fix(stacks): self-guard resource names to prevent multi-stack collisions #5

Open
mayakost wants to merge 1 commit into main from bgagent/01KRGYAR749AY9J43NQ1A9NHEW/fix-self-guard-resource-names-to-prevent

@mayakost
Owner

Summary

Port of aws-samples/sample-autonomous-cloud-coding-agents#70 — fixes multi-stack name collisions by making each resource self-guard its own name length, rather than imposing a central stackName length limit.

Closes #1.

Changes

| Resource | Before | After |
| --- | --- | --- |
| Runtime (agentcore.Runtime) | jean_cloude (static) | `jean_cloude_${stackName}`.replace(/[^a-zA-Z0-9_-]/g, '_').slice(0, 48) |
| Guardrail (bedrock.Guardrail) | task-input-guardrail (static) | `task-input-guardrail-${stackName}`.slice(0, 50) |
| Memory (agentcore.Memory) | bgagent_memory (static) | `bgagent_memory_${stackName}`.replace(/[^a-zA-Z0-9_]/g, '_').slice(0, 48) |
| Model Invocation Logging | onCreate + onUpdate + onDelete | onDelete removed — account-level singleton must not be deleted on stack teardown |
| Gitleaks | | Added allowlist entry for test fixture signing secret in slack-verify.test.ts |

Build & Test Results

  • tsc --noEmit: ✅ passes (0 errors)
  • mise run security:secrets (gitleaks): ✅ passes (no leaks found)
  • jest (handler/shared tests): ✅ 467 passed, 1 pre-existing failure unrelated to this change (context-hydration edge case)
  • jest (bundled Lambda tests): ⚠️ 126 pre-existing failures — all fail with spawnSync yarn ENOENT because yarn is not on the system PATH during Jest's asset-bundling step. Confirmed pre-existing by running the same tests against main before applying changes.

Decisions

  • Guardrail sanitization: Guardrail names allow hyphens (-) so no character sanitization is needed, only .slice(0, 50). Runtime and Memory names restrict to [a-zA-Z0-9_] (no hyphens), so CDK stack names with hyphens are sanitized to underscores.
  • onDelete removal scope: Only the Bedrock model invocation logging onDelete is removed — it is a true account-level singleton. The DnsFirewall and Blueprint onDelete handlers are resource-scoped (per-VPC firewall config, per-repo DDB row) and are left untouched.
  • IAM policy: Removed bedrock:DeleteModelInvocationLoggingConfiguration from the policy statement since the action is no longer invoked.

Agent notes

What went well:

  • The issue description was precise with exact resource names, limits, and which changes to make
  • The gitleaks --report-path flag made it easy to identify the exact file/line triggering the detection
  • TypeScript compiled cleanly on the first attempt after all changes

What was difficult:

  • yarn is not on PATH in this environment — had to create a ~/bin/yarn wrapper to run yarn install and understand test failures. Many Jest test failures in construct tests are pre-existing infra issues, not regressions.
  • The background Jest run initially produced an empty output file; had to re-run synchronously to get results

Patterns discovered:

  • All resource name limits come from the respective AWS service APIs (AgentCore runtime: 48 chars, Bedrock guardrail: 50 chars, AgentCore memory: 48 chars)
  • The codebase uses mise //cdk:test as the canonical test command but it shells out to yarn test, requiring yarn in PATH
  • gitleaks allowlists use targetRules for rule-scoped allowlisting and paths for file-scoped scoping — both can be combined

Suggestions for future tasks:

  • Consider adding a yarn shim to the CI/dev container to unblock the Jest bundling tests
  • The 1 pre-existing context-hydration test failure (memoryId not provided path) may be worth investigating separately
  • A smoke-test deploying two stacks side-by-side would validate this change end-to-end

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.

Embed the stack name in account-scoped resource names so multiple CDK
stacks can coexist in the same AWS account without name collisions:

- Runtime: `jean_cloude_${stackName}` sanitized + .slice(0, 48)
- Guardrail: `task-input-guardrail-${stackName}` .slice(0, 50)
- Memory: `bgagent_memory_${stackName}` sanitized + .slice(0, 48)
- Model Invocation Logging: remove onDelete — account-level singleton;
  stack teardown must not delete the shared logging config
- Gitleaks: add allowlist entry for test fixture signing secret in
  slack-verify.test.ts (not a real credential)

Fixes #1.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Task-Id: 01KRGYAR749AY9J43NQ1A9NHEW
Prompt-Version: 1c9c10e027a2
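
Added example, not part of the PR or the project's code: the three name expressions from the Changes table, run over constructed stack names to show where sanitizing and truncating can still map two different stack names onto one resource name. `findNameCollisions`, `builders` and the sample stack names are hypothetical.

```typescript
// Added example: the name expressions are copied from the PR's Changes table.
interface Collision { resource: string; name: string; stacks: string[]; }

const builders: { [resource: string]: (stackName: string) => string } = {
  runtime: (s) => `jean_cloude_${s}`.replace(/[^a-zA-Z0-9_-]/g, '_').slice(0, 48),
  guardrail: (s) => `task-input-guardrail-${s}`.slice(0, 50),
  memory: (s) => `bgagent_memory_${s}`.replace(/[^a-zA-Z0-9_]/g, '_').slice(0, 48),
};

// Hypothetical helper: list every derived name that two or more stacks share.
function findNameCollisions(stackNames: string[]): Collision[] {
  const collisions: Collision[] = [];
  for (const resource of Object.keys(builders)) {
    const byName: { [name: string]: string[] } = {};
    for (const stack of stackNames) {
      const name = builders[resource](stack);
      (byName[name] = byName[name] || []).push(stack);
    }
    for (const name of Object.keys(byName)) {
      if (byName[name].length > 1) {
        collisions.push({ resource, name, stacks: byName[name] });
      }
    }
  }
  return collisions;
}

// Constructed stack names (assumptions, not from the project).
const sampleStacks = [
  'bgagent-dev',   // differs from the next name only by '-' vs '_'
  'bgagent_dev',
  'platform-team-background-agent-production-us-east-1', // 51 chars
  'platform-team-background-agent-production-us-west-2', // same first 45 chars
];

for (const c of findNameCollisions(sampleStacks)) {
  console.log(`${c.resource}: "${c.name}" <- ${c.stacks.join(', ')}`);
}
```

Running the same check over the stack names planned for one account, before deploying, shows whether any pair ends up with a shared derived name.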