fix(provision): harden batch scoping and remote43 import validation

scripts/test_real_host_scripts.sh

@@ -35,6 +35,14 @@ run_test_build_subscription_access_prep_sql() {
   local quoted_sql
   quoted_sql="$(build_bind_api_key_group_sql "sk-o'reilly" 7)"
   assert_contains "$quoted_sql" "WHERE key = 'sk-o''reilly'"
+
+  local auth_cache_key balance_cache_key subscription_cache_key
+  auth_cache_key="$(build_api_key_auth_cache_key 'user-key')"
+  balance_cache_key="$(build_user_balance_cache_key 42)"
+  subscription_cache_key="$(build_subscription_billing_cache_key 42 7)"
+  assert_contains "$auth_cache_key" "apikey:auth:"
+  assert_contains "$balance_cache_key" "billing:balance:42"
+  assert_contains "$subscription_cache_key" "billing:sub:42:7"
 }
 
 run_test_real_host_acceptance_after_import_hook() {
@@ -157,8 +165,8 @@ case "$cmd" in
   *"select k.key from users u join api_keys k on k.user_id=u.id"*)
     printf '%s\n' 'user-key'
     ;;
-  *"curl -sS -D /tmp/import_headers.txt"*"/api/providers/deepseek/import"*)
-    printf '%s\n' '{"batch_id":123,"batch_status":"partially_succeeded","access_status":"broken"}' > /tmp/import_body.json
+  *"/api/providers/deepseek/import"*)
+    printf '%s\n' '{"batch_id":123,"batch_status":"partially_succeeded","access_status":"broken","group":{"id":"7","name":"DeepSeek 默认分组"}}' > /tmp/import_body.json
     printf '%s\n' 'HTTP/1.1 200 OK' > /tmp/import_headers.txt
     ;;
   "cat /tmp/import_headers.txt")
@@ -167,8 +175,18 @@ case "$cmd" in
   "cat /tmp/import_body.json")
     cat /tmp/import_body.json
     ;;
-  *"curl -sS -H 'Authorization: Bearer *** http://127.0.0.1:18088/api/import-batches/123"*)
-    printf '%s\n' '{"managed_resources":[{"ResourceType":"group","HostResourceID":"7","ResourceName":"DeepSeek 默认分组"}]}'
+  *"/api/import-batches/123"*)
+    printf '%s\n' '{"managed_resources":[{"ResourceType":"account","HostResourceID":"8","ResourceName":"deepseek-01"}]}'
+    ;;
+  *"curl -sS -D /tmp/models_headers.txt"*)
+    printf '%s\n' 'HTTP/1.1 200 OK' > /tmp/models_headers.txt
+    printf '%s\n' '{"data":[{"id":"gpt-4"},{"id":"gpt-4.1"}]}' > /tmp/models_body.json
+    ;;
+  "cat /tmp/models_headers.txt")
+    cat /tmp/models_headers.txt
+    ;;
+  "cat /tmp/models_body.json")
+    cat /tmp/models_body.json
     ;;
   *"curl -sS -D /tmp/chat_headers.txt"*)
     printf '%s\n' 'HTTP/1.1 200 OK' > /tmp/chat_headers.txt
@@ -180,16 +198,16 @@ case "$cmd" in
   "cat /tmp/chat_body.json")
     cat /tmp/chat_body.json
     ;;
-  *"curl -sS -H 'Authorization: Bearer *** http://127.0.0.1:18088/api/providers/deepseek/status"*)
+  *"/api/providers/deepseek/status"*)
     printf '%s\n' '{"status":"ready"}'
     ;;
-  *"curl -sS -H 'Authorization: Bearer *** http://127.0.0.1:18088/api/providers/deepseek/access/status"*)
+  *"/api/providers/deepseek/access/status"*)
     printf '%s\n' '{"latest_access_status":"subscription_ready"}'
     ;;
-  *"curl -sS -X POST -H 'Authorization: Bearer *** -H 'Content-Type: application/json' http://127.0.0.1:18088/api/providers/deepseek/access/preview"*)
