fix: aws safe_read calls discard user input, breaking CLI install flow (#1613)

safe_read() outputs via stdout and takes only one argument (the prompt).
Three call sites in aws/lib/common.sh incorrectly passed a variable name
as a second argument instead of using command substitution:

  safe_read "prompt" varname    # BUG: varname never assigned
  varname=$(safe_read "prompt") # CORRECT: captures stdout

This caused:
- Install prompt always defaulting to "y" (user's "n" was ignored)
- AWS credentials never being captured after CLI install, leaving
  AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY empty, so the
  install-then-configure code path always failed silently

Agent: code-health

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

aws/lib/common.sh

@@ -232,7 +232,7 @@ ensure_aws_cli() {
     if ! command -v aws &>/dev/null; then
         log_warn "AWS CLI is not installed."
         local install_choice
-        safe_read "Install AWS CLI now? [Y/n] " install_choice || install_choice="y"
+        install_choice=$(safe_read "Install AWS CLI now? [Y/n] ") || install_choice="y"
         install_choice="${install_choice:-y}"
 
         case "${install_choice}" in
@@ -244,8 +244,8 @@ ensure_aws_cli() {
                     # Installed — now prompt for credentials
                     log_info "Run 'aws configure' to set your AWS credentials."
                     local access_key secret_key
-                    safe_read "AWS Access Key ID: " access_key || return 1
-                    safe_read "AWS Secret Access Key: " secret_key || return 1
+                    access_key=$(safe_read "AWS Access Key ID: ") || return 1
+                    secret_key=$(safe_read "AWS Secret Access Key: ") || return 1
                     export AWS_ACCESS_KEY_ID="${access_key}"
                     export AWS_SECRET_ACCESS_KEY="${secret_key}"
                     export AWS_DEFAULT_REGION="${region}"