Add TestBroadcast coverage for workspace_broadcast.go

Covers all branches of the Broadcast handler:
- broadcastTruncate: 6 sub-cases (empty, under/over/unicode limits)
- Validation: invalid UUID, missing message, malformed JSON
- Auth: workspace not found, lookup error, broadcast disabled (403)
- DB errors: recipient query error, rows.Err error
- Success: one recipient, no recipients, multiple recipients
- Resiliency: recipient insert failure continues with 200; sender log
  failure also returns 200 (logged only)

canvas/src/components/settings/TokensTab.tsx

@@ -16,40 +16,7 @@ interface TokensTabProps {
   workspaceId: string;
 }
 
-// The settings panel passes the literal sentinel "global" when no canvas
-// node is selected. Workspace tokens are inherently per-workspace — there
-// is no /workspaces/global/tokens endpoint (querying the uuid column with
-// "global" 500s on Postgres). The org-wide equivalent lives in the
-// separate "Org API Keys" tab. Mirrors the sentinel-awareness that
-// api/secrets.ts already has (workspaceId === 'global' → /settings/secrets).
-const GLOBAL_WORKSPACE_ID = 'global';
-
 export function TokensTab({ workspaceId }: TokensTabProps) {
-  if (workspaceId === GLOBAL_WORKSPACE_ID) {
-    return (
-      <div className="p-4 space-y-4">
-        <div>
-          <h3 className="text-sm font-semibold text-ink">API Tokens</h3>
-          <p className="text-[10px] text-ink-mid mt-0.5">
-            Bearer tokens for authenticating API calls to this workspace.
-          </p>
-        </div>
-        <div className="text-center py-6">
-          <p className="text-xs text-ink-mid">Select a workspace node first</p>
-          <p className="text-[10px] text-ink-mid mt-1">
-            Workspace tokens are scoped to a single workspace. Select a node
-            on the canvas to manage its tokens, or use the{' '}
-            <span className="text-accent font-medium">Org API Keys</span> tab
-            for org-wide API keys.
-          </p>
-        </div>
-      </div>
-    );
-  }
-  return <WorkspaceTokensTab workspaceId={workspaceId} />;
-}
-
-function WorkspaceTokensTab({ workspaceId }: TokensTabProps) {
   const [tokens, setTokens] = useState<Token[]>([]);
   const [loading, setLoading] = useState(true);
   const [creating, setCreating] = useState(false);

canvas/src/components/settings/__tests__/TokensTab.test.tsx

@@ -302,35 +302,3 @@ describe("TokensTab — error", () => {
     expect(document.querySelector('[role="status"]')).toBeNull();
   });
 });
-
-// ─── "global" sentinel (no node selected) ────────────────────────────────────
-//
-// Regression: SettingsPanel passes the literal "global" when no canvas
-// node is selected. workspace tokens are per-workspace and there is no
-// /workspaces/global/tokens endpoint — calling it 500'd
-// ("invalid input syntax for type uuid: global"). The tab must NOT call
-// the API in that state and must point the user at the Org API Keys tab.
-describe("TokensTab — global sentinel (no node selected)", () => {
-  beforeEach(() => {
-    mockApiGet.mockReset();
-    mockApiPost.mockReset();
-    mockApiGet.mockRejectedValue(new Error("should not be called"));
-  });
-
-  it("does not call the API and shows a pointer to Org API Keys", async () => {
-    render(<TokensTab workspaceId="global" />);
-    await flush();
-    expect(mockApiGet).not.toHaveBeenCalled();
-    expect(mockApiPost).not.toHaveBeenCalled();
-    expect(document.body.textContent).toContain("Select a workspace node");
-    expect(document.body.textContent).toContain("Org API Keys");
-    // No error banner, no scary 500 surfacing.
-    expect(document.querySelector(".text-bad")).toBeNull();
-  });
-
-  it("has no create button in the global state", async () => {
-    render(<TokensTab workspaceId="global" />);
-    await flush();
-    expect(document.body.textContent).not.toContain("New Token");
-  });
-});

workspace-server/internal/handlers/tokens.go

@@ -10,20 +10,8 @@ import (
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/wsauth"
 	"github.com/gin-gonic/gin"
-	"github.com/google/uuid"
 )
 
-// validWorkspaceID returns true when id is a syntactically valid UUID.
-// workspace_id is a `uuid` column; passing a non-UUID (e.g. the canvas
-// "global" sentinel sent when no node is selected) makes Postgres raise
-// `invalid input syntax for type uuid`, which previously leaked as an
-// opaque 500. Reject up front with a clean 400 instead. Mirrors the
-// uuid.Parse guard already used in handlers/activity.go.
-func validWorkspaceID(id string) bool {
-	_, err := uuid.Parse(id)
-	return err == nil
-}
-
 // TokenHandler exposes user-facing token management for workspaces.
 // Routes: GET/POST/DELETE /workspaces/:id/tokens (behind WorkspaceAuth).
 type TokenHandler struct{}
@@ -43,10 +31,6 @@ type tokenListItem struct {
 // never the plaintext or hash).
 func (h *TokenHandler) List(c *gin.Context) {
 	workspaceID := c.Param("id")
-	if !validWorkspaceID(workspaceID) {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid workspace id"})
-		return
-	}
 
