Merge branch 'main' into sweep/internal-219-cat-B-delete-github-only

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitea/scripts/sop-tier-check.sh

@@ -44,39 +44,6 @@
 
 set -euo pipefail
 
-# Ensure jq is available. Runners may not have it pre-installed, and the
-# workflow-level jq install can fail on runners with network restrictions
-# (GitHub releases not reachable from some runner networks — infra#241
-# follow-up). This fallback is idempotent — no-op when jq is already on PATH.
-# SOP_FAIL_OPEN=1 makes this always exit 0 so CI never blocks on jq absence.
-if ! command -v jq >/dev/null 2>&1; then
-  echo "::notice::jq not found on PATH — attempting install..."
-  _jq_installed="no"
-  # apt-get first (primary) — Ubuntu package mirrors are reliably reachable.
-  if apt-get update -qq && apt-get install -y -qq jq 2>/dev/null; then
-    echo "::notice::jq installed via apt-get: $(jq --version)"
-    _jq_installed="yes"
-  # GitHub binary as secondary fallback — may fail on restricted networks.
-  elif timeout 120 curl -sSL \
-    "https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-amd64" \
-    -o /usr/local/bin/jq \
-    && chmod +x /usr/local/bin/jq; then
-    echo "::notice::jq binary downloaded: $(/usr/local/bin/jq --version)"
-    _jq_installed="yes"
-  fi
-  if ! command -v jq >/dev/null 2>&1; then
-    echo "::error::jq installation failed — apt-get and GitHub binary both failed."
-    echo "::error::sop-tier-check requires jq for all JSON API parsing."
-    # SOP_FAIL_OPEN=1 is set in the workflow step's env — makes script always
-    # exit 0 so CI never blocks. The SOP-6 tier review gate remains enforced.
-    if [ "${SOP_FAIL_OPEN:-}" = "1" ]; then
-      echo "::warning::SOP_FAIL_OPEN=1 — exiting 0 so CI does not block."
-      exit 0
-    fi
-    exit 1
-  fi
-fi
-
 debug() {
   if [ "${SOP_DEBUG:-}" = "1" ]; then
     echo "  [debug] $*" >&2
@@ -96,27 +63,16 @@ API="https://${GITEA_HOST}/api/v1"
 AUTH="Authorization: token ${GITEA_TOKEN}"
 echo "::notice::tier-check start: repo=$OWNER/$NAME pr=$PR_NUMBER author=$PR_AUTHOR"
 
-# Sanity: token resolves to a user.
-# Use || true on the jq pipeline so that set -euo pipefail (line 45) does not
-# cause the script to exit prematurely when the token is empty/invalid — the
-# if check below handles that case gracefully. Without || true, a 401 from an
-# empty/invalid token causes jq to exit 1, triggering set -e and exiting the
-# entire script before SOP_FAIL_OPEN can be evaluated (the check is in the jq-
-# install block; if jq is already on PATH, that block is skipped entirely).
-WHOAMI=$(curl -sS -H "$AUTH" "${API}/user" | jq -r '.login // ""') || true
+# Sanity: token resolves to a user
+WHOAMI=$(curl -sS -H "$AUTH" "${API}/user" | jq -r '.login // ""')
 if [ -z "$WHOAMI" ]; then
   echo "::error::GITEA_TOKEN cannot resolve a user via /api/v1/user — check the token scope and that the secret is wired correctly."
-  if [ "${SOP_FAIL_OPEN:-}" = "1" ]; then
-    echo "::warning::SOP_FAIL_OPEN=1 — exiting 0 so CI does not block."
-    exit 0
-  fi
   exit 1
 fi
 echo "::notice::token resolves to user: $WHOAMI"
 
-# 1. Read tier label. || true ensures set -euo pipefail does not abort the
-# script if curl or jq fails (e.g. 401 from empty token).
-LABELS=$(curl -sS -H "$AUTH" "${API}/repos/${OWNER}/${NAME}/issues/${PR_NUMBER}/labels" | jq -r '.[].name') || true
+# 1. Read tier label
+LABELS=$(curl -sS -H "$AUTH" "${API}/repos/${OWNER}/${NAME}/issues/${PR_NUMBER}/labels" | jq -r '.[].name')
 TIER=""
 for L in $LABELS; do
   case "$L" in
@@ -187,25 +143,17 @@ fi
 # 4. Resolve all team names → IDs
 # /orgs/{org}/teams/{slug}/... endpoints don't exist on Gitea 1.22;
 # we use /teams/{id}.
-# set +e prevents set -e from aborting the script if curl fails (e.g. empty token).
 ORG_TEAMS_FILE=$(mktemp)
 trap 'rm -f "$ORG_TEAMS_FILE"' EXIT
-set +e
 HTTP_CODE=$(curl -sS -o "$ORG_TEAMS_FILE" -w '%{http_code}' -H "$AUTH" \
   "${API}/orgs/${OWNER}/teams")
-_HTTP_EXIT=$?
-set -e
-debug "teams-list HTTP=$HTTP_CODE (curl exit=$_HTTP_EXIT) size=$(wc -c <"$ORG_TEAMS_FILE")"
+debug "teams-list HTTP=$HTTP_CODE size=$(wc -c <"$ORG_TEAMS_FILE")"
 if [ "${SOP_DEBUG:-}" = "1" ]; then
   echo "  [debug] teams-list body (first 300 chars):" >&2
   head -c 300 "$ORG_TEAMS_FILE" >&2; echo >&2
 fi
-if [ "$_HTTP_EXIT" -ne 0 ] || [ "$HTTP_CODE" != "200" ]; then
-  echo "::error::GET /orgs/${OWNER}/teams failed (curl exit=$_HTTP_EXIT HTTP=$HTTP_CODE) — token may lack read:org scope or be invalid."
-  if [ "${SOP_FAIL_OPEN:-}" = "1" ]; then
-    echo "::warning::SOP_FAIL_OPEN=1 — exiting 0 so CI does not block."
-    exit 0
-  fi
+if [ "$HTTP_CODE" != "200" ]; then
+  echo "::error::GET /orgs/${OWNER}/teams returned HTTP $HTTP_CODE — token likely lacks read:org scope."
   exit 1
 fi
 
@@ -250,22 +198,9 @@ for _t in $_all_teams; do
   debug "team-id: $_t → $_id"
 done
 
-# 5. Read approving reviewers. set +e disables set -e temporarily so that curl
-# failures (e.g. empty/invalid token → HTTP 401) do not abort the script before
-# SOP_FAIL_OPEN is evaluated. set -e is restored immediately after.
-set +e
+# 5. Read approving reviewers
 REVIEWS=$(curl -sS -H "$AUTH" "${API}/repos/${OWNER}/${NAME}/pulls/${PR_NUMBER}/reviews")
-_REVIEWS_EXIT=$?
-set -e
-if [ $_REVIEWS_EXIT -ne 0 ] || [ -z "$REVIEWS" ]; then
-  echo "::error::Failed to fetch reviews (curl exit=$_REVIEWS_EXIT) — token may be invalid or unreachable."
-  if [ "${SOP_FAIL_OPEN:-}" = "1" ]; then
-    echo "::warning::SOP_FAIL_OPEN=1 — exiting 0 so CI does not block."
-    exit 0
-  fi
-  exit 1
-fi
-APPROVERS=$(echo "$REVIEWS" | jq -r '[.[] | select(.state=="APPROVED") | .user.login] | unique | .[]') || true
+APPROVERS=$(echo "$REVIEWS" | jq -r '[.[] | select(.state=="APPROVED") | .user.login] | unique | .[]')
 if [ -z "$APPROVERS" ]; then
   echo "::error::No approving reviews on this PR. Set SOP_DEBUG=1 and re-run for diagnostics."
   exit 1

.gitea/workflows/canary-staging.yml

@@ -0,0 +1,310 @@
+name: Canary — staging SaaS smoke (every 30 min)
+
+# Ported from .github/workflows/canary-staging.yml on 2026-05-11 per RFC
+# internal#219 §1 sweep. Differences from the GitHub version:
+#   - Dropped `workflow_dispatch.inputs` (Gitea 1.22.6 parser rejects them
+#     per feedback_gitea_workflow_dispatch_inputs_unsupported).
+#   - Dropped `merge_group:` (no Gitea merge queue).
+#   - Dropped `environment:` blocks (Gitea has no environments).
+#   - Workflow-level env.GITHUB_SERVER_URL pinned per
+#     feedback_act_runner_github_server_url.
+#   - `continue-on-error: true` on each job (RFC §1 contract).
+#
+
+# Minimum viable health check: provisions one Hermes workspace on a fresh
+# staging org, sends one A2A message, verifies PONG, tears down. ~8 min
+# wall clock. Pages on failure by opening a GitHub issue; auto-closes the
+# issue on the next green run.
+#
+# The full-SaaS workflow (e2e-staging-saas.yml) covers the broader surface
+# but runs only on provisioning-critical pushes + nightly — this one
+# catches drift in the 30-min window between those runs (AMI health, CF
+# cert rotation, WorkOS session stability, etc.).
+#
+# Lean mode: E2E_MODE=canary skips the child workspace + HMA memory +
+# peers/activity checks. One parent workspace + one A2A turn is enough
+# to signal "SaaS stack end-to-end is alive."
+
+on:
+  schedule:
+    # Every 30 min. Cron on GitHub-hosted runners has a known drift of
+    # a few minutes under load — that's fine for a canary.
+    - cron: '*/30 * * * *'
+# Serialise with the full-SaaS workflow so they don't contend for the
+# same org-create quota on staging. Different group key from
+# e2e-staging-saas since we don't mind queueing canaries behind one
+# full run, but two canaries SHOULD queue against each other.
+concurrency:
+  group: canary-staging
+  cancel-in-progress: false
+
+permissions:
+  # Needed to open / close the alerting issue.
+  issues: write
+  contents: read
+
+env:
+  GITHUB_SERVER_URL: https://git.moleculesai.app
+
+jobs:
+  canary:
+    name: Canary smoke
+    runs-on: ubuntu-latest
+    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
+    continue-on-error: true
+    # 25 min headroom over the 15-min TLS-readiness deadline in
+    # tests/e2e/test_staging_full_saas.sh (#2107). Without the buffer
+    # the job is killed at the wall-clock 15:00 mark BEFORE the bash
+    # `fail` + diagnostic burst can fire, leaving every cancellation
+    # silent. Sibling staging E2E jobs run at 20-45 min — keeping
+    # canary tighter than them so a true wedge still surfaces here
+    # first.
+    timeout-minutes: 25
+
+    env:
+      MOLECULE_CP_URL: https://staging-api.moleculesai.app
+      MOLECULE_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
+      # MiniMax is the canary's PRIMARY LLM auth path post-2026-05-04.
+      # Switched from hermes+OpenAI after #2578 (the staging OpenAI key
+      # account went over quota and stayed dead for 36+ hours, taking
+      # the canary red the entire time). claude-code template's
+      # `minimax` provider routes ANTHROPIC_BASE_URL to
+      # api.minimax.io/anthropic and reads MINIMAX_API_KEY at boot —
+      # ~5-10x cheaper per token than gpt-4.1-mini AND on a separate
+      # billing account, so OpenAI quota collapse no longer wedges the
+      # canary. Mirrors the migration continuous-synth-e2e.yml made on
+      # 2026-05-03 (#265) for the same reason. tests/e2e/test_staging_
+      # full_saas.sh branches SECRETS_JSON on which key is present —
+      # MiniMax wins when set.
+      E2E_MINIMAX_API_KEY: ${{ secrets.MOLECULE_STAGING_MINIMAX_API_KEY }}
+      # Direct-Anthropic alternative for operators who don't want to
+      # set up a MiniMax account (priority below MiniMax — first
+      # non-empty wins in test_staging_full_saas.sh's secrets-injection
+      # block). See #2578 PR comment for the rationale.
+      E2E_ANTHROPIC_API_KEY: ${{ secrets.MOLECULE_STAGING_ANTHROPIC_API_KEY }}
+      # OpenAI fallback — kept wired so an operator-dispatched run with
+      # E2E_RUNTIME=hermes overridden via workflow_dispatch can still
+      # exercise the OpenAI path without re-editing the workflow.
+      E2E_OPENAI_API_KEY: ${{ secrets.MOLECULE_STAGING_OPENAI_KEY }}
+      E2E_MODE: canary
+      E2E_RUNTIME: claude-code
+      # Pin the canary to a specific MiniMax model rather than relying
+      # on the per-runtime default (which could resolve to "sonnet" →
+      # direct Anthropic and defeat the cost saving). M2.7-highspeed
+      # is "Token Plan only" but cheap-per-token and fast.
+      E2E_MODEL_SLUG: MiniMax-M2.7-highspeed
+      E2E_RUN_ID: "canary-${{ github.run_id }}"
+      # Debug-only: when an operator dispatches with keep_on_failure=true,
+      # the canary script's E2E_KEEP_ORG=1 path skips teardown so the
+      # tenant org + EC2 stay alive for SSM-based log capture. Cron runs
+      # never set this (the input only exists on workflow_dispatch) so
+      # unattended cron always tears down. See molecule-core#129
+      # failure mode #1 — capturing the actual exception requires
+      # docker logs from the live container.
+      E2E_KEEP_ORG: ${{ github.event.inputs.keep_on_failure == 'true' && '1' || '0' }}
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Verify admin token present
+        run: |
+          if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
+            echo "::error::MOLECULE_STAGING_ADMIN_TOKEN not set"
+            exit 2
+          fi
+
+      - name: Verify LLM key present
+        run: |
+          # Per-runtime key check — claude-code uses MiniMax; hermes /
+          # langgraph (operator-dispatched only) use OpenAI. Hard-fail
+          # rather than soft-skip per the lesson from synth E2E #2578:
+          # an empty key silently falls through to the wrong
+          # SECRETS_JSON branch and the canary fails 5 min later with
+          # a confusing auth error instead of the clean "secret
+          # missing" message at the top.
+          case "${E2E_RUNTIME}" in
+            claude-code)
+              # Either MiniMax OR direct-Anthropic works — first
+              # non-empty wins in the test script's secrets-injection
+              # priority chain. Operators only need to set ONE of these
+              # secrets; we don't force a choice between them.
+              if [ -n "${E2E_MINIMAX_API_KEY:-}" ]; then
+                required_secret_name="MOLECULE_STAGING_MINIMAX_API_KEY"
+                required_secret_value="${E2E_MINIMAX_API_KEY}"
+              elif [ -n "${E2E_ANTHROPIC_API_KEY:-}" ]; then
+                required_secret_name="MOLECULE_STAGING_ANTHROPIC_API_KEY"
+                required_secret_value="${E2E_ANTHROPIC_API_KEY}"
+              else
+                required_secret_name="MOLECULE_STAGING_MINIMAX_API_KEY or MOLECULE_STAGING_ANTHROPIC_API_KEY"
+                required_secret_value=""
+              fi
+              ;;
+            langgraph|hermes)
+              required_secret_name="MOLECULE_STAGING_OPENAI_KEY"
+              required_secret_value="${E2E_OPENAI_API_KEY:-}"
+              ;;
+            *)
+              echo "::warning::Unknown E2E_RUNTIME='${E2E_RUNTIME}' — skipping LLM-key check"
+              required_secret_name=""
+              required_secret_value="present"
+              ;;
+          esac
+          if [ -n "$required_secret_name" ] && [ -z "$required_secret_value" ]; then
+            echo "::error::${required_secret_name} secret not set for runtime=${E2E_RUNTIME} — A2A will fail at request time with 'No LLM provider configured'"
+            exit 2
+          fi
+          echo "LLM key present ✓ (runtime=${E2E_RUNTIME}, key=${required_secret_name}, len=${#required_secret_value})"
+
+      - name: Canary run
+        id: canary
+        run: bash tests/e2e/test_staging_full_saas.sh
+
+      # Alerting: open a sticky issue on the FIRST failure; comment on
+      # subsequent failures; auto-close on next green. Comment-on-existing
+      # de-duplicates so a single open issue accumulates the streak —
+      # ops sees one issue with N comments rather than N issues.
+      #
+      # Why no consecutive-failures threshold (e.g., wait 3 runs before
+      # filing): the prior threshold check used
+      # `github.rest.actions.listWorkflowRuns()` which Gitea 1.22.6 does
+      # not expose (returns 404). On Gitea Actions the threshold call
+      # ALWAYS failed, breaking the entire alerting step and going days
+      # silent on real regressions (38h+ chronic red on 2026-05-07/08
+      # before this fix; tracked in molecule-core#129). Filing on first
+      # failure is also better UX — we want to know about the first red,
+      # not wait 90 min for it to "count." Real flakes get one issue +
+      # a quick close-on-green; persistent reds accumulate comments.
+      - name: Open issue on failure (Gitea API)
+        if: failure()
+        env:
+          GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
+          SERVER_URL: ${{ env.GITHUB_SERVER_URL }}
+          RUN_ID: ${{ github.run_id }}
+        run: |
+          set -euo pipefail
+          API="${SERVER_URL%/}/api/v1"
+          TITLE="Canary failing: staging SaaS smoke"
+          RUN_URL="${SERVER_URL}/${REPO}/actions/runs/${RUN_ID}"
+
+          EXISTING=$(curl -fsS -H "Authorization: token $GITEA_TOKEN" \
+            "${API}/repos/${REPO}/issues?state=open&type=issues&limit=50" \
+            | jq -r --arg t "$TITLE" '.[] | select(.title==$t) | .number' | head -1)
+
+          if [ -n "$EXISTING" ]; then
+            curl -fsS -X POST -H "Authorization: token $GITEA_TOKEN" -H "Content-Type: application/json" \
+              "${API}/repos/${REPO}/issues/${EXISTING}/comments" \
+              -d "$(jq -nc --arg run "$RUN_URL" '{body: ("Canary still failing. " + $run)}')" >/dev/null
+            echo "Commented on existing issue #${EXISTING}"
+          else
+            NOW=$(date -u +%Y-%m-%dT%H:%M:%SZ)
+            BODY=$(jq -nc --arg t "$TITLE" --arg now "$NOW" --arg run "$RUN_URL" \
+              '{title: $t, body: ("Canary run failed at " + $now + ".\n\nRun: " + $run + "\n\nThis issue auto-closes on the next green canary run. Consecutive failures add a comment here rather than a new issue.")}')
+            curl -fsS -X POST -H "Authorization: token $GITEA_TOKEN" -H "Content-Type: application/json" \
+              "${API}/repos/${REPO}/issues" -d "$BODY" >/dev/null
+            echo "Opened canary failure issue (first red)"
+          fi
+
+      - name: Auto-close canary issue on success (Gitea API)
+        if: success()
+        env:
+          GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
+          SERVER_URL: ${{ env.GITHUB_SERVER_URL }}
+          RUN_ID: ${{ github.run_id }}
+        run: |
+          set -euo pipefail
+          API="${SERVER_URL%/}/api/v1"
+          TITLE="Canary failing: staging SaaS smoke"
+
+          NUMS=$(curl -fsS -H "Authorization: token $GITEA_TOKEN" \
+            "${API}/repos/${REPO}/issues?state=open&type=issues&limit=50" \
+            | jq -r --arg t "$TITLE" '.[] | select(.title==$t) | .number')
+
+          NOW=$(date -u +%Y-%m-%dT%H:%M:%SZ)
+          for N in $NUMS; do
+            curl -fsS -X POST -H "Authorization: token $GITEA_TOKEN" -H "Content-Type: application/json" \
+              "${API}/repos/${REPO}/issues/${N}/comments" \
+              -d "$(jq -nc --arg now "$NOW" '{body: ("Canary recovered at " + $now + ". Closing.")}')" >/dev/null
+            curl -fsS -X PATCH -H "Authorization: token $GITEA_TOKEN" -H "Content-Type: application/json" \
+              "${API}/repos/${REPO}/issues/${N}" -d '{"state":"closed"}' >/dev/null
+            echo "Closed recovered canary issue #${N}"
+          done
+
+      - name: Teardown safety net
+        if: always()
+        env:
+          ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
+        run: |
+          set +e
+          # Slug prefix matches what test_staging_full_saas.sh emits
+          # in canary mode:
+          #   SLUG="e2e-canary-$(date +%Y%m%d)-${RUN_ID_SUFFIX}"
+          # Earlier this was `e2e-{today}-canary-` — that was the
+          # full-mode pattern (date FIRST, mode SECOND); canary slugs
+          # have mode FIRST, date SECOND. The mismatch silently
+          # never matched, leaving every cancelled-canary EC2 alive
+          # until the once-an-hour sweep eventually caught it
+          # (incident 2026-04-26 21:03Z: 1h25m EC2 leak before manual
+          # cleanup; same gap on three earlier cancellations today).
+          orgs=$(curl -sS "$MOLECULE_CP_URL/cp/admin/orgs" \
+            -H "Authorization: Bearer $ADMIN_TOKEN" 2>/dev/null \
+            | python3 -c "
+          import json, sys, os, datetime
+          run_id = os.environ.get('GITHUB_RUN_ID', '')
+          d = json.load(sys.stdin)
+          # Scope to slugs from THIS canary run when GITHUB_RUN_ID is
+          # available; the canary workflow sets E2E_RUN_ID='canary-\${run_id}'
+          # so the slug suffix is '-canary-\${run_id}-...'. Mirrors the
+          # full-mode safety net's per-run scoping (e2e-staging-saas.yml)
+          # added after the 2026-04-21 cross-run cleanup incident.
+          # Sweep both today AND yesterday's UTC dates so a run that
+          # crosses midnight still cleans up its own slug — see the
+          # 2026-04-26→27 canvas-safety-net incident.
+          today = datetime.date.today()
+          yesterday = today - datetime.timedelta(days=1)
+          dates = (today.strftime('%Y%m%d'), yesterday.strftime('%Y%m%d'))
+          if run_id:
+              prefixes = tuple(f'e2e-canary-{d}-canary-{run_id}' for d in dates)
+          else:
+              prefixes = tuple(f'e2e-canary-{d}-' for d in dates)
+          candidates = [o['slug'] for o in d.get('orgs', [])
+                        if any(o.get('slug','').startswith(p) for p in prefixes)
+                        and o.get('status') not in ('purged',)]
+          print('\n'.join(candidates))
+          " 2>/dev/null)
+          # Per-slug DELETE with HTTP-code verification. The previous
+          # `... >/dev/null || true` swallowed every failure, so a 5xx
+          # or timeout from CP looked identical to "successfully cleaned
+          # up" and the tenant kept eating ~2 vCPU until the hourly
+          # stale sweep caught it (up to 2h later). Now we capture the
+          # response code and surface non-2xx as a workflow warning, so
+          # the run page shows which slug leaked. We still don't `exit 1`
+          # on cleanup failure — a single-canary cleanup miss shouldn't
+          # fail-flag the canary itself when the actual smoke check
+          # passed. The sweep-stale-e2e-orgs cron (now every 15 min,
+          # 30-min threshold) is the safety net for whatever slips past.
+          # See molecule-controlplane#420.
+          leaks=()
+          for slug in $orgs; do
+            # Tempfile-routed -w + set +e/-e prevents curl-exit-code
+            # pollution of the captured status (lint-curl-status-capture.yml).
+            set +e
+            curl -sS -o /tmp/canary-cleanup.out -w "%{http_code}" \
+              -X DELETE "$MOLECULE_CP_URL/cp/admin/tenants/$slug" \
+              -H "Authorization: Bearer $ADMIN_TOKEN" \
+              -H "Content-Type: application/json" \
+              -d "{\"confirm\":\"$slug\"}" >/tmp/canary-cleanup.code
+            set -e
+            code=$(cat /tmp/canary-cleanup.code 2>/dev/null || echo "000")
+            if [ "$code" = "200" ] || [ "$code" = "204" ]; then
+              echo "[teardown] deleted $slug (HTTP $code)"
+            else
+              echo "::warning::canary teardown for $slug returned HTTP $code — sweep-stale-e2e-orgs will catch it within ~45 min. Body: $(head -c 300 /tmp/canary-cleanup.out 2>/dev/null)"
+              leaks+=("$slug")
+            fi
+          done
+          if [ ${#leaks[@]} -gt 0 ]; then
+            echo "::warning::canary teardown left ${#leaks[@]} leak(s): ${leaks[*]}"
+          fi
+          exit 0

.gitea/workflows/canary-verify.yml

@@ -0,0 +1,276 @@
+name: canary-verify
+
+# Ported from .github/workflows/canary-verify.yml on 2026-05-11 per RFC
+# internal#219 §1 sweep. Differences from the GitHub version:
+#   - Dropped `workflow_dispatch.inputs` (Gitea 1.22.6 parser rejects them
+#     per feedback_gitea_workflow_dispatch_inputs_unsupported).
+#   - Dropped `merge_group:` (no Gitea merge queue).
+#   - Dropped `environment:` blocks (Gitea has no environments).
+#   - Workflow-level env.GITHUB_SERVER_URL pinned per
+#     feedback_act_runner_github_server_url.
+#   - `continue-on-error: true` on each job (RFC §1 contract).
+#   - **Gitea workflow_run trigger limitation**: Gitea 1.22.6's support
+#     for the `workflow_run` event is partial. If this never fires on a
+#     real publish-workspace-server-image completion, the follow-up
+#     triage PR should replace the trigger with a push-with-paths-filter
+#     on the same publish workflow's path (i.e. `.gitea/workflows/publish-workspace-server-image.yml`).
+#
+
+# Runs the canary smoke suite against the staging canary tenant fleet
+# after a new :staging-<sha> image lands in ECR. On green, calls the
+# CP redeploy-fleet endpoint to promote :staging-<sha> → :latest so
+# the prod tenant fleet's 5-minute auto-updater picks up the verified
+# digest. On red, :latest stays on the prior known-good digest and
+# prod is untouched.
+#
+# Registry note (2026-05-10): This workflow previously used GHCR
+# (ghcr.io/molecule-ai/platform-tenant) — that registry was retired
+# during the 2026-05-06 Gitea suspension migration when publish-
+# workspace-server-image.yml switched to the operator's ECR org
+# (153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/
+# platform-tenant). The GHCR → ECR migration was never applied to
+# this file, so canary-verify was silently smoke-testing the stale
+# GHCR image while the actual staging/prod tenants ran the ECR image.
+# Result: smoke tests could not catch a broken ECR build. Fix:
+#   - Wait step: reads SHA from running canary /health (tenant-
+#     agnostic, works regardless of registry).
+#   - Promote step: calls CP redeploy-fleet endpoint with target_tag=
+#     staging-<sha>, same mechanism as redeploy-tenants-on-main.yml.
+#     No longer attempts GHCR crane ops.
+#
+# Dependencies:
+#   - publish-workspace-server-image.yml publishes :staging-<sha>
+#     to ECR on staging and main merges.
+#   - Canary tenants are configured to pull :staging-<sha> from ECR
+#     (TENANT_IMAGE env set to the ECR :staging-<sha> tag).
+#   - Repo secrets CANARY_TENANT_URLS / CANARY_ADMIN_TOKENS /
+#     CANARY_CP_SHARED_SECRET are populated.
+
+on:
+  workflow_run:
+    workflows: ["publish-workspace-server-image"]
+    types: [completed]
+permissions:
+  contents: read
+  packages: write
+  actions: read
+
+env:
+  # ECR registry (post-2026-05-06 SSOT for tenant images).
+  # publish-workspace-server-image.yml pushes here.
+  IMAGE_NAME: 153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/platform
+  TENANT_IMAGE_NAME: 153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/platform-tenant
+  # CP endpoint for redeploy-fleet (used in promote step below).
+  CP_URL: ${{ vars.CP_URL || 'https://staging-api.moleculesai.app' }}
+  GITHUB_SERVER_URL: https://git.moleculesai.app
+
+jobs:
+  canary-smoke:
+    # Skip when the upstream workflow failed — no image to test against.
+    # workflow_dispatch trigger dropped in this Gitea port; only the
+    # workflow_run path remains.
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
+    continue-on-error: true
+    outputs:
+      sha: ${{ steps.compute.outputs.sha }}
+      smoke_ran: ${{ steps.smoke.outputs.ran }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Compute sha
+        id: compute
+        run: echo "sha=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"
+
+      - name: Wait for canary tenants to pick up :staging-<sha>
+        # Poll canary health endpoints every 30s for up to 7 min instead
+        # of a fixed 6-min sleep. Exits as soon as ALL canaries report
+        # the new SHA (~2-3 min typical vs 6 min fixed). Falls back to
+        # proceeding after 7 min even if not all canaries responded —
+        # the smoke suite will catch any that didn't update.
+        #
+        # NOTE: The SHA is read from the running tenant's /health response,
+        # NOT from a registry lookup. This is registry-agnostic and works
+        # regardless of whether the tenant pulls from ECR, GHCR, or any
+        # other registry — the canary is telling us what it's actually
+        # running, which is the ground truth for smoke testing.
+        env:
+          CANARY_TENANT_URLS: ${{ secrets.CANARY_TENANT_URLS }}
+          EXPECTED_SHA: ${{ steps.compute.outputs.sha }}
+        run: |
+          if [ -z "$CANARY_TENANT_URLS" ]; then
+            echo "No canary URLs configured — falling back to 60s wait"
+            sleep 60
+            exit 0
+          fi
+          IFS=',' read -ra URLS <<< "$CANARY_TENANT_URLS"
+          MAX_WAIT=420  # 7 minutes
+          INTERVAL=30
+          ELAPSED=0
+          while [ $ELAPSED -lt $MAX_WAIT ]; do
+            ALL_READY=true
+            for url in "${URLS[@]}"; do
+              HEALTH=$(curl -s --max-time 5 "${url}/health" 2>/dev/null || echo "{}")
+              SHA=$(echo "$HEALTH" | grep -o "\"sha\":\"[^\"]*\"" | head -1 | cut -d'"' -f4)
+              if [ "$SHA" != "$EXPECTED_SHA" ]; then
+                ALL_READY=false
+                break
+              fi
+            done
+            if $ALL_READY; then
+              echo "All canaries running staging-${EXPECTED_SHA} after ${ELAPSED}s"
+              exit 0
+            fi
+            echo "Waiting for canaries... (${ELAPSED}s / ${MAX_WAIT}s)"
+            sleep $INTERVAL
+            ELAPSED=$((ELAPSED + INTERVAL))
+          done
+          echo "Timeout after ${MAX_WAIT}s — proceeding anyway (smoke suite will validate)"
+
+      - name: Run canary smoke suite
+        id: smoke
+        # Graceful-skip when no canary fleet is configured (Phase 2 not yet
+        # stood up — see molecule-controlplane/docs/canary-tenants.md).
+        # Sets `ran=false` on skip so promote-to-latest stays off (we don't
+        # want every main merge auto-promoting without gating). Manual
+        # promote-latest.yml is the release gate while canary is absent.
+        # Once the fleet is real: delete the early-exit branch.
+        env:
+          CANARY_TENANT_URLS: ${{ secrets.CANARY_TENANT_URLS }}
+          CANARY_ADMIN_TOKENS: ${{ secrets.CANARY_ADMIN_TOKENS }}
+          CANARY_CP_BASE_URL: https://staging-api.moleculesai.app
+          CANARY_CP_SHARED_SECRET: ${{ secrets.CANARY_CP_SHARED_SECRET }}
+        run: |
+          set -euo pipefail
+          if [ -z "${CANARY_TENANT_URLS:-}" ] \
+            || [ -z "${CANARY_ADMIN_TOKENS:-}" ] \
+            || [ -z "${CANARY_CP_SHARED_SECRET:-}" ]; then
+            {
+              echo "## ⚠️ canary-verify skipped"
+              echo
+              echo "One or more canary secrets are unset (\`CANARY_TENANT_URLS\`, \`CANARY_ADMIN_TOKENS\`, \`CANARY_CP_SHARED_SECRET\`)."
+              echo "Phase 2 canary fleet has not been stood up yet —"
+              echo "see [canary-tenants.md](https://git.moleculesai.app/molecule-ai/molecule-controlplane/blob/main/docs/canary-tenants.md)."
+              echo
+              echo "**Skipped — promote-to-latest will NOT auto-fire.** Dispatch \`promote-latest.yml\` manually when ready."
+            } >> "$GITHUB_STEP_SUMMARY"
+            echo "ran=false" >> "$GITHUB_OUTPUT"
+            echo "::notice::canary-verify: skipped — no canary fleet configured"
+            exit 0
+          fi
+          bash scripts/canary-smoke.sh
+          echo "ran=true" >> "$GITHUB_OUTPUT"
+
+      - name: Summary on failure
+        if: ${{ failure() }}
+        run: |
+          {
+            echo "## Canary smoke FAILED"
+            echo
+            echo "Canary tenants rejected image \`staging-${{ steps.compute.outputs.sha }}\`."
+            echo ":latest stays pinned to the prior good digest — prod is untouched."
+            echo
+            echo "Fix forward and merge again, or investigate the specific failed"
+            echo "assertions in the canary-smoke step log above."
+          } >> "$GITHUB_STEP_SUMMARY"
+
+  promote-to-latest:
+    # On green, calls the CP redeploy-fleet endpoint with target_tag=
+    # staging-<sha> to promote the verified ECR image. This is the same
+    # mechanism as redeploy-tenants-on-main.yml — no GHCR crane ops.
+    #
+    # Pre-fix history: the old GHCR promote step used `crane tag` against
+    # ghcr.io/molecule-ai/platform-tenant, but publish-workspace-server-
+    # image.yml had already migrated to ECR on 2026-05-07 (commit
+    # 10e510f5). The GHCR tags were never updated, so this step was
+    # silently promoting a stale GHCR image while actual prod tenants
+    # pulled from ECR. Canary smoke tests were GHCR-targeted and could
+    # not catch a broken ECR build.
+    needs: canary-smoke
+    if: ${{ needs.canary-smoke.result == 'success' && needs.canary-smoke.outputs.smoke_ran == 'true' }}
+    runs-on: ubuntu-latest
+    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
+    continue-on-error: true
+    env:
+      SHA: ${{ needs.canary-smoke.outputs.sha }}
+      CP_URL: ${{ vars.CP_URL || 'https://staging-api.moleculesai.app' }}
+      # CP_ADMIN_API_TOKEN gates write access to the redeploy endpoint.
+      # Stored at the repo level so all workflows pick it up automatically.
+      CP_ADMIN_API_TOKEN: ${{ secrets.CP_ADMIN_API_TOKEN }}
+      # canary_slug pin: deploy the verified :staging-<sha> to the canary
+      # first (soak 120s), then fan out to the rest of the fleet.
+      CANARY_SLUG: ${{ vars.CANARY_PROMOTE_SLUG || '' }}
+      SOAK_SECONDS: ${{ vars.CANARY_PROMOTE_SOAK || '120' }}
+      BATCH_SIZE: ${{ vars.CANARY_PROMOTE_BATCH || '3' }}
+    steps:
+      - name: Check CP credentials
+        run: |
+          if [ -z "${CP_ADMIN_API_TOKEN:-}" ]; then
+            echo "::error::CP_ADMIN_API_TOKEN secret is not set — promote step cannot call redeploy-fleet."
+            echo "::error::Set it at: repo Settings → Actions → Variables and Secrets → New Secret."
+            exit 1
+          fi
+
+      - name: Promote verified ECR image to :latest
+        run: |
+          set -euo pipefail
+
+          TARGET_TAG="staging-${SHA}"
+          BODY=$(jq -nc \
+            --arg tag "$TARGET_TAG" \
+            --argjson soak "${SOAK_SECONDS:-120}" \
+            --argjson batch "${BATCH_SIZE:-3}" \
+            --argjson dry false \
+            '{
+              target_tag: $tag,
+              soak_seconds: $soak,
+              batch_size: $batch,
+              dry_run: $dry
+            }')
+
+          if [ -n "${CANARY_SLUG:-}" ]; then
+            BODY=$(jq '. * {canary_slug: $slug}' --arg slug "$CANARY_SLUG" <<<"$BODY")
+          fi
+
+          echo "Calling: POST $CP_URL/cp/admin/tenants/redeploy-fleet"
+          echo "  target_tag: $TARGET_TAG"
+          echo "  body: $BODY"
+
+          HTTP_RESPONSE=$(mktemp)
+          HTTP_CODE_FILE=$(mktemp)
+          set +e
+          curl -sS -o "$HTTP_RESPONSE" -w '%{http_code}' \
+            -m 1200 \
+            -H "Authorization: Bearer $CP_ADMIN_API_TOKEN" \
+            -H "Content-Type: application/json" \
+            -X POST "$CP_URL/cp/admin/tenants/redeploy-fleet" \
+            -d "$BODY" >"$HTTP_CODE_FILE"
+          CURL_EXIT=$?
+          set -e
+
+          HTTP_CODE=$(cat "$HTTP_CODE_FILE" 2>/dev/null || echo "000")
+          [ -z "$HTTP_CODE" ] && HTTP_CODE="000"
+
+          echo "HTTP $HTTP_CODE (curl exit $CURL_EXIT)"
+          cat "$HTTP_RESPONSE" | jq . || cat "$HTTP_RESPONSE"
+
+          if [ "$HTTP_CODE" -ge 400 ]; then
+            echo "::error::CP redeploy-fleet returned HTTP $HTTP_CODE — refusing to proceed."
+            exit 1
+          fi
+
+      - name: Summary
+        run: |
+          {
+            echo "## Canary verified — :latest promoted via CP redeploy-fleet"
+            echo ""
+            echo "- **Target tag:** \`staging-${{ needs.canary-smoke.outputs.sha }}\`"
+            echo "- **Registry:** ECR (\`${TENANT_IMAGE_NAME}\`)"
+            echo "- **Canary slug:** \`${CANARY_SLUG:-<none>}\` (soak ${SOAK_SECONDS}s)"
+            echo "- **Batch size:** ${BATCH_SIZE:-3}"
+            echo ""
+            echo "CP redeploy-fleet is rolling out the verified image across the prod fleet."
+            echo "The fleet's 5-minute health-check loop will pick up the update automatically."
+          } >> "$GITHUB_STEP_SUMMARY"

.gitea/workflows/ci.yml

@@ -0,0 +1,453 @@
+# Ported from .github/workflows/ci.yml on 2026-05-11 per RFC internal#219 §1.
+# continue-on-error: true on every job; follow-up PR will flip required after
+# surfaced bugs are fixed (per RFC §1 — "surface broken workflows without
+# blocking"). The four-surface migration audit
+# (feedback_gitea_actions_migration_audit_pattern) was performed against this
+# port:
+#
+#   1. YAML — dropped `merge_group` trigger (no Gitea merge queue); no
+#      `workflow_dispatch.inputs` to drop (Gitea 1.22.6 rejects those —
+#      feedback_gitea_workflow_dispatch_inputs_unsupported); no `environment:`
+#      blocks; kept `runs-on: ubuntu-latest` (Gitea runner pool advertises
+#      this label per agent_labels in action_runner table). Workflow-level
+#      env.GITHUB_SERVER_URL set as belt-and-suspenders against runner
+#      defaults (feedback_act_runner_github_server_url).
+#
+#   2. Cache — `actions/upload-artifact@v3.2.2` was already pinned to v3 for
+#      Gitea act_runner v0.6 compatibility (a comment in the original called
+#      this out). v4+ is incompatible with Gitea 1.22.x. No `actions/cache`
+#      usage to audit. `actions/setup-python@v6` `cache: pip` is left in
+#      place — works against Gitea's built-in cache server when runner.cache
+#      is configured (currently is, /opt/molecule/runners/config.yaml).
+#
+#   3. Token — workflow uses no custom dispatch tokens. The auto-injected
+#      `GITHUB_TOKEN` (which Gitea aliases to a runner-scoped token) is
+#      sufficient for `actions/checkout` against this same repo.
+#
+#   4. Docs — no docs/scripts reference github.com URLs that need swapping.
+#      The canvas-deploy-reminder step writes a `ghcr.io/...` image
+#      reference into the step summary text — that's documentation prose
+#      pointing at the ECR-mirrored canvas image and stays unchanged for
+#      this port (a separate cleanup if ghcr→ECR sweep is in scope).
+#
+# Cross-links:
+#   - RFC: internal#219 (CI/CD hard-gate hardening)
+#   - Reference port style: molecule-controlplane/.gitea/workflows/ci.yml
+#   - Bugs that may surface immediately and are tracked separately:
+#     internal#214 (Go-side vanity-import / go.sum drift, if any)
+#   - Phase 4 (this PR's follow-up): flip `continue-on-error: false` once
+#     surfaced defects are fixed, then add `all-required` aggregator
+#     sentinel (RFC §2) and PATCH branch protection (Phase 4 scope).
+
+name: CI
+
+on:
+  push:
+    branches: [main, staging]
+  pull_request:
+    branches: [main, staging]
+  # `merge_group` (GitHub merge-queue trigger) dropped — Gitea has no merge
+  # queue. The .github/ original retains it; this Gitea-side copy drops it.
+
+# Cancel in-progress CI runs when a new commit arrives on the same ref.
+# Stale runs queue up otherwise. PR refs and main/staging refs each get
+# their own group because github.ref differs.
+concurrency:
+  group: ci-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  # Belt-and-suspenders against the runner-default trap
+  # (feedback_act_runner_github_server_url). Runners are configured with
+  # this env via /opt/molecule/runners/config.yaml runner.envs, but pinning
+  # at the workflow level protects against a runner regenerated without
+  # the config file (feedback_act_runner_needs_config_file_env).
+  GITHUB_SERVER_URL: https://git.moleculesai.app
+
+jobs:
+  # Detect which paths changed so downstream jobs can skip when only
+  # docs/markdown files were modified.
+  changes:
+    name: Detect changes
+    runs-on: ubuntu-latest
+    # Phase 3 (RFC #219 §1): surface broken workflows without blocking
+    # the PR. Follow-up PR flips this off after the surfaced defects
+    # (if any) are triaged.
+    continue-on-error: true
+    outputs:
+      platform: ${{ steps.check.outputs.platform }}
+      canvas: ${{ steps.check.outputs.canvas }}
+      python: ${{ steps.check.outputs.python }}
+      scripts: ${{ steps.check.outputs.scripts }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+      - id: check
+        run: |
+          # For PR events: diff against the base branch (not HEAD~1 of the branch,
+          # which may be unrelated after force-pushes). When a push updates a PR,
+          # both pull_request and push events fire — prefer the PR base so that
+          # the diff is always computed against the actual merge base, not the
+          # previous SHA on the branch which may be on a different history line.
+          BASE="${GITHUB_BASE_REF:-${{ github.event.before }}}"
+          # GITHUB_BASE_REF is set for PR events (the base branch name).
+          # For pull_request events we use the stored base.sha; for push events
+          # (or when base.sha is unavailable) fall back to github.event.before.
+          if [ "${{ github.event_name }}" = "pull_request" ] && [ -n "${{ github.event.pull_request.base.sha }}" ]; then
+            BASE="${{ github.event.pull_request.base.sha }}"
+          fi
+          # Fallback: if BASE is empty or all zeros (new branch), run everything
+          if [ -z "$BASE" ] || echo "$BASE" | grep -qE '^0+$'; then
+            echo "platform=true" >> "$GITHUB_OUTPUT"
+            echo "canvas=true" >> "$GITHUB_OUTPUT"
+            echo "python=true" >> "$GITHUB_OUTPUT"
+            echo "scripts=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          # Both .github/workflows/ci.yml AND .gitea/workflows/ci.yml count
+          # as "this workflow changed" — either edit should force-run every
+          # downstream job. The Gitea port follows the same shape as the
+          # GitHub original so behavior matches when triggered on either
+          # platform.
+          DIFF=$(git diff --name-only "$BASE" HEAD 2>/dev/null || echo ".gitea/workflows/ci.yml")
+          echo "platform=$(echo "$DIFF" | grep -qE '^workspace-server/|^\.gitea/workflows/ci\.yml$|^\.github/workflows/ci\.yml$' && echo true || echo false)" >> "$GITHUB_OUTPUT"
+          echo "canvas=$(echo "$DIFF" | grep -qE '^canvas/|^\.gitea/workflows/ci\.yml$|^\.github/workflows/ci\.yml$' && echo true || echo false)" >> "$GITHUB_OUTPUT"
+          echo "python=$(echo "$DIFF" | grep -qE '^workspace/|^\.gitea/workflows/ci\.yml$|^\.github/workflows/ci\.yml$' && echo true || echo false)" >> "$GITHUB_OUTPUT"
+          echo "scripts=$(echo "$DIFF" | grep -qE '^tests/e2e/|^scripts/|^infra/scripts/|^\.gitea/workflows/ci\.yml$|^\.github/workflows/ci\.yml$' && echo true || echo false)" >> "$GITHUB_OUTPUT"
+
+  # Platform (Go) — Go build/vet/test/lint + coverage gates. The always-run
+  # + per-step gating shape preserves the GitHub-side required-check name
+  # contract (so when this Gitea port becomes a required check in Phase 4,
+  # the name match works on PRs that don't touch workspace-server/).
+  platform-build:
+    name: Platform (Go)
+    needs: changes
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    defaults:
+      run:
+        working-directory: workspace-server
+    steps:
+      - if: needs.changes.outputs.platform != 'true'
+        working-directory: .
+        run: echo "No platform/** changes — skipping real build steps; this job always runs to satisfy the required-check name on branch protection."
+      - if: needs.changes.outputs.platform == 'true'
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - if: needs.changes.outputs.platform == 'true'
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version: 'stable'
+      - if: needs.changes.outputs.platform == 'true'
+        run: go mod download
+      - if: needs.changes.outputs.platform == 'true'
+        run: go build ./cmd/server
+      # CLI (molecli) moved to standalone repo: git.moleculesai.app/molecule-ai/molecule-cli
+      - if: needs.changes.outputs.platform == 'true'
+        run: go vet ./... || true
+      - if: needs.changes.outputs.platform == 'true'
+        name: Run golangci-lint
+        run: golangci-lint run --timeout 3m ./... || true
+      - if: needs.changes.outputs.platform == 'true'
+        name: Run tests with race detection and coverage
+        run: go test -race -coverprofile=coverage.out ./...
+
+      - if: needs.changes.outputs.platform == 'true'
+        name: Per-file coverage report
+        # Advisory — lists every source file with its coverage so reviewers
+        # can see at-a-glance where gaps are. Sorted ascending so the worst
+        # offenders float to the top. Does NOT fail the build; the hard
+        # gate is the threshold check below. (#1823)
+        run: |
+          echo "=== Per-file coverage (worst first) ==="
+          go tool cover -func=coverage.out \
+            | grep -v '^total:' \
+            | awk '{file=$1; sub(/:[0-9][0-9.]*:.*/, "", file); pct=$NF; gsub(/%/,"",pct); s[file]+=pct; c[file]++}
+                   END {for (f in s) printf "%6.1f%%  %s\n", s[f]/c[f], f}' \
+            | sort -n
+
+      - if: needs.changes.outputs.platform == 'true'
+        name: Check coverage thresholds
+        # Enforces two gates from #1823 Layer 1:
+        #   1. Total floor (25% — ratchet plan in COVERAGE_FLOOR.md).
+        #   2. Per-file floor — non-test .go files in security-critical
+        #      paths with coverage <10% fail the build, UNLESS the file
+        #      path is listed in .coverage-allowlist.txt (acknowledged
+        #      historical debt with a tracking issue + expiry).
+        run: |
+          set -e
+          TOTAL_FLOOR=25
+          # Security-critical paths where a 0%-coverage file is a real risk.
+          CRITICAL_PATHS=(
+            "internal/handlers/tokens"
+            "internal/handlers/workspace_provision"
+            "internal/handlers/a2a_proxy"
+            "internal/handlers/registry"
+            "internal/handlers/secrets"
+            "internal/middleware/wsauth"
+            "internal/crypto"
+          )
+
+          TOTAL=$(go tool cover -func=coverage.out | grep '^total:' | awk '{print $3}' | sed 's/%//')
+          echo "Total coverage: ${TOTAL}%"
+          if awk "BEGIN{exit !($TOTAL < $TOTAL_FLOOR)}"; then
+            echo "::error::Total coverage ${TOTAL}% is below the ${TOTAL_FLOOR}% floor. See COVERAGE_FLOOR.md for ratchet plan."
+            exit 1
+          fi
+
+          # Aggregate per-file coverage → /tmp/perfile.txt: "<fullpath> <pct>"
+          go tool cover -func=coverage.out \
+            | grep -v '^total:' \
+            | awk '{file=$1; sub(/:[0-9][0-9.]*:.*/, "", file); pct=$NF; gsub(/%/,"",pct); s[file]+=pct; c[file]++}
+                   END {for (f in s) printf "%s %.1f\n", f, s[f]/c[f]}' \
+            > /tmp/perfile.txt
+
+          # Build allowlist — paths relative to workspace-server, one per line.
+          # Lines starting with # are comments.
+          ALLOWLIST=""
+          if [ -f ../.coverage-allowlist.txt ]; then
+            ALLOWLIST=$(grep -vE '^(#|[[:space:]]*$)' ../.coverage-allowlist.txt || true)
+          fi
+
+          FAILED=0
+          WARNED=0
+          for path in "${CRITICAL_PATHS[@]}"; do
+            while read -r file pct; do
+              [[ "$file" == *_test.go ]] && continue
+              [[ "$file" == *"$path"* ]] || continue
+              awk "BEGIN{exit !($pct < 10)}" || continue
+
+              # Strip the package-import prefix so we can match .coverage-allowlist.txt
+              # entries written as paths relative to workspace-server/.
+              # Handle both module paths: platform/workspace-server/... and platform/...
+              rel=$(echo "$file" | sed 's|^github.com/molecule-ai/molecule-monorepo/platform/workspace-server/||; s|^github.com/molecule-ai/molecule-monorepo/platform/||')
+
+              if echo "$ALLOWLIST" | grep -qxF "$rel"; then
+                echo "::warning file=workspace-server/$rel::Critical file at ${pct}% coverage (allowlisted, #1823) — fix before expiry."
+                WARNED=$((WARNED+1))
+              else
+                echo "::error file=workspace-server/$rel::Critical file at ${pct}% coverage — must be >=10% (target 80%). See #1823. To acknowledge as known debt, add this path to .coverage-allowlist.txt."
+                FAILED=$((FAILED+1))
+              fi
+            done < /tmp/perfile.txt
+          done
+
+          echo ""
+          echo "Critical-path check: $FAILED new failures, $WARNED allowlisted warnings."
+
+          if [ "$FAILED" -gt 0 ]; then
+            echo ""
+            echo "$FAILED security-critical file(s) have <10% test coverage and are"
+            echo "NOT in the allowlist. These paths handle auth, tokens, secrets, or"
+            echo "workspace provisioning — a 0% file here is the exact gap that let"
+            echo "CWE-22, CWE-78, KI-005 slip through in past incidents. Either:"
+            echo "  (a) add tests to raise coverage above 10%, or"
+            echo "  (b) add the path to .coverage-allowlist.txt with an expiry date"
+            echo "      and a tracking issue reference."
+            exit 1
+          fi
+
+  # Canvas (Next.js) — required check, always runs. Same always-run +
+  # per-step gating shape as platform-build. The two-job-sharing-name
+  # pattern attempted in PR #2321 doesn't satisfy branch protection
+  # (SKIPPED siblings count as not-passed regardless of SUCCESS
+  # siblings — verified empirically on PR #2314).
+  canvas-build:
+    name: Canvas (Next.js)
+    needs: changes
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    defaults:
+      run:
+        working-directory: canvas
+    steps:
+      - if: needs.changes.outputs.canvas != 'true'
+        working-directory: .
+        run: echo "No canvas/** changes — skipping real build steps; this job always runs to satisfy the required-check name on branch protection."
+      - if: needs.changes.outputs.canvas == 'true'
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - if: needs.changes.outputs.canvas == 'true'
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: '22'
+      - if: needs.changes.outputs.canvas == 'true'
+        run: rm -f package-lock.json && npm install
+      - if: needs.changes.outputs.canvas == 'true'
+        run: npm run build
+      - if: needs.changes.outputs.canvas == 'true'
+        name: Run tests with coverage
+        # Coverage instrumentation is configured in canvas/vitest.config.ts
+        # (provider: v8, reporters: text + html + json-summary). Step 2 of
+        # #1815 — wires coverage into CI so we get a baseline visible on
+        # every PR. No threshold gate yet; thresholds dial in (Step 3, also
+        # tracked in #1815) after the team sees what current coverage is.
+        run: npx vitest run --coverage
+      - name: Upload coverage summary as artifact
+        if: needs.changes.outputs.canvas == 'true' && always()
+        # Pinned to v3 for Gitea act_runner v0.6 compatibility — v4+ uses
+        # the GHES 3.10+ artifact protocol that Gitea 1.22.x does NOT
+        # implement, surfacing as `GHESNotSupportedError: @actions/artifact
+        # v2.0.0+, upload-artifact@v4+ and download-artifact@v4+ are not
+        # currently supported on GHES`. Drop this pin when Gitea ships
+        # the v4 protocol (tracked: post-Gitea-1.23 followup).
+        uses: actions/upload-artifact@c6a366c94c3e0affe28c06c8df20a878f24da3cf # v3.2.2
+        with:
+          name: canvas-coverage-${{ github.run_id }}
+          path: canvas/coverage/
+          retention-days: 7
+          if-no-files-found: warn
+
+  # Shellcheck (E2E scripts) — required check, always runs.
+  shellcheck:
+    name: Shellcheck (E2E scripts)
+    needs: changes
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - if: needs.changes.outputs.scripts != 'true'
+        run: echo "No tests/e2e/ or infra/scripts/ changes — skipping real shellcheck; this job always runs to satisfy the required-check name on branch protection."
+      - if: needs.changes.outputs.scripts == 'true'
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - if: needs.changes.outputs.scripts == 'true'
+        name: Run shellcheck on tests/e2e/*.sh and infra/scripts/*.sh
+        # shellcheck is pre-installed on ubuntu-latest runners (via apt).
+        # infra/scripts/ is included because setup.sh + nuke.sh gate the
+        # README quickstart — a shellcheck regression there silently breaks
+        # new-user onboarding. scripts/ is intentionally excluded until its
+        # pre-existing SC3040/SC3043 warnings are cleaned up.
+        run: |
+          find tests/e2e infra/scripts -type f -name '*.sh' -print0 \
+            | xargs -0 shellcheck --severity=warning
+
+      - if: needs.changes.outputs.scripts == 'true'
+        name: Lint cleanup-trap hygiene (RFC #2873)
+        run: bash tests/e2e/lint_cleanup_traps.sh
+
+      - if: needs.changes.outputs.scripts == 'true'
+        name: Run E2E bash unit tests (no live infra)
+        run: |
+          bash tests/e2e/test_model_slug.sh
+
+  canvas-deploy-reminder:
+    name: Canvas Deploy Reminder
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    needs: [changes, canvas-build]
+    # Only fires on direct pushes to main (i.e. after staging→main promotion).
+    if: needs.changes.outputs.canvas == 'true' && github.event_name == 'push' && github.ref == 'refs/heads/main'
+    steps:
+      - name: Write deploy reminder to step summary
+        env:
+          COMMIT_SHA: ${{ github.sha }}
+          # github.server_url resolves via the workflow-level env override
+          # to the Gitea instance, so the RUN_URL points at the Gitea run
+          # page (not github.com). See feedback_act_runner_github_server_url.
+          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+        run: |
+          # Write body to a temp file — avoids backtick escaping in shell.
+          cat > /tmp/deploy-reminder.md << 'BODY'
+          ## Canvas build passed — deploy required
+
+          The `publish-canvas-image` workflow is now building a fresh Docker image
+          (`ghcr.io/molecule-ai/canvas:latest`) in the background.
+
+          Once it completes (~3–5 min), apply on the host machine with:
+          ```bash
+          cd <runner-workspace>
+          git pull origin main
+          docker compose pull canvas && docker compose up -d canvas
+          ```
+
+          If you need to rebuild from local source instead (e.g. testing unreleased
+          changes or a new `NEXT_PUBLIC_*` URL), use:
+          ```bash
+          docker compose build canvas && docker compose up -d canvas
+          ```
+          BODY
+          printf '\n> Posted automatically by CI · commit `%s` · [build log](%s)\n' \
+            "$COMMIT_SHA" "$RUN_URL" >> /tmp/deploy-reminder.md
+
+          # Gitea has no commit-comments API; write to GITHUB_STEP_SUMMARY,
+          # which both GitHub Actions and Gitea Actions render as the
+          # workflow run's summary page. (#75 / PR-D)
+          cat /tmp/deploy-reminder.md >> "$GITHUB_STEP_SUMMARY"
+
+  # Python Lint & Test — required check, always runs.
+  python-lint:
+    name: Python Lint & Test
+    needs: changes
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    env:
+      WORKSPACE_ID: test
+    defaults:
+      run:
+        working-directory: workspace
+    steps:
+      - if: needs.changes.outputs.python != 'true'
+        working-directory: .
+        run: echo "No workspace/** changes — skipping real lint+test; this job always runs to satisfy the required-check name on branch protection."
+      - if: needs.changes.outputs.python == 'true'
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - if: needs.changes.outputs.python == 'true'
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: '3.11'
+          cache: pip
+          cache-dependency-path: workspace/requirements.txt
+      - if: needs.changes.outputs.python == 'true'
+        run: pip install -r requirements.txt pytest pytest-asyncio pytest-cov sqlalchemy>=2.0.0
+      # Coverage flags + fail-under floor moved into workspace/pytest.ini
+      # (issue #1817) so local `pytest` and CI use identical config.
+      - if: needs.changes.outputs.python == 'true'
+        run: python -m pytest --tb=short
+
+      - if: needs.changes.outputs.python == 'true'
+        name: Per-file critical-path coverage (MCP / inbox / auth)
+        # MCP-critical Python files have a per-file floor on top of the
+        # 86% total floor in pytest.ini. See issue #2790 for full rationale.
+        run: |
+          set -e
+          PER_FILE_FLOOR=75
+          CRITICAL_FILES=(
+            "a2a_mcp_server.py"
+            "mcp_cli.py"
+            "a2a_tools.py"
+            "a2a_tools_inbox.py"
+            "inbox.py"
+            "platform_auth.py"
+          )
+
+          # pytest already wrote .coverage; emit a JSON view scoped to
+          # the critical files so jq/python can read the per-file pct
+          # without parsing tabular text.
+          INCLUDES=$(printf '*%s,' "${CRITICAL_FILES[@]}")
+          INCLUDES="${INCLUDES%,}"
+          python -m coverage json -o /tmp/critical-cov.json --include="$INCLUDES"
+
+          FAILED=0
+          for f in "${CRITICAL_FILES[@]}"; do
+            pct=$(jq -r --arg f "$f" '.files | to_entries | map(select(.key == $f)) | .[0].value.summary.percent_covered // "MISSING"' /tmp/critical-cov.json)
+            if [ "$pct" = "MISSING" ]; then
+              echo "::error file=workspace/$f::No coverage data — file may have moved or test exclusion mis-set."
+              FAILED=$((FAILED+1))
+              continue
+            fi
+            echo "$f: ${pct}%"
+            if awk "BEGIN{exit !($pct < $PER_FILE_FLOOR)}"; then
+              echo "::error file=workspace/$f::${pct}% < ${PER_FILE_FLOOR}% per-file floor (MCP critical path). See COVERAGE_FLOOR.md."
+              FAILED=$((FAILED+1))
+            fi
+          done
+
+          if [ "$FAILED" -gt 0 ]; then
+            echo ""
+            echo "$FAILED MCP critical-path file(s) below the ${PER_FILE_FLOOR}% per-file floor."
+            echo "These paths handle multi-tenant routing, auth tokens, and inbox dispatch."
+            echo "A coverage drop here is the same risk shape as Go-side tokens/secrets files"
+            echo "dropping below 10% (see COVERAGE_FLOOR.md). Either:"
+            echo "  (a) add tests to raise coverage back above ${PER_FILE_FLOOR}%, or"
+            echo "  (b) if this is unavoidable historical debt, file an issue and propose"
+            echo "      adjusting the floor with rationale in COVERAGE_FLOOR.md."
+            exit 1
+          fi

.gitea/workflows/continuous-synth-e2e.yml

@@ -0,0 +1,255 @@
+name: Continuous synthetic E2E (staging)
+
+# Ported from .github/workflows/continuous-synth-e2e.yml on 2026-05-11 per RFC
+# internal#219 §1 sweep. Differences from the GitHub version:
+#   - Dropped `workflow_dispatch.inputs` (Gitea 1.22.6 parser rejects them
+#     per feedback_gitea_workflow_dispatch_inputs_unsupported).
+#   - Dropped `merge_group:` (no Gitea merge queue).
+#   - Dropped `environment:` blocks (Gitea has no environments).
+#   - Workflow-level env.GITHUB_SERVER_URL pinned per
+#     feedback_act_runner_github_server_url.
+#   - `continue-on-error: true` on each job (RFC §1 contract).
+#
+
+# Hard gate (#2342): cron-driven full-lifecycle E2E that catches
+# regressions visible only at runtime — schema drift, deployment-pipeline
+# gaps, vendor outages, env-var rotations, DNS / CF / Railway side-effects.
+#
+# Why this gate exists:
+#   PR-time CI catches code-level regressions but not deployment-time or
+#   integration-time ones. Today's empirical data:
+#     • #2345 (A2A v0.2 silent drop) — passed all unit tests, broke at
+#       JSON-RPC parse layer between sender and receiver. Visible only
+#       to a sender exercising the full path.
+#     • RFC #2312 chat upload — landed on staging-branch but never
+#       reached staging tenants because publish-workspace-server-image
+#       was main-only. Caught by manual dogfooding hours after deploy.
+#   Both would have surfaced within 15-20 min of regression if a
+#   continuous synth-E2E was running.
+#
+# Cadence: every 20 min (3x/hour). The script is conservatively
+# bounded at 10 min wall-clock; even on degraded staging it should
+# finish before the next firing. cron-overlap is guarded by the
+# concurrency group below.
+#
+# Cost: ~3 runs/hour × 5-10 min × $0.008/min GHA = ~$0.50-$1/day.
+# Plus a fresh tenant provisioned + torn down each run (Railway +
+# AWS pennies). Negligible.
+#
+# Failure handling: when the run fails, the workflow exits non-zero
+# and GitHub's standard email/notification path fires. Operators
+# can subscribe to this workflow's failure channel for paging-grade
+# alerting.
+
+on:
+  schedule:
+    # Every 10 minutes, on :02 :12 :22 :32 :42 :52. Three constraints:
+    #   1. Stay off the top-of-hour. GitHub Actions scheduler drops
+    #      :00 firings under high load (own docs:
+    #      https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule).
+    #      Prior history: cron was '0,20,40' (2026-05-02) — only :00
+    #      ever survived. Bumped to '10,30,50' (2026-05-03) on the
+    #      theory that further-from-:00 wins. Empirically 2026-05-04
+    #      that ALSO dropped to ~60 min effective cadence (only ~1
+    #      schedule fire per hour — see molecule-core#2726). Detection
+    #      latency was claimed 20 min, actual 60 min.
+    #   2. Avoid colliding with the existing :15 sweep-cf-orphans
+    #      and :45 sweep-cf-tunnels — both hit the CF API and we
+    #      don't want to fight for rate-limit tokens.
+    #   3. Avoid the :30 heavy slot (canary-staging /30, sweep-aws-
+    #      secrets, sweep-stale-e2e-orgs every :15) — multiple
+    #      overlapping cron registrations on the same minute is part
+    #      of what GH drops under load.
+    # Solution: bump fires-per-hour 3 → 6 AND keep all slots in clean
+    # lanes (1-3 min away from any other cron). Even with empirically-
+    # observed ~67% GH drop ratio, 6 attempts/hour yields ~2 effective
+    # fires = ~30 min cadence; closer to the 20-min target than the
+    # current shape and provides a real degradation alarm if drops
+    # get worse.
+    - cron: '2,12,22,32,42,52 * * * *'
+permissions:
+  contents: read
+  # No issue-write here — failures surface as red runs in the workflow
+  # history. If you want auto-issue-on-fail, add a follow-up step that
+  # uses gh issue create gated on `if: failure()`. Keeping the surface
+  # minimal until that's actually wanted.
+
+# Serialize so two firings can never overlap. Cron firing every 20 min
+# but scripts conservatively bounded at 10 min — overlap shouldn't
+# happen in steady state, but if a run hangs we don't want N more
+# stacking up.
+concurrency:
+  group: continuous-synth-e2e
+  cancel-in-progress: false
+
+env:
+  GITHUB_SERVER_URL: https://git.moleculesai.app
+
+jobs:
+  synth:
+    name: Synthetic E2E against staging
+    runs-on: ubuntu-latest
+    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
+    continue-on-error: true
+    # Bumped from 12 → 20 (2026-05-04). Tenant user-data install phase
+    # (apt-get update + install docker.io/jq/awscli/caddy + snap install
+    # ssm-agent) runs from raw Ubuntu on every boot — none of it is
+    # pre-baked into the tenant AMI. Empirical fetch_secrets/ok timing
+    # across today's canaries: 51s → 82s → 143s → 625s. apt-mirror tail
+    # latency drives the boot-to-fetch_secrets phase from ~1min to >10min.
+    # A 12min budget leaves only ~2min for the workspace (which needs
+    # ~3.5min for claude-code cold boot) on slow-apt days, blowing the
+    # budget. 20min absorbs the worst tenant tail so the workspace probe
+    # gets the full ~7min it needs even on a slow apt day. Real fix:
+    # pre-bake caddy + ssm-agent into the tenant AMI (controlplane#TBD).
+    timeout-minutes: 20
+    env:
+      # claude-code default: cold-start ~5 min (comparable to langgraph),
+      # but uses MiniMax-M2.7-highspeed via the template's third-party-
+      # Anthropic-compat path (workspace-configs-templates/claude-code-
+      # default/config.yaml:64-69). MiniMax is ~5-10x cheaper than
+      # gpt-4.1-mini per token AND avoids the recurring OpenAI quota-
+      # exhaustion class that took the canary down 2026-05-03 (#265).
+      # Operators can pick langgraph / hermes via workflow_dispatch
+      # when they specifically need to exercise the OpenAI or SDK-
+      # native paths.
+      E2E_RUNTIME: ${{ github.event.inputs.runtime || 'claude-code' }}
+      # Pin the canary to a specific MiniMax model rather than relying
+      # on the per-runtime default ("sonnet" → routes to direct
+      # Anthropic, defeats the cost saving). Operators can override
+      # via workflow_dispatch by setting a different E2E_MODEL_SLUG
+      # input if they need to exercise a specific model. M2.7-highspeed
+      # is "Token Plan only" but cheap-per-token and fast.
+      E2E_MODEL_SLUG: ${{ github.event.inputs.model_slug || 'MiniMax-M2.7-highspeed' }}
+      # Bound to 10 min so a stuck provision fails the run instead of
+      # holding up the next cron firing. 15-min default in the script
+      # is for the on-PR full lifecycle where we have more headroom.
+      E2E_PROVISION_TIMEOUT_SECS: '600'
+      # Slug suffix — namespaced "synth-" so these runs are
+      # distinguishable from PR-driven runs in CP admin.
+      E2E_RUN_ID: synth-${{ github.run_id }}
+      # Forced false for cron; respected for manual dispatch
+      E2E_KEEP_ORG: ${{ github.event.inputs.keep_org == 'true' && '1' || '' }}
+      MOLECULE_CP_URL: ${{ vars.STAGING_CP_URL || 'https://staging-api.moleculesai.app' }}
+      MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
+      # MiniMax key is the canary's PRIMARY auth path. claude-code
+      # template's `minimax` provider routes ANTHROPIC_BASE_URL to
+      # api.minimax.io/anthropic and reads MINIMAX_API_KEY at boot.
+      # tests/e2e/test_staging_full_saas.sh branches SECRETS_JSON on
+      # which key is present — MiniMax wins when set.
+      E2E_MINIMAX_API_KEY: ${{ secrets.MOLECULE_STAGING_MINIMAX_API_KEY }}
+      # Direct-Anthropic alternative for operators who don't want to
+      # set up a MiniMax account (priority below MiniMax — first
+      # non-empty wins in test_staging_full_saas.sh's secrets-injection
+      # block). See #2578 PR comment for the rationale.
+      E2E_ANTHROPIC_API_KEY: ${{ secrets.MOLECULE_STAGING_ANTHROPIC_API_KEY }}
+      # OpenAI fallback — kept wired so operators can dispatch with
+      # E2E_RUNTIME=langgraph or =hermes and still have a working
+      # canary path. The script picks the right blob shape based on
+      # which key is non-empty.
+      E2E_OPENAI_API_KEY: ${{ secrets.MOLECULE_STAGING_OPENAI_KEY }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Verify required secrets present
+        run: |
+          # Hard-fail on missing secret REGARDLESS of trigger. Previously
+          # this step soft-skipped on workflow_dispatch via `exit 0`, but
+          # `exit 0` only ends the STEP — subsequent steps still ran with
+          # the empty secret, the synth script fell through to the wrong
+          # SECRETS_JSON branch, and the canary failed 5 min later with a
+          # confusing "Agent error (Exception)" instead of the clean
+          # "secret missing" message at the top. Caught 2026-05-04 by
+          # dispatched run 25296530706: claude-code + missing MINIMAX
+          # silently used OpenAI keys but kept model=MiniMax-M2.7, then
+          # the workspace 401'd against MiniMax once it tried to call.
+          # Fix: exit 1 in both cron and dispatch paths. Operators who
+          # want to verify a YAML change without setting up the secret
+          # can read the verify-secrets step's stderr — the failure is
+          # itself the verification signal.
+          if [ -z "${MOLECULE_ADMIN_TOKEN:-}" ]; then
+            echo "::error::CP_STAGING_ADMIN_API_TOKEN secret missing — synth E2E cannot run"
+            echo "::error::Set it at Settings → Secrets and Variables → Actions; pull from staging-CP's CP_ADMIN_API_TOKEN env in Railway."
+            exit 1
+          fi
+
+          # LLM-key requirement is per-runtime: claude-code accepts
+          # EITHER MiniMax OR direct-Anthropic (whichever is set first),
+          # langgraph + hermes use OpenAI (MOLECULE_STAGING_OPENAI_KEY).
+          case "${E2E_RUNTIME}" in
+            claude-code)
+              if [ -n "${E2E_MINIMAX_API_KEY:-}" ]; then
+                required_secret_name="MOLECULE_STAGING_MINIMAX_API_KEY"
+                required_secret_value="${E2E_MINIMAX_API_KEY}"
+              elif [ -n "${E2E_ANTHROPIC_API_KEY:-}" ]; then
+                required_secret_name="MOLECULE_STAGING_ANTHROPIC_API_KEY"
+                required_secret_value="${E2E_ANTHROPIC_API_KEY}"
+              else
+                required_secret_name="MOLECULE_STAGING_MINIMAX_API_KEY or MOLECULE_STAGING_ANTHROPIC_API_KEY"
+                required_secret_value=""
+              fi
+              ;;
+            langgraph|hermes)
+              required_secret_name="MOLECULE_STAGING_OPENAI_KEY"
+              required_secret_value="${E2E_OPENAI_API_KEY:-}"
+              ;;
+            *)
+              echo "::warning::Unknown E2E_RUNTIME='${E2E_RUNTIME}' — skipping LLM-key check"
+              required_secret_name=""
+              required_secret_value="present"
+              ;;
+          esac
+          if [ -n "$required_secret_name" ] && [ -z "$required_secret_value" ]; then
+            echo "::error::${required_secret_name} secret missing — runtime=${E2E_RUNTIME} cannot authenticate against its LLM provider"
+            echo "::error::Set it at Settings → Secrets and Variables → Actions, OR dispatch with a different runtime"
+            exit 1
+          fi
+
+      - name: Install required tools
+        run: |
+          # The script depends on jq + curl (already on ubuntu-latest)
+          # and python3 (likewise). Verify they're all present so we
+          # fail fast on a runner image regression rather than mid-script.
+          for cmd in jq curl python3; do
+            command -v "$cmd" >/dev/null 2>&1 || {
+              echo "::error::required tool '$cmd' not on PATH — runner image regression?"
+              exit 1
+            }
+          done
+
+      - name: Run synthetic E2E
+        # The script handles its own teardown via EXIT trap; even on
+        # failure (timeout, assertion), the org is deprovisioned and
+        # leaks are reported. Exit code propagates from the script.
+        run: |
+          bash tests/e2e/test_staging_full_saas.sh
+
+      - name: Failure summary
+        # Runs only on failure. Adds a job summary so the workflow run
+        # page shows a quick "what happened" instead of forcing readers
+        # to scroll through script output.
+        if: failure()
+        run: |
+          {
+            echo "## Continuous synth E2E failed"
+            echo ""
+            echo "**Run ID:** ${{ github.run_id }}"
+            echo "**Trigger:** ${{ github.event_name }}"
+            echo "**Runtime:** ${E2E_RUNTIME}"
+            echo "**Slug:** synth-${{ github.run_id }}"
+            echo ""
+            echo "### What this means"
+            echo ""
+            echo "Staging just regressed on a path that previously worked. Likely classes:"
+            echo "- Schema mismatch between sender and receiver (#2345 class)"
+            echo "- Deployment-pipeline gap (RFC #2312 / staging-tenant-image-stale class)"
+            echo "- Vendor outage (Cloudflare, Railway, AWS, GHCR)"
+            echo "- Staging-CP env var rotation"
+            echo ""
+            echo "### Next steps"
+            echo ""
+            echo "1. Check the script output above for the assertion that failed"
+            echo "2. If it's a vendor outage, no action needed — next firing in ~20 min"
+            echo "3. If it's a code regression, find the causing PR via \`git log\` against last green run and revert/fix"
+            echo "4. Keep an eye on the next 1-2 firings — flake vs persistent fail differs in priority"
+          } >> "$GITHUB_STEP_SUMMARY"

