Scope live target runtime sync to product expectations

[cbusillo]

Summary

• scope live-target-runtime desired env to the selected product profile lane's expected runtime keys and runtime managed-secret bindings
• require the legacy CLI apply-live-target path to provide --product so it cannot bypass product scoping
• evaluate runtime key-safety against matching global/context/instance runtime secret bindings and document the service boundary

Agent review fixes

• closed the CLI bypass by threading required product through the CLI wrapper
• moved Postgres schema setup inside close-safe try/finally blocks
• reused the canonical runtime key-safety environment classifier
• covered context-scoped runtime managed secrets in safety evaluation/tests
• updated service-boundary docs to say profile-declared keys are the sync boundary

Validation

• uv run --extra dev ruff check control_plane/live_target_runtime.py control_plane/service.py control_plane/cli_runtime_environments.py control_plane/cli.py tests/test_service.py tests/test_runtime_environments.py tests/test_dokploy.py
• uv run --extra dev ruff format --check control_plane/live_target_runtime.py control_plane/service.py control_plane/cli_runtime_environments.py control_plane/cli.py tests/test_service.py tests/test_runtime_environments.py tests/test_dokploy.py
• uv run --extra dev mypy control_plane tests
• npx --yes markdownlint-cli2 docs/secrets.md docs/service-boundary.md
• uv run python -m unittest (1,972 tests)