fix(core): make e2e auth explicit after token bootstrap

2026-05-20 15:20:31 -07:00
parent f13a675408
commit 4c290f49f2
2 changed files with 30 additions and 9 deletions
@@ -366,6 +366,9 @@ jobs:
            exit 1
          fi
          echo "Migrations OK"
+      - name: Run today's-PR-coverage E2E (mc#1525/1535/1536/1539/1542 fix-specific assertions)
+        if: needs.detect-changes.outputs.api == 'true'
+        run: bash tests/e2e/test_today_pr_coverage_e2e.sh
      - name: Run E2E API tests
        if: needs.detect-changes.outputs.api == 'true'
        run: bash tests/e2e/test_api.sh
@@ -387,9 +390,6 @@ jobs:
      - name: Run poll-mode chat upload E2E (RFC #2891)
        if: needs.detect-changes.outputs.api == 'true'
        run: bash tests/e2e/test_poll_mode_chat_upload_e2e.sh
-      - name: Run today's-PR-coverage E2E (mc#1525/1535/1536/1539/1542 fix-specific assertions)
-        if: needs.detect-changes.outputs.api == 'true'
-        run: bash tests/e2e/test_today_pr_coverage_e2e.sh
      - name: Dump platform log on failure
        if: failure() && needs.detect-changes.outputs.api == 'true'
        run: cat workspace-server/platform.log || true
@@ -25,6 +25,13 @@ source "$(dirname "$0")/_lib.sh"  # sets BASE default + helpers
 PASS=0
 FAIL=0
 TIMEOUT="${E2E_TIMEOUT:-60}"
+ADMIN_BEARER="${MOLECULE_ADMIN_TOKEN:-${ADMIN_TOKEN:-}}"
+ADMIN_AUTH=()
+[ -n "$ADMIN_BEARER" ] && ADMIN_AUTH=(-H "Authorization: Bearer $ADMIN_BEARER")
+WS_A_TOKEN=""
+WS_B_TOKEN=""
+WS_A_AUTH=()
+WS_B_AUTH=()

 check() {
  local desc="$1" expected="$2" actual="$3"
@@ -75,15 +82,26 @@ echo "--- A. Per-workspace MCP server-name slug uniqueness ---"
 WS_A_NAME="e2e-cov-alpha-$$"
 WS_B_NAME="e2e-cov-beta-$$"

-R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" \
+R=$(curl -s -X POST "$BASE/workspaces" "${ADMIN_AUTH[@]}" -H "Content-Type: application/json" \
  -d "{\"name\":\"$WS_A_NAME\",\"tier\":1}")
 check "POST /workspaces (alpha)" '"status":"provisioning"' "$R"
 WS_A_ID=$(echo "$R" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))")
+if [ -n "$WS_A_ID" ]; then
+  WS_A_TOKEN=$(e2e_mint_test_token "$WS_A_ID" 2>/dev/null || true)
+  [ -n "$WS_A_TOKEN" ] && WS_A_AUTH=(-H "Authorization: Bearer $WS_A_TOKEN")
+  if [ -z "$ADMIN_BEARER" ] && [ -n "$WS_A_TOKEN" ]; then
+    ADMIN_AUTH=(-H "Authorization: Bearer $WS_A_TOKEN")
+  fi
+fi

-R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" \
+R=$(curl -s -X POST "$BASE/workspaces" "${ADMIN_AUTH[@]}" -H "Content-Type: application/json" \
  -d "{\"name\":\"$WS_B_NAME\",\"tier\":1}")
 check "POST /workspaces (beta)" '"status":"provisioning"' "$R"
 WS_B_ID=$(echo "$R" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))")
+if [ -n "$WS_B_ID" ]; then
+  WS_B_TOKEN=$(e2e_mint_test_token "$WS_B_ID" 2>/dev/null || true)
+  [ -n "$WS_B_TOKEN" ] && WS_B_AUTH=(-H "Authorization: Bearer $WS_B_TOKEN")
+fi

