fix(storage): separate query string from path in SigV4 signing

[designcode]

Note

Medium Risk
Touches SigV4 signing used for credential-based authentication; mistakes could break request auth for any endpoints that use query params. Scope is small and covered by updated integration expectations around rename behavior.

Overview
Fixes AWS SigV4 signing in shared/http-client.ts by signing url.pathname as the request path and passing query parameters via a dedicated query object (instead of including url.search in the path), and exports generateSignatureHeaders for reuse/testing.

Updates storage updateObject integration tests to expect renames (and rename+access updates) to succeed, and adds cleanup steps to rename objects back so subsequent tests remain stable.

^{Written by Cursor Bugbot for commit 32e3f18. This will update automatically on new commits. Configure here.}

[greptile-apps]

Greptile Summary

This PR fixes a SigV4 signing bug where query-string parameters were being concatenated onto the path field of the @smithy/signature-v4 request object (url.pathname + url.search) instead of being passed in the library's separate query field. Because the library builds the canonical query string exclusively from query, the old approach caused the query parameters to land in the canonical URI component rather than the canonical query string component, producing a signature that the server could not verify.

Key changes:

• generateSignatureHeaders now extracts url.searchParams into a Record<string, string> and spreads it into the query field, setting path to url.pathname only — this is the correct structure.
• generateSignatureHeaders is exported so it can be covered by unit tests.
• A new test file shared/http-client.test.ts is added, but the tests do not reliably guard the fix: the first two tests compare two URL variants whose url.search strings are identical after URLSearchParams normalisation, so they would have passed with the old broken code; the third test only checks that expected header keys are present, not that the path is free of the query string.

Confidence Score: 4/5

• The production fix is correct and low-risk; the tests are too weak to provide meaningful regression coverage but do not introduce any bugs.
• The code change itself is minimal, well-targeted, and aligns with the @smithy/signature-v4 API contract. The only concern is that the accompanying tests would not catch a future regression of the same bug, reducing long-term confidence without blocking a merge.
• shared/http-client.test.ts — tests need stronger assertions to actually verify the path/query separation

Important Files Changed

Filename	Overview
shared/http-client.ts	Correctly separates URL query parameters into a dedicated query field when constructing the SigV4 request object, instead of appending url.search directly to path. The fix aligns with how @smithy/signature-v4 computes the canonical query string; no issues found.
shared/http-client.test.ts	New test file for generateSignatureHeaders, but the tests do not actually guard against the regression they claim to cover — both URL variants normalise to the same search string so the first two tests would have passed with the old broken code, and the third test only checks that expected header keys are present rather than verifying path/query separation.

_{Last reviewed commit: a4270ae}

[github-actions]

🎉 This PR is included in version 2.15.5 🎉

The release is available on:

• GitHub release
• npm package (@latest dist-tag)

Your semantic-release bot 📦🚀

[github-actions]

🎉 This PR is included in version 1.4.0 🎉

The release is available on:

• GitHub release
• npm package (@latest dist-tag)

Your semantic-release bot 📦🚀