From e2e4e49685d9a0d99a3db2e78efd102570a11b81 Mon Sep 17 00:00:00 2001
From: "Molecule AI Dev Engineer A (Kimi)"
 <dev-engineer-a-kimi@agents.moleculesai.app>
Date: Sat, 6 Jun 2026 19:56:25 +0000
Subject: [PATCH] fix(e2e): wire admin bearer token into chat-seed workspace
 creation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

POST /workspaces in seedWorkspace now carries the same admin cred
(E2E_ADMIN_TOKEN || ADMIN_TOKEN) that mintWorkspaceToken uses.
Aligns chat fixture with PR #2291 fail-closed auth; unauthenticated
create no longer silently 401s in E2E runs.

Narrow diff — no AdminAuth loosening.
---
 canvas/e2e/fixtures/chat-seed.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/canvas/e2e/fixtures/chat-seed.ts b/canvas/e2e/fixtures/chat-seed.ts
index fb79a909f..755e7ae48 100644
--- a/canvas/e2e/fixtures/chat-seed.ts
+++ b/canvas/e2e/fixtures/chat-seed.ts
@@ -27,9 +27,13 @@ export async function seedWorkspace(echoURL: string): Promise<SeededWorkspace> {
   // 1. Create external workspace pointing at the in-process echo runtime.
   const runId = Math.random().toString(36).slice(2, 8);
   const wsName = `Chat E2E Agent ${runId}`;
+  const adminToken = process.env.E2E_ADMIN_TOKEN ?? process.env.ADMIN_TOKEN;
   const createRes = await fetch(`${PLATFORM_URL}/workspaces`, {
     method: "POST",
-    headers: { "Content-Type": "application/json" },
+    headers: {
+      "Content-Type": "application/json",
+      ...(adminToken ? { Authorization: `Bearer ${adminToken}` } : {}),
+    },
     body: JSON.stringify({
       name: wsName,
       tier: 1,
-- 
2.52.0