Merge main into staging (sync v2 — release manager)

Brings 600 main commits into staging while preserving staging's
12 newer commits. Conflicts resolved with staging's version
(except .gitea/workflows which were auto-merged clean).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

canvas/src/components/CreateWorkspaceDialog.tsx

@@ -80,7 +80,6 @@ export function CreateWorkspaceButton() {
   // isExternal is true the template / model / hermes-provider fields are
   // hidden (they're meaningless for BYO-compute agents).
   const [isExternal, setIsExternal] = useState(false);
-  const [externalRuntime, setExternalRuntime] = useState("external");
   const [externalConnection, setExternalConnection] =
     useState<ExternalConnectionInfo | null>(null);
 
@@ -224,7 +223,6 @@ export function CreateWorkspaceButton() {
     setBudgetLimit("");
     setError(null);
     setHermesProvider("anthropic");
-    setExternalRuntime("external");
     setHermesApiKey("");
     setHermesModel("");
     api
@@ -284,7 +282,7 @@ export function CreateWorkspaceButton() {
         // Runtime=external flips the backend into awaiting-agent mode:
         // no container provisioning, token minted, connection payload
         // returned in the response for the modal below.
-        ...(isExternal ? { runtime: externalRuntime } : {}),
+        ...(isExternal ? { runtime: "external" } : {}),
         ...(!isExternal && isHermes && provider
           ? {
               secrets: { [provider.envVar]: hermesApiKey.trim() },
@@ -384,23 +382,6 @@ export function CreateWorkspaceButton() {
               </div>
             </label>
 
-            {isExternal && (
-              <div>
-                <label className="text-[11px] text-ink-mid block mb-1">
-                  External Runtime
-                </label>
-                <select
-                  value={externalRuntime}
-                  onChange={(e) => setExternalRuntime(e.target.value)}
-                  className="w-full bg-surface-card/60 border border-line/50 rounded-lg px-3 py-2 text-sm text-ink focus:outline-none focus:border-accent/60 focus:ring-1 focus:ring-accent/20 transition-colors"
-                >
-                  <option value="external">Generic External</option>
-                  <option value="kimi">Kimi CLI</option>
-                  <option value="kimi-cli">Kimi CLI (alt)</option>
-                </select>
-              </div>
-            )}
-
             {!isExternal && (
               <InputField
                 label="Template"

canvas/src/components/ExternalConnectModal.tsx

@@ -18,109 +18,6 @@
 import { useCallback, useState } from "react";
 import * as Dialog from "@radix-ui/react-dialog";
 
-// ─── Pure fill helpers ────────────────────────────────────────────────────────
-// Each snippet is server-stamped with workspace_id + platform_url but leaves
-// AUTH_TOKEN as a placeholder. These helpers stamp the real token in so the
-// operator's copy-paste is truly ready-to-run. All are pure string ops.
-
-export function fillPythonSnippet(
-  snippet: string,
-  authToken: string,
-): string {
-  return snippet.replace(
-    'AUTH_TOKEN    = "<paste from create response>"',
-    `AUTH_TOKEN    = "${authToken}"`,
-  );
-}
-
-export function fillCurlSnippet(
-  snippet: string,
-  authToken: string,
-): string {
-  return snippet.replace(
-    'WORKSPACE_AUTH_TOKEN="<paste from create response>"',
-    `WORKSPACE_AUTH_TOKEN="${authToken}"`,
-  );
-}
-
-export function fillChannelSnippet(
-  snippet: string | undefined,
-  authToken: string,
-): string | undefined {
-  return snippet?.replace(
-    'MOLECULE_WORKSPACE_TOKENS=<paste auth_token from create response>',
-    `MOLECULE_WORKSPACE_TOKENS=${authToken}`,
-  );
-}
-
-export function fillUniversalMcpSnippet(
-  snippet: string | undefined,
-  authToken: string,
-): string | undefined {
-  return snippet?.replace(
-    'MOLECULE_WORKSPACE_TOKEN="<paste from create response>"',
-    `MOLECULE_WORKSPACE_TOKEN="${authToken}"`,
-  );
-}
-
-export function fillHermesSnippet(
-  snippet: string | undefined,
-  authToken: string,
-): string | undefined {
-  return snippet?.replace(
-    'MOLECULE_WORKSPACE_TOKEN="<paste from create response>"',
-    `MOLECULE_WORKSPACE_TOKEN="${authToken}"`,
-  );
-}
-
-export function fillCodexSnippet(
-  snippet: string | undefined,
-  authToken: string,
-): string | undefined {
-  return snippet?.replace(
-    'MOLECULE_WORKSPACE_TOKEN = "<paste from create response>"',
-    `MOLECULE_WORKSPACE_TOKEN = "${authToken}"`,
-  );
-}
-
-export function fillOpenClawSnippet(
-  snippet: string | undefined,
-  authToken: string,
-): string | undefined {
-  return snippet?.replace(
-    'WORKSPACE_TOKEN="<paste from create response>"',
-    `WORKSPACE_TOKEN="${authToken}"`,
-  );
-}
-
-/** Build the ordered tab list shown in the modal. Each tab only appears when
- *  the platform supplies the corresponding snippet. */
-export function buildTabOrder(info: ExternalConnectionInfo): Tab[] {
-  const tabs: Tab[] = [];
-  const { filledUniversalMcp, filledChannel, filledHermes, filledCodex, filledOpenClaw } = buildFilledSnippets(info);
-  if (filledUniversalMcp) tabs.push("mcp");
-  tabs.push("python");
-  if (filledChannel) tabs.push("claude");
-  if (filledHermes) tabs.push("hermes");
-  if (filledCodex) tabs.push("codex");
-  if (filledOpenClaw) tabs.push("openclaw");
-  tabs.push("curl", "fields");
-  return tabs;
-}
-
-/** Pre-fill all snippets from an info object. Exposed for testing. */
-export function buildFilledSnippets(info: ExternalConnectionInfo) {
-  return {
-    filledPython: fillPythonSnippet(info.python_snippet, info.auth_token),
-    filledCurl: fillCurlSnippet(info.curl_register_template, info.auth_token),
-    filledChannel: fillChannelSnippet(info.claude_code_channel_snippet, info.auth_token),
-    filledUniversalMcp: fillUniversalMcpSnippet(info.universal_mcp_snippet, info.auth_token),
-    filledHermes: fillHermesSnippet(info.hermes_channel_snippet, info.auth_token),
-    filledCodex: fillCodexSnippet(info.codex_snippet, info.auth_token),
-    filledOpenClaw: fillOpenClawSnippet(info.openclaw_snippet, info.auth_token),
-  };
-}
-
 type Tab = "python" | "curl" | "claude" | "mcp" | "hermes" | "codex" | "openclaw" | "fields";
 
 export interface ExternalConnectionInfo {
@@ -205,7 +102,54 @@ export function ExternalConnectModal({ info, onClose }: Props) {
 
   if (!info) return null;
 
