refactor(cli): /simplify pass on lambda policies

Adds a typed TrustPolicyDocument / TrustPolicyStatement pair so
buildRoleTrustPolicy can return a real type instead of unknown. The
trust-policy shape has a Principal field that the generic
PolicyStatement doesn't model, but it was previously punted via a
return unknown rather than a parallel type.

Test cleanup: drop the `as {...}` casts that the previous return-
unknown signature forced.

Author: jrusso1020

packages/cli/src/commands/lambda/policies.test.ts

@@ -55,14 +55,10 @@ describe("policies — buildPolicyDocument", () => {
 
 describe("policies — buildRoleTrustPolicy", () => {
   it("returns a sts:AssumeRole statement scoped to the requested service", () => {
-    const trust = buildRoleTrustPolicy("cloudformation") as {
-      Statement: { Action: string; Principal: { Service: string } }[];
-    };
+    const trust = buildRoleTrustPolicy("cloudformation");
     expect(trust.Statement[0]!.Action).toBe("sts:AssumeRole");
     expect(trust.Statement[0]!.Principal.Service).toBe("cloudformation.amazonaws.com");
-    const lambdaTrust = buildRoleTrustPolicy("lambda") as {
-      Statement: { Principal: { Service: string } }[];
-    };
+    const lambdaTrust = buildRoleTrustPolicy("lambda");
     expect(lambdaTrust.Statement[0]!.Principal.Service).toBe("lambda.amazonaws.com");
   });
 });

packages/cli/src/commands/lambda/policies.ts

@@ -36,6 +36,22 @@ interface PolicyDocument {
   Statement: PolicyStatement[];
 }
 
+/**
+ * Trust-policy shape consumed by `policies role`. Has a `Principal`
+ * field (which generic `PolicyStatement` does not model) — keep it as
+ * a separate type rather than polluting the action-policy shape.
+ */
+interface TrustPolicyStatement {
+  Effect: "Allow";
+  Principal: { Service: string };
+  Action: "sts:AssumeRole";
+}
+
+interface TrustPolicyDocument {
+  Version: "2012-10-17";
+  Statement: TrustPolicyStatement[];
+}
+
 /**
  * Actions the CLI needs to deploy/invoke/destroy the stack. Keep this
  * sorted alphabetically inside each service so diffs stay readable.
@@ -166,13 +182,8 @@ export function buildPolicyDocument(): PolicyDocument {
   };
 }
 
-/**
- * Trust policy a service-linked IAM role consumes (used by `policies role`).
- * Returned as a structurally-correct `Allow sts:AssumeRole` with the named
- * service principal attached — the `Principal` field is an IAM-specific
- * extension not modelled by our generic `PolicyStatement` type.
- */
-export function buildRoleTrustPolicy(principal: "lambda" | "cloudformation"): unknown {
+/** Trust policy a service-linked IAM role consumes (used by `policies role`). */
+export function buildRoleTrustPolicy(principal: "lambda" | "cloudformation"): TrustPolicyDocument {
   const Service = principal === "lambda" ? "lambda.amazonaws.com" : "cloudformation.amazonaws.com";
   return {
     Version: "2012-10-17",