
refactor: move forge trust updates to lambda #324

Merged
edersonbrilhante merged 2 commits into main from move-forge-trust-updates-to-lambda on Jun 5, 2026

Conversation

@edersonbrilhante


Description

Split Forge trust validation into a two-Lambda flow to allow IAM trust policy propagation before validation runs.

The scheduled preparer Lambda updates Forge role trust policies to temporarily allow the validator Lambda role to assume them, verifies the trust policy update is visible, and sends a delayed SQS message. The validator Lambda is invoked from SQS, assumes each Forge role, validates tenant role assume/tag-session behavior, and removes the temporary trust statement after each run.

This moves the temporary trust relationship mutation out of Terraform to prevent noisy applies. Terraform was repeatedly detecting Forge trust policy drift because the validator change was temporary and Forge/Terraform kept trying to override the IAM role trust policy back to the declared state.

This also updates shared Splunk extraction/dashboard config for the new Lambda names and the new delayed validation log payload.

Type of Change

  • Bug Fix
  • New Feature
  • Breaking Change
  • Refactor
  • Documentation
  • Other (please describe)

Checklist

  • I have read the contributing guidelines
  • Existing issues have been referenced (where applicable)
  • I have verified this change is not present in other open pull requests
  • Functionality is documented
  • All code style checks pass
  • New code contribution is covered by automated tests
  • All new and existing tests pass
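The add, verify and remove steps that the description assigns to the preparer and validator Lambdas, written out as pure trust-policy transformations. This is an added example, not code from this PR or the project; the validator role ARN, the marker Sid and the policy shapes are assumptions, and the surrounding iam.get_role / iam.update_assume_role_policy calls are not shown.

```python
"""Trust-policy helpers for the preparer/validator split: add the temporary
statement, confirm it is visible on re-read, remove it afterwards.
Added example, not the project's code; ARN and Sid are placeholders."""
import copy

VALIDATOR_ROLE_ARN = "arn:aws:iam::123456789012:role/forge-trust-validator"  # constructed
TEMP_SID = "ForgeTrustValidatorTemporary"  # assumed marker for the temporary grant


def _statements(policy):
    """IAM accepts a single statement object or a list; always return a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def add_temporary_trust(policy, principal_arn=VALIDATOR_ROLE_ARN):
    """Preparer side: copy of the trust policy with the temporary statement added.
    Idempotent (marker Sid never duplicated); declared statements untouched."""
    new_policy = copy.deepcopy(policy)
    stmts = _statements(new_policy)
    if not any(s.get("Sid") == TEMP_SID for s in stmts):
        stmts.append({"Sid": TEMP_SID, "Effect": "Allow",
                      "Principal": {"AWS": principal_arn},
                      "Action": "sts:AssumeRole"})  # only AssumeRole, only this principal
    new_policy["Statement"] = stmts
    return new_policy


def trust_is_visible(policy, principal_arn=VALIDATOR_ROLE_ARN):
    """Preparer side: given the policy read back from IAM, True only if the
    marker statement is present and grants exactly sts:AssumeRole to the
    validator principal, so a partial or wrong write is not taken as propagated."""
    for s in _statements(policy):
        if s.get("Sid") != TEMP_SID:
            continue
        action = s.get("Action")
        action = [action] if isinstance(action, str) else action
        return (s.get("Effect") == "Allow"
                and s.get("Principal", {}).get("AWS") == principal_arn
                and action == ["sts:AssumeRole"])
    return False


def remove_temporary_trust(policy):
    """Validator side: copy with the marker statement removed and every other
    statement intact, so the role returns to its declared state."""
    new_policy = copy.deepcopy(policy)
    new_policy["Statement"] = [s for s in _statements(new_policy)
                               if s.get("Sid") != TEMP_SID]
    return new_policy
```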

@edersonbrilhante edersonbrilhante changed the title Move forge trust updates to lambda refactor: move forge trust updates to lambda Jun 5, 2026
@edersonbrilhante edersonbrilhante enabled auto-merge (squash) June 5, 2026 14:22
@edersonbrilhante edersonbrilhante merged commit ef9653f into main Jun 5, 2026
5 checks passed
@edersonbrilhante edersonbrilhante deleted the move-forge-trust-updates-to-lambda branch June 5, 2026 15:10