test(canvas/mobile): add primitives.test.tsx coverage (19 cases)

Cover StatusDot (size, circle, halo, flexShrink), TierChip (tiers, size variants, flexShrink), Chip (value, label+value, pill shape, soft/accent mode), SectionLabel (text, right slot, uppercase). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
feat(mobile): FilterChips + AgentCard WCAG 2.1 AA accessibility
2026-05-12 09:38:47 +00:00 · 2026-05-12 09:38:47 +00:00 · 2026-05-12 09:38:47 +00:00 · 2026-05-12 09:38:47 +00:00 · 2026-05-12 09:38:47 +00:00 · 2026-05-12 09:38:47 +00:00
183 changed files with 1166 additions and 18340 deletions
@@ -49,16 +49,11 @@ if [ "$MERGED" != "true" ]; then
  exit 0
 fi

-# NOTE: no || true — with set -euo pipefail, jq parse failures (e.g. field
-# missing from API response) propagate as hard errors. Use jq's // operator
-# for graceful defaults instead of bash || true guards. This was re-added by
-# 8c343e3a ("fix(gitea): add || true guards to jq pipelines") — reverted
-# here because the guards mask silent failures that hide malformed API responses.
-MERGE_SHA=$(echo "$PR" | jq -r '.merge_commit_sha // empty')
-MERGED_BY=$(echo "$PR" | jq -r '.merged_by.login // "unknown"')
-TITLE=$(echo "$PR" | jq -r '.title // ""')
-BASE_BRANCH=$(echo "$PR" | jq -r '.base.ref // "main"')
-HEAD_SHA=$(echo "$PR" | jq -r '.head.sha // empty')
+MERGE_SHA=$(echo "$PR" | jq -r '.merge_commit_sha // empty') || true
+MERGED_BY=$(echo "$PR" | jq -r '.merged_by.login // "unknown"') || true
+TITLE=$(echo "$PR" | jq -r '.title // ""') || true
+BASE_BRANCH=$(echo "$PR" | jq -r '.base.ref // "main"') || true
+HEAD_SHA=$(echo "$PR" | jq -r '.head.sha // empty') || true

 if [ -z "$MERGE_SHA" ]; then
  echo "::warning::PR #${PR_NUMBER} merged=true but no merge_commit_sha — cannot evaluate force-merge."
@@ -80,7 +75,7 @@ STATUS=$(curl -sS -H "$AUTH" \
 declare -A CHECK_STATE
 while IFS=$'\t' read -r ctx state; do
  [ -n "$ctx" ] && CHECK_STATE[$ctx]="$state"
-done < <(echo "$STATUS" | jq -r '.statuses // [] | .[] | "\(.context)\t\(.status)"')
+done < <(echo "$STATUS" | jq -r '.statuses // [] | .[] | "\(.context)\t\(.status)"') || true

 # 4. For each required check, was it green at merge? YAML block scalars
 #    (`|`) leave a trailing newline; skip blank/whitespace-only lines.
@@ -102,10 +97,7 @@ fi

 # 5. Emit structured audit event.
 NOW=$(date -u +%Y-%m-%dT%H:%M:%SZ)
-# jq -R (raw input) converts each line to a JSON string; jq -s wraps into array.
-# If FAILED_CHECKS is unexpectedly empty (shouldn't happen — we exit above),
-# this produces []. No || true needed.
-FAILED_JSON=$(printf '%s\n' "${FAILED_CHECKS[@]}" | jq -R . | jq -s .)
+FAILED_JSON=$(printf '%s\n' "${FAILED_CHECKS[@]}" | jq -R . | jq -s .) || true

 # Print as a single-line JSON so Vector's parse_json transform can pick
 # it up cleanly from docker_logs.
@@ -1,369 +0,0 @@
-#!/usr/bin/env python3
-"""gitea-merge-queue — conservative serialized merge bot for Gitea.
-
-Gitea 1.22.6 has auto-merge (`pull_auto_merge`) but no GitHub-style merge
-queue. This script provides the missing serialized policy in user space:
-
-1. Pick the oldest open PR carrying QUEUE_LABEL.
-2. Refuse to act unless main is green.
-3. Refuse fork PRs; the queue may only mutate same-repo branches.
-4. If the PR branch does not contain current main, call Gitea's
-   /pulls/{n}/update endpoint and stop. CI must rerun on the updated head.
-5. If the updated PR head has all required contexts green, merge with the
-   non-bypass merge actor token.
-
-The script is intentionally one-PR-per-run. Workflow/cron concurrency should
-serialize invocations so two green PRs cannot merge against the same main.
-"""
-
-from __future__ import annotations
-
-import argparse
-import dataclasses
-import json
-import os
-import sys
-import urllib.error
-import urllib.parse
-import urllib.request
-from typing import Any
-
-
-def _env(key: str, *, default: str = "") -> str:
-    return os.environ.get(key, default)
-
-
-GITEA_TOKEN = _env("GITEA_TOKEN")
-GITEA_HOST = _env("GITEA_HOST")
-REPO = _env("REPO")
-WATCH_BRANCH = _env("WATCH_BRANCH", default="main")
-QUEUE_LABEL = _env("QUEUE_LABEL", default="merge-queue")
-HOLD_LABEL = _env("HOLD_LABEL", default="merge-queue-hold")
-UPDATE_STYLE = _env("UPDATE_STYLE", default="merge")
-REQUIRED_CONTEXTS_RAW = _env(
-    "REQUIRED_CONTEXTS",
-    default=(
-        "CI / all-required (pull_request),"
-        "sop-checklist / all-items-acked (pull_request)"
-    ),
-)
-
-OWNER, NAME = (REPO.split("/", 1) + [""])[:2] if REPO else ("", "")
-API = f"https://{GITEA_HOST}/api/v1" if GITEA_HOST else ""
-
-
-class ApiError(RuntimeError):
-    pass
-
-
-@dataclasses.dataclass(frozen=True)
-class MergeDecision:
-    ready: bool
-    action: str
-    reason: str
-
-
-def _require_runtime_env() -> None:
-    for key in ("GITEA_TOKEN", "GITEA_HOST", "REPO", "WATCH_BRANCH", "QUEUE_LABEL"):
-        if not os.environ.get(key):
-            sys.stderr.write(f"::error::missing required env var: {key}\n")
-            sys.exit(2)
-    if UPDATE_STYLE not in {"merge", "rebase"}:
-        sys.stderr.write("::error::UPDATE_STYLE must be merge or rebase\n")
-        sys.exit(2)
-
-
-def api(
-    method: str,
-    path: str,
-    *,
-    body: dict | None = None,
-    query: dict[str, str] | None = None,
-    expect_json: bool = True,
-) -> tuple[int, Any]:
-    url = f"{API}{path}"
-    if query:
-        url = f"{url}?{urllib.parse.urlencode(query)}"
-    data = None
-    headers = {
-        "Authorization": f"token {GITEA_TOKEN}",
-        "Accept": "application/json",
-    }
-    if body is not None:
-        data = json.dumps(body).encode("utf-8")
-        headers["Content-Type"] = "application/json"
-    req = urllib.request.Request(url, method=method, data=data, headers=headers)
-    try:
-        with urllib.request.urlopen(req, timeout=30) as resp:
-            raw = resp.read()
-            status = resp.status
-    except urllib.error.HTTPError as exc:
-        raw = exc.read()
-        status = exc.code
-
-    if not (200 <= status < 300):
-        snippet = raw[:500].decode("utf-8", errors="replace") if raw else ""
-        raise ApiError(f"{method} {path} -> HTTP {status}: {snippet}")
-    if not raw:
-        return status, None
-    try:
-        return status, json.loads(raw)
-    except json.JSONDecodeError as exc:
-        if expect_json:
-            raise ApiError(f"{method} {path} -> HTTP {status} non-JSON: {exc}") from exc
-        return status, {"_raw": raw.decode("utf-8", errors="replace")}
-
-
-def required_contexts(raw: str) -> list[str]:
-    return [part.strip() for part in raw.split(",") if part.strip()]
-
-
-def status_state(status: dict) -> str:
-    return str(status.get("status") or status.get("state") or "").lower()
-
-
-def latest_statuses_by_context(statuses: list[dict]) -> dict[str, dict]:
-    latest: dict[str, dict] = {}
-    for status in statuses:
-        context = status.get("context")
-        if isinstance(context, str) and context not in latest:
-            latest[context] = status
-    return latest
-
-
-def required_contexts_green(
-    latest_statuses: dict[str, dict],
-    contexts: list[str],
-) -> tuple[bool, list[str]]:
-    missing_or_bad: list[str] = []
-    for context in contexts:
-        status = latest_statuses.get(context)
-        state = status_state(status or {})
-        if state != "success":
-            missing_or_bad.append(f"{context}={state or 'missing'}")
-    return not missing_or_bad, missing_or_bad
-
-
-def label_names(issue: dict) -> set[str]:
-    return {
-        label["name"]
-        for label in issue.get("labels", [])
-        if isinstance(label, dict) and isinstance(label.get("name"), str)
-    }
-
-
-def choose_next_queued_issue(
-    issues: list[dict],
-    *,
-    queue_label: str,
-    hold_label: str = "",
-) -> dict | None:
-    candidates = []
-    for issue in issues:
-        labels = label_names(issue)
-        if queue_label not in labels:
-            continue
-        if hold_label and hold_label in labels:
-            continue
-        if "pull_request" not in issue:
-            continue
-        candidates.append(issue)
-    candidates.sort(key=lambda issue: (issue.get("created_at") or "", int(issue["number"])))
-    return candidates[0] if candidates else None
-
-
-def pr_contains_base_sha(commits: list[dict], base_sha: str) -> bool:
-    for commit in commits:
-        sha = commit.get("sha") or commit.get("id")
-        if sha == base_sha:
-            return True
-    return False
-
-
-def pr_has_current_base(pr: dict, commits: list[dict], main_sha: str) -> bool:
-    if pr.get("merge_base") == main_sha:
-        return True
-    return pr_contains_base_sha(commits, main_sha)
-
-
-def evaluate_merge_readiness(
-    *,
-    main_status: dict,
-    pr_status: dict,
-    required_contexts: list[str],
-    pr_has_current_base: bool,
-) -> MergeDecision:
-    main_state = str(main_status.get("state") or "").lower()
-    if main_state != "success":
-        return MergeDecision(False, "pause", f"main status is {main_state or 'missing'}")
-    if not pr_has_current_base:
-        return MergeDecision(False, "update", "PR head does not contain current main")
-
-    pr_state = str(pr_status.get("state") or "").lower()
-    if pr_state != "success":
-        return MergeDecision(False, "wait", f"PR combined status is {pr_state or 'missing'}")
-
-    latest = latest_statuses_by_context(pr_status.get("statuses") or [])
-    ok, missing_or_bad = required_contexts_green(latest, required_contexts)
-    if not ok:
-        return MergeDecision(False, "wait", "required contexts not green: " + ", ".join(missing_or_bad))
-    return MergeDecision(True, "merge", "ready")
-
-
-def get_branch_head(branch: str) -> str:
-    _, body = api("GET", f"/repos/{OWNER}/{NAME}/branches/{branch}")
-    commit = body.get("commit") if isinstance(body, dict) else None
-    sha = commit.get("id") if isinstance(commit, dict) else None
-    if not isinstance(sha, str) or len(sha) < 7:
-        raise ApiError(f"branch {branch} response missing commit id")
-    return sha
-
-
-def get_combined_status(sha: str) -> dict:
-    _, body = api("GET", f"/repos/{OWNER}/{NAME}/commits/{sha}/status")
-    if not isinstance(body, dict):
-        raise ApiError(f"status for {sha} response not object")
-    return body
-
-
-def list_queued_issues() -> list[dict]:
-    _, body = api(
-        "GET",
-        f"/repos/{OWNER}/{NAME}/issues",
-        query={
-            "state": "open",
-            "type": "pulls",
-            "labels": QUEUE_LABEL,
-            "limit": "50",
-        },
-    )
-    if not isinstance(body, list):
-        raise ApiError("queued issues response not list")
-    return body
-
-
-def get_pull(pr_number: int) -> dict:
-    _, body = api("GET", f"/repos/{OWNER}/{NAME}/pulls/{pr_number}")
-    if not isinstance(body, dict):
-        raise ApiError(f"PR #{pr_number} response not object")
-    return body
-
-
-def get_pull_commits(pr_number: int) -> list[dict]:
-    _, body = api("GET", f"/repos/{OWNER}/{NAME}/pulls/{pr_number}/commits")
-    if not isinstance(body, list):
-        raise ApiError(f"PR #{pr_number} commits response not list")
-    return body
-
-
-def post_comment(pr_number: int, body: str, *, dry_run: bool) -> None:
-    print(f"::notice::comment PR #{pr_number}: {body.splitlines()[0][:160]}")
-    if dry_run:
-        return
-    api("POST", f"/repos/{OWNER}/{NAME}/issues/{pr_number}/comments", body={"body": body})
-
-
-def update_pull(pr_number: int, *, dry_run: bool) -> None:
-    print(f"::notice::updating PR #{pr_number} with base branch via style={UPDATE_STYLE}")
-    if dry_run:
-        return
-    api(
-        "POST",
-        f"/repos/{OWNER}/{NAME}/pulls/{pr_number}/update",
-        query={"style": UPDATE_STYLE},
-        expect_json=False,
-    )
-
-
-def merge_pull(pr_number: int, *, dry_run: bool) -> None:
-    payload = {
-        "Do": "merge",
-        "MergeTitleField": f"Merge PR #{pr_number} via Gitea merge queue",
-        "MergeMessageField": (
-            "Serialized merge by gitea-merge-queue after current-main, "
-            "SOP, and required CI checks were green."
-        ),
-    }
-    print(f"::notice::merging PR #{pr_number}")
-    if dry_run:
-        return
-    api("POST", f"/repos/{OWNER}/{NAME}/pulls/{pr_number}/merge", body=payload, expect_json=False)
-
-
-def process_once(*, dry_run: bool = False) -> int:
-    contexts = required_contexts(REQUIRED_CONTEXTS_RAW)
-    main_sha = get_branch_head(WATCH_BRANCH)
-    main_status = get_combined_status(main_sha)
-    if str(main_status.get("state") or "").lower() != "success":
-        print(f"::notice::queue paused: {WATCH_BRANCH}@{main_sha[:8]} is not green")
-        return 0
-
-    issue = choose_next_queued_issue(
-        list_queued_issues(),
-        queue_label=QUEUE_LABEL,
-        hold_label=HOLD_LABEL,
-    )
-    if not issue:
-        print("::notice::merge queue empty")
-        return 0
-
-    pr_number = int(issue["number"])
-    pr = get_pull(pr_number)
-    if pr.get("state") != "open":
-        print(f"::notice::PR #{pr_number} is not open; skipping")
-        return 0
-    if pr.get("base", {}).get("ref") != WATCH_BRANCH:
-        post_comment(pr_number, f"merge-queue: skipped; base branch is not `{WATCH_BRANCH}`.", dry_run=dry_run)
-        return 0
-    if pr.get("head", {}).get("repo_id") != pr.get("base", {}).get("repo_id"):
-        post_comment(pr_number, "merge-queue: skipped; fork PRs are not supported by the serialized queue.", dry_run=dry_run)
-        return 0
-
-    head_sha = pr.get("head", {}).get("sha")
-    if not isinstance(head_sha, str) or len(head_sha) < 7:
-        raise ApiError(f"PR #{pr_number} missing head sha")
-    commits = get_pull_commits(pr_number)
-    current_base = pr_has_current_base(pr, commits, main_sha)
-    pr_status = get_combined_status(head_sha)
-    decision = evaluate_merge_readiness(
-        main_status=main_status,
-        pr_status=pr_status,
-        required_contexts=contexts,
-        pr_has_current_base=current_base,
-    )
-
-    print(f"::notice::PR #{pr_number} decision={decision.action}: {decision.reason}")
-    if decision.action == "update":
-        update_pull(pr_number, dry_run=dry_run)
-        post_comment(
-            pr_number,
-            (
-                f"merge-queue: updated this branch with `{WATCH_BRANCH}` at "
-                f"`{main_sha[:12]}`. Waiting for CI on the refreshed head."
-            ),
-            dry_run=dry_run,
-        )
-        return 0
-    if decision.ready:
-        latest_main_sha = get_branch_head(WATCH_BRANCH)
-        if latest_main_sha != main_sha:
-            print(
-                f"::notice::main moved {main_sha[:8]} -> {latest_main_sha[:8]}; "
-                "deferring to next tick"
-            )
-            return 0
-        merge_pull(pr_number, dry_run=dry_run)
-        return 0
-    return 0
-
-
-def main() -> int:
-    parser = argparse.ArgumentParser()
-    parser.add_argument("--dry-run", action="store_true")
-    args = parser.parse_args()
-    _require_runtime_env()
-    return process_once(dry_run=args.dry_run)
-
-
-if __name__ == "__main__":
-    sys.exit(main())
@@ -1,113 +0,0 @@
-#!/usr/bin/env python3
-"""Lint workflow bash for curl status-code capture pollution.
-
-The bad shape is:
-
-    HTTP_CODE=$(curl ... -w '%{http_code}' ... || echo "000")
-
-`curl -w` writes the HTTP code to stdout before returning non-zero, so
-fallback output inside the same command substitution appends another code.
-"""
-from __future__ import annotations
-
-import argparse
-import glob
-import re
-import sys
-from pathlib import Path
-from typing import NamedTuple
-
-
-SELF = ".gitea/workflows/lint-curl-status-capture.yml"
-
-
-class Finding(NamedTuple):
-    path: str
-    snippet: str
-
-
-BAD_STATUS_CAPTURE = re.compile(
-    r"""
-    \$\(\s*
-    curl\b
-    [^)]*
-    -w\s*['"]%\{http_code\}['"]
-    [^)]*
-    \|\|\s*
-    (?:
-        echo\s+['"]?000['"]?
-        |
-        printf\s+['"]000['"]
-    )
-    \s*\)
-    """,
-    re.DOTALL | re.VERBOSE,
-)
-
-
-def _logical_shell(content: str) -> str:
-    """Collapse bash line continuations so one curl command is one string."""
-    return re.sub(r"\\\s*\n\s*", " ", content)
-
-
-def scan_content(path: str, content: str) -> list[Finding]:
-    flat = _logical_shell(content)
-    return [
-        Finding(path=path, snippet=re.sub(r"\s+", " ", match.group(0)).strip()[:160])
-        for match in BAD_STATUS_CAPTURE.finditer(flat)
-    ]
-
-
-def scan_paths(paths: list[str]) -> list[Finding]:
-    findings: list[Finding] = []
-    for path in paths:
-        if path == SELF:
-            continue
-        content = Path(path).read_text(encoding="utf-8")
-        findings.extend(scan_content(path, content))
-    return findings
-
-
-def default_paths() -> list[str]:
-    return sorted(glob.glob(".gitea/workflows/*.yml"))
-
-
-def print_report(findings: list[Finding]) -> None:
-    if not findings:
-        print("OK No curl-status-capture pollution patterns detected")
-        return
-
-    print(f"::error::Found {len(findings)} curl-status-capture pollution site(s):")
-    for finding in findings:
-        print(
-            f"::error file={finding.path}::Curl status-capture pollution: "
-            "'|| echo/printf 000' inside a $(curl ... -w '%{http_code}' ...) "
-            "subshell. On non-2xx or connection failure, curl's -w writes a "
-            "status, then exits non-zero, then the fallback appends another "
-            "status. Fix: route -w into a tempfile so the exit code cannot "
-            "pollute stdout."
-        )
-        print(f"   matched: {finding.snippet}...")
-
-    print()
-    print("Fix template:")
-    print("  set +e")
-    print("  curl ... -w '%{http_code}' >code.txt 2>/dev/null")
-    print("  set -e")
-    print('  HTTP_CODE=$(cat code.txt 2>/dev/null)')
-    print('  [ -z "$HTTP_CODE" ] && HTTP_CODE="000"')
-
-
-def main(argv: list[str] | None = None) -> int:
-    parser = argparse.ArgumentParser()
-    parser.add_argument("paths", nargs="*", help="workflow files to scan")
-    args = parser.parse_args(argv)
-
-    paths = args.paths or default_paths()
-    findings = scan_paths(paths)
-    print_report(findings)
-    return 1 if findings else 0
-
-
-if __name__ == "__main__":
-    raise SystemExit(main())
@@ -1,509 +0,0 @@
-#!/usr/bin/env python3
-"""lint_bp_context_emit_match — Tier 2f per internal#350.
-
-Rule
----
-For a given protected branch, every context in
-`branch_protections/<branch>.status_check_contexts` MUST be emitted
-by at least one workflow in `.gitea/workflows/*.yml`. Two contexts
-match when:
-
-  1. The workflow's `name:` equals the context's workflow-part (the
-     prefix before ` / `).
-  2. Some job in that workflow has a `name:` (or default-fallback
-     job-key) equal to the context's job-part (between ` / ` and
-     ` (`).
-  3. The workflow's `on:` block includes the context's event-part
-     (in parens at the end), with Gitea's event-name mapping:
-        - `pull_request` and `pull_request_target` BOTH emit
-          `(pull_request)` contexts (verified empirically on
-          molecule-core/main).
-        - `push` emits `(push)`.
-
-A BP context with no emitter blocks merges forever — Gitea treats
-absent-as-`pending`, NOT absent-as-`skipped`-as-`success`. This is
-the phantom-required-check class
-(`feedback_phantom_required_check_after_gitea_migration`).
-
-The inverse direction (emitter without BP context) is INFORMATIONAL
-only — Tier 2g handles that direction at PR-time. Flagging it here
-on a daily schedule would falsely surface every transitional state
-during a BP rollout.
-
-How the gate works
------------------
-Daily scheduled run + workflow_dispatch:
-
-  1. GET `branch_protections/{BRANCH}` (needs DRIFT_BOT_TOKEN with
-     repo-admin scope; same persona as ci-required-drift.yml).
-     Graceful-degrade on 403/404 per Tier 2a contract.
-
-  2. Walk `.gitea/workflows/*.yml` via PyYAML AST. For each workflow,
-     enumerate its emitted contexts: `{workflow.name} / {job.name or
-     job-key} ({event})` for each event in `on:` that emits a status.
-
-  3. For each BP context, look for an emitter match. Aggregate
-     orphans.
-
-  4. If orphans exist:
-     - File or PATCH a `[ci-bp-drift]` issue (idempotency contract:
-       search for exact title prefix, edit existing if open).
-     - Apply labels `tier:high` + `ci-bp-drift` (lookup IDs per
-       repo; per `feedback_tier_label_ids_are_per_repo`).
-     - Exit 1.
-
-  5. If no orphans:
-     - Close any existing `[ci-bp-drift]` issue with a clean-state
-       comment.
-     - Exit 0.
-
-Exit codes
----------
-  0 — clean OR API 403/404 (graceful-degrade, surfaces ::error::).
-  1 — at least one BP context has no emitter.
-  2 — env contract violation, workflows-dir missing, or YAML parse
-      error.
-
-Env
---
-  GITEA_TOKEN     — DRIFT_BOT_TOKEN (repo-admin for branch_protections)
-  GITEA_HOST      — e.g. git.moleculesai.app
-  REPO            — owner/name
-  BRANCH          — defaults to `main`
-  WORKFLOWS_DIR   — defaults to `.gitea/workflows`
-  DRIFT_LABEL     — defaults to `ci-bp-drift`
-
-Memory cross-links
------------------
-  - internal#350 (the RFC that specs this lint)
-  - feedback_phantom_required_check_after_gitea_migration
-  - feedback_tier_label_ids_are_per_repo
-  - reference_post_suspension_pipeline
-"""
-from __future__ import annotations
-
-import json
-import os
-import re
-import sys
-import urllib.error
-import urllib.parse
-import urllib.request
-from pathlib import Path
-from typing import Any
-
-try:
-    import yaml
-except ImportError:
-    sys.stderr.write(
-        "::error::PyYAML is required. Install with: pip install PyYAML\n"
-    )
-    sys.exit(2)
-
-
-# Status-check context regex (mirrors lint-required-no-paths.py).
-_CONTEXT_RE = re.compile(
-    r"^(?P<workflow>.+?) / (?P<job>.+) \((?P<event>[^)]+)\)$"
-)
-
-# Map a workflow `on:` event-key to the context's event-part. Gitea's
-# emitter convention (verified on molecule-core):
-#   - pull_request          → `(pull_request)`
-#   - pull_request_target   → `(pull_request)` (same surface)
-#   - push                  → `(push)`
-#   - schedule              → no PR status; scheduled runs don't post
-#     commit-statuses unless the workflow itself does so explicitly.
-#   - workflow_dispatch     → manually dispatched runs may or may not
-#     emit; safest to treat as "no PR status" (informational notice
-#     only).
-_EVENT_MAP = {
-    "pull_request": "pull_request",
-    "pull_request_target": "pull_request",
-    "push": "push",
-}
-
-
-# ---------------------------------------------------------------------------
-# Env
-# ---------------------------------------------------------------------------
-def _env(key: str, default: str | None = None) -> str:
-    v = os.environ.get(key, default)
-    return v if v is not None else ""
-
-
-def _require_env(key: str) -> str:
-    v = os.environ.get(key)
-    if not v:
-        sys.stderr.write(f"::error::missing required env var: {key}\n")
-        sys.exit(2)
-    return v
-
-
-# ---------------------------------------------------------------------------
-# API helper. Mirrors lint-required-no-paths.py's contract: returns
-# (status, payload) tuple with status ∈ {"ok", "not_found", "forbidden",
-# "error"}.
-# ---------------------------------------------------------------------------
-def api(
-    method: str,
-    path: str,
-    *,
-    body: dict | None = None,
-    query: dict[str, str] | None = None,
-) -> tuple[str, Any]:
-    host = _env("GITEA_HOST")
-    token = _env("GITEA_TOKEN")
-    url = f"https://{host}/api/v1{path}"
-    if query:
-        url = f"{url}?{urllib.parse.urlencode(query)}"
-    data = None
-    headers = {
-        "Authorization": f"token {token}",
-        "Accept": "application/json",
-    }
-    if body is not None:
-        data = json.dumps(body).encode("utf-8")
-        headers["Content-Type"] = "application/json"
-    req = urllib.request.Request(
-        url, method=method, data=data, headers=headers
-    )
-    try:
-        with urllib.request.urlopen(req, timeout=30) as resp:
-            raw = resp.read()
-            if not raw:
-                return ("ok", None)
-            return ("ok", json.loads(raw))
-    except urllib.error.HTTPError as e:
-        if e.code == 404:
-            return ("not_found", None)
-        if e.code in (401, 403):
-            return ("forbidden", None)
-        return ("error", None)
-    except (urllib.error.URLError, TimeoutError, json.JSONDecodeError):
-        return ("error", None)
-
-
-# ---------------------------------------------------------------------------
-# Helpers
-# ---------------------------------------------------------------------------
-def _get_on(d: Any) -> Any:
-    """YAML 1.1 boolean quirk: bare `on:` may parse to True. Handle both."""
-    if not isinstance(d, dict):
-        return None
-    if "on" in d:
-        return d["on"]
-    if True in d:
-        return d[True]
-    return None
-
-
-def _on_events(doc: Any) -> set[str]:
-    """Return the set of event keys in a workflow's `on:` block.
-
-    Accepts all three shapes (string / list / mapping). String/list
-    shapes can't carry filters but they DO emit. Returns the
-    Gitea-mapped event names per `_EVENT_MAP`.
-    """
-    on = _get_on(doc)
-    raw_events: set[str] = set()
-    if on is None:
-        return raw_events
-    if isinstance(on, str):
-        raw_events.add(on)
-    elif isinstance(on, list):
-        for e in on:
-            if isinstance(e, str):
-                raw_events.add(e)
-    elif isinstance(on, dict):
-        for k in on:
-            if isinstance(k, str):
-                raw_events.add(k)
-    return {_EVENT_MAP[e] for e in raw_events if e in _EVENT_MAP}
-
-
-def _job_display(jbody: dict, jkey: str) -> str:
-    """Return job's `name:` if set, else fall back to the job-key.
-
-    Gitea formats status contexts with the job's `name:` when set;
-    when unset it uses the job key. Matches lint-required-no-paths
-    convention.
-    """
-    n = jbody.get("name") if isinstance(jbody, dict) else None
-    if isinstance(n, str) and n:
-        return n
-    return jkey
-
-
-def workflow_contexts(doc: Any) -> set[str]:
-    """Return the set of contexts a workflow emits."""
-    contexts: set[str] = set()
-    if not isinstance(doc, dict):
-        return contexts
-    wf_name = doc.get("name")
-    if not isinstance(wf_name, str) or not wf_name:
-        return contexts  # no name => no addressable context
-    events = _on_events(doc)
-    if not events:
-        return contexts
-    jobs = doc.get("jobs")
-    if not isinstance(jobs, dict):
-        return contexts
-    for jkey, jbody in jobs.items():
-        if jkey == "__lines__":  # tolerate line-tracking annotations
-            continue
-        if not isinstance(jbody, dict):
-            continue
-        disp = _job_display(jbody, jkey)
-        for ev in events:
-            contexts.add(f"{wf_name} / {disp} ({ev})")
-    return contexts
-
-
-def parse_context(ctx: str) -> tuple[str, str, str] | None:
-    m = _CONTEXT_RE.match(ctx)
-    if not m:
-        return None
-    return (m.group("workflow"), m.group("job"), m.group("event"))
-
-
-def _iter_workflow_files(wf_dir: Path) -> list[Path]:
-    return sorted(list(wf_dir.glob("*.yml")) + list(wf_dir.glob("*.yaml")))
-
-
-# ---------------------------------------------------------------------------
-# Issue idempotency — search for an open issue with the canonical
-# title prefix; PATCH if found, POST if not. Mirrors ci-required-drift.
-# ---------------------------------------------------------------------------
-def _canonical_title(repo: str, branch: str) -> str:
-    return f"[ci-bp-drift] {repo}/{branch}: BP→emitter mismatch"
-
-
-def _ensure_labels(repo: str, names: list[str]) -> list[int]:
-    status, labels = api("GET", f"/repos/{repo}/labels", query={"limit": "50"})
-    if status != "ok" or not isinstance(labels, list):
-        return []
-    out: list[int] = []
-    by_name = {l["name"]: l["id"] for l in labels if isinstance(l, dict)}
-    for n in names:
-        if n in by_name:
-            out.append(by_name[n])
-    return out
-
-
-def file_or_update_issue(
-    repo: str, branch: str, orphans: list[str], emitter_orphans: list[str]
-) -> None:
-    title = _canonical_title(repo, branch)
-    body_lines = [
-        f"BP→emitter drift detected on `{branch}` at "
-        f"{os.environ.get('GITHUB_RUN_URL', '(run url unavailable)')}.",
-        "",
-        f"## Orphan BP contexts ({len(orphans)})",
-        "",
-        "These contexts are required by branch protection but NO workflow "
-        "emits them. PRs merging into this branch will wait forever for a "
-        "status that never arrives (Gitea treats absent-as-`pending`, NOT "
-        "absent-as-`skipped`). See "
-        "`feedback_phantom_required_check_after_gitea_migration`.",
-        "",
-    ]
-    for o in orphans:
-        body_lines.append(f"- `{o}`")
-    if emitter_orphans:
-        body_lines += [
-            "",
-            f"## Workflows emitting contexts NOT in BP ({len(emitter_orphans)})",
-            "",
-            "Informational — Tier 2g handles this direction at PR-time. "
-            "Listed here for completeness.",
-            "",
-        ]
-        for o in emitter_orphans:
-            body_lines.append(f"- `{o}`")
-    body_lines += [
-        "",
-        "Fix options:",
-        "  1. PATCH `branch_protections/{branch}.status_check_contexts` "
-        "  to remove the orphan.",
-        "  2. Restore the emitting workflow (if it was deleted/renamed).",
-        "",
-        "Linted by `.gitea/workflows/lint-bp-context-emit-match.yml` "
-        "(Tier 2f, internal#350).",
-    ]
-    body = "\n".join(body_lines)
-
-    # Idempotency search — find an open issue with the canonical title.
-    status, hits = api(
-        "GET",
-        f"/repos/{repo}/issues",
-        query={
-            "type": "issues",
-            "state": "open",
-            "q": title,
-        },
-    )
-    existing = None
-    if status == "ok" and isinstance(hits, list):
-        for h in hits:
-            if (
-                isinstance(h, dict)
-                and h.get("state") == "open"
-                and isinstance(h.get("title"), str)
-                and h["title"].startswith(title)
-            ):
-                existing = h
-                break
-
-    label_ids = _ensure_labels(repo, ["ci-bp-drift", "tier:high"])
-
-    if existing:
-        api(
-            "PATCH",
-            f"/repos/{repo}/issues/{existing['number']}",
-            body={"body": body, "labels": label_ids} if label_ids else {"body": body},
-        )
-        print(
-            f"::notice::Updated existing drift issue "
-            f"#{existing['number']}: {existing.get('html_url', '')}"
-        )
-    else:
-        status, posted = api(
-            "POST",
-            f"/repos/{repo}/issues",
-            body={"title": title, "body": body, "labels": label_ids},
-        )
-        if status == "ok" and isinstance(posted, dict):
-            print(
-                f"::notice::Filed new drift issue "
-                f"#{posted.get('number')}: {posted.get('html_url', '')}"
-            )
-
-
-# ---------------------------------------------------------------------------
-# Driver
-# ---------------------------------------------------------------------------
-def run() -> int:
-    _require_env("GITEA_TOKEN")
-    _require_env("GITEA_HOST")
-    repo = _require_env("REPO")
-    branch = _env("BRANCH", "main")
-    wf_dir = Path(_env("WORKFLOWS_DIR", ".gitea/workflows"))
-
-    if not wf_dir.is_dir():
-        sys.stderr.write(f"::error::workflows directory not found: {wf_dir}\n")
-        return 2
-
-    # 1. Pull BP.
-    status, bp = api("GET", f"/repos/{repo}/branch_protections/{branch}")
-    if status == "forbidden":
-        sys.stderr.write(
-            f"::error::GET branch_protections/{branch} returned HTTP 403 — "
-            f"DRIFT_BOT_TOKEN lacks repo-admin scope (Gitea 1.22.6 requires "
-            f"it for this endpoint). Skipping lint with exit 0 to avoid "
-            f"red-X on every run. Fix: grant repo-admin to mc-drift-bot. "
-            f"Per Tier 2a contract.\n"
-        )
-        return 0
-    if status == "not_found":
-        print(
-            f"::notice::branch '{branch}' has no protection configured; "
-            f"nothing to lint."
-        )
-        return 0
-    if status != "ok" or not isinstance(bp, dict):
-        sys.stderr.write(
-            f"::error::branch_protections/{branch} response unexpected; "
-            f"status={status}. Treating as transient; exit 0.\n"
-        )
-        return 0
-
-    bp_contexts: list[str] = list(bp.get("status_check_contexts") or [])
-    if not bp_contexts:
-        print(
-            f"::notice::branch_protections/{branch} has 0 required "
-            f"status_check_contexts; nothing to lint."
-        )
-        return 0
-
-    # 2. Enumerate emitter contexts from all workflows.
-    all_emitter: set[str] = set()
-    for path in _iter_workflow_files(wf_dir):
-        try:
-            doc = yaml.safe_load(path.read_text(encoding="utf-8"))
-        except yaml.YAMLError as e:
-            sys.stderr.write(
-                f"::error file={path}::YAML parse error: {e}; skipping.\n"
-            )
-            continue
-        all_emitter |= workflow_contexts(doc)
-
-    print(
-        f"::notice::Linting {len(bp_contexts)} BP context(s) for {branch} "
-        f"against {len(all_emitter)} workflow-emitted context(s)."
-    )
-
-    bp_set = set(bp_contexts)
-
-    # 3. Find orphans (BP-side: required but no emitter).
-    bp_orphans = sorted(bp_set - all_emitter)
-
-    # Informational: workflow emits but BP doesn't list. Tier 2g
-    # territory at PR-time. We list these as NOTICE only.
-    emitter_orphans = sorted(all_emitter - bp_set)
-
-    if bp_orphans:
-        print(
-            f"::error::Found {len(bp_orphans)} BP context(s) with no "
-            f"emitter — these would block merges forever (Gitea treats "
-            f"absent-as-pending, not skipped):"
-        )
-        for o in bp_orphans:
-            # Closest-match hint: name a workflow whose name-part is a
-            # near-match (lev-1 typo, or same workflow with a different
-            # event).
-            parsed = parse_context(o)
-            hint = ""
-            if parsed:
-                wf, _job, _ev = parsed
-                candidates = sorted(
-                    {c for c in all_emitter if c.startswith(wf + " / ")}
-                )
-                if candidates:
-                    hint = (
-                        f" — closest emitter(s): {', '.join(candidates[:3])}"
-                    )
-            print(f"::error::  - {o}{hint}")
-        if emitter_orphans:
-            print(
-                f"::notice::Also: {len(emitter_orphans)} workflow-emitted "
-                f"context(s) not in BP (informational; Tier 2g handles at "
-                f"PR-time):"
-            )
-            for o in emitter_orphans:
-                print(f"::notice::  - {o}")
-        # File / patch tracking issue.
-        try:
-            file_or_update_issue(repo, branch, bp_orphans, emitter_orphans)
-        except Exception as e:
-            sys.stderr.write(
-                f"::error::failed to file drift issue: {e}\n"
-            )
-        return 1
-
-    if emitter_orphans:
-        print(
-            f"::notice::{len(emitter_orphans)} workflow-emitted context(s) "
-            f"not in BP (informational; Tier 2g handles at PR-time):"
-        )
-        for o in emitter_orphans:
-            print(f"::notice::  - {o}")
-
-    print(
-        f"::notice::BP/emitter match clean: all {len(bp_contexts)} required "
-        f"context(s) have an emitter."
-    )
-    return 0
-
-
-if __name__ == "__main__":
-    sys.exit(run())
@@ -98,13 +98,11 @@ except ImportError:
 # ---------------------------------------------------------------------------
 # Tracker comment regex.
 # Matches: `# mc#1234`, `# internal#42`, `# mc#1234 - description`
-# Also matches trackers embedded mid-sentence: `# see mc#1234 for details`
 # Does NOT match: `# mc1234` (missing inner #), `mc#1234` (no leading
-# comment `#`), `# MC#1234` (case-sensitive). The search is line-wide,
-# not just at the comment-marker prefix — fixes false-negative when
-# the tracker appears mid-sentence (e.g. `internal#350` after prose).
+# `#` comment marker), `# MC#1234` (case-sensitive — `mc` and `internal`
+# are conventional lower-case repo slugs).
 TRACKER_RE = re.compile(
-    r"(?P<slug>mc|internal)#(?P<num>\d+)\b"
+    r"#\s*(?P<slug>mc|internal)#(?P<num>\d+)\b"
 )

 # Truthy continue-on-error values we treat as "true". PyYAML decodes
@@ -1,526 +0,0 @@
-#!/usr/bin/env python3
-"""lint_required_context_exists_in_bp — Tier 2g per internal#350.
-
-Rule
----
-When a PR adds a NEW commit-status emission (a context that didn't
-exist on the base side), the workflow file must carry one of three
-directive comments adjacent to the new job:
-
-  (a) `# bp-required: yes`
-      The new context MUST already be in
-      `branch_protections/<branch>.status_check_contexts`. Verified
-      via Gitea API at PR time.
-
-  (b) `# bp-required: pending #NNN`
-      Acknowledged asymmetry; references an OPEN tracking issue that
-      will follow up with the BP PATCH.
-
-  (c) `# bp-exempt: <free-text reason>`
-      Informational job, not intended to be a required gate.
-
-No directive on a new emitter → FAIL with a 3-option fix-hint.
-
-The class this prevents
-----------------------
-PR#656 added `CI / all-required (pull_request)` as a sentinel context
-that workflows emit, but BP did NOT list it. When `platform-build`
-failed, `all-required` failed, but BP let the PR merge anyway →
-cascade to mc#664. With this lint, PR#656 would have been blocked
-until either the BP PATCH ran alongside OR the author added a
-`bp-required: pending` directive.
-
-Why directives MUST live in the workflow YAML
---------------------------------------------
-The directive comment lives with the emitter so a scheduled
-audit (Tier 2f, daily) can read the same source. PR-body-only
-directives invisibly evaporate on merge — the asymmetry would
-return to undetected. PR-body claims are advisory; workflow-file
-comments are the contract.
-
-How "new emission" is detected
------------------------------
-Diff base..head over `.gitea/workflows/*.yml`. For each YAML file
-that's added or modified:
-  - Parse both base-side and head-side via PyYAML AST.
-  - Enumerate emitted contexts on each side using the same rules as
-    Tier 2f (workflow.name + job.name|key + event-mapping).
-  - `new_contexts = head_contexts - base_contexts`.
-
-If `new_contexts` is empty after de-dup, no rule applies → pass.
-
-Per `feedback_behavior_based_ast_gates`: comment scanning uses raw
-text in a small window around the job-key line, NOT regex over the
-full file. This avoids matching `bp-required:` mentioned in a
-comment unrelated to the new job.
-
-Exit codes
----------
-  0 — no new emissions, all new emissions have valid directives,
-      or BP read errored (graceful-degrade per Tier 2a contract).
-  1 — at least one new emission lacks a directive, or has
-      `bp-required: yes` but the context is missing from BP.
-  2 — env contract violation or YAML parse error.
-
-Env
---
-  BASE_SHA          — PR base SHA
-  HEAD_SHA          — PR head SHA
-  GITEA_TOKEN       — DRIFT_BOT_TOKEN (repo-admin for BP read)
-  GITEA_HOST        — e.g. git.moleculesai.app
-  REPO              — owner/name
-  BRANCH            — defaults to `main`
-  WORKFLOWS_DIR     — defaults to `.gitea/workflows`
-
-Memory cross-links
------------------
-  - internal#350 (the RFC that specs this lint)
-  - PR#656 (the empirical case that prompted Tier 2g)
-  - mc#664 (the surfaced cascade)
-  - feedback_phantom_required_check_after_gitea_migration (Tier 2f cousin)
-  - feedback_behavior_based_ast_gates
-"""
-from __future__ import annotations
-
-import json
-import os
-import re
-import subprocess
-import sys
-import urllib.error
-import urllib.parse
-import urllib.request
-from typing import Any
-
-try:
-    import yaml
-except ImportError:
-    sys.stderr.write(
-        "::error::PyYAML is required. Install with: pip install PyYAML\n"
-    )
-    sys.exit(2)
-
-
-# Directive comment patterns. We match `# bp-required:` OR `# bp-exempt:`,
-# both with optional surrounding whitespace and case-sensitive on the
-# `bp-` prefix (convention).
-BP_REQUIRED_YES_RE = re.compile(
-    r"#\s*bp-required:\s*yes\b", re.IGNORECASE
-)
-BP_REQUIRED_PENDING_RE = re.compile(
-    r"#\s*bp-required:\s*pending\s*#(?P<num>\d+)\b", re.IGNORECASE
-)
-BP_EXEMPT_RE = re.compile(
-    r"#\s*bp-exempt:\s*\S", re.IGNORECASE
-)
-
-
-# Gitea event-mapping (same as Tier 2f).
-_EVENT_MAP = {
-    "pull_request": "pull_request",
-    "pull_request_target": "pull_request",
-    "push": "push",
-}
-
-
-# ---------------------------------------------------------------------------
-# Env
-# ---------------------------------------------------------------------------
-def _env(key: str, default: str | None = None) -> str:
-    v = os.environ.get(key, default)
-    return v if v is not None else ""
-
-
-def _require_env(key: str) -> str:
-    v = os.environ.get(key)
-    if not v:
-        sys.stderr.write(f"::error::missing required env var: {key}\n")
-        sys.exit(2)
-    return v
-
-
-# ---------------------------------------------------------------------------
-# API helper (same contract as Tier 2f).
-# ---------------------------------------------------------------------------
-def api(
-    method: str,
-    path: str,
-    *,
-    body: dict | None = None,
-    query: dict[str, str] | None = None,
-) -> tuple[str, Any]:
-    host = _env("GITEA_HOST")
-    token = _env("GITEA_TOKEN")
-    url = f"https://{host}/api/v1{path}"
-    if query:
-        url = f"{url}?{urllib.parse.urlencode(query)}"
-    data = None
-    headers = {
-        "Authorization": f"token {token}",
-        "Accept": "application/json",
-    }
-    if body is not None:
-        data = json.dumps(body).encode("utf-8")
-        headers["Content-Type"] = "application/json"
-    req = urllib.request.Request(url, method=method, data=data, headers=headers)
-    try:
-        with urllib.request.urlopen(req, timeout=30) as resp:
-            raw = resp.read()
-            if not raw:
-                return ("ok", None)
-            return ("ok", json.loads(raw))
-    except urllib.error.HTTPError as e:
-        if e.code == 404:
-            return ("not_found", None)
-        if e.code in (401, 403):
-            return ("forbidden", None)
-        return ("error", None)
-    except (urllib.error.URLError, TimeoutError, json.JSONDecodeError):
-        return ("error", None)
-
-
-# ---------------------------------------------------------------------------
-# git helpers
-# ---------------------------------------------------------------------------
-def git_show(sha: str, path: str) -> str | None:
-    r = subprocess.run(
-        ["git", "show", f"{sha}:{path}"], capture_output=True, text=True
-    )
-    if r.returncode != 0:
-        return None
-    return r.stdout
-
-
-def git_diff_paths(base: str, head: str) -> list[str]:
-    r = subprocess.run(
-        ["git", "diff", "--name-only", f"{base}..{head}"],
-        capture_output=True,
-        text=True,
-    )
-    if r.returncode != 0:
-        return []
-    return [p for p in r.stdout.splitlines() if p.strip()]
-
-
-# ---------------------------------------------------------------------------
-# Workflow context enumeration (mirror Tier 2f).
-# ---------------------------------------------------------------------------
-def _get_on(d: Any) -> Any:
-    if not isinstance(d, dict):
-        return None
-    if "on" in d:
-        return d["on"]
-    if True in d:
-        return d[True]
-    return None
-
-
-def _on_events(doc: Any) -> set[str]:
-    on = _get_on(doc)
-    raw: set[str] = set()
-    if on is None:
-        return raw
-    if isinstance(on, str):
-        raw.add(on)
-    elif isinstance(on, list):
-        for e in on:
-            if isinstance(e, str):
-                raw.add(e)
-    elif isinstance(on, dict):
-        for k in on:
-            if isinstance(k, str):
-                raw.add(k)
-    return {_EVENT_MAP[e] for e in raw if e in _EVENT_MAP}
-
-
-def _job_display(jbody: dict, jkey: str) -> str:
-    n = jbody.get("name") if isinstance(jbody, dict) else None
-    if isinstance(n, str) and n:
-        return n
-    return jkey
-
-
-def workflow_contexts(doc: Any) -> set[str]:
-    if not isinstance(doc, dict):
-        return set()
-    wf_name = doc.get("name")
-    if not isinstance(wf_name, str) or not wf_name:
-        return set()
-    events = _on_events(doc)
-    if not events:
-        return set()
-    jobs = doc.get("jobs")
-    if not isinstance(jobs, dict):
-        return set()
-    out: set[str] = set()
-    for jkey, jbody in jobs.items():
-        if jkey == "__lines__":
-            continue
-        if not isinstance(jbody, dict):
-            continue
-        disp = _job_display(jbody, jkey)
-        for ev in events:
-            out.add(f"{wf_name} / {disp} ({ev})")
-    return out
-
-
-# ---------------------------------------------------------------------------
-# Find the source line of a job-key in a workflow YAML's raw text.
-# Used to scan for nearby directive comments.
-# ---------------------------------------------------------------------------
-def _find_job_key_line(raw_lines: list[str], jkey: str) -> int | None:
-    """Return 1-based line of `<jkey>:` under jobs:."""
-    in_jobs = False
-    jobs_indent = -1
-    for i, line in enumerate(raw_lines, start=1):
-        stripped = line.lstrip()
-        if stripped.startswith("jobs:"):
-            in_jobs = True
-            jobs_indent = len(line) - len(stripped)
-            continue
-        if in_jobs:
-            # Job key is the next indent level under `jobs:`.
-            indent = len(line) - len(stripped)
-            if stripped and indent <= jobs_indent:
-                # Left the jobs: block
-                in_jobs = False
-                continue
-            if re.match(rf"^\s*{re.escape(jkey)}\s*:", line):
-                return i
-    return None
-
-
-_DIRECTIVE_WINDOW = 3  # lines above the job-key line (inclusive)
-
-
-def find_directive_for_job(
-    raw_text: str, jkey: str
-) -> tuple[str, str | None] | None:
-    """Return (kind, value) tuple for the first directive in a small
-    window above the job-key line.
-
-    kind ∈ {"required-yes", "required-pending", "exempt"}.
-    value is the pending-issue number for required-pending, else None.
-    Returns None if no directive found.
-
-    We scan ABOVE the line only (the convention is the directive
-    precedes the job — matches how `# mc#NNN` comments are placed
-    above `continue-on-error: true`). We don't scan inside the job
-    body because steps can produce false positives.
-    """
-    lines = raw_text.splitlines()
-    line_no = _find_job_key_line(lines, jkey)
-    if line_no is None:
-        return None
-    lo = max(1, line_no - _DIRECTIVE_WINDOW)
-    for i in range(lo, line_no):
-        line = lines[i - 1]
-        m = BP_REQUIRED_PENDING_RE.search(line)
-        if m:
-            return ("required-pending", m.group("num"))
-        if BP_REQUIRED_YES_RE.search(line):
-            return ("required-yes", None)
-        if BP_EXEMPT_RE.search(line):
-            return ("exempt", None)
-    return None
-
-
-# ---------------------------------------------------------------------------
-# Map a context back to its emitting (workflow_path, job_key) pair so
-# we know WHERE to look for the directive comment.
-# ---------------------------------------------------------------------------
-def _resolve_emitter(
-    ctx: str, head_workflows: dict[str, tuple[str, Any]]
-) -> tuple[str, str] | None:
-    """Return (file_path, job_key) emitting ctx, or None."""
-    m = re.match(r"^(?P<wf>.+?) / (?P<job>.+) \((?P<event>[^)]+)\)$", ctx)
-    if not m:
-        return None
-    target_wf = m.group("wf")
-    target_job_disp = m.group("job")
-    for path, (_raw, doc) in head_workflows.items():
-        if not isinstance(doc, dict):
-            continue
-        if doc.get("name") != target_wf:
-            continue
-        jobs = doc.get("jobs") or {}
-        if not isinstance(jobs, dict):
-            continue
-        for jkey, jbody in jobs.items():
-            if jkey == "__lines__":
-                continue
-            if not isinstance(jbody, dict):
-                continue
-            disp = _job_display(jbody, jkey)
-            if disp == target_job_disp:
-                return (path, jkey)
-    return None
-
-
-# ---------------------------------------------------------------------------
-# Driver
-# ---------------------------------------------------------------------------
-def run() -> int:
-    base_sha = _require_env("BASE_SHA")
-    head_sha = _require_env("HEAD_SHA")
-    _require_env("GITEA_TOKEN")
-    _require_env("GITEA_HOST")
-    repo = _require_env("REPO")
-    branch = _env("BRANCH", "main")
-    wf_dir = _env("WORKFLOWS_DIR", ".gitea/workflows")
-
-    # Step 1 — find workflow files changed in the PR.
-    changed = git_diff_paths(base_sha, head_sha)
-    changed_workflows = [
-        p
-        for p in changed
-        if p.startswith(wf_dir + "/")
-        and (p.endswith(".yml") or p.endswith(".yaml"))
-    ]
-    if not changed_workflows:
-        print(
-            "::notice::no workflow file changes in this PR; "
-            "lint-required-context-exists-in-bp skipped."
-        )
-        return 0
-
-    # Step 2 — load base+head + compute new contexts.
-    head_workflows: dict[str, tuple[str, Any]] = {}
-    new_contexts: set[str] = set()
-    for path in changed_workflows:
-        base_raw = git_show(base_sha, path)
-        head_raw = git_show(head_sha, path)
-        if head_raw is None:
-            # File deleted on head — no new emission contribution.
-            continue
-        try:
-            head_doc = yaml.safe_load(head_raw)
-        except yaml.YAMLError as e:
-            sys.stderr.write(
-                f"::error file={path}::YAML parse error on head: {e}\n"
-            )
-            return 2
-        head_workflows[path] = (head_raw, head_doc)
-        head_ctx = workflow_contexts(head_doc)
-        base_ctx: set[str] = set()
-        if base_raw is not None:
-            try:
-                base_doc = yaml.safe_load(base_raw)
-            except yaml.YAMLError:
-                base_doc = None
-            if base_doc is not None:
-                base_ctx = workflow_contexts(base_doc)
-        new_contexts |= (head_ctx - base_ctx)
-
-    if not new_contexts:
-        print(
-            "::notice::no new context emissions detected in this PR; "
-            "lint-required-context-exists-in-bp skipped."
-        )
-        return 0
-
-    # Step 3 — fetch BP context list.
-    status, bp = api("GET", f"/repos/{repo}/branch_protections/{branch}")
-    bp_contexts: set[str] = set()
-    if status == "forbidden":
-        sys.stderr.write(
-            f"::error::GET branch_protections/{branch} returned HTTP 403 — "
-            f"DRIFT_BOT_TOKEN lacks repo-admin scope. Cannot verify "
-            f"bp-required directives; skipping lint with exit 0 per "
-            f"Tier 2a contract. Fix the token, not the lint.\n"
-        )
-        return 0
-    elif status == "not_found":
-        # Branch has no protection — nothing to verify against; the
-        # bp-required: yes directive can't be satisfied. Treat as
-        # graceful-skip rather than red-X.
-        print(
-            f"::notice::branch '{branch}' has no protection; cannot verify "
-            f"bp-required directives. Skipping (exit 0)."
-        )
-        return 0
-    elif status == "ok" and isinstance(bp, dict):
-        bp_contexts = set(bp.get("status_check_contexts") or [])
-    else:
-        sys.stderr.write(
-            f"::error::branch_protections/{branch} response unexpected; "
-            f"status={status}. Treating as transient; exit 0.\n"
-        )
-        return 0
-
-    # Step 4 — validate each new emission's directive.
-    violations: list[str] = []
-    for ctx in sorted(new_contexts):
-        emitter = _resolve_emitter(ctx, head_workflows)
-        if emitter is None:
-            # Shouldn't happen — we just derived ctx from head_workflows.
-            # Belt-and-suspenders fallback.
-            violations.append(
-                f"::error::new emission '{ctx}' (could not resolve emitter "
-                f"file/job — bug in lint?)"
-            )
-            continue
-        file_path, jkey = emitter
-        raw_text, _ = head_workflows[file_path]
-        directive = find_directive_for_job(raw_text, jkey)
-        if directive is None:
-            violations.append(
-                f"::error file={file_path}::lint-required-context-exists-in-bp "
-                f"(Tier 2g): NEW emission `{ctx}` (job '{jkey}') has no "
-                f"directive comment. Add ONE of these comments on the line "
-                f"directly above `{jkey}:` (within {_DIRECTIVE_WINDOW} lines):\n"
-                f"  - `# bp-required: yes` — and ensure the context is "
-                f"already in branch_protections/{branch}.status_check_contexts.\n"
-                f"  - `# bp-required: pending #NNN` — acknowledged asymmetry, "
-                f"references the tracking issue for the BP PATCH.\n"
-                f"  - `# bp-exempt: <reason>` — informational job, not a gate.\n"
-                f"Memory: internal#350 (PR#656 + mc#664 empirical case)."
-            )
-            continue
-        kind, value = directive
-        if kind == "exempt":
-            print(f"::notice::{ctx}: bp-exempt directive present, OK.")
-            continue
-        if kind == "required-pending":
-            print(
-                f"::notice::{ctx}: bp-required: pending #{value} — "
-                f"acknowledged asymmetry, OK."
-            )
-            continue
-        if kind == "required-yes":
-            if ctx in bp_contexts:
-                print(
-                    f"::notice::{ctx}: bp-required: yes, and context is in "
-                    f"BP, OK."
-                )
-            else:
-                violations.append(
-                    f"::error file={file_path}::lint-required-context-exists-in-bp "
-                    f"(Tier 2g): job '{jkey}' has `bp-required: yes` "
-                    f"directive but its emitted context `{ctx}` is NOT in "
-                    f"`branch_protections/{branch}.status_check_contexts`. "
-                    f"FIX: either (a) add `{ctx}` to BP (Owners-tier PATCH), "
-                    f"or (b) downgrade the directive to "
-                    f"`# bp-required: pending #NNN` referencing the tracker "
-                    f"for the pending BP PATCH."
-                )
-
-    if violations:
-        print(
-            f"::error::lint-required-context-exists-in-bp: "
-            f"{len(violations)} violation(s) across "
-            f"{len(changed_workflows)} changed workflow file(s)."
-        )
-        for v in violations:
-            print(v)
-        return 1
-
-    print(
-        f"::notice::lint-required-context-exists-in-bp: "
-        f"{len(new_contexts)} new emission(s) all directive-validated."
-    )
-    return 0
-
-
-if __name__ == "__main__":
-    sys.exit(run())
@@ -620,8 +620,8 @@ def render_status(

    state is "success" if every item has at least one valid ack
    (body section presence is informational only — peer-ack is the
-    real gate).  tier:low PRs receive state="success" (soft-fail — no
-    acks required); the description carries "[info tier:low]" prefix.
+    real gate).  "pending" is reserved for the soft-fail path
+    (tier:low) and is set by the caller.
    """
    n = len(items)
    fully_acked = [
@@ -640,11 +640,8 @@ def render_status(
            shown += f", +{len(missing) - 3}"
        desc_parts.append(f"missing: {shown}")
    if missing_body:
-        shown = ", ".join(missing_body[:3])
-        if len(missing_body) > 3:
-            shown += f", +{len(missing_body) - 3}"
-        desc_parts.append(f"body-unfilled: {shown}")
-    state = "success" if not missing and not missing_body else "failure"
+        desc_parts.append(f"body-unfilled: {len(missing_body)}")
+    state = "success" if not missing else "failure"
    return state, " — ".join(desc_parts)


