fix(ci): skip github.ref-gated jobs in ci_job_names (mc#958 mc#959)

Adds `github.ref` as a skip condition in ci_job_names(), matching the
existing github.event_name skip. Jobs gated on github.ref (e.g.
canvas-deploy-reminder: only runs on pushes to refs/heads/main) never
execute in a PR context, so flagging them as missing from
all-required.needs: is a false positive that triggers mc#958/mc#959.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitea/scripts/ci-required-drift.py

@@ -13,8 +13,9 @@ Sources:
 Three failure classes:
   F1  Job in (A) is not under the sentinel's `needs:` — sentinel
       doesn't gate it, so a red job on that name can sneak through.
-      Ignores jobs whose `if:` references `github.event_name` (those
-      run only on specific events and may be `skipped` legitimately).
+      Ignores jobs whose `if:` references `github.event_name` or
+      `github.ref` (those run only on specific events or refs and may
+      be `skipped` legitimately).
   F2  Context in (B) corresponds to no emitter — i.e. there's no job
       in ci.yml whose runtime status-name maps to that context.
       A stale required-check name is silent: protection demands a
@@ -203,12 +204,17 @@ def ci_jobs_all(ci_doc: dict) -> set[str]:
 
 def ci_job_names(ci_doc: dict) -> set[str]:
     """Set of job keys in ci.yml MINUS the sentinel itself MINUS jobs
-    whose `if:` gates on `github.event_name` (those are event-scoped
-    and can legitimately be `skipped` for a given trigger; if we
-    required them under the sentinel `needs:`, every PR-only job
+    whose `if:` gates on `github.event_name` or `github.ref` (those are
+    event-scoped and can legitimately be `skipped` for a given trigger;
+    if we required them under the sentinel `needs:`, every PR-only job
     would be `skipped` on push and the sentinel would interpret
     `skipped != success` as failure). RFC §4 spec.
 
+    `github.ref` is the companion gate for jobs that run only on direct
+    pushes to specific branches (e.g. `github.ref == 'refs/heads/main'`).
+    These never execute in a PR context, so flagging them as missing
+    from `all-required.needs:` is a false positive (mc#958 / mc#959).
+
     Used for F1 (jobs missing from sentinel needs). NOT used for F1b
     (typos in needs) — see `ci_jobs_all` for that."""
     jobs = ci_doc.get("jobs")
@@ -221,7 +227,9 @@ def ci_job_names(ci_doc: dict) -> set[str]:
             continue
         if isinstance(v, dict):
             gate = v.get("if")
-            if isinstance(gate, str) and "github.event_name" in gate:
+            if isinstance(gate, str) and (
+                "github.event_name" in gate or "github.ref" in gate
+            ):
                 continue
         names.add(k)
     return names

.gitea/scripts/gitea-merge-queue.py

@@ -47,6 +47,15 @@ REQUIRED_CONTEXTS_RAW = _env(
         "sop-checklist / all-items-acked (pull_request)"
     ),
 )
+# Required contexts for push (main/staging) runs. The push CI uses the same
+# aggregator names with " (push)" suffix. Checking these explicitly instead of
+# the combined state avoids false-pause when non-blocking jobs (e.g. Platform
+# Go with continue-on-error: true due to mc#774) have failed — their failures
+# pollute the combined state but do not block merges.
+PUSH_REQUIRED_CONTEXTS_RAW = _env(
+    "PUSH_REQUIRED_CONTEXTS",
+    default="CI / all-required (push)",
+)
 
 OWNER, NAME = (REPO.split("/", 1) + [""])[:2] if REPO else ("", "")
 API = f"https://{GITEA_HOST}/api/v1" if GITEA_HOST else ""
@@ -118,16 +127,24 @@ def required_contexts(raw: str) -> list[str]:
     return [part.strip() for part in raw.split(",") if part.strip()]
 
 
+def push_required_contexts() -> list[str]:
+    """Required contexts for push (branch) CI runs. See PUSH_REQUIRED_CONTEXTS_RAW."""
+    return required_contexts(PUSH_REQUIRED_CONTEXTS_RAW)
+
+
 def status_state(status: dict) -> str:
     return str(status.get("status") or status.get("state") or "").lower()
 
 
 def latest_statuses_by_context(statuses: list[dict]) -> dict[str, dict]:
+    # Gitea /statuses endpoint returns entries in ascending id order (oldest
+    # first). We need the LAST occurrence of each context, so iterate in
+    # reverse to prefer newer entries.
     latest: dict[str, dict] = {}
-    for status in statuses:
+    for status in reversed(statuses):
         context = status.get("context")
-        if isinstance(context, str) and context not in latest:
-            latest[context] = status
+        if isinstance(context, str):
+            latest[context] = status  # overwrite: reverse order → newest wins
     return latest
 
