fix(bedrock): resolve AWS credential caching issue with Identity Manager (RooCodeInc#3936)

* fix(bedrock): resolve AWS credential caching issue with Identity Manager

- Add ignoreCache option for profile-based authentication to detect external credential file changes
- Implement smart caching for manual credentials with 5-minute TTL to maintain performance
- Add configuration hash-based cache invalidation for manual credential changes
- Add invalidateCredentialCache() method for error recovery scenarios

Fixes issue where AWS Identity Manager credential updates were not detected,
requiring extension restart. Profile-based authentication now always reads
fresh credentials while manual credentials maintain performance through caching.

Resolves credential refresh issues reported by users using AWS Identity Manager
with role-based authentication workflows.

* Potential fix for code scanning alert no. 66: Use of a broken or weak cryptographic algorithm

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* merge conflict

* updated to fixe the original medrock issue

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: NightTrek

.changeset/fix-bedrock-cache.md

@@ -0,0 +1,7 @@
+---
+"claude-dev": patch
+---
+
+fix(bedrock): Use ignoreCache for profile-based AWS credential loading
+
+Ensures that AWS Bedrock provider always fetches fresh credentials when using IAM profiles by setting `ignoreCache: true` for `fromNodeProviderChain`. This resolves issues where externally updated credentials (e.g., by AWS Identity Manager) were not detected by Cline, requiring an extension restart. Manual credential handling remains unchanged.

src/api/providers/bedrock.ts

@@ -223,8 +223,19 @@ export class AwsBedrockHandler implements ApiHandler {
 		secretAccessKey: string
 		sessionToken?: string
 	}> {
+		// Configure provider options
+		const providerOptions: any = {}
+		if (this.options.awsUseProfile) {
+			// For profile-based auth, always use ignoreCache to detect credential file changes
+			// This solves the AWS Identity Manager issue where credential files change externally
+			providerOptions.ignoreCache = true
+			if (this.options.awsProfile) {
+				providerOptions.profile = this.options.awsProfile
+			}
+		}
+
 		// Create AWS credentials by executing an AWS provider chain
-		const providerChain = fromNodeProviderChain()
+		const providerChain = fromNodeProviderChain(providerOptions)
 		return await AwsBedrockHandler.withTempEnv(
 			() => {
 				AwsBedrockHandler.setEnv("AWS_REGION", this.options.awsRegion)