fix(safety): trigger guard on partial extraction

[j7an]

Summary

• Adds scripts/classify-touched-paths.sh: filters dependency-relevant paths down to those extract-deps.sh does NOT parse.
• Embeds the helper inline into dependency-cooldown.yml and dependency-safety.yml.
• Restructures the Layer 3 fail-loud guard into two composed conditions: unsupported paths touched (issue Fail-loud guard should fire on partial-extraction (mixed supported/unsupported lockfiles) #62) OR all touched paths supported but extraction yielded zero rows (issue fix(cooldown): extract-deps skips uv.lock & TOML lockfile bumps, silently marking scan clean #52, preserved).
• Adds bats unit coverage for the helper, chain integration tests for the guard's input values, and a static assertion for the workflow YAML guard ordering.

Why

A grouped Dependabot PR mixing a supported file (e.g. uv.lock) and an unsupported one (e.g. package-lock.json) was bypassing the existing fail-loud guard: DEPS_TSV was non-empty (from the supported file), so the guard's if [ -z DEPS_TSV ] gate skipped, and the unsupported file's dep-relevant changes were silently ignored — the gate could resolve to success and auto_merge_ok=true.

This is the same failure shape as #52 but for partial extraction rather than empty extraction.

Test plan

• bats tests/classify-touched-paths.bats (24 helper unit cases)
• bats tests/dep-guard-chain.bats (5 chain integration cases including Fail-loud guard should fire on partial-extraction (mixed supported/unsupported lockfiles) #62 repro)
• bats tests/guard-shape.bats (5 workflow YAML shape assertions)
• bats tests/ (full local suite)
• ./scripts/check-inline-sync.sh (12 OK lines)
• ./scripts/lint-workflow-call.sh

Fixes #62.