 
@@ -193,16 +210,23 @@ def evaluate_merge_readiness(
     required_contexts: list[str],
     pr_has_current_base: bool,
 ) -> MergeDecision:
-    main_state = str(main_status.get("state") or "").lower()
-    if main_state != "success":
-        return MergeDecision(False, "pause", f"main status is {main_state or 'missing'}")
+    # Check push-required contexts explicitly instead of combined state.
+    # Combined state can be "failure" due to non-blocking jobs
+    # (continue-on-error: true) that don't actually gate merges.
+    # CI / all-required (push) is the authoritative gate — it respects
+    # continue-on-error and correctly aggregates all blocking failures.
+    main_latest = latest_statuses_by_context(main_status.get("statuses") or [])
+    main_ok, main_bad = required_contexts_green(main_latest, push_required_contexts())
+    if not main_ok:
+        return MergeDecision(False, "pause", "main required contexts not green: " + ", ".join(main_bad))
     if not pr_has_current_base:
         return MergeDecision(False, "update", "PR head does not contain current main")
 
-    pr_state = str(pr_status.get("state") or "").lower()
-    if pr_state != "success":
-        return MergeDecision(False, "wait", f"PR combined status is {pr_state or 'missing'}")
-
+    # Check explicit required contexts instead of combined state. Combined state
+    # can be "failure" due to non-blocking jobs with continue-on-error: true
+    # (e.g. publish-runtime-autobump/pr-validate, qa-review on stale tokens).
+    # The required_contexts list is the authoritative gate — it includes only
+    # the checks that actually block merges.
     latest = latest_statuses_by_context(pr_status.get("statuses") or [])
     ok, missing_or_bad = required_contexts_green(latest, required_contexts)
     if not ok:
@@ -220,10 +244,37 @@ def get_branch_head(branch: str) -> str:
 
 
 def get_combined_status(sha: str) -> dict:
-    _, body = api("GET", f"/repos/{OWNER}/{NAME}/commits/{sha}/status")
-    if not isinstance(body, dict):
+    """Combined status + all individual statuses for `sha`.
+
+    The /status endpoint caps the `statuses` array at 30 entries (Gitea
+    default page size), so we fetch the full list via /statuses with a
+    higher limit. The combined `state` still comes from /status.
+    """
+    _, combined = api("GET", f"/repos/{OWNER}/{NAME}/commits/{sha}/status")
+    if not isinstance(combined, dict):
         raise ApiError(f"status for {sha} response not object")
-    return body
+    # Fetch full statuses list; 200 covers >99% of real-world runs.
+    # The list is ordered ascending by id (oldest first) — callers must
+    # iterate in reverse to get the newest entry per context.
+    # Best-effort: large repos (main with 550+ statuses) may time out.
+    # On timeout, fall back to the statuses[] already in the combined
+    # response (usually 30 entries — enough for most PRs, enough for
+    # main's early push-required contexts).
+    try:
+        _, all_statuses = api(
+            "GET",
+            f"/repos/{OWNER}/{NAME}/commits/{sha}/statuses",
+            query={"limit": "50"},
+        )
+        if isinstance(all_statuses, list):
+            combined["statuses"] = all_statuses
+    except (ApiError, urllib.error.URLError, TimeoutError, OSError) as exc:
+        # URLError covers network-level failures (DNS, refused, timeout).
+        # TimeoutError and OSError cover socket-level timeouts.
+        sys.stderr.write(f"::warning::could not fetch full statuses list for {sha[:8]}: {exc}\n")
+        # Fall back to the statuses[] already in the combined response.
+        pass
+    return combined
 
 
 def list_queued_issues() -> list[dict]:
@@ -294,8 +345,12 @@ def process_once(*, dry_run: bool = False) -> int:
     contexts = required_contexts(REQUIRED_CONTEXTS_RAW)
     main_sha = get_branch_head(WATCH_BRANCH)
     main_status = get_combined_status(main_sha)
-    if str(main_status.get("state") or "").lower() != "success":
-        print(f"::notice::queue paused: {WATCH_BRANCH}@{main_sha[:8]} is not green")
+    # Check push-required contexts explicitly instead of combined state.
+    # See evaluate_merge_readiness for rationale.
+    main_latest = latest_statuses_by_context(main_status.get("statuses") or [])
+    main_ok, main_bad = required_contexts_green(main_latest, push_required_contexts())
+    if not main_ok:
+        print(f"::notice::queue paused: {WATCH_BRANCH}@{main_sha[:8]} required contexts not green: {', '.join(main_bad)}")
         return 0
 
