fix: preserve original error messages for invalid/missing credentials

Restore the "Check your env vars" hint for InvalidClientTokenId and
the "Or set env vars" fallback for no-credentials case. Dynamic
version-aware guidance is only used for expired credentials where
users are most likely to need aws login instructions.

Author: Abhimanyu Siwach

src/cli/aws/account.ts

@@ -55,10 +55,9 @@ export async function detectAccount(): Promise<string | null> {
     }
 
     if (code === 'InvalidClientTokenId' || code === 'SignatureDoesNotMatch') {
-      const guidance = await getAwsLoginGuidance();
       throw new AwsCredentialsError(
         'AWS credentials are invalid.',
-        `AWS credentials are invalid.\n\nTo fix this:\n  ${guidance}`
+        'AWS credentials are invalid.\n\nTo fix this:\n  1. Check your AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY\n  2. Or run: aws login'
       );
     }
 
@@ -83,7 +82,7 @@ export async function validateAwsCredentials(): Promise<void> {
     const guidance = await getAwsLoginGuidance();
     throw new AwsCredentialsError(
       'No AWS credentials configured.',
-      `No AWS credentials configured.\n\nTo fix this:\n  ${guidance}`
+      `No AWS credentials configured.\n\nTo fix this:\n  ${guidance}\n  Or set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables`
     );
   }
 }