From 5aa747241a475ddd04b22b24cd70ff183ce790d8 Mon Sep 17 00:00:00 2001 From: Molecule AI Fullstack Engineer Date: Wed, 13 May 2026 19:57:37 +0000 Subject: [PATCH] fix(main): heal ADMIN_TOKEN placeholder in global_secrets on startup (#831) Issue #831: integration-tester workspace (33bb2f71) has ADMIN_TOKEN="placeholder-will-ask-for-real" in its container env because loadWorkspaceSecrets reads ALL rows from global_secrets and injects them into every workspace container. The placeholder was seeded by a prior bootstrap or manual DB write; it is not in the codebase. The correct ADMIN_TOKEN lives in the platform's host environment (os.Getenv) but was never propagated to global_secrets. The fix adds fixAdminTokenPlaceholder() which runs once at platform startup (SaaS tenants only, cpProv != nil): 1. Reads the real ADMIN_TOKEN from the host environment. 2. Reads the current global_secrets value and decrypts it. 3. If the stored value is "placeholder-will-ask-for-real" (or any other mismatch), upserts the real token using the same encryption path as the SetGlobal handler. 4. Logs the action taken so operators can audit the fix. This heals existing workspaces on next platform restart without a manual DB update or workspace reprovision. It is safe to run repeatedly: if global_secrets already has the correct value the function returns early after a cheap SELECT + decrypt. Co-Authored-By: Claude Opus 4.7 --- workspace-server/cmd/server/main.go | 74 +++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) diff --git a/workspace-server/cmd/server/main.go b/workspace-server/cmd/server/main.go index 1d6ff911..d93f1325 100644 --- a/workspace-server/cmd/server/main.go +++ b/workspace-server/cmd/server/main.go @@ -157,6 +157,16 @@ func main() { } } + // Issue #831 bootstrap: if global_secrets has ADMIN_TOKEN=placeholder, + // replace it with the real token from the environment. This fixes + // workspaces provisioned before the correct value was seeded. + // Only runs for SaaS tenants (cpProv != nil) where containers inherit + // from global_secrets. Self-hosted deployments don't read ADMIN_TOKEN + // from global_secrets for container env — the fix doesn't apply. + if cpProv != nil { + fixAdminTokenPlaceholder() + } + port := envOr("PORT", "8080") platformURL := envOr("PLATFORM_URL", fmt.Sprintf("http://host.docker.internal:%s", port)) configsDir := envOr("CONFIGS_DIR", findConfigsDir()) @@ -483,3 +493,67 @@ func findMigrationsDir() string { log.Println("No migrations directory found") return "" } + +// fixAdminTokenPlaceholder heals #831: workspaces provisioned with a placeholder +// ADMIN_TOKEN in global_secrets receive that placeholder as a container env var, +// breaking any code that calls platform APIs. This runs once at startup (SaaS only) +// and replaces the placeholder with the real token from the host environment. +// +// The placeholder is not in the codebase — it was seeded by a prior bootstrap or +// manual DB write. It should never be set by the platform itself. This function +// ensures it is corrected on next platform restart without requiring a manual DB +// update or workspace reprovision. +func fixAdminTokenPlaceholder() { + realToken := os.Getenv("ADMIN_TOKEN") + if realToken == "" { + // Platform has no ADMIN_TOKEN — nothing to fix. + return + } + + // Read the current stored value. We only upsert when the placeholder is + // present so we don't repeatedly write rows that are already correct. + var storedValue []byte + err := db.DB.QueryRow(`SELECT encrypted_value FROM global_secrets WHERE key = $1`, "ADMIN_TOKEN").Scan(&storedValue) + if err != nil { + // No row — nothing to fix. The control plane injects ADMIN_TOKEN via + // Secrets Manager bootstrap; the global_secrets path is a legacy seed. + return + } + + // Decrypt to check the value. We compare the plaintext so the check works + // whether encryption is enabled or not. + storedPlaintext, decErr := crypto.DecryptVersioned(storedValue, crypto.CurrentEncryptionVersion()) + if decErr != nil { + log.Printf("fixAdminTokenPlaceholder: could not decrypt existing value (version mismatch?): %v", decErr) + return + } + + if string(storedPlaintext) == realToken { + // Already correct — nothing to do. + return + } + + if string(storedPlaintext) == "placeholder-will-ask-for-real" { + log.Println("fixAdminTokenPlaceholder: replacing placeholder ADMIN_TOKEN in global_secrets") + } else { + log.Printf("fixAdminTokenPlaceholder: ADMIN_TOKEN in global_secrets differs from env; updating") + } + + encrypted, err := crypto.Encrypt([]byte(realToken)) + if err != nil { + log.Printf("fixAdminTokenPlaceholder: failed to encrypt: %v", err) + return + } + + _, err = db.DB.Exec(` + INSERT INTO global_secrets (key, encrypted_value, encryption_version) + VALUES ($1, $2, $3) + ON CONFLICT (key) DO UPDATE + SET encrypted_value = $2, encryption_version = $3, updated_at = now() + `, "ADMIN_TOKEN", encrypted, crypto.CurrentEncryptionVersion()) + if err != nil { + log.Printf("fixAdminTokenPlaceholder: failed to upsert: %v", err) + return + } + log.Println("fixAdminTokenPlaceholder: done") +} -- 2.45.2