fix(workspace-server): inject <PROVIDER>_BASE_URL fallback when API key is set but URL missing (internal#417)

When the operator saves only a vendor API key (e.g. MINIMAX_API_KEY)
into global_secrets without the matching <PROVIDER>_BASE_URL, the
in-workspace adapter falls back to its hardcoded registry default —
which for MiniMax is api.minimaxi.com (China region), while every
operator-host key in the post-2026-05-06 stack is issued against
api.minimax.io (global region). The result is silent 401 on every
LLM call from the workspace.

Fix: in workspace-server/internal/handlers/workspace_provision.go's
loadWorkspaceSecrets, after both DB queries, run a fallback pass that
injects the canonical <PROVIDER>_BASE_URL for every vendor whose API
key is set but whose URL is absent. Operator-saved URLs always win
(no overwrite); empty keys are treated as unset (no injection).

The canonical URL registry lives in
workspace-server/internal/handlers/provider_defaults.go and mirrors
the third-party provider lists in workspace-configs-templates/
openclaw + claude-code-default + hermes adapters. Six providers
covered (openai, groq, openrouter, qianfan, minimax, moonshot).

Also seed MINIMAX_API_KEY + MINIMAX_BASE_URL into the dev-local
post-rebuild-setup.sh global_secrets block so dev parity matches
prod-style provisioning.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

scripts/post-rebuild-setup.sh

@@ -41,6 +41,13 @@ until curl -s --max-time 5 "$PLATFORM_URL/health" >/dev/null 2>&1; do
 done
 echo "  platform up"
 
+# MINIMAX_BASE_URL defaults to the global endpoint (api.minimax.io) —
+# matches the operator-host MINIMAX_API_KEY scope. Override by setting
+# MINIMAX_BASE_URL before running this script (e.g. for the China
+# endpoint api.minimaxi.com). See RFC internal#417 for why the global
+# URL is the safe default.
+: "${MINIMAX_BASE_URL:=https://api.minimax.io}"
+
 echo "=== Inserting global secrets ==="
 docker exec "$DB_CONTAINER" psql -U "$DB_USER" -d "$DB_NAME" -c "
 INSERT INTO global_secrets (key, encrypted_value, encryption_version) VALUES
@@ -50,10 +57,12 @@ INSERT INTO global_secrets (key, encrypted_value, encryption_version) VALUES
 ('ANTHROPIC_SMALL_FAST_MODEL', 'MiniMax-M2.7', 0),
 ('API_TIMEOUT_MS', '3000000', 0),
 ('CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC', '1', 0),
-('GITHUB_TOKEN', '$GITHUB_PAT', 0)
+('GITHUB_TOKEN', '$GITHUB_PAT', 0),
+('MINIMAX_API_KEY', '$MINIMAX_API_KEY', 0),
+('MINIMAX_BASE_URL', '$MINIMAX_BASE_URL', 0)
 ON CONFLICT (key) DO UPDATE SET encrypted_value = EXCLUDED.encrypted_value;
 "
-echo "  7 global secrets set"
+echo "  9 global secrets set"
 
 echo "=== Importing org template ==="
 curl -s --max-time 600 -X POST "$PLATFORM_URL/org/import" \

workspace-server/internal/handlers/activity.go

@@ -14,18 +14,16 @@ import (
 
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/events"
-	"github.com/Molecule-AI/molecule-monorepo/platform/internal/push"
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 )
 
 type ActivityHandler struct {
 	broadcaster *events.Broadcaster
-	notifier    *push.Notifier
 }
 
-func NewActivityHandler(b *events.Broadcaster, notifier *push.Notifier) *ActivityHandler {
-	return &ActivityHandler{broadcaster: b, notifier: notifier}
+func NewActivityHandler(b *events.Broadcaster) *ActivityHandler {
+	return &ActivityHandler{broadcaster: b}
 }
 
 // List handles GET /workspaces/:id/activity?type=&source=&limit=&since_secs=&since_id=
@@ -478,7 +476,7 @@ func (h *ActivityHandler) Notify(c *gin.Context) {
 	for _, a := range body.Attachments {
 		attachments = append(attachments, AgentMessageAttachment(a))
 	}
-	writer := NewAgentMessageWriter(db.DB, h.broadcaster, h.notifier)
+	writer := NewAgentMessageWriter(db.DB, h.broadcaster)
 	if err := writer.Send(c.Request.Context(), workspaceID, body.Message, attachments); err != nil {
 		if errors.Is(err, ErrWorkspaceNotFound) {
 			c.JSON(http.StatusNotFound, gin.H{"error": "workspace not found"})

workspace-server/internal/handlers/activity_since_id_test.go

@@ -40,7 +40,7 @@ func TestActivityHandler_SinceID_ReturnsNewerASC(t *testing.T) {
 		WillReturnRows(newActivityRows())
 
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -69,7 +69,7 @@ func TestActivityHandler_SinceID_CursorNotFound_410(t *testing.T) {
 		WillReturnError(sql.ErrNoRows)
 
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -101,7 +101,7 @@ func TestActivityHandler_SinceID_CrossWorkspaceCursor_410(t *testing.T) {
 		WillReturnError(sql.ErrNoRows)
 
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -137,7 +137,7 @@ func TestActivityHandler_SinceID_CombinedWithSinceSecs(t *testing.T) {
 		WillReturnRows(newActivityRows())
 
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)

workspace-server/internal/handlers/activity_since_secs_test.go

@@ -41,7 +41,7 @@ func TestActivityHandler_SinceSecs_Accepted(t *testing.T) {
 		WillReturnRows(newActivityRows())
 
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -70,7 +70,7 @@ func TestActivityHandler_SinceSecs_ClampedAt30Days(t *testing.T) {
 		WillReturnRows(newActivityRows())
 
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -106,7 +106,7 @@ func TestActivityHandler_SinceSecs_InvalidRejected(t *testing.T) {
 			// No DB call expected; bad input must be caught before the query.
 			setupTestDB(t)
 			broadcaster := newTestBroadcaster()
-			handler := NewActivityHandler(broadcaster, nil)
+			handler := NewActivityHandler(broadcaster)
 
 			w := httptest.NewRecorder()
 			c, _ := gin.CreateTestContext(w)
@@ -142,7 +142,7 @@ func TestActivityHandler_SinceSecs_Omitted(t *testing.T) {
 		WillReturnRows(newActivityRows())
 
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)

workspace-server/internal/handlers/activity_test.go

@@ -22,7 +22,7 @@ func TestSessionSearchReturnsActivityAndMemory(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	rows := sqlmock.NewRows([]string{
 		"kind", "id", "workspace_id", "label", "content", "method", "status", "request_body", "response_body", "created_at",
@@ -68,7 +68,7 @@ func TestSessionSearchReturnsActivityAndMemory(t *testing.T) {
 func TestActivityList_SourceCanvas(t *testing.T) {
 	mock := setupTestDB(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	// Expect query with "source_id IS NULL"
 	mock.ExpectQuery(`SELECT .+ FROM activity_logs WHERE workspace_id = .+ AND source_id IS NULL`).
@@ -97,7 +97,7 @@ func TestActivityList_SourceCanvas(t *testing.T) {
 func TestActivityList_SourceAgent(t *testing.T) {
 	mock := setupTestDB(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	// Expect query with "source_id IS NOT NULL"
 	mock.ExpectQuery(`SELECT .+ FROM activity_logs WHERE workspace_id = .+ AND source_id IS NOT NULL`).
@@ -126,7 +126,7 @@ func TestActivityList_SourceAgent(t *testing.T) {
 func TestActivityList_SourceInvalid(t *testing.T) {
 	gin.SetMode(gin.TestMode)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -142,7 +142,7 @@ func TestActivityList_SourceInvalid(t *testing.T) {
 func TestActivityList_SourceWithType(t *testing.T) {
 	mock := setupTestDB(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	// Both type and source filters
 	mock.ExpectQuery(`SELECT .+ FROM activity_logs WHERE workspace_id = .+ AND activity_type = .+ AND source_id IS NULL`).
@@ -181,7 +181,7 @@ const testPeerUUID = "11111111-2222-3333-4444-555555555555"
 func TestActivityList_PeerIDFilter(t *testing.T) {
 	mock := setupTestDB(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	// peer_id binds twice in the query (source_id OR target_id) but is
 	// added to args once — sqlmock matches positional args, so the
@@ -220,7 +220,7 @@ func TestActivityList_PeerIDComposesWithType(t *testing.T) {
 	// of the builder can't silently rearrange placeholders.
 	mock := setupTestDB(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	mock.ExpectQuery(
 		`SELECT .+ FROM activity_logs WHERE workspace_id = .+ AND activity_type = .+ AND source_id IS NOT NULL AND \(source_id = .+ OR target_id = .+\)`,
@@ -258,7 +258,7 @@ func TestActivityList_PeerIDRejectsNonUUID(t *testing.T) {
 	// otherwise interpolate the value into the URL or another query.
 	gin.SetMode(gin.TestMode)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	for _, bad := range []string{
 		"not-a-uuid",
@@ -292,7 +292,7 @@ func TestActivityList_PeerIDRejectsNonUUID(t *testing.T) {
 func TestActivityList_BeforeTSFilter(t *testing.T) {
 	mock := setupTestDB(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	cutoff, _ := time.Parse(time.RFC3339, "2026-05-01T00:00:00Z")
 	mock.ExpectQuery(
@@ -328,7 +328,7 @@ func TestActivityList_BeforeTSComposesWithPeerID(t *testing.T) {
 	// can't silently drop one filter or reorder placeholders.
 	mock := setupTestDB(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	cutoff, _ := time.Parse(time.RFC3339, "2026-05-01T00:00:00Z")
 	mock.ExpectQuery(
@@ -363,7 +363,7 @@ func TestActivityList_BeforeTSComposesWithPeerID(t *testing.T) {
 func TestActivityList_BeforeTSRejectsInvalidFormat(t *testing.T) {
 	gin.SetMode(gin.TestMode)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	for _, bad := range []string{
 		"yesterday",
@@ -400,7 +400,7 @@ func TestActivityReport_AcceptsMemoryWriteType(t *testing.T) {
 		WillReturnResult(sqlmock.NewResult(1, 1))
 