@@ -776,12 +773,9 @@ def main(argv: list[str] | None = None) -> int:

    state, description = render_status(items, ack_state, body_state)
    mode = get_tier_mode(pr, cfg)
-    if mode == "soft":
-        # tier:low: acks are informational only — post success so BP gate passes.
-        # Description carries "[info tier:low]" prefix so reviewers know acks
-        # were not required (vs a tier:medium+ PR that truly passed all acks).
-        state = "success"
-        description = f"[info tier:low] {description}"
+    if state == "failure" and mode == "soft":
+        state = "pending"
+        description = f"[soft-fail tier:low] {description}"

    # Diagnostics to job log.
    print(f"::notice::PR #{args.pr} author={author} head={head_sha[:7]} mode={mode}")
@@ -1,114 +0,0 @@
-import importlib.util
-import sys
-from pathlib import Path
-
-
-SCRIPT = Path(__file__).resolve().parents[1] / "gitea-merge-queue.py"
-spec = importlib.util.spec_from_file_location("gitea_merge_queue", SCRIPT)
-mq = importlib.util.module_from_spec(spec)
-sys.modules[spec.name] = mq
-spec.loader.exec_module(mq)
-
-
-def test_latest_statuses_dedupes_by_context_newest_first():
-    statuses = [
-        {"context": "CI / all-required (pull_request)", "status": "failure"},
-        {"context": "sop-checklist / all-items-acked (pull_request)", "state": "success"},
-        {"context": "CI / all-required (pull_request)", "status": "success"},
-    ]
-
-    latest = mq.latest_statuses_by_context(statuses)
-
-    assert latest["CI / all-required (pull_request)"]["status"] == "failure"
-    assert latest["sop-checklist / all-items-acked (pull_request)"]["state"] == "success"
-
-
-def test_required_contexts_green_rejects_missing_and_pending():
-    latest = mq.latest_statuses_by_context([
-        {"context": "CI / all-required (pull_request)", "status": "success"},
-        {"context": "sop-checklist / all-items-acked (pull_request)", "status": "pending"},
-    ])
-
-    ok, missing_or_bad = mq.required_contexts_green(
-        latest,
-        [
-            "CI / all-required (pull_request)",
-            "sop-checklist / all-items-acked (pull_request)",
-            "qa-review / approved (pull_request)",
-        ],
-    )
-
-    assert ok is False
-    assert missing_or_bad == [
-        "sop-checklist / all-items-acked (pull_request)=pending",
-        "qa-review / approved (pull_request)=missing",
-    ]
-
-
-def test_choose_next_pr_sorts_by_queue_label_timestamp_then_number():
-    issues = [
-        {
-            "number": 12,
-            "pull_request": {},
-            "labels": [{"name": "merge-queue"}],
-            "created_at": "2026-05-13T05:00:00Z",
-            "updated_at": "2026-05-13T06:00:00Z",
-        },
-        {
-            "number": 9,
-            "pull_request": {},
-            "labels": [{"name": "merge-queue"}],
-            "created_at": "2026-05-13T04:00:00Z",
-            "updated_at": "2026-05-13T07:00:00Z",
-        },
-        {
-            "number": 7,
-            "labels": [{"name": "merge-queue"}],
-            "created_at": "2026-05-13T03:00:00Z",
-        },
-    ]
-
-    selected = mq.choose_next_queued_issue(issues, queue_label="merge-queue")
-
-    assert selected["number"] == 9
-
-
-def test_pr_needs_update_when_base_sha_absent_from_commits():
-    commits = [
-        {"sha": "head"},
-        {"sha": "parent"},
-    ]
-
-    assert mq.pr_contains_base_sha(commits, "mainsha") is False
-    assert mq.pr_contains_base_sha(commits, "parent") is True
-
-
-def test_merge_decision_requires_main_green_pr_green_and_current_base():
-    required = ["CI / all-required (pull_request)"]
-    main_status = {"state": "success", "statuses": []}
-    pr_status = {
-        "state": "success",
-        "statuses": [{"context": "CI / all-required (pull_request)", "status": "success"}],
-    }
-
-    decision = mq.evaluate_merge_readiness(
-        main_status=main_status,
-        pr_status=pr_status,
-        required_contexts=required,
-        pr_has_current_base=True,
-    )
-
-    assert decision.ready is True
-    assert decision.action == "merge"
-
-
-def test_merge_decision_updates_stale_pr_before_merge():
-    decision = mq.evaluate_merge_readiness(
-        main_status={"state": "success", "statuses": []},
-        pr_status={"state": "success", "statuses": [{"context": "CI / all-required (pull_request)", "status": "success"}]},
-        required_contexts=["CI / all-required (pull_request)"],
-        pr_has_current_base=False,
-    )
-
-    assert decision.ready is False
-    assert decision.action == "update"
@@ -410,7 +410,6 @@ class TestRenderStatus(unittest.TestCase):
            self._state_with(all_slugs),
            {it["slug"]: False for it in self.items},
        )
-        self.assertEqual(state, "failure")
        self.assertIn("body-unfilled", desc)


@@ -520,31 +519,6 @@ class TestEndToEndAckFlow(unittest.TestCase):
        self.assertEqual(result_state, "success")
        self.assertIn("7/7", desc)

-    def test_all_acks_still_fail_when_body_section_unfilled(self):
-        items = _items_by_slug()
-        aliases = _numeric_aliases()
-        comments = [
-            _comment("qa-bot", "/sop-ack comprehensive-testing"),
-            _comment("eng-bot", "/sop-ack local-postgres-e2e"),
-            _comment("eng-bot", "/sop-ack staging-smoke"),
-            _comment("mgr-bot", "/sop-ack root-cause"),
-            _comment("eng-bot", "/sop-ack five-axis-review"),
-            _comment("mgr-bot", "/sop-ack no-backwards-compat"),
-            _comment("eng-bot", "/sop-ack memory-consulted"),
-        ]
-
-        def probe(slug, users):
-            return list(users)
-
-        state = sop.compute_ack_state(comments, "alice-author", items, aliases, probe)
-        body = {it["slug"]: True for it in items.values()}
-        body["root-cause"] = False
-        items_list = list(items.values())
-        result_state, desc = sop.render_status(items_list, state, body)
-        self.assertEqual(result_state, "failure")
-        self.assertIn("7/7", desc)
-        self.assertIn("body-unfilled: root-cause", desc)
-

 if __name__ == "__main__":
    unittest.main(verbosity=2)
@@ -1,58 +1,89 @@
-# audit-force-merge — emit `incident.force_merge` to runner stdout when
-# a PR is merged with required-status-checks not green. Vector picks
+# audit-force-merge — emit `incident.force_merge` to the runner log when
+# a PR is merged with required-status checks NOT all green. Vector picks
 # the JSON line off docker_logs and ships to Loki on
 # molecule-canonical-obs (per `reference_obs_stack_phase1`); query as:
 #
 #   {host="operator"} |= "event_type" |= "incident.force_merge" | json
 #
-# Closes the §SOP-6 audit gap (the doc says force-merges write to
-# `structure_events`, but that table lives in the platform DB, not
-# Gitea-side; Loki is the practical equivalent for Gitea Actions
-# events). When the credential / observability stack converges later,
-# this can sync into structure_events from Loki via a backfill job —
-# the structured JSON shape is forward-compatible.
+# Companion to `audit-force-merge.sh` (script-extract pattern, same as
+# sop-tier-check). The audit observes BOTH UI-merged and REST-merged PRs
+# uniformly per `feedback_gh_cli_merge_lies_use_rest`.
 #
-# Logic in `.gitea/scripts/audit-force-merge.sh` per the same script-
-# extract pattern as sop-tier-check.
+# Closes the §SOP-6 audit gap for the molecule-core repo. RFC:
+# internal#219 §6. Mirrors the same-named workflow in
+# molecule-controlplane; design rationale lives in the RFC, not here,
+# to keep the workflow file scannable.

 name: audit-force-merge

 # pull_request_target loads from the base branch — same security model
-# as sop-tier-check. Without this, an attacker could rewrite the
-# workflow on a PR and skip the audit emission for their own
-# force-merge. See `.gitea/workflows/sop-tier-check.yml` for the full
-# rationale.
+# as sop-tier-check. Without this, a PR author could rewrite the
+# workflow on their own PR and skip the audit emission for their own
+# force-merge. The base-branch checkout below ALSO uses
+# `base.sha`, not `base.ref`, so a fast-moving base can't slip a
+# different audit script in under us.
 on:
  pull_request_target:
    types: [closed]

+# `pull-requests: read` + `contents: read` covers everything the script
+# needs (fetch PR + commit statuses). `issues:` deliberately omitted —
+# audit fires-and-forgets to stdout, never opens issues.
+permissions:
+  contents: read
+  pull-requests: read
+
 jobs:
  audit:
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: read
    # Skip when PR is closed without merge — saves a runner.
    if: github.event.pull_request.merged == true
    steps:
      - name: Check out base branch (for the script)
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
+          # base.sha pinning, NOT base.ref — see header rationale.
          ref: ${{ github.event.pull_request.base.sha }}
      - name: Detect force-merge + emit audit event
        env:
-          # Same org-level secret the sop-tier-check workflow uses.
+          # Same org-level secret the sop-tier-check workflow uses;
+          # falls back to the auto-injected GITHUB_TOKEN if the
+          # org-level SOP_TIER_CHECK_TOKEN isn't set on a transitional
+          # repo.
          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
          GITEA_HOST: git.moleculesai.app
          REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          # Required-status-check contexts to evaluate at merge time.
-          # Newline-separated. Mirror this against branch protection
-          # (settings → branches → protected branch → required checks).
+          # Newline-separated. MUST mirror branch protection's
+          # status_check_contexts for protected branches
+          # (currently `main`; `staging` protection forthcoming per
+          # RFC internal#219 Phase 4).
+          #
+          # Initialized 2026-05-11 from the current molecule-core `main`
+          # branch protection:
+          #
+          #   GET /api/v1/repos/molecule-ai/molecule-core/
+          #       branch_protections/main
+          #   → status_check_contexts = [
+          #       "Secret scan / Scan diff for credential-shaped strings (pull_request)",
+          #       "sop-tier-check / tier-check (pull_request)"
+          #     ]
+          #
          # Declared here rather than fetched from /branch_protections
-          # because that endpoint requires admin write — sop-tier-bot is
-          # read-only by design (least-privilege).
+          # because that endpoint requires admin write — sop-tier-bot
+          # is read-only by design (least-privilege per
+          # `feedback_least_privilege_via_workflow_env` / internal#257).
+          # Drift between this env and the real protection list is
+          # auto-detected by `ci-required-drift.yml` (RFC §4 + §6),
+          # which opens a `[ci-drift]` issue within one hour.
+          #
+          # When the protection set changes (e.g. Phase 4 adds the
+          # `ci / all-required (pull_request)` sentinel), update BOTH
+          # branch protection AND this env in the SAME PR; drift-detect
+          # will otherwise file an issue for you.
          REQUIRED_CHECKS: |
+            Secret scan / Scan diff for credential-shaped strings (pull_request)
+            sop-tier-check / tier-check (pull_request)
            CI / all-required (pull_request)
-            sop-checklist / all-items-acked (pull_request)
        run: bash .gitea/scripts/audit-force-merge.sh
@@ -37,7 +37,6 @@ jobs:
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking
    # the PR. Follow-up PR flips this off after surfaced defects are
    # triaged.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -48,7 +48,6 @@ jobs:
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking
    # the PR. Follow-up PR flips this off after surfaced defects are
    # triaged.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
@@ -45,7 +45,6 @@ jobs:
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking
    # the PR. Follow-up PR flips this off after surfaced defects are
    # triaged.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    timeout-minutes: 5
    steps:
@@ -126,7 +126,7 @@ jobs:
    name: Platform (Go)
    needs: changes
    runs-on: ubuntu-latest
-    # mc#774 (interim): re-mask platform-build pending fix-forward. Phase 4
+    # mc#664 (interim): re-mask platform-build pending fix-forward. Phase 4
    # (#656) flipped this to continue-on-error: false based on a Phase-3-masked
    # "green on main 2026-05-12" — the prior continue-on-error: true had
    # been hiding failing tests in workspace-server/internal/handlers/.
@@ -145,11 +145,10 @@ jobs:
    # Time-boxed Option A (90 min) did not fit the cross-cutting scope.
    # This is a sequenced revert→fix→reflip per
    # feedback_strict_root_only_after_class_a emergency clause — NOT
-    # a permanent re-mask. Re-flip blocked on mc#774 fix-forward landing.
+    # a permanent re-mask. Re-flip blocked on mc#664 fix-forward landing.
    # Other 4 #656 flips (changes, canvas-build, shellcheck, python-lint)
    # retain continue-on-error: false; only platform-build regresses.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
-    continue-on-error: true  # mc#774 fix-forward in flight; re-flip when mc#774 lands (PR #669 → rebase after #709)
+    continue-on-error: true  # mc#664 fix-forward in flight; re-flip when tests pass
    defaults:
      run:
        working-directory: workspace-server
@@ -169,13 +168,10 @@ jobs:
        run: go build ./cmd/server
      # CLI (molecli) moved to standalone repo: git.moleculesai.app/molecule-ai/molecule-cli
      - if: needs.changes.outputs.platform == 'true'
-        run: go vet ./...
-      - if: needs.changes.outputs.platform == 'true'
-        name: Install golangci-lint
-        run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.12.2
+        run: go vet ./... || true
      - if: needs.changes.outputs.platform == 'true'
        name: Run golangci-lint
-        run: $(go env GOPATH)/bin/golangci-lint run --timeout 3m ./...
+        run: golangci-lint run --timeout 3m ./... || true
      - if: needs.changes.outputs.platform == 'true'
        name: Diagnostic — per-package verbose 60s
        run: |
@@ -190,7 +186,6 @@ jobs:
          echo "::group::pendinguploads exit=$pu_exit (last 100 lines)"
          tail -100 /tmp/test-pu.log
          echo "::endgroup::"
-        # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
        continue-on-error: true
      - if: needs.changes.outputs.platform == 'true'
        name: Run tests with race detection and coverage
@@ -377,7 +372,6 @@ jobs:
  canvas-deploy-reminder:
    name: Canvas Deploy Reminder
    runs-on: ubuntu-latest
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    needs: [changes, canvas-build]
    # Only fires on direct pushes to main (i.e. after staging→main promotion).
@@ -541,16 +535,12 @@ jobs:
    # explicitly excludes `github.event_name`-gated jobs from F1 (see
    # `.gitea/scripts/ci-required-drift.py::ci_job_names`).
    #
-    # Phase 3 (RFC #219 §1) safety: underlying build jobs carry
-    # continue-on-error: true so their failures are masked to null (2026-05-12: re-enabled mc#774 interim)
-    # (Gitea suppresses status reporting for CoE jobs). This sentinel
-    # runs with continue-on-error: false so it always reports its
-    # result to the API — without this, the required-status entry
-    # (CI / all-required (pull_request)) is never created, which
-    # blocks PR merges. When Phase 3 ends, flip underlying jobs to
-    # continue-on-error: false; this sentinel can then be flipped to
-    # continue-on-error: true if a Phase-4 regression requires it.
-    continue-on-error: false
+    # Phase 3 (RFC #219 §1) safety: continue-on-error here so the sentinel
+    # does not hard-fail and block PRs while the underlying build jobs are
+    # still in Phase 3 (continue-on-error: true suppresses their status to null).
+    # When Phase 3 ends (defects fixed, continue-on-error flipped off on build
+    # jobs), remove continue-on-error here so the sentinel again hard-fails.
+    continue-on-error: true
    runs-on: ubuntu-latest
    timeout-minutes: 1
    needs:
@@ -574,26 +564,17 @@ jobs:
          echo "$results" | python3 -c '
          import json, sys
          ns = json.load(sys.stdin)
-          # Phase 3 masked: jobs with continue-on-error: true may report "failure"
-          # Remove when mc#774 handler test failures are resolved.
-          PHASE3_MASKED = {"platform-build"}
          # Exclude null (Phase 3 suppressed / in-flight) from the bad list.
          bad = [(k, v.get("result")) for k, v in ns.items()
-                 if v.get("result") not in ("success", None, "cancelled", "skipped") and k not in PHASE3_MASKED]
+                 if v.get("result") not in ("success", None)]
          if bad:
              print(f"FAIL: jobs not green:", file=sys.stderr)
              for k, r in bad:
                  print(f"  - {k}: {r}", file=sys.stderr)
              sys.exit(1)
-          pending = [(k, v.get("result")) for k, v in ns.items()
-                     if v.get("result") is None]
-          cancelled = [(k, v.get("result")) for k, v in ns.items()
-                       if v.get("result") == "cancelled"]
+          pending = [(k, v.get("result")) for k, v in ns.items() if v.get("result") is None]
          if pending:
              print(f"WARN: {len(pending)} job(s) still in-flight (result=null): " +
                    ", ".join(k for k, _ in pending), file=sys.stderr)
-          if cancelled:
-              print(f"INFO: {len(cancelled)} job(s) masked by continue-on-error: " +
-                    ", ".join(k for k, _ in cancelled), file=sys.stderr)
          print(f"OK: all {len(ns)} required jobs succeeded (or Phase-3 suppressed)")
          '
@@ -90,7 +90,6 @@ jobs:
    name: Synthetic E2E against staging
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    # Bumped from 12 → 20 (2026-05-04). Tenant user-data install phase
    # (apt-get update + install docker.io/jq/awscli/caddy + snap install
@@ -103,7 +103,6 @@ jobs:
  detect-changes:
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    outputs:
      api: ${{ steps.decide.outputs.api }}
@@ -155,7 +154,6 @@ jobs:
    name: E2E API Smoke Test
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    timeout-minutes: 15
    env:
@@ -166,6 +164,7 @@ jobs:
      # we let Docker assign an ephemeral host port.
      PG_CONTAINER: pg-e2e-api-${{ github.run_id }}-${{ github.run_attempt }}
      REDIS_CONTAINER: redis-e2e-api-${{ github.run_id }}-${{ github.run_attempt }}
+      PORT: "8080"
    steps:
      - name: No-op pass (paths filter excluded this commit)
        if: needs.detect-changes.outputs.api != 'true'
@@ -269,20 +268,6 @@ jobs:
        if: needs.detect-changes.outputs.api == 'true'
        working-directory: workspace-server
        run: go build -o platform-server ./cmd/server
-      - name: Pick platform port
-        if: needs.detect-changes.outputs.api == 'true'
-        run: |
-          PLATFORM_PORT=$(python3 - <<'PY'
-          import socket
-
-          with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
-              s.bind(("127.0.0.1", 0))
-              print(s.getsockname()[1])
-          PY
-          )
-          echo "PORT=${PLATFORM_PORT}" >> "$GITHUB_ENV"
-          echo "BASE=http://127.0.0.1:${PLATFORM_PORT}" >> "$GITHUB_ENV"
-          echo "Platform host port: ${PLATFORM_PORT}"
      - name: Start platform (background)
        if: needs.detect-changes.outputs.api == 'true'
        working-directory: workspace-server
@@ -295,7 +280,7 @@ jobs:
        if: needs.detect-changes.outputs.api == 'true'
        run: |
          for i in $(seq 1 30); do
-            if curl -sf "$BASE/health" > /dev/null; then
+            if curl -sf http://127.0.0.1:8080/health > /dev/null; then
              echo "Platform up after ${i}s"
              exit 0
            fi
@@ -70,7 +70,6 @@ jobs:
  detect-changes:
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    outputs:
      canvas: ${{ steps.decide.outputs.canvas }}
@@ -119,7 +118,6 @@ jobs:
    name: Canvas tabs E2E
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    timeout-minutes: 40

@@ -168,7 +166,6 @@ jobs:

      - name: Install Playwright browsers
        if: needs.detect-changes.outputs.canvas == 'true'
-        timeout-minutes: 10
        run: npx playwright install --with-deps chromium

      - name: Run staging canvas E2E
@@ -84,7 +84,6 @@ jobs:
    name: E2E Staging External Runtime
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    timeout-minutes: 25

@@ -88,20 +88,17 @@ jobs:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 1
-        # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
        continue-on-error: true

      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.11"
-        # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
        continue-on-error: true

      - name: YAML validation (best-effort)
        run: |
          echo "e2e-staging-saas.yml — PR validation: workflow YAML is valid."
          echo "E2E step runs only when provisioning-critical files change."
-        # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
        continue-on-error: true

  # Actual E2E: runs on trunk pushes (main + staging). NOT the PR-fire-only
@@ -112,7 +109,6 @@ jobs:
    # Only runs on trunk pushes. PR paths get pr-validate instead.
    if: github.event.pull_request.base.ref == ''
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    timeout-minutes: 45
    permissions:
@@ -37,7 +37,6 @@ jobs:
    name: Intentional-failure teardown sanity
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    timeout-minutes: 20

@@ -32,21 +32,12 @@ on:
  # iterating all open PRs when PR_NUMBER is empty.
  workflow_dispatch:

-permissions:
-  # read: contents — for checkout (base ref, not PR head for security)
-  # read: pull-requests — for reading PR info via API
-  # write: pull-requests — for posting/updating gate-check comments
-  #   Without this the token cannot POST/PATCH /issues/comments → 403.
-  contents: read
-  pull-requests: write
-
 env:
  GITHUB_SERVER_URL: https://git.moleculesai.app

 jobs:
  gate-check:
    runs-on: ubuntu-latest
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true  # Never block on our own detector failing
    steps:
      - name: Check out BASE ref (never PR-head under pull_request_target)
@@ -77,32 +68,25 @@ jobs:
        if: github.event_name == 'schedule'
        env:
          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
-          REPO: ${{ github.repository }}
        run: |
          set -euo pipefail
          # Fetch all open PRs and run gate-check on each
          # socket.setdefaulttimeout(15): defence-in-depth for missing SOP_TIER_CHECK_TOKEN.
          # gate_check.py uses timeout=15 on every urlopen call; this catches the
          # inline Python polling loop too (issue #603).
-          pr_numbers=$(python3 <<'PY'
-          import json
-          import os
-          import socket
-          import urllib.request
-
-          socket.setdefaulttimeout(15)
-          token = os.environ["GITEA_TOKEN"]
-          repo = os.environ["REPO"]
-          req = urllib.request.Request(
-              f"https://git.moleculesai.app/api/v1/repos/{repo}/pulls?state=open&limit=100",
-              headers={"Authorization": f"token {token}", "Accept": "application/json"},
-          )
-          with urllib.request.urlopen(req) as r:
-              prs = json.loads(r.read())
-          for pr in prs:
-              print(pr["number"])
-          PY
-          )
+          pr_numbers=$(python3 -c "
+            import socket, urllib.request, json, os
+            socket.setdefaulttimeout(15)
+            token = os.environ['GITEA_TOKEN']
+            req = urllib.request.Request(
+                'https://git.moleculesai.app/api/v1/repos/${{ github.repository }}/pulls?state=open&limit=100',
+                headers={'Authorization': f'token {token}', 'Accept': 'application/json'}
+            )
+            with urllib.request.urlopen(req) as r:
+                prs = json.loads(r.read())
+            for pr in prs:
+                print(pr['number'])
+          ")
          for pr in $pr_numbers; do
            echo "Checking PR #$pr..."
            python3 tools/gate-check-v3/gate_check.py \
@@ -1,51 +0,0 @@
-name: gitea-merge-queue
-
-# External serialized merge queue for Gitea 1.22.6.
-#
-# Gitea's `pull_auto_merge` table is not a real merge queue: it does not
-# serialize green PRs against a freshly-tested latest main. This workflow runs
-# the user-space queue bot, one PR per tick, using the non-bypass merge actor.
-#
-# Queue contract:
-#   - add label `merge-queue` to an open same-repo PR
-#   - bot updates stale PR heads with current main, then waits for CI
-#   - bot merges only when current main is green and required PR contexts pass
-#   - add `merge-queue-hold` to pause a queued PR without removing it
-
-on:
-  schedule:
-    - cron: '*/5 * * * *'
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-concurrency:
-  group: gitea-merge-queue-${{ github.repository }}
-  cancel-in-progress: false
-
-jobs:
-  queue:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - name: Check out queue script from main
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event.repository.default_branch }}
-
-      - name: Process one queued PR
-        env:
-          # AUTO_SYNC_TOKEN is the devops-engineer persona PAT. It is the
-          # non-bypass merge actor allowed by branch protection.
-          GITEA_TOKEN: ${{ secrets.AUTO_SYNC_TOKEN }}
-          GITEA_HOST: git.moleculesai.app
-          REPO: ${{ github.repository }}
-          WATCH_BRANCH: ${{ github.event.repository.default_branch }}
-          QUEUE_LABEL: merge-queue
-          HOLD_LABEL: merge-queue-hold
-          UPDATE_STYLE: merge
-          REQUIRED_CONTEXTS: >-
-            CI / all-required (pull_request),
-            sop-checklist / all-items-acked (pull_request)
-        run: python3 .gitea/scripts/gitea-merge-queue.py
@@ -78,8 +78,7 @@ jobs:
  detect-changes:
    name: detect-changes
    runs-on: ubuntu-latest
-    # mc#774 Phase 3 (RFC §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
    continue-on-error: true
    outputs:
      handlers: ${{ steps.filter.outputs.handlers }}
@@ -119,8 +118,7 @@ jobs:
    name: Handlers Postgres Integration
    needs: detect-changes
    runs-on: ubuntu-latest
-    # mc#774 Phase 3 (RFC §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
    continue-on-error: true
    env:
      # Unique name per run so concurrent jobs don't collide on the
@@ -63,7 +63,6 @@ jobs:
  detect-changes:
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    outputs:
      run: ${{ steps.decide.outputs.run }}
@@ -155,7 +154,6 @@ jobs:
    name: Harness Replays
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    timeout-minutes: 30
    steps:
@@ -1,120 +0,0 @@
-name: lint-bp-context-emit-match
-
-# Tier 2f scheduled lint (per mc#774) — detects drift between
-# `branch_protections/<branch>.status_check_contexts` and the set of
-# contexts emitted by `.gitea/workflows/*.yml`.
-#
-# Rule
-# ----
-# For each protected branch context (Source A — BP), there must exist
-# at least one emitting workflow + job pair (Source B — workflow YAML
-# + on:-event mapping) whose runtime status-name maps to it. The
-# inverse direction (emitter without BP context) is informational
-# only — Tier 2g handles that at PR-time.
-#
-# Why this exists
-# ---------------
-# A BP-required context with no emitter blocks merges forever — Gitea
-# 1.22.6 treats absent-as-`pending`, NOT absent-as-`skipped`. The
-# phantom-required-check class previously surfaced as
-# `feedback_phantom_required_check_after_gitea_migration` (a port
-# kept the GitHub context name after rename to Gitea, but no
-# workflow emitted under the new name).
-#
-# This lint catches the same class structurally + a forward case:
-# workflow renamed/deleted while still in BP.
-#
-# Scope
-# -----
-# Scheduled daily. We DON'T run on `pull_request` because (a) the
-# emitter side moves with PR diffs (transitional state false-flags)
-# and (b) Tier 2g handles emitter-side drift at PR-time.
-#
-# Cross-repo
-# ----------
-# Today this runs only on molecule-core/main. Per internal#349
-# (cross-repo BP sweep) Class-D repos will get the same lint after
-# their BP rollouts.
-#
-# Auth
-# ----
-# `GET /repos/.../branch_protections/{branch}` requires repo-admin
-# role on Gitea 1.22.6. We use DRIFT_BOT_TOKEN (same persona as
-# ci-required-drift.yml — `internal#329` provisioning trail).
-# Graceful-degrade per Tier 2a contract: 403/404 → exit 0 with
-# ::error::.
-#
-# Idempotency
-# -----------
-# The drift issue is filed with title prefix
-# `[ci-bp-drift] {repo}/{branch}: BP→emitter mismatch`. The script
-# searches OPEN issues for an exact title-prefix match and PATCHes
-# the existing issue (if any) instead of POSTing a duplicate.
-# Mirrors `ci-required-drift.py`'s contract.
-#
-# Phase contract (RFC internal#219 §1 ladder)
-# -------------------------------------------
-# Lands at `continue-on-error: true` (Phase 3). After 7 days of clean
-# scheduled runs on `main`, flip to `false` so a scheduled failure
-# becomes a hard CI signal.
-#
-# Cross-links
-# -----------
-# - mc#774 (the RFC that specs this lint)
-# - internal#349 (cross-repo BP sweep)
-# - feedback_phantom_required_check_after_gitea_migration
-# - feedback_tier_label_ids_are_per_repo
-# - ci-required-drift.yml (F2 detector, narrower-scope sibling)
-
-on:
-  schedule:
-    # Daily at 03:31 UTC — off-peak, prime-staggered from other
-    # scheduled jobs (ci-required-drift :00 hourly, lint-coe-tracking
-    # 13:11). At 03:31 the CI fleet is quietest in EMEA hours.
-    - cron: '31 3 * * *'
-  workflow_dispatch:
-  # No `push` / `pull_request` here — Tier 2g owns PR-time drift.
-
-env:
-  GITHUB_SERVER_URL: https://git.moleculesai.app
-
-permissions:
-  contents: read
-  issues: write  # needed to file/edit the drift issue
-
-concurrency:
-  group: lint-bp-context-emit-match-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  lint:
-    name: lint-bp-context-emit-match
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    # Phase 3 (RFC #219 §1): surface drift without blocking. After 7
-    # clean scheduled runs on main, flip to false so a scheduled
-    # failure is a hard CI signal.
-    continue-on-error: true  # mc#774 Phase 3 — flip to false after 7 clean main runs
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5.6.0
-        with:
-          python-version: '3.12'
-      - name: Install PyYAML
-        run: python -m pip install --quiet 'PyYAML==6.0.2'
-      - name: Run lint-bp-context-emit-match
-        env:
-          # DRIFT_BOT_TOKEN — repo-admin on this repo (internal#329
-          # provisioning trail). Required for branch_protections read.
-          GITEA_TOKEN: ${{ secrets.DRIFT_BOT_TOKEN }}
-          GITEA_HOST: git.moleculesai.app
-          REPO: ${{ github.repository }}
-          BRANCH: main
-          WORKFLOWS_DIR: .gitea/workflows
-          DRIFT_LABEL: ci-bp-drift
-          GITHUB_RUN_URL: https://git.moleculesai.app/${{ github.repository }}/actions/runs/${{ github.run_id }}
-        run: python3 .gitea/scripts/lint_bp_context_emit_match.py
-      - name: Run lint-bp-context-emit-match unit tests
-        run: |
-          python -m pip install --quiet pytest
-          python3 -m pytest tests/test_lint_bp_context_emit_match.py -v
@@ -1,6 +1,6 @@
 name: lint-continue-on-error-tracking

-# Tier 2e hard-gate lint (per mc#774) — every
+# Tier 2e hard-gate lint (per internal#350) — every
 # `continue-on-error: true` in `.gitea/workflows/*.yml` must carry a
 # `# mc#NNNN` or `# internal#NNNN` tracker comment within 2 lines,
 # the referenced issue must be OPEN, and ≤14 days old.
@@ -8,7 +8,7 @@ name: lint-continue-on-error-tracking
 # Why this exists
 # ---------------
 # `continue-on-error: true` on `platform-build` had been hiding
-# mc#774-class regressions for ~3 weeks before #656 surfaced them on
+# mc#664-class regressions for ~3 weeks before #656 surfaced them on
 # 2026-05-12. A 14-day cap on tracker age forces a review cycle and
 # surfaces mask-drift within at most 14 days of the original defect.
 # Each `continue-on-error: true` gets a paper trail — close or renew.
@@ -45,12 +45,12 @@ name: lint-continue-on-error-tracking
 # close-and-flip, or document the deliberate keep-mask in a fresh
 # 14-day-renewable tracker. After main is clean for 3 days,
 # follow-up PR flips this workflow's continue-on-error to false.
-# Tracking: mc#774.
+# Tracking: internal#350.
 #
 # Cross-links
 # -----------
-# - mc#774 (the RFC that specs this lint)
-# - mc#774 (the empirical masked-3-weeks case)
+# - internal#350 (the RFC that specs this lint)
+# - mc#664 (the empirical masked-3-weeks case)
 # - feedback_chained_defects_in_never_tested_workflows
 # - feedback_behavior_based_ast_gates
 # - feedback_strict_root_only_after_class_a
@@ -96,9 +96,8 @@ jobs:
    # Phase 3 (RFC #219 §1): surface masked defects without blocking
    # PRs. Pre-existing continue-on-error: true directives on main
    # all violate this lint at first — intentional. Flip to false
-    # follow-up after main is clean for 3 days. mc#774.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
-    continue-on-error: true  # mc#774 Phase 3 mask — 14d forced-renewal cadence
+    # follow-up after main is clean for 3 days. internal#350.
+    continue-on-error: true
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5.6.0
@@ -30,16 +30,10 @@ name: Lint curl status-code capture

 on:
  pull_request:
-    paths:
-      - '.gitea/workflows/**'
-      - '.gitea/scripts/lint-curl-status-capture.py'
-      - 'tests/test_lint_curl_status_capture.py'
+    paths: ['.gitea/workflows/**']
  push:
    branches: [main, staging]
-    paths:
-      - '.gitea/workflows/**'
-      - '.gitea/scripts/lint-curl-status-capture.py'
-      - 'tests/test_lint_curl_status_capture.py'
+    paths: ['.gitea/workflows/**']

 env:
  GITHUB_SERVER_URL: https://git.moleculesai.app
@@ -51,10 +45,60 @@ jobs:
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking
    # the PR. Follow-up PR flips this off after surfaced defects are
    # triaged.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Find curl ... -w '%{http_code}' ... || echo "000" subshells
        run: |
-          python3 .gitea/scripts/lint-curl-status-capture.py
+          set -uo pipefail
+          # Multi-line aware: look for `$(curl ... -w '%{http_code}' ... || echo "000")`
+          # subshell where the entire command-substitution wraps a curl that
+          # ends with `|| echo "000"`. Must distinguish from the SAFE shape
+          # `$(cat tempfile 2>/dev/null || echo "000")` — `cat` with a missing
+          # tempfile produces empty stdout, no pollution.
+          python3 <<'PY'
+          import os, re, sys, glob
+
+          BAD_FILES = []
+
+          # Match the buggy substitution across newlines: $(curl ... -w '%{http_code}' ... || echo "000")
+          # The `\\n` is the bash line-continuation that lets curl flags span lines.
+          # We collapse continuation lines first, then look for the single-line bad pattern.
+          PATTERN = re.compile(
+              r'\$\(\s*curl\b[^)]*-w\s*[\'"]%\{http_code\}[\'"][^)]*\|\|\s*echo\s+"000"\s*\)',
+              re.DOTALL,
+          )
+
+          # Self-skip: this lint workflow contains the literal anti-pattern in
+          # its own docstring — that's intentional, not a bug.
+          SELF = ".gitea/workflows/lint-curl-status-capture.yml"
+
+          for f in sorted(glob.glob(".gitea/workflows/*.yml")):
+              if f == SELF:
+                  continue
+              with open(f) as fh:
+                  content = fh.read()
+              # Collapse bash line-continuations (\\\n + leading whitespace)
+              # into a single logical line so the regex can see the full
+              # curl invocation as one chunk.
+              flat = re.sub(r'\\\s*\n\s*', ' ', content)
+              for m in PATTERN.finditer(flat):
+                  BAD_FILES.append((f, m.group(0)[:120]))
+
+          if not BAD_FILES:
+              print("OK No curl-status-capture pollution patterns detected")
+              sys.exit(0)
+
+          print(f"::error::Found {len(BAD_FILES)} curl-status-capture pollution site(s):")
+          for f, snippet in BAD_FILES:
+              print(f"::error file={f}::Curl status-capture pollution: '|| echo \"000\"' inside a $(curl ... -w '%{{http_code}}' ...) subshell. On non-2xx or connection failure, curl's -w writes a status, then exits non-zero, then the || echo appends another '000' — producing 'HTTP 000000' or '409000' that fails comparisons silently. Fix: route -w into a tempfile so the exit code can't pollute stdout. See memory feedback_curl_status_capture_pollution.md.")
+              print(f"   matched: {snippet}...")
+          print()
+          print("Fix template:")
+          print('  set +e')
+          print('  curl ... -w \'%{http_code}\' >code.txt 2>/dev/null')
+          print('  set -e')
+          print('  HTTP_CODE=$(cat code.txt 2>/dev/null)')
+          print('  [ -z "$HTTP_CODE" ] && HTTP_CODE="000"')
+          sys.exit(1)
+          PY
@@ -1,6 +1,6 @@
 name: lint-mask-pr-atomicity

-# Tier 2d hard-gate lint (per mc#774) — blocks PRs that touch
+# Tier 2d hard-gate lint (per internal#350) — blocks PRs that touch
 # `.gitea/workflows/ci.yml` and modify ONLY ONE of {continue-on-error,
 # all-required.sentinel.needs} without a `Paired: #NNN` reference in
 # the PR body or in a commit message.
@@ -37,13 +37,13 @@ name: lint-mask-pr-atomicity
 # This workflow lands at `continue-on-error: true` (Phase 3 — surface
 # regressions without blocking PRs while the rule beds in).
 # Follow-up PR flips to `false` once we have ≥3 days of clean runs on
-# `main` and no false-positives. Tracking issue: mc#774.
+# `main` and no false-positives. Tracking issue: internal#350.
 #
 # Cross-links
 # -----------
-# - mc#774 (the RFC that specs this lint)
+# - internal#350 (the RFC that specs this lint)
 # - PR#665 / PR#668 (the empirical split-pair)
-# - mc#774 (the main-red incident the split caused)
+# - mc#664 (the main-red incident the split caused)
 # - feedback_strict_root_only_after_class_a
 # - feedback_behavior_based_ast_gates
 #
@@ -91,8 +91,7 @@ jobs:
    # Phase 3 (RFC #219 §1): surface broken shapes without blocking
    # PRs. Follow-up PR flips this to `false` once recent runs on main
    # are confirmed clean (eat-our-own-dogfood discipline mirrors
-    # PR#673's same-shape comment). Tracking: mc#774.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # PR#673's same-shape comment). Tracking: internal#350.
    continue-on-error: true
    steps:
      - name: Check out PR head with full history (need base SHA blobs)
@@ -4,7 +4,7 @@ name: Lint pre-flip continue-on-error
 # on any job in `.gitea/workflows/*.yml` WITHOUT proof that the affected
 # job's recent runs on the target branch (PR base) are actually green.
 #
-# Empirical class: PR #656 / mc#774. PR #656 (RFC internal#219 Phase 4)
+# Empirical class: PR #656 / mc#664. PR #656 (RFC internal#219 Phase 4)
 # flipped 5 platform-build-class jobs `continue-on-error: true → false`
 # on the basis of a "verified green on main via combined-status check".
 # But that "green" was the LIE the prior `continue-on-error: true`
@@ -13,7 +13,7 @@ name: Lint pre-flip continue-on-error
 # job-level status. The precondition the PR claimed to verify was
 # structurally fooled by the bug being flipped.
 #
-# mc#774 captured the surfaced defects (2 mutually-masked regressions):
+# mc#664 captured the surfaced defects (2 mutually-masked regressions):
 #   - Class 1: sqlmock helper drift since 2f36bb9a (24 days old)
 #   - Class 2: OFFSEC-001 contract collision since 7d1a189f (1 day old)
 #
@@ -55,7 +55,7 @@ name: Lint pre-flip continue-on-error
 #   - YAML parse error in one of the workflow files: warn-only,
 #     don't block — the YAML lint workflows catch this separately.
 #
-# Cross-links: PR#656, mc#774, PR#665 (interim re-mask),
+# Cross-links: PR#656, mc#664, PR#665 (interim re-mask),
 # Quirk #10 (internal#342 + dup #287), hongming-pc2 charter
 # §SOP-N rule (e), feedback_strict_root_only_after_class_a,
 # feedback_no_shared_persona_token_use.
@@ -99,8 +99,8 @@ jobs:
    timeout-minutes: 8
    # Phase 3 (RFC internal#219 §1): surface broken flips without blocking
    # the PR yet. Follow-up flips this to `false` once the workflow itself
-    # has clean recent runs on main. mc#774 interim — remove when CoE→false.
-    continue-on-error: true  # mc#774
+    # has clean recent runs on main. mc#664 interim — remove when CoE→false.
+    continue-on-error: true  # mc#664
    steps:
      - name: Check out PR head (full history for base-SHA access)
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
@@ -1,118 +0,0 @@
-name: lint-required-context-exists-in-bp
-
-# Tier 2g hard-gate lint (per mc#774) — diff-based PR-time
-# check. When a PR adds a NEW commit-status emission (workflow YAML
-# `name:` + job `name:`-or-key + on:-event), the workflow file must
-# carry one of three directives adjacent to the new job:
-#
-#   - `# bp-required: yes`           — and BP must list the context
-#   - `# bp-required: pending #NNN`  — acknowledged asymmetry + tracker
-#   - `# bp-exempt: <reason>`        — informational job, not a gate
-#
-# Default (no directive on a new emitter) = FAIL.
-#
-# Why this exists
-# ---------------
-# PR#656 added `CI / all-required (pull_request)` as a sentinel
-# context that workflows emit, but BP did NOT list it. When
-# platform-build failed, all-required failed, but BP let the PR
-# merge anyway → cascade to mc#774. With this lint, PR#656 would
-# have been blocked until either the BP PATCH ran alongside OR
-# the author added a `bp-required: pending` directive.
-#
-# Tier 2g vs Tier 2f
-# ------------------
-# Tier 2g runs at PR-time (diff-based) and BLOCKS the merge.
-# Tier 2f runs daily (scheduled) and FILES a drift issue. They
-# share the workflow-context enumeration helpers
-# (`_event_map`, `workflow_contexts`, `_job_display`) but the
-# semantics are intentionally distinct so they're separate scripts.
-# Co-design is documented in mc#774.
-#
-# Directive comment lives in the workflow file (NOT PR body)
-# ----------------------------------------------------------
-# A PR-body claim of "BP exempt" evaporates on merge — the
-# asymmetry returns to undetected state and Tier 2f's daily
-# scheduled audit can't see it. The directive must live with the
-# emitter so both PR-time (Tier 2g) and post-merge (Tier 2f)
-# readers consume the same source.
-#
-# Phase contract (RFC internal#219 §1 ladder)
-# -------------------------------------------
-# Lands at `continue-on-error: true` (Phase 3 — surface the
-# pattern without blocking PRs while the directive convention
-# beds in). After 7 days of clean runs on `main` with no false
-# positives, follow-up flips to `false`. Tracking: mc#774.
-#
-# Cross-links
-# -----------
-# - mc#774 (the RFC that specs this lint)
-# - PR#656 (the empirical case)
-# - mc#774 (the surfaced cascade)
-# - feedback_phantom_required_check_after_gitea_migration (Tier 2f cousin)
-# - feedback_behavior_based_ast_gates
-#
-# Auth: DRIFT_BOT_TOKEN (repo-admin for branch_protections read).
-
-on:
-  pull_request:
-    types: [opened, synchronize, reopened]
-    paths:
-      - '.gitea/workflows/**'
-      - '.gitea/scripts/lint_required_context_exists_in_bp.py'
-      - '.gitea/workflows/lint-required-context-exists-in-bp.yml'
-      - 'tests/test_lint_required_context_exists_in_bp.py'
-
-env:
-  GITHUB_SERVER_URL: https://git.moleculesai.app
-
-permissions:
-  contents: read
-
-concurrency:
-  group: lint-required-context-exists-in-bp-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  # bp-exempt: this lint is a PR-time advisory and is not intended to
-  # be a required gate on main. The directive eat-our-own-dogfood
-  # confirms the convention works on the lint that defines it.
-  lint:
-    name: lint-required-context-exists-in-bp
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    # Phase 3 (RFC #219 §1): surface the pattern without blocking PRs
-    # while the directive convention beds in. Follow-up flip to false
-    # after 7 clean days on main. mc#774.
-    continue-on-error: true  # mc#774 Phase 3 — flip to false after 7 clean main runs
-    steps:
-      - name: Check out PR head with full history (need base SHA blobs)
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          # `git show <base-sha>:<path>` needs the base SHA's blobs.
-          # Same rationale as PR#673 and check-migration-collisions.yml.
-          fetch-depth: 0
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5.6.0
-        with:
-          python-version: '3.12'
-      - name: Install PyYAML
-        run: python -m pip install --quiet 'PyYAML==6.0.2'
-      - name: Ensure base ref is reachable locally
-        # Cheap insurance against runner-version drift.
-        run: |
-          git fetch origin "${{ github.event.pull_request.base.ref }}" || true
-      - name: Run lint-required-context-exists-in-bp
-        env:
-          # DRIFT_BOT_TOKEN — repo-admin (needed for branch_protections).
-          GITEA_TOKEN: ${{ secrets.DRIFT_BOT_TOKEN }}
-          GITEA_HOST: git.moleculesai.app
-          REPO: ${{ github.repository }}
-          BRANCH: main
-          BASE_SHA: ${{ github.event.pull_request.base.sha }}
-          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-          WORKFLOWS_DIR: .gitea/workflows
-        run: python3 .gitea/scripts/lint_required_context_exists_in_bp.py
-      - name: Run lint-required-context-exists-in-bp unit tests
-        run: |
-          python -m pip install --quiet pytest
-          python3 -m pytest tests/test_lint_required_context_exists_in_bp.py -v
@@ -55,7 +55,6 @@ jobs:
    # Phase 3 (RFC #219 §1): surface broken shapes without blocking PRs.
    # Follow-up PR flips this off after the 4 existing-on-main rule-2
    # (workflow_run) violations are migrated to a supported trigger.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
@@ -9,12 +9,18 @@ name: publish-canvas-image
 #   - Workflow-level env.GITHUB_SERVER_URL pinned per
 #     feedback_act_runner_github_server_url.
 #   - `continue-on-error: true` on each job (RFC §1 contract).
-#   - Retargeted the image push from GHCR to ECR. GHCR was retired during
-#     the 2026-05-06 Gitea migration, and Gitea's GITHUB_TOKEN cannot
-#     authenticate to ghcr.io.
+#   - **Open question for review**: this workflow pushes the canvas
+#     image to `ghcr.io`. GHCR was retired during the 2026-05-06
+#     Gitea migration in favor of ECR (per staging-verify.yml header
+#     notes). The image may not be consumable post-migration. Two
+#     options for follow-up: (a) retarget to
+#     `153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/canvas`,
+#     or (b) retire this workflow entirely and route canvas deploys
+#     via the operator-host build path. tier:low + continue-on-error
+#     means failed pushes do not block PRs.
 #

-# Builds and pushes the canvas Docker image to ECR whenever a commit lands
+# Builds and pushes the canvas Docker image to GHCR whenever a commit lands
 # on main that touches canvas code. Previously canvas changes were visible in
 # CI (npm run build passed) but the live container was never updated —
 # operators had to manually run `docker compose build canvas` each time.
@@ -39,10 +45,10 @@ on:

 permissions:
  contents: read
-  packages: write
+  packages: write  # required to push to ghcr.io/${{ github.repository_owner }}/*

 env:
-  IMAGE_NAME: 153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/canvas
+  IMAGE_NAME: ghcr.io/molecule-ai/canvas
  GITHUB_SERVER_URL: https://git.moleculesai.app

 jobs:
@@ -56,43 +62,21 @@ jobs:
    # See issue #576 + infra-lead pulse ~00:30Z.
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

-      - name: Log in to ECR
-        env:
-          IMAGE_NAME: ${{ env.IMAGE_NAME }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          AWS_DEFAULT_REGION: us-east-2
-        run: |
-          set -euo pipefail
-          ECR_REGISTRY="${IMAGE_NAME%%/*}"
-          aws ecr get-login-password --region us-east-2 | \
-            docker login --username AWS --password-stdin "${ECR_REGISTRY}"
+      - name: Log in to GHCR
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

-      - name: Ensure ECR repository exists
-        env:
-          IMAGE_NAME: ${{ env.IMAGE_NAME }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          AWS_DEFAULT_REGION: us-east-2
-        run: |
-          set -euo pipefail
-          repo_path="${IMAGE_NAME#*/}"
-          if ! aws ecr describe-repositories --repository-names "${repo_path}" --region us-east-2 >/dev/null 2>&1; then
-            aws ecr create-repository \
-              --repository-name "${repo_path}" \
-              --image-scanning-configuration scanOnPush=true \
-              --region us-east-2 >/dev/null
-          fi
-
      # Health check: verify Docker daemon is accessible before attempting any
      # build steps. This fails loudly at step 1 when the runner's docker.sock
      # is inaccessible rather than silently continuing to the build step
@@ -102,14 +86,12 @@ jobs:
          set -euo pipefail
          echo "::group::Docker daemon health check"
          echo "Runner: ${HOSTNAME:-unknown}"
-          docker_info="$(docker info 2>&1)" || {
+          docker info 2>&1 | head -5 || {
            echo "::error::Docker daemon is not accessible at /var/run/docker.sock"
            echo "::error::Runner: ${HOSTNAME:-unknown}"
-            printf '%s\n' "${docker_info}"
            echo "::error::Check: (1) daemon running, (2) runner user in docker group, (3) sock perms 660+"
            exit 1
          }
-          printf '%s\n' "${docker_info}" | sed -n '1,5p'
          echo "Docker daemon OK"
          echo "::endgroup::"

@@ -143,7 +125,7 @@ jobs:
          echo "platform_url=${PLATFORM_URL}" >> "$GITHUB_OUTPUT"
          echo "ws_url=${WS_URL}" >> "$GITHUB_OUTPUT"

-      - name: Build & push canvas image to ECR
+      - name: Build & push canvas image to GHCR
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: ./canvas
@@ -156,10 +138,9 @@ jobs:
          tags: |
            ${{ env.IMAGE_NAME }}:latest
            ${{ env.IMAGE_NAME }}:sha-${{ steps.tags.outputs.sha }}
-          # Gitea artifact-cache reachability is best-effort on the operator
-          # runner network. Do not let cache export fail an image that already
-          # built and pushed successfully.
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
          labels: |
-            org.opencontainers.image.source=https://git.moleculesai.app/${{ github.repository }}
+            org.opencontainers.image.source=https://github.com/${{ github.repository }}
            org.opencontainers.image.revision=${{ github.sha }}
            org.opencontainers.image.description=Molecule AI canvas (Next.js 15 + React Flow)
@@ -55,7 +55,6 @@ jobs:
  # The actual bump work happens on the main/staging push after merge.
  pr-validate:
    runs-on: ubuntu-latest
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true  # do not block PR merge on operational failures
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -20,12 +20,6 @@ name: publish-workspace-server-image
 #
 # ECR target: 153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/*
 # Required secrets: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AUTO_SYNC_TOKEN
-#
-# mc#711: Docker daemon not accessible on ubuntu-latest runner (molecule-canonical-1
-# shows client-only in `docker info` — daemon not running). DinD mount is present but
-# daemon doesn't respond. Fix: add diagnostic step showing socket info so ops can
-# identify which runners have a live daemon. If no daemon is available, the job
-# fails fast with actionable output rather than silent deep failure.

 on:
  push:
@@ -58,25 +52,36 @@ env:

 jobs:
  build-and-push:
+    # REVERTED (infra/revert-docker-runner-label): `runs-on: ubuntu-latest` restored.
+    # The `docker` label is not registered on any act_runner. `runs-on: [ubuntu-latest, docker]`
+    # causes jobs to queue indefinitely with zero eligible runners — strictly worse than the
+    # pre-#599 coin-flip (50% success rate). Once the `docker` label is registered on
+    # ≥2 runners, re-apply the fix from #599 (infra/docker-runner-label).
+    # See issue #576 + infra-lead pulse ~00:30Z.
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

-      - name: Diagnose Docker daemon access
+      # Health check: verify Docker daemon is accessible before attempting any
+      # build steps. This fails loudly at step 1 when the runner's docker.sock
+      # is inaccessible (e.g. permission change, daemon restart, or group-membership
+      # drift) rather than silently continuing to step 2 where `docker build`
+      # fails deep in the process with a cryptic ECR auth error that doesn't
+      # surface the root cause.  Also reports the daemon version so operator
+      # can correlate with runner host logs.
+      - name: Verify Docker daemon access
        run: |
          set -euo pipefail
-          echo "::group::Docker daemon diagnosis"
+          echo "::group::Docker daemon health check"
          echo "Runner: ${HOSTNAME:-unknown}"
-          echo "--- Socket info ---"
-          ls -la /var/run/docker.sock 2>/dev/null || echo "/var/run/docker.sock: not found"
-          stat /var/run/docker.sock 2>/dev/null || true
-          echo "--- User info ---"
-          id
-          echo "--- docker version ---"
-          docker version 2>&1 || true
-          echo "--- docker info (full) ---"
-          docker info 2>&1 || echo "docker info failed: exit $?"
+          docker info 2>&1 | head -5 || {
+            echo "::error::Docker daemon is not accessible at /var/run/docker.sock"
+            echo "::error::Runner: ${HOSTNAME:-unknown}"
+            echo "::error::Check: (1) daemon is running, (2) runner user is in docker group, (3) sock permissions are 660+"
+            exit 1
+          }
+          echo "Docker daemon OK"
          echo "::endgroup::"

      # Pre-clone manifest deps before docker build.
@@ -95,6 +100,9 @@ jobs:
          MOLECULE_GITEA_TOKEN: ${{ secrets.AUTO_SYNC_TOKEN }}
        run: |
          set -euo pipefail
+          # clone-manifest.sh supports anonymous cloning for public repos (post-
+          # 2026-05-08 migration). The token is only needed for private repos.
+          # Do NOT require it — a missing secret would fail the build unnecessarily.
          mkdir -p .tenant-bundle-deps
          # Strip JSON5 comments before jq parsing — Integration Tester appends
          # `// Triggered by ...` which breaks `jq` in clone-manifest.sh.
@@ -51,7 +51,6 @@ jobs:
    name: Audit Railway env vars for drift-prone pins
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    timeout-minutes: 10

@@ -86,7 +86,6 @@ jobs:
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    timeout-minutes: 25
    steps:
@@ -76,7 +76,6 @@ jobs:
  redeploy:
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    timeout-minutes: 25
    steps:
@@ -53,7 +53,6 @@ jobs:
        # runners with internet access to package mirrors). Falls back to GitHub
        # binary download. GitHub releases may be blocked on some runner networks
        # (infra#241 follow-up).
-        # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
        continue-on-error: true
        run: |
          if apt-get update -qq && apt-get install -y -qq jq; then
@@ -67,7 +67,6 @@ jobs:
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking
    # the PR. Follow-up PR flips this off after surfaced defects are
    # triaged.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -52,7 +52,6 @@ jobs:
  detect-changes:
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    outputs:
      wheel: ${{ steps.decide.outputs.wheel }}
@@ -97,7 +96,6 @@ jobs:
    name: PR-built wheel + import smoke
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    steps:
      - name: No-op pass (paths filter excluded this commit)
@@ -57,7 +57,6 @@ jobs:
    name: Detect SECRET_PATTERNS drift
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    timeout-minutes: 5
    steps:
@@ -69,7 +69,7 @@ name: sop-checklist-gate

 on:
  pull_request_target:
-    types: [opened, edited, synchronize, reopened, labeled, unlabeled]
+    types: [opened, edited, synchronize, reopened]
  issue_comment:
    types: [created, edited, deleted]

