feat(compute): add ComputeStrategy interface with ECS Fargate backend (#8)

* feat(orchestrator): extract ComputeStrategy interface from hardcoded AgentCore logic

Introduce ComputeStrategy interface with SessionHandle/SessionStatus types
and resolveComputeStrategy factory. Extract AgentCoreComputeStrategy from
orchestrator.ts. Refactor orchestrate-task handler to use strategy pattern
for session lifecycle (start/poll/stop). Pure refactor — no behavior change,
identical CloudFormation output.

* fix(ci): pass GITHUB_TOKEN to mise to avoid API rate limits

The mise install step downloads tools (trivy) from GitHub releases.
Without GITHUB_TOKEN, unauthenticated requests hit the 60 req/hr
rate limit, causing flaky CI failures.

* fix(ci): set GITHUB_API_TOKEN for mise tool downloads

Mise uses GITHUB_API_TOKEN (not GITHUB_TOKEN) for authenticated
GitHub API requests when downloading aqua tools like trivy.

* fix(ci): disable security-only tools in build workflow

Trivy, grype, semgrep, osv-scanner, and gitleaks are only needed for
security scanning tasks, not for the build/test/synth pipeline. Disable
them via MISE_DISABLE_TOOLS to avoid GitHub API rate limits when mise
tries to download them on every PR build.

* fix: address PR review comments

- Keep gitleaks and osv-scanner enabled in CI build (only disable
  trivy/grype/semgrep which need GitHub API downloads)
- Remove unused @aws-sdk/client-bedrock-agentcore mock from
  orchestrate-task.test.ts (SDK is no longer imported by orchestrator)
- Update PR description to note additive strategy_type event field

* fix: address Alain's PR review findings

1. Single source of truth for runtimeArn — removed constructor param,
   strategy now reads exclusively from blueprintConfig.runtime_arn
2. Lazy singleton for BedrockAgentCoreClient — module-level shared
   client avoids creating new TLS sessions per invocation
3. ComputeType union type ('agentcore' | 'ecs') with exhaustive switch
   and never-pattern in resolveComputeStrategy
4. Differentiated error handling in stopSession — ResourceNotFoundException
   (info), ThrottlingException/AccessDeniedException (error), others (warn)
5. Added logger.info('Session started') after full invoke+transition+event
   sequence in orchestrate-task.ts
6. Added start-session-composition.test.ts with integration tests for
   happy path, error path (failTask), and partial failure (transitionTask throws)
7. pollSession now throws NotImplementedError instead of returning stale
   'running' status — clear signal for future developers

* fix: resolve ESLint errors in test files

- Replace require() with ES import for BedrockAgentCoreClient mock
- Fix import ordering in start-session-composition test

* feat(compute): implement ECS Fargate backend via ComputeStrategy pattern

Wire ECS Fargate as a compute backend behind the existing ComputeStrategy
interface, using the existing durable Lambda orchestrator. No separate
stacks or Step Functions — ECS is a strategy option alongside AgentCore.

Changes:
- EcsComputeStrategy: startSession (RunTask), pollSession (DescribeTasks
  state mapping), stopSession (StopTask with graceful error handling)
- EcsAgentCluster construct: ECS Cluster (container insights), Fargate
  task def (2 vCPU/4GB/ARM64), security group (TCP 443 egress only),
  CloudWatch log group, task role (DynamoDB, SecretsManager, Bedrock)
- TaskOrchestrator: optional ECS props for env vars and IAM policies
  (ecs:RunTask/DescribeTasks/StopTask conditioned on cluster ARN,
  iam:PassRole conditioned on ecs-tasks.amazonaws.com)
- Orchestrator polling: ECS compute-level crash detection alongside
  existing DDB polling (non-fatal, wrapped in try/catch)
- AgentStack: conditional ECS infrastructure (ABCA_ENABLE_ECS env var)
- Full test coverage: 15 ECS strategy tests, 9 construct tests,
  5 orchestrator ECS tests. All 563 tests pass.

Deployed and verified: stack deploys cleanly, CDK synth passes cdk-nag,
agent task running on AgentCore path unaffected.

