chore: retimestamp to retrigger CI

- ValidationHint (6 cases): null/valid/error render, role=alert a11y
- RevealToggle (9 cases): eye-icon toggle, aria-label, onToggle callback, SVG icons
- KeyValueField (14 cases): password type, aria-label forwarding, onChange
  with whitespace trim, disabled state, auto-hide timer setup + cleanup

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitea/workflows/ci.yml

@@ -148,6 +148,21 @@ jobs:
       - if: needs.changes.outputs.platform == 'true'
         name: Run golangci-lint
         run: golangci-lint run --timeout 3m ./... || true
+      - if: needs.changes.outputs.platform == 'true'
+        name: Diagnostic — per-package verbose 60s
+        run: |
+          set +e
+          go test -race -v -timeout 60s ./internal/handlers/... 2>&1 | tee /tmp/test-handlers.log
+          handlers_exit=$?
+          go test -race -v -timeout 60s ./internal/pendinguploads/... 2>&1 | tee /tmp/test-pu.log
+          pu_exit=$?
+          echo "::group::handlers exit=$handlers_exit (last 100 lines)"
+          tail -100 /tmp/test-handlers.log
+          echo "::endgroup::"
+          echo "::group::pendinguploads exit=$pu_exit (last 100 lines)"
+          tail -100 /tmp/test-pu.log
+          echo "::endgroup::"
+        continue-on-error: true
       - if: needs.changes.outputs.platform == 'true'
         name: Run tests with race detection and coverage
         run: go test -race -coverprofile=coverage.out ./...

.gitea/workflows/gate-check-v3.yml

@@ -71,8 +71,12 @@ jobs:
         run: |
           set -euo pipefail
           # Fetch all open PRs and run gate-check on each
+          # socket.setdefaulttimeout(15): defence-in-depth for missing SOP_TIER_CHECK_TOKEN.
+          # gate_check.py uses timeout=15 on every urlopen call; this catches the
+          # inline Python polling loop too (issue #603).
           pr_numbers=$(python3 -c "
-            import urllib.request, json, os
+            import socket, urllib.request, json, os
+            socket.setdefaulttimeout(15)
             token = os.environ['GITEA_TOKEN']
             req = urllib.request.Request(
                 'https://git.moleculesai.app/api/v1/repos/${{ github.repository }}/pulls?state=open&limit=100',

.gitea/workflows/publish-canvas-image.yml

@@ -54,11 +54,13 @@ env:
 jobs:
   build-and-push:
     name: Build & push canvas image
-    # NOTE: infra-sre must register a `docker` label on every act-runner that
-    # mounts /var/run/docker.sock (group=docker, socket perms 660+). Jobs without
-    # the `docker` label land on runners that lack the socket and fail here.
-    # See issue #576.
-    runs-on: [ubuntu-latest, docker]
+    # REVERTED (infra/revert-docker-runner-label): `runs-on: ubuntu-latest` restored.
+    # The `docker` label is not registered on any act_runner. `runs-on: [ubuntu-latest, docker]`
+    # causes jobs to queue indefinitely with zero eligible runners — strictly worse than the
+    # pre-#599 coin-flip (50% success rate). Once the `docker` label is registered on
+    # ≥2 runners, re-apply the fix from #599 (infra/docker-runner-label).
+    # See issue #576 + infra-lead pulse ~00:30Z.
+    runs-on: ubuntu-latest
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
     continue-on-error: true
     steps:

.gitea/workflows/publish-workspace-server-image.yml

@@ -52,12 +52,13 @@ env:
 
 jobs:
   build-and-push:
-    # NOTE: infra-sre must register a `docker` label on every act-runner that
-    # mounts /var/run/docker.sock (group=docker, socket perms 660+). Jobs without
-    # the `docker` label land on runners that lack the socket and fail here.
-    # molecule-runner-1 (no socket) vs molecule-runner-4 (socket) — coin-flip
-    # without this label gate.  See issue #576.
-    runs-on: [ubuntu-latest, docker]
+    # REVERTED (infra/revert-docker-runner-label): `runs-on: ubuntu-latest` restored.
+    # The `docker` label is not registered on any act_runner. `runs-on: [ubuntu-latest, docker]`
+    # causes jobs to queue indefinitely with zero eligible runners — strictly worse than the
+    # pre-#599 coin-flip (50% success rate). Once the `docker` label is registered on
+    # ≥2 runners, re-apply the fix from #599 (infra/docker-runner-label).
+    # See issue #576 + infra-lead pulse ~00:30Z.
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

.gitea/workflows/status-reaper.yml

@@ -67,12 +67,13 @@ on:
 permissions:
   contents: read
 
-# Single-flight: two reaper ticks racing would POST duplicate
-# compensations. Idempotent at the API (Gitea overwrites by context
-# on POST /statuses/{sha}) but cleaner to serialise.
-concurrency:
-  group: status-reaper
-  cancel-in-progress: false
+# NOTE: NO `concurrency:` block is intentional.
+# Gitea 1.22.6 doesn't honor `cancel-in-progress: false`: queued ticks
+# of the same group get cancelled-with-started=0 instead of waiting
+# (DB-verified 2026-05-12, runs 16053/16085 of status-reaper.yml).
+# The reaper's POST /statuses/{sha} is idempotent — Gitea de-dups by
+# context — so concurrent ticks are safe; accept them rather than
+# serialise via the broken mechanism.
 
 jobs:
   reap:

.gitea/workflows/weekly-platform-go.yml

@@ -0,0 +1,109 @@
+name: Weekly Platform-Go Surface
+
+# Surface latent vet/test errors on main by running the full Platform-Go
+# suite on a weekly cron regardless of whether the last push touched
+# workspace-server/.
+#
+# Background: ci.yml's `platform-build` job gates real work on
+# `if: needs.changes.outputs.platform == 'true'`. When no push touches
+# workspace-server/, the skip fires and the suite never executes on main.
+# Latent vet errors and test flakes can sit for weeks undetected.
+#
+# This workflow runs the full suite (build, vet, golangci-lint, tests with
+# coverage) every Monday at 04:17 UTC. Results are posted as commit statuses
+# but continue-on-error: true means they never block anything — they're
+# purely a noise-reduction signal for when the next workspace-server push
+# lands and would otherwise trigger the first real suite run.
+#
+# Why 04:17 UTC on Monday: off-peak, before the weekly sprint cycle starts.
+
+on:
+  schedule:
+    - cron: '17 4 * * 1'  # Mondays at 04:17 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  statuses: write
+
+jobs:
+  weekly-platform-go:
+    name: Weekly Platform-Go Surface
+    runs-on: ubuntu-latest
+    # continue-on-error: surface only, never block
+    continue-on-error: true
+    defaults:
+      run:
+        working-directory: workspace-server
+    steps:
+      - name: Checkout main
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: main
+          fetch-depth: 1
+
+      - name: Set up Go
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version: stable
+
+      - name: Go mod download
+        run: go mod download
+
+      - name: Build
+        run: go build ./cmd/server
+
+      - name: go vet
+        run: go vet ./... || true
+
+      - name: golangci-lint
+        run: golangci-lint run --timeout 3m ./... || true
+
+      - name: Tests with race detection + coverage
+        run: go test -race -coverprofile=coverage.out ./...
+
+      - name: Check coverage thresholds
+        run: |
+          set -e
+          TOTAL_FLOOR=25
+          CRITICAL_PATHS=(
+            "internal/handlers/tokens"
+            "internal/handlers/workspace_provision"
+            "internal/handlers/a2a_proxy"
+            "internal/handlers/registry"
+            "internal/handlers/secrets"
+            "internal/middleware/wsauth"
+            "internal/crypto"
+          )
+
+          TOTAL=$(go tool cover -func=coverage.out | grep '^total:' | awk '{print $3}' | sed 's/%//')
+          echo "Total coverage: ${TOTAL}%"
+          if awk "BEGIN{exit !(\$TOTAL < \$TOTAL_FLOOR)}"; then
+            echo "::error::Total coverage \${TOTAL}% is below the \${TOTAL_FLOOR}% floor."
+            exit 1
+          fi
+
+          ALLOWLIST=""
+          if [ -f ../.coverage-allowlist.txt ]; then
+            ALLOWLIST=$(grep -vE '^(#|[[:space:]]*$)' ../.coverage-allowlist.txt || true)
+          fi
+
+          FAILED=0
+          for path in "\${CRITICAL_PATHS[@]}"; do
+            while read -r file pct; do
+              [[ "$file" == *_test.go ]] && continue
+              [[ "$file" == *"$path"* ]] || continue
+              awk "BEGIN{exit !(\$pct < 10)}" || continue
+              rel=$(echo "$file" | sed 's|^github.com/molecule-ai/molecule-monorepo/platform/workspace-server/||; s|^github.com/molecule-ai/molecule-monorepo/platform/||')
+              if echo "$ALLOWLIST" | grep -qxF "$rel"; then
+                continue
+              fi
+              echo "::error::Low coverage \${pct}% on \${rel} (below 10% in critical path \${path})"
+              FAILED=$((FAILED + 1))
+            done < <(go tool cover -func=coverage.out | grep -v '^total:' | awk '{file=$1; sub(/:[0-9][0-9.]*:.*/, "", file); pct=$NF; gsub(/%/,"",pct); s[file]+=pct; c[file]++} END {for (f in s) printf "%s %.1f\n", f, s[f]/c[f]}' | sort)
+          done
+          if [ "$FAILED" -gt 0 ]; then
+            echo "::error::\${FAILED} critical paths below 10% coverage — see above."
+            exit 1
+          fi
+          echo "Coverage thresholds: OK"

