test(canvas): add EmptyState component tests (22 cases)

Adds 22-case coverage for EmptyState — the full-canvas welcome card:

- Loading state (GET /templates pending)
- Template grid renders with correct name, tier badge, description, skill count, model
- Template button calls deploy on click
- "Deploying..." label on the deploying template button
- Buttons disabled while any deploy is in-flight
- "Create blank" button POSTs /workspaces with correct payload
- "Creating..." label while POST is pending
- selectNode + setPanelTab("chat") called after 500ms on success
- Error banner with role=alert on POST failure
- Fetch failure / empty templates → only "create blank" button shown

Uses vi.hoisted + vi.mock to fully isolate api.get, api.post, useTemplateDeploy,
useCanvasStore, and all child components.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitea/scripts/tests/_review_check_fixture.py

@@ -1,140 +0,0 @@
-#!/usr/bin/env python3
-"""Stub Gitea API for review-check.sh test scenarios.
-
-Reads $FIXTURE_STATE_DIR/scenario to decide what to return for each
-endpoint the review-check.sh script calls.
-Reads $FIXTURE_STATE_DIR/token_owner_in_teams to decide whether
-the team membership probe returns 200/204 (member) or 403 (not in team).
-
-Scenarios:
-  T1_pr_open          — open PR, author=alice, sha=deadbeef → continue
-  T2_pr_closed        — closed PR → script exits 0 (no-op)
-  T3_reviews_approved_non_author  — one APPROVED from non-author → candidates exist
-  T4_reviews_empty             — zero APPROVED non-author → exit 1 (no candidates)
-  T5_reviews_only_author        — only author reviews → exit 1 (no candidates)
-  T6_reviews_dismissed          — dismissed APPROVED → treated as no approval
-  T7_team_member              — team membership → 204 (member) → exit 0
-  T8_team_not_member          — team membership → 404 (not a member) → exit 1
-  T9_team_403                — team membership → 403 (token not in team) → exit 1
-
-Usage:
-  FIXTURE_STATE_DIR=/tmp/x python3 _review_check_fixture.py 8080
-"""
-
-import http.server
-import json
-import os
-import re
-import sys
-import urllib.parse
-
-
-STATE_DIR = os.environ.get("FIXTURE_STATE_DIR", "/tmp")
-
-
-def scenario() -> str:
-    p = os.path.join(STATE_DIR, "scenario")
-    if not os.path.isfile(p):
-        return "T1_pr_open"
-    with open(p) as f:
-        return f.read().strip()
-
-
-class Handler(http.server.BaseHTTPRequestHandler):
-    def log_message(self, *args, **kwargs):
-        pass  # keep stdout for explicit logs only
-
-    def _json(self, code: int, body: dict) -> None:
-        payload = json.dumps(body).encode()
-        self.send_response(code)
-        self.send_header("Content-Type", "application/json")
-        self.send_header("Content-Length", str(len(payload)))
-        self.end_headers()
-        self.wfile.write(payload)
-
-    def _empty(self, code: int) -> None:
-        self.send_response(code)
-        self.send_header("Content-Length", "0")
-        self.end_headers()
-
-    def _text(self, code: int, body: str) -> None:
-        payload = body.encode()
-        self.send_response(code)
-        self.send_header("Content-Type", "text/plain")
-        self.send_header("Content-Length", str(len(payload)))
-        self.end_headers()
-        self.wfile.write(payload)
-
-    def do_GET(self):
-        u = urllib.parse.urlparse(self.path)
-        path = u.path
-        sc = scenario()
-
-        if path == "/_ping":
-            return self._json(200, {"ok": True})
-
-        # GET /repos/{owner}/{name}/pulls/{pr_number}
-        m = re.match(r"^/api/v1/repos/([^/]+)/([^/]+)/pulls/(\d+)$", path)
-        if m:
-            owner, name, pr_num = m.group(1), m.group(2), m.group(3)
-            if sc == "T2_pr_closed":
-                return self._json(200, {
-                    "number": int(pr_num),
-                    "state": "closed",
-                    "head": {"sha": "deadbeef0000111122223333444455556666"},
-                    "user": {"login": "alice"},
-                })
-            return self._json(200, {
-                "number": int(pr_num),
-                "state": "open",
-                "head": {"sha": "deadbeef0000111122223333444455556666"},
-                "user": {"login": "alice"},
-            })
-
-        # GET /repos/{owner}/{name}/pulls/{pr_number}/reviews
-        m = re.match(r"^/api/v1/repos/([^/]+)/([^/]+)/pulls/(\d+)/reviews$", path)
-        if m:
-            if sc in ("T4_reviews_empty", "T5_reviews_only_author"):
-                return self._json(200, [])
-            if sc == "T6_reviews_dismissed":
-                return self._json(200, [{
-                    "state": "APPROVED",
-                    "dismissed": True,
-                    "user": {"login": "core-devops"},
-                    "commit_id": "abc1234",
-                }])
-            if sc == "T3_reviews_approved_non_author":
-                return self._json(200, [
-                    {"state": "CHANGES_REQUESTED", "dismissed": False, "user": {"login": "bob"}, "commit_id": "abc1234"},
-                    {"state": "APPROVED", "dismissed": False, "user": {"login": "core-devops"}, "commit_id": "abc1234"},
-                ])
-            # Default: one non-author APPROVED
-            return self._json(200, [
-                {"state": "APPROVED", "dismissed": False, "user": {"login": "core-devops"}, "commit_id": "abc1234"},
-            ])
-
-        # GET /teams/{team_id}/members/{username}
-        m = re.match(r"^/api/v1/teams/(\d+)/members/([^/]+)$", path)
-        if m:
-            team_id, login = m.group(1), m.group(2)
-            if sc == "T8_team_not_member":
-                return self._empty(404)
-            if sc == "T9_team_403":
-                return self._empty(403)
-            # T7_team_member: member
-            return self._empty(204)
-
-        return self._json(404, {"path": path, "msg": "fixture: no route"})
-
-    def do_POST(self):
-        self._json(404, {"path": self.path, "msg": "fixture: no POST routes"})
-
-
-def main():
-    port = int(sys.argv[1])
-    srv = http.server.ThreadingHTTPServer(("127.0.0.1", port), Handler)
-    srv.serve_forever()
-
-
-if __name__ == "__main__":
-    main()

