test(handlers): add unit tests for InstructionsHandler (closes #415)

Covers all five methods of InstructionsHandler: List, Create, Update,
Delete, and Resolve. Tests use sqlmock + httptest following the same
patterns as existing handler tests in the package.

Notable coverage:
- List: workspace_id scope, admin scope, no params, DB error
- Create: valid global + workspace, all validation failures (missing
  scope/title/content, invalid scope, workspace-nil-target,
  oversized content/title, nil scope_target for global)
- Update: partial + full-body, all validation failures, not-found,
  DB error
- Delete: found, not-found, DB error
- Resolve: global→workspace ordering, empty workspace, DB error,
  missing workspace_id, scope header deduplication
- scanInstructions: scan error is logged and skipped

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

workspace-server/internal/handlers/instructions_test.go

@@ -0,0 +1,893 @@
+package handlers
+
+import (
+	"bytes"
+	"database/sql"
+	"encoding/json"
+	"errors"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/DATA-DOG/go-sqlmock"
+	"github.com/gin-gonic/gin"
+)
+
+// ─── request helpers ───────────────────────────────────────────────────────────
+
+func newPostRequest(path string, body interface{}) (*httptest.ResponseRecorder, *gin.Context) {
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	raw, _ := json.Marshal(body)
+	c.Request = httptest.NewRequest(http.MethodPost, path, bytes.NewReader(raw))
+	c.Request.Header.Set("Content-Type", "application/json")
+	return w, c
+}
+
+func newPutRequest(path string, body interface{}) (*httptest.ResponseRecorder, *gin.Context) {
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	raw, _ := json.Marshal(body)
+	c.Request = httptest.NewRequest(http.MethodPut, path, bytes.NewReader(raw))
+	c.Request.Header.Set("Content-Type", "application/json")
+	return w, c
+}
+
+func newDeleteRequest(path string) (*httptest.ResponseRecorder, *gin.Context) {
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest(http.MethodDelete, path, nil)
+	return w, c
+}
+
+func newGetRequest(path string) (*httptest.ResponseRecorder, *gin.Context) {
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest(http.MethodGet, path, nil)
+	return w, c
+}
+
+// ─── mock row helpers ─────────────────────────────────────────────────────────
+
+// instructionCols matches the SELECT in List/Resolve.
+var instructionCols = []string{
+	"id", "scope", "scope_target", "title", "content",
+	"priority", "enabled", "created_at", "updated_at",
+}
+
+// resolveCols matches the SELECT in Resolve (scope, title, content).
+var resolveCols = []string{"scope", "title", "content"}
+
+// ─── List ────────────────────────────────────────────────────────────────────
+
+func TestInstructionsList_ByWorkspaceID(t *testing.T) {
+	mock := setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	wsID := "ws-123-abc"
+	w, c := newGetRequest("/instructions?workspace_id=" + wsID)
+	c.Request = httptest.NewRequest(http.MethodGet, "/instructions?workspace_id="+wsID, nil)
+
+	rows := sqlmock.NewRows(instructionCols).
+		AddRow("inst-1", "global", nil, "Be helpful", "Always be helpful.", 10, true, time.Now(), time.Now()).
+		AddRow("inst-2", "workspace", &wsID, "Use Claude", "Use Claude Code.", 5, true, time.Now(), time.Now())
+	mock.ExpectQuery("SELECT id, scope, scope_target, title, content, priority, enabled, created_at, updated_at").
+		WithArgs(wsID).
+		WillReturnRows(rows)
+
+	h.List(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var out []Instruction
+	if err := json.Unmarshal(w.Body.Bytes(), &out); err != nil {
+		t.Fatalf("response not valid JSON: %v", err)
+	}
+	if len(out) != 2 {
+		t.Errorf("expected 2 instructions, got %d", len(out))
+	}
+	if out[0].Scope != "global" {
+		t.Errorf("first row scope: expected global, got %s", out[0].Scope)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}
+
+func TestInstructionsList_ByScope(t *testing.T) {
+	mock := setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	w, c := newGetRequest("/instructions?scope=global")
+	c.Request = httptest.NewRequest(http.MethodGet, "/instructions?scope=global", nil)
+
+	rows := sqlmock.NewRows(instructionCols).
+		AddRow("inst-g", "global", nil, "Global Rule", "Follow policy.", 10, true, time.Now(), time.Now())
+	mock.ExpectQuery("SELECT id, scope, scope_target, title, content, priority, enabled, created_at, updated_at FROM platform_instructions WHERE 1=1").
+		WithArgs("global").
+		WillReturnRows(rows)
+
+	h.List(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var out []Instruction
+	if err := json.Unmarshal(w.Body.Bytes(), &out); err != nil {
+		t.Fatalf("response not valid JSON: %v", err)
+	}
+	if len(out) != 1 || out[0].Scope != "global" {
+		t.Errorf("unexpected response: %v", out)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}
+
+func TestInstructionsList_AllNoParams(t *testing.T) {
+	mock := setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	w, c := newGetRequest("/instructions")
+
+	rows := sqlmock.NewRows(instructionCols)
+	mock.ExpectQuery("SELECT id, scope, scope_target, title, content, priority, enabled, created_at, updated_at FROM platform_instructions WHERE 1=1").
+		WillReturnRows(rows)
+