.gitea/workflows/e2e-api.yml

@@ -0,0 +1,333 @@
+name: E2E API Smoke Test
+
+# Ported from .github/workflows/e2e-api.yml on 2026-05-11 per RFC
+# internal#219 §1 sweep. Differences from the GitHub version:
+#   - Dropped `workflow_dispatch.inputs` (Gitea 1.22.6 parser rejects them
+#     per feedback_gitea_workflow_dispatch_inputs_unsupported).
+#   - Dropped `merge_group:` (no Gitea merge queue).
+#   - Dropped `environment:` blocks (Gitea has no environments).
+#   - Workflow-level env.GITHUB_SERVER_URL pinned per
+#     feedback_act_runner_github_server_url.
+#   - `continue-on-error: true` on each job (RFC §1 contract).
+#
+# Extracted from ci.yml so workflow-level concurrency can protect this job
+# from run-level cancellation (issue #458).
+#
+# Trigger model (revised 2026-04-29):
+#
+# Always FIRES on push/pull_request to staging+main. Real work is gated
+# per-step on `needs.detect-changes.outputs.api` — when paths under
+# `workspace-server/`, `tests/e2e/`, or this workflow file haven't
+# changed, the no-op step alone runs and emits SUCCESS for the
+# `E2E API Smoke Test` check, satisfying branch protection without
+# spending CI cycles. See the in-job comment on the `e2e-api` job for
+# why this is one job (not two-jobs-sharing-name) and the 2026-04-29
+# PR #2264 incident that drove the consolidation.
+#
+# Parallel-safety (Class B Hongming-owned CICD red sweep, 2026-05-08)
+# -------------------------------------------------------------------
+# Same substrate hazard as PR #98 (handlers-postgres-integration). Our
+# Gitea act_runner runs with `container.network: host` (operator host
+# `/opt/molecule/runners/config.yaml`), which means:
+#
+#   * Two concurrent runs both try to bind their `-p 15432:5432` /
+#     `-p 16379:6379` host ports — the second postgres/redis FATALs
+#     with `Address in use` and `docker run` returns exit 125 with
+#     `Conflict. The container name "/molecule-ci-postgres" is already
+#     in use by container ...`. Verified in run a7/2727 on 2026-05-07.
+#   * The fixed container names `molecule-ci-postgres` / `-redis` (the
+#     pre-fix shape) collide on name AS WELL AS port. The cleanup-with-
+#     `docker rm -f` at the start of the second job KILLS the first
+#     job's still-running postgres/redis.
+#
+# Fix shape (mirrors PR #98's bridge-net pattern, adapted because
+# platform-server is a Go binary on the host, not a containerised
+# step):
+#
+#   1. Unique container names per run:
+#         pg-e2e-api-${RUN_ID}-${RUN_ATTEMPT}
+#         redis-e2e-api-${RUN_ID}-${RUN_ATTEMPT}
+#      `${RUN_ID}-${RUN_ATTEMPT}` is unique even across reruns of the
+#      same run_id.
+#   2. Ephemeral host port per run (`-p 0:5432`), then read the actual
+#      bound port via `docker port` and export DATABASE_URL/REDIS_URL
+#      pointing at it. No fixed host-port → no port collision.
+#   3. `127.0.0.1` (NOT `localhost`) in URLs — IPv6 first-resolve was
+#      the original flake fixed in #92 and the script's still IPv6-
+#      enabled.
+#   4. `if: always()` cleanup so containers don't leak when test steps
+#      fail.
+#
+# Issue #94 items #2 + #3 (also fixed here):
+#   * Pre-pull `alpine:latest` so the platform-server's provisioner
+#     (`internal/handlers/container_files.go`) can stand up its
+#     ephemeral token-write helper without a daemon.io round-trip.
+#   * Create `molecule-core-net` bridge network if missing so the
+#     provisioner's container.HostConfig {NetworkMode: ...} attach
+#     succeeds.
+# Item #1 (timeouts) — evidence on recent runs (77/3191, ae/4270, 0e/
+# 2318) shows Postgres ready in 3s, Redis in 1s, Platform in 1s when
+# they DO come up. Timeouts are not the bottleneck; not bumped.
+#
+# Item explicitly NOT fixed here: failing test `Status back online`
+# fails because the platform's langgraph workspace template image
+# (ghcr.io/molecule-ai/workspace-template-langgraph:latest) returns
+# 403 Forbidden post-2026-05-06 GitHub org suspension. That is a
+# template-registry resolution issue (ADR-002 / local-build mode) and
+# belongs in a separate change that touches workspace-server, not
+# this workflow file.
+
+on:
+  push:
+    branches: [main, staging]
+  pull_request:
+    branches: [main, staging]
+concurrency:
+  # Per-SHA grouping (changed 2026-04-28 from per-ref). Per-ref had the
+  # same auto-promote-staging brittleness as e2e-staging-canvas — back-
+  # to-back staging pushes share refs/heads/staging, so the older push's
+  # queued run gets cancelled when a newer push lands. Auto-promote-
+  # staging then sees `completed/cancelled` for the older SHA and stays
+  # put; the newer SHA's gates may eventually save the day, but if the
+  # newer push gets cancelled too, we deadlock.
+  #
+  # See e2e-staging-canvas.yml's identical concurrency block for the full
+  # rationale and the 2026-04-28 incident reference.
+  group: e2e-api-${{ github.event.pull_request.head.sha || github.sha }}
+  cancel-in-progress: false
+
+env:
+  GITHUB_SERVER_URL: https://git.moleculesai.app
+
+jobs:
+  detect-changes:
+    runs-on: ubuntu-latest
+    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
+    continue-on-error: true
+    outputs:
+      api: ${{ steps.decide.outputs.api }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+      - id: decide
+        # Inline replacement for dorny/paths-filter — same pattern PR#372's
+        # ci.yml port used. Diffs against the PR base or push BEFORE SHA,
+        # then matches against the api-relevant path set.
+        run: |
+          BASE="${GITHUB_BASE_REF:-${{ github.event.before }}}"
+          if [ "${{ github.event_name }}" = "pull_request" ] && [ -n "${{ github.event.pull_request.base.sha }}" ]; then
+            BASE="${{ github.event.pull_request.base.sha }}"
+          fi
+          if [ -z "$BASE" ] || echo "$BASE" | grep -qE '^0+$'; then
+            echo "api=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          if ! git cat-file -e "$BASE" 2>/dev/null; then
+            git fetch --depth=1 origin "$BASE" 2>/dev/null || true
+          fi
+          if ! git cat-file -e "$BASE" 2>/dev/null; then
+            echo "api=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          CHANGED=$(git diff --name-only "$BASE" HEAD)
+          if echo "$CHANGED" | grep -qE '^(workspace-server/|tests/e2e/|\.gitea/workflows/e2e-api\.yml$)'; then
+            echo "api=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "api=false" >> "$GITHUB_OUTPUT"
+          fi
+
+  # ONE job (no job-level `if:`) that always runs and reports under the
+  # required-check name `E2E API Smoke Test`. Real work is gated per-step
+  # on `needs.detect-changes.outputs.api`. Reason: GitHub registers a
+  # check run for every job that matches `name:`, and a job-level
+  # `if: false` produces a SKIPPED check run. Branch protection treats
+  # all check runs with a matching context name on the latest commit as a
+  # SET — any SKIPPED in the set fails the required-check eval, even with
+  # SUCCESS siblings. Verified 2026-04-29 on PR #2264 (staging→main):
+  # 4 check runs (2 SKIPPED + 2 SUCCESS) at the head SHA blocked
+  # promotion despite all real work succeeding. Collapsing to a single
+  # always-running job with conditional steps emits exactly one SUCCESS
+  # check run regardless of paths filter — branch-protection-clean.
+  e2e-api:
+    needs: detect-changes
+    name: E2E API Smoke Test
+    runs-on: ubuntu-latest
+    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
+    continue-on-error: true
+    timeout-minutes: 15
+    env:
+      # Unique per-run container names so concurrent runs on the host-
+      # network act_runner don't collide on name OR port.
+      # `${RUN_ID}-${RUN_ATTEMPT}` stays unique across reruns of the
+      # same run_id. PORT is set later (after docker port lookup) since
+      # we let Docker assign an ephemeral host port.
+      PG_CONTAINER: pg-e2e-api-${{ github.run_id }}-${{ github.run_attempt }}
+      REDIS_CONTAINER: redis-e2e-api-${{ github.run_id }}-${{ github.run_attempt }}
+      PORT: "8080"
+    steps:
+      - name: No-op pass (paths filter excluded this commit)
+        if: needs.detect-changes.outputs.api != 'true'
+        run: |
+          echo "No workspace-server / tests/e2e / workflow changes — E2E API gate satisfied without running tests."
+          echo "::notice::E2E API Smoke Test no-op pass (paths filter excluded this commit)."
+      - if: needs.detect-changes.outputs.api == 'true'
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - if: needs.detect-changes.outputs.api == 'true'
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version: 'stable'
+          cache: true
+          cache-dependency-path: workspace-server/go.sum
+      - name: Pre-pull alpine + ensure provisioner network (Issue #94 items #2 + #3)
+        if: needs.detect-changes.outputs.api == 'true'
+        run: |
+          # Provisioner uses alpine:latest for ephemeral token-write
+          # containers (workspace-server/internal/handlers/container_files.go).
+          # Pre-pull so the first provision in test_api.sh doesn't race
+          # the daemon's pull cache. Idempotent — `docker pull` is a no-op
+          # when the image is already present.
+          docker pull alpine:latest >/dev/null
+          # Provisioner attaches workspace containers to
+          # molecule-core-net (workspace-server/internal/provisioner/
+          # provisioner.go::DefaultNetwork). The bridge already exists on
+          # the operator host's docker daemon — `network create` is
+          # idempotent via `|| true`.
+          docker network create molecule-core-net >/dev/null 2>&1 || true
+          echo "alpine:latest pre-pulled; molecule-core-net ensured."
+      - name: Start Postgres (docker)
+        if: needs.detect-changes.outputs.api == 'true'
+        run: |
+          # Defensive cleanup — only matches THIS run's container name,
+          # so it cannot kill a sibling run's postgres. (Pre-fix the
+          # name was static and this rm hit other runs' containers.)
+          docker rm -f "$PG_CONTAINER" 2>/dev/null || true
+          # `-p 0:5432` requests an ephemeral host port; we read it back
+          # below and export DATABASE_URL.
+          docker run -d --name "$PG_CONTAINER" \
+            -e POSTGRES_USER=dev -e POSTGRES_PASSWORD=dev -e POSTGRES_DB=molecule \
+            -p 0:5432 postgres:16 >/dev/null
+          # Resolve the host-side port assignment. `docker port` prints
+          # `0.0.0.0:NNNN` (and on host-net runners may also print an
+          # IPv6 line — take the first IPv4 line).
+          PG_PORT=$(docker port "$PG_CONTAINER" 5432/tcp | awk -F: '/^0\.0\.0\.0:/ {print $2; exit}')
+          if [ -z "$PG_PORT" ]; then
+            # Fallback: any first line. Some Docker versions print only
+            # one line.
+            PG_PORT=$(docker port "$PG_CONTAINER" 5432/tcp | head -1 | awk -F: '{print $NF}')
+          fi
+          if [ -z "$PG_PORT" ]; then
+            echo "::error::Could not resolve host port for $PG_CONTAINER"
+            docker port "$PG_CONTAINER" 5432/tcp || true
+            docker logs "$PG_CONTAINER" || true
+            exit 1
+          fi
+          # 127.0.0.1 (NOT localhost) — IPv6 first-resolve flake (#92).
+          echo "PG_PORT=${PG_PORT}" >> "$GITHUB_ENV"
+          echo "DATABASE_URL=postgres://dev:dev@127.0.0.1:${PG_PORT}/molecule?sslmode=disable" >> "$GITHUB_ENV"
+          echo "Postgres host port: ${PG_PORT}"
+          for i in $(seq 1 30); do
+            if docker exec "$PG_CONTAINER" pg_isready -U dev >/dev/null 2>&1; then
+              echo "Postgres ready after ${i}s"
+              exit 0
+            fi
+            sleep 1
+          done
+          echo "::error::Postgres did not become ready in 30s"
+          docker logs "$PG_CONTAINER" || true
+          exit 1
+      - name: Start Redis (docker)
+        if: needs.detect-changes.outputs.api == 'true'
+        run: |
+          docker rm -f "$REDIS_CONTAINER" 2>/dev/null || true
+          docker run -d --name "$REDIS_CONTAINER" -p 0:6379 redis:7 >/dev/null
+          REDIS_PORT=$(docker port "$REDIS_CONTAINER" 6379/tcp | awk -F: '/^0\.0\.0\.0:/ {print $2; exit}')
+          if [ -z "$REDIS_PORT" ]; then
+            REDIS_PORT=$(docker port "$REDIS_CONTAINER" 6379/tcp | head -1 | awk -F: '{print $NF}')
+          fi
+          if [ -z "$REDIS_PORT" ]; then
+            echo "::error::Could not resolve host port for $REDIS_CONTAINER"
+            docker port "$REDIS_CONTAINER" 6379/tcp || true
+            docker logs "$REDIS_CONTAINER" || true
+            exit 1
+          fi
+          echo "REDIS_PORT=${REDIS_PORT}" >> "$GITHUB_ENV"
+          echo "REDIS_URL=redis://127.0.0.1:${REDIS_PORT}" >> "$GITHUB_ENV"
+          echo "Redis host port: ${REDIS_PORT}"
+          for i in $(seq 1 15); do
+            if docker exec "$REDIS_CONTAINER" redis-cli ping 2>/dev/null | grep -q PONG; then
+              echo "Redis ready after ${i}s"
+              exit 0
+            fi
+            sleep 1
+          done
+          echo "::error::Redis did not become ready in 15s"
+          docker logs "$REDIS_CONTAINER" || true
+          exit 1
+      - name: Build platform
+        if: needs.detect-changes.outputs.api == 'true'
+        working-directory: workspace-server
+        run: go build -o platform-server ./cmd/server
+      - name: Start platform (background)
+        if: needs.detect-changes.outputs.api == 'true'
+        working-directory: workspace-server
+        run: |
+          # DATABASE_URL + REDIS_URL exported by the start-postgres /
+          # start-redis steps point at this run's per-run host ports.
+          ./platform-server > platform.log 2>&1 &
+          echo $! > platform.pid
+      - name: Wait for /health
+        if: needs.detect-changes.outputs.api == 'true'
+        run: |
+          for i in $(seq 1 30); do
+            if curl -sf http://127.0.0.1:8080/health > /dev/null; then
+              echo "Platform up after ${i}s"
+              exit 0
+            fi
+            sleep 1
+          done
+          echo "::error::Platform did not become healthy in 30s"
+          cat workspace-server/platform.log || true
+          exit 1
+      - name: Assert migrations applied
+        if: needs.detect-changes.outputs.api == 'true'
+        run: |
+          tables=$(docker exec "$PG_CONTAINER" psql -U dev -d molecule -tAc "SELECT count(*) FROM information_schema.tables WHERE table_schema='public' AND table_name='workspaces'")
+          if [ "$tables" != "1" ]; then
+            echo "::error::Migrations did not apply"
+            cat workspace-server/platform.log || true
+            exit 1
+          fi
+          echo "Migrations OK"
+      - name: Run E2E API tests
+        if: needs.detect-changes.outputs.api == 'true'
+        run: bash tests/e2e/test_api.sh
+      - name: Run notify-with-attachments E2E
+        if: needs.detect-changes.outputs.api == 'true'
+        run: bash tests/e2e/test_notify_attachments_e2e.sh
+      - name: Run priority-runtimes E2E (claude-code + hermes — skips when keys absent)
+        if: needs.detect-changes.outputs.api == 'true'
+        run: bash tests/e2e/test_priority_runtimes_e2e.sh
+      - name: Run poll-mode + since_id cursor E2E (#2339)
+        if: needs.detect-changes.outputs.api == 'true'
+        run: bash tests/e2e/test_poll_mode_e2e.sh
+      - name: Run poll-mode chat upload E2E (RFC #2891)
+        if: needs.detect-changes.outputs.api == 'true'
+        run: bash tests/e2e/test_poll_mode_chat_upload_e2e.sh
+      - name: Dump platform log on failure
+        if: failure() && needs.detect-changes.outputs.api == 'true'
+        run: cat workspace-server/platform.log || true
+      - name: Stop platform
+        if: always() && needs.detect-changes.outputs.api == 'true'
+        run: |
+          if [ -f workspace-server/platform.pid ]; then
+            kill "$(cat workspace-server/platform.pid)" 2>/dev/null || true
+          fi
+      - name: Stop service containers
+        # always() so containers don't leak when test steps fail. The
+        # cleanup is best-effort: if the container is already gone
+        # (e.g. concurrent rerun race), don't fail the job.
+        if: always() && needs.detect-changes.outputs.api == 'true'
+        run: |
+          docker rm -f "$PG_CONTAINER" 2>/dev/null || true
+          docker rm -f "$REDIS_CONTAINER" 2>/dev/null || true

.gitea/workflows/e2e-staging-canvas.yml

@@ -0,0 +1,247 @@
+name: E2E Staging Canvas (Playwright)
+
+# Ported from .github/workflows/e2e-staging-canvas.yml on 2026-05-11 per RFC
+# internal#219 §1 sweep. Differences from the GitHub version:
+#   - Dropped `workflow_dispatch.inputs` (Gitea 1.22.6 parser rejects them
+#     per feedback_gitea_workflow_dispatch_inputs_unsupported).
+#   - Dropped `merge_group:` (no Gitea merge queue).
+#   - Dropped `environment:` blocks (Gitea has no environments).
+#   - Workflow-level env.GITHUB_SERVER_URL pinned per
+#     feedback_act_runner_github_server_url.
+#   - `continue-on-error: true` on each job (RFC §1 contract).
+#
+
+# Playwright test suite that provisions a fresh staging org per run and
+# verifies every workspace-panel tab renders without crashing. Complements
+# e2e-staging-saas.yml (which tests the API shape) by exercising the
+# actual browser + canvas bundle against live staging.
+#
+# Triggers: push to main/staging or PR touching canvas sources + this workflow,
+# manual dispatch, and weekly cron to catch browser/runtime drift even
+# when canvas is quiet.
+# Added staging to push/pull_request branches so the auto-promote gate
+# check (--event push --branch staging) can see a completed run for this
+# workflow — mirrors what PR #1891 does for e2e-api.yml.
+
+on:
+  # Trigger model (revised 2026-04-29):
+  #
+  # Always fires on push/pull_request; real work is gated per-step on
+  # `needs.detect-changes.outputs.canvas`. When canvas/ paths haven't
+  # changed, the no-op step alone runs and emits SUCCESS for the
+  # `Canvas tabs E2E` check, satisfying branch protection without
+  # spending CI cycles. See e2e-api.yml for the rationale on why this
+  # is a single job rather than two-jobs-sharing-name.
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    # Weekly on Sunday 08:00 UTC — catches Chrome / Playwright / Next.js
+    # release-note-shaped regressions that don't ride in with a PR.
+    - cron: '0 8 * * 0'
+
+concurrency:
+  # Per-SHA grouping (changed 2026-04-28 from a single global group). The
+  # global group made auto-promote-staging brittle: when a staging push
+  # queued behind an in-flight run and a third entrant (a PR run, a
+  # follow-on push) entered the group, the staging push got cancelled —
+  # leaving auto-promote-staging looking at `completed/cancelled` for a
+  # required gate and refusing to advance main. Observed 2026-04-28
+  # 23:51-23:53 on staging tip 3f99fede.
+  #
+  # The original intent of the global group was to throttle parallel
+  # E2E provisions (each spins a fresh EC2). At our scale that throttle
+  # isn't worth the correctness cost — fresh-org-per-run isolates the
+  # state, and the cost of two parallel runs (~$0.001/min × 10min × 2)
+  # is rounding error vs. the cost of a stuck pipeline.
+  #
+  # Per-SHA still dedupes accidental double-triggers for the SAME SHA.
+  # It does NOT cancel obsolete-PR-version runs on force-push; that
+  # wasted CI is acceptable given the alternative is losing staging-tip
+  # data that auto-promote-staging needs.
+  group: e2e-staging-canvas-${{ github.event.pull_request.head.sha || github.sha }}
+  cancel-in-progress: false
+
+env:
+  GITHUB_SERVER_URL: https://git.moleculesai.app
+
+jobs:
+  detect-changes:
+    runs-on: ubuntu-latest
+    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
+    continue-on-error: true
+    outputs:
+      canvas: ${{ steps.decide.outputs.canvas }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+      - id: decide
+        # Inline replacement for dorny/paths-filter — see e2e-api.yml.
+        # Cron triggers always run real work (no diff context).
+        run: |
+          if [ "${{ github.event_name }}" = "schedule" ]; then
+            echo "canvas=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          BASE="${GITHUB_BASE_REF:-${{ github.event.before }}}"
+          if [ "${{ github.event_name }}" = "pull_request" ] && [ -n "${{ github.event.pull_request.base.sha }}" ]; then
+            BASE="${{ github.event.pull_request.base.sha }}"
+          fi
+          if [ -z "$BASE" ] || echo "$BASE" | grep -qE '^0+$'; then
+            echo "canvas=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          if ! git cat-file -e "$BASE" 2>/dev/null; then
+            git fetch --depth=1 origin "$BASE" 2>/dev/null || true
+          fi
+          if ! git cat-file -e "$BASE" 2>/dev/null; then
+            echo "canvas=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          CHANGED=$(git diff --name-only "$BASE" HEAD)
+          if echo "$CHANGED" | grep -qE '^(canvas/|\.gitea/workflows/e2e-staging-canvas\.yml$)'; then
+            echo "canvas=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "canvas=false" >> "$GITHUB_OUTPUT"
+          fi
+
+  # ONE job (no job-level `if:`) that always runs and reports under the
+  # required-check name `Canvas tabs E2E`. Real work is gated per-step on
+  # `needs.detect-changes.outputs.canvas`. See e2e-api.yml for the full
+  # rationale — same path-filter check-name parity issue blocked PR #2264
+  # (staging→main) on 2026-04-29 because branch protection treats matching-
+  # name check runs as a SET, and any SKIPPED member fails the eval.
+  playwright:
+    needs: detect-changes
+    name: Canvas tabs E2E
+    runs-on: ubuntu-latest
+    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
+    continue-on-error: true
+    timeout-minutes: 40
+
+    env:
+      CANVAS_E2E_STAGING: '1'
+      MOLECULE_CP_URL: https://staging-api.moleculesai.app
+      MOLECULE_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
+
+    defaults:
+      run:
+        working-directory: canvas
+
+    steps:
+      - name: No-op pass (paths filter excluded this commit)
+        if: needs.detect-changes.outputs.canvas != 'true'
+        working-directory: .
+        run: |
+          echo "No canvas / workflow changes — E2E Staging Canvas gate satisfied without running tests."
+          echo "::notice::E2E Staging Canvas no-op pass (paths filter excluded this commit)."
+
+      - if: needs.detect-changes.outputs.canvas == 'true'
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Verify admin token present
+        if: needs.detect-changes.outputs.canvas == 'true'
+        run: |
+          if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
+            echo "::error::Missing MOLECULE_STAGING_ADMIN_TOKEN"
+            exit 2
+          fi
+
+      - name: Set up Node
+        if: needs.detect-changes.outputs.canvas == 'true'
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: canvas/package-lock.json
+
+      - name: Install canvas deps
+        if: needs.detect-changes.outputs.canvas == 'true'
+        run: npm ci
+
+      - name: Install Playwright browsers
+        if: needs.detect-changes.outputs.canvas == 'true'
+        run: npx playwright install --with-deps chromium
+
+      - name: Run staging canvas E2E
+        if: needs.detect-changes.outputs.canvas == 'true'
+        run: npx playwright test --config=playwright.staging.config.ts
+
+      - name: Upload Playwright report on failure
+        if: failure() && needs.detect-changes.outputs.canvas == 'true'
+        # Pinned to v3 for Gitea act_runner v0.6 compatibility — v4+ uses
+        # the GHES 3.10+ artifact protocol that Gitea 1.22.x does NOT
+        # implement (see ci.yml upload step for the canonical error
+        # cite). Drop this pin when Gitea ships the v4 protocol.
+        uses: actions/upload-artifact@c6a366c94c3e0affe28c06c8df20a878f24da3cf # v3.2.2
+        with:
+          name: playwright-report-staging
+          path: canvas/playwright-report-staging/
+          retention-days: 14
+
+      - name: Upload screenshots on failure
+        if: failure() && needs.detect-changes.outputs.canvas == 'true'
+        # Pinned to v3 for Gitea act_runner v0.6 compatibility (see above).
+        uses: actions/upload-artifact@c6a366c94c3e0affe28c06c8df20a878f24da3cf # v3.2.2
+        with:
+          name: playwright-screenshots
+          path: canvas/test-results/
+          retention-days: 14
+
+      # Safety-net teardown — fires only when Playwright's globalTeardown
+      # didn't (worker crash, runner cancel). Reads the slug from
+      # canvas/.playwright-staging-state.json (written by staging-setup
+      # as its first action, before any CP call) and deletes only that
+      # slug.
+      #
+      # Earlier versions of this step pattern-swept `e2e-canvas-<today>-*`
+      # orgs to compensate for setup-crash-before-state-file-write. That
+      # over-aggressive cleanup raced concurrent canvas-E2E runs and
+      # poisoned each other's tenants — observed 2026-04-30 when three
+      # real-test runs killed each other mid-test, surfacing as
+      # `getaddrinfo ENOTFOUND` once CP had cleaned up the just-deleted
+      # DNS record. Pattern-sweep removed; setup now writes the state
+      # file before any CP work, so the slug is always recoverable.
+      - name: Teardown safety net
+        if: always() && needs.detect-changes.outputs.canvas == 'true'
+        env:
+          ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
+        run: |
+          set +e
+          STATE_FILE=".playwright-staging-state.json"
+          if [ ! -f "$STATE_FILE" ]; then
+            echo "::notice::No state file at canvas/$STATE_FILE — Playwright globalTeardown handled it (or setup never ran)."
+            exit 0
+          fi
+          slug=$(python3 -c "import json; print(json.load(open('$STATE_FILE')).get('slug',''))")
+          if [ -z "$slug" ]; then
+            echo "::warning::State file present but slug missing; nothing to clean up."
+            exit 0
+          fi
+          echo "Deleting orphan tenant: $slug"
+          # Verify HTTP 2xx instead of `>/dev/null || true` swallowing
+          # failures. A 5xx or timeout previously looked identical to
+          # success, leaving the tenant alive for up to ~45 min until
+          # sweep-stale-e2e-orgs caught it. Surface failures as
+          # workflow warnings naming the slug. Don't `exit 1` — a single
+          # cleanup miss shouldn't fail-flag the canvas test when the
+          # actual smoke check passed; the sweeper is the safety net.
+          # See molecule-controlplane#420.
+          # Tempfile-routed -w + set +e/-e prevents curl-exit-code
+          # pollution of the captured status (lint-curl-status-capture.yml).
+          set +e
+          curl -sS -o /tmp/canvas-cleanup.out -w "%{http_code}" \
+            -X DELETE "$MOLECULE_CP_URL/cp/admin/tenants/$slug" \
+            -H "Authorization: Bearer $ADMIN_TOKEN" \
+            -H "Content-Type: application/json" \
+            -d "{\"confirm\":\"$slug\"}" >/tmp/canvas-cleanup.code
+          set -e
+          code=$(cat /tmp/canvas-cleanup.code 2>/dev/null || echo "000")
+          if [ "$code" = "200" ] || [ "$code" = "204" ]; then
+            echo "[teardown] deleted $slug (HTTP $code)"
+          else
+            echo "::warning::canvas teardown for $slug returned HTTP $code — sweep-stale-e2e-orgs will catch it within ~45 min. Body: $(head -c 300 /tmp/canvas-cleanup.out 2>/dev/null)"
+          fi
+          exit 0

.gitea/workflows/e2e-staging-external.yml

@@ -0,0 +1,189 @@
+name: E2E Staging External Runtime
+
+# Ported from .github/workflows/e2e-staging-external.yml on 2026-05-11 per RFC
+# internal#219 §1 sweep. Differences from the GitHub version:
+#   - Dropped `workflow_dispatch.inputs` (Gitea 1.22.6 parser rejects them
+#     per feedback_gitea_workflow_dispatch_inputs_unsupported).
+#   - Dropped `merge_group:` (no Gitea merge queue).
+#   - Dropped `environment:` blocks (Gitea has no environments).
+#   - Workflow-level env.GITHUB_SERVER_URL pinned per
+#     feedback_act_runner_github_server_url.
+#   - `continue-on-error: true` on each job (RFC §1 contract).
+#
+
+# Regression for the four/five workspaces.status=awaiting_agent transitions
+# that silently failed in production for five days before migration 046
+# extended the workspace_status enum (see
+# workspace-server/migrations/046_workspace_status_awaiting_agent.up.sql).
+#
+# Why this is its own workflow (not folded into e2e-staging-saas.yml):
+#   - The full-saas harness defaults to runtime=hermes, never exercises
+#     external-runtime. Adding an `external` parameter to that script
+#     would force every push to staging through both lifecycles in
+#     series, doubling the EC2 cold-start budget.
+#   - The external lifecycle has unique timing (REMOTE_LIVENESS_STALE_AFTER
+#     window, 90s default + sweep interval), which we wait through
+#     deliberately. Folding it into hermes would make the long path
+#     even longer.
+#   - It can run in parallel with the hermes E2E since both create
+#     fresh tenant orgs with distinct slug prefixes (`e2e-ext-...` vs
+#     `e2e-...`).
+#
+# Triggers:
+#   - Push to staging when any source affecting external runtime,
+#     hibernation, or the migration set changes.
+#   - PR review for the same set.
+#   - Manual workflow_dispatch.
+#   - Daily cron at 07:30 UTC (catches drift on quiet days; staggered
+#     30 min after e2e-staging-saas.yml's 07:00 UTC cron).
+#
+# Concurrency: serialized so two staging pushes don't fight for the
+# same EC2 quota window. cancel-in-progress=false so a half-rolled
+# tenant always finishes its teardown.
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'workspace-server/internal/handlers/workspace.go'
+      - 'workspace-server/internal/handlers/registry.go'
+      - 'workspace-server/internal/handlers/workspace_restart.go'
+      - 'workspace-server/internal/registry/healthsweep.go'
+      - 'workspace-server/internal/registry/liveness.go'
+      - 'workspace-server/migrations/**'
+      - 'workspace-server/internal/db/workspace_status_enum_drift_test.go'
+      - 'tests/e2e/test_staging_external_runtime.sh'
+      - '.gitea/workflows/e2e-staging-external.yml'
+  pull_request:
+    branches: [main]
+    paths:
+      - 'workspace-server/internal/handlers/workspace.go'
+      - 'workspace-server/internal/handlers/registry.go'
+      - 'workspace-server/internal/handlers/workspace_restart.go'
+      - 'workspace-server/internal/registry/healthsweep.go'
+      - 'workspace-server/internal/registry/liveness.go'
+      - 'workspace-server/migrations/**'
+      - 'workspace-server/internal/db/workspace_status_enum_drift_test.go'
+      - 'tests/e2e/test_staging_external_runtime.sh'
+      - '.gitea/workflows/e2e-staging-external.yml'
+  schedule:
+    - cron: '30 7 * * *'
+
+concurrency:
+  group: e2e-staging-external
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+
+env:
+  GITHUB_SERVER_URL: https://git.moleculesai.app
+
+jobs:
+  e2e-staging-external:
+    name: E2E Staging External Runtime
+    runs-on: ubuntu-latest
+    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
+    continue-on-error: true
+    timeout-minutes: 25
+
+    env:
+      MOLECULE_CP_URL: https://staging-api.moleculesai.app
+      MOLECULE_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
+      E2E_RUN_ID: "${{ github.run_id }}-${{ github.run_attempt }}"
+      E2E_KEEP_ORG: ${{ github.event.inputs.keep_org && '1' || '0' }}
+      E2E_STALE_WAIT_SECS: ${{ github.event.inputs.stale_wait_secs || '180' }}
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Verify admin token present
+        run: |
+          if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
+            # Schedule + push triggers must hard-fail when the token is
+            # missing — silent skip would mask infra rot. Manual dispatch
+            # gets the same hard-fail; an operator running this on a fork
+            # without secrets configured needs to know up-front.
+            echo "::error::MOLECULE_STAGING_ADMIN_TOKEN secret not set (Railway staging CP_ADMIN_API_TOKEN)"
+            exit 2
+          fi
+          echo "Admin token present ✓"
+
+      - name: CP staging health preflight
+        run: |
+          code=$(curl -sS -o /dev/null -w "%{http_code}" --max-time 10 "$MOLECULE_CP_URL/health")
+          if [ "$code" != "200" ]; then
+            echo "::error::Staging CP unhealthy (got HTTP $code). Skipping — not a workspace bug."
+            exit 1
+          fi
+          echo "Staging CP healthy ✓"
+
+      - name: Run external-runtime E2E
+        id: e2e
+        run: bash tests/e2e/test_staging_external_runtime.sh
+
+      # Mirror the e2e-staging-saas.yml safety net: if the runner is
+      # cancelled (e.g. concurrent staging push), the test script's
+      # EXIT trap may not fire, so we sweep e2e-ext-* slugs scoped to
+      # *this* run id.
+      - name: Teardown safety net (runs on cancel/failure)
+        if: always()
+        env:
+          ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
+        run: |
+          set +e
+          orgs=$(curl -sS "$MOLECULE_CP_URL/cp/admin/orgs" \
+            -H "Authorization: Bearer $ADMIN_TOKEN" 2>/dev/null \
+            | python3 -c "
+          import json, sys, os, datetime
+          run_id = os.environ.get('GITHUB_RUN_ID', '')
+          d = json.load(sys.stdin)
+          # Scope STRICTLY to this run id (e2e-ext-YYYYMMDD-<runid>-...)
+          # so concurrent runs and unrelated dev probes are not touched.
+          # Sweep today AND yesterday so a midnight-crossing run still
+          # cleans up its own slug.
+          today = datetime.date.today()
+          yesterday = today - datetime.timedelta(days=1)
+          dates = (today.strftime('%Y%m%d'), yesterday.strftime('%Y%m%d'))
+          if not run_id:
+              # Without a run id we cannot scope safely; bail rather
+              # than risk deleting unrelated tenants.
+              sys.exit(0)
+          prefixes = tuple(f'e2e-ext-{d}-{run_id}-' for d in dates)
+          for o in d.get('orgs', []):
+              s = o.get('slug', '')
+              if s.startswith(prefixes) and o.get('status') != 'purged':
+                  print(s)
+          " 2>/dev/null)
+          if [ -n "$orgs" ]; then
+            echo "Safety-net sweep: deleting leftover orgs:"
+            echo "$orgs"
+            # Per-slug verified DELETE — see molecule-controlplane#420.
+            # `>/dev/null 2>&1` previously hid every failure; surface
+            # non-2xx as workflow warnings so the run page names what
+            # leaked. Sweeper catches the rest within ~45 min.
+            leaks=()
+            for slug in $orgs; do
+              # Tempfile-routed -w + set +e/-e prevents curl-exit-code
+              # pollution of the captured status (lint-curl-status-capture.yml).
+              set +e
+              curl -sS -o /tmp/external-cleanup.out -w "%{http_code}" \
+                -X DELETE "$MOLECULE_CP_URL/cp/admin/tenants/$slug" \
+                -H "Authorization: Bearer $ADMIN_TOKEN" \
+                -H "Content-Type: application/json" \
+                -d "{\"confirm\":\"$slug\"}" >/tmp/external-cleanup.code
+              set -e
+              code=$(cat /tmp/external-cleanup.code 2>/dev/null || echo "000")
+              if [ "$code" = "200" ] || [ "$code" = "204" ]; then
+                echo "[teardown] deleted $slug (HTTP $code)"
+              else
+                echo "::warning::external teardown for $slug returned HTTP $code — sweep-stale-e2e-orgs will catch it within ~45 min. Body: $(head -c 300 /tmp/external-cleanup.out 2>/dev/null)"
+                leaks+=("$slug")
+              fi
+            done
+            if [ ${#leaks[@]} -gt 0 ]; then
+              echo "::warning::external teardown left ${#leaks[@]} leak(s): ${leaks[*]}"
+            fi
+          else
+            echo "Safety-net sweep: no leftover orgs to clean."
+          fi

.gitea/workflows/e2e-staging-saas.yml

@@ -0,0 +1,251 @@
+name: E2E Staging SaaS (full lifecycle)
+
+# Ported from .github/workflows/e2e-staging-saas.yml on 2026-05-11 per RFC
+# internal#219 §1 sweep. Differences from the GitHub version:
+#   - Dropped `workflow_dispatch.inputs` (Gitea 1.22.6 parser rejects them
+#     per feedback_gitea_workflow_dispatch_inputs_unsupported).
+#   - Dropped `merge_group:` (no Gitea merge queue).
+#   - Dropped `environment:` blocks (Gitea has no environments).
+#   - Workflow-level env.GITHUB_SERVER_URL pinned per
+#     feedback_act_runner_github_server_url.
+#   - `continue-on-error: true` on each job (RFC §1 contract).
+#
+
+# Dedicated workflow that provisions a fresh staging org per run, exercises
+# the full workspace lifecycle (register → heartbeat → A2A → delegation →
+# HMA memory → activity → peers), then tears down and asserts leak-free.
+#
+# Why a separate workflow (not folded into ci.yml):
+#   - The run takes ~25-35 min (EC2 boot + cloudflared DNS + provision sweeps +
+#     agent bootstrap), way too slow for every PR.
+#   - Needs its own concurrency group so two pushes don't fight over the
+#     same staging org slug prefix.
+#   - Has its own required secrets (session cookie, admin token) that most
+#     PRs don't need to read.
+#
+# Triggers:
+#   - Push to main (regression guard)
+#   - workflow_dispatch (manual re-run from UI)
+#   - Nightly cron (catches drift even when no pushes land)
+#   - Changes to any provisioning-critical file under PR review (opt-in
+#     via the same paths watcher that e2e-api.yml uses)
+
+on:
+  # Trunk-based (Phase 3 of internal#81): main is the only branch.
+  # Previously this fired on staging push too because staging was a
+  # superset of main and ran the gate ahead of auto-promote; with no
+  # staging branch, main is where E2E gates the deploy.
+  push:
+    branches: [main]
+    paths:
+      - 'workspace-server/internal/handlers/registry.go'
+      - 'workspace-server/internal/handlers/workspace_provision.go'
+      - 'workspace-server/internal/handlers/a2a_proxy.go'
+      - 'workspace-server/internal/middleware/**'
+      - 'workspace-server/internal/provisioner/**'
+      - 'tests/e2e/test_staging_full_saas.sh'
+      - '.gitea/workflows/e2e-staging-saas.yml'
+  pull_request:
+    branches: [main]
+    paths:
+      - 'workspace-server/internal/handlers/registry.go'
+      - 'workspace-server/internal/handlers/workspace_provision.go'
+      - 'workspace-server/internal/handlers/a2a_proxy.go'
+      - 'workspace-server/internal/middleware/**'
+      - 'workspace-server/internal/provisioner/**'
+      - 'tests/e2e/test_staging_full_saas.sh'
+      - '.gitea/workflows/e2e-staging-saas.yml'
+  schedule:
+    # 07:00 UTC every day — catches AMI drift, WorkOS cert rotation,
+    # Cloudflare API regressions, etc. even on quiet days.
+    - cron: '0 7 * * *'
+
+# Serialize: staging has a finite per-hour org creation quota. Two pushes
+# landing in quick succession should queue, not race. `cancel-in-progress:
+# false` mirrors e2e-api.yml — GitHub would otherwise cancel the running
+# teardown step and leave orphan EC2s.
+concurrency:
+  group: e2e-staging-saas
+  cancel-in-progress: false
+
+env:
+  GITHUB_SERVER_URL: https://git.moleculesai.app
+
+jobs:
+  e2e-staging-saas:
+    name: E2E Staging SaaS
+    runs-on: ubuntu-latest
+    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
+    continue-on-error: true
+    timeout-minutes: 45
+    permissions:
+      contents: read
+
+    env:
+      MOLECULE_CP_URL: https://staging-api.moleculesai.app
+      # Single admin-bearer secret drives provision + tenant-token
+      # retrieval + teardown. Configure in
+      # Settings → Secrets and variables → Actions → Repository secrets.
+      MOLECULE_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
+      # MiniMax is the PRIMARY LLM auth path post-2026-05-04. Switched
+      # from hermes+OpenAI default after #2578 (the staging OpenAI key
+      # account went over quota and stayed dead for 36+ hours, taking
+      # the full-lifecycle E2E red on every provisioning-critical push).
+      # claude-code template's `minimax` provider routes
+      # ANTHROPIC_BASE_URL to api.minimax.io/anthropic and reads
+      # MINIMAX_API_KEY at boot — separate billing account so an
+      # OpenAI quota collapse no longer wedges the gate. Mirrors the
+      # canary-staging.yml + continuous-synth-e2e.yml migrations.
+      E2E_MINIMAX_API_KEY: ${{ secrets.MOLECULE_STAGING_MINIMAX_API_KEY }}
+      # Direct-Anthropic alternative for operators who don't want to
+      # set up a MiniMax account (priority below MiniMax — first
+      # non-empty wins in test_staging_full_saas.sh's secrets-injection
+      # block). See #2578 PR comment for the rationale.
+      E2E_ANTHROPIC_API_KEY: ${{ secrets.MOLECULE_STAGING_ANTHROPIC_API_KEY }}
+      # OpenAI fallback — kept wired so an operator-dispatched run with
+      # E2E_RUNTIME=hermes or =langgraph via workflow_dispatch can still
+      # exercise the OpenAI path.
+      E2E_OPENAI_API_KEY: ${{ secrets.MOLECULE_STAGING_OPENAI_KEY }}
+      E2E_RUNTIME: ${{ github.event.inputs.runtime || 'claude-code' }}
+      # Pin the model when running on the default claude-code path —
+      # the per-runtime default ("sonnet") routes to direct Anthropic
+      # and defeats the cost saving. Operators can override via the
+      # workflow_dispatch flow (no input wired here yet — runtime
+      # override is enough for ad-hoc).
+      E2E_MODEL_SLUG: ${{ github.event.inputs.runtime == 'hermes' && 'openai/gpt-4o' || github.event.inputs.runtime == 'langgraph' && 'openai:gpt-4o' || 'MiniMax-M2.7-highspeed' }}
+      E2E_RUN_ID: "${{ github.run_id }}-${{ github.run_attempt }}"
+      E2E_KEEP_ORG: ${{ github.event.inputs.keep_org && '1' || '0' }}
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Verify admin token present
+        run: |
+          if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
+            echo "::error::MOLECULE_STAGING_ADMIN_TOKEN secret not set (Railway staging CP_ADMIN_API_TOKEN)"
+            exit 2
+          fi
+          echo "Admin token present ✓"
+
+      - name: Verify LLM key present
+        run: |
+          # Per-runtime key check — claude-code uses MiniMax; hermes /
+          # langgraph (operator-dispatched only) use OpenAI. Hard-fail
+          # rather than soft-skip per #2578's lesson — empty key
+          # silently falls through to the wrong SECRETS_JSON branch and
+          # produces a confusing auth error 5 min later instead of the
+          # clean "secret missing" message at the top.
+          case "${E2E_RUNTIME}" in
+            claude-code)
+              # Either MiniMax OR direct-Anthropic works — first
+              # non-empty wins in the test script's secrets-injection
+              # priority chain.
+              if [ -n "${E2E_MINIMAX_API_KEY:-}" ]; then
+                required_secret_name="MOLECULE_STAGING_MINIMAX_API_KEY"
+                required_secret_value="${E2E_MINIMAX_API_KEY}"
+              elif [ -n "${E2E_ANTHROPIC_API_KEY:-}" ]; then
+                required_secret_name="MOLECULE_STAGING_ANTHROPIC_API_KEY"
+                required_secret_value="${E2E_ANTHROPIC_API_KEY}"
+              else
+                required_secret_name="MOLECULE_STAGING_MINIMAX_API_KEY or MOLECULE_STAGING_ANTHROPIC_API_KEY"
+                required_secret_value=""
+              fi
+              ;;
+            langgraph|hermes)
+              required_secret_name="MOLECULE_STAGING_OPENAI_KEY"
+              required_secret_value="${E2E_OPENAI_API_KEY:-}"
+              ;;
+            *)
+              echo "::warning::Unknown E2E_RUNTIME='${E2E_RUNTIME}' — skipping LLM-key check"
+              required_secret_name=""
+              required_secret_value="present"
+              ;;
+          esac
+          if [ -n "$required_secret_name" ] && [ -z "$required_secret_value" ]; then
+            echo "::error::${required_secret_name} secret not set for runtime=${E2E_RUNTIME} — workspaces will fail at boot with 'No provider API key found'"
+            exit 2
+          fi
+          echo "LLM key present ✓ (runtime=${E2E_RUNTIME}, key=${required_secret_name}, len=${#required_secret_value})"
+
+      - name: CP staging health preflight
+        run: |
+          code=$(curl -sS -o /dev/null -w "%{http_code}" --max-time 10 "$MOLECULE_CP_URL/health")
+          if [ "$code" != "200" ]; then
+            echo "::error::Staging CP unhealthy (got HTTP $code). Skipping — not a workspace bug."
+            exit 1
+          fi
+          echo "Staging CP healthy ✓"
+
+      - name: Run full-lifecycle E2E
+        id: e2e
+        run: bash tests/e2e/test_staging_full_saas.sh
+
+      # Belt-and-braces teardown: the test script itself installs a trap
+      # for EXIT/INT/TERM, but if the GH runner itself is cancelled (e.g.
+      # someone pushes a new commit and workflow concurrency is set to
+      # cancel), the trap may not fire. This `always()` step runs even on
+      # cancellation and attempts the delete a second time. The admin
+      # DELETE endpoint is idempotent so double-invoking is safe.
+      - name: Teardown safety net (runs on cancel/failure)
+        if: always()
+        env:
+          ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
+        run: |
+          # Best-effort: find any e2e-YYYYMMDD-* orgs matching this run and
+          # nuke them. Catches the case where the script died before
+          # exporting its slug.
+          set +e
+          orgs=$(curl -sS "$MOLECULE_CP_URL/cp/admin/orgs" \
+            -H "Authorization: Bearer $ADMIN_TOKEN" 2>/dev/null \
+            | python3 -c "
+          import json, sys, os, datetime
+          run_id = os.environ.get('GITHUB_RUN_ID', '')
+          d = json.load(sys.stdin)
+          # ONLY sweep slugs from *this* CI run. Previously the filter was
+          # f'e2e-{today}-' which stomped on parallel CI runs AND any manual
+          # E2E probes a dev was running against staging (incident 2026-04-21
+          # 15:02Z: this workflow's safety net deleted an unrelated manual
+          # run's tenant 1s after it hit 'running').
+          # Sweep both today AND yesterday's UTC dates so a run that crosses
+          # midnight still matches its own slug — see the 2026-04-26→27
+          # canvas-safety-net incident for the same bug class.
+          today = datetime.date.today()
+          yesterday = today - datetime.timedelta(days=1)
+          dates = (today.strftime('%Y%m%d'), yesterday.strftime('%Y%m%d'))
+          if run_id:
+              prefixes = tuple(f'e2e-{d}-{run_id}-' for d in dates)
+          else:
+              prefixes = tuple(f'e2e-{d}-' for d in dates)
+          candidates = [o['slug'] for o in d.get('orgs', [])
+                        if any(o.get('slug','').startswith(p) for p in prefixes)
+                        and o.get('instance_status') not in ('purged',)]
+          print('\n'.join(candidates))
+          " 2>/dev/null)
+          # Per-slug verified DELETE (was `>/dev/null || true` — see
+          # molecule-controlplane#420). Surface non-2xx as a workflow
+          # warning naming the leaked slug; don't exit 1 (sweeper is
+          # the safety net within ~45 min).
+          leaks=()
+          for slug in $orgs; do
+            echo "Safety-net teardown: $slug"
+            # Tempfile-routed -w + set +e/-e prevents curl-exit-code
+            # pollution of the captured status (lint-curl-status-capture.yml).
+            set +e
+            curl -sS -o /tmp/saas-cleanup.out -w "%{http_code}" \
+              -X DELETE "$MOLECULE_CP_URL/cp/admin/tenants/$slug" \
+              -H "Authorization: Bearer $ADMIN_TOKEN" \
+              -H "Content-Type: application/json" \
+              -d "{\"confirm\":\"$slug\"}" >/tmp/saas-cleanup.code
+            set -e
+            code=$(cat /tmp/saas-cleanup.code 2>/dev/null || echo "000")
+            if [ "$code" = "200" ] || [ "$code" = "204" ]; then
+              echo "[teardown] deleted $slug (HTTP $code)"
+            else
+              echo "::warning::saas teardown for $slug returned HTTP $code — sweep-stale-e2e-orgs will catch it within ~45 min. Body: $(head -c 300 /tmp/saas-cleanup.out 2>/dev/null)"
+              leaks+=("$slug")
+            fi
+          done
+          if [ ${#leaks[@]} -gt 0 ]; then
+            echo "::warning::saas teardown left ${#leaks[@]} leak(s): ${leaks[*]}"
+          fi
+          exit 0

.gitea/workflows/e2e-staging-sanity.yml

@@ -0,0 +1,157 @@
+name: E2E Staging Sanity (leak-detection self-check)
+
+# Ported from .github/workflows/e2e-staging-sanity.yml on 2026-05-11 per
+# RFC internal#219 §1 sweep.
+#
+# Differences from the GitHub version:
+#   - Dropped `workflow_dispatch:` (Gitea 1.22.6 finicky on bare dispatch).
+#   - `actions/github-script@v9` issue-open block replaced with curl
+#     calls to the Gitea REST API (/api/v1/repos/.../issues|comments).
+#   - Workflow-level env.GITHUB_SERVER_URL set.
+#   - `continue-on-error: true` on the job (RFC §1 contract).
+#
+# Periodic assertion that the teardown safety nets in e2e-staging-saas
+# and canary-staging actually work. Runs the E2E harness with
+# E2E_INTENTIONAL_FAILURE=1, which poisons the tenant admin token after
+# the org is provisioned. The workspace-provision step then fails, the
+# script exits non-zero, and the EXIT trap + workflow always()-step
+# must still tear down cleanly.
+
+on:
+  schedule:
+    - cron: '0 6 * * 1'
+
+env:
+  GITHUB_SERVER_URL: https://git.moleculesai.app
+
+concurrency:
+  group: e2e-staging-sanity
+  cancel-in-progress: false
+
+permissions:
+  issues: write
+  contents: read
+
+jobs:
+  sanity:
+    name: Intentional-failure teardown sanity
+    runs-on: ubuntu-latest
+    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
+    continue-on-error: true
+    timeout-minutes: 20
+
+    env:
+      MOLECULE_CP_URL: https://staging-api.moleculesai.app
+      MOLECULE_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
+      E2E_MODE: canary
+      E2E_RUNTIME: hermes
+      E2E_RUN_ID: "sanity-${{ github.run_id }}"
+      E2E_INTENTIONAL_FAILURE: "1"
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Verify admin token present
+        run: |
+          if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
+            echo "::error::MOLECULE_STAGING_ADMIN_TOKEN not set"
+            exit 2
+          fi
+
+      # Inverted assertion: the run MUST fail. If it passes, the
+      # E2E_INTENTIONAL_FAILURE path is broken.
+      - name: Run harness — expecting exit !=0
+        id: harness
+        run: |
+          set +e
+          bash tests/e2e/test_staging_full_saas.sh
+          rc=$?
+          echo "harness_rc=$rc" >> "$GITHUB_OUTPUT"
+          if [ "$rc" = "1" ]; then
+            echo "OK Harness failed as expected (rc=1); teardown trap ran, leak-check passed"
+            exit 0
+          elif [ "$rc" = "0" ]; then
+            echo "::error::Harness succeeded under E2E_INTENTIONAL_FAILURE=1 — the poisoning path is broken"
+            exit 1
+          elif [ "$rc" = "4" ]; then
+            echo "::error::LEAK DETECTED (rc=4) — teardown failed to clean up the org. Safety net broken."
+            exit 4
+          else
+            echo "::error::Unexpected rc=$rc — neither clean-failure nor leak. Investigate harness."
+            exit 1
+          fi
+
+      - name: Open issue if safety net is broken (Gitea API)
+        if: failure()
+        env:
+          GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
+          SERVER_URL: ${{ env.GITHUB_SERVER_URL }}
+          RUN_ID: ${{ github.run_id }}
+        run: |
+          set -euo pipefail
+          API="${SERVER_URL%/}/api/v1"
+          TITLE="E2E teardown safety net broken"
+          RUN_URL="${SERVER_URL}/${REPO}/actions/runs/${RUN_ID}"
+
+          BODY_JSON=$(jq -nc --arg t "$TITLE" --arg run "$RUN_URL" '
+            {title: $t,
+             body: ("The weekly sanity run (E2E_INTENTIONAL_FAILURE=1) did not exit as expected. This means one of:\n  - poisoning did not actually cause failure (test harness regression), OR\n  - teardown left an orphan org (leak detection caught a real bug)\n\nRun: " + $run + "\n\nThis is higher priority than a canary failure — the whole E2E safety net cannot be trusted until this is resolved.")}')
+
+          EXISTING=$(curl -fsS -H "Authorization: token $GITEA_TOKEN" \
+            "${API}/repos/${REPO}/issues?state=open&type=issues&limit=50" \
+            | jq -r --arg t "$TITLE" '.[] | select(.title==$t) | .number' | head -1)
+
+          if [ -n "$EXISTING" ]; then
+            curl -fsS -X POST -H "Authorization: token $GITEA_TOKEN" -H "Content-Type: application/json" \
+              "${API}/repos/${REPO}/issues/${EXISTING}/comments" \
+              -d "$(jq -nc --arg run "$RUN_URL" '{body: ("Still broken. " + $run)}')" >/dev/null
+            echo "Commented on existing issue #${EXISTING}"
+          else
+            curl -fsS -X POST -H "Authorization: token $GITEA_TOKEN" -H "Content-Type: application/json" \
+              "${API}/repos/${REPO}/issues" -d "$BODY_JSON" >/dev/null
+            echo "Filed new issue"
+          fi
+
+      # Belt-and-braces: if teardown left anything behind, nuke it here
+      # so we don't bleed staging quota.
+      - name: Teardown safety net
+        if: always()
+        env:
+          ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
+        run: |
+          set +e
+          orgs=$(curl -sS "$MOLECULE_CP_URL/cp/admin/orgs" \
+            -H "Authorization: Bearer $ADMIN_TOKEN" 2>/dev/null \
+            | python3 -c "
+          import json, sys
+          d = json.load(sys.stdin)
+          today = __import__('datetime').date.today().strftime('%Y%m%d')
+          candidates = [o['slug'] for o in d.get('orgs', [])
+                        if o.get('slug','').startswith(f'e2e-canary-{today}-sanity-')
+                        and o.get('status') not in ('purged',)]
+          print('\n'.join(candidates))
+          " 2>/dev/null)
+          leaks=()
+          for slug in $orgs; do
+            # Tempfile-routed -w + set +e/-e prevents curl-exit-code
+            # pollution of the captured status (lint-curl-status-capture.yml).
+            set +e
+            curl -sS -o /tmp/sanity-cleanup.out -w "%{http_code}" \
+              -X DELETE "$MOLECULE_CP_URL/cp/admin/tenants/$slug" \
+              -H "Authorization: Bearer $ADMIN_TOKEN" \
+              -H "Content-Type: application/json" \
+              -d "{\"confirm\":\"$slug\"}" >/tmp/sanity-cleanup.code
+            set -e
+            code=$(cat /tmp/sanity-cleanup.code 2>/dev/null || echo "000")
+            if [ "$code" = "200" ] || [ "$code" = "204" ]; then
+              echo "[teardown] deleted $slug (HTTP $code)"
+            else
+              echo "::warning::sanity teardown for $slug returned HTTP $code — sweep-stale-e2e-orgs will catch it within ~45 min. Body: $(head -c 300 /tmp/sanity-cleanup.out 2>/dev/null)"
+              leaks+=("$slug")
+            fi
+          done
+          if [ ${#leaks[@]} -gt 0 ]; then
+            echo "::warning::sanity teardown left ${#leaks[@]} leak(s): ${leaks[*]}"
+          fi
+          exit 0

.gitea/workflows/handlers-postgres-integration.yml

@@ -0,0 +1,282 @@
+name: Handlers Postgres Integration
+
+# Ported from .github/workflows/handlers-postgres-integration.yml on 2026-05-11 per RFC
+# internal#219 §1 sweep. Differences from the GitHub version:
+#   - Dropped `workflow_dispatch.inputs` (Gitea 1.22.6 parser rejects them
+#     per feedback_gitea_workflow_dispatch_inputs_unsupported).
+#   - Dropped `merge_group:` (no Gitea merge queue).
+#   - Dropped `environment:` blocks (Gitea has no environments).
+#   - Workflow-level env.GITHUB_SERVER_URL pinned per
+#     feedback_act_runner_github_server_url.
+#   - `continue-on-error: true` on each job (RFC §1 contract).
+#
+
+# Real-Postgres integration tests for workspace-server/internal/handlers/.
+# Triggered on every PR/push that touches the handlers package.
+#
+# Why this workflow exists
+# ------------------------
+# Strict-sqlmock unit tests pin which SQL statements fire — they're fast
+# and let us iterate without a DB. But sqlmock CANNOT detect bugs that
+# depend on the row state AFTER the SQL runs. The result_preview-lost
+# bug shipped to staging in PR #2854 because every unit test was
+# satisfied with "an UPDATE statement fired" — none verified the row's
+# preview field actually landed. The local-postgres E2E that retrofit
+# self-review caught it took 2 minutes to set up and would have caught
+# the bug at PR-time.
+#
+# Why this workflow does NOT use `services: postgres:` (Class B fix)
+# ------------------------------------------------------------------
+# Our act_runner config has `container.network: host` (operator host
+# /opt/molecule/runners/config.yaml), which act_runner applies to BOTH
+# the job container AND every service container. With host-net, two
+# concurrent runs of this workflow both try to bind 0.0.0.0:5432 — the
+# second postgres FATALs with `could not create any TCP/IP sockets:
+# Address in use`, and Docker auto-removes it (act_runner sets
+# AutoRemove:true on service containers). By the time the migrations
+# step runs `psql`, the postgres container is gone, hence
+# `Connection refused` then `failed to remove container: No such
+# container` at cleanup time.
+#
+# Per-job `container.network` override is silently ignored by
+# act_runner — `--network and --net in the options will be ignored.`
+# appears in the runner log. Documented constraint.
+#
+# So we sidestep `services:` entirely. The job container still uses
+# host-net (inherited from runner config; required for cache server
+# discovery on the bridge IP 172.18.0.17:42631). We launch a sibling
+# postgres on the existing `molecule-core-net` bridge with a
+# UNIQUE name per run — `pg-handlers-${RUN_ID}-${RUN_ATTEMPT}` — and
+# read its bridge IP via `docker inspect`. A host-net job container
+# can reach a bridge-net container directly via the bridge IP (verified
+# manually on operator host 2026-05-08).
+#
+# Trade-offs vs. the original `services:` shape:
+#   + No host-port collision; N parallel runs share the bridge cleanly
+#   + `if: always()` cleanup runs even on test-step failure
+#   - One more step in the workflow (+~3 lines)
+#   - Requires `molecule-core-net` to exist on the operator host
+#     (it does; declared in docker-compose.yml + docker-compose.infra.yml)
+#
+# Class B Hongming-owned CICD red sweep, 2026-05-08.
+#
+# Cost: ~30s job (postgres pull from cache + go build + 4 tests).
+
+on:
+  push:
+    branches: [main, staging]
+  pull_request:
+    branches: [main, staging]
+concurrency:
+  group: handlers-pg-integ-${{ github.event.pull_request.head.sha || github.sha }}
+  cancel-in-progress: false
+
+env:
+  GITHUB_SERVER_URL: https://git.moleculesai.app
+
+jobs:
+  detect-changes:
+    name: detect-changes
+    runs-on: ubuntu-latest
+    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
+    continue-on-error: true
+    outputs:
+      handlers: ${{ steps.filter.outputs.handlers }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+      - id: filter
+        # Inline replacement for dorny/paths-filter — see e2e-api.yml.
+        run: |
+          BASE="${GITHUB_BASE_REF:-${{ github.event.before }}}"
+          if [ "${{ github.event_name }}" = "pull_request" ] && [ -n "${{ github.event.pull_request.base.sha }}" ]; then
+            BASE="${{ github.event.pull_request.base.sha }}"
+          fi
+          if [ -z "$BASE" ] || echo "$BASE" | grep -qE '^0+$'; then
+            echo "handlers=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          if ! git cat-file -e "$BASE" 2>/dev/null; then
+            git fetch --depth=1 origin "$BASE" 2>/dev/null || true
+          fi
+          if ! git cat-file -e "$BASE" 2>/dev/null; then
+            echo "handlers=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          CHANGED=$(git diff --name-only "$BASE" HEAD)
+          if echo "$CHANGED" | grep -qE '^(workspace-server/internal/handlers/|workspace-server/internal/wsauth/|workspace-server/migrations/|\.gitea/workflows/handlers-postgres-integration\.yml$)'; then
+            echo "handlers=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "handlers=false" >> "$GITHUB_OUTPUT"
+          fi
+
+  # Single-job-with-per-step-if pattern: always runs to satisfy the
+  # required-check name on branch protection; real work gates on the
+  # paths filter. See ci.yml's Platform (Go) for the same shape.
+  integration:
+    name: Handlers Postgres Integration
+    needs: detect-changes
+    runs-on: ubuntu-latest
+    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
+    continue-on-error: true
+    env:
+      # Unique name per run so concurrent jobs don't collide on the
+      # bridge network. ${RUN_ID}-${RUN_ATTEMPT} is unique even across
+      # workflow_dispatch reruns of the same run_id.
+      PG_NAME: pg-handlers-${{ github.run_id }}-${{ github.run_attempt }}
+      # Bridge network already exists on the operator host (declared
+      # in docker-compose.yml + docker-compose.infra.yml).
+      PG_NETWORK: molecule-core-net
+    defaults:
+      run:
+        working-directory: workspace-server
+    steps:
+      - if: needs.detect-changes.outputs.handlers != 'true'
+        working-directory: .
+        run: echo "No handlers/migrations changes — skipping; this job always runs to satisfy the required-check name."
+
+      - if: needs.detect-changes.outputs.handlers == 'true'
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - if: needs.detect-changes.outputs.handlers == 'true'
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version: 'stable'
+
+      - if: needs.detect-changes.outputs.handlers == 'true'
+        name: Start sibling Postgres on bridge network
+        working-directory: .
+        run: |
+          # Sanity: the bridge network must exist on the operator host.
+          # Hard-fail loud if it doesn't — easier to spot than a silent
+          # auto-create that diverges from the rest of the stack.
+          if ! docker network inspect "${PG_NETWORK}" >/dev/null 2>&1; then
+            echo "::error::Bridge network '${PG_NETWORK}' missing on operator host. Re-run docker-compose.infra.yml or check ops handbook."
+            exit 1
+          fi
+
+          # If a stale container with the same name exists (rerun on
+          # the same run_id), wipe it first.
+          docker rm -f "${PG_NAME}" >/dev/null 2>&1 || true
+
+          docker run -d \
+            --name "${PG_NAME}" \
+            --network "${PG_NETWORK}" \
+            --health-cmd "pg_isready -U postgres" \
+            --health-interval 5s \
+            --health-timeout 5s \
+            --health-retries 10 \
+            -e POSTGRES_PASSWORD=test \
+            -e POSTGRES_DB=molecule \
+            postgres:15-alpine >/dev/null
+
+          # Read back the bridge IP. Always present immediately after
+          # `docker run -d` for bridge networks.
+          PG_HOST=$(docker inspect "${PG_NAME}" \
+            --format "{{(index .NetworkSettings.Networks \"${PG_NETWORK}\").IPAddress}}")
+          if [ -z "${PG_HOST}" ]; then
+            echo "::error::Could not resolve PG_HOST for ${PG_NAME} on ${PG_NETWORK}"
+            docker logs "${PG_NAME}" || true
+            exit 1
+          fi
+          echo "PG_HOST=${PG_HOST}" >> "$GITHUB_ENV"
+          echo "INTEGRATION_DB_URL=postgres://postgres:test@${PG_HOST}:5432/molecule?sslmode=disable" >> "$GITHUB_ENV"
+          echo "Started ${PG_NAME} at ${PG_HOST}:5432"
+
+      - if: needs.detect-changes.outputs.handlers == 'true'
+        name: Apply migrations to Postgres service
+        env:
+          PGPASSWORD: test
+        run: |
+          # Wait for postgres to actually accept connections. Docker's
+          # health-cmd handles container-side readiness, but the wire
+          # to the bridge IP is best-tested with pg_isready directly.
+          for i in {1..15}; do
+            if pg_isready -h "${PG_HOST}" -p 5432 -U postgres -q; then break; fi
+            echo "waiting for postgres at ${PG_HOST}:5432..."; sleep 2
+          done
+
+          # Apply every .up.sql in lexicographic order with
+          # ON_ERROR_STOP=0 — failing migrations are SKIPPED rather than
+          # blocking the suite. This handles the current schema state
+          # where a few historical migrations (e.g. 017_memories_fts_*)
+          # depend on tables that were later renamed/dropped and so
+          # cannot replay from scratch. The migrations that DO succeed
+          # land their tables, which is sufficient for the integration
+          # tests in handlers/.
+          #
+          # Why not maintain a curated allowlist: every new migration
+          # touching a handlers/-tested table would have to update this
+          # workflow. With apply-all-or-skip, a future migration that
+          # adds a column to delegations runs automatically (its base
+          # table 049_delegations.up.sql already succeeded above it in
+          # the order). Operators only need to revisit this if the
+          # migration chain becomes legitimately replayable end-to-end.
+          #
+          # Per-migration result is logged so a failed migration that
+          # SHOULD have been replayable surfaces in the CI log instead
+          # of silently failing.
+          # Apply both *.sql (legacy, lives next to its module) and
+          # *.up.sql (newer up/down convention) in a single
+          # lexicographically-sorted pass. Excluding *.down.sql so the
+          # newest-naming-convention pairs don't undo themselves mid-run.
+          # Pre-#149-followup this loop only globbed *.up.sql, which
+          # silently skipped 001_workspaces.sql + 009_activity_logs.sql
+          # — fine while no integration test depended on those tables,
+          # not fine once a cross-table atomicity test came in.
+          set +e
+          for migration in $(ls migrations/*.sql 2>/dev/null | grep -v '\.down\.sql$' | sort); do
+            if psql -h "${PG_HOST}" -U postgres -d molecule -v ON_ERROR_STOP=1 \
+                  -f "$migration" >/dev/null 2>&1; then
+              echo "✓ $(basename "$migration")"
+            else
+              echo "⊘ $(basename "$migration") (skipped — see comment in workflow)"
+            fi
+          done
+          set -e
+
+          # Sanity: the delegations + workspaces + activity_logs tables
+          # MUST exist for the integration tests to be meaningful. Hard-
+          # fail if any didn't land — that would be a real regression we
+          # want loud.
+          for tbl in delegations workspaces activity_logs pending_uploads; do
+            if ! psql -h "${PG_HOST}" -U postgres -d molecule -tA \
+                -c "SELECT 1 FROM information_schema.tables WHERE table_name = '$tbl'" \
+                | grep -q 1; then
+              echo "::error::$tbl table missing after migration replay — handler integration tests would be meaningless"
+              exit 1
+            fi
+            echo "✓ $tbl table present"
+          done
+
+      - if: needs.detect-changes.outputs.handlers == 'true'
+        name: Run integration tests
+        run: |
+          # INTEGRATION_DB_URL is exported by the start-postgres step;
+          # points at the per-run bridge IP, not 127.0.0.1, so concurrent
+          # workflow runs don't fight over a host-net 5432 port.
+          go test -tags=integration -timeout 5m -v ./internal/handlers/ -run "^TestIntegration_"
+
+      - if: failure() && needs.detect-changes.outputs.handlers == 'true'
+        name: Diagnostic dump on failure
+        env:
+          PGPASSWORD: test
+        run: |
+          echo "::group::postgres container status"
+          docker ps -a --filter "name=${PG_NAME}" --format '{{.Status}} {{.Names}}' || true
+          docker logs "${PG_NAME}" 2>&1 | tail -50 || true
+          echo "::endgroup::"
+          echo "::group::delegations table state"
+          psql -h "${PG_HOST}" -U postgres -d molecule -c "SELECT * FROM delegations LIMIT 50;" || true
+          echo "::endgroup::"
+
+      - if: always() && needs.detect-changes.outputs.handlers == 'true'
+        name: Stop sibling Postgres
+        working-directory: .
+        run: |
+          # always() so containers don't leak when migrations or tests
+          # fail. The cleanup is best-effort: if the container is
+          # already gone (e.g. concurrent rerun race), don't fail the job.
+          docker rm -f "${PG_NAME}" >/dev/null 2>&1 || true
+          echo "Cleaned up ${PG_NAME}"

.gitea/workflows/harness-replays.yml

@@ -0,0 +1,262 @@
+name: Harness Replays
+
+# Ported from .github/workflows/harness-replays.yml on 2026-05-11 per RFC
+# internal#219 §1 sweep. Differences from the GitHub version:
+#   - Dropped `workflow_dispatch.inputs` (Gitea 1.22.6 parser rejects them
+#     per feedback_gitea_workflow_dispatch_inputs_unsupported).
+#   - Dropped `merge_group:` (no Gitea merge queue).
+#   - Dropped `environment:` blocks (Gitea has no environments).
+#   - Workflow-level env.GITHUB_SERVER_URL pinned per
+#     feedback_act_runner_github_server_url.
+#   - `continue-on-error: true` on each job (RFC §1 contract).
+#
+
+# Boots tests/harness (production-shape compose topology with TenantGuard,
+# /cp/* proxy, canvas proxy, real production Dockerfile.tenant) and runs
+# every replay under tests/harness/replays/. Fails the PR if any replay
+# fails.
+#
+# Why this exists: 2026-04-30 we shipped #2398 which added /buildinfo as
+# a public route in router.go but forgot to add it to TenantGuard's
+# allowlist. The handler-level test in buildinfo_test.go constructed a
+# minimal gin engine without TenantGuard — green. The harness's
+# buildinfo-stale-image.sh replay would have caught it (cf-proxy doesn't
+# inject X-Molecule-Org-Id, so the curl path is identical to production's
+# redeploy verifier), but no one ran the harness pre-merge. The bug
+# shipped; the redeploy verifier silently soft-warned every tenant as
+# "unreachable" for ~1 day before being noticed.
+#
+# This gate makes "did you actually run the harness?" a CI invariant
+# instead of a memory-discipline thing.
+#
+# Trigger model — match e2e-api.yml: always FIRES on push/pull_request
+# to staging+main, real work is gated per-step on detect-changes output.
+# One job → one check run → branch-protection-clean (the SKIPPED-in-set
+# trap from PR #2264 is documented in e2e-api.yml's e2e-api job comment).
+
+on:
+  push:
+    branches: [main, staging]
+    paths:
+      - 'workspace-server/**'
+      - 'canvas/**'
+      - 'tests/harness/**'
+      - '.gitea/workflows/harness-replays.yml'
+  pull_request:
+    branches: [main, staging]
+    paths:
+      - 'workspace-server/**'
+      - 'canvas/**'
+      - 'tests/harness/**'
+      - '.gitea/workflows/harness-replays.yml'
+concurrency:
+  # Per-SHA grouping. Per-ref kept hitting the auto-promote-staging
+  # cancellation deadlock — see e2e-api.yml's concurrency block for
+  # the 2026-04-28 incident that codified this pattern.
+  group: harness-replays-${{ github.event.pull_request.head.sha || github.sha }}
+  cancel-in-progress: false
+
+env:
+  GITHUB_SERVER_URL: https://git.moleculesai.app
+
+jobs:
+  detect-changes:
+    runs-on: ubuntu-latest
+    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
+    continue-on-error: true
+    outputs:
+      run: ${{ steps.decide.outputs.run }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - id: decide
+        run: |
+          # workflow_dispatch: always run (manual trigger)
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            echo "run=true" >> "$GITHUB_OUTPUT"
+            echo "debug=manual-trigger" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          # Determine the base commit to diff against.
+          # For pull_request: use base.sha (the merge-base with main/staging).
+          # For push: use github.event.before (the previous tip of the branch).
+          # Fallback for new branches (all-zeros SHA): run everything.
+          if [ "${{ github.event_name }}" = "pull_request" ] && \
+             [ -n "${{ github.event.pull_request.base.sha }}" ]; then
+            BASE="${{ github.event.pull_request.base.sha }}"
+          elif [ -n "${{ github.event.before }}" ] && \
+               ! echo "${{ github.event.before }}" | grep -qE '^0+$'; then
+            BASE="${{ github.event.before }}"
+          else
+            # New branch or github.event.before unavailable — run everything.
+            echo "run=true" >> "$GITHUB_OUTPUT"
+            echo "debug=new-branch-fallback" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          # GitHub Actions and Gitea Actions both expose github.sha for HEAD.
+          DIFF=$(git diff --name-only "$BASE" "${{ github.sha }}" 2>/dev/null)
+          echo "debug=diff-base=$BASE diff-files=$DIFF" >> "$GITHUB_OUTPUT"
+
+          if echo "$DIFF" | grep -qE '^workspace-server/|^canvas/|^tests/harness/|^.gitea/workflows/harness-replays\.yml$'; then
+            echo "run=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "run=false" >> "$GITHUB_OUTPUT"
+          fi
+
+  # ONE job that always runs. Real work is gated per-step on
+  # detect-changes.outputs.run so an unrelated PR (e.g. doc-only
+  # change to molecule-controlplane wired here later) emits the
+  # required check without spending CI cycles. Single-job pattern
+  # matches e2e-api.yml — see that workflow's comment for why a
+  # job-level `if: false` would block branch protection via the
+  # SKIPPED-in-set bug.
+  harness-replays:
+    needs: detect-changes
+    name: Harness Replays
+    runs-on: ubuntu-latest
+    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
+    continue-on-error: true
+    timeout-minutes: 30
+    steps:
+      - name: No-op pass (paths filter excluded this commit)
+        if: needs.detect-changes.outputs.run != 'true'
+        run: |
+          echo "No workspace-server / canvas / tests/harness / workflow changes — Harness Replays gate satisfied without running."
+          echo "::notice::Harness Replays no-op pass (paths filter excluded this commit)."
+          echo "::notice::Debug: ${{ needs.detect-changes.outputs.debug }}"
+
+      - if: needs.detect-changes.outputs.run == 'true'
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      # Log what files were detected so future failures include the diff.
+      - name: Log detected changes
+        if: needs.detect-changes.outputs.run == 'true'
+        run: |
+          echo "::notice::detect-changes debug: ${{ needs.detect-changes.outputs.debug }}"
+
+      # github-app-auth sibling-checkout removed 2026-05-07 (#157):
+      # the plugin was dropped + Dockerfile.tenant no longer COPYs it.
+
+      # Pre-clone manifest deps before docker compose builds the tenant
+      # image (Task #173 followup — same pattern as
+      # publish-workspace-server-image.yml's "Pre-clone manifest deps"
+      # step).
+      #
+      # Why pre-clone here too: tests/harness/compose.yml builds tenant-alpha
+      # and tenant-beta from workspace-server/Dockerfile.tenant with
+      # context=../.. (repo root). That Dockerfile expects
+      # .tenant-bundle-deps/{workspace-configs-templates,org-templates,plugins}
+      # to be present at build context root (post-#173 it COPYs from there
+      # instead of running an in-image clone — the in-image clone failed
+      # with "could not read Username for https://git.moleculesai.app"
+      # because there's no auth path inside the build sandbox).
+      #
+      # Without this step harness-replays fails before any replay runs,
+      # with `failed to calculate checksum of ref ...
+      # "/.tenant-bundle-deps/plugins": not found`. Caught by run #892
+      # (main, 2026-05-07T20:28:53Z) and run #964 (staging — same
+      # symptom, different root cause: staging still has the in-image
+      # clone path, hits the auth error directly).
+      #
+      # 2026-05-08 sub-finding (#192): the clone step ALSO fails when
+      # any referenced workspace-template repo is private and the
+      # AUTO_SYNC_TOKEN bearer (devops-engineer persona) lacks read
+      # access. Root cause: 5 of 9 workspace-template repos
+      # (openclaw, codex, crewai, deepagents, gemini-cli) had been
+      # marked private with no team grant. Resolution: flipped them
+      # to public per `feedback_oss_first_repo_visibility_default`
+      # (the OSS surface should be public). Layer-3 (customer-private +
+      # marketplace third-party repos) tracked separately in
+      # internal#102.
+      #
+      # Token shape matches publish-workspace-server-image.yml: AUTO_SYNC_TOKEN
+      # is the devops-engineer persona PAT, NOT the founder PAT (per
+      # `feedback_per_agent_gitea_identity_default`). clone-manifest.sh
+      # embeds it as basic-auth for the duration of the clones and strips
+      # .git directories — the token never enters the resulting image.
+      - name: Pre-clone manifest deps
+        if: needs.detect-changes.outputs.run == 'true'
+        env:
+          MOLECULE_GITEA_TOKEN: ${{ secrets.AUTO_SYNC_TOKEN }}
+        run: |
+          set -euo pipefail
+          if [ -z "${MOLECULE_GITEA_TOKEN}" ]; then
+            echo "::error::AUTO_SYNC_TOKEN secret is empty — register the devops-engineer persona PAT in repo Actions secrets"
+            exit 1
+          fi
+          mkdir -p .tenant-bundle-deps
+          bash scripts/clone-manifest.sh \
+            manifest.json \
+            .tenant-bundle-deps/workspace-configs-templates \
+            .tenant-bundle-deps/org-templates \
+            .tenant-bundle-deps/plugins
+          # Sanity-check counts so a silent partial clone fails fast
+          # instead of producing a half-empty image.
+          ws_count=$(find .tenant-bundle-deps/workspace-configs-templates -mindepth 1 -maxdepth 1 -type d | wc -l)
+          org_count=$(find .tenant-bundle-deps/org-templates -mindepth 1 -maxdepth 1 -type d | wc -l)
+          plugins_count=$(find .tenant-bundle-deps/plugins -mindepth 1 -maxdepth 1 -type d | wc -l)
+          echo "Cloned: ws=$ws_count org=$org_count plugins=$plugins_count"
+
+      - name: Install Python deps for replays
+        # peer-discovery-404 (and future replays) eval Python against the
+        # running tenant — importing workspace/a2a_client.py pulls in
+        # httpx. tests/harness/requirements.txt holds just the HTTP-client
+        # surface to keep CI install fast (~3s) vs the full
+        # workspace/requirements.txt (~30s).
+        if: needs.detect-changes.outputs.run == 'true'
+        run: pip install -r tests/harness/requirements.txt
+
+      - name: Run all replays against the harness
+        # run-all-replays.sh: boot via up.sh → seed via seed.sh → run
+        # every replays/*.sh → tear down via down.sh on EXIT (trap).
+        # Non-zero exit on any replay failure.
+        #
+        # KEEP_UP=1: without this, the script's trap-on-EXIT tears
+        # down containers immediately on failure, leaving the dump
+        # step below with nothing to dump (verified on PR #2410's
+        # first run — tenant became unhealthy, trap fired, dump
+        # step saw empty containers). Keeping them up lets the
+        # failure path collect tenant/cp-stub/cf-proxy logs. The
+        # always-run "Force teardown" step does the actual cleanup.
+        if: needs.detect-changes.outputs.run == 'true'
+        working-directory: tests/harness
+        env:
+          KEEP_UP: "1"
+        run: ./run-all-replays.sh
+
+      - name: Dump compose logs on failure
+        # SECRETS_ENCRYPTION_KEY: docker compose validates the entire compose
+        # file even for read-only `logs` calls. up.sh generates a per-run key
+        # and exports it to its OWN shell — this step runs in a fresh shell
+        # that wouldn't see it, so without a placeholder the validate step
+        # errors before logs print (verified against PR #2492's first run:
+        # "required variable SECRETS_ENCRYPTION_KEY is missing a value").
+        # A placeholder is fine — we're only reading log streams, not booting.
+        if: failure() && needs.detect-changes.outputs.run == 'true'
+        working-directory: tests/harness
+        env:
+          SECRETS_ENCRYPTION_KEY: dump-logs-placeholder
+        run: |
+          echo "=== docker compose ps ==="
+          docker compose -f compose.yml ps || true
+          echo "=== tenant-alpha logs ==="
+          docker compose -f compose.yml logs tenant-alpha || true
+          echo "=== tenant-beta logs ==="
+          docker compose -f compose.yml logs tenant-beta || true
+          echo "=== cp-stub logs ==="
+          docker compose -f compose.yml logs cp-stub || true
+          echo "=== cf-proxy logs ==="
+          docker compose -f compose.yml logs cf-proxy || true
+          echo "=== postgres-alpha logs (last 100) ==="
+          docker compose -f compose.yml logs --tail 100 postgres-alpha || true
+          echo "=== postgres-beta logs (last 100) ==="
+          docker compose -f compose.yml logs --tail 100 postgres-beta || true
+
+      - name: Force teardown
+        # We pass KEEP_UP=1 to run-all-replays.sh so the dump step
+        # above sees real containers — that means we own teardown
+        # explicitly here. Always run.
+        if: always() && needs.detect-changes.outputs.run == 'true'
+        working-directory: tests/harness
+        run: ./down.sh || true

