wfctl refresh-outputs should update existing routed secrets when explicitly requested #641

@intel352

Description

Context

workflow-compute staging recovery exposed a gap in wfctl infra apply --refresh --refresh-outputs: prerequisite apply recreated/refreshed the hosted GitHub runner provider, but routed GitHub secrets already existed, so wfctl logged already exists — skipped and left COMPUTE_GITHUB_RUNNER_PROVIDER_URL stale.

That stale URL caused the server to keep calling the old provider app endpoint and the hosted runner smoke failed with App Platform upstream 503 during POST /v1/adapters/github-runner/registrations.

Expected

When the user explicitly asks for output refresh, routed output sinks should be reconciled, not treated like first-create-only bootstrap writes.

Scope

  • Define --refresh-outputs semantics for existing routed secrets.
  • Update existing GitHub secret values when the managed output value changed.
  • Keep normal/non-refresh applies conservative if preserving existing secret values is desired.
  • Add tests covering existing secret overwritten only in explicit refresh-output mode.

Invariants

  • --refresh-outputs updates stale routed outputs even when the secret/resource already exists.
  • Normal apply should not unexpectedly overwrite user-managed secret values unless the config/contract explicitly says it owns them.
  • Logs distinguish created, updated, unchanged, and skipped output routes.
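The following is an added illustration of the reconciliation semantics asked for above; it is not wfctl code, and the Route, State, Options and SecretSink names are assumptions made for the example. It encodes one fact a practitioner needs to keep in mind: the GitHub Actions secrets API lets a client list secret names and write values, but never read a value back, so "the managed output value changed" can only be decided against a locally stored fingerprint of what wfctl last wrote (the State map here), not against the remote secret. An existing secret with no fingerprint on record is treated as user-managed and is overwritten only in explicit --refresh-outputs mode or when the config declares ownership.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Action is the per-route outcome the logs should distinguish.
type Action string

const (
	Created   Action = "created"
	Updated   Action = "updated"
	Unchanged Action = "unchanged"
	Skipped   Action = "skipped"
)

// Route is one managed output routed to a GitHub secret (assumed shape).
type Route struct {
	Name  string // secret name in the target repo/org
	Value string // current managed output value, e.g. a provider URL
	Owned bool   // true when the config/contract says wfctl owns this secret
}

// Options mirrors the apply flag that matters here.
type Options struct {
	RefreshOutputs bool
}

// SecretSink abstracts the GitHub secrets API: names can be listed and values
// written, but values cannot be read back.
type SecretSink interface {
	Exists(name string) bool
	Put(name, value string) error
}

// State maps a route name to the SHA-256 of the last value wfctl wrote there.
// A secret that exists but has no entry was never written by wfctl.
type State map[string]string

func fingerprint(v string) string {
	sum := sha256.Sum256([]byte(v))
	return hex.EncodeToString(sum[:])
}

// Reconcile applies one route and reports what happened.
func Reconcile(sink SecretSink, st State, r Route, opts Options) (Action, error) {
	fp := fingerprint(r.Value)

	// First create is always allowed: bootstrapping a missing secret is safe.
	if !sink.Exists(r.Name) {
		if err := sink.Put(r.Name, r.Value); err != nil {
			return "", err
		}
		st[r.Name] = fp
		return Created, nil
	}

	// Secret exists and wfctl last wrote exactly this value: nothing to do,
	// even in refresh mode.
	if st[r.Name] == fp {
		return Unchanged, nil
	}

	// Secret exists but is stale, or was never written by wfctl. Overwrite
	// only on explicit refresh or declared ownership; otherwise preserve it.
	if !opts.RefreshOutputs && !r.Owned {
		return Skipped, nil
	}
	if err := sink.Put(r.Name, r.Value); err != nil {
		return "", err
	}
	st[r.Name] = fp
	return Updated, nil
}

// MemorySink is an in-memory stand-in for the GitHub API, used for the demo.
type MemorySink struct{ values map[string]string }

func NewMemorySink(existing map[string]string) *MemorySink {
	m := &MemorySink{values: map[string]string{}}
	for k, v := range existing {
		m.values[k] = v
	}
	return m
}

func (m *MemorySink) Exists(name string) bool      { _, ok := m.values[name]; return ok }
func (m *MemorySink) Put(name, value string) error { m.values[name] = value; return nil }

// Peek is demo/test-only; the real API has no way to read a secret back.
func (m *MemorySink) Peek(name string) string { return m.values[name] }

func main() {
	// Constructed scenario: the provider was recreated and the routed secret
	// still holds the old URL.
	sink := NewMemorySink(map[string]string{
		"COMPUTE_GITHUB_RUNNER_PROVIDER_URL": "https://old-provider.example",
	})
	st := State{}
	route := Route{Name: "COMPUTE_GITHUB_RUNNER_PROVIDER_URL", Value: "https://new-provider.example"}

	for _, opts := range []Options{{false}, {true}, {true}} {
		a, _ := Reconcile(sink, st, route, opts)
		fmt.Printf("refresh=%v %s -> %s (value now %s)\n", opts.RefreshOutputs, route.Name, a, sink.Peek(route.Name))
	}
}
```

Run stand-alone, the loop shows the three outcomes in order: a normal apply logs skipped and leaves the stale URL in place (the bug described in this issue), the first refresh apply logs updated and writes the new URL, and a second refresh apply logs unchanged. If keeping a fingerprint store is not wanted, the simpler alternative is to PUT unconditionally whenever --refresh-outputs is set, since writing a secret is idempotent; the cost is losing the created/updated/unchanged distinction in the logs.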

Metadata

Labels

No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests