From 630dd0dae7084586ca037ef54cc15a9037562035 Mon Sep 17 00:00:00 2001
From: Hongming Wang
Date: Thu, 30 Apr 2026 13:25:52 -0700
Subject: [PATCH] fix(harness): seed SECRETS_ENCRYPTION_KEY so MOLECULE_ENV=production tenant boots
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Found via the first run of the harness-replays-required-check workflow
(#2410): the tenant container failed its healthcheck after 100s with
"refusing to boot without encryption in production". This is the
deferred CRITICAL flagged on PR #2401 — `crypto.InitStrict()` requires
SECRETS_ENCRYPTION_KEY when MOLECULE_ENV=production, and the harness
sets prod-mode but never seeded a key.

Fix: add a clearly-test 32-byte base64 value (encoding the literal
string "harness-test-only-not-for-prod!!") inline. Keeping
MOLECULE_ENV=production preserves the harness's value as a
production-shape replay surface — it now exercises the full encryption
boot path including the strict check, rather than skirting it via
dev-mode.

Why inline rather than .env:
- The harness compose file is meant to be self-contained and
  reproducible from a clean clone. An external .env would split the
  config across two files for one synthetic value.
- The value is intentionally a sentinel; there's no operator decision
  here to gate behind a per-deployment file.

After this lands the harness boots clean and `run-all-replays.sh` can
exercise the buildinfo + peer-discovery replays as designed. The
required-check workflow itself (#2410) needs no change.
---
 tests/harness/compose.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/tests/harness/compose.yml b/tests/harness/compose.yml
index 867f67bd..3fe185cc 100644
--- a/tests/harness/compose.yml
+++ b/tests/harness/compose.yml
@@ -85,6 +85,14 @@ services: PORT: "8080" PLATFORM_URL: "http://tenant:8080" MOLECULE_ENV: "production" + # SECRETS_ENCRYPTION_KEY is required when MOLECULE_ENV=production — + # crypto.InitStrict() refuses to boot without it ("32 bytes raw or + # base64-encoded"). The harness uses a clearly-test sentinel so the + # production code path is exercised end-to-end (including the + # encrypted-secret reads/writes) without coupling to a real key. + # Value is base64 of the literal string "harness-test-only-not-for-prod!!" + # (exactly 32 bytes). Do NOT copy this to any other environment. + SECRETS_ENCRYPTION_KEY: "aGFybmVzcy10ZXN0LW9ubHktbm90LWZvci1wcm9kISE=" # ADMIN_TOKEN flips the platform into strict-auth mode (matches # production's CP-minted token configuration). Seeded value lets # E2E scripts authenticate without going through CP.
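Review bot: The only thing keeping the new SECRETS_ENCRYPTION_KEY value out of a real deployment is the comment "Do NOT copy this to any other environment", and the value sits directly under MOLECULE_ENV: "production", so anyone who copies this environment block as a starting point carries a publicly known key with it. Please back the comment with something enforceable: for example a CI check that fails when the string "aGFybmVzcy10ZXN0LW9ubHktbm90LWZvci1wcm9kISE=" (or its decoded form "harness-test-only-not-for-prod!!") appears anywhere outside tests/harness/, or a startup check that rejects this exact sentinel unless the process is running under the harness. Two smaller points on the same lines: the key is 32 bytes of printable ASCII, which is fine for a sentinel but worth stating in the comment so nobody takes it as a pattern for generating keys, and if the repository runs secret scanning, an allowlist entry scoped to this file path will stop the value being flagged without blinding the scanner to copies elsewhere.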