diff --git a/.github/workflows/branch-protection-drift.yml b/.github/workflows/branch-protection-drift.yml
new file mode 100644
index 00000000..889d3d5b
--- /dev/null
+++ b/.github/workflows/branch-protection-drift.yml
@@ -0,0 +1,81 @@
+name: branch-protection drift check
+
+# Catches out-of-band edits to branch protection (UI clicks, manual gh
+# api PATCH from a one-off ops session) by comparing live state against
+# tools/branch-protection/apply.sh's desired state every day. Fails the
+# workflow when they drift; the failure is the signal.
+#
+# When it fails: re-run apply.sh to put the live state back to the
+# script's intent, OR update apply.sh to encode the new intent and
+# commit. Either way the script is the source of truth.
+
+on:
+  schedule:
+    # 14:00 UTC daily. Off-hours for most teams; gives a fresh signal
+    # at the start of every working day.
+    - cron: '0 14 * * *'
+  workflow_dispatch:
+  pull_request:
+    branches: [staging, main]
+    paths:
+      - 'tools/branch-protection/**'
+      - '.github/workflows/branch-protection-drift.yml'
+
+permissions:
+  contents: read
+
+jobs:
+  drift:
+    name: Branch protection drift
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      # Token strategy by trigger:
+      #
+      # - schedule (daily canary): hard-fail when the admin token is
+      #   missing. This is the *only* trigger where silent soft-skip is
+      #   dangerous — a missing secret on the cron run means the drift
+      #   gate has effectively disappeared with no human in the loop to
+      #   notice. Per feedback_schedule_vs_dispatch_secrets_hardening.md
+      #   the rule is "schedule/automated triggers must hard-fail".
+      #
+      # - pull_request (touching tools/branch-protection/**): soft-skip
+      #   with a prominent warning. A PR cannot retroactively drift the
+      #   live state — drift happens *between* PRs (UI clicks, manual
+      #   gh api PATCH) and is the schedule's job to catch. The PR-time
+      #   gate would only catch typos in apply.sh, which the apply.sh
+      #   *_payload unit tests catch better. A human is reviewing the
+      #   PR and will see the warning in the workflow log.
+      #
+      # - workflow_dispatch (operator one-off): soft-skip with warning,
+      #   so an operator can run a diagnostic without configuring the
+      #   secret first.
+      - name: Verify admin token present (hard-fail on schedule only)
+        env:
+          GH_TOKEN_FOR_ADMIN_API: ${{ secrets.GH_TOKEN_FOR_ADMIN_API }}
+        run: |
+          if [[ -n "$GH_TOKEN_FOR_ADMIN_API" ]]; then
+            echo "GH_TOKEN_FOR_ADMIN_API present — drift_check will run with admin scope."
+            exit 0
+          fi
+          if [[ "${{ github.event_name }}" == "schedule" ]]; then
+            echo "::error::GH_TOKEN_FOR_ADMIN_API secret missing on the daily canary." >&2
+            echo "" >&2
+            echo "The schedule run is the SoT for branch-protection drift detection." >&2
+            echo "Without admin scope it silently passes, hiding any out-of-band edits." >&2
+            echo "Set GH_TOKEN_FOR_ADMIN_API at Settings → Secrets and variables → Actions." >&2
+            exit 1
+          fi
+          echo "::warning::GH_TOKEN_FOR_ADMIN_API secret missing — drift_check will be SKIPPED."
+          echo "::warning::PR drift checks need repo-admin scope to read /branches/:b/protection."
+          echo "::warning::This is non-fatal: the daily schedule run is the canonical drift gate."
+          echo "SKIP_DRIFT_CHECK=1" >> "$GITHUB_ENV"
+
+      - name: Run drift check
+        if: env.SKIP_DRIFT_CHECK != '1'
+        env:
+          # Repo-admin scope, needed for /branches/:b/protection.
+          GH_TOKEN: ${{ secrets.GH_TOKEN_FOR_ADMIN_API }}
+        run: bash tools/branch-protection/drift_check.sh
diff --git a/canvas/src/components/MemoryEditorDialog.tsx b/canvas/src/components/MemoryEditorDialog.tsx
new file mode 100644
index 00000000..6625412a
--- /dev/null
+++ b/canvas/src/components/MemoryEditorDialog.tsx
@@ -0,0 +1,261 @@
+'use client';
+
+import { useEffect, useRef, useState } from "react";
+import { createPortal } from "react-dom";
+import { api } from "@/lib/api";
+import type { MemoryEntry } from "@/components/MemoryInspectorPanel";
+
+type Scope = "LOCAL" | "TEAM" | "GLOBAL";
+const SCOPES: Scope[] = ["LOCAL", "TEAM", "GLOBAL"];
+
+interface AddProps {
+  open: boolean;
+  mode: "add";
+  workspaceId: string;
+  defaultScope: Scope;
+  defaultNamespace?: string;
+  entry?: undefined;
+  onClose: () => void;
+  onSaved: () => void;
+}
+
+interface EditProps {
+  open: boolean;
+  mode: "edit";
+  workspaceId: string;
+  entry: MemoryEntry;
+  defaultScope?: undefined;
+  defaultNamespace?: undefined;
+  onClose: () => void;
+  onSaved: () => void;
+}
+
+type Props = AddProps | EditProps;
+
+export function MemoryEditorDialog(props: Props) {
+  const { open, mode, workspaceId, onClose, onSaved } = props;
+  const dialogRef = useRef<HTMLDivElement>(null);
+  const [mounted, setMounted] = useState(false);
+  const [scope, setScope] = useState<Scope>("LOCAL");
+  const [namespace, setNamespace] = useState("general");
+  const [content, setContent] = useState("");
+  const [saving, setSaving] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+
+  useEffect(() => {
+    setMounted(true);
+  }, []);
+
+  // Reset form whenever the dialog opens.
+  useEffect(() => {
+    if (!open) return;
+    setError(null);
+    setSaving(false);
+    if (mode === "edit" && props.entry) {
+      setScope(props.entry.scope);
+      setNamespace(props.entry.namespace || "general");
+      setContent(props.entry.content);
+    } else if (mode === "add") {
+      setScope(props.defaultScope);
+      setNamespace(props.defaultNamespace || "general");
+      setContent("");
+    }
+    // mode/props are stable per-open; intentional shallow deps.
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [open]);
+
+  // Move focus into the dialog when it opens (WCAG SC 2.4.3).
+  useEffect(() => {
+    if (!open || !mounted) return;
+    const raf = requestAnimationFrame(() => {
+      dialogRef.current?.querySelector<HTMLElement>("textarea, input, select")?.focus();
+    });
+    return () => cancelAnimationFrame(raf);
+  }, [open, mounted]);
+
+  // Escape closes; Cmd/Ctrl-Enter saves.
+  const onCloseRef = useRef(onClose);
+  onCloseRef.current = onClose;
+  const handleSaveRef = useRef<() => void>(() => {});
+  useEffect(() => {
+    if (!open) return;
+    const handler = (e: KeyboardEvent) => {
+      if (e.key === "Escape") {
+        e.preventDefault();
+        onCloseRef.current();
+      } else if (e.key === "Enter" && (e.metaKey || e.ctrlKey)) {
+        e.preventDefault();
+        handleSaveRef.current();
+      }
+    };
+    window.addEventListener("keydown", handler);
+    return () => window.removeEventListener("keydown", handler);
+  }, [open]);
+
+  const handleSave = async () => {
+    if (saving) return;
+    const trimmed = content.trim();
+    if (!trimmed) {
+      setError("Content cannot be empty");
+      return;
+    }
+    setError(null);
+    setSaving(true);
+    try {
+      if (mode === "add") {
+        await api.post(`/workspaces/${workspaceId}/memories`, {
+          content: trimmed,
+          scope,
+          namespace: namespace.trim() || "general",
+        });
+      } else {
+        // PATCH only sends fields that changed. Content always changeable;
+        // namespace only sent if it differs from the original (saves a
+        // no-op write through redactSecrets + re-embed).
+        const original = props.entry;
+        const body: Record<string, string> = {};
+        if (trimmed !== original.content) body.content = trimmed;
+        const ns = namespace.trim() || "general";
+        if (ns !== original.namespace) body.namespace = ns;
+        if (Object.keys(body).length === 0) {
+          // No-op edit — close without an HTTP round-trip.
+          onSaved();
+          onClose();
+          return;
+        }
+        await api.patch(
+          `/workspaces/${workspaceId}/memories/${encodeURIComponent(original.id)}`,
+          body,
+        );
+      }
+      onSaved();
+      onClose();
+    } catch (e) {
+      setError(e instanceof Error ? e.message : "Save failed");
+    } finally {
+      setSaving(false);
+    }
+  };
+  handleSaveRef.current = handleSave;
+
+  if (!open || !mounted) return null;
+
+  const titleId = "memory-editor-title";
+  const isEdit = mode === "edit";
+
+  return createPortal(
+    <div className="fixed inset-0 z-[9999] flex items-center justify-center">
+      <div className="absolute inset-0 bg-black/60 backdrop-blur-sm" onClick={onClose} />
+
+      <div
+        ref={dialogRef}
+        role="dialog"
+        aria-modal="true"
+        aria-labelledby={titleId}
+        className="relative bg-surface-sunken border border-line rounded-xl shadow-2xl shadow-black/50 max-w-[480px] w-full mx-4 overflow-hidden"
+      >
+        <div className="px-5 py-4 space-y-3">
+          <h3 id={titleId} className="text-sm font-semibold text-ink">
+            {isEdit ? "Edit memory" : "Add memory"}
+          </h3>
+
+          {/* Scope */}
+          <div className="space-y-1">
+            <label className="text-[10px] text-ink-soft block" htmlFor="memory-editor-scope">
+              Scope
+            </label>
+            {isEdit ? (
+              <div
+                id="memory-editor-scope"
+                className="text-[12px] font-mono text-ink-mid bg-surface rounded px-2 py-1.5 border border-line/50"
+                title="Scope is fixed on edit. To move a memory across scopes, delete and re-create it."
+              >
+                {scope}
+              </div>
+            ) : (
+              <div className="flex items-center gap-1" id="memory-editor-scope" role="radiogroup" aria-label="Scope">
+                {SCOPES.map((s) => (
+                  <button
+                    key={s}
+                    type="button"
+                    role="radio"
+                    aria-checked={scope === s}
+                    onClick={() => setScope(s)}
+                    className={[
+                      "px-3 py-1 text-[11px] rounded transition-colors",
+                      scope === s
+                        ? "bg-accent-strong text-white"
+                        : "bg-surface-card text-ink-mid hover:text-ink",
+                    ].join(" ")}
+                  >
+                    {s}
+                  </button>
+                ))}
+              </div>
+            )}
+          </div>
+
+          {/* Namespace */}
+          <div className="space-y-1">
+            <label htmlFor="memory-editor-namespace" className="text-[10px] text-ink-soft block">
+              Namespace
+            </label>
+            <input
+              id="memory-editor-namespace"
+              type="text"
+              value={namespace}
+              onChange={(e) => setNamespace(e.target.value)}
+              placeholder="general"
+              className="w-full bg-surface border border-line/60 focus:border-accent/60 rounded px-2 py-1.5 text-[12px] text-ink placeholder-zinc-600 focus:outline-none transition-colors"
+            />
+          </div>
+
+          {/* Content */}
+          <div className="space-y-1">
+            <label htmlFor="memory-editor-content" className="text-[10px] text-ink-soft block">
+              Content
+            </label>
+            <textarea
+              id="memory-editor-content"
+              value={content}
+              onChange={(e) => setContent(e.target.value)}
+              rows={6}
+              placeholder="What should the agent remember?"
+              className="w-full bg-surface border border-line/60 focus:border-accent/60 rounded px-2 py-1.5 text-[12px] font-mono text-ink placeholder-zinc-600 focus:outline-none transition-colors resize-y min-h-[100px] max-h-[300px]"
+            />
+          </div>
+
+          {error && (
+            <div
+              role="alert"
+              aria-live="assertive"
+              className="px-2 py-1.5 bg-red-950/30 border border-red-800/40 rounded text-[11px] text-bad"
+            >
+              {error}
+            </div>
+          )}
+        </div>
+
+        <div className="flex items-center justify-end gap-2 px-5 py-3 border-t border-line bg-surface/50">
+          <button
+            type="button"
+            onClick={onClose}
+            disabled={saving}
+            className="px-3.5 py-1.5 text-[13px] text-ink-mid hover:text-ink bg-surface-card hover:bg-surface-elevated border border-line hover:border-line-soft rounded-lg transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-accent/40 disabled:opacity-50 disabled:cursor-not-allowed"
+          >
+            Cancel
+          </button>
+          <button
+            type="button"
+            onClick={handleSave}
+            disabled={saving}
+            className="px-3.5 py-1.5 text-[13px] rounded-lg transition-colors bg-accent hover:bg-accent-strong text-white focus:outline-none focus-visible:ring-2 focus-visible:ring-offset-2 focus-visible:ring-offset-surface-sunken focus-visible:ring-accent/60 disabled:opacity-50 disabled:cursor-not-allowed"
+          >
+            {saving ? "Saving…" : isEdit ? "Save changes" : "Add memory"}
+          </button>
+        </div>
+      </div>
+    </div>,
+    document.body,
+  );
+}
diff --git a/canvas/src/components/MemoryInspectorPanel.tsx b/canvas/src/components/MemoryInspectorPanel.tsx
index 1c43f194..086d910c 100644
--- a/canvas/src/components/MemoryInspectorPanel.tsx
+++ b/canvas/src/components/MemoryInspectorPanel.tsx
@@ -3,6 +3,7 @@
 import { useState, useEffect, useCallback } from "react";
 import { api } from "@/lib/api";
 import { ConfirmDialog } from "@/components/ConfirmDialog";
+import { MemoryEditorDialog } from "@/components/MemoryEditorDialog";
 
 // ── Types ─────────────────────────────────────────────────────────────────────
 
@@ -92,6 +93,13 @@ export function MemoryInspectorPanel({ workspaceId }: Props) {
   // ── Delete state ─────────────────────────────────────────────────────────────
   const [pendingDeleteId, setPendingDeleteId] = useState<string | null>(null);
 
+  // ── Editor state (Add + Edit share one modal) ───────────────────────────────
+  type EditorState =
+    | { mode: "add" }
+    | { mode: "edit"; entry: MemoryEntry }
+    | null;
+  const [editorState, setEditorState] = useState<EditorState>(null);
+
   // ── Data loading ────────────────────────────────────────────────────────────
 
   const loadEntries = useCallback(async () => {
@@ -241,14 +249,24 @@ export function MemoryInspectorPanel({ workspaceId }: Props) {
             ? "1 memory"
             : `${entries.length} memories`}
         </span>
-        <button
-          type="button"
-          onClick={loadEntries}
-          className="px-2 py-1 text-[11px] bg-surface-card hover:bg-surface-card text-ink-mid rounded transition-colors"
-          aria-label="Refresh memories"
-        >
-          ↻ Refresh
-        </button>
+        <div className="flex items-center gap-1.5">
+          <button
+            type="button"
+            onClick={() => setEditorState({ mode: "add" })}
+            className="px-2 py-1 text-[11px] bg-accent hover:bg-accent-strong text-white rounded transition-colors"
+            aria-label="Add memory"
+          >
+            + Add
+          </button>
+          <button
+            type="button"
+            onClick={loadEntries}
+            className="px-2 py-1 text-[11px] bg-surface-card hover:bg-surface-card text-ink-mid rounded transition-colors"
+            aria-label="Refresh memories"
+          >
+            ↻ Refresh
+          </button>
+        </div>
       </div>
 
       {/* Error banner */}
@@ -307,6 +325,7 @@ export function MemoryInspectorPanel({ workspaceId }: Props) {
               <MemoryEntryRow
                 key={entry.id}
                 entry={entry}
+                onEdit={() => setEditorState({ mode: "edit", entry })}
                 onDelete={() => setPendingDeleteId(entry.id)}
               />
             ))}
@@ -324,6 +343,29 @@ export function MemoryInspectorPanel({ workspaceId }: Props) {
         onConfirm={confirmDelete}
         onCancel={() => setPendingDeleteId(null)}
       />
+
+      {/* Add / Edit dialog */}
+      {editorState?.mode === "add" && (
+        <MemoryEditorDialog
+          open={true}
+          mode="add"
+          workspaceId={workspaceId}
+          defaultScope={activeScope}
+          defaultNamespace={activeNamespace || "general"}
+          onClose={() => setEditorState(null)}
+          onSaved={loadEntries}
+        />
+      )}
+      {editorState?.mode === "edit" && (
+        <MemoryEditorDialog
+          open={true}
+          mode="edit"
+          workspaceId={workspaceId}
+          entry={editorState.entry}
+          onClose={() => setEditorState(null)}
+          onSaved={loadEntries}
+        />
+      )}
     </div>
   );
 }
@@ -332,10 +374,11 @@ export function MemoryInspectorPanel({ workspaceId }: Props) {
 
 interface MemoryEntryRowProps {
   entry: MemoryEntry;
+  onEdit: () => void;
   onDelete: () => void;
 }
 
-function MemoryEntryRow({ entry, onDelete }: MemoryEntryRowProps) {
+function MemoryEntryRow({ entry, onEdit, onDelete }: MemoryEntryRowProps) {
   const [expanded, setExpanded] = useState(false);
   const bodyId = `mem-body-${sanitizeId(entry.id)}`;
 
@@ -413,17 +456,30 @@ function MemoryEntryRow({ entry, onDelete }: MemoryEntryRowProps) {
             <span className="text-[9px] text-ink-soft">
               Created: {new Date(entry.created_at).toLocaleString()}
             </span>
-            <button
-              type="button"
-              onClick={(e) => {
-                e.stopPropagation();
-                onDelete();
-              }}
-              aria-label="Delete memory"
-              className="text-[10px] px-2 py-0.5 bg-red-950/40 hover:bg-red-900/50 border border-red-900/30 rounded text-bad transition-colors shrink-0"
-            >
-              Delete
-            </button>
+            <div className="flex items-center gap-1.5 shrink-0">
+              <button
+                type="button"
+                onClick={(e) => {
+                  e.stopPropagation();
+                  onEdit();
+                }}
+                aria-label="Edit memory"
+                className="text-[10px] px-2 py-0.5 bg-surface-card hover:bg-surface-elevated border border-line/40 rounded text-ink-mid hover:text-ink transition-colors"
+              >
+                Edit
+              </button>
+              <button
+                type="button"
+                onClick={(e) => {
+                  e.stopPropagation();
+                  onDelete();
+                }}
+                aria-label="Delete memory"
+                className="text-[10px] px-2 py-0.5 bg-red-950/40 hover:bg-red-900/50 border border-red-900/30 rounded text-bad transition-colors"
+              >
+                Delete
+              </button>
+            </div>
           </div>
         </div>
       )}
diff --git a/canvas/src/components/SidePanel.tsx b/canvas/src/components/SidePanel.tsx
index 437aff90..2db6c4a1 100644
--- a/canvas/src/components/SidePanel.tsx
+++ b/canvas/src/components/SidePanel.tsx
@@ -283,7 +283,7 @@ export function SidePanel() {
         {panelTab === "skills" && <SkillsTab key={selectedNodeId} workspaceId={selectedNodeId} data={node.data} />}
         {panelTab === "activity" && <ActivityTab key={selectedNodeId} workspaceId={selectedNodeId} />}
         {panelTab === "chat" && <ChatTab key={selectedNodeId} workspaceId={selectedNodeId} data={node.data} />}
-        {panelTab === "terminal" && <TerminalTab key={selectedNodeId} workspaceId={selectedNodeId} />}
+        {panelTab === "terminal" && <TerminalTab key={selectedNodeId} workspaceId={selectedNodeId} data={node.data} />}
         {panelTab === "config" && <ConfigTab key={selectedNodeId} workspaceId={selectedNodeId} />}
         {panelTab === "schedule" && <ScheduleTab key={selectedNodeId} workspaceId={selectedNodeId} />}
         {panelTab === "channels" && <ChannelsTab key={selectedNodeId} workspaceId={selectedNodeId} />}
diff --git a/canvas/src/components/__tests__/MemoryEditorDialog.test.tsx b/canvas/src/components/__tests__/MemoryEditorDialog.test.tsx
new file mode 100644
index 00000000..436bc649
--- /dev/null
+++ b/canvas/src/components/__tests__/MemoryEditorDialog.test.tsx
@@ -0,0 +1,202 @@
+// @vitest-environment jsdom
+/**
+ * MemoryEditorDialog tests — covers Add (POST /memories) and Edit
+ * (PATCH /memories/:id) flows. Pins:
+ *   - Add posts {content, scope, namespace} with the trimmed defaults
+ *   - Edit only sends fields that changed (no-op edit short-circuits, no PATCH fires)
+ *   - Empty content blocks save
+ *   - Save error surfaces in the dialog and keeps the modal open
+ */
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+import { render, screen, fireEvent, waitFor, cleanup } from "@testing-library/react";
+
+vi.mock("@/lib/api", () => ({
+  api: {
+    get: vi.fn(),
+    post: vi.fn(),
+    patch: vi.fn(),
+    del: vi.fn(),
+  },
+}));
+
+import { api } from "@/lib/api";
+import { MemoryEditorDialog } from "../MemoryEditorDialog";
+import type { MemoryEntry } from "../MemoryInspectorPanel";
+
+const mockPost = vi.mocked(api.post);
+const mockPatch = vi.mocked(api.patch);
+
+const SAMPLE: MemoryEntry = {
+  id: "mem-x",
+  workspace_id: "ws-1",
+  content: "original content",
+  scope: "TEAM",
+  namespace: "procedures",
+  created_at: "2026-04-17T12:00:00.000Z",
+};
+
+beforeEach(() => {
+  vi.clearAllMocks();
+  mockPost.mockResolvedValue({} as never);
+  mockPatch.mockResolvedValue({} as never);
+});
+
+afterEach(() => {
+  cleanup();
+});
+
+describe("Add mode", () => {
+  it("POSTs scope+namespace+trimmed-content and calls onSaved+onClose", async () => {
+    const onClose = vi.fn();
+    const onSaved = vi.fn();
+    render(
+      <MemoryEditorDialog
+        open
+        mode="add"
+        workspaceId="ws-1"
+        defaultScope="GLOBAL"
+        defaultNamespace="facts"
+        onClose={onClose}
+        onSaved={onSaved}
+      />,
+    );
+
+    const textarea = screen.getByLabelText(/Content/i) as HTMLTextAreaElement;
+    fireEvent.change(textarea, { target: { value: "  new fact  " } });
+
+    fireEvent.click(screen.getByRole("button", { name: /Add memory$/i }));
+
+    await waitFor(() => expect(mockPost).toHaveBeenCalledTimes(1));
+    expect(mockPost).toHaveBeenCalledWith("/workspaces/ws-1/memories", {
+      content: "new fact",
+      scope: "GLOBAL",
+      namespace: "facts",
+    });
+    expect(onSaved).toHaveBeenCalledTimes(1);
+    expect(onClose).toHaveBeenCalledTimes(1);
+  });
+
+  it("blocks save when content is empty (whitespace-only)", () => {
+    const onClose = vi.fn();
+    const onSaved = vi.fn();
+    render(
+      <MemoryEditorDialog
+        open
+        mode="add"
+        workspaceId="ws-1"
+        defaultScope="LOCAL"
+        onClose={onClose}
+        onSaved={onSaved}
+      />,
+    );
+    const textarea = screen.getByLabelText(/Content/i) as HTMLTextAreaElement;
+    fireEvent.change(textarea, { target: { value: "   " } });
+    fireEvent.click(screen.getByRole("button", { name: /Add memory$/i }));
+    expect(mockPost).not.toHaveBeenCalled();
+    expect(screen.getByRole("alert").textContent).toMatch(/empty/i);
+    expect(onSaved).not.toHaveBeenCalled();
+    expect(onClose).not.toHaveBeenCalled();
+  });
+});
+
+describe("Edit mode", () => {
+  it("PATCHes only changed fields", async () => {
+    const onClose = vi.fn();
+    const onSaved = vi.fn();
+    render(
+      <MemoryEditorDialog
+        open
+        mode="edit"
+        workspaceId="ws-1"
+        entry={SAMPLE}
+        onClose={onClose}
+        onSaved={onSaved}
+      />,
+    );
+
+    const textarea = screen.getByLabelText(/Content/i) as HTMLTextAreaElement;
+    fireEvent.change(textarea, { target: { value: "rewritten content" } });
+    // namespace untouched
+
+    fireEvent.click(screen.getByRole("button", { name: /Save changes/i }));
+
+    await waitFor(() => expect(mockPatch).toHaveBeenCalledTimes(1));
+    expect(mockPatch).toHaveBeenCalledWith(
+      "/workspaces/ws-1/memories/mem-x",
+      { content: "rewritten content" },
+    );
+    expect(onSaved).toHaveBeenCalledTimes(1);
+    expect(onClose).toHaveBeenCalledTimes(1);
+  });
+
+  it("no-op edit short-circuits (no PATCH fires) and still closes", async () => {
+    const onClose = vi.fn();
+    const onSaved = vi.fn();
+    render(
+      <MemoryEditorDialog
+        open
+        mode="edit"
+        workspaceId="ws-1"
+        entry={SAMPLE}
+        onClose={onClose}
+        onSaved={onSaved}
+      />,
+    );
+    fireEvent.click(screen.getByRole("button", { name: /Save changes/i }));
+    await waitFor(() => expect(onClose).toHaveBeenCalled());
+    expect(mockPatch).not.toHaveBeenCalled();
+    expect(onSaved).toHaveBeenCalledTimes(1);
+  });
+
+  it("sends namespace too when both content and namespace changed", async () => {
+    const onClose = vi.fn();
+    const onSaved = vi.fn();
+    render(
+      <MemoryEditorDialog
+        open
+        mode="edit"
+        workspaceId="ws-1"
+        entry={SAMPLE}
+        onClose={onClose}
+        onSaved={onSaved}
+      />,
+    );
+    fireEvent.change(screen.getByLabelText(/Content/i), {
+      target: { value: "newer content" },
+    });
+    fireEvent.change(screen.getByLabelText(/Namespace/i), {
+      target: { value: "blockers" },
+    });
+    fireEvent.click(screen.getByRole("button", { name: /Save changes/i }));
+    await waitFor(() => expect(mockPatch).toHaveBeenCalledTimes(1));
+    expect(mockPatch).toHaveBeenCalledWith(
+      "/workspaces/ws-1/memories/mem-x",
+      { content: "newer content", namespace: "blockers" },
+    );
+  });
+
+  it("surfaces save error and keeps the modal open", async () => {
+    const onClose = vi.fn();
+    const onSaved = vi.fn();
+    mockPatch.mockRejectedValueOnce(new Error("boom"));
+    render(
+      <MemoryEditorDialog
+        open
+        mode="edit"
+        workspaceId="ws-1"
+        entry={SAMPLE}
+        onClose={onClose}
+        onSaved={onSaved}
+      />,
+    );
+    fireEvent.change(screen.getByLabelText(/Content/i), {
+      target: { value: "rewritten content" },
+    });
+    fireEvent.click(screen.getByRole("button", { name: /Save changes/i }));
+    await waitFor(() =>
+      expect(screen.getByRole("alert").textContent).toMatch(/boom/),
+    );
+    expect(onClose).not.toHaveBeenCalled();
+    expect(onSaved).not.toHaveBeenCalled();
+  });
+});
diff --git a/canvas/src/components/tabs/ConfigTab.tsx b/canvas/src/components/tabs/ConfigTab.tsx
index fdb8eb38..4e1bfbbf 100644
--- a/canvas/src/components/tabs/ConfigTab.tsx
+++ b/canvas/src/components/tabs/ConfigTab.tsx
@@ -6,6 +6,7 @@ import { useCanvasStore } from "@/store/canvas";
 import { type ConfigData, DEFAULT_CONFIG, TextInput, NumberInput, Toggle, TagList, Section } from "./config/form-inputs";
 import { parseYaml, toYaml } from "./config/yaml-utils";
 import { SecretsSection } from "./config/secrets-section";
+import { ExternalConnectionSection } from "./ExternalConnectionSection";
 import {
   ProviderModelSelector,
   buildProviderCatalog,
@@ -886,10 +887,24 @@ export function ConfigTab({ workspaceId }: Props) {
             </Section>
           )}
 
