🐛 fix: restore file access URL policy

[tjx666]

💻 Change Type

• ✨ feat
• 🐛 fix
• ♻️ refactor
• 💄 style
• 👷 build
• ⚡️ perf
• ✅ test
• 📝 docs
• 🔨 chore

🔗 Related Issue

Fixes #15143

🔀 Description of Change

• Restore file access URL resolution through FileService after the previous revert.
• Keep /f/:id as a temporary presigned file proxy by adding a cached presigned preview URL API.
• Pass file IDs through message file URL post-processing so server-side consumers can use stable /f/:id access URLs.
• Clarify the S3 public URL fallback branch with an explicit public URL base guard.

🧪 How to Test

• Tested locally
• Added/updated tests
• No tests needed

bunx vitest run --silent='passed-only' 'src/app/(backend)/f/[id]/route.test.ts' 'src/server/services/file/__tests__/index.test.ts' 'src/server/services/file/impls/s3.test.ts' 'src/server/routers/lambda/__tests__/file.test.ts' 'src/server/services/aiAgent/__tests__/execAgent.files.test.ts'\ncd packages/database && bunx vitest run --silent='passed-only' 'src/models/__tests__/messages/message.query.test.ts'\n```\n\n#### 📸 Screenshots / Videos\n\nN/A\n\n#### 📝 Additional Information\n\nThis re-applies the file access URL policy while keeping file proxy redirects temporary instead of switching `/f/:id` to public URLs when public S3 settings are present.

[sourcery-ai]

Sorry @tjx666, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4080af3f71

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Preserve the proxy redirect's short expiry

When /f/:id is hit, this now omits the expiresIn argument, so the helper falls back to S3_PREVIEW_URL_EXPIRE_IN (7200 seconds by default in src/envs/file.ts) instead of the previous explicit 300-second proxy URL. Because this endpoint is public by file id and returns a direct S3 redirect, anyone who captures the Location header now gets much longer direct object access than the route previously allowed; pass the short proxy TTL through the cached helper to keep the old access policy.

Useful? React with 👍 / 👎.