Repair Browser Credential Injection

Some active browser-backed account connections hold encrypted username_password credentials, but the static-secret injection registry either does not include the connector or expects an older credential shape. A run can therefore fail with missing process env vars while a valid per-connection stored credential sits unused. The owner-facing dashboard can then ask for reauth or credential repair when the reference needs a runtime mapping fix.

The reference implementation SHALL resolve a connection's static-secret credential from the encrypted per-connection store through one shared seam for every run-launch path — scheduled, retry, and manual. A run path SHALL NOT silently depend on process-global credential environment variables when the connection holds an active stored credential, and an empty-string environment variable value SHALL NEVER shadow a store-recovered value (the stored credential is merged last into the connector child environment).