修复生成图片签名地址重复换签

将 refreshKey 调整为 signed URL 缓存版本号，同一路径同版本复用未过期签名地址。

让完整阿里云 OSS generated 地址在 hook 中先归一并走 read-url 换签。

补充前端回归测试，覆盖相同 refreshKey 不重复换签和完整 OSS 地址不裸写入图片。

更新运维文档与 Hermes 记忆，明确 refreshKey 不是每次绕过签名缓存。

src/services/assetReadUrlService.test.ts

@@ -223,6 +223,51 @@ describe('assetReadUrlService', () => {
     );
   });
 
+  test('resolveAssetReadUrl reuses signed url for the same refreshKey version', async () => {
+    vi.useFakeTimers();
+    vi.setSystemTime(new Date('2099-01-01T00:00:00Z'));
+    vi.spyOn(globalThis, 'fetch').mockResolvedValue(
+      new Response(
+        JSON.stringify({
+          ok: true,
+          data: {
+            read: {
+              objectKey:
+                'generated-puzzle-assets/puzzle-session-1/candidate-1/asset-1/image.png',
+              signedUrl: 'https://signed.example.com/puzzle.png?x-oss-signature=stable',
+              expiresAt: '2099-01-01T00:10:00Z',
+            },
+          },
+          error: null,
+          meta: {
+            apiVersion: '2026-04-08',
+            routeVersion: '2026-04-08',
+            latencyMs: 1,
+            timestamp: '2099-01-01T00:00:00Z',
+          },
+        }),
+        {
+          status: 200,
+          headers: {
+            'Content-Type': 'application/json',
+          },
+        },
+      ),
+    );
+
+    const source =
+      '/generated-puzzle-assets/puzzle-session-1/candidate-1/asset-1/image.png';
+    const first = await resolveAssetReadUrl(source, {
+      refreshKey: 'asset-version-1',
+    });
+    const second = await resolveAssetReadUrl(source, {
+      refreshKey: 'asset-version-1',
+    });
+
+    expect(first).toBe(second);
+    expect(globalThis.fetch).toHaveBeenCalledTimes(1);
+  });
+
   test('getSignedAssetReadUrl reuses cached signed url before expiry', async () => {
     vi.useFakeTimers();
     vi.setSystemTime(new Date('2099-01-01T00:00:00Z'));