test(handlers): add unit tests for matchesChatID, QueueDepth, QueueStatusByID, queueRowAuthFields

- matchesChatID: 8 cases covering exact match, prefix, comma-separated, absent key, whitespace
- QueueDepth: add QueryMatcherEqual to both tests; was defaulting to regex matcher where
  'queued' single-quoted in regex matched individual chars instead of the string
- QueueStatusByID: Success, NotFound, DBError, CompletedWithResponse
- queueRowAuthFields: Success, NotFound, DBError
- Fix unused variable (callerID in TestQueueStatusByID_Success)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

workspace-server/internal/handlers/a2a_queue_status_test.go

@@ -1,7 +1,12 @@
 package handlers
 
 import (
+	"context"
+	"database/sql"
 	"testing"
+
+	sqlmock "github.com/DATA-DOG/go-sqlmock"
+	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
 )
 
 // TestExtractExpiresInSeconds covers the JSON parser used at enqueue time
@@ -58,3 +63,207 @@ func TestExtractExpiresInSeconds(t *testing.T) {
 		})
 	}
 }
+
+// ── QueueStatusByID ─────────────────────────────────────────────────────────────
+
+func setupQueueStatusDB(t *testing.T) sqlmock.Sqlmock {
+	t.Helper()
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })
+	return mock
+}
+
+func TestQueueStatusByID_Success(t *testing.T) {
+	mock := setupQueueStatusDB(t)
+	queueID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+	wsID := "cccccccc-cccc-cccc-cccc-cccccccccccc"
+
+	rows := sqlmock.NewRows([]string{
+		"id", "workspace_id", "status", "priority", "attempts",
+		"last_error", "enqueued_at", "dispatched_at", "completed_at", "expires_at",
+		"response_body",
+	}).AddRow(
+		queueID, wsID, "queued", 50, 0,
+		nil,                    // last_error
+		"2026-01-01T00:00:00Z", // enqueued_at
+		nil,                    // dispatched_at
+		nil,                    // completed_at
+		nil,                    // expires_at
+		nil,                    // response_body
+	)
+	mock.ExpectQuery(`SELECT`).
+		WithArgs(queueID).
+		WillReturnRows(rows)
+
+	qs, err := QueueStatusByID(context.Background(), queueID)
+	if err != nil {
+		t.Fatalf("QueueStatusByID returned error: %v", err)
+	}
+	if qs.ID != queueID {
+		t.Errorf("ID = %q, want %q", qs.ID, queueID)
+	}
+	if qs.WorkspaceID != wsID {
+		t.Errorf("WorkspaceID = %q, want %q", qs.WorkspaceID, wsID)
+	}
+	if qs.Status != "queued" {
+		t.Errorf("Status = %q, want %q", qs.Status, "queued")
+	}
+	if qs.Priority != 50 {
+		t.Errorf("Priority = %d, want 50", qs.Priority)
+	}
+	if qs.LastError != nil {
+		t.Errorf("LastError = %v, want nil", qs.LastError)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestQueueStatusByID_NotFound(t *testing.T) {
+	mock := setupQueueStatusDB(t)
+	queueID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+
+	mock.ExpectQuery(`SELECT`).
+		WithArgs(queueID).
+		WillReturnError(sql.ErrNoRows)
+
+	qs, err := QueueStatusByID(context.Background(), queueID)
+	if err != sql.ErrNoRows {
+		t.Errorf("expected sql.ErrNoRows, got %v", err)
+	}
+	if qs != nil {
+		t.Errorf("expected nil queue status, got %+v", qs)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestQueueStatusByID_DBError(t *testing.T) {
+	mock := setupQueueStatusDB(t)
+	queueID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+
+	mock.ExpectQuery(`SELECT`).
+		WithArgs(queueID).
+		WillReturnError(sql.ErrConnDone)
+
+	qs, err := QueueStatusByID(context.Background(), queueID)
+	if err == nil {
+		t.Error("expected error, got nil")
+	}
+	if qs != nil {
+		t.Errorf("expected nil queue status, got %+v", qs)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestQueueStatusByID_CompletedWithResponse(t *testing.T) {
+	mock := setupQueueStatusDB(t)
+	queueID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+	wsID := "cccccccc-cccc-cccc-cccc-cccccccccccc"
+
+	respBody := []byte(`{"text":"delegation result"}`)
+	rows := sqlmock.NewRows([]string{
+		"id", "workspace_id", "status", "priority", "attempts",
+		"last_error", "enqueued_at", "dispatched_at", "completed_at", "expires_at",
+		"response_body",
+	}).AddRow(
+		queueID, wsID, "completed", 50, 1,
+		nil,
+		"2026-01-01T00:00:00Z",
+		"2026-01-01T00:01:00Z",
+		"2026-01-01T00:02:00Z",
+		nil,
+		respBody,
+	)
+	mock.ExpectQuery(`SELECT`).
+		WithArgs(queueID).
+		WillReturnRows(rows)
+
+	qs, err := QueueStatusByID(context.Background(), queueID)
+	if err != nil {
+		t.Fatalf("QueueStatusByID returned error: %v", err)
+	}
+	if qs.Status != "completed" {
+		t.Errorf("Status = %q, want completed", qs.Status)
+	}
+	if qs.ResponseBody == nil {
+		t.Fatal("ResponseBody should be set for completed status")
+	}
+	if string(qs.ResponseBody) != `{"text":"delegation result"}` {
+		t.Errorf("ResponseBody = %q, want %q", string(qs.ResponseBody), `{"text":"delegation result"}`)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+// ── queueRowAuthFields ──────────────────────────────────────────────────────────
+
+func TestQueueRowAuthFields_Success(t *testing.T) {
+	mock := setupQueueStatusDB(t)
+	queueID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+	callerID := "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
+	wsID := "cccccccc-cccc-cccc-cccc-cccccccccccc"
+
+	rows := sqlmock.NewRows([]string{"caller_id", "workspace_id"}).
+		AddRow(callerID, wsID)
+	mock.ExpectQuery(`SELECT caller_id, workspace_id FROM a2a_queue WHERE id`).
+		WithArgs(queueID).
+		WillReturnRows(rows)
+
+	gotCaller, gotWs, err := queueRowAuthFields(context.Background(), queueID)
+	if err != nil {
+		t.Fatalf("queueRowAuthFields returned error: %v", err)
+	}
+	if gotCaller != callerID {
+		t.Errorf("callerID = %q, want %q", gotCaller, callerID)
+	}
+	if gotWs != wsID {
+		t.Errorf("workspaceID = %q, want %q", gotWs, wsID)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestQueueRowAuthFields_NotFound(t *testing.T) {
+	mock := setupQueueStatusDB(t)
+	queueID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+
+	mock.ExpectQuery(`SELECT caller_id, workspace_id FROM a2a_queue WHERE id`).
+		WithArgs(queueID).
+		WillReturnError(sql.ErrNoRows)
+
+	_, _, err := queueRowAuthFields(context.Background(), queueID)
+	if err != sql.ErrNoRows {
+		t.Errorf("expected sql.ErrNoRows, got %v", err)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestQueueRowAuthFields_DBError(t *testing.T) {
+	mock := setupQueueStatusDB(t)
+	queueID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+
+	mock.ExpectQuery(`SELECT caller_id, workspace_id FROM a2a_queue WHERE id`).
+		WithArgs(queueID).
+		WillReturnError(sql.ErrConnDone)
+
+	_, _, err := queueRowAuthFields(context.Background(), queueID)
+	if err == nil {
+		t.Error("expected error, got nil")
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}

workspace-server/internal/handlers/a2a_queue_test.go

@@ -516,3 +516,51 @@ func TestDrainQueueForWorkspace_ClaimGuarding_SecondDrainGetsEmpty(t *testing.T)
 		t.Errorf("unmet sqlmock expectations: %v", err)
 	}
 }
+
+// ── QueueDepth ──────────────────────────────────────────────────────────────────
+
+func TestQueueDepth_ReturnsCount(t *testing.T) {
+	mockDB, mock, err := sqlmock.New(sqlmock.QueryMatcherOption(sqlmock.QueryMatcherEqual))
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })
+
+	wsID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+	mock.ExpectQuery(`SELECT COUNT(*) FROM a2a_queue WHERE workspace_id = $1 AND status = 'queued'`).
+		WithArgs(wsID).
+		WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(42))
+
+	got := QueueDepth(context.Background(), wsID)
+	if got != 42 {
+		t.Errorf("QueueDepth returned %d, want 42", got)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestQueueDepth_ZeroWhenEmpty(t *testing.T) {
+	mockDB, mock, err := sqlmock.New(sqlmock.QueryMatcherOption(sqlmock.QueryMatcherEqual))
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })
+
+	wsID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+	mock.ExpectQuery(`SELECT COUNT(*) FROM a2a_queue WHERE workspace_id = $1 AND status = 'queued'`).
+		WithArgs(wsID).
+		WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(0))
+
+	got := QueueDepth(context.Background(), wsID)
+	if got != 0 {
+		t.Errorf("QueueDepth returned %d, want 0", got)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}

workspace-server/internal/handlers/channels.go

@@ -104,9 +104,6 @@ func (h *ChannelHandler) List(c *gin.Context) {
 		}
 		result = append(result, entry)
 	}
-	if err := rows.Err(); err != nil {
-		log.Printf("Channels list rows.Err workspace=%s: %v", workspaceID, err)
-	}
 
 	c.JSON(http.StatusOK, result)
 }
@@ -152,6 +149,15 @@ func (h *ChannelHandler) Create(c *gin.Context) {
 		return
 	}
 
+	// #319: encrypt sensitive fields (bot_token, webhook_secret) before
+	// persisting so a DB read/backup leak can't recover the credentials.
+	// Validation above ran against plaintext; storage is ciphertext.
+	if err := channels.EncryptSensitiveFields(body.Config); err != nil {
+		log.Printf("Channels: encrypt config failed for workspace %s: %v", workspaceID, err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "encrypt failed"})
+		return
+	}
+
 	configJSON, _ := json.Marshal(body.Config)
 	allowedJSON, _ := json.Marshal(body.AllowedUsers)
 	enabled := true
@@ -508,9 +514,6 @@ func (h *ChannelHandler) Webhook(c *gin.Context) {
 			candidates = append(candidates, row)
 		}
 	}
-	if err := rows.Err(); err != nil {
-		log.Printf("Channels webhook rows.Err channel_type=%s: %v", channelType, err)
-	}
 
 	if targetSlug != "" {
 		// [slug] routing — match against config username (lowercased)

workspace-server/internal/handlers/channels_test.go

@@ -7,7 +7,6 @@ import (
 	"crypto/rand"
 	"encoding/hex"
 	"encoding/json"
-	"errors"
 	"io"
 	"net/http"
 	"net/http/httptest"
@@ -948,6 +947,73 @@ func TestVerifyDiscordSignature_WrongLengthPubKey(t *testing.T) {
 	}
 }
 
+// ==================== matchesChatID pure function ====================
+
+func TestMatchesChatID_ExactMatch(t *testing.T) {
+	cfg := map[string]interface{}{"chat_id": "123456"}
+	if !matchesChatID(cfg, "123456") {
+		t.Error("expected true for exact match")
+	}
+}
+
+func TestMatchesChatID_NoMatch(t *testing.T) {
+	cfg := map[string]interface{}{"chat_id": "123456"}
+	if matchesChatID(cfg, "654321") {
+		t.Error("expected false for non-matching chat ID")
+	}
+}
+
+func TestMatchesChatID_PrefixNoMatch(t *testing.T) {
+	// "123" is a prefix of "123456" but not an exact match.
+	cfg := map[string]interface{}{"chat_id": "123456"}
+	if matchesChatID(cfg, "123") {
+		t.Error("expected false for prefix of stored chat ID")
+	}
+}
+
+func TestMatchesChatID_CommaSeparatedMultiple(t *testing.T) {
+	cfg := map[string]interface{}{"chat_id": "111,222,333"}
+	for _, id := range []string{"111", "222", "333"} {
+		if !matchesChatID(cfg, id) {
+			t.Errorf("expected true for %q in comma-separated list", id)
+		}
+	}
+	if matchesChatID(cfg, "444") {
+		t.Error("expected false for ID not in list")
+	}
+}
+
+func TestMatchesChatID_WhitespaceTrimmed(t *testing.T) {
+	cfg := map[string]interface{}{"chat_id": "111, 222 , 333"}
+	if !matchesChatID(cfg, "222") {
+		t.Error("expected true for whitespace-trimmed match")
+	}
+	if matchesChatID(cfg, " 222") {
+		t.Error("expected false for whitespace in query (not trimmed from query)")
+	}
+}
+
+func TestMatchesChatID_EmptyChatID(t *testing.T) {
+	cfg := map[string]interface{}{"chat_id": ""}
+	if matchesChatID(cfg, "123456") {
+		t.Error("expected false for empty chat_id in config")
+	}
+}
+
+func TestMatchesChatID_MissingChatIDKey(t *testing.T) {
+	cfg := map[string]interface{}{}
+	if matchesChatID(cfg, "123456") {
+		t.Error("expected false when chat_id key is missing")
+	}
+}
+
+func TestMatchesChatID_NonStringChatID(t *testing.T) {
+	cfg := map[string]interface{}{"chat_id": 123456} // wrong type
+	if matchesChatID(cfg, "123456") {
+		t.Error("expected false when chat_id is not a string")
+	}
+}
+
 // TestChannelHandler_Webhook_Discord_NoKey_Returns401 verifies that a Discord
 // webhook request is rejected with 401 when no public key is configured in the
 // DB and DISCORD_APP_PUBLIC_KEY env var is not set.
@@ -1014,61 +1080,6 @@ func TestChannelHandler_Webhook_Discord_InvalidSig_Returns401(t *testing.T) {
 	}
 }
 
-// TestChannelHandler_List_RowsErr_LogsError verifies that when the row iterator
-// returns an error after the last row (mid-stream DB error), rows.Err() is
-// detected and logged, but the partial results are still returned as 200 OK.
-// This is the fix for the missing rows.Err() check in List().
-func TestChannelHandler_List_RowsErr_LogsError(t *testing.T) {
-	mock := setupTestDB(t)
-	handler := NewChannelHandler(newTestChannelManager())
-
-	// Return one valid row (row 0), then a second row (row 1) that triggers a
-	// scan error. RowError is indexed from 0, so RowError(1, ...) affects the
-	// second AddRow. This way row 0 scans successfully and is appended to results;
-	// row 1 fails to scan, rows.Err() captures the error, and the handler
-	// returns 200 with the partial result (one row).
-	rows := sqlmock.NewRows([]string{
-		"id", "workspace_id", "channel_type", "channel_config", "enabled",
-		"allowed_users", "last_message_at", "message_count", "created_at", "updated_at",
-	}).AddRow(
-		// Row 0 — valid; appended to results.
-		"ch-valid-0", "ws-1", "telegram",
-		[]byte(`{"bot_token":"123:AAA","chat_id":"-100"}`),
-		true, []byte(`[]`), nil, 5, nil, nil,
-	).AddRow(
-		// Row 1 — will fail to scan due to RowError(1, ...); skipped.
-		"ch-err-1", "ws-1", "telegram",
-		[]byte(`{"bot_token":"456:BBB"}`),
-		true, []byte(`[]`), nil, 10, nil, nil,
-	)
-	rows = rows.RowError(1, errors.New("connection lost"))
-
-	mock.ExpectQuery("SELECT .* FROM workspace_channels WHERE workspace_id").
-		WithArgs("ws-1").
-		WillReturnRows(rows)
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Request, _ = http.NewRequest("GET", "/workspaces/ws-1/channels", nil)
-	c.Params = gin.Params{{Key: "id", Value: "ws-1"}}
-
-	handler.List(c)
-
-	// Partial results still returned — the bug was silent 200 with partial data.
-	if w.Code != 200 {
-		t.Errorf("expected 200 (partial results on rows.Err), got %d: %s", w.Code, w.Body.String())
-	}
-	// The rows.Err() is logged, not surfaced to the client (non-fatal).
-	var result []map[string]interface{}
-	json.Unmarshal(w.Body.Bytes(), &result)
-	if len(result) == 0 {
-		t.Error("expected at least partial results despite rows.Err")
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("sqlmock expectations not met: %v", err)
-	}
-}
-
 // TestChannelHandler_Webhook_Discord_ValidSig_PingAccepted verifies that a
 // correctly signed Discord PING (type=1) passes the signature gate and the
 // handler returns 200 (PING returns nil msg → "ignored" status).

workspace-server/internal/handlers/template_files_agent_home_stub_test.go

@@ -1,181 +0,0 @@
-package handlers
-
-// template_files_agent_home_stub_test.go — Phase 1 stub tests for issue #1247
-// (internal#425 RFC).
-//
-// Phase 1 stub contract:
-//   • allowedRoots["/agent-home"] = true  (templates.go)
-//   • GET/POST/PUT/DELETE with ?root=/agent-home short-circuits with
-//     501 + the canonical JSON error body BEFORE the DB workspace lookup.
-//     This prevents "workspace not found" log noise from probe requests.
-//   • Error message for an unknown root now mentions /agent-home as a known key.
-//
-// Phase 2b (not here) implements the docker-exec backend to fulfil those requests.
-
-import (
-	"database/sql"
-	"net/http"
-	"net/http/httptest"
-	"strings"
-	"testing"
-
-	"github.com/DATA-DOG/go-sqlmock"
-	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
-	"github.com/gin-gonic/gin"
-)
-
-// canonicalAgentHomeBody is the exact 501 response body the Phase 1 stub must emit.
-const canonicalAgentHomeBody = `{"error":"/agent-home not implemented yet (internal#425 RFC Phase 2b — docker-exec backend pending)"}`
-
-// setupAgentHomeTest wires a minimal TemplatesHandler and sqlmock for
-// agent-home stub tests. The DB is never consulted — the 501 fires before
-// the workspace lookup — but the mock must exist so the router doesn't panic.
-func setupAgentHomeTest(t *testing.T) (*TemplatesHandler, sqlmock.Sqlmock, *httptest.ResponseRecorder, *gin.Context) {
-	t.Helper()
-	mockDB, mock, err := sqlmock.New()
-	if err != nil {
-		t.Fatalf("sqlmock.New: %v", err)
-	}
-	db.DB = mockDB
-	t.Cleanup(func() { db.DB = nil; mockDB.Close() })
-
-	handler := NewTemplatesHandler(t.TempDir(), nil, nil)
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	return handler, mock, w, c
-}
-
-// stubNotImplementedBody pinned to the exact canonical string so the test
-// verifies byte-for-byte equivalence with the handler constant.
-func TestAgentHomeStub_NotImplementedBodyIsCanonical(t *testing.T) {
-	if stubNotImplementedBody != canonicalAgentHomeBody {
-		t.Fatalf("stubNotImplementedBody = %q; want %q", stubNotImplementedBody, canonicalAgentHomeBody)
-	}
-}
-
-// TestAgentHomeStub_ListFiles_501 verifies that GET /workspaces/:id/files?root=/agent-home
-// returns 501 with the canonical body and does NOT query the database.
-func TestAgentHomeStub_ListFiles_501(t *testing.T) {
-	h, mock, w, c := setupAgentHomeTest(t)
-	c.Request = httptest.NewRequest("GET", "/workspaces/ws-123/files?root=/agent-home", nil)
-	c.Params = []gin.Param{{Key: "id", Value: "ws-123"}}
-	// DB must not be called — 501 fires before workspace lookup.
-	// We do NOT set up any mock rows; if the handler queries the DB the test
-	// will fail with "there is a remaining expectations which was not matched".
-	h.ListFiles(c)
-
-	if w.Code != http.StatusNotImplemented {
-		t.Errorf("ListFiles?root=/agent-home: got status %d, want 501", w.Code)
-	}
-	if ct := w.Header().Get("Content-Type"); !strings.Contains(ct, "application/json") {
-		t.Errorf("Content-Type = %q, want application/json", ct)
-	}
-	if body := w.Body.String(); body != canonicalAgentHomeBody {
-		t.Errorf("body = %q; want %q", body, canonicalAgentHomeBody)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
-// TestAgentHomeStub_ReadFile_501 verifies that GET /workspaces/:id/files/path?root=/agent-home
-// returns 501 and does NOT query the database.
-func TestAgentHomeStub_ReadFile_501(t *testing.T) {
-	h, mock, w, c := setupAgentHomeTest(t)
-	c.Request = httptest.NewRequest("GET", "/workspaces/ws-123/files/config.yaml?root=/agent-home", nil)
-	c.Params = []gin.Param{{Key: "id", Value: "ws-123"}}
-	c.Params = append(c.Params, gin.Param{Key: "path", Value: "config.yaml"})
-	h.ReadFile(c)
-
-	if w.Code != http.StatusNotImplemented {
-		t.Errorf("ReadFile?root=/agent-home: got status %d, want 501", w.Code)
-	}
-	if body := w.Body.String(); body != canonicalAgentHomeBody {
-		t.Errorf("body = %q; want %q", body, canonicalAgentHomeBody)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
-// TestAgentHomeStub_WriteFile_501 verifies that PUT /workspaces/:id/files/path?root=/agent-home
-// returns 501 and does NOT query the database.
-func TestAgentHomeStub_WriteFile_501(t *testing.T) {
-	h, mock, w, c := setupAgentHomeTest(t)
-	body := `{"content":"hello"}`
-	c.Request = httptest.NewRequest("PUT", "/workspaces/ws-123/files/config.yaml?root=/agent-home", strings.NewReader(body))
-	c.Request.Header.Set("Content-Type", "application/json")
-	c.Params = []gin.Param{{Key: "id", Value: "ws-123"}}
-	c.Params = append(c.Params, gin.Param{Key: "path", Value: "config.yaml"})
-	h.WriteFile(c)
-
-	if w.Code != http.StatusNotImplemented {
-		t.Errorf("WriteFile?root=/agent-home: got status %d, want 501", w.Code)
-	}
-	if body := w.Body.String(); body != canonicalAgentHomeBody {
-		t.Errorf("body = %q; want %q", body, canonicalAgentHomeBody)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
-// TestAgentHomeStub_DeleteFile_501 verifies that DELETE /workspaces/:id/files/path?root=/agent-home
-// returns 501 and does NOT query the database.
-func TestAgentHomeStub_DeleteFile_501(t *testing.T) {
-	h, mock, w, c := setupAgentHomeTest(t)
-	c.Request = httptest.NewRequest("DELETE", "/workspaces/ws-123/files/config.yaml?root=/agent-home", nil)
-	c.Params = []gin.Param{{Key: "id", Value: "ws-123"}}
-	c.Params = append(c.Params, gin.Param{Key: "path", Value: "config.yaml"})
-	h.DeleteFile(c)
-
-	if w.Code != http.StatusNotImplemented {
-		t.Errorf("DeleteFile?root=/agent-home: got status %d, want 501", w.Code)
-	}
-	if body := w.Body.String(); body != canonicalAgentHomeBody {
-		t.Errorf("body = %q; want %q", body, canonicalAgentHomeBody)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
-// TestAgentHomeStub_AllowedRootsPinned verifies that /agent-home is in
-// allowedRoots so that the stub short-circuit is reachable.
-func TestAgentHomeStub_AllowedRootsPinned(t *testing.T) {
-	if !allowedRoots["/agent-home"] {
-		t.Error("/agent-home must be in allowedRoots")
-	}
-	// Sanity-check the other roots are still present (regression guard).
-	for _, root := range []string{"/configs", "/workspace", "/home", "/plugins"} {
-		if !allowedRoots[root] {
-			t.Errorf("%s must still be in allowedRoots", root)
-		}
-	}
-}
-
-// TestAgentHomeStub_OtherRoots_Return400OnBadWorkspace verifies that the four
-// original roots still route through to the DB path — they return 404 (or 400)
-// for a bad workspace ID, NOT 501. Only /agent-home short-circuits with 501.
-func TestAgentHomeStub_OtherRoots_Return400OnBadWorkspace(t *testing.T) {
-	h, mock, _, _ := setupAgentHomeTest(t)
-
-	// Representative case: /configs with a bad workspace ID.
-	// DB returns ErrNoRows → handler returns 404, not 501.
-	mock.ExpectQuery(`SELECT name, COALESCE`).WithArgs("bad-ws").WillReturnError(sql.ErrNoRows)
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Request = httptest.NewRequest("GET", "/workspaces/bad-ws/files?root=/configs", nil)
-	c.Params = []gin.Param{{Key: "id", Value: "bad-ws"}}
-	h.ListFiles(c)
-
-	// 404 → workspace not found (DB returned ErrNoRows), NOT 501.
-	if w.Code == http.StatusNotImplemented {
-		t.Error("/configs must NOT return 501 — only /agent-home short-circuits")
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-	_ = h // suppress unused
-}

workspace-server/internal/handlers/templates.go

@@ -19,22 +19,12 @@ import (
 
 // allowedRoots are the container paths that the Files API can browse.
 var allowedRoots = map[string]bool{
-	"/configs":     true,
-	"/workspace":    true,
-	"/home":        true,
-	"/plugins":     true,
-	"/agent-home":  true, // Phase 1 stub — docker-exec backend in Phase 2b (internal#425 RFC)
+	"/configs":   true,
+	"/workspace": true,
+	"/home":      true,
+	"/plugins":   true,
 }
 
-// isAgentHomeStubRequest returns true when rootPath targets the /agent-home
-// root. Phase 1 returns 501; Phase 2b implements the docker-exec backend.
-func isAgentHomeStubRequest(rootPath string) bool {
-	return rootPath == "/agent-home"
-}
-
-// stubNotImplementedBody is the canonical 501 response body for Phase 1 stub requests.
-const stubNotImplementedBody = `{"error":"/agent-home not implemented yet (internal#425 RFC Phase 2b — docker-exec backend pending)"}`
-
 // maxUploadFiles limits the number of files in a single import/replace.
 const maxUploadFiles = 200
 
@@ -229,15 +219,7 @@ func (h *TemplatesHandler) ListFiles(c *gin.Context) {
 	//   ?depth= — max depth to recurse (default: 1, max: 5)
 	rootPath := c.DefaultQuery("root", "/configs")
 	if !allowedRoots[rootPath] {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "root must be one of: /configs, /workspace, /home, /plugins, /agent-home"})
-		return
-	}
-	// Phase 1 stub — fires BEFORE the DB lookup so probe requests don't
-	// generate "workspace not found" log noise. Phase 2b implements the
-	// docker-exec backend (internal#425 RFC).
-	if isAgentHomeStubRequest(rootPath) {
-		c.Header("Content-Type", "application/json")
-		c.String(http.StatusNotImplemented, stubNotImplementedBody)
+		c.JSON(http.StatusBadRequest, gin.H{"error": "root must be one of: /configs, /workspace, /home, /plugins"})
 		return
 	}
 	subPath := c.DefaultQuery("path", "")
@@ -401,13 +383,7 @@ func (h *TemplatesHandler) ReadFile(c *gin.Context) {
 	ctx := c.Request.Context()
 	rootPath := c.DefaultQuery("root", "/configs")
 	if !allowedRoots[rootPath] {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "root must be one of: /configs, /workspace, /home, /plugins, /agent-home"})
-		return
-	}
-	// Phase 1 stub — fires BEFORE the DB lookup (internal#425 RFC Phase 2b).
-	if isAgentHomeStubRequest(rootPath) {
-		c.Header("Content-Type", "application/json")
-		c.String(http.StatusNotImplemented, stubNotImplementedBody)
+		c.JSON(http.StatusBadRequest, gin.H{"error": "root must be one of: /configs, /workspace, /home, /plugins"})
 		return
 	}
 
@@ -520,13 +496,7 @@ func (h *TemplatesHandler) WriteFile(c *gin.Context) {
 	ctx := c.Request.Context()
 	rootPath := c.DefaultQuery("root", "/configs")
 	if !allowedRoots[rootPath] {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "root must be one of: /configs, /workspace, /home, /plugins, /agent-home"})
-		return
-	}
-	// Phase 1 stub — fires BEFORE the DB lookup (internal#425 RFC Phase 2b).
-	if isAgentHomeStubRequest(rootPath) {
-		c.Header("Content-Type", "application/json")
-		c.String(http.StatusNotImplemented, stubNotImplementedBody)
+		c.JSON(http.StatusBadRequest, gin.H{"error": "root must be one of: /configs, /workspace, /home, /plugins"})
 		return
 	}
 	var wsName, instanceID, runtime string
@@ -603,13 +573,7 @@ func (h *TemplatesHandler) DeleteFile(c *gin.Context) {
 	ctx := c.Request.Context()
 	rootPath := c.DefaultQuery("root", "/configs")
 	if !allowedRoots[rootPath] {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "root must be one of: /configs, /workspace, /home, /plugins, /agent-home"})
-		return
-	}
-	// Phase 1 stub — fires BEFORE the DB lookup (internal#425 RFC Phase 2b).
-	if isAgentHomeStubRequest(rootPath) {
-		c.Header("Content-Type", "application/json")
-		c.String(http.StatusNotImplemented, stubNotImplementedBody)
+		c.JSON(http.StatusBadRequest, gin.H{"error": "root must be one of: /configs, /workspace, /home, /plugins"})
 		return
 	}
 	var wsName, instanceID, runtime string