refactor(scripts): move CI helpers out of scripts/ci-guards/

The 'Regression guards' loop step in ci.yml runs:
    for g in scripts/ci-guards/*.sh; do bash "$g"; done

Per the directory's own contract (scripts/ci-guards/README.md), every
script there MUST be runnable bare with no args / no env. Three files
violated that contract — they're helpers consumed by specific CI job
steps with arguments, not regression guards. They were misplaced.

Moved (git mv):
  scripts/ci-guards/vendor-e2e-skip-check.sh         → scripts/
  scripts/ci-guards/vendor-e2e-skip-allowlist.txt    → scripts/
  scripts/ci-guards/coverage-pr-comment.sh           → scripts/

Updated ci.yml call sites:
  - deploy-vendor-e2e job: bash scripts/vendor-e2e-skip-check.sh $LOG
  - go-build-and-test job: bash scripts/coverage-pr-comment.sh

Tightened scripts/vendor-e2e-skip-check.sh arg parse from a silent
default ('LOG=${1:-test-output.log}') to a mandatory-arg form
('LOG=${1:?usage: ...}') so misuse fails loud at parse time rather
than at the missing-file check.

Updated scripts/ci-guards/README.md contract to spell out the
guard-vs-helper distinction explicitly; lists current helpers under
scripts/ for future-author guidance.

Verified locally: 'for g in scripts/ci-guards/*.sh; do bash $g; done'
returns clean (22 guards pass) on HEAD post-move.

Closes the regression-guards-loop failure that surfaced in CI run
25192163943 (job 73864471346 'Frontend Build').

scripts/ci-guards/README.md

@@ -16,8 +16,11 @@ Every script in this directory MUST:
 1. Be exit-code 0 on a clean repo (no regression present).
 2. Be exit-code non-zero on regression, with a `::error::` annotation
    prefix so PR reviewers see the failing line in the GitHub Actions UI.
-3. Be runnable from repo root via `bash scripts/ci-guards/<id>.sh` —
-   no implicit `cd` requirement, no env-var requirement.
+3. **Be runnable from repo root via `bash scripts/ci-guards/<id>.sh`
+   with NO arguments and NO env-var requirements.** The CI loop step
+   (`for g in scripts/ci-guards/*.sh; do bash "$g"; done`) iterates
+   every `.sh` here without args; any script that requires an arg or
+   env var WILL fail in that loop.
 4. Carry a head-comment block matching the in-source justification
    from the original ci.yml entry: the audit-finding reference, the
    closure rationale, the exempt-surface list (if any).
@@ -25,6 +28,22 @@ Every script in this directory MUST:
 6. Produce no output on the happy path beyond a final
    `echo "<id>: clean."` confirmation line.
 
+### Helpers vs guards
+
+Scripts that consume input artifacts (a test-output log, a
+`coverage.out` file) or env vars (`PR_NUMBER`, `GH_TOKEN`) are
+HELPERS, not guards. They live in `scripts/`, NOT `scripts/ci-guards/`.
+
+Current helpers:
+- `scripts/vendor-e2e-skip-check.sh` — consumes `test-output.log`
+  arg from the deploy-vendor-e2e job
+- `scripts/coverage-pr-comment.sh` — consumes `coverage.out` +
+  `PR_NUMBER` + `GH_TOKEN` env from the go-build-and-test job
+- `scripts/check-coverage-thresholds.sh` — consumes `coverage.out`
+  + `.github/coverage-thresholds.yml`
+- `scripts/qa-doc-part-count.sh` + `scripts/qa-doc-seed-count.sh` —
+  invoked via `make verify-docs` pre-tag, not in CI
+
 ## Adding a new guard
 
 1. Drop a new `<id>.sh` in this directory with the head-comment block