From d88c160e565d88bacd27c69bfa5a39b9044cc7dc Mon Sep 17 00:00:00 2001 From: Hongming Wang Date: Sat, 2 May 2026 04:35:47 -0700 Subject: [PATCH] test(e2e): wire SaaS auth headers (TENANT_ADMIN_TOKEN + TENANT_ORG_ID) The harness needs Authorization + X-Molecule-Org-Id (per-tenant, NOT CP_ADMIN_API_TOKEN) when targeting *.moleculesai.app subdomains. Existing single-Origin-header form silent-failed with 404 against staging tenants since the SaaS edge WAF rewrites unauthenticated /workspaces calls to Next.js (per reference_saas_waf_origin_header.md). Switch to a headers array so multiple -H flags compose cleanly with curl arg-quoting, and document the env var contract at the top of the script. Co-Authored-By: Claude Opus 4.7 (1M context) --- scripts/test-all-runtimes-a2a-e2e.sh | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/scripts/test-all-runtimes-a2a-e2e.sh b/scripts/test-all-runtimes-a2a-e2e.sh index 20f6f2a5..013ceead 100755 --- a/scripts/test-all-runtimes-a2a-e2e.sh +++ b/scripts/test-all-runtimes-a2a-e2e.sh @@ -30,10 +30,17 @@ set -euo pipefail PLATFORM="${PLATFORM:-${1:-http://localhost:8080}}" HERMES_PROVIDER_KEY="${OPENROUTER_API_KEY:-${HERMES_API_KEY:-}}" PEER_OPENAI_KEY="${OPENAI_API_KEY:-}" -ORIGIN_HEADER="" +# SaaS auth chain — TENANT_ADMIN_TOKEN + TENANT_ORG_ID required when +# hitting *.moleculesai.app (per-tenant ADMIN_TOKEN, NOT +# CP_ADMIN_API_TOKEN). Optional for localhost. +TENANT_ADMIN_TOKEN="${TENANT_ADMIN_TOKEN:-}" +TENANT_ORG_ID="${TENANT_ORG_ID:-}" +EXTRA_HEADERS=() case "$PLATFORM" in https://*.moleculesai.app|https://*.moleculesai.app/*) - ORIGIN_HEADER="-H Origin:$PLATFORM" + EXTRA_HEADERS+=("-H" "Origin: $PLATFORM") + [ -n "$TENANT_ADMIN_TOKEN" ] && EXTRA_HEADERS+=("-H" "Authorization: Bearer $TENANT_ADMIN_TOKEN") + [ -n "$TENANT_ORG_ID" ] && EXTRA_HEADERS+=("-H" "X-Molecule-Org-Id: $TENANT_ORG_ID") ;; esac @@ -60,7 +67,7 @@ check() { } curl_p() { - /usr/bin/curl -s $ORIGIN_HEADER "$@" + /usr/bin/curl -s "${EXTRA_HEADERS[@]}" "$@" } wait_online() {