feat(cedar-hitl): Cedar-wasm layer + wire approval tables into agent stack

Activates the agent-side approval path and ships the Lambda layer
Chunk 5's REST handlers need.

Cedar-wasm Lambda layer (§15.2 task 10)
----------------------------------------

``CedarWasmLayer`` bundles ``@cedar-policy/cedar-wasm@4.10.0`` into
``/opt/nodejs/node_modules/`` so Lambdas can
``require('@cedar-policy/cedar-wasm/nodejs')`` without shipping the
4 MB wasm binary in every function package. A dedicated
``cdk/layers/cedar-wasm/`` directory carries a minimal ``package.json``
pinning the exact version — bundling runs ``npm install --omit=dev``
against that manifest, so the layer build is hermetic from any
``cdk/node_modules/`` drift.

The bundler has two fallbacks:
  - Docker (``public.ecr.aws/sam/build-nodejs22.x``) for CI / prod
    deploys.
  - Local-npm fallback for environments without Docker (unit-test
    synths + `cdk synth` on runners that lack Docker). The local
    path is safe here because the layer ships pure JS + a prebuilt
    wasm binary — no native build step.

Three constants exposed from the module:
  - ``CEDAR_WASM_VERSION`` — single source of truth for the pinned
    version; tests assert this matches both ``cdk/package.json`` and
    the layer manifest, so the three places the version lives stay
    in sync.
  - ``CEDAR_WASM_MIN_LAMBDA_MEMORY_MB`` — 512 MB floor for attaching
    Lambdas per §15.2 task 10.
  - ``CedarWasmLayer.layer`` — the underlying ``LayerVersion`` for
    Chunk 5 handlers to attach via ``fn.addLayers(...)``.

Agent stack wiring (§15.2 task 19)
------------------------------------

``agent.ts`` now instantiates:
  - ``TaskApprovalsTable`` (prior commit) — grants RW to the runtime
    so ``pre_tool_use_hook`` can TransactWriteItems + ConsistentRead
    the PENDING row.
  - ``SlackUserMappingTable`` (prior commit) — not granted to the
    runtime; only the link-user Lambda (Chunk 5) writes here.
  - ``CedarWasmLayer`` — the layer's asset lands in the synthed
    template so Chunk 5 handlers can reference ``.layer`` without
    causing a new asset on their deploy.

New runtime env vars:
  - ``TASK_APPROVALS_TABLE_NAME`` — consumed by
    ``task_state._require_tables``; its absence previously raised
    ``ApprovalTablesUnavailable`` → hook DENY. Now set, so the
    approval path is live on deploy.
  - ``AGENTCORE_MAX_LIFETIME_S = '28800'`` — 8 hours, matching
    ``lifecycleConfiguration.maxLifetime``. Consumed by the hook's
    ``_remaining_maxlifetime_s`` for the maxLifetime ceiling clip
    (§6.5). Kept in sync with the lifecycle via a direct test
    assertion so drift surfaces at build time.

New CfnOutputs: ``TaskApprovalsTableName``, ``SlackUserMappingTableName``,
``CedarWasmLayerArn``. Each is useful for post-deploy smoke tests
(`aws dynamodb describe-table` / `aws lambda get-layer-version`).

Tests: +8 layer tests + 9 agent-stack assertions.

Layer:
  - LayerVersion resource count.
  - Compatible runtimes (nodejs20/22).
  - Description carries the pinned version.
  - CEDAR_WASM_VERSION matches ``cdk/package.json``.
  - CEDAR_WASM_VERSION matches ``layers/cedar-wasm/package.json``.
  - CEDAR_WASM_MIN_LAMBDA_MEMORY_MB ≥ 512.
  - Custom description override works.
  - ``.layer`` exposes a real ``LayerVersion``.

