[codex] Add selected PassRole finding fixture for live binding #14

Merged: InfoSecHack merged 2 commits into main from local/passrole-live-binding-finding on Jun 3, 2026

@InfoSecHack
Owner

Summary

  • add a sanitized local fixture for selecting one IAMScope passrole_lambda finding/path for live-result binding
  • pin the selected generated finding ID, finding key, verdict, severity, source/target selector, and required check states
  • add focused tests that reconstruct the fixture into FactGraph, run the existing PassRoleLambdaReasoner, and verify the pinned finding and safety boundaries

Boundary

  • local fixture/test only
  • no live AWS, Terraform, AWS CLI, STS, Lambda API, or iam:PassRole calls
  • no new reasoners or benchmark semantic changes
  • no broad IAMScope correctness, broad PassRole correctness, exploitability, downstream authorization, production readiness, composite score, or pass/fail benchmark label claims

Selected finding

  • finding_id: 5e08bf418146ae29259115f672b8960bf3b38ce07ec5cd57c5638019e126dc50
  • pattern_id: passrole_lambda
  • expected_verdict: validated
  • severity: critical

Validation

  • python -m pytest -q tests/test_passrole_lambda_live_binding_fixture.py
  • grep proving no non-synthetic 12-digit account ids in the new fixture/test
  • ./scripts/check.sh
  • ./scripts/test_fast.sh
  • git diff --check

InfoSecHack marked this pull request as ready for review June 3, 2026 00:24
InfoSecHack merged commit 2bcbf9b into main Jun 3, 2026
6 checks passed
InfoSecHack deleted the local/passrole-live-binding-finding branch June 3, 2026 00:24
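
The Validation list mentions a grep proving that the fixture holds no non-synthetic 12-digit account IDs. One way to make that check repeatable is shown here as an added example, not code from this PR or the IAMScope repository. The allowlist of synthetic IDs, the function name and the sample fixture text are assumptions; the PR does not show which IDs the project treats as synthetic.

```python
import re

# Assumed allowlist: placeholder account IDs of the kind used in AWS docs.
# The project's actual synthetic IDs are not shown on the page.
SYNTHETIC_ACCOUNT_IDS = {"000000000000", "111122223333", "123456789012"}

# A 12-digit run that is not embedded in a longer alphanumeric token, so
# digit runs inside hex digests such as a finding_id are not reported.
ACCOUNT_ID_RE = re.compile(r"(?<![0-9A-Za-z])\d{12}(?![0-9A-Za-z])")


def find_non_synthetic_account_ids(text, allowed=SYNTHETIC_ACCOUNT_IDS):
    """Return (line_number, account_id) for every 12-digit ID not allowlisted."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in ACCOUNT_ID_RE.finditer(line):
            if match.group() not in allowed:
                hits.append((line_no, match.group()))
    return hits


# Constructed sample fixture text (not the project's fixture). The last ARN
# carries a constructed ID that is absent from the allowlist.
SAMPLE_FIXTURE = """\
{
  "finding_id": "5e08bf418146ae29259115f672b8960bf3b38ce07ec5cd57c5638019e126dc50",
  "source": "arn:aws:iam::123456789012:user/dev",
  "target": "arn:aws:iam::123456789012:role/lambda-exec",
  "note": "copied from arn:aws:iam::999988887777:role/admin"
}
"""

if __name__ == "__main__":
    for line_no, account_id in find_non_synthetic_account_ids(SAMPLE_FIXTURE):
        print(f"line {line_no}: non-synthetic account id {account_id}")
```

Because the pattern requires a non-alphanumeric boundary, an account ID glued directly onto letters or digits is not reported; tighten or loosen the lookarounds to match how the fixture formats its ARNs.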