 	limit := 50
 	if v := c.Query("limit"); v != "" {
@@ -69,7 +53,6 @@ func (h *TokenHandler) List(c *gin.Context) {
 		LIMIT $2 OFFSET $3
 	`, workspaceID, limit, offset)
 	if err != nil {
-		log.Printf("tokens: list query failed for workspace %s: %v", workspaceID, err)
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to list tokens"})
 		return
 	}
@@ -102,10 +85,6 @@ const maxTokensPerWorkspace = 50
 // exactly once in the response — it cannot be recovered afterwards.
 func (h *TokenHandler) Create(c *gin.Context) {
 	workspaceID := c.Param("id")
-	if !validWorkspaceID(workspaceID) {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid workspace id"})
-		return
-	}
 
 	// Rate limit: max active tokens per workspace
 	var count int
@@ -138,10 +117,6 @@ func (h *TokenHandler) Create(c *gin.Context) {
 func (h *TokenHandler) Revoke(c *gin.Context) {
 	workspaceID := c.Param("id")
 	tokenID := c.Param("tokenId")
-	if !validWorkspaceID(workspaceID) {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid workspace id"})
-		return
-	}
 
 	result, err := db.DB.ExecContext(c.Request.Context(), `
 		UPDATE workspace_auth_tokens

workspace-server/internal/handlers/tokens_sqlmock_test.go

@@ -41,15 +41,6 @@ import (
 
 func init() { gin.SetMode(gin.TestMode) }
 
-// Workspace IDs are validated as UUIDs up front (tokens.go validWorkspaceID),
-// so handler tests must pass syntactically valid UUIDs. Fixed values keep
-// sqlmock WithArgs assertions deterministic.
-const (
-	wsUUID1 = "11111111-1111-1111-1111-111111111111"
-	wsUUID2 = "22222222-2222-2222-2222-222222222222"
-	wsUUID3 = "33333333-3333-3333-3333-333333333333"
-)
-
 // withMockDB swaps `db.DB` for a sqlmock and returns the mock plus a
 // restore func. Tests use this in place of setupTokenTestDB which
 // skips on a missing real DB.
@@ -90,13 +81,13 @@ func TestTokenHandler_List_HappyPath(t *testing.T) {
 	created := time.Date(2026, 4, 1, 12, 0, 0, 0, time.UTC)
 	last := created.Add(time.Hour)
 	mock.ExpectQuery(`SELECT id, prefix, created_at, last_used_at\s+FROM workspace_auth_tokens`).
-		WithArgs(wsUUID1, 50, 0).
+		WithArgs("ws-1", 50, 0).
 		WillReturnRows(sqlmock.NewRows([]string{"id", "prefix", "created_at", "last_used_at"}).
 			AddRow("tok-1", "abc12345", created, last).
 			AddRow("tok-2", "def67890", created, nil))
 
 	w := makeReq(t, NewTokenHandler().List, "GET",
-		"/workspaces/ws-1/tokens", gin.Params{{Key: "id", Value: wsUUID1}})
+		"/workspaces/ws-1/tokens", gin.Params{{Key: "id", Value: "ws-1"}})
 
 	if w.Code != http.StatusOK {
 		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
@@ -130,7 +121,7 @@ func TestTokenHandler_List_EmptyResult(t *testing.T) {
 		WillReturnRows(sqlmock.NewRows([]string{"id", "prefix", "created_at", "last_used_at"}))
 
 	w := makeReq(t, NewTokenHandler().List, "GET",
-		"/workspaces/ws-2/tokens", gin.Params{{Key: "id", Value: wsUUID2}})
+		"/workspaces/ws-2/tokens", gin.Params{{Key: "id", Value: "ws-2"}})
 
 	if w.Code != http.StatusOK {
 		t.Fatalf("expected 200 on empty list, got %d", w.Code)
@@ -155,7 +146,7 @@ func TestTokenHandler_List_QueryError(t *testing.T) {
 		WillReturnError(errors.New("connection refused"))
 
 	w := makeReq(t, NewTokenHandler().List, "GET",
-		"/workspaces/ws-3/tokens", gin.Params{{Key: "id", Value: wsUUID3}})
+		"/workspaces/ws-3/tokens", gin.Params{{Key: "id", Value: "ws-3"}})
 
 	if w.Code != http.StatusInternalServerError {
 		t.Errorf("query error must surface as 500, got %d", w.Code)
@@ -167,13 +158,13 @@ func TestTokenHandler_List_RespectsLimit(t *testing.T) {
 	defer cleanup()
 
 	mock.ExpectQuery(`SELECT id, prefix, created_at, last_used_at`).
-		WithArgs(wsUUID1, 10, 5).
+		WithArgs("ws-1", 10, 5).
 		WillReturnRows(sqlmock.NewRows([]string{"id", "prefix", "created_at", "last_used_at"}))
 
