feat(harness): add Gemini and OpenAI model-provider samples

[di-brasil]

Summary

Adds two AgentCore CLI harness samples that show how to run a harness on
non-default model providers, under 01-features/01-harness/01-advanced-examples/:

• 08-gemini-model-provider — Google Gemini (gemini-2.5-flash) via the
  gemini provider, with the API key stored in AgentCore Identity.
• 09-openai-model-provider — OpenAI GPT-OSS (openai.gpt-oss-20b-1:0)
  via the bedrock provider (served through Amazon Bedrock; IAM auth, no API key).

Both were tested end-to-end on @aws/agentcore@1.0.0-preview.12 in us-west-2
(deploy + live invoke).

What each sample includes

• README.md — the verified, step-by-step CLI flow (create --no-agent →
  add credential/add harness → set deployment target → deploy → invoke),
  prerequisites, cleanup, and notes.
• demo.sh — a runnable script that prints each command and its real output,
  built for screen recording. The AWS account ID is masked as <ACCOUNT>
  throughout (including inside ARNs), and the Gemini API key is never printed.
• images/*.gif — a recording of demo.sh running the full flow.
• GIF-SHOTLIST.md — frames to capture for a Console walkthrough.

Notes

• Gemini needs a Google AI Studio API key; OpenAI-on-Bedrock needs Bedrock model
  access for the GPT-OSS model (no key).
• Harness is in preview; samples target the four preview regions
  (IAD / PDX / SYD / FRA).
• A .gitignore in each folder keeps local demo.env / *.mov out of git.

Testing

• agentcore deploy + agentcore invoke run end-to-end for both providers.
• Gemini → "I am a large language model, trained by Google."
• OpenAI GPT-OSS → "I'm ChatGPT, a large language model trained by OpenAI."

[github-actions]

Latest scan for commit: b32642b | Updated: 2026-06-08 17:01:22 UTC

Security Scan Results

Scan Metadata

• Project: ASH
• Scan executed: 2026-06-08T17:01:09+00:00
• ASH version: 3.0.0

Summary

Scanner Results

The table below shows findings by scanner, with status based on severity thresholds and dependencies:

Column Explanations:

Severity Levels (S/C/H/M/L/I):

• Suppressed (S): Security findings that have been explicitly suppressed/ignored and don't affect the scanner's pass/fail status
• Critical (C): The most severe security vulnerabilities requiring immediate remediation (e.g., SQL injection, remote code execution)
• High (H): Serious security vulnerabilities that should be addressed promptly (e.g., authentication bypasses, privilege escalation)
• Medium (M): Moderate security risks that should be addressed in normal development cycles (e.g., weak encryption, input validation issues)
• Low (L): Minor security concerns with limited impact (e.g., information disclosure, weak recommendations)
• Info (I): Informational findings for awareness with minimal security risk (e.g., code quality suggestions, best practice recommendations)

Other Columns:

• Time: Duration taken by each scanner to complete its analysis
• Action: Total number of actionable findings at or above the configured severity threshold that require attention

Scanner Results:

• PASSED: Scanner found no security issues at or above the configured severity threshold - code is clean for this scanner
• FAILED: Scanner found security vulnerabilities at or above the threshold that require attention and remediation
• MISSING: Scanner could not run because required dependencies/tools are not installed or available
• SKIPPED: Scanner was intentionally disabled or excluded from this scan
• ERROR: Scanner encountered an execution error and could not complete successfully

Severity Thresholds (Thresh Column):

• CRITICAL: Only Critical severity findings cause scanner to fail
• HIGH: High and Critical severity findings cause scanner to fail
• MEDIUM (MED): Medium, High, and Critical severity findings cause scanner to fail
• LOW: Low, Medium, High, and Critical severity findings cause scanner to fail
• ALL: Any finding of any severity level causes scanner to fail

Threshold Source: Values in parentheses indicate where the threshold is configured:

• (g) = global: Set in the global_settings section of ASH configuration
• (c) = config: Set in the individual scanner configuration section
• (s) = scanner: Default threshold built into the scanner itself

Statistics calculation:

• All statistics are calculated from the final aggregated SARIF report
• Suppressed findings are counted separately and do not contribute to actionable findings
• Scanner status is determined by comparing actionable findings to the threshold

Scanner	S	C	H	M	L	I	Time	Action	Result	Thresh
bandit	0	0	0	0	0	0	388ms	0	PASSED	MED (g)
cdk-nag	0	0	0	0	0	0	6.5s	0	PASSED	MED (g)
cfn-nag	0	0	0	0	0	0	8ms	0	PASSED	MED (g)
checkov	0	0	0	0	0	0	4.7s	0	PASSED	MED (g)
detect-secrets	0	0	0	0	0	0	795ms	0	PASSED	MED (g)
grype	0	0	0	0	0	0	47.8s	0	PASSED	MED (g)
npm-audit	0	0	0	0	0	0	157ms	0	PASSED	MED (g)
opengrep	0	0	0	0	0	0	<1ms	0	SKIPPED	MED (g)
semgrep	0	0	0	0	0	0	<1ms	0	MISSING	MED (g)
syft	0	0	0	0	0	0	2.0s	0	PASSED	MED (g)