fix(iam): auth validation in iam http client #75

Merged: designcode merged 2 commits into main from fix/auth-validation-in-iam-http-client on Mar 27, 2026

@designcode designcode commented Mar 27, 2026

Note

Medium Risk
Touches IAM client authentication/validation logic; mistakes could break IAM calls or unintentionally allow unauthenticated requests, though the change is localized to client creation.

Overview
Tightens createIAMClient validation to require either a sessionToken or access-key credentials (accessKeyId + secretAccessKey), and only enforces organizationId when a session token is used.

This unblocks IAM calls that authenticate via access keys while still failing fast on missing/invalid auth configuration, without changing the request logic of individual IAM operations (e.g., whoami, listAccessKeys).

Written by Cursor Bugbot for commit 1727b82. This will update automatically on new commits.

greptile-apps bot commented Mar 27, 2026

Greptile Summary

This PR fixes auth validation in the IAM HTTP client by replacing the ad-hoc skipCheck bypass with a proper dual-auth model that accepts either a session token (with organizationId) or access key credentials (accessKeyId + secretAccessKey).

Key changes:
- http-client.ts: Removes the skipCheck parameter. The new logic correctly gates on hasCredentials = accessKeyId && secretAccessKey, allowing credentials as a first-class alternative to session tokens. The organizationId requirement is now scoped only to session-token flows, which makes sense since credential-based flows don't need it for routing.
- whoami.ts: Removes the skipCheck=true workaround. The old bypass was likely there because whoami was called with credentials (not a session token), which the old validation would have rejected since it only checked for sessionToken. The new credential-aware validation renders the skip unnecessary.
- access-key/list.ts: Minor clarity improvement — explicitly passes false for isManagement instead of leaving it as undefined.
- package.json / sub-packages: Routine dependency version bumps (commitlint, eslint, vitest, AWS SDK, @tigrisdata/storage).

Confidence Score: 5/5

Safe to merge — logic is correct, no regressions, and the auth validation is strictly improved.

All changes are either straightforward validation improvements or routine dependency bumps. The removal of skipCheck is well-motivated by the new credential-based auth path, no existing valid use-case is broken, and no P0/P1 issues were found.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| packages/iam/src/lib/http-client.ts | Core auth validation refactored: removed the skipCheck workaround and added proper credential-based auth (accessKeyId + secretAccessKey) as an alternative to sessionToken; organizationId now only required when using sessionToken. |
| packages/iam/src/lib/whoami.ts | Removed skipCheck=true workaround; whoami now goes through proper auth validation — now requires either credentials or sessionToken+organizationId. |
| packages/iam/src/lib/access-key/list.ts | Minor clarity improvement: explicitly passes false for isManagement (previously undefined, which is functionally equivalent). |
| package.json | Routine dev dependency bumps: commitlint, eslint, typescript-eslint, vitest. |
| packages/storage/package.json | Routine AWS SDK dependency bumps to 3.1018.0 and smithy/signature-v4 to 5.3.12. |
| packages/keyv-tigris/package.json | Bumped @tigrisdata/storage peer dependency from ^2.15.3 to ^2.15.6. |
| packages/react/package.json | Bumped @tigrisdata/storage peer dependency from ^2.15.3 to ^2.15.6. |

Reviews (1): Last reviewed commit: "fix(iam): auth validation in iam http cl..." | Re-trigger Greptile
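
The validation rule described in the two summaries above, as an added TypeScript sketch that is not the project's code and not part of either comment. `IAMAuthConfig`, `validateIAMAuth`, `sampleConfigs` and `checkSamples` are hypothetical names, and two behaviours are assumptions: blank strings count as missing, and a supplied sessionToken needs organizationId even when access keys are also present.

```typescript
// Added illustration; every name here is hypothetical, not the project's code.
interface IAMAuthConfig {
  sessionToken?: string;
  organizationId?: string;
  accessKeyId?: string;
  secretAccessKey?: string;
}
type AuthMode = "session-token" | "access-key";
type AuthCheck = { ok: true; mode: AuthMode } | { ok: false; error: string };

// Undefined, empty and whitespace-only values all count as missing (fail closed).
function present(v: string | undefined): boolean {
  return typeof v === "string" && v.trim().length > 0;
}

function validateIAMAuth(cfg: IAMAuthConfig): AuthCheck {
  const hasSession = present(cfg.sessionToken);
  // Both halves of the key pair are required; one alone is not a credential.
  const hasCredentials = present(cfg.accessKeyId) && present(cfg.secretAccessKey);
  if (!hasSession && !hasCredentials) {
    return { ok: false, error: "sessionToken or accessKeyId + secretAccessKey required" };
  }
  // Assumption: a supplied sessionToken always needs organizationId,
  // even when access keys are also present.
  if (hasSession && !present(cfg.organizationId)) {
    return { ok: false, error: "organizationId required with sessionToken" };
  }
  return { ok: true, mode: hasSession ? "session-token" : "access-key" };
}

// Constructed sample configurations (placeholder values, not real credentials).
const sampleConfigs: Array<[string, IAMAuthConfig]> = [
  ["access keys only", { accessKeyId: "EXAMPLE_KEY_ID", secretAccessKey: "EXAMPLE_SECRET" }],
  ["session + org", { sessionToken: "EXAMPLE_TOKEN", organizationId: "EXAMPLE_ORG" }],
  ["session without org", { sessionToken: "EXAMPLE_TOKEN" }],
  ["key id without secret", { accessKeyId: "EXAMPLE_KEY_ID" }],
  ["blank secret", { accessKeyId: "EXAMPLE_KEY_ID", secretAccessKey: "  " }],
  ["nothing", {}],
];

// Returns label -> auth mode, or "rejected: <reason>".
function checkSamples(): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [label, cfg] of sampleConfigs) {
    const r = validateIAMAuth(cfg);
    out[label] = r.ok ? r.mode : "rejected: " + r.error;
  }
  return out;
}
```

A table of cases like `sampleConfigs` is the natural regression test for a change of this kind: the half-configured and blank-value rows are the ones that would reveal a validator that lets an unauthenticated client through.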

@designcode designcode force-pushed the fix/auth-validation-in-iam-http-client branch from 1d81ba3 to 1727b82 Compare March 27, 2026 11:02
@designcode designcode merged commit 261dbe8 into main Mar 27, 2026
2 checks passed
@designcode designcode deleted the fix/auth-validation-in-iam-http-client branch March 27, 2026 11:06
@github-actions

🎉 This PR is included in version 1.4.1 🎉

The release is available on:

Your semantic-release bot 📦🚀