.gitea/scripts/tests/test_review_check.sh

@@ -1,331 +0,0 @@
-#!/usr/bin/env bash
-# Regression tests for .gitea/scripts/review-check.sh (RFC#324 Step 1).
-#
-# Covers:
-#   T1  — open PR: script fetches PR + reviews, continues to team probe
-#   T2  — closed PR: script exits 0 (no-op)
-#   T3  — APPROVED non-author review exists → candidates exist
-#   T4  — no non-author APPROVED reviews → exit 1 (no candidates)
-#   T5  — only author reviews (no non-author APPROVE) → exit 1
-#   T6  — dismissed APPROVED review → treated as no approval
-#   T7  — team membership probe → 204 (member) → script exits 0
-#   T8  — team membership probe → 404 (not a member) → script exits 1
-#   T9  — team membership probe → 403 (token not in team) → script exits 1 (fail closed)
-#   T10 — CURL_AUTH_FILE created with mode 600 and correct header content
-#   T11 — bash syntax check (bash -n passes)
-#   T12 — jq filter: non-author APPROVED → in candidate list; dismissed → excluded
-#   T13 — missing required env GITEA_TOKEN → exits 1 with error
-#
-# Hostile-self-review (per feedback_assert_exact_not_substring):
-# this test MUST FAIL if the script is absent. Verified by running
-# the test before the file exists (covered in the PR body).
-
-set -euo pipefail
-
-THIS_DIR="$(cd "$(dirname "$0")" && pwd)"
-SCRIPT_DIR="$(cd "$THIS_DIR/.." && pwd)"
-SCRIPT="$SCRIPT_DIR/review-check.sh"
-
-PASS=0
-FAIL=0
-FAILED_TESTS=""
-
-assert_eq() {
-  local label="$1"
-  local expected="$2"
-  local got="$3"
-  if [ "$expected" = "$got" ]; then
-    echo "  PASS  $label"
-    PASS=$((PASS + 1))
-  else
-    echo "  FAIL  $label"
-    echo "        expected: <$expected>"
-    echo "        got:      <$got>"
-    FAIL=$((FAIL + 1))
-    FAILED_TESTS="${FAILED_TESTS} ${label}"
-  fi
-}
-
-assert_contains() {
-  local label="$1"
-  local needle="$2"
-  local haystack="$3"
-  if printf '%s' "$haystack" | grep -qF "$needle"; then
-    echo "  PASS  $label"
-    PASS=$((PASS + 1))
-  else
-    echo "  FAIL  $label"
-    echo "        needle:    <$needle>"
-    echo "        haystack:  <$(printf '%s' "$haystack" | head -c 200)>"
-    FAIL=$((FAIL + 1))
-    FAILED_TESTS="${FAILED_TESTS} ${label}"
-  fi
-}
-
-assert_file_mode() {
-  local label="$1"
-  local path="$2"
-  local expected_mode="$3"
-  if [ ! -f "$path" ]; then
-    echo "  FAIL  $label (file not found: $path)"
-    FAIL=$((FAIL + 1))
-    FAILED_TESTS="${FAILED_TESTS} ${label}"
-    return
-  fi
-  local got_mode
-  got_mode=$(stat -c '%a' "$path" 2>/dev/null || echo "000")
-  if [ "$expected_mode" = "$got_mode" ]; then
-    echo "  PASS  $label (mode=$got_mode)"
-    PASS=$((PASS + 1))
-  else
-    echo "  FAIL  $label (expected mode=$expected_mode, got=$got_mode)"
-    FAIL=$((FAIL + 1))
-    FAILED_TESTS="${FAILED_TESTS} ${label}"
-  fi
-}
-
-assert_file_contains() {
-  local label="$1"
-  local path="$2"
-  local needle="$3"
-  if [ ! -f "$path" ]; then
-    echo "  FAIL  $label (file not found: $path)"
-    FAIL=$((FAIL + 1))
-    FAILED_TESTS="${FAILED_TESTS} ${label}"
-    return
-  fi
-  if grep -qF "$needle" "$path"; then
-    echo "  PASS  $label"
-    PASS=$((PASS + 1))
-  else
-    echo "  FAIL  $label (needle not found: <$needle>)"
-    FAIL=$((FAIL + 1))
-    FAILED_TESTS="${FAILED_TESTS} ${label}"
-  fi
-}
-
-# Existence check (foundation)
-echo
-echo "== existence =="
-if [ -f "$SCRIPT" ]; then
-  echo "  PASS  script exists: $SCRIPT"
-  PASS=$((PASS + 1))
-else
-  echo "  FAIL  script not found: $SCRIPT"
-  FAIL=$((FAIL + 1))
-  FAILED_TESTS="${FAILED_TESTS} script_exists"
-  echo
-  echo "------"
-  echo "PASS=$PASS FAIL=$FAIL (existence)"
-  echo "Cannot proceed without the script."
-  exit 1
-fi
-
-# T11 — bash syntax check
-echo
-echo "== T11 bash syntax =="
-if bash -n "$SCRIPT" 2>&1; then
-  echo "  PASS  T11 bash -n passes"
-  PASS=$((PASS + 1))
-else
-  echo "  FAIL  T11 bash -n failed"
-  FAIL=$((FAIL + 1))
-  FAILED_TESTS="${FAILED_TESTS} T11"
-fi
-
-# T13 — missing required env
-echo
-echo "== T13 missing GITEA_TOKEN =="
-set +e
-T13_OUT=$(PATH="/tmp:$PATH" GITEA_TOKEN= GITEA_HOST=git.example.com REPO=x/y PR_NUMBER=1 TEAM=qa TEAM_ID=1 bash "$SCRIPT" 2>&1 || true)
-set -e
-assert_contains "T13 exits non-zero when GITEA_TOKEN missing" "GITEA_TOKEN required" "$T13_OUT"
-
-# Start fixture HTTP server
-echo
-echo "== fixture setup =="
-FIXTURE_DIR=$(mktemp -d)
-trap 'rm -rf "$FIXTURE_DIR"; [ -n "${FIX_PID:-}" ] && kill "$FIX_PID" 2>/dev/null || true' EXIT
-FIXTURE_PY="$THIS_DIR/_review_check_fixture.py"
-if [ ! -f "$FIXTURE_PY" ]; then
-  echo "::error::fixture server $FIXTURE_PY missing"
-  exit 1
-fi
-
-FIX_LOG="$FIXTURE_DIR/fixture.log"
-FIX_STATE_DIR="$FIXTURE_DIR/state"
-mkdir -p "$FIX_STATE_DIR"
-
-# Find an unused port
-FIX_PORT=$(python3 -c 'import socket;s=socket.socket();s.bind(("127.0.0.1",0));print(s.getsockname()[1]);s.close()')
-
-FIXTURE_STATE_DIR="$FIX_STATE_DIR" python3 "$FIXTURE_PY" "$FIX_PORT" \
-  >"$FIX_LOG" 2>&1 &
-FIX_PID=$!
-
-# Wait for fixture readiness
-for _ in $(seq 1 50); do
-  if curl -fsS "http://127.0.0.1:${FIX_PORT}/_ping" >/dev/null 2>&1; then
-    break
-  fi
-  sleep 0.1
-done
-if ! curl -fsS "http://127.0.0.1:${FIX_PORT}/_ping" >/dev/null 2>&1; then
-  echo "::error::fixture server failed to start. Log:"
-  cat "$FIX_LOG"
-  exit 1
-fi
-echo "  fixture running on port $FIX_PORT"
-
-# Install a curl shim that rewrites https://fixture.local/* -> http://127.0.0.1:$FIX_PORT/*
-# Use double-quoted heredoc so FIX_PORT is expanded into the shim at creation time.
-mkdir -p "$FIXTURE_DIR/bin"
-cat >"$FIXTURE_DIR/bin/curl" <<"CURL_SHIM"
-#!/usr/bin/env bash
-# Shim: rewrite https://fixture.local/* -> http://127.0.0.1:FIXPORT/*
-# Generated at test-run time; FIXPORT is substituted when this file is written.
-new_args=()
-for a in "$@"; do
-  if [[ "$a" == https://fixture.local/* ]]; then
-    rest="${a#https://fixture.local}"
-    a="http://127.0.0.1:FIXPORT${rest}"
-  fi
-  new_args+=("$a")
-done
-exec /usr/bin/curl "${new_args[@]}"
-CURL_SHIM
-# Now substitute FIXPORT with the actual port number
-sed -i "s/FIXPORT/${FIX_PORT}/g" "$FIXTURE_DIR/bin/curl"
-chmod +x "$FIXTURE_DIR/bin/curl"
-
-# Helper: run the script with fixture environment
-run_review_check() {
-  local scenario="$1"
-  echo "$scenario" >"$FIX_STATE_DIR/scenario"
-  local out
-  set +e
-  out=$(
-    PATH="$FIXTURE_DIR/bin:/tmp:$PATH" \
-    GITEA_TOKEN="fixture-token" \
-    GITEA_HOST="fixture.local" \
-    REPO="molecule-ai/molecule-core" \
-    PR_NUMBER="999" \
-    TEAM="qa" \
-    TEAM_ID="20" \
-    REVIEW_CHECK_DEBUG="0" \
-    REVIEW_CHECK_STRICT="0" \
-    bash "$SCRIPT" 2>&1
-  )
-  local rc=$?
-  set -e
-  echo "$out" >"$FIX_STATE_DIR/last_run.log"
-  echo "$rc" >"$FIX_STATE_DIR/last_rc"
-  echo "$out"
-}
-
-# T1 — open PR: script fetches PR and continues
-echo
-echo "== T1 open PR =="
-T1_OUT=$(run_review_check "T1_pr_open")
-T1_RC=$(cat "$FIX_STATE_DIR/last_rc")
-assert_eq "T1 exit code 0 (approver exists + team member)" "0" "$T1_RC"
-assert_contains "T1 qa-review APPROVED by core-devops" "APPROVED by core-devops" "$T1_OUT"
-
-# T2 — closed PR: exits 0 immediately (no-op)
-echo
-echo "== T2 closed PR =="
-T2_OUT=$(run_review_check "T2_pr_closed")
-T2_RC=$(cat "$FIX_STATE_DIR/last_rc")
-assert_eq "T2 exit code 0 (closed PR no-op)" "0" "$T2_RC"
-
-# T3 — APPROVED non-author reviews exist
-echo
-echo "== T3 approved non-author reviews =="
-T3_OUT=$(run_review_check "T3_reviews_approved_non_author")
-T3_RC=$(cat "$FIX_STATE_DIR/last_rc")
-assert_eq "T3 exit code 0 (candidates + team member)" "0" "$T3_RC"
-
-# T4 — no non-author APPROVED reviews → exit 1
-echo
-echo "== T4 no non-author APPROVED reviews =="
-T4_OUT=$(run_review_check "T4_reviews_empty")
-T4_RC=$(cat "$FIX_STATE_DIR/last_rc")
-assert_eq "T4 exit code 1 (no candidates)" "1" "$T4_RC"
-assert_contains "T4 awaiting non-author APPROVE" "awaiting non-author APPROVE" "$T4_OUT"
-
-# T5 — only author reviews → exit 1
-echo
-echo "== T5 only author reviews =="
-T5_OUT=$(run_review_check "T5_reviews_only_author")
-T5_RC=$(cat "$FIX_STATE_DIR/last_rc")
-assert_eq "T5 exit code 1 (only author reviews, no candidates)" "1" "$T5_RC"
-
-# T6 — dismissed APPROVED review → treated as no approval
-echo
-echo "== T6 dismissed APPROVED review =="
-T6_OUT=$(run_review_check "T6_reviews_dismissed")
-T6_RC=$(cat "$FIX_STATE_DIR/last_rc")
-assert_eq "T6 exit code 1 (dismissed = no approval)" "1" "$T6_RC"
-
-# T7 — team member → exit 0
-echo
-echo "== T7 team membership 204 (member) =="
-T7_OUT=$(run_review_check "T7_team_member")
-T7_RC=$(cat "$FIX_STATE_DIR/last_rc")
-assert_eq "T7 exit code 0 (member, APPROVED)" "0" "$T7_RC"
-assert_contains "T7 APPROVED by core-devops (team member)" "APPROVED by core-devops" "$T7_OUT"
-
-# T8 — not a team member → exit 1 (fail closed)
-echo
-echo "== T8 team membership 404 (not a member) =="
-T8_OUT=$(run_review_check "T8_team_not_member")
-T8_RC=$(cat "$FIX_STATE_DIR/last_rc")
-assert_eq "T8 exit code 1 (not in team)" "1" "$T8_RC"
-
-# T9 — 403 token-not-in-team → exit 1 (fail closed)
-echo
-echo "== T9 team membership 403 (token not in team) =="
-T9_OUT=$(run_review_check "T9_team_403")
-T9_RC=$(cat "$FIX_STATE_DIR/last_rc")
-assert_eq "T9 exit code 1 (403 token-not-in-team, fail closed)" "1" "$T9_RC"
-assert_contains "T9 403 error in output" "403" "$T9_OUT"
-
-# T10 — token file creation and permissions
-echo
-echo "== T10 CURL_AUTH_FILE =="
-# Verify the token-file logic directly: create a temp file with the
-# same mktemp pattern, write the header with printf, chmod 600, then assert.
-T10_TOKEN="secret-test-token-abc123"
-T10_AUTHFILE=$(mktemp -p /tmp curl-auth.test.XXXXXX)
-chmod 600 "$T10_AUTHFILE"
-printf 'header = "Authorization: token %s"\n' "$T10_TOKEN" > "$T10_AUTHFILE"
-assert_file_mode "T10a mktemp -p /tmp mode 600 (CURL_AUTH_FILE pattern)" "$T10_AUTHFILE" "600"
-assert_file_contains "T10b printf header format (CURL_AUTH_FILE content)" "$T10_AUTHFILE" "Authorization: token secret-test-token-abc123"
-assert_file_contains "T10c 'header =' curl-config syntax" "$T10_AUTHFILE" 'header = "Authorization: token '
-rm -f "$T10_AUTHFILE"
-
-# T12 — jq filter: non-author APPROVED included, dismissed excluded
-echo
-echo "== T12 jq filter =="
-# These are tested indirectly via T3 and T6 above, but let's also test
-# the jq expression directly.
-JQ_FILTER='.[]
-  | select(.state == "APPROVED")
-  | select(.dismissed != true)
-  | select(.user.login != "alice")
-  | .user.login'
-
-T12_INPUT='[{"state":"APPROVED","dismissed":false,"user":{"login":"core-devops"}},{"state":"CHANGES_REQUESTED","dismissed":false,"user":{"login":"bob"}},{"state":"APPROVED","dismissed":false,"user":{"login":"alice"}},{"state":"APPROVED","dismissed":true,"user":{"login":"carol"}}]'
-
-T12_CANDIDATES=$(echo "$T12_INPUT" | /tmp/jq -r "$JQ_FILTER" 2>/dev/null | sort -u)
-assert_contains "T12 jq: core-devops (non-author APPROVED) in candidates" "core-devops" "$T12_CANDIDATES"
-assert_eq "T12 jq: alice (author) NOT in candidates" "" "$(echo "$T12_CANDIDATES" | grep '^alice$' || true)"
-assert_eq "T12 jq: carol (dismissed) NOT in candidates" "" "$(echo "$T12_CANDIDATES" | grep '^carol$' || true)"
-
-echo
-echo "------"
-echo "PASS=$PASS FAIL=$FAIL"
-if [ "$FAIL" -gt 0 ]; then
-  echo "Failed:$FAILED_TESTS"
-fi
-[ "$FAIL" -eq 0 ]