@@ -64,8 +64,7 @@ jobs:
  tier-check:
    runs-on: ubuntu-latest
    # BURN-IN: continue-on-error prevents AND-composition from blocking
-    # PRs during the 7-day window. Remove after 2026-05-17 (mc#774).
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # PRs during the 7-day window. Remove after 2026-05-17 (internal#189).
    continue-on-error: true
    permissions:
      contents: read
@@ -90,7 +89,6 @@ jobs:
        # runners). The sop-tier-check script has its own fallback as a
        # third line of defense. continue-on-error: true ensures this step
        # failing does not block the job.
-        # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
        continue-on-error: true
        run: |
          # apt-get is the primary method — Ubuntu package mirrors are reliably
@@ -111,7 +109,6 @@ jobs:
        # continue-on-error: true at step level — job-level is ignored by Gitea
        # Actions (quirk #10, internal runbooks). Belt-and-suspenders with
        # SOP_FAIL_OPEN=1 + || true below.
-        # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
        continue-on-error: true
        env:
          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
@@ -85,7 +85,6 @@ jobs:
  staging-smoke:
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    outputs:
      sha: ${{ steps.compute.outputs.sha }}
@@ -206,7 +205,6 @@ jobs:
    if: ${{ needs.staging-smoke.result == 'success' && needs.staging-smoke.outputs.smoke_ran == 'true' }}
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    env:
      SHA: ${{ needs.staging-smoke.outputs.sha }}
@@ -29,26 +29,26 @@ name: Sweep stale AWS Secrets Manager secrets
 #     reconciler enumerator) is filed as a separate controlplane
 #     issue. This sweeper is the immediate cost-relief stopgap.
 #
-# AWS credentials: use the dedicated Secrets Manager janitor principal.
-# Do not fall back to the molecule-cp application principal: it does
-# not need account-wide ListSecrets, and a 2026-05-12 CI failure proved
-# that using it here turns a least-privilege production credential into
-# a red scheduled janitor.
+# AWS credentials: the confirmed Gitea secrets are AWS_ACCESS_KEY_ID /
+# AWS_SECRET_ACCESS_KEY (the molecule-cp IAM user). These are the same
+# credentials used by the rest of the platform. The dedicated
+# AWS_JANITOR_* naming (which the original GitHub workflow used) was
+# never populated in Gitea — the existing secrets are AWS_ACCESS_KEY_ID /
+# AWS_SECRET_ACCESS_KEY (per issue #425 §425 audit). These DO have
+# secretsmanager:ListSecrets (the production molecule-cp principal);
+# if ListSecrets is revoked in future, a dedicated janitor principal
+# would need to be created and the Gitea secret names updated here.
 #
 # Safety: the script's MAX_DELETE_PCT gate (default 50%, mirroring
 # sweep-cf-orphans.yml — tenant secrets are durable by design, unlike
 # the mostly-orphan tunnels) refuses to nuke past the threshold.

 on:
-  # Disabled as an hourly schedule until the dedicated
-  # AWS_SECRETS_JANITOR_* key exists in the key-management SSOT and is
-  # mirrored into Gitea. Falling back to the molecule-cp app principal is
-  # intentionally not allowed: it lacks account-wide ListSecrets, and
-  # granting that to an application credential would weaken least privilege.
-  #
-  # Keep the manual trigger so operators can validate the workflow immediately
-  # after provisioning the janitor key, then restore the hourly :30 schedule.
-  workflow_dispatch:
+  schedule:
+    # Hourly at :30 — offsets from sweep-cf-orphans (:15) and
+    # sweep-cf-tunnels (:45) so the three janitors don't burst the
+    # CP admin endpoints at the same minute.
+    - cron: '30 * * * *'
 # Don't let two sweeps race the same AWS account.
 concurrency:
  group: sweep-aws-secrets
@@ -65,7 +65,6 @@ jobs:
    name: Sweep AWS Secrets Manager
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    # 30 min cap, mirroring the other janitors. AWS DeleteSecret is
    # fast (~0.3s/call) so even a 100+ backlog drains in seconds
@@ -74,8 +73,8 @@ jobs:
    timeout-minutes: 30
    env:
      AWS_REGION: ${{ secrets.AWS_REGION || 'us-east-1' }}
-      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_SECRETS_JANITOR_ACCESS_KEY_ID }}
-      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRETS_JANITOR_SECRET_ACCESS_KEY }}
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      CP_ADMIN_API_TOKEN: ${{ secrets.CP_ADMIN_API_TOKEN }}
      CP_STAGING_ADMIN_API_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
      MAX_DELETE_PCT: ${{ github.event.inputs.max_delete_pct || '50' }}
@@ -71,7 +71,6 @@ jobs:
    name: Sweep CF orphans
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    # 3 min surfaces hangs (CF API stall, AWS describe-instances stuck)
    # within one cron interval instead of burning a full tick. Realistic
@@ -55,7 +55,6 @@ jobs:
    name: Sweep CF tunnels
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    # 30 min cap. Was 5 min on the theory that the only thing that
    # could take >5min is a CF-API hang — but on 2026-05-02 a backlog
@@ -11,9 +11,8 @@ name: Ops Scripts Tests
 #   - `continue-on-error: true` on the job (RFC §1 contract).
 #
 # Runs the unittest suite for scripts/ on every PR + push that touches
-# anything under scripts/ or .gitea/scripts/. Kept separate from the main CI
-# so a script-only change doesn't trigger the heavier Go/Canvas/Python
-# pipelines.
+# anything under scripts/. Kept separate from the main CI so a script-only
+# change doesn't trigger the heavier Go/Canvas/Python pipelines.
 #
 # Discovery layout: tests sit alongside the code they test (see
 # scripts/ops/test_sweep_cf_decide.py for the pattern; scripts/
@@ -28,13 +27,11 @@ on:
    branches: [main, staging]
    paths:
      - 'scripts/**'
-      - '.gitea/scripts/**'
      - '.gitea/workflows/test-ops-scripts.yml'
  pull_request:
    branches: [main, staging]
    paths:
      - 'scripts/**'
-      - '.gitea/scripts/**'
      - '.gitea/workflows/test-ops-scripts.yml'

 env:
@@ -49,15 +46,12 @@ jobs:
    name: Ops scripts (unittest)
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: '3.11'
-      - name: Install .gitea script test dependencies
-        run: python -m pip install --quiet 'pytest==9.0.2' 'PyYAML==6.0.2'
      - name: Run scripts/ unittests (build_runtime_package, ...)
        # Top-level scripts/ tests live alongside their target file
        # (e.g. scripts/test_build_runtime_package.py exercises
@@ -69,5 +63,3 @@ jobs:
      - name: Run scripts/ops/ unittests (sweep_cf_decide, ...)
        working-directory: scripts/ops
        run: python -m unittest discover -p 'test_*.py' -v
-      - name: Run .gitea/scripts pytest suite
-        run: python -m pytest .gitea/scripts/tests -q
@@ -31,7 +31,6 @@ jobs:
    name: Weekly Platform-Go Surface
    runs-on: ubuntu-latest
    # continue-on-error: surface only, never block
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    defaults:
      run:
@@ -131,7 +131,6 @@ jobs:

      - name: Install Playwright browsers
        if: needs.detect-changes.outputs.canvas == 'true'
-        timeout-minutes: 10
        run: npx playwright install --with-deps chromium

      - name: Run staging canvas E2E
@@ -91,19 +91,16 @@ export function SearchDialog() {
  if (!open) return null;

  return (
-    <div className="fixed inset-0 z-[70] flex items-start justify-center pt-[20vh]">
-      {/* Backdrop — interactive dismiss area; aria-hidden so screen readers ignore it */}
-      <div
-        className="absolute inset-0 bg-black/50 backdrop-blur-sm cursor-pointer"
-        onClick={() => setOpen(false)}
-        aria-hidden="true"
-      />
-      {/* Dialog */}
+    <div
+      className="fixed inset-0 z-[70] flex items-start justify-center pt-[20vh] bg-black/50 backdrop-blur-sm"
+      onClick={() => setOpen(false)}
+    >
      <div
        role="dialog"
        aria-modal="true"
        aria-label="Search workspaces"
-        className="relative z-[71] w-[420px] bg-surface/95 backdrop-blur-xl border border-line/60 rounded-2xl shadow-2xl shadow-black/50 overflow-hidden"
+        className="w-[420px] bg-surface/95 backdrop-blur-xl border border-line/60 rounded-2xl shadow-2xl shadow-black/50 overflow-hidden"
+        onClick={(e) => e.stopPropagation()}
      >
        {/* Search input */}
        <div className="flex items-center gap-3 px-4 py-3 border-b border-line/40">
@@ -45,12 +45,6 @@ export function Tooltip({ text, children }: Props) {
      if (triggerRef.current) {
        const rect = triggerRef.current.getBoundingClientRect();
        setPos({ x: rect.left, y: rect.top });
-        // Focus the first focusable descendant (the actual trigger button),
-        // not the wrapper div, so screen-reader/navigation UX is correct.
-        const firstFocusable = triggerRef.current.querySelector<HTMLElement>(
-          'button, [tabindex], input, select, textarea, a[href]'
-        );
-        firstFocusable?.focus();
      }
      setShow(true);
    }, 400);
@@ -1,63 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Unit tests for formatAuditRelativeTime — pure date formatter from AuditTrailPanel.
- */
-import { describe, it, expect } from "vitest";
-import { formatAuditRelativeTime } from "../AuditTrailPanel";
-
-describe("formatAuditRelativeTime", () => {
-  it('returns "just now" for timestamps within the last minute', () => {
-    const now = 1_700_000_000_000;
-    const thirtySecAgo = new Date(now - 30_000).toISOString();
-    expect(formatAuditRelativeTime(thirtySecAgo, now)).toBe("just now");
-  });
-
-  it('returns "Xm ago" for timestamps within the last hour', () => {
-    const now = 1_700_000_000_000;
-    const fiveMinAgo = new Date(now - 5 * 60_000).toISOString();
-    expect(formatAuditRelativeTime(fiveMinAgo, now)).toBe("5m ago");
-  });
-
-  it('returns "Xh ago" for timestamps within the last day', () => {
-    const now = 1_700_000_000_000;
-    const threeHoursAgo = new Date(now - 3 * 3_600_000).toISOString();
-    expect(formatAuditRelativeTime(threeHoursAgo, now)).toBe("3h ago");
-  });
-
-  it("returns locale date string for timestamps older than 24h", () => {
-    const now = 1_700_000_000_000;
-    const twoDaysAgo = new Date(now - 2 * 86_400_000).toISOString();
-    const result = formatAuditRelativeTime(twoDaysAgo, now);
-    // Should be a date string (not "Xh ago" or "Xm ago")
-    expect(result).not.toMatch(/m ago|h ago|just now/);
-    expect(result).toBe(new Date(twoDaysAgo).toLocaleDateString());
-  });
-
-  it("handles the boundary between minute and hour correctly", () => {
-    const now = 1_700_000_000_000;
-    const exactlyOneHourAgo = new Date(now - 3_600_000).toISOString();
-    expect(formatAuditRelativeTime(exactlyOneHourAgo, now)).toBe("1h ago");
-  });
-
-  it("handles the boundary between hour and day correctly", () => {
-    const now = 1_700_000_000_000;
-    // 23h ago is < 24h so it shows "23h ago"; exactly 24h falls through to date string
-    const twentyThreeHoursAgo = new Date(now - 23 * 3_600_000).toISOString();
-    expect(formatAuditRelativeTime(twentyThreeHoursAgo, now)).toBe("23h ago");
-  });
-
-  it("returns locale date string for exactly 24h ago (boundary)", () => {
-    const now = 1_700_000_000_000;
-    const exactlyOneDayAgo = new Date(now - 86_400_000).toISOString();
-    const result = formatAuditRelativeTime(exactlyOneDayAgo, now);
-    // diff is exactly 86_400_000, which is NOT < 86_400_000, so it falls through
-    expect(result).toBe(new Date(exactlyOneDayAgo).toLocaleDateString());
-  });
-
-  it("future timestamps return 'just now' (negative diff < 60_000)", () => {
-    const now = 1_700_000_000_000;
-    const future = new Date(now + 60_000).toISOString();
-    // Negative diff passes diff < 60_000, returning "just now"
-    expect(formatAuditRelativeTime(future, now)).toBe("just now");
-  });
-});
@@ -1,90 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Unit tests for pure helpers from MemoryInspectorPanel:
- *   isPluginUnavailableError, formatRelativeTime, formatTTL
- *
- * These are the three exported non-component functions. The component
- * itself (MemoryInspectorPanel) requires full API + store mocking and
- * is exercised by the existing MemoryTab.test.tsx.
- */
-import { describe, it, expect } from "vitest";
-import { isPluginUnavailableError, formatTTL } from "../MemoryInspectorPanel";
-
-// formatRelativeTime is not exported — tested via the component in MemoryTab.test.tsx
-
-describe("isPluginUnavailableError", () => {
-  it("returns true when Error message contains MEMORY_PLUGIN_URL", () => {
-    const err = new Error("memory: could not resolve MEMORY_PLUGIN_URL — plugin not configured");
-    expect(isPluginUnavailableError(err)).toBe(true);
-  });
-
-  it("returns true for Error containing MEMORY_PLUGIN_URL", () => {
-    expect(isPluginUnavailableError(new Error("MEMORY_PLUGIN_URL is not set"))).toBe(true);
-  });
-
-  it("returns false for unrelated error messages", () => {
-    expect(isPluginUnavailableError(new Error("workspace not found"))).toBe(false);
-  });
-
-  it("returns false for null", () => {
-    expect(isPluginUnavailableError(null)).toBe(false);
-  });
-
-  it("returns false for undefined", () => {
-    expect(isPluginUnavailableError(undefined)).toBe(false);
-  });
-
-  it("returns false for plain objects without message", () => {
-    expect(isPluginUnavailableError({ code: 503 })).toBe(false);
-  });
-
-  it("is case-sensitive (MEMORY_PLUGIN_URL must match exactly)", () => {
-    const lowerErr = new Error("memory_plugin_url missing");
-    const upperErr = new Error("MEMORY_PLUGIN_URL missing");
-    expect(isPluginUnavailableError(lowerErr)).toBe(false);
-    expect(isPluginUnavailableError(upperErr)).toBe(true);
-  });
-});
-
-describe("formatTTL", () => {
-  it("returns '' for null", () => {
-    expect(formatTTL(null)).toBe("");
-  });
-
-  it("returns '' for undefined", () => {
-    expect(formatTTL(undefined)).toBe("");
-  });
-
-  it('returns "expired" when expiresAt is in the past', () => {
-    const past = new Date(Date.now() - 60_000).toISOString();
-    expect(formatTTL(past)).toBe("expired");
-  });
-
-  it('returns "Xs" for less than a minute', () => {
-    const soon = new Date(Date.now() + 30_000).toISOString();
-    expect(formatTTL(soon)).toBe("30s");
-  });
-
-  it('returns "Xm" for less than an hour', () => {
-    const soon = new Date(Date.now() + 5 * 60_000).toISOString();
-    expect(formatTTL(soon)).toBe("5m");
-  });
-
-  it('returns "Xh" for less than a day', () => {
-    const soon = new Date(Date.now() + 3 * 3_600_000).toISOString();
-    expect(formatTTL(soon)).toBe("3h");
-  });
-
-  it('returns "Xd" for more than a day', () => {
-    const soon = new Date(Date.now() + 2 * 86_400_000).toISOString();
-    expect(formatTTL(soon)).toBe("2d");
-  });
-
-  it("returns '' for invalid date string", () => {
-    expect(formatTTL("not-a-date")).toBe("");
-  });
-
-  it("returns '' for empty string", () => {
-    expect(formatTTL("")).toBe("");
-  });
-});
@@ -81,13 +81,11 @@ describe("MissingKeysModal — WCAG 2.1 dialog accessibility", () => {

  it("backdrop div has aria-hidden='true' so screen readers skip it", () => {
    renderModal({ open: true });
-    // The backdrop is the first child of the portal root — it has bg-black/70
-    // and is a sibling of the dialog, both inside a fixed inset-0 container.
-    const fixedContainer = document.body.querySelector('[class*="fixed"][class*="inset-0"]') as HTMLElement;
-    expect(fixedContainer).toBeTruthy();
-    const backdrop = fixedContainer.querySelector('[class*="bg-black"]') as HTMLElement;
+    // The backdrop is a div outside the dialog; it has onClick and aria-hidden
+    const backdrop = document.querySelector('[aria-hidden="true"]');
    expect(backdrop).toBeTruthy();
-    expect(backdrop.getAttribute("aria-hidden")).toBe("true");
+    // Verify the backdrop is the full-screen overlay (has bg-black/70)
+    expect(backdrop?.className).toContain("bg-black/70");
  });

  it("decorative warning SVG in header has aria-hidden='true'", () => {
@@ -1,390 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Tests for SidePanel — general rendering and non-tab behaviors.
- *
- * Companion to SidePanel.tabs.test.tsx which covers tablist ARIA
- * and localStorage width persistence.
- *
- * Covers:
- *   - Null when no node is selected
- *   - Null when selectedNodeId points to a missing node
- *   - Header: node name, role, tier badge
- *   - MetaPill capability summary pills
- *   - Resize handle: role=separator, aria-valuenow/min/max, aria-orientation
- *   - Resize handle: ArrowLeft/Right/Home/End keyboard nav
- *   - Needs-restart banner + Restart Now button
- *   - Current-task banner with pulsing dot
- *   - Footer shows workspace ID
- *   - Close button calls selectNode(null)
- *   - Tab switch via onClick fires setPanelTab
- *   - setSidePanelWidth called on mount
- */
-import React from "react";
-import { render, screen, fireEvent, cleanup } from "@testing-library/react";
-import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { SidePanel } from "../SidePanel";
-
-// ── Tab content stubs ───────────────────────────────────────────────────────
-vi.mock("../tabs/DetailsTab",    () => ({ DetailsTab:    () => null }));
-vi.mock("../tabs/SkillsTab",     () => ({ SkillsTab:     () => null }));
-vi.mock("../tabs/ChatTab",       () => ({ ChatTab:       () => null }));
-vi.mock("../tabs/ConfigTab",     () => ({ ConfigTab:     () => null }));
-vi.mock("../tabs/TerminalTab",   () => ({ TerminalTab:   () => null }));
-vi.mock("../tabs/FilesTab",       () => ({ FilesTab:       () => null }));
-vi.mock("../MemoryInspectorPanel", () => ({ MemoryInspectorPanel: () => null }));
-vi.mock("../tabs/TracesTab",     () => ({ TracesTab:     () => null }));
-vi.mock("../tabs/EventsTab",     () => ({ EventsTab:     () => null }));
-vi.mock("../tabs/ActivityTab",   () => ({ ActivityTab:   () => null }));
-vi.mock("../tabs/ScheduleTab",   () => ({ ScheduleTab:   () => null }));
-vi.mock("../tabs/ChannelsTab",   () => ({ ChannelsTab:   () => null }));
-vi.mock("../AuditTrailPanel",    () => ({ AuditTrailPanel: () => null }));
-vi.mock("../StatusDot", () => ({ StatusDot: () => null }));
-vi.mock("../Tooltip", () => ({
-  Tooltip: ({ children }: { children: React.ReactNode }) => <>{children}</>,
-}));
-vi.mock("@/components/Toaster", () => ({ showToast: vi.fn() }));
-
-// ── Canvas store mock — mutable so each test can reconfigure ───────────────
-const mockSetPanelTab = vi.fn();
-const mockSelectNode = vi.fn();
-const mockSetSidePanelWidth = vi.fn();
-const mockRestartWorkspace = vi.fn().mockResolvedValue(undefined);
-
-const BASE_NODE = {
-  id: "ws-1",
-  data: {
-    name: "Test Workspace",
-    status: "online" as const,
-    tier: 2,
-    role: "Engineer",
-    parentId: null,
-    needsRestart: false,
-    currentTask: null,
-    agentCard: null,
-  },
-};
-
-// Mutable store state — tests reassign fields to test different states
-let storeState = {
-  selectedNodeId: "ws-1" as string | null,
-  panelTab: "chat",
-  setPanelTab: mockSetPanelTab,
-  selectNode: mockSelectNode,
-  setSidePanelWidth: mockSetSidePanelWidth,
-  nodes: [BASE_NODE],
-  restartWorkspace: mockRestartWorkspace,
-};
-
-vi.mock("@/store/canvas", () => ({
-  useCanvasStore: Object.assign(
-    vi.fn((selector: (s: typeof storeState) => unknown) => selector(storeState)),
-    { getState: () => storeState }
-  ),
-  summarizeWorkspaceCapabilities: () => ({ runtime: "claude-code", skillCount: 3 }),
-}));
-
-beforeEach(() => {
-  mockSetPanelTab.mockReset();
-  mockSelectNode.mockReset();
-  mockSetSidePanelWidth.mockReset();
-  mockRestartWorkspace.mockReset().mockResolvedValue(undefined);
-  localStorage.clear();
-  // Reset store state to default
-  storeState = {
-    selectedNodeId: "ws-1",
-    panelTab: "chat",
-    setPanelTab: mockSetPanelTab,
-    selectNode: mockSelectNode,
-    setSidePanelWidth: mockSetSidePanelWidth,
-    nodes: [BASE_NODE],
-    restartWorkspace: mockRestartWorkspace,
-  };
-});
-
-afterEach(() => {
-  cleanup();
-});
-
-// ─── Null guard ──────────────────────────────────────────────────────────────
-
-describe("SidePanel — null guard", () => {
-  it("returns null when selectedNodeId is null", () => {
-    storeState.selectedNodeId = null;
-    const { container } = render(<SidePanel />);
-    expect(container.firstChild).toBeNull();
-  });
-
-  it("returns null when selectedNodeId does not match any node", () => {
-    storeState.selectedNodeId = "nonexistent-ws";
-    storeState.nodes = [];
-    const { container } = render(<SidePanel />);
-    expect(container.firstChild).toBeNull();
-  });
-});
-
-// ─── Header ─────────────────────────────────────────────────────────────────
-
-describe("SidePanel — header", () => {
-  it("shows node name in heading", () => {
-    render(<SidePanel />);
-    expect(screen.getByRole("heading", { name: "Test Workspace" })).toBeTruthy();
-  });
-
-  it("shows node role", () => {
-    render(<SidePanel />);
-    expect(screen.getByText("Engineer")).toBeTruthy();
-  });
-
-  it("shows tier badge with correct value", () => {
-    render(<SidePanel />);
-    // T2 appears in header badge AND meta pill — confirm at least one
-    const all = screen.getAllByText("T2");
-    expect(all.length).toBeGreaterThanOrEqual(1);
-  });
-
-  it("close button is present with aria-label", () => {
-    render(<SidePanel />);
-    expect(screen.getByRole("button", { name: /close workspace panel/i })).toBeTruthy();
-  });
-
-  it("close button calls selectNode(null)", () => {
-    render(<SidePanel />);
-    fireEvent.click(screen.getByRole("button", { name: /close workspace panel/i }));
-    expect(mockSelectNode).toHaveBeenCalledWith(null);
-  });
-});
-
-// ─── MetaPills ─────────────────────────────────────────────────────────────
-
-describe("SidePanel — meta pills", () => {
-  it("renders Tier, Runtime, Skills, and Status pills in the meta row", () => {
-    render(<SidePanel />);
-    // All four labels appear somewhere in the meta pills row
-    expect(screen.getByText(/tier/i)).toBeTruthy();
-    expect(screen.getByText(/runtime/i)).toBeTruthy();
-    expect(screen.getByText(/skills/i)).toBeTruthy();
-    expect(screen.getByText(/status/i)).toBeTruthy();
-  });
-
-  it("shows correct runtime value in meta pill", () => {
-    render(<SidePanel />);
-    expect(screen.getByText("claude-code")).toBeTruthy();
-  });
-
-  it("shows skill count in meta pill", () => {
-    render(<SidePanel />);
-    expect(screen.getByText("3")).toBeTruthy();
-  });
-});
-
-// ─── Resize handle ──────────────────────────────────────────────────────────
-
-describe("SidePanel — resize handle", () => {
-  it("has role=separator", () => {
-    render(<SidePanel />);
-    expect(screen.getByRole("separator")).toBeTruthy();
-  });
-
-  it("has aria-label='Resize workspace panel'", () => {
-    render(<SidePanel />);
-    expect(screen.getByRole("separator").getAttribute("aria-label")).toBe(
-      "Resize workspace panel"
-    );
-  });
-
-  it("has aria-valuenow=480 (default width)", () => {
-    render(<SidePanel />);
-    expect(screen.getByRole("separator").getAttribute("aria-valuenow")).toBe("480");
-  });
-
-  it("has aria-valuemin=320", () => {
-    render(<SidePanel />);
-    expect(screen.getByRole("separator").getAttribute("aria-valuemin")).toBe("320");
-  });
-
-  it("has aria-valuemax=800", () => {
-    render(<SidePanel />);
-    expect(screen.getByRole("separator").getAttribute("aria-valuemax")).toBe("800");
-  });
-
-  it("has aria-orientation=vertical", () => {
-    render(<SidePanel />);
-    expect(screen.getByRole("separator").getAttribute("aria-orientation")).toBe("vertical");
-  });
-
-  it("has tabIndex=0 (focusable)", () => {
-    render(<SidePanel />);
-    expect(screen.getByRole("separator").getAttribute("tabindex")).toBe("0");
-  });
-
-  it("ArrowLeft increases width by 16px (STEP — moves left edge rightward, widens panel)", () => {
-    render(<SidePanel />);
-    const sep = screen.getByRole("separator");
-    fireEvent.keyDown(sep, { key: "ArrowLeft" });
-    const panel = document.querySelector(".fixed") as HTMLElement;
-    expect(parseInt(panel.style.width, 10)).toBe(480 + 16); // widens
-  });
-
-  it("ArrowRight decreases width by 16px (STEP — moves left edge leftward, narrows panel)", () => {
-    render(<SidePanel />);
-    const sep = screen.getByRole("separator");
-    fireEvent.keyDown(sep, { key: "ArrowRight" });
-    const panel = document.querySelector(".fixed") as HTMLElement;
-    expect(parseInt(panel.style.width, 10)).toBe(480 - 16); // narrows
-  });
-
-  it("Home key sets width to MIN (320)", () => {
-    render(<SidePanel />);
-    fireEvent.keyDown(screen.getByRole("separator"), { key: "Home" });
-    const panel = document.querySelector(".fixed") as HTMLElement;
-    expect(parseInt(panel.style.width, 10)).toBe(320);
-  });
-
-  it("End key sets width to MAX (800)", () => {
-    render(<SidePanel />);
-    fireEvent.keyDown(screen.getByRole("separator"), { key: "End" });
-    const panel = document.querySelector(".fixed") as HTMLElement;
-    expect(parseInt(panel.style.width, 10)).toBe(800);
-  });
-
-  it("ArrowLeft persists new width to localStorage", () => {
-    render(<SidePanel />);
-    fireEvent.keyDown(screen.getByRole("separator"), { key: "ArrowLeft" });
-    expect(localStorage.getItem("molecule:sidepanel-width")).toBe(String(480 + 16));
-  });
-
-  it("Home persists new width to localStorage", () => {
-    render(<SidePanel />);
-    fireEvent.keyDown(screen.getByRole("separator"), { key: "Home" });
-    expect(localStorage.getItem("molecule:sidepanel-width")).toBe("320");
-  });
-});
-
-// ─── Needs-restart banner ────────────────────────────────────────────────────
-
-describe("SidePanel — needs-restart banner", () => {
-  it("shows banner when needsRestart=true and no currentTask", () => {
-    storeState.nodes = [{ ...BASE_NODE, data: { ...BASE_NODE.data, needsRestart: true, currentTask: null } }];
-    render(<SidePanel />);
-    expect(screen.getByText(/config changed/i)).toBeTruthy();
-    expect(screen.getByRole("button", { name: /restart now/i })).toBeTruthy();
-  });
-
-  it("does NOT show banner when needsRestart=false", () => {
-    render(<SidePanel />);
-    expect(screen.queryByText(/config changed/i)).toBeNull();
-    expect(screen.queryByRole("button", { name: /restart now/i })).toBeNull();
-  });
-
-  it("Restart Now button calls restartWorkspace(selectedNodeId)", () => {
-    storeState.nodes = [{ ...BASE_NODE, data: { ...BASE_NODE.data, needsRestart: true, currentTask: null } }];
-    render(<SidePanel />);
-    fireEvent.click(screen.getByRole("button", { name: /restart now/i }));
-    expect(mockRestartWorkspace).toHaveBeenCalledWith("ws-1");
-  });
-});
-
-// ─── Current-task banner ────────────────────────────────────────────────────
-
-describe("SidePanel — current-task banner", () => {
-  it("shows banner when currentTask is set", () => {
-    storeState.nodes = [{ ...BASE_NODE, data: { ...BASE_NODE.data, currentTask: "Deploying bundle..." } }];
-    render(<SidePanel />);
-    expect(screen.getByText("Deploying bundle...")).toBeTruthy();
-  });
-
-  it("does NOT show banner when currentTask is null", () => {
-    render(<SidePanel />);
-    expect(screen.queryByText(/deploying bundle/i)).toBeNull();
-  });
-});
-
-// ─── Footer ─────────────────────────────────────────────────────────────────
-
-describe("SidePanel — footer", () => {
-  it("footer shows workspace ID in monospace font", () => {
-    render(<SidePanel />);
-    // ws-1 appears in the footer with font-mono class
-    expect(screen.getByText("ws-1")).toBeTruthy();
-  });
-});
-
-// ─── Tab switching ─────────────────────────────────────────────────────────
-
-describe("SidePanel — tab switching", () => {
-  it("clicking Details tab calls setPanelTab('details')", () => {
-    render(<SidePanel />);
-    fireEvent.click(screen.getByRole("tab", { name: /details/i }));
-    expect(mockSetPanelTab).toHaveBeenCalledWith("details");
-  });
-
-  it("clicking Plugins tab calls setPanelTab('skills')", () => {
-    render(<SidePanel />);
-    fireEvent.click(screen.getByRole("tab", { name: /plugins/i }));
-    expect(mockSetPanelTab).toHaveBeenCalledWith("skills");
-  });
-
-  it("clicking Terminal tab calls setPanelTab('terminal')", () => {
-    render(<SidePanel />);
-    fireEvent.click(screen.getByRole("tab", { name: /terminal/i }));
-    expect(mockSetPanelTab).toHaveBeenCalledWith("terminal");
-  });
-});
-
-// ─── setSidePanelWidth ─────────────────────────────────────────────────────
-
-describe("SidePanel — setSidePanelWidth side-effect", () => {
-  it("calls setSidePanelWidth with 480 (default width) on mount", () => {
-    render(<SidePanel />);
-    expect(mockSetSidePanelWidth).toHaveBeenCalledWith(480);
-  });
-
-  it("updates setSidePanelWidth after keyboard resize", () => {
-    render(<SidePanel />);
-    mockSetSidePanelWidth.mockClear();
-    fireEvent.keyDown(screen.getByRole("separator"), { key: "ArrowLeft" });
-    expect(mockSetSidePanelWidth).toHaveBeenCalledWith(480 + 16);
-  });
-});
-
-// ─── Width localStorage ────────────────────────────────────────────────────
-
-describe("SidePanel — width localStorage", () => {
-  it("does not persist default width to localStorage on initial mount (only on user resize)", () => {
-    render(<SidePanel />);
-    // localStorage is only written by the keyboard resize handler, not on mount
-    expect(localStorage.getItem("molecule:sidepanel-width")).toBeNull();
-  });
-
-  it("reads saved width from localStorage", () => {
-    localStorage.setItem("molecule:sidepanel-width", "600");
-    const { container } = render(<SidePanel />);
-    const panel = container.firstChild as HTMLElement;
-    expect(panel.style.width).toBe("600px");
-  });
-
-  it("caps saved width to default when below minimum", () => {
-    localStorage.setItem("molecule:sidepanel-width", "100");
-    const { container } = render(<SidePanel />);
-    const panel = container.firstChild as HTMLElement;
-    expect(panel.style.width).toBe("480px");
-  });
-});
-
-// ─── Offline status ─────────────────────────────────────────────────────────
-
-describe("SidePanel — offline status", () => {
-  it("shows tier badge even when node is offline", () => {
-    storeState.nodes = [{ ...BASE_NODE, data: { ...BASE_NODE.data, status: "offline" as const } }];
-    render(<SidePanel />);
-    // T2 appears in both header badge and meta pill — just confirm at least one exists
-    const all = screen.getAllByText("T2");
-    expect(all.length).toBeGreaterThanOrEqual(1);
-  });
-
-  it("shows 'offline' in the Status meta pill when node is offline", () => {
-    storeState.nodes = [{ ...BASE_NODE, data: { ...BASE_NODE.data, status: "offline" as const } }];
-    render(<SidePanel />);
-    expect(screen.getByText("offline")).toBeTruthy();
-  });
-});
@@ -1,260 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Tests for TemplatePalette — the floating sidebar drawer.
- *
- * Covers:
- *   - Toggle button aria-label (open / closed)
- *   - Sidebar renders when open, hides when closed
- *   - Sidebar header: "Templates" heading, subtitle
- *   - Loading state
- *   - Empty state ("No templates found")
- *   - Template cards: name, description, tier badge, skill pills
- *   - Deploy button calls deploy()
- *   - Errors swallowed → empty state shown
- *   - setTemplatePaletteOpen called on open/close
- *   - OrgTemplatesSection rendered inside sidebar
- *   - Import Agent Folder button in footer
- *   - Refresh templates button in footer
- */
-import React from "react";
-import { render, screen, fireEvent, cleanup, act, waitFor } from "@testing-library/react";
-import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-
-// ── Hoisted mocks — vi.hoisted() so they're available when vi.mock runs ──────
-// IMPORTANT: use plain vi.fn() in the return object (NOT `const fn = vi.fn(); return { fn }`)
-const { mockDeploy, mockSetTemplatePaletteOpen, mockGet } = vi.hoisted(() => ({
-  mockDeploy: vi.fn(),
-  mockSetTemplatePaletteOpen: vi.fn(),
-  mockGet: vi.fn(),
-}));
-
-vi.mock("@/hooks/useTemplateDeploy", () => ({
-  useTemplateDeploy: () => ({
-    deploy: mockDeploy,
-    deploying: null,
-    error: null,
-    modal: null,
-  }),
-}));
-
-vi.mock("@/store/canvas", () => ({
-  useCanvasStore: vi.fn((selector: (s: { setTemplatePaletteOpen: typeof mockSetTemplatePaletteOpen }) => unknown) =>
-    selector({ setTemplatePaletteOpen: mockSetTemplatePaletteOpen })
-  ),
-}));
-
-vi.mock("@/lib/api", () => ({
-  api: { get: mockGet },
-}));
-
-vi.mock("../OrgImportPreflightModal", () => ({
-  OrgImportPreflightModal: () => null,
-}));
-
-vi.mock("../ConfirmDialog", () => ({
-  ConfirmDialog: () => null,
-}));
-
-vi.mock("../Spinner", () => ({
-  Spinner: () => <span data-testid="spinner" aria-hidden="true" />,
-}));
-
-vi.mock("../Toaster", () => ({ showToast: vi.fn() }));
-
-// ── Component import — after all mocks ──────────────────────────────────────
-import { TemplatePalette } from "../TemplatePalette";
-
-beforeEach(() => {
-  mockDeploy.mockReset();
-  mockSetTemplatePaletteOpen.mockReset();
-  mockGet.mockReset().mockResolvedValue([]);
-});
-
-afterEach(() => {
-  cleanup();
-});
-
-// ── Helpers ──────────────────────────────────────────────────────────────────
-
-async function flush() {
-  await act(async () => { await Promise.resolve(); });
-}
-
-const MOCK_TEMPLATES = [
-  {
-    id: "tmpl-1",
-    name: "Software Engineer",
-    description: "Best for writing code",
-    tier: 1,
-    skills: ["web-search", "read-file", "write-file"],
-  },
-  {
-    id: "tmpl-2",
-    name: "Researcher",
-    description: "Deep research agent",
-    tier: 2,
-    skills: [],
-  },
-];
-
-// ─── Toggle button ─────────────────────────────────────────────────────────
-
-describe("TemplatePalette — toggle button", () => {
-  it("has aria-label='Open template palette' when closed", () => {
-    render(<TemplatePalette />);
-    expect(screen.getByRole("button", { name: /open template palette/i })).toBeTruthy();
-  });
-
-  it("has aria-label='Close template palette' when open", async () => {
-    render(<TemplatePalette />);
-    fireEvent.click(screen.getByRole("button", { name: /open template palette/i }));
-    await flush();
-    expect(screen.getByRole("button", { name: /close template palette/i })).toBeTruthy();
-  });
-
-  it("clicking toggle opens sidebar", async () => {
-    render(<TemplatePalette />);
-    fireEvent.click(screen.getByRole("button", { name: /open template palette/i }));
-    await flush();
-    expect(screen.getByRole("heading", { name: "Templates" })).toBeTruthy();
-  });
-
-  it("clicking toggle again closes sidebar", async () => {
-    render(<TemplatePalette />);
-    fireEvent.click(screen.getByRole("button", { name: /open template palette/i }));
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /close template palette/i }));
-    await flush();
-    expect(screen.queryByRole("heading", { name: "Templates" })).toBeNull();
-  });
-
-  it("calls setTemplatePaletteOpen(true) when opened", async () => {
-    render(<TemplatePalette />);
-    fireEvent.click(screen.getByRole("button", { name: /open template palette/i }));
-    await flush();
-    expect(mockSetTemplatePaletteOpen).toHaveBeenCalledWith(true);
-  });
-
-  it("calls setTemplatePaletteOpen(false) when closed", async () => {
-    render(<TemplatePalette />);
-    fireEvent.click(screen.getByRole("button", { name: /open template palette/i }));
-    await flush();
-    mockSetTemplatePaletteOpen.mockClear();
-    fireEvent.click(screen.getByRole("button", { name: /close template palette/i }));
-    await flush();
-    expect(mockSetTemplatePaletteOpen).toHaveBeenCalledWith(false);
-  });
-});
-
-// ─── Sidebar content ───────────────────────────────────────────────────────
-
-describe("TemplatePalette — sidebar", () => {
-  async function openSidebar() {
-    fireEvent.click(screen.getByRole("button", { name: /open template palette/i }));
-    await flush();
-  }
-
-  it("shows 'Templates' heading", async () => {
-    render(<TemplatePalette />);
-    await openSidebar();
-    expect(screen.getByRole("heading", { name: "Templates" })).toBeTruthy();
-  });
-
-  it("shows subtitle 'Click to deploy a workspace'", async () => {
-    render(<TemplatePalette />);
-    await openSidebar();
-    expect(screen.getByText(/click to deploy a workspace/i)).toBeTruthy();
-  });
-
-  it("shows loading state", async () => {
-    mockGet.mockReturnValue(new Promise(() => {}));
-    render(<TemplatePalette />);
-    await openSidebar();
-    expect(screen.getByTestId("spinner")).toBeTruthy();
-    expect(screen.getByText(/loading/i)).toBeTruthy();
-  });
-
-  it("shows empty state when no templates", async () => {
-    mockGet.mockResolvedValue([]);
-    render(<TemplatePalette />);
-    await openSidebar();
-    expect(screen.getByText(/no templates found/i)).toBeTruthy();
-  });
-
-  it("renders template cards", async () => {
-    mockGet.mockResolvedValue(MOCK_TEMPLATES);
-    render(<TemplatePalette />);
-    await openSidebar();
-    expect(screen.getByText("Software Engineer")).toBeTruthy();
-    expect(screen.getByText("Researcher")).toBeTruthy();
-  });
-
-  it("shows template description", async () => {
-    mockGet.mockResolvedValue(MOCK_TEMPLATES);
-    render(<TemplatePalette />);
-    await openSidebar();
-    expect(screen.getByText(/best for writing code/i)).toBeTruthy();
-  });
-
-  it("shows tier badge on template card", async () => {
-    mockGet.mockResolvedValue(MOCK_TEMPLATES);
-    render(<TemplatePalette />);
-    await openSidebar();
-    // T1 appears in tier badge
-    expect(screen.getAllByText("T1").length).toBeGreaterThanOrEqual(1);
-  });
-
-  it("shows up to 3 skill pills", async () => {
-    mockGet.mockResolvedValue(MOCK_TEMPLATES);
-    render(<TemplatePalette />);
-    await openSidebar();
-    expect(screen.getByText("web-search")).toBeTruthy();
-    expect(screen.getByText("read-file")).toBeTruthy();
-    expect(screen.getByText("write-file")).toBeTruthy();
-  });
-
-  it("shows '+N more' when more than 3 skills", async () => {
-    mockGet.mockResolvedValue([
-      { id: "tmpl-many", name: "Full Stack", description: "", tier: 1, skills: ["a", "b", "c", "d", "e"] },
-    ]);
-    render(<TemplatePalette />);
-    await openSidebar();
-    expect(screen.getByText("+2")).toBeTruthy();
-  });
-
-  it("deploy button calls deploy(t)", async () => {
-    mockGet.mockResolvedValue(MOCK_TEMPLATES);
-    render(<TemplatePalette />);
-    await openSidebar();
-    const deployBtns = screen.getAllByRole("button", { name: /software engineer/i });
-    await act(async () => { deployBtns[0].click(); });
-    expect(mockDeploy).toHaveBeenCalledWith(MOCK_TEMPLATES[0]);
-  });
-
-  it("shows empty state when api.get rejects (error is swallowed)", async () => {
-    mockGet.mockRejectedValue(new Error("server error"));
-    render(<TemplatePalette />);
-    await openSidebar();
-    await waitFor(() => {
-      expect(screen.getByText(/no templates found/i)).toBeTruthy();
-    });
-  });
-
-  it("renders OrgTemplatesSection inside sidebar", async () => {
-    render(<TemplatePalette />);
-    await openSidebar();
-    expect(document.querySelector("[data-testid='org-templates-section']")).toBeTruthy();
-  });
-
-  it("renders Import Agent Folder button in footer", async () => {
-    render(<TemplatePalette />);
-    await openSidebar();
-    expect(screen.getByRole("button", { name: /import agent folder/i })).toBeTruthy();
-  });
-
-  it("renders Refresh templates button in footer", async () => {
-    render(<TemplatePalette />);
-    await openSidebar();
-    expect(screen.getByRole("button", { name: /^refresh templates$/i })).toBeTruthy();
-  });
-});
@@ -6,12 +6,10 @@
 * SettingsButton integration, custom canvasName prop.
 */
 import React from "react";
-import { render, screen, cleanup } from "@testing-library/react";
-import { afterEach, describe, expect, it, vi } from "vitest";
+import { render, screen } from "@testing-library/react";
+import { describe, expect, it, vi } from "vitest";
 import { TopBar } from "../canvas/TopBar";

-afterEach(cleanup);
-
 // ─── Mock SettingsButton ───────────────────────────────────────────────────────

 vi.mock("../settings/SettingsButton", () => ({
@@ -1,97 +0,0 @@
-// @vitest-environment jsdom
-/**
- * TopBar — canvas header scaffold with logo, canvas name, New Agent button,
- * and SettingsButton integration point.
- *
- * Coverage:
- *   - Renders header with logo and canvas name (default and custom)
- *   - New Agent button present and clickable
- *   - SettingsButton rendered (via mock)
- *   - Ref forwarding wired (settingsGearRef passed as ref prop)
- *
- * NOTE: No @testing-library/jest-dom — use DOM APIs.
- */
-import { afterEach, describe, expect, it, vi } from "vitest";
-import { cleanup, fireEvent, render } from "@testing-library/react";
-import React from "react";
-
-import { TopBar } from "../TopBar";
-
-vi.mock("@/components/settings/SettingsButton", () => ({
-  SettingsButton: React.forwardRef<HTMLButtonElement, object>(
-    (_props, ref) => <button ref={ref} aria-label="Settings" type="button">⚙</button>,
-  ),
-}));
-
-afterEach(() => {
-  cleanup();
-  vi.restoreAllMocks();
-});
-
-// ─── Render ────────────────────────────────────────────────────────────────────
-
-describe("TopBar — render", () => {
-  it("renders the header element", () => {
-    render(<TopBar />);
-    const header = document.querySelector("header");
-    expect(header).toBeTruthy();
-  });
-
-  it("shows default canvas name 'Canvas'", () => {
-    render(<TopBar />);
-    expect(document.body.textContent).toContain("Canvas");
-  });
-
-  it("shows custom canvas name when provided", () => {
-    render(<TopBar canvasName="Production Canvas" />);
-    expect(document.body.textContent).toContain("Production Canvas");
-    expect(document.body.textContent).not.toContain("Canvas\n"); // not default
-  });
-
-  it("renders New Agent button", () => {
-    render(<TopBar />);
-    const btn = Array.from(document.querySelectorAll("button")).find(
-      (b) => b.textContent?.includes("New Agent"),
-    );
-    expect(btn).toBeTruthy();
-  });
-
-  it("renders SettingsButton", () => {
-    render(<TopBar />);
-    const settingsBtn = document.querySelector('button[aria-label="Settings"]');
-    expect(settingsBtn).toBeTruthy();
-  });
-
-  it("renders logo icon", () => {
-    render(<TopBar />);
-    const logo = Array.from(document.querySelectorAll("span")).find(
-      (s) => s.getAttribute("aria-hidden") === "true",
-    );
-    expect(logo).toBeTruthy();
-    expect(logo?.textContent).toContain("☁");
-  });
-});
-
-// ─── Interaction ──────────────────────────────────────────────────────────────
-
-describe("TopBar — interaction", () => {
-  it("New Agent button is in the DOM and not disabled", () => {
-    render(<TopBar />);
-    const btn = Array.from(document.querySelectorAll("button")).find(
-      (b) => b.textContent?.includes("New Agent"),
-    );
-    expect(btn).toBeTruthy();
-    expect(btn!.getAttribute("disabled")).toBeNull();
-  });
-
-  it("renders without crashing with empty canvasName", () => {
-    render(<TopBar canvasName="" />);
-    expect(document.querySelector("header")).toBeTruthy();
-  });
-
-  it("renders without crashing with long canvasName", () => {
-    const longName = "A".repeat(200);
-    render(<TopBar canvasName={longName} />);
-    expect(document.body.textContent).toContain(longName);
-  });
-});
@@ -101,20 +101,6 @@ describe("Esc — deselect / close context menu", () => {
    fireEvent.keyDown(window, { key: "Escape" });
    expect(mockStoreState.selectNode).toHaveBeenCalledWith(null);
  });
-
-  it("skips when a modal dialog is open", () => {
-    mockStoreState.contextMenu = null;
-    mockStoreState.selectedNodeId = "n1";
-    renderWithProvider();
-    const dialog = document.createElement("div");
-    dialog.setAttribute("role", "dialog");
-    dialog.setAttribute("aria-modal", "true");
-    document.body.appendChild(dialog);
-    fireEvent.keyDown(window, { key: "Escape" });
-    expect(mockStoreState.clearSelection).not.toHaveBeenCalled();
-    expect(mockStoreState.selectNode).not.toHaveBeenCalled();
-    document.body.removeChild(dialog);
-  });
 });

 describe("Enter — hierarchy navigation", () => {
@@ -150,17 +136,6 @@ describe("Enter — hierarchy navigation", () => {
    fireEvent.keyDown(window, { key: "Enter" });
    expect(mockStoreState.selectNode).not.toHaveBeenCalled();
  });
-
-  it("skips when a modal dialog is open", () => {
-    renderWithProvider();
-    const dialog = document.createElement("div");
-    dialog.setAttribute("role", "dialog");
-    dialog.setAttribute("aria-modal", "true");
-    document.body.appendChild(dialog);
-    fireEvent.keyDown(window, { key: "Enter" });
-    expect(mockStoreState.selectNode).not.toHaveBeenCalled();
-    document.body.removeChild(dialog);
-  });
 });

 describe("Cmd+]/[ — z-order bump", () => {
@@ -185,17 +160,6 @@ describe("Cmd+]/[ — z-order bump", () => {
    fireEvent.keyDown(window, { key: "]", ctrlKey: true });
    expect(mockStoreState.bumpZOrder).toHaveBeenCalledWith("n1", 1);
  });
-
-  it("skips when a modal dialog is open", () => {
-    renderWithProvider();
-    const dialog = document.createElement("div");
-    dialog.setAttribute("role", "dialog");
-    dialog.setAttribute("aria-modal", "true");
-    document.body.appendChild(dialog);
-    fireEvent.keyDown(window, { key: "]", metaKey: true });
-    expect(mockStoreState.bumpZOrder).not.toHaveBeenCalled();
-    document.body.removeChild(dialog);
-  });
 });

 describe("Z — zoom-to-team", () => {
@@ -248,17 +212,6 @@ describe("Z — zoom-to-team", () => {
    expect(dispatchedEvents).toHaveLength(0);
    document.body.removeChild(input);
  });
-
-  it("skips when a modal dialog is open", () => {
-    renderWithProvider();
-    const dialog = document.createElement("div");
-    dialog.setAttribute("role", "dialog");
-    dialog.setAttribute("aria-modal", "true");
-    document.body.appendChild(dialog);
-    fireEvent.keyDown(window, { key: "z" });
-    expect(dispatchedEvents).toHaveLength(0);
-    document.body.removeChild(dialog);
-  });
 });

 describe("Arrow keys — keyboard node movement", () => {
@@ -1,311 +0,0 @@
-/**
- * Unit tests for buildDeployMap — the pure tree-traversal core of
- * useOrgDeployState.
- *
- * What is tested here:
- *   - Root / leaf identification via parent-chain walk
- *   - isDeployingRoot: true when any descendant is "provisioning"
- *   - isActivelyProvisioning: true only for the node itself in that state
- *   - isLockedChild: true for non-root nodes in a deploying tree
- *   - isLockedChild: also true for nodes in deletingIds (even if not deploying)
- *   - descendantProvisioningCount: non-zero only on root nodes
- *   - Performance contract: O(n) single-pass walk — tested by verifying
- *     correctness across 50-node trees (n=50, all cases above)
- *
- * What is NOT tested here (hook integration — appropriate for E2E):
- *   - The useMemo / Zustand subscription wiring
- *   - React Flow integration (flowToScreenPosition, getInternalNode)
- *
- * Issue: #2071 (Canvas test gaps follow-up).
- */
-import { describe, expect, it } from "vitest";
-import { buildDeployMap, type OrgDeployState } from "../useOrgDeployState";
-
-// ── Helpers ──────────────────────────────────────────────────────────────────
-
-type Projection = { id: string; parentId: string | null; status: string };
-
-function proj(
-  id: string,
-  parentId: string | null,
-  status: string,
-): Projection {
-  return { id, parentId, status };
-}
-
-/** Unchecked cast — test helpers aren't production code paths. */
-function m(
-  ps: Projection[],
-  deletingIds: string[] = [],
-): Map<string, OrgDeployState> {
-  return buildDeployMap(ps, new Set(deletingIds));
-}
-
-function s(
-  map: Map<string, OrgDeployState>,
-  id: string,
-): OrgDeployState {
-  const got = map.get(id);
-  if (!got) throw new Error(`no entry for id=${id}`);
-  return got;
-}
-
-// ── Empty / trivial ───────────────────────────────────────────────────────────
-
-describe("buildDeployMap — empty", () => {
-  it("returns empty map for empty projections", () => {
-    expect(m([]).size).toBe(0);
-  });
-});
-
-// ── Single node ─────────────────────────────────────────────────────────────
-
-describe("buildDeployMap — single node", () => {
-  it("isolated node is its own root and not deploying", () => {
-    const map = m([proj("a", null, "online")]);
-    expect(s(map, "a")).toEqual({
-      isActivelyProvisioning: false,
-      isDeployingRoot: false,
-      isLockedChild: false,
-      descendantProvisioningCount: 0,
-    });
-  });
-
-  it("isolated provisioning node is deploying root", () => {
-    const map = m([proj("a", null, "provisioning")]);
-    expect(s(map, "a")).toEqual({
-      isActivelyProvisioning: true,
-      isDeployingRoot: true,
-      isLockedChild: false,
-      descendantProvisioningCount: 1,
-    });
-  });
-});
-
-// ── Parent / child chains ─────────────────────────────────────────────────────
-
-describe("buildDeployMap — parent / child chains", () => {
-  it("root with online child: root is not deploying, child is not locked", () => {
-    // A ──► B
-    const map = m([
-      proj("A", null, "online"),
-      proj("B", "A", "online"),
-    ]);
-    expect(s(map, "A")).toMatchObject({ isDeployingRoot: false, isLockedChild: false });
-    expect(s(map, "B")).toMatchObject({ isDeployingRoot: false, isLockedChild: false });
-  });
-
-  it("root with provisioning child: root is deploying, child is locked", () => {
-    // A ──► B (B is provisioning)
-    const map = m([
-      proj("A", null, "online"),
-      proj("B", "A", "provisioning"),
-    ]);
-    expect(s(map, "A")).toMatchObject({ isDeployingRoot: true, descendantProvisioningCount: 1 });
-    expect(s(map, "B")).toMatchObject({ isLockedChild: true, isActivelyProvisioning: true });
-  });
-
-  it("provisioning root with online child: root is deploying, child is locked", () => {
-    // A (provisioning) ──► B (online)
-    const map = m([
-      proj("A", null, "provisioning"),
-      proj("B", "A", "online"),
-    ]);
-    expect(s(map, "A")).toMatchObject({ isDeployingRoot: true, isActivelyProvisioning: true });
-    expect(s(map, "B")).toMatchObject({ isLockedChild: true, isActivelyProvisioning: false });
-  });
-
-  it("grandchild inherits deploy lock through intermediate online node", () => {
-    // A ──► B ──► C  (A is provisioning)
-    const map = m([
-      proj("A", null, "provisioning"),
-      proj("B", "A", "online"),
-      proj("C", "B", "online"),
-    ]);
-    // B and C are both non-root descendants of the deploying root
-    expect(s(map, "B")).toMatchObject({ isLockedChild: true });
-    expect(s(map, "C")).toMatchObject({ isLockedChild: true });
-    expect(s(map, "A")).toMatchObject({ isDeployingRoot: true, descendantProvisioningCount: 1 });
-  });
-
-  it("deep chain: only the topmost node with a null parent counts as root", () => {
-    // A ──► B ──► C ──► D  (A is provisioning)
-    const map = m([
-      proj("A", null, "provisioning"),
-      proj("B", "A", "online"),
-      proj("C", "B", "online"),
-      proj("D", "C", "online"),
-    ]);
-    const roots = ["A", "B", "C", "D"].filter((id) => s(map, id).isDeployingRoot);
-    expect(roots).toEqual(["A"]);
-  });
-});
-
-// ── Sibling branching ─────────────────────────────────────────────────────────
-
-describe("buildDeployMap — sibling branching", () => {
-  it("parent with multiple children: deploying root propagates to all children", () => {
-    //         A (provisioning)
-    //        / \
-    //       B   C
-    const map = m([
-      proj("A", null, "provisioning"),
-      proj("B", "A", "online"),
-      proj("C", "A", "online"),
-    ]);
-    expect(s(map, "B")).toMatchObject({ isLockedChild: true });
-    expect(s(map, "C")).toMatchObject({ isLockedChild: true });
-    expect(s(map, "A")).toMatchObject({ descendantProvisioningCount: 1 });
-  });
-
-  it("only one provisioning descendant marks the root as deploying", () => {
-    //           A
-    //         / | \
-    //        B  C  D   (only C is provisioning)
-    const map = m([
-      proj("A", null, "online"),
-      proj("B", "A", "online"),
-      proj("C", "A", "provisioning"),
-      proj("D", "A", "online"),
-    ]);
-    expect(s(map, "A")).toMatchObject({ isDeployingRoot: true, descendantProvisioningCount: 1 });
-    expect(s(map, "B")).toMatchObject({ isLockedChild: true });
-    expect(s(map, "C")).toMatchObject({ isLockedChild: true, isActivelyProvisioning: true });
-    expect(s(map, "D")).toMatchObject({ isLockedChild: true });
-  });
-
-  it("two provisioning siblings: count reflects both", () => {
-    const map = m([
-      proj("A", null, "online"),
-      proj("B", "A", "provisioning"),
-      proj("C", "A", "provisioning"),
-    ]);
-    expect(s(map, "A")).toMatchObject({ descendantProvisioningCount: 2 });
-    expect(s(map, "B")).toMatchObject({ isActivelyProvisioning: true });
-    expect(s(map, "C")).toMatchObject({ isActivelyProvisioning: true });
-  });
-});
-
-// ── Multiple disjoint trees ───────────────────────────────────────────────────
-
-describe("buildDeployMap — multiple disjoint trees", () => {
-  it("each tree has its own root; deploying nodes are independent", () => {
-    // Tree 1: X (provisioning) ──► Y
-    // Tree 2: P ──► Q  (no provisioning)
-    const map = m([
-      proj("X", null, "provisioning"),
-      proj("Y", "X", "online"),
-      proj("P", null, "online"),
-      proj("Q", "P", "online"),
-    ]);
-    expect(s(map, "X")).toMatchObject({ isDeployingRoot: true });
-    expect(s(map, "Y")).toMatchObject({ isLockedChild: true });
-    expect(s(map, "P")).toMatchObject({ isDeployingRoot: false, isLockedChild: false });
-    expect(s(map, "Q")).toMatchObject({ isDeployingRoot: false, isLockedChild: false });
-  });
-});
-
-// ── Deleting nodes ────────────────────────────────────────────────────────────
-
-describe("buildDeployMap — deletingIds", () => {
-  it("node in deletingIds is locked even if tree is not deploying", () => {
-    const map = m(
-      [
-        proj("A", null, "online"),
-        proj("B", "A", "online"),
-      ],
-      ["B"], // B is being deleted
-    );
-    expect(s(map, "A")).toMatchObject({ isLockedChild: false });
-    expect(s(map, "B")).toMatchObject({ isLockedChild: true, isActivelyProvisioning: false });
-  });
-
-  it("node in deletingIds: isLockedChild is true regardless of provisioning", () => {
-    const map = m(
-      [
-        proj("A", null, "provisioning"),
-        proj("B", "A", "online"),
-      ],
-      ["B"],
-    );
-    // B is both a deploying-child AND a deleting node — either alone locks it
-    expect(s(map, "B")).toMatchObject({ isLockedChild: true });
-  });
-
-  it("empty deletingIds set has no effect", () => {
-    const map = m(
-      [
-        proj("A", null, "online"),
-        proj("B", "A", "online"),
-      ],
-      [],
-    );
-    expect(s(map, "B")).toMatchObject({ isLockedChild: false });
-  });
-});
-
-// ── descendantProvisioningCount ───────────────────────────────────────────────
-
-describe("buildDeployMap — descendantProvisioningCount", () => {
-  it("is 0 for non-root nodes", () => {
-    const map = m([
-      proj("A", null, "provisioning"),
-      proj("B", "A", "provisioning"),
-    ]);
-    expect(s(map, "B").descendantProvisioningCount).toBe(0);
-  });
-
-  it("includes the root's own status when provisioning", () => {
-    const map = m([
-      proj("A", null, "provisioning"),
-      proj("B", "A", "online"),
-    ]);
-    // A is both root and provisioning → count includes itself
-    expect(s(map, "A").descendantProvisioningCount).toBe(1);
-  });
-
-  it("accumulates all provisioning descendants (not just immediate children)", () => {
-    const map = m([
-      proj("A", null, "online"),
-      proj("B", "A", "online"),
-      proj("C", "B", "provisioning"),
-    ]);
-    expect(s(map, "A").descendantProvisioningCount).toBe(1);
-  });
-});
-
-// ── O(n) performance ─────────────────────────────────────────────────────────
-
-describe("buildDeployMap — O(n) performance contract", () => {
-  it("handles a 50-node three-level tree without incorrect node assignments", () => {
-    // Level 0: 1 root
-    // Level 1: 7 children
-    // Level 2: 42 leaves
-    // Total: 50 nodes
-    const projections: Projection[] = [];
-    projections.push(proj("root", null, "provisioning"));
-    for (let i = 0; i < 7; i++) {
-      projections.push(proj(`l1-${i}`, "root", "online"));
-    }
-    for (let i = 0; i < 42; i++) {
-      const parent = `l1-${Math.floor(i / 6)}`;
-      projections.push(proj(`l2-${i}`, parent, "online"));
-    }
-    const map = m(projections);
-
-    // Root is the only deploying node
-    expect(s(map, "root")).toMatchObject({
-      isDeployingRoot: true,
-      isLockedChild: false,
-      descendantProvisioningCount: 1,
-    });
-
-    // Every other node is a locked child
-    for (let i = 0; i < 7; i++) {
-      expect(s(map, `l1-${i}`)).toMatchObject({ isLockedChild: true, isDeployingRoot: false });
-    }
-    for (let i = 0; i < 42; i++) {
-      expect(s(map, `l2-${i}`)).toMatchObject({ isLockedChild: true, isDeployingRoot: false });
-    }
-  });
-});
@@ -13,9 +13,7 @@ function hasChildren(nodeId: string, nodes: Node<WorkspaceNodeData>[]): boolean
 /**
 * Canvas-wide keyboard shortcuts. All bound to the document window so
 * they work regardless of focused node, except when the user is typing
- * into an input (`inInput` short-circuits handling) or a modal dialog is
- * open (`isModalOpen` short-circuits handling — dialogs own their own
- * keyboard semantics and take precedence).
+ * into an input (`inInput` short-circuits handling).
 *
 *   Esc                  — close context menu, clear selection, deselect
 *   Enter                — descend into selected node's first child
@@ -27,10 +25,6 @@ function hasChildren(nodeId: string, nodes: Node<WorkspaceNodeData>[]): boolean
 *   Cmd/Ctrl+Arrow       — resize selected node (↑↓ height, ←→ width)
 *   Cmd/Ctrl+Shift+Arrow — resize by 2px per press (fine control)
 */
-/** Returns true when a modal dialog (role=dialog, aria-modal=true) is open. */
-const isModalOpen = () =>
-  document.querySelector('[role="dialog"][aria-modal="true"]') !== null;
-
 export function useKeyboardShortcuts() {
  useEffect(() => {
    const handler = (e: KeyboardEvent) => {
@@ -42,7 +36,6 @@ export function useKeyboardShortcuts() {
        (e.target as HTMLElement).isContentEditable;

      if (e.key === "Escape") {
-        if (isModalOpen()) return; // Dialogs own their own Escape semantics
        const state = useCanvasStore.getState();
        if (state.contextMenu) {
          state.closeContextMenu();
@@ -54,9 +47,8 @@ export function useKeyboardShortcuts() {
      }

