fix: sso.go BuildSSOLoginCmd creates temp dir before validating profile — leak risk

[nathanhuh]

Summary

`BuildSSOLoginCmd()` in `internal/services/aws/sso.go` creates a temporary directory at line 310 before performing profile validation. If validation fails and a new early-return path is added later, the temp dir will leak because the cleanup function is returned to the caller rather than guaranteed internally.

Details

• Cleanup function is returned as a third return value — placing the burden on every caller to `defer cleanup()`
• Profile checks at lines 305–308 currently run before the error path that calls cleanup, but the ordering is fragile
• Any refactor or new early-return path added above line 327 will silently skip cleanup

Checklist

• Move profile existence/validity checks (lines 305–308) to before the `os.MkdirTemp` call at line 310
• Ensure cleanup is called internally on any error return before the function returns
• Add a comment at the return site documenting that callers must `defer cleanup()` for the success path
• Add a test case that verifies the temp dir is removed when an error occurs

References

• `internal/services/aws/sso.go:304-335`

Raised from senior code review (2026-05-12).

[YoungJinJung]

@Unic-bot: assign me

[github-actions]

@YoungJinJung has been assigned to this issue.