CVE-2026-48036: @hulumi/drift: Drift classifier fails open on adapter errors and over-promotes Mixed verdicts
@hulumi/drift runs four adapters that each ask a different question about whether a resource has drifted (Pulumi-state diff, provider-version change, CloudTrail event, etc.). A classifier combines the adapters’ answers into a verdict like None / none, ConsoleBreakGlass / high, or Mixed / high, and caches the verdict for 6 hours by default.
Two related bugs from one root cause — the classifier only read each adapter’s detected: true/false field and ignored whether the adapter itself succeeded:
- Cached "all clear" on adapter failure. When an adapter failed (e.g. a transient network error from the Automation API), the classifier read detected: false, concluded "no drift", and cached the verdict as None / none for 6 hours. A single transient failure could mask real console-break-glass mutations for the rest of the window.
- Mixed verdicts without real evidence. The Mixed / high and ConsoleBreakGlass / high verdicts (incident severity) could fire on the "the CloudTrail probe round-tripped successfully" signal rather than on actual evidence that anything had been changed via the console. Normal provider-API churn could end up falsely escalated to incident severity.
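The two failure modes above come from the same classifier pattern, so the following added example shows the pattern and its fail-closed counterpart side by side. It is illustrative code written for this advisory, not @hulumi/drift's own implementation: the AdapterResult shape, the adapter names, the Indeterminate verdict kind, the "low" severity and the sample inputs are all assumptions; only the idea that the classifier read detected without checking adapter success, and that console verdicts need concrete evidence, comes from the advisory.

```typescript
// Hypothetical shapes, not the real @hulumi/drift types.
type Severity = "none" | "low" | "high"; // "low" is an assumption; advisory mentions none/high
type VerdictKind = "None" | "ProviderChange" | "ConsoleBreakGlass" | "Mixed" | "Indeterminate";

interface AdapterResult {
  adapter: string;     // e.g. "pulumi-state", "provider-version", "cloudtrail"
  ok: boolean;         // did the adapter itself run to completion?
  detected: boolean;   // did it report drift?
  evidence?: string;   // concrete artefact backing the report (e.g. an event id), if any
}

interface Verdict {
  kind: VerdictKind;
  severity: Severity;
  cacheable: boolean;  // may this verdict be stored for the cache window?
}

// Vulnerable pattern from the advisory: only `detected` is consulted, so an adapter
// that failed (ok: false, detected: false) is indistinguishable from "no drift", and any
// cloudtrail `detected: true` is treated as console evidence even without an artefact.
function classifyVulnerable(results: AdapterResult[]): Verdict {
  const hits = results.filter(r => r.detected);
  if (hits.length === 0) return { kind: "None", severity: "none", cacheable: true };
  const viaConsole = hits.some(r => r.adapter === "cloudtrail");
  if (viaConsole && hits.length > 1) return { kind: "Mixed", severity: "high", cacheable: true };
  if (viaConsole) return { kind: "ConsoleBreakGlass", severity: "high", cacheable: true };
  return { kind: "ProviderChange", severity: "low", cacheable: true };
}

// Hardened counterpart: fail closed on adapter errors and require evidence for console verdicts.
function classifyHardened(results: AdapterResult[]): Verdict {
  // An adapter that did not complete has no answer; the combined verdict is
  // indeterminate and must not be cached, so the next run re-asks the question.
  if (results.some(r => !r.ok)) {
    return { kind: "Indeterminate", severity: "none", cacheable: false };
  }
  const hits = results.filter(r => r.detected);
  if (hits.length === 0) return { kind: "None", severity: "none", cacheable: true };
  // Console mutation only counts when the cloudtrail adapter supplies a concrete artefact,
  // not merely a successful probe round-trip.
  const consoleHit = hits.find(r => r.adapter === "cloudtrail" && !!r.evidence);
  const nonConsole = hits.filter(r => r.adapter !== "cloudtrail");
  if (consoleHit && nonConsole.length > 0) return { kind: "Mixed", severity: "high", cacheable: true };
  if (consoleHit) return { kind: "ConsoleBreakGlass", severity: "high", cacheable: true };
  if (nonConsole.length > 0) return { kind: "ProviderChange", severity: "low", cacheable: true };
  return { kind: "None", severity: "none", cacheable: true }; // cloudtrail flag with no evidence
}

// Constructed sample inputs (not real adapter output).
const TRANSIENT_FAILURE: AdapterResult[] = [
  { adapter: "pulumi-state", ok: true, detected: false },
  { adapter: "cloudtrail", ok: false, detected: false }, // network error, no answer
];
const PROVIDER_CHURN: AdapterResult[] = [
  { adapter: "pulumi-state", ok: true, detected: true },
  { adapter: "provider-version", ok: true, detected: true },
  { adapter: "cloudtrail", ok: true, detected: true },     // probe succeeded, no event
];
const REAL_CONSOLE_CHANGE: AdapterResult[] = [
  { adapter: "pulumi-state", ok: true, detected: false },
  { adapter: "cloudtrail", ok: true, detected: true, evidence: "constructed-event-id-1" },
];

function demo(): void {
  for (const [name, input] of [
    ["transient failure", TRANSIENT_FAILURE],
    ["provider churn", PROVIDER_CHURN],
    ["real console change", REAL_CONSOLE_CHANGE],
  ] as const) {
    const v = classifyVulnerable(input), h = classifyHardened(input);
    console.log(`${name}: vulnerable=${v.kind}/${v.severity} hardened=${h.kind}/${h.severity} cacheable=${h.cacheable}`);
  }
}
demo();
```

The transient-failure input is the first bug: the vulnerable classifier caches None / none, the hardened one returns an uncacheable Indeterminate. The provider-churn input is the second: the vulnerable classifier escalates to Mixed / high on a mere successful probe, the hardened one stays at a provider-change verdict. Only the input with a concrete artefact reaches ConsoleBreakGlass / high in both.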