Summary

• Bumps aws-sdk-dynamodb (1.3.0 → 1.106.0) in [dependencies]
• Selectively updates transitive AWS SDK deps to patched versions:
  • aws-sdk-sts: 1.47.0 → 1.99.0
  • aws-sdk-sso: 1.47.0 → 1.95.0
  • aws-sdk-ssooidc: 1.48.0 → 1.97.0

Remediates GHSA-g59m-gf8j-gjf5 (CVSS 3.7) — AWS SDK for Rust region validation bypass.

Note: aws-config dev-dependency version in Cargo.toml is unchanged as a full cargo update breaks cts-common (unrelated vitaminc compatibility issue). The targeted update pulls in patched transitive deps.

Resolves: CIP-2750

Test plan

• cargo check passes
• cargo test — 27/28 pass (1 pre-existing failure on main: test_unseal_all_empty requires env var)
• cargo tree confirms all AWS SDK crates at patched versions