feat: harden runtime import and frontend verification workflows

scripts/test/test_real_host_scripts.sh

@@ -271,6 +271,8 @@ run_test_verify_quality_gates_script() {
   [[ -f "$threshold_file" ]] || fail "missing $threshold_file"
 
   script_contents="$(cat "$script")"
+  assert_contains "$script_contents" "test_tksea_portal_assets.sh"
+  assert_contains "$script_contents" "verify_frontend_smoke.sh"
   assert_contains "$script_contents" "gofmt -l ."
   assert_contains "$script_contents" "go vet ./..."
   assert_contains "$script_contents" "go test -cover ./internal/..."
@@ -520,6 +522,8 @@ EOF
   CRM_HOST_BASE="http://127.0.0.1:18093" \
   REMOTE_HOST_BASE="http://127.0.0.1:18093" \
   HOST_NAME="human-friendly-host-name" \
+  REMOTE_PG_CONTAINER="sub2api-fresh-deepseek-20260519_115244-postgres-1" \
+  REMOTE_REDIS_CONTAINER="sub2api-fresh-deepseek-20260519_115244-redis-1" \
   ROOT="$artifact_dir/root" \
   ART="$artifact_dir/run" \
   PACK_PATH="$pack_dir" \
@@ -580,7 +584,8 @@ EOF
   assert_contains "$ssh_contents" "http://127.0.0.1:18093/v1/chat/completions"
   assert_not_contains "$ssh_contents" "http://127.0.0.1:18087/v1/models"
   assert_not_contains "$ssh_contents" "http://127.0.0.1:18087/v1/chat/completions"
-  assert_not_contains "$ssh_contents" "user-key"
+  assert_contains "$ssh_contents" "Authorization: Bearer user-key"
+  assert_not_contains "$ssh_contents" "Authorization: Bearer sk-rel"
 
   local provider_status
   provider_status="$(cat "$artifact_dir/run/13-provider-status.json")"
@@ -1055,6 +1060,314 @@ EOF
   assert_contains "$summary" '"fallback_recent_failover_count": 1'
 }
 
+run_test_verify_portal_catalog_ui_script() {
+  local tmpdir fakebin artifact_dir stdout_file
+  tmpdir="$(mktemp -d)"
+  trap 'rm -rf "$tmpdir"' RETURN
+  fakebin="$tmpdir/bin"
+  artifact_dir="$tmpdir/artifacts"
+  stdout_file="$tmpdir/verify_portal_catalog_ui.stdout.txt"
+  mkdir -p "$fakebin" "$artifact_dir"
+
+  cat > "$fakebin/curl" <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+url=""
+output_file=""
+prev=""
+for arg in "$@"; do
+  case "$prev" in
+    -o) output_file="$arg"; prev=""; continue ;;
+  esac
+  case "$arg" in
+    -o) prev="$arg"; continue ;;
+    http://*|https://*) url="$arg" ;;
+  esac
+done
+write_body() {
+  local body="$1"
+  if [[ -n "$output_file" ]]; then
+    printf '%s\n' "$body" > "$output_file"
+  else
+    printf '%s\n' "$body"
+  fi
+}
+case "$url" in
+  http://portal.example.com/)
+    write_body '<html><title>Sub2API 多模型接入中心</title><body>逻辑分组目录</body></html>'
+    ;;
+  http://crm.example.com/api/portal/logical-groups)
+    write_body '{"logical_groups":[{"logical_group_id":"portal-group-001","display_name":"Portal Group 001"}]}'
+    ;;
+  http://crm.example.com/api/portal/logical-groups/portal-group-001/models)
+    write_body '{"public_models":[{"public_model":"gpt-5.4"}]}'
+    ;;
+  http://proxy.example.com/auth/me)
+    write_body '{"code":0,"data":{"id":42,"email":"portal@example.com"}}'
+    ;;
+  http://proxy.example.com/groups/available)
+    write_body '{"code":0,"data":[{"id":101,"name":"Portal Group"}]}'
+    ;;
+  http://proxy.example.com/subscriptions)
+    write_body '{"code":0,"data":[{"id":1,"group_id":101,"status":"active"}]}'
+    ;;
