fix: aws profile bedrock auth

[zulrang]

Summary

• Adds aws_profile auth method to the Bedrock provider, allowing users to authenticate using an AWS profile name (SSO, IAM, etc.) instead of requiring a bearer token
• Follows the existing GoogleAdc pattern: new AuthMethod::AwsProfile variant, AuthDetails::AwsProfile, and AwsProfileStrategy that validates profile credentials
• Modifies BedrockProvider to support both bearer token (existing) and profile-based SigV4 authentication via a BedrockAuthMode enum
• Fixes marker handling in the login flow so non-API-key auth methods (ADC, AWS Profile) don't get overwritten by existing credentials

Changes across 15+ files

• Domain (forge_domain): AwsProfile variants in AuthMethod and AuthDetails enums
• Infra (forge_infra): AwsProfileStrategy with SSO credential validation
• Provider (forge_repo): BedrockAuthMode enum, dual auth path in init()
• Services (forge_services): Fixed marker overwrite bug in provider_auth.rs
• UI (forge_main): "AWS Profile (SSO/IAM)" display name, skip API key prompt for markers
• Config: provider.json updated with "aws_profile" auth method for bedrock
• Dependencies: sso feature added to aws-config workspace dep

Test plan

• Unit tests: test_new_with_aws_profile_credentials, test_new_with_empty_aws_profile_fails
• Integration test: test_real_sso_profile_converse (ignored in CI, validated manually with core-test-bedrock SSO profile)
• E2E: forge provider login bedrock → select AWS Profile → enter profile name + region → no API key prompt → login succeeds
• E2E: Existing bearer token auth path unaffected
• Full test suite: 268 forge_repo tests pass

Closes #2830

[CLAassistant]

All committers have signed the CLA.

[amitksingh1490]

Hey @zulrang does this PR worked for you.

[github-actions]

Action required: PR inactive for 5 days.
Status update or closure in 10 days.

[Qkessler]

Hi all! Would love to see this PR come to fruition. What's missing?

[amitksingh1490]

@Qkessler I want someone to test this change using aws-profile login. And test with Anthropic models

[Qkessler]

Any docs to build locally I can try on my x86_64 machine? Should cargo install --path . do it?

[Qkessler]

Cc @amitksingh1490

[amitksingh1490]

@Qkessler clone the repo and cargo run will start a repl

[Qkessler]

Sadly, the current PR state doesn't work for me. Here's what the set up process looks like after cargo r:

● [07:37:36] Configure Bedrock
Multiple authentication methods available
? Enter AWS_REGION: eu-central-1
? Enter AWS_PROFILE: bedrock-enrikes
● [07:37:48] ERROR: Authentication completion failed: Failed to resolve credentials for profile 'bedrock-enrikes': the credentials provider was not properly configured. Try running 'aws sso login --profile bedrock-enrikes'

There's aws-profiles that are triggered through particular credential commands. For example, on this bedrock-enrikes profile, here's what ~/.aws/config looks like:

[profile bedrock-enrikes]
credential_process=<binary_name> credentials print --profile=bedrock-enrikes
region=eu-central-1

cc @amitksingh1490

[tillmannheigel]

Worked for me successfully with Azure AD SAML-based credentials (with temporary STS credentials in ~/.aws/credentials).

[gunnarsundberg]

using this branch as my daily driver with bedrock. i don't have permissions for using an api key so this is a lifesaver. thanks! 😊

[amitksingh1490]

Thanks @zulrang
For confirmation
@tillmannheigel @Qkessler @gunnarsundberg