Full ensure after config strip #243

@timtalbot

Parent: #208

Summary

After stripping control room fields from ptd.yaml, run a full ptd ensure of all steps to converge the entire workload to its severed state. This is simpler than cherry-picking individual steps and catches any hidden control room dependencies.

Context

The actual control room coupling points in code are:

| Connection | Ensure step | What changes |
| --- | --- | --- |
| Mimir password sync to control room | persistent | updateControlRoomMimirPassword is skipped |
| Alloy metrics remote_write to control room Mimir | helm | Alloy config regenerated without control_room block |

Confirmed non-issues: Loki logs are local-only (no control room shipping). Team Operator Helm values have no control room references. OIDC providers are self-contained per cluster. Cross-account IAM trust is not Pulumi-managed — handled via a customer-facing runbook.

Running all steps rather than just the affected ones is the safer approach and avoids maintaining a list of "affected steps" that could drift.

Note: lib/eject/control_room.go currently lists phantom couplings (Loki, Team Operator, OIDC) that don't exist in the codebase. This file should be updated to match reality as part of this work.

Requirements

  • Run full ptd ensure <target> (all steps) after config strip
  • --dry-run support: in dry-run mode, run ptd ensure <target> --dry-run to preview what Pulumi would change across all steps, without applying

Dependencies

Acceptance Criteria

  • Full ensure completes cleanly with empty control room config
  • All steps tolerate the absence of control room fields
  • Dry-run mode shows a preview of Pulumi changes without applying