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
 	c.Request = httptest.NewRequest("GET", "/workspaces/ws-1/tokens?limit=10&offset=5", nil)
-	c.Params = gin.Params{{Key: "id", Value: wsUUID1}}
+	c.Params = gin.Params{{Key: "id", Value: "ws-1"}}
 	NewTokenHandler().List(c)
 
 	if w.Code != http.StatusOK {
@@ -195,7 +186,7 @@ func TestTokenHandler_List_ScanError(t *testing.T) {
 			AddRow("tok-1", "abc", "not-a-timestamp", nil))
 
 	w := makeReq(t, NewTokenHandler().List, "GET",
-		"/workspaces/ws-1/tokens", gin.Params{{Key: "id", Value: wsUUID1}})
+		"/workspaces/ws-1/tokens", gin.Params{{Key: "id", Value: "ws-1"}})
 
 	if w.Code != http.StatusInternalServerError {
 		t.Errorf("scan error must surface as 500, got %d: %s", w.Code, w.Body.String())
@@ -210,11 +201,11 @@ func TestTokenHandler_Create_RateLimited(t *testing.T) {
 
 	// Count query returns 50 (== max) → 429.
 	mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens`).
-		WithArgs(wsUUID1).
+		WithArgs("ws-1").
 		WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(50))
 
 	w := makeReq(t, NewTokenHandler().Create, "POST",
-		"/workspaces/ws-1/tokens", gin.Params{{Key: "id", Value: wsUUID1}})
+		"/workspaces/ws-1/tokens", gin.Params{{Key: "id", Value: "ws-1"}})
 
 	if w.Code != http.StatusTooManyRequests {
 		t.Errorf("max active tokens should 429, got %d", w.Code)
@@ -234,7 +225,7 @@ func TestTokenHandler_Create_IssueFails(t *testing.T) {
 		WillReturnError(errors.New("disk full"))
 
 	w := makeReq(t, NewTokenHandler().Create, "POST",
-		"/workspaces/ws-1/tokens", gin.Params{{Key: "id", Value: wsUUID1}})
+		"/workspaces/ws-1/tokens", gin.Params{{Key: "id", Value: "ws-1"}})
 
 	if w.Code != http.StatusInternalServerError {
 		t.Errorf("IssueToken DB error must 500, got %d", w.Code)
@@ -251,7 +242,7 @@ func TestTokenHandler_Create_HappyPath(t *testing.T) {
 		WillReturnResult(sqlmock.NewResult(1, 1))
 
 	w := makeReq(t, NewTokenHandler().Create, "POST",
-		"/workspaces/ws-1/tokens", gin.Params{{Key: "id", Value: wsUUID1}})
+		"/workspaces/ws-1/tokens", gin.Params{{Key: "id", Value: "ws-1"}})
 
 	if w.Code != http.StatusCreated {
 		t.Fatalf("expected 201, got %d: %s", w.Code, w.Body.String())
@@ -266,7 +257,7 @@ func TestTokenHandler_Create_HappyPath(t *testing.T) {
 	if body.AuthToken == "" {
 		t.Errorf("auth_token must be present and non-empty in response")
 	}
-	if body.WorkspaceID != wsUUID1 {
+	if body.WorkspaceID != "ws-1" {
 		t.Errorf("workspace_id mismatch: %q", body.WorkspaceID)
 	}
 }
@@ -278,12 +269,12 @@ func TestTokenHandler_Revoke_HappyPath(t *testing.T) {
 	defer cleanup()
 
 	mock.ExpectExec(`UPDATE workspace_auth_tokens\s+SET revoked_at = now\(\)`).
-		WithArgs("tok-1", wsUUID1).
+		WithArgs("tok-1", "ws-1").
 		WillReturnResult(sqlmock.NewResult(0, 1))
 
 	w := makeReq(t, NewTokenHandler().Revoke, "DELETE",
 		"/workspaces/ws-1/tokens/tok-1", gin.Params{
-			{Key: "id", Value: wsUUID1},
+			{Key: "id", Value: "ws-1"},
 			{Key: "tokenId", Value: "tok-1"},
 		})
 
@@ -298,12 +289,12 @@ func TestTokenHandler_Revoke_NotFound(t *testing.T) {
 
 	// 0 rows affected → token not found OR already revoked.
 	mock.ExpectExec(`UPDATE workspace_auth_tokens`).
-		WithArgs("tok-ghost", wsUUID1).
+		WithArgs("tok-ghost", "ws-1").
 		WillReturnResult(sqlmock.NewResult(0, 0))
 
 	w := makeReq(t, NewTokenHandler().Revoke, "DELETE",
 		"/workspaces/ws-1/tokens/tok-ghost", gin.Params{
-			{Key: "id", Value: wsUUID1},
+			{Key: "id", Value: "ws-1"},
 			{Key: "tokenId", Value: "tok-ghost"},
 		})
 
