fix fresh-host acceptance and document real-host debugging learnings

internal/pack/loader.go

@@ -12,6 +12,8 @@ import (
 	"strings"
 )
 
+const envAllowInsecureProviderBaseURL = "SUB2API_CRM_ALLOW_INSECURE_PROVIDER_BASE_URLS"
+
 type Manifest struct {
 	PackID         string `json:"pack_id"`
 	Version        string `json:"version"`
@@ -155,6 +157,8 @@ func loadProviders(root string, providersDir string) ([]ProviderManifest, error)
 
 func validateProviders(providers []ProviderManifest) error {
 	seen := make(map[string]struct{}, len(providers))
+	allowInsecureBaseURL := strings.EqualFold(strings.TrimSpace(os.Getenv(envAllowInsecureProviderBaseURL)), "1") ||
+		strings.EqualFold(strings.TrimSpace(os.Getenv(envAllowInsecureProviderBaseURL)), "true")
 	for _, provider := range providers {
 		providerID := strings.TrimSpace(provider.ProviderID)
 		missingDefaultModel := firstMissingDefaultModel(provider.DefaultModels, provider.ChannelTemplate.ModelMapping)
@@ -163,7 +167,7 @@ func validateProviders(providers []ProviderManifest) error {
 			return fmt.Errorf("provider manifest: provider_id is required")
 		case strings.TrimSpace(provider.DisplayName) == "":
 			return fmt.Errorf("provider %q: display_name is required", providerID)
-		case !strings.HasPrefix(strings.TrimSpace(provider.BaseURL), "https://"):
+		case !hasAllowedProviderBaseURL(strings.TrimSpace(provider.BaseURL), allowInsecureBaseURL):
 			return fmt.Errorf("provider %q: base_url must use https", providerID)
 		case strings.TrimSpace(provider.Platform) == "":
 			return fmt.Errorf("provider %q: platform is required", providerID)
@@ -198,6 +202,13 @@ func validateProviders(providers []ProviderManifest) error {
 	return nil
 }
 
+func hasAllowedProviderBaseURL(baseURL string, allowInsecureBaseURL bool) bool {
+	if strings.HasPrefix(baseURL, "https://") {
+		return true
+	}
+	return allowInsecureBaseURL && strings.HasPrefix(baseURL, "http://")
+}
+
 func validateChecksums(root string, checksumFile string) error {
 	path := filepath.Join(root, checksumFile)
 	file, err := os.Open(path)

internal/pack/loader_test.go

@@ -82,6 +82,23 @@ func TestLoadDirRejectsInvalidProviderSchema(t *testing.T) {
 	}
 }
 
+func TestLoadDirAllowsInsecureProviderBaseURLWhenExplicitlyEnabled(t *testing.T) {
+	t.Setenv(envAllowInsecureProviderBaseURL, "1")
+
+	packDir := createPackFixture(t, map[string]string{
+		"pack.json":               `{"pack_id":"openai-cn-pack","version":"1.0.0","vendor":"x","target_host":"sub2api","min_host_version":"0.1.126","max_host_version":"0.2.x","providers_dir":"providers","checksum_file":"checksums.txt"}`,
+		"providers/deepseek.json": `{"provider_id":"deepseek","display_name":"DeepSeek","base_url":"http://insecure.example.com","platform":"openai","account_type":"apikey","default_models":["deepseek-v4-pro"],"smoke_test_model":"deepseek-v4-pro","group_template":{"name":"g","rate_multiplier":1},"channel_template":{"name":"c","model_mapping":{"deepseek-v4-pro":"deepseek-v4-pro"}},"plan_template":{"name":"p","price":1,"validity_days":30,"validity_unit":"day"},"import":{"supports_multi_key":true,"supports_strict":true,"supports_partial":true}}`,
+	})
+
+	loaded, err := LoadDir(packDir)
+	if err != nil {
+		t.Fatalf("LoadDir() error = %v, want insecure http provider accepted when explicitly enabled", err)
+	}
+	if len(loaded.Providers) != 1 || loaded.Providers[0].BaseURL != "http://insecure.example.com" {
+		t.Fatalf("LoadDir() providers = %+v, want insecure provider retained", loaded.Providers)
+	}
+}
+
 func TestLoadDirRejectsSmokeTestModelMissingFromChannelMapping(t *testing.T) {
 	packDir := createPackFixture(t, map[string]string{
 		"pack.json":               `{"pack_id":"openai-cn-pack","version":"1.0.0","vendor":"x","target_host":"sub2api","min_host_version":"0.1.126","max_host_version":"0.2.x","providers_dir":"providers","checksum_file":"checksums.txt"}`,