Hard cut over infra to Fly and S3 deployment #58

Closed
joyzoursky wants to merge 18 commits into main from feat/fly-supabase-hard-cutover

@joyzoursky
Collaborator

Summary

  • Hard-cut over deployment/runtime assumptions from the previous stack to Fly + Supabase, and align repository automation/docs to that direction.
  • Migrate web object storage from GCS-specific implementation to an S3-backed implementation with MinIO-compatible local development support.
  • Close security and runtime gaps across API ownership/auth checks, rate limiting IP trust handling, URL validation, and runtime env handling.

Changes

  • Storage/runtime
      • Replaced object-store-gcs.ts with object-store-s3.ts and updated storage factory/config wiring.
      • Added local S3 smoke validation script and updated docker compose defaults for MinIO.
  • Infrastructure/deploy/docs
      • Removed infra/helm/ surfaces from the repo and updated CI/load-gate/release workflows and maintainers docs for hard-cutover readiness.
      • Added and tightened security-oriented workflow coverage (secret-scan, pinned action refs, workflow hardening updates).
  • API/security/runtime hardening
      • Added/expanded auth and ownership checks for MCP, teams, and file endpoints plus associated route tests.
      • Updated rate-limit client IP extraction to trust Fly-Client-IP.
      • Tightened URL/template security validation for dispatch/runtime/MCP execution paths.
      • Hardened runtime worker/browser environment handling and health/dependency readiness paths.

Validation

  • npm run verify (repo root): failed
  • Lint + TypeScript compile in @skytest/web: passed during verify.
  • Dependency audit (npm audit --audit-level=moderate --package-lock-only): failed with 3 high-severity vulnerabilities currently in lockfile transitive deps (fast-xml-parser via @aws-sdk/xml-builder, socket.io-parser).
  • Manual: not run.

Breaking Changes

  • Removed Helm deployment assets under infra/helm/; Helm-based deployment path is no longer available from this repository.
  • Storage runtime moved from GCS-specific implementation to S3; environments relying on old GCS wiring must migrate to S3-compatible configuration.

Risks

  • Current dependency audit failures remain unresolved and may block strict security gates.
  • Broad cross-cutting scope (infra + runtime + security) increases regression risk without additional integration/staging smoke coverage.
  • Hard cutover assumptions may impact operators still using pre-cutover deployment/storage workflows.

Follow-ups

  • Remediate lockfile vulnerabilities and re-run npm run verify to green.
  • Run end-to-end staging smoke for S3 storage operations and runtime dispatch flow on Fly/Supabase target environment.
  • Confirm operator migration completion for any remaining Helm/GCS-based references outside this repository.

joyzoursky changed the title from "infra: hard-cut over to Fly/Supabase with S3 runtime" to "Cut over infra to Fly and Supabase runtime" on Mar 19, 2026
joyzoursky changed the title from "Cut over infra to Fly and Supabase runtime" to "Hard cut over infra to fly.io and supabase deployment structure" on Mar 19, 2026
joyzoursky changed the title from "Hard cut over infra to fly.io and supabase deployment structure" to "Hard cut over infra to fly.io and supabase deployment" on Mar 19, 2026
joyzoursky changed the title from "Hard cut over infra to fly.io and supabase deployment" to "Hard cut over infra to Fly and S3 deployment" on Mar 19, 2026
joyzoursky closed this on Mar 19, 2026
joyzoursky deleted the feat/fly-supabase-hard-cutover branch on March 19, 2026 09:09
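
The description above lists a change that makes rate-limit client IP extraction trust Fly-Client-IP. As an added example (not code from this pull request or the project), here is one way to derive a rate-limit key from that header. The function names, the `behindFly` flag and the sample addresses are assumptions, as is the premise that Fly's proxy sets the header itself on every request it forwards.

```typescript
// Added example: rate-limit key derivation that trusts Fly-Client-IP only
// when the deployment says the process sits behind Fly's proxy.
type HeaderBag = Record<string, string | string[] | undefined>;

const IPV4 = /^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$/;
// Loose IPv6 shape check: hex digits and colons only (no IPv4-mapped forms).
const IPV6 = /^[0-9a-f:]{2,39}$/i;

function isIpLiteral(value: string): boolean {
  return IPV4.test(value) || (IPV6.test(value) && value.split(":").length >= 3);
}

function singleValue(value: string | string[] | undefined): string | undefined {
  // A repeated header arrives as an array; that is ambiguous, so reject it.
  return typeof value === "string" ? value.trim() : undefined;
}

// `behindFly` is a hypothetical deployment flag: true only when the app
// cannot be reached except through the proxy. If it can be reached directly,
// any caller could set the header and pick its own rate-limit bucket.
function rateLimitKey(
  headers: HeaderBag,
  socketAddr: string,
  behindFly: boolean
): string {
  if (behindFly) {
    const flyIp = singleValue(headers["fly-client-ip"]);
    // Validate the shape so malformed values never become bucket keys.
    if (flyIp !== undefined && isIpLiteral(flyIp)) {
      return flyIp.toLowerCase();
    }
  }
  // X-Forwarded-For is deliberately ignored: its left-most entries are
  // supplied by the client. Fall back to the TCP peer address.
  return socketAddr;
}
```
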