test(external_connection): add BuildExternalConnectionPayload + externalPlatformURL coverage

- TestBuildExternalConnectionPayload_HappyPath: verifies workspace_id,
  platform_url, auth_token, registry_endpoint, heartbeat_endpoint.
- TestBuildExternalConnectionPayload_TrailingSlashStripped: one trailing
  slash removed from platform URL input.
- TestBuildExternalConnectionPayload_EmptyAuthToken: empty token is valid
  for read-only "show instructions again" path.
- TestBuildExternalConnectionPayload_SnippetsStamped: all 8 snippet fields
  have {{PLATFORM_URL}} and {{WORKSPACE_ID}} substituted, no raw placeholders.
- TestExternalPlatformURL_EnvVarTakesPrecedence: EXTERNAL_PLATFORM_URL env
  wins over all request-based fallbacks.
- TestExternalPlatformURL_XForwardedProtoAndHost: X-Forwarded-{Proto,Host}
  headers override scheme/host.
- TestExternalPlatformURL_HTTPSNoHeaders: TLS nil → http, TLS set → https.
- TestExternalPlatformURL_HTTPNoTLS: explicit host + nil TLS → http://host.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

canvas/src/components/settings/SecretRow.tsx

@@ -3,24 +3,16 @@ import { useState, useCallback, useRef, useEffect } from 'react';
 import type { Secret, SecretGroup } from '@/types/secrets';
 import { useSecretsStore } from '@/stores/secrets-store';
 import { StatusBadge } from '@/components/ui/StatusBadge';
+import { RevealToggle } from '@/components/ui/RevealToggle';
 import { KeyValueField } from '@/components/ui/KeyValueField';
 import { ValidationHint } from '@/components/ui/ValidationHint';
 import { TestConnectionButton } from '@/components/ui/TestConnectionButton';
 import { validateSecretValue } from '@/lib/validation/secret-formats';
 import { SERVICES } from '@/lib/services';
 
+const AUTO_HIDE_MS = 30_000;
 const VALIDATION_DEBOUNCE_MS = 400;
 
-// Secret values are write-only from the browser: the server List endpoint
-// "Never exposes values", there is no per-secret decrypt route, and the
-// only decrypted path (GET /secrets/values) is bulk + token-gated for
-// remote agents. The old eye/RevealToggle was a dead affordance — it
-// flipped its own icon but could never reveal anything, which read as
-// "this doesn't work" (esp. once clicked → eye-with-slash). We show an
-// honest static indicator instead; rotation is via Edit.
-const WRITE_ONLY_TITLE =
-  'Value is write-only and cannot be revealed — use Edit to replace/rotate it';
-
 interface SecretRowProps {
   secret: Secret;
   workspaceId: string;
@@ -39,12 +31,28 @@ export function SecretRow({ secret, workspaceId }: SecretRowProps) {
   const setSecretStatus = useSecretsStore((s) => s.setSecretStatus);
 
   const isEditing = editingKey === secret.name;
+  const [revealed, setRevealed] = useState(false);
   const [editValue, setEditValue] = useState('');
   const [validationError, setValidationError] = useState<string | null>(null);
   const [isSaving, setIsSaving] = useState(false);
   const [saveError, setSaveError] = useState<string | null>(null);
   const debounceRef = useRef<ReturnType<typeof setTimeout>>(undefined);
   const editBtnRef = useRef<HTMLButtonElement>(null);
+  const revealTimerRef = useRef<ReturnType<typeof setTimeout>>(undefined);
+
+  // Auto-hide revealed value after 30s
+  useEffect(() => {
+    if (revealed) {
+      clearTimeout(revealTimerRef.current);
+      revealTimerRef.current = setTimeout(() => setRevealed(false), AUTO_HIDE_MS);
+      return () => clearTimeout(revealTimerRef.current);
+    }
+  }, [revealed]);
+
+  // Reset revealed state when panel closes (session-only)
+  useEffect(() => {
+    return () => setRevealed(false);
+  }, []);
 
   // Debounced validation
   useEffect(() => {
@@ -125,15 +133,11 @@ export function SecretRow({ secret, workspaceId }: SecretRowProps) {
           {secret.masked_value}
         </span>
         <div className="secret-row__actions">
-          <span
-            data-testid="write-only-indicator"
-            className="secret-row__write-only"
-            role="img"
-            aria-label={`${secret.name} value is write-only and cannot be revealed; use Edit to replace it`}
-            title={WRITE_ONLY_TITLE}
-          >
-            🔒
-          </span>
+          <RevealToggle
+            revealed={revealed}
+            onToggle={() => setRevealed((r) => !r)}
+            label={`Toggle reveal ${secret.name}`}
+          />
           <StatusBadge status={secret.status} />
           <button
             type="button"

canvas/src/components/settings/__tests__/SecretRow.test.tsx

@@ -138,54 +138,14 @@ describe("SecretRow — display mode", () => {
     expect(document.querySelector('[role="row"]')).toBeTruthy();
   });
 
-  it("has Copy, Edit, Delete buttons", () => {
+  it("has Reveal, Copy, Edit, Delete buttons", () => {
     render(<SecretRow secret={GITHUB_SECRET} workspaceId="ws-1" />);
+    expect(screen.getByTestId("reveal-toggle")).toBeTruthy();
     expect(screen.getByRole("button", { name: /copy/i })).toBeTruthy();
     expect(screen.getByRole("button", { name: /edit/i })).toBeTruthy();
     expect(screen.getByRole("button", { name: /delete/i })).toBeTruthy();
   });
 