canvas/src/components/tabs/FilesTab/__tests__/FilesTab.test.tsx

@@ -0,0 +1,224 @@
+// @vitest-environment jsdom
+/**
+ * FilesTab: NotAvailablePanel + FilesToolbar coverage.
+ *
+ * NotAvailablePanel: pure presentational component — renders a "feature not
+ * available" placeholder for external-runtime workspaces.
+ * FilesToolbar: pure props-driven component — directory selector, file count,
+ * action buttons (New, Upload, Export, Clear, Refresh) with correct aria-labels.
+ *
+ * No @testing-library/jest-dom import — use textContent / className /
+ * getAttribute checks to avoid "expect is not defined" errors.
+ */
+import { afterEach, describe, expect, it, vi } from "vitest";
+import { cleanup, render, screen } from "@testing-library/react";
+import React from "react";
+
+import { FilesToolbar } from "../FilesToolbar";
+import { NotAvailablePanel } from "../NotAvailablePanel";
+
+// ─── afterEach ─────────────────────────────────────────────────────────────────
+
+afterEach(() => {
+  cleanup();
+  vi.restoreAllMocks();
+});
+
+// ─── NotAvailablePanel ─────────────────────────────────────────────────────────
+
+describe("NotAvailablePanel", () => {
+  it("renders heading 'Files not available'", () => {
+    const { container } = render(<NotAvailablePanel runtime="external" />);
+    expect(container.textContent).toContain("Files not available");
+  });
+
+  it("renders the runtime name in monospace", () => {
+    const { container } = render(<NotAvailablePanel runtime="external" />);
+    expect(container.textContent).toContain("external");
+    const spans = container.querySelectorAll("span");
+    const monoSpans = Array.from(spans).filter(
+      (s) => s.className && s.className.includes("font-mono"),
+    );
+    expect(monoSpans.length).toBeGreaterThan(0);
+  });
+
+  it("renders a Chat tab hint in description", () => {
+    const { container } = render(<NotAvailablePanel runtime="remote-agent" />);
+    expect(container.textContent).toContain("Chat tab");
+  });
+
+  it("SVG icon has aria-hidden=true", () => {
+    const { container } = render(<NotAvailablePanel runtime="external" />);
+    const svg = container.querySelector("svg");
+    expect(svg?.getAttribute("aria-hidden")).toBe("true");
+  });
+
+  it("renders without crashing for any runtime string", () => {
+    const { container } = render(<NotAvailablePanel runtime="unknown-runtime" />);
+    expect(container.textContent).toContain("unknown-runtime");
+  });
+
+  it("applies the correct layout classes to root div", () => {
+    const { container } = render(<NotAvailablePanel runtime="external" />);
+    const root = container.firstElementChild as HTMLElement;
+    expect(root.className).toContain("flex");
+    expect(root.className).toContain("flex-col");
+    expect(root.className).toContain("items-center");
+  });
+});
+
+// ─── FilesToolbar ───────────────────────────────────────────────────────────────
+
+describe("FilesToolbar", () => {
+  const noop = vi.fn();
+
+  function renderToolbar(props: Partial<React.ComponentProps<typeof FilesToolbar>> = {}) {
+    return render(
+      <FilesToolbar
+        root="/configs"
+        setRoot={noop}
+        fileCount={0}
+        onNewFile={noop}
+        onUpload={noop}
+        onDownloadAll={noop}
+        onClearAll={noop}
+        onRefresh={noop}
+        {...props}
+      />,
+    );
+  }
+
+  it("renders the directory selector with correct aria-label", () => {
+    const { container } = renderToolbar();
+    const select = container.querySelector("select");
+    expect(select?.getAttribute("aria-label")).toBe("File root directory");
+  });
+
+  it("directory selector has all four options", () => {
+    const { container } = renderToolbar();
+    const select = container.querySelector("select") as HTMLSelectElement;
+    const options = Array.from(select?.options ?? []);
+    const values = options.map((o) => o.value);
+    expect(values).toContain("/configs");
+    expect(values).toContain("/home");
+    expect(values).toContain("/workspace");
+    expect(values).toContain("/plugins");
+  });
+
+  it("calls setRoot when directory changes", () => {
+    const setRoot = vi.fn();
+    const { container } = renderToolbar({ setRoot });
+    const select = container.querySelector("select") as HTMLSelectElement;
+    select.value = "/home";
+    select.dispatchEvent(new Event("change", { bubbles: true }));
+    expect(setRoot).toHaveBeenCalledWith("/home");
+  });
+
+  it("displays the file count", () => {
+    const { container } = renderToolbar({ fileCount: 42 });
+    expect(container.textContent).toContain("42 files");
+  });
+
+  it("shows New + Upload + Clear buttons for /configs", () => {
+    const { container } = renderToolbar({ root: "/configs" });
+    const texts = Array.from(container.querySelectorAll("button")).map(
+      (b) => b.textContent?.trim(),
+    );
+    expect(texts).toContain("+ New");
+    expect(texts).toContain("Upload");
+    expect(texts).toContain("Clear");
+    expect(texts).toContain("Export");
+    expect(texts).toContain("↻");
+  });
+
+  it("hides New + Upload + Clear for /workspace", () => {
+    const { container } = renderToolbar({ root: "/workspace" });
+    const texts = Array.from(container.querySelectorAll("button")).map(
+      (b) => b.textContent?.trim(),
+    );
+    expect(texts).not.toContain("+ New");
+    expect(texts).not.toContain("Upload");
+    expect(texts).not.toContain("Clear");
+    expect(texts).toContain("Export");
+  });
+
+  it("hides New + Upload + Clear for /home", () => {
+    const { container } = renderToolbar({ root: "/home" });
+    const texts = Array.from(container.querySelectorAll("button")).map(
+      (b) => b.textContent?.trim(),
+    );
+    expect(texts).not.toContain("+ New");
+    expect(texts).not.toContain("Upload");
+    expect(texts).not.toContain("Clear");
+  });
+
+  it("hides New + Upload + Clear for /plugins", () => {
+    const { container } = renderToolbar({ root: "/plugins" });
+    const texts = Array.from(container.querySelectorAll("button")).map(
+      (b) => b.textContent?.trim(),
+    );
+    expect(texts).not.toContain("+ New");
+    expect(texts).not.toContain("Upload");
+    expect(texts).not.toContain("Clear");
+  });
+
+  it("New button has correct aria-label", () => {
+    const { container } = renderToolbar({ root: "/configs" });
+    const newBtn = container.querySelector('button[aria-label="Create new file"]');
+    expect(newBtn?.textContent?.trim()).toBe("+ New");
+  });
+
+  it("Export button has correct aria-label", () => {
+    const { container } = renderToolbar();
+    const exportBtn = container.querySelector('button[aria-label="Download all files"]');
+    expect(exportBtn?.textContent?.trim()).toBe("Export");
+  });
+
+  it("Clear button has correct aria-label", () => {
+    const { container } = renderToolbar({ root: "/configs" });
+    const clearBtn = container.querySelector('button[aria-label="Delete all files"]');
+    expect(clearBtn?.textContent?.trim()).toBe("Clear");
+  });
+
+  it("Refresh button has correct aria-label", () => {
+    const { container } = renderToolbar();
+    const refreshBtn = container.querySelector('button[aria-label="Refresh file list"]');
+    expect(refreshBtn?.textContent?.trim()).toBe("↻");
+  });
+
+  it("calls onNewFile when New button is clicked", () => {
+    const onNewFile = vi.fn();
+    const { container } = renderToolbar({ root: "/configs", onNewFile });
+    container.querySelector('button[aria-label="Create new file"]')!.click();
+    expect(onNewFile).toHaveBeenCalledTimes(1);
+  });
+
+  it("calls onDownloadAll when Export button is clicked", () => {
+    const onDownloadAll = vi.fn();
+    const { container } = renderToolbar({ onDownloadAll });
+    container.querySelector('button[aria-label="Download all files"]')!.click();
+    expect(onDownloadAll).toHaveBeenCalledTimes(1);
+  });
+
+  it("calls onClearAll when Clear button is clicked", () => {
+    const onClearAll = vi.fn();
+    const { container } = renderToolbar({ root: "/configs", onClearAll });
+    container.querySelector('button[aria-label="Delete all files"]')!.click();
+    expect(onClearAll).toHaveBeenCalledTimes(1);
+  });
+
+  it("calls onRefresh when Refresh button is clicked", () => {
+    const onRefresh = vi.fn();
+    const { container } = renderToolbar({ onRefresh });
+    container.querySelector('button[aria-label="Refresh file list"]')!.click();
+    expect(onRefresh).toHaveBeenCalledTimes(1);
+  });
+
+  it("applies focus-visible ring to all interactive buttons", () => {
+    const { container } = renderToolbar({ root: "/configs" });
+    const buttons = container.querySelectorAll("button");
+    for (const btn of buttons) {
+      expect(btn.className).toContain("focus-visible:ring-2");
+    }
+  });
+});

canvas/src/components/tabs/__tests__/BudgetSection.test.tsx

@@ -0,0 +1,330 @@
+// @vitest-environment jsdom
+import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
+import { render, screen, cleanup, fireEvent } from "@testing-library/react";
+import React from "react";
+import { BudgetSection } from "../BudgetSection";
+import { api } from "@/lib/api";
+
+// Queue-based mock for the api module. Each api call shifts from the queue.
+// Tests push with qGet/qPatch and the module-level mockImplementation
+// reads from the queue.
+type QueueEntry = { body?: unknown; err?: Error };
+const apiQueue: QueueEntry[] = [];
+
+vi.mock("@/lib/api", () => ({
+  api: {
+    get: vi.fn(async (path: string) => {
+      const next = apiQueue.shift();
+      if (!next) throw new Error(`api.get queue exhausted at: ${path}`);
+      if (next.err) throw next.err;
+      return next.body;
+    }),
+    patch: vi.fn(async (path: string, _body?: unknown) => {
+      const next = apiQueue.shift();
+      if (!next) throw new Error(`api.patch queue exhausted at: ${path}`);
+      if (next.err) throw next.err;
+      return next.body;
+    }),
+  },
+}));
+
+afterEach(cleanup);
+
+beforeEach(() => {
+  apiQueue.length = 0;
+  vi.clearAllMocks();
+});
+
+const WS_ID = "budget-test-ws";
+
+function qGet(body: unknown) {
+  apiQueue.push({ body });
+}
+
+function qGetErr(status: number, msg: string) {
+  apiQueue.push({ err: new Error(`${msg}: ${status}`) });
+}
+
+function qPatch(body: unknown) {
+  apiQueue.push({ body });
+}
+
+function qPatchErr(status: number, msg: string) {
+  apiQueue.push({ err: new Error(`${msg}: ${status}`) });
+}
+
+function makeBudget(overrides: Partial<{
+  budget_limit: number | null;
+  budget_used: number;
+  budget_remaining: number | null;
+}> = {}) {
+  return {
+    budget_limit: 10_000,
+    budget_used: 3_500,
+    budget_remaining: 6_500,
+    ...overrides,
+  };
+}
+
+describe("BudgetSection", () => {
+  describe("loading state", () => {
+    it("shows loading indicator while fetching", async () => {
+      let resolveGet: (v: unknown) => void;
+      vi.mocked(api.get).mockImplementationOnce(
+        async () => new Promise((r) => { resolveGet = r as (v: unknown) => void; }),
+      );
+
+      render(<BudgetSection workspaceId={WS_ID} />);
+
+      expect(screen.getByTestId("budget-loading")).toBeTruthy();
+
+      // Resolve after render to verify state clears
+      resolveGet!(makeBudget());
+      await vi.waitFor(() => {
+        expect(screen.queryByTestId("budget-loading")).toBeNull();
+      });
+    });
+  });
+
+  describe("fetch error state", () => {
+    it("shows error message on non-402 fetch failure", async () => {
+      qGetErr(500, "Internal Server Error");
+
+      render(<BudgetSection workspaceId={WS_ID} />);
+
+      await vi.waitFor(() => {
+        expect(screen.getByTestId("budget-fetch-error")).toBeTruthy();
+      });
+      expect(screen.getByTestId("budget-fetch-error")!.textContent).toContain("500");
+    });
+
+    it("shows 402 as exceeded banner, not fetch error", async () => {
+      // 402 means the budget limit was hit — different UX from a network/API error.
+      qGetErr(402, "Payment Required");
+
+      render(<BudgetSection workspaceId={WS_ID} />);
+
+      await vi.waitFor(() => {
+        expect(screen.getByTestId("budget-exceeded-banner")).toBeTruthy();
+      });
+      expect(screen.queryByTestId("budget-fetch-error")).toBeNull();
+    });
+  });
+
+  describe("budget loaded — display", () => {
+    it("renders used / limit stats row", async () => {
+      qGet(makeBudget({ budget_limit: 10_000, budget_used: 3_500 }));
+
+      render(<BudgetSection workspaceId={WS_ID} />);
+
+      await vi.waitFor(() => {
+        expect(screen.getByTestId("budget-used-value")!.textContent).toBe("3,500");
+      });
+      expect(screen.getByTestId("budget-limit-value")!.textContent).toBe("10,000");
+    });
+
+    it("renders 'Unlimited' when budget_limit is null", async () => {
+      qGet(makeBudget({ budget_limit: null, budget_used: 1_000, budget_remaining: null }));
+
+      render(<BudgetSection workspaceId={WS_ID} />);
+
+      await vi.waitFor(() => {
+        expect(screen.getByTestId("budget-limit-value")!.textContent).toBe("Unlimited");
+      });
+    });
+
+    it("renders remaining credits when present", async () => {
+      qGet(makeBudget({ budget_limit: 10_000, budget_used: 3_500, budget_remaining: 6_500 }));
+
+      render(<BudgetSection workspaceId={WS_ID} />);
+
+      await vi.waitFor(() => {
+        expect(screen.getByTestId("budget-remaining")!.textContent).toContain("6,500");
+        expect(screen.getByTestId("budget-remaining")!.textContent).toContain("credits remaining");
+      });
+    });
+
+    it("omits remaining credits when budget_remaining is null", async () => {
+      qGet(makeBudget({ budget_limit: 10_000, budget_used: 3_500, budget_remaining: null }));
+
+      render(<BudgetSection workspaceId={WS_ID} />);
+
+      await vi.waitFor(() => {
+        expect(screen.queryByTestId("budget-remaining")).toBeNull();
+      });
+    });
+
+    it("caps progress bar at 100% when used > limit", async () => {
+      // Over-limit: 12000 used of 10000 limit should show 100%, not 120%.
+      qGet(makeBudget({ budget_limit: 10_000, budget_used: 12_000, budget_remaining: null }));
+
+      render(<BudgetSection workspaceId={WS_ID} />);
+
+      await vi.waitFor(() => {
+        const fill = screen.getByTestId("budget-progress-fill");
+        expect(fill.getAttribute("style")).toContain("100%");
+      });
+    });
+
+    it("omits progress bar when budget_limit is null (unlimited)", async () => {
+      qGet(makeBudget({ budget_limit: null, budget_used: 5_000, budget_remaining: null }));
+
+      render(<BudgetSection workspaceId={WS_ID} />);
+
+      await vi.waitFor(() => {
+        expect(screen.queryByTestId("budget-progress-fill")).toBeNull();
+      });
+    });
+  });
+
+  describe("budget exceeded (402)", () => {
+    it("shows exceeded banner when load returns 402", async () => {
+      qGetErr(402, "Payment Required");
+
+      render(<BudgetSection workspaceId={WS_ID} />);
+
+      await vi.waitFor(() => {
+        expect(screen.getByTestId("budget-exceeded-banner")).toBeTruthy();
+        expect(screen.getByTestId("budget-exceeded-banner")!.textContent).toContain("Budget exceeded");
+      });
+    });
+
+    it("clears exceeded banner after successful save", async () => {
+      qGetErr(402, "Payment Required");
+      qPatch(makeBudget({ budget_limit: 50_000, budget_used: 0, budget_remaining: 50_000 }));
+
+      render(<BudgetSection workspaceId={WS_ID} />);
+
+      await vi.waitFor(() => {
+        expect(screen.getByTestId("budget-exceeded-banner")).toBeTruthy();
+      });
+
+      const input = screen.getByTestId("budget-limit-input");
+      fireEvent.change(input, { target: { value: "50000" } });
+
+      const saveBtn = screen.getByTestId("budget-save-btn");
+      fireEvent.click(saveBtn);
+
+      await vi.waitFor(() => {
+        expect(screen.queryByTestId("budget-exceeded-banner")).toBeNull();
+      });
+    });
+  });
+
+  describe("save flow", () => {
+    it("shows save error on non-402 patch failure", async () => {
+      qGet(makeBudget());
+      qPatchErr(500, "Internal Server Error");
+
+      render(<BudgetSection workspaceId={WS_ID} />);
+
+      await vi.waitFor(() => {
+        expect(screen.getByTestId("budget-limit-input")).toBeTruthy();
+      });
+
+      const saveBtn = screen.getByTestId("budget-save-btn");
+      fireEvent.click(saveBtn);
+
+      await vi.waitFor(() => {
+        expect(screen.getByTestId("budget-save-error")).toBeTruthy();
+        expect(screen.getByTestId("budget-save-error")!.textContent).toContain("500");
+      });
+    });
+
+    it("updates input to new limit value after successful save", async () => {
+      qGet(makeBudget({ budget_limit: 10_000 }));
+      qPatch(makeBudget({ budget_limit: 20_000 }));
+
+      render(<BudgetSection workspaceId={WS_ID} />);
+
+      // Wait for the input to appear (loading → loaded)
+      await vi.waitFor(() => {
+        expect(screen.queryByTestId("budget-loading")).toBeNull();
+      });
+
+      const input = screen.getByTestId("budget-limit-input") as HTMLInputElement;
+      // Debug: check what values are rendered
+      const limitValue = screen.getByTestId("budget-limit-value")?.textContent;
+      expect(input.value).toBe("10000"); // initial value from API
+      expect(limitValue).toBe("10,000");
+
+      fireEvent.change(input, { target: { value: "20000" } });
+      expect(input.value).toBe("20000");
+
+      fireEvent.click(screen.getByTestId("budget-save-btn"));
+
+      await vi.waitFor(() => {
+        expect((screen.getByTestId("budget-limit-input") as HTMLInputElement).value).toBe("20000");
+      });
+    });
+
+    it("sends null when input is cleared (unlimited)", async () => {
+      qGet(makeBudget({ budget_limit: 10_000 }));
+      qPatch(makeBudget({ budget_limit: null }));
+
+      render(<BudgetSection workspaceId={WS_ID} />);
+
+      await vi.waitFor(() => {
+        expect(screen.getByTestId("budget-limit-input")).toBeTruthy();
+      });
+
+      const input = screen.getByTestId("budget-limit-input") as HTMLInputElement;
+      fireEvent.change(input, { target: { value: "" } });
+      fireEvent.click(screen.getByTestId("budget-save-btn"));
+
+      await vi.waitFor(() => {
+        // After save with null limit, input should show empty (unlimited)
+        expect(input.value).toBe("");
+      });
+    });
+
+    it("shows saving state on button while patch is in flight", async () => {
+      qGet(makeBudget());
+      let resolvePatch: (v: unknown) => void;
+      vi.mocked(api.patch).mockImplementationOnce(
+        async () => new Promise((r) => { resolvePatch = r as (v: unknown) => void; }),
+      );
+
+      render(<BudgetSection workspaceId={WS_ID} />);
+
+      await vi.waitFor(() => {
+        expect(screen.getByTestId("budget-limit-input")).toBeTruthy();
+      });
+
+      fireEvent.change(screen.getByTestId("budget-limit-input"), { target: { value: "50000" } });
+      fireEvent.click(screen.getByTestId("budget-save-btn"));
+
+      const btn = screen.getByTestId("budget-save-btn");
+      expect(btn.textContent).toContain("Saving");
+
+      resolvePatch!(makeBudget({ budget_limit: 50_000 }));
+      await vi.waitFor(() => {
+        expect(btn.textContent).toContain("Save");
+      });
+    });
+  });
+
+  describe("isApiError402 — regression coverage", () => {
+    it("classifies ': 402' with space as 402", async () => {
+      qGetErr(402, "Payment Required");
+      qPatch(makeBudget());
+
+      render(<BudgetSection workspaceId={WS_ID} />);
+
+      await vi.waitFor(() => {
+        expect(screen.getByTestId("budget-exceeded-banner")).toBeTruthy();
+      });
+    });
+
+    it("classifies non-402 error messages as regular fetch errors", async () => {
+      qGetErr(503, "Service Unavailable");
+
+      render(<BudgetSection workspaceId={WS_ID} />);
+
+      await vi.waitFor(() => {
+        expect(screen.getByTestId("budget-fetch-error")).toBeTruthy();
+      });
+      expect(screen.queryByTestId("budget-exceeded-banner")).toBeNull();
+    });
+  });
+});

canvas/src/components/ui/__tests__/KeyValueField.test.tsx

@@ -0,0 +1,142 @@
+// @vitest-environment jsdom
+/**
+ * Tests for KeyValueField component.
+ *
+ * Covers: initial password type, onChange callback (including whitespace trim
+ * on type), aria-label forwarding, disabled state, and auto-hide timer setup.
+ */
+import React from "react";
+import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
+import { render, screen, fireEvent, cleanup, act } from "@testing-library/react";
+import { KeyValueField } from "../KeyValueField";
+
+describe("KeyValueField — rendering", () => {
+  afterEach(cleanup);
+
+  it("renders input with type=password by default (secret hidden)", () => {
+    render(<KeyValueField value="" onChange={vi.fn()} />);
+    const input = screen.getByLabelText("Secret value");
+    expect(input.getAttribute("type")).toBe("password");
+  });
+
+  it("passes custom aria-label to the input element", () => {
+    render(<KeyValueField value="" onChange={vi.fn()} aria-label="API secret key" />);
+    expect(screen.getByLabelText("API secret key")).toBeTruthy();
+  });
+
+  it("disables the input when disabled=true", () => {
+    render(<KeyValueField value="secret" onChange={vi.fn()} disabled />);
+    expect(screen.getByLabelText("Secret value").disabled).toBe(true);
+  });
+
+  it("renders with the current value", () => {
+    render(<KeyValueField value="sk-test-key-123" onChange={vi.fn()} />);
+    expect(screen.getByLabelText("Secret value").value).toBe("sk-test-key-123");
+  });
+
+  it("renders with the placeholder text", () => {
+    render(<KeyValueField value="" onChange={vi.fn()} placeholder="Enter API key" />);
+    expect(screen.getByLabelText("Secret value").getAttribute("placeholder")).toBe("Enter API key");
+  });
+
+  it("renders the RevealToggle child button", () => {
+    render(<KeyValueField value="secret" onChange={vi.fn()} />);
+    // KeyValueField renders exactly one button (the RevealToggle)
+    expect(screen.getByRole("button")).toBeTruthy();
+  });
+});
+
+describe("KeyValueField — onChange", () => {
+  afterEach(cleanup);
+
+  it("calls onChange with the new value when user types", () => {
+    const onChange = vi.fn();
+    render(<KeyValueField value="" onChange={onChange} />);
+    fireEvent.change(screen.getByLabelText("Secret value"), { target: { value: "new-value" } });
+    expect(onChange).toHaveBeenCalledWith("new-value");
+  });
+
+  it("trims leading whitespace when user types with leading space", () => {
+    const onChange = vi.fn();
+    render(<KeyValueField value="" onChange={onChange} />);
+    fireEvent.change(screen.getByLabelText("Secret value"), { target: { value: "  trimmed" } });
+    expect(onChange).toHaveBeenCalledWith("trimmed");
+  });
+
+  it("trims trailing whitespace when user types with trailing space", () => {
+    const onChange = vi.fn();
+    render(<KeyValueField value="" onChange={onChange} />);
+    fireEvent.change(screen.getByLabelText("Secret value"), { target: { value: "trimmed  " } });
+    expect(onChange).toHaveBeenCalledWith("trimmed");
+  });
+
+  it("trims both sides when user types whitespace-surrounded value", () => {
+    const onChange = vi.fn();
+    render(<KeyValueField value="" onChange={onChange} />);
+    fireEvent.change(screen.getByLabelText("Secret value"), { target: { value: "  both sides  " } });
+    expect(onChange).toHaveBeenCalledWith("both sides");
+  });
+
+  it("does not modify value with no whitespace", () => {
+    const onChange = vi.fn();
+    render(<KeyValueField value="" onChange={onChange} />);
+    fireEvent.change(screen.getByLabelText("Secret value"), { target: { value: "clean-value" } });
+    expect(onChange).toHaveBeenCalledWith("clean-value");
+  });
+});
+
+describe("KeyValueField — auto-hide timer setup", () => {
+  beforeEach(() => {
+    vi.useFakeTimers();
+  });
+
+  afterEach(() => {
+    cleanup();
+    vi.useRealTimers();
+  });
+
+  it("sets up a 30s setTimeout when the component mounts with a non-empty value", () => {
+    const setTimeoutSpy = vi.spyOn(global, "setTimeout");
+    render(<KeyValueField value="secret" onChange={vi.fn()} />);
+    // No timer should be set initially (revealed=false by default)
+    const callsBeforeInteraction = setTimeoutSpy.mock.calls.length;
+
+    // Simulate reveal (click the only button)
+    act(() => { fireEvent.click(screen.getByRole("button")); });
+
+    // After reveal, a 30s timer should be set
+    const timerCalls = setTimeoutSpy.mock.calls.filter(
+      ([, delay]) => delay === 30_000,
+    );
+    expect(timerCalls.length).toBeGreaterThanOrEqual(1);
+  });
+
+  it("clears existing timer when a new toggle happens before auto-hide fires", () => {
+    const clearTimeoutSpy = vi.spyOn(global, "clearTimeout");
+    const timerObj = {}; // fake timer ID
+    vi.spyOn(global, "setTimeout").mockImplementation((fn: () => void, delay: number) => {
+      return timerObj;
+    });
+    render(<KeyValueField value="secret" onChange={vi.fn()} />);
+
+    // First toggle — reveal
+    act(() => { fireEvent.click(screen.getByRole("button")); });
+
+    // Second toggle — hide (should clear the timer from first toggle)
+    act(() => { fireEvent.click(screen.getByRole("button")); });
+
+    // clearTimeout was called with the timer object
+    expect(clearTimeoutSpy).toHaveBeenCalledWith(timerObj);
+  });
+
+  it("clears timer on unmount", () => {
+    const clearTimeoutSpy = vi.spyOn(global, "clearTimeout");
+    const { unmount } = render(<KeyValueField value="secret" onChange={vi.fn()} />);
+
+    // Toggle reveal to start the timer
+    act(() => { fireEvent.click(screen.getByRole("button")); });
+
+    unmount();
+    expect(clearTimeoutSpy).toHaveBeenCalled();
+  });
+});

canvas/src/components/ui/__tests__/RevealToggle.test.tsx

@@ -0,0 +1,68 @@
+// @vitest-environment jsdom
+/**
+ * Tests for RevealToggle component.
+ *
+ * Covers: eye-icon (hidden) vs eye-off-icon (revealed), onToggle callback,
+ * aria-label (default + custom), title attribute.
+ */
+import { afterEach, describe, it, expect, vi } from "vitest";
+import { render, screen, fireEvent, cleanup } from "@testing-library/react";
+import { RevealToggle } from "../RevealToggle";
+
+afterEach(cleanup);
+
+describe("RevealToggle", () => {
+  it("renders as a button", () => {
+    render(<RevealToggle revealed={false} onToggle={vi.fn()} />);
+    expect(screen.getByRole("button")).toBeTruthy();
+  });
+
+  it("uses default aria-label when not provided", () => {
+    render(<RevealToggle revealed={false} onToggle={vi.fn()} />);
+    expect(screen.getByRole("button").getAttribute("aria-label")).toBe("Toggle reveal secret");
+  });
+
+  it("uses custom aria-label when provided", () => {
+    render(<RevealToggle revealed={false} onToggle={vi.fn()} label="Show password" />);
+    expect(screen.getByRole("button").getAttribute("aria-label")).toBe("Show password");
+  });
+
+  it('title is "Hide value" when revealed', () => {
+    render(<RevealToggle revealed={true} onToggle={vi.fn()} />);
+    expect(screen.getByRole("button").getAttribute("title")).toBe("Hide value");
+  });
+
+  it('title is "Show value" when hidden', () => {
+    render(<RevealToggle revealed={false} onToggle={vi.fn()} />);
+    expect(screen.getByRole("button").getAttribute("title")).toBe("Show value");
+  });
+
+  it("calls onToggle when clicked (revealed=true → should hide)", () => {
+    const onToggle = vi.fn();
+    render(<RevealToggle revealed={true} onToggle={onToggle} />);
+    fireEvent.click(screen.getByRole("button"));
+    expect(onToggle).toHaveBeenCalledTimes(1);
+  });
+
+  it("calls onToggle when clicked (revealed=false → should show)", () => {
+    const onToggle = vi.fn();
+    render(<RevealToggle revealed={false} onToggle={onToggle} />);
+    fireEvent.click(screen.getByRole("button"));
+    expect(onToggle).toHaveBeenCalledTimes(1);
+  });
+
+  it("renders the eye-open SVG (hide icon) when revealed=false", () => {
+    render(<RevealToggle revealed={false} onToggle={vi.fn()} />);
+    const btn = screen.getByRole("button");
+    // The eye SVG contains a circle element; eye-off has a strikethrough line
+    expect(btn.querySelector("circle")).toBeTruthy();
+    expect(btn.querySelectorAll("line")).toHaveLength(0);
+  });
+
+  it("renders the eye-off SVG (show icon) when revealed=true", () => {
+    render(<RevealToggle revealed={true} onToggle={vi.fn()} />);
+    const btn = screen.getByRole("button");
+    // EyeOffIcon has a line (strikethrough) through the eye
+    expect(btn.querySelectorAll("line")).toHaveLength(1);
+  });
+});

canvas/src/components/ui/__tests__/ValidationHint.test.tsx

@@ -0,0 +1,49 @@
+// @vitest-environment jsdom
+/**
+ * Tests for ValidationHint component.
+ *
+ * Covers: null/neutral render, error state (red ⚠ + message), valid state
+ * (green ✓ + "Valid format"), ARIA role="alert" on error.
+ */
+import { afterEach, describe, it, expect } from "vitest";
+import { render, screen, cleanup } from "@testing-library/react";
+import { ValidationHint } from "../ValidationHint";
+
+afterEach(cleanup);
+
+describe("ValidationHint", () => {
+  it("renders nothing when error is null and showValid is false", () => {
+    const { container } = render(<ValidationHint error={null} showValid={false} />);
+    expect(container.innerHTML).toBe("");
+  });
+
+  it("renders nothing when error is null and showValid is undefined", () => {
+    const { container } = render(<ValidationHint error={null} />);
+    expect(container.innerHTML).toBe("");
+  });
+
+  it("renders error state with ⚠ icon and message", () => {
+    render(<ValidationHint error="Key name must be UPPER_SNAKE_CASE" />);
+    const el = screen.getByRole("alert");
+    expect(el.textContent).toContain("⚠");
+    expect(el.textContent).toContain("Key name must be UPPER_SNAKE_CASE");
+  });
+
+  it("renders valid state with ✓ and 'Valid format'", () => {
+    render(<ValidationHint error={null} showValid />);
+    const el = screen.getByText("Valid format");
+    expect(el.textContent).toContain("✓");
+  });
+
+  it("prefers error over valid when both are set (error is not null)", () => {
+    // ValidationHint checks error first; showValid is only rendered when error is falsy.
+    render(<ValidationHint error="Some error" showValid />);
+    expect(screen.getByRole("alert")).toBeTruthy();
+    expect(screen.queryByText("Valid format")).toBeNull();
+  });
+
+  it("error alert has role='alert' for screen readers", () => {
+    render(<ValidationHint error="Invalid format" />);
+    expect(screen.getByRole("alert")).toBeTruthy();
+  });
+});

tools/gate-check-v3/gate_check.py

@@ -35,6 +35,12 @@ GITEA_HOST = os.environ.get("GITEA_HOST", "git.moleculesai.app")
 GITEA_TOKEN = os.environ.get("GITEA_TOKEN", os.environ.get("GITHUB_TOKEN", ""))
 API_BASE = f"https://{GITEA_HOST}/api/v1"
 
+# Timeout in seconds for all HTTP calls. Defence-in-depth: ensures a missing or
+# invalid SOP_TIER_CHECK_TOKEN causes a fast (~15 s) failure rather than an
+# indefinite hang. The real fix is provisioning the token; this caps worst-case
+# wall-clock on a broken/unreachable Gitea host.
+DEFAULT_TIMEOUT = 15
+
 
 def api_get(path: str) -> dict | list:
     url = f"{API_BASE}{path}"
@@ -46,7 +52,7 @@ def api_get(path: str) -> dict | list:
         },
     )
     try:
-        with urllib.request.urlopen(req) as r:
+        with urllib.request.urlopen(req, timeout=DEFAULT_TIMEOUT) as r:
             return json.loads(r.read())
     except urllib.error.HTTPError as e:
         body = e.read().decode(errors="replace")
@@ -521,12 +527,12 @@ def run(repo: str, pr_number: int, post_comment: bool = False) -> dict:
                     comment_id = our_comments[-1]["id"]
                     url = f"{API_BASE}/repos/{owner}/{name}/issues/comments/{comment_id}"
                     req = urllib.request.Request(url, data=json.dumps({"body": comment_body}).encode(), headers=headers, method="PATCH")
-                    with urllib.request.urlopen(req) as r:
+                    with urllib.request.urlopen(req, timeout=DEFAULT_TIMEOUT) as r:
                         r.read()
                 else:
                     url = f"{API_BASE}/repos/{owner}/{name}/issues/{pr_number}/comments"
                     req = urllib.request.Request(url, data=json.dumps({"body": comment_body}).encode(), headers=headers, method="POST")
-                    with urllib.request.urlopen(req) as r:
+                    with urllib.request.urlopen(req, timeout=DEFAULT_TIMEOUT) as r:
                         r.read()
             except urllib.error.HTTPError as e:
                 if e.code == 403:

workspace-server/internal/handlers/delegation_test.go

@@ -983,7 +983,16 @@ func expectExecuteDelegationBase(mock sqlmock.Sqlmock) {
 		WithArgs("dispatched", "", testSourceID, testDelegationID).
 		WillReturnResult(sqlmock.NewResult(0, 1))
 
-	// CanCommunicate (source=target self-call is always allowed — no DB lookup needed)
+	// CanCommunicate: source != target → fires two getWorkspaceRef lookups.
+	// Both test fixtures have parent_id = NULL (root-level siblings) → allowed.
+	// Order matches call order: source first, then target.
+	mock.ExpectQuery("SELECT id, parent_id FROM workspaces WHERE id").
+		WithArgs(testSourceID).
+		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow(testSourceID, nil))
+	mock.ExpectQuery("SELECT id, parent_id FROM workspaces WHERE id").
+		WithArgs(testTargetID).
+		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow(testTargetID, nil))
+
 	// resolveAgentURL: reads ws:{id}:url from Redis, falls back to DB for target
 	mock.ExpectQuery("SELECT url, status FROM workspaces WHERE id = ").
 		WithArgs(testTargetID).