From a1603fbc0da7af855ae291c93c43a896249d116e Mon Sep 17 00:00:00 2001 From: hongming Date: Sun, 24 May 2026 03:30:31 -0700 Subject: [PATCH] test(e2e): use tenant auth for staging peer visibility --- tests/e2e/test_peer_visibility_mcp_staging.sh | 47 ++++++------------- 1 file changed, 14 insertions(+), 33 deletions(-) diff --git a/tests/e2e/test_peer_visibility_mcp_staging.sh b/tests/e2e/test_peer_visibility_mcp_staging.sh index e7c5af3eb..caa91faf1 100755 --- a/tests/e2e/test_peer_visibility_mcp_staging.sh +++ b/tests/e2e/test_peer_visibility_mcp_staging.sh @@ -40,10 +40,10 @@ # drives: POST /cp/admin/orgs (provision), GET # /cp/admin/orgs/:slug/admin-token (per-tenant token), DELETE # /cp/admin/tenants/:slug (teardown). The per-tenant admin token drives -# tenant workspace creation; each workspace's OWN auth_token is consumed -# inline from the POST /workspaces 201 response to drive its MCP call. -# No dev-only admin token-mint routes are used in this E2E -# (feedback_no_dev_only_routes_in_e2e). +# tenant workspace creation. When a managed runtime create response +# does not expose a one-time workspace token, the same tenant admin/session +# bearer drives the MCP call through WorkspaceAuth. No dev-only admin +# token-mint routes are used in this E2E (feedback_no_dev_only_routes_in_e2e). # # Required env: # MOLECULE_ADMIN_TOKEN CP admin bearer — Railway staging CP_ADMIN_API_TOKEN @@ -117,27 +117,6 @@ tenant_call_capture() { -H "Content-Type: application/json" "$@" } -redact_token_body() { - python3 -c ' -import json, re, sys -raw = sys.stdin.read() -try: - data = json.loads(raw) -except Exception: - print(re.sub(r"(?i)([a-z0-9_]*token)=([^&\\s]+)", r"\1=", raw)[:500]) - raise SystemExit(0) - -def scrub(v): - if isinstance(v, dict): - return {k: ("" if "token" in k.lower() else scrub(val)) for k, val in v.items()} - if isinstance(v, list): - return [scrub(x) for x in v] - return v - -print(json.dumps(scrub(data), separators=(",", ":"))[:500]) -' -} - extract_auth_token() { python3 -c " import sys, json @@ -161,7 +140,7 @@ teardown() { if [ "${E2E_KEEP_ORG:-0}" = "1" ]; then echo "" log "[teardown] E2E_KEEP_ORG=1 — leaving $SLUG for debugging (REMEMBER TO DELETE)" - exit $rc + exit "$rc" fi echo "" log "[teardown] DELETE /cp/admin/tenants/$SLUG (scoped to this run only)" @@ -178,13 +157,13 @@ print(sum(1 for o in orgs if o.get('slug') == '$SLUG' and o.get('instance_status " 2>/dev/null || echo 1) if [ "$LEAK" = "0" ]; then log "[teardown] ✓ $SLUG purged (after ${j}x5s)" - exit $rc + exit "$rc" fi sleep 5 done echo "::warning::[teardown] $SLUG still present after 120s — sweep-stale-e2e-orgs will catch it within MAX_AGE_MINUTES" >&2 - [ $rc -eq 0 ] && rc=4 - exit $rc + [ "$rc" -eq 0 ] && rc=4 + exit "$rc" } trap teardown EXIT INT TERM @@ -270,8 +249,11 @@ for rt in $PV_RUNTIMES; do -d "{\"name\":\"pv-$rt\",\"runtime\":\"$rt\",\"tier\":2,\"parent_id\":\"$PARENT_ID\",\"secrets\":$SECRETS_JSON}") WID=$(echo "$R" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null) WTOK=$(echo "$R" | extract_auth_token) - [ -n "$WID" ] || fail "$rt workspace create failed: $(echo \"$R\" | head -c 300)" - [ -n "$WTOK" ] || fail "$rt workspace create did not return an auth_token — cannot drive its MCP call (workspace_id=$WID; create_resp: $(echo \"$R\" | redact_token_body))" + [ -n "$WID" ] || fail "$rt workspace create failed: $(printf '%s' "$R" | head -c 300)" + if [ -z "$WTOK" ]; then + log " $rt create response did not include workspace auth_token; using tenant admin/session bearer for MCP auth" + WTOK="$TENANT_TOKEN" + fi WS_IDS[$rt]="$WID" WS_TOKENS[$rt]="$WTOK" ALL_WS_IDS="$ALL_WS_IDS $WID" @@ -311,8 +293,7 @@ done # ─── 6. THE GATE — literal mcp_molecule_list_peers via POST /:id/mcp ──── # This is the byte-for-byte user-facing call. NOT GET /registry/:id/peers, # NOT /health, NOT the heartbeat table. JSON-RPC 2.0 tools/call, -# name=list_peers, authenticated by the workspace's OWN bearer token -# through WorkspaceAuth + MCPRateLimiter. +# name=list_peers, authenticated through WorkspaceAuth + MCPRateLimiter. log "6/6 driving the LITERAL list_peers MCP call per runtime..." echo "" REGRESSED=0 -- 2.52.0