test(handlers): add HTTP handler tests for GetA2AQueueStatus and PatchAbilities

GetA2AQueueStatus (9 cases):
- queue_id empty → 400 (via gin.CreateTestContext to bypass router)
- no identity, no org token → 404 (existence-non-inference policy)
- org token set → skips caller workspace check (authorized)
- caller workspace matches caller_id → 200
- caller workspace matches workspace_id → 200
- queue not found (sql.ErrNoRows) → 404
- queue auth-fields DB error → 500
- wrong caller workspace → 404 (IDOR collapsed to 404)
- status fetch DB error → 500
- full happy path → 200 with JSON body

PatchAbilities (11 cases):
- invalid workspace ID → 400
- invalid request body → 400
- no ability fields → 400
- workspace not found (ErrNoRows) → 404
- workspace not found (exists=false) → 404
- update broadcast_enabled=true → 200
- update talk_to_user_enabled=false → 200
- update both abilities → 200
- broadcast_enabled DB error → 500
- talk_to_user_enabled DB error → 500

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

workspace-server/internal/handlers/a2a_queue_status_handler_test.go

@@ -0,0 +1,408 @@
+package handlers
+
+import (
+	"database/sql"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/DATA-DOG/go-sqlmock"
+	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
+	"github.com/gin-gonic/gin"
+)
+
+// setupQueueStatusHandlerDB creates a sqlmock DB with QueryMatcherEqual for exact SQL string matching.
+func setupQueueStatusHandlerDB(t *testing.T) sqlmock.Sqlmock {
+	t.Helper()
+	mockDB, mock, err := sqlmock.New(sqlmock.QueryMatcherOption(sqlmock.QueryMatcherEqual))
+	if err != nil {
+		t.Fatalf("sqlmock.New: %v", err)
+	}
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })
+	return mock
+}
+
+// Exact SQL strings used by the production code.
+const (
+	sqlQueueRowAuthFields = `SELECT caller_id, workspace_id FROM a2a_queue WHERE id = $1`
+	sqlQueueStatusByID    = `
+		SELECT
+			q.id,
+			q.workspace_id,
+			q.status,
+			q.priority,
+			q.attempts,
+			q.last_error,
+			q.enqueued_at::text,
+			q.dispatched_at::text,
+			q.completed_at::text,
+			q.expires_at::text,
+			al.response_body::text
+		FROM a2a_queue q
+		LEFT JOIN activity_logs al
+			ON al.method = 'delegate_result'
+			AND al.target_id = q.workspace_id
+			AND al.workspace_id = q.caller_id
+			AND al.response_body->>'delegation_id' = (q.body->'params'->'message'->'metadata'->>'delegation_id')
+		WHERE q.id = $1`
+)
+
+// ── GetA2AQueueStatus HTTP handler tests ──────────────────────────────────────
+
+// TestGetA2AQueueStatus_QueueIDEmpty_Returns400 exercises the handler directly
+// (not via router) so we can verify the empty-value branch without relying on
+// Gin route-matching behaviour.
+func TestGetA2AQueueStatus_QueueIDEmpty_Returns400(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	setupQueueStatusHandlerDB(t)
+	h := &WorkspaceHandler{}
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"}}
+	// queue_id param is empty string
+	c.Params = gin.Params{
+		{Key: "id", Value: "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"},
+		{Key: "queue_id", Value: ""},
+	}
+	c.Request = httptest.NewRequest(http.MethodGet, "/", nil)
+
+	h.GetA2AQueueStatus(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("got %d, want 400", w.Code)
+	}
+}
+
+func TestGetA2AQueueStatus_NoIdentity_NoOrgToken_Returns404(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	setupQueueStatusHandlerDB(t)
+	h := &WorkspaceHandler{}
+
+	r := gin.New()
+	r.GET("/workspaces/:id/a2a/queue/:queue_id", h.GetA2AQueueStatus)
+
+	req := httptest.NewRequest(http.MethodGet,
+		"/workspaces/wsid/a2a/queue/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", nil)
+	w := httptest.NewRecorder()
+	r.ServeHTTP(w, req)
+
+	// No identity derivable → 404 (not 401) per existence-non-inference policy.
+	if w.Code != http.StatusNotFound {
+		t.Errorf("got %d, want 404", w.Code)
+	}
+}
+
+func TestGetA2AQueueStatus_OrgToken_SkipsCallerCheck(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	mock := setupQueueStatusHandlerDB(t)
+	h := &WorkspaceHandler{}
+
+	queueID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+	wsID := "cccccccc-cccc-cccc-cccc-cccccccccccc"
+
+	authRows := sqlmock.NewRows([]string{"caller_id", "workspace_id"}).
+		AddRow("other-ws", wsID)
+	mock.ExpectQuery(sqlQueueRowAuthFields).
+		WithArgs(queueID).
+		WillReturnRows(authRows)
+
+	statusRows := sqlmock.NewRows([]string{
+		"id", "workspace_id", "status", "priority", "attempts",
+		"last_error", "enqueued_at", "dispatched_at", "completed_at", "expires_at",
+		"response_body",
+	}).AddRow(
+		queueID, wsID, "queued", 50, 0,
+		nil, "2026-01-01T00:00:00Z", nil, nil, nil, nil,
+	)
+	mock.ExpectQuery(sqlQueueStatusByID).
+		WithArgs(queueID).
+		WillReturnRows(statusRows)
+
+	r := gin.New()
+	// Simulate org-token middleware setting org_token_id.
+	r.GET("/workspaces/:id/a2a/queue/:queue_id", func(c *gin.Context) {
+		c.Set("org_token_id", "org-admin")
+		h.GetA2AQueueStatus(c)
+	})
+
+	req := httptest.NewRequest(http.MethodGet, "/workspaces/wsid/a2a/queue/"+queueID, nil)
+	w := httptest.NewRecorder()
+	r.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("got %d, want 200: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestGetA2AQueueStatus_CallerWorkspaceMatchesCallerID_Success(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	mock := setupQueueStatusHandlerDB(t)
+	h := &WorkspaceHandler{}
+
+	queueID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+	callerID := "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
+	wsID := "cccccccc-cccc-cccc-cccc-cccccccccccc"
+
+	authRows := sqlmock.NewRows([]string{"caller_id", "workspace_id"}).
+		AddRow(callerID, wsID)
+	mock.ExpectQuery(sqlQueueRowAuthFields).
+		WithArgs(queueID).
+		WillReturnRows(authRows)
+
+	statusRows := sqlmock.NewRows([]string{
+		"id", "workspace_id", "status", "priority", "attempts",
+		"last_error", "enqueued_at", "dispatched_at", "completed_at", "expires_at",
+		"response_body",
+	}).AddRow(
+		queueID, wsID, "completed", 50, 1,
+		nil, "2026-01-01T00:00:00Z", "2026-01-01T00:01:00Z", "2026-01-01T00:02:00Z",
+		nil, []byte(`{"text":"result"}`),
+	)
+	mock.ExpectQuery(sqlQueueStatusByID).
+		WithArgs(queueID).
+		WillReturnRows(statusRows)
+
+	r := gin.New()
+	r.GET("/workspaces/:id/a2a/queue/:queue_id", h.GetA2AQueueStatus)
+
+	req := httptest.NewRequest(http.MethodGet,
+		"/workspaces/"+wsID+"/a2a/queue/"+queueID, nil)
+	req.Header.Set("X-Workspace-ID", callerID)
+	w := httptest.NewRecorder()