@@ -321,7 +312,7 @@ func TestTokenHandler_Revoke_DBError(t *testing.T) {
 
 	w := makeReq(t, NewTokenHandler().Revoke, "DELETE",
 		"/workspaces/ws-1/tokens/tok-1", gin.Params{
-			{Key: "id", Value: wsUUID1},
+			{Key: "id", Value: "ws-1"},
 			{Key: "tokenId", Value: "tok-1"},
 		})
 
@@ -330,59 +321,6 @@ func TestTokenHandler_Revoke_DBError(t *testing.T) {
 	}
 }
 
-// ---- UUID validation (regression: "global" sentinel 500) ------------
-
-// The canvas Settings → Workspace Tokens tab sent the literal sentinel
-// "global" as the workspace id when no node was selected. workspace_id
-// is a `uuid` column, so the query raised
-// `invalid input syntax for type uuid: "global"` which leaked as an
-// opaque 500. List/Create/Revoke now reject any non-UUID id with a
-// clean 400 before touching the DB. No DB expectation is set on the
-// mock — a DB hit would fail ExpectationsWereMet, proving short-circuit.
-func TestTokenHandler_RejectsNonUUIDWorkspaceID(t *testing.T) {
-	h := NewTokenHandler()
-	cases := []struct {
-		name   string
-		run    func(c *gin.Context)
-		method string
-		params gin.Params
-	}{
-		{"List", h.List, "GET", gin.Params{{Key: "id", Value: "global"}}},
-		{"Create", h.Create, "POST", gin.Params{{Key: "id", Value: "global"}}},
-		{"Revoke", h.Revoke, "DELETE", gin.Params{
-			{Key: "id", Value: "global"},
-			{Key: "tokenId", Value: "tok-1"},
-		}},
-	}
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			mock, cleanup := withMockDB(t)
-			defer cleanup()
-
-			w := makeReq(t, tc.run, tc.method,
-				"/workspaces/global/tokens", tc.params)
-
-			if w.Code != http.StatusBadRequest {
-				t.Fatalf("%s with non-UUID id must 400, got %d: %s",
-					tc.name, w.Code, w.Body.String())
-			}
-			var body struct {
-				Error string `json:"error"`
-			}
-			_ = json.Unmarshal(w.Body.Bytes(), &body)
-			if body.Error != "invalid workspace id" {
-				t.Errorf("%s: want error=%q, got %q",
-					tc.name, "invalid workspace id", body.Error)
-			}
-			// No query/exec was expected → if the handler hit the DB
-			// this fails, proving the guard short-circuits before SQL.
-			if err := mock.ExpectationsWereMet(); err != nil {
-				t.Errorf("%s leaked a DB call past the uuid guard: %v", tc.name, err)
-			}
-		})
-	}
-}
-
 // Compile-time noise removal: the imports list pulls in the sql /
 // driver packages and the silenced ctx so a future scenario that
 // needs them doesn't have to re-add the import. Documented here so

workspace-server/internal/handlers/tokens_test.go

@@ -11,7 +11,6 @@ import (
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/wsauth"
 	"github.com/gin-gonic/gin"
-	"github.com/google/uuid"
 )
 
 func init() { gin.SetMode(gin.TestMode) }
@@ -168,14 +167,11 @@ func TestTokenHandler_RevokeWrongWorkspace(t *testing.T) {
 
 	h := NewTokenHandler()
 
-	// Try to revoke with a different (valid-UUID) workspace ID that does
-	// not own the token — should 404. A valid UUID is required so this
-	// exercises the ownership branch, not the up-front uuid-shape 400.
-	otherWS := uuid.NewString()
+	// Try to revoke with a different workspace ID — should 404
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: otherWS}, {Key: "tokenId", Value: tokenID}}
-	c.Request = httptest.NewRequest("DELETE", "/workspaces/"+otherWS+"/tokens/"+tokenID, nil)
+	c.Params = gin.Params{{Key: "id", Value: "wrong-workspace-id"}, {Key: "tokenId", Value: tokenID}}
+	c.Request = httptest.NewRequest("DELETE", "/workspaces/wrong/tokens/"+tokenID, nil)
 	h.Revoke(c)
 
