
feat: Improve cloud scanners #7

Merged
Pringled merged 19 commits into main from improve-scanners on Mar 5, 2026

Conversation


@Pringled Pringled commented Mar 3, 2026

No description provided.

Pringled added 19 commits March 3, 2026 09:44

- GCP: scanAllProjects now collects projects whose IAM policy cannot be
  fetched and collapses them into a single UNCERTAIN finding listing all
  inaccessible project IDs in Detail, instead of one finding per project.
  Adds tests for single-project failure, multi-project collapse, and
  mixed access+failure scenarios.

- AWS: enumerate named profiles from ~/.aws/credentials (bare [name]
  sections) and ~/.aws/config ([profile name] sections), deduplicate,
  then check each profile concurrently via --profile flag. Root-account
  profiles emit CRITICAL; high-risk-policy profiles emit HIGH with
  'profile:<name>' suffix on the Resource and Detail fields.
  AWSScanner gains a HomeDir field (overridable in tests). Adds tests
  for profile high-risk detection, root-profile detection, unusable
  profiles (silent), missing config files (no crash), and deduplication.

- aws.go: remove scanNamedProfiles result wrapper struct, use [][]models.Finding directly
- aws.go: scanAttachedPolicies now returns []models.Finding (not models.ScanResult)
- aws.go: extract accountOrUnknown() helper to deduplicate account == "" fallback
- aws.go: fix correctness bug — named profiles are now scanned even when the default
  credential chain fails (rc != 0); scanner only skips if both default and all profiles
  yield nothing
- aws.go: cap goroutine concurrency in scanNamedProfiles with semaphore (maxConcurrency=10)
- aws_test.go: remove unused '_ = result' in TestAWSScanner_ProfileDeduplication
- aws_test.go: add TestAWSScanner_ProfilesOnlyNoDefault regression test
- gcp.go: listProjects now returns ([]string, error) instead of ([]string, string)
- gcp.go: large-project notice moved from LOW finding to stderr — it is a UX message,
  not a risk, and must not inflate confirmed_total
- gcp.go: cap goroutine concurrency in scanAllProjects with semaphore (maxConcurrency=10)
- gcp_test.go: update TestGCPScanner_LargeProjectWarning to assert no LOW finding appears
- scan.go: add maxConcurrency = 10 constant shared by both scanners

Adds a collapsible severity policy section under 'What It Scans' that
codifies the CRITICAL vs HIGH distinction (total/unscoped blast radius vs.
scoped/conditional access). Also removes em dashes and tightens phrasing
in comments across cli, models, output, and scan packages.

…h no high-risk policies

The scanner was using len(findings)==0 to decide whether to skip in the
default-chain-unauthenticated path. A profile that authenticates but has
no admin policies produces no findings, so the scanner incorrectly returned
skipped, hiding the fact that AWS was reachable via that profile.

Fix: track anyAuthenticated separately in profileScanResult and use that
to gate the skip decision. Add regression test covering the authenticated
profile + no-high-risk-policy case.
…zure and GCP scanners

Renames /agentscan to /agentcheck in .gitignore to match the project rename.
Adds comments to Azure and GCP scanners explaining why only the active
subscription/account is scanned, and why that is the correct behaviour.
@Pringled Pringled merged commit 113490a into main Mar 5, 2026
2 checks passed
@Pringled Pringled deleted the improve-scanners branch March 5, 2026 18:00
