Narrow product onboarding apply authority

[shiny-code-bot]

Summary

• require dedicated product_onboarding.apply authority for /v1/product-onboarding/apply
• seed that dedicated action for the manual Launchplane Seed Import workflow instead of broad self-deploy authority
• document product onboarding and runtime key-safety as dedicated seed-import apply authorities
• add positive and negative endpoint coverage so broad self-deploy authority cannot apply product onboarding manifests

Refs #1049

Validation

• uv run python -m unittest tests.test_service.LaunchplaneServiceTests.test_product_onboarding_endpoint_writes_full_launchplane_owned_bundle tests.test_service.LaunchplaneServiceTests.test_product_onboarding_endpoint_rejects_self_deploy_authority tests.test_product_onboarding
• uv run --extra dev ruff check control_plane/service.py tests/test_service.py tests/test_product_onboarding.py
• bash -n scripts/deploy/ensure-authz-grants.sh
• git diff --check
• docker run --rm -v "$PWD:/repo" -w /repo rhysd/actionlint:1.7.7 -config-file .github/actionlint.yaml .github/workflows/deploy-launchplane.yml .github/workflows/launchplane-seed-import.yml
• JetBrains changed-file inspection: clean

Operator note

This prevents new seed-import product onboarding authority from riding on launchplane_service_deploy.execute. Any already-persisted broad authz policy rules remain a separate cleanup concern; this route now ignores that broad action for product onboarding apply.