[plugin] Fix: lambda-deploy update path now verifies the execution role exists#676

Merged
sebsto merged 1 commit into main from fix/plugin_deploy
Jun 29, 2026
Conversation

@sebsto sebsto commented Jun 29, 2026

Collaborator

Problem

The lambda-deploy plugin's update path never verifies that the function's execution role still exists. Lambda validates the execution role lazily — only at invoke time, not when a function is created or updated — so a redeploy against a function whose role was deleted (for example by a previous lambda-deploy --delete, which removes both the function and its role) succeeds silently. The function is left pointing at a non-existent role and fails at invoke time with:

An error occurred (AccessDeniedException) when calling the Invoke operation:
The role defined for the function cannot be assumed by Lambda.

The role was only ever resolved/created on the create path, so once the auto-managed role went missing there was no way to recover via redeploy, and no diagnostic pointing at the cause.

Fix

  • On the update path, verify the function's configured execution role still exists in IAM before updating the code. If it is gone, stop the deployment with a clear error that names the function and role and suggests the recovery action (delete + redeploy so the role is recreated).
  • The existence check now reuses the GetFunction response already fetched to determine create-vs-update, so the verification adds no extra GetFunction call. functionExists(...) -> Bool became existingFunctionConfiguration(...) -> FunctionConfiguration? and the configuration is carried downstream.
  • New helpers: roleName(fromARN:) (extracts the role name from an execution-role ARN, handling nested paths and partitions) and verifyExecutionRoleExists(...) (maps IAM NoSuchEntity to the actionable executionRoleMissing error).

Tests

Added a property-test suite covering roleName(fromARN:) — valid ARNs including service-role/nested paths and the aws-us-gov partition, plus malformed/empty ARNs that must return nil.

All AWSLambdaPluginHelperTests pass (75 tests); the AWSLambdaPluginHelper target builds clean on Swift 6.4.
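The description above names a roleName(fromARN:) helper that pulls the role name out of an execution-role ARN while tolerating nested paths and non-default partitions, and lists the inputs its property tests cover. The following is an added illustration of what such a parser looks like; it is not the plugin's code from this PR, and the function body, the sample ARNs and the inline checks are all constructed here. It treats an IAM role ARN as six colon-separated fields whose resource field is `role/<path>/<name>`, so only the last `/`-separated component is the role name and everything else in the path is ignored.

```swift
import Foundation

/// Hypothetical stand-in for the helper described in the PR (not the project's code):
/// extract the IAM role name from an execution-role ARN such as
///   arn:aws:iam::123456789012:role/service-role/my-function-role
/// Returns nil for anything that is not a well-formed IAM role ARN, so a caller can
/// refuse to look up a role whose name it could not determine instead of guessing.
func roleName(fromARN arn: String) -> String? {
    // An ARN has exactly six colon-separated fields:
    //   arn:partition:service:region:account:resource
    // IAM role resources never contain ":", so splitting at most five times is safe
    // and keeps the resource field intact even if a stray colon were present.
    let fields = arn.split(separator: ":", maxSplits: 5, omittingEmptySubsequences: false)
    guard fields.count == 6,
          fields[0] == "arn",
          !fields[1].isEmpty,                       // partition: aws, aws-cn, aws-us-gov, ...
          fields[2] == "iam",
          fields[3].isEmpty,                        // IAM is global, so the region field is empty
          fields[4].count == 12,                    // 12-digit account id
          fields[4].allSatisfy({ $0.isNumber })
    else { return nil }

    // The resource must be a role, possibly with a path: role/<path>/<name>.
    let resource = fields[5]
    guard resource.hasPrefix("role/") else { return nil }

    // Split on "/" keeping empty pieces so a trailing "/" (missing name) is detected.
    let components = resource.split(separator: "/", omittingEmptySubsequences: false)
    guard components.count >= 2, let name = components.last, !name.isEmpty else { return nil }

    // IAM role names may not contain "/", so the last component is the whole name.
    return String(name)
}

// Constructed sample inputs mirroring the cases the PR's tests describe: plain role,
// service-role and nested paths, a non-default partition, and malformed ARNs.
let validCases: [(arn: String, expected: String)] = [
    ("arn:aws:iam::123456789012:role/my-function-role", "my-function-role"),
    ("arn:aws:iam::123456789012:role/service-role/my-function-role", "my-function-role"),
    ("arn:aws:iam::123456789012:role/team/a/b/deploy-role", "deploy-role"),
    ("arn:aws-us-gov:iam::123456789012:role/gov-role", "gov-role"),
]
let invalidCases: [String] = [
    "",
    "not-an-arn",
    "arn:aws:iam::123456789012:user/alice",        // an IAM user, not a role
    "arn:aws:iam::123456789012:role/",             // role prefix with no name
    "arn:aws:iam:us-east-1:123456789012:role/r",   // IAM ARNs carry no region
    "arn:aws:lambda:us-east-1:123456789012:function:fn",
]

for c in validCases {
    assert(roleName(fromARN: c.arn) == c.expected, "expected \(c.expected) for \(c.arn)")
}
for arn in invalidCases {
    assert(roleName(fromARN: arn) == nil, "expected nil for \(arn)")
}
print("roleName(fromARN:) sample checks passed")
```

Feeding the returned name to an IAM GetRole call, and treating a NoSuchEntity response as "the configured role is gone, stop before updating the code", is the verification step the PR adds; the parser above deliberately returns nil rather than a best-effort name on any malformed input so that a deploy never silently checks the wrong role.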

@sebsto sebsto added the 🔨 semver/patch No public API change. label Jun 29, 2026
@sebsto sebsto self-assigned this Jun 29, 2026
@sebsto sebsto merged commit e4bb09a into main Jun 29, 2026
103 of 104 checks passed
@sebsto sebsto deleted the fix/plugin_deploy branch June 29, 2026 08:12
@sebsto sebsto changed the title Fix: lambda-deploy update path now verifies the execution role exists [plugin] Fix: lambda-deploy update path now verifies the execution role exists Jun 29, 2026