
Validate production config secrets #10

Closed
h1065153539-create wants to merge 2 commits into Soengkit:main from h1065153539-create:codex/config-production-secret-validation-20260620211452

@h1065153539-create

Summary

  • Adds production-only validation for required secrets in tools/config_generator.py.
  • Rejects empty or placeholder-like database.password, redis.password, and auth.jwt_secret values without printing secret values.
  • Adds --override-json so production callers and tests can provide real secret values before output is accepted.
  • Adds missing, placeholder, and valid secret fixtures plus unittest coverage, and documents the production behavior in operations notes.

Validation

  • python3 -m py_compile tools/config_generator.py tools/test_config_generator_secrets.py passed.
  • python3 -m unittest tools/test_config_generator_secrets.py -v passed.
  • CLI smoke confirmed default production config exits non-zero, placeholder values exit non-zero without leaking values, and valid overrides produce masked output.
  • Diagnostic artifacts included: diagnostic/build-4981a8ee.logd and diagnostic/build-4981a8ee.json.

Security

  • Error output lists only key names, not values.
  • Non-production config generation remains compatible.
  • Default masked output remains the default even for valid production overrides.

Closes #1
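
An added sketch of the check the description above outlines; it is not the code in tools/config_generator.py, which this page does not show. The three key names come from the summary, while the placeholder markers, the nested-dict config shape, the helper names and the sample values are assumptions made for the illustration.

```python
# Added illustration; not the project's tools/config_generator.py.
REQUIRED_SECRETS = ("database.password", "redis.password", "auth.jwt_secret")
# Assumed markers; the PR does not list which placeholder strings it rejects.
PLACEHOLDER_MARKERS = ("changeme", "change_me", "placeholder", "example", "todo")

def lookup(config, dotted_key):
    """Return the value at a dotted path, or None if any segment is missing."""
    node = config
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def deep_merge(base, override):
    """Apply an override document (as --override-json would supply) over base."""
    merged = dict(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = value
    return merged

def classify(value):
    """Return 'missing', 'placeholder', or None when the value is acceptable."""
    if not isinstance(value, str) or not value.strip():
        return "missing"
    if any(marker in value.lower() for marker in PLACEHOLDER_MARKERS):
        return "placeholder"
    return None

def validate_production_secrets(config, environment):
    """Return errors that name offending keys only; values never appear."""
    if environment != "production":
        return []  # non-production generation stays permissive
    found = ((key, classify(lookup(config, key))) for key in REQUIRED_SECRETS)
    return [f"{key}: {problem}" for key, problem in found if problem]

# Constructed sample input (not real credentials).
DEFAULTS = {"database": {"host": "db", "password": "changeme"},
            "redis": {"password": ""}, "auth": {}}
OVERRIDES = {"database": {"password": "k9$Qv7!rTz2pLm"},
             "redis": {"password": "Wf3#nB8yHs1dCe"},
             "auth": {"jwt_secret": "u5Yp0Zq4Ga7Xo2Ne9Rb6"}}
```

A caller would exit non-zero when the returned list is non-empty and print only those strings, so a rejected value never reaches logs or CI output.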

@Soengkit

Owner

Closing this PR because the linked fork issue is only a closed payout tracker for an already submitted upstream PR. This fork is not an active bounty intake or payment authority, and it is not accepting external submissions or payment details here.

@Soengkit closed this Jun 23, 2026

Development

Successfully merging this pull request may close these issues.

Payout tracking for upstream PR #442

2 participants