[codex] Add finding collection context

[InfoSecHack]

Summary

• Adds explicit per-finding collection_context to indings.json without changing reasoner verdict semantics.
• Threads collection and policy parse failure metadata from live collect and frozen-artifact replay into finding emission.
• Relates failures by source/target account or exact source/target ARN when possible, with deterministic coverage notes for global partial context.
• Regenerates byte-pinned expected findings fixtures for the intentional optional schema addition while preserving public account/ARN hygiene escaping.

Behavior

• Complete graph: graph_collection_complete: true, no related failures, empty notes.
• Partial graph: graph_collection_complete: false, failure booleans set, related structured failure records attached when source/target account or ARN matches.
• Verdicts are not mutated; validated findings can carry partial-data context.

Validation

• python -m pytest -q tests/test_findings_json.py tests/test_replay_findings.py → 49 passed
• python -m pytest -q tests/test_golden_findings.py → 42 passed
• ./scripts/check.sh → passed
• ./scripts/test_fast.sh → 2016 passed
• git diff --check → passed
• account/ARN hygiene scans → clean
• Terraform/raw artifact scan → clean