From 8092e62de43416f115b57e0846c8efad62757ba9 Mon Sep 17 00:00:00 2001
From: "Molecule AI Dev Engineer A (Kimi)"
 <dev-engineer-a-kimi@agents.moleculesai.app>
Date: Fri, 5 Jun 2026 10:03:13 +0000
Subject: [PATCH] fix(ci): set deterministic ADMIN_TOKEN in e2e-chat after PR
 #2291 fail-closed auth

PR #2291 removed dev-mode fail-open auth; the platform server now
requires ADMIN_TOKEN in every environment including development.
e2e-chat.yml was starting the platform with MOLECULE_ENV=development
but no ADMIN_TOKEN, causing all API calls to 401 and the job to fail.

Add a 'Set deterministic admin token' step (mirrors e2e-api.yml):
- ADMIN_TOKEN for the platform server
- MOLECULE_ADMIN_TOKEN for e2e script compatibility
- NEXT_PUBLIC_ADMIN_TOKEN so the canvas dev server sends the matching
  bearer on every API call

Fixes main-red issue #2298 (E2E Chat failure).
---
 .gitea/workflows/e2e-chat.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/.gitea/workflows/e2e-chat.yml b/.gitea/workflows/e2e-chat.yml
index d33f11c30..e3e5583d2 100644
--- a/.gitea/workflows/e2e-chat.yml
+++ b/.gitea/workflows/e2e-chat.yml
@@ -249,6 +249,20 @@ jobs:
           echo "CANVAS_PORT=${CANVAS_PORT}" >> "$GITHUB_ENV"
           echo "Canvas host port: ${CANVAS_PORT}"
 
+      - name: Set deterministic admin token
+        if: needs.detect-changes.outputs.chat == 'true'
+        run: |
+          # PR #2291 made auth fail-closed everywhere (no dev-mode escape).
+          # The platform server requires ADMIN_TOKEN; the canvas requires the
+          # matching NEXT_PUBLIC_ADMIN_TOKEN or every API call 401s.
+          # We set a deterministic per-run value so the ephemeral platform
+          # and canvas are paired correctly.
+          E2E_ADMIN_TOKEN="e2e-chat-admin-${{ github.run_id }}-${{ github.run_attempt }}"
+          echo "ADMIN_TOKEN=${E2E_ADMIN_TOKEN}" >> "$GITHUB_ENV"
+          echo "MOLECULE_ADMIN_TOKEN=${E2E_ADMIN_TOKEN}" >> "$GITHUB_ENV"
+          echo "NEXT_PUBLIC_ADMIN_TOKEN=${E2E_ADMIN_TOKEN}" >> "$GITHUB_ENV"
+          echo "Admin token configured for e2e-chat platform + canvas."
+
       - name: Start platform (background)
         if: needs.detect-changes.outputs.chat == 'true'
         working-directory: workspace-server
-- 
2.52.0