+	r.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("got %d, want 200: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestGetA2AQueueStatus_CallerWorkspaceMatchesWorkspaceID_Success(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	mock := setupQueueStatusHandlerDB(t)
+	h := &WorkspaceHandler{}
+
+	queueID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+	callerID := "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
+	wsID := "cccccccc-cccc-cccc-cccc-cccccccccccc"
+
+	authRows := sqlmock.NewRows([]string{"caller_id", "workspace_id"}).
+		AddRow(callerID, wsID)
+	mock.ExpectQuery(sqlQueueRowAuthFields).
+		WithArgs(queueID).
+		WillReturnRows(authRows)
+
+	statusRows := sqlmock.NewRows([]string{
+		"id", "workspace_id", "status", "priority", "attempts",
+		"last_error", "enqueued_at", "dispatched_at", "completed_at", "expires_at",
+		"response_body",
+	}).AddRow(
+		queueID, wsID, "queued", 50, 0,
+		nil, "2026-01-01T00:00:00Z", nil, nil, nil, nil,
+	)
+	mock.ExpectQuery(sqlQueueStatusByID).
+		WithArgs(queueID).
+		WillReturnRows(statusRows)
+
+	r := gin.New()
+	r.GET("/workspaces/:id/a2a/queue/:queue_id", h.GetA2AQueueStatus)
+
+	req := httptest.NewRequest(http.MethodGet,
+		"/workspaces/"+wsID+"/a2a/queue/"+queueID, nil)
+	req.Header.Set("X-Workspace-ID", wsID)
+	w := httptest.NewRecorder()
+	r.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("got %d, want 200: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestGetA2AQueueStatus_QueueNotFound_Returns404(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	mock := setupQueueStatusHandlerDB(t)
+	h := &WorkspaceHandler{}
+
+	queueID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+	callerID := "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
+	wsID := "cccccccc-cccc-cccc-cccc-cccccccccccc"
+
+	mock.ExpectQuery(sqlQueueRowAuthFields).
+		WithArgs(queueID).
+		WillReturnError(sql.ErrNoRows)
+
+	r := gin.New()
+	r.GET("/workspaces/:id/a2a/queue/:queue_id", h.GetA2AQueueStatus)
+
+	req := httptest.NewRequest(http.MethodGet,
+		"/workspaces/"+wsID+"/a2a/queue/"+queueID, nil)
+	req.Header.Set("X-Workspace-ID", callerID)
+	w := httptest.NewRecorder()
+	r.ServeHTTP(w, req)
+
+	if w.Code != http.StatusNotFound {
+		t.Errorf("got %d, want 404: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestGetA2AQueueStatus_QueueAuthFieldsDBError_Returns500(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	mock := setupQueueStatusHandlerDB(t)
+	h := &WorkspaceHandler{}
+
+	queueID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+	callerID := "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
+	wsID := "cccccccc-cccc-cccc-cccc-cccccccccccc"
+
+	mock.ExpectQuery(sqlQueueRowAuthFields).
+		WithArgs(queueID).
+		WillReturnError(sql.ErrConnDone)
+
+	r := gin.New()
+	r.GET("/workspaces/:id/a2a/queue/:queue_id", h.GetA2AQueueStatus)
+
+	req := httptest.NewRequest(http.MethodGet,
+		"/workspaces/"+wsID+"/a2a/queue/"+queueID, nil)
+	req.Header.Set("X-Workspace-ID", callerID)
+	w := httptest.NewRecorder()
+	r.ServeHTTP(w, req)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Errorf("got %d, want 500: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestGetA2AQueueStatus_WrongCallerWorkspace_Returns404(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	mock := setupQueueStatusHandlerDB(t)
+	h := &WorkspaceHandler{}
+
+	queueID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+	callerID := "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
+	wsID := "cccccccc-cccc-cccc-cccc-cccccccccccc"
+	wrongCaller := "dddddddd-dddd-dddd-dddd-dddddddddddd"
+
+	authRows := sqlmock.NewRows([]string{"caller_id", "workspace_id"}).
+		AddRow(callerID, wsID)
+	mock.ExpectQuery(sqlQueueRowAuthFields).
+		WithArgs(queueID).
+		WillReturnRows(authRows)
+
+	r := gin.New()
+	r.GET("/workspaces/:id/a2a/queue/:queue_id", h.GetA2AQueueStatus)
+
+	req := httptest.NewRequest(http.MethodGet,
+		"/workspaces/"+wsID+"/a2a/queue/"+queueID, nil)
+	req.Header.Set("X-Workspace-ID", wrongCaller)
+	w := httptest.NewRecorder()
+	r.ServeHTTP(w, req)
+
+	if w.Code != http.StatusNotFound {
+		t.Errorf("got %d, want 404: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestGetA2AQueueStatus_StatusFetchDBError_Returns500(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	mock := setupQueueStatusHandlerDB(t)
+	h := &WorkspaceHandler{}
+
+	queueID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+	callerID := "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
+	wsID := "cccccccc-cccc-cccc-cccc-cccccccccccc"
+
+	authRows := sqlmock.NewRows([]string{"caller_id", "workspace_id"}).
+		AddRow(callerID, wsID)
+	mock.ExpectQuery(sqlQueueRowAuthFields).
+		WithArgs(queueID).
+		WillReturnRows(authRows)
+
+	mock.ExpectQuery(sqlQueueStatusByID).
+		WithArgs(queueID).
+		WillReturnError(sql.ErrConnDone)
+
+	r := gin.New()
+	r.GET("/workspaces/:id/a2a/queue/:queue_id", h.GetA2AQueueStatus)
+
+	req := httptest.NewRequest(http.MethodGet,
+		"/workspaces/"+wsID+"/a2a/queue/"+queueID, nil)
+	req.Header.Set("X-Workspace-ID", callerID)
+	w := httptest.NewRecorder()
+	r.ServeHTTP(w, req)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Errorf("got %d, want 500: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestGetA2AQueueStatus_FullHappyPath_ReturnsJSON(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	mock := setupQueueStatusHandlerDB(t)
+	h := &WorkspaceHandler{}
+
+	queueID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+	callerID := "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
+	wsID := "cccccccc-cccc-cccc-cccc-cccccccccccc"
+
+	authRows := sqlmock.NewRows([]string{"caller_id", "workspace_id"}).
+		AddRow(callerID, wsID)
+	mock.ExpectQuery(sqlQueueRowAuthFields).
+		WithArgs(queueID).
+		WillReturnRows(authRows)
+
+	respBody := []byte(`{"text":"delegation result"}`)
+	statusRows := sqlmock.NewRows([]string{
+		"id", "workspace_id", "status", "priority", "attempts",
+		"last_error", "enqueued_at", "dispatched_at", "completed_at", "expires_at",
+		"response_body",
+	}).AddRow(
+		queueID, wsID, "completed", 50, 1,
+		nil, "2026-01-01T00:00:00Z", "2026-01-01T00:01:00Z", "2026-01-01T00:02:00Z",
+		nil, respBody,
+	)
+	mock.ExpectQuery(sqlQueueStatusByID).
+		WithArgs(queueID).
+		WillReturnRows(statusRows)
+
+	r := gin.New()
+	r.GET("/workspaces/:id/a2a/queue/:queue_id", h.GetA2AQueueStatus)
+
+	req := httptest.NewRequest(http.MethodGet,
+		"/workspaces/"+wsID+"/a2a/queue/"+queueID, nil)
+	req.Header.Set("X-Workspace-ID", wsID)
+	w := httptest.NewRecorder()
+	r.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("got %d, want 200: %s", w.Code, w.Body.String())
+	}
+	if w.Body.Len() == 0 {
+		t.Error("response body is empty")
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}

