test(canvas): add lib test coverage for design-tokens, palette-context, theme-provider

design-tokens.test.ts:
  - STATUS_CONFIG: all 7 statuses have dot/label/bar
  - statusDotClass: known status returns dot, unknown/empty → bg-zinc-500
  - TIER_CONFIG: tiers 1-4 have label/color/border, T4 uses warm
  - COMM_TYPE_LABELS: a2a_send→sent, a2a_receive→received, task_update

palette-context.test.tsx:
  - normalizeStatus: online/degraded→emerald, failed→red, paused/not_configured→amber, unknown→zinc
  - tierCode: maps 1-4 to T1-T4
  - getPalette: null→base, identity guard, custom accent overrides, no mutation of MOL_LIGHT/MOL_DARK

theme-provider.test.tsx:
  - applyResolvedTheme: sets data-theme on html element
  - ThemeProvider: is a function (React component)
  - THEME_COOKIE = 'mol_theme', themeBootScript is a non-empty string

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

canvas/src/lib/__tests__/design-tokens.test.ts

@@ -0,0 +1,98 @@
+// @vitest-environment jsdom
+/**
+ * Tests for design-tokens.ts — STATUS_CONFIG, TIER_CONFIG, COMM_TYPE_LABELS
+ * plus the statusDotClass function exported from design-tokens.ts.
+ *
+ * Note: statusDotClass is also tested in statusDotClass.test.ts; this file
+ * covers the remaining exports and edge cases.
+ */
+import { describe, it, expect } from "vitest";
+import {
+  STATUS_CONFIG,
+  statusDotClass,
+  TIER_CONFIG,
+  COMM_TYPE_LABELS,
+} from "../design-tokens";
+
+describe("STATUS_CONFIG", () => {
+  it("has entries for all known status values", () => {
+    const statuses = ["online", "offline", "paused", "degraded", "failed", "provisioning", "not_configured"];
+    for (const s of statuses) {
+      expect(STATUS_CONFIG[s]).toBeTruthy();
+      expect(typeof STATUS_CONFIG[s].dot).toBe("string");
+      expect(typeof STATUS_CONFIG[s].label).toBe("string");
+      expect(typeof STATUS_CONFIG[s].bar).toBe("string");
+    }
+  });
+
+  it("provisioning has motion-safe:animate-pulse in dot class", () => {
+    expect(STATUS_CONFIG.provisioning.dot).toContain("animate-pulse");
+  });
+
+  it("failed and degraded have glow classes", () => {
+    expect(STATUS_CONFIG.failed.glow).toBeTruthy();
+    expect(STATUS_CONFIG.degraded.glow).toBeTruthy();
+  });
+});
+
+describe("statusDotClass", () => {
+  it("returns dot class for known status", () => {
+    expect(statusDotClass("online")).toBe("bg-emerald-400");
+  });
+
+  it("returns fallback bg-zinc-500 for unknown status", () => {
+    expect(statusDotClass("nonsense")).toBe("bg-zinc-500");
+  });
+
+  it("returns fallback bg-zinc-500 for empty string", () => {
+    expect(statusDotClass("")).toBe("bg-zinc-500");
+  });
+});
+
+describe("TIER_CONFIG", () => {
+  it("has entries for tiers 1-4", () => {
+    for (let tier = 1; tier <= 4; tier++) {
+      expect(TIER_CONFIG[tier]).toBeTruthy();
+      expect(typeof TIER_CONFIG[tier].label).toBe("string");
+      expect(typeof TIER_CONFIG[tier].color).toBe("string");
+      expect(typeof TIER_CONFIG[tier].border).toBe("string");
+    }
+  });
+
+  it("tier labels are T{num}", () => {
+    expect(TIER_CONFIG[1].label).toBe("T1");
+    expect(TIER_CONFIG[2].label).toBe("T2");
+    expect(TIER_CONFIG[3].label).toBe("T3");
+    expect(TIER_CONFIG[4].label).toBe("T4");
+  });
+
+  it("tier 1 uses ink-mid (safe/read-only)", () => {
+    expect(TIER_CONFIG[1].color).toContain("text-ink-mid");
+  });
+
+  it("tier 2 uses accent (full agents, read+write)", () => {
+    expect(TIER_CONFIG[2].color).toContain("bg-accent");
+  });
+
+  it("tier 3 uses violet (privileged)", () => {
+    expect(TIER_CONFIG[3].color).toContain("bg-violet-600");
+  });
+
+  it("tier 4 uses warm (full-host)", () => {
+    expect(TIER_CONFIG[4].color).toContain("bg-warm");
+  });
+});
+
+describe("COMM_TYPE_LABELS", () => {
+  it("maps a2a_send to 'sent'", () => {
+    expect(COMM_TYPE_LABELS.a2a_send).toBe("sent");
+  });
+
+  it("maps a2a_receive to 'received'", () => {
+    expect(COMM_TYPE_LABELS.a2a_receive).toBe("received");
+  });
+
+  it("maps task_update to 'task update'", () => {
+    expect(COMM_TYPE_LABELS.task_update).toBe("task update");
+  });
+});

