LibreChat/packages
Ravi Kumar L 05d4e90f91
🌩️ feat: Strict CloudFront signed cookie enforcement via requireSignedAccess (#13078)
* feat(cloudfront): add requireSignedAccess to enforce strict signed access

Introduces cloudfront.requireSignedAccess (default false). When enabled,
initializeCloudFront requires both CLOUDFRONT_KEY_PAIR_ID and
CLOUDFRONT_PRIVATE_KEY, rejects the unimplemented imageSigning="url"
mode, and initializeFileStorage throws to block startup on any
CloudFront init failure. OSS path is unchanged: missing keys still
log-and-continue when requireSignedAccess is false.

Adds low-noise startup and cookie-issuance logs without leaking signed
URLs, policies, signatures, private keys, or cookie values.

* fix(cloudfront): reject requireSignedAccess unless imageSigning is "cookies"

Previously requireSignedAccess=true was accepted with imageSigning="none"
or "url", but setCloudFrontCookies() only runs for "cookies" — leaving
strict mode toothless: CloudFront stayed publicly accessible, or image
delivery broke on a distribution that actually requires signed access.

Adds a Zod refinement plus a runtime guard in initializeCloudFront so
the only currently-functional strict configuration is imageSigning
"cookies". Signed URL mode can lift this restriction once implemented.

* fix(cloudfront): resolve strict access type checks

* chore(cloudfront): reduce strict startup log noise

---------

Co-authored-by: Danny Avila <danny@librechat.ai>
2026-05-11 23:30:01 -04:00
api 🌩️ feat: Strict CloudFront signed cookie enforcement via requireSignedAccess (#13078) 2026-05-11 23:30:01 -04:00
client 📦 chore: Bump @babel/preset-env to v7.29.5 (#13034) 2026-05-08 19:51:06 -04:00
data-provider 🌩️ feat: Strict CloudFront signed cookie enforcement via requireSignedAccess (#13078) 2026-05-11 23:30:01 -04:00
data-schemas 🧯 fix: Bound Permission Superset Cache Inputs (#13065) 2026-05-11 08:39:37 -04:00