fix: harden deepseek official remote43 import closure

scripts/import_remote43_provider.sh

@@ -9,6 +9,7 @@ key_file="${4:-}"
 ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 # shellcheck disable=SC1091
 source "$ROOT_DIR/scripts/host_access_prep_lib.sh"
+ARTIFACT_REDACTION_SCRIPT="$ROOT_DIR/scripts/artifact_redaction.py"
 
 KEY="${KEY:-/home/long/下载/zjsea.pem}"
 REMOTE="${REMOTE:-ubuntu@43.155.133.187}"
@@ -326,12 +327,11 @@ PY
   remote_pg_query "$sql" > "$output_path"
 }
 
-write_json_file "$ART/00-local-key-source.json" "$(python3 - <<'PY' "$key_source" "$provider_id" "$upstream_key"
+write_json_file "$ART/00-local-key-source.json" "$(python3 - <<'PY' "$ARTIFACT_REDACTION_SCRIPT" "$key_source" "$provider_id" "$upstream_key"
 import json, sys
-source, provider_id, key = sys.argv[1:4]
-from pathlib import Path
+redaction_script, source, provider_id, key = sys.argv[1:5]
 import subprocess
-result = subprocess.check_output([sys.executable, 'scripts/artifact_redaction.py', 'redact-key', key], text=True)
+result = subprocess.check_output([sys.executable, redaction_script, 'redact-key', key], text=True)
 redacted = json.loads(result)
 print(json.dumps({
   'source': source,
@@ -555,10 +555,10 @@ subscription_cache_key="$(build_subscription_billing_cache_key "$sub_uid" "$subs
 
 prep_sql="$(build_subscription_access_prep_sql "$sub_uid" "$sub_key" "$subscription_group_id" "$MIN_BALANCE" "$SUBSCRIPTION_DAYS" "$admin_uid" "$SUBSCRIPTION_NOTES")"
 remote_pg_exec "$prep_sql" > "$ART/06-subscription-access-prep.psql.txt"
-write_json_file "$ART/05-subscription-access-prep.summary.json" "$(python3 - <<'PY' "$sub_uid" "$subscription_group_id" "$MIN_BALANCE" "$SUBSCRIPTION_DAYS" "$sub_key"
+write_json_file "$ART/05-subscription-access-prep.summary.json" "$(python3 - <<'PY' "$ARTIFACT_REDACTION_SCRIPT" "$sub_uid" "$subscription_group_id" "$MIN_BALANCE" "$SUBSCRIPTION_DAYS" "$sub_key"
 import json, subprocess, sys
-sub_uid, group_id, min_balance, subscription_days, sub_key = sys.argv[1:6]
-redacted = json.loads(subprocess.check_output([sys.executable, 'scripts/artifact_redaction.py', 'redact-key', sub_key], text=True))
+redaction_script, sub_uid, group_id, min_balance, subscription_days, sub_key = sys.argv[1:7]
+redacted = json.loads(subprocess.check_output([sys.executable, redaction_script, 'redact-key', sub_key], text=True))
 print(json.dumps({
   'subscription_user_id_hash': __import__('hashlib').sha256(sub_uid.encode('utf-8')).hexdigest(),
   'subscription_group_id': int(group_id),

scripts/remote43_patched_stack_lib.sh

@@ -70,11 +70,14 @@ render_remote43_crm_env() {
   local crm_port="$1"
   local sqlite_dsn="$2"
   local admin_token="$3"
+  local sqlite_dsn_q admin_token_q
+  printf -v sqlite_dsn_q '%q' "$sqlite_dsn"
+  printf -v admin_token_q '%q' "$admin_token"
 
   cat <<EOF
 SUB2API_CRM_LISTEN_ADDR=127.0.0.1:$crm_port
-SUB2API_CRM_SQLITE_DSN=$sqlite_dsn
-SUB2API_CRM_ADMIN_TOKEN=$admin_token
+SUB2API_CRM_SQLITE_DSN=$sqlite_dsn_q
+SUB2API_CRM_ADMIN_TOKEN=$admin_token_q
 SUB2API_CRM_RECONCILE_WORKER_ENABLED=false
 EOF
 }

scripts/test_real_host_scripts.sh

@@ -686,7 +686,11 @@ run_test_remote43_patched_stack_renderers() {
   assert_contains "$host_env" "DATABASE_HOST=stack-pg"
   assert_contains "$host_env" "REDIS_HOST=stack-redis"
   assert_contains "$crm_env" "SUB2API_CRM_LISTEN_ADDR=127.0.0.1:18143"
+  assert_contains "$crm_env" "SUB2API_CRM_SQLITE_DSN="
   assert_contains "$crm_env" "SUB2API_CRM_ADMIN_TOKEN=crm-token"
+  local sourced_dsn
+  sourced_dsn="$(bash -lc 'set -a; source /dev/stdin; set +a; printf "%s" "$SUB2API_CRM_SQLITE_DSN"' <<<"$crm_env")"
+  [[ "$sourced_dsn" == "file:/tmp/sub2api.db?_foreign_keys=on" ]] || fail "crm env dsn did not survive bash source"
   assert_contains "$bootstrap" 'rm -f "$DATA_DIR/install.lock" "$DATA_DIR/config.yaml" "$DATA_DIR/.installed"'
   assert_contains "$bootstrap" '-v "$HOST_BINARY:/app/sub2api:ro"'
   assert_contains "$bootstrap" '-p "127.0.0.1:$HOST_PORT:$HOST_CONTAINER_PORT"'