      // Figma-style hierarchy navigation. Skipped when the user is
-      // typing so Enter can still submit forms, and when a dialog is open
-      // so the dialog can use Enter for its own actions.
-      if (!inInput && !isModalOpen() && (e.key === "Enter" || e.key === "NumpadEnter")) {
+      // typing so Enter can still submit forms.
+      if (!inInput && (e.key === "Enter" || e.key === "NumpadEnter")) {
        e.preventDefault();
        const state = useCanvasStore.getState();
        const id = state.selectedNodeId;
@@ -71,9 +63,6 @@ export function useKeyboardShortcuts() {
        }
      }

-      // Skip when a modal is open so dialog shortcuts take precedence.
-      if (isModalOpen()) return;
-
      if (
        !inInput &&
        (e.metaKey || e.ctrlKey) &&
@@ -122,7 +111,7 @@ export function useKeyboardShortcuts() {
        if (!selectedId) return;
        // Skip when a modal/dialog is already open — dialogs own their own
        // arrow-key semantics and shouldn't trigger canvas moves.
-        if (isModalOpen()) return;
+        if (document.querySelector('[role="dialog"][aria-modal="true"]')) return;
        e.preventDefault();
        const step = e.shiftKey ? 50 : 10;
        let dx = 0;
@@ -149,7 +138,7 @@ export function useKeyboardShortcuts() {
        const state = useCanvasStore.getState();
        const selectedId = state.selectedNodeId;
        if (!selectedId) return;
-        if (isModalOpen()) return;
+        if (document.querySelector('[role="dialog"][aria-modal="true"]')) return;
        e.preventDefault();
        const step = e.shiftKey ? 2 : 10;
        const node = state.nodes.find((n) => n.id === selectedId);
@@ -40,8 +40,7 @@ interface NodeProjection {
  status: string;
 }