     issue = choose_next_queued_issue(

.gitea/workflows/ci.yml

@@ -146,6 +146,10 @@ jobs:
     # the diagnostic step with its own continue-on-error: true (line 203).
     # Flip confirmed by CI / Platform (Go) status = success on main HEAD 363905d3.
     continue-on-error: false
+    # Job-level ceiling. The go test step below runs with a per-step 10m timeout;
+    # this cap catches any step that leaks past that. Set well above 10m so
+    # the per-step timeout is the active constraint.
+    timeout-minutes: 15
     defaults:
       run:
         working-directory: workspace-server
@@ -190,7 +194,11 @@ jobs:
         continue-on-error: true
       - if: needs.changes.outputs.platform == 'true'
         name: Run tests with race detection and coverage
-        run: go test -race -coverprofile=coverage.out ./...
+        # Explicit timeout: cold runner cache causes OOM kills at ~4m39s on the
+        # full ./... suite with race detection + coverage. A 10m per-step timeout
+        # lets the suite complete on cold cache (~5-7m) while failing cleanly
+        # instead of OOM-killing. The job-level timeout (15m) is a backstop.
+        run: go test -race -timeout 10m -coverprofile=coverage.out ./...
 
       - if: needs.changes.outputs.platform == 'true'
         name: Per-file coverage report

.gitea/workflows/gitea-merge-queue.yml

@@ -48,4 +48,9 @@ jobs:
           REQUIRED_CONTEXTS: >-
             CI / all-required (pull_request),
             sop-checklist / all-items-acked (pull_request)
+          # Push-side required contexts. Checking CI / all-required (push)
+          # explicitly instead of the combined state avoids false-pause when
+          # non-blocking jobs (continue-on-error: true) have failed — those
+          # failures pollute combined state but do not gate merges.
+          PUSH_REQUIRED_CONTEXTS: CI / all-required (push)
         run: python3 .gitea/scripts/gitea-merge-queue.py

canvas/src/lib/design-tokens.ts

@@ -21,8 +21,8 @@ export function statusDotClass(status: string): string {
 export const TIER_CONFIG: Record<number, { label: string; color: string; border: string }> = {
   1: { label: "T1", color: "text-ink-mid bg-surface-card border border-line", border: "text-ink-mid border-line" },
   2: { label: "T2", color: "text-white bg-accent border border-accent-strong", border: "text-accent border-accent" },
-  3: { label: "T3", color: "text-white bg-violet-600 border border-violet-700", border: "text-violet-600 border-violet-500" },
-  4: { label: "T4", color: "text-white bg-warm border border-warm", border: "text-warm border-warm" },
+  3: { label: "T3", color: "text-white bg-violet-600 border border-violet-700", border: "text-white border-violet-500" },
+  4: { label: "T4", color: "text-white bg-warm border border-warm", border: "text-white border-warm" },
 };
 
 export const COMM_TYPE_LABELS: Record<string, string> = {

workspace-server/internal/handlers/channels_test.go

@@ -15,6 +15,7 @@ import (
 
 	sqlmock "github.com/DATA-DOG/go-sqlmock"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/channels"
+	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
 	"github.com/gin-gonic/gin"
 )
 
@@ -364,6 +365,20 @@ func TestChannelHandler_Discover_MissingToken(t *testing.T) {
 }
 
 func TestChannelHandler_Discover_UnsupportedType(t *testing.T) {
+	// Set up db.DB so PausePollersForToken (called inside Discover) doesn't panic.
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("sqlmock: %v", err)
+	}
+	t.Cleanup(func() { mockDB.Close() })
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB })
+
+	mock.ExpectQuery(`SELECT id, channel_config FROM workspace_channels WHERE enabled = true AND workspace_id`).
+		WithArgs("ws-test").
+		WillReturnRows(sqlmock.NewRows([]string{"id", "channel_config"}))
+
 	handler := NewChannelHandler(newTestChannelManager())
 
