feat(source/cloud-storage): add Cloud Storage source with list_objects and read_object tools

Adds a new project-scoped `cloud-storage` source using ADC, plus two read-only
tools: `cloud-storage-list-objects` (with prefix/delimiter/pagination) and
`cloud-storage-read-object` (with HTTP-style byte range and base64 payload).

Introduces a GCS-aware error classifier in `cloudstoragecommon` that splits
failures into Agent errors (missing bucket/object, bad request, unsatisfiable
range) and Server errors (auth, IAM denial, quota, 5xx, cancellation) per
DEVELOPER.md, replacing the coarse-grained `util.ProcessGcpError`.

Ships YAML-parse unit tests, an error-classifier unit test, a range-parser unit
test, a live-GCS integration test (12 sub-tests, UUID-suffixed bucket with
self-cleanup), docs under `docs/en/integrations/cloud-storage/`, and a
`cloud-storage` CI shard.

The remaining 12 tools from the approved design doc land in follow-up PRs.

Author: huangjiahua

.ci/integration.cloudbuild.yaml

@@ -448,6 +448,34 @@ steps:
           exit 0
         fi
 
+  - id: "cloud-storage"
+    name: golang:1
+    waitFor: ["compile-test-binary", "detect-changes"]
+    entrypoint: /bin/bash
+    env:
+      - "GOPATH=/gopath"
+      - "CLOUD_STORAGE_PROJECT=$PROJECT_ID"
+      - "SERVICE_ACCOUNT_EMAIL=$SERVICE_ACCOUNT_EMAIL"
+    secretEnv: ["CLIENT_ID"]
+    volumes:
+      - name: "go"
+        path: "/gopath"
+    args:
+      - -c
+      - |
+        PATTERN="cloudstorage|internal/server/|.ci/"
+
+        if grep -qE "$$PATTERN" /workspace/changed_files.txt; then
+          echo "Relevant changes detected. Running Cloud Storage tests..."
+          .ci/test_with_coverage.sh \
+            "Cloud Storage" \
+            cloudstorage \
+            cloudstorage
+        else
+          echo "No relevant changes for Cloud Storage. Skipping shard."
+          exit 0
+        fi
+
   - id: "postgres"
     name: golang:1
     waitFor: ["compile-test-binary", "detect-changes"]

cmd/internal/imports.go

@@ -83,6 +83,8 @@ import (
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/cloudsqlpg/vectorassistdefinespec"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/cloudsqlpg/vectorassistgeneratequery"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/cloudsqlpg/vectorassistmodifyspec"
+	_ "github.com/googleapis/mcp-toolbox/internal/tools/cloudstorage/cloudstoragelistobjects"
+	_ "github.com/googleapis/mcp-toolbox/internal/tools/cloudstorage/cloudstoragereadobject"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/cockroachdb/cockroachdbexecutesql"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/cockroachdb/cockroachdblistschemas"
 	_ "github.com/googleapis/mcp-toolbox/internal/tools/cockroachdb/cockroachdblisttables"
@@ -261,6 +263,7 @@ import (
 	_ "github.com/googleapis/mcp-toolbox/internal/sources/cloudsqlmssql"
 	_ "github.com/googleapis/mcp-toolbox/internal/sources/cloudsqlmysql"
 	_ "github.com/googleapis/mcp-toolbox/internal/sources/cloudsqlpg"
+	_ "github.com/googleapis/mcp-toolbox/internal/sources/cloudstorage"
 	_ "github.com/googleapis/mcp-toolbox/internal/sources/cockroachdb"
 	_ "github.com/googleapis/mcp-toolbox/internal/sources/couchbase"
 	_ "github.com/googleapis/mcp-toolbox/internal/sources/dataplex"

