docs: add least-privilege deployment roles and deployment guide

Add DEPLOYMENT_ROLES.md with least-privilege IAM policies for the
CloudFormation execution role (IaCRole-AgentCore and IaCRole-Fargate),
derived from analysis of all CDK constructs and handler code.

Add DEPLOYMENT_GUIDE.md covering deployment choices, step-by-step
setup, scale-to-zero analysis, and complete AWS services inventory.

Update COST_MODEL.md with accurate VPC endpoint count (11, not 7),
additional always-on costs (WAF, dashboard, alarms, secrets), and
scale-to-zero characteristics section. Baseline updated from ~$85-90
to ~$118-122/month.

Update ARCHITECTURE.md cross-reference table with new documents.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: scottschreckengaust

docs/design/ARCHITECTURE.md

@@ -202,6 +202,9 @@ Each concept has a **source-of-truth document** and one or more documents that r
 | Adaptive model router | ROADMAP.md (Iter 5) | COST_MODEL.md |
 | Capability-based security | ROADMAP.md (Iter 5) | SECURITY.md |
 | Live session replay | ROADMAP.md (Iter 4) | API_CONTRACT.md |
+| Deployment roles and least-privilege IaC | DEPLOYMENT_ROLES.md | SECURITY.md, COST_MODEL.md, Deployment guide |
+| Scale-to-zero and idle cost analysis | Deployment guide (Scale-to-zero analysis) | COST_MODEL.md, NETWORK_ARCHITECTURE.md |
+| AWS services inventory | Deployment guide (AWS services inventory) | COMPUTE.md, NETWORK_ARCHITECTURE.md |
 
 ### Per-repo model selection
 

docs/design/COST_MODEL.md

@@ -11,12 +11,22 @@ These costs are incurred regardless of task volume:
 | Component | Estimated cost | Notes |
 |---|---|---|
 | NAT Gateway (1×) | ~$32/month | Fixed hourly cost + data processing. Single AZ (see [NETWORK_ARCHITECTURE.md](./NETWORK_ARCHITECTURE.md)). |
-| VPC Interface Endpoints (7×) | ~$50/month | $0.01/hr per endpoint per AZ. |
+| VPC Interface Endpoints (11×, 2 AZs) | ~$77/month | $0.01/hr per endpoint per AZ. 7 base + 4 Fargate-specific (ECS, ECS Agent, ECS Telemetry, Step Functions). |
 | VPC Flow Logs | ~$3/month | CloudWatch ingestion. |
+| WAF v2 Web ACL | ~$5/month | Base monthly charge for web ACL + managed rule groups. |
+| CloudWatch Dashboard | ~$3/month | Per-dashboard charge. |
 | DynamoDB (on-demand, idle) | ~$0/month | Pay-per-request; no cost when idle. |
+| Secrets Manager | ~$0.40/secret/month | Per-secret monthly charge. |
+| CloudWatch Alarms | ~$0.10/alarm/month | Per standard alarm. |
 | CloudWatch Logs retention | ~$1–5/month | Depends on log volume. 90-day retention. |
 | API Gateway (idle) | ~$0/month | Pay-per-request. |
-| **Total baseline** | **~$85–90/month** | |
+| **Total baseline** | **~$118–122/month** | |
+
+If deploying AgentCore only (no Fargate stack), the 4 Fargate-specific VPC endpoints can be removed, reducing the baseline to ~$90–95/month.
+
+### Scale-to-zero characteristics
+
+Most platform components are fully serverless and incur zero cost when idle: DynamoDB (PAY_PER_REQUEST), Lambda, API Gateway, Step Functions, ECS Fargate (cluster is free), AgentCore Runtime (per-session), Bedrock (per-token), and Cognito (free tier). The always-on cost floor (~$118/month) is dominated by VPC networking infrastructure (NAT Gateway + interface endpoints) which is required for private subnet connectivity to AWS services and GitHub. See the [Deployment guide](../guides/DEPLOYMENT_GUIDE.md) for the full scale-to-zero breakdown.
 
 ## Per-task variable costs
 
@@ -85,6 +95,8 @@ For multi-user deployments, cost should be attributable to individual users and
 
 ## Reference
 
+- [Deployment guide](../guides/DEPLOYMENT_GUIDE.md) — Deployment choices, scale-to-zero analysis, AWS services inventory.
+- [DEPLOYMENT_ROLES.md](./DEPLOYMENT_ROLES.md) — Least-privilege IAM policies for deployment.
 - [NETWORK_ARCHITECTURE.md](./NETWORK_ARCHITECTURE.md) — VPC infrastructure cost breakdown.
 - [ORCHESTRATOR.md](./ORCHESTRATOR.md) — Polling cost analysis.
 - [COMPUTE.md](./COMPUTE.md) — Compute option billing models.