forked from molecule-ai/molecule-core
5aa747241a
Issue #831: integration-tester workspace (33bb2f71) has ADMIN_TOKEN="placeholder-will-ask-for-real" in its container env because loadWorkspaceSecrets reads ALL rows from global_secrets and injects them into every workspace container. The placeholder was seeded by a prior bootstrap or manual DB write; it is not in the codebase. The correct ADMIN_TOKEN lives in the platform's host environment (os.Getenv) but was never propagated to global_secrets.

The fix adds fixAdminTokenPlaceholder() which runs once at platform startup (SaaS tenants only, cpProv != nil):

1. Reads the real ADMIN_TOKEN from the host environment.
2. Reads the current global_secrets value and decrypts it.
3. If the stored value is "placeholder-will-ask-for-real" (or any other mismatch), upserts the real token using the same encryption path as the SetGlobal handler.
4. Logs the action taken so operators can audit the fix.

This heals existing workspaces on next platform restart without a manual DB update or workspace reprovision. It is safe to run repeatedly: if global_secrets already has the correct value the function returns early after a cheap SELECT + decrypt.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
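
The startup reconcile described in the commit message, as an added Go example that is not the project's code: it rewrites the stored secret only on mismatch, refuses an empty host token, and reports the action taken without the token value. The map-backed store, the AES-GCM sealing, the function names and every token string except the placeholder are assumptions, since the page does not show the platform's encryption path.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// Hypothetical stand-in for the global_secrets table: name -> nonce||ciphertext.
type secretStore map[string][]byte

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// reconcileAdminToken returns "unchanged" or "updated"; the token itself is never returned or logged.
func reconcileAdminToken(store secretStore, aead cipher.AEAD, hostToken string) (string, error) {
	if hostToken == "" { // an unset host variable must not blank out the stored secret
		return "", fmt.Errorf("host ADMIN_TOKEN is empty; refusing to overwrite stored secret")
	}
	if blob, ok := store["ADMIN_TOKEN"]; ok && len(blob) > aead.NonceSize() {
		n := aead.NonceSize()
		if plain, err := aead.Open(nil, blob[:n], blob[n:], nil); err == nil &&
			subtle.ConstantTimeCompare(plain, []byte(hostToken)) == 1 {
			return "unchanged", nil // early return: no write on the idempotent path
		}
	} // assumption: a row that fails to decrypt is treated as a mismatch
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	store["ADMIN_TOKEN"] = aead.Seal(nonce, nonce, []byte(hostToken), nil)
	return "updated", nil
}

func main() {
	aead, _ := newAEAD(make([]byte, 32)) // constructed all-zero key, for the demo only
	store := secretStore{}
	for _, tok := range []string{"placeholder-will-ask-for-real", "constructed-real-token", "constructed-real-token"} {
		action, err := reconcileAdminToken(store, aead, tok)
		fmt.Println(action, err) // prints: updated, updated, unchanged
	}
}
```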