PoC v2: blast radius incl. AWS IAM
  /file?p=...  /env  /whoami  /imds
  /aws-token   IMDSv2 PUT
  /aws-role    /iam/info + role list
  /aws-creds   AccessKey + SecretKey + Token (raw, sensitive)
  /aws-identity STS GetCallerIdentity (via boto3)