Fix P0-P2 bugs: Gremlin injection, property mismatches, Neptune auth, collector correctness #7

Merged: therandomsecurityguy merged 2 commits into main from feature/bug-fixes on Jun 22, 2026

Conversation

@Shasheen8 (Collaborator)

Foundation fixes across the platform

  • Gremlin injection eliminated in graph-writer, incremental-collector, policy-evaluator, and API neptune-client — all queries now use Gremlin bindings instead of string interpolation
  • Risk rules fixed — all 10 rules rewritten with correct snake_case property names and vertex labels matching collector output; rules now reference edges that actually exist (ATTACHED_TO / CONTAINS / GRANTS instead of non-existent ALLOWS_ACCESS_TO)
  • Neptune auth added to API service — reads NEPTUNE_AUTH_SECRET_ARN and fetches credentials from Secrets Manager
  • Stub getSecret removed from types.ts that returned hardcoded fake credentials
  • Collector correctness — fixed malformed SG edge ARN, VPC flow logs now actually queried via DescribeFlowLogs, Security Hub findings fully paginated, ExternalId added to cross-account AssumeRoleCommand calls
  • Collector enhancements: HAS_IAM_ROLE edges added for EC2 and Lambda, port_from/port_to on SecurityGroupRule, is_in_vpc/has_internet_access on Lambda, has_wildcard_resource/has_wildcard_action on IamPolicyStatement, is_publicly_accessible on RDS
  • CDKSecurityGraphEksStack conditionally instantiated, DynamoDB tables exposed as stack properties
  • CI — fixed release workflow paths (lambdas/risk-engine → packages/risk-engine)
  • API — CORS middleware added with configurable allowed origins, Gremlin validator extended with ARN param validation
  • Compliance — duplicate CIS controls removed (1.9, 1.16, 1.17, 1.18), DynamoDB client instances deduplicated in compliance engine
  • Cleanup — removed conflicting .eslintrc.json, dead neptune-client-lite.ts, compiled artifacts from git tracking
  • UI — fixed downloadReport to use NEXT_PUBLIC_API_URL instead of relative path
  • ARCHITECTURE.md — updated diagram, vertex/edge schema, and risk rule properties to match code
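The first and API bullets describe moving Gremlin queries from string interpolation to bindings and adding ARN parameter validation. The following is an added illustration of that pattern, not code from this PR or the project: it models the request shape the Gremlin Node client sends (query text plus a bindings object) without importing the `gremlin` package, and the ARN allow-list regex and function names are assumptions.

```typescript
// Added example, not project code: parameterised Gremlin query construction
// plus ARN parameter validation, mirroring the fix the PR describes.

interface GremlinRequest {
  gremlin: string;                    // query text submitted to Neptune
  bindings: Record<string, string>;   // values bound server-side, never spliced into text
}

// Conservative ARN allow-list (assumption; adjust to the project's own validator):
// arn:partition:service:region:account:resource
const ARN_PATTERN = /^arn:[a-z0-9-]+:[a-z0-9-]+:[a-z0-9-]*:\d{0,12}:[A-Za-z0-9._\-\/:*@]+$/;

function isValidArn(value: string): boolean {
  return value.length <= 2048 && ARN_PATTERN.test(value);
}

// Pre-fix pattern kept only for contrast: the caller-supplied value becomes part
// of the query text, so any quote or parenthesis in it changes the query itself.
function lookupByArnInterpolated(arn: string): GremlinRequest {
  return { gremlin: `g.V().has('arn', '${arn}')`, bindings: {} };
}

// Post-fix pattern: the query text is a constant and the ARN travels as a
// binding, after passing the allow-list check.
function lookupByArnBound(arn: string): GremlinRequest {
  if (!isValidArn(arn)) {
    throw new Error('invalid ARN parameter');
  }
  return { gremlin: "g.V().has('arn', arnParam)", bindings: { arnParam: arn } };
}
```

With the bound form, the query text stays identical for every input, which is also what makes it easy to spot unexpected query shapes in Neptune audit logs.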

…auth, collector correctness, CDK and CI fixes
@Shasheen8 Shasheen8 force-pushed the feature/bug-fixes branch from 3488757 to 4b93afd on June 22, 2026 19:31
@therandomsecurityguy therandomsecurityguy merged commit e4700b1 into main Jun 22, 2026
4 checks passed