feat(ecr-assets): add support for docker build context (#36930)

### Issue # (if applicable)

Fixes #31598

### Reason for this change



Add support for docker's `--build-context` flag in docker builds. This is useful for a few reasons outlined in the linked issue (and other similar issues), such as:

- Sharing files from directories outside the Docker build directory
- Using specific image versions as build contexts (`docker-image://alpine:latest`)  
- Referencing remote URLs as build contexts

### Description of changes


Adds support for Docker's `--build-context` flag when building Docker image assets. This allows users to specify additional named build contexts that can be referenced in Dockerfiles via `COPY --from=<name>`.

- Added `buildContexts` (optional `Record<string, string>`) to `DockerBuildOptions`, `DockerImageAssetOptions`, `DockerImageAssetInvalidationOptions`, and `DockerImageAssetSource`
- Updated `DockerImage.fromBuild()` to pass `--build-context key=value` flags to the docker build command
- Wired `buildContexts` through the full asset pipeline: `DockerImageAsset` → synthesizer → asset manifest → cloud assembly schema
- Added token validation for `buildContexts` keys and values (same as `buildArgs`)
- Added `buildContexts` to asset hash invalidation (controllable via `invalidation.buildContexts`)
- Added `ASSET_RESOURCE_METADATA_DOCKER_BUILD_CONTEXTS_KEY` metadata constant
- Updated the `aws-ecr-assets` README with documentation and usage example

In terms of design decisions, this follows the same pattern as `buildArgs`.

The necessary changes to the CLI have been released: aws/aws-cdk-cli#1128

### Describe any new or updated permissions being added


N/A

### Description of how you validated changes



Integration test

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: cogwirrel

packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/demo-image-build-context/context/hello.txt

@@ -0,0 +1 @@
+Hello from build context!

packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/demo-image-build-context/image/Dockerfile

@@ -0,0 +1,6 @@
+FROM public.ecr.aws/docker/library/python:3.12-slim
+EXPOSE 8000
+WORKDIR /src
+ADD . /src
+COPY --from=mycontext hello.txt /src/hello.txt
+CMD ["python3", "index.py"]

packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/demo-image-build-context/image/index.py

@@ -0,0 +1,41 @@
+#!/usr/bin/python
+import sys
+import textwrap
+import http.server
+import socketserver
+
+PORT = 8000
+
+# Read the file that was copied from the build context
+try:
+    with open('/src/hello.txt', 'r') as f:
+        context_message = f.read().strip()
+except FileNotFoundError:
+    context_message = 'ERROR: hello.txt not found - build context may not have worked'
+
+
+class Handler(http.server.SimpleHTTPRequestHandler):
+    def do_GET(self):
+        self.send_response(200)
+        self.send_header('Content-Type', 'text/html')
+        self.end_headers()
+        self.wfile.write(textwrap.dedent('''\
+            <!doctype html>
+            <html><head><title>It works</title></head>
+            <body>
+                <h1>Hello from the integ test container with build context</h1>
+                <p>Message from build context: {message}</p>
+                <img src="https://media.giphy.com/media/nFjDu1LjEADh6/giphy.gif">
+            </body>
+            ''').format(message=context_message).encode('utf-8'))
+
+
+def main():
+    httpd = http.server.HTTPServer(("", PORT), Handler)
+    print("serving at port", PORT)
+    print("message from build context:", context_message)
+    httpd.serve_forever()
+
+
+if __name__ == '__main__':
+    main()

packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/DockerBuildContextTestDefaultTestDeployAssert7E73C929.assets.json

@@ -0,0 +1,100 @@
+{
+ "Resources": {
+  "MyUserDC45028B": {
+   "Type": "AWS::IAM::User"
+  },
+  "MyUserDefaultPolicy7B897426": {
+   "Type": "AWS::IAM::Policy",
+   "Properties": {
+    "PolicyDocument": {
+     "Statement": [
+      {
+       "Action": [
+        "ecr:BatchCheckLayerAvailability",
+        "ecr:BatchGetImage",
+        "ecr:GetDownloadUrlForLayer"
+       ],
+       "Effect": "Allow",
+       "Resource": {
+        "Fn::Join": [
+         "",
+         [
+          "arn:",
+          {
+           "Ref": "AWS::Partition"
+          },
+          ":ecr:",
+          {
+           "Ref": "AWS::Region"
+          },
+          ":",
+          {
+           "Ref": "AWS::AccountId"
+          },
+          ":repository/",
+          {
+           "Fn::Sub": "cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}"
+          }
+         ]
+        ]
+       }
+      },
+      {
+       "Action": "ecr:GetAuthorizationToken",
+       "Effect": "Allow",
+       "Resource": "*"
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "PolicyName": "MyUserDefaultPolicy7B897426",
+    "Users": [
+     {
+      "Ref": "MyUserDC45028B"
+     }
+    ]
+   }
+  }
+ },
+ "Outputs": {
+  "ImageUri": {
+   "Value": {
+    "Fn::Sub": "${AWS::AccountId}.dkr.ecr.${AWS::Region}.${AWS::URLSuffix}/cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}:21592aa0c60f855735949fa2ddd50ccfe5c2662eea8c60a4c95742dbc5aa3206"
+   }
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}