fix(sop-checklist): implement /sop-n/a N/A declarations + review-check 403 fix

Cherry-pick of infra/main-sop-na-fix N/A implementation + follow-up fixes.

N/A gate implementation (mc#1233 follow-up):
  - Adds separate _NA_DIRECTIVE_RE for /sop-n/a <gate> [reason] parsing.
  - parse_directives() now returns (directives, na_directives) tuple.
  - compute_na_state() evaluates N/A declarations per gate with
    team-membership probe (same 403 semantics as acks).
  - Posts 'sop-checklist / na-declarations (pull_request)' status
    with state=success when a gate is validly declared N/A by a
    non-author team member; state=failure otherwise.
  - review-check.sh reads this status to waive qa-review/security-review
    Gitea-APPROVE requirement when N/A is declared.

review-check 403 follow-up:
  - Team-membership API returns 403 if token owner is not in the team.
    Changed from exit 1 (hard-fail entire gate) to continue (skip this
    candidate, check others). Prevents a single 403 from blocking a gate
    when other valid team-members exist.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitea/ci-refire

@@ -0,0 +1 @@
+refire:1778784369

.gitea/scripts/ci-required-drift.py

@@ -203,12 +203,17 @@ def ci_jobs_all(ci_doc: dict) -> set[str]:
 
 def ci_job_names(ci_doc: dict) -> set[str]:
     """Set of job keys in ci.yml MINUS the sentinel itself MINUS jobs
-    whose `if:` gates on `github.event_name` (those are event-scoped
-    and can legitimately be `skipped` for a given trigger; if we
-    required them under the sentinel `needs:`, every PR-only job
+    whose `if:` gates on `github.event_name` or `github.ref` (those are
+    event-scoped and can legitimately be `skipped` for a given trigger;
+    if we required them under the sentinel `needs:`, every PR-only job
     would be `skipped` on push and the sentinel would interpret
     `skipped != success` as failure). RFC §4 spec.
 
+    `github.ref` is the companion gate for jobs that run only on direct
+    pushes to specific branches (e.g. `github.ref == 'refs/heads/main'`).
+    These never execute in a PR context, so flagging them as missing
+    from `all-required.needs:` is a false positive (mc#958 / mc#959).
+
     Used for F1 (jobs missing from sentinel needs). NOT used for F1b
     (typos in needs) — see `ci_jobs_all` for that."""
     jobs = ci_doc.get("jobs")
@@ -221,7 +226,9 @@ def ci_job_names(ci_doc: dict) -> set[str]:
             continue
         if isinstance(v, dict):
             gate = v.get("if")
-            if isinstance(gate, str) and "github.event_name" in gate:
+            if isinstance(gate, str) and (
+                "github.event_name" in gate or "github.ref" in gate
+            ):
                 continue
         names.add(k)
     return names

.gitea/scripts/gitea-merge-queue.py

@@ -417,7 +417,21 @@ def main() -> int:
     parser.add_argument("--dry-run", action="store_true")
     args = parser.parse_args()
     _require_runtime_env()
-    return process_once(dry_run=args.dry_run)
+    try:
+        return process_once(dry_run=args.dry_run)
+    except ApiError as exc:
+        # API errors (401/403/404/500) are transient for a queue tick —
+        # log and exit 0 so the workflow is not marked failed and the next
+        # tick can retry. Returning non-zero would permanently fail the
+        # workflow run, blocking future ticks.
+        sys.stderr.write(f"::error::queue API error: {exc}\n")
+        return 0
+    except urllib.error.URLError as exc:
+        sys.stderr.write(f"::error::queue network error: {exc}\n")
+        return 0
+    except TimeoutError as exc:
+        sys.stderr.write(f"::error::queue timeout: {exc}\n")
+        return 0
 
 
 if __name__ == "__main__":

.gitea/scripts/review-check.sh

@@ -214,7 +214,10 @@ fi
 # Endpoint: GET /api/v1/teams/{id}/members/{username}
 #   200/204 → is member
 #   403     → token owner is not in this team (Gitea 1.22.6 'Must be a team
-#             member' constraint — see follow-up issue for token-provisioning)
+#             member' constraint). The evaluator skips this candidate and
+#             continues to check others. The final failure fires only when
+#             NO candidate has a 200/204 (not when any single one hits 403).
+#             See RFC#324 token-scope follow-up issue for long-term fix.
 #   404     → not a member
 for U in $CANDIDATES; do
   CODE=$(curl -sS -o "$TEAM_PROBE_TMP" -w '%{http_code}' \
@@ -226,12 +229,15 @@ for U in $CANDIDATES; do
       exit 0
       ;;
     403)
-      # Token owner is not in the team being probed; the API refuses to
-      # confirm membership. This is the RFC#324 follow-up token-scope gap.
-      # Fail closed — never grant approval on a 403; surface clearly.
-      echo "::error::team-probe for ${U} in ${TEAM} returned 403 (token owner not in ${TEAM} team — RFC#324 token-scope follow-up). Cannot confirm membership; failing closed."
+      # Token owner is not in the team being probed; Gitea 1.22.6 refuses
+      # to confirm membership in this case. Do NOT hard-fail the gate on a
+      # 403 — doing so would fail the entire gate if ANY candidate triggers
+      # a 403, even when other valid team-members exist. Instead skip this
+      # candidate and continue checking others. If all candidates produce
+      # 403 (token owner can't query any of them) the final exit fires.
+      echo "::warning::team-probe for ${U} in ${TEAM} returned 403 (token owner not in ${TEAM} team — skipping; cannot confirm membership)"
       cat "$TEAM_PROBE_TMP" >&2
-      exit 1
+      continue
       ;;
     404)
       debug "${U} not a member of ${TEAM}"
@@ -243,5 +249,5 @@ for U in $CANDIDATES; do
   esac
 done
 
-echo "::error::${TEAM}-review awaiting non-author APPROVE from ${TEAM} team (candidates: $(echo "$CANDIDATES" | tr '\n' ',' | sed 's/,$//') — none are in team)"
+echo "::error::${TEAM}-review awaiting non-author APPROVE from ${TEAM} team (candidates: $(echo "$CANDIDATES" | tr '\n' ',' | sed 's/,$//') — no valid team-member approval found; check that reviewer is in ${TEAM} team or token owner is a ${TEAM} team member)"
 exit 1

.gitea/scripts/sop-checklist.py

@@ -102,7 +102,7 @@ def normalize_slug(raw: str, numeric_aliases: dict[int, str] | None = None) -> s
 
 
 # ---------------------------------------------------------------------------
-# Comment parsing — /sop-ack and /sop-revoke
+# Comment parsing — /sop-ack, /sop-revoke, and /sop-n/a
 # ---------------------------------------------------------------------------
 
 # A directive must be on its own line. Permits leading whitespace.
@@ -114,23 +114,33 @@ _DIRECTIVE_RE = re.compile(
     re.MULTILINE,
 )
 
+# /sop-n/a <gate> [reason] — declare a qa/sec gate N/A.
+# Gate names: qa-review, security-review (match review-check.sh context names).
+_NA_DIRECTIVE_RE = re.compile(
+    r"^[ \t]*/sop-n/a[ \t]+([A-Za-z0-9_\-]+)(?:[ \t]+(.*))?[ \t]*$",
+    re.MULTILINE,
+)
+
 
 def parse_directives(
     comment_body: str,
     numeric_aliases: dict[int, str],
-) -> tuple[list[tuple[str, str, str]], list]:
-    """Extract /sop-ack and /sop-revoke directives from a comment body.
+) -> tuple[list[tuple[str, str, str]], list[tuple[str, str, str]]]:
+    """Extract /sop-ack, /sop-revoke, and /sop-n/a directives from a comment body.
 
     Returns (directives, na_directives) where:
       directives is a list of (kind, canonical_slug, note) tuples
         kind is "sop-ack" or "sop-revoke"
         canonical_slug is the normalized form (or "" if unparseable)
         note is the trailing free-text (may be "")
-      na_directives is reserved for future N/A handling (always [] for now)
+      na_directives is a list of (gate_name, reason) tuples
+        gate_name is "qa-review" or "security-review" (raw from comment)
+        reason is the free-text after the gate name (may be "")
     """
     out: list[tuple[str, str, str]] = []
+    na_out: list[tuple[str, str, str]] = []
     if not comment_body:
-        return out, []
+        return out, na_out
     for m in _DIRECTIVE_RE.finditer(comment_body):
         kind = m.group(1)
         raw_slug = (m.group(2) or "").strip()
@@ -161,7 +171,11 @@ def parse_directives(
         # If we collapsed multi-word slug into kebab and there's a
         # trailing-text group too, append it.
         out.append((kind, canonical, note_from_group))
-    return out, []
+    for m in _NA_DIRECTIVE_RE.finditer(comment_body):
+        gate_raw = (m.group(1) or "").strip()
+        reason = (m.group(2) or "").strip()
+        na_out.append((gate_raw.lower(), reason))
+    return out, na_out
 
 
 # ---------------------------------------------------------------------------
@@ -304,6 +318,82 @@ def compute_ack_state(
     }
 
 
+def compute_na_state(
+    comments: list[dict[str, Any]],
+    pr_author: str,
+    na_gates: dict[str, dict[str, Any]],
+    team_membership_probe: "callable[[str, list[str]], list[str]]",
+) -> dict[str, dict[str, Any]]:
+    """Compute per-gate N/A declaration state.
+
+    Each comment is processed in chronological order. The most-recent
+    N/A directive per (commenter, gate) wins.
+
+    Returns a dict keyed by gate name:
+       {
+         "qa-review": {
+           "declared": True,
+           "declared_by": "core-qa-agent",
+           "reason": "CI/non-security-touching",
+           "valid": True,   # non-author + in required team
+           "error": None,   # error string if invalid
+         },
+         ...
+       }
+    Undeclared gates have declared=False; invalid gates have declared=True, valid=False.
+    """
+    # Step 1: collapse N/A directives per (commenter, gate) — most recent wins.
+    latest_na: dict[tuple[str, str], tuple[str, str]] = {}
+    for c in comments:
+        body = c.get("body", "") or ""
+        user = (c.get("user") or {}).get("login", "")
+        if not user:
+            continue
+        _, na_directives = parse_directives(body, {})
+        for gate, reason in na_directives:
+            if gate not in na_gates:
+                continue
+            latest_na[(user, gate)] = (gate, reason)
+
+    # Step 2: initialise all gates as undeclared.
+    result: dict[str, dict[str, Any]] = {
+        g: {"declared": False, "declared_by": "", "reason": "", "valid": False, "error": None}
+        for g in na_gates
+    }
+
+    # Step 3: evaluate each gate's most-recent N/A declaration.
+    for (user, gate), (gate_name, reason) in latest_na.items():
+        if gate_name not in na_gates:
+            continue
+        cfg = na_gates[gate_name]
+        required_teams: list[str] = cfg.get("required_teams", [])
+
+        entry: dict[str, Any] = {
+            "declared": True,
+            "declared_by": user,
+            "reason": reason,
+            "valid": False,
+            "error": None,
+        }
+
+        # Authors cannot self-declare N/A (gate script enforces same rule).
+        if user == pr_author:
+            entry["error"] = "self-declare N/A rejected"
+        else:
+            # Probe team membership: is the declarer in any required team?
+            approved = team_membership_probe(f"na:{gate_name}", [user])
+            if user in approved:
+                entry["valid"] = True
+            else:
+                # 403 from team API means token owner not in that team.
+                # Fail-closed: treat unknown membership as invalid.
+                entry["error"] = f"{user} not in required team {required_teams}"
+
+        result[gate_name] = entry
+
+    return result
+
+
 # ---------------------------------------------------------------------------
 # Gitea API client
 # ---------------------------------------------------------------------------
@@ -463,10 +553,29 @@ def _load_config_minimal(path: str) -> dict[str, Any]:
     tier_failure_mode), top-level list of maps (items:), and within an
     item map: scalars + lists of scalars. Does NOT support nested lists,
     YAML anchors, multi-doc, or flow style.
+
+    Key names containing '/' (e.g. n/a_gates) are handled by using
+    rpartition(':') — splitting at the LAST colon so embedded colons
+    in the key are preserved.
     """
     with open(path) as f:
         lines = f.readlines()
-    return _parse_minimal_yaml(lines)
+    # Preprocess: for lines at indent 0 that contain '/' before ':',
+    # use rpartition so the key keeps the '/'. e.g.
+    #   "n/a_gates:"  → key="n/a_gates", val=""
+    #   "n/a_gates: value" → key="n/a_gates", val="value"
+    processed: list[str] = []
+    for raw in lines:
+        stripped = raw.rstrip("\n")
+        indent = len(stripped) - len(stripped.lstrip(" "))
+        content = stripped.lstrip(" ")
+        if indent == 0 and "/" in content and ":" in content:
+            # Use rpartition so the last ':' is the key-value separator.
+            key, _, val = content.rpartition(":")
+            processed.append(" " * indent + key.strip() + ": " + val.strip())
+        else:
+            processed.append(stripped)
+    return _parse_minimal_yaml(processed)
 
 
 def _parse_minimal_yaml(lines: list[str]) -> dict[str, Any]:  # noqa: C901
@@ -803,6 +912,90 @@ def main(argv: list[str] | None = None) -> int:
             extra = " (" + "; ".join(extras) + ")" if extras else ""
             print(f"::notice::  [WAIT] {slug} — no valid peer-ack yet{extra}")
 
+    # ----- N/A gate declarations (RFC#324 §N/A follow-up) -----
+    # sop-checklist.yml fires on /sop-n/a comments; this step posts the
+    # `sop-checklist / na-declarations (pull_request)` status that
+    # review-check.sh reads to waive the Gitea-APPROVE requirement.
+    na_gates: dict[str, Any] = cfg.get("n/a_gates") or {}
+
+    # Build a team-membership probe for N/A gates (separate cache from items probe).
+    na_cache: dict[tuple[str, int], bool | None] = {}
+
+    def na_probe(slug_hint: str, users: list[str]) -> list[str]:
+        # slug_hint is "na:{gate_name}" — extract gate name and required teams.
+        gate_name = slug_hint.removeprefix("na:")
+        gate_cfg = na_gates.get(gate_name, {})
+        team_names: list[str] = gate_cfg.get("required_teams", [])
+        # Resolve team names → ids.
+        team_ids: list[int] = []
+        for tn in team_names:
+            tid = client.resolve_team_id(args.owner, tn)  # noqa: SLF001
+            if tid is None:
+                code, data = client._req(  # noqa: SLF001
+                    "GET", f"/orgs/{args.owner}/teams"
+                )
+                if code == 200 and isinstance(data, list):
+                    for t in data:
+                        if t.get("name") == tn:
+                            tid = t.get("id")
+                            client._team_id_cache[(args.owner, tn)] = tid  # noqa: SLF001
+                            break
+            if tid is not None:
+                team_ids.append(tid)
+        approved: list[str] = []
+        for u in users:
+            for tid in team_ids:
+                ck = (u, tid)
+                if ck not in na_cache:
+                    na_cache[ck] = client.is_team_member(tid, u)  # noqa: SLF001
+                res = na_cache[ck]
+                if res is True:
+                    approved.append(u)
+                    break
+                if res is None:
+                    print(
+                        f"::warning::team-probe for {u} (N/A gate {gate_name}) "
+                        "returned 403 — token owner not in that team; "
+                        "fail-closed for this declaration",
+                        file=sys.stderr,
+                    )
+        return approved
+
+    na_state = compute_na_state(comments, author, na_gates, na_probe)
+    # Build description: list of validly-declared N/A gates.
+    na_approved_gates = [
+        g for g, entry in na_state.items() if entry["valid"]
+    ]
+    na_invalid = [
+        f"{g}({entry['declared_by']})" for g, entry in na_state.items()
+        if entry["declared"] and not entry["valid"]
+    ]
+
+    if na_approved_gates:
+        na_desc = "N/A: " + ", ".join(na_approved_gates)
+    elif na_invalid:
+        na_desc = "invalid N/A: " + ", ".join(na_invalid)
+    else:
+        na_desc = "no N/A declarations"
+    na_state_str = "success" if na_approved_gates else "failure"
+    print(f"::notice::  N/A state: {na_state_str} — {na_desc}")
+    for g, entry in na_state.items():
+        if entry["declared"]:
+            status_flag = "valid" if entry["valid"] else f"invalid: {entry['error']}"
+            print(f"::notice::    {g}: declared by {entry['declared_by']} — {status_flag}")
+
+    target_url = f"https://{args.gitea_host}/{args.owner}/{args.repo}/pulls/{args.pr}"
+
+    if not args.dry_run:
+        na_context = "sop-checklist / na-declarations (pull_request)"
+        client.post_status(
+            args.owner, args.repo, head_sha,
+            state=na_state_str, context=na_context,
+            description=na_desc, target_url=target_url,
+        )
+        print(f"::notice::status posted: {na_context} → {na_state_str}")
+    # ----- end N/A gate declarations -----
+
     print(f"::notice::posting status: state={state} desc={description!r}")
 
     if args.dry_run:
@@ -810,8 +1003,6 @@ def main(argv: list[str] | None = None) -> int:
         if args.exit_on_state:
             return 0 if state in ("success", "pending") else 1
         return 0
-
-    target_url = f"https://{args.gitea_host}/{args.owner}/{args.repo}/pulls/{args.pr}"
     client.post_status(
         args.owner, args.repo, head_sha,
         state=state, context=args.status_context,

.gitea/workflows/ci.yml

@@ -348,16 +348,15 @@ jobs:
   # Shellcheck (E2E scripts) — required check, always runs.
   shellcheck:
     name: Shellcheck (E2E scripts)
-    needs: changes
     runs-on: ubuntu-latest
     # Phase 4 (RFC #219 §1): confirmed green on main 2026-05-12.
     continue-on-error: false
     steps:
-      - if: needs.changes.outputs.scripts != 'true'
+      - if: false
         run: echo "No tests/e2e/ or infra/scripts/ changes — skipping real shellcheck; this job always runs to satisfy the required-check name on branch protection."
-      - if: needs.changes.outputs.scripts == 'true'
+      - if: always()
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - if: needs.changes.outputs.scripts == 'true'
+      - if: always()
         name: Run shellcheck on tests/e2e/*.sh and infra/scripts/*.sh
         # shellcheck is pre-installed on ubuntu-latest runners (via apt).
         # infra/scripts/ is included because setup.sh + nuke.sh gate the
@@ -368,16 +367,16 @@ jobs:
           find tests/e2e infra/scripts -type f -name '*.sh' -print0 \
             | xargs -0 shellcheck --severity=warning
 
-      - if: needs.changes.outputs.scripts == 'true'
+      - if: always()
         name: Lint cleanup-trap hygiene (RFC #2873)
         run: bash tests/e2e/lint_cleanup_traps.sh
 
-      - if: needs.changes.outputs.scripts == 'true'
+      - if: always()
         name: Run E2E bash unit tests (no live infra)
         run: |
           bash tests/e2e/test_model_slug.sh
 
-      - if: needs.changes.outputs.scripts == 'true'
+      - if: always()
         name: Test ECR promote-tenant-image script (mock-driven, no live infra)
         # Covers scripts/promote-tenant-image.sh — the codified
         # :staging-latest → :latest ECR promote + tenant fleet redeploy
@@ -387,7 +386,7 @@ jobs:
         run: |
           bash scripts/test-promote-tenant-image.sh
 
