scripts/supply-gate/sup007_boundary.sh

#!/usr/bin/env bash
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
# shellcheck disable=SC1091
source "${SCRIPT_DIR}/common.sh" "${1:-}"

require_bin curl
require_bin jq
require_var API_BASE_URL
require_var OWNER_BEARER_TOKEN

ART_DIR="$(init_artifact_dir "sup007")"

# 1) 平台凭证主路径访问（应可用）
MAIN_RESP="$(curl_json POST "${API_BASE_URL}/api/v1/chat/completions" "${OWNER_BEARER_TOKEN}" '{"model":"gpt-4o","messages":[{"role":"user","content":"ping"}]}')"
echo "${MAIN_RESP}" > "${ART_DIR}/01_main_path_with_platform_token.json"

# 2) 外部 query key 请求（应被拒绝）
set +e
QUERY_RESP="$(curl -sS -w "\nHTTP_STATUS:%{http_code}\n" \
  "${API_BASE_URL}/v1beta/models?key=test-query-key" 2>&1)"
set -e
echo "${QUERY_RESP}" > "${ART_DIR}/02_external_query_key_attempt.txt"

# 3) 可选：直连上游探测（应失败/阻断）
if [[ -n "${SUPPLIER_DIRECT_TEST_URL:-}" ]]; then
  set +e
  DIRECT_RESP="$(curl -sS -m 8 -w "\nHTTP_STATUS:%{http_code}\n" "${SUPPLIER_DIRECT_TEST_URL}" 2>&1)"
  set -e
  echo "${DIRECT_RESP}" > "${ART_DIR}/03_direct_supplier_probe.txt"
fi

# 4) 响应样本脱敏扫描（简单规则）
SCAN_TARGETS=("${ART_DIR}/01_main_path_with_platform_token.json" "${ART_DIR}/02_external_query_key_attempt.txt")
if [[ -n "${SUPPLIER_DIRECT_TEST_URL:-}" ]]; then
  SCAN_TARGETS+=("${ART_DIR}/03_direct_supplier_probe.txt")
fi

LEAK_COUNT=0
for f in "${SCAN_TARGETS[@]}"; do
  if grep -Eiq "(sk-[A-Za-z0-9]{10,}|api[_-]?key[\"'= :]+[A-Za-z0-9_-]{8,}|Bearer [A-Za-z0-9._-]{20,})" "${f}"; then
    echo "sensitive pattern found in ${f}" >> "${ART_DIR}/04_redaction_scan.txt"
    LEAK_COUNT=$((LEAK_COUNT + 1))
  fi
done

if [[ "${LEAK_COUNT}" -eq 0 ]]; then
  echo "redaction scan passed" > "${ART_DIR}/04_redaction_scan.txt"
fi

cat > "${ART_DIR}/summary.txt" <<EOF
SUP-007 boundary checks executed.
artifacts:
  ${ART_DIR}/01_main_path_with_platform_token.json
  ${ART_DIR}/02_external_query_key_attempt.txt
  ${ART_DIR}/04_redaction_scan.txt
optional:
  ${ART_DIR}/03_direct_supplier_probe.txt
leak_count=${LEAK_COUNT}
EOF

echo "done: ${ART_DIR}"
chore: initial public snapshot for github upload 2026-03-26 20:06:14 +08:00			`#!/usr/bin/env bash`
			`set -euo pipefail`

			`SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"`
			`# shellcheck disable=SC1091`
			`source "${SCRIPT_DIR}/common.sh" "${1:-}"`

			`require_bin curl`
			`require_bin jq`
			`require_var API_BASE_URL`
			`require_var OWNER_BEARER_TOKEN`

			`ART_DIR="$(init_artifact_dir "sup007")"`

			`# 1) 平台凭证主路径访问（应可用）`
			`MAIN_RESP="$(curl_json POST "${API_BASE_URL}/api/v1/chat/completions" "${OWNER_BEARER_TOKEN}" '{"model":"gpt-4o","messages":[{"role":"user","content":"ping"}]}')"`
			`echo "${MAIN_RESP}" > "${ART_DIR}/01_main_path_with_platform_token.json"`

			`# 2) 外部 query key 请求（应被拒绝）`
			`set +e`
			`QUERY_RESP="$(curl -sS -w "\nHTTP_STATUS:%{http_code}\n" \`
			`"${API_BASE_URL}/v1beta/models?key=test-query-key" 2>&1)"`
			`set -e`
			`echo "${QUERY_RESP}" > "${ART_DIR}/02_external_query_key_attempt.txt"`

			`# 3) 可选：直连上游探测（应失败/阻断）`
			`if [[ -n "${SUPPLIER_DIRECT_TEST_URL:-}" ]]; then`
			`set +e`
			`DIRECT_RESP="$(curl -sS -m 8 -w "\nHTTP_STATUS:%{http_code}\n" "${SUPPLIER_DIRECT_TEST_URL}" 2>&1)"`
			`set -e`
			`echo "${DIRECT_RESP}" > "${ART_DIR}/03_direct_supplier_probe.txt"`
			`fi`

			`# 4) 响应样本脱敏扫描（简单规则）`
			`SCAN_TARGETS=("${ART_DIR}/01_main_path_with_platform_token.json" "${ART_DIR}/02_external_query_key_attempt.txt")`
			`if [[ -n "${SUPPLIER_DIRECT_TEST_URL:-}" ]]; then`
			`SCAN_TARGETS+=("${ART_DIR}/03_direct_supplier_probe.txt")`
			`fi`

			`LEAK_COUNT=0`
			`for f in "${SCAN_TARGETS[@]}"; do`
			`if grep -Eiq "(sk-[A-Za-z0-9]{10,}\|api[_-]?key[\"'= :]+[A-Za-z0-9_-]{8,}\|Bearer [A-Za-z0-9._-]{20,})" "${f}"; then`
			`echo "sensitive pattern found in ${f}" >> "${ART_DIR}/04_redaction_scan.txt"`
			`LEAK_COUNT=$((LEAK_COUNT + 1))`
			`fi`
			`done`

			`if [[ "${LEAK_COUNT}" -eq 0 ]]; then`
			`echo "redaction scan passed" > "${ART_DIR}/04_redaction_scan.txt"`
			`fi`

			`cat > "${ART_DIR}/summary.txt" <<EOF`
			`SUP-007 boundary checks executed.`
			`artifacts:`
			`${ART_DIR}/01_main_path_with_platform_token.json`
			`${ART_DIR}/02_external_query_key_attempt.txt`
			`${ART_DIR}/04_redaction_scan.txt`
			`optional:`
			`${ART_DIR}/03_direct_supplier_probe.txt`
			`leak_count=${LEAK_COUNT}`
			`EOF`

			`echo "done: ${ART_DIR}"`