
Move secret validation to compile-time for release builds#525

Closed
ChristianPavilonis wants to merge 1 commit into main from fix/runtime-secret-validation

Conversation

@ChristianPavilonis
Collaborator

Summary

  • Move placeholder secret rejection from an unconditional runtime gate to a compile-time check in build.rs that only fires for release builds, so cargo build --release fails fast if secrets have not been overridden.
  • Guard the runtime reject_placeholder_secrets() call with #[cfg(not(debug_assertions))] so debug/test builds work with the default trusted-server.toml placeholders without needing env var overrides.
  • Keep a runtime safety net for release builds while eliminating the DX friction of setting secrets for local development.

Changes

  • crates/common/build.rs: Add release-only reject_placeholder_secrets() call after merging settings (checks PROFILE == "release")
  • crates/common/src/settings_data.rs: Guard runtime reject_placeholder_secrets() with #[cfg(not(debug_assertions))]; update test to expect success in debug mode
  • crates/common/src/settings.rs: Update doc comment on validate_secret_key to describe new compile-time + runtime behavior

Closes

Closes #524

Test plan

  • cargo test --workspace — 669 passed
  • cargo clippy --all-targets --all-features -- -D warnings
  • cargo fmt --all -- --check
  • JS tests: cd crates/js/lib && npx vitest run — 272 passed
  • JS format: cd crates/js/lib && npm run format
  • Docs format: cd docs && npm run format
  • WASM build: cargo build --bin trusted-server-fastly --release --target wasm32-wasip1 (with secret env vars set)

Checklist

  • Changes follow CLAUDE.md conventions
  • No unwrap() in production code — use expect("should ...")
  • Uses tracing macros (not println!)
  • New code has tests
  • No secrets or credentials committed
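The two gates the summary above describes, as an added example that is not code from the trusted-server repository: a PROFILE-keyed check of the kind a build.rs would run, and a runtime net compiled in only when debug assertions are off. The names PLACEHOLDER_VALUES, MIN_SECRET_LEN, SecretError, sample_secrets and the two enforce_* functions are hypothetical, and the sample secret values are constructed; the real signature of reject_placeholder_secrets() is not shown on the page.

```rust
// Added example (not the trusted-server project's code). Models the PR's two gates:
// a build-time check keyed on Cargo's PROFILE, and a runtime net behind
// #[cfg(not(debug_assertions))]. All names below are hypothetical.
use std::collections::BTreeMap;

/// Marker values a checked-in default config might ship with (constructed for this example).
const PLACEHOLDER_VALUES: &[&str] = &["CHANGE_ME", "placeholder", "replace-me"];
/// Anything shorter than this cannot be a real key (assumed threshold).
const MIN_SECRET_LEN: usize = 16;

#[derive(Debug, PartialEq, Eq)]
pub enum SecretError {
    Placeholder { key: String },
    TooShort { key: String, len: usize },
}

/// Reject secrets that are still placeholders or too short. Every offending key is
/// reported, not just the first, so an operator can fix the config in one pass.
pub fn reject_placeholder_secrets(secrets: &BTreeMap<&str, &str>) -> Result<(), Vec<SecretError>> {
    let mut errors = Vec::new();
    for (&key, &value) in secrets {
        let trimmed = value.trim();
        if PLACEHOLDER_VALUES.iter().any(|p| trimmed.eq_ignore_ascii_case(p)) {
            errors.push(SecretError::Placeholder { key: key.to_string() });
        } else if trimmed.len() < MIN_SECRET_LEN {
            errors.push(SecretError::TooShort { key: key.to_string(), len: trimmed.len() });
        }
    }
    if errors.is_empty() { Ok(()) } else { Err(errors) }
}

/// The build.rs gate. Cargo exports PROFILE to build scripts as "release" for profiles
/// that inherit from `release` and "debug" otherwise. A build script would pass
/// `std::env::var("PROFILE")` here and `panic!` on Err so `cargo build --release` fails.
/// It should also emit `cargo:rerun-if-env-changed=<VAR>` for each secret override
/// variable; without that, changing the env var does not re-run the check.
pub fn enforce_at_build_time(profile: &str, secrets: &BTreeMap<&str, &str>) -> Result<(), Vec<SecretError>> {
    if profile == "release" { reject_placeholder_secrets(secrets) } else { Ok(()) }
}

/// The runtime safety net. `debug_assertions` follows the profile's `debug-assertions`
/// setting, which is a different knob from PROFILE: a release profile with
/// `debug-assertions = true` skips this gate but still hits the build.rs one, and a
/// dev-derived profile with `debug-assertions = false` does the opposite.
pub fn enforce_at_runtime(secrets: &BTreeMap<&str, &str>) -> Result<(), Vec<SecretError>> {
    #[cfg(not(debug_assertions))]
    {
        reject_placeholder_secrets(secrets)
    }
    #[cfg(debug_assertions)]
    {
        let _ = secrets; // placeholders are tolerated for local iteration
        Ok(())
    }
}

/// Settings as they might look after merging trusted-server.toml with env overrides
/// (constructed values; `overridden = false` leaves the placeholders in place).
pub fn sample_secrets(overridden: bool) -> BTreeMap<&'static str, &'static str> {
    let mut m = BTreeMap::new();
    m.insert("signing_key", if overridden { "k3b9Qw7tZp2LmX4vRa8Ys1Nc" } else { "CHANGE_ME" });
    m.insert("api_token", if overridden { "f0e1d2c3b4a5968778695a4b" } else { "placeholder" });
    m
}

fn main() {
    // Outside a build script PROFILE is normally unset, so this falls back to "debug".
    let profile = std::env::var("PROFILE").unwrap_or_else(|_| "debug".to_string());
    match enforce_at_build_time(&profile, &sample_secrets(false)) {
        Ok(()) => println!("profile {profile}: placeholders tolerated"),
        Err(e) => println!("profile {profile}: rejected {e:?}"),
    }
}
```

Two caveats a reviewer would raise against this design: the build.rs gate only sees the settings present on the build host, so a secret injected at deploy time passes or fails according to the builder's environment rather than production's; and because PROFILE and debug_assertions are set independently, a custom profile can satisfy one gate while skipping the other.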

Shift the reject_placeholder_secrets() check from an unconditional runtime
gate to a compile-time gate in build.rs for release builds, while keeping a
cfg-guarded runtime safety net. Debug/test builds now pass through with the
default trusted-server.toml placeholders, so developers no longer need env
var overrides for local iteration.
@ChristianPavilonis
Collaborator Author

Closing, just reverting the check.


Development

Successfully merging this pull request may close these issues.

Move placeholder secret validation to compile-time for release builds