Merge pull request #4 from On-Behalf-AI/sync/upstream-2026-05-08

sync: merge usnavy13/main (33 commits, incl. AUTH_ENABLED for LibreChat dev compat)

Author: djuillard

.env.example

@@ -6,19 +6,42 @@
 API_KEY=your-secure-api-key-here-change-this-in-production
 # API_KEYS=key1,key2,key3  # Additional API keys (comma-separated)
 # MASTER_API_KEY=your-secure-master-key  # Required for admin dashboard CLI
+#
+# AUTH_ENABLED=true        # Set to false to disable x-api-key/Basic auth checks
+#                          # on user endpoints. Use only when running behind a
+#                          # trusted network boundary. /api/v1/admin/* still
+#                          # requires MASTER_API_KEY regardless.
+#
+# Three ways clients can authenticate when AUTH_ENABLED=true:
+#   1. x-api-key: <key>                                 (recommended for proxies)
+#   2. Authorization: Basic base64("<key>:")            (LibreChat URL credentials)
+#      e.g. LIBRECHAT_CODE_BASEURL=https://<key>@your-api/v1
+#   3. (none, when AUTH_ENABLED=false)
+
+# ── Sandbox network access (skill installs) ───────────────────
+# When ENABLE_SANDBOX_NETWORK=true, sandboxes can reach the internet but only
+# through an inline allowlist proxy that permits PyPI, npm, Go modules, and
+# crates.io. Required for skills that pip/npm/go install dependencies at
+# runtime. Off by default (sandboxes are isolated).
+#
+# ENABLE_SANDBOX_NETWORK=false
+# SANDBOX_EGRESS_PORT=18443                       # local-only, sandbox -> proxy
+# SANDBOX_EGRESS_ALLOWLIST=                       # comma-separated extra hosts
+# SKILL_DEPS_PATH=/opt/skill-deps                 # backing volume mount
 
 # ── Redis ───────────────────────────────────────────────────────
 REDIS_HOST=localhost
 REDIS_PORT=6379
 # REDIS_PASSWORD=
 # REDIS_URL=redis://localhost:6379/0  # Alternative to individual settings
 
-# ── MinIO / S3 ─────────────────────────────────────────────────
-MINIO_ENDPOINT=localhost:9000
-MINIO_ACCESS_KEY=minioadmin
-MINIO_SECRET_KEY=minioadmin
-# MINIO_SECURE=false
-# MINIO_BUCKET=code-interpreter-files
+# ── S3 Storage (Garage) ────────────────────────────────────────
+S3_ENDPOINT=localhost:3900
+S3_ACCESS_KEY=GKminioadmin0000
+S3_SECRET_KEY=minioadminsecret
+# S3_SECURE=false
+# S3_BUCKET=code-interpreter-files
+# S3_REGION=garage
 
 # ── Execution Limits ───────────────────────────────────────────
 # MAX_EXECUTION_TIME=30    # Seconds (default: 30)
@@ -35,7 +58,7 @@ MINIO_SECRET_KEY=minioadmin
 # PORT=8000                # External host port published by docker compose
 
 # ── SSL/HTTPS ──────────────────────────────────────────────────
-# HTTPS works the same with docker-compose.yml and docker-compose.prod.yml:
+# HTTPS configuration:
 # 1. SSL_CERTS_PATH is a host path mounted to /app/ssl inside the container
 # 2. SSL_CERT_FILE and SSL_KEY_FILE must be container paths under /app/ssl
 #