 	if w.Code != http.StatusNotFound {

workspace-server/internal/handlers/traces_test.go

@@ -107,88 +107,3 @@ func TestTracesList_LangfuseUnreachable(t *testing.T) {
 		t.Errorf("expected empty list when Langfuse unreachable, got %d items", len(resp))
 	}
 }
-
-// withLangfuseEnv sets all three required env vars pointing at ts and
-// arranges a deferred cleanup.
-func withLangfuseEnv(t *testing.T, ts *httptest.Server) {
-	os.Setenv("LANGFUSE_HOST", ts.URL)
-	os.Setenv("LANGFUSE_PUBLIC_KEY", "pk-test")
-	os.Setenv("LANGFUSE_SECRET_KEY", "sk-test")
-	t.Cleanup(func() {
-		os.Unsetenv("LANGFUSE_HOST")
-		os.Unsetenv("LANGFUSE_PUBLIC_KEY")
-		os.Unsetenv("LANGFUSE_SECRET_KEY")
-	})
-}
-
-func TestTracesList_LangfuseSuccess(t *testing.T) {
-	setupTestDB(t)
-	setupTestRedis(t)
-	handler := NewTracesHandler()
-
-	wantBody := `[{"id":"t1","name":"trace-1"},{"id":"t2","name":"trace-2"}]`
-
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		// Verify Basic Auth headers were forwarded
-		user, pass, ok := r.BasicAuth()
-		if !ok || user != "pk-test" || pass != "sk-test" {
-			t.Errorf("expected BasicAuth(pk-test,sk-test), got (%q,%q)", user, pass)
-		}
-		// Verify the request was a GET
-		if r.Method != http.MethodGet {
-			t.Errorf("expected GET, got %s", r.Method)
-		}
-		w.Header().Set("Content-Type", "application/json")
-		w.WriteHeader(http.StatusOK)
-		_, _ = w.Write([]byte(wantBody))
-	}))
-	defer ts.Close()
-
-	withLangfuseEnv(t, ts)
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "ws-success"}}
-	c.Request = httptest.NewRequest("GET", "/workspaces/ws-success/traces", nil)
-
-	handler.List(c)
-
-	if w.Code != http.StatusOK {
-		t.Errorf("expected 200, got %d: %s", w.Code, w.Body.String())
-	}
-	if ct := w.Header().Get("Content-Type"); ct != "application/json" {
-		t.Errorf("expected Content-Type application/json, got %q", ct)
-	}
-	if got := w.Body.String(); got != wantBody {
-		t.Errorf("body mismatch:\nwant: %s\n got: %s", wantBody, got)
-	}
-}
-
-func TestTracesList_LangfuseHTTPError(t *testing.T) {
-	setupTestDB(t)
-	setupTestRedis(t)
-	handler := NewTracesHandler()
-
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusServiceUnavailable)
-		_, _ = w.Write([]byte(`{"error":"upstream overloaded"}`))
-	}))
-	defer ts.Close()
-
-	withLangfuseEnv(t, ts)
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "ws-err"}}
-	c.Request = httptest.NewRequest("GET", "/workspaces/ws-err/traces", nil)
-
-	handler.List(c)
-
-	// Non-2xx must be forwarded as-is — not converted to 200
-	if w.Code != http.StatusServiceUnavailable {
-		t.Errorf("expected 503, got %d: %s", w.Code, w.Body.String())
-	}
-	if got := w.Body.String(); got != `{"error":"upstream overloaded"}` {
-		t.Errorf("expected raw error body, got: %s", got)
-	}
-}

