fix: limit unmanaged target scans to pattern roots

[shpoont]

Summary

• avoid full-home target walks when unmanaged discovery is enabled on broad targets (for example target: .)
• derive literal scan roots from configured unmanaged patterns and scan only those subtrees
• keep broad scans only for wildcard-first patterns that cannot be rooted
• add tests for prefix extraction, scope overlap, unreadable sibling directories, and outside-root safety
• update user docs to explain rooted scanning behavior

Validation

• go test ./...
• go test -tags=contract ./...
• go test -tags=integration ./...
• bash scripts/ci/run-static-checks.sh true
• bash scripts/ci/run-tests.sh unit linux true
• bash scripts/ci/run-tests.sh integration linux true
• bash scripts/ci/run-tests.sh contract linux true
• bash scripts/ci/coverage-aggregate.sh artifacts/coverage-unit.out artifacts/coverage-integration.out artifacts/coverage-contract.out artifacts/branch-metrics.json