[codex] add managed Amazon Bedrock login and logout

[celia-oai]

Why

The provider-scoped auth stack can report whether Amazon Bedrock is using a Codex-managed API key, but app-server clients still cannot establish or remove that managed credential. This adds the follow-up account RPC flow while deliberately leaving runtime provider reloading to a later change.

Depends on #27751.

Stack: #27443 → #27689 → #27751 → this PR.

What changed

• add amazonBedrock to v2 account/login/start, including API key and region validation and generated schemas
• persist the Bedrock API key and write model_provider = "amazon-bedrock" to the active user config/profile before returning
• activate the credential immediately only when app-server already started on Bedrock; otherwise preserve startup runtime/account state and require restart
• make managed logout remove only managed Bedrock auth and clear the user-layer provider only while it is still amazon-bedrock
• keep AWS-managed logout as a no-op and preserve replacement non-Bedrock auth
• add compensation for cross-store failures and reject provider selections that remain overridden
• document notification and restart behavior

Runtime provider/config reload for loaded sessions, account reads, history filters, and notifications is intentionally out of scope for this PR.

Test plan

• just test -p codex-app-server
• just test -p codex-app-server-protocol
• just test -p codex-login
• just test -p codex-model-provider