+	h.List(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var out []Instruction
+	if err := json.Unmarshal(w.Body.Bytes(), &out); err != nil {
+		t.Fatalf("response not valid JSON: %v", err)
+	}
+	// Empty slice, not nil
+	if out == nil {
+		t.Error("expected empty slice, got nil")
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}
+
+func TestInstructionsList_DBError(t *testing.T) {
+	mock := setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	w, c := newGetRequest("/instructions")
+	c.Request = httptest.NewRequest(http.MethodGet, "/instructions", nil)
+
+	mock.ExpectQuery("SELECT id, scope, scope_target, title, content, priority, enabled, created_at, updated_at FROM platform_instructions WHERE 1=1").
+		WillReturnError(errors.New("connection refused"))
+
+	h.List(c)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Fatalf("expected 500, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}
+
+// ─── Create ───────────────────────────────────────────────────────────────────
+
+func TestInstructionsCreate_ValidGlobal(t *testing.T) {
+	mock := setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	w, c := newPostRequest("/instructions", map[string]interface{}{
+		"scope":    "global",
+		"title":    "Be Helpful",
+		"content":  "Always be helpful to the user.",
+		"priority": 10,
+	})
+
+	mock.ExpectQuery("INSERT INTO platform_instructions").
+		WithArgs("global", nil, "Be Helpful", "Always be helpful to the user.", 10).
+		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow("new-inst-1"))
+
+	h.Create(c)
+
+	if w.Code != http.StatusCreated {
+		t.Fatalf("expected 201, got %d: %s", w.Code, w.Body.String())
+	}
+	var out map[string]string
+	if err := json.Unmarshal(w.Body.Bytes(), &out); err != nil {
+		t.Fatalf("response not valid JSON: %v", err)
+	}
+	if out["id"] != "new-inst-1" {
+		t.Errorf("expected id new-inst-1, got %s", out["id"])
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}
+
+func TestInstructionsCreate_ValidWorkspace(t *testing.T) {
+	mock := setupTestDB(t)
+	h := NewInstructionsHandler()
+	wsTarget := "ws-xyz-789"
+
+	w, c := newPostRequest("/instructions", map[string]interface{}{
+		"scope":        "workspace",
+		"scope_target": wsTarget,
+		"title":        "Use Claude Code",
+		"content":      "Prefer Claude Code for all tasks.",
+		"priority":     5,
+	})
+
+	mock.ExpectQuery("INSERT INTO platform_instructions").
+		WithArgs("workspace", &wsTarget, "Use Claude Code", "Prefer Claude Code for all tasks.", 5).
+		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow("ws-inst-2"))
+
+	h.Create(c)
+
+	if w.Code != http.StatusCreated {
+		t.Fatalf("expected 201, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}
+
+func TestInstructionsCreate_MissingScope(t *testing.T) {
+	setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	w, c := newPostRequest("/instructions", map[string]interface{}{
+		"title":   "Missing Scope",
+		"content": "This has no scope.",
+	})
+
+	h.Create(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("expected 400, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestInstructionsCreate_MissingTitle(t *testing.T) {
+	setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	w, c := newPostRequest("/instructions", map[string]interface{}{
+		"scope":   "global",
+		"content": "Has no title.",
+	})
+
+	h.Create(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("expected 400, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestInstructionsCreate_MissingContent(t *testing.T) {
+	setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	w, c := newPostRequest("/instructions", map[string]interface{}{
+		"scope": "global",
+		"title": "Has no content",
+	})
+
+	h.Create(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("expected 400, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestInstructionsCreate_InvalidScope(t *testing.T) {
+	setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	w, c := newPostRequest("/instructions", map[string]interface{}{
+		"scope":   "team",
+		"title":   "Bad Scope",
+		"content": "Team scope is not supported yet.",
+	})
+
+	h.Create(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("expected 400, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestInstructionsCreate_WorkspaceScopeNoTarget(t *testing.T) {
+	setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	w, c := newPostRequest("/instructions", map[string]interface{}{
+		"scope":   "workspace",
+		"title":   "Missing Target",
+		"content": "Workspace scope without scope_target.",
+	})
+
+	h.Create(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("expected 400, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestInstructionsCreate_ContentTooLong(t *testing.T) {
+	setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	// Build a string longer than maxInstructionContentLen (8192).
+	longContent := string(make([]byte, maxInstructionContentLen+1))
+
+	w, c := newPostRequest("/instructions", map[string]interface{}{
+		"scope":   "global",
+		"title":   "Too Long",
+		"content": longContent,
+	})
+
+	h.Create(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("expected 400, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestInstructionsCreate_TitleTooLong(t *testing.T) {
