* ci(preview): split PR image builds from trusted deploys
* ci(preview): harden preview artifact handoff
Move the preview image artifact into the trusted preview workflow as a no-secret build job, gate deployment on base-trusted workflow definitions, and keep Cloudflare credentials isolated to the deploy-only job.
Also fail closed when the pushed image reference is not written into wrangler.toml and expand the preview deploy guard to enforce the same-run artifact and permission boundaries.
* ci(preview): move preview builds out of privileged trigger
* ci(preview): avoid secret-shaped wrangler env assignments
* ci(preview): keep wrangler credential env explicit
* ci(preview): isolate deployment tooling
Keep PR preview source separate from the deployment toolchain by building a temporary deploy workspace from base-revision preview metadata and PR-owned source.
Add a focused CI guard so future preview workflow edits preserve the trusted tooling split.
* ci(preview): harden workflow guard checks
Address CodeRabbit feedback by making the preview deploy guard assertions collision-proof and more resilient to equivalent GitHub Actions expression and workspace path forms.
* ci(preview): normalize workflow guard paths
* ci(preview): defer workflow guard validation
* revert(preview): restore workflow guard validation
* ci(preview): gate preview deployments
