test(router): set ADMIN_TOKEN in TestTestTokenRoute_RequiresAdminAuth_WhenTokensExist

The test asserts that AdminAuth rejects an unauthenticated request to
the test-token route once any workspace token exists in the DB. It
sets MOLECULE_ENV=development to enable the handler's gate.

After this branch's AdminAuth Tier-1b hatch (middleware/devmode.go),
MOLECULE_ENV=development + empty ADMIN_TOKEN becomes the explicit
fail-open signal for local dev — so the request correctly passes
AdminAuth and falls through to the handler, which then 500s on an
unmocked DB lookup instead of the expected 401.

The security property the test is protecting (no bearer → 401 when
tokens exist) corresponds to the SaaS configuration where
ADMIN_TOKEN is always set. Setting ADMIN_TOKEN in the test suppresses
the dev-mode hatch and reaches AdminAuth's Tier-2 bearer check,
which correctly aborts 401 with "admin auth required".

No production behaviour change — the test is now verifying the path
that actually runs in production (MOLECULE_ENV=production +
ADMIN_TOKEN set).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

workspace-server/internal/router/admin_test_token_route_test.go

@@ -49,6 +49,13 @@ func setupRouterTestDB(t *testing.T) sqlmock.Sqlmock {
 // would reach the handler and mint a new bearer for any workspace UUID.
 func TestTestTokenRoute_RequiresAdminAuth_WhenTokensExist(t *testing.T) {
 	t.Setenv("MOLECULE_ENV", "development") // enable the handler itself
+	// Explicit ADMIN_TOKEN so AdminAuth's dev-mode fail-open branch
+	// (middleware/devmode.go::isDevModeFailOpen) does NOT fire — we're
+	// testing the production-like security property that once any
+	// workspace token exists, an unauthenticated request is rejected.
+	// Setting ADMIN_TOKEN is the operator's opt-in to #684 closure and
+	// is what hosted SaaS tenants always have set.
+	t.Setenv("ADMIN_TOKEN", "test-admin-secret-not-presented-by-caller")
 	mock := setupRouterTestDB(t)
 
 	// HasAnyLiveTokenGlobal: platform has one enrolled workspace.