
Add AWS third-party trust fixtures #1520

Open

jddark62 wants to merge 1 commit into UnitOneAI:main from jddark62:improve/aws-thirdparty-fixtures-1330

Conversation


jddark62 commented Jun 6, 2026

Summary

Adds AWS-specific third-party AssumeRole trust evidence gates to aws-review.

This includes:

  • A third-party AWS trust evidence table covering trusted principal scope, ExternalId/source constraints, permission scope, session duration, last-used data, owner/contract evidence, Access Analyzer review, and offboarding status.
  • Not Evaluable reason codes for missing live role exports, ExternalId rotation evidence, service-principal source constraints, OIDC/SAML claim constraints, AssumeRole/session evidence, lifecycle records, and sensitive read-only exposure scope.
  • Report output fields for evidence confidence and Not Evaluable reasons.
  • Seven YAML calibration fixtures covering valid vendor ExternalId evidence, missing ExternalId, stale post-offboarding access, missing SourceArn/SourceAccount constraints, broad OIDC subjects, long vendor sessions, and sensitive read-only exposure.

Validation

  • git diff --check
  • Skill frontmatter YAML parse
  • Fixture YAML parse: 7 YAML blocks
  • Markdown fence balance check
  • Public-file privacy scan
  • AWS documentation references checked for confused deputy, third-party role access, and STS AssumeRole

/claim #1330

Payment details can be coordinated privately after maintainer acceptance.
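The four trust-policy gates in the summary that can be judged from a role export alone (ExternalId on cross-account principals, aws:SourceArn/aws:SourceAccount on service principals, OIDC subject scope, and session duration) lend themselves to a mechanical first pass before the evidence table is filled in by hand. The following is an added example, not code from this PR or the UnitOneAI repository: a Python checker that runs those gates over constructed role records shaped like trimmed `aws iam get-role` output. The reviewing account ID, the vendor and OIDC provider ARNs, the 3600-second session threshold, and the rule that treats a wildcard in the org/repo part of a GitHub-style `sub` claim as broad are all assumptions. Gates that need evidence from outside the policy (last-used data, owner/contract records, Access Analyzer findings, offboarding status) are not covered.

```python
import json

OWN_ACCOUNT = "111111111111"   # assumption: the account whose roles are under review
MAX_VENDOR_SESSION = 3600      # assumption: longest acceptable vendor session, seconds


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _conditions(stmt):
    """Yield (operator, lower-cased key, [values]) for every Condition entry."""
    for op, block in stmt.get("Condition", {}).items():
        for key, val in block.items():
            yield op, key.lower(), [str(x) for x in _as_list(val)]


def _account_of(principal):
    if ":" not in principal:
        return principal                  # bare 12-digit account ID form
    parts = principal.split(":")          # arn:partition:service:region:account:resource
    return parts[4] if len(parts) > 4 else ""


def _broad_subject(op, value):
    """Assumed rule: '*' alone, or a StringLike wildcard inside the first two
    colon-separated segments (the org/repo part of a GitHub 'repo:org/name:...'
    subject), is broad; a wildcard only in the ref part is not."""
    if value == "*":
        return True
    return op.lower().startswith("stringlike") and any("*" in s for s in value.split(":")[:2])


def check_role(role):
    """Return sorted (gate, subject) findings for one role record."""
    findings = []
    doc = role["AssumeRolePolicyDocument"]
    if isinstance(doc, str):              # some exports carry the policy as JSON text
        doc = json.loads(doc)
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(("trusted_principal_scope", "*"))
            continue
        conds = list(_conditions(stmt))
        keys = {k for _, k, _ in conds}
        # Cross-account AWS principals must carry an sts:ExternalId condition.
        for p in _as_list(principal.get("AWS", [])):
            if p == "*":
                findings.append(("trusted_principal_scope", p))
            elif _account_of(p) != OWN_ACCOUNT and "sts:externalid" not in keys:
                findings.append(("externalid_missing", p))
        # Service principals need aws:SourceArn/aws:SourceAccount (confused deputy).
        for svc in _as_list(principal.get("Service", [])):
            if not keys & {"aws:sourcearn", "aws:sourceaccount"}:
                findings.append(("service_source_constraint_missing", svc))
        # OIDC principals need a narrow subject claim on AssumeRoleWithWebIdentity.
        for fed in _as_list(principal.get("Federated", [])):
            if "sts:assumerolewithwebidentity" not in actions:
                continue
            subs = [(op, v) for op, k, vals in conds if k.endswith(":sub") for v in vals]
            if not subs or any(_broad_subject(op, v) for op, v in subs):
                findings.append(("oidc_subject_broad", fed))
    if role.get("MaxSessionDuration", 3600) > MAX_VENDOR_SESSION:
        findings.append(("session_duration_long", str(role["MaxSessionDuration"])))
    return sorted(findings)


def _role(principal, action, condition=None, max_session=3600):
    """Build a constructed role record; only the fields the checker reads are present."""
    stmt = {"Effect": "Allow", "Action": action, "Principal": principal}
    if condition:
        stmt["Condition"] = condition
    return {"MaxSessionDuration": max_session,
            "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [stmt]}}


# Constructed sample roles (assumed ARNs), one per gate plus a passing case for each side.
VENDOR = "arn:aws:iam::222222222222:root"
GITHUB_OIDC = "arn:aws:iam::111111111111:oidc-provider/token.actions.githubusercontent.com"
SAMPLE_ROLES = {
    "vendor_with_externalid": _role({"AWS": VENDOR}, "sts:AssumeRole",
                                    {"StringEquals": {"sts:ExternalId": "vendor-2026-03"}}),
    "vendor_missing_externalid": _role({"AWS": VENDOR}, "sts:AssumeRole", max_session=43200),
    "lambda_without_source": _role({"Service": "lambda.amazonaws.com"}, "sts:AssumeRole"),
    "oidc_org_wide_subject": _role({"Federated": GITHUB_OIDC}, "sts:AssumeRoleWithWebIdentity",
        {"StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/*"}}),
    "oidc_repo_and_branch": _role({"Federated": GITHUB_OIDC}, "sts:AssumeRoleWithWebIdentity",
        {"StringLike": {"token.actions.githubusercontent.com:sub":
                        "repo:example-org/app:ref:refs/heads/*"}}),
}


def review_all(roles=SAMPLE_ROLES):
    return {name: check_role(role) for name, role in roles.items()}


if __name__ == "__main__":
    for name, result in review_all().items():
        print(name, result or "no findings")
```

An empty result only means the policy-level gates passed; a role that passes here still needs the last-used, owner/contract and offboarding evidence the table asks for, and a missing `Condition` block on a real export is where the Not Evaluable reason codes apply, not a pass.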
