Remove referencingWorkloads/referenceCount from config CRD statuses

[ChrisJBurns]

Summary

Removes the status.referencingWorkloads and status.referenceCount fields (and the References printer column) from the six config CRDs — MCPOIDCConfig, MCPAuthzConfig, MCPExternalAuthConfig, MCPTelemetryConfig, MCPWebhookConfig, MCPToolConfig — and deletes the watch/rebuild machinery that maintained them.

After the field-indexer rollout (#5599) and stale-scan removal (#5626), that denormalized list was kept fresh only to populate a kubectl printer column. It no longer backs deletion protection: the finalizer recomputes referrers live (findReferencingWorkloads) before allowing deletion. So the stored list was pure overhead — every workload change reconciled the config purely to refresh a count — and this removes it.

Completes the cleanup tracked in #5607.

⚠️ Breaking change

status.referencingWorkloads and status.referenceCount are removed from all six config CRDs. Anyone relying on these status fields for automated workflows — scripts, GitOps assertions, dashboards, or the kubectl get "References" column — will no longer find them. There is no replacement field; if you need the set of referrers, list the workloads and filter by their config-ref. For example:

# workloads referencing an MCPOIDCConfig named "my-oidc" in namespace ns:
kubectl -n ns get mcpservers,mcpremoteproxies,virtualmcpservers -o json \
  | jq -r '.items[] | select(.spec.oidcConfigRef.name=="my-oidc" or .spec.incomingAuth.oidcConfigRef.name=="my-oidc") | "\(.kind)/\(.metadata.name)"'
``` **Deletion protection is unchanged** (a config still cannot be deleted while a workload references it; it sets the `DeletionBlocked` condition).

## Large PR Justification

Large, mostly-deletion refactor that must land atomically: removing a CRD status field requires the type change, the controller changes, regenerated CRD manifests/deepcopy/docs, and the test updates to all move together or nothing compiles. It is **net −3810 lines** (140 / 3950); the size is duplicated tracking code and tests being deleted across six controllers and four envtest suites at once, not added complexity. Splitting per-config-type would produce six interdependent PRs that each leave the `controllers` package uncompilable in isolation.

<details>
<summary><strong>What changed</strong></summary>

- **API types** (`api/v1beta1/*`, `api/v1alpha1/types.go`): dropped both fields + the `+kubebuilder:printcolumn` "References" markers; regenerated `zz_generated.deepcopy.go`. Kept the `WorkloadReference` type (still returned by the deletion-check).
- **Controllers**: removed the `Reconcile` status-population paths, the workload `Watches` + their map handlers (they existed only to refresh the list), and the `workloadReferenceCount` helper. **Kept** `findReferencingWorkloads` + the field indexes for the on-demand finalizer deletion check, and the `DeletionBlocked` condition/message.
- **Comments**: updated the now-inaccurate "ReferencingWorkloads is maintained by the config controller" notes in the MCPServer/VirtualMCPServer/MCPRemoteProxy controllers.
- **Tests**: deleted unit + envtest specs that asserted the removed fields (tracking/prune/watch-handler); retained deletion-protection specs, rewritten to assert via the `DeletionBlocked` condition + object existence.
- **Generated**: regenerated the six config CRDs (`deploy/charts/operator-crds/...`) and `docs/operator/crd-api.md`.

</details>

## Type of change

- [ ] Bug fix
- [ ] New feature
- [x] Breaking change
- [x] Refactoring
- [ ] Documentation

## Test plan

- [x] `go build ./cmd/thv-operator/...` passes
- [x] `task operator-test` (full operator unit suite) passes
- [x] Config integration suites pass at the spec level, run individually under envtest: MCPOIDCConfig 29/29, MCPToolConfig, MCPExternalAuth, MCPTelemetryConfig 5/5 (the only failures were the known envtest `kube-apiserver` AfterSuite teardown flake under parallel load — 0 spec failures; clean on isolated re-run)
- [x] `golangci-lint` clean on changed packages (only the pre-existing `mcpserver_controller.go:1645` finding remains)
- [x] CRD manifests / deepcopy / `crd-api.md` regenerated and contain no `referencingWorkloads`/`referenceCount`/`References`

## Does this introduce a user-facing change?

Yes — see the breaking-change note above: two status fields and the `References` printer column are removed from the six config CRDs.

Generated with [Claude Code](https://claude.com/claude-code)

[codecov]

Codecov Report

❌ Patch coverage is 66.66667% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 70.32%. Comparing base (e7934ea) to head (b837630).

Files with missing lines	Patch %	Lines
...perator/controllers/mcpwebhookconfig_controller.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5631      +/-   ##
==========================================
+ Coverage   70.27%   70.32%   +0.04%     
==========================================
  Files         648      647       -1     
  Lines       66011    65738     -273     
==========================================
- Hits        46391    46231     -160     
+ Misses      16279    16159     -120     
- Partials     3341     3348       +7     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[ChrisJBurns]

Addressed the review findings (commits on top of the original three):

1. WorkloadRefsEqual dead code (MEDIUM) — removed the helper + its test; it was the orphaned guard whose callers this PR deleted (symmetric with the already-removed workloadReferenceCount).
2. Stale arch docs (MEDIUM) — updated the three docs/arch/09-operator-architecture.md references to drop referencingWorkloads and note referrers are recomputed on demand at deletion (finalizer + field-indexed lookup).
3. Missing block→unblock envtest (LOW) — added a create-ref → deletion-blocked (DeletionBlocked condition) → remove-ref → deleted transition spec to the MCPExternalAuthConfig suite (passes 35/35; allows up to 45s for the now-30s-requeue-driven unblock). Skipped MCPAuthzConfig — it has no integration suite and standing one up for this shared behavior is disproportionate; its handleDeletion blocking is unit-tested.
4. Empty Context blocks (LOW) — verified non-issue: the earlier commit removed whole Contexts (with setup), leaving no orphaned empty containers.
5. Lost kubectl "References" column (LOW) — accepted (keeping even a count would require restoring the removed watch apparatus); added a concrete kubectl ... | jq field-filter alternative to the PR description.