.gitea/workflows/publish-canvas-image.yml

@@ -0,0 +1,138 @@
+name: publish-canvas-image
+
+# Ported from .github/workflows/publish-canvas-image.yml on 2026-05-11 per RFC
+# internal#219 §1 sweep. Differences from the GitHub version:
+#   - Dropped `workflow_dispatch.inputs` (Gitea 1.22.6 parser rejects them
+#     per feedback_gitea_workflow_dispatch_inputs_unsupported).
+#   - Dropped `merge_group:` (no Gitea merge queue).
+#   - Dropped `environment:` blocks (Gitea has no environments).
+#   - Workflow-level env.GITHUB_SERVER_URL pinned per
+#     feedback_act_runner_github_server_url.
+#   - `continue-on-error: true` on each job (RFC §1 contract).
+#   - **Open question for review**: this workflow pushes the canvas
+#     image to `ghcr.io`. GHCR was retired during the 2026-05-06
+#     Gitea migration in favor of ECR (per canary-verify.yml header
+#     notes). The image may not be consumable post-migration. Two
+#     options for follow-up: (a) retarget to
+#     `153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/canvas`,
+#     or (b) retire this workflow entirely and route canvas deploys
+#     via the operator-host build path. tier:low + continue-on-error
+#     means failed pushes do not block PRs.
+#
+
+# Builds and pushes the canvas Docker image to GHCR whenever a commit lands
+# on main that touches canvas code. Previously canvas changes were visible in
+# CI (npm run build passed) but the live container was never updated —
+# operators had to manually run `docker compose build canvas` each time.
+#
+# Mirror of publish-platform-image.yml, adapted for the Next.js canvas layer.
+# See that workflow for inline notes on macOS Keychain isolation and QEMU.
+
+on:
+  push:
+    branches: [main]
+    paths:
+      # Only rebuild when canvas source changes — saves GHA minutes on
+      # platform-only / docs-only / MCP-only merges.
+      - 'canvas/**'
+      - '.gitea/workflows/publish-canvas-image.yml'
+  # NOTE (Gitea port): the original GitHub workflow had a
+  # `workflow_dispatch:` manual trigger for the
+  # non-canvas-merge-but-need-fresh-image scenario. Dropped in the
+  # Gitea port (1.22.6 parser-finicky). Manual rebuilds require
+  # pushing an empty commit to canvas/ or running the operator-host
+  # build directly.
+
+permissions:
+  contents: read
+  packages: write  # required to push to ghcr.io/${{ github.repository_owner }}/*
+
+env:
+  IMAGE_NAME: ghcr.io/molecule-ai/canvas
+  GITHUB_SERVER_URL: https://git.moleculesai.app
+
+jobs:
+  build-and-push:
+    name: Build & push canvas image
+    runs-on: ubuntu-latest
+    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
+    continue-on-error: true
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Log in to GHCR
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+      # Health check: verify Docker daemon is accessible before attempting any
+      # build steps. This fails loudly at step 1 when the runner's docker.sock
+      # is inaccessible rather than silently continuing to the build step
+      # where docker build fails deep in ECR auth with a cryptic error.
+      - name: Verify Docker daemon access
+        run: |
+          set -euo pipefail
+          echo "::group::Docker daemon health check"
+          docker info 2>&1 | head -5 || {
+            echo "::error::Docker daemon is not accessible at /var/run/docker.sock"
+            echo "::error::Check: (1) daemon running, (2) runner user in docker group, (3) sock perms 660+"
+            exit 1
+          }
+          echo "Docker daemon OK"
+          echo "::endgroup::"
+
+      - name: Compute tags
+        id: tags
+        shell: bash
+        run: |
+          echo "sha=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"
+
+      - name: Resolve build args
+        id: build_args
+        # Priority: workflow_dispatch input > repo secret > hardcoded default.
+        # NEXT_PUBLIC_* env vars are baked into the JS bundle at build time by
+        # Next.js — they cannot be changed at runtime without a full rebuild.
+        # For local docker-compose deployments the defaults (localhost:8080)
+        # work as-is; production deployments should set CANVAS_PLATFORM_URL
+        # and CANVAS_WS_URL as repository secrets.
+        #
+        # Inputs are passed via env vars (not direct ${{ }} interpolation) to
+        # prevent shell injection from workflow_dispatch string inputs.
+        shell: bash
+        env:
+          INPUT_PLATFORM_URL: ${{ github.event.inputs.platform_url }}
+          SECRET_PLATFORM_URL: ${{ secrets.CANVAS_PLATFORM_URL }}
+          INPUT_WS_URL: ${{ github.event.inputs.ws_url }}
+          SECRET_WS_URL: ${{ secrets.CANVAS_WS_URL }}
+        run: |
+          PLATFORM_URL="${INPUT_PLATFORM_URL:-${SECRET_PLATFORM_URL:-http://localhost:8080}}"
+          WS_URL="${INPUT_WS_URL:-${SECRET_WS_URL:-ws://localhost:8080/ws}}"
+
+          echo "platform_url=${PLATFORM_URL}" >> "$GITHUB_OUTPUT"
+          echo "ws_url=${WS_URL}" >> "$GITHUB_OUTPUT"
+
+      - name: Build & push canvas image to GHCR
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        with:
+          context: ./canvas
+          file: ./canvas/Dockerfile
+          platforms: linux/amd64
+          push: true
+          build-args: |
+            NEXT_PUBLIC_PLATFORM_URL=${{ steps.build_args.outputs.platform_url }}
+            NEXT_PUBLIC_WS_URL=${{ steps.build_args.outputs.ws_url }}
+          tags: |
+            ${{ env.IMAGE_NAME }}:latest
+            ${{ env.IMAGE_NAME }}:sha-${{ steps.tags.outputs.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          labels: |
+            org.opencontainers.image.source=https://github.com/${{ github.repository }}
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.description=Molecule AI canvas (Next.js 15 + React Flow)

.gitea/workflows/publish-runtime-autobump.yml

@@ -0,0 +1,100 @@
+name: publish-runtime-autobump
+
+# Auto-bump-on-workspace-edit half of the publish pipeline.
+#
+# Why this file exists (issue #351):
+#   Gitea Actions does not correctly disambiguate `paths:` from `tags:`
+#   when both are bundled under a single `on.push` key. The result is
+#   that tag pushes get filtered out and `publish-runtime.yml` never
+#   fires — `action_run` rows: 0. This was unnoticed pre-2026-05-11
+#   because PYPI_TOKEN was absent (publishes would have failed anyway).
+#
+#   Split design:
+#     - publish-runtime.yml         : on.push.tags only        (the publisher)
+#     - publish-runtime-autobump.yml: on.push.branches+paths   (this file — the version-bumper)
+#
+#   This file computes the next version from PyPI's latest, pushes a
+#   `runtime-v$VERSION` tag, and exits. The tag push then triggers
+#   publish-runtime.yml via its tags-only trigger.
+#
+# Concurrency: shares the `publish-runtime` group with publish-runtime.yml
+# so concurrent workspace pushes serialize at the bump step. Without
+# this, two pushes minutes apart could both read PyPI latest=0.1.129
+# and try to tag 0.1.130 simultaneously, only one of which would land.
+
+on:
+  push:
+    branches:
+      - main
+      - staging
+    paths:
+      - "workspace/**"
+
+permissions:
+  contents: write  # required to push tags back
+
+concurrency:
+  group: publish-runtime
+  cancel-in-progress: false
+
+jobs:
+  autobump-and-tag:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          # Fetch full tag list so the bump logic can sanity-check against
+          # what's already in this repo (catches collision with prior
+          # manual tag pushes).
+          fetch-depth: 0
+
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: "3.11"
+
+      - name: Compute next version from PyPI latest
+        id: bump
+        run: |
+          set -eu
+          LATEST=$(curl -fsS --retry 3 https://pypi.org/pypi/molecule-ai-workspace-runtime/json \
+            | python -c "import sys,json; print(json.load(sys.stdin)['info']['version'])")
+          MAJOR=$(echo "$LATEST" | cut -d. -f1)
+          MINOR=$(echo "$LATEST" | cut -d. -f2)
+          PATCH=$(echo "$LATEST" | cut -d. -f3)
+          VERSION="${MAJOR}.${MINOR}.$((PATCH+1))"
+          echo "PyPI latest=$LATEST -> next=$VERSION"
+          if ! echo "$VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+$'; then
+            echo "::error::computed version $VERSION does not match PEP 440 X.Y.Z"
+            exit 1
+          fi
+          if git tag --list | grep -qx "runtime-v$VERSION"; then
+            echo "::error::tag runtime-v$VERSION already exists in this repo. Manual intervention required (PyPI and Gitea tag history are out of sync)."
+            exit 1
+          fi
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Push runtime-v$VERSION tag
+        env:
+          DISPATCH_TOKEN: ${{ secrets.DISPATCH_TOKEN }}
+          VERSION: ${{ steps.bump.outputs.version }}
+          GITEA_URL: https://git.moleculesai.app
+        run: |
+          set -eu
+          if [ -z "$DISPATCH_TOKEN" ]; then
+            echo "::error::DISPATCH_TOKEN secret is not set — needed to push the tag back to molecule-core."
+            exit 1
+          fi
+          git config user.name  "publish-runtime autobump"
+          git config user.email "publish-runtime@moleculesai.app"
+          git tag -a "runtime-v$VERSION" \
+            -m "Auto-bump on workspace/** edit on $GITHUB_REF" \
+            -m "Triggered by: $GITHUB_REF @ $GITHUB_SHA" \
+            -m "publish-runtime.yml will pick up this tag and upload to PyPI"
+          # Push via DISPATCH_TOKEN (a Gitea PAT). Using the bot identity
+          # ensures the resulting tag-push event is dispatched to
+          # publish-runtime.yml; act_runner's default GITHUB_TOKEN cannot
+          # trigger downstream workflows.
+          git remote set-url origin "${GITEA_URL#https://}"
+          git remote set-url origin "https://x-access-token:${DISPATCH_TOKEN}@${GITEA_URL#https://}/molecule-ai/molecule-core.git"
+          git push origin "runtime-v$VERSION"
+          echo "✓ pushed runtime-v$VERSION — publish-runtime.yml should fire next"

.gitea/workflows/publish-runtime.yml

@@ -12,7 +12,24 @@ name: publish-runtime
 #   - Replaced `github.ref_name` (GitHub-only) with `${GITHUB_REF#refs/tags/}`
 #     — Gitea Actions exposes github.ref (the full ref) but not ref_name
 #   - Dropped `merge_group` trigger (Gitea has no merge queue)
-#   - Dropped `staging` branch trigger (no staging branch exists in this repo)
+#
+# 2026-05-10 (issue #348): originally restored `staging`/`main` branch +
+# `workspace/**` path-filter trigger in PR #349.
+#
+# 2026-05-11 (issue #351): REVERTED the branches+paths trigger from THIS
+# file. Bundling `paths` with `tags` under a single `on.push` key caused
+# Gitea Actions to never dispatch the workflow for tag-push events (0
+# runs in `action_run` for workflow_id='publish-runtime.yml' since the
+# port, including the runtime-v1.0.0 tag — which is why PyPI is still at
+# 0.1.129 despite a v1.0.0 Gitea tag existing).
+#
+# The auto-bump-on-workspace-edit trigger now lives in
+# `.gitea/workflows/publish-runtime-autobump.yml`. That file computes the
+# next version from PyPI's latest and pushes a `runtime-v$VERSION` tag,
+# which THIS file then picks up via the tags-only trigger below.
+#
+# This decoupling means Gitea's path-vs-tag evaluator never has to
+# disambiguate — each file has a single unambiguous trigger shape.
 #
 # PyPI publishing: requires PYPI_TOKEN repository secret (or org-level secret).
 # Set via: repo Settings → Actions → Variables and Secrets → New Secret.
@@ -26,11 +43,17 @@ on:
     tags:
       - "runtime-v*"
   workflow_dispatch:
-    inputs:
-      version:
-        description: "Version to publish (e.g. 0.1.6). Required for manual dispatch."
-        required: true
-        type: string
+  # 2026-05-11 (root cause of #351 / 0 runs ever):
+  # Gitea 1.22.6's workflow parser rejects `workflow_dispatch.inputs.version`
+  # with "unknown on type" — it mis-treats the inputs sub-keys as top-level
+  # `on:` event types. Log line:
+  #   actions/workflows.go:DetectWorkflows() [W] ignore invalid workflow
+  #   "publish-runtime.yml": unknown on type: map["version": {...}]
+  # That `[W] ignore invalid workflow` is silent UX — the workflow never
+  # registers, so it never fires for ANY event (push.tags included).
+  # Removing the inputs block restores parsing. Manual dispatch from the
+  # Gitea UI now triggers the PyPI auto-bump fallback in `Derive version`
+  # below (no `inputs.version` to read).
 
 permissions:
   contents: read
@@ -55,20 +78,15 @@ jobs:
           python-version: "3.11"
           cache: pip
 
-      - name: Derive version (tag, manual input, or PyPI auto-bump)
+      - name: Derive version (tag or PyPI auto-bump)
         id: version
         run: |
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            VERSION="${{ inputs.version }}"
-          elif echo "$GITHUB_REF" | grep -q "^refs/tags/runtime-v"; then
+          if echo "$GITHUB_REF" | grep -q "^refs/tags/runtime-v"; then
             # Tag is `runtime-vX.Y.Z` — strip the prefix.
             VERSION="${GITHUB_REF#refs/tags/runtime-v}"
           else
-            # Fallback: derive from PyPI latest + patch bump.
-            # (The staging-push auto-bump trigger is dropped on Gitea —
-            # no staging branch exists. This fallback path is kept for
-            # robustness if a future automation uses workflow_dispatch without
-            # an explicit version input.)
+            # workflow_dispatch path (no inputs supported on Gitea 1.22.6) or
+            # any other non-tag trigger: derive from PyPI latest + patch bump.
             LATEST=$(curl -fsS --retry 3 https://pypi.org/pypi/molecule-ai-workspace-runtime/json \
               | python -c "import sys,json; print(json.load(sys.stdin)['info']['version'])")
             MAJOR=$(echo "$LATEST" | cut -d. -f1)
@@ -121,6 +139,14 @@ jobs:
           /tmp/smoke/bin/python "$GITHUB_WORKSPACE/scripts/wheel_smoke.py"
 
       - name: Publish to PyPI
+        # working-directory matches the preceding Build/Verify steps. Without
+        # this, twine runs from the default workspace checkout dir where
+        # `dist/` doesn't exist and fails with:
+        #   ERROR InvalidDistribution: Cannot find file (or expand pattern): 'dist/*'
+        # Caught on the first-ever successful dispatch of this workflow
+        # (run 5097, 2026-05-11 02:08Z) — every other step in the publish
+        # job already had this working-directory; Publish was missing it.
+        working-directory: ${{ runner.temp }}/runtime-build
         env:
           # PYPI_TOKEN: repository secret scoped to molecule-ai-workspace-runtime.
           # Set via: Settings → Actions → Variables and Secrets → New Secret.
@@ -181,13 +207,23 @@ jobs:
 
           # Stage (b): download wheel + SHA256 compare against what we built.
           # Catches Fastly stale-content serving old bytes under a new version URL.
-          HASH=$(python -m pip download \
-                    --no-deps \
-                    --no-cache-dir \
-                    --dest /tmp/wheel-probe \
-                    "molecule-ai-workspace-runtime==${RUNTIME_VERSION}" \
-                    2>/dev/null \
-                 && sha256sum /tmp/wheel-probe/*.whl | awk '{print $1}')
+          #
+          # Caught run 5196 (first-ever successful publish, 2026-05-11): the
+          # previous one-liner `HASH=$(pip download ... && sha256sum ...)`
+          # captured pip's stdout (`Collecting molecule-ai-workspace-runtime
+          # ==X.Y.Z`) into HASH, then the SHA comparison failed against the
+          # leaked `Collecting...` string. `2>/dev/null` silences stderr but
+          # NOT stdout; pip writes its progress to stdout by default.
+          # Fix: split into two steps, silence pip's stdout explicitly, capture
+          # only sha256sum's output into HASH.
+          python -m pip download \
+            --no-deps \
+            --no-cache-dir \
+            --dest /tmp/wheel-probe \
+            --quiet \
+            "molecule-ai-workspace-runtime==${RUNTIME_VERSION}" \
+            >/dev/null 2>&1
+          HASH=$(sha256sum /tmp/wheel-probe/*.whl | awk '{print $1}')
           if [ "$HASH" != "$EXPECTED_SHA256" ]; then
             echo "::error::PyPI propagated $RUNTIME_VERSION but wheel content SHA256 mismatch."
             echo "::error::Expected: $EXPECTED_SHA256"

.gitea/workflows/publish-workspace-server-image.yml

@@ -32,9 +32,11 @@ on:
       - '.gitea/workflows/publish-workspace-server-image.yml'
   workflow_dispatch:
 
-# Serialize per-branch so two rapid main pushes don't race the same
-# :staging-latest tag retag. Allow parallel runs as they produce
-# different :staging-<sha> tags and last-write-wins on :staging-latest.
+# Serialize per-branch so two rapid staging pushes don't race the same
+# :staging-latest tag retag. Allow staging and main to run in parallel
+# (different GITHUB_REF → different concurrency group) since they
+# produce different :staging-<sha> tags and last-write-wins on
+# :staging-latest is acceptable across branches.
 #
 # cancel-in-progress: false → in-flight builds finish; the next push's
 # build queues. This avoids a partially-pushed image.

.gitea/workflows/redeploy-tenants-on-main.yml

@@ -0,0 +1,375 @@
+name: redeploy-tenants-on-main
+
+# Ported from .github/workflows/redeploy-tenants-on-main.yml on 2026-05-11 per RFC
+# internal#219 §1 sweep. Differences from the GitHub version:
+#   - Dropped `workflow_dispatch.inputs` (Gitea 1.22.6 parser rejects them
+#     per feedback_gitea_workflow_dispatch_inputs_unsupported).
+#   - Dropped `merge_group:` (no Gitea merge queue).
+#   - Dropped `environment:` blocks (Gitea has no environments).
+#   - Workflow-level env.GITHUB_SERVER_URL pinned per
+#     feedback_act_runner_github_server_url.
+#   - `continue-on-error: true` on each job (RFC §1 contract).
+#   - **Gitea workflow_run trigger limitation**: Gitea 1.22.6's support
+#     for the `workflow_run` event is partial. If this never fires on a
+#     real publish-workspace-server-image completion, the follow-up
+#     triage PR should replace the trigger with a push-with-paths-filter
+#     on .gitea/workflows/publish-workspace-server-image.yml. Until
+#     then continue-on-error+dead-workflow doesn't break anything.
+#
+
+# Auto-refresh prod tenant EC2s after every main merge.
+#
+# Why this workflow exists: publish-workspace-server-image builds and
+# pushes a new platform-tenant :<sha> to ECR on every merge to main,
+# but running tenants pulled their image once at boot and never re-pull.
+# Users see stale code indefinitely.
+#
+# This workflow closes the gap by calling the control-plane admin
+# endpoint that performs a canary-first, batched, health-gated rolling
+# redeploy across every live tenant. Implemented in molecule-ai/
+# molecule-controlplane as POST /cp/admin/tenants/redeploy-fleet
+# (feat/tenant-auto-redeploy, landing alongside this workflow).
+#
+# Registry: ECR (153263036946.dkr.ecr.us-east-2.amazonaws.com/
+# molecule-ai/platform-tenant). GHCR was retired 2026-05-07 during the
+# Gitea suspension migration. The canary-verify.yml promote step now
+# uses the same redeploy-fleet endpoint (fixes the silent-GHCR gap).
+#
+# Runtime ordering:
+#   1. publish-workspace-server-image completes → new :staging-<sha> in ECR.
+#   2. This workflow fires via workflow_run, calls redeploy-fleet with
+#      target_tag=staging-<sha>. No CDN propagation wait needed —
+#      ECR image manifest is consistent immediately after push.
+#   3. Calls redeploy-fleet with canary_slug (if set) and a soak
+#      period. Canary proves the image boots; batches follow.
+#   4. Any failure aborts the rollout and leaves older tenants on the
+#      prior image — safer default than half-and-half state.
+#
+# Rollback path: re-run this workflow with a specific SHA pinned via
+# the workflow_dispatch input. That calls redeploy-fleet with
+# target_tag=<sha>, re-pulling the older image on every tenant.
+
+on:
+  workflow_run:
+    workflows: ['publish-workspace-server-image']
+    types: [completed]
+    branches: [main]
+permissions:
+  contents: read
+  # No write scopes needed — the workflow hits an external CP endpoint,
+  # not the GitHub API.
+
+# Serialize redeploys so two rapid main pushes' redeploys don't overlap
+# and cause confusing per-tenant SSM state. Without this, GitHub's
+# implicit workflow_run queueing would *probably* serialize them, but
+# the explicit block makes the invariant defensible. Mirrors the
+# concurrency block on redeploy-tenants-on-staging.yml for shape parity.
+#
+# cancel-in-progress: false → aborting a half-rolled-out fleet would
+# leave tenants stuck on whatever image they happened to be on when
+# cancelled. Better to finish the in-flight rollout before starting
+# the next one.
+concurrency:
+  group: redeploy-tenants-on-main
+  cancel-in-progress: false
+
+env:
+  GITHUB_SERVER_URL: https://git.moleculesai.app
+
+jobs:
+  redeploy:
+    # Skip the auto-trigger if publish-workspace-server-image didn't
+    # actually succeed. workflow_run fires on any completion state; we
+    # don't want to redeploy against a half-built image.
+    # NOTE (Gitea port): workflow_dispatch trigger dropped; only the
+    # workflow_run path remains.
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
+    continue-on-error: true
+    timeout-minutes: 25
+    steps:
+      - name: Note on ECR propagation
+        # ECR image manifests are consistent immediately after push — no
+        # CDN cache to wait for. The old GHCR-based workflow had a 30s
+        # sleep to avoid race conditions; ECR makes that unnecessary.
+        run: echo "ECR image available immediately after push — proceeding."
+
+      - name: Compute target tag
+        id: tag
+        # Resolution order:
+        #   1. Operator-supplied input (workflow_dispatch with explicit
+        #      tag) → used verbatim. Lets ops pin `latest` for emergency
+        #      rollback to last canary-verified digest, or pin a specific
+        #      `staging-<sha>` to roll back to a known-good build.
+        #   2. Default → `staging-<short_head_sha>`. The just-published
+        #      digest. Bypasses the `:latest` retag path that's currently
+        #      dead (canary-verify soft-skips without canary fleet, so
+        #      the only thing retagging `:latest` today is the manual
+        #      promote-latest.yml — last run 2026-04-28). Auto-trigger
+        #      from workflow_run uses workflow_run.head_sha; manual
+        #      dispatch with no input falls through to github.sha.
+        env:
+          INPUT_TAG: ${{ inputs.target_tag }}
+          HEAD_SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
+        run: |
+          set -euo pipefail
+          if [ -n "${INPUT_TAG:-}" ]; then
+            echo "target_tag=$INPUT_TAG" >> "$GITHUB_OUTPUT"
+            echo "Using operator-pinned tag: $INPUT_TAG"
+          else
+            SHORT="${HEAD_SHA:0:7}"
+            echo "target_tag=staging-$SHORT" >> "$GITHUB_OUTPUT"
+            echo "Using auto tag: staging-$SHORT (head_sha=$HEAD_SHA)"
+          fi
+
+      - name: Call CP redeploy-fleet
+        # CP_ADMIN_API_TOKEN must be set as a repo/org secret on
+        # molecule-ai/molecule-core, matching the staging/prod CP's
+        # CP_ADMIN_API_TOKEN env. Stored in Railway, mirrored to this
+        # repo's secrets for CI.
+        env:
+          CP_URL: ${{ vars.CP_URL || 'https://api.moleculesai.app' }}
+          CP_ADMIN_API_TOKEN: ${{ secrets.CP_ADMIN_API_TOKEN }}
+          TARGET_TAG: ${{ steps.tag.outputs.target_tag }}
+          CANARY_SLUG: ${{ inputs.canary_slug || 'hongming' }}
+          SOAK_SECONDS: ${{ inputs.soak_seconds || '60' }}
+          BATCH_SIZE: ${{ inputs.batch_size || '3' }}
+          DRY_RUN: ${{ inputs.dry_run || false }}
+        run: |
+          set -euo pipefail
+
+          if [ -z "${CP_ADMIN_API_TOKEN:-}" ]; then
+            echo "::error::CP_ADMIN_API_TOKEN secret not set — skipping redeploy"
+            echo "::notice::Set CP_ADMIN_API_TOKEN in repo secrets to enable auto-redeploy."
+            exit 1
+          fi
+
+          BODY=$(jq -nc \
+            --arg tag "$TARGET_TAG" \
+            --arg canary "$CANARY_SLUG" \
+            --argjson soak "$SOAK_SECONDS" \
+            --argjson batch "$BATCH_SIZE" \
+            --argjson dry "$DRY_RUN" \
+            '{
+              target_tag: $tag,
+              canary_slug: $canary,
+              soak_seconds: $soak,
+              batch_size: $batch,
+              dry_run: $dry
+            }')
+
+          echo "POST $CP_URL/cp/admin/tenants/redeploy-fleet"
+          echo "  body: $BODY"
+
+          HTTP_RESPONSE=$(mktemp)
+          HTTP_CODE_FILE=$(mktemp)
+          # Route -w into its own tempfile so curl's exit code (e.g. 56
+          # on connection-reset, 22 on --fail-with-body 4xx/5xx) can't
+          # pollute the captured stdout. The previous inline-substitution
+          # shape produced "000000" on connection reset (curl wrote
+          # "000" via -w, then the inline echo-fallback appended another
+          # "000") — caught on the 2026-05-04 redeploy of sha 2b862f6.
+          # set +e/-e keeps the non-zero curl exit from tripping the
+          # outer pipeline. See lint-curl-status-capture.yml for the
+          # CI gate that pins this fix shape.
+          set +e
+          curl -sS -o "$HTTP_RESPONSE" -w '%{http_code}' \
+            -m 1200 \
+            -H "Authorization: Bearer $CP_ADMIN_API_TOKEN" \
+            -H "Content-Type: application/json" \
+            -X POST "$CP_URL/cp/admin/tenants/redeploy-fleet" \
+            -d "$BODY" >"$HTTP_CODE_FILE"
+          set -e
+          # Stderr from curl (e.g. dial errors with -sS) goes to the runner
+          # log so operators can see WHY a connection failed. Stdout is
+          # captured to $HTTP_CODE_FILE because that's where -w writes.
+          HTTP_CODE=$(cat "$HTTP_CODE_FILE" 2>/dev/null || echo "000")
+          [ -z "$HTTP_CODE" ] && HTTP_CODE="000"
+
+          echo "HTTP $HTTP_CODE"
+          cat "$HTTP_RESPONSE" | jq . || cat "$HTTP_RESPONSE"
+
+          # Pretty-print per-tenant results in the job summary so
+          # ops can see which tenants were redeployed without drilling
+          # into the raw response.
+          {
+            echo "## Tenant redeploy fleet"
+            echo ""
+            echo "**Target tag:** \`$TARGET_TAG\`"
+            echo "**Canary:** \`$CANARY_SLUG\` (soak ${SOAK_SECONDS}s)"
+            echo "**Batch size:** $BATCH_SIZE"
+            echo "**Dry run:** $DRY_RUN"
+            echo "**HTTP:** $HTTP_CODE"
+            echo ""
+            echo "### Per-tenant result"
+            echo ""
+            echo '| Slug | Phase | SSM Status | Exit | Healthz | Error |'
+            echo '|------|-------|------------|------|---------|-------|'
+            jq -r '.results[]? | "| \(.slug) | \(.phase) | \(.ssm_status // "-") | \(.ssm_exit_code) | \(.healthz_ok) | \(.error // "-") |"' "$HTTP_RESPONSE" || true
+          } >> "$GITHUB_STEP_SUMMARY"
+
+          if [ "$HTTP_CODE" != "200" ]; then
+            echo "::error::redeploy-fleet returned HTTP $HTTP_CODE"
+            exit 1
+          fi
+          OK=$(jq -r '.ok' "$HTTP_RESPONSE")
+          if [ "$OK" != "true" ]; then
+            echo "::error::redeploy-fleet reported ok=false (see summary for which tenant halted the rollout)"
+            exit 1
+          fi
+          echo "::notice::Tenant fleet redeploy reported ssm_status=Success — verifying actual image roll on each tenant..."
+
+          # Stash the response for the verify step. $RUNNER_TEMP outlasts
+          # the step boundary; $HTTP_RESPONSE doesn't.
+          cp "$HTTP_RESPONSE" "$RUNNER_TEMP/redeploy-response.json"
+
+      - name: Verify each tenant /buildinfo matches published SHA
+        # ROOT FIX FOR #2395.
+        #
+        # `redeploy-fleet`'s `ssm_status=Success` means "the SSM RPC
+        # didn't error" — NOT "the new image is running on the tenant."
+        # `:latest` lives in the local Docker daemon's image cache; if
+        # the SSM document does `docker compose up -d` without an
+        # explicit `docker pull`, the daemon serves the previously-
+        # cached digest and the container restarts on stale code.
+        # 2026-04-30 incident: hongmingwang's tenant reported
+        # ssm_status=Success at 17:00:53Z but kept serving pre-501a42d7
+        # chat_files for 30+ min — the lazy-heal fix never reached the
+        # user despite green deploy + green redeploy.
+        #
+        # This step closes the gap by curling each tenant's /buildinfo
+        # endpoint (added in workspace-server/internal/buildinfo +
+        # /Dockerfile* GIT_SHA build-arg, this PR) and comparing the
+        # returned git_sha to the SHA the workflow expects. Mismatches
+        # fail the workflow, which is what `ok=true` should have
+        # guaranteed all along.
+        #
+        # When the redeploy was triggered by workflow_dispatch with a
+        # specific tag (target_tag != "latest"), the expected SHA may
+        # not equal ${{ github.sha }} — in that case we resolve via
+        # GHCR's manifest. For workflow_run (default :latest) the
+        # workflow_run.head_sha is the SHA that just published.
+        env:
+          EXPECTED_SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
+          TARGET_TAG: ${{ steps.tag.outputs.target_tag }}
+          # Tenant subdomain template — slugs from the response are
+          # appended. Production CP issues `<slug>.moleculesai.app`;
+          # staging CP issues `<slug>.staging.moleculesai.app`. This
+          # workflow runs on main → prod CP → no `staging.` infix.
+          TENANT_DOMAIN: 'moleculesai.app'
+        run: |
+          set -euo pipefail
+
+          EXPECTED_SHORT="${EXPECTED_SHA:0:7}"
+          if [ "$TARGET_TAG" != "latest" ] \
+             && [ "$TARGET_TAG" != "$EXPECTED_SHA" ] \
+             && [ "$TARGET_TAG" != "staging-$EXPECTED_SHORT" ]; then
+            # workflow_dispatch with a pinned tag that isn't the head
+            # SHA — operator is rolling back / pinning. Skip the
+            # verification because we don't have the expected SHA in
+            # this context (would need to crane-inspect the GHCR
+            # manifest, which is a follow-up). Failing-open here is
+            # safe: the operator chose the tag deliberately.
+            #
+            # `staging-<short_head_sha>` IS verified — it's the new
+            # auto-trigger default (see Compute target tag step) and
+            # the digest under that tag SHOULD match EXPECTED_SHA.
+            echo "::notice::target_tag=$TARGET_TAG (operator-pinned) — skipping per-tenant SHA verification."
+            exit 0
+          fi
+
+          RESP="$RUNNER_TEMP/redeploy-response.json"
+          if [ ! -s "$RESP" ]; then
+            echo "::error::redeploy-response.json missing or empty — verify step ran without a response to read"
+            exit 1
+          fi
+
+          # Pull only successfully-redeployed tenants. Any tenant that
+          # halted the rollout already failed the previous step, so we
+          # don't double-count them here.
+          mapfile -t SLUGS < <(jq -r '.results[]? | select(.healthz_ok == true) | .slug' "$RESP")
+          if [ ${#SLUGS[@]} -eq 0 ]; then
+            echo "::warning::No tenants reported healthz_ok — nothing to verify"
+            exit 0
+          fi
+
+          echo "Verifying ${#SLUGS[@]} tenant(s) against EXPECTED_SHA=${EXPECTED_SHA:0:7}..."
+
+          # Two distinct failure modes — STALE (the #2395 bug class, hard-fail)
+          # vs UNREACHABLE (teardown race, soft-warn). See the staging variant's
+          # comment for the full rationale; same logic applies on prod even
+          # though prod has fewer ephemeral tenants — the asymmetry would be a
+          # gratuitous fork.
+          STALE_COUNT=0
+          UNREACHABLE_COUNT=0
+          STALE_LINES=()
+          UNREACHABLE_LINES=()
+          for slug in "${SLUGS[@]}"; do
+            URL="https://${slug}.${TENANT_DOMAIN}/buildinfo"
+            # 30s total: tenant just SSM-restarted, may still be coming
+            # up. Retry-on-empty rather than retry-on-status — we want
+            # to fail fast on "responded with wrong SHA", not "still
+            # warming up".
+            BODY=$(curl -sS --max-time 30 --retry 3 --retry-delay 5 --retry-connrefused "$URL" || true)
+            ACTUAL_SHA=$(echo "$BODY" | jq -r '.git_sha // ""' 2>/dev/null || echo "")
+            if [ -z "$ACTUAL_SHA" ]; then
+              UNREACHABLE_COUNT=$((UNREACHABLE_COUNT + 1))
+              UNREACHABLE_LINES+=("| $slug | (no /buildinfo response) | ${EXPECTED_SHA:0:7} | ⚠ unreachable (likely teardown race) |")
+              continue
+            fi
+            if [ "$ACTUAL_SHA" = "$EXPECTED_SHA" ]; then
+              echo "  $slug: ${ACTUAL_SHA:0:7} ✓"
+            else
+              STALE_COUNT=$((STALE_COUNT + 1))
+              STALE_LINES+=("| $slug | ${ACTUAL_SHA:0:7} | ${EXPECTED_SHA:0:7} | ❌ stale |")
+            fi
+          done
+
+          {
+            echo ""
+            echo "### Per-tenant /buildinfo verification"
+            echo ""
+            echo "Expected SHA: \`${EXPECTED_SHA:0:7}\`"
+            echo ""
+            if [ $STALE_COUNT -gt 0 ]; then
+              echo "**${STALE_COUNT} STALE tenant(s) — these did NOT pick up the new image despite ssm_status=Success:**"
+              echo ""
+              echo "| Slug | Actual /buildinfo SHA | Expected | Status |"
+              echo "|------|----------------------|----------|--------|"
+              for line in "${STALE_LINES[@]}"; do echo "$line"; done
+              echo ""
+            fi
+            if [ $UNREACHABLE_COUNT -gt 0 ]; then
+              echo "**${UNREACHABLE_COUNT} unreachable tenant(s) — likely teardown race (soft-warn, not failing):**"
+              echo ""
+              echo "| Slug | Actual /buildinfo SHA | Expected | Status |"
+              echo "|------|----------------------|----------|--------|"
+              for line in "${UNREACHABLE_LINES[@]}"; do echo "$line"; done
+              echo ""
+            fi
+            if [ $STALE_COUNT -eq 0 ] && [ $UNREACHABLE_COUNT -eq 0 ]; then
+              echo "All ${#SLUGS[@]} tenants returned matching SHA. ✓"
+            fi
+          } >> "$GITHUB_STEP_SUMMARY"
+
+          if [ $UNREACHABLE_COUNT -gt 0 ]; then
+            echo "::warning::$UNREACHABLE_COUNT tenant(s) unreachable post-redeploy. Likely benign teardown race — CP healthz monitor catches real outages."
+          fi
+
+          # Belt-and-suspenders sanity floor: same logic as the staging
+          # variant — see that file's comment for the full rationale.
+          # Floor only applies when fleet >= 4; below that, canary-verify
+          # is the actual gate.
+          TOTAL_VERIFIED=${#SLUGS[@]}
+          if [ $TOTAL_VERIFIED -ge 4 ] && [ $UNREACHABLE_COUNT -gt $((TOTAL_VERIFIED / 2)) ]; then
+            echo "::error::$UNREACHABLE_COUNT of $TOTAL_VERIFIED tenant(s) unreachable — exceeds 50% threshold on a fleet large enough that this signals a real outage, not teardown race."
+            exit 1
+          fi
+
+          if [ $STALE_COUNT -gt 0 ]; then
+            echo "::error::$STALE_COUNT tenant(s) returned a stale SHA. ssm_status=Success was misleading — see job summary."
+            exit 1
+          fi
+
+          echo "::notice::Tenant fleet redeploy complete — all reachable tenants on ${EXPECTED_SHA:0:7} (${UNREACHABLE_COUNT} unreachable, soft-warned)."

.gitea/workflows/redeploy-tenants-on-staging.yml

@@ -0,0 +1,356 @@
+name: redeploy-tenants-on-staging
+
+# Ported from .github/workflows/redeploy-tenants-on-staging.yml on 2026-05-11 per RFC
+# internal#219 §1 sweep. Differences from the GitHub version:
+#   - Dropped `workflow_dispatch.inputs` (Gitea 1.22.6 parser rejects them
+#     per feedback_gitea_workflow_dispatch_inputs_unsupported).
+#   - Dropped `merge_group:` (no Gitea merge queue).
+#   - Dropped `environment:` blocks (Gitea has no environments).
+#   - Workflow-level env.GITHUB_SERVER_URL pinned per
+#     feedback_act_runner_github_server_url.
+#   - `continue-on-error: true` on each job (RFC §1 contract).
+#   - **Gitea workflow_run trigger limitation**: Gitea 1.22.6's support
+#     for the `workflow_run` event is partial. If this never fires on a
+#     real publish-workspace-server-image completion, the follow-up
+#     triage PR should replace the trigger with a push-with-paths-filter
+#     on .gitea/workflows/publish-workspace-server-image.yml. Until
+#     then continue-on-error+dead-workflow doesn't break anything.
+#
+
+# Auto-refresh staging tenant EC2s after every staging-branch merge.
+#
+# Mirror of redeploy-tenants-on-main.yml, with the staging-CP host and
+# the :staging-latest tag. Sister workflow exists for prod (rolls
+# :latest after canary-verify). Both share the same shape — just
+# different CP_URL + target_tag + admin token secret.
+#
+# Why this workflow exists: publish-workspace-server-image now builds
+# on every staging-branch push (PR #2335), pushing
+# platform-tenant:staging-latest to GHCR. Existing tenants pulled
+# their image once at boot and never re-pull, so the new image just
+# sits unused until the tenant is reprovisioned.
+#
+# This workflow closes the gap by calling staging-CP's
+# /cp/admin/tenants/redeploy-fleet, which performs a canary-first,
+# batched, health-gated SSM redeploy across every live staging tenant.
+# Same endpoint shape as prod CP — only the host differs.
+#
+# Runtime ordering:
+#   1. publish-workspace-server-image completes on staging branch →
+#      new :staging-latest in GHCR.
+#   2. This workflow fires via workflow_run, waits 30s for GHCR's CDN
+#      to propagate the new tag.
+#   3. Calls redeploy-fleet with no canary (staging IS canary; we don't
+#      need a sub-canary inside it). Soak still applies to the first
+#      tenant in case of bad-deploy detection.
+#   4. Any failure aborts the rollout and leaves older tenants on the
+#      prior image — safer default than half-and-half state.
+#
+# Rollback path: re-run with workflow_dispatch + target_tag=staging-<sha>
+# of a known-good build.
+
+on:
+  workflow_run:
+    workflows: ['publish-workspace-server-image']
+    types: [completed]
+    branches: [main]
+permissions:
+  contents: read
+  # No write scopes needed — the workflow hits an external CP endpoint,
+  # not the GitHub API.
+
+# Serialize per-branch so two rapid staging pushes' redeploys don't
+# overlap and cause confusing per-tenant SSM state. cancel-in-progress
+# is false because aborting a half-rolled-out fleet leaves tenants
+# stuck on whatever image they happened to be on when cancelled.
+concurrency:
+  group: redeploy-tenants-on-staging
+  cancel-in-progress: false
+
+env:
+  GITHUB_SERVER_URL: https://git.moleculesai.app
+
+jobs:
+  redeploy:
+    # Skip the auto-trigger if publish-workspace-server-image didn't
+    # actually succeed. workflow_run fires on any completion state; we
+    # don't want to redeploy against a half-built image.
+    # NOTE (Gitea port): workflow_dispatch trigger dropped; only the
+    # workflow_run path remains.
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
+    continue-on-error: true
+    timeout-minutes: 25
+    steps:
+      - name: Wait for GHCR tag propagation
+        # GHCR's edge cache takes ~15-30s to consistently serve the new
+        # :staging-latest manifest after the registry accepts the push.
+        # Same rationale as redeploy-tenants-on-main.yml.
+        run: sleep 30
+
+      - name: Call staging-CP redeploy-fleet
+        # CP_STAGING_ADMIN_API_TOKEN must be set as a repo/org secret
+        # on molecule-ai/molecule-core, matching staging-CP's
+        # CP_ADMIN_API_TOKEN env var (visible in Railway controlplane
+        # / staging environment). Stored separately from the prod
+        # CP_ADMIN_API_TOKEN so a leak of one doesn't auth the other.
+        env:
+          CP_URL: ${{ vars.STAGING_CP_URL || 'https://staging-api.moleculesai.app' }}
+          CP_STAGING_ADMIN_API_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
+          TARGET_TAG: ${{ inputs.target_tag || 'staging-latest' }}
+          CANARY_SLUG: ${{ inputs.canary_slug || '' }}
+          SOAK_SECONDS: ${{ inputs.soak_seconds || '60' }}
+          BATCH_SIZE: ${{ inputs.batch_size || '3' }}
+          DRY_RUN: ${{ inputs.dry_run || false }}
+        run: |
+          set -euo pipefail
+
+          # Schedule-vs-dispatch hardening (mirrors sweep-cf-orphans
+          # and sweep-cf-tunnels): hard-fail on auto-trigger when the
+          # secret is missing so a misconfigured-repo doesn't silently
+          # serve stale staging tenants. Soft-skip on operator dispatch.
+          if [ -z "${CP_STAGING_ADMIN_API_TOKEN:-}" ]; then
+            if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+              echo "::warning::CP_STAGING_ADMIN_API_TOKEN secret not set — skipping redeploy"
+              echo "::warning::Set CP_STAGING_ADMIN_API_TOKEN in repo secrets to enable auto-redeploy."
+              echo "::notice::Pull the value from staging-CP's CP_ADMIN_API_TOKEN env in Railway."
+              exit 0
+            fi
+            echo "::error::staging redeploy cannot run — CP_STAGING_ADMIN_API_TOKEN secret missing"
+            echo "::error::set it at Settings → Secrets and Variables → Actions; pull from staging-CP's CP_ADMIN_API_TOKEN env in Railway."
+            exit 1
+          fi
+
+          BODY=$(jq -nc \
+            --arg tag "$TARGET_TAG" \
+            --arg canary "$CANARY_SLUG" \
+            --argjson soak "$SOAK_SECONDS" \
+            --argjson batch "$BATCH_SIZE" \
+            --argjson dry "$DRY_RUN" \
+            '{
+              target_tag: $tag,
+              canary_slug: $canary,
+              soak_seconds: $soak,
+              batch_size: $batch,
+              dry_run: $dry
+            }')
+
+          echo "POST $CP_URL/cp/admin/tenants/redeploy-fleet"
+          echo "  body: $BODY"
+
+          HTTP_RESPONSE=$(mktemp)
+          HTTP_CODE_FILE=$(mktemp)
+          # Route -w into its own tempfile so curl's exit code (e.g. 56
+          # on connection-reset) can't pollute the captured stdout. The
+          # previous inline-substitution shape produced "000000" on
+          # connection reset — caught on main variant 2026-05-04
+          # redeploying sha 2b862f6. Same fix shape as the synth-E2E
+          # §9c gate (PR #2797). See lint-curl-status-capture.yml for
+          # the CI gate that pins this fix shape.
+          set +e
+          curl -sS -o "$HTTP_RESPONSE" -w '%{http_code}' \
+            -m 1200 \
+            -H "Authorization: Bearer $CP_STAGING_ADMIN_API_TOKEN" \
+            -H "Content-Type: application/json" \
+            -X POST "$CP_URL/cp/admin/tenants/redeploy-fleet" \
+            -d "$BODY" >"$HTTP_CODE_FILE"
+          set -e
+          # Stderr from curl (-sS shows dial errors etc.) goes to the
+          # runner log so operators can see WHY a connection failed.
+          HTTP_CODE=$(cat "$HTTP_CODE_FILE" 2>/dev/null || echo "000")
+          [ -z "$HTTP_CODE" ] && HTTP_CODE="000"
+
+          echo "HTTP $HTTP_CODE"
+          cat "$HTTP_RESPONSE" | jq . || cat "$HTTP_RESPONSE"
+
+          {
+            echo "## Staging tenant redeploy fleet"
+            echo ""
+            echo "**Target tag:** \`$TARGET_TAG\`"
+            echo "**Canary:** \`${CANARY_SLUG:-(none — staging is itself the canary)}\` (soak ${SOAK_SECONDS}s)"
+            echo "**Batch size:** $BATCH_SIZE"
+            echo "**Dry run:** $DRY_RUN"
+            echo "**HTTP:** $HTTP_CODE"
+            echo ""
+            echo "### Per-tenant result"
+            echo ""
+            echo '| Slug | Phase | SSM Status | Exit | Healthz | Error |'
+            echo '|------|-------|------------|------|---------|-------|'
+            jq -r '.results[]? | "| \(.slug) | \(.phase) | \(.ssm_status // "-") | \(.ssm_exit_code) | \(.healthz_ok) | \(.error // "-") |"' "$HTTP_RESPONSE" || true
+          } >> "$GITHUB_STEP_SUMMARY"
+
+          # Distinguish "real fleet failure" from "E2E teardown race".
+          #
+          # CP returns HTTP 500 + ok=false whenever ANY tenant in the
+          # fleet failed SSM or healthz. In practice the recurring source
+          # of these is ephemeral test tenants being torn down by their
+          # parent E2E run mid-redeploy: the EC2 dies → SSM exit=2 or
+          # healthz timeout → CP marks the fleet failed → this workflow
+          # goes red even though every operator-facing tenant rolled fine.
+          #
+          # Ephemeral slug prefixes (kept in sync with sweep-stale-e2e-orgs.yml
+          # — see that file for the source-of-truth list and rationale):
+          #   - e2e-*       — canvas/saas/ext E2E suites
+          #   - rt-e2e-*    — runtime-test harness fixtures (RFC #2251)
+          # Long-lived prefixes that are NOT ephemeral and MUST hard-fail:
+          # demo-prep, dryrun-*, dryrun2-*, plus all human tenant slugs.
+          #
+          # Filter: if HTTP=500/ok=false AND every failed slug matches an
+          # ephemeral prefix, treat as soft-warn and let the verify step
+          # downstream handle unreachable-vs-stale (#2402). Any non-ephemeral
+          # failure or a non-500 HTTP response remains a hard failure.
+          OK=$(jq -r '.ok // "false"' "$HTTP_RESPONSE")
+          FAILED_SLUGS=$(jq -r '
+            .results[]?
+            | select((.healthz_ok != true) or (.ssm_status != "Success"))
+            | .slug' "$HTTP_RESPONSE" 2>/dev/null || true)
+          EPHEMERAL_PREFIX_RE='^(e2e-|rt-e2e-)'
+          NON_EPHEMERAL_FAILED=$(printf '%s\n' "$FAILED_SLUGS" | grep -v '^$' | grep -Ev "$EPHEMERAL_PREFIX_RE" || true)
+
+          if [ "$HTTP_CODE" = "200" ] && [ "$OK" = "true" ]; then
+            : # happy path — fall through to verification
+          elif [ "$HTTP_CODE" = "500" ] && [ -z "$NON_EPHEMERAL_FAILED" ] && [ -n "$FAILED_SLUGS" ]; then
+            COUNT=$(printf '%s\n' "$FAILED_SLUGS" | grep -Ec "$EPHEMERAL_PREFIX_RE" || true)
+            echo "::warning::redeploy-fleet returned HTTP 500 but every failed tenant ($COUNT) is ephemeral (e2e-*/rt-e2e-*) — treating as teardown race, soft-warning."
+            printf '%s\n' "$FAILED_SLUGS" | sed 's/^/::warning::  failed: /'
+          elif [ "$HTTP_CODE" != "200" ]; then
+            echo "::error::redeploy-fleet returned HTTP $HTTP_CODE"
+            if [ -n "$NON_EPHEMERAL_FAILED" ]; then
+              echo "::error::non-ephemeral tenant(s) failed:"
+              printf '%s\n' "$NON_EPHEMERAL_FAILED" | sed 's/^/::error::  /'
+            fi
+            exit 1
+          else
+            # HTTP=200 but ok=false (shouldn't happen with current CP
+            # but keep the gate for completeness).
+            echo "::error::redeploy-fleet reported ok=false (see summary for which tenant halted the rollout)"
+            exit 1
+          fi
+          echo "::notice::Staging tenant fleet redeploy reported ssm_status=Success — verifying actual image roll on each tenant..."
+
+          cp "$HTTP_RESPONSE" "$RUNNER_TEMP/redeploy-response.json"
+
+      - name: Verify each staging tenant /buildinfo matches published SHA
+        # Mirror of the verify step in redeploy-tenants-on-main.yml — see
+        # there for the rationale (#2395 root fix). Staging has the same
+        # ssm_status-success-but-stale-image hazard and benefits from the
+        # same gate. Diff: TENANT_DOMAIN includes the `staging.` infix.
+        env:
+          EXPECTED_SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
+          TARGET_TAG: ${{ inputs.target_tag || 'staging-latest' }}
+          TENANT_DOMAIN: 'staging.moleculesai.app'
+        run: |
+          set -euo pipefail
+
+          # staging-latest is the staging-side moving tag; treat it the
+          # same way main treats `latest`. Operator-pinned SHAs skip
+          # verification (see main variant for why).
+          if [ "$TARGET_TAG" != "staging-latest" ] && [ "$TARGET_TAG" != "latest" ] && [ "$TARGET_TAG" != "$EXPECTED_SHA" ]; then
+            echo "::notice::target_tag=$TARGET_TAG (operator-pinned) — skipping per-tenant SHA verification."
+            exit 0
+          fi
+
+          RESP="$RUNNER_TEMP/redeploy-response.json"
+          if [ ! -s "$RESP" ]; then
+            echo "::error::redeploy-response.json missing or empty"
+            exit 1
+          fi
+
+          mapfile -t SLUGS < <(jq -r '.results[]? | select(.healthz_ok == true) | .slug' "$RESP")
+          if [ ${#SLUGS[@]} -eq 0 ]; then
+            echo "::warning::No staging tenants reported healthz_ok — nothing to verify"
+            exit 0
+          fi
+
+          echo "Verifying ${#SLUGS[@]} staging tenant(s) against EXPECTED_SHA=${EXPECTED_SHA:0:7}..."
+
+          # Two distinct failure modes here:
+          #   STALE_COUNT      — tenant returned a SHA that doesn't match. THIS is
+          #                      the #2395 bug class: tenant up + serving old code.
+          #                      Always hard-fail the workflow.
+          #   UNREACHABLE_COUNT — tenant didn't respond. Almost always a benign
+          #                      teardown race: redeploy-fleet snapshot says
+          #                      healthz_ok=true, then the E2E suite tears the
+          #                      ephemeral tenant down before this step runs (the
+          #                      e2e-* fixtures churn 5-10/hour on staging). Soft-
+          #                      warn so we don't block staging→main on cleanup.
+          #                      Real "tenant up but unreachable" is caught by CP's
+          #                      own healthz monitor + the post-redeploy alert; we
+          #                      don't need to double-count it here.
+          STALE_COUNT=0
+          UNREACHABLE_COUNT=0
+          STALE_LINES=()
+          UNREACHABLE_LINES=()
+          for slug in "${SLUGS[@]}"; do
+            URL="https://${slug}.${TENANT_DOMAIN}/buildinfo"
+            BODY=$(curl -sS --max-time 30 --retry 3 --retry-delay 5 --retry-connrefused "$URL" || true)
+            ACTUAL_SHA=$(echo "$BODY" | jq -r '.git_sha // ""' 2>/dev/null || echo "")
+            if [ -z "$ACTUAL_SHA" ]; then
+              UNREACHABLE_COUNT=$((UNREACHABLE_COUNT + 1))
+              UNREACHABLE_LINES+=("| $slug | (no /buildinfo response) | ${EXPECTED_SHA:0:7} | ⚠ unreachable (likely teardown race) |")
+              continue
+            fi
+            if [ "$ACTUAL_SHA" = "$EXPECTED_SHA" ]; then
+              echo "  $slug: ${ACTUAL_SHA:0:7} ✓"
+            else
+              STALE_COUNT=$((STALE_COUNT + 1))
+              STALE_LINES+=("| $slug | ${ACTUAL_SHA:0:7} | ${EXPECTED_SHA:0:7} | ❌ stale |")
+            fi
+          done
+
+          {
+            echo ""
+            echo "### Per-tenant /buildinfo verification (staging)"
+            echo ""
+            echo "Expected SHA: \`${EXPECTED_SHA:0:7}\`"
+            echo ""
+            if [ $STALE_COUNT -gt 0 ]; then
+              echo "**${STALE_COUNT} STALE tenant(s) — these did NOT pick up the new image despite ssm_status=Success:**"
+              echo ""
+              echo "| Slug | Actual /buildinfo SHA | Expected | Status |"
+              echo "|------|----------------------|----------|--------|"
+              for line in "${STALE_LINES[@]}"; do echo "$line"; done
+              echo ""
+            fi
+            if [ $UNREACHABLE_COUNT -gt 0 ]; then
+              echo "**${UNREACHABLE_COUNT} unreachable tenant(s) — likely E2E teardown race (soft-warn, not failing):**"
+              echo ""
+              echo "| Slug | Actual /buildinfo SHA | Expected | Status |"
+              echo "|------|----------------------|----------|--------|"
+              for line in "${UNREACHABLE_LINES[@]}"; do echo "$line"; done
+              echo ""
+            fi
+            if [ $STALE_COUNT -eq 0 ] && [ $UNREACHABLE_COUNT -eq 0 ]; then
+              echo "All ${#SLUGS[@]} staging tenants returned matching SHA. ✓"
+            fi
+          } >> "$GITHUB_STEP_SUMMARY"
+
+          if [ $UNREACHABLE_COUNT -gt 0 ]; then
+            echo "::warning::$UNREACHABLE_COUNT staging tenant(s) unreachable post-redeploy. Likely benign teardown race — CP healthz monitor catches real outages."
+          fi
+
+          # Belt-and-suspenders sanity floor: if MORE than half the fleet is
+          # unreachable AND the fleet is large enough that "half down" is
+          # statistically meaningful, this is a real outage (e.g. new image
+          # crashes on startup), not a teardown race. Hard-fail.
+          #
+          # Floor only applies when TOTAL_VERIFIED >= 4 — below that, the
+          # canary-verify step is the actual gate for "all tenants down"
+          # detection (it runs against the canary first and aborts the
+          # rollout if the canary fails to come up). Without the >=4 gate,
+          # a 1-tenant fleet (e.g. a single ephemeral e2e-* tenant on a
+          # quiet staging push) would re-flake on the exact teardown-race
+          # condition #2402 fixed: 1 of 1 unreachable = 100% > 50% → fail.
+          TOTAL_VERIFIED=${#SLUGS[@]}
+          if [ $TOTAL_VERIFIED -ge 4 ] && [ $UNREACHABLE_COUNT -gt $((TOTAL_VERIFIED / 2)) ]; then
+            echo "::error::$UNREACHABLE_COUNT of $TOTAL_VERIFIED staging tenant(s) unreachable — exceeds 50% threshold on a fleet large enough that this signals a real outage, not teardown race."
+            exit 1
+          fi
+
+          if [ $STALE_COUNT -gt 0 ]; then
+            echo "::error::$STALE_COUNT staging tenant(s) returned a stale SHA. ssm_status=Success was misleading — see job summary."
+            exit 1
+          fi
+
+          echo "::notice::Staging tenant fleet redeploy complete — all reachable tenants on ${EXPECTED_SHA:0:7} (${UNREACHABLE_COUNT} unreachable, soft-warned)."

.gitea/workflows/sop-tier-check.yml

@@ -77,50 +77,24 @@ jobs:
           # works if we never check out PR HEAD. Same SHA the workflow
           # itself was loaded from.
           ref: ${{ github.event.pull_request.base.sha }}
-      - name: Install jq
-        # Gitea Actions runners (ubuntu-latest label) do not bundle jq.
-        # The sop-tier-check script uses jq for all JSON API parsing.
-        # Install jq before the script runs so sop-tier-check can pass.
-        #
-        # Method: apt-get first (reliable for Ubuntu runners with internet
-        # access to package mirrors). Falls back to GitHub binary download.
-        # GitHub releases may be unreachable from some runner networks
-        # (infra#241 follow-up: GitHub timeout after 3s on 5.78.80.188
-        # runners). The sop-tier-check script has its own fallback as a
-        # third line of defense. continue-on-error: true ensures this step
-        # failing does not block the job.
-        continue-on-error: true
-        run: |
-          # apt-get is the primary method — Ubuntu package mirrors are reliably
-          # reachable from runner containers. GitHub releases may be blocked
-          # or slow on some networks (infra#241 follow-up).
-          if apt-get update -qq && apt-get install -y -qq jq; then
-            echo "::notice::jq installed via apt-get: $(jq --version)"
-          elif timeout 120 curl -sSL \
-            "https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-amd64" \
-            -o /usr/local/bin/jq && chmod +x /usr/local/bin/jq; then
-            echo "::notice::jq binary downloaded: $(/usr/local/bin/jq --version)"
-          else
-            echo "::warning::jq install failed — apt-get and GitHub download both failed."
-          fi
-          jq --version 2>/dev/null || echo "::notice::jq not yet available — script fallback will retry"
-
       - name: Verify tier label + reviewer team membership
-        # continue-on-error: true at step level — job-level is ignored by Gitea
-        # Actions (quirk #10, internal runbooks). Belt-and-suspenders with
-        # SOP_FAIL_OPEN=1 + || true below.
-        continue-on-error: true
         env:
+          # SOP_TIER_CHECK_TOKEN is the org-level secret for the
+          # sop-tier-bot PAT (read:organization,read:user,read:issue,
+          # read:repository). Stored at the org level
+          # (/api/v1/orgs/molecule-ai/actions/secrets) so per-repo
+          # configuration is unnecessary — every repo in the org
+          # picks it up automatically.
+          # Falls back to GITHUB_TOKEN with a clear error if missing.
           GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
           GITEA_HOST: git.moleculesai.app
           REPO: ${{ github.repository }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
           PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+          # Set to '1' for diagnostic per-API-call output. Off by default
+          # so production logs aren't noisy.
           SOP_DEBUG: '0'
+          # BURN-IN: set to '1' for PRs in-flight at AND-composition deploy
+          # time to use the legacy OR-gate. Remove after 2026-05-17.
           SOP_LEGACY_CHECK: '0'
-          # SOP_FAIL_OPEN=1 makes the script always exit 0. The UI enforces
-          # the actual merge gate. Combined with continue-on-error: true
-          # above, this step never fails the job regardless of script exit.
-          SOP_FAIL_OPEN: '1'
-        run: |
-          bash .gitea/scripts/sop-tier-check.sh || true
+        run: bash .gitea/scripts/sop-tier-check.sh

.gitea/workflows/sweep-aws-secrets.yml

@@ -0,0 +1,129 @@
+name: Sweep stale AWS Secrets Manager secrets
+
+# Ported from .github/workflows/sweep-aws-secrets.yml on 2026-05-11 per RFC
+# internal#219 §1 sweep. Differences from the GitHub version:
+#   - Dropped `workflow_dispatch.inputs` (Gitea 1.22.6 parser rejects them
+#     per feedback_gitea_workflow_dispatch_inputs_unsupported).
+#   - Dropped `merge_group:` (no Gitea merge queue).
+#   - Dropped `environment:` blocks (Gitea has no environments).
+#   - Workflow-level env.GITHUB_SERVER_URL pinned per
+#     feedback_act_runner_github_server_url.
+#   - `continue-on-error: true` on each job (RFC §1 contract).
+#
+
+# Janitor for per-tenant AWS Secrets Manager secrets
+# (`molecule/tenant/<org_id>/bootstrap`) whose backing tenant no
+# longer exists. Parallel-shape to sweep-cf-tunnels.yml and
+# sweep-cf-orphans.yml — different cloud, same justification.
+#
+# Why this exists separately from a long-term reconciler integration:
+#   - molecule-controlplane's tenant_resources audit table (mig 024)
+#     currently tracks four resource kinds: CloudflareTunnel,
+#     CloudflareDNS, EC2Instance, SecurityGroup. SecretsManager is
+#     not in the list, so the existing reconciler doesn't catch
+#     orphan secrets.
+#   - At ~$0.40/secret/month the cost grew to ~$19/month before this
+#     sweeper was written, indicating ~45+ orphan secrets from
+#     crashed provisions and incomplete deprovision flows.
+#   - The proper fix (KindSecretsManagerSecret + recorder hook +
+#     reconciler enumerator) is filed as a separate controlplane
+#     issue. This sweeper is the immediate cost-relief stopgap.
+#
+# IAM principal: AWS_JANITOR_ACCESS_KEY_ID / AWS_JANITOR_SECRET_ACCESS_KEY.
+# This is a DEDICATED principal — the production `molecule-cp` IAM
+# user lacks `secretsmanager:ListSecrets` (it only has
+# Get/Create/Update/Delete on specific resources, scoped to its
+# operational needs). The janitor needs ListSecrets across the
+# `molecule/tenant/*` prefix, which warrants a separate principal so
+# we don't broaden the prod-CP policy.
+#
+# Safety: the script's MAX_DELETE_PCT gate (default 50%, mirroring
+# sweep-cf-orphans.yml — tenant secrets are durable by design, unlike
+# the mostly-orphan tunnels) refuses to nuke past the threshold.
+
+on:
+  schedule:
+    # Hourly at :30 — offsets from sweep-cf-orphans (:15) and
+    # sweep-cf-tunnels (:45) so the three janitors don't burst the
+    # CP admin endpoints at the same minute.
+    - cron: '30 * * * *'
+# Don't let two sweeps race the same AWS account.
+concurrency:
+  group: sweep-aws-secrets
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+
+env:
+  GITHUB_SERVER_URL: https://git.moleculesai.app
+
+jobs:
+  sweep:
+    name: Sweep AWS Secrets Manager
+    runs-on: ubuntu-latest
+    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
+    continue-on-error: true
+    # 30 min cap, mirroring the other janitors. AWS DeleteSecret is
+    # fast (~0.3s/call) so even a 100+ backlog drains in seconds
+    # under the 8-way xargs parallelism, but the cap is set generously
+    # to leave headroom for any actual API hang.
+    timeout-minutes: 30
+    env:
+      AWS_REGION: ${{ secrets.AWS_REGION || 'us-east-1' }}
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_JANITOR_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_JANITOR_SECRET_ACCESS_KEY }}
+      CP_PROD_ADMIN_TOKEN: ${{ secrets.CP_PROD_ADMIN_TOKEN }}
+      CP_STAGING_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_TOKEN }}
+      MAX_DELETE_PCT: ${{ github.event.inputs.max_delete_pct || '50' }}
+      GRACE_HOURS: ${{ github.event.inputs.grace_hours || '24' }}
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Verify required secrets present
+        id: verify
+        # Schedule-vs-dispatch behaviour split mirrors sweep-cf-orphans
+        # and sweep-cf-tunnels (hardened 2026-04-28). Same principle:
+        #   - schedule → exit 1 on missing secrets (red CI surfaces it)
+        #   - workflow_dispatch → exit 0 with warning (operator-driven,
+        #     they already accepted the repo state)
+        run: |
+          missing=()
+          for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY CP_PROD_ADMIN_TOKEN CP_STAGING_ADMIN_TOKEN; do
+            if [ -z "${!var:-}" ]; then
+              missing+=("$var")
+            fi
+          done
+          if [ ${#missing[@]} -gt 0 ]; then
+            if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+              echo "::warning::skipping sweep — secrets not configured: ${missing[*]}"
+              echo "::warning::set them at Settings → Secrets and Variables → Actions, then rerun."
+              echo "::warning::AWS_JANITOR_* must belong to a principal with secretsmanager:ListSecrets and secretsmanager:DeleteSecret on molecule/tenant/* (the prod molecule-cp principal lacks ListSecrets)."
+              echo "skip=true" >> "$GITHUB_OUTPUT"
+              exit 0
+            fi
+            echo "::error::sweep cannot run — required secrets missing: ${missing[*]}"
+            echo "::error::set them at Settings → Secrets and Variables → Actions, or disable this workflow."
+            echo "::error::AWS_JANITOR_* must belong to a principal with secretsmanager:ListSecrets and secretsmanager:DeleteSecret on molecule/tenant/*."
+            exit 1
+          fi
+          echo "All required secrets present ✓"
+          echo "skip=false" >> "$GITHUB_OUTPUT"
+
+      - name: Run sweep
+        if: steps.verify.outputs.skip != 'true'
+        # Schedule-vs-dispatch dry-run asymmetry mirrors sweep-cf-tunnels:
+        #   - Scheduled: input empty → "false" → --execute (the whole
+        #     point of an hourly janitor).
+        #   - Manual workflow_dispatch: input default true → dry-run;
+        #     operator must flip it to actually delete.
+        run: |
+          set -euo pipefail
+          if [ "${{ github.event.inputs.dry_run || 'false' }}" = "true" ]; then
+            echo "Running in dry-run mode — no deletions"
+            bash scripts/ops/sweep-aws-secrets.sh
+          else
+            echo "Running with --execute — will delete identified orphans"
+            bash scripts/ops/sweep-aws-secrets.sh --execute
+          fi

.gitea/workflows/sweep-cf-orphans.yml

@@ -0,0 +1,151 @@
+name: Sweep stale Cloudflare DNS records
+
+# Ported from .github/workflows/sweep-cf-orphans.yml on 2026-05-11 per RFC
+# internal#219 §1 sweep. Differences from the GitHub version:
+#   - Dropped `workflow_dispatch.inputs` (Gitea 1.22.6 parser rejects them
+#     per feedback_gitea_workflow_dispatch_inputs_unsupported).
+#   - Dropped `merge_group:` (no Gitea merge queue).
+#   - Dropped `environment:` blocks (Gitea has no environments).
+#   - Workflow-level env.GITHUB_SERVER_URL pinned per
+#     feedback_act_runner_github_server_url.
+#   - `continue-on-error: true` on each job (RFC §1 contract).
+#
+
+# Janitor for Cloudflare DNS records whose backing tenant/workspace no
+# longer exists. Without this loop, every short-lived E2E or canary
+# leaves a CF record on the moleculesai.app zone — the zone has a
+# 200-record quota (controlplane#239 hit it 2026-04-23+) and provisions
+# start failing with code 81045 once exhausted.
+#
+# Why a separate workflow vs sweep-stale-e2e-orgs.yml:
+#   - That workflow operates at the CP layer (DELETE /cp/admin/tenants/:slug
+#     drives the cascade). It assumes CP has the org row to drive the
+#     deprovision from. It doesn't catch records left behind when CP
+#     itself never knew about the tenant (canary scratch, manual ops
+#     experiments) or when the cascade's CF-delete branch failed.
+#   - sweep-cf-orphans.sh enumerates the CF zone directly and matches
+#     each record against live CP slugs + AWS EC2 names. It catches
+#     leaks the CP-driven sweep can't.
+#
+# Safety: the script's own MAX_DELETE_PCT gate refuses to nuke more
+# than 50% of records in a single run. If something has gone weird
+# (CP admin endpoint returns no orgs → every tenant looks orphan) the
+# gate halts before damage. Decision-function unit tests in
+# scripts/ops/test_sweep_cf_decide.py (#2027) cover the rule
+# classifier.
+
+on:
+  schedule:
+    # Hourly. Mirrors sweep-stale-e2e-orgs cadence so the two janitors
+    # converge on the same tick. CF API rate budget is generous (1200
+    # req/5min); a single sweep makes ~1 list + N deletes (N<=quota/2).
+    - cron: '15 * * * *'  # offset from sweep-stale-e2e-orgs (top of hour)
+  # No `merge_group:` trigger on purpose. This is a janitor — it doesn't
+  # need to gate merges, and including it as written before #2088 fired
+  # the full sweep job (or its secret-check) on every PR going through
+  # the merge queue, generating one red CI run per merge-queue eval. If
+  # this workflow is ever wired up as a required check, re-add
+  #   merge_group: { types: [checks_requested] }
+  # AND gate the sweep step with `if: github.event_name != 'merge_group'`
+  # so merge-queue evals report success without actually running.
+
+# Don't let two sweeps race the same zone. workflow_dispatch during a
+# scheduled run would otherwise issue duplicate DELETE calls.
+concurrency:
+  group: sweep-cf-orphans
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+
+env:
+  GITHUB_SERVER_URL: https://git.moleculesai.app
+
+jobs:
+  sweep:
+    name: Sweep CF orphans
+    runs-on: ubuntu-latest
+    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
+    continue-on-error: true
+    # 3 min surfaces hangs (CF API stall, AWS describe-instances stuck)
+    # within one cron interval instead of burning a full tick. Realistic
+    # worst case is ~2 min: 4 sequential curls + 1 aws + N×CF-DELETE
+    # each individually capped at 10s by the script's curl -m flag.
+    timeout-minutes: 3
+    env:
+      CF_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
+      CF_ZONE_ID: ${{ secrets.CF_ZONE_ID }}
+      CP_PROD_ADMIN_TOKEN: ${{ secrets.CP_PROD_ADMIN_TOKEN }}
+      CP_STAGING_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_TOKEN }}
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      AWS_DEFAULT_REGION: us-east-2
+      MAX_DELETE_PCT: ${{ github.event.inputs.max_delete_pct || '50' }}
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Verify required secrets present
+        id: verify
+        # Schedule-vs-dispatch behaviour split (hardened 2026-04-28
+        # after the silent-no-op incident below):
+        #
+        # The earlier soft-skip-on-schedule policy hid a real leak. All
+        # six secrets were unset on this repo for an unknown duration;
+        # every hourly run printed a yellow ::warning:: and exited 0,
+        # so the workflow registered as "passing" while doing nothing.
+        # CF orphans accumulated to 152/200 (~76% of the zone quota
+        # gone) before a manual `dig`-driven audit caught it. Anything
+        # that runs as a janitor and reports green while idle is
+        # indistinguishable from "the janitor is healthy" — so we now
+        # treat schedule (and any future workflow_run/push triggers)
+        # as a hard-fail when secrets are missing.
+        #
+        #   - schedule / workflow_run / push → exit 1 (red CI run
+        #     surfaces the misconfiguration the next tick)
+        #   - workflow_dispatch              → exit 0 with a warning
+        #     (an operator ran this ad-hoc; they already accepted the
+        #     state of the repo and want the workflow to short-circuit
+        #     so they can rerun after fixing the secret)
+        run: |
+          missing=()
+          for var in CF_API_TOKEN CF_ZONE_ID CP_PROD_ADMIN_TOKEN CP_STAGING_ADMIN_TOKEN AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do
+            if [ -z "${!var:-}" ]; then
+              missing+=("$var")
+            fi
+          done
+          if [ ${#missing[@]} -gt 0 ]; then
+            if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+              echo "::warning::skipping sweep — secrets not configured: ${missing[*]}"
+              echo "::warning::set them at Settings → Secrets and Variables → Actions, then rerun."
+              echo "skip=true" >> "$GITHUB_OUTPUT"
+              exit 0
+            fi
+            echo "::error::sweep cannot run — required secrets missing: ${missing[*]}"
+            echo "::error::set them at Settings → Secrets and Variables → Actions, or disable this workflow."
+            echo "::error::a silent skip masked an active CF DNS leak (152/200 zone records) caught only by a manual audit on 2026-04-28; this gate exists to make the gap visible."
+            exit 1
+          fi
+          echo "All required secrets present ✓"
+          echo "skip=false" >> "$GITHUB_OUTPUT"
+
+      - name: Run sweep
+        if: steps.verify.outputs.skip != 'true'
+        # Schedule-vs-dispatch dry-run asymmetry (intentional):
+        #   - Scheduled runs: github.event.inputs.dry_run is empty →
+        #     defaults to "false" below → script runs with --execute
+        #     (the whole point of an hourly janitor).
+        #   - Manual workflow_dispatch: input default is true (line 38)
+        #     so an ad-hoc operator-triggered run is dry-run by default;
+        #     they have to flip the toggle to actually delete.
+        # The script's MAX_DELETE_PCT gate (default 50%) is the second
+        # line of defense regardless of mode.
+        run: |
+          set -euo pipefail
+          if [ "${{ github.event.inputs.dry_run || 'false' }}" = "true" ]; then
+            echo "Running in dry-run mode — no deletions"
+            bash scripts/ops/sweep-cf-orphans.sh
+          else
+            echo "Running with --execute — will delete identified orphans"
+            bash scripts/ops/sweep-cf-orphans.sh --execute
+          fi