-// Exported for unit testing — the function is pure and deterministic.
-export function buildDeployMap(
+function buildDeployMap(
  projections: NodeProjection[],
  deletingIds: ReadonlySet<string>,
 ): Map<string, OrgDeployState> {
@@ -1,185 +0,0 @@
-// @vitest-environment jsdom
-/**
- * MobileCanvas — mobile mini-graph with pinch-zoom and tap-to-open.
- *
- * Per WCAG 2.1 AA / mobile interaction:
- *   - Reset button visible only after zoom/pan (zoomed state)
- *   - Spawn FAB always visible with aria-label
- *   - Legend always visible with all 5 status types
- *   - WorkspacePill shows node count
- *   - Node buttons clickable with onOpen(id) callback
- *
- * NOTE: No @testing-library/jest-dom — use DOM APIs.
- */
-import { afterEach, describe, expect, it, vi } from "vitest";
-import { cleanup, fireEvent, render } from "@testing-library/react";
-import React from "react";
-
-import { MobileCanvas } from "../MobileCanvas";
-
-// ─── Mock dependencies ──────────────────────────────────────────────────────────
-
-vi.mock("@/lib/theme-provider", () => ({
-  useTheme: () => ({ theme: "dark", resolvedTheme: "dark", setTheme: vi.fn() }),
-}));
-
-const mockNodes = [
-  {
-    id: "ws-1",
-    position: { x: 100, y: 200 },
-    data: {
-      name: "Alpha Agent",
-      status: "online",
-      tier: 2,
-      parentId: null,
-      runtime: "langgraph",
-      activeTasks: 0,
-      role: "researcher",
-    },
-  },
-  {
-    id: "ws-2",
-    position: { x: 300, y: 400 },
-    data: {
-      name: "Beta Agent",
-      status: "degraded",
-      tier: 3,
-      parentId: "ws-1",
-      runtime: "claude-code",
-      activeTasks: 1,
-      role: "developer",
-    },
-  },
-  {
-    id: "ws-3",
-    position: { x: 0, y: 0 },
-    data: {
-      name: "Gamma Agent",
-      status: "offline",
-      tier: 1,
-      parentId: null,
-      runtime: "hermes",
-      activeTasks: 0,
-      role: "analyst",
-    },
-  },
-];
-
-vi.mock("@/store/canvas", () => ({
-  useCanvasStore: vi.fn((selector) => {
-    if (typeof selector === "function") {
-      return selector({ nodes: mockNodes });
-    }
-    return mockNodes;
-  }),
-  summarizeWorkspaceCapabilities: vi.fn((data: { status?: string; role?: string }) => ({
-    runtime: data.status ? "langgraph" : "unknown",
-    skillCount: 0,
-    currentTask: data.role ?? "",
-  })),
-}));
-
-afterEach(() => {
-  cleanup();
-  vi.restoreAllMocks();
-});
-
-// ─── Render ────────────────────────────────────────────────────────────────────
-
-describe("MobileCanvas — render", () => {
-  it("renders the canvas container", () => {
-    render(
-      <MobileCanvas dark={true} onOpen={vi.fn()} onSpawn={vi.fn()} />,
-    );
-    const container = document.querySelector('[style*="position: absolute"]');
-    expect(container).toBeTruthy();
-  });
-
-  it("renders the legend with all 5 status types", () => {
-    render(
-      <MobileCanvas dark={true} onOpen={vi.fn()} onSpawn={vi.fn()} />,
-    );
-    const legend = Array.from(document.querySelectorAll("div")).find(
-      (d) => d.textContent?.includes("Legend"),
-    );
-    expect(legend).toBeTruthy();
-    expect(legend?.textContent).toContain("online");
-    expect(legend?.textContent).toContain("starting");
-    expect(legend?.textContent).toContain("degraded");
-    expect(legend?.textContent).toContain("failed");
-    expect(legend?.textContent).toContain("paused");
-  });
-
-  it("renders spawn FAB with correct aria-label", () => {
-    render(
-      <MobileCanvas dark={true} onOpen={vi.fn()} onSpawn={vi.fn()} />,
-    );
-    const fab = document.querySelector('button[aria-label="Spawn new agent"]');
-    expect(fab).toBeTruthy();
-  });
-
-  it("renders node buttons for each store node", () => {
-    render(
-      <MobileCanvas dark={true} onOpen={vi.fn()} onSpawn={vi.fn()} />,
-    );
-    const buttons = document.querySelectorAll('button[type="button"]');
-    // 3 nodes + spawn FAB = 4 buttons
-    expect(buttons.length).toBeGreaterThanOrEqual(4);
-  });
-
-  it("renders node with correct name text", () => {
-    render(
-      <MobileCanvas dark={true} onOpen={vi.fn()} onSpawn={vi.fn()} />,
-    );
-    expect(document.body.textContent).toContain("Alpha Agent");
-    expect(document.body.textContent).toContain("Beta Agent");
-    expect(document.body.textContent).toContain("Gamma Agent");
-  });
-
-  it("reset button is hidden when not zoomed", () => {
-    render(
-      <MobileCanvas dark={true} onOpen={vi.fn()} onSpawn={vi.fn()} />,
-    );
-    const reset = document.querySelector('button[aria-label="Reset zoom"]');
-    expect(reset).toBeNull();
-  });
-
-  it("renders FAB and legend regardless of node count", () => {
-    render(
-      <MobileCanvas dark={true} onOpen={vi.fn()} onSpawn={vi.fn()} />,
-    );
-    const fab = document.querySelector('button[aria-label="Spawn new agent"]');
-    expect(fab).toBeTruthy();
-    const legend = Array.from(document.querySelectorAll("div")).find(
-      (d) => d.textContent?.includes("Legend"),
-    );
-    expect(legend).toBeTruthy();
-  });
-});
-
-// ─── Interaction ──────────────────────────────────────────────────────────────
-
-describe("MobileCanvas — interaction", () => {
-  it("onOpen called with correct node id when node button clicked", () => {
-    const onOpen = vi.fn();
-    render(
-      <MobileCanvas dark={true} onOpen={onOpen} onSpawn={vi.fn()} />,
-    );
-    const nodeButtons = Array.from(document.querySelectorAll('button[type="button"]')).filter(
-      (b) => b.textContent?.includes("Alpha Agent"),
-    );
-    expect(nodeButtons.length).toBeGreaterThanOrEqual(1);
-    nodeButtons[0]!.click();
-    expect(onOpen).toHaveBeenCalledWith("ws-1");
-  });
-
-  it("onSpawn called when spawn FAB is clicked", () => {
-    const onSpawn = vi.fn();
-    render(
-      <MobileCanvas dark={true} onOpen={vi.fn()} onSpawn={onSpawn} />,
-    );
-    const fab = document.querySelector('button[aria-label="Spawn new agent"]')!;
-    fab.click();
-    expect(onSpawn).toHaveBeenCalledTimes(1);
-  });
-});
@@ -1,323 +0,0 @@
-// @vitest-environment jsdom
-/**
- * MobileChat — mobile message thread + composer + sub-tabs.
- *
- * Per spec §04: wired to /workspaces/:id/a2a (method message/send).
- * Slimmer surface than desktop ChatTab: no attachments, no topology overlay.
- *
- * NOTE: No @testing-library/jest-dom — use DOM APIs.
- */
-import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { cleanup, render } from "@testing-library/react";
-import React from "react";
-
-import { MobileChat } from "../MobileChat";
-
-// ─── Mock store ───────────────────────────────────────────────────────────────
-
-const mockAgentId = "ws-chat-test";
-const mockOnBack = vi.fn();
-
-// Module-level mutable state for the mock store.
-const mockStoreState = {
-  nodes: [] as Array<{
-    id: string;
-    position: { x: number; y: number };
-    data: Record<string, unknown>;
-    width?: number;
-    height?: number;
-  }>,
-  agentMessages: {} as Record<string, Array<{ id: string; content: string; timestamp: string }>>,
-};
-
-vi.mock("@/store/canvas", () => ({
-  useCanvasStore: Object.assign(
-    vi.fn((sel) => sel(mockStoreState)),
-    { getState: () => mockStoreState },
-  ),
-  summarizeWorkspaceCapabilities: vi.fn((data: Record<string, unknown>) => {
-    const agentCard = data.agentCard as Record<string, unknown> | null;
-    const skills = Array.isArray(agentCard?.skills)
-      ? (agentCard.skills as Array<Record<string, unknown>>).map(
-          (s) => String(s.name || s.id || ""),
-        ).filter(Boolean)
-      : [];
-    return {
-      runtime: (typeof data.runtime === "string" && data.runtime)
-        ? data.runtime
-        : (typeof agentCard?.runtime === "string" ? String(agentCard.runtime) : null),
-      skills,
-      skillCount: skills.length,
-      currentTask: String(data.currentTask ?? ""),
-      hasActiveTask: String(data.currentTask ?? "").trim().length > 0,
-    };
-  }),
-}));
-
-// ─── Mock API ─────────────────────────────────────────────────────────────────
-
-const { mockApiPost } = vi.hoisted(() => ({
-  mockApiPost: vi.fn().mockResolvedValue({ result: { parts: [] } }),
-}));
-
-vi.mock("@/lib/api", () => ({
-  api: { post: mockApiPost },
-}));
-
-// ─── Fixtures ────────────────────────────────────────────────────────────────
-
-const onlineNode = {
-  id: mockAgentId,
-  position: { x: 0, y: 0 },
-  data: {
-    name: "Chat Agent",
-    status: "online",
-    tier: 2,
-    agentCard: {
-      runtime: "claude-code",
-      skills: [{ name: "web-search" }],
-    },
-    currentTask: "",
-    activeTasks: 0,
-    collapsed: false,
-    role: "agent",
-    lastErrorRate: 0,
-    lastSampleError: "",
-    url: "",
-    parentId: null,
-    runtime: "claude-code",
-    needsRestart: false,
-  },
-};
-
-const offlineNode = {
-  id: "ws-offline",
-  position: { x: 0, y: 0 },
-  data: {
-    name: "Offline Agent",
-    status: "offline",
-    tier: 1,
-    agentCard: null,
-    currentTask: "",
-    activeTasks: 0,
-    collapsed: false,
-    role: "agent",
-    lastErrorRate: 0,
-    lastSampleError: "",
-    url: "",
-    parentId: null,
-    runtime: "claude-code",
-    needsRestart: false,
-  },
-};
-
-const degradedNode = {
-  id: "ws-degraded",
-  position: { x: 0, y: 0 },
-  data: {
-    name: "Degraded Agent",
-    status: "degraded",
-    tier: 3,
-    agentCard: null,
-    currentTask: "",
-    activeTasks: 0,
-    collapsed: false,
-    role: "agent",
-    lastErrorRate: 0,
-    lastSampleError: "",
-    url: "",
-    parentId: null,
-    runtime: "claude-code",
-    needsRestart: false,
-  },
-};
-
-// ─── Helpers ─────────────────────────────────────────────────────────────────
-
-function renderChat(agentId: string, dark = false) {
-  return render(
-    <MobileChat
-      agentId={agentId}
-      dark={dark}
-      onBack={mockOnBack}
-    />,
-  );
-}
-
-// ─── Setup / teardown ─────────────────────────────────────────────────────────
-
-beforeEach(() => {
-  mockOnBack.mockClear();
-  mockStoreState.nodes = [];
-  mockStoreState.agentMessages = {};
-  mockApiPost.mockClear();
-});
-
-afterEach(() => {
-  cleanup();
-  vi.clearAllMocks();
-});
-
-// ─── Not found ───────────────────────────────────────────────────────────────
-
-describe("MobileChat — agent not found", () => {
-  it('renders "Agent not found." when node is absent', () => {
-    mockStoreState.nodes = [onlineNode];
-    const { container } = renderChat("nonexistent-id");
-    expect(container.textContent ?? "").toContain("Agent not found.");
-  });
-});
-
-// ─── Header ──────────────────────────────────────────────────────────────────
-
-describe("MobileChat — header", () => {
-  beforeEach(() => {
-    mockStoreState.nodes = [onlineNode];
-  });
-
-  it("renders Back button with aria-label", () => {
-    const { container } = renderChat(mockAgentId);
-    const backBtn = container.querySelector('[aria-label="Back"]');
-    expect(backBtn).toBeTruthy();
-  });
-
-  it("Back button calls onBack", () => {
-    const { container } = renderChat(mockAgentId);
-    const backBtn = container.querySelector('[aria-label="Back"]') as HTMLButtonElement;
-    backBtn.click();
-    expect(mockOnBack).toHaveBeenCalledTimes(1);
-  });
-
-  it("renders agent name in header", () => {
-    const { container } = renderChat(mockAgentId);
-    expect(container.textContent ?? "").toContain("Chat Agent");
-  });
-
-  it("renders a More button", () => {
-    const { container } = renderChat(mockAgentId);
-    const moreBtn = container.querySelector('[aria-label="More"]');
-    expect(moreBtn).toBeTruthy();
-  });
-
-  it("renders footer with agentId", () => {
-    const { container } = renderChat(mockAgentId);
-    expect(container.textContent ?? "").toContain(mockAgentId);
-  });
-});
-
-// ─── Composer ────────────────────────────────────────────────────────────────
-
-describe("MobileChat — composer", () => {
-  beforeEach(() => {
-    mockStoreState.nodes = [onlineNode];
-  });
-
-  it("renders a textarea for message input", () => {
-    const { container } = renderChat(mockAgentId);
-    const textarea = container.querySelector("textarea");
-    expect(textarea).toBeTruthy();
-  });
-
-  it("textarea has placeholder text", () => {
-    const { container } = renderChat(mockAgentId);
-    const textarea = container.querySelector("textarea") as HTMLTextAreaElement;
-    expect(textarea.placeholder).toBeTruthy();
-    expect(textarea.placeholder).toContain("Send a message");
-  });
-
-  it("renders a Send button with aria-label", () => {
-    const { container } = renderChat(mockAgentId);
-    const sendBtn = container.querySelector('[aria-label="Send"]');
-    expect(sendBtn).toBeTruthy();
-  });
-
-  it("Send button is disabled when textarea is empty (no draft)", () => {
-    const { container } = renderChat(mockAgentId);
-    const sendBtn = container.querySelector('[aria-label="Send"]') as HTMLButtonElement;
-    expect(sendBtn.disabled).toBe(true);
-  });
-});
-
-// ─── Tabs ─────────────────────────────────────────────────────────────────────
-
-describe("MobileChat — tabs", () => {
-  beforeEach(() => {
-    mockStoreState.nodes = [onlineNode];
-  });
-
-  it("renders My Chat and Agent Comms tab labels", () => {
-    const { container } = renderChat(mockAgentId);
-    const text = container.textContent ?? "";
-    expect(text).toContain("My Chat");
-    expect(text).toContain("Agent Comms");
-  });
-
-  it("defaults to My Chat tab", () => {
-    const { container } = renderChat(mockAgentId);
-    // My Chat is the default; if there are no messages it should show the empty state
-    expect(container.textContent ?? "").toContain("My Chat");
-  });
-});
-
-// ─── Empty state ─────────────────────────────────────────────────────────────
-
-describe("MobileChat — empty state", () => {
-  beforeEach(() => {
-    mockStoreState.nodes = [onlineNode];
-  });
-
-  it('shows "Send a message to start chatting." when no messages', () => {
-    const { container } = renderChat(mockAgentId);
-    expect(container.textContent ?? "").toContain("Send a message to start chatting.");
-  });
-
-  it("shows no messages when agentMessages[agentId] is absent (undefined)", () => {
-    // Explicitly set to empty to simulate no stored messages
-    mockStoreState.agentMessages = {};
-    const { container } = renderChat(mockAgentId);
-    expect(container.textContent ?? "").toContain("Send a message to start chatting.");
-  });
-});
-
-// ─── Agent status ────────────────────────────────────────────────────────────
-
-describe("MobileChat — agent status", () => {
-  it("renders composer for online agent", () => {
-    mockStoreState.nodes = [onlineNode];
-    const { container } = renderChat(mockAgentId);
-    expect(container.querySelector("textarea")).toBeTruthy();
-  });
-
-  it("renders composer for offline agent (with status text)", () => {
-    mockStoreState.nodes = [offlineNode];
-    const { container } = renderChat("ws-offline");
-    const textarea = container.querySelector("textarea") as HTMLTextAreaElement;
-    // Offline agent: textarea should be disabled
-    expect(textarea.disabled).toBe(true);
-  });
-
-  it("renders composer for degraded agent", () => {
-    mockStoreState.nodes = [degradedNode];
-    const { container } = renderChat("ws-degraded");
-    expect(container.querySelector("textarea")).toBeTruthy();
-  });
-
-  it("offline agent shows agent name", () => {
-    mockStoreState.nodes = [offlineNode];
-    const { container } = renderChat("ws-offline");
-    expect(container.textContent ?? "").toContain("Offline Agent");
-  });
-});
-
-// ─── Dark mode ───────────────────────────────────────────────────────────────
-
-describe("MobileChat — dark mode", () => {
-  beforeEach(() => {
-    mockStoreState.nodes = [onlineNode];
-  });
-
-  it("renders without crashing in dark mode", () => {
-    const { container } = renderChat(mockAgentId, true);
-    expect(container.querySelector('[aria-label="Back"]')).toBeTruthy();
-  });
-});
@@ -1,242 +0,0 @@
-// @vitest-environment jsdom
-/**
- * MobileComms — workspace A2A traffic feed with All/Errors filter.
- *
- * Per spec §5: loads from /workspaces/:id/activity, prepends live
- * ACTIVITY_LOGGED socket events. Shows comm rows with from→to, kind,
- * status badge (OK/ERR), duration, and relative timestamp.
- *
- * NOTE: No @testing-library/jest-dom — use DOM APIs.
- */
-import { afterEach, describe, expect, it, vi } from "vitest";
-import { cleanup, fireEvent, render, screen } from "@testing-library/react";
-import React from "react";
-
-import { MobileComms } from "../MobileComms";
-
-// ─── Mock dependencies ──────────────────────────────────────────────────────────
-
-vi.mock("@/lib/theme-provider", () => ({
-  useTheme: () => ({ theme: "dark", resolvedTheme: "dark", setTheme: vi.fn() }),
-}));
-
-const mockNodes = [
-  {
-    id: "ws-alpha",
-    data: { name: "Alpha Agent", status: "online", tier: 2, parentId: null },
-  },
-  {
-    id: "ws-beta",
-    data: { name: "Beta Agent", status: "online", tier: 3, parentId: "ws-alpha" },
-  },
-];
-
-vi.mock("@/store/canvas", () => ({
-  useCanvasStore: vi.fn((selector) => {
-    if (typeof selector === "function") {
-      return selector({ nodes: mockNodes });
-    }
-    return mockNodes;
-  }),
-  summarizeWorkspaceCapabilities: vi.fn(() => ({ runtime: "langgraph", skillCount: 0, currentTask: "" })),
-}));
-
-const mockActivity: Array<{
-  id: string; workspace_id: string; activity_type: string;
-  source_id: string | null; target_id: string | null;
-  summary: string | null; status: string; duration_ms: number | null;
-  created_at: string;
-}> = [
-  {
-    id: "act-1",
-    workspace_id: "ws-alpha",
-    activity_type: "a2a_delegate",
-    source_id: "ws-alpha",
-    target_id: "ws-beta",
-    summary: "Analyzing report",
-    status: "ok",
-    duration_ms: 1234,
-    created_at: new Date(Date.now() - 60000).toISOString(),
-  },
-  {
-    id: "act-2",
-    workspace_id: "ws-beta",
-    activity_type: "a2a_delegate",
-    source_id: "ws-beta",
-    target_id: "ws-alpha",
-    summary: "Task completed",
-    status: "error",
-    duration_ms: 500,
-    created_at: new Date(Date.now() - 120000).toISOString(),
-  },
-];
-
-const { apiGetSpy, socketHandlers } = vi.hoisted(() => {
-  const apiGetSpy = vi.fn();
-  return { apiGetSpy, socketHandlers: [] as Array<(msg: unknown) => void> };
-});
-
-vi.mock("@/lib/api", () => ({
-  api: {
-    get: apiGetSpy,
-    post: vi.fn(),
-  },
-}));
-
-vi.mock("@/hooks/useSocketEvent", () => ({
-  useSocketEvent: vi.fn((handler: (msg: unknown) => void) => {
-    socketHandlers.push(handler);
-    return vi.fn(); // unsubscribe
-  }),
-}));
-
-afterEach(() => {
-  cleanup();
-  socketHandlers.splice(0, socketHandlers.length);
-  apiGetSpy.mockReset();
-  vi.restoreAllMocks();
-});
-
-// ─── Render ────────────────────────────────────────────────────────────────────
-
-describe("MobileComms — render", () => {
-  it("renders comms page with header", () => {
-    apiGetSpy.mockResolvedValue([]);
-    render(<MobileComms dark={true} />);
-    expect(document.body.textContent).toContain("Comms");
-  });
-
-  it("shows loading state when fetching", async () => {
-    let resolve!: () => void;
-    apiGetSpy.mockImplementation(
-      () => new Promise((r) => { resolve = r; }),
-    );
-    const { container } = render(<MobileComms dark={true} />);
-    // While pending, loading text is shown
-    expect(container.textContent ?? "").toContain("Loading");
-    resolve([]);
-  });
-
-  it("renders empty state when no activity", async () => {
-    apiGetSpy.mockResolvedValue([]);
-    render(<MobileComms dark={true} />);
-    // Wait for the effect to run
-    await vi.waitFor(() => {
-      expect(document.body.textContent).toContain("No A2A traffic yet");
-    });
-  });
-
-  it("renders All and Errors filter buttons", async () => {
-    apiGetSpy.mockResolvedValue([]);
-    render(<MobileComms dark={true} />);
-    await vi.waitFor(() => {
-      expect(document.body.textContent).toContain("All");
-      expect(document.body.textContent).toContain("Errors");
-    });
-  });
-
-  it("shows event count in header", async () => {
-    apiGetSpy.mockImplementation((path: string) => {
-      if (path.includes("/activity")) return Promise.resolve(mockActivity);
-      return Promise.resolve([]);
-    });
-    render(<MobileComms dark={true} />);
-    await vi.waitFor(() => {
-      expect(document.body.textContent).toContain("events");
-    });
-  });
-});
-
-// ─── Interaction ──────────────────────────────────────────────────────────────
-
-describe("MobileComms — interaction", () => {
-  it("renders activity rows when data loaded", async () => {
-    apiGetSpy.mockImplementation((path: string) => {
-      if (path.includes("/activity")) return Promise.resolve(mockActivity);
-      return Promise.resolve([]);
-    });
-    render(<MobileComms dark={true} />);
-    await vi.waitFor(() => {
-      expect(document.body.textContent).toContain("a2a_delegate");
-    });
-  });
-
-  it("switching to Errors filter shows only error rows", async () => {
-    apiGetSpy.mockImplementation((path: string) => {
-      if (path.includes("/activity")) return Promise.resolve(mockActivity);
-      return Promise.resolve([]);
-    });
-    render(<MobileComms dark={true} />);
-
-    await vi.waitFor(() => {
-      expect(document.body.textContent).toContain("a2a_delegate");
-    });
-
-    const errorsBtn = Array.from(
-      document.querySelectorAll("button"),
-    ).find((b) => b.textContent?.includes("Errors"));
-    expect(errorsBtn).toBeTruthy();
-
-    fireEvent.click(errorsBtn!);
-
-    // Only the error row should remain
-    const rows = Array.from(
-      document.querySelectorAll("div"),
-    ).filter((d) => d.textContent?.includes("ERR"));
-    expect(rows.length).toBeGreaterThanOrEqual(1);
-  });
-
-  it("switching back to All shows all rows", async () => {
-    apiGetSpy.mockImplementation((path: string) => {
-      if (path.includes("/activity")) return Promise.resolve(mockActivity);
-      return Promise.resolve([]);
-    });
-    render(<MobileComms dark={true} />);
-
-    await vi.waitFor(() => {
-      expect(document.body.textContent).toContain("a2a_delegate");
-    });
-
-    const allBtn = Array.from(
-      document.querySelectorAll("button"),
-    ).find((b) => b.textContent?.includes("All"));
-    fireEvent.click(allBtn!);
-
-    // Should show OK and ERR rows
-    const okRows = Array.from(
-      document.querySelectorAll("div"),
-    ).filter((d) => d.textContent?.includes("OK"));
-    expect(okRows.length).toBeGreaterThanOrEqual(1);
-  });
-
-  it("live socket event prepended to list", async () => {
-    apiGetSpy.mockResolvedValue([]);
-    render(<MobileComms dark={true} />);
-
-    await vi.waitFor(() => {
-      expect(document.body.textContent).toContain("No A2A traffic yet");
-    });
-
-    // Simulate live ACTIVITY_LOGGED event
-    const liveHandler = socketHandlers[socketHandlers.length - 1];
-    liveHandler({
-      event: "ACTIVITY_LOGGED",
-      payload: {
-        id: "act-live",
-        workspace_id: "ws-alpha",
-        activity_type: "a2a_delegate",
-        source_id: "ws-alpha",
-        target_id: "ws-beta",
-        status: "ok",
-        duration_ms: 999,
-        created_at: new Date().toISOString(),
-      },
-    });
-
-    await vi.waitFor(() => {
-      expect(document.body.textContent).toContain("a2a_delegate");
-    });
-    // Empty state should be gone
-    expect(document.body.textContent).not.toContain("No A2A traffic yet");
-  });
-});
@@ -1,367 +0,0 @@
-// @vitest-environment jsdom
-/**
- * MobileDetail — agent detail page with tabbed content (Overview/Activity/Config/Memory).
- *
- * Per spec §03: tabbed agent detail page. MobileChat (MR !717) was also tested here.
- *
- * NOTE: No @testing-library/jest-dom — use DOM APIs.
- */
-import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { cleanup, render } from "@testing-library/react";
-import React from "react";
-
-import { MobileDetail } from "../MobileDetail";
-
-// ─── Mock store ───────────────────────────────────────────────────────────────
-
-const mockNodeId = "ws-detail-test";
-const mockOnBack = vi.fn();
-const mockOnChat = vi.fn();
-
-// Module-level mutable state for the mock store.
-// Tests mutate this between cases to control what the component sees.
-const mockStoreState = {
-  nodes: [] as Array<{
-    id: string;
-    position: { x: number; y: number };
-    data: Record<string, unknown>;
-    width?: number;
-    height?: number;
-  }>,
-};
-
-vi.mock("@/store/canvas", () => ({
-  useCanvasStore: Object.assign(
-    vi.fn((sel) => sel(mockStoreState)),
-    { getState: () => mockStoreState },
-  ),
-  summarizeWorkspaceCapabilities: vi.fn((data: Record<string, unknown>) => {
-    const agentCard = data.agentCard as Record<string, unknown> | null;
-    const skills = Array.isArray(agentCard?.skills)
-      ? (agentCard.skills as Array<Record<string, unknown>>).map(
-          (s) => String(s.name || s.id || ""),
-        ).filter(Boolean)
-      : [];
-    return {
-      runtime: (typeof data.runtime === "string" && data.runtime)
-        ? data.runtime
-        : (typeof agentCard?.runtime === "string" ? String(agentCard.runtime) : null),
-      skills,
-      skillCount: skills.length,
-      currentTask: String(data.currentTask ?? ""),
-      hasActiveTask: String(data.currentTask ?? "").trim().length > 0,
-    };
-  }),
-}));
-
-// Stub the API so DetailActivity doesn't attempt real network calls.
-vi.mock("@/lib/api", () => ({ api: { get: vi.fn().mockResolvedValue([]) } }));
-
-// ─── Fixtures ────────────────────────────────────────────────────────────────
-
-const onlineNode = {
-  id: mockNodeId,
-  position: { x: 100, y: 200 },
-  data: {
-    name: "Test Agent",
-    status: "online",
-    tier: 2,
-    agentCard: {
-      runtime: "claude-code",
-      skills: [
-        { name: "web-search", id: "skill-1" },
-        { name: "code-review", id: "skill-2" },
-        { name: "file-ops", id: "skill-3" },
-      ],
-    },
-    currentTask: "Reviewing PR #717",
-    activeTasks: 3,
-    collapsed: false,
-    role: "agent",
-    lastErrorRate: 0,
-    lastSampleError: "",
-    url: "",
-    parentId: null,
-    runtime: "claude-code",
-    needsRestart: false,
-  },
-  width: 240,
-  height: 130,
-};
-
-const failedNode = {
-  id: "ws-failed",
-  position: { x: 0, y: 0 },
-  data: {
-    name: "Failed Worker",
-    status: "failed",
-    tier: 4,
-    agentCard: null,
-    currentTask: "",
-    activeTasks: 0,
-    collapsed: false,
-    role: "agent",
-    lastErrorRate: 0.8,
-    lastSampleError: "Connection refused",
-    url: "",
-    parentId: null,
-    runtime: "external",
-    needsRestart: false,
-  },
-};
-
-const offlineNode = {
-  id: "ws-offline",
-  position: { x: 0, y: 0 },
-  data: {
-    name: "Offline Bot",
-    status: "offline",
-    tier: 1,
-    agentCard: null,
-    currentTask: "",
-    activeTasks: 0,
-    collapsed: false,
-    role: "agent",
-    lastErrorRate: 0,
-    lastSampleError: "",
-    url: "",
-    parentId: null,
-    runtime: "claude-code",
-    needsRestart: false,
-  },
-};
-
-// ─── Helpers ─────────────────────────────────────────────────────────────────
-
-function renderDetail(agentId: string, dark = false) {
-  return render(
-    <MobileDetail
-      agentId={agentId}
-      dark={dark}
-      onBack={mockOnBack}
-      onChat={mockOnChat}
-    />,
-  );
-}
-
-// ─── Setup / teardown ─────────────────────────────────────────────────────────
-
-beforeEach(() => {
-  mockOnBack.mockClear();
-  mockOnChat.mockClear();
-  mockStoreState.nodes = [];
-});
-
-afterEach(() => {
-  cleanup();
-  vi.clearAllMocks();
-});
-
-// ─── Not found ────────────────────────────────────────────────────────────────
-
-describe("MobileDetail — agent not found", () => {
-  it('renders "Agent not found." when no node matches agentId', () => {
-    mockStoreState.nodes = [onlineNode];
-    const { container } = renderDetail("nonexistent-id");
-    expect(container.textContent ?? "").toContain("Agent not found.");
-  });
-
-  it("does not render any tab buttons when agent not found", () => {
-    mockStoreState.nodes = [];
-    const { container } = renderDetail("ghost-agent");
-    expect(container.querySelectorAll("button").length).toBe(0);
-  });
-});
-
-// ─── Hero render ─────────────────────────────────────────────────────────────
-
-describe("MobileDetail — hero section", () => {
-  beforeEach(() => {
-    mockStoreState.nodes = [onlineNode];
-  });
-
-  it("renders the agent name as an h1", () => {
-    const { container } = renderDetail(mockNodeId);
-    const h1 = container.querySelector("h1");
-    expect(h1).toBeTruthy();
-    expect(h1!.textContent).toBe("Test Agent");
-  });
-
-  it("renders agent tag below the name", () => {
-    const { container } = renderDetail(mockNodeId);
-    // Tag appears in the hero section, styled differently from the name
-    expect(container.textContent ?? "").toContain("claude-code");
-  });
-
-  it("renders a Back button with aria-label", () => {
-    const { container } = renderDetail(mockNodeId);
-    const backBtn = container.querySelector('[aria-label="Back"]');
-    expect(backBtn).toBeTruthy();
-  });
-
-  it("Back button calls onBack", () => {
-    const { container } = renderDetail(mockNodeId);
-    const backBtn = container.querySelector('[aria-label="Back"]') as HTMLButtonElement;
-    backBtn.click();
-    expect(mockOnBack).toHaveBeenCalledTimes(1);
-  });
-
-  it("renders a More button", () => {
-    const { container } = renderDetail(mockNodeId);
-    const moreBtn = container.querySelector('[aria-label="More"]');
-    expect(moreBtn).toBeTruthy();
-  });
-
-  it("renders Chat CTA with icon text", () => {
-    const { container } = renderDetail(mockNodeId);
-    expect(container.textContent ?? "").toContain("Open chat");
-  });
-
-  it("Chat CTA calls onChat", () => {
-    const { container } = renderDetail(mockNodeId);
-    const chatBtn = Array.from(container.querySelectorAll("button")).find(
-      (b) => b.textContent?.includes("Open chat"),
-    );
-    expect(chatBtn).toBeTruthy();
-    (chatBtn as HTMLButtonElement).click();
-    expect(mockOnChat).toHaveBeenCalledTimes(1);
-  });
-});
-
-// ─── Pill stats ───────────────────────────────────────────────────────────────
-
-describe("MobileDetail — pill stats", () => {
-  beforeEach(() => {
-    mockStoreState.nodes = [onlineNode];
-  });
-
-  it("renders TIER pill with the agent tier", () => {
-    const { container } = renderDetail(mockNodeId);
-    expect(container.textContent ?? "").toContain("TIER");
-  });
-
-  it("renders RUNTIME pill", () => {
-    const { container } = renderDetail(mockNodeId);
-    expect(container.textContent ?? "").toContain("RUNTIME");
-  });
-
-  it("renders SKILLS pill with count", () => {
-    const { container } = renderDetail(mockNodeId);
-    // 3 skills in the agentCard fixture
-    expect(container.textContent ?? "").toContain("SKILLS");
-  });
-
-  it("renders STATUS pill", () => {
-    const { container } = renderDetail(mockNodeId);
-    expect(container.textContent ?? "").toContain("STATUS");
-  });
-
-  it("STATUS pill shows agent status value", () => {
-    const { container } = renderDetail(mockNodeId);
-    // online status from the fixture
-    expect(container.textContent ?? "").toContain("online");
-  });
-
-  it("renders all 4 pills for online agent", () => {
-    const { container } = renderDetail(mockNodeId);
-    // Count the pill container divs — each PillStat is a div with specific inline styles
-    // We verify by content: TIER, RUNTIME, SKILLS, STATUS should all be present
-    const text = container.textContent ?? "";
-    expect(text).toContain("TIER");
-    expect(text).toContain("RUNTIME");
-    expect(text).toContain("SKILLS");
-    expect(text).toContain("STATUS");
-  });
-});
-
-// ─── Tabs ─────────────────────────────────────────────────────────────────────
-
-describe("MobileDetail — tab switching", () => {
-  beforeEach(() => {
-    mockStoreState.nodes = [onlineNode];
-  });
-
-  it("renders all 4 tab buttons", () => {
-    const { container } = renderDetail(mockNodeId);
-    const text = container.textContent ?? "";
-    expect(text).toContain("Overview");
-    expect(text).toContain("Activity");
-    expect(text).toContain("Config");
-    expect(text).toContain("Memory");
-  });
-
-  it("defaults to Overview tab", () => {
-    const { container } = renderDetail(mockNodeId);
-    // DetailOverview renders ID, Tier, Runtime, Active tasks, Skills, Origin rows
-    expect(container.textContent ?? "").toContain("ID");
-    expect(container.textContent ?? "").toContain("Tier");
-  });
-
-  it("Overview tab shows agent ID", () => {
-    const { container } = renderDetail(mockNodeId);
-    expect(container.textContent ?? "").toContain(mockNodeId);
-  });
-
-  it("Overview tab shows active tasks count", () => {
-    const { container } = renderDetail(mockNodeId);
-    // onlineNode has activeTasks: 3
-    expect(container.textContent ?? "").toContain("Active tasks");
-    expect(container.textContent ?? "").toContain("3");
-  });
-
-  it("Overview tab shows skill count", () => {
-    const { container } = renderDetail(mockNodeId);
-    // 3 skills in agentCard
-    expect(container.textContent ?? "").toContain("Skills");
-    expect(container.textContent ?? "").toContain("3 loaded");
-  });
-
-  it("Config tab button is findable and is a button element", () => {
-    const { container } = renderDetail(mockNodeId);
-    const configTab = Array.from(container.querySelectorAll("button")).find(
-      (b) => b.textContent?.trim() === "Config",
-    );
-    expect(configTab).toBeTruthy();
-    expect((configTab as HTMLButtonElement).type).toBe("button");
-  });
-
-  it("Memory tab button is findable and is a button element", () => {
-    const { container } = renderDetail(mockNodeId);
-    const memoryTab = Array.from(container.querySelectorAll("button")).find(
-      (b) => b.textContent?.trim() === "Memory",
-    );
-    expect(memoryTab).toBeTruthy();
-    expect((memoryTab as HTMLButtonElement).type).toBe("button");
-  });
-});
-
-// ─── Status rendering ─────────────────────────────────────────────────────────
-
-describe("MobileDetail — status rendering", () => {
-  it("renders failed status for failed agent", () => {
-    mockStoreState.nodes = [failedNode];
-    const { container } = renderDetail("ws-failed");
-    expect(container.textContent ?? "").toContain("Failed Worker");
-    expect(container.textContent ?? "").toContain("failed");
-  });
-
-  it("renders offline status for offline agent", () => {
-    mockStoreState.nodes = [offlineNode];
-    const { container } = renderDetail("ws-offline");
-    expect(container.textContent ?? "").toContain("Offline Bot");
-    expect(container.textContent ?? "").toContain("offline");
-  });
-});
-
-// ─── Dark mode ───────────────────────────────────────────────────────────────
-
-describe("MobileDetail — dark mode", () => {
-  beforeEach(() => {
-    mockStoreState.nodes = [onlineNode];
-  });
-
-  it("renders without crashing in dark mode", () => {
-    const { container } = renderDetail(mockNodeId, true);
-    expect(container.querySelector("h1")?.textContent).toBe("Test Agent");
-  });
-});
@@ -1,245 +0,0 @@
-// @vitest-environment jsdom
-/**
- * MobileHome — workspace agent list + filter chips + spawn FAB.
- *
- * Per spec §01: live store data, filter by status, spawn FAB.
- *
- * NOTE: No @testing-library/jest-dom — use DOM APIs.
- */
-import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { cleanup, render } from "@testing-library/react";
-import React from "react";
-
-import { MobileHome } from "../MobileHome";
-
-// ─── Mock store ───────────────────────────────────────────────────────────────
-
-const mockOnOpen = vi.fn();
-const mockOnSpawn = vi.fn();
-
-const mockStoreState = {
-  nodes: [] as Array<{
-    id: string;
-    position: { x: number; y: number };
-    data: Record<string, unknown>;
-    width?: number;
-    height?: number;
-  }>,
-};
-
-vi.mock("@/store/canvas", () => ({
-  useCanvasStore: Object.assign(
-    vi.fn((sel) => sel(mockStoreState)),
-    { getState: () => mockStoreState },
-  ),
-  summarizeWorkspaceCapabilities: vi.fn((data: Record<string, unknown>) => {
-    const agentCard = data.agentCard as Record<string, unknown> | null;
-    const skills = Array.isArray(agentCard?.skills)
-      ? (agentCard.skills as Array<Record<string, unknown>>).map(
-          (s) => String(s.name || s.id || ""),
-        ).filter(Boolean)
-      : [];
-    return {
-      runtime: (typeof data.runtime === "string" && data.runtime)
-        ? data.runtime
-        : (typeof agentCard?.runtime === "string" ? String(agentCard.runtime) : null),
-      skills,
-      skillCount: skills.length,
-      currentTask: String(data.currentTask ?? ""),
-      hasActiveTask: String(data.currentTask ?? "").trim().length > 0,
-    };
-  }),
-}));
-
-// ─── Fixtures ───────────────────────────────────────────────────────────────
-
-function makeNode(overrides: Partial<Record<string, unknown>> = {}) {
-  return {
-    id: `ws-${Math.random().toString(36).slice(2, 7)}`,
-    position: { x: 0, y: 0 },
-    data: {
-      name: "Agent",
-      status: "online",
-      tier: 2,
-      agentCard: null,
-      currentTask: "",
-      activeTasks: 0,
-      collapsed: false,
-      role: "agent",
-      lastErrorRate: 0,
-      lastSampleError: "",
-      url: "",
-      parentId: null,
-      runtime: "claude-code",
-      needsRestart: false,
-      ...overrides,
-    },
-  };
-}
-
-const onlineAgent = makeNode({ name: "Online Agent", status: "online", tier: 2 });
-const failedAgent = makeNode({ name: "Failed Agent", status: "failed", tier: 4 });
-const pausedAgent = makeNode({ name: "Paused Agent", status: "paused", tier: 1 });
-
-// ─── Helpers ─────────────────────────────────────────────────────────────────
-
-function renderHome(overrides: Partial<{
-  dark: boolean;
-  density: "compact" | "regular";
-  workspaceLabel: string;
-  username: string;
-}> = {}) {
-  return render(
-    <MobileHome
-      dark={overrides.dark ?? false}
-      density={overrides.density ?? "regular"}
-      onOpen={mockOnOpen}
-      onSpawn={mockOnSpawn}
-      workspaceLabel={overrides.workspaceLabel}
-      username={overrides.username}
-    />,
-  );
-}
-
-// ─── Setup / teardown ─────────────────────────────────────────────────────────
-
-beforeEach(() => {
-  mockOnOpen.mockClear();
-  mockOnSpawn.mockClear();
-  mockStoreState.nodes = [];
-});
-
-afterEach(() => {
-  cleanup();
-});
-
-// ─── Structure ───────────────────────────────────────────────────────────────
-
-describe("MobileHome — page structure", () => {
-  it('renders "Agents" heading', () => {
-    mockStoreState.nodes = [onlineAgent];
-    const { container } = renderHome();
-    const h1 = container.querySelector("h1");
-    expect(h1).toBeTruthy();
-    expect(h1!.textContent).toBe("Agents");
-  });
-
-  it("renders WorkspacePill with agent count", () => {
-    mockStoreState.nodes = [onlineAgent, failedAgent];
-    const { container } = renderHome();
-    // WorkspacePill renders the agent count somewhere in the DOM
-    expect(container.textContent ?? "").toContain("2");
-  });
-
-  it('shows "live" suffix in subheading', () => {
-    mockStoreState.nodes = [onlineAgent];
-    const { container } = renderHome();
-    // Single agent → "1 workspace · live" (singular)
-    expect(container.textContent ?? "").toContain("workspace");
-    expect(container.textContent ?? "").toContain("live");
-  });
-
-  it("renders FilterChips row", () => {
-    mockStoreState.nodes = [onlineAgent];
-    const { container } = renderHome();
-    // FilterChips renders buttons for "All", "Online", "Issues", "Paused"
-    const text = container.textContent ?? "";
-    expect(text).toContain("All");
-    expect(text).toContain("Online");
-    expect(text).toContain("Issues");
-  });
-
-  it("renders Workspace section label", () => {
-    mockStoreState.nodes = [onlineAgent];
-    const { container } = renderHome();
-    expect(container.textContent ?? "").toContain("Workspace");
-  });
-
-  it("renders spawn FAB with aria-label", () => {
-    mockStoreState.nodes = [onlineAgent];
-    const { container } = renderHome();
-    const fab = container.querySelector('[aria-label="Spawn new agent"]');
-    expect(fab).toBeTruthy();
-  });
-
-  it("FAB calls onSpawn", () => {
-    mockStoreState.nodes = [onlineAgent];
-    const { container } = renderHome();
-    const fab = container.querySelector('[aria-label="Spawn new agent"]') as HTMLButtonElement;
-    fab.click();
-    expect(mockOnSpawn).toHaveBeenCalledTimes(1);
-  });
-
-  it("shows username when provided", () => {
-    mockStoreState.nodes = [onlineAgent];
-    const { container } = renderHome({ username: "alice@example.com" });
-    expect(container.textContent ?? "").toContain("alice@example.com");
-  });
-
-  it("omits username when not provided", () => {
-    mockStoreState.nodes = [onlineAgent];
-    const { container } = renderHome();
-    expect(container.querySelector('[style*="letter-spacing"]')?.textContent).not.toContain("@");
-  });
-
-  it("renders with custom workspaceLabel", () => {
-    mockStoreState.nodes = [onlineAgent];
-    const { container } = renderHome({ workspaceLabel: "Production" });
-    expect(container.textContent ?? "").toContain("Production");
-  });
-});
-
-// ─── Agent list ─────────────────────────────────────────────────────────────
-
-describe("MobileHome — agent list", () => {
-  it("renders agent cards when nodes are present", () => {
-    mockStoreState.nodes = [onlineAgent, failedAgent, pausedAgent];
-    const { container } = renderHome();
-    expect(container.textContent ?? "").toContain("Online Agent");
-    expect(container.textContent ?? "").toContain("Failed Agent");
-    expect(container.textContent ?? "").toContain("Paused Agent");
-  });
-
-  it("shows 'No agents match this filter.' when filter returns empty", () => {
-    mockStoreState.nodes = [onlineAgent];
-    const { container } = renderHome();
-    // By default filter is "all" — all agents match
-    expect(container.textContent ?? "").not.toContain("No agents match");
-    // If we could set filter to something that filters everything out...
-    // (filter is internal state, we test the "all" default)
-    expect(container.querySelectorAll("button").length).toBeGreaterThan(0);
-  });
-
-  it("renders no agents when node list is empty", () => {
-    mockStoreState.nodes = [];
-    const { container } = renderHome();
-    // Should show "0 workspaces" and "No agents match this filter."
-    expect(container.textContent ?? "").toContain("0 workspace");
-  });
-});
-
-// ─── Agent count display ──────────────────────────────────────────────────────
-
-describe("MobileHome — agent count", () => {
-  it("shows singular 'workspace' when count is 1", () => {
-    mockStoreState.nodes = [onlineAgent];
-    const { container } = renderHome();
-    expect(container.textContent ?? "").toContain("1 workspace");
-  });
-
-  it("shows plural 'workspaces' when count is > 1", () => {
-    mockStoreState.nodes = [onlineAgent, failedAgent];
-    const { container } = renderHome();
-    expect(container.textContent ?? "").toContain("2 workspaces");
-  });
-});
-
-// ─── Dark mode ───────────────────────────────────────────────────────────────
-
-describe("MobileHome — dark mode", () => {
-  it("renders without crashing in dark mode", () => {
-    mockStoreState.nodes = [onlineAgent];
-    const { container } = renderHome({ dark: true });
-    expect(container.querySelector("h1")?.textContent).toBe("Agents");
-  });
-});
@@ -1,212 +0,0 @@
-// @vitest-environment jsdom
-/**
- * MobileMe — theme, accent, and density preferences.
- *
- * Per spec: theme + accent + density settings for mobile.
- *
- * NOTE: No @testing-library/jest-dom — use DOM APIs.
- */
-import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { cleanup, render } from "@testing-library/react";
-import React from "react";
-
-import { MobileMe } from "../MobileMe";
-
-// ─── Mock theme provider ───────────────────────────────────────────────────────
-
-const mockSetTheme = vi.fn();
-const mockSetAccent = vi.fn();
-const mockSetDensity = vi.fn();
-
-vi.mock("@/lib/theme-provider", () => ({
-  useTheme: vi.fn(() => ({
-    theme: "system",
-    resolvedTheme: "light",
-    setTheme: mockSetTheme,
-  })),
-}));
-
-// ─── Helpers ─────────────────────────────────────────────────────────────────
-
-function renderMe(overrides: Partial<{
-  dark: boolean;
-  accent: string;
-  density: "compact" | "regular";
-}> = {}) {
-  return render(
-    <MobileMe
-      dark={overrides.dark ?? false}
-      accent={overrides.accent ?? "#2f9e6a"}
-      setAccent={mockSetAccent}
-      density={overrides.density ?? "regular"}
-      setDensity={mockSetDensity}
-    />,
-  );
-}
-
-// ─── Setup / teardown ─────────────────────────────────────────────────────────
-
-beforeEach(() => {
-  mockSetTheme.mockClear();
-  mockSetAccent.mockClear();
-  mockSetDensity.mockClear();
-});
-
-afterEach(() => {
-  cleanup();
-});
-
-// ─── Structure ───────────────────────────────────────────────────────────────
-
-describe("MobileMe — page structure", () => {
-  it('renders "Me" heading', () => {
-    const { container } = renderMe();
-    const h1 = container.querySelector("h1");
-    expect(h1).toBeTruthy();
-    expect(h1!.textContent).toBe("Me");
-  });
-
-  it("renders theme section label", () => {
-    const { container } = renderMe();
-    expect(container.textContent ?? "").toContain("Theme");
-  });
-
-  it("renders theme options: System, Light, Dark", () => {
-    const { container } = renderMe();
-    const text = container.textContent ?? "";
-    expect(text).toContain("System");
-    expect(text).toContain("Light");
-    expect(text).toContain("Dark");
-  });
-
-  it("renders accent section label", () => {
-    const { container } = renderMe();
-    expect(container.textContent ?? "").toContain("Accent");
-  });
-
-  it("renders all 5 accent color swatches", () => {
-    const { container } = renderMe();
-    const swatches = container.querySelectorAll("button[aria-label]");
-    // 5 accent swatches + theme buttons + density buttons = more than 5
-    // We verify the accent swatches by checking aria-labels
-    const accentLabels = Array.from(swatches)
-      .map((b) => b.getAttribute("aria-label") ?? "")
-      .filter((l) => l.startsWith("Set accent"));
-    expect(accentLabels.length).toBe(5);
-  });
-
-  it("renders density section label", () => {
-    const { container } = renderMe();
-    expect(container.textContent ?? "").toContain("Density");
-  });
-
-  it("renders density options: Regular, Compact", () => {
-    const { container } = renderMe();
-    const text = container.textContent ?? "";
-    expect(text).toContain("Regular");
-    expect(text).toContain("Compact");
-  });
-
-  it("renders version footer", () => {
-    const { container } = renderMe();
-    expect(container.textContent ?? "").toContain("Mobile design preview");
-  });
-});
-
-// ─── Theme selection ──────────────────────────────────────────────────────────
-
-describe("MobileMe — theme selection", () => {
-  it("renders System as the active theme (from mock)", () => {
-    const { container } = renderMe();
-    // The theme buttons are rendered; System is active in our mock
-    // We verify the buttons exist and are findable
-    const buttons = Array.from(container.querySelectorAll("button"));
-    const themeButtons = buttons.filter(
-      (b) => ["System", "Light", "Dark"].includes(b.textContent?.trim() ?? ""),
-    );
-    expect(themeButtons.length).toBe(3);
-  });
-
-  it("calls setTheme when a theme button is clicked", () => {
-    const { container } = renderMe();
-    const darkBtn = Array.from(container.querySelectorAll("button")).find(
-      (b) => b.textContent?.trim() === "Dark",
-    );
-    expect(darkBtn).toBeTruthy();
-    darkBtn!.click();
-    expect(mockSetTheme).toHaveBeenCalledWith("dark");
-  });
-});
-
-// ─── Accent selection ────────────────────────────────────────────────────────
-
-describe("MobileMe — accent selection", () => {
-  it("renders accent buttons with aria-label", () => {
-    const { container } = renderMe();
-    const swatches = container.querySelectorAll("button[aria-label]");
-    const accentSwatches = Array.from(swatches).filter(
-      (b) => (b.getAttribute("aria-label") ?? "").startsWith("Set accent"),
-    );
-    expect(accentSwatches.length).toBe(5);
-  });
-
-  it("calls setAccent with the correct color", () => {
-    const { container } = renderMe();
-    const swatch = Array.from(container.querySelectorAll("button[aria-label]")).find(
-      (b) => b.getAttribute("aria-label") === "Set accent #3b6fe0",
-    );
-    expect(swatch).toBeTruthy();
-    swatch!.click();
-    expect(mockSetAccent).toHaveBeenCalledWith("#3b6fe0");
-  });
-});
-
-// ─── Density selection ────────────────────────────────────────────────────────
-
-describe("MobileMe — density selection", () => {
-  it("renders density buttons", () => {
-    const { container } = renderMe();
-    const buttons = Array.from(container.querySelectorAll("button"));
-    const densityButtons = buttons.filter(
-      (b) => ["Regular", "Compact"].includes(b.textContent?.trim() ?? ""),
-    );
-    expect(densityButtons.length).toBe(2);
-  });
-
-  it("calls setDensity when Compact is clicked", () => {
-    const { container } = renderMe({ density: "regular" });
-    const compactBtn = Array.from(container.querySelectorAll("button")).find(
-      (b) => b.textContent?.trim() === "Compact",
-    );
-    expect(compactBtn).toBeTruthy();
-    compactBtn!.click();
-    expect(mockSetDensity).toHaveBeenCalledWith("compact");
-  });
-
-  it("calls setDensity when Regular is clicked", () => {
-    const { container } = renderMe({ density: "compact" });
-    const regularBtn = Array.from(container.querySelectorAll("button")).find(
-      (b) => b.textContent?.trim() === "Regular",
-    );
-    expect(regularBtn).toBeTruthy();
-    regularBtn!.click();
-    expect(mockSetDensity).toHaveBeenCalledWith("regular");
-  });
-});
-
-// ─── Dark mode ───────────────────────────────────────────────────────────────
-
-describe("MobileMe — dark mode", () => {
-  it("renders without crashing in dark mode", () => {
-    const { container } = renderMe({ dark: true });
-    expect(container.querySelector("h1")?.textContent).toBe("Me");
-  });
-
-  it("renders theme, accent, and density sections in dark mode", () => {
-    const { container } = renderMe({ dark: true });
-    const text = container.textContent ?? "";
-    expect(text).toContain("Theme");
-    expect(text).toContain("Accent");
-    expect(text).toContain("Density");
-  });
-});
@@ -1,253 +0,0 @@
-// @vitest-environment jsdom
-/**
- * MobileSpawn — bottom-sheet agent spawn form.
- *
- * Per spec §6: fetches /templates, user picks tier + name,
- * POST /workspaces. Backdrop click closes. Error surfaced inline.
- *
- * NOTE: No @testing-library/jest-dom — use DOM APIs.
- */
-import { afterEach, describe, expect, it, vi } from "vitest";
-import { cleanup, fireEvent, render, screen } from "@testing-library/react";
-import React from "react";
-
-import { MobileSpawn } from "../MobileSpawn";
-
-// ─── Mock dependencies ──────────────────────────────────────────────────────────
-
-vi.mock("@/lib/theme-provider", () => ({
-  useTheme: () => ({ theme: "dark", resolvedTheme: "dark", setTheme: vi.fn() }),
-}));
-
-const mockTemplates = [
-  {
-    id: "tpl-langgraph",
-    name: "LangGraph Agent",
-    description: "Multi-step reasoning with state machines.",
-    tier: 2,
-  },
-  {
-    id: "tpl-claude-code",
-    name: "Claude Code",
-    description: "Autonomous coding agent.",
-    tier: 3,
-  },
-  {
-    id: "tpl-hermes",
-    name: "Hermes",
-    description: "OpenAI-compatible multi-provider agent.",
-    tier: 2,
-  },
-];
-
-const { apiGetSpy, apiPostSpy } = vi.hoisted(() => {
-  return { apiGetSpy: vi.fn(), apiPostSpy: vi.fn() };
-});
-
-vi.mock("@/lib/api", () => ({
-  api: {
-    get: apiGetSpy,
-    post: apiPostSpy,
-  },
-}));
-
-afterEach(() => {
-  cleanup();
-  apiGetSpy.mockReset();
-  apiPostSpy.mockReset();
-  vi.restoreAllMocks();
-});
-
-// ─── Render ────────────────────────────────────────────────────────────────────
-
-describe("MobileSpawn — render", () => {
-  it("renders the dialog with aria-label", () => {
-    apiGetSpy.mockResolvedValue(mockTemplates);
-    render(<MobileSpawn dark={true} onClose={vi.fn()} />);
-    const dialog = document.querySelector('[role="dialog"][aria-label="Spawn agent"]');
-    expect(dialog).toBeTruthy();
-  });
-
-  it("shows loading state while fetching templates", () => {
-    let resolve!: (v: unknown) => void;
-    apiGetSpy.mockImplementation(() => new Promise((r) => { resolve = r; }));
-    render(<MobileSpawn dark={true} onClose={vi.fn()} />);
-    expect(document.body.textContent).toContain("Loading templates");
-    resolve(mockTemplates);
-  });
-
-  it("renders template cards once loaded", async () => {
-    apiGetSpy.mockResolvedValue(mockTemplates);
-    render(<MobileSpawn dark={true} onClose={vi.fn()} />);
-    await vi.waitFor(() => {
-      expect(document.body.textContent).toContain("LangGraph Agent");
-      expect(document.body.textContent).toContain("Claude Code");
-      expect(document.body.textContent).toContain("Hermes");
-    });
-  });
-
-  it("renders name input", () => {
-    apiGetSpy.mockResolvedValue(mockTemplates);
-    render(<MobileSpawn dark={true} onClose={vi.fn()} />);
-    const input = document.querySelector('input[placeholder]');
-    expect(input).toBeTruthy();
-  });
-
-  it("renders all 4 tier buttons", () => {
-    apiGetSpy.mockResolvedValue(mockTemplates);
-    render(<MobileSpawn dark={true} onClose={vi.fn()} />);
-    expect(document.body.textContent).toContain("Sandboxed");
-    expect(document.body.textContent).toContain("Standard");
-    expect(document.body.textContent).toContain("Privileged");
-    expect(document.body.textContent).toContain("Full Access");
-  });
-
-  it("shows empty state when no templates installed", async () => {
-    apiGetSpy.mockResolvedValue([]);
-    render(<MobileSpawn dark={true} onClose={vi.fn()} />);
-    await vi.waitFor(() => {
-      expect(document.body.textContent).toContain("No templates installed");
-    });
-  });
-
-  it("renders spawn button with correct label", () => {
-    apiGetSpy.mockResolvedValue(mockTemplates);
-    render(<MobileSpawn dark={true} onClose={vi.fn()} />);
-    const spawnBtn = Array.from(
-      document.querySelectorAll("button"),
-    ).find((b) => b.textContent?.includes("Spawn agent"));
-    expect(spawnBtn).toBeTruthy();
-  });
-
-  it("renders close button", () => {
-    apiGetSpy.mockResolvedValue(mockTemplates);
-    render(<MobileSpawn dark={true} onClose={vi.fn()} />);
-    const closeBtn = document.querySelector('button[aria-label="Close"]');
-    expect(closeBtn).toBeTruthy();
-  });
-});
-
-// ─── Interaction ──────────────────────────────────────────────────────────────
-
-describe("MobileSpawn — interaction", () => {
-  it("calls onClose when close button clicked", async () => {
-    apiGetSpy.mockResolvedValue(mockTemplates);
-    const onClose = vi.fn();
-    render(<MobileSpawn dark={true} onClose={onClose} />);
-    await vi.waitFor(() => {
-      expect(document.querySelector('button[aria-label="Close"]')).toBeTruthy();
-    });
-    document.querySelector('button[aria-label="Close"]')!.click();
-    expect(onClose).toHaveBeenCalledTimes(1);
-  });
-
-  it("calls onClose when backdrop is clicked", async () => {
-    apiGetSpy.mockResolvedValue(mockTemplates);
-    const onClose = vi.fn();
-    const { container } = render(<MobileSpawn dark={true} onClose={onClose} />);
-    await vi.waitFor(() => {
-      expect(document.body.textContent).toContain("Spawn Agent");
-    });
-    // Click on the outer dim backdrop (the dialog's outer div)
-    const dialog = container.querySelector('[role="dialog"]')!;
-    dialog.dispatchEvent(new MouseEvent("click", { bubbles: true, currentTarget: dialog }));
-    // The dialog's onClick checks e.target === e.currentTarget
-    // In jsdom the click event won't naturally hit the outer div as both target and currentTarget,
-    // so we verify the dialog renders and the backdrop area is clickable
-    expect(dialog).toBeTruthy();
-  });
-
-  it("POST /workspaces with correct payload on spawn", async () => {
-    apiGetSpy.mockResolvedValue(mockTemplates);
-    apiPostSpy.mockResolvedValue({ id: "ws-new" });
-    const onClose = vi.fn();
-    render(<MobileSpawn dark={true} onClose={onClose} />);
-
-    await vi.waitFor(() => {
-      expect(document.body.textContent).toContain("LangGraph Agent");
-    });
-
-    // Fill name
-    const input = document.querySelector("input") as HTMLInputElement;
-    fireEvent.change(input, { target: { value: "My New Agent" } });
-
-    // Click spawn
-    const spawnBtn = Array.from(
-      document.querySelectorAll("button"),
-    ).find((b) => b.textContent?.includes("Spawn agent"))!;
-    spawnBtn.click();
-
-    await vi.waitFor(() => {
-      expect(apiPostSpy).toHaveBeenCalledWith("/workspaces", expect.objectContaining({
-        name: "My New Agent",
-        template: "tpl-langgraph", // first template selected by default
-      }));
-    });
-  });
-
-  it("shows error message on spawn failure", async () => {
-    apiGetSpy.mockResolvedValue(mockTemplates);
-    apiPostSpy.mockRejectedValue(new Error("Template not found"));
-    render(<MobileSpawn dark={true} onClose={vi.fn()} />);
-
-    await vi.waitFor(() => {
-      expect(document.body.textContent).toContain("LangGraph Agent");
-    });
-
-    const spawnBtn = Array.from(
-      document.querySelectorAll("button"),
-    ).find((b) => b.textContent?.includes("Spawn agent"))!;
-    spawnBtn.click();
-
-    await vi.waitFor(() => {
-      expect(document.body.textContent).toContain("Template not found");
-    });
-  });
-
-  it("onClose NOT called when spawn fails", async () => {
-    apiGetSpy.mockResolvedValue(mockTemplates);
-    apiPostSpy.mockRejectedValue(new Error("Server error"));
-    const onClose = vi.fn();
-    render(<MobileSpawn dark={true} onClose={onClose} />);
-
-    await vi.waitFor(() => {
-      expect(document.body.textContent).toContain("Spawn agent");
-    });
-
-    const spawnBtn = Array.from(
-      document.querySelectorAll("button"),
-    ).find((b) => b.textContent?.includes("Spawn agent"))!;
-    spawnBtn.click();
-
-    await vi.waitFor(() => {
-      expect(onClose).not.toHaveBeenCalled();
-    });
-  });
-
-  it("tier selection updates state", async () => {
-    apiGetSpy.mockResolvedValue(mockTemplates);
-    render(<MobileSpawn dark={true} onClose={vi.fn()} />);
-
-    await vi.waitFor(() => {
-      expect(document.body.textContent).toContain("Spawn agent");
-    });
-
-    // Default tier is T2 (Standard). Click T4 (Full Access).
-    const t4Btn = Array.from(
-      document.querySelectorAll("button"),
-    ).find((b) => b.textContent?.includes("Full Access"))!;
-    fireEvent.click(t4Btn);
-
-    // Spawn with T4
-    const spawnBtn = Array.from(
-      document.querySelectorAll("button"),
-    ).find((b) => b.textContent?.includes("Spawn agent"))!;
-    spawnBtn.click();
-
-    await vi.waitFor(() => {
-      expect(apiPostSpy).toHaveBeenCalledWith("/workspaces", expect.objectContaining({
-        tier: 4, // T4 = tier 4
-      }));
-    });
-  });
-});
@@ -1,184 +0,0 @@
-// @vitest-environment jsdom
-/**
- * mobile/components.tsx — pure functions.
- *
- * Covers:
- *   - toMobileAgent: full transform, all status/tier/runtime cases
- *   - classifyForFilter: online → "online", failed/degraded → "issue",
- *     starting/paused/offline → "paused"
- *
- * NOTE: No @testing-library/jest-dom — use DOM APIs.
- */
-import { beforeEach, describe, expect, it, vi } from "vitest";
-import type { Node } from "@xyflow/react";
-import type { WorkspaceNodeData } from "@/store/canvas";
-
-import {
-  AgentCard,
-  FilterChips,
-  RemoteBadge,
-  classifyForFilter,
-  toMobileAgent,
-  type MobileAgent,
-  type AgentFilter,
-} from "../components";
-
-// ─── Mock store ────────────────────────────────────────────────────────────────
-
-const mockSummarize = vi.fn();
-
-vi.mock("@/store/canvas", () => ({
-  summarizeWorkspaceCapabilities: (...args: unknown[]) => mockSummarize(...args),
-}));
-
-// ─── Helpers ─────────────────────────────────────────────────────────────────
-
-function makeNode(overrides: Partial<WorkspaceNodeData> = {}): Node<WorkspaceNodeData> {
-  return {
-    id: "ws-1",
-    position: { x: 0, y: 0 },
-    data: {
-      name: "Test Agent",
-      status: "online",
-      tier: 2,
-      agentCard: null,
-      activeTasks: 0,
-      collapsed: false,
-      role: "assistant",
-      lastErrorRate: 0,
-      lastSampleError: "",
-      url: "http://localhost:9000",
-      parentId: null,
-      runtime: "langgraph",
-      currentTask: "",
-      budgetLimit: null,
-      ...overrides,
-    } as WorkspaceNodeData,
-  };
-}
-
-// ─── toMobileAgent ────────────────────────────────────────────────────────────
-
-describe("toMobileAgent — basic fields", () => {
-  beforeEach(() => {
-    mockSummarize.mockReturnValue({
-      runtime: "langgraph",
-      skills: [],
-      skillCount: 0,
-      currentTask: "",
-      hasActiveTask: false,
-    });
-  });
-
-  it("maps id and name", () => {
-    const node = makeNode({ name: "My Agent" });
-    const agent = toMobileAgent(node);
-    expect(agent.id).toBe("ws-1");
-    expect(agent.name).toBe("My Agent");
-  });
-
-  it("uses id as name when name is empty", () => {
-    const node = makeNode({ name: "" });
-    const agent = toMobileAgent(node);
-    expect(agent.name).toBe("ws-1");
-  });
-
-  it("maps tier correctly for tier 1-4", () => {
-    const tiers: Array<[number, MobileAgent["tier"]]> = [
-      [1, "T1"],
-      [2, "T2"],
-      [3, "T3"],
-      [4, "T4"],
-    ];
-    for (const [tier, code] of tiers) {
-      const agent = toMobileAgent(makeNode({ tier }));
-      expect(agent.tier).toBe(code);
-    }
-  });
-
-  it("maps status to MobileStatus", () => {
-    const statuses: Array<[string, MobileAgent["status"]]> = [
-      ["online", "online"],
-      ["starting", "starting"],
-      ["degraded", "degraded"],
-      ["failed", "failed"],
-      ["paused", "paused"],
-      ["offline", "offline"],
-    ];
-    for (const [status, mobileStatus] of statuses) {
-      const agent = toMobileAgent(makeNode({ status }));
-      expect(agent.status).toBe(mobileStatus);
-    }
-  });
-
-  it("marks remote=true for external runtime", () => {
-    mockSummarize.mockReturnValue({ runtime: "external", skills: [], skillCount: 0, currentTask: "", hasActiveTask: false });
-    const agent = toMobileAgent(makeNode({ runtime: "external" }));
-    expect(agent.remote).toBe(true);
-  });
-
-  it("marks remote=false for non-external runtime", () => {
-    mockSummarize.mockReturnValue({ runtime: "langgraph", skills: [], skillCount: 0, currentTask: "", hasActiveTask: false });
-    const agent = toMobileAgent(makeNode({ runtime: "langgraph" }));
-    expect(agent.remote).toBe(false);
-  });
-
-  it("maps runtime from summarizeWorkspaceCapabilities", () => {
-    mockSummarize.mockReturnValue({ runtime: "claude-code", skills: [], skillCount: 0, currentTask: "", hasActiveTask: false });
-    const agent = toMobileAgent(makeNode({ runtime: "" }));
-    expect(agent.runtime).toBe("claude-code");
-  });
-
-  it("maps skills count from summarizeWorkspaceCapabilities", () => {
-    mockSummarize.mockReturnValue({ runtime: "langgraph", skills: ["skill1", "skill2"], skillCount: 2, currentTask: "", hasActiveTask: false });
-    const agent = toMobileAgent(makeNode());
-    expect(agent.skills).toBe(2);
-  });
-
-  it("maps activeTasks to calls", () => {
-    const agent = toMobileAgent(makeNode({ activeTasks: 5 }));
-    expect(agent.calls).toBe(5);
-  });
-
-  it("defaults calls to 0 when activeTasks is not a number", () => {
-    const node = makeNode() as Node<WorkspaceNodeData>;
-    node.data.activeTasks = "not a number" as unknown as number;
-    const agent = toMobileAgent(node);
-    expect(agent.calls).toBe(0);
-  });
-
-  it("maps role as desc fallback to currentTask", () => {
-    mockSummarize.mockReturnValue({ runtime: "langgraph", skills: [], skillCount: 0, currentTask: "Doing analysis", hasActiveTask: true });
-    const agent = toMobileAgent(makeNode({ role: "" }));
-    expect(agent.desc).toBe("Doing analysis");
-  });
-
-  it("uses role as desc when currentTask is empty", () => {
-    mockSummarize.mockReturnValue({ runtime: "langgraph", skills: [], skillCount: 0, currentTask: "", hasActiveTask: false });
-    const agent = toMobileAgent(makeNode({ role: "researcher" }));
-    expect(agent.desc).toBe("researcher");
-  });
-
-  it("maps parentId from node data", () => {
-    const node = makeNode({ parentId: "ws-parent" });
-    const agent = toMobileAgent(node);
-    expect(agent.parentId).toBe("ws-parent");
-  });
-});
-
-// ─── classifyForFilter ─────────────────────────────────────────────────────────
-
-describe("classifyForFilter", () => {
-  const cases: Array<[MobileAgent["status"], AgentFilter]> = [
-    ["online", "online"],
-    ["starting", "paused"],
-    ["degraded", "issue"],
-    ["failed", "issue"],
-    ["paused", "paused"],
-    ["offline", "paused"],
-  ];
-
-  it.each(cases)("normalizeStatus(%s) → %s", (status, expected) => {
-    expect(classifyForFilter(status)).toBe(expected);
-  });
-});
@@ -1,137 +0,0 @@
-/** @vitest-environment jsdom */
-/**
- * Tests for rendering components exported from components.tsx:
- *   RemoteBadge, WorkspacePill.
- *
- * Note: TabBar, FilterChips, AgentCard are tested in their own files.
- * toMobileAgent and classifyForFilter are tested in components.test.ts.
- */
-import { describe, expect, it } from "vitest";
-import { render } from "@testing-library/react";
-
-import { RemoteBadge, WorkspacePill } from "../components";
-import { MOL_DARK, MOL_LIGHT } from "../palette";
-import { MobileAccentProvider } from "../palette-context";
-
-// ─── Palette provider wrapper ────────────────────────────────────────────────
-// RemoteBadge uses palette directly; WorkspacePill calls usePalette(dark) internally,
-// so WorkspacePill must be rendered inside MobileAccentProvider.
-
-function renderWithProvider(ui: React.ReactElement) {
-  return render(<MobileAccentProvider accent="#2f9e6a">{ui}</MobileAccentProvider>);
-}
-
-// ─── RemoteBadge ─────────────────────────────────────────────────────────────
-
-describe("RemoteBadge", () => {
-  it("renders the ★ REMOTE label text", () => {
-    const { container } = render(
-      <RemoteBadge palette={MOL_LIGHT} />
-    );
-    expect(container.textContent).toContain("REMOTE");
-    expect(container.textContent).toContain("★");
-  });
-
-  it("renders a span element", () => {
-    const { container } = render(
-      <RemoteBadge palette={MOL_DARK} />
-    );
-    expect(container.querySelector("span")).toBeTruthy();
-  });
-
-  it("has border-radius 4px (compact badge shape)", () => {
-    const { container } = render(
-      <RemoteBadge palette={MOL_LIGHT} />
-    );
-    const span = container.querySelector("span") as HTMLSpanElement;
-    expect(span.style.borderRadius).toBe("4px");
-  });
-
-  it("applies the palette's remote color as text color", () => {
-    const { container } = render(
-      <RemoteBadge palette={MOL_DARK} />
-    );
-    const span = container.querySelector("span") as HTMLSpanElement;
-    expect(span.style.color).toBeTruthy();
-  });
-
-  it("applies the palette's remoteBg as background", () => {
-    const { container } = render(
-      <RemoteBadge palette={MOL_LIGHT} />
-    );
-    const span = container.querySelector("span") as HTMLSpanElement;
-    expect(span.style.background).toBeTruthy();
-  });
-
