Improve AWS error reporting and document proxy support

[GrahamCampbell]

Unhandled AWS service errors, such as an access denial while polling the remote state stack, previously rendered as framework crashes with full stack traces. The exception tokenizer now classifies errors carrying an own $metadata property as user errors and, when no code is present, synthesizes a stable one from the AWS error name, for example AWS_ACCESS_DENIED; explicit codes are preserved, and the gate is strict so genuine bugs keep their stack traces. This matches the behavior osls ships, and the stack trace remains available in the verbose log either way.

The getAwsErrorCode helper was duplicated inline in three state modules; it now lives in src/utils/aws/ and is exported alongside the other AWS utilities, with the three consumers importing it from there. The behavior is unchanged.

The README gains a note that compose honors the same proxy, custom certificate authority, and timeout environment variables as osls for its own AWS requests, linking to the new proxy section in the osls credentials guide. While touching those links it turned out the existing documentation links pointed at a main branch that does not exist on the osls repository, so they returned not-found pages; they now point at 4.x.