fix(security): harden central fleet checks

[JSONbored]

Summary

• Harden the central aio-fleet / required control-check path so manifest-only app repos are enforced by the aggregate required check.

What changed

• Add trusted validate-repo and verify-caller steps before app-controlled install/generator/pytest steps.
• Run trusted aio-fleet CLI checks from the control-plane checkout instead of the app checkout.
• Include PR integration tests when repos declare integration_pytest_args.
• Keep app-controlled steps on scrubbed environments.
• Expand pinned-action coverage to .yml, .yaml, action.yml, and action.yaml.
• Rebuild on non-dry-run registry publish instead of skipping based only on existing tags.
• Tighten XML/catalog path handling, derived path validation, GitHub token env mapping, and shared-version upstream digest selection.

Why

• The previous aggregate check was not equivalent to the removed app-local/security gates and could miss manifest-only workflow policy violations or mixed upstream digest fallback states.

Validation

• .venv/bin/python -m pytest -q -> 220 passed
• trunk check --no-progress --color=false -> passed
• actionlint .github/workflows/control-plane.yml -> passed
• tofu -chdir=infra/github fmt -check -> passed
• tofu -chdir=infra/github init -backend=false -input=false && tofu -chdir=infra/github validate -> passed
• PoC-shaped central check with malicious .github/workflows/pwn.yaml now fails with central_check_rc=1

Notes

• No registry push was performed locally; registry rebuild behavior is covered by unit tests.