-  it("dark and light palettes produce different background colors", () => {
-    const { container: darkContainer } = render(
-      <RemoteBadge palette={MOL_DARK} />
-    );
-    const { container: lightContainer } = render(
-      <RemoteBadge palette={MOL_LIGHT} />
-    );
-    const darkSpan = darkContainer.querySelector("span") as HTMLSpanElement;
-    const lightSpan = lightContainer.querySelector("span") as HTMLSpanElement;
-    expect(darkSpan.style.background).not.toBe(lightSpan.style.background);
-  });
-});
-
-// ─── WorkspacePill ────────────────────────────────────────────────────────────
-
-describe("WorkspacePill", () => {
-  it("renders the Molecule AI brand text", () => {
-    const { container } = renderWithProvider(<WorkspacePill dark={false} count={3} />);
-    expect(container.textContent).toContain("Molecule AI");
-  });
-
-  it("renders the count value", () => {
-    const { container } = renderWithProvider(<WorkspacePill dark={true} count={7} />);
-    expect(container.textContent).toContain("7");
-  });
-
-  it("accepts a string count (e.g. LIVE)", () => {
-    const { container } = renderWithProvider(
-      <WorkspacePill dark={false} count="LIVE" live={true} />
-    );
-    expect(container.textContent).toContain("LIVE");
-  });
-
-  it("does NOT render LIVE when live=false", () => {
-    const { container } = renderWithProvider(
-      <WorkspacePill dark={false} count={5} live={false} />
-    );
-    expect(container.textContent).not.toContain("LIVE");
-  });
-
-  it("renders LIVE by default (live=true)", () => {
-    const { container } = renderWithProvider(
-      <WorkspacePill dark={true} count={2} />
-    );
-    expect(container.textContent).toContain("LIVE");
-  });
-
-  it("renders the brand initial M in the logo badge", () => {
-    const { container } = renderWithProvider(<WorkspacePill dark={false} count={1} />);
-    expect(container.textContent).toContain("M");
-  });
-
-  it("has an inline borderRadius style (pill shape)", () => {
-    const { container } = renderWithProvider(<WorkspacePill dark={false} count={0} />);
-    // Walk the DOM tree to find the outermost pill div (has inline borderRadius)
-    let el: HTMLElement | null = container.firstElementChild as HTMLElement | null;
-    while (el && !el.style.borderRadius) {
-      el = el.parentElement;
-    }
-    expect(el?.style.borderRadius).toBeTruthy();
-  });
-
-  it("dark and light palettes produce different root container backgrounds", () => {
-    const { container: dark } = renderWithProvider(<WorkspacePill dark={true} count={1} />);
-    const { container: light } = renderWithProvider(<WorkspacePill dark={false} count={1} />);
-    // The outermost element should have an inline background color set by the dark/light prop
-    const darkRoot = dark.firstElementChild as HTMLElement | null;
-    const lightRoot = light.firstElementChild as HTMLElement | null;
-    expect(darkRoot?.style.background).toBeTruthy();
-    expect(lightRoot?.style.background).toBeTruthy();
-  });
-});
@@ -41,11 +41,6 @@ export function UnsavedChangesGuard({
      <AlertDialog.Portal>
        <AlertDialog.Overlay className="guard-dialog__overlay" />
        <AlertDialog.Content className="guard-dialog">
-          {/* Screen-reader-only description — satisfies Radix aria-describedby requirement
-              without adding visible text to the dialog. */}
-          <AlertDialog.Description className="sr-only">
-            This dialog asks whether to discard or keep editing unsaved changes.
-          </AlertDialog.Description>
          <AlertDialog.Title className="guard-dialog__title">
            Discard unsaved changes?
          </AlertDialog.Title>
@@ -55,7 +50,6 @@ export function UnsavedChangesGuard({
                Keep editing
              </button>
            </AlertDialog.Cancel>
-            {/* eslint-disable-next-line jsx-a11y/click-events-have-key-events */}
            <AlertDialog.Action asChild>
              <button
                type="button"
@@ -1,340 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Tests for AddKeyForm — inline form for adding a new API key.
- *
- * Covers:
- *   - Header + key name + value fields rendered
- *   - Key name auto-uppercased on input
- *   - Validation: UPPER_SNAKE_CASE required, duplicate name blocked
- *   - Provider hint shown for known providers (GitHub, Anthropic, OpenRouter)
- *   - Provider hint hidden for custom key names
- *   - Debounced value validation
- *   - Save button disabled when form invalid / saving
- *   - createSecret called on save with correct args
- *   - onCancel called on Cancel click
- *   - Save error shown on failure
- *   - TestConnectionButton shown when value is format-valid and provider supports it
- */
-import React from "react";
-import { render, screen, fireEvent, cleanup, act, waitFor } from "@testing-library/react";
-import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { AddKeyForm } from "../AddKeyForm";
-
-// ── Mocks ─────────────────────────────────────────────────────────────────────
-
-const { mockValidateSecretValue, mockIsValidKeyName, mockInferGroup } = vi.hoisted(() => ({
-  mockValidateSecretValue: vi.fn((value: string) => {
-    // Return error for "bad-value" to test ValidationHint display
-    if (value === "bad-value") return "Invalid format";
-    return null;
-  }),
-  mockIsValidKeyName: vi.fn((name: string) => /^[A-Z][A-Z0-9_]*$/.test(name)),
-  mockInferGroup: vi.fn((name: string) => {
-    const u = name.toUpperCase();
-    if (u.includes("GITHUB")) return "github" as const;
-    if (u.includes("ANTHROPIC")) return "anthropic" as const;
-    if (u.includes("OPENROUTER")) return "openrouter" as const;
-    return "custom" as const;
-  }),
-}));
-
-const mockCreateSecret = vi.fn();
-
-vi.mock("@/stores/secrets-store", () => ({
-  useSecretsStore: Object.assign(
-    vi.fn((selector?: (s: { createSecret: typeof mockCreateSecret }) => unknown) =>
-      selector ? selector({ createSecret: mockCreateSecret }) : { createSecret: mockCreateSecret }
-    ),
-    { getState: () => ({ createSecret: mockCreateSecret }) },
-  ),
-}));
-
-vi.mock("@/lib/validation/secret-formats", () => ({
-  validateSecretValue: mockValidateSecretValue,
-  isValidKeyName: mockIsValidKeyName,
-  inferGroup: mockInferGroup,
-}));
-
-vi.mock("@/lib/services", () => ({
-  SERVICES: {
-    github: { label: "GitHub", icon: "github", keyNames: [], docsUrl: "https://github.com", testSupported: true },
-    anthropic: { label: "Anthropic", icon: "anthropic", keyNames: [], docsUrl: "https://anthropic.com", testSupported: true },
-    openrouter: { label: "OpenRouter", icon: "openrouter", keyNames: [], docsUrl: "https://openrouter.ai", testSupported: true },
-    custom: { label: "Other", icon: "key", keyNames: [], docsUrl: "", testSupported: false },
-  },
-  KEY_NAME_SUGGESTIONS: [],
-}));
-
-vi.mock("@/components/ui/KeyValueField", () => ({
-  KeyValueField: ({ value, onChange, disabled }: { value: string; onChange: (v: string) => void; disabled?: boolean }) => (
-    <textarea
-      data-testid="key-value-field"
-      value={value}
-      onChange={(e) => onChange(e.target.value)}
-      disabled={disabled}
-      aria-label="Key value"
-    />
-  ),
-}));
-
-vi.mock("@/components/ui/ValidationHint", () => ({
-  ValidationHint: ({ error }: { error: string | null }) =>
-    error ? <span role="alert">{error}</span> : null,
-}));
-
-vi.mock("@/components/ui/TestConnectionButton", () => ({
-  TestConnectionButton: () => <button data-testid="test-connection-btn" type="button">Test connection</button>,
-}));
-
-beforeEach(() => {
-  mockCreateSecret.mockReset().mockResolvedValue(undefined);
-});
-
-afterEach(() => {
-  cleanup();
-  vi.useRealTimers();
-});
-
-// ── Helpers ──────────────────────────────────────────────────────────────────
-
-async function typeKeyName(name: string) {
-  const input = screen.getByLabelText("Key name");
-  fireEvent.change(input, { target: { value: name } });
-  await act(async () => { await Promise.resolve(); });
-}
-
-async function typeValue(val: string) {
-  const textarea = screen.getByTestId("key-value-field");
-  fireEvent.change(textarea, { target: { value: val } });
-  await act(async () => { await Promise.resolve(); });
-}
-
-// ─── Initial render ─────────────────────────────────────────────────────────
-
-describe("AddKeyForm — initial render", () => {
-  it("renders header 'Add New Key'", () => {
-    render(<AddKeyForm workspaceId="ws-1" existingNames={[]} onCancel={vi.fn()} />);
-    expect(screen.getByText("Add New Key")).toBeTruthy();
-  });
-
-  it("has key name and value inputs", () => {
-    render(<AddKeyForm workspaceId="ws-1" existingNames={[]} onCancel={vi.fn()} />);
-    expect(screen.getByLabelText("Key name")).toBeTruthy();
-    expect(screen.getByTestId("key-value-field")).toBeTruthy();
-  });
-
-  it("Save and Cancel buttons present", () => {
-    render(<AddKeyForm workspaceId="ws-1" existingNames={[]} onCancel={vi.fn()} />);
-    expect(screen.getByRole("button", { name: /save key/i })).toBeTruthy();
-    expect(screen.getByRole("button", { name: /cancel/i })).toBeTruthy();
-  });
-
-  it("Save button disabled initially", () => {
-    render(<AddKeyForm workspaceId="ws-1" existingNames={[]} onCancel={vi.fn()} />);
-    expect((screen.getByRole("button", { name: /save key/i }) as HTMLButtonElement).disabled).toBe(true);
-  });
-});
-
-// ─── Key name validation ────────────────────────────────────────────────────
-
-describe("AddKeyForm — key name validation", () => {
-  it("auto-uppercases key name input", async () => {
-    render(<AddKeyForm workspaceId="ws-1" existingNames={[]} onCancel={vi.fn()} />);
-    const input = screen.getByLabelText("Key name") as HTMLInputElement;
-    fireEvent.change(input, { target: { value: "github_token" } });
-    expect(input.value).toBe("GITHUB_TOKEN");
-  });
-
-  it("shows error for key name starting with digit (invalid UPPER_SNAKE_CASE)", async () => {
-    render(<AddKeyForm workspaceId="ws-1" existingNames={[]} onCancel={vi.fn()} />);
-    // The key name input auto-uppercases, so "123_token" → "123_TOKEN"
-    // which fails /^[A-Z][A-Z0-9_]*$/ (must start with uppercase letter)
-    const input = screen.getByLabelText("Key name");
-    fireEvent.change(input, { target: { value: "123_token" } });
-    await act(async () => { await Promise.resolve(); });
-    expect(screen.getByRole("alert")).toBeTruthy();
-    expect(screen.getByText(/upper_snake_case/i)).toBeTruthy();
-  });
-
-  it("shows error for key name starting with number", async () => {
-    render(<AddKeyForm workspaceId="ws-1" existingNames={[]} onCancel={vi.fn()} />);
-    await typeKeyName("123_TOKEN");
-    expect(screen.getByText(/upper_snake_case/i)).toBeTruthy();
-  });
-
-  it("shows duplicate error when key name already exists", async () => {
-    render(<AddKeyForm workspaceId="ws-1" existingNames={["ANTHROPIC_API_KEY"]} onCancel={vi.fn()} />);
-    await typeKeyName("ANTHROPIC_API_KEY");
-    await act(async () => { await Promise.resolve(); });
-    expect(screen.getByText(/already exists/i)).toBeTruthy();
-  });
-
-  it("no error for valid new key name", async () => {
-    render(<AddKeyForm workspaceId="ws-1" existingNames={[]} onCancel={vi.fn()} />);
-    await typeKeyName("MY_SECRET_KEY");
-    await act(async () => { await Promise.resolve(); });
-    expect(screen.queryByRole("alert")).toBeNull();
-  });
-});
-
-// ─── Provider hint ──────────────────────────────────────────────────────────
-
-describe("AddKeyForm — provider hint", () => {
-  it("shows provider hint for ANTHROPIC_API_KEY (known provider)", async () => {
-    render(<AddKeyForm workspaceId="ws-1" existingNames={[]} onCancel={vi.fn()} />);
-    await typeKeyName("ANTHROPIC_API_KEY");
-    await act(async () => { await Promise.resolve(); });
-    expect(screen.getByTestId("provider-hint")).toBeTruthy();
-    expect(screen.getByText("Anthropic")).toBeTruthy();
-  });
-
-  it("shows provider hint for GITHUB_TOKEN", async () => {
-    render(<AddKeyForm workspaceId="ws-1" existingNames={[]} onCancel={vi.fn()} />);
-    await typeKeyName("GITHUB_TOKEN");
-    await act(async () => { await Promise.resolve(); });
-    expect(screen.getByTestId("provider-hint")).toBeTruthy();
-    expect(screen.getByText("GitHub")).toBeTruthy();
-  });
-
-  it("shows provider hint for OPENROUTER_API_KEY", async () => {
-    render(<AddKeyForm workspaceId="ws-1" existingNames={[]} onCancel={vi.fn()} />);
-    await typeKeyName("OPENROUTER_API_KEY");
-    await act(async () => { await Promise.resolve(); });
-    expect(screen.getByTestId("provider-hint")).toBeTruthy();
-    expect(screen.getByText("OpenRouter")).toBeTruthy();
-  });
-
-  it("hides provider hint for unknown custom key name", async () => {
-    render(<AddKeyForm workspaceId="ws-1" existingNames={[]} onCancel={vi.fn()} />);
-    await typeKeyName("MY_CUSTOM_TOKEN");
-    await act(async () => { await Promise.resolve(); });
-    expect(screen.queryByTestId("provider-hint")).toBeNull();
-  });
-});
-
-// ─── Value validation (debounced) ───────────────────────────────────────────
-
-describe("AddKeyForm — value validation (debounced)", () => {
-  it("ValidationHint shown after debounce for invalid value", async () => {
-    vi.useFakeTimers();
-    render(<AddKeyForm workspaceId="ws-1" existingNames={[]} onCancel={vi.fn()} />);
-    await typeKeyName("ANTHROPIC_API_KEY");
-    const textarea = screen.getByTestId("key-value-field");
-    // "bad-value" is the mock's sentinel for invalid input
-    fireEvent.change(textarea, { target: { value: "bad-value" } });
-    // Advance past debounce (VALIDATION_DEBOUNCE_MS = 400)
-    await act(async () => { vi.advanceTimersByTime(400); });
-    expect(screen.getByRole("alert")).toBeTruthy();
-    vi.useRealTimers();
-  });
-});
-
-// ─── Save ───────────────────────────────────────────────────────────────────
-
-describe("AddKeyForm — save", () => {
-  it("Save button disabled when key name or value missing", () => {
-    render(<AddKeyForm workspaceId="ws-1" existingNames={[]} onCancel={vi.fn()} />);
-    const saveBtn = screen.getByRole("button", { name: /save key/i });
-    expect((saveBtn as HTMLButtonElement).disabled).toBe(true);
-  });
-
-  it("Save button enabled when valid key name + value", async () => {
-    vi.useFakeTimers();
-    render(<AddKeyForm workspaceId="ws-1" existingNames={[]} onCancel={vi.fn()} />);
-    await typeKeyName("ANTHROPIC_API_KEY");
-    await typeValue("GITHUB_FAKE_VALUE_FOR_TEST");
-    await act(async () => { vi.advanceTimersByTime(400); });
-    const saveBtn = screen.getByRole("button", { name: /save key/i });
-    expect((saveBtn as HTMLButtonElement).disabled).toBe(false);
-    vi.useRealTimers();
-  });
-
-  it("calls createSecret(workspaceId, keyName, value) on save", async () => {
-    vi.useFakeTimers();
-    render(<AddKeyForm workspaceId="ws-test" existingNames={[]} onCancel={vi.fn()} />);
-    await typeKeyName("ANTHROPIC_API_KEY");
-    await typeValue("GITHUB_FAKE_VALUE_FOR_TEST");
-    await act(async () => { vi.advanceTimersByTime(400); });
-    fireEvent.click(screen.getByRole("button", { name: /save key/i }));
-    await act(async () => { vi.advanceTimersByTime(0); });
-    expect(mockCreateSecret).toHaveBeenCalledWith(
-      "ws-test",
-      "ANTHROPIC_API_KEY",
-      "GITHUB_FAKE_VALUE_FOR_TEST",
-    );
-    vi.useRealTimers();
-  });
-
-  it("Save button shows 'Saving…' during save", async () => {
-    vi.useFakeTimers();
-    mockCreateSecret.mockImplementation(() => new Promise(() => {}));
-    render(<AddKeyForm workspaceId="ws-1" existingNames={[]} onCancel={vi.fn()} />);
-    await typeKeyName("ANTHROPIC_API_KEY");
-    await typeValue("GITHUB_FAKE_VALUE_FOR_TEST");
-    await act(async () => { vi.advanceTimersByTime(400); });
-    fireEvent.click(screen.getByRole("button", { name: /save key/i }));
-    await act(async () => { vi.advanceTimersByTime(0); });
-    expect(screen.getByRole("button", { name: /saving/i })).toBeTruthy();
-    vi.useRealTimers();
-  });
-
-  it("shows error on save failure", async () => {
-    mockCreateSecret.mockRejectedValue(new Error("network error"));
-    render(<AddKeyForm workspaceId="ws-1" existingNames={[]} onCancel={vi.fn()} />);
-    await typeKeyName("ANTHROPIC_API_KEY");
-    await typeValue("GITHUB_FAKE_VALUE_FOR_TEST");
-    fireEvent.click(screen.getByRole("button", { name: /save key/i }));
-    await act(async () => { await Promise.resolve(); });
-    expect(screen.getByText(/network error/i)).toBeTruthy();
-  });
-});
-
-// ─── Cancel ─────────────────────────────────────────────────────────────────
-
-describe("AddKeyForm — cancel", () => {
-  it("onCancel called when Cancel button clicked", () => {
-    const onCancel = vi.fn();
-    render(<AddKeyForm workspaceId="ws-1" existingNames={[]} onCancel={onCancel} />);
-    fireEvent.click(screen.getByRole("button", { name: /cancel/i }));
-    expect(onCancel).toHaveBeenCalled();
-  });
-
-  it("Cancel button disabled during save", async () => {
-    vi.useFakeTimers();
-    mockCreateSecret.mockImplementation(() => new Promise(() => {}));
-    render(<AddKeyForm workspaceId="ws-1" existingNames={[]} onCancel={vi.fn()} />);
-    await typeKeyName("ANTHROPIC_API_KEY");
-    await typeValue("GITHUB_FAKE_VALUE_FOR_TEST");
-    await act(async () => { vi.advanceTimersByTime(400); });
-    fireEvent.click(screen.getByRole("button", { name: /save key/i }));
-    await act(async () => { vi.advanceTimersByTime(0); });
-    expect((screen.getByRole("button", { name: /cancel/i }) as HTMLButtonElement).disabled).toBe(true);
-    vi.useRealTimers();
-  });
-});
-
-// ─── TestConnectionButton ────────────────────────────────────────────────────
-
-describe("AddKeyForm — TestConnectionButton", () => {
-  it("TestConnectionButton shown for known provider with valid-format value", async () => {
-    vi.useFakeTimers();
-    render(<AddKeyForm workspaceId="ws-1" existingNames={[]} onCancel={vi.fn()} />);
-    await typeKeyName("ANTHROPIC_API_KEY");
-    // Use a value that passes the regex (sk-ant- prefix + 90+ chars)
-    const validValue = "GHP_FAKEPLACEHOLDER_NOTREAL_ABCDEFGHIJKLMNOPQRSTUVWXYZ12345678901234567890";
-    await typeValue(validValue);
-    await act(async () => { vi.advanceTimersByTime(400); });
-    expect(screen.getByTestId("test-connection-btn")).toBeTruthy();
-    vi.useRealTimers();
-  });
-
-  it("TestConnectionButton NOT shown when value is invalid format", async () => {
-    vi.useFakeTimers();
-    render(<AddKeyForm workspaceId="ws-1" existingNames={[]} onCancel={vi.fn()} />);
-    await typeKeyName("ANTHROPIC_API_KEY");
-    await typeValue("bad-value");
-    await act(async () => { vi.advanceTimersByTime(400); });
-    expect(screen.queryByTestId("test-connection-btn")).toBeNull();
-    vi.useRealTimers();
-  });
-});
@@ -1,407 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Tests for OrgTokensTab — org-scoped API key management.
- *
- * Covers:
- *   - Loading state (spinner + aria-busy)
- *   - Empty state when no tokens
- *   - Token list rendering (single + multiple)
- *   - Token age display (just now, minutes, hours, days)
- *   - New key form: label input + Create button
- *   - Create: POST with optional name payload
- *   - Create: loading spinner during creation
- *   - New-token success box with copy button
- *   - Copy button writes to clipboard + shows "Copied"
- *   - Copy auto-resets to "Copy" after 2s
- *   - Dismiss button hides new-token box
- *   - Revoke button opens ConfirmDialog
- *   - ConfirmDialog cancel closes without calling API
- *   - ConfirmDialog confirm calls DELETE and re-fetches
- *   - Error banner on fetch failure
- *   - Error banner on create failure
- *   - Error banner on revoke failure
- */
-import React from "react";
-import { render, screen, fireEvent, cleanup, act, waitFor } from "@testing-library/react";
-import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { OrgTokensTab } from "../OrgTokensTab";
-
-vi.mock("@/components/ConfirmDialog", () => ({
-  ConfirmDialog: vi.fn(() => null),
-}));
-
-const mockGet = vi.fn();
-const mockPost = vi.fn();
-const mockDel = vi.fn();
-
-vi.mock("@/lib/api", () => ({
-  api: { get: (...args: unknown[]) => mockGet(...args), post: (...args: unknown[]) => mockPost(...args), del: (...args: unknown[]) => mockDel(...args) },
-}));
-
-// Stub clipboard
-vi.stubGlobal("navigator", { clipboard: { writeText: vi.fn().mockResolvedValue(undefined) } });
-
-beforeEach(() => {
-  vi.useRealTimers();
-  mockGet.mockReset();
-  mockPost.mockReset();
-  mockDel.mockReset();
-  vi.mocked(navigator.clipboard.writeText).mockReset();
-});
-
-afterEach(() => {
-  cleanup();
-  vi.useRealTimers();
-});
-
-// ─── Helpers ──────────────────────────────────────────────────────────────────
-
-async function flush() {
-  await act(async () => { await Promise.resolve(); });
-}
-
-function token(overrides: Partial<{
-  id: string; prefix: string; name?: string; created_by?: string; created_at: string; last_used_at?: string;
-}> = {}) {
-  return {
-    id: "tok-1",
-    prefix: "mol_pk_test",
-    name: undefined,
-    created_by: undefined,
-    created_at: new Date(Date.now() - 120_000).toISOString(),
-    last_used_at: undefined,
-    ...overrides,
-  };
-}
-
-// ─── Loading ─────────────────────────────────────────────────────────────────
-
-describe("OrgTokensTab — loading", () => {
-  it("shows spinner while fetching", () => {
-    mockGet.mockImplementation(() => new Promise(() => {}));
-    render(<OrgTokensTab />);
-    expect(screen.getByRole("status")).toBeTruthy();
-    expect(screen.getByText("Loading keys...")).toBeTruthy();
-  });
-
-  it("loading indicator has role=status and aria-live=polite", () => {
-    mockGet.mockImplementation(() => new Promise(() => {}));
-    render(<OrgTokensTab />);
-    const status = screen.getByRole("status");
-    expect(status.getAttribute("aria-live")).toBe("polite");
-    expect(status.textContent).toContain("Loading keys");
-  });
-});
-
-// ─── Empty state ─────────────────────────────────────────────────────────────
-
-describe("OrgTokensTab — empty", () => {
-  it("shows empty state when no tokens", async () => {
-    mockGet.mockResolvedValue({ tokens: [], count: 0 });
-    render(<OrgTokensTab />);
-    await flush();
-    expect(screen.getByText("No active keys")).toBeTruthy();
-    expect(screen.getByText(/Create a key above to authenticate/i)).toBeTruthy();
-  });
-});
-
-// ─── Token list ─────────────────────────────────────────────────────────────
-
-describe("OrgTokensTab — token list", () => {
-  it("renders token rows", async () => {
-    mockGet.mockResolvedValue({ tokens: [token({ id: "tok-1", prefix: "mol_pk_abc" })], count: 1 });
-    render(<OrgTokensTab />);
-    await flush();
-    expect(screen.getByText(/mol_pk_abc/)).toBeTruthy();
-  });
-
-  it("renders multiple token rows", async () => {
-    mockGet.mockResolvedValue({
-      tokens: [
-        token({ id: "tok-1", prefix: "mol_pk_a" }),
-        token({ id: "tok-2", prefix: "mol_pk_b" }),
-      ],
-      count: 2,
-    });
-    render(<OrgTokensTab />);
-    await flush();
-    expect(screen.getByText(/mol_pk_a/)).toBeTruthy();
-    expect(screen.getByText(/mol_pk_b/)).toBeTruthy();
-  });
-
-  it("shows token name when present", async () => {
-    mockGet.mockResolvedValue({
-      tokens: [token({ id: "tok-1", prefix: "mol_pk_abc", name: "zapier-integration" })],
-      count: 1,
-    });
-    render(<OrgTokensTab />);
-    await flush();
-    expect(screen.getByText("zapier-integration")).toBeTruthy();
-  });
-
-  it("age shows 'just now' for very recent tokens", async () => {
-    mockGet.mockResolvedValue({
-      tokens: [token({ id: "tok-1", created_at: new Date().toISOString() })],
-      count: 1,
-    });
-    render(<OrgTokensTab />);
-    await flush();
-    expect(screen.getByText(/just now/)).toBeTruthy();
-  });
-
-  it("age shows minutes ago", async () => {
-    mockGet.mockResolvedValue({
-      tokens: [token({ id: "tok-1", created_at: new Date(Date.now() - 5 * 60_000).toISOString() })],
-      count: 1,
-    });
-    render(<OrgTokensTab />);
-    await flush();
-    expect(screen.getByText(/5m ago/)).toBeTruthy();
-  });
-
-  it("age shows hours ago", async () => {
-    mockGet.mockResolvedValue({
-      tokens: [token({ id: "tok-1", created_at: new Date(Date.now() - 3 * 3600_000).toISOString() })],
-      count: 1,
-    });
-    render(<OrgTokensTab />);
-    await flush();
-    expect(screen.getByText(/3h ago/)).toBeTruthy();
-  });
-
-  it("age shows days ago", async () => {
-    mockGet.mockResolvedValue({
-      tokens: [token({ id: "tok-1", created_at: new Date(Date.now() - 2 * 86400_000).toISOString() })],
-      count: 1,
-    });
-    render(<OrgTokensTab />);
-    await flush();
-    expect(screen.getByText(/2d ago/)).toBeTruthy();
-  });
-
-  it("each token has a Revoke button", async () => {
-    mockGet.mockResolvedValue({
-      tokens: [token({ id: "tok-1" }), token({ id: "tok-2" })],
-      count: 2,
-    });
-    render(<OrgTokensTab />);
-    await flush();
-    const revokeBtns = Array.from(document.querySelectorAll("button")).filter(b => b.textContent === "Revoke");
-    expect(revokeBtns.length).toBe(2);
-  });
-
-  it("last_used_at is shown when present", async () => {
-    mockGet.mockResolvedValue({
-      tokens: [token({
-        id: "tok-1",
-        created_at: new Date(Date.now() - 86400_000).toISOString(),
-        last_used_at: new Date(Date.now() - 3600_000).toISOString(),
-      })],
-      count: 1,
-    });
-    render(<OrgTokensTab />);
-    await flush();
-    expect(screen.getByText(/Last used/i)).toBeTruthy();
-  });
-});
-
-// ─── Create token ─────────────────────────────────────────────────────────────
-
-describe("OrgTokensTab — create", () => {
-  it("Create button calls POST with empty body when no label", async () => {
-    mockGet.mockResolvedValue({ tokens: [], count: 0 });
-    mockPost.mockResolvedValue({ auth_token: "tok_new_secret", prefix: "tok_new" });
-    render(<OrgTokensTab />);
-    await flush();
-    const createBtn = screen.getByRole("button", { name: "+ New Key" });
-    await act(async () => { createBtn.click(); });
-    await flush();
-    expect(mockPost).toHaveBeenCalledWith("/org/tokens", {});
-  });
-
-  it("Create button calls POST with name when label is filled", async () => {
-    mockGet.mockResolvedValue({ tokens: [], count: 0 });
-    mockPost.mockResolvedValue({ auth_token: "tok_new_secret", prefix: "tok_new" });
-    render(<OrgTokensTab />);
-    await flush();
-    const input = screen.getByRole("textbox");
-    fireEvent.change(input, { target: { value: "zapier-prod" } });
-    await act(async () => { screen.getByRole("button", { name: "+ New Key" }).click(); });
-    await flush();
-    expect(mockPost).toHaveBeenCalledWith("/org/tokens", { name: "zapier-prod" });
-  });
-
-  it("shows spinner while creating", async () => {
-    mockGet.mockResolvedValue({ tokens: [], count: 0 });
-    mockPost.mockImplementation(() => new Promise(() => {}));
-    render(<OrgTokensTab />);
-    await flush();
-    await act(async () => { screen.getByRole("button", { name: "+ New Key" }).click(); });
-    await flush();
-    expect(screen.getByText(/Creating/)).toBeTruthy();
-  });
-
-  it("shows new token box after creation", async () => {
-    mockGet.mockResolvedValue({ tokens: [], count: 0 });
-    mockPost.mockResolvedValue({ auth_token: "tok_new_secret_xyz", prefix: "tok_new" });
-    render(<OrgTokensTab />);
-    await flush();
-    await act(async () => { screen.getByRole("button", { name: "+ New Key" }).click(); });
-    await flush();
-    expect(screen.getByText(/tok_new_secret_xyz/)).toBeTruthy();
-    expect(screen.getByText(/Copy now/)).toBeTruthy();
-  });
-
-  it("new token shows label when provided", async () => {
-    mockGet.mockResolvedValue({ tokens: [], count: 0 });
-    mockPost.mockResolvedValue({ auth_token: "tok_abc123", prefix: "tok_abc" });
-    render(<OrgTokensTab />);
-    await flush();
-    const input = screen.getByRole("textbox");
-    fireEvent.change(input, { target: { value: "my-label" } });
-    await act(async () => { screen.getByRole("button", { name: "+ New Key" }).click(); });
-    await flush();
-    expect(screen.getByText(/New Key: my-label/)).toBeTruthy();
-  });
-
-  it("dismiss hides the new-token box", async () => {
-    mockGet.mockResolvedValue({ tokens: [], count: 0 });
-    mockPost.mockResolvedValue({ auth_token: "tok_dismiss", prefix: "tok_d" });
-    render(<OrgTokensTab />);
-    await flush();
-    await act(async () => { screen.getByRole("button", { name: "+ New Key" }).click(); });
-    await flush();
-    expect(screen.getByText(/tok_dismiss/)).toBeTruthy();
-    await act(async () => { screen.getByText("Dismiss").closest("button")!.click(); });
-    await flush();
-    expect(screen.queryByText(/tok_dismiss/)).toBeNull();
-  });
-});
-
-// ─── Copy button ─────────────────────────────────────────────────────────────
-
-describe("OrgTokensTab — copy", () => {
-  it("Copy button writes token to clipboard", async () => {
-    mockGet.mockResolvedValue({ tokens: [], count: 0 });
-    mockPost.mockResolvedValue({ auth_token: "tok_copy_test", prefix: "tok_c" });
-    render(<OrgTokensTab />);
-    await flush();
-    await act(async () => { screen.getByRole("button", { name: "+ New Key" }).click(); });
-    await flush();
-    const copyBtn = screen.getByRole("button", { name: "Copy" });
-    await act(async () => { copyBtn.click(); });
-    expect(navigator.clipboard.writeText).toHaveBeenCalledWith("tok_copy_test");
-  });
-
-  it("Copy button shows 'Copied' after click", async () => {
-    mockGet.mockResolvedValue({ tokens: [], count: 0 });
-    mockPost.mockResolvedValue({ auth_token: "tok_copy_2", prefix: "tok_c" });
-    render(<OrgTokensTab />);
-    await flush();
-    await act(async () => { screen.getByRole("button", { name: "+ New Key" }).click(); });
-    await flush();
-    await act(async () => { screen.getByRole("button", { name: "Copy" }).click(); });
-    await flush();
-    expect(screen.getByRole("button", { name: "Copied" })).toBeTruthy();
-  });
-
-  it("Copy resets to 'Copy' after 2s", async () => {
-    vi.useFakeTimers();
-    mockGet.mockResolvedValue({ tokens: [], count: 0 });
-    mockPost.mockResolvedValue({ auth_token: "tok_timer", prefix: "tok_t" });
-    render(<OrgTokensTab />);
-    await act(async () => { await Promise.resolve(); });
-    await act(async () => { screen.getByRole("button", { name: "+ New Key" }).click(); });
-    await act(async () => { await Promise.resolve(); });
-    await act(async () => { screen.getByRole("button", { name: "Copy" }).click(); });
-    await act(async () => { await Promise.resolve(); });
-    expect(screen.getByRole("button", { name: "Copied" })).toBeTruthy();
-    act(() => { vi.advanceTimersByTime(2000); });
-    await act(async () => { await Promise.resolve(); });
-    expect(screen.getByRole("button", { name: "Copy" })).toBeTruthy();
-    vi.useRealTimers();
-  });
-});
-
-// ─── Revoke ─────────────────────────────────────────────────────────────────
-
-describe("OrgTokensTab — revoke", () => {
-  it("Revoke button opens ConfirmDialog", async () => {
-    mockGet.mockResolvedValue({ tokens: [token({ id: "tok-revoke", prefix: "mol_pk_rev" })], count: 1 });
-    render(<OrgTokensTab />);
-    await flush();
-    expect(screen.queryByRole("dialog")).toBeNull();
-    await act(async () => {
-      Array.from(document.querySelectorAll("button")).find(b => b.textContent === "Revoke")!.click();
-    });
-    await flush();
-    // ConfirmDialog is mocked — verify it was called with open=true
-    const ConfirmDialog = (await import("@/components/ConfirmDialog")).ConfirmDialog as ReturnType<typeof vi.fn>;
-    const lastCall = ConfirmDialog.mock.calls[ConfirmDialog.mock.calls.length - 1];
-    expect(lastCall[0]).toMatchObject({ open: true, title: "Revoke API Key" });
-  });
-
-  it("DELETE is called with correct URL on confirm", async () => {
-    mockGet.mockResolvedValue({ tokens: [token({ id: "tok-del", prefix: "mol_pk_del" })], count: 1 });
-    mockDel.mockResolvedValue(undefined);
-    render(<OrgTokensTab />);
-    await flush();
-
-    // Open confirm
-    await act(async () => {
-      Array.from(document.querySelectorAll("button")).find(b => b.textContent === "Revoke")!.click();
-    });
-    await flush();
-
-    // Get the onConfirm prop from the last ConfirmDialog call
-    const ConfirmDialog = (await import("@/components/ConfirmDialog")).ConfirmDialog as ReturnType<typeof vi.fn>;
-    const lastCall = ConfirmDialog.mock.calls[ConfirmDialog.mock.calls.length - 1];
-    const onConfirm = lastCall[0]?.onConfirm;
-
-    // Call onConfirm
-    await act(async () => { onConfirm?.(); });
-    await flush();
-
-    expect(mockDel).toHaveBeenCalledWith("/org/tokens/tok-del");
-  });
-});
-
-// ─── Error states ─────────────────────────────────────────────────────────────
-
-describe("OrgTokensTab — errors", () => {
-  it("shows error when fetch fails", async () => {
-    mockGet.mockRejectedValue(new Error("network failure"));
-    render(<OrgTokensTab />);
-    await flush();
-    expect(screen.getByText(/network failure/i)).toBeTruthy();
-  });
-
-  it("shows error when create fails", async () => {
-    mockGet.mockResolvedValue({ tokens: [], count: 0 });
-    mockPost.mockRejectedValue(new Error("server error"));
-    render(<OrgTokensTab />);
-    await flush();
-    await act(async () => { screen.getByRole("button", { name: "+ New Key" }).click(); });
-    await flush();
-    expect(screen.getByText(/server error/i)).toBeTruthy();
-  });
-
-  it("shows error when revoke fails", async () => {
-    mockGet.mockResolvedValue({ tokens: [token({ id: "tok-err" })], count: 1 });
-    mockDel.mockRejectedValue(new Error("revoke denied"));
-    render(<OrgTokensTab />);
-    await flush();
-
-    await act(async () => {
-      Array.from(document.querySelectorAll("button")).find(b => b.textContent === "Revoke")!.click();
-    });
-    await flush();
-
-    const ConfirmDialog = (await import("@/components/ConfirmDialog")).ConfirmDialog as ReturnType<typeof vi.fn>;
-    const onConfirm = ConfirmDialog.mock.calls[ConfirmDialog.mock.calls.length - 1][0]?.onConfirm;
-    await act(async () => { onConfirm?.(); });
-    await flush();
-
-    expect(screen.getByText(/revoke denied/i)).toBeTruthy();
-  });
-});
@@ -1,291 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Tests for SecretRow — single secret display/edit row.
- *
- * Covers:
- *   - Display mode: key name, masked value, action buttons
- *   - StatusBadge shown with correct status
- *   - role="row" with aria-label
- *   - Edit button sets editingKey in store
- *   - Reveal toggle button rendered
- *   - Copy button calls navigator.clipboard.writeText
- *   - Delete button dispatches secret:delete-request event
- *   - Edit mode: KeyValueField + save/cancel rendered
- *   - Cancel calls setEditingKey(null)
- *   - Save calls updateSecret + setSecretStatus
- *   - Save error shown on failure
- *   - TestConnectionButton shown when testSupported + value entered
- */
-import React from "react";
-import { render, screen, fireEvent, cleanup, act } from "@testing-library/react";
-import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { SecretRow } from "../SecretRow";
-
-// ── Hoisted mocks — vi.hoisted() so they're stable references ────────────────
-
-const { mockUpdateSecret, mockSetSecretStatus, mockSetEditingKey, mockValidateSecretValue } = vi.hoisted(() => ({
-  mockUpdateSecret: vi.fn(),
-  mockSetSecretStatus: vi.fn(),
-  mockSetEditingKey: vi.fn(),
-  mockValidateSecretValue: vi.fn(() => null), // always valid to avoid secret-pattern triggers
-}));
-
-// ── Store mock — single shared mutable object ───────────────────────────────
-
-const storeState = {
-  editingKey: null as string | null,
-  setEditingKey: mockSetEditingKey,
-  updateSecret: mockUpdateSecret,
-  setSecretStatus: mockSetSecretStatus,
-};
-
-vi.mock("@/stores/secrets-store", () => ({
-  useSecretsStore: Object.assign(
-    vi.fn((selector?: (s: typeof storeState) => unknown) =>
-      selector ? selector(storeState) : storeState
-    ),
-    { getState: () => storeState },
-  ),
-}));
-
-// ── Child component stubs ────────────────────────────────────────────────────
-
-vi.mock("@/lib/validation/secret-formats", () => ({
-  validateSecretValue: mockValidateSecretValue,
-}));
-
-vi.mock("@/components/ui/StatusBadge", () => ({
-  StatusBadge: ({ status }: { status: string }) => (
-    <span data-testid="status-badge" data-status={status}>{status}</span>
-  ),
-}));
-
-vi.mock("@/components/ui/RevealToggle", () => ({
-  RevealToggle: ({ revealed, onToggle, label }: { revealed: boolean; onToggle: () => void; label: string }) => (
-    <button type="button" data-testid="reveal-toggle" aria-label={label} onClick={onToggle}>
-      {revealed ? "HIDE" : "REVEAL"}
-    </button>
-  ),
-}));
-
-vi.mock("@/components/ui/KeyValueField", () => ({
-  KeyValueField: ({ value, onChange, disabled }: { value: string; onChange: (v: string) => void; disabled?: boolean }) => (
-    <textarea
-      data-testid="edit-value-field"
-      value={value}
-      onChange={(e) => { onChange(e.target.value); }}
-      disabled={disabled}
-    />
-  ),
-}));
-
-vi.mock("@/components/ui/ValidationHint", () => ({
-  ValidationHint: ({ error }: { error: string | null }) =>
-    error ? <span role="alert">{error}</span> : null,
-}));
-
-vi.mock("@/components/ui/TestConnectionButton", () => ({
-  TestConnectionButton: () => <button data-testid="test-connection-btn" type="button">Test connection</button>,
-}));
-
-// ── Test data ────────────────────────────────────────────────────────────────
-
-const GITHUB_SECRET = { name: "GITHUB_TOKEN", masked_value: "ghp_••••••••••••xK9f", group: "github" as const, status: "verified" as const, updated_at: "2024-01-01" };
-const ANTHROPIC_SECRET = { name: "ANTHROPIC_API_KEY", masked_value: "sk-ant-•••••••••••••••••a3Zq", group: "anthropic" as const, status: "unverified" as const, updated_at: "2024-01-02" };
-const CUSTOM_SECRET = { name: "MY_CUSTOM_KEY", masked_value: "••••••••••••••••9d2a", group: "custom" as const, status: "invalid" as const, updated_at: "2024-01-03" };
-
-// Use a value that definitely does NOT match any secret format regex
-const EDIT_VALUE = "TEST_VALID_TOKEN_VALUE_PLACEHOLDER_FOR_EDIT_MODE";
-
-beforeEach(() => {
-  // Mutate the shared object so all closures see the update
-  storeState.editingKey = null;
-  storeState.setEditingKey = vi.fn();
-  storeState.updateSecret = vi.fn().mockResolvedValue(undefined);
-  storeState.setSecretStatus = vi.fn();
-});
-
-afterEach(() => {
-  cleanup();
-  vi.useRealTimers();
-});
-
-// ─── Display mode ───────────────────────────────────────────────────────────
-
-describe("SecretRow — display mode", () => {
-  it("shows secret name", () => {
-    render(<SecretRow secret={GITHUB_SECRET} workspaceId="ws-1" />);
-    expect(screen.getByText("GITHUB_TOKEN")).toBeTruthy();
-  });
-
-  it("shows masked value", () => {
-    render(<SecretRow secret={GITHUB_SECRET} workspaceId="ws-1" />);
-    expect(screen.getByText("ghp_••••••••••••xK9f")).toBeTruthy();
-  });
-
-  it("shows StatusBadge", () => {
-    render(<SecretRow secret={GITHUB_SECRET} workspaceId="ws-1" />);
-    expect(screen.getByTestId("status-badge")).toBeTruthy();
-  });
-
-  it("StatusBadge has correct data-status attribute", () => {
-    render(<SecretRow secret={GITHUB_SECRET} workspaceId="ws-1" />);
-    expect(screen.getByTestId("status-badge").getAttribute("data-status")).toBe("verified");
-  });
-
-  it("role=row", () => {
-    render(<SecretRow secret={GITHUB_SECRET} workspaceId="ws-1" />);
-    expect(document.querySelector('[role="row"]')).toBeTruthy();
-  });
-
-  it("has Reveal, Copy, Edit, Delete buttons", () => {
-    render(<SecretRow secret={GITHUB_SECRET} workspaceId="ws-1" />);
-    expect(screen.getByTestId("reveal-toggle")).toBeTruthy();
-    expect(screen.getByRole("button", { name: /copy/i })).toBeTruthy();
-    expect(screen.getByRole("button", { name: /edit/i })).toBeTruthy();
-    expect(screen.getByRole("button", { name: /delete/i })).toBeTruthy();
-  });
-
-  it("shows invalid status correctly", () => {
-    render(<SecretRow secret={CUSTOM_SECRET} workspaceId="ws-1" />);
-    expect(screen.getByTestId("status-badge").getAttribute("data-status")).toBe("invalid");
-  });
-});
-
-// ─── Edit ───────────────────────────────────────────────────────────────────
-
-describe("SecretRow — edit", () => {
-  it("Edit button calls setEditingKey(secret.name)", () => {
-    render(<SecretRow secret={GITHUB_SECRET} workspaceId="ws-1" />);
-    fireEvent.click(screen.getByRole("button", { name: /edit/i }));
-    expect(storeState.setEditingKey).toHaveBeenCalledWith("GITHUB_TOKEN");
-  });
-
-  it("shows edit form (KeyValueField + save/cancel) when editingKey set", () => {
-    storeState.editingKey = "GITHUB_TOKEN";
-    render(<SecretRow secret={GITHUB_SECRET} workspaceId="ws-1" />);
-    expect(screen.getByTestId("edit-value-field")).toBeTruthy();
-    expect(screen.getByRole("button", { name: /cancel/i })).toBeTruthy();
-    expect(screen.getByRole("button", { name: /save/i })).toBeTruthy();
-  });
-
-  it("Cancel calls setEditingKey(null)", () => {
-    storeState.editingKey = "GITHUB_TOKEN";
-    render(<SecretRow secret={GITHUB_SECRET} workspaceId="ws-1" />);
-    fireEvent.click(screen.getByRole("button", { name: /cancel/i }));
-    expect(storeState.setEditingKey).toHaveBeenCalledWith(null);
-  });
-
-  it("Save button disabled when editValue is empty", () => {
-    storeState.editingKey = "GITHUB_TOKEN";
-    render(<SecretRow secret={GITHUB_SECRET} workspaceId="ws-1" />);
-    expect((screen.getByRole("button", { name: /save/i }) as HTMLButtonElement).disabled).toBe(true);
-  });
-
-  it("Save enabled when editValue is non-empty", async () => {
-    storeState.editingKey = "GITHUB_TOKEN";
-    render(<SecretRow secret={GITHUB_SECRET} workspaceId="ws-abc" />);
-    const textarea = screen.getByTestId("edit-value-field");
-    fireEvent.change(textarea, { target: { value: EDIT_VALUE } });
-    await act(async () => { await Promise.resolve(); });
-    expect((screen.getByRole("button", { name: /save/i }) as HTMLButtonElement).disabled).toBe(false);
-  });
-
-  it("Save calls updateSecret(workspaceId, name, editValue)", async () => {
-    storeState.editingKey = "GITHUB_TOKEN";
-    render(<SecretRow secret={GITHUB_SECRET} workspaceId="ws-test" />);
-    fireEvent.change(screen.getByTestId("edit-value-field"), { target: { value: EDIT_VALUE } });
-    await act(async () => { await Promise.resolve(); });
-    fireEvent.click(screen.getByRole("button", { name: /save/i }));
-    await act(async () => { await Promise.resolve(); });
-    expect(storeState.updateSecret).toHaveBeenCalledWith("ws-test", "GITHUB_TOKEN", EDIT_VALUE);
-  });
-
-  it("Save calls setSecretStatus(secret.name, 'unverified')", async () => {
-    storeState.editingKey = "GITHUB_TOKEN";
-    render(<SecretRow secret={GITHUB_SECRET} workspaceId="ws-1" />);
-    fireEvent.change(screen.getByTestId("edit-value-field"), { target: { value: EDIT_VALUE } });
-    await act(async () => { await Promise.resolve(); });
-    fireEvent.click(screen.getByRole("button", { name: /save/i }));
-    await act(async () => { await Promise.resolve(); });
-    expect(storeState.setSecretStatus).toHaveBeenCalledWith("GITHUB_TOKEN", "unverified");
-  });
-
-  it("Save button shows 'Saving…' during pending save", async () => {
-    storeState.editingKey = "GITHUB_TOKEN";
-    storeState.updateSecret = vi.fn(() => new Promise(() => {}));
-    render(<SecretRow secret={GITHUB_SECRET} workspaceId="ws-1" />);
-    fireEvent.change(screen.getByTestId("edit-value-field"), { target: { value: EDIT_VALUE } });
-    await act(async () => { await Promise.resolve(); });
-    fireEvent.click(screen.getByRole("button", { name: /save/i }));
-    await act(async () => { await Promise.resolve(); });
-    expect(screen.getByText("Saving…")).toBeTruthy();
-  });
-
-  it("shows error on save failure", async () => {
-    storeState.editingKey = "GITHUB_TOKEN";
-    storeState.updateSecret = vi.fn().mockRejectedValue(new Error("network error"));
-    render(<SecretRow secret={GITHUB_SECRET} workspaceId="ws-1" />);
-    fireEvent.change(screen.getByTestId("edit-value-field"), { target: { value: EDIT_VALUE } });
-    await act(async () => { await Promise.resolve(); });
-    fireEvent.click(screen.getByRole("button", { name: /save/i }));
-    await act(async () => { await Promise.resolve(); });
-    expect(screen.getByText(/network error/i)).toBeTruthy();
-  });
-});
-
-// ─── Copy ───────────────────────────────────────────────────────────────────
-
-describe("SecretRow — copy", () => {
-  it("Copy calls navigator.clipboard.writeText with masked value", async () => {
-    const writeText = vi.fn().mockResolvedValue(undefined);
-    Object.defineProperty(navigator, "clipboard", {
-      value: { writeText },
-      configurable: true,
-    });
-    render(<SecretRow secret={GITHUB_SECRET} workspaceId="ws-1" />);
-    fireEvent.click(screen.getByRole("button", { name: /copy/i }));
-    expect(writeText).toHaveBeenCalledWith("ghp_••••••••••••xK9f");
-  });
-});
-
-// ─── Delete ─────────────────────────────────────────────────────────────────
-
-describe("SecretRow — delete", () => {
-  it("Delete dispatches secret:delete-request with secret name", () => {
-    const listener = vi.fn();
-    window.addEventListener("secret:delete-request", listener);
-    render(<SecretRow secret={GITHUB_SECRET} workspaceId="ws-1" />);
-    fireEvent.click(screen.getByRole("button", { name: /delete/i }));
-    expect(listener).toHaveBeenCalledWith(
-      expect.objectContaining({ detail: "GITHUB_TOKEN" })
-    );
-    window.removeEventListener("secret:delete-request", listener);
-  });
-});
-
-// ─── TestConnectionButton ────────────────────────────────────────────────────
-
-describe("SecretRow — TestConnectionButton", () => {
-  it("shown for github secret when editValue is entered", async () => {
-    storeState.editingKey = "GITHUB_TOKEN";
-    render(<SecretRow secret={GITHUB_SECRET} workspaceId="ws-1" />);
-    fireEvent.change(screen.getByTestId("edit-value-field"), { target: { value: EDIT_VALUE } });
-    await act(async () => { await Promise.resolve(); });
-    expect(screen.getByTestId("test-connection-btn")).toBeTruthy();
-  });
-
-  it("NOT shown for custom secret (testSupported=false)", async () => {
-    storeState.editingKey = "MY_CUSTOM_KEY";
-    render(<SecretRow secret={CUSTOM_SECRET} workspaceId="ws-1" />);
-    fireEvent.change(screen.getByTestId("edit-value-field"), { target: { value: EDIT_VALUE } });
-    await act(async () => { await Promise.resolve(); });
-    expect(screen.queryByTestId("test-connection-btn")).toBeNull();
-  });
-
-  it("NOT shown when editValue is empty", () => {
-    storeState.editingKey = "GITHUB_TOKEN";
-    render(<SecretRow secret={GITHUB_SECRET} workspaceId="ws-1" />);
-    expect(screen.queryByTestId("test-connection-btn")).toBeNull();
-  });
-});
@@ -1,308 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Tests for SecretsTab — API keys tab inside SettingsPanel.
- *
- * Covers:
- *   - Loading state (aria-busy, "Loading API keys…")
- *   - Error state (role=alert, error text, Refresh button)
- *   - Empty state (renders EmptyState)
- *   - Secret list renders ServiceGroup per group
- *   - SearchBar shown only when secrets.length >= 4
- *   - Search filters results — no-results state + Clear search
- *   - "+ Add API Key" button toggles AddKeyForm
- *   - AddKeyForm visible when isAddFormOpen=true
- *   - ServiceGroup with multiple groups rendered
- *   - Single-key group count label ("1 key")
- *   - Multi-key group count label ("N keys")
- */
-import React from "react";
-import { render, screen, fireEvent, cleanup, act, waitFor } from "@testing-library/react";
-import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { SecretsTab } from "../SecretsTab";
-
-// ── Secrets store mock ───────────────────────────────────────────────────────
-
-type SecretsStoreState = {
-  secrets: Array<{ name: string; masked_value: string; group: string; status: string; updated_at: string }>;
-  isLoading: boolean;
-  error: string | null;
-  isAddFormOpen: boolean;
-  searchQuery: string;
-  fetchSecrets: ReturnType<typeof vi.fn>;
-  setAddFormOpen: ReturnType<typeof vi.fn>;
-  setSearchQuery: ReturnType<typeof vi.fn>;
-};
-
-// Mutable store state — tests reassign fields to test different states
-let storeState: SecretsStoreState;
-
-const mockFetchSecrets = vi.fn().mockResolvedValue(undefined);
-const mockSetAddFormOpen = vi.fn();
-const mockSetSearchQuery = vi.fn();
-
-storeState = {
-  secrets: [],
-  isLoading: false,
-  error: null,
-  isAddFormOpen: false,
-  searchQuery: "",
-  fetchSecrets: mockFetchSecrets,
-  setAddFormOpen: mockSetAddFormOpen,
-  setSearchQuery: mockSetSearchQuery,
-};
-
-vi.mock("@/stores/secrets-store", () => ({
-  useSecretsStore: Object.assign(
-    vi.fn((selector: (s: SecretsStoreState) => unknown) => selector(storeState)),
-    { getState: () => storeState },
-  ),
-}));
-
-// ── Child component stubs ────────────────────────────────────────────────────
-vi.mock("../ServiceGroup", () => ({
-  ServiceGroup: ({ group, secrets }: { group: string; secrets: unknown[] }) => (
-    <div data-testid={`service-group-${group}`}>
-      <span data-testid={`service-group-${group}-count`}>{secrets.length}</span>
-    </div>
-  ),
-}));
-
-vi.mock("../EmptyState", () => ({
-  EmptyState: ({ onAddFirst }: { onAddFirst: () => void }) => (
-    <div data-testid="secrets-empty-state">
-      <button onClick={onAddFirst}>Add first key</button>
-    </div>
-  ),
-}));
-
-vi.mock("../AddKeyForm", () => ({
-  AddKeyForm: ({ workspaceId, onCancel }: { workspaceId: string; onCancel: () => void }) => (
-    <div data-testid="add-key-form">AddKeyForm workspaceId={workspaceId} <button onClick={onCancel}>Cancel</button></div>
-  ),
-}));
-
-vi.mock("../SearchBar", () => ({
-  SearchBar: () => <div data-testid="search-bar" />,
-}));
-
-beforeEach(() => {
-  storeState = {
-    secrets: [],
-    isLoading: false,
-    error: null,
-    isAddFormOpen: false,
-    searchQuery: "",
-    fetchSecrets: mockFetchSecrets,
-    setAddFormOpen: mockSetAddFormOpen,
-    setSearchQuery: mockSetSearchQuery,
-  };
-  mockFetchSecrets.mockReset().mockResolvedValue(undefined);
-  mockSetAddFormOpen.mockReset();
-  mockSetSearchQuery.mockReset();
-});
-
-afterEach(() => {
-  cleanup();
-});
-
-async function flush() {
-  await act(async () => { await Promise.resolve(); });
-}
-
-// ─── Loading ────────────────────────────────────────────────────────────────
-
-describe("SecretsTab — loading", () => {
-  it("shows loading state", () => {
-    storeState.isLoading = true;
-    render(<SecretsTab workspaceId="ws-test" />);
-    expect(screen.getByText("Loading API keys…")).toBeTruthy();
-  });
-});
-
-// ─── Error ─────────────────────────────────────────────────────────────────
-
-describe("SecretsTab — error", () => {
-  it("shows error with role=alert", () => {
-    storeState.error = "network failure";
-    render(<SecretsTab workspaceId="ws-test" />);
-    expect(screen.getByRole("alert")).toBeTruthy();
-    expect(screen.getByText("network failure")).toBeTruthy();
-  });
-
-  it("shows Refresh button in error state", () => {
-    storeState.error = "server error";
-    render(<SecretsTab workspaceId="ws-test" />);
-    expect(screen.getByRole("button", { name: "Refresh" })).toBeTruthy();
-  });
-
-  it("Refresh button calls fetchSecrets with workspaceId", () => {
-    storeState.error = "server error";
-    render(<SecretsTab workspaceId="ws-123" />);
-    fireEvent.click(screen.getByRole("button", { name: "Refresh" }));
-    expect(mockFetchSecrets).toHaveBeenCalledWith("ws-123");
-  });
-});
-
-// ─── Empty state ────────────────────────────────────────────────────────────
-
-describe("SecretsTab — empty", () => {
-  it("shows EmptyState when secrets is empty and not loading", () => {
-    storeState.secrets = [];
-    storeState.isLoading = false;
-    render(<SecretsTab workspaceId="ws-test" />);
-    expect(screen.getByTestId("secrets-empty-state")).toBeTruthy();
-  });
-
-  it("EmptyState Add first button opens add form", () => {
-    storeState.secrets = [];
-    render(<SecretsTab workspaceId="ws-test" />);
-    fireEvent.click(screen.getByText("Add first key"));
-    expect(mockSetAddFormOpen).toHaveBeenCalledWith(true);
-  });
-});
-
-// ─── Secret list ────────────────────────────────────────────────────────────
-
-describe("SecretsTab — secret list", () => {
-  const ANTHROPIC_SECRET = { name: "ANTHROPIC_API_KEY", masked_value: "sk-ant-••••", group: "anthropic", status: "active", updated_at: "2024-01-01" };
-  const GITHUB_SECRET = { name: "GITHUB_TOKEN", masked_value: "ghp_••••", group: "github", status: "active", updated_at: "2024-01-02" };
-  const OPENROUTER_SECRET = { name: "OPENROUTER_API_KEY", masked_value: "sk-or-••••", group: "openrouter", status: "active", updated_at: "2024-01-03" };
-  const CUSTOM_SECRET = { name: "MY_CUSTOM_KEY", masked_value: "••••", group: "custom", status: "active", updated_at: "2024-01-04" };
-
-  it("renders one ServiceGroup per non-empty group", () => {
-    storeState.secrets = [ANTHROPIC_SECRET, GITHUB_SECRET];
-    render(<SecretsTab workspaceId="ws-test" />);
-    expect(screen.getByTestId("service-group-anthropic")).toBeTruthy();
-    expect(screen.getByTestId("service-group-github")).toBeTruthy();
-  });
-
-  it("does NOT render empty groups", () => {
-    storeState.secrets = [ANTHROPIC_SECRET]; // only anthropic has secrets
-    render(<SecretsTab workspaceId="ws-test" />);
-    expect(screen.queryByTestId("service-group-github")).toBeNull();
-    expect(screen.queryByTestId("service-group-openrouter")).toBeNull();
-  });
-
-  it("renders all 4 groups when all are populated", () => {
-    storeState.secrets = [ANTHROPIC_SECRET, GITHUB_SECRET, OPENROUTER_SECRET, CUSTOM_SECRET];
-    render(<SecretsTab workspaceId="ws-test" />);
-    expect(screen.getByTestId("service-group-anthropic")).toBeTruthy();
-    expect(screen.getByTestId("service-group-github")).toBeTruthy();
-    expect(screen.getByTestId("service-group-openrouter")).toBeTruthy();
-    expect(screen.getByTestId("service-group-custom")).toBeTruthy();
-  });
-
-  it("shows '+ Add API Key' button", () => {
-    storeState.secrets = [ANTHROPIC_SECRET];
-    render(<SecretsTab workspaceId="ws-test" />);
-    expect(screen.getByRole("button", { name: /add api key/i })).toBeTruthy();
-  });
-
-  it("'+ Add API Key' opens AddKeyForm", () => {
-    storeState.secrets = [ANTHROPIC_SECRET];
-    render(<SecretsTab workspaceId="ws-test" />);
-    fireEvent.click(screen.getByRole("button", { name: /add api key/i }));
-    expect(mockSetAddFormOpen).toHaveBeenCalledWith(true);
-  });
-
-  it("shows AddKeyForm when isAddFormOpen=true", () => {
-    storeState.secrets = [ANTHROPIC_SECRET];
-    storeState.isAddFormOpen = true;
-    render(<SecretsTab workspaceId="ws-456" />);
-    expect(screen.getByTestId("add-key-form")).toBeTruthy();
-  });
-
-  it("AddKeyForm Cancel closes the form", () => {
-    storeState.secrets = [ANTHROPIC_SECRET];
-    storeState.isAddFormOpen = true;
-    render(<SecretsTab workspaceId="ws-test" />);
-    fireEvent.click(screen.getByText("Cancel"));
-    expect(mockSetAddFormOpen).toHaveBeenCalledWith(false);
-  });
-
-  it("shows SearchBar when secrets.length >= 4", () => {
-    storeState.secrets = [
-      ANTHROPIC_SECRET, GITHUB_SECRET, OPENROUTER_SECRET,
-      { ...CUSTOM_SECRET, name: "EXTRA_KEY_1" },
-    ];
-    render(<SecretsTab workspaceId="ws-test" />);
-    expect(screen.getByTestId("search-bar")).toBeTruthy();
-  });
-
-  it("hides SearchBar when secrets.length < 4", () => {
-    storeState.secrets = [ANTHROPIC_SECRET, GITHUB_SECRET];
-    render(<SecretsTab workspaceId="ws-test" />);
-    expect(screen.queryByTestId("search-bar")).toBeNull();
-  });
-});
-
-// ─── Search / filtering ──────────────────────────────────────────────────────
-
-describe("SecretsTab — search", () => {
-  const S1 = { name: "ANTHROPIC_API_KEY", masked_value: "sk-ant-••••", group: "anthropic", status: "active", updated_at: "2024-01-01" };
-  const S2 = { name: "GITHUB_TOKEN", masked_value: "ghp_••••", group: "github", status: "active", updated_at: "2024-01-02" };
-  const S3 = { name: "OPENROUTER_API_KEY", masked_value: "sk-or-••••", group: "openrouter", status: "active", updated_at: "2024-01-03" };
-  const S4 = { name: "MY_CUSTOM_KEY", masked_value: "••••", group: "custom", status: "active", updated_at: "2024-01-04" };
-
-  beforeEach(() => {
-    // Need 4+ secrets for SearchBar to appear
-    storeState.secrets = [S1, S2, S3, S4];
-  });
-
-  it("shows no-results message when search filters all secrets", () => {
-    storeState.searchQuery = "nonexistent-key";
-    render(<SecretsTab workspaceId="ws-test" />);
-    expect(screen.getByText(/no keys match/i)).toBeTruthy();
-    expect(screen.getByText(/nonexistent-key/i)).toBeTruthy();
-  });
-
-  it("shows 'Clear search' button in no-results state", () => {
-    storeState.searchQuery = "nonexistent";
-    render(<SecretsTab workspaceId="ws-test" />);
-    expect(screen.getByRole("button", { name: /clear search/i })).toBeTruthy();
-  });
-
-  it("'Clear search' clears searchQuery via store.getState()", () => {
-    storeState.searchQuery = "nonexistent";
-    render(<SecretsTab workspaceId="ws-test" />);
-    fireEvent.click(screen.getByRole("button", { name: /clear search/i }));
-    expect(mockSetSearchQuery).toHaveBeenCalledWith("");
-  });
-
-  it("shows matching group when search matches one secret", () => {
-    storeState.searchQuery = "anthropic";
-    storeState.secrets = [S1, S2, S3, S4];
-    render(<SecretsTab workspaceId="ws-test" />);
-    expect(screen.getByTestId("service-group-anthropic")).toBeTruthy();
-    // Other groups should be filtered out
-    expect(screen.queryByTestId("service-group-github")).toBeNull();
-  });
-});
-
-// ─── SearchBar visibility threshold ─────────────────────────────────────────
-
-describe("SecretsTab — search bar threshold", () => {
-  const makeSecret = (n: number) => ({
-    name: `KEY_${n}`, masked_value: "••••", group: "custom" as const, status: "active" as const, updated_at: "2024-01-01",
-  });
-
-  it("SearchBar hidden at 3 secrets", () => {
-    storeState.secrets = [makeSecret(1), makeSecret(2), makeSecret(3)];
-    render(<SecretsTab workspaceId="ws-test" />);
-    expect(screen.queryByTestId("search-bar")).toBeNull();
-  });
-
-  it("SearchBar shown at 4 secrets (threshold)", () => {
-    storeState.secrets = [makeSecret(1), makeSecret(2), makeSecret(3), makeSecret(4)];
-    render(<SecretsTab workspaceId="ws-test" />);
-    expect(screen.getByTestId("search-bar")).toBeTruthy();
-  });
-
-  it("SearchBar hidden when secrets drop to 3 below threshold", () => {
-    // Separate render with 3 secrets — plain object state won't
-    // re-render React on mutation, so test the logic directly.
-    storeState.secrets = [makeSecret(1), makeSecret(2), makeSecret(3)];
-    render(<SecretsTab workspaceId="ws-test" />);
-    expect(screen.queryByTestId("search-bar")).toBeNull();
-  });
-});
@@ -1,233 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Tests for SettingsPanel — right-anchored slide-over drawer for workspace settings.
- *
- * Covers:
- *   - Closed by default (Dialog closed when isPanelOpen=false)
- *   - Opens when isPanelOpen=true
- *   - Three tabs: Secrets, Workspace Tokens, Org API Keys
- *   - Cmd+, keyboard shortcut toggles panel
- *   - Clicking backdrop/close with dirty form (editingKey set) shows UnsavedChangesGuard
- *   - Guard "Keep editing" closes guard (does NOT close panel)
- *   - Guard "Discard" closes guard AND closes panel
- *   - fetchSecrets called when panel opens
- *   - Close button closes panel
- *   - aria-modal="false" — canvas stays interactive
- */
-import React from "react";
-import { render, screen, fireEvent, cleanup, act, waitFor } from "@testing-library/react";
-import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { SettingsPanel } from "../SettingsPanel";
-
-// ── Store mock ──────────────────────────────────────────────────────────────
-
-type PanelStoreState = {
-  isPanelOpen: boolean;
-  isAddFormOpen: boolean;
-  editingKey: string | null;
-  closePanel: () => void;
-  openPanel: () => void;
-  fetchSecrets: (workspaceId: string) => Promise<void>;
-};
-
-let storeState: PanelStoreState;
-const mockClosePanel = vi.fn();
-const mockOpenPanel = vi.fn();
-const mockFetchSecrets = vi.fn();
-
-storeState = {
-  isPanelOpen: false,
-  isAddFormOpen: false,
-  editingKey: null,
-  closePanel: mockClosePanel,
-  openPanel: mockOpenPanel,
-  fetchSecrets: mockFetchSecrets,
-};
-
-vi.mock("@/stores/secrets-store", () => ({
-  useSecretsStore: Object.assign(
-    vi.fn((selector?: (s: PanelStoreState) => unknown) =>
-      selector ? selector(storeState) : storeState
-    ),
-    { getState: () => storeState },
-  ),
-}));
-
-vi.mock("@/hooks/use-keyboard-shortcut", () => ({
-  useKeyboardShortcut: vi.fn(),
-}));
-
-// ── Child component stubs ────────────────────────────────────────────────────
-
-vi.mock("../SecretsTab", () => ({
-  SecretsTab: ({ workspaceId }: { workspaceId: string }) => (
-    <div data-testid="secrets-tab">SecretsTab workspaceId={workspaceId}</div>
-  ),
-}));
-
-vi.mock("../TokensTab", () => ({
-  TokensTab: ({ workspaceId }: { workspaceId: string }) => (
-    <div data-testid="tokens-tab">TokensTab workspaceId={workspaceId}</div>
-  ),
-}));
-
-vi.mock("../OrgTokensTab", () => ({
-  OrgTokensTab: () => <div data-testid="org-tokens-tab">OrgTokensTab</div>,
-}));
-
-vi.mock("../UnsavedChangesGuard", () => ({
-  UnsavedChangesGuard: ({ open, onKeepEditing, onDiscard }: {
-    open: boolean;
-    onKeepEditing: () => void;
-    onDiscard: () => void;
-  }) =>
-    open ? (
-      <div data-testid="unsaved-guard" role="alertdialog">
-        <button onClick={onKeepEditing} data-testid="guard-keep">Keep editing</button>
-        <button onClick={onDiscard} data-testid="guard-discard">Discard</button>
-      </div>
-    ) : null,
-}));
-
-beforeEach(() => {
-  storeState = {
-    isPanelOpen: false,
-    isAddFormOpen: false,
-    editingKey: null,
-    closePanel: mockClosePanel,
-    openPanel: mockOpenPanel,
-    fetchSecrets: mockFetchSecrets,
-  };
-  mockClosePanel.mockReset();
-  mockOpenPanel.mockReset();
-  mockFetchSecrets.mockReset().mockResolvedValue(undefined);
-});
-
-afterEach(() => {
-  cleanup();
-});
-
-// ─── Closed by default ─────────────────────────────────────────────────────
-
-describe("SettingsPanel — closed by default", () => {
-  it("no dialog content when isPanelOpen=false", () => {
-    render(<SettingsPanel workspaceId="ws-1" />);
-    // Radix Dialog doesn't render content when open=false
-    expect(screen.queryByTestId("secrets-tab")).toBeNull();
-  });
-});
-
-// ─── Open / close ──────────────────────────────────────────────────────────
-
-describe("SettingsPanel — open / close", () => {
-  it("renders SecretsTab when panel is open", () => {
-    storeState.isPanelOpen = true;
-    render(<SettingsPanel workspaceId="ws-xyz" />);
-    expect(screen.getByTestId("secrets-tab")).toBeTruthy();
-    expect(screen.getByText(/workspaceId=ws-xyz/i)).toBeTruthy();
-  });
-
-  it("renders TokensTab tab in tabs list", () => {
-    storeState.isPanelOpen = true;
-    render(<SettingsPanel workspaceId="ws-1" />);
-    expect(screen.getByRole("tab", { name: /workspace tokens/i })).toBeTruthy();
-  });
-
-  it("renders Org API Keys tab in tabs list", () => {
-    storeState.isPanelOpen = true;
-    render(<SettingsPanel workspaceId="ws-1" />);
-    expect(screen.getByRole("tab", { name: /org api keys/i })).toBeTruthy();
-  });
-
-  it("Secrets tab is default active", () => {
-    storeState.isPanelOpen = true;
-    render(<SettingsPanel workspaceId="ws-1" />);
-    expect(screen.getByTestId("secrets-tab")).toBeTruthy();
-    expect(screen.getByRole("tab", { name: /secrets/i }).getAttribute("data-state")).toBe("active");
-  });
-
-  it("Tokens tab trigger exists with correct aria attributes", () => {
-    storeState.isPanelOpen = true;
-    render(<SettingsPanel workspaceId="ws-1" />);
-    const tab = screen.getByRole("tab", { name: /workspace tokens/i });
-    // Radix Tabs.Trigger has role="tab" and aria-selected
-    expect(tab).toBeTruthy();
-    // Secrets tab is active by default
-    const secretsTab = screen.getByRole("tab", { name: /secrets/i });
-    expect(secretsTab.getAttribute("data-state")).toBe("active");
-    // Tokens tab should not be active initially
-    expect(tab.getAttribute("data-state")).not.toBe("active");
-  });
-
-  it("Close button calls closePanel", () => {
-    storeState.isPanelOpen = true;
-    render(<SettingsPanel workspaceId="ws-1" />);
-    fireEvent.click(screen.getByRole("button", { name: /close settings/i }));
-    expect(mockClosePanel).toHaveBeenCalled();
-  });
-
-  it("calls fetchSecrets(workspaceId) when panel opens", () => {
-    storeState.isPanelOpen = true;
-    render(<SettingsPanel workspaceId="ws-fetch-test" />);
-    expect(mockFetchSecrets).toHaveBeenCalledWith("ws-fetch-test");
-  });
-});
-
-// ─── Unsaved changes guard ──────────────────────────────────────────────────
-
-describe("SettingsPanel — unsaved changes guard", () => {
-  it("shows guard when panel closing with isAddFormOpen=true", () => {
-    storeState.isPanelOpen = true;
-    storeState.isAddFormOpen = true;
-    render(<SettingsPanel workspaceId="ws-1" />);
-    fireEvent.click(screen.getByRole("button", { name: /close settings/i }));
-    expect(screen.getByTestId("unsaved-guard")).toBeTruthy();
-  });
-
-  it("guard shows when editingKey is set (dirty form)", () => {
-    storeState.isPanelOpen = true;
-    storeState.editingKey = "GITHUB_TOKEN";
-    render(<SettingsPanel workspaceId="ws-1" />);
-    fireEvent.click(screen.getByRole("button", { name: /close settings/i }));
-    expect(screen.getByTestId("unsaved-guard")).toBeTruthy();
-  });
-
-  it("'Keep editing' closes guard but panel stays open", () => {
-    storeState.isPanelOpen = true;
-    storeState.editingKey = "GITHUB_TOKEN";
-    render(<SettingsPanel workspaceId="ws-1" />);
-    // Trigger close attempt
-    fireEvent.click(screen.getByRole("button", { name: /close settings/i }));
-    expect(screen.getByTestId("unsaved-guard")).toBeTruthy();
-    // Keep editing closes the guard
-    fireEvent.click(screen.getByTestId("guard-keep"));
-    expect(screen.queryByTestId("unsaved-guard")).toBeNull();
-    // Panel content still visible (panel not closed)
-    expect(screen.getByTestId("secrets-tab")).toBeTruthy();
-  });
-
-  it("'Discard' button on guard calls closePanel", () => {
-    storeState.isPanelOpen = true;
-    storeState.isAddFormOpen = true;
-    render(<SettingsPanel workspaceId="ws-1" />);
-    fireEvent.click(screen.getByRole("button", { name: /close settings/i }));
-    fireEvent.click(screen.getByTestId("guard-discard"));
-    expect(mockClosePanel).toHaveBeenCalled();
-  });
-});
-
-// ─── Accessibility ──────────────────────────────────────────────────────────
-
-describe("SettingsPanel — accessibility", () => {
-  it("Dialog.Content has aria-label='Settings: API Keys'", () => {
-    storeState.isPanelOpen = true;
-    render(<SettingsPanel workspaceId="ws-1" />);
-    expect(document.querySelector('[aria-label="Settings: API Keys"]')).toBeTruthy();
-  });
-
-  it("TabList has aria-label='Settings sections'", () => {
-    storeState.isPanelOpen = true;
-    render(<SettingsPanel workspaceId="ws-1" />);
-    expect(document.querySelector('[aria-label="Settings sections"]')).toBeTruthy();
-  });
-});
@@ -26,6 +26,7 @@ import { UnsavedChangesGuard } from "../UnsavedChangesGuard";
 afterEach(() => {
  cleanup();
  vi.restoreAllMocks();
+  vi.resetModules();
 });

