feat(bootstrap): resource-action-map for synth-time validation

[scottschreckengaust]

Summary

Closes #124
Closes #164

Creates a mapping from CloudFormation resource types to required IAM actions (CRUD lifecycle), scoped to all resource types in this app's synthesized template. Introduces getRequiredBootstrapPolicies() for downstream consumption by the Aspect (#125) and preflight validator (#126). Gates ECS construct on compute_type context variable (replaces comment toggle).

Stack position

PR 5 for #120 — least-privilege CDK bootstrap policies as code

Prior: Custom template generator + compute variants (PR #162, #123)

This PR: Resource-action-map + ECS context gate + required-policies module

Next: CDK Aspect for policy envelope checking (#125)

Key decisions

• ECS context gate (refactor(compute): gate ECS construct on compute_type context instead of comment toggle #164): Construct is always in source, compute_type governs synthesis — no commenting/uncommenting
• getRequiredBootstrapPolicies(computeType): Single function declaring what the app needs, consumed by Aspect and preflight
• Dual-config synth-coverage test: Validates map completeness for both agentcore and ecs configurations
• Map scoped to this app resources (~60 types): Unknown types produce warnings, not errors
• All map actions within configured policy set: Test enforces the map never requires more than policies allow

Deliverables

• Gate ECS construct on compute_type context (refactor(compute): gate ECS construct on compute_type context instead of comment toggle #164)
• cdk/src/bootstrap/required-policies.ts
• cdk/src/bootstrap/preflight/resource-action-map.ts
• cdk/src/bootstrap/preflight/index.ts
• Tests: required-policies, resource-action-map, dual-config synth-coverage
• Investigate SQS gap (queue/policy in template, no SQS actions in policies)

Test plan

• All existing CDK tests pass
• Map covers all resource types in both synth configurations
• All mapped actions exist in the combined policy set (wildcard-aware)
• getRequiredBootstrapPolicies returns correct sets for each compute type
• tsc --noEmit compiles cleanly
• No circular imports between preflight/ and policies/

Open questions

• SQS: AWS::SQS::Queue is in the template but no policy has SQS actions — needs investigation (may require policy update + version bump)

Implementation plan

See: docs/superpowers/plans/2026-05-21-resource-action-map.md

Blocked by: #123 (PR #162)
References: RFC #120, ADR-002

🤖 Generated with Claude Code

[scottschreckengaust]

┌─────────┬──────┬───────────────────────────────────────────┐
│ Commit  │ Task │                   What                    │
├─────────┼──────┼───────────────────────────────────────────┤
│ d3a9804 │ 0    │ ECS context gate (closes #164)            │
├─────────┼──────┼───────────────────────────────────────────┤
│ 5ed8db3 │ 1    │ getRequiredBootstrapPolicies(computeType) │
├─────────┼──────┼───────────────────────────────────────────┤
│ 83099e1 │ 2    │ Resource-action-map (57 CF types)         │
├─────────┼──────┼───────────────────────────────────────────┤
│ ed0cf6b │ 3    │ Dual-config synth-coverage test           │
└─────────┴──────┴───────────────────────────────────────────┘

Note: this branch currently sits on top of feat/bootstrap-template (#162). When #162 merges to main, I'll retarget and rebase per ADR-001 §8 — the scaffold commit
(f46cfb7) will be skippable and the #123 commits will drop out, leaving just the 4 clean #124 commits on main.