
[codex] add prod-like sandbox lifecycle checkpoint#41

Draft
InfoSecHack wants to merge 1 commit into main from codex/prod-like-sandbox-lifecycle-checkpoint

Conversation

@InfoSecHack
Owner

Summary

  • add sanitized checkpoint for one controlled prod-like IAM sandbox Terraform apply/destroy lifecycle run
  • document 39 IAM-only resources added and 39 destroyed, with prefix cleanup checks returning no remaining IAM users, roles, or local policies
  • preserve explicit non-claims around IAMScope accuracy, oracle comparison, broad correctness, exploitability, production readiness, composite scoring, and pass/fail labels

Boundaries

  • docs-only
  • no Terraform commands run by Codex
  • no live AWS, AWS CLI, STS, Lambda, or iam:PassRole calls
  • no raw logs, Terraform state/lock/plan/output artifacts, account IDs, IAM ARNs, or raw AWS outputs committed

Validation

  • required checkpoint grep: passed
  • account/ARN hygiene greps: clean
  • Terraform/live artifact find scan: clean
  • ./scripts/check.sh: passed
  • ./scripts/test_fast.sh: 1923 passed
  • git diff --check: passed
  • git status --short: clean before commit except new checkpoint file
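The account/ARN hygiene greps and the required-checkpoint grep listed under Validation are the kind of check a reviewer would want to reproduce before accepting a sanitized checkpoint. The script below is an added illustration, not code from this PR or from the repository's own `./scripts/check.sh`: it flags bare 12-digit AWS account IDs and IAM ARNs in a checkpoint document and reports any expected marker phrases that are missing. The sample checkpoint text, the account ID and ARN in it, and the `DEFAULT_REQUIRED_MARKERS` phrases are all constructed for the example and are not the project's actual marker list.

```python
import re
import sys

# Constructed sample checkpoint text. The 12-digit account ID and the IAM ARN
# below are made-up values that exist only to exercise the checks.
SAMPLE_CLEAN = (
    "# Sandbox lifecycle checkpoint (sanitized)\n"
    "Plan: 39 to add, 0 to change, 0 to destroy.\n"
    "Destroy complete! Resources: 39 destroyed.\n"
    "Prefix cleanup: no remaining IAM users, roles, or local policies.\n"
    "Non-claims: nothing here asserts IAMScope accuracy or production readiness.\n"
)
SAMPLE_LEAKY = SAMPLE_CLEAN + (
    "Created arn:aws:iam::123456789012:role/sandbox-prefix-role\n"
    "Account: 123456789012\n"
)

# An AWS account ID is exactly 12 digits; the lookarounds stop a longer digit
# run (e.g. a timestamp) from matching in the middle.
ACCOUNT_ID_RE = re.compile(r"(?<!\d)\d{12}(?!\d)")
# IAM ARNs carry the account ID in the fourth field; the partition may be
# aws, aws-cn, aws-us-gov and so on.
IAM_ARN_RE = re.compile(r"arn:aws[a-z-]*:iam::\d{12}:\S+")

# Phrases a sanitized checkpoint is expected to carry. These are assumed
# markers for illustration, not the ones the project's check script uses.
DEFAULT_REQUIRED_MARKERS = ("Non-claims", "Prefix cleanup")


def find_hygiene_violations(text):
    """Return (kind, value) pairs for every IAM ARN or bare account ID in text.

    ARNs are reported once and then masked, so the account ID embedded in an
    ARN is not counted a second time as a bare account ID.
    """
    violations = [("iam_arn", m.group(0)) for m in IAM_ARN_RE.finditer(text)]
    remaining = IAM_ARN_RE.sub(" ", text)
    violations += [("account_id", m.group(0)) for m in ACCOUNT_ID_RE.finditer(remaining)]
    return violations


def missing_required_markers(text, markers=DEFAULT_REQUIRED_MARKERS):
    """Return the markers that do not appear in text (empty list means all present)."""
    return [m for m in markers if m not in text]


def check_checkpoint(text, markers=DEFAULT_REQUIRED_MARKERS):
    """Combine both checks; True only when text is free of leaks and carries every marker."""
    return not find_hygiene_violations(text) and not missing_required_markers(text, markers)


if __name__ == "__main__":
    # Usage: python checkpoint_hygiene.py docs/checkpoint.md ...
    # Exits non-zero if any file leaks an account ID / ARN or lacks a marker.
    paths = sys.argv[1:]
    if not paths:
        print("clean sample passes:", check_checkpoint(SAMPLE_CLEAN))
        print("leaky sample findings:", find_hygiene_violations(SAMPLE_LEAKY))
        sys.exit(0)
    ok = True
    for path in paths:
        with open(path, encoding="utf-8") as f:
            body = f.read()
        for kind, value in find_hygiene_violations(body):
            print(f"{path}: {kind}: {value}")
            ok = False
        for marker in missing_required_markers(body):
            print(f"{path}: missing required marker: {marker!r}")
            ok = False
    sys.exit(0 if ok else 1)
```

Run it with no arguments to see both samples evaluated, or pass checkpoint files to get a non-zero exit on any finding, which is what makes it usable as a pre-commit or CI gate. The account-ID pattern is deliberately narrow (exactly 12 digits, not part of a longer run) to keep false positives on timestamps and counters down; anything it still flags is cheap to review by hand.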
