[codex] Add Amazon Bedrock Responses support

[jim-openai]

Summary

• add first-class BedrockOpenAI / AsyncBedrockOpenAI provider clients
• support Bedrock base URL, region, static bearer token, and refreshable token-provider config
• support Python module config via openai.api_type = "amazon-bedrock" / OPENAI_API_TYPE=amazon-bedrock
• keep Bedrock support thin: SDK adapts auth and base URL, while AWS owns endpoint and feature validation
• add focused tests, docs, and an example

Review Notes

• This rewrite removes the earlier SDK-side endpoint/tool/include/websocket guards. Formerly guarded calls now send requests and surface normal AWS HTTP errors through the standard SDK error pipeline.
• Bedrock does not implicitly reuse OPENAI_API_KEY; it reads AWS_BEARER_TOKEN_BEDROCK unless the caller passes api_key or bedrock_token_provider.
• Generated admin-security routes reuse the Bedrock bearer token so they pass through to AWS instead of failing SDK auth resolution before the request.
• workload_identity stays out of the Bedrock constructors. copy / with_options retain the base copy auth keywords for override typing and reject non-Bedrock auth if passed.
• Kept regional Mantle endpoint derivation for now; no global endpoint behavior is added before AWS defines it.
• Deliberately deferred a separate Bedrock auth/config struct. Inline config keeps this PR small and self-contained; a dedicated struct may age better if AWS adds more auth or endpoint modes.

Testing

• focused Python Bedrock/module tests: 46 passed
• Ruff format/check on touched Python files
• Pyright on src/openai/lib/bedrock.py: 0 errors
• live us-east-2 probes with refreshed Bedrock credentials:
  • earlier same-day openai.gpt-5.5 pass completed static bearer-token SSE and two token-provider responses.create calls
  • current recheck confirmed /v1/models returns 200 and lists openai.gpt-5.4 / openai.gpt-5.5
  • current direct /openai/v1/responses and SDK responses.create probes return Bedrock 500 internal_server_error for both openai.gpt-5.4 and openai.gpt-5.5; SDKs surface normal InternalServerError with request ids, so no SDK workaround was added
  • responses.connect() still passes through and AWS rejects the websocket handshake with HTTP 405

[jim-openai]

@trevorcreech CC for the "early parity/error" detection

[apcha-oai]

Main note is we should consider whether we want errors in the client or not. Philosophically putting these on the client will force users to update later as we cut releases which is slightly not ideal imo.

If AWS is going to 400/404 in these cases think it is better to rely on the server-side (similar to azure) so users can seamlessly get those updates without being forced to update their openai lib as AWS makes updates.

[apcha-oai]

Consider: this is copying azure but may not evolve well to future configurations. See another example like https://github.com/openai/openai-python/blob/main/src/openai/auth/_workload.py#L29-L40

peaceful with this for now though may be better to model within a separate struct and pass that in as config for future config updates

[jim-openai]

IIUC this would require a small change in core. If you're cool with this for now, i'll try to keep change limited to bedrock support, but very open to a follow up change.

[apcha-oai]

Yeah peaceful with following azure for now

[apcha-oai]

This seems a little strict but not sure what AWS's expectations are here, consider defaults

[jim-openai]

Right now bedrock/mantle only supports regional endpoints. Global is shipping within O(weeks), but I don't know the exact implementation yet.

So I think we need to keep this for now.

[apcha-oai]

Ack we can loosen later to optional

[jim-openai]

Pushed new version

[apcha-oai]

Looks good! Only small note is think you will need to readd the workload_identity on copy to keep types happy but other than that looks fine

[apcha-oai]

Ack we can loosen later to optional

[jim-openai]

Updated after follow-up: addressed the copy / with_options typing note by retaining the base copy auth keywords and rejecting non-Bedrock auth if passed; reran focused tests, Ruff, and Pyright. Apologies that I could not complete the planned fresh manual Responses recheck: Bedrock /openai/v1/responses was returning provider-side 500 internal_server_error for both openai.gpt-5.4 and openai.gpt-5.5, reproduced with direct curl and confirmed by others, so I did not add an SDK workaround. The PR body has the current manual probe details.