awoooi/scripts/demo-multisig-flow.sh

#!/bin/bash
#
# HITL Multi-Sig Demo Flow
# ========================
# 展示完整的 CRITICAL 簽核流程
#
# 使用方式:
#   1. 確保 API 和 Web 都已啟動
#   2. 執行此腳本
#

set -e

API_URL="${API_URL:-http://localhost:8000}"

echo "=============================================="
echo "  HITL Multi-Sig Demo Flow"
echo "=============================================="
echo ""
echo "API URL: $API_URL"
echo ""

# Step 1: Create a CRITICAL approval
echo "Step 1: Creating CRITICAL approval..."
echo ""

APPROVAL_RESPONSE=$(curl -s -X POST "$API_URL/api/v1/approvals" \
  -H "Content-Type: application/json" \
  -d '{
    "action": "DROP TABLE user_sessions",
    "description": "清除所有用戶 session 以強制重新登入。此操作將影響所有線上用戶。",
    "risk_level": "critical",
    "blast_radius": {
      "affected_pods": 0,
      "estimated_downtime": "0",
      "related_services": ["auth-service", "api-gateway", "user-service"],
      "data_impact": "destructive"
    },
    "dry_run_checks": [
      {"name": "RBAC Check", "passed": true, "message": "db-admin"},
      {"name": "Syntax Check", "passed": true},
      {"name": "Backup Available", "passed": false, "message": "No recent backup!"}
    ],
    "requested_by": "OpenClaw"
  }')

APPROVAL_ID=$(echo "$APPROVAL_RESPONSE" | jq -r '.id')
echo "Created approval: $APPROVAL_ID"
echo "Status: $(echo "$APPROVAL_RESPONSE" | jq -r '.status')"
echo "Required signatures: $(echo "$APPROVAL_RESPONSE" | jq -r '.required_signatures')"
echo "Current signatures: $(echo "$APPROVAL_RESPONSE" | jq -r '.current_signatures')"
echo ""

# Step 2: First signature
echo "Step 2: First signer (Alice CTO) signs..."
echo ""

SIGN1_RESPONSE=$(curl -s -X POST "$API_URL/api/v1/approvals/$APPROVAL_ID/sign" \
  -H "Content-Type: application/json" \
  -d '{
    "signer_id": "alice-001",
    "signer_name": "Alice Chen (CTO)",
    "comment": "已確認風險，建議在低流量時段執行"
  }')

echo "Sign result: $(echo "$SIGN1_RESPONSE" | jq -r '.message')"
echo "Status: $(echo "$SIGN1_RESPONSE" | jq -r '.approval.status')"
echo "Signatures: $(echo "$SIGN1_RESPONSE" | jq -r '.approval.current_signatures')/$(echo "$SIGN1_RESPONSE" | jq -r '.approval.required_signatures')"
echo "Execution triggered: $(echo "$SIGN1_RESPONSE" | jq -r '.execution_triggered')"
echo ""

# Step 3: Check pending
echo "Step 3: Check pending approvals..."
echo ""

PENDING_RESPONSE=$(curl -s "$API_URL/api/v1/approvals/pending")
echo "Pending count: $(echo "$PENDING_RESPONSE" | jq -r '.count')"
echo ""

# Step 4: Second signature
echo "Step 4: Second signer (Bob CISO) signs..."
echo ""

SIGN2_RESPONSE=$(curl -s -X POST "$API_URL/api/v1/approvals/$APPROVAL_ID/sign" \
  -H "Content-Type: application/json" \
  -d '{
    "signer_id": "bob-002",
    "signer_name": "Bob Wu (CISO)",
    "comment": "CISO 核准。已通知 DBA 團隊待命。"
  }')

echo "Sign result: $(echo "$SIGN2_RESPONSE" | jq -r '.message')"
echo "Status: $(echo "$SIGN2_RESPONSE" | jq -r '.approval.status')"
echo "Signatures: $(echo "$SIGN2_RESPONSE" | jq -r '.approval.current_signatures')/$(echo "$SIGN2_RESPONSE" | jq -r '.approval.required_signatures')"
echo "Execution triggered: $(echo "$SIGN2_RESPONSE" | jq -r '.execution_triggered')"
echo ""

# Step 5: Final check
echo "Step 5: Final check - pending approvals..."
echo ""

FINAL_PENDING=$(curl -s "$API_URL/api/v1/approvals/pending")
echo "Pending count: $(echo "$FINAL_PENDING" | jq -r '.count')"
echo ""

echo "=============================================="
echo "  Multi-Sig Demo Complete!"
echo "=============================================="
echo ""
echo "✅ CRITICAL approval created"
echo "✅ First signature (1/2) - still PENDING"
echo "✅ Second signature (2/2) - APPROVED"
echo "✅ Execution triggered"
echo ""