Stamp the caller's user and authorizing group onto AWS Bedrock requests via the
X-Amzn-Bedrock-Request-Metadata header (reusing the JSONMetadata identity-inject
shape with a Bedrock-charset sanitizer), so spend can be attributed in AWS Cost
Management. Add a per-provider metadata_disabled flag (default off) that
suppresses identity metadata injection while leaving catalog routing headers
intact.