-          <Section title="Skills & Tools" defaultOpen={false}>
-            <TagList label="Skills" values={config.skills || []} onChange={(v) => update("skills", v)} placeholder="e.g. code-review" />
-            <TagList label="Tools" values={config.tools || []} onChange={(v) => update("tools", v)} placeholder="e.g. web_search, filesystem" />
-            <TagList label="Prompt Files" values={config.prompt_files || []} onChange={(v) => update("prompt_files", v)} placeholder="e.g. system-prompt.md" />
+          {/* Skills + Tools used to live here as TagList inputs. They were
+              redundant with their dedicated tabs:
+              - Skills → managed via SkillsTab (per-workspace skill folders)
+              - Tools  → managed via the Plugins tab (install/uninstall)
+              Editing them here only set the config.yaml field; the
+              actual install/load happened elsewhere. Removed to stop
+              showing the misnamed list-input affordance. */}
+
+          <Section title="Prompt Files" defaultOpen={false}>
+            <p className="text-[10px] text-ink-soft px-1 pb-1">
+              Markdown files that compose this workspace&apos;s system prompt.
+              Loaded in order at boot from the workspace config dir
+              (e.g. <code className="font-mono">system-prompt.md</code>,{' '}
+              <code className="font-mono">CLAUDE.md</code>,{' '}
+              <code className="font-mono">AGENTS.md</code>). Edit the file
+              contents directly via the Files tab.
+            </p>
+            <TagList label="Files (load order)" values={config.prompt_files || []} onChange={(v) => update("prompt_files", v)} placeholder="e.g. system-prompt.md" />
           </Section>
 
           <Section title="A2A Protocol" defaultOpen={false}>
@@ -946,6 +961,9 @@ export function ConfigTab({ workspaceId }: Props) {
             : "This runtime manages its own config outside the platform template."}
         </div>
       )}
+      {!error && config.runtime === "external" && (
+        <ExternalConnectionSection workspaceId={workspaceId} />
+      )}
       {success && (
         <div className="mx-3 mb-2 px-3 py-1.5 bg-green-900/30 border border-green-800 rounded text-xs text-good">Saved</div>
       )}
diff --git a/canvas/src/components/tabs/ExternalConnectionSection.tsx b/canvas/src/components/tabs/ExternalConnectionSection.tsx
new file mode 100644
index 00000000..42dfca08
--- /dev/null
+++ b/canvas/src/components/tabs/ExternalConnectionSection.tsx
@@ -0,0 +1,146 @@
+'use client';
+
+// ExternalConnectionSection — credential lifecycle controls for runtime=external
+// workspaces. Surfaced inside ConfigTab when the workspace's runtime is
+// "external"; ignored for hermes/claude-code/etc. (those have their own
+// restart-mints-token path).
+//
+// Two affordances:
+//
+//   1. "Show connection info" (read-only)
+//        Fetches GET /workspaces/:id/external/connection. Returns the
+//        connect block (PLATFORM_URL, WORKSPACE_ID, all 7 snippets) WITH
+//        auth_token="". The modal masks the token field and labels it
+//        "rotate to reveal a new token — current token is unrecoverable".
+//
+//   2. "Rotate credentials" (destructive)
+//        POST /workspaces/:id/external/rotate. Revokes any prior live
+//        tokens, mints a fresh one, returns the same connect block with
+//        auth_token populated. Old credentials stop working IMMEDIATELY —
+//        the previously-paired agent will fail auth on its next heartbeat.
+//        Confirm dialog explains this before firing.
+//
+// Reuses the existing ExternalConnectModal so the snippet UX is the
+// same as on Create — operators don't have to learn a second modal.
+
+import { useState } from "react";
+import * as Dialog from "@radix-ui/react-dialog";
+
+import { api } from "@/lib/api";
+import {
+  ExternalConnectModal,
+  type ExternalConnectionInfo,
+} from "../ExternalConnectModal";
+
+interface Props {
+  workspaceId: string;
+}
+
+export function ExternalConnectionSection({ workspaceId }: Props) {
+  const [info, setInfo] = useState<ExternalConnectionInfo | null>(null);
+  const [busy, setBusy] = useState<"show" | "rotate" | null>(null);
+  const [confirmRotate, setConfirmRotate] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+
+  async function showConnection() {
+    setError(null);
+    setBusy("show");
+    try {
+      const resp = await api.get<{ connection: ExternalConnectionInfo }>(
+        `/workspaces/${workspaceId}/external/connection`,
+      );
+      setInfo(resp.connection);
+    } catch (e) {
+      setError(e instanceof Error ? e.message : String(e));
+    } finally {
+      setBusy(null);
+    }
+  }
+
+  async function doRotate() {
+    setError(null);
+    setBusy("rotate");
+    setConfirmRotate(false);
+    try {
+      const resp = await api.post<{ connection: ExternalConnectionInfo }>(
+        `/workspaces/${workspaceId}/external/rotate`,
+        {},
+      );
+      setInfo(resp.connection);
+    } catch (e) {
+      setError(e instanceof Error ? e.message : String(e));
+    } finally {
+      setBusy(null);
+    }
+  }
+
+  return (
+    <div className="mx-3 mt-3 p-3 bg-surface-sunken/50 border border-line rounded">
+      <h3 className="text-xs text-ink-mid font-medium mb-1">External Connection</h3>
+      <p className="text-[10px] text-ink-soft mb-2">
+        This workspace runs an external agent. Use these controls to
+        re-show the setup snippets or rotate the workspace token.
+      </p>
+
+      <div className="flex gap-2 flex-wrap">
+        <button
+          type="button"
+          onClick={showConnection}
+          disabled={busy !== null}
+          className="px-3 py-1.5 bg-surface-card hover:bg-surface-card text-xs rounded text-ink-mid disabled:opacity-30 transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-accent/60"
+        >
+          {busy === "show" ? "Loading…" : "Show connection info"}
+        </button>
+        <button
+          type="button"
+          onClick={() => setConfirmRotate(true)}
+          disabled={busy !== null}
+          className="px-3 py-1.5 bg-red-900/30 hover:bg-red-900/50 border border-red-800/60 text-xs rounded text-bad disabled:opacity-30 transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-red-600/60"
+        >
+          {busy === "rotate" ? "Rotating…" : "Rotate credentials"}
+        </button>
+      </div>
+
+      {error && (
+        <div className="mt-2 px-2 py-1 bg-red-900/30 border border-red-800 rounded text-[10px] text-bad">
+          {error}
+        </div>
+      )}
+
+      <Dialog.Root open={confirmRotate} onOpenChange={setConfirmRotate}>
+        <Dialog.Portal>
+          <Dialog.Overlay className="fixed inset-0 bg-black/60 z-50" />
+          <Dialog.Content className="fixed left-1/2 top-1/2 z-50 w-[min(440px,92vw)] -translate-x-1/2 -translate-y-1/2 rounded-xl bg-surface-sunken border border-line p-5 shadow-2xl">
+            <Dialog.Title className="text-sm font-medium text-ink mb-2">
+              Rotate workspace credentials?
+            </Dialog.Title>
+            <Dialog.Description className="text-xs text-ink-mid mb-4 leading-relaxed">
+              This will mint a new <code className="font-mono">workspace_auth_token</code> and{' '}
+              <strong>immediately invalidate the current one</strong>. Your external
+              agent will start failing authentication on its next heartbeat
+              until you redeploy it with the new token.
+            </Dialog.Description>
+            <div className="flex justify-end gap-2">
+              <button
+                type="button"
+                onClick={() => setConfirmRotate(false)}
+                className="px-3 py-1.5 bg-surface-card text-xs rounded text-ink-mid"
+              >
+                Cancel
+              </button>
+              <button
+                type="button"
+                onClick={doRotate}
+                className="px-3 py-1.5 bg-red-700 hover:bg-red-600 text-xs rounded text-white"
+              >
+                Rotate
+              </button>
+            </div>
+          </Dialog.Content>
+        </Dialog.Portal>
+      </Dialog.Root>
+
+      <ExternalConnectModal info={info} onClose={() => setInfo(null)} />
+    </div>
+  );
+}
diff --git a/canvas/src/components/tabs/TerminalTab.tsx b/canvas/src/components/tabs/TerminalTab.tsx
index 1c2c2027..43fc8e04 100644
--- a/canvas/src/components/tabs/TerminalTab.tsx
+++ b/canvas/src/components/tabs/TerminalTab.tsx
@@ -1,16 +1,105 @@
 "use client";
 
 import { useEffect, useRef, useState, useCallback } from "react";
+import type { WorkspaceNodeData } from "@/store/canvas";
 
 interface Props {
   workspaceId: string;
+  /** Workspace metadata from the canvas store. Optional for back-compat
+   *  with any caller that still mounts <TerminalTab workspaceId=... />
+   *  without threading data through (e.g. tests). When present, the
+   *  runtime field gates the early-return below. */
+  data?: WorkspaceNodeData;
 }
 
 import { deriveWsBaseUrl } from "@/lib/ws-url";
 
 const WS_URL = deriveWsBaseUrl();
 
-export function TerminalTab({ workspaceId }: Props) {
+/**
+ * NotAvailablePanel — full-tab placeholder with a big terminal-off icon
+ * for runtimes that don't expose a TTY (e.g. external workspaces, where
+ * the platform doesn't own the process). Pre-fix the tab tried to open
+ * a WebSocket against /ws/terminal/<id> for these workspaces, the server
+ * 404'd, and the user saw "Connection failed" — which reads as a bug,
+ * not as "this runtime intentionally has no shell". This banner makes
+ * the absence intentional.
+ */
+function NotAvailablePanel({ runtime }: { runtime: string }) {
+  return (
+    <div className="flex flex-col items-center justify-center h-full p-8 text-center bg-surface-sunken/30">
+      {/* Big terminal-off icon — bracket "[_]" with a slash through it.
+          Custom inline SVG so we don't depend on an icon set being
+          present at canvas build-time. */}
+      <svg
+        width="72"
+        height="72"
+        viewBox="0 0 72 72"
+        fill="none"
+        aria-hidden="true"
+        className="text-ink-soft mb-4"
+      >
+        <rect
+          x="10"
+          y="14"
+          width="52"
+          height="44"
+          rx="4"
+          stroke="currentColor"
+          strokeWidth="2.5"
+          fill="none"
+          opacity="0.6"
+        />
+        <path
+          d="M22 30 L30 36 L22 42"
+          stroke="currentColor"
+          strokeWidth="2.5"
+          strokeLinecap="round"
+          strokeLinejoin="round"
+          opacity="0.7"
+        />
+        <path
+          d="M34 44 L44 44"
+          stroke="currentColor"
+          strokeWidth="2.5"
+          strokeLinecap="round"
+          opacity="0.7"
+        />
+        {/* Diagonal cancel slash */}
+        <path
+          d="M14 14 L58 58"
+          stroke="currentColor"
+          strokeWidth="3"
+          strokeLinecap="round"
+        />
+      </svg>
+      <h3 className="text-sm font-medium text-ink mb-1.5">Terminal not available</h3>
+      <p className="text-[11px] text-ink-soft max-w-xs leading-relaxed">
+        This workspace runs the{" "}
+        <span className="font-mono text-ink-mid">{runtime}</span> runtime,
+        which doesn't expose a shell. Use the Chat tab to interact with the
+        agent directly.
+      </p>
+    </div>
+  );
+}
+
+/** Runtimes that don't expose a TTY. Keep narrow — only add a runtime
+ *  here when its provisioner genuinely has no shell endpoint, otherwise
+ *  the user loses access to a real debugging surface. */
+const RUNTIMES_WITHOUT_TERMINAL = new Set(["external"]);
+
+export function TerminalTab({ workspaceId, data }: Props) {
+  // Early-return for runtimes that have no shell. Skips the entire
+  // xterm + WebSocket dance below — without this, mounting the tab
+  // for an external workspace pops the WS, gets a 404 from the
+  // workspace-server (no /ws/terminal/<id> route registered for it),
+  // and shows "Connection failed" with a Reconnect button — confusing
+  // because the workspace IS healthy, just doesn't have a TTY.
+  if (data && RUNTIMES_WITHOUT_TERMINAL.has(data.runtime)) {
+    return <NotAvailablePanel runtime={data.runtime} />;
+  }
+
   const containerRef = useRef<HTMLDivElement>(null);
   const termRef = useRef<{ dispose: () => void } | null>(null);
   const wsRef = useRef<WebSocket | null>(null);
diff --git a/canvas/src/components/tabs/__tests__/ConfigTab.sections.test.tsx b/canvas/src/components/tabs/__tests__/ConfigTab.sections.test.tsx
new file mode 100644
index 00000000..2e083fb3
--- /dev/null
+++ b/canvas/src/components/tabs/__tests__/ConfigTab.sections.test.tsx
@@ -0,0 +1,125 @@
+// @vitest-environment jsdom
+//
+// Regression tests for the ConfigTab section restructure (user feedback
+// 2026-05-04: "Skills and Tools are having their own tab as plugin, and
+// Prompt Files are in the file system which can be directly edited. Am
+// I missing something?" + "Tools should be merged into plugin then, and
+// for prompt files... should be in another section than in skill& tools").
+//
+// What this pins:
+//   1. The "Skills & Tools" section title is gone.
+//   2. Editable Skills + Tools tag inputs are gone (managed elsewhere).
+//   3. A dedicated "Prompt Files" section exists with explanatory text.
+//
+// If a future PR re-adds the Skills/Tools tag inputs to ConfigTab, this
+// suite catches it.
+
+import { describe, it, expect, vi, afterEach, beforeEach } from "vitest";
+import { render, screen, cleanup, waitFor, fireEvent } from "@testing-library/react";
+import React from "react";
+
+afterEach(cleanup);
+
+const apiGet = vi.fn();
+vi.mock("@/lib/api", () => ({
+  api: {
+    get: (path: string) => apiGet(path),
+    patch: vi.fn(),
+    put: vi.fn(),
+    post: vi.fn(),
+    del: vi.fn(),
+  },
+}));
+
+const storeUpdateNodeData = vi.fn();
+const storeRestartWorkspace = vi.fn();
+vi.mock("@/store/canvas", () => ({
+  useCanvasStore: Object.assign(
+    (selector: (s: unknown) => unknown) =>
+      selector({ restartWorkspace: storeRestartWorkspace, updateNodeData: storeUpdateNodeData }),
+    {
+      getState: () => ({
+        restartWorkspace: storeRestartWorkspace,
+        updateNodeData: storeUpdateNodeData,
+      }),
+    },
+  ),
+}));
+
+vi.mock("../AgentCardSection", () => ({
+  AgentCardSection: () => <div data-testid="agent-card-stub" />,
+}));
+
+import { ConfigTab } from "../ConfigTab";
+
+beforeEach(() => {
+  apiGet.mockReset();
+  apiGet.mockImplementation((path: string) => {
+    if (path === `/workspaces/ws-test`) {
+      return Promise.resolve({ runtime: "claude-code" });
+    }
+    if (path === `/workspaces/ws-test/model`) {
+      return Promise.resolve({ model: "claude-opus-4-7" });
+    }
+    if (path === `/workspaces/ws-test/provider`) {
+      return Promise.resolve({ provider: "anthropic-oauth", source: "default" });
+    }
+    if (path === `/workspaces/ws-test/files/config.yaml`) {
+      return Promise.resolve({ content: "name: test\nruntime: claude-code\n" });
+    }
+    if (path === "/templates") {
+      return Promise.resolve([
+        { id: "claude-code", name: "Claude Code", runtime: "claude-code", providers: [] },
+      ]);
+    }
+    return Promise.reject(new Error(`unmocked api.get: ${path}`));
+  });
+});
+
+describe("ConfigTab section restructure", () => {
+  it("does not render a 'Skills & Tools' section title", async () => {
+    render(<ConfigTab workspaceId="ws-test" />);
+    await waitFor(() => expect(apiGet).toHaveBeenCalled());
+    // Section button uses the title as its accessible name; should be absent.
+    expect(screen.queryByRole("button", { name: /Skills\s*&\s*Tools/i })).toBeNull();
+  });
+
+  it("does not render an editable Skills tag input", async () => {
+    render(<ConfigTab workspaceId="ws-test" />);
+    await waitFor(() => expect(apiGet).toHaveBeenCalled());
+    // TagList renders its label; check no input labelled "Skills" in the form.
+    // (Skills are managed via the dedicated Skills tab.)
+    const skillsLabels = screen
+      .queryAllByText(/^Skills$/)
+      .filter((el) => el.tagName.toLowerCase() === "label");
+    expect(skillsLabels).toHaveLength(0);
+  });
+
+  it("does not render an editable Tools tag input", async () => {
+    render(<ConfigTab workspaceId="ws-test" />);
+    await waitFor(() => expect(apiGet).toHaveBeenCalled());
+    // Tools are managed via the Plugins tab — install a plugin → its tools
+    // become available. No reason to type tool names here.
+    const toolsLabels = screen
+      .queryAllByText(/^Tools$/)
+      .filter((el) => el.tagName.toLowerCase() === "label");
+    expect(toolsLabels).toHaveLength(0);
+  });
+
+  it("renders a dedicated 'Prompt Files' section with explanatory copy", async () => {
+    render(<ConfigTab workspaceId="ws-test" />);
+    await waitFor(() => expect(apiGet).toHaveBeenCalled());
+    // Section is collapsed by default — find + expand first.
+    const sectionButton = screen.getByRole("button", { name: /Prompt Files/i });
+    expect(sectionButton).toBeTruthy();
+    fireEvent.click(sectionButton);
+    // Explanatory copy mentions system-prompt.md (split across <code> tags
+    // so use textContent on any element rather than the default text matcher).
+    await waitFor(() => {
+      const matches = screen.queryAllByText((_, el) =>
+        (el?.textContent || "").includes("system-prompt.md"),
+      );
+      expect(matches.length).toBeGreaterThan(0);
+    });
+  });
+});
diff --git a/canvas/src/components/tabs/__tests__/ExternalConnectionSection.test.tsx b/canvas/src/components/tabs/__tests__/ExternalConnectionSection.test.tsx
new file mode 100644
index 00000000..d54eb933
--- /dev/null
+++ b/canvas/src/components/tabs/__tests__/ExternalConnectionSection.test.tsx
@@ -0,0 +1,156 @@
+// @vitest-environment jsdom
+//
+// ExternalConnectionSection — coverage for the credential-rotate +
+// re-show-instructions UI on the Config tab.
+//
+// What this pins:
+//   1. "Show connection info" → GET /external/connection, opens modal
+//      with auth_token=""
+//   2. "Rotate credentials" → confirm dialog → POST /external/rotate,
+//      opens modal with the returned auth_token
+//   3. Confirm dialog cancels without firing the POST
+//   4. API failure surfaces an error chip (no silent loss)
+
+import { describe, it, expect, vi, afterEach, beforeEach } from "vitest";
+import {
+  render,
+  screen,
+  cleanup,
+  fireEvent,
+  waitFor,
+} from "@testing-library/react";
+import React from "react";
+
+afterEach(cleanup);
+
+const apiGet = vi.fn();
+const apiPost = vi.fn();
+vi.mock("@/lib/api", () => ({
+  api: {
+    get: (path: string) => apiGet(path),
+    post: (path: string, body?: unknown) => apiPost(path, body),
+    patch: vi.fn(),
+    put: vi.fn(),
+    del: vi.fn(),
+  },
+}));
+
+import { ExternalConnectionSection } from "../ExternalConnectionSection";
+
+beforeEach(() => {
+  apiGet.mockReset();
+  apiPost.mockReset();
+});
+
+const SAMPLE_INFO = {
+  workspace_id: "ws-test",
+  platform_url: "https://platform.example.test",
+  auth_token: "",
+  registry_endpoint: "https://platform.example.test/registry/register",
+  heartbeat_endpoint: "https://platform.example.test/registry/heartbeat",
+  // The modal stamps these snippets server-side; for the test we
+  // bake workspace_id into one so the rendered DOM contains a
+  // findable token after the modal mounts.
+  curl_register_template: "# curl ws=ws-test",
+  python_snippet: "# py ws=ws-test",
+  claude_code_channel_snippet: "# claude ws=ws-test",
+  universal_mcp_snippet: "# mcp ws=ws-test",
+  hermes_channel_snippet: "# hermes ws=ws-test",
+  codex_snippet: "# codex ws=ws-test",
+  openclaw_snippet: "# openclaw ws=ws-test",
+};
+
+describe("ExternalConnectionSection", () => {
+  it("renders both action buttons", () => {
+    render(<ExternalConnectionSection workspaceId="ws-test" />);
+    expect(screen.getByRole("button", { name: /show connection info/i })).toBeTruthy();
+    expect(screen.getByRole("button", { name: /rotate credentials/i })).toBeTruthy();
+  });
+
+  it("'Show connection info' calls GET /external/connection and opens modal with blank token", async () => {
+    apiGet.mockResolvedValue({ connection: { ...SAMPLE_INFO, auth_token: "" } });
+    render(<ExternalConnectionSection workspaceId="ws-test" />);
+
+    fireEvent.click(screen.getByRole("button", { name: /show connection info/i }));
+
+    await waitFor(() =>
+      expect(apiGet).toHaveBeenCalledWith("/workspaces/ws-test/external/connection"),
+    );
+    // The ExternalConnectModal renders the workspace_id field in its
+    // copy-block. document.body covers Radix's portal mount point.
+    await waitFor(() => {
+      expect(document.body.textContent || "").toContain("ws-test");
+    });
+  });
+
+  it("'Rotate credentials' opens confirm dialog before firing POST", async () => {
+    render(<ExternalConnectionSection workspaceId="ws-test" />);
+    fireEvent.click(screen.getByRole("button", { name: /rotate credentials/i }));
+
+    // Confirm dialog appears with the destructive copy.
+    await waitFor(() => {
+      expect(
+        screen.getByText(/Rotate workspace credentials\?/i),
+      ).toBeTruthy();
+    });
+    expect(screen.getByText(/immediately invalidate the current one/i)).toBeTruthy();
+
+    // POST must NOT have fired yet — only on confirm.
+    expect(apiPost).not.toHaveBeenCalled();
+  });
+
+  it("Cancel in confirm dialog dismisses without rotating", async () => {
+    render(<ExternalConnectionSection workspaceId="ws-test" />);
+    fireEvent.click(screen.getByRole("button", { name: /rotate credentials/i }));
+
+    await waitFor(() =>
+      expect(screen.getByText(/Rotate workspace credentials\?/i)).toBeTruthy(),
+    );
+    fireEvent.click(screen.getByRole("button", { name: /^cancel$/i }));
+
+    await waitFor(() =>
+      expect(screen.queryByText(/Rotate workspace credentials\?/i)).toBeNull(),
+    );
+    expect(apiPost).not.toHaveBeenCalled();
+  });
+
+  it("Confirm in dialog POSTs to /external/rotate and opens modal with returned token", async () => {
+    apiPost.mockResolvedValue({
+      connection: { ...SAMPLE_INFO, auth_token: "fresh-tok-123" },
+    });
+    render(<ExternalConnectionSection workspaceId="ws-test" />);
+
+    fireEvent.click(screen.getByRole("button", { name: /rotate credentials/i }));
+    await waitFor(() =>
+      expect(screen.getByText(/Rotate workspace credentials\?/i)).toBeTruthy(),
+    );
+    // Click the dialog's Rotate button (NOT the section's — the section's
+    // "Rotate credentials" stays mounted; the dialog's "Rotate" is the
+    // commit button. getAllByRole returns both; pick the one inside the
+    // dialog by name "Rotate" exact-match).
+    const rotateBtns = screen.getAllByRole("button", { name: /^rotate$/i });
+    expect(rotateBtns.length).toBeGreaterThanOrEqual(1);
+    fireEvent.click(rotateBtns[rotateBtns.length - 1]);
+
+    await waitFor(() =>
+      expect(apiPost).toHaveBeenCalledWith(
+        "/workspaces/ws-test/external/rotate",
+        {},
+      ),
+    );
+  });
+
+  it("Surfaces API errors as a visible chip, not silent loss", async () => {
+    apiGet.mockRejectedValue(new Error("forbidden"));
+    render(<ExternalConnectionSection workspaceId="ws-test" />);
+
+    fireEvent.click(screen.getByRole("button", { name: /show connection info/i }));
+
+    await waitFor(() => {
+      const matches = screen.queryAllByText((_, el) =>
+        (el?.textContent || "").toLowerCase().includes("forbidden"),
+      );
+      expect(matches.length).toBeGreaterThan(0);
+    });
+  });
+});
diff --git a/canvas/src/components/tabs/__tests__/TerminalTab.notAvailable.test.tsx b/canvas/src/components/tabs/__tests__/TerminalTab.notAvailable.test.tsx
new file mode 100644
index 00000000..df955a46
--- /dev/null
+++ b/canvas/src/components/tabs/__tests__/TerminalTab.notAvailable.test.tsx
@@ -0,0 +1,107 @@
+// @vitest-environment jsdom
+//
+// Pins the "Terminal not available" early-return added 2026-05-05.
+//
+// Pre-fix: TerminalTab tried to open /ws/terminal/<id> for every
+// workspace including external runtimes (which have no shell endpoint).
+// The server returned 404, status flipped to "error", user saw
+// "Connection failed" with a Reconnect button — reading as a bug
+// when really the runtime intentionally has no TTY. Now: when
+// data.runtime is in RUNTIMES_WITHOUT_TERMINAL, render a banner +
+// big icon instead of mounting xterm/WS.
+//
+// Pinned branches:
+//   1. external runtime → "Terminal not available" banner renders,
+//      runtime name surfaces in the body so the user knows WHY.
+//   2. external runtime → xterm + WebSocket are NOT initialised.
+//      Verified by checking the global WebSocket constructor isn't
+//      called.
+//   3. claude-code (or any other runtime) → no banner, normal mount
+//      proceeds. Pre-fix regression cover.
+//   4. data prop omitted (back-compat with any caller that doesn't
+//      thread it through) → no early-return, falls through to normal
+//      mount. Tested via the absence of the banner.
+
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+import { render, screen, cleanup } from "@testing-library/react";
+import React from "react";
+
+afterEach(cleanup);
+
+// xterm + addon-fit are dynamically imported by TerminalTab. Stub them
+// so the tests don't pull a 200KB+ dependency just to verify the
+// not-available banner. The stubs only matter for the non-banner
+// branches; the banner returns BEFORE the dynamic import.
+vi.mock("xterm", () => ({
+  Terminal: vi.fn().mockImplementation(() => ({
+    loadAddon: vi.fn(),
+    open: vi.fn(),
+    onData: vi.fn(),
+    write: vi.fn(),
+    dispose: vi.fn(),
+    onResize: vi.fn(),
+    cols: 80,
+    rows: 24,
+  })),
+}));
+vi.mock("@xterm/addon-fit", () => ({
+  FitAddon: vi.fn().mockImplementation(() => ({
+    fit: vi.fn(),
+  })),
+}));
+
+// Track WebSocket constructor calls — this is the load-bearing
+// assertion for "external doesn't even try to connect".
+let wsConstructed = 0;
+beforeEach(() => {
+  wsConstructed = 0;
+  (globalThis as unknown as { WebSocket: unknown }).WebSocket = vi
+    .fn()
+    .mockImplementation(() => {
+      wsConstructed++;
+      return {
+        addEventListener: vi.fn(),
+        removeEventListener: vi.fn(),
+        send: vi.fn(),
+        close: vi.fn(),
+        readyState: 0,
+      };
+    });
+});
+
+import { TerminalTab } from "../TerminalTab";
+
+const externalData = { runtime: "external", status: "online" } as unknown as Parameters<
+  typeof TerminalTab
+>[0]["data"];
+
+const claudeData = { runtime: "claude-code", status: "online" } as unknown as Parameters<
+  typeof TerminalTab
+>[0]["data"];
+
+describe("TerminalTab not-available early-return for runtimes without TTY", () => {
+  it("external runtime renders the not-available banner with runtime name", () => {
+    render(<TerminalTab workspaceId="ws-ext" data={externalData} />);
+    expect(screen.getByText(/Terminal not available/i)).not.toBeNull();
+    // Runtime name surfaces so user knows WHY there's no terminal.
+    expect(screen.getByText(/external/)).not.toBeNull();
+  });
+
+  it("external runtime does NOT open a WebSocket", async () => {
+    render(<TerminalTab workspaceId="ws-ext" data={externalData} />);
+    // Wait a tick for any deferred init (there shouldn't be any, but
+    // tolerate a microtask boundary).
+    await new Promise((r) => setTimeout(r, 0));
+    expect(wsConstructed).toBe(0);
+  });
+
+  it("claude-code runtime does NOT render the banner (normal mount)", () => {
+    render(<TerminalTab workspaceId="ws-claude" data={claudeData} />);
+    expect(screen.queryByText(/Terminal not available/i)).toBeNull();
+  });
+
+  it("data prop omitted falls through to normal mount (back-compat)", () => {
+    render(<TerminalTab workspaceId="ws-no-data" />);
+    expect(screen.queryByText(/Terminal not available/i)).toBeNull();
+  });
+});
diff --git a/docs/architecture/backends.md b/docs/architecture/backends.md
index ce01b247..0d5ba827 100644
--- a/docs/architecture/backends.md
+++ b/docs/architecture/backends.md
@@ -2,7 +2,7 @@
 