 	// #329: workspace_id required — include so we actually reach the
@@ -387,6 +402,20 @@ func TestChannelHandler_Discover_UnsupportedType(t *testing.T) {
 }
 
 func TestChannelHandler_Discover_InvalidBotToken(t *testing.T) {
+	// Set up db.DB so PausePollersForToken (called inside Discover) doesn't panic.
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("sqlmock: %v", err)
+	}
+	t.Cleanup(func() { mockDB.Close() })
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB })
+
+	mock.ExpectQuery(`SELECT id, channel_config FROM workspace_channels WHERE enabled = true AND workspace_id`).
+		WithArgs("ws-test").
+		WillReturnRows(sqlmock.NewRows([]string{"id", "channel_config"}))
+
 	handler := NewChannelHandler(newTestChannelManager())
 
 	body, _ := json.Marshal(map[string]interface{}{

workspace-server/internal/handlers/delegation.go

@@ -262,14 +262,20 @@ func insertDelegationRow(ctx context.Context, c *gin.Context, sourceID string, b
 		"task":          body.Task,
 		"delegation_id": delegationID,
 	})
+	// Store delegation_id in response_body so agent check_delegation_status
+	// (which reads response_body->>delegation_id) can locate this row even
+	// when request_body hasn't propagated yet. Fixes mc#984.
+	respJSON, _ := json.Marshal(map[string]interface{}{
+		"delegation_id": delegationID,
+	})
 	var idemArg interface{}
 	if body.IdempotencyKey != "" {
 		idemArg = body.IdempotencyKey
 	}
 	_, err := db.DB.ExecContext(ctx, `
-		INSERT INTO activity_logs (workspace_id, activity_type, method, source_id, target_id, summary, request_body, status, idempotency_key)
-		VALUES ($1, 'delegation', 'delegate', $2, $3, $4, $5::jsonb, 'pending', $6)
-	`, sourceID, sourceID, body.TargetID, "Delegating to "+body.TargetID, string(taskJSON), idemArg)
+		INSERT INTO activity_logs (workspace_id, activity_type, method, source_id, target_id, summary, request_body, response_body, status, idempotency_key)
+		VALUES ($1, 'delegation', 'delegate', $2, $3, $4, $5::jsonb, $6::jsonb, 'pending', $7)
+	`, sourceID, sourceID, body.TargetID, "Delegating to "+body.TargetID, string(taskJSON), string(respJSON), idemArg)
 	if err == nil {
 		// RFC #2829 #318 — mirror to the durable delegations ledger
 		// (gated by DELEGATION_LEDGER_WRITE; default off → no-op).
@@ -544,10 +550,15 @@ func (h *DelegationHandler) Record(c *gin.Context) {
 		"task":          body.Task,
 		"delegation_id": body.DelegationID,
 	})
+	// Store delegation_id in response_body so agent check_delegation_status
+	// can locate this row. Fixes mc#984.
+	respJSON, _ := json.Marshal(map[string]interface{}{
+		"delegation_id": body.DelegationID,
+	})
 	if _, err := db.DB.ExecContext(ctx, `
-		INSERT INTO activity_logs (workspace_id, activity_type, method, source_id, target_id, summary, request_body, status)
-		VALUES ($1, 'delegation', 'delegate', $2, $3, $4, $5::jsonb, 'dispatched')
-	`, sourceID, sourceID, body.TargetID, "Delegating to "+body.TargetID, string(taskJSON)); err != nil {
+		INSERT INTO activity_logs (workspace_id, activity_type, method, source_id, target_id, summary, request_body, response_body, status)
+		VALUES ($1, 'delegation', 'delegate', $2, $3, $4, $5::jsonb, $6::jsonb, 'dispatched')
+	`, sourceID, sourceID, body.TargetID, "Delegating to "+body.TargetID, string(taskJSON), string(respJSON)); err != nil {
 		log.Printf("Delegation Record: insert failed for %s: %v", body.DelegationID, err)
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to record delegation"})
 		return

workspace-server/internal/handlers/delegation_test.go

@@ -133,9 +133,9 @@ func TestDelegate_Success(t *testing.T) {
 	targetID := "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
 
 	// Expect INSERT into activity_logs for delegation tracking
-	// (6th arg is idempotency_key — nil here since the request omits it)
+	// (6th arg is response_body, 7th is idempotency_key — nil here since the request omits it)
 	mock.ExpectExec("INSERT INTO activity_logs").
-		WithArgs("ws-source", "ws-source", targetID, "Delegating to "+targetID, sqlmock.AnyArg(), nil).
+		WithArgs("ws-source", "ws-source", targetID, "Delegating to "+targetID, sqlmock.AnyArg(), sqlmock.AnyArg(), nil).
 		WillReturnResult(sqlmock.NewResult(0, 1))
 