+  "http://proxy.example.com/keys?page=1&page_size=20")
+    write_body '{"code":0,"data":{"items":[{"id":1,"group_id":101,"key":"sk-visible"}]}}'
+    ;;
+  *)
+    echo "unexpected curl url: $url" >&2
+    exit 1
+    ;;
+esac
+EOF
+  chmod +x "$fakebin/curl"
+
+  PATH="$fakebin:$PATH" \
+  PORTAL_PAGE_URL="http://portal.example.com/" \
+  PORTAL_CATALOG_BASE="http://crm.example.com/api/portal" \
+  PORTAL_PROXY_BASE="http://proxy.example.com" \
+  PORTAL_ACCESS_TOKEN="portal-token" \
+  ARTIFACT_DIR="$artifact_dir" \
+  bash "$ROOT_DIR/scripts/acceptance/verify_portal_catalog_ui.sh" >"$stdout_file"
+
+  local summary
+  summary="$(cat "$artifact_dir/99-summary.json")"
+  assert_contains "$summary" '"page_title_seen": true'
+  assert_contains "$summary" '"logical_group_count": 1'
+  assert_contains "$summary" '"first_logical_group_id": "portal-group-001"'
+  assert_contains "$summary" '"user_projection_checked": true'
+  assert_contains "$summary" '"key_count": 1'
+}
+
+run_test_verify_public_portal_browser_script() {
+  local tmpdir fakebin artifact_dir stdout_file
+  tmpdir="$(mktemp -d)"
+  trap 'rm -rf "$tmpdir"' RETURN
+  fakebin="$tmpdir/bin"
+  artifact_dir="$tmpdir/artifacts"
+  stdout_file="$tmpdir/verify_public_portal_browser.stdout.txt"
+  mkdir -p "$fakebin" "$artifact_dir"
+
+  cat > "$fakebin/curl" <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+url=""
+output_file=""
+prev=""
+for arg in "$@"; do
+  case "$prev" in
+    -o) output_file="$arg"; prev=""; continue ;;
+  esac
+  case "$arg" in
+    -o) prev="$arg"; continue ;;
+    http://*|https://*) url="$arg" ;;
+  esac
+done
+write_body() {
+  local body="$1"
+  if [[ -n "$output_file" ]]; then
+    printf '%s\n' "$body" > "$output_file"
+  else
+    printf '%s\n' "$body"
+  fi
+}
+case "$url" in
+  http://portal.example.com/portal/)
+    write_body '<html><title>Sub2API 多模型接入中心</title><body>逻辑分组目录 申请 Key 依赖状态</body></html>'
+    ;;
+  http://crm.example.com/api/portal/logical-groups)
+    write_body '{"logical_groups":[{"logical_group_id":"portal-group-001","display_name":"Portal Group 001"}]}'
+    ;;
+  http://crm.example.com/api/portal/logical-groups/portal-group-001/models)
+    write_body '{"public_models":[{"public_model":"gpt-5.4"}]}'
+    ;;
+  http://proxy.example.com/auth/me)
+    write_body '{"code":0,"data":{"id":42,"email":"portal@example.com"}}'
+    ;;
+  http://proxy.example.com/groups/available)
+    write_body '{"code":0,"data":[{"id":101,"name":"Portal Group"}]}'
+    ;;
+  http://proxy.example.com/subscriptions)
+    write_body '{"code":0,"data":[{"id":1,"group_id":101,"status":"active"}]}'
+    ;;
+  "http://proxy.example.com/keys?page=1&page_size=20")
+    write_body '{"code":0,"data":{"items":[{"id":1,"group_id":101,"key":"sk-visible"}]}}'
+    ;;
+  *)
+    echo "unexpected curl url: $url" >&2
+    exit 1
+    ;;
+esac
+EOF
+  cat > "$fakebin/chromium" <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+printf '%s\n' '<html><title>Sub2API 多模型接入中心</title><body>逻辑分组目录 申请 Key 依赖状态 可直接申请 可申请，调用前需确认状态 待补开通 待人工整理 仅目录可见</body></html>'
+EOF
+  chmod +x "$fakebin/curl" "$fakebin/chromium"
+
+  PATH="$fakebin:$PATH" \
+  CHROMIUM_BIN="$fakebin/chromium" \
+  PUBLIC_PORTAL_PAGE_URL="http://portal.example.com/portal/" \
