feat: cache AccessDenied error for count tokens

[opieter-aws]

Description

Cache AccessDeniedException errors from Bedrock's CountTokens API to avoid repeated failing calls. When the caller's IAM role lacks bedrock:CountTokens permission, the first call now caches the failure and all subsequent calls skip the API, falling back to heuristic token estimation. The same "try only once" behavior was already in place for models that don't support CountTokens (ValidationException).

The warning log includes the full Bedrock error message so users can identify the exact IAM role and missing permission.

Related Issues

Port of TypeScript: strands-agents/sdk-typescript#1032

Documentation PR

N/A

Type of Change

New feature

Testing

How have you tested the change? Verify that the changes do not break functionality or introduce warnings in consuming repositories: agents-docs, agents-tools, agents-cli

• I ran hatch run prepare

Checklist

• I have read the CONTRIBUTING document
• I have added any necessary tests that prove my fix is effective or my feature works
• I have updated the documentation accordingly
• I have added an appropriate example to the documentation to outline the feature, or no new docs are needed
• My changes generate no new warnings
• Any dependent changes have been merged and published

---

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[github-actions]

Assessment: Approve

Clean, well-scoped change that follows the existing ValidationException caching pattern. The rename from _UNSUPPORTED_COUNT_TOKENS_MODELS to _SKIP_COUNT_TOKENS_MODELS appropriately reflects the broader semantics, tests are comprehensive (caching, logging, non-caching for transient errors), and all modified lines have coverage.

No issues found.