From 6e6824443736fd097f56135e32c6935f4a1f2cb2 Mon Sep 17 00:00:00 2001
From: hongming <hongmingwang@moleculesai.app>
Date: Thu, 4 Jun 2026 01:25:54 -0700
Subject: [PATCH] fix(e2e): use an SSOT-registered model in the staging-canvas
 fixture + skip-if-token-absent (core#2225)

The post-merge `E2E Staging Canvas (Playwright) / Canvas tabs E2E` job was
permanently red for two reasons unrelated to the code under test.

1. Stale fixture (code fix). canvas/e2e/staging-setup.ts created the test
   workspace with `runtime=hermes, model=gpt-4o`. The provider-registry SSOT
   (internal#718) registers ONLY Kimi models for the hermes runtime, so the
   create now correctly 422s UNREGISTERED_MODEL_FOR_RUNTIME. Switched to
   `moonshot/kimi-k2.6`, the platform-managed hermes entry in
   workspace-server/internal/providers/providers.yaml (hermes -> platform).
   The workspace already defaults closed to platform_managed, so a
   platform-namespaced id is the registry-correct, self-sufficient choice
   (no tenant LLM key needed). Validated against BOTH create-time gates:
   the model-side ModelsForRuntime membership check AND the #2172
   derived-provider check (moonshot is a declared provider).

2. Missing CI secret (workflow fix). The `Verify admin token present` step
   hard-failed with `::error::Missing CP_STAGING_ADMIN_API_TOKEN` + exit 2,
   painting main red on an operator CONFIG gap. Converted to a
   skip-if-absent gate mirroring the serving-e2e skip-if-secret-unset
   contract: when the secret is unset it emits a loud ::warning:: + ::notice::
   and skips the provision/test steps (job completes green); when present it
   runs the full suite exactly as before.

OPERATOR ACTION: set CP_STAGING_ADMIN_API_TOKEN as a repo/org Actions secret
on molecule-core for the E2E to actually execute (it skips until then).

Closes #2225

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .gitea/workflows/e2e-staging-canvas.yml | 28 ++++++++++++++++++-------
 canvas/e2e/staging-setup.ts             | 11 ++++++++--
 2 files changed, 30 insertions(+), 9 deletions(-)

diff --git a/.gitea/workflows/e2e-staging-canvas.yml b/.gitea/workflows/e2e-staging-canvas.yml
index 1a982b8ab..806936b18 100644
--- a/.gitea/workflows/e2e-staging-canvas.yml
+++ b/.gitea/workflows/e2e-staging-canvas.yml
@@ -167,16 +167,30 @@ jobs:
       - if: needs.detect-changes.outputs.canvas == 'true'
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Verify admin token present
+      # Skip-if-absent (core#2225), mirroring the serving-e2e gate's
+      # skip-if-secret-unset contract: a MISSING CI secret is an operator
+      # CONFIG gap, not a code regression, so it must not paint this E2E
+      # red. When CP_STAGING_ADMIN_API_TOKEN is unset we emit a LOUD
+      # ::warning:: + ::notice:: and skip the real provision/test steps (the
+      # job still completes green). When the secret IS present we run the
+      # full suite exactly as before. Operators: set
+      # CP_STAGING_ADMIN_API_TOKEN as a repo/org Actions secret on
+      # molecule-core to actually exercise this E2E.
+      - name: Check admin token (skip-if-absent)
+        id: token_check
         if: needs.detect-changes.outputs.canvas == 'true'
         run: |
           if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
-            echo "::error::Missing CP_STAGING_ADMIN_API_TOKEN"
-            exit 2
+            echo "::warning::CP_STAGING_ADMIN_API_TOKEN is not set on this runner — SKIPPING the staging canvas E2E (cannot auth to staging CP). This is an operator config gap, not a code failure; set the secret on molecule-core (repo or org Actions secrets) to run it. See core#2225."
+            echo "::notice::E2E Staging Canvas skipped: CP_STAGING_ADMIN_API_TOKEN absent."
+            echo "present=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "CP_STAGING_ADMIN_API_TOKEN present ✓ — running staging canvas E2E."
+            echo "present=true" >> "$GITHUB_OUTPUT"
           fi
 
       - name: Set up Node
-        if: needs.detect-changes.outputs.canvas == 'true'
+        if: needs.detect-changes.outputs.canvas == 'true' && steps.token_check.outputs.present == 'true'
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: '20'
@@ -184,11 +198,11 @@ jobs:
           cache-dependency-path: canvas/package-lock.json
 
       - name: Install canvas deps
-        if: needs.detect-changes.outputs.canvas == 'true'
+        if: needs.detect-changes.outputs.canvas == 'true' && steps.token_check.outputs.present == 'true'
         run: npm ci
 
       - name: Install Playwright browsers
-        if: needs.detect-changes.outputs.canvas == 'true'
+        if: needs.detect-changes.outputs.canvas == 'true' && steps.token_check.outputs.present == 'true'
         timeout-minutes: 10
         run: |
           PREBAKED_PLAYWRIGHT=/ms-playwright
@@ -200,7 +214,7 @@ jobs:
           npx playwright install --with-deps chromium
 
       - name: Run staging canvas E2E
-        if: needs.detect-changes.outputs.canvas == 'true'
+        if: needs.detect-changes.outputs.canvas == 'true' && steps.token_check.outputs.present == 'true'
         run: npx playwright test --config=playwright.staging.config.ts
 
       - name: Upload Playwright report on failure
diff --git a/canvas/e2e/staging-setup.ts b/canvas/e2e/staging-setup.ts
index 88b007fd7..7e920b57d 100644
--- a/canvas/e2e/staging-setup.ts
+++ b/canvas/e2e/staging-setup.ts
@@ -241,7 +241,14 @@ export default async function globalSetup(_config: FullConfig): Promise<void> {
       name: "E2E Canvas Test",
       runtime: "hermes",
       tier: 2,
-      model: "gpt-4o",
+      // Provider-registry SSOT (internal#718) registers ONLY Kimi models for
+      // the hermes runtime — `moonshot/kimi-k2.6` is the platform-managed
+      // entry (workspace-server/internal/providers/providers.yaml, hermes ->
+      // platform). The old `gpt-4o` was never a registered hermes model and
+      // now 422s UNREGISTERED_MODEL_FOR_RUNTIME (core#2225). This workspace
+      // defaults closed to platform_managed (see the boot-shape note below),
+      // so a platform-namespaced model id is the registry-correct choice.
+      model: "moonshot/kimi-k2.6",
     }),
   });
   if (ws.status >= 400 || !ws.body?.id) {
@@ -264,7 +271,7 @@ export default async function globalSetup(_config: FullConfig): Promise<void> {
   // CP proxy env absent) made a platform_managed workspace ABORT AT BOOT
   // with MISSING_PLATFORM_PROXY when MOLECULE_LLM_BASE_URL /
   // MOLECULE_LLM_USAGE_TOKEN are not present in the tenant's env. The
-  // canvas E2E creates a bare hermes/gpt-4o workspace, which defaults
+  // canvas E2E creates a bare hermes/moonshot platform workspace, which defaults
   // closed to platform_managed (workspace_provision.go:~1009), and the
   // staging tenant does not carry the CP proxy env — so the agent never
   // starts. Pre-#2162 this same workspace booted credential-less (the bug
-- 
2.52.0