-      - if: needs.changes.outputs.scripts == 'true'
+      - if: always()
         name: Shellcheck promote-tenant-image script
         # scripts/ is excluded from the bulk shellcheck pass above (legacy
         # SC3040/SC3043 cleanup pending). Run shellcheck explicitly on
@@ -407,8 +406,8 @@ jobs:
     # ci_job_names() detects this as github.ref-gated and skips it from F1.
     # The step-level exit 0 handles the "not main push" case; the job-level
     # `if:` makes the gating explicit so the drift script sees it.
-    # continue-on-error removed (was mc#774 mask): step exits 0 when not applicable.
-    if: ${{ github.ref == 'refs/heads/staging' }}
+    # Runs on both main and staging pushes; step exits 0 when not applicable.
+    if: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/staging' }}
     needs: [changes, canvas-build]
     steps:
       - name: Write deploy reminder to step summary
@@ -459,7 +458,6 @@ jobs:
   # Python Lint & Test — required check, always runs.
   python-lint:
     name: Python Lint & Test
-    needs: changes
     runs-on: ubuntu-latest
     # Phase 4 (RFC #219 §1): confirmed green on main 2026-05-12.
     continue-on-error: false
@@ -469,25 +467,25 @@ jobs:
       run:
         working-directory: workspace
     steps:
-      - if: needs.changes.outputs.python != 'true'
+      - if: false
         working-directory: .
         run: echo "No workspace/** changes — skipping real lint+test; this job always runs to satisfy the required-check name on branch protection."
-      - if: needs.changes.outputs.python == 'true'
+      - if: always()
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - if: needs.changes.outputs.python == 'true'
+      - if: always()
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.11'
           cache: pip
           cache-dependency-path: workspace/requirements.txt
-      - if: needs.changes.outputs.python == 'true'
+      - if: always()
         run: pip install -r requirements.txt pytest pytest-asyncio pytest-cov sqlalchemy>=2.0.0
       # Coverage flags + fail-under floor moved into workspace/pytest.ini
       # (issue #1817) so local `pytest` and CI use identical config.
-      - if: needs.changes.outputs.python == 'true'
+      - if: always()
         run: python -m pytest --tb=short
 
-      - if: needs.changes.outputs.python == 'true'
+      - if: always()
         name: Per-file critical-path coverage (MCP / inbox / auth)
         # MCP-critical Python files have a per-file floor on top of the
         # 86% total floor in pytest.ini. See issue #2790 for full rationale.
@@ -552,41 +550,18 @@ jobs:
     # red silently merged through. See internal#286 for the three concrete
     # tonight-of-2026-05-11 incidents that prompted the emergency bump.
     #
-    # Three properties of this job each close a failure mode:
+    # This job deliberately has no `needs:`. Gitea 1.22/act_runner can mark a
+    # job-level `if: always()` + `needs:` sentinel as skipped before upstream
+    # jobs settle, leaving branch protection with a permanent pending
+    # `CI / all-required` context. Instead, this independent sentinel polls the
+    # required commit-status contexts for this SHA and fails if any fail, skip,
+    # or never emit.
     #
-    #  1. `if: always()` — runs even when an upstream fails. Without it the
-    #     sentinel is `skipped` and protection treats that as missing → merge
-    #     ungated.
+    # canvas-deploy-reminder is intentionally NOT included in all-required.needs.
+    # It is an informational main-push reminder, not a PR quality gate. Keeping
+    # it in this dependency list lets a skipped reminder skip the required
+    # sentinel before the `always()` guard can emit a branch-protection status.
     #
-    #  2. Assertion is `result == "success"` per dep, NOT `!= "failure"`.
-    #     A `skipped` upstream (job gated by `if:` evaluating false, matrix
-    #     entry that couldn't run) must NOT silently pass through.
-    #     `skipped`-as-green is exactly the failure mode this gate closes.
-    #
-    #  3. `needs:` is the canonical list of "what counts as required."
-    #     status_check_contexts will reference only `ci/all-required` (Step 5
-    #     follow-up — branch-protection PATCH is Owners-tier per
-    #     `feedback_never_admin_merge_bypass`, separate PR); a new job is
-    #     added simply by listing it in `needs:` here.
-    #     `.gitea/workflows/ci-required-drift.yml` files a [ci-drift] issue
-    #     hourly if this list diverges from status_check_contexts or from
-    #     audit-force-merge.yml's REQUIRED_CHECKS env (RFC §4 + §6).
-    #
-    # canvas-deploy-reminder is intentionally excluded from all-required.needs:
-    # it needs canvas-build, which is skipped on CI-only PRs (canvas=false).
-    # Including it in all-required.needs causes all-required to hang on
-    # every CI-only PR. Keep it runnable on PRs via its own
-    # `needs: [changes, canvas-build]` — the sentinel only aggregates the result.
-    #
-    # Phase 3 (RFC #219 §1) safety: underlying build jobs carry
-    # continue-on-error: true so their failures are masked to null (2026-05-12: re-enabled mc#774 interim)
-    # (Gitea suppresses status reporting for CoE jobs). This sentinel
-    # runs with continue-on-error: false so it always reports its
-    # result to the API — without this, the required-status entry
-    # (CI / all-required (pull_request)) is never created, which
-    # blocks PR merges. When Phase 3 ends, flip underlying jobs to
-    # continue-on-error: false; this sentinel can then be flipped to
-    # continue-on-error: true if a Phase-4 regression requires it.
     continue-on-error: false
     runs-on: ubuntu-latest
     timeout-minutes: 1
@@ -596,42 +571,90 @@ jobs:
       - canvas-build
       - shellcheck
       - python-lint
-      - canvas-deploy-reminder
     if: ${{ always() }}
     steps:
-      - name: Assert every required dependency succeeded
+      - name: Wait for required CI contexts
+        env:
+          GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          API_ROOT: ${{ github.server_url }}/api/v1
+          REPOSITORY: ${{ github.repository }}
+          COMMIT_SHA: ${{ github.sha }}
+          EVENT_NAME: ${{ github.event_name }}
         run: |
           set -euo pipefail
-          # `needs.*.result` is one of: success | failure | cancelled | skipped | null.
-          # We assert success per dep (not != failure) — see RFC §2 reasoning above.
-          # Null results are skipped: they come from Phase 3 (continue-on-error: true
-          # suppresses status) or from jobs still in-flight. The sentinel succeeds
-          # rather than blocking PRs on Phase 3 noise.
-          results='${{ toJSON(needs) }}'
-          echo "$results"
-          echo "$results" | python3 -c '
-          import json, sys
-          ns = json.load(sys.stdin)
-          # Phase 3 masked: jobs with continue-on-error: true may report "failure"
-          # Remove when mc#774 handler test failures are resolved.
-          PHASE3_MASKED = {"platform-build"}
-          # Exclude null (Phase 3 suppressed / in-flight) from the bad list.
-          bad = [(k, v.get("result")) for k, v in ns.items()
-                 if v.get("result") not in ("success", None, "cancelled", "skipped") and k not in PHASE3_MASKED]
-          if bad:
-              print(f"FAIL: jobs not green:", file=sys.stderr)
-              for k, r in bad:
-                  print(f"  - {k}: {r}", file=sys.stderr)
-              sys.exit(1)
-          pending = [(k, v.get("result")) for k, v in ns.items()
-                     if v.get("result") is None]
-          cancelled = [(k, v.get("result")) for k, v in ns.items()
-                       if v.get("result") == "cancelled"]
-          if pending:
-              print(f"WARN: {len(pending)} job(s) still in-flight (result=null): " +
-                    ", ".join(k for k, _ in pending), file=sys.stderr)
-          if cancelled:
-              print(f"INFO: {len(cancelled)} job(s) masked by continue-on-error: " +
-                    ", ".join(k for k, _ in cancelled), file=sys.stderr)
-          print(f"OK: all {len(ns)} required jobs succeeded (or Phase-3 suppressed)")
-          '
+          python3 - <<'PY'
+          import json
+          import os
+          import sys
+          import time
+          import urllib.error
+          import urllib.request
+
+          token = os.environ["GITEA_TOKEN"]
+          api_root = os.environ["API_ROOT"].rstrip("/")
+          repo = os.environ["REPOSITORY"]
+          sha = os.environ["COMMIT_SHA"]
+          event = os.environ["EVENT_NAME"]
+          required = [
+              f"CI / Detect changes ({event})",
+              f"CI / Platform (Go) ({event})",
+              f"CI / Canvas (Next.js) ({event})",
+              f"CI / Shellcheck (E2E scripts) ({event})",
+              f"CI / Python Lint & Test ({event})",
+          ]
+          terminal_bad = {"failure", "error"}
+          deadline = time.time() + 40 * 60
+          last_summary = None
+
+          def fetch_statuses():
+              statuses = []
+              for page in range(1, 6):
+                  url = f"{api_root}/repos/{repo}/commits/{sha}/statuses?page={page}&limit=100"
+                  req = urllib.request.Request(url, headers={"Authorization": f"token {token}"})
+                  with urllib.request.urlopen(req, timeout=10) as resp:
+                      chunk = json.load(resp)
+                  if not chunk:
+                      break
+                  statuses.extend(chunk)
+              latest = {}
+              for item in statuses:
+                  ctx = item.get("context")
+                  if not ctx:
+                      continue
+                  prev = latest.get(ctx)
+                  if prev is None or (item.get("updated_at") or item.get("created_at") or "") >= (prev.get("updated_at") or prev.get("created_at") or ""):
+                      latest[ctx] = item
+              return latest
+
+          while True:
+              try:
+                  latest = fetch_statuses()
+              except (TimeoutError, OSError, urllib.error.URLError) as exc:
+                  if time.time() >= deadline:
+                      print(f"FAIL: status polling did not recover before deadline: {exc}", file=sys.stderr)
+                      sys.exit(1)
+                  print(f"WARN: status poll failed, retrying: {exc}", flush=True)
+                  time.sleep(15)
+                  continue
+              states = {ctx: (latest.get(ctx) or {}).get("status") or (latest.get(ctx) or {}).get("state") or "missing" for ctx in required}
+              summary = ", ".join(f"{ctx}={state}" for ctx, state in states.items())
+              if summary != last_summary:
+                  print(summary, flush=True)
+                  last_summary = summary
+              bad = {ctx: state for ctx, state in states.items() if state in terminal_bad}
+              if bad:
+                  print("FAIL: required CI context failed:", file=sys.stderr)
+                  for ctx, state in bad.items():
+                      desc = (latest.get(ctx) or {}).get("description") or ""
+                      print(f"  - {ctx}: {state} {desc}", file=sys.stderr)
+                  sys.exit(1)
+              if all(state == "success" for state in states.values()):
+                  print(f"OK: all {len(required)} required CI contexts succeeded")
+                  sys.exit(0)
+              if time.time() >= deadline:
+                  print("FAIL: timed out waiting for required CI contexts:", file=sys.stderr)
+                  for ctx, state in states.items():
+                      print(f"  - {ctx}: {state}", file=sys.stderr)
+                  sys.exit(1)
+              time.sleep(15)
+          PY

.gitea/workflows/e2e-api.yml

@@ -69,6 +69,13 @@ name: E2E API Smoke Test
 # 2318) shows Postgres ready in 3s, Redis in 1s, Platform in 1s when
 # they DO come up. Timeouts are not the bottleneck; not bumped.
 #
+# Item #1046 (fixed 2026-05-14): Stale platform-server from cancelled runs
+#   lingers on :8080 after "Stop platform" step is skipped (workflow cancelled
+#   before reaching line 335). Added a pre-start "Kill stale platform-server"
+#   step (line 286) that scans /proc for zombie platform-server processes
+#   and kills them before the port probe or bind. Makes the ephemeral port
+#   probe + start sequence deterministic.
+#
 # Item explicitly NOT fixed here: failing test `Status back online`
 # fails because the platform's langgraph workspace template image
 # (ghcr.io/molecule-ai/workspace-template-langgraph:latest) returns
@@ -283,6 +290,35 @@ jobs:
           echo "PORT=${PLATFORM_PORT}" >> "$GITHUB_ENV"
           echo "BASE=http://127.0.0.1:${PLATFORM_PORT}" >> "$GITHUB_ENV"
           echo "Platform host port: ${PLATFORM_PORT}"
+      - name: Kill stale platform-server before start (issue #1046)
+        if: needs.detect-changes.outputs.api == 'true'
+        run: |
+          # Concurrent runs on the same host-network act_runner can leave a
+          # zombie platform-server from a cancelled/timeout run. Cancelled
+          # runs never reach the "Stop platform" step (line 335), so the
+          # old process lingers. Kill it before the ephemeral port probe
+          # or start so the port is definitively free.
+          #
+          # /proc scan — works on any Linux without pkill/lsof/ss.
+          # comm field is truncated to 15 chars: "platform-serve" matches
+          # "platform-server". Verify with cmdline to avoid false positives.
+          killed=0
+          for pid in $(grep -l "platform-serve" /proc/[0-9]*/comm 2>/dev/null); do
+            kpid="${pid%/comm}"
+            kpid="${kpid##*/}"
+            cmdline=$(cat "/proc/${kpid}/cmdline" 2>/dev/null | tr '\0' ' ')
+            if echo "$cmdline" | grep -q "platform-server"; then
+              echo "Killing stale platform-server pid ${kpid}: ${cmdline}"
+              kill "$kpid" 2>/dev/null || true
+              killed=$((killed + 1))
+            fi
+          done
+          if [ "$killed" -gt 0 ]; then
+            sleep 2
+            echo "Killed $killed stale process(es); port(s) released."
+          else
+            echo "No stale platform-server found."
+          fi
       - name: Start platform (background)
         if: needs.detect-changes.outputs.api == 'true'
         working-directory: workspace-server
@@ -346,3 +382,4 @@ jobs:
         run: |
           docker rm -f "$PG_CONTAINER" 2>/dev/null || true
           docker rm -f "$REDIS_CONTAINER" 2>/dev/null || true
+

.gitea/workflows/e2e-chat.yml

@@ -97,7 +97,7 @@ jobs:
           cache-dependency-path: workspace-server/go.sum
 
       - if: needs.detect-changes.outputs.chat == 'true'
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d6f5 # v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: '22'
           cache: 'npm'

.gitea/workflows/gate-check-v3.yml

@@ -83,25 +83,41 @@ jobs:
           REPO: ${{ github.repository }}
         run: |
           set -euo pipefail
-          # Fetch all open PRs and run gate-check on each
-          # socket.setdefaulttimeout(15): defence-in-depth for missing SOP_TIER_CHECK_TOKEN.
-          # gate_check.py uses timeout=15 on every urlopen call; this catches the
-          # inline Python polling loop too (issue #603).
+          # Fetch all open PRs and run gate-check on each. This scheduled
+          # refresher is advisory; a transient Gitea list timeout must not turn
+          # main red. PR-specific gate-check runs still use normal failure
+          # semantics.
           pr_numbers=$(python3 <<'PY'
           import json
           import os
           import socket
+          import sys
+          import time
+          import urllib.error
           import urllib.request
 
-          socket.setdefaulttimeout(15)
+          socket.setdefaulttimeout(30)
           token = os.environ["GITEA_TOKEN"]
           repo = os.environ["REPO"]
-          req = urllib.request.Request(
-              f"https://git.moleculesai.app/api/v1/repos/{repo}/pulls?state=open&limit=100",
-              headers={"Authorization": f"token {token}", "Accept": "application/json"},
-          )
-          with urllib.request.urlopen(req) as r:
-              prs = json.loads(r.read())
+          url = f"https://git.moleculesai.app/api/v1/repos/{repo}/pulls?state=open&limit=100"
+          last_error = None
+          for attempt in range(1, 4):
+              req = urllib.request.Request(
+                  url,
+                  headers={"Authorization": f"token {token}", "Accept": "application/json"},
+              )
+              try:
+                  with urllib.request.urlopen(req, timeout=30) as r:
+                      prs = json.loads(r.read())
+                  break
+              except (TimeoutError, OSError, urllib.error.URLError, urllib.error.HTTPError) as exc:
+                  last_error = exc
+                  print(f"warning: PR list fetch attempt {attempt}/3 failed: {exc}", file=sys.stderr)
+                  if attempt < 3:
+                      time.sleep(2 * attempt)
+          else:
+              print(f"warning: skipped scheduled gate-check refresh; failed to list open PRs after 3 attempts: {last_error}", file=sys.stderr)
+              raise SystemExit(0)
           for pr in prs:
               print(pr["number"])
           PY

.gitea/workflows/handlers-postgres-integration.yml

@@ -86,7 +86,11 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          fetch-depth: 0
+          # A full-history checkout can exceed the runner's quiet/startup
+          # window before the path filter emits logs. Fetch the common push
+          # case cheaply; the script below fetches the exact BASE SHA if it is
+          # not present in the shallow checkout.
+          fetch-depth: 2
       - id: filter
         # Inline replacement for dorny/paths-filter — see e2e-api.yml.
         run: |

.gitea/workflows/lint-continue-on-error-tracking.yml

@@ -93,7 +93,7 @@ jobs:
   lint:
     name: lint-continue-on-error-tracking
     runs-on: ubuntu-latest
-    timeout-minutes: 10
+    timeout-minutes: 20
     # Phase 3 (RFC #219 §1): surface masked defects without blocking
     # PRs. Pre-existing continue-on-error: true directives on main
     # all violate this lint at first — intentional. Flip to false

.gitea/workflows/review-refire-comments.yml

@@ -18,6 +18,10 @@ permissions:
   pull-requests: read
   statuses: write
 
+concurrency:
+  group: ${{ github.repository }}-${{ github.workflow }}-${{ github.event.issue.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
   dispatch:
     runs-on: ubuntu-latest

.gitea/workflows/sop-checklist.yml

@@ -70,7 +70,7 @@ name: sop-checklist
 # Cancel any in-progress runs for the same PR to prevent
 # stale runs from overwriting newer status contexts.
 concurrency:
-  group: ${{ github.repository }}-${{ github.event.pull_request.number }}
+  group: ${{ github.repository }}-${{ github.workflow }}-${{ github.event.pull_request.number || github.event.issue.number || github.ref }}
   cancel-in-progress: true
 
 # bp-required: yes  ← emits sop-checklist / all-items-acked (pull_request)

.gitea/workflows/sop-tier-check.yml

@@ -61,6 +61,10 @@ on:
   pull_request_review:
     types: [submitted, dismissed, edited]
 
+concurrency:
+  group: ${{ github.repository }}-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
   tier-check:
     runs-on: ubuntu-latest

.staging-trigger

@@ -1 +1 @@
-staging trigger
+staging trigger 2026-05-14T17:35:02Z

_ci_trigger.txt

@@ -0,0 +1 @@
+trigger

canvas/src/components/__tests__/ThemeToggle.test.tsx

@@ -24,8 +24,12 @@ vi.mock("@/lib/theme-provider", () => ({
   })),
 }));
 
+// Wrap cleanup in act() so any pending React state updates (e.g. from
+// keyDown handlers that call setTheme) flush before DOM unmount. Without
+// this, cleanup() can race against pending renders and cause INDEX_SIZE_ERR
+// when the handleKeyDown callback tries to query the DOM mid-teardown.
 afterEach(() => {
-  cleanup();
+  act(() => { cleanup(); });
   vi.clearAllMocks();
 });
 
