feat(control-plane): harden host-scoped reconcile and acceptance evidence

- add batch-scoped reconcile_runs persistence and queries - route batch detail and reconcile writes through batch_id/host_id - refresh production boards with host-scope acceptance artifacts - include latest real-host acceptance evidence for self_service and subscription
2026-05-18 22:22:22 +08:00
parent 71cbaf5fa6
commit 85d495dd16
332 changed files with 5561 additions and 422 deletions
--- a/scripts/build_local_image.sh
+++ b/scripts/build_local_image.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+IMAGE_TAG="${IMAGE_TAG:-sub2api-cn-relay-manager:local}"
+BINARY_PATH="${BINARY_PATH:-$ROOT_DIR/bin/sub2api-cn-relay-manager}"
+
+mkdir -p "$(dirname "$BINARY_PATH")"
+
+echo "[1/2] building linux binary -> $BINARY_PATH"
+(
+  cd "$ROOT_DIR"
+  GOTOOLCHAIN=local CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
+    go build -trimpath -ldflags='-s -w' -o "$BINARY_PATH" ./cmd/server
+)
+
+echo "[2/2] building OCI image -> $IMAGE_TAG"
+(
+  cd "$ROOT_DIR"
+  docker build -f Dockerfile.local -t "$IMAGE_TAG" .
+)
+
+echo "done: $IMAGE_TAG"
--- a/scripts/real_host_acceptance.sh
+++ b/scripts/real_host_acceptance.sh
@@ -0,0 +1,265 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+TIMESTAMP="$(date +%Y%m%d_%H%M%S)"
+ARTIFACT_DIR="${ARTIFACT_DIR:-$ROOT_DIR/artifacts/real-host-acceptance/$TIMESTAMP}"
+DRY_RUN="${DRY_RUN:-0}"
+SKIP_ROLLBACK="${SKIP_ROLLBACK:-0}"
+
+require_var() {
+  local name="$1"
+  if [[ -z "${!name:-}" ]]; then
+    echo "missing required env: $name" >&2
+    exit 1
+  fi
+}
+
+json_get() {
+  local key="$1"
+  python3 -c 'import json, sys
+key = sys.argv[1]
+data = json.load(sys.stdin)
+value = data
+for part in key.split("."):
+    if isinstance(value, dict):
+        value = value.get(part)
+    else:
+        value = None
+        break
+if value is None:
+    sys.exit(2)
+if isinstance(value, (dict, list)):
+    print(json.dumps(value, ensure_ascii=False))
+else:
+    print(value)
+' "$key"
+}
+
+save_json() {
+  local name="$1"
+  local payload="$2"
+  mkdir -p "$ARTIFACT_DIR"
+  printf '%s\n' "$payload" > "$ARTIFACT_DIR/$name.json"
+}
+
+curl_json() {
+  local method="$1"
+  local path="$2"
+  local payload="${3:-}"
+  local url="${CRM_BASE_URL%/}$path"
+  if [[ "$DRY_RUN" == "1" ]]; then
+    echo "[dry-run] $method $url" >&2
+    if [[ -n "$payload" ]]; then
+      printf '%s\n' "$payload" > /dev/stderr
+    fi
+    printf '{"dry_run":true,"method":"%s","url":"%s"}\n' "$method" "$url"
+    return 0
+  fi
+  if [[ -n "$payload" ]]; then
+    curl -fsS -X "$method" \
+      -H "Authorization: Bearer $CRM_ADMIN_TOKEN" \
+      -H 'Content-Type: application/json' \
+      "$url" \
+      -d "$payload"
+  else
+    curl -fsS -X "$method" \
+      -H "Authorization: Bearer $CRM_ADMIN_TOKEN" \
+      "$url"
+  fi
+}
+
+build_host_auth_payload() {
+  python3 - <<'PY'
+import json, os
+host_type = os.environ['HOST_AUTH_TYPE']
+host_token = os.environ['HOST_AUTH_TOKEN']
+print(json.dumps({"type": host_type, "token": host_token}, ensure_ascii=False))
+PY
+}
+
+build_host_credentials_payload() {
+  python3 - <<'PY'
+import json, os
+payload = {
+    "host_base_url": os.environ["HOST_BASE_URL"],