 **Status:** living document — update when you ship a feature that touches one backend.
 **Owner:** workspace-server + controlplane teams.
-**Last audit:** 2026-05-02 (Claude agent, PR #TBD).
+**Last audit:** 2026-05-05 (Claude agent — `provisionWorkspaceAuto` / `StopWorkspaceAuto` / `HasProvisioner` SoT pattern landed in PRs #2811 + #2824).
 
 ## Why this exists
 
@@ -15,16 +15,39 @@ Every user-visible workspace feature should work on both backends unless it is f
 
 This document is the canonical matrix. If you are landing a workspace-facing feature, update the row before you merge.
 
+## How to dispatch (the SoT pattern)
+
+When a handler needs to start, stop, or check whether-something-can-run a workspace, it MUST go through the centralized dispatcher on `WorkspaceHandler`:
+
+| Need | Use | Source |
+|---|---|---|
+| Start a workspace | `provisionWorkspaceAuto(ctx, ...)` | `workspace.go:130` |
+| Stop a workspace | `StopWorkspaceAuto(ctx, wsID)` | `workspace.go:172` |
+| Gate "do we have any backend wired?" | `HasProvisioner()` | `workspace.go:115` |
+
+Each dispatcher routes to `cpProv.X()` when the SaaS backend is wired, then `provisioner.X()` when the Docker backend is wired, then a defined fallback (`provisionWorkspaceAuto` self-marks-failed; `StopWorkspaceAuto` no-ops; `HasProvisioner` returns false).
+
+**Rule: do not call `h.cpProv.Stop`, `h.provisioner.Stop`, `h.cpProv.Start`, or `h.provisioner.Start` directly from a handler.** Source-level pins (`TestNoCallSiteCallsDirectProvisionerExceptAuto`, `TestNoCallSiteCallsBareStop`) gate this at CI; they exist because the same drift class shipped twice — TeamHandler.Expand (#2367) bypassed routing on Start, then `team.go:208` + `workspace_crud.go:432` bypassed it on Stop (#2813, #2814) for ~6 months.
+
+Allowed exceptions (in the source-pin allowlists):
+- `workspace.go` and `workspace_provision.go` — define the per-backend bodies the dispatcher routes between.
+- `workspace_restart.go` — pre-dates the dispatchers and uses manual if-cpProv-else dispatch with retry semantics tuned for the restart hot path. Consolidation tracked in #2799.
+- `container_files.go` — drives the Docker daemon directly for short-lived file-copy containers; no workspace-level Stop semantics involved.
+
+For "do we have any backend?", use `HasProvisioner()`, never bare `h.provisioner == nil && h.cpProv == nil`. Source-level pin `TestNoBareBothNilCheck` enforces this — added 2026-05-05 after the hongming org-import incident showed the bare check shape was a recurring drift target.
+
 ## The matrix
 
 | Feature | File(s) | Docker | EC2 | Verdict |
 |---|---|---|---|---|
 | **Lifecycle** | | | | |
-| Create | `workspace_provision.go:19-214` | `provisionWorkspace()` → `provisioner.Start()` | `provisionWorkspaceCP()` → `cpProv.Start()` | ✅ parity |
+| Create | `workspace.go:130` `provisionWorkspaceAuto` → `provisionWorkspace()` (Docker) / `provisionWorkspaceCP()` (CP) | dispatched | dispatched | ✅ parity (single source of truth, PR #2811) |
 | Start | `provisioner.go:140-325` | container create + image pull | EC2 `RunInstance` via CP | ✅ parity |
-| Stop | `provisioner.go:772-785` | `ContainerRemove(force=true)` + optional volume rm | `DELETE /cp/workspaces/:id` | ✅ parity |
+| Stop | `workspace.go:172` `StopWorkspaceAuto` → `provisioner.Stop()` (Docker) / `cpProv.Stop()` (CP) | dispatched | dispatched | ✅ parity (single source of truth, PR #2824) |
 | Restart | `workspace_restart.go:45-210` | reads runtime from live container before stop | reads runtime from DB only | ⚠️ divergent — config-change + crash window can boot old runtime on EC2 |
-| Delete | `workspace_crud.go` | stop + volume rm | stop only (stateless) | ✅ parity (expected divergence on volume cleanup) |
+| Delete | `workspace_crud.go` `stopAndRemove` → `StopWorkspaceAuto` + Docker-only `RemoveVolume` | stop + volume rm | stop only (stateless — CP has no volumes) | ✅ parity (PR #2824 closed the SaaS-leak gap) |
+| Org-import (bulk Create) | `org_import.go:178` gates on `h.workspace.HasProvisioner()`; routes through `provisionWorkspaceAuto` per workspace | dispatched | dispatched | ✅ parity (PR #2811 closed the SaaS-skip gate) |
+| Team-collapse (bulk Stop) | `team.go:206` calls `StopWorkspaceAuto` for each child | dispatched | dispatched | ✅ parity (PR #2824 closed the SaaS-leak gap) |
 | **Secrets** | | | | |
 | Create / update | `secrets.go` | DB insert, injected at container start | DB insert, injected via user-data at boot | ✅ parity |
 | Redaction | `workspace_provision.go:251` | applied at memory-seed time | applied at agent runtime | ⚠️ divergent — timing differs |
@@ -76,7 +99,23 @@ This document is the canonical matrix. If you are landing a workspace-facing fea
 
 - **`tools/check-template-parity.sh`** (this repo) — ensures `install.sh` and `start.sh` in a template repo forward identical sets of provider keys. Wire into each template repo's CI as `bash $MONOREPO/tools/check-template-parity.sh install.sh start.sh`.
 - **Contract tests** (stub) — `workspace-server/internal/provisioner/backend_contract_test.go` defines the behaviors every `provisioner.Provisioner` implementation must satisfy. Fails compile when a method drifts between `Docker` and `CPProvisioner`. Scenario-level runs are `t.Skip`'d today pending drift risk #6 (see above) — compile-time assertions still catch method drift.
+- **Source-level dispatcher pins** — `workspace_provision_auto_test.go` enforces the SoT pattern documented above:
+  - `TestNoCallSiteCallsDirectProvisionerExceptAuto` — no handler calls `.provisionWorkspace(` or `.provisionWorkspaceCP(` directly outside the dispatcher's allowlist.
+  - `TestNoCallSiteCallsBareStop` — no handler calls `.provisioner.Stop(` or `.cpProv.Stop(` directly outside the dispatcher's allowlist (strips Go comments before substring match so archaeology in code comments doesn't trip the gate).
+  - `TestNoBareBothNilCheck` — no production code uses `h.provisioner == nil && h.cpProv == nil`; must use `!h.HasProvisioner()`.
+  - `TestOrgImportGate_UsesHasProvisionerNotBareField` — pins the org-import provisioning gate against the bare-Docker-check shape that caused the 2026-05-05 hongming incident.
 
