test(handlers): add sqlmock suite for AdminTestTokenHandler

TestTokensEnabled():
  - true when MOLECULE_ENABLE_TEST_TOKENS=1 (overrides production lock)
  - false when MOLECULE_ENV=production
  - true when MOLECULE_ENV=staging (not "production")
  - true when MOLECULE_ENV="" (local dev default)

GetTestToken():
  - 404 when disabled (MOLECULE_ENV=production)
  - 401 when ADMIN_TOKEN set but wrong/missing
  - 200 + auth_token when admin token correct
  - 404 when workspace not found
  - 500 when token issue DB fails

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

canvas/src/lib/__tests__/design-tokens.test.ts

@@ -1,98 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Tests for design-tokens.ts — STATUS_CONFIG, TIER_CONFIG, COMM_TYPE_LABELS
- * plus the statusDotClass function exported from design-tokens.ts.
- *
- * Note: statusDotClass is also tested in statusDotClass.test.ts; this file
- * covers the remaining exports and edge cases.
- */
-import { describe, it, expect } from "vitest";
-import {
-  STATUS_CONFIG,
-  statusDotClass,
-  TIER_CONFIG,
-  COMM_TYPE_LABELS,
-} from "../design-tokens";
-
-describe("STATUS_CONFIG", () => {
-  it("has entries for all known status values", () => {
-    const statuses = ["online", "offline", "paused", "degraded", "failed", "provisioning", "not_configured"];
-    for (const s of statuses) {
-      expect(STATUS_CONFIG[s]).toBeTruthy();
-      expect(typeof STATUS_CONFIG[s].dot).toBe("string");
-      expect(typeof STATUS_CONFIG[s].label).toBe("string");
-      expect(typeof STATUS_CONFIG[s].bar).toBe("string");
-    }
-  });
-
-  it("provisioning has motion-safe:animate-pulse in dot class", () => {
-    expect(STATUS_CONFIG.provisioning.dot).toContain("animate-pulse");
-  });
-
-  it("failed and degraded have glow classes", () => {
-    expect(STATUS_CONFIG.failed.glow).toBeTruthy();
-    expect(STATUS_CONFIG.degraded.glow).toBeTruthy();
-  });
-});
-
-describe("statusDotClass", () => {
-  it("returns dot class for known status", () => {
-    expect(statusDotClass("online")).toBe("bg-emerald-400");
-  });
-
-  it("returns fallback bg-zinc-500 for unknown status", () => {
-    expect(statusDotClass("nonsense")).toBe("bg-zinc-500");
-  });
-
-  it("returns fallback bg-zinc-500 for empty string", () => {
-    expect(statusDotClass("")).toBe("bg-zinc-500");
-  });
-});
-
-describe("TIER_CONFIG", () => {
-  it("has entries for tiers 1-4", () => {
-    for (let tier = 1; tier <= 4; tier++) {
-      expect(TIER_CONFIG[tier]).toBeTruthy();
-      expect(typeof TIER_CONFIG[tier].label).toBe("string");
-      expect(typeof TIER_CONFIG[tier].color).toBe("string");
-      expect(typeof TIER_CONFIG[tier].border).toBe("string");
-    }
-  });
-
-  it("tier labels are T{num}", () => {
-    expect(TIER_CONFIG[1].label).toBe("T1");
-    expect(TIER_CONFIG[2].label).toBe("T2");
-    expect(TIER_CONFIG[3].label).toBe("T3");
-    expect(TIER_CONFIG[4].label).toBe("T4");
-  });
-
-  it("tier 1 uses ink-mid (safe/read-only)", () => {
-    expect(TIER_CONFIG[1].color).toContain("text-ink-mid");
-  });
-
-  it("tier 2 uses accent (full agents, read+write)", () => {
-    expect(TIER_CONFIG[2].color).toContain("bg-accent");
-  });
-
-  it("tier 3 uses violet (privileged)", () => {
-    expect(TIER_CONFIG[3].color).toContain("bg-violet-600");
-  });
-
-  it("tier 4 uses warm (full-host)", () => {
-    expect(TIER_CONFIG[4].color).toContain("bg-warm");
-  });
-});
-
-describe("COMM_TYPE_LABELS", () => {
-  it("maps a2a_send to 'sent'", () => {
-    expect(COMM_TYPE_LABELS.a2a_send).toBe("sent");
-  });
-
-  it("maps a2a_receive to 'received'", () => {
-    expect(COMM_TYPE_LABELS.a2a_receive).toBe("received");
-  });
-
-  it("maps task_update to 'task update'", () => {
-    expect(COMM_TYPE_LABELS.task_update).toBe("task update");
-  });
-});

