fix(screenshot): krokoko PR-241 review — scope IAM + cosmetic Vercel mention

Closes aws-samples#94 (the existing 'scope IAM down from bedrock-agentcore:*'
followup task).

Addresses krokoko's PR aws-samples#241 review:

1. (BLOCKING per review #1) IAM action wildcard — narrow
   bedrock-agentcore:* to the three calls the screenshot processor
   actually makes:
   - StartBrowserSession (control plane, public CLI command)
   - StopBrowserSession (control plane, public CLI command)
   - ConnectBrowserAutomationStream (SigV4-presigned WSS dial; not
     in the public CLI list but verified live against the deployed
     dev stack — IAM accepts the action name)

   Resource wildcard remains because AgentCore Browser sessions are
   ephemeral with no stable ARN; the IAM5 suppression on the construct
   already documents that.

   Previous behaviour granted every AgentCore action surface (memory,
   runtime, gateway, identity, code-interpreter) the screenshot path
   doesn't use. Tightening to the call set leaves a precise audit
   surface; if a future API change needs another action, IAM denies
   with the action name in CloudTrail and we add it explicitly.

2. (NIT per review aws-samples#7) Stale 'Vercel' wording on ScreenshotBucketName
   CfnOutput description, plus an adjacent comment in agent.ts that
   said 'Vercel-style preview deploys'. Both replaced with
   provider-agnostic phrasing — the pipeline listens for any provider
   that posts deployment_status (Vercel, Amplify, Netlify, GitHub
   Actions custom CD).

No behavioural change in either fix.

Author: isadeks

cdk/src/constructs/github-screenshot-integration.ts

@@ -186,13 +186,29 @@ export class GitHubScreenshotIntegration extends Construct {
 
     // AgentCore Browser session lifecycle + automation-stream connect.
     // The data-plane API doesn't support per-resource ARNs (sessions
-    // are ephemeral), so wildcards are required — annotated with a
-    // cdk-nag suppression below. The wildcard set covers
-    // `ConnectBrowserAutomationStream` (the SigV4-presigned WSS dial)
-    // which lives under the same prefix but isn't visible in the
-    // public CLI command list.
+    // are ephemeral), so the resource wildcard is required — annotated
+    // with a cdk-nag suppression below.
+    //
+    // Actions are scoped to the three calls the handler actually makes:
+    // - StartBrowserSession + StopBrowserSession (REST control plane,
+    //   in the public CLI command list)
+    // - ConnectBrowserAutomationStream (the SigV4-presigned WSS dial;
+    //   not in the public CLI command list, but verified live against
+    //   the deployed dev stack — IAM accepts the action name even
+    //   though aws cli help doesn't surface it)
+    //
+    // Previously this used `bedrock-agentcore:*` which granted the
+    // entire AgentCore action surface (memory, runtime, gateway,
+    // identity, code-interpreter). Per krokoko's PR #241 review item
+    // #1: scope down to least privilege. If a future API change adds a
+    // call we need, IAM will deny with the specific action name in
+    // CloudTrail and we can add it explicitly.
     this.webhookProcessorFn.addToRolePolicy(new iam.PolicyStatement({
-      actions: ['bedrock-agentcore:*'],
+      actions: [
+        'bedrock-agentcore:StartBrowserSession',
+        'bedrock-agentcore:StopBrowserSession',
+        'bedrock-agentcore:ConnectBrowserAutomationStream',
+      ],
       resources: ['*'],
     }));
 

cdk/src/stacks/agent.ts

@@ -836,11 +836,12 @@ export class AgentStack extends Stack {
     });
 
     // --- GitHub deployment-status → screenshot pipeline ---
-    // Listens for Vercel-style preview deploys, screenshots the
-    // `deployment.environment_url` via AgentCore Browser, posts the
-    // image into a fresh PR comment. Default-on: any repo whose
-    // GitHub webhook is configured will get screenshotted on
-    // successful preview deploys; no opt-in flag.
+    // Listens for GitHub deployment_status events from any provider
+    // (Vercel, Amplify Hosting, Netlify, GitHub Actions custom CD),
+    // screenshots the `deployment.environment_url` via AgentCore
+    // Browser, posts the image into a fresh PR comment. Default-on:
+    // any repo whose GitHub webhook is configured will get
+    // screenshotted on successful preview deploys; no opt-in flag.
     const githubScreenshot = new GitHubScreenshotIntegration(this, 'GitHubScreenshotIntegration', {
       api: taskApi.api,
       githubTokenSecret,
@@ -864,7 +865,7 @@ export class AgentStack extends Stack {
 
     new CfnOutput(this, 'ScreenshotBucketName', {
       value: githubScreenshot.screenshotBucket.bucket.bucketName,
-      description: 'Private S3 bucket hosting Vercel-preview screenshots (served via CloudFront)',
+      description: 'Private S3 bucket hosting preview-deploy screenshots (served via CloudFront)',
     });
 
     new CfnOutput(this, 'ScreenshotCloudFrontDomain', {