
Add Tencent Cloud CSIP service#249

Open

632661265flynn-dotcom wants to merge 4 commits into chaitin:main from 632661265flynn-dotcom:codex/add-tencent-csip-service

Conversation


632661265flynn-dotcom commented Jun 25, 2026


Summary

  • Add a Tencent Cloud CSIP OctoBus service for Cloud Security Center read-only APIs.
  • Implement Tencent Cloud API 3.0 TC3-HMAC-SHA256 signing for the csip service, defaulting to version 2022-11-21 and endpoint https://csip.tencentcloudapi.com.
  • Expose common Describe* actions for alerts, assets, risk center, access key risk, COS alarms, skill scan result, and multi-account queries.
  • Add a constrained InvokeReadOnlyAction helper that only allows Describe* actions.

Closes #243

Tests

  • npm run validate -- --service-dir tencent__csip
  • npm test -- --service-dir tencent__csip
  • npm run import:check
  • npm run pack:check

Live verification evidence (redacted)

Secrets, signatures, and real asset identifiers are masked. Request path, method, headers, status code, and response structure are kept visible.

Live verification evidence: Tencent CSIP DescribeCSIPRiskStatistics call succeeded

Request

POST https://csip.tencentcloudapi.com
Authorization: TC3-HMAC-SHA256 Credential=AKIDgLMJ/2026-06-25/csip/tc3_request, SignedHeaders=content-type;host, Signature=**
Content-Type: application/json; charset=utf-8
Host: csip.tencentcloudapi.com
X-TC-Action: DescribeCSIPRiskStatistics
X-TC-Version: 2022-11-21
X-TC-Timestamp: 1782413979
X-TC-Region: ap-guangzhou

{}

Response HTTP/1.1 200 OK

{
"Response": {
"Data": {
"PortTotal": 0,
"PortHighLevel": 0,
"VULTotal": 0,
"VULHighLevel": 0,
"WeakPasswordTotal": 0,
"WeakPasswordHighLevel": 0,
"WebsiteTotal": 0,
"WebsiteHighLevel": 0,
"CFGTotal": 0,
"CFGHighLevel": 0,
"HostBaseLineRiskTotal": 0,
"HostBaseLineRiskHighLevel": 0,
"PodBaseLineRiskTotal": 0,
"PodBaseLineRiskHighLevel": 0,
"LastScanTime": "",
"ServerTotal": 0,
"ServerHighLevel": 0
},
"RequestId": "dbb0d0e0-9069-4509-98a3-097ee02bf13c"
}
}

Live verification evidence: Tencent CSIP DescribePublicIpAssets call succeeded

Request

POST https://csip.tencentcloudapi.com
Authorization: TC3-HMAC-SHA256 Credential=AKIDgLMJ/2026-06-25/csip/tc3_request, SignedHeaders=content-type;host, Signature=**
Content-Type: application/json; charset=utf-8
Host: csip.tencentcloudapi.com
X-TC-Action: DescribePublicIpAssets
X-TC-Version: 2022-11-21
X-TC-Timestamp: 1782413979
X-TC-Region: ap-guangzhou

{}

Response HTTP/1.1 200 OK

{
"Response": {
"AppIdList": [],
"AssetLocationList": [],
"AssetTypeList": [],
"Data": [],
"DefenseStatusList": [],
"IpTypeList": [],
"RegionList": [],
"RequestId": "6e1ae5f2-b210-45c5-bf1e-62e1a6c36884",
"Total": 0
}
}

Review follow-up

Addressed the adapter review feedback in follow-up commits:

  • Use AbortController-backed fetch timeouts and map aborts to DEADLINE_EXCEEDED.
  • Keep the timeout active through response body parsing so slow or stalled bodies cannot hang handlers.
  • Add regression coverage for body-stream aborts raised via the fetch signal.

Validation run for tencent__csip:

  • npm test -- --service-dir tencent__csip
  • npm run validate -- --service-dir tencent__csip
  • git diff --check

API documentation coverage follow-up:

  • Expanded the Tencent CSIP proto/API allowlist from the official SDK/API surface to cover the remaining safe read-only Describe actions, while excluding token-like or otherwise sensitive actions.
  • Re-ran npm test -- --service-dir tencent__csip, npm run validate -- --service-dir tencent__csip, and git diff --check.


monkeyscan Bot commented Jun 26, 2026


This change migrates the fetch timeout mechanism in the Tencent Cloud CSIP service from the non-standard timeoutMs option to the standard AbortController + signal pattern, and adds a DEADLINE_EXCEEDED gRPC error-code mapping. The main changes are:

  1. Service code (tencent-csip.js)

    • Add a DEADLINE_EXCEEDED mapping to grpcCodeFor.
    • Use AbortController + setTimeout instead of fetch's timeoutMs parameter.
    • Recognise AbortError / TimeoutError in the catch block and throw a DEADLINE_EXCEEDED error.
    • Clear the setTimeout in finally to avoid leaking timers.
  2. Test code (tencent-csip.test.js)

    • Update the expectGrpcError helper accordingly to support DEADLINE_EXCEEDED.
    • Verify that the fetch call no longer includes timeoutMs and instead passes a signal.
    • Add a test case asserting that the timeout scenario throws DEADLINE_EXCEEDED.

The overall design is sound: it uses the web-standard AbortController mechanism, the error-code mapping is complete, resource cleanup (clearTimeout) is in place, and the tests cover the new behaviour. No obvious correctness, security or regression risks were found.
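The timeout design reviewed above (AbortController-backed fetch deadline, timer cleared in finally, aborts mapped to DEADLINE_EXCEEDED) together with the follow-up point that the deadline must stay armed through body parsing, as an added example. It is not the PR's tencent-csip.js: fetchJsonWithDeadline, ServiceError and the fake fetch are constructed for illustration, and the fetch implementation is injected so the stalled-headers and stalled-body cases can be exercised offline.

```javascript
// Added example (not the PR's code): AbortController-backed fetch deadline that stays armed
// through response-body parsing, mapping aborts to a gRPC-style DEADLINE_EXCEEDED error.

// Minimal error type carrying a gRPC status name; hypothetical, not the service's own class.
class ServiceError extends Error {
  constructor(code, message) {
    super(message);
    this.name = 'ServiceError';
    this.code = code;
  }
}

// Node's fetch rejects with name 'AbortError' (or 'TimeoutError' for AbortSignal.timeout).
function isAbortError(err) {
  return Boolean(err) && (err.name === 'AbortError' || err.name === 'TimeoutError');
}

// fetchImpl is injected so the behaviour can be exercised against a fake fetch offline.
async function fetchJsonWithDeadline(fetchImpl, url, init, timeoutMs) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const res = await fetchImpl(url, { ...init, signal: controller.signal });
    // Body parsing sits inside the try: a response whose headers arrive but whose body
    // stalls must hit the same deadline instead of hanging the handler indefinitely.
    const body = await res.json();
    return { status: res.status, body };
  } catch (err) {
    if (isAbortError(err) || controller.signal.aborted) {
      throw new ServiceError('DEADLINE_EXCEEDED', `request to ${url} exceeded ${timeoutMs}ms`);
    }
    throw err; // anything else (DNS failure, malformed JSON) keeps its own identity
  } finally {
    clearTimeout(timer); // no timer leak on either the success or the failure path
  }
}

// ---- Constructed fake fetch for offline demonstration ----

function abortError() {
  const e = new Error('The operation was aborted');
  e.name = 'AbortError';
  return e;
}

// Never resolves; rejects with AbortError once the signal fires, which is how undici
// surfaces an abort during header or body reads.
function untilAbort(signal) {
  return new Promise((_, reject) => {
    if (signal.aborted) return reject(abortError());
    signal.addEventListener('abort', () => reject(abortError()), { once: true });
  });
}

function makeFakeFetch({ stallHeaders = false, stallBody = false, body = {} } = {}) {
  return async (_url, { signal }) => {
    if (stallHeaders) await untilAbort(signal);
    return {
      status: 200,
      json: async () => {
        if (stallBody) await untilAbort(signal);
        return body;
      },
    };
  };
}

// Runs one call and reports either the parsed body or the mapped error code.
async function outcomeOf(fetchImpl, timeoutMs) {
  const url = 'https://csip.example.invalid'; // constructed; never contacted
  try {
    const r = await fetchJsonWithDeadline(fetchImpl, url, { method: 'POST', body: '{}' }, timeoutMs);
    return { ok: true, body: r.body };
  } catch (err) {
    return { ok: false, code: err.code, name: err.name };
  }
}
```

The check on controller.signal.aborted in the catch branch covers fetch implementations that surface an abort under a different error name; everything else is rethrown unchanged so the existing grpcCodeFor mapping still sees the original error.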


monkeyscan Bot commented Jun 26, 2026


This PR moves the parseTencentResponse(res) call from outside the try...catch into the try block, so that exceptions raised by an abort/timeout during the response-body read, after fetch itself has succeeded, are caught uniformly and correctly thrown as DEADLINE_EXCEEDED errors. It also adds an early check on err.legacyCode to preserve the original behaviour of some historical exceptions. The test file adds coverage for the corresponding body-stream timeout scenario. The overall logic is sound and fixes the earlier problem that body-stream timeouts were not caught.


monkeyscan Bot commented Jun 26, 2026


This PR greatly expands the READ_ONLY_ACTIONS list of the Tencent CSIP service, adding about 130 read-only Describe-type interfaces in tencent-csip.js and the corresponding RPC definitions in tencent_csip.proto. The change is a pure incremental API adaptation that does not touch core business logic; it mainly widens the API coverage of the read-only adapter. The list in the JS is re-sorted alphabetically, which improves maintainability. On comparison, one inconsistency between the JS and the proto was found: the newly added DescribeAccessKeyRisk is present in the JS constant but missing from the newly added proto RPC definitions, which may cause runtime calls to that interface to fail.

export const READ_ONLY_ACTIONS = [
  'DescribeAbnormalCallRecord',
  'DescribeAccessKeyAlarm',
  'DescribeAccessKeyAlarmDetail',
  // ... remaining Describe* actions (excerpt truncated on the page)
];


DescribeAccessKeyRisk added in the JS has no corresponding RPC definition in the proto

READ_ONLY_ACTIONS in tencent-csip.js now includes DescribeAccessKeyRisk, but no corresponding RPC definition was found in tencent_csip.proto (the proto only has DescribeAccessKeyAlarm, DescribeAccessKeyAlarmDetail, DescribeAccessKeyAsset, DescribeAccessKeyRiskDetail and so on; DescribeAccessKeyRisk alone is missing). This will cause the read-only adapter's gRPC call to that interface to fail, because the method does not exist in the proto service.

Problem code:

Changed code at services/tencent__csip/src/tencent-csip.js:15

Recommendation:
Please add the missing RPC definition to the Tencent_CSIP service in tencent_csip.proto: rpc DescribeAccessKeyRisk(TencentCloudRequest) returns (TencentCloudResponse) {}. The suggested position is between DescribeAccessKeyAsset and DescribeAccessKeyRiskDetail, to keep the alphabetical order consistent with the JS list.

Suggested diff:

--- a/services/tencent__csip/proto/tencent_csip.proto
+++ b/services/tencent__csip/proto/tencent_csip.proto
@@ -24,6 +24,7 @@ service Tencent_CSIP {
   rpc DescribeAccessKeyAlarmDetail(TencentCloudRequest) returns (TencentCloudResponse) {}
   rpc DescribeAccessKeyAsset(TencentCloudRequest) returns (TencentCloudResponse) {}
+  rpc DescribeAccessKeyRisk(TencentCloudRequest) returns (TencentCloudResponse) {}
   rpc DescribeAccessKeyRiskDetail(TencentCloudRequest) returns (TencentCloudResponse) {}
   rpc DescribeAccessKeyUserDetail(TencentCloudRequest) returns (TencentCloudResponse) {}
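Review bot: With every rpc in Tencent_CSIP sharing the same TencentCloudRequest/TencentCloudResponse pair, the proto service and the JS READ_ONLY_ACTIONS constant are two hand-maintained copies of one name set and will drift again after this hunk; alongside adding `rpc DescribeAccessKeyRisk(TencentCloudRequest) returns (TencentCloudResponse) {}`, add a test that parses the rpc names out of tencent_csip.proto and asserts they equal the READ_ONLY_ACTIONS entries, so the next omission fails `npm test` rather than a live call. The insertion point between DescribeAccessKeyAsset and DescribeAccessKeyRiskDetail keeps the service alphabetical, matching the sorted JS list.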

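The JS-versus-proto consistency check the review comment performs by hand, as an added example that is not part of the PR or the chaitin repository. parseProtoRpcNames and auditReadOnlyActions are hypothetical helpers; the sample action list and proto text are constructed to mirror the discrepancy reported above (DescribeAccessKeyRisk in the JS list, absent from the service), and the audit also reports non-Describe entries, duplicates and ordering, which go beyond the single case in the comment.

```javascript
// Added example (not the PR's code): keep the JS READ_ONLY_ACTIONS allowlist and the
// proto service definition in step, so a name present in one but not the other fails a test.

// Parses `rpc Name(Req) returns (Resp) {}` lines out of a proto file body.
function parseProtoRpcNames(protoText) {
  const names = new Set();
  const rpcRe = /^\s*rpc\s+([A-Za-z_][A-Za-z0-9_]*)\s*\(/gm;
  let m;
  while ((m = rpcRe.exec(protoText)) !== null) names.add(m[1]);
  return names;
}

// Strict ascending order; equal neighbours count as unsorted (they are duplicates).
function isSorted(list) {
  return list.every((name, i) => i === 0 || list[i - 1] < name);
}

// Returns every discrepancy a reviewer would flag; all-empty lists and sorted:true
// mean the JS allowlist and the proto service agree.
function auditReadOnlyActions(actions, protoText) {
  const rpcs = parseProtoRpcNames(protoText);
  return {
    missingInProto: actions.filter((a) => !rpcs.has(a)),
    missingInJs: [...rpcs].filter((r) => !actions.includes(r)).sort(),
    notReadOnly: actions.filter((a) => !/^Describe[A-Z]/.test(a)),
    duplicates: actions.filter((a, i) => actions.indexOf(a) !== i),
    sorted: isSorted(actions),
  };
}

// Constructed sample mirroring the review comment: the JS list names DescribeAccessKeyRisk,
// the proto service does not.
const SAMPLE_ACTIONS = [
  'DescribeAbnormalCallRecord',
  'DescribeAccessKeyAlarm',
  'DescribeAccessKeyAlarmDetail',
  'DescribeAccessKeyAsset',
  'DescribeAccessKeyRisk',
  'DescribeAccessKeyRiskDetail',
  'DescribeAccessKeyUserDetail',
];

const SAMPLE_PROTO = `
syntax = "proto3";
service Tencent_CSIP {
  rpc DescribeAbnormalCallRecord(TencentCloudRequest) returns (TencentCloudResponse) {}
  rpc DescribeAccessKeyAlarm(TencentCloudRequest) returns (TencentCloudResponse) {}
  rpc DescribeAccessKeyAlarmDetail(TencentCloudRequest) returns (TencentCloudResponse) {}
  rpc DescribeAccessKeyAsset(TencentCloudRequest) returns (TencentCloudResponse) {}
  rpc DescribeAccessKeyRiskDetail(TencentCloudRequest) returns (TencentCloudResponse) {}
  rpc DescribeAccessKeyUserDetail(TencentCloudRequest) returns (TencentCloudResponse) {}
}
`;
```

Wired into the service's test suite, the audit would read the real tencent-csip.js constant and tencent_csip.proto from disk; the notReadOnly check additionally guards the allowlist itself, since a mutating action that slipped into READ_ONLY_ACTIONS would be signed and sent by the adapter like any other.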

Development

Successfully merging this pull request may close these issues.

Tencent Cloud - Security Center (Scanner)