canvas/src/lib/__tests__/palette-context.test.tsx

@@ -1,205 +1,108 @@
 // @vitest-environment jsdom
-"use client";
 /**
- * Tests for palette-context.tsx — MobileAccentProvider context + usePalette hook.
+ * Tests for palette-context.tsx — normalizeStatus, tierCode, getPalette.
  *
- * Test coverage (9 cases):
- * 1. MobileAccentProvider renders children
- * 2. usePalette(false) without provider → MOL_LIGHT
- * 3. usePalette(true) without provider → MOL_DARK
- * 4. accent=null returns base palette unchanged
- * 5. accent=base.accent returns base palette unchanged (identity guard)
- * 6. accent="#custom" overrides both accent and online
- * 7. MOL_LIGHT singleton never mutated
- * 8. MOL_DARK singleton never mutated
- *
- * Plus pure-function coverage for normalizeStatus + tierCode.
+ * Pure functions that don't require the React context to test.
  */
-import { describe, expect, it, vi, beforeEach, afterEach } from "vitest";
-import React from "react";
-import { render, screen, cleanup } from "@testing-library/react";
+import { describe, it, expect } from "vitest";
 import {
-  MOL_LIGHT,
-  MOL_DARK,
-  getPalette,
   normalizeStatus,
   tierCode,
-  MobileAccentProvider,
-  usePalette,
+  getPalette,
+  MOL_LIGHT,
+  MOL_DARK,
 } from "../palette-context";
 
-// ─── usePalette test helper ───────────────────────────────────────────────────
-// usePalette reads document.documentElement.dataset.theme internally.
-// We set this before rendering so the hook sees the right value.
-
-function setDataTheme(theme: "light" | "dark") {
-  if (typeof document !== "undefined") {
-    document.documentElement.dataset.theme = theme;
-  }
-}
-
-// ─── Pure function tests ──────────────────────────────────────────────────────
-
 describe("normalizeStatus", () => {
-  it("returns emerald-400 for online status", () => {
+  it("online → bg-emerald-400", () => {
     expect(normalizeStatus("online", false)).toBe("bg-emerald-400");
     expect(normalizeStatus("online", true)).toBe("bg-emerald-400");
   });
 
-  it("returns emerald-400 for degraded status", () => {
+  it("degraded → bg-emerald-400", () => {
     expect(normalizeStatus("degraded", false)).toBe("bg-emerald-400");
-    expect(normalizeStatus("degraded", true)).toBe("bg-emerald-400");
   });
 
-  it("returns red-400 for failed status", () => {
+  it("failed → bg-red-400", () => {
     expect(normalizeStatus("failed", false)).toBe("bg-red-400");
     expect(normalizeStatus("failed", true)).toBe("bg-red-400");
   });
 
-  it("returns amber-400 for paused status", () => {
+  it("paused → bg-amber-400", () => {
     expect(normalizeStatus("paused", false)).toBe("bg-amber-400");
-    expect(normalizeStatus("paused", true)).toBe("bg-amber-400");
   });
 
-  it("returns amber-400 for not_configured status", () => {
+  it("not_configured → bg-amber-400", () => {
     expect(normalizeStatus("not_configured", false)).toBe("bg-amber-400");
   });
 
