Merge pull request 'fix(chat-upload): SSOT caps + Starlette max_part_size fix (#1520 )' (#1524 ) from fix/chat-upload-ssot-100mb-1520 into staging

fix(chat-upload): SSOT caps + Starlette max_part_size fix (#1520 )
Empirically root-caused: workspace/internal_chat_uploads.py:153 called request.form(max_files=64, max_fields=32) without max_part_size, so Starlette 1.0's 1 MiB default raised MultiPartException on every single-part > 1 MiB. The Cloudflare-chunked-encoding hypothesis from the issue body was source-level disproven (Starlette doesn't read Content-Length/TE). Three coupled changes per CTO directive: 1) Single source of truth across Go ws-server + Python workspace runtime. The Go-side const chatUploadMaxFileBytes / chatUploadMaxBytes are exported at provision time via env vars CHAT_UPLOAD_MAX_FILE_BYTES / CHAT_UPLOAD_MAX_TOTAL_BYTES (workspace_provision_shared.go::applyChatUploadLimits, defaulting layer — pre-set values win). Python module init reads the env; unset env keeps the legacy 25 MB / 50 MB defaults so an unprovisioned worker doesn't regress. 2) Raise the user-visible ceiling to 100 MB per file + 100 MB total. Issue #1520 asked for >= 100 MB; matching per-file = total avoids the "fits the total but 413'd on per-file" surprise. 3) Surface the MultiPartException string in the 400 body's `detail` field (per feedback_surface_actionable_failure_reason_to_user). MultiPartException messages describe shape, not content — no secrets — and they tell the user WHY (e.g. "Invalid boundary", "Part exceeded maximum size of …"). Bounded at 200 chars. Tests: - workspace/tests/test_internal_chat_uploads.py: pin 2 MiB part is now accepted (regression for #1520), parse-error 400 includes `detail`, total-cap 413 still fires above a per-file pass, env-driven SSOT override works, malformed env value falls back to default. - workspace-server/internal/handlers/chat_upload_limits_test.go: pin the env-injection contract (both vars set to byte-stringified Go consts, pre-existing values preserved, 100 MB floor invariant). All 28 Python tests in test_internal_chat_uploads.py pass; full workspace-server/internal/handlers Go test package passes (14.2s).
2026-05-18 20:14:47 +00:00 · 2026-05-18 20:00:55 +00:00 · 2026-05-18 19:36:06 +00:00 · 2026-05-18 19:36:02 +00:00 · 2026-05-18 19:28:02 +00:00 · 2026-05-18 07:30:33 +00:00
56 changed files with 1444 additions and 852 deletions
@@ -206,29 +206,6 @@ CANDIDATES=$(jq -r --arg author "$PR_AUTHOR" --arg head "$PR_HEAD_SHA" "$JQ_FILT
 debug "candidate non-author approvers: $(echo "$CANDIDATES" | tr '\n' ' ')"

 if [ -z "$CANDIDATES" ]; then
-  # --- Guardrail (internal#503): explain the most common false
-  # "no candidates" red. Gitea's review event enum is EXACTLY
-  # APPROVED/REQUEST_CHANGES/COMMENT/PENDING. A wrong value ("APPROVE",
-  # lowercase, ...) is silently accepted (HTTP 200) and stored as
-  # state=PENDING. A correctly-started draft review has an EMPTY body;
-  # a NON-empty body + state==PENDING by a non-author == an intended
-  # verdict mis-filed by a wrong event string. Surface it actionably.
-  # This does NOT change the gate result (still fail-closed below) — it
-  # only converts a mystery red into a named, self-fixing error.
-  MISFILED_FILTER='.[]
-    | select(.state == "PENDING")
-    | select(.dismissed != true)
-    | select(.user.login != $author)
-    | select(((.body // "") | gsub("^\\s+|\\s+$";"") | length) > 0)
-    | "\(.id)\t\(.user.login)"'
-  MISFILED=$(jq -r --arg author "$PR_AUTHOR" "$MISFILED_FILTER" "$REVIEWS_JSON" 2>/dev/null || true)
-  if [ -n "$MISFILED" ]; then
-    echo "::error::${TEAM}-review: non-author review(s) were SUBMITTED but stored as PENDING — almost certainly the wrong Gitea review event string (internal#503)."
-    echo "::error::Gitea accepts ONLY the exact enum APPROVED / REQUEST_CHANGES / COMMENT. 'APPROVE' or lowercase is silently (HTTP 200) filed as PENDING and is invisible to this gate."
-    printf '%s\n' "$MISFILED" | while IFS="$(printf '\t')" read -r _rid _rl; do
-      [ -n "${_rid:-}" ] && echo "::error::  review id=${_rid} by '${_rl}': RE-SUBMIT via POST ${API}/repos/${OWNER}/${NAME}/pulls/${PR_NUMBER}/reviews with {\"event\":\"APPROVED\"} (correct enum) — do NOT edit the DB."
-    done
-  fi
  echo "::error::${TEAM}-review awaiting non-author APPROVE from ${TEAM} team (no candidates yet)"
  exit 1
 fi
@@ -145,10 +145,10 @@ jobs:
    # the diagnostic step with its own continue-on-error: true (line 203).
    # Flip confirmed by CI / Platform (Go) status = success on main HEAD 363905d3.
    continue-on-error: false
-    # Job-level ceiling. The go test step below runs with a per-step 10m timeout;
-    # this cap catches any step that leaks past that. Set well above 10m so
+    # Job-level ceiling. The go test step below runs with a per-step 30m timeout;
+    # this cap catches any step that leaks past that. Set well above 30m so
    # the per-step timeout is the active constraint.
-    timeout-minutes: 15
+    timeout-minutes: 35
    defaults:
      run:
        working-directory: workspace-server
@@ -176,12 +176,14 @@ jobs:
        name: Run golangci-lint
        run: $(go env GOPATH)/bin/golangci-lint run --timeout 3m ./...
      - if: always()
-        name: Diagnostic — per-package verbose 60s
+        name: Diagnostic — per-package verbose (300s timeout)
        run: |
          set +e
-          go test -race -v -timeout 60s ./internal/handlers/... 2>&1 | tee /tmp/test-handlers.log
+          # 300s allows handlers + pendinguploads packages to complete on cold
+          # runners with -race instrumentation (~60-120s each vs ~14s non-race).
+          go test -race -v -timeout 300s ./internal/handlers/... 2>&1 | tee /tmp/test-handlers.log
          handlers_exit=$?
-          go test -race -v -timeout 60s ./internal/pendinguploads/... 2>&1 | tee /tmp/test-pu.log
+          go test -race -v -timeout 300s ./internal/pendinguploads/... 2>&1 | tee /tmp/test-pu.log
          pu_exit=$?
          echo "::group::handlers exit=$handlers_exit (last 100 lines)"
          tail -100 /tmp/test-handlers.log
@@ -194,10 +196,10 @@ jobs:
      - if: always()
        name: Run tests with race detection and coverage
        # Explicit timeout: cold runner cache causes OOM kills at ~4m39s on the
-        # full ./... suite with race detection + coverage. A 10m per-step timeout
-        # lets the suite complete on cold cache (~5-7m) while failing cleanly
-        # instead of OOM-killing. The job-level timeout (15m) is a backstop.
-        run: go test -race -timeout 10m -coverprofile=coverage.out ./...
+        # full ./... suite with race detection + coverage. A 30m per-step timeout
+        # lets the suite complete on cold cache (~13-25m) while failing cleanly
+        # instead of OOM-killing. The job-level timeout (35m) is a backstop.
+        run: go test -race -timeout 30m -coverprofile=coverage.out ./...

      - if: always()
        name: Per-file coverage report
@@ -538,13 +540,11 @@ jobs:
  all-required:
    # Aggregator sentinel — RFC internal#219 §2 (Phase 4 — closes internal#286).
    #
-    # Emits `CI / all-required (<event>)` where <event> is the workflow trigger
-    # (e.g. `CI / all-required (pull_request)`, `CI / all-required (push)`).
-    # Branch protection MUST be updated to require the event-suffixed name —
-    # requiring `CI / all-required` (bare, no suffix) silently blocks all merges
-    # because Gitea treats absent status contexts as pending (not skipped), and
-    # no workflow emits the bare name. Fixed: BP now requires
-    # `CI / all-required (pull_request)` per issue #1473.
+    # Single stable required-status name that branch protection points at;
+    # CI churns underneath in `needs:` without any protection edits. Mirrors
+    # the molecule-controlplane Phase 2a impl shipped in CP PR#112 and
+    # referenced by `internal#286` ("Phase 4 is a single small PR... mirrors
+    # CP's existing one").
    #
    # Closes the failure mode where status_check_contexts on molecule-core/main
    # only listed `Secret scan` + `sop-tier-check` (the 2 meta-gates), so real
@@ -52,9 +52,5 @@ jobs:
          # explicitly instead of the combined state avoids false-pause when
          # non-blocking jobs (continue-on-error: true) have failed — those
          # failures pollute combined state but do not gate merges.
-          # NOTE: the event-suffixed context name is intentional — branch protection
-          # MUST require `CI / all-required (pull_request)` (with suffix), NOT the
-          # bare `CI / all-required`. Gitea treats absent contexts as pending, not
-          # skipped; requiring the bare name silently blocks all merges (issue #1473).
          PUSH_REQUIRED_CONTEXTS: CI / all-required (push)
        run: python3 .gitea/scripts/gitea-merge-queue.py
@@ -104,7 +104,7 @@ jobs:
        with:
          python-version: "3.11"

-      - name: Compute next version from PyPI latest and existing tags
+      - name: Compute next version from PyPI latest
        id: bump
        run: |
          set -eu
@@ -112,24 +112,9 @@ jobs:
            | python -c "import sys,json; print(json.load(sys.stdin)['info']['version'])")
          MAJOR=$(echo "$LATEST" | cut -d. -f1)
          MINOR=$(echo "$LATEST" | cut -d. -f2)
-          TAG_LATEST=$(git tag --list "runtime-v${MAJOR}.${MINOR}.*" \
-            | sed -E 's/^runtime-v//' \
-            | grep -E '^[0-9]+\.[0-9]+\.[0-9]+$' \
-            | sort -V \
-            | tail -1 || true)
-          VERSION=$(PYPI_LATEST="$LATEST" TAG_LATEST="$TAG_LATEST" python - <<'PY'
-          import os
-
-          def parse(v):
-              return tuple(int(part) for part in v.split("."))
-
-          pypi = os.environ["PYPI_LATEST"]
-          tag = os.environ.get("TAG_LATEST") or pypi
-          base = max(parse(pypi), parse(tag))
-          print(f"{base[0]}.{base[1]}.{base[2] + 1}")
-          PY
-          )
-          echo "PyPI latest=$LATEST, latest runtime tag=${TAG_LATEST:-none} -> next=$VERSION"
+          PATCH=$(echo "$LATEST" | cut -d. -f3)
+          VERSION="${MAJOR}.${MINOR}.$((PATCH+1))"
+          echo "PyPI latest=$LATEST -> next=$VERSION"
          if ! echo "$VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+$'; then
            echo "::error::computed version $VERSION does not match PEP 440 X.Y.Z"
            exit 1
@@ -89,7 +89,6 @@ on:
 permissions:
  contents: read
  pull-requests: read
-  secrets: read

 jobs:
  # bp-exempt: PR review bot signal; required merge state is enforced by CI / all-required.
@@ -30,11 +30,6 @@ jobs:
  scan:
    name: Scan diff for credential-shaped strings
    runs-on: ubuntu-latest
-    # Hard CI gate — must complete or the PR is unmergable. 10-minute ceiling
-    # is generous for a diff-scan against a single SHA. If this times out, the
-    # runner is frozen and holding a slot — the step timeout triggers clean
-    # failure, releasing the runner for the next job.
-    timeout-minutes: 10
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -138,14 +133,6 @@ jobs:
            [ -z "$f" ] && continue
            [ "$f" = "$SELF_GITHUB" ] && continue
            [ "$f" = "$SELF_GITEA" ] && continue
-            # Test-fixture exclude (internal#425): the secrets-detector's OWN
-            # unit-test corpus deliberately embeds credential-SHAPED example
-            # strings to exercise the detector. Verified 2026-05-18 synthetic
-            # (fabricated ghp_* fixtures, not real). Without this the scanner
-            # self-trips on its own fixtures and fail-closes every deploy.
-            # Same rationale as the SELF_* excludes above; gate NOT weakened
-            # (all other paths still fully scanned).
-            [ "$f" = "workspace-server/internal/secrets/patterns_test.go" ] && continue
            if [ -n "$DIFF_RANGE" ]; then
              ADDED=$(git diff --no-color --unified=0 "$BASE" "$HEAD" -- "$f" 2>/dev/null | grep -E '^\+[^+]' || true)
            else
@@ -16,7 +16,6 @@ on:
 permissions:
  contents: read
  pull-requests: read
-  secrets: read

 jobs:
  # bp-exempt: PR security review bot signal; required merge state is enforced by CI / all-required.
@@ -84,8 +84,11 @@ on:
 permissions:
  contents: read
  pull-requests: read
+  # NOTE: `statuses: write` is the GitHub-Actions name for POST /statuses.
+  # Gitea 1.22.6 may not gate on this permission key (it just checks the
+  # token), but listing it explicitly documents intent for the next
+  # platform-version upgrade.
  statuses: write
-  secrets: read

 jobs:
  all-items-acked:
@@ -71,7 +71,6 @@ jobs:
    permissions:
      contents: read
      pull-requests: read
-      secrets: read
    steps:
      - name: Check out base branch (for the script)
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
@@ -105,7 +105,7 @@ export function EmptyState() {

        {/* Template grid */}
        {loading ? (
-          <div role="status" aria-live="polite" className="flex items-center justify-center gap-2 text-xs text-ink-mid py-4">
+          <div className="flex items-center justify-center gap-2 text-xs text-ink-mid py-4">
            <Spinner />
            Loading templates...
          </div>
@@ -459,7 +459,7 @@ function ProviderPickerModal({
                )}

                {entry.error && (
-                  <div role="alert" aria-live="assertive" className="mt-1.5 text-[10px] text-bad">{entry.error}</div>
+                  <div className="mt-1.5 text-[10px] text-bad">{entry.error}</div>
                )}
              </div>
            ))}
@@ -718,7 +718,7 @@ function AllKeysModal({
          ))}

          {globalError && (
-            <div role="alert" aria-live="assertive" className="px-3 py-2 bg-red-950/40 border border-red-800/50 rounded-lg text-[11px] text-bad">
+            <div className="px-3 py-2 bg-red-950/40 border border-red-800/50 rounded-lg text-[11px] text-bad">
              {globalError}
            </div>
          )}
@@ -71,7 +71,7 @@ export function WorkspaceUsage({ workspaceId }: WorkspaceUsageProps) {
            <SkeletonRow />
          </>
        ) : error ? (
-          <p role="alert" aria-live="assertive" className="text-xs text-bad" data-testid="usage-error">
+          <p className="text-xs text-bad" data-testid="usage-error">
            {error}
          </p>
        ) : metrics ? (
@@ -475,7 +475,7 @@ export function MobileChat({
        }}
      >
        {tab === "my" && historyLoading && (
-          <div role="status" aria-live="polite" style={{ padding: "20px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
+          <div style={{ padding: "20px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
            Loading chat history…
          </div>
        )}
@@ -510,7 +510,7 @@ export function MobileChat({
          </div>
        )}
        {tab === "my" && !historyLoading && !historyError && messages.length === 0 && (
-          <div role="status" aria-live="polite" style={{ padding: "20px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
+          <div style={{ padding: "20px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
            Send a message to start chatting.
          </div>
        )}
@@ -748,7 +748,14 @@ export function MobileChat({
              border: "none",
              outline: "none",
              background: "transparent",
-              fontSize: 14.5,
+              // 16px floor: iOS Safari/WebKit auto-zooms the viewport on
+              // focus when a focused field's font-size is < 16px. Anything
+              // below this re-introduces the tap-to-zoom layout jump on the
+              // mobile PWA. Do NOT lower this without also adding a
+              // maximum-scale/user-scalable viewport lock — and that lock
+              // breaks pinch-to-zoom accessibility, so 16px here is the
+              // correct trade.
+              fontSize: 16,
              lineHeight: 1.4,
              color: p.text,
              padding: "6px 0",
@@ -251,11 +251,11 @@ export function MobileComms({ dark }: { dark: boolean }) {

