fix: harden trust edge truthfulness

[TacoRocket]

What Changed

This fixes several review findings across the completed Phase 1 through Phase 3 surfaces.

• hardens auth-policies so unreadable Conditional Access does not imply missing enforcement
• broadens role-trusts to enumerate readable Graph trust edges directly instead of only seeded principal-bound items
• makes workloads and related help wording stop implying Azure-managed hostnames are automatically reachable
• keeps unreadable optional storage child counts explicit instead of silently rendering them as zero
• makes storage output deterministic and refreshes the affected golden artifacts
• records a future follow-on note for explicit role-trusts scale modes

Why It Changed

The clean-context review pass found several cases where AzureFox could overstate what it truly knew from the current evidence path, plus one role-trusts scope gap where the implementation was narrower than the documented trust-edge boundary.

This change set brings the shipped behavior back in line with the roadmap's trustworthiness and partial-read expectations.

Impact

• auth-policies findings are now more truthful under partial Graph visibility
• role-trusts is broader and closer to the intended Phase 1 trust-edge scope
• workload/help wording is more precise about visible endpoint paths versus proven reachability
• storage output is clearer under partial reads and more stable for deterministic JSON consumers

Validation

• python3 -m ruff check src tests scripts
• PYTHONPATH=src python3 scripts/generate_schemas.py
• PYTHONPATH=src python3 -m pytest
• pre-push guardrail: 133 passed, 2 deselected

Follow-On

Recommend updating the sister repo now, before new Phase 3 follow-on depth lands, so it can catch up to the corrected evidence boundaries and wording at a stable checkpoint.