+  *"/api/providers/deepseek/access/preview"*)
     printf '%s\n' '{"available":true}'
     ;;
-  *"curl -sS -H 'Authorization: Bearer *** http://127.0.0.1:18088/api/providers/deepseek/reconcile"*)
+  *"/api/providers/deepseek/reconcile"*)
     printf '%s\n' '{"status":"in_sync"}'
     ;;
   *"sudo -n docker exec -i sub2api-relaymgr-pg psql -U sub2api -d sub2api -At -F ''"*)
@@ -197,17 +215,26 @@ case "$cmd" in
     ;;
   *"sudo -n docker exec -i sub2api-relaymgr-pg psql -U sub2api -d sub2api"*)
     CMD="$cmd" LOG_DIR="$log_dir" python3 - <<'PY'
-import base64, os, re, pathlib
+import base64, os, re, pathlib, sys
 cmd = os.environ['CMD']
 log_dir = pathlib.Path(os.environ['LOG_DIR'])
 match = re.search(r"printf '%s' '([^']+)' \| base64 -d", cmd)
 if not match:
     raise SystemExit(f'failed to extract base64 payload from: {cmd}')
-log_dir.joinpath('prep.sql').write_bytes(base64.b64decode(match.group(1)))
+sql = base64.b64decode(match.group(1)).decode()
+log_dir.joinpath('prep.sql').write_text(sql, encoding='utf-8')
+if "select id from users where email like 'relay-sub-%@sub2api.local' and not exists" in sql:
+    print('')
+elif "select k.key from users u join api_keys k on k.user_id=u.id" in sql and "not exists" in sql:
+    print('')
+elif "INSERT INTO users" in sql and "INSERT INTO api_keys" in sql:
+    print('84\tuser-key-fresh')
+else:
+    print('')
 PY
     ;;
-  *"sudo -n docker exec sub2api-relaymgr-redis redis-cli FLUSHDB"*)
-    printf '%s\n' 'OK'
+  *"sudo -n docker exec sub2api-relaymgr-redis redis-cli DEL apikey:auth:"*" billing:balance:"*" billing:sub:"*":7"*)
+    printf '%s\n' '3'
     ;;
   *)
     echo "unexpected ssh command: $cmd" >&2
@@ -223,6 +250,7 @@ EOF
   REMOTE="fake@host" \
   CRM_BASE="http://127.0.0.1:18088" \
   HOST_BASE="http://127.0.0.1:18087" \
+  CRM_HOST_BASE="http://127.0.0.1:18093" \
   ROOT="$artifact_dir/root" \
   ART="$artifact_dir/run" \
   PACK_PATH="/tmp/openai-pack" \
@@ -239,6 +267,18 @@ EOF
   assert_contains "$prep_sql" "UPDATE api_keys"
   assert_contains "$prep_sql" "INSERT INTO user_subscriptions"
   assert_contains "$prep_sql" "group_id = 7"
+  local runtime_context invalidation_log
+  runtime_context="$(cat "$artifact_dir/run/01-runtime-context.json")"
+  assert_contains "$runtime_context" '"crm_host_base": "http://127.0.0.1:18093"'
+  invalidation_log="$(cat "$artifact_dir/run/07-redis-targeted-invalidation.txt")"
+  assert_contains "$invalidation_log" "auth_cache_key=apikey:auth:"
+  assert_contains "$invalidation_log" "balance_cache_key=billing:balance:84"
+  assert_contains "$invalidation_log" "subscription_cache_key=billing:sub:84:7"
+  local models_body chat_body
+  models_body="$(cat "$artifact_dir/run/10-models.body.json")"
+  chat_body="$(cat "$artifact_dir/run/12-chat.body.json")"
+  assert_contains "$models_body" '"id":"gpt-4"'
+  assert_contains "$chat_body" '"content":"pong"'
   [[ -s "$ssh_log" ]] || fail "ssh log was empty"
 }