@@ -146,7 +150,7 @@ describe("ThemeToggle — keyboard navigation (WCAG 2.1.1 / ARIA radiogroup)", (
     const radios = screen.getAllByRole("radio");
     // dark (index 2) is current; ArrowRight should wrap to light (index 0)
     act(() => { radios[2].focus(); });
-    fireEvent.keyDown(radios[2], { key: "ArrowRight" });
+    act(() => { fireEvent.keyDown(radios[2], { key: "ArrowRight" }); });
     expect(mockSetTheme).toHaveBeenCalledWith("light");
   });
 
@@ -160,7 +164,7 @@ describe("ThemeToggle — keyboard navigation (WCAG 2.1.1 / ARIA radiogroup)", (
     const radios = screen.getAllByRole("radio");
     // light (index 0) is current; ArrowLeft should go to dark (index 2)
     act(() => { radios[0].focus(); });
-    fireEvent.keyDown(radios[0], { key: "ArrowLeft" });
+    act(() => { fireEvent.keyDown(radios[0], { key: "ArrowLeft" }); });
     expect(mockSetTheme).toHaveBeenCalledWith("dark");
   });
 
@@ -174,7 +178,7 @@ describe("ThemeToggle — keyboard navigation (WCAG 2.1.1 / ARIA radiogroup)", (
     const radios = screen.getAllByRole("radio");
     // light (index 0) is current; ArrowDown should go to system (index 1)
     act(() => { radios[0].focus(); });
-    fireEvent.keyDown(radios[0], { key: "ArrowDown" });
+    act(() => { fireEvent.keyDown(radios[0], { key: "ArrowDown" }); });
     expect(mockSetTheme).toHaveBeenCalledWith("system");
   });
 
@@ -187,7 +191,7 @@ describe("ThemeToggle — keyboard navigation (WCAG 2.1.1 / ARIA radiogroup)", (
     render(<ThemeToggle />);
     const radios = screen.getAllByRole("radio");
     act(() => { radios[2].focus(); });
-    fireEvent.keyDown(radios[2], { key: "Home" });
+    act(() => { fireEvent.keyDown(radios[2], { key: "Home" }); });
     expect(mockSetTheme).toHaveBeenCalledWith("light");
   });
 
@@ -200,14 +204,14 @@ describe("ThemeToggle — keyboard navigation (WCAG 2.1.1 / ARIA radiogroup)", (
     render(<ThemeToggle />);
     const radios = screen.getAllByRole("radio");
     act(() => { radios[0].focus(); });
-    fireEvent.keyDown(radios[0], { key: "End" });
+    act(() => { fireEvent.keyDown(radios[0], { key: "End" }); });
     expect(mockSetTheme).toHaveBeenCalledWith("dark");
   });
 
   it("does nothing on unrelated keys", () => {
     render(<ThemeToggle />);
     const radios = screen.getAllByRole("radio");
-    fireEvent.keyDown(radios[0], { key: "Enter" });
+    act(() => { fireEvent.keyDown(radios[0], { key: "Enter" }); });
     expect(mockSetTheme).not.toHaveBeenCalled();
   });
 });

canvas/src/components/mobile/MobileSpawn.tsx

@@ -12,6 +12,7 @@ import { useEffect, useState } from "react";
 
 import { api } from "@/lib/api";
 import { type Template } from "@/lib/deploy-preflight";
+import { isSaaSTenant } from "@/lib/tenant";
 
 import { tierCode } from "./palette";
 import { MOBILE_FONT_MONO, MOBILE_FONT_SANS, type MobilePalette, usePalette } from "./palette";
@@ -26,6 +27,7 @@ const TIER_LABEL: Record<"T1" | "T2" | "T3" | "T4", string> = {
 
 export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => void }) {
   const p = usePalette(dark);
+  const isSaaS = isSaaSTenant();
   const [templates, setTemplates] = useState<Template[]>([]);
   const [loadingTemplates, setLoadingTemplates] = useState(true);
   const [tplId, setTplId] = useState<string | null>(null);
@@ -43,7 +45,7 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
         setTemplates(list);
         if (list.length > 0) {
           setTplId(list[0].id);
-          setTier(tierCode(list[0].tier));
+          setTier(isSaaS ? "T4" : tierCode(list[0].tier));
         }
       })
       .catch(() => {
@@ -55,7 +57,7 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
     return () => {
       cancelled = true;
     };
-  }, []);
+  }, [isSaaS]);
 
   const handleSpawn = async () => {
     if (busy || !tplId) return;
@@ -67,7 +69,7 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
       await api.post<{ id: string }>("/workspaces", {
         name: (name.trim() || chosen.name),
         template: chosen.id,
-        tier: Number(tier.slice(1)),
+        tier: isSaaS ? 4 : Number(tier.slice(1)),
         canvas: {
           x: Math.random() * 400 + 100,
           y: Math.random() * 300 + 100,
@@ -203,7 +205,7 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
             >
               {templates.map((t) => {
                 const on = tplId === t.id;
-                const tCode = tierCode(t.tier);
+                const tCode = isSaaS ? "T4" : tierCode(t.tier);
                 return (
                   <button
                     key={t.id}

canvas/src/components/tabs/ConfigTab.tsx

@@ -176,7 +176,7 @@ export function deriveProvidersFromModels(models: ModelSpec[]): string[] {
 // exactly the point of the platform adaptor. The deep `~/.hermes/
 // config.yaml` on the container is a separate runtime-internal file,
 // not this one.
-const RUNTIMES_WITH_OWN_CONFIG = new Set<string>(["external", "kimi", "kimi-cli"]);
+const RUNTIMES_WITH_OWN_CONFIG = new Set<string>(["external", "kimi", "kimi-cli", "openclaw"]);
 
 const FALLBACK_RUNTIME_OPTIONS: RuntimeOption[] = [
   { value: "", label: "LangGraph (default)", models: [], providers: [] },

canvas/src/hooks/useTemplateDeploy.tsx

@@ -8,6 +8,7 @@ import {
   type PreflightResult,
   type Template,
 } from "@/lib/deploy-preflight";
+import { isSaaSTenant } from "@/lib/tenant";
 import { MissingKeysModal } from "@/components/MissingKeysModal";
 
 /**
@@ -105,7 +106,7 @@ export function useTemplateDeploy(
         const ws = await api.post<{ id: string }>("/workspaces", {
           name: template.name,
           template: template.id,
-          tier: template.tier,
+          tier: isSaaSTenant() ? 4 : template.tier,
           canvas: coords,
           ...(model ? { model } : {}),
         });

canvas/src/lib/api.ts

@@ -8,14 +8,18 @@ import { getTenantSlug } from "./tenant";
 export const PLATFORM_URL =
   process.env.NEXT_PUBLIC_PLATFORM_URL ?? "http://localhost:8080";
 
-// 15s is long enough for slow CP queries but short enough that a
-// hung backend doesn't leave the UI spinning forever. The abort
-// propagates through AbortController so React components can observe
-// the error and render a retry affordance. Callers that know the
-// endpoint is intentionally slow (org import walks a tree of
-// workspaces with server-side pacing) can pass `timeoutMs` to
-// override.
-const DEFAULT_TIMEOUT_MS = 15_000;
+// 35s is long enough for the slowest server-side path (EIC SSH
+// tunnel for tenant EC2 file operations, bounded server-side by
+// `eicFileOpTimeout = 30 * time.Second` in
+// workspace-server/internal/handlers/template_files_eic.go) so the
+// canvas surfaces the server's real error instead of aborting first
+// with a generic timeout. Shorter values caused "Save & Restart" to
+// time out at the client before the backend returned its 5xx. The
+// abort still propagates through AbortController so React components
+// can render a retry affordance. Callers that know an endpoint is
+// intentionally slow (org import walks a tree of workspaces with
+// server-side pacing) can pass `timeoutMs` to override.
+const DEFAULT_TIMEOUT_MS = 35_000;
 
 export interface RequestOptions {
   timeoutMs?: number;

workspace-server/internal/handlers/a2a_proxy.go

@@ -97,28 +97,28 @@ const maxProxyResponseBody = 10 << 20
 //
 // Timeout model — three independent budgets, none of which gets in each other's way:
 //
-//   1. Client.Timeout — DELIBERATELY UNSET. Client.Timeout is a hard wall on
-//      the entire request including streamed body reads, and would pre-empt
-//      legitimate slow cold-start flows (Claude Code first-token over OAuth
-//      can take 30-60s on boot; long-running agent synthesis can stream
-//      tokens for minutes). Total-request budget is enforced per-request
-//      via context deadline (canvas = idle-only, agent-to-agent = 30 min ceiling).
+//  1. Client.Timeout — DELIBERATELY UNSET. Client.Timeout is a hard wall on
+//     the entire request including streamed body reads, and would pre-empt
+//     legitimate slow cold-start flows (Claude Code first-token over OAuth
+//     can take 30-60s on boot; long-running agent synthesis can stream
+//     tokens for minutes). Total-request budget is enforced per-request
+//     via context deadline (canvas = idle-only, agent-to-agent = 30 min ceiling).
 //
-//   2. Transport.DialContext — 10s connect timeout. When a workspace's EC2
-//      black-holes TCP connects (instance terminated mid-flight, security group
-//      flipped, NACL bug), the OS default is 75s on Linux / 21s on macOS — long
-//      enough that Cloudflare's ~100s edge timeout can fire first and surface
-//      a generic 502 page to canvas. 10s is well above realistic intra-region
-//      latencies and well below CF's edge timeout.
+//  2. Transport.DialContext — 10s connect timeout. When a workspace's EC2
+//     black-holes TCP connects (instance terminated mid-flight, security group
+//     flipped, NACL bug), the OS default is 75s on Linux / 21s on macOS — long
+//     enough that Cloudflare's ~100s edge timeout can fire first and surface
+//     a generic 502 page to canvas. 10s is well above realistic intra-region
+//     latencies and well below CF's edge timeout.
 //
-//   3. Transport.ResponseHeaderTimeout — 180s default. From request-body-end
-//      to response-headers-start. Configurable via
-//      A2A_PROXY_RESPONSE_HEADER_TIMEOUT (envx.Duration). Covers cold-start
-//      first-byte (30-60s OAuth flow above) with enough room for Opus agent
-//      turns (big context + internal delegate_task round-trips routinely exceed
-//      the old 60s ceiling). Body streaming after headers is governed by the
-//      per-request context deadline, NOT this timeout — so multi-minute agent
-//      responses still work fine.
+//  3. Transport.ResponseHeaderTimeout — 180s default. From request-body-end
+//     to response-headers-start. Configurable via
+//     A2A_PROXY_RESPONSE_HEADER_TIMEOUT (envx.Duration). Covers cold-start
+//     first-byte (30-60s OAuth flow above) with enough room for Opus agent
+//     turns (big context + internal delegate_task round-trips routinely exceed
+//     the old 60s ceiling). Body streaming after headers is governed by the
+//     per-request context deadline, NOT this timeout — so multi-minute agent
+//     responses still work fine.
 //
 // The point of (2) and (3) is to surface a *structured* 503 from
 // handleA2ADispatchError when the workspace agent is unreachable, so canvas

workspace-server/internal/handlers/a2a_proxy_helpers.go

@@ -194,7 +194,7 @@ func (h *WorkspaceHandler) maybeMarkContainerDead(ctx context.Context, workspace
 	}
 	db.ClearWorkspaceKeys(ctx, workspaceID)
 	h.broadcaster.RecordAndBroadcast(ctx, string(events.EventWorkspaceOffline), workspaceID, map[string]interface{}{})
-	go h.RestartByID(workspaceID)
+	h.goAsync(func() { h.RestartByID(workspaceID) })
 	return true
 }
 
@@ -241,7 +241,7 @@ func (h *WorkspaceHandler) preflightContainerHealth(ctx context.Context, workspa
 	}
 	db.ClearWorkspaceKeys(ctx, workspaceID)
 	h.broadcaster.RecordAndBroadcast(ctx, string(events.EventWorkspaceOffline), workspaceID, map[string]interface{}{})
-	go h.RestartByID(workspaceID)
+	h.goAsync(func() { h.RestartByID(workspaceID) })
 	return &proxyA2AError{
 		Status: http.StatusServiceUnavailable,
 		Response: gin.H{
@@ -262,8 +262,8 @@ func (h *WorkspaceHandler) logA2AFailure(ctx context.Context, workspaceID, calle
 		errWsName = workspaceID
 	}
 	summary := "A2A request to " + errWsName + " failed: " + errMsg
-	go func(parent context.Context) {
-		logCtx, cancel := context.WithTimeout(context.WithoutCancel(parent), 30*time.Second)
+	h.goAsync(func() {
+		logCtx, cancel := context.WithTimeout(context.WithoutCancel(ctx), 30*time.Second)
 		defer cancel()
 		LogActivity(logCtx, h.broadcaster, ActivityParams{
 			WorkspaceID:  workspaceID,
@@ -277,7 +277,7 @@ func (h *WorkspaceHandler) logA2AFailure(ctx context.Context, workspaceID, calle
 			Status:       "error",
 			ErrorDetail:  &errMsg,
 		})
-	}(ctx)
+	})
 }
 
 // logA2ASuccess records a successful A2A round-trip and (for canvas-initiated
@@ -298,19 +298,19 @@ func (h *WorkspaceHandler) logA2ASuccess(ctx context.Context, workspaceID, calle
 	// silent workspaces. Only update when callerID is a real workspace (not
 	// canvas, not a system caller) and the target returned 2xx/3xx.
 	if callerID != "" && !isSystemCaller(callerID) && statusCode < 400 {
-		go func() {
+		h.goAsync(func() {
 			bgCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 			defer cancel()
 			if _, err := db.DB.ExecContext(bgCtx,
 				`UPDATE workspaces SET last_outbound_at = NOW() WHERE id = $1`, callerID); err != nil {
 				log.Printf("last_outbound_at update failed for %s: %v", callerID, err)
 			}
-		}()
+		})
 	}
 	summary := a2aMethod + " → " + wsNameForLog
 	toolTrace := extractToolTrace(respBody)
-	go func(parent context.Context) {
-		logCtx, cancel := context.WithTimeout(context.WithoutCancel(parent), 30*time.Second)
+	h.goAsync(func() {
+		logCtx, cancel := context.WithTimeout(context.WithoutCancel(ctx), 30*time.Second)
 		defer cancel()
 		LogActivity(logCtx, h.broadcaster, ActivityParams{
 			WorkspaceID:  workspaceID,
@@ -325,7 +325,7 @@ func (h *WorkspaceHandler) logA2ASuccess(ctx context.Context, workspaceID, calle
 			DurationMs:   &durationMs,
 			Status:       logStatus,
 		})
-	}(ctx)
+	})
 
 	if callerID == "" && statusCode < 400 {
 		h.broadcaster.BroadcastOnly(workspaceID, string(events.EventA2AResponse), map[string]interface{}{
@@ -510,8 +510,8 @@ func (h *WorkspaceHandler) logA2AReceiveQueued(ctx context.Context, workspaceID,
 		wsName = workspaceID
 	}
 	summary := a2aMethod + " → " + wsName + " (queued for poll)"
-	go func(parent context.Context) {
-		logCtx, cancel := context.WithTimeout(context.WithoutCancel(parent), 30*time.Second)
+	h.goAsync(func() {
+		logCtx, cancel := context.WithTimeout(context.WithoutCancel(ctx), 30*time.Second)
 		defer cancel()
 		LogActivity(logCtx, h.broadcaster, ActivityParams{
 			WorkspaceID:  workspaceID,
@@ -523,7 +523,7 @@ func (h *WorkspaceHandler) logA2AReceiveQueued(ctx context.Context, workspaceID,
 			RequestBody:  json.RawMessage(body),
 			Status:       "ok",
 		})
-	}(ctx)
+	})
 }
 
 // readUsageMap extracts input_tokens / output_tokens from the "usage" key of m.

workspace-server/internal/handlers/a2a_proxy_preflight_test.go

@@ -54,6 +54,7 @@ func TestPreflight_ContainerRunning_ReturnsNil(t *testing.T) {
 	_ = setupTestDB(t)
 	stub := &preflightLocalProv{running: true, err: nil}
 	h := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, h)
 	h.provisioner = stub
 
 	if err := h.preflightContainerHealth(context.Background(), "ws-running-123"); err != nil {
@@ -186,8 +187,8 @@ func TestProxyA2A_Preflight_RoutesThroughProvisionerSSOT(t *testing.T) {
 	}
 
 	var (
-		callsIsRunning             bool
-		callsContainerInspectRaw   bool
+		callsIsRunning                  bool
+		callsContainerInspectRaw        bool
 		callsRunningContainerNameDirect bool
 	)
 	ast.Inspect(fn.Body, func(n ast.Node) bool {

workspace-server/internal/handlers/a2a_proxy_test.go

@@ -262,6 +262,7 @@ func TestProxyA2A_Upstream502_TriggersContainerDeadCheck(t *testing.T) {
 	allowLoopbackForTest(t)
 	broadcaster := newTestBroadcaster()
 	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, handler)
 	cp := &fakeCPProv{running: false}
 	handler.SetCPProvisioner(cp)
 
@@ -324,6 +325,7 @@ func TestProxyA2A_Upstream502_AliveAgent_PropagatesAsIs(t *testing.T) {
 	allowLoopbackForTest(t)
 	broadcaster := newTestBroadcaster()
 	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, handler)
 	cp := &fakeCPProv{running: true}
 	handler.SetCPProvisioner(cp)
 
@@ -513,6 +515,7 @@ func TestProxyA2A_AllowedSelf_SkipsAccessCheck(t *testing.T) {
 	allowLoopbackForTest(t)
 	broadcaster := newTestBroadcaster()
 	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, handler)
 
 	agentServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
@@ -661,18 +664,18 @@ func TestProxyA2A_CallerIDDerivedFromBearer(t *testing.T) {
 	//    (column order: workspace_id, activity_type, source_id, target_id, ...)
 	mock.ExpectExec("INSERT INTO activity_logs").
 		WithArgs(
-			"ws-target",                       // $1 workspace_id
-			"a2a_receive",                     // $2 activity_type
-			sqlmock.AnyArg(),                  // $3 source_id — *string("ws-caller"), checked below
-			sqlmock.AnyArg(),                  // $4 target_id
-			sqlmock.AnyArg(),                  // $5 method
-			sqlmock.AnyArg(),                  // $6 summary
-			sqlmock.AnyArg(),                  // $7 request_body
-			sqlmock.AnyArg(),                  // $8 response_body
-			sqlmock.AnyArg(),                  // $9 tool_trace
-			sqlmock.AnyArg(),                  // $10 duration_ms
-			sqlmock.AnyArg(),                  // $11 status
-			sqlmock.AnyArg(),                  // $12 error_detail
+			"ws-target",      // $1 workspace_id
+			"a2a_receive",    // $2 activity_type
+			sqlmock.AnyArg(), // $3 source_id — *string("ws-caller"), checked below
+			sqlmock.AnyArg(), // $4 target_id
+			sqlmock.AnyArg(), // $5 method
+			sqlmock.AnyArg(), // $6 summary
+			sqlmock.AnyArg(), // $7 request_body
+			sqlmock.AnyArg(), // $8 response_body
+			sqlmock.AnyArg(), // $9 tool_trace
+			sqlmock.AnyArg(), // $10 duration_ms
+			sqlmock.AnyArg(), // $11 status
+			sqlmock.AnyArg(), // $12 error_detail
 		).
 		WillReturnResult(sqlmock.NewResult(0, 1))
 
@@ -1716,7 +1719,6 @@ func TestDispatchA2A_RejectsUnsafeURL(t *testing.T) {
 	}
 }
 