Agent stack:
  - Table count updated from 6 → 8.
  - TaskApprovalsTable schema match (task_id PK / request_id SK,
    user_id-status-index GSI presence).
  - SlackUserMappingTable single-key schema.
  - LayerVersion count + compatibleRuntimes.
  - Three new CfnOutputs present.
  - TASK_APPROVALS_TABLE_NAME env var on the runtime.
  - AGENTCORE_MAX_LIFETIME_S == '28800' (drift guard).

Carry-forward
-------------
- ``TASK_STARTED_AT`` is the other input the hook's
  ``_remaining_maxlifetime_s`` consumes — it's a PER-TASK value the
  orchestrator must stamp at invocation time, not a stack-level env
  var. Chunk 5's orchestrator changes need to add it to the runtime
  invocation payload / session env. For now the hook's fallback
  ("unknown, don't clip") keeps approvals functional.
- Chunk 5 will attach the CedarWasmLayer onto ApproveTaskFn,
  DenyTaskFn, GetPoliciesFn, CreateTaskFn and assert
  ``memorySize >= CEDAR_WASM_MIN_LAMBDA_MEMORY_MB`` for each.

Author: scoropeza

cdk/layers/cedar-wasm/README.md

@@ -0,0 +1,39 @@
+# Cedar-wasm Lambda layer source
+
+This directory is consumed by
+[`cdk/src/constructs/cedar-wasm-layer.ts`](../../src/constructs/cedar-wasm-layer.ts)
+to build a Lambda layer that carries `@cedar-policy/cedar-wasm`.
+
+## Why a separate directory
+
+The layer build is hermetic: it runs `npm install --omit=dev` from
+`package.json` in this directory, independent of
+`cdk/node_modules/`. Keeping a dedicated `package.json` here means a
+stale top-level install cannot leak into the layer bundle.
+
+## Keeping the version in sync
+
+The pinned version here **must match** the `@cedar-policy/cedar-wasm`
+entry in `cdk/package.json`. Drift would let the Lambda-side wasm
+engine and the rest of the CDK package disagree — the parity contract
+(§15.6, decision #23) catches this in CI only for the wasm-vs-cedarpy
+direction, not for two wasm copies in the same stack.
+
+Update process when bumping cedar-wasm:
+
+1. Bump `cdk/package.json` in the repo root install.
+2. Bump `cdk/layers/cedar-wasm/package.json` to the same version.
+3. Bump `CEDAR_WASM_VERSION` in `cdk/src/constructs/cedar-wasm-layer.ts`.
+4. Run `contracts/cedar-parity/` tests on both sides; they fail if the
+   wasm vs cedarpy engine outputs diverge.
+
+## Layout produced
+
+```
+/opt/nodejs/node_modules/@cedar-policy/cedar-wasm/
+  nodejs/cedar_wasm.js
+  nodejs/cedar_wasm_bg.wasm
+  ...
+```
+
+Lambdas using the layer `require('@cedar-policy/cedar-wasm/nodejs')`.

cdk/layers/cedar-wasm/package.json

@@ -0,0 +1,9 @@
+{
+  "name": "cedar-wasm-lambda-layer",
+  "version": "1.0.0",
+  "private": true,
+  "description": "Lambda layer bundling @cedar-policy/cedar-wasm for Cedar HITL policy handlers. Pinned version must match cdk/package.json.",
+  "dependencies": {
+    "@cedar-policy/cedar-wasm": "4.10.0"
+  }
+}

cdk/src/constructs/cedar-wasm-layer.ts

@@ -0,0 +1,156 @@
+/**
+ *  MIT No Attribution
+ *
+ *  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ *  Permission is hereby granted, free of charge, to any person obtaining a copy of
+ *  the Software without restriction, including without limitation the rights to
+ *  use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ *  the Software, and to permit persons to whom the Software is furnished to do so.
+ *
+ *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ *  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ *  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ *  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ *  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ *  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ *  SOFTWARE.
+ */
+
+import { execSync } from 'node:child_process';
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { DockerImage } from 'aws-cdk-lib';
+import * as lambda from 'aws-cdk-lib/aws-lambda';
+import { Construct } from 'constructs';
+
+/**
+ * Pinned Cedar-wasm version — kept in sync with the top-level
+ * ``cdk/package.json`` entry. Mismatch would let the agent-side
+ * ``cedarpy`` engine and the Lambda-side ``cedar-wasm`` engine drift,
+ * defeating the parity contract (design decision #23, §15.6).
+ *
+ * Reading this from a constant (rather than the caller passing it)
+ * lets the tests assert we ship the right version without duplicating
+ * the number across files.
+ */
+export const CEDAR_WASM_VERSION = '4.10.0';
+
+/**
+ * Minimum memory the Lambda attaching this layer should be configured
+ * with. Cedar-wasm needs ≥512 MB headroom (§15.2 task 10 note); callers
+ * wiring this layer onto a Lambda should cross-check their function's
+ * memorySize against this constant.
+ */
+export const CEDAR_WASM_MIN_LAMBDA_MEMORY_MB = 512;
+
+/**
+ * Properties for CedarWasmLayer construct.
+ */
+export interface CedarWasmLayerProps {
+  /**
+   * Layer description. Defaults to a design-linked description so
+   * ``aws lambda get-layer-version`` output is self-documenting.
+   */
+  readonly description?: string;
+}
+
+/**
+ * Lambda layer bundling `@cedar-policy/cedar-wasm` for the REST-side
+ * policy handlers (Chunk 5: ApproveTaskFn / DenyTaskFn / GetPoliciesFn /
+ * CreateTaskFn).
+ *
+ * Layout produced:
+ *
+ * ```
+ * /opt/nodejs/node_modules/@cedar-policy/cedar-wasm/
+ *   nodejs/cedar_wasm.js
+ *   nodejs/cedar_wasm_bg.wasm
+ *   ... (package.json + d.ts + README)
+ * ```
+ *
+ * Lambdas attaching this layer ``require('@cedar-policy/cedar-wasm/nodejs')``
+ * and load the wasm module transparently. The wasm binary is ~4 MB; a
+ * shared layer keeps each individual function package small so cold
+ * starts stay fast.
+ *
+ * Bundling uses ``npm install`` against a minimal ``package.json`` that
+ * pins the exact ``CEDAR_WASM_VERSION``. The source-side ``cdk/package.json``
+ * is the canonical pin; this construct re-declares the version string in
+ * a layer-local manifest to keep bundling hermetic (no reliance on yarn
+ * workspace resolution).
+ *
+ * Runtime compatibility is the union of Node.js 20 and 22 — older
+ * runtimes lack the subtle WebAssembly support cedar-wasm relies on.
+ *
+ * See §15.2 task 10 and §15.6.
+ */
+export class CedarWasmLayer extends Construct {
+  /**
+   * The underlying Lambda layer. Attach to functions via
+   * ``fn.addLayers(cedarWasmLayer.layer)``.
+   */
+  public readonly layer: lambda.LayerVersion;
+
+  constructor(scope: Construct, id: string, props: CedarWasmLayerProps = {}) {
+    super(scope, id);
+
+    // Bundling source: a small directory with a package.json that pins
+    // cedar-wasm at CEDAR_WASM_VERSION. The bundling command does
+    // `npm install --omit=dev` and lands the result under /opt/nodejs.
+    //
+    // Using an inline source directory (rather than depending on
+    // cdk/package.json being resolved at bundle time) keeps this layer
+    // fully hermetic: a stale `cdk/node_modules/` cannot leak into the
+    // layer build.
+    const layerSourceDir = path.join(__dirname, '..', '..', 'layers', 'cedar-wasm');
+
+    this.layer = new lambda.LayerVersion(this, 'Layer', {
+      code: lambda.Code.fromAsset(layerSourceDir, {
+        bundling: {
+          image: DockerImage.fromRegistry('public.ecr.aws/sam/build-nodejs22.x:latest'),
+          command: [
+            'bash',
+            '-c',
+            [
+              'cp -r . /asset-output',
+              'mkdir -p /asset-output/nodejs',
+              'cp /asset-output/package.json /asset-output/nodejs/package.json',
+              'cd /asset-output/nodejs && npm install --omit=dev',
+              'rm /asset-output/package.json',
+            ].join(' && '),
+          ],
+          // Fall back to a local-npm bundle when Docker is unavailable
+          // (e.g. `cdk synth` in CI runners that lack Docker). The
+          // local hook mirrors the Docker commands using the host's
+          // npm, which is acceptable here because the layer only ships
+          // pure JS + a prebuilt wasm binary — no native build step.
+          local: {
+            tryBundle(outputDir: string): boolean {
+              try {
+                fs.cpSync(layerSourceDir, outputDir, { recursive: true });
+                fs.mkdirSync(path.join(outputDir, 'nodejs'), { recursive: true });
+                fs.copyFileSync(
+                  path.join(outputDir, 'package.json'),
+                  path.join(outputDir, 'nodejs', 'package.json'),
+                );
+                execSync('npm install --omit=dev', {
+                  cwd: path.join(outputDir, 'nodejs'),
+                  stdio: 'ignore',
+                });
+                fs.rmSync(path.join(outputDir, 'package.json'));
+                return true;
+              } catch {
+                return false;
+              }
+            },
+          },
+        },
+      }),
+      compatibleRuntimes: [lambda.Runtime.NODEJS_20_X, lambda.Runtime.NODEJS_22_X],
+      description:
+        props.description
+        ?? `@cedar-policy/cedar-wasm@${CEDAR_WASM_VERSION} for Cedar HITL policy Lambdas (§15.2 task 10)`,
+    });
+  }
+}