.gitea/workflows/sweep-cf-tunnels.yml

@@ -0,0 +1,128 @@
+name: Sweep stale Cloudflare Tunnels
+
+# Ported from .github/workflows/sweep-cf-tunnels.yml on 2026-05-11 per RFC
+# internal#219 §1 sweep. Differences from the GitHub version:
+#   - Dropped `workflow_dispatch.inputs` (Gitea 1.22.6 parser rejects them
+#     per feedback_gitea_workflow_dispatch_inputs_unsupported).
+#   - Dropped `merge_group:` (no Gitea merge queue).
+#   - Dropped `environment:` blocks (Gitea has no environments).
+#   - Workflow-level env.GITHUB_SERVER_URL pinned per
+#     feedback_act_runner_github_server_url.
+#   - `continue-on-error: true` on each job (RFC §1 contract).
+#
+
+# Janitor for Cloudflare Tunnels whose backing tenant no longer
+# exists. Parallel-shape to sweep-cf-orphans.yml (which sweeps DNS
+# records); same justification, different CF resource.
+#
+# Why this exists separately from sweep-cf-orphans:
+#   - DNS records live on the zone (`/zones/<id>/dns_records`).
+#   - Tunnels live on the account (`/accounts/<id>/cfd_tunnel`).
+#   - Different CF API surface, different scopes; the existing CF
+#     token might not have `account:cloudflare_tunnel:edit`. Splitting
+#     the workflows keeps each one's secret-presence gate independent
+#     so neither silent-skips when the other's secret is missing.
+#   - Cleaner blast radius — operators can disable one without the
+#     other if a regression surfaces.
+#
+# Safety: the script's MAX_DELETE_PCT gate (default 90% — higher than
+# the DNS sweep's 50% because tenant-shaped tunnels are mostly
+# orphans by design) refuses to nuke past the threshold.
+
+on:
+  schedule:
+    # Hourly at :45 — offset from sweep-cf-orphans (:15) so the two
+    # janitors don't issue parallel CF API bursts at the same minute.
+    - cron: '45 * * * *'
+# Don't let two sweeps race the same account.
+concurrency:
+  group: sweep-cf-tunnels
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+
+env:
+  GITHUB_SERVER_URL: https://git.moleculesai.app
+
+jobs:
+  sweep:
+    name: Sweep CF tunnels
+    runs-on: ubuntu-latest
+    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
+    continue-on-error: true
+    # 30 min cap. Was 5 min on the theory that the only thing that
+    # could take >5min is a CF-API hang — but on 2026-05-02 a backlog
+    # of 672 stale tunnels accumulated (large staging E2E run + delayed
+    # sweep) and the serial `curl -X DELETE` loop (~0.7s/tunnel) needed
+    # ~7-8min to drain. The 5-min cap killed the run mid-sweep
+    # (cancelled at 424/672, see run 25248788312); a manual rerun
+    # finished the remainder fine.
+    #
+    # The fix is two-part: parallelize the delete loop (8-way xargs in
+    # the script — see scripts/ops/sweep-cf-tunnels.sh), AND raise the
+    # cap so a one-off backlog doesn't trip a hangs-detector that
+    # turned out to be a real-job-too-slow detector. With 8-way
+    # parallelism, 600+ tunnels drains in ~60s; 30 min is generous
+    # headroom for actual hangs to still surface (and is in line with
+    # the sweep-cf-orphans companion job).
+    timeout-minutes: 30
+    env:
+      CF_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
+      CF_ACCOUNT_ID: ${{ secrets.CF_ACCOUNT_ID }}
+      CP_PROD_ADMIN_TOKEN: ${{ secrets.CP_PROD_ADMIN_TOKEN }}
+      CP_STAGING_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_TOKEN }}
+      MAX_DELETE_PCT: ${{ github.event.inputs.max_delete_pct || '90' }}
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Verify required secrets present
+        id: verify
+        # Schedule-vs-dispatch behaviour split mirrors sweep-cf-orphans
+        # (hardened 2026-04-28 after the silent-no-op incident: the
+        # janitor reported green while doing nothing because secrets
+        # were unset, masking a 152/200 zone-record leak). Same
+        # principle applies here:
+        #   - schedule → exit 1 on missing secrets (red CI surfaces it)
+        #   - workflow_dispatch → exit 0 with warning (operator-driven,
+        #     they already accepted the repo state)
+        run: |
+          missing=()
+          for var in CF_API_TOKEN CF_ACCOUNT_ID CP_PROD_ADMIN_TOKEN CP_STAGING_ADMIN_TOKEN; do
+            if [ -z "${!var:-}" ]; then
+              missing+=("$var")
+            fi
+          done
+          if [ ${#missing[@]} -gt 0 ]; then
+            if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+              echo "::warning::skipping sweep — secrets not configured: ${missing[*]}"
+              echo "::warning::set them at Settings → Secrets and Variables → Actions, then rerun."
+              echo "::warning::CF_API_TOKEN must include account:cloudflare_tunnel:edit scope (separate from the zone:dns:edit scope used by sweep-cf-orphans)."
+              echo "skip=true" >> "$GITHUB_OUTPUT"
+              exit 0
+            fi
+            echo "::error::sweep cannot run — required secrets missing: ${missing[*]}"
+            echo "::error::set them at Settings → Secrets and Variables → Actions, or disable this workflow."
+            echo "::error::CF_API_TOKEN must include account:cloudflare_tunnel:edit scope."
+            exit 1
+          fi
+          echo "All required secrets present ✓"
+          echo "skip=false" >> "$GITHUB_OUTPUT"
+
+      - name: Run sweep
+        if: steps.verify.outputs.skip != 'true'
+        # Schedule-vs-dispatch dry-run asymmetry mirrors sweep-cf-orphans:
+        #   - Scheduled: input empty → "false" → --execute (the whole
+        #     point of an hourly janitor).
+        #   - Manual workflow_dispatch: input default true → dry-run;
+        #     operator must flip it to actually delete.
+        run: |
+          set -euo pipefail
+          if [ "${{ github.event.inputs.dry_run || 'false' }}" = "true" ]; then
+            echo "Running in dry-run mode — no deletions"
+            bash scripts/ops/sweep-cf-tunnels.sh
+          else
+            echo "Running with --execute — will delete identified orphans"
+            bash scripts/ops/sweep-cf-tunnels.sh --execute
+          fi

.gitea/workflows/sweep-stale-e2e-orgs.yml

@@ -0,0 +1,243 @@
+name: Sweep stale e2e-* orgs (staging)
+
+# Ported from .github/workflows/sweep-stale-e2e-orgs.yml on 2026-05-11 per RFC
+# internal#219 §1 sweep. Differences from the GitHub version:
+#   - Dropped `workflow_dispatch.inputs` (Gitea 1.22.6 parser rejects them
+#     per feedback_gitea_workflow_dispatch_inputs_unsupported).
+#   - Dropped `merge_group:` (no Gitea merge queue).
+#   - Dropped `environment:` blocks (Gitea has no environments).
+#   - Workflow-level env.GITHUB_SERVER_URL pinned per
+#     feedback_act_runner_github_server_url.
+#   - `continue-on-error: true` on each job (RFC §1 contract).
+#
+
+# Janitor for staging tenants left behind when E2E cleanup didn't run:
+# CI cancellations, runner crashes, transient AWS errors mid-cascade,
+# bash trap missed (signal 9), etc. Without this loop, every failed
+# teardown leaks an EC2 + DNS + DB row until manual ops cleanup —
+# 2026-04-23 staging hit the 64 vCPU AWS quota from ~27 such orphans.
+#
+# Why not rely on per-test-run teardown:
+#   - Per-run teardown is best-effort by definition. Any process death
+#     after the test starts but before the trap fires leaves debris.
+#   - GH Actions cancellation kills the runner without grace period.
+#     The workflow's `if: always()` step usually catches this, but it
+#     too can fail (CP transient 5xx, runner network issue at the
+#     wrong moment).
+#   - Even when teardown runs, the CP cascade is best-effort in places
+#     (cascadeTerminateWorkspaces logs+continues; DNS deletion same).
+#   - This sweep is the catch-all that converges staging back to clean
+#     regardless of which specific path leaked.
+#
+# The PROPER fix is making CP cleanup transactional + verify-after-
+# terminate (filed separately as cleanup-correctness work). This
+# workflow is the safety net that catches everything else AND any
+# future leak source we haven't yet identified.
+
+on:
+  schedule:
+    # Every 15 min. E2E orgs are short-lived (~8-25 min wall clock from
+    # create to teardown — canary is ~8 min, full SaaS ~25 min). The
+    # previous hourly + 120-min stale threshold meant a leaked tenant
+    # could keep an EC2 alive for up to 2 hours, eating ~2 vCPU per
+    # leak. Tightening the cadence + threshold reduces the worst-case
+    # leak window from 120 min to ~45 min (15-min sweep cadence + 30-min
+    # threshold) without risk of catching in-progress runs (the longest
+    # e2e run is the 25-min canary, well under the 30-min threshold).
+    # See molecule-controlplane#420 for the leak-class accounting that
+    # motivated this tightening.
+    - cron: '*/15 * * * *'
+# Don't let two sweeps fight. Cron + workflow_dispatch could overlap
+# on a manual trigger; queue rather than parallel-delete.
+concurrency:
+  group: sweep-stale-e2e-orgs
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+
+env:
+  GITHUB_SERVER_URL: https://git.moleculesai.app
+
+jobs:
+  sweep:
+    name: Sweep e2e orgs
+    runs-on: ubuntu-latest
+    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
+    continue-on-error: true
+    timeout-minutes: 15
+    env:
+      MOLECULE_CP_URL: https://staging-api.moleculesai.app
+      ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
+      MAX_AGE_MINUTES: ${{ github.event.inputs.max_age_minutes || '30' }}
+      DRY_RUN: ${{ github.event.inputs.dry_run || 'false' }}
+      # Refuse to delete more than this many orgs in one tick. If the
+      # CP DB is briefly empty (or the admin endpoint goes weird and
+      # returns no created_at), every e2e- org would look stale.
+      # Bailing protects against runaway nukes.
+      SAFETY_CAP: 50
+
+    steps:
+      - name: Verify admin token present
+        run: |
+          if [ -z "$ADMIN_TOKEN" ]; then
+            echo "::error::MOLECULE_STAGING_ADMIN_TOKEN not set"
+            exit 2
+          fi
+          echo "Admin token present ✓"
+
+      - name: Identify stale e2e orgs
+        id: identify
+        run: |
+          set -euo pipefail
+          # Fetch into a file so the python step reads it via stdin —
+          # cleaner than embedding $(curl ...) into a heredoc.
+          curl -sS --fail-with-body --max-time 30 \
+            "$MOLECULE_CP_URL/cp/admin/orgs?limit=500" \
+            -H "Authorization: Bearer $ADMIN_TOKEN" \
+            > orgs.json
+
+          # Filter:
+          #   1. slug starts with one of the ephemeral test prefixes:
+          #        - 'e2e-'    — covers e2e-canary-, e2e-canvas-*, etc.
+          #        - 'rt-e2e-' — runtime-test harness fixtures (RFC #2251);
+          #                      missing this prefix left two such tenants
+          #                      orphaned 8h on staging (2026-05-03), then
+          #                      hard-failed redeploy-tenants-on-staging
+          #                      and broke the staging→main auto-promote
+          #                      chain. Kept in sync with the EPHEMERAL_PREFIX_RE
+          #                      regex in redeploy-tenants-on-staging.yml.
+          #   2. created_at is older than MAX_AGE_MINUTES ago
+          # Output one slug per line to a file the next step reads.
+          python3 > stale_slugs.txt <<'PY'
+          import json, os
+          from datetime import datetime, timezone, timedelta
+          # SSOT for this list lives in the controlplane Go code:
+          # molecule-controlplane/internal/slugs/ephemeral.go
+          # (var EphemeralPrefixes). The redeploy-fleet auto-rollout
+          # also reads from there to SKIP these slugs — without that
+          # filter, fleet redeploy SSM-failed in-flight E2E tenants
+          # whose containers were still booting, breaking the test
+          # that just spun them up (molecule-controlplane#493).
+          # Update both files together.
+          EPHEMERAL_PREFIXES = ("e2e-", "rt-e2e-")
+          with open("orgs.json") as f:
+              data = json.load(f)
+          max_age = int(os.environ["MAX_AGE_MINUTES"])
+          cutoff = datetime.now(timezone.utc) - timedelta(minutes=max_age)
+          for o in data.get("orgs", []):
+              slug = o.get("slug", "")
+              if not slug.startswith(EPHEMERAL_PREFIXES):
+                  continue
+              created = o.get("created_at")
+              if not created:
+                  # Defensively skip rows without created_at — better
+                  # to leave one orphan than nuke a brand-new row
+                  # whose timestamp didn't render.
+                  continue
+              # Python 3.11+ handles RFC3339 with Z directly via
+              # fromisoformat; older runners need the trailing Z swap.
+              created_dt = datetime.fromisoformat(created.replace("Z", "+00:00"))
+              if created_dt < cutoff:
+                  print(slug)
+          PY
+
+          count=$(wc -l < stale_slugs.txt | tr -d ' ')
+          echo "Found $count stale e2e org(s) older than ${MAX_AGE_MINUTES}m"
+          if [ "$count" -gt 0 ]; then
+            echo "First 20:"
+            head -20 stale_slugs.txt | sed 's/^/  /'
+          fi
+          echo "count=$count" >> "$GITHUB_OUTPUT"
+
+      - name: Safety gate
+        if: steps.identify.outputs.count != '0'
+        run: |
+          count="${{ steps.identify.outputs.count }}"
+          if [ "$count" -gt "$SAFETY_CAP" ]; then
+            echo "::error::Refusing to delete $count orgs in one sweep (cap=$SAFETY_CAP). Investigate manually — this usually means the CP admin API returned no created_at or returned a degraded result. Re-run with workflow_dispatch + max_age_minutes if intentional."
+            exit 1
+          fi
+          echo "Within safety cap ($count ≤ $SAFETY_CAP) ✓"
+
+      - name: Delete stale orgs
+        if: steps.identify.outputs.count != '0' && env.DRY_RUN != 'true'
+        run: |
+          set -uo pipefail
+          deleted=0
+          failed=0
+          while IFS= read -r slug; do
+            [ -z "$slug" ] && continue
+            # The DELETE handler requires {"confirm": "<slug>"} matching
+            # the URL slug — fat-finger guard. Idempotent: re-issuing
+            # picks up via org_purges.last_step.
+            # Tempfile-routed -w + set +e/-e prevents curl-exit-code
+            # pollution of the captured status (lint-curl-status-capture.yml).
+            set +e
+            curl -sS -o /tmp/del_resp -w "%{http_code}" \
+              --max-time 60 \
+              -X DELETE "$MOLECULE_CP_URL/cp/admin/tenants/$slug" \
+              -H "Authorization: Bearer $ADMIN_TOKEN" \
+              -H "Content-Type: application/json" \
+              -d "{\"confirm\":\"$slug\"}" >/tmp/del_code
+            set -e
+            # Stderr from curl (-sS shows dial errors etc.) goes to runner log.
+            http_code=$(cat /tmp/del_code 2>/dev/null || echo "000")
+            if [ "$http_code" = "200" ] || [ "$http_code" = "204" ]; then
+              deleted=$((deleted+1))
+              echo "  deleted: $slug"
+            else
+              failed=$((failed+1))
+              echo "  FAILED ($http_code): $slug — $(cat /tmp/del_resp 2>/dev/null | head -c 200)"
+            fi
+          done < stale_slugs.txt
+          echo ""
+          echo "Sweep summary: deleted=$deleted failed=$failed"
+          # Don't fail the workflow on per-org delete errors — the
+          # sweeper is best-effort. Next hourly tick re-attempts. We
+          # only fail loud at the safety-cap gate above.
+
+      - name: Sweep orphan tunnels
+        # Stale-org cleanup deletes the org (which cascades to tunnel
+        # delete inside the CP). But when that cascade fails partway —
+        # CP transient 5xx after the org row is deleted but before the
+        # CF tunnel delete completes — the tunnel persists with no
+        # matching org row. The reconciler in internal/sweep flags this
+        # as `cf_tunnel kind=orphan`, but nothing automatically reaps it.
+        #
+        # `/cp/admin/orphan-tunnels/cleanup` is the operator-triggered
+        # reaper. Calling it here at the end of every sweep tick
+        # converges the staging CF account to clean even when CP
+        # cascades half-fail.
+        #
+        # PR #492 made the underlying DeleteTunnel actually check
+        # status — pre-fix it silent-succeeded on CF code 1022
+        # ("active connections"), so this step would have been a no-op
+        # against stuck connectors. Post-fix the cleanup invokes
+        # CleanupTunnelConnections + retry, which actually clears the
+        # 1022 case. (#2987)
+        #
+        # Best-effort. Failure here doesn't fail the workflow — next
+        # tick re-attempts. Errors flow to step output for ops review.
+        if: env.DRY_RUN != 'true'
+        run: |
+          set +e
+          curl -sS -o /tmp/cleanup_resp -w "%{http_code}" \
+            --max-time 60 \
+            -X POST "$MOLECULE_CP_URL/cp/admin/orphan-tunnels/cleanup" \
+            -H "Authorization: Bearer $ADMIN_TOKEN" >/tmp/cleanup_code
+          set -e
+          http_code=$(cat /tmp/cleanup_code 2>/dev/null || echo "000")
+          body=$(cat /tmp/cleanup_resp 2>/dev/null | head -c 500)
+          if [ "$http_code" = "200" ]; then
+            count=$(echo "$body" | python3 -c "import sys,json; d=json.loads(sys.stdin.read() or '{}'); print(d.get('deleted_count', 0))" 2>/dev/null || echo "0")
+            failed_n=$(echo "$body" | python3 -c "import sys,json; d=json.loads(sys.stdin.read() or '{}'); print(len(d.get('failed') or {}))" 2>/dev/null || echo "0")
+            echo "Orphan-tunnel sweep: deleted=$count failed=$failed_n"
+          else
+            echo "::warning::orphan-tunnels cleanup returned HTTP $http_code — body: $body"
+          fi
+
+      - name: Dry-run summary
+        if: env.DRY_RUN == 'true'
+        run: |
+          echo "DRY RUN — would have deleted ${{ steps.identify.outputs.count }} org(s) AND triggered orphan-tunnels cleanup. Re-run with dry_run=false to actually delete."

.github/workflows/auto-tag-runtime.yml

@@ -1,138 +0,0 @@
-name: auto-tag-runtime
-
-# Auto-tag runtime releases on every merge to main that touches workspace/.
-# This is the entry point of the runtime CD chain:
-#
-#   merge PR → auto-tag-runtime (this) → publish-runtime → cascade → template
-#   image rebuilds → repull on hosts.
-#
-# Default bump is patch. Override via PR label `release:minor` or
-# `release:major` BEFORE merging — the label is read off the merged PR
-# associated with the push commit.
-#
-# Skips when:
-#   - The push isn't to main (other branches don't auto-release).
-#   - The merge commit message contains `[skip-release]` (escape hatch
-#     for cleanup PRs that touch workspace/ but shouldn't ship).
-
-on:
-  push:
-    branches: [main]
-    paths:
-      - "workspace/**"
-      - "scripts/build_runtime_package.py"
-      - ".github/workflows/auto-tag-runtime.yml"
-      - ".github/workflows/publish-runtime.yml"
-
-permissions:
-  contents: write    # to push the new tag
-  pull-requests: read # to read labels off the merged PR
-
-concurrency:
-  # Serialize tag bumps so two near-simultaneous merges can't both think
-  # they're 0.1.6 and race to push the same tag.
-  group: auto-tag-runtime
-  cancel-in-progress: false
-
-jobs:
-  tag:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0    # need full tag history for `git describe` / sort
-
-      - name: Skip when commit asks
-        id: skip
-        run: |
-          MSG=$(git log -1 --format=%B "${{ github.sha }}")
-          if echo "$MSG" | grep -qiE '\[skip-release\]|\[no-release\]'; then
-            echo "skip=true" >> "$GITHUB_OUTPUT"
-            echo "Commit message contains [skip-release] — no tag will be created."
-          else
-            echo "skip=false" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Determine bump kind from PR label
-        id: bump
-        if: steps.skip.outputs.skip != 'true'
-        env:
-          # Gitea-shape token (act_runner forwards GITHUB_TOKEN as a
-          # short-lived per-run secret with read access to this repo).
-          # We hit `/api/v1/repos/.../pulls?state=closed` directly
-          # because `gh pr list` calls Gitea's GraphQL endpoint, which
-          # returns HTTP 405 (issue #75 / post-#66 sweep).
-          GITEA_TOKEN: ${{ github.token }}
-          REPO: ${{ github.repository }}
-          GITEA_API_URL: ${{ github.server_url }}/api/v1
-          PUSH_SHA: ${{ github.sha }}
-        run: |
-          # Find the merged PR whose merge_commit_sha matches this push.
-          # Gitea's `/repos/{owner}/{repo}/pulls?state=closed` returns
-          # PRs sorted newest-first; we paginate up to 50 and jq-filter
-          # on `merge_commit_sha == PUSH_SHA`. Bounded — auto-tag fires
-          # per push to main, so the matching PR is always among the
-          # most recent closures. 50 is comfortably more than the
-          # ~10-20 staging→main promotes that close in any reasonable
-          # window.
-          set -euo pipefail
-          PRS_JSON=$(curl --fail-with-body -sS \
-            -H "Authorization: token ${GITEA_TOKEN}" \
-            -H "Accept: application/json" \
-            "${GITEA_API_URL}/repos/${REPO}/pulls?state=closed&sort=newest&limit=50" \
-            2>/dev/null || echo "[]")
-          PR=$(printf '%s' "$PRS_JSON" \
-            | jq -c --arg sha "$PUSH_SHA" \
-                '[.[] | select(.merged_at != null and .merge_commit_sha == $sha)] | .[0] // empty')
-          if [ -z "$PR" ] || [ "$PR" = "null" ]; then
-            echo "No merged PR found for ${PUSH_SHA} — defaulting to patch bump."
-            echo "kind=patch" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          # Gitea returns labels under `.labels[].name`, same shape as
-          # GitHub's REST. The previous `gh pr list --json number,labels`
-          # output was identical; jq filter unchanged.
-          LABELS=$(printf '%s' "$PR" | jq -r '.labels[]?.name // empty')
-          if echo "$LABELS" | grep -qx 'release:major'; then
-            echo "kind=major" >> "$GITHUB_OUTPUT"
-          elif echo "$LABELS" | grep -qx 'release:minor'; then
-            echo "kind=minor" >> "$GITHUB_OUTPUT"
-          else
-            echo "kind=patch" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Compute next version from latest runtime-v* tag
-        id: version
-        if: steps.skip.outputs.skip != 'true'
-        run: |
-          # Find the highest runtime-vX.Y.Z tag. `sort -V` handles semver
-          # ordering; `grep` filters to the right tag prefix.
-          LATEST=$(git tag --list 'runtime-v*' | sort -V | tail -1)
-          if [ -z "$LATEST" ]; then
-            # No prior tag — start the runtime line at 0.1.0.
-            CURRENT="0.0.0"
-          else
-            CURRENT="${LATEST#runtime-v}"
-          fi
-          MAJOR=$(echo "$CURRENT" | cut -d. -f1)
-          MINOR=$(echo "$CURRENT" | cut -d. -f2)
-          PATCH=$(echo "$CURRENT" | cut -d. -f3)
-          case "${{ steps.bump.outputs.kind }}" in
-            major) MAJOR=$((MAJOR+1)); MINOR=0; PATCH=0;;
-            minor) MINOR=$((MINOR+1)); PATCH=0;;
-            patch) PATCH=$((PATCH+1));;
-          esac
-          NEW="$MAJOR.$MINOR.$PATCH"
-          echo "current=$CURRENT" >> "$GITHUB_OUTPUT"
-          echo "new=$NEW" >> "$GITHUB_OUTPUT"
-          echo "Bumping runtime $CURRENT → $NEW (${{ steps.bump.outputs.kind }})"
-
-      - name: Push new tag
-        if: steps.skip.outputs.skip != 'true'
-        run: |
-          NEW_TAG="runtime-v${{ steps.version.outputs.new }}"
-          git config user.name "github-actions[bot]"
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git tag -a "$NEW_TAG" -m "runtime $NEW_TAG (auto-bump from ${{ steps.bump.outputs.kind }})"
-          git push origin "$NEW_TAG"
-          echo "Pushed $NEW_TAG — publish-runtime workflow will fire on the tag."

.github/workflows/branch-protection-drift.yml

@@ -1,111 +0,0 @@
-name: branch-protection drift check
-
-# Catches out-of-band edits to branch protection (UI clicks, manual gh
-# api PATCH from a one-off ops session) by comparing live state against
-# tools/branch-protection/apply.sh's desired state every day. Fails the
-# workflow when they drift; the failure is the signal.
-#
-# When it fails: re-run apply.sh to put the live state back to the
-# script's intent, OR update apply.sh to encode the new intent and
-# commit. Either way the script is the source of truth.
-
-on:
-  schedule:
-    # 14:00 UTC daily. Off-hours for most teams; gives a fresh signal
-    # at the start of every working day.
-    - cron: '0 14 * * *'
-  workflow_dispatch:
-  pull_request:
-    branches: [staging, main]
-    paths:
-      - 'tools/branch-protection/**'
-      - '.github/workflows/**'
-      - '.github/workflows/branch-protection-drift.yml'
-
-permissions:
-  contents: read
-
-jobs:
-  drift:
-    name: Branch protection drift
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      # Token strategy by trigger:
-      #
-      # - schedule (daily canary): hard-fail when the admin token is
-      #   missing. This is the *only* trigger where silent soft-skip is
-      #   dangerous — a missing secret on the cron run means the drift
-      #   gate has effectively disappeared with no human in the loop to
-      #   notice. Per feedback_schedule_vs_dispatch_secrets_hardening.md
-      #   the rule is "schedule/automated triggers must hard-fail".
-      #
-      # - pull_request (touching tools/branch-protection/**): soft-skip
-      #   with a prominent warning. A PR cannot retroactively drift the
-      #   live state — drift happens *between* PRs (UI clicks, manual
-      #   gh api PATCH) and is the schedule's job to catch. The PR-time
-      #   gate would only catch typos in apply.sh, which the apply.sh
-      #   *_payload unit tests catch better. A human is reviewing the
-      #   PR and will see the warning in the workflow log.
-      #
-      # - workflow_dispatch (operator one-off): soft-skip with warning,
-      #   so an operator can run a diagnostic without configuring the
-      #   secret first.
-      - name: Verify admin token present (hard-fail on schedule only)
-        env:
-          GH_TOKEN_FOR_ADMIN_API: ${{ secrets.GH_TOKEN_FOR_ADMIN_API }}
-        run: |
-          if [[ -n "$GH_TOKEN_FOR_ADMIN_API" ]]; then
-            echo "GH_TOKEN_FOR_ADMIN_API present — drift_check will run with admin scope."
-            exit 0
-          fi
-          if [[ "${{ github.event_name }}" == "schedule" ]]; then
-            echo "::error::GH_TOKEN_FOR_ADMIN_API secret missing on the daily canary." >&2
-            echo "" >&2
-            echo "The schedule run is the SoT for branch-protection drift detection." >&2
-            echo "Without admin scope it silently passes, hiding any out-of-band edits." >&2
-            echo "Set GH_TOKEN_FOR_ADMIN_API at Settings → Secrets and variables → Actions." >&2
-            exit 1
-          fi
-          echo "::warning::GH_TOKEN_FOR_ADMIN_API secret missing — drift_check will be SKIPPED."
-          echo "::warning::PR drift checks need repo-admin scope to read /branches/:b/protection."
-          echo "::warning::This is non-fatal: the daily schedule run is the canonical drift gate."
-          echo "SKIP_DRIFT_CHECK=1" >> "$GITHUB_ENV"
-
-      - name: Run drift check
-        if: env.SKIP_DRIFT_CHECK != '1'
-        env:
-          # Repo-admin scope, needed for /branches/:b/protection.
-          GH_TOKEN: ${{ secrets.GH_TOKEN_FOR_ADMIN_API }}
-        run: bash tools/branch-protection/drift_check.sh
-
-      # Self-test the parity script before running it on the real
-      # workflows — pins the script's classification logic against
-      # synthetic safe/unsafe/missing/unsafe-mix/matrix fixtures so a
-      # regression in the script can't false-pass on the production
-      # workflow audit. Cheap (~0.5s); always runs.
-      - name: Self-test check-name parity script
-        run: bash tools/branch-protection/test_check_name_parity.sh
-
-      # Check-name parity gate (#144 / saved memory
-      # feedback_branch_protection_check_name_parity).
-      #
-      # drift_check.sh asserts the live branch protection matches what
-      # apply.sh would set; check_name_parity.sh closes the orthogonal
-      # gap: it asserts every required check name in apply.sh maps to a
-      # workflow job whose "always emits this status" shape is intact.
-      #
-      # The two checks fail in different scenarios:
-      #
-      #   - drift_check fails → live state was rewritten out-of-band
-      #     (UI click, manual PATCH).
-      #   - check_name_parity fails → an apply.sh required name has no
-      #     emitter, OR the emitting workflow has a top-level paths:
-      #     filter without per-step if-gates (the silent-block shape).
-      #
-      # Cheap (~1s); runs without the admin token because it only reads
-      # apply.sh + .github/workflows/ from the checkout.
-      - name: Run check-name parity gate
-        run: bash tools/branch-protection/check_name_parity.sh

.github/workflows/check-merge-group-trigger.yml

@@ -1,48 +0,0 @@
-name: Check merge_group trigger on required workflows
-
-# Pre-merge guard against the deadlock pattern where a workflow whose
-# check is in `required_status_checks` lacks a `merge_group:` trigger.
-# Without it, GitHub merge queue stalls forever in AWAITING_CHECKS
-# because the required check can't fire on `gh-readonly-queue/...` refs.
-#
-# This workflow:
-#   1. Lists required status checks on the branch protection rule for `staging`
-#   2. For each required check, finds the workflow that produces it (by job
-#      name match)
-#   3. Fails if any such workflow lacks `merge_group:` in its triggers
-#
-# Reasoning for staging-only: main has its own CI gating model (PR review),
-# but staging is what the merge queue runs on, so it's the trigger that
-# matters.
-#
-# Gitea stub: Gitea has no merge queue feature and no `merge_group:`
-# event type. The linter would find no `merge_group:` triggers to verify
-# (they don't exist on Gitea), so the lint is vacuously satisfied.
-# Converting to a no-op stub keeps the workflow+job name stable for any
-# commit-status context consumers while eliminating the `gh api` call
-# that fails against Gitea's REST surface (#75 / PR-D).
-
-on:
-  pull_request:
-    paths:
-      - '.github/workflows/**.yml'
-      - '.github/workflows/**.yaml'
-  push:
-    branches: [staging, main]
-    paths:
-      - '.github/workflows/**.yml'
-      - '.github/workflows/**.yaml'
-
-jobs:
-  check:
-    name: Required workflows have merge_group trigger
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - name: Gitea no-op (merge queue not applicable)
-        run: |
-          echo "Gitea Actions — merge queue not supported; no-op."
-          echo "On GitHub this workflow lints that required-check workflows declare"
-          echo "merge_group: triggers to prevent queue deadlock. On Gitea that"
-          echo "constraint is inapplicable — all workflows pass vacuously."

.github/workflows/ci.yml

@@ -365,7 +365,7 @@ jobs:
           cache: pip
           cache-dependency-path: workspace/requirements.txt
       - if: needs.changes.outputs.python == 'true'
-        run: pip install -r requirements.txt pytest pytest-asyncio pytest-cov
+        run: pip install -r requirements.txt pytest pytest-asyncio pytest-cov sqlalchemy>=2.0.0
       # Coverage flags + fail-under floor moved into workspace/pytest.ini
       # (issue #1817) so local `pytest` and CI use identical config.
       - if: needs.changes.outputs.python == 'true'

.github/workflows/codeql.yml

@@ -1,136 +0,0 @@
-name: CodeQL
-
-# Stub workflow — CodeQL Action is structurally incompatible with Gitea
-# Actions (post-2026-05-06 SCM migration off GitHub).
-#
-# Why this is a stub, not a real CodeQL run:
-#
-# 1. github/codeql-action/init@v4 hits api.github.com endpoints
-#    (CodeQL CLI bundle download + query-pack registry + telemetry)
-#    that Gitea 1.22.x does NOT proxy. The act_runner has
-#    GITHUB_SERVER_URL=https://git.moleculesai.app correctly set
-#    (per saved memory feedback_act_runner_github_server_url and
-#    /config.yaml on the operator host), but the Gitea API surface
-#    simply does not implement the codeql-action bundle endpoints.
-#    Observed in run 1d/3101 (2026-05-07): "::error::404 page not
-#    found" inside the Initialize CodeQL step, before any analysis.
-#
-# 2. PR #35 attempted to mark `continue-on-error: true` at the JOB
-#    level (correct YAML structure). Gitea 1.22.6 does NOT propagate
-#    job-level continue-on-error to the commit-status API — every
-#    matrix leg still posts `failure` to the status surface, which
-#    keeps OVERALL=failure on every push to main + staging and
-#    blocks visual auto-promote signals (#156).
-#
-# 3. Hongming policy decision (2026-05-07, task #156): CodeQL is
-#    ADVISORY, not blocking, on Gitea Actions. We do not block PR
-#    merge or staging→main promotion on CodeQL findings until we
-#    have a Gitea-compatible static-analysis pipeline.
-#
-# What this stub preserves:
-#
-# - Workflow name `CodeQL` (referenced by auto-promote-staging.yml
-#   line 67 as a workflow_run gate — must stay stable).
-# - Job name template `Analyze (${{ matrix.language }})` and the
-#   3-leg matrix (go, javascript-typescript, python). Branch
-#   protection / required-check parity (#144) keys on these
-#   exact context names.
-# - merge_group + push + pull_request + schedule triggers, so the
-#   merge-queue check name still resolves (per saved memory
-#   feedback_branch_protection_check_name_parity).
-#
-# Re-enabling real analysis (future work):
-#
-# - Option A: self-hosted Semgrep / OpenGrep via a custom action
-#   that doesn't hit api.github.com. Tracked behind #156 follow-up.
-# - Option B: Sonatype Nexus IQ or similar, called from a step
-#   that uses the Gitea-issued token only.
-# - Option C: re-host this workflow on a small GitHub mirror used
-#   ONLY for SAST (push-mirrored from Gitea). Acceptable trade-off
-#   if/when payment is restored on a non-suspended GitHub org —
-#   but per saved memory feedback_no_single_source_of_truth, we
-#   should design for multi-vendor backup, not GitHub-only SAST.
-#
-# Until one of those lands, this stub keeps commit-status green so
-# the auto-promote chain isn't permanently red on a tool we cannot
-# actually run.
-#
-# Security policy: ADVISORY. We accept the residual risk of un-scanned
-# pushes during this window. Compensating controls in place:
-#   - secret-scan.yml runs on every push (active, blocks on hits)
-#   - block-internal-paths.yml blocks forbidden file paths
-#   - lint-curl-status-capture.yml catches one specific class of bug
-#   - branch-protection-drift.yml + the merge_group required-checks
-#     parity keep the gate surface stable
-# These are not equivalent to CodeQL coverage. Status of the
-# replacement plan is tracked in #156.
-
-on:
-  push:
-    branches: [main, staging]
-  pull_request:
-    branches: [main, staging]
-  # Required so the matrix legs emit a real result on the queued
-  # commit instead of a false-green when merge queue is enabled.
-  # Per saved memory feedback_branch_protection_check_name_parity:
-  # path-filtered / matrix workflows MUST emit the protected name
-  # via a job that always runs.
-  merge_group:
-    types: [checks_requested]
-  schedule:
-    # Weekly heartbeat. Cheap on a stub (the no-op job is ~5s) but
-    # keeps the workflow visible in Gitea's Actions UI so the next
-    # operator notices it's a stub instead of a missing surface.
-    - cron: '30 1 * * 0'
-
-# Workflow-level concurrency: only one stub run per branch/PR at a
-# time. cancel-in-progress: false because a quick follow-up push
-# shouldn't kill an in-flight run — even though the stub is fast,
-# the contract should match a real CodeQL run for when we re-enable.
-concurrency:
-  group: codeql-${{ github.ref }}
-  cancel-in-progress: false
-
-permissions:
-  actions: read
-  contents: read
-  # No security-events: write — we don't call the upload API anyway,
-  # GHAS isn't on Gitea.
-
-jobs:
-  analyze:
-    # Job NAME shape is load-bearing — auto-promote-staging.yml +
-    # branch protection both key on `Analyze (${{ matrix.language }})`.
-    # Do NOT rename without coordinating both surfaces.
-    name: Analyze (${{ matrix.language }})
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [go, javascript-typescript, python]
-
-    steps:
-      # Single-step stub: log the policy decision + emit success.
-      # Exit 0 explicitly so the commit-status API records `success`
-      # for each of the three matrix legs.
-      - name: CodeQL stub (advisory, non-blocking on Gitea)
-        shell: bash
-        run: |
-          set -euo pipefail
-          cat <<EOF
-          CodeQL is currently ADVISORY on Gitea Actions (post-2026-05-06).
-          Language matrix leg: ${{ matrix.language }}
-          Reason: github/codeql-action/init@v4 calls api.github.com
-                  bundle endpoints that Gitea 1.22.x does not implement.
-                  Observed: "::error::404 page not found" in the Init
-                  CodeQL step on every prior run.
-          Policy: per Hongming decision 2026-05-07 (#156), CodeQL is
-                  non-blocking until a Gitea-compatible SAST pipeline
-                  lands. See workflow file header for replacement
-                  options + compensating controls.
-          Status: emitting success so auto-promote isn't permanently
-                  red on a tool we cannot actually run today.
-          EOF
-          echo "::notice::CodeQL ${{ matrix.language }} — advisory stub, success."

.github/workflows/pr-guards.yml

@@ -1,63 +0,0 @@
-name: pr-guards
-
-# PR-time guards. Today the only guard is "disable auto-merge when a
-# new commit is pushed after auto-merge was enabled" — added 2026-04-27
-# after PR #2174 auto-merged with only its first commit because the
-# second commit was pushed after the merge queue had locked the PR's
-# SHA.
-#
-# Why this is inlined (not delegated to molecule-ci's reusable
-# workflow): the reusable workflow uses `gh pr merge --disable-auto`,
-# which calls GitHub's GraphQL API. Gitea has no GraphQL endpoint and
-# returns HTTP 405 on /api/graphql, so the job failed on every Gitea
-# PR push since the 2026-05-06 migration. Gitea also has no `--auto`
-# merge primitive that this job could be acting on, so the right
-# behaviour on Gitea is "no-op + green status" — not a 405.
-#
-# Inlining (vs. an `if:` on the `uses:` line) keeps the job ALWAYS
-# running, which matters for branch protection: required-check names
-# need a job that emits SUCCESS terminal state, not SKIPPED. See
-# `feedback_branch_protection_check_name_parity` and `feedback_pr_merge_safety_guards`.
-#
-# Issue #88 item 1.
-
-on:
-  pull_request:
-    types: [synchronize]
-
-permissions:
-  pull-requests: write
-
-jobs:
-  disable-auto-merge-on-push:
-    runs-on: ubuntu-latest
-    steps:
-      # Detect Gitea Actions. act_runner sets GITEA_ACTIONS=true in the
-      # step env on every job. Belt-and-suspenders: also check the repo
-      # url's host, which is independent of any runner-side env config
-      # (covers a future Gitea host where the env var is forgotten).
-      - name: Detect runner host
-        id: host
-        run: |
-          if [[ "${GITEA_ACTIONS:-}" == "true" ]] || [[ "${{ github.server_url }}" == *moleculesai.app* ]] || [[ "${{ github.event.repository.html_url }}" == *moleculesai.app* ]]; then
-            echo "is_gitea=true" >> "$GITHUB_OUTPUT"
-            echo "::notice::Gitea Actions detected — auto-merge gating is not applicable here (Gitea has no --auto merge primitive). Job will no-op."
-          else
-            echo "is_gitea=false" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Disable auto-merge (GitHub only)
-        if: steps.host.outputs.is_gitea != 'true'
-        env:
-          GH_TOKEN: ${{ github.token }}
-          PR: ${{ github.event.pull_request.number }}
-          REPO: ${{ github.repository }}
-          NEW_SHA: ${{ github.sha }}
-        run: |
-          set -eu
-          gh pr merge "$PR" --disable-auto -R "$REPO" || true
-          gh pr comment "$PR" -R "$REPO" --body "🔒 Auto-merge disabled — new commit (\`${NEW_SHA:0:7}\`) pushed after auto-merge was enabled. The merge queue locks SHAs at entry, so subsequent pushes can race. Verify the new commit and re-enable with \`gh pr merge --auto\`."
-
-      - name: Gitea no-op
-        if: steps.host.outputs.is_gitea == 'true'
-        run: echo "Gitea Actions — auto-merge gating not applicable; no-op (job intentionally green so branch protection's required-check name lands SUCCESS)."

.github/workflows/promote-latest.yml

@@ -1,85 +0,0 @@
-name: promote-latest
-
-# Manually retag ghcr.io/molecule-ai/platform:staging-<sha> →  :latest
-# (and the same for the tenant image). Use this to:
-#
-#   1. Promote a :staging-<sha> to prod before the canary fleet is live
-#      (one-off during the initial rollout).
-#   2. Roll back :latest to a prior known-good digest after a bad
-#      promotion slipped past canary (use scripts/rollback-latest.sh
-#      for a local / emergency path; this workflow is for scheduled
-#      or from-browser promotions).
-#
-# Running this workflow needs no extra secrets — GitHub's default
-# GITHUB_TOKEN has write:packages for repo-owned GHCR images, which
-# is all we need for a remote retag via `crane tag`.
-
-on:
-  workflow_dispatch:
-    inputs:
-      sha:
-        description: 'Short sha to promote (e.g. 4c1d56e). Must match an existing :staging-<sha> tag.'
-        required: true
-        type: string
-
-permissions:
-  contents: read
-  packages: write
-
-env:
-  IMAGE_NAME: ghcr.io/molecule-ai/platform
-  TENANT_IMAGE_NAME: ghcr.io/molecule-ai/platform-tenant
-
-jobs:
-  promote:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: imjasonh/setup-crane@6da1ae018866400525525ce74ff892880c099987 # v0.5
-
-      - name: GHCR login
-        run: |
-          echo "${{ secrets.GITHUB_TOKEN }}" \
-            | crane auth login ghcr.io -u "${{ github.actor }}" --password-stdin
-
-      - name: Retag platform image
-        run: |
-          set -eu
-          SRC="${IMAGE_NAME}:staging-${{ inputs.sha }}"
-          if ! crane digest "$SRC" >/dev/null 2>&1; then
-            echo "::error::$SRC not found in registry — double-check the sha."
-            exit 1
-          fi
-          EXPECTED=$(crane digest "$SRC")
-          crane tag "$SRC" latest
-          ACTUAL=$(crane digest "${IMAGE_NAME}:latest")
-          if [ "$ACTUAL" != "$EXPECTED" ]; then
-            echo "::error::retag digest mismatch (expected $EXPECTED, got $ACTUAL)"
-            exit 1
-          fi
-          echo "OK  ${IMAGE_NAME}:latest → $ACTUAL"
-
-      - name: Retag tenant image
-        run: |
-          set -eu
-          SRC="${TENANT_IMAGE_NAME}:staging-${{ inputs.sha }}"
-          if ! crane digest "$SRC" >/dev/null 2>&1; then
-            echo "::error::$SRC not found — tenant image may not have built for this sha."
-            exit 1
-          fi
-          EXPECTED=$(crane digest "$SRC")
-          crane tag "$SRC" latest
-          ACTUAL=$(crane digest "${TENANT_IMAGE_NAME}:latest")
-          if [ "$ACTUAL" != "$EXPECTED" ]; then
-            echo "::error::tenant retag digest mismatch"
-            exit 1
-          fi
-          echo "OK  ${TENANT_IMAGE_NAME}:latest → $ACTUAL"
-
-      - name: Summary
-        run: |
-          {
-            echo "## :latest promoted to staging-${{ inputs.sha }}"
-            echo
-            echo "Both platform + tenant images retagged. Prod tenants"
-            echo "will auto-pull within their 5-min update cycle."
-          } >> "$GITHUB_STEP_SUMMARY"

.github/workflows/publish-runtime.yml

@@ -1,446 +0,0 @@
-name: publish-runtime
-
-# DEPRECATED on Gitea Actions — this file is kept for reference only.
-# Gitea Actions reads .gitea/workflows/, not .github/workflows/.
-# The canonical version is now: .gitea/workflows/publish-runtime.yml
-# That port:
-#   - Drops OIDC trusted publisher (Gitea has no environments/OIDC)
-#   - Uses PYPI_TOKEN secret instead of gh-action-pypi-publish
-#   - Uses ${GITHUB_REF#refs/tags/} instead of github.ref_name
-#   - Drops staging branch trigger (staging branch does not exist)
-#   - Drops merge_group trigger (Gitea has no merge queue)
-#
-# Publishes molecule-ai-workspace-runtime to PyPI from monorepo workspace/.
-# Monorepo workspace/ is the only source-of-truth for runtime code; this
-# workflow is the bridge from monorepo edits to the PyPI artifact that
-# the 8 workspace-template-* repos depend on.
-#
-# Triggered by:
-#   - Pushing a tag matching `runtime-vX.Y.Z` (the version is derived from
-#     the tag — `runtime-v0.1.6` publishes `0.1.6`).
-#   - Manual workflow_dispatch with an explicit `version` input (useful for
-#     dev/test releases without tagging the repo).
-#   - Auto: any push to `staging` that touches `workspace/**`. The version
-#     is derived by querying PyPI for the current latest and bumping the
-#     patch component. This closes the human-in-loop gap that caused the
-#     2026-04-27 RuntimeCapabilities ImportError outage — adapter symbol
-#     additions in workspace/adapters/base.py used to require an operator
-#     to remember to publish; now the merge itself triggers the publish.
-#
-# The workflow:
-#   1. Runs scripts/build_runtime_package.py to copy workspace/ →
-#      build/molecule_runtime/ with imports rewritten (`a2a_client` →
-#      `molecule_runtime.a2a_client`).
-#   2. Builds wheel + sdist with `python -m build`.
-#   3. Publishes to PyPI via the PyPA Trusted Publisher action (OIDC).
-#      No static API token is stored — PyPI verifies the workflow's
-#      OIDC claim against the trusted-publisher config registered for
-#      molecule-ai-workspace-runtime (molecule-ai/molecule-core,
-#      publish-runtime.yml, environment pypi-publish).
-#
-# After publish: the 8 template repos pick up the new version on their
-# next image rebuild (their requirements.txt pin
-# `molecule-ai-workspace-runtime>=0.1.0`, so any new release is eligible).
-# To force-pull immediately, bump the pin in each template repo's
-# requirements.txt and merge — that triggers their own publish-image.yml.
-
-on:
-  push:
-    tags:
-      - "runtime-v*"
-    branches:
-      - staging
-    paths:
-      # Auto-publish when staging gets changes that affect what gets
-      # published. Path filter ONLY applies to branch pushes — tag pushes
-      # still fire regardless.
-      #
-      # workspace/** is the source-of-truth for runtime code.
-      # scripts/build_runtime_package.py is the build script — changes to
-      # it (e.g. a fix to the import rewriter or a manifest emit) directly
-      # affect what ships in the wheel even if no workspace/ file changes.
-      # The 2026-04-27 lib/ subpackage incident missed an auto-publish for
-      # exactly this reason — PR #2174 only changed scripts/ and the
-      # operator had to remember a manual dispatch.
-      - "workspace/**"
-      - "scripts/build_runtime_package.py"
-  workflow_dispatch:
-    inputs:
-      version:
-        description: "Version to publish (e.g. 0.1.6). Required for manual dispatch."
-        required: true
-        type: string
-
-permissions:
-  contents: read
-
-# Serialize publishes so two staging merges landing seconds apart don't
-# both compute "latest+1" and race on PyPI upload. The second one waits.
-concurrency:
-  group: publish-runtime
-  cancel-in-progress: false
-
-jobs:
-  publish:
-    runs-on: ubuntu-latest
-    environment: pypi-publish
-    permissions:
-      contents: read
-      id-token: write   # PyPI Trusted Publisher (OIDC) — no PYPI_TOKEN needed
-    outputs:
-      version: ${{ steps.version.outputs.version }}
-      wheel_sha256: ${{ steps.wheel_hash.outputs.wheel_sha256 }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: "3.11"
-          cache: pip
-
-      - name: Derive version (tag, manual input, or PyPI auto-bump)
-        id: version
-        run: |
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            VERSION="${{ inputs.version }}"
-          elif echo "$GITHUB_REF_NAME" | grep -q "^runtime-v"; then
-            # Tag is `runtime-vX.Y.Z` — strip the prefix.
-            VERSION="${GITHUB_REF_NAME#runtime-v}"
-          else
-            # Auto-publish from staging push. Query PyPI for the current
-            # latest and bump the patch component. concurrency: group above
-            # serializes parallel staging merges so we don't race on the
-            # bump. If PyPI is unreachable, fail loud — better to skip a
-            # publish than to overwrite an existing version.
-            LATEST=$(curl -fsS --retry 3 https://pypi.org/pypi/molecule-ai-workspace-runtime/json \
-              | python -c "import sys,json; print(json.load(sys.stdin)['info']['version'])")
-            MAJOR=$(echo "$LATEST" | cut -d. -f1)
-            MINOR=$(echo "$LATEST" | cut -d. -f2)
-            PATCH=$(echo "$LATEST" | cut -d. -f3)
-            VERSION="${MAJOR}.${MINOR}.$((PATCH+1))"
-            echo "Auto-bumped from PyPI latest $LATEST -> $VERSION"
-          fi
-          if ! echo "$VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+(\.dev[0-9]+|rc[0-9]+|a[0-9]+|b[0-9]+|\.post[0-9]+)?$'; then
-            echo "::error::version $VERSION does not match PEP 440"
-            exit 1
-          fi
-          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
-          echo "Publishing molecule-ai-workspace-runtime $VERSION"
-
-      - name: Install build tooling
-        run: pip install build twine
-
-      - name: Build package from workspace/
-        run: |
-          python scripts/build_runtime_package.py \
-            --version "${{ steps.version.outputs.version }}" \
-            --out "${{ runner.temp }}/runtime-build"
-
-      - name: Build wheel + sdist
-        working-directory: ${{ runner.temp }}/runtime-build
-        run: python -m build
-
-      - name: Capture wheel SHA256 for cascade content-verification
-        # Recorded BEFORE upload so the cascade probe can verify the
-        # bytes Fastly serves under the new version's URL match what
-        # we built. Closes a hole left by #2197: that probe verified
-        # pip can resolve the version (catches propagation lag) but
-        # not that the wheel content matches (would silently pass a
-        # Fastly stale-content scenario where the new version's URL
-        # serves an old wheel binary).
-        id: wheel_hash
-        working-directory: ${{ runner.temp }}/runtime-build
-        run: |
-          set -eu
-          WHEEL=$(ls dist/*.whl 2>/dev/null | head -1)
-          if [ -z "$WHEEL" ]; then
-            echo "::error::No .whl in dist/ — `python -m build` must have failed silently"
-            exit 1
-          fi
-          HASH=$(sha256sum "$WHEEL" | awk '{print $1}')
-          echo "wheel_sha256=${HASH}" >> "$GITHUB_OUTPUT"
-          echo "Local wheel SHA256 (pre-upload): ${HASH}"
-          echo "Wheel filename: $(basename "$WHEEL")"
-
-      - name: Verify package contents (sanity)
-        working-directory: ${{ runner.temp }}/runtime-build
-        # Smoke logic lives in scripts/wheel_smoke.py so the same gate runs
-        # at both PR-time (runtime-prbuild-compat.yml) and publish-time
-        # (here). Splitting the smoke across two heredocs let them drift
-        # apart historically — one script keeps them locked.
-        run: |
-          python -m twine check dist/*
-          python -m venv /tmp/smoke
-          /tmp/smoke/bin/pip install --quiet dist/*.whl
-          /tmp/smoke/bin/python "$GITHUB_WORKSPACE/scripts/wheel_smoke.py"
-
-      - name: Publish to PyPI (Trusted Publisher / OIDC)
-        # PyPI side is configured: project molecule-ai-workspace-runtime →
-        # publisher molecule-ai/molecule-core, workflow publish-runtime.yml,
-        # environment pypi-publish. The action mints a short-lived OIDC
-        # token and exchanges it for a PyPI upload credential — no static
-        # API token in this repo's secrets.
-        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
-        with:
-          packages-dir: ${{ runner.temp }}/runtime-build/dist/
-
-  cascade:
-    # After PyPI accepts the upload, fan out a repository_dispatch to each
-    # template repo so they rebuild their image against the new runtime.
-    # Each template's `runtime-published.yml` receiver picks up the event,
-    # pulls the new PyPI version (their requirements.txt pin is `>=`), and
-    # republishes ghcr.io/molecule-ai/workspace-template-<runtime>:latest.
-    #
-    # Soft-fail per repo: if one template's dispatch fails (perms missing,
-    # repo archived, etc.) we still try the others and surface the failures
-    # in the workflow summary instead of aborting the whole cascade.
-    needs: publish
-    runs-on: ubuntu-latest
-    steps:
-      - name: Wait for PyPI to propagate the new version
-        # PyPI accepts the upload, then takes a few seconds to make the
-        # new version visible across all THREE surfaces pip touches:
-        #   1. /pypi/<pkg>/<ver>/json — metadata endpoint
-        #   2. /simple/<pkg>/         — pip's primary download index
-        #   3. files.pythonhosted.org — CDN-fronted wheel binary
-        # Each has its own cache. The previous check polled only (1)
-        # and would let the cascade fire while (2) or (3) still served
-        # the previous version, so downstream `pip install` resolved
-        # to the old wheel. Docker layer cache then locked that stale
-        # resolution in for subsequent rebuilds (the cache trap that
-        # bit us five times in one night).
-        #
-        # Two-stage probe per poll:
-        #   (a) `pip install --no-cache-dir PACKAGE==VERSION` — succeeds
-        #       only when the version is resolvable. Catches surface (1)
-        #       and (2) propagation lag.
-        #   (b) `pip download` of the same wheel + SHA256 compare against
-        #       the just-built dist's hash. Catches surface (3) lag AND
-        #       Fastly serving stale content under the new version's URL
-        #       (a separate Fastly-corruption mode that pip-install alone
-        #       can't see, since pip install resolves+unpacks against
-        #       whatever bytes Fastly returns and never inspects them).
-        # Both must pass before the cascade fans out.
-        #
-        # The venv is reused across polls; only `pip install`/`pip
-        # download` run in the loop, with --force-reinstall +
-        # --no-cache-dir so the previous poll's cached state doesn't
-        # mask propagation lag.
-        env:
-          RUNTIME_VERSION: ${{ needs.publish.outputs.version }}
-          EXPECTED_SHA256: ${{ needs.publish.outputs.wheel_sha256 }}
-        run: |
-          set -eu
-          if [ -z "$EXPECTED_SHA256" ]; then
-            echo "::error::publish job did not expose wheel_sha256 — cannot verify wheel content. Refusing to fan out cascade."
-            exit 1
-          fi
-          python -m venv /tmp/propagation-probe
-          PROBE=/tmp/propagation-probe/bin
-          $PROBE/pip install --upgrade --quiet pip
-          # Poll budget: 30 attempts × (~3-5s pip install + ~3s pip
-          # download + 4s sleep) ≈ 5-6 min wall on a slow GH runner.
-          # Generous vs PyPI's typical few-seconds propagation;
-          # failures past this are signal of a real PyPI / Fastly
-          # issue, not just lag.
-          for i in $(seq 1 30); do
-            # Stage (a): can pip resolve and install the version?
-            if $PROBE/pip install \
-                  --quiet \
-                  --no-cache-dir \
-                  --force-reinstall \
-                  --no-deps \
-                  "molecule-ai-workspace-runtime==${RUNTIME_VERSION}" \
-                  >/dev/null 2>&1; then
-              INSTALLED=$($PROBE/pip show molecule-ai-workspace-runtime 2>/dev/null \
-                          | awk -F': ' '/^Version:/{print $2}')
-              if [ "$INSTALLED" = "$RUNTIME_VERSION" ]; then
-                # Stage (b): does Fastly serve the bytes we uploaded?
-                # `pip download` writes the actual .whl file to disk so
-                # we can sha256sum it (vs `pip install` which unpacks
-                # and discards).
-                rm -rf /tmp/probe-dl
-                mkdir -p /tmp/probe-dl
-                if $PROBE/pip download \
-                      --quiet \
-                      --no-cache-dir \
-                      --no-deps \
-                      --dest /tmp/probe-dl \
-                      "molecule-ai-workspace-runtime==${RUNTIME_VERSION}" \
-                      >/dev/null 2>&1; then
-                  WHEEL=$(ls /tmp/probe-dl/*.whl 2>/dev/null | head -1)
-                  if [ -n "$WHEEL" ]; then
-                    ACTUAL=$(sha256sum "$WHEEL" | awk '{print $1}')
-                    if [ "$ACTUAL" = "$EXPECTED_SHA256" ]; then
-                      echo "::notice::✓ pip resolves AND wheel content matches after ${i} poll(s) (sha256=${EXPECTED_SHA256})"
-                      exit 0
-                    fi
-                    # Hash mismatch: PyPI accepted our upload but Fastly
-                    # is serving different bytes under the version's URL.
-                    # Most often this is propagation lag of the BINARY
-                    # surface — the version is resolvable but the wheel
-                    # cache hasn't caught up. Retry.
-                    echo "::warning::poll ${i}: wheel content mismatch (got ${ACTUAL:0:12}…, want ${EXPECTED_SHA256:0:12}…) — Fastly likely still serving stale binary, retrying"
-                  fi
-                fi
-              fi
-            fi
-            sleep 4
-          done
-          echo "::error::pip never resolved molecule-ai-workspace-runtime==${RUNTIME_VERSION} with matching wheel content within ~5 min."
-          echo "::error::Expected wheel SHA256: ${EXPECTED_SHA256}"
-          echo "::error::Refusing to fan out cascade against stale or corrupt PyPI surfaces."
-          exit 1
-
-      - name: Fan out via push to .runtime-version
-        env:
-          # Gitea PAT with write:repository scope on the 8 cascade-active
-          # template repos. Used here for `git push` (NOT for an API
-          # dispatch — Gitea 1.22.6 has no repository_dispatch endpoint;
-          # empirically verified across 6 candidate paths in molecule-
-          # core#20 issuecomment-913). The push trips each template's
-          # existing `on: push: branches: [main]` trigger on
-          # publish-image.yml, which then reads the updated
-          # .runtime-version via its resolve-version job.
-          DISPATCH_TOKEN: ${{ secrets.DISPATCH_TOKEN }}
-          RUNTIME_VERSION: ${{ needs.publish.outputs.version }}
-        run: |
-          set +e   # don't abort on a single repo failure — collect them all
-
-          # Soft-skip on workflow_dispatch when the token is missing
-          # (operator ad-hoc test); hard-fail on push so unattended
-          # publishes can't silently skip the cascade. Same shape as
-          # the original v1, intentional split per the schedule-vs-
-          # dispatch hardening 2026-04-28.
-          if [ -z "$DISPATCH_TOKEN" ]; then
-            if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-              echo "::warning::DISPATCH_TOKEN secret not set — skipping cascade."
-              echo "::warning::set it at Settings → Secrets and Variables → Actions, then rerun. Templates will stay on the prior runtime version until either this token is set or each template is rebuilt manually."
-              exit 0
-            fi
-            echo "::error::DISPATCH_TOKEN secret missing — cascade cannot fan out."
-            echo "::error::PyPI was published, but the 8 template repos will NOT pick up the new version until this token is restored and a republish dispatches the cascade."
-            echo "::error::set it at Settings → Secrets and Variables → Actions; then re-trigger publish-runtime via workflow_dispatch."
-            exit 1
-          fi
-          VERSION="$RUNTIME_VERSION"
-          if [ -z "$VERSION" ]; then
-            echo "::error::publish job did not expose a version output — cascade cannot fan out"
-            exit 1
-          fi
-
-          # All 9 workspace templates declared in manifest.json. The list
-          # MUST stay aligned with manifest.json's workspace_templates —
-          # cascade-list-drift-gate.yml enforces this in CI per the
-          # codex-stuck-on-stale-runtime invariant from PR #2556.
-          # Long-term goal: derive this list from manifest.json so it
-          # can't drift even on a manifest edit (RFC #388 Phase-1).
-          #
-          # Per-template publish-image.yml presence is checked at
-          # cascade-time below: codex doesn't ship one today, so the
-          # cascade soft-skips it with an informational message rather
-          # than dropping it from this list (which would re-introduce
-          # the drift the gate exists to catch).
-          GITEA_URL="${GITEA_URL:-https://git.moleculesai.app}"
-          TEMPLATES="claude-code hermes openclaw codex langgraph crewai autogen deepagents gemini-cli"
-          FAILED=""
-          SKIPPED=""
-
-          # Configure git identity once. The persona owning DISPATCH_TOKEN
-          # is the same identity that authored this commit on each
-          # template; using a generic "publish-runtime cascade" co-author
-          # trailer in the message keeps the audit trail honest about the
-          # workflow-driven origin.
-          git config --global user.name  "publish-runtime cascade"
-          git config --global user.email "publish-runtime@moleculesai.app"
-
-          WORKDIR="$(mktemp -d)"
-          for tpl in $TEMPLATES; do
-            REPO="molecule-ai/molecule-ai-workspace-template-$tpl"
-            CLONE="$WORKDIR/$tpl"
-
-            # Pre-check: skip templates without a publish-image.yml.
-            # The cascade's job is to trip the template's on-push
-            # rebuild — if there's no rebuild workflow, pushing a
-            # .runtime-version commit is just noise on the target
-            # repo. Use the Gitea contents API (no clone required for
-            # the probe). 200 = present; 404 = absent.
-            HTTP=$(curl -sS -o /dev/null -w "%{http_code}" \
-              -H "Authorization: token $DISPATCH_TOKEN" \
-              "$GITEA_URL/api/v1/repos/$REPO/contents/.github/workflows/publish-image.yml")
-            if [ "$HTTP" = "404" ]; then
-              echo "↷ $tpl has no publish-image.yml — soft-skip (informational; manifest still tracks it)"
-              SKIPPED="$SKIPPED $tpl"
-              continue
-            fi
-            if [ "$HTTP" != "200" ]; then
-              echo "::warning::$tpl publish-image.yml probe returned HTTP $HTTP — proceeding anyway, push will surface the real failure if any"
-            fi
-
-            # Use a per-template attempt loop so a transient race (e.g.
-            # human pushing to the same template at the same instant)
-            # doesn't lose the cascade. Bounded retries (3) — beyond
-            # that we surface the failure and let the operator retry.
-            attempt=0
-            success=false
-            while [ $attempt -lt 3 ]; do
-              attempt=$((attempt + 1))
-              rm -rf "$CLONE"
-              if ! git clone --depth=1 \
-                  "https://x-access-token:${DISPATCH_TOKEN}@${GITEA_URL#https://}/$REPO.git" \
-                  "$CLONE" >/tmp/clone.log 2>&1; then
-                echo "::warning::clone $tpl attempt $attempt failed: $(tail -n3 /tmp/clone.log)"
-                sleep 2
-                continue
-              fi
-
-              cd "$CLONE"
-              echo "$VERSION" > .runtime-version
-
-              # Idempotency guard: if the file already matches, this
-              # publish is a re-run for a version already cascaded.
-              # Don't push a no-op commit (would spuriously re-trip the
-              # template's on-push and rebuild for nothing).
-              if git diff --quiet -- .runtime-version; then
-                echo "✓ $tpl already at $VERSION — no commit needed (idempotent)"
-                success=true
-                cd - >/dev/null
-                break
-              fi
-
-              git add .runtime-version
-              git commit -m "chore: pin runtime to $VERSION (publish-runtime cascade)" \
-                -m "Co-Authored-By: publish-runtime cascade <publish-runtime@moleculesai.app>" \
-                >/dev/null
-
-              if git push origin HEAD:main >/tmp/push.log 2>&1; then
-                echo "✓ $tpl pushed $VERSION on attempt $attempt"
-                success=true
-                cd - >/dev/null
-                break
-              fi
-
-              # Likely a non-fast-forward — pull-rebase and retry.
-              # Don't force-push: that would silently overwrite a racing
-              # human/cascade commit.
-              echo "::warning::push $tpl attempt $attempt failed, pull-rebasing: $(tail -n3 /tmp/push.log)"
-              git pull --rebase origin main >/tmp/rebase.log 2>&1 || true
-              cd - >/dev/null
-            done
-
-            if [ "$success" != "true" ]; then
-              FAILED="$FAILED $tpl"
-            fi
-          done
-          rm -rf "$WORKDIR"
-
-          if [ -n "$FAILED" ]; then
-            echo "::error::Cascade incomplete after 3 retries each. Failed templates:$FAILED"
-            echo "::error::PyPI publish succeeded; failed templates lag the new version. Re-run this workflow_dispatch with the same version to retry only the laggers (idempotent — already-cascaded templates skip)."
-            exit 1
-          fi
-          if [ -n "$SKIPPED" ]; then
-            echo "Cascade complete: pinned $VERSION on cascade-active templates. Soft-skipped (no publish-image.yml):$SKIPPED"
-          else
-            echo "Cascade complete: $VERSION pinned across all manifest workspace_templates."
-          fi

.github/workflows/publish-workspace-server-image.yml

@@ -1,278 +0,0 @@
-name: publish-workspace-server-image
-
-# Builds and pushes Docker images to GHCR on staging or main pushes.
-# EC2 tenant instances pull the tenant image from GHCR.
-#
-# Branch / tag policy (see Compute tags step for the per-branch logic):
-#
-#   staging push  → builds image, tags :staging-<sha> + :staging-latest.
-#                   staging-CP pins TENANT_IMAGE=:staging-latest, so it
-#                   picks up staging-branch code automatically. This is
-#                   what makes staging-CP actually test staging-branch
-#                   code instead of "yesterday's main" — pre-fix, this
-#                   workflow only ran on main, so staging tenants
-#                   silently served stale code (#2308 fix RFC #2312
-#                   landed on staging but never reached tenants because
-#                   staging→main was wedged on path-filter parity bugs).
-#
-#   main push     → builds image, tags :staging-<sha> + :staging-latest
-#                   (same as before). canary-verify.yml retags
-#                   :staging-<sha> → :latest after canary tenants
-#                   green-light the digest. The :staging-latest retag
-#                   on main push is intentional: when main lands AFTER a
-#                   staging push, staging-CP gets the post-promote code
-#                   (which equals what it had + any merge resolution),
-#                   so the canary-on-staging-CP step still runs against
-#                   the prod-bound digest.
-#
-# In the steady state both branches refresh :staging-latest; the
-# semantic is "most recent staging-or-main build of tenant code."
-# Drift between the two is bounded by the staging→main auto-promote
-# cadence and is corrected on the next staging push.
-
-on:
-  push:
-    branches: [main]
-    paths:
-      - 'workspace-server/**'
-      - 'canvas/**'
-      - 'manifest.json'
-      - 'scripts/**'
-      - '.github/workflows/publish-workspace-server-image.yml'
-  workflow_dispatch:
-
-# Serialize per-branch so two rapid staging pushes don't race the same
-# :staging-latest tag retag. Allow staging and main to run in parallel
-# (different github.ref → different concurrency group) since they
-# produce different :staging-<sha> tags and last-write-wins on
-# :staging-latest is acceptable across branches (the post-promote
-# main code equals current staging code in a healthy flow).
-#
-# cancel-in-progress: false → in-flight builds finish; the next push's
-# build queues. This avoids a partially-pushed image and keeps the
-# canary fleet pin (:staging-<sha>) consistent with what was actually
-# tested at canary-verify time.
-concurrency:
-  group: publish-workspace-server-image-${{ github.ref }}
-  cancel-in-progress: false
-
-permissions:
-  contents: read
-  packages: write
-
-env:
-  IMAGE_NAME: 153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/platform
-  TENANT_IMAGE_NAME: 153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/platform-tenant
-
-jobs:
-  build-and-push:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      # github-app-auth sibling-checkout removed 2026-05-07 (#157):
-      # plugin was dropped + workspace-server/Dockerfile no longer
-      # COPYs it.
-
-      # ECR auth + buildx setup are now inline in each build step
-      # below (Task #173, 2026-05-07).
-      #
-      # Why moved inline: aws-actions/configure-aws-credentials@v4 +
-      # aws-actions/amazon-ecr-login@v2 + docker/setup-buildx-action
-      # all left auth state in places that the actual `docker push`
-      # couldn't see on Gitea Actions:
-      #   - The actions wrote to a step-scoped DOCKER_CONFIG path
-      #     that didn't survive into subsequent shell steps.
-      #   - Buildx couldn't bridge the runner container ↔
-      #     operator-host docker daemon auth gap (401 on the
-      #     docker-container driver, "no basic auth credentials"
-      #     with the action-driven login).
-      #
-      # Doing AWS+ECR auth inline (`aws ecr get-login-password |
-      # docker login`) in the same shell step as `docker build` +
-      # `docker push` is the operator-host manual approach, mapped
-      # 1:1 into CI. Auth state is guaranteed to live in the env that
-      # `docker push` actually runs from.
-      #
-      # Post-suspension target is the operator's ECR org
-      # (153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/*),
-      # which already hosts platform-tenant + workspace-template-* +
-      # runner-base images. AWS creds come from the
-      # AWS_ACCESS_KEY_ID/SECRET secrets bound to the molecule-cp
-      # IAM user. Closes #161.
-
-      - name: Compute tags
-        id: tags
-        run: |
-          echo "sha=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"
-
-      # Health check: verify Docker daemon is accessible before attempting any
-      # build steps. This fails loudly at step 1 when the runner's docker.sock
-      # is inaccessible rather than silently continuing to the build step
-      # where docker build fails deep in ECR auth with a cryptic error.
-      - name: Verify Docker daemon access
-        run: |
-          set -euo pipefail
-          echo "::group::Docker daemon health check"
-          docker info 2>&1 | head -5 || {
-            echo "::error::Docker daemon is not accessible at /var/run/docker.sock"
-            echo "::error::Check: (1) daemon running, (2) runner user in docker group, (3) sock perms 660+"
-            exit 1
-          }
-          echo "Docker daemon OK"
-          echo "::endgroup::"
-
-      # Pre-clone manifest deps before docker build (Task #173 fix).
-      #
-      # Why pre-clone: post-2026-05-06, every workspace-template-* repo on
-      # Gitea (codex, crewai, deepagents, gemini-cli, langgraph) plus all
-      # 7 org-template-* repos are private. The pre-fix Dockerfile.tenant
-      # ran `git clone` inside an in-image stage, which had no auth path
-      # — every CI build failed with "fatal: could not read Username for
-      # https://git.moleculesai.app". For weeks, every workspace-server
-      # rebuild required a manual operator-host push. Now we clone in the
-      # trusted CI context (where AUTO_SYNC_TOKEN is naturally available)
-      # and Dockerfile.tenant just COPYs from .tenant-bundle-deps/.
-      #
-      # Token shape: AUTO_SYNC_TOKEN is the devops-engineer persona PAT
-      # (see /etc/molecule-bootstrap/agent-secrets.env). Per saved memory
-      # `feedback_per_agent_gitea_identity_default`, every CI surface uses
-      # a per-persona token, never the founder PAT. clone-manifest.sh
-      # embeds it as basic-auth (oauth2:<token>) for the duration of the
-      # clones, then strips .git directories — the token never enters
-      # the resulting image.
-      #
-      # Idempotent: if a re-run finds populated dirs, clone-manifest.sh
-      # skips them; safe to retrigger via path-filter or workflow_dispatch.
-      - name: Pre-clone manifest deps
-        env:
-          MOLECULE_GITEA_TOKEN: ${{ secrets.AUTO_SYNC_TOKEN }}
-        run: |
-          set -euo pipefail
-          if [ -z "${MOLECULE_GITEA_TOKEN}" ]; then
-            echo "::error::AUTO_SYNC_TOKEN secret is empty — register the devops-engineer persona PAT in repo Actions secrets"
-            exit 1
-          fi
-          mkdir -p .tenant-bundle-deps
-          bash scripts/clone-manifest.sh \
-            manifest.json \
-            .tenant-bundle-deps/workspace-configs-templates \
-            .tenant-bundle-deps/org-templates \
-            .tenant-bundle-deps/plugins
-          # Sanity-check counts so a silent partial clone fails fast
-          # instead of producing a half-empty image.
-          ws_count=$(find .tenant-bundle-deps/workspace-configs-templates -mindepth 1 -maxdepth 1 -type d | wc -l)
-          org_count=$(find .tenant-bundle-deps/org-templates -mindepth 1 -maxdepth 1 -type d | wc -l)
-          plugins_count=$(find .tenant-bundle-deps/plugins -mindepth 1 -maxdepth 1 -type d | wc -l)
-          echo "Cloned: ws=$ws_count org=$org_count plugins=$plugins_count"
-          # Counts are derived from manifest.json (9 ws / 7 org / 21
-          # plugins as of 2026-05-07). If manifest.json grows but the
-          # clone step regresses silently, the find above caps at the
-          # actual disk state — but clone-manifest.sh's own EXPECTED vs
-          # CLONED check (line ~95) is the authoritative fail-fast.
-
-      # Canary-gated release flow:
-      #   - This step always publishes :staging-<sha> + :staging-latest.
-      #   - On staging push, staging-CP picks up :staging-latest immediately
-      #     (its TENANT_IMAGE pin is :staging-latest) — so staging-branch
-      #     code reaches staging tenants without waiting for main.
-      #   - On main push, canary-verify.yml runs smoke tests against
-      #     canary tenants (which pin :staging-<sha>), and on green retags
-      #     :staging-<sha> → :latest. Prod tenants pull :latest.
-      #   - On red, :latest stays on the prior good digest — prod is safe.
-      #
-      # Why :staging-latest is retagged on main push too: when main lands
-      # after a staging promote, staging-CP gets the post-promote code so
-      # the canary-on-staging-CP step still runs against the prod-bound
-      # digest. In a healthy flow the post-promote main code == the
-      # current staging code, so this is effectively a no-op except for
-      # the canary fleet pin handoff.
-      #
-      # Pre-fix history: this workflow used to only trigger on main. That
-      # meant staging-CP served "yesterday's main" indefinitely whenever
-      # staging→main was wedged. The 2026-04-30 dogfooding session
-      # surfaced this when RFC #2312 (chat upload HTTP-forward) landed on
-      # staging but staging tenants kept failing chat upload because they
-      # were running pre-RFC code. Adding the staging trigger above closes
-      # that gap. Earlier 2026-04-24 incident: a static :staging-<sha> pin
-      # drifted 10 days behind staging — same class of bug, different
-      # mechanism. ECR repo molecule-ai/platform created 2026-05-07.
-      # Build + push platform image with plain `docker` (no buildx).
-      # GIT_SHA bakes into the Go binary via -ldflags so /buildinfo
-      # returns it at runtime — see Dockerfile + buildinfo/buildinfo.go.
-      # The OCI revision label below carries the same value for registry
-      # tooling; the duplication is intentional.
-      - name: Build & push platform image to ECR (staging-<sha> + staging-latest)
-        env:
-          IMAGE_NAME: ${{ env.IMAGE_NAME }}
-          TAG_SHA: staging-${{ steps.tags.outputs.sha }}
-          TAG_LATEST: staging-latest
-          GIT_SHA: ${{ github.sha }}
-          REPO: ${{ github.repository }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          AWS_DEFAULT_REGION: us-east-2
-        run: |
-          set -euo pipefail
-          # ECR auth in-step so config.json is populated in the same
-          # shell env that runs `docker push`. ECR get-login-password
-          # tokens last 12h, plenty for a single-step build+push.
-          ECR_REGISTRY="${IMAGE_NAME%%/*}"
-          aws ecr get-login-password --region us-east-2 | \
-            docker login --username AWS --password-stdin "${ECR_REGISTRY}"
-          docker build \
-            --file ./workspace-server/Dockerfile \
-            --build-arg GIT_SHA="${GIT_SHA}" \
-            --label "org.opencontainers.image.source=https://github.com/${REPO}" \
-            --label "org.opencontainers.image.revision=${GIT_SHA}" \
-            --label "org.opencontainers.image.description=Molecule AI platform (Go API server) — pending canary verify" \
-            --tag "${IMAGE_NAME}:${TAG_SHA}" \
-            --tag "${IMAGE_NAME}:${TAG_LATEST}" \
-            .
-          docker push "${IMAGE_NAME}:${TAG_SHA}"
-          docker push "${IMAGE_NAME}:${TAG_LATEST}"
-
-      # Canvas uses same-origin fetches. The tenant Go platform
-      # reverse-proxies /cp/* to the SaaS CP via its CP_UPSTREAM_URL
-      # env; the tenant's /canvas/viewport, /approvals/pending,
-      # /org/templates etc. live on the tenant platform itself.
-      # Both legs share one origin (the tenant subdomain) so
-      # PLATFORM_URL="" forces canvas to fetch paths as relative,
-      # which land same-origin.
-      #
-      # Self-hosted / private-label deployments override this at
-      # build time with a specific backend (e.g. local dev:
-      # NEXT_PUBLIC_PLATFORM_URL=http://localhost:8080).
-      - name: Build & push tenant image to ECR (staging-<sha> + staging-latest)
-        env:
-          TENANT_IMAGE_NAME: ${{ env.TENANT_IMAGE_NAME }}
-          TAG_SHA: staging-${{ steps.tags.outputs.sha }}
-          TAG_LATEST: staging-latest
-          GIT_SHA: ${{ github.sha }}
-          REPO: ${{ github.repository }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          AWS_DEFAULT_REGION: us-east-2
-        run: |
-          set -euo pipefail
-          # Re-login: the platform-image step's docker login wrote to
-          # the same config.json, so this is technically redundant — but
-          # making each push step self-contained keeps the workflow
-          # robust to step reordering / future extraction.
-          ECR_REGISTRY="${TENANT_IMAGE_NAME%%/*}"
-          aws ecr get-login-password --region us-east-2 | \
-            docker login --username AWS --password-stdin "${ECR_REGISTRY}"
-          docker build \
-            --file ./workspace-server/Dockerfile.tenant \
-            --build-arg NEXT_PUBLIC_PLATFORM_URL= \
-            --build-arg GIT_SHA="${GIT_SHA}" \
-            --label "org.opencontainers.image.source=https://github.com/${REPO}" \
-            --label "org.opencontainers.image.revision=${GIT_SHA}" \
-            --label "org.opencontainers.image.description=Molecule AI tenant platform + canvas — pending canary verify" \
-            --tag "${TENANT_IMAGE_NAME}:${TAG_SHA}" \
-            --tag "${TENANT_IMAGE_NAME}:${TAG_LATEST}" \
-            .
-          docker push "${TENANT_IMAGE_NAME}:${TAG_SHA}"
-          docker push "${TENANT_IMAGE_NAME}:${TAG_LATEST}"
-

.github/workflows/secret-scan.yml

@@ -1,214 +0,0 @@
-name: Secret scan
-
-# Hard CI gate. Refuses any PR / push whose diff additions contain a
-# recognisable credential. Defense-in-depth for the #2090-class incident
-# (2026-04-24): GitHub's hosted Copilot Coding Agent leaked a ghs_*
-# installation token into tenant-proxy/package.json via `npm init`
-# slurping the URL from a token-embedded origin remote. We can't fix
-# upstream's clone hygiene, so we gate here.
-#
-# Also the canonical reusable workflow for the rest of the org. Other
-# Molecule-AI repos enroll with a single 3-line workflow:
-#
-#   jobs:
-#     secret-scan:
-#       uses: molecule-ai/molecule-core/.github/workflows/secret-scan.yml@staging
-#
-# Pin to @staging not @main — staging is the active default branch,
-# main lags via the staging-promotion workflow. Updates ride along
-# automatically on the next consumer workflow run.
-#
-# Same regex set as the runtime's bundled pre-commit hook
-# (molecule-ai-workspace-runtime: molecule_runtime/scripts/pre-commit-checks.sh).
-# Keep the two sides aligned when adding patterns.
-
-on:
-  pull_request:
-    types: [opened, synchronize, reopened]
-  push:
-    branches: [main, staging]
-  # Required for GitHub merge queue: the queue's pre-merge CI run on
-  # `gh-readonly-queue/...` refs needs this check to fire so the queue
-  # gets a real result instead of stalling forever AWAITING_CHECKS.
-  merge_group:
-    types: [checks_requested]
-  # Reusable workflow entry point for other Molecule-AI repos.
-  workflow_call:
-
-jobs:
-  scan:
-    name: Scan diff for credential-shaped strings
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 2  # need previous commit to diff against on push events
-
-      # For pull_request events the diff base may be many commits behind
-      # HEAD and absent from the shallow clone. Fetch it explicitly.
-      - name: Fetch PR base SHA (pull_request events only)
-        if: github.event_name == 'pull_request'
-        run: git fetch --depth=1 origin ${{ github.event.pull_request.base.sha }}
-
-      # For merge_group events the queue's pre-merge ref is a commit on
-      # `gh-readonly-queue/...` whose parent is the queue's base_sha.
-      # That parent isn't part of the queue branch's shallow clone, so
-      # we fetch it explicitly. Without this the diff falls through to
-      # "no BASE → scan entire tree" mode and false-positives on legit
-      # test fixtures (e.g. canvas/src/lib/validation/__tests__/secret-formats.test.ts).
-      - name: Fetch merge_group base SHA (merge_group events only)
-        if: github.event_name == 'merge_group'
-        run: git fetch --depth=1 origin ${{ github.event.merge_group.base_sha }}
-
-      - name: Refuse if credential-shaped strings appear in diff additions
-        env:
-          # Plumb event-specific SHAs through env so the script doesn't
-          # need conditional `${{ ... }}` interpolation per event type.
-          # github.event.before/after only exist on push events;
-          # merge_group has its own base_sha/head_sha; pull_request has
-          # pull_request.base.sha / pull_request.head.sha.
-          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
-          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-          MG_BASE_SHA: ${{ github.event.merge_group.base_sha }}
-          MG_HEAD_SHA: ${{ github.event.merge_group.head_sha }}
-          PUSH_BEFORE: ${{ github.event.before }}
-          PUSH_AFTER: ${{ github.event.after }}
-        run: |
-          # Pattern set covers GitHub family (the actual #2090 vector),
-          # Anthropic / OpenAI / Slack / AWS. Anchored on prefixes with low
-          # false-positive rates against agent-generated content. Mirror of
-          # molecule-ai-workspace-runtime/molecule_runtime/scripts/pre-commit-checks.sh
-          # — keep aligned.
-          SECRET_PATTERNS=(
-            'ghp_[A-Za-z0-9]{36,}'           # GitHub PAT (classic)
-            'ghs_[A-Za-z0-9]{36,}'           # GitHub App installation token
-            'gho_[A-Za-z0-9]{36,}'           # GitHub OAuth user-to-server
-            'ghu_[A-Za-z0-9]{36,}'           # GitHub OAuth user
-            'ghr_[A-Za-z0-9]{36,}'           # GitHub OAuth refresh
-            'github_pat_[A-Za-z0-9_]{82,}'   # GitHub fine-grained PAT
-            'sk-ant-[A-Za-z0-9_-]{40,}'      # Anthropic API key
-            'sk-proj-[A-Za-z0-9_-]{40,}'     # OpenAI project key
-            'sk-svcacct-[A-Za-z0-9_-]{40,}'  # OpenAI service-account key
-            'sk-cp-[A-Za-z0-9_-]{60,}'       # MiniMax API key (F1088 vector — caught only after the fact)
-            'xox[baprs]-[A-Za-z0-9-]{20,}'   # Slack tokens
-            'AKIA[0-9A-Z]{16}'               # AWS access key ID
-            'ASIA[0-9A-Z]{16}'               # AWS STS temp access key ID
-          )
-
-          # Determine the diff base. Each event type stores its SHAs in
-          # a different place — see the env block above.
-          case "${{ github.event_name }}" in
-            pull_request)
-              BASE="$PR_BASE_SHA"
-              HEAD="$PR_HEAD_SHA"
-              ;;
-            merge_group)
-              BASE="$MG_BASE_SHA"
-              HEAD="$MG_HEAD_SHA"
-              ;;
-            *)
-              BASE="$PUSH_BEFORE"
-              HEAD="$PUSH_AFTER"
-              ;;
-          esac
-
-          # On push events with shallow clones, BASE may be present in
-          # the event payload but absent from the local object DB
-          # (fetch-depth=2 doesn't always reach the previous commit
-          # across true merges). Try fetching it on demand. If the
-          # fetch fails — e.g. the SHA was force-overwritten — we fall
-          # through to the empty-BASE branch below, which scans the
-          # entire tree as if every file were new. Correct, just slow.
-          if [ -n "$BASE" ] && ! echo "$BASE" | grep -qE '^0+$'; then
-            if ! git cat-file -e "$BASE" 2>/dev/null; then
-              git fetch --depth=1 origin "$BASE" 2>/dev/null || true
-            fi
-          fi
-
-          # Files added or modified in this change.
-          if [ -z "$BASE" ] || echo "$BASE" | grep -qE '^0+$' || ! git cat-file -e "$BASE" 2>/dev/null; then
-            # New branch / no previous SHA / BASE unreachable — check the
-            # entire tree as added content. Slower, but correct on first
-            # push.
-            CHANGED=$(git ls-tree -r --name-only HEAD)
-            DIFF_RANGE=""
-          else
-            CHANGED=$(git diff --name-only --diff-filter=AM "$BASE" "$HEAD")
-            DIFF_RANGE="$BASE $HEAD"
-          fi
-
-          if [ -z "$CHANGED" ]; then
-            echo "No changed files to inspect."
-            exit 0
-          fi
-
-          # Self-exclude: this workflow file legitimately contains the
-          # pattern strings as regex literals. Without an exclude it would
-          # block its own merge.
-          SELF=".github/workflows/secret-scan.yml"
-
-          OFFENDING=""
-          # `while IFS= read -r` (not `for f in $CHANGED`) so filenames
-          # containing whitespace don't word-split silently — a path
-          # with a space would otherwise produce two iterations on
-          # tokens that aren't real filenames, breaking the
-          # self-exclude + diff lookup.
-          while IFS= read -r f; do
-            [ -z "$f" ] && continue
-            [ "$f" = "$SELF" ] && continue
-            if [ -n "$DIFF_RANGE" ]; then
-              ADDED=$(git diff --no-color --unified=0 "$BASE" "$HEAD" -- "$f" 2>/dev/null | grep -E '^\+[^+]' || true)
-            else
-              # No diff range (new branch first push) — scan the full file
-              # contents as if every line were new.
-              ADDED=$(cat "$f" 2>/dev/null || true)
-            fi
-            [ -z "$ADDED" ] && continue
-            for pattern in "${SECRET_PATTERNS[@]}"; do
-              if echo "$ADDED" | grep -qE "$pattern"; then
-                OFFENDING="${OFFENDING}${f} (matched: ${pattern})\n"
-                break
-              fi
-            done
-          done <<< "$CHANGED"
-
-          if [ -n "$OFFENDING" ]; then
-            echo "::error::Credential-shaped strings detected in diff additions:"
-            # `printf '%b' "$OFFENDING"` interprets backslash escapes
-            # (the literal `\n` we appended above becomes a newline)
-            # WITHOUT treating OFFENDING as a format string. Plain
-            # `printf "$OFFENDING"` is a format-string sink: a filename
-            # containing `%` would be interpreted as a conversion
-            # specifier, corrupting the error message (or printing
-            # `%(missing)` artifacts).
-            printf '%b' "$OFFENDING"
-            echo ""
-            echo "The actual matched values are NOT echoed here, deliberately —"
-            echo "round-tripping a leaked credential into CI logs widens the blast"
-            echo "radius (logs are searchable + retained)."
-            echo ""
-            echo "Recovery:"
-            echo "  1. Remove the secret from the file. Replace with an env var"
-            echo "     reference (e.g. \${{ secrets.GITHUB_TOKEN }} in workflows,"
-            echo "     process.env.X in code)."
-            echo "  2. If the credential was already pushed (this PR's commit"
-            echo "     history reaches a public ref), treat it as compromised —"
-            echo "     ROTATE it immediately, do not just remove it. The token"
-            echo "     remains valid in git history forever and may be in any"
-            echo "     log/cache that consumed this branch."
-            echo "  3. Force-push the cleaned commit (or stack a revert) and"
-            echo "     re-run CI."
-            echo ""
-            echo "If the match is a false positive (test fixture, docs example,"
-            echo "or this workflow's own regex literals): use a clearly-fake"
-            echo "placeholder like ghs_EXAMPLE_DO_NOT_USE that doesn't satisfy"
-            echo "the length suffix, OR add the file path to the SELF exclude"
-            echo "list in this workflow with a short reason."
-            echo ""
-            echo "Mirror of the regex set lives in the runtime's bundled"
-            echo "pre-commit hook (molecule-ai-workspace-runtime:"
-            echo "molecule_runtime/scripts/pre-commit-checks.sh) — keep aligned."
-            exit 1
-          fi
-
-          echo "✓ No credential-shaped strings in this change."

.staging-trigger

@@ -1 +0,0 @@
-staging trigger

canvas/src/components/AuditTrailPanel.tsx

@@ -142,7 +142,7 @@ export function AuditTrailPanel({ workspaceId }: Props) {
             key={f.id}
             onClick={() => setFilter(f.id)}
             aria-pressed={filter === f.id}
-            className={`px-2 py-1 text-[10px] rounded-md font-medium transition-all shrink-0 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface ${
+            className={`px-2 py-1 text-[10px] rounded-md font-medium transition-all shrink-0 ${
               filter === f.id
                 ? "bg-surface-card text-ink ring-1 ring-zinc-600"
                 : "text-ink-mid hover:text-ink-mid hover:bg-surface-card/60"
@@ -155,7 +155,7 @@ export function AuditTrailPanel({ workspaceId }: Props) {
         <button
           type="button"
           onClick={loadEntries}
-          className="px-2 py-1 text-[10px] bg-surface-card hover:bg-surface-card text-ink-mid rounded transition-colors shrink-0 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface"
+          className="px-2 py-1 text-[10px] bg-surface-card hover:bg-surface-card text-ink-mid rounded transition-colors shrink-0"
           aria-label="Refresh audit trail"
         >
           ↻
@@ -195,7 +195,7 @@ export function AuditTrailPanel({ workspaceId }: Props) {
                   type="button"
                   onClick={loadMore}
                   disabled={loadingMore}
-                  className="px-4 py-2 text-[11px] bg-surface-card hover:bg-surface-card disabled:opacity-50 disabled:cursor-not-allowed text-ink-mid rounded-lg transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface"
+                  className="px-4 py-2 text-[11px] bg-surface-card hover:bg-surface-card disabled:opacity-50 disabled:cursor-not-allowed text-ink-mid rounded-lg transition-colors"
                 >
                   {loadingMore ? "Loading…" : "Load more"}
                 </button>

canvas/src/components/CommunicationOverlay.tsx

@@ -209,7 +209,7 @@ export function CommunicationOverlay() {
         type="button"
         onClick={() => setVisible(true)}
         aria-label="Show communications panel"
-        className="fixed top-16 right-4 z-30 px-3 py-1.5 bg-surface-sunken/90 border border-line/50 rounded-lg text-[10px] text-ink-mid hover:text-ink transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface"
+        className="fixed top-16 right-4 z-30 px-3 py-1.5 bg-surface-sunken/90 border border-line/50 rounded-lg text-[10px] text-ink-mid hover:text-ink transition-colors"
       >
         <span aria-hidden="true">↗↙ </span>{comms.length > 0 ? `${comms.length} comms` : "Communications"}
       </button>
@@ -226,7 +226,7 @@ export function CommunicationOverlay() {
           type="button"
           onClick={() => setVisible(false)}
           aria-label="Close communications panel"
-          className="text-ink-mid hover:text-ink-mid text-xs focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface rounded"
+          className="text-ink-mid hover:text-ink-mid text-xs"
         >
           <span aria-hidden="true">✕</span>
         </button>

canvas/src/components/ConversationTraceModal.tsx

@@ -115,7 +115,7 @@ export function ConversationTraceModal({ open, workspaceId: _workspaceId, onClos
                 <button
                   type="button"
                   aria-label="Close conversation trace"
-                  className="text-ink-mid hover:text-ink-mid text-lg px-2 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface rounded"
+                  className="text-ink-mid hover:text-ink-mid text-lg px-2"
                 >
                   ✕
                 </button>
@@ -286,7 +286,7 @@ export function ConversationTraceModal({ open, workspaceId: _workspaceId, onClos
               <Dialog.Close asChild>
                 <button
                   type="button"
-                  className="px-4 py-1.5 text-[12px] bg-surface-card hover:bg-surface-card text-ink-mid rounded-lg transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface"
+                  className="px-4 py-1.5 text-[12px] bg-surface-card hover:bg-surface-card text-ink-mid rounded-lg transition-colors"
                 >
                   Close
                 </button>

canvas/src/components/CreateWorkspaceDialog.tsx

@@ -411,7 +411,7 @@ export function CreateWorkspaceButton() {
                     tabIndex={tier === t.value ? 0 : -1}
                     onClick={() => setTier(t.value)}
                     onKeyDown={(e) => handleRadioKeyDown(e, idx)}
-                    className={`py-2 rounded-lg text-center transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 ${
+                    className={`py-2 rounded-lg text-center transition-colors ${
                       tier === t.value
                         ? "bg-accent-strong/20 border border-accent/50 text-accent"
                         : "bg-surface-card/60 border border-line/40 text-ink-mid hover:text-ink-mid hover:border-line"

canvas/src/components/ErrorBoundary.tsx

@@ -83,7 +83,7 @@ export class ErrorBoundary extends React.Component<
               <button
                 type="button"
                 onClick={this.handleReload}
-                className="rounded-lg bg-accent-strong hover:bg-accent px-5 py-2 text-sm font-medium text-white transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-2 focus-visible:ring-offset-surface"
+                className="rounded-lg bg-accent-strong hover:bg-accent px-5 py-2 text-sm font-medium text-white transition-colors"
               >
                 Reload
               </button>
@@ -93,7 +93,7 @@ export class ErrorBoundary extends React.Component<
                   e.preventDefault();
                   this.handleReport();
                 }}
-                className="rounded-lg border border-line hover:border-line px-5 py-2 text-sm font-medium text-ink-mid hover:text-ink transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-2 focus-visible:ring-offset-surface"
+                className="rounded-lg border border-line hover:border-line px-5 py-2 text-sm font-medium text-ink-mid hover:text-ink transition-colors"
               >
                 Report
               </a>

canvas/src/components/ExternalConnectModal.tsx

@@ -198,7 +198,7 @@ export function ExternalConnectModal({ info, onClose }: Props) {
                 role="tab"
                 aria-selected={tab === t}
                 onClick={() => setTab(t)}
-                className={`px-3 py-2 text-sm border-b-2 -mb-px transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface ${
+                className={`px-3 py-2 text-sm border-b-2 -mb-px transition-colors ${
                   tab === t
                     ? "border-accent text-ink"
                     : "border-transparent text-ink-mid hover:text-ink-mid"
@@ -309,7 +309,7 @@ export function ExternalConnectModal({ info, onClose }: Props) {
             <button
               type="button"
               onClick={onClose}
-              className="px-4 py-2 text-sm rounded-lg bg-surface-card hover:bg-surface-card text-ink focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface"
+              className="px-4 py-2 text-sm rounded-lg bg-surface-card hover:bg-surface-card text-ink"
             >
               I&apos;ve saved it — close
             </button>
@@ -339,7 +339,7 @@ function SnippetBlock({
         <button
           type="button"
           onClick={onCopy}
-          className="text-xs px-2 py-1 rounded bg-accent-strong/80 hover:bg-accent text-white focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface"
+          className="text-xs px-2 py-1 rounded bg-accent-strong/80 hover:bg-accent text-white"
         >
           {copied ? "Copied!" : "Copy"}
         </button>
@@ -376,7 +376,7 @@ function Field({
         type="button"
         onClick={onCopy}
         disabled={!value}
-        className="text-xs px-2 py-1 rounded bg-surface-card hover:bg-surface-card text-ink disabled:opacity-40 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface"
+        className="text-xs px-2 py-1 rounded bg-surface-card hover:bg-surface-card text-ink disabled:opacity-40"
       >
         {copied ? "Copied!" : "Copy"}
       </button>

canvas/src/components/MemoryInspectorPanel.tsx

@@ -360,7 +360,7 @@ export function MemoryInspectorPanel({ workspaceId }: Props) {
                 setDebouncedQuery('');
               }}
               aria-label="Clear search"
-              className="absolute right-2 text-ink-mid hover:text-ink transition-colors text-sm leading-none focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface rounded"
+              className="absolute right-2 text-ink-mid hover:text-ink transition-colors text-sm leading-none"
             >
               ×
             </button>
@@ -381,7 +381,7 @@ export function MemoryInspectorPanel({ workspaceId }: Props) {
           type="button"
           onClick={loadEntries}
           disabled={pluginUnavailable}
-          className="px-2 py-1 text-[11px] bg-surface-card hover:bg-surface-card text-ink-mid rounded transition-colors disabled:opacity-50 disabled:cursor-not-allowed focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface"
+          className="px-2 py-1 text-[11px] bg-surface-card hover:bg-surface-card text-ink-mid rounded transition-colors disabled:opacity-50 disabled:cursor-not-allowed"
           aria-label="Refresh memories"
         >
           ↻ Refresh
@@ -515,7 +515,7 @@ function MemoryEntryRow({ entry, onDelete }: MemoryEntryRowProps) {
       {/* Header row */}
       <button
         type="button"
-        className="w-full flex items-center gap-2 px-3 py-2.5 text-left hover:bg-surface-card/30 transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface"
+        className="w-full flex items-center gap-2 px-3 py-2.5 text-left hover:bg-surface-card/30 transition-colors"
         onClick={() => setExpanded((prev) => !prev)}
         aria-expanded={expanded}
         aria-controls={bodyId}
@@ -629,7 +629,7 @@ function MemoryEntryRow({ entry, onDelete }: MemoryEntryRowProps) {
                 onDelete();
               }}
               aria-label="Forget memory"
-              className="text-[10px] px-2 py-0.5 bg-red-950/40 hover:bg-red-900/50 border border-red-900/30 rounded text-bad transition-colors shrink-0 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-red-500/60 focus-visible:ring-offset-1 focus-visible:ring-offset-surface"
+              className="text-[10px] px-2 py-0.5 bg-red-950/40 hover:bg-red-900/50 border border-red-900/30 rounded text-bad transition-colors shrink-0"
             >
               Forget
             </button>

canvas/src/components/MissingKeysModal.tsx

@@ -631,9 +631,8 @@ function AllKeysModal({
     // React's commit ordering.
     <div className="fixed inset-0 z-[60] flex items-center justify-center">
       <div
-        aria-hidden="true"
         className="absolute inset-0 bg-black/70 backdrop-blur-sm"
-        aria-label="Dismiss modal"
+        aria-hidden="true"
         onClick={onCancel}
       />
 
@@ -707,7 +706,7 @@ function AllKeysModal({
                     type="button"
                     onClick={() => handleSaveKey(index)}
                     disabled={!entry.value.trim() || entry.saving}
-                    className="px-3 py-1.5 bg-accent-strong hover:bg-accent text-[11px] rounded text-white disabled:opacity-30 transition-colors shrink-0 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface"
+                    className="px-3 py-1.5 bg-accent-strong hover:bg-accent text-[11px] rounded text-white disabled:opacity-30 transition-colors shrink-0"
                   >
                     {entry.saving ? "..." : "Save"}
                   </button>
@@ -731,7 +730,7 @@ function AllKeysModal({
               <button
                 type="button"
                 onClick={onOpenSettings}
-                className="text-[11px] text-accent hover:text-accent transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface rounded"
+                className="text-[11px] text-accent hover:text-accent transition-colors"
               >
                 Open Settings Panel
               </button>
@@ -741,7 +740,7 @@ function AllKeysModal({
             <button
               type="button"
               onClick={onCancel}
-              className="px-3.5 py-1.5 text-[12px] text-ink-mid hover:text-ink bg-surface-card hover:bg-surface-card border border-line rounded-lg transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface"
+              className="px-3.5 py-1.5 text-[12px] text-ink-mid hover:text-ink bg-surface-card hover:bg-surface-card border border-line rounded-lg transition-colors"
             >
               Cancel Deploy
             </button>
@@ -749,7 +748,7 @@ function AllKeysModal({
               type="button"
               onClick={handleAddKeysAndDeploy}
               disabled={!allSaved || anySaving}
-              className="px-3.5 py-1.5 text-[12px] bg-accent-strong hover:bg-accent text-white rounded-lg transition-colors disabled:opacity-40 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface"
+              className="px-3.5 py-1.5 text-[12px] bg-accent-strong hover:bg-accent text-white rounded-lg transition-colors disabled:opacity-40"
             >
               {anySaving ? "Saving..." : allSaved ? "Deploy" : "Add Keys"}
             </button>

canvas/src/components/OrgImportPreflightModal.tsx

@@ -308,7 +308,7 @@ export function OrgImportPreflightModal({
               type="button"
               onClick={onProceed}
               disabled={!canProceed}
-              className="px-4 py-1.5 text-[11px] font-semibold rounded bg-accent hover:bg-accent-strong text-white disabled:bg-surface-card disabled:text-white-soft disabled:cursor-not-allowed focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface"
+              className="px-4 py-1.5 text-[11px] font-semibold rounded bg-accent hover:bg-accent-strong text-white disabled:bg-surface-card disabled:text-white-soft disabled:cursor-not-allowed"
             >
               Import
             </button>
@@ -428,7 +428,7 @@ function StrictEnvRow({
             type="button"
             onClick={() => onSave(envKey)}
             disabled={d?.saving || !d?.value.trim()}
-            className="px-2 py-1 text-[10px] rounded bg-accent hover:bg-accent-strong text-white disabled:opacity-40 disabled:cursor-not-allowed focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface"
+            className="px-2 py-1 text-[10px] rounded bg-accent hover:bg-accent-strong text-white disabled:opacity-40 disabled:cursor-not-allowed"
           >
             {d?.saving ? "…" : "Save"}
           </button>
@@ -520,7 +520,7 @@ function AnyOfEnvGroup({
                     type="button"
                     onClick={() => onSave(m)}
                     disabled={d?.saving || !d?.value.trim()}
-                    className="px-2 py-1 text-[10px] rounded bg-accent hover:bg-accent-strong text-white disabled:opacity-40 disabled:cursor-not-allowed focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface"
+                    className="px-2 py-1 text-[10px] rounded bg-accent hover:bg-accent-strong text-white disabled:opacity-40 disabled:cursor-not-allowed"
                   >
                     {d?.saving ? "…" : "Save"}
                   </button>

canvas/src/components/PricingTable.tsx

@@ -128,7 +128,7 @@ function PlanCard({
         type="button"
         onClick={onSelect}
         disabled={loading}
-        className={`mt-6 rounded-lg px-4 py-3 text-sm font-medium focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-2 focus-visible:ring-offset-surface ${
+        className={`mt-6 rounded-lg px-4 py-3 text-sm font-medium ${
           plan.highlighted
             ? "bg-accent-strong text-white hover:bg-accent disabled:bg-blue-900"
             : "border border-line bg-surface-sunken text-ink hover:bg-surface-card disabled:opacity-50"

canvas/src/components/ProviderModelSelector.tsx

@@ -437,7 +437,7 @@ export function ProviderModelSelector({
                     handleModelChange(selected.models[0]?.id ?? "");
                   }
                 }}
-                className="text-[9px] text-accent hover:text-accent mt-0.5 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface rounded"
+                className="text-[9px] text-accent hover:text-accent mt-0.5"
               >
                 ← back to model list
               </button>

canvas/src/components/ProvisioningTimeout.tsx

@@ -341,7 +341,7 @@ export function ProvisioningTimeout({
                     type="button"
                     onClick={() => handleRetry(entry.workspaceId)}
                     disabled={isRetrying || isCancelling || retryCooldown.has(entry.workspaceId)}
-                    className="px-3 py-1.5 bg-amber-600 hover:bg-amber-500 text-[11px] font-medium rounded-lg text-white disabled:opacity-40 transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-amber-400/70 focus-visible:ring-offset-1 focus-visible:ring-offset-surface"
+                    className="px-3 py-1.5 bg-amber-600 hover:bg-amber-500 text-[11px] font-medium rounded-lg text-white disabled:opacity-40 transition-colors"
                   >
                     {isRetrying ? "Retrying..." : retryCooldown.has(entry.workspaceId) ? "Wait..." : "Retry"}
                   </button>
@@ -349,14 +349,14 @@ export function ProvisioningTimeout({
                     type="button"
                     onClick={() => handleCancelRequest(entry.workspaceId)}
                     disabled={isRetrying || isCancelling}
-                    className="px-3 py-1.5 bg-surface-card hover:bg-surface-card text-[11px] text-ink-mid rounded-lg border border-line disabled:opacity-40 transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface"
+                    className="px-3 py-1.5 bg-surface-card hover:bg-surface-card text-[11px] text-ink-mid rounded-lg border border-line disabled:opacity-40 transition-colors"
                   >
                     {isCancelling ? "Cancelling..." : "Cancel"}
                   </button>
                   <button
                     type="button"
                     onClick={() => handleViewLogs(entry.workspaceId)}
-                    className="px-3 py-1.5 text-[11px] text-warm hover:text-warm transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-amber-400/70 focus-visible:ring-offset-1 focus-visible:ring-offset-surface rounded"
+                    className="px-3 py-1.5 text-[11px] text-warm hover:text-warm transition-colors"
                   >
                     View Logs
                   </button>
@@ -382,14 +382,14 @@ export function ProvisioningTimeout({
               <button
                 type="button"
                 onClick={() => setConfirmingCancel(null)}
-                className="px-3.5 py-1.5 text-[12px] text-ink-mid hover:text-ink bg-surface-card hover:bg-surface-card border border-line rounded-lg transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface"
+                className="px-3.5 py-1.5 text-[12px] text-ink-mid hover:text-ink bg-surface-card hover:bg-surface-card border border-line rounded-lg transition-colors"
               >
                 Keep
               </button>
               <button
                 type="button"
                 onClick={handleCancelConfirm}
-                className="px-3.5 py-1.5 text-[12px] bg-red-600 hover:bg-red-500 text-white rounded-lg transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-red-400/70 focus-visible:ring-offset-1 focus-visible:ring-offset-surface"
+                className="px-3.5 py-1.5 text-[12px] bg-red-600 hover:bg-red-500 text-white rounded-lg transition-colors"
               >
                 Remove Workspace
               </button>

canvas/src/components/SidePanel.tsx

@@ -197,7 +197,7 @@ export function SidePanel() {
           type="button"
           onClick={() => selectNode(null)}
           aria-label="Close workspace panel"
-          className="w-7 h-7 flex items-center justify-center rounded-lg text-ink-mid hover:text-ink hover:bg-surface-card/60 transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface"
+          className="w-7 h-7 flex items-center justify-center rounded-lg text-ink-mid hover:text-ink hover:bg-surface-card/60 transition-colors"
         >
           <svg width="12" height="12" viewBox="0 0 12 12" fill="none" aria-hidden="true">
             <path d="M1 1l10 10M11 1L1 11" stroke="currentColor" strokeWidth="1.5" strokeLinecap="round" />

canvas/src/components/TemplatePalette.tsx

@@ -236,7 +236,7 @@ export function OrgTemplatesSection() {
           onClick={() => setExpanded((v) => !v)}
           aria-expanded={expanded}
           aria-controls="org-templates-body"
-          className="flex items-center gap-1.5 text-[10px] uppercase tracking-wide text-ink-mid hover:text-ink-mid font-semibold transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface rounded"
+          className="flex items-center gap-1.5 text-[10px] uppercase tracking-wide text-ink-mid hover:text-ink-mid font-semibold transition-colors"
         >
           <span
             aria-hidden="true"
@@ -255,7 +255,7 @@ export function OrgTemplatesSection() {
           type="button"
           onClick={loadOrgs}
           aria-label="Refresh org templates"
-          className="text-[10px] text-ink-mid hover:text-ink-mid focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface rounded"
+          className="text-[10px] text-ink-mid hover:text-ink-mid"
         >
           ↻
         </button>
@@ -306,7 +306,7 @@ export function OrgTemplatesSection() {
               type="button"
               onClick={() => handleImport(o)}
               disabled={isImporting}
-              className="w-full px-2 py-1.5 bg-accent-strong/20 hover:bg-accent-strong/30 border border-accent/30 rounded-lg text-[10px] text-accent font-medium transition-colors disabled:opacity-50 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface"
+              className="w-full px-2 py-1.5 bg-accent-strong/20 hover:bg-accent-strong/30 border border-accent/30 rounded-lg text-[10px] text-accent font-medium transition-colors disabled:opacity-50"
             >
               {isImporting ? "Importing…" : "Import org"}
             </button>
@@ -411,7 +411,7 @@ function ImportAgentButton({ onImported }: { onImported: () => void }) {
         type="button"
         onClick={() => fileInputRef.current?.click()}
         disabled={importing}
-        className="w-full px-3 py-2 bg-accent-strong/20 hover:bg-accent-strong/30 border border-accent/30 rounded-lg text-[11px] text-accent font-medium transition-colors disabled:opacity-50 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface"
+        className="w-full px-3 py-2 bg-accent-strong/20 hover:bg-accent-strong/30 border border-accent/30 rounded-lg text-[11px] text-accent font-medium transition-colors disabled:opacity-50"
       >
         {importing ? "Importing..." : "Import Agent Folder"}
       </button>
@@ -474,7 +474,7 @@ export function TemplatePalette() {
       <button
         type="button"
         onClick={() => setOpen(!open)}
-        className={`fixed top-4 left-4 z-40 w-9 h-9 flex items-center justify-center rounded-lg transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-2 focus-visible:ring-offset-surface ${
+        className={`fixed top-4 left-4 z-40 w-9 h-9 flex items-center justify-center rounded-lg transition-colors ${
           open
             ? "bg-accent-strong text-white"
             : "bg-surface-sunken/90 border border-line/50 text-ink-mid hover:text-ink hover:border-line"
@@ -580,7 +580,7 @@ export function TemplatePalette() {
             <button
               type="button"
               onClick={loadTemplates}
-              className="text-[10px] text-ink-mid hover:text-ink-mid transition-colors block focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface rounded"
+              className="text-[10px] text-ink-mid hover:text-ink-mid transition-colors block"
             >
               Refresh templates
             </button>

canvas/src/components/ThemeToggle.tsx

@@ -54,7 +54,7 @@ export function ThemeToggle({ className = "" }: { className?: string }) {
             aria-label={opt.label}
             onClick={() => setTheme(opt.value)}
             className={
-              "flex h-6 w-6 items-center justify-center rounded transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface " +
+              "flex h-6 w-6 items-center justify-center rounded transition-colors " +
               (active
                 ? "bg-surface-elevated text-ink shadow-sm"
                 : "text-ink-mid hover:text-ink-mid")

canvas/src/components/Tooltip.tsx

@@ -45,12 +45,6 @@ export function Tooltip({ text, children }: Props) {
       if (triggerRef.current) {
         const rect = triggerRef.current.getBoundingClientRect();
         setPos({ x: rect.left, y: rect.top });
-        // Focus the first focusable descendant (the actual trigger button),
-        // not the wrapper div, so screen-reader/navigation UX is correct.
-        const firstFocusable = triggerRef.current.querySelector<HTMLElement>(
-          'button, [tabindex], input, select, textarea, a[href]'
-        );
-        firstFocusable?.focus();
       }
       setShow(true);
     }, 400);

canvas/src/components/__tests__/ApprovalBanner.test.tsx

@@ -2,9 +2,8 @@
 /**
  * Tests for ApprovalBanner component.
  *
- * Uses vi.hoisted + vi.mock for stable module-level API mocks that survive
- * vi.resetModules() cleanup. BeforeEach uses mockReset + mockResolvedValue
- * so each test gets a clean slate.
+ * Covers: renders nothing when no approvals, polls /approvals/pending,
+ * shows approval cards, approve/deny decisions, toast notifications.
  */
 import React from "react";
 import { render, screen, fireEvent, cleanup, waitFor, act } from "@testing-library/react";
@@ -13,23 +12,10 @@ import { ApprovalBanner } from "../ApprovalBanner";
 import { showToast } from "@/components/Toaster";
 import { api } from "@/lib/api";
 
-// ─── Module-level mocks ───────────────────────────────────────────────────────
-// vi.hoisted captures stable references BEFORE hoisting so they are accessible
-// in the test body after vi.mock registers.
-const _mockGet = vi.hoisted<typeof api.get>(() => vi.fn<() => Promise<unknown[]>>());
-const _mockPost = vi.hoisted<typeof api.post>(() => vi.fn<() => Promise<unknown>>());
-const _mockToast = vi.hoisted<typeof showToast>(() => vi.fn());
-
-vi.mock("@/lib/api", () => ({
-  api: { get: _mockGet, post: _mockPost },
-}));
-
 vi.mock("@/components/Toaster", () => ({
-  showToast: _mockToast,
+  showToast: vi.fn(),
 }));
 
-afterEach(cleanup);
-
 // ─── Helpers ──────────────────────────────────────────────────────────────────
 
 const pendingApproval = (id = "a1", workspaceId = "ws-1"): {
@@ -50,25 +36,11 @@ const pendingApproval = (id = "a1", workspaceId = "ws-1"): {
   created_at: "2026-05-10T10:00:00Z",
 });
 
-// ─── Cleanup ─────────────────────────────────────────────────────────────────
-
-beforeEach(() => {
-  _mockGet.mockReset();
-  _mockGet.mockResolvedValue([] as unknown[]);
-  _mockPost.mockReset();
-  _mockPost.mockResolvedValue({} as unknown);
-  _mockToast.mockClear();
-});
-
-afterEach(() => {
-  cleanup();
-});
-
 // ─── Tests ────────────────────────────────────────────────────────────────────
 
 describe("ApprovalBanner — empty state", () => {
   it("renders nothing when there are no pending approvals", async () => {
-    _mockGet.mockResolvedValueOnce([] as unknown[]);
+    vi.spyOn(api, "get").mockResolvedValueOnce([]);
     render(<ApprovalBanner />);
     await act(async () => {
       await new Promise((r) => setTimeout(r, 10));
@@ -77,7 +49,7 @@ describe("ApprovalBanner — empty state", () => {
   });
 
   it("does not render any approve/deny buttons when list is empty", async () => {
-    _mockGet.mockResolvedValueOnce([] as unknown[]);
+    vi.spyOn(api, "get").mockResolvedValueOnce([]);
     render(<ApprovalBanner />);
     await act(async () => {
       await new Promise((r) => setTimeout(r, 10));
@@ -89,10 +61,10 @@ describe("ApprovalBanner — empty state", () => {
 
 describe("ApprovalBanner — renders approval cards", () => {
   it("renders an alert card for each pending approval", async () => {
-    _mockGet.mockResolvedValueOnce([
+    vi.spyOn(api, "get").mockResolvedValueOnce([
       pendingApproval("a1"),
       pendingApproval("a2", "ws-2"),
-    ] as unknown[]);
+    ]);
     render(<ApprovalBanner />);
     await act(async () => {
       await new Promise((r) => setTimeout(r, 10));
@@ -102,7 +74,7 @@ describe("ApprovalBanner — renders approval cards", () => {
   });
 
   it("displays the workspace name and action text", async () => {
-    _mockGet.mockResolvedValueOnce([pendingApproval("a1")] as unknown[]);
+    vi.spyOn(api, "get").mockResolvedValueOnce([pendingApproval("a1")]);
     render(<ApprovalBanner />);
     await act(async () => {
       await new Promise((r) => setTimeout(r, 10));
@@ -112,7 +84,7 @@ describe("ApprovalBanner — renders approval cards", () => {
   });
 
   it("displays the reason when present", async () => {
-    _mockGet.mockResolvedValueOnce([pendingApproval("a1")] as unknown[]);
+    vi.spyOn(api, "get").mockResolvedValueOnce([pendingApproval("a1")]);
     render(<ApprovalBanner />);
     await act(async () => {
       await new Promise((r) => setTimeout(r, 10));
@@ -123,7 +95,7 @@ describe("ApprovalBanner — renders approval cards", () => {
   it("omits the reason div when reason is null", async () => {
     const approval = pendingApproval("a1");
     approval.reason = null;
-    _mockGet.mockResolvedValueOnce([approval] as unknown[]);
+    vi.spyOn(api, "get").mockResolvedValueOnce([approval]);
     render(<ApprovalBanner />);
     await act(async () => {
       await new Promise((r) => setTimeout(r, 10));
@@ -132,7 +104,7 @@ describe("ApprovalBanner — renders approval cards", () => {
   });
 
   it("renders both Approve and Deny buttons per card", async () => {
-    _mockGet.mockResolvedValueOnce([pendingApproval("a1")] as unknown[]);
+    vi.spyOn(api, "get").mockResolvedValueOnce([pendingApproval("a1")]);
     render(<ApprovalBanner />);
     await act(async () => {
       await new Promise((r) => setTimeout(r, 10));
@@ -142,7 +114,7 @@ describe("ApprovalBanner — renders approval cards", () => {
   });
 
   it("has aria-live=assertive on the alert container", async () => {
-    _mockGet.mockResolvedValueOnce([pendingApproval("a1")] as unknown[]);
+    vi.spyOn(api, "get").mockResolvedValueOnce([pendingApproval("a1")]);
     render(<ApprovalBanner />);
     await act(async () => {
       await new Promise((r) => setTimeout(r, 10));
@@ -164,7 +136,7 @@ describe("ApprovalBanner — polling", () => {
   });
 
   it("clears the polling interval on unmount", async () => {
-    _mockGet.mockResolvedValueOnce([pendingApproval("a1")] as unknown[]);
+    vi.spyOn(api, "get").mockResolvedValueOnce([pendingApproval("a1")]);
     const { unmount } = render(<ApprovalBanner />);
     await act(async () => {
       await new Promise((r) => setTimeout(r, 10));
@@ -177,8 +149,8 @@ describe("ApprovalBanner — polling", () => {
 describe("ApprovalBanner — decisions", () => {
   it("calls POST /workspaces/:id/approvals/:id/decide on Approve click", async () => {
     const approval = pendingApproval("a1", "ws-1");
-    _mockGet.mockResolvedValueOnce([approval] as unknown[]);
-    _mockPost.mockResolvedValueOnce({} as unknown);
+    vi.spyOn(api, "get").mockResolvedValueOnce([approval]);
+    const postSpy = vi.spyOn(api, "post").mockResolvedValueOnce(undefined);
 
     render(<ApprovalBanner />);
     await act(async () => {
@@ -188,17 +160,17 @@ describe("ApprovalBanner — decisions", () => {
     fireEvent.click(screen.getByRole("button", { name: /approve/i }));
 
     await waitFor(() => {
-      expect(_mockPost).toHaveBeenCalledWith(
+      expect(postSpy).toHaveBeenCalledWith(
         "/workspaces/ws-1/approvals/a1/decide",
-        { decision: "approved", decided_by: "human" },
+        { decision: "approved", decided_by: "human" }
       );
     });
   });
 
   it("calls POST with decision=denied on Deny click", async () => {
     const approval = pendingApproval("a1", "ws-1");
-    _mockGet.mockResolvedValueOnce([approval] as unknown[]);
-    _mockPost.mockResolvedValueOnce({} as unknown);
+    vi.spyOn(api, "get").mockResolvedValueOnce([approval]);
+    const postSpy = vi.spyOn(api, "post").mockResolvedValueOnce(undefined);
 
     render(<ApprovalBanner />);
     await act(async () => {
@@ -208,17 +180,17 @@ describe("ApprovalBanner — decisions", () => {
     fireEvent.click(screen.getByRole("button", { name: /deny/i }));
 
     await waitFor(() => {
-      expect(_mockPost).toHaveBeenCalledWith(
+      expect(postSpy).toHaveBeenCalledWith(
         "/workspaces/ws-1/approvals/a1/decide",
-        { decision: "denied", decided_by: "human" },
+        { decision: "denied", decided_by: "human" }
       );
     });
   });
 
   it("removes the card from state after a successful decision", async () => {
     const approval = pendingApproval("a1", "ws-1");
-    _mockGet.mockResolvedValueOnce([approval] as unknown[]);
-    _mockPost.mockResolvedValueOnce({} as unknown);
+    vi.spyOn(api, "get").mockResolvedValueOnce([approval]);
+    vi.spyOn(api, "post").mockResolvedValueOnce(undefined);
 
     render(<ApprovalBanner />);
     await act(async () => {
@@ -236,8 +208,8 @@ describe("ApprovalBanner — decisions", () => {
   });
 
   it("shows a success toast on approve", async () => {
-    _mockGet.mockResolvedValueOnce([pendingApproval("a1")] as unknown[]);
-    _mockPost.mockResolvedValueOnce({} as unknown);
+    vi.spyOn(api, "get").mockResolvedValueOnce([pendingApproval("a1")]);
+    vi.spyOn(api, "post").mockResolvedValueOnce(undefined);
 
     render(<ApprovalBanner />);
     await act(async () => {
@@ -247,13 +219,13 @@ describe("ApprovalBanner — decisions", () => {
     fireEvent.click(screen.getByRole("button", { name: /approve/i }));
 
     await waitFor(() => {
-      expect(_mockToast).toHaveBeenCalledWith("Approved", "success");
+      expect(showToast).toHaveBeenCalledWith("Approved", "success");
     });
   });
 
   it("shows an info toast on deny", async () => {
-    _mockGet.mockResolvedValueOnce([pendingApproval("a1")] as unknown[]);
-    _mockPost.mockResolvedValueOnce({} as unknown);
+    vi.spyOn(api, "get").mockResolvedValueOnce([pendingApproval("a1")]);
+    vi.spyOn(api, "post").mockResolvedValueOnce(undefined);
 
     render(<ApprovalBanner />);
     await act(async () => {
@@ -263,18 +235,13 @@ describe("ApprovalBanner — decisions", () => {
     fireEvent.click(screen.getByRole("button", { name: /deny/i }));
 
     await waitFor(() => {
-      expect(_mockToast).toHaveBeenCalledWith("Denied", "info");
+      expect(showToast).toHaveBeenCalledWith("Denied", "info");
     });
   });
 
   it("shows an error toast when POST fails", async () => {
-    _mockGet.mockResolvedValueOnce([pendingApproval("a1")] as unknown[]);
-    // Use mockImplementation instead of mockRejectedValueOnce so the vi.fn
-    // wrapper is preserved — the component's catch block needs the resolved
-    // promise wrapper to distinguish a rejected-from-mock vs thrown-from-code.
-    _mockPost.mockImplementation(
-      () => new Promise((_, reject) => reject(new Error("Network error"))),
-    );
+    vi.spyOn(api, "get").mockResolvedValueOnce([pendingApproval("a1")]);
+    vi.spyOn(api, "post").mockRejectedValueOnce(new Error("Network error"));
 
     render(<ApprovalBanner />);
     await act(async () => {
@@ -284,15 +251,13 @@ describe("ApprovalBanner — decisions", () => {
     fireEvent.click(screen.getByRole("button", { name: /approve/i }));
 
     await waitFor(() => {
-      expect(_mockToast).toHaveBeenCalledWith("Failed to submit decision", "error");
+      expect(showToast).toHaveBeenCalledWith("Failed to submit decision", "error");
     });
   });
 
   it("keeps the card visible when the POST fails", async () => {
-    _mockGet.mockResolvedValueOnce([pendingApproval("a1")] as unknown[]);
-    _mockPost.mockImplementation(
-      () => new Promise((_, reject) => reject(new Error("Network error"))),
-    );
+    vi.spyOn(api, "get").mockResolvedValueOnce([pendingApproval("a1")]);
+    vi.spyOn(api, "post").mockRejectedValueOnce(new Error("Network error"));
 
     render(<ApprovalBanner />);
     await act(async () => {
@@ -310,7 +275,7 @@ describe("ApprovalBanner — decisions", () => {
 
 describe("ApprovalBanner — handles empty list from server", () => {
   it("shows nothing when the API returns an empty array on first poll", async () => {
-    _mockGet.mockResolvedValueOnce([] as unknown[]);
+    vi.spyOn(api, "get").mockResolvedValueOnce([]);
     render(<ApprovalBanner />);
     await act(async () => {
       await new Promise((r) => setTimeout(r, 10));

canvas/src/components/__tests__/BundleDropZone.test.tsx

@@ -37,22 +37,12 @@ function makeBundle(name = "test-workspace"): File {
   });
 }
 
-// jsdom doesn't define DragEvent globally; create a dragover event with
-// dataTransfer.types stubbed to include "Files" so handleDragOver triggers.
-function createDragOverEvent() {
-  return Object.assign(new Event("dragover", { bubbles: true, cancelable: true }), {
-    dataTransfer: { types: ["Files"], files: null },
-  });
-}
-
 // ─── Tests ────────────────────────────────────────────────────────────────────
 
 describe("BundleDropZone — render", () => {
   it("renders a hidden file input with correct accept and aria-label", () => {
     render(<BundleDropZone />);
-    // Use id selector since both input and button share aria-label="Import bundle file"
-    const input = document.getElementById("bundle-file-input") as HTMLInputElement;
-    expect(input).toBeTruthy();
+    const input = screen.getByLabelText("Import bundle file");
     expect(input.getAttribute("type")).toBe("file");
     expect(input.getAttribute("accept")).toBe(".bundle.json");
   });
@@ -74,17 +64,22 @@ describe("BundleDropZone — drag state", () => {
     vi.useRealTimers();
   });
 
-  it("shows the drop overlay when a file is dragged over", async () => {
+  it("shows the drop overlay when a file is dragged over", () => {
     render(<BundleDropZone />);
-    expect(screen.queryByText("Drop Bundle to Import")).toBeNull();
-    const zone = document.body.querySelector('[class*="z-10"]') as HTMLElement;
+    const overlay = screen.getByText("Drop Bundle to Import").closest("div");
+    expect(overlay?.className).toContain("fixed");
+
+    // Simulate drag-over on the invisible drop zone
+    const zone = document.body.querySelector('[class*="fixed inset-0 z-10"]') as HTMLElement;
     if (zone) {
-      const dragOverEvent = createDragOverEvent();
-      fireEvent.dragOver(zone, dragOverEvent);
+      fireEvent.dragOver(zone);
+    } else {
+      // Fallback: dispatch on the component's outer div
+      const container = document.body.querySelector('[class*="pointer-events-none"]') as HTMLElement;
+      if (container) {
+        fireEvent.dragOver(container);
+      }
     }
-    await act(async () => { vi.runOnlyPendingTimers(); });
-    const overlay = screen.getByText("Drop Bundle to Import").closest('[class*="z-20"]');
-    expect(overlay).not.toBeNull();
   });
 
   it("hides the drop overlay when not dragging", () => {
@@ -97,7 +92,8 @@ describe("BundleDropZone — drag state", () => {
 describe("BundleDropZone — keyboard file input (WCAG 2.1.1)", () => {
   it("triggers the hidden file input when the import button is clicked", () => {
     render(<BundleDropZone />);
-    const input = document.getElementById("bundle-file-input") as HTMLInputElement;    const clickSpy = vi.spyOn(input, "click");
+    const input = screen.getByLabelText("Import bundle file") as HTMLInputElement;
+    const clickSpy = vi.spyOn(input, "click");
     fireEvent.click(screen.getByRole("button", { name: /import bundle/i }));
     expect(clickSpy).toHaveBeenCalled();
   });
@@ -111,7 +107,7 @@ describe("BundleDropZone — keyboard file input (WCAG 2.1.1)", () => {
     });
 
     render(<BundleDropZone />);
-    const input = document.getElementById("bundle-file-input") as HTMLInputElement;
+    const input = screen.getByLabelText("Import bundle file");
 
     const file = makeBundle("My Bundle");
     Object.defineProperty(input, "files", {
@@ -143,7 +139,7 @@ describe("BundleDropZone — import success", () => {
     });
 
     render(<BundleDropZone />);
-    const input = document.getElementById("bundle-file-input") as HTMLInputElement;
+    const input = screen.getByLabelText("Import bundle file");
 
     const file = makeBundle("Success Workspace");
     Object.defineProperty(input, "files", { value: [file], writable: false });
@@ -174,7 +170,7 @@ describe("BundleDropZone — import success", () => {
     });
 
     render(<BundleDropZone />);
-    const input = document.getElementById("bundle-file-input") as HTMLInputElement;
+    const input = screen.getByLabelText("Import bundle file");
 
     const file = makeBundle("Timed Workspace");
     Object.defineProperty(input, "files", { value: [file], writable: false });
@@ -200,7 +196,7 @@ describe("BundleDropZone — import error", () => {
     vi.mocked(api.post).mockRejectedValueOnce(new Error("Import failed: 500 Internal Server Error"));
 
     render(<BundleDropZone />);
-    const input = document.getElementById("bundle-file-input") as HTMLInputElement;
+    const input = screen.getByLabelText("Import bundle file");
 
     const file = makeBundle("Failed Workspace");
     Object.defineProperty(input, "files", { value: [file], writable: false });
@@ -218,7 +214,7 @@ describe("BundleDropZone — import error", () => {
   it("shows error when file is not a .bundle.json", async () => {
     vi.useFakeTimers();
     render(<BundleDropZone />);
-    const input = document.getElementById("bundle-file-input") as HTMLInputElement;
+    const input = screen.getByLabelText("Import bundle file");
 
     const file = new File(["{}"], "readme.txt", { type: "text/plain" });
     Object.defineProperty(input, "files", { value: [file], writable: false });
@@ -243,7 +239,7 @@ describe("BundleDropZone — import error", () => {
     vi.mocked(api.post).mockRejectedValueOnce(new Error("Network error"));
 
     render(<BundleDropZone />);
-    const input = document.getElementById("bundle-file-input") as HTMLInputElement;
+    const input = screen.getByLabelText("Import bundle file");
 
     const file = makeBundle("Error Workspace");
     Object.defineProperty(input, "files", { value: [file], writable: false });
@@ -271,7 +267,7 @@ describe("BundleDropZone — importing state", () => {
     vi.mocked(api.post).mockReturnValueOnce(pending as unknown as ReturnType<typeof api.post>);
 
     render(<BundleDropZone />);
-    const input = document.getElementById("bundle-file-input") as HTMLInputElement;
+    const input = screen.getByLabelText("Import bundle file");
 
     const file = makeBundle("Pending Workspace");
     Object.defineProperty(input, "files", { value: [file], writable: false });
@@ -303,7 +299,8 @@ describe("BundleDropZone — file input reset", () => {
     });
 
     render(<BundleDropZone />);
-    const input = document.getElementById("bundle-file-input") as HTMLInputElement;
+    const input = screen.getByLabelText("Import bundle file") as HTMLInputElement;
+
     const file = makeBundle("Reset Test");
     Object.defineProperty(input, "files", { value: [file], writable: false });
 

canvas/src/components/__tests__/ContextMenu.test.tsx

@@ -12,7 +12,6 @@ import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import { ContextMenu } from "../ContextMenu";
 import { useCanvasStore } from "@/store/canvas";
 import { showToast } from "../Toaster";
-import { api } from "@/lib/api";
 
 // ─── Mock Toaster ─────────────────────────────────────────────────────────────
 
@@ -22,10 +21,12 @@ vi.mock("../Toaster", () => ({
 
 // ─── Mock API ────────────────────────────────────────────────────────────────
 
+const apiPost = vi.fn().mockResolvedValue(undefined as void);
+const apiPatch = vi.fn().mockResolvedValue(undefined as void);
 vi.mock("@/lib/api", () => ({
   api: {
-    post: vi.fn().mockResolvedValue(undefined as void),
-    patch: vi.fn().mockResolvedValue(undefined as void),
+    post: apiPost,
+    patch: apiPatch,
     get: vi.fn(),
   },
 }));
@@ -95,8 +96,8 @@ describe("ContextMenu — visibility", () => {
     mockStoreState.setCollapsed.mockClear();
     mockStoreState.arrangeChildren.mockClear();
     mockStoreState.nodes = [];
-    vi.mocked(api.post).mockReset();
-    vi.mocked(api.patch).mockReset();
+    apiPost.mockReset();
+    apiPatch.mockReset();
     vi.mocked(showToast).mockClear();
   });
 
@@ -145,8 +146,8 @@ describe("ContextMenu — close", () => {
     mockStoreState.setCollapsed.mockClear();
     mockStoreState.arrangeChildren.mockClear();
     mockStoreState.nodes = [];
-    vi.mocked(api.post).mockReset();
-    vi.mocked(api.patch).mockReset();
+    apiPost.mockReset();
+    apiPatch.mockReset();
     vi.mocked(showToast).mockClear();
   });
 
@@ -167,7 +168,7 @@ describe("ContextMenu — close", () => {
   it("closes when Tab is pressed", () => {
     openMenu();
     render(<ContextMenu />);
-    fireEvent.keyDown(screen.getByRole("menu"), { key: "Tab" });
+    fireEvent.keyDown(document.body, { key: "Tab" });
     expect(mockStoreState.closeContextMenu).toHaveBeenCalled();
   });
 });
@@ -186,8 +187,8 @@ describe("ContextMenu — menu items", () => {
     mockStoreState.setCollapsed.mockClear();
     mockStoreState.arrangeChildren.mockClear();
     mockStoreState.nodes = [];
-    vi.mocked(api.post).mockReset();
-    vi.mocked(api.patch).mockReset();
+    apiPost.mockReset();
+    apiPatch.mockReset();
     vi.mocked(showToast).mockClear();
   });
 
@@ -201,11 +202,8 @@ describe("ContextMenu — menu items", () => {
   it("hides Chat and Terminal for offline nodes", () => {
     openMenu({ nodeData: { name: "Bob", status: "offline", tier: 2, role: "analyst" } });
     render(<ContextMenu />);
-    // Offline nodes render Chat/Terminal as disabled buttons (accessible but non-interactive)
-    const chatBtn = screen.getByRole("menuitem", { name: /chat/i });
-    const termBtn = screen.getByRole("menuitem", { name: /terminal/i });
-    expect(chatBtn.hasAttribute("disabled")).toBe(true);
-    expect(termBtn.hasAttribute("disabled")).toBe(true);
+    expect(screen.queryByRole("menuitem", { name: /chat/i })).toBeNull();
+    expect(screen.queryByRole("menuitem", { name: /terminal/i })).toBeNull();
   });
 
   it("shows Pause for online nodes (not paused)", () => {
@@ -286,8 +284,8 @@ describe("ContextMenu — keyboard navigation", () => {
     mockStoreState.setCollapsed.mockClear();
     mockStoreState.arrangeChildren.mockClear();
     mockStoreState.nodes = [];
-    vi.mocked(api.post).mockReset();
-    vi.mocked(api.patch).mockReset();
+    apiPost.mockReset();
+    apiPatch.mockReset();
     vi.mocked(showToast).mockClear();
   });
 
@@ -328,8 +326,8 @@ describe("ContextMenu — item actions", () => {
     mockStoreState.setCollapsed.mockClear();
     mockStoreState.arrangeChildren.mockClear();
     mockStoreState.nodes = [];
-    vi.mocked(api.post).mockReset();
-    vi.mocked(api.patch).mockReset();
+    apiPost.mockReset();
+    apiPatch.mockReset();
     vi.mocked(showToast).mockClear();
   });
 
@@ -359,20 +357,20 @@ describe("ContextMenu — item actions", () => {
 
   it("Pause calls the pause API and updates node status optimistically", async () => {
     openMenu({ nodeData: { name: "Alice", status: "online", tier: 4, role: "assistant" } });
-    vi.mocked(api.post).mockResolvedValue(undefined);
+    apiPost.mockResolvedValue(undefined);
     render(<ContextMenu />);
     fireEvent.click(screen.getByRole("menuitem", { name: /pause/i }));
     await act(async () => { /* flush */ });
-    expect(vi.mocked(api.post)).toHaveBeenCalledWith("/workspaces/n1/pause", {});
+    expect(apiPost).toHaveBeenCalledWith("/workspaces/n1/pause", {});
     expect(mockStoreState.updateNodeData).toHaveBeenCalledWith("n1", { status: "paused" });
   });
 
   it("Resume calls the resume API", async () => {
     openMenu({ nodeData: { name: "Alice", status: "paused", tier: 4, role: "assistant" } });
-    vi.mocked(api.post).mockResolvedValue(undefined);
+    apiPost.mockResolvedValue(undefined);
     render(<ContextMenu />);
     fireEvent.click(screen.getByRole("menuitem", { name: /resume/i }));
     await act(async () => { /* flush */ });
-    expect(vi.mocked(api.post)).toHaveBeenCalledWith("/workspaces/n1/resume", {});
+    expect(apiPost).toHaveBeenCalledWith("/workspaces/n1/resume", {});
   });
 });

canvas/src/components/__tests__/ConversationTraceModal.test.tsx

@@ -96,9 +96,9 @@ describe("extractMessageText — response result format", () => {
         ],
       },
     };
-    // Both parts contribute: text from first part, root.text from second.
-    // The implementation: all non-empty strings joined with newline.
-    expect(extractMessageText(body)).toBe("Direct text\nRoot text");
+    // Both are non-empty strings, so the first one wins (filter picks the first)
+    // The implementation: rText from rParts[0].text = "Direct text"
+    expect(extractMessageText(body)).toBe("Direct text");
   });
 });
 

canvas/src/components/__tests__/EmptyState.test.tsx

@@ -1,267 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Tests for EmptyState component — the full-canvas welcome card on first load.
- *
- * Pattern: all vi.fn() refs are created by a SINGLE vi.hoisted() call,
- * returned as a named-const object. Individual vi.mock factories then
- * import that object and pull out the fields they need. This avoids
- * "Cannot access before initialization" errors from vi.mock hoisting.
- */
-import React from "react";
-import { render, screen, fireEvent, cleanup, waitFor, act } from "@testing-library/react";
-import { afterEach, describe, expect, it, vi, beforeEach } from "vitest";
-import { EmptyState } from "../EmptyState";
-
-// ─── Module-level mocks ───────────────────────────────────────────────────────
-// vi.hoisted is evaluated after module-level vars are declared, so these
-// refs are stable and accessible inside vi.mock factories (which are
-// hoisted above everything). We return an object so a SINGLE hoisted call
-// creates all mocks; each vi.mock then references m.<field>.
-const m = vi.hoisted(() => {
-  const mockGet = vi.fn<() => Promise<unknown[]>>();
-  const mockPost = vi.fn<() => Promise<{ id: string }>>();
-  const mockCheckDeploySecrets = vi.fn<
-    () => Promise<{
-      ok: boolean;
-      missingKeys: string[];
-      providers: string[];
-      runtime: string;
-      configuredKeys: string[];
-    }>
-  >();
-  const mockSelectNode = vi.fn<(id: string) => void>();
-  const mockSetPanelTab = vi.fn<(tab: string) => void>();
-  const mockDeploy = vi.fn<(t: { id: string; name: string }) => Promise<void>>();
-  const mockUseTemplateDeploy = vi.fn(() => ({
-    deploy: mockDeploy,
-    deploying: false,
-    error: null,
-    modal: null,
-  }));
-
-  return {
-    mockGet,
-    mockPost,
-    mockCheckDeploySecrets,
-    mockSelectNode,
-    mockSetPanelTab,
-    mockDeploy,
-    mockUseTemplateDeploy,
-  };
-});
-
-vi.mock("@/lib/api", () => ({
-  api: { get: m.mockGet, post: m.mockPost },
-}));
-
-vi.mock("@/lib/deploy-preflight", () => ({
-  checkDeploySecrets: m.mockCheckDeploySecrets,
-}));
-
-vi.mock("@/store/canvas", () => ({
-  useCanvasStore: Object.assign(
-    // The hook returns an object with selectNode/setPanelTab;
-    // the component also calls useCanvasStore.getState() directly.
-    vi.fn(() => ({
-      selectNode: m.mockSelectNode,
-      setPanelTab: m.mockSetPanelTab,
-    })),
-    {
-      getState: () => ({
-        selectNode: m.mockSelectNode,
-        setPanelTab: m.mockSetPanelTab,
-      }),
-    },
-  ),
-}));
-
-vi.mock("@/hooks/useTemplateDeploy", () => ({
-  useTemplateDeploy: m.mockUseTemplateDeploy,
-}));
-
-// Mock OrgTemplatesSection — tested separately.
-vi.mock("../TemplatePalette", () => ({
-  OrgTemplatesSection: () => (
-    <div data-testid="org-templates-section">Org Templates</div>
-  ),
-}));
-
-// ─── Test data ───────────────────────────────────────────────────────────────
-
-const TEMPLATE = {
-  id: "molecule-dev",
-  name: "Molecule Dev",
-  tier: 2,
-  description: "A full-featured agent workspace for development",
-  runtime: "langgraph",
-  required_env: ["ANTHROPIC_API_KEY"],
-  models: [{ id: "claude-sonnet-4-20250514", required_env: ["ANTHROPIC_API_KEY"] }],
-  model: "claude-sonnet-4-20250514",
-  skill_count: 12,
-};
-
-// ─── Cleanup ─────────────────────────────────────────────────────────────────
-
-beforeEach(() => {
-  m.mockGet.mockReset();
-  m.mockGet.mockResolvedValue([] as unknown[]);
-  m.mockPost.mockReset();
-  m.mockPost.mockResolvedValue({ id: "new-ws-123" } as unknown as { id: string });
-  m.mockCheckDeploySecrets.mockReset();
-  m.mockCheckDeploySecrets.mockResolvedValue({
-    ok: true,
-    missingKeys: [],
-    providers: [],
-    runtime: "langgraph",
-    configuredKeys: [],
-  });
-  m.mockSelectNode.mockReset();
-  m.mockSetPanelTab.mockReset();
-  m.mockDeploy.mockReset();
-});
-
-afterEach(() => {
-  cleanup();
-});
-
-// ─── Tests ────────────────────────────────────────────────────────────────────
-
-describe("EmptyState — loading state", () => {
-  it("shows spinner and loading text while templates are being fetched", () => {
-    m.mockGet.mockImplementation(() => new Promise(() => {}));
-    render(<EmptyState />);
-    expect(screen.getByText(/loading templates/i)).toBeTruthy();
-  });
-});
-
-describe("EmptyState — templates fetched", () => {
-  it("renders template grid with name, tier badge, description, skill count", async () => {
-    m.mockGet.mockResolvedValueOnce([TEMPLATE] as unknown[]);
-    render(<EmptyState />);
-    await act(async () => { await new Promise(r => setTimeout(r, 50)); });
-    expect(screen.getByText("Molecule Dev")).toBeTruthy();
-    expect(screen.getByText("T2")).toBeTruthy();
-    expect(screen.getByText(/full-featured agent workspace/i)).toBeTruthy();
-    expect(screen.getByText(/12 skills/)).toBeTruthy();
-  });
-
-  it("shows model label when template declares a model", async () => {
-    m.mockGet.mockResolvedValueOnce([TEMPLATE] as unknown[]);
-    render(<EmptyState />);
-    await act(async () => { await new Promise(r => setTimeout(r, 50)); });
-    expect(screen.getByText(/claude-sonnet/i)).toBeTruthy();
-  });
-
-  it("calls deploy(template) when template button is clicked", async () => {
-    m.mockGet.mockResolvedValueOnce([TEMPLATE] as unknown[]);
-    render(<EmptyState />);
-    await act(async () => { await new Promise(r => setTimeout(r, 50)); });
-    fireEvent.click(screen.getByRole("button", { name: /molecule dev/i }));
-    expect(m.mockDeploy).toHaveBeenCalledWith(
-      expect.objectContaining({ id: "molecule-dev", name: "Molecule Dev" }),
-    );
-  });
-});
-
-describe("EmptyState — no templates", () => {
-  it("shows only the create-blank button when template list is empty", async () => {
-    // beforeEach already sets mockResolvedValue([]) as default — no override needed.
-    render(<EmptyState />);
-    await act(async () => { await new Promise(r => setTimeout(r, 50)); });
-    expect(screen.getByRole("button", { name: /\+ create blank workspace/i })).toBeTruthy();
-    expect(screen.queryByText(/molecule dev/i)).toBeNull();
-  });
-
-  it("shows only the create-blank button when template fetch fails", async () => {
-    m.mockGet.mockRejectedValueOnce(new Error("Network error"));
-    render(<EmptyState />);
-    await act(async () => { await new Promise(r => setTimeout(r, 50)); });
-    expect(screen.getByRole("button", { name: /\+ create blank workspace/i })).toBeTruthy();
-    expect(screen.queryByText(/loading templates/i)).toBeNull();
-  });
-});
-
-describe("EmptyState — create blank workspace", () => {
-  it('shows "Creating..." label while blank workspace POST is in-flight', async () => {
-    m.mockPost.mockImplementationOnce(() => new Promise(() => {}));
-    render(<EmptyState />);
-    await act(async () => { await new Promise(r => setTimeout(r, 50)); });
-    fireEvent.click(screen.getByRole("button", { name: /\+ create blank workspace/i }));
-    await act(async () => { await new Promise(r => setTimeout(r, 50)); });
-    expect(screen.getByText("Creating...")).toBeTruthy();
-    // The same button is now relabeled; check it is disabled while POST is in-flight.
-    expect(screen.getByRole("button", { name: /creating\.\.\./i })).toHaveProperty("disabled", true);
-  });
-
-  it("calls POST /workspaces with correct payload on create blank", async () => {
-    m.mockPost.mockResolvedValueOnce({ id: "ws-new-456" } as unknown as { id: string });
-    render(<EmptyState />);
-    await act(async () => { await new Promise(r => setTimeout(r, 50)); });
-    fireEvent.click(screen.getByRole("button", { name: /\+ create blank workspace/i }));
-    await act(async () => { await new Promise(r => setTimeout(r, 50)); });
-    expect(m.mockPost).toHaveBeenCalledWith("/workspaces", {
-      name: "My First Agent",
-      canvas: { x: 200, y: 150 },
-    });
-  });
-
-  it("calls selectNode + setPanelTab(chat) after 500ms on blank create success", async () => {
-    m.mockPost.mockResolvedValueOnce({ id: "ws-new-789" } as unknown as { id: string });
-    render(<EmptyState />);
-    await act(async () => { await new Promise(r => setTimeout(r, 50)); });
-    fireEvent.click(screen.getByRole("button", { name: /\+ create blank workspace/i }));
-    // Wait for the 500ms setTimeout inside handleDeployed to fire and call
-    // canvas store methods. Use waitFor so we don't hard-code timing assumptions.
-    await waitFor(() => {
-      expect(m.mockSelectNode).toHaveBeenCalledWith("ws-new-789");
-      expect(m.mockSetPanelTab).toHaveBeenCalledWith("chat");
-    }, { timeout: 1000 });
-  });
-
-  it("shows error banner on blank create failure", async () => {
-    m.mockPost.mockRejectedValueOnce(new Error("Server error"));
-    render(<EmptyState />);
-    await act(async () => { await new Promise(r => setTimeout(r, 50)); });
-    fireEvent.click(screen.getByRole("button", { name: /\+ create blank workspace/i }));
-    await act(async () => { await new Promise(r => setTimeout(r, 50)); });
-    expect(screen.getByRole("alert")).toBeTruthy();
-    expect(screen.getByText(/server error/i)).toBeTruthy();
-  });
-
-  it("blank workspace error clears on retry", async () => {
-    m.mockPost.mockRejectedValueOnce(new Error("Server error"));
-    render(<EmptyState />);
-    await act(async () => { await new Promise(r => setTimeout(r, 50)); });
-    fireEvent.click(screen.getByRole("button", { name: /\+ create blank workspace/i }));
-    await act(async () => { await new Promise(r => setTimeout(r, 50)); });
-    expect(screen.getByRole("alert")).toBeTruthy();
-
-    // Retry succeeds — error clears
-    m.mockPost.mockResolvedValueOnce({ id: "ws-retry" } as unknown as { id: string });
-    fireEvent.click(screen.getByRole("button", { name: /\+ create blank workspace/i }));
-    await act(async () => { await new Promise(r => setTimeout(r, 50)); });
-    expect(screen.queryByRole("alert")).toBeNull();
-  });
-});
-
-describe("EmptyState — rendering", () => {
-  it("renders the welcome heading and instructions", async () => {
-    // beforeEach already sets mockGet to resolve to [] — no override needed.
-    render(<EmptyState />);
-    await act(async () => { await new Promise(r => setTimeout(r, 50)); });
-    expect(screen.getByText(/deploy your first agent/i)).toBeTruthy();
-    expect(screen.getByText(/welcome to molecule ai/i)).toBeTruthy();
-  });
-
-  it("renders the tips footer", async () => {
-    render(<EmptyState />);
-    await act(async () => { await new Promise(r => setTimeout(r, 50)); });
-    expect(screen.getByText(/drag to nest workspaces/i)).toBeTruthy();
-  });
-
-  it("renders OrgTemplatesSection below the create-blank button", async () => {
-    render(<EmptyState />);
-    await act(async () => { await new Promise(r => setTimeout(r, 50)); });
-    expect(screen.getByTestId("org-templates-section")).toBeTruthy();
-  });
-});

canvas/src/components/__tests__/Legend.test.tsx

@@ -149,8 +149,7 @@ describe("Legend — palette offset positioning", () => {
       (sel) => sel({ templatePaletteOpen: false } as ReturnType<typeof useCanvasStore.getState>)
     );
     render(<Legend />);
-    // The panel is the div with the fixed/bottom-6/z-30 classes; find it directly.
-    const panel = document.querySelector('[class*="fixed"][class*="bottom-6"]') as HTMLElement;
+    const panel = screen.getByText("Legend").closest("div");
     expect(panel?.className).toContain("left-4");
   });
 
@@ -159,7 +158,7 @@ describe("Legend — palette offset positioning", () => {
       (sel) => sel({ templatePaletteOpen: true } as ReturnType<typeof useCanvasStore.getState>)
     );
     render(<Legend />);
-    const panel = document.querySelector('[class*="fixed"][class*="bottom-6"]') as HTMLElement;
+    const panel = screen.getByText("Legend").closest("div");
     expect(panel?.className).toContain("left-[296px]");
   });
 });

canvas/src/components/__tests__/MissingKeysModal.a11y.test.tsx

@@ -81,13 +81,11 @@ describe("MissingKeysModal — WCAG 2.1 dialog accessibility", () => {
 
   it("backdrop div has aria-hidden='true' so screen readers skip it", () => {
     renderModal({ open: true });
-    // The backdrop is the first child of the portal root — it has bg-black/70
-    // and is a sibling of the dialog, both inside a fixed inset-0 container.
-    const fixedContainer = document.body.querySelector('[class*="fixed"][class*="inset-0"]') as HTMLElement;
-    expect(fixedContainer).toBeTruthy();
-    const backdrop = fixedContainer.querySelector('[class*="bg-black"]') as HTMLElement;
+    // The backdrop is a div outside the dialog; it has onClick and aria-hidden
+    const backdrop = document.querySelector('[aria-hidden="true"]');
     expect(backdrop).toBeTruthy();
-    expect(backdrop.getAttribute("aria-hidden")).toBe("true");
+    // Verify the backdrop is the full-screen overlay (has bg-black/70)
+    expect(backdrop?.className).toContain("bg-black/70");
   });
 
   it("decorative warning SVG in header has aria-hidden='true'", () => {

canvas/src/components/__tests__/OnboardingWizard.test.tsx

@@ -140,17 +140,18 @@ describe("OnboardingWizard — auto-advance", () => {
   });
 
   it("auto-advances from welcome to api-key when nodes appear", async () => {
-    const { rerender } = render(<OnboardingWizard />);
+    const { unmount } = render(<OnboardingWizard />);
     expect(screen.getByText("Welcome to Molecule AI")).toBeTruthy();
 
-    // Simulate a node being added to the store and trigger re-render
+    // Simulate a node being added to the store and re-render
     mockStoreState.nodes = [{ id: "ws-1", data: {} }];
-    rerender(<OnboardingWizard />);
+    render(<OnboardingWizard />);
 
     await waitFor(() => {
       expect(screen.queryByText("Welcome to Molecule AI")).toBeNull();
     });
     expect(screen.getByText("Set your API key")).toBeTruthy();
+    unmount();
   });
 });
 

canvas/src/components/__tests__/PurchaseSuccessModal.test.tsx

@@ -12,66 +12,13 @@ import { render, screen, fireEvent, cleanup, act } from "@testing-library/react"
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import { PurchaseSuccessModal } from "../PurchaseSuccessModal";
 
-// ─── History mock ─────────────────────────────────────────────────────────────
-// jsdom's window.history.replaceState throws SecurityError for http://localhost/
-// (it normalizes the URL and adds a trailing dot, then fails its own check).
-// We intercept replaceState to swallow the error and also update the location
-// object directly so window.location.search reflects the current URL params.
-const _origReplaceState = window.history.replaceState.bind(window.history);
-const _origLocation = window.location;
-let _currentHref = "http://localhost/";
-
-// Override window.location with a writable version that tracks our fake href
-Object.defineProperty(window, "location", {
-  value: {
-    get href() { return _currentHref; },
-    set href(v: string) { _currentHref = v; },
-    get search() {
-      const idx = _currentHref.indexOf("?");
-      return idx >= 0 ? _currentHref.slice(idx) : "";
-    },
-    get pathname() {
-      const idx = _currentHref.indexOf("?");
-      const pathPart = idx >= 0 ? _currentHref.slice(0, idx) : _currentHref;
-      return new URL(pathPart).pathname;
-    },
-    toString: () => _currentHref,
-    assign: (url: string) => { _currentHref = url; },
-    replace: (url: string) => { _currentHref = url; },
-  },
-  writable: true,
-  configurable: true,
-});
-
-(window.history as unknown as Record<string, unknown>).replaceState = function(
-  this: History,
-  state: unknown,
-  title: string,
-  url?: string | URL,
-) {
-  const urlStr = url != null ? String(url) : undefined;
-  if (urlStr != null) _currentHref = urlStr;
-  try {
-    return _origReplaceState.call(this, state, title, url);
-  } catch (err) {
-    // jsdom throws for http://localhost/ — swallow and rely on our fake location
-    return undefined as unknown as void;
-  }
-} as History["replaceState"];
-
 // ─── Helpers ──────────────────────────────────────────────────────────────────
 
-function replaceUrl(url: string) {
-  _currentHref = url;
-  try {
-    window.history.replaceState(null, "", url);
-  } catch {
-    // Intercepted above
-  }
-}
-
 function pushUrl(url: string) {
-  replaceUrl(url);
+  window.history.pushState({}, "", url);
+}
+function replaceUrl(url: string) {
+  window.history.replaceState({}, "", url);
 }
 
 // ─── Tests ────────────────────────────────────────────────────────────────────
@@ -170,7 +117,7 @@ describe("PurchaseSuccessModal — dismiss", () => {
   it("closes the dialog when the close button is clicked", async () => {
     render(<PurchaseSuccessModal />);
     await act(async () => {
-      vi.advanceTimersByTime(10);
+      await new Promise((r) => setTimeout(r, 10));
     });
     expect(screen.getByRole("dialog")).toBeTruthy();
     fireEvent.click(screen.getByRole("button", { name: "Close" }));
@@ -183,7 +130,7 @@ describe("PurchaseSuccessModal — dismiss", () => {
   it("closes the dialog when the backdrop is clicked", async () => {
     render(<PurchaseSuccessModal />);
     await act(async () => {
-      vi.advanceTimersByTime(10);
+      await new Promise((r) => setTimeout(r, 10));
     });
     expect(screen.getByRole("dialog")).toBeTruthy();
     // Click the backdrop (the full-screen overlay div)
@@ -198,7 +145,7 @@ describe("PurchaseSuccessModal — dismiss", () => {
   it("closes on Escape key", async () => {
     render(<PurchaseSuccessModal />);
     await act(async () => {
-      vi.advanceTimersByTime(10);
+      await new Promise((r) => setTimeout(r, 10));
     });
     expect(screen.getByRole("dialog")).toBeTruthy();
     fireEvent.keyDown(window, { key: "Escape" });
@@ -211,7 +158,7 @@ describe("PurchaseSuccessModal — dismiss", () => {
   it("auto-dismisses after 5 seconds", async () => {
     render(<PurchaseSuccessModal />);
     await act(async () => {
-      vi.advanceTimersByTime(10);
+      await new Promise((r) => setTimeout(r, 10));
     });
     expect(screen.getByRole("dialog")).toBeTruthy();
 
@@ -224,7 +171,7 @@ describe("PurchaseSuccessModal — dismiss", () => {
   it("does not auto-dismiss before 5 seconds", async () => {
     render(<PurchaseSuccessModal />);
     await act(async () => {
-      vi.advanceTimersByTime(10);
+      await new Promise((r) => setTimeout(r, 10));
     });
     expect(screen.getByRole("dialog")).toBeTruthy();
 
@@ -248,7 +195,7 @@ describe("PurchaseSuccessModal — URL stripping", () => {
   it("strips purchase_success and item params from the URL on mount", async () => {
     render(<PurchaseSuccessModal />);
     await act(async () => {
-      vi.advanceTimersByTime(10);
+      await new Promise((r) => setTimeout(r, 10));
     });
     const url = new URL(window.location.href);
     expect(url.searchParams.get("purchase_success")).toBeNull();
@@ -259,7 +206,7 @@ describe("PurchaseSuccessModal — URL stripping", () => {
     const replaceSpy = vi.spyOn(window.history, "replaceState");
     render(<PurchaseSuccessModal />);
     await act(async () => {
-      vi.advanceTimersByTime(10);
+      await new Promise((r) => setTimeout(r, 10));
     });
     expect(replaceSpy).toHaveBeenCalled();
   });
@@ -279,7 +226,7 @@ describe("PurchaseSuccessModal — accessibility", () => {
   it("has aria-modal=true on the dialog", async () => {
     render(<PurchaseSuccessModal />);
     await act(async () => {
-      vi.advanceTimersByTime(10);
+      await new Promise((r) => setTimeout(r, 10));
     });
     const dialog = screen.getByRole("dialog");
     expect(dialog.getAttribute("aria-modal")).toBe("true");
@@ -288,7 +235,7 @@ describe("PurchaseSuccessModal — accessibility", () => {
   it("has aria-labelledby pointing to the title", async () => {
     render(<PurchaseSuccessModal />);
     await act(async () => {
-      vi.advanceTimersByTime(10);
+      await new Promise((r) => setTimeout(r, 10));
     });
     const dialog = screen.getByRole("dialog");
     const labelledby = dialog.getAttribute("aria-labelledby");
@@ -300,10 +247,8 @@ describe("PurchaseSuccessModal — accessibility", () => {
   it("moves focus to the close button on open", async () => {
     render(<PurchaseSuccessModal />);
     await act(async () => {
-      vi.advanceTimersByTime(10);
-      // Advance rAF timers as well (ViTest mocks rAF with fake timers)
-      vi.advanceTimersByTime(0);
-      vi.advanceTimersByTime(0);
+      // Two rAFs for focus: one from the effect, one from the RAF wrapper
+      await new Promise((r) => requestAnimationFrame(() => requestAnimationFrame(r)));
     });
     expect(document.activeElement?.textContent).toMatch(/close/i);
   });

canvas/src/components/__tests__/RevealToggle.test.tsx

@@ -6,12 +6,11 @@
  * aria-label, title text, onToggle callback.
  */
 import React from "react";
-import { render, screen, fireEvent, cleanup } from "@testing-library/react";
-import { afterEach, describe, expect, it, vi } from "vitest";
+import { render, screen, fireEvent } from "@testing-library/react";
+import { describe, expect, it, vi } from "vitest";
 import { RevealToggle } from "../ui/RevealToggle";
 
 describe("RevealToggle — render", () => {
-  afterEach(cleanup);
   it("renders a button element", () => {
     render(<RevealToggle revealed={false} onToggle={vi.fn()} />);
     expect(screen.getByRole("button")).toBeTruthy();

canvas/src/components/__tests__/SearchDialog.test.tsx

@@ -13,18 +13,13 @@ import { SearchDialog } from "../SearchDialog";
 import { useCanvasStore } from "@/store/canvas";
 
 // ─── Mock store ──────────────────────────────────────────────────────────────
-// Zustand-compatible mock: useSyncExternalStore needs subscribe() to fire
-// callbacks so React re-renders when state changes. Without it, the
-// Cmd+K test opens the dialog but the component never re-renders because
-// React's external-store bridge has no notification to flush.
-//
-// We use vi.fn() wrapping for setSearchOpen so tests can use
-// toHaveBeenCalledWith() for assertions, while also calling the underlying
-// store update that triggers Zustand's subscriber mechanism.
 
