test(scripts): harden remote43 managed-probe validation

scripts/import_remote43_provider.sh

@@ -19,7 +19,7 @@ HOST_NAME="${HOST_NAME:-remote43-current-host}"
 REMOTE_HOST_ENV_FILE="${REMOTE_HOST_ENV_FILE:-/home/ubuntu/sub2api-host-validation-fresh-deepseek-20260519_115244/.env}"
 REMOTE_PG_CONTAINER="${REMOTE_PG_CONTAINER:-sub2api-relaymgr-pg}"
 REMOTE_REDIS_CONTAINER="${REMOTE_REDIS_CONTAINER:-sub2api-relaymgr-redis}"
-PACK_PATH="${PACK_PATH:-/home/ubuntu/sub2api-cn-relay-manager/packs/openai-cn-pack}"
+PACK_PATH="${PACK_PATH:-$ROOT_DIR/packs/openai-cn-pack}"
 ROOT="${ROOT:-$ROOT_DIR/artifacts/real-host-acceptance}"
 ART="${ART:-$ROOT/$(date +%Y%m%d_%H%M%S)_remote43_${provider_id}_key_import}"
 MIN_BALANCE="${MIN_BALANCE:-10}"
@@ -46,6 +46,53 @@ ssh_cmd() {
   ssh -i "$KEY" -o StrictHostKeyChecking=no "$REMOTE" "$cmd"
 }
 
+build_managed_subscription_identity_json() {
+  local selector="$1"
+  local group_id="$2"
+  python3 - "$selector" "$group_id" <<'PY'
+import hashlib, json, sys
+
+selector, group_id = sys.argv[1:3]
+
+def sanitize(value: str) -> str:
+    value = value.strip().lower()
+    chars = []
+    last_dash = False
+    for ch in value:
+        if ('a' <= ch <= 'z') or ('0' <= ch <= '9'):
+            chars.append(ch)
+            last_dash = False
+        elif not last_dash:
+            chars.append('-')
+            last_dash = True
+    return ''.join(chars).strip('-')
+
+def truncate(value: str, max_len: int) -> str:
+    if len(value) <= max_len:
+        return value
+    return value[:max_len].strip('-')
+
+normalized = selector.strip().lower() + '|' + group_id.strip()
+digest = hashlib.sha256(normalized.encode('utf-8')).hexdigest()
+prefix = sanitize(selector) or 'relay-sub'
+prefix = truncate(prefix, 24)
+short_hash = digest[:16]
+key_hash = digest[:32]
+username = truncate(f"{prefix}-{short_hash[:8]}", 32)
+print(json.dumps({
+    'email': f"{prefix}-{short_hash}@sub2api.local",
+    'username': username,
+    'custom_key': 'sk-relay-' + key_hash,
+    'key_name': truncate(username + '-key', 48),
+}, ensure_ascii=False))
+PY
+}
+
+remote_lookup_managed_subscription_user_id() {
+  local email="$1"
+  remote_pg_query "select id from users where email = $(sql_literal "$email") order by id desc limit 1;"
+}
+
 crm_curl_json() {
   local method="$1"
   local path="$2"
@@ -344,6 +391,11 @@ for item in batch_obj.get('managed_resources', []):
 raise SystemExit('missing managed group in import response and batch detail')
 PY
 )"
+managed_identity_json="$(build_managed_subscription_identity_json "$sub_uid" "$subscription_group_id")"
+managed_user_email="$(printf '%s' "$managed_identity_json" | python3 -c 'import json,sys; print(json.load(sys.stdin)["email"])')"
+managed_probe_key="$(printf '%s' "$managed_identity_json" | python3 -c 'import json,sys; print(json.load(sys.stdin)["custom_key"])')"
+managed_user_id="$(remote_lookup_managed_subscription_user_id "$managed_user_email")"
+managed_user_id="${managed_user_id##*$'\n'}"
 auth_cache_key="$(build_api_key_auth_cache_key "$sub_key")"
 balance_cache_key="$(build_user_balance_cache_key "$sub_uid")"
 subscription_cache_key="$(build_subscription_billing_cache_key "$sub_uid" "$subscription_group_id")"
@@ -360,11 +412,15 @@ remote_pg_exec "$prep_sql" > "$ART/06-subscription-access-prep.psql.txt"
   printf 'subscription_cache_key=%s\n' "$subscription_cache_key"
   ssh_cmd "sudo -n docker exec $REMOTE_REDIS_CONTAINER_Q redis-cli DEL $auth_cache_key $balance_cache_key $subscription_cache_key"
 } > "$ART/07-redis-targeted-invalidation.txt"
-remote_fetch_group_state "$subscription_group_id" "$sub_uid" "$sub_key" "$ART/08-subscription-group-state.json"
+if [[ -n "$managed_user_id" ]]; then
+  remote_fetch_group_state "$subscription_group_id" "$managed_user_id" "$managed_probe_key" "$ART/08-subscription-group-state.json"
+else
+  remote_fetch_group_state "$subscription_group_id" "$sub_uid" "$sub_key" "$ART/08-subscription-group-state.json"
+fi
 
