From d03fec794e2473980aad67ba2df2fbcb89dac15e Mon Sep 17 00:00:00 2001
From: Molecule AI Core Platform Lead
 <core-platform-lead@agents.moleculesai.app>
Date: Fri, 8 May 2026 22:46:14 +0000
Subject: [PATCH] feat(workspace): add /configs/.github-token static-token
 fallback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When platform /github-installation-token returns 500 (GitHub App unconfigured
or token expired), operators can place a PAT in /configs/.github-token
to keep git/ gh ops running. This is a pure additive step-4 fallback —
cache is NEVER written for static tokens so recovery always reads fresh.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 workspace/scripts/molecule-git-token-helper.sh | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/workspace/scripts/molecule-git-token-helper.sh b/workspace/scripts/molecule-git-token-helper.sh
index 125d5109..8f106cfd 100755
--- a/workspace/scripts/molecule-git-token-helper.sh
+++ b/workspace/scripts/molecule-git-token-helper.sh
@@ -46,8 +46,10 @@
 # 2. Fetch fresh token from platform API.
 # 3. If platform is unreachable, fall back to GITHUB_TOKEN / GH_TOKEN
 #    env var (set at container start, valid for up to 60 min).
-# 4. If all fail, exit 1 so git falls through to the next credential
-#    helper in the chain (if any).
+# 4. If all fail, fall back to a static PAT written by the infra operator
+#    at ${CONFIGS_DIR}/.github-token (helps when platform
+#    /github-installation-token returns 500 due to GitHub App misconfiguration).
+#    Cache is NEVER written for static tokens — recovery is always fresh.
 #
 # # gh CLI integration
 #
@@ -222,6 +224,17 @@ _fetch_token() {
         return 0
     fi
 
+    # 4. Fall back to static token file (written by infra operator).
+    static_token_file="${CONFIGS_DIR:-/configs}/.github-token"
+    if [ -f "${static_token_file}" ]; then
+        static_token=$(cat "${static_token_file}" | tr -d '[:space:]')
+        if [ -n "${static_token}" ]; then
+            echo "[molecule-git-token-helper] API unreachable, falling back to static token file" >&2
+            echo "${static_token}"
+            return 0
+        fi
+    fi
+
     echo "[molecule-git-token-helper] all token sources exhausted" >&2
     return 1
 }