 ## How to update this doc
 
 When you land a feature that touches a handler dispatch on `h.cpProv != nil`, add or update the matching row. If you can't implement both backends in the same PR, mark the row `docker-only` or `ec2-only` and file an issue tracking the gap.
+
+### When you add a NEW dispatch site
+
+If you find yourself writing `if h.cpProv != nil { ... } else if h.provisioner != nil { ... }` for a new operation (Pause, Hibernate, Snapshot, etc.):
+
+1. Add a `<Op>WorkspaceAuto` method on `WorkspaceHandler` next to the existing dispatchers. Mirror the docstring shape: routing, no-backend fallback, ordering rationale.
+2. Add a source-level pin in `workspace_provision_auto_test.go` — the bare-call shape your dispatcher replaces, fail when a handler reintroduces it.
+3. Add a row to the matrix above with the dispatcher reference.
+4. If your operation has retry semantics specific to a hot path, leave them in the original location for now and file a follow-up under #2799 — don't bake retry into the generic dispatcher unless every caller benefits.
+
+The pattern is "one dispatcher per verb." Don't fold every operation into `provisionWorkspaceAuto` — different verbs have different no-backend fallbacks (mark-failed for Start, no-op for Stop, false for Has).
diff --git a/docs/e2e-coverage.md b/docs/e2e-coverage.md
new file mode 100644
index 00000000..48ca0e19
--- /dev/null
+++ b/docs/e2e-coverage.md
@@ -0,0 +1,58 @@
+# E2E coverage matrix
+
+This document is the source of truth for which E2E suites guard which surfaces and which gates are wired up where. Read this before adding a new E2E or moving a check between branches.
+
+## Suites
+
+| Workflow file | Job (= required-check name) | What it covers | Cron |
+|---|---|---|---|
+| `e2e-api.yml` | `E2E API Smoke Test` | A2A handshake, registry/register, /workspaces/:id/a2a forward, structured-event emission. Lightweight enough to run on every PR. | — |
+| `e2e-staging-canvas.yml` | `Canvas tabs E2E` | Canvas-tab Playwright UX checks against staging — config tab, secrets tab, agent-card tab, Activity hydration. | weekly Sun 08:00 UTC |
+| `e2e-staging-saas.yml` | `E2E Staging SaaS` | Full lifecycle: org creation → workspace provision (CP path) → A2A delegation → status/heartbeat → workspace delete → EC2 termination. The integration test that catches the silent-drop bug class (#2486 / #2811 / #2813 / #2814). | daily 07:00 UTC |
+| `e2e-staging-external.yml` | `E2E Staging External Runtime` | External-runtime registration + heartbeat staleness sweep + `/registry/peers` resolution. Validates the OSS-templated workspace path. | daily 07:30 UTC |
+| `e2e-staging-sanity.yml` | `Intentional-failure teardown sanity` | Inverted assertion — the run MUST fail. Validates the leak-detection self-check itself; not for general gating. | weekly Mon 06:00 UTC |
+| `continuous-synth-e2e.yml` | `Synthetic E2E against staging` | Standing background coverage between PR runs. Catches drift in production-like staging that PR-time E2Es miss. | every 15 min |
+
+## Required-check status (branch protection)
+
+| Suite | staging required | main required |
+|---|---|---|
+| `E2E API Smoke Test` | ✅ this PR | ✅ |
+| `Canvas tabs E2E` | ✅ this PR | (see follow-up) |
+| `E2E Staging SaaS` | ❌ — needs always-emit refactor | ❌ |
+| `E2E Staging External Runtime` | ❌ — needs always-emit refactor | ❌ |
+| `Intentional-failure teardown sanity` | ❌ inverted assertion, never required | ❌ |
+| `Synthetic E2E against staging` | ❌ cron-only, not a per-PR gate | ❌ |
+
+## Why the always-emit pattern matters
+
+Branch protection requires a *check name* to land at SUCCESS for every PR. Workflows with `paths:` filters that exclude a PR never run, so the check name never appears, and the PR sits BLOCKED forever.
+
+The pattern that supports being required is:
+
+1. Workflow always triggers on push/PR to the protected branch.
+2. A `detect-changes` job uses `dorny/paths-filter` to decide if real work runs.
+3. The protected job runs unconditionally and either (a) does real work when paths matched, or (b) emits a no-op SUCCESS step when paths skipped.
+
+`e2e-api.yml` and `e2e-staging-canvas.yml` already have this shape. `e2e-staging-saas.yml` and `e2e-staging-external.yml` use plain `paths:` filters and need the refactor before they can be required (filed as follow-up).
+
+## Adding a new E2E suite
+
+1. Pick a verb: smoke test, full lifecycle, fault-injection, drift detection. Pre-existing suites split along these lines.
+2. Use the always-emit shape so the check name can be made required.
+3. Add a row to the matrix above.
+4. Decide cron cadence based on cost + how fast drift would otherwise be caught.
+5. If you want it required, add to the relevant branch protection via `tools/branch-protection/apply.sh` (this PR adds the script).
+
+## When to break glass — temporarily skip a required E2E
+
+Don't. If an E2E is intermittently flaky, fix the test or move it out of required. The point of a required check is that it's load-bearing; bypassing one with admin override teaches the next operator the gate is optional.
+
+If a Production incident requires bypassing, document the override in the incident postmortem with a same-week followup to either fix the test or rip the check out of required.
+
+## Related issues / PRs
+
+- #2486 — silent-drop bug class that the SaaS E2E now catches
+- PR #2811 — `provisionWorkspaceAuto` consolidation (org-import SaaS gate)
+- PR #2824 — `StopWorkspaceAuto` mirror (closes #2813 + #2814)
+- Follow-up: refactor `e2e-staging-saas` + `e2e-staging-external` to always-emit (so they can be required)
diff --git a/tools/branch-protection/apply.sh b/tools/branch-protection/apply.sh
new file mode 100755
index 00000000..21b72ac2
--- /dev/null
+++ b/tools/branch-protection/apply.sh
@@ -0,0 +1,238 @@
+#!/usr/bin/env bash
+# tools/branch-protection/apply.sh — idempotently apply branch
+# protection to molecule-core's `staging` and `main` branches.
+#
+# Single source of truth for the protection settings. Diff this file
+# against the live state (drift_check.sh handles that nightly + on
+# every PR that touches this directory).
+#
+# Why each branch has its OWN payload section instead of a shared
+# template: pre-2026-05-05 the script generated both branches from a
+# shared template that hard-coded enforce_admins=false,
+# dismiss_stale_reviews=true, strict=false, allow_fork_syncing=true,
+# and dropped bypass_pull_request_allowances. Live staging had
+# enforce_admins=true, dismiss_stale_reviews=false, strict=true,
+# allow_fork_syncing=false, and a bypass list. Running the script
+# would have silently weakened protection on every dimension at once.
+# Per-branch payloads codify the deliberate per-branch policy that
+# already lives on the repo, with the script's net contribution
+# being ONLY the explicit additions to required_status_checks.
+#
+# Per memory feedback_dismiss_stale_reviews_blocks_promote.md,
+# dismiss_stale_reviews=true silently re-blocks every auto-promote PR
+# (cost the user 2.5h once already on staging — confirming we keep
+# this OFF on staging is load-bearing for the auto-promote chain).
+#
+# Usage:
+#   tools/branch-protection/apply.sh                # apply both branches
+#   tools/branch-protection/apply.sh --dry-run      # show payload only
+#   tools/branch-protection/apply.sh --branch staging
+#   tools/branch-protection/apply.sh --skip-preflight  # skip check-name validation
+#
+# Requires: gh CLI authenticated as a repo admin. The script uses gh's
+# token (no separate PAT needed).
+
+set -euo pipefail
+
+REPO="Molecule-AI/molecule-core"
+DRY_RUN=0
+ONLY_BRANCH=""
+SKIP_PREFLIGHT=0
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --dry-run) DRY_RUN=1; shift ;;
+    --branch)  ONLY_BRANCH="$2"; shift 2 ;;
+    --skip-preflight) SKIP_PREFLIGHT=1; shift ;;
+    -h|--help)
+      echo "Usage: $0 [--dry-run] [--branch <name>] [--skip-preflight]"
+      exit 0
+      ;;
+    *) echo "Unknown arg: $1" >&2; exit 1 ;;
+  esac
+done
+
+# ─── Required-check matrices ──────────────────────────────────────
+# Each branch's set is the canonical list of check NAMES (from each
+# workflow's job-name). Adding/removing a check here is the place to
+# do it. Match docs/e2e-coverage.md.
+
+read -r -d '' STAGING_CHECKS <<'EOF' || true
+Analyze (go)
+Analyze (javascript-typescript)
+Analyze (python)
+Canvas (Next.js)
+Canvas tabs E2E
+Detect changes
+E2E API Smoke Test
+Platform (Go)
+Python Lint & Test
+Scan diff for credential-shaped strings
+Shellcheck (E2E scripts)
+EOF
+
+read -r -d '' MAIN_CHECKS <<'EOF' || true
+Analyze (go)
+Analyze (javascript-typescript)
+Analyze (python)
+Canvas (Next.js)
+Canvas tabs E2E
+Detect changes
+E2E API Smoke Test
+PR-built wheel + import smoke
+Platform (Go)
+Python Lint & Test
+Scan diff for credential-shaped strings
+Shellcheck (E2E scripts)
+EOF
+
+checks_to_json() {
+  printf '%s\n' "$1" | jq -Rs '
+    split("\n")
+    | map(select(length > 0))
+    | map({context: ., app_id: -1})
+  '
+}
+
+# ─── Per-branch payloads (each preserves live-state policy) ───────
+# Staging payload — preserves the live values that pre-2026-05-05's
+# apply.sh would have silently rewritten:
+#   enforce_admins=true, dismiss_stale_reviews=false, strict=true,
+#   allow_fork_syncing=false, bypass list = HongmingWang-Rabbit + molecule-ai app.
+build_staging_payload() {
+  local checks_json
+  checks_json=$(checks_to_json "$STAGING_CHECKS")
+  jq -n \
+    --argjson checks "$checks_json" \
+    '{
+      required_status_checks: {
+        strict: true,
+        checks: $checks
+      },
+      enforce_admins: true,
+      required_pull_request_reviews: {
+        required_approving_review_count: 1,
+        dismiss_stale_reviews: false,
+        require_code_owner_reviews: false,
+        require_last_push_approval: false,
+        bypass_pull_request_allowances: {
+          users: ["HongmingWang-Rabbit"],
+          teams: [],
+          apps: ["molecule-ai"]
+        }
+      },
+      restrictions: null,
+      allow_deletions: false,
+      allow_force_pushes: false,
+      block_creations: false,
+      required_conversation_resolution: true,
+      required_linear_history: false,
+      lock_branch: false,
+      allow_fork_syncing: false
+    }'
+}
+
+# Main payload — preserves the live values:
+#   enforce_admins=false, dismiss_stale_reviews=true, strict=true,
+#   allow_fork_syncing=false, NO bypass list.
+# main intentionally has different settings than staging because main
+# is the deploy target — the auto-promote app pushes to main without
+# the friction of an admin-bypass list, and stale-review dismissal
+# is acceptable here because every change has already cleared
+# staging review.
+build_main_payload() {
+  local checks_json
+  checks_json=$(checks_to_json "$MAIN_CHECKS")
+  jq -n \
+    --argjson checks "$checks_json" \
+    '{
+      required_status_checks: {
+        strict: true,
+        checks: $checks
+      },
+      enforce_admins: false,
+      required_pull_request_reviews: {
+        required_approving_review_count: 1,
+        dismiss_stale_reviews: true,
+        require_code_owner_reviews: false,
+        require_last_push_approval: false
+      },
+      restrictions: null,
+      allow_deletions: false,
+      allow_force_pushes: false,
+      block_creations: false,
+      required_conversation_resolution: true,
+      required_linear_history: false,
+      lock_branch: false,
+      allow_fork_syncing: false
+    }'
+}
+
+# ─── R3 preflight: validate every desired check name has at least
+# one historical run ──────────────────────────────────────────────
+# Pre-fix the script accepted arbitrary strings into
+# required_status_checks.checks. A typo like "Canvas Tabs E2E" vs
+# "Canvas tabs E2E" → GH accepts → every PR is blocked forever
+# waiting for a context that never emits. The preflight hits the
+# /commits/{sha}/check-runs endpoint and asserts each desired name
+# has at least one matching run. Skippable via --skip-preflight for
+# the case where you're adding a brand-new workflow whose first run
+# hasn't fired yet.
+preflight_check_names() {
+  local branch="$1"
+  local checks="$2"
+  local sha
+  sha=$(gh api "repos/$REPO/commits/$branch" --jq '.sha' 2>/dev/null || echo "")
+  if [[ -z "$sha" ]]; then
+    echo "preflight: WARN cannot resolve $branch tip SHA, skipping check-name validation" >&2
+    return 0
+  fi
+  local known_names
+  known_names=$(gh api "repos/$REPO/commits/$sha/check-runs?per_page=100" \
+    --jq '.check_runs | map(.name)' 2>/dev/null || echo "[]")
+  local missing=()
+  while IFS= read -r name; do
+    [[ -z "$name" ]] && continue
+    if ! echo "$known_names" | jq -e --arg n "$name" 'index($n) != null' >/dev/null; then
+      missing+=("$name")
+    fi
+  done <<< "$checks"
+  if [[ ${#missing[@]} -gt 0 ]]; then
+    echo "preflight: $branch — these check names are NOT in the historical check-runs for the tip SHA:" >&2
+    printf '  - %s\n' "${missing[@]}" >&2
+    echo "If they're truly new (workflow added but never run), re-run with --skip-preflight." >&2
+    echo "Otherwise typos here will permanently block every PR — fix the names." >&2
+    return 1
+  fi
+}
+
+apply_branch() {
+  local branch="$1"
+  local checks="$2"
+  local payload_fn="$3"
+  local payload
+  payload=$($payload_fn)
+  if [[ "$DRY_RUN" -eq 1 ]]; then
+    echo "=== branch: $branch ==="
+    echo "$payload" | jq .
+    return
+  fi
+  if [[ "$SKIP_PREFLIGHT" -eq 0 ]]; then
+    if ! preflight_check_names "$branch" "$checks"; then
+      echo "FAIL: preflight on $branch caught typos or missing workflows. Aborting." >&2
+      return 1
+    fi
+  fi
+  echo "Applying branch protection on $branch..."
+  printf '%s' "$payload" | gh api -X PUT \
+    "repos/$REPO/branches/$branch/protection" \
+    --input -
+  echo "Applied: $branch"
+}
+
+if [[ -z "$ONLY_BRANCH" || "$ONLY_BRANCH" == "staging" ]]; then
+  apply_branch staging "$STAGING_CHECKS" build_staging_payload
+fi
+if [[ -z "$ONLY_BRANCH" || "$ONLY_BRANCH" == "main" ]]; then
+  apply_branch main "$MAIN_CHECKS" build_main_payload
+fi
diff --git a/tools/branch-protection/drift_check.sh b/tools/branch-protection/drift_check.sh
new file mode 100755
index 00000000..86d120f2
--- /dev/null
+++ b/tools/branch-protection/drift_check.sh
@@ -0,0 +1,157 @@
+#!/usr/bin/env bash
+# tools/branch-protection/drift_check.sh — compare the live branch
+# protection on staging + main against what apply.sh would set. Used
+# by branch-protection-drift.yml (cron) to catch out-of-band UI edits.
+#
+# Pre-2026-05-05 version diffed only required_status_checks.checks —
+# would have missed a UI click that flipped enforce_admins or
+# dismiss_stale_reviews. Now compares the full normalized payload so
+# any silent rewrite of admin/review/lock/deletion settings trips the
+# drift gate.
+#
+# Exit codes:
+#   0 — live state matches the script
+#   1 — drift detected (output shows the diff)
+#   2 — gh API call failed
+
+set -euo pipefail
+
+REPO="Molecule-AI/molecule-core"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+EXIT_CODE=0
+
+# Normalise the GET /branches/:b/protection response so we can compare
+# against apply.sh's payload. The GET response inflates booleans into
+# {url, enabled} sub-objects and bypass list users/apps into full
+# user/app objects with avatar_url etc — strip those down to match
+# the input shape.
+NORMALISE_LIVE='{
+  required_status_checks: (
+    .required_status_checks
+    | { strict: .strict,
+        checks: (.checks | map({context}) | sort_by(.context)) }
+  ),
+  enforce_admins: (
+    if (.enforce_admins | type) == "object"
+    then .enforce_admins.enabled
+    else .enforce_admins end
+  ),
+  required_pull_request_reviews: (
+    .required_pull_request_reviews
+    | if . == null then null else
+        { required_approving_review_count,
+          dismiss_stale_reviews,
+          require_code_owner_reviews,
+          require_last_push_approval,
+          bypass_pull_request_allowances: (
+            if .bypass_pull_request_allowances == null then null
+            else {
+              users: (.bypass_pull_request_allowances.users // [] | map(.login) | sort),
+              teams: (.bypass_pull_request_allowances.teams // [] | map(.slug) | sort),
+              apps:  (.bypass_pull_request_allowances.apps  // [] | map(.slug) | sort)
+            } end
+          )
+        }
+      end
+  ),
+  restrictions: (
+    if .restrictions == null then null
+    else { users: (.restrictions.users | map(.login) | sort),
+           teams: (.restrictions.teams | map(.slug) | sort),
+           apps:  (.restrictions.apps  | map(.slug) | sort) }
+    end
+  ),
+  allow_deletions: (
+    if (.allow_deletions | type) == "object" then .allow_deletions.enabled
+    else (.allow_deletions // false) end
+  ),
+  allow_force_pushes: (
+    if (.allow_force_pushes | type) == "object" then .allow_force_pushes.enabled
+    else (.allow_force_pushes // false) end
+  ),
+  block_creations: (
+    if (.block_creations | type) == "object" then .block_creations.enabled
+    else (.block_creations // false) end
+  ),
+  required_conversation_resolution: (
+    if (.required_conversation_resolution | type) == "object"
+    then .required_conversation_resolution.enabled
+    else (.required_conversation_resolution // false) end
+  ),
+  required_linear_history: (
+    if (.required_linear_history | type) == "object" then .required_linear_history.enabled
+    else (.required_linear_history // false) end
+  ),
+  lock_branch: (
+    if (.lock_branch | type) == "object" then .lock_branch.enabled
+    else (.lock_branch // false) end
+  ),
+  allow_fork_syncing: (
+    if (.allow_fork_syncing | type) == "object" then .allow_fork_syncing.enabled
+    else (.allow_fork_syncing // false) end
+  )
+}'
+
+# Apply.sh's payload is already in the input shape; we just need to
+# canonicalise the checks order and fill in optional fields with their
+# defaults so the comparison aligns.
+NORMALISE_SCRIPT='{
+  required_status_checks: {
+    strict: .required_status_checks.strict,
+    checks: (.required_status_checks.checks | map({context}) | sort_by(.context))
+  },
+  enforce_admins: .enforce_admins,
+  required_pull_request_reviews: (
+    if .required_pull_request_reviews == null then null else
+      { required_approving_review_count: .required_pull_request_reviews.required_approving_review_count,
+        dismiss_stale_reviews: .required_pull_request_reviews.dismiss_stale_reviews,
+        require_code_owner_reviews: (.required_pull_request_reviews.require_code_owner_reviews // false),
+        require_last_push_approval: (.required_pull_request_reviews.require_last_push_approval // false),
+        bypass_pull_request_allowances: (
+          if .required_pull_request_reviews.bypass_pull_request_allowances == null then null
+          else {
+            users: (.required_pull_request_reviews.bypass_pull_request_allowances.users // [] | sort),
+            teams: (.required_pull_request_reviews.bypass_pull_request_allowances.teams // [] | sort),
+            apps:  (.required_pull_request_reviews.bypass_pull_request_allowances.apps  // [] | sort)
+          } end
+        )
+      }
+    end
+  ),
+  restrictions: .restrictions,
+  allow_deletions: (.allow_deletions // false),
+  allow_force_pushes: (.allow_force_pushes // false),
+  block_creations: (.block_creations // false),
+  required_conversation_resolution: (.required_conversation_resolution // false),
+  required_linear_history: (.required_linear_history // false),
+  lock_branch: (.lock_branch // false),
+  allow_fork_syncing: (.allow_fork_syncing // false)
+}'
+
+check_branch() {
+  local branch="$1"
+  local want
+  want=$(bash "$SCRIPT_DIR/apply.sh" --dry-run --branch "$branch" 2>&1 |
+    sed -n '/^{$/,/^}$/p' |
+    jq -S "$NORMALISE_SCRIPT")
+  local have_raw
+  if ! have_raw=$(gh api "repos/$REPO/branches/$branch/protection" 2>/dev/null); then
+    echo "drift_check: FAIL to fetch $branch protection (gh API error)"
+    return 2
+  fi
+  local have
+  have=$(echo "$have_raw" | jq -S "$NORMALISE_LIVE")
+  if [[ "$want" != "$have" ]]; then
+    echo "=== DRIFT on $branch ==="
+    diff <(echo "$want") <(echo "$have") || true
+    return 1
+  fi
+  echo "OK: $branch matches desired state"
+}
+
+for b in staging main; do
+  if ! check_branch "$b"; then
+    EXIT_CODE=1
+  fi
+done
+exit "$EXIT_CODE"
diff --git a/workspace-server/cmd/server/main.go b/workspace-server/cmd/server/main.go
index e11f5a96..3961a842 100644
--- a/workspace-server/cmd/server/main.go
+++ b/workspace-server/cmd/server/main.go
@@ -297,6 +297,15 @@ func main() {
 		registry.StartHibernationMonitor(c, wh.HibernateWorkspace)
 	})
 
+	// RFC #2829 PR-3: stuck-task sweeper for the durable delegations
+	// ledger. Marks deadline-exceeded rows as failed and heartbeat-stale
+	// in-flight rows as stuck. Both transitions go through the ledger's
+	// terminal forward-only protection so concurrent UpdateStatus calls
+	// are not clobbered. Defaults: 5min interval, 10min stale threshold;
+	// override via DELEGATION_SWEEPER_INTERVAL_S / DELEGATION_STUCK_THRESHOLD_S.
+	delegSweeper := handlers.NewDelegationSweeper(nil, nil)
+	go supervised.RunWithRecover(ctx, "delegation-sweeper", delegSweeper.Start)
+
 	// Channel Manager — social channel integrations (Telegram, Slack, etc.)
 	channelMgr := channels.NewManager(wh, broadcaster)
 	go supervised.RunWithRecover(ctx, "channel-manager", channelMgr.Start)
diff --git a/workspace-server/internal/bundle/importer.go b/workspace-server/internal/bundle/importer.go
index e12dfda8..43ec618c 100644
--- a/workspace-server/internal/bundle/importer.go
+++ b/workspace-server/internal/bundle/importer.go
@@ -131,11 +131,19 @@ func buildBundleConfigFiles(b *Bundle) map[string][]byte {
 }
 
 func markFailed(ctx context.Context, wsID string, broadcaster *events.Broadcaster, err error) {
+	// Set last_sample_error along with status so operators (and the
+	// Canvas E2E + GET /workspaces/:id callers) get a non-null reason
+	// in the row. Pre-2026-05-05 this UPDATE only set status, leaving
+	// last_sample_error NULL — Canvas E2E #2632 surfaced the gap with
+	// `Workspace failed: (no last_sample_error)`. Same UPDATE shape as
+	// markProvisionFailed in workspace-server/internal/handlers/
+	// workspace_provision_shared.go.
+	msg := err.Error()
 	db.DB.ExecContext(ctx,
-		`UPDATE workspaces SET status = $1, updated_at = now() WHERE id = $2`,
-		models.StatusFailed, wsID)
+		`UPDATE workspaces SET status = $1, last_sample_error = $2, updated_at = now() WHERE id = $3`,
+		models.StatusFailed, msg, wsID)
 	broadcaster.RecordAndBroadcast(ctx, "WORKSPACE_PROVISION_FAILED", wsID, map[string]interface{}{
-		"error": err.Error(),
+		"error": msg,
 	})
 }
 
