Improve access review effective entitlement gates #1407

Open
danyili2632 wants to merge 1 commit into UnitOneAI:main from danyili2632:improve/access-review-effective-entitlements

@danyili2632

Summary

  • addresses [REVIEW] access-review: add effective entitlement expansion evidence gates #1404 by adding an effective entitlement expansion step before certification decisions
  • adds evidence gates for direct entitlements, transitive paths, dynamic/birthright rules, inherited cloud bindings, local app/database grants, resource ACLs, effective permissions, certifier visibility, and unresolved graph nodes
  • updates the findings table and summary categories so reports capture expansion evidence and Not Evaluable cases instead of approving direct-group-only reviews
  • adds references for Microsoft Graph transitive membership, Google Cloud Policy Analyzer, and AWS IAM Access Analyzer unused access

Validation

  • git diff --check
  • verified required markers for AR-EFF checks, effective entitlement expansion, transitive path, dynamic rule, inherited cloud binding, effective permission, certifier visibility, unresolved graph nodes, and references
  • verified Markdown fence count is balanced

Bounty

  • Target tier: Improver Moderate ($100) if accepted
  • Preferred payment method: crypto, Base USDC 0x6CBF4b5cb88b8C2B7af776Bc2B073163B5d3C08A
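
The expansion step described in the summary above can be illustrated with a small sketch. This is an added example, not code from this pull request or the UnitOneAI repository: the node naming (`user:`, `group:`, `role:`), the `expand` and `gate` functions, the sample graph and the "Ready for certification" label are all assumptions made for illustration. It walks nested membership to record the transitive path behind each entitlement and returns Not Evaluable when any referenced node is missing from the snapshot.

```python
from collections import deque

# Constructed sample snapshot (not from the PR): member -> things it belongs to or holds.
EDGES = {
    "user:alice": ["group:eng"],
    "group:eng": ["group:platform", "group:ext-partners"],
    "group:platform": ["role:db-admin", "group:eng"],  # nesting cycle
    "user:bob": ["role:viewer"],
}
# "group:ext-partners" is referenced but missing from the snapshot: an unresolved node.


def expand(principal, edges):
    """Breadth-first expansion; returns ({entitlement: path}, unresolved node set)."""
    paths, unresolved = {}, set()
    seen, queue = {principal}, deque([[principal]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node not in edges:          # cannot see what this node grants
            unresolved.add(node)
            continue
        for nxt in edges[node]:
            if nxt in seen:            # cycle or already reached by a shorter path
                continue
            seen.add(nxt)
            if nxt.startswith("role:"):
                paths[nxt] = path + [nxt]   # entitlement is a leaf; keep the evidence path
            else:
                queue.append(path + [nxt])
    return paths, unresolved


def gate(principal, edges):
    """Hypothetical gate: refuse to certify when the graph could not be fully expanded."""
    paths, unresolved = expand(principal, edges)
    direct = sorted(e for e, p in paths.items() if len(p) == 2)
    transitive = {e: " -> ".join(p) for e, p in paths.items() if len(p) > 2}
    status = "Not Evaluable" if unresolved else "Ready for certification"
    return {"direct": direct, "transitive": transitive,
            "unresolved": sorted(unresolved), "status": status}


if __name__ == "__main__":
    for who in ("user:alice", "user:bob", "user:carol"):
        print(who, gate(who, EDGES))
```

A direct-group-only review of `user:alice` would show a single group and no roles; the expansion surfaces `role:db-admin` two hops away and blocks the decision because one nested group could not be resolved.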
