQL user guidance, and Temporal section
• Updated: book/src/manuals/building_bmm_containers.md -- Added container image summary table, registry tagging/push instructions, and REST container build section
• Updated: book/src/manuals/site-setup.md -- Replaced nvcr.io/nvidian references with build-from-source instructions
• Updated: book/src/SUMMARY.md and README.md -- Added links to the new guide

Type of Change

• Add - New feature or capability
• Change - Changes in existing functionality
• Fix - Bug fixes
• Remove - Removed features or deprecated functionality
• [ x ] Internal - Internal changes (refactoring, tests, docs, etc.)

Related Issues (Optional)

Fixes #476

Breaking Changes

• This PR contains breaking changes

Testing

• Unit tests added/updated
• Integration tests added/updated
• Manual testing performed
• [x ] No testing required (docs, internal refactor, etc.)

Additional Notes

Overlaps with #479 on site-setup.md. This PR goes further by adding build-from-source links alongside the registry placeholder format. Based on real customer questions from partner deployments (Vault AppRole/token generation, PostgreSQL user setup, Temporal requirement, nvcr.io access).

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[vigviswa]

Pushed a commit to pass DCO check. Kindly review

[vigviswa]

Thanks for the approval. The DCO check is passing. The "verified signatures" requirement is blocking me from merging. I've set up GPG signing for future commits, but the existing ones in this PR aren't signed. Could you merge this on your end, or let me know if I should re-push with signed commits?

[ajf]

you have to re-push with verified commits, sorry it's a prodsec thing

[github-actions]

🔐 TruffleHog Secret Scan

✅ No secrets or credentials found!

Your code has been scanned for 700+ types of secrets and credentials. All clear! 🎉

🔗 View scan details

_{🕐 Last updated: 2026-03-13 22:29:05 UTC | Commit: 208b244}

[github-actions]

🛡️ Vulnerability Scan

🚨 Found 72 vulnerability(ies)
📊 vs main: 72 (no change)

Severity Breakdown:

• 🔴 Critical/High: 72
• 🟡 Medium: 0
• 🔵 Low/Info: 0

🔗 View full details in Security tab

_{🕐 Last updated: 2026-03-13 22:29:11 UTC | Commit: 208b244}

[github-actions]

This PR has been inactive for 30 days and will be closed soon.
Please push commits or comment to keep it open.

[ajf]

@vigviswa there's some conflicts here - we also probably want @Coco-Ben to review. But if you don't need this anymore, please close.

[vigviswa]

Closing this PR, as due to the docs migration, there have been many changes. Will provide feedback on #1190 & #1227