Drop the standalone MinIO StatefulSet — the cluster already runs one
in the `minio` namespace, exposed at minio.arthurbarre.fr. Use that
with a scoped anydrop user + bucket instead of spinning up a second
instance.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds a "Via AnyDrop" flow for senders who need to reach someone not
present on the mesh. The file is sealed client-side (XChaCha20-Poly1305),
uploaded directly to an in-cluster MinIO bucket via a presigned PUT, and
handed off to the recipient as a URL whose fragment carries the key.
The server only ever sees ciphertext, opaque metadata blobs, and sizes.
- server: transfers table (drizzle migration), /api/transfers CRUD +
consume endpoint, presigned PUT/GET via @aws-sdk/client-s3, cleanup
loop that purges expired + exhausted blobs.
- web: @noble/ciphers sealFile/openFile, high-level sendCloud/receive
helpers, CloudSharePanel on Home, /r/:id receive page, /inbox page
for signed-in users (sent + received tabs).
- k8s: MinIO StatefulSet with bucket-init initContainer, S3 env vars
on the server Deployment (credentials pulled from minio-credentials
Secret).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
