fix(attribution): manageStorage 工具无法获取永久公网访问地址，Agent 误用临时 URL 作为 publicUrl (issue_moj9bllm_n90yq7)

CodeBuddy Attribution Bot · CodeBuddy Attribution Bot · commit 9039aa915e5b · 2026-04-29T07:48:16.000+08:00
diff --git a/config/.claude/skills/cloudbase-platform/SKILL.md b/config/.claude/skills/cloudbase-platform/SKILL.md
@@ -107,6 +107,15 @@ Use this skill for **CloudBase platform knowledge** when you need to:
    - Combine with static hosting file paths to construct final access addresses
    - **Important**: If access address is a directory, it must end with `/`
 
+3. **Cloud Storage Public URL**:
+   - **CRITICAL**: `manageStorage(action=upload)` and `queryStorage(action=url)` return `temporaryUrl` which is a temporary signed URL that expires (default 1 hour). Do NOT use this as a permanent public URL.
+   - To get the permanent public access URL for a cloud storage object:
+     1. Call `envQuery(action=info)` to get environment details
+     2. Extract the storage CDN domain from `EnvInfo.Storages[0].CdnDomain` (e.g., `your-env-id.tcb.qcloud.la`)
+     3. Construct the public URL: `https://{CdnDomain}/{cloudPath}`
+   - Example: If `CdnDomain` is `env-xxx.tcb.qcloud.la` and `cloudPath` is `uploads/avatar.jpg`, the public URL is `https://env-xxx.tcb.qcloud.la/uploads/avatar.jpg`
+   - Note: The public URL is accessible only if the storage bucket ACL allows public read (default is `PRIVATE` which requires signed URLs)
+
 ## Environment and Authentication
 
 1. **SDK Initialization**:
diff --git a/config/source/guideline/cloudbase/SKILL.md b/config/source/guideline/cloudbase/SKILL.md
@@ -330,7 +330,7 @@ For better UI/UX design, consider reading the `ui-design` skill which provides:
 - **MySQL (Tool)**: `relational-database-tool`
 
 ### Storage Skills
-- **Cloud Storage (Web)**: `cloud-storage-web` - Upload, download, temporary URLs, file management
+- **Cloud Storage (Web)**: `cloud-storage-web` - Upload, download, temporary URLs, file management. **Note**: For permanent public URLs, use `envQuery(action=info)` to get `EnvInfo.Storages[0].CdnDomain` and construct `https://{CdnDomain}/{cloudPath}`
 
 ### AI Skills
 - **AI Model (Web)**: `ai-model-web` - Text generation and streaming via @cloudbase/js-sdk
diff --git a/config/source/skills/cloudbase-platform/SKILL.md b/config/source/skills/cloudbase-platform/SKILL.md
@@ -107,6 +107,15 @@ Use this skill for **CloudBase platform knowledge** when you need to:
    - Combine with static hosting file paths to construct final access addresses
    - **Important**: If access address is a directory, it must end with `/`
 
+3. **Cloud Storage Public URL**:
+   - **CRITICAL**: `manageStorage(action=upload)` and `queryStorage(action=url)` return `temporaryUrl` which is a temporary signed URL that expires (default 1 hour). Do NOT use this as a permanent public URL.
+   - To get the permanent public access URL for a cloud storage object:
+     1. Call `envQuery(action=info)` to get environment details
+     2. Extract the storage CDN domain from `EnvInfo.Storages[0].CdnDomain` (e.g., `your-env-id.tcb.qcloud.la`)
+     3. Construct the public URL: `https://{CdnDomain}/{cloudPath}`
+   - Example: If `CdnDomain` is `env-xxx.tcb.qcloud.la` and `cloudPath` is `uploads/avatar.jpg`, the public URL is `https://env-xxx.tcb.qcloud.la/uploads/avatar.jpg`
+   - Note: The public URL is accessible only if the storage bucket ACL allows public read (default is `PRIVATE` which requires signed URLs)
+
 ## Environment and Authentication
 
 1. **SDK Initialization**:
diff --git a/mcp/src/tools/storage.ts b/mcp/src/tools/storage.ts
@@ -69,7 +69,7 @@ export function registerStorageTools(server: ExtendedMcpServer) {
     "queryStorage",
     {
       title: "查询存储信息",
-      description: "查询云存储信息，支持列出目录文件、获取文件信息、获取临时下载链接等只读操作。返回的文件信息包括文件名、大小、修改时间、下载链接等。",
+      description: "查询云存储信息，支持列出目录文件、获取文件信息、获取临时下载链接等只读操作。返回的文件信息包括文件名、大小、修改时间、下载链接等。注意：action=url 返回的 temporaryUrl 是临时签名链接，有效期由 maxAge 参数决定（默认1小时）。如需获取永久公网访问地址，请使用 envQuery(action=info) 查询环境信息，从返回的 EnvInfo.Storages[0].CdnDomain 字段获取存储桶 CDN 域名，然后拼接为 https://{CdnDomain}/{cloudPath} 格式的公网访问地址。",
       inputSchema: queryStorageInputSchema,
       annotations: {
         readOnlyHint: true,
@@ -207,7 +207,7 @@ export function registerStorageTools(server: ExtendedMcpServer) {
     "manageStorage",
     {
       title: "管理存储文件",
-      description: "管理云存储文件，仅用于 COS/Storage 对象，不用于静态网站托管。支持上传文件/目录、下载文件/目录、删除文件/目录等操作。删除操作需要设置force=true进行确认，防止误删除重要文件。",
+      description: "管理云存储文件，仅用于 COS/Storage 对象，不用于静态网站托管。支持上传文件/目录、下载文件/目录、删除文件/目录等操作。删除操作需要设置force=true进行确认，防止误删除重要文件。注意：上传后返回的 temporaryUrl 是临时签名链接，有效期1小时后会过期。如需获取永久公网访问地址，请使用 envQuery(action=info) 查询环境信息，从返回的 EnvInfo.Storages[0].CdnDomain 字段获取存储桶 CDN 域名，然后拼接为 https://{CdnDomain}/{cloudPath} 格式的公网访问地址。",
       inputSchema: manageStorageInputSchema,
       annotations: {
         readOnlyHint: false,
@@ -264,7 +264,8 @@ export function registerStorageTools(server: ExtendedMcpServer) {
                     cloudPath: input.cloudPath,
                     isDirectory: input.isDirectory,
                     temporaryUrl: fileUrls[0]?.url || "",
-                    expireTime: "1小时"
+                    expireTime: "1小时",
+                    note: "temporaryUrl 是临时签名链接，1小时后过期。如需永久公网访问地址，请调用 envQuery(action=info) 获取 EnvInfo.Storages[0].CdnDomain，拼接为 https://{CdnDomain}/{cloudPath}"
                   },
                   message: `Successfully uploaded ${input.isDirectory ? 'directory' : 'file'} from '${input.localPath}' to '${input.cloudPath}'`
                 }, null, 2)
