Implement local oracle i001 fixture correction

[InfoSecHack]

Summary

• Implement the local-only oracle-i-001 fixture correction from Option A.
• Split the old shared uncertainty_probe Terraform source into:
  • uncertainty_resource_probe / uncertainty-resource-probe for wildcard resource-scope uncertainty with no permission boundary.
  • uncertainty_boundary_probe / uncertainty-boundary-probe for boundary/session uncertainty rows with the session-context boundary.
• Move oracle-i-001 comparator mapping to iamscope-prodlike-v1-uncertainty-resource-probe and keep expected behavior inconclusive.
• Update static oracle fixture support files, README notes, and focused tests.

Boundaries

• No live AWS.
• No Terraform apply/destroy/plan.
• No AWS CLI, STS, Lambda, or iam:PassRole calls.
• No reasoner changes.
• No new oracle rows, composite score, or pass/fail benchmark label.

Validation

• Focused prod-like oracle fixture / Terraform source / comparator tests: 35 passed
• terraform fmt -check in sandbox Terraform source: passed
• Synthetic local comparator CLI run: oracle-i-001 matched as inconclusive; no mismatches in the small local sample
• ./scripts/check.sh: passed
• ./scripts/test_fast.sh: 1999 passed
• git diff --check: passed
• Account/ARN hygiene scans: clean
• Terraform/raw artifact scan: clean