[FEATURE]: Add AWS Profile support for Bedrock client #268
Description
Is your feature request related to a problem? Please describe.
Yes. Previously, Bedrock auth required a static bearer token (AWS_BEARER_TOKEN_BEDROCK). This excludes users who authenticate via AWS SSO, IAM roles, assumed roles, or any other credential type managed by the AWS credential provider chain, which is the standard for teams and CI environments. Those users had no supported path to use Shannon with Bedrock.
Describe the solution you'd like
When using profile auth, users set CLAUDE_CODE_USE_BEDROCK=1, AWS_PROFILE=, and AWS_REGION in .env (no bearer token needed). On ./shannon start, the CLI detects the profile mode and automatically mounts ~/.aws/config, ~/.aws/credentials, and ~/.aws/sso/ read-only into the container, so the AWS SDK inside the worker resolves credentials the same way the host would. The shannon setup wizard also gains an auth method selector: choosing "AWS Profile" prompts for a profile name and validates credentials immediately before saving.
Which CLI mode does this apply to?
Both
Describe alternatives you've considered
Passing AWS credentials as environment variables directly (e.g. AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) — but this doesn't support SSO or role-based flows and requires manual credential extraction. Alternatively, running the container with host network access to reach AWS endpoints for SSO refresh, but that's a larger security surface than bind mounting only the ~/.aws/ directory read-only.
Additional context
No response
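A sketch of the profile-mode detection and read-only mounts requested above, added as an illustration and not taken from Shannon's code. The function names, the `/home/worker` container home, and the rule that a bearer token takes precedence over a profile are assumptions.

```shell
#!/bin/sh
# Added illustration; bedrock_auth_mode and aws_mount_flags are hypothetical
# names, not functions from the Shannon code base.

# Report which Bedrock auth mode the current environment selects.
# Assumption: a bearer token, when present, wins over AWS_PROFILE.
bedrock_auth_mode() {
  if [ "${CLAUDE_CODE_USE_BEDROCK:-}" != "1" ]; then
    echo "none"
  elif [ -n "${AWS_BEARER_TOKEN_BEDROCK:-}" ]; then
    echo "bearer"
  elif [ -n "${AWS_PROFILE:-}" ] && [ -n "${AWS_REGION:-}" ]; then
    echo "profile"
  else
    echo "incomplete"   # Bedrock requested, but no usable credentials source
  fi
}

# Print one "-v SRC:DST:ro" docker flag per line, limited to the three paths
# named in the request. Paths missing on the host are skipped so that docker
# does not create empty root-owned directories under ~/.aws as a side effect.
# $1 = host home directory, $2 = home directory of the container user.
aws_mount_flags() {
  host_home="$1"
  ctr_home="$2"
  for rel in .aws/config .aws/credentials .aws/sso; do
    if [ -e "$host_home/$rel" ]; then
      printf '%s %s:%s:ro\n' -v "$host_home/$rel" "$ctr_home/$rel"
    fi
  done
}

# Stand-alone demo against the caller's own environment.
mode=$(bedrock_auth_mode)
echo "auth mode: $mode"
if [ "$mode" = "profile" ]; then
  aws_mount_flags "${HOME:-/nonexistent}" /home/worker
fi
```

Mounting the three paths individually keeps the rest of `~/.aws/` (for example `cli/cache`) out of the container, and `:ro` means the worker cannot modify the host's credential files.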