gcp v5.36.1 - Organization policy scoping and Project Router fixes

Jun 08, 2026 - Guardrails Mods

Bug fixes

  • The Organization > Event Handler action type now degrades cleanly when the event principal does not correspond to a Guardrails profile resource (direct admin logins, GCP service accounts, federated identities). Previously the profile lookup failed the input query and the event was silently dropped; the lookup now returns null and the inline falls back to the unidentified resource, matching the AWS and Azure equivalents.
  • GCP organization policies now land under the scope they were set at. The Organization Policy > Discovery control runs once per organization, folder, and project (instead of only at the organization), and each per-policy resource is parented under the scope where the policy was applied rather than always under the organization. Existing org-scope-parented folder and project policies are reparented in place on the next discovery run.
  • Project-scope and folder-scope GCP organization policy update events now propagate to the CMDB via push within seconds instead of waiting for the five-minute poller cycle. The Organization Policy > Router action type's targets list now includes project and folder resource types in addition to organization, so the router fires for events at any scope where the policy was applied.
  • Fixed a broken selection in the Project > Router action type's input query that returned a 400 when requesting subfields under the project resource's parent field. The project schema exposes parent as a scalar (turbot__gcp__project_parent), so subfield selections fail with the error 'Field "parent" must not have a selection since type "turbot__gcp__project_parent" has no subfields'. That error caused the entire input query to fail and silently rolled back every queued command. The parent's type URI is now resolved via a separate resource(id: $.item.turbot.parentId) lookup, preserving the isStandalone check in the inline (which determines whether resourcemanager.projects.move should preserve or update the Guardrails parent).
  • Fixed Project > Router so it correctly dispatches a project CMDB refresh on organization policy events. The router's resource AKA derivation built gcp://cloudresourcemanager.googleapis.com/{protoPayload.resourceName}, which for org-policy events is the policy path (projects/N/policies/X) rather than the project path — the dispatched AKA resolved to no resource and turbot.control.run silently no-op'd. The router now uses the running router instance's own target AKA ($.item.turbot.akas[0]) for org-policy events, since the Project event handler raises those events on the project's AKA. The project resource's orgPolicyMap now refreshes via push as expected.
  • Fixed Project > Router failing silently on every event because its inline called require("semver"). The Guardrails worker's inline runtime does not bundle semver, so the require threw "Cannot find module 'semver'", which caused the entire action to fail and every queued command (project CMDB dispatch, resource updates) to roll back silently. The semver-based workspaceVersion >= 5.56.0 comparison is replaced with a manual numeric major/minor parse with the same semantics, so no external dependency is required.
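
The AKA derivation fix for Project > Router on organization policy events, sketched as an added example (this is not the mod's own inline code). The function names, the policy-path regex used to recognise org-policy events, the CMDB stand-in and the sample events are assumptions made for illustration; only protoPayload.resourceName, the AKA prefix and $.item.turbot.akas[0] come from the notes above.

```javascript
// Added example: illustrative only, not the Guardrails mod's inline code.
const AKA_PREFIX = "gcp://cloudresourcemanager.googleapis.com/";

// Assumption: an org-policy event is recognised by its resourceName being a
// policy path such as projects/N/policies/X (the shape quoted in the notes).
const POLICY_PATH = /^(projects|folders|organizations)\/[^/]+\/policies\/[^/]+$/;

// Pre-fix derivation: always trusts protoPayload.resourceName.
function legacyAka(event) {
  return AKA_PREFIX + event.protoPayload.resourceName;
}

// Post-fix derivation: org-policy events use the router instance's own
// target AKA; all other events keep the resourceName-based AKA.
function routerAka(event, item) {
  const name = event?.protoPayload?.resourceName;
  if (typeof name !== "string" || name === "") return null;
  if (POLICY_PATH.test(name)) {
    const akas = item?.turbot?.akas;
    return Array.isArray(akas) && akas.length > 0 ? akas[0] : null;
  }
  return AKA_PREFIX + name;
}

// Resolve an AKA against the CMDB (here a constructed Set) and report a miss
// explicitly instead of letting the dispatch become a silent no-op.
function dispatch(aka, cmdbAkas) {
  if (aka === null || !cmdbAkas.has(aka)) {
    return { dispatched: false, reason: `no resource for AKA ${aka}` };
  }
  return { dispatched: true, target: aka };
}

// Constructed sample data (project number and constraint name are made up).
const projectAka = AKA_PREFIX + "projects/123456789012";
const cmdb = new Set([projectAka]);
const item = { turbot: { akas: [projectAka] } };
const policyEvent = {
  protoPayload: { resourceName: "projects/123456789012/policies/example.constraint" },
};
const projectEvent = { protoPayload: { resourceName: "projects/123456789012" } };

console.log(dispatch(legacyAka(policyEvent), cmdb)); // policy path is not a resource AKA
console.log(dispatch(routerAka(policyEvent, item), cmdb));
console.log(dispatch(routerAka(projectEvent, item), cmdb));
```

Returning an explicit miss from the dispatch step makes an unresolved AKA visible in logs, which is the failure that went unnoticed before the fix.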