
Narrow merge train policy import authority #1078

Merged
shiny-code-bot merged 1 commit into main from narrow-merge-train-policy-import-authz on Jun 1, 2026

@shiny-code-bot
Collaborator

Summary

  • require dedicated merge_train.policy_import authority for /v1/merge-train/policies/import
  • seed that dedicated action for the manual Merge Train Policy Import workflow instead of broad self-deploy authority
  • document that merge-train policy import does not inherit Launchplane self-deploy authority
  • add regression coverage proving self-deploy authority cannot import merge-train policies

Refs #1049

Validation

  • uv run python -m unittest tests.test_service.LaunchplaneServiceTests.test_merge_train_policy_import_endpoint_writes_active_record tests.test_service.LaunchplaneServiceTests.test_merge_train_policy_import_endpoint_dry_run_does_not_write_record tests.test_service.LaunchplaneServiceTests.test_merge_train_policy_import_endpoint_rejects_self_deploy_authority tests.test_service.LaunchplaneServiceTests.test_merge_train_policy_import_endpoint_rejects_non_launchplane_product tests.test_product_onboarding.ProductOnboardingTests.test_launchplane_seed_import_workflow_owns_seed_writes
  • uv run --extra dev ruff check control_plane/service.py tests/test_service.py
  • bash -n scripts/deploy/ensure-authz-grants.sh
  • git diff --check
  • docker run --rm -v "$PWD:/repo" -w /repo rhysd/actionlint:1.7.7 -config-file .github/actionlint.yaml .github/workflows/deploy-launchplane.yml .github/workflows/merge-train-policy-import.yml
  • JetBrains changed-file inspection: clean

Operator note

Existing persisted broad authz policy rules are not removed by this PR, but /v1/merge-train/policies/import now ignores launchplane_service_deploy.execute and requires merge_train.policy_import.

@shiny-code-bot merged commit 64d9e37 into main on Jun 1, 2026
12 checks passed
@shiny-code-bot deleted the narrow-merge-train-policy-import-authz branch on June 1, 2026 14:15
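
The authorization change described in the summary and operator note above, sketched as an added example (not code from this PR or from Launchplane): the import route accepts only the exact merge_train.policy_import action, and a helper lists principals whose persisted grant is only the broad launchplane_service_deploy.execute and who are therefore rejected. The Grant shape, the route table, the per-product scoping and the principal names are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Route and action names are taken from the PR description above.
IMPORT_ROUTE = "/v1/merge-train/policies/import"
DEDICATED_ACTION = "merge_train.policy_import"
BROAD_ACTION = "launchplane_service_deploy.execute"

# Hypothetical table: each route is authorized by exactly one action.
REQUIRED_ACTION = {IMPORT_ROUTE: DEDICATED_ACTION}


@dataclass(frozen=True)
class Grant:
    """Hypothetical persisted authz rule (assumed shape)."""
    principal: str
    product: str
    action: str


def is_authorized(grants, principal, product, route):
    """Allow only an exact match on the route's dedicated action.

    Unknown routes are denied, and no other action (including the broad
    self-deploy one) is treated as implying the dedicated action.
    """
    required = REQUIRED_ACTION.get(route)
    if required is None:
        return False
    return any(
        g.principal == principal and g.product == product and g.action == required
        for g in grants
    )


def broad_only_principals(grants, product, route):
    """Principals holding the broad action but not the route's action.

    Their persisted rules still exist, yet the route rejects them.
    """
    required = REQUIRED_ACTION[route]
    broad = {g.principal for g in grants if g.product == product and g.action == BROAD_ACTION}
    narrow = {g.principal for g in grants if g.product == product and g.action == required}
    return sorted(broad - narrow)


# Constructed sample grants; principal names are illustrative only.
SAMPLE_GRANTS = [
    Grant("workflow:deploy-launchplane", "launchplane", BROAD_ACTION),
    Grant("workflow:merge-train-policy-import", "launchplane", DEDICATED_ACTION),
    Grant("workflow:legacy-import", "launchplane", BROAD_ACTION),
]
```

Running `broad_only_principals` over the persisted rules before rollout shows which identities need the dedicated action seeded, since their broad rules remain in place but no longer authorize the import route.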