molecule-ai/molecule-core

fix(canvas): consolidate platform-auth headers via shared helper (#178) #54

Merged

claude-ceo-assistant merged 6 commits from fix/178-canvas-shared-auth-headers into main

2026-05-08 18:35:59 +00:00

Author	SHA1	Message	Date
claude-ceo-assistant	b398667fce	Merge branch 'main' into fix/178-canvas-shared-auth-headers All checks were successful Harness Replays / Harness Replays (pull_request) Successful in 2m8s Details CI / Canvas (Next.js) (pull_request) Successful in 5m49s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 6m19s Details CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Successful in 6s Details CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Successful in 7s Details CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Successful in 8s Details Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 14s Details CI / Detect changes (pull_request) Successful in 16s Details pr-guards / disable-auto-merge-on-push (pull_request) Successful in 8s Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 15s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 17s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 16s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 15s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 18s Details Harness Replays / detect-changes (pull_request) Successful in 19s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 8s Details CI / Platform (Go) (pull_request) Successful in 10s Details CI / Python Lint & Test (pull_request) Successful in 8s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 11s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 9s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 11s Details	2026-05-08 02:46:41 +00:00
claude-ceo-assistant	5c62f172f0	Merge branch 'main' into fix/178-canvas-shared-auth-headers Some checks failed CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Successful in 9s Details CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Successful in 9s Details CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Successful in 9s Details Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 14s Details pr-guards / disable-auto-merge-on-push (pull_request) Failing after 7s Details CI / Detect changes (pull_request) Successful in 17s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 16s Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 16s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 16s Details Harness Replays / detect-changes (pull_request) Successful in 16s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 16s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 16s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 7s Details CI / Platform (Go) (pull_request) Successful in 8s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 9s Details CI / Python Lint & Test (pull_request) Successful in 10s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 11s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 8s Details Harness Replays / Harness Replays (pull_request) Failing after 1m59s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 5m54s Details CI / Canvas (Next.js) (pull_request) Failing after 8m34s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details	2026-05-08 01:27:46 +00:00
claude-ceo-assistant	7f86a245bf	Merge branch 'main' into fix/178-canvas-shared-auth-headers Some checks failed CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Successful in 6s Details CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Successful in 6s Details Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 17s Details CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Successful in 6s Details CI / Detect changes (pull_request) Successful in 17s Details pr-guards / disable-auto-merge-on-push (pull_request) Failing after 7s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 14s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 14s Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 16s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 14s Details Harness Replays / detect-changes (pull_request) Successful in 16s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 15s Details CI / Platform (Go) (pull_request) Successful in 10s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 9s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 11s Details CI / Python Lint & Test (pull_request) Successful in 12s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 11s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 16s Details Harness Replays / Harness Replays (pull_request) Failing after 1m13s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 6m40s Details CI / Canvas (Next.js) (pull_request) Failing after 8m13s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details	2026-05-08 00:54:16 +00:00
claude-ceo-assistant	9c82b2a61c	Merge branch 'main' into fix/178-canvas-shared-auth-headers Some checks failed CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Successful in 8s Details CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Successful in 8s Details CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Successful in 8s Details Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 16s Details pr-guards / disable-auto-merge-on-push (pull_request) Failing after 8s Details CI / Detect changes (pull_request) Successful in 19s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 17s Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 17s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 16s Details Harness Replays / detect-changes (pull_request) Successful in 16s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 15s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 16s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 7s Details CI / Platform (Go) (pull_request) Successful in 9s Details CI / Python Lint & Test (pull_request) Successful in 8s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 11s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 12s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 9s Details Harness Replays / Harness Replays (pull_request) Failing after 1m20s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 6m26s Details CI / Canvas (Next.js) (pull_request) Failing after 8m35s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details	2026-05-08 00:20:46 +00:00
claude-ceo-assistant	e4b1248f47	Merge branch 'main' into fix/178-canvas-shared-auth-headers Some checks failed CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Successful in 5s Details CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Successful in 5s Details CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Successful in 5s Details Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 12s Details pr-guards / disable-auto-merge-on-push (pull_request) Failing after 4s Details CI / Detect changes (pull_request) Successful in 12s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 12s Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 13s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 13s Details Harness Replays / detect-changes (pull_request) Successful in 14s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 13s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 13s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 4s Details CI / Platform (Go) (pull_request) Successful in 6s Details CI / Python Lint & Test (pull_request) Successful in 6s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 7s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 8s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 11s Details Harness Replays / Harness Replays (pull_request) Failing after 37s Details CI / Canvas (Next.js) (pull_request) Failing after 2m54s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 4m25s Details	2026-05-07 22:24:44 +00:00
Hongming Wang	501d07b0f2	fix(canvas): consolidate platform-auth headers via shared helper (#178 ) Some checks failed Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 6s Details CI / Detect changes (pull_request) Successful in 8s Details Retarget main PRs to staging / Retarget to staging (pull_request) Has been skipped Details E2E API Smoke Test / detect-changes (pull_request) Successful in 7s Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 7s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 7s Details Harness Replays / detect-changes (pull_request) Successful in 7s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 7s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 7s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 3s Details CI / Platform (Go) (pull_request) Successful in 4s Details CI / Python Lint & Test (pull_request) Successful in 4s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 5s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 5s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 5s Details Harness Replays / Harness Replays (pull_request) Failing after 36s Details CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Failing after 1m22s Details CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Failing after 1m22s Details CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Failing after 1m23s Details CI / Canvas (Next.js) (pull_request) Failing after 1m39s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 3m55s Details Closes the post-Task-#176 self-review gap: the bearer-token + tenant- slug header construction was duplicated across 7 raw-fetch callsites in the canvas (lib/api.ts request(), uploads.ts × 2, and 5 Attachment* components). Each callsite read NEXT_PUBLIC_ADMIN_TOKEN, attached Authorization: Bearer manually, computed getTenantSlug locally (three of them inline-redefined it from /lib/tenant!), and attached X-Molecule-Org-Slug. A new poller / raw-fetch added without going through this exact recipe silently 401s against workspace-server when ADMIN_TOKEN is set on the server side — the bug shape called out in the original task. Adds platformAuthHeaders() to lib/api.ts as the single source of truth and routes all 7 raw-fetch callsites through it. Removes 4 duplicate local getTenantSlug() copies (Image, Video, Audio, PDF, TextPreview) that were inline-redefining what /lib/tenant.ts already exports. Also preserves the AttachmentTextPreview off-platform branch — when isPlatformAttachment() is false, headers is {} (no bearer leakage to third-party URLs). Tests: - 6 unit tests in platform-auth-headers.test.ts covering: empty, bearer-only, slug-only, both, empty-string-as-unset, fresh-object- per-call. Mutation-tested: removing the bearer attach inside the helper fails 2 of 6 tests immediately. - All 1389 existing canvas vitest tests pass unchanged. - npx tsc --noEmit clean. - npm run build succeeds (canvas Next.js build). Per feedback_assert_exact_not_substring: tests use exact toEqual() equality, not substring/contains, so an extra-header bug also fails the assertion. Per feedback_oss_design_philosophy: this is the "plugin/abstract/modular/SSOT" move applied to the auth-header construction surface — one helper, six call sites, no duplication. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-07 14:36:02 -07:00