
Document prod-like oracle i001 fixture conflict triage#56

Merged
InfoSecHack merged 1 commit into main from codex/prodlike-oracle-i001-triage, Jun 5, 2026

Conversation

@InfoSecHack
Owner

Summary

  • Forensically triage the v3/current-main oracle-i-001 mismatch.
  • Record decision: fixture_should_change_to_make_row_truly_inconclusive.
  • Keep oracle expectation and comparator result unchanged: expected inconclusive, emitted blocked, category oracle_mismatch.
  • Link the new triage note from the v3 prod-like collect-and-compare checkpoint.

Evidence

  • Oracle row intends wildcard target resource-scope uncertainty.
  • Terraform currently attaches a permission boundary to uncertainty_probe.
  • Boundary allows only IAM read/list actions, creating complete-confidence blockers for lambda:CreateFunction and iam:PassRole.
  • Emitted finding fails no_boundary_blocks_lambda_create_function and no_boundary_blocks_passrole with complete-confidence boundary evidence.
  • This is documented as fixture/oracle expectation conflict, not automatically an IAMScope false positive and not an oracle correction to improve counts.

Validation

  • Focused oracle/comparator tests: 17 passed
  • Comparator rerun against /tmp/iamscope-prodlike-v3-collection/findings.json: completed
  • Comparator summary remains: oracle_match=5, oracle_mismatch=1, environmental_extra=12, unmapped_sandbox_extra=2, not_currently_live_comparable=14, unsupported_static_only=4
  • Targeted triage grep: passed
  • Account/ARN hygiene scans: clean
  • Terraform/raw artifact scan: clean
  • ./scripts/check.sh: passed
  • ./scripts/test_fast.sh: 1996 passed
  • git diff --check: passed
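The Evidence list above turns on one IAM mechanic: with a permissions boundary attached, a principal's effective permissions are the intersection of its identity policy and the boundary, so a boundary that allows only IAM read/list actions blocks lambda:CreateFunction and iam:PassRole outright, no matter how the identity policy is scoped. The following is an added Python illustration of that evaluation and of the resulting oracle_match/oracle_mismatch classification; it is not IAMScope's code, and the uncertainty_probe identity policy, the boundary statements, the "partial" confidence label and the evaluate/triage_row functions are all constructed for this example.

```python
"""Added illustration (not IAMScope's own code): why a permissions boundary
granting only IAM read/list turns the oracle row's intended wildcard-resource
uncertainty into a complete-confidence block."""
import fnmatch

# Constructed identity policy for a hypothetical uncertainty_probe role: the
# two probed actions on Resource "*", i.e. the resource-scope uncertainty the
# oracle row wants to exercise.
IDENTITY_POLICY = [
    {"Effect": "Allow",
     "Action": ["lambda:CreateFunction", "iam:PassRole"],
     "Resource": "*"},
]

# Constructed boundary modelled on the PR's description: IAM read/list only.
BOUNDARY_IAM_READ_ONLY = [
    {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _stmt_matches(stmt, action, resource):
    """IAM action names are case-insensitive; both fields accept '*' globs."""
    act_ok = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                 for p in _as_list(stmt.get("Action", [])))
    res_ok = any(fnmatch.fnmatchcase(resource, p)
                 for p in _as_list(stmt.get("Resource", [])))
    return act_ok and res_ok


def policy_allows(statements, action, resource="*"):
    """Simplified policy evaluation: an explicit Deny wins, then any Allow."""
    matched = [s for s in statements if _stmt_matches(s, action, resource)]
    if any(s["Effect"] == "Deny" for s in matched):
        return False
    return any(s["Effect"] == "Allow" for s in matched)


def evaluate(action, identity, boundary=None, resource="*"):
    """Return (verdict, confidence, evidence) for one probed action.

    With a boundary attached, effective permissions are the intersection of
    identity policy and boundary, so a boundary that does not allow the action
    blocks it with complete confidence whatever the identity policy says.
    Without one, an Allow on Resource "*" leaves the real target resource
    unknown, which is the 'inconclusive' outcome the oracle row expects.
    """
    if boundary is not None and not policy_allows(boundary, action, resource):
        return ("blocked", "complete",
                f"permissions boundary does not allow {action}")
    if not policy_allows(identity, action, resource):
        return ("blocked", "complete",
                f"identity policy does not allow {action}")
    allow_stmts = [s for s in identity
                   if s["Effect"] == "Allow" and _stmt_matches(s, action, resource)]
    if any("*" in _as_list(s["Resource"]) for s in allow_stmts):
        # "partial" is a constructed confidence label for this example.
        return ("inconclusive", "partial",
                f"{action} allowed on Resource '*': target scope unknown")
    return ("allowed", "complete", f"{action} allowed on {resource}")


def triage_row(action, expected, identity, boundary=None):
    """Comparator-style row: oracle expectation versus the emitted verdict."""
    verdict, confidence, evidence = evaluate(action, identity, boundary)
    return {"action": action, "expected": expected, "emitted": verdict,
            "confidence": confidence, "evidence": evidence,
            "category": "oracle_match" if verdict == expected else "oracle_mismatch"}


if __name__ == "__main__":
    for action in ("lambda:CreateFunction", "iam:PassRole"):
        # Current fixture (boundary attached): emitted blocked -> oracle_mismatch.
        print(triage_row(action, "inconclusive", IDENTITY_POLICY, BOUNDARY_IAM_READ_ONLY))
        # Fixture with the boundary removed: emitted inconclusive -> oracle_match.
        print(triage_row(action, "inconclusive", IDENTITY_POLICY))
```

Running it shows both rows as oracle_mismatch with boundary evidence while the boundary is attached, and as oracle_match once the boundary is gone, which is the sense in which the fixture, not the oracle expectation, is what should change. Real AWS evaluation also consults SCPs, session policies and resource-based policies; the example deliberately models only the identity-policy/boundary intersection the PR is about.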

@InfoSecHack InfoSecHack marked this pull request as ready for review June 5, 2026 01:33
@InfoSecHack InfoSecHack merged commit fa56501 into main Jun 5, 2026
6 checks passed
@InfoSecHack InfoSecHack deleted the codex/prodlike-oracle-i001-triage branch June 5, 2026 01:33