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	gin.SetMode(gin.TestMode)
 	w := httptest.NewRecorder()
@@ -426,7 +426,7 @@ func TestActivityReport_RejectsUnknownType(t *testing.T) {
 	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })
 
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	gin.SetMode(gin.TestMode)
 	w := httptest.NewRecorder()
@@ -478,7 +478,7 @@ func TestNotify_PersistsToActivityLogsForReloadRecovery(t *testing.T) {
 		WillReturnResult(sqlmock.NewResult(1, 1))
 
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	gin.SetMode(gin.TestMode)
 	w := httptest.NewRecorder()
@@ -527,7 +527,7 @@ func TestNotify_WithAttachments_PersistsFilePartsForReload(t *testing.T) {
 		WillReturnResult(sqlmock.NewResult(1, 1))
 
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	gin.SetMode(gin.TestMode)
 	w := httptest.NewRecorder()
@@ -593,7 +593,7 @@ func TestNotify_RejectsAttachmentWithEmptyURIOrName(t *testing.T) {
 			// only if the handler unexpectedly queries.
 
 			broadcaster := newTestBroadcaster()
-			handler := NewActivityHandler(broadcaster, nil)
+			handler := NewActivityHandler(broadcaster)
 			gin.SetMode(gin.TestMode)
 			w := httptest.NewRecorder()
 			c, _ := gin.CreateTestContext(w)
@@ -647,7 +647,7 @@ func TestNotify_DBFailure_StillBroadcastsAnd200(t *testing.T) {
 		WillReturnError(fmt.Errorf("simulated db hiccup"))
 
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	gin.SetMode(gin.TestMode)
 	w := httptest.NewRecorder()

workspace-server/internal/handlers/agent_message_writer.go

@@ -44,7 +44,6 @@ import (
 	"log"
 
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/events"
-	"github.com/Molecule-AI/molecule-monorepo/platform/internal/push"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/textutil"
 )
 
@@ -82,14 +81,12 @@ type AgentMessageAttachment struct {
 type AgentMessageWriter struct {
 	db          *sql.DB
 	broadcaster events.EventEmitter
-	notifier    *push.Notifier
 }
 
 // NewAgentMessageWriter binds the writer to the platform's DB pool +
-// WebSocket broadcaster. notifier may be nil if push notifications are
-// not configured.
-func NewAgentMessageWriter(db *sql.DB, broadcaster events.EventEmitter, notifier *push.Notifier) *AgentMessageWriter {
-	return &AgentMessageWriter{db: db, broadcaster: broadcaster, notifier: notifier}
+// WebSocket broadcaster.
+func NewAgentMessageWriter(db *sql.DB, broadcaster events.EventEmitter) *AgentMessageWriter {
+	return &AgentMessageWriter{db: db, broadcaster: broadcaster}
 }
 
 // Send delivers a single agent → user message. Look up + broadcast +
@@ -144,12 +141,7 @@ func (w *AgentMessageWriter) Send(
 	}
 	w.broadcaster.BroadcastOnly(workspaceID, string(events.EventAgentMessage), broadcastPayload)
 
-	// 3. Send push notifications to mobile devices.
-	if w.notifier != nil {
-		w.notifier.NotifyAgentMessage(ctx, workspaceID, wsName, message)
-	}
-
-	// 4. Persist for chat-history hydration. response_body shape MUST stay
+	// 3. Persist for chat-history hydration. response_body shape MUST stay
 	//    in sync with extractResponseText + extractFilesFromTask in
 	//    canvas/src/components/tabs/chat/historyHydration.ts:
 	//      - extractResponseText reads body.result (string) → renders text

workspace-server/internal/handlers/agent_message_writer_test.go

@@ -86,7 +86,7 @@ func (c *capturingEmitter) RecordAndBroadcast(_ context.Context, eventType strin
 // path: workspace lookup, broadcast, INSERT, return nil.
 func TestAgentMessageWriter_Send_Success_NoAttachments(t *testing.T) {
 	mock := setupTestDB(t)
-	w := NewAgentMessageWriter(db.DB, newTestBroadcaster(), nil)
+	w := NewAgentMessageWriter(db.DB, newTestBroadcaster())
 
 	mock.ExpectQuery("SELECT name, talk_to_user_enabled FROM workspaces").
 		WithArgs("ws-1").
@@ -114,7 +114,7 @@ func TestAgentMessageWriter_Send_Success_NoAttachments(t *testing.T) {
 // Drift here = chips disappear on chat reload.
 func TestAgentMessageWriter_Send_Success_WithAttachments(t *testing.T) {
 	mock := setupTestDB(t)
-	w := NewAgentMessageWriter(db.DB, newTestBroadcaster(), nil)
+	w := NewAgentMessageWriter(db.DB, newTestBroadcaster())
 
 	mock.ExpectQuery("SELECT name, talk_to_user_enabled FROM workspaces").
 		WithArgs("ws-att").
@@ -171,7 +171,7 @@ func TestAgentMessageWriter_Send_Success_WithAttachments(t *testing.T) {
 func TestAgentMessageWriter_Send_WorkspaceNotFound(t *testing.T) {
 	mock := setupTestDB(t)
 	emitter := &capturingEmitter{}
-	w := NewAgentMessageWriter(db.DB, emitter, nil)
+	w := NewAgentMessageWriter(db.DB, emitter)
 
 	mock.ExpectQuery("SELECT name, talk_to_user_enabled FROM workspaces").
 		WithArgs("ws-missing").
@@ -200,7 +200,7 @@ func TestAgentMessageWriter_Send_WorkspaceNotFound(t *testing.T) {
 // broadcast.
 func TestAgentMessageWriter_Send_DBInsertFailureStillReturnsNil(t *testing.T) {
 	mock := setupTestDB(t)
-	w := NewAgentMessageWriter(db.DB, newTestBroadcaster(), nil)
+	w := NewAgentMessageWriter(db.DB, newTestBroadcaster())
 
 	mock.ExpectQuery("SELECT name, talk_to_user_enabled FROM workspaces").
 		WithArgs("ws-dbfail").
@@ -221,7 +221,7 @@ func TestAgentMessageWriter_Send_DBInsertFailureStillReturnsNil(t *testing.T) {
 // table doesn't carry multi-KB summaries that bloat list queries.
 func TestAgentMessageWriter_Send_PreviewTruncation(t *testing.T) {
 	mock := setupTestDB(t)
-	w := NewAgentMessageWriter(db.DB, newTestBroadcaster(), nil)
+	w := NewAgentMessageWriter(db.DB, newTestBroadcaster())
 
 	mock.ExpectQuery("SELECT name, talk_to_user_enabled FROM workspaces").
 		WithArgs("ws-trunc").
@@ -261,7 +261,7 @@ func TestAgentMessageWriter_Send_PreviewTruncation(t *testing.T) {
 func TestAgentMessageWriter_Send_BroadcastsAgentMessageEvent(t *testing.T) {
 	mock := setupTestDB(t)
 	emitter := &capturingEmitter{}
-	w := NewAgentMessageWriter(db.DB, emitter, nil)
+	w := NewAgentMessageWriter(db.DB, emitter)
 
