fix(attribution): Skill 文档未清晰说明 HTTP 云函数的代码编写规范 (issue_mns1xuxr_arrdn2)

Author: CodeBuddy Attribution Bot

config/source/skills/cloud-functions/SKILL.md

@@ -54,6 +54,8 @@ Keep local `references/...` paths for files that ship with the current skill dir
 - Forgetting that runtime cannot be changed after creation.
 - Using cloud functions as the first answer for Web login.
 - Forgetting that HTTP Functions must ship `scf_bootstrap`, listen on port `9000`, and include dependencies.
+- Forgetting to configure function security rules after creating an HTTP Function. Default rules reject anonymous callers with `EXCEED_AUTHORITY`. Use `managePermissions(action="updateResourcePermission", resourceType="function")` to allow public access.
+- Mismatching the `scf_bootstrap` Node.js binary path with the function runtime (e.g. using `/var/lang/node18/bin/node` but setting `runtime: "Nodejs16.13"`).
 
 ### Minimal checklist
 
@@ -177,10 +179,21 @@ exports.main = async (event, context) => {
 
 ```js
 const http = require("http");
+const { URL } = require("url");
+
+function sendJson(res, statusCode, data) {
+  res.writeHead(statusCode, { "Content-Type": "application/json; charset=utf-8" });
+  res.end(JSON.stringify(data));
+}
 
 const server = http.createServer((req, res) => {
-  res.writeHead(200, { "Content-Type": "application/json" });
-  res.end(JSON.stringify({ ok: true, message: "hello from http function" }));
+  const url = new URL(req.url || "/", "http://127.0.0.1");
+
+  if (req.method === "GET" && url.pathname === "/") {
+    sendJson(res, 200, { ok: true, message: "hello from http function" });
+  } else {
+    sendJson(res, 404, { error: "Not Found" });
+  }
 });
 
 server.listen(9000);
@@ -193,6 +206,8 @@ server.listen(9000);
 /var/lang/node18/bin/node index.js
 ```
 
+The `scf_bootstrap` binary path must match the runtime — see the full mapping table in `./references/http-functions.md`.
+
 `cloudfunctions/hello-http/package.json`
 
 ```json

config/source/skills/cloud-functions/checklist.md

@@ -8,15 +8,18 @@ Use this checklist before creating or updating a CloudBase function.
    - Event Function: `exports.main(event, context)`, SDK/timer driven
    - HTTP Function: `req` / `res`, listens on port `9000`
 2. Pick the runtime before creation and state it explicitly.
-3. For HTTP Functions, confirm `scf_bootstrap` exists and the service listens on port `9000`.
+3. For HTTP Functions, confirm `scf_bootstrap` exists and the Node.js binary path matches the runtime (e.g. `Nodejs18.15` → `/var/lang/node18/bin/node`).
 4. Confirm the function root path points to the parent directory, not the function directory itself.
-5. If the request is really for a long-running container service, reroute to `cloudrun-development`.
+5. For HTTP Functions that need anonymous access, configure the function security rule with `managePermissions(action="updateResourcePermission", resourceType="function")` after creation. Default rules reject anonymous callers with `EXCEED_AUTHORITY`.
+6. If the request is really for a long-running container service, reroute to `cloudrun-development`.
 
 ## Common failure patterns
 
 - Choosing the wrong function type and compensating later.
 - Mixing Event Function and HTTP Function handler shapes in the same implementation.
 - Forgetting that runtime cannot be changed after creation.
+- Mismatching the `scf_bootstrap` Node.js binary path with the function runtime.
+- Forgetting to configure function security rules for HTTP Functions that need anonymous access.
 - Treating Cloud Functions as the default answer for Web authentication.
 
 ## Done criteria

config/source/skills/cloud-functions/references/http-functions.md

@@ -35,6 +35,16 @@ Requirements:
 - Use LF line endings.
 - Make it executable with `chmod +x scf_bootstrap`.
 
+The `scf_bootstrap` Node.js binary path must match the function runtime. Use this mapping:
+
+| Runtime value | `scf_bootstrap` binary path |
+| --- | --- |
+| `Nodejs20.19` | `/var/lang/node20/bin/node` |
+| `Nodejs18.15` | `/var/lang/node18/bin/node` |
+| `Nodejs16.13` | `/var/lang/node16/bin/node` |
+
+If the user specifies "Node.js 18", use runtime `Nodejs18.15` and the path `/var/lang/node18/bin/node`.
+
 ## Minimal Node.js example
 