-python3 - "$ART/01-runtime-context.json" "$CRM_BASE" "$HOST_BASE" "$CRM_HOST_BASE" "$provider_id" "$sub_uid" "$sub_key" "$subscription_group_id" "$admin_uid" <<'PY'
+python3 - "$ART/01-runtime-context.json" "$CRM_BASE" "$HOST_BASE" "$CRM_HOST_BASE" "$provider_id" "$sub_uid" "$sub_key" "$subscription_group_id" "$admin_uid" "$managed_user_email" "$managed_probe_key" "$managed_user_id" <<'PY'
 import json, sys, pathlib
-path, crm, host, crm_host, provider_id, sub_uid, sub_key, group_id, admin_uid = sys.argv[1:10]
+path, crm, host, crm_host, provider_id, sub_uid, sub_key, group_id, admin_uid, managed_user_email, managed_probe_key, managed_user_id = sys.argv[1:13]
 pathlib.Path(path).write_text(json.dumps({
   'crm_base': crm,
   'host_base': host,
@@ -374,6 +430,9 @@ pathlib.Path(path).write_text(json.dumps({
   'subscription_user_key_prefix': sub_key[:12],
   'subscription_group_id': group_id,
   'admin_user_id': admin_uid,
+  'managed_user_email': managed_user_email,
+  'managed_user_id': managed_user_id,
+  'managed_probe_key_prefix': managed_probe_key[:18],
 }, ensure_ascii=False, indent=2), encoding='utf-8')
 PY
 
@@ -387,11 +446,11 @@ print(json.dumps({
 }, ensure_ascii=False))
 PY
 )"
-ssh_cmd "curl -sS -D /tmp/models_headers.txt -o /tmp/models_body.json -H 'Authorization: Bearer $sub_key' $HOST_BASE/v1/models"
+ssh_cmd "curl -sS -D /tmp/models_headers.txt -o /tmp/models_body.json -H 'Authorization: Bearer $managed_probe_key' $HOST_BASE/v1/models"
 ssh_cmd "cat /tmp/models_headers.txt" > "$ART/09-models.headers.txt"
 ssh_cmd "cat /tmp/models_body.json" > "$ART/10-models.body.json"
 
-ssh_cmd "curl -sS -D /tmp/chat_headers.txt -o /tmp/chat_body.json -H 'Authorization: Bearer $sub_key' -H 'Content-Type: application/json' $HOST_BASE/v1/chat/completions -d $(printf %q "$probe_payload")"
+ssh_cmd "curl -sS -D /tmp/chat_headers.txt -o /tmp/chat_body.json -H 'Authorization: Bearer $managed_probe_key' -H 'Content-Type: application/json' $HOST_BASE/v1/chat/completions -d $(printf %q "$probe_payload")"
 ssh_cmd "cat /tmp/chat_headers.txt" > "$ART/11-chat.headers.txt"
 ssh_cmd "cat /tmp/chat_body.json" > "$ART/12-chat.body.json"