merge: integrate origin/main (33 commits incl. AUTH_ENABLED) into feat/agent-skills-runtime

Brings AUTH_ENABLED + Basic-auth-via-URL-credentials support, S3/Garage,
hardening tmpfs/skill-deps, slim CI, etc. into our skills feature branch.
Required for LibreChat dev compat (PR #12767 dropped X-API-Key from
uploadCodeEnvFile — see security-toolkit#96 for the corresponding LibreChat
workaround).

Conflicts resolved (5 zones in 4 files, all in src/services/sandbox/* +
src/services/programmatic.py, none in auth/middleware):

1. src/services/sandbox/executor.py (lang-with-/proc list):
   COMBINED — keep ("java", "rs", "py", "python", "bash"). OURS gave /proc
   to Python (legacy DOCX/PPTX/XLSX skill path), THEIRS gave it to bash
   (LibreChat bash_tool migration). Both paths coexist on this fork until
   skills are migrated to bash exclusively.

2. src/services/sandbox/executor.py (NODE_PATH):
   THEIRS — use deps_root for consistency with PYTHONPATH/PIP_TARGET/GOPATH
   already on this branch. /opt/skill-deps is auto-created at startup by
   _startup_egress_proxy when ENABLE_SANDBOX_NETWORK=true (which we have).

3. src/services/sandbox/nsjail.py (seccomp bind syscall):
   COMBINED — same logic as conflict 1: ("py", "python", "java", "bash")
   are exempt from bind blocking, because LibreOffice (soffice) uses
   AF_UNIX sockets between oosplash and soffice.bin, regardless of which
   language invokes it. Variable renamed to seccomp_policy (THEIRS, more
   explicit).

4. src/services/programmatic.py (PTC wrapper, /proc + tmpfs hardening):
   COMBINED SELECTIVELY — keep OURS on /proc accessibility (PTC may invoke
   LibreOffice for skills) AND take THEIRS on the tmpfs/skill-deps
   hardening (BUG-007 + BUG-008): noexec,nosuid,nodev on /tmp, /var/tmp,
   /run/lock, /var/lib/php/sessions; nosuid,nodev bind on skill-deps.

5. src/services/sandbox/pool.py (REPL pool wrapper, /proc + tmpfs):
   COMBINED SELECTIVELY — same as conflict 4. Note: upstream comment
   "REPL is Python-only, always safe to mask /proc" doesn't hold for this
   fork because Python skills shell out to soffice which requires /proc.

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>

Author: 3 people

.env.example

@@ -6,19 +6,42 @@
 API_KEY=your-secure-api-key-here-change-this-in-production
 # API_KEYS=key1,key2,key3  # Additional API keys (comma-separated)
 # MASTER_API_KEY=your-secure-master-key  # Required for admin dashboard CLI
+#
+# AUTH_ENABLED=true        # Set to false to disable x-api-key/Basic auth checks
+#                          # on user endpoints. Use only when running behind a
+#                          # trusted network boundary. /api/v1/admin/* still
+#                          # requires MASTER_API_KEY regardless.
+#
+# Three ways clients can authenticate when AUTH_ENABLED=true:
+#   1. x-api-key: <key>                                 (recommended for proxies)
+#   2. Authorization: Basic base64("<key>:")            (LibreChat URL credentials)
+#      e.g. LIBRECHAT_CODE_BASEURL=https://<key>@your-api/v1
+#   3. (none, when AUTH_ENABLED=false)
+
+# ── Sandbox network access (skill installs) ───────────────────
+# When ENABLE_SANDBOX_NETWORK=true, sandboxes can reach the internet but only
+# through an inline allowlist proxy that permits PyPI, npm, Go modules, and
+# crates.io. Required for skills that pip/npm/go install dependencies at
+# runtime. Off by default (sandboxes are isolated).
+#
+# ENABLE_SANDBOX_NETWORK=false
+# SANDBOX_EGRESS_PORT=18443                       # local-only, sandbox -> proxy
+# SANDBOX_EGRESS_ALLOWLIST=                       # comma-separated extra hosts
+# SKILL_DEPS_PATH=/opt/skill-deps                 # backing volume mount
 
 # ── Redis ───────────────────────────────────────────────────────
 REDIS_HOST=localhost
 REDIS_PORT=6379
 # REDIS_PASSWORD=
 # REDIS_URL=redis://localhost:6379/0  # Alternative to individual settings
 
-# ── MinIO / S3 ─────────────────────────────────────────────────
-MINIO_ENDPOINT=localhost:9000
-MINIO_ACCESS_KEY=minioadmin
-MINIO_SECRET_KEY=minioadmin
-# MINIO_SECURE=false
-# MINIO_BUCKET=code-interpreter-files
+# ── S3 Storage (Garage) ────────────────────────────────────────
+S3_ENDPOINT=localhost:3900
+S3_ACCESS_KEY=GKminioadmin0000
+S3_SECRET_KEY=minioadminsecret
+# S3_SECURE=false
+# S3_BUCKET=code-interpreter-files
+# S3_REGION=garage
 
 # ── Execution Limits ───────────────────────────────────────────
 # MAX_EXECUTION_TIME=30    # Seconds (default: 30)
@@ -35,7 +58,7 @@ MINIO_SECRET_KEY=minioadmin
 # PORT=8000                # External host port published by docker compose
 
 # ── SSL/HTTPS ──────────────────────────────────────────────────
-# HTTPS works the same with docker-compose.yml and docker-compose.prod.yml:
+# HTTPS configuration:
 # 1. SSL_CERTS_PATH is a host path mounted to /app/ssl inside the container
 # 2. SSL_CERT_FILE and SSL_KEY_FILE must be container paths under /app/ssl
 #