
fix(deploy): link external Identity providers for CDK wiring#972

Closed
kaise1 wants to merge 1 commit into aws:main from kaise1:codex/token-vault-env-local

Conversation


@kaise1 kaise1 commented Apr 26, 2026

Summary

  • Resolve existing AgentCore Identity credential providers by credentials[].name when no local credential value is available
  • Write linked provider metadata into agentcore/.cli/deployed-state.json so CDK-managed resources can consume provider ARNs
  • Add API key/OAuth link-path tests and document the deploy credential behavior

Motivation

Some AgentCore resources are configured through CDK/CloudFormation and require credential provider ARNs at deploy time. A concrete example is gateway target outbound auth, where the CDK construct maps outboundAuth.credentialName to an apiKeyCredentialProvider.providerArn or oauthCredentialProvider.providerArn.

Before this change, deploy could only populate those ARNs through the local secret sync path: values from agentcore/.env.local or process env would create or update AgentCore Identity credential providers, and the returned ARN would be written to deployed state. That made it difficult to manage infrastructure through CLI/CDK while keeping credential provider secrets externally managed, for example through the AgentCore console, another project, or internal IaC/security workflows.

This change adds a secretless link path: when local secret values are absent, deploy looks up an existing AgentCore Identity credential provider by name and records its ARN in deployed state for CDK wiring.

Scope

This does not change the agent runtime credential retrieval path. Agent code can already request credentials by provider name, for example with @requires_api_key(provider_name=...). This change is for deploy/CDK wiring where a provider ARN is required, such as gateway target outbound auth.

If local credential values are present, deploy preserves the existing create/update behavior. The link path is used only when the matching local secret values are absent.

Manual verification

  • Created an existing AgentCore Identity API key credential provider named OpenAIManualLinkCodexTokyo in ap-northeast-1 via the AWS console
  • Created a minimal AgentCore project whose agentcore.json references that credential name
  • Left agentcore/.env.local empty and unset the matching process env var
  • Ran agentcore deploy --target default --diff --yes --verbose
  • Confirmed Creating credentials... succeeded
  • Confirmed agentcore/.cli/deployed-state.json contains the linked credentialProviderArn
  • Verified the not-found path fails clearly when neither .env.local nor an existing provider is available

Test plan

  • npm test -- src/cli/operations/identity/__tests__/api-key-credential-provider.test.ts src/cli/operations/deploy/__tests__/pre-deploy-identity.test.ts
  • npm run typecheck
  • npm run lint (0 errors, existing warnings only)
  • npm run build
  • npx prettier --check docs/commands.md docs/configuration.md src/cli/commands/deploy/actions.ts src/cli/operations/deploy/pre-deploy-identity.ts src/cli/operations/deploy/__tests__/pre-deploy-identity.test.ts src/cli/operations/identity/api-key-credential-provider.ts src/cli/operations/identity/__tests__/api-key-credential-provider.test.ts src/cli/operations/identity/index.ts src/cli/tui/hooks/useCdkPreflight.ts
  • git diff --check (CRLF warnings only)
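The two deploy paths the description above distinguishes (create/update when a local secret is present, link-by-name when it is absent, and a clear failure when neither exists) can be sketched as a small resolver. The following is an added example written for this page, not the agentcore CLI's own implementation: the `CredentialConfig` fields, the `IdentityClient` interface, the `FakeIdentityClient` stand-in and the `arn:example:...` strings are all assumptions made so that it runs offline.

```typescript
// Added illustration of the deploy-time "link path" described in this PR.
// This is NOT the agentcore CLI's own code: the types, the IdentityClient
// interface and the ARN strings below are assumptions made for the example.

type ProviderKind = "apiKey" | "oauth";

// One entry of the project's credentials[] config (field names assumed).
interface CredentialConfig {
  name: string;        // must match the AgentCore Identity provider name
  type: ProviderKind;
  envVar: string;      // where the local secret would live (.env.local / process env)
}

// What deploy records in deployed-state.json: the ARN only, never the secret.
interface DeployedCredential {
  credentialName: string;
  credentialProviderArn: string;
  source: "local-secret" | "linked-existing";
}

// Minimal stand-in for the AgentCore Identity API (assumed interface).
interface IdentityClient {
  findProviderArnByName(name: string, type: ProviderKind): string | undefined;
  upsertProvider(name: string, type: ProviderKind, secret: string): string;
}

export function resolveCredentialProviders(
  credentials: CredentialConfig[],
  localEnv: Record<string, string | undefined>,
  client: IdentityClient,
): DeployedCredential[] {
  return credentials.map((cred) => {
    // An empty .env.local value counts as absent, same as an unset variable.
    const secret = localEnv[cred.envVar];
    if (secret) {
      // Existing behaviour: deploy owns the provider and creates/updates it.
      const arn = client.upsertProvider(cred.name, cred.type, secret);
      return { credentialName: cred.name, credentialProviderArn: arn, source: "local-secret" };
    }
    // Link path: resolve an externally managed provider by name and record
    // its ARN without deploy ever handling the secret material.
    const arn = client.findProviderArnByName(cred.name, cred.type);
    if (arn === undefined) {
      // Fail clearly instead of writing a dangling reference into deployed state.
      throw new Error(
        `credential provider "${cred.name}" (${cred.type}) not found: ` +
          `set ${cred.envVar} in agentcore/.env.local or the process environment, ` +
          `or create the provider in AgentCore Identity before deploying`,
      );
    }
    return { credentialName: cred.name, credentialProviderArn: arn, source: "linked-existing" };
  });
}

// In-memory fake of AgentCore Identity so the example runs offline.
// ARN values are constructed placeholders, not a real ARN format.
export class FakeIdentityClient implements IdentityClient {
  private readonly providers = new Map<string, string>();
  public readonly upserts: string[] = [];

  constructor(existing: Array<[name: string, type: ProviderKind]> = []) {
    for (const [name, type] of existing) {
      this.providers.set(`${type}:${name}`, `arn:example:${type}-provider/${name}`);
    }
  }

  findProviderArnByName(name: string, type: ProviderKind): string | undefined {
    return this.providers.get(`${type}:${name}`);
  }

  upsertProvider(name: string, type: ProviderKind, _secret: string): string {
    const key = `${type}:${name}`;
    this.upserts.push(key);
    const arn = this.providers.get(key) ?? `arn:example:${type}-provider/${name}`;
    this.providers.set(key, arn);
    return arn;
  }
}

// Reproduces the manual verification scenario: a console-created API key
// provider is linked by name while .env.local carries no value for it.
export function demo(): DeployedCredential[] {
  const client = new FakeIdentityClient([["OpenAIManualLinkCodexTokyo", "apiKey"]]);
  return resolveCredentialProviders(
    [{ name: "OpenAIManualLinkCodexTokyo", type: "apiKey", envVar: "OPENAI_API_KEY" }],
    {},
    client,
  );
}
```

The point worth checking in a real implementation is the one the fake makes visible: the link path never calls the create/update API, and the object written to deployed state contains only names and ARNs, so a repository-committed `deployed-state.json` cannot leak the secret even on the create/update path.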

@github-actions github-actions Bot added the size/m PR size: M label Apr 26, 2026
@kaise1 kaise1 changed the title from "fix(deploy): link existing Identity credential providers by name" to "fix(deploy): link external Identity providers for CDK wiring" Apr 26, 2026
@kaise1 kaise1 marked this pull request as ready for review April 27, 2026 00:09
@kaise1 kaise1 requested a review from a team April 27, 2026 00:09

kaise1 commented Apr 27, 2026

Closing in favor of #973, which uses the clearer branch name ix/link-external-identity-providers.

@kaise1 kaise1 closed this Apr 27, 2026