 	// Expect RecordAndBroadcast INSERT into structure_events
@@ -189,9 +189,9 @@ func TestDelegate_DBInsertFails_Still202WithWarning(t *testing.T) {
 
 	targetID := "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
 
-	// DB insert fails (6th arg = idempotency_key, nil for this test)
+	// DB insert fails (6th arg = response_body, 7th = idempotency_key, nil for this test)
 	mock.ExpectExec("INSERT INTO activity_logs").
-		WithArgs("ws-source", "ws-source", targetID, "Delegating to "+targetID, sqlmock.AnyArg(), nil).
+		WithArgs("ws-source", "ws-source", targetID, "Delegating to "+targetID, sqlmock.AnyArg(), sqlmock.AnyArg(), nil).
 		WillReturnError(fmt.Errorf("database connection lost"))
 
 	// RecordAndBroadcast still fires
@@ -491,6 +491,7 @@ func TestDelegationRecord_InsertsActivityLogRow(t *testing.T) {
 			"550e8400-e29b-41d4-a716-446655440001",               // target_id
 			"Delegating to 550e8400-e29b-41d4-a716-446655440001", // summary
 			sqlmock.AnyArg(), // request_body (jsonb)
+			sqlmock.AnyArg(), // response_body (jsonb) — mc#984 fix
 		).
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	// RecordAndBroadcast INSERT for DELEGATION_SENT
@@ -699,9 +700,9 @@ func TestDelegate_IdempotentFailedRowIsReleasedAndReplaced(t *testing.T) {
 	mock.ExpectExec("DELETE FROM activity_logs").
 		WithArgs("ws-source", "retry-key").
 		WillReturnResult(sqlmock.NewResult(0, 1))
-	// Fresh insert with the same idempotency key.
+	// Fresh insert with the same idempotency key (response_body added as mc#984 fix).
 	mock.ExpectExec("INSERT INTO activity_logs").
-		WithArgs("ws-source", "ws-source", targetID, "Delegating to "+targetID, sqlmock.AnyArg(), "retry-key").
+		WithArgs("ws-source", "ws-source", targetID, "Delegating to "+targetID, sqlmock.AnyArg(), sqlmock.AnyArg(), "retry-key").
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectExec("INSERT INTO structure_events").
 		WillReturnResult(sqlmock.NewResult(0, 1))
@@ -745,9 +746,9 @@ func TestDelegate_IdempotentRaceUniqueViolationReturnsExisting(t *testing.T) {
 	mock.ExpectQuery("SELECT request_body->>'delegation_id', status, target_id").
 		WithArgs("ws-source", "race-key").
 		WillReturnError(fmt.Errorf("sql: no rows in result set"))
-	// Insert loses the race against a concurrent caller.
+	// Insert loses the race against a concurrent caller (response_body added as mc#984 fix).
 	mock.ExpectExec("INSERT INTO activity_logs").
-		WithArgs("ws-source", "ws-source", targetID, "Delegating to "+targetID, sqlmock.AnyArg(), "race-key").
+		WithArgs("ws-source", "ws-source", targetID, "Delegating to "+targetID, sqlmock.AnyArg(), sqlmock.AnyArg(), "race-key").
 		WillReturnError(fmt.Errorf("pq: duplicate key value violates unique constraint \"activity_logs_idempotency_uniq\""))
 	// Re-query returns the winner.
 	mock.ExpectQuery("SELECT request_body->>'delegation_id', status").

workspace-server/internal/handlers/handlers_test.go

@@ -367,7 +367,7 @@ func TestBuildProvisionerConfig_IncludesAwarenessSettings(t *testing.T) {
 		"ws-123",
 		"/tmp/configs/template",
 		map[string][]byte{"config.yaml": []byte("name: test")},
-		models.CreateWorkspacePayload{Tier: 2, Runtime: "claude-code"},
+		models.CreateWorkspacePayload{Tier: 2, Runtime: "claude-code", WorkspaceDir: "/tmp/workspace", WorkspaceAccess: "read_write"},
 		map[string]string{"OPENAI_API_KEY": "sk-test"},
 		"/tmp/plugins",
 		"workspace:ws-123",