chore: remove dead pnpm-lockfile parsing utilities (#1231)

`socket pnpm` on main routes through `sfw` (Socket Firewall) via
`spawnSfwDlx`/`spawnSfw`; nothing in main's runtime reads or parses
the pnpm-lock.yaml itself. The three utility modules below were
exported but had zero production callers — only each other and their
unit tests.

Removed:
  * `packages/cli/src/utils/pnpm/lockfile.mts`
      exported: extractOverridesFromPnpmLockSrc,
                extractPurlsFromPnpmLockfile, isPnpmDepPath,
                parsePnpmLockfile, parsePnpmLockfileVersion,
                readPnpmLockfile, stripLeadingPnpmDepPathSlash,
                stripPnpmPeerSuffix.
  * `packages/cli/src/utils/socket/alerts.mts`
      exported: getAlertsMapFromPnpmLockfile, getAlertsMapFromPurls,
                and their option types.
  * `packages/cli/src/utils/ecosystem/spec.mts`
      exported: idToNpmPurl, idToPurl, resolvePackageVersion.

Also removed the accompanying unit-test files and a stale
`scanning.test.mts` whose header claimed to cover
`utils/pnpm/scanning.mts` (which doesn't exist) but actually
exercised the dead lockfile/alerts helpers.

Verified before deletion:
  * `grep -r` across `packages/cli/src` finds zero external imports
    of any symbol from the three modules — only the three files
    importing each other and their own tests.
  * `pnpm run type` clean.
  * `pnpm --filter @socketsecurity/cli run test:unit` — 339 files
    pass (was 343 — the 4 difference matches the deleted test files).

If a future flow needs pnpm-lockfile parsing in main, it should be
written fresh against the current architecture rather than resurrected
from this dead chain.

Author: jdalton