fix(protocol-matrix): restore live probe auth header
Some checks failed
CI / Quality Gates (push) Has been cancelled
CI / Lint (push) Has been cancelled
CI / Security Scan (push) Has been cancelled
CI / Docker Build (push) Has been cancelled
CI / Build & Test (push) Has been cancelled
CI / Release (push) Has been cancelled

This commit is contained in:
phamnazage-jpg
2026-06-11 21:52:24 +08:00
parent 47ced19c7b
commit bdfbaff2a7
6 changed files with 80 additions and 24 deletions

@@ -24,28 +24,20 @@
- 本地已完成并验证的整改:
- `/v1/chat/completions` 上游失败不再包装成 `200/ok`
- `allowed_models` 已在公网 chat 入口强制校验
- `expires_at` 已在公网 chat 入口强制校验
- 成功 chat 后会更新 `last_used_at`
- `pause` handler 已接入请求体 `reason`
- 同一 `subject + logical_group` 不再复用同一宿主 key现改为每条 key record 持久化独立 `managed_identity_selector``create/reset/pause/resume` 走当前 selector
- 新增 migration`internal/store/migrations/0016_user_keys_managed_identity_selector.sql`
- 本地验证2026-06-08 当前运行):
- `gofmt -w` 目标文件通过
- `go vet ./...` 通过
- `go test ./internal/app ./internal/store/sqlite ./tests/integration/... -count=1` 通过
- 当前线上阻塞
- **已解决** (2025-06-09): vNext.4 Trusted-Subject 安全链实施完成
- 新文件: `internal/app/portal_auth.go` - Portal user session 认证模块
- 变更: `http_api.go`, `bootstrap.go`, `.env.example`, `nginx.sub.tksea.top.conf.example`
- 前端: `index.html` 添加 CRM session 登录/登出
- 文档: `docs/TRUSTED_SUBJECT_DEPLOY_GUIDE.md` 完整部署指南
- 本地验证: `go test ./internal/app -run TestPortal` 全部通过
- **待 remote43 部署**:
- 需更新 nginx 配置(添加 cookie-to-header map
- 需更新 `.env.crm`(配置 TRUSTED\_\* 环境变量)
- 需生成并同步 64 字符 hex secret
- 详见部署指南文档
- user key `allowed_models` / `expires_at` / `last_used_at` / `pause reason` 已进入真实调用链
- `subject + logical_group` 的多条 key record 已改为独立 `managed_identity_selector`
- Portal admin 本地配置默认只保留非敏感字段;旧 localStorage 敏感脏数据会在读取时自动剔除
- managed subscription identity 已加入宿主管理凭证派生 secret salt不再只由 `selector + groupID` 可预测重建
- CI 继续以 `scripts/test/verify_quality_gates.sh` 为主门禁Docker 健康契约已移除 `--version || true` 假验证portal 部署脚本必须显式加载 `scripts/deploy/.env.deploy`
- 最新本地验证证据:
- `bash scripts/test/test_tksea_portal_assets.sh` → PASS
- `bash scripts/test/verify_quality_gates.sh` → PASS
- `go test ./internal/host/sub2api -run 'Test(EnsureSubscriptionAccessManagedProbeWithMock|PauseResumeManagedSubscriptionAccessWithMock|BuildManagedSubscriptionIdentityUsesSecretSalt)' -count=1` → PASS
- `go test ./internal/store/sqlite -run 'TestUserKeysRepo(UpdateSecret|RejectsMalformedAllowedModelsJSON)' -count=1` → PASS
- 当前仍有两个未闭环缺口:线上 trusted-subject/user-key 真验,以及 High-6 更强秘密模型未落地
- remote43 trusted-subject 生产改链已落地,但公网 create/chat/pause/resume/delete 真验尚未完成
- 仓内 nginx 示例/部署指南已修正为 `$cookie_crm_subject`;旧的 `crm_session -> subject` 方案已判定为错误
- High-6 当前仅收敛到“宿主管理凭证 salt”阶段未达到随机秘密持久化
## 2026-06-05 vNext.2 / V2-4 真实闭环
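Review bot: the "已解决" entry for the vNext.4 Trusted-Subject chain is dated `2025-06-09`, while every neighbouring entry in this block is dated 2026 (local verification `2026-06-08`, the commit itself 2026-06-11), so this reads as a typo for `2026-06-09`; a wrong year in a running status log makes the order of fixes unrecoverable later, so please correct it. The bullet saying the managed subscription identity "不再只由 selector + groupID 可预测重建" should also be read together with the High-6 line further down, which states the secret model has only reached the "宿主管理凭证 salt" stage and not random persisted secrets: a salt derived from a long-lived admin credential is still reproducible by anyone holding that credential, so consider cross-referencing the two bullets so the first is not mistaken for closure of High-6. Several list items in this hunk also lost their separators (for example the unclosed "(添加 cookie-to-header map" and the missing colon after "新增 migration"), which is worth tidying since this file is the deployment record.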
@@ -3141,3 +3133,10 @@
- 本轮新增发现:
- `kimi-a7m``asxs` 在“本机直连协议层”上都能返回 `responses=200`,因此此前的阻塞不应再被笼统表述为“协议不支持”;更可能是生产宿主出口、供应商运行状态或接入路径问题
- `deepseek-chat-official``models_has_smoke_model=false`,说明 `/v1/models` 返回集合与 `smoke_test_model=deepseek-chat` 存在命名/别名差异;后续 model pool 设计必须显式区分“可调用模型名”和“models 列表曝光名”
- 2026-06-11 live probe 修复与复验:
- 根因已确认:`scripts/acceptance/verify_host_protocol_matrix.sh` 之前把脱敏值 `Authorization: Bearer ***` 直接发给 upstream导致 live probe 假性 `401/auth_failed`
- 修复后真实请求改为发送 `Bearer <api_key>`artifact 里的 `request_headers.txt` 仍保持 `***` 脱敏
- 回归门禁已补强:`scripts/test/test_host_protocol_matrix_script.sh` 现在会在 fake curl 收到脱敏 Authorization 头时直接失败
- 新证据:`artifacts/host-capability/20260611_203027-live-fixcheck/protocol-matrix-summary.json`
- 当前真实结果:`minimax-m2-7-official` 已从假性 `401/auth_failed` 收敛为真实 upstream 状态 `models=200, chat=429, responses=500, error_code=rate_limited`
- 结论host protocol matrix 的 live probe 路径已恢复可信;剩余未绿是上游 key/quota 状态,不是脚本探测链路
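Review bot: the strengthened regression gate only covers one direction of the fix (the fake curl must not receive the redacted `Bearer ***` header); nothing in this hunk says the test also checks that the artifact `request_headers.txt` still contains `***` and never the real key, and now that `scripts/acceptance/verify_host_protocol_matrix.sh` holds both the real and the redacted header that inverse leak is the new risk. Add an assertion to `scripts/test/test_host_protocol_matrix_script.sh` that greps the generated artifact for the test key value and fails if it appears. Separately, collapsing `chat=429, responses=500` into a single `error_code=rate_limited` hides the `responses=500`, which is an upstream server error rather than a quota signal; the stated conclusion that the remaining red is only upstream key/quota state is supported for the 429 path but not yet for the 500 one.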