Client layer: follow S3 region redirects.

AWS answers a request aimed at the wrong region with a redirect that names the right one: 400 AuthorizationHeaderMalformed carrying a <Region> element (the endpoint is reachable but the request was signed for the wrong region), or 301 PermanentRedirect carrying an <Endpoint> element (the request must go to a different host). The correct region is also echoed in the x-amz-bucket-region header. This layer detects those, rewrites the request (signing region and/or host) and retries once, so the inner signing layer re-signs for the new target.

It is placed above the retry layer and below signing. Single-region S3-compatible stores never emit these responses, so the layer is a no-op there. Host rewriting follows AWS's virtual-hosted <Endpoint> and keeps the path, so it targets virtual-hosted addressing (the AWS default). Streamed response bodies are left untouched; detection then relies on the x-amz-bucket-region header.