fix(storage): disable acl list objects for new buckets

[designcode]

Note

Medium Risk
Changes default bucket creation behavior by sending ACL_LIST_OBJECTS=false, which may affect callers expecting public buckets to allow unauthenticated listing. Also refactors request header middleware and adds new validation/tests, so any header-setting regressions would surface at runtime.

Overview
Bucket creation now disables directory listing by default by always sending TigrisHeaders.ACL_LIST_OBJECTS=false during createBucket, including for access: 'public' buckets.

The header-setting logic in createBucket is consolidated into a single middleware (tier/consistency/regions/locations/snapshot/fork headers), and a new validation error is returned when sourceBucketSnapshot is provided without sourceBucketName.

Adds bucket-create.integration.test.ts to cover basic creation/listing, public bucket non-listability (expects 403 on unauthenticated ListObjects), snapshot-enabled buckets, fork creation, location variants, combined options, and validation failures.

^{Written by Cursor Bugbot for commit fd890db. This will update automatically on new commits. Configure here.}

[greptile-apps]

Greptile Summary

This PR disables directory listing by default on new buckets by unconditionally setting the ACL_LIST_OBJECTS header to 'false' in the createBucket middleware, and refactors the multiple middleware stack additions into a single consolidated middleware. A new integration test file is added with broad coverage of bucket creation scenarios.

• ACL fix: TigrisHeaders.ACL_LIST_OBJECTS = 'false' is now set for every bucket created, which correctly prevents directory listing by default.
• Middleware consolidation: The three separate command.middlewareStack.add() calls (regions/locations, snapshot, fork) are merged into one, improving readability.
• Behavioral regression: As a side-effect of the refactor, sourceBucketSnapshot is no longer guarded by the sourceBucketName condition — it can now be sent to the server without a source bucket name, which was not possible before.
• Test gap: None of the new integration tests assert that ACL_LIST_OBJECTS is actually disabled on created buckets, leaving the primary fix untested.

Confidence Score: 3/5

• Safe to merge with low risk, but the decoupled sourceBucketSnapshot condition is a regression worth addressing before the release.
• The primary fix is straightforward and correct. The refactor, however, introduces a subtle behavioral change where sourceBucketSnapshot can be sent without sourceBucketName, which could cause unexpected server-side errors for users who pass only sourceBucketSnapshot. Additionally, the new integration test suite doesn't cover the main fix being shipped.
• packages/storage/src/lib/bucket/create.ts — specifically the decoupled sourceBucketSnapshot condition around lines 133–139.

Important Files Changed

Filename	Overview
packages/storage/src/lib/bucket/create.ts	Adds unconditional ACL_LIST_OBJECTS: 'false' header to disable directory listing for new buckets, and consolidates three separate middleware stack additions into one. However, the refactor inadvertently decouples sourceBucketSnapshot from sourceBucketName, allowing the snapshot header to be sent without a source bucket.
packages/storage/src/test/bucket-create.integration.test.ts	New integration test file with good coverage of bucket creation scenarios, but lacks a test asserting the primary fix — that ACL_LIST_OBJECTS is disabled by default on new buckets.

_{Last reviewed commit: ecfabb9}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[github-actions]

🎉 This PR is included in version 2.15.3 🎉

The release is available on:

• GitHub release
• npm package (@latest dist-tag)

Your semantic-release bot 📦🚀

[github-actions]

🎉 This PR is included in version 1.3.1 🎉

The release is available on:

• GitHub release
• npm package (@latest dist-tag)

Your semantic-release bot 📦🚀

[github-actions]

🎉 This PR is included in version 1.1.2 🎉

The release is available on:

• GitHub release
• npm package (@latest dist-tag)

Your semantic-release bot 📦🚀

[github-actions]

🎉 This PR is included in version 1.2.2 🎉

The release is available on:

• GitHub release
• npm package (@latest dist-tag)

Your semantic-release bot 📦🚀