cdk/src/stacks/agent.ts

@@ -34,13 +34,16 @@ import { Construct } from 'constructs';
 import { AgentMemory } from '../constructs/agent-memory';
 import { AgentVpc } from '../constructs/agent-vpc';
 import { Blueprint } from '../constructs/blueprint';
+import { CedarWasmLayer } from '../constructs/cedar-wasm-layer';
 import { ConcurrencyReconciler } from '../constructs/concurrency-reconciler';
 import { DnsFirewall } from '../constructs/dns-firewall';
 import { FanOutConsumer } from '../constructs/fanout-consumer';
 import { RepoTable } from '../constructs/repo-table';
+import { SlackUserMappingTable } from '../constructs/slack-user-mapping-table';
 import { StrandedTaskReconciler } from '../constructs/stranded-task-reconciler';
 // import { EcsAgentCluster } from '../constructs/ecs-agent-cluster';
 import { TaskApi } from '../constructs/task-api';
+import { TaskApprovalsTable } from '../constructs/task-approvals-table';
 import { TaskDashboard } from '../constructs/task-dashboard';
 import { TaskEventsTable } from '../constructs/task-events-table';
 import { TaskNudgesTable } from '../constructs/task-nudges-table';
@@ -62,10 +65,23 @@ export class AgentStack extends Stack {
     const taskTable = new TaskTable(this, 'TaskTable');
     const taskEventsTable = new TaskEventsTable(this, 'TaskEventsTable');
     const taskNudgesTable = new TaskNudgesTable(this, 'TaskNudgesTable');
+    // Cedar HITL approval-gate state (design §10.1). Agent writes PENDING
+    // rows + GSI query powers `bgagent pending`; Chunk 5 wires the
+    // Approve/Deny Lambdas + fan-out consumer.
+    const taskApprovalsTable = new TaskApprovalsTable(this, 'TaskApprovalsTable');
+    // Cedar HITL Slack → Cognito mapping (§11.2). Written only via the
+    // user-initiated OAuth link handler (Chunk 5).
+    const slackUserMappingTable = new SlackUserMappingTable(this, 'SlackUserMappingTable');
     const userConcurrencyTable = new UserConcurrencyTable(this, 'UserConcurrencyTable');
     const webhookTable = new WebhookTable(this, 'WebhookTable');
     const repoTable = new RepoTable(this, 'RepoTable');
 
