feat: add AWS profile support to vault provider and auto-registration

[stack72]

Problem

The AWS vault provider and auto-registration do not support AWS_PROFILE-based authentication:

1. Vault auto-registration (vault_service.ts:ensureDefaultVaults) only checks for AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY + AWS_REGION. If a user relies on AWS_PROFILE for SSO/role-based auth, the automatic aws-sm vault is never created.

2. AWS vault provider (aws_vault_provider.ts) only accepts { region: string } in its config. There is no way to pass a named profile, even though the design doc (design/vaults.md) specifies profile as a supported config option.

3. vault create CLI (vault_create.ts) has no --profile flag for the aws-sm type.

Proposed Solution

Vault auto-registration

• Check AWS_PROFILE as an alternative to explicit AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY
• Also check AWS_DEFAULT_REGION as a region fallback (matches AWS SDK precedence)
• Pass profile through to the vault provider config when AWS_PROFILE is set
• Update error messages to mention AWS_PROFILE as an option

AWS vault provider

• Export an AwsVaultConfig interface: { region: string; profile?: string }
• When profile is set, use fromIni({ profile }) from @aws-sdk/credential-provider-ini
• Add @aws-sdk/credential-provider-ini as a direct import in deno.json (already a transitive dep)

vault create CLI

• Add --profile <profile:string> option
• Resolve from flag or AWS_PROFILE env var
• Include in persisted config when present

Related

• First-class AWS SSO / IAM role assumption support in model execution #371 (first-class AWS SSO support discussion)
• Implements profile support already specified in design/vaults.md lines 168-189

[stack72]

Closing — after investigation, Deno already merges env vars with the parent environment, so AWS_PROFILE is already available to both subprocesses and the AWS SDK credential chain used by the vault provider. No framework changes needed.