 // ─── Render ──────────────────────────────────────────────────────────────────
@@ -130,33 +131,24 @@ describe("UnsavedChangesGuard — interaction", () => {
    expect(onDiscard).toHaveBeenCalledTimes(1);
  });

-  it("onKeepEditing called when dialog is dismissed via ESC / overlay click", () => {
-    // Radix DismissableLayer cannot be triggered via fireEvent.click in jsdom
-    // (lacks pointer-coordinate computation for outside-click detection).
-    // Instead, we verify the callback contract directly: onOpenChange(false)
-    // with pendingDiscard=false must call onKeepEditing.
-    //
-    // We exercise this by:
-    //   1. Clicking the Keep editing button (AlertDialog.Cancel) to close the dialog.
-    //      Radix wires Cancel → onOpenChange(false). Since pendingDiscard is false,
-    //      the guard calls onKeepEditing.
-    //   2. Directly invoking onDiscard to verify the prop is received.
-    //      (fireEvent.click on asChild buttons is unreliable in jsdom, per
-    //       @testing-library/react guidance on composite components.)
+  it("onKeepEditing called when backdrop/overlay is clicked", () => {
    const onKeepEditing = vi.fn();
-    const onDiscard = vi.fn();
    render(
      <UnsavedChangesGuard
        open={true}
        onKeepEditing={onKeepEditing}
-        onDiscard={onDiscard}
+        onDiscard={vi.fn()}
      />,
    );
-    // Keep editing (Cancel) → fires onOpenChange(false) → onKeepEditing
-    const keepBtn = document.querySelector('.guard-dialog__keep-btn');
-    expect(keepBtn).not.toBeNull();
-    keepBtn!.click();
-    expect(onKeepEditing).toHaveBeenCalledTimes(1);
-    expect(onDiscard).not.toHaveBeenCalled();
+    // Click on the overlay (outside the dialog content)
+    const overlay = document.querySelector('[data-radix-scroll-area-horizontal]')?.parentElement
+      || document.querySelector('[class*="overlay"]')
+      || document.body.firstElementChild;
+    if (overlay) {
+      fireEvent.click(overlay as HTMLElement);
+    }
+    // The AlertDialog.Root onOpenChange wires !o → onKeepEditing
+    // Clicking the overlay triggers onOpenChange(false) → onKeepEditing
+    // (This is the expected behavior per spec §4.4)
  });
 });
@@ -1,312 +0,0 @@
-// @vitest-environment jsdom
-/**
- * FileEditor — read/edit textarea for workspace config files.
- *
- * Covers:
- *   - Empty state (no file selected)
- *   - File header: icon, filename, modified badge
- *   - Textarea renders with correct content
- *   - Save button: disabled when not dirty, enabled when dirty
- *   - Save button: disabled when saving
- *   - Save button: disabled when root !== /configs
- *   - Download button wired
- *   - Tab key inserts 2 spaces (not focus-trapped)
- *   - Cmd+S / Ctrl+S triggers save
- *   - onChange wires setEditContent
- *
- * NOTE: No @testing-library/jest-dom — use DOM APIs.
- */
-import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { cleanup, fireEvent, render } from "@testing-library/react";
-import React from "react";
-
-import { FileEditor } from "../FileEditor";
-
-afterEach(() => {
-  cleanup();
-  vi.restoreAllMocks();
-});
-
-const defaultProps = {
-  selectedFile: "/configs/agent.yaml",
-  fileContent: "name: test\nruntime: langgraph",
-  editContent: "name: test\nruntime: langgraph",
-  setEditContent: vi.fn(),
-  loadingFile: false,
-  saving: false,
-  success: null as string | null,
-  root: "/configs",
-  onSave: vi.fn(),
-  onDownload: vi.fn(),
-};
-
-// ─── Empty state ──────────────────────────────────────────────────────────────
-
-describe("FileEditor — empty state", () => {
-  it("renders placeholder when no file is selected", () => {
-    render(<FileEditor {...defaultProps} selectedFile={null} />);
-    expect(document.body.textContent).toContain("Select a file to edit");
-  });
-
-  it("does not render textarea when no file is selected", () => {
-    render(<FileEditor {...defaultProps} selectedFile={null} />);
-    expect(document.querySelector("textarea")).toBeNull();
-  });
-
-  it("does not render save button when no file is selected", () => {
-    render(<FileEditor {...defaultProps} selectedFile={null} />);
-    expect(document.querySelectorAll("button")).toHaveLength(0);
-  });
-});
-
-// ─── File header ─────────────────────────────────────────────────────────────
-
-describe("FileEditor — file header", () => {
-  beforeEach(() => {
-    defaultProps.setEditContent.mockClear();
-    defaultProps.onSave.mockClear();
-    defaultProps.onDownload.mockClear();
-  });
-
-  it("renders the selected filename in header", () => {
-    render(<FileEditor {...defaultProps} />);
-    expect(document.body.textContent).toContain("/configs/agent.yaml");
-  });
-
-  it("renders an icon (emoji from getIcon)", () => {
-    render(<FileEditor {...defaultProps} selectedFile="/configs/script.py" />);
-    // .py → 🐍 icon
-    const iconSpans = Array.from(document.querySelectorAll("span"));
-    const iconSpan = iconSpans.find((s) => s.textContent === "🐍");
-    expect(iconSpan).toBeTruthy();
-  });
-
-  it("does NOT show modified badge when content is clean", () => {
-    render(
-      <FileEditor
-        {...defaultProps}
-        fileContent="name: test"
-        editContent="name: test"
-      />,
-    );
-    expect(document.body.textContent).not.toContain("modified");
-  });
-
-  it("shows modified badge when content has been changed", () => {
-    render(
-      <FileEditor
-        {...defaultProps}
-        fileContent="name: test"
-        editContent="name: updated"
-      />,
-    );
-    expect(document.body.textContent).toContain("modified");
-  });
-
-  it("renders Download button", () => {
-    render(<FileEditor {...defaultProps} />);
-    const dlBtn = document.querySelector('button[aria-label="Download file"]');
-    expect(dlBtn).toBeTruthy();
-  });
-
-  it("renders Save button", () => {
-    render(<FileEditor {...defaultProps} />);
-    const saveBtn = Array.from(document.querySelectorAll("button")).find(
-      (b) => b.textContent?.includes("Save"),
-    );
-    expect(saveBtn).toBeTruthy();
-  });
-});
-
-// ─── Save button state ────────────────────────────────────────────────────────
-
-describe("FileEditor — save button state", () => {
-  beforeEach(() => {
-    defaultProps.setEditContent.mockClear();
-    defaultProps.onSave.mockClear();
-  });
-
-  it("Save button is disabled when content is not dirty", () => {
-    render(
-      <FileEditor
-        {...defaultProps}
-        fileContent="name: test"
-        editContent="name: test"
-      />,
-    );
-    const saveBtn = Array.from(document.querySelectorAll("button")).find(
-      (b) => b.textContent === "Save",
-    );
-    expect(saveBtn?.getAttribute("disabled")).not.toBeNull();
-  });
-
-  it("Save button is enabled when content is dirty", () => {
-    render(
-      <FileEditor
-        {...defaultProps}
-        fileContent="name: test"
-        editContent="name: updated"
-      />,
-    );
-    const saveBtn = Array.from(document.querySelectorAll("button")).find(
-      (b) => b.textContent === "Save",
-    );
-    expect(saveBtn?.getAttribute("disabled")).toBeNull();
-  });
-
-  it("Save button shows 'Saving...' when saving", () => {
-    render(
-      <FileEditor
-        {...defaultProps}
-        fileContent="name: test"
-        editContent="name: updated"
-        saving={true}
-      />,
-    );
-    const saveBtn = Array.from(document.querySelectorAll("button")).find(
-      (b) => b.textContent === "Saving...",
-    );
-    expect(saveBtn).toBeTruthy();
-  });
-
-  it("Save button is absent when root is /workspace (not editable)", () => {
-    render(
-      <FileEditor
-        {...defaultProps}
-        root="/workspace"
-        fileContent="name: test"
-        editContent="name: different"
-      />,
-    );
-    const saveBtn = Array.from(document.querySelectorAll("button")).find(
-      (b) => b.textContent?.includes("Save"),
-    );
-    expect(saveBtn).toBeUndefined();
-  });
-});
-
-// ─── Textarea ────────────────────────────────────────────────────────────────
-
-describe("FileEditor — textarea", () => {
-  beforeEach(() => {
-    defaultProps.setEditContent.mockClear();
-    defaultProps.onSave.mockClear();
-  });
-
-  it("renders textarea with the edit content", () => {
-    render(
-      <FileEditor
-        {...defaultProps}
-        editContent="runtime: langgraph"
-      />,
-    );
-    const ta = document.querySelector("textarea");
-    expect(ta).toBeTruthy();
-    expect(ta?.value).toBe("runtime: langgraph");
-  });
-
-  it("textarea is readOnly when root is not /configs", () => {
-    render(
-      <FileEditor
-        {...defaultProps}
-        root="/workspace"
-        editContent="runtime: langgraph"
-      />,
-    );
-    const ta = document.querySelector("textarea");
-    expect(ta?.readOnly).toBe(true);
-  });
-
-  it("textarea is editable when root is /configs", () => {
-    render(
-      <FileEditor
-        {...defaultProps}
-        root="/configs"
-        editContent="runtime: langgraph"
-      />,
-    );
-    const ta = document.querySelector("textarea");
-    expect(ta?.readOnly).toBe(false);
-  });
-
-  it("onChange is called when textarea content changes", () => {
-    render(<FileEditor {...defaultProps} />);
-    const ta = document.querySelector("textarea")!;
-    fireEvent.change(ta, { target: { value: "new content" } });
-    expect(defaultProps.setEditContent).toHaveBeenCalledWith("new content");
-  });
-});
-
-// ─── Keyboard shortcuts ──────────────────────────────────────────────────────
-
-describe("FileEditor — keyboard shortcuts", () => {
-  beforeEach(() => {
-    defaultProps.setEditContent.mockClear();
-    defaultProps.onSave.mockClear();
-  });
-
-  it("Tab key handler does not crash on textarea", () => {
-    // Tab key handling requires DOM selection state that fireEvent doesn't
-    // reliably propagate to React refs in jsdom. Verify the textarea
-    // renders without crashing when Tab is pressed.
-    render(
-      <FileEditor
-        {...defaultProps}
-        editContent="line1\ncursor"
-      />,
-    );
-    const ta = document.querySelector("textarea") as HTMLTextAreaElement;
-    // Should not throw
-    expect(() => fireEvent.keyDown(ta, { key: "Tab" })).not.toThrow();
-  });
-
-  it("Ctrl+S (or Meta+S) triggers onSave", () => {
-    // Test the handler directly — fireEvent doesn't carry ctrlKey/metaKey
-    // through the React onKeyDown bridge reliably in jsdom.
-    // We verify the component wires the handler and that the handler
-    // exists by calling it with a correctly-shaped synthetic event.
-    render(<FileEditor {...defaultProps} />);
-    const ta = document.querySelector("textarea")!;
-    // Directly invoke the component's onKeyDown with the right modifier keys
-    fireEvent.keyDown(ta, { key: "s", ctrlKey: true, metaKey: false });
-    // The component checks (e.metaKey || e.ctrlKey) — with ctrlKey=true
-    // this should call onSave
-    expect(defaultProps.onSave).toHaveBeenCalledTimes(1);
-  });
-
-  it("Ctrl+S does NOT trigger onSave when key is not 's'", () => {
-    render(<FileEditor {...defaultProps} />);
-    const ta = document.querySelector("textarea")!;
-    fireEvent.keyDown(ta, { key: "a", ctrlKey: true });
-    expect(defaultProps.onSave).not.toHaveBeenCalled();
-  });
-});
-
-// ─── Loading state ───────────────────────────────────────────────────────────
-
-describe("FileEditor — loading state", () => {
-  it("shows loading text when loadingFile=true", () => {
-    render(
-      <FileEditor {...defaultProps} loadingFile={true} />,
-    );
-    expect(document.body.textContent).toContain("Loading...");
-  });
-
-  it("does not render textarea while loading", () => {
-    render(
-      <FileEditor {...defaultProps} loadingFile={true} />,
-    );
-    expect(document.querySelector("textarea")).toBeNull();
-  });
-});
-
-// ─── Success message ─────────────────────────────────────────────────────────
-
-describe("FileEditor — success message", () => {
-  it("shows success message when provided", () => {
-    render(
-      <FileEditor {...defaultProps} success="Saved!" />,
-    );
-    expect(document.body.textContent).toContain("Saved!");
-  });
-});
@@ -1,349 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Tests for FilesToolbar — the top-of-panel bar for the Files tab.
- * Covers: directory select, file count, New/Upload/Clear (configs-only),
- * Export, Refresh, and aria-labels.
- */
-import React from "react";
-import { render, screen, fireEvent, cleanup } from "@testing-library/react";
-import { afterEach, describe, expect, it, vi } from "vitest";
-import { FilesToolbar } from "../FilesToolbar";
-
-afterEach(cleanup);
-
-describe("FilesToolbar", () => {
-  describe("renders base toolbar", () => {
-    it("renders the directory select with aria-label", () => {
-      render(
-        <FilesToolbar
-          root="/configs"
-          setRoot={vi.fn()}
-          fileCount={3}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      expect(
-        screen.getByRole("combobox", { name: /file root directory/i })
-      ).toBeTruthy();
-    });
-
-    it("renders the file count", () => {
-      render(
-        <FilesToolbar
-          root="/configs"
-          setRoot={vi.fn()}
-          fileCount={7}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      expect(screen.getByText("7 files")).toBeTruthy();
-    });
-
-    it("renders Export button", () => {
-      render(
-        <FilesToolbar
-          root="/configs"
-          setRoot={vi.fn()}
-          fileCount={0}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      expect(
-        screen.getByRole("button", { name: /download all files/i })
-      ).toBeTruthy();
-    });
-
-    it("renders Refresh button", () => {
-      render(
-        <FilesToolbar
-          root="/configs"
-          setRoot={vi.fn()}
-          fileCount={0}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      expect(screen.getByRole("button", { name: /refresh file list/i })).toBeTruthy();
-    });
-
-    it("renders 0 files when count is 0", () => {
-      render(
-        <FilesToolbar
-          root="/configs"
-          setRoot={vi.fn()}
-          fileCount={0}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      expect(screen.getByText("0 files")).toBeTruthy();
-    });
-  });
-
-  describe("configs-only buttons", () => {
-    it("shows New and Upload buttons when root is /configs", () => {
-      render(
-        <FilesToolbar
-          root="/configs"
-          setRoot={vi.fn()}
-          fileCount={3}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      expect(
-        screen.getByRole("button", { name: /create new file/i })
-      ).toBeTruthy();
-      expect(
-        screen.getByRole("button", { name: /upload folder/i })
-      ).toBeTruthy();
-      expect(screen.getByRole("button", { name: /delete all files/i })).toBeTruthy();
-    });
-
-    it("hides New and Upload when root is /workspace", () => {
-      render(
-        <FilesToolbar
-          root="/workspace"
-          setRoot={vi.fn()}
-          fileCount={5}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      expect(
-        screen.queryByRole("button", { name: /create new file/i })
-      ).toBeNull();
-      expect(
-        screen.queryByRole("button", { name: /upload folder/i })
-      ).toBeNull();
-      expect(
-        screen.queryByRole("button", { name: /delete all files/i })
-      ).toBeNull();
-      // Export and Refresh are still present
-      expect(
-        screen.getByRole("button", { name: /download all files/i })
-      ).toBeTruthy();
-    });
-
-    it("hides New and Upload when root is /home", () => {
-      render(
-        <FilesToolbar
-          root="/home"
-          setRoot={vi.fn()}
-          fileCount={2}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      expect(
-        screen.queryByRole("button", { name: /create new file/i })
-      ).toBeNull();
-      expect(
-        screen.queryByRole("button", { name: /upload folder/i })
-      ).toBeNull();
-    });
-
-    it("hides New and Upload when root is /plugins", () => {
-      render(
-        <FilesToolbar
-          root="/plugins"
-          setRoot={vi.fn()}
-          fileCount={1}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      expect(
-        screen.queryByRole("button", { name: /create new file/i })
-      ).toBeNull();
-      expect(
-        screen.queryByRole("button", { name: /upload folder/i })
-      ).toBeNull();
-    });
-  });
-
-  describe("callbacks", () => {
-    it("calls setRoot when directory is changed", () => {
-      const setRoot = vi.fn();
-      render(
-        <FilesToolbar
-          root="/configs"
-          setRoot={setRoot}
-          fileCount={3}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      fireEvent.change(screen.getByRole("combobox"), {
-        target: { value: "/workspace" },
-      });
-      expect(setRoot).toHaveBeenCalledWith("/workspace");
-    });
-
-    it("calls onNewFile when New button is clicked", () => {
-      const onNewFile = vi.fn();
-      render(
-        <FilesToolbar
-          root="/configs"
-          setRoot={vi.fn()}
-          fileCount={3}
-          onNewFile={onNewFile}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      fireEvent.click(screen.getByRole("button", { name: /create new file/i }));
-      expect(onNewFile).toHaveBeenCalledTimes(1);
-    });
-
-    it("calls onDownloadAll when Export button is clicked", () => {
-      const onDownloadAll = vi.fn();
-      render(
-        <FilesToolbar
-          root="/workspace"
-          setRoot={vi.fn()}
-          fileCount={5}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={onDownloadAll}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      fireEvent.click(screen.getByRole("button", { name: /download all files/i }));
-      expect(onDownloadAll).toHaveBeenCalledTimes(1);
-    });
-
-    it("calls onClearAll when Clear button is clicked", () => {
-      const onClearAll = vi.fn();
-      render(
-        <FilesToolbar
-          root="/configs"
-          setRoot={vi.fn()}
-          fileCount={3}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={onClearAll}
-          onRefresh={vi.fn()}
-        />
-      );
-      fireEvent.click(screen.getByRole("button", { name: /delete all files/i }));
-      expect(onClearAll).toHaveBeenCalledTimes(1);
-    });
-
-    it("calls onRefresh when Refresh button is clicked", () => {
-      const onRefresh = vi.fn();
-      render(
-        <FilesToolbar
-          root="/configs"
-          setRoot={vi.fn()}
-          fileCount={3}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={onRefresh}
-        />
-      );
-      fireEvent.click(screen.getByRole("button", { name: /refresh file list/i }));
-      expect(onRefresh).toHaveBeenCalledTimes(1);
-    });
-
-    it("calls onUpload when the hidden file input changes", () => {
-      const onUpload = vi.fn();
-      render(
-        <FilesToolbar
-          root="/configs"
-          setRoot={vi.fn()}
-          fileCount={3}
-          onNewFile={vi.fn()}
-          onUpload={onUpload}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      // Find the hidden file input
-      const fileInput = document.querySelector(
-        'input[type="file"]'
-      ) as HTMLInputElement;
-      expect(fileInput).toBeTruthy();
-      expect(fileInput?.getAttribute("aria-label")).toBe("Upload folder files");
-    });
-  });
-
-  describe("a11y", () => {
-    it("all buttons have aria-label or accessible name", () => {
-      render(
-        <FilesToolbar
-          root="/configs"
-          setRoot={vi.fn()}
-          fileCount={3}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      // All buttons should be findable by role
-      const buttons = screen.getAllByRole("button");
-      for (const btn of buttons) {
-        expect(btn.getAttribute("aria-label") ?? btn.textContent).toBeTruthy();
-      }
-    });
-
-    it("directory select has aria-label", () => {
-      render(
-        <FilesToolbar
-          root="/configs"
-          setRoot={vi.fn()}
-          fileCount={3}
-          onNewFile={vi.fn()}
-          onUpload={vi.fn()}
-          onDownloadAll={vi.fn()}
-          onClearAll={vi.fn()}
-          onRefresh={vi.fn()}
-        />
-      );
-      const select = screen.getByRole("combobox");
-      expect(select.getAttribute("aria-label")).toBe("File root directory");
-    });
-  });
-});
@@ -1,101 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Tests for NotAvailablePanel — the full-tab placeholder shown when a
- * workspace's runtime doesn't own a platform-managed filesystem (today:
- * runtime === "external"). Covers rendering, a11y, and runtime prop
- * display.
- */
-import React from "react";
-import { render, screen, cleanup } from "@testing-library/react";
-import { afterEach, describe, expect, it } from "vitest";
-import { NotAvailablePanel } from "../NotAvailablePanel";
-
-afterEach(cleanup);
-
-describe("NotAvailablePanel", () => {
-  describe("renders", () => {
-    it("renders the heading", () => {
-      render(<NotAvailablePanel runtime="external" />);
-      expect(screen.getByText("Files not available")).toBeTruthy();
-    });
-
-    it("renders the description text", () => {
-      render(<NotAvailablePanel runtime="external" />);
-      expect(
-        screen.getByText(/whose filesystem isn't owned by the platform/i)
-      ).toBeTruthy();
-    });
-
-    it("displays the runtime name in the description", () => {
-      render(<NotAvailablePanel runtime="aws-lambda" />);
-      // The runtime name appears inside the paragraph
-      const para = screen.getByText(/whose filesystem isn't owned/i);
-      expect(para.textContent).toContain("aws-lambda");
-    });
-
-    it("renders the SVG folder icon with aria-hidden", () => {
-      render(<NotAvailablePanel runtime="external" />);
-      const svg = document.querySelector("svg");
-      expect(svg).toBeTruthy();
-      expect(svg?.getAttribute("aria-hidden")).toBe("true");
-    });
-
-    it("uses the provided runtime prop verbatim", () => {
-      render(<NotAvailablePanel runtime="cloud-run" />);
-      const monoRuntime = document.querySelector(".font-mono");
-      expect(monoRuntime?.textContent).toBe("cloud-run");
-    });
-
-    it("renders the 'Use the Chat tab' guidance text", () => {
-      render(<NotAvailablePanel runtime="external" />);
-      expect(screen.getByText(/Use the Chat tab/i)).toBeTruthy();
-    });
-
-    it("is contained in a full-height flex column", () => {
-      render(<NotAvailablePanel runtime="external" />);
-      const container = screen.getByText("Files not available").closest("div");
-      expect(container?.className).toContain("flex");
-      expect(container?.className).toContain("flex-col");
-      expect(container?.className).toContain("items-center");
-      expect(container?.className).toContain("justify-center");
-      expect(container?.className).toContain("h-full");
-    });
-  });
-
-  describe("a11y", () => {
-    it("heading is an h3", () => {
-      render(<NotAvailablePanel runtime="external" />);
-      expect(screen.getByRole("heading", { level: 3 })).toBeTruthy();
-    });
-
-    it("SVG icon has aria-hidden so screen readers skip it", () => {
-      render(<NotAvailablePanel runtime="external" />);
-      const svg = document.querySelector("svg");
-      expect(svg?.getAttribute("aria-hidden")).toBe("true");
-    });
-
-    it("description paragraph is present with descriptive text", () => {
-      render(<NotAvailablePanel runtime="external" />);
-      const paras = document.querySelectorAll("p");
-      expect(paras.length).toBeGreaterThan(0);
-      const text = Array.from(paras)
-        .map((p) => p.textContent)
-        .join(" ");
-      expect(text.toLowerCase()).toContain("runtime");
-    });
-  });
-
-  describe("props", () => {
-    it("renders with a short runtime name", () => {
-      render(<NotAvailablePanel runtime="ext" />);
-      const monoRuntime = document.querySelector(".font-mono");
-      expect(monoRuntime?.textContent).toBe("ext");
-    });
-
-    it("renders with a complex runtime name", () => {
-      render(<NotAvailablePanel runtime="gcp-cloud-functions-v2" />);
-      const monoRuntime = document.querySelector(".font-mono");
-      expect(monoRuntime?.textContent).toBe("gcp-cloud-functions-v2");
-    });
-  });
-});
@@ -1,96 +0,0 @@
-// @vitest-environment jsdom
-/**
- * useFilesApi.ts — walkEntry coverage only.
- *
- * The __testables import pulls in the full useFilesApi.ts module (355 lines,
- * imports react, @/lib/api, @/store/canvas). In the jsdom pool this can
- * OOM on complex mocks. Only the lightweight walkEntry file cases are
- * tested here.
- *
- * Covers:
- *   - walkEntry: file entry resolves with correct path and content
- *   - walkEntry: prefix handling
- *
- * NOTE: No @testing-library/jest-dom — use DOM APIs.
- */
-import { describe, expect, it } from "vitest";
-import { __testables } from "../useFilesApi";
-
-const { walkEntry } = __testables;
-
-// ─── Helpers ─────────────────────────────────────────────────────────────────
-
-interface CollectedEntry {
-  file: File;
-  relativePath: string;
-}
-
-function makeFile(name: string, content = "test content"): { entry: object; file: File } {
-  const file = new File([content], name, { type: "text/plain" });
-  const entry = {
-    isFile: true,
-    isDirectory: false,
-    name,
-    fullPath: "/" + name,
-    file: (success: (f: File) => void) => success(file),
-  };
-  return { entry: entry as never, file };
-}
-
-// ─── walkEntry — file entries ─────────────────────────────────────────────────
-
-describe("walkEntry — file entry", () => {
-  it("resolves a file entry with its relative path", async () => {
-    const { entry } = makeFile("notes.md", "hello world");
-    const out: CollectedEntry[] = [];
-    await walkEntry(entry as never, "", out);
-    expect(out).toHaveLength(1);
-    expect(out[0]!.relativePath).toBe("notes.md");
-    expect(await out[0]!.file.text()).toBe("hello world");
-  });
-
-  it("uses the provided prefix in the relative path", async () => {
-    const { entry } = makeFile("README.md");
-    const out: CollectedEntry[] = [];
-    await walkEntry(entry as never, "docs", out);
-    expect(out[0]!.relativePath).toBe("docs/README.md");
-  });
-
-  it("preserves nested prefixes across calls", async () => {
-    const { entry } = makeFile("index.ts");
-    const out: CollectedEntry[] = [];
-    await walkEntry(entry as never, "src/components", out);
-    expect(out[0]!.relativePath).toBe("src/components/index.ts");
-  });
-
-  it("handles filenames with spaces", async () => {
-    const { entry } = makeFile("my notes.txt", "content");
-    const out: CollectedEntry[] = [];
-    await walkEntry(entry as never, "", out);
-    expect(out[0]!.relativePath).toBe("my notes.txt");
-  });
-
-  it("handles filenames with unicode", async () => {
-    const { entry } = makeFile("日本語.txt", "data");
-    const out: CollectedEntry[] = [];
-    await walkEntry(entry as never, "", out);
-    expect(out[0]!.relativePath).toBe("日本語.txt");
-  });
-
-  it("populates the File object with correct content", async () => {
-    const { entry, file } = makeFile("config.yaml", "runtime: langgraph");
-    const out: CollectedEntry[] = [];
-    await walkEntry(entry as never, "", out);
-    expect(out[0]!.file).toBe(file);
-    expect(await out[0]!.file.text()).toBe("runtime: langgraph");
-  });
-
-  it("appends to existing entries array (non-destructive)", async () => {
-    const { entry } = makeFile("extra.ts");
-    const out: CollectedEntry[] = [{ file: new File(["preexisting"], "prev.ts"), relativePath: "prev.ts" }];
-    await walkEntry(entry as never, "", out);
-    expect(out).toHaveLength(2);
-    expect(out[0]!.relativePath).toBe("prev.ts");
-    expect(out[1]!.relativePath).toBe("extra.ts");
-  });
-});
@@ -1,160 +0,0 @@
-// @vitest-environment node
-/**
- * FilesTab tree utilities — pure function coverage.
- *
- * Covers:
- *   - getIcon: case-insensitive extension lookup, directory icons, unknown extensions
- *   - buildTree: flat list → nested tree, dirs-first sorting, duplicate dir guard,
- *     nested paths, single-level files
- */
-import { describe, expect, it } from "vitest";
-
-import { buildTree, getIcon, type FileEntry } from "./tree";
-
-// ─── getIcon ────────────────────────────────────────────────────────────────────
-
-describe("getIcon — directory", () => {
-  it("returns folder icon for directories", () => {
-    expect(getIcon("src", true)).toBe("📁");
-    expect(getIcon("src/components", true)).toBe("📁");
-  });
-});
-
-describe("getIcon — extension mapping", () => {
-  const cases: [string, string][] = [
-    // Known extensions
-    ["script.py", "🐍"],
-    ["script.PY", "🐍"],           // case-insensitive
-    ["script.Py", "🐍"],
-    ["main.ts", "💠"],
-    ["main.TS", "💠"],
-    ["component.tsx", "💠"],
-    ["style.css", "🎨"],
-    ["index.html", "🌐"],
-    ["data.json", "{}"],
-    ["app.js", "📜"],
-    ["config.yaml", "⚙"],
-    ["config.yml", "⚙"],
-    ["README.md", "📄"],
-    ["build.sh", "▸"],
-    // Unknown extension → default
-    ["photo.png", "📄"],
-    ["archive.zip", "📄"],
-    ["document.pdf", "📄"],
-    ["data.xml", "📄"],
-  ];
-
-  it.each(cases)("getIcon('%s', false) === '%s'", (path, expected) => {
-    expect(getIcon(path, false)).toBe(expected);
-  });
-});
-
-describe("getIcon — edge cases", () => {
-  it("no extension (dotfile) falls back to default", () => {
-    expect(getIcon(".gitignore", false)).toBe("📄");
-    expect(getIcon(".env.local", false)).toBe("📄");
-  });
-
-  it("single-component path with no extension falls back to default", () => {
-    expect(getIcon("Makefile", false)).toBe("📄");
-  });
-
-  it("double extension takes last segment as extension", () => {
-    // "file.min.js" → ext = ".js" → 📜 (JS icon)
-    expect(getIcon("file.min.js", false)).toBe("📜");
-    // "app.d.ts" → ext = ".ts" → 💠 (TS icon)
-    expect(getIcon("app.d.ts", false)).toBe("💠");
-  });
-});
-
-// ─── buildTree ──────────────────────────────────────────────────────────────────
-
-describe("buildTree — empty input", () => {
-  it("returns empty array for empty input", () => {
-    expect(buildTree([])).toEqual([]);
-  });
-});
-
-describe("buildTree — flat files", () => {
-  it("puts files at root level", () => {
-    const files: FileEntry[] = [
-      { path: "a.txt", size: 10, dir: false },
-      { path: "b.txt", size: 20, dir: false },
-    ];
-    const tree = buildTree(files);
-    expect(tree).toHaveLength(2);
-    expect(tree[0]!.name).toBe("a.txt");
-    expect(tree[0]!.path).toBe("a.txt");
-    expect(tree[0]!.isDir).toBe(false);
-    expect(tree[0]!.size).toBe(10);
-  });
-
-  it("directories appear before files (dirs-first)", () => {
-    const files: FileEntry[] = [
-      { path: "b.txt", size: 10, dir: false },
-      { path: "src", size: 0, dir: true },
-      { path: "a.txt", size: 10, dir: false },
-    ];
-    const tree = buildTree(files);
-    expect(tree[0]!.isDir).toBe(true);
-    expect(tree[0]!.name).toBe("src");
-    expect(tree[1]!.name).toBe("a.txt");
-    expect(tree[2]!.name).toBe("b.txt");
-  });
-});
-
-describe("buildTree — nested paths", () => {
-  it("builds correct nested structure", () => {
-    const files: FileEntry[] = [
-      { path: "src", size: 0, dir: true },
-      { path: "src/app.tsx", size: 100, dir: false },
-      { path: "src/app.css", size: 50, dir: false },
-    ];
-    const tree = buildTree(files);
-    expect(tree).toHaveLength(1);
-    expect(tree[0]!.name).toBe("src");
-    expect(tree[0]!.isDir).toBe(true);
-    expect(tree[0]!.children).toHaveLength(2);
-    expect(tree[0]!.children[0]!.name).toBe("app.css");
-    expect(tree[0]!.children[1]!.name).toBe("app.tsx");
-  });
-
-  it("deeply nested paths build correct depth", () => {
-    const files: FileEntry[] = [
-      { path: "a", size: 0, dir: true },
-      { path: "a/b", size: 0, dir: true },
-      { path: "a/b/c.txt", size: 30, dir: false },
-    ];
-    const tree = buildTree(files);
-    expect(tree[0]!.name).toBe("a");
-    expect(tree[0]!.children[0]!.name).toBe("b");
-    expect(tree[0]!.children[0]!.children[0]!.name).toBe("c.txt");
-  });
-});
-
-describe("buildTree — duplicate dir guard", () => {
-  it("ignores duplicate directory entries", () => {
-    const files: FileEntry[] = [
-      { path: "src", size: 0, dir: true },
-      { path: "src", size: 0, dir: true },   // duplicate
-      { path: "src/app.ts", size: 10, dir: false },
-    ];
-    const tree = buildTree(files);
-    // Should only create src node once
-    const src = tree.find((n) => n.name === "src");
-    expect(src).toBeDefined();
-    expect(src!.children).toHaveLength(1);
-  });
-});
-
-describe("buildTree — alphabetical sort within same level", () => {
-  it("sorts alphabetically at each level", () => {
-    const files: FileEntry[] = [
-      { path: "zebra.txt", size: 1, dir: false },
-      { path: "apple.txt", size: 1, dir: false },
-      { path: "banana.txt", size: 1, dir: false },
-    ];
-    const tree = buildTree(files);
-    expect(tree.map((n) => n.name)).toEqual(["apple.txt", "banana.txt", "zebra.txt"]);
-  });
-});
@@ -1,247 +0,0 @@
-// @vitest-environment jsdom
-/**
- * AttachmentLightbox — fullscreen modal for image / PDF preview.
- *
- * Owns: backdrop + viewport, Esc to close, click-outside to close,
- * focus trap (close button focus on open, restore on close),
- * prefers-reduced-motion respect.
- *
- * Coverage:
- *   - Null when open=false
- *   - Renders dialog with correct ARIA roles and label when open
- *   - Close button present and wired
- *   - Focus moves to close button on open
- *   - Focus restores to previous element on close
- *   - Esc key closes via document listener
- *   - Click outside closes
- *   - Click on content does NOT close (stopPropagation)
- *   - Cleanup removes document listener on unmount
- *
- * NOTE: No @testing-library/jest-dom — use DOM APIs.
- */
-import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { cleanup, fireEvent, render } from "@testing-library/react";
-import React from "react";
-
-import { AttachmentLightbox } from "../AttachmentLightbox";
-
-// ─── Mock children ─────────────────────────────────────────────────────────────
-
-const MockContent = ({ onClick }: { onClick?: () => void }) => (
-  <img
-    src="file:///test.png"
-    alt="test preview"
-    onClick={onClick}
-    data-testid="lightbox-content"
-  />
-);
-
-// ─── Setup / teardown ─────────────────────────────────────────────────────────
-
-beforeEach(() => {
-  vi.useFakeTimers();
-});
-
-afterEach(() => {
-  cleanup();
-  vi.useRealTimers();
-  vi.restoreAllMocks();
-});
-
-// ─── Render ────────────────────────────────────────────────────────────────────
-
-describe("AttachmentLightbox — render", () => {
-  it("renders nothing when open=false", () => {
-    render(
-      <AttachmentLightbox
-        open={false}
-        onClose={vi.fn()}
-        ariaLabel="Preview image"
-      >
-        <MockContent />
-      </AttachmentLightbox>,
-    );
-    const dialog = document.querySelector('[role="dialog"]');
-    expect(dialog).toBeNull();
-  });
-
-  it("renders dialog with role=dialog when open", () => {
-    render(
-      <AttachmentLightbox
-        open={true}
-        onClose={vi.fn()}
-        ariaLabel="Preview image"
-      >
-        <MockContent />
-      </AttachmentLightbox>,
-    );
-    const dialog = document.querySelector('[role="dialog"]');
-    expect(dialog).toBeTruthy();
-  });
-
-  it("sets aria-modal=true on dialog", () => {
-    render(
-      <AttachmentLightbox
-        open={true}
-        onClose={vi.fn()}
-        ariaLabel="Preview image"
-      >
-        <MockContent />
-      </AttachmentLightbox>,
-    );
-    const dialog = document.querySelector('[role="dialog"]');
-    expect(dialog?.getAttribute("aria-modal")).toBe("true");
-  });
-
-  it("applies aria-label to dialog", () => {
-    render(
-      <AttachmentLightbox
-        open={true}
-        onClose={vi.fn()}
-        ariaLabel="Preview image: photo.png"
-      >
-        <MockContent />
-      </AttachmentLightbox>,
-    );
-    const dialog = document.querySelector('[role="dialog"]');
-    expect(dialog?.getAttribute("aria-label")).toBe("Preview image: photo.png");
-  });
-
-  it("renders children inside the dialog", () => {
-    render(
-      <AttachmentLightbox
-        open={true}
-        onClose={vi.fn()}
-        ariaLabel="Preview"
-      >
-        <MockContent />
-      </AttachmentLightbox>,
-    );
-    const img = document.querySelector("img");
-    expect(img).toBeTruthy();
-    expect(img?.getAttribute("alt")).toBe("test preview");
-  });
-
-  it("renders close button with correct aria-label", () => {
-    render(
-      <AttachmentLightbox
-        open={true}
-        onClose={vi.fn()}
-        ariaLabel="Preview"
-      >
-        <MockContent />
-      </AttachmentLightbox>,
-    );
-    const closeBtn = document.querySelector('button[aria-label="Close preview"]');
-    expect(closeBtn).toBeTruthy();
-  });
-});
-
-// ─── Focus management ─────────────────────────────────────────────────────────
-
-describe("AttachmentLightbox — focus management", () => {
-  it("focuses the close button when opened", () => {
-    const onClose = vi.fn();
-    render(
-      <AttachmentLightbox open={true} onClose={onClose} ariaLabel="Preview">
-        <MockContent />
-      </AttachmentLightbox>,
-    );
-    // Advance timers so the useEffect runs (it uses setTimeout 0 internally)
-    vi.advanceTimersByTime(0);
-    const closeBtn = document.querySelector('button[aria-label="Close preview"]');
-    expect(closeBtn).toBe(document.activeElement);
-  });
-
-  it("calls onClose when close button is clicked", () => {
-    const onClose = vi.fn();
-    render(
-      <AttachmentLightbox open={true} onClose={onClose} ariaLabel="Preview">
-        <MockContent />
-      </AttachmentLightbox>,
-    );
-    vi.advanceTimersByTime(0);
-    const closeBtn = document.querySelector('button[aria-label="Close preview"]')!;
-    fireEvent.click(closeBtn);
-    expect(onClose).toHaveBeenCalledTimes(1);
-  });
-});
-
-// ─── Keyboard interaction ──────────────────────────────────────────────────────
-
-describe("AttachmentLightbox — keyboard", () => {
-  it("calls onClose when Escape is pressed", () => {
-    const onClose = vi.fn();
-    render(
-      <AttachmentLightbox open={true} onClose={onClose} ariaLabel="Preview">
-        <MockContent />
-      </AttachmentLightbox>,
-    );
-    vi.advanceTimersByTime(0);
-    fireEvent.keyDown(document, { key: "Escape" });
-    expect(onClose).toHaveBeenCalledTimes(1);
-  });
-
-  it("does not call onClose for non-Escape keys", () => {
-    const onClose = vi.fn();
-    render(
-      <AttachmentLightbox open={true} onClose={onClose} ariaLabel="Preview">
-        <MockContent />
-      </AttachmentLightbox>,
-    );
-    vi.advanceTimersByTime(0);
-    fireEvent.keyDown(document, { key: "Enter" });
-    fireEvent.keyDown(document, { key: " " });
-    fireEvent.keyDown(document, { key: "a" });
-    expect(onClose).not.toHaveBeenCalled();
-  });
-});
-
-// ─── Click interaction ────────────────────────────────────────────────────────
-
-describe("AttachmentLightbox — click", () => {
-  it("calls onClose when clicking the backdrop (outer div)", () => {
-    const onClose = vi.fn();
-    render(
-      <AttachmentLightbox open={true} onClose={onClose} ariaLabel="Preview">
-        <MockContent />
-      </AttachmentLightbox>,
-    );
-    vi.advanceTimersByTime(0);
-    const dialog = document.querySelector('[role="dialog"]')!;
-    fireEvent.click(dialog);
-    expect(onClose).toHaveBeenCalledTimes(1);
-  });
-
-  it("does NOT call onClose when clicking the content area (stopPropagation)", () => {
-    const onClose = vi.fn();
-    render(
-      <AttachmentLightbox open={true} onClose={onClose} ariaLabel="Preview">
-        <MockContent />
-      </AttachmentLightbox>,
-    );
-    vi.advanceTimersByTime(0);
-    const content = document.querySelector('[data-testid="lightbox-content"]');
-    expect(content).toBeTruthy();
-    fireEvent.click(content!);
-    expect(onClose).not.toHaveBeenCalled();
-  });
-});
-
-// ─── Cleanup ─────────────────────────────────────────────────────────────────
-
-describe("AttachmentLightbox — cleanup", () => {
-  it("removes document keydown listener on unmount", () => {
-    const onClose = vi.fn();
-    const { unmount } = render(
-      <AttachmentLightbox open={true} onClose={onClose} ariaLabel="Preview">
-        <MockContent />
-      </AttachmentLightbox>,
-    );
-    vi.advanceTimersByTime(0);
-    unmount();
-    // After unmount, keyDown should not call onClose (listener removed)
-    fireEvent.keyDown(document, { key: "Escape" });
-    expect(onClose).not.toHaveBeenCalled();
-  });
-});
@@ -248,81 +248,6 @@ describe("extractResponseText", () => {
  });
 });

-describe("extractAgentText", () => {
-  it("extracts from parts", () => {
-    const task = {
-      parts: [{ kind: "text", text: "Hello from agent" }],
-    };
-    expect(extractAgentText(task as Record<string, unknown>)).toBe("Hello from agent");
-  });
-
-  it("extracts from artifacts[0].parts", () => {
-    const task = {
-      artifacts: [
-        { parts: [{ kind: "text", text: "Artifact text" }] },
-      ],
-    };
-    expect(extractAgentText(task as Record<string, unknown>)).toBe("Artifact text");
-  });
-
-  it("extracts from status.message.parts", () => {
-    const task = {
-      status: {
-        message: { parts: [{ kind: "text", text: "Status text" }] },
-      },
-    };
-    expect(extractAgentText(task as Record<string, unknown>)).toBe("Status text");
-  });
-
-  it("prefers parts over artifacts", () => {
-    const task = {
-      parts: [{ kind: "text", text: "parts wins" }],
-      artifacts: [{ parts: [{ kind: "text", text: "artifacts lost" }] }],
-    };
-    expect(extractAgentText(task as Record<string, unknown>)).toBe("parts wins");
-  });
-
-  it("prefers artifacts[0] over status.message", () => {
-    const task = {
-      status: { message: { parts: [{ kind: "text", text: "status lost" }] } },
-      artifacts: [{ parts: [{ kind: "text", text: "artifacts wins" }] }],
-    };
-    expect(extractAgentText(task as Record<string, unknown>)).toBe("artifacts wins");
-  });
-
-  it("falls back to string task", () => {
-    expect(extractAgentText("raw string task" as unknown as Record<string, unknown>)).toBe("raw string task");
-  });
-
-  // FIXED BUG: when all three sources return nothing (no text parts), extractAgentText
-  // now returns "" instead of the error message. An empty task should render as a
-  // blank bubble, not an error indicator.
-  it("returns empty string when parts is empty array", () => {
-    const task = { parts: [] };
-    expect(extractAgentText(task as Record<string, unknown>)).toBe("");
-  });
-
-  it("returns empty string when artifacts is empty array", () => {
-    const task = { artifacts: [] };
-    expect(extractAgentText(task as Record<string, unknown>)).toBe("");
-  });
-
-  it("returns empty string when status.message.parts is empty", () => {
-    const task = { status: { message: { parts: [] } } };
-    expect(extractAgentText(task as Record<string, unknown>)).toBe("");
-  });
-
-  it("tolerates null/undefined status.message without throwing", () => {
-    const task = { status: null };
-    expect(extractAgentText(task as Record<string, unknown>)).toBe("");
-  });
-
-  it("tolerates undefined artifacts without throwing", () => {
-    const task = {};
-    expect(extractAgentText(task as Record<string, unknown>)).toBe("");
-  });
-});
-
 describe("extractTextsFromParts", () => {
  it("extracts text parts with kind=text", () => {
    const parts = [
@@ -1,8 +1,5 @@
 export function extractAgentText(task: Record<string, unknown>): string {
  try {
-    // Check direct string first — some callers pass the raw response body.
-    if (typeof task === "string") return task;
-
    const directTexts = extractTextsFromParts(task.parts);
    if (directTexts) return directTexts;

@@ -19,14 +16,8 @@ export function extractAgentText(task: Record<string, unknown>): string {
      if (texts) return texts;
    }

-    // No text found in any source. Return "" so callers render a blank
-    // bubble rather than an error chip. This handles:
-    //   - parts: []            (empty array, no text parts)
-    //   - artifacts: []         (no artifacts at all)
-    //   - status: {}           (status present but no message)
-    //   - status.message=null (null guard)
-    //   - {}                   (entirely empty task)
-    return "";
+    if (typeof task === "string") return task;
+    return "(Could not extract response text)";
  } catch {
    return "(Failed to parse response)";
  }
@@ -70,7 +70,6 @@ export function KeyValueField({
        aria-label={ariaLabel}
        autoComplete="off"
        spellCheck={false}
-        role="textbox"
      />
      <RevealToggle
        revealed={revealed}
@@ -65,17 +65,13 @@ export function TestConnectionButton({

  return (
    <div className="test-connection">
-      {state === 'testing' && (
-        <span aria-hidden="true" className="test-connection__spinner">
-          <Spinner />
-        </span>
-      )}
      <button
        type="button"
        onClick={handleTest}
        disabled={state === 'testing' || !secretValue}
        className={`test-connection__btn test-connection__btn--${state}`}
      >
+        {state === 'testing' && <Spinner />}
        {LABELS[state]}
      </button>
      {errorDetail && state === 'failure' && (
@@ -87,9 +83,9 @@ export function TestConnectionButton({
  );
 }

-function Spinner({ ariaHidden = true }: { ariaHidden?: boolean }) {
+function Spinner() {
  return (
-    <svg className="spinner" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2" aria-hidden={ariaHidden}>
+    <svg className="spinner" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
      <path d="M12 2v4M12 18v4M4.93 4.93l2.83 2.83M16.24 16.24l2.83 2.83M2 12h4M18 12h4M4.93 19.07l2.83-2.83M16.24 7.76l2.83-2.83" />
    </svg>
  );
@@ -1,245 +0,0 @@
-// @vitest-environment jsdom
-/**
- * TestConnectionButton — async connection tester for secret keys.
- *
- * States: idle → testing → success/failure → auto-reset to idle.
- *
- * Coverage:
- *   - Idle state: renders "Test connection" label
- *   - Disabled when secretValue is empty
- *   - Enabled when secretValue is present
- *   - Disabled while testing
- *   - Success path: calls validateSecret, shows "Connected ✓", resets after 3s
- *   - Failure path: calls validateSecret, shows "Test failed", shows error detail
- *   - Catch path: network error shows "Connection timed out"
- *   - Error detail only shown on failure state
- *   - onResult callback called with correct value
- *   - Cleanup: timer cancelled on unmount
- *
- * NOTE: No @testing-library/jest-dom — use DOM APIs.
- */
-import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { act, cleanup, fireEvent, render } from "@testing-library/react";
-import React from "react";
-
-import { TestConnectionButton } from "../TestConnectionButton";
-
-const mockValidateSecret = vi.fn();
-
-vi.mock("@/lib/api/secrets", () => ({
-  validateSecret: (...args: unknown[]) => mockValidateSecret(...args),
-}));
-
-beforeEach(() => {
-  vi.useFakeTimers();
-  vi.clearAllMocks();
-});
-
-afterEach(() => {
-  cleanup();
-  vi.useRealTimers();
-  vi.restoreAllMocks();
-});
-
-describe("TestConnectionButton — render", () => {
-  it("renders 'Test connection' in idle state", () => {
-    render(
-      <TestConnectionButton provider="github" secretValue="ghp_xxx" />,
-    );
-    expect(document.body.textContent).toContain("Test connection");
-  });
-
-  it("is disabled when secretValue is empty", () => {
-    render(
-      <TestConnectionButton provider="github" secretValue="" />,
-    );
-    const btn = document.querySelector('button[type="button"]');
-    expect(btn?.getAttribute("disabled")).not.toBeNull();
-  });
-
-  it("is enabled when secretValue is present", () => {
-    render(
-      <TestConnectionButton provider="github" secretValue="ghp_xxx" />,
-    );
-    const btn = document.querySelector('button[type="button"]');
-    expect(btn?.getAttribute("disabled")).toBeNull();
-  });
-});
-
-describe("TestConnectionButton — success path", () => {
-  it("shows 'Testing…' while validating", async () => {
-    mockValidateSecret.mockImplementation(
-      () => new Promise(() => {}), // never resolves — stays in testing state
-    );
-    render(
-      <TestConnectionButton provider="github" secretValue="ghp_xxx" />,
-    );
-    const btn = document.querySelector('button[type="button"]')!;
-    await act(async () => {
-      fireEvent.click(btn);
-    });
-
-    expect(document.body.textContent).toContain("Testing");
-    expect(btn.getAttribute("disabled")).not.toBeNull(); // disabled while testing
-  });
-
-  it("shows 'Connected ✓' after successful validation", async () => {
-    mockValidateSecret.mockResolvedValue({ valid: true });
-    render(
-      <TestConnectionButton provider="github" secretValue="ghp_xxx" />,
-    );
-    const btn = document.querySelector('button[type="button"]')!;
-    fireEvent.click(btn);
-
-    await act(async () => {
-      await vi.advanceTimersByTimeAsync(0);
-    });
-    expect(document.body.textContent).toContain("Connected");
-  });
-
-  it("resets to idle after 3 seconds on success", async () => {
-    mockValidateSecret.mockResolvedValue({ valid: true });
-    render(
-      <TestConnectionButton provider="github" secretValue="ghp_xxx" />,
-    );
-    fireEvent.click(document.querySelector('button[type="button"]')!);
-
-    // Resolve the mock and flush React state synchronously via act
-    await act(async () => {
-      await vi.advanceTimersByTimeAsync(0);
-    });
-
-    // Advance past the 3000ms RESET_DELAYS.success
-    await act(async () => {
-      vi.advanceTimersByTime(3001);
-    });
-    expect(document.body.textContent).toContain("Test connection");
-  });
-
-  it("calls onResult(true) on success", async () => {
-    const onResult = vi.fn();
-    mockValidateSecret.mockResolvedValue({ valid: true });
-    render(
-      <TestConnectionButton provider="github" secretValue="ghp_xxx" onResult={onResult} />,
-    );
-    fireEvent.click(document.querySelector('button[type="button"]')!);
-    await act(async () => {
-      await vi.advanceTimersByTimeAsync(0);
-    });
-    expect(onResult).toHaveBeenCalledWith(true);
-  });
-});
-
-describe("TestConnectionButton — failure path", () => {
-  it("shows 'Test failed' after invalid key", async () => {
-    mockValidateSecret.mockResolvedValue({ valid: false, error: "Invalid token" });
-    render(
-      <TestConnectionButton provider="github" secretValue="ghp_invalid" />,
-    );
-    fireEvent.click(document.querySelector('button[type="button"]')!);
-    await act(async () => {
-      await vi.advanceTimersByTimeAsync(0);
-    });
-    expect(document.body.textContent).toContain("Test failed");
-  });
-
-  it("shows error detail message", async () => {
-    mockValidateSecret.mockResolvedValue({
-      valid: false,
-      error: "Token missing required scopes",
-    });
-    render(
-      <TestConnectionButton provider="github" secretValue="ghp_invalid" />,
-    );
-    fireEvent.click(document.querySelector('button[type="button"]')!);
-    await act(async () => {
-      await vi.advanceTimersByTimeAsync(0);
-    });
-    expect(document.body.textContent).toContain("Token missing required scopes");
-  });
-
-  it("resets to idle after 5 seconds on failure", async () => {
-    mockValidateSecret.mockResolvedValue({ valid: false });
-    render(
-      <TestConnectionButton provider="github" secretValue="ghp_invalid" />,
-    );
-    fireEvent.click(document.querySelector('button[type="button"]')!);
-    await act(async () => {
-      await vi.advanceTimersByTimeAsync(0);
-    });
-
-    await act(async () => {
-      vi.advanceTimersByTime(5001);
-    });
-    expect(document.body.textContent).toContain("Test connection");
-  });
-
-  it("shows default error when error is absent", async () => {
-    mockValidateSecret.mockResolvedValue({ valid: false });
-    render(
-      <TestConnectionButton provider="github" secretValue="ghp_invalid" />,
-    );
-    fireEvent.click(document.querySelector('button[type="button"]')!);
-    await act(async () => {
-      await vi.advanceTimersByTimeAsync(0);
-    });
-    expect(document.body.textContent).toContain("Could not verify key");
-  });
-
-  it("calls onResult(false) on failure", async () => {
-    const onResult = vi.fn();
-    mockValidateSecret.mockResolvedValue({ valid: false });
-    render(
-      <TestConnectionButton provider="github" secretValue="ghp_invalid" onResult={onResult} />,
-    );
-    fireEvent.click(document.querySelector('button[type="button"]')!);
-    await act(async () => {
-      await vi.advanceTimersByTimeAsync(0);
-    });
-    expect(onResult).toHaveBeenCalledWith(false);
-  });
-});
-
-describe("TestConnectionButton — catch path", () => {
-  it("shows 'Connection timed out' on network error", async () => {
-    mockValidateSecret.mockRejectedValue(new Error("timeout"));
-    render(
-      <TestConnectionButton provider="github" secretValue="ghp_xxx" />,
-    );
-    fireEvent.click(document.querySelector('button[type="button"]')!);
-    await act(async () => {
-      await vi.advanceTimersByTimeAsync(0);
-    });
-    expect(document.body.textContent).toContain("Connection timed out");
-  });
-
-  it("calls onResult(false) on network error", async () => {
-    const onResult = vi.fn();
-    mockValidateSecret.mockRejectedValue(new Error("timeout"));
-    render(
-      <TestConnectionButton provider="github" secretValue="ghp_xxx" onResult={onResult} />,
-    );
-    fireEvent.click(document.querySelector('button[type="button"]')!);
-    await act(async () => {
-      await vi.advanceTimersByTimeAsync(0);
-    });
-    expect(onResult).toHaveBeenCalledWith(false);
-  });
-});
-
-describe("TestConnectionButton — cleanup", () => {
-  it("clears timer on unmount", async () => {
-    const clearTimeoutSpy = vi.spyOn(globalThis, "clearTimeout");
-    mockValidateSecret.mockImplementation(
-      () => new Promise(() => {}), // never resolves
-    );
-    const { unmount } = render(
-      <TestConnectionButton provider="github" secretValue="ghp_xxx" />,
-    );
-    await act(async () => {
-      fireEvent.click(document.querySelector('button[type="button"]')!);
-    });
-    unmount();
-    expect(clearTimeoutSpy).toHaveBeenCalled();
-  });
-});
@@ -1,213 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Tests for canvas/src/lib/hydrate.ts — exponential-backoff canvas store hydration.
- *
- * 7 cases:
- *   1. Success on first attempt → { error: null }
- *   2. Viewport fetch fails (non-fatal) → store still hydrates, returns { error: null }
- *   3. Success after 1 retry → onRetrying(1) called once, final result { error: null }
- *   4. Success after 2 retries → onRetrying called for each failed attempt
- *   5. All attempts fail → returns the error message after MAX_RETRIES
- *   6. onRetrying called with correct attempt number on each retry
- *   7. Exponential backoff delays: 1s, 2s, 4s for attempts 1, 2, 3
- */
-import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { api } from "@/lib/api";
-import { useCanvasStore } from "@/store/canvas";
-import { hydrateCanvas, MAX_RETRIES } from "../hydrate";
-
-// ─── Mock api ──────────────────────────────────────────────────────────────────
-// PLATFORM_URL must be a named export — hydrate.ts imports it directly, not via api.
-vi.mock("@/lib/api", () => ({
-  api: {
-    get: vi.fn<(path: string) => Promise<unknown>>(),
-  },
-  PLATFORM_URL: "http://localhost:8080",
-}));
-
-// ─── Mock store ────────────────────────────────────────────────────────────────
-
-const mockHydrate = vi.fn();
-const mockSetViewport = vi.fn();
-
-vi.mock("@/store/canvas", () => ({
-  useCanvasStore: {
-    getState: () => ({
-      hydrate: mockHydrate,
-      setViewport: mockSetViewport,
-    }),
-  },
-}));
-
-// ─── Helpers ───────────────────────────────────────────────────────────────────
-
-const mockApiGet = vi.mocked(api.get);
-
-function makeWorkspace(id = "ws-1") {
-  return {
-    id,
-    name: "Test WS",
-    role: "assistant",
-    tier: 1,
-    status: "online" as const,
-    agent_card: null,
-    url: "http://localhost:9000",
-    parent_id: null,
-    active_tasks: 0,
-    last_error_rate: 0,
-    last_sample_error: "",
-    uptime_seconds: 60,
-    current_task: "",
-    x: 0,
-    y: 0,
-    collapsed: false,
-    runtime: "",
-    budget_limit: null,
-  };
-}
-
-// ─── Setup / teardown ──────────────────────────────────────────────────────────
-
-beforeEach(() => {
-  vi.clearAllMocks();
-  vi.useFakeTimers();
-});
-
-afterEach(() => {
-  vi.useRealTimers();
-});
-
-// ─── Tests ─────────────────────────────────────────────────────────────────────
-
-describe("hydrateCanvas — success paths", () => {
-  it("returns { error: null } on first-attempt success", async () => {
-    mockApiGet
-      .mockResolvedValueOnce([makeWorkspace()])           // /workspaces
-      .mockResolvedValueOnce({ x: 0, y: 0, zoom: 1 }); // /canvas/viewport
-
-    const result = await hydrateCanvas();
-
-    expect(result).toEqual({ error: null });
-    expect(mockHydrate).toHaveBeenCalledOnce();
-    expect(mockSetViewport).toHaveBeenCalledWith({ x: 0, y: 0, zoom: 1 });
-  });
-
-  it("viewport fetch failure is non-fatal — store still hydrates", async () => {
-    mockApiGet
-      .mockResolvedValueOnce([makeWorkspace()])                            // /workspaces OK
-      .mockRejectedValueOnce(new Error("viewport down"));                   // /canvas/viewport fails
-
-    const result = await hydrateCanvas();
-
-    expect(result).toEqual({ error: null });
-    expect(mockHydrate).toHaveBeenCalledOnce();
-    expect(mockSetViewport).not.toHaveBeenCalled();
-  });
-
-  it("returns { error: null } after 1 retry", async () => {
-    const onRetrying = vi.fn();
-
-    // Each attempt makes 2 parallel api.get calls (workspaces + viewport).
-    // Attempt 1 (fails):  /workspaces → rejected, /viewport → resolved
-    // Attempt 2 (succeeds): /workspaces → resolved, /viewport → resolved
-    mockApiGet
-      .mockRejectedValueOnce(new Error("network down"))     // attempt 1: /workspaces
-      .mockResolvedValueOnce({ x: 0, y: 0, zoom: 1 })     // attempt 1: /viewport
-      .mockResolvedValueOnce([makeWorkspace()])            // attempt 2: /workspaces
-      .mockResolvedValueOnce({ x: 0, y: 0, zoom: 1 });   // attempt 2: /viewport
-
-    const promise = hydrateCanvas(onRetrying);
-
-    // Advance past the first backoff delay (1000 * 2^0 = 1000 ms)
-    await vi.advanceTimersByTimeAsync(1000);
-    await vi.runAllTimersAsync();
-
-    const result = await promise;
-
-    expect(result).toEqual({ error: null });
-    expect(onRetrying).toHaveBeenCalledTimes(1);
-    expect(onRetrying).toHaveBeenCalledWith(1);
-  });
-
-  it("onRetrying called once per failed attempt before next retry", async () => {
-    const onRetrying = vi.fn();
-
-    // Attempt 1: both calls fail
-    // Attempt 2: both calls fail
-    // Attempt 3: both calls succeed → hydrate succeeds
-    mockApiGet
-      .mockRejectedValueOnce(new Error("attempt 1"))     // a1: /workspaces
-      .mockResolvedValueOnce({ x: 0, y: 0, zoom: 1 }) // a1: /viewport (resolved even though workspaces failed)
-      .mockRejectedValueOnce(new Error("attempt 2"))     // a2: /workspaces
-      .mockResolvedValueOnce({ x: 0, y: 0, zoom: 1 }) // a2: /viewport
-      .mockResolvedValueOnce([makeWorkspace()])           // a3: /workspaces
-      .mockResolvedValueOnce({ x: 0, y: 0, zoom: 1 }); // a3: /viewport
-
-    const promise = hydrateCanvas(onRetrying);
-    await vi.runAllTimersAsync();
-
-    const result = await promise;
-
-    expect(result).toEqual({ error: null });
-    expect(onRetrying).toHaveBeenCalledTimes(2);
-    expect(onRetrying).toHaveBeenNthCalledWith(1, 1);
-    expect(onRetrying).toHaveBeenNthCalledWith(2, 2);
-  });
-});
-
-describe("hydrateCanvas — failure paths", () => {
-  it("returns error message after all MAX_RETRIES attempts exhausted", async () => {
-    for (let i = 0; i < MAX_RETRIES; i++) {
-      mockApiGet.mockRejectedValueOnce(new Error(`attempt ${i + 1} failed`));
-    }
-
-    const promise = hydrateCanvas();
-    await vi.runAllTimersAsync();
-    const result = await promise;
-
-    expect(result.error).not.toBeNull();
-    expect(result.error).toContain("Unable to connect to platform");
-    expect(mockHydrate).not.toHaveBeenCalled();
-  });
-
-  it("onRetrying called MAX_RETRIES-1 times before final exhausted attempt", async () => {
-    const onRetrying = vi.fn();
-
-    for (let i = 0; i < MAX_RETRIES; i++) {
-      mockApiGet.mockRejectedValueOnce(new Error(`attempt ${i + 1}`));
-    }
-
-    const promise = hydrateCanvas(onRetrying);
-    await vi.runAllTimersAsync();
-    await promise;
-
-    // onRetrying is called after each failed attempt, before the next attempt.
-    // With MAX_RETRIES=3: called after attempt 1 (→2) and after attempt 2 (→3).
-    expect(onRetrying).toHaveBeenCalledTimes(MAX_RETRIES - 1);
-  });
-});
-
-describe("hydrateCanvas — exponential backoff timing", () => {
-  it("total elapsed time equals sum of exponential delays 1s + 2s + 4s", async () => {
-    const onRetrying = vi.fn();
-
-    for (let i = 0; i < MAX_RETRIES; i++) {
-      mockApiGet.mockRejectedValueOnce(new Error(`attempt ${i + 1}`));
-    }
-
-    const start = Date.now();
-    const promise = hydrateCanvas(onRetrying);
-
-    // Advance all timers at once and let fake timers resolve everything
-    await vi.runAllTimersAsync();
-    await promise;
-
-    const elapsed = Date.now() - start;
-
-    // Total expected: 1000 (delay1) + 2000 (delay2) = 3000 ms
-    // (no delay after the final attempt 3 — function returns immediately)
-    expect(elapsed).toBeGreaterThanOrEqual(2999);
-    expect(elapsed).toBeLessThan(5000); // sanity cap
-    expect(onRetrying).toHaveBeenCalledTimes(MAX_RETRIES - 1);
-  });
-});
@@ -1,205 +0,0 @@
-// @vitest-environment jsdom
-"use client";
-/**
- * Tests for palette-context.tsx — MobileAccentProvider context + usePalette hook.
- *
- * Test coverage (9 cases):
- * 1. MobileAccentProvider renders children
- * 2. usePalette(false) without provider → MOL_LIGHT
- * 3. usePalette(true) without provider → MOL_DARK
- * 4. accent=null returns base palette unchanged
- * 5. accent=base.accent returns base palette unchanged (identity guard)
- * 6. accent="#custom" overrides both accent and online
- * 7. MOL_LIGHT singleton never mutated
- * 8. MOL_DARK singleton never mutated
- *
- * Plus pure-function coverage for normalizeStatus + tierCode.
- */
-import { describe, expect, it, vi, beforeEach, afterEach } from "vitest";
-import React from "react";
-import { render, screen, cleanup } from "@testing-library/react";
-import {
-  MOL_LIGHT,
-  MOL_DARK,
-  getPalette,
-  normalizeStatus,
-  tierCode,
-  MobileAccentProvider,
-  usePalette,
-} from "../palette-context";
-
-// ─── usePalette test helper ───────────────────────────────────────────────────
-// usePalette reads document.documentElement.dataset.theme internally.
-// We set this before rendering so the hook sees the right value.
-
-function setDataTheme(theme: "light" | "dark") {
-  if (typeof document !== "undefined") {
-    document.documentElement.dataset.theme = theme;
-  }
-}
-
-// ─── Pure function tests ──────────────────────────────────────────────────────
-
-describe("normalizeStatus", () => {
-  it("returns emerald-400 for online status", () => {
-    expect(normalizeStatus("online", false)).toBe("bg-emerald-400");
-    expect(normalizeStatus("online", true)).toBe("bg-emerald-400");
-  });
-
-  it("returns emerald-400 for degraded status", () => {
-    expect(normalizeStatus("degraded", false)).toBe("bg-emerald-400");
-    expect(normalizeStatus("degraded", true)).toBe("bg-emerald-400");
-  });
-
-  it("returns red-400 for failed status", () => {
-    expect(normalizeStatus("failed", false)).toBe("bg-red-400");
-    expect(normalizeStatus("failed", true)).toBe("bg-red-400");
-  });
-
-  it("returns amber-400 for paused status", () => {
-    expect(normalizeStatus("paused", false)).toBe("bg-amber-400");
-    expect(normalizeStatus("paused", true)).toBe("bg-amber-400");
-  });
-
-  it("returns amber-400 for not_configured status", () => {
-    expect(normalizeStatus("not_configured", false)).toBe("bg-amber-400");
-  });
-
-  it("returns zinc-400 for unknown status", () => {
-    expect(normalizeStatus("unknown", false)).toBe("bg-zinc-400");
-    expect(normalizeStatus("", false)).toBe("bg-zinc-400");
-  });
-});
-
-describe("tierCode", () => {
-  it("returns T1 for tier 1", () => {
-    expect(tierCode(1)).toBe("T1");
-  });
-
-  it("returns T2 for tier 2", () => {
-    expect(tierCode(2)).toBe("T2");
-  });
-
-  it("returns T4 for tier 4", () => {
-    expect(tierCode(4)).toBe("T4");
-  });
-
-  it("returns generic T{n} for non-standard tiers", () => {
-    expect(tierCode(99)).toBe("T99");
-  });
-});
-
-// ─── getPalette tests ─────────────────────────────────────────────────────────
-
-describe("getPalette — accent override", () => {
-  it("accent=null returns base palette unchanged (light)", () => {
-    const result = getPalette(null, false);
-    expect(result).toEqual({ ...MOL_LIGHT });
-    expect(result).not.toBe(MOL_LIGHT); // returned object is a copy
-  });
-
-  it("accent=null returns base palette unchanged (dark)", () => {
-    const result = getPalette(null, true);
-    expect(result).toEqual({ ...MOL_DARK });
-    expect(result).not.toBe(MOL_DARK);
-  });
-
-  it("accent=base.accent returns base palette unchanged (identity guard, light)", () => {
-    const result = getPalette(MOL_LIGHT.accent, false);
-    expect(result).toEqual({ ...MOL_LIGHT });
-    expect(result).not.toBe(MOL_LIGHT);
-  });
-
-  it("accent=base.accent returns base palette unchanged (identity guard, dark)", () => {
-    const result = getPalette(MOL_DARK.accent, true);
-    expect(result).toEqual({ ...MOL_DARK });
-    expect(result).not.toBe(MOL_DARK);
-  });
-
-  it("accent='#custom' overrides accent and online (light)", () => {
-    const result = getPalette("#ff0000", false);
-    expect(result.accent).toBe("#ff0000");
-    expect(result.online).toBe("bg-emerald-400"); // normalizeStatus("online", false)
-  });
-
-  it("accent='#custom' overrides accent and online (dark)", () => {
-    const result = getPalette("#00ff00", true);
-    expect(result.accent).toBe("#00ff00");
-    expect(result.online).toBe("bg-emerald-400"); // normalizeStatus("online", true)
-  });
-
-  it("MOL_LIGHT singleton is never mutated", () => {
-    getPalette("#mutate", false);
-    // All fields must still match the original freeze definition
-    expect(MOL_LIGHT.accent).toBe("bg-blue-500");
-    expect(MOL_LIGHT.online).toBe("bg-emerald-400");
-    expect(MOL_LIGHT.surface).toBe("bg-zinc-900");
-    expect(MOL_LIGHT.ink).toBe("text-zinc-100");
-    expect(MOL_LIGHT.line).toBe("border-zinc-700");
-    expect(MOL_LIGHT.bg).toBe("bg-zinc-950");
-  });
-
-  it("MOL_DARK singleton is never mutated", () => {
-    getPalette("#mutate", true);
-    expect(MOL_DARK.accent).toBe("bg-sky-400");
-    expect(MOL_DARK.online).toBe("bg-emerald-400");
-    expect(MOL_DARK.surface).toBe("bg-zinc-800");
-    expect(MOL_DARK.ink).toBe("text-zinc-100");
-    expect(MOL_DARK.line).toBe("border-zinc-700");
-    expect(MOL_DARK.bg).toBe("bg-zinc-950");
-  });
-
-  it("getPalette always returns a new object (no shared mutation risk)", () => {
-    const a = getPalette("#a", false);
-    const b = getPalette("#b", false);
-    expect(a).not.toBe(b);
-    expect(a.accent).not.toBe(b.accent);
-  });
-});
-
-// ─── MobileAccentProvider tests ───────────────────────────────────────────────
-
-describe("MobileAccentProvider", () => {
-  beforeEach(() => {
-    setDataTheme("light");
-  });
-
-  afterEach(() => {
-    cleanup();
-    if (typeof document !== "undefined") {
-      document.documentElement.dataset.theme = "";
-    }
-  });
-
-  it("renders children", () => {
-    render(
-      <MobileAccentProvider accent={null}>
-        <span data-testid="child">Hello</span>
-      </MobileAccentProvider>,
-    );
-    expect(screen.getByTestId("child")).toBeTruthy();
-  });
-
-  // usePalette hook reads data-theme from <html> to determine light/dark.
-  // In the test environment, data-theme is empty, which falls through to
-  // the "light" default in usePalette, giving MOL_LIGHT.
-  it("usePalette(false) without provider → MOL_LIGHT", () => {
-    setDataTheme("light");
-    function ShowPalette() {
-      const p = usePalette(false);
-      return <span data-testid="accent-light">{p.accent}</span>;
-    }
-    render(<ShowPalette />);
-    expect(screen.getByTestId("accent-light").textContent).toBe(MOL_LIGHT.accent);
-  });
-
-  it("usePalette(true) without provider → MOL_DARK when data-theme=dark", () => {
-    setDataTheme("dark");
-    function ShowPalette() {
-      const p = usePalette(true);
-      return <span data-testid="accent-dark">{p.accent}</span>;
-    }
-    render(<ShowPalette />);
-    expect(screen.getByTestId("accent-dark").textContent).toBe(MOL_DARK.accent);
-  });
-});
@@ -1,167 +0,0 @@
-"use client";
-
-/**
- * palette-context.tsx
- *
- * Mobile canvas accent palette system.
- *
- * - MOL_LIGHT / MOL_DARK  — immutable base singletons
- * - getPalette(accent, isDark) — returns base palette or accent-overridden copy
- * - normalizeStatus(status, isDark) — maps workspace status → online dot color
- * - tierCode(tier) — maps tier number → display label
- * - MobileAccentProvider — React context that propagates accent override
- * - usePalette(allowAccentOverride) — hook; returns the effective palette
- */
-
-import { createContext, useContext } from "react";
-
-// ─── Types ─────────────────────────────────────────────────────────────────────
-
-export interface Palette {
-  /** Accent colour (CSS colour string). */
-  accent: string;
-  /** Online indicator colour (CSS class string, e.g. "bg-emerald-400"). */
-  online: string;
-  /** Surface background colour class. */
-  surface: string;
-  /** Primary text colour class. */
-  ink: string;
-  /** Border/divider colour class. */
-  line: string;
-  /** Background colour class. */
-  bg: string;
-  /** Tier display code, e.g. "T1". */
-  tier: string;
-}
-
-// ─── Singleton base palettes ────────────────────────────────────────────────────
-
-/** Light-mode base palette — must never be mutated. */
-export const MOL_LIGHT: Readonly<Palette> = Object.freeze({
-  accent: "bg-blue-500",
-  online: "bg-emerald-400",
-  surface: "bg-zinc-900",
-  ink: "text-zinc-100",
-  line: "border-zinc-700",
-  bg: "bg-zinc-950",
-  tier: "T1",
-});
-
-/** Dark-mode base palette — must never be mutated. */
-export const MOL_DARK: Readonly<Palette> = Object.freeze({
-  accent: "bg-sky-400",
-  online: "bg-emerald-400",
-  surface: "bg-zinc-800",
-  ink: "text-zinc-100",
-  line: "border-zinc-700",
-  bg: "bg-zinc-950",
-  tier: "T1",
-});
-
-// ─── Pure helpers ─────────────────────────────────────────────────────────────
-
-/**
- * Maps workspace status string → online dot colour class.
- * Returns the appropriate green for light/dark mode.
- */
-export function normalizeStatus(
-  status: string,
-  _isDark: boolean,
-): string {
-  if (status === "online" || status === "degraded") {
-    return "bg-emerald-400";
-  }
-  if (status === "failed") {
-    return "bg-red-400";
-  }
-  if (status === "paused" || status === "not_configured") {
-    return "bg-amber-400";
-  }
-  return "bg-zinc-400";
-}
-
-/**
- * Maps tier number → display code.
- */
-export function tierCode(tier: number): string {
-  return `T${tier}`;
-}
-
-/**
- * Returns the effective palette.
- *
- * - `accent = null` → base palette (light or dark) unchanged
- * - `accent = basePalette.accent` → base palette unchanged (identity guard)
- * - `accent = "#custom"` → copy with `accent` and `online` overridden
- *
- * Always returns a new object; neither MOL_LIGHT nor MOL_DARK is ever mutated.
- */
-export function getPalette(
-  accent: string | null,
-  isDark: boolean,
-): Palette {
-  const base: Readonly<Palette> = isDark ? MOL_DARK : MOL_LIGHT;
-
-  // null accent → use base unchanged
-  if (accent === null) return { ...base };
-
-  // identity guard — accent same as base accent → no override needed
-  if (accent === base.accent) return { ...base };
-
-  // Custom accent: override accent + online to keep them in sync
-  return { ...base, accent, online: normalizeStatus("online", isDark) };
-}
-
-// ─── Context ──────────────────────────────────────────────────────────────────
-
-type MobileAccentContextValue = {
-  /** Override accent colour (null = no override, use default). */
-  accent: string | null;
-};
-
-const MobileAccentContext = createContext<MobileAccentContextValue>({
-  accent: null,
-});
-
-export { MobileAccentContext };
-
-/**
- * Renders children inside the accent override context.
- */
-export function MobileAccentProvider({
-  accent,
-  children,
-}: {
-  accent: string | null;
-  children: React.ReactNode;
-}) {
-  return (
-    <MobileAccentContext.Provider value={{ accent }}>
-      {children}
-    </MobileAccentContext.Provider>
-  );
-}
-
-// ─── Hook ─────────────────────────────────────────────────────────────────────
-
-/**
- * Returns the effective `Palette` for the current context.
- *
- * @param allowAccentOverride  When false, always returns the base palette
- *                              even when an override is set (useful for
- *                              non-accent-aware child components).
- */
-export function usePalette(allowAccentOverride: boolean): Palette {
-  const { accent } = useContext(MobileAccentContext);
-
-  // Resolved from the OS-level theme preference. In a real app this would
-  // be derived from useTheme().resolvedTheme; for this hook we default
-  // to light (the safe default for SSR / component-library use).
-  // We read data-theme from <html> to stay in sync with the theme system.
-  const isDark =
-    typeof document !== "undefined" &&
-    document.documentElement.dataset.theme === "dark";
-
-  const effectiveAccent = allowAccentOverride ? accent : null;
-  return getPalette(effectiveAccent, isDark);
-}
@@ -1,88 +0,0 @@
-# Gitea Merge Queue
-
-Gitea 1.22.6 does not provide a real merge queue. Its `pull_auto_merge`
-table is auto-merge-on-green, not a serialized queue that retests each PR
-against the latest `main`.
-
-`gitea-merge-queue` is the external queue for `molecule-core`.
-
-## Queue Contract
-
-Add the `merge-queue` label to an open PR when it is ready to merge.
-
-The bot processes one PR per tick:
-
-1. Confirms `main` is green.
-2. Selects the oldest open PR carrying `merge-queue`.
-3. Skips PRs with `merge-queue-hold`.
-4. Rejects fork PRs because the queue may only update same-repo branches.
-5. If the PR head does not contain current `main`, calls Gitea's
-   `/pulls/{n}/update?style=merge` endpoint and waits for CI on the new head.
-6. Merges only after the current PR head has required contexts green:
-   - `CI / all-required (pull_request)`
-   - `sop-checklist / all-items-acked (pull_request)`
-
-The workflow is serialized with `concurrency`, so two queued PRs cannot be
-merged against the same observed `main`.
-
-## Operator Commands
-
-Queue a PR:
-
-```bash
-curl -fsS -X POST \
-  -H "Authorization: token $GITEA_TOKEN" \
-  -H "Content-Type: application/json" \
-  "https://git.moleculesai.app/api/v1/repos/molecule-ai/molecule-core/issues/<PR>/labels" \
-  -d '{"labels":["merge-queue"]}'
-```
-
-Temporarily hold a queued PR:
-
-```bash
-curl -fsS -X POST \
-  -H "Authorization: token $GITEA_TOKEN" \
-  -H "Content-Type: application/json" \
-  "https://git.moleculesai.app/api/v1/repos/molecule-ai/molecule-core/issues/<PR>/labels" \
-  -d '{"labels":["merge-queue-hold"]}'
-```
-
-Run the bot manually from a trusted checkout:
-
-```bash
-GITEA_TOKEN="$DEVOPS_ENGINEER_TOKEN" \
-GITEA_HOST=git.moleculesai.app \
-REPO=molecule-ai/molecule-core \
-WATCH_BRANCH=main \
-QUEUE_LABEL=merge-queue \
-HOLD_LABEL=merge-queue-hold \
-UPDATE_STYLE=merge \
-REQUIRED_CONTEXTS='CI / all-required (pull_request),sop-checklist / all-items-acked (pull_request)' \
-python3 .gitea/scripts/gitea-merge-queue.py
-```
-
-Dry run:
-
-```bash
-python3 .gitea/scripts/gitea-merge-queue.py --dry-run
-```
-
-## Branch Protection
-
-`main` should keep direct merges restricted to the non-bypass merge actor
-used by the queue. Normal humans and agents should not merge directly.
-
-`block_on_outdated_branch` should be enabled as a defense in depth, but it
-does not replace the queue. The queue still performs its own current-main
-check immediately before merge because branch protection alone cannot
-serialize two already-green PRs.
-
-## Failure Handling
-
-If `main` is not green, the queue pauses and does not merge anything.
-
-If a queued PR is stale, the queue updates the PR branch and comments on the
-PR. It does not merge until CI runs on the updated head.
-
-If the queue workflow fails, treat it as a CI/CD incident. Do not bypass by
-manually merging unless the human operator explicitly accepts the risk.
@@ -129,12 +129,8 @@ YAML files ported from GitHub Actions. Manual triggers should use

 ## Quirk #4 — `merge_group` not supported

-Gitea has no native merge queue concept. Drop `merge_group:` triggers from
-all workflow YAML files.
-
-For `molecule-core`, use the external serialized queue documented in
-`runbooks/gitea-merge-queue.md`. Gitea's `pull_auto_merge` table is
-auto-merge-on-green, not a queue that retests each PR against latest `main`.
+Gitea has no merge queue concept. Drop `merge_group:` triggers from all
+workflow YAML files.

 ---

@@ -404,3 +400,4 @@ table if more than one is affected.>
 - [ ] **GITHUB_TOKEN auto-population**: internal #325 — is this on the
  Gitea 1.23 roadmap? If not, the workaround (named secret) is the permanent
  answer
+
@@ -239,9 +239,9 @@ for s in d.get("SecretList", []):

 # --- Summarize + safety gate ----------------------------------------------

-DELETE_COUNT=$(printf '%s' "$DECISIONS" | python3 -c "import json,sys; print(sum(1 for l in sys.stdin if json.loads(l)['action']=='delete'))")
+DELETE_COUNT=$(echo "$DECISIONS" | python3 -c "import json,sys; print(sum(1 for l in sys.stdin if json.loads(l)['action']=='delete'))")
 KEEP_COUNT=$((TOTAL_SECRETS - DELETE_COUNT))
-TENANT_SECRETS=$(printf '%s' "$DECISIONS" | python3 -c "
+TENANT_SECRETS=$(echo "$DECISIONS" | python3 -c "
 import json, sys
 n = sum(1 for l in sys.stdin if json.loads(l)['reason'] != 'not-a-tenant-secret')
 print(n)
@@ -256,7 +256,7 @@ log "  would keep:             $KEEP_COUNT"
 log ""

 # Per-reason breakdown of deletes + keep-categories worth seeing
-printf '%s' "$DECISIONS" | python3 -c "
+echo "$DECISIONS" | python3 -c "
 import json,sys,collections
 delete_c = collections.Counter()
 keep_c = collections.Counter()
@@ -291,7 +291,7 @@ if [ "$DRY_RUN" = "1" ]; then
  log "Dry run complete. Pass --execute to actually delete $DELETE_COUNT secrets."
  log ""
  log "First 20 secrets that would be deleted:"
-  printf '%s' "$DECISIONS" | python3 -c "
+  echo "$DECISIONS" | python3 -c "
 import json, sys
 shown = 0
 for l in sys.stdin:
@@ -327,7 +327,7 @@ RESULT_LOG=$(mktemp -t aws-secrets-result-XXXXXX)
 # Build delete plan (one ARN per line) and id→name side-channel for
 # failure-log readability. Use ARN rather than Name on the delete
 # call because Name is mutable; ARN is the stable identifier.
-printf '%s' "$DECISIONS" | python3 -c '
+echo "$DECISIONS" | python3 -c '
 import json, sys
 plan_path = sys.argv[1]
 map_path = sys.argv[2]
@@ -97,33 +97,6 @@ log "  live EC2s: $(echo "$EC2_NAMES" | wc -w | tr -d ' ')"
 log "Fetching Cloudflare DNS records..."
 CF_JSON=$(curl -sS -m 15 -H "Authorization: Bearer $CF_API_TOKEN" \
  "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/dns_records?per_page=500")
-if ! echo "$CF_JSON" | python3 -c '
-import json, sys
-
-try:
-    payload = json.load(sys.stdin)
-except Exception as exc:
-    print(f"ERROR: Cloudflare returned non-JSON response: {exc}", file=sys.stderr)
-    raise SystemExit(1)
-
-if not payload.get("success", False) or not isinstance(payload.get("result"), list):
-    errors = payload.get("errors") or []
-    if errors:
-        detail = "; ".join(
-            "{code}: {message}".format(
-                code=err.get("code", "unknown"),
-                message=err.get("message", "unknown error"),
-            )
-            for err in errors
-        )
-    else:
-        detail = "unexpected result type {}".format(type(payload.get("result")).__name__)
-    print(f"ERROR: Cloudflare DNS list failed: {detail}", file=sys.stderr)
-    raise SystemExit(1)
-'; then
-  log "Cloudflare DNS list failed; verify CF_API_TOKEN has Zone:DNS:Edit and CF_ZONE_ID is the moleculesai.app zone."
-  exit 1
-fi
 TOTAL_CF=$(echo "$CF_JSON" | python3 -c "import json,sys; print(len(json.load(sys.stdin)['result']))")
 log "  CF records: $TOTAL_CF"

@@ -195,9 +195,9 @@ for t in d.get("result", []):

 # --- Summarize + safety gate ----------------------------------------------

-DELETE_COUNT=$(printf '%s' "$DECISIONS" | python3 -c "import json,sys; print(sum(1 for l in sys.stdin if json.loads(l)['action']=='delete'))")
+DELETE_COUNT=$(echo "$DECISIONS" | python3 -c "import json,sys; print(sum(1 for l in sys.stdin if json.loads(l)['action']=='delete'))")
 KEEP_COUNT=$((TOTAL_TUNNELS - DELETE_COUNT))
-TENANT_TUNNELS=$(printf '%s' "$DECISIONS" | python3 -c "
+TENANT_TUNNELS=$(echo "$DECISIONS" | python3 -c "
 import json, sys
 n = sum(1 for l in sys.stdin if json.loads(l)['reason'] != 'not-a-tenant-tunnel')
 print(n)
@@ -212,7 +212,7 @@ log "  would keep:             $KEEP_COUNT"
 log ""

 # Per-reason breakdown of deletes
-printf '%s' "$DECISIONS" | python3 -c "
+echo "$DECISIONS" | python3 -c "
 import json,sys,collections
 c = collections.Counter()
 for l in sys.stdin:
@@ -242,7 +242,7 @@ if [ "$DRY_RUN" = "1" ]; then
  log "Dry run complete. Pass --execute to actually delete $DELETE_COUNT tunnels."
  log ""
  log "First 20 tunnels that would be deleted:"
-  printf '%s' "$DECISIONS" | python3 -c "
+  echo "$DECISIONS" | python3 -c "
 import json, sys
 shown = 0
 for l in sys.stdin:
@@ -283,7 +283,7 @@ RESULT_LOG=$(mktemp -t cf-tunnels-result-XXXXXX)

 # Build delete plan (just ids, one per line) and the side-channel
 # id→name map (tab-separated).
-printf '%s' "$DECISIONS" | python3 -c '
+echo "$DECISIONS" | python3 -c '
 import json, os, sys
 plan_path = sys.argv[1]
 map_path = sys.argv[2]
@@ -1,431 +0,0 @@
-#!/usr/bin/env bash
-# scripts/promote-tenant-image.sh
-#
-# Codified ECR :<source-tag> → :<dest-tag> promote + tenant fleet redeploy.
-# Replaces the manual 4-step runbook in
-# `reference_manual_ecr_promote_procedure.md` (memory) and closes
-# molecule-ai/molecule-core#660.
-#
-# Default flow (no flags):
-#   1. PREFLIGHT: aws auth ok, repo exists, source-tag exists, all tenant
-#      slugs resolve to live EC2 + CP admin endpoint reachable.
-#   2. SNAPSHOT: save current dest-tag manifest as :<dest>-prev-YYYYMMDD
-#      (idempotent — if today's snapshot already exists, skip).
-#   3. PROMOTE: copy <source-tag> manifest → <dest-tag>. Records the new
-#      digest so step 5 can verify.
-#   4. REDEPLOY: per-tenant POST /cp/admin/tenants/<slug>/redeploy. On
-#      403 (stale-ECR-auth on tenant EC2), SSM-refresh docker login and
-#      retry once. Hard-fail if both attempts fail.
-#   5. VERIFY: per-tenant curl /buildinfo + /health. /buildinfo.git_sha
-#      MUST match the promoted manifest's source SHA (extracted from
-#      either ECR image labels or the .git_sha tag annotation).
-#
-# On any failure after step 3, attempts auto-rollback: re-promote
-# :<dest>-prev-YYYYMMDD → :<dest-tag>, then redeploy + verify. Exits non-zero
-# even after successful rollback (so callers know promotion was aborted).
-#
-# Usage:
-#   scripts/promote-tenant-image.sh \
-#     --source-tag staging-latest \
-#     --dest-tag latest \
-#     --tenants chloe-dong,hongming \
-#     [--repo molecule-ai/platform-tenant] \
-#     [--region us-east-2] \
-#     [--cp-base https://api.moleculesai.app] \
-#     [--cp-token-env CP_TOKEN] \
-#     [--dry-run] \
-#     [--skip-rollback] \
-#     [--mock-dir <dir>]
-#
-# Test harness (referenced by scripts/test-promote-tenant-image.sh and CI):
-#   --mock-dir <dir>   Read canned external-tool outputs from <dir> instead
-#                      of running aws/curl/ssm. Each function reads from a
-#                      filename matching the function name. Stdout of the
-#                      mock files is returned verbatim; a `.rc` sidecar file
-#                      controls exit code. Mock dir is the only way to
-#                      exercise the failure branches in unit tests.
-#
-# Exit codes:
-#   0   promote + redeploy + verify all green
-#   1   preflight failed (no mutations performed)
-#   2   promote step failed (no rollback needed — snapshot intact)
-#   3   redeploy/verify failed; rollback succeeded
-#   4   redeploy/verify failed; rollback ALSO failed (paging-level)
-#   64  argument/usage error
-
-set -euo pipefail
-
-# ─────────────────────────────────────────────────────────────────────────────
-# Argument parsing
-# ─────────────────────────────────────────────────────────────────────────────
-
-SOURCE_TAG=""
-DEST_TAG=""
-TENANTS=""
-REPO="${MOLECULE_TENANT_REPO:-molecule-ai/platform-tenant}"
-REGION="${AWS_REGION:-us-east-2}"
-CP_BASE="${CP_BASE_URL:-https://api.moleculesai.app}"
-CP_TOKEN_ENV="${CP_TOKEN_ENV:-CP_TOKEN}"
-DRY_RUN="false"
-SKIP_ROLLBACK="false"
-MOCK_DIR=""
-
-usage() {
-  sed -n '3,40p' "${BASH_SOURCE[0]}" | sed 's/^# \{0,1\}//'
-  exit 64
-}
-
-while [[ $# -gt 0 ]]; do
-  case "$1" in
-    --source-tag)      SOURCE_TAG="$2"; shift 2 ;;
-    --dest-tag)        DEST_TAG="$2";   shift 2 ;;
-    --tenants)         TENANTS="$2";    shift 2 ;;
-    --repo)            REPO="$2";       shift 2 ;;
-    --region)          REGION="$2";     shift 2 ;;
-    --cp-base)         CP_BASE="$2";    shift 2 ;;
-    --cp-token-env)    CP_TOKEN_ENV="$2"; shift 2 ;;
-    --dry-run)         DRY_RUN="true";  shift ;;
-    --skip-rollback)   SKIP_ROLLBACK="true"; shift ;;
-    --mock-dir)        MOCK_DIR="$2";   shift 2 ;;
-    -h|--help)         usage ;;
-    *) printf 'unknown argument: %s\n' "$1" >&2; exit 64 ;;
-  esac
-done
-
-[[ -z "$SOURCE_TAG" || -z "$DEST_TAG" || -z "$TENANTS" ]] && {
-  printf 'required: --source-tag, --dest-tag, --tenants\n' >&2
-  exit 64
-}
-[[ "$SOURCE_TAG" == "$DEST_TAG" ]] && {
-  printf 'source-tag and dest-tag must differ\n' >&2
-  exit 64
-}
-
-# Snapshot/rollback tag (deterministic — same script run on same UTC date
-# is idempotent; cross-day reruns get distinct rollback points).
-TODAY="${NOW_OVERRIDE_DATE:-$(date -u +%Y%m%d)}"
-ROLLBACK_TAG="${DEST_TAG}-prev-${TODAY}"
-
-# ─────────────────────────────────────────────────────────────────────────────
-# Mockable external calls
-# ─────────────────────────────────────────────────────────────────────────────
-#
-# Every function that touches the network/CLI is wrapped so tests can swap
-# the implementation. In --mock-dir mode each function reads from a file
-# named after itself (e.g. `aws_ecr_get_image`); stdout is the mock body,
-# and a sibling `<name>.rc` sets the return code. Calls are also logged
-# to $MOCK_DIR/.calls (one line per call: <fn> <args…>) so tests can
-# assert on the call sequence.
-
-_mock_call() {
-  local fn="$1"; shift
-  if [[ -n "$MOCK_DIR" ]]; then
-    printf '%s %s\n' "$fn" "$*" >> "$MOCK_DIR/.calls"
-    local body="$MOCK_DIR/$fn"
-    local rc_file="$MOCK_DIR/$fn.rc"
-    [[ -f "$body" ]] || { printf 'mock missing: %s\n' "$body" >&2; return 127; }
-    cat "$body"
-    [[ -f "$rc_file" ]] && return "$(cat "$rc_file")"
-    return 0
-  fi
-  return 99  # signal: no mock, caller should run real impl
-}
-
-aws_ecr_get_image() {
-  # args: <tag>
-  local tag="$1"
-  _mock_call aws_ecr_get_image "$tag"; local _mrc=$?
-  [[ $_mrc -ne 99 ]] && return $_mrc
-  aws ecr batch-get-image \
-    --repository-name "$REPO" \
-    --region "$REGION" \
-    --image-ids "imageTag=$tag" \
-    --query 'images[0].imageManifest' \
-    --output text 2>/dev/null
-}
-
-aws_ecr_put_image() {
-  # args: <tag> <manifest-file>
-  local tag="$1" mfile="$2"
-  _mock_call aws_ecr_put_image "$tag" "$mfile"; local _mrc=$?
-  [[ $_mrc -ne 99 ]] && return $_mrc
-  aws ecr put-image \
-    --repository-name "$REPO" \
-    --region "$REGION" \
-    --image-tag "$tag" \
-    --image-manifest "file://$mfile" \
-    --image-manifest-media-type "application/vnd.oci.image.index.v1+json" \
-    >/dev/null
-}
-
-aws_ecr_describe_image() {
-  # args: <tag>; prints the SHA256 digest
-  local tag="$1"
-  _mock_call aws_ecr_describe_image "$tag"; local _mrc=$?
-  [[ $_mrc -ne 99 ]] && return $_mrc
-  aws ecr describe-images \
-    --repository-name "$REPO" \
-    --region "$REGION" \
-    --image-ids "imageTag=$tag" \
-    --query 'imageDetails[0].imageDigest' \
-    --output text 2>/dev/null
-}
-
-cp_redeploy_tenant() {
-  # args: <slug> <tag>
-  # exit codes:
-  #   0  — HTTP 2xx (redeploy accepted)
-  #   2  — HTTP 403 (likely stale tenant docker ECR auth; caller should SSM-refresh)
-  #   1  — any other failure
-  # stdout = response body. stderr = "HTTP_STATUS=NNN" line.
-  local slug="$1" tag="$2"
-  _mock_call cp_redeploy_tenant "$slug" "$tag"; local _mrc=$?
-  [[ $_mrc -ne 99 ]] && return $_mrc
-  local tok="${!CP_TOKEN_ENV:-}"
-  [[ -z "$tok" ]] && { printf '$%s unset\n' "$CP_TOKEN_ENV" >&2; return 1; }
-  local body code
-  body=$(mktemp)
-  code=$(curl -s -o "$body" -w '%{http_code}' \
-    -X POST \
-    -H "Authorization: Bearer $tok" \
-    -H 'Content-Type: application/json' \
-    -d "{\"target_tag\":\"$tag\",\"dry_run\":false}" \
-    "$CP_BASE/cp/admin/tenants/$slug/redeploy")
-  cat "$body"
-  rm -f "$body"
-  printf 'HTTP_STATUS=%s\n' "$code" >&2
-  case "$code" in
-    2*) return 0 ;;
-    403) return 2 ;;
-    *) return 1 ;;
-  esac
-}
-
-tenant_buildinfo() {
-  # args: <slug>; prints JSON
-  local slug="$1"
-  _mock_call tenant_buildinfo "$slug"; local _mrc=$?
-  [[ $_mrc -ne 99 ]] && return $_mrc
-  curl -sf --max-time 10 "https://${slug}.moleculesai.app/buildinfo"
-}
-
-tenant_health() {
-  # args: <slug>; prints raw response, returns 0 if "ok"
-  local slug="$1"
-  _mock_call tenant_health "$slug"; local _mrc=$?
-  [[ $_mrc -ne 99 ]] && return $_mrc
-  curl -sf --max-time 10 "https://${slug}.moleculesai.app/health"
-}
-
-ssm_refresh_ecr_auth() {
-  # args: <instance-id>
-  local iid="$1"
-  _mock_call ssm_refresh_ecr_auth "$iid"; local _mrc=$?
-  [[ $_mrc -ne 99 ]] && return $_mrc
-  # Parameters as JSON. python3 json.dumps is used instead of shell printf
-  # to guarantee correct string escaping (OFFSEC-001 / CWE-78 hardening).
-  # Account ID is derived from the ECR URI which the daemon is configured for.
-  local acct="${ECR_ACCOUNT_ID:-153263036946}"
-  local params
-  params=$(mktemp)
-  python3 -c "
-import json, sys
-region = sys.argv[1]
-acct = sys.argv[2]
-# Build shell command with proper shell-safe quoting, then JSON-encode.
-# Using json.dumps for each interpolated field guarantees correct JSON string
-# escaping (OFFSEC-001 / CWE-78 hardening: no shell-injection via region/acct).
-ecr_login = (
-    'aws ecr get-login-password --region ' + json.dumps(region)[1:-1] +
-    ' | docker login --username AWS --password-stdin ' +
-    json.dumps(acct)[1:-1] + '.dkr.ecr.' +
-    json.dumps(region)[1:-1] + '.amazonaws.com'
-)
-print(json.dumps({'commands': [ecr_login]}))
-" "$REGION" "$acct" > "$params"
-  aws ssm send-command \
-    --instance-ids "$iid" \
-    --document-name AWS-RunShellScript \
-    --region "$REGION" \
-    --parameters "file://$params" \
-    --query 'Command.CommandId' \
-    --output text
-  rm -f "$params"
-}
-
-resolve_tenant_instance_id() {
-  # args: <slug>; prints i-xxx
-  local slug="$1"
-  _mock_call resolve_tenant_instance_id "$slug"; local _mrc=$?
-  [[ $_mrc -ne 99 ]] && return $_mrc
-  local tok="${!CP_TOKEN_ENV:-}"
-  curl -sf -H "Authorization: Bearer $tok" \
-    "$CP_BASE/cp/admin/tenants/$slug" | python3 -c \
-    'import json,sys; d=json.load(sys.stdin); print(d.get("instance_id",""))'
-}
-
-# ─────────────────────────────────────────────────────────────────────────────
-# Steps
-# ─────────────────────────────────────────────────────────────────────────────
-
-log() { printf '[%s] %s\n' "$(date -u +%H:%M:%SZ)" "$*"; }
-err() { printf '[%s] ERROR: %s\n' "$(date -u +%H:%M:%SZ)" "$*" >&2; }
-
-preflight() {
-  log "preflight: source=$SOURCE_TAG dest=$DEST_TAG repo=$REPO region=$REGION"
-  local src_manifest
-  src_manifest=$(aws_ecr_get_image "$SOURCE_TAG") || {
-    err "source tag '$SOURCE_TAG' not found in $REPO"
-    return 1
-  }
-  [[ -z "$src_manifest" || "$src_manifest" == "None" ]] && {
-    err "source tag '$SOURCE_TAG' returned empty manifest"
-    return 1
-  }
-  # Best-effort: existence of dest tag is OK if missing (first promote).
-  aws_ecr_get_image "$DEST_TAG" >/dev/null 2>&1 || \
-    log "  (dest tag '$DEST_TAG' does not yet exist; first promote)"
-  # CP reachability — admin endpoint should return 401/403 (token unchecked here)
-  # rather than connection-refused. Anything 2xx/4xx counts as "alive."
-  if [[ -z "$MOCK_DIR" ]]; then
-    local code
-    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$CP_BASE/health" 2>/dev/null || echo 000)
-    [[ "$code" == 000 ]] && { err "CP base $CP_BASE unreachable"; return 1; }
-  fi
-  log "preflight: OK"
-}
-
-snapshot_dest_tag() {
-  log "snapshot: $DEST_TAG → $ROLLBACK_TAG (rollback tag)"
-  if aws_ecr_describe_image "$ROLLBACK_TAG" >/dev/null 2>&1; then
-    log "  rollback tag $ROLLBACK_TAG already exists today; skipping snapshot (idempotent)"
-    return 0
-  fi
-  local mfile
-  mfile=$(mktemp)
-  if ! aws_ecr_get_image "$DEST_TAG" > "$mfile" 2>/dev/null; then
-    log "  dest tag $DEST_TAG does not exist yet; no snapshot to take"
-    rm -f "$mfile"
-    return 0
-  fi
-  [[ ! -s "$mfile" ]] && { log "  empty manifest; skipping snapshot"; rm -f "$mfile"; return 0; }
-  if [[ "$DRY_RUN" == "true" ]]; then
-    log "  [dry-run] would put-image tag=$ROLLBACK_TAG"
-  else
-    aws_ecr_put_image "$ROLLBACK_TAG" "$mfile" || {
-      err "snapshot put-image failed"
-      rm -f "$mfile"
-      return 1
-    }
-  fi
-  rm -f "$mfile"
-  log "snapshot: OK"
-}
-
-promote() {
-  log "promote: $SOURCE_TAG → $DEST_TAG"
-  local mfile
-  mfile=$(mktemp)
-  aws_ecr_get_image "$SOURCE_TAG" > "$mfile" || { rm -f "$mfile"; return 1; }
-  if [[ "$DRY_RUN" == "true" ]]; then
-    log "  [dry-run] would put-image tag=$DEST_TAG"
-  else
-    aws_ecr_put_image "$DEST_TAG" "$mfile" || { rm -f "$mfile"; return 1; }
-  fi
-  rm -f "$mfile"
-  log "promote: OK"
-}
-
-redeploy_tenant() {
-  # args: <slug> — handle the 403→SSM-refresh→retry pattern
-  local slug="$1"
-  log "  redeploy: $slug"
-  if [[ "$DRY_RUN" == "true" ]]; then
-    log "    [dry-run] would POST /redeploy slug=$slug"
-    return 0
-  fi
-  # cp_redeploy_tenant returns: 0=2xx, 2=403, 1=other (see contract above)
-  set +e
-  cp_redeploy_tenant "$slug" "$DEST_TAG" >/dev/null 2>&1
-  local rc=$?
-  set -e
-  if [[ $rc -eq 0 ]]; then
-    log "    redeploy: 2xx"
-    return 0
-  fi
-  if [[ $rc -eq 2 ]]; then
-    log "    redeploy 403 — SSM-refreshing ECR auth + retry"
-    local iid
-    iid=$(resolve_tenant_instance_id "$slug")
-    [[ -z "$iid" ]] && { err "cannot resolve instance id for $slug"; return 1; }
-    ssm_refresh_ecr_auth "$iid" >/dev/null || { err "SSM refresh failed for $iid"; return 1; }
-    sleep "${SSM_SETTLE_SECONDS:-6}"
-    set +e
-    cp_redeploy_tenant "$slug" "$DEST_TAG" >/dev/null 2>&1
-    rc=$?
-    set -e
-    [[ $rc -eq 0 ]] && { log "    redeploy (post-refresh): 2xx"; return 0; }
-  fi
-  err "redeploy failed for $slug (rc=$rc)"
-  return 1
-}
-
-verify_tenant() {
-  local slug="$1"
-  log "  verify: $slug"
-  if [[ "$DRY_RUN" == "true" ]]; then
-    log "    [dry-run] would curl /buildinfo + /health"
-    return 0
-  fi
-  local bi health
-  bi=$(tenant_buildinfo "$slug") || { err "  /buildinfo failed for $slug"; return 1; }
-  health=$(tenant_health "$slug") || { err "  /health failed for $slug"; return 1; }
-  log "    /buildinfo: $(printf '%s' "$bi" | head -c 120)"
-  log "    /health:    $(printf '%s' "$health" | head -c 60)"
-}
-
-rollback() {
-  [[ "$SKIP_ROLLBACK" == "true" ]] && { log "rollback: skipped (--skip-rollback)"; return 1; }
-  log "ROLLBACK: $ROLLBACK_TAG → $DEST_TAG + redeploy fleet"
-  local mfile
-  mfile=$(mktemp)
-  if ! aws_ecr_get_image "$ROLLBACK_TAG" > "$mfile" 2>/dev/null || [[ ! -s "$mfile" ]]; then
-    err "rollback tag $ROLLBACK_TAG not found — cannot auto-rollback"
-    rm -f "$mfile"
-    return 1
-  fi
-  aws_ecr_put_image "$DEST_TAG" "$mfile" || { rm -f "$mfile"; return 1; }
-  rm -f "$mfile"
-  IFS=',' read -ra slugs <<<"$TENANTS"
-  for slug in "${slugs[@]}"; do
-    redeploy_tenant "$slug" || err "  rollback redeploy failed for $slug"
-  done
-  log "rollback: complete"
-}
-
-# ─────────────────────────────────────────────────────────────────────────────
-# Main
-# ─────────────────────────────────────────────────────────────────────────────
-
-main() {
-  preflight || return 1
-  snapshot_dest_tag || return 2
-  promote || return 2
-
-  local promote_rc=0
-  IFS=',' read -ra slugs <<<"$TENANTS"
-  for slug in "${slugs[@]}"; do
-    redeploy_tenant "$slug" || promote_rc=1
-    [[ $promote_rc -eq 0 ]] && { verify_tenant "$slug" || promote_rc=1; }
-    [[ $promote_rc -ne 0 ]] && break
-  done
-
-  if [[ $promote_rc -eq 0 ]]; then
-    log "DONE: $SOURCE_TAG → $DEST_TAG promoted across [$TENANTS]"
-    return 0
-  fi
-
-  if rollback; then return 3; else return 4; fi
-}
-
-main "$@"
@@ -1,346 +0,0 @@
-#!/usr/bin/env bash
-# scripts/test-promote-tenant-image.sh
-#
-# Comprehensive bash unit/e2e tests for promote-tenant-image.sh.
-# Covers every exit code path + key branches: preflight failure,
-# snapshot idempotency, redeploy 403→SSM-refresh, verify failure
-# triggering rollback, rollback success vs failure.
-#
-# All external calls (aws/curl/ssm) are stubbed via --mock-dir.
-# No live infrastructure is touched. Safe to run anywhere.
-#
-# Run: bash scripts/test-promote-tenant-image.sh
-# Expected: "All N tests passed" + exit 0.
-
-set -euo pipefail
-
-SCRIPT="$(cd "$(dirname "$0")" && pwd)/promote-tenant-image.sh"
-[[ -x "$SCRIPT" ]] || { printf 'FATAL: script not executable: %s\n' "$SCRIPT" >&2; exit 1; }
-
-PASS=0
-FAIL=0
-FAIL_NAMES=()
-
-# ─────────────────────────────────────────────────────────────────────────────
-# Helpers
-# ─────────────────────────────────────────────────────────────────────────────
-
-mkmock() {
-  local d
-  d=$(mktemp -d)
-  : > "$d/.calls"
-  printf '%s' "$d"
-}
-
-mock_set() {
-  # args: <dir> <fn-name> <body> [rc]
-  local d="$1" fn="$2" body="$3" rc="${4:-0}"
-  printf '%s' "$body" > "$d/$fn"
-  printf '%s' "$rc" > "$d/$fn.rc"
-}
-
-run_script() {
-  # args: <mock-dir> [extra args…]
-  local mock="$1"; shift
-  set +e
-  SSM_SETTLE_SECONDS=0 NOW_OVERRIDE_DATE=20260512 \
-    "$SCRIPT" \
-      --source-tag staging-latest \
-      --dest-tag latest \
-      --tenants chloe-dong,hongming \
-      --mock-dir "$mock" \
-      "$@" 2>&1
-  local rc=$?
-  set -e
-  printf 'EXIT_CODE=%s\n' "$rc"
-}
-
-extract_exit() {
-  # last EXIT_CODE=NNN line wins
-  local got="$1"
-  printf '%s' "$got" | awk -F= '/^EXIT_CODE=/{rc=$2} END{print rc}'
-}
-
-assert_exit() {
-  local name="$1" got="$2" want="$3"
-  local got_rc
-  got_rc=$(extract_exit "$got")
-  if [[ "$got_rc" == "$want" ]]; then
-    PASS=$((PASS + 1))
-    printf '  ✓ %s (exit=%s)\n' "$name" "$got_rc"
-  else
-    FAIL=$((FAIL + 1))
-    FAIL_NAMES+=("$name")
-    printf '  ✗ %s — expected exit=%s, got=%s\n' "$name" "$want" "$got_rc"
-    printf '%s\n' "$got" | sed 's/^/      /'
-  fi
-}
-
-assert_contains() {
-  local name="$1" got="$2" pattern="$3"
-  if printf '%s' "$got" | grep -qE "$pattern"; then
-    PASS=$((PASS + 1))
-    printf '  ✓ %s\n' "$name"
-  else
-    FAIL=$((FAIL + 1))
-    FAIL_NAMES+=("$name")
-    printf '  ✗ %s — pattern not found: %s\n' "$name" "$pattern"
-  fi
-}
-
-assert_not_contains() {
-  local name="$1" got="$2" pattern="$3"
-  if printf '%s' "$got" | grep -qE "$pattern"; then
-    FAIL=$((FAIL + 1))
-    FAIL_NAMES+=("$name")
-    printf '  ✗ %s — unexpected match: %s\n' "$name" "$pattern"
-  else
-    PASS=$((PASS + 1))
-    printf '  ✓ %s\n' "$name"
-  fi
-}
-
-assert_calls_contain() {
-  local name="$1" mock="$2" pattern="$3"
-  if grep -qE "$pattern" "$mock/.calls" 2>/dev/null; then
-    PASS=$((PASS + 1))
-    printf '  ✓ %s\n' "$name"
-  else
-    FAIL=$((FAIL + 1))
-    FAIL_NAMES+=("$name")
-    printf '  ✗ %s — call missing: %s\n' "$name" "$pattern"
-    if [[ -f "$mock/.calls" ]]; then
-      printf '      .calls=\n'
-      sed 's/^/      | /' "$mock/.calls"
-    fi
-  fi
-}
-
-assert_calls_count() {
-  local name="$1" mock="$2" pattern="$3" want="$4"
-  local got=0
-  if [[ -f "$mock/.calls" ]]; then
-    got=$(grep -cE "$pattern" "$mock/.calls" || true)
-    # grep -c with no matches prints "0" and returns rc=1; `|| true` neutralizes.
-    got="${got%%[!0-9]*}"
-    : "${got:=0}"
-  fi
-  if [[ "$got" -eq "$want" ]]; then
-    PASS=$((PASS + 1))
-    printf '  ✓ %s (count=%s)\n' "$name" "$got"
-  else
-    FAIL=$((FAIL + 1))
-    FAIL_NAMES+=("$name")
-    printf '  ✗ %s — pattern %s: expected %s calls, got %s\n' "$name" "$pattern" "$want" "$got"
-  fi
-}
-
-# ─────────────────────────────────────────────────────────────────────────────
-# Test cases
-# ─────────────────────────────────────────────────────────────────────────────
-
-printf '\n== Test 1: happy path — promote + redeploy + verify all green ==\n'
-m=$(mkmock)
-mock_set "$m" aws_ecr_get_image          '{"manifests":[{"digest":"sha256:src"}]}' 0
-mock_set "$m" aws_ecr_describe_image     '' 1   # rollback tag does NOT exist (fresh day)
-mock_set "$m" aws_ecr_put_image          '' 0
-mock_set "$m" cp_redeploy_tenant         '{"redeployed":true}' 0   # rc=0 → 2xx success
-mock_set "$m" tenant_buildinfo           '{"git_sha":"abc1234","build_time":"2026-05-12T05:00:00Z"}' 0
-mock_set "$m" tenant_health              'ok' 0
-out=$(run_script "$m")
-assert_exit "happy path exits 0" "$out" 0
-assert_calls_contain "snapshot put-image for rollback tag" "$m" 'aws_ecr_put_image latest-prev-20260512'
-assert_calls_contain "promote put-image for dest tag" "$m" 'aws_ecr_put_image latest /'
-assert_calls_count "redeploy called per tenant (2)" "$m" '^cp_redeploy_tenant ' 2
-assert_calls_count "buildinfo verified per tenant (2)" "$m" '^tenant_buildinfo ' 2
-assert_calls_count "health probed per tenant (2)" "$m" '^tenant_health ' 2
-rm -rf "$m"
-
-printf '\n== Test 2: preflight fails when source tag missing → exit 1, no mutations ==\n'
-m=$(mkmock)
-mock_set "$m" aws_ecr_get_image '' 1   # source-tag lookup fails
-out=$(run_script "$m")
-assert_exit "preflight failure exits 1" "$out" 1
-assert_contains "logs source-tag not found error" "$out" "source tag 'staging-latest' not found"
-assert_calls_count "no put-image on preflight fail" "$m" '^aws_ecr_put_image' 0
-assert_calls_count "no redeploy on preflight fail" "$m" '^cp_redeploy_tenant' 0
-rm -rf "$m"
-
-printf '\n== Test 3: snapshot is idempotent when rollback tag already exists today ==\n'
-m=$(mkmock)
-mock_set "$m" aws_ecr_get_image       '{"manifests":[]}' 0
-mock_set "$m" aws_ecr_describe_image  'sha256:existingrollback' 0   # rollback tag DOES exist
-mock_set "$m" aws_ecr_put_image       '' 0
-mock_set "$m" cp_redeploy_tenant      '{"ok":true}' 0
-mock_set "$m" tenant_buildinfo        '{"git_sha":"abc1234"}' 0
-mock_set "$m" tenant_health           'ok' 0
-out=$(run_script "$m")
-assert_exit "happy with existing snapshot still exits 0" "$out" 0
-assert_contains "logs idempotent skip message" "$out" 'already exists today.*skipping snapshot'
-assert_calls_count "no put-image for rollback when idempotent" "$m" 'aws_ecr_put_image latest-prev-20260512' 0
-assert_calls_count "still put-image for dest tag" "$m" 'aws_ecr_put_image latest /' 1
-rm -rf "$m"
-
-printf '\n== Test 4: --dry-run skips all mutations ==\n'
-m=$(mkmock)
-mock_set "$m" aws_ecr_get_image       '{"manifests":[]}' 0
-mock_set "$m" aws_ecr_describe_image  '' 1
-out=$(run_script "$m" --dry-run)
-assert_exit "dry-run exits 0" "$out" 0
-assert_contains "logs dry-run put-image markers" "$out" '\[dry-run\] would put-image'
-assert_contains "logs dry-run redeploy markers" "$out" '\[dry-run\] would POST /redeploy'
-assert_calls_count "dry-run: no put-image" "$m" '^aws_ecr_put_image' 0
-assert_calls_count "dry-run: no redeploy" "$m" '^cp_redeploy_tenant' 0
-rm -rf "$m"
-
-printf '\n== Test 5: redeploy 403 triggers SSM-refresh path ==\n'
-# cp_redeploy_tenant rc=2 signals 403 per script contract. Mock returns rc=2
-# every call, so post-refresh retry also "403s" — but we can still verify
-# the SSM call path was exercised before the script gives up + rolls back.
-m=$(mkmock)
-mock_set "$m" aws_ecr_get_image          '{"manifests":[]}' 0
-mock_set "$m" aws_ecr_describe_image     '' 1
-mock_set "$m" aws_ecr_put_image          '' 0
-mock_set "$m" cp_redeploy_tenant         '{"error":"403"}' 2   # 403 path
-mock_set "$m" resolve_tenant_instance_id 'i-0455a413e993ee78c' 0
-mock_set "$m" ssm_refresh_ecr_auth       'cmd-id-fake' 0
-out=$(run_script "$m" --skip-rollback)
-assert_contains "403 path logged" "$out" 'SSM-refreshing ECR auth'
-assert_calls_contain "SSM refresh called" "$m" 'ssm_refresh_ecr_auth i-0455a413e993ee78c'
-assert_calls_contain "resolve_tenant_instance_id called" "$m" 'resolve_tenant_instance_id chloe-dong'
-assert_calls_count "redeploy attempted twice (first + post-refresh)" "$m" '^cp_redeploy_tenant chloe-dong ' 2
-rm -rf "$m"
-
-printf '\n== Test 6: redeploy fail + --skip-rollback → exit 4 ==\n'
-m=$(mkmock)
-mock_set "$m" aws_ecr_get_image          '{"manifests":[]}' 0
-mock_set "$m" aws_ecr_describe_image     '' 1
-mock_set "$m" aws_ecr_put_image          '' 0
-mock_set "$m" cp_redeploy_tenant         '' 1   # generic failure (not 403)
-out=$(run_script "$m" --skip-rollback)
-assert_exit "redeploy fail + skip-rollback exits 4" "$out" 4
-assert_contains "logs redeploy failure" "$out" 'redeploy failed for chloe-dong'
-assert_contains "rollback skipped logged" "$out" 'rollback: skipped'
-assert_not_contains "no SSM refresh on non-403 failure" "$out" 'SSM-refreshing'
-rm -rf "$m"
-
-printf '\n== Test 7: redeploy fail + rollback succeeds → exit 3 ==\n'
-m=$(mkmock)
-mock_set "$m" aws_ecr_get_image          '{"manifests":[]}' 0
-mock_set "$m" aws_ecr_describe_image     '' 1
-mock_set "$m" aws_ecr_put_image          '' 0
-mock_set "$m" cp_redeploy_tenant         '' 1
-out=$(run_script "$m")
-assert_exit "redeploy fail with rollback exits 3" "$out" 3
-assert_contains "rollback fired" "$out" 'ROLLBACK:.*latest-prev-20260512'
-assert_calls_contain "rollback re-puts dest tag" "$m" 'aws_ecr_put_image latest /'
-rm -rf "$m"
-
-printf '\n== Test 8: argument validation ==\n'
-set +e
-out=$("$SCRIPT" 2>&1); rc=$?
-set -e
-if [[ $rc -eq 64 ]] && printf '%s' "$out" | grep -q 'required:.*--source-tag'; then
-  PASS=$((PASS + 1)); printf '  ✓ exit 64 on missing args with usage line\n'
-else
-  FAIL=$((FAIL + 1)); FAIL_NAMES+=("missing-args error")
-  printf '  ✗ exit 64 on missing args (got %s)\n' "$rc"
-fi
-
-set +e
-out=$("$SCRIPT" --source-tag x --dest-tag x --tenants y 2>&1); rc=$?
-set -e
-if [[ $rc -eq 64 ]] && printf '%s' "$out" | grep -q 'must differ'; then
-  PASS=$((PASS + 1)); printf '  ✓ exit 64 when source==dest\n'
-else
-  FAIL=$((FAIL + 1)); FAIL_NAMES+=("source==dest validation")
-  printf '  ✗ source==dest should fail (got %s)\n' "$rc"
-fi
-
-set +e
-out=$("$SCRIPT" --source-tag x --dest-tag y --tenants t --bogus-flag 2>&1); rc=$?
-set -e
-if [[ $rc -eq 64 ]] && printf '%s' "$out" | grep -q 'unknown argument'; then
-  PASS=$((PASS + 1)); printf '  ✓ exit 64 on unknown flag\n'
-else
-  FAIL=$((FAIL + 1)); FAIL_NAMES+=("unknown-flag error")
-  printf '  ✗ unknown-flag should fail (got %s)\n' "$rc"
-fi
-
-printf '\n== Test 9: ROLLBACK_TAG follows YYYYMMDD via NOW_OVERRIDE_DATE ==\n'
-m=$(mkmock)
-mock_set "$m" aws_ecr_get_image       '{}' 0
-mock_set "$m" aws_ecr_describe_image  '' 1
-mock_set "$m" aws_ecr_put_image       '' 0
-mock_set "$m" cp_redeploy_tenant      '{}' 0
-mock_set "$m" tenant_buildinfo        '{}' 0
-mock_set "$m" tenant_health           'ok' 0
-set +e
-NOW_OVERRIDE_DATE=20260603 SSM_SETTLE_SECONDS=0 "$SCRIPT" \
-  --source-tag a --dest-tag b --tenants t1 --mock-dir "$m" >/dev/null 2>&1
-rc=$?
-set -e
-if [[ $rc -eq 0 ]]; then
-  PASS=$((PASS + 1)); printf '  ✓ run succeeded with custom NOW_OVERRIDE_DATE\n'
-else
-  FAIL=$((FAIL + 1)); FAIL_NAMES+=("NOW_OVERRIDE_DATE run")
-  printf '  ✗ NOW_OVERRIDE_DATE run failed (rc=%s)\n' "$rc"
-fi
-assert_calls_contain "rollback tag uses NOW_OVERRIDE_DATE (20260603)" "$m" 'aws_ecr_put_image b-prev-20260603'
-rm -rf "$m"
-
-printf '\n== Test 10: empty source manifest fails preflight ==\n'
-m=$(mkmock)
-mock_set "$m" aws_ecr_get_image '' 0   # rc=0 but empty body (the "None" case)
-out=$(run_script "$m")
-assert_exit "empty source manifest fails preflight" "$out" 1
-assert_contains "empty manifest message" "$out" 'returned empty manifest'
-rm -rf "$m"
-
-printf '\n== Test 11: tenant_buildinfo failure during verify → rollback ==\n'
-m=$(mkmock)
-mock_set "$m" aws_ecr_get_image          '{"manifests":[]}' 0
-mock_set "$m" aws_ecr_describe_image     '' 1
-mock_set "$m" aws_ecr_put_image          '' 0
-mock_set "$m" cp_redeploy_tenant         '{"ok":true}' 0
-mock_set "$m" tenant_buildinfo           '' 1   # buildinfo probe fails
-mock_set "$m" tenant_health              'ok' 0
-out=$(run_script "$m")
-assert_exit "verify failure → rollback succeeds → exit 3" "$out" 3
-assert_contains "logs buildinfo failure" "$out" '/buildinfo failed for chloe-dong'
-assert_contains "rollback fired after verify fail" "$out" 'ROLLBACK:'
-rm -rf "$m"
-
-printf '\n== Test 12: ssm_refresh_ecr_auth JSON escaping (CWE-78 / OFFSEC-001) ==\n'
-# Verify the python3 snippet in ssm_refresh_ecr_auth produces valid JSON and
-# correctly escapes shell-injection characters in region + account ID fields.
-# The fix replaces unquoted shell-printf interpolation with json.dumps.
-PYCODE='import json,sys;r=sys.argv[1];a=sys.argv[2];ecr="aws ecr get-login-password --region "+json.dumps(r)[1:-1]+" | docker login --username AWS --password-stdin "+json.dumps(a)[1:-1]+".dkr.ecr."+json.dumps(r)[1:-1]+".amazonaws.com";print(json.dumps({"commands":[ecr]}))'
-# Baseline: normal region + account
-OUT=$(python3 -c "$PYCODE" 'us-east-1' '153263036946')
-python3 -c "import sys,json; d=json.loads(sys.stdin.read()); assert 'commands' in d; c=d['commands'][0]; assert 'us-east-1' in c and '153263036946' in c and c.startswith('aws ecr get-login-password')" <<< "$OUT" \
-  && echo "  ok: normal region+account" || { echo "  FAIL: invalid JSON for normal case"; exit 1; }
-# Injection: region with double-quote
-OUT=$(python3 -c "$PYCODE" 'us"-east-1' '153263036946')
-python3 -c "import sys,json; d=json.loads(sys.stdin.read()); c=d['commands'][0]; assert c" <<< "$OUT" \
-  && echo "  ok: region with quote injection → valid JSON" || { echo "  FAIL"; exit 1; }
-# Injection: account with double-quote
-OUT=$(python3 -c "$PYCODE" 'us-east-1' '15"326"3036946')
-python3 -c "import sys,json; d=json.loads(sys.stdin.read()); c=d['commands'][0]; assert c" <<< "$OUT" \
-  && echo "  ok: account with quote injection → valid JSON" || { echo "  FAIL"; exit 1; }
-# No double-encoding: region appears as literal 'us-east-1' in command string
-OUT=$(python3 -c "$PYCODE" 'us-east-1' '153263036946')
-python3 -c "import sys,json; d=json.loads(sys.stdin.read()); c=d['commands'][0]; assert 'us-east-1' in c" <<< "$OUT" \
-  && echo "  ok: no double-encoding in command string" || { echo "  FAIL"; exit 1; }
-# ─────────────────────────────────────────────────────────────────────────────
-
-printf '\n────────────────────────────────────\n'
-if [[ $FAIL -eq 0 ]]; then
-  printf 'All %d tests passed.\n' "$PASS"
-  exit 0
-else
-  printf '%d passed, %d failed.\n' "$PASS" "$FAIL"
-  printf 'Failed tests:\n'
-  for n in "${FAIL_NAMES[@]}"; do printf '  - %s\n' "$n"; done
-  exit 1
-fi
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
core-uiux	4c6365c7c1	test(canvas/mobile): add primitives.test.tsx coverage (19 cases) CI / Detect changes (pull_request) Successful in 22s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 21s Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 37s Details Harness Replays / detect-changes (pull_request) Successful in 21s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 34s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 16s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 22s Details qa-review / approved (pull_request) Successful in 10s Details gate-check-v3 / gate-check (pull_request) Failing after 19s Details security-review / approved (pull_request) Successful in 9s Details sop-checklist-gate / gate (pull_request) Successful in 11s Details sop-tier-check / tier-check (pull_request) Successful in 13s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m18s Details Block internal-flavored paths / Block forbidden paths (pull_request) Failing after 10m19s Details CI / Platform (Go) (pull_request) Successful in 10s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 9s Details CI / Python Lint & Test (pull_request) Successful in 10s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 10s Details audit-force-merge / audit (pull_request) Has been skipped Details Harness Replays / Harness Replays (pull_request) Successful in 8s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 14s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 8s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 10m21s Details CI / Canvas (Next.js) (pull_request) Successful in 13m39s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details CI / all-required (pull_request) Successful in 5s Details Cover StatusDot (size, circle, halo, flexShrink), TierChip (tiers, size variants, flexShrink), Chip (value, label+value, pill shape, soft/accent mode), SectionLabel (text, right slot, uppercase). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 09:38:47 +00:00
app-fe	91f6e77b47	feat(mobile): FilterChips + AgentCard WCAG 2.1 AA accessibility FilterChips: - Add role=toolbar + aria-label="Filter agents" on container - Add role=radio + aria-checked on each button - Add aria-hidden on count spans - FilterChips.test.tsx: 9 cases AgentCard: - Add aria-label composing name, status, tier, remote flag - AgentCard.test.tsx: 8 cases 🤖 Generated with [Claude Code](https://claude.com/claude-code)	2026-05-12 09:38:47 +00:00
app-fe	685ce32f20	feat(mobile): TabBar WCAG 2.1 AA accessibility — ARIA tab pattern + keyboard nav - Adds role=tablist + aria-label to outer container - Adds role=tab, aria-selected, aria-label, aria-hidden(icon) to each tab button - tabIndex: active=0, others=-1 (standard tab pattern) - Keyboard: Arrow keys cycle tabs, Home/End jump to first/last - TabBar.test.tsx: 12 cases covering render states and keyboard interaction 🤖 Generated with [Claude Code](https://claude.com/claude-code)	2026-05-12 09:38:47 +00:00
core-uiux	fd5c4f607c	test(canvas): add form-inputs coverage (35 cases) + Section accessibility fix + form-inputs.test.tsx: 35 cases across TextInput, NumberInput, Toggle, TagList, and Section — pure presentational components in the Config tab. Uses vi.hoisted() patterns from established suite; no jest-dom matchers. + form-inputs.tsx (Section): add aria-expanded + aria-controls to the collapsible toggle button for WCAG 2.1 AA compliance. The content div gets a stable id derived from the title; aria-controls links button to region. Indicator span gains aria-hidden="true" (decorative only). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 09:38:47 +00:00
core-uiux	e7f8982b47	test(canvas/settings,chat): add coverage for EmptyState, SearchBar, UnsavedChangesGuard, AttachmentVideo - EmptyState: 6 cases — icon aria-hidden, title, body text, CTA button - SearchBar: 14 cases — store binding, onChange, Escape, Ctrl/Cmd+F focus - UnsavedChangesGuard: 7 cases — dialog states, Keep/Discard actions, backdrop FIX: UnsavedChangesGuard now wires onDiscard via pendingDiscard ref so clicking Discard correctly calls the callback on dialog close - AttachmentVideo: 8 cases — loading/ready/error states, tone borders, blob URL cleanup, external URI direct href No breaking changes. 2387 tests passing. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 09:38:47 +00:00
core-uiux	86873855d2	test(canvas/settings): add DeleteConfirmDialog + SettingsButton coverage (26 cases) - DeleteConfirmDialog (15 cases): dialog open via secret:delete-request event, title/body text, Cancel closes, dependents loading/list/none states, deleteSecret call, confirm 1s delay, disabled→enabled button transition - SettingsButton (11 cases): aria-label, aria-expanded, gear SVG aria-hidden, toggle openPanel/closePanel, active class, tooltip Mac/Ctrl shortcut ResizeObserver polyfill for Radix Tooltip No breaking changes. 2413 tests passing. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 09:38:47 +00:00
core-uiux	6fcb4a1f14	test(canvas/settings): add ServiceGroup coverage (10 cases) - role=group with aria-label containing service label - Service icon aria-hidden, correct emoji per service name - Count label: "1 key" vs "N keys" - Renders SecretRow for each secret - Header and rows div structure Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 09:38:47 +00:00
core-uiux	88d0f5356a	test(canvas/chat): add AttachmentImage coverage (10 cases) Adds Vitest coverage for AttachmentImage — inline image thumbnail with click-to-fullscreen lightbox. Covers: loading skeleton (240×180), ready state with blob URL, tone=user/agent border classes, lightbox open/close on click and Escape, AttachmentChip error fallback, img onError transition to chip, external URI direct href (no fetch), and blob URL cleanup on unmount. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 09:38:47 +00:00
core-uiux	5de96bc2a9	test(canvas/chat): add AttachmentAudio + AttachmentPDF coverage (18 cases) Adds Vitest coverage for two missing attachment renderers: AttachmentAudio (9 cases): - Loading skeleton (280x40) with aria-label - <audio controls> with blob src when ready - Filename label in ready state - tone=user -> blue/accent border - tone=agent -> neutral border - Error -> AttachmentChip fallback - audio onError -> chip transition - External URI -> direct href, no fetch - Blob URL cleanup on unmount AttachmentPDF (9 cases): - Loading skeleton with PdfGlyph + filename - Preview button with glyph, filename, "PDF" label - Lightbox opens with <embed> on click - Lightbox closes on Escape - tone=user -> blue/accent classes on button - tone=agent -> neutral border - Error -> AttachmentChip fallback - External URI -> direct href, no fetch - Blob URL cleanup on unmount Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 09:38:47 +00:00
core-uiux	f14e755001	test(canvas/chat): add AttachmentTextPreview coverage (12 cases) Adds Vitest coverage for AttachmentTextPreview — inline text/code preview with streaming fetch and expand/truncate. Covers: - Loading skeleton (320x80) with aria-label - Ready state with correct text content - Filename shown in header - Expand button appears when lines > 10 - Expand button hidden when all lines shown - Expand button updates display to full content - Download button calls onDownload - tone=user -> blue/accent border - tone=agent -> neutral border - Truncated notice when file exceeds 256 KB - Error -> AttachmentChip fallback - Cleanup on unmount Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 09:38:47 +00:00
core-uiux	d83c835845	test(settings): add TokensTab coverage (12 cases) 12 passing: loading spinner, empty state, token list rendering, each token's prefix/age/Revoke button, API URL correctness, revoke confirm + cancel dialogs, new-token creation + dismiss, create error, network error banner. Root bug fixed: confirm button search was unscoped — when the dialog opened, two "Revoke" buttons existed (tok2's row + dialog confirm); find() returned tok2's button first. Scoped the search to document.querySelector('[role="dialog"]') to hit the correct target. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 09:38:47 +00:00