fix(#1877): nil provisioner guard in issueAndInjectToken

Fix panic in TestIssueAndInjectToken_HappyPath where h.provisioner is nil
(the handler was created without a real provisioner in unit tests).
Add nil guard so the pre-write step is skipped gracefully — token is still
injected into ConfigFiles as before, and the runtime-side 401 retry handles
any race.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

workspace-server/internal/handlers/workspace_provision.go

@@ -405,10 +405,13 @@ func (h *WorkspaceHandler) issueAndInjectToken(ctx context.Context, workspaceID
 	// Option B (issue #1877): write token to volume BEFORE ContainerStart.
 	// Pre-write eliminates the race window where a restarted container could
 	// read a stale /configs/.auth_token before WriteFilesToContainer runs.
-	// This call is best-effort — if it fails we still log and fall through;
-	// the runtime's heartbeat.py will retry on 401 if needed.
-	if writeErr := h.provisioner.WriteAuthTokenToVolume(ctx, workspaceID, token); writeErr != nil {
-		log.Printf("Provisioner: warning — pre-write token to volume failed for %s: %v (token still injected via WriteFilesToContainer after start)", workspaceID, writeErr)
+	// This call is best-effort — if it fails (or provisioner is nil in tests)
+	// we still log and fall through; the runtime's heartbeat.py will retry
+	// on 401 if needed.
+	if h.provisioner != nil {
+		if writeErr := h.provisioner.WriteAuthTokenToVolume(ctx, workspaceID, token); writeErr != nil {
+			log.Printf("Provisioner: warning — pre-write token to volume failed for %s: %v (token still injected via WriteFilesToContainer after start)", workspaceID, writeErr)
+		}
 	}
 	log.Printf("Provisioner: injected fresh auth token for workspace %s into config volume", workspaceID)
 }