cigen: GitLab renderer lacks plan-guard + per-phase scoped-secrets (parity with GHA/Jenkins/CircleCI) #812

@intel352

Description

Follow-up from #804.

cigen/render_gha.go implements two features the GitLab renderer (cigen/render_gitlab.go) does not:

  1. Plan-guard — GHA's writeApplyJob greps the plan for a replace/destroy of a protected resource and exits 1 (no `|| true` to swallow the failure). GitLab emits no such guard, so a GitLab-derived pipeline will apply a destructive plan to a protected resource.
  2. Per-phase scoped secrets — GHA branches the apply job's secret set on phase.Scoped (a scoped prereq phase binds only its own subset). GitLab always uses the plan-wide union, so a scoped phase's job gets every secret in the plan.
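As an added illustration (not cigen's own code), the two checks the GitLab apply job is missing, written in Go: a plan-guard that scans human-readable terraform plan output for protected resources being replaced or destroyed, and secret selection branched on whether the phase is scoped. The plan marker format, the function names and their signatures are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Assumed marker format in human-readable terraform plan output (address is group 1).
var destructive = regexp.MustCompile(`^\s*#\s+(\S+)\s+(must be replaced|will be destroyed)`)

// GuardPlan returns the protected addresses the plan would replace or destroy;
// a non-empty result means the apply job must exit 1 (never `|| true`).
func GuardPlan(plan string, protected []string) []string {
	prot := map[string]bool{}
	for _, p := range protected {
		prot[p] = true
	}
	hits, sc := []string(nil), bufio.NewScanner(strings.NewReader(plan))
	for sc.Scan() {
		if m := destructive.FindStringSubmatch(sc.Text()); m != nil && prot[m[1]] {
			hits = append(hits, m[1])
		}
	}
	return hits
}

// ApplySecrets returns the secrets a phase's apply job binds: the phase's own
// subset when scoped (phase.Scoped in cigen), else the deduplicated plan-wide union.
func ApplySecrets(scoped bool, own []string, all [][]string) []string {
	if scoped {
		return append([]string(nil), own...)
	}
	seen, union := map[string]bool{}, []string(nil)
	for _, phase := range all {
		for _, s := range phase {
			if !seen[s] {
				seen[s] = true
				union = append(union, s)
			}
		}
	}
	return union
}

func main() {
	plan := "  # aws_db_instance.main must be replaced\n  # aws_sqs_queue.q will be created\n" // constructed sample
	fmt.Println(GuardPlan(plan, []string{"aws_db_instance.main"})) // [aws_db_instance.main]
}
```

In the rendered GitLab job the guard would run between the plan and apply steps, failing the job on any hit rather than logging and continuing.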

As of #804, the new Jenkins and CircleCI renderers implement both (modeled on GHA). GitLab is now the only renderer missing them — a pre-existing gap, surfaced by the #804 adversarial design review and deliberately left out of #804's scope (jenkins/circleci).

Ask: bring render_gitlab.go to parity — carry the plan-guard into the apply job and branch the variables/secret source on phase.Scoped. Add the equivalent of render_gha_test.go's plan-guard + scoped-phase assertions to render_gitlab_test.go.

Effort: small (mechanical, mirrors the GHA renderer; no Analyze change).
