chore: initial public snapshot for github upload

scripts/supply-gate/.env.example

@@ -0,0 +1,14 @@
+API_BASE_URL="https://staging.example.com"
+OWNER_BEARER_TOKEN="replace-me-owner-token"
+VIEWER_BEARER_TOKEN="replace-me-viewer-token"
+ADMIN_BEARER_TOKEN="replace-me-admin-token"
+
+TEST_PROVIDER="openai"
+TEST_MODEL="gpt-4o"
+TEST_ACCOUNT_ALIAS="sup_acc_cmd"
+TEST_CREDENTIAL_INPUT="sk-test-replace-me"
+TEST_PAYMENT_METHOD="alipay"
+TEST_PAYMENT_ACCOUNT="tester@example.com"
+TEST_SMS_CODE="123456"
+
+SUPPLIER_DIRECT_TEST_URL=""

scripts/supply-gate/common.sh

@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+ENV_FILE_DEFAULT="${ROOT_DIR}/scripts/supply-gate/.env"
+ENV_FILE="${1:-${ENV_FILE_DEFAULT}}"
+
+if [[ ! -f "${ENV_FILE}" ]]; then
+  echo "missing env file: ${ENV_FILE}"
+  echo "copy scripts/supply-gate/.env.example to scripts/supply-gate/.env and edit it."
+  exit 1
+fi
+
+# shellcheck disable=SC1090
+source "${ENV_FILE}"
+
+require_bin() {
+  local b="$1"
+  if ! command -v "${b}" >/dev/null 2>&1; then
+    echo "missing required binary: ${b}"
+    exit 1
+  fi
+}
+
+require_var() {
+  local n="$1"
+  if [[ -z "${!n:-}" ]]; then
+    echo "missing required env var: ${n}"
+    exit 1
+  fi
+}
+
+json_get() {
+  local expr="$1"
+  jq -r "${expr} // empty"
+}
+
+init_artifact_dir() {
+  local case_id="$1"
+  local dir="${ROOT_DIR}/tests/supply/artifacts/${case_id}"
+  mkdir -p "${dir}"
+  echo "${dir}"
+}
+
+curl_json() {
+  local method="$1"
+  local url="$2"
+  local token="$3"
+  local data="${4:-}"
+  if [[ -n "${data}" ]]; then
+    curl -sS -X "${method}" \
+      -H "Authorization: Bearer ${token}" \
+      -H "Content-Type: application/json" \
+      -d "${data}" \
+      "${url}"
+  else
+    curl -sS -X "${method}" \
+      -H "Authorization: Bearer ${token}" \
+      "${url}"
+  fi
+}

scripts/supply-gate/run_all.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+ENV_FILE="${1:-${SCRIPT_DIR}/.env}"
+
+bash "${SCRIPT_DIR}/sup004_accounts.sh" "${ENV_FILE}"
+bash "${SCRIPT_DIR}/sup005_packages.sh" "${ENV_FILE}"
+bash "${SCRIPT_DIR}/sup006_settlements.sh" "${ENV_FILE}"
+bash "${SCRIPT_DIR}/sup007_boundary.sh" "${ENV_FILE}"
+
+echo "SUP-004~SUP-007 scripts finished."
+echo "next: fill reports in tests/supply/*.md and reports/supply_gate_review_2026-03-31.md"