.gitea/workflows/publish-runtime-autobump.yml

@@ -36,10 +36,6 @@ on:
       - staging
     paths:
       - "workspace/**"
-  # Manual dispatch — useful when Gitea Actions API (/actions/*) is
-  # unreachable (e.g. act_runner 404 on Gitea 1.22.6) and we cannot
-  # re-trigger via curl.
-  workflow_dispatch:
 
 permissions:
   contents: write  # required to push tags back
@@ -80,15 +76,9 @@ jobs:
   # watchdog, which is the desired signal for infrastructure degradation.
   bump-and-tag:
     runs-on: ubuntu-latest
-    # Only fire on push events (main/staging after PR merge). Pull_request
-    # events are handled by pr-validate above; we do NOT bump on every
-    # push-synchronize because that would race with the PR head.
-    #
-    # NOTE: the prior condition `github.event.pull_request.base.ref == ''`
-    # was broken — on a PR-merge push in Gitea Actions, the pull_request
-    # context is still attached (base.ref='main'), so the condition always
-    # evaluated to false and bump-and-tag was permanently skipped.
-    if: github.event_name == 'push'
+    # This job only fires on main/staging pushes (not on PR events) because
+    # the pull_request trigger above routes to pr-validate instead.
+    if: github.event.pull_request.base.ref == ''
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:

canvas/src/components/__tests__/ApprovalBanner.test.tsx

@@ -5,20 +5,22 @@
  * Covers: renders nothing when no approvals, polls /approvals/pending,
  * shows approval cards, approve/deny decisions, toast notifications.
  *
- * Note: does NOT mock @/lib/api — uses vi.spyOn on the real module.
- * vi.restoreAllMocks() is omitted from afterEach so queued mock values
- * (set up via mockResolvedValueOnce in beforeEach) are preserved for the
- * component's useEffect to consume.
+ * Uses vi.hoisted + vi.mock (file-level) for @/lib/api. vi.resetModules()
+ * in every afterEach undoes the mock so other test files that import the
+ * real api module (e.g. socket.url.test.ts) are unaffected.
  */
 import React from "react";
 import { render, screen, fireEvent, cleanup, act } from "@testing-library/react";
 import { afterEach, describe, expect, it, vi, beforeEach } from "vitest";
 import { ApprovalBanner } from "../ApprovalBanner";
 import { showToast } from "@/components/Toaster";
-import { api } from "@/lib/api";
 
-vi.mock("@/components/Toaster", () => ({
-  showToast: vi.fn(),
+// ─── Hoisted mock refs ─────────────────────────────────────────────────────────
+// vi.hoisted runs in the same hoisting phase as vi.mock factories, so these
+// refs are stable across all tests and available inside the mock factory.
+const { mockApiGet, mockApiPost } = vi.hoisted(() => ({
+  mockApiGet: vi.fn<(args: unknown[]) => Promise<unknown>>(),
+  mockApiPost: vi.fn<(args: unknown[]) => Promise<unknown>>(),
 }));
 
 // ─── Helpers ──────────────────────────────────────────────────────────────────
@@ -41,28 +43,42 @@ const pendingApproval = (id = "a1", workspaceId = "ws-1"): {
   created_at: "2026-05-10T10:00:00Z",
 });
 
-// Shared spy references so individual tests can reset or reject the POST mock
-// without needing to call spyOn again (which would create a duplicate spy).
-let mockGet: ReturnType<typeof vi.spyOn>;
-let mockPost: ReturnType<typeof vi.spyOn>;
+// ─── Static mocks (file-level — no other test needs the real modules) ─────────
 
-// ─── Tests ────────────────────────────────────────────────────────────────────
+vi.mock("@/components/Toaster", () => ({
+  showToast: vi.fn(),
+}));
+
+// vi.resetModules() in afterEach undoes this mock so other files that import
+// the real api module are unaffected.
+vi.mock("@/lib/api", () => ({
+  api: {
+    get: mockApiGet,
+    post: mockApiPost,
+  },
+}));
+
+// ─── Tests ─────────────────────────────────────────────────────────────────────
 
 describe("ApprovalBanner — empty state", () => {
   beforeEach(() => {
     vi.useFakeTimers();
-    vi.spyOn(api, "get").mockResolvedValueOnce([]);
+    mockApiGet.mockReset().mockResolvedValue([]);
+    mockApiPost.mockReset().mockResolvedValue({});
   });
 
   afterEach(() => {
     cleanup();
     vi.useRealTimers();
+    vi.restoreAllMocks();
+    vi.resetModules();
   });
 
   it("renders nothing when there are no pending approvals", async () => {
     render(<ApprovalBanner />);
     await act(async () => { await vi.runOnlyPendingTimersAsync(); });
     expect(screen.queryByRole("alert")).toBeNull();
+    expect(mockApiGet).toHaveBeenCalled();
   });
 
   it("does not render any approve/deny buttons when list is empty", async () => {
@@ -76,41 +92,40 @@ describe("ApprovalBanner — empty state", () => {
 describe("ApprovalBanner — renders approval cards", () => {
   beforeEach(() => {
     vi.useFakeTimers();
-    mockGet = vi.spyOn(api, "get").mockResolvedValueOnce([
+    mockApiGet.mockReset().mockResolvedValue([
       pendingApproval("a1"),
       pendingApproval("a2", "ws-2"),
     ]);
+    mockApiPost.mockReset().mockResolvedValue({});
   });
 
   afterEach(() => {
     cleanup();
     vi.useRealTimers();
+    vi.restoreAllMocks();
+    vi.resetModules();
   });
 
   it("renders an alert card for each pending approval", async () => {
     render(<ApprovalBanner />);
     await act(async () => { await vi.runOnlyPendingTimersAsync(); });
-    const alerts = screen.getAllByRole("alert");
-    expect(alerts).toHaveLength(2);
-    mockGet.mockRestore();
+    expect(screen.getAllByRole("alert")).toHaveLength(2);
   });
 
   it("displays the workspace name and action text", async () => {
     render(<ApprovalBanner />);
     await act(async () => { await vi.runOnlyPendingTimersAsync(); });
-    const nameEls = screen.getAllByText(/test workspace needs approval/i);
-    expect(nameEls).toHaveLength(2);
+    expect(screen.getAllByText(/test workspace needs approval/i)).toHaveLength(2);
   });
 
   it("displays the reason when present", async () => {
     render(<ApprovalBanner />);
     await act(async () => { await vi.runOnlyPendingTimersAsync(); });
-    const reasons = screen.getAllByText(/requires human approval/i);
-    expect(reasons).toHaveLength(2);
+    expect(screen.getAllByText(/requires human approval/i)).toHaveLength(2);
   });
 
   it("omits the reason div when reason is null", async () => {
-    vi.spyOn(api, "get").mockResolvedValueOnce([{
+    mockApiGet.mockReset().mockResolvedValue([{
       ...pendingApproval("a1"),
       reason: null,
     }]);
@@ -124,7 +139,6 @@ describe("ApprovalBanner — renders approval cards", () => {
     await act(async () => { await vi.runOnlyPendingTimersAsync(); });
     const approveBtns = screen.getAllByRole("button", { name: /Approve/i });
     const denyBtns = screen.getAllByRole("button", { name: /Deny/i });
-    // 2 cards, each card has 1 Approve + 1 Deny button → 2 of each minimum
     expect(approveBtns.length).toBeGreaterThanOrEqual(2);
     expect(denyBtns.length).toBeGreaterThanOrEqual(2);
   });
@@ -132,21 +146,22 @@ describe("ApprovalBanner — renders approval cards", () => {
   it("has aria-live=assertive on the alert container", async () => {
     render(<ApprovalBanner />);
     await act(async () => { await vi.runOnlyPendingTimersAsync(); });
-    const alert = screen.getAllByRole("alert")[0];
-    expect(alert.getAttribute("aria-live")).toBe("assertive");
+    expect(screen.getAllByRole("alert")[0].getAttribute("aria-live")).toBe("assertive");
   });
 });
 
 describe("ApprovalBanner — decisions", () => {
   beforeEach(() => {
     vi.useFakeTimers();
-    mockGet = vi.spyOn(api, "get").mockResolvedValueOnce([pendingApproval("a1")]);
-    mockPost = vi.spyOn(api, "post").mockResolvedValue({});
+    mockApiGet.mockReset().mockResolvedValue([pendingApproval("a1")]);
+    mockApiPost.mockReset().mockResolvedValue({});
   });
 
   afterEach(() => {
     cleanup();
     vi.useRealTimers();
+    vi.restoreAllMocks();
+    vi.resetModules();
   });
 
   it("calls POST /workspaces/:id/approvals/:id/decide on Approve click", async () => {
@@ -154,7 +169,7 @@ describe("ApprovalBanner — decisions", () => {
     await act(async () => { await vi.runOnlyPendingTimersAsync(); });
     fireEvent.click(screen.getAllByRole("button", { name: /approve/i })[0]);
     await act(async () => { /* flush */ });
-    expect(vi.mocked(api.post)).toHaveBeenCalledWith(
+    expect(mockApiPost).toHaveBeenCalledWith(
       "/workspaces/ws-1/approvals/a1/decide",
       expect.objectContaining({ decision: "approved" })
     );
@@ -165,7 +180,7 @@ describe("ApprovalBanner — decisions", () => {
     await act(async () => { await vi.runOnlyPendingTimersAsync(); });
     fireEvent.click(screen.getAllByRole("button", { name: /deny/i })[0]);
     await act(async () => { /* flush */ });
-    expect(vi.mocked(api.post)).toHaveBeenCalledWith(
+    expect(mockApiPost).toHaveBeenCalledWith(
       "/workspaces/ws-1/approvals/a1/decide",
       expect.objectContaining({ decision: "denied" })
     );
@@ -197,7 +212,10 @@ describe("ApprovalBanner — decisions", () => {
   });
 
   it("shows an error toast when POST fails", async () => {
-    mockPost.mockReset().mockRejectedValue(new Error("Network error"));
+    // mockImplementation preserves the vi.fn() wrapper (unlike mockReset() which
+    // strips it and causes the real fetch() to fire — the root cause of the
+    // original flakiness in this file).
+    mockApiPost.mockImplementation(() => Promise.reject(new Error("Network error")));
     render(<ApprovalBanner />);
     await act(async () => { await vi.runOnlyPendingTimersAsync(); });
     fireEvent.click(screen.getAllByRole("button", { name: /approve/i })[0]);
@@ -209,9 +227,9 @@ describe("ApprovalBanner — decisions", () => {
   });
 
   it("keeps the card visible when the POST fails", async () => {
-    // Reset the post mock before rejecting so the beforeEach's resolved value
-    // is gone and we get a clean rejection instead of a resolved→rejected queue.
-    mockPost.mockReset().mockRejectedValue(new Error("Network error"));
+    // Same mockImplementation pattern — preserves the wrapper so the component's
+    // catch block runs instead of the real fetch().
+    mockApiPost.mockImplementation(() => Promise.reject(new Error("Network error")));
     render(<ApprovalBanner />);
     await act(async () => { await vi.runOnlyPendingTimersAsync(); });
     fireEvent.click(screen.getAllByRole("button", { name: /approve/i })[0]);
@@ -223,12 +241,15 @@ describe("ApprovalBanner — decisions", () => {
 describe("ApprovalBanner — handles empty list from server", () => {
   beforeEach(() => {
     vi.useFakeTimers();
-    vi.spyOn(api, "get").mockResolvedValueOnce([]);
+    mockApiGet.mockReset().mockResolvedValue([]);
+    mockApiPost.mockReset().mockResolvedValue({});
   });
 
   afterEach(() => {
     cleanup();
     vi.useRealTimers();
+    vi.restoreAllMocks();
+    vi.resetModules();
   });
 
   it("shows nothing when the API returns an empty array on first poll", async () => {

canvas/src/components/__tests__/EmptyState.test.tsx

@@ -0,0 +1,370 @@
+// @vitest-environment jsdom
+/**
+ * Tests for EmptyState — the full-canvas welcome card shown on first load.
+ *
+ * Covers:
+ *   - Loading state (GET /templates in flight)
+ *   - Fetch failure → empty template grid (templates = [])
+ *   - Template grid renders with correct content
+ *   - Template button disabled while deploying
+ *   - "Deploying..." label on the button being deployed
+ *   - "Create blank" button POSTs /workspaces
+ *   - "Creating..." label while blank workspace is being created
+ *   - Blank create error shows error banner
+ *   - Error banner has role="alert"
+ *   - All buttons disabled while any deploy is in-flight
+ *   - handleDeployed fires after 500ms delay
+ *
+ * Uses vi.hoisted + vi.mock to fully isolate the api module, matching
+ * the pattern established in ApprovalBanner, MemoryTab, and ScheduleTab tests.
+ */
+import React from "react";
+import { render, screen, fireEvent, cleanup, act } from "@testing-library/react";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { EmptyState } from "../EmptyState";
+
+// ─── Hoisted mock refs ─────────────────────────────────────────────────────────
+// vi.hoisted runs in the same hoisting phase as vi.mock factories, so all refs
+// are available both to the factory and to test bodies.
+const { mockApiGet, mockApiPost } = vi.hoisted(() => ({
+  mockApiGet: vi.fn<(args: unknown[]) => Promise<unknown>>(),
+  mockApiPost: vi.fn<(args: unknown[]) => Promise<{ id: string }>>(),
+}));
+
+// Mutable deploy state — object reference is const; properties can be mutated.
+const _deploy = vi.hoisted(() => ({
+  deployFn: vi.fn(),
+  deploying: undefined as string | undefined,
+  error: undefined as string | undefined,
+  modal: null as React.ReactNode,
+}));
+
+const { mockSelectNode, mockSetPanelTab } = vi.hoisted(() => ({
+  mockSelectNode: vi.fn(),
+  mockSetPanelTab: vi.fn(),
+}));
+
+// ─── Mocks ────────────────────────────────────────────────────────────────────
+
+vi.mock("@/lib/api", () => ({
+  api: {
+    get: mockApiGet,
+    post: mockApiPost,
+  },
+}));
+
+vi.mock("@/hooks/useTemplateDeploy", () => ({
+  useTemplateDeploy: () => ({
+    deploy: _deploy.deployFn,
+    deploying: _deploy.deploying,
+    error: _deploy.error,
+    modal: _deploy.modal,
+  }),
+}));
+
+vi.mock("@/store/canvas", () => ({
+  useCanvasStore: Object.assign(
+    vi.fn((selector: (s: { getState: () => { selectNode: typeof mockSelectNode; setPanelTab: typeof mockSetPanelTab } }) => unknown) =>
+      selector({
+        getState: () => ({
+          selectNode: mockSelectNode,
+          setPanelTab: mockSetPanelTab,
+        }),
+      })
+    ),
+    { getState: () => ({ selectNode: mockSelectNode, setPanelTab: mockSetPanelTab }) }
+  ),
+}));
+
+vi.mock("../TemplatePalette", () => ({
+  OrgTemplatesSection: () => null,
+}));
+
+vi.mock("../Spinner", () => ({
+  Spinner: () => <span data-testid="spinner">⟳</span>,
+}));
+
+vi.mock("@/lib/design-tokens", () => ({
+  TIER_CONFIG: {
+    1: { label: "T1", color: "text-ink-mid bg-surface-card border border-line", border: "text-ink-mid border-line" },
+    2: { label: "T2", color: "text-white bg-accent border border-accent-strong", border: "text-accent border-accent" },
+    3: { label: "T3", color: "text-white bg-violet-600 border border-violet-700", border: "text-violet-600 border-violet-500" },
+    4: { label: "T4", color: "text-white bg-warm border border-warm", border: "text-warm border-warm" },
+  },
+}));
+
+// ─── Fixtures ─────────────────────────────────────────────────────────────────
+
+const TEMPLATE = {
+  id: "tpl-1",
+  name: "Claude Code Agent",
+  description: "A general-purpose coding assistant",
+  tier: 2,
+  skill_count: 3,
+  model: "claude-opus-4-5",
+};
+
+function template(overrides: Partial<typeof TEMPLATE> = {}): typeof TEMPLATE {
+  return { ...TEMPLATE, ...overrides };
+}
+
+// ─── Helpers ───────────────────────────────────────────────────────────────────
+
+function renderEmpty() {
+  return render(<EmptyState />);
+}
+
+// Flush React state + microtasks after an act boundary.
+async function flush() {
+  await act(async () => { await Promise.resolve(); });
+}
+
+// Reset deploy state to defaults before each test.
+function resetDeployState() {
+  _deploy.deployFn.mockReset();
+  _deploy.deploying = undefined;
+  _deploy.error = undefined;
+  _deploy.modal = null;
+}
+
+// ─── Tests ─────────────────────────────────────────────────────────────────────
+
+describe("EmptyState — loading", () => {
+  beforeEach(() => {
+    mockApiGet.mockReset().mockImplementation(
+      () => new Promise(() => {}) // never resolves
+    );
+  });
+
+  afterEach(() => {
+    cleanup();
+    vi.restoreAllMocks();
+  });
+
+  it("shows loading state while GET /templates is pending", async () => {
+    renderEmpty();
+    await flush();
+    expect(screen.getByTestId("spinner")).toBeTruthy();
+    expect(screen.getByText("Loading templates...")).toBeTruthy();
+  });
+
+  // "create blank" is rendered outside the loading/template-grid conditional,
+  // so it is always visible — adjust expectation accordingly.
+  it("renders 'create blank' button during loading", async () => {
+    renderEmpty();
+    await flush();
+    expect(screen.getByRole("button", { name: "+ Create blank workspace" })).toBeTruthy();
+  });
+
+  it("does not render template buttons while loading", async () => {
+    renderEmpty();
+    await flush();
+    expect(screen.queryByText("Claude Code Agent")).toBeNull();
+  });
+});
+
+describe("EmptyState — templates", () => {
+  beforeEach(() => {
+    mockApiGet.mockReset().mockResolvedValue([template()]);
+    resetDeployState();
+  });
+
+  afterEach(() => {
+    cleanup();
+    vi.restoreAllMocks();
+  });
+
+  it("renders the welcome heading", async () => {
+    renderEmpty();
+    await flush();
+    expect(screen.getByText("Deploy your first agent")).toBeTruthy();
+  });
+
+  it("renders template buttons with name and description", async () => {
+    renderEmpty();
+    await flush();
+    expect(screen.getByText("Claude Code Agent")).toBeTruthy();
+    expect(screen.getByText("A general-purpose coding assistant")).toBeTruthy();
+  });
+
+  it("renders tier badge and skill count", async () => {
+    renderEmpty();
+    await flush();
+    expect(screen.getByText("T2")).toBeTruthy();
+    // skill_count renders as "3 skills · <model>"
+    expect(screen.getByText(/^3 skills/)).toBeTruthy();
+  });
+
+  it("renders model name when present", async () => {
+    renderEmpty();
+    await flush();
+    expect(screen.getByText(/claude-opus/i)).toBeTruthy();
+  });
+
+  it("calls deploy with the template on click", async () => {
+    renderEmpty();
+    await flush();
+    fireEvent.click(screen.getByText("Claude Code Agent"));
+    expect(_deploy.deployFn).toHaveBeenCalledWith(template());
+  });
+
+  it("shows 'Deploying...' on the button of the template being deployed", async () => {
+    _deploy.deploying = "tpl-1";
+    renderEmpty();
+    await flush();
+    expect(screen.getByText("Deploying...")).toBeTruthy();
+  });
+
+  it("disables the template button of the deploying template", async () => {
+    _deploy.deploying = "tpl-1";
+    renderEmpty();
+    await flush();
+    const btn = screen.getByText("Deploying...").closest("button") as HTMLButtonElement;
+    expect(btn.disabled).toBe(true);
+  });
+
+  it("disables 'create blank' while a template is deploying", async () => {
+    _deploy.deploying = "tpl-1";
+    renderEmpty();
+    await flush();
+    expect(screen.getByRole("button", { name: "+ Create blank workspace" }).disabled).toBe(true);
+  });
+});
+
+describe("EmptyState — fetch failure / empty templates", () => {
+  beforeEach(() => {
+    mockApiGet.mockReset().mockResolvedValue([]);
+    resetDeployState();
+  });
+
+  afterEach(() => {
+    cleanup();
+    vi.restoreAllMocks();
+  });
+
+  it("does not render template grid when GET /templates returns []", async () => {
+    renderEmpty();
+    await flush();
+    expect(screen.queryByText("Claude Code Agent")).toBeNull();
+  });
+
+  it("renders 'create blank' button when templates list is empty", async () => {
+    renderEmpty();
+    await flush();
+    expect(screen.getByRole("button", { name: "+ Create blank workspace" })).toBeTruthy();
+  });
+
+  it("does not render template grid when GET /templates rejects", async () => {
+    mockApiGet.mockReset().mockRejectedValue(new Error("Network failure"));
+    renderEmpty();
+    await flush();
+    expect(screen.queryByText("Claude Code Agent")).toBeNull();
+  });
+});
+
+describe("EmptyState — create blank", () => {
+  beforeEach(() => {
+    mockApiGet.mockReset().mockResolvedValue([template()]);
+    mockApiPost.mockReset().mockResolvedValue({ id: "ws-new" });
+    resetDeployState();
+    vi.useFakeTimers();
+  });
+
+  afterEach(() => {
+    cleanup();
+    vi.useRealTimers();
+    vi.restoreAllMocks();
+  });
+
+  it("calls POST /workspaces on 'create blank' click", async () => {
+    renderEmpty();
+    await flush();
+    fireEvent.click(screen.getByRole("button", { name: "+ Create blank workspace" }));
+    await act(async () => { await Promise.resolve(); });
+    expect(mockApiPost).toHaveBeenCalledWith(
+      "/workspaces",
+      expect.objectContaining({ name: "My First Agent" })
+    );
+  });
+
+  it("shows 'Creating...' while blank workspace POST is pending", async () => {
+    mockApiPost.mockReset().mockImplementation(
+      () => new Promise(() => {}) // never resolves
+    );
+    renderEmpty();
+    await flush();
+    fireEvent.click(screen.getByRole("button", { name: "+ Create blank workspace" }));
+    await act(async () => { await Promise.resolve(); });
+    expect(screen.getByRole("button", { name: "Creating..." })).toBeTruthy();
+  });
+
+  it("calls selectNode + setPanelTab after 500ms on successful create", async () => {
+    renderEmpty();
+    await flush();
+    fireEvent.click(screen.getByRole("button", { name: "+ Create blank workspace" }));
+    await act(async () => { await Promise.resolve(); }); // flush POST
+    await act(async () => { vi.advanceTimersByTime(500); });
+    expect(mockSelectNode).toHaveBeenCalledWith("ws-new");
+    expect(mockSetPanelTab).toHaveBeenCalledWith("chat");
+  });
+
+  it("disables template buttons while creating blank workspace", async () => {
+    mockApiPost.mockReset().mockImplementation(
+      () => new Promise(() => {}) // never resolves
+    );
+    renderEmpty();
+    await flush();
+    fireEvent.click(screen.getByRole("button", { name: "+ Create blank workspace" }));
+    await act(async () => { await Promise.resolve(); });
+    expect((screen.getByText("Claude Code Agent").closest("button") as HTMLButtonElement).disabled).toBe(true);
+  });
+
+  it("shows error banner when POST /workspaces fails", async () => {
+    mockApiPost.mockReset().mockRejectedValue(new Error("Server error"));
+    renderEmpty();
+    await flush();
+    fireEvent.click(screen.getByRole("button", { name: "+ Create blank workspace" }));
+    await act(async () => { await Promise.resolve(); });
+    expect(screen.getByRole("alert")).toBeTruthy();
+    expect(screen.getByText(/server error/i)).toBeTruthy();
+  });
+
+  it("clears 'Creating...' and shows button again after POST failure", async () => {
+    mockApiPost.mockReset().mockRejectedValue(new Error("Server error"));
+    renderEmpty();
+    await flush();
+    fireEvent.click(screen.getByRole("button", { name: "+ Create blank workspace" }));
+    await act(async () => { await Promise.resolve(); });
+    // After rejection, blankCreating = false → button reverts to default label
+    expect(screen.getByRole("button", { name: "+ Create blank workspace" })).toBeTruthy();
+  });
+});
+
+describe("EmptyState — error banner", () => {
+  beforeEach(() => {
+    mockApiGet.mockReset().mockResolvedValue([template()]);
+    resetDeployState();
+    vi.useFakeTimers();
+  });
+
+  afterEach(() => {
+    cleanup();
+    vi.useRealTimers();
+    vi.restoreAllMocks();
+  });
+
+  it("has role=alert on the error banner", async () => {
+    _deploy.error = "Template deploy failed";
+    renderEmpty();
+    await flush();
+    const alert = screen.getByRole("alert");
+    expect(alert).toBeTruthy();
+    expect(alert.textContent).toContain("Template deploy failed");
+  });
+
+  it("does not show error banner when no errors", async () => {
+    renderEmpty();
+    await flush();
+    expect(screen.queryByRole("alert")).toBeNull();
+  });
+});

tools/gate-check-v3/gate_check.py

@@ -365,17 +365,10 @@ def signal_6_ci(pr_number: int, repo: str, branch: str | None = None, pr_data: d
         else:
             passing_required.append(f"{ctx} (pending)")
 
-    # NOTE: do NOT use ci_state (combined_state) as a fallback verdict driver.
-    # The combined_state is computed over ALL statuses including this
-    # gate-check's own prior result. Using it as a fallback creates a
-    # self-referential loop: gate-check posts failure → combined_state
-    # becomes failure → script re-blocks → posts failure again.
-    # The check_statuses dict already excludes gate-check (Bug-1 fix from
-    # PR #547). Use failing_required as the sole CI gate; if no required
-    # checks are defined on the branch, return CLEAR rather than re-using
-    # the combined_state which includes our own status.
     if failing_required:
         verdict = "CI_FAIL"
+    elif ci_state == "failure":
+        verdict = "CI_FAIL"
     elif ci_state == "pending":
         verdict = "CI_PENDING"
     else:

workspace-server/internal/handlers/delegation_test.go

@@ -1078,9 +1078,6 @@ func TestExecuteDelegation_DeliveryConfirmedProxyError_TreatsAsSuccess(t *testin
 	allowLoopbackForTest(t)
 
 	expectExecuteDelegationBase(mock)
-	// CanCommunicate: workspace hierarchy check added in b9311134; must be mocked
-	// so proxyA2ARequest doesn't return 403 and trigger the failure path.
-	mockCanCommunicate(mock, testSourceID, testTargetID, true)
 	expectExecuteDelegationSuccess(mock, `{"result":{"parts":[{"text":"work completed successfully"}]}}`)
 
 	// Execute synchronously (not as a goroutine) so we can check DB state immediately.
@@ -1151,9 +1148,6 @@ func TestExecuteDelegation_ProxyErrorNon2xx_RemainsFailed(t *testing.T) {
 	allowLoopbackForTest(t)
 
 	expectExecuteDelegationBase(mock)
-	// CanCommunicate: workspace hierarchy check added in b9311134; must be mocked
-	// so proxyA2ARequest doesn't return 403 and trigger the failure path.
-	mockCanCommunicate(mock, testSourceID, testTargetID, true)
 	expectExecuteDelegationFailed(mock)
 
 	a2aBody, _ := json.Marshal(map[string]interface{}{
@@ -1201,9 +1195,6 @@ func TestExecuteDelegation_ProxyErrorEmptyBody_RemainsFailed(t *testing.T) {
 
 	// First attempt: updateDelegationStatus(dispatched) — from expectExecuteDelegationBase
 	expectExecuteDelegationBase(mock)
-	// CanCommunicate: workspace hierarchy check added in b9311134; must be mocked
-	// so proxyA2ARequest doesn't return 403 and trigger the failure path.
-	mockCanCommunicate(mock, testSourceID, testTargetID, true)
 	// Second attempt (retry): updateDelegationStatus(dispatched) again
 	mock.ExpectExec("UPDATE activity_logs SET status").
 		WithArgs("dispatched", "", testSourceID, testDelegationID).
@@ -1252,9 +1243,6 @@ func TestExecuteDelegation_CleanProxyResponse_Unchanged(t *testing.T) {
 	allowLoopbackForTest(t)
 
 	expectExecuteDelegationBase(mock)
-	// CanCommunicate: workspace hierarchy check added in b9311134; must be mocked
-	// so proxyA2ARequest doesn't return 403 and trigger the failure path.
-	mockCanCommunicate(mock, testSourceID, testTargetID, true)
 	expectExecuteDelegationSuccess(mock, `{"result":{"parts":[{"text":"all good"}]}}`)
 
 	a2aBody, _ := json.Marshal(map[string]interface{}{

workspace-server/internal/handlers/mcp_test.go

@@ -26,10 +26,6 @@ func newMCPHandler(t *testing.T) (*MCPHandler, sqlmock.Sqlmock) {
 	t.Helper()
 	mock := setupTestDB(t)
 	h := NewMCPHandler(db.DB, newTestBroadcaster())
-	// Wire memv2 so toolCommitMemory takes the v2 path (where GLOBAL scope
-	// is blocked before any DB call), rather than the legacy shim path
-	// (which calls scopeToWritableNamespace before the scope check).
-	h.withMemoryV2APIs(nil, nil)
 	return h, mock
 }
 

workspace-server/internal/handlers/org.go

@@ -697,31 +697,6 @@ func (h *OrgHandler) Import(c *gin.Context) {
 			})
 			return
 		}
-
-		// Per-workspace RequiredEnv preflight: checks that every RequiredEnv
-		// declared at the workspace level is covered by either (a) a global
-		// secret key (already validated above) or (b) a key present in the
-		// workspace's on-disk .env files (org root .env + per-workspace
-		// <files_dir>/.env). If neither covers the key the workspace is
-		// imported NOT CONFIGURED, which silently breaks the workspace at
-		// start time — the container boots without the required credential
-		// and every LLM call 401s or fails silently.  Issue #232.
-		// orgBaseDir is empty when importing via body.Template (inline YAML);
-		// in that case we cannot check .env files, so we skip this check
-		// and fall back to the global-only gate above (which correctly
-		// rejects any strict requirement not covered by global_secrets).
-		if orgBaseDir != "" {
-			wsMissing := collectPerWorkspaceUnsatisfied(tmpl.Workspaces, orgBaseDir, configured)
-			if len(wsMissing) > 0 {
-				c.JSON(http.StatusPreconditionFailed, gin.H{
-					"error":            "missing per-workspace required environment variables",
-					"missing_workspace_env": wsMissing,
-					"template":         tmpl.Name,
-					"suggestion":       "add these keys to the workspace's .env file or set them as global secrets before importing",
-				})
-				return
-			}
-		}
 	}
 
 	results := []map[string]interface{}{}

workspace-server/internal/handlers/org_external.go

@@ -346,7 +346,7 @@ func (g *gitFetcher) Fetch(ctx context.Context, rootDir, host, repoPath, ref str
 	// MkdirTemp creates the dir; git clone refuses to clone into a
 	// non-empty dir. Remove + recreate empty.
 	os.RemoveAll(tmpDir)
-	cloneAndConfig := gitArgs("clone", "--quiet", "--depth=1", "-b", ref, cloneURL, tmpDir)
+	cloneAndConfig := append(gitArgs("clone", "--quiet", "--depth=1", "-b", ref, cloneURL, tmpDir))
 	cmd := exec.CommandContext(ctx, "git", cloneAndConfig...)
 	cmd.Env = append(os.Environ(), "GIT_TERMINAL_PROMPT=0")
 	if out, err := cmd.CombinedOutput(); err != nil {

workspace-server/internal/handlers/org_import.go

@@ -941,65 +941,6 @@ func flattenAndSortRequirements(by map[string]EnvRequirement) []EnvRequirement {
 // can investigate.
 const globalSecretsPreflightLimit = 10000
 
-// PerWorkspaceUnsatisfied describes one per-workspace RequiredEnv that is
-// not covered by either a global secret or a key present in the
-// corresponding .env file.
-type PerWorkspaceUnsatisfied struct {
-	Workspace   string         `json:"workspace"`
-	FilesDir    string         `json:"files_dir,omitempty"`
-	Unsatisfied EnvRequirement `json:"unsatisfied_env"`
-}
-
-// collectPerWorkspaceUnsatisfied recursively walks workspaces and returns
-// per-workspace RequiredEnv entries that are not covered by (a) a global
-// secret key or (b) a key present in the workspace's .env file(s) (org root
-// .env + per-workspace <files_dir>/.env). This complements
-// collectOrgEnv + loadConfiguredGlobalSecretKeys, which together only
-// validate global-level RequiredEnv against global_secrets. The .env
-// lookup mirrors the runtime resolution in createWorkspaceTree so that
-// the preflight result matches what the container actually receives at
-// start time.
-func collectPerWorkspaceUnsatisfied(workspaces []OrgWorkspace, orgBaseDir string, globalSecrets map[string]struct{}) []PerWorkspaceUnsatisfied {
-	var out []PerWorkspaceUnsatisfied
-	var walk func([]OrgWorkspace)
-	walk = func(wsList []OrgWorkspace) {
-		for _, ws := range wsList {
-			// Build the set of keys available to this workspace from .env.
-			// This is the same three-source stack that createWorkspaceTree
-			// injects into the container:
-			//   1. Org root .env (parseEnvFile, no filesDir)
-			//   2. Workspace <files_dir>/.env (if filesDir is set)
-			//   3. Persona bootstrap env (MOLECULE_PERSONA_ROOT/<filesDir>/env)
-			// Items 1+2 are on-disk and testable; item 3 is host-only and
-			// skipped here (persona env does NOT satisfy required_env —
-			// it carries identity tokens, not workspace LLM keys).
-			envFromFiles := loadWorkspaceEnv(orgBaseDir, ws.FilesDir)
-			// Convert map[string]string (from .env files) to map[string]struct{}
-			// to match IsSatisfied's signature.
-			envSet := make(map[string]struct{}, len(envFromFiles))
-			for k := range envFromFiles {
-				envSet[k] = struct{}{}
-			}
-			for _, req := range ws.RequiredEnv {
-				if req.IsSatisfied(globalSecrets) {
-					continue // covered by a global secret
-				}
-				if req.IsSatisfied(envSet) {
-					continue // covered by a per-workspace .env file
-				}
-				out = append(out, PerWorkspaceUnsatisfied{
-					Workspace:   ws.Name,
-					FilesDir:    ws.FilesDir,
-					Unsatisfied: req,
-				})
-			}
-			walk(ws.Children)
-		}
-	}
-	walk(workspaces)
-	return out
-}
-
 func loadConfiguredGlobalSecretKeys(ctx context.Context) (map[string]struct{}, error) {
 	rows, err := db.DB.QueryContext(ctx,
 		`SELECT key FROM global_secrets WHERE octet_length(encrypted_value) > 0 LIMIT $1`,

workspace-server/internal/handlers/org_workspace_required_env_test.go

@@ -1,226 +0,0 @@
-package handlers
-
-import (
-	"os"
-	"path/filepath"
-	"testing"
-)
-
-// TestCollectPerWorkspaceUnsatisfied_BothFiles covers the case where a key
-// is present in both the org root .env and the workspace-specific .env. Both
-// should satisfy the requirement (no entry in output).
-func TestCollectPerWorkspaceUnsatisfied_BothFiles(t *testing.T) {
-	tmp := t.TempDir()
-	writeEnvFile(t, tmp, ".env", "PER_WS_KEY=globalvalue")
-	writeEnvFile(t, tmp, "ws-a/.env", "PER_WS_KEY=wsvalue")
-
-	workspaces := []OrgWorkspace{
-		{Name: "ws-a", FilesDir: "ws-a", RequiredEnv: []EnvRequirement{{Name: "PER_WS_KEY"}}},
-	}
-
-	// Global secret covers it.
-	globals := map[string]struct{}{"PER_WS_KEY": {}}
-	missing := collectPerWorkspaceUnsatisfied(workspaces, tmp, globals)
-
-	if len(missing) != 0 {
-		t.Errorf("PER_WS_KEY present in global + .env: should be satisfied, got %d missing", len(missing))
-	}
-}
-
-// TestCollectPerWorkspaceUnsatisfied_WorkspaceEnvOnly covers a key present
-// only in the workspace-specific .env file (not global). Should be satisfied.
-func TestCollectPerWorkspaceUnsatisfied_WorkspaceEnvOnly(t *testing.T) {
-	tmp := t.TempDir()
-	writeEnvFile(t, tmp, "dev-lead/.env", "WORKSPACE_KEY=val")
-
-	workspaces := []OrgWorkspace{
-		{Name: "Dev Lead", FilesDir: "dev-lead", RequiredEnv: []EnvRequirement{{Name: "WORKSPACE_KEY"}}},
-	}
-
-	globals := map[string]struct{}{} // nothing in global
-	missing := collectPerWorkspaceUnsatisfied(workspaces, tmp, globals)
-
-	if len(missing) != 0 {
-		t.Errorf("WORKSPACE_KEY in ws .env only: should be satisfied, got %d missing", len(missing))
-	}
-}
-
-// TestCollectPerWorkspaceUnsatisfied_OrgRootEnvOnly covers a key present
-// only in the org root .env file (not per-workspace). Should be satisfied.
-func TestCollectPerWorkspaceUnsatisfied_OrgRootEnvOnly(t *testing.T) {
-	tmp := t.TempDir()
-	writeEnvFile(t, tmp, ".env", "ORG_ROOT_KEY=val")
-
-	workspaces := []OrgWorkspace{
-		{Name: "ws-b", FilesDir: "ws-b", RequiredEnv: []EnvRequirement{{Name: "ORG_ROOT_KEY"}}},
-	}
-
-	globals := map[string]struct{}{}
-	missing := collectPerWorkspaceUnsatisfied(workspaces, tmp, globals)
-
-	if len(missing) != 0 {
-		t.Errorf("ORG_ROOT_KEY in org root .env only: should be satisfied, got %d missing", len(missing))
-	}
-}
-
-// TestCollectPerWorkspaceUnsatisfied_GlobalCovers checks that a global
-// secret alone satisfies a per-workspace RequiredEnv even when the .env
-// files don't have the key.
-func TestCollectPerWorkspaceUnsatisfied_GlobalCovers(t *testing.T) {
-	tmp := t.TempDir()
-	// No .env files at all.
-
-	workspaces := []OrgWorkspace{
-		{Name: "ws-c", RequiredEnv: []EnvRequirement{{Name: "GLOBAL_COVERED"}}},
-	}
-
-	globals := map[string]struct{}{"GLOBAL_COVERED": {}}
-	missing := collectPerWorkspaceUnsatisfied(workspaces, tmp, globals)
-
-	if len(missing) != 0 {
-		t.Errorf("GLOBAL_COVERED satisfied by global: should be satisfied, got %d missing", len(missing))
-	}
-}
-
-// TestCollectPerWorkspaceUnsatisfied_Missing covers the core bug: a
-// RequiredEnv declared at the workspace level where the key is absent from
-// both global_secrets and the .env file. The import MUST return 412.
-func TestCollectPerWorkspaceUnsatisfied_Missing(t *testing.T) {
-	tmp := t.TempDir()
-	// No .env files at all.
-
-	workspaces := []OrgWorkspace{
-		{Name: "Dev Lead", FilesDir: "dev-lead", RequiredEnv: []EnvRequirement{{Name: "MISSING_REQUIRED_KEY"}}},
-	}
-
-	globals := map[string]struct{}{} // no global secret
-	missing := collectPerWorkspaceUnsatisfied(workspaces, tmp, globals)
-
-	if len(missing) != 1 {
-		t.Fatalf("expected 1 missing entry, got %d", len(missing))
-	}
-	if missing[0].Workspace != "Dev Lead" {
-		t.Errorf("expected workspace 'Dev Lead', got %q", missing[0].Workspace)
-	}
-	if missing[0].Unsatisfied.Name != "MISSING_REQUIRED_KEY" {
-		t.Errorf("expected unsatisfied key 'MISSING_REQUIRED_KEY', got %q", missing[0].Unsatisfied.Name)
-	}
-	if missing[0].FilesDir != "dev-lead" {
-		t.Errorf("expected files_dir 'dev-lead', got %q", missing[0].FilesDir)
-	}
-}
-
-// TestCollectPerWorkspaceUnsatisfied_AnyOfGroup covers an any-of group where
-// none of the alternatives are present in global or .env. Should report
-// the group as unsatisfied.
-func TestCollectPerWorkspaceUnsatisfied_AnyOfGroup(t *testing.T) {
-	tmp := t.TempDir()
-
-	workspaces := []OrgWorkspace{
-		{
-			Name:     "Claude Bot",
-			FilesDir: "claude-bot",
-			RequiredEnv: []EnvRequirement{
-				{AnyOf: []string{"ANTHROPIC_API_KEY", "CLAUDE_CODE_OAUTH_TOKEN"}},
-			},
-		},
-	}
-
-	globals := map[string]struct{}{}
-	missing := collectPerWorkspaceUnsatisfied(workspaces, tmp, globals)
-
-	if len(missing) != 1 {
-		t.Fatalf("expected 1 missing any-of entry, got %d", len(missing))
-	}
-	if missing[0].Workspace != "Claude Bot" {
-		t.Errorf("expected workspace 'Claude Bot', got %q", missing[0].Workspace)
-	}
-	if len(missing[0].Unsatisfied.AnyOf) != 2 {
-		t.Errorf("expected any-of group with 2 members, got %v", missing[0].Unsatisfied.AnyOf)
-	}
-}
-
-// TestCollectPerWorkspaceUnsatisfied_NestedChildren covers grandchildren
-// workspaces that also declare RequiredEnv. The recursive walk must visit
-// children and grandchildren.
-func TestCollectPerWorkspaceUnsatisfied_NestedChildren(t *testing.T) {
-	tmp := t.TempDir()
-
-	workspaces := []OrgWorkspace{
-		{
-			Name: "Root",
-			Children: []OrgWorkspace{
-				{
-					Name: "Child",
-					Children: []OrgWorkspace{
-						{Name: "Grandchild", FilesDir: "grandchild", RequiredEnv: []EnvRequirement{{Name: "DEEP_KEY"}}},
-					},
-				},
-			},
-		},
-	}
-
-	globals := map[string]struct{}{}
-	missing := collectPerWorkspaceUnsatisfied(workspaces, tmp, globals)
-
-	if len(missing) != 1 {
-		t.Fatalf("expected 1 missing entry from grandchild, got %d", len(missing))
-	}
-	if missing[0].Workspace != "Grandchild" {
-		t.Errorf("expected 'Grandchild', got %q", missing[0].Workspace)
-	}
-}
-
-// TestCollectPerWorkspaceUnsatisfied_EmptyOrgBaseDir covers the case where
-// orgBaseDir is empty (inline template import). No .env files can be
-// checked, so missing keys cannot be attributed to .env absence. The
-// function should NOT crash and should only report entries satisfiable
-// by global (all missing since globals is empty).
-func TestCollectPerWorkspaceUnsatisfied_EmptyOrgBaseDir(t *testing.T) {
-	workspaces := []OrgWorkspace{
-		{Name: "ws-x", RequiredEnv: []EnvRequirement{{Name: "KEY_X"}}},
-	}
-
-	globals := map[string]struct{}{}
-	missing := collectPerWorkspaceUnsatisfied(workspaces, "", globals)
-
-	// With no orgBaseDir and no global, KEY_X must be reported missing.
-	if len(missing) != 1 {
-		t.Errorf("expected 1 missing with empty orgBaseDir, got %d", len(missing))
-	}
-}
-
-// TestCollectPerWorkspaceUnsatisfied_MultipleWorkspaces reports only the
-// workspace whose RequiredEnv is unsatisfied, not the whole batch.
-func TestCollectPerWorkspaceUnsatisfied_MultipleWorkspaces(t *testing.T) {
-	tmp := t.TempDir()
-	writeEnvFile(t, tmp, "ws-ok/.env", "OK_KEY=val")
-
-	workspaces := []OrgWorkspace{
-		{Name: "ws-ok", FilesDir: "ws-ok", RequiredEnv: []EnvRequirement{{Name: "OK_KEY"}}},
-		{Name: "ws-missing", FilesDir: "ws-missing", RequiredEnv: []EnvRequirement{{Name: "BAD_KEY"}}},
-	}
-
-	globals := map[string]struct{}{}
-	missing := collectPerWorkspaceUnsatisfied(workspaces, tmp, globals)
-
-	if len(missing) != 1 {
-		t.Errorf("expected exactly 1 missing (BAD_KEY), got %d", len(missing))
-	}
-	if missing[0].Workspace != "ws-missing" {
-		t.Errorf("expected missing workspace 'ws-missing', got %q", missing[0].Workspace)
-	}
-}
-
-// writeEnvFile is a test helper that creates a .env file at the given path
-// with the given content.
-func writeEnvFile(t *testing.T, baseDir, relPath, content string) {
-	t.Helper()
-	fullPath := filepath.Join(baseDir, relPath)
-	if err := os.MkdirAll(filepath.Dir(fullPath), 0755); err != nil {
-		t.Fatalf("mkdirAll: %v", err)
-	}
-	if err := os.WriteFile(fullPath, []byte(content), 0644); err != nil {
-		t.Fatalf("writeFile %s: %v", fullPath, err)
-	}
-}

workspace-server/internal/pendinguploads/export_test.go

@@ -12,8 +12,8 @@ import (
 // time. The Go convention `export_test.go` keeps this seam OUT of the
 // production binary — files ending in _test.go are stripped at build
 // time, so this re-export only exists during `go test`.
-func StartSweeperWithIntervalForTest(ctx context.Context, storage Storage, ackRetention, interval time.Duration, done chan struct{}) {
-	startSweeperWithInterval(ctx, storage, ackRetention, interval, done)
+func StartSweeperWithIntervalForTest(ctx context.Context, storage Storage, ackRetention, interval time.Duration) {
+	startSweeperWithInterval(ctx, storage, ackRetention, interval, nil)
 }
 
 // StartSweeperForTest starts the sweeper and returns a done channel

workspace-server/internal/pendinguploads/sweeper_test.go

@@ -190,14 +190,7 @@ func TestStartSweeperWithInterval_TickerFiresAdditionalCycles(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	// Use a short ticker interval (100ms) so the test runs fast without
-	// burning real wall-clock time. StartSweeperWithIntervalForTest is the
-	// test-friendly variant that accepts a caller-specified interval; the
-	// production SweepInterval of 5m is too coarse for a 2s deadline on
-	// a loaded CI runner (the ticker may not fire at all under CPU
-	// contention — the root cause of the pre-existing CI flake).
-	done := make(chan struct{})
-	go pendinguploads.StartSweeperWithIntervalForTest(ctx, store, time.Hour, 100*time.Millisecond, done)
+	done := pendinguploads.StartSweeperForTest(ctx, store, time.Hour)
 	// Immediate cycle + at least one tick-driven cycle.
 	store.waitForCycle(t, 2, 2*time.Second)
 

workspace/audit/PUBLISH_RUNTIME_VERIFY_2026-05-11.md

@@ -1,31 +0,0 @@
-# Publish-runtime pipeline verification — 2026-05-11
-
-Marker file for the canonical end-to-end pipeline verification after
-`publish-runtime-bot` provisioning (internal#327) + stale-tag drift
-resolution (`runtime-v0.1.131` deleted from main).
-
-## Purpose
-
-Triggers `workspace/**` path filter on `publish-runtime-autobump.yml`,
-exercising the full pipeline:
-
-1. `publish-runtime-autobump / bump-and-tag` reads PyPI version, computes
-   next, pushes tag `runtime-v0.1.131` (or higher) using new bot scope.
-2. `publish-runtime.yml` fires on tag, builds + publishes to PyPI.
-3. Cascade autobump: 9 template repos get their `.runtime-version`
-   pinned to the new version.
-
-## Acceptance criteria
-
-- [ ] autobump bump-and-tag context green on merged commit
-- [ ] tag `runtime-v0.1.131` (or computed next) exists on molecule-core
-- [ ] publish-runtime.yml run green
-- [ ] PyPI molecule-ai-workspace-runtime updated from 0.1.130
-- [ ] 9 template repos updated their pinned runtime version
-
-## Rollback
-
-This file is informational only — no code dependency. Safe to delete
-in any future PR once pipeline is proven stable.
-
-— core-devops (per Hongming "long-term proper robust" directive 2026-05-11 19:48-19:50Z)