      <div style={{ padding: "0 14px", display: "flex", flexDirection: "column", gap: 8 }}>
        {loading && items.length === 0 ? (
-          <div role="status" aria-live="polite" style={{ padding: "30px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
+          <div style={{ padding: "30px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
            Loading recent comms…
          </div>
        ) : filtered.length === 0 ? (
-          <div role="status" aria-live="polite" style={{ padding: "30px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
+          <div style={{ padding: "30px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
            No A2A traffic yet.
          </div>
        ) : (
@@ -416,8 +416,6 @@ function DetailActivity({ workspaceId, dark }: { workspaceId: string; dark: bool
  if (items === null) {
    return (
      <div
-        role="status"
-        aria-live="polite"
        style={{
          background: p.surface,
          borderRadius: 16,
@@ -170,8 +170,6 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
        <div style={{ padding: "0 14px" }}>
          {loadingTemplates ? (
            <div
-              role="status"
-              aria-live="polite"
              style={{
                padding: "24px 8px",
                textAlign: "center",
@@ -263,6 +263,20 @@ describe("MobileChat — composer", () => {
    const sendBtn = container.querySelector('[aria-label="Send"]') as HTMLButtonElement;
    expect(sendBtn.disabled).toBe(true);
  });
+
+  // iOS Safari/WebKit auto-zooms the viewport on focus when a focused
+  // <input>/<textarea> has an effective font-size below 16px. On the
+  // mobile PWA this made the whole layout scale up the moment the user
+  // tapped into the chat box. Keeping the composer font ≥16px is the
+  // root-cause fix — it suppresses the focus-zoom WITHOUT disabling
+  // pinch-to-zoom (which a maximum-scale/user-scalable viewport hack
+  // would have done at the cost of accessibility).
+  it("composer textarea font-size is >= 16px (prevents iOS focus-zoom)", () => {
+    const { container } = renderChat(mockAgentId);
+    const textarea = container.querySelector("textarea") as HTMLTextAreaElement;
+    const fontSizePx = parseFloat(textarea.style.fontSize);
+    expect(fontSizePx).toBeGreaterThanOrEqual(16);
+  });
 });

 // ─── Tabs ─────────────────────────────────────────────────────────────────────
@@ -160,14 +160,14 @@ export function OrgTokensTab() {
            </code>
            <button
              onClick={handleCopy}
-              className="shrink-0 px-2 py-1.5 bg-emerald-800/40 hover:bg-emerald-700/50 border border-emerald-700/40 rounded text-[10px] text-good transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
+              className="shrink-0 px-2 py-1.5 bg-emerald-800/40 hover:bg-emerald-700/50 border border-emerald-700/40 rounded text-[10px] text-good transition-colors"
            >
              {copied ? 'Copied' : 'Copy'}
            </button>
          </div>
          <button
            onClick={() => setNewToken(null)}
-            className="text-[9px] text-good/60 hover:text-good transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
+            className="text-[9px] text-good/60 hover:text-good transition-colors"
          >
            Dismiss
          </button>
@@ -219,7 +219,7 @@ export function OrgTokensTab() {
              </div>
              <button
                onClick={() => setRevokeTarget(t)}
-                className="text-[10px] text-bad/70 hover:text-bad transition-colors px-2 py-1 shrink-0 focus:outline-none focus-visible:ring-2 focus-visible:ring-red-400 focus-visible:ring-offset-1"
+                className="text-[10px] text-bad/70 hover:text-bad transition-colors px-2 py-1 shrink-0"
              >
                Revoke
              </button>
@@ -140,14 +140,14 @@ function WorkspaceTokensTab({ workspaceId }: TokensTabProps) {
            </code>
            <button
              onClick={handleCopy}
-              className="shrink-0 px-2 py-1.5 bg-emerald-800/40 hover:bg-emerald-700/50 border border-emerald-700/40 rounded text-[10px] text-good transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
+              className="shrink-0 px-2 py-1.5 bg-emerald-800/40 hover:bg-emerald-700/50 border border-emerald-700/40 rounded text-[10px] text-good transition-colors"
            >
              {copied ? 'Copied' : 'Copy'}
            </button>
          </div>
          <button
            onClick={() => setNewToken(null)}
-            className="text-[9px] text-good/60 hover:text-good transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
+            className="text-[9px] text-good/60 hover:text-good transition-colors"
          >
            Dismiss
          </button>
@@ -192,7 +192,7 @@ function WorkspaceTokensTab({ workspaceId }: TokensTabProps) {
              </div>
              <button
                onClick={() => setRevokeTarget(t)}
-                className="text-[10px] text-bad/70 hover:text-bad transition-colors px-2 py-1 focus:outline-none focus-visible:ring-2 focus-visible:ring-red-400 focus-visible:ring-offset-1"
+                className="text-[10px] text-bad/70 hover:text-bad transition-colors px-2 py-1"
              >
                Revoke
              </button>
@@ -185,7 +185,7 @@ export function ActivityTab({ workspaceId }: Props) {
      {/* Activity list */}
      <div className="flex-1 overflow-y-auto p-3 space-y-1.5">
        {loading && activities.length === 0 && (
-          <div role="status" aria-live="polite" className="text-xs text-ink-mid text-center py-8">Loading activity...</div>
+          <div className="text-xs text-ink-mid text-center py-8">Loading activity...</div>
        )}

        {error && (
@@ -262,7 +262,7 @@ export function ChannelsTab({ workspaceId }: Props) {
      </div>

      {error && (
-        <div role="alert" aria-live="assertive" className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
+        <div className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
          {error}
        </div>
      )}
@@ -81,7 +81,7 @@ function AgentCardSection({ workspaceId }: { workspaceId: string }) {
            spellCheck={false} rows={12}
            className="w-full bg-surface-card border border-line rounded p-2 text-[10px] font-mono text-ink focus:outline-none focus:border-accent resize-none"
          />
-          {error && <div role="alert" aria-live="assertive" className="px-2 py-1 bg-red-900/30 border border-red-800 rounded text-[10px] text-bad">{error}</div>}
+          {error && <div className="px-2 py-1 bg-red-900/30 border border-red-800 rounded text-[10px] text-bad">{error}</div>}
          <div className="flex gap-2">
            <button type="button" onClick={handleSave} disabled={saving}
              className="px-2 py-1 bg-accent hover:bg-accent-strong text-[10px] rounded text-white disabled:opacity-50 transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface">
@@ -109,130 +109,6 @@ function AgentCardSection({ workspaceId }: { workspaceId: string }) {
  );
 }

-// --- Agent Abilities Section ---
-//
-// Always-visible on/off controls for the two workspace-level ability flags
-// (broadcast_enabled, talk_to_user_enabled). Both are mutated through the
-// same admin endpoint the ChatTab recovery banner already uses
-// (PATCH /workspaces/:id/abilities) and reflected into the canvas store node
-// data (broadcastEnabled / talkToUserEnabled) so every surface that reads
-// useCanvasStore.nodes stays consistent without a full re-hydrate.
-//
-// Before this section there was NO canvas control for either flag: the
-// backend was fully wired (workspace_abilities.go / workspace_broadcast.go /
-// agent_message_writer.go, see commit 29b4bffb + internal#510/#511) but the
-// only frontend affordance was the ChatTab recovery banner, which renders
-// solely when talk_to_user_enabled===false and so is invisible under the
-// TRUE default and never existed at all for broadcast.
-function AgentAbilitiesSection({ workspaceId }: { workspaceId: string }) {
-  // Read the live ability flags off the canvas store node — the platform
-  // event stream hydrates these (canvas-topology.ts maps the workspace row's
-  // broadcast_enabled/talk_to_user_enabled onto node data), so this stays in
-  // sync with the recovery banner and avoids a duplicate GET. Mirrors the
-  // store-read pattern used by AgentCardSection above.
-  const node = useCanvasStore((s) =>
-    s.nodes?.find?.((n) => n.id === workspaceId),
-  );
-  // Defaults match the backend column defaults + canvas-topology mapping:
-  // broadcast_enabled defaults FALSE, talk_to_user_enabled defaults TRUE.
-  const broadcastEnabled = node?.data.broadcastEnabled ?? false;
-  const talkToUserEnabled = node?.data.talkToUserEnabled ?? true;
-
-  // Track an in-flight PATCH per field so a double-click can't fire two
-  // racing writes, and surface a one-line error if the server rejects.
-  const [pending, setPending] = useState<null | "broadcast" | "talk">(null);
-  const [error, setError] = useState<string | null>(null);
-
-  const patchAbility = async (
-    which: "broadcast" | "talk",
-    body: { broadcast_enabled: boolean } | { talk_to_user_enabled: boolean },
-    optimistic: Partial<{ broadcastEnabled: boolean; talkToUserEnabled: boolean }>,
-  ) => {
-    setError(null);
-    setPending(which);
-    // Optimistic store update — the toggle flips immediately; on failure we
-    // roll back to the server-truth value the store last held.
-    const prev = {
-      broadcastEnabled,
-      talkToUserEnabled,
-    };
-    useCanvasStore.getState().updateNodeData(workspaceId, optimistic);
-    try {
-      await api.patch(`/workspaces/${workspaceId}/abilities`, body);
-    } catch (e) {
-      // Roll back the optimistic change to last-known server truth.
-      useCanvasStore.getState().updateNodeData(workspaceId, {
-        broadcastEnabled: prev.broadcastEnabled,
-        talkToUserEnabled: prev.talkToUserEnabled,
-      });
-      setError(
-        e instanceof Error ? e.message : "Failed to update ability — try again",
-      );
-    } finally {
-      setPending(null);
-    }
-  };
-
-  return (
-    <Section title="Agent Abilities">
-      <p className="text-[10px] text-ink-mid px-1 pb-1">
-        Workspace-level permissions for this agent. Changes apply immediately
-        (no restart required).
-      </p>
-      <div className="space-y-2">
-        <div>
-          <Toggle
-            label="Talk to user"
-            checked={talkToUserEnabled}
-            onChange={(v) =>
-              pending
-                ? undefined
-                : patchAbility(
-                    "talk",
-                    { talk_to_user_enabled: v },
-                    { talkToUserEnabled: v },
-                  )
-            }
-          />
-          <p className="text-[10px] text-ink-mid mt-0.5 ml-6">
-            When off, the agent&apos;s <code className="font-mono">send_message_to_user</code>{" "}
-            and <code className="font-mono">POST /notify</code> calls are
-            rejected (403) — it must route updates through a parent workspace.
-          </p>
-        </div>
-        <div>
-          <Toggle
-            label="Broadcast to peers"
-            checked={broadcastEnabled}
-            onChange={(v) =>
-              pending
-                ? undefined
-                : patchAbility(
-                    "broadcast",
-                    { broadcast_enabled: v },
-                    { broadcastEnabled: v },
-                  )
-            }
-          />
-          <p className="text-[10px] text-ink-mid mt-0.5 ml-6">
-            When on, the agent may <code className="font-mono">POST /broadcast</code>{" "}
-            to message all non-removed agent workspaces in the org. Off by
-            default — only privileged orchestrators should hold this.
-          </p>
-        </div>
-      </div>
-      {pending && (
-        <div className="mt-2 text-[10px] text-ink-mid">Saving…</div>
-      )}
-      {error && (
-        <div className="mt-2 px-2 py-1 bg-red-900/30 border border-red-800 rounded text-[10px] text-bad">
-          {error}
-        </div>
-      )}
-    </Section>
-  );
-}
-
 // --- Main ConfigTab ---

 interface ModelSpec {
@@ -1009,8 +885,6 @@ export function ConfigTab({ workspaceId }: Props) {
            )}
          </Section>

-          <AgentAbilitiesSection workspaceId={workspaceId} />
-
          {/* Claude Settings — shown for claude-code runtime or claude/anthropic model names */}
          {(config.runtime === "claude-code" ||
            (config.runtime_config?.model || config.model || "").toLowerCase().includes("claude") ||
@@ -1121,7 +995,7 @@ export function ConfigTab({ workspaceId }: Props) {
      )}

      {error && (
-        <div role="alert" aria-live="assertive" className="mx-3 mb-2 px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">{error}</div>
+        <div className="mx-3 mb-2 px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">{error}</div>
      )}
      {!error && RUNTIMES_WITH_OWN_CONFIG.has(config.runtime || "") && (
        <div className="mx-3 mb-2 px-3 py-1.5 bg-surface-sunken/50 border border-line rounded text-xs text-ink-mid">
@@ -157,7 +157,7 @@ export function DetailsTab({ workspaceId, data }: Props) {
              </select>
            </Field>
            {saveError && (
-              <div role="alert" aria-live="assertive" className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
+              <div className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
                {saveError}
              </div>
            )}
@@ -203,7 +203,7 @@ export function DetailsTab({ workspaceId, data }: Props) {
            {isRestartable && (
              <div className="pt-2">
                {restartError && (
-                  <div role="alert" aria-live="assertive" className="mb-2 px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
+                  <div className="mb-2 px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
                    {restartError}
                  </div>
                )}
@@ -307,7 +307,7 @@ export function DetailsTab({ workspaceId, data }: Props) {
      {/* Delete */}
      <Section title="Danger Zone">
        {deleteError && (
-          <div role="alert" aria-live="assertive" className="mb-2 px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
+          <div className="mb-2 px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
            {deleteError}
          </div>
        )}
@@ -82,7 +82,7 @@ export function EventsTab({ workspaceId }: Props) {
      </div>

      {error && (
-        <div role="alert" aria-live="assertive" className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
+        <div className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
          {error}
        </div>
      )}
@@ -102,7 +102,7 @@ export function ExternalConnectionSection({ workspaceId }: Props) {
      </div>

      {error && (
-        <div role="alert" aria-live="assertive" className="mt-2 px-2 py-1 bg-red-900/30 border border-red-800 rounded text-[10px] text-bad">
+        <div className="mt-2 px-2 py-1 bg-red-900/30 border border-red-800 rounded text-[10px] text-bad">
          {error}
        </div>
      )}
@@ -275,7 +275,7 @@ export function ScheduleTab({ workspaceId }: Props) {
              Enabled
            </label>
          </div>
-          {error && <div role="alert" aria-live="assertive" className="text-[10px] text-bad">{error}</div>}
+          {error && <div className="text-[10px] text-bad">{error}</div>}
          <div className="flex gap-2">
            <button
              type="button"
@@ -67,7 +67,7 @@ export function TracesTab({ workspaceId }: Props) {
      </div>