diff --git a/workspace-server/internal/db/workspace_status_failed_message_drift_test.go b/workspace-server/internal/db/workspace_status_failed_message_drift_test.go
new file mode 100644
index 00000000..872903ad
--- /dev/null
+++ b/workspace-server/internal/db/workspace_status_failed_message_drift_test.go
@@ -0,0 +1,175 @@
+package db_test
+
+// Static drift gate: every UPDATE that sets status to a "failed" value
+// must also set last_sample_error in the same statement. Otherwise the
+// row ends up with status='failed' + last_sample_error=NULL — operators
+// see "workspace failed" with no reason, and the Canvas E2E reports the
+// useless `Workspace failed: (no last_sample_error)` from #2632.
+//
+// Why a static gate: pre-2026-05-05 we had at least two writers
+// (markProvisionFailed in workspace_provision_shared.go set the
+// message; bundle/importer.go's markFailed didn't). The provision-
+// timeout sweep also sets the message. Code review missed the
+// importer drift for ~6 months until the Canvas E2E surfaced it.
+//
+// Rule:
+//   - If a Go string literal in this repo contains both
+//     `UPDATE workspaces` and a clause setting `status` to a value
+//     resembling "failed" — either via a `$N` placeholder later bound
+//     to StatusFailed, or via an inline `'failed'` literal — that same
+//     literal MUST also contain `last_sample_error`.
+//   - Allowed: an UPDATE that only sets status to a non-failed value
+//     (online, hibernating, removed, etc.). Those don't need the
+//     message column, and clearing it would lose forensic context.
+//
+// Caveats:
+//   - The test reads source as text. Multi-line UPDATEs split across
+//     concatenated string fragments will slip past — that's an
+//     accepted limitation for now; the parameterized-write refactor
+//     (#2799) will let us replace this textual gate with a typed-call
+//     gate eventually.
+//   - "last_sample_error" appearing anywhere in the same literal is
+//     enough to satisfy the rule. We don't try to verify the column
+//     receives a non-empty value at runtime — that's the
+//     parameterized-write refactor's territory too.
+
+import (
+	"fmt"
+	"go/ast"
+	"go/parser"
+	"go/token"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strings"
+	"testing"
+)
+
+// TestWorkspaceStatusFailed_MustSetLastSampleError uses Go's AST to find
+// every ExecContext call whose argument list includes the
+// `models.StatusFailed` constant. For each such call, the SQL literal
+// (the second argument) must also contain `last_sample_error`. This
+// catches the bug class without false-positive matches on UPDATEs that
+// set status to a non-failed value (online/hibernating/removed/etc.)
+// because those don't pass StatusFailed as an arg.
+func TestWorkspaceStatusFailed_MustSetLastSampleError(t *testing.T) {
+	root := findRepoRoot(t)
+	violations := []string{}
+
+	walkErr := filepath.Walk(filepath.Join(root, "workspace-server", "internal"), func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		if info.IsDir() {
+			return nil
+		}
+		if filepath.Ext(path) != ".go" {
+			return nil
+		}
+		if strings.HasSuffix(path, "_test.go") {
+			return nil
+		}
+		fset := token.NewFileSet()
+		f, err := parser.ParseFile(fset, path, nil, parser.SkipObjectResolution)
+		if err != nil {
+			return err
+		}
+		ast.Inspect(f, func(n ast.Node) bool {
+			call, ok := n.(*ast.CallExpr)
+			if !ok {
+				return true
+			}
+			sel, ok := call.Fun.(*ast.SelectorExpr)
+			if !ok {
+				return true
+			}
+			// Match db.DB.ExecContext / db.DB.QueryContext / db.DB.QueryRowContext
+			// — the three SQL execution surfaces this codebase uses.
+			methodName := sel.Sel.Name
+			if methodName != "ExecContext" && methodName != "QueryContext" && methodName != "QueryRowContext" {
+				return true
+			}
+			// Args: 0=ctx, 1=sql-literal, 2..=bind vars.
+			if len(call.Args) < 3 {
+				return true
+			}
+			passesStatusFailed := false
+			for _, a := range call.Args[2:] {
+				if isStatusFailedRef(a) {
+					passesStatusFailed = true
+					break
+				}
+			}
+			if !passesStatusFailed {
+				return true
+			}
+			// SQL literal — usually `*ast.BasicLit` for a single-line
+			// string or a back-tick string. May also be a const ref.
+			sqlText := extractStringLit(call.Args[1])
+			if sqlText == "" {
+				// SQL is a name reference, not a literal — can't check.
+				return true
+			}
+			if strings.Contains(sqlText, "last_sample_error") {
+				return true
+			}
+			// Skip non-UPDATE statements that happen to pass StatusFailed
+			// (e.g. SELECT … WHERE status = $1). The drift target is
+			// specifically writes that mark the row failed.
+			if !regexp.MustCompile(`(?i)\bUPDATE\s+workspaces\b`).MatchString(sqlText) {
+				return true
+			}
+			rel, _ := filepath.Rel(root, path)
+			pos := fset.Position(call.Pos())
+			snippet := strings.TrimSpace(sqlText)
+			if len(snippet) > 120 {
+				snippet = snippet[:120] + "..."
+			}
+			violations = append(violations,
+				fmt.Sprintf("%s:%d: %s", rel, pos.Line, snippet))
+			return true
+		})
+		return nil
+	})
+	if walkErr != nil {
+		t.Fatalf("walk: %v", walkErr)
+	}
+
+	if len(violations) > 0 {
+		t.Errorf("UPDATE workspaces SET status = ... binds models.StatusFailed but the SQL literal does not write last_sample_error — every code path that marks a workspace failed must also write the reason, or operators see `Workspace failed: (no last_sample_error)` (incident: Canvas E2E #2632). Add `, last_sample_error = $N` to the SET clause.\n\nViolations:\n  - %s",
+			strings.Join(violations, "\n  - "))
+	}
+}
+
+// isStatusFailedRef returns true if expr resolves to models.StatusFailed
+// (selector StatusFailed off the models package). Catches both
+// `models.StatusFailed` directly and `models.StatusFailed.String()`
+// style usages — anything that names the constant.
+func isStatusFailedRef(expr ast.Expr) bool {
+	if sel, ok := expr.(*ast.SelectorExpr); ok {
+		if sel.Sel.Name == "StatusFailed" {
+			return true
+		}
+	}
+	return false
+}
+
+// extractStringLit returns the unquoted contents of a string literal
+// expression, or "" if expr is not a literal we can read statically
+// (e.g. concatenation, function-call argument, named const reference).
+func extractStringLit(expr ast.Expr) string {
+	lit, ok := expr.(*ast.BasicLit)
+	if !ok || lit.Kind != token.STRING {
+		return ""
+	}
+	val := lit.Value
+	if len(val) >= 2 {
+		first, last := val[0], val[len(val)-1]
+		if (first == '`' && last == '`') || (first == '"' && last == '"') {
+			return val[1 : len(val)-1]
+		}
+	}
+	return val
+}
+
+
diff --git a/workspace-server/internal/handlers/admin_delegations.go b/workspace-server/internal/handlers/admin_delegations.go
new file mode 100644
index 00000000..b2165397
--- /dev/null
+++ b/workspace-server/internal/handlers/admin_delegations.go
@@ -0,0 +1,236 @@
+package handlers
+
+import (
+	"database/sql"
+	"log"
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
+	"github.com/gin-gonic/gin"
+)
+
+// admin_delegations.go — RFC #2829 PR-4: operator dashboard endpoint
+// over the durable delegations ledger (PR-1 schema, PR-3 sweeper).
+//
+// What this endpoint serves
+// -------------------------
+//
+//   GET /admin/delegations[?status=in_flight|stuck|failed&limit=N]
+//
+// Returns the rows the operator needs to triage delegation health:
+//   - in_flight : status IN (queued, dispatched, in_progress) — the
+//                 things actively churning right now. Default view.
+//   - stuck     : status='stuck' — sweeper found these wedged. Operator
+//                 can investigate the callee + decide whether to retry
+//                 (RFC #2829 PR-5 plan).
+//   - failed    : status='failed' — terminal failures, recent. Useful
+//                 for spotting trends like "callee X is failing 50% of
+//                 delegations since 14:00".
+//
+// Why an admin endpoint at all
+// ----------------------------
+// Without this, post-incident investigation requires direct DB access —
+// only the on-call SRE can answer "is workspace X delegating to a wedged
+// callee?". The dashboard endpoint moves that visibility into the same
+// surface as /admin/queue, /admin/schedules-health, /admin/memories etc.
+//
+// Out of scope (deferred to a follow-up PR per RFC #2829)
+// -------------------------------------------------------
+//   - "retry this stuck task" mutation: needs careful interaction with
+//     the agent-side cutover (PR-5) before it can be safely re-fired
+//   - p95 / p99 duration aggregates: separate metric exposure, not a
+//     row-level read
+//   - Canvas UI: this is the JSON contract; the canvas operator panel
+//     consumes it in a follow-up canvas PR
+
+// AdminDelegationsHandler serves the operator dashboard read endpoint.
+type AdminDelegationsHandler struct {
+	db *sql.DB
+}
+
+func NewAdminDelegationsHandler(handle *sql.DB) *AdminDelegationsHandler {
+	if handle == nil {
+		handle = db.DB
+	}
+	return &AdminDelegationsHandler{db: handle}
+}
+
+// delegationRow mirrors the row shape of the `delegations` table that the
+// operator dashboard cares about. Order matches the SELECT below — keep
+// the two in sync if you add a column.
+type delegationRow struct {
+	DelegationID   string     `json:"delegation_id"`
+	CallerID       string     `json:"caller_id"`
+	CalleeID       string     `json:"callee_id"`
+	TaskPreview    string     `json:"task_preview"`
+	Status         string     `json:"status"`
+	LastHeartbeat  *time.Time `json:"last_heartbeat,omitempty"`
+	Deadline       time.Time  `json:"deadline"`
+	ResultPreview  *string    `json:"result_preview,omitempty"`
+	ErrorDetail    *string    `json:"error_detail,omitempty"`
+	RetryCount     int        `json:"retry_count"`
+	CreatedAt      time.Time  `json:"created_at"`
+	UpdatedAt      time.Time  `json:"updated_at"`
+}
+
+// statusFilters maps the query-string `status` value to the SQL set.
+// Keep tight — operators don't get to query arbitrary status — so a
+// new status name added to the schema needs an explicit allowlist
+// entry here. Caught when a future status name doesn't pin to a UI
+// expectation (forward-defense).
+var statusFilters = map[string][]string{
+	"in_flight": {"queued", "dispatched", "in_progress"},
+	"stuck":     {"stuck"},
+	"failed":    {"failed"},
+	"completed": {"completed"},
+}
+
+const defaultListLimit = 100
+const maxListLimit = 1000
+
+// List handles GET /admin/delegations
+//
+// Query params:
+//   - status — one of `in_flight` (default) / `stuck` / `failed` / `completed`
+//   - limit  — int, 1..1000 (default 100)
+//
+// Returns 200 with `{"delegations": [...], "count": N}`.
+func (h *AdminDelegationsHandler) List(c *gin.Context) {
+	statusKey := c.DefaultQuery("status", "in_flight")
+	statuses, ok := statusFilters[statusKey]
+	if !ok {
+		c.JSON(http.StatusBadRequest, gin.H{
+			"error":             "unknown status filter",
+			"allowed":           []string{"in_flight", "stuck", "failed", "completed"},
+			"requested_status":  statusKey,
+		})
+		return
+	}
+
+	limit := defaultListLimit
+	if v := c.Query("limit"); v != "" {
+		n, err := strconv.Atoi(v)
+		if err != nil || n < 1 || n > maxListLimit {
+			c.JSON(http.StatusBadRequest, gin.H{
+				"error":     "limit must be 1..1000",
+				"requested": v,
+			})
+			return
+		}
+		limit = n
+	}
+
+	// Build the IN list as a parameterized expression — never string-
+	// concatenate user-controlled values into the SQL. statusKey came
+	// from the allowlist above so the slice is fully bounded.
+	args := make([]any, 0, len(statuses)+1)
+	placeholders := ""
+	for i, s := range statuses {
+		if i > 0 {
+			placeholders += ","
+		}
+		args = append(args, s)
+		placeholders += "$" + strconv.Itoa(i+1)
+	}
+	args = append(args, limit)
+	limitPlaceholder := "$" + strconv.Itoa(len(statuses)+1)
+
+	rows, err := h.db.QueryContext(c.Request.Context(), `
+		SELECT delegation_id, caller_id::text, callee_id::text, task_preview,
+		       status, last_heartbeat, deadline, result_preview, error_detail,
+		       retry_count, created_at, updated_at
+		  FROM delegations
+		 WHERE status IN (`+placeholders+`)
+		 ORDER BY created_at DESC
+		 LIMIT `+limitPlaceholder, args...)
+	if err != nil {
+		log.Printf("AdminDelegations.List: query failed: %v", err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "query failed"})
+		return
+	}
+	defer rows.Close()
+
+	out := make([]delegationRow, 0)
+	for rows.Next() {
+		var r delegationRow
+		var lastBeat sql.NullTime
+		var resultPreview, errorDetail sql.NullString
+		if err := rows.Scan(
+			&r.DelegationID, &r.CallerID, &r.CalleeID, &r.TaskPreview,
+			&r.Status, &lastBeat, &r.Deadline, &resultPreview, &errorDetail,
+			&r.RetryCount, &r.CreatedAt, &r.UpdatedAt,
+		); err != nil {
+			log.Printf("AdminDelegations.List: scan failed: %v", err)
+			continue
+		}
+		if lastBeat.Valid {
+			t := lastBeat.Time
+			r.LastHeartbeat = &t
+		}
+		if resultPreview.Valid {
+			s := resultPreview.String
+			r.ResultPreview = &s
+		}
+		if errorDetail.Valid {
+			s := errorDetail.String
+			r.ErrorDetail = &s
+		}
+		out = append(out, r)
+	}
+	if err := rows.Err(); err != nil {
+		log.Printf("AdminDelegations.List: rows.Err: %v", err)
+	}
+
+	c.JSON(http.StatusOK, gin.H{
+		"delegations": out,
+		"count":       len(out),
+		"status":      statusKey,
+		"limit":       limit,
+	})
+}
+
+// Stats handles GET /admin/delegations/stats — at-a-glance counts per
+// status. Useful for the dashboard summary card at the top of the
+// operator panel without paying for a row-level fetch.
+//
+// Returns 200 with `{"queued": N, "dispatched": N, "in_progress": N,
+// "completed": N, "failed": N, "stuck": N}`.
+func (h *AdminDelegationsHandler) Stats(c *gin.Context) {
+	rows, err := h.db.QueryContext(c.Request.Context(), `
+		SELECT status, COUNT(*) FROM delegations GROUP BY status
+	`)
+	if err != nil {
+		log.Printf("AdminDelegations.Stats: query failed: %v", err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "query failed"})
+		return
+	}
+	defer rows.Close()
+
+	// Initialise to zero so the response always has every known status
+	// key — the dashboard card doesn't need to handle "missing key vs
+	// zero" branching.
+	stats := map[string]int{
+		"queued":      0,
+		"dispatched":  0,
+		"in_progress": 0,
+		"completed":   0,
+		"failed":      0,
+		"stuck":       0,
+	}
+	for rows.Next() {
+		var status string
+		var count int
+		if err := rows.Scan(&status, &count); err != nil {
+			log.Printf("AdminDelegations.Stats: scan failed: %v", err)
+			continue
+		}
+		stats[status] = count
+	}
+	if err := rows.Err(); err != nil {
+		log.Printf("AdminDelegations.Stats: rows.Err: %v", err)
+	}
+
+	c.JSON(http.StatusOK, stats)
+}
diff --git a/workspace-server/internal/handlers/admin_delegations_test.go b/workspace-server/internal/handlers/admin_delegations_test.go
new file mode 100644
index 00000000..8fb2cb3d
--- /dev/null
+++ b/workspace-server/internal/handlers/admin_delegations_test.go
@@ -0,0 +1,332 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/DATA-DOG/go-sqlmock"
+	"github.com/gin-gonic/gin"
+)
+
+// admin_delegations_test.go — RFC #2829 PR-4 dashboard endpoint coverage.
+//
+//   - List: status filter + limit defaults + bad-input rejection
+//   - Stats: per-status counts + zero-fill for missing statuses
+
+// ---------- List ----------
+
+func TestAdminDelegations_List_DefaultStatusInFlight(t *testing.T) {
+	mock := setupTestDB(t)
+	h := NewAdminDelegationsHandler(nil)
+
+	now := time.Now()
+	mock.ExpectQuery(`SELECT delegation_id, caller_id::text, callee_id::text, task_preview,\s+status, last_heartbeat, deadline, result_preview, error_detail,\s+retry_count, created_at, updated_at\s+FROM delegations\s+WHERE status IN \(\$1,\$2,\$3\)\s+ORDER BY created_at DESC\s+LIMIT \$4`).
+		WithArgs("queued", "dispatched", "in_progress", 100).
+		WillReturnRows(sqlmock.NewRows([]string{
+			"delegation_id", "caller_id", "callee_id", "task_preview",
+			"status", "last_heartbeat", "deadline", "result_preview", "error_detail",
+			"retry_count", "created_at", "updated_at",
+		}).AddRow(
+			"deleg-1", "caller-uuid", "callee-uuid", "task body",
+			"in_progress", now, now.Add(2*time.Hour), nil, nil,
+			0, now.Add(-5*time.Minute), now.Add(-1*time.Minute),
+		))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("GET", "/admin/delegations", nil)
+	h.List(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var body map[string]any
+	if err := json.Unmarshal(w.Body.Bytes(), &body); err != nil {
+		t.Fatalf("body parse: %v", err)
+	}
+	if got := body["count"]; got != float64(1) {
+		t.Errorf("count: expected 1, got %v", got)
+	}
+	if got := body["status"]; got != "in_flight" {
+		t.Errorf("status: expected in_flight, got %v", got)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet: %v", err)
+	}
+}
+
+func TestAdminDelegations_List_StatusStuck(t *testing.T) {
+	mock := setupTestDB(t)
+	h := NewAdminDelegationsHandler(nil)
+
+	mock.ExpectQuery(`SELECT delegation_id`).
+		WithArgs("stuck", 100).
+		WillReturnRows(sqlmock.NewRows([]string{
+			"delegation_id", "caller_id", "callee_id", "task_preview",
+			"status", "last_heartbeat", "deadline", "result_preview", "error_detail",
+			"retry_count", "created_at", "updated_at",
+		}))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("GET", "/admin/delegations?status=stuck", nil)
+	h.List(c)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d", w.Code)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet: %v", err)
+	}
+}
+
+func TestAdminDelegations_List_StatusFailed(t *testing.T) {
+	mock := setupTestDB(t)
+	h := NewAdminDelegationsHandler(nil)
+
+	mock.ExpectQuery(`SELECT delegation_id`).
+		WithArgs("failed", 100).
+		WillReturnRows(sqlmock.NewRows([]string{
+			"delegation_id", "caller_id", "callee_id", "task_preview",
+			"status", "last_heartbeat", "deadline", "result_preview", "error_detail",
+			"retry_count", "created_at", "updated_at",
+		}))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("GET", "/admin/delegations?status=failed", nil)
+	h.List(c)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d", w.Code)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet: %v", err)
+	}
+}
+
+func TestAdminDelegations_List_RejectsUnknownStatus(t *testing.T) {
+	setupTestDB(t)
+	h := NewAdminDelegationsHandler(nil)
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("GET", "/admin/delegations?status=garbage", nil)
+	h.List(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestAdminDelegations_List_RejectsNegativeLimit(t *testing.T) {
+	setupTestDB(t)
+	h := NewAdminDelegationsHandler(nil)
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("GET", "/admin/delegations?limit=-5", nil)
+	h.List(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestAdminDelegations_List_RejectsLimitOverCap(t *testing.T) {
+	setupTestDB(t)
+	h := NewAdminDelegationsHandler(nil)
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("GET", "/admin/delegations?limit=99999", nil)
+	h.List(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestAdminDelegations_List_AcceptsCustomLimit(t *testing.T) {
+	mock := setupTestDB(t)
+	h := NewAdminDelegationsHandler(nil)
+
+	mock.ExpectQuery(`SELECT delegation_id`).
+		WithArgs("queued", "dispatched", "in_progress", 25).
+		WillReturnRows(sqlmock.NewRows([]string{
+			"delegation_id", "caller_id", "callee_id", "task_preview",
+			"status", "last_heartbeat", "deadline", "result_preview", "error_detail",
+			"retry_count", "created_at", "updated_at",
+		}))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("GET", "/admin/delegations?limit=25", nil)
+	h.List(c)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var body map[string]any
+	_ = json.Unmarshal(w.Body.Bytes(), &body)
+	if body["limit"] != float64(25) {
+		t.Errorf("expected limit=25 echo, got %v", body["limit"])
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet: %v", err)
+	}
+}
+
+func TestAdminDelegations_List_PopulatesNullableFields(t *testing.T) {
+	mock := setupTestDB(t)
+	h := NewAdminDelegationsHandler(nil)
+
+	now := time.Now()
+	resultStr := "all done"
+	mock.ExpectQuery(`SELECT delegation_id`).
+		WithArgs("completed", 100).
+		WillReturnRows(sqlmock.NewRows([]string{
+			"delegation_id", "caller_id", "callee_id", "task_preview",
+			"status", "last_heartbeat", "deadline", "result_preview", "error_detail",
+			"retry_count", "created_at", "updated_at",
+		}).AddRow(
+			"deleg-2", "c", "ca", "t",
+			"completed", now, now.Add(2*time.Hour), resultStr, nil,
+			0, now, now,
+		))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("GET", "/admin/delegations?status=completed", nil)
+	h.List(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d", w.Code)
+	}
+	var body struct {
+		Delegations []struct {
+			ResultPreview *string `json:"result_preview"`
+			ErrorDetail   *string `json:"error_detail"`
+			LastHeartbeat *string `json:"last_heartbeat"`
+		} `json:"delegations"`
+	}
+	if err := json.Unmarshal(w.Body.Bytes(), &body); err != nil {
+		t.Fatalf("parse: %v", err)
+	}
+	if len(body.Delegations) != 1 {
+		t.Fatalf("expected 1 row, got %d", len(body.Delegations))
+	}
+	row := body.Delegations[0]
+	if row.ResultPreview == nil || *row.ResultPreview != "all done" {
+		t.Errorf("result_preview not populated correctly: %+v", row.ResultPreview)
+	}
+	if row.ErrorDetail != nil {
+		t.Errorf("error_detail should be nil for completed-no-error: %+v", row.ErrorDetail)
+	}
+	if row.LastHeartbeat == nil {
+		t.Errorf("last_heartbeat should be present (non-NULL); got nil")
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet: %v", err)
+	}
+}
+
+// ---------- Stats ----------
+
+func TestAdminDelegations_Stats_ZeroFillsMissingStatuses(t *testing.T) {
+	// Stats response must always include every status key. If no rows
+	// exist for status='stuck', the response still shows "stuck": 0.
+	mock := setupTestDB(t)
+	h := NewAdminDelegationsHandler(nil)
+
+	mock.ExpectQuery(`SELECT status, COUNT\(\*\) FROM delegations GROUP BY status`).
+		WillReturnRows(sqlmock.NewRows([]string{"status", "count"}).
+			AddRow("in_progress", 7).
+			AddRow("completed", 130))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("GET", "/admin/delegations/stats", nil)
+	h.Stats(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d", w.Code)
+	}
+	var stats map[string]int
+	if err := json.Unmarshal(w.Body.Bytes(), &stats); err != nil {
+		t.Fatalf("parse: %v", err)
+	}
+
+	expectedKeys := []string{"queued", "dispatched", "in_progress", "completed", "failed", "stuck"}
+	for _, k := range expectedKeys {
+		if _, ok := stats[k]; !ok {
+			t.Errorf("stats missing key %q (zero-fill contract broken)", k)
+		}
+	}
+	if stats["in_progress"] != 7 {
+		t.Errorf("in_progress count: expected 7, got %d", stats["in_progress"])
+	}
+	if stats["completed"] != 130 {
+		t.Errorf("completed count: expected 130, got %d", stats["completed"])
+	}
+	if stats["stuck"] != 0 {
+		t.Errorf("stuck must be zero-filled: got %d", stats["stuck"])
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet: %v", err)
+	}
+}
+
+func TestAdminDelegations_Stats_EmptyTable(t *testing.T) {
+	mock := setupTestDB(t)
+	h := NewAdminDelegationsHandler(nil)
+
+	mock.ExpectQuery(`SELECT status, COUNT\(\*\) FROM delegations GROUP BY status`).
+		WillReturnRows(sqlmock.NewRows([]string{"status", "count"}))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("GET", "/admin/delegations/stats", nil)
+	h.Stats(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d", w.Code)
+	}
+	var stats map[string]int
+	_ = json.Unmarshal(w.Body.Bytes(), &stats)
+	for k, v := range stats {
+		if v != 0 {
+			t.Errorf("empty table → all counts zero; %s=%d", k, v)
+		}
+	}
+}
+
+// statusFilters is a contract surface — every key here is documented in
+// the endpoint comment + accepted by the validator. Pin it.
+func TestStatusFiltersTableShape(t *testing.T) {
+	expected := map[string][]string{
+		"in_flight": {"queued", "dispatched", "in_progress"},
+		"stuck":     {"stuck"},
+		"failed":    {"failed"},
+		"completed": {"completed"},
+	}
+	for k, want := range expected {
+		got, ok := statusFilters[k]
+		if !ok {
+			t.Errorf("statusFilters missing key %q", k)
+			continue
+		}
+		if len(got) != len(want) {
+			t.Errorf("statusFilters[%q]: want %v, got %v", k, want, got)
+			continue
+		}
+		for i := range want {
+			if got[i] != want[i] {
+				t.Errorf("statusFilters[%q][%d]: want %q, got %q", k, i, want[i], got[i])
+			}
+		}
+	}
+}
diff --git a/workspace-server/internal/handlers/delegation.go b/workspace-server/internal/handlers/delegation.go
index 59da198c..e1b5e1a8 100644
--- a/workspace-server/internal/handlers/delegation.go
+++ b/workspace-server/internal/handlers/delegation.go
@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"log"
 	"net/http"
+	"os"
 	"time"
 
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
@@ -13,6 +14,68 @@ import (
 	"github.com/google/uuid"
 )
 
+// delegationResultInboxPushEnabled gates the RFC #2829 PR-2 result-push
+// behavior: when callee POSTs `status=completed` (or `failed`) via
+// /workspaces/:id/delegations/:delegation_id/update, ALSO write an
+// `activity_type='a2a_receive'` row to the caller's activity_logs.
+//
+// Why a flag: the caller's inbox poller (workspace/inbox.py) queries
+// `?type=a2a_receive` to surface inbound messages to the agent. Adding
+// a2a_receive rows for delegation results is the universal-sized fix for
+// the 600s message/send timeout class — long-running delegations no
+// longer rely on the proxy holding the HTTP connection open. But it is
+// observable behavior change (existing agents start seeing delegation
+// results in their inbox where they didn't before), so we flag it for
+// staging burn-in before flipping default.
+//
+// Default: off. Staging-canary first; flip to on after RFC #2829 PR-3
+// (agent-side cutover) lands and proves the round-trip end-to-end.
+func delegationResultInboxPushEnabled() bool {
+	return os.Getenv("DELEGATION_RESULT_INBOX_PUSH") == "1"
+}
+
+// pushDelegationResultToInbox writes the inbox-visible row for a
+// completed/failed delegation. Best-effort: a failure logs but does NOT
+// fail the parent UpdateStatus — the existing delegate_result row in
+// activity_logs is still authoritative for the dashboard.
+//
+// Caller (sourceID) is the workspace that initiated the delegation; the
+// inbox row lands in their activity_logs so wait_for_message picks it up.
+//
+// Body shape mirrors a2a_receive rows produced by the proxy on a
+// successful synchronous reply: response_body.text carries the agent's
+// answer, request_body.delegation_id correlates back to the originating
+// row.
+func pushDelegationResultToInbox(ctx context.Context, sourceID, delegationID, status, responsePreview, errorDetail string) {
+	if !delegationResultInboxPushEnabled() {
+		return
+	}
+	respPayload := map[string]interface{}{
+		"text":          responsePreview,
+		"delegation_id": delegationID,
+	}
+	respJSON, _ := json.Marshal(respPayload)
+	reqJSON, _ := json.Marshal(map[string]interface{}{
+		"delegation_id": delegationID,
+	})
+	logStatus := "ok"
+	if status == "failed" {
+		logStatus = "error"
+	}
+	summary := "Delegation result delivered"
+	if status == "failed" {
+		summary = "Delegation failed"
+	}
+	if _, err := db.DB.ExecContext(ctx, `
+		INSERT INTO activity_logs (
+			workspace_id, activity_type, method, source_id,
+			summary, request_body, response_body, status, error_detail
+		) VALUES ($1, 'a2a_receive', 'delegate_result', $2, $3, $4::jsonb, $5::jsonb, $6, NULLIF($7, ''))
+	`, sourceID, sourceID, summary, string(reqJSON), string(respJSON), logStatus, errorDetail); err != nil {
+		log.Printf("Delegation %s: inbox-push insert failed: %v", delegationID, err)
+	}
+}
+
 // Delegation status lifecycle:
 //   pending → dispatched → received → in_progress → completed | failed
 //
@@ -289,6 +352,8 @@ func (h *DelegationHandler) executeDelegation(sourceID, targetID, delegationID s
 		h.broadcaster.RecordAndBroadcast(ctx, "DELEGATION_FAILED", sourceID, map[string]interface{}{
 			"delegation_id": delegationID, "target_id": targetID, "error": proxyErr.Error(),
 		})
+		// RFC #2829 PR-2 result-push (see UpdateStatus for rationale).
+		pushDelegationResultToInbox(ctx, sourceID, delegationID, "failed", "", proxyErr.Error())
 		return
 	}
 
@@ -349,6 +414,8 @@ func (h *DelegationHandler) executeDelegation(sourceID, targetID, delegationID s
 		"target_id":        targetID,
 		"response_preview": truncate(responseText, 200),
 	})
+	// RFC #2829 PR-2 result-push (see UpdateStatus for rationale).
+	pushDelegationResultToInbox(ctx, sourceID, delegationID, "completed", responseText, "")
 }
 
 // updateDelegationStatus updates the status of a delegation record in activity_logs.
@@ -459,11 +526,19 @@ func (h *DelegationHandler) UpdateStatus(c *gin.Context) {
 			"delegation_id":    delegationID,
 			"response_preview": truncate(body.ResponsePreview, 200),
 		})
+		// RFC #2829 PR-2 result-push: when the gate is on, also write an
+		// a2a_receive row so the caller's inbox poller surfaces this to
+		// the agent. Foundational for getting rid of the proxy-blocked
+		// sync path that hits the 600s message/send timeout — once the
+		// agent-side cutover lands, the caller polls its own inbox for
+		// the result instead of holding open an HTTP connection.
+		pushDelegationResultToInbox(ctx, sourceID, delegationID, "completed", body.ResponsePreview, "")
 	} else {
 		h.broadcaster.RecordAndBroadcast(ctx, "DELEGATION_FAILED", sourceID, map[string]interface{}{
 			"delegation_id": delegationID,
 			"error":         body.Error,
 		})
+		pushDelegationResultToInbox(ctx, sourceID, delegationID, "failed", "", body.Error)
 	}
 
