Disable transient runner registration apply

[cbusillo]

Summary

• disables the live runner registration apply shortcut that started run.sh from inside a GitHub Actions job
• makes ready runner registration plans write a terminal failed audit requiring a supervised host maintainer before any token fetch or host command
• makes the manual registration workflow fail when the executor returns an unexpected failed status instead of uploading a green artifact
• documents the systemd/supervised maintainer plan and notes the offline cm-website proof runner was removed from GitHub inventory

Live cleanup

The offline cm-website-chris-testing proof runner was removed from cbusillo/odoo-tenant-cm-website with the GitHub API. Post-delete inventory showed zero runners for that repository.

Verification

• uv run --extra dev ruff format --check control_plane/cli_runner_lanes.py control_plane/workflows/runner_lane_registration_executor.py tests/test_runner_lane_registration.py
• git diff --check
• uv run --extra dev ruff check control_plane/cli_runner_lanes.py control_plane/workflows/runner_lane_registration_executor.py tests/test_runner_lane_registration.py
• uv run --extra dev mypy control_plane/cli_runner_lanes.py control_plane/workflows/runner_lane_registration_executor.py tests/test_runner_lane_registration.py
• uv run python -m unittest tests.test_runner_lane_registration (9 tests)
• uv run python -m unittest tests.test_runner_lane_registration tests.test_service tests.test_filesystem_store tests.test_postgres_store (602 tests)

Follow-up

Next work should implement a supervised runner maintainer: systemd-owned service, narrow root helper/sudo boundary, active service + GitHub online + baseline evidence before completed audit.