feat: add Material URL proxy for unified presigned URL replacement

Replace direct S3 presigned URLs with Redis-backed material URLs that
proxy file downloads through the API server. This restores protocol
compatibility for encrypted projects (which previously returned null
for public_url) while also unifying the URL format for non-encrypted
projects.

- Add MaterialService (token generation, Redis storage, S3 download+decrypt)
- Add GET /api/v1/material/:token endpoint (public, no auth required)
- Update ArtifactHandler.GetArtifact to always return material URLs
- Update SessionService.GetMessages to use material URLs for assets
- Update AgentSkillsService.GetFile to use material URLs for binary files
- Revert docs/SDK changes that were workarounds for missing public_url

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: GenerQAQ

docs/content/docs/(guides)/store/(features)/skill.mdx

@@ -130,38 +130,20 @@ for (const fileInfo of skillDetails.fileIndex || []) {
 result = client.skills.get_file(skill_id=skill.id, file_path="SKILL.md")
 print(result.content.raw)
 
-# Binary files return a URL or base64-encoded content
+# Binary files return a URL instead
 result = client.skills.get_file(skill_id=skill.id, file_path="images/diagram.png")
-if result.raw_content:
-    # Encryption enabled — binary content returned as base64
-    import base64
-    data = base64.b64decode(result.raw_content)
-elif result.url:
-    # No encryption — presigned URL for direct download
-    print(result.url)
+print(result.url)
 ```
 
 ```typescript title="TypeScript"
 const fileResult = await client.skills.getFile({ skillId: skill.id, filePath: "SKILL.md" });
 console.log(fileResult.content?.raw);
 
-// Binary files return a URL or base64-encoded content
+// Binary files return a URL instead
 const imageResult = await client.skills.getFile({ skillId: skill.id, filePath: "images/diagram.png" });
-if (imageResult.raw_content) {
-    // Encryption enabled — binary content returned as base64
-    const buffer = Buffer.from(imageResult.raw_content, 'base64');
-} else if (imageResult.url) {
-    // No encryption — presigned URL for direct download
-    console.log(imageResult.url);
-}
+console.log(imageResult.url);
 ```
 </CodeGroup>
-
-The SDK uses a 3-way fallback when downloading skill files:
-1. **`content.raw`** — text content, returned inline
-2. **`raw_content`** — base64-encoded binary content (when envelope encryption is enabled)
-3. **`url`** — presigned S3 URL for direct download (when encryption is off)
-
 </Step>
 
 <Step title="Delete skill">

docs/content/docs/(guides)/tool/(features)/disk_tools.mdx

@@ -135,10 +135,6 @@ while (true) {
 {"filename": "report.pdf", "file_path": "/", "expire": 3600}
 ```
 
-<Note>
-When **envelope encryption** is enabled on the project, presigned URLs cannot be generated because files are encrypted at rest with a per-project key. In this case the tool returns a message directing the LLM to use the API download endpoint instead.
-</Note>
-
 ### grep_disk
 
 Search file contents with regex:

docs/content/docs/(guides)/tool/(features)/skill_tools.mdx

@@ -133,10 +133,6 @@ Returns: Skill ID, description, and file index with MIME types.
 
 Returns: File content (text) or presigned URL (binary).
 
-<Note>
-When **envelope encryption** is enabled, binary files are returned as base64-encoded content (`raw_content` field) instead of a presigned URL, since encrypted objects cannot be served directly from S3. The tool presents the content inline to the LLM regardless of delivery method.
-</Note>
-
 <Warning>
 **Read-only:** These tools can only read skill content. To execute skill scripts, use [Sandbox Tools](/tool/bash_tools#mounting-agent-skills).
 </Warning>

src/client/acontext-py/src/acontext/agent/disk.py

@@ -455,11 +455,10 @@ def execute(self, ctx: DiskContext, llm_arguments: dict) -> str:
             expire=expire,
         )
 
-        if result.public_url:
-            return f"Public download URL for '{normalized_path}{filename}' (expires in {expire}s):\n{result.public_url}"
+        if not result.public_url:
+            raise RuntimeError("Failed to get public URL: server did not return a URL.")
 