+    // Cedar-wasm Lambda layer (§15.2 task 10). Instantiated here so the
+    // asset is in the synthed template; Chunk 5 handlers (Approve,
+    // Deny, GetPolicies, CreateTask) attach the layer via
+    // ``fn.addLayers(cedarWasmLayer.layer)``.
+    const cedarWasmLayer = new CedarWasmLayer(this, 'CedarWasmLayer');
+
     // --trace trajectory storage (design §10.1). Opt-in per task; only
     // written when the submit payload sets ``trace: true``.
     const traceArtifactsBucket = new TraceArtifactsBucket(this, 'TraceArtifactsBucket');
@@ -239,6 +255,15 @@ export class AgentStack extends Stack {
       TASK_TABLE_NAME: taskTable.table.tableName,
       TASK_EVENTS_TABLE_NAME: taskEventsTable.table.tableName,
       NUDGES_TABLE_NAME: taskNudgesTable.table.tableName,
+      // Cedar HITL approval gates (§6.5). Agent's task_state primitives
+      // use this to write PENDING rows + transition tasks to
+      // AWAITING_APPROVAL; absent → hook fails closed with
+      // ``approval_write_failed`` (the `ApprovalTablesUnavailable` path).
+      TASK_APPROVALS_TABLE_NAME: taskApprovalsTable.table.tableName,
+      // Hint for the hook's remaining-maxLifetime calculation (§6.5
+      // pseudocode line 793). Kept in sync with the AgentCore
+      // lifecycle configuration below so drift is visible. 8 hours.
+      AGENTCORE_MAX_LIFETIME_S: '28800',
       USER_CONCURRENCY_TABLE_NAME: userConcurrencyTable.table.tableName,
       // --trace artifact store (§10.1). The agent writes the JSONL
       // trajectory to ``traces/<user_id>/<task_id>.jsonl.gz`` on
@@ -307,6 +332,12 @@ export class AgentStack extends Stack {
     taskTable.table.grantReadWriteData(runtime);
     taskEventsTable.table.grantReadWriteData(runtime);
     taskNudgesTable.table.grantReadWriteData(runtime);
+    // Cedar HITL: the agent writes PENDING rows via TransactWriteItems
+    // (cross-table with TaskTable), reads them with ConsistentRead during
+    // the poll loop, and flips status to TIMED_OUT on deadline. The
+    // grant must be RW because approve/deny Lambdas (Chunk 5) also
+    // need RW; granting twice is idempotent.
+    taskApprovalsTable.table.grantReadWriteData(runtime);
     userConcurrencyTable.table.grantReadWriteData(runtime);
     githubTokenSecret.grantRead(runtime);
     applicationLogGroup.grantWrite(runtime);
@@ -397,6 +428,21 @@ export class AgentStack extends Stack {
       description: 'Name of the DynamoDB task nudges table (Phase 2)',
     });
 
+    new CfnOutput(this, 'TaskApprovalsTableName', {
+      value: taskApprovalsTable.table.tableName,
+      description: 'Name of the DynamoDB task approvals table (Cedar HITL)',
+    });
+
+    new CfnOutput(this, 'SlackUserMappingTableName', {
+      value: slackUserMappingTable.table.tableName,
+      description: 'Name of the DynamoDB slack_user_id → cognito_sub mapping table',
+    });
+
+    new CfnOutput(this, 'CedarWasmLayerArn', {
+      value: cedarWasmLayer.layer.layerVersionArn,
+      description: 'ARN of the Cedar-wasm Lambda layer (consumed by Chunk 5 REST handlers)',
+    });
+
     new CfnOutput(this, 'UserConcurrencyTableName', {
       value: userConcurrencyTable.table.tableName,
       description: 'Name of the DynamoDB user concurrency table',