workspace-server/internal/handlers/channels.go

@@ -104,9 +104,6 @@ func (h *ChannelHandler) List(c *gin.Context) {
 		}
 		result = append(result, entry)
 	}
-	if err := rows.Err(); err != nil {
-		log.Printf("Channels list rows.Err workspace=%s: %v", workspaceID, err)
-	}
 
 	c.JSON(http.StatusOK, result)
 }
@@ -152,6 +149,15 @@ func (h *ChannelHandler) Create(c *gin.Context) {
 		return
 	}
 
+	// #319: encrypt sensitive fields (bot_token, webhook_secret) before
+	// persisting so a DB read/backup leak can't recover the credentials.
+	// Validation above ran against plaintext; storage is ciphertext.
+	if err := channels.EncryptSensitiveFields(body.Config); err != nil {
+		log.Printf("Channels: encrypt config failed for workspace %s: %v", workspaceID, err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "encrypt failed"})
+		return
+	}
+
 	configJSON, _ := json.Marshal(body.Config)
 	allowedJSON, _ := json.Marshal(body.AllowedUsers)
 	enabled := true
@@ -508,9 +514,6 @@ func (h *ChannelHandler) Webhook(c *gin.Context) {
 			candidates = append(candidates, row)
 		}
 	}
-	if err := rows.Err(); err != nil {
-		log.Printf("Channels webhook rows.Err channel_type=%s: %v", channelType, err)
-	}
 
 	if targetSlug != "" {
 		// [slug] routing — match against config username (lowercased)

workspace-server/internal/handlers/channels_test.go

@@ -7,7 +7,6 @@ import (
 	"crypto/rand"
 	"encoding/hex"
 	"encoding/json"
-	"errors"
 	"io"
 	"net/http"
 	"net/http/httptest"
@@ -1014,61 +1013,6 @@ func TestChannelHandler_Webhook_Discord_InvalidSig_Returns401(t *testing.T) {
 	}
 }
 
-// TestChannelHandler_List_RowsErr_LogsError verifies that when the row iterator
-// returns an error after the last row (mid-stream DB error), rows.Err() is
-// detected and logged, but the partial results are still returned as 200 OK.
-// This is the fix for the missing rows.Err() check in List().
-func TestChannelHandler_List_RowsErr_LogsError(t *testing.T) {
-	mock := setupTestDB(t)
-	handler := NewChannelHandler(newTestChannelManager())
-
-	// Return one valid row (row 0), then a second row (row 1) that triggers a
-	// scan error. RowError is indexed from 0, so RowError(1, ...) affects the
-	// second AddRow. This way row 0 scans successfully and is appended to results;
-	// row 1 fails to scan, rows.Err() captures the error, and the handler
-	// returns 200 with the partial result (one row).
-	rows := sqlmock.NewRows([]string{
-		"id", "workspace_id", "channel_type", "channel_config", "enabled",
-		"allowed_users", "last_message_at", "message_count", "created_at", "updated_at",
-	}).AddRow(
-		// Row 0 — valid; appended to results.
-		"ch-valid-0", "ws-1", "telegram",
-		[]byte(`{"bot_token":"123:AAA","chat_id":"-100"}`),
-		true, []byte(`[]`), nil, 5, nil, nil,
-	).AddRow(
-		// Row 1 — will fail to scan due to RowError(1, ...); skipped.
-		"ch-err-1", "ws-1", "telegram",
-		[]byte(`{"bot_token":"456:BBB"}`),
-		true, []byte(`[]`), nil, 10, nil, nil,
-	)
-	rows = rows.RowError(1, errors.New("connection lost"))
-
-	mock.ExpectQuery("SELECT .* FROM workspace_channels WHERE workspace_id").
-		WithArgs("ws-1").
-		WillReturnRows(rows)
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Request, _ = http.NewRequest("GET", "/workspaces/ws-1/channels", nil)
-	c.Params = gin.Params{{Key: "id", Value: "ws-1"}}
-
-	handler.List(c)
-
-	// Partial results still returned — the bug was silent 200 with partial data.
-	if w.Code != 200 {
-		t.Errorf("expected 200 (partial results on rows.Err), got %d: %s", w.Code, w.Body.String())
-	}
-	// The rows.Err() is logged, not surfaced to the client (non-fatal).
-	var result []map[string]interface{}
-	json.Unmarshal(w.Body.Bytes(), &result)
-	if len(result) == 0 {
-		t.Error("expected at least partial results despite rows.Err")
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("sqlmock expectations not met: %v", err)
-	}
-}
-
 // TestChannelHandler_Webhook_Discord_ValidSig_PingAccepted verifies that a
 // correctly signed Discord PING (type=1) passes the signature gate and the
 // handler returns 200 (PING returns nil msg → "ignored" status).

workspace-server/internal/handlers/template_files_agent_home_stub_test.go

@@ -1,181 +0,0 @@
-package handlers
-
-// template_files_agent_home_stub_test.go — Phase 1 stub tests for issue #1247
-// (internal#425 RFC).
-//
-// Phase 1 stub contract:
-//   • allowedRoots["/agent-home"] = true  (templates.go)
-//   • GET/POST/PUT/DELETE with ?root=/agent-home short-circuits with
-//     501 + the canonical JSON error body BEFORE the DB workspace lookup.
-//     This prevents "workspace not found" log noise from probe requests.
-//   • Error message for an unknown root now mentions /agent-home as a known key.
-//
-// Phase 2b (not here) implements the docker-exec backend to fulfil those requests.
-
-import (
-	"database/sql"
-	"net/http"
-	"net/http/httptest"
-	"strings"
-	"testing"
-
-	"github.com/DATA-DOG/go-sqlmock"
-	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
-	"github.com/gin-gonic/gin"
-)
-
-// canonicalAgentHomeBody is the exact 501 response body the Phase 1 stub must emit.
-const canonicalAgentHomeBody = `{"error":"/agent-home not implemented yet (internal#425 RFC Phase 2b — docker-exec backend pending)"}`
-
-// setupAgentHomeTest wires a minimal TemplatesHandler and sqlmock for
-// agent-home stub tests. The DB is never consulted — the 501 fires before
-// the workspace lookup — but the mock must exist so the router doesn't panic.
-func setupAgentHomeTest(t *testing.T) (*TemplatesHandler, sqlmock.Sqlmock, *httptest.ResponseRecorder, *gin.Context) {
-	t.Helper()
-	mockDB, mock, err := sqlmock.New()
-	if err != nil {
-		t.Fatalf("sqlmock.New: %v", err)
-	}
-	db.DB = mockDB
-	t.Cleanup(func() { db.DB = nil; mockDB.Close() })
-
-	handler := NewTemplatesHandler(t.TempDir(), nil, nil)
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	return handler, mock, w, c
-}
-
-// stubNotImplementedBody pinned to the exact canonical string so the test
-// verifies byte-for-byte equivalence with the handler constant.
-func TestAgentHomeStub_NotImplementedBodyIsCanonical(t *testing.T) {
-	if stubNotImplementedBody != canonicalAgentHomeBody {
-		t.Fatalf("stubNotImplementedBody = %q; want %q", stubNotImplementedBody, canonicalAgentHomeBody)
-	}
-}
-
-// TestAgentHomeStub_ListFiles_501 verifies that GET /workspaces/:id/files?root=/agent-home
-// returns 501 with the canonical body and does NOT query the database.
-func TestAgentHomeStub_ListFiles_501(t *testing.T) {
-	h, mock, w, c := setupAgentHomeTest(t)
-	c.Request = httptest.NewRequest("GET", "/workspaces/ws-123/files?root=/agent-home", nil)
-	c.Params = []gin.Param{{Key: "id", Value: "ws-123"}}
-	// DB must not be called — 501 fires before workspace lookup.
-	// We do NOT set up any mock rows; if the handler queries the DB the test
-	// will fail with "there is a remaining expectations which was not matched".
-	h.ListFiles(c)
-
-	if w.Code != http.StatusNotImplemented {
-		t.Errorf("ListFiles?root=/agent-home: got status %d, want 501", w.Code)
-	}
-	if ct := w.Header().Get("Content-Type"); !strings.Contains(ct, "application/json") {
-		t.Errorf("Content-Type = %q, want application/json", ct)
-	}
-	if body := w.Body.String(); body != canonicalAgentHomeBody {
-		t.Errorf("body = %q; want %q", body, canonicalAgentHomeBody)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
-// TestAgentHomeStub_ReadFile_501 verifies that GET /workspaces/:id/files/path?root=/agent-home
-// returns 501 and does NOT query the database.
-func TestAgentHomeStub_ReadFile_501(t *testing.T) {
-	h, mock, w, c := setupAgentHomeTest(t)
-	c.Request = httptest.NewRequest("GET", "/workspaces/ws-123/files/config.yaml?root=/agent-home", nil)
-	c.Params = []gin.Param{{Key: "id", Value: "ws-123"}}
-	c.Params = append(c.Params, gin.Param{Key: "path", Value: "config.yaml"})
-	h.ReadFile(c)
-
-	if w.Code != http.StatusNotImplemented {
-		t.Errorf("ReadFile?root=/agent-home: got status %d, want 501", w.Code)
-	}
-	if body := w.Body.String(); body != canonicalAgentHomeBody {
-		t.Errorf("body = %q; want %q", body, canonicalAgentHomeBody)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
-// TestAgentHomeStub_WriteFile_501 verifies that PUT /workspaces/:id/files/path?root=/agent-home
-// returns 501 and does NOT query the database.
-func TestAgentHomeStub_WriteFile_501(t *testing.T) {
-	h, mock, w, c := setupAgentHomeTest(t)
-	body := `{"content":"hello"}`
-	c.Request = httptest.NewRequest("PUT", "/workspaces/ws-123/files/config.yaml?root=/agent-home", strings.NewReader(body))
-	c.Request.Header.Set("Content-Type", "application/json")
-	c.Params = []gin.Param{{Key: "id", Value: "ws-123"}}
-	c.Params = append(c.Params, gin.Param{Key: "path", Value: "config.yaml"})
-	h.WriteFile(c)
-
-	if w.Code != http.StatusNotImplemented {
-		t.Errorf("WriteFile?root=/agent-home: got status %d, want 501", w.Code)
-	}
-	if body := w.Body.String(); body != canonicalAgentHomeBody {
-		t.Errorf("body = %q; want %q", body, canonicalAgentHomeBody)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
-// TestAgentHomeStub_DeleteFile_501 verifies that DELETE /workspaces/:id/files/path?root=/agent-home
-// returns 501 and does NOT query the database.
-func TestAgentHomeStub_DeleteFile_501(t *testing.T) {
-	h, mock, w, c := setupAgentHomeTest(t)
-	c.Request = httptest.NewRequest("DELETE", "/workspaces/ws-123/files/config.yaml?root=/agent-home", nil)
-	c.Params = []gin.Param{{Key: "id", Value: "ws-123"}}
-	c.Params = append(c.Params, gin.Param{Key: "path", Value: "config.yaml"})
-	h.DeleteFile(c)
-
-	if w.Code != http.StatusNotImplemented {
-		t.Errorf("DeleteFile?root=/agent-home: got status %d, want 501", w.Code)
-	}
-	if body := w.Body.String(); body != canonicalAgentHomeBody {
-		t.Errorf("body = %q; want %q", body, canonicalAgentHomeBody)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
-// TestAgentHomeStub_AllowedRootsPinned verifies that /agent-home is in
-// allowedRoots so that the stub short-circuit is reachable.
-func TestAgentHomeStub_AllowedRootsPinned(t *testing.T) {
-	if !allowedRoots["/agent-home"] {
-		t.Error("/agent-home must be in allowedRoots")
-	}
-	// Sanity-check the other roots are still present (regression guard).
-	for _, root := range []string{"/configs", "/workspace", "/home", "/plugins"} {
-		if !allowedRoots[root] {
-			t.Errorf("%s must still be in allowedRoots", root)
-		}
-	}
-}
-
-// TestAgentHomeStub_OtherRoots_Return400OnBadWorkspace verifies that the four
-// original roots still route through to the DB path — they return 404 (or 400)
-// for a bad workspace ID, NOT 501. Only /agent-home short-circuits with 501.
-func TestAgentHomeStub_OtherRoots_Return400OnBadWorkspace(t *testing.T) {
-	h, mock, _, _ := setupAgentHomeTest(t)
-
-	// Representative case: /configs with a bad workspace ID.
-	// DB returns ErrNoRows → handler returns 404, not 501.
-	mock.ExpectQuery(`SELECT name, COALESCE`).WithArgs("bad-ws").WillReturnError(sql.ErrNoRows)
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Request = httptest.NewRequest("GET", "/workspaces/bad-ws/files?root=/configs", nil)
-	c.Params = []gin.Param{{Key: "id", Value: "bad-ws"}}
-	h.ListFiles(c)
-
-	// 404 → workspace not found (DB returned ErrNoRows), NOT 501.
-	if w.Code == http.StatusNotImplemented {
-		t.Error("/configs must NOT return 501 — only /agent-home short-circuits")
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-	_ = h // suppress unused
-}

workspace-server/internal/handlers/templates.go

@@ -19,22 +19,12 @@ import (
 
 // allowedRoots are the container paths that the Files API can browse.
 var allowedRoots = map[string]bool{
-	"/configs":     true,
-	"/workspace":    true,
-	"/home":        true,
-	"/plugins":     true,
-	"/agent-home":  true, // Phase 1 stub — docker-exec backend in Phase 2b (internal#425 RFC)
+	"/configs":   true,
+	"/workspace": true,
+	"/home":      true,
+	"/plugins":   true,
 }
 
-// isAgentHomeStubRequest returns true when rootPath targets the /agent-home
-// root. Phase 1 returns 501; Phase 2b implements the docker-exec backend.
-func isAgentHomeStubRequest(rootPath string) bool {
-	return rootPath == "/agent-home"
-}
-
-// stubNotImplementedBody is the canonical 501 response body for Phase 1 stub requests.
-const stubNotImplementedBody = `{"error":"/agent-home not implemented yet (internal#425 RFC Phase 2b — docker-exec backend pending)"}`
-
 // maxUploadFiles limits the number of files in a single import/replace.
 const maxUploadFiles = 200
 
@@ -229,15 +219,7 @@ func (h *TemplatesHandler) ListFiles(c *gin.Context) {
 	//   ?depth= — max depth to recurse (default: 1, max: 5)
 	rootPath := c.DefaultQuery("root", "/configs")
 	if !allowedRoots[rootPath] {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "root must be one of: /configs, /workspace, /home, /plugins, /agent-home"})
-		return
-	}
-	// Phase 1 stub — fires BEFORE the DB lookup so probe requests don't
-	// generate "workspace not found" log noise. Phase 2b implements the
-	// docker-exec backend (internal#425 RFC).
-	if isAgentHomeStubRequest(rootPath) {
-		c.Header("Content-Type", "application/json")
-		c.String(http.StatusNotImplemented, stubNotImplementedBody)
+		c.JSON(http.StatusBadRequest, gin.H{"error": "root must be one of: /configs, /workspace, /home, /plugins"})
 		return
 	}
 	subPath := c.DefaultQuery("path", "")
@@ -401,13 +383,7 @@ func (h *TemplatesHandler) ReadFile(c *gin.Context) {
 	ctx := c.Request.Context()
 	rootPath := c.DefaultQuery("root", "/configs")
 	if !allowedRoots[rootPath] {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "root must be one of: /configs, /workspace, /home, /plugins, /agent-home"})
-		return
-	}
-	// Phase 1 stub — fires BEFORE the DB lookup (internal#425 RFC Phase 2b).
-	if isAgentHomeStubRequest(rootPath) {
-		c.Header("Content-Type", "application/json")
-		c.String(http.StatusNotImplemented, stubNotImplementedBody)
+		c.JSON(http.StatusBadRequest, gin.H{"error": "root must be one of: /configs, /workspace, /home, /plugins"})
 		return
 	}
 
@@ -520,13 +496,7 @@ func (h *TemplatesHandler) WriteFile(c *gin.Context) {
 	ctx := c.Request.Context()
 	rootPath := c.DefaultQuery("root", "/configs")
 	if !allowedRoots[rootPath] {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "root must be one of: /configs, /workspace, /home, /plugins, /agent-home"})
-		return
-	}
-	// Phase 1 stub — fires BEFORE the DB lookup (internal#425 RFC Phase 2b).
-	if isAgentHomeStubRequest(rootPath) {
-		c.Header("Content-Type", "application/json")
-		c.String(http.StatusNotImplemented, stubNotImplementedBody)
+		c.JSON(http.StatusBadRequest, gin.H{"error": "root must be one of: /configs, /workspace, /home, /plugins"})
 		return
 	}
 	var wsName, instanceID, runtime string
@@ -603,13 +573,7 @@ func (h *TemplatesHandler) DeleteFile(c *gin.Context) {
 	ctx := c.Request.Context()
 	rootPath := c.DefaultQuery("root", "/configs")
 	if !allowedRoots[rootPath] {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "root must be one of: /configs, /workspace, /home, /plugins, /agent-home"})
-		return
-	}
-	// Phase 1 stub — fires BEFORE the DB lookup (internal#425 RFC Phase 2b).
-	if isAgentHomeStubRequest(rootPath) {
-		c.Header("Content-Type", "application/json")
-		c.String(http.StatusNotImplemented, stubNotImplementedBody)
+		c.JSON(http.StatusBadRequest, gin.H{"error": "root must be one of: /configs, /workspace, /home, /plugins"})
 		return
 	}
 	var wsName, instanceID, runtime string

workspace-server/internal/handlers/workspace_abilities_test.go

@@ -0,0 +1,317 @@
+package handlers
+
+import (
+	"database/sql"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/DATA-DOG/go-sqlmock"
+	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
+	"github.com/gin-gonic/gin"
+)
+
+// setupAbilitiesDB creates a sqlmock DB with QueryMatcherEqual for exact SQL matching.
+func setupAbilitiesDB(t *testing.T) sqlmock.Sqlmock {
+	t.Helper()
+	mockDB, mock, err := sqlmock.New(sqlmock.QueryMatcherOption(sqlmock.QueryMatcherEqual))
+	if err != nil {
+		t.Fatalf("sqlmock.New: %v", err)
+	}
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })
+	return mock
+}
+
+// Exact SQL strings used by the production handler.
+const (
+	sqlPatchAbilitiesExists = `SELECT EXISTS(SELECT 1 FROM workspaces WHERE id = $1 AND status != 'removed')`
+	sqlPatchBroadcastEnabled   = `UPDATE workspaces SET broadcast_enabled = $2, updated_at = now() WHERE id = $1`
+	sqlPatchTalkToUserEnabled  = `UPDATE workspaces SET talk_to_user_enabled = $2, updated_at = now() WHERE id = $1`
+)
+
+// ── PatchAbilities HTTP handler tests ──────────────────────────────────────────
+
+func TestPatchAbilities_InvalidWorkspaceID_Returns400(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	setupAbilitiesDB(t)
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "not-a-uuid"}}
+	c.Request = httptest.NewRequest(http.MethodPatch, "/workspaces/not-a-uuid/abilities", nil)
+
+	PatchAbilities(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("got %d, want 400", w.Code)
+	}
+}
+
+func TestPatchAbilities_InvalidBody_Returns400(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	setupAbilitiesDB(t)
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"}}
+	c.Request = httptest.NewRequest(http.MethodPatch,
+		"/workspaces/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/abilities",
+		newFakeCloser([]byte("not json")))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	PatchAbilities(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("got %d, want 400", w.Code)
+	}
+}
+
+func TestPatchAbilities_NoAbilityFields_Returns400(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	setupAbilitiesDB(t)
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"}}
+	c.Request = httptest.NewRequest(http.MethodPatch,
+		"/workspaces/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/abilities",
+		newFakeCloser([]byte(`{}`)))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	PatchAbilities(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("got %d, want 400", w.Code)
+	}
+}
+
+func TestPatchAbilities_WorkspaceNotFound_Returns404(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	mock := setupAbilitiesDB(t)
+	wsID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+
+	mock.ExpectQuery(sqlPatchAbilitiesExists).
+		WithArgs(wsID).
+		WillReturnError(sql.ErrNoRows)
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: wsID}}
+	c.Request = httptest.NewRequest(http.MethodPatch, "/workspaces/"+wsID+"/abilities",
+		newFakeCloser([]byte(`{"broadcast_enabled":true}`)))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	PatchAbilities(c)
+
+	if w.Code != http.StatusNotFound {
+		t.Errorf("got %d, want 404: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestPatchAbilities_WorkspaceNotFound_ExistsFalse_Returns404(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	mock := setupAbilitiesDB(t)
+	wsID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+
+	mock.ExpectQuery(sqlPatchAbilitiesExists).
+		WithArgs(wsID).
+		WillReturnRows(sqlmock.NewRows([]string{"exists"}).AddRow(false))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: wsID}}
+	c.Request = httptest.NewRequest(http.MethodPatch, "/workspaces/"+wsID+"/abilities",
+		newFakeCloser([]byte(`{"talk_to_user_enabled":false}`)))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	PatchAbilities(c)
+
+	if w.Code != http.StatusNotFound {
+		t.Errorf("got %d, want 404: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestPatchAbilities_UpdateBroadcastEnabled_Success(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	mock := setupAbilitiesDB(t)
+	wsID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+
+	mock.ExpectQuery(sqlPatchAbilitiesExists).
+		WithArgs(wsID).
+		WillReturnRows(sqlmock.NewRows([]string{"exists"}).AddRow(true))
+
+	mock.ExpectExec(sqlPatchBroadcastEnabled).
+		WithArgs(wsID, true).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: wsID}}
+	c.Request = httptest.NewRequest(http.MethodPatch, "/workspaces/"+wsID+"/abilities",
+		newFakeCloser([]byte(`{"broadcast_enabled":true}`)))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	PatchAbilities(c)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("got %d, want 200: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestPatchAbilities_UpdateTalkToUserEnabled_Success(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	mock := setupAbilitiesDB(t)
+	wsID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+
+	mock.ExpectQuery(sqlPatchAbilitiesExists).
+		WithArgs(wsID).
+		WillReturnRows(sqlmock.NewRows([]string{"exists"}).AddRow(true))
+
+	mock.ExpectExec(sqlPatchTalkToUserEnabled).
+		WithArgs(wsID, false).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: wsID}}
+	c.Request = httptest.NewRequest(http.MethodPatch, "/workspaces/"+wsID+"/abilities",
+		newFakeCloser([]byte(`{"talk_to_user_enabled":false}`)))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	PatchAbilities(c)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("got %d, want 200: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestPatchAbilities_UpdateBothAbilities_Success(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	mock := setupAbilitiesDB(t)
+	wsID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+
+	mock.ExpectQuery(sqlPatchAbilitiesExists).
+		WithArgs(wsID).
+		WillReturnRows(sqlmock.NewRows([]string{"exists"}).AddRow(true))
+
+	mock.ExpectExec(sqlPatchBroadcastEnabled).
+		WithArgs(wsID, true).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	mock.ExpectExec(sqlPatchTalkToUserEnabled).
+		WithArgs(wsID, false).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: wsID}}
+	c.Request = httptest.NewRequest(http.MethodPatch, "/workspaces/"+wsID+"/abilities",
+		newFakeCloser([]byte(`{"broadcast_enabled":true,"talk_to_user_enabled":false}`)))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	PatchAbilities(c)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("got %d, want 200: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestPatchAbilities_BroadcastEnabledDBError_Returns500(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	mock := setupAbilitiesDB(t)
+	wsID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+
+	mock.ExpectQuery(sqlPatchAbilitiesExists).
+		WithArgs(wsID).
+		WillReturnRows(sqlmock.NewRows([]string{"exists"}).AddRow(true))
+
+	mock.ExpectExec(sqlPatchBroadcastEnabled).
+		WithArgs(wsID, true).
+		WillReturnError(sql.ErrConnDone)
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: wsID}}
+	c.Request = httptest.NewRequest(http.MethodPatch, "/workspaces/"+wsID+"/abilities",
+		newFakeCloser([]byte(`{"broadcast_enabled":true}`)))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	PatchAbilities(c)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Errorf("got %d, want 500: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestPatchAbilities_TalkToUserEnabledDBError_Returns500(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	mock := setupAbilitiesDB(t)
+	wsID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+
+	mock.ExpectQuery(sqlPatchAbilitiesExists).
+		WithArgs(wsID).
+		WillReturnRows(sqlmock.NewRows([]string{"exists"}).AddRow(true))
+
+	mock.ExpectExec(sqlPatchTalkToUserEnabled).
+		WithArgs(wsID, true).
+		WillReturnError(sql.ErrConnDone)
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: wsID}}
+	c.Request = httptest.NewRequest(http.MethodPatch, "/workspaces/"+wsID+"/abilities",
+		newFakeCloser([]byte(`{"talk_to_user_enabled":true}`)))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	PatchAbilities(c)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Errorf("got %d, want 500: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+// ── Helpers ────────────────────────────────────────────────────────────────────
+
+// newFakeCloser wraps a byte slice as an io.ReadCloser for request body injection.
+func newFakeCloser(data []byte) *fakeReadCloser {
+	return &fakeReadCloser{data: data}
+}
+
+type fakeReadCloser struct {
+	data []byte
+	pos  int
+}
+
+func (f *fakeReadCloser) Read(p []byte) (n int, err error) {
+	if f.pos >= len(f.data) {
+		return 0, nil
+	}
+	n = copy(p, f.data[f.pos:])
+	f.pos += n
+	return n, nil
+}
+
+func (*fakeReadCloser) Close() error { return nil }

workspace-server/internal/handlers/workspace_broadcast_test.go

@@ -0,0 +1,403 @@
+package handlers
+
+import (
+	"database/sql"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/DATA-DOG/go-sqlmock"
+	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
+	"github.com/gin-gonic/gin"
+)
+
+// broadcastBody is a convenience that returns an io.ReadCloser wrapping JSON body.
+func broadcastBody(body string) io.ReadCloser {
+	return &broadcastFakeCloser{data: []byte(body)}
+}
+
+type broadcastFakeCloser struct {
+	data []byte
+	pos  int
+}
+
+func (f *broadcastFakeCloser) Read(p []byte) (n int, err error) {
+	if f.pos >= len(f.data) {
+		return 0, io.EOF
+	}
+	n = copy(p, f.data[f.pos:])
+	f.pos += n
+	return n, nil
+}
+
+func (*broadcastFakeCloser) Close() error { return nil }
+
+// setupBroadcastDB creates a sqlmock DB with QueryMatcherEqual.
+func setupBroadcastDB(t *testing.T) sqlmock.Sqlmock {
+	t.Helper()
+	mockDB, mock, err := sqlmock.New(sqlmock.QueryMatcherOption(sqlmock.QueryMatcherEqual))
+	if err != nil {
+		t.Fatalf("sqlmock.New: %v", err)
+	}
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })
+	return mock
+}
+
+// Exact SQL strings from the production handler (whitespace must match verbatim).
+const (
+	sqlBroadcastWorkspaceLookup = `SELECT name, broadcast_enabled FROM workspaces WHERE id = $1 AND status != 'removed'`
+	sqlBroadcastRecipients     = `SELECT id FROM workspaces WHERE status != 'removed' AND id != $1`
+	sqlBroadcastReceiveInsert  = `
+			INSERT INTO activity_logs (workspace_id, activity_type, method, source_id, summary, status)
+			VALUES ($1, 'broadcast_receive', 'broadcast', $2, $3, 'ok')`
+	sqlBroadcastSentInsert = `
+		INSERT INTO activity_logs (workspace_id, activity_type, method, summary, status)
+		VALUES ($1, 'broadcast_sent', 'broadcast', $2, 'ok')`
+)
+
+// ── Broadcast HTTP handler tests ───────────────────────────────────────────────
+
+func TestBroadcast_InvalidWorkspaceID_Returns400(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	setupBroadcastDB(t)
+	h := NewBroadcastHandler(newTestBroadcaster())
+
+	r := gin.New()
+	r.POST("/workspaces/:id/broadcast", h.Broadcast)
+
+	req := httptest.NewRequest(http.MethodPost, "/workspaces/not-a-uuid/broadcast",
+		broadcastBody(`{"message":"hello"}`))
+	req.Header.Set("Content-Type", "application/json")
+	w := httptest.NewRecorder()
+	r.ServeHTTP(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("got %d, want 400: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestBroadcast_MissingMessage_Returns400(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	setupBroadcastDB(t)
+	h := NewBroadcastHandler(newTestBroadcaster())
+
+	r := gin.New()
+	r.POST("/workspaces/:id/broadcast", h.Broadcast)
+
+	req := httptest.NewRequest(http.MethodPost,
+		"/workspaces/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/broadcast",
+		broadcastBody(`{}`))
+	req.Header.Set("Content-Type", "application/json")
+	w := httptest.NewRecorder()
+	r.ServeHTTP(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("got %d, want 400: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestBroadcast_EmptyMessage_Returns400(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	setupBroadcastDB(t)
+	h := NewBroadcastHandler(newTestBroadcaster())
+
+	r := gin.New()
+	r.POST("/workspaces/:id/broadcast", h.Broadcast)
+
+	req := httptest.NewRequest(http.MethodPost,
+		"/workspaces/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/broadcast",
+		broadcastBody(`{"message":""}`))
+	req.Header.Set("Content-Type", "application/json")
+	w := httptest.NewRecorder()
+	r.ServeHTTP(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("got %d, want 400: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestBroadcast_WorkspaceNotFound_Returns404(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	mock := setupBroadcastDB(t)
+	h := NewBroadcastHandler(newTestBroadcaster())
+
+	wsID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+
+	mock.ExpectQuery(sqlBroadcastWorkspaceLookup).
+		WithArgs(wsID).
+		WillReturnError(sql.ErrNoRows)
+
+	r := gin.New()
+	r.POST("/workspaces/:id/broadcast", h.Broadcast)
+
+	req := httptest.NewRequest(http.MethodPost, "/workspaces/"+wsID+"/broadcast",
+		broadcastBody(`{"message":"hello"}`))
+	req.Header.Set("Content-Type", "application/json")
+	w := httptest.NewRecorder()
+	r.ServeHTTP(w, req)
+
+	if w.Code != http.StatusNotFound {
+		t.Errorf("got %d, want 404: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestBroadcast_BroadcastDisabled_Returns403(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	mock := setupBroadcastDB(t)
+	h := NewBroadcastHandler(newTestBroadcaster())
+
+	wsID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+
+	mock.ExpectQuery(sqlBroadcastWorkspaceLookup).
+		WithArgs(wsID).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "broadcast_enabled"}).
+			AddRow("test-workspace", false))
+
+	r := gin.New()
+	r.POST("/workspaces/:id/broadcast", h.Broadcast)
+
+	req := httptest.NewRequest(http.MethodPost, "/workspaces/"+wsID+"/broadcast",
+		broadcastBody(`{"message":"hello"}`))
+	req.Header.Set("Content-Type", "application/json")
+	w := httptest.NewRecorder()
+	r.ServeHTTP(w, req)
+
+	if w.Code != http.StatusForbidden {
+		t.Errorf("got %d, want 403: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestBroadcast_NoRecipients_Success(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	mock := setupBroadcastDB(t)
+	h := NewBroadcastHandler(newTestBroadcaster())
+
+	wsID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+
+	mock.ExpectQuery(sqlBroadcastWorkspaceLookup).
+		WithArgs(wsID).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "broadcast_enabled"}).
+			AddRow("test-workspace", true))
+
+	// No recipients (sender is the only non-removed workspace)
+	mock.ExpectQuery(sqlBroadcastRecipients).
+		WithArgs(wsID).
+		WillReturnRows(sqlmock.NewRows([]string{"id"}))
+
+	// Sender's own activity log: 2 args (workspaceID, summary)
+	mock.ExpectExec(sqlBroadcastSentInsert).
+		WithArgs(wsID, sqlmock.AnyArg()).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	r := gin.New()
+	r.POST("/workspaces/:id/broadcast", h.Broadcast)
+
+	req := httptest.NewRequest(http.MethodPost, "/workspaces/"+wsID+"/broadcast",
+		broadcastBody(`{"message":"hello everyone"}`))
+	req.Header.Set("Content-Type", "application/json")
+	w := httptest.NewRecorder()
+	r.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("got %d, want 200: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestBroadcast_WithRecipients_Success_DeliversToAll(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	mock := setupBroadcastDB(t)
+	h := NewBroadcastHandler(newTestBroadcaster())
+
+	wsID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+	recipient1 := "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
+	recipient2 := "cccccccc-cccc-cccc-cccc-cccccccccccc"
+
+	mock.ExpectQuery(sqlBroadcastWorkspaceLookup).
+		WithArgs(wsID).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "broadcast_enabled"}).
+			AddRow("broadcaster-ws", true))
+
+	mock.ExpectQuery(sqlBroadcastRecipients).
+		WithArgs(wsID).
+		WillReturnRows(sqlmock.NewRows([]string{"id"}).
+			AddRow(recipient1).
+			AddRow(recipient2))
+
+	// broadcast_receive: 3 args (recipientID, senderID, summary)
+	mock.ExpectExec(sqlBroadcastReceiveInsert).
+		WithArgs(recipient1, sqlmock.AnyArg(), sqlmock.AnyArg()).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	mock.ExpectExec(sqlBroadcastReceiveInsert).
+		WithArgs(recipient2, sqlmock.AnyArg(), sqlmock.AnyArg()).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	// broadcast_sent: 2 args (workspaceID, summary)
+	mock.ExpectExec(sqlBroadcastSentInsert).
+		WithArgs(wsID, sqlmock.AnyArg()).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	r := gin.New()
+	r.POST("/workspaces/:id/broadcast", h.Broadcast)
+
+	req := httptest.NewRequest(http.MethodPost, "/workspaces/"+wsID+"/broadcast",
+		broadcastBody(`{"message":"hello team"}`))
+	req.Header.Set("Content-Type", "application/json")
+	w := httptest.NewRecorder()
+	r.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("got %d, want 200: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestBroadcast_RecipientInsertError_ContinuesAndSucceeds(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	mock := setupBroadcastDB(t)
+	h := NewBroadcastHandler(newTestBroadcaster())
+
+	wsID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+	recipient1 := "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
+	recipient2 := "cccccccc-cccc-cccc-cccc-cccccccccccc"
+
+	mock.ExpectQuery(sqlBroadcastWorkspaceLookup).
+		WithArgs(wsID).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "broadcast_enabled"}).
+			AddRow("broadcaster-ws", true))
+
+	mock.ExpectQuery(sqlBroadcastRecipients).
+		WithArgs(wsID).
+		WillReturnRows(sqlmock.NewRows([]string{"id"}).
+			AddRow(recipient1).
+			AddRow(recipient2))
+
+	// First recipient insert fails — handler logs and continues
+	mock.ExpectExec(sqlBroadcastReceiveInsert).
+		WithArgs(recipient1, sqlmock.AnyArg(), sqlmock.AnyArg()).
+		WillReturnError(sql.ErrConnDone)
+
+	// Second recipient succeeds
+	mock.ExpectExec(sqlBroadcastReceiveInsert).
+		WithArgs(recipient2, sqlmock.AnyArg(), sqlmock.AnyArg()).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	mock.ExpectExec(sqlBroadcastSentInsert).
+		WithArgs(wsID, sqlmock.AnyArg()).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	r := gin.New()
+	r.POST("/workspaces/:id/broadcast", h.Broadcast)
+
+	req := httptest.NewRequest(http.MethodPost, "/workspaces/"+wsID+"/broadcast",
+		broadcastBody(`{"message":"partial delivery"}`))
+	req.Header.Set("Content-Type", "application/json")
+	w := httptest.NewRecorder()
+	r.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("got %d, want 200: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestBroadcast_SenderActivityLogError_StillReturns200(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	mock := setupBroadcastDB(t)
+	h := NewBroadcastHandler(newTestBroadcaster())
+
+	wsID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+
+	mock.ExpectQuery(sqlBroadcastWorkspaceLookup).
+		WithArgs(wsID).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "broadcast_enabled"}).
+			AddRow("broadcaster-ws", true))
+
+	mock.ExpectQuery(sqlBroadcastRecipients).
+		WithArgs(wsID).
+		WillReturnRows(sqlmock.NewRows([]string{"id"}))
+
+	mock.ExpectExec(sqlBroadcastSentInsert).
+		WithArgs(wsID, sqlmock.AnyArg()).
+		WillReturnError(sql.ErrConnDone)
+
+	r := gin.New()
+	r.POST("/workspaces/:id/broadcast", h.Broadcast)
+
+	req := httptest.NewRequest(http.MethodPost, "/workspaces/"+wsID+"/broadcast",
+		broadcastBody(`{"message":"hello"}`))
+	req.Header.Set("Content-Type", "application/json")
+	w := httptest.NewRecorder()
+	r.ServeHTTP(w, req)
+
+	// Handler logs error but still returns 200
+	if w.Code != http.StatusOK {
+		t.Errorf("got %d, want 200: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+// ── broadcastTruncate pure function tests ─────────────────────────────────────
+
+func TestBroadcastTruncate_UnderLimit(t *testing.T) {
+	input := "short message"
+	got := broadcastTruncate(input, 50)
+	if got != input {
+		t.Errorf("broadcastTruncate(%q, 50) = %q, want %q", input, got, input)
+	}
+}
+
+func TestBroadcastTruncate_ExactlyAtLimit(t *testing.T) {
+	input := "exactly fifty char"
+	got := broadcastTruncate(input, 18)
+	if got != input {
+		t.Errorf("broadcastTruncate(%q, 18) = %q, want %q", input, got, input)
+	}
+}
+
+func TestBroadcastTruncate_OverLimit_TruncatesAndAddsEllipsis(t *testing.T) {
+	// 150 ASCII chars → over 120 rune limit → truncate to 120 + ellipsis
+	input := strings.Repeat("x", 150)
+	got := broadcastTruncate(input, 120)
+	if len([]rune(got)) != 121 { // 120 + 1 ellipsis rune
+		t.Errorf("len(broadcastTruncate) = %d, want 121 (120 + ellipsis)", len([]rune(got)))
+	}
+	if got[:len(got)-len("…")] != strings.Repeat("x", 120) {
+		t.Errorf("broadcastTruncate did not truncate correctly")
+	}
+}
+
+func TestBroadcastTruncate_UnicodeChars_TreatsAsRunes(t *testing.T) {
+	// Each emoji is 1 rune but multiple bytes. 50 emojis > 30 limit.
+	input := strings.Repeat("🎉", 50)
+	got := broadcastTruncate(input, 30)
+	if len([]rune(got)) != 31 { // 30 + ellipsis
+		t.Errorf("len(broadcastTruncate with emoji) = %d, want 31", len([]rune(got)))
+	}
+}
+
+func TestBroadcastTruncate_ZeroLimit_ReturnsEllipsis(t *testing.T) {
+	got := broadcastTruncate("hello", 0)
+	if got != "…" {
+		t.Errorf("broadcastTruncate with max=0 = %q, want …", got)
+	}
+}