.gitea/workflows/e2e-staging-canvas.yml

@@ -167,16 +167,30 @@ jobs:
       - if: needs.detect-changes.outputs.canvas == 'true'
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Verify admin token present
+      # Skip-if-absent (core#2225), mirroring the serving-e2e gate's
+      # skip-if-secret-unset contract: a MISSING CI secret is an operator
+      # CONFIG gap, not a code regression, so it must not paint this E2E
+      # red. When CP_STAGING_ADMIN_API_TOKEN is unset we emit a LOUD
+      # ::warning:: + ::notice:: and skip the real provision/test steps (the
+      # job still completes green). When the secret IS present we run the
+      # full suite exactly as before. Operators: set
+      # CP_STAGING_ADMIN_API_TOKEN as a repo/org Actions secret on
+      # molecule-core to actually exercise this E2E.
+      - name: Check admin token (skip-if-absent)
+        id: token_check
         if: needs.detect-changes.outputs.canvas == 'true'
         run: |
           if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
-            echo "::error::Missing CP_STAGING_ADMIN_API_TOKEN"
-            exit 2
+            echo "::warning::CP_STAGING_ADMIN_API_TOKEN is not set on this runner — SKIPPING the staging canvas E2E (cannot auth to staging CP). This is an operator config gap, not a code failure; set the secret on molecule-core (repo or org Actions secrets) to run it. See core#2225."
+            echo "::notice::E2E Staging Canvas skipped: CP_STAGING_ADMIN_API_TOKEN absent."
+            echo "present=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "CP_STAGING_ADMIN_API_TOKEN present ✓ — running staging canvas E2E."
+            echo "present=true" >> "$GITHUB_OUTPUT"
           fi
 
       - name: Set up Node
-        if: needs.detect-changes.outputs.canvas == 'true'
+        if: needs.detect-changes.outputs.canvas == 'true' && steps.token_check.outputs.present == 'true'
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: '20'
@@ -184,11 +198,11 @@ jobs:
           cache-dependency-path: canvas/package-lock.json
 
       - name: Install canvas deps
-        if: needs.detect-changes.outputs.canvas == 'true'
+        if: needs.detect-changes.outputs.canvas == 'true' && steps.token_check.outputs.present == 'true'
         run: npm ci
 
       - name: Install Playwright browsers
-        if: needs.detect-changes.outputs.canvas == 'true'
+        if: needs.detect-changes.outputs.canvas == 'true' && steps.token_check.outputs.present == 'true'
         timeout-minutes: 10
         run: |
           PREBAKED_PLAYWRIGHT=/ms-playwright
@@ -200,7 +214,7 @@ jobs:
           npx playwright install --with-deps chromium
 
       - name: Run staging canvas E2E
-        if: needs.detect-changes.outputs.canvas == 'true'
+        if: needs.detect-changes.outputs.canvas == 'true' && steps.token_check.outputs.present == 'true'
         run: npx playwright test --config=playwright.staging.config.ts
 
       - name: Upload Playwright report on failure

canvas/e2e/staging-setup.ts

@@ -241,7 +241,14 @@ export default async function globalSetup(_config: FullConfig): Promise<void> {
       name: "E2E Canvas Test",
       runtime: "hermes",
       tier: 2,
-      model: "gpt-4o",
+      // Provider-registry SSOT (internal#718) registers ONLY Kimi models for
+      // the hermes runtime — `moonshot/kimi-k2.6` is the platform-managed
+      // entry (workspace-server/internal/providers/providers.yaml, hermes ->
+      // platform). The old `gpt-4o` was never a registered hermes model and
+      // now 422s UNREGISTERED_MODEL_FOR_RUNTIME (core#2225). This workspace
+      // defaults closed to platform_managed (see the boot-shape note below),
+      // so a platform-namespaced model id is the registry-correct choice.
+      model: "moonshot/kimi-k2.6",
     }),
   });
   if (ws.status >= 400 || !ws.body?.id) {
@@ -264,7 +271,7 @@ export default async function globalSetup(_config: FullConfig): Promise<void> {
   // CP proxy env absent) made a platform_managed workspace ABORT AT BOOT
   // with MISSING_PLATFORM_PROXY when MOLECULE_LLM_BASE_URL /
   // MOLECULE_LLM_USAGE_TOKEN are not present in the tenant's env. The
-  // canvas E2E creates a bare hermes/gpt-4o workspace, which defaults
+  // canvas E2E creates a bare hermes/moonshot platform workspace, which defaults
   // closed to platform_managed (workspace_provision.go:~1009), and the
   // staging tenant does not carry the CP proxy env — so the agent never
   // starts. Pre-#2162 this same workspace booted credential-less (the bug