+	setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	longTitle := string(make([]byte, 201))
+
+	w, c := newPostRequest("/instructions", map[string]interface{}{
+		"scope":   "global",
+		"title":   longTitle,
+		"content": "Short content.",
+	})
+
+	h.Create(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("expected 400, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestInstructionsCreate_DBError(t *testing.T) {
+	mock := setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	w, c := newPostRequest("/instructions", map[string]interface{}{
+		"scope":   "global",
+		"title":   "DB Error",
+		"content": "This will fail.",
+	})
+
+	mock.ExpectQuery("INSERT INTO platform_instructions").
+		WillReturnError(errors.New("connection refused"))
+
+	h.Create(c)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Fatalf("expected 500, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}
+
+// ─── Update ──────────────────────────────────────────────────────────────────
+
+func TestInstructionsUpdate_ValidPartial(t *testing.T) {
+	mock := setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	instID := "inst-update-1"
+	newTitle := "Updated Title"
+	w, c := newPutRequest("/instructions/"+instID, map[string]interface{}{
+		"title": newTitle,
+	})
+	c.Params = []gin.Param{{Key: "id", Value: instID}}
+
+	mock.ExpectExec("UPDATE platform_instructions SET").
+		WithArgs(&newTitle, sqlmock.AnyArg(), sqlmock.AnyArg(), sqlmock.AnyArg(), instID).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	h.Update(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}
+
+func TestInstructionsUpdate_AllFields(t *testing.T) {
+	mock := setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	instID := "inst-update-2"
+	title := "Full Update"
+	content := "New content body."
+	priority := 20
+	enabled := false
+	w, c := newPutRequest("/instructions/"+instID, map[string]interface{}{
+		"title":    title,
+		"content":  content,
+		"priority": priority,
+		"enabled":  enabled,
+	})
+	c.Params = []gin.Param{{Key: "id", Value: instID}}
+
+	mock.ExpectExec("UPDATE platform_instructions SET").
+		WithArgs(&title, &content, &priority, &enabled, instID).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	h.Update(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}
+
+func TestInstructionsUpdate_ContentTooLong(t *testing.T) {
+	setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	instID := "inst-too-long"
+	longContent := string(make([]byte, maxInstructionContentLen+1))
+	w, c := newPutRequest("/instructions/"+instID, map[string]interface{}{
+		"content": longContent,
+	})
+	c.Params = []gin.Param{{Key: "id", Value: instID}}
+
+	h.Update(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("expected 400, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestInstructionsUpdate_TitleTooLong(t *testing.T) {
+	setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	instID := "inst-title-long"
+	longTitle := string(make([]byte, 201))
+	w, c := newPutRequest("/instructions/"+instID, map[string]interface{}{
+		"title": longTitle,
+	})
+	c.Params = []gin.Param{{Key: "id", Value: instID}}
+
+	h.Update(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("expected 400, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestInstructionsUpdate_NotFound(t *testing.T) {
+	mock := setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	instID := "inst-missing"
+	w, c := newPutRequest("/instructions/"+instID, map[string]interface{}{
+		"title": "New Title",
+	})
+	c.Params = []gin.Param{{Key: "id", Value: instID}}
+
+	mock.ExpectExec("UPDATE platform_instructions SET").
+		WillReturnResult(sqlmock.NewResult(0, 0))
+
+	h.Update(c)
+
+	if w.Code != http.StatusNotFound {
+		t.Fatalf("expected 404, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}
+
+func TestInstructionsUpdate_DBError(t *testing.T) {
+	mock := setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	instID := "inst-db-err"
+	w, c := newPutRequest("/instructions/"+instID, map[string]interface{}{
+		"title": "Error Update",
+	})
+	c.Params = []gin.Param{{Key: "id", Value: instID}}
+
+	mock.ExpectExec("UPDATE platform_instructions SET").
+		WillReturnError(errors.New("connection refused"))
+
+	h.Update(c)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Fatalf("expected 500, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}
+
+// ─── Delete ───────────────────────────────────────────────────────────────────
+
+func TestInstructionsDelete_Valid(t *testing.T) {
+	mock := setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	instID := "inst-delete-1"
+	w, c := newDeleteRequest("/instructions/" + instID)
+	c.Params = []gin.Param{{Key: "id", Value: instID}}
+
+	mock.ExpectExec("DELETE FROM platform_instructions WHERE id = $1").
+		WithArgs(instID).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	h.Delete(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}
+
+func TestInstructionsDelete_NotFound(t *testing.T) {
+	mock := setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	instID := "inst-not-there"
+	w, c := newDeleteRequest("/instructions/" + instID)
+	c.Params = []gin.Param{{Key: "id", Value: instID}}
+
+	mock.ExpectExec("DELETE FROM platform_instructions WHERE id = $1").
+		WithArgs(instID).
