test(external_connection): add BuildExternalConnectionPayload + externalPlatformURL coverage

- TestBuildExternalConnectionPayload_HappyPath: verifies workspace_id,
  platform_url, auth_token, registry_endpoint, heartbeat_endpoint.
- TestBuildExternalConnectionPayload_TrailingSlashStripped: one trailing
  slash removed from platform URL input.
- TestBuildExternalConnectionPayload_EmptyAuthToken: empty token is valid
  for read-only "show instructions again" path.
- TestBuildExternalConnectionPayload_SnippetsStamped: all 8 snippet fields
  have {{PLATFORM_URL}} and {{WORKSPACE_ID}} substituted, no raw placeholders.
- TestExternalPlatformURL_EnvVarTakesPrecedence: EXTERNAL_PLATFORM_URL env
  wins over all request-based fallbacks.
- TestExternalPlatformURL_XForwardedProtoAndHost: X-Forwarded-{Proto,Host}
  headers override scheme/host.
- TestExternalPlatformURL_HTTPSNoHeaders: TLS nil → http, TLS set → https.
- TestExternalPlatformURL_HTTPNoTLS: explicit host + nil TLS → http://host.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

canvas/src/components/settings/SecretRow.tsx

@@ -3,24 +3,16 @@ import { useState, useCallback, useRef, useEffect } from 'react';
 import type { Secret, SecretGroup } from '@/types/secrets';
 import { useSecretsStore } from '@/stores/secrets-store';
 import { StatusBadge } from '@/components/ui/StatusBadge';
+import { RevealToggle } from '@/components/ui/RevealToggle';
 import { KeyValueField } from '@/components/ui/KeyValueField';
 import { ValidationHint } from '@/components/ui/ValidationHint';
 import { TestConnectionButton } from '@/components/ui/TestConnectionButton';
 import { validateSecretValue } from '@/lib/validation/secret-formats';
 import { SERVICES } from '@/lib/services';
 
+const AUTO_HIDE_MS = 30_000;
 const VALIDATION_DEBOUNCE_MS = 400;
 
-// Secret values are write-only from the browser: the server List endpoint
-// "Never exposes values", there is no per-secret decrypt route, and the
-// only decrypted path (GET /secrets/values) is bulk + token-gated for
-// remote agents. The old eye/RevealToggle was a dead affordance — it
-// flipped its own icon but could never reveal anything, which read as
-// "this doesn't work" (esp. once clicked → eye-with-slash). We show an
-// honest static indicator instead; rotation is via Edit.
-const WRITE_ONLY_TITLE =
-  'Value is write-only and cannot be revealed — use Edit to replace/rotate it';
-
 interface SecretRowProps {
   secret: Secret;
   workspaceId: string;
@@ -39,12 +31,28 @@ export function SecretRow({ secret, workspaceId }: SecretRowProps) {
   const setSecretStatus = useSecretsStore((s) => s.setSecretStatus);
 
   const isEditing = editingKey === secret.name;
+  const [revealed, setRevealed] = useState(false);
   const [editValue, setEditValue] = useState('');
   const [validationError, setValidationError] = useState<string | null>(null);
   const [isSaving, setIsSaving] = useState(false);
   const [saveError, setSaveError] = useState<string | null>(null);
   const debounceRef = useRef<ReturnType<typeof setTimeout>>(undefined);
   const editBtnRef = useRef<HTMLButtonElement>(null);
+  const revealTimerRef = useRef<ReturnType<typeof setTimeout>>(undefined);
+
+  // Auto-hide revealed value after 30s
+  useEffect(() => {
+    if (revealed) {
+      clearTimeout(revealTimerRef.current);
+      revealTimerRef.current = setTimeout(() => setRevealed(false), AUTO_HIDE_MS);
+      return () => clearTimeout(revealTimerRef.current);
+    }
+  }, [revealed]);
+
+  // Reset revealed state when panel closes (session-only)
+  useEffect(() => {
+    return () => setRevealed(false);
+  }, []);
 
   // Debounced validation
   useEffect(() => {
@@ -125,15 +133,11 @@ export function SecretRow({ secret, workspaceId }: SecretRowProps) {
           {secret.masked_value}
         </span>
         <div className="secret-row__actions">
-          <span
-            data-testid="write-only-indicator"
-            className="secret-row__write-only"
-            role="img"
-            aria-label={`${secret.name} value is write-only and cannot be revealed; use Edit to replace it`}
-            title={WRITE_ONLY_TITLE}
-          >
-            🔒
-          </span>
+          <RevealToggle
+            revealed={revealed}
+            onToggle={() => setRevealed((r) => !r)}
+            label={`Toggle reveal ${secret.name}`}
+          />
           <StatusBadge status={secret.status} />
           <button
             type="button"

canvas/src/components/settings/__tests__/SecretRow.test.tsx

@@ -138,54 +138,14 @@ describe("SecretRow — display mode", () => {
     expect(document.querySelector('[role="row"]')).toBeTruthy();
   });
 
-  it("has Copy, Edit, Delete buttons", () => {
+  it("has Reveal, Copy, Edit, Delete buttons", () => {
     render(<SecretRow secret={GITHUB_SECRET} workspaceId="ws-1" />);
+    expect(screen.getByTestId("reveal-toggle")).toBeTruthy();
     expect(screen.getByRole("button", { name: /copy/i })).toBeTruthy();
     expect(screen.getByRole("button", { name: /edit/i })).toBeTruthy();
     expect(screen.getByRole("button", { name: /delete/i })).toBeTruthy();
   });
 
-  // Regression: the reveal/eye control was a dead affordance. Clicking it
-  // flipped its own icon (eye → eye-with-slash) but never revealed the value,
-  // because secret values are write-only from the browser (server List
-  // "Never exposes values"; there is no per-secret decrypt endpoint and the
-  // client has no plaintext-fetch function). The honest fix removes the
-  // toggle and shows a static "write-only / cannot be revealed" indicator.
-  // See internal tracking issue + internal#210/#211.
-  it("does NOT render a reveal/eye toggle (values are write-only)", () => {
-    render(<SecretRow secret={GITHUB_SECRET} workspaceId="ws-1" />);
-    expect(screen.queryByTestId("reveal-toggle")).toBeNull();
-    expect(
-      screen.queryByRole("button", { name: /toggle reveal/i }),
-    ).toBeNull();
-  });
-
-  it("shows a write-only indicator explaining the value cannot be revealed", () => {
-    render(<SecretRow secret={ANTHROPIC_SECRET} workspaceId="ws-1" />);
-    const indicator = screen.getByTestId("write-only-indicator");
-    expect(indicator).toBeTruthy();
-    // Affordance must be honest: explain it cannot be revealed and that
-    // Edit is the rotate path. It must not be a clickable button.
-    const title = indicator.getAttribute("title") ?? "";
-    expect(title.toLowerCase()).toMatch(/write-only|cannot be revealed/);
-    expect(indicator.tagName).not.toBe("BUTTON");
-  });
-
-  it("write-only indicator is present for the Anthropic/OAuth-token row too", () => {
-    // The reported bug singled out CLAUDE_CODE_OAUTH_TOKEN (anthropic group);
-    // the fix is group-agnostic — every row gets the same honest affordance.
-    const OAUTH_SECRET = {
-      name: "CLAUDE_CODE_OAUTH_TOKEN",
-      masked_value: "••••••••••••••••9d2a",
-      group: "anthropic" as const,
-      status: "unverified" as const,
-      updated_at: "2024-01-04",
-    };
-    render(<SecretRow secret={OAUTH_SECRET} workspaceId="ws-1" />);
-    expect(screen.queryByTestId("reveal-toggle")).toBeNull();
-    expect(screen.getByTestId("write-only-indicator")).toBeTruthy();
-  });
-
   it("shows invalid status correctly", () => {
     render(<SecretRow secret={CUSTOM_SECRET} workspaceId="ws-1" />);
     expect(screen.getByTestId("status-badge").getAttribute("data-status")).toBe("invalid");

canvas/src/components/tabs/chat/hooks/__tests__/useChatSend.test.tsx

@@ -1,209 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Tests for useChatSend — the canvas user→agent send hook.
- *
- * Behavioural focus: the poll-mode ("queued") path. When the target
- * workspace is an external / MCP-registered agent (delivery_mode=poll,
- * e.g. an operator laptop running the molecule MCP channel), the
- * platform's POST /workspaces/:id/a2a returns a synthetic
- * {status:"queued", delivery_mode:"poll"} envelope IMMEDIATELY with no
- * reply — the real reply arrives later over the AGENT_MESSAGE
- * WebSocket push.
- *
- * Pre-fix the hook treated that synthetic envelope as a terminal
- * response and called releaseSendGuards() → `sending` went false the
- * instant the POST returned → the "agent is working" indicator
- * vanished and the external turn looked dead. This suite pins the
- * fixed contract:
- *
- *   - a real reply still clears `sending` (regression guard)
- *   - a poll "queued" envelope KEEPS `sending` true (no terminal
- *     clear) so the existing thinking indicator persists
- *   - the eventual reply path (releaseSendGuards, the same call the
- *     AGENT_MESSAGE WS push makes via useChatSocket) clears it
- *   - an offline poll agent that never replies eventually surfaces an
- *     honest error instead of an infinite spinner
- *
- * Plus pure-function coverage for the poll-envelope detector.
- *
- * Root cause: workspace-server a2a_proxy.go:402 poll-mode
- * short-circuit returns {status:"queued"} synchronously.
- */
-import {
-  describe,
-  it,
-  expect,
-  vi,
-  beforeEach,
-  afterEach,
-  type Mock,
-} from "vitest";
-import { act, renderHook, cleanup } from "@testing-library/react";
-
-const { mockApiPost } = vi.hoisted(() => ({ mockApiPost: vi.fn() }));
-
-vi.mock("@/lib/api", () => ({
-  api: { post: mockApiPost },
-}));
-
-vi.mock("../uploads", () => ({
-  uploadChatFiles: vi.fn(),
-}));
-
-// Import AFTER mocks.
-import {
-  useChatSend,
-  isPollQueuedResponse,
-  extractReplyText,
-  POLL_QUEUED_REPLY_TIMEOUT_MS,
-} from "../useChatSend";
-
-const flush = () => act(async () => { await Promise.resolve(); });
-
-describe("isPollQueuedResponse", () => {
-  it("is true only for the synthetic poll-mode queued envelope", () => {
-    expect(isPollQueuedResponse({ status: "queued", delivery_mode: "poll" })).toBe(true);
-  });
-
-  it("is false for a real agent reply", () => {
-    expect(
-      isPollQueuedResponse({ result: { parts: [{ kind: "text", text: "hi" }] } }),
-    ).toBe(false);
-  });
-
-  it("is false for null / undefined / partial shapes", () => {
-    expect(isPollQueuedResponse(null)).toBe(false);
-    expect(isPollQueuedResponse(undefined)).toBe(false);
-    // status=queued without delivery_mode=poll is NOT the poll envelope
-    // — don't accidentally swallow a real reply that happens to carry
-    // an unrelated status field.
-    expect(isPollQueuedResponse({ status: "queued" })).toBe(false);
-    expect(isPollQueuedResponse({ delivery_mode: "poll" })).toBe(false);
-  });
-});
-
-describe("extractReplyText (regression guard — unchanged by fix)", () => {
-  it("collects text parts from result", () => {
-    expect(
-      extractReplyText({ result: { parts: [{ kind: "text", text: "hello" }] } }),
-    ).toBe("hello");
-  });
-  it("returns empty for the poll-queued envelope", () => {
-    expect(extractReplyText({ status: "queued", delivery_mode: "poll" })).toBe("");
-  });
-});
-
-describe("useChatSend — poll-mode in-progress state", () => {
-  beforeEach(() => {
-    vi.useFakeTimers();
-    mockApiPost.mockReset();
-  });
-  afterEach(() => {
-    vi.runOnlyPendingTimers();
-    vi.useRealTimers();
-    cleanup();
-  });
-
-  const setup = () => {
-    const onUserMessage = vi.fn();
-    const onAgentMessage = vi.fn();
-    const { result } = renderHook(() =>
-      useChatSend("ws-ext-1", {
-        getHistoryMessages: () => [],
-        onUserMessage,
-        onAgentMessage,
-      }),
-    );
-    return { result, onUserMessage, onAgentMessage };
-  };
-
-  it("a real reply clears `sending` (regression guard)", async () => {
-    mockApiPost.mockResolvedValue({
-      result: { parts: [{ kind: "text", text: "real reply" }] },
-    });
-    const { result, onAgentMessage } = setup();
-
-    await act(async () => {
-      void result.current.sendMessage("hi");
-    });
-    await flush();
-
-    expect(onAgentMessage).toHaveBeenCalledTimes(1);
-    expect(result.current.sending).toBe(false);
-  });
-
-  it("keeps `sending` true on a poll 'queued' envelope (no terminal clear)", async () => {
-    mockApiPost.mockResolvedValue({ status: "queued", delivery_mode: "poll" });
-    const { result, onAgentMessage } = setup();
-
-    await act(async () => {
-      void result.current.sendMessage("hi external agent");
-    });
-    await flush();
-
-    // The POST resolved, but it was only a queued ack — the indicator
-    // must stay up and no agent bubble should be rendered yet.
-    expect(result.current.sending).toBe(true);
-    expect(onAgentMessage).not.toHaveBeenCalled();
-    expect(result.current.error).toBeNull();
-  });
-
-  it("releaseSendGuards (the AGENT_MESSAGE-push path) clears the poll in-progress state", async () => {
-    mockApiPost.mockResolvedValue({ status: "queued", delivery_mode: "poll" });
-    const { result } = setup();
-
-    await act(async () => {
-      void result.current.sendMessage("hi");
-    });
-    await flush();
-    expect(result.current.sending).toBe(true);
-
-    // Simulate the terminal AGENT_MESSAGE WebSocket push arriving:
-    // useChatSocket's onAgentMessage / onSendComplete call
-    // releaseSendGuards. That must clear the in-progress state AND the
-    // safety timer (asserted by the next test).
-    act(() => {
-      result.current.releaseSendGuards();
-    });
-    expect(result.current.sending).toBe(false);
-  });
-
-  it("surfaces an honest error if a poll agent never replies (safety timeout)", async () => {
-    mockApiPost.mockResolvedValue({ status: "queued", delivery_mode: "poll" });
-    const { result } = setup();
-
-    await act(async () => {
-      void result.current.sendMessage("hi");
-    });
-    await flush();
-    expect(result.current.sending).toBe(true);
-
-    act(() => {
-      vi.advanceTimersByTime(POLL_QUEUED_REPLY_TIMEOUT_MS + 1000);
-    });
-
-    expect(result.current.sending).toBe(false);
-    expect(result.current.error).toMatch(/queued/i);
-  });
-
-  it("does NOT fire the safety error when the reply arrives before timeout", async () => {
-    mockApiPost.mockResolvedValue({ status: "queued", delivery_mode: "poll" });
-    const { result } = setup();
-
-    await act(async () => {
-      void result.current.sendMessage("hi");
-    });
-    await flush();
-
-    // Reply arrives (releaseSendGuards) well before the timeout.
-    act(() => {
-      result.current.releaseSendGuards();
-    });
-    act(() => {
-      vi.advanceTimersByTime(POLL_QUEUED_REPLY_TIMEOUT_MS + 1000);
-    });
-
-    expect(result.current.error).toBeNull();
-    expect(result.current.sending).toBe(false);
-  });
-});

canvas/src/components/tabs/chat/hooks/useChatSend.ts

@@ -1,6 +1,6 @@
 "use client";
 
-import { useCallback, useEffect, useRef, useState } from "react";
+import { useCallback, useRef, useState } from "react";
 import { api } from "@/lib/api";
 import { uploadChatFiles } from "../uploads";
 import { createMessage, type ChatMessage, type ChatAttachment } from "../types";
@@ -22,42 +22,8 @@ interface A2AResponse {
     parts?: A2APart[];
     artifacts?: Array<{ parts: A2APart[] }>;
   };
-  /** Synthetic poll-mode envelope. The platform returns this
-   *  immediately (HTTP 200) when the target workspace is registered
-   *  delivery_mode=poll — an external / MCP-registered agent with no
-   *  public URL (e.g. an operator's laptop running the molecule MCP
-   *  channel). The request has only been QUEUED into activity_logs;
-   *  the agent will pick it up on its next poll and the real reply
-   *  arrives asynchronously over the AGENT_MESSAGE WebSocket push
-   *  (consumed by useChatSocket). See workspace-server
-   *  a2a_proxy.go:402 (poll-mode short-circuit) and
-   *  a2a_proxy_helpers.go:516 (logA2AReceiveQueued). */
-  status?: string;
-  delivery_mode?: string;
 }
 
-/** True when `resp` is the platform's synthetic poll-mode "queued"
- *  envelope rather than a real agent reply. For these the send is
- *  acknowledged-but-pending: the user's message landed and the agent
- *  is working, but there is no reply yet — the terminal AGENT_MESSAGE
- *  push will arrive later over the WebSocket. Treating this as a
- *  terminal response (the pre-fix behaviour) cleared the "agent is
- *  working" indicator the instant the POST returned, so an external
- *  workspace turn looked dead even though work had not started. */
-export function isPollQueuedResponse(resp: A2AResponse | null | undefined): boolean {
-  return !!resp && resp.status === "queued" && resp.delivery_mode === "poll";
-}
-
-/** Hard ceiling on how long the "agent is working" indicator stays up
- *  for a poll-mode turn with no reply. The terminal AGENT_MESSAGE push
- *  normally clears it well before this. The cap exists so a poll-mode
- *  workspace that is offline / never consumes its queue doesn't pin a
- *  spinner forever — at which point we surface an honest, actionable
- *  error instead of an opaque dead spinner. Generous because poll
- *  agents (an operator laptop) can legitimately take minutes to wake,
- *  poll, and respond; the goal is "eventually honest", not fail-fast. */
-export const POLL_QUEUED_REPLY_TIMEOUT_MS = 15 * 60 * 1000;
-
 export function extractReplyText(resp: A2AResponse): string {
   const collect = (parts: A2APart[] | undefined): string => {
     if (!parts) return "";
@@ -93,29 +59,14 @@ export function useChatSend(workspaceId: string, options: UseChatSendOptions) {
   const sendInFlightRef = useRef(false);
   const sendingFromAPIRef = useRef(false);
   const sendTokenRef = useRef(0);
-  // Safety-net timer armed only for poll-mode ("queued") turns: the
-  // POST returns immediately with no reply, so the normal
-  // POST-resolves-→-clear-spinner path can't drive the indicator. The
-  // terminal AGENT_MESSAGE WebSocket push clears it via
-  // releaseSendGuards (which also clears this timer); the timer is the
-  // backstop for an offline poll agent that never consumes its queue.
-  const pollTimeoutRef = useRef<ReturnType<typeof setTimeout> | null>(null);
   const optionsRef = useRef(options);
   optionsRef.current = options;
 
-  const clearPollTimeout = useCallback(() => {
-    if (pollTimeoutRef.current !== null) {
-      clearTimeout(pollTimeoutRef.current);
-      pollTimeoutRef.current = null;
-    }
-  }, []);
-
   const releaseSendGuards = useCallback(() => {
-    clearPollTimeout();
     setSending(false);
     sendingFromAPIRef.current = false;
     sendInFlightRef.current = false;
-  }, [clearPollTimeout]);
+  }, []);
 
   const clearError = useCallback(() => setError(null), []);
 
@@ -195,33 +146,6 @@ export function useChatSend(workspaceId: string, options: UseChatSendOptions) {
             sendInFlightRef.current = false;
             return;
           }
-          // Poll-mode ("queued") turn: the message landed and the
-          // external/MCP agent will pick it up on its next poll, but
-          // there is NO reply in this response. Pre-fix this fell
-          // through to releaseSendGuards() below and the "agent is
-          // working" indicator vanished the instant the POST returned —
-          // an external-workspace turn looked dead even though work had
-          // not started. Instead, keep `sending` true so the existing
-          // thinking indicator (the same one internal agents use)
-          // persists as a "received — agent is working" state; the
-          // terminal AGENT_MESSAGE WebSocket push (consumed by
-          // useChatSocket → onAgentMessage / onSendComplete →
-          // releaseSendGuards) clears it when the real reply arrives,
-          // exactly the path an internal async reply already uses.
-          if (isPollQueuedResponse(resp)) {
-            clearPollTimeout();
-            pollTimeoutRef.current = setTimeout(() => {
-              if (sendTokenRef.current !== myToken) return;
-              if (!sendingFromAPIRef.current) return;
-              releaseSendGuards();
-              setError(
-                "No response yet from this agent — it may be offline or " +
-                  "busy. Your message was delivered and is queued; the " +
-                  "reply will appear here if the agent picks it up.",
-              );
-            }, POLL_QUEUED_REPLY_TIMEOUT_MS);
-            return;
-          }
           const replyText = extractReplyText(resp);
           const replyFiles = extractFilesFromTask(
             (resp?.result ?? {}) as Record<string, unknown>,
@@ -243,15 +167,9 @@ export function useChatSend(workspaceId: string, options: UseChatSendOptions) {
           setError("Failed to send message — agent may be unreachable");
         });
     },
-    [workspaceId, sending, uploading, clearPollTimeout],
+    [workspaceId, sending, uploading],
   );
 
-  // Drop the poll-mode safety timer on unmount / workspace switch so a
-  // stale timeout can't fire setError against a panel the user has
-  // already navigated away from. sendTokenRef guards correctness if it
-  // ever did fire; this just avoids the wasted timer + setState churn.
-  useEffect(() => clearPollTimeout, [clearPollTimeout]);
-
   return {
     sending,
     uploading,

workspace-server/internal/handlers/external_connection_test.go

@@ -1,8 +1,12 @@
 package handlers
 
 import (
+	"crypto/tls"
+	"net/http/httptest"
 	"strings"
 	"testing"
+
+	"github.com/gin-gonic/gin"
 )
 
 // TestExternalTemplates_NoMoleculeOrgIDPlaceholder pins the invariant
@@ -118,3 +122,153 @@ func TestExternalTemplates_NoBrokenMoleculeAIGitHubURLs(t *testing.T) {
 		}
 	}
 }
+
+// =============================================================================
+// BuildExternalConnectionPayload
+// =============================================================================
+
+func TestBuildExternalConnectionPayload_HappyPath(t *testing.T) {
+	payload := BuildExternalConnectionPayload(
+		"https://platform.example.com/",
+		"ws-123",
+		"tok-secret-abc",
+	)
+
+	if payload["workspace_id"] != "ws-123" {
+		t.Errorf("workspace_id = %v; want ws-123", payload["workspace_id"])
+	}
+	if payload["platform_url"] != "https://platform.example.com" {
+		t.Errorf("platform_url = %v; want https://platform.example.com", payload["platform_url"])
+	}
+	if payload["auth_token"] != "tok-secret-abc" {
+		t.Errorf("auth_token = %v; want tok-secret-abc", payload["auth_token"])
+	}
+	if payload["registry_endpoint"] != "https://platform.example.com/registry/register" {
+		t.Errorf("registry_endpoint = %v", payload["registry_endpoint"])
+	}
+	if payload["heartbeat_endpoint"] != "https://platform.example.com/registry/heartbeat" {
+		t.Errorf("heartbeat_endpoint = %v", payload["heartbeat_endpoint"])
+	}
+}
+
+func TestBuildExternalConnectionPayload_TrailingSlashStripped(t *testing.T) {
+	// TrimSuffix only removes one trailing slash; multiple slashes stay.
+	// This is intentional — the function documents this behavior.
+	payload := BuildExternalConnectionPayload(
+		"https://platform.example.com/",
+		"ws-456",
+		"tok",
+	)
+	if payload["platform_url"] != "https://platform.example.com" {
+		t.Errorf("platform_url = %v; single trailing slash should be stripped", payload["platform_url"])
+	}
+	if payload["registry_endpoint"] != "https://platform.example.com/registry/register" {
+		t.Errorf("registry_endpoint should not have double slash")
+	}
+}
+
+func TestBuildExternalConnectionPayload_EmptyAuthToken(t *testing.T) {
+	// Empty token is valid for "show instructions again" read-only path
+	payload := BuildExternalConnectionPayload(
+		"https://platform.example.com",
+		"ws-789",
+		"",
+	)
+	if payload["workspace_id"] != "ws-789" {
+		t.Errorf("workspace_id = %v", payload["workspace_id"])
+	}
+	if payload["auth_token"] != "" {
+		t.Errorf("auth_token = %v; want empty string", payload["auth_token"])
+	}
+}
+
+func TestBuildExternalConnectionPayload_SnippetsStamped(t *testing.T) {
+	payload := BuildExternalConnectionPayload(
+		"https://platform.example.com",
+		"ws-test",
+		"tok-test",
+	)
+
+	for _, key := range []string{
+		"curl_register_template",
+		"python_snippet",
+		"claude_code_channel_snippet",
+		"universal_mcp_snippet",
+		"hermes_channel_snippet",
+		"codex_snippet",
+		"openclaw_snippet",
+		"kimi_snippet",
+	} {
+		v, ok := payload[key].(string)
+		if !ok {
+			t.Errorf("%s is not a string", key)
+			continue
+		}
+		if strings.Contains(v, "{{PLATFORM_URL}}") {
+			t.Errorf("%s still contains unsubstituted {{PLATFORM_URL}}", key)
+		}
+		if strings.Contains(v, "{{WORKSPACE_ID}}") {
+			t.Errorf("%s still contains unsubstituted {{WORKSPACE_ID}}", key)
+		}
+		// Should contain the stamped values
+		if !strings.Contains(v, "https://platform.example.com") {
+			t.Errorf("%s does not contain stamped platform URL", key)
+		}
+		if !strings.Contains(v, "ws-test") {
+			t.Errorf("%s does not contain stamped workspace ID", key)
+		}
+	}
+}
+
+// =============================================================================
+// externalPlatformURL
+// =============================================================================
+
+func TestExternalPlatformURL_EnvVarTakesPrecedence(t *testing.T) {
+	t.Setenv("EXTERNAL_PLATFORM_URL", "https://external.example.com")
+	c, _ := gin.CreateTestContext(httptest.NewRecorder())
+	c.Request = httptest.NewRequest("GET", "/", nil)
+
+	got := externalPlatformURL(c)
+	if got != "https://external.example.com" {
+		t.Errorf("got %q; want EXTERNAL_PLATFORM_URL value", got)
+	}
+}
+
+func TestExternalPlatformURL_XForwardedProtoAndHost(t *testing.T) {
+	c, _ := gin.CreateTestContext(httptest.NewRecorder())
+	c.Request = httptest.NewRequest("GET", "/", nil)
+	c.Request.Header.Set("X-Forwarded-Proto", "https")
+	c.Request.Header.Set("X-Forwarded-Host", "tenant.example.com")
+
+	got := externalPlatformURL(c)
+	if got != "https://tenant.example.com" {
+		t.Errorf("got %q; want https://tenant.example.com", got)
+	}
+}
+
+func TestExternalPlatformURL_HTTPSNoHeaders(t *testing.T) {
+	c, _ := gin.CreateTestContext(httptest.NewRecorder())
+	c.Request = httptest.NewRequest("GET", "/", nil)
+	c.Request.Host = "platform.example.com"
+	// TLS set → https scheme (regardless of host)
+	c.Request.TLS = &tls.ConnectionState{}
+
+	got := externalPlatformURL(c)
+	if got != "https://platform.example.com" {
+		t.Errorf("got %q; want https://platform.example.com (TLS set)", got)
+	}
+}
+
+func TestExternalPlatformURL_HTTPNoTLS(t *testing.T) {
+	c, _ := gin.CreateTestContext(httptest.NewRecorder())
+	c.Request = httptest.NewRequest("GET", "/", nil)
+	c.Request.Host = "localhost:8080"
+	// TLS nil → http
+	c.Request.TLS = nil
+
+	got := externalPlatformURL(c)
+	if got != "http://localhost:8080" {
+		t.Errorf("got %q; want http://localhost:8080", got)
+	}
+}