+    "pack_path": os.environ["PACK_PATH"],
+    "provider_id": os.environ["PROVIDER_ID"],
+}
+if os.environ.get("HOST_API_KEY"):
+    payload["host_api_key"] = os.environ["HOST_API_KEY"]
+if os.environ.get("HOST_BEARER_TOKEN"):
+    payload["host_bearer_token"] = os.environ["HOST_BEARER_TOKEN"]
+if os.environ.get("ACCESS_API_KEY"):
+    payload["access_api_key"] = os.environ["ACCESS_API_KEY"]
+if os.environ.get("ACCESS_MODE"):
+    payload["access_mode"] = os.environ["ACCESS_MODE"]
+if os.environ.get("MODE"):
+    payload["mode"] = os.environ["MODE"]
+if os.environ.get("SUBSCRIPTION_DAYS"):
+    payload["subscription_days"] = int(os.environ["SUBSCRIPTION_DAYS"])
+if os.environ.get("SUBSCRIPTION_USERS"):
+    payload["subscription_users"] = [x.strip() for x in os.environ["SUBSCRIPTION_USERS"].split(',') if x.strip()]
+if os.environ.get("KEYS"):
+    payload["keys"] = [x.strip() for x in os.environ["KEYS"].split(',') if x.strip()]
+print(json.dumps(payload, ensure_ascii=False))
+PY
+}
+
+require_var CRM_BASE_URL
+require_var CRM_ADMIN_TOKEN
+require_var HOST_NAME
+require_var HOST_BASE_URL
+require_var PACK_PATH
+require_var PROVIDER_ID
+
+MODE="${MODE:-partial}"
+ACCESS_MODE="${ACCESS_MODE:-self_service}"
+SUBSCRIPTION_DAYS="${SUBSCRIPTION_DAYS:-30}"
+
+if [[ -n "${HOST_BEARER_TOKEN:-}" ]]; then
+  HOST_AUTH_TYPE="${HOST_AUTH_TYPE:-bearer}"
+  HOST_AUTH_TOKEN="${HOST_AUTH_TOKEN:-$HOST_BEARER_TOKEN}"
+elif [[ -n "${HOST_API_KEY:-}" ]]; then
+  HOST_AUTH_TYPE="${HOST_AUTH_TYPE:-apikey}"
+  HOST_AUTH_TOKEN="${HOST_AUTH_TOKEN:-$HOST_API_KEY}"
+else
+  echo "missing host credential: set HOST_API_KEY or HOST_BEARER_TOKEN" >&2
+  exit 1
+fi
+
+export CRM_BASE_URL CRM_ADMIN_TOKEN HOST_NAME HOST_BASE_URL PACK_PATH PROVIDER_ID
+export HOST_AUTH_TYPE HOST_AUTH_TOKEN MODE ACCESS_MODE SUBSCRIPTION_DAYS
+export HOST_API_KEY HOST_BEARER_TOKEN ACCESS_API_KEY SUBSCRIPTION_USERS KEYS
+
+mkdir -p "$ARTIFACT_DIR"
+echo "artifacts: $ARTIFACT_DIR"
+
+HOST_AUTH_JSON="$(build_host_auth_payload)"
+export HOST_AUTH_JSON
+CREATE_HOST_PAYLOAD="$(python3 - <<'PY'
+import json, os
+host_auth = json.loads(os.environ['HOST_AUTH_JSON'])
+print(json.dumps({
+    'name': os.environ['HOST_NAME'],
+    'base_url': os.environ['HOST_BASE_URL'],
+    'auth': host_auth,
+}, ensure_ascii=False))
+PY
+)"
+
+if RESP_EXISTING_HOST="$(curl_json GET "/api/hosts/$HOST_NAME" 2>/dev/null)"; then
+  RESP_CREATE_HOST="$RESP_EXISTING_HOST"
+else
+  RESP_CREATE_HOST="$(curl_json POST /api/hosts "$CREATE_HOST_PAYLOAD")"
+fi
+save_json 01-create-host "$RESP_CREATE_HOST"
+HOST_ID="$(printf '%s' "$RESP_CREATE_HOST" | json_get host_id || true)"
+HOST_ID="${HOST_ID:-$HOST_NAME}"
+
+echo "host_id=$HOST_ID"
+
+PROBE_PAYLOAD="$(python3 - <<'PY'
+import json, os
+print(json.dumps({'auth': json.loads(os.environ['HOST_AUTH_JSON'])}, ensure_ascii=False))
+PY
+)"
+RESP_PROBE="$(curl_json POST "/api/hosts/$HOST_ID/probe" "$PROBE_PAYLOAD")"
+save_json 02-probe-host "$RESP_PROBE"
+
+INSTALL_PAYLOAD="$(python3 - <<'PY'
+import json, os
+payload = {
+    'host_base_url': os.environ['HOST_BASE_URL'],
+    'pack_path': os.environ['PACK_PATH'],
+}
+if os.environ.get('HOST_API_KEY'):
+    payload['host_api_key'] = os.environ['HOST_API_KEY']
+if os.environ.get('HOST_BEARER_TOKEN'):