scripts/supply-gate/sup004_accounts.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+# shellcheck disable=SC1091
+source "${SCRIPT_DIR}/common.sh" "${1:-}"
+
+require_bin curl
+require_bin jq
+require_var API_BASE_URL
+require_var OWNER_BEARER_TOKEN
+require_var TEST_PROVIDER
+require_var TEST_CREDENTIAL_INPUT
+
+ART_DIR="$(init_artifact_dir "sup004")"
+
+VERIFY_REQ="$(jq -n \
+  --arg p "${TEST_PROVIDER}" \
+  --arg ct "api_key" \
+  --arg cred "${TEST_CREDENTIAL_INPUT}" \
+  '{provider:$p,account_type:$ct,credential_input:$cred}')"
+
+VERIFY_RESP="$(curl_json POST "${API_BASE_URL}/api/v1/supply/accounts/verify" "${OWNER_BEARER_TOKEN}" "${VERIFY_REQ}")"
+echo "${VERIFY_RESP}" > "${ART_DIR}/01_verify.json"
+
+CREATE_REQ="$(jq -n \
+  --arg p "${TEST_PROVIDER}" \
+  --arg ct "api_key" \
+  --arg cred "${TEST_CREDENTIAL_INPUT}" \
+  --arg alias "${TEST_ACCOUNT_ALIAS:-sup_acc_cmd}" \
+  '{provider:$p,account_type:$ct,credential_input:$cred,account_alias:$alias,risk_ack:true}')"
+
+CREATE_RESP="$(curl_json POST "${API_BASE_URL}/api/v1/supply/accounts" "${OWNER_BEARER_TOKEN}" "${CREATE_REQ}")"
+echo "${CREATE_RESP}" > "${ART_DIR}/02_create.json"
+ACCOUNT_ID="$(echo "${CREATE_RESP}" | json_get '.data.account_id')"
+
+if [[ -z "${ACCOUNT_ID}" ]]; then
+  echo "create account failed: missing account_id"
+  exit 1
+fi
+
+ACTIVATE_RESP="$(curl_json POST "${API_BASE_URL}/api/v1/supply/accounts/${ACCOUNT_ID}/activate" "${OWNER_BEARER_TOKEN}")"
+echo "${ACTIVATE_RESP}" > "${ART_DIR}/03_activate.json"
+
+SUSPEND_RESP="$(curl_json POST "${API_BASE_URL}/api/v1/supply/accounts/${ACCOUNT_ID}/suspend" "${OWNER_BEARER_TOKEN}")"
+echo "${SUSPEND_RESP}" > "${ART_DIR}/04_suspend.json"
+
+AUDIT_RESP="$(curl_json GET "${API_BASE_URL}/api/v1/supply/accounts/${ACCOUNT_ID}/audit-logs?page=1&page_size=20" "${OWNER_BEARER_TOKEN}")"
+echo "${AUDIT_RESP}" > "${ART_DIR}/05_audit_logs.json"
+
+cat > "${ART_DIR}/summary.txt" <<EOF
+SUP-004 account flow executed.
+account_id=${ACCOUNT_ID}
+artifacts:
+  ${ART_DIR}/01_verify.json
+  ${ART_DIR}/02_create.json
+  ${ART_DIR}/03_activate.json
+  ${ART_DIR}/04_suspend.json
+  ${ART_DIR}/05_audit_logs.json
+EOF
+
+echo "done: ${ART_DIR}"