 	mock.ExpectQuery("SELECT name, talk_to_user_enabled FROM workspaces").
 		WithArgs("ws-bc").
@@ -312,7 +312,7 @@ func TestAgentMessageWriter_Send_BroadcastsAgentMessageEvent(t *testing.T) {
 // real incidents in alerting.
 func TestAgentMessageWriter_Send_DBErrorOnLookupReturnsWrapped(t *testing.T) {
 	mock := setupTestDB(t)
-	w := NewAgentMessageWriter(db.DB, newTestBroadcaster(), nil)
+	w := NewAgentMessageWriter(db.DB, newTestBroadcaster())
 
 	transientErr := errors.New("connection refused")
 	mock.ExpectQuery("SELECT name, talk_to_user_enabled FROM workspaces").
@@ -344,7 +344,7 @@ func TestAgentMessageWriter_Send_DBErrorOnLookupReturnsWrapped(t *testing.T) {
 // coverage. Now it does.
 func TestAgentMessageWriter_Send_NonASCIIMessagePersists(t *testing.T) {
 	mock := setupTestDB(t)
-	w := NewAgentMessageWriter(db.DB, newTestBroadcaster(), nil)
+	w := NewAgentMessageWriter(db.DB, newTestBroadcaster())
 
 	// 200-rune CJK message — exceeds the 80-rune cap, would have hit
 	// the byte-slice bug.
@@ -393,7 +393,7 @@ func TestAgentMessageWriter_Send_NonASCIIMessagePersists(t *testing.T) {
 func TestAgentMessageWriter_Send_OmitsAttachmentsKeyWhenEmpty(t *testing.T) {
 	mock := setupTestDB(t)
 	emitter := &capturingEmitter{}
-	w := NewAgentMessageWriter(db.DB, emitter, nil)
+	w := NewAgentMessageWriter(db.DB, emitter)
 
 	mock.ExpectQuery("SELECT name, talk_to_user_enabled FROM workspaces").
 		WithArgs("ws-noatt").

workspace-server/internal/handlers/handlers_test.go

@@ -631,7 +631,7 @@ func TestActivityHandler_List(t *testing.T) {
 		WillReturnRows(rows)
 
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -680,7 +680,7 @@ func TestActivityHandler_ListByType(t *testing.T) {
 		WillReturnRows(rows)
 
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -708,7 +708,7 @@ func TestActivityHandler_Report(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	// Expect the INSERT into activity_logs
 	mock.ExpectExec("INSERT INTO activity_logs").
@@ -737,7 +737,7 @@ func TestActivityHandler_Report_InvalidType(t *testing.T) {
 	setupTestDB(t)
 	setupTestRedis(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -965,7 +965,7 @@ func TestActivityHandler_ListEmpty(t *testing.T) {
 		WillReturnRows(sqlmock.NewRows(columns))
 
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -999,7 +999,7 @@ func TestActivityHandler_ListCustomLimit(t *testing.T) {
 		WillReturnRows(sqlmock.NewRows(columns))
 
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -1032,7 +1032,7 @@ func TestActivityHandler_ListMaxLimit(t *testing.T) {
 		WillReturnRows(sqlmock.NewRows(columns))
 
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -1060,7 +1060,7 @@ func TestActivityHandler_ReportAllValidTypes(t *testing.T) {
 			mock := setupTestDB(t)
 			setupTestRedis(t)
 			broadcaster := newTestBroadcaster()
-			handler := NewActivityHandler(broadcaster, nil)
+			handler := NewActivityHandler(broadcaster)
 
 			mock.ExpectExec("INSERT INTO activity_logs").
 				WillReturnResult(sqlmock.NewResult(0, 1))
@@ -1091,7 +1091,7 @@ func TestActivityHandler_ReportAllValidTypes(t *testing.T) {
 func TestActivityHandler_ReportMissingBody(t *testing.T) {
 	setupTestDB(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -1165,7 +1165,7 @@ func TestActivityHandler_Report_SourceIDSpoofRejected(t *testing.T) {
 	setupTestDB(t)
 	setupTestRedis(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -1188,7 +1188,7 @@ func TestActivityHandler_Report_MatchingSourceIDAccepted(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	mock.ExpectExec("INSERT INTO activity_logs").
 		WillReturnResult(sqlmock.NewResult(0, 1))
@@ -1218,7 +1218,7 @@ func TestActivityHandler_Report_SourceIDLogInjection(t *testing.T) {
 	setupTestDB(t)
 	setupTestRedis(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster, nil)
+	handler := NewActivityHandler(broadcaster)
 
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)

workspace-server/internal/handlers/mcp.go

@@ -34,7 +34,6 @@ import (
 	"time"
 
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/events"
-	"github.com/Molecule-AI/molecule-monorepo/platform/internal/push"
 	"github.com/gin-gonic/gin"
 )
 
@@ -85,7 +84,6 @@ type mcpTool struct {
 type MCPHandler struct {
 	database    *sql.DB
 	broadcaster *events.Broadcaster
-	notifier    *push.Notifier
 
 	// memv2 is the v2 memory plugin wiring (RFC #2728). nil-safe:
 	// every v2 tool calls memoryV2Available() first and returns a
@@ -96,9 +94,8 @@ type MCPHandler struct {
 
 // NewMCPHandler wires the handler to db and broadcaster.
 // Pass db.DB and the platform broadcaster at router-setup time.
-// notifier may be nil if push notifications are not configured.
-func NewMCPHandler(database *sql.DB, broadcaster *events.Broadcaster, notifier *push.Notifier) *MCPHandler {
-	return &MCPHandler{database: database, broadcaster: broadcaster, notifier: notifier}
+func NewMCPHandler(database *sql.DB, broadcaster *events.Broadcaster) *MCPHandler {
+	return &MCPHandler{database: database, broadcaster: broadcaster}
 }
 
 // ─────────────────────────────────────────────────────────────────────────────

workspace-server/internal/handlers/mcp_test.go

@@ -26,7 +26,7 @@ import (
 func newMCPHandler(t *testing.T) (*MCPHandler, sqlmock.Sqlmock) {
 	t.Helper()
 	mock := setupTestDB(t)
-	h := NewMCPHandler(db.DB, newTestBroadcaster(), nil)
+	h := NewMCPHandler(db.DB, newTestBroadcaster())
 	return h, mock
 }
 

workspace-server/internal/handlers/mcp_tools.go

@@ -392,7 +392,7 @@ func (h *MCPHandler) toolSendMessageToUser(ctx context.Context, workspaceID stri
 	// (the tool args don't accept them); pass nil. If a future tool
 	// schema adds an attachments arg, build []AgentMessageAttachment
 	// and pass through.
-	writer := NewAgentMessageWriter(h.database, h.broadcaster, h.notifier)
+	writer := NewAgentMessageWriter(h.database, h.broadcaster)
 	if err := writer.Send(ctx, workspaceID, message, nil); err != nil {
 		if errors.Is(err, ErrWorkspaceNotFound) {
 			return "", fmt.Errorf("workspace not found")