workspace-server/internal/handlers/workspace_broadcast_test.go

@@ -0,0 +1,410 @@
+package handlers
+
+import (
+	"bytes"
+	"context"
+	"database/sql"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/DATA-DOG/go-sqlmock"
+	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
+	"github.com/Molecule-AI/molecule-monorepo/platform/internal/events"
+	"github.com/Molecule-AI/molecule-monorepo/platform/internal/ws"
+	"github.com/gin-gonic/gin"
+)
+
+// setupBroadcastDB uses QueryMatcherEqual so SQL strings with quoted literals
+// (e.g. status != 'removed') are compared verbatim, not as regex.
+func setupBroadcastDB(t *testing.T) sqlmock.Sqlmock {
+	t.Helper()
+	mockDB, mock, err := sqlmock.New(sqlmock.QueryMatcherOption(sqlmock.QueryMatcherEqual))
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })
+	return mock
+}
+
+// broadcastTestUUID is a properly formatted test UUID.
+const broadcastTestUUID = "bbbbbbbb-0001-0001-0001-000000000001"
+
+// buildBroadcastCtx creates a gin.Context wired for POST /workspaces/:id/broadcast.
+func buildBroadcastCtx(id, body string) (*gin.Context, *httptest.ResponseRecorder) {
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	req := httptest.NewRequest(http.MethodPost, "/workspaces/"+id+"/broadcast", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+	c.Request = req.WithContext(context.Background())
+	c.Params = gin.Params{{Key: "id", Value: id}}
+	return c, w
+}
+
+// ─── Pure function ─────────────────────────────────────────────────────────────
+
+func TestBroadcastTruncate(t *testing.T) {
+	tests := []struct {
+		name string
+		s    string
+		max  int
+		want string
+	}{
+		{"empty string", "", 10, ""},
+		{"under limit", "hello", 10, "hello"},
+		{"exactly at limit", "hello", 5, "hello"},
+		{"over limit", "hello world", 5, "hello…"},
+		{"unicode over limit", "こんにちは世界", 5, "こんにちは…"},
+		{"ascii over limit", "abcdefghij", 5, "abcde…"},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			got := broadcastTruncate(tc.s, tc.max)
+			if got != tc.want {
+				t.Errorf("broadcastTruncate(%q, %d) = %q; want %q", tc.s, tc.max, got, tc.want)
+			}
+		})
+	}
+}
+
+// ─── Validation ────────────────────────────────────────────────────────────────
+
+func TestBroadcast_InvalidWorkspaceID(t *testing.T) {
+	c, w := buildBroadcastCtx("not-a-uuid", `{"message":"hello"}`)
+	handler := NewBroadcastHandler(events.NewBroadcaster(ws.NewHub(nil)))
+	handler.Broadcast(c)
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("want 400, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestBroadcast_MissingMessage(t *testing.T) {
+	mock := setupBroadcastDB(t)
+	c, w := buildBroadcastCtx(broadcastTestUUID, `{}`)
+
+	handler := NewBroadcastHandler(events.NewBroadcaster(ws.NewHub(nil)))
+	handler.Broadcast(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("want 400, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet mock expectations: %v", err)
+	}
+}
+
+func TestBroadcast_MalformedJSON(t *testing.T) {
+	mock := setupBroadcastDB(t)
+	c, w := buildBroadcastCtx(broadcastTestUUID, `not json`)
+
+	handler := NewBroadcastHandler(events.NewBroadcaster(ws.NewHub(nil)))
+	handler.Broadcast(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("want 400, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet mock expectations: %v", err)
+	}
+}
+
+// ─── Auth / Authz ─────────────────────────────────────────────────────────────
+
+func TestBroadcast_WorkspaceNotFound(t *testing.T) {
+	mock := setupBroadcastDB(t)
+	c, w := buildBroadcastCtx(broadcastTestUUID, `{"message":"hello"}`)
+
+	// Workspace lookup returns no rows.
+	mock.ExpectQuery("SELECT name, broadcast_enabled FROM workspaces WHERE id = $1 AND status != 'removed'").
+		WithArgs(broadcastTestUUID).
+		WillReturnError(sql.ErrNoRows)
+
+	handler := NewBroadcastHandler(events.NewBroadcaster(ws.NewHub(nil)))
+	handler.Broadcast(c)
+
+	if w.Code != http.StatusNotFound {
+		t.Errorf("want 404, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet mock expectations: %v", err)
+	}
+}
+
+func TestBroadcast_WorkspaceLookupQueryError(t *testing.T) {
+	mock := setupBroadcastDB(t)
+	c, w := buildBroadcastCtx(broadcastTestUUID, `{"message":"hello"}`)
+
+	mock.ExpectQuery("SELECT name, broadcast_enabled FROM workspaces WHERE id = $1 AND status != 'removed'").
+		WithArgs(broadcastTestUUID).
+		WillReturnError(sql.ErrConnDone)
+
+	handler := NewBroadcastHandler(events.NewBroadcaster(ws.NewHub(nil)))
+	handler.Broadcast(c)
+
+	if w.Code != http.StatusNotFound {
+		t.Errorf("want 404, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet mock expectations: %v", err)
+	}
+}
+
+func TestBroadcast_BroadcastDisabled(t *testing.T) {
+	mock := setupBroadcastDB(t)
+	c, w := buildBroadcastCtx(broadcastTestUUID, `{"message":"hello"}`)
+
+	// Workspace found but broadcast_enabled=false.
+	rows := sqlmock.NewRows([]string{"name", "broadcast_enabled"}).
+		AddRow("test-workspace", false)
+	mock.ExpectQuery("SELECT name, broadcast_enabled FROM workspaces WHERE id = $1 AND status != 'removed'").
+		WithArgs(broadcastTestUUID).
+		WillReturnRows(rows)
+