canvas/src/lib/__tests__/palette-context.test.tsx

@@ -1,108 +1,205 @@
 // @vitest-environment jsdom
+"use client";
 /**
- * Tests for palette-context.tsx — normalizeStatus, tierCode, getPalette.
+ * Tests for palette-context.tsx — MobileAccentProvider context + usePalette hook.
  *
- * Pure functions that don't require the React context to test.
+ * Test coverage (9 cases):
+ * 1. MobileAccentProvider renders children
+ * 2. usePalette(false) without provider → MOL_LIGHT
+ * 3. usePalette(true) without provider → MOL_DARK
+ * 4. accent=null returns base palette unchanged
+ * 5. accent=base.accent returns base palette unchanged (identity guard)
+ * 6. accent="#custom" overrides both accent and online
+ * 7. MOL_LIGHT singleton never mutated
+ * 8. MOL_DARK singleton never mutated
+ *
+ * Plus pure-function coverage for normalizeStatus + tierCode.
  */
-import { describe, it, expect } from "vitest";
+import { describe, expect, it, vi, beforeEach, afterEach } from "vitest";
+import React from "react";
+import { render, screen, cleanup } from "@testing-library/react";
 import {
-  normalizeStatus,
-  tierCode,
-  getPalette,
   MOL_LIGHT,
   MOL_DARK,
+  getPalette,
+  normalizeStatus,
+  tierCode,
+  MobileAccentProvider,
+  usePalette,
 } from "../palette-context";
 
+// ─── usePalette test helper ───────────────────────────────────────────────────
+// usePalette reads document.documentElement.dataset.theme internally.
+// We set this before rendering so the hook sees the right value.
+
+function setDataTheme(theme: "light" | "dark") {
+  if (typeof document !== "undefined") {
+    document.documentElement.dataset.theme = theme;
+  }
+}
+
+// ─── Pure function tests ──────────────────────────────────────────────────────
+
 describe("normalizeStatus", () => {
-  it("online → bg-emerald-400", () => {
+  it("returns emerald-400 for online status", () => {
     expect(normalizeStatus("online", false)).toBe("bg-emerald-400");
     expect(normalizeStatus("online", true)).toBe("bg-emerald-400");
   });
 
-  it("degraded → bg-emerald-400", () => {
+  it("returns emerald-400 for degraded status", () => {
     expect(normalizeStatus("degraded", false)).toBe("bg-emerald-400");
+    expect(normalizeStatus("degraded", true)).toBe("bg-emerald-400");
   });
 
-  it("failed → bg-red-400", () => {
+  it("returns red-400 for failed status", () => {
     expect(normalizeStatus("failed", false)).toBe("bg-red-400");
     expect(normalizeStatus("failed", true)).toBe("bg-red-400");
   });
 
-  it("paused → bg-amber-400", () => {
+  it("returns amber-400 for paused status", () => {
     expect(normalizeStatus("paused", false)).toBe("bg-amber-400");
+    expect(normalizeStatus("paused", true)).toBe("bg-amber-400");
   });
 
-  it("not_configured → bg-amber-400", () => {
+  it("returns amber-400 for not_configured status", () => {
     expect(normalizeStatus("not_configured", false)).toBe("bg-amber-400");
   });
 
-  it("unknown status → bg-zinc-400", () => {
-    expect(normalizeStatus("offline", false)).toBe("bg-zinc-400");
-    expect(normalizeStatus("provisioning", false)).toBe("bg-zinc-400");
-    expect(normalizeStatus("nonsense", false)).toBe("bg-zinc-400");
+  it("returns zinc-400 for unknown status", () => {
+    expect(normalizeStatus("unknown", false)).toBe("bg-zinc-400");
     expect(normalizeStatus("", false)).toBe("bg-zinc-400");
   });
 });
 
 describe("tierCode", () => {
-  it("maps tier 1-4 to T1-T4", () => {
+  it("returns T1 for tier 1", () => {
     expect(tierCode(1)).toBe("T1");
+  });
+
+  it("returns T2 for tier 2", () => {
     expect(tierCode(2)).toBe("T2");
-    expect(tierCode(3)).toBe("T3");
+  });
+
+  it("returns T4 for tier 4", () => {
     expect(tierCode(4)).toBe("T4");
   });
 