workspace-server/internal/handlers/provider_defaults.go

@@ -0,0 +1,97 @@
+package handlers
+
+// Mirror of the third-party LLM provider registry baked into adapter
+// templates (workspace-configs-templates/openclaw/adapter.py +
+// workspace-configs-templates/claude-code-default/adapter.py + the
+// hermes counterparts). Must stay in sync — if a provider is added in
+// any of those adapters' base_url defaults, add it here too.
+//
+// Why this exists (RFC internal#417):
+//
+// Operators saving a vendor-scoped API key (e.g. MINIMAX_API_KEY) into
+// the platform `global_secrets` table expect the workspace to talk to
+// the canonical regional endpoint for that key. Pre-fix, when no
+// matching <PROVIDER>_BASE_URL was also saved, the adapter inside the
+// workspace fell back to its hardcoded registry default — which for
+// MiniMax is api.minimaxi.com (China), while every operator key issued
+// against api.minimax.io (global) hits 401 there. The fix is platform-
+// side: when we see the API key but no URL, we inject the canonical URL
+// so the workspace's adapter precedence chain (operator URL > runtime
+// config > adapter default) ends up pointing at the right region.
+//
+// This is a FALLBACK, never an override. If the operator already
+// saved <PROVIDER>_BASE_URL we leave it alone; their explicit choice
+// always wins. If the API key isn't set, we don't inject a stray URL
+// for a provider the workspace never uses.
+//
+// MINIMAX_BASE_URL is set to api.minimax.io (NOT api.minimaxi.com) —
+// the global endpoint matches the keys all operator-host secrets are
+// issued against. See RFC internal#417 §Phase 1 for the regional
+// ambiguity table.
+var ProviderBaseURLDefaults = map[string]string{
+	"OPENAI_BASE_URL":     "https://api.openai.com/v1",
+	"GROQ_BASE_URL":       "https://api.groq.com/openai/v1",
+	"OPENROUTER_BASE_URL": "https://openrouter.ai/api/v1",
+	"QIANFAN_BASE_URL":    "https://qianfan.baidubce.com/v2",
+	"MINIMAX_BASE_URL":    "https://api.minimax.io",
+	"MOONSHOT_BASE_URL":   "https://api.moonshot.ai/v1",
+}
+
+// applyProviderBaseURLDefaults injects each provider's canonical
+// BASE_URL into envVars when the matching <PROVIDER>_API_KEY is set
+// and non-empty AND no <PROVIDER>_BASE_URL is already present.
+//
+// The function mutates envVars in place. It is a pure helper (no DB,
+// no I/O) so unit tests drive it directly without sqlmock.
+//
+// Pairing rule: each entry in ProviderBaseURLDefaults names a key of
+// the form <PREFIX>_BASE_URL; the paired API-key var is derived by
+// swapping the suffix to _API_KEY (e.g. MINIMAX_BASE_URL ↔
+// MINIMAX_API_KEY). This mirrors how every adapter registry pairs the
+// two — see workspace-configs-templates/*/adapter.py for the canonical
+// pairing and RFC internal#417 §Phase 2 for the design rationale.
+//
+// Returns the list of base-URL keys that were injected, so the caller
+// can log which fallbacks fired without re-iterating the map.
+func applyProviderBaseURLDefaults(envVars map[string]string) []string {
+	if envVars == nil {
+		return nil
+	}
+	var injected []string
+	for baseURLKey, defaultURL := range ProviderBaseURLDefaults {
+		// Derive the paired API-key var name. Every entry in the map
+		// MUST end in `_BASE_URL`; if a future entry breaks that
+		// convention this strip-and-swap silently misses it. The unit
+		// test TestApplyProviderBaseURLDefaults_KeyShape pins the
+		// shape so the miss surfaces immediately on next test run.
+		const baseSuffix = "_BASE_URL"
+		if len(baseURLKey) <= len(baseSuffix) ||
+			baseURLKey[len(baseURLKey)-len(baseSuffix):] != baseSuffix {
+			continue
+		}
+		apiKeyKey := baseURLKey[:len(baseURLKey)-len(baseSuffix)] + "_API_KEY"
+
+		// API key must be present AND non-empty. An empty string is
+		// treated as unset — operators sometimes save a placeholder
+		// row and we don't want to silently route them to a real
+		// endpoint with no credential.
+		apiKeyVal, hasKey := envVars[apiKeyKey]
+		if !hasKey || apiKeyVal == "" {
+			continue
+		}
+
+		// Don't overwrite an explicit operator URL. The operator may
+		// have legitimately scoped this provider to a custom or
+		// regional endpoint (e.g. a corporate proxy, a different
+		// MiniMax region). Their explicit value always wins — same
+		// precedence rule as molecule_runtime.adapter_base's
+		// resolve_provider_routing.
+		if existing, ok := envVars[baseURLKey]; ok && existing != "" {
+			continue
+		}
+
+		envVars[baseURLKey] = defaultURL
+		injected = append(injected, baseURLKey)
+	}
+	return injected
+}

workspace-server/internal/handlers/provider_defaults_test.go

@@ -0,0 +1,118 @@
+package handlers
+
+import (
+	"strings"
+	"testing"
+)
+
+// TestApplyProviderBaseURLDefaults_InjectsWhenKeySetAndURLAbsent — the
+// happy path that closes RFC internal#417's reported bug: operator
+// saves MINIMAX_API_KEY only, fallback fills in the canonical URL.
+func TestApplyProviderBaseURLDefaults_InjectsWhenKeySetAndURLAbsent(t *testing.T) {
+	envVars := map[string]string{
+		"MINIMAX_API_KEY": "sk-real-key",
+	}
+
+	injected := applyProviderBaseURLDefaults(envVars)
+
+	if got := envVars["MINIMAX_BASE_URL"]; got != "https://api.minimax.io" {
+		t.Fatalf("MINIMAX_BASE_URL: got %q, want %q", got, "https://api.minimax.io")
+	}
+	if len(injected) != 1 || injected[0] != "MINIMAX_BASE_URL" {
+		t.Fatalf("injected list: got %v, want [MINIMAX_BASE_URL]", injected)
+	}
+}
+
+// TestApplyProviderBaseURLDefaults_DoesNotOverrideExplicitURL — operator
+// override wins. If they saved both MINIMAX_API_KEY and a custom URL
+// (say a corporate-proxy or a different region), we leave their URL
+// alone. This is the precedence rule from RFC §Phase 2.
+func TestApplyProviderBaseURLDefaults_DoesNotOverrideExplicitURL(t *testing.T) {
+	envVars := map[string]string{
+		"MINIMAX_API_KEY":  "sk-real-key",
+		"MINIMAX_BASE_URL": "https://custom.example.com",
+	}
+
+	injected := applyProviderBaseURLDefaults(envVars)
+
+	if got := envVars["MINIMAX_BASE_URL"]; got != "https://custom.example.com" {
+		t.Fatalf("MINIMAX_BASE_URL: got %q, want operator value %q",
+			got, "https://custom.example.com")
+	}
+	for _, k := range injected {
+		if k == "MINIMAX_BASE_URL" {
+			t.Fatalf("MINIMAX_BASE_URL should not appear in injected list when operator set it explicitly; got %v", injected)
+		}
+	}
+}
+
+// TestApplyProviderBaseURLDefaults_NoKeyNoInjection — provider whose
+// API key isn't set should not get a stray URL injected. Keeps the
+// workspace env clean and avoids accidentally signalling that the
+// provider is available when it isn't.
+func TestApplyProviderBaseURLDefaults_NoKeyNoInjection(t *testing.T) {
+	envVars := map[string]string{
+		// Some unrelated key set, but no MINIMAX_API_KEY.
+		"OPENAI_API_KEY": "sk-openai",
+	}
+
+	injected := applyProviderBaseURLDefaults(envVars)
+
+	if _, ok := envVars["MINIMAX_BASE_URL"]; ok {
+		t.Fatalf("MINIMAX_BASE_URL was injected without MINIMAX_API_KEY being set; envVars=%v", envVars)
+	}
+	// OPENAI_API_KEY is set, so OPENAI_BASE_URL should be injected —
+	// keeps this test honest about what "no injection" means (it's
+	// per-provider, not blanket).
+	if envVars["OPENAI_BASE_URL"] != "https://api.openai.com/v1" {
+		t.Fatalf("OPENAI_BASE_URL: got %q, want %q",
+			envVars["OPENAI_BASE_URL"], "https://api.openai.com/v1")
+	}
+	for _, k := range injected {
+		if k == "MINIMAX_BASE_URL" {
+			t.Fatalf("MINIMAX_BASE_URL should not appear in injected list; got %v", injected)
+		}
+	}
+}
+
+// TestApplyProviderBaseURLDefaults_EmptyKeyTreatedAsUnset — operators
+// sometimes save a placeholder empty-string row (e.g. they cleared the
+// key but didn't delete the row). Treat that the same as the key being
+// absent: don't route to a real endpoint with no credential.
+func TestApplyProviderBaseURLDefaults_EmptyKeyTreatedAsUnset(t *testing.T) {
+	envVars := map[string]string{
+		"MINIMAX_API_KEY": "", // explicitly empty
+	}
+
+	injected := applyProviderBaseURLDefaults(envVars)
+
+	if _, ok := envVars["MINIMAX_BASE_URL"]; ok {
+		t.Fatalf("MINIMAX_BASE_URL should not be injected when MINIMAX_API_KEY=\"\"; envVars=%v", envVars)
+	}
+	if len(injected) != 0 {
+		t.Fatalf("injected list should be empty when key is empty; got %v", injected)
+	}
+}
+
+// TestApplyProviderBaseURLDefaults_KeyShape — every key in the
+// registry must end in `_BASE_URL` so the strip-and-swap in
+// applyProviderBaseURLDefaults can derive the paired API-key var
+// name. If a future entry breaks that convention the fallback
+// silently misses it; this test catches the drift at next CI run.
+func TestApplyProviderBaseURLDefaults_KeyShape(t *testing.T) {
+	for k := range ProviderBaseURLDefaults {
+		if !strings.HasSuffix(k, "_BASE_URL") {
+			t.Errorf("ProviderBaseURLDefaults key %q must end in _BASE_URL", k)
+		}
+	}
+}
+
+// TestApplyProviderBaseURLDefaults_NilMap — defensive: the helper is
+// called from loadWorkspaceSecrets right before return, after both
+// query loops. If a future refactor passes nil (e.g. an error path
+// returns the bare nil map literal), the helper must not panic. The
+// function's nil-guard pins this.
+func TestApplyProviderBaseURLDefaults_NilMap(t *testing.T) {
+	// Must not panic. Return value can be nil/empty either way.
+	_ = applyProviderBaseURLDefaults(nil)
+}

