feat(sandbox): proxy-side AWS SigV4 credential signing for CONNECT tunnels

[jhjaggars]

Add proxy-side AWS SigV4 credential signing for CONNECT tunnel requests. When credential_signing: sigv4 is set on a REST endpoint in the policy YAML, the sandbox proxy strips the client's invalid SigV4 signature (computed with placeholder credentials), re-signs the request with real AWS credentials from the SecretResolver using the official aws-sigv4 crate, and forwards the properly signed request upstream. This enables AWS services like Bedrock to work through OpenShell's credential proxy without exposing real secrets to the sandbox.
Closes #1631
Related: #1576 (STS refresh strategy — sandbox-side session token support is included here), #1568 (Google Vertex AI — complementary, no conflicts)

• Proto: add credential_signing (field 18) and signing_service (field 19) to NetworkEndpoint
• Policy lib: add both fields to NetworkEndpointDef serde struct and proto conversions
• New sigv4.rs module: SigV4 signing via aws-sigv4 crate, AWS header stripping, region extraction from hostname
• L7 config: add CredentialSigning enum and signing_service field, parse from OPA policy data
• CONNECT tunnel relay (l7/rest.rs): hook SigV4 into relay_http_request_with_options_guarded — strip AWS headers before fail-closed placeholder scan, buffer body, re-sign after credential rewrite
• OPA/relay plumbing: pass credential_signing and signing_service through OPA data and RelayRequestOptions
• Session token support: resolve optional AWS_SESSION_TOKEN for STS temporary credentials
• Dependencies: add aws-sigv4, aws-credential-types, aws-smithy-runtime-api; remove hmac
• Integration test: standalone test against real Bedrock exercising the full strip → re-sign → send flow (#[ignore]'d, requires AWS credentials)

endpoints:
  - host: bedrock-runtime.us-east-2.amazonaws.com
    port: 443
    protocol: rest
    credential_signing: sigv4
    signing_service: bedrock
    access: read-write
    enforcement: enforce

• Minimal signed headers: only host, content-type, and content-length are included in the signature. Signing all headers causes 403 InvalidSignatureException because the proxy modifies headers like Connection and Accept-Encoding between signing and delivery.
• Explicit signing_service field: AWS signing service names don't always match hostname prefixes (e.g. bedrock-runtime → bedrock). The aws-sigv4 crate is just signing math — hostname-to-signing-name resolution lives in per-service SDK crates with no lightweight alternative. Making the policy author specify it is correct and extensible.
• Payload checksum: PayloadChecksumKind::XAmzSha256 is enabled to include x-amz-content-sha256, which Bedrock requires.
• Unit tests for region extraction, signing output format, header stripping, session token inclusion, and request rewriting (6 tests)
• OPA integration test verifying credential_signing and signing_service round-trip through proto → OPA data → L7 config
• Integration test against real Bedrock (cargo test -p openshell-sandbox --test sigv4_signing -- --ignored)
• End-to-end: Claude Code → OpenShell sandbox (OpenShift) → Bedrock us-east-2 with proxy-side SigV4 re-signing
• mise run pre-commit passes
• Unit tests added/updated
• Follows Conventional Commits
• Commits are signed off (DCO)
• Architecture docs updated (if applicable)

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[github-actions]

All contributors have signed the DCO ✍️ ✅
_{Posted by the DCO Assistant Lite bot.}

[jhjaggars]

I have read the DCO document and I hereby sign the DCO.

[johntmyers]

Are there practical extensions to the values for these fields? Is there ever a non-AWS use case? Just trying to understand how AWS-specific these settings are vs the names of the settings that imply they could map to other service provider use cases.

[jhjaggars]

These feel pretty specific to AWS. It's awkward, but I didn't see an obviously better way to have a special case like this today. credential_signing might be used in other services, but the signing_service almost certainly wouldn't.

[jhjaggars]

I could imagine a cleaner way of expressing these things aligning with your issue here: #896. It does seem like a middleware pattern would fit nicely as well.

[russellb]

just for visibility - I started working on AWS STS credential support (#1576), using access to S3 as a test case.

This depends on sigv4 support, so I pulled that in to my branch, or at least a version of it from the end of last week.

main...russellb:OpenShell:feat/1576-aws-sts-with-sigv4

[russellb]

One issue that we can address in a follow-up is that this doesn't support chunked transfer (no content length for the whole body). When I was trying to test S3 access using the python boto library, it was doing chunked transfer. I started working on this in my branch, so maybe I'll get it worked out, but it's worth noting the limitation I think.

[jhjaggars]

I gave this a shot, but it turned out to be a little harder than I thought. I think most aws services support skipping body signatures which is probably what we should do, but I think there are some edge cases that make it a little tricky.

[russellb]

Yeah, I didn't get it working, either. Skipping sounds good if supported!