[codex] Add AWS Bedrock provider authentication

[HAYDEN-OAI]

Summary

• add an OpenAI::Providers.bedrock provider for Amazon Bedrock's OpenAI-compatible API
• support bearer credentials, static AWS credentials, refreshable credential providers, named profiles, and the standard AWS credential chain, including ~/.aws/credentials
• sign each request attempt with SigV4 and prevent signed requests from following redirects or authenticating a different origin
• isolate provider routing and authentication from ambient OpenAI client configuration
• add RBI/RBS types, setup documentation, a runnable example, a shared SigV4 fixture, and focused regression tests

Why

The Ruby SDK did not have a supported provider-authentication path for AWS Bedrock, so applications could not use their normal AWS credentials file or runtime credential chain with the standard OpenAI client. This brings Ruby in line with the provider architecture used by the Node and Python SDKs.

Linear: SDK-78

User impact

Ruby users can now construct the normal client with OpenAI::Providers.bedrock(...) and use AWS environment credentials, shared credentials/config files, named profiles, SSO or assume-role profiles, workload identities, explicit static credentials, or refreshable providers. AWS authentication loads aws-sdk-core as an optional dependency; bearer authentication does not require it.

Provider authentication is applied immediately before every transport attempt, so retries receive fresh credentials and a fresh signature over the exact serialized body and retry headers.

Validation

• focused Bedrock, client, and workload-identity suites: 60 runs, 226 assertions, 0 failures, 0 errors
• Bedrock implementation coverage: 98.7% lines, 96.5% branches, 100% methods
• provider registry coverage: 100% lines, branches, and methods
• RuboCop and type checks pass
• git diff --check passes
• gem package isolation check passes

The full generated resource suite requires the local Prism mock server on localhost:4010; without it, those tests stop on expected connection errors. CI provisions that dependency.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4af7fdf180

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[jliccini]

Inline review of the default Bedrock endpoint.

[jliccini]

Approving but noting that the URL thing Codex found might be important. I am not a Bedrock expert but the Ruby lgtm

[jliccini]

Ruby truthiness and optional-value validation review.

[jliccini]

Ruby exception-boundary review.

[jliccini]

Ruby public-type and exception-contract review.