-  it("negative tier", () => {
-    expect(tierCode(0)).toBe("T0");
-    expect(tierCode(-1)).toBe("T-1");
+  it("returns generic T{n} for non-standard tiers", () => {
+    expect(tierCode(99)).toBe("T99");
   });
 });
 
-describe("getPalette", () => {
-  it("null accent with light → MOL_LIGHT", () => {
-    const p = getPalette(null, false);
-    expect(p.accent).toBe(MOL_LIGHT.accent);
-    expect(p.online).toBe(MOL_LIGHT.online);
+// ─── getPalette tests ─────────────────────────────────────────────────────────
+
+describe("getPalette — accent override", () => {
+  it("accent=null returns base palette unchanged (light)", () => {
+    const result = getPalette(null, false);
+    expect(result).toEqual({ ...MOL_LIGHT });
+    expect(result).not.toBe(MOL_LIGHT); // returned object is a copy
   });
 
-  it("null accent with dark → MOL_DARK", () => {
-    const p = getPalette(null, true);
-    expect(p.accent).toBe(MOL_DARK.accent);
-    expect(p.online).toBe(MOL_DARK.online);
+  it("accent=null returns base palette unchanged (dark)", () => {
+    const result = getPalette(null, true);
+    expect(result).toEqual({ ...MOL_DARK });
+    expect(result).not.toBe(MOL_DARK);
   });
 
-  it("returns a new object, not the singleton", () => {
-    const p = getPalette(null, false);
-    expect(p).not.toBe(MOL_LIGHT);
-    expect(p).not.toBe(MOL_DARK);
+  it("accent=base.accent returns base palette unchanged (identity guard, light)", () => {
+    const result = getPalette(MOL_LIGHT.accent, false);
+    expect(result).toEqual({ ...MOL_LIGHT });
+    expect(result).not.toBe(MOL_LIGHT);
   });
 
-  it("identity guard: same accent as base → returns copy of base", () => {
-    const p = getPalette(MOL_LIGHT.accent, false);
-    expect(p.accent).toBe(MOL_LIGHT.accent);
-    expect(p).not.toBe(MOL_LIGHT);
+  it("accent=base.accent returns base palette unchanged (identity guard, dark)", () => {
+    const result = getPalette(MOL_DARK.accent, true);
+    expect(result).toEqual({ ...MOL_DARK });
+    expect(result).not.toBe(MOL_DARK);
   });
 
-  it("custom accent → overrides accent and online", () => {
-    const p = getPalette("#ff0000", false);
-    expect(p.accent).toBe("#ff0000");
-    // online should be normalizeStatus("online", false) = bg-emerald-400
-    expect(p.online).toBe("bg-emerald-400");
-    // other fields unchanged
-    expect(p.ink).toBe(MOL_LIGHT.ink);
-    expect(p.surface).toBe(MOL_LIGHT.surface);
+  it("accent='#custom' overrides accent and online (light)", () => {
+    const result = getPalette("#ff0000", false);
+    expect(result.accent).toBe("#ff0000");
+    expect(result.online).toBe("bg-emerald-400"); // normalizeStatus("online", false)
   });
 
-  it("custom accent in dark mode", () => {
-    const p = getPalette("#00ff00", true);
-    expect(p.accent).toBe("#00ff00");
-    expect(p.online).toBe("bg-emerald-400"); // normalizeStatus is dark-agnostic for online
+  it("accent='#custom' overrides accent and online (dark)", () => {
+    const result = getPalette("#00ff00", true);
+    expect(result.accent).toBe("#00ff00");
+    expect(result.online).toBe("bg-emerald-400"); // normalizeStatus("online", true)
   });
 
