
feat: add IaC support for high-confidence AWS rules#48

Merged
dannysteenman merged 6 commits into main from codex/iac-high-confidence-rules
Mar 27, 2026

Conversation

@axonstone
Contributor

Summary

  • Added IaC support for the high-confidence AWS discovery rules across @cloudburn/rules and @cloudburn/sdk.
  • Extended the AWS static dataset registry and shared rule metadata so the affected rules now evaluate Terraform and CloudFormation inputs alongside live discovery.
  • This was needed to close the gap between discovery-mode coverage and static scan coverage for rules that can be evaluated conservatively from IaC alone.

Diagram

flowchart LR
  IaC[Terraform / CloudFormation] --> Parser[parseIaC]
  Parser --> Registry[AWS static dataset registry]
  Registry --> Datasets[Normalized static datasets]
  Datasets --> Rules[Dual-mode AWS rules]
  Rules --> Findings[IaC findings]

Scope

  • cloudburn (cli)
  • @cloudburn/sdk
  • @cloudburn/rules
  • docs/community files

Release Notes

  • Added a .changeset/*.md file for published package changes
  • No published package changes in this PR

Verification

  • pnpm lint
  • pnpm typecheck
  • pnpm test
  • pnpm build
  • pnpm verify

Boundary Checks

  • No engine/parser/provider logic added to @cloudburn/rules
  • CLI delegates scan logic to SDK
  • README/CONTRIBUTING/docs updated when behavior changed

Related Issues

None.
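The flow sketched in the description above (IaC parsed into a static dataset registry, normalized into datasets, then consumed by dual-mode rules), as an added example. This is not @cloudburn code: every name in it (LogGroupRecord, fromCloudFormation, fromTerraform, fromLive, evaluateRetentionRule, the rule id aws-logs-retention-unset) and all three sample inputs are constructed for this example. It shows what "evaluated conservatively from IaC alone" has to mean in practice: a value the parser cannot resolve (a CloudFormation Ref, a Terraform `${...}` expression) is recorded as "unknown" and produces no finding, while a property that is simply omitted, whose service default is known, is still reported, and the same rule function runs unchanged over live discovery output.

```typescript
// Added example, not @cloudburn code. All identifiers are hypothetical and
// the three inputs below are constructed for the example.

// null = log events never expire; "unknown" = IaC value we cannot resolve.
type Retention = number | null | "unknown";
type Source = "live" | "cloudformation" | "terraform";

interface LogGroupRecord { id: string; source: Source; retentionDays: Retention }
interface Finding { ruleId: string; resourceId: string; source: Source; reason: string }

interface CfnTemplate {
  Parameters?: Record<string, unknown>;
  Resources: Record<string, { Type: string; Properties?: Record<string, unknown> }>;
}
interface TfResource { type: string; name: string; attrs: Record<string, unknown> }
interface LiveLogGroup { logGroupName: string; retentionInDays?: number }

// Constructed CloudFormation template (JSON form).
const cfnTemplate: CfnTemplate = {
  Parameters: { Retention: { Type: "Number", Default: 30 } },
  Resources: {
    AppLogs:   { Type: "AWS::Logs::LogGroup", Properties: { LogGroupName: "/app" } },
    AuditLogs: { Type: "AWS::Logs::LogGroup", Properties: { RetentionInDays: 365 } },
    ParamLogs: { Type: "AWS::Logs::LogGroup", Properties: { RetentionInDays: { Ref: "Retention" } } },
    Assets:    { Type: "AWS::S3::Bucket" },
  },
};

// Constructed Terraform resources in JSON configuration syntax, where an
// unresolved expression survives as a "${...}" string.
const tfResources: TfResource[] = [
  { type: "aws_cloudwatch_log_group", name: "app",   attrs: { name: "/app" } },
  { type: "aws_cloudwatch_log_group", name: "audit", attrs: { retention_in_days: 90 } },
  { type: "aws_cloudwatch_log_group", name: "param", attrs: { retention_in_days: "${var.retention}" } },
];

// Constructed live discovery output in DescribeLogGroups shape.
const liveLogGroups: LiveLogGroup[] = [
  { logGroupName: "/prod/api" },
  { logGroupName: "/prod/audit", retentionInDays: 400 },
];

// CloudFormation: omitted RetentionInDays means never expire; an integer
// literal is usable; anything else (Ref, Fn::If, ...) is left unresolved.
function cfnRetention(v: unknown): Retention {
  if (v === undefined) return null;
  if (typeof v === "number" && Number.isInteger(v) && v > 0) return v;
  if (typeof v === "string" && /^\d+$/.test(v) && Number(v) > 0) return Number(v);
  return "unknown";
}

// Terraform: retention_in_days omitted or 0 means never expire (provider
// default); a "${...}" expression is not evaluated, so it is unknown.
function tfRetention(v: unknown): Retention {
  if (v === undefined || v === 0) return null;
  if (typeof v === "number" && Number.isInteger(v) && v > 0) return v;
  return "unknown";
}

function fromCloudFormation(tpl: CfnTemplate): LogGroupRecord[] {
  return Object.entries(tpl.Resources)
    .filter(([, r]) => r.Type === "AWS::Logs::LogGroup")
    .map(([id, r]): LogGroupRecord => ({
      id, source: "cloudformation", retentionDays: cfnRetention(r.Properties?.RetentionInDays),
    }));
}

function fromTerraform(resources: TfResource[]): LogGroupRecord[] {
  return resources
    .filter((r) => r.type === "aws_cloudwatch_log_group")
    .map((r): LogGroupRecord => ({
      id: `${r.type}.${r.name}`, source: "terraform", retentionDays: tfRetention(r.attrs.retention_in_days),
    }));
}

function fromLive(groups: LiveLogGroup[]): LogGroupRecord[] {
  return groups.map((g): LogGroupRecord => ({
    id: g.logGroupName, source: "live", retentionDays: g.retentionInDays ?? null,
  }));
}

const RULE_ID = "aws-logs-retention-unset"; // hypothetical rule id

// One rule body for both modes. "unknown" never yields a finding: the rule
// stays silent rather than guessing what a parameter will resolve to.
function evaluateRetentionRule(records: LogGroupRecord[]): Finding[] {
  const findings: Finding[] = [];
  for (const r of records) {
    if (r.retentionDays === "unknown") continue;
    if (r.retentionDays === null) {
      findings.push({ ruleId: RULE_ID, resourceId: r.id, source: r.source,
        reason: "retention not set; log events never expire" });
    }
  }
  return findings;
}

// Feed all three sources into the same normalized dataset and evaluate once.
function scanAll(): Finding[] {
  const dataset = [...fromCloudFormation(cfnTemplate), ...fromTerraform(tfResources), ...fromLive(liveLogGroups)];
  return evaluateRetentionRule(dataset);
}
```

Running scanAll() reports AppLogs, aws_cloudwatch_log_group.app and /prod/api, and stays silent on ParamLogs and aws_cloudwatch_log_group.param. One caveat when the Terraform input is a `terraform show -json` plan rather than JSON configuration: values that are unknown until apply are absent from `values` and listed under `after_unknown`, so a normalizer that treats a missing key as "omitted" will misreport them as the provider default; check `after_unknown` before mapping absence to null.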

@axonstone axonstone added the enhancement New feature or request label Mar 24, 2026
@axonstone axonstone requested a review from dannysteenman March 24, 2026 18:17
@axonstone
Contributor Author

roborev: Combined Review (55811d5)

Verdict: No High or Critical findings identified across the combined reviews.

Multiple agents reviewed the diff, including two security-focused reviews, and none reported any High or Critical issues.

Medium-severity concerns were reported by one reviewer, but they are omitted here per the requested severity filter.


Synthesized from 4 reviews (agents: claude-code, codex | types: default, security)

@devin-ai-integration devin-ai-integration bot left a comment

Devin Review found 0 new potential issues.

View 13 additional findings in Devin Review.


@dannysteenman dannysteenman merged commit c5da62e into main Mar 27, 2026
5 of 6 checks passed
@dannysteenman dannysteenman deleted the codex/iac-high-confidence-rules branch March 27, 2026 15:52
@github-actions github-actions bot mentioned this pull request Mar 27, 2026
@devin-ai-integration devin-ai-integration bot left a comment

Devin Review found 0 new potential issues.

View 17 additional findings in Devin Review.

Labels

enhancement New feature or request