-
 // --- handleA2ADispatchError ---
 
 func TestHandleA2ADispatchError_ContextDeadline(t *testing.T) {
@@ -1803,6 +1805,7 @@ func TestMaybeMarkContainerDead_CPOnly_NotRunning(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)
 	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, handler)
 	cp := &fakeCPProv{running: false}
 	handler.SetCPProvisioner(cp)
 
@@ -1955,6 +1958,7 @@ func TestLogA2AFailure_Smoke(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)
 	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, handler)
 
 	// Sync workspace-name lookup (called in the caller goroutine).
 	mock.ExpectQuery(`SELECT name FROM workspaces WHERE id =`).
@@ -1973,6 +1977,7 @@ func TestLogA2AFailure_EmptyNameFallback(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)
 	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, handler)
 
 	// Empty name from DB → summary uses the workspaceID as the name.
 	mock.ExpectQuery(`SELECT name FROM workspaces WHERE id =`).
@@ -1989,6 +1994,7 @@ func TestLogA2ASuccess_Smoke(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)
 	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, handler)
 
 	mock.ExpectQuery(`SELECT name FROM workspaces WHERE id =`).
 		WithArgs("ws-ok").
@@ -2005,6 +2011,7 @@ func TestLogA2ASuccess_ErrorStatus(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)
 	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, handler)
 
 	mock.ExpectQuery(`SELECT name FROM workspaces WHERE id =`).
 		WithArgs("ws-err").

workspace-server/internal/handlers/a2a_queue_test.go

@@ -26,6 +26,10 @@ import (
 // setupTestDBForQueueTests creates a sqlmock DB using QueryMatcherEqual (exact
 // string matching) so that ExpectQuery/ExpectExec patterns are compared verbatim.
 // Uses the same global db.DB as setupTestDB so the handler can use it.
+//
+// IMPORTANT: db.DB is saved before assignment and restored via t.Cleanup so
+// that tests running after this one are not polluted by a closed mock.
+// Same fix as setupTestDB (handlers_test.go); same root cause as mc#975.
 func setupTestDBForQueueTests(t *testing.T) sqlmock.Sqlmock {
 	t.Helper()
 	mockDB, mock, err := sqlmock.New(sqlmock.QueryMatcherOption(sqlmock.QueryMatcherEqual))

workspace-server/internal/handlers/delegation.go

@@ -2,6 +2,7 @@ package handlers
 
 import (
 	"context"
+	"database/sql"
 	"encoding/json"
 	"log"
 	"net/http"
@@ -698,7 +699,8 @@ func (h *DelegationHandler) listDelegationsFromLedger(ctx context.Context, works
 
 	var result []map[string]interface{}
 	for rows.Next() {
-		var delegationID, callerID, calleeID, taskPreview, status, resultPreview, errorDetail string
+		var delegationID, callerID, calleeID, taskPreview, status string
+		var resultPreview, errorDetail sql.NullString
 		var lastHeartbeat, deadline, createdAt, updatedAt *time.Time
 		if err := rows.Scan(
 			&delegationID, &callerID, &calleeID, &taskPreview,
@@ -717,11 +719,11 @@ func (h *DelegationHandler) listDelegationsFromLedger(ctx context.Context, works
 			"updated_at":    updatedAt,
 			"_ledger":       true, // marker so callers know this row is from the ledger
 		}
-		if resultPreview != "" {
-			entry["response_preview"] = textutil.TruncateBytes(resultPreview, 300)
+		if resultPreview.Valid && resultPreview.String != "" {
+			entry["response_preview"] = textutil.TruncateBytes(resultPreview.String, 300)
 		}
-		if errorDetail != "" {
-			entry["error"] = errorDetail
+		if errorDetail.Valid && errorDetail.String != "" {
+			entry["error"] = errorDetail.String
 		}
 		if lastHeartbeat != nil {
 			entry["last_heartbeat"] = lastHeartbeat

workspace-server/internal/handlers/delegation_list_test.go

@@ -145,6 +145,54 @@ func TestListDelegationsFromLedger_MultipleRows(t *testing.T) {
 	}
 }
 
+func TestListDelegationsFromLedger_NullsOmitted(t *testing.T) {
+	// last_heartbeat, deadline, result_preview, error_detail are all NULL.
+	// Handler must not panic and must omit those keys from the map.
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { mockDB.Close(); db.DB = prevDB })
+
+	now := time.Now()
+	rows := sqlmock.NewRows([]string{
+		"delegation_id", "caller_id", "callee_id", "task_preview",
+		"status", "result_preview", "error_detail",
+		"last_heartbeat", "deadline", "created_at", "updated_at",
+	}).
+		AddRow("del-1", "ws-1", "ws-2", "task", "queued", nil, nil, nil, nil, now, now)
+	mock.ExpectQuery("SELECT .+ FROM delegations").
+		WithArgs("ws-1").
+		WillReturnRows(rows)
+
+	broadcaster := newTestBroadcaster()
+	wh := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+	dh := NewDelegationHandler(wh, broadcaster)
+
+	got := dh.listDelegationsFromLedger(context.Background(), "ws-1")
+	if len(got) != 1 {
+		t.Fatalf("expected 1 entry, got %d", len(got))
+	}
+	e := got[0]
+	if _, ok := e["last_heartbeat"]; ok {
+		t.Error("last_heartbeat should be absent when NULL")
+	}
+	if _, ok := e["deadline"]; ok {
+		t.Error("deadline should be absent when NULL")
+	}
+	if _, ok := e["response_preview"]; ok {
+		t.Error("response_preview should be absent when NULL result_preview")
+	}
+	if _, ok := e["error"]; ok {
+		t.Error("error should be absent when NULL error_detail")
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("sqlmock expectations: %v", err)
+	}
+}
+
 func TestListDelegationsFromLedger_QueryError(t *testing.T) {
 	// Query failure returns nil — graceful fallback, no panic.
 	mockDB, mock, err := sqlmock.New()

workspace-server/internal/handlers/external_connection.go

@@ -646,8 +646,12 @@ const externalOpenClawTemplate = `# OpenClaw MCP config — outbound tool path.
 # external machine today, pair with the Python SDK tab.
 
 # 1. Install openclaw CLI + the workspace runtime wheel:
+#    The version pin (>=0.1.999) ensures the "molecule-mcp" console
+#    script is present — it is what keeps the workspace ALIVE on canvas
+#    (register-on-startup + 20s heartbeat). Older versions only ship
+#    a2a_mcp_server which does not heartbeat.
 npm install -g openclaw@latest
-pip install molecule-ai-workspace-runtime
+pip install "molecule-ai-workspace-runtime>=0.1.999"
 
 # 2. Onboard openclaw against your model provider (one-time setup).
 #    --non-interactive needs an explicit --provider + --model so it

workspace-server/internal/handlers/handlers_test.go

@@ -29,6 +29,11 @@ func init() {
 // setupTestDB creates a sqlmock DB and assigns it to the global db.DB.
 // It also disables the SSRF URL check so that httptest.NewServer loopback
 // URLs and fake hostnames (*.example) used in tests don't trigger rejections.
+//
+// IMPORTANT: db.DB is saved before assignment and restored via t.Cleanup so
+// that tests running after this one are not polluted by a closed mock.
+// This is the single root cause of the systemic CI/Platform (Go) failures on
+// main HEAD 8026f020 (mc#975).
 func setupTestDB(t *testing.T) sqlmock.Sqlmock {
 	t.Helper()
 	mockDB, mock, err := sqlmock.New()
@@ -57,6 +62,11 @@ func setupTestDB(t *testing.T) sqlmock.Sqlmock {
 	return mock
 }
 
+func waitForHandlerAsyncBeforeDBCleanup(t *testing.T, h *WorkspaceHandler) {
+	t.Helper()
+	t.Cleanup(h.waitAsyncForTest)
+}
+
 // setupTestRedis creates a miniredis instance and assigns it to the global db.RDB.
 func setupTestRedis(t *testing.T) *miniredis.Miniredis {
 	t.Helper()
@@ -356,6 +366,11 @@ func TestWorkspaceCreate(t *testing.T) {
 }
 
 func TestBuildProvisionerConfig_IncludesAwarenessSettings(t *testing.T) {
+	mock := setupTestDB(t)
+	mock.ExpectQuery(`SELECT digest FROM runtime_image_pins`).
+		WithArgs("claude-code").
+		WillReturnError(sql.ErrNoRows)
+
 	broadcaster := newTestBroadcaster()
 	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", "/tmp/configs")
 

workspace-server/internal/handlers/instructions_test.go

@@ -2,10 +2,12 @@ package handlers
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"errors"
 	"net/http"
 	"net/http/httptest"
+	"regexp"
 	"testing"
 	"time"
 
@@ -80,117 +82,135 @@ func TestInstructionsList_ByWorkspaceID(t *testing.T) {
 	if w.Code != http.StatusOK {
 		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
 	}
-	var out []Instruction
-	if err := json.Unmarshal(w.Body.Bytes(), &out); err != nil {
-		t.Fatalf("response not valid JSON: %v", err)
+	var result []Instruction
+	if err := json.Unmarshal(w.Body.Bytes(), &result); err != nil {
+		t.Fatalf("invalid JSON: %v", err)
 	}
-	if len(out) != 2 {
-		t.Errorf("expected 2 instructions, got %d", len(out))
+	if len(result) != 2 {
+		t.Fatalf("expected 2 instructions, got %d", len(result))
 	}
-	if out[0].Scope != "global" {
-		t.Errorf("first row scope: expected global, got %s", out[0].Scope)
+	if result[0].Scope != "global" || result[1].Scope != "workspace" {
+		t.Fatalf("expected global then workspace instructions, got %#v", result)
 	}
 	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet expectations: %v", err)
+		t.Fatalf("unmet expectations: %v", err)
 	}
 }
 
-func TestInstructionsList_ByScope(t *testing.T) {
+func TestInstructionsHandler_List_WithScopeFilter(t *testing.T) {
 	mock := setupTestDB(t)
-	h := NewInstructionsHandler()
+	handler := NewInstructionsHandler()
 
-	w, c := newGetRequest("/instructions?scope=global")
-	c.Request = httptest.NewRequest(http.MethodGet, "/instructions?scope=global", nil)
+	rows := sqlmock.NewRows([]string{
+		"id", "scope", "scope_target", "title", "content", "priority", "enabled", "created_at", "updated_at",
+	}).AddRow("inst-1", "global", nil, "Be kind", "Always be kind", 10, true,
+		time.Now(), time.Now())
 
-	rows := sqlmock.NewRows(instructionCols).
-		AddRow("inst-g", "global", nil, "Global Rule", "Follow policy.", 10, true, time.Now(), time.Now())
-	mock.ExpectQuery("SELECT id, scope, scope_target, title, content, priority, enabled, created_at, updated_at FROM platform_instructions WHERE 1=1").
+	mock.ExpectQuery(regexp.QuoteMeta("SELECT id, scope, scope_target, title, content, priority, enabled, created_at, updated_at FROM platform_instructions WHERE 1=1 AND scope = $1 ORDER BY scope, priority DESC, created_at")).
 		WithArgs("global").
 		WillReturnRows(rows)
 
-	h.List(c)
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("GET", "/instructions?scope=global", nil)
+
+	handler.List(c)
 
 	if w.Code != http.StatusOK {
-		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+		t.Fatalf("expected 200, got %d", w.Code)
 	}
-	var out []Instruction
-	if err := json.Unmarshal(w.Body.Bytes(), &out); err != nil {
-		t.Fatalf("response not valid JSON: %v", err)
+	var result []Instruction
+	if err := json.Unmarshal(w.Body.Bytes(), &result); err != nil {
+		t.Fatalf("invalid JSON: %v", err)
 	}
-	if len(out) != 1 || out[0].Scope != "global" {
-		t.Errorf("unexpected response: %v", out)
+	if len(result) != 1 {
+		t.Fatalf("expected 1 instruction, got %d", len(result))
+	}
+	if result[0].Scope != "global" {
+		t.Errorf("expected scope 'global', got %q", result[0].Scope)
 	}
 	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet expectations: %v", err)
+		t.Fatalf("unmet expectations: %v", err)
 	}
 }
 
-func TestInstructionsList_AllNoParams(t *testing.T) {
+func TestInstructionsHandler_List_WithWorkspaceID(t *testing.T) {
 	mock := setupTestDB(t)
-	h := NewInstructionsHandler()
+	handler := NewInstructionsHandler()
+	wsID := "ws-test-123"
 
-	w, c := newGetRequest("/instructions")
+	rows := sqlmock.NewRows([]string{
+		"id", "scope", "scope_target", "title", "content", "priority", "enabled", "created_at", "updated_at",
+	}).AddRow("inst-1", "global", nil, "Global rule", "Stay safe", 5, true,
+		time.Now(), time.Now()).
+		AddRow("inst-2", "workspace", &wsID, "WS rule", "Use HTTPS", 10, true,
+			time.Now(), time.Now())
 
-	rows := sqlmock.NewRows(instructionCols)
-	mock.ExpectQuery("SELECT id, scope, scope_target, title, content, priority, enabled, created_at, updated_at FROM platform_instructions WHERE 1=1").
+	mock.ExpectQuery("SELECT id, scope, scope_target, title, content, priority, enabled, created_at, updated_at FROM platform_instructions WHERE enabled = true AND \\(").
+		WithArgs(wsID).
 		WillReturnRows(rows)
 
-	h.List(c)
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("GET", "/instructions?workspace_id="+wsID, nil)
+
+	handler.List(c)
 
 	if w.Code != http.StatusOK {
-		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+		t.Fatalf("expected 200, got %d", w.Code)
 	}
-	var out []Instruction
-	if err := json.Unmarshal(w.Body.Bytes(), &out); err != nil {
-		t.Fatalf("response not valid JSON: %v", err)
+	var result []Instruction
+	if err := json.Unmarshal(w.Body.Bytes(), &result); err != nil {
+		t.Fatalf("invalid JSON: %v", err)
 	}
-	// Empty slice, not nil
-	if out == nil {
-		t.Error("expected empty slice, got nil")
+	if len(result) != 2 {
+		t.Fatalf("expected 2 instructions, got %d", len(result))
 	}
 	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet expectations: %v", err)
+		t.Fatalf("unmet expectations: %v", err)
 	}
 }
 
-func TestInstructionsList_DBError(t *testing.T) {
+func TestInstructionsHandler_List_QueryError(t *testing.T) {
 	mock := setupTestDB(t)
-	h := NewInstructionsHandler()
-
-	w, c := newGetRequest("/instructions")
-	c.Request = httptest.NewRequest(http.MethodGet, "/instructions", nil)
+	handler := NewInstructionsHandler()
 
 	mock.ExpectQuery("SELECT id, scope, scope_target, title, content, priority, enabled, created_at, updated_at FROM platform_instructions WHERE 1=1").
-		WillReturnError(errors.New("connection refused"))
+		WillReturnError(context.DeadlineExceeded)
 
-	h.List(c)
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("GET", "/instructions", nil)
+
+	handler.List(c)
 
 	if w.Code != http.StatusInternalServerError {
-		t.Fatalf("expected 500, got %d: %s", w.Code, w.Body.String())
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet expectations: %v", err)
+		t.Fatalf("expected 500, got %d", w.Code)
 	}
 }
 
-// ─── Create ───────────────────────────────────────────────────────────────────
+// ── Create ──────────────────────────────────────────────────────────────────────
 
-func TestInstructionsCreate_ValidGlobal(t *testing.T) {
+func TestInstructionsHandler_Create_Success(t *testing.T) {
 	mock := setupTestDB(t)
-	h := NewInstructionsHandler()
-
-	w, c := newPostRequest("/instructions", map[string]interface{}{
-		"scope":    "global",
-		"title":    "Be Helpful",
-		"content":  "Always be helpful to the user.",
-		"priority": 10,
-	})
+	handler := NewInstructionsHandler()
 
 	mock.ExpectQuery("INSERT INTO platform_instructions").
-		WithArgs("global", nil, "Be Helpful", "Always be helpful to the user.", 10).
-		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow("new-inst-1"))
+		WithArgs("global", nil, "Be kind", "Always be kind", 5).
+		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow("new-inst-id"))
 
-	h.Create(c)
+	body, _ := json.Marshal(map[string]interface{}{
+		"scope":    "global",
+		"title":    "Be kind",
+		"content":  "Always be kind",
+		"priority": 5,
+	})
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("POST", "/instructions", bytes.NewReader(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Create(c)
 
 	if w.Code != http.StatusCreated {
 		t.Fatalf("expected 201, got %d: %s", w.Code, w.Body.String())
@@ -199,8 +219,8 @@ func TestInstructionsCreate_ValidGlobal(t *testing.T) {
 	if err := json.Unmarshal(w.Body.Bytes(), &out); err != nil {
 		t.Fatalf("response not valid JSON: %v", err)
 	}
-	if out["id"] != "new-inst-1" {
-		t.Errorf("expected id new-inst-1, got %s", out["id"])
+	if out["id"] != "new-inst-id" {
+		t.Errorf("expected id new-inst-id, got %s", out["id"])
 	}
 	if err := mock.ExpectationsWereMet(); err != nil {
 		t.Errorf("unmet expectations: %v", err)
@@ -299,56 +319,65 @@ func TestInstructionsCreate_InvalidScope(t *testing.T) {
 	}
 }
 
-func TestInstructionsCreate_WorkspaceScopeNoTarget(t *testing.T) {
+func TestInstructionsHandler_Create_WorkspaceScopeMissingScopeTarget(t *testing.T) {
 	setupTestDB(t)
-	h := NewInstructionsHandler()
+	handler := NewInstructionsHandler()
 
-	w, c := newPostRequest("/instructions", map[string]interface{}{
+	body, _ := json.Marshal(map[string]interface{}{
 		"scope":   "workspace",
-		"title":   "Missing Target",
-		"content": "Workspace scope without scope_target.",
+		"title":   "Test",
+		"content": "Test content",
 	})
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("POST", "/instructions", bytes.NewReader(body))
+	c.Request.Header.Set("Content-Type", "application/json")
 
-	h.Create(c)
+	handler.Create(c)
 
 	if w.Code != http.StatusBadRequest {
 		t.Fatalf("expected 400, got %d: %s", w.Code, w.Body.String())
 	}
 }
 
-func TestInstructionsCreate_ContentTooLong(t *testing.T) {
+func TestInstructionsHandler_Create_ContentTooLong(t *testing.T) {
 	setupTestDB(t)
-	h := NewInstructionsHandler()
+	handler := NewInstructionsHandler()
 
-	// Build a string longer than maxInstructionContentLen (8192).
-	longContent := string(make([]byte, maxInstructionContentLen+1))
-
-	w, c := newPostRequest("/instructions", map[string]interface{}{
+	longContent := string(bytes.Repeat([]byte("x"), 8193))
+	body, _ := json.Marshal(map[string]interface{}{
 		"scope":   "global",
-		"title":   "Too Long",
+		"title":   "Test",
 		"content": longContent,
 	})
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("POST", "/instructions", bytes.NewReader(body))
+	c.Request.Header.Set("Content-Type", "application/json")
 
-	h.Create(c)
+	handler.Create(c)
 
 	if w.Code != http.StatusBadRequest {
 		t.Fatalf("expected 400, got %d: %s", w.Code, w.Body.String())
 	}
 }
 