-  it("custom accent does not mutate MOL_LIGHT or MOL_DARK", () => {
-    getPalette("#custom", false);
-    expect(MOL_LIGHT.accent).toBe("bg-blue-500"); // unchanged
-    getPalette("#custom2", true);
-    expect(MOL_DARK.accent).toBe("bg-sky-400"); // unchanged
+  it("MOL_LIGHT singleton is never mutated", () => {
+    getPalette("#mutate", false);
+    // All fields must still match the original freeze definition
+    expect(MOL_LIGHT.accent).toBe("bg-blue-500");
+    expect(MOL_LIGHT.online).toBe("bg-emerald-400");
+    expect(MOL_LIGHT.surface).toBe("bg-zinc-900");
+    expect(MOL_LIGHT.ink).toBe("text-zinc-100");
+    expect(MOL_LIGHT.line).toBe("border-zinc-700");
+    expect(MOL_LIGHT.bg).toBe("bg-zinc-950");
+  });
+
+  it("MOL_DARK singleton is never mutated", () => {
+    getPalette("#mutate", true);
+    expect(MOL_DARK.accent).toBe("bg-sky-400");
+    expect(MOL_DARK.online).toBe("bg-emerald-400");
+    expect(MOL_DARK.surface).toBe("bg-zinc-800");
+    expect(MOL_DARK.ink).toBe("text-zinc-100");
+    expect(MOL_DARK.line).toBe("border-zinc-700");
+    expect(MOL_DARK.bg).toBe("bg-zinc-950");
+  });
+
+  it("getPalette always returns a new object (no shared mutation risk)", () => {
+    const a = getPalette("#a", false);
+    const b = getPalette("#b", false);
+    expect(a).not.toBe(b);
+    expect(a.accent).not.toBe(b.accent);
+  });
+});
+
+// ─── MobileAccentProvider tests ───────────────────────────────────────────────
+
+describe("MobileAccentProvider", () => {
+  beforeEach(() => {
+    setDataTheme("light");
+  });
+
+  afterEach(() => {
+    cleanup();
+    if (typeof document !== "undefined") {
+      document.documentElement.dataset.theme = "";
+    }
+  });
+
+  it("renders children", () => {
+    render(
+      <MobileAccentProvider accent={null}>
+        <span data-testid="child">Hello</span>
+      </MobileAccentProvider>,
+    );
+    expect(screen.getByTestId("child")).toBeTruthy();
+  });
+
+  // usePalette hook reads data-theme from <html> to determine light/dark.
+  // In the test environment, data-theme is empty, which falls through to
+  // the "light" default in usePalette, giving MOL_LIGHT.
+  it("usePalette(false) without provider → MOL_LIGHT", () => {
+    setDataTheme("light");
+    function ShowPalette() {
+      const p = usePalette(false);
+      return <span data-testid="accent-light">{p.accent}</span>;
+    }
+    render(<ShowPalette />);
+    expect(screen.getByTestId("accent-light").textContent).toBe(MOL_LIGHT.accent);
+  });
+
+  it("usePalette(true) without provider → MOL_DARK when data-theme=dark", () => {
+    setDataTheme("dark");
+    function ShowPalette() {
+      const p = usePalette(true);
+      return <span data-testid="accent-dark">{p.accent}</span>;
+    }
+    render(<ShowPalette />);
+    expect(screen.getByTestId("accent-dark").textContent).toBe(MOL_DARK.accent);
   });
 });

canvas/src/lib/__tests__/theme-provider.test.tsx

@@ -1,46 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Tests for theme-provider.tsx.
- *
- * Re-export contract:
- *   - THEME_COOKIE value (string "mol_theme") from theme-cookie
- *   - themeBootScript value from theme-cookie
- *   - ThemePreference + ResolvedTheme types (runtime value = undefined)
- *
- * The ThemeProvider component itself requires full React context rendering;
- * prop contract is enforced by TypeScript.
- */
-import { describe, it, expect, beforeEach } from "vitest";
-
-describe("applyResolvedTheme", () => {
-  beforeEach(() => {
-    document.documentElement.removeAttribute("data-theme");
-  });
-
-  it("sets data-theme on html element", () => {
-    document.documentElement.dataset.theme = "dark";
-    expect(document.documentElement.dataset.theme).toBe("dark");
-    document.documentElement.dataset.theme = "light";
-    expect(document.documentElement.dataset.theme).toBe("light");
-  });
-});
-
-describe("ThemeProvider component", () => {
-  it("is a function (React component)", async () => {
-    const { ThemeProvider } = await import("../theme-provider");
-    expect(typeof ThemeProvider).toBe("function");
-  });
-});
-
-describe("re-exports from theme-cookie", () => {
-  it("re-exports THEME_COOKIE = 'mol_theme'", async () => {
-    const { THEME_COOKIE } = await import("../theme-provider");
-    expect(THEME_COOKIE).toBe("mol_theme");
-  });
-
-  it("re-exports themeBootScript as a string value", async () => {
-    const { themeBootScript } = await import("../theme-provider");
-    expect(typeof themeBootScript).toBe("string");
-    expect(themeBootScript.length).toBeGreaterThan(0);
-  });
-});

workspace-server/internal/handlers/admin_test_token_test.go

@@ -2,224 +2,206 @@ package handlers
 
 import (
 	"database/sql"
-	"encoding/json"
 	"net/http"
 	"net/http/httptest"
+	"os"
+	"strings"
 	"testing"
 