 # external/connection returns the install-snippet. The per-workspace
 # fix (mc#1535) derives the MCP name as molecule-<slug>; mc#1536 extends
@@ -91,8 +109,10 @@ WS_B_ID=$(echo "$R" | python3 -c "import sys,json; print(json.load(sys.stdin).ge
 # grep the `claude mcp add` line, and assert the names differ.
 if [ -n "$WS_A_ID" ] && [ -n "$WS_B_ID" ]; then
  SNIPPET_A=$(curl -s --max-time "$TIMEOUT" \
+    "${ADMIN_AUTH[@]}" \
    "$BASE/workspaces/$WS_A_ID/external/connection")
  SNIPPET_B=$(curl -s --max-time "$TIMEOUT" \
+    "${ADMIN_AUTH[@]}" \
    "$BASE/workspaces/$WS_B_ID/external/connection")

  MCP_A=$(echo "$SNIPPET_A" | python3 -c "
@@ -212,7 +232,7 @@ echo "--- B. GIT_ASKPASS + GIT_HTTP_* env injection (mc#1525 + mc#1542) ---"
 if [ -n "${WS_A_ID:-}" ]; then
  # Wait briefly for provisioning to expose the container.
  for _ in 1 2 3 4 5 6 7 8 9 10; do
-    R=$(curl -s "$BASE/workspaces/$WS_A_ID")
+    R=$(curl -s "${ADMIN_AUTH[@]}" "$BASE/workspaces/$WS_A_ID")
    STATUS=$(echo "$R" | python3 -c "import sys,json; print(json.load(sys.stdin).get('status',''))" 2>/dev/null)
    [ "$STATUS" = "online" ] && break
    sleep 1
@@ -225,7 +245,7 @@ if [ -n "${WS_A_ID:-}" ]; then
  # acceptable for the dev platform). The point is that the KEYS are
  # propagated by the post-#1542 provisioner — pre-#1542 these keys
  # were absent entirely.
-  DEBUG=$(curl -s "$BASE/admin/workspaces/$WS_A_ID/debug" 2>/dev/null || true)
+  DEBUG=$(curl -s "${ADMIN_AUTH[@]}" "$BASE/admin/workspaces/$WS_A_ID/debug" 2>/dev/null || true)
  if [ -n "$DEBUG" ] && echo "$DEBUG" | grep -q "workspace_secrets"; then
    # Presence-only check: KEY in the secrets map, value MAY be empty
    # in dev where no persona is bound.
@@ -261,6 +281,7 @@ if [ -n "${WS_A_ID:-}" ]; then
  # The expected response shape post-fix is a structured failure (HTTP
  # 4xx or success:false JSON) — NOT a queued task that round-trips.
  R=$(curl -s --max-time 10 -X POST "$BASE/workspaces/$WS_A_ID/delegate" \
+    "${WS_A_AUTH[@]}" \
    -H "Content-Type: application/json" \
    -d "{\"target_workspace_id\":\"$WS_A_ID\",\"task\":\"self-echo-test\"}" 2>&1)
  # Either the API gate (delegation.go) rejects, OR the inbox guard
@@ -281,7 +302,7 @@ if [ -n "${WS_A_ID:-}" ]; then
  # an inboxable peer_agent kind. The /activity endpoint is the inbox
  # poller's source-of-truth.
  sleep 2
-  AL=$(curl -s "$BASE/workspaces/$WS_A_ID/activity" 2>/dev/null || echo '[]')
+  AL=$(curl -s "${WS_A_AUTH[@]}" "$BASE/workspaces/$WS_A_ID/activity" 2>/dev/null || echo '[]')
  # Count rows where source_id == workspace_id AND method != "delegate_result".
  ECHO_COUNT=$(echo "$AL" | python3 -c "
 import sys, json
@@ -315,7 +336,7 @@ echo
 echo "--- Cleanup ---"
 for wid in "${WS_A_ID:-}" "${WS_B_ID:-}"; do
  [ -n "$wid" ] || continue
-  curl -s -X DELETE "$BASE/workspaces/$wid?confirm=true" > /dev/null || true
+  curl -s -X DELETE "$BASE/workspaces/$wid?confirm=true" "${ADMIN_AUTH[@]}" > /dev/null || true
  echo "deleted $wid"
 done