fix: queryPermissions tool returns resources.empty when querying storage permissions and does not return the current aclTag, leading the AI to fabricate default values #689

Open
binggg wants to merge 1 commit into main from automation/attribution-issue-mojw1xd2-gaiuiu-querypermissions-resources-empty-acltag-
@binggg binggg commented Apr 29, 2026

Attribution issue

  • issueId: issue_mojw1xd2_gaiuiu
  • category: tool
  • canonicalTitle: queryPermissions tool returns resources.empty when querying storage permissions and does not return the current aclTag, leading the AI to fabricate default values
  • representativeRun: atomic-js-none-describe-storage-acl/2026-04-29T09-58-47-pbybc0

Automation summary

  • root_cause: queryPermissions tool with action="listResourcePermissions" and resourceType="storage" returns resources.empty when resourceIds is not provided. The underlying API describeResourcePermission requires explicit resource identifiers for storage type, but the agent doesn't know which buckets exist. This forces the AI to fall back to forbidden APIs (DescribeStorageACL) or fabricate default aclTag values like "undefined".
  • changes: Modified mcp/src/tools/permissions.ts with two fixes: (1) listResourcePermissions: when resourceType="storage" and no resourceIds provided, auto-discover storage bucket names from env.getEnvInfo() and use them as the resources parameter. (2) getResourcePermission: when resourceType="storage" and no resourceId provided, auto-discover the default bucket name. Also updated tool description and parameter descriptions to inform the AI that resourceId/resourceIds are optional for storage type and will be auto-discovered.
  • validation: All 12 permissions unit tests pass. All 3 mandatory skill quality tests pass (10 tests total). No TypeScript compilation errors introduced.
  • follow_up: None needed — this is a Layer 2

Changed files

  • mcp/src/tools/permissions.ts

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: edbc24540d

Comment on lines +398 to +400
if (!resourceType) {
throw new Error("action=getResourcePermission 时必须提供 resourceType");
}
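
Review bot: the guard at +398 to +400 only rejects a missing resourceType, so a getResourcePermission call that has a resourceType but no resourceId passes it. Suggest keeping a second guard directly after it for the types that cannot be auto-discovered, along the lines of `if (resourceType !== "storage" && !resourceId)` with an equally explicit error, and covering that case with a unit test.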
P2 Badge Restore non-storage resourceId validation

This change removed the resourceId presence check for getResourcePermission in all non-storage cases, so calls like resourceType="function" without resourceId now proceed to describeResourcePermission with resources: [undefined] instead of returning the previous clear validation error. That is a regression introduced by this commit and can surface as opaque downstream API failures for callers that omit resourceId on non-storage types.

Useful? React with 👍 / 👎.
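
The validation the review asks to restore, combined with the storage auto-discovery the PR summary describes, as an added TypeScript example that is not the code in mcp/src/tools/permissions.ts. The helper name, its signature, and the `discoverDefaultBucket` callback (standing in for the env.getEnvInfo() lookup) are assumptions.

```typescript
// Added example: hypothetical helper, not code from mcp/src/tools/permissions.ts.
interface ResolvedTarget {
  resources: string[];      // what would be passed on as the `resources` parameter
  autoDiscovered: boolean;  // true when the bucket came from discovery, not the caller
}

// `discoverDefaultBucket` stands in for the env.getEnvInfo() lookup the PR describes;
// its shape here is an assumption.
function resolveGetPermissionTarget(
  resourceType: string | undefined,
  resourceId: string | undefined,
  discoverDefaultBucket: () => string | undefined,
): ResolvedTarget {
  if (!resourceType) {
    throw new Error("resourceType is required for action=getResourcePermission");
  }
  const explicit = resourceId?.trim();
  if (explicit) {
    return { resources: [explicit], autoDiscovered: false };
  }
  // Only storage may omit resourceId; every other type keeps the validation error.
  if (resourceType !== "storage") {
    throw new Error(`resourceId is required when resourceType="${resourceType}"`);
  }
  const bucket = discoverDefaultBucket()?.trim();
  if (!bucket) {
    // Fail loudly instead of forwarding [undefined] or an empty list downstream.
    throw new Error("no storage bucket could be discovered; pass resourceId explicitly");
  }
  return { resources: [bucket], autoDiscovered: true };
}

// Returns the error message, or null when the call succeeds.
function errorOf(fn: () => unknown): string | null {
  try {
    fn();
    return null;
  } catch (e) {
    return e instanceof Error ? e.message : String(e);
  }
}

// Constructed sample values, not real resource names.
const sampleBucket = "example-bucket-0001";
console.log(resolveGetPermissionTarget("storage", undefined, () => sampleBucket));
console.log(errorOf(() => resolveGetPermissionTarget("function", undefined, () => sampleBucket)));
```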