* fix: address Copilot PR review comments on PR #8

- Keep gitleaks/osv-scanner enabled in CI (only disable trivy/grype/semgrep)
- Type ComputeStrategy.type and SessionHandle.strategyType as ComputeType
- Trim/filter ECS_SUBNETS to handle whitespace and trailing commas
- Handle undefined exit code in ECS pollSession (container never started)
- Scope iam:PassRole to specific ECS task/execution role ARNs
- Validate all-or-nothing ECS props in TaskOrchestrator constructor
- Remove dead hasEcsBlueprint detection; document env-flag driven approach
- Add comment noting strategy_type as additive event field

* fix: remove duplicate ECS validation block after rebase

* fix: remove local-docs from repo and add to .gitignore

* fix(ecs): override container command to run agent in batch mode

The ECS container's default CMD starts uvicorn server:app which waits
for HTTP POST to /invocations — but in standalone ECS nobody sends that
request, leaving the agent idle. Override the container command to invoke
entrypoint.run_task() directly with the full orchestrator payload via
AGENT_PAYLOAD env var. Also add GITHUB_TOKEN_SECRET_ARN to the ECS task
definition base environment.

* chore(pr): address review

* chore(project): update docs

---------

Co-authored-by: bgagent <bgagent@noreply.github.com>

Author: MichaelWalker-git

.github/workflows/build.yml

@@ -18,6 +18,7 @@
     "@aws-cdk/mixins-preview": "2.238.0-alpha.0",
     "@aws-sdk/client-bedrock-agentcore": "^3.1021.0",
     "@aws-sdk/client-bedrock-runtime": "^3.1021.0",
+    "@aws-sdk/client-ecs": "^3.1021.0",
     "@aws-sdk/client-dynamodb": "^3.1021.0",
     "@aws-sdk/client-lambda": "^3.1021.0",
     "@aws-sdk/client-secrets-manager": "^3.1021.0",

