Update ATVM status reporting and credential handling docs

- change ATVM status formatting to the approved Markdown-table template with SUMMARY:, HOSTS:, TIMING:, and NOTES:
- document that normal status requests print locally only unless explicitly asked to send to Mattermost
- document Mattermost defaults and posting rules, including only sending after full run completion
- document the controller-side systemd watcher design for future automation
- add the secrets migration/cleanup review doc
- ignore .env.credentials.local in git and reflect the move toward using that local credentials file instead of hardcoded secrets

atvm/docs/automation/guide.md

@@ -174,6 +174,19 @@ When asked for one VM or a VM set:
 - If monitoring was not requested, run commands and report execution success/failure and any errors.
 - If monitoring was requested, do not terminate processes automatically; only terminate if the operator explicitly instructs termination.
 
+## Mattermost Status Posting
+- Treat a normal ATVM status request as local-only output by default.
+- When the operator asks to send ATVM automation run status to Mattermost, use the local defaults from `/home/aw/code/cds/.env.credentials.local`.
+- Default Mattermost variables:
+  - `MATTERMOST_ATVM_WEBHOOK`
+  - `MATTERMOST_ATVM_CHANNEL`
+- Treat these as the default destination for ATVM automation run-status posts unless the operator explicitly overrides them.
+- Send the final ATVM run status only after the run has fully completed, regardless of whether the run passed or failed.
+- Do not send interim or in-progress ATVM run status updates to Mattermost unless the operator explicitly asks for that.
+- Use the same ATVM status layout that would be shown to the operator locally when posting to Mattermost.
+- Default status template: `/home/aw/code/cds/atvm/docs/automation/status-template.md`
+- Do not post to Mattermost unless the operator explicitly asks for the run status to be sent there.
+
 ## Status Reporting Format
 When the operator asks for the status of an ATVM automation run, report in this order:
 1. Heading/title using the run `build_name`.
@@ -193,8 +206,11 @@ When the operator asks for the status of an ATVM automation run, report in this
 
 Status-report expectations:
 - Use the same display layout for every ATVM automation status response regardless of test type (`e2e`, `systemOS`, `reboot`, `migrateops`, and others).
+- Use `/home/aw/code/cds/atvm/docs/automation/status-template.md` as the default template for both local status output and Mattermost status posts.
+- The default ATVM status template uses Markdown tables for `SUMMARY:`, `HOSTS:`, and `TIMING:` and uses `NOTES:` for flat operator-facing notes.
 - Treat references to the "ATVM automation run" or "automation run" as referring to this ATVM folder workflow and the automation VM at `192.168.3.190`, not to Cirrus project operations such as the `atvm - cypress` project.
 - Treat a status request as a request for live status by default.
+- Unless the operator explicitly asks to send the status to Mattermost, print the status only in the local terminal response.
 - Use the live automation VM state when available.
 - If no automation is currently running, fall back to the most recent historical run artifacts and logs.
 - Prefer local automation evidence in this order: active runner processes, live automation-VM files, shell history for the last launch command, then historical reporter artifacts.
@@ -228,3 +244,4 @@ Status-report expectations:
 - Use `Notes` for extra context beyond the machine-specific same-line failure description.
 - Base the completion estimate on the full remaining machine count and recent per-machine runtime visible in the run log.
 - Make the estimate explicitly refer to completion of the entire remaining run, not only the current machine/spec.
+- When the operator also asks to send the status to Mattermost, send this same final status output to the configured Mattermost destination only after the run has fully completed.