fix(job-runs): resolve upload path and S3 presigned URL signature errors

[haizhou-zhao]

Summary

These bugs were discovered while using the CLI to submit a local Python file as a Wherobots job (via wherobots job-runs create test_connection.py --name test_connection --watch). All three blocked the upload step before the job could even be created.

Bug 1: /files/dir called with s3:// URI instead of bare bucket name (jobs.go)

The resolveManagedUploadTarget function constructed rootDir as s3://bucket/ and passed it as the dir query parameter. The /files/dir API only accepts a bare bucket name (e.g. wbts-wbc-m97rcg45xi), so the call failed with HTTP 400 InvalidInputException (No storage source found for bucket: s3:).

Fix: Pass the bucket name directly. Also normalize the response path field (which lacks the s3:// prefix) before parsing it with splitS3Path.

Bug 2: /files/upload-url key missing bucket prefix, and wrong upload target directory (jobs.go)

The key sent to /files/upload-url was prefix/name/file, but the API expects the full path starting with the bucket name: bucket/prefix/name/file. Without it, the server parsed the org ID as the bucket and returned HTTP 400 InvalidInputException (No storage source found for bucket: <org_id>).

Additionally, the upload was targeting the org-level managed storage root, which has uploadProtected: true. The actual writable directory per user is bucket/org_id/data/customer-{user_id}/. Added a GET /users/me call to resolve the caller's user ID and navigate to their personal directory before falling back to the legacy root path.

Fix: Prepend bucket to the upload key. Add getMe operation and resolve the user's personal directory first.

Bug 3: Content-Type: application/octet-stream breaks S3 presigned URL signature (upload.go)

AWS S3 Signature Version 2 includes Content-Type in the canonical string used to verify presigned URLs. The presigned URL from /files/upload-url is signed without a Content-Type constraint, but UploadFileToPresignedURL was unconditionally setting Content-Type: application/octet-stream on the PUT request. This caused HTTP 403 SignatureDoesNotMatch on every upload.

Fix: Remove the Content-Type header from the presigned PUT request.

Test plan

• Run wherobots job-runs create <local-script.py> --name <name> --watch and verify it uploads, submits, and streams logs to completion
• Verify the uploaded script appears at s3://bucket/org_id/data/customer-{user_id}/name/script.py
• Verify --upload-path s3://custom/path override still works (code path unchanged)
• Verify --no-upload with an s3:// URI still works (skips upload entirely)

🤖 Generated with Claude Code

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review.

_{Tip: disable this comment in your organization's Code Review settings.}

[haizhou-zhao]

@salty-hambot review

[ClayMav]

@haizhou-zhao was this tested manually?