feat: Identity — JWT Federation Lifecycle #394

@Hweinstock

Description

Problem

The SDK's IdentityClient lets customers exchange tokens and manage credential providers at runtime, but the IAM prerequisites that make these features work have no SDK support. Before @requires_access_token, @requires_iam_access_token, or get_token() can function, customers must:

  1. Enable AWS IAM Outbound Web Identity Federation at the account level — an obscure one-time IAM API call (enable_outbound_web_identity_federation) that isn't documented alongside the SDK's identity features
  2. Configure the agent's execution role with the correct trust policy (bedrock-agentcore.amazonaws.com as trusted principal) and inline policies for workload token exchange, Secrets Manager access, and JWT signing permissions

Without this, customers follow the SDK docs, try @requires_access_token, get cryptic auth failures, and have to reverse-engineer the IAM setup themselves. The starter toolkit automates this with setup_aws_jwt_federation() and ensure_identity_permissions() — the SDK should provide the same so that identity features work out of the box.
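As an added illustration (not code from the SDK or the starter toolkit), the following Python sketch implements the idempotent part of step 2 above: it inspects an execution role's assume-role policy document, checks whether it already trusts bedrock-agentcore.amazonaws.com for sts:AssumeRole, and appends the trust statement only when it is missing. The statement Sid is a constructed placeholder, and pushing the result to IAM (update_assume_role_policy) is left out so the sketch runs offline.

```python
import json

# The trusted service principal is the one named in the issue; the Sid is a
# constructed label used only to make the added statement easy to spot.
AGENTCORE_PRINCIPAL = "bedrock-agentcore.amazonaws.com"
TRUST_SID = "AgentCoreIdentityTrust"


def agentcore_trust_statement():
    """Trust statement allowing the AgentCore service to assume the execution role."""
    return {
        "Sid": TRUST_SID,
        "Effect": "Allow",
        "Principal": {"Service": AGENTCORE_PRINCIPAL},
        "Action": "sts:AssumeRole",
    }


def _as_set(value):
    # IAM policy JSON allows a single string or a list for Action / Service.
    return {value} if isinstance(value, str) else set(value or [])


def _statements(policy):
    # "Statement" may also be a single object rather than a list.
    statements = policy.get("Statement", [])
    return [statements] if isinstance(statements, dict) else list(statements)


def role_trusts_agentcore(policy):
    """True if an Allow statement already grants sts:AssumeRole to the AgentCore principal."""
    for st in _statements(policy):
        services = _as_set(st.get("Principal", {}).get("Service"))
        if (st.get("Effect") == "Allow"
                and AGENTCORE_PRINCIPAL in services
                and "sts:AssumeRole" in _as_set(st.get("Action"))):
            return True
    return False


def ensure_agentcore_trust(policy):
    """Return (policy_dict, changed); an already-correct policy is returned unchanged."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    policy = dict(policy or {"Version": "2012-10-17"})
    policy["Statement"] = _statements(policy)
    if role_trusts_agentcore(policy):
        return policy, False            # idempotent: nothing to add
    policy["Statement"].append(agentcore_trust_statement())
    return policy, True
```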

Acceptance Criteria

  • Customers can enable AWS IAM Outbound Web Identity Federation (idempotent)
  • Customers can check whether JWT federation is enabled and retrieve the issuer URL
  • Customers can configure execution role trust policies and inline policies for identity flows
  • Customers can configure execution role permissions for AWS JWT signing with audience/algorithm/duration conditions
  • All functionality is verified via integration tests running in CI
