fix(tests): isolate token resolution from real .auth_token on disk

Issue #160: workspace tests fail when MOLECULE_WORKSPACE_TOKEN is set in
the test environment (or when /configs/.auth_token exists on disk, as it
does in a container CI runner).

Root cause:
- test_resolve_token_returns_none_when_missing: monkeypatch.delenv()
  removes the env var, but _resolve_token() falls through to
  configs_dir.resolve()/.auth_token which exists in the container.
- Multi-workspace tests: clear_cache() resets _cached_token, but
  get_token() immediately re-reads /configs/.auth_token and caches
  the real token before the env var is even checked.

Fix:
- test_mcp_doctor: patch configs_dir.resolve() to return a bare tmp_path
  so the disk-file fallback finds nothing.
- Multi-workspace tests: patch platform_auth._token_file() to return a
  non-existent path (via tmp_path) alongside clear_cache(), ensuring
  the env var wins as intended.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

workspace/tests/test_mcp_cli_multi_workspace.py

@@ -184,9 +184,14 @@ class TestPlatformAuthRegistry:
         assert b["Authorization"] == "Bearer tok-b"
         assert a["Origin"] == "https://example.test"
 
-    def test_auth_headers_with_no_arg_uses_legacy_path(self, monkeypatch):
+    def test_auth_headers_with_no_arg_uses_legacy_path(self, monkeypatch, tmp_path):
         import platform_auth
 
+        # Wipe the module-level token cache and redirect _token_file() to a
+        # non-existent path so the env var isolation is clean. Without this,
+        # the real /configs/.auth_token pollutes the result.
+        platform_auth.clear_cache()
+        monkeypatch.setattr(platform_auth, "_token_file", lambda: tmp_path / ".auth_token")
         monkeypatch.setenv("PLATFORM_URL", "https://example.test")
         monkeypatch.setenv("MOLECULE_WORKSPACE_TOKEN", "legacy-tok")
         # Multi-workspace registry populated, but auth_headers() with
@@ -199,10 +204,15 @@ class TestPlatformAuthRegistry:
         assert h["Authorization"] == "Bearer legacy-tok"
 
     def test_auth_headers_with_unknown_workspace_falls_back_to_legacy(
-        self, monkeypatch
+        self, monkeypatch, tmp_path
     ):
         import platform_auth
 
+        # Wipe the module-level token cache and redirect _token_file() to a
+        # non-existent path so the env var isolation is clean. Without this,
+        # the real /configs/.auth_token pollutes the result.
+        platform_auth.clear_cache()
+        monkeypatch.setattr(platform_auth, "_token_file", lambda: tmp_path / ".auth_token")
         monkeypatch.setenv("PLATFORM_URL", "https://example.test")
         monkeypatch.setenv("MOLECULE_WORKSPACE_TOKEN", "legacy-tok")
         platform_auth.register_workspace_token("ws-a", "tok-a")

workspace/tests/test_mcp_doctor.py

@@ -166,9 +166,15 @@ def test_resolve_token_returns_value_and_label_for_env(monkeypatch):
     assert mcp_doctor._resolve_token_summary() == label
 
 
-def test_resolve_token_returns_none_when_missing(monkeypatch):
+def test_resolve_token_returns_none_when_missing(monkeypatch, tmp_path):
     monkeypatch.delenv("MOLECULE_WORKSPACE_TOKEN", raising=False)
     monkeypatch.delenv("MOLECULE_WORKSPACE_TOKEN_FILE", raising=False)
+    # The .auth_token file at /configs/.auth_token (present in container env)
+    # must not pollute the test. Patch configs_dir.resolve() to return a
+    # bare temp dir so the disk-file fallback in _resolve_token() has
+    # nothing to find.
+    import configs_dir
+    monkeypatch.setattr(configs_dir, "resolve", lambda: tmp_path)
     val, label = mcp_doctor._resolve_token()
     assert val is None
     assert label is None