fix(cdk): self-guard resource names to prevent multi-stack collisions

[mayakost]

Summary

Port of aws-samples#70.

Fixes multi-stack name collisions by making each resource self-guard its own name length, rather than imposing a central `stackName` length limit.

Resource	Change
Runtime	``jean_cloude_${sanitizedStackName}``.slice(0, 48)`
Guardrail	``task-input-guardrail-${stackName}``.slice(0, 50)`
Memory	``bgagent_memory_${sanitizedStackName}``.slice(0, 48)`
Model Invocation Logging	Removed `onDelete` (account-level singleton) + removed `bedrock:DeleteModelInvocationLoggingConfiguration` from IAM policy
Gitleaks	Added allowlist for test fixture Slack signing secrets

Closes #1.

Build and test results

• `mise //cdk:compile` ✅ — TypeScript compilation passes

• `mise //cdk:test` (agent stack + agent-memory suites directly) ✅ — 45/45 tests pass

• Full `mise //cdk:test` — 1169/1170 tests pass; 1 pre-existing failure:

  `hydrateContext › excludes memory_context when memoryId is not provided` — fails because the CI container has `MEMORY_ID=bgagent_memory-U6LJ8JEx5K` set in the environment. The `context-hydration.ts` handler falls back to `process.env.MEMORY_ID` when no `memoryId` option is passed, so the test fails when `MEMORY_ID` is set. Running with `MEMORY_ID=` unset passes the test. This failure is pre-existing and unrelated to this PR.

• Initial `mise run build` was already failing before this PR (Python `botocore` type-check errors in `agent/`)

Decisions made

• Runtime and Memory names — invalid characters (non-alphanumeric, non-underscore) are replaced with `` to satisfy the AgentCore `[a-zA-Z0-9]` naming constraint.
• Guardrail name — the raw stackName is appended and sliced at 50 characters. CDK stack names are typically alphanumeric+hyphen, so no sanitization beyond slicing is needed.
• `onDelete` removal — tearing down one stack should not disable Bedrock model invocation logging for other stacks sharing the same account. The `bedrock:DeleteModelInvocationLoggingConfiguration` IAM action was also removed since it is no longer needed.
• Gitleaks — added `stopwords` allowlist entry for `test-signing-secret` to cover both `test-signing-secret` (in `slack-events.test.ts`) and `test-signing-secret-abc123` (in `slack-verify.test.ts`).

Agent notes

What went well

• The issue description was precise about which resources to fix and what the guard logic should be, making implementation straightforward.
• Existing tests were well-structured; all directly relevant tests passed without modification.
• Pre-existing test failure was quickly isolated to a container environment variable rather than code.

What was difficult

• `yarn` was not installed in the agent container; had to install via `npm install -g yarn --prefix /tmp/yarn-install`.
• The initial `mise run build` was already failing (Python `botocore` type errors in `agent/tests/`), unrelated to these changes.

Patterns discovered

• Resource name sanitization: `name.replace(/[^a-zA-Z0-9_]/g, '_').slice(0, N)` for underscore-based names.
• `MISE_EXPERIMENTAL=1` is required for namespaced tasks like `//cdk:compile`.
• Tests use CDK assertion pattern (`Template.fromStack`); handler tests are separate from construct tests.

Suggestions for future tasks

• Add tests asserting resource name length limits to guard against regressions.
• Pre-install `yarn` in the agent container to avoid the workaround.
• The `context-hydration.test.ts` test should clear `process.env.MEMORY_ID` in `beforeEach` to be environment-agnostic.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.