feat(cdk): integ-tests Phase 2 — channels & guardrails E2E

[ayushtr-aws]

Component

CDK / infrastructure, API or orchestration, Tooling / CI

Describe the feature

Phase 2 (Channels & guardrails) of the deploy-then-verify integration-test effort started in #236. Builds on Phase 0 (#295, foundation) and Phase 1 (#317, core lifecycle) to cover channel adapters and guardrail behavior on a live stack.

Parent: #236 (Phase 0). Depends on: #317 (Phase 1).

Use case

• Validate channel hand-offs: webhook-driven task creation and Slack/Linear adapters are integration-heavy and poorly covered by mocks.
• Exercise guardrails: the stranded-task reconciler and admission guardrails need deployed-runtime verification under controlled conditions.

Proposed solution

• Webhook create-task: assert a webhook event creates a task and reaches a terminal state (GitHub/Linear webhook → create-task path).
• Slack/Linear adapters: integ coverage with test fixtures or mocked externals for the channel hand-off paths.
• Stranded-task reconciler: verify reconciler behavior under a controlled clock / fixtures if feasible.
• Reuse Phase 1 harness (waitForAssertions(), force teardown, dedicated integ stack).
• Child issues are acceptable to split adapters if scope grows.

Design constraints

Inherits the Phase 0 run policy (.github/workflows/integ.yml), same as #317:

• When it runs: per-PR via workflow_run (after a successful build), path-filtered to PRs touching cdk/** or agent/**; plus on-demand workflow_dispatch (restricted to main). No nightly schedule — per-PR + manual dispatch is the agreed coverage.
• Gate / required check: admin approves the integ environment, then deploy→assert→destroy runs and posts an integ-smoke commit status as a required check; docs/CLI-only PRs get an immediate green (skipped) status.
• Concurrency / stack isolation: single cdk-integ concurrency group (cancel-in-progress: false); dedicated backgroundagent-integ stack name (separate from backgroundagent-dev); integ apps separate from production synth (cdk.out isolation); assertion stacks use DeployAssert.
• External-service fixtures must not require live third-party credentials in CI by default — Slack/Linear/GitHub adapters use test fixtures or mocked externals so the privileged-role run never depends on real channel secrets.
• Local dev path: unchanged — mise //cdk:integ with your own AWS creds.

Other information

• Related: ADR-008 Level 3; ADR-013 Tier 3; docs/design/CEDAR_HITL_GATES.md; @aws-cdk/integ-tests-alpha README.

Acknowledgements

• I may be able to implement this feature
• This might be a breaking change