feat(audit): add pricing signature guards and reporting

Add snapshot, signature, and drift guard support for Vertex AI, Cloudflare Workers AI, and Perplexity API, backed by a queryable audit table and recent-window view.

This commit also wires the audit query layer into daily signal materialization and report generation so structure drift becomes a first-class signal instead of a log-only artifact.

scripts/import_cloudflare_pricing.go

@@ -0,0 +1,58 @@
+//go:build llm_script
+
+package main
+
+import (
+	"database/sql"
+	"flag"
+	"fmt"
+	"os"
+	"time"
+)
+
+func main() {
+	loadSubscriptionImportEnv()
+
+	var url string
+	var fixture string
+	var dryRun bool
+	var timeoutSeconds int
+	var snapshotOnly bool
+	var snapshotOut string
+	var signatureOut string
+
+	flag.StringVar(&url, "url", defaultCloudflarePricingFetchURL, "Cloudflare Workers AI 官方价格 markdown")
+	flag.StringVar(&fixture, "fixture", "", "Cloudflare Workers AI 价格样例文件")
+	flag.BoolVar(&dryRun, "dry-run", false, "仅解析并打印摘要，不写入数据库")
+	flag.BoolVar(&snapshotOnly, "snapshot-only", false, "仅抓取并落盘 Cloudflare 价格页快照与结构签名")
+	flag.StringVar(&snapshotOut, "snapshot-out", "", "Cloudflare 原始 markdown 快照输出路径")
+	flag.StringVar(&signatureOut, "signature-out", "", "Cloudflare 结构签名 JSON 输出路径")
+	flag.IntVar(&timeoutSeconds, "timeout", 20, "请求超时（秒）")
+	flag.Parse()
+
+	cfg := cloudflarePricingImportConfig{
+		URL:          url,
+		Fixture:      fixture,
+		DryRun:       dryRun,
+		Timeout:      time.Duration(timeoutSeconds) * time.Second,
+		SnapshotOnly: snapshotOnly,
+		SnapshotOut:  snapshotOut,
+		SignatureOut: signatureOut,
+	}
+
+	var db *sql.DB
+	var err error
+	if !cfg.DryRun && !cfg.SnapshotOnly {
+		db, err = subscriptionImportDB()
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "open db: %v\n", err)
+			os.Exit(1)
+		}
+		defer db.Close()
+	}
+
+	if err := runCloudflarePricingImport(cfg, db, os.Stdout); err != nil {
+		fmt.Fprintf(os.Stderr, "import_cloudflare_pricing: %v\n", err)
+		os.Exit(1)
+	}
+}