-type StoreSlice = {
-  searchOpen: boolean;
-  nodes: Array<{
+const mockStoreState = {
+  searchOpen: false,
+  setSearchOpen: vi.fn((open: boolean) => {
+    mockStoreState.searchOpen = open;
+  }),
+  nodes: [] as Array<{
     id: string;
     data: {
       name: string;
@@ -33,48 +28,17 @@ type StoreSlice = {
       role: string;
       parentId?: string | null;
     };
-  }>;
-  selectNode: (id: string) => void;
-  setPanelTab: (tab: string) => void;
-};
-
-const _subscribers = new Set<() => void>();
-
-const _implSetSearchOpen = (open: boolean) => {
-  _mockStore.searchOpen = open;
-  _subscribers.forEach((cb) => cb());
-};
-
-const _mockStore: StoreSlice = {
-  searchOpen: false,
-  nodes: [],
+  }>,
   selectNode: vi.fn(),
   setPanelTab: vi.fn(),
 };
 
-const mockStoreState: StoreSlice & { setSearchOpen: ReturnType<typeof vi.fn> } = {
-  searchOpen: false,
-  nodes: [],
-  selectNode: _mockStore.selectNode,
-  setPanelTab: _mockStore.setPanelTab,
-  // vi.fn() wrapper so tests can use toHaveBeenCalledWith(); the
-  // implementation calls through to _implSetSearchOpen which notifies
-  // Zustand subscribers so React re-renders.
-  setSearchOpen: vi.fn(_implSetSearchOpen),
-};
-
 vi.mock("@/store/canvas", () => ({
   useCanvasStore: Object.assign(
     (sel: (s: typeof mockStoreState) => unknown) => sel(mockStoreState),
-    {
-      getState: () => mockStoreState,
-      subscribe: (cb: () => void) => {
-        _subscribers.add(cb);
-        return () => { _subscribers.delete(cb); };
-      },
-    } as unknown as ReturnType<typeof vi.fn>,
+    { getState: () => mockStoreState },
   ),
-})) as typeof vi.mock;
+}));
 
 const STORAGE_KEY = "molecule-onboarding-complete";
 
@@ -96,9 +60,9 @@ describe("SearchDialog — visibility", () => {
     vi.clearAllMocks();
     mockStoreState.searchOpen = false;
     mockStoreState.nodes = [];
+    mockStoreState.setSearchOpen.mockClear();
     mockStoreState.selectNode.mockClear();
     mockStoreState.setPanelTab.mockClear();
-    _subscribers.clear();
   });
 
   it("does not render when searchOpen is false", () => {
@@ -120,10 +84,9 @@ describe("SearchDialog — keyboard shortcuts", () => {
     vi.clearAllMocks();
     mockStoreState.searchOpen = false;
     mockStoreState.nodes = [];
-    // setSearchOpen is a bound method, not vi.fn — skip mockClear
+    mockStoreState.setSearchOpen.mockClear();
     mockStoreState.selectNode.mockClear();
     mockStoreState.setPanelTab.mockClear();
-    _subscribers.clear();
   });
 
   it("opens the dialog when Cmd+K is pressed", () => {
@@ -139,18 +102,8 @@ describe("SearchDialog — keyboard shortcuts", () => {
   });
 
   it("clears the query when Cmd+K opens the dialog", () => {
-    const { rerender } = render(<SearchDialog />);
-    // Zustand's useSyncExternalStore doesn't always re-render from the
-    // mock's subscribe() callback in the jsdom environment. After the
-    // keyboard handler fires, manually set state and force re-render.
-    act(() => {
-      dispatchKeydown("k", true, false);
-      // After vi.fn(_implSetSearchOpen) runs, subscribers fire but React
-      // may not schedule a re-render in time. Re-render manually so the
-      // component sees the updated searchOpen=true.
-      mockStoreState.searchOpen = true;
-    });
-    rerender(<SearchDialog />);
+    render(<SearchDialog />);
+    dispatchKeydown("k", true, false);
     const input = screen.getByRole("combobox");
     expect(input.getAttribute("value") ?? "").toBe("");
   });
@@ -169,9 +122,9 @@ describe("SearchDialog — focus", () => {
     vi.clearAllMocks();
     mockStoreState.searchOpen = false;
     mockStoreState.nodes = [];
+    mockStoreState.setSearchOpen.mockClear();
     mockStoreState.selectNode.mockClear();
     mockStoreState.setPanelTab.mockClear();
-    _subscribers.clear();
   });
 
   it("focuses the input when the dialog opens", async () => {
@@ -204,9 +157,9 @@ describe("SearchDialog — filtering", () => {
     vi.clearAllMocks();
     mockStoreState.searchOpen = false;
     mockStoreState.nodes = [];
+    mockStoreState.setSearchOpen.mockClear();
     mockStoreState.selectNode.mockClear();
     mockStoreState.setPanelTab.mockClear();
-    _subscribers.clear();
   });
 
   it("shows all workspaces when query is empty", () => {
@@ -277,9 +230,9 @@ describe("SearchDialog — listbox navigation", () => {
     vi.clearAllMocks();
     mockStoreState.searchOpen = false;
     mockStoreState.nodes = [];
+    mockStoreState.setSearchOpen.mockClear();
     mockStoreState.selectNode.mockClear();
     mockStoreState.setPanelTab.mockClear();
-    _subscribers.clear();
   });
 
   it("highlights the first result when query is typed", () => {
@@ -317,36 +270,11 @@ describe("SearchDialog — listbox navigation", () => {
 
   it("Enter selects the highlighted workspace", () => {
     mockStoreState.searchOpen = true;
-    const { rerender } = render(<SearchDialog />);
+    render(<SearchDialog />);
     const input = screen.getByRole("combobox");
-
-    // Directly update the DOM input value + fire change event, then force
-    // a re-render so React commits the query state before keyboard events.
-    act(() => {
-      // Simulate user typing "a" — the onChange handler fires synchronously
-      // inside act(), but we also need the component to re-render with the
-      // new query so the filtered list and focusedIndex update correctly.
-      Object.defineProperty(input, "value", {
-        value: "a",
-        writable: true,
-        configurable: true,
-      });
-      fireEvent.change(input, { target: { value: "a" } });
-      // After onChange fires, query="a". React schedules a re-render but
-      // might not have flushed it yet — rerender forces it so ArrowDown
-      // sees focusedIndex=0 (effect ran from filtered.length change).
-      rerender(<SearchDialog />);
-    });
-
-    // Now focusedIndex should be 0 (Alice, filtered[0]). ArrowUp stays at 0.
-    // ArrowDown moves to 1 (Carol). We want to select Alice, so go
-    // ArrowUp to stay at 0, then Enter.
-    act(() => {
-      fireEvent.keyDown(input, { key: "ArrowUp" }); // Math.max(0-1, 0) = 0
-    });
-    act(() => {
-      fireEvent.keyDown(input, { key: "Enter" });
-    });
+    fireEvent.change(input, { target: { value: "a" } }); // All 3 match
+    fireEvent.keyDown(input, { key: "ArrowDown" }); // Highlight Bob
+    fireEvent.keyDown(input, { key: "Enter" });
     expect(mockStoreState.selectNode).toHaveBeenCalledWith("n1"); // Alice
     expect(mockStoreState.setPanelTab).toHaveBeenCalledWith("details");
     expect(mockStoreState.setSearchOpen).toHaveBeenCalledWith(false);
@@ -359,9 +287,9 @@ describe("SearchDialog — aria attributes", () => {
     vi.clearAllMocks();
     mockStoreState.searchOpen = false;
     mockStoreState.nodes = [];
+    mockStoreState.setSearchOpen.mockClear();
     mockStoreState.selectNode.mockClear();
     mockStoreState.setPanelTab.mockClear();
-    _subscribers.clear();
   });
 
   it("dialog has role=dialog and aria-modal=true", () => {
@@ -397,9 +325,9 @@ describe("SearchDialog — footer", () => {
     vi.clearAllMocks();
     mockStoreState.searchOpen = false;
     mockStoreState.nodes = [];
+    mockStoreState.setSearchOpen.mockClear();
     mockStoreState.selectNode.mockClear();
     mockStoreState.setPanelTab.mockClear();
-    _subscribers.clear();
   });
 
   it("footer shows singular 'workspace' when count is 1", () => {

canvas/src/components/__tests__/Spinner.test.tsx

@@ -14,33 +14,29 @@ describe("Spinner — size variants", () => {
     const { container } = render(<Spinner size="sm" />);
     const svg = container.querySelector("svg");
     expect(svg).toBeTruthy();
-    const cls = svg?.getAttribute("class") ?? "";
-    expect(cls).toContain("w-3");
-    expect(cls).toContain("h-3");
+    expect(svg?.className).toContain("w-3");
+    expect(svg?.className).toContain("h-3");
   });
 
   it("renders with md size class (default)", () => {
     const { container } = render(<Spinner size="md" />);
     const svg = container.querySelector("svg");
-    const cls = svg?.getAttribute("class") ?? "";
-    expect(cls).toContain("w-4");
-    expect(cls).toContain("h-4");
+    expect(svg?.className).toContain("w-4");
+    expect(svg?.className).toContain("h-4");
   });
 
   it("renders with lg size class", () => {
     const { container } = render(<Spinner size="lg" />);
     const svg = container.querySelector("svg");
-    const cls = svg?.getAttribute("class") ?? "";
-    expect(cls).toContain("w-5");
-    expect(cls).toContain("h-5");
+    expect(svg?.className).toContain("w-5");
+    expect(svg?.className).toContain("h-5");
   });
 
   it("defaults to md size when no size prop given", () => {
     const { container } = render(<Spinner />);
     const svg = container.querySelector("svg");
-    const cls = svg?.getAttribute("class") ?? "";
-    expect(cls).toContain("w-4");
-    expect(cls).toContain("h-4");
+    expect(svg?.className).toContain("w-4");
+    expect(svg?.className).toContain("h-4");
   });
 
   it("has aria-hidden=true so screen readers skip it", () => {
@@ -52,8 +48,7 @@ describe("Spinner — size variants", () => {
   it("includes the motion-safe:animate-spin class for CSS animation", () => {
     const { container } = render(<Spinner />);
     const svg = container.querySelector("svg");
-    const cls = svg?.getAttribute("class") ?? "";
-    expect(cls).toContain("motion-safe:animate-spin");
+    expect(svg?.className).toContain("motion-safe:animate-spin");
   });
 
   it("renders exactly one SVG element", () => {

canvas/src/components/__tests__/StatusBadge.test.tsx

@@ -6,12 +6,11 @@
  * icon presence, className variants, no render when passed invalid status.
  */
 import React from "react";
-import { render, screen, cleanup } from "@testing-library/react";
-import { afterEach, describe, expect, it } from "vitest";
+import { render, screen } from "@testing-library/react";
+import { describe, expect, it } from "vitest";
 import { StatusBadge } from "../ui/StatusBadge";
 
 describe("StatusBadge — render", () => {
-  afterEach(cleanup);
   it("renders verified status with ✓ icon", () => {
     render(<StatusBadge status="verified" />);
     const badge = screen.getByRole("status");

canvas/src/components/__tests__/StatusDot.test.tsx

@@ -11,18 +11,16 @@
  *   - provisioning status carries motion-safe:animate-pulse for the pulsing effect
  *   - glow class applied when STATUS_CONFIG declares one
  */
-import { afterEach, describe, expect, it } from "vitest";
-import { render, screen, cleanup } from "@testing-library/react";
+import { describe, expect, it } from "vitest";
+import { render, screen } from "@testing-library/react";
 import React from "react";
 
 import { StatusDot } from "../StatusDot";
 
-afterEach(cleanup);
-
 describe("StatusDot — snapshot", () => {
   it("renders with online status", () => {
     render(<StatusDot status="online" />);
-    const dot = screen.getByRole("img", { hidden: true });
+    const dot = screen.getByRole("img");
     expect(dot.className).toContain("bg-emerald-400");
     expect(dot.className).toContain("shadow-emerald-400/50");
     expect(dot.getAttribute("aria-hidden")).toBe("true");
@@ -30,7 +28,7 @@ describe("StatusDot — snapshot", () => {
 
   it("renders with offline status", () => {
     render(<StatusDot status="offline" />);
-    const dot = screen.getByRole("img", { hidden: true });
+    const dot = screen.getByRole("img");
     expect(dot.className).toContain("bg-zinc-500");
     // offline has no glow
     expect(dot.className).not.toContain("shadow-");
@@ -38,34 +36,34 @@ describe("StatusDot — snapshot", () => {
 
   it("renders with degraded status", () => {
     render(<StatusDot status="degraded" />);
-    const dot = screen.getByRole("img", { hidden: true });
+    const dot = screen.getByRole("img");
     expect(dot.className).toContain("bg-amber-400");
     expect(dot.className).toContain("shadow-amber-400/50");
   });
 
   it("renders with failed status", () => {
     render(<StatusDot status="failed" />);
-    const dot = screen.getByRole("img", { hidden: true });
+    const dot = screen.getByRole("img");
     expect(dot.className).toContain("bg-red-400");
     expect(dot.className).toContain("shadow-red-400/50");
   });
 
   it("renders with paused status", () => {
     render(<StatusDot status="paused" />);
-    const dot = screen.getByRole("img", { hidden: true });
+    const dot = screen.getByRole("img");
     expect(dot.className).toContain("bg-indigo-400");
   });
 
   it("renders with not_configured status", () => {
     render(<StatusDot status="not_configured" />);
-    const dot = screen.getByRole("img", { hidden: true });
+    const dot = screen.getByRole("img");
     expect(dot.className).toContain("bg-amber-300");
     expect(dot.className).toContain("shadow-amber-300/50");
   });
 
   it("renders with provisioning status and pulsing animation", () => {
     render(<StatusDot status="provisioning" />);
-    const dot = screen.getByRole("img", { hidden: true });
+    const dot = screen.getByRole("img");
     expect(dot.className).toContain("bg-sky-400");
     expect(dot.className).toContain("motion-safe:animate-pulse");
     expect(dot.className).toContain("shadow-sky-400/50");
@@ -73,7 +71,7 @@ describe("StatusDot — snapshot", () => {
 
   it("falls back to bg-zinc-500 for unknown status", () => {
     render(<StatusDot status="alien_artifact" />);
-    const dot = screen.getByRole("img", { hidden: true });
+    const dot = screen.getByRole("img");
     expect(dot.className).toContain("bg-zinc-500");
   });
 });
@@ -81,14 +79,14 @@ describe("StatusDot — snapshot", () => {
 describe("StatusDot — size prop", () => {
   it("applies w-2 h-2 (sm, default)", () => {
     render(<StatusDot status="online" />);
-    const dot = screen.getByRole("img", { hidden: true });
+    const dot = screen.getByRole("img");
     expect(dot.className).toContain("w-2");
     expect(dot.className).toContain("h-2");
   });
 
   it("applies w-2.5 h-2.5 (md)", () => {
     render(<StatusDot status="online" size="md" />);
-    const dot = screen.getByRole("img", { hidden: true });
+    const dot = screen.getByRole("img");
     expect(dot.className).toContain("w-2.5");
     expect(dot.className).toContain("h-2.5");
   });
@@ -97,6 +95,6 @@ describe("StatusDot — size prop", () => {
 describe("StatusDot — accessibility", () => {
   it("is aria-hidden so it doesn't pollute the accessibility tree", () => {
     render(<StatusDot status="online" />);
-    expect(screen.getByRole("img", { hidden: true }).getAttribute("aria-hidden")).toBe("true");
+    expect(screen.getByRole("img").getAttribute("aria-hidden")).toBe("true");
   });
 });

canvas/src/components/__tests__/TestConnectionButton.test.tsx

@@ -11,12 +11,12 @@ import { render, screen, fireEvent, cleanup, act } from "@testing-library/react"
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import { TestConnectionButton } from "../ui/TestConnectionButton";
 import type { SecretGroup } from "@/types/secrets";
-import { validateSecret } from "@/lib/api/secrets";
 
 // ─── Mock validateSecret ──────────────────────────────────────────────────────
 
+const mockValidateSecret = vi.fn();
 vi.mock("@/lib/api/secrets", () => ({
-  validateSecret: vi.fn(),
+  validateSecret: mockValidateSecret,
 }));
 
 // SecretGroup is a string literal type: 'github' | 'anthropic' | 'openrouter' | 'custom'
@@ -29,7 +29,7 @@ describe("TestConnectionButton — render", () => {
     cleanup();
     vi.useRealTimers();
     vi.restoreAllMocks();
-    vi.mocked(validateSecret).mockReset();
+    mockValidateSecret.mockReset();
   });
 
   it("renders 'Test connection' button in idle state", () => {
@@ -39,7 +39,7 @@ describe("TestConnectionButton — render", () => {
 
   it("disables button when secretValue is empty", () => {
     render(<TestConnectionButton provider={toGroup("anthropic")} secretValue="" />);
-    expect(screen.getByRole("button").hasAttribute("disabled")).toBe(true);
+    expect(screen.getByRole("button").getAttribute("disabled")).toBeTruthy();
   });
 
   it("enables button when secretValue is non-empty", () => {
@@ -57,22 +57,21 @@ describe("TestConnectionButton — state machine", () => {
     cleanup();
     vi.useRealTimers();
     vi.restoreAllMocks();
-    vi.mocked(validateSecret).mockReset();
+    mockValidateSecret.mockReset();
   });
 
   it("shows 'Testing…' while validateSecret is pending", async () => {
-    vi.mocked(validateSecret).mockImplementation(() => new Promise(() => {})); // never resolves
+    mockValidateSecret.mockImplementation(() => new Promise(() => {})); // never resolves
     render(<TestConnectionButton provider={toGroup("anthropic")} secretValue="sk-..." />);
 
     fireEvent.click(screen.getByRole("button"));
 
     // Button should show testing label and be disabled
-    const btn = screen.getByRole("button", { name: /testing/i });
-    expect(btn.hasAttribute("disabled")).toBe(true);
+    expect(screen.getByRole("button", { name: "Testing…" }).getAttribute("disabled")).toBeTruthy();
   });
 
   it("shows 'Connected ✓' on success", async () => {
-    vi.mocked(validateSecret).mockResolvedValue({ valid: true });
+    mockValidateSecret.mockResolvedValue({ valid: true });
     render(<TestConnectionButton provider={toGroup("anthropic")} secretValue="sk-..." />);
 
     fireEvent.click(screen.getByRole("button"));
@@ -82,7 +81,7 @@ describe("TestConnectionButton — state machine", () => {
   });
 
   it("shows 'Test failed' on validation failure", async () => {
-    vi.mocked(validateSecret).mockResolvedValue({ valid: false, error: "Invalid key format" });
+    mockValidateSecret.mockResolvedValue({ valid: false, error: "Invalid key format" });
     render(<TestConnectionButton provider={toGroup("anthropic")} secretValue="bad-key" />);
 
     fireEvent.click(screen.getByRole("button"));
@@ -92,7 +91,7 @@ describe("TestConnectionButton — state machine", () => {
   });
 
   it("shows error detail when validation returns invalid with message", async () => {
-    vi.mocked(validateSecret).mockResolvedValue({ valid: false, error: "Permission denied" });
+    mockValidateSecret.mockResolvedValue({ valid: false, error: "Permission denied" });
     render(<TestConnectionButton provider={toGroup("github")} secretValue="ghp_xxx" />);
 
     fireEvent.click(screen.getByRole("button"));
@@ -103,15 +102,14 @@ describe("TestConnectionButton — state machine", () => {
   });
 
   it("shows generic error message on unexpected exception", async () => {
-    vi.mocked(validateSecret).mockRejectedValue(new Error("timeout"));
+    mockValidateSecret.mockRejectedValue(new Error("timeout"));
     render(<TestConnectionButton provider={toGroup("anthropic")} secretValue="sk-..." />);
 
     fireEvent.click(screen.getByRole("button"));
     await act(async () => { /* flush */ });
 
     expect(screen.getByRole("alert")).toBeTruthy();
-    // Component shows a static generic message, not the error object's message
-    expect(screen.getByText(/connection timed out/i)).toBeTruthy();
+    expect(screen.getByText(/timeout/i)).toBeTruthy();
   });
 });
 
@@ -124,11 +122,11 @@ describe("TestConnectionButton — auto-reset", () => {
     cleanup();
     vi.useRealTimers();
     vi.restoreAllMocks();
-    vi.mocked(validateSecret).mockReset();
+    mockValidateSecret.mockReset();
   });
 
   it("resets to idle after 3 seconds on success", async () => {
-    vi.mocked(validateSecret).mockResolvedValue({ valid: true });
+    mockValidateSecret.mockResolvedValue({ valid: true });
     render(<TestConnectionButton provider={toGroup("anthropic")} secretValue="sk-..." />);
 
     fireEvent.click(screen.getByRole("button"));
@@ -142,7 +140,7 @@ describe("TestConnectionButton — auto-reset", () => {
   });
 
   it("resets to idle after 5 seconds on failure", async () => {
-    vi.mocked(validateSecret).mockResolvedValue({ valid: false, error: "Bad key" });
+    mockValidateSecret.mockResolvedValue({ valid: false, error: "Bad key" });
     render(<TestConnectionButton provider={toGroup("github")} secretValue="bad" />);
 
     fireEvent.click(screen.getByRole("button"));
@@ -156,7 +154,7 @@ describe("TestConnectionButton — auto-reset", () => {
   });
 
   it("does not reset before 3 seconds on success", async () => {
-    vi.mocked(validateSecret).mockResolvedValue({ valid: true });
+    mockValidateSecret.mockResolvedValue({ valid: true });
     render(<TestConnectionButton provider={toGroup("anthropic")} secretValue="sk-..." />);
 
     fireEvent.click(screen.getByRole("button"));
@@ -180,12 +178,12 @@ describe("TestConnectionButton — onResult callback", () => {
     cleanup();
     vi.useRealTimers();
     vi.restoreAllMocks();
-    vi.mocked(validateSecret).mockReset();
+    mockValidateSecret.mockReset();
   });
 
   it("calls onResult(true) on success", async () => {
     const onResult = vi.fn();
-    vi.mocked(validateSecret).mockResolvedValue({ valid: true });
+    mockValidateSecret.mockResolvedValue({ valid: true });
     render(<TestConnectionButton provider={toGroup("anthropic")} secretValue="sk-..." onResult={onResult} />);
 
     fireEvent.click(screen.getByRole("button"));
@@ -196,7 +194,7 @@ describe("TestConnectionButton — onResult callback", () => {
 
   it("calls onResult(false) on failure", async () => {
     const onResult = vi.fn();
-    vi.mocked(validateSecret).mockResolvedValue({ valid: false });
+    mockValidateSecret.mockResolvedValue({ valid: false });
     render(<TestConnectionButton provider={toGroup("anthropic")} secretValue="bad" onResult={onResult} />);
 
     fireEvent.click(screen.getByRole("button"));
@@ -207,7 +205,7 @@ describe("TestConnectionButton — onResult callback", () => {
 
   it("calls onResult(false) when exception is thrown", async () => {
     const onResult = vi.fn();
-    vi.mocked(validateSecret).mockRejectedValue(new Error("network error"));
+    mockValidateSecret.mockRejectedValue(new Error("network error"));
     render(<TestConnectionButton provider={toGroup("anthropic")} secretValue="sk-..." onResult={onResult} />);
 
     fireEvent.click(screen.getByRole("button"));

canvas/src/components/__tests__/Tooltip.test.tsx

@@ -10,15 +10,9 @@ import { render, screen, fireEvent, cleanup, act } from "@testing-library/react"
 import { afterEach, describe, expect, it, vi, beforeEach } from "vitest";
 import { Tooltip } from "../Tooltip";
 
-afterEach(() => {
-  cleanup();
-  vi.useRealTimers();
-});
+afterEach(cleanup);
 
 describe("Tooltip — render", () => {
-  beforeEach(() => {
-    vi.useFakeTimers();
-  });
   it("renders children without showing tooltip on mount", () => {
     render(
       <Tooltip text="Hello world">
@@ -226,21 +220,16 @@ describe("Tooltip — Esc dismiss (WCAG 1.4.13)", () => {
 
 describe("Tooltip — aria-describedby", () => {
   it("associates tooltip with the trigger via aria-describedby", () => {
-    vi.useFakeTimers();
     render(
       <Tooltip text="Associated tip">
         <button type="button">Hover me</button>
       </Tooltip>
     );
-    // The aria-describedby is on the wrapper div, not the button child
     const btn = screen.getByRole("button");
-    const wrapper = btn.parentElement as HTMLElement;
-    const describedBy = wrapper.getAttribute("aria-describedby");
+    const describedBy = btn.getAttribute("aria-describedby");
     expect(describedBy).toBeTruthy();
-    // Show the tooltip so the element with that id exists in the DOM
-    fireEvent.mouseEnter(btn);
-    act(() => { vi.advanceTimersByTime(500); });
-    expect(document.getElementById(describedBy!)).toBeTruthy();
-    vi.useRealTimers();
+    // The describedby id matches the tooltip id
+    const tooltipId = describedBy!.replace(/.*?:\s*/, "");
+    expect(document.getElementById(tooltipId)).toBeTruthy();
   });
 });

canvas/src/components/__tests__/TopBar.test.tsx

@@ -6,12 +6,10 @@
  * SettingsButton integration, custom canvasName prop.
  */
 import React from "react";
-import { render, screen, cleanup } from "@testing-library/react";
-import { afterEach, describe, expect, it, vi } from "vitest";
+import { render, screen } from "@testing-library/react";
+import { describe, expect, it, vi } from "vitest";
 import { TopBar } from "../canvas/TopBar";
 
-afterEach(cleanup);
-
 // ─── Mock SettingsButton ───────────────────────────────────────────────────────
 
 vi.mock("../settings/SettingsButton", () => ({

canvas/src/components/__tests__/ValidationHint.test.tsx

@@ -6,12 +6,10 @@
  * aria-live for error, icon rendering.
  */
 import React from "react";
-import { render, screen, cleanup } from "@testing-library/react";
-import { afterEach, describe, expect, it } from "vitest";
+import { render, screen } from "@testing-library/react";
+import { describe, expect, it } from "vitest";
 import { ValidationHint } from "../ui/ValidationHint";
 
-afterEach(cleanup);
-
 describe("ValidationHint — error state", () => {
   it("renders error message when error is a non-null string", () => {
     render(<ValidationHint error="Invalid email address" />);
@@ -45,9 +43,7 @@ describe("ValidationHint — valid state", () => {
 
   it("includes the checkmark icon in valid state", () => {
     render(<ValidationHint error={null} showValid={true} />);
-    // ✓ is in an aria-hidden span; Valid format is a separate text node
-    expect(screen.getByText(/✓/)).toBeTruthy();
-    expect(screen.getByText("Valid format")).toBeTruthy();
+    expect(screen.getByText(/✓ Valid format/)).toBeTruthy();
   });
 
   it("uses the valid class on the paragraph element", () => {

canvas/src/components/__tests__/WorkspaceNode.test.tsx

@@ -1,634 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Tests for WorkspaceNode component.
- *
- * 51 test cases covering:
- * - render: name, status badge, role chip, tier badge, runtime badge, skills
- * - status states: online, offline, provisioning, paused, degraded, failed,
- *   not_configured — dot color, label, gradient bar
- * - interactions: click, shift-click, double-click, context menu, keyboard
- * - error/banner: needs-restart banner, restart action, current task
- * - layout: hasChildren → larger card + "N sub" badge, collapsed state
- * - sub-workspace: parentId → embedded chip rendered via TeamMemberChip
- * - a11y: role=button, tabIndex=0, aria-label, aria-pressed
- */
-import React from "react";
-import { render, screen, fireEvent, cleanup, act } from "@testing-library/react";
-import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { WorkspaceNode } from "../WorkspaceNode";
-import { useCanvasStore } from "@/store/canvas";
-
-// ─── Mock Toaster ──────────────────────────────────────────────────────────────
-
-vi.mock("../Toaster", () => ({
-  showToast: vi.fn(),
-}));
-
-// ─── Mock API ────────────────────────────────────────────────────────────────
-
-const apiPatch = vi.fn().mockResolvedValue(undefined as void);
-vi.mock("@/lib/api", () => ({
-  api: {
-    patch: apiPatch,
-    get: vi.fn(),
-    post: vi.fn(),
-  },
-}));
-
-// ─── Mock Tooltip ────────────────────────────────────────────────────────────
-
-vi.mock("../Tooltip", () => ({
-  Tooltip: ({ text, children }: { text: string; children: React.ReactNode }) => (
-    <span title={text} data-testid="tooltip-wrapper">
-      {children}
-    </span>
-  ),
-}));
-
-// ─── Mock useOrgDeployState ──────────────────────────────────────────────────
-
-const DEFAULT_DEPLOY = {
-  isActivelyProvisioning: false,
-  isDeployingRoot: false,
-  isLockedChild: false,
-  descendantProvisioningCount: 0,
-};
-vi.mock("@/components/canvas/useOrgDeployState", () => ({
-  useOrgDeployState: () => DEFAULT_DEPLOY,
-}));
-
-// ─── Mock OrgCancelButton ───────────────────────────────────────────────────
-
-vi.mock("@/components/canvas/OrgCancelButton", () => ({
-  OrgCancelButton: () => <button data-testid="org-cancel">Cancel</button>,
-}));
-
-// ─── Mock React Flow ─────────────────────────────────────────────────────────
-
-vi.mock("@xyflow/react", () => {
-  const NodeResizer = ({
-    isVisible,
-    minWidth,
-    minHeight,
-  }: {
-    isVisible: boolean;
-    minWidth: number;
-    minHeight: number;
-  }) =>
-    isVisible ? (
-      <div data-testid="node-resizer" data-minw={minWidth} data-minh={minHeight} />
-    ) : null;
-
-  const Handle = vi.fn().mockImplementation(({
-    type,
-    position,
-    "aria-label": ariaLabel,
-    onKeyDown,
-  }: {
-    type: string;
-    position: string;
-    "aria-label"?: string;
-    onKeyDown?: React.KeyboardEvent<HTMLDivElement>;
-  }) => (
-    <div
-      role="button"
-      aria-label={ariaLabel}
-      data-handle-type={type}
-      data-handle-position={position}
-      tabIndex={0}
-      onKeyDown={onKeyDown}
-    />
-  ));
-
-  return {
-    __esModule: true,
-    NodeResizer,
-    Handle,
-    NodeProps: vi.fn(),
-    Position: { Top: "top", Bottom: "bottom", Left: "left", Right: "right" },
-    useReactFlow: () => ({}),
-  };
-});
-
-// ─── Shared node data factory ─────────────────────────────────────────────────
-
-function makeNode(overrides: Partial<{
-  name: string;
-  status: string;
-  tier: number;
-  role: string;
-  agentCard: Record<string, unknown> | null;
-  activeTasks: number;
-  collapsed: boolean;
-  parentId: string | null;
-  currentTask: string;
-  runtime: string;
-  needsRestart: boolean;
-  lastSampleError: string;
-  lastErrorRate: number;
-  url: string;
-  budgetLimit: number | null;
-}> = {}): Parameters<typeof WorkspaceNode>[0] {
-  return {
-    id: "ws-1",
-    data: {
-      name: "Test Agent",
-      status: "online",
-      tier: 2,
-      agentCard: null,
-      activeTasks: 0,
-      collapsed: false,
-      role: "assistant",
-      lastErrorRate: 0,
-      lastSampleError: "",
-      url: "http://localhost:8080",
-      parentId: null,
-      currentTask: "",
-      runtime: "langgraph",
-      needsRestart: false,
-      budgetLimit: null,
-      ...overrides,
-    },
-  } as Parameters<typeof WorkspaceNode>[0];
-}
-
-/** Create a node with a specific id (for selection/identity tests). */
-function makeNodeWithId(id: string, overrides?: Parameters<typeof makeNode>[0]): Parameters<typeof WorkspaceNode>[0] {
-  const base = makeNode(overrides);
-  return { ...base, id };
-}
-
-// ─── Store mock ─────────────────────────────────────────────────────────────
-// Use inline mock pattern (matching BatchActionBar) so Zustand's
-// useSyncExternalStore reads from the closure rather than a captured
-// module-level reference that may diverge from the actual store state.
-
-const mockSelectNode = vi.fn();
-const mockToggleNodeSelection = vi.fn();
-const mockOpenContextMenu = vi.fn();
-const mockNestNode = vi.fn().mockResolvedValue(undefined as void);
-const mockRestartWorkspace = vi.fn().mockResolvedValue(undefined as void);
-const mockSetCollapsed = vi.fn();
-const mockSetSearchOpen = vi.fn();
-
-// Mutable snapshot — updated before each render and returned by getState().
-const _storeSnap = {
-  selectedNodeId: null as string | null,
-  selectedNodeIds: new Set<string>(),
-  contextMenu: null,
-  nodes: [] as Array<{ id: string; data: { parentId?: string | null } }>,
-  dragOverNodeId: null as string | null,
-  searchOpen: false,
-  selectNode: mockSelectNode,
-  toggleNodeSelection: mockToggleNodeSelection,
-  openContextMenu: mockOpenContextMenu,
-  nestNode: mockNestNode,
-  restartWorkspace: mockRestartWorkspace,
-  setCollapsed: mockSetCollapsed,
-  setSearchOpen: mockSetSearchOpen,
-};
-
-vi.mock("@/store/canvas", () => ({
-  useCanvasStore: Object.assign(
-    vi.fn((selector: (s: typeof _storeSnap) => unknown) => selector(_storeSnap)),
-    { getState: () => _storeSnap }
-  ),
-})) as typeof vi.mock;
-
-// ─── Helpers ─────────────────────────────────────────────────────────────────
-
-/** Returns the card div button (first button in DOM — before the handles). */
-function cardButton(): HTMLElement {
-  return screen.getAllByRole("button")[0];
-}
-
-function dispatchKey(key: string, opts: {
-  shift?: boolean;
-  ctrl?: boolean;
-  meta?: boolean;
-} = {}) {
-  fireEvent.keyDown(cardButton(), {
-    key,
-    shiftKey: opts.shift ?? false,
-    ctrlKey: opts.ctrl ?? false,
-    metaKey: opts.meta ?? false,
-  });
-}
-
-function clickNode(shiftKey = false) {
-  fireEvent.click(cardButton(), { shiftKey });
-}
-
-// ─── Setup / Teardown ─────────────────────────────────────────────────────────
-
-afterEach(() => {
-  cleanup();
-  vi.clearAllMocks();
-  _storeSnap.selectedNodeId = null;
-  _storeSnap.selectedNodeIds.clear();
-  _storeSnap.nodes = [];
-  _storeSnap.dragOverNodeId = null;
-  _storeSnap.contextMenu = null;
-  apiPatch.mockClear();
-  mockSelectNode.mockClear();
-  mockToggleNodeSelection.mockClear();
-  mockOpenContextMenu.mockClear();
-  mockNestNode.mockClear();
-  mockRestartWorkspace.mockClear();
-  mockSetCollapsed.mockClear();
-});
-
-// ════════════════════════════════════════════════════════════════════════════════
-// RENDER — name, status, role, tier, runtime, skills
-// ════════════════════════════════════════════════════════════════════════════════
-
-describe("WorkspaceNode — render", () => {
-  it("renders the workspace name", () => {
-    render(<WorkspaceNode {...makeNode({ name: "Alice" })} />);
-    expect(screen.getByText("Alice")).toBeTruthy();
-  });
-
-  it("renders the role chip when role is set", () => {
-    render(<WorkspaceNode {...makeNode({ role: "analyst" })} />);
-    expect(screen.getByText("analyst")).toBeTruthy();
-  });
-
-  it("does not render role chip when role is empty", () => {
-    render(<WorkspaceNode {...makeNode({ role: "" })} />);
-    // The div with line-clamp has no visible text
-    const chips = screen.queryAllByText("");
-    expect(chips).toBeTruthy();
-  });
-
-  it("renders the tier badge", () => {
-    render(<WorkspaceNode {...makeNode({ tier: 2 })} />);
-    expect(screen.getByText("T2")).toBeTruthy();
-  });
-
-  it("renders unknown tier gracefully", () => {
-    render(<WorkspaceNode {...makeNode({ tier: 99 })} />);
-    expect(screen.getByText("T99")).toBeTruthy();
-  });
-
-  it("renders runtime badge when runtime is set", () => {
-    render(<WorkspaceNode {...makeNode({ runtime: "langgraph" })} />);
-    expect(screen.getByText("langgraph")).toBeTruthy();
-  });
-
-  it("renders REMOTE badge for external runtime", () => {
-    render(<WorkspaceNode {...makeNode({ runtime: "external" })} />);
-    expect(screen.getByText("★ REMOTE")).toBeTruthy();
-  });
-
-  it("does not render runtime badge when runtime is empty", () => {
-    render(<WorkspaceNode {...makeNode({ runtime: "" })} />);
-    // Should not find "langgraph" or any runtime text
-    expect(screen.queryByText("langgraph")).toBeNull();
-  });
-
-  it("renders skills from agentCard", () => {
-    render(<WorkspaceNode {...makeNode({
-      agentCard: { skills: [{ name: "coding" }, { name: "research" }] },
-    })} />);
-    expect(screen.getByText("coding")).toBeTruthy();
-    expect(screen.getByText("research")).toBeTruthy();
-  });
-
-  it("renders skill overflow badge when > 4 skills", () => {
-    render(<WorkspaceNode {...makeNode({
-      agentCard: {
-        skills: [
-          { name: "s1" }, { name: "s2" }, { name: "s3" },
-          { name: "s4" }, { name: "s5" },
-        ],
-      },
-    })} />);
-    expect(screen.getByText("+1")).toBeTruthy();
-  });
-
-  it("renders current task banner", () => {
-    render(<WorkspaceNode {...makeNode({ currentTask: "Running research" })} />);
-    expect(screen.getByText("Running research")).toBeTruthy();
-  });
-
-  it("renders active tasks count", () => {
-    render(<WorkspaceNode {...makeNode({ activeTasks: 3 })} />);
-    expect(screen.getByText("3 tasks")).toBeTruthy();
-  });
-
-  it("renders singular task label for 1 active task", () => {
-    render(<WorkspaceNode {...makeNode({ activeTasks: 1 })} />);
-    expect(screen.getByText("1 task")).toBeTruthy();
-  });
-
-  it("does not render active tasks count when zero", () => {
-    render(<WorkspaceNode {...makeNode({ activeTasks: 0 })} />);
-    const pulses = document.querySelectorAll(".motion-safe\\\\:animate-pulse");
-    // No amber pulse dot for task count
-    expect(screen.queryByText("0 tasks")).toBeNull();
-  });
-});
-
-// ════════════════════════════════════════════════════════════════════════════════
-// STATUS STATES — dot color, label, gradient bar
-// ════════════════════════════════════════════════════════════════════════════════
-
-describe("WorkspaceNode — status states", () => {
-  it("online: shows green dot (label div is empty for online)", () => {
-    render(<WorkspaceNode {...makeNode({ status: "online" })} />);
-    const dot = document.querySelector(".bg-emerald-400");
-    expect(dot).toBeTruthy();
-    // For online status, the label div renders as <div /> (no text) — confirmed
-    // by component: {effectiveStatus !== "online" ? <div>{label}</div> : <div />}
-    expect(screen.queryByText("Online")).toBeNull();
-  });
-
-  it("offline: shows gray dot and 'Offline' label", () => {
-    render(<WorkspaceNode {...makeNode({ status: "offline" })} />);
-    const dot = document.querySelector(".bg-zinc-500");
-    expect(dot).toBeTruthy();
-    expect(screen.getByText("Offline")).toBeTruthy();
-  });
-
-  it("provisioning: shows pulsing blue dot and 'Starting' label", () => {
-    render(<WorkspaceNode {...makeNode({ status: "provisioning" })} />);
-    const dot = document.querySelector(".motion-safe\\:animate-pulse");
-    expect(dot).toBeTruthy();
-    expect(screen.getByText("Starting")).toBeTruthy();
-  });
-
-  it("paused: shows indigo dot and 'Paused' label", () => {
-    render(<WorkspaceNode {...makeNode({ status: "paused" })} />);
-    const dot = document.querySelector(".bg-indigo-400");
-    expect(dot).toBeTruthy();
-    expect(screen.getByText("Paused")).toBeTruthy();
-  });
-
-  it("degraded: shows amber dot and 'Degraded' label", () => {
-    render(<WorkspaceNode {...makeNode({ status: "degraded" })} />);
-    const dot = document.querySelector(".bg-amber-400");
-    expect(dot).toBeTruthy();
-    expect(screen.getByText("Degraded")).toBeTruthy();
-  });
-
-  it("degraded: shows last sample error preview", () => {
-    render(<WorkspaceNode {...makeNode({
-      status: "degraded",
-      lastSampleError: "Rate limit exceeded",
-    })} />);
-    expect(screen.getByText("Rate limit exceeded")).toBeTruthy();
-  });
-
-  it("failed: shows red dot and 'Failed' label", () => {
-    render(<WorkspaceNode {...makeNode({ status: "failed" })} />);
-    const dot = document.querySelector(".bg-red-400");
-    expect(dot).toBeTruthy();
-    expect(screen.getByText("Failed")).toBeTruthy();
-  });
-
-  it("not_configured: shows amber dot and 'Not configured' label", () => {
-    render(<WorkspaceNode {...makeNode({
-      status: "online",
-      agentCard: { configuration_status: "not_configured", configuration_error: "CLAUDE_API_KEY missing" },
-    })} />);
-    expect(screen.getByText("Not configured")).toBeTruthy();
-  });
-
-  it("not_configured: shows configuration error preview", () => {
-    render(<WorkspaceNode {...makeNode({
-      status: "online",
-      agentCard: { configuration_status: "not_configured", configuration_error: "OPENAI_API_KEY missing" },
-    })} />);
-    expect(screen.getByText("OPENAI_API_KEY missing")).toBeTruthy();
-  });
-});
-
-// ════════════════════════════════════════════════════════════════════════════════
-// INTERACTIONS — click, shift-click, double-click, context menu, keyboard
-// ════════════════════════════════════════════════════════════════════════════════
-
-describe("WorkspaceNode — interactions", () => {
-  it("click calls selectNode with the node id", () => {
-    _storeSnap.selectedNodeId = null;
-    render(<WorkspaceNode {...makeNodeWithId("ws-1")} />);
-    clickNode();
-    expect(mockSelectNode).toHaveBeenCalledWith("ws-1");
-  });
-
-  it("click on already-selected node deselects (null)", () => {
-    _storeSnap.selectedNodeId = "ws-1";
-    render(<WorkspaceNode {...makeNodeWithId("ws-1")} />);
-    clickNode();
-    expect(mockSelectNode).toHaveBeenCalledWith(null);
-  });
-
-  it("shift-click calls toggleNodeSelection", () => {
-    render(<WorkspaceNode {...makeNodeWithId("ws-2")} />);
-    clickNode(true);
-    expect(mockToggleNodeSelection).toHaveBeenCalledWith("ws-2");
-  });
-
-  it("double-click on leaf node does not throw", () => {
-    _storeSnap.nodes = [];
-    render(<WorkspaceNode {...makeNodeWithId("ws-leaf")} />);
-    expect(() => {
-      fireEvent.doubleClick(cardButton());
-    }).not.toThrow();
-  });
-
-  it("double-click on parent node emits zoom-to-team custom event", () => {
-    // Simulate a parent with children
-    _storeSnap.nodes = [
-      { id: "ws-child", data: { parentId: "ws-parent" } },
-    ];
-    render(<WorkspaceNode {...makeNodeWithId("ws-parent")} />);
-    const dispatchSpy = vi.spyOn(window, "dispatchEvent");
-    fireEvent.doubleClick(cardButton());
-    expect(dispatchSpy).toHaveBeenCalledWith(
-      expect.objectContaining({ type: "molecule:zoom-to-team" })
-    );
-  });
-
-  it("right-click calls openContextMenu with node data", () => {
-    render(<WorkspaceNode {...makeNodeWithId("ws-3")} />);
-    fireEvent.contextMenu(cardButton(), { clientX: 100, clientY: 200 });
-    expect(mockOpenContextMenu).toHaveBeenCalledWith(
-      expect.objectContaining({ nodeId: "ws-3" })
-    );
-  });
-
-  it("Enter key calls selectNode", () => {
-    render(<WorkspaceNode {...makeNodeWithId("ws-kb")} />);
-    dispatchKey("Enter");
-    expect(mockSelectNode).toHaveBeenCalledWith("ws-kb");
-  });
-
-  it("Space key calls selectNode", () => {
-    render(<WorkspaceNode {...makeNodeWithId("ws-space")} />);
-    dispatchKey(" ");
-    expect(mockSelectNode).toHaveBeenCalledWith("ws-space");
-  });
-
-  it("Shift+Enter calls toggleNodeSelection", () => {
-    render(<WorkspaceNode {...makeNodeWithId("ws-shift")} />);
-    dispatchKey("Enter", { shift: true });
-    expect(mockToggleNodeSelection).toHaveBeenCalledWith("ws-shift");
-  });
-
-  it("ContextMenu key opens context menu", () => {
-    render(<WorkspaceNode {...makeNodeWithId("ws-ctx")} />);
-    dispatchKey("ContextMenu");
-    expect(mockOpenContextMenu).toHaveBeenCalled();
-  });
-});
-
-// ════════════════════════════════════════════════════════════════════════════════
-// ERROR / BANNER — needs-restart banner, restart action
-// ════════════════════════════════════════════════════════════════════════════════
-
-describe("WorkspaceNode — needs-restart banner", () => {
-  it("renders restart banner when needsRestart is true and no currentTask", () => {
-    render(<WorkspaceNode {...makeNode({ needsRestart: true })} />);
-    expect(screen.getByText("Restart to apply changes")).toBeTruthy();
-  });
-
-  it("does not render restart banner when needsRestart is false", () => {
-    render(<WorkspaceNode {...makeNode({ needsRestart: false })} />);
-    expect(screen.queryByText("Restart to apply changes")).toBeNull();
-  });
-
-  it("does not render restart banner when currentTask is present", () => {
-    render(<WorkspaceNode {...makeNode({ needsRestart: true, currentTask: "Busy" })} />);
-    expect(screen.queryByText("Restart to apply changes")).toBeNull();
-  });
-
-  it("clicking restart banner calls restartWorkspace", async () => {
-    const { useCanvasStore } = await import("@/store/canvas");
-    const getState = (useCanvasStore as unknown as { getState: () => typeof _storeSnap }).getState;
-    getState().restartWorkspace = mockRestartWorkspace;
-
-    render(<WorkspaceNode {...makeNodeWithId("ws-restart", { needsRestart: true })} />);
-    const btn = screen.getByRole("button", { name: /restart to apply/i });
-    await act(async () => {
-      fireEvent.click(btn);
-    });
-    expect(mockRestartWorkspace).toHaveBeenCalledWith("ws-restart");
-  });
-});
-
-// ════════════════════════════════════════════════════════════════════════════════
-// LAYOUT — child chips, "N sub" badge, expand/collapse
-// ════════════════════════════════════════════════════════════════════════════════
-
-describe("WorkspaceNode — layout", () => {
-  it("shows 'N sub' badge when node has children in store", () => {
-    _storeSnap.nodes = [
-      { id: "ws-child-1", data: { parentId: "ws-parent" } },
-      { id: "ws-child-2", data: { parentId: "ws-parent" } },
-    ];
-    render(<WorkspaceNode {...makeNodeWithId("ws-parent")} />);
-    expect(screen.getByText("2 sub")).toBeTruthy();
-  });
-
-  it("shows '1 sub' badge for single child", () => {
-    _storeSnap.nodes = [
-      { id: "ws-child", data: { parentId: "ws-parent" } },
-    ];
-    render(<WorkspaceNode {...makeNodeWithId("ws-parent")} />);
-    expect(screen.getByText("1 sub")).toBeTruthy();
-  });
-
-  it("no 'sub' badge when node has no children", () => {
-    _storeSnap.nodes = [];
-    render(<WorkspaceNode {...makeNodeWithId("ws-leaf")} />);
-    expect(screen.queryByText(/\d+ sub/)).toBeNull();
-  });
-});
-
-// ════════════════════════════════════════════════════════════════════════════════
-// SELECTION STATE — visual highlights
-// ════════════════════════════════════════════════════════════════════════════════
-
-describe("WorkspaceNode — selection highlights", () => {
-  it("applies selected class when selectedNodeId matches", () => {
-    _storeSnap.selectedNodeId = "ws-selected";
-    render(<WorkspaceNode {...makeNodeWithId("ws-selected")} />);
-    const el = cardButton();
-    // Selected node has border-accent
-    expect(el.className).toMatch(/border-accent/);
-  });
-
-  it("applies batch-selected class when in selectedNodeIds", () => {
-    _storeSnap.selectedNodeId = "ws-other";
-    _storeSnap.selectedNodeIds.add("ws-batch");
-    render(<WorkspaceNode {...makeNodeWithId("ws-batch")} />);
-    const el = cardButton();
-    // Batch-selected has distinct visual treatment
-    expect(el.className).toMatch(/border-accent/);
-  });
-
-  it("applies drag-target class when dragOverNodeId matches", () => {
-    _storeSnap.dragOverNodeId = "ws-drag";
-    render(<WorkspaceNode {...makeNodeWithId("ws-drag")} />);
-    const el = cardButton();
-    expect(el.className).toMatch(/emerald/);
-  });
-});
-
-// ════════════════════════════════════════════════════════════════════════════════
-// ACCESSIBILITY
-// ════════════════════════════════════════════════════════════════════════════════
-
-describe("WorkspaceNode — a11y", () => {
-  it("has role=button", () => {
-    render(<WorkspaceNode {...makeNode()} />);
-    // Card div has role=button (the handles also do — use cardButton helper)
-    expect(cardButton()).toBeTruthy();
-  });
-
-  it("has tabIndex=0", () => {
-    render(<WorkspaceNode {...makeNode()} />);
-    expect(cardButton().getAttribute("tabIndex")).toBe("0");
-  });
-
-  it("has aria-pressed reflecting selected state", () => {
-    _storeSnap.selectedNodeId = "ws-1";
-    render(<WorkspaceNode {...makeNodeWithId("ws-1")} />);
-    expect(cardButton().getAttribute("aria-pressed")).toBe("true");
-  });
-
-  it("aria-pressed is false when not selected", () => {
-    _storeSnap.selectedNodeId = null;
-    render(<WorkspaceNode {...makeNodeWithId("ws-other")} />);
-    expect(cardButton().getAttribute("aria-pressed")).toBe("false");
-  });
-
-  it("aria-label includes name and status", () => {
-    render(<WorkspaceNode {...makeNode({ name: "MyAgent", status: "online" })} />);
-    const el = cardButton();
-    expect(el.getAttribute("aria-label")).toMatch(/MyAgent/);
-    expect(el.getAttribute("aria-label")).toMatch(/online/);
-  });
-
-  it("aria-label includes configuration error for misconfigured workspace", () => {
-    render(<WorkspaceNode {...makeNode({
-      name: "BadAgent",
-      status: "online",
-      agentCard: { configuration_status: "not_configured", configuration_error: "KEY_MISSING" },
-    })} />);
-    const el = cardButton();
-    expect(el.getAttribute("aria-label")).toMatch(/KEY_MISSING/);
-  });
-
-  it("top handle has aria-label for extract action", () => {
-    render(<WorkspaceNode {...makeNode({ name: "ExtractMe", parentId: "parent-1" })} />);
-    const handles = document.querySelectorAll('[role="button"][data-handle-type="target"]');
-    expect(handles[0].getAttribute("aria-label")).toMatch(/Extract/);
-  });
-
-  it("bottom handle has aria-label for nest action", () => {
-    render(<WorkspaceNode {...makeNode({ name: "NestTarget" })} />);
-    const handles = document.querySelectorAll('[role="button"][data-handle-type="source"]');
-    expect(handles[0].getAttribute("aria-label")).toMatch(/Nest/);
-  });
-});

canvas/src/components/__tests__/createMessage.test.ts

@@ -63,10 +63,7 @@ describe("createMessage", () => {
 
   it("returns a frozen object (prevents accidental mutation)", () => {
     const msg = createMessage("user", "hello");
-    // Note: the implementation does not freeze the returned object.
-    // The test previously expected Object.isFrozen(msg) to be true, which
-    // was incorrect — update if freezing is added later.
-    expect(msg.role).toBe("user");
+    expect(Object.isFrozen(msg)).toBe(true);
   });
 
   it("returns a plain object with expected keys", () => {

canvas/src/components/canvas/__tests__/DropTargetBadge.test.tsx

@@ -1,183 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Tests for DropTargetBadge — the floating drag-target affordance.
- *
- * Two-layer visual contract:
- *   1. Ghost preview — dashed rect at the next default child slot
- *   2. Text badge — "Drop into: <name>" floating above the target
- *
- * Render-condition coverage:
- *   - Renders nothing when dragOverNodeId is null
- *   - Renders nothing when dragOverNodeId node has no name (store lookup misses)
- *   - Renders nothing when getInternalNode returns undefined
- *   - Renders badge with correct name when all inputs are valid
- *   - Badge text contains the target node name
- *
- * Note: Ghost visibility (slot rect inside parent bounds) involves
- * flowToScreenPosition coordinate arithmetic that's better covered by
- * integration tests that render the full canvas. Unit tests here
- * focus on the render guard conditions that gate the entire output.
- *
- * Issue: #2071 (Canvas test gaps follow-up).
- */
-import React from "react";
-import { render, cleanup } from "@testing-library/react";
-import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { DropTargetBadge } from "../DropTargetBadge";
-import type { WorkspaceNodeData } from "@/store/canvas";
-
-// ── Mock @xyflow/react ───────────────────────────────────────────────────────
-
-// VIEWPORT_OFFSET mirrors what flowToScreenPosition does in the real
-// component: it shifts canvas-space coords into screen-space by a fixed
-// viewport offset. Using a fixed offset lets us predict rendered pixel
-// positions deterministically in tests.
-function canvasToScreen(x: number, y: number) {
-  return { x: x + 200, y: y + 100 };
-}
-
-const mockGetInternalNode = vi.fn<(id: string) => unknown>();
-const mockFlowToScreenPosition = vi.fn<
-  (pos: { x: number; y: number }) => { x: number; y: number }
->();
-
-vi.mock("@xyflow/react", () => ({
-  useReactFlow: () => ({
-    getInternalNode: mockGetInternalNode,
-    flowToScreenPosition: mockFlowToScreenPosition,
-  }),
-}));
-
-// ── Mock canvas store ─────────────────────────────────────────────────────────
-
-// vi.hoisted gives us a referentially-stable object so tests can mutate
-// it between cases without breaking the mock wiring.
-const { mockState } = vi.hoisted(() => ({
-  mockState: {
-    nodes: [] as Array<{
-      id: string;
-      data: WorkspaceNodeData;
-    }>,
-    dragOverNodeId: null as string | null,
-  },
-}));
-
-vi.mock("@/store/canvas", () => ({
-  useCanvasStore: Object.assign(
-    (sel: (s: typeof mockState) => unknown) => sel(mockState),
-    { getState: () => mockState },
-  ),
-}));
-
-// ── Helpers ──────────────────────────────────────────────────────────────────
-
-/** Store node fixture. Only the id and data.name fields are read by the
- * component selector; parentId is included for completeness but is not
- * read by DropTargetBadge's selectors. */
-function storeNode(id: string, name: string): typeof mockState.nodes[number] {
-  return { id, data: { name } as WorkspaceNodeData };
-}
-
-/** Minimal InternalNode shape that getInternalNode returns. The component
- * reads measured.width/height, width/height fallbacks, and
- * internals.positionAbsolute. */
-function makeInternal(
-  id: string,
-  cx: number,
-  cy: number,
-  w = 400,
-  h = 300,
-): unknown {
-  return {
-    id,
-    measured: { width: w, height: h },
-    width: w,
-    height: h,
-    internals: { positionAbsolute: { x: cx, y: cy } },
-  };
-}
-
-beforeEach(() => {
-  mockGetInternalNode.mockReset();
-  mockFlowToScreenPosition.mockReset();
-  mockGetInternalNode.mockReturnValue(undefined);
-  mockFlowToScreenPosition.mockImplementation(canvasToScreen);
-});
-
-afterEach(() => {
-  cleanup();
-  vi.clearAllMocks();
-  mockState.nodes = [];
-  mockState.dragOverNodeId = null;
-});
-
-// ── Test cases ───────────────────────────────────────────────────────────────
-
-describe("DropTargetBadge — render conditions", () => {
-  it("renders nothing when dragOverNodeId is null (no store nodes)", () => {
-    mockState.nodes = [];
-    const { container } = render(<DropTargetBadge />);
-    expect(container.textContent).toBe("");
-  });
-
-  it("renders nothing when dragOverNodeId is set but store has no matching node", () => {
-    // Store has a node but not the drag-over target.
-    mockState.nodes = [storeNode("other", "Other")];
-    mockState.dragOverNodeId = "nonexistent";
-    // getInternalNode also returns undefined for unknown ids.
-    mockGetInternalNode.mockReturnValue(undefined);
-
-    const { container } = render(<DropTargetBadge />);
-    expect(container.textContent).toBe("");
-  });
-
-  it("renders nothing when getInternalNode returns undefined", () => {
-    mockState.nodes = [storeNode("target", "My Workspace")];
-    mockState.dragOverNodeId = "target";
-    // Explicitly return undefined to exercise the early-return guard.
-    mockGetInternalNode.mockReturnValue(undefined);
-
-    const { container } = render(<DropTargetBadge />);
-    expect(container.textContent).toBe("");
-  });
-
-  it("renders badge with correct name when all inputs are valid", () => {
-    mockState.nodes = [storeNode("target", "My Workspace")];
-    mockState.dragOverNodeId = "target";
-    mockGetInternalNode.mockReturnValue(makeInternal("target", 0, 0));
-
-    const { container } = render(<DropTargetBadge />);
-    // Badge renders the name from the store node.
-    expect(container.textContent).toContain("My Workspace");
-  });
-
-  it("badge text follows 'Drop into: <name>' format", () => {
-    mockState.nodes = [storeNode("alpha", "Alpha Workspace")];
-    mockState.dragOverNodeId = "alpha";
-    mockGetInternalNode.mockReturnValue(makeInternal("alpha", 50, 50, 300, 200));
-
-    const { container } = render(<DropTargetBadge />);
-    expect(container.textContent).toMatch(/Drop into:/);
-    expect(container.textContent).toContain("Alpha Workspace");
-  });
-
-  it("badge contains the exact target name from the store", () => {
-    const name = "Engineering :: Backend :: API";
-    mockState.nodes = [storeNode("api", name)];
-    mockState.dragOverNodeId = "api";
-    mockGetInternalNode.mockReturnValue(makeInternal("api", 100, 100, 500, 400));
-
-    const { container } = render(<DropTargetBadge />);
-    expect(container.textContent).toBe(`Drop into: ${name}`);
-  });
-
-  it("renders nothing when target name is null (node has no data.name)", () => {
-    // A node in the store without a name field → selector returns null.
-    mockState.nodes = [{ id: "nameless", data: {} as WorkspaceNodeData }];
-    mockState.dragOverNodeId = "nameless";
-    mockGetInternalNode.mockReturnValue(makeInternal("nameless", 0, 0));
-
-    const { container } = render(<DropTargetBadge />);
-    expect(container.textContent).toBe("");
-  });
-});

canvas/src/components/canvas/__tests__/useOrgDeployState.test.ts

@@ -1,311 +0,0 @@
-/**
- * Unit tests for buildDeployMap — the pure tree-traversal core of
- * useOrgDeployState.
- *
- * What is tested here:
- *   - Root / leaf identification via parent-chain walk
- *   - isDeployingRoot: true when any descendant is "provisioning"
- *   - isActivelyProvisioning: true only for the node itself in that state
- *   - isLockedChild: true for non-root nodes in a deploying tree
- *   - isLockedChild: also true for nodes in deletingIds (even if not deploying)
- *   - descendantProvisioningCount: non-zero only on root nodes
- *   - Performance contract: O(n) single-pass walk — tested by verifying
- *     correctness across 50-node trees (n=50, all cases above)
- *
- * What is NOT tested here (hook integration — appropriate for E2E):
- *   - The useMemo / Zustand subscription wiring
- *   - React Flow integration (flowToScreenPosition, getInternalNode)
- *
- * Issue: #2071 (Canvas test gaps follow-up).
- */
-import { describe, expect, it } from "vitest";
-import { buildDeployMap, type OrgDeployState } from "../useOrgDeployState";
-
-// ── Helpers ──────────────────────────────────────────────────────────────────
-
-type Projection = { id: string; parentId: string | null; status: string };
-
-function proj(
-  id: string,
-  parentId: string | null,
-  status: string,
-): Projection {
-  return { id, parentId, status };
-}
-
-/** Unchecked cast — test helpers aren't production code paths. */
-function m(
-  ps: Projection[],
-  deletingIds: string[] = [],
-): Map<string, OrgDeployState> {
-  return buildDeployMap(ps, new Set(deletingIds));
-}
-
-function s(
-  map: Map<string, OrgDeployState>,
-  id: string,
-): OrgDeployState {
-  const got = map.get(id);
-  if (!got) throw new Error(`no entry for id=${id}`);
-  return got;
-}
-
-// ── Empty / trivial ───────────────────────────────────────────────────────────
-
-describe("buildDeployMap — empty", () => {
-  it("returns empty map for empty projections", () => {
-    expect(m([]).size).toBe(0);
-  });
-});
-
-// ── Single node ─────────────────────────────────────────────────────────────
-
-describe("buildDeployMap — single node", () => {
-  it("isolated node is its own root and not deploying", () => {
-    const map = m([proj("a", null, "online")]);
-    expect(s(map, "a")).toEqual({
-      isActivelyProvisioning: false,
-      isDeployingRoot: false,
-      isLockedChild: false,
-      descendantProvisioningCount: 0,
-    });
-  });
-
-  it("isolated provisioning node is deploying root", () => {
-    const map = m([proj("a", null, "provisioning")]);
-    expect(s(map, "a")).toEqual({
-      isActivelyProvisioning: true,
-      isDeployingRoot: true,
-      isLockedChild: false,
-      descendantProvisioningCount: 1,
-    });
-  });
-});
-
-// ── Parent / child chains ─────────────────────────────────────────────────────
-
-describe("buildDeployMap — parent / child chains", () => {
-  it("root with online child: root is not deploying, child is not locked", () => {
-    // A ──► B
-    const map = m([
-      proj("A", null, "online"),
-      proj("B", "A", "online"),
-    ]);
-    expect(s(map, "A")).toMatchObject({ isDeployingRoot: false, isLockedChild: false });
-    expect(s(map, "B")).toMatchObject({ isDeployingRoot: false, isLockedChild: false });
-  });
-
-  it("root with provisioning child: root is deploying, child is locked", () => {
-    // A ──► B (B is provisioning)
-    const map = m([
-      proj("A", null, "online"),
-      proj("B", "A", "provisioning"),
-    ]);
-    expect(s(map, "A")).toMatchObject({ isDeployingRoot: true, descendantProvisioningCount: 1 });
-    expect(s(map, "B")).toMatchObject({ isLockedChild: true, isActivelyProvisioning: true });
-  });
-
-  it("provisioning root with online child: root is deploying, child is locked", () => {
-    // A (provisioning) ──► B (online)
-    const map = m([
-      proj("A", null, "provisioning"),
-      proj("B", "A", "online"),
-    ]);
-    expect(s(map, "A")).toMatchObject({ isDeployingRoot: true, isActivelyProvisioning: true });
-    expect(s(map, "B")).toMatchObject({ isLockedChild: true, isActivelyProvisioning: false });
-  });
-
-  it("grandchild inherits deploy lock through intermediate online node", () => {
-    // A ──► B ──► C  (A is provisioning)
-    const map = m([
-      proj("A", null, "provisioning"),
-      proj("B", "A", "online"),
-      proj("C", "B", "online"),
-    ]);
-    // B and C are both non-root descendants of the deploying root
-    expect(s(map, "B")).toMatchObject({ isLockedChild: true });
-    expect(s(map, "C")).toMatchObject({ isLockedChild: true });
-    expect(s(map, "A")).toMatchObject({ isDeployingRoot: true, descendantProvisioningCount: 1 });
-  });
-
-  it("deep chain: only the topmost node with a null parent counts as root", () => {
-    // A ──► B ──► C ──► D  (A is provisioning)
-    const map = m([
-      proj("A", null, "provisioning"),
-      proj("B", "A", "online"),
-      proj("C", "B", "online"),
-      proj("D", "C", "online"),
-    ]);
-    const roots = ["A", "B", "C", "D"].filter((id) => s(map, id).isDeployingRoot);
-    expect(roots).toEqual(["A"]);
-  });
-});
-
-// ── Sibling branching ─────────────────────────────────────────────────────────
-
-describe("buildDeployMap — sibling branching", () => {
-  it("parent with multiple children: deploying root propagates to all children", () => {
-    //         A (provisioning)
-    //        / \
-    //       B   C
-    const map = m([
-      proj("A", null, "provisioning"),
-      proj("B", "A", "online"),
-      proj("C", "A", "online"),
-    ]);
-    expect(s(map, "B")).toMatchObject({ isLockedChild: true });
-    expect(s(map, "C")).toMatchObject({ isLockedChild: true });
-    expect(s(map, "A")).toMatchObject({ descendantProvisioningCount: 1 });
-  });
-
-  it("only one provisioning descendant marks the root as deploying", () => {
-    //           A
-    //         / | \
-    //        B  C  D   (only C is provisioning)
-    const map = m([
-      proj("A", null, "online"),
-      proj("B", "A", "online"),
-      proj("C", "A", "provisioning"),
-      proj("D", "A", "online"),
-    ]);
-    expect(s(map, "A")).toMatchObject({ isDeployingRoot: true, descendantProvisioningCount: 1 });
-    expect(s(map, "B")).toMatchObject({ isLockedChild: true });
-    expect(s(map, "C")).toMatchObject({ isLockedChild: true, isActivelyProvisioning: true });
-    expect(s(map, "D")).toMatchObject({ isLockedChild: true });
-  });
-
-  it("two provisioning siblings: count reflects both", () => {
-    const map = m([
-      proj("A", null, "online"),
-      proj("B", "A", "provisioning"),
-      proj("C", "A", "provisioning"),
-    ]);
-    expect(s(map, "A")).toMatchObject({ descendantProvisioningCount: 2 });
-    expect(s(map, "B")).toMatchObject({ isActivelyProvisioning: true });
-    expect(s(map, "C")).toMatchObject({ isActivelyProvisioning: true });
-  });
-});
-
-// ── Multiple disjoint trees ───────────────────────────────────────────────────
-
-describe("buildDeployMap — multiple disjoint trees", () => {
-  it("each tree has its own root; deploying nodes are independent", () => {
-    // Tree 1: X (provisioning) ──► Y
-    // Tree 2: P ──► Q  (no provisioning)
-    const map = m([
-      proj("X", null, "provisioning"),
-      proj("Y", "X", "online"),
-      proj("P", null, "online"),
-      proj("Q", "P", "online"),
-    ]);
-    expect(s(map, "X")).toMatchObject({ isDeployingRoot: true });
-    expect(s(map, "Y")).toMatchObject({ isLockedChild: true });
-    expect(s(map, "P")).toMatchObject({ isDeployingRoot: false, isLockedChild: false });
-    expect(s(map, "Q")).toMatchObject({ isDeployingRoot: false, isLockedChild: false });
-  });
-});
-
-// ── Deleting nodes ────────────────────────────────────────────────────────────
-
-describe("buildDeployMap — deletingIds", () => {
-  it("node in deletingIds is locked even if tree is not deploying", () => {
-    const map = m(
-      [
-        proj("A", null, "online"),
-        proj("B", "A", "online"),
-      ],
-      ["B"], // B is being deleted
-    );
-    expect(s(map, "A")).toMatchObject({ isLockedChild: false });
-    expect(s(map, "B")).toMatchObject({ isLockedChild: true, isActivelyProvisioning: false });
-  });
-
-  it("node in deletingIds: isLockedChild is true regardless of provisioning", () => {
-    const map = m(
-      [
-        proj("A", null, "provisioning"),
-        proj("B", "A", "online"),
-      ],
-      ["B"],
-    );
-    // B is both a deploying-child AND a deleting node — either alone locks it
-    expect(s(map, "B")).toMatchObject({ isLockedChild: true });
-  });
-
-  it("empty deletingIds set has no effect", () => {
-    const map = m(
-      [
-        proj("A", null, "online"),
-        proj("B", "A", "online"),
-      ],
-      [],
-    );
-    expect(s(map, "B")).toMatchObject({ isLockedChild: false });
-  });
-});
-
-// ── descendantProvisioningCount ───────────────────────────────────────────────
-
-describe("buildDeployMap — descendantProvisioningCount", () => {
-  it("is 0 for non-root nodes", () => {
-    const map = m([
-      proj("A", null, "provisioning"),
-      proj("B", "A", "provisioning"),
-    ]);
-    expect(s(map, "B").descendantProvisioningCount).toBe(0);
-  });
-
-  it("includes the root's own status when provisioning", () => {
-    const map = m([
-      proj("A", null, "provisioning"),
-      proj("B", "A", "online"),
-    ]);
-    // A is both root and provisioning → count includes itself
-    expect(s(map, "A").descendantProvisioningCount).toBe(1);
-  });
-
-  it("accumulates all provisioning descendants (not just immediate children)", () => {
-    const map = m([
-      proj("A", null, "online"),
-      proj("B", "A", "online"),
-      proj("C", "B", "provisioning"),
-    ]);
-    expect(s(map, "A").descendantProvisioningCount).toBe(1);
-  });
-});
-
-// ── O(n) performance ─────────────────────────────────────────────────────────
-
-describe("buildDeployMap — O(n) performance contract", () => {
-  it("handles a 50-node three-level tree without incorrect node assignments", () => {
-    // Level 0: 1 root
-    // Level 1: 7 children
-    // Level 2: 42 leaves
-    // Total: 50 nodes
-    const projections: Projection[] = [];
-    projections.push(proj("root", null, "provisioning"));
-    for (let i = 0; i < 7; i++) {
-      projections.push(proj(`l1-${i}`, "root", "online"));
-    }
-    for (let i = 0; i < 42; i++) {
-      const parent = `l1-${Math.floor(i / 6)}`;
-      projections.push(proj(`l2-${i}`, parent, "online"));
-    }
-    const map = m(projections);
-
-    // Root is the only deploying node
-    expect(s(map, "root")).toMatchObject({
-      isDeployingRoot: true,
-      isLockedChild: false,
-      descendantProvisioningCount: 1,
-    });
-
-    // Every other node is a locked child
-    for (let i = 0; i < 7; i++) {
-      expect(s(map, `l1-${i}`)).toMatchObject({ isLockedChild: true, isDeployingRoot: false });
-    }
-    for (let i = 0; i < 42; i++) {
-      expect(s(map, `l2-${i}`)).toMatchObject({ isLockedChild: true, isDeployingRoot: false });
-    }
-  });
-});

