Harden devops trusted input proof follow-ups#73

Merged
TacoRocket merged 3 commits into main from fix/devops-trusted-input-proof on Apr 7, 2026
Conversation

@TacoRocket
Owner

What changed

This follow-up tightens the DevOps trusted-input proof model that feeds chains deployment-path.

It improves evidence handling for:

  • cross-project and org-scoped Azure Artifacts feeds
  • secure-file use versus secure-file administration
  • cross-project template repositories
  • cross-project pipeline artifact producer control
  • deployment-path wording when only bounded trusted-input proof exists

Why it changed

deployment-path now has a stricter proof bar: high priority should be reserved for definition edit or proven trusted-input poisoning, and bounded states should stay bounded.

This patch closes several places where DevOps trusted-input proof needed to be more exact so deployment-path rows stay truthful about what is proven, what remains missing, and what the operator should review next.

User impact

Operators should get:

  • more accurate trusted-input proof for DevOps sources
  • better handling of cross-project references
  • less overstated wording for secure-file and artifact-backed paths
  • deployment-path follow-ups that stay aligned with the current proof boundary

Validation

  • python3 -m pytest -o cache_dir=/tmp/pytest-cache-codex tests/test_collectors.py tests/test_chain_semantics.py tests/test_terminal_ux.py
  • python3 -m pytest -o cache_dir=/tmp/pytest-cache-codex-smoke tests/test_cli_smoke.py
  • pre-push guardrail suite: 274 passed, 2 deselected
  • clean-context semantic review: no implementation-vs-plan drift found

@TacoRocket TacoRocket changed the title [codex] Harden devops trusted input proof follow-ups Harden devops trusted input proof follow-ups Apr 7, 2026
@TacoRocket TacoRocket marked this pull request as ready for review April 7, 2026 21:41
@TacoRocket TacoRocket merged commit 7534d0e into main Apr 7, 2026
5 of 6 checks passed
@TacoRocket TacoRocket deleted the fix/devops-trusted-input-proof branch April 7, 2026 21:42