feat: implement AWS temporary session based interactions

[dscanlen]

Description

Implement support for AWS session tokens to enable temporary, role-based interactions with S3-compatible backends. To maintain a seamless user experience, aliases utilizing expired session tokens will be automatically pruned from the configuration upon detection.

Requirements

• Core Alias Updates: Update the Alias configuration to support an optional session token using #[serde(default)] for backward compatibility.
• Security: Implement a custom fmt::Debug for the Alias struct to ensure session tokens and secret keys are scrubbed from logs.
• Credential Injection: Modify S3Client and AdminClient to inject the session token into the AWS credentials provider.
• Error Handling: Introduce a TokenExpired(String) error variant and map AWS ExpiredToken / InvalidToken errors to it.
• CLI Auto-Pruning: Intercept TokenExpired errors at the CLI boundary to log a clear message, automatically remove the dead alias from config.toml, and exit gracefully.

Acceptance Criteria

• rc alias set supports a new --session-token flag.
• Configuration changes include a schema_version bump and a migration path (migrations/).
• schemas/output_v2.json is updated to include the session_token field in the aliasInfo definition.
• Static credentials continue to function normally when the session token is omitted.
• CLI correctly identifies an expired token, logs a helpful warning, deletes the alias, and exits with AUTH_ERROR (Code 4).
• Debug/verbose logs strictly mask the session token as ***REDACTED***.
• Golden tests are successfully regenerated (UPDATE_GOLDEN=1 cargo test --features golden) and pass.
• Pre-commit checks (cargo fmt --all, cargo clippy --workspace -- -D warnings) pass with zero warnings.

Notes

This change impacts the Alias struct in crates/core, triggering the Breaking Change process outlined in AGENTS.md. The aws-sigv4 crate automatically handles the X-Amz-Security-Token header during request signing.

[overtrue]

Thanks for the detailed write-up. I checked the current code path and confirmed the requested support is not present today: aliases only store access key and secret key, S3Client and AdminClient both pass None as the AWS session token, and Alias currently derives Debug.

This is broader than a small bug fix because it changes persisted alias configuration, credential signing, token-expiry error handling, and protected schema/migration behavior. Before implementation, I think the maintainer decision points are: whether temporary session tokens should be persisted in aliases at all, and whether the CLI should automatically delete an alias when AWS returns ExpiredToken or InvalidToken.

I am leaving this as a feature/design issue rather than opening an automated fix PR from this triage pass.

[dscanlen]

Good point on whether it should be part of the alias at all. Perhaps there should be another command similar to Alias to handle ephemeral session based credentials? rc session set that expires when the token does? Happy to have this closed or reworked.

[overtrue]

I checked how similar S3 CLIs handle this before we settle on the design. AWS CLI treats aws_session_token as part of the credential/profile/env chain, not as a per-command S3 option. MinIO mc supports temporary aliases through MC_HOST_<ALIAS> and keeps that outside persistent config. rclone supports an S3 session_token setting and an environment variable override. s5cmd mostly delegates this to the AWS SDK credential chain through profiles, credentials files, environment variables, and IAM roles.

Based on that, I think the safest first step for rc is not a persisted alias.session_token field. A smaller and more compatible design would be to support session-token injection from an environment variable or temporary credential overlay when constructing S3Client / AdminClient, leaving the alias schema unchanged. If we want a native workflow later, rc session set/list/remove could manage ephemeral credentials as an overlay for an alias, and ExpiredToken / InvalidToken should clear only that session state or return AUTH_ERROR, not delete the underlying alias.

This should keep existing aliases and JSON/config schemas backward compatible while avoiding token persistence and accidental credential exposure in logs or debug output.