workspace-server/internal/handlers/workspace_provision.go

@@ -830,6 +830,21 @@ func loadWorkspaceSecrets(ctx context.Context, workspaceID string) (map[string]s
 			log.Printf("Provisioner: workspace_secrets rows.Err workspace=%s: %v", workspaceID, err)
 		}
 	}
+
+	// Provider BASE_URL fallback (RFC internal#417): when the operator
+	// saved a vendor API key (e.g. MINIMAX_API_KEY) but no matching
+	// <PROVIDER>_BASE_URL, inject the canonical regional URL so the
+	// in-workspace adapter doesn't fall back to its hardcoded default
+	// (which is wrong for at least MiniMax — api.minimaxi.com China vs
+	// api.minimax.io global). Operator-saved URLs win; this only fills
+	// holes. See provider_defaults.go for the registry + precedence.
+	if injected := applyProviderBaseURLDefaults(envVars); len(injected) > 0 {
+		for _, k := range injected {
+			log.Printf("Provisioner: provider BASE_URL fallback applied for %s: %s=%s",
+				workspaceID, k, envVars[k])
+		}
+	}
+
 	return envVars, ""
 }
 

workspace-server/internal/memory/e2e/swap_test.go

@@ -207,7 +207,7 @@ func setupSwapEnv(t *testing.T) (*handlers.MCPHandler, *flatPlugin, sqlmock.Sqlm
 	resolver := namespace.New(db)
 
 	// MCPHandler needs a real *sql.DB; pass the sqlmock-backed one.
-	h := handlers.NewMCPHandler(db, nil, nil).WithMemoryV2(cl, resolver)
+	h := handlers.NewMCPHandler(db, nil).WithMemoryV2(cl, resolver)
 	return h, plugin, mock
 }
 
@@ -430,7 +430,7 @@ func TestE2E_PluginUnreachable_AgentSeesClearError(t *testing.T) {
 	db, _, _ := sqlmock.New()
 	defer db.Close()
 	resolver := namespace.New(db)
-	h := handlers.NewMCPHandler(db, nil, nil).WithMemoryV2(cl, resolver)
+	h := handlers.NewMCPHandler(db, nil).WithMemoryV2(cl, resolver)
 
 	_, err := h.Dispatch(context.Background(), "root-1", "commit_memory_v2", map[string]interface{}{
 		"content": "x",

workspace-server/internal/push/handler.go

@@ -1,75 +0,0 @@
-package push
-
-import (
-	"net/http"
-
-	"github.com/gin-gonic/gin"
-	"github.com/google/uuid"
-)
-
-// Handler exposes HTTP endpoints for push-token management.
-type Handler struct {
-	repo *Repo
-}
-
-// NewHandler creates a push-token HTTP handler.
-func NewHandler(repo *Repo) *Handler {
-	return &Handler{repo: repo}
-}
-
-// RegisterRoutes mounts push-token routes on the given router group.
-func (h *Handler) RegisterRoutes(rg *gin.RouterGroup) {
-	rg.POST("/push-tokens", h.Create)
-	rg.DELETE("/push-tokens", h.Delete)
-}
-
-// Create handles POST /push-tokens.
-// Body: { "token": "ExponentPushToken[xxx]", "platform": "ios" | "android" }
-func (h *Handler) Create(c *gin.Context) {
-	workspaceID := c.Param("id")
-	if _, err := uuid.Parse(workspaceID); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid workspace id"})
-		return
-	}
-
-	var body struct {
-		Token    string `json:"token" binding:"required"`
-		Platform string `json:"platform" binding:"required,oneof=ios android"`
-	}
-	if err := c.ShouldBindJSON(&body); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	if err := h.repo.SaveToken(c.Request.Context(), workspaceID, body.Token, body.Platform); err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to save token"})
-		return
-	}
-
-	c.Status(http.StatusNoContent)
-}
-
-// Delete handles DELETE /push-tokens.
-// Body: { "token": "ExponentPushToken[xxx]" }
-func (h *Handler) Delete(c *gin.Context) {
-	workspaceID := c.Param("id")
-	if _, err := uuid.Parse(workspaceID); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid workspace id"})
-		return
-	}
-
-	var body struct {
-		Token string `json:"token" binding:"required"`
-	}
-	if err := c.ShouldBindJSON(&body); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	if err := h.repo.DeleteToken(c.Request.Context(), workspaceID, body.Token); err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to delete token"})
-		return
-	}
-
-	c.Status(http.StatusNoContent)
-}

workspace-server/internal/push/notifier.go

@@ -1,101 +0,0 @@
-package push
-
-import (
-	"context"
-	"database/sql"
-	"log"
-	"time"
-)
-
-// Notifier sends push notifications for agent messages.
-type Notifier struct {
-	repo   *Repo
-	sender *Sender
-}
-
-// NewNotifier creates a Notifier.
-func NewNotifier(db *sql.DB, sender *Sender) *Notifier {
-	return &Notifier{
-		repo:   NewRepo(db),
-		sender: sender,
-	}
-}
-
-// NotifyAgentMessage sends a push notification to all registered devices for a
-// workspace when an agent sends a message. It runs asynchronously (fire-and-
-// forget) so the caller's WebSocket broadcast is never blocked.
-func (n *Notifier) NotifyAgentMessage(ctx context.Context, workspaceID, workspaceName, message string) {
-	if n == nil || n.sender == nil {
-		return
-	}
-
-	// Capture values for the goroutine.
-	wsID := workspaceID
-	wsName := workspaceName
-	msg := message
-
-	go func() {
-		// Use a fresh context with timeout so a slow Expo API doesn't
-		// leak the caller's context deadline.
-		ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
-		defer cancel()
-
-		tokens, err := n.repo.GetTokens(ctx, wsID)
-		if err != nil {
-			log.Printf("push: failed to get tokens for workspace %s: %v", wsID, err)
-			return
-		}
-		if len(tokens) == 0 {
-			return
-		}
-
-		// Expo accepts batches of up to ~100 messages; we cap lower to stay
-		// well under the limit.
-		const batchSize = 50
-		for i := 0; i < len(tokens); i += batchSize {
-			end := i + batchSize
-			if end > len(tokens) {
-				end = len(tokens)
-			}
-
-			batch := tokens[i:end]
-			messages := make([]Message, 0, len(batch))
-			for _, t := range batch {
-				messages = append(messages, Message{
-					To:    t.Token,
-					Title: wsName,
-					Body:  truncate(msg, 100),
-					Data: map[string]string{
-						"type":          "agent_message",
-						"workspaceId":   wsID,
-						"workspaceSlug": "", // populated by caller if available
-					},
-					Sound:    "default",
-					Priority: "high",
-				})
-			}
-
-			results, err := n.sender.Send(ctx, messages)
-			if err != nil {
-				log.Printf("push: send failed for workspace %s: %v", wsID, err)
-				continue
-			}
-
-			// Remove invalid tokens.
-			for j, r := range results {
-				if ShouldRemoveToken(r) {
-					if delErr := n.repo.DeleteToken(ctx, wsID, batch[j].Token); delErr != nil {
-						log.Printf("push: failed to delete invalid token for workspace %s: %v", wsID, delErr)
-					}
-				}
-			}
-		}
-	}()
-}
-
-func truncate(s string, max int) string {
-	if len(s) <= max {
-		return s
-	}
-	return s[:max] + "…"
-}

