fix(provider): auto-refresh AWS SSO credentials on expiry

When fromNodeProviderChain throws CredentialsProviderError (expired or
uninitialized SSO session), spawn 'aws sso login [--profile <name>]',
await successful exit, then retry credential resolution transparently.
The AI SDK never sees an error and the session continues uninterrupted.

Detects by error .name (stable SDK contract) not message string.

Author: bainos

packages/opencode/src/provider/provider.ts

@@ -1,5 +1,6 @@
 import z from "zod"
 import os from "os"
+import { spawn } from "child_process"
 import fuzzysort from "fuzzysort"
 import { Config } from "../config"
 import { mapValues, mergeDeep, omit, pickBy, sortBy } from "remeda"
@@ -291,7 +292,23 @@ function custom(dep: CustomDep): Record<string, CustomLoader> {
         // Build credential provider options (only pass profile if specified)
         const credentialProviderOptions = profile ? { profile } : {}
 
-        providerOptions.credentialProvider = fromNodeProviderChain(credentialProviderOptions)
+        const rawProvider = fromNodeProviderChain(credentialProviderOptions)
+        providerOptions.credentialProvider = async () => {
+          try {
+            return await rawProvider()
+          } catch (e) {
+            if (e instanceof Error && e.name === "CredentialsProviderError") {
+              await new Promise<void>((resolve, reject) => {
+                const args = ["sso", "login", ...(profile ? ["--profile", profile] : [])]
+                const child = spawn("aws", args, { stdio: "pipe" })
+                child.on("exit", (code) => (code === 0 ? resolve() : reject(e)))
+                child.on("error", () => reject(e))
+              })
+              return await rawProvider()
+            }
+            throw e
+          }
+        }
       }
 
       // Add custom endpoint if specified (endpoint takes precedence over baseURL)