Block MSIG mode with private registry and browser secrets auth

[timothyF95]

Summary

• Add shared validation that rejects --unsigned / --changeset when the resolved registry is off-chain (private registry).
• Add secrets-specific validation that also rejects multisig mode with --secrets-auth=browser.
• Wire checks into cre secrets (create, update, delete, list) and cre workflow (deploy, pause, activate, delete) before command execution.
• Multisig detection uses txn flags (--unsigned, --changeset), not owner type, since private registry finalization can overwrite owner type.