diff --git a/workspace-server/internal/middleware/wsauth_middleware_test.go b/workspace-server/internal/middleware/wsauth_middleware_test.go
index db58ab59..6ed046ee 100644
--- a/workspace-server/internal/middleware/wsauth_middleware_test.go
+++ b/workspace-server/internal/middleware/wsauth_middleware_test.go
@@ -473,8 +473,8 @@ func TestAdminAuth_InvalidBearer_Returns401(t *testing.T) {
 // token (org_id="ws-org-1").
 // ────────────────────────────────────────────────────────────────────────────
 
-// orgTokenValidateQuery is declared in wsauth_middleware_org_id_test.go
-// and reused here — same package, shared const, matched by sqlmock regex.
+// orgTokenValidateQuery is matched for orgtoken.Validate().
+const orgTokenValidateQuery = "SELECT id, prefix, org_id::text FROM org_api_tokens"
 
 // orgTokenOrgIDQuery is matched for the org_id lookup added in the F1097 fix.
 const orgTokenOrgIDQuery = "SELECT org_id::text FROM org_api_tokens"
@@ -525,8 +525,8 @@ func TestAdminAuth_OrgToken_SetsOrgID(t *testing.T) {
 			// (ValidateAnyToken), so ValidateAnyToken is NOT called here.
 			mock.ExpectQuery(orgTokenValidateQuery).
 				WithArgs(orgTokenHash[:]).
-				WillReturnRows(sqlmock.NewRows([]string{"id", "prefix"}).
-					AddRow("tok-org-1", "tok-org-1"))
+				WillReturnRows(sqlmock.NewRows([]string{"id", "prefix", "org_id"}).
+					AddRow("tok-org-1", "tok-org-1", nil))
 
 			// Best-effort last_used_at UPDATE (after Validate).
 			mock.ExpectExec(orgTokenLastUsedQuery).