Further downrank docs/tests/config findings by default

[EgemennSahin]

Problem

The agent repo lab found that docs/tests/config-like files can still appear with risk wording. They should remain visible for auditability, but they should not create action-required pressure unless the repo explicitly configures them as runtime prompt, scenario, or agent input.

Evidence from tested repos

From .agentdiff/agent-repo-lab/latest/report.md:

• vercel-labs/lead-agent: README.md was flagged as agent_entrypoint/docs_example with state_mutation and external_side_effect risk wording.

This is useful as a noise signal for agentdiff. It is not a claim that the external repo has a bug or vulnerability.

Proposed fix

Further downrank docs/tests/config findings by default:

• Keep them visible in reports.
• Prefer informational language for docs/examples/tests/config unless reachable from runtime agent code or explicitly configured.
• Preserve suppression suggestions with reason and expires.
• Avoid action-required severity for README/docs-only agent vocabulary unless stronger runtime evidence exists.

Acceptance criteria

• npm test passes.
• npm run lab:agent-repos still has 0 crashes.
• The cited vercel-labs/lead-agent README-style finding is lower pressure or clearly informational.
• Suppressed/low-confidence findings remain visible; they do not disappear silently.
• Runtime reachable high-risk tools are not downranked accidentally.

Non-goals

• Do not delete docs/test/config findings entirely.
• Do not add a complex suppression expression language.
• Do not accuse external repos of unsafe behavior.
• Do not require installs, API keys, or live model calls.