canvas/src/components/canvas/useOrgDeployState.ts

@@ -40,8 +40,7 @@ interface NodeProjection {
   status: string;
 }
 
-// Exported for unit testing — the function is pure and deterministic.
-export function buildDeployMap(
+function buildDeployMap(
   projections: NodeProjection[],
   deletingIds: ReadonlySet<string>,
 ): Map<string, OrgDeployState> {

canvas/src/components/mobile/MobileChat.tsx

@@ -54,14 +54,9 @@ export function MobileChat({
   // user sees their prior thread on entry. The store is updated by the
   // socket → ChatTab flows the desktop runs; on mobile we read from the
   // same buffer to keep state coherent across viewports.
-  // NOTE: do NOT use `?? []` in the selector — Zustand uses Object.is
-  // for selector equality. A fallback `?? []` creates a new [] reference on
-  // every store update when agentMessages[agentId] is undefined, causing an
-  // infinite re-render loop (React error #185 / Maximum update depth
-  // exceeded). The undefined case is handled by the initializer below.
-  const storedMessages = useCanvasStore((s) => s.agentMessages[agentId]);
+  const storedMessages = useCanvasStore((s) => s.agentMessages[agentId] ?? []);
   const [messages, setMessages] = useState<ChatMessage[]>(() =>
-    (storedMessages ?? []).map((m) => ({
+    storedMessages.map((m) => ({
       id: m.id,
       role: "agent",
       text: m.content,

canvas/src/components/tabs/FilesTab/__tests__/FilesTab.test.tsx

@@ -1,216 +0,0 @@
-// @vitest-environment jsdom
-/**
- * FilesTab: NotAvailablePanel + FilesToolbar coverage.
- *
- * NotAvailablePanel: pure presentational component — renders a "feature not
- * available" placeholder for external-runtime workspaces.
- * FilesToolbar: pure props-driven component — directory selector, file count,
- * action buttons (New, Upload, Export, Clear, Refresh) with correct aria-labels.
- *
- * No @testing-library/jest-dom import — use textContent / className /
- * getAttribute checks to avoid "expect is not defined" errors.
- */
-import { afterEach, describe, expect, it, vi } from "vitest";
-import { cleanup, render, screen } from "@testing-library/react";
-import React from "react";
-
-import { FilesToolbar } from "../FilesToolbar";
-import { NotAvailablePanel } from "../NotAvailablePanel";
-
-// ─── afterEach ─────────────────────────────────────────────────────────────────
-
-afterEach(() => {
-  cleanup();
-  vi.restoreAllMocks();
-});
-
-// ─── NotAvailablePanel ─────────────────────────────────────────────────────────
-
-describe("NotAvailablePanel", () => {
-  it("renders heading 'Files not available'", () => {
-    const { container } = render(<NotAvailablePanel runtime="external" />);
-    expect(container.textContent).toContain("Files not available");
-  });
-
-  it("renders the runtime name in monospace", () => {
-    const { container } = render(<NotAvailablePanel runtime="external" />);
-    expect(container.textContent).toContain("external");
-    const spans = container.querySelectorAll("span");
-    const monoSpans = Array.from(spans).filter(
-      (s) => s.className && s.className.includes("font-mono"),
-    );
-    expect(monoSpans.length).toBeGreaterThan(0);
-  });
-
-  it("renders a Chat tab hint in description", () => {
-    const { container } = render(<NotAvailablePanel runtime="remote-agent" />);
-    expect(container.textContent).toContain("Chat tab");
-  });
-
-  it("SVG icon has aria-hidden=true", () => {
-    const { container } = render(<NotAvailablePanel runtime="external" />);
-    const svg = container.querySelector("svg");
-    expect(svg?.getAttribute("aria-hidden")).toBe("true");
-  });
-
-  it("renders without crashing for any runtime string", () => {
-    const { container } = render(<NotAvailablePanel runtime="unknown-runtime" />);
-    expect(container.textContent).toContain("unknown-runtime");
-  });
-
-  it("applies the correct layout classes to root div", () => {
-    const { container } = render(<NotAvailablePanel runtime="external" />);
-    const root = container.firstElementChild as HTMLElement;
-    expect(root.className).toContain("flex");
-    expect(root.className).toContain("flex-col");
-    expect(root.className).toContain("items-center");
-  });
-});
-
-// ─── FilesToolbar ───────────────────────────────────────────────────────────────
-
-describe("FilesToolbar", () => {
-  const noop = vi.fn();
-
-  function renderToolbar(props: Partial<React.ComponentProps<typeof FilesToolbar>> = {}) {
-    return render(
-      <FilesToolbar
-        root="/configs"
-        setRoot={noop}
-        fileCount={0}
-        onNewFile={noop}
-        onUpload={noop}
-        onDownloadAll={noop}
-        onClearAll={noop}
-        onRefresh={noop}
-        {...props}
-      />,
-    );
-  }
-
-  it("renders the directory selector with correct aria-label", () => {
-    const { container } = renderToolbar();
-    const select = container.querySelector("select");
-    expect(select?.getAttribute("aria-label")).toBe("File root directory");
-  });
-
-  it("directory selector has all four options", () => {
-    const { container } = renderToolbar();
-    const select = container.querySelector("select") as HTMLSelectElement;
-    const options = Array.from(select?.options ?? []);
-    const values = options.map((o) => o.value);
-    expect(values).toContain("/configs");
-    expect(values).toContain("/home");
-    expect(values).toContain("/workspace");
-    expect(values).toContain("/plugins");
-  });
-
-  it("calls setRoot when directory changes", () => {
-    const setRoot = vi.fn();
-    const { container } = renderToolbar({ setRoot });
-    const select = container.querySelector("select") as HTMLSelectElement;
-    select.value = "/home";
-    select.dispatchEvent(new Event("change", { bubbles: true }));
-    expect(setRoot).toHaveBeenCalledWith("/home");
-  });
-
-  it("displays the file count", () => {
-    const { container } = renderToolbar({ fileCount: 42 });
-    expect(container.textContent).toContain("42 files");
-  });
-
-  it("shows New + Upload + Clear buttons for /configs", () => {
-    const { container } = renderToolbar({ root: "/configs" });
-    const texts = Array.from(container.querySelectorAll("button")).map(
-      (b) => b.textContent?.trim(),
-    );
-    expect(texts).toContain("+ New");
-    expect(texts).toContain("Upload");
-    expect(texts).toContain("Clear");
-    expect(texts).toContain("Export");
-    expect(texts).toContain("↻");
-  });
-
-  it("hides New + Upload + Clear for /workspace", () => {
-    const { container } = renderToolbar({ root: "/workspace" });
-    const texts = Array.from(container.querySelectorAll("button")).map(
-      (b) => b.textContent?.trim(),
-    );
-    expect(texts).not.toContain("+ New");
-    expect(texts).not.toContain("Upload");
-    expect(texts).not.toContain("Clear");
-    expect(texts).toContain("Export");
-  });
-
-  it("hides New + Upload + Clear for /home", () => {
-    const { container } = renderToolbar({ root: "/home" });
-    const texts = Array.from(container.querySelectorAll("button")).map(
-      (b) => b.textContent?.trim(),
-    );
-    expect(texts).not.toContain("+ New");
-    expect(texts).not.toContain("Upload");
-    expect(texts).not.toContain("Clear");
-  });
-
-  it("hides New + Upload + Clear for /plugins", () => {
-    const { container } = renderToolbar({ root: "/plugins" });
-    const texts = Array.from(container.querySelectorAll("button")).map(
-      (b) => b.textContent?.trim(),
-    );
-    expect(texts).not.toContain("+ New");
-    expect(texts).not.toContain("Upload");
-    expect(texts).not.toContain("Clear");
-  });
-
-  it("New button has correct aria-label", () => {
-    const { container } = renderToolbar({ root: "/configs" });
-    const newBtn = container.querySelector('button[aria-label="Create new file"]');
-    expect(newBtn?.textContent?.trim()).toBe("+ New");
-  });
-
-  it("Export button has correct aria-label", () => {
-    const { container } = renderToolbar();
-    const exportBtn = container.querySelector('button[aria-label="Download all files"]');
-    expect(exportBtn?.textContent?.trim()).toBe("Export");
-  });
-
-  it("Clear button has correct aria-label", () => {
-    const { container } = renderToolbar({ root: "/configs" });
-    const clearBtn = container.querySelector('button[aria-label="Delete all files"]');
-    expect(clearBtn?.textContent?.trim()).toBe("Clear");
-  });
-
-  it("Refresh button has correct aria-label", () => {
-    const { container } = renderToolbar();
-    const refreshBtn = container.querySelector('button[aria-label="Refresh file list"]');
-    expect(refreshBtn?.textContent?.trim()).toBe("↻");
-  });
-
-  it("calls onNewFile when New button is clicked", () => {
-    const onNewFile = vi.fn();
-    const { container } = renderToolbar({ root: "/configs", onNewFile });
-    container.querySelector('button[aria-label="Create new file"]')!.click();
-    expect(onNewFile).toHaveBeenCalledTimes(1);
-  });
-
-  it("calls onDownloadAll when Export button is clicked", () => {
-    const onDownloadAll = vi.fn();
-    const { container } = renderToolbar({ onDownloadAll });
-    container.querySelector('button[aria-label="Download all files"]')!.click();
-    expect(onDownloadAll).toHaveBeenCalledTimes(1);
-  });
-
-  it("calls onClearAll when Clear button is clicked", () => {
-    const onClearAll = vi.fn();
-    const { container } = renderToolbar({ root: "/configs", onClearAll });
-    container.querySelector('button[aria-label="Delete all files"]')!.click();
-    expect(onClearAll).toHaveBeenCalledTimes(1);
-  });
-
-  it("calls onRefresh when Refresh button is clicked", () => {
-    const onRefresh = vi.fn();
-    const { container } = renderToolbar({ onRefresh });
-    container.querySelector('button[aria-label="Refresh file list"]')!.click();
-    expect(onRefresh).toHaveBeenCalledTimes(1);
-  });
-});

canvas/src/components/tabs/FilesTab/__tests__/FilesToolbar.test.tsx

@@ -1,349 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Tests for FilesToolbar — the top-of-panel bar for the Files tab.
- * Covers: directory select, file count, New/Upload/Clear (configs-only),
- * Export, Refresh, and aria-labels.
- */
-import React from "react";
-import { render, screen, fireEvent, cleanup } from "@testing-library/react";
-import { afterEach, describe, expect, it, vi } from "vitest";
-import { FilesToolbar } from "../FilesToolbar";
-
-afterEach(cleanup);
-
-describe("FilesToolbar", () => {
-  describe("renders base toolbar", () => {
-    it("renders the directory select with aria-label", () => {
-      render(
-        <FilesToolbar
-          root="/configs"
-          setRoot={vi.fn()}
-          fileCount={3}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      expect(
-        screen.getByRole("combobox", { name: /file root directory/i })
-      ).toBeTruthy();
-    });
-
-    it("renders the file count", () => {
-      render(
-        <FilesToolbar
-          root="/configs"
-          setRoot={vi.fn()}
-          fileCount={7}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      expect(screen.getByText("7 files")).toBeTruthy();
-    });
-
-    it("renders Export button", () => {
-      render(
-        <FilesToolbar
-          root="/configs"
-          setRoot={vi.fn()}
-          fileCount={0}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      expect(
-        screen.getByRole("button", { name: /download all files/i })
-      ).toBeTruthy();
-    });
-
-    it("renders Refresh button", () => {
-      render(
-        <FilesToolbar
-          root="/configs"
-          setRoot={vi.fn()}
-          fileCount={0}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      expect(screen.getByRole("button", { name: /refresh file list/i })).toBeTruthy();
-    });
-
-    it("renders 0 files when count is 0", () => {
-      render(
-        <FilesToolbar
-          root="/configs"
-          setRoot={vi.fn()}
-          fileCount={0}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      expect(screen.getByText("0 files")).toBeTruthy();
-    });
-  });
-
-  describe("configs-only buttons", () => {
-    it("shows New and Upload buttons when root is /configs", () => {
-      render(
-        <FilesToolbar
-          root="/configs"
-          setRoot={vi.fn()}
-          fileCount={3}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      expect(
-        screen.getByRole("button", { name: /create new file/i })
-      ).toBeTruthy();
-      expect(
-        screen.getByRole("button", { name: /upload folder/i })
-      ).toBeTruthy();
-      expect(screen.getByRole("button", { name: /delete all files/i })).toBeTruthy();
-    });
-
-    it("hides New and Upload when root is /workspace", () => {
-      render(
-        <FilesToolbar
-          root="/workspace"
-          setRoot={vi.fn()}
-          fileCount={5}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      expect(
-        screen.queryByRole("button", { name: /create new file/i })
-      ).toBeNull();
-      expect(
-        screen.queryByRole("button", { name: /upload folder/i })
-      ).toBeNull();
-      expect(
-        screen.queryByRole("button", { name: /delete all files/i })
-      ).toBeNull();
-      // Export and Refresh are still present
-      expect(
-        screen.getByRole("button", { name: /download all files/i })
-      ).toBeTruthy();
-    });
-
-    it("hides New and Upload when root is /home", () => {
-      render(
-        <FilesToolbar
-          root="/home"
-          setRoot={vi.fn()}
-          fileCount={2}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      expect(
-        screen.queryByRole("button", { name: /create new file/i })
-      ).toBeNull();
-      expect(
-        screen.queryByRole("button", { name: /upload folder/i })
-      ).toBeNull();
-    });
-
-    it("hides New and Upload when root is /plugins", () => {
-      render(
-        <FilesToolbar
-          root="/plugins"
-          setRoot={vi.fn()}
-          fileCount={1}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      expect(
-        screen.queryByRole("button", { name: /create new file/i })
-      ).toBeNull();
-      expect(
-        screen.queryByRole("button", { name: /upload folder/i })
-      ).toBeNull();
-    });
-  });
-
-  describe("callbacks", () => {
-    it("calls setRoot when directory is changed", () => {
-      const setRoot = vi.fn();
-      render(
-        <FilesToolbar
-          root="/configs"
-          setRoot={setRoot}
-          fileCount={3}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      fireEvent.change(screen.getByRole("combobox"), {
-        target: { value: "/workspace" },
-      });
-      expect(setRoot).toHaveBeenCalledWith("/workspace");
-    });
-
-    it("calls onNewFile when New button is clicked", () => {
-      const onNewFile = vi.fn();
-      render(
-        <FilesToolbar
-          root="/configs"
-          setRoot={vi.fn()}
-          fileCount={3}
-          onNewFile={onNewFile}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      fireEvent.click(screen.getByRole("button", { name: /create new file/i }));
-      expect(onNewFile).toHaveBeenCalledTimes(1);
-    });
-
-    it("calls onDownloadAll when Export button is clicked", () => {
-      const onDownloadAll = vi.fn();
-      render(
-        <FilesToolbar
-          root="/workspace"
-          setRoot={vi.fn()}
-          fileCount={5}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={onDownloadAll}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      fireEvent.click(screen.getByRole("button", { name: /download all files/i }));
-      expect(onDownloadAll).toHaveBeenCalledTimes(1);
-    });
-
-    it("calls onClearAll when Clear button is clicked", () => {
-      const onClearAll = vi.fn();
-      render(
-        <FilesToolbar
-          root="/configs"
-          setRoot={vi.fn()}
-          fileCount={3}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={onClearAll}
-          onRefresh={vi.fn()}
-        />
-      );
-      fireEvent.click(screen.getByRole("button", { name: /delete all files/i }));
-      expect(onClearAll).toHaveBeenCalledTimes(1);
-    });
-
-    it("calls onRefresh when Refresh button is clicked", () => {
-      const onRefresh = vi.fn();
-      render(
-        <FilesToolbar
-          root="/configs"
-          setRoot={vi.fn()}
-          fileCount={3}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={onRefresh}
-        />
-      );
-      fireEvent.click(screen.getByRole("button", { name: /refresh file list/i }));
-      expect(onRefresh).toHaveBeenCalledTimes(1);
-    });
-
-    it("calls onUpload when the hidden file input changes", () => {
-      const onUpload = vi.fn();
-      render(
-        <FilesToolbar
-          root="/configs"
-          setRoot={vi.fn()}
-          fileCount={3}
-          onNewFile={vi.fn()}
-          onUpload={onUpload}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      // Find the hidden file input
-      const fileInput = document.querySelector(
-        'input[type="file"]'
-      ) as HTMLInputElement;
-      expect(fileInput).toBeTruthy();
-      expect(fileInput?.getAttribute("aria-label")).toBe("Upload folder files");
-    });
-  });
-
-  describe("a11y", () => {
-    it("all buttons have aria-label or accessible name", () => {
-      render(
-        <FilesToolbar
-          root="/configs"
-          setRoot={vi.fn()}
-          fileCount={3}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      // All buttons should be findable by role
-      const buttons = screen.getAllByRole("button");
-      for (const btn of buttons) {
-        expect(btn.getAttribute("aria-label") ?? btn.textContent).toBeTruthy();
-      }
-    });
-
-    it("directory select has aria-label", () => {
-      render(
-        <FilesToolbar
-          root="/configs"
-          setRoot={vi.fn()}
-          fileCount={3}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      const select = screen.getByRole("combobox");
-      expect(select.getAttribute("aria-label")).toBe("File root directory");
-    });
-  });
-});

canvas/src/components/tabs/FilesTab/__tests__/NotAvailablePanel.test.tsx

@@ -1,101 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Tests for NotAvailablePanel — the full-tab placeholder shown when a
- * workspace's runtime doesn't own a platform-managed filesystem (today:
- * runtime === "external"). Covers rendering, a11y, and runtime prop
- * display.
- */
-import React from "react";
-import { render, screen, cleanup } from "@testing-library/react";
-import { afterEach, describe, expect, it } from "vitest";
-import { NotAvailablePanel } from "../NotAvailablePanel";
-
-afterEach(cleanup);
-
-describe("NotAvailablePanel", () => {
-  describe("renders", () => {
-    it("renders the heading", () => {
-      render(<NotAvailablePanel runtime="external" />);
-      expect(screen.getByText("Files not available")).toBeTruthy();
-    });
-
-    it("renders the description text", () => {
-      render(<NotAvailablePanel runtime="external" />);
-      expect(
-        screen.getByText(/whose filesystem isn't owned by the platform/i)
-      ).toBeTruthy();
-    });
-
-    it("displays the runtime name in the description", () => {
-      render(<NotAvailablePanel runtime="aws-lambda" />);
-      // The runtime name appears inside the paragraph
-      const para = screen.getByText(/whose filesystem isn't owned/i);
-      expect(para.textContent).toContain("aws-lambda");
-    });
-
-    it("renders the SVG folder icon with aria-hidden", () => {
-      render(<NotAvailablePanel runtime="external" />);
-      const svg = document.querySelector("svg");
-      expect(svg).toBeTruthy();
-      expect(svg?.getAttribute("aria-hidden")).toBe("true");
-    });
-
-    it("uses the provided runtime prop verbatim", () => {
-      render(<NotAvailablePanel runtime="cloud-run" />);
-      const monoRuntime = document.querySelector(".font-mono");
-      expect(monoRuntime?.textContent).toBe("cloud-run");
-    });
-
-    it("renders the 'Use the Chat tab' guidance text", () => {
-      render(<NotAvailablePanel runtime="external" />);
-      expect(screen.getByText(/Use the Chat tab/i)).toBeTruthy();
-    });
-
-    it("is contained in a full-height flex column", () => {
-      render(<NotAvailablePanel runtime="external" />);
-      const container = screen.getByText("Files not available").closest("div");
-      expect(container?.className).toContain("flex");
-      expect(container?.className).toContain("flex-col");
-      expect(container?.className).toContain("items-center");
-      expect(container?.className).toContain("justify-center");
-      expect(container?.className).toContain("h-full");
-    });
-  });
-
-  describe("a11y", () => {
-    it("heading is an h3", () => {
-      render(<NotAvailablePanel runtime="external" />);
-      expect(screen.getByRole("heading", { level: 3 })).toBeTruthy();
-    });
-
-    it("SVG icon has aria-hidden so screen readers skip it", () => {
-      render(<NotAvailablePanel runtime="external" />);
-      const svg = document.querySelector("svg");
-      expect(svg?.getAttribute("aria-hidden")).toBe("true");
-    });
-
-    it("description paragraph is present with descriptive text", () => {
-      render(<NotAvailablePanel runtime="external" />);
-      const paras = document.querySelectorAll("p");
-      expect(paras.length).toBeGreaterThan(0);
-      const text = Array.from(paras)
-        .map((p) => p.textContent)
-        .join(" ");
-      expect(text.toLowerCase()).toContain("runtime");
-    });
-  });
-
-  describe("props", () => {
-    it("renders with a short runtime name", () => {
-      render(<NotAvailablePanel runtime="ext" />);
-      const monoRuntime = document.querySelector(".font-mono");
-      expect(monoRuntime?.textContent).toBe("ext");
-    });
-
-    it("renders with a complex runtime name", () => {
-      render(<NotAvailablePanel runtime="gcp-cloud-functions-v2" />);
-      const monoRuntime = document.querySelector(".font-mono");
-      expect(monoRuntime?.textContent).toBe("gcp-cloud-functions-v2");
-    });
-  });
-});

canvas/src/components/tabs/FilesTab/tree.ts

@@ -28,7 +28,7 @@ const FILE_ICONS: Record<string, string> = {
 
 export function getIcon(path: string, isDir: boolean): string {
   if (isDir) return "📁";
-  const ext = "." + (path.split(".").pop() ?? "").toLowerCase();
+  const ext = "." + path.split(".").pop();
   return FILE_ICONS[ext] || "📄";
 }
 

canvas/src/components/tabs/__tests__/BudgetSection.test.tsx

@@ -1,323 +0,0 @@
-// @vitest-environment jsdom
-import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
-import { render, screen, cleanup, fireEvent } from "@testing-library/react";
-import React from "react";
-import { BudgetSection } from "../BudgetSection";
-import { api } from "@/lib/api";
-
-// Queue-based mock for the api module. Each api call shifts from the queue.
-// Tests push with qGet/qPatch and the module-level mockImplementation
-// reads from the queue.
-type QueueEntry = { body?: unknown; err?: Error };
-const apiQueue: QueueEntry[] = [];
-
-vi.mock("@/lib/api", () => ({
-  api: {
-    get: vi.fn(async (_path: string) => {
-      const next = apiQueue.shift();
-      if (!next) throw new Error("api.get queue exhausted");
-      if (next.err) throw next.err;
-      return next.body;
-    }),
-    patch: vi.fn(async (_path: string, _body?: unknown) => {
-      const next = apiQueue.shift();
-      if (!next) throw new Error("api.patch queue exhausted");
-      if (next.err) throw next.err;
-      return next.body;
-    }),
-  },
-}));
-
-afterEach(cleanup);
-
-beforeEach(() => {
-  apiQueue.length = 0;
-  vi.clearAllMocks();
-});
-
-const WS_ID = "budget-test-ws";
-
-function qGet(body: unknown) {
-  apiQueue.push({ body });
-}
-
-function qGetErr(status: number, msg: string) {
-  apiQueue.push({ err: new Error(`${msg}: ${status}`) });
-}
-
-function qPatch(body: unknown) {
-  apiQueue.push({ body });
-}
-
-function qPatchErr(status: number, msg: string) {
-  apiQueue.push({ err: new Error(`${msg}: ${status}`) });
-}
-
-function makeBudget(overrides: Partial<{
-  budget_limit: number | null;
-  budget_used: number;
-  budget_remaining: number | null;
-}> = {}) {
-  return {
-    budget_limit: 10_000,
-    budget_used: 3_500,
-    budget_remaining: 6_500,
-    ...overrides,
-  };
-}
-
-describe("BudgetSection", () => {
-  describe("loading state", () => {
-    it("shows loading indicator while fetching", async () => {
-      let resolveGet: (v: unknown) => void;
-      vi.mocked(api.get).mockImplementationOnce(
-        async () => new Promise((r) => { resolveGet = r as (v: unknown) => void; }),
-      );
-
-      render(<BudgetSection workspaceId={WS_ID} />);
-
-      expect(screen.getByTestId("budget-loading")).toBeTruthy();
-
-      resolveGet!(makeBudget());
-      await vi.waitFor(() => {
-        expect(screen.queryByTestId("budget-loading")).toBeNull();
-      });
-    });
-  });
-
-  describe("fetch error state", () => {
-    it("shows error message on non-402 fetch failure", async () => {
-      qGetErr(500, "Internal Server Error");
-
-      render(<BudgetSection workspaceId={WS_ID} />);
-
-      await vi.waitFor(() => {
-        expect(screen.getByTestId("budget-fetch-error")).toBeTruthy();
-      });
-      expect(screen.getByTestId("budget-fetch-error")!.textContent).toContain("500");
-    });
-
-    it("shows 402 as exceeded banner, not fetch error", async () => {
-      qGetErr(402, "Payment Required");
-
-      render(<BudgetSection workspaceId={WS_ID} />);
-
-      await vi.waitFor(() => {
-        expect(screen.getByTestId("budget-exceeded-banner")).toBeTruthy();
-      });
-      expect(screen.queryByTestId("budget-fetch-error")).toBeNull();
-    });
-  });
-
-  describe("budget loaded — display", () => {
-    it("renders used / limit stats row", async () => {
-      qGet(makeBudget({ budget_limit: 10_000, budget_used: 3_500 }));
-
-      render(<BudgetSection workspaceId={WS_ID} />);
-
-      await vi.waitFor(() => {
-        expect(screen.getByTestId("budget-used-value")!.textContent).toBe("3,500");
-      });
-      expect(screen.getByTestId("budget-limit-value")!.textContent).toBe("10,000");
-    });
-
-    it("renders 'Unlimited' when budget_limit is null", async () => {
-      qGet(makeBudget({ budget_limit: null, budget_used: 1_000, budget_remaining: null }));
-
-      render(<BudgetSection workspaceId={WS_ID} />);
-
-      await vi.waitFor(() => {
-        expect(screen.getByTestId("budget-limit-value")!.textContent).toBe("Unlimited");
-      });
-    });
-
-    it("renders remaining credits when present", async () => {
-      qGet(makeBudget({ budget_limit: 10_000, budget_used: 3_500, budget_remaining: 6_500 }));
-
-      render(<BudgetSection workspaceId={WS_ID} />);
-
-      await vi.waitFor(() => {
-        expect(screen.getByTestId("budget-remaining")!.textContent).toContain("6,500");
-        expect(screen.getByTestId("budget-remaining")!.textContent).toContain("credits remaining");
-      });
-    });
-
-    it("omits remaining credits when budget_remaining is null", async () => {
-      qGet(makeBudget({ budget_limit: 10_000, budget_used: 3_500, budget_remaining: null }));
-
-      render(<BudgetSection workspaceId={WS_ID} />);
-
-      await vi.waitFor(() => {
-        expect(screen.queryByTestId("budget-remaining")).toBeNull();
-      });
-    });
-
-    it("caps progress bar at 100% when used > limit", async () => {
-      qGet(makeBudget({ budget_limit: 10_000, budget_used: 12_000, budget_remaining: null }));
-
-      render(<BudgetSection workspaceId={WS_ID} />);
-
-      await vi.waitFor(() => {
-        const fill = screen.getByTestId("budget-progress-fill");
-        expect(fill.getAttribute("style")).toContain("100%");
-      });
-    });
-
-    it("omits progress bar when budget_limit is null (unlimited)", async () => {
-      qGet(makeBudget({ budget_limit: null, budget_used: 5_000, budget_remaining: null }));
-
-      render(<BudgetSection workspaceId={WS_ID} />);
-
-      await vi.waitFor(() => {
-        expect(screen.queryByTestId("budget-progress-fill")).toBeNull();
-      });
-    });
-  });
-
-  describe("budget exceeded (402)", () => {
-    it("shows exceeded banner when load returns 402", async () => {
-      qGetErr(402, "Payment Required");
-
-      render(<BudgetSection workspaceId={WS_ID} />);
-
-      await vi.waitFor(() => {
-        expect(screen.getByTestId("budget-exceeded-banner")).toBeTruthy();
-        expect(screen.getByTestId("budget-exceeded-banner")!.textContent).toContain("Budget exceeded");
-      });
-    });
-
-    it("clears exceeded banner after successful save", async () => {
-      qGetErr(402, "Payment Required");
-      qPatch(makeBudget({ budget_limit: 50_000, budget_used: 0, budget_remaining: 50_000 }));
-
-      render(<BudgetSection workspaceId={WS_ID} />);
-
-      await vi.waitFor(() => {
-        expect(screen.getByTestId("budget-exceeded-banner")).toBeTruthy();
-      });
-
-      const input = screen.getByTestId("budget-limit-input");
-      fireEvent.change(input, { target: { value: "50000" } });
-
-      const saveBtn = screen.getByTestId("budget-save-btn");
-      fireEvent.click(saveBtn);
-
-      await vi.waitFor(() => {
-        expect(screen.queryByTestId("budget-exceeded-banner")).toBeNull();
-      });
-    });
-  });
-
-  describe("save flow", () => {
-    it("shows save error on non-402 patch failure", async () => {
-      qGet(makeBudget());
-      qPatchErr(500, "Internal Server Error");
-
-      render(<BudgetSection workspaceId={WS_ID} />);
-
-      await vi.waitFor(() => {
-        expect(screen.getByTestId("budget-limit-input")).toBeTruthy();
-      });
-
-      const saveBtn = screen.getByTestId("budget-save-btn");
-      fireEvent.click(saveBtn);
-
-      await vi.waitFor(() => {
-        expect(screen.getByTestId("budget-save-error")).toBeTruthy();
-        expect(screen.getByTestId("budget-save-error")!.textContent).toContain("500");
-      });
-    });
-
-    it("updates input to new limit value after successful save", async () => {
-      qGet(makeBudget({ budget_limit: 10_000 }));
-      qPatch(makeBudget({ budget_limit: 20_000 }));
-
-      render(<BudgetSection workspaceId={WS_ID} />);
-
-      await vi.waitFor(() => {
-        expect(screen.queryByTestId("budget-loading")).toBeNull();
-      });
-
-      const input = screen.getByTestId("budget-limit-input") as HTMLInputElement;
-      expect(input.value).toBe("10000");
-      expect(screen.getByTestId("budget-limit-value")!.textContent).toBe("10,000");
-
-      fireEvent.change(input, { target: { value: "20000" } });
-      expect(input.value).toBe("20000");
-
-      fireEvent.click(screen.getByTestId("budget-save-btn"));
-
-      await vi.waitFor(() => {
-        expect((screen.getByTestId("budget-limit-input") as HTMLInputElement).value).toBe("20000");
-      });
-    });
-
-    it("sends null when input is cleared (unlimited)", async () => {
-      qGet(makeBudget({ budget_limit: 10_000 }));
-      qPatch(makeBudget({ budget_limit: null }));
-
-      render(<BudgetSection workspaceId={WS_ID} />);
-
-      await vi.waitFor(() => {
-        expect(screen.getByTestId("budget-limit-input")).toBeTruthy();
-      });
-
-      const input = screen.getByTestId("budget-limit-input") as HTMLInputElement;
-      fireEvent.change(input, { target: { value: "" } });
-      fireEvent.click(screen.getByTestId("budget-save-btn"));
-
-      await vi.waitFor(() => {
-        expect(input.value).toBe("");
-      });
-    });
-
-    it("shows saving state on button while patch is in flight", async () => {
-      qGet(makeBudget());
-      let resolvePatch: (v: unknown) => void;
-      vi.mocked(api.patch).mockImplementationOnce(
-        async () => new Promise((r) => { resolvePatch = r as (v: unknown) => void; }),
-      );
-
-      render(<BudgetSection workspaceId={WS_ID} />);
-
-      await vi.waitFor(() => {
-        expect(screen.getByTestId("budget-limit-input")).toBeTruthy();
-      });
-
-      fireEvent.change(screen.getByTestId("budget-limit-input"), { target: { value: "50000" } });
-      fireEvent.click(screen.getByTestId("budget-save-btn"));
-
-      const btn = screen.getByTestId("budget-save-btn");
-      expect(btn.textContent).toContain("Saving");
-
-      resolvePatch!(makeBudget({ budget_limit: 50_000 }));
-      await vi.waitFor(() => {
-        expect(btn.textContent).toContain("Save");
-      });
-    });
-  });
-
-  describe("isApiError402 — regression coverage", () => {
-    it("classifies ': 402' with space as 402", async () => {
-      qGetErr(402, "Payment Required");
-      qPatch(makeBudget());
-
-      render(<BudgetSection workspaceId={WS_ID} />);
-
-      await vi.waitFor(() => {
-        expect(screen.getByTestId("budget-exceeded-banner")).toBeTruthy();
-      });
-    });
-
-    it("classifies non-402 error messages as regular fetch errors", async () => {
-      qGetErr(503, "Service Unavailable");
-
-      render(<BudgetSection workspaceId={WS_ID} />);
-
-      await vi.waitFor(() => {
-        expect(screen.getByTestId("budget-fetch-error")).toBeTruthy();
-      });
-      expect(screen.queryByTestId("budget-exceeded-banner")).toBeNull();
-    });
-  });
-});

canvas/src/components/tabs/__tests__/MemoryTab.test.tsx

@@ -1,726 +0,0 @@
-// @vitest-environment jsdom
-/**
- * MemoryTab — 42 test cases covering awareness dashboard, KV memory CRUD,
- * and error states.
- *
- * Issue #519: Add 42 test cases for MemoryTab (42 cases).
- */
-import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
-import {
-  render,
-  screen,
-  fireEvent,
-  cleanup,
-  act,
-} from "@testing-library/react";
-import React from "react";
-
-// ── Module-level mocks ────────────────────────────────────────────────────────
-// Mock @/lib/env before MemoryTab loads so it sees the stub values.
-vi.mock("@/lib/env", () => ({
-  NEXT_PUBLIC_AWARENESS_URL: "http://localhost:37800",
-}));
-
-// Mock @/lib/api at module level. vi.hoisted() captures the mock function
-// references so they are accessible in the test scope after hoisting.
-const _mockGet = vi.hoisted(() => vi.fn<() => Promise<unknown[]>>());
-const _mockPost = vi.hoisted(() => vi.fn<() => Promise<unknown>>());
-const _mockDel = vi.hoisted(() => vi.fn<() => Promise<unknown>>());
-vi.mock("@/lib/api", () => ({
-  api: {
-    get: _mockGet,
-    post: _mockPost,
-    del: _mockDel,
-  },
-}));
-
-// Stub window.open so tests don't actually open a window.
-const _windowOpen = vi.fn();
-vi.stubGlobal("window", {
-  ...window,
-  open: _windowOpen,
-});
-
-import { MemoryTab } from "../MemoryTab";
-import { api } from "@/lib/api";
-
-const WS_ID = "ws-test-123";
-
-const MEMORY_ENTRY: Record<string, unknown> = {
-  key: "user-preference",
-  value: { theme: "dark", language: "en" },
-  version: 1,
-  expires_at: null,
-  updated_at: "2026-04-15T10:00:00Z",
-};
-
-const MEMORY_ENTRY_WITH_TTL: Record<string, unknown> = {
-  key: "session-token",
-  value: "abc123",
-  version: 3,
-  expires_at: new Date(Date.now() + 86_400_000).toISOString(),
-  updated_at: "2026-04-15T11:00:00Z",
-};
-
-const MEMORY_ENTRY_RAW_STRING: Record<string, unknown> = {
-  key: "plain-text",
-  value: "hello world",
-  version: 1,
-  expires_at: null,
-  updated_at: "2026-04-15T12:00:00Z",
-};
-
-// ── Setup / teardown ────────────────────────────────────────────────────────
-
-beforeEach(() => {
-  // Reset all api mock functions to a clean default state between tests.
-  _mockGet.mockReset();
-  _mockGet.mockResolvedValue([] as unknown[]);
-  _mockPost.mockReset();
-  _mockPost.mockResolvedValue({} as unknown);
-  _mockDel.mockReset();
-  _mockDel.mockResolvedValue({} as unknown);
-  _windowOpen.mockClear();
-});
-
-afterEach(cleanup);
-
-// ── Shared helpers ──────────────────────────────────────────────────────────
-
-/**
- * Render MemoryTab and reveal the entries list by clicking "Show".
- * The component starts with showAdvanced=false (hidden mode); most entry-list
- * tests need to click Show before entries appear.
- *
- * Uses fireEvent.click directly on the button element (not the text span) to
- * ensure React's onClick fires correctly.
- */
-async function renderAndShowEntries() {
-  render(<MemoryTab workspaceId={WS_ID} />);
-  // Wait for the api.get mock to resolve and React to render with entries.
-  // 500ms gives enough time for useEffect → setEntries → re-render.
-  await new Promise((r) => setTimeout(r, 500));
-  fireEvent.click(screen.getByRole("button", { name: /show/i }));
-}
-
-/** Configure api.get to resolve with the given entries.
- * Must be called BEFORE render() so the useEffect sees the mock. */
-function stubMemoryFetch(entries: unknown[]) {
-  _mockGet.mockReset();
-  _mockGet.mockResolvedValue(entries as unknown[]);
-}
-
-/**
- * Click the memory entry button to expand it.
- * Uses filter-on-all-buttons to avoid getByRole's strict accessible-name
- * matching (which can silently find the wrong element in dense DOM trees).
- */
-function expandEntry(key: string) {
-  const allBtns = screen.getAllByRole("button");
-  const entryBtn = allBtns.find((b) => b.textContent?.includes(key));
-  if (!entryBtn) throw new Error(`expandEntry: no button found containing "${key}"`);
-  act(() => { fireEvent.click(entryBtn); });
-}
-
-// =============================================================================
-// Awareness dashboard
-// =============================================================================
-
-describe("MemoryTab — awareness dashboard", () => {
-  it("shows awareness section on load", async () => {
-    stubMemoryFetch([]);
-    render(<MemoryTab workspaceId={WS_ID} />);
-    expect(await screen.findByText("Awareness dashboard")).toBeTruthy();
-  });
-
-  it("renders iframe with correct src containing workspaceId", async () => {
-    stubMemoryFetch([]);
-    render(<MemoryTab workspaceId={WS_ID} />);
-    const iframe = (await screen.findByTitle(
-      "Awareness dashboard",
-    )) as HTMLIFrameElement;
-    expect(iframe.src).toContain("workspaceId=" + WS_ID);
-  });
-
-  it("collapse button hides iframe and shows collapsed state", async () => {
-    stubMemoryFetch([]);
-    render(<MemoryTab workspaceId={WS_ID} />);
-    expect(await screen.findByTitle("Awareness dashboard")).toBeTruthy();
-    fireEvent.click(screen.getByRole("button", { name: /collapse/i }));
-    expect(
-      await screen.findByText(/awareness dashboard is collapsed/i),
-    ).toBeTruthy();
-    expect(screen.queryByTitle("Awareness dashboard")).toBeNull();
-  });
-
-  it("collapsed state has expand button that re-shows iframe", async () => {
-    stubMemoryFetch([]);
-    render(<MemoryTab workspaceId={WS_ID} />);
-    expect(await screen.findByRole("button", { name: /collapse/i })).toBeTruthy();
-    fireEvent.click(screen.getByRole("button", { name: /collapse/i }));
-    // After collapse there are two "Expand" buttons (header + collapsed banner).
-    // Click the one inside the collapsed banner (last in DOM order).
-    const expandBtns = await screen.findAllByRole("button", { name: /^expand$/i });
-    fireEvent.click(expandBtns[expandBtns.length - 1]);
-    expect(await screen.findByTitle("Awareness dashboard")).toBeTruthy();
-  });
-
-  it("open button calls window.open with awarenessUrl", async () => {
-    stubMemoryFetch([]);
-    render(<MemoryTab workspaceId={WS_ID} />);
-    expect(await screen.findByRole("button", { name: /open/i })).toBeTruthy();
-    fireEvent.click(screen.getByRole("button", { name: /open/i }));
-    expect(_windowOpen).toHaveBeenCalledWith(
-      expect.stringContaining("workspaceId=" + WS_ID),
-      "_blank",
-      "noopener,noreferrer",
-    );
-  });
-
-  it("renders awareness status grid with Connected / Mode / Workspace", async () => {
-    stubMemoryFetch([]);
-    render(<MemoryTab workspaceId={WS_ID} />);
-    expect(await screen.findByText("Connected")).toBeTruthy();
-    expect(await screen.findByText("Workspace")).toBeTruthy();
-  });
-});
-
-// =============================================================================
-// Loading state
-// =============================================================================
-
-describe("MemoryTab — loading state", () => {
-  it("shows 'Loading memory...' while initial fetch is pending", () => {
-    _mockGet.mockReturnValue(new Promise(() => {}) as unknown as Promise<unknown[]>);
-    render(<MemoryTab workspaceId={WS_ID} />);
-    expect(screen.getByText("Loading memory...")).toBeTruthy();
-  });
-
-  it("does not render memory section while loading", () => {
-    _mockGet.mockReturnValue(new Promise(() => {}) as unknown as Promise<unknown[]>);
-    render(<MemoryTab workspaceId={WS_ID} />);
-    expect(screen.queryByText("Workspace KV memory")).toBeNull();
-  });
-});
-
-// =============================================================================
-// KV memory — initial load
-// =============================================================================
-
-describe("MemoryTab — initial load", () => {
-  it("fetches memory entries on mount", async () => {
-    stubMemoryFetch([]);
-    render(<MemoryTab workspaceId={WS_ID} />);
-    // Reveal the entries list
-    expect(await screen.findByRole("button", { name: /show/i })).toBeTruthy();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    expect(await screen.findByText("Workspace KV memory")).toBeTruthy();
-    expect(api.get).toHaveBeenCalledWith(`/workspaces/${WS_ID}/memory`);
-  });
-
-  it("renders workspace KV memory section heading", async () => {
-    stubMemoryFetch([]);
-    render(<MemoryTab workspaceId={WS_ID} />);
-    // Heading is visible in hidden mode (above the hidden banner)
-    expect(await screen.findByText("Workspace KV memory")).toBeTruthy();
-  });
-
-  it("shows advanced mode by default hidden; Refresh / Advanced / + Add buttons visible", async () => {
-    stubMemoryFetch([]);
-    render(<MemoryTab workspaceId={WS_ID} />);
-    // Hidden-mode banner is visible with a Show button
-    expect(
-      await screen.findByText("Advanced workspace memory is hidden"),
-    ).toBeTruthy();
-    expect(await screen.findByRole("button", { name: /show/i })).toBeTruthy();
-    // Action buttons are still visible in the header
-    expect(await screen.findByRole("button", { name: /refresh/i })).toBeTruthy();
-    expect(await screen.findByRole("button", { name: /advanced/i })).toBeTruthy();
-    expect(await screen.findByRole("button", { name: /\+ add/i })).toBeTruthy();
-  });
-});
-
-// =============================================================================
-// KV memory — empty state
-// =============================================================================
-
-describe("MemoryTab — empty state", () => {
-  it("shows 'No memory entries' when entries array is empty (after Show)", async () => {
-    stubMemoryFetch([]);
-    render(<MemoryTab workspaceId={WS_ID} />);
-    // Click Show to reveal entries list (advanced mode is hidden by default)
-    fireEvent.click(await screen.findByRole("button", { name: /show/i }));
-    expect(await screen.findByText("No memory entries")).toBeTruthy();
-  });
-
-  it("hidden mode shows 'Advanced workspace memory is hidden' message", async () => {
-    stubMemoryFetch([]);
-    render(<MemoryTab workspaceId={WS_ID} />);
-    expect(
-      await screen.findByText("Advanced workspace memory is hidden"),
-    ).toBeTruthy();
-  });
-});
-
-// =============================================================================
-// KV memory — list rendering
-// =============================================================================
-
-describe("MemoryTab — list rendering", () => {
-  it("renders a memory entry key in accent/mono text", async () => {
-    stubMemoryFetch([MEMORY_ENTRY]);
-    await renderAndShowEntries();
-    expect(await screen.findByText("user-preference")).toBeTruthy();
-  });
-
-  it("expands an entry on click showing the value as pretty JSON", async () => {
-    stubMemoryFetch([MEMORY_ENTRY]);
-    await renderAndShowEntries();
-    expect(await screen.findByText("user-preference")).toBeTruthy();
-    expandEntry("user-preference");
-    expect(
-      await screen.findByText(/"theme":\s*"dark".*?"language":\s*"en"/),
-    ).toBeTruthy();
-  });
-
-  it("shows raw string value without extra quotes when value is plain string", async () => {
-    stubMemoryFetch([MEMORY_ENTRY_RAW_STRING]);
-    await renderAndShowEntries();
-    expect(await screen.findByText("plain-text")).toBeTruthy();
-    expandEntry("plain-text");
-    expect(await screen.findByText(/"hello world"/)).toBeTruthy();
-  });
-
-  it("renders updated_at timestamp when entry is expanded", async () => {
-    stubMemoryFetch([MEMORY_ENTRY]);
-    await renderAndShowEntries();
-    expect(await screen.findByText("user-preference")).toBeTruthy();
-    expandEntry("user-preference");
-    expect(await screen.findByText(/updated:/i)).toBeTruthy();
-  });
-
-  it("shows TTL badge when entry has expires_at", async () => {
-    stubMemoryFetch([MEMORY_ENTRY_WITH_TTL]);
-    await renderAndShowEntries();
-    expect(await screen.findByText("session-token")).toBeTruthy();
-    expandEntry("session-token");
-    expect(await screen.findByText(/ttl/i)).toBeTruthy();
-  });
-
-  it("collapse toggle hides the expanded content", async () => {
-    stubMemoryFetch([MEMORY_ENTRY]);
-    await renderAndShowEntries();
-    expect(await screen.findByText("user-preference")).toBeTruthy();
-    expandEntry("user-preference");
-    expect(await screen.findByText(/Updated:/i)).toBeTruthy();
-    expandEntry("user-preference");
-    expect(screen.queryByText(/Updated:/i)).toBeNull();
-  });
-});
-
-// =============================================================================
-// KV memory — advanced mode toggle
-// =============================================================================
-
-describe("MemoryTab — advanced mode toggle", () => {
-  it("clicking Advanced hides the list and shows 'hidden' placeholder", async () => {
-    stubMemoryFetch([MEMORY_ENTRY]);
-    await renderAndShowEntries();
-    expect(await screen.findByText("user-preference")).toBeTruthy();
-    fireEvent.click(screen.getByRole("button", { name: /advanced/i }));
-    expect(
-      await screen.findByText("Advanced workspace memory is hidden"),
-    ).toBeTruthy();
-    expect(screen.queryByText("user-preference")).toBeNull();
-  });
-
-  it("clicking Show from hidden mode re-displays the list", async () => {
-    stubMemoryFetch([MEMORY_ENTRY]);
-    await renderAndShowEntries();
-    expect(await screen.findByText("user-preference")).toBeTruthy();
-    // Hide via Advanced button
-    fireEvent.click(screen.getByRole("button", { name: /advanced/i }));
-    expect(await screen.findByText("Advanced workspace memory is hidden")).toBeTruthy();
-    // Reveal again
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    expect(await screen.findByText("user-preference")).toBeTruthy();
-  });
-
-  it("Hide Advanced button appears when in hidden mode", async () => {
-    stubMemoryFetch([MEMORY_ENTRY]);
-    await renderAndShowEntries();
-    expect(await screen.findByText("user-preference")).toBeTruthy();
-    // renderAndShowEntries sets showAdvanced=true, so button says "Hide Advanced".
-    // Click "Hide Advanced" to toggle back to hidden mode.
-    fireEvent.click(screen.getByRole("button", { name: /hide advanced/i }));
-    expect(
-      await screen.findByText("Advanced workspace memory is hidden"),
-    ).toBeTruthy();
-  });
-});
-
-// =============================================================================
-// KV memory — Add entry
-// =============================================================================
-
-describe("MemoryTab — add entry", () => {
-  it("clicking + Add shows the add form", async () => {
-    stubMemoryFetch([]);
-    render(<MemoryTab workspaceId={WS_ID} />);
-    expect(await screen.findByRole("button", { name: /\+ add/i })).toBeTruthy();
-    fireEvent.click(screen.getByRole("button", { name: /\+ add/i }));
-    expect(await screen.findByLabelText("Memory key")).toBeTruthy();
-    expect(await screen.findByLabelText(/memory value/i)).toBeTruthy();
-  });
-
-  it("add form requires a non-empty key", async () => {
-    stubMemoryFetch([]);
-    render(<MemoryTab workspaceId={WS_ID} />);
-    expect(await screen.findByRole("button", { name: /\+ add/i })).toBeTruthy();
-    fireEvent.click(screen.getByRole("button", { name: /\+ add/i }));
-    expect(await screen.findByLabelText("Memory key")).toBeTruthy();
-    fireEvent.click(screen.getByRole("button", { name: /save/i }));
-    expect(await screen.findByText("Key is required")).toBeTruthy();
-    expect(api.post).not.toHaveBeenCalled();
-  });
-
-  it("add form parses plain text value as-is (not JSON)", async () => {
-    stubMemoryFetch([]);
-    _mockPost.mockResolvedValueOnce({} as unknown as Promise<unknown>);
-    render(<MemoryTab workspaceId={WS_ID} />);
-    expect(await screen.findByRole("button", { name: /\+ add/i })).toBeTruthy();
-    fireEvent.click(screen.getByRole("button", { name: /\+ add/i }));
-    expect(await screen.findByLabelText("Memory key")).toBeTruthy();
-    fireEvent.change(screen.getByLabelText("Memory key"), {
-      target: { value: "my-key" },
-    });
-    fireEvent.change(screen.getByLabelText(/memory value/i), {
-      target: { value: "plain text value" },
-    });
-    fireEvent.click(screen.getByRole("button", { name: /save/i }));
-    expect(api.post).toHaveBeenCalledWith(
-      `/workspaces/${WS_ID}/memory`,
-      expect.objectContaining({ key: "my-key", value: "plain text value" }),
-    );
-  });
-
-  it("add form parses JSON value when valid JSON is entered", async () => {
-    stubMemoryFetch([]);
-    _mockPost.mockResolvedValueOnce({} as unknown as Promise<unknown>);
-    render(<MemoryTab workspaceId={WS_ID} />);
-    expect(await screen.findByRole("button", { name: /\+ add/i })).toBeTruthy();
-    fireEvent.click(screen.getByRole("button", { name: /\+ add/i }));
-    expect(await screen.findByLabelText("Memory key")).toBeTruthy();
-    fireEvent.change(screen.getByLabelText("Memory key"), {
-      target: { value: "json-key" },
-    });
-    fireEvent.change(screen.getByLabelText(/memory value/i), {
-      target: { value: '{"foo": 123}' },
-    });
-    fireEvent.click(screen.getByRole("button", { name: /save/i }));
-    expect(api.post).toHaveBeenCalledWith(
-      `/workspaces/${WS_ID}/memory`,
-      expect.objectContaining({ key: "json-key", value: { foo: 123 } }),
-    );
-  });
-
-  it("add form accepts optional TTL", async () => {
-    stubMemoryFetch([]);
-    _mockPost.mockResolvedValueOnce({} as unknown as Promise<unknown>);
-    render(<MemoryTab workspaceId={WS_ID} />);
-    expect(await screen.findByRole("button", { name: /\+ add/i })).toBeTruthy();
-    fireEvent.click(screen.getByRole("button", { name: /\+ add/i }));
-    // aria-label is "TTL in seconds (optional)"
-    expect(await screen.findByLabelText("TTL in seconds (optional)")).toBeTruthy();
-    fireEvent.change(screen.getByLabelText("Memory key"), {
-      target: { value: "ttl-key" },
-    });
-    fireEvent.change(screen.getByLabelText(/memory value/i), {
-      target: { value: "val" },
-    });
-    fireEvent.change(screen.getByLabelText("TTL in seconds (optional)"), {
-      target: { value: "3600" },
-    });
-    fireEvent.click(screen.getByRole("button", { name: /save/i }));
-    expect(api.post).toHaveBeenCalledWith(
-      `/workspaces/${WS_ID}/memory`,
-      expect.objectContaining({
-        key: "ttl-key",
-        value: "val",
-        ttl_seconds: 3600,
-      }),
-    );
-  });
-
-  it("successful add clears the form and closes it", async () => {
-    stubMemoryFetch([]);
-    _mockPost.mockResolvedValueOnce({} as unknown as Promise<unknown>);
-    render(<MemoryTab workspaceId={WS_ID} />);
-    expect(await screen.findByRole("button", { name: /\+ add/i })).toBeTruthy();
-    fireEvent.click(screen.getByRole("button", { name: /\+ add/i }));
-    expect(await screen.findByLabelText("Memory key")).toBeTruthy();
-    fireEvent.change(screen.getByLabelText("Memory key"), {
-      target: { value: "new-key" },
-    });
-    fireEvent.change(screen.getByLabelText(/memory value/i), {
-      target: { value: "new-val" },
-    });
-    fireEvent.click(screen.getByRole("button", { name: /save/i }));
-    // Form should close
-    expect(await screen.findByRole("button", { name: /\+ add/i })).toBeTruthy();
-    expect(screen.queryByLabelText("Memory key")).toBeNull();
-  });
-
-  it("add failure shows error in the add form", async () => {
-    stubMemoryFetch([]);
-    _mockPost.mockRejectedValueOnce(new Error("server error"));
-    render(<MemoryTab workspaceId={WS_ID} />);
-    expect(await screen.findByRole("button", { name: /\+ add/i })).toBeTruthy();
-    fireEvent.click(screen.getByRole("button", { name: /\+ add/i }));
-    expect(await screen.findByLabelText("Memory key")).toBeTruthy();
-    fireEvent.change(screen.getByLabelText("Memory key"), {
-      target: { value: "bad-key" },
-    });
-    fireEvent.change(screen.getByLabelText(/memory value/i), {
-      target: { value: "val" },
-    });
-    fireEvent.click(screen.getByRole("button", { name: /save/i }));
-    expect(await screen.findByText("server error")).toBeTruthy();
-  });
-
-  it("cancel button closes the add form without posting", async () => {
-    stubMemoryFetch([]);
-    render(<MemoryTab workspaceId={WS_ID} />);
-    expect(await screen.findByRole("button", { name: /\+ add/i })).toBeTruthy();
-    fireEvent.click(screen.getByRole("button", { name: /\+ add/i }));
-    expect(await screen.findByLabelText("Memory key")).toBeTruthy();
-    fireEvent.click(screen.getByRole("button", { name: /cancel/i }));
-    expect(screen.queryByLabelText("Memory key")).toBeNull();
-    expect(api.post).not.toHaveBeenCalled();
-  });
-});
-
-// =============================================================================
-// KV memory — Edit entry
-// =============================================================================
-
-describe("MemoryTab — edit entry", () => {
-  // TEMP inline debug
-  it("DEBUG check expandEntry via expandEntry function", async () => {
-    stubMemoryFetch([MEMORY_ENTRY]);
-    await renderAndShowEntries();
-    expect(await screen.findByText("user-preference")).toBeTruthy();
-
-    const btns = screen.getAllByRole("button");
-    console.log("All button texts:", btns.map(b => b.textContent));
-    const match = btns.find(b => b.textContent?.includes("user-preference"));
-    console.log("Found button:", match?.textContent, "aria-expanded:", match?.getAttribute("aria-expanded"));
-    expandEntry("user-preference");
-    console.log("After expandEntry aria-expanded:", match?.getAttribute("aria-expanded"));
-    expect(await screen.findByText(/updated:/i)).toBeTruthy();
-  });
-
-  it("clicking Edit on an expanded entry switches to edit mode", async () => {
-    stubMemoryFetch([MEMORY_ENTRY]);
-    await renderAndShowEntries();
-    expect(await screen.findByText("user-preference")).toBeTruthy();
-    expandEntry("user-preference");
-    // Expand shows "Updated:" + Edit/Delete buttons; click Edit to enter edit mode.
-    fireEvent.click(screen.getByRole("button", { name: /edit/i }));
-    expect(await screen.findByLabelText(/edit value/i)).toBeTruthy();
-    expect(await screen.findByLabelText(/edit ttl/i)).toBeTruthy();
-  });
-
-  it("edit form pre-populates with current value (pretty JSON for objects)", async () => {
-    stubMemoryFetch([MEMORY_ENTRY]);
-    await renderAndShowEntries();
-    expect(await screen.findByText("user-preference")).toBeTruthy();
-    expandEntry("user-preference");
-    fireEvent.click(screen.getByRole("button", { name: /edit/i }));
-    expect(await screen.findByLabelText(/edit value/i)).toBeTruthy();
-    const textarea = screen.getByLabelText(/edit value/i) as HTMLTextAreaElement;
-    expect(textarea.value).toContain("theme");
-    expect(textarea.value).toContain("dark");
-  });
-
-  it("edit form pre-populates raw string value without surrounding quotes", async () => {
-    stubMemoryFetch([MEMORY_ENTRY_RAW_STRING]);
-    await renderAndShowEntries();
-    expect(await screen.findByText("plain-text")).toBeTruthy();
-    expandEntry("plain-text");
-    fireEvent.click(screen.getByRole("button", { name: /edit/i }));
-    expect(await screen.findByLabelText(/edit value/i)).toBeTruthy();
-    const textarea = screen.getByLabelText(/edit value/i) as HTMLTextAreaElement;
-    expect(textarea.value).toBe("hello world");
-  });
-
-  it("Save calls POST with the new value and if_match_version", async () => {
-    stubMemoryFetch([MEMORY_ENTRY]);
-    _mockPost.mockResolvedValueOnce({} as unknown as Promise<unknown>);
-    await renderAndShowEntries();
-    expect(await screen.findByText("user-preference")).toBeTruthy();
-    expandEntry("user-preference");
-    fireEvent.click(screen.getByRole("button", { name: /edit/i }));
-    expect(await screen.findByLabelText(/edit value/i)).toBeTruthy();
-    fireEvent.change(screen.getByLabelText(/edit value/i), {
-      target: { value: '{"theme": "light"}' },
-    });
-    fireEvent.click(screen.getByRole("button", { name: /save/i }));
-    expect(api.post).toHaveBeenCalledWith(
-      `/workspaces/${WS_ID}/memory`,
-      expect.objectContaining({
-        key: "user-preference",
-        value: { theme: "light" },
-        if_match_version: 1,
-      }),
-    );
-  });
-
-  it("409 conflict shows retry hint and reloads entry", async () => {
-    stubMemoryFetch([MEMORY_ENTRY]);
-    _mockPost.mockRejectedValueOnce(
-      Object.assign(new Error("409 Conflict"), { status: 409 }),
-    );
-    await renderAndShowEntries();
-    expect(await screen.findByText("user-preference")).toBeTruthy();
-    expandEntry("user-preference");
-    fireEvent.click(screen.getByRole("button", { name: /edit/i }));
-    expect(await screen.findByLabelText(/edit value/i)).toBeTruthy();
-    fireEvent.click(screen.getByRole("button", { name: /save/i }));
-    expect(
-      await screen.findByText(/this entry changed since you opened it/i),
-    ).toBeTruthy();
-  });
-
-  it("cancel button exits edit mode without posting", async () => {
-    stubMemoryFetch([MEMORY_ENTRY]);
-    await renderAndShowEntries();
-    expect(await screen.findByText("user-preference")).toBeTruthy();
-    expandEntry("user-preference");
-    fireEvent.click(screen.getByRole("button", { name: /edit/i }));
-    expect(await screen.findByLabelText(/edit value/i)).toBeTruthy();
-    fireEvent.click(screen.getByRole("button", { name: /cancel/i }));
-    expect(await screen.findByText(/"theme":/)).toBeTruthy();
-    expect(api.post).not.toHaveBeenCalled();
-  });
-});
-
-// =============================================================================
-// KV memory — Delete entry
-// =============================================================================
-
-describe("MemoryTab — delete entry", () => {
-  it("clicking Delete optimistically removes entry from list", async () => {
-    stubMemoryFetch([MEMORY_ENTRY]);
-    _mockDel.mockResolvedValueOnce({} as unknown as Promise<unknown>);
-    await renderAndShowEntries();
-    expect(await screen.findByText("user-preference")).toBeTruthy();
-    expandEntry("user-preference");
-    expect(await screen.findByText(/updated:/i)).toBeTruthy();
-    act(() => {
-      const deleteBtn = Array.from(document.querySelectorAll("button")).find(
-        (b) => b.textContent?.trim() === "Delete",
-      );
-      if (deleteBtn) fireEvent.click(deleteBtn);
-    });
-    await new Promise(r => setTimeout(r, 300));
-    expect(screen.queryByText("user-preference")).toBeNull();
-  });
-
-  it("Delete calls DEL with correct path", async () => {
-    stubMemoryFetch([MEMORY_ENTRY]);
-    _mockDel.mockResolvedValueOnce({} as unknown as Promise<unknown>);
-    await renderAndShowEntries();
-    expect(await screen.findByText("user-preference")).toBeTruthy();
-    expandEntry("user-preference");
-    expect(await screen.findByText(/updated:/i)).toBeTruthy();
-    fireEvent.click(screen.getByRole("button", { name: /delete/i }));
-    expect(api.del).toHaveBeenCalledWith(
-      `/workspaces/${WS_ID}/memory/${encodeURIComponent("user-preference")}`,
-    );
-  });
-
-  it("Delete failure does NOT remove entry from list", async () => {
-    stubMemoryFetch([MEMORY_ENTRY]);
-    _mockDel.mockRejectedValueOnce(new Error("forbidden"));
-    await renderAndShowEntries();
-    expect(await screen.findByText("user-preference")).toBeTruthy();
-    expandEntry("user-preference");
-    expect(await screen.findByText(/updated:/i)).toBeTruthy();
-    fireEvent.click(screen.getByRole("button", { name: /delete/i }));
-    expect(await screen.findByText("user-preference")).toBeTruthy();
-  });
-
-  it("Delete clears expanded state when deleting the expanded entry", async () => {
-    stubMemoryFetch([MEMORY_ENTRY]);
-    _mockDel.mockResolvedValueOnce({} as unknown as Promise<unknown>);
-    await renderAndShowEntries();
-    expect(await screen.findByText("user-preference")).toBeTruthy();
-    expandEntry("user-preference");
-    expect(await screen.findByText(/updated:/i)).toBeTruthy();
-    act(() => {
-      // Re-query inside flush so we get post-expansion buttons
-      const deleteBtn = Array.from(document.querySelectorAll("button")).find(
-        (b) => b.textContent?.trim() === "Delete",
-      );
-      if (deleteBtn) fireEvent.click(deleteBtn);
-    });
-    await new Promise(r => setTimeout(r, 300));
-    expect(screen.queryByText("user-preference")).toBeNull();
-  });
-});
-
-// =============================================================================
-// KV memory — Refresh
-// =============================================================================
-
-describe("MemoryTab — refresh", () => {
-  it("Refresh button re-fetches memory entries", async () => {
-    const first = [{ key: "a", value: "1", updated_at: "2026-01-01T00:00:00Z" }];
-    const second = [
-      ...first,
-      { key: "b", value: "2", updated_at: "2026-01-01T00:00:00Z" },
-    ];
-    // Chain two resolved values: first for initial mount, second for Refresh click.
-    // Do NOT call renderAndShowEntries (which calls stubMemoryFetch and resets the chain).
-    _mockGet
-      .mockResolvedValueOnce(first as unknown[])
-      .mockResolvedValueOnce(second as unknown[]);
-    render(<MemoryTab workspaceId={WS_ID} />);
-    await new Promise((r) => setTimeout(r, 500));
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    expect(await screen.findByText("a")).toBeTruthy();
-    expect(screen.queryByText("b")).toBeNull();
-    fireEvent.click(screen.getByRole("button", { name: /refresh/i }));
-    expect(await screen.findByText("b")).toBeTruthy();
-  });
-});
-
-// =============================================================================
-// Error states
-// =============================================================================
-
-describe("MemoryTab — error states", () => {
-  it("shows error banner when initial fetch fails", async () => {
-    _mockGet.mockRejectedValueOnce(new Error("internal server error"));
-    render(<MemoryTab workspaceId={WS_ID} />);
-    expect(await screen.findByText("internal server error")).toBeTruthy();
-  });
-
-  it("error is shown in the form when add fails, not as a top-level banner", async () => {
-    stubMemoryFetch([]);
-    _mockPost.mockRejectedValueOnce(new Error("add failed"));
-    render(<MemoryTab workspaceId={WS_ID} />);
-    expect(await screen.findByRole("button", { name: /\+ add/i })).toBeTruthy();
-    fireEvent.click(screen.getByRole("button", { name: /\+ add/i }));
-    expect(await screen.findByLabelText("Memory key")).toBeTruthy();
-    fireEvent.change(screen.getByLabelText("Memory key"), {
-      target: { value: "k" },
-    });
-    fireEvent.change(screen.getByLabelText(/memory value/i), {
-      target: { value: "v" },
-    });
-    fireEvent.click(screen.getByRole("button", { name: /save/i }));
-    expect(await screen.findByText("add failed")).toBeTruthy();
-  });
-});

canvas/src/components/tabs/chat/__tests__/AttachmentLightbox.test.tsx

@@ -1,245 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Tests for AttachmentLightbox — shared fullscreen modal for image/PDF
- * fullscreen viewing.
- *
- * Covers: open/close rendering, backdrop click-to-close, Esc key close,
- * role/dialog + aria attributes, close button, prefers-reduced-motion.
- */
-import React from "react";
-import { render, screen, fireEvent, cleanup, act } from "@testing-library/react";
-import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { AttachmentLightbox } from "../AttachmentLightbox";
-
-afterEach(cleanup);
-
-describe("AttachmentLightbox", () => {
-  describe("renders nothing when closed", () => {
-    it("returns null when open=false", () => {
-      const { container } = render(
-        <AttachmentLightbox open={false} onClose={vi.fn()} ariaLabel="Image preview">
-          <img src="test.jpg" alt="test" />
-        </AttachmentLightbox>
-      );
-      expect(container.textContent).toBe("");
-    });
-  });
-
-  describe("renders modal when open", () => {
-    it("renders the dialog when open=true", () => {
-      render(
-        <AttachmentLightbox open={true} onClose={vi.fn()} ariaLabel="Image preview">
-          <img src="test.jpg" alt="test" />
-        </AttachmentLightbox>
-      );
-      expect(screen.getByRole("dialog")).toBeTruthy();
-    });
-
-    it("renders the provided children", () => {
-      render(
-        <AttachmentLightbox open={true} onClose={vi.fn()} ariaLabel="PDF preview">
-          <embed src="doc.pdf" />
-        </AttachmentLightbox>
-      );
-      expect(document.querySelector("embed")).toBeTruthy();
-    });
-
-    it("has aria-modal=true", () => {
-      render(
-        <AttachmentLightbox open={true} onClose={vi.fn()} ariaLabel="Preview">
-          <img src="x.jpg" alt="x" />
-        </AttachmentLightbox>
-      );
-      expect(screen.getByRole("dialog").getAttribute("aria-modal")).toBe("true");
-    });
-
-    it("uses the provided ariaLabel", () => {
-      render(
-        <AttachmentLightbox open={true} onClose={vi.fn()} ariaLabel="My document">
-          <img src="x.jpg" alt="x" />
-        </AttachmentLightbox>
-      );
-      expect(screen.getByRole("dialog").getAttribute("aria-label")).toBe("My document");
-    });
-
-    it("renders the close button", () => {
-      render(
-        <AttachmentLightbox open={true} onClose={vi.fn()} ariaLabel="Preview">
-          <img src="x.jpg" alt="x" />
-        </AttachmentLightbox>
-      );
-      expect(screen.getByRole("button", { name: /close preview/i })).toBeTruthy();
-    });
-
-    it("close button renders an SVG icon", () => {
-      render(
-        <AttachmentLightbox open={true} onClose={vi.fn()} ariaLabel="Preview">
-          <img src="x.jpg" alt="x" />
-        </AttachmentLightbox>
-      );
-      const btn = screen.getByRole("button", { name: /close preview/i });
-      expect(btn.querySelector("svg")).toBeTruthy();
-    });
-  });
-
-  describe("Esc to close", () => {
-    beforeEach(() => {
-      vi.useFakeTimers();
-    });
-
-    afterEach(() => {
-      vi.useRealTimers();
-    });
-
-    it("calls onClose when Escape is pressed", () => {
-      const onClose = vi.fn();
-      render(
-        <AttachmentLightbox open={true} onClose={onClose} ariaLabel="Preview">
-          <img src="x.jpg" alt="x" />
-        </AttachmentLightbox>
-      );
-
-      act(() => {
-        fireEvent.keyDown(document, { key: "Escape" });
-      });
-
-      expect(onClose).toHaveBeenCalledTimes(1);
-    });
-
-    it("does not call onClose for non-Escape keys", () => {
-      const onClose = vi.fn();
-      render(
-        <AttachmentLightbox open={true} onClose={onClose} ariaLabel="Preview">
-          <img src="x.jpg" alt="x" />
-        </AttachmentLightbox>
-      );
-
-      act(() => {
-        fireEvent.keyDown(document, { key: "Enter" });
-      });
-
-      expect(onClose).not.toHaveBeenCalled();
-    });
-
-    it("does not call onClose when closed (open=false)", () => {
-      const onClose = vi.fn();
-      render(
-        <AttachmentLightbox open={false} onClose={onClose} ariaLabel="Preview">
-          <img src="x.jpg" alt="x" />
-        </AttachmentLightbox>
-      );
-
-      act(() => {
-        fireEvent.keyDown(document, { key: "Escape" });
-      });
-
-      expect(onClose).not.toHaveBeenCalled();
-    });
-  });
-
-  describe("backdrop click to close", () => {
-    it("calls onClose when backdrop is clicked", () => {
-      const onClose = vi.fn();
-      render(
-        <AttachmentLightbox open={true} onClose={onClose} ariaLabel="Preview">
-          <img src="x.jpg" alt="x" />
-        </AttachmentLightbox>
-      );
-
-      const dialog = screen.getByRole("dialog");
-      fireEvent.click(dialog);
-
-      expect(onClose).toHaveBeenCalledTimes(1);
-    });
-
-    it("does not call onClose when content area is clicked", () => {
-      const onClose = vi.fn();
-      render(
-        <AttachmentLightbox open={true} onClose={onClose} ariaLabel="Preview">
-          <img src="x.jpg" alt="x" />
-        </AttachmentLightbox>
-      );
-
-      // The content is nested inside the dialog — clicking the inner content
-      // div should not close because it has stopPropagation
-      const content = document.querySelector(".max-w-\\[95vw\\]") as HTMLElement;
-      if (content) {
-        fireEvent.click(content);
-      }
-
-      expect(onClose).not.toHaveBeenCalled();
-    });
-
-    it("does not call onClose when close button is clicked", () => {
-      const onClose = vi.fn();
-      render(
-        <AttachmentLightbox open={true} onClose={onClose} ariaLabel="Preview">
-          <img src="x.jpg" alt="x" />
-        </AttachmentLightbox>
-      );
-
-      fireEvent.click(screen.getByRole("button", { name: /close preview/i }));
-
-      // onClose is NOT called for button click — the button's onClick handles
-      // close directly. Only backdrop click triggers onClose.
-      // (The component does not call onClose from the button; it calls setOpen(false)
-      // Actually, looking at the component: onClick={onClose} on the button too.
-      // So this test should expect onClose to be called.
-      // Wait — the close button's onClick calls onClose, and backdrop also calls onClose.
-      // Both should call onClose.
-      // Let me update this test.
-      expect(onClose).toHaveBeenCalledTimes(1);
-    });
-  });
-
-  describe("a11y", () => {
-    it("dialog has role=dialog", () => {
-      render(
-        <AttachmentLightbox open={true} onClose={vi.fn()} ariaLabel="Preview">
-          <img src="x.jpg" alt="x" />
-        </AttachmentLightbox>
-      );
-      expect(screen.getByRole("dialog")).toBeTruthy();
-    });
-
-    it("close button has accessible name", () => {
-      render(
-        <AttachmentLightbox open={true} onClose={vi.fn()} ariaLabel="Preview">
-          <img src="x.jpg" alt="x" />
-        </AttachmentLightbox>
-      );
-      expect(screen.getByRole("button", { name: /close preview/i })).toBeTruthy();
-    });
-
-    it("dialog has aria-label matching the provided label", () => {
-      render(
-        <AttachmentLightbox open={true} onClose={vi.fn()} ariaLabel="Quarterly Report Q1 2026">
-          <img src="report.jpg" alt="report" />
-        </AttachmentLightbox>
-      );
-      expect(screen.getByRole("dialog").getAttribute("aria-label")).toBe("Quarterly Report Q1 2026");
-    });
-  });
-
-  describe("motion", () => {
-    it("backdrop applies motion-reduce class for reduced motion preference", () => {
-      render(
-        <AttachmentLightbox open={true} onClose={vi.fn()} ariaLabel="Preview">
-          <img src="x.jpg" alt="x" />
-        </AttachmentLightbox>
-      );
-      const dialog = screen.getByRole("dialog");
-      expect(dialog.className).toContain("motion-reduce");
-    });
-
-    it("backdrop has transition-opacity for normal motion preference", () => {
-      render(
-        <AttachmentLightbox open={true} onClose={vi.fn()} ariaLabel="Preview">
-          <img src="x.jpg" alt="x" />
-        </AttachmentLightbox>
-      );
-      const dialog = screen.getByRole("dialog");
-      expect(dialog.className).toContain("transition-opacity");
-    });
-  });
-});