+  PUBLIC_PORTAL_CATALOG_BASE="http://crm.example.com/api/portal" \
+  PUBLIC_PORTAL_PROXY_BASE="http://proxy.example.com" \
+  PORTAL_ACCESS_TOKEN="portal-token" \
+  ARTIFACT_DIR="$artifact_dir" \
+  bash "$ROOT_DIR/scripts/acceptance/verify_public_portal_browser.sh" >"$stdout_file"
+
+  local summary
+  summary="$(cat "$artifact_dir/99-summary.json")"
+  assert_contains "$summary" '"dependency_panel_seen": true'
+  assert_contains "$summary" '"page_title_seen": true'
+  assert_contains "$summary" '"logical_group_count": 1'
+  assert_contains "$summary" '"user_projection_checked": true'
+  assert_contains "$summary" '"result": "pass"'
+}
+
+run_test_verify_accounts_admin_ui_script() {
+  local tmpdir fakebin artifact_dir stdout_file
+  tmpdir="$(mktemp -d)"
+  trap 'rm -rf "$tmpdir"' RETURN
+  fakebin="$tmpdir/bin"
+  artifact_dir="$tmpdir/artifacts"
+  stdout_file="$tmpdir/verify_accounts_admin_ui.stdout.txt"
+  mkdir -p "$fakebin" "$artifact_dir"
+
+  cat > "$fakebin/curl" <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+method="GET"
+url=""
+output_file=""
+prev=""
+for arg in "$@"; do
+  case "$prev" in
+    -X) method="$arg"; prev=""; continue ;;
+    -o) output_file="$arg"; prev=""; continue ;;
+  esac
+  case "$arg" in
+    -X|-o) prev="$arg"; continue ;;
+    http://*|https://*) url="$arg" ;;
+  esac
+done
+write_body() {
+  local body="$1"
+  if [[ -n "$output_file" ]]; then
+    printf '%s\n' "$body" > "$output_file"
+  else
+    printf '%s\n' "$body"
+  fi
+}
+case "$method $url" in
+  "GET http://portal.example.com/accounts.html")
+    write_body '<html><title>Provider Accounts Admin</title><body>Provider Accounts Admin</body></html>'
+    ;;
+  "GET http://crm.example.com/api/provider-accounts?limit=50")
+    write_body '{"provider_accounts":[{"id":1,"provider_id":"gpt-asxs-shadow-lab","status":"active","binding_state":"conflict"}]}'
+    ;;
+  "GET http://crm.example.com/api/provider-accounts/1/binding-candidates")
+    write_body '{"binding_candidates":[{"route_id":"primary-1"},{"route_id":"fallback-1"}]}'
+    ;;
+  *)
+    echo "unexpected curl request: $method $url" >&2
+    exit 1
+    ;;
+esac
+EOF
+  chmod +x "$fakebin/curl"
+
+  PATH="$fakebin:$PATH" \
+  CRM_BASE="http://crm.example.com" \
+  CRM_ADMIN_TOKEN="token" \
+  ACCOUNTS_PAGE_URL="http://portal.example.com/accounts.html" \
+  ARTIFACT_DIR="$artifact_dir" \
+  bash "$ROOT_DIR/scripts/acceptance/verify_accounts_admin_ui.sh" >"$stdout_file"
+
+  local summary
+  summary="$(cat "$artifact_dir/99-summary.json")"
+  assert_contains "$summary" '"page_title_seen": true'
+  assert_contains "$summary" '"account_count": 1'
+  assert_contains "$summary" '"selected_account_id": "1"'
+  assert_contains "$summary" '"binding_candidate_count": 2'
+}
+
+run_test_verify_frontend_acceptance_matrix_script() {
+  local tmpdir matrix_dir browser_script portal_script public_portal_browser_script accounts_script route_script provider_script stdout_file
+  tmpdir="$(mktemp -d)"
+  trap 'rm -rf "$tmpdir"' RETURN
+  matrix_dir="$tmpdir/matrix"
+  stdout_file="$tmpdir/verify_frontend_acceptance_matrix.stdout.txt"
+  browser_script="$tmpdir/browser.sh"
+  portal_script="$tmpdir/portal.sh"
+  public_portal_browser_script="$tmpdir/public-portal-browser.sh"
