Adds bearer token authentication for the Bedrock Converse API, enabling
users to authenticate with an API key instead of SigV4/IAM credentials.
When a bearer token is available (via `options.bearerToken` or the
`AWS_BEARER_TOKEN_BEDROCK` env var), the provider:
1. Sets dummy credentials to prevent SDK credential resolution errors
2. Injects middleware after SigV4 signing that replaces the Authorization
header with `Bearer <token>` and removes SigV4-specific headers
This uses the official `bedrock:CallWithBearerToken` IAM action, which
is a documented AWS feature for API key auth on Bedrock endpoints.
Use case: users who receive a Bedrock API key (bearer token) from the
AWS console or their admin, without having IAM access keys or instance
roles. Similar to how ANTHROPIC_API_KEY works for direct Anthropic API.
Required IAM permission on the token's identity:
bedrock:CallWithBearerToken
Tested: Bearer token successfully authenticates against Bedrock Converse
API (returns correct 403 for missing IAM permission, not auth format error).
SigV4 path is unchanged when no bearer token is set.