.gitignore

@@ -0,0 +1,156 @@
+/**
+ *  MIT No Attribution
+ *
+ *  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ *  Permission is hereby granted, free of charge, to any person obtaining a copy of
+ *  the Software without restriction, including without limitation the rights to
+ *  use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ *  the Software, and to permit persons to whom the Software is furnished to do so.
+ *
+ *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ *  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ *  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ *  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ *  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ *  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ *  SOFTWARE.
+ */
+
+import { RemovalPolicy } from 'aws-cdk-lib';
+import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as ecr_assets from 'aws-cdk-lib/aws-ecr-assets';
+import * as ecs from 'aws-cdk-lib/aws-ecs';
+import * as iam from 'aws-cdk-lib/aws-iam';
+import * as logs from 'aws-cdk-lib/aws-logs';
+import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
+import { NagSuppressions } from 'cdk-nag';
+import { Construct } from 'constructs';
+
+export interface EcsAgentClusterProps {
+  readonly vpc: ec2.IVpc;
+  readonly agentImageAsset: ecr_assets.DockerImageAsset;
+  readonly taskTable: dynamodb.ITable;
+  readonly taskEventsTable: dynamodb.ITable;
+  readonly userConcurrencyTable: dynamodb.ITable;
+  readonly githubTokenSecret: secretsmanager.ISecret;
+  readonly memoryId?: string;
+}
+
+export class EcsAgentCluster extends Construct {
+  public readonly cluster: ecs.Cluster;
+  public readonly taskDefinition: ecs.FargateTaskDefinition;
+  public readonly securityGroup: ec2.SecurityGroup;
+  public readonly containerName: string;
+  public readonly taskRoleArn: string;
+  public readonly executionRoleArn: string;
+
+  constructor(scope: Construct, id: string, props: EcsAgentClusterProps) {
+    super(scope, id);
+
+    this.containerName = 'AgentContainer';
+
+    // ECS Cluster with Fargate capacity provider and container insights
+    this.cluster = new ecs.Cluster(this, 'Cluster', {
+      vpc: props.vpc,
+      containerInsights: true,
+    });
+
+    // Security group — egress TCP 443 only
+    this.securityGroup = new ec2.SecurityGroup(this, 'TaskSG', {
+      vpc: props.vpc,
+      description: 'ECS Agent Tasks - egress TCP 443 only',
+      allowAllOutbound: false,
+    });
+
+    this.securityGroup.addEgressRule(
+      ec2.Peer.anyIpv4(),
+      ec2.Port.tcp(443),
+      'Allow HTTPS egress (GitHub API, AWS services)',
+    );
+
+    // CloudWatch log group for agent task output
+    const logGroup = new logs.LogGroup(this, 'TaskLogGroup', {
+      retention: logs.RetentionDays.THREE_MONTHS,
+      removalPolicy: RemovalPolicy.DESTROY,
+    });
+
+    // Task execution role (used by ECS agent to pull images, write logs)
+    // CDK creates this automatically via taskDefinition, but we need to
+    // grant additional permissions to the task role.
+
+    // Fargate task definition
+    this.taskDefinition = new ecs.FargateTaskDefinition(this, 'TaskDef', {
+      cpu: 2048,
+      memoryLimitMiB: 4096,
+      runtimePlatform: {
+        cpuArchitecture: ecs.CpuArchitecture.ARM64,
+        operatingSystemFamily: ecs.OperatingSystemFamily.LINUX,
+      },
+    });
+
+    // Container
+    this.taskDefinition.addContainer(this.containerName, {
+      image: ecs.ContainerImage.fromDockerImageAsset(props.agentImageAsset),
+      logging: ecs.LogDrivers.awsLogs({
+        logGroup,
+        streamPrefix: 'agent',
+      }),
+      environment: {
+        CLAUDE_CODE_USE_BEDROCK: '1',
+        TASK_TABLE_NAME: props.taskTable.tableName,
+        TASK_EVENTS_TABLE_NAME: props.taskEventsTable.tableName,
+        USER_CONCURRENCY_TABLE_NAME: props.userConcurrencyTable.tableName,
+        LOG_GROUP_NAME: logGroup.logGroupName,
+        GITHUB_TOKEN_SECRET_ARN: props.githubTokenSecret.secretArn,
+        ...(props.memoryId && { MEMORY_ID: props.memoryId }),
+      },
+    });
+
+    // Task role permissions
+    const taskRole = this.taskDefinition.taskRole;
+
+    // DynamoDB read/write on task tables
+    props.taskTable.grantReadWriteData(taskRole);
+    props.taskEventsTable.grantReadWriteData(taskRole);
+    props.userConcurrencyTable.grantReadWriteData(taskRole);
+
+    // Secrets Manager read for GitHub token
+    props.githubTokenSecret.grantRead(taskRole);
+
+    // Bedrock model invocation
+    taskRole.addToPrincipalPolicy(new iam.PolicyStatement({
+      actions: [
+        'bedrock:InvokeModel',
+        'bedrock:InvokeModelWithResponseStream',
+      ],
+      resources: ['*'],
+    }));
+
+    // CloudWatch Logs write
+    logGroup.grantWrite(taskRole);
+
+    // Expose role ARNs for scoped iam:PassRole in the orchestrator
+    this.taskRoleArn = taskRole.roleArn;
+    this.executionRoleArn = this.taskDefinition.executionRole!.roleArn;
+
+    NagSuppressions.addResourceSuppressions(this.taskDefinition, [
+      {
+        id: 'AwsSolutions-IAM5',
+        reason: 'DynamoDB index/* wildcards generated by CDK grantReadWriteData; Bedrock InvokeModel requires * resource; Secrets Manager wildcards from CDK grantRead; CloudWatch Logs wildcards from CDK grantWrite',
+      },
+      {
+        id: 'AwsSolutions-ECS2',
+        reason: 'Environment variables contain table names and configuration, not secrets — GitHub token is fetched from Secrets Manager at runtime',
+      },
+    ], true);
+
+    NagSuppressions.addResourceSuppressions(this.cluster, [
+      {
+        id: 'AwsSolutions-ECS4',
+        reason: 'Container insights is enabled via the containerInsights prop',
+      },
+    ], true);
+  }
+}

cdk/package.json

@@ -100,6 +100,12 @@ export interface TaskApiProps {
    * First ARN is also passed as `RUNTIME_ARN` when the task record has no `agent_runtime_arn`.
    */
   readonly agentCoreStopSessionRuntimeArns?: string[];
+
+  /**
+   * ECS cluster ARN for cancel-task to stop ECS-backed tasks.
+   * When provided, the cancel Lambda gets `ECS_CLUSTER_ARN` env var and `ecs:StopTask` permission.
+   */
+  readonly ecsClusterArn?: string;
 }
 
 /**
@@ -329,6 +335,9 @@ export class TaskApi extends Construct {
     if (stopSessionArns.length > 0) {
       cancelTaskEnv.RUNTIME_ARN = stopSessionArns[0]!;
     }
+    if (props.ecsClusterArn) {
+      cancelTaskEnv.ECS_CLUSTER_ARN = props.ecsClusterArn;
+    }
 
     const cancelTaskFn = new lambda.NodejsFunction(this, 'CancelTaskFn', {
       entry: path.join(handlersDir, 'cancel-task.ts'),
@@ -363,6 +372,18 @@ export class TaskApi extends Construct {
       }));
     }
 
