feat: add FargateAgentStack as alternative compute backend

Add a new CDK stack that runs autonomous coding agents on AWS Fargate,
orchestrated by Step Functions, as an alternative to AgentCore Runtime.

Key changes:
- Expose shared resources from AgentStack as public properties
- Add FargateAgentCluster construct (ECS cluster, task def, ARM64 container)
- Add TaskStepFunction construct (Step Functions state machine with
  Load → Admit → Hydrate → Transition → RunFargate → Finalize flow)
- Add 6 thin Lambda handlers for Step Functions steps
- Add VPC endpoints for ECS and Step Functions
- Wire FargateAgentStack into main.ts alongside existing AgentStack
- Self-install trivy in security:image task to avoid GitHub API rate limits

Author: MichaelWalker-git

.github/workflows/build.yml

@@ -80,7 +80,7 @@ const project = new awscdk.AwsCdkTypeScriptApp({
   ],
   buildWorkflowOptions: {
     env: {
-      GITHUB_TOKEN: '${{ secrets.PROJEN_GITHUB_TOKEN }}',
+      GITHUB_TOKEN: '${{ secrets.PROJEN_GITHUB_TOKEN || github.token }}',
     },
   },
   gitignore: [

.projenrc.ts

@@ -7,7 +7,6 @@ semgrep = "latest"
 uv = "latest"
 "grype" = "0.109.0"
 osv-scanner = "latest"
-"aqua:aquasecurity/trivy" = "0.69.2"
 
 [env]
 _.python.venv = { path = ".venv", create = true }
@@ -75,10 +74,15 @@ run = [
 
 [tasks."security:image"]
 description = "Scan container image with trivy"
-run = [
-  "docker image inspect bgagent-local:latest >/dev/null 2>&1 || (ARCH=\"$(uname -m)\"; PLATFORM=\"linux/arm64\"; if [ \"$ARCH\" = \"x86_64\" ]; then PLATFORM=\"linux/amd64\"; fi; docker build --build-arg TARGETPLATFORM=\"$PLATFORM\" --build-arg CACHE_BUST=\"$(date +%s)\" -t bgagent-local:latest .)",
-  "trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --severity HIGH,CRITICAL --exit-code 1 bgagent-local:latest",
-]
+run = '''
+#!/usr/bin/env bash
+set -euo pipefail
+TRIVY_VERSION=v0.69.2
+export PATH="$HOME/.local/bin:$PATH"
+command -v trivy >/dev/null 2>&1 || (mkdir -p "$HOME/.local/bin" && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b "$HOME/.local/bin" "$TRIVY_VERSION")
+docker image inspect bgagent-local:latest >/dev/null 2>&1 || (ARCH="$(uname -m)"; PLATFORM="linux/arm64"; if [ "$ARCH" = "x86_64" ]; then PLATFORM="linux/amd64"; fi; docker build --build-arg TARGETPLATFORM="$PLATFORM" --build-arg CACHE_BUST="$(date +%s)" -t bgagent-local:latest .)
+trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --severity HIGH,CRITICAL --exit-code 1 bgagent-local:latest
+'''
 
 [tasks.quality]
 description = "Run quality checks"

agent/mise.toml

@@ -134,6 +134,10 @@ export class AgentVpc extends Construct {
       { id: 'BedrockRuntimeEndpoint', service: ec2.InterfaceVpcEndpointAwsService.BEDROCK_RUNTIME },
       { id: 'StsEndpoint', service: ec2.InterfaceVpcEndpointAwsService.STS },
       { id: 'XRayEndpoint', service: ec2.InterfaceVpcEndpointAwsService.XRAY },
+      { id: 'EcsEndpoint', service: ec2.InterfaceVpcEndpointAwsService.ECS },
+      { id: 'EcsAgentEndpoint', service: ec2.InterfaceVpcEndpointAwsService.ECS_AGENT },
+      { id: 'EcsTelemetryEndpoint', service: ec2.InterfaceVpcEndpointAwsService.ECS_TELEMETRY },
+      { id: 'StepFunctionsEndpoint', service: ec2.InterfaceVpcEndpointAwsService.STEP_FUNCTIONS },
     ];
 
     for (const ep of interfaceEndpoints) {