diff --git a/workspace-server/cmd/server/cp_config.go b/workspace-server/cmd/server/cp_config.go
index 61275073..d1021c22 100644
--- a/workspace-server/cmd/server/cp_config.go
+++ b/workspace-server/cmd/server/cp_config.go
@@ -64,7 +64,7 @@ func refreshEnvFromCP() error {
 	if err != nil {
 		return fmt.Errorf("do request: %w", err)
 	}
-	defer func() { _ = $1 }()
+	defer func() { _ = resp.Body.Close() }()
 
 	// 64 KiB cap — the CP only returns small JSON blobs here. An
 	// unbounded read would be weaponizable if a compromised upstream
diff --git a/workspace-server/internal/handlers/a2a_proxy.go b/workspace-server/internal/handlers/a2a_proxy.go
index 0eba6b24..0ba8e021 100644
--- a/workspace-server/internal/handlers/a2a_proxy.go
+++ b/workspace-server/internal/handlers/a2a_proxy.go
@@ -288,7 +288,7 @@ func (h *WorkspaceHandler) proxyA2ARequest(ctx context.Context, workspaceID stri
 	if err != nil {
 		return h.handleA2ADispatchError(ctx, workspaceID, callerID, body, a2aMethod, err, durationMs, logActivity)
 	}
-	defer func() { _ = $1 }()
+	defer func() { _ = resp.Body.Close() }()
 
 	// Read agent response (capped at 10MB).
 	// #689: Do() succeeded, which means the target received the request and sent
diff --git a/workspace-server/internal/handlers/github_token.go b/workspace-server/internal/handlers/github_token.go
index c4f4d1e2..ce9492a9 100644
--- a/workspace-server/internal/handlers/github_token.go
+++ b/workspace-server/internal/handlers/github_token.go
@@ -163,7 +163,7 @@ func generateAppInstallationToken() (string, time.Time, error) {
 	if err != nil {
 		return "", time.Time{}, err
 	}
-	defer func() { _ = $1 }()
+	defer func() { _ = resp.Body.Close() }()
 	var result struct {
 		Token     string    `json:"token"`
 		ExpiresAt time.Time `json:"expires_at"`
diff --git a/workspace-server/internal/handlers/traces.go b/workspace-server/internal/handlers/traces.go
index 6e0d952e..19df5f1c 100644
--- a/workspace-server/internal/handlers/traces.go
+++ b/workspace-server/internal/handlers/traces.go
@@ -49,7 +49,7 @@ func (h *TracesHandler) List(c *gin.Context) {
 		c.JSON(http.StatusOK, []interface{}{})
 		return
 	}
-	defer func() { _ = $1 }()
+	defer func() { _ = resp.Body.Close() }()
 
 	body, _ := io.ReadAll(resp.Body)
 	c.Data(resp.StatusCode, "application/json", body)
diff --git a/workspace-server/internal/handlers/transcript.go b/workspace-server/internal/handlers/transcript.go
index 09624079..4690f8d6 100644
--- a/workspace-server/internal/handlers/transcript.go
+++ b/workspace-server/internal/handlers/transcript.go
@@ -111,7 +111,7 @@ func (h *TranscriptHandler) Get(c *gin.Context) {
 		c.JSON(http.StatusBadGateway, gin.H{"error": "workspace unreachable"})
 		return
 	}
-	defer func() { _ = $1 }()
+	defer func() { _ = resp.Body.Close() }()
 
 	// Cap at 1 MB so a giant transcript doesn't melt the canvas.
 	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
diff --git a/workspace-server/internal/middleware/session_auth.go b/workspace-server/internal/middleware/session_auth.go
index a0daa077..54d59ba8 100644
--- a/workspace-server/internal/middleware/session_auth.go
+++ b/workspace-server/internal/middleware/session_auth.go
@@ -207,7 +207,7 @@ func verifiedCPSession(cookieHeader string) (valid, presented bool) {
 		// for the negative-TTL window. Next request retries.
 		return false, true
 	}
-	defer func() { _ = $1 }()
+	defer func() { _ = resp.Body.Close() }()
 
 	if resp.StatusCode != http.StatusOK {
 		sessionCachePut(key, false)
diff --git a/workspace-server/internal/provisioner/cp_provisioner.go b/workspace-server/internal/provisioner/cp_provisioner.go
index 533fb230..68606fea 100644
--- a/workspace-server/internal/provisioner/cp_provisioner.go
+++ b/workspace-server/internal/provisioner/cp_provisioner.go
@@ -129,7 +129,7 @@ func (p *CPProvisioner) Start(ctx context.Context, cfg WorkspaceConfig) (string,
 	if err != nil {
 		return "", fmt.Errorf("cp provisioner: send: %w", err)
 	}
-	defer func() { _ = $1 }()
+	defer func() { _ = resp.Body.Close() }()
 
 	// Cap body read at 64 KiB — the CP only ever returns small JSON
 	// responses; an unbounded read could be weaponized into log-flood
@@ -199,7 +199,7 @@ func (p *CPProvisioner) IsRunning(ctx context.Context, workspaceID string) (bool
 	if err != nil {
 		return true, fmt.Errorf("cp provisioner: status: %w", err)
 	}
-	defer func() { _ = $1 }()
+	defer func() { _ = resp.Body.Close() }()
 	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
 		// Don't leak the body — upstream errors may echo headers.
 		return true, fmt.Errorf("cp provisioner: status: unexpected %d", resp.StatusCode)
@@ -231,7 +231,7 @@ func (p *CPProvisioner) GetConsoleOutput(ctx context.Context, workspaceID string
 	if err != nil {
 		return "", fmt.Errorf("cp provisioner: console: %w", err)
 	}
-	defer func() { _ = $1 }()
+	defer func() { _ = resp.Body.Close() }()
 	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
 		return "", fmt.Errorf("cp provisioner: console: unexpected %d", resp.StatusCode)
 	}