j7an · j7an · May 24, 2026 · May 24, 2026 · May 24, 2026 · May 24, 2026
diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md
@@ -30,8 +30,8 @@ A reusable workflow cannot reliably check out *its own* repo's scripts: in a `wo
 
 `scripts/*.sh` is the source of truth; the inline copy is a derived artifact. **Editing a script means updating its inline copy too**, or `check-inline-sync.sh` fails CI. The sync is byte-for-byte after known normalizations (10-space YAML indent strip, shebang strip, function-wrapper strip). The pairs are listed in `check-inline-sync.sh` (`INLINE_PAIRS`):
 
-- `dependency-cooldown.yml` embeds `extract-deps.sh`, `check-release-age.sh`, `diff-touches-lockfile.sh`, `pr-body-to-deps.sh`
-- `dependency-safety.yml` embeds the same four scripts plus `safety-verdict.sh`
+- `dependency-cooldown.yml` embeds `extract-deps.sh`, `check-release-age.sh`, `diff-touches-lockfile.sh`, `pr-body-to-deps.sh`, `classify-touched-paths.sh`, `pyproject-bump-extract.sh`
+- `dependency-safety.yml` embeds the same six scripts plus `safety-verdict.sh`
 - `tag-release.yml` embeds `bump-version-files.sh`
 
 `lint-workflow-call.sh` is the partner guard: it fails CI if any `workflow_call` file reintroduces a caller-scoped ref as a checkout `ref:`.

diff --git a/.github/workflows/dependency-cooldown.yml b/.github/workflows/dependency-cooldown.yml
diff --git a/.github/workflows/dependency-safety.yml b/.github/workflows/dependency-safety.yml
diff --git a/scripts/check-inline-sync.sh b/scripts/check-inline-sync.sh
@@ -23,6 +23,8 @@ INLINE_PAIRS=(
   ".github/workflows/dependency-safety.yml:scripts/safety-verdict.sh"
   ".github/workflows/dependency-safety.yml:scripts/classify-touched-paths.sh"
   ".github/workflows/tag-release.yml:scripts/bump-version-files.sh"
+  ".github/workflows/dependency-cooldown.yml:scripts/pyproject-bump-extract.sh"
+  ".github/workflows/dependency-safety.yml:scripts/pyproject-bump-extract.sh"
 )
 
 YAML_INDENT="          "  # exactly 10 spaces — matches the `run: |` indent

diff --git a/scripts/classify-touched-paths.sh b/scripts/classify-touched-paths.sh
@@ -29,6 +29,13 @@
 # unsupported and printed to stdout. Layer 2 (PR-body fallback) may still
 # recover deps from some of these for the scan loop, but the guard fires
 # because the diff parser cannot prove the scan was complete.
+#
+# pyproject.toml is path-level unsupported here and may be cleared by
+# scripts/pyproject-bump-extract.sh at the workflow composition layer
+# when its hunks are proven to be bump-only. This script remains
+# path-only and intentionally conservative; the final unsupported set
+# in the workflow is produced by composition, not by this classifier
+# alone.
 
 set -euo pipefail