+    if (props.ecsClusterArn) {
+      cancelTaskFn.addToRolePolicy(new iam.PolicyStatement({
+        actions: ['ecs:StopTask'],
+        resources: ['*'],
+        conditions: {
+          ArnEquals: {
+            'ecs:cluster': props.ecsClusterArn,
+          },
+        },
+      }));
+    }
+
     // Repo table read for onboarding gate
     if (props.repoTable) {
       props.repoTable.grantReadData(createTaskFn);

cdk/src/constructs/ecs-agent-cluster.ts

@@ -112,6 +112,21 @@ export interface TaskOrchestratorProps {
    * Bedrock Guardrail version. Required when guardrailId is provided.
    */
   readonly guardrailVersion?: string;
+
+  /**
+   * ECS Fargate compute strategy configuration.
+   * When provided, ECS-related env vars and IAM policies are added to the orchestrator.
+   * All fields are required — this makes the all-or-nothing constraint self-evident at the type level.
+   */
+  readonly ecsConfig?: {
+    readonly clusterArn: string;
+    readonly taskDefinitionArn: string;
+    readonly subnets: string;
+    readonly securityGroup: string;
+    readonly containerName: string;
+    readonly taskRoleArn: string;
+    readonly executionRoleArn: string;
+  };
 }
 
 /**
@@ -173,6 +188,13 @@ export class TaskOrchestrator extends Construct {
         ...(props.memoryId && { MEMORY_ID: props.memoryId }),
         ...(props.guardrailId && { GUARDRAIL_ID: props.guardrailId }),
         ...(props.guardrailVersion && { GUARDRAIL_VERSION: props.guardrailVersion }),
+        ...(props.ecsConfig && {
+          ECS_CLUSTER_ARN: props.ecsConfig.clusterArn,
+          ECS_TASK_DEFINITION_ARN: props.ecsConfig.taskDefinitionArn,
+          ECS_SUBNETS: props.ecsConfig.subnets,
+          ECS_SECURITY_GROUP: props.ecsConfig.securityGroup,
+          ECS_CONTAINER_NAME: props.ecsConfig.containerName,
+        }),
       },
       bundling: {
         externalModules: ['@aws-sdk/*'],
@@ -213,6 +235,33 @@ export class TaskOrchestrator extends Construct {
       resources: runtimeResources,
     }));
 
+    // ECS compute strategy permissions (only when ECS is configured)
+    if (props.ecsConfig) {
+      this.fn.addToRolePolicy(new iam.PolicyStatement({
+        actions: [
+          'ecs:RunTask',
+          'ecs:DescribeTasks',
+          'ecs:StopTask',
+        ],
+        resources: ['*'],
+        conditions: {
+          ArnEquals: {
+            'ecs:cluster': props.ecsConfig.clusterArn,
+          },
+        },
+      }));
+
+      this.fn.addToRolePolicy(new iam.PolicyStatement({
+        actions: ['iam:PassRole'],
+        resources: [props.ecsConfig.taskRoleArn, props.ecsConfig.executionRoleArn],
+        conditions: {
+          StringEquals: {
+            'iam:PassedToService': 'ecs-tasks.amazonaws.com',
+          },
+        },
+      }));
+    }
+
     // Per-repo Secrets Manager grants (e.g. per-repo GitHub tokens from Blueprints)
     for (const [index, secretArn] of (props.additionalSecretArns ?? []).entries()) {
       const secret = secretsmanager.Secret.fromSecretCompleteArn(
@@ -264,7 +313,7 @@ export class TaskOrchestrator extends Construct {
       },
       {
         id: 'AwsSolutions-IAM5',
-        reason: 'DynamoDB index/* wildcards generated by CDK grantReadWriteData; AgentCore runtime/* required for sub-resource invocation; Secrets Manager wildcards generated by CDK grantRead; AgentCore Memory wildcards generated by CDK grantRead/grantWrite',
+        reason: 'DynamoDB index/* wildcards generated by CDK grantReadWriteData; AgentCore runtime/* required for sub-resource invocation; Secrets Manager wildcards generated by CDK grantRead; AgentCore Memory wildcards generated by CDK grantRead/grantWrite; ECS RunTask/DescribeTasks/StopTask conditioned on cluster ARN; iam:PassRole scoped to ECS task/execution roles and conditioned on ecs-tasks.amazonaws.com',
       },
     ], true);
   }