-  // Regression: the reveal/eye control was a dead affordance. Clicking it
-  // flipped its own icon (eye → eye-with-slash) but never revealed the value,
-  // because secret values are write-only from the browser (server List
-  // "Never exposes values"; there is no per-secret decrypt endpoint and the
-  // client has no plaintext-fetch function). The honest fix removes the
-  // toggle and shows a static "write-only / cannot be revealed" indicator.
-  // See internal tracking issue + internal#210/#211.
-  it("does NOT render a reveal/eye toggle (values are write-only)", () => {
-    render(<SecretRow secret={GITHUB_SECRET} workspaceId="ws-1" />);
-    expect(screen.queryByTestId("reveal-toggle")).toBeNull();
-    expect(
-      screen.queryByRole("button", { name: /toggle reveal/i }),
-    ).toBeNull();
-  });
-
-  it("shows a write-only indicator explaining the value cannot be revealed", () => {
-    render(<SecretRow secret={ANTHROPIC_SECRET} workspaceId="ws-1" />);
-    const indicator = screen.getByTestId("write-only-indicator");
-    expect(indicator).toBeTruthy();
-    // Affordance must be honest: explain it cannot be revealed and that
-    // Edit is the rotate path. It must not be a clickable button.
-    const title = indicator.getAttribute("title") ?? "";
-    expect(title.toLowerCase()).toMatch(/write-only|cannot be revealed/);
-    expect(indicator.tagName).not.toBe("BUTTON");
-  });
-
-  it("write-only indicator is present for the Anthropic/OAuth-token row too", () => {
-    // The reported bug singled out CLAUDE_CODE_OAUTH_TOKEN (anthropic group);
-    // the fix is group-agnostic — every row gets the same honest affordance.
-    const OAUTH_SECRET = {
-      name: "CLAUDE_CODE_OAUTH_TOKEN",
-      masked_value: "••••••••••••••••9d2a",
-      group: "anthropic" as const,
-      status: "unverified" as const,
-      updated_at: "2024-01-04",
-    };
-    render(<SecretRow secret={OAUTH_SECRET} workspaceId="ws-1" />);
-    expect(screen.queryByTestId("reveal-toggle")).toBeNull();
-    expect(screen.getByTestId("write-only-indicator")).toBeTruthy();
-  });
-
   it("shows invalid status correctly", () => {
     render(<SecretRow secret={CUSTOM_SECRET} workspaceId="ws-1" />);
     expect(screen.getByTestId("status-badge").getAttribute("data-status")).toBe("invalid");