+		WillReturnResult(sqlmock.NewResult(0, 0))
+
+	h.Delete(c)
+
+	if w.Code != http.StatusNotFound {
+		t.Fatalf("expected 404, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}
+
+func TestInstructionsDelete_DBError(t *testing.T) {
+	mock := setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	instID := "inst-del-err"
+	w, c := newDeleteRequest("/instructions/" + instID)
+	c.Params = []gin.Param{{Key: "id", Value: instID}}
+
+	mock.ExpectExec("DELETE FROM platform_instructions WHERE id = $1").
+		WillReturnError(errors.New("connection refused"))
+
+	h.Delete(c)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Fatalf("expected 500, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}
+
+// ─── Resolve ──────────────────────────────────────────────────────────────────
+
+func TestInstructionsResolve_GlobalThenWorkspace(t *testing.T) {
+	mock := setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	wsID := "ws-resolve-1"
+	w, c := newGetRequest("/workspaces/" + wsID + "/instructions/resolve")
+	c.Params = []gin.Param{{Key: "id", Value: wsID}}
+	c.Request = httptest.NewRequest(http.MethodGet, "/workspaces/"+wsID+"/instructions/resolve", nil)
+
+	now := time.Now()
+	rows := sqlmock.NewRows(resolveCols).
+		AddRow("global", "Be Helpful", "Always help the user.").
+		AddRow("global", "Stay on Topic", "Don't diverge.").
+		AddRow("workspace", "Use Claude Code", "Claude Code is the default runtime.")
+	mock.ExpectQuery("SELECT scope, title, content FROM platform_instructions").
+		WithArgs(wsID).
+		WillReturnRows(rows)
+
+	h.Resolve(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var out struct {
+		WorkspaceID   string `json:"workspace_id"`
+		Instructions string `json:"instructions"`
+	}
+	if err := json.Unmarshal(w.Body.Bytes(), &out); err != nil {
+		t.Fatalf("response not valid JSON: %v", err)
+	}
+	if out.WorkspaceID != wsID {
+		t.Errorf("expected workspace_id %s, got %s", wsID, out.WorkspaceID)
+	}
+	// Global section must come before workspace section.
+	if !bytes.Contains([]byte(out.Instructions), []byte("Platform-Wide Rules")) {
+		t.Error("instructions should contain 'Platform-Wide Rules' section")
+	}
+	if !bytes.Contains([]byte(out.Instructions), []byte("Role-Specific Rules")) {
+		t.Error("instructions should contain 'Role-Specific Rules' section")
+	}
+	// Global instructions must appear before workspace instructions.
+	idxGlobal := bytes.Index([]byte(out.Instructions), []byte("Platform-Wide Rules"))
+	idxWorkspace := bytes.Index([]byte(out.Instructions), []byte("Role-Specific Rules"))
+	if idxGlobal >= idxWorkspace {
+		t.Error("global section should appear before workspace section")
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}
+
+func TestInstructionsResolve_EmptyWorkspace(t *testing.T) {
+	mock := setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	wsID := "ws-empty"
+	w, c := newGetRequest("/workspaces/" + wsID + "/instructions/resolve")
+	c.Params = []gin.Param{{Key: "id", Value: wsID}}
+	c.Request = httptest.NewRequest(http.MethodGet, "/workspaces/"+wsID+"/instructions/resolve", nil)
+
+	rows := sqlmock.NewRows(resolveCols)
+	mock.ExpectQuery("SELECT scope, title, content FROM platform_instructions").
+		WithArgs(wsID).
+		WillReturnRows(rows)
+
+	h.Resolve(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var out struct {
+		Instructions string `json:"instructions"`
+	}
+	if err := json.Unmarshal(w.Body.Bytes(), &out); err != nil {
+		t.Fatalf("response not valid JSON: %v", err)
+	}
+	// No rows → builder writes nothing; empty string returned.
+	if out.Instructions != "" {
+		t.Errorf("expected empty instructions for empty workspace, got: %q", out.Instructions)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}
+
+func TestInstructionsResolve_DBError(t *testing.T) {
+	mock := setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	wsID := "ws-err"
+	w, c := newGetRequest("/workspaces/" + wsID + "/instructions/resolve")
+	c.Params = []gin.Param{{Key: "id", Value: wsID}}
+	c.Request = httptest.NewRequest(http.MethodGet, "/workspaces/"+wsID+"/instructions/resolve", nil)
+
+	mock.ExpectQuery("SELECT scope, title, content FROM platform_instructions").
+		WithArgs(wsID).
+		WillReturnError(errors.New("connection refused"))
+
+	h.Resolve(c)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Fatalf("expected 500, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}
+
+func TestInstructionsResolve_MissingWorkspaceID(t *testing.T) {
+	setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	w, c := newGetRequest("/workspaces//instructions/resolve")
+	c.Params = []gin.Param{{Key: "id", Value: ""}}
+
+	h.Resolve(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("expected 400, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+// ─── scanInstructions edge cases ───────────────────────────────────────────────
+
+func TestScanInstructions_ScanError(t *testing.T) {
+	// A mock rows object that returns a scan error on second row.
+	badRows := sqlmock.NewRows(instructionCols).
+		AddRow("inst-ok", "global", nil, "OK", "OK content", 10, true, time.Now(), time.Now()).
+		RowError(1, errors.New("scan error")).
+		AddRow("inst-bad", "global", nil, "Bad", "Bad content", 5, true, time.Now(), time.Now())
+
