Compare commits

1 Commits

Author SHA1 Message Date
claude-ceo-assistant eacef8f603 fix(ci): canonicalize 5 staging-e2e workflows + 1 doc to CP_STAGING_ADMIN_API_TOKEN
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 9s
CI / Detect changes (pull_request) Successful in 18s
E2E API Smoke Test / detect-changes (pull_request) Successful in 20s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 20s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 22s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 10s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 14s
sop-tier-check / tier-check (pull_request) Successful in 14s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 21s
CI / Platform (Go) (pull_request) Successful in 5s
CI / Canvas (Next.js) (pull_request) Successful in 6s
CI / Python Lint & Test (pull_request) Successful in 8s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 19s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 9s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 7s
audit-force-merge / audit (pull_request) Has been skipped
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 5m1s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m9s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Failing after 3m35s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 7m59s
Completes the `MOLECULE_STAGING_ADMIN_TOKEN` -> `CP_STAGING_ADMIN_API_TOKEN`
rename started in PR#461 (sweep-stale-e2e-orgs). The org secret store
holds `CP_STAGING_ADMIN_API_TOKEN` (populated, Class-A); the stale name
`MOLECULE_STAGING_ADMIN_TOKEN` does NOT exist there, so every workflow
below was exiting 2 at the token-presence check on each run.

Files touched (17 refs total):
- .gitea/workflows/e2e-staging-saas.yml      (3 refs)
- .gitea/workflows/e2e-staging-sanity.yml    (3 refs)
- .gitea/workflows/e2e-staging-external.yml  (3 refs)
- .gitea/workflows/e2e-staging-canvas.yml    (3 refs)
- .gitea/workflows/canary-staging.yml        (3 refs)
- tests/e2e/STAGING_SAAS_E2E.md              (2 refs — heading + body)

Per-file change shape (identical):
- `secrets.MOLECULE_STAGING_ADMIN_TOKEN` -> `secrets.CP_STAGING_ADMIN_API_TOKEN`
  in both the workflow-level `env:` block and the always-run teardown
  safety-net step's `env:` block.
- `::error::MOLECULE_STAGING_ADMIN_TOKEN ...` diagnostic strings updated
  so log-tail consumers (Loki SOPRefireRule, orchestrator triage loop)
  grep for the live secret name.

Out of scope (intentional):
- .gitea/workflows/sweep-stale-e2e-orgs.yml — covered by PR#461,
  merge-conflict risk if touched here.
- `continue-on-error: true` on these 5 workflows — different scope.
  PR#461 dropped it on sweep-stale because the janitor is critical and
  failing silently masked an EC2 leak. These 5 are advisory E2E +
  canary; their `continue-on-error` is the RFC #219 §1 "surface without
  blocking" contract and is correct to keep until those gates are
  promoted to required-checks separately.
- .github/workflows/ mirror — repo reads .gitea/ only (per
  reference_molecule_core_actions_gitea_only); a Category-B/C delete
  sweep (RFC internal#219 §1) is already in flight in a separate set of
  branches.

Verification performed locally before commit:
- `yaml.safe_load` parses cleanly on all 5 modified workflows.
- Duplicate-key detector run on every modified workflow — no env-block
  collisions (cf. feedback_porter_script_env_block_collision).
- `grep -rln 'MOLECULE_STAGING_ADMIN_TOKEN' .gitea/ scripts/ tests/ docs/ runbooks/`
  returns only sweep-stale-e2e-orgs.yml (PR#461 scope) and one
  historical-rename mention in STAGING_SAAS_E2E.md body.

Tier: medium (multi-workflow consistency fix; staging E2E currently
red). References: internal#322 (EC2-leak root-fix; PR#461 covered the
janitor half), molecule-core#459 (REQUEST_CHANGES on opposite-direction
canonicalization — adjudication confirmed `CP_STAGING_ADMIN_API_TOKEN`
is the direction).
2026-05-11 04:21:50 -07:00
6 changed files with 17 additions and 17 deletions
+3 -3
@@ -63,7 +63,7 @@ jobs:
env:
MOLECULE_CP_URL: https://staging-api.moleculesai.app
MOLECULE_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
# MiniMax is the canary's PRIMARY LLM auth path post-2026-05-04.
# Switched from hermes+OpenAI after #2578 (the staging OpenAI key
# account went over quota and stayed dead for 36+ hours, taking
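Review bot: The admin bearer on the `MOLECULE_ADMIN_TOKEN:` line sits in what the commit message calls the workflow-level `env:` block, so every step inherits it whether or not it calls the control plane. Since the line is being touched anyway, consider declaring the secret only in the `env:` of the steps that use it, the way the teardown step already declares its own `ADMIN_TOKEN`.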
@@ -109,7 +109,7 @@ jobs:
- name: Verify admin token present
run: |
if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
echo "::error::MOLECULE_STAGING_ADMIN_TOKEN not set"
echo "::error::CP_STAGING_ADMIN_API_TOKEN not set"
exit 2
fi
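Review bot: The `::error::` diagnostic is worded differently across the workflows in this commit: `CP_STAGING_ADMIN_API_TOKEN not set` here, `Missing CP_STAGING_ADMIN_API_TOKEN` in another file, and `CP_STAGING_ADMIN_API_TOKEN secret not set (Railway staging CP_ADMIN_API_TOKEN)` in two more. The commit message says log-tail consumers grep these strings, so a single shared wording in all five files would let those rules match one fixed string rather than only the secret name.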
@@ -234,7 +234,7 @@ jobs:
- name: Teardown safety net
if: always()
env:
ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
run: |
set +e
# Slug prefix matches what test_staging_full_saas.sh emits
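Review bot: Missing token check in the teardown step. It runs under `if: always()` with `set +e`, so it still runs after `Verify admin token present` has exited 2, and nothing in the visible lines tests `ADMIN_TOKEN` before use. A misnamed secret, which is what this commit fixes, is exactly the case where cleanup would fail without failing the step; emit a `::warning::` and skip the cleanup calls when `ADMIN_TOKEN` is empty so leftover orgs are surfaced in the log.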
+3 -3
@@ -124,7 +124,7 @@ jobs:
env:
CANVAS_E2E_STAGING: '1'
MOLECULE_CP_URL: https://staging-api.moleculesai.app
MOLECULE_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
defaults:
run:
@@ -145,7 +145,7 @@ jobs:
if: needs.detect-changes.outputs.canvas == 'true'
run: |
if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
echo "::error::Missing MOLECULE_STAGING_ADMIN_TOKEN"
echo "::error::Missing CP_STAGING_ADMIN_API_TOKEN"
exit 2
fi
@@ -207,7 +207,7 @@ jobs:
- name: Teardown safety net
if: always() && needs.detect-changes.outputs.canvas == 'true'
env:
ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
run: |
set +e
STATE_FILE=".playwright-staging-state.json"
+3 -3
@@ -89,7 +89,7 @@ jobs:
env:
MOLECULE_CP_URL: https://staging-api.moleculesai.app
MOLECULE_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
E2E_RUN_ID: "${{ github.run_id }}-${{ github.run_attempt }}"
E2E_KEEP_ORG: ${{ github.event.inputs.keep_org && '1' || '0' }}
E2E_STALE_WAIT_SECS: ${{ github.event.inputs.stale_wait_secs || '180' }}
@@ -104,7 +104,7 @@ jobs:
# missing — silent skip would mask infra rot. Manual dispatch
# gets the same hard-fail; an operator running this on a fork
# without secrets configured needs to know up-front.
echo "::error::MOLECULE_STAGING_ADMIN_TOKEN secret not set (Railway staging CP_ADMIN_API_TOKEN)"
echo "::error::CP_STAGING_ADMIN_API_TOKEN secret not set (Railway staging CP_ADMIN_API_TOKEN)"
exit 2
fi
echo "Admin token present ✓"
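Review bot: The updated `::error::` line now puts two near-identical identifiers side by side, `CP_STAGING_ADMIN_API_TOKEN` and `CP_ADMIN_API_TOKEN`, without saying which is the CI secret and which is the Railway variable. Spell out the roles in the message, for example "CI secret CP_STAGING_ADMIN_API_TOKEN not set (value comes from CP_ADMIN_API_TOKEN on Railway staging)", so an operator reading the log does not create a secret under the wrong name.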
@@ -129,7 +129,7 @@ jobs:
- name: Teardown safety net (runs on cancel/failure)
if: always()
env:
ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
run: |
set +e
orgs=$(curl -sS "$MOLECULE_CP_URL/cp/admin/orgs" \
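Review bot: In the teardown step, the visible part of the `orgs=$(curl -sS "$MOLECULE_CP_URL/cp/admin/orgs" \` call has no `--fail` and runs under `set +e`. If the continuation lines do not capture the HTTP status either, a rejected or empty `ADMIN_TOKEN` would put an error body into `orgs` and the step would carry on as if there were nothing to delete. Worth confirming the status is checked here, since this step is the last line of defence against leftover staging orgs.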
+3 -3
@@ -86,7 +86,7 @@ jobs:
# Single admin-bearer secret drives provision + tenant-token
# retrieval + teardown. Configure in
# Settings → Secrets and variables → Actions → Repository secrets.
MOLECULE_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
# MiniMax is the PRIMARY LLM auth path post-2026-05-04. Switched
# from hermes+OpenAI default after #2578 (the staging OpenAI key
# account went over quota and stayed dead for 36+ hours, taking
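Review bot: The comment directly above the changed line still says to configure the secret under `Settings → Secrets and variables → Actions → Repository secrets`, while the commit message states that `CP_STAGING_ADMIN_API_TOKEN` lives in the org secret store. Update the comment in the same change so nobody creates a repository-level secret that shadows or diverges from the org-level one.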
@@ -122,7 +122,7 @@ jobs:
- name: Verify admin token present
run: |
if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
echo "::error::MOLECULE_STAGING_ADMIN_TOKEN secret not set (Railway staging CP_ADMIN_API_TOKEN)"
echo "::error::CP_STAGING_ADMIN_API_TOKEN secret not set (Railway staging CP_ADMIN_API_TOKEN)"
exit 2
fi
echo "Admin token present ✓"
@@ -189,7 +189,7 @@ jobs:
- name: Teardown safety net (runs on cancel/failure)
if: always()
env:
ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
run: |
# Best-effort: find any e2e-YYYYMMDD-* orgs matching this run and
# nuke them. Catches the case where the script died before
+3 -3
@@ -42,7 +42,7 @@ jobs:
env:
MOLECULE_CP_URL: https://staging-api.moleculesai.app
MOLECULE_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
E2E_MODE: canary
E2E_RUNTIME: hermes
E2E_RUN_ID: "sanity-${{ github.run_id }}"
@@ -54,7 +54,7 @@ jobs:
- name: Verify admin token present
run: |
if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
echo "::error::MOLECULE_STAGING_ADMIN_TOKEN not set"
echo "::error::CP_STAGING_ADMIN_API_TOKEN not set"
exit 2
fi
@@ -118,7 +118,7 @@ jobs:
- name: Teardown safety net
if: always()
env:
ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
run: |
set +e
orgs=$(curl -sS "$MOLECULE_CP_URL/cp/admin/orgs" \
+2 -2
@@ -49,9 +49,9 @@ Runs the harness with `E2E_INTENTIONAL_FAILURE=1`, which poisons the tenant admi
Set in **Settings → Secrets and variables → Actions → Repository secrets**:
### `MOLECULE_STAGING_ADMIN_TOKEN`
### `CP_STAGING_ADMIN_API_TOKEN`
The `CP_ADMIN_API_TOKEN` env currently set on the Railway staging molecule-platform → controlplane service.
The `CP_ADMIN_API_TOKEN` env currently set on the Railway staging molecule-platform → controlplane service. (Org-store secret name was renamed from `MOLECULE_STAGING_ADMIN_TOKEN` per #430 Class-E canonicalization; PR#461 + the canonicalize-rest follow-up swept the workflows.)
```
railway variables --environment staging --service controlplane --kv | grep CP_ADMIN_API_TOKEN
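Review bot: The new parenthetical cites `PR#461` by number but refers to this change only as "the canonicalize-rest follow-up", which a later reader cannot look up. Add the PR number once it is assigned. The sentence also keeps the old name `MOLECULE_STAGING_ADMIN_TOKEN` in the doc body, so say explicitly that this name no longer exists in the secret store, as the commit message does.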