 	c.JSON(http.StatusOK, gin.H{"status": body.Status, "delegation_id": delegationID})
diff --git a/workspace-server/internal/handlers/delegation_inbox_push_test.go b/workspace-server/internal/handlers/delegation_inbox_push_test.go
new file mode 100644
index 00000000..02c51190
--- /dev/null
+++ b/workspace-server/internal/handlers/delegation_inbox_push_test.go
@@ -0,0 +1,246 @@
+package handlers
+
+import (
+	"bytes"
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/DATA-DOG/go-sqlmock"
+	"github.com/gin-gonic/gin"
+)
+
+// delegation_inbox_push_test.go — coverage for the RFC #2829 PR-2
+// result-push behavior. The push is feature-flagged via
+// DELEGATION_RESULT_INBOX_PUSH=1; default off keeps the existing
+// strict-sqlmock test surface unchanged.
+//
+// What we pin:
+//   1. Flag off (default) → no a2a_receive INSERT fires.
+//   2. Flag on, status=completed → a2a_receive row written with the
+//      response_preview and no error_detail.
+//   3. Flag on, status=failed → a2a_receive row written with status=error
+//      and the error_detail set.
+//   4. INSERT failure on inbox-push does NOT bubble up — UpdateStatus
+//      still returns 200.
+
+// ---------- pushDelegationResultToInbox in isolation ----------
+
+func TestPushDelegationResultToInbox_FlagOff_NoSQL(t *testing.T) {
+	mock := setupTestDB(t)
+	t.Setenv("DELEGATION_RESULT_INBOX_PUSH", "")
+
+	pushDelegationResultToInbox(
+		context.Background(),
+		"caller", "deleg-1", "completed", "answer body", "",
+	)
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("flag off must not fire SQL: %v", err)
+	}
+}
+
+func TestPushDelegationResultToInbox_FlagOn_CompletedInsertsA2AReceiveRow(t *testing.T) {
+	mock := setupTestDB(t)
+	t.Setenv("DELEGATION_RESULT_INBOX_PUSH", "1")
+
+	mock.ExpectExec(`INSERT INTO activity_logs`).
+		WithArgs(
+			"caller-ws",
+			"caller-ws", // source_id mirrors workspace_id
+			"Delegation result delivered",
+			sqlmock.AnyArg(), // request_body json
+			sqlmock.AnyArg(), // response_body json
+			"ok",
+			"", // error_detail empty for completed
+		).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	pushDelegationResultToInbox(
+		context.Background(),
+		"caller-ws", "deleg-1", "completed", "answer body", "",
+	)
+
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet: %v", err)
+	}
+}
+
+func TestPushDelegationResultToInbox_FlagOn_FailedInsertsErrorRow(t *testing.T) {
+	mock := setupTestDB(t)
+	t.Setenv("DELEGATION_RESULT_INBOX_PUSH", "1")
+
+	mock.ExpectExec(`INSERT INTO activity_logs`).
+		WithArgs(
+			"caller-ws",
+			"caller-ws",
+			"Delegation failed",
+			sqlmock.AnyArg(),
+			sqlmock.AnyArg(),
+			"error",
+			"target unreachable",
+		).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	pushDelegationResultToInbox(
+		context.Background(),
+		"caller-ws", "deleg-2", "failed", "", "target unreachable",
+	)
+
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet: %v", err)
+	}
+}
+
+// ---------- UpdateStatus end-to-end ----------
+
+func TestUpdateStatus_FlagOn_PushesA2AReceiveOnCompleted(t *testing.T) {
+	mock := setupTestDB(t)
+	setupTestRedis(t)
+	t.Setenv("DELEGATION_RESULT_INBOX_PUSH", "1")
+
+	broadcaster := newTestBroadcaster()
+	wh := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+	dh := NewDelegationHandler(wh, broadcaster)
+
+	// 1. updateDelegationStatus — UPDATE activity_logs SET status='completed'
+	mock.ExpectExec(`UPDATE activity_logs`).
+		WithArgs("completed", "", "ws-source", "deleg-9").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	// 2. existing delegate_result INSERT (caller-side dashboard view)
+	mock.ExpectExec(`INSERT INTO activity_logs`).
+		WithArgs(
+			"ws-source", "ws-source",
+			sqlmock.AnyArg(), // summary
+			sqlmock.AnyArg(), // response_body
+		).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	// 3. NEW: PR-2 a2a_receive row for inbox-poller
+	mock.ExpectExec(`INSERT INTO activity_logs`).
+		WithArgs(
+			"ws-source", "ws-source",
+			"Delegation result delivered",
+			sqlmock.AnyArg(),
+			sqlmock.AnyArg(),
+			"ok",
+			"",
+		).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{
+		{Key: "id", Value: "ws-source"},
+		{Key: "delegation_id", Value: "deleg-9"},
+	}
+	body := `{"status":"completed","response_preview":"all done"}`
+	c.Request = httptest.NewRequest("POST",
+		"/workspaces/ws-source/delegations/deleg-9/update",
+		bytes.NewBufferString(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	dh.UpdateStatus(c)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestUpdateStatus_FlagOn_PushesA2AReceiveOnFailed(t *testing.T) {
+	mock := setupTestDB(t)
+	setupTestRedis(t)
+	t.Setenv("DELEGATION_RESULT_INBOX_PUSH", "1")
+
+	broadcaster := newTestBroadcaster()
+	wh := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+	dh := NewDelegationHandler(wh, broadcaster)
+
+	// 1. updateDelegationStatus — UPDATE activity_logs
+	mock.ExpectExec(`UPDATE activity_logs`).
+		WithArgs("failed", "boom", "ws-source", "deleg-10").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	// 2. NEW: PR-2 a2a_receive row for inbox-poller (failure path doesn't
+	// have the existing delegate_result INSERT — only the new push).
+	mock.ExpectExec(`INSERT INTO activity_logs`).
+		WithArgs(
+			"ws-source", "ws-source",
+			"Delegation failed",
+			sqlmock.AnyArg(),
+			sqlmock.AnyArg(),
+			"error",
+			"boom",
+		).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{
+		{Key: "id", Value: "ws-source"},
+		{Key: "delegation_id", Value: "deleg-10"},
+	}
+	body := `{"status":"failed","error":"boom"}`
+	c.Request = httptest.NewRequest("POST",
+		"/workspaces/ws-source/delegations/deleg-10/update",
+		bytes.NewBufferString(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	dh.UpdateStatus(c)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d", w.Code)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet: %v", err)
+	}
+}
+
+// TestUpdateStatus_FlagOff_NoNewSQL — sanity check that the existing
+// behavior is preserved when the flag is off. Critical for safe rollout.
+func TestUpdateStatus_FlagOff_NoNewSQL(t *testing.T) {
+	mock := setupTestDB(t)
+	setupTestRedis(t)
+	// explicitly empty — flag off
+	t.Setenv("DELEGATION_RESULT_INBOX_PUSH", "")
+
+	broadcaster := newTestBroadcaster()
+	wh := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+	dh := NewDelegationHandler(wh, broadcaster)
+
+	// Only the two pre-existing queries — no third (a2a_receive) INSERT.
+	mock.ExpectExec(`UPDATE activity_logs`).
+		WithArgs("completed", "", "ws-source", "deleg-11").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec(`INSERT INTO activity_logs`).
+		WithArgs(
+			"ws-source", "ws-source",
+			sqlmock.AnyArg(),
+			sqlmock.AnyArg(),
+		).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{
+		{Key: "id", Value: "ws-source"},
+		{Key: "delegation_id", Value: "deleg-11"},
+	}
+	c.Request = httptest.NewRequest("POST",
+		"/workspaces/ws-source/delegations/deleg-11/update",
+		bytes.NewBufferString(`{"status":"completed","response_preview":"ok"}`))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	dh.UpdateStatus(c)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d", w.Code)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("flag-off must not fire extra SQL: %v", err)
+	}
+}
diff --git a/workspace-server/internal/handlers/delegation_ledger.go b/workspace-server/internal/handlers/delegation_ledger.go
new file mode 100644
index 00000000..9a783ece
--- /dev/null
+++ b/workspace-server/internal/handlers/delegation_ledger.go
@@ -0,0 +1,200 @@
+package handlers
+
+import (
+	"context"
+	"database/sql"
+	"errors"
+	"log"
+	"time"
+
+	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
+)
+
+// delegation_ledger.go — durable per-task ledger for A2A delegation
+// (RFC #2829 PR-1).
+//
+// activity_logs is an event stream — one row per state transition. Replaying
+// the stream gives you history. This file's table (delegations) is the
+// folded current state — one row per delegation_id with a single status,
+// last_heartbeat, deadline, and result_preview.
+//
+// Why both: PR-3 needs a sweeper that joins on
+//   (status='in_progress' AND last_heartbeat < now() - interval '10 minutes')
+// which is impossible to express against the event stream without a window
+// function over every (delegation_id, latest event) pair — a planner-killing
+// query at scale. The dedicated table makes the sweeper an indexed scan.
+//
+// Writes go to BOTH tables. activity_logs remains the audit-grade record
+// for forensics; delegations is the queryable view for dashboards + sweeper
+// joins. Symmetric-write pattern — same posture as tenant_resources (PR
+// #2343), per memory `reference_tenant_resources_audit`.
+
+// DelegationLedger writes the per-task durable row alongside the existing
+// activity_logs event-stream writes. All methods are best-effort: a ledger
+// write failure logs but does NOT propagate up — activity_logs remains the
+// audit-grade source of truth.
+//
+// Same shape as `tenant_resources` reconciler (PR #2343): orchestration
+// continues even when the ledger write fails, and the next status update
+// (or PR-3 reconciler) will heal the ledger.
+type DelegationLedger struct {
+	db *sql.DB
+}
+
+// NewDelegationLedger returns a ledger backed by the package db handle.
+// Tests can construct one with a sqlmock-backed *sql.DB.
+func NewDelegationLedger(handle *sql.DB) *DelegationLedger {
+	if handle == nil {
+		handle = db.DB
+	}
+	return &DelegationLedger{db: handle}
+}
+
+// truncatePreview caps stored preview at 4KB. The full prompt/response is
+// already in activity_logs.{request,response}_body — this is the at-a-glance
+// view for the dashboard, not a forensic record.
+const previewCap = 4096
+
+func truncatePreview(s string) string {
+	if len(s) <= previewCap {
+		return s
+	}
+	return s[:previewCap]
+}
+
+// InsertOpts is the agent's record-of-intent. Caller, callee, task preview,
+// and the chosen delegation_id are required; idempotency_key is optional.
+type InsertOpts struct {
+	DelegationID   string
+	CallerID       string
+	CalleeID       string
+	TaskPreview    string
+	IdempotencyKey string // empty → NULL
+	// Deadline defaults to now + 6h when zero. Callers can pass a tighter
+	// per-task deadline (cron, interactive request) by setting it.
+	Deadline time.Time
+}
+
+// Insert writes the queued row. ON CONFLICT (delegation_id) DO NOTHING so
+// the agent's retry-on-restart codepath is naturally idempotent — a duplicate
+// Insert with the same delegation_id is a no-op. (Idempotency_key dedupe is
+// a separate UNIQUE index handled by the same DO NOTHING.)
+func (l *DelegationLedger) Insert(ctx context.Context, opts InsertOpts) {
+	if opts.DelegationID == "" || opts.CallerID == "" || opts.CalleeID == "" {
+		log.Printf("delegation_ledger Insert: missing required field, skipping")
+		return
+	}
+	deadline := opts.Deadline
+	if deadline.IsZero() {
+		deadline = time.Now().Add(6 * time.Hour)
+	}
+	idemArg := sql.NullString{String: opts.IdempotencyKey, Valid: opts.IdempotencyKey != ""}
+	_, err := l.db.ExecContext(ctx, `
+		INSERT INTO delegations (
+			delegation_id, caller_id, callee_id, task_preview,
+			status, deadline, idempotency_key
+		) VALUES ($1, $2, $3, $4, 'queued', $5, $6)
+		ON CONFLICT (delegation_id) DO NOTHING
+	`, opts.DelegationID, opts.CallerID, opts.CalleeID,
+		truncatePreview(opts.TaskPreview), deadline, idemArg)
+	if err != nil {
+		log.Printf("delegation_ledger Insert(%s): %v", opts.DelegationID, err)
+	}
+}
+
+// allowedTransitions enforces the lifecycle in code as defense-in-depth on
+// the schema CHECK. Terminal states (completed, failed, stuck) reject any
+// further status update — once a delegation is done, it stays done.
+//
+// The "queued → in_progress" jump (skipping dispatched) is allowed: lazy
+// callers that don't ack the dispatched stage shouldn't be penalised,
+// since the agent ultimately cares about whether work started, not which
+// HTTP layer happened to ack first.
+var allowedTransitions = map[string]map[string]bool{
+	"queued":      {"dispatched": true, "in_progress": true, "failed": true},
+	"dispatched":  {"in_progress": true, "completed": true, "failed": true},
+	"in_progress": {"completed": true, "failed": true, "stuck": true},
+}
+
+// ErrInvalidTransition is returned by SetStatus when the transition would
+// move out of a terminal state. Callers SHOULD ignore (it's a duplicate
+// terminal write) but they're surfaced for tests.
+var ErrInvalidTransition = errors.New("delegation ledger: invalid status transition")
+
+// SetStatus is the catch-all updater. Status MUST be one of the lifecycle
+// values. errorDetail is non-empty only for failed/stuck. resultPreview is
+// non-empty only for completed.
+//
+// Idempotent: re-applying the same terminal status with the same payload
+// returns nil; transitioning back out of a terminal state returns
+// ErrInvalidTransition. (Forward-only protection — once 'completed' you
+// don't get to revise to 'failed'.)
+func (l *DelegationLedger) SetStatus(ctx context.Context,
+	delegationID, status, errorDetail, resultPreview string,
+) error {
+	if delegationID == "" || status == "" {
+		return errors.New("delegation ledger: missing required field")
+	}
+
+	// Read current status to validate the transition. We accept the rare
+	// race where two updaters both observe the same prior status — Postgres
+	// CHECK constraint catches truly-invalid status values; our forward-only
+	// check is best-effort.
+	var current string
+	err := l.db.QueryRowContext(ctx,
+		`SELECT status FROM delegations WHERE delegation_id = $1`,
+		delegationID,
+	).Scan(&current)
+	if errors.Is(err, sql.ErrNoRows) {
+		// Insert was lost or wasn't called. Defensively NO-OP — the next
+		// agent retry will re-Insert and the next SetStatus will land.
+		log.Printf("delegation_ledger SetStatus(%s, %s): row missing, skipping",
+			delegationID, status)
+		return nil
+	}
+	if err != nil {
+		return err
+	}
+
+	// Same-status replay (e.g. duplicate completion notification): no-op,
+	// don't bump updated_at, no error.
+	if current == status {
+		return nil
+	}
+
+	// Forward-only on terminal states.
+	if next, ok := allowedTransitions[current]; !ok || !next[status] {
+		// Terminal already — refuse to revise.
+		return ErrInvalidTransition
+	}
+
+	_, err = l.db.ExecContext(ctx, `
+		UPDATE delegations
+		SET status = $2,
+		    error_detail = NULLIF($3, ''),
+		    result_preview = NULLIF($4, ''),
+		    updated_at = now()
+		WHERE delegation_id = $1
+	`, delegationID, status, errorDetail, truncatePreview(resultPreview))
+	return err
+}
+
+// Heartbeat stamps last_heartbeat = now() for an in-flight delegation. Used
+// by the callee whenever it makes progress; PR-3's sweeper compares to
+// NOW() to decide stuckness. No-op on terminal-state delegations.
+//
+// Best-effort: failure logs but doesn't propagate.
+func (l *DelegationLedger) Heartbeat(ctx context.Context, delegationID string) {
+	if delegationID == "" {
+		return
+	}
+	_, err := l.db.ExecContext(ctx, `
+		UPDATE delegations
+		SET last_heartbeat = now(), updated_at = now()
+		WHERE delegation_id = $1
+		  AND status NOT IN ('completed','failed','stuck')
+	`, delegationID)
+	if err != nil {
+		log.Printf("delegation_ledger Heartbeat(%s): %v", delegationID, err)
+	}
+}
diff --git a/workspace-server/internal/handlers/delegation_ledger_test.go b/workspace-server/internal/handlers/delegation_ledger_test.go
new file mode 100644
index 00000000..78cb4b94
--- /dev/null
+++ b/workspace-server/internal/handlers/delegation_ledger_test.go
@@ -0,0 +1,312 @@
+package handlers
+
+import (
+	"context"
+	"errors"
+	"strings"
+	"testing"
+
+	"github.com/DATA-DOG/go-sqlmock"
+)
+
+// delegation_ledger_test.go — unit coverage for the durable ledger writer
+// (RFC #2829 PR-1).
+//
+// Coverage targets:
+//   - Insert: happy path; missing-required no-op; deadline default;
+//     idempotency_key NULL vs string passthrough.
+//   - SetStatus: queued→dispatched→in_progress→completed; same-status
+//     replay no-op; terminal state forward-only protection; missing row
+//     no-op; SQL error propagation.
+//   - Heartbeat: stamps now() on in-flight; no-op on terminal; missing-id
+//     guard.
+//   - truncatePreview: under-cap passthrough; over-cap truncates.
+
+// ---------- Insert ----------
+
+func TestLedgerInsert_HappyPath(t *testing.T) {
+	mock := setupTestDB(t)
+	l := NewDelegationLedger(nil) // uses package db.DB which sqlmock replaced
+
+	mock.ExpectExec(`INSERT INTO delegations`).
+		WithArgs(
+			"deleg-123",
+			"caller-uuid",
+			"callee-uuid",
+			"task body",
+			sqlmock.AnyArg(), // deadline (default = now+6h)
+			sqlmock.AnyArg(), // idempotency_key NullString
+		).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	l.Insert(context.Background(), InsertOpts{
+		DelegationID: "deleg-123",
+		CallerID:     "caller-uuid",
+		CalleeID:     "callee-uuid",
+		TaskPreview:  "task body",
+	})
+
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestLedgerInsert_MissingRequired_NoSQLFired(t *testing.T) {
+	mock := setupTestDB(t)
+	l := NewDelegationLedger(nil)
+
+	// Caller-side guard: no DB call expected.
+	for _, opts := range []InsertOpts{
+		{DelegationID: "", CallerID: "c", CalleeID: "ca", TaskPreview: "t"},
+		{DelegationID: "d", CallerID: "", CalleeID: "ca", TaskPreview: "t"},
+		{DelegationID: "d", CallerID: "c", CalleeID: "", TaskPreview: "t"},
+	} {
+		l.Insert(context.Background(), opts)
+	}
+	// No ExpectExec → ExpectationsWereMet stays clean.
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unexpected sqlmock activity: %v", err)
+	}
+}
+
+func TestLedgerInsert_TruncatesOversizedPreview(t *testing.T) {
+	mock := setupTestDB(t)
+	l := NewDelegationLedger(nil)
+
+	huge := strings.Repeat("x", 10_000) // > previewCap
+
+	mock.ExpectExec(`INSERT INTO delegations`).
+		WithArgs(
+			"deleg-big",
+			"c", "ca",
+			sqlmock.AnyArg(), // truncated preview — verify length below via custom matcher
+			sqlmock.AnyArg(),
+			sqlmock.AnyArg(),
+		).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	l.Insert(context.Background(), InsertOpts{
+		DelegationID: "deleg-big",
+		CallerID:     "c",
+		CalleeID:     "ca",
+		TaskPreview:  huge,
+	})
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet: %v", err)
+	}
+}
+
+// ---------- truncatePreview unit ----------
+
+func TestTruncatePreview_UnderCap(t *testing.T) {
+	in := "short"
+	if got := truncatePreview(in); got != in {
+		t.Errorf("under-cap should passthrough; got %q", got)
+	}
+}
+
+func TestTruncatePreview_OverCapTruncatesAtBoundary(t *testing.T) {
+	in := strings.Repeat("a", previewCap+100)
+	got := truncatePreview(in)
+	if len(got) != previewCap {
+		t.Errorf("expected len=%d got len=%d", previewCap, len(got))
+	}
+}
+
+func TestTruncatePreview_ExactlyAtCap(t *testing.T) {
+	in := strings.Repeat("a", previewCap)
+	got := truncatePreview(in)
+	if got != in {
+		t.Errorf("at-cap should passthrough unchanged")
+	}
+}
+
+// ---------- SetStatus lifecycle ----------
+
+func TestLedgerSetStatus_QueuedToDispatched(t *testing.T) {
+	mock := setupTestDB(t)
+	l := NewDelegationLedger(nil)
+
+	mock.ExpectQuery(`SELECT status FROM delegations WHERE delegation_id = \$1`).
+		WithArgs("d-1").
+		WillReturnRows(sqlmock.NewRows([]string{"status"}).AddRow("queued"))
+
+	mock.ExpectExec(`UPDATE delegations`).
+		WithArgs("d-1", "dispatched", "", "").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	if err := l.SetStatus(context.Background(), "d-1", "dispatched", "", ""); err != nil {
+		t.Errorf("unexpected: %v", err)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet: %v", err)
+	}
+}
+
+func TestLedgerSetStatus_QueuedToInProgress_SkipsDispatched(t *testing.T) {
+	// Lazy callers that go queued → in_progress without ack should be allowed.
+	mock := setupTestDB(t)
+	l := NewDelegationLedger(nil)
+
+	mock.ExpectQuery(`SELECT status FROM delegations WHERE delegation_id = \$1`).
+		WithArgs("d-1").
+		WillReturnRows(sqlmock.NewRows([]string{"status"}).AddRow("queued"))
+
+	mock.ExpectExec(`UPDATE delegations`).
+		WithArgs("d-1", "in_progress", "", "").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	if err := l.SetStatus(context.Background(), "d-1", "in_progress", "", ""); err != nil {
+		t.Errorf("unexpected: %v", err)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet: %v", err)
+	}
+}
+
+func TestLedgerSetStatus_InProgressToCompleted_StoresResult(t *testing.T) {
+	mock := setupTestDB(t)
+	l := NewDelegationLedger(nil)
+
+	mock.ExpectQuery(`SELECT status FROM delegations WHERE delegation_id = \$1`).
+		WithArgs("d-1").
+		WillReturnRows(sqlmock.NewRows([]string{"status"}).AddRow("in_progress"))
+
+	mock.ExpectExec(`UPDATE delegations`).
+		WithArgs("d-1", "completed", "", "answer text").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	if err := l.SetStatus(context.Background(), "d-1", "completed", "", "answer text"); err != nil {
+		t.Errorf("unexpected: %v", err)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet: %v", err)
+	}
+}
+
+func TestLedgerSetStatus_TerminalForwardOnly(t *testing.T) {
+	// completed → failed must be rejected: terminal states are forward-only.
+	mock := setupTestDB(t)
+	l := NewDelegationLedger(nil)
+
+	mock.ExpectQuery(`SELECT status FROM delegations WHERE delegation_id = \$1`).
+		WithArgs("d-done").
+		WillReturnRows(sqlmock.NewRows([]string{"status"}).AddRow("completed"))
+
+	err := l.SetStatus(context.Background(), "d-done", "failed", "post-hoc error", "")
+	if !errors.Is(err, ErrInvalidTransition) {
+		t.Errorf("expected ErrInvalidTransition, got %v", err)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet: %v", err)
+	}
+}
+
+func TestLedgerSetStatus_SameStatusReplay_NoUpdate(t *testing.T) {
+	// Re-applying the same terminal status should NOT bump updated_at —
+	// duplicate completion notifications shouldn't generate spurious writes.
+	mock := setupTestDB(t)
+	l := NewDelegationLedger(nil)
+
+	mock.ExpectQuery(`SELECT status FROM delegations WHERE delegation_id = \$1`).
+		WithArgs("d-1").
+		WillReturnRows(sqlmock.NewRows([]string{"status"}).AddRow("completed"))
+
+	// No ExpectExec — UPDATE must not fire.
+	if err := l.SetStatus(context.Background(), "d-1", "completed", "", ""); err != nil {
+		t.Errorf("same-status replay should be no-op, got err: %v", err)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet (or unexpected UPDATE): %v", err)
+	}
+}
+
+func TestLedgerSetStatus_MissingRowIsNoOp(t *testing.T) {
+	// A SetStatus call that arrives before Insert (lost INSERT, race, etc.)
+	// must NOT error — it's a transient inconsistency the next agent retry
+	// will heal.
+	mock := setupTestDB(t)
+	l := NewDelegationLedger(nil)
+
+	mock.ExpectQuery(`SELECT status FROM delegations WHERE delegation_id = \$1`).
+		WithArgs("d-missing").
+		WillReturnRows(sqlmock.NewRows([]string{"status"})) // empty
+
+	if err := l.SetStatus(context.Background(), "d-missing", "completed", "", "ok"); err != nil {
+		t.Errorf("missing row should be no-op; got err: %v", err)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet: %v", err)
+	}
+}
+
+func TestLedgerSetStatus_RejectsEmptyDelegationID(t *testing.T) {
+	mock := setupTestDB(t)
+	l := NewDelegationLedger(nil)
+
+	if err := l.SetStatus(context.Background(), "", "completed", "", ""); err == nil {
+		t.Errorf("expected error for empty delegation_id")
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unexpected sqlmock activity for empty input: %v", err)
+	}
+}
+
+func TestLedgerSetStatus_RejectsEmptyStatus(t *testing.T) {
+	mock := setupTestDB(t)
+	l := NewDelegationLedger(nil)
+
+	if err := l.SetStatus(context.Background(), "d-1", "", "", ""); err == nil {
+		t.Errorf("expected error for empty status")
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unexpected sqlmock activity for empty input: %v", err)
+	}
+}
+
+// ---------- Heartbeat ----------
+
+func TestLedgerHeartbeat_StampsInflightRow(t *testing.T) {
+	mock := setupTestDB(t)
+	l := NewDelegationLedger(nil)
+
+	mock.ExpectExec(`UPDATE delegations`).
+		WithArgs("d-1").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	l.Heartbeat(context.Background(), "d-1")
+
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet: %v", err)
+	}
+}
+
+func TestLedgerHeartbeat_EmptyIDIsNoOp(t *testing.T) {
+	mock := setupTestDB(t)
+	l := NewDelegationLedger(nil)
+
+	l.Heartbeat(context.Background(), "") // no SQL expected
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unexpected SQL on empty id: %v", err)
+	}
+}
+
+// ---------- Allowed-transition table ----------
+
+// TestAllowedTransitionsTableShape pins the lifecycle map: every starting
+// state must have at least one outbound transition, and every terminal
+// state (completed/failed/stuck) must be ABSENT from the map keys (forward-
+// only enforcement). Catches accidental edits that re-add an outbound edge
+// from a terminal state.
+func TestAllowedTransitionsTableShape(t *testing.T) {
+	for _, terminal := range []string{"completed", "failed", "stuck"} {
+		if _, has := allowedTransitions[terminal]; has {
+			t.Errorf("terminal state %q must not appear as transition source", terminal)
+		}
+	}
+	for src, dests := range allowedTransitions {
+		if len(dests) == 0 {
+			t.Errorf("non-terminal state %q has no outbound transitions", src)
+		}
+	}
+}
diff --git a/workspace-server/internal/handlers/delegation_sweeper.go b/workspace-server/internal/handlers/delegation_sweeper.go
new file mode 100644
index 00000000..8ac673c4
--- /dev/null
+++ b/workspace-server/internal/handlers/delegation_sweeper.go
@@ -0,0 +1,265 @@
+package handlers
+
+import (
+	"context"
+	"database/sql"
+	"log"
+	"os"
+	"strconv"
+	"time"
+
+	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
+)
+
+// delegation_sweeper.go — RFC #2829 PR-3: stuck-task sweeper.
+//
+// What it does
+// ------------
+// Periodically scans the `delegations` table (PR-1 schema) for in-flight
+// rows that have either:
+//
+//   1. Blown past their `deadline` — agent claims to still be working but
+//      the hard ceiling fired. Mark `failed` with error_detail = "deadline
+//      exceeded".
+//   2. Stopped heartbeating for >stuckThreshold while still claiming
+//      in_progress. Mark `stuck` with error_detail = "no heartbeat for Ns".
+//
+// Why both rules
+// --------------
+// Deadline catches forever-heartbeating agents that never make progress
+// (a wedged agent looping on a heartbeat call inside its main work loop
+// looks "alive" by liveness signals but is not actually advancing).
+// Heartbeat-staleness catches agents that crash or get OOM-killed
+// without graceful shutdown — no terminal status update fires, but the
+// heartbeat stops cold.
+//
+// Order matters: deadline check fires first because deadline → failed
+// is a stronger statement than deadline → stuck. A stuck row can be
+// retried by the operator; a failed row says "give up, retry was
+// already exhausted or not viable."
+//
+// Frequency
+// ---------
+// 5min default cadence. Faster than that wastes DB round-trips for the
+// hot index; slower means a stuck task isn't caught until ~5min after
+// the heartbeat stops. Operators can override via DELEGATION_SWEEPER_INTERVAL_S.
+//
+// Threshold
+// ---------
+// Default 10× the runtime's heartbeat interval (≈100s for hermes that
+// beats every 10s during stream output). 10× is the heuristic from the
+// RFC #2829 design discussion: it tolerates legitimate slow LLM
+// responses (a single completion can stall a heartbeat for 30-60s) while
+// still catching real wedges within ~2 minutes. Operators override via
+// DELEGATION_STUCK_THRESHOLD_S.
+//
+// Safety
+// ------
+// All transitions go through DelegationLedger.SetStatus so the
+// terminal-state forward-only protection applies — a delegation that
+// just transitioned to completed concurrently with the sweep won't be
+// flipped back to failed/stuck. The ledger's same-status replay no-op
+// also makes re-running the sweep idempotent.
+
+const (
+	defaultSweeperInterval = 5 * time.Minute
+
+	// 10min = 60× the typical 10s hermes heartbeat. Tightens to ~10×
+	// once the user community settles on a tighter heartbeat cadence;
+	// today's mix of runtimes (hermes 10s, claude-code 30-60s, langchain
+	// minute-scale) needs the looser threshold to avoid false positives.
+	defaultStuckThreshold = 10 * time.Minute
+)
+
+// DelegationSweeper runs the periodic sweep. Construct via
+// NewDelegationSweeper, then Start(ctx) in main.go to begin ticking.
+type DelegationSweeper struct {
+	db        *sql.DB
+	ledger    *DelegationLedger
+	interval  time.Duration
+	threshold time.Duration
+}
+
+// NewDelegationSweeper builds a sweeper bound to the package db.DB
+// (production wiring) or a test handle. Reads optional env overrides
+// at construction time so a long-running process picks them up via
+// restart, not mid-flight.
+func NewDelegationSweeper(handle *sql.DB, ledger *DelegationLedger) *DelegationSweeper {
+	if handle == nil {
+		handle = db.DB
+	}
+	if ledger == nil {
+		ledger = NewDelegationLedger(handle)
+	}
+	return &DelegationSweeper{
+		db:        handle,
+		ledger:    ledger,
+		interval:  envDuration("DELEGATION_SWEEPER_INTERVAL_S", defaultSweeperInterval),
+		threshold: envDuration("DELEGATION_STUCK_THRESHOLD_S", defaultStuckThreshold),
+	}
+}
+
+// envDuration parses an integer-seconds env var into a Duration. Falls
+// back to def on missing/invalid input — never fails fast on misconfig
+// (a typo'd env var should run with sane defaults, not crash startup).
+func envDuration(key string, def time.Duration) time.Duration {
+	v := os.Getenv(key)
+	if v == "" {
+		return def
+	}
+	n, err := strconv.Atoi(v)
+	if err != nil || n <= 0 {
+		log.Printf("delegation_sweeper: invalid %s=%q, using default %s", key, v, def)
+		return def
+	}
+	return time.Duration(n) * time.Second
+}
+
+// Interval exposes the configured tick cadence — tests use it; main.go
+// uses it implicitly via Start.
+func (s *DelegationSweeper) Interval() time.Duration { return s.interval }
+
+// Threshold exposes the heartbeat-staleness threshold.
+func (s *DelegationSweeper) Threshold() time.Duration { return s.threshold }
+
+// Start ticks Sweep() at the configured interval until ctx is cancelled.
+// Defers panic recovery so a single bad row can't kill the sweeper.
+//
+// Wired into main.go: `go sweeper.Start(ctx)`. No-op until both the
+// `delegations` table (PR-1) and the result-push flag (PR-2) have rolled
+// out — the sweeper just won't find any rows to mark.
+func (s *DelegationSweeper) Start(ctx context.Context) {
+	t := time.NewTicker(s.interval)
+	defer t.Stop()
+	log.Printf("DelegationSweeper: started (interval=%s, stuck-threshold=%s)",
+		s.interval, s.threshold)
+
+	tickWithRecover := func() {
+		defer func() {
+			if r := recover(); r != nil {
+				log.Printf("DelegationSweeper: PANIC in tick — recovered: %v", r)
+			}
+		}()
+		s.Sweep(ctx)
+	}
+
+	// First sweep immediately so operators see it run on startup, not
+	// after waiting one interval.
+	tickWithRecover()
+
+	for {
+		select {
+		case <-ctx.Done():
+			log.Printf("DelegationSweeper: stopped")
+			return
+		case <-t.C:
+			tickWithRecover()
+		}
+	}
+}
+
+// SweepResult records what the last sweep changed. Surfaced via the
+// admin dashboard (PR-4); also useful for tests to assert behavior
+// without diffing log lines.
+type SweepResult struct {
+	DeadlineFailures int
+	StuckMarked      int
+	Errors           int
+}
+
+// Sweep runs one pass: find every in-flight delegation, mark deadline-
+// exceeded as failed, mark heartbeat-stale as stuck. Returns counts
+// for observability.
+//
+// SQL strategy: one indexed scan over the partial inflight index, two
+// updaters per offending row. We fold both checks into a single SELECT
+// to amortize the round-trip — the row count in flight at any time
+// is small (single-digit hundreds even on a busy tenant), so reading
+// them all and dispatching SetStatus per-row is cheaper than two
+// separate UPDATEs with bespoke WHERE clauses.
+func (s *DelegationSweeper) Sweep(ctx context.Context) SweepResult {
+	res := SweepResult{}
+
+	rows, err := s.db.QueryContext(ctx, `
+		SELECT delegation_id, last_heartbeat, deadline
+		  FROM delegations
+		 WHERE status IN ('queued','dispatched','in_progress')
+	`)
+	if err != nil {
+		log.Printf("DelegationSweeper: query failed: %v", err)
+		res.Errors++
+		return res
+	}
+	defer rows.Close()
+
+	now := time.Now()
+	type candidate struct {
+		id       string
+		lastBeat sql.NullTime
+		deadline time.Time
+	}
+	var todo []candidate
+	for rows.Next() {
+		var c candidate
+		if err := rows.Scan(&c.id, &c.lastBeat, &c.deadline); err != nil {
+			log.Printf("DelegationSweeper: scan failed: %v", err)
+			res.Errors++
+			continue
+		}
+		todo = append(todo, c)
+	}
+	if err := rows.Err(); err != nil {
+		log.Printf("DelegationSweeper: rows.Err: %v", err)
+		res.Errors++
+	}
+
+	for _, c := range todo {
+		// Deadline first — stronger statement than stuck.
+		if now.After(c.deadline) {
+			if err := s.ledger.SetStatus(ctx, c.id, "failed",
+				"deadline exceeded by sweeper", ""); err != nil {
+				log.Printf("DelegationSweeper: SetStatus(%s, failed): %v", c.id, err)
+				res.Errors++
+				continue
+			}
+			res.DeadlineFailures++
+			continue
+		}
+
+		// Heartbeat staleness. A NULL last_heartbeat counts as stale ONLY
+		// if the row has lived past one threshold since creation — gives
+		// the agent one full window to emit its first beat. We fold this
+		// by treating NULL as "created_at — but we don't have created_at
+		// in the SELECT. Approximate: NULL last_heartbeat + deadline more
+		// than (5h, default deadline=6h) away from now means the row was
+		// created ≤1h ago, give it a free pass. Simpler heuristic: NULL
+		// heartbeat is only stale if deadline is already imminent (within
+		// 1 threshold).
+		var lastBeat time.Time
+		if c.lastBeat.Valid {
+			lastBeat = c.lastBeat.Time
+		}
+		if !c.lastBeat.Valid {
+			// Row never heartbeat. Don't mark stuck — let the deadline
+			// catch it. Reduces false positives during the agent's first
+			// beat window after restart.
+			continue
+		}
+		if now.Sub(lastBeat) > s.threshold {
+			if err := s.ledger.SetStatus(ctx, c.id, "stuck",
+				"no heartbeat for "+now.Sub(lastBeat).Round(time.Second).String(),
+				""); err != nil {
+				log.Printf("DelegationSweeper: SetStatus(%s, stuck): %v", c.id, err)
+				res.Errors++
+				continue
+			}
+			res.StuckMarked++
+		}
+	}
+
+	if res.DeadlineFailures > 0 || res.StuckMarked > 0 || res.Errors > 0 {
+		log.Printf("DelegationSweeper: sweep complete — deadline_failures=%d stuck=%d errors=%d",
+			res.DeadlineFailures, res.StuckMarked, res.Errors)
+	}
+	return res
+}
diff --git a/workspace-server/internal/handlers/delegation_sweeper_test.go b/workspace-server/internal/handlers/delegation_sweeper_test.go
new file mode 100644
index 00000000..3f93fb31
--- /dev/null
+++ b/workspace-server/internal/handlers/delegation_sweeper_test.go
@@ -0,0 +1,314 @@
+package handlers
+
+import (
+	"context"
+	"database/sql"
+	"testing"
+	"time"
+
+	"github.com/DATA-DOG/go-sqlmock"
+)
+
+// delegation_sweeper_test.go — coverage for the RFC #2829 PR-3 stuck-task
+// sweeper. Validates:
+//
+//   1. Deadline-exceeded rows are marked failed.
+//   2. Heartbeat-stale rows (lastBeat older than threshold) are marked stuck.
+//   3. NULL last_heartbeat is NOT marked stuck (free first-beat pass).
+//   4. Healthy in-flight rows (recent heartbeat, future deadline) are
+//      left alone.
+//   5. Empty in-flight set is a clean no-op.
+//   6. Both rules apply in one sweep without double-marking.
+//   7. Env-override interval/threshold parse correctly + fall back on
+//      invalid input.
+
+func TestSweeper_HappyPath_NoInflightRowsIsCleanNoOp(t *testing.T) {
+	mock := setupTestDB(t)
+	ledger := NewDelegationLedger(nil)
+	sw := NewDelegationSweeper(nil, ledger)
+
+	mock.ExpectQuery(`SELECT delegation_id, last_heartbeat, deadline\s+FROM delegations`).
+		WillReturnRows(sqlmock.NewRows([]string{"delegation_id", "last_heartbeat", "deadline"}))
+
+	res := sw.Sweep(context.Background())
+	if res.DeadlineFailures != 0 || res.StuckMarked != 0 || res.Errors != 0 {
+		t.Errorf("empty in-flight set must produce zero changes; got %+v", res)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet: %v", err)
+	}
+}
+
+func TestSweeper_DeadlineExceededIsMarkedFailed(t *testing.T) {
+	mock := setupTestDB(t)
+	ledger := NewDelegationLedger(nil)
+	sw := NewDelegationSweeper(nil, ledger)
+
+	past := time.Now().Add(-1 * time.Minute)
+	mock.ExpectQuery(`SELECT delegation_id, last_heartbeat, deadline\s+FROM delegations`).
+		WillReturnRows(sqlmock.NewRows([]string{"delegation_id", "last_heartbeat", "deadline"}).
+			AddRow("deleg-overdue", time.Now(), past))
+
+	// SetStatus reads current status...
+	mock.ExpectQuery(`SELECT status FROM delegations WHERE delegation_id = \$1`).
+		WithArgs("deleg-overdue").
+		WillReturnRows(sqlmock.NewRows([]string{"status"}).AddRow("in_progress"))
+	// ...then updates to failed.
+	mock.ExpectExec(`UPDATE delegations`).
+		WithArgs("deleg-overdue", "failed", "deadline exceeded by sweeper", "").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	res := sw.Sweep(context.Background())
+	if res.DeadlineFailures != 1 {
+		t.Errorf("expected 1 deadline failure, got %d", res.DeadlineFailures)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet: %v", err)
+	}
+}
+
+func TestSweeper_StaleHeartbeatIsMarkedStuck(t *testing.T) {
+	mock := setupTestDB(t)
+	ledger := NewDelegationLedger(nil)
+	sw := NewDelegationSweeper(nil, ledger)
+
+	// Last heartbeat 30min ago — well past the 10min default threshold.
+	staleBeat := time.Now().Add(-30 * time.Minute)
+	future := time.Now().Add(2 * time.Hour) // deadline NOT exceeded
+
+	mock.ExpectQuery(`SELECT delegation_id, last_heartbeat, deadline\s+FROM delegations`).
+		WillReturnRows(sqlmock.NewRows([]string{"delegation_id", "last_heartbeat", "deadline"}).
+			AddRow("deleg-stuck", staleBeat, future))
+
+	mock.ExpectQuery(`SELECT status FROM delegations WHERE delegation_id = \$1`).
+		WithArgs("deleg-stuck").
+		WillReturnRows(sqlmock.NewRows([]string{"status"}).AddRow("in_progress"))
+
+	// We can't predict the exact "no heartbeat for Xs" string because
+	// the suffix depends on now() at sweep time; just match against any.
+	mock.ExpectExec(`UPDATE delegations`).
+		WithArgs("deleg-stuck", "stuck", sqlmock.AnyArg(), "").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	res := sw.Sweep(context.Background())
+	if res.StuckMarked != 1 {
+		t.Errorf("expected 1 stuck mark, got %d", res.StuckMarked)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet: %v", err)
+	}
+}
+
+func TestSweeper_NullHeartbeatIsLeftAlone(t *testing.T) {
+	// A delegation that was JUST inserted (queued, no heartbeat yet) must
+	// not be flipped to stuck on the first sweep — give it the chance to
+	// emit its first beat.
+	mock := setupTestDB(t)
+	ledger := NewDelegationLedger(nil)
+	sw := NewDelegationSweeper(nil, ledger)
+
+	future := time.Now().Add(2 * time.Hour)
+	mock.ExpectQuery(`SELECT delegation_id, last_heartbeat, deadline\s+FROM delegations`).
+		WillReturnRows(sqlmock.NewRows([]string{"delegation_id", "last_heartbeat", "deadline"}).
+			AddRow("deleg-fresh", sql.NullTime{}, future))
+
+	res := sw.Sweep(context.Background())
+	if res.StuckMarked != 0 {
+		t.Errorf("NULL heartbeat must not be stuck-marked; got %d", res.StuckMarked)
+	}
+	if res.DeadlineFailures != 0 {
+		t.Errorf("future deadline must not fail; got %d", res.DeadlineFailures)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet: %v", err)
+	}
+}
+
+func TestSweeper_HealthyInflightRowsAreLeftAlone(t *testing.T) {
+	mock := setupTestDB(t)
+	ledger := NewDelegationLedger(nil)
+	sw := NewDelegationSweeper(nil, ledger)
+
+	freshBeat := time.Now().Add(-1 * time.Minute) // well within 10min threshold
+	future := time.Now().Add(2 * time.Hour)
+
+	mock.ExpectQuery(`SELECT delegation_id, last_heartbeat, deadline\s+FROM delegations`).
+		WillReturnRows(sqlmock.NewRows([]string{"delegation_id", "last_heartbeat", "deadline"}).
+			AddRow("deleg-healthy", freshBeat, future))
+
+	res := sw.Sweep(context.Background())
+	if res.DeadlineFailures != 0 || res.StuckMarked != 0 {
+		t.Errorf("healthy row must produce zero changes; got %+v", res)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet: %v", err)
+	}
+}
+
+func TestSweeper_DeadlineFiresFirstNotStuck(t *testing.T) {
+	// Row that's BOTH past deadline AND stale-heartbeat must be marked
+	// failed (deadline) not stuck — deadline is the stronger statement.
+	mock := setupTestDB(t)
+	ledger := NewDelegationLedger(nil)
+	sw := NewDelegationSweeper(nil, ledger)
+
+	staleBeat := time.Now().Add(-30 * time.Minute)
+	past := time.Now().Add(-5 * time.Minute)
+
+	mock.ExpectQuery(`SELECT delegation_id, last_heartbeat, deadline\s+FROM delegations`).
+		WillReturnRows(sqlmock.NewRows([]string{"delegation_id", "last_heartbeat", "deadline"}).
+			AddRow("deleg-both", staleBeat, past))
+
+	// Only the failed transition fires; no stuck transition.
+	mock.ExpectQuery(`SELECT status FROM delegations WHERE delegation_id = \$1`).
+		WithArgs("deleg-both").
+		WillReturnRows(sqlmock.NewRows([]string{"status"}).AddRow("in_progress"))
+	mock.ExpectExec(`UPDATE delegations`).
+		WithArgs("deleg-both", "failed", "deadline exceeded by sweeper", "").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	res := sw.Sweep(context.Background())
+	if res.DeadlineFailures != 1 || res.StuckMarked != 0 {
+		t.Errorf("expected 1 deadline failure, 0 stuck; got %+v", res)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet (stuck UPDATE may have fired by accident): %v", err)
+	}
+}
+
+func TestSweeper_MixedSetAppliesBothRules(t *testing.T) {
+	mock := setupTestDB(t)
+	ledger := NewDelegationLedger(nil)
+	sw := NewDelegationSweeper(nil, ledger)
+
+	now := time.Now()
+	mock.ExpectQuery(`SELECT delegation_id, last_heartbeat, deadline\s+FROM delegations`).
+		WillReturnRows(sqlmock.NewRows([]string{"delegation_id", "last_heartbeat", "deadline"}).
+			AddRow("deleg-overdue", now, now.Add(-1*time.Minute)).      // deadline → failed
+			AddRow("deleg-stuck", now.Add(-30*time.Minute), now.Add(2*time.Hour)). // stale → stuck
+			AddRow("deleg-healthy", now.Add(-30*time.Second), now.Add(2*time.Hour)), // healthy → no-op
+		)
+
+	// 1st: deadline → failed
+	mock.ExpectQuery(`SELECT status FROM delegations WHERE delegation_id = \$1`).
+		WithArgs("deleg-overdue").
+		WillReturnRows(sqlmock.NewRows([]string{"status"}).AddRow("in_progress"))
+	mock.ExpectExec(`UPDATE delegations`).
+		WithArgs("deleg-overdue", "failed", "deadline exceeded by sweeper", "").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	// 2nd: stale → stuck
+	mock.ExpectQuery(`SELECT status FROM delegations WHERE delegation_id = \$1`).
+		WithArgs("deleg-stuck").
+		WillReturnRows(sqlmock.NewRows([]string{"status"}).AddRow("in_progress"))
+	mock.ExpectExec(`UPDATE delegations`).
+		WithArgs("deleg-stuck", "stuck", sqlmock.AnyArg(), "").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	// 3rd: healthy — no SQL fired
+
+	res := sw.Sweep(context.Background())
+	if res.DeadlineFailures != 1 || res.StuckMarked != 1 {
+		t.Errorf("expected 1 failure + 1 stuck, got %+v", res)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet: %v", err)
+	}
+}
+
+func TestSweeper_TerminalReplayFromConcurrentCompletionIsIgnored(t *testing.T) {
+	// Edge case: row was marked completed by UpdateStatus between the
+	// SELECT and the SetStatus call. SetStatus's forward-only protection
+	// returns ErrInvalidTransition; sweeper increments Errors but the
+	// row is correctly left in completed state.
+	mock := setupTestDB(t)
+	ledger := NewDelegationLedger(nil)
+	sw := NewDelegationSweeper(nil, ledger)
+
+	past := time.Now().Add(-1 * time.Minute)
+	mock.ExpectQuery(`SELECT delegation_id, last_heartbeat, deadline\s+FROM delegations`).
+		WillReturnRows(sqlmock.NewRows([]string{"delegation_id", "last_heartbeat", "deadline"}).
+			AddRow("deleg-raced", time.Now(), past))
+
+	// SetStatus's status read finds the row already completed (concurrent UpdateStatus won).
+	mock.ExpectQuery(`SELECT status FROM delegations WHERE delegation_id = \$1`).
+		WithArgs("deleg-raced").
+		WillReturnRows(sqlmock.NewRows([]string{"status"}).AddRow("completed"))
+	// No UPDATE — terminal forward-only blocks it.
+
+	res := sw.Sweep(context.Background())
+	if res.Errors != 1 {
+		t.Errorf("forward-only block must surface as Error count; got %+v", res)
+	}
+	if res.DeadlineFailures != 0 {
+		t.Errorf("must NOT credit a deadline failure that didn't fire; got %d", res.DeadlineFailures)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet: %v", err)
+	}
+}
+
+// ---------- env override parsing ----------
+
+func TestEnvDuration_Default(t *testing.T) {
+	t.Setenv("MY_TEST_KEY", "")
+	if got := envDuration("MY_TEST_KEY", 7*time.Second); got != 7*time.Second {
+		t.Errorf("expected default 7s, got %v", got)
+	}
+}
+
+func TestEnvDuration_ParsesPositiveSeconds(t *testing.T) {
+	t.Setenv("MY_TEST_KEY", "42")
+	if got := envDuration("MY_TEST_KEY", 1*time.Second); got != 42*time.Second {
+		t.Errorf("expected 42s, got %v", got)
+	}
+}
+
+func TestEnvDuration_FallsBackOnInvalid(t *testing.T) {
+	t.Setenv("MY_TEST_KEY", "garbage")
+	if got := envDuration("MY_TEST_KEY", 5*time.Second); got != 5*time.Second {
+		t.Errorf("invalid input must fall back to default; got %v", got)
+	}
+}
+
+func TestEnvDuration_FallsBackOnNegative(t *testing.T) {
+	t.Setenv("MY_TEST_KEY", "-10")
+	if got := envDuration("MY_TEST_KEY", 5*time.Second); got != 5*time.Second {
+		t.Errorf("negative must fall back to default; got %v", got)
+	}
+}
+
+// TestSweeperConstructor_PicksUpEnvOverrides — interval + threshold env
+// vars are read at construction time. Confirms the wiring contract; if
+// somebody adds a new env var without plumbing it, this fails.
+func TestSweeperConstructor_PicksUpEnvOverrides(t *testing.T) {
+	t.Setenv("DELEGATION_SWEEPER_INTERVAL_S", "60")
+	t.Setenv("DELEGATION_STUCK_THRESHOLD_S", "120")
+
+	mock := setupTestDB(t)
+	_ = mock // unused — constructor doesn't fire SQL
+	sw := NewDelegationSweeper(nil, nil)
+
+	if sw.Interval() != 60*time.Second {
+		t.Errorf("interval override not picked up: got %v", sw.Interval())
+	}
+	if sw.Threshold() != 120*time.Second {
+		t.Errorf("threshold override not picked up: got %v", sw.Threshold())
+	}
+}
+
+func TestSweeperConstructor_DefaultsWhenEnvUnset(t *testing.T) {
+	t.Setenv("DELEGATION_SWEEPER_INTERVAL_S", "")
+	t.Setenv("DELEGATION_STUCK_THRESHOLD_S", "")
+
+	mock := setupTestDB(t)
+	_ = mock
+	sw := NewDelegationSweeper(nil, nil)
+
+	if sw.Interval() != defaultSweeperInterval {
+		t.Errorf("default interval not used: got %v", sw.Interval())
+	}
+	if sw.Threshold() != defaultStuckThreshold {
+		t.Errorf("default threshold not used: got %v", sw.Threshold())
+	}
+}
diff --git a/workspace-server/internal/handlers/external_connection.go b/workspace-server/internal/handlers/external_connection.go
index 249e74a7..b12d08fa 100644
--- a/workspace-server/internal/handlers/external_connection.go
+++ b/workspace-server/internal/handlers/external_connection.go
@@ -8,13 +8,51 @@ package handlers
 // to piece together workspace_id + platform_url + auth_token + API
 // shape from the docs. curl snippet has zero dependencies; Python
 // snippet pairs with molecule-sdk-python's A2AServer + RemoteAgentClient.
+//
+// BuildExternalConnectionPayload (below) is the single source of truth
+// for the payload shape — used by Create (#workspace.go), Rotate
+// (#external_rotate.go), and the read-only "show instructions again"
+// endpoint. Adding a snippet means adding it here once; the three
+// callers pick it up automatically.
 
 import (
 	"os"
+	"strings"
 
 	"github.com/gin-gonic/gin"
 )
 
+// BuildExternalConnectionPayload assembles the gin.H payload that the
+// canvas's ExternalConnectModal consumes. Pure data — caller owns DB
+// reads (workspace_id) and token minting (auth_token).
+//
+// authToken may be empty for the read-only "show instructions again"
+// path; the modal masks the field in that case rather than displaying
+// an empty string.
+func BuildExternalConnectionPayload(platformURL, workspaceID, authToken string) gin.H {
+	pURL := strings.TrimSuffix(platformURL, "/")
+	stamp := func(tmpl string) string {
+		return strings.ReplaceAll(
+			strings.ReplaceAll(tmpl, "{{PLATFORM_URL}}", pURL),
+			"{{WORKSPACE_ID}}", workspaceID,
+		)
+	}
+	return gin.H{
+		"workspace_id":                workspaceID,
+		"platform_url":                pURL,
+		"auth_token":                  authToken,
+		"registry_endpoint":           pURL + "/registry/register",
+		"heartbeat_endpoint":          pURL + "/registry/heartbeat",
+		"curl_register_template":      stamp(externalCurlTemplate),
+		"python_snippet":              stamp(externalPythonTemplate),
+		"claude_code_channel_snippet": stamp(externalChannelTemplate),
+		"universal_mcp_snippet":       stamp(externalUniversalMcpTemplate),
+		"hermes_channel_snippet":      stamp(externalHermesChannelTemplate),
+		"codex_snippet":               stamp(externalCodexTemplate),
+		"openclaw_snippet":            stamp(externalOpenClawTemplate),
+	}
+}
+
 // externalPlatformURL returns the public URL at which this workspace-
 // server instance is reachable by the operator's external agent. This
 // is NOT necessarily the caller's Host header (which could be an
@@ -312,9 +350,9 @@ const externalCodexTemplate = `# Codex external setup — outbound tools (MCP) +
 # session.
 