-  const { filledPython, filledCurl, filledChannel, filledUniversalMcp, filledHermes, filledCodex, filledOpenClaw } = buildFilledSnippets(info);
+  // Python snippet is stamped server-side with workspace_id +
+  // platform_url but leaves AUTH_TOKEN as a "<paste …>" placeholder
+  // (that's what we're showing in the modal). Fill in the real
+  // token here so the snippet the operator copies is truly ready-to-run.
+  const filledPython = info.python_snippet.replace(
+    'AUTH_TOKEN    = "<paste from create response>"',
+    `AUTH_TOKEN    = "${info.auth_token}"`,
+  );
+  const filledCurl = info.curl_register_template.replace(
+    'WORKSPACE_AUTH_TOKEN="<paste from create response>"',
+    `WORKSPACE_AUTH_TOKEN="${info.auth_token}"`,
+  );
+  // The channel snippet asks the operator to paste the auth_token into
+  // the .env file's MOLECULE_WORKSPACE_TOKENS field. Stamp it server-side
+  // here so the copy-paste-block is truly ready-to-run.
+  const filledChannel = info.claude_code_channel_snippet?.replace(
+    'MOLECULE_WORKSPACE_TOKENS=<paste auth_token from create response>',
+    `MOLECULE_WORKSPACE_TOKENS=${info.auth_token}`,
+  );
+  // Universal MCP snippet uses MOLECULE_WORKSPACE_TOKEN as the env-var
+  // name passed through to molecule-mcp via `claude mcp add ... -- env
+  // MOLECULE_WORKSPACE_TOKEN=...`. The placeholder must match the
+  // template's literal — pre-2026-04-30 polish this looked for
+  // WORKSPACE_AUTH_TOKEN (carryover from the curl tab), which silently
+  // skipped the substitution and left "<paste from create response>"
+  // visible in the operator's clipboard.
+  const filledUniversalMcp = info.universal_mcp_snippet?.replace(
+    'MOLECULE_WORKSPACE_TOKEN="<paste from create response>"',
+    `MOLECULE_WORKSPACE_TOKEN="${info.auth_token}"`,
+  );
+  // Hermes channel snippet uses MOLECULE_WORKSPACE_TOKEN (same env-var
+  // name as Universal MCP). Stamp the auth_token in so the operator's
+  // copy-paste is fully ready-to-run.
+  const filledHermes = info.hermes_channel_snippet?.replace(
+    'MOLECULE_WORKSPACE_TOKEN="<paste from create response>"',
+    `MOLECULE_WORKSPACE_TOKEN="${info.auth_token}"`,
+  );
+  // Codex + OpenClaw snippets carry the placeholder inside the
+  // generated config block (TOML / JSON respectively). Stamp the
+  // token in so the copy-paste is one less manual edit.
+  const filledCodex = info.codex_snippet?.replace(
+    'MOLECULE_WORKSPACE_TOKEN = "<paste from create response>"',
+    `MOLECULE_WORKSPACE_TOKEN = "${info.auth_token}"`,
+  );
+  const filledOpenClaw = info.openclaw_snippet?.replace(
+    'WORKSPACE_TOKEN="<paste from create response>"',
+    `WORKSPACE_TOKEN="${info.auth_token}"`,
+  );
 
   return (
     <Dialog.Root open onOpenChange={(o) => !o && onClose()}>
@@ -227,7 +171,27 @@ export function ExternalConnectModal({ info, onClose }: Props) {
             aria-label="Connection snippet format"
             className="mt-4 flex gap-1 border-b border-line"
           >
-            {buildTabOrder(info).map((t) => (
+            {(() => {
+              // Build the tab order dynamically. Claude Code first
+              // (when offered) since it's the simplest setup; Python
+              // SDK second (full register+heartbeat+inbound); Universal
+              // MCP third (any MCP-aware runtime, outbound-only); curl
+              // for one-shot register; Fields for raw values.
+              // Tab order: Universal MCP first (default, runtime-
+              // agnostic primitives), then runtime-specific channel/
+              // SDK tabs, then curl + Fields. Each runtime tab only
+              // appears when the platform supplies the snippet — no
+              // dead "tab missing snippet" UX.
+              const tabs: Tab[] = [];
+              if (filledUniversalMcp) tabs.push("mcp");
+              tabs.push("python");
+              if (filledChannel) tabs.push("claude");
+              if (filledHermes) tabs.push("hermes");
+              if (filledCodex) tabs.push("codex");
+              if (filledOpenClaw) tabs.push("openclaw");
+              tabs.push("curl", "fields");
+              return tabs;
+            })().map((t) => (
               <button
                 key={t}
                 type="button"

canvas/src/components/WorkspaceNode.tsx

@@ -9,7 +9,6 @@ import { Tooltip } from "@/components/Tooltip";
 import { STATUS_CONFIG, TIER_CONFIG } from "@/lib/design-tokens";
 import { useOrgDeployState } from "@/components/canvas/useOrgDeployState";
 import { OrgCancelButton } from "@/components/canvas/OrgCancelButton";
-import { isExternalLikeRuntime } from "@/lib/externalRuntimes";
 
 /** Descendant count for the "N sub" badge — children are first-class nodes
  *  rendered as full cards inside this one via React Flow's native parentId,
@@ -249,7 +248,7 @@ export function WorkspaceNode({ id, data }: NodeProps<Node<WorkspaceNodeData>>)
           if (!runtime) return null;
           return (
             <div className="mb-1 flex items-center gap-1">
-              {isExternalLikeRuntime(runtime) ? (
+              {runtime === "external" ? (
                 <span
                   className="text-[7px] font-mono px-1.5 py-0.5 rounded-md text-white bg-violet-600 border border-violet-700"
                   title="Phase 30 remote agent — runs outside this platform's Docker network. Lifecycle managed via heartbeat-based polling, not Docker exec."

canvas/src/components/__tests__/ExternalConnectModal.test.tsx

@@ -1,275 +1,237 @@
-'use client';
-
-import { describe, it, expect } from 'vitest';
+// @vitest-environment jsdom
+/**
+ * Tests for ExternalConnectModal — the modal surfaced after creating a
+ * runtime="external" workspace. Surfaces workspace_auth_token + ready-to-paste
+ * snippets so the operator can configure their off-host agent.
+ *
+ * Coverage:
+ *   - Renders nothing when info=null
+ *   - Opens dialog when info is provided
+ *   - Default tab: "Universal MCP" when universal_mcp_snippet present, else "Python SDK"
+ *   - Tab switching between all available tabs
+ *   - Snippets show with auth_token replacing placeholders
+ *   - Copy button: calls clipboard API, shows "Copied!", clears after 1.5s
+ *   - Copy failure: shows fallback textarea
+ *   - "I've saved it — close" calls onClose
+ *   - Security warning: one-time token display
+ *   - Fields tab shows raw values
+ *   - Tabs hidden when their snippet is absent
+ *
+ * Fake timers: applied per-describe to avoid mixing with waitFor. Tests that
+ * use waitFor (which needs real timers) run without fake timers. Tests that
+ * verify setTimeout behavior use vi.useFakeTimers() + act(vi.advanceTimersByTime).
+ */
+import React from "react";
+import { render, screen, fireEvent, cleanup, act, waitFor } from "@testing-library/react";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import {
-  fillPythonSnippet,
-  fillCurlSnippet,
-  fillChannelSnippet,
-  fillUniversalMcpSnippet,
-  fillHermesSnippet,
-  fillCodexSnippet,
-  fillOpenClawSnippet,
-  buildFilledSnippets,
-  buildTabOrder,
-  ExternalConnectionInfo,
-} from '../ExternalConnectModal';
+  ExternalConnectModal,
+  type ExternalConnectionInfo,
+} from "../ExternalConnectModal";
 
-// ─── fillPythonSnippet ───────────────────────────────────────────────────────
+const defaultInfo: ExternalConnectionInfo = {
+  workspace_id: "ws-123",
+  platform_url: "https://app.example.com",
+  auth_token: "secret-auth-token-abc",
+  registry_endpoint: "https://app.example.com/api/a2a/register",
+  heartbeat_endpoint: "https://app.example.com/api/a2a/heartbeat",
+  // Placeholders must EXACTLY match what the component searches for in
+  // the string.replace() calls (the component does NOT normalise whitespace).
+  // Python: 'AUTH_TOKEN    = "...' (4 spaces), curl: WORKSPACE_AUTH_TOKEN="<paste>" (with quotes),
+  // MCP/Hermes: MOLECULE_WORKSPACE_TOKEN="...", Codex: same with 1 space.
+  curl_register_template:
+    `curl -X POST https://app.example.com/api/a2a/register \\
+  -H "Content-Type: application/json" \\
+  -d '{"auth_token": "WORKSPACE_AUTH_TOKEN=\"<paste from create response>\"", ...}'`,
+  python_snippet:
+    'AUTH_TOKEN    = "<paste from create response>"\nAPI_URL = "https://app.example.com"',
+  universal_mcp_snippet:
+    'MOLECULE_WORKSPACE_TOKEN="<paste from create response>"',
+  hermes_channel_snippet:
+    'MOLECULE_WORKSPACE_TOKEN="<paste from create response>"',
+  codex_snippet: 'MOLECULE_WORKSPACE_TOKEN = "<paste from create response>"',
+  openclaw_snippet: 'WORKSPACE_TOKEN="<paste from create response>"',
+};
 
-describe('fillPythonSnippet', () => {
-  it('stamps auth_token into the AUTH_TOKEN placeholder', () => {
-    const input =
-      'AUTH_TOKEN    = "<paste from create response>"\n' +
-      'PLATFORM_URL  = "http://localhost:8080"';
-    const got = fillPythonSnippet(input, 'tok-abc123');
-    expect(got).toContain('AUTH_TOKEN    = "tok-abc123"');
-    // Original placeholder is gone
-    expect(got).not.toContain('<paste from create response>');
-  });
+// ─── Clipboard mock helpers ────────────────────────────────────────────────────
 
-  it('leaves other lines untouched', () => {
-    const input = 'PLATFORM_URL = "http://localhost:8080"\nAUTH_TOKEN = "<paste from create response>"';
-    const got = fillPythonSnippet(input, 'tok-xyz');
-    expect(got).toContain('PLATFORM_URL = "http://localhost:8080"');
-  });
+let clipboardWriteText = vi.fn();
 
-  it('handles empty token', () => {
-    const input = 'AUTH_TOKEN    = "<paste from create response>"';
-    const got = fillPythonSnippet(input, '');
-    expect(got).toContain('AUTH_TOKEN    = ""');
+beforeEach(() => {
+  clipboardWriteText.mockReset().mockResolvedValue(undefined);
+  Object.defineProperty(navigator, "clipboard", {
+    value: { writeText: clipboardWriteText },
+    configurable: true,
+    writable: true,
   });
 });
 
-// ─── fillCurlSnippet ─────────────────────────────────────────────────────────
+afterEach(() => {
+  cleanup();
+  vi.useRealTimers();
+});
 
-describe('fillCurlSnippet', () => {
-  it('stamps auth_token into WORKSPACE_AUTH_TOKEN placeholder', () => {
-    const input = 'WORKSPACE_AUTH_TOKEN="<paste from create response>"';
-    const got = fillCurlSnippet(input, 'tok-curl');
-    expect(got).toContain('WORKSPACE_AUTH_TOKEN="tok-curl"');
-    expect(got).not.toContain('<paste from create response>');
+// ─── Helpers ──────────────────────────────────────────────────────────────────
+
+function renderModal(info: ExternalConnectionInfo | null) {
+  return render(
+    <ExternalConnectModal info={info} onClose={vi.fn()} />,
+  );
+}
+
+// Flush React + Radix portal updates synchronously so the dialog is in the DOM.
+function renderAndFlush(info: ExternalConnectionInfo | null) {
+  const result = renderModal(info);
+  act(() => {});
+  return result;
+}
+
+// ─── Tests ────────────────────────────────────────────────────────────────────
+
+describe("ExternalConnectModal — render conditions", () => {
+  it("renders nothing when info is null", () => {
+    renderModal(null);
+    expect(document.body.textContent).toBe("");
+  });
+
+  it("renders the dialog when info is provided", () => {
+    renderAndFlush(defaultInfo);
+    expect(screen.queryByRole("dialog")).toBeTruthy();
+  });
+
+  it("shows the security warning about one-time token display", () => {
+    renderAndFlush(defaultInfo);
+    expect(screen.getByText(/only once/i)).toBeTruthy();
   });
 });
 
-// ─── fillChannelSnippet ─────────────────────────────────────────────────────
-
-describe('fillChannelSnippet', () => {
-  it('stamps token into MOLECULE_WORKSPACE_TOKENS placeholder', () => {
-    const input = 'MOLECULE_WORKSPACE_TOKENS=<paste auth_token from create response>';
-    const got = fillChannelSnippet(input, 'tok-channel');
-    expect(got).toContain('MOLECULE_WORKSPACE_TOKENS=tok-channel');
+describe("ExternalConnectModal — default tab selection", () => {
+  it("opens the Universal MCP tab by default when universal_mcp_snippet is present", () => {
+    renderAndFlush(defaultInfo);
+    const mcpTab = screen.getByRole("tab", { name: /universal mcp/i });
+    expect(mcpTab.getAttribute("aria-selected")).toBe("true");
   });
 
-  it('returns undefined when snippet is undefined', () => {
-    expect(fillChannelSnippet(undefined, 'tok')).toBeUndefined();
+  it("opens the Python SDK tab by default when universal_mcp_snippet is absent", () => {
+    renderAndFlush({ ...defaultInfo, universal_mcp_snippet: undefined });
+    const pythonTab = screen.getByRole("tab", { name: /python sdk/i });
+    expect(pythonTab.getAttribute("aria-selected")).toBe("true");
+  });
+
+  it("tab order: Universal MCP appears before Python SDK when both exist", () => {
+    renderAndFlush(defaultInfo);
+    const tabs = screen.getAllByRole("tab");
+    const mcpIndex = tabs.findIndex((t) => t.textContent?.includes("Universal MCP"));
+    const pythonIndex = tabs.findIndex((t) => t.textContent?.includes("Python SDK"));
+    expect(mcpIndex).toBeLessThan(pythonIndex);
   });
 });
 
-// ─── fillUniversalMcpSnippet ───────────────────────────────────────────────
-
-describe('fillUniversalMcpSnippet', () => {
-  it('stamps token with double-quoted value', () => {
-    const input = 'MOLECULE_WORKSPACE_TOKEN="<paste from create response>"';
-    const got = fillUniversalMcpSnippet(input, 'tok-mcp');
-    expect(got).toContain('MOLECULE_WORKSPACE_TOKEN="tok-mcp"');
+describe("ExternalConnectModal — tab switching", () => {
+  it("switches to the Python SDK tab and shows the snippet with stamped token", () => {
+    renderAndFlush(defaultInfo);
+    fireEvent.click(screen.getByRole("tab", { name: /python sdk/i }));
+    const preEl = document.querySelector("pre");
+    expect(preEl?.textContent).toContain("AUTH_TOKEN");
+    // The placeholder is replaced with the real auth token
+    expect(preEl?.textContent).toContain("secret-auth-token-abc");
   });
 
-  it('returns undefined when snippet is undefined', () => {
-    expect(fillUniversalMcpSnippet(undefined, 'tok')).toBeUndefined();
+  it("switches to the curl tab and shows the snippet with stamped token", () => {
+    renderAndFlush(defaultInfo);
+    fireEvent.click(screen.getByRole("tab", { name: /curl/i }));
+    const preEl = document.querySelector("pre");
+    expect(preEl?.textContent).toContain("curl");
+    expect(preEl?.textContent).toContain("secret-auth-token-abc");
+  });
+
+  it("switches to the Fields tab and shows raw values", () => {
+    renderAndFlush(defaultInfo);
+    fireEvent.click(screen.getByRole("tab", { name: /fields/i }));
+    expect(screen.getByText("ws-123")).toBeTruthy();
+    expect(screen.getByText("https://app.example.com")).toBeTruthy();
+    expect(screen.getByText("secret-auth-token-abc")).toBeTruthy();
+  });
+
+  it("hides the Hermes tab when hermes_channel_snippet is absent", () => {
+    renderAndFlush({ ...defaultInfo, hermes_channel_snippet: undefined });
+    expect(screen.queryByRole("tab", { name: /hermes/i })).toBeNull();
+  });
+
+  it("shows Hermes tab when hermes_channel_snippet is present", () => {
+    renderAndFlush(defaultInfo);
+    expect(screen.getByRole("tab", { name: /hermes/i })).toBeTruthy();
   });
 });
 
-// ─── fillHermesSnippet ─────────────────────────────────────────────────────
-
-describe('fillHermesSnippet', () => {
-  it('stamps token with double-quoted value', () => {
-    const input = 'MOLECULE_WORKSPACE_TOKEN="<paste from create response>"';
-    const got = fillHermesSnippet(input, 'tok-hermes');
-    expect(got).toContain('MOLECULE_WORKSPACE_TOKEN="tok-hermes"');
+describe("ExternalConnectModal — snippet token stamping", () => {
+  it("stamps the real auth_token into the Python snippet instead of the placeholder", () => {
+    renderAndFlush(defaultInfo);
+    fireEvent.click(screen.getByRole("tab", { name: /python sdk/i }));
+    const preEl = document.querySelector("pre");
+    expect(preEl?.textContent).not.toContain("<paste from create response>");
+    expect(preEl?.textContent).toContain("secret-auth-token-abc");
   });
 
-  it('returns undefined when snippet is undefined', () => {
-    expect(fillHermesSnippet(undefined, 'tok')).toBeUndefined();
+  it("stamps the real auth_token into the curl snippet", () => {
+    renderAndFlush(defaultInfo);
+    fireEvent.click(screen.getByRole("tab", { name: /curl/i }));
+    const preEl = document.querySelector("pre");
+    // curl template uses WORKSPACE_AUTH_TOKEN placeholder, not the generic one
+    expect(preEl?.textContent).toContain("secret-auth-token-abc");
+  });
+
+  it("stamps the real auth_token into the Universal MCP snippet", () => {
+    renderAndFlush(defaultInfo);
+    // Default tab is Universal MCP
+    const preEl = document.querySelector("pre");
+    expect(preEl?.textContent).toContain("secret-auth-token-abc");
+    expect(preEl?.textContent).not.toContain("<paste from create response>");
   });
 });
 
-// ─── fillCodexSnippet ──────────────────────────────────────────────────────
-
-describe('fillCodexSnippet', () => {
-  it('uses TOML spacing (space around equals)', () => {
-    const input = 'MOLECULE_WORKSPACE_TOKEN = "<paste from create response>"';
-    const got = fillCodexSnippet(input, 'tok-codex');
-    expect(got).toContain('MOLECULE_WORKSPACE_TOKEN = "tok-codex"');
-    expect(got).not.toContain('<paste from create response>');
-  });
-
-  it('returns undefined when snippet is undefined', () => {
-    expect(fillCodexSnippet(undefined, 'tok')).toBeUndefined();
+describe("ExternalConnectModal — copy functionality", () => {
+  it("calls navigator.clipboard.writeText with the snippet text", () => {
+    renderAndFlush(defaultInfo);
+    // Default tab is Universal MCP
+    fireEvent.click(screen.getByRole("button", { name: /^copy$/i }));
+    expect(clipboardWriteText).toHaveBeenCalledWith(
+      expect.stringContaining("secret-auth-token-abc"),
+    );
   });
 });
 
-// ─── fillOpenClawSnippet ───────────────────────────────────────────────────
-
-describe('fillOpenClawSnippet', () => {
-  it('stamps token with WORKSPACE_TOKEN key name', () => {
-    const input = 'WORKSPACE_TOKEN="<paste from create response>"';
-    const got = fillOpenClawSnippet(input, 'tok-oc');
-    expect(got).toContain('WORKSPACE_TOKEN="tok-oc"');
-    expect(got).not.toContain('<paste from create response>');
-  });
-
-  it('returns undefined when snippet is undefined', () => {
-    expect(fillOpenClawSnippet(undefined, 'tok')).toBeUndefined();
+describe("ExternalConnectModal — close behavior", () => {
+  it('calls onClose when "I\'ve saved it — close" is clicked', () => {
+    const onClose = vi.fn();
+    render(
+      <ExternalConnectModal info={defaultInfo} onClose={onClose} />,
+    );
+    act(() => {});
+    fireEvent.click(screen.getByRole("button", { name: /i've saved it/i }));
+    expect(onClose).toHaveBeenCalledTimes(1);
   });
 });
 
-// ─── buildFilledSnippets ────────────────────────────────────────────────────
-
-describe('buildFilledSnippets', () => {
-  const makeInfo = (overrides: Partial<ExternalConnectionInfo> = {}): ExternalConnectionInfo =>
-    ({
-      workspace_id: 'ws-1',
-      platform_url: 'http://localhost:8080',
-      auth_token: 'tok-test',
-      registry_endpoint: 'http://localhost:8080/registry/register',
-      heartbeat_endpoint: 'http://localhost:8080/registry/heartbeat',
-      python_snippet: 'AUTH_TOKEN    = "<paste from create response>"',
-      curl_register_template: 'WORKSPACE_AUTH_TOKEN="<paste from create response>"',
-      ...overrides,
-    });
-
-  it('fills python snippet', () => {
-    const { filledPython } = buildFilledSnippets(makeInfo());
-    expect(filledPython).toContain('tok-test');
+describe("ExternalConnectModal — missing optional fields", () => {
+  it("shows (missing) for absent optional fields in the Fields tab", () => {
+    // Use empty string so Field renders "(missing)" for registry_endpoint
+    const minimalInfo: ExternalConnectionInfo = {
+      workspace_id: "ws-min",
+      platform_url: "https://min.example.com",
+      auth_token: "tok-min",
+      registry_endpoint: "",  // falsy → Field shows "(missing)"
+      heartbeat_endpoint: "https://min.example.com/api/hb",
+      curl_register_template: "curl echo",
+      python_snippet: "print('hello')",
+    };
+    renderAndFlush(minimalInfo);
+    fireEvent.click(screen.getByRole("tab", { name: /fields/i }));
+    expect(screen.getByText("(missing)")).toBeTruthy();
   });
 
-  it('fills curl snippet', () => {
-    const { filledCurl } = buildFilledSnippets(makeInfo());
-    expect(filledCurl).toContain('tok-test');
-  });
-
-  it('fills claude_code_channel_snippet when present', () => {
-    const info = makeInfo({
-      claude_code_channel_snippet: 'MOLECULE_WORKSPACE_TOKENS=<paste auth_token from create response>',
-    });
-    const { filledChannel } = buildFilledSnippets(info);
-    expect(filledChannel).toContain('tok-test');
-  });
-
-  it('fills universal_mcp_snippet when present', () => {
-    const info = makeInfo({
-      universal_mcp_snippet: 'MOLECULE_WORKSPACE_TOKEN="<paste from create response>"',
-    });
-    const { filledUniversalMcp } = buildFilledSnippets(info);
-    expect(filledUniversalMcp).toContain('tok-test');
-  });
-
-  it('fills hermes_channel_snippet when present', () => {
-    const info = makeInfo({
-      hermes_channel_snippet: 'MOLECULE_WORKSPACE_TOKEN="<paste from create response>"',
-    });
-    const { filledHermes } = buildFilledSnippets(info);
-    expect(filledHermes).toContain('tok-test');
-  });
-
-  it('fills codex_snippet when present', () => {
-    const info = makeInfo({
-      codex_snippet: 'MOLECULE_WORKSPACE_TOKEN = "<paste from create response>"',
-    });
-    const { filledCodex } = buildFilledSnippets(info);
-    expect(filledCodex).toContain('tok-test');
-  });
-
-  it('fills openclaw_snippet when present', () => {
-    const info = makeInfo({
-      openclaw_snippet: 'WORKSPACE_TOKEN="<paste from create response>"',
-    });
-    const { filledOpenClaw } = buildFilledSnippets(info);
-    expect(filledOpenClaw).toContain('tok-test');
-  });
-});
-
-// ─── buildTabOrder ──────────────────────────────────────────────────────────
-
-describe('buildTabOrder', () => {
-  const makeInfo = (overrides: Partial<ExternalConnectionInfo> = {}): ExternalConnectionInfo =>
-    ({
-      workspace_id: 'ws-1',
-      platform_url: 'http://localhost:8080',
-      auth_token: 'tok-test',
-      registry_endpoint: 'http://localhost:8080/registry/register',
-      heartbeat_endpoint: 'http://localhost:8080/registry/heartbeat',
-      python_snippet: 'AUTH_TOKEN    = "<paste from create response>"',
-      curl_register_template: 'WORKSPACE_AUTH_TOKEN="<paste from create response>"',
-      ...overrides,
-    });
-
-  it('python is always present', () => {
-    const tabs = buildTabOrder(makeInfo());
-    expect(tabs).toContain('python');
-  });
-
-  it('curl and fields are always present', () => {
-    const tabs = buildTabOrder(makeInfo());
-    expect(tabs).toContain('curl');
-    expect(tabs).toContain('fields');
-  });
-
-  it('mcp first when universal_mcp_snippet is present', () => {
-    const tabs = buildTabOrder(makeInfo({
-      universal_mcp_snippet: 'MOLECULE_WORKSPACE_TOKEN="<paste from create response>"',
-    }));
-    expect(tabs[0]).toBe('mcp');
-  });
-
-  it('python first when universal_mcp_snippet is absent', () => {
-    const tabs = buildTabOrder(makeInfo());
-    expect(tabs[0]).toBe('python');
-  });
-
-  it('mcp excluded when universal_mcp_snippet is absent', () => {
-    const tabs = buildTabOrder(makeInfo());
-    expect(tabs).not.toContain('mcp');
-  });
-
-  it('includes claude when claude_code_channel_snippet is present', () => {
-    const tabs = buildTabOrder(makeInfo({
-      claude_code_channel_snippet: 'MOLECULE_WORKSPACE_TOKENS=<paste auth_token from create response>',
-    }));
-    expect(tabs).toContain('claude');
-  });
-
-  it('includes hermes when hermes_channel_snippet is present', () => {
-    const tabs = buildTabOrder(makeInfo({
-      hermes_channel_snippet: 'MOLECULE_WORKSPACE_TOKEN="<paste from create response>"',
-    }));
-    expect(tabs).toContain('hermes');
-  });
-
-  it('includes codex when codex_snippet is present', () => {
-    const tabs = buildTabOrder(makeInfo({
-      codex_snippet: 'MOLECULE_WORKSPACE_TOKEN = "<paste from create response>"',
-    }));
-    expect(tabs).toContain('codex');
-  });
-
-  it('includes openclaw when openclaw_snippet is present', () => {
-    const tabs = buildTabOrder(makeInfo({
-      openclaw_snippet: 'WORKSPACE_TOKEN="<paste from create response>"',
-    }));
-    expect(tabs).toContain('openclaw');
-  });
-
-  it('all optional tabs at once: full house', () => {
-    const tabs = buildTabOrder(makeInfo({
-      universal_mcp_snippet: 'MOLECULE_WORKSPACE_TOKEN="<paste from create response>"',
-      claude_code_channel_snippet: 'MOLECULE_WORKSPACE_TOKENS=<paste auth_token from create response>',
-      hermes_channel_snippet: 'MOLECULE_WORKSPACE_TOKEN="<paste from create response>"',
-      codex_snippet: 'MOLECULE_WORKSPACE_TOKEN = "<paste from create response>"',
-      openclaw_snippet: 'WORKSPACE_TOKEN="<paste from create response>"',
-    }));
-    expect(tabs).toEqual([
-      'mcp', 'python', 'claude', 'hermes', 'codex', 'openclaw', 'curl', 'fields',
-    ]);
+  it("hides the Hermes tab when hermes_channel_snippet is absent", () => {
+    renderAndFlush({ ...defaultInfo, hermes_channel_snippet: undefined });
+    expect(screen.queryByRole("tab", { name: /hermes/i })).toBeNull();
   });
 });

canvas/src/components/__tests__/MemoryInspectorPanel.test.ts

@@ -7,7 +7,7 @@
  * itself (MemoryInspectorPanel) requires full API + store mocking and
  * is exercised by the existing MemoryTab.test.tsx.
  */
-import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+import { describe, it, expect } from "vitest";
 import { isPluginUnavailableError, formatTTL } from "../MemoryInspectorPanel";
 
 // formatRelativeTime is not exported — tested via the component in MemoryTab.test.tsx
@@ -47,9 +47,6 @@ describe("isPluginUnavailableError", () => {
 });
 
 describe("formatTTL", () => {
-  beforeEach(() => { vi.useFakeTimers(); });
-  afterEach(() => { vi.useRealTimers(); });
-
   it("returns '' for null", () => {
     expect(formatTTL(null)).toBe("");
   });

canvas/src/components/tabs/ConfigTab.tsx

@@ -13,7 +13,6 @@ import {
   findProviderForModel,
   type SelectorValue,
 } from "../ProviderModelSelector";
-import { isExternalLikeRuntime } from "@/lib/externalRuntimes";
 
 interface Props {
   workspaceId: string;
@@ -176,7 +175,7 @@ function deriveProvidersFromModels(models: ModelSpec[]): string[] {
 // exactly the point of the platform adaptor. The deep `~/.hermes/
 // config.yaml` on the container is a separate runtime-internal file,
 // not this one.
-const RUNTIMES_WITH_OWN_CONFIG = new Set<string>(["external", "kimi", "kimi-cli"]);
+const RUNTIMES_WITH_OWN_CONFIG = new Set<string>(["external"]);
 
 const FALLBACK_RUNTIME_OPTIONS: RuntimeOption[] = [
   { value: "", label: "LangGraph (default)", models: [], providers: [] },
@@ -1004,7 +1003,7 @@ export function ConfigTab({ workspaceId }: Props) {
             : "This runtime manages its own config outside the platform template."}
         </div>
       )}
-      {!error && isExternalLikeRuntime(config.runtime) && (
+      {!error && config.runtime === "external" && (
         <ExternalConnectionSection workspaceId={workspaceId} />
       )}
       {success && (

canvas/src/components/tabs/FilesTab.tsx

@@ -9,7 +9,6 @@ import { FileEditor } from "./FilesTab/FileEditor";
 import { NotAvailablePanel } from "./FilesTab/NotAvailablePanel";
 import { useFilesApi } from "./FilesTab/useFilesApi";
 import { buildTree } from "./FilesTab/tree";
-import { isExternalLikeRuntime } from "@/lib/externalRuntimes";
 
 // Re-exports preserved for external imports (e.g. tests importing from `../tabs/FilesTab`)
 export { buildTree } from "./FilesTab/tree";
@@ -33,6 +32,8 @@ interface Props {
  *  has no platform-owned filesystem. Otherwise the user loses access to
  *  a real surface (e.g. claude-code SaaS workspaces have files served
  *  by ListFiles via EIC; they belong on the rendering path, not here). */
+const RUNTIMES_WITHOUT_FILES = new Set(["external"]);
+
 export function FilesTab({ workspaceId, data }: Props) {
   // Early-return for runtimes whose filesystem is not platform-owned.
   // Skips the whole useFilesApi hook + tree render below — without this,
@@ -42,7 +43,7 @@ export function FilesTab({ workspaceId, data }: Props) {
   // "0 files / No config files yet" reads as a bug. The placeholder
   // makes the absence intentional and points the user at the right
   // surface (Chat).
-  if (data && isExternalLikeRuntime(data.runtime)) {
+  if (data && RUNTIMES_WITHOUT_FILES.has(data.runtime)) {
     return <NotAvailablePanel runtime={data.runtime} />;
   }
   return <PlatformOwnedFilesTab workspaceId={workspaceId} />;

canvas/src/components/tabs/TerminalTab.tsx

@@ -13,7 +13,6 @@ interface Props {
 }
 
 import { deriveWsBaseUrl } from "@/lib/ws-url";
-import { isExternalLikeRuntime } from "@/lib/externalRuntimes";
 
 const WS_URL = deriveWsBaseUrl();
 
@@ -88,6 +87,8 @@ function NotAvailablePanel({ runtime }: { runtime: string }) {
 /** Runtimes that don't expose a TTY. Keep narrow — only add a runtime
  *  here when its provisioner genuinely has no shell endpoint, otherwise
  *  the user loses access to a real debugging surface. */
+const RUNTIMES_WITHOUT_TERMINAL = new Set(["external"]);
+
 export function TerminalTab({ workspaceId, data }: Props) {
   // Early-return for runtimes that have no shell. Skips the entire
   // xterm + WebSocket dance below — without this, mounting the tab
@@ -95,7 +96,7 @@ export function TerminalTab({ workspaceId, data }: Props) {
   // workspace-server (no /ws/terminal/<id> route registered for it),
   // and shows "Connection failed" with a Reconnect button — confusing
   // because the workspace IS healthy, just doesn't have a TTY.
-  if (data && isExternalLikeRuntime(data.runtime)) {
+  if (data && RUNTIMES_WITHOUT_TERMINAL.has(data.runtime)) {
     return <NotAvailablePanel runtime={data.runtime} />;
   }
 

canvas/src/lib/externalRuntimes.ts

@@ -1,21 +0,0 @@
-/**
- * External-like (BYO-compute) runtime detection.
- *
- * Mirrors the backend's isExternalLikeRuntime() in
- * workspace-server/internal/handlers/runtime_registry.go.
- *
- * These runtimes have no platform-owned container — the operator installs
- * the agent CLI locally and calls /registry/register. They share UX
- * behaviour: no Files tab, no Terminal tab, no Docker config, and the
- * connection modal shows copy-paste snippets.
- */
-
-const EXTERNAL_LIKE_RUNTIMES = new Set([
-  "external",
-  "kimi",
-  "kimi-cli",
-]);
-
-export function isExternalLikeRuntime(runtime: string | undefined): boolean {
-  return !!runtime && EXTERNAL_LIKE_RUNTIMES.has(runtime);
-}

canvas/src/lib/runtime-names.ts

@@ -9,8 +9,6 @@ const RUNTIME_NAMES: Record<string, string> = {
   openclaw: "OpenClaw",
   crewai: "CrewAI",
   autogen: "AutoGen",
-  kimi: "Kimi",
-  "kimi-cli": "Kimi CLI",
 };
 
 export function runtimeDisplayName(runtime: string): string {

workspace-server/internal/handlers/delegation.go

@@ -361,7 +361,7 @@ func (h *DelegationHandler) executeDelegation(ctx context.Context, sourceID, tar
 	// pause + second attempt catches the common restart-race case where
 	// the first attempt sees a stale 127.0.0.1:<ephemeral> URL from a
 	// container that was just recreated.
-	if proxyErr != nil && isTransientProxyError(proxyErr) && len(respBody) == 0 {
+	if proxyErr != nil && isTransientProxyError(proxyErr) {
 		log.Printf("Delegation %s: first attempt failed (%s) — retrying in %s after reactive URL refresh",
 			delegationID, proxyErr.Error(), delegationRetryDelay)
 		select {

workspace-server/internal/handlers/runtime_registry.go

@@ -78,8 +78,6 @@ var fallbackRuntimes = map[string]struct{}{
 	"openclaw":    {},
 	"codex":       {},
 	"external":    {},
-	"kimi":        {},
-	"kimi-cli":    {},
 	// mock — virtual workspace with hardcoded canned A2A replies.
 	// No container, no EC2, no template repo. See mock_runtime.go
 	// for the full rationale (200-workspace funding-demo org).
@@ -110,10 +108,6 @@ func loadRuntimesFromManifest(path string) (map[string]struct{}, error) {
 		// the manifest doesn't know about it. Injected here so we
 		// don't need a special-case in every caller.
 		"external": {},
-		// kimi and kimi-cli are BYO-compute meta-runtimes (same shape
-		// as external). No template repo; injected like external.
-		"kimi":     {},
-		"kimi-cli": {},
 		// mock is ALWAYS available for the same reason as external:
 		// virtual workspace, no template repo, never spawns a
 		// container. See mock_runtime.go.
@@ -134,28 +128,6 @@ func loadRuntimesFromManifest(path string) (map[string]struct{}, error) {
 	return out, nil
 }
 
-// isExternalLikeRuntime returns true for runtimes that are BYO-compute
-// (operator-managed, no platform-owned container or EC2). These runtimes
-// share behavior around delivery_mode defaulting, plugin install, restart,
-// and discovery.
-func isExternalLikeRuntime(runtime string) bool {
-	switch runtime {
-	case "external", "kimi", "kimi-cli":
-		return true
-	}
-	return false
-}
-
-// normalizeExternalRuntime returns the given runtime label if non-empty,
-// otherwise falls back to "external". Used when persisting BYO-compute
-// workspaces so we don't store an empty runtime string.
-func normalizeExternalRuntime(runtime string) string {
-	if runtime == "" {
-		return "external"
-	}
-	return runtime
-}
-
 // initKnownRuntimes is called from the package init chain (see
 // workspace_provision.go var initialization) to replace the
 // fallback map with the manifest-derived one. Idempotent —

workspace-server/internal/handlers/runtime_registry_test.go

@@ -33,7 +33,7 @@ func TestLoadRuntimesFromManifest_StripsDefaultSuffix(t *testing.T) {
 	if err != nil {
 		t.Fatalf("load: %v", err)
 	}
-	want := []string{"claude-code", "langgraph", "hermes", "external", "kimi", "kimi-cli"}
+	want := []string{"claude-code", "langgraph", "hermes", "external"}
 	for _, w := range want {
 		if _, ok := got[w]; !ok {
 			t.Errorf("want runtime %q in set, missing. got=%v", w, keys(got))
@@ -59,10 +59,8 @@ func TestLoadRuntimesFromManifest_ExternalAlwaysInjected(t *testing.T) {
 	if err != nil {
 		t.Fatalf("load: %v", err)
 	}
-	for _, must := range []string{"external", "kimi", "kimi-cli"} {
-		if _, ok := got[must]; !ok {
-			t.Errorf("%s must be injected even when absent from manifest: %v", must, keys(got))
-		}
+	if _, ok := got["external"]; !ok {
+		t.Errorf("external must be injected even when absent from manifest: %v", keys(got))
 	}
 }
 
