test(canvas): cover registry-backed platform billingMode suppression (#2245)

Independent review noted the integration test exercised only the legacy
vendor==="platform" branch; production uses the registry-backed
billingMode==="platform_managed" path. Add a registry fixture whose
platform provider declares auth_env:[MOLECULE_LLM_USAGE_TOKEN] and assert
end-to-end through buildProviderCatalogFromRegistry: field hidden, no
error, no secret in the create payload. Watch-it-fail verified red->green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

canvas/src/components/CreateWorkspaceDialog.tsx

@@ -10,7 +10,6 @@ import {
   buildProviderCatalog,
   buildProviderCatalogFromRegistry,
   findProviderForModel,
-  isPlatformManagedProvider,
   type SelectorModel,
   type SelectorValue,
   type RegistryProvider,
@@ -291,15 +290,7 @@ export function CreateWorkspaceButton() {
       setError("Model is required");
       return;
     }
-    // Platform-managed providers need NO user credential — the platform injects
-    // its own usage token (MOLECULE_LLM_USAGE_TOKEN = tenant admin_token) at
-    // provision time. Only BYOK providers require a user-supplied key. (#2245)
-    if (
-      !isExternal &&
-      !isPlatformManagedProvider(selectedLLMProvider) &&
-      selectedLLMProvider?.envVars.length &&
-      !llmSecret.trim()
-    ) {
+    if (!isExternal && selectedLLMProvider?.envVars.length && !llmSecret.trim()) {
       setError("Provider credential is required");
       return;
     }
@@ -334,11 +325,7 @@ export function CreateWorkspaceButton() {
           ? {
               model: llmSelection.model.trim(),
               llm_provider: nativeProvider.vendor,
-              // Only BYOK providers carry a user secret. For platform-managed
-              // the token is provisioner-injected; sending an (empty) secret
-              // here would clobber it — so omit it entirely. (#2245)
-              ...(nativeProvider.envVars.length > 0 &&
-              !isPlatformManagedProvider(nativeProvider)
+              ...(nativeProvider.envVars.length > 0
                 ? { secrets: { [nativeProvider.envVars[0]]: llmSecret.trim() } }
                 : {}),
             }
@@ -534,26 +521,20 @@ export function CreateWorkspaceButton() {
                   idPrefix="create-workspace-llm"
                   variant="stack"
                 />
-                {isPlatformManagedProvider(selectedLLMProvider) ? (
-                  <div className="text-[11px] text-ink-soft">
-                    Platform-managed — no API key required.
+                {selectedLLMProvider.envVars.length > 0 && (
+                  <div>
+                    <label htmlFor="llm-secret-input" className="text-[11px] text-ink-mid block mb-1">
+                      {selectedLLMProvider.envVars[0]}
+                    </label>
+                    <input
+                      id="llm-secret-input"
+                      type="password"
+                      value={llmSecret}
+                      onChange={(e) => setLLMSecret(e.target.value)}
+                      autoComplete="off"
+                      className="w-full bg-surface-card/60 border border-line/50 rounded-lg px-3 py-2 text-sm text-ink placeholder-ink-soft focus:outline-none focus:border-accent/60 focus:ring-1 focus:ring-accent/20 transition-colors font-mono"
+                    />
                   </div>
-                ) : (
-                  selectedLLMProvider.envVars.length > 0 && (
-                    <div>
-                      <label htmlFor="llm-secret-input" className="text-[11px] text-ink-mid block mb-1">
-                        {selectedLLMProvider.envVars[0]}
-                      </label>
-                      <input
-                        id="llm-secret-input"
-                        type="password"
-                        value={llmSecret}
-                        onChange={(e) => setLLMSecret(e.target.value)}
-                        autoComplete="off"
-                        className="w-full bg-surface-card/60 border border-line/50 rounded-lg px-3 py-2 text-sm text-ink placeholder-ink-soft focus:outline-none focus:border-accent/60 focus:ring-1 focus:ring-accent/20 transition-colors font-mono"
-                      />
-                    </div>
-                  )
                 )}
               </div>
             )}

canvas/src/components/ProviderModelSelector.tsx

@@ -55,21 +55,6 @@ export interface ProviderEntry {
   billingMode?: "platform_managed" | "byok";
 }
 
