feat(cdk): single source of truth for invocable Bedrock models, context-overridable (#433)

[isadeks]

Summary

Lowers the friction of choosing which Claude models the agent can use, and fixes a latent drift bug — without loosening the per-model least-privilege scoping.

Before: the invocable-model set was hardcoded in two places that had to stay identical by hand — the AgentCore runtime grantInvoke blocks in stacks/agent.ts and BEDROCK_MODEL_IDS in constructs/ecs-agent-cluster.ts (whose own comment said "kept in sync with the AgentCore runtime grants in agent.ts"). Adding a model meant editing CDK in two spots and redeploying; a repo pinned to an ungranted model (e.g. Opus 4.8) 403s at invoke.

After: one source of truth, constructs/bedrock-models.ts:

• DEFAULT_BEDROCK_MODEL_IDS — today's three (Sonnet 4.6, Opus 4, Haiku 4.5), unchanged default.
• resolveBedrockModelIds(node) — returns the bedrockModels CDK context array when set, else the default. Both grant sites derive from it, so the AgentCore runtime and ECS task role can't drift.

Operators add a model via cdk.json context (or -c bedrockModels='[…]') + redeploy — no construct edits.

Preserves the security posture (does NOT revert hardening)

ecs-agent-cluster.ts deliberately scopes Bedrock to explicit foundation-model + inference-profile ARNs (it replaced a Resource: '*' wildcard, with a regression test). This PR keeps that — the shared list still produces explicit per-model ARNs, never a wildcard. Account-level Bedrock model access remains the outer authorization gate. Malformed context (non-array / empty / non-string entries) fails synth loudly rather than silently granting nothing.

Tests

• bedrock-models.test.ts — resolver: default set, context override, and validation throws (non-array / empty / empty-string entry).
• ecs-agent-cluster.test.ts — new test: a bedrockModels context override changes the granted ARNs and never widens to *; existing "scoped, no wildcard" hardening test retained.
• Full mise //cdk:test: 122 suites / 2203 pass; mise //cdk:eslint clean.

Notes for reviewers

• Pure refactor of the grant source + new opt-in context; default behavior (the three models) is byte-for-byte unchanged in synth.
• Adding a brand-new model still requires the account to have Bedrock access enabled for it (separate from IAM) — documented in the /onboard-repo skill (see docs(onboarding): X-Ray gate, arm64/binfmt, failed-create teardown, and mise papercuts block first-time setup #431/docs(onboarding): operator-path fixes across QUICK_START + /setup + /onboard-repo skills #432).

Fixes #433

[krokoko]

Thanks for this — the refactor is clean and solves the real drift problem without loosening the per-model IAM scoping. A few notes from review:

Looks good

• Single source of truth in bedrock-models.ts with both grant sites deriving from resolveBedrockModelIds() — exactly what feat(cdk): make the runtime's invocable Bedrock model set stack-configurable (one list, not two hardcoded arrays) #433 asked for on the IAM side.
• Fail-fast validation on malformed context is a nice touch.
• ECS override test confirms replace-not-append behavior and that we still never widen to *.

Suggestions (non-blocking)

1. AgentStack test — Issue feat(cdk): make the runtime's invocable Bedrock model set stack-configurable (one list, not two hardcoded arrays) #433's acceptance criteria mention context-override propagation to both backends. The new ECS test covers one side; a matching AgentStack assertion (runtime execution role gets the override ARNs, defaults excluded) would close that loop.
2. Context ID format — The resolver expects bare foundation-model IDs (anthropic.claude-opus-4-8), not us.-prefixed inference-profile IDs. Worth calling out in docs (docs(skills): audit deploy/submit-task/troubleshoot/status — stale claims, node PATH, onboard path #435?) since the issue text used the us. form — operators following that example would synth invalid ARNs (us.us.…).
3. WORKFLOW_MODEL_ALLOWLIST — Still a third hardcoded list for workflow YAML admission. Doesn't block the repo onboard --model path (repo model_id isn't gated), but custom workflows pinning a newly added model would still fail at create-task. Might be worth a follow-up or a short comment in bedrock-models.ts.
4. Stale comment — workflows.ts still references BEDROCK_MODEL_IDS in ecs-agent-cluster.ts; could point at bedrock-models.ts after merge.

CI — integ-smoke failed on missing AWS credentials in the runner (infra flake), unrelated to this diff. Build/security checks passed.

Happy to approve once the AgentStack test lands (or if you prefer to track that as a fast follow-up). Nice work on keeping the security posture intact.

[isadeks]

Thanks for the thorough review! Addressed in the latest push (d6f2ee7):

1. AgentStack test (blocking) — added two tests in agent.test.ts: the runtime execution role gets the default model grants, and a bedrockModels context override propagates to the runtime (overridden model present, defaults absent, never *). Together with the existing ECS test, both backends are now covered per feat(cdk): make the runtime's invocable Bedrock model set stack-configurable (one list, not two hardcoded arrays) #433's acceptance criteria.
2. us.-prefix gotcha — turned it into a fail-fast: resolveBedrockModelIds now rejects region-prefixed IDs (us./eu./apac.) with a message pointing at the bare ID, since both grant sites derive the us.-profile ARN themselves (the us.us.… footgun you flagged). JSDoc clarified + test added. Good catch — the issue text's us. example would indeed have mis-synthed.
3. WORKFLOW_MODEL_ALLOWLIST — left as-is for this PR (it gates workflow-YAML admission, not the repo onboard --model path), but added a comment noting it's a separate hand-maintained list and that a custom workflow pinning a context-added model would still need it here. Consolidating it with bedrock-models.ts is worth a follow-up — happy to file one.
4. Stale comment — workflows.ts now points at bedrock-models.ts instead of the removed BEDROCK_MODEL_IDS.

Full //cdk:test is at 2206 passing. The integ-smoke red is the same OIDC-credentials infra flake. Ready for another look.