      {error && (
-        <div role="alert" aria-live="assertive" className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
+        <div className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
          {error}
        </div>
      )}
@@ -1,165 +0,0 @@
-// @vitest-environment jsdom
-//
-// Tests for the always-visible "Agent Abilities" section added to ConfigTab
-// (internal#510 broadcast_enabled, internal#511 talk_to_user_enabled; backend
-// wired in commit 29b4bffb).
-//
-// Problem this pins: the two workspace ability flags had complete wired
-// backends but NO canvas control — broadcast had none at all, talk-to-user
-// only surfaced as a ChatTab recovery banner that is invisible under its
-// TRUE default. The CTO could not see or toggle either from canvas.
-//
-// What this suite pins:
-//   1. An "Agent Abilities" section renders (always visible, not gated).
-//   2. Both toggles render and reflect the store node's ability fields,
-//      including the asymmetric defaults (broadcast FALSE, talk TRUE).
-//   3. Toggling a switch calls PATCH /workspaces/:id/abilities with the
-//      correct snake_case body and optimistically updates the store.
-
-import { describe, it, expect, vi, afterEach, beforeEach } from "vitest";
-import { render, screen, cleanup, waitFor, fireEvent } from "@testing-library/react";
-import React from "react";
-
-afterEach(cleanup);
-
-const apiGet = vi.fn();
-const apiPatch = vi.fn();
-vi.mock("@/lib/api", () => ({
-  api: {
-    get: (path: string) => apiGet(path),
-    patch: (path: string, body?: unknown) => apiPatch(path, body),
-    put: vi.fn(),
-    post: vi.fn(),
-    del: vi.fn(),
-  },
-}));
-
-// Store node carries the ability flags hydrated by the platform stream
-// (canvas-topology.ts maps broadcast_enabled/talk_to_user_enabled onto
-// node.data). Mirror that shape so the section reads real values.
-const storeUpdateNodeData = vi.fn();
-const storeRestartWorkspace = vi.fn();
-let nodeData: { broadcastEnabled?: boolean; talkToUserEnabled?: boolean } = {};
-const makeState = () => ({
-  nodes: [{ id: "ws-test", data: nodeData }],
-  restartWorkspace: storeRestartWorkspace,
-  updateNodeData: storeUpdateNodeData,
-});
-vi.mock("@/store/canvas", () => ({
-  useCanvasStore: Object.assign(
-    (selector: (s: unknown) => unknown) => selector(makeState()),
-    { getState: () => makeState() },
-  ),
-}));
-
-vi.mock("../AgentCardSection", () => ({
-  AgentCardSection: () => <div data-testid="agent-card-stub" />,
-}));
-
-import { ConfigTab } from "../ConfigTab";
-
-beforeEach(() => {
-  apiGet.mockReset();
-  apiPatch.mockReset();
-  apiPatch.mockResolvedValue({ status: "updated" });
-  storeUpdateNodeData.mockReset();
-  apiGet.mockImplementation((path: string) => {
-    if (path === `/workspaces/ws-test`) {
-      return Promise.resolve({ runtime: "claude-code" });
-    }
-    if (path === `/workspaces/ws-test/model`) {
-      return Promise.resolve({ model: "claude-opus-4-7" });
-    }
-    if (path === `/workspaces/ws-test/provider`) {
-      return Promise.resolve({ provider: "anthropic-oauth", source: "default" });
-    }
-    if (path === `/workspaces/ws-test/files/config.yaml`) {
-      return Promise.resolve({ content: "name: test\nruntime: claude-code\n" });
-    }
-    if (path === "/templates") {
-      return Promise.resolve([
-        { id: "claude-code", name: "Claude Code", runtime: "claude-code", providers: [] },
-      ]);
-    }
-    return Promise.reject(new Error(`unmocked api.get: ${path}`));
-  });
-});
-
-describe("ConfigTab Agent Abilities section", () => {
-  it("renders an always-visible 'Agent Abilities' section with both toggles", async () => {
-    nodeData = {}; // unset → defaults
-    render(<ConfigTab workspaceId="ws-test" />);
-    await waitFor(() => expect(apiGet).toHaveBeenCalled());
-    expect(
-      await screen.findByRole("button", { name: /Agent Abilities/i }),
-    ).toBeTruthy();
-    expect(screen.getByText("Talk to user")).toBeTruthy();
-    expect(screen.getByText("Broadcast to peers")).toBeTruthy();
-  });
-
-  it("reflects the asymmetric defaults: talk-to-user ON, broadcast OFF", async () => {
-    nodeData = {}; // unset → backend defaults
-    render(<ConfigTab workspaceId="ws-test" />);
-    await waitFor(() => expect(apiGet).toHaveBeenCalled());
-    const talk = (await screen.findByText("Talk to user"))
-      .closest("label")!
-      .querySelector("input") as HTMLInputElement;
-    const broadcast = screen
-      .getByText("Broadcast to peers")
-      .closest("label")!
-      .querySelector("input") as HTMLInputElement;
-    expect(talk.checked).toBe(true);
-    expect(broadcast.checked).toBe(false);
-  });
-
-  it("reflects explicit store values", async () => {
-    nodeData = { broadcastEnabled: true, talkToUserEnabled: false };
-    render(<ConfigTab workspaceId="ws-test" />);
-    await waitFor(() => expect(apiGet).toHaveBeenCalled());
-    const talk = (await screen.findByText("Talk to user"))
-      .closest("label")!
-      .querySelector("input") as HTMLInputElement;
-    const broadcast = screen
-      .getByText("Broadcast to peers")
-      .closest("label")!
-      .querySelector("input") as HTMLInputElement;
-    expect(talk.checked).toBe(false);
-    expect(broadcast.checked).toBe(true);
-  });
-
-  it("PATCHes /abilities with talk_to_user_enabled and optimistically updates the store", async () => {
-    nodeData = {}; // talk defaults true
-    render(<ConfigTab workspaceId="ws-test" />);
-    await waitFor(() => expect(apiGet).toHaveBeenCalled());
-    const talk = (await screen.findByText("Talk to user"))
-      .closest("label")!
-      .querySelector("input") as HTMLInputElement;
-    fireEvent.click(talk); // true → false
-    await waitFor(() =>
-      expect(apiPatch).toHaveBeenCalledWith("/workspaces/ws-test/abilities", {
-        talk_to_user_enabled: false,
-      }),
-    );
-    expect(storeUpdateNodeData).toHaveBeenCalledWith("ws-test", {
-      talkToUserEnabled: false,
-    });
-  });
-
-  it("PATCHes /abilities with broadcast_enabled when the broadcast toggle is flipped", async () => {
-    nodeData = {}; // broadcast defaults false
-    render(<ConfigTab workspaceId="ws-test" />);
-    await waitFor(() => expect(apiGet).toHaveBeenCalled());
-    const broadcast = (await screen.findByText("Broadcast to peers"))
-      .closest("label")!
-      .querySelector("input") as HTMLInputElement;
-    fireEvent.click(broadcast); // false → true
-    await waitFor(() =>
-      expect(apiPatch).toHaveBeenCalledWith("/workspaces/ws-test/abilities", {
-        broadcast_enabled: true,
-      }),
-    );
-    expect(storeUpdateNodeData).toHaveBeenCalledWith("ws-test", {
-      broadcastEnabled: true,
-    });
-  });
-});
@@ -248,6 +248,88 @@ describe("extractResponseText", () => {
  });
 });

+describe("extractAgentText", () => {
+  it("extracts text from top-level parts", () => {
+    const task = {
+      parts: [{ kind: "text", text: "Agent said hello" }],
+    };
+    expect(extractAgentText(task)).toBe("Agent said hello");
+  });
+
+  it("extracts from artifacts[0].parts when top-level parts absent", () => {
+    const task = {
+      artifacts: [
+        { parts: [{ kind: "text", text: "From artifact block" }] },
+      ],
+    };
+    expect(extractAgentText(task)).toBe("From artifact block");
+  });
+
+  it("extracts from status.message.parts as fallback", () => {
+    const task = {
+      status: {
+        message: { parts: [{ kind: "text", text: "Status text" }] },
+      },
+    };
+    expect(extractAgentText(task)).toBe("Status text");
+  });
+
+  it("prefers top-level parts over artifacts", () => {
+    const task = {
+      parts: [{ kind: "text", text: "top-level wins" }],
+      artifacts: [
+        { parts: [{ kind: "text", text: "artifact text" }] },
+      ],
+    };
+    expect(extractAgentText(task)).toBe("top-level wins");
+  });
+
+  it("prefers top-level parts over status.message", () => {
+    const task = {
+      parts: [{ kind: "text", text: "parts wins" }],
+      status: {
+        message: { parts: [{ kind: "text", text: "status text" }] },
+      },
+    };
+    expect(extractAgentText(task)).toBe("parts wins");
+  });
+
+  it("returns string identity when task itself is a string", () => {
+    expect(extractAgentText("plain string task" as unknown as Record<string, unknown>)).toBe(
+      "plain string task",
+    );
+  });
+
+  it("returns fallback when task is an empty object", () => {
+    expect(extractAgentText({})).toBe("(Could not extract response text)");
+  });
+
+  it("returns fallback when task has no extractable text", () => {
+    expect(
+      extractAgentText({ status: "running", other: "fields" }),
+    ).toBe("(Could not extract response text)");
+  });
+
+  it("tolerates malformed nested shapes without throwing", () => {
+    const task = {
+      parts: null,
+      artifacts: "not an array",
+      status: { message: 42 },
+    };
+    expect(extractAgentText(task)).toBe("(Could not extract response text)");
+  });
+
+  it("joins multiple text parts with newline", () => {
+    const task = {
+      parts: [
+        { kind: "text", text: "Line one" },
+        { kind: "text", text: "Line two" },
+      ],
+    };
+    expect(extractAgentText(task)).toBe("Line one\nLine two");
+  });
+});
+
 describe("extractTextsFromParts", () => {
  it("extracts text parts with kind=text", () => {
    const parts = [
@@ -0,0 +1,102 @@
+import { describe, it, expect, beforeEach } from "vitest";
+import { useCanvasStore } from "@/store/canvas";
+import { resolveWorkspaceName } from "../hooks/resolveWorkspaceName";
+
+beforeEach(() => {
+  // Reset store to a clean slate between tests so node lookup is deterministic.
+  useCanvasStore.setState({ nodes: [] });
+});
+
+describe("resolveWorkspaceName", () => {
+  it("returns the workspace name when a node with that ID exists", () => {
+    useCanvasStore.setState({
+      nodes: [
+        {
+          id: "ws-alpha-001",
+          type: "workspace",
+          data: { name: "Alpha Agent" },
+          position: { x: 0, y: 0 },
+        },
+      ],
+    });
+
+    expect(resolveWorkspaceName("ws-alpha-001")).toBe("Alpha Agent");
+  });
+
+  it("falls back to the first 8 chars of the ID when no matching node exists", () => {
+    expect(resolveWorkspaceName("ws-zzz-not-found")).toBe("ws-zzz-n");
+  });
+
+  it("falls back to the first 8 chars when the node exists but has no name", () => {
+    useCanvasStore.setState({
+      nodes: [
+        {
+          id: "ws-no-name",
+          type: "workspace",
+          // data.name is deliberately absent
+          data: {},
+          position: { x: 0, y: 0 },
+        },
+      ],
+    });
+
+    expect(resolveWorkspaceName("ws-no-name")).toBe("ws-no-na");
+  });
+
+  it("returns the first 8 chars for a very short ID", () => {
+    expect(resolveWorkspaceName("ab")).toBe("ab");
+  });
+
+  it("returns the first 8 chars when the ID is exactly 8 characters", () => {
+    // slice(0,8) of an 8-char string is the full string
+    const id = "12345678";
+    expect(resolveWorkspaceName(id)).toBe(id);
+  });
+
+  it("picks the right node when multiple workspaces share a prefix", () => {
+    useCanvasStore.setState({
+      nodes: [
+        {
+          id: "00000000-0000-0000-0000-000000000001",
+          type: "workspace",
+          data: { name: "Backend Agent" },
+          position: { x: 0, y: 0 },
+        },
+        {
+          id: "00000000-0000-0000-0000-000000000002",
+          type: "workspace",
+          data: { name: "Frontend Agent" },
+          position: { x: 100, y: 0 },
+        },
+      ],
+    });
+
+    expect(resolveWorkspaceName("00000000-0000-0000-0000-000000000002")).toBe(
+      "Frontend Agent"
+    );
+    expect(resolveWorkspaceName("00000000-0000-0000-0000-000000000001")).toBe(
+      "Backend Agent"
+    );
+  });
+
+  it("does not mutate store state between calls", () => {
+    useCanvasStore.setState({
+      nodes: [
+        {
+          id: "stable-id",
+          type: "workspace",
+          data: { name: "Stable Workspace" },
+          position: { x: 0, y: 0 },
+        },
+      ],
+    });
+
+    resolveWorkspaceName("stable-id");
+    resolveWorkspaceName("unknown-id");
+
+    // Store nodes must be unchanged — resolveWorkspaceName is read-only.
+    const nodes = useCanvasStore.getState().nodes;
+    expect(nodes).toHaveLength(1);
+    expect((nodes[0] as { id: string }).id).toBe("stable-id");
+  });
+});
@@ -0,0 +1,209 @@
+// @vitest-environment jsdom
+/**
+ * Tests for useChatSend — the canvas user→agent send hook.
+ *
+ * Behavioural focus: the poll-mode ("queued") path. When the target
+ * workspace is an external / MCP-registered agent (delivery_mode=poll,
+ * e.g. an operator laptop running the molecule MCP channel), the
+ * platform's POST /workspaces/:id/a2a returns a synthetic
+ * {status:"queued", delivery_mode:"poll"} envelope IMMEDIATELY with no
+ * reply — the real reply arrives later over the AGENT_MESSAGE
+ * WebSocket push.
+ *
+ * Pre-fix the hook treated that synthetic envelope as a terminal
+ * response and called releaseSendGuards() → `sending` went false the
+ * instant the POST returned → the "agent is working" indicator
+ * vanished and the external turn looked dead. This suite pins the
+ * fixed contract:
+ *
+ *   - a real reply still clears `sending` (regression guard)
+ *   - a poll "queued" envelope KEEPS `sending` true (no terminal
+ *     clear) so the existing thinking indicator persists
+ *   - the eventual reply path (releaseSendGuards, the same call the
+ *     AGENT_MESSAGE WS push makes via useChatSocket) clears it
+ *   - an offline poll agent that never replies eventually surfaces an
+ *     honest error instead of an infinite spinner
+ *
+ * Plus pure-function coverage for the poll-envelope detector.
+ *
+ * Root cause: workspace-server a2a_proxy.go:402 poll-mode
+ * short-circuit returns {status:"queued"} synchronously.
+ */
+import {
+  describe,
+  it,
+  expect,
+  vi,
+  beforeEach,
+  afterEach,
+  type Mock,
+} from "vitest";
+import { act, renderHook, cleanup } from "@testing-library/react";
+
+const { mockApiPost } = vi.hoisted(() => ({ mockApiPost: vi.fn() }));
+
+vi.mock("@/lib/api", () => ({
+  api: { post: mockApiPost },
+}));
+
+vi.mock("../uploads", () => ({
+  uploadChatFiles: vi.fn(),
+}));
+
+// Import AFTER mocks.
+import {
+  useChatSend,
+  isPollQueuedResponse,
+  extractReplyText,
+  POLL_QUEUED_REPLY_TIMEOUT_MS,
+} from "../useChatSend";
+
+const flush = () => act(async () => { await Promise.resolve(); });
+
+describe("isPollQueuedResponse", () => {
+  it("is true only for the synthetic poll-mode queued envelope", () => {
+    expect(isPollQueuedResponse({ status: "queued", delivery_mode: "poll" })).toBe(true);
+  });
+
+  it("is false for a real agent reply", () => {
+    expect(
+      isPollQueuedResponse({ result: { parts: [{ kind: "text", text: "hi" }] } }),
+    ).toBe(false);
+  });
+
+  it("is false for null / undefined / partial shapes", () => {
+    expect(isPollQueuedResponse(null)).toBe(false);
+    expect(isPollQueuedResponse(undefined)).toBe(false);
+    // status=queued without delivery_mode=poll is NOT the poll envelope
+    // — don't accidentally swallow a real reply that happens to carry
+    // an unrelated status field.
+    expect(isPollQueuedResponse({ status: "queued" })).toBe(false);
+    expect(isPollQueuedResponse({ delivery_mode: "poll" })).toBe(false);
+  });
+});
+
+describe("extractReplyText (regression guard — unchanged by fix)", () => {
+  it("collects text parts from result", () => {
+    expect(
+      extractReplyText({ result: { parts: [{ kind: "text", text: "hello" }] } }),
+    ).toBe("hello");
+  });
+  it("returns empty for the poll-queued envelope", () => {
+    expect(extractReplyText({ status: "queued", delivery_mode: "poll" })).toBe("");
+  });
+});
+
+describe("useChatSend — poll-mode in-progress state", () => {
+  beforeEach(() => {
+    vi.useFakeTimers();
+    mockApiPost.mockReset();
+  });
+  afterEach(() => {
+    vi.runOnlyPendingTimers();
+    vi.useRealTimers();
+    cleanup();
+  });
+
+  const setup = () => {
+    const onUserMessage = vi.fn();
+    const onAgentMessage = vi.fn();
+    const { result } = renderHook(() =>
+      useChatSend("ws-ext-1", {
+        getHistoryMessages: () => [],
+        onUserMessage,
+        onAgentMessage,
+      }),
+    );
+    return { result, onUserMessage, onAgentMessage };
+  };
+
+  it("a real reply clears `sending` (regression guard)", async () => {
+    mockApiPost.mockResolvedValue({
+      result: { parts: [{ kind: "text", text: "real reply" }] },
+    });
+    const { result, onAgentMessage } = setup();
+
+    await act(async () => {
+      void result.current.sendMessage("hi");
+    });
+    await flush();
+
+    expect(onAgentMessage).toHaveBeenCalledTimes(1);
+    expect(result.current.sending).toBe(false);
+  });
+
+  it("keeps `sending` true on a poll 'queued' envelope (no terminal clear)", async () => {
+    mockApiPost.mockResolvedValue({ status: "queued", delivery_mode: "poll" });
+    const { result, onAgentMessage } = setup();
+
+    await act(async () => {
+      void result.current.sendMessage("hi external agent");
+    });
+    await flush();
+
+    // The POST resolved, but it was only a queued ack — the indicator
+    // must stay up and no agent bubble should be rendered yet.
+    expect(result.current.sending).toBe(true);
+    expect(onAgentMessage).not.toHaveBeenCalled();
+    expect(result.current.error).toBeNull();
+  });
+
+  it("releaseSendGuards (the AGENT_MESSAGE-push path) clears the poll in-progress state", async () => {
+    mockApiPost.mockResolvedValue({ status: "queued", delivery_mode: "poll" });
+    const { result } = setup();
+
+    await act(async () => {
+      void result.current.sendMessage("hi");
+    });
+    await flush();
+    expect(result.current.sending).toBe(true);
+
+    // Simulate the terminal AGENT_MESSAGE WebSocket push arriving:
+    // useChatSocket's onAgentMessage / onSendComplete call
+    // releaseSendGuards. That must clear the in-progress state AND the
+    // safety timer (asserted by the next test).
+    act(() => {
+      result.current.releaseSendGuards();
+    });
+    expect(result.current.sending).toBe(false);
+  });
+
+  it("surfaces an honest error if a poll agent never replies (safety timeout)", async () => {
+    mockApiPost.mockResolvedValue({ status: "queued", delivery_mode: "poll" });
+    const { result } = setup();
+
+    await act(async () => {
+      void result.current.sendMessage("hi");
+    });
+    await flush();
+    expect(result.current.sending).toBe(true);
+
+    act(() => {
+      vi.advanceTimersByTime(POLL_QUEUED_REPLY_TIMEOUT_MS + 1000);
+    });
+
+    expect(result.current.sending).toBe(false);
+    expect(result.current.error).toMatch(/queued/i);
+  });
+
+  it("does NOT fire the safety error when the reply arrives before timeout", async () => {
+    mockApiPost.mockResolvedValue({ status: "queued", delivery_mode: "poll" });
+    const { result } = setup();
+
+    await act(async () => {
+      void result.current.sendMessage("hi");
+    });
+    await flush();
+
+    // Reply arrives (releaseSendGuards) well before the timeout.
+    act(() => {
+      result.current.releaseSendGuards();
+    });
+    act(() => {
+      vi.advanceTimersByTime(POLL_QUEUED_REPLY_TIMEOUT_MS + 1000);
+    });
+
+    expect(result.current.error).toBeNull();
+    expect(result.current.sending).toBe(false);
+  });
+});
@@ -1,6 +1,6 @@
 "use client";

