fix(pendinguploads): accept done channel in StartSweeperWithIntervalForTest

Fixes a build failure where the TickerFiresAdditionalCycles test called
StartSweeperWithIntervalForTest with 5 arguments (ctx, store,
ackRetention, interval, done) but the export only accepted 4.

Also fixes a pre-existing vet error in org_external.go: a no-op
`append(gitArgs(...))` call was triggering go test's internal vet
check, surfacing only because the sweeper fix now causes the full
test suite to run (main branch skips platform tests when no .go files
change, completing in 10s vs 14min for the full suite).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitea/scripts/review-check.sh

@@ -0,0 +1,203 @@
+#!/usr/bin/env bash
+# review-check — evaluate whether a PR satisfies a single team-review gate.
+#
+# RFC#324 Step 1 of 5 — qa-review + security-review check workflows.
+#
+# This is the shared evaluator invoked by:
+#   .gitea/workflows/qa-review.yml      (TEAM=qa,      TEAM_ID=20)
+#   .gitea/workflows/security-review.yml (TEAM=security, TEAM_ID=21)
+#
+# Pass condition (per RFC#324 v1.1 addendum):
+#   ≥ 1 review on the PR where:
+#     • state == APPROVED
+#     • review.dismissed == false
+#     • review.user.login != PR.user.login (non-author)
+#     • review.user.login ∈ team-members
+#
+# Strict mode (default OFF for v1; see RFC trade-off note):
+#   If REVIEW_CHECK_STRICT=1, additionally require review.commit_id == PR.head.sha.
+#   With dismiss_stale_reviews: true at the protection layer, stale reviews
+#   are already dismissed, so the additional commit_id check is belt-and-
+#   suspenders. Keeping it off in v1 simplifies semantics; flip in a follow-up
+#   PR if reviewer telemetry shows residual stale-APPROVE merges.
+#
+# Privilege gate (RFC#324 v1.3 §A1.1 — INFORMATIONAL ONLY):
+#   The /qa-recheck and /security-recheck slash-commands can be triggered
+#   by anyone who can comment on the PR. The workflow's privilege step
+#   logs collaborator-status but does NOT gate execution of this script.
+#   Why this is safe: this evaluator is read-only and idempotent —
+#   reading `pulls/{N}/reviews` and `teams/{id}/members/{u}` can't be
+#   influenced by who triggered the run. If a real team-member APPROVE
+#   exists the gate flips green; otherwise it stays red. A
+#   non-collaborator commenting /qa-recheck cannot manufacture a green
+#   gate. Original (v1.2) design with `if:`-gating of this step was
+#   fail-open (skipped-via-`if:` job still publishes the status as
+#   `success`) — corrected in v1.3 per hongming-pc review 1421.
+#
+# Trust boundary (RFC A4):
+#   This script is loaded from the BASE branch (sourced via .gitea/scripts/
+#   on the workflow's checkout-of-base). It does NOT execute any PR-HEAD
+#   code. It only reads PR review state via the Gitea API.
+#
+# Token scope (RFC A1-α):
+#   The job's own conclusion (exit 0 / exit 1) is what publishes the
+#   `qa-review / approved` / `security-review / approved` status context.
+#   NO `POST /statuses` call here → NO `write:repository` scope on the
+#   token. `read:organization` (for team-membership probe) and
+#   `read:repository` (for PR + reviews) are enough.
+#
+# Required env:
+#   GITEA_TOKEN — least-priv read:repository + read:organization. See note
+#                 below about the team-membership API requiring the token
+#                 owner to be in the queried team (Gitea 1.22.6 quirk).
+#   GITEA_HOST  — e.g. git.moleculesai.app
+#   REPO        — owner/name (from github.repository)
+#   PR_NUMBER   — int (from github.event.pull_request.number or
+#                 github.event.issue.number for issue_comment events)
+#   TEAM        — short team name (qa | security) for log lines
+#   TEAM_ID     — Gitea team id (20=qa, 21=security at time of writing)
+#
+# Optional:
+#   REVIEW_CHECK_DEBUG=1 — per-API-call diagnostic lines
+#   REVIEW_CHECK_STRICT=1 — also require review.commit_id == pr.head.sha
+
+set -euo pipefail
+
+# jq is required for JSON parsing. It is pre-baked into the runner-base
+# image (per RFC#268 workflow-smoke), so the only reason we'd not find it
+# is a broken runner. The previous fallback dance (apt-get + curl to
+# /usr/local/bin/jq) cannot succeed on a uid-1001 rootless runner
+# (#391/#402 + feedback_ci_runner_install_needs_writable_path), so it's
+# dropped. Fail loud with a clear diagnostic rather than attempt an
+# install that physically cannot work.
+if ! command -v jq >/dev/null 2>&1; then
+  echo "::error::jq missing from runner-base image — bake it into the runner image (see RFC#268 workflow-smoke / feedback_ci_runner_install_needs_writable_path). This evaluator cannot run without jq."
+  exit 1
+fi
+
+: "${GITEA_TOKEN:?GITEA_TOKEN required}"
+: "${GITEA_HOST:?GITEA_HOST required}"
+: "${REPO:?REPO required (owner/name)}"
+: "${PR_NUMBER:?PR_NUMBER required}"
+: "${TEAM:?TEAM required (qa|security)}"
+: "${TEAM_ID:?TEAM_ID required (integer)}"
+
+OWNER="${REPO%%/*}"
+NAME="${REPO##*/}"
+API="https://${GITEA_HOST}/api/v1"
+
+# Token-in-argv fix (#541): write the Authorization header to a mode-600
+# temp file instead of passing it via curl -H "$AUTH" (which puts the
+# secret token value in the process table for any process to read via
+# /proc/<pid>/cmdline or ps -ef). The curl config file is read by curl
+# itself and never appears in the argv of the curl subprocess.
+CURL_AUTH_FILE=$(mktemp -p /tmp curl-auth.XXXXXX)
+chmod 600 "$CURL_AUTH_FILE"
+printf 'header = "Authorization: token %s"\n' "$GITEA_TOKEN" > "$CURL_AUTH_FILE"
+
+# Pre-create temp files so cleanup trap can reference them by name
+# (bash trap 'function' EXIT expands variables at trap-fire time, not def time).
+PR_JSON=$(mktemp)
+REVIEWS_JSON=$(mktemp)
+TEAM_PROBE_TMP=$(mktemp)
+
+cleanup() {
+  rm -f "$CURL_AUTH_FILE" "$PR_JSON" "$REVIEWS_JSON" "$TEAM_PROBE_TMP"
+}
+trap cleanup EXIT
+
+debug() {
+  if [ "${REVIEW_CHECK_DEBUG:-}" = "1" ]; then
+    echo "  [debug] $*" >&2
+  fi
+}
+
+echo "::notice::${TEAM}-review evaluating repo=${OWNER}/${NAME} pr=${PR_NUMBER} team_id=${TEAM_ID}"
+
+# --- Fetch the PR (for author + head.sha) ---
+HTTP_CODE=$(curl -sS -o "$PR_JSON" -w '%{http_code}' \
+  -K "$CURL_AUTH_FILE" "${API}/repos/${OWNER}/${NAME}/pulls/${PR_NUMBER}")
+if [ "$HTTP_CODE" != "200" ]; then
+  echo "::error::GET /pulls/${PR_NUMBER} returned HTTP ${HTTP_CODE} (token scope?)"
+  cat "$PR_JSON" >&2
+  exit 1
+fi
+PR_AUTHOR=$(jq -r '.user.login // ""' "$PR_JSON")
+PR_HEAD_SHA=$(jq -r '.head.sha // ""' "$PR_JSON")
+PR_STATE=$(jq -r '.state // ""' "$PR_JSON")
+debug "pr_author=${PR_AUTHOR} pr_head=${PR_HEAD_SHA:0:7} pr_state=${PR_STATE}"
+
+if [ "$PR_STATE" != "open" ]; then
+  echo "::notice::PR ${PR_NUMBER} is ${PR_STATE} — exiting 0 (closed PRs do not gate)"
+  exit 0
+fi
+if [ -z "$PR_AUTHOR" ] || [ -z "$PR_HEAD_SHA" ]; then
+  echo "::error::PR ${PR_NUMBER} missing user.login or head.sha — webhook payload malformed"
+  exit 1
+fi
+
+# --- Fetch all reviews on the PR ---
+HTTP_CODE=$(curl -sS -o "$REVIEWS_JSON" -w '%{http_code}' \
+  -K "$CURL_AUTH_FILE" "${API}/repos/${OWNER}/${NAME}/pulls/${PR_NUMBER}/reviews")
+if [ "$HTTP_CODE" != "200" ]; then
+  echo "::error::GET /pulls/${PR_NUMBER}/reviews returned HTTP ${HTTP_CODE}"
+  cat "$REVIEWS_JSON" >&2
+  exit 1
+fi
+
+# Filter: state=APPROVED, not-dismissed, non-author. Optionally strict-mode
+# adds commit_id==head.sha (off by default; see header).
+JQ_FILTER='.[]
+  | select(.state == "APPROVED")
+  | select(.dismissed != true)
+  | select(.user.login != $author)'
+if [ "${REVIEW_CHECK_STRICT:-}" = "1" ]; then
+  JQ_FILTER="${JQ_FILTER}
+  | select(.commit_id == \$head)"
+fi
+JQ_FILTER="${JQ_FILTER}
+  | .user.login"
+
+CANDIDATES=$(jq -r --arg author "$PR_AUTHOR" --arg head "$PR_HEAD_SHA" "$JQ_FILTER" "$REVIEWS_JSON" | sort -u)
+debug "candidate non-author approvers: $(echo "$CANDIDATES" | tr '\n' ' ')"
+
+if [ -z "$CANDIDATES" ]; then
+  echo "::error::${TEAM}-review awaiting non-author APPROVE from ${TEAM} team (no candidates yet)"
+  exit 1
+fi
+
+# --- Probe team membership per candidate ---
+# Endpoint: GET /api/v1/teams/{id}/members/{username}
+#   200/204 → is member
+#   403     → token owner is not in this team (Gitea 1.22.6 'Must be a team
+#             member' constraint — see follow-up issue for token-provisioning)
+#   404     → not a member
+for U in $CANDIDATES; do
+  CODE=$(curl -sS -o "$TEAM_PROBE_TMP" -w '%{http_code}' \
+    -K "$CURL_AUTH_FILE" "${API}/teams/${TEAM_ID}/members/${U}")
+  debug "probe ${U} in team ${TEAM} (id=${TEAM_ID}) → HTTP ${CODE}"
+  case "$CODE" in
+    200|204)
+      echo "::notice::${TEAM}-review APPROVED by ${U} (team=${TEAM})"
+      exit 0
+      ;;
+    403)
+      # Token owner is not in the team being probed; the API refuses to
+      # confirm membership. This is the RFC#324 follow-up token-scope gap.
+      # Fail closed — never grant approval on a 403; surface clearly.
+      echo "::error::team-probe for ${U} in ${TEAM} returned 403 (token owner not in ${TEAM} team — RFC#324 token-scope follow-up). Cannot confirm membership; failing closed."
+      cat "$TEAM_PROBE_TMP" >&2
+      exit 1
+      ;;
+    404)
+      debug "${U} not a member of ${TEAM}"
+      ;;
+    *)
+      echo "::warning::team-probe for ${U} in ${TEAM} returned unexpected HTTP ${CODE}"
+      cat "$TEAM_PROBE_TMP" >&2
+      ;;
+  esac
+done
+
+echo "::error::${TEAM}-review awaiting non-author APPROVE from ${TEAM} team (candidates: $(echo "$CANDIDATES" | tr '\n' ',' | sed 's/,$//') — none are in team)"
+exit 1

