CES-108: clarify registry-overlay auto-rollout docs

[cesaregarza]

Summary

• Clarifies that registry-overlay syncs auto-roll the control-plane Deployments through the CES-108 PostSync hook, so overlay-only changes no longer require a separate manual rollout step.
• Records the workload-identity secret-path boundary: token re-mints roll workload Deployments via agent-workloads-secrets, while the CP-read HMAC verify seed remains a rare operator rotation outside the overlay hook.
• Updates generated grant-ownership docs and helper-generated PR wording so future overlay PRs do not imply a manual CP restart.

Tests

• UV_CACHE_DIR=/tmp/uv-cache uv run python -m unittest tests.test_grant_ownership tests.test_workload_enablement
• UV_CACHE_DIR=/tmp/uv-cache uv run python scripts/generate_grant_ownership.py --check
• git diff --check
• UV_CACHE_DIR=/tmp/uv-cache uv run python -m unittest discover -s tests

Verification Note

• This PR addresses the CES-108 documentation and recorded-decision gaps only. The remaining Done gate is still live verification via the CES-113 registry-digest metric / next overlay-content sync; no live cluster action is performed here.

[cesaregarza]

Advise-review (operator-gated): low-risk docs refinement — one sequencing caveat.

This updates the docs + generator strings (docs/grant-ownership.md, docs/mandate-apply.md, the overlay README, and the grant_ownership.py/set_grant.py generators) to describe registry-overlay changes as auto-rolling the control-plane via the CES-108 PostSync hook, replacing the old 'requires a manual control-plane restart' language. The re-mint boundary is correctly preserved — overlay-only changes still don't move image/manifest/code digests and don't require token re-minting; the generated PR-body string and doc strings stay in sync.

Caveat before merge: CES-108 is still In Verification. These docs now assert the auto-rollout as current behavior ('no separate manual rollout step'), so they should land together with CES-108's live-verification rather than ahead of it — otherwise an operator trusting 'no manual restart' could skip a step the hook isn't yet confirmed to perform live. The pre-existing overlay README already referenced the PostSync hook, so this likely refines already-true text; just worth confirming the hook is deployed + verified (a good live-verify checkpoint for CES-108 itself: change an overlay key, sync, confirm the CP Deployments roll automatically). Docs-only, no authority surface — safe once that's confirmed.

[cesaregarza]

Updated this PR to address the sequencing caveat from review and the CES-154 live data point.

Changes after the rebase/amend:

• Docs no longer claim registry-overlay sync auto-rollout as already verified current behavior.
• The overlay README and generated grant/edit wording now say the CES-108 PostSync hook is the intended rollout path, but operators must confirm the Deployment rollout after sync and run a manual restart if the hook did not fire until CES-108 live verification closes.
• Future generated PR bodies now use overlay-only: verify CP rollout after sync, no re-mint instead of saying CP auto-rolls.

Validation after rebase onto current main:

• env UV_CACHE_DIR=/tmp/uv-cache-splattop uv run python -m unittest tests.test_grant_ownership tests.test_workload_enablement -> 11 passed
• env UV_CACHE_DIR=/tmp/uv-cache-splattop uv run python scripts/generate_grant_ownership.py --check -> passed
• env UV_CACHE_DIR=/tmp/uv-cache-splattop uv run python -m unittest discover -s tests -> 45 passed
• git diff --check origin/main..HEAD -> passed