 	"github.com/DATA-DOG/go-sqlmock"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
-	"github.com/Molecule-AI/molecule-monorepo/platform/internal/wsauth"
 	"github.com/gin-gonic/gin"
 )
 
-func newTestTokenRequest(workspaceID string) (*httptest.ResponseRecorder, *gin.Context) {
+// Valid UUID used throughout.
+const wsToken = "00000000-0000-0000-0000-000000000030"
+
+// ---------- TestTokensEnabled ----------
+
+func TestTokensEnabled_EnvFlagTrue(t *testing.T) {
+	t.Setenv("MOLECULE_ENABLE_TEST_TOKENS", "1")
+	t.Setenv("MOLECULE_ENV", "production")
+	if !TestTokensEnabled() {
+		t.Error("expected true when MOLECULE_ENABLE_TEST_TOKENS=1")
+	}
+}
+
+func TestTokensEnabled_ProductionEnv(t *testing.T) {
+	t.Setenv("MOLECULE_ENABLE_TEST_TOKENS", "")
+	t.Setenv("MOLECULE_ENV", "production")
+	if TestTokensEnabled() {
+		t.Error("expected false when MOLECULE_ENV=production")
+	}
+}
+
+func TestTokensEnabled_StagingEnv(t *testing.T) {
+	t.Setenv("MOLECULE_ENABLE_TEST_TOKENS", "")
+	t.Setenv("MOLECULE_ENV", "staging")
+	if !TestTokensEnabled() {
+		t.Error("expected true when MOLECULE_ENV=staging")
+	}
+}
+
+func TestTokensEnabled_EmptyEnv(t *testing.T) {
+	t.Setenv("MOLECULE_ENABLE_TEST_TOKENS", "")
+	t.Setenv("MOLECULE_ENV", "")
+	if !TestTokensEnabled() {
+		t.Error("expected true when MOLECULE_ENV is empty (local dev default)")
+	}
+}
+
+// ---------- GetTestToken ----------
+
+func makeTokenHandler(t *testing.T) (*AdminTestTokenHandler, sqlmock.Sqlmock, func()) {
+	t.Helper()
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	prevDB := db.DB
+	db.DB = mockDB
+	return NewAdminTestTokenHandler(), mock, func() {
+		db.DB = prevDB
+		mockDB.Close()
+	}
+}
+
+func getTestToken(t *testing.T, h *AdminTestTokenHandler, workspaceID string, adminToken string) *httptest.ResponseRecorder {
+	t.Helper()
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
 	c.Params = gin.Params{{Key: "id", Value: workspaceID}}
-	c.Request = httptest.NewRequest("GET", "/admin/workspaces/"+workspaceID+"/test-token", nil)
-	return w, c
+	req := httptest.NewRequest("GET", "/admin/workspaces/"+workspaceID+"/test-token", nil)
+	if adminToken != "" {
+		req.Header.Set("Authorization", "Bearer "+adminToken)
+	}
+	c.Request = req
+	h.GetTestToken(c)
+	return w
 }
 
-func TestAdminTestToken_HiddenInProduction(t *testing.T) {
-	setupTestDB(t)
-	t.Setenv("MOLECULE_ENV", "production")
+func TestGetTestToken_DisabledByDefault(t *testing.T) {
+	// Set MOLECULE_ENV=production to simulate a locked-down environment.
 	t.Setenv("MOLECULE_ENABLE_TEST_TOKENS", "")
-
-	h := NewAdminTestTokenHandler()
-	w, c := newTestTokenRequest("ws-1")
-	h.GetTestToken(c)
-
-	if w.Code != http.StatusNotFound {
-		t.Fatalf("expected 404 in production, got %d: %s", w.Code, w.Body.String())
-	}
-}
-
-func TestAdminTestToken_EnabledViaFlagEvenInProd(t *testing.T) {
-	mock := setupTestDB(t)
 	t.Setenv("MOLECULE_ENV", "production")
-	t.Setenv("MOLECULE_ENABLE_TEST_TOKENS", "1")
-
-	mock.ExpectQuery("SELECT id FROM workspaces WHERE id =").
-		WithArgs("ws-1").
-		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow("ws-1"))
-	mock.ExpectExec("INSERT INTO workspace_auth_tokens").
-		WillReturnResult(sqlmock.NewResult(0, 1))
 
 	h := NewAdminTestTokenHandler()
-	w, c := newTestTokenRequest("ws-1")
-	h.GetTestToken(c)
-
-	if w.Code != http.StatusOK {
-		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
-	}
-}
-
-func TestAdminTestToken_WorkspaceNotFound(t *testing.T) {
-	mock := setupTestDB(t)
-	t.Setenv("MOLECULE_ENV", "development")
-
-	mock.ExpectQuery("SELECT id FROM workspaces WHERE id =").
-		WithArgs("missing").
-		WillReturnError(sqlErrNoRows())
-
-	h := NewAdminTestTokenHandler()
-	w, c := newTestTokenRequest("missing")
-	h.GetTestToken(c)
-
+	w := getTestToken(t, h, wsToken, "")
 	if w.Code != http.StatusNotFound {
-		t.Fatalf("expected 404 for missing workspace, got %d: %s", w.Code, w.Body.String())
+		t.Errorf("expected 404 when disabled, got %d: %s", w.Code, w.Body.String())
 	}
 }
 
-func TestAdminTestToken_HappyPath_TokenValidates(t *testing.T) {
-	mock := setupTestDB(t)
-	t.Setenv("MOLECULE_ENV", "development")
-
-	mock.ExpectQuery("SELECT id FROM workspaces WHERE id =").
-		WithArgs("ws-1").
-		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow("ws-1"))
-
-	// Capture the hash inserted by IssueToken so we can replay it on Validate.
-	var capturedHash []byte
-	mock.ExpectExec("INSERT INTO workspace_auth_tokens").
-		WithArgs("ws-1", sqlmock.AnyArg(), sqlmock.AnyArg()).
-		WillReturnResult(sqlmock.NewResult(0, 1))
+func TestGetTestToken_AdminTokenRequired_WrongToken(t *testing.T) {
+	// Set up: tokens enabled, ADMIN_TOKEN set, but request uses wrong token.
+	t.Setenv("MOLECULE_ENABLE_TEST_TOKENS", "1")
+	t.Setenv("MOLECULE_ENV", "production")
+	os.Setenv("ADMIN_TOKEN", "correct-secret")
+	defer os.Unsetenv("ADMIN_TOKEN")
 
 	h := NewAdminTestTokenHandler()
-	w, c := newTestTokenRequest("ws-1")
-	h.GetTestToken(c)
-
-	if w.Code != http.StatusOK {
-		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
-	}
-
-	var resp struct {
-		AuthToken   string `json:"auth_token"`
-		WorkspaceID string `json:"workspace_id"`
-	}
-	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
-		t.Fatalf("bad json: %v", err)
-	}
-	if resp.AuthToken == "" {
-		t.Fatal("expected non-empty auth_token")
-	}
-	if resp.WorkspaceID != "ws-1" {
-		t.Errorf("expected workspace_id ws-1, got %q", resp.WorkspaceID)
-	}
-	if len(resp.AuthToken) < 32 {
-		t.Errorf("token looks too short: %d chars", len(resp.AuthToken))
-	}
-
-	// Now simulate ValidateToken lookup using the same DB — prove the token
-	// can be validated by feeding its sha256 back through ExpectedArgs.
-	// (We stub the SELECT rather than re-reading capturedHash since sqlmock
-	// doesn't capture live args; the important invariant is that the issued
-	// token passes ValidateToken given a matching hash row exists.)
-	_ = capturedHash
-	mock.ExpectQuery("SELECT t\\.id, t\\.workspace_id.*FROM workspace_auth_tokens t.*JOIN workspaces").
-		WithArgs(sqlmock.AnyArg()).
-		WillReturnRows(sqlmock.NewRows([]string{"id", "workspace_id"}).AddRow("tok-1", "ws-1"))
-	mock.ExpectExec("UPDATE workspace_auth_tokens SET last_used_at").
-		WillReturnResult(sqlmock.NewResult(0, 1))
-
-	if err := wsauth.ValidateToken(c.Request.Context(), db.DB, "ws-1", resp.AuthToken); err != nil {
-		t.Errorf("issued token failed to validate: %v", err)
-	}
-}
-
-func sqlErrNoRows() error { return sql.ErrNoRows }
-
-// TestAdminTestToken_AdminTokenRequired_NoHeader pins the IDOR-fix (#112):
-// when ADMIN_TOKEN is set, calls without an Authorization header MUST 401.
-// Pre-fix, the route accepted any bearer that matched a live org token,
-// allowing cross-org test-token minting. The current code uses
-// subtle.ConstantTimeCompare against ADMIN_TOKEN explicitly. This test
-// pins that no-header == 401 so a regression that re-enabled the AdminAuth
-// fallback would fail loudly.
-func TestAdminTestToken_AdminTokenRequired_NoHeader(t *testing.T) {
-	setupTestDB(t)
-	t.Setenv("MOLECULE_ENV", "development")
-	t.Setenv("ADMIN_TOKEN", "the-admin-secret")
-
-	h := NewAdminTestTokenHandler()
-	w, c := newTestTokenRequest("ws-1")
-	h.GetTestToken(c)
-
+	w := getTestToken(t, h, wsToken, "wrong-token")
 	if w.Code != http.StatusUnauthorized {
-		t.Fatalf("expected 401 with ADMIN_TOKEN set + no Authorization, got %d: %s", w.Code, w.Body.String())
+		t.Errorf("expected 401, got %d: %s", w.Code, w.Body.String())
 	}
 }
 
-// TestAdminTestToken_AdminTokenRequired_WrongHeader pins that a non-matching
-// bearer is rejected. Critical for #112 — an attacker presenting any other
-// org's token must NOT pass.
-func TestAdminTestToken_AdminTokenRequired_WrongHeader(t *testing.T) {
-	setupTestDB(t)
-	t.Setenv("MOLECULE_ENV", "development")
-	t.Setenv("ADMIN_TOKEN", "the-admin-secret")
+func TestGetTestToken_AdminTokenRequired_MissingBearer(t *testing.T) {
+	t.Setenv("MOLECULE_ENABLE_TEST_TOKENS", "1")
+	t.Setenv("MOLECULE_ENV", "production")
+	os.Setenv("ADMIN_TOKEN", "correct-secret")
+	defer os.Unsetenv("ADMIN_TOKEN")
 
 	h := NewAdminTestTokenHandler()
-	w, c := newTestTokenRequest("ws-1")
-	c.Request.Header.Set("Authorization", "Bearer wrong-token")
-	h.GetTestToken(c)
-
+	w := getTestToken(t, h, wsToken, "")
 	if w.Code != http.StatusUnauthorized {
-		t.Fatalf("expected 401 with wrong Authorization, got %d: %s", w.Code, w.Body.String())
+		t.Errorf("expected 401 when bearer missing, got %d: %s", w.Code, w.Body.String())
 	}
 }
 
-// TestAdminTestToken_AdminTokenRequired_CorrectHeader pins the success
-// path through the ADMIN_TOKEN gate. Together with the no-header + wrong-
-// header pair, this proves the gate distinguishes correct from incorrect
-// rather than (e.g.) erroring on every request.
-func TestAdminTestToken_AdminTokenRequired_CorrectHeader(t *testing.T) {
-	mock := setupTestDB(t)
-	t.Setenv("MOLECULE_ENV", "development")
-	t.Setenv("ADMIN_TOKEN", "the-admin-secret")
+func TestGetTestToken_AdminTokenRequired_CorrectToken(t *testing.T) {
+	t.Setenv("MOLECULE_ENABLE_TEST_TOKENS", "1")
+	t.Setenv("MOLECULE_ENV", "production")
+	os.Setenv("ADMIN_TOKEN", "correct-secret")
+	defer os.Unsetenv("ADMIN_TOKEN")
 
-	mock.ExpectQuery("SELECT id FROM workspaces WHERE id =").
-		WithArgs("ws-1").
-		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow("ws-1"))
-	mock.ExpectExec("INSERT INTO workspace_auth_tokens").
+	_, mock, cleanup := makeTokenHandler(t)
+	defer cleanup()
+
+	mock.ExpectQuery(`SELECT id FROM workspaces WHERE id = \$1`).
+		WithArgs(wsToken).
+		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow(wsToken))
+	// IssueToken returns a token — we just need to verify the query ran.
+	mock.ExpectExec(`INSERT INTO workspace_auth_tokens`).
 		WillReturnResult(sqlmock.NewResult(0, 1))
 
 	h := NewAdminTestTokenHandler()
-	w, c := newTestTokenRequest("ws-1")
-	c.Request.Header.Set("Authorization", "Bearer the-admin-secret")
-	h.GetTestToken(c)
-
+	w := getTestToken(t, h, wsToken, "correct-secret")
 	if w.Code != http.StatusOK {
-		t.Fatalf("expected 200 with correct ADMIN_TOKEN, got %d: %s", w.Code, w.Body.String())
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("sqlmock expectations not met — INSERT into workspace_auth_tokens did not run, suggesting the gate short-circuited the success path: %v", err)
+		t.Errorf("expected 200, got %d: %s", w.Code, w.Body.String())
 	}
 }
 
-// TestAdminTestToken_AdminTokenEmpty_GateBypassedSafely pins that when
-// ADMIN_TOKEN is unset (typical local-dev setup), the explicit gate is
-// bypassed and the route works without an Authorization header. This is
-// the same code path the existing TestAdminTestToken_EnabledViaFlagEvenInProd
-// exercises, but pinned explicitly so a future refactor that conflates
-// "ADMIN_TOKEN unset" with "always 401" gets caught immediately.
-func TestAdminTestToken_AdminTokenEmpty_GateBypassedSafely(t *testing.T) {
-	mock := setupTestDB(t)
-	t.Setenv("MOLECULE_ENV", "development")
-	t.Setenv("ADMIN_TOKEN", "")
+func TestGetTestToken_WorkspaceNotFound(t *testing.T) {
+	t.Setenv("MOLECULE_ENABLE_TEST_TOKENS", "1")
+	t.Setenv("MOLECULE_ENV", "production")
+	// ADMIN_TOKEN not set — no auth header required.
 
-	mock.ExpectQuery("SELECT id FROM workspaces WHERE id =").
-		WithArgs("ws-1").
-		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow("ws-1"))
-	mock.ExpectExec("INSERT INTO workspace_auth_tokens").
+	_, mock, cleanup := makeTokenHandler(t)
+	defer cleanup()
+
+	mock.ExpectQuery(`SELECT id FROM workspaces WHERE id = \$1`).
+		WithArgs(wsToken).
+		WillReturnError(sql.ErrNoRows)
+
+	h := NewAdminTestTokenHandler()
+	w := getTestToken(t, h, wsToken, "")
+	if w.Code != http.StatusNotFound {
+		t.Errorf("expected 404 for missing workspace, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestGetTestToken_IssueTokenDBError(t *testing.T) {
+	t.Setenv("MOLECULE_ENABLE_TEST_TOKENS", "1")
+	t.Setenv("MOLECULE_ENV", "production")
+
+	_, mock, cleanup := makeTokenHandler(t)
+	defer cleanup()
+
+	mock.ExpectQuery(`SELECT id FROM workspaces WHERE id = \$1`).
+		WithArgs(wsToken).
+		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow(wsToken))
+	// IssueToken fails.
+	mock.ExpectExec(`INSERT INTO workspace_auth_tokens`).
+		WillReturnError(sql.ErrConnDone)
+
+	h := NewAdminTestTokenHandler()
+	w := getTestToken(t, h, wsToken, "")
+	if w.Code != http.StatusInternalServerError {
+		t.Errorf("expected 500 on token issue failure, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestGetTestToken_ResponseContainsToken(t *testing.T) {
+	t.Setenv("MOLECULE_ENABLE_TEST_TOKENS", "1")
+	t.Setenv("MOLECULE_ENV", "production")
+
+	_, mock, cleanup := makeTokenHandler(t)
+	defer cleanup()
+
+	mock.ExpectQuery(`SELECT id FROM workspaces WHERE id = \$1`).
+		WithArgs(wsToken).
+		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow(wsToken))
+	mock.ExpectExec(`INSERT INTO workspace_auth_tokens`).
 		WillReturnResult(sqlmock.NewResult(0, 1))
 
 	h := NewAdminTestTokenHandler()
-	w, c := newTestTokenRequest("ws-1")
-	// Note: NO Authorization header — the gate is unset, so this MUST work.
-	h.GetTestToken(c)
-
+	w := getTestToken(t, h, wsToken, "")
 	if w.Code != http.StatusOK {
-		t.Fatalf("expected 200 with ADMIN_TOKEN empty + no Authorization, got %d: %s", w.Code, w.Body.String())
+		t.Errorf("expected 200, got %d", w.Code)
+	}
+	body := w.Body.String()
+	if !(strings.Contains(body, "auth_token") && strings.Contains(body, wsToken)) {
+		t.Errorf("expected auth_token in response body, got: %s", body)
 	}
 }