+  accounts_script="$tmpdir/accounts.sh"
+  route_script="$tmpdir/route.sh"
+  provider_script="$tmpdir/provider.sh"
+
+  cat > "$browser_script" <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+mkdir -p "$ARTIFACT_DIR"
+printf '%s\n' '{"result":"pass","page_title_seen":true}' > "$ARTIFACT_DIR/99-summary.json"
+EOF
+  cat > "$portal_script" <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+mkdir -p "$ARTIFACT_DIR"
+printf '%s\n' '{"logical_group_count":1,"page_title_seen":true}' > "$ARTIFACT_DIR/99-summary.json"
+EOF
+  cat > "$public_portal_browser_script" <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+mkdir -p "$ARTIFACT_DIR"
+printf '%s\n' '{"page_title_seen":true,"dependency_panel_seen":true,"result":"pass"}' > "$ARTIFACT_DIR/99-summary.json"
+EOF
+  cat > "$accounts_script" <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+mkdir -p "$ARTIFACT_DIR"
+printf '%s\n' '{"account_count":1,"page_title_seen":true}' > "$ARTIFACT_DIR/99-summary.json"
+EOF
+  cat > "$route_script" <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+mkdir -p "$ARTIFACT_DIR"
+printf '%s\n' '{"control_plane_group_id":"lg-1","health_ui_group_id":"lg-2","data_plane_group_id":"lg-3"}' > "$ARTIFACT_DIR/summary.json"
+EOF
+  cat > "$provider_script" <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+mkdir -p "$ARTIFACT_DIR"
+printf '%s\n' '{"page_title_seen":true,"import_batch_id":321}' > "$ARTIFACT_DIR/99-summary.json"
+EOF
+  chmod +x "$browser_script" "$portal_script" "$public_portal_browser_script" "$accounts_script" "$route_script" "$provider_script"
+
+  CRM_BASE="http://crm.example.com" \
+  CRM_ADMIN_TOKEN="token" \
+  SHADOW_HOST_ID="shadow-host-1" \
+  SHADOW_GROUP_ID="shadow-group-1" \
+  SUBSCRIPTION_USER_ID="42" \
+  ACCESS_API_KEY="sk-access" \
+  PROVIDER_KEYS="sk-provider-1" \
+  RUN_PUBLIC_PORTAL_BROWSER="1" \
+  MATRIX_DIR="$matrix_dir" \
+  BROWSER_SMOKE_SCRIPT="$browser_script" \
+  PORTAL_ACCEPTANCE_SCRIPT="$portal_script" \
+  PUBLIC_PORTAL_BROWSER_SCRIPT="$public_portal_browser_script" \
+  ACCOUNTS_ACCEPTANCE_SCRIPT="$accounts_script" \
+  ROUTE_MATRIX_SCRIPT="$route_script" \
+  PROVIDER_ADMIN_SCRIPT="$provider_script" \
+  bash "$ROOT_DIR/scripts/acceptance/verify_frontend_acceptance_matrix.sh" >"$stdout_file"
+
+  local summary
+  summary="$(cat "$matrix_dir/summary.json")"
+  assert_contains "$summary" '"browser_smoke"'
+  assert_contains "$summary" '"status": "ok"'
+  assert_contains "$summary" '"portal_public_browser"'
+  assert_contains "$summary" '"portal": ['
+  assert_contains "$summary" '"providers": ['
+}
+
 run_test_remote43_patched_stack_renderers() {
   # shellcheck disable=SC1091
   source "$ROOT_DIR/scripts/deploy/remote43_patched_stack_lib.sh"
@@ -1183,6 +1496,10 @@ run_test_verify_route_control_plane_script
 run_test_verify_route_data_plane_script
 run_test_verify_provider_admin_actions_script
 run_test_verify_route_health_ui_script
+run_test_verify_portal_catalog_ui_script
+run_test_verify_public_portal_browser_script
+run_test_verify_accounts_admin_ui_script
+run_test_verify_frontend_acceptance_matrix_script
 run_test_remote43_patched_stack_renderers
 run_test_setup_remote43_patched_stack_dry_run
 run_test_verify_quality_gates_script