
[codex] Respect unknown org membership in cross-account trust#68

Merged
InfoSecHack merged 1 commit into main from codex/cross-account-trust-org-membership-status on Jun 5, 2026
Conversation

@InfoSecHack
Owner

Summary

  • Updates cross_account_trust to prefer explicit org_membership_status over legacy org_member booleans.
  • Keeps member sources on the existing same-org severity downgrade path.
  • Keeps non-member sources on the confirmed external path.
  • Makes unknown org membership visible in trace, title, exit reason, and finding assumptions without wording it as confirmed external.
  • Adds pipeline-shaped tests using parser output plus _run_resolution and FactGraph.

Root Cause

After tri-state synthetic principal metadata was added, the cross-account trust reasoner still consumed legacy org_member semantics and used binary title wording. Unknown org membership could therefore be reported as an external cross-account trust in the finding title even though the verdict path was already conservative.

Validation

  • python -m pytest -q tests/integration/test_cross_account_org_membership_status.py tests/test_cross_account_reasoner.py tests/test_cross_account.py tests/resolver/test_org_membership_uncertainty.py tests/integration/test_full_pipeline_reasoner_verdicts.py tests/test_golden_findings.py
  • ./scripts/check.sh
  • ./scripts/test_fast.sh
  • git diff --cached --check
  • account/ARN hygiene scans
  • Terraform/raw artifact scan

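The tri-state resolution described in the summary, as an added example that is not the project's own code: `Principal`, `Finding`, the status strings, severity labels and exit-reason names are all assumptions chosen for illustration, not identifiers from the repository.

```python
# Added example (not from the project): prefer the explicit tri-state
# org_membership_status over the legacy org_member boolean, and keep
# "unknown" distinct from "confirmed external" in the finding wording.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Principal:
    account_id: str
    # Assumed tri-state values: "member" | "non_member" | "unknown" | None
    org_membership_status: Optional[str] = None
    # Legacy boolean; consulted only when the tri-state field is absent
    org_member: Optional[bool] = None


def resolve_membership(p: Principal) -> str:
    """Return the effective membership, never guessing beyond the data."""
    if p.org_membership_status in ("member", "non_member", "unknown"):
        return p.org_membership_status
    if p.org_member is True:
        return "member"
    if p.org_member is False:
        return "non_member"
    return "unknown"


@dataclass
class Finding:
    severity: str
    title: str
    exit_reason: str
    assumptions: List[str] = field(default_factory=list)


def evaluate_trust(source: Principal, base_severity: str = "high") -> Finding:
    """Map membership onto the three verdict paths from the PR summary."""
    acct = source.account_id
    status = resolve_membership(source)
    if status == "member":
        # Same-org source: downgrade severity (assumed level "medium").
        return Finding("medium", f"Same-org cross-account trust from {acct}",
                       "same_org_downgrade")
    if status == "non_member":
        return Finding(base_severity, f"External cross-account trust from {acct}",
                       "confirmed_external")
    # Unknown: stay conservative on severity, but do not word it as external.
    return Finding(base_severity,
                   f"Cross-account trust from {acct} (org membership unknown)",
                   "org_membership_unknown",
                   ["source org membership undetermined; treated as untrusted"])
```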
@InfoSecHack InfoSecHack marked this pull request as ready for review June 5, 2026 21:51
@InfoSecHack InfoSecHack merged commit 8436b73 into main Jun 5, 2026
6 checks passed
@InfoSecHack InfoSecHack deleted the codex/cross-account-trust-org-membership-status branch June 5, 2026 21:51