fix(e2e): inject OPENAI_API_KEY into workspace secrets

Workspace runtimes (hermes, langgraph, etc.) crash at boot with 'No provider API key found' when no ANTHROPIC_API_KEY / OPENAI_API_KEY / etc. is set. Harness previously sent no secrets → workspace sat in provisioning for 10 min → harness timed out. Console log from staging run 2026-04-21T17:08Z showed the exact crash: ValueError: No Hermes provider API key found. Set any one of: ANTHROPIC_API_KEY, HERMES_API_KEY, NOUS_API_KEY, OPENROUTER_API_KEY, OPENAI_API_KEY, ... Read E2E_OPENAI_API_KEY from env and inject into both parent and child workspace POST bodies via the secrets field (persists as workspace_secret, materialises into container env). Empty key falls through — dev can still run smoke tests, workspace just won't reach online. For CI, a new repo secret MOLECULE_STAGING_OPENAI_KEY needs to be added and passed as E2E_OPENAI_API_KEY in the workflow env. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-21 10:18:02 -07:00 · 2026-04-21 10:18:02 -07:00 · 5be20ac1cf
commit 5be20ac1cf
parent 81c4c02547
1 changed files with 14 additions and 2 deletions
--- a/tests/e2e/test_staging_full_saas.sh
+++ b/tests/e2e/test_staging_full_saas.sh
@ -229,10 +229,22 @@ tenant_call() {
 }

 # ─── 5. Provision parent workspace ─────────────────────────────────────
+# Runtimes like hermes crash at boot with "No provider API key found"
+# if nothing in the standard env-var list is set. Inject the API key
+# from E2E_OPENAI_API_KEY so the runtime can actually start — it's
+# per-workspace secret, so it's persisted as a workspace_secret and
+# materialized into the container env. Missing key falls through to
+# an empty secrets map; workspace will still fail but the error is
+# expected and actionable.
+SECRETS_JSON='{}'
+if [ -n "${E2E_OPENAI_API_KEY:-}" ]; then
+  SECRETS_JSON="{\"OPENAI_API_KEY\":\"$E2E_OPENAI_API_KEY\"}"
+fi
+
 log "5/11 Provisioning parent workspace (runtime=$RUNTIME)..."
 PARENT_RESP=$(tenant_call POST /workspaces \
  -H "Content-Type: application/json" \
-  -d "{\"name\":\"E2E Parent\",\"runtime\":\"$RUNTIME\",\"tier\":2,\"model\":\"gpt-4o\"}")
+  -d "{\"name\":\"E2E Parent\",\"runtime\":\"$RUNTIME\",\"tier\":2,\"model\":\"gpt-4o\",\"secrets\":$SECRETS_JSON}")
 PARENT_ID=$(echo "$PARENT_RESP" | python3 -c "import json,sys; print(json.load(sys.stdin)['id'])")
 log "    PARENT_ID=$PARENT_ID"

@ -242,7 +254,7 @@ if [ "$MODE" = "full" ]; then
  log "6/11 Provisioning child workspace..."
  CHILD_RESP=$(tenant_call POST /workspaces \
    -H "Content-Type: application/json" \
-    -d "{\"name\":\"E2E Child\",\"runtime\":\"$RUNTIME\",\"tier\":2,\"model\":\"gpt-4o\",\"parent_id\":\"$PARENT_ID\"}")
+    -d "{\"name\":\"E2E Child\",\"runtime\":\"$RUNTIME\",\"tier\":2,\"model\":\"gpt-4o\",\"parent_id\":\"$PARENT_ID\",\"secrets\":$SECRETS_JSON}")
  CHILD_ID=$(echo "$CHILD_RESP" | python3 -c "import json,sys; print(json.load(sys.stdin)['id'])")
  log "    CHILD_ID=$CHILD_ID"
 else