Add AWS CLI v2 for headless SSO/Bedrock authentication

Includes device-code flow docs for browser-less SSO login from
remote/Docker environments.

README.md

@@ -30,6 +30,7 @@ docker compose run --rm devbox
 - **MCP server support** — Node.js included for `npx`-based MCP servers
 - **Non-root user** — runs as `developer` (UID 1000) with sudo
 - **Optional runtimes** — Python, Go via build args (Node.js always included — required for opencode v1.x)
+- **AWS CLI v2** — built-in SSO/Bedrock authentication with headless device-code flow
 - **Multi-arch** — amd64 and arm64
 
 ## Configuration
@@ -70,6 +71,25 @@ docker compose build --build-arg INSTALL_PYTHON=true --build-arg INSTALL_GO=true
 | `INSTALL_PYTHON` | `false` | Python 3 + pip + venv |
 | `INSTALL_GO` | `false` | Go toolchain |
 
+## AWS Bedrock Authentication
+
+When using AWS Bedrock as your LLM provider, you need to authenticate via AWS SSO from inside the container. Since the container runs headless (no browser), use the device-code flow:
+
+```bash
+# Start the container interactively
+docker compose run --rm devbox bash
+
+# Authenticate — prints a URL and code you open in your local browser
+aws sso login --sso-session <your-sso-session> --use-device-code
+
+# Once approved in the browser, start opencode
+opencode
+```
+
+The `--use-device-code` flag outputs a URL and short code instead of trying to open a browser. Copy the URL into any browser (on your laptop, phone, etc.), enter the code, and complete the 2FA flow. The CLI in the container picks up the session automatically.
+
+SSO sessions typically last 8–12 hours before requiring re-authentication.
+
 ## Architecture
 
 ```
@@ -80,7 +100,8 @@ Host Machine
 
 Container (Debian bookworm)
 ├── opencode binary
-├── git, ssh, ripgrep, fd, jq, curl
+├── AWS CLI v2 (SSO + Bedrock auth)
+├── git, ssh, ripgrep, fd, jq, curl, fzf
 ├── Node.js (for MCP servers)
 ├── entrypoint.sh (SSH perms, git config, provider setup)
 └── /workspace ← your code lives here