-import { useCallback, useRef, useState } from "react";
+import { useCallback, useEffect, useRef, useState } from "react";
 import { api } from "@/lib/api";
 import { uploadChatFiles } from "../uploads";
 import { createMessage, type ChatMessage, type ChatAttachment } from "../types";
@@ -22,8 +22,42 @@ interface A2AResponse {
    parts?: A2APart[];
    artifacts?: Array<{ parts: A2APart[] }>;
  };
+  /** Synthetic poll-mode envelope. The platform returns this
+   *  immediately (HTTP 200) when the target workspace is registered
+   *  delivery_mode=poll — an external / MCP-registered agent with no
+   *  public URL (e.g. an operator's laptop running the molecule MCP
+   *  channel). The request has only been QUEUED into activity_logs;
+   *  the agent will pick it up on its next poll and the real reply
+   *  arrives asynchronously over the AGENT_MESSAGE WebSocket push
+   *  (consumed by useChatSocket). See workspace-server
+   *  a2a_proxy.go:402 (poll-mode short-circuit) and
+   *  a2a_proxy_helpers.go:516 (logA2AReceiveQueued). */
+  status?: string;
+  delivery_mode?: string;
 }

+/** True when `resp` is the platform's synthetic poll-mode "queued"
+ *  envelope rather than a real agent reply. For these the send is
+ *  acknowledged-but-pending: the user's message landed and the agent
+ *  is working, but there is no reply yet — the terminal AGENT_MESSAGE
+ *  push will arrive later over the WebSocket. Treating this as a
+ *  terminal response (the pre-fix behaviour) cleared the "agent is
+ *  working" indicator the instant the POST returned, so an external
+ *  workspace turn looked dead even though work had not started. */
+export function isPollQueuedResponse(resp: A2AResponse | null | undefined): boolean {
+  return !!resp && resp.status === "queued" && resp.delivery_mode === "poll";
+}
+
+/** Hard ceiling on how long the "agent is working" indicator stays up
+ *  for a poll-mode turn with no reply. The terminal AGENT_MESSAGE push
+ *  normally clears it well before this. The cap exists so a poll-mode
+ *  workspace that is offline / never consumes its queue doesn't pin a
+ *  spinner forever — at which point we surface an honest, actionable
+ *  error instead of an opaque dead spinner. Generous because poll
+ *  agents (an operator laptop) can legitimately take minutes to wake,
+ *  poll, and respond; the goal is "eventually honest", not fail-fast. */
+export const POLL_QUEUED_REPLY_TIMEOUT_MS = 15 * 60 * 1000;
+
 export function extractReplyText(resp: A2AResponse): string {
  const collect = (parts: A2APart[] | undefined): string => {
    if (!parts) return "";
@@ -59,14 +93,29 @@ export function useChatSend(workspaceId: string, options: UseChatSendOptions) {
  const sendInFlightRef = useRef(false);
  const sendingFromAPIRef = useRef(false);
  const sendTokenRef = useRef(0);
+  // Safety-net timer armed only for poll-mode ("queued") turns: the
+  // POST returns immediately with no reply, so the normal
+  // POST-resolves-→-clear-spinner path can't drive the indicator. The
+  // terminal AGENT_MESSAGE WebSocket push clears it via
+  // releaseSendGuards (which also clears this timer); the timer is the
+  // backstop for an offline poll agent that never consumes its queue.
+  const pollTimeoutRef = useRef<ReturnType<typeof setTimeout> | null>(null);
  const optionsRef = useRef(options);
  optionsRef.current = options;

+  const clearPollTimeout = useCallback(() => {
+    if (pollTimeoutRef.current !== null) {
+      clearTimeout(pollTimeoutRef.current);
+      pollTimeoutRef.current = null;
+    }
+  }, []);
+
  const releaseSendGuards = useCallback(() => {
+    clearPollTimeout();
    setSending(false);
    sendingFromAPIRef.current = false;
    sendInFlightRef.current = false;
-  }, []);
+  }, [clearPollTimeout]);

  const clearError = useCallback(() => setError(null), []);

@@ -146,6 +195,33 @@ export function useChatSend(workspaceId: string, options: UseChatSendOptions) {
            sendInFlightRef.current = false;
            return;
          }
+          // Poll-mode ("queued") turn: the message landed and the
+          // external/MCP agent will pick it up on its next poll, but
+          // there is NO reply in this response. Pre-fix this fell
+          // through to releaseSendGuards() below and the "agent is
+          // working" indicator vanished the instant the POST returned —
+          // an external-workspace turn looked dead even though work had
+          // not started. Instead, keep `sending` true so the existing
+          // thinking indicator (the same one internal agents use)
+          // persists as a "received — agent is working" state; the
+          // terminal AGENT_MESSAGE WebSocket push (consumed by
+          // useChatSocket → onAgentMessage / onSendComplete →
+          // releaseSendGuards) clears it when the real reply arrives,
+          // exactly the path an internal async reply already uses.
+          if (isPollQueuedResponse(resp)) {
+            clearPollTimeout();
+            pollTimeoutRef.current = setTimeout(() => {
+              if (sendTokenRef.current !== myToken) return;
+              if (!sendingFromAPIRef.current) return;
+              releaseSendGuards();
+              setError(
+                "No response yet from this agent — it may be offline or " +
+                  "busy. Your message was delivered and is queued; the " +
+                  "reply will appear here if the agent picks it up.",
+              );
+            }, POLL_QUEUED_REPLY_TIMEOUT_MS);
+            return;
+          }
          const replyText = extractReplyText(resp);
          const replyFiles = extractFilesFromTask(
            (resp?.result ?? {}) as Record<string, unknown>,
@@ -167,9 +243,15 @@ export function useChatSend(workspaceId: string, options: UseChatSendOptions) {
          setError("Failed to send message — agent may be unreachable");
        });
    },
-    [workspaceId, sending, uploading],
+    [workspaceId, sending, uploading, clearPollTimeout],
  );

+  // Drop the poll-mode safety timer on unmount / workspace switch so a
+  // stale timeout can't fire setError against a panel the user has
+  // already navigated away from. sendTokenRef guards correctness if it
+  // ever did fire; this just avoids the wasted timer + setState churn.
+  useEffect(() => clearPollTimeout, [clearPollTimeout]);
+
  return {
    sending,
    uploading,
@@ -67,9 +67,21 @@ export function useChatSocket(
            const own = (targetId || msg.workspace_id) === workspaceId;
            if (own) {
              callbacksRef.current.onSendComplete?.();
-              callbacksRef.current.onSendError?.(
-                "Agent error (Exception) — see workspace logs for details.",
-              );
+              // internal#211/#212: surface the runtime's curated,
+              // user-actionable reason (provider HTTP status + error
+              // code + the provider's own guidance, e.g. a 403 "org
+              // disabled · use an API key / ask your admin"). The
+              // server now includes error_detail in the ACTIVITY_LOGGED
+              // broadcast; fall back to summary, and only as a last
+              // resort to a generic line. The old hardcoded
+              // "Agent error (Exception) — see workspace logs for
+              // details." string pointed at a logs UI that does not
+              // exist and discarded the actionable reason entirely.
+              const detail =
+                (p.error_detail as string) ||
+                (p.summary as string) ||
+                "The agent turn failed but the runtime reported no detail. Retry once; if it repeats the workspace runtime may need a restart.";
+              callbacksRef.current.onSendError?.(detail);
            }
          }
        } else if (type === "a2a_send") {
@@ -99,7 +99,7 @@ export function TestConnectionButton({

 function Spinner() {
  return (
-    <svg aria-hidden="true" className="spinner" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+    <svg className="spinner" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
      <path d="M12 2v4M12 18v4M4.93 4.93l2.83 2.83M16.24 16.24l2.83 2.83M2 12h4M18 12h4M4.93 19.07l2.83-2.83M16.24 7.76l2.83-2.83" />
    </svg>
  );
@@ -649,10 +649,6 @@
  border-radius: 6px;
  cursor: pointer;
 }
-.delete-dialog__cancel-btn:focus-visible {
-  outline: var(--focus-ring);
-  outline-offset: var(--focus-ring-offset);
-}

 .delete-dialog__confirm-btn {
  background: var(--status-invalid);
@@ -662,10 +658,6 @@
  border-radius: 6px;
  cursor: pointer;
 }
-.delete-dialog__confirm-btn:focus-visible {
-  outline: var(--focus-ring);
-  outline-offset: var(--focus-ring-offset);
-}

 .delete-dialog__confirm-btn:disabled { opacity: 0.4; cursor: not-allowed; }

@@ -58,11 +58,11 @@ TOP_LEVEL_MODULES = {
    "a2a_response",
    "a2a_tools",
    "a2a_tools_delegation",
-    "a2a_tools_identity",
    "a2a_tools_inbox",
    "a2a_tools_memory",
    "a2a_tools_messaging",
    "a2a_tools_rbac",
+    "a2a_tools_identity",
    "adapter_base",
    "agent",
    "agents_md",
@@ -691,6 +691,19 @@ func logActivityExec(ctx context.Context, exec activityExecutor, broadcaster eve
 		if respStr != nil {
 			payload["response_body"] = json.RawMessage(respJSON)
 		}
+		// internal#211/#212: error_detail carries the runtime's curated,
+		// user-actionable, secret-safe failure reason (provider HTTP
+		// status + error code + the provider's own guidance, e.g. a 403
+		// "org disabled · use an API key / ask your admin"). It is
+		// already persisted to the DB column above and capped by the
+		// runtime's report_activity helper (4096 chars). Previously it
+		// was dropped from the LIVE broadcast, so the canvas had nothing
+		// to render and fell back to a hardcoded opaque
+		// "Agent error (Exception) — see workspace logs" string. Include
+		// it so the chat bubble shows the real reason in real time.
+		if params.ErrorDetail != nil && *params.ErrorDetail != "" {
+			payload["error_detail"] = *params.ErrorDetail
+		}
 	}

 	return func() {
@@ -17,17 +17,6 @@ var gitIdentitySlugPattern = regexp.MustCompile(`[^a-z0-9]+`)
 // docs/authorship.md (when it exists).
 const gitIdentityEmailDomain = "agents.moleculesai.app"

-// gitAskpassHelperPath is the in-container path of the askpass helper
-// installed by every workspace runtime image (workspace/Dockerfile in
-// molecule-core; scripts/git-askpass.sh → /usr/local/bin/molecule-askpass
-// in each external template-* repo). The helper reads GIT_HTTP_USERNAME
-// / GIT_HTTP_PASSWORD (falling back to GITEA_USER / GITEA_TOKEN) from
-// env and emits them on the git credential-prompt protocol. Setting
-// GIT_ASKPASS to this path is what wires container-side HTTPS git auth
-// to the persona credentials already arriving via workspace_secrets,
-// with no on-disk .gitconfig / .git-credentials mutation required.
-const gitAskpassHelperPath = "/usr/local/bin/molecule-askpass"
-
 // applyAgentGitIdentity sets GIT_AUTHOR_* / GIT_COMMITTER_* env vars so
 // every commit from this workspace container carries a distinct author
 // in `git log` and `git blame`. Git reads these env vars before falling
@@ -61,34 +50,6 @@ func applyAgentGitIdentity(envVars map[string]string, workspaceName string) {
 	setIfEmpty(envVars, "GIT_AUTHOR_EMAIL", authorEmail)
 	setIfEmpty(envVars, "GIT_COMMITTER_NAME", authorName)
 	setIfEmpty(envVars, "GIT_COMMITTER_EMAIL", authorEmail)
-
-	applyGitAskpass(envVars)
-}
-
-// applyGitAskpass points git at the in-image askpass helper so that any
-// HTTPS git operation against a remote without a pre-configured
-// credential.helper picks up the persona credentials already present in
-// the container env (GIT_HTTP_USERNAME / GIT_HTTP_PASSWORD, or
-// GITEA_USER / GITEA_TOKEN as fallback — the latter pair is what
-// loadPersonaEnvFile delivers from the operator-host bootstrap kit).
-//
-// Idempotent: if GIT_ASKPASS is already set (e.g. by an operator-
-// supplied workspace_secret or an env-mutator plugin), the existing
-// value wins. This lets a workspace opt out by setting GIT_ASKPASS=""
-// or pointing at a different helper.
-//
-// No vendor-specific behaviour lives in this function — the host the
-// credentials apply to is determined entirely by the deployer choosing
-// when to populate GIT_HTTP_USERNAME / GIT_HTTP_PASSWORD (or
-// GITEA_USER / GITEA_TOKEN). The helper script itself is generic and
-// has no hardcoded hostnames, so it's safe to ship inside the
-// open-source workspace template images alongside the platform-managed
-// claude-code image.
-func applyGitAskpass(envVars map[string]string) {
-	if envVars == nil {
-		return
-	}
-	setIfEmpty(envVars, "GIT_ASKPASS", gitAskpassHelperPath)
 }

 // slugifyForEmail collapses a workspace name to a safe email localpart:
@@ -75,53 +75,6 @@ func TestApplyAgentGitIdentity_NilMapIsSafe(t *testing.T) {
 	applyAgentGitIdentity(nil, "PM")
 }

-func TestApplyAgentGitIdentity_SetsGitAskpass(t *testing.T) {
-	// GIT_ASKPASS is what wires container-side HTTPS git auth to the
-	// persona credentials (GITEA_USER/GITEA_TOKEN, etc.) that
-	// loadPersonaEnvFile delivers via workspace_secrets. Without this,
-	// `git push` inside the container would fall through to interactive
-	// prompts (impossible) or a missing credential.helper (401).
-	env := map[string]string{}
-	applyAgentGitIdentity(env, "Frontend Engineer")
-	if env["GIT_ASKPASS"] != "/usr/local/bin/molecule-askpass" {
-		t.Errorf("GIT_ASKPASS: got %q, want %q",
-			env["GIT_ASKPASS"], "/usr/local/bin/molecule-askpass")
-	}
-}
-
-func TestApplyAgentGitIdentity_RespectsAskpassOverride(t *testing.T) {
-	// A workspace_secret or env-mutator plugin must be able to point at
-	// a custom askpass helper without us clobbering it. Symmetric with
-	// the GIT_AUTHOR_NAME override test above.
-	env := map[string]string{
-		"GIT_ASKPASS": "/opt/custom/askpass",
-	}
-	applyAgentGitIdentity(env, "Backend Engineer")
-	if env["GIT_ASKPASS"] != "/opt/custom/askpass" {
-		t.Errorf("GIT_ASKPASS should not be overwritten, got %q", env["GIT_ASKPASS"])
-	}
-}
-
-func TestApplyAgentGitIdentity_AskpassSkippedOnEmptyName(t *testing.T) {
-	// The empty-name early-return covers GIT_ASKPASS too — a provisioning
-	// glitch that dropped the workspace name shouldn't half-configure the
-	// container (identity vars empty but askpass wired). All-or-nothing.
-	env := map[string]string{}
-	applyAgentGitIdentity(env, "")
-	if _, ok := env["GIT_ASKPASS"]; ok {
-		t.Errorf("empty name should not set GIT_ASKPASS, got %q", env["GIT_ASKPASS"])
-	}
-}
-
-func TestApplyGitAskpass_NilMapIsSafe(t *testing.T) {
-	defer func() {
-		if r := recover(); r != nil {
-			t.Errorf("applyGitAskpass panicked on nil map: %v", r)
-		}
-	}()
-	applyGitAskpass(nil)
-}
-
 func TestSlugifyForEmail(t *testing.T) {
 	cases := []struct {
 		in, want string
@@ -107,10 +107,29 @@ func (h *ChatFilesHandler) WithPendingUploads(storage pendinguploads.Storage, br
 }

 // chatUploadMaxBytes caps the full multipart request body so a
-// malicious / runaway client can't OOM the proxy hop. 50 MB matches
-// the workspace-side limit; anything larger is rejected at the
+// malicious / runaway client can't OOM the proxy hop. 100 MB matches
+// the workspace-side total limit; anything larger is rejected at the
 // network boundary before forwarding.
-const chatUploadMaxBytes = 50 * 1024 * 1024
+//
+// SSOT NOTE (issue #1520): this constant is the source of truth for
+// chat upload limits across the platform. Its value is exported to
+// the workspace container at provision time via the env var
+// CHAT_UPLOAD_MAX_TOTAL_BYTES (see
+// workspace_provision_shared.go::applyChatUploadLimits) so the
+// Python runtime cap stays in lock-step. Do NOT change this without
+// updating the per-file cap chatUploadMaxFileBytes below and
+// verifying the env-injection site is unchanged.
+const chatUploadMaxBytes = 100 * 1024 * 1024
+
+// chatUploadMaxFileBytes caps any single multipart part. Mirrors the
+// total cap by default because most chat uploads are a single file;
+// keeping per-file equal to total avoids the surprise of "my 60 MB
+// file fit under the total but got 413'd on per-file". Exported to
+// the workspace container as CHAT_UPLOAD_MAX_FILE_BYTES so the
+// Starlette parser's max_part_size matches and any single part above
+// Starlette's default 1 MiB no longer raises MultiPartException
+// (root cause of issue #1520).
+const chatUploadMaxFileBytes = 100 * 1024 * 1024

 // resolveWorkspaceForwardCreds resolves the workspace's URL +
 // platform_inbound_secret for an /internal/* forward, applying
@@ -0,0 +1,63 @@
+package handlers
+
+// chat_upload_limits_test.go — pins the SSOT env-injection contract
+// for chat-upload caps (issue #1520). The Python workspace runtime
+// reads these env vars at module init; drift between the constant in
+// chat_files.go and the env-var name here silently breaks chat upload
+// fleet-wide, so the contract is asserted as a unit test in the same
+// package as the producer.
+
+import (
+	"fmt"
+	"testing"
+)
+
+// applyChatUploadLimits MUST seed both env vars to the byte-count
+// stringification of the Go-side constants. Anything else means a
+// Python-side parser cap that disagrees with the Go-side network cap,
+// which is exactly the drift that shipped #1520.
+func TestApplyChatUploadLimits_DefaultsMatchGoConstants(t *testing.T) {
+	env := map[string]string{}
+	applyChatUploadLimits(env)
+
+	wantFile := fmt.Sprintf("%d", chatUploadMaxFileBytes)
+	if got := env["CHAT_UPLOAD_MAX_FILE_BYTES"]; got != wantFile {
+		t.Errorf("CHAT_UPLOAD_MAX_FILE_BYTES = %q, want %q", got, wantFile)
+	}
+
+	wantTotal := fmt.Sprintf("%d", chatUploadMaxBytes)
+	if got := env["CHAT_UPLOAD_MAX_TOTAL_BYTES"]; got != wantTotal {
+		t.Errorf("CHAT_UPLOAD_MAX_TOTAL_BYTES = %q, want %q", got, wantTotal)
+	}
+}
+
+// Pre-existing values win. A tenant override, plugin mutator, or A/B
+// experiment that already set the env MUST be preserved — the SSOT
+// helper is a defaulting layer, not an override layer.
+func TestApplyChatUploadLimits_PreExistingValuesPreserved(t *testing.T) {
+	env := map[string]string{
+		"CHAT_UPLOAD_MAX_FILE_BYTES":  "1234",
+		"CHAT_UPLOAD_MAX_TOTAL_BYTES": "5678",
+	}
+	applyChatUploadLimits(env)
+
+	if got := env["CHAT_UPLOAD_MAX_FILE_BYTES"]; got != "1234" {
+		t.Errorf("pre-existing CHAT_UPLOAD_MAX_FILE_BYTES overwritten: got %q", got)
+	}
+	if got := env["CHAT_UPLOAD_MAX_TOTAL_BYTES"]; got != "5678" {
+		t.Errorf("pre-existing CHAT_UPLOAD_MAX_TOTAL_BYTES overwritten: got %q", got)
+	}
+}
+
+// The 100 MB minimum is the CTO-directed allowance floor (issue #1520).
+// Pin so a future "tidy up: 100 MB seems large" refactor surfaces here
+// before reverting the user-visible behaviour change.
+func TestChatUploadCaps_MinimumAllowanceFloor(t *testing.T) {
+	const floor = 100 * 1024 * 1024
+	if chatUploadMaxBytes < floor {
+		t.Errorf("chatUploadMaxBytes = %d, below #1520 floor %d", chatUploadMaxBytes, floor)
+	}
+	if chatUploadMaxFileBytes < floor {
+		t.Errorf("chatUploadMaxFileBytes = %d, below #1520 floor %d", chatUploadMaxFileBytes, floor)
+	}
+}
@@ -218,14 +218,6 @@ func loadWorkspaceEnv(orgBaseDir, filesDir string) map[string]string {
 // check, or when the env file does not exist (workspaces without a role —
 // or running on hosts that don't ship the bootstrap dir — keep their old
 // behavior).
-//
-// Token-file fallback: the newer prod-team personas (agent-dev-a,
-// agent-dev-b, agent-pm) ship `token` + `universal-auth.env` only — no
-// legacy plaintext `env` file. When the env-file load produces zero rows,
-// loadPersonaTokenFile fills in GITEA_TOKEN / GITEA_USER / GITEA_USER_EMAIL
-// from the token file so the GIT_ASKPASS helper has something to emit.
-// The env-file form remains authoritative when present (it may carry
-// richer rows like GITEA_TOKEN_SCOPES / GITEA_SSH_KEY_PATH).
 func loadPersonaEnvFile(role string, out map[string]string) {
 	if !isSafeRoleName(role) {
 		if role != "" {
@@ -237,61 +229,7 @@ func loadPersonaEnvFile(role string, out map[string]string) {
 	if root == "" {
 		root = "/etc/molecule-bootstrap/personas"
 	}
-	before := len(out)
 	parseEnvFile(filepath.Join(root, role, "env"), out)
-	if len(out) == before {
-		// No env-file rows landed (file absent, or present-but-empty).
-		// Try the token-only persona shape used by the prod-team
-		// identities. Existing keys in out are preserved.
-		loadPersonaTokenFile(role, out)
-	}
-}
-
-// loadPersonaTokenFile populates GITEA_TOKEN / GITEA_USER / GITEA_USER_EMAIL
-// from a persona dir that ships only the bare `token` file — the shape used
-// by the production agent personas (agent-dev-a, agent-dev-b, agent-pm).
-// Those dirs do not carry an `env` file because their non-Gitea creds come
-// from Infisical Universal Auth at runtime (universal-auth.env), so the
-// historical loadPersonaEnvFile path silently no-ops on them.
-//
-// File layout: $MOLECULE_PERSONA_ROOT/<role>/token (mode 600, plain text).
-// The token contents become GITEA_TOKEN (whitespace-trimmed); the role
-// name becomes GITEA_USER; GITEA_USER_EMAIL is synthesised as
-// <role>@<gitIdentityEmailDomain> to match the email shape that
-// applyAgentGitIdentity uses for its slug-derived authorship addresses.
-//
-// Silent no-op when the role fails the safe-segment check, when the
-// token file does not exist, or when its contents are empty after
-// trimming. Existing keys in out are not overwritten — the caller's
-// later .env layers and any prior loadPersonaEnvFile rows always win.
-func loadPersonaTokenFile(role string, out map[string]string) {
-	if out == nil {
-		return
-	}
-	if !isSafeRoleName(role) {
-		return
-	}
-	root := os.Getenv("MOLECULE_PERSONA_ROOT")
-	if root == "" {
-		root = "/etc/molecule-bootstrap/personas"
-	}
-	data, err := os.ReadFile(filepath.Join(root, role, "token"))
-	if err != nil {
-		return
-	}
-	token := strings.TrimSpace(string(data))
-	if token == "" {
-		return
-	}
-	if _, ok := out["GITEA_TOKEN"]; !ok {
-		out["GITEA_TOKEN"] = token
-	}
-	if _, ok := out["GITEA_USER"]; !ok {
-		out["GITEA_USER"] = role
-	}
-	if _, ok := out["GITEA_USER_EMAIL"]; !ok {
-		out["GITEA_USER_EMAIL"] = role + "@" + gitIdentityEmailDomain
-	}
 }

 // isSafeRoleName accepts a single path segment of [A-Za-z0-9_-]+. Rejects
@@ -164,181 +164,3 @@ func TestIsSafeRoleName_Acceptance(t *testing.T) {
 		}
 	}
 }
-
-// TestLoadPersonaTokenFile_TokenOnlyPersona: the prod-team personas
-// (agent-dev-a / agent-dev-b / agent-pm) ship `token` only — no `env`
-// file. loadPersonaEnvFile's fallback path must populate GITEA_TOKEN /
-// GITEA_USER / GITEA_USER_EMAIL from the token contents + role name so
-// the GIT_ASKPASS helper has something to emit.
-func TestLoadPersonaTokenFile_TokenOnlyPersona(t *testing.T) {
-	root := t.TempDir()
-	roleDir := filepath.Join(root, "agent-dev-a")
-	if err := os.MkdirAll(roleDir, 0o755); err != nil {
-		t.Fatal(err)
-	}
-	if err := os.WriteFile(filepath.Join(roleDir, "token"),
-		[]byte("token-bytes-redacted\n"), 0o600); err != nil {
-		t.Fatal(err)
-	}
-	t.Setenv("MOLECULE_PERSONA_ROOT", root)
-
-	out := map[string]string{}
-	loadPersonaEnvFile("agent-dev-a", out)
-
-	want := map[string]string{
-		"GITEA_TOKEN":      "token-bytes-redacted",
-		"GITEA_USER":       "agent-dev-a",
-		"GITEA_USER_EMAIL": "agent-dev-a@" + gitIdentityEmailDomain,
-	}
-	if len(out) != len(want) {
-		t.Fatalf("got %d keys, want %d: %#v", len(out), len(want), out)
-	}
-	for k, v := range want {
-		if out[k] != v {
-			t.Errorf("out[%q] = %q; want %q", k, out[k], v)
-		}
-	}
-}
-
-// TestLoadPersonaTokenFile_EnvFileWins: when BOTH an env file and a
-// token file exist in the same persona dir, the env file is the more-
-// specific declaration and wins outright — the fallback must not fire
-// at all. This pins precedence so a persona later migrated to the
-// richer env-file form (carrying GITEA_TOKEN_SCOPES / GITEA_SSH_KEY_PATH)
-// doesn't get its token silently overridden by the fallback.
-func TestLoadPersonaTokenFile_EnvFileWins(t *testing.T) {
-	root := t.TempDir()
-	roleDir := filepath.Join(root, "agent-dev-b")
-	if err := os.MkdirAll(roleDir, 0o755); err != nil {
-		t.Fatal(err)
-	}
-	envBody := "GITEA_USER=env-form-user\nGITEA_TOKEN=env-form-token\n" +
-		"GITEA_USER_EMAIL=env-form@example.invalid\nGITEA_TOKEN_SCOPES=write:repository\n"
-	if err := os.WriteFile(filepath.Join(roleDir, "env"), []byte(envBody), 0o600); err != nil {
-		t.Fatal(err)
-	}
-	if err := os.WriteFile(filepath.Join(roleDir, "token"),
-		[]byte("token-form-token\n"), 0o600); err != nil {
-		t.Fatal(err)
-	}
-	t.Setenv("MOLECULE_PERSONA_ROOT", root)
-
-	out := map[string]string{}
-	loadPersonaEnvFile("agent-dev-b", out)
-
-	if out["GITEA_USER"] != "env-form-user" {
-		t.Errorf("env file should win for GITEA_USER; got %q", out["GITEA_USER"])
-	}
-	if out["GITEA_TOKEN"] != "env-form-token" {
-		t.Errorf("env file should win for GITEA_TOKEN; got %q", out["GITEA_TOKEN"])
-	}
-	if out["GITEA_USER_EMAIL"] != "env-form@example.invalid" {
-		t.Errorf("env file should win for GITEA_USER_EMAIL; got %q", out["GITEA_USER_EMAIL"])
-	}
-	if out["GITEA_TOKEN_SCOPES"] != "write:repository" {
-		t.Errorf("env file extras must be preserved; got GITEA_TOKEN_SCOPES=%q", out["GITEA_TOKEN_SCOPES"])
-	}
-}
-
-// TestLoadPersonaTokenFile_NeitherFile: persona dir exists but ships
-// neither env nor token — silent no-op. This is the legitimate case
-// for a partially-provisioned persona during bootstrap; callers expect
-// an empty map, no error, no log noise.
-func TestLoadPersonaTokenFile_NeitherFile(t *testing.T) {
-	root := t.TempDir()
-	roleDir := filepath.Join(root, "agent-pm")
-	if err := os.MkdirAll(roleDir, 0o755); err != nil {
-		t.Fatal(err)
-	}
-	t.Setenv("MOLECULE_PERSONA_ROOT", root)
-
-	out := map[string]string{}
-	loadPersonaEnvFile("agent-pm", out)
-	if len(out) != 0 {
-		t.Errorf("expected empty out when neither env nor token exists; got %#v", out)
-	}
-}
-
-// TestLoadPersonaTokenFile_EmptyToken: a token file with only
-// whitespace must be treated as absent — never emit
-// GITEA_TOKEN="" / GITEA_USER=<role> / GITEA_USER_EMAIL=<role>@... because
-// that would set GITEA_USER without a usable token, and the askpass
-// helper would then prompt with an empty password. Silent no-op is the
-// correct behavior — let downstream auth fall through to its existing
-// "no credentials available" path.
-func TestLoadPersonaTokenFile_EmptyToken(t *testing.T) {
-	root := t.TempDir()
-	roleDir := filepath.Join(root, "agent-dev-a")
-	if err := os.MkdirAll(roleDir, 0o755); err != nil {
-		t.Fatal(err)
-	}
-	// Whitespace-only contents: spaces, tabs, newlines.
-	if err := os.WriteFile(filepath.Join(roleDir, "token"),
-		[]byte("   \t\n  \n"), 0o600); err != nil {
-		t.Fatal(err)
-	}
-	t.Setenv("MOLECULE_PERSONA_ROOT", root)
-
-	out := map[string]string{}
-	loadPersonaEnvFile("agent-dev-a", out)
-	if len(out) != 0 {
-		t.Errorf("expected empty out when token file is whitespace-only; got %#v", out)
-	}
-}
-
-// TestLoadPersonaTokenFile_TrimsWhitespace: tokens shipped from the
-// operator-host bootstrap kit may have a trailing newline (the
-// canonical `printf "%s\n" "$token" > token` shape). The fallback must
-// trim leading + trailing whitespace so the askpass helper emits the
-// raw token bytes — Gitea's PAT validator rejects tokens with embedded
-// whitespace.
-func TestLoadPersonaTokenFile_TrimsWhitespace(t *testing.T) {
-	root := t.TempDir()
-	roleDir := filepath.Join(root, "agent-dev-b")
-	if err := os.MkdirAll(roleDir, 0o755); err != nil {
-		t.Fatal(err)
-	}
-	if err := os.WriteFile(filepath.Join(roleDir, "token"),
-		[]byte("\n  raw-token-bytes  \n\n"), 0o600); err != nil {
-		t.Fatal(err)
-	}
-	t.Setenv("MOLECULE_PERSONA_ROOT", root)
-
-	out := map[string]string{}
-	loadPersonaEnvFile("agent-dev-b", out)
-	if out["GITEA_TOKEN"] != "raw-token-bytes" {
-		t.Errorf("token whitespace not trimmed; got %q", out["GITEA_TOKEN"])
-	}
-}
-
-// TestLoadPersonaTokenFile_RejectsUnsafeRole: defense-in-depth — even
-// in the fallback path, role names that fail isSafeRoleName must not
-// touch the filesystem. Mirrors TestLoadPersonaEnvFile_RejectsTraversal.
-func TestLoadPersonaTokenFile_RejectsUnsafeRole(t *testing.T) {
-	root := t.TempDir()
-	// Plant a token at /tmp/.../token so a bad traversal would reach it.
-	if err := os.WriteFile(filepath.Join(root, "token"),
-		[]byte("stolen-token\n"), 0o600); err != nil {
-		t.Fatal(err)
-	}
-	t.Setenv("MOLECULE_PERSONA_ROOT", filepath.Join(root, "personas"))
-
-	for _, bad := range []string{"..", "../personas", "/abs", "with/slash", "."} {
-		out := map[string]string{}
-		loadPersonaTokenFile(bad, out)
-		if len(out) != 0 {
-			t.Errorf("role %q should have been rejected; got %#v", bad, out)
-		}
-	}
-}
-
-// TestLoadPersonaTokenFile_NilMapSafe: callers pass a fresh map in
-// practice, but defense-in-depth — a nil map must not panic.
-func TestLoadPersonaTokenFile_NilMapSafe(t *testing.T) {
-	defer func() {
-		if r := recover(); r != nil {
-			t.Fatalf("nil map caused panic: %v", r)
-		}
-	}()
-	loadPersonaTokenFile("agent-dev-a", nil)
-}
@@ -0,0 +1,53 @@
+package handlers
+
+// plugins_install_test.go — additional coverage for plugins_install.go.
+//
+// Gaps filled vs. existing test files:
+//   - plugins_install_external_test.go: Install + Uninstall 422 (external runtime) ✓ covered
+//   - plugins_test.go:                 Install 400 (missing source, invalid body, etc.) ✓ covered
+//                                    Uninstall 400 (invalid plugin name, empty name) ✓ covered
+//                                    Download auth gate ✓ covered
+//   - org_import_helpers_test.go:      countWorkspaces, envRequirementKey, sanitizeEnvMembers,
+//                                        flattenAndSortRequirements, collectOrgEnv ✓ covered
+//
+// New test added here:
+//   - Uninstall 503: container not running, no SaaS dispatch.
+//
+// NOTE: validateWorkspaceID is not called inside the Install/Uninstall handlers.
+// UUID validation is the responsibility of the WorkspaceAuth middleware, so no
+// 400 test is needed here for UUID format.
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/require"
+)
+
+// TestPluginUninstall_ContainerNotRunning_Returns503 exercises the 503 path
+// where neither a local Docker container nor a SaaS instance-id dispatch
+// resolves. The handler must return "workspace container not running" — NOT a
+// generic 500 or a misleading 422 (external-runtime) message.
+func TestPluginUninstall_ContainerNotRunning_Returns503(t *testing.T) {
+	// No docker client + no instance-id lookup → falls through to 503.
+	h := NewPluginsHandler(t.TempDir(), nil, nil)
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{
+		{Key: "id", Value: "550e8400-e29b-41d4-a716-446655440000"},
+		{Key: "name", Value: "some-plugin"},
+	}
+	c.Request = httptest.NewRequest("DELETE",
+		"/workspaces/550e8400-e29b-41d4-a716-446655440000/plugins/some-plugin", nil)
+
+	h.Uninstall(c)
+
+	require.Equal(t, http.StatusServiceUnavailable, w.Code)
+	var body map[string]string
+	json.Unmarshal(w.Body.Bytes(), &body)
+	require.Equal(t, "workspace container not running", body["error"])
+}
@@ -0,0 +1,193 @@
+package handlers
+
+import (
+	"bytes"
+	"database/sql"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/DATA-DOG/go-sqlmock"
+	"github.com/gin-gonic/gin"
+)
+
+// patchReq builds a gin context for a PATCH request to /workspaces/:id/abilities.
+func patchReq(id, body string) (*http.Request, *httptest.ResponseRecorder, *gin.Context) {
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: id}}
+	c.Request = httptest.NewRequest("PATCH", "/workspaces/"+id+"/abilities", bytes.NewBufferString(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+	return c.Request, w, c
+}
+
+func TestPatchAbilities_InvalidWorkspaceID(t *testing.T) {
+	setupTestDB(t)
+
+	// "not-a-uuid" fails validateWorkspaceID
+	_, w, c := patchReq("not-a-uuid", `{"broadcast_enabled":true}`)
+	PatchAbilities(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestPatchAbilities_EmptyBody(t *testing.T) {
+	setupTestDB(t)
+	id := "00000000-0000-0000-0000-000000000001"
+
+	// Empty JSON object — no ability fields present
+	_, w, c := patchReq(id, `{}`)
+	PatchAbilities(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d: %s", w.Code, w.Body.String())
+	}
+
+	var resp map[string]string
+	json.Unmarshal(w.Body.Bytes(), &resp)
+	if resp["error"] != "at least one ability field required" {
+		t.Errorf("expected 'at least one ability field required', got %v", resp["error"])
+	}
+}
+
+func TestPatchAbilities_WorkspaceNotFound(t *testing.T) {
+	mock := setupTestDB(t)
+	id := "00000000-0000-0000-0000-000000000002"
+
+	// SELECT EXISTS returns false (workspace does not exist)
+	mock.ExpectQuery(`SELECT EXISTS\(SELECT 1 FROM workspaces WHERE id = \$1 AND status != 'removed'\)`).
+		WithArgs(id).
+		WillReturnRows(sqlmock.NewRows([]string{"exists"}).AddRow(false))
+
+	_, w, c := patchReq(id, `{"broadcast_enabled":true}`)
+	PatchAbilities(c)
+
+	if w.Code != http.StatusNotFound {
+		t.Errorf("expected 404, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestPatchAbilities_SetBroadcastEnabledTrue(t *testing.T) {
+	mock := setupTestDB(t)
+	id := "00000000-0000-0000-0000-000000000003"
+
+	// SELECT EXISTS → true
+	mock.ExpectQuery(`SELECT EXISTS\(SELECT 1 FROM workspaces WHERE id = \$1 AND status != 'removed'\)`).
+		WithArgs(id).
+		WillReturnRows(sqlmock.NewRows([]string{"exists"}).AddRow(true))
+
+	// UPDATE broadcast_enabled = true
+	mock.ExpectExec(`UPDATE workspaces SET broadcast_enabled = \$2, updated_at = now\(\) WHERE id = \$1`).
+		WithArgs(id, true).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	_, w, c := patchReq(id, `{"broadcast_enabled":true}`)
+	PatchAbilities(c)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+
+	var resp map[string]string
+	json.Unmarshal(w.Body.Bytes(), &resp)
+	if resp["status"] != "updated" {
+		t.Errorf("expected status=updated, got %v", resp["status"])
+	}
+}
+
+func TestPatchAbilities_SetTalkToUserEnabledFalse(t *testing.T) {
+	mock := setupTestDB(t)
+	id := "00000000-0000-0000-0000-000000000004"
+
+	// SELECT EXISTS → true
+	mock.ExpectQuery(`SELECT EXISTS\(SELECT 1 FROM workspaces WHERE id = \$1 AND status != 'removed'\)`).
+		WithArgs(id).
+		WillReturnRows(sqlmock.NewRows([]string{"exists"}).AddRow(true))
+
+	// UPDATE talk_to_user_enabled = false
+	mock.ExpectExec(`UPDATE workspaces SET talk_to_user_enabled = \$2, updated_at = now\(\) WHERE id = \$1`).
+		WithArgs(id, false).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	_, w, c := patchReq(id, `{"talk_to_user_enabled":false}`)
+	PatchAbilities(c)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestPatchAbilities_BothFields(t *testing.T) {
+	mock := setupTestDB(t)
+	id := "00000000-0000-0000-0000-000000000005"
+
+	// SELECT EXISTS → true
+	mock.ExpectQuery(`SELECT EXISTS\(SELECT 1 FROM workspaces WHERE id = \$1 AND status != 'removed'\)`).
+		WithArgs(id).
+		WillReturnRows(sqlmock.NewRows([]string{"exists"}).AddRow(true))
+
+	// UPDATE broadcast_enabled = false
+	mock.ExpectExec(`UPDATE workspaces SET broadcast_enabled = \$2, updated_at = now\(\) WHERE id = \$1`).
+		WithArgs(id, false).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	// UPDATE talk_to_user_enabled = true
+	mock.ExpectExec(`UPDATE workspaces SET talk_to_user_enabled = \$2, updated_at = now\(\) WHERE id = \$1`).
+		WithArgs(id, true).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	_, w, c := patchReq(id, `{"broadcast_enabled":false,"talk_to_user_enabled":true}`)
+	PatchAbilities(c)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestPatchAbilities_BroadcastUpdateFails(t *testing.T) {
+	mock := setupTestDB(t)
+	id := "00000000-0000-0000-0000-000000000006"
+
+	// SELECT EXISTS → true
+	mock.ExpectQuery(`SELECT EXISTS\(SELECT 1 FROM workspaces WHERE id = \$1 AND status != 'removed'\)`).
+		WithArgs(id).
+		WillReturnRows(sqlmock.NewRows([]string{"exists"}).AddRow(true))
+
+	// UPDATE fails
+	mock.ExpectExec(`UPDATE workspaces SET broadcast_enabled = \$2, updated_at = now\(\) WHERE id = \$1`).
+		WithArgs(id, true).
+		WillReturnError(sql.ErrConnDone)
+
+	_, w, c := patchReq(id, `{"broadcast_enabled":true}`)
+	PatchAbilities(c)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Errorf("expected 500, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestPatchAbilities_TalkToUserUpdateFails(t *testing.T) {
+	mock := setupTestDB(t)
+	id := "00000000-0000-0000-0000-000000000007"
+
+	// SELECT EXISTS → true
+	mock.ExpectQuery(`SELECT EXISTS\(SELECT 1 FROM workspaces WHERE id = \$1 AND status != 'removed'\)`).
+		WithArgs(id).
+		WillReturnRows(sqlmock.NewRows([]string{"exists"}).AddRow(true))
+
+	// UPDATE broadcast_enabled skipped (not in payload)
+	// UPDATE talk_to_user_enabled fails
+	mock.ExpectExec(`UPDATE workspaces SET talk_to_user_enabled = \$2, updated_at = now\(\) WHERE id = \$1`).
+		WithArgs(id, false).
+		WillReturnError(sql.ErrConnDone)
+
+	_, w, c := patchReq(id, `{"talk_to_user_enabled":false}`)
+	PatchAbilities(c)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Errorf("expected 500, got %d: %s", w.Code, w.Body.String())
+	}
+}
@@ -34,11 +34,13 @@ import (

 // BroadcastHandler is constructed once and shared across requests.
 type BroadcastHandler struct {
-	broadcaster *events.Broadcaster
+	broadcaster events.EventEmitter
 }

 // NewBroadcastHandler creates a BroadcastHandler.
-func NewBroadcastHandler(b *events.Broadcaster) *BroadcastHandler {
+// The emitter is any EventEmitter — the concrete *Broadcaster in production,
+// or a test double in unit tests.
+func NewBroadcastHandler(b events.EventEmitter) *BroadcastHandler {
 	return &BroadcastHandler{broadcaster: b}
 }

@@ -67,7 +67,6 @@ func TestBroadcast_OrgScopedRecipients(t *testing.T) {
 	if w.Code != http.StatusOK {
 		t.Errorf("expected 200, got %d: %s", w.Code, w.Body.String())
 	}
-
 	var resp map[string]interface{}
 	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
 		t.Fatalf("failed to unmarshal response: %v", err)
@@ -206,7 +205,7 @@ func TestBroadcast_Disabled(t *testing.T) {
 	broadcaster := newTestBroadcaster()
 	handler := NewBroadcastHandler(broadcaster)

-	senderID := "00000000-0000-0000-0000-000000000001"
+	senderID := "00000000-0000-0000-0000-000000000003"
 	mock.ExpectQuery(`SELECT name, broadcast_enabled FROM workspaces WHERE id = \$1 AND status != 'removed'`).
 		WithArgs(senderID).
 		WillReturnRows(sqlmock.NewRows([]string{"name", "broadcast_enabled"}).AddRow("Disabled Agent", false))
@@ -237,7 +236,7 @@ func TestBroadcast_EmptyOrg_NoRecipients(t *testing.T) {
 	broadcaster := newTestBroadcaster()
 	handler := NewBroadcastHandler(broadcaster)

-	senderID := "00000000-0000-0000-0000-000000000001" // org root, only workspace in org
+	senderID := "00000000-0000-0000-0000-000000000004" // org root, only workspace in org

 	mock.ExpectQuery(`SELECT name, broadcast_enabled FROM workspaces WHERE id = \$1 AND status != 'removed'`).
 		WithArgs(senderID).
@@ -297,33 +296,12 @@ func TestBroadcast_InvalidWorkspaceID(t *testing.T) {
 	}
 }

-func TestBroadcast_MissingMessage(t *testing.T) {
-	setupTestDB(t)
-	broadcaster := newTestBroadcaster()
-	handler := NewBroadcastHandler(broadcaster)
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "00000000-0000-0000-0000-000000000001"}}
-	c.Request = httptest.NewRequest("POST", "/workspaces/00000000-0000-0000-0000-000000000001/broadcast", bytes.NewBufferString("{}"))
-	c.Request.Header.Set("Content-Type", "application/json")
-
-	handler.Broadcast(c)
-
-	if w.Code != http.StatusBadRequest {
-		t.Errorf("expected 400, got %d: %s", w.Code, w.Body.String())
-	}
-}
-
-// TestBroadcast_OrgRootLookupFails verifies that if the recursive CTE for
-// finding the org root errors, the handler returns 500 instead of proceeding
-// with an un-scoped query that would broadcast to all orgs.
 func TestBroadcast_OrgRootLookupFails(t *testing.T) {
 	mock := setupTestDB(t)
 	broadcaster := newTestBroadcaster()
 	handler := NewBroadcastHandler(broadcaster)

-	senderID := "00000000-0000-0000-0000-000000000001"
+	senderID := "00000000-0000-0000-0000-000000000005"

 	mock.ExpectQuery(`SELECT name, broadcast_enabled FROM workspaces WHERE id = \$1 AND status != 'removed'`).
 		WithArgs(senderID).
@@ -353,16 +331,13 @@ func TestBroadcast_OrgRootLookupFails(t *testing.T) {
 	}
 }

-// TestBroadcast_OrgScoped_SelfBroadcastExcluded verifies that broadcasting
-// from a workspace does not send a broadcast_receive to the sender itself
-// (the sender logs broadcast_sent, not broadcast_receive).
 func TestBroadcast_OrgScoped_SelfBroadcastExcluded(t *testing.T) {
 	mock := setupTestDB(t)
 	broadcaster := newTestBroadcaster()
 	handler := NewBroadcastHandler(broadcaster)

-	senderID := "00000000-0000-0000-0000-000000000001"
-	peerID := "00000000-0000-0000-0000-000000000002"
+	senderID := "00000000-0000-0000-0000-000000000006"
+	peerID := "00000000-0000-0000-0000-000000000007"

 	mock.ExpectQuery(`SELECT name, broadcast_enabled FROM workspaces WHERE id = \$1 AND status != 'removed'`).
 		WithArgs(senderID).
@@ -399,10 +374,145 @@ func TestBroadcast_OrgScoped_SelfBroadcastExcluded(t *testing.T) {
 	}
 }

+// TestBroadcast_RecipientActivityLogFails_SkipsAndContinues: if one recipient's
+// activity_log insert fails, the handler logs the error and continues to the
+// next recipient rather than aborting the whole broadcast.
+func TestBroadcast_RecipientActivityLogFails_SkipsAndContinues(t *testing.T) {
+	mock := setupTestDB(t)
+	broadcaster := newTestBroadcaster()
+	handler := NewBroadcastHandler(broadcaster)
+
+	senderID := "00000000-0000-0000-0000-000000000008"
+	peerA := "00000000-0000-0000-0000-000000000009"
+	peerB := "00000000-0000-0000-0000-00000000000a"
+
+	mock.ExpectQuery(`SELECT name, broadcast_enabled FROM workspaces WHERE id = \$1 AND status != 'removed'`).
+		WithArgs(senderID).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "broadcast_enabled"}).AddRow("Resilient Agent", true))
+
+	mock.ExpectQuery(`WITH RECURSIVE org_chain AS`).
+		WithArgs(senderID).
+		WillReturnRows(sqlmock.NewRows([]string{"root_id"}).AddRow(senderID))
+
+	mock.ExpectQuery(`WITH RECURSIVE org_chain AS`).
+		WithArgs(senderID, senderID).
+		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow(peerA).AddRow(peerB))
+
+	// Peer A fails — handler logs and continues
+	mock.ExpectExec(`INSERT INTO activity_logs`).WithArgs(peerA, senderID, sqlmock.AnyArg()).
+		WillReturnError(context.DeadlineExceeded)
+	// Peer B succeeds
+	mock.ExpectExec(`INSERT INTO activity_logs`).WithArgs(peerB, senderID, sqlmock.AnyArg()).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+	// Sender log succeeds
+	mock.ExpectExec(`INSERT INTO activity_logs`).WithArgs(senderID, sqlmock.AnyArg()).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: senderID}}
+	body := `{"message":"partial delivery"}`
+	c.Request = httptest.NewRequest("POST", "/workspaces/"+senderID+"/broadcast", bytes.NewBufferString(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Broadcast(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var resp map[string]interface{}
+	json.Unmarshal(w.Body.Bytes(), &resp)
+	// Only peerB was delivered
+	if int(resp["delivered"].(float64)) != 1 {
+		t.Errorf("expected delivered=1, got %v", resp["delivered"])
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}
+
+// TestBroadcast_SenderActivityLogFails_StillReturns200: if the sender's own
+// broadcast_sent activity_log insert fails, the handler still returns 200
+// so the caller doesn't retry a broadcast that already partially delivered.
+func TestBroadcast_SenderActivityLogFails_StillReturns200(t *testing.T) {
+	mock := setupTestDB(t)
+	broadcaster := newTestBroadcaster()
+	handler := NewBroadcastHandler(broadcaster)
+
+	senderID := "00000000-0000-0000-0000-00000000000b"
+	peerA := "00000000-0000-0000-0000-00000000000c"
+
+	mock.ExpectQuery(`SELECT name, broadcast_enabled FROM workspaces WHERE id = \$1 AND status != 'removed'`).
+		WithArgs(senderID).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "broadcast_enabled"}).AddRow("Log-Fail Agent", true))
+
+	mock.ExpectQuery(`WITH RECURSIVE org_chain AS`).
+		WithArgs(senderID).
+		WillReturnRows(sqlmock.NewRows([]string{"root_id"}).AddRow(senderID))
+
+	mock.ExpectQuery(`WITH RECURSIVE org_chain AS`).
+		WithArgs(senderID, senderID).
+		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow(peerA))
+
+	// Peer log succeeds
+	mock.ExpectExec(`INSERT INTO activity_logs`).WithArgs(peerA, senderID, sqlmock.AnyArg()).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+	// Sender log FAILS
+	mock.ExpectExec(`INSERT INTO activity_logs`).WithArgs(senderID, sqlmock.AnyArg()).
+		WillReturnError(context.DeadlineExceeded)
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: senderID}}
+	body := `{"message":"log fail test"}`
+	c.Request = httptest.NewRequest("POST", "/workspaces/"+senderID+"/broadcast", bytes.NewBufferString(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Broadcast(c)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200 even on sender log failure, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestBroadcast_MissingMessage(t *testing.T) {
+	setupTestDB(t)
+	broadcaster := newTestBroadcaster()
+	handler := NewBroadcastHandler(broadcaster)
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "00000000-0000-0000-0000-00000000000d"}}
+	c.Request = httptest.NewRequest("POST", "/workspaces/00000000-0000-0000-0000-00000000000d/broadcast", bytes.NewBufferString("{}"))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Broadcast(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestBroadcast_MissingBody(t *testing.T) {
+	setupTestDB(t)
+	broadcaster := newTestBroadcaster()
+	handler := NewBroadcastHandler(broadcaster)
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "00000000-0000-0000-0000-00000000000e"}}
+	c.Request = httptest.NewRequest("POST", "/workspaces/00000000-0000-0000-0000-00000000000e/broadcast", nil)
+	// no Content-Type and no body
+
+	handler.Broadcast(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
 // TestBroadcast_Truncate tests that messages are truncated with the Unicode ellipsis
-// TestBroadcast_Truncate tests that messages are truncated with the Unicode ellipsis
-// character (U+2026) when len(msg) > max. The truncated output is max runes + "…",
-// so truncating a 48-char string at max=20 produces 21 characters (20 runes + "…").
+// character (U+2026) when len(msg) > max. The truncated output is max runes + "…".
 func TestBroadcast_Truncate(t *testing.T) {
 	cases := []struct {
 		msg    string
@@ -410,14 +520,18 @@ func TestBroadcast_Truncate(t *testing.T) {
 		expect string
 	}{
 		{"short", 120, "short"}, // under max — no truncation
-		// exactly120chars (15) + 105 ones = 120 chars; at max=120 → unchanged
+		// exactly 120 chars → unchanged
 		{"exactly120chars1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111", 120, "exactly120chars111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111…"},
-		// "this is a longer mes" = 20 runes; + "…" = 21 chars
+		// 21 runes at max=20 → 20 + "…" = 21 chars
 		{"this is a longer message that needs truncating", 20, "this is a longer mes…"},
 		// at-max boundary: 20 chars at max=20 → no truncation
 		{"exactly twenty chars", 20, "exactly twenty chars"},
 		// over max: 11 chars at max=10 → 10 + "…" = 11
 		{"hello world!", 10, "hello worl…"},
+		// Unicode: 3-rune string at max=3 → unchanged
+		{"日本語", 3, "日本語"},
+		// Empty string → unchanged
+		{"", 120, ""},
 	}
 	for _, tc := range cases {
 		result := broadcastTruncate(tc.msg, tc.max)
@@ -37,6 +37,7 @@ package handlers
 import (
 	"context"
 	"errors"
+	"fmt"
 	"log"
 	"path/filepath"

@@ -132,6 +133,10 @@ func (h *WorkspaceHandler) prepareProvisionContext(
 	// a workspace_secret named GIT_AUTHOR_NAME can override.
 	applyAgentGitIdentity(envVars, payload.Name)
 	applyRuntimeModelEnv(envVars, payload.Runtime, payload.Model)
+	// SSOT for chat-upload limits — see chat_files.go::chatUploadMaxBytes.
+	// Injecting via env keeps the Python workspace runtime caps in
+	// lock-step with the Go cap on every provision. Fixes #1520.
+	applyChatUploadLimits(envVars)
 	if payload.Role != "" {
 		envVars["MOLECULE_AGENT_ROLE"] = payload.Role
 	}
@@ -223,3 +228,28 @@ func (h *WorkspaceHandler) markProvisionFailed(ctx context.Context, workspaceID,
 		log.Printf("markProvisionFailed: db update failed for %s: %v", workspaceID, dbErr)
 	}
 }
+
+// applyChatUploadLimits seeds the chat-upload cap env vars on the
+// workspace container so the Python /internal/chat/uploads/ingest
+// handler parses the multipart form with the same per-file allowance
+// that the Go proxy enforces.
+//
+// Why env-driven (and not, say, a hard-coded Python constant): keeping
+// one Go constant as the source of truth and forwarding it lets
+// operations bump the cap by editing one file + redeploy, instead of
+// editing two files in two languages and risking the drift that
+// shipped #1520 (Go cap 50 MB, Python parser cap 1 MiB — Starlette
+// default — so a 5 MB image always 400'd on parse before per-file
+// enforcement could fire).
+//
+// Pre-existing env wins. If something downstream (a tenant override,
+// a plugin mutator, an A/B experiment) has already set either var,
+// we leave it alone. Default-only injection.
+func applyChatUploadLimits(envVars map[string]string) {
+	if _, set := envVars["CHAT_UPLOAD_MAX_FILE_BYTES"]; !set {
+		envVars["CHAT_UPLOAD_MAX_FILE_BYTES"] = fmt.Sprintf("%d", chatUploadMaxFileBytes)
+	}
+	if _, set := envVars["CHAT_UPLOAD_MAX_TOTAL_BYTES"]; !set {
+		envVars["CHAT_UPLOAD_MAX_TOTAL_BYTES"] = fmt.Sprintf("%d", chatUploadMaxBytes)
+	}
+}
@@ -81,11 +81,11 @@ func TestPositiveMatches(t *testing.T) {
 		fixture      string
 		expectedName string
 	}{
-		{"ghp_" + "EXAMPLE111122223333444455556666777788889999", "github-pat-classic"},
-		{"ghs_" + "EXAMPLE111122223333444455556666777788889999", "github-app-installation-token"},
-		{"gho_" + "EXAMPLE111122223333444455556666777788889999", "github-oauth-user-to-server"},
-		{"ghu_" + "EXAMPLE111122223333444455556666777788889999", "github-oauth-user"},
-		{"ghr_" + "EXAMPLE111122223333444455556666777788889999", "github-oauth-refresh"},
+		{"ghp_EXAMPLE111122223333444455556666777788889999", "github-pat-classic"},
+		{"ghs_EXAMPLE111122223333444455556666777788889999", "github-app-installation-token"},
+		{"gho_EXAMPLE111122223333444455556666777788889999", "github-oauth-user-to-server"},
+		{"ghu_EXAMPLE111122223333444455556666777788889999", "github-oauth-user"},
+		{"ghr_EXAMPLE111122223333444455556666777788889999", "github-oauth-refresh"},
 		{"github_pat_EXAMPLE" + strings.Repeat("1", 80), "github-pat-fine-grained"},
 		{"sk-ant-EXAMPLE" + strings.Repeat("1", 40), "anthropic-api-key"},
 		{"sk-proj-EXAMPLE" + strings.Repeat("1", 40), "openai-project-key"},
@@ -156,7 +156,7 @@ func TestNegativeShapes(t *testing.T) {
 // makes ScanString do its own thing (e.g. accidentally normalise
 // case) would diverge silently.
 func TestScanString_NoOp(t *testing.T) {
-	in := "ghp_" + "EXAMPLE111122223333444455556666777788889999"
+	in := "ghp_EXAMPLE111122223333444455556666777788889999"
 	m1, err1 := ScanBytes([]byte(in))
 	if err1 != nil {
 		t.Fatalf("ScanBytes errored: %v", err1)
@@ -62,19 +62,6 @@ RUN chmod +x ./scripts/molecule-git-token-helper.sh
 COPY scripts/molecule-gh-token-refresh.sh ./scripts/
 RUN chmod +x ./scripts/molecule-gh-token-refresh.sh

-# Generic GIT_ASKPASS helper. Reads HTTPS Basic-Auth credentials from env
-# vars (GIT_HTTP_USERNAME / GIT_HTTP_PASSWORD, with GITEA_USER / GITEA_TOKEN
-# as fallback) and emits them on the git credential-prompt protocol so
-# container-side `git` can authenticate to any private HTTPS remote
-# without on-disk .gitconfig / .git-credentials mutation. The platform
-# provisioner sets GIT_ASKPASS=/usr/local/bin/molecule-askpass via
-# applyAgentGitIdentity (workspace-server/internal/handlers/agent_git_identity.go).
-# Filename is the only project-specific marker; the script body contains
-# no vendor literals and is identical to the script shipped in each
-# open-source workspace template (scripts/git-askpass.sh).
-COPY scripts/molecule-askpass /usr/local/bin/molecule-askpass
-RUN chmod +x /usr/local/bin/molecule-askpass
-
 # Dirs and permissions
 RUN mkdir -p /workspace /plugins /home/agent/.claude /home/agent/.config /home/agent/.local \
    /home/agent/.molecule-token-cache && \
@@ -172,12 +172,6 @@ async def handle_tool_call(name: str, arguments: dict) -> str:
            arguments.get("message", ""),
            workspace_id=arguments.get("workspace_id") or None,
        )
-    elif name == "get_runtime_identity":
-        return await tool_get_runtime_identity()
-    elif name == "update_agent_card":
-        return await tool_update_agent_card(
-            arguments.get("card"),
-        )
    return f"Unknown tool: {name}"


@@ -599,6 +599,28 @@ def _sanitize_for_external(msg: str) -> str:
    import re as _re

    msg = _re.sub(r"(?i)(?:bearer|token|api[_-]?key|sk-)[ :=]+[A-Za-z0-9_/.-]{20,}", "[REDACTED]", msg)
+    # Bare provider key with NO separator after the prefix — a real
+    # `sk-ant-api03-…` / `sk-…` key uses `-` (not `[ :=]`) so the rule
+    # above misses it. Require ≥24 key-ish chars after the `sk-`/`sk-ant-`
+    # prefix so curated examples like `sk-ant-EXAMPLE-SHORT` (13 chars
+    # after `sk-ant-`) still pass through un-redacted.
+    msg = _re.sub(r"(?i)\bsk-(?:ant-)?[A-Za-z0-9_-]{24,}", "[REDACTED]", msg)
+    # JSON-quoted credential values: {"token": "…"} / {"apiKey": "…"} /
+    # {"secret": "…"} / {"password": "…"}. Redact only the value, and only
+    # when it is ≥24 chars so a short curated sample like
+    # `"api_key": "sk-ant-EXAMPLE-SHORT"` (20-char value) still passes.
+    msg = _re.sub(
+        r'(?i)("(?:token|api[_-]?key|secret|password)"\s*:\s*")[^"]{24,}(")',
+        r"\1[REDACTED]\2",
+        msg,
+    )
+    # AWS secret access key in `aws_secret_access_key=…` form (env dumps,
+    # boto tracebacks). The base64-ish value runs until whitespace/quote.
+    msg = _re.sub(
+        r"(?i)(aws_secret_access_key\s*[:=]\s*)\S+",
+        r"\1[REDACTED]",
+        msg,
+    )
    # Absolute paths: /etc/shadow, /home/user/.aws/credentials, etc.
    msg = _re.sub(r"(?:/[^/\s]+){2,}", lambda m: m.group(0) if len(m.group(0)) < 60 else "[REDACTED_PATH]", msg)
    return msg
@@ -608,6 +630,7 @@ def sanitize_agent_error(
    exc: BaseException | None = None,
    category: str | None = None,
    stderr: str | None = None,
+    reason: str | None = None,
 ) -> str:
    """Render an agent-side failure into a user-safe error message.

@@ -615,6 +638,18 @@ def sanitize_agent_error(
    category string (e.g. from `classify_subprocess_error`). If both are
    given, `category` wins. If neither, the tag defaults to "unknown".

+    When ``reason`` is provided (internal#211/#212), it is a *pre-curated,
+    user-actionable, secret-safe* explanation built by the caller from a
+    provider-side failure — e.g. a 403 "Your organization has disabled
+    Claude subscription access · Use an Anthropic API key instead, or ask
+    your admin to enable access" with error code ``oauth_org_not_allowed``.
+    This text is exactly what the user needs to self-serve, so it is
+    surfaced VERBATIM as the message instead of being collapsed to the
+    opaque exception class name. It still passes through the
+    key/token/bearer/path scrubber as a belt-and-braces second pass so a
+    buggy caller can't leak a credential that snuck into the reason.
+    ``reason`` wins over ``stderr``; both lose to neither being set.
+
    When ``stderr`` is provided (e.g. the first ~1 KB of a subprocess stderr
    or HTTP error body), it is sanitized and appended to the output so the
    A2A caller gets actionable context without needing to dig through workspace
@@ -629,6 +664,13 @@ def sanitize_agent_error(
    else:
        tag = "unknown"

+    if reason:
+        # Curated, user-actionable reason — surface it as the message.
+        # Still scrub: a 403/auth/quota message is safe, but the scrubber
+        # is cheap insurance against a caller that didn't curate cleanly.
+        clean = _sanitize_for_external(reason[:_MAX_STDERR_PREVIEW])
+        return f"Agent error ({tag}): {clean}"
+
    if stderr:
        # Truncate and sanitize before including — prevents DoS via
        # a malicious or buggy peer injecting a huge error body, and
@@ -26,9 +26,14 @@ Path safety:
    a colliding name fails fast (the random prefix already makes
    collisions astronomical, but defense-in-depth costs nothing).

-Limits (matches the Go contract from chat_files.go):
-    - 50 MB total request body
-    - 25 MB per file
+Limits (SSOT — matches the Go contract from chat_files.go, injected
+via CHAT_UPLOAD_MAX_TOTAL_BYTES / CHAT_UPLOAD_MAX_FILE_BYTES at
+provision time; falls back to legacy 50 MB / 25 MB when env unset):
+    - CHAT_UPLOAD_MAX_TOTAL_BYTES total request body (default 50 MB)
+    - CHAT_UPLOAD_MAX_FILE_BYTES per file (default 25 MB)
+      ALSO passed as Starlette ``max_part_size`` to override the
+      Starlette-1.0 default of 1 MiB which silently 400'd every
+      upload > 1 MiB before #1520 fix.
    - filename truncated to 100 chars

 Response shape:
@@ -61,14 +66,47 @@ logger = logging.getLogger(__name__)
 # keeps working unchanged.
 CHAT_UPLOAD_DIR = "/workspace/.molecule/chat-uploads"

+def _env_int(name: str, default: int) -> int:
+    """Parse an int from the environment, falling back to ``default``.
+
+    Mis-formatted values (anything ``int()`` rejects) fall back to the
+    default rather than crashing module import — operations needs to be
+    able to roll back a bad env-var push by simply removing the var,
+    not by also fixing a worker that won't boot.
+    """
+    raw = os.environ.get(name)
+    if not raw:
+        return default
+    try:
+        return int(raw)
+    except (TypeError, ValueError):
+        logger.warning("internal_chat_uploads: env %s=%r not an int; using default %d", name, raw, default)
+        return default
+
 # Total-request body cap. multipart/form-data with multiple parts can
 # add ~100 bytes of framing per file; the cap is the bytes hitting the
 # socket, including framing.
-CHAT_UPLOAD_MAX_BYTES = 50 * 1024 * 1024  # 50 MB
+#
+# SSOT (issue #1520): the source of truth is the Go constant
+# chatUploadMaxBytes in workspace-server/internal/handlers/chat_files.go,
+# exported to the workspace container as CHAT_UPLOAD_MAX_TOTAL_BYTES at
+# provision time (workspace_provision_shared.go::applyChatUploadLimits).
+# Unset env → keep the previous 50 MB default so an unprovisioned /
+# locally-run workspace does NOT regress.
+CHAT_UPLOAD_MAX_BYTES = _env_int("CHAT_UPLOAD_MAX_TOTAL_BYTES", 50 * 1024 * 1024)

-# Per-file cap. Keeping per-file under total lets a user attach, say,
-# a 5 MB PDF + 10 small screenshots in a single batch.
-CHAT_UPLOAD_MAX_FILE_BYTES = 25 * 1024 * 1024  # 25 MB
+# Per-file cap. SSOT (issue #1520): exported from the Go side as
+# CHAT_UPLOAD_MAX_FILE_BYTES; default 25 MB if env is unset so an older
+# workspace provisioned before the env-injection landed keeps the
+# legacy ceiling.
+#
+# This value is ALSO passed as Starlette's ``max_part_size`` (see
+# ingest_handler below) — Starlette 1.0 defaults max_part_size to
+# **1 MiB**, which is the actual root cause of #1520: any single file
+# part above 1 MiB raised MultiPartException before per-file enforcement
+# could fire. Wiring max_part_size to the same cap as per-file means
+# the user-visible ceiling is exactly the per-file cap, no surprises.
+CHAT_UPLOAD_MAX_FILE_BYTES = _env_int("CHAT_UPLOAD_MAX_FILE_BYTES", 25 * 1024 * 1024)

 # Conservative {alnum, dot, underscore, dash} character class — anything
 # outside gets rewritten so embedded paths, control chars, newlines,
@@ -146,11 +184,30 @@ async def ingest_handler(request: Request) -> JSONResponse:
                status_code=413,
            )

+    # max_part_size: Starlette 1.0 defaults to 1 MiB. Any single
+    # part above that raises MultiPartException BEFORE per-file
+    # enforcement can run — which silently broke every chat upload
+    # > 1 MiB (issue #1520, fleet-wide P0 2026-05-18). Wire it to
+    # the per-file cap so the user-visible ceiling matches what
+    # the per-file 413 path expects.
    try:
-        form = await request.form(max_files=64, max_fields=32)
+        form = await request.form(
+            max_files=64,
+            max_fields=32,
+            max_part_size=CHAT_UPLOAD_MAX_FILE_BYTES,
+        )
    except Exception as exc:  # multipart parse error
        logger.warning("internal_chat_uploads: multipart parse failed: %s", exc)
-        return JSONResponse({"error": "failed to parse multipart form"}, status_code=400)
+        # Surface the exception detail (feedback_surface_actionable_failure_reason_to_user):
+        # MultiPartException strings ("Part exceeded maximum size of …",
+        # "Invalid boundary", "Too many parts", etc.) contain no secrets
+        # — they describe shape, not content. The 200-char cap is
+        # belt-and-braces against an exception class we haven't seen
+        # whose ``str()`` is unbounded.
+        return JSONResponse(
+            {"error": "failed to parse multipart form", "detail": str(exc)[:200]},
+            status_code=400,
+        )

    # Starlette's FormData allows multiple values per key — `files` may
    # appear multiple times for batched uploads. getlist returns them
@@ -1,35 +0,0 @@
-#!/bin/sh
-# git-askpass helper. Reads HTTPS Basic-Auth credentials from env vars so
-# the deployer can wire git authentication for any private remote without
-# touching ~/.gitconfig or ~/.git-credentials inside the container.
-#
-# Wire-up: set GIT_ASKPASS=/usr/local/bin/molecule-askpass in the
-# container env, then export GIT_HTTP_USERNAME / GIT_HTTP_PASSWORD (or the
-# GITEA_USER / GITEA_TOKEN fallback pair). When git encounters an HTTPS
-# auth challenge on a host that has no credential.helper configured for
-# it, git invokes GIT_ASKPASS twice — once with a "Username for ..."
-# prompt and once with a "Password for ..." prompt. We pattern-match on
-# that prompt and emit the matching env var.
-#
-# No hardcoded hostnames or vendor names — the deployer decides which
-# host these credentials apply to by virtue of setting GIT_ASKPASS only
-# when the target remote is in scope. The helper itself is reusable for
-# any HTTPS git remote.
-#
-# Failure mode: if the env vars are unset, we emit an empty string and
-# let git surface "Authentication failed" — this is intentional, so a
-# misconfigured deployment fails loudly at first push instead of silently
-# falling through to an unrelated credential chain.
-
-case "$1" in
-    Username*)
-        printf '%s\n' "${GIT_HTTP_USERNAME:-${GITEA_USER:-}}"
-        ;;
-    Password*)
-        printf '%s\n' "${GIT_HTTP_PASSWORD:-${GITEA_TOKEN:-}}"
-        ;;
-    *)
-        # Unknown prompt — emit empty and let git decide.
-        printf '\n'
-        ;;
-esac
@@ -788,6 +788,123 @@ def test_sanitize_agent_error_stderr_combined_with_existing_tests():
    assert "workspace logs" in out


+# ─── reason passthrough (internal#211/#212: surface actionable provider error) ───
+
+
+def test_sanitize_agent_error_reason_surfaced_verbatim():
+    """A curated provider reason is shown to the user, not collapsed to the
+    exception class name. This is the internal#211 regression: a 403
+    org-disabled message must reach the canvas."""
+    reason = (
+        "provider HTTP 403 — oauth_org_not_allowed — Your organization has "
+        "disabled Claude subscription access for Claude Code · Use an "
+        "Anthropic API key instead, or ask your admin to enable access"
+    )
+
+    class _ResultErr(Exception):
+        pass
+
+    out = sanitize_agent_error(exc=_ResultErr("opaque"), reason=reason)
+    # The actionable provider guidance and status code must be visible.
+    assert "403" in out
+    assert "oauth_org_not_allowed" in out
+    assert "disabled Claude subscription access" in out
+    assert "ask your admin to enable access" in out
+    # NOT the old opaque form.
+    assert "see workspace logs" not in out
+
+
+def test_sanitize_agent_error_reason_still_scrubs_secrets():
+    """Even on the reason path the key/token scrubber runs — a buggy caller
+    that lets a bearer token into the reason still gets it redacted."""
+    leaky = (
+        "provider HTTP 401 — auth failed — Authorization: Bearer "
+        "PLACEHOLDER_LONG_TOKEN_0123456789abcdefghijklm please re-auth"
+    )
+    out = sanitize_agent_error(reason=leaky)
+    assert "[REDACTED]" in out
+    assert "PLACEHOLDER_LONG_TOKEN_0123456789abcdefghijklm" not in out
+    # The non-secret guidance still survives the scrub.
+    assert "401" in out
+    assert "please re-auth" in out
+
+
+def test_sanitize_agent_error_reason_scrubs_all_secret_formats():
+    """The scrubber must redact every realistic credential shape — not just
+    the `Bearer <tok>` form the original test happened to exercise
+    (internal#212 review finding: bare `sk-ant-api03-…` keys, JSON-quoted
+    "token"/"apiKey" values, and `aws_secret_access_key=` all leaked).
+    All curated/actionable guidance must still survive the scrub.
+    """
+    # 1. Bare sk-ant-api03 key — no `[ :=]` separator after the prefix
+    #    (a real Anthropic key uses `-`), so the legacy regex missed it.
+    bare = (
+        "provider HTTP 401 — auth failed — invalid key "
+        "sk-FAKEPLACEHOLDERabcdefghijklmnopqrstuvwxy0123456789 "
+        "please re-auth"
+    )
+    out = sanitize_agent_error(reason=bare)
+    assert "sk-FAKEPLACEHOLDERabcdefghijklmnopqrstuvwxy0123456789" not in out
+    assert "[REDACTED]" in out
+    assert "401" in out  # actionable status survives
+    assert "please re-auth" in out  # actionable guidance survives
+
+    # 2. JSON-quoted "token" / "apiKey" values.
+    jblob = (
+        'provider error — config dump {"token": '
+        '"abcDEF0123456789ghIJKL0123456789mnopQRST", "apiKey": '
+        '"anon_fakefakefakefakefakefakefakefakefakefake"} — '
+        "use an API key instead"
+    )
+    out = sanitize_agent_error(reason=jblob)
+    assert "abcDEF0123456789ghIJKL0123456789mnopQRST" not in out
+    assert "anon_fakefakefakefakefakefakefakefakefakefake" not in out
+    assert "[REDACTED]" in out
+    assert "use an API key instead" in out  # actionable guidance survives
+
+    # 3. aws_secret_access_key=… form.
+    awsblob = (
+        "provider HTTP 403 — boto credential error "
+        "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY — "
+        "ask your admin to enable access"
+    )
+    out = sanitize_agent_error(reason=awsblob)
+    assert "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" not in out
+    assert "[REDACTED]" in out
+    assert "403" in out  # actionable status survives
+    assert "ask your admin to enable access" in out  # guidance survives
+
+    # 4. Regression: the original Bearer form still redacts.
+    # Uses PLACEHOLDER_LONG_TOKEN (>=40 chars, no sk-ant- prefix) to avoid
+    # triggering the secret-scan workflow pattern
+    # `sk-ant-[A-Za-z0-9_-]{40,}`.
+    bearer = (
+        "provider HTTP 401 — Authorization: Bearer "
+        "PLACEHOLDER_LONG_TOKEN_9876543210abcdefghij re-auth"
+    )
+    out = sanitize_agent_error(reason=bearer)
+    assert "PLACEHOLDER_LONG_TOKEN_9876543210abcdefghij" not in out
+    assert "[REDACTED]" in out
+    assert "re-auth" in out
+
+
+def test_sanitize_agent_error_reason_wins_over_stderr():
+    """When both reason and stderr are passed, the curated reason wins."""
+    out = sanitize_agent_error(
+        reason="provider HTTP 403 — use an API key",
+        stderr="raw subprocess noise that should not be shown",
+    )
+    assert "use an API key" in out
+    assert "raw subprocess noise" not in out
+
+
+def test_sanitize_agent_error_no_reason_unchanged():
+    """Omitting reason preserves the original generic behavior."""
+    out = sanitize_agent_error(exc=ValueError("boom"))
+    assert "ValueError" in out
+    assert "workspace logs" in out
+
+

 # ======================================================================
 # classify_subprocess_error
@@ -299,3 +299,122 @@ def test_symlink_at_target_is_refused(client: TestClient, chat_uploads_dir: Path
    assert r.status_code == 500, r.text
    # Sentinel content unchanged — the symlink wasn't followed.
    assert sentinel.read_bytes() == b"original"
+# ───────────── issue #1520: max_part_size + SSOT env-driven caps ─────────────
+
+
+def test_part_above_starlette_1mib_default_is_accepted(client: TestClient, chat_uploads_dir: Path):
+    """Regression: pre-fix, ANY single multipart part > 1 MiB raised
+    MultiPartException because the ingest handler called
+    ``request.form()`` without ``max_part_size`` and Starlette 1.0's
+    default is 1 MiB (issue #1520, fleet-wide P0 2026-05-18).
+
+    This test sends a 2 MiB part, which is well below the 25 MB default
+    per-file cap but ABOVE the Starlette default, so it pins the fix:
+    we now pass ``max_part_size=CHAT_UPLOAD_MAX_FILE_BYTES`` so the
+    parser uses the same cap the per-file 413 path expects.
+    """
+    payload = b"a" * (2 * 1024 * 1024)  # 2 MiB — > Starlette 1 MiB default
+    r = client.post(
+        "/internal/chat/uploads/ingest",
+        files={"files": ("big-but-allowed.bin", payload)},
+        headers={"Authorization": "Bearer test-secret"},
+    )
+    assert r.status_code == 200, r.text
+    item = r.json()["files"][0]
+    assert item["size"] == len(payload)
+
+
+def test_parse_error_surfaces_exception_detail(client: TestClient):
+    """Per feedback_surface_actionable_failure_reason_to_user: the 400
+    body must include a ``detail`` field naming WHICH multipart error
+    fired. The MultiPartException strings ("Part exceeded maximum size
+    of …", "Invalid boundary", "Too many parts", etc.) describe SHAPE
+    not content — no secrets.
+
+    We trigger a real Starlette MultiPartException by submitting a body
+    whose Content-Type advertises ``multipart/form-data`` but whose
+    body is not a valid multipart envelope — the parser raises before
+    any per-file check can fire.
+    """
+    r = client.post(
+        "/internal/chat/uploads/ingest",
+        content=b"this is not a valid multipart body",
+        headers={
+            "Authorization": "Bearer test-secret",
+            "Content-Type": "multipart/form-data; boundary=----not-a-real-boundary",
+        },
+    )
+    assert r.status_code == 400, r.text
+    body = r.json()
+    assert body["error"] == "failed to parse multipart form"
+    # Detail must be present + non-empty + bounded.
+    assert "detail" in body and isinstance(body["detail"], str)
+    assert body["detail"], "detail must not be empty"
+    assert len(body["detail"]) <= 200, "detail must be bounded"
+
+
+def test_total_cap_413_still_fires_above_per_file_pass(client: TestClient, monkeypatch: pytest.MonkeyPatch):
+    """Total-cap 413 path still works: two parts whose sum exceeds
+    CHAT_UPLOAD_MAX_BYTES but each individually fits the per-file cap.
+    Sanity-check that raising the per-file ceiling didn't accidentally
+    short-circuit the total-cap check.
+    """
+    monkeypatch.setattr(internal_chat_uploads, "CHAT_UPLOAD_MAX_BYTES", 1024)
+    monkeypatch.setattr(internal_chat_uploads, "CHAT_UPLOAD_MAX_FILE_BYTES", 800)
+    r = client.post(
+        "/internal/chat/uploads/ingest",
+        files=[
+            ("files", ("a.bin", b"a" * 600)),
+            ("files", ("b.bin", b"b" * 600)),
+        ],
+        headers={"Authorization": "Bearer test-secret"},
+    )
+    assert r.status_code == 413
+    # Either early (Content-Length pre-parse) or post-parse cumulative path is
+    # acceptable; both messages mention exceeding the total limit.
+    err = r.json()["error"]
+    assert "exceeds" in err and "limit" in err, err
+
+
+def test_env_driven_ssot_overrides_caps(tmp_path: Path, monkeypatch: pytest.MonkeyPatch):
+    """SSOT contract: setting CHAT_UPLOAD_MAX_FILE_BYTES /
+    CHAT_UPLOAD_MAX_TOTAL_BYTES in the environment at module import
+    time changes the module constants. Pin so the
+    workspace_provision_shared.go::applyChatUploadLimits env injection
+    cannot silently drift from what the Python side reads.
+    """
+    import importlib
+
+    monkeypatch.setenv("CHAT_UPLOAD_MAX_FILE_BYTES", str(7 * 1024 * 1024))
+    monkeypatch.setenv("CHAT_UPLOAD_MAX_TOTAL_BYTES", str(13 * 1024 * 1024))
+
+    reloaded = importlib.reload(internal_chat_uploads)
+    try:
+        assert reloaded.CHAT_UPLOAD_MAX_FILE_BYTES == 7 * 1024 * 1024
+        assert reloaded.CHAT_UPLOAD_MAX_BYTES == 13 * 1024 * 1024
+    finally:
+        # Reset to defaults so subsequent tests see clean constants.
+        monkeypatch.delenv("CHAT_UPLOAD_MAX_FILE_BYTES", raising=False)
+        monkeypatch.delenv("CHAT_UPLOAD_MAX_TOTAL_BYTES", raising=False)
+        importlib.reload(internal_chat_uploads)
+
+
+def test_env_driven_ssot_malformed_value_falls_back_to_default(tmp_path: Path, monkeypatch: pytest.MonkeyPatch):
+    """If ops pushes a garbage value the worker still boots with the
+    in-code default (operability over precision — see _env_int
+    docstring). Pin the fallback.
+    """
+    import importlib
+
+    monkeypatch.setenv("CHAT_UPLOAD_MAX_FILE_BYTES", "not-an-int")
+    monkeypatch.setenv("CHAT_UPLOAD_MAX_TOTAL_BYTES", "")  # empty == use default
+
+    reloaded = importlib.reload(internal_chat_uploads)
+    try:
+        # Defaults (legacy 25 MB / 50 MB) come back.
+        assert reloaded.CHAT_UPLOAD_MAX_FILE_BYTES == 25 * 1024 * 1024
+        assert reloaded.CHAT_UPLOAD_MAX_BYTES == 50 * 1024 * 1024
+    finally:
+        monkeypatch.delenv("CHAT_UPLOAD_MAX_FILE_BYTES", raising=False)
+        monkeypatch.delenv("CHAT_UPLOAD_MAX_TOTAL_BYTES", raising=False)
+        importlib.reload(internal_chat_uploads)