Harden HTTP temp upload IDs and raw directory upload docs #1013

@qin-ctx

Summary

HTTP temp uploads currently need a hardened public contract:

  • raw HTTP callers should not receive or send server-local filesystem paths
  • temp uploads should use an opaque upload identifier instead of an absolute temp_path
  • raw HTTP directory ingestion should be documented as zip -> temp_upload -> temp_file_id -> target API

Problem

Before this change, temp_upload exposed absolute server paths and downstream APIs accepted temp_path. That leaked host path information and made the HTTP contract depend on server-local filesystem layout.

The docs also did not clearly explain how local directories are handled in HTTP mode.

Expected Behavior

  • POST /api/v1/resources/temp_upload returns temp_file_id
  • /resources, /skills, and /pack/import accept temp_file_id instead of public temp_path
  • server-side validation resolves the upload ID only inside the upload temp directory
  • CLI / SDK / console continue to auto-upload local files and directories
  • raw HTTP docs clearly explain that local directories must be zipped before upload

Acceptance Criteria

  • no HTTP response exposes server-local absolute upload paths
  • raw HTTP callers cannot pass direct host filesystem paths to ingest local server data
  • raw HTTP local directory examples are documented in both English and Chinese docs
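The "resolves the upload ID only inside the upload temp directory" behavior above, as an added sketch that is not taken from the project's code. The ID format (`upload_` plus 32 hex characters), the function names and the `InvalidUploadId` exception are assumptions made for this example.

```python
import re
import secrets
from pathlib import Path

# Assumed ID format for this example: "upload_" + 32 lowercase hex characters.
# No path separators, dots or user-supplied filename parts can match.
_ID_RE = re.compile(r"upload_[0-9a-f]{32}")


class InvalidUploadId(ValueError):
    """Malformed or unknown temp_file_id. Messages never contain host paths."""


def store_upload(upload_dir: Path, data: bytes) -> str:
    """Save an uploaded body under a server-chosen name; return only the ID."""
    temp_file_id = "upload_" + secrets.token_hex(16)
    (upload_dir / temp_file_id).write_bytes(data)
    return temp_file_id  # the HTTP response carries this, not the path


def resolve_temp_file_id(upload_dir: Path, temp_file_id: str) -> Path:
    """Map an ID to a regular file directly inside upload_dir, or raise."""
    # 1. Syntactic check: rejects absolute paths, "../", and nested names
    #    before any filesystem access happens.
    if not isinstance(temp_file_id, str) or not _ID_RE.fullmatch(temp_file_id):
        raise InvalidUploadId("malformed temp_file_id")
    root = upload_dir.resolve()
    candidate = root / temp_file_id
    # 2. Containment check: refuse symlinks and anything whose real location
    #    is not a direct child of the upload directory.
    if candidate.is_symlink() or candidate.resolve().parent != root:
        raise InvalidUploadId("temp_file_id is not a stored upload")
    # 3. Existence check: a well-formed ID that was never issued is rejected.
    if not candidate.is_file():
        raise InvalidUploadId("unknown temp_file_id")
    return candidate
```

Downstream handlers such as `/resources` would call `resolve_temp_file_id` on the received `temp_file_id` and never accept a path field from the request.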
