Dataset file browser and preview broken on private storage buckets — unsigned fetch #793

@KeitaW

Description

The dataset detail page has two unsigned fetch() calls in the UI SSR that fail with 403 when the backing storage bucket is private (no public access):

  1. File browser listing: fetchManifest performs a plain fetch(url) against the unsigned HTTPS URL from the dataset info location field. S3 (and other private backends) reject with 403, breaking the entire file browser.

  2. File preview — The proxy route at /proxy/dataset/file performs a plain fetch(url) for individual file content (images, text, code). Same unsigned fetch, same 403 on private buckets.

Steps to Reproduce

  1. Deploy OSMO with a private S3 bucket (S3 Block Public Access enabled — the AWS default)
  2. Upload a dataset via a workflow (creates manifest JSON in S3)
  3. Navigate to the dataset detail page in the UI (e.g., /datasets/<bucket>/<dataset-name>)
  4. Observe "Unable to load files" error (file browser)
  5. If file browser is fixed, click any file — observe preview fails (file preview)

Expected Behavior

The file browser should render the file listing and file previews should work, regardless of the bucket's public access settings.

Actual Behavior

The UI SSR throws:

⨯ Error: Failed to fetch manifest: 403
    at c (.next/server/chunks/ssr/_9bf867d7._.js:2:496)

Root Cause

Two locations perform unsigned fetches against storage URLs:

  1. src/ui/src/lib/api/server/dataset-actions.production.ts:24:

    const response = await fetch(url);  // plain fetch, no AWS auth

  2. src/ui/src/app/proxy/dataset/file/route.impl.production.ts:48,63:

    const upstream = await fetch(result.url);  // same issue for file preview

The location field in the dataset info response is an unsigned HTTPS URL (e.g., https://<bucket>.s3.<region>.amazonaws.com/datasets/<id>/manifests/2.json). The service never generates presigned URLs.
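One way the server-side fetch could obtain a URL that a private bucket accepts, shown as an added example (not OSMO code and not from the issue author): a SigV4 presigned GET built with Node's crypto module only. `presignS3Get`, `Creds` and the parameter names are hypothetical; the sketch assumes virtual-hosted-style S3 URLs like the one above and server-held credentials with read access to the object.

```typescript
import { createHash, createHmac } from "node:crypto";

// Hypothetical shape for credentials the server already holds (never sent to the browser).
interface Creds { accessKeyId: string; secretAccessKey: string; sessionToken?: string }

const hmac = (key: Buffer, data: string): Buffer =>
  createHmac("sha256", key).update(data, "utf8").digest();
const sha256Hex = (data: string): string =>
  createHash("sha256").update(data, "utf8").digest("hex");
// RFC 3986 encoding as SigV4 requires (encodeURIComponent leaves !'()* unescaped).
const enc = (s: string): string =>
  encodeURIComponent(s).replace(/[!'()*]/g, (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());

// Turn the unsigned S3 URL from the `location` field into a short-lived
// presigned GET URL (SigV4 query-string authentication, host header signed).
function presignS3Get(location: string, region: string, creds: Creds,
                      expiresSec: number, now: Date = new Date()): string {
  const url = new URL(location);
  const amzDate = now.toISOString().replace(/[-:]|\.\d{3}/g, ""); // e.g. 20130524T000000Z
  const day = amzDate.slice(0, 8);
  const scope = `${day}/${region}/s3/aws4_request`;
  const params: [string, string][] = [
    ["X-Amz-Algorithm", "AWS4-HMAC-SHA256"],
    ["X-Amz-Credential", `${creds.accessKeyId}/${scope}`],
    ["X-Amz-Date", amzDate],
    ["X-Amz-Expires", String(expiresSec)],
    ["X-Amz-SignedHeaders", "host"],
  ];
  // Temporary (role) credentials must carry their session token in the signed query.
  if (creds.sessionToken) params.push(["X-Amz-Security-Token", creds.sessionToken]);
  const query = params.sort(([a], [b]) => (a < b ? -1 : 1))
    .map(([k, v]) => `${enc(k)}=${enc(v)}`).join("&");
  // Canonical path: each segment decoded, then encoded exactly once; slashes kept.
  const path = url.pathname.split("/").map((p) => enc(decodeURIComponent(p))).join("/");
  const canonical = ["GET", path, query, `host:${url.host}`, "", "host", "UNSIGNED-PAYLOAD"].join("\n");
  const toSign = ["AWS4-HMAC-SHA256", amzDate, scope, sha256Hex(canonical)].join("\n");
  // Signing key: HMAC chain over date, region, service and the fixed terminator.
  const key = [day, region, "s3", "aws4_request"]
    .reduce<Buffer>((k, part) => hmac(k, part), Buffer.from("AWS4" + creds.secretAccessKey));
  return `${url.origin}${path}?${query}&X-Amz-Signature=${hmac(key, toSign).toString("hex")}`;
}
```

Keeping `expiresSec` small and presigning per request on the server lets the bucket stay private while the existing `fetch(url)` call sites receive a URL that S3 will authorize.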