-func TestInstructionsCreate_TitleTooLong(t *testing.T) {
+func TestInstructionsHandler_Create_TitleTooLong(t *testing.T) {
 	setupTestDB(t)
-	h := NewInstructionsHandler()
+	handler := NewInstructionsHandler()
 
-	longTitle := string(make([]byte, 201))
-
-	w, c := newPostRequest("/instructions", map[string]interface{}{
+	longTitle := string(bytes.Repeat([]byte("x"), 201))
+	body, _ := json.Marshal(map[string]interface{}{
 		"scope":   "global",
 		"title":   longTitle,
-		"content": "Short content.",
+		"content": "Short content",
 	})
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("POST", "/instructions", bytes.NewReader(body))
+	c.Request.Header.Set("Content-Type", "application/json")
 
-	h.Create(c)
+	handler.Create(c)
 
 	if w.Code != http.StatusBadRequest {
 		t.Fatalf("expected 400, got %d: %s", w.Code, w.Body.String())
@@ -842,43 +871,250 @@ func TestInstructionsResolve_ScopeTransitionOnlyGlobal(t *testing.T) {
 	if w.Code != http.StatusOK {
 		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
 	}
-	var out struct {
-		Instructions string `json:"instructions"`
-	}
-	if err := json.Unmarshal(w.Body.Bytes(), &out); err != nil {
-		t.Fatalf("response not valid JSON: %v", err)
-	}
-	// Two global instructions share one section header.
-	if bytes.Count([]byte(out.Instructions), []byte("Platform-Wide Rules")) != 1 {
-		t.Error("expect exactly one 'Platform-Wide Rules' header for consecutive global rows")
-	}
 	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet expectations: %v", err)
+		t.Fatalf("unmet expectations: %v", err)
 	}
 }
 
-// ─── Update: empty body (all nil — no-op update) ─────────────────────────────
-
-func TestInstructionsUpdate_EmptyBody(t *testing.T) {
+func TestInstructionsHandler_Update_NotFound(t *testing.T) {
 	mock := setupTestDB(t)
-	h := NewInstructionsHandler()
+	handler := NewInstructionsHandler()
 
-	instID := "inst-empty-update"
-	w, c := newPutRequest("/instructions/"+instID, map[string]interface{}{})
-	c.Params = []gin.Param{{Key: "id", Value: instID}}
+	mock.ExpectExec(regexp.QuoteMeta("UPDATE platform_instructions SET\n\t\t\t\ttitle = COALESCE($2, title),\n\t\t\t\tcontent = COALESCE($3, content),\n\t\t\t\tpriority = COALESCE($4, priority),\n\t\t\t\tenabled = COALESCE($5, enabled),\n\t\t\t\tupdated_at = NOW()\n\t\t\t\tWHERE id = $1")).
+		WithArgs("nonexistent", sqlmock.AnyArg(), nil, nil, nil).
+		WillReturnResult(sqlmock.NewResult(0, 0))
 
-	// COALESCE(nil, ...) = unchanged; still updates updated_at.
-	// Args order: ($1=id, $2=title, $3=content, $4=priority, $5=enabled)
-	mock.ExpectExec("UPDATE platform_instructions SET").
-		WithArgs(instID, sqlmock.AnyArg(), sqlmock.AnyArg(), sqlmock.AnyArg(), sqlmock.AnyArg()).
+	body, _ := json.Marshal(map[string]interface{}{"title": "Updated title"})
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "nonexistent"}}
+	c.Request = httptest.NewRequest("PUT", "/instructions/nonexistent", bytes.NewReader(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Update(c)
+
+	if w.Code != http.StatusNotFound {
+		t.Fatalf("expected 404, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Fatalf("unmet expectations: %v", err)
+	}
+}
+
+func TestInstructionsHandler_Update_ContentTooLong(t *testing.T) {
+	setupTestDB(t)
+	handler := NewInstructionsHandler()
+
+	longContent := string(bytes.Repeat([]byte("x"), 8193))
+	body, _ := json.Marshal(map[string]interface{}{"content": longContent})
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "inst-1"}}
+	c.Request = httptest.NewRequest("PUT", "/instructions/inst-1", bytes.NewReader(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Update(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("expected 400, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestInstructionsHandler_Update_TitleTooLong(t *testing.T) {
+	setupTestDB(t)
+	handler := NewInstructionsHandler()
+
+	longTitle := string(bytes.Repeat([]byte("x"), 201))
+	body, _ := json.Marshal(map[string]interface{}{"title": longTitle})
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "inst-1"}}
+	c.Request = httptest.NewRequest("PUT", "/instructions/inst-1", bytes.NewReader(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Update(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("expected 400, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+// ── Delete ─────────────────────────────────────────────────────────────────────
+
+func TestInstructionsHandler_Delete_Success(t *testing.T) {
+	mock := setupTestDB(t)
+	handler := NewInstructionsHandler()
+
+	mock.ExpectExec(regexp.QuoteMeta("DELETE FROM platform_instructions WHERE id = $1")).
+		WithArgs("inst-1").
 		WillReturnResult(sqlmock.NewResult(0, 1))
 
-	h.Update(c)
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "inst-1"}}
+	c.Request = httptest.NewRequest("DELETE", "/instructions/inst-1", nil)
+
+	handler.Delete(c)
 
 	if w.Code != http.StatusOK {
-		t.Fatalf("expected 200 for empty body, got %d: %s", w.Code, w.Body.String())
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
 	}
 	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet expectations: %v", err)
+		t.Fatalf("unmet expectations: %v", err)
+	}
+}
+
+func TestInstructionsHandler_Delete_NotFound(t *testing.T) {
+	mock := setupTestDB(t)
+	handler := NewInstructionsHandler()
+
+	mock.ExpectExec(regexp.QuoteMeta("DELETE FROM platform_instructions WHERE id = $1")).
+		WithArgs("nonexistent").
+		WillReturnResult(sqlmock.NewResult(0, 0))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "nonexistent"}}
+	c.Request = httptest.NewRequest("DELETE", "/instructions/nonexistent", nil)
+
+	handler.Delete(c)
+
+	if w.Code != http.StatusNotFound {
+		t.Fatalf("expected 404, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Fatalf("unmet expectations: %v", err)
+	}
+}
+
+// ── Resolve ────────────────────────────────────────────────────────────────────
+
+func TestInstructionsHandler_Resolve_Empty(t *testing.T) {
+	mock := setupTestDB(t)
+	handler := NewInstructionsHandler()
+	wsID := "ws-resolve-1"
+
+	mock.ExpectQuery("SELECT scope, title, content FROM platform_instructions WHERE enabled = true AND").
+		WithArgs(wsID).
+		WillReturnRows(sqlmock.NewRows([]string{"scope", "title", "content"}))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: wsID}}
+	c.Request = httptest.NewRequest("GET", "/workspaces/"+wsID+"/instructions/resolve", nil)
+
+	handler.Resolve(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var resp map[string]interface{}
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("invalid JSON: %v", err)
+	}
+	if resp["workspace_id"] != wsID {
+		t.Errorf("expected workspace_id %q, got %v", wsID, resp["workspace_id"])
+	}
+	if resp["instructions"] != "" {
+		t.Errorf("expected empty instructions, got %q", resp["instructions"])
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Fatalf("unmet expectations: %v", err)
+	}
+}
+
+func TestInstructionsHandler_Resolve_WithInstructions(t *testing.T) {
+	mock := setupTestDB(t)
+	handler := NewInstructionsHandler()
+	wsID := "ws-resolve-2"
+
+	rows := sqlmock.NewRows([]string{"scope", "title", "content"}).
+		AddRow("global", "Be safe", "No SSRF").
+		AddRow("workspace", "WS Rule", "Use HTTPS")
+
+	mock.ExpectQuery("SELECT scope, title, content FROM platform_instructions WHERE enabled = true AND").
+		WithArgs(wsID).
+		WillReturnRows(rows)
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: wsID}}
+	c.Request = httptest.NewRequest("GET", "/workspaces/"+wsID+"/instructions/resolve", nil)
+
+	handler.Resolve(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var resp map[string]interface{}
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("invalid JSON: %v", err)
+	}
+	instructions, ok := resp["instructions"].(string)
+	if !ok {
+		t.Fatalf("instructions field is not a string: %T", resp["instructions"])
+	}
+	if instructions == "" {
+		t.Fatalf("expected non-empty instructions")
+	}
+	// Verify scope headers are present
+	if !bytes.Contains([]byte(instructions), []byte("Platform-Wide Rules")) {
+		t.Errorf("expected 'Platform-Wide Rules' header in instructions")
+	}
+	if !bytes.Contains([]byte(instructions), []byte("Role-Specific Rules")) {
+		t.Errorf("expected 'Role-Specific Rules' header in instructions")
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Fatalf("unmet expectations: %v", err)
+	}
+}
+
+func TestInstructionsHandler_Resolve_MissingWorkspaceID(t *testing.T) {
+	setupTestDB(t)
+	handler := NewInstructionsHandler()
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: ""}}
+	c.Request = httptest.NewRequest("GET", "/workspaces//instructions/resolve", nil)
+
+	handler.Resolve(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("expected 400, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+// scanInstructions is called by the List handler — verify it handles
+// rows.Err() gracefully without panicking.
+func TestInstructionsHandler_List_ScanErrorContinues(t *testing.T) {
+	mock := setupTestDB(t)
+	handler := NewInstructionsHandler()
+
+	rows := sqlmock.NewRows([]string{
+		"id", "scope", "scope_target", "title", "content", "priority", "enabled", "created_at", "updated_at",
+	}).AddRow("inst-1", "global", nil, "Good", "Content here", 5, true, time.Now(), time.Now()).
+		RowError(1, context.DeadlineExceeded) // error on row 2 (if it existed)
+
+	mock.ExpectQuery("SELECT id, scope, scope_target, title, content, priority, enabled, created_at, updated_at FROM platform_instructions WHERE 1=1").
+		WillReturnRows(rows)
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("GET", "/instructions", nil)
+
+	handler.List(c)
+
+	// Should still return 200 and the one valid row
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d", w.Code)
+	}
+	var result []Instruction
+	if err := json.Unmarshal(w.Body.Bytes(), &result); err != nil {
+		t.Fatalf("invalid JSON: %v", err)
+	}
+	// The valid row should still be returned (error is logged, not fatal)
+	if len(result) != 1 {
+		t.Fatalf("expected 1 instruction despite row error, got %d", len(result))
 	}
 }

workspace-server/internal/handlers/org_helpers.go

@@ -15,6 +15,7 @@ import (
 
 	"gopkg.in/yaml.v3"
 )
+
 // resolvePromptRef reads a prompt body from either an inline string or a
 // file ref relative to the workspace's files_dir. Inline always wins when
 // both are non-empty (caller-provided inline is more authoritative than a

workspace-server/internal/handlers/org_helpers_pure_test.go

@@ -104,8 +104,8 @@ func TestHasUnresolvedVarRef_Resolved(t *testing.T) {
 		// documents this design choice; callers who need empty=resolved should
 		// pre-process the output before calling hasUnresolvedVarRef.
 		{"${VAR}", "", true},
-		{"${VAR}", "value", false},                    // var replaced
-		{"$VAR", "value", false},                      // bare var replaced
+		{"${VAR}", "value", false}, // var replaced
+		{"$VAR", "value", false},   // bare var replaced
 		{"prefix${VAR}suffix", "prefixvaluesuffix", false},
 		{"${A}${B}", "ab", false},
 		// FOO=FOO and BAR=BAR — both vars found and replaced. Expanded output
@@ -125,14 +125,14 @@ func TestHasUnresolvedVarRef_Resolved(t *testing.T) {
 func TestHasUnresolvedVarRef_Unresolved(t *testing.T) {
 	// Expansion left the refs intact → unresolved.
 	cases := []struct {
-		orig    string
+		orig     string
 		expanded string
 	}{
-		{"${VAR}", "${VAR}"},       // untouched
-		{"$VAR", "$VAR"},           // bare untouched
+		{"${VAR}", "${VAR}"}, // untouched
+		{"$VAR", "$VAR"},     // bare untouched
 		{"prefix${VAR}suffix", "prefix${VAR}suffix"},
-		{"${A}${B}", "${A}${B}"},   // both unresolved
-		{"${FOO}", ""},             // empty result with var ref in original
+		{"${A}${B}", "${A}${B}"}, // both unresolved
+		{"${FOO}", ""},           // empty result with var ref in original
 	}
 	for _, tc := range cases {
 		t.Run(tc.orig, func(t *testing.T) {
@@ -205,8 +205,8 @@ func TestMergeCategoryRouting_WorkspaceOverrides(t *testing.T) {
 		"ui":       {"Frontend Engineer"},
 	}
 	ws := map[string][]string{
-		"security": {"SRE Team"}, // narrows
-		"ui":       {},           // drops
+		"security": {"SRE Team"},      // narrows
+		"ui":       {},                // drops
 		"infra":    {"Platform Team"}, // adds
 	}
 	r := mergeCategoryRouting(defaults, ws)
@@ -467,6 +467,44 @@ func TestExpandWithEnv_PartiallyPresent(t *testing.T) {
 	assert.Equal(t, "yes and ${NOT_SET}", result)
 }
 
+func TestExpandWithEnv_EmbeddedMissingProcessEnvStaysLiteral(t *testing.T) {
+	t.Setenv("MOL_TEST_EMBEDDED_MISSING", "")
+
+	result := expandWithEnv("prefix/${MOL_TEST_EMBEDDED_MISSING}/suffix", map[string]string{})
+	assert.Equal(t, "prefix/${MOL_TEST_EMBEDDED_MISSING}/suffix", result)
+}
+
+// POSIX identifier guard regression tests (CWE-78 fix).
+// Keys not starting with [a-zA-Z_] must not be looked up in env or os.Getenv.
+func TestExpandWithEnv_DigitPrefix_NotExpanded(t *testing.T) {
+	// ${0}, ${5}, ${1VAR} — numeric prefix → not a valid shell identifier.
+	// Guard must return "$0", "$5", "$1VAR" literally; no env lookup.
+	cases := []struct {
+		input string
+		want  string
+	}{
+		{"${0}", "$0"},
+		{"${5}", "$5"},
+		{"${1VAR}", "$1VAR"},
+		{"prefix ${0} suffix", "prefix $0 suffix"},
+		{"$0", "$0"},
+		{"$5", "$5"},
+		{"HOME=${HOME}", "HOME=${HOME}"}, // HOME is valid but embedded in larger string
+	}
+	for _, tc := range cases {
+		t.Run(tc.input, func(t *testing.T) {
+			got := expandWithEnv(tc.input, map[string]string{})
+			assert.Equal(t, tc.want, got)
+		})
+	}
+}
+
+func TestExpandWithEnv_EmptyKey_ReturnsDollar(t *testing.T) {
+	// ${} → "$" (empty key, guard returns "$")
+	result := expandWithEnv("value=${}", map[string]string{})
+	assert.Equal(t, "value=$", result)
+}
+
 // mergeCategoryRouting tests — unions defaults with per-workspace routing.
 
 // ── Additional coverage: mergeCategoryRouting ──────────────────────
@@ -546,8 +584,8 @@ func TestRenderCategoryRoutingYAML_SingleCategory(t *testing.T) {
 
 func TestRenderCategoryRoutingYAML_MultipleCategoriesSorted(t *testing.T) {
 	routing := map[string][]string{
-		"zebra":   {"RoleZ"},
-		"alpha":   {"RoleA"},
+		"zebra":      {"RoleZ"},
+		"alpha":      {"RoleA"},
 		"middleware": {"RoleM"},
 	}
 	result, err := renderCategoryRoutingYAML(routing)

workspace-server/internal/handlers/plugins_install_eic_test.go

@@ -342,6 +342,11 @@ func TestPluginInstall_InstanceLookupError_Returns503(t *testing.T) {
 // ---------- dispatch: uninstall ----------
 
 func TestPluginUninstall_SaaS_DispatchesToEIC(t *testing.T) {
+	mock := setupTestDB(t)
+	mock.ExpectExec("DELETE FROM workspace_plugins WHERE workspace_id").
+		WithArgs("ws-1", "browser-automation").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
 	stubReadPluginManifestViaEIC(t, func(ctx context.Context, instanceID, runtime, pluginName string) ([]byte, error) {
 		return []byte("name: browser-automation\nskills:\n  - browse\n"), nil
 	})

workspace-server/internal/handlers/plugins_test.go

@@ -629,6 +629,9 @@ func TestPluginInstall_RejectsUnknownScheme(t *testing.T) {
 }
 
 func TestPluginInstall_LocalSourceReachesContainerLookup(t *testing.T) {
+	mock := setupTestDB(t)
+	expectAllowlistAllowAll(mock)
+
 	base := t.TempDir()
 	pluginDir := filepath.Join(base, "demo")
 	_ = os.MkdirAll(pluginDir, 0o755)
@@ -955,14 +958,14 @@ func TestLogInstallLimitsOnce(t *testing.T) {
 
 func TestRegexpEscapeForAwk(t *testing.T) {
 	cases := map[string]string{
-		"my-plugin":                 `my-plugin`,
-		"# Plugin: foo /":           `# Plugin: foo \/`,
-		"# Plugin: a.b /":           `# Plugin: a\.b \/`,
-		"foo[bar]":                  `foo\[bar\]`,
-		"a*b+c?":                    `a\*b\+c\?`,
-		"path|with|pipes":           `path\|with\|pipes`,
-		`back\slash`:                `back\\slash`,
-		"":                          ``,
+		"my-plugin":       `my-plugin`,
+		"# Plugin: foo /": `# Plugin: foo \/`,
+		"# Plugin: a.b /": `# Plugin: a\.b \/`,
+		"foo[bar]":        `foo\[bar\]`,
+		"a*b+c?":          `a\*b\+c\?`,
+		"path|with|pipes": `path\|with\|pipes`,
+		`back\slash`:      `back\\slash`,
+		"":                ``,
 	}
 	for in, want := range cases {
 		got := regexpEscapeForAwk(in)
@@ -1247,7 +1250,7 @@ func TestPluginDownload_GithubSchemeStreamsTarball(t *testing.T) {
 		scheme: "github",
 		fetchFn: func(_ context.Context, _ string, dst string) (string, error) {
 			files := map[string]string{
-				"plugin.yaml":            "name: remote-plugin\nversion: 1.0.0\n",
+				"plugin.yaml":             "name: remote-plugin\nversion: 1.0.0\n",
 				"skills/x/SKILL.md":       "---\nname: x\n---\n",
 				"adapters/claude_code.py": "from plugins_registry.builtins import AgentskillsAdaptor as Adaptor\n",
 			}

workspace-server/internal/handlers/restart_signals.go

@@ -58,7 +58,7 @@ func (h *WorkspaceHandler) gracefulPreRestart(ctx context.Context, workspaceID s
 	// Non-blocking send — don't stall the restart cycle.
 	// Run in a detached goroutine so the caller (runRestartCycle) can
 	// proceed to stopForRestart without waiting.
-	go func() {
+	h.goAsync(func() {
 		signalCtx, cancel := context.WithTimeout(context.Background(), restartSignalTimeout)
 		defer cancel()
 
@@ -109,7 +109,7 @@ func (h *WorkspaceHandler) gracefulPreRestart(ctx context.Context, workspaceID s
 		} else {
 			log.Printf("A2AGracefulRestart: %s returned status %d — proceeding with stop", workspaceID, resp.StatusCode)
 		}
-	}()
+	})
 }
 
 // resolveAgentURLForRestartSignal returns the routable URL for the workspace

workspace-server/internal/handlers/restart_signals_test.go

@@ -271,6 +271,7 @@ func TestGracefulPreRestart_URLResolutionError(t *testing.T) {
 		WorkspaceHandler: newHandlerWithTestDeps(t),
 		errToReturn:      context.DeadlineExceeded,
 	}
+	waitForHandlerAsyncBeforeDBCleanup(t, hWrapper.WorkspaceHandler)
 
 	hWrapper.gracefulPreRestart(context.Background(), "ws-url-err-111")
 	time.Sleep(200 * time.Millisecond)

workspace-server/internal/handlers/templates.go

@@ -186,11 +186,16 @@ func (h *TemplatesHandler) List(c *gin.Context) {
 			model = raw.RuntimeConfig.Model
 		}
 
+		tier := raw.Tier
+		if h.wh != nil && h.wh.IsSaaS() {
+			tier = h.wh.DefaultTier()
+		}
+
 		templates = append(templates, templateSummary{
 			ID:                      id,
 			Name:                    raw.Name,
 			Description:             raw.Description,
-			Tier:                    raw.Tier,
+			Tier:                    tier,
 			Runtime:                 raw.Runtime,
 			Model:                   model,
 			Models:                  raw.RuntimeConfig.Models,
@@ -340,6 +345,11 @@ func (h *TemplatesHandler) ListFiles(c *gin.Context) {
 		if err != nil || path == walkRoot {
 			return nil
 		}
+		// Skip symlinks to prevent path traversal via malicious symlinks
+		// inside the workspace config directory (OFFSEC-010).
+		if info.Mode()&os.ModeSymlink != 0 {
+			return nil
+		}
 		rel, _ := filepath.Rel(walkRoot, path)
 		// Enforce depth limit
 		if strings.Count(rel, string(filepath.Separator))+1 > depth {

workspace-server/internal/handlers/templates_test.go

@@ -847,6 +847,58 @@ func TestListFiles_FallbackToHost_WithTemplate(t *testing.T) {
 	}
 }
 
+func TestListFiles_FallbackToHost_SkipsSymlinks(t *testing.T) {
+	mock := setupTestDB(t)
+	setupTestRedis(t)
+
+	tmpDir := t.TempDir()
+	tmplDir := filepath.Join(tmpDir, "test-agent")
+	if err := os.MkdirAll(tmplDir, 0755); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(filepath.Join(tmplDir, "config.yaml"), []byte("name: Test Agent\n"), 0644); err != nil {
+		t.Fatal(err)
+	}
+	secret := filepath.Join(t.TempDir(), "secret.txt")
+	if err := os.WriteFile(secret, []byte("do-not-list"), 0600); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.Symlink(secret, filepath.Join(tmplDir, "leaked-secret")); err != nil {
+		t.Fatal(err)
+	}
+
+	handler := NewTemplatesHandler(tmpDir, nil, nil)
+
+	mock.ExpectQuery(`SELECT name, COALESCE\(instance_id, ''\), COALESCE\(runtime, ''\) FROM workspaces WHERE id =`).
+		WithArgs("ws-tmpl").
+		WillReturnRows(sqlmock.NewRows([]string{"name", "instance_id", "runtime"}).AddRow("Test Agent", "", ""))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "ws-tmpl"}}
+	c.Request = httptest.NewRequest("GET", "/workspaces/ws-tmpl/files", nil)
+
+	handler.ListFiles(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+
+	var resp []map[string]interface{}
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatal(err)
+	}
+	for _, file := range resp {
+		if file["path"] == "leaked-secret" {
+			t.Fatalf("symlink should not be listed: %#v", resp)
+		}
+	}
+
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
 // ==================== GET /workspaces/:id/files/*path ====================
 
 func TestReadFile_PathTraversal(t *testing.T) {
@@ -1200,4 +1252,3 @@ func TestCWE78_DeleteFile_TraversalVariants(t *testing.T) {
 		})
 	}
 }
-

workspace-server/internal/handlers/terminal_test.go

@@ -340,6 +340,11 @@ func TestSSHCommandCmd_BuildsArgv(t *testing.T) {
 // a workspace must still be able to access its own terminal. The CanCommunicate
 // fast-path returns true when callerID == targetID.
 func TestTerminalConnect_KI005_AllowsOwnTerminal(t *testing.T) {
+	mock := setupTestDB(t)
+	mock.ExpectQuery("SELECT COALESCE").
+		WithArgs("ws-alice").
+		WillReturnRows(sqlmock.NewRows([]string{"instance_id"}).AddRow(""))
+
 	// CanCommunicate fast-path: callerID == targetID → returns true without DB.
 	prev := canCommunicateCheck
 	canCommunicateCheck = func(callerID, targetID string) bool { return callerID == targetID }
@@ -367,6 +372,11 @@ func TestTerminalConnect_KI005_AllowsOwnTerminal(t *testing.T) {
 // skip the CanCommunicate check entirely and fall through to the Docker auth path.
 // We assert they get the nil-docker 503 instead of 403.
 func TestTerminalConnect_KI005_SkipsCheckWithoutHeader(t *testing.T) {
+	mock := setupTestDB(t)
+	mock.ExpectQuery("SELECT COALESCE").
+		WithArgs("ws-any").
+		WillReturnRows(sqlmock.NewRows([]string{"instance_id"}).AddRow(""))
+
 	h := NewTerminalHandler(nil) // nil docker → 503 if reached
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -439,6 +449,9 @@ func TestTerminalConnect_KI005_AllowsSiblingWorkspace(t *testing.T) {
 	mock.ExpectExec(`UPDATE workspace_auth_tokens SET last_used_at`).
 		WithArgs(sqlmock.AnyArg()).
 		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectQuery("SELECT COALESCE").
+		WithArgs("ws-dev").
+		WillReturnRows(sqlmock.NewRows([]string{"instance_id"}).AddRow(""))
 
 	h := NewTerminalHandler(nil)
 	w := httptest.NewRecorder()
@@ -463,7 +476,10 @@ func TestTerminalConnect_KI005_AllowsSiblingWorkspace(t *testing.T) {
 // introduced in GH#1885: internal routing uses org tokens which are not in
 // workspace_auth_tokens, so ValidateToken would always fail for them.
 func TestKI005_OrgToken_SkipsValidateToken(t *testing.T) {
-	setupTestDB(t) // no ValidateToken ExpectQuery — none should fire
+	mock := setupTestDB(t) // no ValidateToken ExpectQuery — none should fire
+	mock.ExpectQuery("SELECT COALESCE").
+		WithArgs("ws-target").
+		WillReturnRows(sqlmock.NewRows([]string{"instance_id"}).AddRow(""))
 	prev := canCommunicateCheck
 	canCommunicateCheck = func(callerID, targetID string) bool {
 		// Simulate platform agent → target workspace (same org).
@@ -544,4 +560,3 @@ func TestSSHCommandCmd_ConnectTimeoutPresent(t *testing.T) {
 			args)
 	}
 }
-

workspace-server/internal/handlers/workspace.go

@@ -164,15 +164,14 @@ func (h *WorkspaceHandler) Create(c *gin.Context) {
 
 	id := uuid.New().String()
 	awarenessNamespace := workspaceAwarenessNamespace(id)
-	if payload.Tier == 0 {
-		// SaaS-aware default. SaaS → T4 (full host access; each
-		// workspace runs on its own sibling EC2 so the tier boundary
-		// is a Docker resource limit on the only container present —
-		// no neighbour to protect from). Self-hosted → T3 (read-write
-		// workspace mount + Docker daemon access, most templates'
-		// baseline). Lower tiers (T1 sandboxed, T2 standard) remain
-		// explicit opt-ins for low-trust agents. Matches the canvas
-		// CreateWorkspaceDialog defaults so the API and the UI agree.
+	if h.IsSaaS() {
+		// SaaS hard gate: every hosted workspace gets its own sibling
+		// EC2 instance, so T4 is the only meaningful runtime boundary.
+		// Do not trust stale clients/templates that still send T1/T2/T3.
+		payload.Tier = 4
+	} else if payload.Tier == 0 {
+		// Self-hosted default remains T3. Lower tiers (T1 sandboxed,
+		// T2 standard) stay explicit opt-ins for low-trust local agents.
 		payload.Tier = h.DefaultTier()
 	}
 

workspace-server/internal/handlers/workspace_broadcast.go

@@ -3,7 +3,7 @@ package handlers
 // workspace_broadcast.go — POST /workspaces/:id/broadcast
 //
 // Allows a workspace with broadcast_enabled=true to send a message to every
-// non-removed agent workspace in the org.  The message is:
+// non-removed agent workspace in the SAME ORG.  The message is:
 //
 //   • Persisted in each recipient's activity_logs (type='broadcast_receive')
 //     so poll-mode agents pick it up via GET /activity.
@@ -16,6 +16,11 @@ package handlers
 // Auth: WorkspaceAuth (the agent triggers this with its own bearer token).
 // The handler re-validates broadcast_enabled inside the DB lookup to prevent
 // TOCTOU — the middleware only proved the token is valid, not the ability.
+//
+// Org isolation (OFFSEC-015): recipients are scoped to the sender's org using
+// a recursive CTE that walks the parent_id chain to find the org root. This
+// prevents a compromised or misconfigured workspace from broadcasting to
+// workspaces in other tenants' orgs.
 
 import (
 	"log"
@@ -74,11 +79,49 @@ func (h *BroadcastHandler) Broadcast(c *gin.Context) {
 		return
 	}
 
-	// Collect all non-removed agent workspaces (excludes the sender itself).
-	rows, err := db.DB.QueryContext(ctx,
-		`SELECT id FROM workspaces WHERE status != 'removed' AND id != $1`,
-		senderID,
-	)
+	// Find the sender's org root by walking the parent_id chain.
+	// Workspaces with parent_id = NULL are org roots; every other workspace
+	// belongs to the org identified by its topmost ancestor.
+	var orgRootID string
+	err = db.DB.QueryRowContext(ctx, `
+		WITH RECURSIVE org_chain AS (
+			SELECT id, parent_id, id AS root_id
+			FROM workspaces
+			WHERE id = $1
+			UNION ALL
+			SELECT w.id, w.parent_id, c.root_id
+			FROM workspaces w
+			JOIN org_chain c ON w.id = c.parent_id
+		)
+		SELECT root_id FROM org_chain WHERE parent_id IS NULL LIMIT 1
+	`, senderID).Scan(&orgRootID)
+	if err != nil {
+		log.Printf("Broadcast: org root lookup for %s: %v", senderID, err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "internal error"})
+		return
+	}
+
+	// Collect all non-removed agent workspaces in the SAME ORG (same root_id),
+	// excluding the sender itself.
+	rows, err := db.DB.QueryContext(ctx, `
+		WITH RECURSIVE org_chain AS (
+			SELECT id, parent_id, id AS root_id
+			FROM workspaces
+			WHERE parent_id IS NULL
+			UNION ALL
+			SELECT w.id, w.parent_id, c.root_id
+			FROM workspaces w
+			JOIN org_chain c ON w.parent_id = c.id
+		)
+		SELECT c.id
+		FROM org_chain c
+		WHERE c.root_id = $1
+		  AND c.id != $2
+		  AND EXISTS (
+			  SELECT 1 FROM workspaces w
+			  WHERE w.id = c.id AND w.status != 'removed'
+		  )
+	`, orgRootID, senderID)
 	if err != nil {
 		log.Printf("Broadcast: recipient query failed for %s: %v", senderID, err)
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "internal error"})

