Store OpenTofu state in self-hosted MinIO: S3 backend config, native locking, least-privilege policies, and guards against a CI apply that destroys infra.