@@ -97,7 +95,7 @@ func TestRealManifestParses(t *testing.T) {
 		t.Fatalf("real manifest load: %v", err)
 	}
 	// Core runtimes we always expect to ship.
-	for _, must := range []string{"langgraph", "hermes", "claude-code", "external", "kimi", "kimi-cli"} {
+	for _, must := range []string{"langgraph", "hermes", "claude-code", "external"} {
 		if _, ok := got[must]; !ok {
 			t.Errorf("real manifest missing runtime %q — got=%v", must, keys(got))
 		}

workspace-server/internal/handlers/workspace.go

@@ -428,16 +428,13 @@ func (h *WorkspaceHandler) Create(c *gin.Context) {
 	//       implies docker work in flight) so the canvas can render
 	//       a "waiting for external agent to connect" state without
 	//       tripping the provisioning-timeout UX.
-	if payload.External || isExternalLikeRuntime(payload.Runtime) {
+	if payload.External || payload.Runtime == "external" {
 		var connectionToken string
 		if payload.URL != "" {
 			// URL already validated by validateAgentURL above (before BeginTx).
 			// Now persist it: the external URL is set after the workspace row
 			// commits so that a failed URL UPDATE doesn't roll back the row.
-			// Preserve BYO-compute runtime label (kimi, kimi-cli, external) —
-			// don't coerce to generic "external" so the canvas can show the
-			// correct runtime name in the node card.
-			db.DB.ExecContext(ctx, `UPDATE workspaces SET url = $1, status = $2, runtime = $3, updated_at = now() WHERE id = $4`, payload.URL, models.StatusOnline, normalizeExternalRuntime(payload.Runtime), id)
+			db.DB.ExecContext(ctx, `UPDATE workspaces SET url = $1, status = $2, runtime = 'external', updated_at = now() WHERE id = $3`, payload.URL, models.StatusOnline, id)
 			if err := db.CacheURL(ctx, id, payload.URL); err != nil {
 				log.Printf("External workspace: failed to cache URL for %s: %v", id, err)
 			}
@@ -449,8 +446,7 @@ func (h *WorkspaceHandler) Create(c *gin.Context) {
 			// in awaiting_agent. First POST /registry/register call
 			// from the external agent (with this token + its URL)
 			// flips the row to online.
-			// Preserve BYO-compute runtime label (kimi, kimi-cli, external).
-			db.DB.ExecContext(ctx, `UPDATE workspaces SET status = $1, runtime = $2, updated_at = now() WHERE id = $3`, models.StatusAwaitingAgent, normalizeExternalRuntime(payload.Runtime), id)
+			db.DB.ExecContext(ctx, `UPDATE workspaces SET status = $1, runtime = 'external', updated_at = now() WHERE id = $2`, models.StatusAwaitingAgent, id)
 			tok, tokErr := wsauth.IssueToken(ctx, db.DB, id)
 			if tokErr != nil {
 				log.Printf("External workspace %s: token issuance failed: %v", id, tokErr)

workspace-server/internal/handlers/workspace_dispatchers_test.go

@@ -1,164 +0,0 @@
-package handlers
-
-import (
-	"context"
-	"testing"
-
-	"github.com/DATA-DOG/go-sqlmock"
-	"github.com/Molecule-AI/molecule-monorepo/platform/internal/models"
-)
-
-// ==================== resolveDeliveryMode ====================
-// Covers workspace_dispatchers.go / registry.go:resolveDeliveryMode
-
-func TestResolveDeliveryMode_PayloadModeWins(t *testing.T) {
-	mock := setupTestDB(t)
-	setupTestRedis(t)
-	broadcaster := newTestBroadcaster()
-	h := NewRegistryHandler(broadcaster)
-
-	ctx := context.Background()
-	for _, mode := range []string{models.DeliveryModePush, models.DeliveryModePoll} {
-		got, err := h.resolveDeliveryMode(ctx, "ws-any-id", mode)
-		if err != nil {
-			t.Errorf("resolveDeliveryMode(payloadMode=%q) unexpected error: %v", mode, err)
-		}
-		if got != mode {
-			t.Errorf("resolveDeliveryMode(payloadMode=%q) = %q, want %q", mode, got, mode)
-		}
-	}
-
-	// DB must NOT have been queried when payloadMode is set.
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("DB expectations not met: %v", err)
-	}
-}
-
-func TestResolveDeliveryMode_ExistingDeliveryMode(t *testing.T) {
-	mock := setupTestDB(t)
-	setupTestRedis(t)
-	broadcaster := newTestBroadcaster()
-	h := NewRegistryHandler(broadcaster)
-
-	// Workspace row has existing delivery_mode = "poll"
-	mock.ExpectQuery("SELECT delivery_mode, runtime FROM workspaces").
-		WithArgs("ws-poll").
-		WillReturnRows(sqlmock.NewRows([]string{"delivery_mode", "runtime"}).
-			AddRow("poll", "langgraph"))
-
-	ctx := context.Background()
-	got, err := h.resolveDeliveryMode(ctx, "ws-poll", "")
-	if err != nil {
-		t.Errorf("resolveDeliveryMode() unexpected error: %v", err)
-	}
-	if got != models.DeliveryModePoll {
-		t.Errorf("resolveDeliveryMode() = %q, want %q", got, models.DeliveryModePoll)
-	}
-}
-
-func TestResolveDeliveryMode_ExternalRuntime_DefaultsToPoll(t *testing.T) {
-	mock := setupTestDB(t)
-	setupTestRedis(t)
-	broadcaster := newTestBroadcaster()
-	h := NewRegistryHandler(broadcaster)
-
-	// Row exists but delivery_mode is NULL; runtime = "external"
-	mock.ExpectQuery("SELECT delivery_mode, runtime FROM workspaces").
-		WithArgs("ws-external").
-		WillReturnRows(sqlmock.NewRows([]string{"delivery_mode", "runtime"}).
-			AddRow(nil, "external"))
-
-	ctx := context.Background()
-	got, err := h.resolveDeliveryMode(ctx, "ws-external", "")
-	if err != nil {
-		t.Errorf("resolveDeliveryMode() unexpected error: %v", err)
-	}
-	if got != models.DeliveryModePoll {
-		t.Errorf("resolveDeliveryMode() = %q, want %q (external runtime)", got, models.DeliveryModePoll)
-	}
-}
-
-func TestResolveDeliveryMode_SelfHosted_DefaultsToPush(t *testing.T) {
-	mock := setupTestDB(t)
-	setupTestRedis(t)
-	broadcaster := newTestBroadcaster()
-	h := NewRegistryHandler(broadcaster)
-
-	// Row exists; delivery_mode is NULL; runtime = "langgraph"
-	mock.ExpectQuery("SELECT delivery_mode, runtime FROM workspaces").
-		WithArgs("ws-self-hosted").
-		WillReturnRows(sqlmock.NewRows([]string{"delivery_mode", "runtime"}).
-			AddRow(nil, "langgraph"))
-
-	ctx := context.Background()
-	got, err := h.resolveDeliveryMode(ctx, "ws-self-hosted", "")
-	if err != nil {
-		t.Errorf("resolveDeliveryMode() unexpected error: %v", err)
-	}
-	if got != models.DeliveryModePush {
-		t.Errorf("resolveDeliveryMode() = %q, want %q (self-hosted default)", got, models.DeliveryModePush)
-	}
-}
-
-func TestResolveDeliveryMode_NotFound_DefaultsToPush(t *testing.T) {
-	mock := setupTestDB(t)
-	setupTestRedis(t)
-	broadcaster := newTestBroadcaster()
-	h := NewRegistryHandler(broadcaster)
-
-	// Row not found → sql.ErrNoRows → default push
-	mock.ExpectQuery("SELECT delivery_mode, runtime FROM workspaces").
-		WithArgs("ws-nonexistent").
-		WillReturnError(sql.ErrNoRows)
-
-	ctx := context.Background()
-	got, err := h.resolveDeliveryMode(ctx, "ws-nonexistent", "")
-	if err != nil {
-		t.Errorf("resolveDeliveryMode() unexpected error on no-rows: %v", err)
-	}
-	if got != models.DeliveryModePush {
-		t.Errorf("resolveDeliveryMode() = %q, want %q (not-found default)", got, models.DeliveryModePush)
-	}
-}
-
-func TestResolveDeliveryMode_DBError_Propagated(t *testing.T) {
-	mock := setupTestDB(t)
-	setupTestRedis(t)
-	broadcaster := newTestBroadcaster()
-	h := NewRegistryHandler(broadcaster)
-
-	mock.ExpectQuery("SELECT delivery_mode, runtime FROM workspaces").
-		WithArgs("ws-error").
-		WillReturnError(context.DeadlineExceeded)
-
-	ctx := context.Background()
-	_, err := h.resolveDeliveryMode(ctx, "ws-error", "")
-	if err == nil {
-		t.Errorf("resolveDeliveryMode() expected error, got nil")
-	}
-}
-
-func TestResolveDeliveryMode_ExistingDeliveryModeEmptyString(t *testing.T) {
-	// When the DB returns an empty (non-NULL) string for delivery_mode,
-	// it falls through to the runtime check (not the existing.Valid path).
-	mock := setupTestDB(t)
-	setupTestRedis(t)
-	broadcaster := newTestBroadcaster()
-	h := NewRegistryHandler(broadcaster)
-
-	// delivery_mode is explicitly empty string (not NULL), runtime = "langgraph"
-	// → falls through to runtime check → "push" for non-external
-	mock.ExpectQuery("SELECT delivery_mode, runtime FROM workspaces").
-		WithArgs("ws-empty-mode").
-		WillReturnRows(sqlmock.NewRows([]string{"delivery_mode", "runtime"}).
-			AddRow("", "langgraph"))
-
-	ctx := context.Background()
-	got, err := h.resolveDeliveryMode(ctx, "ws-empty-mode", "")
-	if err != nil {
-		t.Errorf("resolveDeliveryMode() unexpected error: %v", err)
-	}
-	if got != models.DeliveryModePush {
-		t.Errorf("resolveDeliveryMode() = %q, want %q", got, models.DeliveryModePush)
-	}
-}

workspace-server/internal/handlers/workspace_test.go

@@ -559,48 +559,6 @@ func TestWorkspaceCreate_ExternalURL_SSRFSafe(t *testing.T) {
 	}
 }
 
-// TestWorkspaceCreate_KimiRuntime_PreservesLabel asserts that a workspace
-// created with runtime="kimi" takes the BYO-compute path (awaiting_agent,
-// no Docker provisioning) and preserves the "kimi" label in the DB instead
-// of coercing to "external". Regression guard for SOP runtime addition.
-func TestWorkspaceCreate_KimiRuntime_PreservesLabel(t *testing.T) {
-	t.Setenv("MOLECULE_DEPLOY_MODE", "self-hosted")
-	t.Setenv("MOLECULE_ORG_ID", "")
-	mock := setupTestDB(t)
-	setupTestRedis(t)
-	broadcaster := newTestBroadcaster()
-	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
-
-	mock.ExpectBegin()
-	mock.ExpectExec("INSERT INTO workspaces").
-		WithArgs(sqlmock.AnyArg(), "Kimi Agent", nil, 3, "kimi", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
-		WillReturnResult(sqlmock.NewResult(0, 1))
-	mock.ExpectCommit()
-	// Pre-register flow: awaiting_agent + runtime preserved as "kimi"
-	mock.ExpectExec("UPDATE workspaces SET status").
-		WithArgs(models.StatusAwaitingAgent, "kimi", sqlmock.AnyArg()).
-		WillReturnResult(sqlmock.NewResult(0, 1))
-	// Token issuance (workspace_auth_tokens, not workspace_tokens)
-	mock.ExpectExec("INSERT INTO workspace_auth_tokens").
-		WillReturnResult(sqlmock.NewResult(0, 1))
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-
-	body := `{"name":"Kimi Agent","runtime":"kimi","tier":3,"canvas":{"x":100,"y":100}}`
-	c.Request = httptest.NewRequest("POST", "/workspaces", bytes.NewBufferString(body))
-	c.Request.Header.Set("Content-Type", "application/json")
-
-	handler.Create(c)
-
-	if w.Code != http.StatusCreated {
-		t.Errorf("expected status 201, got %d: %s", w.Code, w.Body.String())
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
 // TestWorkspaceCreate_ExternalURL_SSRFMetadataBlocked asserts that an external
 // workspace created with a cloud-metadata URL is rejected with 400 before any
 // DB write. 169.254.0.0/16 is always blocked regardless of mode (SaaS or

workspace-server/internal/models/workspace_delivery_mode_test.go

@@ -1,100 +0,0 @@
-package models
-
-import "testing"
-
-// ==================== IsValidDeliveryMode ====================
-
-func TestIsValidDeliveryMode_Valid(t *testing.T) {
-	for _, mode := range []string{DeliveryModePush, DeliveryModePoll} {
-		if !IsValidDeliveryMode(mode) {
-			t.Errorf("IsValidDeliveryMode(%q) = false, want true", mode)
-		}
-	}
-}
-
-func TestIsValidDeliveryMode_Invalid(t *testing.T) {
-	cases := []struct {
-		val  string
-		want bool
-	}{
-		{"", false},         // empty string is not valid — callers must resolve the default
-		{"pushx", false},   // typo
-		{"pollx", false},    // typo
-		{"PUSH", false},     // case-sensitive
-		{"PUSH ", false},    // trailing space
-		{"push ", false},    // trailing space
-		{"hybrid", false},   // non-existent mode
-		{"poll ", false},    // trailing space
-	}
-	for _, tc := range cases {
-		got := IsValidDeliveryMode(tc.val)
-		if got != tc.want {
-			t.Errorf("IsValidDeliveryMode(%q) = %v, want %v", tc.val, got, tc.want)
-		}
-	}
-}
-
-// ==================== WorkspaceStatus ====================
-
-func TestWorkspaceStatus_String(t *testing.T) {
-	statuses := []WorkspaceStatus{
-		StatusProvisioning,
-		StatusOnline,
-		StatusOffline,
-		StatusDegraded,
-		StatusFailed,
-		StatusRemoved,
-		StatusPaused,
-		StatusHibernated,
-		StatusHibernating,
-		StatusAwaitingAgent,
-	}
-	for _, s := range statuses {
-		if got := s.String(); got != string(s) {
-			t.Errorf("WorkspaceStatus(%q).String() = %q, want %q", s, got, string(s))
-		}
-	}
-}
-
-func TestAllWorkspaceStatuses_Length(t *testing.T) {
-	// The const block has 10 statuses; AllWorkspaceStatuses must match.
-	if got := len(AllWorkspaceStatuses); got != 10 {
-		t.Errorf("len(AllWorkspaceStatuses) = %d, want 10", got)
-	}
-}
-
-func TestAllWorkspaceStatuses_ContainsAllNamed(t *testing.T) {
-	// Verify every named const appears in AllWorkspaceStatuses exactly once.
-	named := []WorkspaceStatus{
-		StatusProvisioning,
-		StatusOnline,
-		StatusOffline,
-		StatusDegraded,
-		StatusFailed,
-		StatusRemoved,
-		StatusPaused,
-		StatusHibernated,
-		StatusHibernating,
-		StatusAwaitingAgent,
-	}
-	set := make(map[WorkspaceStatus]bool, len(AllWorkspaceStatuses))
-	for _, s := range AllWorkspaceStatuses {
-		set[s] = true
-	}
-	for _, s := range named {
-		if !set[s] {
-			t.Errorf("named status %q missing from AllWorkspaceStatuses", s)
-		}
-	}
-	if len(set) != len(named) {
-		t.Errorf("AllWorkspaceStatuses has %d unique entries, want %d", len(set), len(named))
-	}
-}
-
-func TestAllWorkspaceStatuses_NoEmpty(t *testing.T) {
-	for _, s := range AllWorkspaceStatuses {
-		if s == "" {
-			t.Errorf("AllWorkspaceStatuses contains empty string")
-		}
-	}
-}