chore(release): harden deploy-prod trigger and tag/ref guards #1279

@ggfevans

Parent

Part of #1276

Summary

Harden production deployment workflow triggers so prod deploys only occur from explicit release tags/approved release paths.

Problem

deploy-prod.yml supports workflow_dispatch; without strict guards, manual runs can bypass intended tag-driven release flow.

Acceptance Criteria

  • Add explicit guard that blocks deploy unless ref/tag matches allowed release pattern (v*).
  • Define and enforce behavior for manual dispatch (tag input validation and ref verification).
  • Ensure mutable tags (latest / persist) are only published from valid release context.
  • Add clear failure messaging when guard conditions are not met.
  • Document expected operational runbook for manual recovery vs normal releases.

Notes

This issue is about release safety, not changing deployment architecture.
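
One way to express the guard from the acceptance criteria as a shell function that a workflow step could call before deploying (an added example, not part of the original issue or the project's code). The `tag` dispatch input, the rule that a manual run must itself be on `refs/tags/<tag>`, and the tag character allow-list are assumptions; the `v*` pattern is the one named in the issue.

```shell
#!/usr/bin/env bash
# Added example: release guard for a prod deploy step (not the project's code).
# Arguments: event name, git ref, and the value of a hypothetical
# workflow_dispatch input called "tag" (empty for tag pushes).
# Prints a verdict and returns non-zero when the deploy must be blocked.
release_guard() {
  local event="$1"
  local ref="$2"
  local input_tag="${3:-}"
  local tag=""

  case "$event" in
    push)
      # Normal release path: the run must be on a tag ref.
      case "$ref" in
        refs/tags/*) tag="${ref#refs/tags/}" ;;
        *) echo "BLOCKED: push ref '$ref' is not a tag"; return 1 ;;
      esac ;;
    workflow_dispatch)
      # Manual path (assumed policy): the tag input is mandatory and the
      # run must have been started from that same tag.
      if [ -z "$input_tag" ]; then
        echo "BLOCKED: manual dispatch requires a tag input"; return 1
      fi
      if [ "$ref" != "refs/tags/$input_tag" ]; then
        echo "BLOCKED: ref '$ref' does not match tag input '$input_tag'"; return 1
      fi
      tag="$input_tag" ;;
    *)
      echo "BLOCKED: event '$event' may not deploy to prod"; return 1 ;;
  esac

  # Assumed allow-list: reject anything that is not a plain tag name.
  case "$tag" in
    *[!A-Za-z0-9._-]*) echo "BLOCKED: tag '$tag' has unexpected characters"; return 1 ;;
  esac
  # Release pattern from the issue: v*
  case "$tag" in
    v*) echo "OK: release tag $tag may deploy" ;;
    *) echo "BLOCKED: tag '$tag' does not match release pattern v*"; return 1 ;;
  esac
}

# Constructed sample runs: a tag push, then a manual run started from a branch.
release_guard push refs/tags/v1.4.0 || true
release_guard workflow_dispatch refs/heads/main v1.4.0 || true
```

In a workflow the step would pass `$GITHUB_EVENT_NAME` and `$GITHUB_REF` plus the dispatch input, and steps that publish `latest` / `persist` would run only after the guard returns zero.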
