feat: add allow_custom_keys support, requestBulkUploadUrls mutation, auto-path derivation

[pyramation]

Summary

Phase 3a + 3b of the storage roadmap: adds allow_custom_keys support to the presigned URL plugin, the requestBulkUploadUrls mutation, and auto-path derivation from custom keys.

Custom key support (Phase 3a):

• requestUploadUrl now accepts an optional key input field
• When allow_custom_keys=true on the bucket, clients can provide a custom S3 key (e.g., reports/2024/Q1.pdf)
• When key is omitted, falls back to content-hash-based dedup (today's behavior)
• Custom key validation: no traversal (..), no leading /, max 1024 chars, regex-validated
• Re-uploading to an existing custom key auto-creates a new version (links via previous_version_id)
• RequestUploadUrlPayload now includes previousVersionId field

Bulk upload mutation (Phase 3b):

• New requestBulkUploadUrls mutation — batch presigned URL generation
• Enforces maxBulkFiles and maxBulkTotalSize from storage module config (nullable DB columns with plugin-level defaults: 100 files / 1GB)
• Shared processSingleFile() logic between single and bulk mutations

Auto-path derivation:

• When allow_custom_keys=true AND has_path_shares=true, path ltree column auto-derived from S3 key directory (e.g., reports/2024/Q1/revenue.pdf → reports.2024.Q1)

Cache/type updates:

• Storage module queries now select has_path_shares, max_bulk_files, max_bulk_total_size
• Bucket config queries now select allow_custom_keys

Review & Testing Checklist for Human

• Verify custom key validation rejects path traversal (..), leading /, null bytes, and keys > 1024 chars
• Verify dedup works in both modes: content_hash lookup in hash mode, key+version chain in custom mode
• Verify bulk upload limits enforcement (maxBulkFiles, maxBulkTotalSize) returns correct errors
• Verify auto-path derivation produces correct ltree values from S3 key directory portions
• Run upload integration tests with MinIO: cd graphql/server-test && pnpm test -- upload.integration
• Test that allow_custom_keys=false (default) rejects custom keys with CUSTOM_KEY_NOT_ALLOWED error

Notes

• Depends on constructive-db PR refactor: replace process.env with getEnvOptions() in graphile-llm #1011 (schema: allow_custom_keys, content_hash, bulk limit columns) which depends on PR docs: update graphile-llm README with standard header #1010 (version_history computed function)
• New GraphQL types: BulkUploadFileInput, RequestBulkUploadUrlsInput, BulkUploadFilePayload, RequestBulkUploadUrlsPayload
• Codegen regeneration deferred until schema changes are merged in constructive-db

Link to Devin session: https://app.devin.ai/sessions/ffa3ed8652fc412f976accbdc229c88d
Requested by: @pyramation

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring