feat(client): sign presigned URLs against a public endpoint

[cjimti]

Problem

Client builds its presign client from the same s3.Client used for data operations, so presigned URLs are signed against Config.Endpoint. In clustered deployments Endpoint is an internal/cluster address (for example a SeaweedFS service DNS name like http://seaweedfs-s3:8333). Presigned URLs handed back to a browser or an external agent therefore point at a host that is not resolvable or reachable from outside the cluster, so the download fails.

Change

Add an optional public-facing endpoint used only when signing presigned URLs:

• Config.PresignEndpoint (env S3_PRESIGN_ENDPOINT) in pkg/client/config.go. When set, presigned URLs sign against it; when empty it falls back to Endpoint, preserving prior behavior. Added to FromEnv, Clone, and a PresignBaseEndpoint() helper.
• In New (pkg/client/client.go), when PresignEndpoint is set, build a dedicated presign client whose BaseEndpoint is the public endpoint (carrying UsePathStyle over). Data operations keep using the internal-Endpoint client. With no presign endpoint configured, both are the same client, so behavior is unchanged.

This is safe for path-style addressing because the SigV4 query signature on a presigned URL does not cover the host, so swapping the base endpoint on the presign client still yields a signature that validates against the public host.

Stdlib vulnerability fix

make verify (govulncheck) flagged two reachable Go standard-library vulnerabilities because the build floated to the unpatched go1.26.3 toolchain (go.mod had no toolchain directive):

• GO-2026-5039 — net/textproto, reachable via Client.GetObject -> io.ReadAll
• GO-2026-5037 — crypto/x509, reachable via the same path and main

Pinned toolchain go1.26.4 (the patched release) in go.mod. actions/setup-go honors it via go-version-file: go.mod, and CI now installs the patched toolchain. govulncheck reports 0 reachable vulnerabilities.

Tests

TestNew_PresignEndpoint (pkg/client/client_test.go) builds a real client via New (presigning is local, no network) and asserts:

• with PresignEndpoint set, the signed URL host is the public endpoint;
• with it empty, the host falls back to Endpoint.

Verified adversarially: reverting the client.go change makes the test fail with the internal host (http://internal:8333) instead of the public host.

make verify passes end to end (tidy, lint, test, coverage, security, deadcode, build-check).

Downstream

Enables the consuming platform to hand out externally reachable presigned URLs by setting S3_PRESIGN_ENDPOINT / PresignEndpoint to the public S3 address while keeping the internal endpoint for data traffic. The platform-side wiring (a public_endpoint config mapped to PresignEndpoint) lands once this is released.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.08%. Comparing base (4c809da) to head (321746c).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #109      +/-   ##
==========================================
+ Coverage   87.03%   87.08%   +0.04%     
==========================================
  Files          39       39              
  Lines        2167     2175       +8     
==========================================
+ Hits         1886     1894       +8     
  Misses        173      173              
  Partials      108      108              

Files with missing lines	Coverage Δ
pkg/client/client.go	95.61% <100.00%> (+0.11%)	⬆️
pkg/client/config.go	100.00% <100.00%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.