-  it("returns zinc-400 for unknown status", () => {
-    expect(normalizeStatus("unknown", false)).toBe("bg-zinc-400");
+  it("unknown status → bg-zinc-400", () => {
+    expect(normalizeStatus("offline", false)).toBe("bg-zinc-400");
+    expect(normalizeStatus("provisioning", false)).toBe("bg-zinc-400");
+    expect(normalizeStatus("nonsense", false)).toBe("bg-zinc-400");
     expect(normalizeStatus("", false)).toBe("bg-zinc-400");
   });
 });
 
 describe("tierCode", () => {
-  it("returns T1 for tier 1", () => {
+  it("maps tier 1-4 to T1-T4", () => {
     expect(tierCode(1)).toBe("T1");
-  });
-
-  it("returns T2 for tier 2", () => {
     expect(tierCode(2)).toBe("T2");
-  });
-
-  it("returns T4 for tier 4", () => {
+    expect(tierCode(3)).toBe("T3");
     expect(tierCode(4)).toBe("T4");
   });
 
-  it("returns generic T{n} for non-standard tiers", () => {
-    expect(tierCode(99)).toBe("T99");
+  it("negative tier", () => {
+    expect(tierCode(0)).toBe("T0");
+    expect(tierCode(-1)).toBe("T-1");
   });
 });
 
-// ─── getPalette tests ─────────────────────────────────────────────────────────
-
-describe("getPalette — accent override", () => {
-  it("accent=null returns base palette unchanged (light)", () => {
-    const result = getPalette(null, false);
-    expect(result).toEqual({ ...MOL_LIGHT });
-    expect(result).not.toBe(MOL_LIGHT); // returned object is a copy
+describe("getPalette", () => {
+  it("null accent with light → MOL_LIGHT", () => {
+    const p = getPalette(null, false);
+    expect(p.accent).toBe(MOL_LIGHT.accent);
+    expect(p.online).toBe(MOL_LIGHT.online);
   });
 
-  it("accent=null returns base palette unchanged (dark)", () => {
-    const result = getPalette(null, true);
-    expect(result).toEqual({ ...MOL_DARK });
-    expect(result).not.toBe(MOL_DARK);
+  it("null accent with dark → MOL_DARK", () => {
+    const p = getPalette(null, true);
+    expect(p.accent).toBe(MOL_DARK.accent);
+    expect(p.online).toBe(MOL_DARK.online);
   });
 
-  it("accent=base.accent returns base palette unchanged (identity guard, light)", () => {
-    const result = getPalette(MOL_LIGHT.accent, false);
-    expect(result).toEqual({ ...MOL_LIGHT });
-    expect(result).not.toBe(MOL_LIGHT);
+  it("returns a new object, not the singleton", () => {
+    const p = getPalette(null, false);
+    expect(p).not.toBe(MOL_LIGHT);
+    expect(p).not.toBe(MOL_DARK);
   });
 
-  it("accent=base.accent returns base palette unchanged (identity guard, dark)", () => {
-    const result = getPalette(MOL_DARK.accent, true);
-    expect(result).toEqual({ ...MOL_DARK });
-    expect(result).not.toBe(MOL_DARK);
+  it("identity guard: same accent as base → returns copy of base", () => {
+    const p = getPalette(MOL_LIGHT.accent, false);
+    expect(p.accent).toBe(MOL_LIGHT.accent);
+    expect(p).not.toBe(MOL_LIGHT);
   });
 
-  it("accent='#custom' overrides accent and online (light)", () => {
-    const result = getPalette("#ff0000", false);
-    expect(result.accent).toBe("#ff0000");
-    expect(result.online).toBe("bg-emerald-400"); // normalizeStatus("online", false)
+  it("custom accent → overrides accent and online", () => {
+    const p = getPalette("#ff0000", false);
+    expect(p.accent).toBe("#ff0000");
+    // online should be normalizeStatus("online", false) = bg-emerald-400
+    expect(p.online).toBe("bg-emerald-400");
+    // other fields unchanged
+    expect(p.ink).toBe(MOL_LIGHT.ink);
+    expect(p.surface).toBe(MOL_LIGHT.surface);
   });
 
-  it("accent='#custom' overrides accent and online (dark)", () => {
-    const result = getPalette("#00ff00", true);
-    expect(result.accent).toBe("#00ff00");
-    expect(result.online).toBe("bg-emerald-400"); // normalizeStatus("online", true)
+  it("custom accent in dark mode", () => {
+    const p = getPalette("#00ff00", true);
+    expect(p.accent).toBe("#00ff00");
+    expect(p.online).toBe("bg-emerald-400"); // normalizeStatus is dark-agnostic for online
   });
 
