feat(bootstrap): ADR framework and least-privilege decision record

[scottschreckengaust]

Parent

Sub-issue 1 of #120 (RFC: Least-privilege CDK bootstrap policies as code)
Depends on: #129 (ADR framework + ADR-001 stacked PRs)

Branch strategy

feat/bootstrap-adr → targets feat/adr-framework

Estimated review time: ~15 min

Summary

Write ADR-002 documenting the design decisions from RFC #120 (least-privilege bootstrap policies). The ADR framework and docs/decisions/ directory are established by #129 — this issue only adds the decision record.

Deliverables

• Create docs/decisions/002-least-privilege-bootstrap-policies.md — records:
  • Why policies as code (not documentation-only)
  • Why triple-layer versioning (semver + hash + action-set)
  • Why Aspect + preflight (two-layer validation)
  • Why cdk/src/bootstrap/ location (agent routing, testability, co-location)
  • Why custom bootstrap template (single-command operator experience)
• Sync Starlight mirrors (mise //docs:sync)

Acceptance criteria

• ADR-002 captures the "why" behind all major design choices from RFC RFC: Least-privilege CDK bootstrap policies as code (with preflight validation) #120
• Follows the template established in docs/decisions/README.md (from feat(docs): ADR framework + ADR-001 stacked pull requests methodology #129)
• References ADR-001 (stacked PRs) as the delivery methodology
• Starlight mirrors are up to date
• mise run build passes

[mayakost]

LGTM