workspace-server/internal/push/push_test.go

@@ -1,437 +0,0 @@
-package push
-
-import (
-	"bytes"
-	"context"
-	"database/sql"
-	"encoding/json"
-	"io"
-	"net/http"
-	"net/http/httptest"
-	"strings"
-	"testing"
-	"time"
-
-	"github.com/DATA-DOG/go-sqlmock"
-	"github.com/gin-gonic/gin"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestSenderSend(t *testing.T) {
-	gin.SetMode(gin.TestMode)
-
-	expoResponse := map[string]interface{}{
-		"data": []map[string]interface{}{
-			{"status": "ok", "id": "abc123"},
-			{"status": "error", "message": "Invalid token", "details": map[string]string{"error": "DeviceNotRegistered"}},
-		},
-	}
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assert.Equal(t, "POST", r.Method)
-		assert.Equal(t, "application/json", r.Header.Get("Content-Type"))
-
-		var msgs []Message
-		require.NoError(t, json.NewDecoder(r.Body).Decode(&msgs))
-		assert.Len(t, msgs, 2)
-		assert.Equal(t, "ExponentPushToken[test1]", msgs[0].To)
-
-		w.Header().Set("Content-Type", "application/json")
-		w.WriteHeader(http.StatusOK)
-		json.NewEncoder(w).Encode(expoResponse)
-	}))
-	defer server.Close()
-
-	sender := NewSender("")
-	sender.apiURL = server.URL
-
-	results, err := sender.Send(context.Background(), []Message{
-		{To: "ExponentPushToken[test1]", Title: "Test", Body: "Hello"},
-		{To: "ExponentPushToken[test2]", Title: "Test", Body: "World"},
-	})
-	require.NoError(t, err)
-	require.Len(t, results, 2)
-	assert.Equal(t, "ok", results[0].Status)
-	assert.Equal(t, "error", results[1].Status)
-	assert.True(t, ShouldRemoveToken(results[1]))
-}
-
-func TestSenderSendEmpty(t *testing.T) {
-	sender := NewSender("")
-	results, err := sender.Send(context.Background(), nil)
-	require.NoError(t, err)
-	assert.Nil(t, results)
-}
-
-func TestHandlerCreate_InvalidWorkspaceID(t *testing.T) {
-	gin.SetMode(gin.TestMode)
-	handler := NewHandler(NewRepo(nil))
-
-	router := gin.New()
-	group := router.Group("/workspaces/:id")
-	handler.RegisterRoutes(group)
-
-	w := httptest.NewRecorder()
-	body := `{"token":"ExponentPushToken[abc]","platform":"ios"}`
-	req, _ := http.NewRequest("POST", "/workspaces/not-a-uuid/push-tokens", bytes.NewBufferString(body))
-	req.Header.Set("Content-Type", "application/json")
-	router.ServeHTTP(w, req)
-
-	assert.Equal(t, http.StatusBadRequest, w.Code)
-}
-
-func TestHandlerCreate(t *testing.T) {
-	gin.SetMode(gin.TestMode)
-
-	db, mock, err := sqlmock.New()
-	require.NoError(t, err)
-	defer db.Close()
-
-	mock.ExpectExec("INSERT INTO push_tokens").
-		WithArgs("11111111-1111-1111-1111-111111111111", "ExponentPushToken[abc]", "ios").
-		WillReturnResult(sqlmock.NewResult(1, 1))
-
-	repo := NewRepo(db)
-	handler := NewHandler(repo)
-
-	router := gin.New()
-	group := router.Group("/workspaces/:id")
-	handler.RegisterRoutes(group)
-
-	w := httptest.NewRecorder()
-	body := `{"token":"ExponentPushToken[abc]","platform":"ios"}`
-	req, _ := http.NewRequest("POST", "/workspaces/11111111-1111-1111-1111-111111111111/push-tokens", bytes.NewBufferString(body))
-	req.Header.Set("Content-Type", "application/json")
-	router.ServeHTTP(w, req)
-
-	assert.Equal(t, http.StatusNoContent, w.Code)
-	require.NoError(t, mock.ExpectationsWereMet())
-}
-
-func TestHandlerCreateInvalidPlatform(t *testing.T) {
-	gin.SetMode(gin.TestMode)
-
-	db, _, err := sqlmock.New()
-	require.NoError(t, err)
-	defer db.Close()
-
-	handler := NewHandler(NewRepo(db))
-
-	router := gin.New()
-	group := router.Group("/workspaces/:id")
-	handler.RegisterRoutes(group)
-
-	w := httptest.NewRecorder()
-	body := `{"token":"ExponentPushToken[abc]","platform":"windows"}`
-	req, _ := http.NewRequest("POST", "/workspaces/11111111-1111-1111-1111-111111111111/push-tokens", bytes.NewBufferString(body))
-	req.Header.Set("Content-Type", "application/json")
-	router.ServeHTTP(w, req)
-
-	assert.Equal(t, http.StatusBadRequest, w.Code)
-}
-
-func TestHandlerDelete_BindingError(t *testing.T) {
-	gin.SetMode(gin.TestMode)
-	handler := NewHandler(NewRepo(nil))
-
-	router := gin.New()
-	group := router.Group("/workspaces/:id")
-	handler.RegisterRoutes(group)
-
-	w := httptest.NewRecorder()
-	body := `{}` // missing required "token" field
-	req, _ := http.NewRequest("DELETE", "/workspaces/11111111-1111-1111-1111-111111111111/push-tokens", bytes.NewBufferString(body))
-	req.Header.Set("Content-Type", "application/json")
-	router.ServeHTTP(w, req)
-
-	assert.Equal(t, http.StatusBadRequest, w.Code)
-}
-
-func TestHandlerDelete_InvalidWorkspaceID(t *testing.T) {
-	gin.SetMode(gin.TestMode)
-	handler := NewHandler(NewRepo(nil))
-
-	router := gin.New()
-	group := router.Group("/workspaces/:id")
-	handler.RegisterRoutes(group)
-
-	w := httptest.NewRecorder()
-	body := `{"token":"ExponentPushToken[del]"}`
-	req, _ := http.NewRequest("DELETE", "/workspaces/not-a-uuid/push-tokens", bytes.NewBufferString(body))
-	req.Header.Set("Content-Type", "application/json")
-	router.ServeHTTP(w, req)
-
-	assert.Equal(t, http.StatusBadRequest, w.Code)
-}
-
-func TestHandlerDelete(t *testing.T) {
-	gin.SetMode(gin.TestMode)
-
-	db, mock, err := sqlmock.New()
-	require.NoError(t, err)
-	defer db.Close()
-
-	mock.ExpectExec("DELETE FROM push_tokens").
-		WithArgs("22222222-2222-2222-2222-222222222222", "ExponentPushToken[del]").
-		WillReturnResult(sqlmock.NewResult(0, 1))
-
-	repo := NewRepo(db)
-	handler := NewHandler(repo)
-
-	router := gin.New()
-	group := router.Group("/workspaces/:id")
-	handler.RegisterRoutes(group)
-
-	w := httptest.NewRecorder()
-	body := `{"token":"ExponentPushToken[del]"}`
-	req, _ := http.NewRequest("DELETE", "/workspaces/22222222-2222-2222-2222-222222222222/push-tokens", bytes.NewBufferString(body))
-	req.Header.Set("Content-Type", "application/json")
-	router.ServeHTTP(w, req)
-
-	assert.Equal(t, http.StatusNoContent, w.Code)
-	require.NoError(t, mock.ExpectationsWereMet())
-}
-
-func TestHandlerCreate_DBSaveError(t *testing.T) {
-	gin.SetMode(gin.TestMode)
-
-	db, mock, err := sqlmock.New()
-	require.NoError(t, err)
-	defer db.Close()
-
-	mock.ExpectExec("INSERT INTO push_tokens").
-		WithArgs("11111111-1111-1111-1111-111111111111", "ExponentPushToken[abc]", "ios").
-		WillReturnError(sql.ErrConnDone)
-
-	handler := NewHandler(NewRepo(db))
-
-	router := gin.New()
-	group := router.Group("/workspaces/:id")
-	handler.RegisterRoutes(group)
-
-	w := httptest.NewRecorder()
-	body := `{"token":"ExponentPushToken[abc]","platform":"ios"}`
-	req, _ := http.NewRequest("POST", "/workspaces/11111111-1111-1111-1111-111111111111/push-tokens", bytes.NewBufferString(body))
-	req.Header.Set("Content-Type", "application/json")
-	router.ServeHTTP(w, req)
-
-	assert.Equal(t, http.StatusInternalServerError, w.Code)
-	require.NoError(t, mock.ExpectationsWereMet())
-}
-
-func TestHandlerDelete_DBError(t *testing.T) {
-	gin.SetMode(gin.TestMode)
-
-	db, mock, err := sqlmock.New()
-	require.NoError(t, err)
-	defer db.Close()
-
-	mock.ExpectExec("DELETE FROM push_tokens").
-		WithArgs("22222222-2222-2222-2222-222222222222", "ExponentPushToken[del]").
-		WillReturnError(sql.ErrConnDone)
-
-	handler := NewHandler(NewRepo(db))
-
-	router := gin.New()
-	group := router.Group("/workspaces/:id")
-	handler.RegisterRoutes(group)
-
-	w := httptest.NewRecorder()
-	body := `{"token":"ExponentPushToken[del]"}`
-	req, _ := http.NewRequest("DELETE", "/workspaces/22222222-2222-2222-2222-222222222222/push-tokens", bytes.NewBufferString(body))
-	req.Header.Set("Content-Type", "application/json")
-	router.ServeHTTP(w, req)
-
-	assert.Equal(t, http.StatusInternalServerError, w.Code)
-	require.NoError(t, mock.ExpectationsWereMet())
-}
-
-func TestSenderSend_HTTPError(t *testing.T) {
-	gin.SetMode(gin.TestMode)
-
-	// Server that hijacks the connection and closes it before sending a response,
-	// causing the HTTP client to receive a connection-closed error.
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		// Drain request body so client send completes.
-		io.Copy(io.Discard, r.Body)
-		// Hijack and immediately close — no response written.
-		conn, _, _ := w.(http.Hijacker).Hijack()
-		conn.Close()
-	}))
-	defer server.Close()
-
-	sender := NewSender("")
-	sender.apiURL = server.URL
-
-	ctx, cancel := context.WithTimeout(context.Background(), 500*time.Millisecond)
-	defer cancel()
-
-	_, err := sender.Send(ctx, []Message{
-		{To: "ExponentPushToken[test]", Title: "T", Body: "H"},
-	})
-	require.Error(t, err)
-	assert.True(t, strings.Contains(err.Error(), "post:") || strings.Contains(err.Error(), "context"))
-}
-
-func TestSenderSend_Non200Response(t *testing.T) {
-	gin.SetMode(gin.TestMode)
-
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusServiceUnavailable)
-		w.Write([]byte(`{"error":"rate limited"}`))
-	}))
-	defer server.Close()
-
-	sender := NewSender("")
-	sender.apiURL = server.URL
-
-	_, err := sender.Send(context.Background(), []Message{
-		{To: "ExponentPushToken[test]", Title: "T", Body: "H"},
-	})
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "expo returned 503")
-}
-
-func TestNotifierNotifyAgentMessage_NilGuard(t *testing.T) {
-	// Must not panic when sender is nil.
-	n := NewNotifier(nil, nil)
-	// Should return immediately (nil check passes without panic).
-	n.NotifyAgentMessage(context.Background(), "ws-1", "Test", "Hello world")
-}
-
-func TestNotifierNotifyAgentMessage_ZeroTokens(t *testing.T) {
-	// Verify that NotifyAgentMessage does NOT panic when there are zero registered
-	// tokens — it should return early without calling sender.Send().
-	// Note: the fire-and-forget goroutine inside NotifyAgentMessage is not
-	// directly verifiable here without modifying production code; the key assertion
-	// is that no panic occurs and the method returns cleanly.
-	db, mock, err := sqlmock.New()
-	require.NoError(t, err)
-
-	mock.ExpectQuery("SELECT id, workspace_id, token, platform, created_at FROM push_tokens").
-		WithArgs("ws-1").
-		WillReturnRows(sqlmock.NewRows([]string{"id", "workspace_id", "token", "platform", "created_at"}))
-
-	sender := NewSender("")
-	sender.apiURL = "http://127.0.0.1:1" // unreachable — would error if Send is called
-
-	n := NewNotifier(db, sender)
-	n.NotifyAgentMessage(context.Background(), "ws-1", "Test", "Hello")
-
-	// Give goroutine time to run GetTokens and exit early before closing DB.
-	time.Sleep(200 * time.Millisecond)
-	require.NoError(t, mock.ExpectationsWereMet())
-	db.Close()
-}
-
-func TestRepoGetTokens_DBError(t *testing.T) {
-	db, mock, err := sqlmock.New()
-	require.NoError(t, err)
-	defer db.Close()
-
-	mock.ExpectQuery("SELECT id, workspace_id, token, platform, created_at FROM push_tokens").
-		WithArgs("ws-1").
-		WillReturnError(sql.ErrConnDone)
-
-	repo := NewRepo(db)
-	_, err = repo.GetTokens(context.Background(), "ws-1")
-	require.Error(t, err)
-	require.NoError(t, mock.ExpectationsWereMet())
-}
-
-func TestRepoGetTokens_ScanError(t *testing.T) {
-	db, mock, err := sqlmock.New()
-	require.NoError(t, err)
-	defer db.Close()
-
-	// Return fewer columns than struct has — causes scan error.
-	mock.ExpectQuery("SELECT id, workspace_id, token, platform, created_at FROM push_tokens").
-		WithArgs("ws-1").
-		WillReturnRows(sqlmock.NewRows([]string{"id", "workspace_id", "token"}). // missing platform, created_at
-			AddRow("1", "ws-1", "ExponentPushToken[a]"))
-
-	repo := NewRepo(db)
-	_, err = repo.GetTokens(context.Background(), "ws-1")
-	require.Error(t, err) // scan error
-	require.NoError(t, mock.ExpectationsWereMet())
-}
-
-func TestRepoSaveToken_Error(t *testing.T) {
-	db, mock, err := sqlmock.New()
-	require.NoError(t, err)
-	defer db.Close()
-
-	mock.ExpectExec("INSERT INTO push_tokens").
-		WithArgs("ws-1", "ExponentPushToken[xyz]", "android").
-		WillReturnError(sql.ErrConnDone)
-
-	repo := NewRepo(db)
-	err = repo.SaveToken(context.Background(), "ws-1", "ExponentPushToken[xyz]", "android")
-	require.Error(t, err)
-	require.NoError(t, mock.ExpectationsWereMet())
-}
-
-func TestRepoDeleteToken_Error(t *testing.T) {
-	db, mock, err := sqlmock.New()
-	require.NoError(t, err)
-	defer db.Close()
-
-	mock.ExpectExec("DELETE FROM push_tokens").
-		WithArgs("ws-1", "ExponentPushToken[xyz]").
-		WillReturnError(sql.ErrConnDone)
-
-	repo := NewRepo(db)
-	err = repo.DeleteToken(context.Background(), "ws-1", "ExponentPushToken[xyz]")
-	require.Error(t, err)
-	require.NoError(t, mock.ExpectationsWereMet())
-}
-
-func TestTruncate(t *testing.T) {
-	tests := []struct {
-		name string
-		s    string
-		max  int
-		want string
-	}{
-		{"short string unchanged", "hello", 10, "hello"},
-		{"exact length unchanged", "hello", 5, "hello"},
-		{"long string truncated", "hello world", 5, "hello…"},
-		{"empty string", "", 5, ""},
-		{"single char at max", "a", 1, "a"},
-		{"multi-byte truncation adds ellipsis", "こんにちは世界", 5, ""},
-		{"truncate with ellipsis ends with ellipsis", "hello world", 5, "hello…"},
-		{"truncate at 1 char", "hello", 1, "h…"},
-	}
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			got := truncate(tc.s, tc.max)
-			if tc.want == "" {
-				// Multi-byte / edge cases: verify no expansion beyond max+3.
-				assert.True(t, len(got) <= tc.max+3)
-			} else {
-				assert.Equal(t, tc.want, got)
-			}
-		})
-	}
-}
-
-func TestRepoGetTokens(t *testing.T) {
-	db, mock, err := sqlmock.New()
-	require.NoError(t, err)
-	defer db.Close()
-
-	mock.ExpectQuery("SELECT id, workspace_id, token, platform, created_at FROM push_tokens").
-		WithArgs("ws-1").
-		WillReturnRows(sqlmock.NewRows([]string{"id", "workspace_id", "token", "platform", "created_at"}).
-			AddRow("1", "ws-1", "ExponentPushToken[a]", "ios", "2026-01-01T00:00:00Z").
-			AddRow("2", "ws-1", "ExponentPushToken[b]", "android", "2026-01-01T00:00:00Z"))
-
-	repo := NewRepo(db)
-	tokens, err := repo.GetTokens(context.Background(), "ws-1")
-	require.NoError(t, err)
-	require.Len(t, tokens, 2)
-	assert.Equal(t, "ExponentPushToken[a]", tokens[0].Token)
-	assert.Equal(t, "ios", tokens[0].Platform)
-	assert.Equal(t, "ExponentPushToken[b]", tokens[1].Token)
-	require.NoError(t, mock.ExpectationsWereMet())
-}