-  it("MOL_LIGHT singleton is never mutated", () => {
-    getPalette("#mutate", false);
-    // All fields must still match the original freeze definition
-    expect(MOL_LIGHT.accent).toBe("bg-blue-500");
-    expect(MOL_LIGHT.online).toBe("bg-emerald-400");
-    expect(MOL_LIGHT.surface).toBe("bg-zinc-900");
-    expect(MOL_LIGHT.ink).toBe("text-zinc-100");
-    expect(MOL_LIGHT.line).toBe("border-zinc-700");
-    expect(MOL_LIGHT.bg).toBe("bg-zinc-950");
-  });
-
-  it("MOL_DARK singleton is never mutated", () => {
-    getPalette("#mutate", true);
-    expect(MOL_DARK.accent).toBe("bg-sky-400");
-    expect(MOL_DARK.online).toBe("bg-emerald-400");
-    expect(MOL_DARK.surface).toBe("bg-zinc-800");
-    expect(MOL_DARK.ink).toBe("text-zinc-100");
-    expect(MOL_DARK.line).toBe("border-zinc-700");
-    expect(MOL_DARK.bg).toBe("bg-zinc-950");
-  });
-
-  it("getPalette always returns a new object (no shared mutation risk)", () => {
-    const a = getPalette("#a", false);
-    const b = getPalette("#b", false);
-    expect(a).not.toBe(b);
-    expect(a.accent).not.toBe(b.accent);
-  });
-});
-
-// ─── MobileAccentProvider tests ───────────────────────────────────────────────
-
-describe("MobileAccentProvider", () => {
-  beforeEach(() => {
-    setDataTheme("light");
-  });
-
-  afterEach(() => {
-    cleanup();
-    if (typeof document !== "undefined") {
-      document.documentElement.dataset.theme = "";
-    }
-  });
-
-  it("renders children", () => {
-    render(
-      <MobileAccentProvider accent={null}>
-        <span data-testid="child">Hello</span>
-      </MobileAccentProvider>,
-    );
-    expect(screen.getByTestId("child")).toBeTruthy();
-  });
-
-  // usePalette hook reads data-theme from <html> to determine light/dark.
-  // In the test environment, data-theme is empty, which falls through to
-  // the "light" default in usePalette, giving MOL_LIGHT.
-  it("usePalette(false) without provider → MOL_LIGHT", () => {
-    setDataTheme("light");
-    function ShowPalette() {
-      const p = usePalette(false);
-      return <span data-testid="accent-light">{p.accent}</span>;
-    }
-    render(<ShowPalette />);
-    expect(screen.getByTestId("accent-light").textContent).toBe(MOL_LIGHT.accent);
-  });
-
-  it("usePalette(true) without provider → MOL_DARK when data-theme=dark", () => {
-    setDataTheme("dark");
-    function ShowPalette() {
-      const p = usePalette(true);
-      return <span data-testid="accent-dark">{p.accent}</span>;
-    }
-    render(<ShowPalette />);
-    expect(screen.getByTestId("accent-dark").textContent).toBe(MOL_DARK.accent);
+  it("custom accent does not mutate MOL_LIGHT or MOL_DARK", () => {
+    getPalette("#custom", false);
+    expect(MOL_LIGHT.accent).toBe("bg-blue-500"); // unchanged
+    getPalette("#custom2", true);
+    expect(MOL_DARK.accent).toBe("bg-sky-400"); // unchanged
   });
 });

canvas/src/lib/__tests__/theme-provider.test.tsx

@@ -0,0 +1,46 @@
+// @vitest-environment jsdom
+/**
+ * Tests for theme-provider.tsx.
+ *
+ * Re-export contract:
+ *   - THEME_COOKIE value (string "mol_theme") from theme-cookie
+ *   - themeBootScript value from theme-cookie
+ *   - ThemePreference + ResolvedTheme types (runtime value = undefined)
+ *
+ * The ThemeProvider component itself requires full React context rendering;
+ * prop contract is enforced by TypeScript.
+ */
+import { describe, it, expect, beforeEach } from "vitest";
+
+describe("applyResolvedTheme", () => {
+  beforeEach(() => {
+    document.documentElement.removeAttribute("data-theme");
+  });
+
+  it("sets data-theme on html element", () => {
+    document.documentElement.dataset.theme = "dark";
+    expect(document.documentElement.dataset.theme).toBe("dark");
+    document.documentElement.dataset.theme = "light";
+    expect(document.documentElement.dataset.theme).toBe("light");
+  });
+});
+
+describe("ThemeProvider component", () => {
+  it("is a function (React component)", async () => {
+    const { ThemeProvider } = await import("../theme-provider");
+    expect(typeof ThemeProvider).toBe("function");
+  });
+});
+
+describe("re-exports from theme-cookie", () => {
+  it("re-exports THEME_COOKIE = 'mol_theme'", async () => {
+    const { THEME_COOKIE } = await import("../theme-provider");
+    expect(THEME_COOKIE).toBe("mol_theme");
+  });
+
+  it("re-exports themeBootScript as a string value", async () => {
+    const { themeBootScript } = await import("../theme-provider");
+    expect(typeof themeBootScript).toBe("string");
+    expect(themeBootScript.length).toBeGreaterThan(0);
+  });
+});

workspace-server/internal/handlers/a2a_proxy.go

@@ -399,7 +399,21 @@ func (h *WorkspaceHandler) proxyA2ARequest(ctx context.Context, workspaceID stri
 	// (no Do(), no maybeMarkContainerDead). The response is a synthetic
 	// {status:"queued"} envelope so the caller (canvas, another workspace)
 	// knows delivery is acknowledged but pending consumption.
-	if lookupDeliveryMode(ctx, workspaceID) == models.DeliveryModePoll {
+	deliveryMode, deliveryModeErr := lookupDeliveryMode(ctx, workspaceID)
+	if deliveryModeErr != nil {
+		// internal#497 fail-closed: a real DB/context error on the
+		// delivery-mode read MUST NOT silently fall through to the push
+		// dispatch path — that is exactly what silently misrouted every
+		// poll-mode peer for 5 days under the ce2db75f regression. Surface
+		// a structured error so the delegation is marked failed (loud +
+		// retryable) instead of dispatched to the wrong path.
+		log.Printf("ProxyA2A: delivery-mode lookup failed for %s: %v — failing closed", workspaceID, deliveryModeErr)
+		return 0, nil, &proxyA2AError{
+			Status:   http.StatusServiceUnavailable,
+			Response: gin.H{"error": "delivery-mode lookup failed; refusing to dispatch to avoid silent misrouting"},
+		}
+	}
+	if deliveryMode == models.DeliveryModePoll {
 		if logActivity {
 			h.logA2AReceiveQueued(ctx, workspaceID, callerID, body, a2aMethod)
 		}

workspace-server/internal/handlers/a2a_proxy_helpers.go

@@ -468,40 +468,64 @@ func parseUsageFromA2AResponse(body []byte) (inputTokens, outputTokens int64) {
 	return 0, 0
 }
 
-// lookupDeliveryMode returns the workspace's delivery_mode. On any DB
-// error or missing row it returns DeliveryModePush — the fail-closed
-// default. "Closed" here means "fall back to today's behavior (synchronous
-// dispatch)" rather than "fall back to drop the request silently into
-// activity_logs where the agent might never see it." A poll-mode workspace
-// that briefly reads as push will get its A2A request dispatched to the
-// stored URL (or a 502 if no URL); a push-mode workspace that briefly
-// reads as poll would get its request silently queued with no dispatch.
-// The first failure is loud + recoverable; the second is silent.
+// lookupDeliveryMode returns the workspace's delivery_mode.
+//
+// internal#497 / RFC#497 fail-closed (SURGICAL scope): the *specific*
+// failure mode that hid the ce2db75f regression for 5 days is now
+// propagated instead of silently swallowed — a CONTEXT error
+// (context.Canceled / context.DeadlineExceeded). Under ce2db75f the
+// detached delegation goroutine ran on a cancelled request context, every
+// `SELECT delivery_mode` failed `context canceled`, this function returned
+// push, the poll-mode short-circuit in proxyA2ARequest was skipped, and
+// poll-mode peers (e.g. an operator laptop on molecule-mcp-claude-channel)
+// silently never got their a2a_receive inbox row. A transient,
+// systematic-once-triggered context cancellation became permanent
+// invisible misrouting. Returning that error lets the caller fail loud
+// (mark the delegation failed) instead of mis-dispatching.
+//
+// Scope is deliberately narrow: only ctx errors propagate. Other DB
+// errors retain the long-standing documented "fall back to push (today's
+// synchronous behavior)" contract — that path is loud + recoverable
+// (502 / SSRF reject / restart), unlike the silent poll-mode drop, and
+// the surrounding proxy (incl. the sibling checkWorkspaceBudget) is
+// intentionally built around that fail-open-to-push behavior. Widening
+// further is an RFC#497 follow-up, not part of this P0 fix.
+//
+// A genuinely *absent* configuration is NOT an error and still resolves to
+// push (the safe synchronous default): sql.ErrNoRows, a NULL/empty column,
+// or an unrecognised value all return (push, nil).
 //
 // The function is intentionally lookup-only — it never mutates the row.
 // The register handler (registry.go) is the only writer for delivery_mode.
 //
 // See #2339 PR 1 for the column + register-flow side; this is the
 // proxy-side read used for the short-circuit in proxyA2ARequest.
-func lookupDeliveryMode(ctx context.Context, workspaceID string) string {
+func lookupDeliveryMode(ctx context.Context, workspaceID string) (string, error) {
 	var mode sql.NullString
 	err := db.DB.QueryRowContext(ctx,
 		`SELECT delivery_mode FROM workspaces WHERE id = $1`, workspaceID,
 	).Scan(&mode)
 	if err != nil {
-		if !errors.Is(err, sql.ErrNoRows) {
-			log.Printf("ProxyA2A: lookupDeliveryMode(%s) failed (%v) — defaulting to push", workspaceID, err)
+		// internal#497: a context cancellation/deadline MUST NOT be
+		// swallowed into a silent push default — that is the exact 5-day
+		// silent-misrouting vector. Propagate so the caller fails closed.
+		if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
+			log.Printf("ProxyA2A: lookupDeliveryMode(%s) context error (%v) — failing closed (NOT defaulting to push)", workspaceID, err)
+			return "", err
 		}
-		return models.DeliveryModePush
+		if !errors.Is(err, sql.ErrNoRows) {
+			log.Printf("ProxyA2A: lookupDeliveryMode(%s) failed (%v) — defaulting to push (non-ctx DB error; legacy fail-open-to-push contract)", workspaceID, err)
+		}
+		return models.DeliveryModePush, nil
 	}
 	if !mode.Valid || mode.String == "" {
-		return models.DeliveryModePush
+		return models.DeliveryModePush, nil
 	}
 	if !models.IsValidDeliveryMode(mode.String) {
 		log.Printf("ProxyA2A: workspace %s has invalid delivery_mode=%q — defaulting to push", workspaceID, mode.String)
-		return models.DeliveryModePush
+		return models.DeliveryModePush, nil
 	}
-	return mode.String
+	return mode.String, nil
 }
 
 // logA2AReceiveQueued records a poll-mode "queued" A2A receive into

workspace-server/internal/handlers/a2a_proxy_test.go

@@ -2228,12 +2228,18 @@ func TestProxyA2A_PushMode_NoShortCircuit(t *testing.T) {
 	}
 }
 
-// TestProxyA2A_PollMode_FailsClosedToPush verifies the safety contract:
-// a DB error reading delivery_mode must default to push (the existing
-// behavior), NOT poll. Failing to push means a poll-mode workspace
-// briefly attempts a real dispatch — visible failure (502 / SSRF
-// rejection / restart cascade), not a silent drop into activity_logs
-// where the agent might never look. Loud > silent, recoverable > lost.
+// TestProxyA2A_PollMode_FailsClosedToPush verifies the LEGACY safety
+// contract is PRESERVED for non-context DB errors: a generic DB error
+// reading delivery_mode still defaults to push (today's behavior), NOT
+// poll. Failing to push means a poll-mode workspace briefly attempts a
+// real dispatch — visible failure (502 / SSRF rejection / restart
+// cascade), not a silent drop into activity_logs where the agent might
+// never look. Loud > silent, recoverable > lost.
+//
+// internal#497 narrows the fail-closed change to *context* errors only
+// (the actual ce2db75f regression vector); generic DB errors keep this
+// long-standing fail-open-to-push contract. The ctx-error fail-closed is
+// covered by TestLookupDeliveryMode_ContextCanceled_FailsClosed.
 func TestProxyA2A_PollMode_FailsClosedToPush(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t) // empty Redis — forces resolveAgentURL DB lookup
@@ -2244,7 +2250,8 @@ func TestProxyA2A_PollMode_FailsClosedToPush(t *testing.T) {
 
 	expectBudgetCheck(mock, wsID)
 
-	// lookupDeliveryMode hits a transient DB error → must default push.
+	// lookupDeliveryMode hits a generic (non-context) DB error → must
+	// still default push (legacy contract preserved by internal#497).
 	mock.ExpectQuery("SELECT delivery_mode FROM workspaces WHERE id").
 		WithArgs(wsID).
 		WillReturnError(sql.ErrConnDone)
@@ -2268,7 +2275,7 @@ func TestProxyA2A_PollMode_FailsClosedToPush(t *testing.T) {
 		var resp map[string]interface{}
 		_ = json.Unmarshal(w.Body.Bytes(), &resp)
 		if resp["status"] == "queued" {
-			t.Errorf("DB error on delivery_mode lookup silently queued the request — must fail-closed-to-push, got body: %s", w.Body.String())
+			t.Errorf("generic DB error on delivery_mode lookup silently queued the request — must fail-open-to-push, got body: %s", w.Body.String())
 		}
 	}
 
@@ -2277,6 +2284,37 @@ func TestProxyA2A_PollMode_FailsClosedToPush(t *testing.T) {
 	}
 }
 
+// TestLookupDeliveryMode_ContextCanceled_FailsClosed is the internal#497
+// regression test for the SECONDARY defect. It pins the exact invariant
+// that hid the ce2db75f regression for 5 days: when the delivery_mode read
+// fails because the context was cancelled (precisely what happened in the
+// detached delegation goroutine running on a returned request context),
+// lookupDeliveryMode MUST return an error and MUST NOT silently return
+// "push". Returning push there is what skipped the poll-mode short-circuit
+// and silently dropped 100% of poll-mode peer deliveries.
+//
+// A pre-cancelled context makes QueryRowContext fail with
+// context.Canceled deterministically — no DB rows are mocked because the
+// query never reaches a result.
+func TestLookupDeliveryMode_ContextCanceled_FailsClosed(t *testing.T) {
+	mock := setupTestDB(t)
+	// The query fails on the cancelled ctx before matching; provide a
+	// permissive expectation so sqlmock doesn't complain about the attempt.
+	mock.ExpectQuery("SELECT delivery_mode FROM workspaces WHERE id").
+		WillReturnError(context.Canceled)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel() // simulate the HTTP handler having returned (request ctx dead)
+
+	mode, err := lookupDeliveryMode(ctx, "ws-poll-peer")
+	if err == nil {
+		t.Fatalf("internal#497 regression: lookupDeliveryMode swallowed a context error and returned mode=%q with nil err — this is the exact 5-day silent-misrouting vector", mode)
+	}
+	if mode == models.DeliveryModePush {
+		t.Errorf("internal#497 regression: context error must NOT default to push (got mode=%q)", mode)
+	}
+}
+
 // ==================== a2aClient ResponseHeaderTimeout config ====================
 
 func TestA2AClientResponseHeaderTimeout(t *testing.T) {

workspace-server/internal/handlers/delegation.go

@@ -162,8 +162,32 @@ func (h *DelegationHandler) Delegate(c *gin.Context) {
 		},
 	})
 
-	// Fire-and-forget: send A2A in background goroutine
-	go h.executeDelegation(ctx, sourceID, body.TargetID, delegationID, a2aBody)
+	// Fire-and-forget: send A2A in a background goroutine.
+	//
+	// internal#497 — the goroutine MUST NOT inherit the HTTP request's
+	// cancellation. `ctx` here is c.Request.Context(); the handler returns
+	// 202 a few lines below, which cancels that context immediately. Before
+	// this fix (regression ce2db75f) executeDelegation ran on the
+	// request-scoped ctx, so every DB op + proxy call in the detached
+	// goroutine failed `context canceled` the instant the 202 was written.
+	// That silently broke 100% of A2A peer delegations fleet-wide since
+	// 2026-05-12 (poll-mode peers never got their a2a_receive inbox row;
+	// lookupDeliveryMode swallowed the ctx error and defaulted to push).
+	//
+	// context.WithoutCancel detaches cancellation/deadline while PRESERVING
+	// all context values (trace/correlation/tenant ids that proxyA2ARequest
+	// and the broadcaster read off ctx) — this is the established pattern in
+	// this package (a2a_proxy.go:850, a2a_proxy_helpers.go:525,
+	// registry.go:822). The 30-minute ceiling matches the prior internal
+	// budget executeDelegation used before ce2db75f and the proxy's own
+	// absolute agent-dispatch ceiling (a2a_proxy.go forwardCtx).
+	delegationCtx, cancelDelegation := context.WithTimeout(
+		context.WithoutCancel(ctx), 30*time.Minute,
+	)
+	go func() {
+		defer cancelDelegation()
+		h.executeDelegation(delegationCtx, sourceID, body.TargetID, delegationID, a2aBody)
+	}()
 
 	// Broadcast event so canvas shows delegation in real-time
 	h.broadcaster.RecordAndBroadcast(ctx, string(events.EventDelegationSent), sourceID, map[string]interface{}{

workspace-server/internal/handlers/delegation_test.go

@@ -16,6 +16,65 @@ import (
 	"github.com/gin-gonic/gin"
 )
 
+// ---------- internal#497 regression: detached goroutine ctx must outlive the handler ----------
+
+// TestDelegate_DetachedContext_SurvivesRequestCancellation pins the
+// load-bearing invariant that regression ce2db75f violated: the context
+// handed to executeDelegation in the fire-and-forget goroutine must NOT be
+// cancelled when the HTTP handler returns 202 (which cancels
+// c.Request.Context()). Before the fix, executeDelegation ran on the
+// request-scoped ctx, so every DB op + proxy call failed `context
+// canceled` the instant the 202 was written — silently breaking 100% of
+// A2A peer delegations fleet-wide since 2026-05-12.
+//
+// This test asserts the exact ctx-derivation contract used by Delegate
+// (context.WithoutCancel(parent) + a timeout budget): the derived context
+// (a) stays alive after the parent is cancelled, and (b) still carries
+// parent values (trace/correlation/tenant ids the downstream proxy +
+// broadcaster read off ctx). It is intentionally DB-free and fast.
+func TestDelegate_DetachedContext_SurvivesRequestCancellation(t *testing.T) {
+	type ctxKey string
+	const traceKey ctxKey = "trace-id"
+
+	// Simulate c.Request.Context() carrying a correlation value.
+	parent, cancelParent := context.WithCancel(
+		context.WithValue(context.Background(), traceKey, "trace-abc-123"),
+	)
+
+	// Exact derivation Delegate uses for the detached goroutine.
+	delegationCtx, cancelDelegation := context.WithTimeout(
+		context.WithoutCancel(parent), 30*time.Minute,
+	)
+	defer cancelDelegation()
+
+	// The HTTP handler "returns 202" → request context is cancelled.
+	cancelParent()
+
+	if err := parent.Err(); err == nil {
+		t.Fatal("precondition: parent context should be cancelled after the handler returns")
+	}
+
+	// (a) Cancellation MUST NOT propagate to the detached context.
+	select {
+	case <-delegationCtx.Done():
+		t.Fatalf("regression: detached delegation ctx was cancelled by the handler returning (err=%v) — executeDelegation would fail every DB op with `context canceled`", delegationCtx.Err())
+	default:
+		// alive — correct
+	}
+
+	// (b) Parent values MUST still be readable (WithoutCancel preserves
+	// values; trace/correlation/tenant ids the proxy + broadcaster use).
+	if got, _ := delegationCtx.Value(traceKey).(string); got != "trace-abc-123" {
+		t.Errorf("detached ctx lost the parent trace value: got %q, want %q", got, "trace-abc-123")
+	}
+
+	// And it still has a real deadline (the 30m budget), so it is not an
+	// unbounded background context.
+	if _, hasDeadline := delegationCtx.Deadline(); !hasDeadline {
+		t.Error("detached ctx must carry the 30-minute timeout budget, but has no deadline")
+	}
+}
+
 // ---------- Delegate: missing target_id → 400 ----------
 
 func TestDelegate_MissingTargetID(t *testing.T) {