Add AWS CLI v2 for headless SSO/Bedrock authentication

Includes device-code flow docs for browser-less SSO login from
remote/Docker environments.

Dockerfile

@@ -33,6 +33,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     sudo \
     locales \
     procps \
+    unzip \
     && ln -s /usr/bin/fdfind /usr/local/bin/fd \
     && rm -rf /var/lib/apt/lists/*
 
@@ -53,6 +54,18 @@ RUN curl -fsSL https://deb.nodesource.com/setup_${NODE_VERSION}.x | bash - && \
 RUN npm install -g opencode-ai@${OPENCODE_VERSION} && \
     opencode --version
 
+# ── AWS CLI v2 (for SSO/Bedrock authentication) ─────────────────────
+RUN ARCH=$(case "${TARGETARCH}" in \
+      amd64) echo "x86_64" ;; \
+      arm64) echo "aarch64" ;; \
+      *) echo "x86_64" ;; \
+    esac) && \
+    curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-${ARCH}.zip" -o /tmp/awscli.zip && \
+    unzip -q /tmp/awscli.zip -d /tmp && \
+    /tmp/aws/install && \
+    rm -rf /tmp/aws /tmp/awscli.zip && \
+    aws --version
+
 # ── Optional: Python ─────────────────────────────────────────────────
 ARG INSTALL_PYTHON=false
 RUN if [ "${INSTALL_PYTHON}" = "true" ]; then \

README.md

@@ -30,6 +30,7 @@ docker compose run --rm devbox
 - **MCP server support** — Node.js included for `npx`-based MCP servers
 - **Non-root user** — runs as `developer` (UID 1000) with sudo
 - **Optional runtimes** — Python, Go via build args (Node.js always included — required for opencode v1.x)
+- **AWS CLI v2** — built-in SSO/Bedrock authentication with headless device-code flow
 - **Multi-arch** — amd64 and arm64
 
 ## Configuration
@@ -70,6 +71,25 @@ docker compose build --build-arg INSTALL_PYTHON=true --build-arg INSTALL_GO=true
 | `INSTALL_PYTHON` | `false` | Python 3 + pip + venv |
 | `INSTALL_GO` | `false` | Go toolchain |
 
+## AWS Bedrock Authentication
+
+When using AWS Bedrock as your LLM provider, you need to authenticate via AWS SSO from inside the container. Since the container runs headless (no browser), use the device-code flow:
+
+```bash
+# Start the container interactively
+docker compose run --rm devbox bash
+
+# Authenticate — prints a URL and code you open in your local browser
+aws sso login --sso-session <your-sso-session> --use-device-code
+
+# Once approved in the browser, start opencode
+opencode
+```
+
+The `--use-device-code` flag outputs a URL and short code instead of trying to open a browser. Copy the URL into any browser (on your laptop, phone, etc.), enter the code, and complete the 2FA flow. The CLI in the container picks up the session automatically.
+
+SSO sessions typically last 8–12 hours before requiring re-authentication.
+
 ## Architecture
 
 ```
@@ -80,7 +100,8 @@ Host Machine
 
 Container (Debian bookworm)
 ├── opencode binary
-├── git, ssh, ripgrep, fd, jq, curl
+├── AWS CLI v2 (SSO + Bedrock auth)
+├── git, ssh, ripgrep, fd, jq, curl, fzf
 ├── Node.js (for MCP servers)
 ├── entrypoint.sh (SSH perms, git config, provider setup)
 └── /workspace ← your code lives here