Retire managed secret placeholders on config apply #1115

Merged: cbusillo merged 1 commit into main from discord-blue-managed-secret-cleanup, Jun 2, 2026
cbusillo (Owner) commented Jun 2, 2026

Summary

  • retire disabled runtime managed-secret placeholders from active runtime lookups after product-config writes the configured secret
  • make product-config fail closed if an existing configured duplicate would leave runtime key-safety ambiguous
  • preserve configured bindings during product onboarding seed re-imports and keep existing binding creation timestamps stable
  • document the placeholder-to-managed-secret lifecycle

Validation

  • uv run --extra dev ruff check control_plane/product_config.py control_plane/workflows/product_onboarding.py tests/test_runtime_environments.py tests/test_product_onboarding.py tests/test_product_onboarding_service.py
  • uv run --extra dev ruff format --check control_plane/product_config.py control_plane/workflows/product_onboarding.py tests/test_runtime_environments.py tests/test_product_onboarding.py tests/test_product_onboarding_service.py
  • uv run --extra dev mypy control_plane tests
  • npx --yes markdownlint-cli2 docs/secrets.md
  • uv run python -m unittest tests.test_runtime_environments tests.test_product_onboarding tests.test_product_onboarding_service
  • uv run python -m unittest (1,971 tests)

Review

  • Agent review found a real configured-duplicate gap in the first implementation; this PR now fails closed before writing if that post-apply state would be ambiguous.
  • Agent review also found created-at churn on onboarding re-import; this PR now preserves existing binding creation timestamps.

Follow-up after deploy

  • Configure the real DISCORD_TOKEN managed secret for discord-blue/prod through product-config/operator UI or a private local-operator source.
  • Re-run live-target-runtime dry-run/apply for discord-blue/prod.

@cbusillo cbusillo merged commit 1329f77 into main Jun 2, 2026
12 checks passed
@cbusillo cbusillo deleted the discord-blue-managed-secret-cleanup branch June 2, 2026 17:28
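
An added sketch, not code from this pull request or the project, of the lifecycle the summary describes: refuse the write when a configured duplicate exists, retire the placeholder from active lookups once the configured secret is written, and keep the creation timestamp stable on re-apply. The `Binding` record, its status values, the binding ids and both function names are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone


class AmbiguousSecretBinding(Exception):
    """More than one live binding would answer a lookup for the same key."""


@dataclass(frozen=True)
class Binding:  # hypothetical record shape, not the project's schema
    binding_id: str
    key: str
    status: str  # "placeholder", "configured" or "retired"
    created_at: datetime


def apply_configured_secret(bindings, binding_id, key, now):
    """Return the binding list after writing a configured secret for `key`."""
    # Fail closed before any write: another configured binding for this key
    # would leave two live answers once the placeholder is retired.
    if any(b.key == key and b.status == "configured" and b.binding_id != binding_id
           for b in bindings):
        raise AmbiguousSecretBinding(f"configured duplicate for {key}")
    previous = next((b for b in bindings if b.binding_id == binding_id), None)
    kept = []
    for b in bindings:
        if b.binding_id == binding_id:
            continue  # rewritten below
        if b.key == key and b.status == "placeholder":
            b = replace(b, status="retired")  # out of active lookups
        kept.append(b)
    # A re-apply keeps the original creation time instead of churning it.
    created = previous.created_at if previous else now
    return kept + [Binding(binding_id, key, "configured", created)]


def active_lookup(bindings, key):
    """Resolve the single live binding for `key`, or refuse."""
    live = [b for b in bindings if b.key == key and b.status != "retired"]
    if len(live) != 1:
        raise AmbiguousSecretBinding(f"{len(live)} live bindings for {key}")
    return live[0]


def demo():
    # Constructed sample state: one placeholder, then apply and re-apply.
    t0, t1, t2 = (datetime(2026, 1, d, tzinfo=timezone.utc) for d in (1, 2, 3))
    state = [Binding("ph-1", "DISCORD_TOKEN", "placeholder", t0)]
    state = apply_configured_secret(state, "cfg-1", "DISCORD_TOKEN", t1)
    state = apply_configured_secret(state, "cfg-1", "DISCORD_TOKEN", t2)
    return active_lookup(state, "DISCORD_TOKEN"), state
```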