+	handler := NewBroadcastHandler(events.NewBroadcaster(ws.NewHub(nil)))
+	handler.Broadcast(c)
+
+	if w.Code != http.StatusForbidden {
+		t.Errorf("want 403, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet mock expectations: %v", err)
+	}
+}
+
+// ─── DB error paths ────────────────────────────────────────────────────────────
+
+func TestBroadcast_RecipientQueryError(t *testing.T) {
+	mock := setupBroadcastDB(t)
+	c, w := buildBroadcastCtx(broadcastTestUUID, `{"message":"hello"}`)
+
+	// Workspace lookup succeeds with broadcast_enabled=true.
+	mock.ExpectQuery("SELECT name, broadcast_enabled FROM workspaces WHERE id = $1 AND status != 'removed'").
+		WithArgs(broadcastTestUUID).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "broadcast_enabled"}).AddRow("test-workspace", true))
+
+	// Recipient query fails.
+	mock.ExpectQuery("SELECT id FROM workspaces WHERE status != 'removed' AND id != $1").
+		WithArgs(broadcastTestUUID).
+		WillReturnError(sql.ErrConnDone)
+
+	handler := NewBroadcastHandler(events.NewBroadcaster(ws.NewHub(nil)))
+	handler.Broadcast(c)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Errorf("want 500, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet mock expectations: %v", err)
+	}
+}
+
+func TestBroadcast_RecipientRowsError(t *testing.T) {
+	mock := setupBroadcastDB(t)
+	c, w := buildBroadcastCtx(broadcastTestUUID, `{"message":"hello"}`)
+
+	mock.ExpectQuery("SELECT name, broadcast_enabled FROM workspaces WHERE id = $1 AND status != 'removed'").
+		WithArgs(broadcastTestUUID).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "broadcast_enabled"}).AddRow("test-workspace", true))
+
+	// Recipient query succeeds but rows.Err() fails.
+	badRows := sqlmock.NewRows([]string{"id"}).AddRow("ws-2").RowError(0, sql.ErrConnDone)
+	mock.ExpectQuery("SELECT id FROM workspaces WHERE status != 'removed' AND id != $1").
+		WithArgs(broadcastTestUUID).
+		WillReturnRows(badRows)
+
+	handler := NewBroadcastHandler(events.NewBroadcaster(ws.NewHub(nil)))
+	handler.Broadcast(c)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Errorf("want 500, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet mock expectations: %v", err)
+	}
+}
+
+// ─── Success paths ────────────────────────────────────────────────────────────
+
+func TestBroadcast_Success_OneRecipient(t *testing.T) {
+	mock := setupBroadcastDB(t)
+	c, w := buildBroadcastCtx(broadcastTestUUID, `{"message":"hello world"}`)
+
+	// Workspace lookup.
+	mock.ExpectQuery("SELECT name, broadcast_enabled FROM workspaces WHERE id = $1 AND status != 'removed'").
+		WithArgs(broadcastTestUUID).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "broadcast_enabled"}).AddRow("sender-workspace", true))
+
+	// Recipient query: one recipient.
+	recipRows := sqlmock.NewRows([]string{"id"}).AddRow("ws-recipient-1")
+	mock.ExpectQuery("SELECT id FROM workspaces WHERE status != 'removed' AND id != $1").
+		WithArgs(broadcastTestUUID).
+		WillReturnRows(recipRows)
+
+	// Activity log insert for recipient.
+	mock.ExpectExec("INSERT INTO activity_logs (workspace_id, activity_type, method, source_id, summary, status) VALUES ($1, 'broadcast_receive', 'broadcast', $2, $3, 'ok')").
+		WithArgs("ws-recipient-1", broadcastTestUUID, sqlmock.AnyArg()).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	// Activity log insert for sender (broadcast_sent).
+	mock.ExpectExec("INSERT INTO activity_logs (workspace_id, activity_type, method, summary, status) VALUES ($1, 'broadcast_sent', 'broadcast', $2, 'ok')").
+		WithArgs(broadcastTestUUID, sqlmock.AnyArg()).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	handler := NewBroadcastHandler(events.NewBroadcaster(ws.NewHub(nil)))
+	handler.Broadcast(c)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("want 200, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet mock expectations: %v", err)
+	}
+}
+
+func TestBroadcast_Success_NoRecipients(t *testing.T) {
+	mock := setupBroadcastDB(t)
+	c, w := buildBroadcastCtx(broadcastTestUUID, `{"message":"hello"}`)
+
+	mock.ExpectQuery("SELECT name, broadcast_enabled FROM workspaces WHERE id = $1 AND status != 'removed'").
+		WithArgs(broadcastTestUUID).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "broadcast_enabled"}).AddRow("solo-workspace", true))
+
+	// No recipients.
+	recipRows := sqlmock.NewRows([]string{"id"})
+	mock.ExpectQuery("SELECT id FROM workspaces WHERE status != 'removed' AND id != $1").
+		WithArgs(broadcastTestUUID).
+		WillReturnRows(recipRows)
+
+	// Activity log insert for sender (broadcast_sent).
+	mock.ExpectExec("INSERT INTO activity_logs (workspace_id, activity_type, method, summary, status) VALUES ($1, 'broadcast_sent', 'broadcast', $2, 'ok')").
+		WithArgs(broadcastTestUUID, sqlmock.AnyArg()).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	handler := NewBroadcastHandler(events.NewBroadcaster(ws.NewHub(nil)))
+	handler.Broadcast(c)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("want 200, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet mock expectations: %v", err)
+	}
+}
+
+func TestBroadcast_Success_MultipleRecipients(t *testing.T) {
+	mock := setupBroadcastDB(t)