workspace-server/internal/handlers/workspace_broadcast_test.go

@@ -0,0 +1,428 @@
+package handlers
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/DATA-DOG/go-sqlmock"
+	"github.com/gin-gonic/gin"
+)
+
+// -------- Org-scoped recipient query tests (OFFSEC-015) --------
+
+// TestBroadcast_OrgScopedRecipients verifies that a broadcast from Org-A does
+// NOT reach workspaces belonging to Org-B. This is the core regression test
+// for OFFSEC-015: the original query had no org filter, so a workspace in
+// Org-A could broadcast to every non-removed workspace in the entire DB,
+// including workspaces owned by other tenants.
+func TestBroadcast_OrgScopedRecipients(t *testing.T) {
+	mock := setupTestDB(t)
+	broadcaster := newTestBroadcaster()
+	handler := NewBroadcastHandler(broadcaster)
+
+	// Org-A structure:
+	//   org-a-root  (parent_id = NULL)  ← sender
+	//   ├── ws-a-child
+	// Org-B structure:
+	//   org-b-root  (parent_id = NULL)
+	//   └── ws-b-child
+	senderID := "00000000-0000-0000-0000-000000000001" // org-a-root
+	wsAChild := "00000000-0000-0000-0000-000000000002"
+	// ws-b-child is in Org-B (different root); the org-scoped query MUST NOT include it.
+
+	// 1. Sender lookup
+	mock.ExpectQuery(`SELECT name, broadcast_enabled FROM workspaces WHERE id = \$1 AND status != 'removed'`).
+		WithArgs(senderID).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "broadcast_enabled"}).AddRow("Org-A Root", true))
+
+	// 2. Org root lookup — sender is its own root (parent_id = NULL)
+	mock.ExpectQuery(`WITH RECURSIVE org_chain AS`).
+		WithArgs(senderID).
+		WillReturnRows(sqlmock.NewRows([]string{"root_id"}).AddRow(senderID))
+
+	// 3. Org-scoped recipient query — MUST include org filter so ws-b-child is NOT included.
+	// The query joins on org_chain.root_id = orgRootID, which scopes to Org-A only.
+	mock.ExpectQuery(`WITH RECURSIVE org_chain AS`).
+		WithArgs(senderID, senderID). // orgRootID, senderID (EXCLUDED)
+		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow(wsAChild)) // only Org-A child
+
+	// Activity log inserts
+	mock.ExpectExec(`INSERT INTO activity_logs`).WithArgs(wsAChild, senderID, sqlmock.AnyArg()).WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec(`INSERT INTO activity_logs`).WithArgs(senderID, sqlmock.AnyArg()).WillReturnResult(sqlmock.NewResult(0, 1))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: senderID}}
+	body := `{"message":"hello from org-a"}`
+	c.Request = httptest.NewRequest("POST", "/workspaces/"+senderID+"/broadcast", bytes.NewBufferString(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Broadcast(c)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+
+	var resp map[string]interface{}
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("failed to unmarshal response: %v", err)
+	}
+	if resp["status"] != "sent" {
+		t.Errorf("expected status 'sent', got %v", resp["status"])
+	}
+	// ws-b-child is in a DIFFERENT org — the org-scoped query MUST NOT include it.
+	// If it were included, the mock would have an unmet expectation.
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet mock expectations — cross-org workspace was included in broadcast: %v", err)
+	}
+}
+
+// TestBroadcast_OrgScoped_OrgRootSender verifies that when the sender IS the
+// org root (parent_id = NULL), broadcasts still reach sibling workspaces.
+func TestBroadcast_OrgScoped_OrgRootSender(t *testing.T) {
+	mock := setupTestDB(t)
+	broadcaster := newTestBroadcaster()
+	handler := NewBroadcastHandler(broadcaster)
+
+	senderID := "00000000-0000-0000-0000-000000000001" // org-a-root
+	siblingID := "00000000-0000-0000-0000-000000000002"
+
+	mock.ExpectQuery(`SELECT name, broadcast_enabled FROM workspaces WHERE id = \$1 AND status != 'removed'`).
+		WithArgs(senderID).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "broadcast_enabled"}).AddRow("Root Agent", true))
+
+	// Sender is the org root — CTE returns sender's own ID as root
+	mock.ExpectQuery(`WITH RECURSIVE org_chain AS`).
+		WithArgs(senderID).
+		WillReturnRows(sqlmock.NewRows([]string{"root_id"}).AddRow(senderID))
+
+	// Recipients in same org, excluding sender
+	mock.ExpectQuery(`WITH RECURSIVE org_chain AS`).
+		WithArgs(senderID, senderID).
+		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow(siblingID))
+
+	mock.ExpectExec(`INSERT INTO activity_logs`).WithArgs(siblingID, senderID, sqlmock.AnyArg()).WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec(`INSERT INTO activity_logs`).WithArgs(senderID, sqlmock.AnyArg()).WillReturnResult(sqlmock.NewResult(0, 1))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: senderID}}
+	body := `{"message":"hello siblings"}`
+	c.Request = httptest.NewRequest("POST", "/workspaces/"+senderID+"/broadcast", bytes.NewBufferString(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Broadcast(c)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}
+
+// TestBroadcast_OrgScoped_ChildWorkspaceSender verifies that a non-root child
+// workspace can broadcast to siblings in the same org.
+func TestBroadcast_OrgScoped_ChildWorkspaceSender(t *testing.T) {
+	mock := setupTestDB(t)
+	broadcaster := newTestBroadcaster()
+	handler := NewBroadcastHandler(broadcaster)
+
+	orgRootID := "00000000-0000-0000-0000-000000000001"
+	senderID := "00000000-0000-0000-0000-000000000002" // child workspace
+	siblingID := "00000000-0000-0000-0000-000000000003"
+
+	mock.ExpectQuery(`SELECT name, broadcast_enabled FROM workspaces WHERE id = \$1 AND status != 'removed'`).
+		WithArgs(senderID).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "broadcast_enabled"}).AddRow("Child Agent", true))
+
+	// Org root lookup — walk up to find org-a-root
+	mock.ExpectQuery(`WITH RECURSIVE org_chain AS`).
+		WithArgs(senderID).
+		WillReturnRows(sqlmock.NewRows([]string{"root_id"}).AddRow(orgRootID))
+
+	// Recipients: same org, excluding sender
+	mock.ExpectQuery(`WITH RECURSIVE org_chain AS`).
+		WithArgs(orgRootID, senderID).
+		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow(siblingID))
+
+	mock.ExpectExec(`INSERT INTO activity_logs`).WithArgs(siblingID, senderID, sqlmock.AnyArg()).WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec(`INSERT INTO activity_logs`).WithArgs(senderID, sqlmock.AnyArg()).WillReturnResult(sqlmock.NewResult(0, 1))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: senderID}}
+	body := `{"message":"child broadcasting"}`
+	c.Request = httptest.NewRequest("POST", "/workspaces/"+senderID+"/broadcast", bytes.NewBufferString(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Broadcast(c)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}
+
+// -------- Non-regression cases --------
+
+func TestBroadcast_NotFound(t *testing.T) {
+	mock := setupTestDB(t)
+	broadcaster := newTestBroadcaster()
+	handler := NewBroadcastHandler(broadcaster)
+
+	senderID := "00000000-0000-0000-0000-000000000099"
+	// UUID is valid, but no workspace row matches
+	mock.ExpectQuery(`SELECT name, broadcast_enabled FROM workspaces WHERE id = \$1 AND status != 'removed'`).
+		WithArgs(senderID).
+		WillReturnError(errors.New("workspace not found"))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: senderID}}
+	body := `{"message":"test"}`
+	c.Request = httptest.NewRequest("POST", "/workspaces/"+senderID+"/broadcast", bytes.NewBufferString(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Broadcast(c)
+
+	if w.Code != http.StatusNotFound {
+		t.Errorf("expected 404, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}
+
+func TestBroadcast_Disabled(t *testing.T) {
+	mock := setupTestDB(t)
+	broadcaster := newTestBroadcaster()
+	handler := NewBroadcastHandler(broadcaster)
+
+	senderID := "00000000-0000-0000-0000-000000000001"
+	mock.ExpectQuery(`SELECT name, broadcast_enabled FROM workspaces WHERE id = \$1 AND status != 'removed'`).
+		WithArgs(senderID).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "broadcast_enabled"}).AddRow("Disabled Agent", false))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: senderID}}
+	body := `{"message":"should not send"}`
+	c.Request = httptest.NewRequest("POST", "/workspaces/"+senderID+"/broadcast", bytes.NewBufferString(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Broadcast(c)
+
+	if w.Code != http.StatusForbidden {
+		t.Errorf("expected 403, got %d: %s", w.Code, w.Body.String())
+	}
+	var resp map[string]interface{}
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("failed to unmarshal: %v", err)
+	}
+	if resp["error"] != "broadcast_disabled" {
+		t.Errorf("expected error 'broadcast_disabled', got %v", resp["error"])
+	}
+}
+
+func TestBroadcast_EmptyOrg_NoRecipients(t *testing.T) {
+	mock := setupTestDB(t)
+	broadcaster := newTestBroadcaster()
+	handler := NewBroadcastHandler(broadcaster)
+
+	senderID := "00000000-0000-0000-0000-000000000001" // org root, only workspace in org
+
+	mock.ExpectQuery(`SELECT name, broadcast_enabled FROM workspaces WHERE id = \$1 AND status != 'removed'`).
+		WithArgs(senderID).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "broadcast_enabled"}).AddRow("Lone Root", true))
+
+	mock.ExpectQuery(`WITH RECURSIVE org_chain AS`).
+		WithArgs(senderID).
+		WillReturnRows(sqlmock.NewRows([]string{"root_id"}).AddRow(senderID))
+
+	// No other workspaces in this org
+	mock.ExpectQuery(`WITH RECURSIVE org_chain AS`).
+		WithArgs(senderID, senderID).
+		WillReturnRows(sqlmock.NewRows([]string{"id"}))
+
+	mock.ExpectExec(`INSERT INTO activity_logs`).WithArgs(senderID, sqlmock.AnyArg()).WillReturnResult(sqlmock.NewResult(0, 1))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: senderID}}
+	body := `{"message":"hello org"}`
+	c.Request = httptest.NewRequest("POST", "/workspaces/"+senderID+"/broadcast", bytes.NewBufferString(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Broadcast(c)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var resp map[string]interface{}
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("failed to unmarshal: %v", err)
+	}
+	if resp["delivered"] != float64(0) {
+		t.Errorf("expected delivered=0, got %v", resp["delivered"])
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}
+
+func TestBroadcast_InvalidWorkspaceID(t *testing.T) {
+	setupTestDB(t)
+	broadcaster := newTestBroadcaster()
+	handler := NewBroadcastHandler(broadcaster)
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "not-a-uuid"}}
+	body := `{"message":"test"}`
+	c.Request = httptest.NewRequest("POST", "/workspaces/not-a-uuid/broadcast", bytes.NewBufferString(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Broadcast(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestBroadcast_MissingMessage(t *testing.T) {
+	setupTestDB(t)
+	broadcaster := newTestBroadcaster()
+	handler := NewBroadcastHandler(broadcaster)
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "00000000-0000-0000-0000-000000000001"}}
+	c.Request = httptest.NewRequest("POST", "/workspaces/00000000-0000-0000-0000-000000000001/broadcast", bytes.NewBufferString("{}"))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Broadcast(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+// TestBroadcast_OrgRootLookupFails verifies that if the recursive CTE for
+// finding the org root errors, the handler returns 500 instead of proceeding
+// with an un-scoped query that would broadcast to all orgs.
+func TestBroadcast_OrgRootLookupFails(t *testing.T) {
+	mock := setupTestDB(t)
+	broadcaster := newTestBroadcaster()
+	handler := NewBroadcastHandler(broadcaster)
+
+	senderID := "00000000-0000-0000-0000-000000000001"
+
+	mock.ExpectQuery(`SELECT name, broadcast_enabled FROM workspaces WHERE id = \$1 AND status != 'removed'`).
+		WithArgs(senderID).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "broadcast_enabled"}).AddRow("Root Agent", true))
+
+	// Org root CTE fails
+	mock.ExpectQuery(`WITH RECURSIVE org_chain AS`).
+		WithArgs(senderID).
+		WillReturnError(context.DeadlineExceeded)
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: senderID}}
+	body := `{"message":"should not broadcast"}`
+	c.Request = httptest.NewRequest("POST", "/workspaces/"+senderID+"/broadcast", bytes.NewBufferString(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Broadcast(c)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Errorf("expected 500, got %d: %s", w.Code, w.Body.String())
+	}
+	// The recipient query MUST NOT be called — it would broadcast cross-org
+	// if the org root lookup failed silently.
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}
+
+// TestBroadcast_OrgScoped_SelfBroadcastExcluded verifies that broadcasting
+// from a workspace does not send a broadcast_receive to the sender itself
+// (the sender logs broadcast_sent, not broadcast_receive).
+func TestBroadcast_OrgScoped_SelfBroadcastExcluded(t *testing.T) {
+	mock := setupTestDB(t)
+	broadcaster := newTestBroadcaster()
+	handler := NewBroadcastHandler(broadcaster)
+
+	senderID := "00000000-0000-0000-0000-000000000001"
+	peerID := "00000000-0000-0000-0000-000000000002"
+
+	mock.ExpectQuery(`SELECT name, broadcast_enabled FROM workspaces WHERE id = \$1 AND status != 'removed'`).
+		WithArgs(senderID).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "broadcast_enabled"}).AddRow("Root Agent", true))
+
+	mock.ExpectQuery(`WITH RECURSIVE org_chain AS`).
+		WithArgs(senderID).
+		WillReturnRows(sqlmock.NewRows([]string{"root_id"}).AddRow(senderID))
+
+	// Recipient query MUST exclude sender via id != senderID
+	mock.ExpectQuery(`WITH RECURSIVE org_chain AS`).
+		WithArgs(senderID, senderID).
+		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow(peerID))
+
+	// Peer receives broadcast_receive
+	mock.ExpectExec(`INSERT INTO activity_logs`).WithArgs(peerID, senderID, sqlmock.AnyArg()).WillReturnResult(sqlmock.NewResult(0, 1))
+	// Sender logs broadcast_sent (NOT broadcast_receive)
+	mock.ExpectExec(`INSERT INTO activity_logs`).WithArgs(senderID, sqlmock.AnyArg()).WillReturnResult(sqlmock.NewResult(0, 1))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: senderID}}
+	body := `{"message":"no echo to self"}`
+	c.Request = httptest.NewRequest("POST", "/workspaces/"+senderID+"/broadcast", bytes.NewBufferString(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Broadcast(c)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet expectations: %v", err)
+	}
+}
+
+// TestBroadcast_Truncate tests that messages are truncated with the Unicode ellipsis
+// TestBroadcast_Truncate tests that messages are truncated with the Unicode ellipsis
+// character (U+2026) when len(msg) > max. The truncated output is max runes + "…",
+// so truncating a 48-char string at max=20 produces 21 characters (20 runes + "…").
+func TestBroadcast_Truncate(t *testing.T) {
+	cases := []struct {
+		msg    string
+		max    int
+		expect string
+	}{
+		{"short", 120, "short"}, // under max — no truncation
+		// exactly120chars (15) + 105 ones = 120 chars; at max=120 → unchanged
+		{"exactly120chars1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111", 120, "exactly120chars111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111…"},
+		// "this is a longer mes" = 20 runes; + "…" = 21 chars
+		{"this is a longer message that needs truncating", 20, "this is a longer mes…"},
+		// at-max boundary: 20 chars at max=20 → no truncation
+		{"exactly twenty chars", 20, "exactly twenty chars"},
+		// over max: 11 chars at max=10 → 10 + "…" = 11
+		{"hello world!", 10, "hello worl…"},
+	}
+	for _, tc := range cases {
+		result := broadcastTruncate(tc.msg, tc.max)
+		if result != tc.expect {
+			t.Errorf("broadcastTruncate(%q, %d) = %q; want %q", tc.msg, tc.max, result, tc.expect)
+		}
+	}
+}

workspace-server/internal/handlers/workspace_provision.go

@@ -15,6 +15,7 @@ import (
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/models"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/provisioner"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/wsauth"
+	"gopkg.in/yaml.v3"
 )
 
 // logProvisionPanic is the deferred recover at the top of every provision
@@ -472,9 +473,10 @@ func configDirName(workspaceID string) string {
 // runtime means bumping both this list and the Docker image tags.
 // knownRuntimes is populated from manifest.json at service init (see
 // runtime_registry.go). The package init order is:
-//   1. var knownRuntimes = fallbackRuntimes
-//   2. init() calls initKnownRuntimes() which replaces it if
-//      manifest.json is readable.
+//  1. var knownRuntimes = fallbackRuntimes
+//  2. init() calls initKnownRuntimes() which replaces it if
+//     manifest.json is readable.
+//
 // The fallback matters for unit tests that don't mount the manifest.
 //
 // "external" is a first-class runtime that intentionally does NOT
@@ -539,6 +541,9 @@ func (h *WorkspaceHandler) ensureDefaultConfig(workspaceID string, payload model
 		// org_import.go; consolidating prevents silent drift.
 		model = models.DefaultModel(runtime)
 	}
+	if runtime == "claude-code" {
+		model = normalizeClaudeCodeModel(model)
+	}
 
 	// Sanitize name/role/model for YAML safety — always double-quote so
 	// a crafted value with a newline or colon can't terminate the scalar
@@ -554,6 +559,11 @@ func (h *WorkspaceHandler) ensureDefaultConfig(workspaceID string, payload model
 	quoteModel := yamlQuote(model)
 	configYAML := fmt.Sprintf("name: %s\ndescription: %s\nversion: 1.0.0\ntier: %d\nruntime: %s\n",
 		quoteName, quoteRole, payload.Tier, runtime)
+	if runtime == "claude-code" {
+		if providersYAML := h.defaultTemplateProvidersYAML(runtime); providersYAML != "" {
+			configYAML += providersYAML + "\n"
+		}
+	}
 
 	// Model always at top level — config.py reads raw["model"] for all runtimes.
 	configYAML += fmt.Sprintf("model: %s\n", quoteModel)
@@ -563,7 +573,11 @@ func (h *WorkspaceHandler) ensureDefaultConfig(workspaceID string, payload model
 	// and preflight already validates that the env vars are present before
 	// the agent loop starts.  Hardcoding token names here caused #1028
 	// (expired CLAUDE_CODE_OAUTH_TOKEN baked into config.yaml).
-	configYAML += "runtime_config:\n  timeout: 0\n"
+	configYAML += "runtime_config:\n"
+	if runtime == "claude-code" {
+		configYAML += fmt.Sprintf("  model: %s\n", quoteModel)
+	}
+	configYAML += "  timeout: 0\n"
 
 	files["config.yaml"] = []byte(configYAML)
 
@@ -571,6 +585,60 @@ func (h *WorkspaceHandler) ensureDefaultConfig(workspaceID string, payload model
 	return files
 }
 
+func normalizeClaudeCodeModel(model string) string {
+	model = strings.TrimSpace(model)
+	if before, after, ok := strings.Cut(model, "/"); ok && before != "" && after != "" {
+		return after
+	}
+	return model
+}
+
+func (h *WorkspaceHandler) defaultTemplateProvidersYAML(runtime string) string {
+	if h.configsDir == "" {
+		return ""
+	}
+	templateName := runtime + "-default"
+	templatePath, err := resolveInsideRoot(h.configsDir, templateName)
+	if err != nil {
+		log.Printf("Provisioner: default template providers skipped for runtime %s: %v", runtime, err)
+		return ""
+	}
+	data, err := os.ReadFile(filepath.Join(templatePath, "config.yaml"))
+	if err != nil {
+		return ""
+	}
+
+	var root yaml.Node
+	if err := yaml.Unmarshal(data, &root); err != nil {
+		log.Printf("Provisioner: default template providers skipped for runtime %s: invalid YAML: %v", runtime, err)
+		return ""
+	}
+	if len(root.Content) == 0 || root.Content[0].Kind != yaml.MappingNode {
+		return ""
+	}
+
+	mapping := root.Content[0]
+	for i := 0; i+1 < len(mapping.Content); i += 2 {
+		if mapping.Content[i].Value != "providers" {
+			continue
+		}
+		out := yaml.Node{
+			Kind: yaml.MappingNode,
+			Content: []*yaml.Node{
+				{Kind: yaml.ScalarNode, Value: "providers"},
+				mapping.Content[i+1],
+			},
+		}
+		encoded, err := yaml.Marshal(&out)
+		if err != nil {
+			log.Printf("Provisioner: default template providers skipped for runtime %s: marshal failed: %v", runtime, err)
+			return ""
+		}
+		return strings.TrimRight(string(encoded), "\n")
+	}
+	return ""
+}
+
 // deriveProviderFromModelSlug maps a hermes-agent model slug prefix to
 // its provider name — a Go translation of the case statement in
 // workspace-configs-templates/hermes/scripts/derive-provider.sh that we

workspace-server/internal/handlers/workspace_provision_auto_test.go

@@ -144,6 +144,7 @@ func TestProvisionWorkspaceAuto_RoutesToCPWhenSet(t *testing.T) {
 	rec := &trackingCPProv{startErr: errors.New("simulated CP rejection")}
 	bcast := &concurrentSafeBroadcaster{}
 	h := NewWorkspaceHandler(bcast, nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, h)
 	h.SetCPProvisioner(rec)
 
 	wsID := "ws-routes-to-cp-0123456789abcdef"
@@ -595,6 +596,7 @@ func TestRestartWorkspaceAuto_RoutesToCPWhenSet(t *testing.T) {
 
 	// Mock DB so cpStopWithRetry can run without a real Postgres.
 	mock := setupTestDB(t)
+	waitForHandlerAsyncBeforeDBCleanup(t, h)
 	mock.MatchExpectationsInOrder(false)
 	// provisionWorkspaceCP runs in the goroutine and will hit secrets
 	// SELECTs + UPDATE workspace as failed (we make CP Start return
@@ -670,6 +672,7 @@ func TestRestartWorkspaceAuto_RoutesToDockerWhenOnlyDocker(t *testing.T) {
 
 	bcast := &concurrentSafeBroadcaster{}
 	h := NewWorkspaceHandler(bcast, nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, h)
 	stub := &stoppingLocalProv{}
 	h.provisioner = stub
 

workspace-server/internal/handlers/workspace_provision_test.go

@@ -2,6 +2,7 @@ package handlers
 
 import (
 	"context"
+	"database/sql"
 	"fmt"
 	"net/http"
 	"os"
@@ -260,6 +261,67 @@ func TestEnsureDefaultConfig_ClaudeCode(t *testing.T) {
 	}
 }
 
+func TestEnsureDefaultConfig_ClaudeCodeCopiesProviderRegistry(t *testing.T) {
+	broadcaster := newTestBroadcaster()
+	configsDir := t.TempDir()
+	templateDir := filepath.Join(configsDir, "claude-code-default")
+	if err := os.MkdirAll(templateDir, 0o755); err != nil {
+		t.Fatalf("mkdir template: %v", err)
+	}
+	if err := os.WriteFile(filepath.Join(templateDir, "config.yaml"), []byte(`
+name: Claude Code Agent
+runtime: claude-code
+providers:
+  - name: anthropic-oauth
+    auth_mode: oauth
+    model_aliases: [sonnet]
+    auth_env: [CLAUDE_CODE_OAUTH_TOKEN]
+  - name: minimax
+    auth_mode: third_party_anthropic_compat
+    model_prefixes: [minimax-]
+    base_url: https://api.minimax.io/anthropic
+    auth_env: [MINIMAX_API_KEY, ANTHROPIC_AUTH_TOKEN]
+runtime_config:
+  model: sonnet
+`), 0o644); err != nil {
+		t.Fatalf("write template: %v", err)
+	}
+	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", configsDir)
+
+	files := handler.ensureDefaultConfig("ws-code-123", models.CreateWorkspacePayload{
+		Name:    "Code Agent",
+		Tier:    4,
+		Runtime: "claude-code",
+		Model:   "minimax/MiniMax-M2.7",
+	})
+
+	var parsed struct {
+		Model     string `yaml:"model"`
+		Providers []struct {
+			Name          string   `yaml:"name"`
+			ModelPrefixes []string `yaml:"model_prefixes"`
+		} `yaml:"providers"`
+		RuntimeConfig struct {
+			Model string `yaml:"model"`
+		} `yaml:"runtime_config"`
+	}
+	if err := yaml.Unmarshal(files["config.yaml"], &parsed); err != nil {
+		t.Fatalf("generated YAML invalid: %v\n%s", err, files["config.yaml"])
+	}
+	if parsed.Model != "MiniMax-M2.7" {
+		t.Fatalf("top-level model = %q, want MiniMax-M2.7\n%s", parsed.Model, files["config.yaml"])
+	}
+	if parsed.RuntimeConfig.Model != "MiniMax-M2.7" {
+		t.Fatalf("runtime_config.model = %q, want MiniMax-M2.7\n%s", parsed.RuntimeConfig.Model, files["config.yaml"])
+	}
+	if len(parsed.Providers) != 2 {
+		t.Fatalf("providers len = %d, want 2\n%s", len(parsed.Providers), files["config.yaml"])
+	}
+	if parsed.Providers[1].Name != "minimax" || len(parsed.Providers[1].ModelPrefixes) != 1 || parsed.Providers[1].ModelPrefixes[0] != "minimax-" {
+		t.Fatalf("minimax provider registry not preserved: %+v\n%s", parsed.Providers, files["config.yaml"])
+	}
+}
+
 func TestEnsureDefaultConfig_CustomModel(t *testing.T) {
 	broadcaster := newTestBroadcaster()
 	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
@@ -634,6 +696,11 @@ func TestSeedInitialMemories_EmptyMemoriesNil(t *testing.T) {
 // ==================== buildProvisionerConfig ====================
 
 func TestBuildProvisionerConfig_BasicFields(t *testing.T) {
+	mock := setupTestDB(t)
+	mock.ExpectQuery(`SELECT COALESCE\(workspace_dir`).
+		WithArgs("ws-basic").
+		WillReturnRows(sqlmock.NewRows([]string{"workspace_dir", "workspace_access"}).AddRow("", "none"))
+
 	broadcaster := newTestBroadcaster()
 	tmpDir := t.TempDir()
 	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", tmpDir)
@@ -678,6 +745,14 @@ func TestBuildProvisionerConfig_BasicFields(t *testing.T) {
 }
 
 func TestBuildProvisionerConfig_WorkspacePathFromEnv(t *testing.T) {
+	mock := setupTestDB(t)
+	mock.ExpectQuery(`SELECT COALESCE\(workspace_dir`).
+		WithArgs("ws-env").
+		WillReturnError(sql.ErrNoRows)
+	mock.ExpectQuery(`SELECT digest FROM runtime_image_pins`).
+		WithArgs("claude-code").
+		WillReturnError(sql.ErrNoRows)
+
 	broadcaster := newTestBroadcaster()
 	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
 

workspace-server/internal/handlers/workspace_test.go

@@ -414,6 +414,44 @@ func TestWorkspaceCreate_DefaultsApplied(t *testing.T) {
 	}
 }
 
