feat(provisioner): loadPersonaTokenFile fallback for env-file-less personas

The new prod-team personas (agent-dev-a, agent-dev-b, agent-pm) ship
only `token` + `universal-auth.env` (Infisical UA bootstrap), no `env`
file. loadPersonaEnvFile silently no-ops on them today. With this
fallback, GITEA_TOKEN/USER/EMAIL get populated from the token file
when no env file exists.

Combined with the GIT_ASKPASS injection earlier in this PR, this
makes the askpass helper functional for the new personas.

workspace-server/internal/handlers/org_helpers.go

@@ -218,6 +218,14 @@ func loadWorkspaceEnv(orgBaseDir, filesDir string) map[string]string {
 // check, or when the env file does not exist (workspaces without a role —
 // or running on hosts that don't ship the bootstrap dir — keep their old
 // behavior).
+//
+// Token-file fallback: the newer prod-team personas (agent-dev-a,
+// agent-dev-b, agent-pm) ship `token` + `universal-auth.env` only — no
+// legacy plaintext `env` file. When the env-file load produces zero rows,
+// loadPersonaTokenFile fills in GITEA_TOKEN / GITEA_USER / GITEA_USER_EMAIL
+// from the token file so the GIT_ASKPASS helper has something to emit.
+// The env-file form remains authoritative when present (it may carry
+// richer rows like GITEA_TOKEN_SCOPES / GITEA_SSH_KEY_PATH).
 func loadPersonaEnvFile(role string, out map[string]string) {
 	if !isSafeRoleName(role) {
 		if role != "" {
@@ -229,7 +237,61 @@ func loadPersonaEnvFile(role string, out map[string]string) {
 	if root == "" {
 		root = "/etc/molecule-bootstrap/personas"
 	}
+	before := len(out)
 	parseEnvFile(filepath.Join(root, role, "env"), out)
+	if len(out) == before {
+		// No env-file rows landed (file absent, or present-but-empty).
+		// Try the token-only persona shape used by the prod-team
+		// identities. Existing keys in out are preserved.
+		loadPersonaTokenFile(role, out)
+	}
+}
+
+// loadPersonaTokenFile populates GITEA_TOKEN / GITEA_USER / GITEA_USER_EMAIL
+// from a persona dir that ships only the bare `token` file — the shape used
+// by the production agent personas (agent-dev-a, agent-dev-b, agent-pm).
+// Those dirs do not carry an `env` file because their non-Gitea creds come
+// from Infisical Universal Auth at runtime (universal-auth.env), so the
+// historical loadPersonaEnvFile path silently no-ops on them.
+//
+// File layout: $MOLECULE_PERSONA_ROOT/<role>/token (mode 600, plain text).
+// The token contents become GITEA_TOKEN (whitespace-trimmed); the role
+// name becomes GITEA_USER; GITEA_USER_EMAIL is synthesised as
+// <role>@<gitIdentityEmailDomain> to match the email shape that
+// applyAgentGitIdentity uses for its slug-derived authorship addresses.
+//
+// Silent no-op when the role fails the safe-segment check, when the
+// token file does not exist, or when its contents are empty after
+// trimming. Existing keys in out are not overwritten — the caller's
+// later .env layers and any prior loadPersonaEnvFile rows always win.
+func loadPersonaTokenFile(role string, out map[string]string) {
+	if out == nil {
+		return
+	}
+	if !isSafeRoleName(role) {
+		return
+	}
+	root := os.Getenv("MOLECULE_PERSONA_ROOT")
+	if root == "" {
+		root = "/etc/molecule-bootstrap/personas"
+	}
+	data, err := os.ReadFile(filepath.Join(root, role, "token"))
+	if err != nil {
+		return
+	}
+	token := strings.TrimSpace(string(data))
+	if token == "" {
+		return
+	}
+	if _, ok := out["GITEA_TOKEN"]; !ok {
+		out["GITEA_TOKEN"] = token
+	}
+	if _, ok := out["GITEA_USER"]; !ok {
+		out["GITEA_USER"] = role
+	}
+	if _, ok := out["GITEA_USER_EMAIL"]; !ok {
+		out["GITEA_USER_EMAIL"] = role + "@" + gitIdentityEmailDomain
+	}
 }
 
 // isSafeRoleName accepts a single path segment of [A-Za-z0-9_-]+. Rejects

workspace-server/internal/handlers/org_persona_env_test.go

@@ -164,3 +164,181 @@ func TestIsSafeRoleName_Acceptance(t *testing.T) {
 		}
 	}
 }
+
+// TestLoadPersonaTokenFile_TokenOnlyPersona: the prod-team personas
+// (agent-dev-a / agent-dev-b / agent-pm) ship `token` only — no `env`
+// file. loadPersonaEnvFile's fallback path must populate GITEA_TOKEN /
+// GITEA_USER / GITEA_USER_EMAIL from the token contents + role name so
+// the GIT_ASKPASS helper has something to emit.
+func TestLoadPersonaTokenFile_TokenOnlyPersona(t *testing.T) {
+	root := t.TempDir()
+	roleDir := filepath.Join(root, "agent-dev-a")
+	if err := os.MkdirAll(roleDir, 0o755); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(filepath.Join(roleDir, "token"),
+		[]byte("token-bytes-redacted\n"), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	t.Setenv("MOLECULE_PERSONA_ROOT", root)
+
+	out := map[string]string{}
+	loadPersonaEnvFile("agent-dev-a", out)
+
+	want := map[string]string{
+		"GITEA_TOKEN":      "token-bytes-redacted",
+		"GITEA_USER":       "agent-dev-a",
+		"GITEA_USER_EMAIL": "agent-dev-a@" + gitIdentityEmailDomain,
+	}
+	if len(out) != len(want) {
+		t.Fatalf("got %d keys, want %d: %#v", len(out), len(want), out)
+	}
+	for k, v := range want {
+		if out[k] != v {
+			t.Errorf("out[%q] = %q; want %q", k, out[k], v)
+		}
+	}
+}
+
+// TestLoadPersonaTokenFile_EnvFileWins: when BOTH an env file and a
+// token file exist in the same persona dir, the env file is the more-
+// specific declaration and wins outright — the fallback must not fire
+// at all. This pins precedence so a persona later migrated to the
+// richer env-file form (carrying GITEA_TOKEN_SCOPES / GITEA_SSH_KEY_PATH)
+// doesn't get its token silently overridden by the fallback.
+func TestLoadPersonaTokenFile_EnvFileWins(t *testing.T) {
+	root := t.TempDir()
+	roleDir := filepath.Join(root, "agent-dev-b")
+	if err := os.MkdirAll(roleDir, 0o755); err != nil {
+		t.Fatal(err)
+	}
+	envBody := "GITEA_USER=env-form-user\nGITEA_TOKEN=env-form-token\n" +
+		"GITEA_USER_EMAIL=env-form@example.invalid\nGITEA_TOKEN_SCOPES=write:repository\n"
+	if err := os.WriteFile(filepath.Join(roleDir, "env"), []byte(envBody), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(filepath.Join(roleDir, "token"),
+		[]byte("token-form-token\n"), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	t.Setenv("MOLECULE_PERSONA_ROOT", root)
+
+	out := map[string]string{}
+	loadPersonaEnvFile("agent-dev-b", out)
+
+	if out["GITEA_USER"] != "env-form-user" {
+		t.Errorf("env file should win for GITEA_USER; got %q", out["GITEA_USER"])
+	}
+	if out["GITEA_TOKEN"] != "env-form-token" {
+		t.Errorf("env file should win for GITEA_TOKEN; got %q", out["GITEA_TOKEN"])
+	}
+	if out["GITEA_USER_EMAIL"] != "env-form@example.invalid" {
+		t.Errorf("env file should win for GITEA_USER_EMAIL; got %q", out["GITEA_USER_EMAIL"])
+	}
+	if out["GITEA_TOKEN_SCOPES"] != "write:repository" {
+		t.Errorf("env file extras must be preserved; got GITEA_TOKEN_SCOPES=%q", out["GITEA_TOKEN_SCOPES"])
+	}
+}
+
+// TestLoadPersonaTokenFile_NeitherFile: persona dir exists but ships
+// neither env nor token — silent no-op. This is the legitimate case
+// for a partially-provisioned persona during bootstrap; callers expect
+// an empty map, no error, no log noise.
+func TestLoadPersonaTokenFile_NeitherFile(t *testing.T) {
+	root := t.TempDir()
+	roleDir := filepath.Join(root, "agent-pm")
