feat(repo-providers): add AWS CodeCommit as a third git platform

[jonwiggins]

Summary

Adds AWS CodeCommit support alongside GitHub and GitLab so agents can clone, push, and open PRs against repos hosted in AWS CodeCommit. Closes #527.

CodeCommit returned to full GA in Nov 2025 with new-customer signups reopened, Git LFS coming in Q1 2026, and additional regions in Q3 2026 — this is an active surface, not a sunset target.

Approach

The existing three-layer abstraction (GitPlatform interface → per-provider classes → factory) made this clean. The third provider drops in symmetrically:

• Auth: HTTPS clone URLs + the AWS CLI credential helper (!aws codecommit credential-helper $@); API ops via @aws-sdk/client-codecommit.
• Credentials: stored as workspace/global secrets (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, optional AWS_SESSION_TOKEN, AWS_REGION) with a workload-identity sentinel that defers to the SDK's default chain (IRSA on EKS, instance profile, env).
• PR creation: agent runs aws codecommit create-pull-request directly — no third-party CLI wrapper needed.
• Reviews: APPROVED maps to UpdatePullRequestApprovalState(APPROVE); REQUEST_CHANGES / COMMENT post via PostCommentForPullRequest with a prefix in the body.
• Inline comments: positioned via location.{filePath, filePosition, relativeFileVersion=AFTER}; falls back to a top-level comment on error so feedback is never silently dropped.

Graceful degradation

CodeCommit doesn't have native CI, issues, or webhooks. Where the abstraction expects them:

• getCIChecks() returns []. The reconciler at reconcile-repo.ts:462 already treats checksStatus="none" as merge-eligible, so auto-merge still fires.
• listIssues() returns []; mutating issue methods throw a clear "not supported" error.
• No webhook plumbing — relies on the existing 30s PR-watcher poll. EventBridge integration is a future follow-up.
• reviewTrigger="on_pr" is recommended over the default on_ci_pass for CodeCommit repos (since CI never reports). Documented in CLAUDE.md.

What's in this PR

• Types + parser: GitPlatformType extended; parseRepoUrl/parsePrUrl recognise git-codecommit.<region>.amazonaws.com (HTTPS + SSH) and console PR URLs.
• CodeCommitPlatform (≈400 lines) implementing all 14 GitPlatform methods.
• codecommit-credential-service for AWS cred resolution.
• AWS CLI v2 added to the agent base image (amd64 + arm64).
• repo-init.sh and agent-entrypoint.sh configure git config credential.helper '!aws codecommit credential-helper \$@' when the URL is a CodeCommit repo.
• Prompt templates: new GIT_PLATFORM_CODECOMMIT / CODECOMMIT_REPO / BASE_BRANCH vars wired through task-worker.ts, review-service.ts, pr-review-service.ts.
• Setup wizard: new CodeCommit panel (region, access key, secret, session token, validate button, repo picker).
• API: POST /api/setup/validate/aws-credentials and POST /api/setup/repos/codecommit.
• Helm: documents EKS IRSA via serviceAccount.annotations.

Tests

• 30/30 URL parser tests (3 new CodeCommit cases)
• 18/18 new CodeCommitPlatform unit tests using aws-sdk-client-mock
• 20/20 prompt-template tests (2 new CodeCommit cases)
• 184/184 OpenAPI route registry tests (route count bumped 169 → 171)
• Full suite: pnpm format:check, pnpm turbo typecheck (12/12), pnpm turbo test (2089/2089), pnpm turbo build, and apps/web next build all green.

Follow-ups (not blocking this PR, but blocking real use)

• Agent base image needs to be rebuilt and pushed to GHCR before CodeCommit users can run tasks. Run `./images/build.sh` and bump tags.
• Inline-comment positioning is mock-tested only. The PostCommentForPullRequest location call hasn't been exercised against a live CodeCommit PR. The fallback path (top-level comment) should keep us safe if positioning fails, but worth verifying on the first real review.
• CodePipeline integration for real CI status (currently always []).
• EventBridge → webhook for instant PR-state updates instead of 30s polling.

Test plan

• CI: format / typecheck / test / build all pass
• Manual e2e against a live CodeCommit repo:
  • Setup wizard CodeCommit panel validates credentials successfully
  • CodeCommit repo can be added via URL form
  • Manual task pod clones the repo (check repo-init.sh log lines)
  • Agent commits, pushes, runs aws codecommit create-pull-request successfully
  • Task transitions to `pr_opened` with the correct console PR URL
  • PR watcher polls and sees the PR; auto-merge fires when enabled (since checksStatus="none")
  • Code-review subtask posts a review comment on the CodeCommit PR
  • Closing the PR transitions the task to `failed`