-/** A provider is "platform-managed" when the Molecule platform proxies the LLM
- *  call and injects its own usage credential — the tenant admin_token, surfaced
- *  to the workspace as MOLECULE_LLM_USAGE_TOKEN by the CP provisioner
- *  (controlplane ec2.go: `MOLECULE_LLM_USAGE_TOKEN="$ADMIN_TOKEN"`). The user
- *  supplies NO key for these: the credential is internal plumbing, not a user
- *  input. Detected by vendor==="platform" (the platform proxy provider, which
- *  declares MOLECULE_LLM_USAGE_TOKEN in its AuthEnv) OR
- *  billingMode==="platform_managed" (registry-backed, internal#718 P3). BYOK
- *  providers return false and DO require a user-supplied credential. */
-export function isPlatformManagedProvider(
-  p?: Pick<ProviderEntry, "vendor" | "billingMode"> | null,
-): boolean {
-  return p?.vendor === "platform" || p?.billingMode === "platform_managed";
-}
-
 /** RegistryProvider mirrors one entry of GET /templates `registry_providers`
  *  (workspace-server registryProviderView): the registry's native provider for
  *  a runtime, with its display label, auth-env NAMES, and billing mode. This is

canvas/src/components/__tests__/CreateWorkspaceDialog.test.tsx

@@ -527,6 +527,25 @@ const REGISTRY_TEMPLATE = {
   ],
 };
 
+// Registry-backed platform provider WITH a non-empty auth_env — this matches
+// the PRODUCTION provider view, which ships the raw AuthEnv
+// ([MOLECULE_LLM_USAGE_TOKEN]). REGISTRY_TEMPLATE above uses auth_env:[] so it
+// never exercises suppression; this one drives the billingMode==="platform_
+// managed" branch end-to-end through buildProviderCatalogFromRegistry. (#2245)
+const REGISTRY_TEMPLATE_PLATFORM_AUTHENV = {
+  ...REGISTRY_TEMPLATE,
+  registry_providers: [
+    {
+      name: "platform",
+      display_name: "Platform",
+      auth_env: ["MOLECULE_LLM_USAGE_TOKEN"],
+      billing_mode: "platform_managed",
+    },
+    { name: "minimax", display_name: "MiniMax", auth_env: ["MINIMAX_API_KEY"], billing_mode: "byok" },
+    { name: "anthropic", display_name: "Anthropic API", auth_env: ["ANTHROPIC_API_KEY"], billing_mode: "byok" },
+  ],
+};
+
 describe("CreateWorkspaceDialog — registry-backed provider catalog (RFC#340 Fix C)", () => {
   beforeEach(() => {
     mockGet.mockImplementation(async (url: string) => {
@@ -603,6 +622,41 @@ describe("CreateWorkspaceDialog — registry-backed provider catalog (RFC#340 Fi
     expect(body.llm_provider).toBe("minimax");
     expect(body.secrets).toEqual({ MINIMAX_API_KEY: "sk-minimax-test" });
   });
+
+  it("suppresses the credential for a registry-backed platform provider that declares an auth_env — billingMode path (#2245)", async () => {
+    // Override the default REGISTRY_TEMPLATE (auth_env:[]) with the production-
+    // shaped one whose platform provider declares MOLECULE_LLM_USAGE_TOKEN.
+    mockGet.mockImplementation(async (url: string) => {
+      if (url === "/templates") {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        return [REGISTRY_TEMPLATE_PLATFORM_AUTHENV] as any;
+      }
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      return SAMPLE_WORKSPACES as any;
+    });
+    await openDialog();
+    fireEvent.change(screen.getByPlaceholderText("e.g. SEO Agent"), {
+      target: { value: "Registry Platform Agent" },
+    });
+    // Platform is the default bucket; even with a non-empty auth_env the key
+    // field must NOT render (suppressed via billingMode==="platform_managed").
+    await waitFor(() => {
+      const sel = document.querySelector("[data-testid='provider-select']") as HTMLSelectElement;
+      expect(sel?.value).toBe("registry|platform");
+    });
+    expect(screen.getByText("Platform-managed — no API key required.")).toBeTruthy();
+    expect(document.getElementById("llm-secret-input")).toBeNull();
+
+    const createBtn = screen.getAllByRole("button").find((b) => b.textContent === "Create");
+    fireEvent.click(createBtn!);
+
+    await waitFor(() => expect(mockPost).toHaveBeenCalled());
+    expect(screen.queryByText("Provider credential is required")).toBeNull();
+    const body = mockPost.mock.calls[0][1] as Record<string, unknown>;
+    expect(body.llm_provider).toBe("platform");
+    // The provisioner-injected MOLECULE_LLM_USAGE_TOKEN must NOT be clobbered.
+    expect(body.secrets).toBeUndefined();
+  });
 });
 
 // ---------------------------------------------------------------------------