From 88c929875e20c9c83e069950739540d4a55d7220 Mon Sep 17 00:00:00 2001
From: Molecule AI Core-BE <core-be@agents.moleculesai.app>
Date: Thu, 23 Apr 2026 22:52:17 +0000
Subject: [PATCH] fix(#1877): nil provisioner guard in issueAndInjectToken
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fix panic in TestIssueAndInjectToken_HappyPath where h.provisioner is nil
(the handler was created without a real provisioner in unit tests).
Add nil guard so the pre-write step is skipped gracefully — token is still
injected into ConfigFiles as before, and the runtime-side 401 retry handles
any race.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../internal/handlers/workspace_provision.go          | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/workspace-server/internal/handlers/workspace_provision.go b/workspace-server/internal/handlers/workspace_provision.go
index 98e70875..0ebb0503 100644
--- a/workspace-server/internal/handlers/workspace_provision.go
+++ b/workspace-server/internal/handlers/workspace_provision.go
@@ -405,10 +405,13 @@ func (h *WorkspaceHandler) issueAndInjectToken(ctx context.Context, workspaceID
 	// Option B (issue #1877): write token to volume BEFORE ContainerStart.
 	// Pre-write eliminates the race window where a restarted container could
 	// read a stale /configs/.auth_token before WriteFilesToContainer runs.
-	// This call is best-effort — if it fails we still log and fall through;
-	// the runtime's heartbeat.py will retry on 401 if needed.
-	if writeErr := h.provisioner.WriteAuthTokenToVolume(ctx, workspaceID, token); writeErr != nil {
-		log.Printf("Provisioner: warning — pre-write token to volume failed for %s: %v (token still injected via WriteFilesToContainer after start)", workspaceID, writeErr)
+	// This call is best-effort — if it fails (or provisioner is nil in tests)
+	// we still log and fall through; the runtime's heartbeat.py will retry
+	// on 401 if needed.
+	if h.provisioner != nil {
+		if writeErr := h.provisioner.WriteAuthTokenToVolume(ctx, workspaceID, token); writeErr != nil {
+			log.Printf("Provisioner: warning — pre-write token to volume failed for %s: %v (token still injected via WriteFilesToContainer after start)", workspaceID, writeErr)
+		}
 	}
 	log.Printf("Provisioner: injected fresh auth token for workspace %s into config volume", workspaceID)
 }