fn map_sts_error(status: u16, code: &str, message: &str) -> AppError
Categorize a raw STS SDK error string into the canonical AppError.
Centralized so unit tests can exercise the mapping without a live AWS call.
status is the HTTP status code (0 if unknown); code is the AWS error
code string; message is the human-readable error from the SDK.
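
A sketch of what such a centralized mapping can look like, as an added example and not this crate's own code. The AppError variants and the choice of which codes map to which variant are assumptions, since the page names only the type and the function signature.

```rust
// Hypothetical AppError: the variants are assumptions made for this example.
#[derive(Debug, PartialEq)]
pub enum AppError {
    CredentialsExpired,
    CredentialsInvalid,
    AccessDenied(String),
    Throttled,
    ServiceUnavailable,
    Unknown { status: u16, code: String, message: String },
}

pub fn map_sts_error(status: u16, code: &str, message: &str) -> AppError {
    match code {
        // Match on the AWS error code first: it is more specific than the status.
        "ExpiredToken" | "ExpiredTokenException" => AppError::CredentialsExpired,
        "InvalidClientTokenId" | "SignatureDoesNotMatch" | "IncompleteSignature" => {
            AppError::CredentialsInvalid
        }
        "AccessDenied" | "AccessDeniedException" => AppError::AccessDenied(message.to_string()),
        "Throttling" | "ThrottlingException" => AppError::Throttled,
        // Missing or unrecognized code: fall back to the HTTP status (0 = unknown).
        _ => match status {
            403 => AppError::AccessDenied(message.to_string()),
            429 => AppError::Throttled,
            500..=599 => AppError::ServiceUnavailable,
            _ => AppError::Unknown {
                status,
                code: code.to_string(),
                message: message.to_string(),
            },
        },
    }
}

fn main() {
    // Constructed inputs, not captured from a real AWS response.
    let samples = [
        (400, "ExpiredToken", "The security token included in the request is expired"),
        (403, "AccessDenied", "User is not authorized to perform: sts:AssumeRole"),
        (0, "", "dispatch failure"),
    ];
    for (status, code, message) in samples {
        println!("{} {:?} -> {:?}", status, code, map_sts_error(status, code, message));
    }
}
```

Because the function takes plain values rather than an SDK error type, every branch, including the status-0 fallback, can be asserted in a unit test with no network access.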