+func TestWorkspaceCreate_SaaSHardForcesTier4(t *testing.T) {
+	mock := setupTestDB(t)
+	setupTestRedis(t)
+	broadcaster := newTestBroadcaster()
+	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+	handler.SetCPProvisioner(&trackingCPProv{})
+
+	mock.ExpectBegin()
+	mock.ExpectExec("INSERT INTO workspaces").
+		WithArgs(sqlmock.AnyArg(), "SaaS External Agent", nil, 4, "external", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectCommit()
+	mock.ExpectExec("INSERT INTO canvas_layouts").
+		WithArgs(sqlmock.AnyArg(), float64(0), float64(0)).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec("INSERT INTO structure_events").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec("UPDATE workspaces SET url").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec("INSERT INTO structure_events").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	body := `{"name":"SaaS External Agent","runtime":"external","external":true,"url":"https://example.com/agent","tier":2}`
+	c.Request = httptest.NewRequest("POST", "/workspaces", bytes.NewBufferString(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Create(c)
+
+	if w.Code != http.StatusCreated {
+		t.Errorf("expected status 201, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
 // TestWorkspaceCreate_WithSecrets_Persists asserts that secrets in the create
 // payload are written to workspace_secrets inside the same transaction as the
 // workspace row, and that the handler returns 201.

workspace-server/internal/provisioner/cp_provisioner.go

@@ -343,6 +343,7 @@ func collectCPConfigFiles(cfg WorkspaceConfig) (map[string]string, error) {
 	}
 	return files, nil
 }
+
 // Stop terminates the workspace's EC2 instance via the control plane.
 //
 // Looks up the actual EC2 instance_id from the workspaces table before
@@ -497,7 +498,9 @@ func (p *CPProvisioner) IsRunning(ctx context.Context, workspaceID string) (bool
 		// Don't leak the body — upstream errors may echo headers.
 		return true, fmt.Errorf("cp provisioner: status: unexpected %d", resp.StatusCode)
 	}
-	var result struct{ State string `json:"state"` }
+	var result struct {
+		State string `json:"state"`
+	}
 	// Cap body read at 64 KiB for parity with Start — a misconfigured
 	// or compromised CP streaming a huge body could otherwise exhaust
 	// memory in this hot path (called reactively per-request from

workspace-server/internal/provisioner/cp_provisioner_test.go

@@ -217,6 +217,59 @@ func TestStart_HappyPath(t *testing.T) {
 	}
 }
 
+func TestStart_SendsTemplateAndGeneratedConfigFiles(t *testing.T) {
+	tmpl := t.TempDir()
+	if err := os.WriteFile(filepath.Join(tmpl, "config.yaml"), []byte("name: template\n"), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(filepath.Join(tmpl, "adapter.py"), bytes.Repeat([]byte("x"), cpConfigFilesMaxBytes), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.Mkdir(filepath.Join(tmpl, "prompts"), 0o700); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(filepath.Join(tmpl, "prompts", "system.md"), []byte("hello"), 0o600); err != nil {
+		t.Fatal(err)
+	}
+
+	var body cpProvisionRequest
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+			t.Errorf("decode request: %v", err)
+		}
+		w.WriteHeader(http.StatusCreated)
+		_, _ = io.WriteString(w, `{"instance_id":"i-abc123","state":"pending"}`)
+	}))
+	defer srv.Close()
+
+	p := &CPProvisioner{baseURL: srv.URL, orgID: "org-1", httpClient: srv.Client()}
+	_, err := p.Start(context.Background(), WorkspaceConfig{
+		WorkspaceID:  "ws-1",
+		Runtime:      "claude-code",
+		Tier:         4,
+		PlatformURL:  "http://tenant",
+		TemplatePath: tmpl,
+		ConfigFiles: map[string][]byte{
+			"config.yaml": []byte("name: generated\n"),
+		},
+	})
+	if err != nil {
+		t.Fatalf("Start: %v", err)
+	}
+
+	wantConfig := base64.StdEncoding.EncodeToString([]byte("name: generated\n"))
+	if got := body.ConfigFiles["config.yaml"]; got != wantConfig {
+		t.Errorf("config.yaml payload = %q, want generated override %q", got, wantConfig)
+	}
+	wantPrompt := base64.StdEncoding.EncodeToString([]byte("hello"))
+	if got := body.ConfigFiles["prompts/system.md"]; got != wantPrompt {
+		t.Errorf("prompt payload = %q, want %q", got, wantPrompt)
+	}
+	if _, ok := body.ConfigFiles["adapter.py"]; ok {
+		t.Error("non-config template file adapter.py must not be sent to CP")
+	}
+}
+
 // TestStart_Non201ReturnsStructuredError — when CP returns 401 with a
 // structured {"error":"..."} body, Start surfaces that error message.
 // Verifies the defense against log-leaking raw upstream bodies.
@@ -519,9 +572,9 @@ func TestStop_4xxResponseSurfacesError(t *testing.T) {
 func TestStop_2xxVariantsAllSucceed(t *testing.T) {
 	primeInstanceIDLookup(t, map[string]string{"ws-1": "i-ok"})
 	for _, code := range []int{
-		http.StatusOK,           // 200
-		http.StatusAccepted,     // 202
-		http.StatusNoContent,    // 204
+		http.StatusOK,        // 200
+		http.StatusAccepted,  // 202
+		http.StatusNoContent, // 204
 	} {
 		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 			w.WriteHeader(code)
@@ -589,11 +642,11 @@ func TestIsRunning_ParsesStateField(t *testing.T) {
 			_, _ = io.WriteString(w, `{"state":"`+state+`"}`)
 		}))
 		p := &CPProvisioner{
-			baseURL:    srv.URL,
-			orgID:      "org-1",
+			baseURL:      srv.URL,
+			orgID:        "org-1",
 			sharedSecret: "s3cret",
 			adminToken:   "tok-xyz",
-			httpClient: srv.Client(),
+			httpClient:   srv.Client(),
 		}
 		got, err := p.IsRunning(context.Background(), "ws-1")
 		srv.Close()

workspace-server/internal/provisioner/provisioner.go

@@ -773,6 +773,15 @@ func ApplyTierConfig(hostCfg *container.HostConfig, cfg WorkspaceConfig, configM
 
 // CopyTemplateToContainer copies files from a host directory into /configs in the container.
 func (p *Provisioner) CopyTemplateToContainer(ctx context.Context, containerID, templatePath string) error {
+	buf, err := buildTemplateTar(templatePath)
+	if err != nil {
+		return err
+	}
+
+	return p.cli.CopyToContainer(ctx, containerID, "/configs", buf, container.CopyToContainerOptions{})
+}
+
+func buildTemplateTar(templatePath string) (*bytes.Buffer, error) {
 	// Resolve symlinks at the root before walking. filepath.Walk does
 	// NOT follow a symlink that IS the root — it Lstats the path, sees
 	// a symlink (non-directory), and emits exactly one entry without
@@ -795,6 +804,15 @@ func (p *Provisioner) CopyTemplateToContainer(ctx context.Context, containerID,
 		if err != nil {
 			return err
 		}
+		// OFFSEC-010: skip symlinks to prevent path traversal via malicious
+		// template symlinks (e.g. template/.ssh → /root/.ssh). filepath.Walk
+		// follows symlinks by default, so without this guard a crafted symlink
+		// inside the template directory could escape to include arbitrary host
+		// files in the tar archive. We intentionally skip rather than error so
+		// a broken symlink in an org template is a silent no-op.
+		if info.Mode()&os.ModeSymlink != 0 {
+			return nil
+		}
 		rel, err := filepath.Rel(templatePath, path)
 		if err != nil {
 			return err
@@ -835,13 +853,13 @@ func (p *Provisioner) CopyTemplateToContainer(ctx context.Context, containerID,
 		return nil
 	})
 	if err != nil {
-		return fmt.Errorf("failed to create tar from %s: %w", templatePath, err)
+		return nil, fmt.Errorf("failed to create tar from %s: %w", templatePath, err)
 	}
 	if err := tw.Close(); err != nil {
-		return fmt.Errorf("failed to close tar writer: %w", err)
+		return nil, fmt.Errorf("failed to close tar writer: %w", err)
 	}
 
-	return p.cli.CopyToContainer(ctx, containerID, "/configs", &buf, container.CopyToContainerOptions{})
+	return &buf, nil
 }
 
 // WriteFilesToContainer writes in-memory files into /configs in the container.

workspace-server/internal/provisioner/provisioner_test.go

@@ -1,7 +1,9 @@
 package provisioner
 
 import (
+	"archive/tar"
 	"errors"
+	"io"
 	"os"
 	"path/filepath"
 	"strings"
@@ -62,6 +64,72 @@ func TestValidateConfigSource_TemplateIsDirName(t *testing.T) {
 	}
 }
 
+func TestStartSeedsConfigsBeforeContainerStart(t *testing.T) {
+	src, err := os.ReadFile("provisioner.go")
+	if err != nil {
+		t.Fatalf("read provisioner.go: %v", err)
+	}
+	text := string(src)
+	copyTemplate := strings.Index(text, "p.CopyTemplateToContainer(ctx, resp.ID, cfg.TemplatePath)")
+	writeFiles := strings.Index(text, "p.WriteFilesToContainer(ctx, resp.ID, cfg.ConfigFiles)")
+	start := strings.Index(text, "p.cli.ContainerStart(ctx, resp.ID, container.StartOptions{})")
+
+	if copyTemplate < 0 || writeFiles < 0 || start < 0 {
+		t.Fatalf("expected Start to copy template, write config files, and start container")
+	}
+	if copyTemplate >= start || writeFiles >= start {
+		t.Fatalf("config seeding must happen before ContainerStart: copyTemplate=%d writeFiles=%d start=%d", copyTemplate, writeFiles, start)
+	}
+}
+
+func TestBuildTemplateTar_SkipsSymlinks(t *testing.T) {
+	dir := t.TempDir()
+	if err := os.WriteFile(filepath.Join(dir, "config.yaml"), []byte("name: safe\n"), 0644); err != nil {
+		t.Fatalf("write config: %v", err)
+	}
+	outside := filepath.Join(t.TempDir(), "secret.txt")
+	if err := os.WriteFile(outside, []byte("do-not-copy\n"), 0644); err != nil {
+		t.Fatalf("write outside target: %v", err)
+	}
+	if err := os.Symlink(outside, filepath.Join(dir, "linked-secret.txt")); err != nil {
+		t.Fatalf("create symlink: %v", err)
+	}
+
+	buf, err := buildTemplateTar(dir)
+	if err != nil {
+		t.Fatalf("buildTemplateTar: %v", err)
+	}
+
+	names := map[string]string{}
+	tr := tar.NewReader(buf)
+	for {
+		hdr, err := tr.Next()
+		if errors.Is(err, io.EOF) {
+			break
+		}
+		if err != nil {
+			t.Fatalf("read tar: %v", err)
+		}
+		body, err := io.ReadAll(tr)
+		if err != nil {
+			t.Fatalf("read body for %s: %v", hdr.Name, err)
+		}
+		names[hdr.Name] = string(body)
+	}
+
+	if got := names["config.yaml"]; got != "name: safe\n" {
+		t.Fatalf("config.yaml body = %q, want safe config", got)
+	}
+	if _, ok := names["linked-secret.txt"]; ok {
+		t.Fatalf("symlink entry was copied into template tar: %#v", names)
+	}
+	for name, body := range names {
+		if strings.Contains(body, "do-not-copy") {
+			t.Fatalf("symlink target leaked through %s: %q", name, body)
+		}
+	}
+}
+
 // baseHostConfig returns a fresh HostConfig with typical pre-tier binds,
 // mimicking what Start() builds before calling ApplyTierConfig.
 func baseHostConfig(pluginsPath string) *container.HostConfig {

workspace-server/internal/registry/access_test.go

@@ -14,8 +14,9 @@ func setupMockDB(t *testing.T) sqlmock.Sqlmock {
 	if err != nil {
 		t.Fatalf("sqlmock: %v", err)
 	}
+	prevDB := db.DB
 	db.DB = mockDB
-	t.Cleanup(func() { mockDB.Close() })
+	t.Cleanup(func() { mockDB.Close(); db.DB = prevDB })
 	return mock
 }
 

workspace-server/internal/registry/healthsweep_test.go

@@ -31,8 +31,9 @@ func setupTestDB(t *testing.T) sqlmock.Sqlmock {
 	if err != nil {
 		t.Fatalf("failed to create sqlmock: %v", err)
 	}
+	prevDB := db.DB
 	db.DB = mockDB
-	t.Cleanup(func() { mockDB.Close() })
+	t.Cleanup(func() { mockDB.Close(); db.DB = prevDB })
 	return mock
 }
 

workspace-server/internal/registry/hibernation_test.go

@@ -17,8 +17,9 @@ func setupHibernationMock(t *testing.T) sqlmock.Sqlmock {
 	if err != nil {
 		t.Fatalf("sqlmock.New: %v", err)
 	}
+	prevDB := db.DB
 	db.DB = mockDB
-	t.Cleanup(func() { mockDB.Close() })
+	t.Cleanup(func() { mockDB.Close(); db.DB = prevDB })
 	return mock
 }
 

workspace-server/internal/registry/liveness_test.go

@@ -18,8 +18,9 @@ func setupLivenessTestDB(t *testing.T) sqlmock.Sqlmock {
 	if err != nil {
 		t.Fatalf("failed to create sqlmock: %v", err)
 	}
+	prevDB := db.DB
 	db.DB = mockDB
-	t.Cleanup(func() { mockDB.Close() })
+	t.Cleanup(func() { mockDB.Close(); db.DB = prevDB })
 	return mock
 }
 

workspace-server/internal/scheduler/scheduler_test.go

@@ -24,8 +24,9 @@ func setupTestDB(t *testing.T) sqlmock.Sqlmock {
 	if err != nil {
 		t.Fatalf("failed to create sqlmock: %v", err)
 	}
+	prevDB := db.DB
 	db.DB = mockDB
-	t.Cleanup(func() { mockDB.Close() })
+	t.Cleanup(func() { mockDB.Close(); db.DB = prevDB })
 	return mock
 }
 

workspace/a2a_mcp_server.py

@@ -692,8 +692,8 @@ def _format_channel_content(
 # --- MCP Server (JSON-RPC over stdio) ---
 
 
-def _warn_if_stdio_not_pipe(stdin_fd: int = 0, stdout_fd: int = 1) -> None:
-    """Warn when stdio isn't a pipe — but continue anyway.
+def _assert_stdio_is_pipe_compatible(stdin_fd: int = 0, stdout_fd: int = 1) -> None:
+    """Assert that stdio fds are pipe/socket/char-device compatible.
 
     The legacy asyncio.connect_read_pipe / connect_write_pipe transport
     rejected regular files, PTYs, and sockets with:
@@ -717,6 +717,10 @@ def _warn_if_stdio_not_pipe(stdin_fd: int = 0, stdout_fd: int = 1) -> None:
             )
 
 
+# Deprecated alias — the canonical name is _assert_stdio_is_pipe_compatible.
+_warn_if_stdio_not_pipe = _assert_stdio_is_pipe_compatible
+
+
 async def main():  # pragma: no cover
     """Run MCP server on stdio — reads JSON-RPC requests, writes responses.
 
@@ -973,7 +977,7 @@ def cli_main(transport: str = "stdio", port: int = 9100) -> None:  # pragma: no
     if transport == "http":
         asyncio.run(_run_http_server(port))
     else:
-        _warn_if_stdio_not_pipe()
+        _assert_stdio_is_pipe_compatible()
         asyncio.run(main())
 
 

workspace/tests/test_a2a_mcp_server.py

@@ -1826,8 +1826,8 @@ def test_inbox_bridge_swallows_closed_loop_runtime_error():
 
 
 class TestStdioPipeAssertion:
-    """Pin _warn_if_stdio_not_pipe — the diagnostic warning that replaces
-    the old fatal _assert_stdio_is_pipe_compatible guard.
+    """Pin _assert_stdio_is_pipe_compatible — the canonical function name.
+    _warn_if_stdio_not_pipe is a deprecated alias.
 
     The universal stdio transport now works with ANY file descriptor
     (pipes, regular files, PTYs, sockets), so the old exit-2 behavior
@@ -1838,12 +1838,12 @@ class TestStdioPipeAssertion:
 
     def test_pipe_pair_passes_silently(self, caplog):
         """Happy path — both fds are pipes. No warning emitted."""
-        from a2a_mcp_server import _warn_if_stdio_not_pipe
+        from a2a_mcp_server import _assert_stdio_is_pipe_compatible
 
         r, w = os.pipe()
         try:
             with caplog.at_level("WARNING"):
-                _warn_if_stdio_not_pipe(stdin_fd=r, stdout_fd=w)
+                _assert_stdio_is_pipe_compatible(stdin_fd=r, stdout_fd=w)
             assert "not a pipe" not in caplog.text
         finally:
             os.close(r)
@@ -1852,14 +1852,14 @@ class TestStdioPipeAssertion:
     def test_regular_file_stdout_warns(self, tmp_path, caplog):
         """Reproducer for runtime#61: stdout redirected to a regular file.
         Now emits a warning instead of exiting."""
-        from a2a_mcp_server import _warn_if_stdio_not_pipe
+        from a2a_mcp_server import _assert_stdio_is_pipe_compatible
 
         r, _w = os.pipe()
         regular = tmp_path / "captured.log"
         f = open(regular, "wb")
         try:
             with caplog.at_level("WARNING"):
-                _warn_if_stdio_not_pipe(stdin_fd=r, stdout_fd=f.fileno())
+                _assert_stdio_is_pipe_compatible(stdin_fd=r, stdout_fd=f.fileno())
             assert "stdout" in caplog.text
             assert "not a pipe" in caplog.text
         finally:
@@ -1868,7 +1868,7 @@ class TestStdioPipeAssertion:
 
     def test_regular_file_stdin_warns(self, tmp_path, caplog):
         """Symmetric case — stdin redirected from a regular file."""
-        from a2a_mcp_server import _warn_if_stdio_not_pipe
+        from a2a_mcp_server import _assert_stdio_is_pipe_compatible
 
         regular = tmp_path / "input.json"
         regular.write_bytes(b'{"jsonrpc":"2.0","id":1,"method":"initialize"}\n')
@@ -1876,7 +1876,7 @@ class TestStdioPipeAssertion:
         _r, w = os.pipe()
         try:
             with caplog.at_level("WARNING"):
-                _warn_if_stdio_not_pipe(stdin_fd=f.fileno(), stdout_fd=w)
+                _assert_stdio_is_pipe_compatible(stdin_fd=f.fileno(), stdout_fd=w)
             assert "stdin" in caplog.text
             assert "not a pipe" in caplog.text
         finally:
@@ -1886,13 +1886,13 @@ class TestStdioPipeAssertion:
     def test_closed_fd_warns_about_stat_error(self, caplog):
         """If stdio is closed, os.fstat raises OSError. Warning is
         skipped silently (can't stat the fd)."""
-        from a2a_mcp_server import _warn_if_stdio_not_pipe
+        from a2a_mcp_server import _assert_stdio_is_pipe_compatible
 
         r, w = os.pipe()
         os.close(w)  # Now `w` is a stale fd — fstat will fail.
         try:
             with caplog.at_level("WARNING"):
-                _warn_if_stdio_not_pipe(stdin_fd=r, stdout_fd=w)
+                _assert_stdio_is_pipe_compatible(stdin_fd=r, stdout_fd=w)
             # No warning emitted because fstat failed before the check
             assert "not a pipe" not in caplog.text
         finally: