Proposal: fix-scheduled-run-store-credential-injection

The 2026-06-09 incident: four connections were migrated env→store and verified green via MANUAL runs, but the scheduler's launch path (runtime/scheduler.ts::launchRun → runConnector) never consulted the encrypted per-connection credential store — only controller.runNow resolved staticSecretEnv. When the reference container was recreated without the old secret exports, compose ${VAR:-} mappings left the credential env vars as EMPTY STRINGS, and every scheduled static-secret run raised credentialsrequired ("github needs: GITHUBP..."), auto-cancelled, and reported connectorreportedfailed while valid store rows sat unread.

The reference implementation SHALL resolve a connection's static-secret credential from the encrypted per-connection store through one shared seam for every run-launch path — scheduled, retry, and manual. A run path SHALL NOT silently depend on process-global credential environment variables when the connection holds an active stored credential, and an empty-string environment variable value SHALL NEVER shadow a store-recovered value (the stored credential is merged last into the connector child environment).