+	if err := os.MkdirAll(roleDir, 0o755); err != nil {
+		t.Fatal(err)
+	}
+	t.Setenv("MOLECULE_PERSONA_ROOT", root)
+
+	out := map[string]string{}
+	loadPersonaEnvFile("agent-pm", out)
+	if len(out) != 0 {
+		t.Errorf("expected empty out when neither env nor token exists; got %#v", out)
+	}
+}
+
+// TestLoadPersonaTokenFile_EmptyToken: a token file with only
+// whitespace must be treated as absent — never emit
+// GITEA_TOKEN="" / GITEA_USER=<role> / GITEA_USER_EMAIL=<role>@... because
+// that would set GITEA_USER without a usable token, and the askpass
+// helper would then prompt with an empty password. Silent no-op is the
+// correct behavior — let downstream auth fall through to its existing
+// "no credentials available" path.
+func TestLoadPersonaTokenFile_EmptyToken(t *testing.T) {
+	root := t.TempDir()
+	roleDir := filepath.Join(root, "agent-dev-a")
+	if err := os.MkdirAll(roleDir, 0o755); err != nil {
+		t.Fatal(err)
+	}
+	// Whitespace-only contents: spaces, tabs, newlines.
+	if err := os.WriteFile(filepath.Join(roleDir, "token"),
+		[]byte("   \t\n  \n"), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	t.Setenv("MOLECULE_PERSONA_ROOT", root)
+
+	out := map[string]string{}
+	loadPersonaEnvFile("agent-dev-a", out)
+	if len(out) != 0 {
+		t.Errorf("expected empty out when token file is whitespace-only; got %#v", out)
+	}
+}
+
+// TestLoadPersonaTokenFile_TrimsWhitespace: tokens shipped from the
+// operator-host bootstrap kit may have a trailing newline (the
+// canonical `printf "%s\n" "$token" > token` shape). The fallback must
+// trim leading + trailing whitespace so the askpass helper emits the
+// raw token bytes — Gitea's PAT validator rejects tokens with embedded
+// whitespace.
+func TestLoadPersonaTokenFile_TrimsWhitespace(t *testing.T) {
+	root := t.TempDir()
+	roleDir := filepath.Join(root, "agent-dev-b")
+	if err := os.MkdirAll(roleDir, 0o755); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(filepath.Join(roleDir, "token"),
+		[]byte("\n  raw-token-bytes  \n\n"), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	t.Setenv("MOLECULE_PERSONA_ROOT", root)
+
+	out := map[string]string{}
+	loadPersonaEnvFile("agent-dev-b", out)
+	if out["GITEA_TOKEN"] != "raw-token-bytes" {
+		t.Errorf("token whitespace not trimmed; got %q", out["GITEA_TOKEN"])
+	}
+}
+
+// TestLoadPersonaTokenFile_RejectsUnsafeRole: defense-in-depth — even
+// in the fallback path, role names that fail isSafeRoleName must not
+// touch the filesystem. Mirrors TestLoadPersonaEnvFile_RejectsTraversal.
+func TestLoadPersonaTokenFile_RejectsUnsafeRole(t *testing.T) {
+	root := t.TempDir()
+	// Plant a token at /tmp/.../token so a bad traversal would reach it.
+	if err := os.WriteFile(filepath.Join(root, "token"),
+		[]byte("stolen-token\n"), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	t.Setenv("MOLECULE_PERSONA_ROOT", filepath.Join(root, "personas"))
+
+	for _, bad := range []string{"..", "../personas", "/abs", "with/slash", "."} {
+		out := map[string]string{}
+		loadPersonaTokenFile(bad, out)
+		if len(out) != 0 {
+			t.Errorf("role %q should have been rejected; got %#v", bad, out)
+		}
+	}
+}
+
+// TestLoadPersonaTokenFile_NilMapSafe: callers pass a fresh map in
+// practice, but defense-in-depth — a nil map must not panic.
+func TestLoadPersonaTokenFile_NilMapSafe(t *testing.T) {
+	defer func() {
+		if r := recover(); r != nil {
+			t.Fatalf("nil map caused panic: %v", r)
+		}
+	}()
+	loadPersonaTokenFile("agent-dev-a", nil)
+}