FLEX-WP-0007: production registry fixture, tests, and sync runbook

Add production_registry_snapshot.json from ops-warden inventory with CI
coverage for real actors, IAM subject binding, ttl_out_of_bounds, and
unknown_actor_resource. Extend serve contract tests with /healthz and
publish the registry sync contract for operator deployment.

examples/ops-warden/README.md

@@ -32,3 +32,18 @@ flex-auth check --registry examples/ops-warden/registry_snapshot.json --policy e
 
 The fixture public-key fingerprints are examples only. Do not put real keys,
 OpenBao tokens, or private signing material in these files.
+
+
+## Production Registry Fixture
+
+production_registry_snapshot.json is a non-secret fixture generated by
+ops-warden for FLEX-WP-0007 coverage. It mirrors the current production actor
+names used by ops-warden inventory and should be refreshed when that inventory
+changes.
+
+Validate both registries locally:
+
+    flex-auth load-registry --file examples/ops-warden/registry_snapshot.json
+    flex-auth load-registry --file examples/ops-warden/production_registry_snapshot.json
+
+The production sync contract is documented in docs/ops-warden-registry-sync.md.