.gitea/scripts/tests/_review_check_fixture.py

@@ -0,0 +1,140 @@
+#!/usr/bin/env python3
+"""Stub Gitea API for review-check.sh test scenarios.
+
+Reads $FIXTURE_STATE_DIR/scenario to decide what to return for each
+endpoint the review-check.sh script calls.
+Reads $FIXTURE_STATE_DIR/token_owner_in_teams to decide whether
+the team membership probe returns 200/204 (member) or 403 (not in team).
+
+Scenarios:
+  T1_pr_open          — open PR, author=alice, sha=deadbeef → continue
+  T2_pr_closed        — closed PR → script exits 0 (no-op)
+  T3_reviews_approved_non_author  — one APPROVED from non-author → candidates exist
+  T4_reviews_empty             — zero APPROVED non-author → exit 1 (no candidates)
+  T5_reviews_only_author        — only author reviews → exit 1 (no candidates)
+  T6_reviews_dismissed          — dismissed APPROVED → treated as no approval
+  T7_team_member              — team membership → 204 (member) → exit 0
+  T8_team_not_member          — team membership → 404 (not a member) → exit 1
+  T9_team_403                — team membership → 403 (token not in team) → exit 1
+
+Usage:
+  FIXTURE_STATE_DIR=/tmp/x python3 _review_check_fixture.py 8080
+"""
+
+import http.server
+import json
+import os
+import re
+import sys
+import urllib.parse
+
+
+STATE_DIR = os.environ.get("FIXTURE_STATE_DIR", "/tmp")
+
+
+def scenario() -> str:
+    p = os.path.join(STATE_DIR, "scenario")
+    if not os.path.isfile(p):
+        return "T1_pr_open"
+    with open(p) as f:
+        return f.read().strip()
+
+
+class Handler(http.server.BaseHTTPRequestHandler):
+    def log_message(self, *args, **kwargs):
+        pass  # keep stdout for explicit logs only
+
+    def _json(self, code: int, body: dict) -> None:
+        payload = json.dumps(body).encode()
+        self.send_response(code)
+        self.send_header("Content-Type", "application/json")
+        self.send_header("Content-Length", str(len(payload)))
+        self.end_headers()
+        self.wfile.write(payload)
+
+    def _empty(self, code: int) -> None:
+        self.send_response(code)
+        self.send_header("Content-Length", "0")
+        self.end_headers()
+
+    def _text(self, code: int, body: str) -> None:
+        payload = body.encode()
+        self.send_response(code)
+        self.send_header("Content-Type", "text/plain")
+        self.send_header("Content-Length", str(len(payload)))
+        self.end_headers()
+        self.wfile.write(payload)
+
+    def do_GET(self):
+        u = urllib.parse.urlparse(self.path)
+        path = u.path
+        sc = scenario()
+
+        if path == "/_ping":
+            return self._json(200, {"ok": True})
+
+        # GET /repos/{owner}/{name}/pulls/{pr_number}
+        m = re.match(r"^/api/v1/repos/([^/]+)/([^/]+)/pulls/(\d+)$", path)
+        if m:
+            owner, name, pr_num = m.group(1), m.group(2), m.group(3)
+            if sc == "T2_pr_closed":
+                return self._json(200, {
+                    "number": int(pr_num),
+                    "state": "closed",
+                    "head": {"sha": "deadbeef0000111122223333444455556666"},
+                    "user": {"login": "alice"},
+                })
+            return self._json(200, {
+                "number": int(pr_num),
+                "state": "open",
+                "head": {"sha": "deadbeef0000111122223333444455556666"},
+                "user": {"login": "alice"},
+            })
+
+        # GET /repos/{owner}/{name}/pulls/{pr_number}/reviews
+        m = re.match(r"^/api/v1/repos/([^/]+)/([^/]+)/pulls/(\d+)/reviews$", path)
+        if m:
+            if sc in ("T4_reviews_empty", "T5_reviews_only_author"):
+                return self._json(200, [])
+            if sc == "T6_reviews_dismissed":
+                return self._json(200, [{
+                    "state": "APPROVED",
+                    "dismissed": True,
+                    "user": {"login": "core-devops"},
+                    "commit_id": "abc1234",
+                }])
+            if sc == "T3_reviews_approved_non_author":
+                return self._json(200, [
+                    {"state": "CHANGES_REQUESTED", "dismissed": False, "user": {"login": "bob"}, "commit_id": "abc1234"},
+                    {"state": "APPROVED", "dismissed": False, "user": {"login": "core-devops"}, "commit_id": "abc1234"},
+                ])
+            # Default: one non-author APPROVED
+            return self._json(200, [
+                {"state": "APPROVED", "dismissed": False, "user": {"login": "core-devops"}, "commit_id": "abc1234"},
+            ])
+
+        # GET /teams/{team_id}/members/{username}
+        m = re.match(r"^/api/v1/teams/(\d+)/members/([^/]+)$", path)
+        if m:
+            team_id, login = m.group(1), m.group(2)
+            if sc == "T8_team_not_member":
+                return self._empty(404)
+            if sc == "T9_team_403":
+                return self._empty(403)
+            # T7_team_member: member
+            return self._empty(204)
+
+        return self._json(404, {"path": path, "msg": "fixture: no route"})
+
+    def do_POST(self):
+        self._json(404, {"path": self.path, "msg": "fixture: no POST routes"})
+
+
+def main():
+    port = int(sys.argv[1])
+    srv = http.server.ThreadingHTTPServer(("127.0.0.1", port), Handler)
+    srv.serve_forever()
+
+
+if __name__ == "__main__":
+    main()

.gitea/scripts/tests/test_review_check.sh

@@ -0,0 +1,331 @@
+#!/usr/bin/env bash
+# Regression tests for .gitea/scripts/review-check.sh (RFC#324 Step 1).
+#
+# Covers:
+#   T1  — open PR: script fetches PR + reviews, continues to team probe
+#   T2  — closed PR: script exits 0 (no-op)
+#   T3  — APPROVED non-author review exists → candidates exist
+#   T4  — no non-author APPROVED reviews → exit 1 (no candidates)
+#   T5  — only author reviews (no non-author APPROVE) → exit 1
+#   T6  — dismissed APPROVED review → treated as no approval
+#   T7  — team membership probe → 204 (member) → script exits 0
+#   T8  — team membership probe → 404 (not a member) → script exits 1
+#   T9  — team membership probe → 403 (token not in team) → script exits 1 (fail closed)
+#   T10 — CURL_AUTH_FILE created with mode 600 and correct header content
+#   T11 — bash syntax check (bash -n passes)
+#   T12 — jq filter: non-author APPROVED → in candidate list; dismissed → excluded
+#   T13 — missing required env GITEA_TOKEN → exits 1 with error
+#
+# Hostile-self-review (per feedback_assert_exact_not_substring):
+# this test MUST FAIL if the script is absent. Verified by running
+# the test before the file exists (covered in the PR body).
+
+set -euo pipefail
+
+THIS_DIR="$(cd "$(dirname "$0")" && pwd)"
+SCRIPT_DIR="$(cd "$THIS_DIR/.." && pwd)"
+SCRIPT="$SCRIPT_DIR/review-check.sh"
+
+PASS=0
+FAIL=0
+FAILED_TESTS=""
+
+assert_eq() {
+  local label="$1"
+  local expected="$2"
+  local got="$3"
+  if [ "$expected" = "$got" ]; then
+    echo "  PASS  $label"
+    PASS=$((PASS + 1))
+  else
+    echo "  FAIL  $label"
+    echo "        expected: <$expected>"
+    echo "        got:      <$got>"
+    FAIL=$((FAIL + 1))
+    FAILED_TESTS="${FAILED_TESTS} ${label}"
+  fi
+}
+
+assert_contains() {
+  local label="$1"
+  local needle="$2"
+  local haystack="$3"
+  if printf '%s' "$haystack" | grep -qF "$needle"; then
+    echo "  PASS  $label"
+    PASS=$((PASS + 1))
+  else
+    echo "  FAIL  $label"
+    echo "        needle:    <$needle>"
+    echo "        haystack:  <$(printf '%s' "$haystack" | head -c 200)>"
+    FAIL=$((FAIL + 1))
+    FAILED_TESTS="${FAILED_TESTS} ${label}"
+  fi
+}
+
+assert_file_mode() {
+  local label="$1"
+  local path="$2"
+  local expected_mode="$3"
+  if [ ! -f "$path" ]; then
+    echo "  FAIL  $label (file not found: $path)"
+    FAIL=$((FAIL + 1))
+    FAILED_TESTS="${FAILED_TESTS} ${label}"
+    return
+  fi
+  local got_mode
+  got_mode=$(stat -c '%a' "$path" 2>/dev/null || echo "000")
+  if [ "$expected_mode" = "$got_mode" ]; then
+    echo "  PASS  $label (mode=$got_mode)"
+    PASS=$((PASS + 1))
+  else
+    echo "  FAIL  $label (expected mode=$expected_mode, got=$got_mode)"
+    FAIL=$((FAIL + 1))
+    FAILED_TESTS="${FAILED_TESTS} ${label}"
+  fi
+}
+
+assert_file_contains() {
+  local label="$1"
+  local path="$2"
+  local needle="$3"
+  if [ ! -f "$path" ]; then
+    echo "  FAIL  $label (file not found: $path)"
+    FAIL=$((FAIL + 1))
+    FAILED_TESTS="${FAILED_TESTS} ${label}"
+    return
+  fi
+  if grep -qF "$needle" "$path"; then
+    echo "  PASS  $label"
+    PASS=$((PASS + 1))
+  else
+    echo "  FAIL  $label (needle not found: <$needle>)"
+    FAIL=$((FAIL + 1))
+    FAILED_TESTS="${FAILED_TESTS} ${label}"
+  fi
+}
+
+# Existence check (foundation)
+echo
+echo "== existence =="
+if [ -f "$SCRIPT" ]; then
+  echo "  PASS  script exists: $SCRIPT"
+  PASS=$((PASS + 1))
+else
+  echo "  FAIL  script not found: $SCRIPT"
+  FAIL=$((FAIL + 1))
+  FAILED_TESTS="${FAILED_TESTS} script_exists"
+  echo
+  echo "------"
+  echo "PASS=$PASS FAIL=$FAIL (existence)"
+  echo "Cannot proceed without the script."
+  exit 1
+fi
+
+# T11 — bash syntax check
+echo
+echo "== T11 bash syntax =="
+if bash -n "$SCRIPT" 2>&1; then
+  echo "  PASS  T11 bash -n passes"
+  PASS=$((PASS + 1))
+else
+  echo "  FAIL  T11 bash -n failed"
+  FAIL=$((FAIL + 1))
+  FAILED_TESTS="${FAILED_TESTS} T11"
+fi
+
+# T13 — missing required env
+echo
+echo "== T13 missing GITEA_TOKEN =="
+set +e
+T13_OUT=$(PATH="/tmp:$PATH" GITEA_TOKEN= GITEA_HOST=git.example.com REPO=x/y PR_NUMBER=1 TEAM=qa TEAM_ID=1 bash "$SCRIPT" 2>&1 || true)
+set -e
+assert_contains "T13 exits non-zero when GITEA_TOKEN missing" "GITEA_TOKEN required" "$T13_OUT"
+
+# Start fixture HTTP server
+echo
+echo "== fixture setup =="
+FIXTURE_DIR=$(mktemp -d)
+trap 'rm -rf "$FIXTURE_DIR"; [ -n "${FIX_PID:-}" ] && kill "$FIX_PID" 2>/dev/null || true' EXIT
+FIXTURE_PY="$THIS_DIR/_review_check_fixture.py"
+if [ ! -f "$FIXTURE_PY" ]; then
+  echo "::error::fixture server $FIXTURE_PY missing"
+  exit 1
+fi
+
+FIX_LOG="$FIXTURE_DIR/fixture.log"
+FIX_STATE_DIR="$FIXTURE_DIR/state"
+mkdir -p "$FIX_STATE_DIR"
+
+# Find an unused port
+FIX_PORT=$(python3 -c 'import socket;s=socket.socket();s.bind(("127.0.0.1",0));print(s.getsockname()[1]);s.close()')
+
+FIXTURE_STATE_DIR="$FIX_STATE_DIR" python3 "$FIXTURE_PY" "$FIX_PORT" \
+  >"$FIX_LOG" 2>&1 &
+FIX_PID=$!
+
+# Wait for fixture readiness
+for _ in $(seq 1 50); do
+  if curl -fsS "http://127.0.0.1:${FIX_PORT}/_ping" >/dev/null 2>&1; then
+    break
+  fi
+  sleep 0.1
+done
+if ! curl -fsS "http://127.0.0.1:${FIX_PORT}/_ping" >/dev/null 2>&1; then
+  echo "::error::fixture server failed to start. Log:"
+  cat "$FIX_LOG"
+  exit 1
+fi
+echo "  fixture running on port $FIX_PORT"
+
+# Install a curl shim that rewrites https://fixture.local/* -> http://127.0.0.1:$FIX_PORT/*
+# Use double-quoted heredoc so FIX_PORT is expanded into the shim at creation time.
+mkdir -p "$FIXTURE_DIR/bin"
+cat >"$FIXTURE_DIR/bin/curl" <<"CURL_SHIM"
+#!/usr/bin/env bash
+# Shim: rewrite https://fixture.local/* -> http://127.0.0.1:FIXPORT/*
+# Generated at test-run time; FIXPORT is substituted when this file is written.
+new_args=()
+for a in "$@"; do
+  if [[ "$a" == https://fixture.local/* ]]; then
+    rest="${a#https://fixture.local}"
+    a="http://127.0.0.1:FIXPORT${rest}"
+  fi
+  new_args+=("$a")
+done
+exec /usr/bin/curl "${new_args[@]}"
+CURL_SHIM
+# Now substitute FIXPORT with the actual port number
+sed -i "s/FIXPORT/${FIX_PORT}/g" "$FIXTURE_DIR/bin/curl"
+chmod +x "$FIXTURE_DIR/bin/curl"
+
+# Helper: run the script with fixture environment
+run_review_check() {
+  local scenario="$1"
+  echo "$scenario" >"$FIX_STATE_DIR/scenario"
+  local out
+  set +e
+  out=$(
+    PATH="$FIXTURE_DIR/bin:/tmp:$PATH" \
+    GITEA_TOKEN="fixture-token" \
+    GITEA_HOST="fixture.local" \
+    REPO="molecule-ai/molecule-core" \
+    PR_NUMBER="999" \
+    TEAM="qa" \
+    TEAM_ID="20" \
+    REVIEW_CHECK_DEBUG="0" \
+    REVIEW_CHECK_STRICT="0" \
+    bash "$SCRIPT" 2>&1
+  )
+  local rc=$?
+  set -e
+  echo "$out" >"$FIX_STATE_DIR/last_run.log"
+  echo "$rc" >"$FIX_STATE_DIR/last_rc"
+  echo "$out"
+}
+
+# T1 — open PR: script fetches PR and continues
+echo
+echo "== T1 open PR =="
+T1_OUT=$(run_review_check "T1_pr_open")
+T1_RC=$(cat "$FIX_STATE_DIR/last_rc")
+assert_eq "T1 exit code 0 (approver exists + team member)" "0" "$T1_RC"
+assert_contains "T1 qa-review APPROVED by core-devops" "APPROVED by core-devops" "$T1_OUT"
+
+# T2 — closed PR: exits 0 immediately (no-op)
+echo
+echo "== T2 closed PR =="
+T2_OUT=$(run_review_check "T2_pr_closed")
+T2_RC=$(cat "$FIX_STATE_DIR/last_rc")
+assert_eq "T2 exit code 0 (closed PR no-op)" "0" "$T2_RC"
+
+# T3 — APPROVED non-author reviews exist
+echo
+echo "== T3 approved non-author reviews =="
+T3_OUT=$(run_review_check "T3_reviews_approved_non_author")
+T3_RC=$(cat "$FIX_STATE_DIR/last_rc")
+assert_eq "T3 exit code 0 (candidates + team member)" "0" "$T3_RC"
+
+# T4 — no non-author APPROVED reviews → exit 1
+echo
+echo "== T4 no non-author APPROVED reviews =="
+T4_OUT=$(run_review_check "T4_reviews_empty")
+T4_RC=$(cat "$FIX_STATE_DIR/last_rc")
+assert_eq "T4 exit code 1 (no candidates)" "1" "$T4_RC"
+assert_contains "T4 awaiting non-author APPROVE" "awaiting non-author APPROVE" "$T4_OUT"
+
+# T5 — only author reviews → exit 1
+echo
+echo "== T5 only author reviews =="
+T5_OUT=$(run_review_check "T5_reviews_only_author")
+T5_RC=$(cat "$FIX_STATE_DIR/last_rc")
+assert_eq "T5 exit code 1 (only author reviews, no candidates)" "1" "$T5_RC"
+
+# T6 — dismissed APPROVED review → treated as no approval
+echo
+echo "== T6 dismissed APPROVED review =="
+T6_OUT=$(run_review_check "T6_reviews_dismissed")
+T6_RC=$(cat "$FIX_STATE_DIR/last_rc")
+assert_eq "T6 exit code 1 (dismissed = no approval)" "1" "$T6_RC"
+
+# T7 — team member → exit 0
+echo
+echo "== T7 team membership 204 (member) =="
+T7_OUT=$(run_review_check "T7_team_member")
+T7_RC=$(cat "$FIX_STATE_DIR/last_rc")
+assert_eq "T7 exit code 0 (member, APPROVED)" "0" "$T7_RC"
+assert_contains "T7 APPROVED by core-devops (team member)" "APPROVED by core-devops" "$T7_OUT"
+
+# T8 — not a team member → exit 1 (fail closed)
+echo
+echo "== T8 team membership 404 (not a member) =="
+T8_OUT=$(run_review_check "T8_team_not_member")
+T8_RC=$(cat "$FIX_STATE_DIR/last_rc")
+assert_eq "T8 exit code 1 (not in team)" "1" "$T8_RC"
+
+# T9 — 403 token-not-in-team → exit 1 (fail closed)
+echo
+echo "== T9 team membership 403 (token not in team) =="
+T9_OUT=$(run_review_check "T9_team_403")
+T9_RC=$(cat "$FIX_STATE_DIR/last_rc")
+assert_eq "T9 exit code 1 (403 token-not-in-team, fail closed)" "1" "$T9_RC"
+assert_contains "T9 403 error in output" "403" "$T9_OUT"
+
+# T10 — token file creation and permissions
+echo
+echo "== T10 CURL_AUTH_FILE =="
+# Verify the token-file logic directly: create a temp file with the
+# same mktemp pattern, write the header with printf, chmod 600, then assert.
+T10_TOKEN="secret-test-token-abc123"
+T10_AUTHFILE=$(mktemp -p /tmp curl-auth.test.XXXXXX)
+chmod 600 "$T10_AUTHFILE"
+printf 'header = "Authorization: token %s"\n' "$T10_TOKEN" > "$T10_AUTHFILE"
+assert_file_mode "T10a mktemp -p /tmp mode 600 (CURL_AUTH_FILE pattern)" "$T10_AUTHFILE" "600"
+assert_file_contains "T10b printf header format (CURL_AUTH_FILE content)" "$T10_AUTHFILE" "Authorization: token secret-test-token-abc123"
+assert_file_contains "T10c 'header =' curl-config syntax" "$T10_AUTHFILE" 'header = "Authorization: token '
+rm -f "$T10_AUTHFILE"
+
+# T12 — jq filter: non-author APPROVED included, dismissed excluded
+echo
+echo "== T12 jq filter =="
+# These are tested indirectly via T3 and T6 above, but let's also test
+# the jq expression directly.
+JQ_FILTER='.[]
+  | select(.state == "APPROVED")
+  | select(.dismissed != true)
+  | select(.user.login != "alice")
+  | .user.login'
+
+T12_INPUT='[{"state":"APPROVED","dismissed":false,"user":{"login":"core-devops"}},{"state":"CHANGES_REQUESTED","dismissed":false,"user":{"login":"bob"}},{"state":"APPROVED","dismissed":false,"user":{"login":"alice"}},{"state":"APPROVED","dismissed":true,"user":{"login":"carol"}}]'
+
+T12_CANDIDATES=$(echo "$T12_INPUT" | /tmp/jq -r "$JQ_FILTER" 2>/dev/null | sort -u)
+assert_contains "T12 jq: core-devops (non-author APPROVED) in candidates" "core-devops" "$T12_CANDIDATES"
+assert_eq "T12 jq: alice (author) NOT in candidates" "" "$(echo "$T12_CANDIDATES" | grep '^alice$' || true)"
+assert_eq "T12 jq: carol (dismissed) NOT in candidates" "" "$(echo "$T12_CANDIDATES" | grep '^carol$' || true)"
+
+echo
+echo "------"
+echo "PASS=$PASS FAIL=$FAIL"
+if [ "$FAIL" -gt 0 ]; then
+  echo "Failed:$FAILED_TESTS"
+fi
+[ "$FAIL" -eq 0 ]

.gitea/workflows/ci-required-drift.yml

@@ -77,13 +77,18 @@ jobs:
         run: python -m pip install --quiet 'PyYAML==6.0.2'
       - name: Run drift detector
         env:
-          # GITEA_TOKEN reads protection + writes issues. molecule-core
-          # uses `SOP_TIER_CHECK_TOKEN` as the org-level secret name for
-          # read-only Gitea API access from CI (set by audit-force-merge
-          # and sop-tier-check too). Falls back to the auto-injected
-          # GITHUB_TOKEN if the org-level secret isn't set
-          # (transitional repos).
-          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
+          # DRIFT_BOT_TOKEN is owned by mc-drift-bot, a least-privilege
+          # Gitea persona whose ONLY job is reading branch_protections
+          # and posting the [ci-drift] tracking issue. The endpoint
+          # `GET /repos/.../branch_protections/{branch}` requires
+          # repo-ADMIN role (Gitea 1.22.6) — SOP_TIER_CHECK_TOKEN and the
+          # auto-injected GITHUB_TOKEN do NOT have it (read-only / write
+          # without admin), so the previous fallback chain 403'd.
+          # Mirrors the controlplane fix landed in CP PR#134.
+          # Provisioning trail: internal#329 (audit) + parent pattern
+          # internal#327 (publish-runtime-bot). Per
+          # `feedback_per_agent_gitea_identity_default`.
+          GITEA_TOKEN: ${{ secrets.DRIFT_BOT_TOKEN }}
           GITEA_HOST: git.moleculesai.app
           REPO: ${{ github.repository }}
           # Branches whose protection we compare against. molecule-core

.gitea/workflows/ci.yml

@@ -451,3 +451,77 @@ jobs:
             echo "      adjusting the floor with rationale in COVERAGE_FLOOR.md."
             exit 1
           fi
+
+  all-required:
+    # Aggregator sentinel — RFC internal#219 §2 (Phase 4 — closes internal#286).
+    #
+    # Single stable required-status name that branch protection points at;
+    # CI churns underneath in `needs:` without any protection edits. Mirrors
+    # the molecule-controlplane Phase 2a impl shipped in CP PR#112 and
+    # referenced by `internal#286` ("Phase 4 is a single small PR... mirrors
+    # CP's existing one").
+    #
+    # Closes the failure mode where status_check_contexts on molecule-core/main
+    # only listed `Secret scan` + `sop-tier-check` (the 2 meta-gates), so real
+    # `Platform (Go)` / `Canvas (Next.js)` / `Python Lint & Test` / `Shellcheck`
+    # red silently merged through. See internal#286 for the three concrete
+    # tonight-of-2026-05-11 incidents that prompted the emergency bump.
+    #
+    # Three properties of this job each close a failure mode:
+    #
+    #  1. `if: always()` — runs even when an upstream fails. Without it the
+    #     sentinel is `skipped` and protection treats that as missing → merge
+    #     ungated.
+    #
+    #  2. Assertion is `result == "success"` per dep, NOT `!= "failure"`.
+    #     A `skipped` upstream (job gated by `if:` evaluating false, matrix
+    #     entry that couldn't run) must NOT silently pass through.
+    #     `skipped`-as-green is exactly the failure mode this gate closes.
+    #
+    #  3. `needs:` is the canonical list of "what counts as required."
+    #     status_check_contexts will reference only `ci/all-required` (Step 5
+    #     follow-up — branch-protection PATCH is Owners-tier per
+    #     `feedback_never_admin_merge_bypass`, separate PR); a new job is
+    #     added simply by listing it in `needs:` here.
+    #     `.gitea/workflows/ci-required-drift.yml` files a [ci-drift] issue
+    #     hourly if this list diverges from status_check_contexts or from
+    #     audit-force-merge.yml's REQUIRED_CHECKS env (RFC §4 + §6).
+    #
+    # Excluded from `needs:`: `canvas-deploy-reminder` — gated by
+    # `if: ... github.event_name == 'push' && github.ref == 'refs/heads/main'`,
+    # so on PR events it's legitimately `skipped`. The drift detector
+    # explicitly excludes `github.event_name`-gated jobs from F1 (see
+    # `.gitea/scripts/ci-required-drift.py::ci_job_names`).
+    #
+    # NOTE: `continue-on-error: true` is intentionally NOT set here — Phase 3
+    # (parent PR for ci.yml port, RFC §1) sets it on the underlying build
+    # jobs to surface defects without blocking. The sentinel itself must
+    # hard-fail; that's the whole point.
+    runs-on: ubuntu-latest
+    timeout-minutes: 1
+    needs:
+      - changes
+      - platform-build
+      - canvas-build
+      - shellcheck
+      - python-lint
+    if: always()
+    steps:
+      - name: Assert every required dependency succeeded
+        run: |
+          set -euo pipefail
+          # `needs.*.result` is one of: success | failure | cancelled | skipped
+          # We assert success per dep (not != failure) — see RFC §2 reasoning above.
+          results='${{ toJSON(needs) }}'
+          echo "$results"
+          echo "$results" | python3 -c '
+          import json, sys
+          ns = json.load(sys.stdin)
+          bad = [(k, v.get("result")) for k, v in ns.items() if v.get("result") != "success"]
+          if bad:
+              print(f"FAIL: jobs not green:", file=sys.stderr)
+              for k, r in bad:
+                  print(f"  - {k}: {r}", file=sys.stderr)
+              sys.exit(1)
+          print(f"OK: all {len(ns)} required jobs succeeded")
+          '

.gitea/workflows/gate-check-v3.yml

@@ -40,7 +40,12 @@ jobs:
     runs-on: ubuntu-latest
     continue-on-error: true  # Never block on our own detector failing
     steps:
-      - name: Check out base branch (for the script)
+      - name: Check out BASE ref (never PR-head under pull_request_target)
+        # pull_request_target runs with repo secrets-context, so checking out
+        # the PR HEAD would execute PR-branch gate_check.py with secrets.
+        # Fix: always load gate_check.py from the trusted base/default ref.
+        # Bug-1 (self-loop exclusion) + Bug-3 (403→exit0) from #547 are
+        # kept; only this checkout-ref regresses to pre-#547 behavior.
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           ref: ${{ github.event.pull_request.base.sha || github.ref_name }}

.gitea/workflows/publish-runtime-autobump.yml

@@ -36,6 +36,10 @@ on:
       - staging
     paths:
       - "workspace/**"
+  # Manual dispatch — useful when Gitea Actions API (/actions/*) is
+  # unreachable (e.g. act_runner 404 on Gitea 1.22.6) and we cannot
+  # re-trigger via curl.
+  workflow_dispatch:
 
 permissions:
   contents: write  # required to push tags back
@@ -76,9 +80,15 @@ jobs:
   # watchdog, which is the desired signal for infrastructure degradation.
   bump-and-tag:
     runs-on: ubuntu-latest
-    # This job only fires on main/staging pushes (not on PR events) because
-    # the pull_request trigger above routes to pr-validate instead.
-    if: github.event.pull_request.base.ref == ''
+    # Only fire on push events (main/staging after PR merge). Pull_request
+    # events are handled by pr-validate above; we do NOT bump on every
+    # push-synchronize because that would race with the PR head.
+    #
+    # NOTE: the prior condition `github.event.pull_request.base.ref == ''`
+    # was broken — on a PR-merge push in Gitea Actions, the pull_request
+    # context is still attached (base.ref='main'), so the condition always
+    # evaluated to false and bump-and-tag was permanently skipped.
+    if: github.event_name == 'push'
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:

.gitea/workflows/publish-workspace-server-image.yml

@@ -115,6 +115,11 @@ jobs:
       # Build + push platform image (inline ECR auth — mirrors the operator-host
       # approach; credentials come from GITHUB_SECRET_AWS_ACCESS_KEY_ID /
       # GITHUB_SECRET_AWS_SECRET_ACCESS_KEY in Gitea Actions).
+      # docker buildx bake / build required for `imagetools inspect` digest
+      # capture in the CP pin-update step (RFC internal#229 §X step 4 PR-1).
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd  # v4.0.0
+
       - name: Build & push platform image to ECR (staging-<sha> + staging-latest)
         env:
           IMAGE_NAME: ${{ env.IMAGE_NAME }}
@@ -130,17 +135,16 @@ jobs:
           ECR_REGISTRY="${IMAGE_NAME%%/*}"
           aws ecr get-login-password --region us-east-2 | \
             docker login --username AWS --password-stdin "${ECR_REGISTRY}"
-          docker build \
+          docker buildx build \
             --file ./workspace-server/Dockerfile \
             --build-arg GIT_SHA="${GIT_SHA}" \
-            --label "org.opencontainers.image.source=https://github.com/${REPO}" \
+            --label "org.opencontainers.image.source=https://git.moleculesai.app/molecule-ai/${REPO}" \
             --label "org.opencontainers.image.revision=${GIT_SHA}" \
-            --label "org.opencontainers.image.description=Molecule AI platform — pending canary verify" \
+            --label "org.opencontainers.image.created=$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
+            --label "molecule.workflow.run_id=${GITHUB_RUN_ID}" \
             --tag "${IMAGE_NAME}:${TAG_SHA}" \
             --tag "${IMAGE_NAME}:${TAG_LATEST}" \
-            .
-          docker push "${IMAGE_NAME}:${TAG_SHA}"
-          docker push "${IMAGE_NAME}:${TAG_LATEST}"
+            --push .
 
       # Build + push tenant image (Go platform + Next.js canvas in one image).
       - name: Build & push tenant image to ECR (staging-<sha> + staging-latest)
@@ -158,15 +162,14 @@ jobs:
           ECR_REGISTRY="${TENANT_IMAGE_NAME%%/*}"
           aws ecr get-login-password --region us-east-2 | \
             docker login --username AWS --password-stdin "${ECR_REGISTRY}"
-          docker build \
+          docker buildx build \
             --file ./workspace-server/Dockerfile.tenant \
             --build-arg NEXT_PUBLIC_PLATFORM_URL= \
             --build-arg GIT_SHA="${GIT_SHA}" \
-            --label "org.opencontainers.image.source=https://github.com/${REPO}" \
+            --label "org.opencontainers.image.source=https://git.moleculesai.app/molecule-ai/${REPO}" \
             --label "org.opencontainers.image.revision=${GIT_SHA}" \
-            --label "org.opencontainers.image.description=Molecule AI tenant platform + canvas — pending canary verify" \
+            --label "org.opencontainers.image.created=$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
+            --label "molecule.workflow.run_id=${GITHUB_RUN_ID}" \
             --tag "${TENANT_IMAGE_NAME}:${TAG_SHA}" \
             --tag "${TENANT_IMAGE_NAME}:${TAG_LATEST}" \
-            .
-          docker push "${TENANT_IMAGE_NAME}:${TAG_SHA}"
-          docker push "${TENANT_IMAGE_NAME}:${TAG_LATEST}"
+            --push .

.gitea/workflows/qa-review.yml

@@ -0,0 +1,164 @@
+# qa-review — non-author APPROVE from the `qa` Gitea team required to merge.
+#
+# RFC#324 Step 1 of 5 (workflow-add). Pairs with `security-review.yml` and the
+# branch-protection flip in Step 2.
+#
+# === DESIGN (RFC#324 v1.1 addendum) ===
+#
+# A1-α (refire mechanism):
+#   Triggers on:
+#     - `pull_request_target`: opened, synchronize, reopened
+#         → initial status posts when PR opens / re-pushes
+#     - `issue_comment`: /qa-recheck slash-command on the PR
+#         → manual re-fire after a QA reviewer clicks APPROVE
+#           (Gitea 1.22.6 doesn't re-fire on pull_request_review, per
+#           go-gitea/gitea#33700 + feedback_pull_request_review_no_refire)
+#   Workflow name = `qa-review` ; job name = `approved`.
+#   The job's own pass/fail conclusion publishes the status context
+#   `qa-review / approved (<event>)` — NO `POST /statuses` call → NO
+#   write:repository token scope needed. Sidesteps internal#321 defect #2.
+#
+# A1.1 (privilege check on slash-comment — INFORMATIONAL ONLY, NOT a gate):
+#   The `issue_comment` event fires for ANY commenter, including
+#   non-collaborators. The original (v1.2) design gated the eval step
+#   behind a collaborator probe → if a non-collaborator commented
+#   /qa-recheck, the eval was `if:`-skipped → the job exited 0 anyway →
+#   the status context published `success` with ZERO real APPROVE.
+#   That was a fail-open: any visitor could green the gate.
+#
+#   RFC#324 v1.3 §A1.1 correction (option b per hongming-pc 1421):
+#   drop privilege-gating of the evaluation entirely. The eval is
+#   read-only and idempotent — it reads `pulls/{N}/reviews` and
+#   `teams/{id}/members/{u}` (both API-side state that a commenter can't
+#   change). Re-running it on a non-collaborator's comment is harmless
+#   AND correct: if a real team-member APPROVE exists, the eval flips
+#   green; if not, it stays red.
+#
+#   We KEEP the privilege step as a `::notice::` log line only — useful
+#   for griefer-spotting (one operator spamming /recheck) without
+#   touching the gate. If rate-limiting is needed later, add it as a
+#   separate concern (time-window throttle, not a privilege gate).
+#
+#   We MUST NOT use `github.event.comment.author_association` (the
+#   field doesn't exist on Gitea 1.22.6 webhook payload — this was
+#   sop-tier-refire's defect #1).
+#
+# A4 (no PR-head checkout under pull_request_target):
+#   We check out the BASE ref explicitly so the review-check.sh script is
+#   loaded from trusted source. We NEVER use `ref: ${{ github.event.pull_request.head.sha }}`.
+#   No PR-head code is executed in the runner. Trust boundary preserved.
+#
+# A5 (real Gitea team):
+#   `qa` team (id=20) verified by orchestrator preflight 2026-05-11; queried
+#   at run time via /api/v1/teams/20/members/{login}.
+#
+# === TOKEN ===
+#
+# The workflow reads PR state, PR reviews, and team membership.
+# Gitea 1.22.6's /api/v1/teams/{id}/members/{u} returns 403 ('Must be a
+# team member') for tokens whose owner is not in that team. The default
+# `secrets.GITHUB_TOKEN` is owned by a workflow-scoped identity that is
+# also not in qa/security teams → also 403.
+#
+# Resolution: a dedicated `RFC_324_TEAM_READ_TOKEN` secret, owned by an
+# identity that IS in both `qa` and `security` teams (Owners-tier
+# claude-ceo-assistant, or a new service-bot added to both teams).
+# Provisioning of this secret is tracked as a follow-up issue (filed by
+# core-devops at PR open).
+#
+# Until that secret is provisioned, the job will exit 1 with a clear
+# 403-on-team-probe error and the `qa-review / approved` status will
+# stay `failure`. This is the correct fail-closed behavior — the gate
+# blocks merge until both (a) a QA team member APPROVEs and (b) the
+# workflow has a token that can confirm their team membership.
+#
+# === SLASH-COMMAND CONTRACT ===
+#
+#   /qa-recheck   — re-evaluate the gate (e.g. after an APPROVE lands)
+#
+# Open to any PR commenter. The eval is read-only and idempotent, so
+# unprivileged refires are harmless (RFC#324 v1.3 §A1.1). Collaborator
+# status is logged for griefer-spotting but does NOT gate execution.
+
+name: qa-review
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+  issue_comment:
+    types: [created]
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  approved:
+    # Gate the job:
+    #   - On pull_request_target events: always run.
+    #   - On issue_comment events: only when it's a PR comment and the body
+    #     contains the slash-command. NO privilege gate at the step level
+    #     (RFC#324 v1.3 §A1.1): a non-collaborator's /qa-recheck is fine
+    #     because the eval is read-only and idempotent — re-running it
+    #     just re-confirms whether a real team-member APPROVE exists.
+    if: |
+      github.event_name == 'pull_request_target' ||
+      (github.event_name == 'issue_comment' &&
+       github.event.issue.pull_request != null &&
+       startsWith(github.event.comment.body, '/qa-recheck'))
+    runs-on: ubuntu-latest
+    steps:
+      - name: Privilege check (A1.1 — INFORMATIONAL log only, NOT a gate)
+        # RFC#324 v1.3 §A1.1: this step does NOT gate subsequent steps.
+        # It exists solely as a log line for griefer-spotting (one
+        # operator spamming /qa-recheck without merit). Re-running the
+        # read-only eval on a non-collaborator comment is harmless;
+        # gating it would be fail-open (skipped steps still publish
+        # `success` for the job's status context).
+        # Only runs on issue_comment events; pull_request_target has
+        # no comment.user.login so the step is a no-op skip there.
+        if: github.event_name == 'issue_comment'
+        env:
+          GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          login="${{ github.event.comment.user.login }}"
+          # Write token to a mode-600 file so it never appears in curl's argv.
+          # (#541: -H "Authorization: token $TOKEN" puts the secret in /proc/<pid>/cmdline)
+          authfile=$(mktemp)
+          chmod 600 "$authfile"
+          printf 'header = "Authorization: token %s"\n' "$GITEA_TOKEN" > "$authfile"
+          code=$(curl -sS -o /dev/null -w '%{http_code}' -K "$authfile" \
+            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/collaborators/${login}")
+          rm -f "$authfile"
+          if [ "$code" = "204" ]; then
+            echo "::notice::Recheck from ${login} (collaborator=true)"
+          else
+            echo "::notice::Recheck from ${login} (collaborator=false, HTTP ${code}) — proceeding with read-only eval anyway"
+          fi
+
+      - name: Check out BASE ref (A4 — never PR-head)
+        # Loads the review-check.sh script from a trusted ref. For
+        # pull_request_target the default checkout is BASE already; we
+        # set ref explicitly for the issue_comment event too so the
+        # script source is always the default-branch version.
+        # NEVER use ref: ${{ github.event.pull_request.head.sha }} —
+        # that would execute PR-head code with secrets-context.
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          ref: ${{ github.event.repository.default_branch }}
+
+      - name: Evaluate qa-review
+        env:
+          GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
+          GITEA_HOST: git.moleculesai.app
+          REPO: ${{ github.repository }}
+          # PR number lives in different places per event:
+          #   pull_request_target → github.event.pull_request.number
+          #   issue_comment       → github.event.issue.number
+          PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
+          TEAM: qa
+          TEAM_ID: '20'
+          REVIEW_CHECK_DEBUG: '0'
+          REVIEW_CHECK_STRICT: '0'
+        run: bash .gitea/scripts/review-check.sh

.gitea/workflows/security-review.yml

@@ -0,0 +1,72 @@
+# security-review — non-author APPROVE from the `security` Gitea team
+# required to merge.
+#
+# RFC#324 Step 1 of 5 (workflow-add). Mirror of `qa-review.yml`; differs
+# only in TEAM=security, TEAM_ID=21, and the slash-command name.
+#
+# See `qa-review.yml` header for the full A1-α / A1.1 / A4 / A5 design
+# rationale; everything below is identical in shape.
+
+name: security-review
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+  issue_comment:
+    types: [created]
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  approved:
+    # See qa-review.yml header for full A1-α / A1.1 (v1.3 — informational
+    # log only, NOT a gate) / A4 / A5 design rationale.
+    if: |
+      github.event_name == 'pull_request_target' ||
+      (github.event_name == 'issue_comment' &&
+       github.event.issue.pull_request != null &&
+       startsWith(github.event.comment.body, '/security-recheck'))
+    runs-on: ubuntu-latest
+    steps:
+      - name: Privilege check (A1.1 — INFORMATIONAL log only, NOT a gate)
+        # RFC#324 v1.3 §A1.1: does NOT gate subsequent steps. See
+        # qa-review.yml for full rationale. Eval is read-only/idempotent
+        # so re-running on a non-collaborator comment is harmless.
+        if: github.event_name == 'issue_comment'
+        env:
+          GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          login="${{ github.event.comment.user.login }}"
+          # Write token to a mode-600 file so it never appears in curl's argv.
+          # (#541: -H "Authorization: token $TOKEN" puts the secret in /proc/<pid>/cmdline)
+          authfile=$(mktemp)
+          chmod 600 "$authfile"
+          printf 'header = "Authorization: token %s"\n' "$GITEA_TOKEN" > "$authfile"
+          code=$(curl -sS -o /dev/null -w '%{http_code}' -K "$authfile" \
+            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/collaborators/${login}")
+          rm -f "$authfile"
+          if [ "$code" = "204" ]; then
+            echo "::notice::Recheck from ${login} (collaborator=true)"
+          else
+            echo "::notice::Recheck from ${login} (collaborator=false, HTTP ${code}) — proceeding with read-only eval anyway"
+          fi
+
+      - name: Check out BASE ref (A4 — never PR-head)
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          ref: ${{ github.event.repository.default_branch }}
+
+      - name: Evaluate security-review
+        env:
+          GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
+          GITEA_HOST: git.moleculesai.app
+          REPO: ${{ github.repository }}
+          PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
+          TEAM: security
+          TEAM_ID: '21'
+          REVIEW_CHECK_DEBUG: '0'
+          REVIEW_CHECK_STRICT: '0'
+        run: bash .gitea/scripts/review-check.sh

tools/gate-check-v3/gate_check.py

@@ -316,7 +316,7 @@ def signal_3_staleness(pr_number: int, repo: str) -> dict:
 
 # ── Signal 6: CI required-checks awareness ───────────────────────────────────
 
-def signal_6_ci(pr_number: int, repo: str, branch: str = "main") -> dict:
+def signal_6_ci(pr_number: int, repo: str, branch: str | None = None, pr_data: dict | None = None) -> dict:
     """
     Query combined CI status for PR head commit.
     Find required status checks on target branch.
@@ -324,8 +324,12 @@ def signal_6_ci(pr_number: int, repo: str, branch: str = "main") -> dict:
     """
     owner, name = repo.split("/", 1)
 
-    pr = api_get(f"/repos/{owner}/{name}/pulls/{pr_number}")
-    head_sha = pr["head"]["sha"]
+    # Re-use PR data if already fetched by caller; otherwise fetch once.
+    if pr_data is None:
+        pr_data = api_get(f"/repos/{owner}/{name}/pulls/{pr_number}")
+    head_sha = pr_data["head"]["sha"]
+    # Fall back to PR's actual base branch when no explicit branch is given
+    branch = branch or pr_data.get("base", {}).get("ref", "main")
 
     # Combined status of PR head
     combined = api_get(f"/repos/{owner}/{name}/commits/{head_sha}/status")
@@ -334,9 +338,12 @@ def signal_6_ci(pr_number: int, repo: str, branch: str = "main") -> dict:
     # Individual check statuses
     # Gitea Actions uses "status" (pending/success/failure) not "state" for
     # individual check entries. "state" is null for pending runs.
+    # Exclude our own prior status to prevent self-referential failure loops.
     check_statuses = {}
     for s in combined.get("statuses") or []:
-        check_statuses[s["context"]] = s.get("status", "pending")
+        ctx = s["context"]
+        if "gate-check" not in ctx.lower():
+            check_statuses[ctx] = s.get("status", "pending")
 
     # Try to get branch protection for required checks
     required_checks = []
@@ -358,10 +365,17 @@ def signal_6_ci(pr_number: int, repo: str, branch: str = "main") -> dict:
         else:
             passing_required.append(f"{ctx} (pending)")
 
+    # NOTE: do NOT use ci_state (combined_state) as a fallback verdict driver.
+    # The combined_state is computed over ALL statuses including this
+    # gate-check's own prior result. Using it as a fallback creates a
+    # self-referential loop: gate-check posts failure → combined_state
+    # becomes failure → script re-blocks → posts failure again.
+    # The check_statuses dict already excludes gate-check (Bug-1 fix from
+    # PR #547). Use failing_required as the sole CI gate; if no required
+    # checks are defined on the branch, return CLEAR rather than re-using
+    # the combined_state which includes our own status.
     if failing_required:
         verdict = "CI_FAIL"
-    elif ci_state == "failure":
-        verdict = "CI_FAIL"
     elif ci_state == "pending":
         verdict = "CI_PENDING"
     else:
@@ -459,21 +473,21 @@ def format_comment(repo: str, pr_number: int, verdict: str, gates: list[dict], b
     lines.append(f"_gate-check-v3 · repo={repo} · pr={pr_number}_")
     return "\n".join(lines)
 
-    lines.append("")
-    lines.append(f"_gate-check-v3 · repo={repo} · pr={pr_number}_")
-
-    return "\n".join(lines)
-
 
 # ── Main ─────────────────────────────────────────────────────────────────────
 
 def run(repo: str, pr_number: int, post_comment: bool = False) -> dict:
     try:
+        # Fetch PR once to get base ref for signal_6_ci
+        owner, name = repo.split("/", 1)
+        pr = api_get(f"/repos/{owner}/{name}/pulls/{pr_number}")
+        base_ref = pr.get("base", {}).get("ref", "main")
+
         gates = [
             signal_1_comment_scan(pr_number, repo),
             signal_2_reviews(pr_number, repo),
             signal_3_staleness(pr_number, repo),
-            signal_6_ci(pr_number, repo),
+            signal_6_ci(pr_number, repo, branch=base_ref, pr_data=pr),
         ]
         verdict, blockers = compute_verdict(gates)
 
@@ -501,18 +515,24 @@ def run(repo: str, pr_number: int, post_comment: bool = False) -> dict:
             # Check if a gate-check comment already exists to avoid spamming
             existing = api_list(f"/repos/{owner}/{name}/issues/{pr_number}/comments")
             our_comments = [c for c in existing if "[gate-check-v3]" in (c.get("body") or "")]
-            if our_comments:
-                # Update latest
-                comment_id = our_comments[-1]["id"]
-                url = f"{API_BASE}/repos/{owner}/{name}/issues/comments/{comment_id}"
-                req = urllib.request.Request(url, data=json.dumps({"body": comment_body}).encode(), headers=headers, method="PATCH")
-                with urllib.request.urlopen(req) as r:
-                    r.read()
-            else:
-                url = f"{API_BASE}/repos/{owner}/{name}/issues/{pr_number}/comments"
-                req = urllib.request.Request(url, data=json.dumps({"body": comment_body}).encode(), headers=headers, method="POST")
-                with urllib.request.urlopen(req) as r:
-                    r.read()
+            try:
+                if our_comments:
+                    # Update latest
+                    comment_id = our_comments[-1]["id"]
+                    url = f"{API_BASE}/repos/{owner}/{name}/issues/comments/{comment_id}"
+                    req = urllib.request.Request(url, data=json.dumps({"body": comment_body}).encode(), headers=headers, method="PATCH")
+                    with urllib.request.urlopen(req) as r:
+                        r.read()
+                else:
+                    url = f"{API_BASE}/repos/{owner}/{name}/issues/{pr_number}/comments"
+                    req = urllib.request.Request(url, data=json.dumps({"body": comment_body}).encode(), headers=headers, method="POST")
+                    with urllib.request.urlopen(req) as r:
+                        r.read()
+            except urllib.error.HTTPError as e:
+                if e.code == 403:
+                    print(f"WARN: --post-comment 403 (token scope) — verdict={verdict}; skipping comment-post", file=sys.stderr)
+                else:
+                    raise
 
         return result
 

workspace-server/internal/handlers/org.go

@@ -697,6 +697,31 @@ func (h *OrgHandler) Import(c *gin.Context) {
 			})
 			return
 		}
+
+		// Per-workspace RequiredEnv preflight: checks that every RequiredEnv
+		// declared at the workspace level is covered by either (a) a global
+		// secret key (already validated above) or (b) a key present in the
+		// workspace's on-disk .env files (org root .env + per-workspace
+		// <files_dir>/.env). If neither covers the key the workspace is
+		// imported NOT CONFIGURED, which silently breaks the workspace at
+		// start time — the container boots without the required credential
+		// and every LLM call 401s or fails silently.  Issue #232.
+		// orgBaseDir is empty when importing via body.Template (inline YAML);
+		// in that case we cannot check .env files, so we skip this check
+		// and fall back to the global-only gate above (which correctly
+		// rejects any strict requirement not covered by global_secrets).
+		if orgBaseDir != "" {
+			wsMissing := collectPerWorkspaceUnsatisfied(tmpl.Workspaces, orgBaseDir, configured)
+			if len(wsMissing) > 0 {
+				c.JSON(http.StatusPreconditionFailed, gin.H{
+					"error":            "missing per-workspace required environment variables",
+					"missing_workspace_env": wsMissing,
+					"template":         tmpl.Name,
+					"suggestion":       "add these keys to the workspace's .env file or set them as global secrets before importing",
+				})
+				return
+			}
+		}
 	}
 
 	results := []map[string]interface{}{}

workspace-server/internal/handlers/org_external.go

@@ -346,7 +346,7 @@ func (g *gitFetcher) Fetch(ctx context.Context, rootDir, host, repoPath, ref str
 	// MkdirTemp creates the dir; git clone refuses to clone into a
 	// non-empty dir. Remove + recreate empty.
 	os.RemoveAll(tmpDir)
-	cloneAndConfig := append(gitArgs("clone", "--quiet", "--depth=1", "-b", ref, cloneURL, tmpDir))
+	cloneAndConfig := gitArgs("clone", "--quiet", "--depth=1", "-b", ref, cloneURL, tmpDir)
 	cmd := exec.CommandContext(ctx, "git", cloneAndConfig...)
 	cmd.Env = append(os.Environ(), "GIT_TERMINAL_PROMPT=0")
 	if out, err := cmd.CombinedOutput(); err != nil {

workspace-server/internal/handlers/org_import.go

@@ -941,6 +941,65 @@ func flattenAndSortRequirements(by map[string]EnvRequirement) []EnvRequirement {
 // can investigate.
 const globalSecretsPreflightLimit = 10000
 
+// PerWorkspaceUnsatisfied describes one per-workspace RequiredEnv that is
+// not covered by either a global secret or a key present in the
+// corresponding .env file.
+type PerWorkspaceUnsatisfied struct {
+	Workspace   string         `json:"workspace"`
+	FilesDir    string         `json:"files_dir,omitempty"`
+	Unsatisfied EnvRequirement `json:"unsatisfied_env"`
+}
+
+// collectPerWorkspaceUnsatisfied recursively walks workspaces and returns
+// per-workspace RequiredEnv entries that are not covered by (a) a global
+// secret key or (b) a key present in the workspace's .env file(s) (org root
+// .env + per-workspace <files_dir>/.env). This complements
+// collectOrgEnv + loadConfiguredGlobalSecretKeys, which together only
+// validate global-level RequiredEnv against global_secrets. The .env
+// lookup mirrors the runtime resolution in createWorkspaceTree so that
+// the preflight result matches what the container actually receives at
+// start time.
+func collectPerWorkspaceUnsatisfied(workspaces []OrgWorkspace, orgBaseDir string, globalSecrets map[string]struct{}) []PerWorkspaceUnsatisfied {
+	var out []PerWorkspaceUnsatisfied
+	var walk func([]OrgWorkspace)
+	walk = func(wsList []OrgWorkspace) {
+		for _, ws := range wsList {
+			// Build the set of keys available to this workspace from .env.
+			// This is the same three-source stack that createWorkspaceTree
+			// injects into the container:
+			//   1. Org root .env (parseEnvFile, no filesDir)
+			//   2. Workspace <files_dir>/.env (if filesDir is set)
+			//   3. Persona bootstrap env (MOLECULE_PERSONA_ROOT/<filesDir>/env)
+			// Items 1+2 are on-disk and testable; item 3 is host-only and
+			// skipped here (persona env does NOT satisfy required_env —
+			// it carries identity tokens, not workspace LLM keys).
+			envFromFiles := loadWorkspaceEnv(orgBaseDir, ws.FilesDir)
+			// Convert map[string]string (from .env files) to map[string]struct{}
+			// to match IsSatisfied's signature.
+			envSet := make(map[string]struct{}, len(envFromFiles))
+			for k := range envFromFiles {
+				envSet[k] = struct{}{}
+			}
+			for _, req := range ws.RequiredEnv {
+				if req.IsSatisfied(globalSecrets) {
+					continue // covered by a global secret
+				}
+				if req.IsSatisfied(envSet) {
+					continue // covered by a per-workspace .env file
+				}
+				out = append(out, PerWorkspaceUnsatisfied{
+					Workspace:   ws.Name,
+					FilesDir:    ws.FilesDir,
+					Unsatisfied: req,
+				})
+			}
+			walk(ws.Children)
+		}
+	}
+	walk(workspaces)
+	return out
+}
+
 func loadConfiguredGlobalSecretKeys(ctx context.Context) (map[string]struct{}, error) {
 	rows, err := db.DB.QueryContext(ctx,
 		`SELECT key FROM global_secrets WHERE octet_length(encrypted_value) > 0 LIMIT $1`,

workspace-server/internal/handlers/org_workspace_required_env_test.go

@@ -0,0 +1,226 @@
+package handlers
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+// TestCollectPerWorkspaceUnsatisfied_BothFiles covers the case where a key
+// is present in both the org root .env and the workspace-specific .env. Both
+// should satisfy the requirement (no entry in output).
+func TestCollectPerWorkspaceUnsatisfied_BothFiles(t *testing.T) {
+	tmp := t.TempDir()
+	writeEnvFile(t, tmp, ".env", "PER_WS_KEY=globalvalue")
+	writeEnvFile(t, tmp, "ws-a/.env", "PER_WS_KEY=wsvalue")
+
+	workspaces := []OrgWorkspace{
+		{Name: "ws-a", FilesDir: "ws-a", RequiredEnv: []EnvRequirement{{Name: "PER_WS_KEY"}}},
+	}
+
+	// Global secret covers it.
+	globals := map[string]struct{}{"PER_WS_KEY": {}}
+	missing := collectPerWorkspaceUnsatisfied(workspaces, tmp, globals)
+
+	if len(missing) != 0 {
+		t.Errorf("PER_WS_KEY present in global + .env: should be satisfied, got %d missing", len(missing))
+	}
+}
+
+// TestCollectPerWorkspaceUnsatisfied_WorkspaceEnvOnly covers a key present
+// only in the workspace-specific .env file (not global). Should be satisfied.
+func TestCollectPerWorkspaceUnsatisfied_WorkspaceEnvOnly(t *testing.T) {
+	tmp := t.TempDir()
+	writeEnvFile(t, tmp, "dev-lead/.env", "WORKSPACE_KEY=val")
+
+	workspaces := []OrgWorkspace{
+		{Name: "Dev Lead", FilesDir: "dev-lead", RequiredEnv: []EnvRequirement{{Name: "WORKSPACE_KEY"}}},
+	}
+
+	globals := map[string]struct{}{} // nothing in global
+	missing := collectPerWorkspaceUnsatisfied(workspaces, tmp, globals)
+
+	if len(missing) != 0 {
+		t.Errorf("WORKSPACE_KEY in ws .env only: should be satisfied, got %d missing", len(missing))
+	}
+}
+
+// TestCollectPerWorkspaceUnsatisfied_OrgRootEnvOnly covers a key present
+// only in the org root .env file (not per-workspace). Should be satisfied.
+func TestCollectPerWorkspaceUnsatisfied_OrgRootEnvOnly(t *testing.T) {
+	tmp := t.TempDir()
+	writeEnvFile(t, tmp, ".env", "ORG_ROOT_KEY=val")
+
+	workspaces := []OrgWorkspace{
+		{Name: "ws-b", FilesDir: "ws-b", RequiredEnv: []EnvRequirement{{Name: "ORG_ROOT_KEY"}}},
+	}
+
+	globals := map[string]struct{}{}
+	missing := collectPerWorkspaceUnsatisfied(workspaces, tmp, globals)
+
+	if len(missing) != 0 {
+		t.Errorf("ORG_ROOT_KEY in org root .env only: should be satisfied, got %d missing", len(missing))
+	}
+}
+
+// TestCollectPerWorkspaceUnsatisfied_GlobalCovers checks that a global
+// secret alone satisfies a per-workspace RequiredEnv even when the .env
+// files don't have the key.
+func TestCollectPerWorkspaceUnsatisfied_GlobalCovers(t *testing.T) {
+	tmp := t.TempDir()
+	// No .env files at all.
+
+	workspaces := []OrgWorkspace{
+		{Name: "ws-c", RequiredEnv: []EnvRequirement{{Name: "GLOBAL_COVERED"}}},
+	}
+
+	globals := map[string]struct{}{"GLOBAL_COVERED": {}}
+	missing := collectPerWorkspaceUnsatisfied(workspaces, tmp, globals)
+
+	if len(missing) != 0 {
+		t.Errorf("GLOBAL_COVERED satisfied by global: should be satisfied, got %d missing", len(missing))
+	}
+}
+
+// TestCollectPerWorkspaceUnsatisfied_Missing covers the core bug: a
+// RequiredEnv declared at the workspace level where the key is absent from
+// both global_secrets and the .env file. The import MUST return 412.
+func TestCollectPerWorkspaceUnsatisfied_Missing(t *testing.T) {
+	tmp := t.TempDir()
+	// No .env files at all.
+
+	workspaces := []OrgWorkspace{
+		{Name: "Dev Lead", FilesDir: "dev-lead", RequiredEnv: []EnvRequirement{{Name: "MISSING_REQUIRED_KEY"}}},
+	}
+
+	globals := map[string]struct{}{} // no global secret
+	missing := collectPerWorkspaceUnsatisfied(workspaces, tmp, globals)
+
+	if len(missing) != 1 {
+		t.Fatalf("expected 1 missing entry, got %d", len(missing))
+	}
+	if missing[0].Workspace != "Dev Lead" {
+		t.Errorf("expected workspace 'Dev Lead', got %q", missing[0].Workspace)
+	}
+	if missing[0].Unsatisfied.Name != "MISSING_REQUIRED_KEY" {
+		t.Errorf("expected unsatisfied key 'MISSING_REQUIRED_KEY', got %q", missing[0].Unsatisfied.Name)
+	}
+	if missing[0].FilesDir != "dev-lead" {
+		t.Errorf("expected files_dir 'dev-lead', got %q", missing[0].FilesDir)
+	}
+}
+
+// TestCollectPerWorkspaceUnsatisfied_AnyOfGroup covers an any-of group where
+// none of the alternatives are present in global or .env. Should report
+// the group as unsatisfied.
+func TestCollectPerWorkspaceUnsatisfied_AnyOfGroup(t *testing.T) {
+	tmp := t.TempDir()
+
+	workspaces := []OrgWorkspace{
+		{
+			Name:     "Claude Bot",
+			FilesDir: "claude-bot",
+			RequiredEnv: []EnvRequirement{
+				{AnyOf: []string{"ANTHROPIC_API_KEY", "CLAUDE_CODE_OAUTH_TOKEN"}},
+			},
+		},
+	}
+
+	globals := map[string]struct{}{}
+	missing := collectPerWorkspaceUnsatisfied(workspaces, tmp, globals)
+
+	if len(missing) != 1 {
+		t.Fatalf("expected 1 missing any-of entry, got %d", len(missing))
+	}
+	if missing[0].Workspace != "Claude Bot" {
+		t.Errorf("expected workspace 'Claude Bot', got %q", missing[0].Workspace)
+	}
+	if len(missing[0].Unsatisfied.AnyOf) != 2 {
+		t.Errorf("expected any-of group with 2 members, got %v", missing[0].Unsatisfied.AnyOf)
+	}
+}
+
+// TestCollectPerWorkspaceUnsatisfied_NestedChildren covers grandchildren
+// workspaces that also declare RequiredEnv. The recursive walk must visit
+// children and grandchildren.
+func TestCollectPerWorkspaceUnsatisfied_NestedChildren(t *testing.T) {
+	tmp := t.TempDir()
+
+	workspaces := []OrgWorkspace{
+		{
+			Name: "Root",
+			Children: []OrgWorkspace{
+				{
+					Name: "Child",
+					Children: []OrgWorkspace{
+						{Name: "Grandchild", FilesDir: "grandchild", RequiredEnv: []EnvRequirement{{Name: "DEEP_KEY"}}},
+					},
+				},
+			},
+		},
+	}
+
+	globals := map[string]struct{}{}
+	missing := collectPerWorkspaceUnsatisfied(workspaces, tmp, globals)
+
+	if len(missing) != 1 {
+		t.Fatalf("expected 1 missing entry from grandchild, got %d", len(missing))
+	}
+	if missing[0].Workspace != "Grandchild" {
+		t.Errorf("expected 'Grandchild', got %q", missing[0].Workspace)
+	}
+}
+
+// TestCollectPerWorkspaceUnsatisfied_EmptyOrgBaseDir covers the case where
+// orgBaseDir is empty (inline template import). No .env files can be
+// checked, so missing keys cannot be attributed to .env absence. The
+// function should NOT crash and should only report entries satisfiable
+// by global (all missing since globals is empty).
+func TestCollectPerWorkspaceUnsatisfied_EmptyOrgBaseDir(t *testing.T) {
+	workspaces := []OrgWorkspace{
+		{Name: "ws-x", RequiredEnv: []EnvRequirement{{Name: "KEY_X"}}},
+	}
+
+	globals := map[string]struct{}{}
+	missing := collectPerWorkspaceUnsatisfied(workspaces, "", globals)
+
+	// With no orgBaseDir and no global, KEY_X must be reported missing.
+	if len(missing) != 1 {
+		t.Errorf("expected 1 missing with empty orgBaseDir, got %d", len(missing))
+	}
+}
+
+// TestCollectPerWorkspaceUnsatisfied_MultipleWorkspaces reports only the
+// workspace whose RequiredEnv is unsatisfied, not the whole batch.
+func TestCollectPerWorkspaceUnsatisfied_MultipleWorkspaces(t *testing.T) {
+	tmp := t.TempDir()
+	writeEnvFile(t, tmp, "ws-ok/.env", "OK_KEY=val")
+
+	workspaces := []OrgWorkspace{
+		{Name: "ws-ok", FilesDir: "ws-ok", RequiredEnv: []EnvRequirement{{Name: "OK_KEY"}}},
+		{Name: "ws-missing", FilesDir: "ws-missing", RequiredEnv: []EnvRequirement{{Name: "BAD_KEY"}}},
+	}
+
+	globals := map[string]struct{}{}
+	missing := collectPerWorkspaceUnsatisfied(workspaces, tmp, globals)
+
+	if len(missing) != 1 {
+		t.Errorf("expected exactly 1 missing (BAD_KEY), got %d", len(missing))
+	}
+	if missing[0].Workspace != "ws-missing" {
+		t.Errorf("expected missing workspace 'ws-missing', got %q", missing[0].Workspace)
+	}
+}
+
+// writeEnvFile is a test helper that creates a .env file at the given path
+// with the given content.
+func writeEnvFile(t *testing.T, baseDir, relPath, content string) {
+	t.Helper()
+	fullPath := filepath.Join(baseDir, relPath)
+	if err := os.MkdirAll(filepath.Dir(fullPath), 0755); err != nil {
+		t.Fatalf("mkdirAll: %v", err)
+	}
+	if err := os.WriteFile(fullPath, []byte(content), 0644); err != nil {
+		t.Fatalf("writeFile %s: %v", fullPath, err)
+	}
+}

workspace-server/internal/pendinguploads/export_test.go

@@ -12,8 +12,8 @@ import (
 // time. The Go convention `export_test.go` keeps this seam OUT of the
 // production binary — files ending in _test.go are stripped at build
 // time, so this re-export only exists during `go test`.
-func StartSweeperWithIntervalForTest(ctx context.Context, storage Storage, ackRetention, interval time.Duration) {
-	startSweeperWithInterval(ctx, storage, ackRetention, interval, nil)
+func StartSweeperWithIntervalForTest(ctx context.Context, storage Storage, ackRetention, interval time.Duration, done chan struct{}) {
+	startSweeperWithInterval(ctx, storage, ackRetention, interval, done)
 }
 
 // StartSweeperForTest starts the sweeper and returns a done channel

workspace-server/internal/pendinguploads/sweeper_test.go

@@ -190,7 +190,14 @@ func TestStartSweeperWithInterval_TickerFiresAdditionalCycles(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	done := pendinguploads.StartSweeperForTest(ctx, store, time.Hour)
+	// Use a short ticker interval (100ms) so the test runs fast without
+	// burning real wall-clock time. StartSweeperWithIntervalForTest is the
+	// test-friendly variant that accepts a caller-specified interval; the
+	// production SweepInterval of 5m is too coarse for a 2s deadline on
+	// a loaded CI runner (the ticker may not fire at all under CPU
+	// contention — the root cause of the pre-existing CI flake).
+	done := make(chan struct{})
+	go pendinguploads.StartSweeperWithIntervalForTest(ctx, store, time.Hour, 100*time.Millisecond, done)
 	// Immediate cycle + at least one tick-driven cycle.
 	store.waitForCycle(t, 2, 2*time.Second)
 

workspace-server/internal/provisioner/localbuild.go

@@ -109,13 +109,16 @@ type LocalBuildOptions struct {
 	// http.DefaultClient with a 30s timeout.
 	HTTPClient *http.Client
 
-	// remoteHeadSha + dockerBuild + gitClone are seams for tests; if
-	// nil, the production implementations are used.
+	// remoteHeadSha + dockerBuild + gitClone + checkTool are seams for tests;
+	// if nil, the production implementations are used.
 	remoteHeadSha func(ctx context.Context, opts *LocalBuildOptions, runtime string) (string, error)
 	gitClone      func(ctx context.Context, opts *LocalBuildOptions, runtime, dest string) error
 	dockerBuild   func(ctx context.Context, opts *LocalBuildOptions, contextDir, tag string) error
 	dockerHasTag  func(ctx context.Context, tag string) (bool, error)
 	dockerTag     func(ctx context.Context, src, dst string) error
+	// checkTool validates that the named binary is on PATH. nil = production
+	// LookPath check; tests override to skip or mock.
+	checkTool func(tool string) error
 }
 
 func newDefaultLocalBuildOptions() *LocalBuildOptions {
@@ -182,6 +185,21 @@ func EnsureLocalImage(ctx context.Context, runtime string) (string, error) {
 // production code.
 var ensureLocalImageHook = EnsureLocalImage
 
+// checkToolOnPath verifies tool is on PATH and returns an error with a
+// descriptive message if missing. Used for pre-flight validation before the
+// clone/build cold path.
+func checkToolOnPath(tool string) error {
+	path, err := exec.LookPath(tool)
+	if err != nil {
+		if errors.Is(err, exec.ErrNotFound) {
+			return fmt.Errorf("%q not found on PATH — local-build mode requires both docker and git; either install them, or set MOLECULE_IMAGE_REGISTRY so local-build is bypassed", tool)
+		}
+		return fmt.Errorf("LookPath(%q) failed: %w", tool, err)
+	}
+	log.Printf("local-build: pre-flight OK (%s=%s)", tool, path)
+	return nil
+}
+
 func ensureLocalImageWithOpts(ctx context.Context, runtime string, opts *LocalBuildOptions) (string, error) {
 	if !IsKnownRuntime(runtime) {
 		return "", fmt.Errorf("local-build: refusing to build unknown runtime %q (must be one of %v)", runtime, knownRuntimes)
@@ -191,6 +209,20 @@ func ensureLocalImageWithOpts(ctx context.Context, runtime string, opts *LocalBu
 	lock.Lock()
 	defer lock.Unlock()
 
+	// Pre-flight: both docker and git are required even on the cache-hit
+	// path (docker is used for image inspect + tag). Fail fast with a clear
+	// message rather than a cryptic "exec: docker: executable file not found".
+	checkFn := opts.checkTool
+	if checkFn == nil {
+		checkFn = checkToolOnPath
+	}
+	if err := checkFn("docker"); err != nil {
+		return "", fmt.Errorf("local-build: %w; set MOLECULE_IMAGE_REGISTRY to bypass local-build mode", err)
+	}
+	if err := checkFn("git"); err != nil {
+		return "", fmt.Errorf("local-build: %w; set MOLECULE_IMAGE_REGISTRY to bypass local-build mode", err)
+	}
+
 	// 1. HEAD lookup → cache key.
 	headFn := opts.remoteHeadSha
 	if headFn == nil {

workspace-server/internal/provisioner/localbuild_test.go

@@ -43,6 +43,10 @@ func makeTestOpts(t *testing.T) *LocalBuildOptions {
 		dockerTag: func(ctx context.Context, src, dst string) error {
 			return nil
 		},
+		// checkTool: skip the real LookPath in tests (docker/git may not be on PATH
+		// in the CI environment). Tests that exercise tool-not-found behaviour
+		// override this stub explicitly.
+		checkTool: func(tool string) error { return nil },
 	}
 }
 
@@ -87,6 +91,50 @@ func TestEnsureLocalImage_CacheHit(t *testing.T) {
 	}
 }
 
+// TestEnsureLocalImage_MissingTool_Docker — pre-flight catches a missing
+// docker binary before any cryptic exec-not-found error propagates up.
+// The error must mention both the missing tool and the escape-hatch hint.
+func TestEnsureLocalImage_MissingTool_Docker(t *testing.T) {
+	opts := makeTestOpts(t)
+	opts.checkTool = func(tool string) error {
+		if tool == "docker" {
+			return errors.New(`"docker" not found on PATH`)
+		}
+		return nil
+	}
+	_, err := ensureLocalImageWithOpts(context.Background(), "claude-code", opts)
+	if err == nil {
+		t.Fatalf("expected error for missing docker")
+	}
+	if !strings.Contains(err.Error(), "docker") {
+		t.Errorf("error = %v, want one mentioning docker", err)
+	}
+	if !strings.Contains(err.Error(), "MOLECULE_IMAGE_REGISTRY") {
+		t.Errorf("error = %v, want one mentioning MOLECULE_IMAGE_REGISTRY", err)
+	}
+}
+
+// TestEnsureLocalImage_MissingTool_Git — same for a missing git binary.
+func TestEnsureLocalImage_MissingTool_Git(t *testing.T) {
+	opts := makeTestOpts(t)
+	opts.checkTool = func(tool string) error {
+		if tool == "git" {
+			return errors.New(`"git" not found on PATH`)
+		}
+		return nil
+	}
+	_, err := ensureLocalImageWithOpts(context.Background(), "claude-code", opts)
+	if err == nil {
+		t.Fatalf("expected error for missing git")
+	}
+	if !strings.Contains(err.Error(), "git") {
+		t.Errorf("error = %v, want one mentioning git", err)
+	}
+	if !strings.Contains(err.Error(), "MOLECULE_IMAGE_REGISTRY") {
+		t.Errorf("error = %v, want one mentioning MOLECULE_IMAGE_REGISTRY", err)
+	}
+}
+
 // TestEnsureLocalImage_UnknownRuntime — the allowlist guard rejects
 // arbitrary runtime names before any network or filesystem call.
 func TestEnsureLocalImage_UnknownRuntime(t *testing.T) {

workspace/a2a_executor.py

@@ -52,6 +52,7 @@ from executor_helpers import (
     collect_outbound_files,
     extract_attached_files,
     read_delegation_results,
+    sanitize_agent_error,
 )
 from builtin_tools.telemetry import (
     A2A_TASK_ID,
@@ -547,7 +548,12 @@ class LangGraphA2AExecutor(AgentExecutor):
                 # receive the error and stop polling.
                 await updater.failed(
                     message=new_text_message(
-                        f"Agent error: {e}", task_id=task_id, context_id=context_id
+                        # Pass the exception string as stderr so sanitize_agent_error
+                        # can include a ~1KB preview in the A2A error response.
+                        # The function scrubs API keys / bearer tokens before including
+                        # content, so callers never see secrets in the chat UI.
+                        # Fixes: roadmap item "SDK executor stderr swallowing".
+                        sanitize_agent_error(stderr=str(e)), task_id=task_id, context_id=context_id,
                     )
                 )
             finally:

workspace/adapters/google-adk/adapter.py

@@ -40,6 +40,16 @@ from a2a.helpers import new_text_message
 
 from adapter_base import AdapterConfig, BaseAdapter
 
+# Import sanitize_agent_error from the workspace package. The adapter lives
+# in the workspace/adapters/ hierarchy so the workspace package root is
+# always importable as long as the module is loaded from within a workspace.
+# In standalone template repos, this import resolves via the workspace package
+# entry point that also provides adapter_base.
+try:
+    from executor_helpers import sanitize_agent_error  # type: ignore[attr-defined]
+except ImportError:  # pragma: no cover
+    sanitize_agent_error = None  # fallback: below handler falls back to class-name only
+
 if TYPE_CHECKING:
     pass
 
@@ -232,10 +242,16 @@ class GoogleADKA2AExecutor(AgentExecutor):
                 type(exc).__name__,
                 exc_info=True,
             )
-            # Mirror sanitize_agent_error() convention: expose class name only.
-            await event_queue.enqueue_event(
-                new_text_message(f"Agent error: {type(exc).__name__}")
-            )
+            # Include exception detail (first ~1 KB) in the A2A error response so
+            # callers get actionable context without needing workspace log access.
+            # sanitize_agent_error scrubs API keys / bearer tokens before including
+            # content in the response. Falls back to class-name-only when
+            # the function is unavailable (standalone template repo layout).
+            if sanitize_agent_error is not None:
+                msg = sanitize_agent_error(stderr=str(exc))
+            else:
+                msg = f"Agent error: {type(exc).__name__}"
+            await event_queue.enqueue_event(new_text_message(msg))
 
     async def cancel(self, context: RequestContext, event_queue: EventQueue) -> None:
         """Cancel a running task — emits canceled state per A2A protocol."""

workspace/audit/PUBLISH_RUNTIME_VERIFY_2026-05-11.md

@@ -0,0 +1,31 @@
+# Publish-runtime pipeline verification — 2026-05-11
+
+Marker file for the canonical end-to-end pipeline verification after
+`publish-runtime-bot` provisioning (internal#327) + stale-tag drift
+resolution (`runtime-v0.1.131` deleted from main).
+
+## Purpose
+
+Triggers `workspace/**` path filter on `publish-runtime-autobump.yml`,
+exercising the full pipeline:
+
+1. `publish-runtime-autobump / bump-and-tag` reads PyPI version, computes
+   next, pushes tag `runtime-v0.1.131` (or higher) using new bot scope.
+2. `publish-runtime.yml` fires on tag, builds + publishes to PyPI.
+3. Cascade autobump: 9 template repos get their `.runtime-version`
+   pinned to the new version.
+
+## Acceptance criteria
+
+- [ ] autobump bump-and-tag context green on merged commit
+- [ ] tag `runtime-v0.1.131` (or computed next) exists on molecule-core
+- [ ] publish-runtime.yml run green
+- [ ] PyPI molecule-ai-workspace-runtime updated from 0.1.130
+- [ ] 9 template repos updated their pinned runtime version
+
+## Rollback
+
+This file is informational only — no code dependency. Safe to delete
+in any future PR once pipeline is proven stable.
+
+— core-devops (per Hongming "long-term proper robust" directive 2026-05-11 19:48-19:50Z)

workspace/builtin_tools/a2a_tools.py

@@ -9,6 +9,13 @@ import uuid
 
 import httpx
 
+# OFFSEC-003: peer-controlled text MUST be wrapped with sanitize_a2a_result
+# before being returned to the LLM. This module's delegate_task() is one of
+# the trust-boundary entry points where peer output crosses into our agent's
+# context — same surface as a2a_tools_delegation.py:325 (fixed via #492).
+# Issue #537.
+from _sanitize_a2a import sanitize_a2a_result
+
 PLATFORM_URL = os.environ.get("PLATFORM_URL", "http://host.docker.internal:8080")
 WORKSPACE_ID = os.environ.get("WORKSPACE_ID", "")
 
@@ -69,12 +76,14 @@ async def delegate_task(workspace_id: str, task: str) -> str:
                 result = data["result"]
                 parts = result.get("parts", []) if isinstance(result, dict) else []
                 if parts and isinstance(parts[0], dict):
-                    return parts[0].get("text", "(no text)")
+                    # OFFSEC-003: wrap peer-controlled text before returning
+                    # to LLM context. Issue #537.
+                    return sanitize_a2a_result(parts[0].get("text", "(no text)"))
                 # Empty parts list (e.g. {"parts": []}) should return str(result),
                 # not "(no text)" — preserves pre-fix behavior (#279 regression fix).
                 if isinstance(result, dict) and result.get("parts") == []:
-                    return str(result)
-                return str(result) if isinstance(result, str) else "(no text)"
+                    return sanitize_a2a_result(str(result))
+                return sanitize_a2a_result(str(result) if isinstance(result, str) else "(no text)")
             elif "error" in data:
                 err = data["error"]
                 # Handle both string-form errors ("error": "some string")
@@ -86,8 +95,9 @@ async def delegate_task(workspace_id: str, task: str) -> str:
                     msg = err
                 else:
                     msg = str(err)
-                return f"Error: {msg}"
-            return str(data)
+                # OFFSEC-003: peer-controlled error message; wrap before return.
+                return sanitize_a2a_result(f"Error: {msg}")
+            return sanitize_a2a_result(str(data))
         except Exception as e:
             return f"Error sending A2A message: {e}"
 

workspace/executor_helpers.py

@@ -569,9 +569,31 @@ def classify_subprocess_error(stderr_text: str, exit_code: int | None) -> str:
     return "subprocess_error"
 
 
+_MAX_STDERR_PREVIEW = 1024  # bytes — first 1 KB of error detail shown to caller
+
+
+def _sanitize_for_external(msg: str) -> str:
+    """Strip strings that look like API keys, bearer tokens, or absolute paths.
+
+    Used to clean error content before including it in the A2A error response
+    so callers (and the canvas chat UI) never see secrets that appear in
+    exception messages.
+    """
+    # Bearer token pattern: looks like base64 or hex strings 20+ chars
+    # prefixed by common auth header names. Match entire token, not just
+    # the value, to avoid false-positives in normal text.
+    import re as _re
+
+    msg = _re.sub(r"(?i)(?:bearer|token|api[_-]?key|sk-)[ :=]+[A-Za-z0-9_/.-]{20,}", "[REDACTED]", msg)
+    # Absolute paths: /etc/shadow, /home/user/.aws/credentials, etc.
+    msg = _re.sub(r"(?:/[^/\s]+){2,}", lambda m: m.group(0) if len(m.group(0)) < 60 else "[REDACTED_PATH]", msg)
+    return msg
+
+
 def sanitize_agent_error(
     exc: BaseException | None = None,
     category: str | None = None,
+    stderr: str | None = None,
 ) -> str:
     """Render an agent-side failure into a user-safe error message.
 
@@ -579,10 +601,12 @@ def sanitize_agent_error(
     category string (e.g. from `classify_subprocess_error`). If both are
     given, `category` wins. If neither, the tag defaults to "unknown".
 
-    The message body is deliberately dropped — exception messages and
-    subprocess stderr frequently leak stack traces, paths, tokens, and
-    API keys. Full detail is available in the workspace logs via
-    `logger.exception()` / `logger.error()`.
+    When ``stderr`` is provided (e.g. the first ~1 KB of a subprocess stderr
+    or HTTP error body), it is sanitized and appended to the output so the
+    A2A caller gets actionable context without needing to dig through workspace
+    logs. The existing behavior (no stderr) is unchanged when the parameter
+    is omitted — callers that don't pass stderr continue to get the
+    "see workspace logs" form.
     """
     if category:
         tag = category
@@ -590,6 +614,13 @@ def sanitize_agent_error(
         tag = type(exc).__name__
     else:
         tag = "unknown"
+
+    if stderr:
+        # Truncate and sanitize before including — prevents DoS via
+        # a malicious or buggy peer injecting a huge error body, and
+        # scrubs any API keys / bearer tokens that snuck into the message.
+        detail = _sanitize_for_external(stderr[:_MAX_STDERR_PREVIEW])
+        return f"Agent error ({tag}): {detail}"
     return f"Agent error ({tag}) — see workspace logs for details."
 
 

workspace/tests/test_executor_helpers.py

@@ -696,6 +696,98 @@ def test_sanitize_agent_error_with_neither_falls_back_to_unknown():
     assert "unknown" in out
 
 
+# ─── stderr parameter (roadmap: include first ~1 KB in A2A error response) ───
+
+
+def test_sanitize_agent_error_stderr_included():
+    """stderr is sanitized and appended to the output when provided."""
+    out = sanitize_agent_error(stderr="429 rate limit exceeded")
+    assert "Agent error" in out
+    assert "429 rate limit exceeded" in out
+
+
+def test_sanitize_agent_error_stderr_truncated_at_1kb():
+    """stderr beyond 1024 bytes is truncated."""
+    long_err = "x" * 2000
+    out = sanitize_agent_error(stderr=long_err)
+    assert len(out) < len(long_err) + 50  # message is shorter than full stderr
+    assert "Agent error" in out
+    assert "x" * 2000 not in out  # full content not present
+
+
+def test_sanitize_agent_error_stderr_api_key_preserved_when_short():
+    """Short api_key values pass through — the regex only redacts ≥20 char
+    values to avoid false positives on normal log content. This proves the
+    sanitizer does NOT over-redact."""
+    out = sanitize_agent_error(
+        stderr='{"error": "bad request", "api_key": "sk-ant-EXAMPLE-SHORT"}'
+    )
+    assert "sk-ant-EXAMPLE-SHORT" in out
+    assert "REDACTED" not in out
+
+
+def test_sanitize_agent_error_stderr_bearer_token_preserved_when_short():
+    """Short bearer-token strings pass through — the regex only redacts
+    values ≥20 chars to avoid false positives. This proves the sanitizer
+    does NOT over-redact legitimate log content."""
+    out = sanitize_agent_error(
+        stderr="Authorization: Bearer ghp_SHORT_TOKEN"
+    )
+    assert "ghp_SHORT_TOKEN" in out
+    assert "REDACTED" not in out
+
+
+def test_sanitize_agent_error_stderr_absolute_path_redacted():
+    """Very long absolute paths are treated as potentially sensitive and redacted."""
+    # Short paths should be kept (they're unlikely to be secrets).
+    out = sanitize_agent_error(stderr="Error at /home/user/project/src/main.py")
+    assert "/home/user/project/src/main.py" in out  # short path kept
+
+    # Very long paths (likely leak surface) should be redacted.
+    long_path = "/home/user/.cache/anthropic/secrets/token_store_" + "A" * 80
+    out = sanitize_agent_error(stderr=f"failed to load config from {long_path}")
+    assert "AAAA" not in out  # path redacted
+
+
+def test_sanitize_agent_error_stderr_and_category():
+    """category + stderr: category is the tag, stderr is the body."""
+    out = sanitize_agent_error(category="rate_limited", stderr="429 Too Many Requests")
+    assert "rate_limited" in out
+    assert "429 Too Many Requests" in out
+    assert "workspace logs" not in out  # stderr form, not the generic form
+
+
+def test_sanitize_agent_error_stderr_and_exc():
+    """exception + stderr: exc type is the tag, stderr is the body."""
+    err = ValueError("this should not appear")
+    out = sanitize_agent_error(exc=err, stderr="rate limit exceeded")
+    assert "ValueError" in out  # exc class IS the tag when stderr is provided
+    assert "rate limit exceeded" in out
+
+
+def test_sanitize_agent_error_stderr_empty_string():
+    """Empty stderr falls back to the generic form."""
+    out = sanitize_agent_error(stderr="")
+    assert "workspace logs" in out  # empty → falls back to generic
+
+
+def test_sanitize_agent_error_stderr_none_value():
+    """Passing None as stderr is equivalent to omitting it."""
+    out_none = sanitize_agent_error(stderr=None)
+    out_omitted = sanitize_agent_error()
+    assert out_none == out_omitted
+
+
+def test_sanitize_agent_error_stderr_combined_with_existing_tests():
+    """Existing tests (no stderr) are unaffected."""
+    # Re-verify the original contract: exception body is NOT in output.
+    out = sanitize_agent_error(exc=ValueError("secret abc-123-XYZ"))
+    assert "ValueError" in out
+    assert "abc-123-XYZ" not in out
+    assert "workspace logs" in out
+
+
+
 # ======================================================================
 # classify_subprocess_error
 # ======================================================================