+    payload['host_bearer_token'] = os.environ['HOST_BEARER_TOKEN']
+print(json.dumps(payload, ensure_ascii=False))
+PY
+)"
+RESP_INSTALL="$(curl_json POST /api/packs/install "$INSTALL_PAYLOAD")"
+save_json 03-install-pack "$RESP_INSTALL"
+
+PREVIEW_PAYLOAD="$(python3 - <<'PY'
+import json, os
+payload = {
+    "host_base_url": os.environ["HOST_BASE_URL"],
+    "pack_path": os.environ["PACK_PATH"],
+    "provider_id": os.environ["PROVIDER_ID"],
+    "mode": os.environ.get("MODE", "partial"),
+}
+if os.environ.get("HOST_API_KEY"):
+    payload["host_api_key"] = os.environ["HOST_API_KEY"]
+if os.environ.get("HOST_BEARER_TOKEN"):
+    payload["host_bearer_token"] = os.environ["HOST_BEARER_TOKEN"]
+if os.environ.get("KEYS"):
+    payload["keys"] = [x.strip() for x in os.environ["KEYS"].split(',') if x.strip()]
+print(json.dumps(payload, ensure_ascii=False))
+PY
+)"
+RESP_PREVIEW="$(curl_json POST "/api/providers/$PROVIDER_ID/preview-import" "$PREVIEW_PAYLOAD")"
+save_json 04-preview-import "$RESP_PREVIEW"
+
+IMPORT_PAYLOAD="$(build_host_credentials_payload)"
+RESP_IMPORT="$(curl_json POST "/api/providers/$PROVIDER_ID/import" "$IMPORT_PAYLOAD")"
+save_json 05-import "$RESP_IMPORT"
+BATCH_ID="$(printf '%s' "$RESP_IMPORT" | json_get batch_id || true)"
+
+echo "batch_id=${BATCH_ID:-unknown}"
+
+ACCESS_PREVIEW_PAYLOAD="$(python3 - <<'PY'
+import json, os
+payload = {
+    'provider_id': os.environ['PROVIDER_ID'],
+    'mode': os.environ.get('ACCESS_MODE', 'self_service'),
+}
+print(json.dumps(payload, ensure_ascii=False))
+PY
+)"
+RESP_ACCESS_PREVIEW="$(curl_json POST "/api/providers/$PROVIDER_ID/access/preview" "$ACCESS_PREVIEW_PAYLOAD")"
+save_json 06-access-preview "$RESP_ACCESS_PREVIEW"
+
+RESP_ACCESS_STATUS="$(curl_json GET "/api/providers/$PROVIDER_ID/access/status")"
+save_json 07-access-status "$RESP_ACCESS_STATUS"
+
+RESP_PROVIDER_STATUS="$(curl_json GET "/api/providers/$PROVIDER_ID/status")"
+save_json 08-provider-status "$RESP_PROVIDER_STATUS"
+
+RECONCILE_PAYLOAD="$(python3 - <<'PY'
+import json, os
+payload = {
+    "host_base_url": os.environ["HOST_BASE_URL"],
+    "pack_path": os.environ["PACK_PATH"],
+    "provider_id": os.environ["PROVIDER_ID"],
+}
+if os.environ.get("HOST_API_KEY"):
+    payload["host_api_key"] = os.environ["HOST_API_KEY"]
+if os.environ.get("HOST_BEARER_TOKEN"):
+    payload["host_bearer_token"] = os.environ["HOST_BEARER_TOKEN"]
+if os.environ.get("ACCESS_API_KEY"):
+    payload["access_api_key"] = os.environ["ACCESS_API_KEY"]
+print(json.dumps(payload, ensure_ascii=False))
+PY
+)"
+RESP_RECONCILE="$(curl_json POST "/api/providers/$PROVIDER_ID/reconcile" "$RECONCILE_PAYLOAD")"
+save_json 09-reconcile "$RESP_RECONCILE"
+
+if [[ -n "$BATCH_ID" && "$DRY_RUN" != "1" ]]; then
+  RESP_BATCH_DETAIL="$(curl_json GET "/api/import-batches/$BATCH_ID")"
+  save_json 10-batch-detail "$RESP_BATCH_DETAIL"
+fi
+
+if [[ "$SKIP_ROLLBACK" != "1" && -n "$BATCH_ID" ]]; then
+  ROLLBACK_PAYLOAD="$(python3 - <<'PY'
+import json, os
+print(json.dumps({'auth': json.loads(os.environ['HOST_AUTH_JSON'])}, ensure_ascii=False))
+PY
+)"
+  RESP_ROLLBACK="$(curl_json POST "/api/import-batches/$BATCH_ID/rollback" "$ROLLBACK_PAYLOAD")"
+  save_json 11-rollback "$RESP_ROLLBACK"
+fi
+
+echo "acceptance flow completed"