feat(api): secure proxy download route for S3 files (#3171)

Author: maxgfr

.claude/rules/automation.md

@@ -65,6 +65,10 @@ Before reporting ANY task as done, launch **4 parallel agents**:
 
 If any fails → fix → re-run. Only report completion when all 4 pass.
 
+### Before every push — format & lint check
+
+Before pushing code (`git push`), **always** run `pnpm check:write` (or `pnpm lint:check && pnpm format:check` to verify). The auto-lint hook catches most issues after individual edits, but does not guarantee the final state is clean. A final check before push prevents CI failures.
+
 **Bonus: Next.js runtime check** — if the dev server is running, also call `nextjs_call(get_errors)` via the `next-devtools` MCP to catch runtime/compilation errors not visible in `pnpm typecheck`.
 
 > **Junior-proof policy:** Agents are always in the pipeline — a junior cannot "forget" to run them. The agent itself decides if there is work to do based on the modified files. Zero overhead when not relevant, zero chance of skipping when relevant.

.claude/skills/analyse/SKILL.md

@@ -71,4 +71,4 @@ Present a structured plan:
 
 # Step 4 — Validate
 
-Ask the user to validate, adjust, or ask questions about the plan. Once approved, the user runs `/implement` to execute it.
+Ask the user to validate, adjust, or ask questions about the plan. Once approved, run `/implement` next to execute it.

.claude/skills/implement/SKILL.md

@@ -5,7 +5,9 @@ description: "Implement a GitHub issue: fetch, branch, code, validate. Usage: /i
 
 # /implement
 
-Implements a GitHub issue end-to-end: understand the issue, code it, validate it.
+Implements a GitHub issue end-to-end: code it and validate it.
+
+> **Prerequisite**: Run `/analyse` first to generate a plan. This skill executes the plan, it does not re-analyze the issue.
 
 ## Arguments
 
@@ -67,4 +69,4 @@ Run the quality gates and fix loop as defined in `.claude/rules/automation.md`.
 
 If the dev server is running, also run `pnpm test:lighthouse` (must score 100% accessibility).
 
-Done. Code is validated and ready to ship via `/ship`.
+Done. Code is validated and ready to ship — run `/ship` next.

.claude/skills/ship/SKILL.md

@@ -33,7 +33,7 @@ Analyze commits on the branch. Decide whether to **split** into multiple PRs bas
 - Unrelated concerns mixed together (e.g. refactor + feature + bugfix)
 - Large diff that would be hard to review as a single PR
 
-If the commits form a single cohesive change, create one PR. If not, split.
+If the commits form a single cohesive change, create one PR. If splitting seems appropriate, **always ask for user confirmation before proceeding** — never split without explicit approval.
 
 ---
 
@@ -44,16 +44,10 @@ If the commits form a single cohesive change, create one PR. If not, split.
 Push and create PR targeting `alpha` (`--base alpha`). Use this body template:
 
 ```
+fix #{N}
+
 ## Summary
 <1-3 bullet points from the issue/commits>
-
-Closes #{N}
-
-## Quality gates
-- [x] Typecheck / Tests / Lint
-- [x] Structural / RGAA / Security audit
-
-Generated with [Claude Code](https://claude.com/claude-code)
 ```
 
 ### Split PRs

.github/workflows/e2e.yaml

@@ -21,7 +21,9 @@ jobs:
       EGAPRO_PROCONNECT_ISSUER: ${{ secrets.EGAPRO_PROCONNECT_ISSUER }}
       EGAPRO_WEEZ_API_URL: ${{ secrets.EGAPRO_WEEZ_API_URL }}
       EGAPRO_SUIT_API_URL: ${{ secrets.EGAPRO_SUIT_API_URL }}
-      EGAPRO_SUIT_API_KEY: ${{ secrets.EGAPRO_SUIT_API_KEY }}
+      # Deterministic dev value matching the E2E test's hardcoded key.
+      # The real secret is only needed in deployed environments.
+      EGAPRO_SUIT_API_KEY: dev-suit-api-key-minimum-32-chars-long
       S3_ENDPOINT: http://localhost:9000
       S3_REGION: us-east-1
       S3_ACCESS_KEY_ID: minioadmin