 ```javascript
@@ -203,6 +213,15 @@ app.all("/{*splat}", (req, res) => {
 
 Express 5 note: `app.all("/{*splat}", (req, res) => {` is the safe catch-all form when you also need to match the root path `/`, because the router is based on `path-to-regexp` rather than the older Express 4 wildcard behavior.
 
+## End-to-end deployment lifecycle
+
+Follow these steps in order when creating an HTTP Function:
+
+1. **Write the function code** — create the directory with `index.js`, `scf_bootstrap`, and `package.json`.
+2. **Deploy with `manageFunctions`** — set `type: "HTTP"`, `protocolType: "HTTP"`, and `runtime` explicitly.
+3. **Configure security rules** — HTTP Functions default to a restrictive security rule. If the function should be publicly accessible (anonymous access), call `managePermissions(action="updateResourcePermission")` with `resourceType="function"`.
+4. **Verify** — call the function URL and confirm it returns the expected response. If you get `EXCEED_AUTHORITY`, the security rule needs to be updated (step 3).
+
 ## Deployment flow
 
 Prefer `manageFunctions` over CLI in agent flows.
@@ -214,12 +233,43 @@ manageFunctions({
     name: "myHttpFunction",
     type: "HTTP",
     protocolType: "HTTP",
+    runtime: "Nodejs18.15",
     timeout: 60
   },
   functionRootPath: "/absolute/path/to/cloudfunctions"
 });
 ```
 
+**Important parameters:**
+
+- `type: "HTTP"` — marks the function as an HTTP Function (not an Event Function).
+- `protocolType: "HTTP"` — the wire protocol. Use `"WS"` for WebSocket.
+- `runtime` — the execution runtime. Must match the `scf_bootstrap` binary path. Default is `"Nodejs18.15"` if omitted, but always set it explicitly to avoid ambiguity.
+- `functionRootPath` — the parent directory of the function folder (e.g. `/path/to/cloudfunctions` if the code lives in `/path/to/cloudfunctions/myHttpFunction/`).
+
+### Security rule configuration
+
+After creating an HTTP Function, it will reject anonymous callers with `EXCEED_AUTHORITY` by default. If the function should be publicly accessible:
+
+```javascript
+managePermissions({
+  action: "updateResourcePermission",
+  resourceType: "function",
+  resourceId: "myHttpFunction",
+  permission: {
+    aclTag: "CUSTOM",
+    rule: "true"
+  }
+});
+```
+
+- `aclTag: "CUSTOM"` with `rule: "true"` allows all callers (anonymous access).
+- Do NOT use `readSecurityRule` / `writeSecurityRule` — those are removed. Use `queryPermissions` / `managePermissions` instead.
+- Security rule semantics for `resourceType="function"` differ from NoSQL database rules. Do not reuse `doc._openid` or `auth.openid` expressions from NoSQL security rules.
+- Official reference: `https://docs.cloudbase.net/cloud-function/security-rules`
+
+If an external caller reports `EXCEED_AUTHORITY`, inspect the function permission first with `queryPermissions(action="getResourcePermission", resourceType="function", resourceId="myHttpFunction")` before widening access.
+
 ### WebSocket
 
 For WebSocket workloads, keep the function type as HTTP and switch `protocolType`:
@@ -264,9 +314,7 @@ manageGateway({
 Before enabling anonymous access, confirm both of these:
 
 1. The access path exists.
-2. The function security rule allows the intended caller identity.
-
-If an external caller reports `EXCEED_AUTHORITY`, inspect the function permission first with `queryPermissions(action="getResourcePermission", resourceType="function")` before widening access.
+2. The function security rule allows the intended caller identity (see Security rule configuration above).
 
 ## SSE and WebSocket notes