fix: always read fresh credentials from disk on every request

[anasstahr]

Summary

Changes

Remove credential session caching from SessionHolder so that every request reads fresh credentials from disk. Previously, the proxy cached a boto3.Session and only refreshed it reactively after receiving a 401/403 error. Now, SessionHolder.get_session() always creates a new session, ensuring account switches and credential refreshes on disk take effect immediately.

• Replaced mark_needs_refresh() / refresh_if_needed() with a single get_session() method that always returns a fresh session
• Removed reactive 401/403 refresh logic from _handle_error_response (no longer needed)
• Simplified create_transport_with_sigv4 — no longer creates an initial session at startup

User experience

Before: If you switched AWS accounts or refreshed credentials on disk while the proxy was running, the proxy continued using the old cached credentials until they expired and triggered a 401/403. This could result in requests being signed with the wrong account's credentials.

After: Every request reads the current credentials from disk. Switching accounts or refreshing credentials takes effect on the very next request — no 401 roundtrip needed.

Checklist

• I have reviewed the contributing guidelines
• I have performed a self-review of this change
• Changes have been tested
• Changes are documented

Is this a breaking change? (Y/N)

• Yes
• No

Please add details about how this change was tested.

• Did integration tests succeed?
• If the feature is a new use case, is it necessary to add a new integration test case?

Acknowledgment

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[arnewouters]

Does this class still make sense?