
[codex] Add org membership uncertainty to synthetic principals#67

Merged
InfoSecHack merged 1 commit into main from codex/org-membership-uncertainty on Jun 5, 2026

Conversation

@InfoSecHack
Owner

Summary

  • Adds explicit org_membership_status for trust-policy synthetic principals: member, non_member, or unknown.
  • Wires pipeline collection completeness into synthetic node resolution so absent accounts are confirmed non-members only for full-org collection.
  • Preserves legacy org_member / is_external fields, using None when membership is unknown instead of falsely asserting external/non-member.
  • Adds resolver and pipeline-shaped tests covering complete, partial, standalone, wildcard, external-account, IAMRole, and IAMUser synthetic nodes.

Root Cause

Synthetic principal nodes previously treated absence from known_account_ids as proof that an account was external/non-member. In partial, skipped, filtered, or standalone collection, that absence can mean the account was not collected or the org context is incomplete.

Validation

  • python -m pytest -q tests/test_cross_account.py tests/resolver/test_org_membership_uncertainty.py tests/test_cross_account_reasoner.py tests/test_pipeline.py tests/test_golden_findings.py
  • ./scripts/check.sh
  • ./scripts/test_fast.sh
  • git diff --check
  • account/ARN hygiene scans
  • Terraform/raw artifact scan
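The resolution rule the summary describes (absence from the known account set proves non-membership only when the whole org was collected; otherwise membership is unknown, and the legacy boolean fields become None rather than falsely asserting external) can be made concrete with a small resolver. The following is an added illustration, not code from this repository: the names CollectionScope, SyntheticPrincipal, resolve_membership and account_id_from_arn are assumptions, as are the 12-digit placeholder account IDs and the rule that a known account under standalone collection counts as a member (it is the collected account itself, so it is not external).

```python
"""Resolve org membership for a trust-policy principal under uncertainty.

Added example (not the project's own code). Class and function names are
assumptions; account IDs below are constructed placeholders.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional


class CollectionScope(Enum):
    FULL_ORG = "full_org"      # every account in the org was enumerated
    PARTIAL = "partial"        # some accounts were skipped, filtered, or failed
    STANDALONE = "standalone"  # single account collected, no org context


@dataclass(frozen=True)
class SyntheticPrincipal:
    arn: str
    account_id: Optional[str]
    org_membership_status: str      # "member" | "non_member" | "unknown"
    org_member: Optional[bool]      # legacy field; None when unknown
    is_external: Optional[bool]     # legacy field; None when unknown


def account_id_from_arn(arn: str) -> Optional[str]:
    """Return the account-id field of an ARN, or None when there is none.

    Wildcards ("*") and service principals ("ec2.amazonaws.com") carry no
    account, so they can never be confirmed as members or non-members.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return None
    return parts[4] or None


def resolve_membership(
    arn: str,
    known_account_ids: FrozenSet[str],
    scope: CollectionScope,
) -> SyntheticPrincipal:
    account_id = account_id_from_arn(arn)

    if account_id is None:
        # No account to compare against: wildcard or service principal.
        status = "unknown"
    elif account_id in known_account_ids:
        # Present in the collected set: a member (under STANDALONE this is the
        # collected account itself, treated as a member by assumption).
        status = "member"
    elif scope is CollectionScope.FULL_ORG:
        # Only a complete org enumeration lets absence prove non-membership.
        status = "non_member"
    else:
        # PARTIAL or STANDALONE: absence may just mean "not collected".
        status = "unknown"

    # Legacy booleans mirror the tri-state; None instead of a false assertion.
    org_member = {"member": True, "non_member": False}.get(status)
    is_external = None if org_member is None else not org_member

    return SyntheticPrincipal(
        arn=arn,
        account_id=account_id,
        org_membership_status=status,
        org_member=org_member,
        is_external=is_external,
    )


# Constructed sample data: two collected accounts, one uncollected one.
KNOWN = frozenset({"111111111111", "222222222222"})
ROLE_IN_ORG = "arn:aws:iam::111111111111:role/Deploy"
USER_ELSEWHERE = "arn:aws:iam::333333333333:user/bob"

if __name__ == "__main__":
    for scope in CollectionScope:
        for arn in (ROLE_IN_ORG, USER_ELSEWHERE, "*", "ec2.amazonaws.com"):
            p = resolve_membership(arn, KNOWN, scope)
            print(f"{scope.value:10} {arn:45} {p.org_membership_status:10} "
                  f"org_member={p.org_member} is_external={p.is_external}")
```

The point to keep in mind when consuming the legacy fields: a downstream rule that tests `if not principal.org_member:` will treat None as falsy and silently regress to the old "absent means external" behaviour, so callers should compare against `False` explicitly or read org_membership_status.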

@InfoSecHack InfoSecHack marked this pull request as ready for review June 5, 2026 21:34
@InfoSecHack InfoSecHack merged commit 7cbc53d into main Jun 5, 2026
6 checks passed
@InfoSecHack InfoSecHack deleted the codex/org-membership-uncertainty branch June 5, 2026 21:34

1 participant