docs/en/integrations/cloud-storage/_index.md

@@ -0,0 +1,4 @@
+---
+title: "Cloud Storage"
+weight: 1
+---

docs/en/integrations/cloud-storage/source.md

@@ -0,0 +1,69 @@
+---
+title: "Cloud Storage Source"
+linkTitle: "Source"
+type: docs
+weight: 1
+description: >
+  Cloud Storage is Google Cloud's managed service for storing unstructured objects (files) in buckets. Toolbox connects at the project level, allowing tools to list, read, and manage objects across any bucket the credentials can access.
+no_list: true
+---
+
+## About
+
+[Cloud Storage][gcs-docs] is Google Cloud's managed service for storing
+unstructured data (blobs) in containers called *buckets*. Buckets live in a GCP
+project; objects are addressed by `gs://<bucket>/<object>`.
+
+If you are new to Cloud Storage, you can try the
+[quickstart][gcs-quickstart] to create a bucket and upload your first objects.
+
+The Cloud Storage source is configured at the **project** level. Individual
+tools take a `bucket` parameter, so a single configured source can operate
+against any bucket the underlying credentials are authorized for.
+
+[gcs-docs]: https://cloud.google.com/storage/docs
+[gcs-quickstart]: https://cloud.google.com/storage/docs/discover-object-storage-console
+
+## Available Tools
+
+{{< list-tools >}}
+
+## Requirements
+
+### IAM Permissions
+
+Cloud Storage uses [Identity and Access Management (IAM)][iam-overview] to
+control access to buckets and objects. Toolbox uses your
+[Application Default Credentials (ADC)][adc] to authorize and authenticate when
+interacting with Cloud Storage.
+
+In addition to [setting the ADC for your server][set-adc], ensure the IAM
+identity has the appropriate role for the tools being exposed. Common roles:
+
+- `roles/storage.objectViewer` — read-only access to objects (sufficient for
+  `cloud-storage-list-objects` and `cloud-storage-read-object`)
+- `roles/storage.objectUser` — read and write access to objects
+- `roles/storage.admin` — full control, including bucket management
+
+See [Cloud Storage IAM roles][gcs-iam] for the full list.
+
+[iam-overview]: https://cloud.google.com/storage/docs/access-control/iam
+[adc]: https://cloud.google.com/docs/authentication#adc
+[set-adc]: https://cloud.google.com/docs/authentication/provide-credentials-adc
+[gcs-iam]: https://cloud.google.com/storage/docs/access-control/iam-roles
+
+## Example
+
+```yaml
+kind: source
+name: my-gcs-source
+type: "cloud-storage"
+project: "my-project-id"
+```
+
+## Reference
+
+| **field** | **type** | **required** | **description**                                                                 |
+|-----------|:--------:|:------------:|---------------------------------------------------------------------------------|
+| type      |  string  |     true     | Must be "cloud-storage".                                                        |
+| project   |  string  |     true     | Id of the GCP project the configured source is associated with (e.g. "my-project-id"). |

docs/en/integrations/cloud-storage/tools/_index.md

@@ -0,0 +1,4 @@
+---
+title: "Tools"
+weight: 2
+---

docs/en/integrations/cloud-storage/tools/cloud-storage-list-objects.md

@@ -0,0 +1,56 @@
+---
+title: "cloud-storage-list-objects"
+type: docs
+weight: 1
+description: >
+  A "cloud-storage-list-objects" tool lists objects in a Cloud Storage bucket, with optional prefix filtering and delimiter-based grouping.
+---
+
+## About
+
+A `cloud-storage-list-objects` tool returns the objects in a
+[Cloud Storage bucket][gcs-buckets]. It supports the usual GCS listing options:
+
+- `prefix` — filter results to objects whose names begin with the given string.
+- `delimiter` — group results by this character (typically `/`) so subdirectory-like
+  "common prefixes" are returned separately from the leaf objects.
+- `max_results` / `page_token` — paginate through large listings.
+
+The response is a JSON object with `objects` (the full object metadata as
+returned by the Cloud Storage API — fields such as `Name`, `Size`, `ContentType`,
+`Updated`, `StorageClass`, `MD5`, etc.), `prefixes` (the common prefixes when
+`delimiter` is set), and `nextPageToken` (empty when there are no more pages).
+
+[gcs-buckets]: https://cloud.google.com/storage/docs/buckets
+
+## Compatible Sources
+
+{{< compatible-sources >}}
+
+## Parameters
+
+| **parameter** | **type** | **required** | **description**                                                                                                   |
+|---------------|:--------:|:------------:|-------------------------------------------------------------------------------------------------------------------|
+| bucket        |  string  |     true     | Name of the Cloud Storage bucket to list objects from.                                                            |
+| prefix        |  string  |    false     | Filter results to objects whose names begin with this prefix.                                                     |
+| delimiter     |  string  |    false     | Delimiter used to group object names (typically '/'). When set, common prefixes are returned as `prefixes`.       |
+| max_results   | integer  |    false     | Maximum number of objects to return per page. A value of 0 uses the API default (1000); the maximum allowed is 1000. |
+| page_token    |  string  |    false     | A previously-returned page token for retrieving the next page of results.                                         |
+
+## Example
+
+```yaml
+kind: tool
+name: list_objects
+type: cloud-storage-list-objects
+source: my-gcs-source
+description: Use this tool to list objects in a Cloud Storage bucket.
+```
+
+## Reference
+
+| **field**   | **type** | **required** | **description**                                         |
+|-------------|:--------:|:------------:|---------------------------------------------------------|
+| type        |  string  |     true     | Must be "cloud-storage-list-objects".                   |
+| source      |  string  |     true     | Name of the Cloud Storage source to list objects from.  |
+| description |  string  |     true     | Description of the tool that is passed to the LLM.      |

