fix: resolve 10 bugs across scripts

- manage_runner.sh: fix RUNNER_DEFAULT_IMAGE clobbering by renaming
  per-runner var to RUNNER_SECTION_IMAGE; .env fallback now works
- manage_runner.sh: render native runner config.yaml before registration
  so act_runner can read it during --config flag
- manage_runner.sh: add SSH credential validation for remote hosts
  (fail early with clear error instead of cryptic SSH failure)
- phase1/phase2: add UNRAID_DB_IP/FEDORA_DB_IP to conditional
  require_vars when DB_TYPE != sqlite3
- cleanup.sh: only clear manifest when all actions for host succeeded;
  failed actions are preserved for retry
- phase8_cutover.sh: strip empty environment: block from Caddy
  docker-compose when TLS_MODE=existing
- phase5_migrate_pipelines.sh, phase5_teardown.sh, phase9_teardown.sh:
  wrap cd+git in subshells so working directory is always restored
- phase3_post_check.sh: handle both string and numeric runner status
  from Gitea API (offline vs 2)
- configure_env.sh: fix TOTAL_PROMPTS base count (63->64) and move
  DB/repo count adjustments before their prompts are shown

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

phase9_teardown.sh

@@ -79,13 +79,14 @@ for repo in "${REPOS[@]}"; do
 
   if [[ -f "${CLONE_DIR}/.gitea/workflows/security-scan.yml" ]]; then
     rm -f "${CLONE_DIR}/.gitea/workflows/security-scan.yml"
-    cd "$CLONE_DIR"
-    git config user.name "Gitea Migration"
-    git config user.email "migration@gitea.local"
-    git add -A
-    git commit -q -m "Remove security scanning workflow (teardown)"
-    git_with_auth git push -q origin HEAD
-    cd "$SCRIPT_DIR"
+    (
+      cd "$CLONE_DIR"
+      git config user.name "Gitea Migration"
+      git config user.email "migration@gitea.local"
+      git add -A
+      git commit -q -m "Remove security scanning workflow (teardown)"
+      git_with_auth git push -q origin HEAD
+    )
     log_success "Removed security-scan.yml from ${repo}"
   fi