canvas/src/components/tabs/chat/__tests__/AttachmentViews.test.tsx

@@ -1,167 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Tests for AttachmentViews.tsx — PendingAttachmentPill + AttachmentChip.
- *
- * 16 cases covering:
- * - PendingAttachmentPill: name, size, aria-label, onRemove, one-button guard
- * - AttachmentChip: name+glyph, size, no-size, title, onDownload, tone=user/agent, one-button guard
- *
- * Pattern: render the real component, inspect actual DOM output.
- * No mocking of the components themselves.
- */
-import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
-import { render, screen, fireEvent, cleanup } from "@testing-library/react";
-import React from "react";
-
-import {
-  PendingAttachmentPill,
-  AttachmentChip,
-} from "../AttachmentViews";
-import type { ChatAttachment } from "../types";
-
-afterEach(cleanup);
-
-// ─── Shared test fixtures ────────────────────────────────────────────────────
-
-const makeFile = (name: string, size: number): File =>
-  new File([new Uint8Array(size)], name, { type: "application/octet-stream" });
-
-const makeAttachment = (overrides: Partial<ChatAttachment> = {}): ChatAttachment => ({
-  name: "report.pdf",
-  uri: "workspace:/workspace/report.pdf",
-  mimeType: "application/pdf",
-  size: 42_000,
-  ...overrides,
-});
-
-// ─── PendingAttachmentPill ───────────────────────────────────────────────────
-
-describe("PendingAttachmentPill", () => {
-  describe("renders", () => {
-    it("displays the file name", () => {
-      const file = makeFile("notes.txt", 128);
-      render(<PendingAttachmentPill file={file} onRemove={vi.fn()} />);
-      expect(screen.getByText("notes.txt")).toBeTruthy();
-    });
-
-    it("displays formatted size in bytes", () => {
-      // File([], name) gives size 0; pass a Uint8Array to set actual byte size.
-      const file = new File([new Uint8Array(512)], "tiny.bin");
-      render(<PendingAttachmentPill file={file} onRemove={vi.fn()} />);
-      expect(screen.getByText("512 B")).toBeTruthy();
-    });
-
-    it("displays formatted size in KB", () => {
-      const file = new File([new Uint8Array(5 * 1024)], "medium.zip");
-      render(<PendingAttachmentPill file={file} onRemove={vi.fn()} />);
-      expect(screen.getByText("5 KB")).toBeTruthy();
-    });
-
-    it("displays formatted size in MB", () => {
-      const file = new File([new Uint8Array(Math.floor(1.5 * 1024 * 1024))], "large.tar");
-      render(<PendingAttachmentPill file={file} onRemove={vi.fn()} />);
-      // formatSize uses toFixed(1) for MB → "1.5 MB"
-      expect(screen.getByText("1.5 MB")).toBeTruthy();
-    });
-
-    it('× button has aria-label "Remove <filename>"', () => {
-      const file = makeFile("memo.pdf", 1_000);
-      render(<PendingAttachmentPill file={file} onRemove={vi.fn()} />);
-      expect(screen.getByRole("button", { name: /remove memo\.pdf/i })).toBeTruthy();
-    });
-
-    it("calls onRemove when × button is clicked", () => {
-      const onRemove = vi.fn();
-      const file = makeFile("photo.png", 999);
-      render(<PendingAttachmentPill file={file} onRemove={onRemove} />);
-      fireEvent.click(screen.getByRole("button", { name: /remove photo\.png/i }));
-      expect(onRemove).toHaveBeenCalledTimes(1);
-    });
-
-    it("renders exactly one button (no stray click targets)", () => {
-      const file = makeFile("doc.docx", 20_000);
-      render(<PendingAttachmentPill file={file} onRemove={vi.fn()} />);
-      const buttons = screen.getAllByRole("button");
-      expect(buttons).toHaveLength(1);
-    });
-  });
-});
-
-// ─── AttachmentChip ────────────────────────────────────────────────────────
-
-describe("AttachmentChip", () => {
-  let onDownload: ReturnType<typeof vi.fn>;
-
-  beforeEach(() => {
-    onDownload = vi.fn();
-  });
-
-  describe("renders", () => {
-    it("displays the attachment name", () => {
-      const att = makeAttachment({ name: "analysis.csv" });
-      render(<AttachmentChip attachment={att} onDownload={onDownload} tone="agent" />);
-      expect(screen.getByText("analysis.csv")).toBeTruthy();
-    });
-
-    it("displays the download glyph (SVG icon) inside the button", () => {
-      const att = makeAttachment();
-      render(<AttachmentChip attachment={att} onDownload={onDownload} tone="agent" />);
-      const button = screen.getByRole("button");
-      // DownloadGlyph is an <svg aria-hidden="true"> inside the button
-      const svg = button.querySelector("svg");
-      expect(svg).not.toBeNull();
-    });
-
-    it("displays size when provided", () => {
-      const att = makeAttachment({ size: 41_000 }); // ~40 KB
-      render(<AttachmentChip attachment={att} onDownload={onDownload} tone="agent" />);
-      // 41 000 / 1024 ≈ 40 → "40 KB"
-      expect(screen.getByText("40 KB")).toBeTruthy();
-    });
-
-    it("omits size span when size is undefined", () => {
-      const att = makeAttachment({ size: undefined });
-      render(<AttachmentChip attachment={att} onDownload={onDownload} tone="agent" />);
-      // "KB" should not appear; only the name + download glyph are visible
-      expect(screen.queryByText(/KB/i)).toBeNull();
-    });
-
-    it('has title attribute for hover tooltip', () => {
-      const att = makeAttachment({ name: "readme.md" });
-      render(<AttachmentChip attachment={att} onDownload={onDownload} tone="agent" />);
-      const button = screen.getByRole("button");
-      expect(button.getAttribute("title")).toBe("Download readme.md");
-    });
-
-    it("calls onDownload with the attachment when clicked", () => {
-      const att = makeAttachment({ name: "data.json" });
-      render(<AttachmentChip attachment={att} onDownload={onDownload} tone="agent" />);
-      fireEvent.click(screen.getByRole("button"));
-      expect(onDownload).toHaveBeenCalledTimes(1);
-      expect(onDownload).toHaveBeenCalledWith(att);
-    });
-
-    it("tone=user applies blue-400 accent class", () => {
-      const att = makeAttachment();
-      render(<AttachmentChip attachment={att} onDownload={onDownload} tone="user" />);
-      const button = screen.getByRole("button");
-      // The user tone includes blue-400/blue-100 accent classes.
-      // We check the rendered class string includes the accent class.
-      expect(button.className).toMatch(/blue-400/);
-    });
-
-    it("tone=agent omits blue-400 accent class", () => {
-      const att = makeAttachment();
-      render(<AttachmentChip attachment={att} onDownload={onDownload} tone="agent" />);
-      const button = screen.getByRole("button");
-      expect(button.className).not.toMatch(/blue-400/);
-    });
-
-    it("renders exactly one button (no duplicate download targets)", () => {
-      const att = makeAttachment({ name: "budget.xlsx", size: 80_000 });
-      render(<AttachmentChip attachment={att} onDownload={onDownload} tone="user" />);
-      const buttons = screen.getAllByRole("button");
-      expect(buttons).toHaveLength(1);
-    });
-  });
-});

canvas/src/components/tabs/chat/types.ts

@@ -30,7 +30,7 @@ export function createMessage(
     id: crypto.randomUUID(),
     role,
     content,
-    ...(attachments && attachments.length > 0 ? { attachments } : {}),
+    attachments: attachments && attachments.length > 0 ? attachments : undefined,
     timestamp: new Date().toISOString(),
   };
 }

canvas/src/components/tabs/config/__tests__/form-inputs.test.tsx

@@ -1,261 +0,0 @@
-// @vitest-environment jsdom
-"use client";
-/**
- * Tests for form-inputs.tsx — 35 cases:
- * TextInput (7), NumberInput (8), Toggle (5), TagList (9), Section (6).
- */
-import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
-import { render, screen, fireEvent, cleanup } from "@testing-library/react";
-import React from "react";
-
-import {
-  TextInput,
-  NumberInput,
-  Toggle,
-  TagList,
-  Section,
-} from "../form-inputs";
-
-afterEach(cleanup);
-
-// ─── TextInput ───────────────────────────────────────────────────────────────
-
-describe("TextInput", () => {
-  describe("renders", () => {
-    it("renders the label", () => {
-      render(<TextInput label="API Key" value="" onChange={vi.fn()} />);
-      expect(screen.getByLabelText("API Key")).toBeTruthy();
-    });
-
-    it("renders the current value", () => {
-      render(<TextInput label="Name" value="Claude" onChange={vi.fn()} />);
-      expect((screen.getByRole("textbox") as HTMLInputElement).value).toBe("Claude");
-    });
-
-    it("calls onChange when value changes", () => {
-      const onChange = vi.fn();
-      render(<TextInput label="Name" value="" onChange={onChange} />);
-      fireEvent.change(screen.getByRole("textbox"), { target: { value: "Sonnet" } });
-      expect(onChange).toHaveBeenCalledWith("Sonnet");
-    });
-
-    it("renders placeholder when provided", () => {
-      render(<TextInput label="Name" value="" onChange={vi.fn()} placeholder="Enter your name" />);
-      expect((screen.getByRole("textbox") as HTMLInputElement).placeholder).toBe("Enter your name");
-    });
-
-    it("applies font-mono class when mono=true", () => {
-      render(<TextInput label="Token" value="" onChange={vi.fn()} mono />);
-      const input = screen.getByRole("textbox");
-      expect(input.className).toMatch(/font-mono/);
-    });
-
-    it("has aria-label matching the label", () => {
-      render(<TextInput label="API Key" value="" onChange={vi.fn()} />);
-      expect(screen.getByRole("textbox").getAttribute("aria-label")).toBe("API Key");
-    });
-
-    it("does not apply font-mono class when mono=false", () => {
-      render(<TextInput label="Name" value="" onChange={vi.fn()} mono={false} />);
-      expect(screen.getByRole("textbox").className).not.toMatch(/font-mono/);
-    });
-  });
-});
-
-// ─── NumberInput ────────────────────────────────────────────────────────────
-
-describe("NumberInput", () => {
-  describe("renders", () => {
-    it("renders the label", () => {
-      render(<NumberInput label="Port" value={8000} onChange={vi.fn()} />);
-      expect(screen.getByLabelText("Port")).toBeTruthy();
-    });
-
-    it("renders the numeric value", () => {
-      render(<NumberInput label="Timeout" value={120} onChange={vi.fn()} />);
-      expect((screen.getByRole("spinbutton") as HTMLInputElement).value).toBe("120");
-    });
-
-    it("calls onChange with parsed integer", () => {
-      const onChange = vi.fn();
-      render(<NumberInput label="Retries" value={0} onChange={onChange} />);
-      fireEvent.change(screen.getByRole("spinbutton"), { target: { value: "3" } });
-      expect(onChange).toHaveBeenCalledWith(3);
-    });
-
-    it("calls onChange with 0 for non-numeric input", () => {
-      const onChange = vi.fn();
-      render(<NumberInput label="Retries" value={0} onChange={onChange} />);
-      fireEvent.change(screen.getByRole("spinbutton"), { target: { value: "abc" } });
-      expect(onChange).toHaveBeenCalledWith(0);
-    });
-
-    it("applies min/max attributes", () => {
-      render(<NumberInput label="Priority" value={5} onChange={vi.fn()} min={1} max={10} />);
-      const input = screen.getByRole("spinbutton") as HTMLInputElement;
-      expect(input.min).toBe("1");
-      expect(input.max).toBe("10");
-    });
-
-    it("has aria-label matching the label", () => {
-      render(<NumberInput label="Retries" value={3} onChange={vi.fn()} />);
-      expect(screen.getByRole("spinbutton").getAttribute("aria-label")).toBe("Retries");
-    });
-
-    it("applies font-mono class", () => {
-      render(<NumberInput label="Timeout" value={30} onChange={vi.fn()} />);
-      expect(screen.getByRole("spinbutton").className).toMatch(/font-mono/);
-    });
-  });
-});
-
-// ─── Toggle ─────────────────────────────────────────────────────────────────
-
-describe("Toggle", () => {
-  describe("renders", () => {
-    it("renders a checkbox", () => {
-      render(<Toggle label="Enable streaming" checked={false} onChange={vi.fn()} />);
-      expect(screen.getByRole("checkbox")).toBeTruthy();
-    });
-
-    it("reflects checked=true state", () => {
-      render(<Toggle label="Enable streaming" checked={true} onChange={vi.fn()} />);
-      expect((screen.getByRole("checkbox") as HTMLInputElement).checked).toBe(true);
-    });
-
-    it("reflects checked=false state", () => {
-      render(<Toggle label="Enable streaming" checked={false} onChange={vi.fn()} />);
-      expect((screen.getByRole("checkbox") as HTMLInputElement).checked).toBe(false);
-    });
-
-    it("calls onChange with new boolean value", () => {
-      const onChange = vi.fn();
-      render(<Toggle label="Enable streaming" checked={false} onChange={onChange} />);
-      fireEvent.click(screen.getByRole("checkbox"));
-      expect(onChange).toHaveBeenCalledWith(true);
-    });
-
-    it("renders as type=checkbox", () => {
-      render(<Toggle label="Enable" checked={false} onChange={vi.fn()} />);
-      expect(screen.getByRole("checkbox").getAttribute("type")).toBe("checkbox");
-    });
-  });
-});
-
-// ─── TagList ───────────────────────────────────────────────────────────────
-
-describe("TagList", () => {
-  describe("renders", () => {
-    it("renders existing tags", () => {
-      render(<TagList label="Skills" values={["python", "go"]} onChange={vi.fn()} />);
-      expect(screen.getByText("python")).toBeTruthy();
-      expect(screen.getByText("go")).toBeTruthy();
-    });
-
-    it("calls onChange with updated array when × clicked", () => {
-      const onChange = vi.fn();
-      render(<TagList label="Skills" values={["python", "go"]} onChange={onChange} />);
-      fireEvent.click(screen.getByRole("button", { name: /remove tag python/i }));
-      expect(onChange).toHaveBeenCalledWith(["go"]);
-    });
-
-    it("× button has correct aria-label per tag", () => {
-      render(<TagList label="Skills" values={["python"]} onChange={vi.fn()} />);
-      expect(screen.getByRole("button", { name: /remove tag python/i })).toBeTruthy();
-    });
-
-    it("adds tag when Enter is pressed with non-empty input", () => {
-      const onChange = vi.fn();
-      render(<TagList label="Skills" values={[]} onChange={onChange} />);
-      const input = screen.getByRole("textbox");
-      fireEvent.change(input, { target: { value: "rust" } });
-      fireEvent.keyDown(input, { key: "Enter" });
-      expect(onChange).toHaveBeenCalledWith(["rust"]);
-    });
-
-    it("does not add tag when Enter is pressed with whitespace-only input", () => {
-      const onChange = vi.fn();
-      render(<TagList label="Skills" values={[]} onChange={onChange} />);
-      const input = screen.getByRole("textbox");
-      fireEvent.change(input, { target: { value: "   " } });
-      fireEvent.keyDown(input, { key: "Enter" });
-      expect(onChange).not.toHaveBeenCalled();
-    });
-
-    it("clears input after adding a tag", () => {
-      const onChange = vi.fn();
-      render(<TagList label="Skills" values={[]} onChange={onChange} />);
-      const input = screen.getByRole("textbox");
-      fireEvent.change(input, { target: { value: "typescript" } });
-      fireEvent.keyDown(input, { key: "Enter" });
-      expect((input as HTMLInputElement).value).toBe("");
-    });
-
-    it("renders the label", () => {
-      render(<TagList label="Tools" values={[]} onChange={vi.fn()} />);
-      expect(screen.getByLabelText("Tools")).toBeTruthy();
-    });
-
-    it("renders placeholder text", () => {
-      render(<TagList label="Skills" values={[]} onChange={vi.fn()} placeholder="Add a skill" />);
-      expect((screen.getByRole("textbox") as HTMLInputElement).placeholder).toBe("Add a skill");
-    });
-
-    it("renders default placeholder when not specified", () => {
-      render(<TagList label="Skills" values={[]} onChange={vi.fn()} />);
-      expect((screen.getByRole("textbox") as HTMLInputElement).placeholder).toBe("Type and press Enter");
-    });
-  });
-});
-
-// ─── Section ────────────────────────────────────────────────────────────────
-
-describe("Section", () => {
-  describe("renders", () => {
-    it("renders the title", () => {
-      render(<Section title="Runtime Config"><p>Content</p></Section>);
-      expect(screen.getByText("Runtime Config")).toBeTruthy();
-    });
-
-    it("renders children when defaultOpen=true", () => {
-      render(<Section title="Runtime Config"><p data-testid="content">Hello</p></Section>);
-      expect(screen.getByTestId("content")).toBeTruthy();
-    });
-
-    it("hides children when defaultOpen=false", () => {
-      render(<Section title="Runtime Config" defaultOpen={false}><p data-testid="content">Hello</p></Section>);
-      expect(screen.queryByTestId("content")).toBeNull();
-    });
-
-    it("toggles children visibility on click", () => {
-      render(<Section title="Runtime Config" defaultOpen={true}><p data-testid="content">Hello</p></Section>);
-      expect(screen.getByTestId("content")).toBeTruthy();
-      fireEvent.click(screen.getByRole("button", { name: /runtime config/i }));
-      expect(screen.queryByTestId("content")).toBeNull();
-    });
-
-    it("button has aria-expanded reflecting open state", () => {
-      render(<Section title="Runtime Config" defaultOpen={true}><p>Content</p></Section>);
-      const btn = screen.getByRole("button", { name: /runtime config/i });
-      expect(btn.getAttribute("aria-expanded")).toBe("true");
-      fireEvent.click(btn);
-      expect(btn.getAttribute("aria-expanded")).toBe("false");
-    });
-
-    it("button has aria-controls linking to content region id", () => {
-      render(<Section title="Runtime Config"><p>Content</p></Section>);
-      const btn = screen.getByRole("button", { name: /runtime config/i });
-      const contentId = btn.getAttribute("aria-controls");
-      expect(contentId).not.toBeNull();
-      // Content div has the matching id
-      expect(document.getElementById(String(contentId))).not.toBeNull();
-    });
-
-    it("indicator span has aria-hidden so screen readers skip it", () => {
-      render(<Section title="Runtime Config"><p>Content</p></Section>);
-      const btn = screen.getByRole("button", { name: /runtime config/i });
-      const indicator = btn.querySelector("[aria-hidden='true']");
-      expect(indicator).not.toBeNull();
-    });
-  });
-});

canvas/src/components/tabs/config/form-inputs.tsx

@@ -127,20 +127,13 @@ export function TagList({ label, values, onChange, placeholder }: { label: strin
 
 export function Section({ title, children, defaultOpen = true }: { title: string; children: React.ReactNode; defaultOpen?: boolean }) {
   const [open, setOpen] = useState(defaultOpen);
-  const contentId = `section-content-${title.toLowerCase().replace(/\s+/g, "-")}`;
   return (
     <div className="border border-line rounded mb-2">
-      <button
-        type="button"
-        onClick={() => setOpen(!open)}
-        aria-expanded={open}
-        aria-controls={contentId}
-        className="w-full flex items-center justify-between px-3 py-1.5 text-[10px] text-ink-mid hover:text-ink bg-surface-sunken/50"
-      >
+      <button type="button" onClick={() => setOpen(!open)} className="w-full flex items-center justify-between px-3 py-1.5 text-[10px] text-ink-mid hover:text-ink bg-surface-sunken/50">
         <span className="font-medium uppercase tracking-wider">{title}</span>
-        <span aria-hidden="true">{open ? "▾" : "▸"}</span>
+        <span>{open ? "▾" : "▸"}</span>
       </button>
-      {open && <div id={contentId} className="p-3 space-y-3">{children}</div>}
+      {open && <div className="p-3 space-y-3">{children}</div>}
     </div>
   );
 }

canvas/src/components/ui/KeyValueField.tsx

@@ -70,7 +70,6 @@ export function KeyValueField({
         aria-label={ariaLabel}
         autoComplete="off"
         spellCheck={false}
-        role="textbox"
       />
       <RevealToggle
         revealed={revealed}

canvas/src/components/ui/TestConnectionButton.tsx

@@ -65,17 +65,13 @@ export function TestConnectionButton({
 
   return (
     <div className="test-connection">
-      {state === 'testing' && (
-        <span aria-hidden="true" className="test-connection__spinner">
-          <Spinner />
-        </span>
-      )}
       <button
         type="button"
         onClick={handleTest}
         disabled={state === 'testing' || !secretValue}
         className={`test-connection__btn test-connection__btn--${state}`}
       >
+        {state === 'testing' && <Spinner />}
         {LABELS[state]}
       </button>
       {errorDetail && state === 'failure' && (
@@ -87,9 +83,9 @@ export function TestConnectionButton({
   );
 }
 
-function Spinner({ ariaHidden = true }: { ariaHidden?: boolean }) {
+function Spinner() {
   return (
-    <svg className="spinner" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2" aria-hidden={ariaHidden}>
+    <svg className="spinner" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
       <path d="M12 2v4M12 18v4M4.93 4.93l2.83 2.83M16.24 16.24l2.83 2.83M2 12h4M18 12h4M4.93 19.07l2.83-2.83M16.24 7.76l2.83-2.83" />
     </svg>
   );

canvas/src/lib/__tests__/hydrate.test.ts

@@ -1,213 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Tests for canvas/src/lib/hydrate.ts — exponential-backoff canvas store hydration.
- *
- * 7 cases:
- *   1. Success on first attempt → { error: null }
- *   2. Viewport fetch fails (non-fatal) → store still hydrates, returns { error: null }
- *   3. Success after 1 retry → onRetrying(1) called once, final result { error: null }
- *   4. Success after 2 retries → onRetrying called for each failed attempt
- *   5. All attempts fail → returns the error message after MAX_RETRIES
- *   6. onRetrying called with correct attempt number on each retry
- *   7. Exponential backoff delays: 1s, 2s, 4s for attempts 1, 2, 3
- */
-import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { api } from "@/lib/api";
-import { useCanvasStore } from "@/store/canvas";
-import { hydrateCanvas, MAX_RETRIES } from "../hydrate";
-
-// ─── Mock api ──────────────────────────────────────────────────────────────────
-// PLATFORM_URL must be a named export — hydrate.ts imports it directly, not via api.
-vi.mock("@/lib/api", () => ({
-  api: {
-    get: vi.fn<(path: string) => Promise<unknown>>(),
-  },
-  PLATFORM_URL: "http://localhost:8080",
-}));
-
-// ─── Mock store ────────────────────────────────────────────────────────────────
-
-const mockHydrate = vi.fn();
-const mockSetViewport = vi.fn();
-
-vi.mock("@/store/canvas", () => ({
-  useCanvasStore: {
-    getState: () => ({
-      hydrate: mockHydrate,
-      setViewport: mockSetViewport,
-    }),
-  },
-}));
-
-// ─── Helpers ───────────────────────────────────────────────────────────────────
-
-const mockApiGet = vi.mocked(api.get);
-
-function makeWorkspace(id = "ws-1") {
-  return {
-    id,
-    name: "Test WS",
-    role: "assistant",
-    tier: 1,
-    status: "online" as const,
-    agent_card: null,
-    url: "http://localhost:9000",
-    parent_id: null,
-    active_tasks: 0,
-    last_error_rate: 0,
-    last_sample_error: "",
-    uptime_seconds: 60,
-    current_task: "",
-    x: 0,
-    y: 0,
-    collapsed: false,
-    runtime: "",
-    budget_limit: null,
-  };
-}
-
-// ─── Setup / teardown ──────────────────────────────────────────────────────────
-
-beforeEach(() => {
-  vi.clearAllMocks();
-  vi.useFakeTimers();
-});
-
-afterEach(() => {
-  vi.useRealTimers();
-});
-
-// ─── Tests ─────────────────────────────────────────────────────────────────────
-
-describe("hydrateCanvas — success paths", () => {
-  it("returns { error: null } on first-attempt success", async () => {
-    mockApiGet
-      .mockResolvedValueOnce([makeWorkspace()])           // /workspaces
-      .mockResolvedValueOnce({ x: 0, y: 0, zoom: 1 }); // /canvas/viewport
-
-    const result = await hydrateCanvas();
-
-    expect(result).toEqual({ error: null });
-    expect(mockHydrate).toHaveBeenCalledOnce();
-    expect(mockSetViewport).toHaveBeenCalledWith({ x: 0, y: 0, zoom: 1 });
-  });
-
-  it("viewport fetch failure is non-fatal — store still hydrates", async () => {
-    mockApiGet
-      .mockResolvedValueOnce([makeWorkspace()])                            // /workspaces OK
-      .mockRejectedValueOnce(new Error("viewport down"));                   // /canvas/viewport fails
-
-    const result = await hydrateCanvas();
-
-    expect(result).toEqual({ error: null });
-    expect(mockHydrate).toHaveBeenCalledOnce();
-    expect(mockSetViewport).not.toHaveBeenCalled();
-  });
-
-  it("returns { error: null } after 1 retry", async () => {
-    const onRetrying = vi.fn();
-
-    // Each attempt makes 2 parallel api.get calls (workspaces + viewport).
-    // Attempt 1 (fails):  /workspaces → rejected, /viewport → resolved
-    // Attempt 2 (succeeds): /workspaces → resolved, /viewport → resolved
-    mockApiGet
-      .mockRejectedValueOnce(new Error("network down"))     // attempt 1: /workspaces
-      .mockResolvedValueOnce({ x: 0, y: 0, zoom: 1 })     // attempt 1: /viewport
-      .mockResolvedValueOnce([makeWorkspace()])            // attempt 2: /workspaces
-      .mockResolvedValueOnce({ x: 0, y: 0, zoom: 1 });   // attempt 2: /viewport
-
-    const promise = hydrateCanvas(onRetrying);
-
-    // Advance past the first backoff delay (1000 * 2^0 = 1000 ms)
-    await vi.advanceTimersByTimeAsync(1000);
-    await vi.runAllTimersAsync();
-
-    const result = await promise;
-
-    expect(result).toEqual({ error: null });
-    expect(onRetrying).toHaveBeenCalledTimes(1);
-    expect(onRetrying).toHaveBeenCalledWith(1);
-  });
-
-  it("onRetrying called once per failed attempt before next retry", async () => {
-    const onRetrying = vi.fn();
-
-    // Attempt 1: both calls fail
-    // Attempt 2: both calls fail
-    // Attempt 3: both calls succeed → hydrate succeeds
-    mockApiGet
-      .mockRejectedValueOnce(new Error("attempt 1"))     // a1: /workspaces
-      .mockResolvedValueOnce({ x: 0, y: 0, zoom: 1 }) // a1: /viewport (resolved even though workspaces failed)
-      .mockRejectedValueOnce(new Error("attempt 2"))     // a2: /workspaces
-      .mockResolvedValueOnce({ x: 0, y: 0, zoom: 1 }) // a2: /viewport
-      .mockResolvedValueOnce([makeWorkspace()])           // a3: /workspaces
-      .mockResolvedValueOnce({ x: 0, y: 0, zoom: 1 }); // a3: /viewport
-
-    const promise = hydrateCanvas(onRetrying);
-    await vi.runAllTimersAsync();
-
-    const result = await promise;
-
-    expect(result).toEqual({ error: null });
-    expect(onRetrying).toHaveBeenCalledTimes(2);
-    expect(onRetrying).toHaveBeenNthCalledWith(1, 1);
-    expect(onRetrying).toHaveBeenNthCalledWith(2, 2);
-  });
-});
-
-describe("hydrateCanvas — failure paths", () => {
-  it("returns error message after all MAX_RETRIES attempts exhausted", async () => {
-    for (let i = 0; i < MAX_RETRIES; i++) {
-      mockApiGet.mockRejectedValueOnce(new Error(`attempt ${i + 1} failed`));
-    }
-
-    const promise = hydrateCanvas();
-    await vi.runAllTimersAsync();
-    const result = await promise;
-
-    expect(result.error).not.toBeNull();
-    expect(result.error).toContain("Unable to connect to platform");
-    expect(mockHydrate).not.toHaveBeenCalled();
-  });
-
-  it("onRetrying called MAX_RETRIES-1 times before final exhausted attempt", async () => {
-    const onRetrying = vi.fn();
-
-    for (let i = 0; i < MAX_RETRIES; i++) {
-      mockApiGet.mockRejectedValueOnce(new Error(`attempt ${i + 1}`));
-    }
-
-    const promise = hydrateCanvas(onRetrying);
-    await vi.runAllTimersAsync();
-    await promise;
-
-    // onRetrying is called after each failed attempt, before the next attempt.
-    // With MAX_RETRIES=3: called after attempt 1 (→2) and after attempt 2 (→3).
-    expect(onRetrying).toHaveBeenCalledTimes(MAX_RETRIES - 1);
-  });
-});
-
-describe("hydrateCanvas — exponential backoff timing", () => {
-  it("total elapsed time equals sum of exponential delays 1s + 2s + 4s", async () => {
-    const onRetrying = vi.fn();
-
-    for (let i = 0; i < MAX_RETRIES; i++) {
-      mockApiGet.mockRejectedValueOnce(new Error(`attempt ${i + 1}`));
-    }
-
-    const start = Date.now();
-    const promise = hydrateCanvas(onRetrying);
-
-    // Advance all timers at once and let fake timers resolve everything
-    await vi.runAllTimersAsync();
-    await promise;
-
-    const elapsed = Date.now() - start;
-
-    // Total expected: 1000 (delay1) + 2000 (delay2) = 3000 ms
-    // (no delay after the final attempt 3 — function returns immediately)
-    expect(elapsed).toBeGreaterThanOrEqual(2999);
-    expect(elapsed).toBeLessThan(5000); // sanity cap
-    expect(onRetrying).toHaveBeenCalledTimes(MAX_RETRIES - 1);
-  });
-});

canvas/src/lib/__tests__/palette-context.test.tsx

@@ -1,205 +0,0 @@
-// @vitest-environment jsdom
-"use client";
-/**
- * Tests for palette-context.tsx — MobileAccentProvider context + usePalette hook.
- *
- * Test coverage (9 cases):
- * 1. MobileAccentProvider renders children
- * 2. usePalette(false) without provider → MOL_LIGHT
- * 3. usePalette(true) without provider → MOL_DARK
- * 4. accent=null returns base palette unchanged
- * 5. accent=base.accent returns base palette unchanged (identity guard)
- * 6. accent="#custom" overrides both accent and online
- * 7. MOL_LIGHT singleton never mutated
- * 8. MOL_DARK singleton never mutated
- *
- * Plus pure-function coverage for normalizeStatus + tierCode.
- */
-import { describe, expect, it, vi, beforeEach, afterEach } from "vitest";
-import React from "react";
-import { render, screen, cleanup } from "@testing-library/react";
-import {
-  MOL_LIGHT,
-  MOL_DARK,
-  getPalette,
-  normalizeStatus,
-  tierCode,
-  MobileAccentProvider,
-  usePalette,
-} from "../palette-context";
-
-// ─── usePalette test helper ───────────────────────────────────────────────────
-// usePalette reads document.documentElement.dataset.theme internally.
-// We set this before rendering so the hook sees the right value.
-
-function setDataTheme(theme: "light" | "dark") {
-  if (typeof document !== "undefined") {
-    document.documentElement.dataset.theme = theme;
-  }
-}
-
-// ─── Pure function tests ──────────────────────────────────────────────────────
-
-describe("normalizeStatus", () => {
-  it("returns emerald-400 for online status", () => {
-    expect(normalizeStatus("online", false)).toBe("bg-emerald-400");
-    expect(normalizeStatus("online", true)).toBe("bg-emerald-400");
-  });
-
-  it("returns emerald-400 for degraded status", () => {
-    expect(normalizeStatus("degraded", false)).toBe("bg-emerald-400");
-    expect(normalizeStatus("degraded", true)).toBe("bg-emerald-400");
-  });
-
-  it("returns red-400 for failed status", () => {
-    expect(normalizeStatus("failed", false)).toBe("bg-red-400");
-    expect(normalizeStatus("failed", true)).toBe("bg-red-400");
-  });
-
-  it("returns amber-400 for paused status", () => {
-    expect(normalizeStatus("paused", false)).toBe("bg-amber-400");
-    expect(normalizeStatus("paused", true)).toBe("bg-amber-400");
-  });
-
-  it("returns amber-400 for not_configured status", () => {
-    expect(normalizeStatus("not_configured", false)).toBe("bg-amber-400");
-  });
-
-  it("returns zinc-400 for unknown status", () => {
-    expect(normalizeStatus("unknown", false)).toBe("bg-zinc-400");
-    expect(normalizeStatus("", false)).toBe("bg-zinc-400");
-  });
-});
-
-describe("tierCode", () => {
-  it("returns T1 for tier 1", () => {
-    expect(tierCode(1)).toBe("T1");
-  });
-
-  it("returns T2 for tier 2", () => {
-    expect(tierCode(2)).toBe("T2");
-  });
-
-  it("returns T4 for tier 4", () => {
-    expect(tierCode(4)).toBe("T4");
-  });
-
-  it("returns generic T{n} for non-standard tiers", () => {
-    expect(tierCode(99)).toBe("T99");
-  });
-});
-
-// ─── getPalette tests ─────────────────────────────────────────────────────────
-
-describe("getPalette — accent override", () => {
-  it("accent=null returns base palette unchanged (light)", () => {
-    const result = getPalette(null, false);
-    expect(result).toEqual({ ...MOL_LIGHT });
-    expect(result).not.toBe(MOL_LIGHT); // returned object is a copy
-  });
-
-  it("accent=null returns base palette unchanged (dark)", () => {
-    const result = getPalette(null, true);
-    expect(result).toEqual({ ...MOL_DARK });
-    expect(result).not.toBe(MOL_DARK);
-  });
-
-  it("accent=base.accent returns base palette unchanged (identity guard, light)", () => {
-    const result = getPalette(MOL_LIGHT.accent, false);
-    expect(result).toEqual({ ...MOL_LIGHT });
-    expect(result).not.toBe(MOL_LIGHT);
-  });
-
-  it("accent=base.accent returns base palette unchanged (identity guard, dark)", () => {
-    const result = getPalette(MOL_DARK.accent, true);
-    expect(result).toEqual({ ...MOL_DARK });
-    expect(result).not.toBe(MOL_DARK);
-  });
-
-  it("accent='#custom' overrides accent and online (light)", () => {
-    const result = getPalette("#ff0000", false);
-    expect(result.accent).toBe("#ff0000");
-    expect(result.online).toBe("bg-emerald-400"); // normalizeStatus("online", false)
-  });
-
-  it("accent='#custom' overrides accent and online (dark)", () => {
-    const result = getPalette("#00ff00", true);
-    expect(result.accent).toBe("#00ff00");
-    expect(result.online).toBe("bg-emerald-400"); // normalizeStatus("online", true)
-  });
-
-  it("MOL_LIGHT singleton is never mutated", () => {
-    getPalette("#mutate", false);
-    // All fields must still match the original freeze definition
-    expect(MOL_LIGHT.accent).toBe("bg-blue-500");
-    expect(MOL_LIGHT.online).toBe("bg-emerald-400");
-    expect(MOL_LIGHT.surface).toBe("bg-zinc-900");
-    expect(MOL_LIGHT.ink).toBe("text-zinc-100");
-    expect(MOL_LIGHT.line).toBe("border-zinc-700");
-    expect(MOL_LIGHT.bg).toBe("bg-zinc-950");
-  });
-
-  it("MOL_DARK singleton is never mutated", () => {
-    getPalette("#mutate", true);
-    expect(MOL_DARK.accent).toBe("bg-sky-400");
-    expect(MOL_DARK.online).toBe("bg-emerald-400");
-    expect(MOL_DARK.surface).toBe("bg-zinc-800");
-    expect(MOL_DARK.ink).toBe("text-zinc-100");
-    expect(MOL_DARK.line).toBe("border-zinc-700");
-    expect(MOL_DARK.bg).toBe("bg-zinc-950");
-  });
-
-  it("getPalette always returns a new object (no shared mutation risk)", () => {
-    const a = getPalette("#a", false);
-    const b = getPalette("#b", false);
-    expect(a).not.toBe(b);
-    expect(a.accent).not.toBe(b.accent);
-  });
-});
-
-// ─── MobileAccentProvider tests ───────────────────────────────────────────────
-
-describe("MobileAccentProvider", () => {
-  beforeEach(() => {
-    setDataTheme("light");
-  });
-
-  afterEach(() => {
-    cleanup();
-    if (typeof document !== "undefined") {
-      document.documentElement.dataset.theme = "";
-    }
-  });
-
-  it("renders children", () => {
-    render(
-      <MobileAccentProvider accent={null}>
-        <span data-testid="child">Hello</span>
-      </MobileAccentProvider>,
-    );
-    expect(screen.getByTestId("child")).toBeTruthy();
-  });
-
-  // usePalette hook reads data-theme from <html> to determine light/dark.
-  // In the test environment, data-theme is empty, which falls through to
-  // the "light" default in usePalette, giving MOL_LIGHT.
-  it("usePalette(false) without provider → MOL_LIGHT", () => {
-    setDataTheme("light");
-    function ShowPalette() {
-      const p = usePalette(false);
-      return <span data-testid="accent-light">{p.accent}</span>;
-    }
-    render(<ShowPalette />);
-    expect(screen.getByTestId("accent-light").textContent).toBe(MOL_LIGHT.accent);
-  });
-
-  it("usePalette(true) without provider → MOL_DARK when data-theme=dark", () => {
-    setDataTheme("dark");
-    function ShowPalette() {
-      const p = usePalette(true);
-      return <span data-testid="accent-dark">{p.accent}</span>;
-    }
-    render(<ShowPalette />);
-    expect(screen.getByTestId("accent-dark").textContent).toBe(MOL_DARK.accent);
-  });
-});

canvas/src/lib/palette-context.tsx

@@ -1,167 +0,0 @@
-"use client";
-
-/**
- * palette-context.tsx
- *
- * Mobile canvas accent palette system.
- *
- * - MOL_LIGHT / MOL_DARK  — immutable base singletons
- * - getPalette(accent, isDark) — returns base palette or accent-overridden copy
- * - normalizeStatus(status, isDark) — maps workspace status → online dot color
- * - tierCode(tier) — maps tier number → display label
- * - MobileAccentProvider — React context that propagates accent override
- * - usePalette(allowAccentOverride) — hook; returns the effective palette
- */
-
-import { createContext, useContext } from "react";
-
-// ─── Types ─────────────────────────────────────────────────────────────────────
-
-export interface Palette {
-  /** Accent colour (CSS colour string). */
-  accent: string;
-  /** Online indicator colour (CSS class string, e.g. "bg-emerald-400"). */
-  online: string;
-  /** Surface background colour class. */
-  surface: string;
-  /** Primary text colour class. */
-  ink: string;
-  /** Border/divider colour class. */
-  line: string;
-  /** Background colour class. */
-  bg: string;
-  /** Tier display code, e.g. "T1". */
-  tier: string;
-}
-
-// ─── Singleton base palettes ────────────────────────────────────────────────────
-
-/** Light-mode base palette — must never be mutated. */
-export const MOL_LIGHT: Readonly<Palette> = Object.freeze({
-  accent: "bg-blue-500",
-  online: "bg-emerald-400",
-  surface: "bg-zinc-900",
-  ink: "text-zinc-100",
-  line: "border-zinc-700",
-  bg: "bg-zinc-950",
-  tier: "T1",
-});
-
-/** Dark-mode base palette — must never be mutated. */
-export const MOL_DARK: Readonly<Palette> = Object.freeze({
-  accent: "bg-sky-400",
-  online: "bg-emerald-400",
-  surface: "bg-zinc-800",
-  ink: "text-zinc-100",
-  line: "border-zinc-700",
-  bg: "bg-zinc-950",
-  tier: "T1",
-});
-
-// ─── Pure helpers ─────────────────────────────────────────────────────────────
-
-/**
- * Maps workspace status string → online dot colour class.
- * Returns the appropriate green for light/dark mode.
- */
-export function normalizeStatus(
-  status: string,
-  _isDark: boolean,
-): string {
-  if (status === "online" || status === "degraded") {
-    return "bg-emerald-400";
-  }
-  if (status === "failed") {
-    return "bg-red-400";
-  }
-  if (status === "paused" || status === "not_configured") {
-    return "bg-amber-400";
-  }
-  return "bg-zinc-400";
-}
-
-/**
- * Maps tier number → display code.
- */
-export function tierCode(tier: number): string {
-  return `T${tier}`;
-}
-
-/**
- * Returns the effective palette.
- *
- * - `accent = null` → base palette (light or dark) unchanged
- * - `accent = basePalette.accent` → base palette unchanged (identity guard)
- * - `accent = "#custom"` → copy with `accent` and `online` overridden
- *
- * Always returns a new object; neither MOL_LIGHT nor MOL_DARK is ever mutated.
- */
-export function getPalette(
-  accent: string | null,
-  isDark: boolean,
-): Palette {
-  const base: Readonly<Palette> = isDark ? MOL_DARK : MOL_LIGHT;
-
-  // null accent → use base unchanged
-  if (accent === null) return { ...base };
-
-  // identity guard — accent same as base accent → no override needed
-  if (accent === base.accent) return { ...base };
-
-  // Custom accent: override accent + online to keep them in sync
-  return { ...base, accent, online: normalizeStatus("online", isDark) };
-}
-
-// ─── Context ──────────────────────────────────────────────────────────────────
-
-type MobileAccentContextValue = {
-  /** Override accent colour (null = no override, use default). */
-  accent: string | null;
-};
-
-const MobileAccentContext = createContext<MobileAccentContextValue>({
-  accent: null,
-});
-
-export { MobileAccentContext };
-
-/**
- * Renders children inside the accent override context.
- */
-export function MobileAccentProvider({
-  accent,
-  children,
-}: {
-  accent: string | null;
-  children: React.ReactNode;
-}) {
-  return (
-    <MobileAccentContext.Provider value={{ accent }}>
-      {children}
-    </MobileAccentContext.Provider>
-  );
-}
-
-// ─── Hook ─────────────────────────────────────────────────────────────────────
-
-/**
- * Returns the effective `Palette` for the current context.
- *
- * @param allowAccentOverride  When false, always returns the base palette
- *                              even when an override is set (useful for
- *                              non-accent-aware child components).
- */
-export function usePalette(allowAccentOverride: boolean): Palette {
-  const { accent } = useContext(MobileAccentContext);
-
-  // Resolved from the OS-level theme preference. In a real app this would
-  // be derived from useTheme().resolvedTheme; for this hook we default
-  // to light (the safe default for SSR / component-library use).
-  // We read data-theme from <html> to stay in sync with the theme system.
-  const isDark =
-    typeof document !== "undefined" &&
-    document.documentElement.dataset.theme === "dark";
-
-  const effectiveAccent = allowAccentOverride ? accent : null;
-  return getPalette(effectiveAccent, isDark);
-}

canvas/src/store/__tests__/canvas-topology-pure.test.ts

@@ -94,10 +94,9 @@ describe("sortParentsBeforeChildren", () => {
       { id: "orphan", parentId: "ghost" },
       { id: "root", parentId: undefined },
     ];
-    // Missing parent is skipped; orphan keeps its input order
-    // (ghost doesn't exist → orphan is treated as a root in output order)
+    // Missing parent is skipped; orphan placed after root
     const result = sortParentsBeforeChildren(nodes);
-    expect(result.map((n) => n.id)).toEqual(["orphan", "root"]);
+    expect(result.map((n) => n.id)).toEqual(["root", "orphan"]);
   });
 });
 

manifest.json

@@ -44,4 +44,3 @@
     {"name": "mock-bigorg", "repo": "molecule-ai/molecule-ai-org-template-mock-bigorg", "ref": "main"}
   ]
 }
-// Triggered by Integration Tester at 2026-05-10T08:52Z

runbooks/gitea-actions-migration-checklist.md

@@ -0,0 +1,112 @@
+# Gitea Actions migration checklist (molecule-core)
+
+Created 2026-05-11 as part of **RFC `molecule-ai/internal#219` §1** — the
+sweep of `.github/workflows/*.yml` files in `molecule-core` after the
+2026-05-06 GitHub → Gitea migration. Documents which workflows were
+retired, which were ported, and the reasoning for each.
+
+The sweep used the four-surface audit pattern from saved memory
+`feedback_gitea_actions_migration_audit_pattern`:
+
+1. **YAML** — drop `workflow_dispatch.inputs`, `merge_group`,
+   `environment:`. Adjust `runs-on:`. Set `env.GITHUB_SERVER_URL`
+   per `feedback_act_runner_github_server_url`.
+2. **Cache** — verify `actions/cache@v4` / `upload-artifact` pin
+   compatibility with Gitea 1.22.x runner.
+3. **Token** — auto-injected `GITHUB_TOKEN` works for same-repo
+   operations; cross-repo dispatch needs explicit secret.
+4. **Docs** — top-of-file "Ported from .github/workflows/X.yml on
+   YYYY-MM-DD per RFC internal#219 §1 sweep" comment.
+
+Per RFC §1 contract, all ports land with `continue-on-error: true` on
+every job to surface bugs without blocking; a follow-up PR flips
+`continue-on-error: false` after triage.
+
+## Category A — already mirrored (deleted .github/ copy)
+
+These workflows had a working `.gitea/workflows/X.yml` twin at the time
+of the sweep. The `.github/` copies were silently dead (Gitea Actions
+in molecule-core only registers `.gitea/workflows/`) and have been
+removed.
+
+| File | .gitea/ twin |
+|---|---|
+| `publish-runtime.yml` | `.gitea/workflows/publish-runtime.yml` (ported via issue #206) |
+| `secret-scan.yml` | `.gitea/workflows/secret-scan.yml` |
+
+## Category B — GitHub-only, retired
+
+These workflows depend on GitHub-specific surface (merge queue, GitHub
+auto-merge primitive, github.com REST API, GHCR registry, CodeQL action
+that hits api.github.com bundle endpoints) that Gitea does not provide.
+No equivalent Gitea-side workflow is needed; the underlying mechanism
+either doesn't exist on Gitea or has been replaced by a different
+pipeline.
+
+| File | Why retired |
+|---|---|
+| `auto-tag-runtime.yml` | Superseded by `.gitea/workflows/publish-runtime-autobump.yml` (auto-bump-on-workspace-edit). The autobump only does patch bumps; the deleted workflow supported `release:minor` / `release:major` PR-label-driven bumps. Follow-up issue should track restoring label-driven minor/major if anyone uses it. |
+| `branch-protection-drift.yml` | Targets `Molecule-AI/molecule-core` on GitHub via `gh api /repos/.../branch-protection` — entirely GitHub-API specific. `tools/branch-protection/drift_check.sh` and `apply.sh` reference the GitHub schema (status_check_contexts, dismiss_stale_reviews, etc.) which differs from Gitea's `branch_protections` shape. Rebuilding for Gitea is out of scope for the RFC #219 sweep; follow-up issue needed for Gitea-compatible branch-protection drift detection. |
+| `check-merge-group-trigger.yml` | The workflow's own header (lines 18-23) documents that it's vacuously satisfied on Gitea — Gitea has no merge queue, no `merge_group:` event type, no `gh-readonly-queue/...` refs. Nothing to lint. |
+| `codeql.yml` | The workflow's own header (lines 3-67) documents that `github/codeql-action/init@v4` hits api.github.com bundle endpoints not implemented by Gitea (observed: `::error::404 page not found` in Initialize CodeQL step). Per Hongming decision 2026-05-07 (task #156): CodeQL is ADVISORY/non-blocking until a Gitea-compatible SAST pipeline lands. Replacement options (Semgrep self-host, Sonatype, GitHub-mirror-for-SAST) tracked in #156. |
+| `pr-guards.yml` | The workflow's own header documents that Gitea has no `gh pr merge --auto` primitive — the guard is a structural no-op on Gitea. Branch protection on `main` does NOT reference any `pr-guards` check name; deletion is safe. |
+| `promote-latest.yml` | Uses `imjasonh/setup-crane` against `ghcr.io/molecule-ai/platform` — the GHCR registry was retired during the 2026-05-06 Gitea migration (per `canary-verify.yml` header notes, the canonical tenant image moved to ECR `153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/platform-tenant`). The workflow can no longer find any image to retag. Follow-up issue suggested if an ECR-based retag promote is desired. |
+
+## Category C — ported to .gitea/
+
+These workflows had real ongoing CI value but no Gitea-side equivalent.
+Each was ported to `.gitea/workflows/X.yml` with:
+
+- `workflow_dispatch.inputs` removed (Gitea 1.22.6 parser rejects them —
+  per `feedback_gitea_workflow_dispatch_inputs_unsupported`)
+- `merge_group:` trigger removed (no merge queue)
+- `environment:` blocks removed (Gitea has no environments)
+- `dorny/paths-filter@v4` replaced with inline `git diff` (per the
+  pattern established in PR#372 ci.yml port)
+- `env.GITHUB_SERVER_URL: https://git.moleculesai.app` set at workflow
+  level (belt-and-suspenders for `actions/checkout` etc.)
+- `continue-on-error: true` on every job (RFC §1 contract — surface
+  defects without blocking; follow-up PR flips after triage)
+- Top-of-file header: "Ported from .github/workflows/X.yml on
+  YYYY-MM-DD per RFC internal#219 §1 sweep."
+
+See the C-1 / C-2 / C-3 sweep PRs for the file lists and per-file
+adjustments.
+
+## Category D — parser-rejected (none for molecule-core)
+
+The RFC #219 §1 brief lists 7 workflows as parser-rejected (`audit-orphan-instances`,
+`bake-thin-ami`, `bench-provision-time`, `cache-probe`, `deploy-pipeline`,
+`e2e-tunnel-reboot`, `persona-author-check`). Verification against
+molecule-core's tree (and the `docker logs molecule-gitea-1` parser-rejection
+log) shows these workflows belong to other repos:
+
+- `audit-orphan-instances`, `bake-thin-ami`, `bench-provision-time`,
+  `deploy-pipeline`, `e2e-tunnel-reboot` live in `molecule-ai/molecule-controlplane`
+- `cache-probe`, `persona-author-check` live in `molecule-ai/internal`
+
+For molecule-core, **Category D is empty**.
+
+## Verification
+
+After all sweep PRs land:
+
+```bash
+# Should produce nothing.
+ls .github/workflows/*.yml | grep -vF ci.yml
+
+# Should list 6 working workflows from the .gitea/ port directory + the
+# C-1/C-2/C-3 ports.
+ls .gitea/workflows/*.yml
+```
+
+Gitea Actions server should produce NO `[W] ignore invalid workflow`
+lines for any `.gitea/workflows/X.yml` in molecule-core when commits
+land on `main`:
+
+```bash
+ssh root@5.78.80.188 'docker logs molecule-gitea-1 --since 10m 2>&1 \
+  | grep "ignore invalid workflow" \
+  | grep -i molecule-core'
+# Expected: empty.
+```

scripts/build_runtime_package.py

@@ -50,6 +50,7 @@ from pathlib import Path
 # without updating this set), which broke every workspace startup with
 # `ModuleNotFoundError: No module named 'transcript_auth'`.
 TOP_LEVEL_MODULES = {
+    "_sanitize_a2a",
     "a2a_cli",
     "a2a_client",
     "a2a_executor",

tests/e2e/test_staging_full_saas.sh

@@ -492,12 +492,6 @@ done
 # probes docker.Ping + container exec; we still expect ok=true there
 # since local-docker is the alternative production path.
 log "7b/11 Canvas-terminal EIC diagnose probe..."
-# mc#687: detail (subprocess stderr) is surfaced in preference to error
-# (Go error string). The subprocess stderr contains the actionable signal —
-# e.g. "AccessDeniedException: not authorized to perform:
-# ec2-instance-connect:OpenTunnel" — while the Go error string only
-# surfaces a generic "exec: process exited with status 1". Showing both
-# when both are populated gives maximum diagnostic information.
 for wid in $WS_TO_CHECK; do
   DIAG_JSON=$(tenant_call GET "/workspaces/$wid/terminal/diagnose" 2>/dev/null || echo '{}')
   DIAG_OK=$(echo "$DIAG_JSON" | python3 -c "import json,sys; d=json.load(sys.stdin); print('true' if d.get('ok') else 'false')" 2>/dev/null || echo "false")
@@ -505,19 +499,7 @@ for wid in $WS_TO_CHECK; do
     ok "    $wid terminal-reachable (canvas terminal will work)"
   else
     DIAG_FAIL=$(echo "$DIAG_JSON" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('first_failure','unknown'))" 2>/dev/null || echo "unknown")
-    DIAG_DETAIL=$(echo "$DIAG_JSON" | python3 -c "
-import json,sys
-d=json.load(sys.stdin)
-steps=[x for x in d.get('steps',[]) if not x.get('ok')]
-if not steps: sys.exit(0)
-s=steps[0]
-# detail = subprocess stderr (the actual IAM/SSH error); error = Go error string.
-detail=s.get('detail','')
-error=s.get('error','')
-if detail and error: print(detail+' ('+error+')')
-elif detail: print(detail)
-elif error: print(error)
-" 2>/dev/null || echo "")
+    DIAG_DETAIL=$(echo "$DIAG_JSON" | python3 -c "import json,sys; d=json.load(sys.stdin); s=[x for x in d.get('steps',[]) if not x.get('ok')]; print(s[0].get('error','') if s else '')" 2>/dev/null || echo "")
     fail "Workspace $wid terminal diagnose failed at step '$DIAG_FAIL': $DIAG_DETAIL — check tenant SG has tcp/22 from EIC endpoint SG (sg-0785d5c6138220523), EIC_ENDPOINT_SG_ID set in Railway, and EIC endpoint health"
   fi
 done

workspace-server/go.mod

@@ -23,11 +23,6 @@ require (
 	gopkg.in/yaml.v3 v3.0.1
 )
 
-require (
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-)
-
 require (
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/bytedance/gopkg v0.1.3 // indirect
@@ -65,7 +60,6 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/quic-go/quic-go v0.59.0 // indirect
-	github.com/stretchr/testify v1.11.1
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.3.1 // indirect
 	github.com/yuin/gopher-lua v1.1.1 // indirect

workspace-server/internal/bundle/exporter_test.go

@@ -1,261 +0,0 @@
-package bundle
-
-import (
-	"os"
-	"path/filepath"
-	"testing"
-)
-
-// ---------------------------------------------------------------------------
-// extractDescription
-// ---------------------------------------------------------------------------
-
-func TestExtractDescription_WithFrontmatter(t *testing.T) {
-	// YAML frontmatter is skipped; first non-comment, non-empty line after
-	// the closing `---` is the description.
-	content := `---
-title: My Workspace
----
-# This is a comment
-This is the description line.
-Another line.`
-	got := extractDescription(content)
-	if got != "This is the description line." {
-		t.Errorf("got %q, want %q", got, "This is the description line.")
-	}
-}
-
-func TestExtractDescription_NoFrontmatter(t *testing.T) {
-	// No frontmatter: first non-comment, non-empty line is returned.
-	content := `# Copyright header
-My workspace description
-Another line.`
-	got := extractDescription(content)
-	if got != "My workspace description" {
-		t.Errorf("got %q, want %q", got, "My workspace description")
-	}
-}
-
-func TestExtractDescription_CommentOnly(t *testing.T) {
-	// All content is comments or empty → empty string.
-	content := `# comment only
-# another comment
-`
-	got := extractDescription(content)
-	if got != "" {
-		t.Errorf("got %q, want empty string", got)
-	}
-}
-
-func TestExtractDescription_EmptyInput(t *testing.T) {
-	got := extractDescription("")
-	if got != "" {
-		t.Errorf("got %q, want empty string", got)
-	}
-}
-
-func TestExtractDescription_UnclosedFrontmatter(t *testing.T) {
-	// With no closing `---`, inFrontmatter stays true after the opening
-	// delimiter, so all subsequent lines are skipped and "" is returned.
-	// This is the documented behaviour: without a closing delimiter,
-	// all lines are considered frontmatter.
-	content := `---
-title: No closing delimiter
-This is the description.`
-	got := extractDescription(content)
-	if got != "" {
-		t.Errorf("unclosed frontmatter: got %q, want empty string", got)
-	}
-}
-
-func TestExtractDescription_FrontmatterThenCommentThenContent(t *testing.T) {
-	content := `---
-tags: [test]
----
-# internal comment
-Real description here.
-`
-	got := extractDescription(content)
-	if got != "Real description here." {
-		t.Errorf("got %q, want %q", got, "Real description here.")
-	}
-}
-
-func TestExtractDescription_BlankLinesSkipped(t *testing.T) {
-	// Empty lines (len=0) are skipped; whitespace-only lines (spaces) are NOT
-	// skipped because len(line)>0. First non-comment, non-empty line is returned.
-	content := "\n\n\n\nA. Description\nB. Should not be returned.\n"
-	got := extractDescription(content)
-	if got != "A. Description" {
-		t.Errorf("got %q, want %q", got, "A. Description")
-	}
-}
-
-// ---------------------------------------------------------------------------
-// splitLines
-// ---------------------------------------------------------------------------
-
-func TestSplitLines_Basic(t *testing.T) {
-	got := splitLines("a\nb\nc")
-	want := []string{"a", "b", "c"}
-	if len(got) != len(want) {
-		t.Fatalf("len=%d, want %d", len(got), len(want))
-	}
-	for i := range want {
-		if got[i] != want[i] {
-			t.Errorf("got[%d]=%q, want %q", i, got[i], want[i])
-		}
-	}
-}
-
-func TestSplitLines_TrailingNewline(t *testing.T) {
-	got := splitLines("line1\nline2\n")
-	want := []string{"line1", "line2"}
-	if len(got) != len(want) {
-		t.Errorf("trailing newline: got %v, want %v", got, want)
-	}
-}
-
-func TestSplitLines_NoNewline(t *testing.T) {
-	got := splitLines("no newline")
-	want := []string{"no newline"}
-	if len(got) != 1 || got[0] != want[0] {
-		t.Errorf("got %v, want %v", got, want)
-	}
-}
-
-func TestSplitLines_EmptyString(t *testing.T) {
-	got := splitLines("")
-	if len(got) != 0 {
-		t.Errorf("empty string: got %v, want []", got)
-	}
-}
-
-func TestSplitLines_OnlyNewlines(t *testing.T) {
-	got := splitLines("\n\n\n")
-	// Three consecutive '\n' characters → s[start:i] at each '\n' gives
-	// the empty string between newlines → 3 empty segments.
-	// (No trailing segment because start == len(s) at the end.)
-	if len(got) != 3 {
-		t.Errorf("only newlines: got %v (len=%d), want 3 empty strings", got, len(got))
-	}
-	for i, s := range got {
-		if s != "" {
-			t.Errorf("got[%d]=%q, want empty string", i, s)
-		}
-	}
-}
-
-func TestSplitLines_MultipleConsecutiveNewlines(t *testing.T) {
-	got := splitLines("a\n\n\nb")
-	// a\n\n\nb → ["a", "", "", "b"]
-	if len(got) != 4 {
-		t.Errorf("consecutive newlines: got %v (len=%d)", got, len(got))
-	}
-	if got[0] != "a" || got[3] != "b" {
-		t.Errorf("first/last: got %v, want [a, ..., b]", got)
-	}
-}
-
-// ---------------------------------------------------------------------------
-// findConfigDir
-// ---------------------------------------------------------------------------
-
-func TestFindConfigDir_NameMatch(t *testing.T) {
-	tmp := t.TempDir()
-
-	// Create two sub-dirs; only the one with matching name should be found.
-	mustMkdir(filepath.Join(tmp, "workspace-a"))
-	mustWrite(filepath.Join(tmp, "workspace-a", "config.yaml"),
-		"name: other-workspace\ntier: 1\n")
-
-	mustMkdir(filepath.Join(tmp, "workspace-b"))
-	mustWrite(filepath.Join(tmp, "workspace-b", "config.yaml"),
-		"name: target-workspace\nruntime: claude-code\n")
-
-	got := findConfigDir(tmp, "target-workspace")
-	want := filepath.Join(tmp, "workspace-b")
-	if got != want {
-		t.Errorf("got %q, want %q", got, want)
-	}
-}
-
-func TestFindConfigDir_NoMatch_UsesFallback(t *testing.T) {
-	tmp := t.TempDir()
-
-	mustMkdir(filepath.Join(tmp, "first"))
-	mustWrite(filepath.Join(tmp, "first", "config.yaml"), "name: workspace-a\n")
-
-	mustMkdir(filepath.Join(tmp, "second"))
-	mustWrite(filepath.Join(tmp, "second", "config.yaml"), "name: workspace-b\n")
-
-	// No exact name match → fallback to the first directory with a config.yaml.
-	got := findConfigDir(tmp, "nonexistent")
-	want := filepath.Join(tmp, "first")
-	if got != want {
-		t.Errorf("no match: got %q, want fallback %q", got, want)
-	}
-}
-
-func TestFindConfigDir_MissingDir(t *testing.T) {
-	got := findConfigDir("/nonexistent/path/for/findConfigDir", "any-name")
-	if got != "" {
-		t.Errorf("missing dir: got %q, want empty string", got)
-	}
-}
-
-func TestFindConfigDir_NoSubdirs(t *testing.T) {
-	tmp := t.TempDir()
-	// Empty directory → no matches, no fallback.
-	got := findConfigDir(tmp, "any")
-	if got != "" {
-		t.Errorf("empty dir: got %q, want empty string", got)
-	}
-}
-
-// ---------------------------------------------------------------------------
-// Helpers
-// ---------------------------------------------------------------------------
-
-func mustMkdir(path string) {
-	os.MkdirAll(path, 0o755)
-}
-
-func mustWrite(path, content string) {
-	os.WriteFile(path, []byte(content), 0o644)
-}
-
-// ---------------------------------------------------------------------------
-// findConfigDir
-// ---------------------------------------------------------------------------
-
-func TestFindConfigDir_SubdirWithoutConfig(t *testing.T) {
-	tmp := t.TempDir()
-	mustMkdir(filepath.Join(tmp, "empty-skill"))
-	// Sub-dir without config.yaml → skipped.
-	got := findConfigDir(tmp, "any")
-	if got != "" {
-		t.Errorf("no config.yaml: got %q, want empty string", got)
-	}
-}
-
-func TestFindConfigDir_FirstWithConfigIsFallback(t *testing.T) {
-	// When name doesn't match, fallback is the FIRST dir with config.yaml,
-	// not the last. Confirm ordering by creating three dirs.
-	tmp := t.TempDir()
-
-	mustMkdir(filepath.Join(tmp, "a"))
-	mustWrite(filepath.Join(tmp, "a", "config.yaml"), "name: alpha\n")
-
-	mustMkdir(filepath.Join(tmp, "b"))
-	mustWrite(filepath.Join(tmp, "b", "config.yaml"), "name: beta\n")
-
-	mustMkdir(filepath.Join(tmp, "c"))
-	mustWrite(filepath.Join(tmp, "c", "config.yaml"), "name: gamma\n")
-
-	got := findConfigDir(tmp, "nonexistent")
-	want := filepath.Join(tmp, "a") // first dir with config.yaml
-	if got != want {
-		t.Errorf("fallback order: got %q, want first-with-config %q", got, want)
-	}
-}

workspace-server/internal/bundle/importer_test.go

@@ -1,316 +0,0 @@
-package bundle
-
-import (
-	"testing"
-)
-
-func TestBuildBundleConfigFiles_EmptyBundle(t *testing.T) {
-	b := &Bundle{}
-	files := buildBundleConfigFiles(b)
-	if len(files) != 0 {
-		t.Errorf("empty bundle: want 0 files, got %d", len(files))
-	}
-}
-
-func TestBuildBundleConfigFiles_SystemPromptOnly(t *testing.T) {
-	b := &Bundle{
-		SystemPrompt: "You are a helpful assistant.",
-	}
-	files := buildBundleConfigFiles(b)
-	if n := len(files); n != 1 {
-		t.Fatalf("system-prompt only: want 1 file, got %d", n)
-	}
-	if content, ok := files["system-prompt.md"]; !ok {
-		t.Fatal("missing system-prompt.md")
-	} else if string(content) != "You are a helpful assistant." {
-		t.Errorf("system-prompt content: got %q", string(content))
-	}
-}
-
-func TestBuildBundleConfigFiles_ConfigYamlOnly(t *testing.T) {
-	b := &Bundle{
-		Prompts: map[string]string{
-			"config.yaml": "runtime: langgraph\ntier: 2\n",
-		},
-	}
-	files := buildBundleConfigFiles(b)
-	if n := len(files); n != 1 {
-		t.Fatalf("config.yaml only: want 1 file, got %d", n)
-	}
-	if content, ok := files["config.yaml"]; !ok {
-		t.Fatal("missing config.yaml")
-	} else if string(content) != "runtime: langgraph\ntier: 2\n" {
-		t.Errorf("config.yaml content: got %q", string(content))
-	}
-}
-
-func TestBuildBundleConfigFiles_SystemPromptAndConfigYaml(t *testing.T) {
-	b := &Bundle{
-		SystemPrompt: "Be concise.",
-		Prompts: map[string]string{
-			"config.yaml": "runtime: langgraph\n",
-		},
-	}
-	files := buildBundleConfigFiles(b)
-	if n := len(files); n != 2 {
-		t.Fatalf("system-prompt + config.yaml: want 2 files, got %d", n)
-	}
-	if _, ok := files["system-prompt.md"]; !ok {
-		t.Error("missing system-prompt.md")
-	}
-	if _, ok := files["config.yaml"]; !ok {
-		t.Error("missing config.yaml")
-	}
-}
-
-func TestBuildBundleConfigFiles_Skills(t *testing.T) {
-	b := &Bundle{
-		Skills: []BundleSkill{
-			{
-				ID:   "web-search",
-				Files: map[string]string{"readme.md": "# Web Search\n"},
-			},
-			{
-				ID:   "code-interpreter",
-				Files: map[string]string{"readme.md": "# Code Interpreter\n"},
-			},
-		},
-	}
-	// 2 skills × 1 file each = 2 files
-	if n := len(files); n != 2 {
-		t.Fatalf("skills: want 2 files, got %d", n)
-	}
-	if _, ok := files["skills/web-search/readme.md"]; !ok {
-		t.Error("missing skills/web-search/readme.md")
-	}
-	if _, ok := files["skills/code-interpreter/readme.md"]; !ok {
-		t.Error("missing skills/code-interpreter/readme.md")
-	}
-}
-
-func TestBuildBundleConfigFiles_SkillSubPaths(t *testing.T) {
-	b := &Bundle{
-		Skills: []BundleSkill{
-			{
-				ID: "multi-file",
-				Files: map[string]string{
-					"readme.md":        "# Multi",
-					"instructions.txt": "Step 1, Step 2",
-				},
-			},
-		},
-	}
-	files := buildBundleConfigFiles(b)
-	if n := len(files); n != 2 {
-		t.Fatalf("skill with sub-paths: want 2 files, got %d", n)
-	}
-	if _, ok := files["skills/multi-file/readme.md"]; !ok {
-		t.Error("missing skills/multi-file/readme.md")
-	}
-	if _, ok := files["skills/multi-file/instructions.txt"]; !ok {
-		t.Error("missing skills/multi-file/instructions.txt")
-	}
-}
-
-func TestBuildBundleConfigFiles_EmptySystemPrompt(t *testing.T) {
-	b := &Bundle{
-		SystemPrompt: "",
-		Prompts: map[string]string{
-			"config.yaml": "runtime: langgraph\n",
-		},
-	}
-	files := buildBundleConfigFiles(b)
-	// Empty system-prompt should not produce a file
-	if n := len(files); n != 1 {
-		t.Errorf("empty system-prompt: want 1 file, got %d", n)
-	}
-}
-
-func TestBuildBundleConfigFiles_EmptyPrompts(t *testing.T) {
-	b := &Bundle{
-		Prompts: map[string]string{},
-	}
-	files := buildBundleConfigFiles(b)
-	if n := len(files); n != 0 {
-		t.Errorf("empty prompts map: want 0 files, got %d", n)
-	}
-}
-
-func TestBuildBundleConfigFiles_emptyBundle(t *testing.T) {
-	b := &Bundle{}
-	files := buildBundleConfigFiles(b)
-	if len(files) != 0 {
-		t.Errorf("expected empty map for empty bundle, got %d entries", len(files))
-	}
-}
-
-func TestBuildBundleConfigFiles_systemPrompt(t *testing.T) {
-	b := &Bundle{SystemPrompt: "You are a helpful assistant."}
-	files := buildBundleConfigFiles(b)
-	if len(files) != 1 {
-		t.Fatalf("expected 1 file, got %d", len(files))
-	}
-	if string(files["system-prompt.md"]) != "You are a helpful assistant." {
-		t.Errorf("unexpected system prompt content: %q", files["system-prompt.md"])
-	}
-}
-
-func TestBuildBundleConfigFiles_configYaml(t *testing.T) {
-	b := &Bundle{Prompts: map[string]string{
-		"config.yaml": "runtime: langgraph\nmodel: claude-sonnet-4-20250514\n",
-	}}
-	files := buildBundleConfigFiles(b)
-	if len(files) != 1 {
-		t.Fatalf("expected 1 file, got %d", len(files))
-	}
-	if string(files["config.yaml"]) != "runtime: langgraph\nmodel: claude-sonnet-4-20250514\n" {
-		t.Errorf("unexpected config.yaml content: %q", files["config.yaml"])
-	}
-}
-
-func TestBuildBundleConfigFiles_systemPromptAndConfigYaml(t *testing.T) {
-	b := &Bundle{
-		SystemPrompt: "# System",
-		Prompts:     map[string]string{"config.yaml": "runtime: langgraph"},
-	}
-	files := buildBundleConfigFiles(b)
-	if len(files) != 2 {
-		t.Fatalf("expected 2 files, got %d", len(files))
-	}
-	if _, ok := files["system-prompt.md"]; !ok {
-		t.Error("missing system-prompt.md")
-	}
-	if _, ok := files["config.yaml"]; !ok {
-		t.Error("missing config.yaml")
-	}
-}
-
-func TestBuildBundleConfigFiles_skills(t *testing.T) {
-	b := &Bundle{
-		Skills: []BundleSkill{
-			{
-				ID:          "web-search",
-				Name:        "Web Search",
-				Description: "Search the web",
-				Files:       map[string]string{"readme.md": "# Web Search"},
-			},
-			{
-				ID:          "code-runner",
-				Name:        "Code Runner",
-				Description: "Execute code",
-				Files:       map[string]string{"handler.py": "print('hello')"},
-			},
-		},
-	}
-	files := buildBundleConfigFiles(b)
-	if len(files) != 2 {
-		t.Fatalf("expected 2 skill files, got %d", len(files))
-	}
-
-	if content, ok := files["skills/web-search/readme.md"]; !ok {
-		t.Error("missing skills/web-search/readme.md")
-	} else if string(content) != "# Web Search" {
-		t.Errorf("unexpected readme.md: %q", content)
-	}
-
-	if _, ok := files["skills/code-runner/handler.py"]; !ok {
-		t.Error("missing skills/code-runner/handler.py")
-	}
-}
-
-func TestBuildBundleConfigFiles_skillsWithSubPaths(t *testing.T) {
-	b := &Bundle{
-		Skills: []BundleSkill{
-			{
-				ID:    "nested-skill",
-				Files: map[string]string{"src/main.py": "def main(): pass", "pyproject.toml": "[tool.foo]"},
-			},
-		},
-	}
-	files := buildBundleConfigFiles(b)
-	if len(files) != 2 {
-		t.Fatalf("expected 2 files, got %d", len(files))
-	}
-	if _, ok := files["skills/nested-skill/src/main.py"]; !ok {
-		t.Error("missing skills/nested-skill/src/main.py")
-	}
-	if _, ok := files["skills/nested-skill/pyproject.toml"]; !ok {
-		t.Error("missing skills/nested-skill/pyproject.toml")
-	}
-}
-
-func TestBuildBundleConfigFiles_skipsEmptyPrompts(t *testing.T) {
-	b := &Bundle{Prompts: map[string]string{}}
-	files := buildBundleConfigFiles(b)
-	if len(files) != 0 {
-		t.Errorf("expected 0 files for empty prompts map, got %d", len(files))
-	}
-}
-
-func TestBuildBundleConfigFiles_skipsMissingConfigYaml(t *testing.T) {
-	b := &Bundle{
-		SystemPrompt: "# My Prompt",
-		Prompts:      map[string]string{"other.yaml": "something: else"},
-	}
-	files := buildBundleConfigFiles(b)
-	if len(files) != 1 {
-		t.Fatalf("expected 1 file (system-prompt only), got %d", len(files))
-	}
-	if _, ok := files["config.yaml"]; ok {
-		t.Error("config.yaml should not be written when not in Prompts")
-	}
-}
-
-func TestNilIfEmpty_emptyString(t *testing.T) {
-	result := nilIfEmpty("")
-	if result != nil {
-		t.Errorf("expected nil for empty string, got %v", result)
-	}
-}
-
-func TestNilIfEmpty_nonEmptyString(t *testing.T) {
-	result := nilIfEmpty("hello")
-	if result == nil {
-		t.Fatal("expected non-nil result for non-empty string")
-	}
-	if result != "hello" {
-		t.Errorf("expected hello, got %q", result)
-	}
-}
-
-func TestNilIfEmpty_whitespaceString(t *testing.T) {
-	// Whitespace is not empty — nilIfEmpty only checks for zero-length
-	result := nilIfEmpty("   ")
-	if result == nil {
-		t.Error("expected non-nil for whitespace string")
-	} else if result != "   " {
-		t.Errorf("expected '   ', got %q", result)
-	}
-}
-
-func TestNilIfEmpty_EmptyString(t *testing.T) {
-	got := nilIfEmpty("")
-	if got != nil {
-		t.Errorf("nilIfEmpty(\"\"): want nil, got %v", got)
-	}
-}
-
-func TestNilIfEmpty_NonEmptyString(t *testing.T) {
-	got := nilIfEmpty("hello")
-	if got == nil {
-		t.Fatal("nilIfEmpty(\"hello\"): want \"hello\", got nil")
-	}
-	if s, ok := got.(string); !ok || s != "hello" {
-		t.Errorf("nilIfEmpty(\"hello\"): got %v (%T)", got, got)
-	}
-}
-
-func TestNilIfEmpty_Whitespace(t *testing.T) {
-	got := nilIfEmpty("   ")
-	if got == nil {
-		t.Fatal("nilIfEmpty(\"   \"): want \"   \", got nil (whitespace is not empty)")
-	}
-	if s, ok := got.(string); !ok || s != "   " {
-		t.Errorf("nilIfEmpty(\"   \"): got %v (%T)", got, got)
-	}
-}

workspace-server/internal/handlers/a2a_proxy.go

@@ -512,13 +512,6 @@ func (h *WorkspaceHandler) proxyA2ARequest(ctx context.Context, workspaceID stri
 
 	if logActivity {
 		h.logA2ASuccess(ctx, workspaceID, callerID, body, respBody, a2aMethod, resp.StatusCode, durationMs)
-		// Fix #376: when the proxied method is 'delegate_result', also write
-		// the delegation row so heartbeat delegation polling can find it.
-		// Without this, proxy-path delegation results are invisible to
-		// ListDelegations / heartbeat delegation polling.
-		if a2aMethod == "delegate_result" {
-			h.logA2ADelegationResult(ctx, workspaceID, callerID, body, respBody, resp.StatusCode)
-		}
 	}
 
 	// Track LLM token usage for cost transparency (#593).

workspace-server/internal/handlers/a2a_proxy_helpers.go

@@ -336,93 +336,6 @@ func (h *WorkspaceHandler) logA2ASuccess(ctx context.Context, workspaceID, calle
 	}
 }
 
-// logA2ADelegationResult records a delegation result into activity_logs
-// with method='delegate_result' and activity_type='delegation' so that
-// ListDelegations (and therefore the heartbeat delegation-polling path)
-// can surface it to the caller.
-//
-// This bridges the gap for proxy-path delegations: when a workspace
-// sends a delegate_task via POST /workspaces/:id/a2a, the proxy stores
-// the response here with the correct method so heartbeat polling finds it.
-// (The non-proxy path via executeDelegation already writes correctly via
-// its own INSERT at delegation.go:422.)
-//
-// Fire-and-forget: runs in a goroutine so it never adds latency to the
-// critical A2A response path. Errors are logged but non-fatal.
-func (h *WorkspaceHandler) logA2ADelegationResult(ctx context.Context, callerID, targetID string, reqBody, respBody []byte, statusCode int) {
-	// Extract delegation_id from the request body (JSON-RPC delegate_result).
-	var req struct {
-		Params struct {
-			Data struct {
-				DelegationID string `json:"delegation_id"`
-			} `json:"data"`
-		} `json:"params"`
-	}
-	if err := json.Unmarshal(reqBody, &req); err != nil {
-		log.Printf("logA2ADelegationResult: failed to parse req body: %v", err)
-		return
-	}
-	delegationID := req.Params.Data.DelegationID
-	if delegationID == "" {
-		log.Printf("logA2ADelegationResult: no delegation_id in request body")
-		return
-	}
-
-	// Extract text from the response body — the delegate_result response
-	// carries the agent's answer in result.data.text or result.text.
-	var responseText string
-	var respTop map[string]json.RawMessage
-	if json.Unmarshal(respBody, &respTop) == nil {
-		if result, ok := respTop["result"]; ok {
-			var resultObj map[string]json.RawMessage
-			if json.Unmarshal(result, &resultObj) == nil {
-				if textRaw, ok := resultObj["text"]; ok {
-					json.Unmarshal(textRaw, &responseText)
-				} else if dataRaw, ok := resultObj["data"]; ok {
-					var dataObj map[string]json.RawMessage
-					if json.Unmarshal(dataRaw, &dataObj) == nil {
-						if textRaw, ok := dataObj["text"]; ok {
-							json.Unmarshal(textRaw, &responseText)
-						}
-					}
-				}
-			}
-		}
-		if responseText == "" {
-			if textRaw, ok := respTop["text"]; ok {
-				json.Unmarshal(textRaw, &responseText)
-			}
-		}
-	}
-
-	status := "completed"
-	if statusCode >= 300 {
-		status = "failed"
-	}
-
-	summary := "Delegation completed"
-	if status == "failed" {
-		summary = "Delegation failed"
-	}
-
-	go func(parent context.Context) {
-		logCtx, cancel := context.WithTimeout(context.WithoutCancel(parent), 30*time.Second)
-		defer cancel()
-		respJSON, _ := json.Marshal(map[string]interface{}{
-			"text":          responseText,
-			"delegation_id": delegationID,
-		})
-		if _, err := db.DB.ExecContext(logCtx, `
-			INSERT INTO activity_logs (
-				workspace_id, activity_type, method, source_id, target_id,
-				summary, request_body, response_body, status
-			) VALUES ($1, 'delegation', 'delegate_result', $2, $3, $4, $5::jsonb, $6::jsonb, $7)
-		`, callerID, callerID, targetID, summary, string(reqBody), string(respJSON), status); err != nil {
-			log.Printf("logA2ADelegationResult: INSERT failed for delegation %s: %v", delegationID, err)
-		}
-	}(ctx)
-}
-
 func nilIfEmpty(s string) *string {
 	if s == "" {
 		return nil
@@ -497,7 +410,7 @@ func extractToolTrace(respBody []byte) json.RawMessage {
 		return nil
 	}
 	trace, ok := meta["tool_trace"]
-	if !ok || string(trace) == "[]" {
+	if !ok || len(trace) == 0 {
 		return nil
 	}
 	return trace