
[CI] Allow verified Dependabot dependency PRs through PR Contract #231

@newtontech

Description

Problem

Dependabot PRs #216-#221 are all blocked only by the PR Contract / contract job while their substantive CI checks pass. The current contract requires every PR body to include Fixes|Closes|Resolves #<issue-number> plus test evidence. Dependabot-generated bodies do not naturally include repository issue references, so dependency-only maintenance PRs cannot pass even when build, tests, lint, security, and governance smoke checks are green.

Scope

Update .github/workflows/pr-contract.yml so dependency bot PRs can pass when they are dependency-only and otherwise covered by the normal CI matrix. Keep the existing issue-link and test-evidence requirements for human/agent feature work.

Acceptance Criteria

  • Dependabot PRs authored by dependabot[bot] can satisfy the contract without a Fixes #... issue link when their changed files are dependency/config/workflow maintenance files.
  • Human and agent PRs still require Fixes|Closes|Resolves #<issue-number>.
  • Code-changing PRs still require tests or an explicit no-test justification.
  • The contract prints clear evidence explaining why a Dependabot PR was exempted.
  • Add a local regression script or documented dry-run command so this behavior can be checked without waiting for GitHub Actions.

Current Evidence

Out of Scope

  • Do not weaken requirements for agent/human feature branches.
  • Do not auto-merge Dependabot PRs in this change.
  • Do not bypass security scans, lint, tests, or build checks.
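A local dry-run of the contract rules described above, added here as an illustration rather than the repository's own pr-contract.yml logic; the maintenance-file allowlist and the test-evidence phrases it matches are assumptions:

```shell
#!/bin/sh
# Added example, not the project's pr-contract.yml. Inputs: PR author login,
# PR body text, newline-separated list of changed files (as from the Git diff).

# Assumed allowlist of dependency/config/workflow maintenance paths.
is_maintenance_file() {
  case "$1" in
    package.json|package-lock.json|yarn.lock|pnpm-lock.yaml|go.mod|go.sum|\
    Cargo.toml|Cargo.lock|requirements*.txt|poetry.lock|Gemfile.lock|\
    .github/workflows/*|.github/dependabot.yml) return 0 ;;
    *) return 1 ;;
  esac
}

# 0 when every changed file is a maintenance file (and the list is non-empty).
all_maintenance_files() {
  [ -n "$1" ] || return 1
  printf '%s\n' "$1" | while IFS= read -r f; do
    is_maintenance_file "$f" || exit 1   # exits the pipeline subshell with 1
  done
}

# 0 when the body carries Fixes|Closes|Resolves #<issue-number>.
has_issue_link() {
  printf '%s\n' "$1" | grep -Eiq '(^|[^a-z])(fixes|closes|resolves) #[0-9]+'
}

# 0 when the body records test evidence or an explicit no-test justification
# (assumed phrasing; a real contract would define its own markers).
has_test_evidence() {
  printf '%s\n' "$1" | grep -Eiq '(tests?:|test evidence|no[- ]tests? (needed|required))'
}

# pr_contract AUTHOR BODY FILES -> exit 0 pass / 1 fail, printing the evidence line.
pr_contract() {
  author="$1"; body="$2"; files="$3"
  if [ "$author" = "dependabot[bot]" ] && all_maintenance_files "$files"; then
    echo "PASS: dependabot[bot] PR touches only dependency/config/workflow files; issue link waived"
    return 0
  fi
  if ! has_issue_link "$body"; then
    echo "FAIL: body must reference an issue with Fixes|Closes|Resolves #<issue-number>"; return 1
  fi
  if ! has_test_evidence "$body"; then
    echo "FAIL: body must describe tests run or justify their absence"; return 1
  fi
  echo "PASS: issue link and test evidence present"
}
```

Run it as `pr_contract "$PR_AUTHOR" "$PR_BODY" "$(git diff --name-only origin/main...HEAD)"` to check a branch without waiting for GitHub Actions.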