cdk/src/constructs/task-api.ts

@@ -19,6 +19,7 @@
 
 import { BedrockAgentCoreClient, StopRuntimeSessionCommand } from '@aws-sdk/client-bedrock-agentcore';
 import { DynamoDBClient } from '@aws-sdk/client-dynamodb';
+import { ECSClient, StopTaskCommand } from '@aws-sdk/client-ecs';
 import { DynamoDBDocumentClient, GetCommand, PutCommand, UpdateCommand } from '@aws-sdk/lib-dynamodb';
 import type { APIGatewayProxyEvent, APIGatewayProxyResult } from 'aws-lambda';
 import { ulid } from 'ulid';
@@ -31,10 +32,12 @@ import { computeTtlEpoch } from './shared/validation';
 
 const ddb = DynamoDBDocumentClient.from(new DynamoDBClient({}));
 const agentCoreClient = new BedrockAgentCoreClient({});
+const ecsClient = new ECSClient({});
 const TABLE_NAME = process.env.TASK_TABLE_NAME!;
 const EVENTS_TABLE_NAME = process.env.TASK_EVENTS_TABLE_NAME!;
 const TASK_RETENTION_DAYS = Number(process.env.TASK_RETENTION_DAYS ?? '90');
 const RUNTIME_ARN = process.env.RUNTIME_ARN;
+const ECS_CLUSTER_ARN = process.env.ECS_CLUSTER_ARN;
 
 /**
  * DELETE /v1/tasks/{task_id} — Cancel a task.
@@ -107,19 +110,57 @@ export async function handler(event: APIGatewayProxyEvent): Promise<APIGatewayPr
       throw condErr;
     }
 
-    // 6b. Stop AgentCore runtime session so the container winds down (best-effort)
-    if (wasRunning && runtimeSessionId && agentRuntimeArn) {
-      try {
-        await agentCoreClient.send(new StopRuntimeSessionCommand({
-          runtimeSessionId: runtimeSessionId,
-          agentRuntimeArn: agentRuntimeArn,
-        }));
-        logger.info('StopRuntimeSession invoked after cancel', { task_id: taskId, request_id: requestId });
-      } catch (stopErr) {
-        logger.warn('StopRuntimeSession failed after cancel (session may already be gone)', {
+    // 6b. Stop the compute session so the container winds down (best-effort)
+    if (wasRunning && runtimeSessionId) {
+      const computeType = record.compute_type;
+      if (computeType === 'ecs') {
+        // ECS-backed task — stop the Fargate task
+        const clusterArn = record.compute_metadata?.clusterArn ?? ECS_CLUSTER_ARN;
+        const taskArn = record.compute_metadata?.taskArn;
+        if (clusterArn && taskArn) {
+          try {
+            await ecsClient.send(new StopTaskCommand({
+              cluster: clusterArn,
+              task: taskArn,
+              reason: 'Cancelled by user',
+            }));
+            logger.info('ECS StopTask invoked after cancel', { task_id: taskId, ecs_task_arn: taskArn, request_id: requestId });
+          } catch (stopErr) {
+            logger.warn('ECS StopTask failed after cancel (task may already be stopped)', {
+              task_id: taskId,
+              request_id: requestId,
+              error: stopErr instanceof Error ? stopErr.message : String(stopErr),
+            });
+          }
+        } else {
+          logger.warn('ECS task cancel skipped: missing clusterArn or taskArn in compute_metadata', {
+            task_id: taskId,
+            request_id: requestId,
+            has_cluster: !!clusterArn,
+            has_task: !!taskArn,
+          });
+        }
+      } else if (agentRuntimeArn) {
+        // AgentCore-backed task (default)
+        try {
+          await agentCoreClient.send(new StopRuntimeSessionCommand({
+            runtimeSessionId: runtimeSessionId,
+            agentRuntimeArn: agentRuntimeArn,
+          }));
+          logger.info('StopRuntimeSession invoked after cancel', { task_id: taskId, request_id: requestId });
+        } catch (stopErr) {
+          logger.warn('StopRuntimeSession failed after cancel (session may already be gone)', {
+            task_id: taskId,
+            request_id: requestId,
+            error: stopErr instanceof Error ? stopErr.message : String(stopErr),
+          });
+        }
+      } else {
+        logger.warn('Running task has no recognized compute backend to stop', {
           task_id: taskId,
           request_id: requestId,
-          error: stopErr instanceof Error ? stopErr.message : String(stopErr),
+          compute_type: computeType,
+          has_runtime_arn: !!agentRuntimeArn,
         });
       }
     }