
Add Volcengine Cloud Firewall service#287

Open

632661265flynn-dotcom wants to merge 3 commits into chaitin:main from 632661265flynn-dotcom:codex/add-volcengine-cloud-firewall-service

Conversation

632661265flynn-dotcom commented Jun 25, 2026

Summary

  • Add a Volcengine Cloud Firewall (fw_center) OctoBus service package.
  • Implement Volcengine OpenAPI V4 signing and read-only RPCs for address books, internet boundary policies, VPC/NAT firewall policies, DNS policies, protected assets, policy analysis, and route policy queries.
  • Register the service in the tentacles dispatcher and package metadata.
  • Add unit coverage for signing, protobuf Struct payload normalization, read-only action validation, response conversion, and error mapping.

Fixes #286

Tests

  • npm run validate -- --service-dir volcengine__cloud-firewall
  • npm test -- --service-dir volcengine__cloud-firewall
  • npm run import:check
  • npm run pack:check

Live check

Using temporary environment variables only, representative read-only actions reached the Volcengine Cloud Firewall business API and returned Service.NotOpened / 云防火墙服务未开通 (Cloud Firewall service not enabled) for the test account. This indicates the endpoint, service code, API version, and request signing path are working, but the account has not enabled Cloud Firewall.

Live verification status: blocked by product enablement

I could not provide a successful business response for this account because Volcengine Cloud Firewall is not enabled for the tested account. The request still reached the documented Cloud Firewall business API and returned a product-level Service.NotOpened error, which verifies the endpoint, service code, API version, Action routing, and request signing path.

Reference documentation:

Integration blocker evidence: AssetList reached the business API, but the account has not enabled Cloud Firewall

Request

POST https://fw-center.volcengineapi.com/?Action=AssetList&Version=2021-09-06
Authorization: HMAC-SHA256 Credential=AKLTlZjk/20260625/cn-beijing/fw_center/request, SignedHeaders=content-type;host;x-content-sha256;x-date, Signature=**
Content-Type: application/json
Host: fw-center.volcengineapi.com
X-Date: 20260625T192148Z
X-Content-Sha256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

{}

Response HTTP/1.1 400 Bad Request

{
  "ResponseMetadata": {
    "RequestId": "20260626032148E9ED231475F84393D3B7",
    "Action": "AssetList",
    "Version": "2021-09-06",
    "Service": "fw_center",
    "Region": "cn-beijing",
    "Error": {
      "CodeN": 20001,
      "Code": "Service.NotOpened",
      "Message": "云防火墙服务未开通。"
    }
  }
}

Additional product-enablement checks

The same signed request path was also checked with other read-only Cloud Firewall APIs and returned the same product enablement block:

  • DescribeVpcs -> HTTP 400 Service.NotOpened
  • QueryUserAlarmConfig -> HTTP 400 Service.NotOpened
  • DescribeAddressBook -> HTTP 400 Service.NotOpened

This is different from a signing, endpoint, or Action mismatch. If the signature, service code, API version, or endpoint were wrong, the gateway would return authentication/signature/route errors instead of a Cloud Firewall product error with Service: fw_center and the requested Action echoed in ResponseMetadata.

Review follow-up

Addressed the adapter review feedback in follow-up commits:

  • Use AbortController-backed fetch timeouts and map aborts to DEADLINE_EXCEEDED.
  • Keep the timeout active through response body parsing so slow or stalled bodies cannot hang handlers.
  • Reject nested GET query parameter values before signing/building URLs.
  • Add regression coverage for body-stream aborts raised via the fetch signal.
  • Replace deprecated global escape() in Volcengine URI signing with RFC3986-safe encodeURIComponent handling.

Validation run for volcengine__cloud-firewall:

  • npm test -- --service-dir volcengine__cloud-firewall
  • npm run validate -- --service-dir volcengine__cloud-firewall
  • git diff --check

monkeyscan Bot commented Jun 25, 2026

This PR adds a Volcengine Cloud Firewall OctoBus service package, including proto definitions, service configuration, the signing and request implementation, a CLI entry point, and tests. The core implementation lives in volcengine-cloud-firewall.js and mainly provides:

  1. Volcengine-style HMAC-SHA256 request signing;
  2. Read-only Action whitelist validation (Get*, Desc*, Describe*, List*, Query*, Search*, AssetList);
  3. Predefined RPC methods plus a generic InvokeReadOnlyAction read-only call;
  4. Normalization and deserialization of protobuf Struct / Value;
  5. Error mapping (permission, parameter, unavailable, unknown).

The overall structure is clear, and the whitelist and credential validation logic is sound. However, two fairly obvious problems were found:

  • uriEscape uses the deprecated global escape function, and its regex contains a reversed character range, which may cause special characters in the signing canonical request to be encoded differently than expected;
  • the fetch call passes a non-standard timeoutMs option, which native Node.js fetch ignores, so the configured timeout has no effect.

Tests cover the main paths but do not cover URI-escaping edge cases or nested-object payloads in GET requests.

monkeyscan Bot commented Jun 26, 2026

This PR fixes two pre-existing problems in the Volcengine Cloud Firewall adapter:

  1. The non-standard fetch option timeoutMs is replaced with the standard AbortController + signal mechanism, so the configured timeout actually takes effect, and a DEADLINE_EXCEEDED gRPC error code mapping is added.
  2. The uriEscape function is fixed: the deprecated global escape function and the regex with the reversed range are removed in favour of explicit percent-encoding of the !'()* characters that encodeURIComponent leaves unencoded, so URI encoding strictly follows RFC 3986 and signature verification failures are avoided.

In addition, the PR adds an assertQueryParamValue check in queryParamsToString that rejects nested objects passed as GET query parameters, strengthening parameter safety, and adds corresponding unit tests.

Overall assessment: the direction of the change is correct and it fixes clear reliability and compatibility problems. However, introducing AbortController brings a potential race condition: if the response headers arrive right at the timeout boundary, res.text() may throw an AbortError because the signal fires, and that error is not converted to DEADLINE_EXCEEDED.

monkeyscan Bot commented Jun 26, 2026

This PR fixes the race condition between the AbortController timeout signal in invokeVolcengine and parseVolcengineResponse. Previously, parseVolcengineResponse sat outside the try...catch block, so when fetch had already returned the response headers but the timeout signal fired while the body was being read, the AbortError thrown by res.text() was not caught and converted to DEADLINE_EXCEEDED but propagated upstream as-is. The change moves parseVolcengineResponse inside the try block and adds an err.legacyCode check to preserve errors that are already structured (such as UNKNOWN), and adds a corresponding test case for the body-stream timeout scenario. The overall change is reasonable, the test coverage is adequate, and no new problems were found.
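As an added illustration of the timeout race the review thread converges on (example code, not the adapter's own implementation): the pre-fix ordering, where the body read sits outside the try and leaks a raw AbortError, next to the fixed ordering, where headers, body and parsing all run inside one try, the timer is cleared only in finally, and an error that already carries legacyCode is passed through untouched. fetch is injected so the example runs offline against a constructed stub whose body can stall; the function names invokeWithDeadline and fakeFetch, the error-code table in mapErrorCode, and the Result / ResponseMetadata envelope shape are assumptions (the sample error body is a trimmed copy of the Service.NotOpened response from the PR).

```javascript
// Added example (not the PR's own code): AbortController-backed deadline that
// stays armed through body parsing, with the racy pre-fix ordering beside it.
class DeadlineExceededError extends Error {
  constructor(message) { super(message); this.name = 'DeadlineExceededError'; this.legacyCode = 'DEADLINE_EXCEEDED'; }
}

// Assumed mapping; only the four categories named in the review are represented.
function mapErrorCode(code) {
  if (/^(AccessDenied|Unauthorized|Forbidden)/.test(code)) return 'PERMISSION_DENIED';
  if (/^(InvalidParameter|MissingParameter)/.test(code)) return 'INVALID_ARGUMENT';
  if (/^(ServiceUnavailable|Throttling)/.test(code)) return 'UNAVAILABLE';
  return 'UNKNOWN';
}

// Turns a Volcengine envelope into Result, or throws a structured error that
// already carries legacyCode so the caller can tell it from a transport failure.
function parseVolcengineResponse(status, text) {
  let json;
  try { json = JSON.parse(text); } catch (e) {
    const err = new Error(`non-JSON response (HTTP ${status})`); err.legacyCode = 'UNKNOWN'; throw err;
  }
  const apiErr = json.ResponseMetadata && json.ResponseMetadata.Error;
  if (apiErr) {
    const err = new Error(`${apiErr.Code}: ${apiErr.Message}`);
    err.legacyCode = mapErrorCode(apiErr.Code);
    err.volcCode = apiErr.Code;
    err.requestId = json.ResponseMetadata.RequestId;
    throw err;
  }
  return json.Result;
}

function abortError() { const e = new Error('The operation was aborted'); e.name = 'AbortError'; return e; }

// Pre-fix ordering: only the fetch call is guarded, so an abort that fires
// between headers and body surfaces as a raw AbortError.
async function invokeRacy(fetchImpl, url, init, timeoutMs) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  let res;
  try {
    res = await fetchImpl(url, { ...init, signal: controller.signal });
  } catch (err) {
    clearTimeout(timer);
    if (err.name === 'AbortError') throw new DeadlineExceededError(`deadline of ${timeoutMs}ms exceeded`);
    throw err;
  }
  const text = await res.text(); // an abort here is not mapped
  clearTimeout(timer);
  return parseVolcengineResponse(res.status, text);
}

// Fixed ordering: headers, body and parsing inside one try; the timer is only
// cleared in finally, so a stalled body is aborted and mapped as well.
async function invokeWithDeadline(fetchImpl, url, init, timeoutMs) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const res = await fetchImpl(url, { ...init, signal: controller.signal });
    const text = await res.text();
    return parseVolcengineResponse(res.status, text);
  } catch (err) {
    if (err && err.legacyCode) throw err; // already structured: keep it
    if (err && err.name === 'AbortError') throw new DeadlineExceededError(`deadline of ${timeoutMs}ms exceeded for ${url}`);
    throw err;
  } finally {
    clearTimeout(timer);
  }
}

// Constructed fetch stub: headers return at once, the body resolves after
// bodyDelayMs, and an abort on the signal rejects the pending body read.
function fakeFetch({ status = 200, body, bodyDelayMs = 0 }) {
  return async (url, init) => {
    if (init.signal.aborted) throw abortError();
    return {
      status,
      text: () => new Promise((resolve, reject) => {
        const t = setTimeout(() => resolve(body), bodyDelayMs);
        init.signal.addEventListener('abort', () => { clearTimeout(t); reject(abortError()); }, { once: true });
      }),
    };
  };
}

// Constructed sample: the product-enablement error shown in the PR, trimmed.
const NOT_OPENED = JSON.stringify({ ResponseMetadata: { RequestId: 'req-example', Action: 'AssetList',
  Service: 'fw_center', Error: { CodeN: 20001, Code: 'Service.NotOpened', Message: '云防火墙服务未开通。' } } });

// Stand-alone demo: a body that stalls past the deadline is reported as DEADLINE_EXCEEDED.
invokeWithDeadline(fakeFetch({ body: '{"Result":{"Total":0}}', bodyDelayMs: 200 }), 'https://example.invalid/', {}, 50)
  .catch((err) => console.log(`${err.name}: ${err.message} (legacyCode=${err.legacyCode})`));
```

The legacyCode pass-through in the catch is what keeps a Service.NotOpened response from being re-labelled: parseVolcengineResponse throws inside the same try as the body read, so without that check every mapped API error would fall through to the generic branch.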


Development

Successfully merging this pull request may close these issues.

Volcengine - Cloud Firewall

1 participant