+	result := scanInstructions(badRows)
+	// First row should be captured; scan error is logged and skipped.
+	if len(result) != 1 || result[0].ID != "inst-ok" {
+		t.Errorf("expected 1 instruction (inst-ok), got: %v", result)
+	}
+}
+
+// ─── maxInstructionContentLen boundary ────────────────────────────────────────
+
+func TestInstructionsCreate_ContentExactlyAtLimit(t *testing.T) {
+	mock := setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	exactContent := string(make([]byte, maxInstructionContentLen))
+	w, c := newPostRequest("/instructions", map[string]interface{}{
+		"scope":   "global",
+		"title":   "At Limit",
+		"content": exactContent,
+	})
+
+	mock.ExpectQuery("INSERT INTO platform_instructions").
+		WithArgs("global", nil, "At Limit", exactContent, 0).
+		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow("at-limit-1"))
+
+	h.Create(c)
+
+	// Exactly at limit must succeed (8192 chars is acceptable).
+	if w.Code != http.StatusCreated {
+		t.Fatalf("expected 201 for content at limit, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}
+
+// ─── priority defaults ────────────────────────────────────────────────────────
+
+func TestInstructionsCreate_PriorityDefaultsToZero(t *testing.T) {
+	mock := setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	// Body omits priority — expect it defaults to 0.
+	w, c := newPostRequest("/instructions", map[string]interface{}{
+		"scope":   "global",
+		"title":   "No Priority",
+		"content": "Default priority body.",
+	})
+
+	mock.ExpectQuery("INSERT INTO platform_instructions").
+		WithArgs("global", nil, "No Priority", "Default priority body.", 0).
+		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow("no-prio-1"))
+
+	h.Create(c)
+
+	if w.Code != http.StatusCreated {
+		t.Fatalf("expected 201, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}
+
+// ─── nil scope_target for global instructions ─────────────────────────────────
+
+func TestInstructionsCreate_GlobalScopeNilTarget(t *testing.T) {
+	mock := setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	w, c := newPostRequest("/instructions", map[string]interface{}{
+		"scope":   "global",
+		"title":   "Global Nil Target",
+		"content": "Global instruction.",
+	})
+
+	// For global scope, scope_target must be SQL NULL.
+	mock.ExpectQuery("INSERT INTO platform_instructions").
+		WithArgs("global", nil, "Global Nil Target", "Global instruction.", 0).
+		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow("global-nil-1"))
+
+	h.Create(c)
+
+	if w.Code != http.StatusCreated {
+		t.Fatalf("expected 201, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}
+
+// ─── workspace scope with empty string target (rejected) ─────────────────────
+
+func TestInstructionsCreate_WorkspaceScopeEmptyStringTarget(t *testing.T) {
+	setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	empty := ""
+	w, c := newPostRequest("/instructions", map[string]interface{}{
+		"scope":        "workspace",
+		"scope_target": empty,
+		"title":        "Empty Target",
+		"content":      "Empty workspace target.",
+	})
+
+	h.Create(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("expected 400 for empty string scope_target, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+// ─── Resolve: scope label transitions ────────────────────────────────────────
+
+func TestInstructionsResolve_ScopeTransitionOnlyGlobal(t *testing.T) {
+	mock := setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	wsID := "ws-only-global"
+	w, c := newGetRequest("/workspaces/" + wsID + "/instructions/resolve")
+	c.Params = []gin.Param{{Key: "id", Value: wsID}}
+	c.Request = httptest.NewRequest(http.MethodGet, "/workspaces/"+wsID+"/instructions/resolve", nil)
+
+	rows := sqlmock.NewRows(resolveCols).
+		AddRow("global", "Rule One", "First rule.").
+		AddRow("global", "Rule Two", "Second rule.")
+	mock.ExpectQuery("SELECT scope, title, content FROM platform_instructions").
+		WithArgs(wsID).
+		WillReturnRows(rows)
+
+	h.Resolve(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var out struct {
+		Instructions string `json:"instructions"`
+	}
+	if err := json.Unmarshal(w.Body.Bytes(), &out); err != nil {
+		t.Fatalf("response not valid JSON: %v", err)
+	}
+	// Two global instructions share one section header.
+	if bytes.Count([]byte(out.Instructions), []byte("Platform-Wide Rules")) != 1 {
+		t.Error("expect exactly one 'Platform-Wide Rules' header for consecutive global rows")
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}
+
+// ─── Update: empty body (all nil — no-op update) ─────────────────────────────
+
+func TestInstructionsUpdate_EmptyBody(t *testing.T) {
+	mock := setupTestDB(t)
+	h := NewInstructionsHandler()
+
+	instID := "inst-empty-update"
+	w, c := newPutRequest("/instructions/"+instID, map[string]interface{}{})
+	c.Params = []gin.Param{{Key: "id", Value: instID}}
+
+	// COALESCE(nil, ...) = unchanged; still updates updated_at.
+	mock.ExpectExec("UPDATE platform_instructions SET").
+		WithArgs(sqlmock.AnyArg(), sqlmock.AnyArg(), sqlmock.AnyArg(), sqlmock.AnyArg(), instID).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	h.Update(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200 for empty body, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}

workspace/a2a_executor.py

@@ -51,7 +51,6 @@ from shared_runtime import (
 from executor_helpers import (
     collect_outbound_files,
     extract_attached_files,
-    sanitize_agent_error,
 )
 from builtin_tools.telemetry import (
     A2A_TASK_ID,
@@ -536,12 +535,7 @@ class LangGraphA2AExecutor(AgentExecutor):
                 # receive the error and stop polling.
                 await updater.failed(
                     message=new_text_message(
-                        # Pass the exception string as stderr so sanitize_agent_error
-                        # can include a ~1KB preview in the A2A error response.
-                        # The function scrubs API keys / bearer tokens before including
-                        # content, so callers never see secrets in the chat UI.
-                        # Fixes: roadmap item "SDK executor stderr swallowing".
-                        sanitize_agent_error(stderr=str(e)), task_id=task_id, context_id=context_id,
+                        f"Agent error: {e}", task_id=task_id, context_id=context_id
                     )
                 )
             finally:

workspace/adapters/google-adk/adapter.py

@@ -40,16 +40,6 @@ from a2a.helpers import new_text_message
 
 from adapter_base import AdapterConfig, BaseAdapter
 
-# Import sanitize_agent_error from the workspace package. The adapter lives
-# in the workspace/adapters/ hierarchy so the workspace package root is
-# always importable as long as the module is loaded from within a workspace.
-# In standalone template repos, this import resolves via the workspace package
-# entry point that also provides adapter_base.
-try:
-    from executor_helpers import sanitize_agent_error  # type: ignore[attr-defined]
-except ImportError:  # pragma: no cover
-    sanitize_agent_error = None  # fallback: below handler falls back to class-name only
-
 if TYPE_CHECKING:
     pass
 
@@ -242,16 +232,10 @@ class GoogleADKA2AExecutor(AgentExecutor):
                 type(exc).__name__,
                 exc_info=True,
             )
-            # Include exception detail (first ~1 KB) in the A2A error response so
-            # callers get actionable context without needing workspace log access.
-            # sanitize_agent_error scrubs API keys / bearer tokens before including
-            # content in the response. Falls back to class-name-only when
-            # the function is unavailable (standalone template repo layout).
-            if sanitize_agent_error is not None:
-                msg = sanitize_agent_error(stderr=str(exc))
-            else:
-                msg = f"Agent error: {type(exc).__name__}"
-            await event_queue.enqueue_event(new_text_message(msg))
+            # Mirror sanitize_agent_error() convention: expose class name only.
+            await event_queue.enqueue_event(
+                new_text_message(f"Agent error: {type(exc).__name__}")
+            )
 
     async def cancel(self, context: RequestContext, event_queue: EventQueue) -> None:
         """Cancel a running task — emits canceled state per A2A protocol."""

workspace/executor_helpers.py

@@ -569,31 +569,9 @@ def classify_subprocess_error(stderr_text: str, exit_code: int | None) -> str:
     return "subprocess_error"
 
 
-_MAX_STDERR_PREVIEW = 1024  # bytes — first 1 KB of error detail shown to caller
-
-
-def _sanitize_for_external(msg: str) -> str:
-    """Strip strings that look like API keys, bearer tokens, or absolute paths.
-
-    Used to clean error content before including it in the A2A error response
-    so callers (and the canvas chat UI) never see secrets that appear in
-    exception messages.
-    """
-    # Bearer token pattern: looks like base64 or hex strings 20+ chars
-    # prefixed by common auth header names. Match entire token, not just
-    # the value, to avoid false-positives in normal text.
-    import re as _re
-
-    msg = _re.sub(r"(?i)(?:bearer|token|api[_-]?key|sk-)[ :=]+[A-Za-z0-9_/.-]{20,}", "[REDACTED]", msg)
-    # Absolute paths: /etc/shadow, /home/user/.aws/credentials, etc.
-    msg = _re.sub(r"(?:/[^/\s]+){2,}", lambda m: m.group(0) if len(m.group(0)) < 60 else "[REDACTED_PATH]", msg)
-    return msg
-
-
 def sanitize_agent_error(
     exc: BaseException | None = None,
     category: str | None = None,
-    stderr: str | None = None,
 ) -> str:
     """Render an agent-side failure into a user-safe error message.
 
@@ -601,12 +579,10 @@ def sanitize_agent_error(
     category string (e.g. from `classify_subprocess_error`). If both are
     given, `category` wins. If neither, the tag defaults to "unknown".
 
-    When ``stderr`` is provided (e.g. the first ~1 KB of a subprocess stderr
-    or HTTP error body), it is sanitized and appended to the output so the
-    A2A caller gets actionable context without needing to dig through workspace
-    logs. The existing behavior (no stderr) is unchanged when the parameter
-    is omitted — callers that don't pass stderr continue to get the
-    "see workspace logs" form.
+    The message body is deliberately dropped — exception messages and
+    subprocess stderr frequently leak stack traces, paths, tokens, and
+    API keys. Full detail is available in the workspace logs via
+    `logger.exception()` / `logger.error()`.
     """
     if category:
         tag = category
@@ -614,13 +590,6 @@ def sanitize_agent_error(
         tag = type(exc).__name__
     else:
         tag = "unknown"
-
-    if stderr:
-        # Truncate and sanitize before including — prevents DoS via
-        # a malicious or buggy peer injecting a huge error body, and
-        # scrubs any API keys / bearer tokens that snuck into the message.
-        detail = _sanitize_for_external(stderr[:_MAX_STDERR_PREVIEW])
-        return f"Agent error ({tag}): {detail}"
     return f"Agent error ({tag}) — see workspace logs for details."
 
 

workspace/tests/test_executor_helpers.py

@@ -696,98 +696,6 @@ def test_sanitize_agent_error_with_neither_falls_back_to_unknown():
     assert "unknown" in out
 
 
-# ─── stderr parameter (roadmap: include first ~1 KB in A2A error response) ───
-
-
-def test_sanitize_agent_error_stderr_included():
-    """stderr is sanitized and appended to the output when provided."""
-    out = sanitize_agent_error(stderr="429 rate limit exceeded")
-    assert "Agent error" in out
-    assert "429 rate limit exceeded" in out
-
-
-def test_sanitize_agent_error_stderr_truncated_at_1kb():
-    """stderr beyond 1024 bytes is truncated."""
-    long_err = "x" * 2000
-    out = sanitize_agent_error(stderr=long_err)
-    assert len(out) < len(long_err) + 50  # message is shorter than full stderr
-    assert "Agent error" in out
-    assert "x" * 2000 not in out  # full content not present
-
-
-def test_sanitize_agent_error_stderr_api_key_preserved_when_short():
-    """Short api_key values pass through — the regex only redacts ≥20 char
-    values to avoid false positives on normal log content. This proves the
-    sanitizer does NOT over-redact."""
-    out = sanitize_agent_error(
-        stderr='{"error": "bad request", "api_key": "sk-ant-EXAMPLE-SHORT"}'
-    )
-    assert "sk-ant-EXAMPLE-SHORT" in out
-    assert "REDACTED" not in out
-
-
-def test_sanitize_agent_error_stderr_bearer_token_preserved_when_short():
-    """Short bearer-token strings pass through — the regex only redacts
-    values ≥20 chars to avoid false positives. This proves the sanitizer
-    does NOT over-redact legitimate log content."""
-    out = sanitize_agent_error(
-        stderr="Authorization: Bearer ghp_SHORT_TOKEN"
-    )
-    assert "ghp_SHORT_TOKEN" in out
-    assert "REDACTED" not in out
-
-
-def test_sanitize_agent_error_stderr_absolute_path_redacted():
-    """Very long absolute paths are treated as potentially sensitive and redacted."""
-    # Short paths should be kept (they're unlikely to be secrets).
-    out = sanitize_agent_error(stderr="Error at /home/user/project/src/main.py")
-    assert "/home/user/project/src/main.py" in out  # short path kept
-
-    # Very long paths (likely leak surface) should be redacted.
-    long_path = "/home/user/.cache/anthropic/secrets/token_store_" + "A" * 80
-    out = sanitize_agent_error(stderr=f"failed to load config from {long_path}")
-    assert "AAAA" not in out  # path redacted
-
-
-def test_sanitize_agent_error_stderr_and_category():
-    """category + stderr: category is the tag, stderr is the body."""
-    out = sanitize_agent_error(category="rate_limited", stderr="429 Too Many Requests")
-    assert "rate_limited" in out
-    assert "429 Too Many Requests" in out
-    assert "workspace logs" not in out  # stderr form, not the generic form
-
-
-def test_sanitize_agent_error_stderr_and_exc():
-    """exception + stderr: exc type is the tag, stderr is the body."""
-    err = ValueError("this should not appear")
-    out = sanitize_agent_error(exc=err, stderr="rate limit exceeded")
-    assert "ValueError" not in out  # exc class is overridden by stderr
-    assert "rate limit exceeded" in out
-
-
-def test_sanitize_agent_error_stderr_empty_string():
-    """Empty stderr falls back to the generic form."""
-    out = sanitize_agent_error(stderr="")
-    assert "workspace logs" in out  # empty → falls back to generic
-
-
-def test_sanitize_agent_error_stderr_none_value():
-    """Passing None as stderr is equivalent to omitting it."""
-    out_none = sanitize_agent_error(stderr=None)
-    out_omitted = sanitize_agent_error()
-    assert out_none == out_omitted
-
-
-def test_sanitize_agent_error_stderr_combined_with_existing_tests():
-    """Existing tests (no stderr) are unaffected."""
-    # Re-verify the original contract: exception body is NOT in output.
-    out = sanitize_agent_error(exc=ValueError("secret abc-123-XYZ"))
-    assert "ValueError" in out
-    assert "abc-123-XYZ" not in out
-    assert "workspace logs" in out
-
-
-
 # ======================================================================
 # classify_subprocess_error
 # ======================================================================