-        # Encryption enabled — no presigned URL
-        return f"File '{normalized_path}{filename}' is available. Use the download API endpoint to retrieve its content."
+        return f"Public download URL for '{normalized_path}{filename}' (expires in {expire}s):\n{result.public_url}"
 
     async def async_execute(self, ctx: AsyncDiskContext, llm_arguments: dict) -> str:
         """Get a public download URL for a file (async)."""
@@ -479,10 +478,10 @@ async def async_execute(self, ctx: AsyncDiskContext, llm_arguments: dict) -> str
             expire=expire,
         )
 
-        if result.public_url:
-            return f"Public download URL for '{normalized_path}{filename}' (expires in {expire}s):\n{result.public_url}"
+        if not result.public_url:
+            raise RuntimeError("Failed to get public URL: server did not return a URL.")
 
-        return f"File '{normalized_path}{filename}' is available. Use the download API endpoint to retrieve its content."
+        return f"Public download URL for '{normalized_path}{filename}' (expires in {expire}s):\n{result.public_url}"
 
 
 class GrepArtifactsTool(BaseTool):

src/client/acontext-py/src/acontext/resources/async_skills.py

@@ -170,9 +170,6 @@ async def download(
 
             if resp.content is not None:
                 file_dest.write_text(resp.content.raw, encoding="utf-8")
-            elif resp.raw_content is not None:
-                import base64
-                file_dest.write_bytes(base64.b64decode(resp.raw_content))
             elif resp.url is not None:
                 async with httpx.AsyncClient() as http:
                     r = await http.get(resp.url)

src/client/acontext-py/src/acontext/resources/skills.py

@@ -172,9 +172,6 @@ def download(
 
             if resp.content is not None:
                 file_dest.write_text(resp.content.raw, encoding="utf-8")
-            elif resp.raw_content is not None:
-                import base64
-                file_dest.write_bytes(base64.b64decode(resp.raw_content))
             elif resp.url is not None:
                 r = httpx.get(resp.url)
                 r.raise_for_status()

src/client/acontext-py/src/acontext/types/skill.py

@@ -64,14 +64,6 @@ class GetSkillFileResp(BaseModel):
         None,
         description="Parsed file content if available (present if file is parseable)",
     )
-    raw_content: str | None = Field(
-        None,
-        description="Base64-encoded binary content (present when encryption is enabled for non-text files)",
-    )
-    content_mime: str | None = Field(
-        None,
-        description="MIME type of raw_content",
-    )
 
 
 class DownloadSkillToSandboxResp(BaseModel):

src/client/acontext-ts/src/agent/disk.ts

@@ -290,12 +290,11 @@ export class DownloadFileTool extends AbstractBaseTool {
       expire,
     });
 
-    if (result.public_url) {
-      return `Public download URL for '${normalizedPath}${filename}' (expires in ${expire}s):\n${result.public_url}`;
+    if (!result.public_url) {
+      throw new Error('Failed to get public URL: server did not return a URL.');
     }
 
-    // Encryption enabled — no presigned URL, content available via API proxy
-    return `File '${normalizedPath}${filename}' is available. Use the download API endpoint to retrieve its content.`;
+    return `Public download URL for '${normalizedPath}${filename}' (expires in ${expire}s):\n${result.public_url}`;
   }
 }
 

src/client/acontext-ts/src/resources/skills.ts

@@ -156,10 +156,6 @@ export class SkillsAPI {
 
       if (resp.content) {
         await fs.writeFile(fileDest, resp.content.raw, 'utf-8');
-      } else if (resp.raw_content) {
-        // Binary content returned as base64 (when encryption is enabled)
-        const buffer = Buffer.from(resp.raw_content, 'base64');
-        await fs.writeFile(fileDest, buffer);
       } else if (resp.url) {
         const r = await fetch(resp.url);
         if (!r.ok) {

src/client/acontext-ts/src/types/skill.ts

@@ -47,8 +47,6 @@ export const GetSkillFileRespSchema = z.object({
   mime: z.string(),
   url: z.string().nullable().optional(),
   content: FileContentSchema.nullable().optional(),
-  raw_content: z.string().nullable().optional(), // base64-encoded binary content (when encryption enabled)
-  content_mime: z.string().nullable().optional(),
 });
 
 export type GetSkillFileResp = z.infer<typeof GetSkillFileRespSchema>;