sync: pull 33 commits from usnavy13/main (incl. AUTH_ENABLED, Basic auth via URL credentials)

Merges upstream usnavy13/LibreCodeInterpreter:main into On-Behalf-AI:main.

Notable upstream changes pulled:
- 67d2a18 feat: AUTH_ENABLED flag + Basic auth via URL credentials (LibreChat dev compat)
- 64b4494 refactor: Replace MinIO with S3-compatible storage (Garage)
- 9bf6479 feat: Sandbox network access for skill installations
- 3b5794b feat(files): Update file upload restrictions and session limits
- e85e9e8 fix: Match LibreChat's Unicode sanitization
- 74bb001 chore: Simplify CI/CD — remove nightly, lean PR checks, keep release pipeline
- 8323225 chore: Consolidate compose files, update docs for S3/Garage

Conflict resolution:
- .github/workflows/nightly.yml — accepted upstream deletion (74bb001).
  Our local commit 1032ee9 ("on-change+weekly schedule") aimed to reduce GHA
  minute consumption; upstream's full removal goes in the same direction.
  Going forward we rely on ci.yml (lean PR checks) + release.yml.

Preserved On-Behalf-AI customizations:
- .gitleaks.toml (whitelist upstream test fixtures + docs)
- ci/nightly-on-change-weekly history (commits remain in tree even though
  the file is now deleted)

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>

Author: 3 people

.env.example

@@ -6,19 +6,42 @@
 API_KEY=your-secure-api-key-here-change-this-in-production
 # API_KEYS=key1,key2,key3  # Additional API keys (comma-separated)
 # MASTER_API_KEY=your-secure-master-key  # Required for admin dashboard CLI
+#
+# AUTH_ENABLED=true        # Set to false to disable x-api-key/Basic auth checks
+#                          # on user endpoints. Use only when running behind a
+#                          # trusted network boundary. /api/v1/admin/* still
+#                          # requires MASTER_API_KEY regardless.
+#
+# Three ways clients can authenticate when AUTH_ENABLED=true:
+#   1. x-api-key: <key>                                 (recommended for proxies)
+#   2. Authorization: Basic base64("<key>:")            (LibreChat URL credentials)
+#      e.g. LIBRECHAT_CODE_BASEURL=https://<key>@your-api/v1
+#   3. (none, when AUTH_ENABLED=false)
+
+# ── Sandbox network access (skill installs) ───────────────────
+# When ENABLE_SANDBOX_NETWORK=true, sandboxes can reach the internet but only
+# through an inline allowlist proxy that permits PyPI, npm, Go modules, and
+# crates.io. Required for skills that pip/npm/go install dependencies at
+# runtime. Off by default (sandboxes are isolated).
+#
+# ENABLE_SANDBOX_NETWORK=false
+# SANDBOX_EGRESS_PORT=18443                       # local-only, sandbox -> proxy
+# SANDBOX_EGRESS_ALLOWLIST=                       # comma-separated extra hosts
+# SKILL_DEPS_PATH=/opt/skill-deps                 # backing volume mount
 
 # ── Redis ───────────────────────────────────────────────────────
 REDIS_HOST=localhost
 REDIS_PORT=6379
 # REDIS_PASSWORD=
 # REDIS_URL=redis://localhost:6379/0  # Alternative to individual settings
 
-# ── MinIO / S3 ─────────────────────────────────────────────────
-MINIO_ENDPOINT=localhost:9000
-MINIO_ACCESS_KEY=minioadmin
-MINIO_SECRET_KEY=minioadmin
-# MINIO_SECURE=false
-# MINIO_BUCKET=code-interpreter-files
+# ── S3 Storage (Garage) ────────────────────────────────────────
+S3_ENDPOINT=localhost:3900
+S3_ACCESS_KEY=GKminioadmin0000
+S3_SECRET_KEY=minioadminsecret
+# S3_SECURE=false
+# S3_BUCKET=code-interpreter-files
+# S3_REGION=garage
 
 # ── Execution Limits ───────────────────────────────────────────
 # MAX_EXECUTION_TIME=30    # Seconds (default: 30)
@@ -35,7 +58,7 @@ MINIO_SECRET_KEY=minioadmin
 # PORT=8000                # External host port published by docker compose
 
 # ── SSL/HTTPS ──────────────────────────────────────────────────
-# HTTPS works the same with docker-compose.yml and docker-compose.prod.yml:
+# HTTPS configuration:
 # 1. SSL_CERTS_PATH is a host path mounted to /app/ssl inside the container
 # 2. SSL_CERT_FILE and SSL_KEY_FILE must be container paths under /app/ssl
 #