[codex] Add full-pipeline verdict regressions

[InfoSecHack]

Summary

• Adds hermetic integration regressions built from pipeline-shaped AccountData / OrgData inputs.
• Covers PassRole Lambda iam:PassedToService glob handling, cross-account trust SCP filtering, dangling S3 bucket demotion, SCP source-account scoping, and frozen-artifact replay parity.
• Keeps the slice tests-only: no live AWS, Terraform, benchmark semantic changes, scores, or production claims.

Validation

• python -m pytest -q tests/integration/test_full_pipeline_reasoner_verdicts.py → 6 passed
• python -m pytest -q tests/test_passrole_lambda_reasoner.py tests/test_passrole_ecs_reasoner.py tests/test_cross_account_reasoner.py tests/test_s3_bucket_takeover_reasoner.py tests/test_scp_binder.py → 175 passed
• ./scripts/check.sh → passed
• ./scripts/test_fast.sh → 2005 passed
• git diff --check → passed
• account/ARN hygiene scans → clean
• Terraform/raw artifact scan → clean