docs(deployments/basilica): tenant lifecycle README

Single reference for the multi-tenant provisioning surface introduced
in #224 / #225 / #228:

- Architecture (library / CLI / workflow split + why identity is
  caller-owned)
- Quick start (platform setup + first provision + subsequent lifecycle
  ops via repository_dispatch)
- Tenant config format (YAML schema, ${VAR} / ${VAR:-default}
  substitution rules, optional fields)
- Per-tenant secret injection (both trigger paths, masking, security
  caveats)
- Provider examples (OpenAI, OpenRouter, Anthropic, Gemini, Bedrock
  status)
- Lifecycle ops in detail (provision, status, update, deprovision)
- Update strategies (restart vs recreate + the Basilica
  freshly-provisioned k8s Deployment CR quirk surfaced during live
  testing)
- Operational notes (image publishing, GHCR public visibility,
  ML preload behaviour, orphan cleanup)
- Repo secrets reference
- Troubleshooting table
- File index with concrete file:line references

End-to-end evidence from the 2026-05-17 live verification (tenant
rd-018703, upstream override from OpenAI default to Gemini, proxy / now
serving Google's 404 HTML instead of OpenAI's welcome JSON) is recorded
under "Status" so a future reader can reproduce.

Author: epappas