docs/en/integrations/cloud-storage/tools/cloud-storage-read-object.md

@@ -0,0 +1,50 @@
+---
+title: "cloud-storage-read-object"
+type: docs
+weight: 2
+description: >
+  A "cloud-storage-read-object" tool reads the content of a Cloud Storage object and returns it as a base64-encoded string, optionally constrained to a byte range.
+---
+
+## About
+
+A `cloud-storage-read-object` tool fetches the bytes of a single
+[Cloud Storage object][gcs-objects] and returns them base64-encoded so that
+arbitrary binary content can be round-tripped through JSON safely. For large
+objects, prefer the optional `range` parameter to read only the bytes you need.
+
+This tool is intended for small-to-medium textual or binary content an LLM can
+process directly. For bulk downloads of large files to the local filesystem,
+use `cloud-storage-download-object` (coming in a follow-up release).
+
+[gcs-objects]: https://cloud.google.com/storage/docs/objects
+
+## Compatible Sources
+
+{{< compatible-sources >}}
+
+## Parameters
+
+| **parameter** | **type** | **required** | **description**                                                                                                                                   |
+|---------------|:--------:|:------------:|---------------------------------------------------------------------------------------------------------------------------------------------------|
+| bucket        |  string  |     true     | Name of the Cloud Storage bucket containing the object.                                                                                           |
+| object        |  string  |     true     | Full object name (path) within the bucket, e.g. `path/to/file.txt`.                                                                               |
+| range         |  string  |    false     | Optional HTTP byte range, e.g. `bytes=0-999` (first 1000 bytes), `bytes=-500` (last 500 bytes), or `bytes=500-` (from byte 500 to end). Empty reads the full object. |
+
+## Example
+
+```yaml
+kind: tool
+name: read_object
+type: cloud-storage-read-object
+source: my-gcs-source
+description: Use this tool to read the content of a Cloud Storage object.
+```
+
+## Reference
+
+| **field**   | **type** | **required** | **description**                                         |
+|-------------|:--------:|:------------:|---------------------------------------------------------|
+| type        |  string  |     true     | Must be "cloud-storage-read-object".                    |
+| source      |  string  |     true     | Name of the Cloud Storage source to read the object from. |
+| description |  string  |     true     | Description of the tool that is passed to the LLM.      |

go.mod

@@ -16,6 +16,7 @@ require (
 	cloud.google.com/go/logging v1.13.2
 	cloud.google.com/go/longrunning v0.9.0
 	cloud.google.com/go/spanner v1.89.0
+	cloud.google.com/go/storage v1.62.1
 	github.com/ClickHouse/clickhouse-go/v2 v2.44.0
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.55.0
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/trace v1.31.0
@@ -96,7 +97,7 @@ require (
 	cloud.google.com/go/auth v0.19.0 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	cloud.google.com/go/compute/metadata v0.9.0 // indirect
-	cloud.google.com/go/iam v1.6.0 // indirect
+	cloud.google.com/go/iam v1.7.0 // indirect
 	cloud.google.com/go/monitoring v1.24.3 // indirect
 	cloud.google.com/go/trace v1.11.7 // indirect
 	dario.cat/mergo v1.0.2 // indirect
@@ -184,7 +185,7 @@ require (
 	github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.14 // indirect
-	github.com/googleapis/gax-go/v2 v2.20.0 // indirect
+	github.com/googleapis/gax-go/v2 v2.21.0 // indirect
 	github.com/gorilla/websocket v1.5.3 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 // indirect
 	github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c // indirect

