core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity

fix(e2e): stop asserting current_task on public workspace GET (#966)

Browse Source 
PR #966 intentionally stripped current_task, last_sample_error, and
workspace_dir from the public GET /workspaces/:id response to avoid
leaking task bodies to anyone with a workspace bearer. The E2E smoke
test hadn't caught up — it was still asserting "current_task":"..."
on the single-workspace GET, which made every post-#966 CI run fail
with '60 passed, 2 failed'.

Swap the per-workspace asserts to check active_tasks (still exposed,
canonical busy signal) and keep the list-endpoint check that proves
admin-auth'd callers still see current_task end-to-end.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Hongming Wang 2026-04-19 02:19:15 -07:00
parent 896a34429a
commit f32196d351
1 changed files with 11 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
tests/e2e/test_api.sh
View File

@ -259,21 +259,26 @@ R=$(curl -s -X POST "$BASE/registry/heartbeat" -H "Content-Type: application/jso
-d "{\"workspace_id\":\"$ECHO_ID\",\"error_rate\":0.0,\"sample_error\":\"\",\"active_tasks\":1,\"uptime_seconds\":400,\"current_task\":\"Analyzing document\"}")
check "Heartbeat with current_task" '"status":"ok"' "$R"
# Test: Verify current_task in GET /workspaces/:id
# Test: Verify state updates are observable in GET /workspaces/:id.
# current_task itself is stripped from this endpoint as of #966 to avoid
# leaking task bodies via the public-facing GET; active_tasks is still
# the canonical "is it busy" signal here. The list endpoint below covers
# the admin-only current_task visibility path.
R=$(acurl "$BASE/workspaces/$ECHO_ID")
check "current_task visible in workspace" '"current_task":"Analyzing document"' "$R"
check "active_tasks updated" '"active_tasks":1' "$R"
# Test: Clear current_task
# Test: Clear current_task via heartbeat
R=$(curl -s -X POST "$BASE/registry/heartbeat" -H "Content-Type: application/json" -H "Authorization: Bearer $ECHO_TOKEN" \
-d "{\"workspace_id\":\"$ECHO_ID\",\"error_rate\":0.0,\"sample_error\":\"\",\"active_tasks\":0,\"uptime_seconds\":500,\"current_task\":\"\"}")
check "Heartbeat clear current_task" '"status":"ok"' "$R"
R=$(acurl "$BASE/workspaces/$ECHO_ID")
check "current_task cleared" '"current_task":""' "$R"
check "active_tasks cleared" '"active_tasks":0' "$R"
# Test: current_task in workspace list — now admin-auth gated (C1 fix), so a
# workspace bearer token is required once tokens exist anywhere on the platform.
# Test: current_task IS visible in the admin workspace list — the list
# endpoint is admin-auth gated and keeps the full record, so operators
# can still see task progress from the dashboard without exposing it
# over the public per-workspace GET.
R=$(curl -s "$BASE/workspaces" -H "Authorization: Bearer $ECHO_TOKEN")
check "current_task in list response" '"current_task"' "$R"