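#!/bin/bash
#
# HITL Multi-Sig Demo Flow
# ========================
# Demonstrates the complete CRITICAL approval (sign-off) flow: create a
# critical approval, add two signatures, and list pending approvals
# before and after the second signature.
#
# Usage:
#   1. Make sure the API and the Web front end are both running
#   2. Run this script
#
# Environment:
#   API_URL  Base URL of the approvals API (default: http://localhost:8000)
#
# Requires: curl, jq
#
# Exit status: 0 when every step behaved as the summary claims, non-zero
# when a request failed or a response did not match the expected flow.
#
# NOTE(review): the approval created below requests a destructive action
# and the flow ends with execution being triggered, so API_URL is meant to
# point at a disposable demo backend. The default is plain HTTP on
# localhost; use an https:// URL when the API is not local.
#
set -euo pipefail

API_URL="${API_URL:-http://localhost:8000}"

# Print an error on stderr and stop the demo.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# Extract one field from a JSON document.
#   $1 - JSON text
#   $2 - jq filter (always a literal from this script, never response data)
json_field() {
  jq -r "$2" <<<"$1"
}

# POST a JSON body and print the response body.
# --fail turns HTTP 4xx/5xx into a non-zero exit, so an error page is not
# parsed as if it were an approval; -S keeps curl's error message visible.
#   $1 - URL
#   $2 - JSON body
post_json() {
  curl -sS --fail -X POST "$1" \
    -H "Content-Type: application/json" \
    -d "$2"
}

# True when $1 is a non-negative decimal integer. Response fields are
# checked with this before they reach an arithmetic context, because bash
# evaluates arbitrary expressions inside (( )).
is_uint() {
  [[ "$1" =~ ^[0-9]+$ ]]
}

# True when the signature count is still below the required count.
#   $1 - current signatures, $2 - required signatures
below_threshold() {
  is_uint "$1" && is_uint "$2" && ((10#$1 < 10#$2))
}

# True when the signature count has reached the required count.
#   $1 - current signatures, $2 - required signatures
threshold_met() {
  is_uint "$1" && is_uint "$2" && ((10#$1 >= 10#$2))
}

for tool in curl jq; do
  command -v "$tool" >/dev/null || die "required tool not found: $tool"
done

echo "=============================================="
echo "  HITL Multi-Sig Demo Flow"
echo "=============================================="
echo ""
echo "API URL: $API_URL"
echo ""

# Step 1: Create a CRITICAL approval
echo "Step 1: Creating CRITICAL approval..."
echo ""

# NOTE(review): the payload reports "Backup Available" as failed while
# data_impact is "destructive", and the demo still expects approval and
# execution. Whether the API blocks execution on a failed dry-run check is
# not visible from this script; confirm on the server side.
APPROVAL_RESPONSE=$(post_json "$API_URL/api/v1/approvals" '{
    "action": "DROP TABLE user_sessions",
    "description": "清除所有用戶 session 以強制重新登入。此操作將影響所有線上用戶。",
    "risk_level": "critical",
    "blast_radius": {
      "affected_pods": 0,
      "estimated_downtime": "0",
      "related_services": ["auth-service", "api-gateway", "user-service"],
      "data_impact": "destructive"
    },
    "dry_run_checks": [
      {"name": "RBAC Check", "passed": true, "message": "db-admin"},
      {"name": "Syntax Check", "passed": true},
      {"name": "Backup Available", "passed": false, "message": "No recent backup!"}
    ],
    "requested_by": "OpenClaw"
  }') || die "could not create approval at $API_URL"

APPROVAL_ID=$(json_field "$APPROVAL_RESPONSE" '.id')

# The id is placed into a URL path below. Stop if it is missing, or if it
# holds characters that would change which endpoint the request reaches.
unsafe_id_re='[/?#[:space:]]'
if [[ -z "$APPROVAL_ID" || "$APPROVAL_ID" == "null" ]]; then
  die "approval response has no id: $APPROVAL_RESPONSE"
fi
if [[ "$APPROVAL_ID" =~ $unsafe_id_re ]]; then
  die "approval id is not usable in a URL path: $APPROVAL_ID"
fi

echo "Created approval: $APPROVAL_ID"
echo "Status: $(json_field "$APPROVAL_RESPONSE" '.status')"
echo "Required signatures: $(json_field "$APPROVAL_RESPONSE" '.required_signatures')"
echo "Current signatures: $(json_field "$APPROVAL_RESPONSE" '.current_signatures')"
echo ""

# Step 2: First signature
# NOTE(review): signer_id and signer_name are supplied by the caller in
# the request body, and this script sends no credential with them. If the
# API accepts that outside the demo, a single client can supply both
# signatures. Signer identity should come from an authenticated session,
# and the server should reject a repeated signer; neither is visible from
# this script, so confirm both in the API.
echo "Step 2: First signer (Alice CTO) signs..."
echo ""

SIGN1_RESPONSE=$(post_json "$API_URL/api/v1/approvals/$APPROVAL_ID/sign" '{
    "signer_id": "alice-001",
    "signer_name": "Alice Chen (CTO)",
    "comment": "已確認風險,建議在低流量時段執行"
  }') || die "first signature request failed"

SIGN1_CURRENT=$(json_field "$SIGN1_RESPONSE" '.approval.current_signatures')
SIGN1_REQUIRED=$(json_field "$SIGN1_RESPONSE" '.approval.required_signatures')
SIGN1_TRIGGERED=$(json_field "$SIGN1_RESPONSE" '.execution_triggered')

echo "Sign result: $(json_field "$SIGN1_RESPONSE" '.message')"
echo "Status: $(json_field "$SIGN1_RESPONSE" '.approval.status')"
echo "Signatures: $SIGN1_CURRENT/$SIGN1_REQUIRED"
echo "Execution triggered: $SIGN1_TRIGGERED"
echo ""

# Step 3: Check pending
echo "Step 3: Check pending approvals..."
echo ""

PENDING_RESPONSE=$(curl -sS --fail "$API_URL/api/v1/approvals/pending") \
  || die "could not list pending approvals"
echo "Pending count: $(json_field "$PENDING_RESPONSE" '.count')"
echo ""

# Step 4: Second signature
echo "Step 4: Second signer (Bob CISO) signs..."
echo ""

SIGN2_RESPONSE=$(post_json "$API_URL/api/v1/approvals/$APPROVAL_ID/sign" '{
    "signer_id": "bob-002",
    "signer_name": "Bob Wu (CISO)",
    "comment": "CISO 核准。已通知 DBA 團隊待命。"
  }') || die "second signature request failed"

SIGN2_CURRENT=$(json_field "$SIGN2_RESPONSE" '.approval.current_signatures')
SIGN2_REQUIRED=$(json_field "$SIGN2_RESPONSE" '.approval.required_signatures')
SIGN2_TRIGGERED=$(json_field "$SIGN2_RESPONSE" '.execution_triggered')

echo "Sign result: $(json_field "$SIGN2_RESPONSE" '.message')"
echo "Status: $(json_field "$SIGN2_RESPONSE" '.approval.status')"
echo "Signatures: $SIGN2_CURRENT/$SIGN2_REQUIRED"
echo "Execution triggered: $SIGN2_TRIGGERED"
echo ""

# Step 5: Final check
echo "Step 5: Final check - pending approvals..."
echo ""

FINAL_PENDING=$(curl -sS --fail "$API_URL/api/v1/approvals/pending") \
  || die "could not list pending approvals"
echo "Pending count: $(json_field "$FINAL_PENDING" '.count')"
echo ""

echo "=============================================="
echo "  Multi-Sig Demo Complete!"
echo "=============================================="
echo ""

# The summary is derived from the responses instead of being printed
# unconditionally, so a run where the threshold was bypassed (execution
# after one signature) or never reached is reported as a failure.
# The status strings are not compared because their exact values are not
# known from this script; signature counts and execution_triggered are
# used instead. execution_triggered is assumed to be a JSON boolean that
# jq prints as "true" - TODO confirm against the API schema.
FAILED=0

# Reaching this point means the create call succeeded and returned an id.
echo "✅ CRITICAL approval created"

if below_threshold "$SIGN1_CURRENT" "$SIGN1_REQUIRED" \
  && [[ "$SIGN1_TRIGGERED" != "true" ]]; then
  echo "✅ First signature (1/2) - still PENDING"
else
  echo "❌ First signature: expected a pending approval below the threshold (signatures: $SIGN1_CURRENT/$SIGN1_REQUIRED, execution triggered: $SIGN1_TRIGGERED)"
  FAILED=1
fi

if threshold_met "$SIGN2_CURRENT" "$SIGN2_REQUIRED"; then
  echo "✅ Second signature (2/2) - APPROVED"
else
  echo "❌ Second signature: threshold not reached (signatures: $SIGN2_CURRENT/$SIGN2_REQUIRED)"
  FAILED=1
fi

if [[ "$SIGN2_TRIGGERED" == "true" ]]; then
  echo "✅ Execution triggered"
else
  echo "❌ Execution not triggered (execution_triggered: $SIGN2_TRIGGERED)"
  FAILED=1
fi
echo ""

exit "$FAILED"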