[codex] Document local test fixture secrets

README.ja.md

@@ -152,13 +152,18 @@ npx cdn-security build
 ### 4. テスト
 
 ```bash
+export EDGE_ADMIN_TOKEN=ci-build-token-not-for-deploy
+export ORIGIN_SECRET=ci-origin-secret-not-for-deploy
+
 npm run test:runtime
 npm run test:unit
 npm run test:drift
 npm run test:security-baseline
 ```
 
 CI と同じ runtime / unit / drift / security-baseline チェックを実行します。
+`EDGE_ADMIN_TOKEN` は組み込み admin `static_token` gate を含む生成 artifact に必要です。
+`ORIGIN_SECRET` は origin-auth fixture policy を含む drift / release 系チェックで必要です。
 
 ### 4.5 環境診断（初回デプロイ前の任意実行、推奨）
 

README.md

@@ -161,13 +161,19 @@ This validates the policy and generates Edge Runtime code into `dist/edge/`.
 ### 4. Test
 
 ```bash
+export EDGE_ADMIN_TOKEN=ci-build-token-not-for-deploy
+export ORIGIN_SECRET=ci-origin-secret-not-for-deploy
+
 npm run test:runtime
 npm run test:unit
 npm run test:drift
 npm run test:security-baseline
 ```
 
 Runs runtime, unit, drift, and security-baseline checks used by CI.
+`EDGE_ADMIN_TOKEN` is required by generated artifacts that include the built-in
+admin `static_token` gate. `ORIGIN_SECRET` is required by origin-auth fixture
+policies used by the broader drift/release checks.
 
 ### 4.5 Diagnose (optional but recommended before first deploy)
 

docs/test-strategy.ja.md

@@ -17,10 +17,23 @@
 
 ## local workflow
 
+- generated artifact や release gate 系チェックを実行する前に、CI と同じ用途の
+  fixture secret を設定します。
+
+  ```bash
+  export EDGE_ADMIN_TOKEN=ci-build-token-not-for-deploy
+  export ORIGIN_SECRET=ci-origin-secret-not-for-deploy
+  ```
+
 - Vitest の focused check: `npm run test:vitest`
 - 既存 unit suite: `npm run test:unit`
 - release gate 全体: `npm run test:all`
 
+`EDGE_ADMIN_TOKEN` は `static_token` 認証ゲートを含む CloudFront Functions artifact
+に焼き込まれます。`ORIGIN_SECRET` は drift / release gate で使う origin-auth fixture
+向けです。これらの値は local / CI 検証専用であり、production build では deploy 用の
+secret を使ってください。
+
 `CI=true` の場合、Vitest は `reports/vitest-junit.xml` に JUnit output を出します。
 
 ## 移行方針

docs/test-strategy.md

@@ -19,10 +19,23 @@ Node scripts, while introducing Vitest for focused compiler contract tests.
 
 ## Local workflow
 
+- Export the CI-style fixture secrets before running generated-artifact or
+  release-gate checks:
+
+  ```bash
+  export EDGE_ADMIN_TOKEN=ci-build-token-not-for-deploy
+  export ORIGIN_SECRET=ci-origin-secret-not-for-deploy
+  ```
+
 - Run focused Vitest checks with `npm run test:vitest`.
 - Run legacy unit coverage with `npm run test:unit`.
 - Run the full release gate with `npm run test:all`.
 
+`EDGE_ADMIN_TOKEN` is baked into CloudFront Function artifacts for policies
+with `static_token` auth gates. `ORIGIN_SECRET` covers origin-auth fixtures used
+by drift and release-gate checks. These fixture values are for local/CI
+validation only; production builds must use deployment secrets.
+
 Vitest writes JUnit output to `reports/vitest-junit.xml` when `CI=true`.
 
 ## Migration policy