Add runner registration driver audit path

[cbusillo]

Summary

• Adds typed runner lane registration policy/request/plan/audit contracts with fail-closed blockers.
• Adds a GitHub registration-token adapter and a dry-run-first host executor that never persists token values.
• Adds a Launchplane service audit route, filesystem/Postgres persistence, migration, manual workflow, and docs for the runner-registration proof path.

Closes #1231.

Verification

• uv run python -m unittest tests.test_runner_lane_registration tests.test_filesystem_store tests.test_postgres_store tests.test_service (602 tests)
• uv run --extra dev ruff format --check ...changed Python files...
• uv run --extra dev ruff check ...changed Python files...
• uv run --extra dev mypy ...changed Python files...
• git diff --check
• uv run python -m unittest (2199 tests)

Live Proof Notes

This PR does not perform a live GitHub runner mutation. After merge/deploy, the cm-website proof should run in this order:

1. Add the scoped workflow authz grant for runner_lane_registration_audit.write on .github/workflows/runner-lane-registration.yml.
2. Configure the runner registration GitHub token secret for the workflow.
3. Dispatch runner-lane-registration.yml with mutate=false and inspect the service-backed audit record.
4. Dispatch with mutate=true only after the dry-run audit is reviewed and approved.