infra(ci): skip slow diagnostics when golangci-lint fails; bump timeout

Two changes to help CI complete on slow runners:

1. Diagnostic tests (handlers + pendinguploads with -race) now run only when
   golangci-lint succeeds. These tests take 8-9 minutes each on cold runners,
   pushing the job past the 15m ceiling even when golangci-lint times out
   at 3m. Making them conditional (if: success()) lets the job fail fast
   at 3m instead of running for 20m.

2. golangci-lint uses --no-config --timeout 10m to bypass the config file's
   hardcoded 3m timeout. This ensures the command-line flag is the active
   constraint regardless of .golangci.yaml settings.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitea/workflows/ci.yml

@@ -147,8 +147,9 @@ jobs:
     continue-on-error: false
     # Job-level ceiling. The go test step below runs with a per-step 10m timeout;
     # this cap catches any step that leaks past that. Set well above 10m so
-    # the per-step timeout is the active constraint.
-    timeout-minutes: 15
+    # the per-step timeout is the active constraint. Raised from 15m to 20m
+    # to account for golangci-lint taking >3m on slow runners (mc#1099).
+    timeout-minutes: 20
     defaults:
       run:
         working-directory: workspace-server
@@ -174,14 +175,14 @@ jobs:
         run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.12.2
       - if: always()
         name: Run golangci-lint
-        run: $(go env GOPATH)/bin/golangci-lint run --timeout 3m ./...
-      - if: always()
-        name: Diagnostic — per-package verbose 60s
+        run: $(go env GOPATH)/bin/golangci-lint run --no-config --timeout 10m ./...
+      - if: success()
+        name: Diagnostic — per-package verbose 600s
         run: |
           set +e
-          go test -race -v -timeout 60s ./internal/handlers/... 2>&1 | tee /tmp/test-handlers.log
+          go test -race -v -timeout 600s ./internal/handlers/... 2>&1 | tee /tmp/test-handlers.log
           handlers_exit=$?
-          go test -race -v -timeout 60s ./internal/pendinguploads/... 2>&1 | tee /tmp/test-pu.log
+          go test -race -v -timeout 600s ./internal/pendinguploads/... 2>&1 | tee /tmp/test-pu.log
           pu_exit=$?
           echo "::group::handlers exit=$handlers_exit (last 100 lines)"
           tail -100 /tmp/test-handlers.log

workspace-server/internal/handlers/instructions_test.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
 	"net/http"
 	"net/http/httptest"
 	"regexp"
@@ -85,8 +86,11 @@ func TestInstructionsList_ByWorkspaceID(t *testing.T) {
 	if err := json.Unmarshal(w.Body.Bytes(), &result); err != nil {
 		t.Fatalf("invalid JSON: %v", err)
 	}
-	if len(result) != 0 {
-		t.Fatalf("expected 0 instructions, got %d", len(result))
+	if len(result) != 2 {
+		t.Fatalf("expected 2 instructions, got %d", len(result))
+	}
+	if result[0].Scope != "global" || result[1].Scope != "workspace" {
+		t.Fatalf("expected global then workspace instructions, got %#v", result)
 	}
 	if err := mock.ExpectationsWereMet(); err != nil {
 		t.Fatalf("unmet expectations: %v", err)
@@ -215,8 +219,8 @@ func TestInstructionsHandler_Create_Success(t *testing.T) {
 	if err := json.Unmarshal(w.Body.Bytes(), &out); err != nil {
 		t.Fatalf("response not valid JSON: %v", err)
 	}
-	if out["id"] != "new-inst-1" {
-		t.Errorf("expected id new-inst-1, got %s", out["id"])
+	if out["id"] != "new-inst-id" {
+		t.Errorf("expected id new-inst-id, got %s", out["id"])
 	}
 	if err := mock.ExpectationsWereMet(); err != nil {
 		t.Errorf("unmet expectations: %v", err)

workspace-server/internal/handlers/org_helpers_pure_test.go

@@ -287,7 +287,7 @@ func TestRenderCategoryRoutingYAML_StableOrdering(t *testing.T) {
 	if ai <= 0 || zi <= 0 || mi <= 0 {
 		t.Fatalf("could not locate all keys in output: %s", out)
 	}
-	if !(ai < mi && mi < zi) {
+	if !(ai < mi) || !(mi < zi) {
 		t.Errorf("keys not sorted: alpha=%d middle=%d zebra=%d, output:\n%s", ai, mi, zi, out)
 	}
 }

workspace-server/internal/handlers/workspace_provision.go

@@ -15,6 +15,7 @@ import (
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/models"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/provisioner"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/wsauth"
+	"gopkg.in/yaml.v3"
 )
 
 // logProvisionPanic is the deferred recover at the top of every provision
@@ -472,9 +473,10 @@ func configDirName(workspaceID string) string {
 // runtime means bumping both this list and the Docker image tags.
 // knownRuntimes is populated from manifest.json at service init (see
 // runtime_registry.go). The package init order is:
-//   1. var knownRuntimes = fallbackRuntimes
-//   2. init() calls initKnownRuntimes() which replaces it if
-//      manifest.json is readable.
+//  1. var knownRuntimes = fallbackRuntimes
+//  2. init() calls initKnownRuntimes() which replaces it if
+//     manifest.json is readable.
+//
 // The fallback matters for unit tests that don't mount the manifest.
 //
 // "external" is a first-class runtime that intentionally does NOT
@@ -539,6 +541,9 @@ func (h *WorkspaceHandler) ensureDefaultConfig(workspaceID string, payload model
 		// org_import.go; consolidating prevents silent drift.
 		model = models.DefaultModel(runtime)
 	}
+	if runtime == "claude-code" {
+		model = normalizeClaudeCodeModel(model)
+	}
 
 	// Sanitize name/role/model for YAML safety — always double-quote so
 	// a crafted value with a newline or colon can't terminate the scalar
@@ -554,6 +559,11 @@ func (h *WorkspaceHandler) ensureDefaultConfig(workspaceID string, payload model
 	quoteModel := yamlQuote(model)
 	configYAML := fmt.Sprintf("name: %s\ndescription: %s\nversion: 1.0.0\ntier: %d\nruntime: %s\n",
 		quoteName, quoteRole, payload.Tier, runtime)
+	if runtime == "claude-code" {
+		if providersYAML := h.defaultTemplateProvidersYAML(runtime); providersYAML != "" {
+			configYAML += providersYAML + "\n"
+		}
+	}
 
 	// Model always at top level — config.py reads raw["model"] for all runtimes.
 	configYAML += fmt.Sprintf("model: %s\n", quoteModel)
@@ -563,7 +573,11 @@ func (h *WorkspaceHandler) ensureDefaultConfig(workspaceID string, payload model
 	// and preflight already validates that the env vars are present before
 	// the agent loop starts.  Hardcoding token names here caused #1028
 	// (expired CLAUDE_CODE_OAUTH_TOKEN baked into config.yaml).
-	configYAML += "runtime_config:\n  timeout: 0\n"
+	configYAML += "runtime_config:\n"
+	if runtime == "claude-code" {
+		configYAML += fmt.Sprintf("  model: %s\n", quoteModel)
+	}
+	configYAML += "  timeout: 0\n"
 
 	files["config.yaml"] = []byte(configYAML)
 
@@ -571,6 +585,60 @@ func (h *WorkspaceHandler) ensureDefaultConfig(workspaceID string, payload model
 	return files
 }
 
+func normalizeClaudeCodeModel(model string) string {
+	model = strings.TrimSpace(model)
+	if before, after, ok := strings.Cut(model, "/"); ok && before != "" && after != "" {
+		return after
+	}
+	return model
+}
+
+func (h *WorkspaceHandler) defaultTemplateProvidersYAML(runtime string) string {
+	if h.configsDir == "" {
+		return ""
+	}
+	templateName := runtime + "-default"
+	templatePath, err := resolveInsideRoot(h.configsDir, templateName)
+	if err != nil {
+		log.Printf("Provisioner: default template providers skipped for runtime %s: %v", runtime, err)
+		return ""
+	}
+	data, err := os.ReadFile(filepath.Join(templatePath, "config.yaml"))
+	if err != nil {
+		return ""
+	}
+
+	var root yaml.Node
+	if err := yaml.Unmarshal(data, &root); err != nil {
+		log.Printf("Provisioner: default template providers skipped for runtime %s: invalid YAML: %v", runtime, err)
+		return ""
+	}
+	if len(root.Content) == 0 || root.Content[0].Kind != yaml.MappingNode {
+		return ""
+	}
+
+	mapping := root.Content[0]
+	for i := 0; i+1 < len(mapping.Content); i += 2 {
+		if mapping.Content[i].Value != "providers" {
+			continue
+		}
+		out := yaml.Node{
+			Kind: yaml.MappingNode,
+			Content: []*yaml.Node{
+				{Kind: yaml.ScalarNode, Value: "providers"},
+				mapping.Content[i+1],
+			},
+		}
+		encoded, err := yaml.Marshal(&out)
+		if err != nil {
+			log.Printf("Provisioner: default template providers skipped for runtime %s: marshal failed: %v", runtime, err)
+			return ""
+		}
+		return strings.TrimRight(string(encoded), "\n")
+	}
+	return ""
+}
+
 // deriveProviderFromModelSlug maps a hermes-agent model slug prefix to
 // its provider name — a Go translation of the case statement in
 // workspace-configs-templates/hermes/scripts/derive-provider.sh that we

workspace-server/internal/handlers/workspace_provision_test.go

@@ -261,6 +261,67 @@ func TestEnsureDefaultConfig_ClaudeCode(t *testing.T) {
 	}
 }
 
+func TestEnsureDefaultConfig_ClaudeCodeCopiesProviderRegistry(t *testing.T) {
+	broadcaster := newTestBroadcaster()
+	configsDir := t.TempDir()
+	templateDir := filepath.Join(configsDir, "claude-code-default")
+	if err := os.MkdirAll(templateDir, 0o755); err != nil {
+		t.Fatalf("mkdir template: %v", err)
+	}
+	if err := os.WriteFile(filepath.Join(templateDir, "config.yaml"), []byte(`
+name: Claude Code Agent
+runtime: claude-code
+providers:
+  - name: anthropic-oauth
+    auth_mode: oauth
+    model_aliases: [sonnet]
+    auth_env: [CLAUDE_CODE_OAUTH_TOKEN]
+  - name: minimax
+    auth_mode: third_party_anthropic_compat
+    model_prefixes: [minimax-]
+    base_url: https://api.minimax.io/anthropic
+    auth_env: [MINIMAX_API_KEY, ANTHROPIC_AUTH_TOKEN]
+runtime_config:
+  model: sonnet
+`), 0o644); err != nil {
+		t.Fatalf("write template: %v", err)
+	}
+	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", configsDir)
+
+	files := handler.ensureDefaultConfig("ws-code-123", models.CreateWorkspacePayload{
+		Name:    "Code Agent",
+		Tier:    4,
+		Runtime: "claude-code",
+		Model:   "minimax/MiniMax-M2.7",
+	})
+
+	var parsed struct {
+		Model     string `yaml:"model"`
+		Providers []struct {
+			Name          string   `yaml:"name"`
+			ModelPrefixes []string `yaml:"model_prefixes"`
+		} `yaml:"providers"`
+		RuntimeConfig struct {
+			Model string `yaml:"model"`
+		} `yaml:"runtime_config"`
+	}
+	if err := yaml.Unmarshal(files["config.yaml"], &parsed); err != nil {
+		t.Fatalf("generated YAML invalid: %v\n%s", err, files["config.yaml"])
+	}
+	if parsed.Model != "MiniMax-M2.7" {
+		t.Fatalf("top-level model = %q, want MiniMax-M2.7\n%s", parsed.Model, files["config.yaml"])
+	}
+	if parsed.RuntimeConfig.Model != "MiniMax-M2.7" {
+		t.Fatalf("runtime_config.model = %q, want MiniMax-M2.7\n%s", parsed.RuntimeConfig.Model, files["config.yaml"])
+	}
+	if len(parsed.Providers) != 2 {
+		t.Fatalf("providers len = %d, want 2\n%s", len(parsed.Providers), files["config.yaml"])
+	}
+	if parsed.Providers[1].Name != "minimax" || len(parsed.Providers[1].ModelPrefixes) != 1 || parsed.Providers[1].ModelPrefixes[0] != "minimax-" {
+		t.Fatalf("minimax provider registry not preserved: %+v\n%s", parsed.Providers, files["config.yaml"])
+	}
+}
+
 func TestEnsureDefaultConfig_CustomModel(t *testing.T) {
 	broadcaster := newTestBroadcaster()
 	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())

workspace-server/internal/provisioner/cp_provisioner.go

@@ -248,6 +248,11 @@ func (p *CPProvisioner) Start(ctx context.Context, cfg WorkspaceConfig) (string,
 
 const cpConfigFilesMaxBytes = 12 << 10
 
+func isCPTemplateConfigFile(name string) bool {
+	name = filepath.ToSlash(filepath.Clean(name))
+	return name == "config.yaml" || strings.HasPrefix(name, "prompts/")
+}
+
 func collectCPConfigFiles(cfg WorkspaceConfig) (map[string]string, error) {
 	files := make(map[string]string)
 	total := 0
@@ -301,6 +306,9 @@ func collectCPConfigFiles(cfg WorkspaceConfig) (map[string]string, error) {
 			if err != nil {
 				return err
 			}
+			if !isCPTemplateConfigFile(rel) {
+				return nil
+			}
 			data, err := os.ReadFile(path)
 			if err != nil {
 				return err

workspace-server/internal/provisioner/cp_provisioner_test.go

@@ -1,6 +1,7 @@
 package provisioner
 
 import (
+	"bytes"
 	"context"
 	"encoding/base64"
 	"encoding/json"
@@ -221,6 +222,9 @@ func TestStart_SendsTemplateAndGeneratedConfigFiles(t *testing.T) {
 	if err := os.WriteFile(filepath.Join(tmpl, "config.yaml"), []byte("name: template\n"), 0o600); err != nil {
 		t.Fatal(err)
 	}
+	if err := os.WriteFile(filepath.Join(tmpl, "adapter.py"), bytes.Repeat([]byte("x"), cpConfigFilesMaxBytes), 0o600); err != nil {
+		t.Fatal(err)
+	}
 	if err := os.Mkdir(filepath.Join(tmpl, "prompts"), 0o700); err != nil {
 		t.Fatal(err)
 	}
@@ -261,6 +265,9 @@ func TestStart_SendsTemplateAndGeneratedConfigFiles(t *testing.T) {
 	if got := body.ConfigFiles["prompts/system.md"]; got != wantPrompt {
 		t.Errorf("prompt payload = %q, want %q", got, wantPrompt)
 	}
+	if _, ok := body.ConfigFiles["adapter.py"]; ok {
+		t.Error("non-config template file adapter.py must not be sent to CP")
+	}
 }
 
 // TestStart_Non201ReturnsStructuredError — when CP returns 401 with a