[local/test] Multipart upload to disk
Query path is the relative object key (e.g. userId/developer_agent_images/uuid.png). Multipart field file is the binary body. Used when GoogleStorageProvider.getUploadFileSignedUrl returns an uploadUrl pointing at mcp-main instead of hooks/GCS.
Authorizations
User JWT access token issued by POST /api/auth/verify or POST /api/auth/social/verify. Routes that accept both auth modes declare api-key and bearer-jwt security schemes.
Headers
HMAC-SHA256 signature: HMAC-SHA256(secretKey, timestamp + METHOD + path + body). Optional -- when omitted, HMAC verification is skipped.
Request timestamp in epoch milliseconds. Required when x-signature is provided. Rejected if drift exceeds 5 minutes.