feat(credential): 支持从函数计算请求头静默刷新 STS 临时凭证

[OhYee]

部署在函数计算（FC）时，最新轮转的 STS 通过每次请求的 x-fc-* 头下发。新增
请求级凭证 overlay（contextvars），让所有 Config/client 在凭证过期后静默使用 最新 STS，对外 SDK API 零破坏。

• Config 凭证 getter 改为懒解析：显式 > 请求级 overlay（仅 ambient）> 环境变量
• 控制面 OpenAPI client 改用 credential provider、TableStore 改用 credentials_provider、MCP/OpenAPI httpx 签名器持有 Config 实时取证（去静态凭证）
• 新增 StsRefreshMiddleware：解析 FC 头注入请求级 overlay；默认仅 FC 启用、 要求完整三元组，防止头注入与凭证混用
• AgentInvoker 同步 handler/生成器路径 copy_context 传播 overlay
• AGENTS.md 增加"一律用 credential provider、禁止静态凭证"强制约定；新增单测

Thank you for creating a pull request to contribute to Serverless Devs agentrun-sdk-python code! Before you open the request please answer the following questions to help it be more easily integrated. Please check the boxes "[ ]" with "[x]" when done too.
Please select one of the PR types below to complete

---

Fix bugs

Bug detail

The specific manifestation of the bug or the associated issue.

Pull request tasks

• Add test cases for the changes
• Passed the CI test

---

Update docs

Reason for update

Why do you need to update your documentation?

Pull request tasks

• Update Chinese documentation
• Update English documentation

---

Add contributor

Contributed content

• Code
• Document

Content detail

if content_type == 'code' || content_type == 'document':
    please tell us `PR url`，like: https://github.com/Serverless-Devs/agentrun-sdk-python/pull/1
else:
    please describe your contribution in detail

---

Others

Reason for update

Why do you need to update your documentation?

[Copilot]

Pull request overview

This PR introduces a request-scoped STS credential “overlay” (via contextvars) intended for Function Compute (FC) deployments where rotated STS credentials are delivered on each request through x-fc-* headers, enabling silent refresh without breaking existing SDK APIs.

Changes:

• Added per-request STS overlay (credential_context) and updated Config credential getters to lazily resolve credentials with priority: explicit > request overlay (ambient only) > environment variables.
• Switched Alibaba Cloud OpenAPI and TableStore client wiring to dynamic credential providers (avoiding “frozen” static credentials), and refactored httpx RAM signing auth to hold Config and fetch live credentials per request.
• Added StsRefreshMiddleware to inject/reset the overlay from request headers, plus AgentInvoker context propagation for sync handlers/generators executed in threadpool.

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
tests/unittests/utils/test_control_api.py	Updates expectations to validate OpenAPI clients receive a credential provider instead of static AK/SK/STS.
tests/unittests/utils/test_config.py	Adjusts tests for lazy credential resolution behavior in Config getters.
tests/unittests/test_sts_refresh.py	Adds comprehensive unit tests for overlay priority, middleware behavior, and live-signing behavior.
tests/unittests/conversation_service/test_session_store.py	Updates TableStore wiring tests to validate credentials_provider behavior.
AGENTS.md	Documents enforced conventions: provider-based credentials and request overlay refresh rules.
agentrun/utils/ram_signature/auth.py	Introduces shared httpx RAM auth that signs per request using live Config getters.
agentrun/utils/credential_providers.py	Adds an Alibaba Cloud OpenAPI credentials provider backed by Config.
agentrun/utils/credential_context.py	Adds contextvars-backed STS credential overlay utilities and data model.
agentrun/utils/control_api.py	Migrates control-plane OpenAPI client construction to provider-based credentials injection.
agentrun/utils/config.py	Implements lazy credential getters with request overlay support and “ambient” gating.
agentrun/toolset/api/mcp.py	Refactors MCP toolset RAM signing to use shared AgentrunRamAuth with live credentials.
agentrun/tool/api/openapi.py	Refactors OpenAPI tool RAM signing to use shared AgentrunRamAuth.
agentrun/tool/api/mcp.py	Refactors MCP tool RAM signing to use shared AgentrunRamAuth.
agentrun/server/sts_middleware.py	Adds middleware to extract FC STS headers and inject/reset request overlay.
agentrun/server/server.py	Installs STS refresh middleware into the server app.
agentrun/server/invoker.py	Propagates contextvars into executor threads for sync handlers and sync generators.
agentrun/memory_collection/memory_conversation.py	Updates TableStore async client creation to use dynamic credentials_provider.
agentrun/conversation_service/utils.py	Adds TableStore CredentialsProvider adapter + updates build_ots_clients to use it.
agentrun/conversation_service/session_store.py	Updates session store initialization to pass Config into OTS client builders (provider-based).
agentrun/conversation_service/__session_store_async_template.py	Mirrors session store changes in the codegen template.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.