Hard cutover of infrastructure to Fly and S3

[joyzoursky]

Summary

• Complete the hard cutover of skytest-agent runtime and repo surfaces away from Helm/GCS assumptions toward Fly process groups and S3-compatible storage.
• Strengthen runtime/API security guards (auth, ownership, URL safety, trusted client IP handling).
• Harden CI policy and verification workflows, and finalize local infra/docs alignment.
• Remove the remaining Supabase wording in runtime repo docs to keep provider references neutral.

Changes

• Infrastructure/runtime storage migration:
  • remove infra/helm/* assets
  • migrate object storage runtime from GCS path to S3-compatible implementation
  • update local docker stack and operator docs for Postgres + MinIO
• Security and behavior fixes:
  • tighten team membership and ownership protections
  • enforce trusted Fly client IP preference for rate limiting
  • improve runtime URL guard behavior and tests
  • fix queued-run URL template validation path
• CI/ops hardening:
  • update workflow controls and add secret scan workflow
  • repair load-gate workflow and MinIO image tag handling
• Documentation:
  • clean up predeploy guidance
  • replace remaining Supabase-specific wording with provider-neutral Postgres wording

Validation

• npm run verify (from repo root) ✅
  • includes lint, type-check, Prisma generate, and npm audit --audit-level=moderate --package-lock-only
• rg -n "supabase|Supabase" -S . --hidden --glob '!.git' ✅ (no matches)

Breaking Changes

• Helm deployment artifacts under infra/helm/ are removed.
• Runtime storage implementation no longer includes the prior GCS path (object-store-gcs.ts removed); S3-compatible storage is the supported runtime path.