+	c, w := buildBroadcastCtx(broadcastTestUUID, `{"message":"hello"}`)
+
+	mock.ExpectQuery("SELECT name, broadcast_enabled FROM workspaces WHERE id = $1 AND status != 'removed'").
+		WithArgs(broadcastTestUUID).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "broadcast_enabled"}).AddRow("broadcaster", true))
+
+	// Three recipients.
+	recipRows := sqlmock.NewRows([]string{"id"}).
+		AddRow("ws-1").AddRow("ws-2").AddRow("ws-3")
+	mock.ExpectQuery("SELECT id FROM workspaces WHERE status != 'removed' AND id != $1").
+		WithArgs(broadcastTestUUID).
+		WillReturnRows(recipRows)
+
+	// Each recipient gets a broadcast_receive log.
+	for _, rid := range []string{"ws-1", "ws-2", "ws-3"} {
+		mock.ExpectExec("INSERT INTO activity_logs (workspace_id, activity_type, method, source_id, summary, status) VALUES ($1, 'broadcast_receive', 'broadcast', $2, $3, 'ok')").
+			WithArgs(rid, broadcastTestUUID, sqlmock.AnyArg()).
+			WillReturnResult(sqlmock.NewResult(0, 1))
+	}
+
+	// Sender log.
+	mock.ExpectExec("INSERT INTO activity_logs (workspace_id, activity_type, method, summary, status) VALUES ($1, 'broadcast_sent', 'broadcast', $2, 'ok')").
+		WithArgs(broadcastTestUUID, sqlmock.AnyArg()).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	handler := NewBroadcastHandler(events.NewBroadcaster(ws.NewHub(nil)))
+	handler.Broadcast(c)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("want 200, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet mock expectations: %v", err)
+	}
+}
+
+// ─── Recipient insert failure (logged, continues) ─────────────────────────────
+
+func TestBroadcast_RecipientInsertError_ContinuesAndSucceeds(t *testing.T) {
+	mock := setupBroadcastDB(t)
+	c, w := buildBroadcastCtx(broadcastTestUUID, `{"message":"hello"}`)
+
+	mock.ExpectQuery("SELECT name, broadcast_enabled FROM workspaces WHERE id = $1 AND status != 'removed'").
+		WithArgs(broadcastTestUUID).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "broadcast_enabled"}).AddRow("broadcaster", true))
+
+	// Two recipients.
+	recipRows := sqlmock.NewRows([]string{"id"}).AddRow("ws-1").AddRow("ws-2")
+	mock.ExpectQuery("SELECT id FROM workspaces WHERE status != 'removed' AND id != $1").
+		WithArgs(broadcastTestUUID).
+		WillReturnRows(recipRows)
+
+	// First recipient insert fails (logged, continues).
+	mock.ExpectExec("INSERT INTO activity_logs (workspace_id, activity_type, method, source_id, summary, status) VALUES ($1, 'broadcast_receive', 'broadcast', $2, $3, 'ok')").
+		WithArgs("ws-1", broadcastTestUUID, sqlmock.AnyArg()).
+		WillReturnError(sql.ErrConnDone)
+
+	// Second recipient insert succeeds.
+	mock.ExpectExec("INSERT INTO activity_logs (workspace_id, activity_type, method, source_id, summary, status) VALUES ($1, 'broadcast_receive', 'broadcast', $2, $3, 'ok')").
+		WithArgs("ws-2", broadcastTestUUID, sqlmock.AnyArg()).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	// Sender log.
+	mock.ExpectExec("INSERT INTO activity_logs (workspace_id, activity_type, method, summary, status) VALUES ($1, 'broadcast_sent', 'broadcast', $2, 'ok')").
+		WithArgs(broadcastTestUUID, sqlmock.AnyArg()).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	handler := NewBroadcastHandler(events.NewBroadcaster(ws.NewHub(nil)))
+	handler.Broadcast(c)
+
+	// Handler returns 200 even though one insert failed — it logs and continues.
+	if w.Code != http.StatusOK {
+		t.Errorf("want 200 despite insert error, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet mock expectations: %v", err)
+	}
+}
+
+// ─── Sender activity log insert failure (logged, still 200) ────────────────────
+
+func TestBroadcast_SenderLogInsertError_Still200(t *testing.T) {
+	mock := setupBroadcastDB(t)
+	c, w := buildBroadcastCtx(broadcastTestUUID, `{"message":"hello"}`)
+
+	mock.ExpectQuery("SELECT name, broadcast_enabled FROM workspaces WHERE id = $1 AND status != 'removed'").
+		WithArgs(broadcastTestUUID).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "broadcast_enabled"}).AddRow("broadcaster", true))
+
+	recipRows := sqlmock.NewRows([]string{"id"}).AddRow("ws-1")
+	mock.ExpectQuery("SELECT id FROM workspaces WHERE status != 'removed' AND id != $1").
+		WithArgs(broadcastTestUUID).
+		WillReturnRows(recipRows)
+
+	mock.ExpectExec("INSERT INTO activity_logs (workspace_id, activity_type, method, source_id, summary, status) VALUES ($1, 'broadcast_receive', 'broadcast', $2, $3, 'ok')").
+		WithArgs("ws-1", broadcastTestUUID, sqlmock.AnyArg()).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	// Sender log fails — but handler still returns 200 (logged only).
+	mock.ExpectExec("INSERT INTO activity_logs (workspace_id, activity_type, method, summary, status) VALUES ($1, 'broadcast_sent', 'broadcast', $2, 'ok')").
+		WithArgs(broadcastTestUUID, sqlmock.AnyArg()).
+		WillReturnError(sql.ErrConnDone)
+
+	handler := NewBroadcastHandler(events.NewBroadcaster(ws.NewHub(nil)))
+	handler.Broadcast(c)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("want 200 despite sender log error, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet mock expectations: %v", err)
+	}
+}