feat(skills/update-stack): drop ledger condition + auto-derive scan from tree roots

[PierreBrisorgueil]

Goal

Two coupled changes to /update-stack step 3ter drift gate:

1. Drop ledger condition — block on ANY shared non-test file divergence vs upstream devkit-node/master, no DOWNSTREAM_PATCHES.md exception.
2. Auto-derive scan from tree roots — replace hardcoded module list (modules/home auth users tasks uploads billing lib config/defaults) with modules lib config. Per-file git ls-tree on upstream already filters downstream-only files.

Why

User decision 2026-06-02 (see memory feedback_no_dev_in_shared_modules): drift in shared files must never happen, not be documented.

The hardcoded scan list silently missed modules/audit, modules/core, modules/organizations. Re-audit on trawl_node with corrected scan surfaced 1 undeclared drift (modules/core/doc/index.yml — trawl-specific OpenAPI tags).

Mirrors pierreb-projects/infra#37 (PRF Phase 0.5 gate) — same logic, this is the /update-stack-time enforcement counterpart.

Operational impact

• trawl_node /update-stack will BLOCK on modules/core/doc/index.yml until that drift is resolved (revert / promote-up / relocate per the 3 alternatives).
• Other downstreams (comes_node, montaine_node, pierreb_node, ism_node) — re-audit pending; may surface their own drifts.

Cross-refs

• Memory: feedback_no_dev_in_shared_modules
• Plan: infra/docs/superpowers/plans/2026-05-30-trawl-devkit-perfect-alignment.md Task E.2
• Sister PR (infra): pierreb-projects/infra#37 (merged)
• Original gate: feat(skills/update-stack): block on undeclared drift vs upstream #3760