canvas/src/components/tabs/chat/__tests__/useChatSocket.errorDetail.test.ts

@@ -1,204 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Tests for actionable error rendering in useChatSocket (issue #1420).
- *
- * When a workspace agent returns an error on a canvas message/send, the canvas
- * should surface the actionable error_detail (e.g. oauth_org_not_allowed)
- * rather than the opaque "Agent error (Exception) — see workspace logs for details."
- * fallback. Falls back to summary, then a generic hint.
- */
-import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
-import { renderHook, act } from "@testing-library/react";
-import React from "react";
-import { useChatSocket, type UseChatSocketCallbacks } from "../hooks/useChatSocket";
-import { emitSocketEvent, _resetSocketEventListenersForTests } from "@/store/socket-events";
-import type { WSMessage } from "@/store/socket";
-
-// Silence React StrictMode double-invoke noise.
-const WARN = console.warn;
-beforeEach(() => { console.warn = () => {}; });
-afterEach(() => { console.warn = WARN; });
-
-beforeEach(() => {
-  _resetSocketEventListenersForTests();
-  vi.useFakeTimers();
-  vi.setSystemTime(new Date("2026-05-18T10:00:00Z"));
-});
-afterEach(() => {
-  vi.useRealTimers();
-  _resetSocketEventListenersForTests();
-});
-
-const WORKSPACE_ID = "00000000-0000-0000-0000-000000000001";
-
-function makeActivityErrorEvent(
-  workspaceId: string,
-  overrides: Partial<{
-    error_detail: string;
-    summary: string;
-    method: string;
-    status: string;
-  }> = {},
-): WSMessage {
-  const {
-    error_detail = "",
-    summary = "",
-    method = "message/send",
-    status = "error",
-  } = overrides;
-  return {
-    event: "ACTIVITY_LOGGED",
-    workspace_id: workspaceId,
-    timestamp: "2026-05-18T10:00:00Z",
-    payload: {
-      activity_type: "a2a_receive",
-      method,
-      status,
-      target_id: workspaceId,
-      duration_ms: 500,
-      summary,
-      ...(error_detail ? { error_detail } : {}),
-    } as Record<string, unknown>,
-  };
-}
-
-describe("useChatSocket actionable error rendering", () => {
-  it("calls onSendError with error_detail when present in the payload", () => {
-    const onSendError = vi.fn();
-    const callbacks: UseChatSocketCallbacks = { onSendError };
-    renderHook(() => useChatSocket(WORKSPACE_ID, callbacks));
-
-    act(() => {
-      emitSocketEvent(
-        makeActivityErrorEvent(WORKSPACE_ID, {
-          error_detail: "403 Forbidden: oauth_org_not_allowed — Your organization has disabled Claude subscription access. Use an API key instead.",
-        }),
-      );
-    });
-
-    expect(onSendError).toHaveBeenCalledTimes(1);
-    expect(onSendError.mock.calls[0][0]).toContain("oauth_org_not_allowed");
-    expect(onSendError.mock.calls[0][0]).not.toContain("workspace logs");
-    expect(onSendError.mock.calls[0][0]).not.toContain("Agent error (Exception)");
-  });
-
-  it("falls back to summary when error_detail is absent", () => {
-    const onSendError = vi.fn();
-    const callbacks: UseChatSocketCallbacks = { onSendError };
-    renderHook(() => useChatSocket(WORKSPACE_ID, callbacks));
-
-    act(() => {
-      emitSocketEvent(
-        makeActivityErrorEvent(WORKSPACE_ID, {
-          summary: "A2A request to ws-agent failed: connection refused",
-        }),
-      );
-    });
-
-    expect(onSendError).toHaveBeenCalledTimes(1);
-    expect(onSendError.mock.calls[0][0]).toBe("A2A request to ws-agent failed: connection refused");
-  });
-
-  it("falls back to generic hint when neither error_detail nor summary is present", () => {
-    const onSendError = vi.fn();
-    const callbacks: UseChatSocketCallbacks = { onSendError };
-    renderHook(() => useChatSocket(WORKSPACE_ID, callbacks));
-
-    act(() => {
-      emitSocketEvent(makeActivityErrorEvent(WORKSPACE_ID, {}));
-    });
-
-    expect(onSendError).toHaveBeenCalledTimes(1);
-    expect(onSendError.mock.calls[0][0]).toContain("Agent error");
-    // Should NOT be the old opaque phrase
-    expect(onSendError.mock.calls[0][0]).not.toContain("workspace logs");
-    expect(onSendError.mock.calls[0][0]).not.toContain("Agent error (Exception)");
-  });
-
-  it("does NOT call onSendError for other workspaces", () => {
-    const onSendError = vi.fn();
-    const callbacks: UseChatSocketCallbacks = { onSendError };
-    renderHook(() => useChatSocket(WORKSPACE_ID, callbacks));
-
-    act(() => {
-      emitSocketEvent(
-        makeActivityErrorEvent("00000000-0000-0000-0000-000000000099", {
-          error_detail: "some provider error",
-        }),
-      );
-    });
-
-    expect(onSendError).not.toHaveBeenCalled();
-  });
-
-  it("does NOT call onSendError for ok status", () => {
-    const onSendError = vi.fn();
-    const callbacks: UseChatSocketCallbacks = { onSendError };
-    renderHook(() => useChatSocket(WORKSPACE_ID, callbacks));
-
-    act(() => {
-      emitSocketEvent(
-        makeActivityErrorEvent(WORKSPACE_ID, {
-          status: "ok",
-          error_detail: "this should not appear",
-        }),
-      );
-    });
-
-    expect(onSendError).not.toHaveBeenCalled();
-  });
-
-  it("does NOT call onSendError when error_detail is an empty string", () => {
-    const onSendError = vi.fn();
-    const callbacks: UseChatSocketCallbacks = { onSendError };
-    renderHook(() => useChatSocket(WORKSPACE_ID, callbacks));
-
-    act(() => {
-      emitSocketEvent(
-        makeActivityErrorEvent(WORKSPACE_ID, {
-          error_detail: "",
-          summary: "",
-        }),
-      );
-    });
-
-    // Empty strings are falsy — falls through to the generic hint
-    expect(onSendError).toHaveBeenCalledTimes(1);
-    expect(onSendError.mock.calls[0][0]).toContain("Agent error");
-    expect(onSendError.mock.calls[0][0]).not.toContain("workspace logs");
-  });
-
-  it("prefers error_detail over summary (error_detail is more actionable)", () => {
-    const onSendError = vi.fn();
-    const callbacks: UseChatSocketCallbacks = { onSendError };
-    renderHook(() => useChatSocket(WORKSPACE_ID, callbacks));
-
-    act(() => {
-      emitSocketEvent(
-        makeActivityErrorEvent(WORKSPACE_ID, {
-          error_detail: "403: api_key_expired",
-          summary: "A2A request failed",
-        }),
-      );
-    });
-
-    expect(onSendError).toHaveBeenCalledTimes(1);
-    expect(onSendError.mock.calls[0][0]).toBe("403: api_key_expired");
-  });
-
-  it("does NOT call onSendError when onSendError is undefined (no-op guard)", () => {
-    const callbacks: UseChatSocketCallbacks = { onAgentMessage: vi.fn() };
-    expect(() =>
-      renderHook(() => useChatSocket(WORKSPACE_ID, callbacks)),
-    ).not.toThrow();
-
-    act(() => {
-      emitSocketEvent(
-        makeActivityErrorEvent(WORKSPACE_ID, {
-          error_detail: "some error",
-        }),
-      );
-    });
-    // No error thrown even without onSendError
-  });
-});

canvas/src/components/tabs/chat/hooks/useChatSocket.ts

@@ -53,7 +53,6 @@ export function useChatSocket(
         const targetId = (p.target_id as string) || "";
         const durationMs = p.duration_ms as number | undefined;
         const summary = (p.summary as string) || "";
-        const errorDetail = typeof p.error_detail === "string" ? p.error_detail : "";
 
         let line = "";
         if (type === "a2a_receive" && method === "message/send") {
@@ -68,14 +67,9 @@ export function useChatSocket(
             const own = (targetId || msg.workspace_id) === workspaceId;
             if (own) {
               callbacksRef.current.onSendComplete?.();
-              // Prefer the actionable error_detail from the workspace agent
-              // (e.g. "403 Forbidden: oauth_org_not_allowed ...") over the
-              // opaque generic. Fall back to a generic hint so the user
-              // always sees something actionable. Closes #1420.
-              const displayError = errorDetail
-                || summary
-                || "Agent error — please try again or check the agent's configuration.";
-              callbacksRef.current.onSendError?.(displayError);
+              callbacksRef.current.onSendError?.(
+                "Agent error (Exception) — see workspace logs for details.",
+              );
             }
           }
         } else if (type === "a2a_send") {

