Add presigned URL support for direct S3 downloads (#48)

- Add ORCHARD_DOWNLOAD_MODE config (presigned, redirect, proxy)
- Add ORCHARD_PRESIGNED_URL_EXPIRY config (default: 3600s)
- Add generate_presigned_url() method to S3Storage
- Modify download endpoint to support ?mode= query parameter
- Add /url endpoint for getting presigned URL without redirect
- Add PresignedUrlResponse schema with URL, expiry, and checksums
- Default download mode is now presigned for better performance

CHANGELOG.md

@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 ### Added
+- Added presigned URL support for direct S3 downloads (#48)
+- Added `ORCHARD_DOWNLOAD_MODE` config option (`presigned`, `redirect`, `proxy`) (#48)
+- Added `ORCHARD_PRESIGNED_URL_EXPIRY` config option (default: 3600 seconds) (#48)
+- Added `?mode=` query parameter to override download mode per-request (#48)
+- Added `/api/v1/project/{project}/{package}/+/{ref}/url` endpoint for getting presigned URLs (#48)
+- Added `PresignedUrlResponse` schema with URL, expiry, checksums, and artifact metadata (#48)
 - Added integrity verification workflow design document (#24)
 - Added `sha256` field to API responses for clarity (alias of `id`) (#25)
 - Added `checksum_sha1` field to artifacts table for compatibility (#25)
@@ -14,6 +20,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Compute and store MD5, SHA1, and S3 ETag alongside SHA256 during upload (#25)
 - Added `Dockerfile.local` and `docker-compose.local.yml` for local development (#25)
 - Added migration script `003_checksum_fields.sql` for existing databases (#25)
+### Changed
+- Changed default download mode from `proxy` to `presigned` for better performance (#48)
 
 ## [0.2.0] - 2025-12-15
 ### Changed