scripts/supply-gate/sup005_packages.sh

@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+# shellcheck disable=SC1091
+source "${SCRIPT_DIR}/common.sh" "${1:-}"
+
+require_bin curl
+require_bin jq
+require_var API_BASE_URL
+require_var OWNER_BEARER_TOKEN
+require_var TEST_PROVIDER
+require_var TEST_MODEL
+require_var TEST_CREDENTIAL_INPUT
+
+ART_DIR="$(init_artifact_dir "sup005")"
+
+# ensure an account exists
+CREATE_ACC_REQ="$(jq -n \
+  --arg p "${TEST_PROVIDER}" \
+  --arg ct "api_key" \
+  --arg cred "${TEST_CREDENTIAL_INPUT}" \
+  '{provider:$p,account_type:$ct,credential_input:$cred,account_alias:"sup_pkg_acc",risk_ack:true}')"
+CREATE_ACC_RESP="$(curl_json POST "${API_BASE_URL}/api/v1/supply/accounts" "${OWNER_BEARER_TOKEN}" "${CREATE_ACC_REQ}")"
+echo "${CREATE_ACC_RESP}" > "${ART_DIR}/00_create_account.json"
+ACCOUNT_ID="$(echo "${CREATE_ACC_RESP}" | json_get '.data.account_id')"
+if [[ -z "${ACCOUNT_ID}" ]]; then
+  echo "failed to create account for package flow"
+  exit 1
+fi
+
+DRAFT_REQ="$(jq -n \
+  --argjson sid "${ACCOUNT_ID}" \
+  --arg model "${TEST_MODEL}" \
+  '{supply_account_id:$sid,model:$model,total_quota:1000,price_per_1m_input:5,price_per_1m_output:10,valid_days:30,max_concurrent:10,rate_limit_rpm:60}')"
+
+DRAFT_RESP="$(curl_json POST "${API_BASE_URL}/api/v1/supply/packages/draft" "${OWNER_BEARER_TOKEN}" "${DRAFT_REQ}")"
+echo "${DRAFT_RESP}" > "${ART_DIR}/01_draft.json"
+PACKAGE_ID="$(echo "${DRAFT_RESP}" | json_get '.data.package_id')"
+if [[ -z "${PACKAGE_ID}" ]]; then
+  echo "failed to create package draft"
+  exit 1
+fi
+
+PUBLISH_RESP="$(curl_json POST "${API_BASE_URL}/api/v1/supply/packages/${PACKAGE_ID}/publish" "${OWNER_BEARER_TOKEN}")"
+echo "${PUBLISH_RESP}" > "${ART_DIR}/02_publish.json"
+
+PAUSE_RESP="$(curl_json POST "${API_BASE_URL}/api/v1/supply/packages/${PACKAGE_ID}/pause" "${OWNER_BEARER_TOKEN}")"
+echo "${PAUSE_RESP}" > "${ART_DIR}/03_pause.json"
+
+UNLIST_RESP="$(curl_json POST "${API_BASE_URL}/api/v1/supply/packages/${PACKAGE_ID}/unlist" "${OWNER_BEARER_TOKEN}")"
+echo "${UNLIST_RESP}" > "${ART_DIR}/04_unlist.json"
+
+BATCH_REQ="$(jq -n \
+  --argjson pid "${PACKAGE_ID}" \
+  '{items:[{package_id:$pid,price_per_1m_input:6,price_per_1m_output:12}]}')"
+BATCH_RESP="$(curl_json POST "${API_BASE_URL}/api/v1/supply/packages/batch-price" "${OWNER_BEARER_TOKEN}" "${BATCH_REQ}")"
+echo "${BATCH_RESP}" > "${ART_DIR}/05_batch_price.json"
+
+CLONE_RESP="$(curl_json POST "${API_BASE_URL}/api/v1/supply/packages/${PACKAGE_ID}/clone" "${OWNER_BEARER_TOKEN}")"
+echo "${CLONE_RESP}" > "${ART_DIR}/06_clone.json"
+CLONE_ID="$(echo "${CLONE_RESP}" | json_get '.data.package_id')"
+
+cat > "${ART_DIR}/summary.txt" <<EOF
+SUP-005 package flow executed.
+account_id=${ACCOUNT_ID}
+package_id=${PACKAGE_ID}
+clone_package_id=${CLONE_ID}
+artifacts:
+  ${ART_DIR}/01_draft.json
+  ${ART_DIR}/02_publish.json
+  ${ART_DIR}/03_pause.json
+  ${ART_DIR}/04_unlist.json
+  ${ART_DIR}/05_batch_price.json
+  ${ART_DIR}/06_clone.json
+EOF
+
+echo "done: ${ART_DIR}"

scripts/supply-gate/sup006_settlements.sh

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+# shellcheck disable=SC1091
+source "${SCRIPT_DIR}/common.sh" "${1:-}"
+
+require_bin curl
+require_bin jq
+require_var API_BASE_URL
+require_var OWNER_BEARER_TOKEN
+require_var TEST_PAYMENT_METHOD
+require_var TEST_PAYMENT_ACCOUNT
+require_var TEST_SMS_CODE
+
+ART_DIR="$(init_artifact_dir "sup006")"
+
+BILLING_RESP="$(curl_json GET "${API_BASE_URL}/api/v1/supplier/billing?page=1&page_size=20" "${OWNER_BEARER_TOKEN}")"
+echo "${BILLING_RESP}" > "${ART_DIR}/01_billing.json"
+
+WITHDRAW_REQ="$(jq -n \
+  --arg pm "${TEST_PAYMENT_METHOD}" \
+  --arg pa "${TEST_PAYMENT_ACCOUNT}" \
+  --arg sms "${TEST_SMS_CODE}" \
+  '{withdraw_amount:10,payment_method:$pm,payment_account:$pa,sms_code:$sms}')"
+
+WITHDRAW_RESP="$(curl_json POST "${API_BASE_URL}/api/v1/supply/settlements/withdraw" "${OWNER_BEARER_TOKEN}" "${WITHDRAW_REQ}")"
+echo "${WITHDRAW_RESP}" > "${ART_DIR}/02_withdraw_create.json"
+SETTLEMENT_ID="$(echo "${WITHDRAW_RESP}" | json_get '.data.settlement_id')"
+if [[ -z "${SETTLEMENT_ID}" ]]; then
+  echo "failed to create settlement withdraw"
+  exit 1
+fi
+
+CANCEL_RESP="$(curl_json POST "${API_BASE_URL}/api/v1/supply/settlements/${SETTLEMENT_ID}/cancel" "${OWNER_BEARER_TOKEN}")"
+echo "${CANCEL_RESP}" > "${ART_DIR}/03_withdraw_cancel.json"
+
+STATEMENT_RESP="$(curl_json GET "${API_BASE_URL}/api/v1/supply/settlements/${SETTLEMENT_ID}/statement" "${OWNER_BEARER_TOKEN}")"
+echo "${STATEMENT_RESP}" > "${ART_DIR}/04_statement.json"
+
+EARNINGS_RESP="$(curl_json GET "${API_BASE_URL}/api/v1/supply/earnings/records?page=1&page_size=20" "${OWNER_BEARER_TOKEN}")"
+echo "${EARNINGS_RESP}" > "${ART_DIR}/05_earnings_records.json"
+
+cat > "${ART_DIR}/summary.txt" <<EOF
+SUP-006 settlement flow executed.
+settlement_id=${SETTLEMENT_ID}
+artifacts:
+  ${ART_DIR}/01_billing.json
+  ${ART_DIR}/02_withdraw_create.json
+  ${ART_DIR}/03_withdraw_cancel.json
+  ${ART_DIR}/04_statement.json
+  ${ART_DIR}/05_earnings_records.json
+EOF
+
+echo "done: ${ART_DIR}"