workspace-server/internal/handlers/a2a_proxy.go

@@ -399,21 +399,7 @@ func (h *WorkspaceHandler) proxyA2ARequest(ctx context.Context, workspaceID stri
 	// (no Do(), no maybeMarkContainerDead). The response is a synthetic
 	// {status:"queued"} envelope so the caller (canvas, another workspace)
 	// knows delivery is acknowledged but pending consumption.
-	deliveryMode, deliveryModeErr := lookupDeliveryMode(ctx, workspaceID)
-	if deliveryModeErr != nil {
-		// internal#497 fail-closed: a real DB/context error on the
-		// delivery-mode read MUST NOT silently fall through to the push
-		// dispatch path — that is exactly what silently misrouted every
-		// poll-mode peer for 5 days under the ce2db75f regression. Surface
-		// a structured error so the delegation is marked failed (loud +
-		// retryable) instead of dispatched to the wrong path.
-		log.Printf("ProxyA2A: delivery-mode lookup failed for %s: %v — failing closed", workspaceID, deliveryModeErr)
-		return 0, nil, &proxyA2AError{
-			Status:   http.StatusServiceUnavailable,
-			Response: gin.H{"error": "delivery-mode lookup failed; refusing to dispatch to avoid silent misrouting"},
-		}
-	}
-	if deliveryMode == models.DeliveryModePoll {
+	if lookupDeliveryMode(ctx, workspaceID) == models.DeliveryModePoll {
 		if logActivity {
 			h.logA2AReceiveQueued(ctx, workspaceID, callerID, body, a2aMethod)
 		}

workspace-server/internal/handlers/a2a_proxy_helpers.go

@@ -468,64 +468,40 @@ func parseUsageFromA2AResponse(body []byte) (inputTokens, outputTokens int64) {
 	return 0, 0
 }
 
-// lookupDeliveryMode returns the workspace's delivery_mode.
-//
-// internal#497 / RFC#497 fail-closed (SURGICAL scope): the *specific*
-// failure mode that hid the ce2db75f regression for 5 days is now
-// propagated instead of silently swallowed — a CONTEXT error
-// (context.Canceled / context.DeadlineExceeded). Under ce2db75f the
-// detached delegation goroutine ran on a cancelled request context, every
-// `SELECT delivery_mode` failed `context canceled`, this function returned
-// push, the poll-mode short-circuit in proxyA2ARequest was skipped, and
-// poll-mode peers (e.g. an operator laptop on molecule-mcp-claude-channel)
-// silently never got their a2a_receive inbox row. A transient,
-// systematic-once-triggered context cancellation became permanent
-// invisible misrouting. Returning that error lets the caller fail loud
-// (mark the delegation failed) instead of mis-dispatching.
-//
-// Scope is deliberately narrow: only ctx errors propagate. Other DB
-// errors retain the long-standing documented "fall back to push (today's
-// synchronous behavior)" contract — that path is loud + recoverable
-// (502 / SSRF reject / restart), unlike the silent poll-mode drop, and
-// the surrounding proxy (incl. the sibling checkWorkspaceBudget) is
-// intentionally built around that fail-open-to-push behavior. Widening
-// further is an RFC#497 follow-up, not part of this P0 fix.
-//
-// A genuinely *absent* configuration is NOT an error and still resolves to
-// push (the safe synchronous default): sql.ErrNoRows, a NULL/empty column,
-// or an unrecognised value all return (push, nil).
+// lookupDeliveryMode returns the workspace's delivery_mode. On any DB
+// error or missing row it returns DeliveryModePush — the fail-closed
+// default. "Closed" here means "fall back to today's behavior (synchronous
+// dispatch)" rather than "fall back to drop the request silently into
+// activity_logs where the agent might never see it." A poll-mode workspace
+// that briefly reads as push will get its A2A request dispatched to the
+// stored URL (or a 502 if no URL); a push-mode workspace that briefly
+// reads as poll would get its request silently queued with no dispatch.
+// The first failure is loud + recoverable; the second is silent.
 //
 // The function is intentionally lookup-only — it never mutates the row.
 // The register handler (registry.go) is the only writer for delivery_mode.
 //
 // See #2339 PR 1 for the column + register-flow side; this is the
 // proxy-side read used for the short-circuit in proxyA2ARequest.
-func lookupDeliveryMode(ctx context.Context, workspaceID string) (string, error) {
+func lookupDeliveryMode(ctx context.Context, workspaceID string) string {
 	var mode sql.NullString
 	err := db.DB.QueryRowContext(ctx,
 		`SELECT delivery_mode FROM workspaces WHERE id = $1`, workspaceID,
 	).Scan(&mode)
 	if err != nil {
-		// internal#497: a context cancellation/deadline MUST NOT be
-		// swallowed into a silent push default — that is the exact 5-day
-		// silent-misrouting vector. Propagate so the caller fails closed.
-		if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
-			log.Printf("ProxyA2A: lookupDeliveryMode(%s) context error (%v) — failing closed (NOT defaulting to push)", workspaceID, err)
-			return "", err
-		}
 		if !errors.Is(err, sql.ErrNoRows) {
-			log.Printf("ProxyA2A: lookupDeliveryMode(%s) failed (%v) — defaulting to push (non-ctx DB error; legacy fail-open-to-push contract)", workspaceID, err)
+			log.Printf("ProxyA2A: lookupDeliveryMode(%s) failed (%v) — defaulting to push", workspaceID, err)
 		}
-		return models.DeliveryModePush, nil
+		return models.DeliveryModePush
 	}
 	if !mode.Valid || mode.String == "" {
-		return models.DeliveryModePush, nil
+		return models.DeliveryModePush
 	}
 	if !models.IsValidDeliveryMode(mode.String) {
 		log.Printf("ProxyA2A: workspace %s has invalid delivery_mode=%q — defaulting to push", workspaceID, mode.String)
-		return models.DeliveryModePush, nil
+		return models.DeliveryModePush
 	}
-	return mode.String, nil
+	return mode.String
 }
 
 // logA2AReceiveQueued records a poll-mode "queued" A2A receive into

workspace-server/internal/handlers/a2a_proxy_test.go

@@ -2228,18 +2228,12 @@ func TestProxyA2A_PushMode_NoShortCircuit(t *testing.T) {
 	}
 }
 
-// TestProxyA2A_PollMode_FailsClosedToPush verifies the LEGACY safety
-// contract is PRESERVED for non-context DB errors: a generic DB error
-// reading delivery_mode still defaults to push (today's behavior), NOT
-// poll. Failing to push means a poll-mode workspace briefly attempts a
-// real dispatch — visible failure (502 / SSRF rejection / restart
-// cascade), not a silent drop into activity_logs where the agent might
-// never look. Loud > silent, recoverable > lost.
-//
-// internal#497 narrows the fail-closed change to *context* errors only
-// (the actual ce2db75f regression vector); generic DB errors keep this
-// long-standing fail-open-to-push contract. The ctx-error fail-closed is
-// covered by TestLookupDeliveryMode_ContextCanceled_FailsClosed.
+// TestProxyA2A_PollMode_FailsClosedToPush verifies the safety contract:
+// a DB error reading delivery_mode must default to push (the existing
+// behavior), NOT poll. Failing to push means a poll-mode workspace
+// briefly attempts a real dispatch — visible failure (502 / SSRF
+// rejection / restart cascade), not a silent drop into activity_logs
+// where the agent might never look. Loud > silent, recoverable > lost.
 func TestProxyA2A_PollMode_FailsClosedToPush(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t) // empty Redis — forces resolveAgentURL DB lookup
@@ -2250,8 +2244,7 @@ func TestProxyA2A_PollMode_FailsClosedToPush(t *testing.T) {
 
 	expectBudgetCheck(mock, wsID)
 
-	// lookupDeliveryMode hits a generic (non-context) DB error → must
-	// still default push (legacy contract preserved by internal#497).
+	// lookupDeliveryMode hits a transient DB error → must default push.
 	mock.ExpectQuery("SELECT delivery_mode FROM workspaces WHERE id").
 		WithArgs(wsID).
 		WillReturnError(sql.ErrConnDone)
@@ -2275,7 +2268,7 @@ func TestProxyA2A_PollMode_FailsClosedToPush(t *testing.T) {
 		var resp map[string]interface{}
 		_ = json.Unmarshal(w.Body.Bytes(), &resp)
 		if resp["status"] == "queued" {
-			t.Errorf("generic DB error on delivery_mode lookup silently queued the request — must fail-open-to-push, got body: %s", w.Body.String())
+			t.Errorf("DB error on delivery_mode lookup silently queued the request — must fail-closed-to-push, got body: %s", w.Body.String())
 		}
 	}
 
@@ -2284,37 +2277,6 @@ func TestProxyA2A_PollMode_FailsClosedToPush(t *testing.T) {
 	}
 }
 
-// TestLookupDeliveryMode_ContextCanceled_FailsClosed is the internal#497
-// regression test for the SECONDARY defect. It pins the exact invariant
-// that hid the ce2db75f regression for 5 days: when the delivery_mode read
-// fails because the context was cancelled (precisely what happened in the
-// detached delegation goroutine running on a returned request context),
-// lookupDeliveryMode MUST return an error and MUST NOT silently return
-// "push". Returning push there is what skipped the poll-mode short-circuit
-// and silently dropped 100% of poll-mode peer deliveries.
-//
-// A pre-cancelled context makes QueryRowContext fail with
-// context.Canceled deterministically — no DB rows are mocked because the
-// query never reaches a result.
-func TestLookupDeliveryMode_ContextCanceled_FailsClosed(t *testing.T) {
-	mock := setupTestDB(t)
-	// The query fails on the cancelled ctx before matching; provide a
-	// permissive expectation so sqlmock doesn't complain about the attempt.
-	mock.ExpectQuery("SELECT delivery_mode FROM workspaces WHERE id").
-		WillReturnError(context.Canceled)
-
-	ctx, cancel := context.WithCancel(context.Background())
-	cancel() // simulate the HTTP handler having returned (request ctx dead)
-
-	mode, err := lookupDeliveryMode(ctx, "ws-poll-peer")
-	if err == nil {
-		t.Fatalf("internal#497 regression: lookupDeliveryMode swallowed a context error and returned mode=%q with nil err — this is the exact 5-day silent-misrouting vector", mode)
-	}
-	if mode == models.DeliveryModePush {
-		t.Errorf("internal#497 regression: context error must NOT default to push (got mode=%q)", mode)
-	}
-}
-
 // ==================== a2aClient ResponseHeaderTimeout config ====================
 
 func TestA2AClientResponseHeaderTimeout(t *testing.T) {

workspace-server/internal/handlers/activity.go

@@ -672,13 +672,6 @@ func logActivityExec(ctx context.Context, exec activityExecutor, broadcaster eve
 		if len(params.ToolTrace) > 0 {
 			payload["tool_trace"] = json.RawMessage(params.ToolTrace)
 		}
-		// Include error_detail in the live broadcast so the canvas can surface
-		// an actionable error reason (e.g. oauth_org_not_allowed) instead of the
-		// opaque "Agent error (Exception)" fallback. The runtime's
-		// report_activity helper caps this at 4096 chars.
-		if params.ErrorDetail != nil {
-			payload["error_detail"] = *params.ErrorDetail
-		}
 		// Include request/response bodies in the live broadcast so the
 		// canvas's Agent Comms panel can render the actual task text
 		// and reply text immediately, instead of falling back to the

workspace-server/internal/handlers/activity_test.go

@@ -934,93 +934,6 @@ func TestLogActivity_Broadcast_IncludesRequestAndResponseBodies(t *testing.T) {
 	}
 }
 
-// TestLogActivity_Broadcast_IncludesErrorDetail pins the fix for #1420:
-// error_detail was stored in the DB but never included in the live
-// ACTIVITY_LOGGED WebSocket broadcast, so the canvas could only show
-// "Agent error (Exception) — see workspace logs for details." without
-// surfacing the actionable error reason (e.g. oauth_org_not_allowed).
-func TestLogActivity_Broadcast_IncludesErrorDetail(t *testing.T) {
-	mock := setupTestDB(t)
-	defer mock.ExpectationsWereMet()
-
-	mock.ExpectExec("INSERT INTO activity_logs").
-		WillReturnResult(sqlmock.NewResult(1, 1))
-
-	cb := &recordingBroadcaster{}
-	srcID := "ws-canvas"
-	tgtID := "ws-agent"
-	method := "message/send"
-	summary := "A2A request to ws-agent failed"
-	errorDetail := "403 Forbidden: oauth_org_not_allowed — Your organization has disabled Claude subscription access. Use an API key or ask your admin to enable access."
-	status := "error"
-
-	LogActivity(context.Background(), cb, ActivityParams{
-		WorkspaceID:  srcID,
-		ActivityType: "a2a_receive",
-		SourceID:     &srcID,
-		TargetID:     &tgtID,
-		Method:       &method,
-		Summary:      &summary,
-		Status:       status,
-		ErrorDetail:  &errorDetail,
-	})
-
-	if len(cb.calls) != 1 {
-		t.Fatalf("expected 1 broadcast, got %d", len(cb.calls))
-	}
-	payload := cb.calls[0].payload
-	if payload["activity_type"] != "a2a_receive" {
-		t.Errorf("activity_type = %v, want a2a_receive", payload["activity_type"])
-	}
-	ed, ok := payload["error_detail"].(string)
-	if !ok {
-		t.Fatalf("error_detail missing from broadcast payload: got %#v", payload["error_detail"])
-	}
-	if ed != errorDetail {
-		t.Errorf("error_detail = %q, want %q", ed, errorDetail)
-	}
-	if payload["status"] != status {
-		t.Errorf("status = %v, want %q", payload["status"], status)
-	}
-}
-
-// TestLogActivity_Broadcast_OmitsNilErrorDetail verifies that when
-// ErrorDetail is nil the broadcast does not include an empty error_detail key
-// (matching the same omission pattern as request_body/response_body above).
-func TestLogActivity_Broadcast_OmitsNilErrorDetail(t *testing.T) {
-	mock := setupTestDB(t)
-	defer mock.ExpectationsWereMet()
-
-	mock.ExpectExec("INSERT INTO activity_logs").
-		WillReturnResult(sqlmock.NewResult(1, 1))
-
-	cb := &recordingBroadcaster{}
-	srcID := "ws-canvas"
-	tgtID := "ws-agent"
-	method := "message/send"
-	summary := "A2A request succeeded"
-	status := "ok"
-
-	LogActivity(context.Background(), cb, ActivityParams{
-		WorkspaceID:  srcID,
-		ActivityType: "a2a_receive",
-		SourceID:     &srcID,
-		TargetID:     &tgtID,
-		Method:       &method,
-		Summary:      &summary,
-		Status:       status,
-		// ErrorDetail intentionally omitted (nil)
-	})
-
-	if len(cb.calls) != 1 {
-		t.Fatalf("expected 1 broadcast, got %d", len(cb.calls))
-	}
-	payload := cb.calls[0].payload
-	if _, present := payload["error_detail"]; present {
-		t.Errorf("error_detail should be omitted when nil, got %v", payload["error_detail"])
-	}
-}
-
 // TestLogActivityTx_DefersBroadcastUntilCommitHook pins the #149
 // contract: LogActivityTx returns a commitHook that the caller MUST
 // invoke after tx.Commit(); the broadcast MUST NOT fire from inside

workspace-server/internal/handlers/delegation.go

@@ -162,32 +162,8 @@ func (h *DelegationHandler) Delegate(c *gin.Context) {
 		},
 	})
 
-	// Fire-and-forget: send A2A in a background goroutine.
-	//
-	// internal#497 — the goroutine MUST NOT inherit the HTTP request's
-	// cancellation. `ctx` here is c.Request.Context(); the handler returns
-	// 202 a few lines below, which cancels that context immediately. Before
-	// this fix (regression ce2db75f) executeDelegation ran on the
-	// request-scoped ctx, so every DB op + proxy call in the detached
-	// goroutine failed `context canceled` the instant the 202 was written.
-	// That silently broke 100% of A2A peer delegations fleet-wide since
-	// 2026-05-12 (poll-mode peers never got their a2a_receive inbox row;
-	// lookupDeliveryMode swallowed the ctx error and defaulted to push).
-	//
-	// context.WithoutCancel detaches cancellation/deadline while PRESERVING
-	// all context values (trace/correlation/tenant ids that proxyA2ARequest
-	// and the broadcaster read off ctx) — this is the established pattern in
-	// this package (a2a_proxy.go:850, a2a_proxy_helpers.go:525,
-	// registry.go:822). The 30-minute ceiling matches the prior internal
-	// budget executeDelegation used before ce2db75f and the proxy's own
-	// absolute agent-dispatch ceiling (a2a_proxy.go forwardCtx).
-	delegationCtx, cancelDelegation := context.WithTimeout(
-		context.WithoutCancel(ctx), 30*time.Minute,
-	)
-	go func() {
-		defer cancelDelegation()
-		h.executeDelegation(delegationCtx, sourceID, body.TargetID, delegationID, a2aBody)
-	}()
+	// Fire-and-forget: send A2A in background goroutine
+	go h.executeDelegation(ctx, sourceID, body.TargetID, delegationID, a2aBody)
 
 	// Broadcast event so canvas shows delegation in real-time
 	h.broadcaster.RecordAndBroadcast(ctx, string(events.EventDelegationSent), sourceID, map[string]interface{}{

workspace-server/internal/handlers/delegation_test.go

@@ -16,65 +16,6 @@ import (
 	"github.com/gin-gonic/gin"
 )
 
-// ---------- internal#497 regression: detached goroutine ctx must outlive the handler ----------
-
-// TestDelegate_DetachedContext_SurvivesRequestCancellation pins the
-// load-bearing invariant that regression ce2db75f violated: the context
-// handed to executeDelegation in the fire-and-forget goroutine must NOT be
-// cancelled when the HTTP handler returns 202 (which cancels
-// c.Request.Context()). Before the fix, executeDelegation ran on the
-// request-scoped ctx, so every DB op + proxy call failed `context
-// canceled` the instant the 202 was written — silently breaking 100% of
-// A2A peer delegations fleet-wide since 2026-05-12.
-//
-// This test asserts the exact ctx-derivation contract used by Delegate
-// (context.WithoutCancel(parent) + a timeout budget): the derived context
-// (a) stays alive after the parent is cancelled, and (b) still carries
-// parent values (trace/correlation/tenant ids the downstream proxy +
-// broadcaster read off ctx). It is intentionally DB-free and fast.
-func TestDelegate_DetachedContext_SurvivesRequestCancellation(t *testing.T) {
-	type ctxKey string
-	const traceKey ctxKey = "trace-id"
-
-	// Simulate c.Request.Context() carrying a correlation value.
-	parent, cancelParent := context.WithCancel(
-		context.WithValue(context.Background(), traceKey, "trace-abc-123"),
-	)
-
-	// Exact derivation Delegate uses for the detached goroutine.
-	delegationCtx, cancelDelegation := context.WithTimeout(
-		context.WithoutCancel(parent), 30*time.Minute,
-	)
-	defer cancelDelegation()
-
-	// The HTTP handler "returns 202" → request context is cancelled.
-	cancelParent()
-
-	if err := parent.Err(); err == nil {
-		t.Fatal("precondition: parent context should be cancelled after the handler returns")
-	}
-
-	// (a) Cancellation MUST NOT propagate to the detached context.
-	select {
-	case <-delegationCtx.Done():
-		t.Fatalf("regression: detached delegation ctx was cancelled by the handler returning (err=%v) — executeDelegation would fail every DB op with `context canceled`", delegationCtx.Err())
-	default:
-		// alive — correct
-	}
-
-	// (b) Parent values MUST still be readable (WithoutCancel preserves
-	// values; trace/correlation/tenant ids the proxy + broadcaster use).
-	if got, _ := delegationCtx.Value(traceKey).(string); got != "trace-abc-123" {
-		t.Errorf("detached ctx lost the parent trace value: got %q, want %q", got, "trace-abc-123")
-	}
-
-	// And it still has a real deadline (the 30m budget), so it is not an
-	// unbounded background context.
-	if _, hasDeadline := delegationCtx.Deadline(); !hasDeadline {
-		t.Error("detached ctx must carry the 30-minute timeout budget, but has no deadline")
-	}
-}
-
 // ---------- Delegate: missing target_id → 400 ----------
 
 func TestDelegate_MissingTargetID(t *testing.T) {

workspace-server/internal/handlers/external_connection_test.go

@@ -1,8 +1,12 @@
 package handlers
 
 import (
+	"crypto/tls"
+	"net/http/httptest"
 	"strings"
 	"testing"
+
+	"github.com/gin-gonic/gin"
 )
 
 // TestExternalTemplates_NoMoleculeOrgIDPlaceholder pins the invariant
@@ -118,3 +122,153 @@ func TestExternalTemplates_NoBrokenMoleculeAIGitHubURLs(t *testing.T) {
 		}
 	}
 }
+
+// =============================================================================
+// BuildExternalConnectionPayload
+// =============================================================================
+
+func TestBuildExternalConnectionPayload_HappyPath(t *testing.T) {
+	payload := BuildExternalConnectionPayload(
+		"https://platform.example.com/",
+		"ws-123",
+		"tok-secret-abc",
+	)
+
+	if payload["workspace_id"] != "ws-123" {
+		t.Errorf("workspace_id = %v; want ws-123", payload["workspace_id"])
+	}
+	if payload["platform_url"] != "https://platform.example.com" {
+		t.Errorf("platform_url = %v; want https://platform.example.com", payload["platform_url"])
+	}
+	if payload["auth_token"] != "tok-secret-abc" {
+		t.Errorf("auth_token = %v; want tok-secret-abc", payload["auth_token"])
+	}
+	if payload["registry_endpoint"] != "https://platform.example.com/registry/register" {
+		t.Errorf("registry_endpoint = %v", payload["registry_endpoint"])
+	}
+	if payload["heartbeat_endpoint"] != "https://platform.example.com/registry/heartbeat" {
+		t.Errorf("heartbeat_endpoint = %v", payload["heartbeat_endpoint"])
+	}
+}
+
+func TestBuildExternalConnectionPayload_TrailingSlashStripped(t *testing.T) {
+	// TrimSuffix only removes one trailing slash; multiple slashes stay.
+	// This is intentional — the function documents this behavior.
+	payload := BuildExternalConnectionPayload(
+		"https://platform.example.com/",
+		"ws-456",
+		"tok",
+	)
+	if payload["platform_url"] != "https://platform.example.com" {
+		t.Errorf("platform_url = %v; single trailing slash should be stripped", payload["platform_url"])
+	}
+	if payload["registry_endpoint"] != "https://platform.example.com/registry/register" {
+		t.Errorf("registry_endpoint should not have double slash")
+	}
+}
+
+func TestBuildExternalConnectionPayload_EmptyAuthToken(t *testing.T) {
+	// Empty token is valid for "show instructions again" read-only path
+	payload := BuildExternalConnectionPayload(
+		"https://platform.example.com",
+		"ws-789",
+		"",
+	)
+	if payload["workspace_id"] != "ws-789" {
+		t.Errorf("workspace_id = %v", payload["workspace_id"])
+	}
+	if payload["auth_token"] != "" {
+		t.Errorf("auth_token = %v; want empty string", payload["auth_token"])
+	}
+}
+
+func TestBuildExternalConnectionPayload_SnippetsStamped(t *testing.T) {
+	payload := BuildExternalConnectionPayload(
+		"https://platform.example.com",
+		"ws-test",
+		"tok-test",
+	)
+
+	for _, key := range []string{
+		"curl_register_template",
+		"python_snippet",
+		"claude_code_channel_snippet",
+		"universal_mcp_snippet",
+		"hermes_channel_snippet",
+		"codex_snippet",
+		"openclaw_snippet",
+		"kimi_snippet",
+	} {
+		v, ok := payload[key].(string)
+		if !ok {
+			t.Errorf("%s is not a string", key)
+			continue
+		}
+		if strings.Contains(v, "{{PLATFORM_URL}}") {
+			t.Errorf("%s still contains unsubstituted {{PLATFORM_URL}}", key)
+		}
+		if strings.Contains(v, "{{WORKSPACE_ID}}") {
+			t.Errorf("%s still contains unsubstituted {{WORKSPACE_ID}}", key)
+		}
+		// Should contain the stamped values
+		if !strings.Contains(v, "https://platform.example.com") {
+			t.Errorf("%s does not contain stamped platform URL", key)
+		}
+		if !strings.Contains(v, "ws-test") {
+			t.Errorf("%s does not contain stamped workspace ID", key)
+		}
+	}
+}
+
+// =============================================================================
+// externalPlatformURL
+// =============================================================================
+
+func TestExternalPlatformURL_EnvVarTakesPrecedence(t *testing.T) {
+	t.Setenv("EXTERNAL_PLATFORM_URL", "https://external.example.com")
+	c, _ := gin.CreateTestContext(httptest.NewRecorder())
+	c.Request = httptest.NewRequest("GET", "/", nil)
+
+	got := externalPlatformURL(c)
+	if got != "https://external.example.com" {
+		t.Errorf("got %q; want EXTERNAL_PLATFORM_URL value", got)
+	}
+}
+
+func TestExternalPlatformURL_XForwardedProtoAndHost(t *testing.T) {
+	c, _ := gin.CreateTestContext(httptest.NewRecorder())
+	c.Request = httptest.NewRequest("GET", "/", nil)
+	c.Request.Header.Set("X-Forwarded-Proto", "https")
+	c.Request.Header.Set("X-Forwarded-Host", "tenant.example.com")
+
+	got := externalPlatformURL(c)
+	if got != "https://tenant.example.com" {
+		t.Errorf("got %q; want https://tenant.example.com", got)
+	}
+}
+
+func TestExternalPlatformURL_HTTPSNoHeaders(t *testing.T) {
+	c, _ := gin.CreateTestContext(httptest.NewRecorder())
+	c.Request = httptest.NewRequest("GET", "/", nil)
+	c.Request.Host = "platform.example.com"
+	// TLS set → https scheme (regardless of host)
+	c.Request.TLS = &tls.ConnectionState{}
+
+	got := externalPlatformURL(c)
+	if got != "https://platform.example.com" {
+		t.Errorf("got %q; want https://platform.example.com (TLS set)", got)
+	}
+}
+
+func TestExternalPlatformURL_HTTPNoTLS(t *testing.T) {
+	c, _ := gin.CreateTestContext(httptest.NewRecorder())
+	c.Request = httptest.NewRequest("GET", "/", nil)
+	c.Request.Host = "localhost:8080"
+	// TLS nil → http
+	c.Request.TLS = nil
+
+	got := externalPlatformURL(c)
+	if got != "http://localhost:8080" {
+		t.Errorf("got %q; want http://localhost:8080", got)
+	}
+}