fix: limit CP template config transport

workspace-server/internal/provisioner/cp_provisioner.go

@@ -248,6 +248,11 @@ func (p *CPProvisioner) Start(ctx context.Context, cfg WorkspaceConfig) (string,
 
 const cpConfigFilesMaxBytes = 12 << 10
 
+func isCPTemplateConfigFile(name string) bool {
+	name = filepath.ToSlash(filepath.Clean(name))
+	return name == "config.yaml" || strings.HasPrefix(name, "prompts/")
+}
+
 func collectCPConfigFiles(cfg WorkspaceConfig) (map[string]string, error) {
 	files := make(map[string]string)
 	total := 0
@@ -301,6 +306,9 @@ func collectCPConfigFiles(cfg WorkspaceConfig) (map[string]string, error) {
 			if err != nil {
 				return err
 			}
+			if !isCPTemplateConfigFile(rel) {
+				return nil
+			}
 			data, err := os.ReadFile(path)
 			if err != nil {
 				return err

workspace-server/internal/provisioner/cp_provisioner_test.go

@@ -1,6 +1,7 @@
 package provisioner
 
 import (
+	"bytes"
 	"context"
 	"encoding/base64"
 	"encoding/json"
@@ -221,6 +222,9 @@ func TestStart_SendsTemplateAndGeneratedConfigFiles(t *testing.T) {
 	if err := os.WriteFile(filepath.Join(tmpl, "config.yaml"), []byte("name: template\n"), 0o600); err != nil {
 		t.Fatal(err)
 	}
+	if err := os.WriteFile(filepath.Join(tmpl, "adapter.py"), bytes.Repeat([]byte("x"), cpConfigFilesMaxBytes), 0o600); err != nil {
+		t.Fatal(err)
+	}
 	if err := os.Mkdir(filepath.Join(tmpl, "prompts"), 0o700); err != nil {
 		t.Fatal(err)
 	}
@@ -261,6 +265,9 @@ func TestStart_SendsTemplateAndGeneratedConfigFiles(t *testing.T) {
 	if got := body.ConfigFiles["prompts/system.md"]; got != wantPrompt {
 		t.Errorf("prompt payload = %q, want %q", got, wantPrompt)
 	}
+	if _, ok := body.ConfigFiles["adapter.py"]; ok {
+		t.Error("non-config template file adapter.py must not be sent to CP")
+	}
 }
 
 // TestStart_Non201ReturnsStructuredError — when CP returns 401 with a