refactor: reduce complexity of execute_safe_outputs in execute.rs

[github-actions]

What was complex

execute_safe_outputs in src/execute.rs had a cognitive complexity of 34 (threshold: 25), driven by:

1. A debug-logging block with an if !ctx.allowed_repositories.is_empty() branch directly in the function body
2. A deeply triply-nested if let tool_name / if let (executed, max) / if let Some(result) budget-enforcement block
3. A if result.is_warning() / else if result.success / else chain inside an already-nested match Ok arm
4. A minor for+if-let queued-entries loop adding additional nesting cost

What changed

Four focused helper functions were extracted — no logic was altered:

Helper	What it does
log_execution_context(safe_output_dir, ctx)	Emits Stage 3 startup debug logs, including the conditional allowed-repositories list
log_queued_entries(entries)	Logs each queued entry name at debug level before execution starts
enforce_budget(entry, budgets, total, i)	Flattens the triple if let nesting via ?-chaining; mutates the counter and returns Option<ExecutionResult>
log_and_print_entry_result(i, total, tool_name, result)	Handles the if/else if/else result-logging block extracted from the deeply-nested match arm

The main loop shrinks from ~70 lines to ~15 lines of straightforward sequencing.

Before / after complexity

	Complexity
Before	34 (flagged by clippy::cognitive_complexity)
After	below 25 (no longer flagged)

Verification

cargo test     # all 79 tests pass
cargo clippy --all-targets --all-features   # clean, no new warnings
cargo clippy ... -W clippy::cognitive_complexity   # execute.rs no longer appears

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• dev.azure.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "dev.azure.com"

See Network Configuration for more information.

Generated by Cyclomatic Complexity Reducer · ● 1.7M · ◷