go.sum

@@ -29,8 +29,8 @@ cloud.google.com/go/firestore v1.21.0 h1:BhopUsx7kh6NFx77ccRsHhrtkbJUmDAxNY3uapW
 cloud.google.com/go/firestore v1.21.0/go.mod h1:1xH6HNcnkf/gGyR8udd6pFO4Z7GWJSwLKQMx/u6UrP4=
 cloud.google.com/go/geminidataanalytics v0.9.0 h1:JeuMqZp4PlD9i0TLv+c2oTZe+UEatmF6oRC582TwxD8=
 cloud.google.com/go/geminidataanalytics v0.9.0/go.mod h1:IUJTO6abmPj5LNZWUqohEEeHmTgLDlIBFwwRC6VJZgM=
-cloud.google.com/go/iam v1.6.0 h1:JiSIcEi38dWBKhB3BtfKCW+dMvCZJEhBA2BsaGJgoxs=
-cloud.google.com/go/iam v1.6.0/go.mod h1:ZS6zEy7QHmcNO18mjO2viYv/n+wOUkhJqGNkPPGueGU=
+cloud.google.com/go/iam v1.7.0 h1:JD3zh0C6LHl16aCn5Akff0+GELdp1+4hmh6ndoFLl8U=
+cloud.google.com/go/iam v1.7.0/go.mod h1:tetWZW1PD/m6vcuY2Zj/aU0eCHNPuxedbnbRTyKXvdY=
 cloud.google.com/go/logging v1.13.2 h1:qqlHCBvieJT9Cdq4QqYx1KPadCQ2noD4FK02eNqHAjA=
 cloud.google.com/go/logging v1.13.2/go.mod h1:zaybliM3yun1J8mU2dVQ1/qDzjbOqEijZCn6hSBtKak=
 cloud.google.com/go/longrunning v0.9.0 h1:0EzbDEGsAvOZNbqXopgniY0w0a1phvu5IdUFq8grmqY=
@@ -39,8 +39,8 @@ cloud.google.com/go/monitoring v1.24.3 h1:dde+gMNc0UhPZD1Azu6at2e79bfdztVDS5lvhO
 cloud.google.com/go/monitoring v1.24.3/go.mod h1:nYP6W0tm3N9H/bOw8am7t62YTzZY+zUeQ+Bi6+2eonI=
 cloud.google.com/go/spanner v1.89.0 h1:r3h5Z5RA8JRPf3HCvA6ujNhREIMhPY+MrDL9mkY8jS0=
 cloud.google.com/go/spanner v1.89.0/go.mod h1:okNuxnp1wdPaVoM5M28Al2irKZLkHhZ2Z+DW6/ZJWGw=
-cloud.google.com/go/storage v1.61.3 h1:VS//ZfBuPGDvakfD9xyPW1RGF1Vy3BWUoVZXgW1KMOg=
-cloud.google.com/go/storage v1.61.3/go.mod h1:JtqK8BBB7TWv0HVGHubtUdzYYrakOQIsMLffZ2Z/HWk=
+cloud.google.com/go/storage v1.62.1 h1:Os0G3XbUbjZumkpDUf2Y0rLoXJTCF1kU2kWUujKYXD8=
+cloud.google.com/go/storage v1.62.1/go.mod h1:cpYz/kRVZ+UQAF1uHeea10/9ewcRbxGoGNKsS9daSXA=
 cloud.google.com/go/trace v1.11.7 h1:kDNDX8JkaAG3R2nq1lIdkb7FCSi1rCmsEtKVsty7p+U=
 cloud.google.com/go/trace v1.11.7/go.mod h1:TNn9d5V3fQVf6s4SCveVMIBS2LJUqo73GACmq/Tky0s=
 dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
@@ -364,8 +364,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/enterprise-certificate-proxy v0.3.14 h1:yh8ncqsbUY4shRD5dA6RlzjJaT4hi3kII+zYw8wmLb8=
 github.com/googleapis/enterprise-certificate-proxy v0.3.14/go.mod h1:vqVt9yG9480NtzREnTlmGSBmFrA+bzb0yl0TxoBQXOg=
-github.com/googleapis/gax-go/v2 v2.20.0 h1:NIKVuLhDlIV74muWlsMM4CcQZqN6JJ20Qcxd9YMuYcs=
-github.com/googleapis/gax-go/v2 v2.20.0/go.mod h1:But/NJU6TnZsrLai/xBAQLLz+Hc7fHZJt/hsCz3Fih4=
+github.com/googleapis/gax-go/v2 v2.21.0 h1:h45NjjzEO3faG9Lg/cFrBh2PgegVVgzqKzuZl/wMbiI=
+github.com/googleapis/gax-go/v2 v2.21.0/go.mod h1:But/NJU6TnZsrLai/xBAQLLz+Hc7fHZJt/hsCz3Fih4=
 github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
 github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7FsgI=
@@ -656,6 +656,8 @@ go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 h1:88Y4s2C8oTui1LGM6bT
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0/go.mod h1:Vl1/iaggsuRlrHf/hfPJPvVag77kKyvrLeD10kpMl+A=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0 h1:3iZJKlCZufyRzPzlQhUIWVmfltrXuGyfjREgGP3UUjc=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0/go.mod h1:/G+nUPfhq2e+qiXMGxMwumDrP5jtzU+mWN7/sjT2rak=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.43.0 h1:TC+BewnDpeiAmcscXbGMfxkO+mwYUwE/VySwvw88PfA=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.43.0/go.mod h1:J/ZyF4vfPwsSr9xJSPyQ4LqtcTPULFR64KwTikGLe+A=
 go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM=
 go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY=
 go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg=