restricted_paths: refactor access log data

Summary:
## This stack
This stack moves restricted paths toward AclManifest-backed restriction lookup and Shadow-mode comparison logging while keeping existing `RestrictedPaths` public APIs and config-backed enforcement behavior stable. The end state is that path and manifest access checks can evaluate both the legacy config/manifest-id-store source and the new AclManifest source, log source-prefixed comparison results to Scuba, and still return config-authoritative authorization results while Shadow mode is being validated.

## This diff (no-op)
This diff factors restricted-path Scuba logging around internal log-data structs so that normal access logging and Shadow source-comparison logging can share the same field-writing path. The aggregate authorization fields stay optional in this diff, preserving the existing behavior where config-source errors still emit error-only Shadow comparison rows without top-level authorization fields.

Reviewed By: lmvasquezg

Differential Revision: D104058058

fbshipit-source-id: c50b697d54fa9250285b89b90d8d5dab86506896

Author: gustavoavena