scripts/supply-gate/sup007_boundary.sh

@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+# shellcheck disable=SC1091
+source "${SCRIPT_DIR}/common.sh" "${1:-}"
+
+require_bin curl
+require_bin jq
+require_var API_BASE_URL
+require_var OWNER_BEARER_TOKEN
+
+ART_DIR="$(init_artifact_dir "sup007")"
+
+# 1) 平台凭证主路径访问（应可用）
+MAIN_RESP="$(curl_json POST "${API_BASE_URL}/api/v1/chat/completions" "${OWNER_BEARER_TOKEN}" '{"model":"gpt-4o","messages":[{"role":"user","content":"ping"}]}')"
+echo "${MAIN_RESP}" > "${ART_DIR}/01_main_path_with_platform_token.json"
+
+# 2) 外部 query key 请求（应被拒绝）
+set +e
+QUERY_RESP="$(curl -sS -w "\nHTTP_STATUS:%{http_code}\n" \
+  "${API_BASE_URL}/v1beta/models?key=test-query-key" 2>&1)"
+set -e
+echo "${QUERY_RESP}" > "${ART_DIR}/02_external_query_key_attempt.txt"
+
+# 3) 可选：直连上游探测（应失败/阻断）
+if [[ -n "${SUPPLIER_DIRECT_TEST_URL:-}" ]]; then
+  set +e
+  DIRECT_RESP="$(curl -sS -m 8 -w "\nHTTP_STATUS:%{http_code}\n" "${SUPPLIER_DIRECT_TEST_URL}" 2>&1)"
+  set -e
+  echo "${DIRECT_RESP}" > "${ART_DIR}/03_direct_supplier_probe.txt"
+fi
+
+# 4) 响应样本脱敏扫描（简单规则）
+SCAN_TARGETS=("${ART_DIR}/01_main_path_with_platform_token.json" "${ART_DIR}/02_external_query_key_attempt.txt")
+if [[ -n "${SUPPLIER_DIRECT_TEST_URL:-}" ]]; then
+  SCAN_TARGETS+=("${ART_DIR}/03_direct_supplier_probe.txt")
+fi
+
+LEAK_COUNT=0
+for f in "${SCAN_TARGETS[@]}"; do
+  if grep -Eiq "(sk-[A-Za-z0-9]{10,}|api[_-]?key[\"'= :]+[A-Za-z0-9_-]{8,}|Bearer [A-Za-z0-9._-]{20,})" "${f}"; then
+    echo "sensitive pattern found in ${f}" >> "${ART_DIR}/04_redaction_scan.txt"
+    LEAK_COUNT=$((LEAK_COUNT + 1))
+  fi
+done
+
+if [[ "${LEAK_COUNT}" -eq 0 ]]; then
+  echo "redaction scan passed" > "${ART_DIR}/04_redaction_scan.txt"
+fi
+
+cat > "${ART_DIR}/summary.txt" <<EOF
+SUP-007 boundary checks executed.
+artifacts:
+  ${ART_DIR}/01_main_path_with_platform_token.json
+  ${ART_DIR}/02_external_query_key_attempt.txt
+  ${ART_DIR}/04_redaction_scan.txt
+optional:
+  ${ART_DIR}/03_direct_supplier_probe.txt
+leak_count=${LEAK_COUNT}
+EOF
+
+echo "done: ${ART_DIR}"