workspace-server/internal/push/repo.go

@@ -1,76 +0,0 @@
-package push
-
-import (
-	"context"
-	"database/sql"
-	"fmt"
-)
-
-// Token is one registered push token for a workspace.
-type Token struct {
-	ID          string
-	WorkspaceID string
-	Token       string
-	Platform    string
-	CreatedAt   string
-}
-
-// Repo reads and writes push tokens in Postgres.
-type Repo struct {
-	db *sql.DB
-}
-
-// NewRepo creates a token repository backed by db.
-func NewRepo(db *sql.DB) *Repo {
-	return &Repo{db: db}
-}
-
-// SaveToken registers a push token for a workspace. If the same token already
-// exists for the workspace, it updates the timestamp.
-func (r *Repo) SaveToken(ctx context.Context, workspaceID, token, platform string) error {
-	_, err := r.db.ExecContext(ctx, `
-		INSERT INTO push_tokens (workspace_id, token, platform)
-		VALUES ($1, $2, $3)
-		ON CONFLICT (workspace_id, token) DO UPDATE
-		SET updated_at = now()
-	`, workspaceID, token, platform)
-	if err != nil {
-		return fmt.Errorf("push_tokens: save: %w", err)
-	}
-	return nil
-}
-
-// DeleteToken removes a push token. Returns nil even if the token did not exist.
-func (r *Repo) DeleteToken(ctx context.Context, workspaceID, token string) error {
-	_, err := r.db.ExecContext(ctx, `
-		DELETE FROM push_tokens
-		WHERE workspace_id = $1 AND token = $2
-	`, workspaceID, token)
-	if err != nil {
-		return fmt.Errorf("push_tokens: delete: %w", err)
-	}
-	return nil
-}
-
-// GetTokens returns all active push tokens for a workspace.
-func (r *Repo) GetTokens(ctx context.Context, workspaceID string) ([]Token, error) {
-	rows, err := r.db.QueryContext(ctx, `
-		SELECT id, workspace_id, token, platform, created_at
-		FROM push_tokens
-		WHERE workspace_id = $1
-	`, workspaceID)
-	if err != nil {
-		return nil, fmt.Errorf("push_tokens: list: %w", err)
-	}
-	defer rows.Close()
-
-	var tokens []Token
-	for rows.Next() {
-		var t Token
-		if err := rows.Scan(&t.ID, &t.WorkspaceID, &t.Token, &t.Platform, &t.CreatedAt); err != nil {
-			return nil, fmt.Errorf("push_tokens: scan: %w", err)
-		}
-		tokens = append(tokens, t)
-	}
-	return tokens, rows.Err()
-}

workspace-server/internal/push/sender.go

@@ -1,104 +0,0 @@
-package push
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"time"
-)
-
-const expoPushAPI = "https://exp.host/--/api/v2/push/send"
-
-// Message is one Expo push notification.
-type Message struct {
-	To       string            `json:"to"`
-	Title    string            `json:"title,omitempty"`
-	Body     string            `json:"body,omitempty"`
-	Data     map[string]string `json:"data,omitempty"`
-	Sound    string            `json:"sound,omitempty"`
-	Priority string            `json:"priority,omitempty"`
-}
-
-// Sender delivers push notifications via the Expo Push Service.
-type Sender struct {
-	apiURL     string
-	httpClient *http.Client
-	expoToken  string // optional Expo access token for authenticated requests
-}
-
-// NewSender creates a Sender. expoToken may be empty for unauthenticated
-// requests (sufficient for most use cases).
-func NewSender(expoToken string) *Sender {
-	return &Sender{
-		apiURL: expoPushAPI,
-		httpClient: &http.Client{
-			Timeout: 10 * time.Second,
-		},
-		expoToken: expoToken,
-	}
-}
-
-// SendResult is the per-recipient status from Expo.
-type SendResult struct {
-	Status  string `json:"status"`
-	ID      string `json:"id"`
-	Message string `json:"message,omitempty"`
-	Details struct {
-		Error string `json:"error,omitempty"`
-	} `json:"details,omitempty"`
-}
-
-// expoResponse is the wrapper shape returned by the Expo API.
-type expoResponse struct {
-	Data []SendResult `json:"data"`
-}
-
-// Send fires a batch of push messages. It returns a slice of results in the
-// same order as the input, plus an error only when the HTTP call itself fails.
-// Callers should inspect each result's Status field for per-message errors
-// (e.g. "DeviceNotRegistered" → token should be deleted).
-func (s *Sender) Send(ctx context.Context, messages []Message) ([]SendResult, error) {
-	if len(messages) == 0 {
-		return nil, nil
-	}
-
-	body, err := json.Marshal(messages)
-	if err != nil {
-		return nil, fmt.Errorf("push: marshal: %w", err)
-	}
-
-	req, err := http.NewRequestWithContext(ctx, http.MethodPost, s.apiURL, bytes.NewReader(body))
-	if err != nil {
-		return nil, fmt.Errorf("push: new request: %w", err)
-	}
-	req.Header.Set("Content-Type", "application/json")
-	req.Header.Set("Accept", "application/json")
-	req.Header.Set("Accept-Encoding", "gzip, deflate")
-	if s.expoToken != "" {
-		req.Header.Set("Authorization", "Bearer "+s.expoToken)
-	}
-
-	res, err := s.httpClient.Do(req)
-	if err != nil {
-		return nil, fmt.Errorf("push: post: %w", err)
-	}
-	defer res.Body.Close()
-
-	if res.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("push: expo returned %d", res.StatusCode)
-	}
-
-	var resp expoResponse
-	if err := json.NewDecoder(res.Body).Decode(&resp); err != nil {
-		return nil, fmt.Errorf("push: decode: %w", err)
-	}
-	return resp.Data, nil
-}
-
-// ShouldRemoveToken reports whether a SendResult indicates the token is no
-// longer valid and should be deleted from the database.
-func ShouldRemoveToken(r SendResult) bool {
-	return r.Status == "error" && r.Details.Error == "DeviceNotRegistered"
-}

workspace-server/internal/router/router.go

@@ -20,7 +20,6 @@ import (
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/pendinguploads"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/plugins"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/provisioner"
-	"github.com/Molecule-AI/molecule-monorepo/platform/internal/push"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/supervised"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/ws"
 	"github.com/docker/docker/client"
@@ -328,25 +327,13 @@ func Setup(hub *ws.Hub, broadcaster *events.Broadcaster, prov *provisioner.Provi
 
 	// Remaining auth-gated workspace sub-routes — appended to wsAuth group declared above.
 	{
-		// Push notifications (mobile)
-		var pushNotifier *push.Notifier
-		if expoToken := os.Getenv("EXPO_ACCESS_TOKEN"); expoToken != "" {
-			pushNotifier = push.NewNotifier(db.DB, push.NewSender(expoToken))
-		}
-
 		// Activity Logs
-		acth := handlers.NewActivityHandler(broadcaster, pushNotifier)
+		acth := handlers.NewActivityHandler(broadcaster)
 		wsAuth.GET("/activity", acth.List)
 		wsAuth.GET("/session-search", acth.SessionSearch)
 		wsAuth.POST("/activity", acth.Report)
 		wsAuth.POST("/notify", acth.Notify)
 
-		// Push token registration (mobile)
-		if pushNotifier != nil {
-			pushH := push.NewHandler(push.NewRepo(db.DB))
-			pushH.RegisterRoutes(wsAuth)
-		}
-
 		// Chat history — RFC #2945 PR-C (issue #3017) + PR-D (issue
 		// #3026). Server-side rendering of activity_logs rows into
 		// the canonical ChatMessage shape; storage is plugin-shaped
@@ -450,7 +437,7 @@ func Setup(hub *ws.Hub, broadcaster *events.Broadcaster, prov *provisioner.Provi
 		//       opencode session cannot saturate the platform.
 		//   C3: commit_memory/recall_memory with scope=GLOBAL → permission error;
 		//       send_message_to_user excluded unless MOLECULE_MCP_ALLOW_SEND_MESSAGE=true.
-		mcpH := handlers.NewMCPHandler(db.DB, broadcaster, pushNotifier)
+		mcpH := handlers.NewMCPHandler(db.DB, broadcaster)
 		if memBundle != nil {
 			mcpH.WithMemoryV2(memBundle.Plugin, memBundle.Resolver)
 		}

workspace-server/migrations/20260514000000_push_tokens.down.sql

@@ -1 +0,0 @@
-DROP TABLE IF EXISTS push_tokens;

workspace-server/migrations/20260514000000_push_tokens.up.sql

@@ -1,11 +0,0 @@
-CREATE TABLE push_tokens (
-    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-    workspace_id UUID NOT NULL REFERENCES workspaces(id) ON DELETE CASCADE,
-    token TEXT NOT NULL,
-    platform TEXT NOT NULL CHECK (platform IN ('ios', 'android')),
-    created_at TIMESTAMPTZ DEFAULT now(),
-    updated_at TIMESTAMPTZ DEFAULT now(),
-    UNIQUE(workspace_id, token)
-);
-
-CREATE INDEX idx_push_tokens_workspace ON push_tokens(workspace_id);