v1.3.4 - Account, Organization, and Client View updates

* New hero layout with a clickable Account ID (copy-to-clipboard), account-type badge, status, and join context at a glance.

* sidebar shows every account's place in the hierarchy: Client → Organization → OUs → Account.

* tab surfaces every SCP, Tag, Backup, and related policy reaching the account — direct or inherited — with source badges so inheritance is obvious.

* tab flags Control Tower and AWS Backup delegations in context.

* panel lists only the roles you're actually entitled to, with one-click assumption.

* Three-step Add flow (Info · Inventory Role · Metadata) with post-create inventory status toast.

* Edit page now uses the same tabbed layout as Organizations: Information · Tags & Notes · Inventory Role · Access Roles.

* Chip-style tags, contract number, and notes preserved across inventory runs.

* Client list now shows per-client Organizations and Accounts counts.

* Client → Accounts tab hides "Switch Role" when you have no entitled role — no more dead-end clicks.

* Inline access-role writes on Accounts and Organizations are now validated server-side: role-name, assumption type, External ID format, and intermediate-ARN tenant allowlist — the same rules the assume-role Lambda enforces at use time, now also applied at write time.

* Unknown fields on role entries are stripped with an audit-log entry, closing an injection surface.

* Updates to records missing an owner are rejected outright.

* Client mirrors the server validation so typos surface before the save.