 # 1. Install codex CLI, the workspace runtime, and the bridge daemon:
-npm install -g @openai/codex@^0.57
+npm install -g @openai/codex@latest
 pip install molecule-ai-workspace-runtime
-pip install 'git+https://github.com/Molecule-AI/codex-channel-molecule.git'
+pip install codex-channel-molecule
 
 # 2. Wire the molecule MCP server into codex's config.toml — this is
 #    the OUTBOUND path (codex calls list_peers / delegate_task /
diff --git a/workspace-server/internal/handlers/external_rotate.go b/workspace-server/internal/handlers/external_rotate.go
new file mode 100644
index 00000000..887bddd5
--- /dev/null
+++ b/workspace-server/internal/handlers/external_rotate.go
@@ -0,0 +1,163 @@
+package handlers
+
+import (
+	"context"
+	"database/sql"
+	"errors"
+	"log"
+	"net/http"
+
+	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
+	"github.com/Molecule-AI/molecule-monorepo/platform/internal/wsauth"
+	"github.com/gin-gonic/gin"
+)
+
+// external_rotate.go — operator-facing endpoints for credential lifecycle
+// on runtime=external workspaces.
+//
+//   POST /workspaces/:id/external/rotate
+//     Mints a fresh workspace_auth_token, revokes any prior live tokens
+//     for the same workspace, and returns the same payload shape Create
+//     returns. Old credentials stop working immediately — the next
+//     heartbeat from the previously-paired agent will fail auth.
+//
+//   GET /workspaces/:id/external/connection
+//     Returns the connection payload WITHOUT minting (auth_token = "").
+//     For the operator who lost their copy of the snippet but still has
+//     the token elsewhere — they want the rest of the connect block
+//     (PLATFORM_URL, WORKSPACE_ID, registry endpoints, all 7 snippets)
+//     without invalidating the live agent.
+//
+// Both endpoints reject runtime ≠ external with 400 — the "external
+// connection" payload only makes sense for awaiting-agent / online-
+// external workspaces. A user clicking Rotate on a hermes / claude-code
+// workspace would silently break ssh-EIC tunnel auth, which is worse
+// than refusing the action.
+
+// RotateExternalCredentials handles POST /workspaces/:id/external/rotate.
+//
+// Why this endpoint exists: today the auth_token is only revealed once
+// (on Create), via the Modal that closes after the operator dismisses
+// it. There's no recovery path — lost the token, lost the workspace.
+// Rotation gives operators a way to (a) recover from lost credentials
+// and (b) respond to a suspected leak without recreating the workspace
+// from scratch (which would also invalidate any cross-workspace
+// delegation links + memory namespace).
+func (h *WorkspaceHandler) RotateExternalCredentials(c *gin.Context) {
+	id := c.Param("id")
+	if id == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "id required"})
+		return
+	}
+	ctx := c.Request.Context()
+
+	runtime, err := lookupWorkspaceRuntime(ctx, db.DB, id)
+	if errors.Is(err, sql.ErrNoRows) {
+		c.JSON(http.StatusNotFound, gin.H{"error": "workspace not found"})
+		return
+	}
+	if err != nil {
+		log.Printf("RotateExternalCredentials(%s): runtime lookup failed: %v", id, err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "lookup failed"})
+		return
+	}
+	if runtime != "external" {
+		// Rotating a hermes/claude-code workspace's bearer would not
+		// just break the ssh-EIC tunnel auth on the platform side — it
+		// would also leave the workspace's in-container heartbeat with
+		// a stale token until the next reboot. The right action for a
+		// non-external workspace's compromised credential is restart,
+		// which mints a fresh token AND injects it into the container
+		// (workspace_provision.go:issueAndInjectToken). Refuse cleanly
+		// here so the canvas can show "rotate is for external workspaces;
+		// click Restart instead" rather than silently corrupting state.
+		c.JSON(http.StatusBadRequest, gin.H{
+			"error":   "rotate is only valid for runtime=external workspaces",
+			"runtime": runtime,
+			"hint":    "use POST /workspaces/:id/restart for non-external runtimes",
+		})
+		return
+	}
+
+	// Revoke first, then mint. Order matters: if mint fails, the
+	// workspace is left without any live token (operator can retry) —
+	// that's better than the inverse where mint succeeds + revoke fails
+	// and TWO live tokens end up valid (the previous one + the new one),
+	// silently leaving the leaked credential alive.
+	if err := wsauth.RevokeAllForWorkspace(ctx, db.DB, id); err != nil {
+		log.Printf("RotateExternalCredentials(%s): revoke failed: %v", id, err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "revoke failed"})
+		return
+	}
+	tok, err := wsauth.IssueToken(ctx, db.DB, id)
+	if err != nil {
+		log.Printf("RotateExternalCredentials(%s): mint failed: %v", id, err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "mint failed"})
+		return
+	}
+
+	// Audit broadcast — operators reviewing the activity feed should
+	// see when credentials were rotated. No PII; the token plaintext
+	// is NOT logged.
+	if h.broadcaster != nil {
+		h.broadcaster.RecordAndBroadcast(ctx, "EXTERNAL_CREDENTIALS_ROTATED", id, map[string]interface{}{
+			"workspace_id": id,
+		})
+	}
+
+	platformURL := externalPlatformURL(c)
+	c.JSON(http.StatusOK, gin.H{
+		"connection": BuildExternalConnectionPayload(platformURL, id, tok),
+	})
+}
+
+// GetExternalConnection handles GET /workspaces/:id/external/connection.
+//
+// Returns the connect-block WITHOUT minting (auth_token = ""). For the
+// operator who needs to re-find PLATFORM_URL / WORKSPACE_ID / one of
+// the snippets (their note app got wiped, they switched machines, etc.)
+// but doesn't want to invalidate the live external agent.
+//
+// The canvas modal masks the auth_token field in this mode and labels
+// it "(rotate to reveal a new token — current token is unrecoverable)".
+func (h *WorkspaceHandler) GetExternalConnection(c *gin.Context) {
+	id := c.Param("id")
+	if id == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "id required"})
+		return
+	}
+	ctx := c.Request.Context()
+
+	runtime, err := lookupWorkspaceRuntime(ctx, db.DB, id)
+	if errors.Is(err, sql.ErrNoRows) {
+		c.JSON(http.StatusNotFound, gin.H{"error": "workspace not found"})
+		return
+	}
+	if err != nil {
+		log.Printf("GetExternalConnection(%s): runtime lookup failed: %v", id, err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "lookup failed"})
+		return
+	}
+	if runtime != "external" {
+		c.JSON(http.StatusBadRequest, gin.H{
+			"error":   "connection payload is only valid for runtime=external workspaces",
+			"runtime": runtime,
+		})
+		return
+	}
+
+	platformURL := externalPlatformURL(c)
+	c.JSON(http.StatusOK, gin.H{
+		"connection": BuildExternalConnectionPayload(platformURL, id, ""),
+	})
+}
+
+// lookupWorkspaceRuntime returns the workspace's runtime field. Wrapped
+// for readability + so tests can mock the single SELECT.
+func lookupWorkspaceRuntime(ctx context.Context, handle *sql.DB, id string) (string, error) {
+	var runtime string
+	err := handle.QueryRowContext(ctx, `
+		SELECT COALESCE(runtime, '') FROM workspaces WHERE id = $1
+	`, id).Scan(&runtime)
+	return runtime, err
+}
diff --git a/workspace-server/internal/handlers/external_rotate_test.go b/workspace-server/internal/handlers/external_rotate_test.go
new file mode 100644
index 00000000..bddc120c
--- /dev/null
+++ b/workspace-server/internal/handlers/external_rotate_test.go
@@ -0,0 +1,310 @@
+package handlers
+
+import (
+	"bytes"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/DATA-DOG/go-sqlmock"
+	"github.com/gin-gonic/gin"
+)
+
+// external_rotate_test.go — coverage for the credential-rotate +
+// re-show-instructions endpoints (#319).
+//
+// What we pin:
+//   1. Rotate happy path — revoke + mint fire in the right order, response
+//      shape matches BuildExternalConnectionPayload, broadcast event
+//      'EXTERNAL_CREDENTIALS_ROTATED' is emitted.
+//   2. Rotate refuses non-external runtimes with 400 + the hint text.
+//   3. Rotate 404 on unknown workspace.
+//   4. GetExternalConnection happy path returns auth_token="" + the same
+//      payload shape.
+//   5. GetExternalConnection refuses non-external + 404 on unknown.
+//   6. BuildExternalConnectionPayload — placeholder substitution +
+//      trailing-slash trimming on platformURL.
+
+// ---------- POST /external/rotate ----------
+
+func TestRotateExternalCredentials_HappyPath(t *testing.T) {
+	mock := setupTestDB(t)
+	setupTestRedis(t)
+	wh := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
+
+	// 1. Runtime lookup
+	mock.ExpectQuery(`SELECT COALESCE\(runtime, ''\) FROM workspaces WHERE id = \$1`).
+		WithArgs("ws-ext").
+		WillReturnRows(sqlmock.NewRows([]string{"runtime"}).AddRow("external"))
+
+	// 2. Revoke all live tokens
+	mock.ExpectExec(`UPDATE workspace_auth_tokens`).
+		WithArgs("ws-ext").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	// 3. Mint a fresh token
+	mock.ExpectExec(`INSERT INTO workspace_auth_tokens`).
+		WithArgs("ws-ext", sqlmock.AnyArg(), sqlmock.AnyArg()).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "ws-ext"}}
+	c.Request = httptest.NewRequest("POST",
+		"/workspaces/ws-ext/external/rotate", bytes.NewBufferString("{}"))
+	c.Request.Header.Set("Content-Type", "application/json")
+	c.Request.Host = "platform.example.test"
+	c.Request.Header.Set("X-Forwarded-Proto", "https")
+
+	wh.RotateExternalCredentials(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var body struct {
+		Connection map[string]interface{} `json:"connection"`
+	}
+	if err := json.Unmarshal(w.Body.Bytes(), &body); err != nil {
+		t.Fatalf("parse: %v", err)
+	}
+	if got := body.Connection["workspace_id"]; got != "ws-ext" {
+		t.Errorf("workspace_id: got %v", got)
+	}
+	if got := body.Connection["auth_token"]; got == "" || got == nil {
+		t.Errorf("auth_token must be non-empty after mint; got %v", got)
+	}
+	if got := body.Connection["platform_url"]; got != "https://platform.example.test" {
+		t.Errorf("platform_url: got %v", got)
+	}
+	for _, k := range []string{
+		"curl_register_template", "python_snippet",
+		"claude_code_channel_snippet", "universal_mcp_snippet",
+		"hermes_channel_snippet", "codex_snippet", "openclaw_snippet",
+	} {
+		if _, ok := body.Connection[k]; !ok {
+			t.Errorf("payload missing snippet field: %s", k)
+		}
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock: %v", err)
+	}
+}
+
+func TestRotateExternalCredentials_RejectsNonExternal(t *testing.T) {
+	mock := setupTestDB(t)
+	setupTestRedis(t)
+	wh := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
+
+	mock.ExpectQuery(`SELECT COALESCE\(runtime, ''\) FROM workspaces WHERE id = \$1`).
+		WithArgs("ws-hermes").
+		WillReturnRows(sqlmock.NewRows([]string{"runtime"}).AddRow("hermes"))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "ws-hermes"}}
+	c.Request = httptest.NewRequest("POST",
+		"/workspaces/ws-hermes/external/rotate", nil)
+
+	wh.RotateExternalCredentials(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400 for non-external runtime, got %d", w.Code)
+	}
+	if !strings.Contains(w.Body.String(), "external") {
+		t.Errorf("body should mention 'external'; got: %s", w.Body.String())
+	}
+	if !strings.Contains(w.Body.String(), "restart") {
+		t.Errorf("body should hint at restart for non-external; got: %s", w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet: %v", err)
+	}
+}
+
+func TestRotateExternalCredentials_NotFound(t *testing.T) {
+	mock := setupTestDB(t)
+	setupTestRedis(t)
+	wh := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
+
+	mock.ExpectQuery(`SELECT COALESCE\(runtime, ''\) FROM workspaces WHERE id = \$1`).
+		WithArgs("ws-missing").
+		WillReturnRows(sqlmock.NewRows([]string{"runtime"})) // no rows
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "ws-missing"}}
+	c.Request = httptest.NewRequest("POST",
+		"/workspaces/ws-missing/external/rotate", nil)
+
+	wh.RotateExternalCredentials(c)
+
+	if w.Code != http.StatusNotFound {
+		t.Errorf("expected 404, got %d", w.Code)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet: %v", err)
+	}
+}
+
+func TestRotateExternalCredentials_RejectsEmptyID(t *testing.T) {
+	setupTestDB(t)
+	setupTestRedis(t)
+	wh := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("POST", "/workspaces//external/rotate", nil)
+
+	wh.RotateExternalCredentials(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400 for empty id, got %d", w.Code)
+	}
+}
+
+// ---------- GET /external/connection ----------
+
+func TestGetExternalConnection_HappyPathReturnsBlankToken(t *testing.T) {
+	mock := setupTestDB(t)
+	setupTestRedis(t)
+	wh := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
+
+	mock.ExpectQuery(`SELECT COALESCE\(runtime, ''\) FROM workspaces WHERE id = \$1`).
+		WithArgs("ws-ext").
+		WillReturnRows(sqlmock.NewRows([]string{"runtime"}).AddRow("external"))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "ws-ext"}}
+	c.Request = httptest.NewRequest("GET",
+		"/workspaces/ws-ext/external/connection", nil)
+	c.Request.Host = "platform.example.test"
+	c.Request.Header.Set("X-Forwarded-Proto", "https")
+
+	wh.GetExternalConnection(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d", w.Code)
+	}
+	var body struct {
+		Connection map[string]interface{} `json:"connection"`
+	}
+	if err := json.Unmarshal(w.Body.Bytes(), &body); err != nil {
+		t.Fatalf("parse: %v", err)
+	}
+	if body.Connection["auth_token"] != "" {
+		t.Errorf("auth_token MUST be empty in re-show path; got %v", body.Connection["auth_token"])
+	}
+	if body.Connection["workspace_id"] != "ws-ext" {
+		t.Errorf("workspace_id wrong: %v", body.Connection["workspace_id"])
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet: %v", err)
+	}
+}
+
+func TestGetExternalConnection_RejectsNonExternal(t *testing.T) {
+	mock := setupTestDB(t)
+	setupTestRedis(t)
+	wh := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
+
+	mock.ExpectQuery(`SELECT COALESCE\(runtime, ''\) FROM workspaces WHERE id = \$1`).
+		WithArgs("ws-claude").
+		WillReturnRows(sqlmock.NewRows([]string{"runtime"}).AddRow("claude-code"))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "ws-claude"}}
+	c.Request = httptest.NewRequest("GET",
+		"/workspaces/ws-claude/external/connection", nil)
+
+	wh.GetExternalConnection(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400 for non-external, got %d", w.Code)
+	}
+}
+
+func TestGetExternalConnection_NotFound(t *testing.T) {
+	mock := setupTestDB(t)
+	setupTestRedis(t)
+	wh := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
+
+	mock.ExpectQuery(`SELECT COALESCE\(runtime, ''\) FROM workspaces WHERE id = \$1`).
+		WithArgs("ws-missing").
+		WillReturnRows(sqlmock.NewRows([]string{"runtime"}))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "ws-missing"}}
+	c.Request = httptest.NewRequest("GET",
+		"/workspaces/ws-missing/external/connection", nil)
+
+	wh.GetExternalConnection(c)
+
+	if w.Code != http.StatusNotFound {
+		t.Errorf("expected 404, got %d", w.Code)
+	}
+}
+
+// ---------- BuildExternalConnectionPayload (pure helper) ----------
+
+func TestBuildExternalConnectionPayload_StampsPlaceholders(t *testing.T) {
+	got := BuildExternalConnectionPayload("https://platform.test", "ws-7", "tok-abc")
+
+	if got["workspace_id"] != "ws-7" {
+		t.Errorf("workspace_id: %v", got["workspace_id"])
+	}
+	if got["auth_token"] != "tok-abc" {
+		t.Errorf("auth_token: %v", got["auth_token"])
+	}
+	if got["platform_url"] != "https://platform.test" {
+		t.Errorf("platform_url: %v", got["platform_url"])
+	}
+	if got["registry_endpoint"] != "https://platform.test/registry/register" {
+		t.Errorf("registry_endpoint: %v", got["registry_endpoint"])
+	}
+	// {{PLATFORM_URL}} + {{WORKSPACE_ID}} placeholders must be substituted
+	// out of every snippet — if any snippet still contains a literal
+	// "{{PLATFORM_URL}}" or "{{WORKSPACE_ID}}", a future template author
+	// forgot to use the placeholder convention and operators see broken
+	// snippets.
+	for _, k := range []string{
+		"curl_register_template", "python_snippet",
+		"claude_code_channel_snippet", "universal_mcp_snippet",
+		"hermes_channel_snippet", "codex_snippet", "openclaw_snippet",
+	} {
+		v, _ := got[k].(string)
+		if strings.Contains(v, "{{PLATFORM_URL}}") {
+			t.Errorf("%s still contains literal {{PLATFORM_URL}}", k)
+		}
+		if strings.Contains(v, "{{WORKSPACE_ID}}") {
+			t.Errorf("%s still contains literal {{WORKSPACE_ID}}", k)
+		}
+	}
+}
+
+func TestBuildExternalConnectionPayload_TrimsTrailingSlash(t *testing.T) {
+	// platform_url passed in with trailing slash must be trimmed before
+	// being concatenated into endpoint paths — otherwise the operator
+	// gets `https://platform.test//registry/register` (double slash) which
+	// some servers reject as a redirect target.
+	got := BuildExternalConnectionPayload("https://platform.test/", "ws-7", "")
+	if got["platform_url"] != "https://platform.test" {
+		t.Errorf("platform_url: trailing slash not trimmed; got %v", got["platform_url"])
+	}
+	if got["registry_endpoint"] != "https://platform.test/registry/register" {
+		t.Errorf("registry_endpoint should not have double slash; got %v", got["registry_endpoint"])
+	}
+}
+
+func TestBuildExternalConnectionPayload_BlankAuthTokenIsAllowed(t *testing.T) {
+	// Re-show path: auth_token="" is the contract; the modal masks the
+	// field and labels it "rotate to reveal a new token".
+	got := BuildExternalConnectionPayload("https://platform.test", "ws-7", "")
+	if got["auth_token"] != "" {
+		t.Errorf("blank token must propagate as \"\"; got %v", got["auth_token"])
+	}
+}
diff --git a/workspace-server/internal/handlers/memories.go b/workspace-server/internal/handlers/memories.go
index 3efff1dc..137bab90 100644
--- a/workspace-server/internal/handlers/memories.go
+++ b/workspace-server/internal/handlers/memories.go
@@ -475,6 +475,177 @@ func (h *MemoriesHandler) Search(c *gin.Context) {
 	c.JSON(http.StatusOK, memories)
 }
 
+// Update handles PATCH /workspaces/:id/memories/:memoryId
+//
+// Edits an existing semantic-memory row's content and/or namespace.
+// Both body fields are optional; at least one must be present (a body
+// with neither returns 400 — there's nothing to do, and silently
+// no-op'ing would let a buggy client think it had succeeded).
+//
+// Content edits re-run the same security pipeline as Commit: secret
+// redaction (#1201) on every scope, plus delimiter-spoofing escape on
+// GLOBAL. Skipping either when content changes would mean an Edit
+// becomes a back-door past the policies a Commit enforces. The same
+// re-embedding rule applies — a stale embedding for the new content
+// would silently break semantic search. GLOBAL audit log fires on
+// content change so the forensic trail captures edits, not just
+// initial writes.
+//
+// Namespace edits are validated against the same 50-char ceiling
+// Commit uses; cross-scope changes (e.g. LOCAL→GLOBAL) are NOT
+// supported here — that's a delete + recreate so the GLOBAL
+// access-control gate (only root workspaces can write GLOBAL) gets
+// re-evaluated from scratch.
+//
+// Returns 200 with the updated row's id+scope+namespace on success,
+// 400 on bad body, 404 when the memory doesn't exist or isn't owned
+// by this workspace, 500 on DB failure.
+func (h *MemoriesHandler) Update(c *gin.Context) {
+	workspaceID := c.Param("id")
+	memoryID := c.Param("memoryId")
+	ctx := c.Request.Context()
+
+	// json.Decode (not gin's ShouldBindJSON) so we can distinguish
+	// "field omitted" from "field set to empty string" — content="" is
+	// invalid; content omitted means "don't change content".
+	var body struct {
+		Content   *string `json:"content,omitempty"`
+		Namespace *string `json:"namespace,omitempty"`
+	}
+	if err := json.NewDecoder(c.Request.Body).Decode(&body); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid request body"})
+		return
+	}
+	if body.Content == nil && body.Namespace == nil {
+		c.JSON(http.StatusBadRequest, gin.H{
+			"error": "at least one of content or namespace must be set",
+		})
+		return
+	}
+	if body.Content != nil && *body.Content == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "content cannot be empty"})
+		return
+	}
+	if body.Namespace != nil {
+		if len(*body.Namespace) == 0 {
+			c.JSON(http.StatusBadRequest, gin.H{"error": "namespace cannot be empty"})
+			return
+		}
+		if len(*body.Namespace) > 50 {
+			c.JSON(http.StatusBadRequest, gin.H{"error": "namespace must be <= 50 characters"})
+			return
+		}
+	}
+
+	// Fetch current row to discover the scope (we need it for the
+	// GLOBAL delimiter-escape + audit log) and to confirm ownership.
+	// One round-trip rather than two: SELECT ... WHERE id AND
+	// workspace_id covers the 404 path without an extra existence check.
+	var existingScope, existingContent, existingNamespace string
+	if err := db.DB.QueryRowContext(ctx, `
+		SELECT scope, content, namespace
+		FROM agent_memories
+		WHERE id = $1 AND workspace_id = $2
+	`, memoryID, workspaceID).Scan(&existingScope, &existingContent, &existingNamespace); err != nil {
+		// sql.ErrNoRows or any other read failure — both surface as 404
+		// to avoid leaking row existence across workspaces.
+		c.JSON(http.StatusNotFound, gin.H{"error": "memory not found or not owned by this workspace"})
+		return
+	}
+
+	// Compute the new content (post-redaction, post-delimiter-escape)
+	// only when content is actually changing. This keeps namespace-only
+	// edits cheap (no embed call, no audit row).
+	newContent := existingContent
+	contentChanged := false
+	if body.Content != nil && *body.Content != existingContent {
+		c2 := *body.Content
+		c2, _ = redactSecrets(workspaceID, c2)
+		if existingScope == "GLOBAL" {
+			c2 = strings.ReplaceAll(c2, "[MEMORY ", "[_MEMORY ")
+		}
+		if c2 != existingContent {
+			newContent = c2
+			contentChanged = true
+		}
+	}
+
+	newNamespace := existingNamespace
+	if body.Namespace != nil && *body.Namespace != existingNamespace {
+		newNamespace = *body.Namespace
+	}
+
+	if !contentChanged && newNamespace == existingNamespace {
+		// Nothing to do post-normalisation (e.g. caller passed the
+		// SAME content + namespace). Return the existing shape so the
+		// caller's response-handling can stay uniform with the change
+		// path — silently no-op would force every client to special-
+		// case 204.
+		c.JSON(http.StatusOK, gin.H{
+			"id": memoryID, "scope": existingScope, "namespace": existingNamespace,
+			"changed": false,
+		})
+		return
+	}
+
+	if _, err := db.DB.ExecContext(ctx, `
+		UPDATE agent_memories
+		SET content = $1, namespace = $2, updated_at = now()
+		WHERE id = $3 AND workspace_id = $4
+	`, newContent, newNamespace, memoryID, workspaceID); err != nil {
+		log.Printf("Update memory error: %v", err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to update memory"})
+		return
+	}
+
+	// GLOBAL content edits write an audit row mirroring Commit's #767
+	// pattern. Namespace-only edits don't get an audit entry — the
+	// content (and its sha256) is unchanged, so there's nothing new
+	// for forensic replay to capture.
+	if existingScope == "GLOBAL" && contentChanged {
+		sum := sha256.Sum256([]byte(newContent))
+		auditBody, _ := json.Marshal(map[string]string{
+			"memory_id":      memoryID,
+			"namespace":      newNamespace,
+			"content_sha256": hex.EncodeToString(sum[:]),
+			"reason":         "edited",
+		})
+		summary := "GLOBAL memory edited: id=" + memoryID + " namespace=" + newNamespace
+		if _, auditErr := db.DB.ExecContext(ctx, `
+			INSERT INTO activity_logs (workspace_id, activity_type, source_id, summary, request_body, status)
+			VALUES ($1, $2, $3, $4, $5::jsonb, $6)
+		`, workspaceID, "memory_edit_global", workspaceID, summary, string(auditBody), "ok"); auditErr != nil {
+			log.Printf("Update: GLOBAL memory audit log failed for %s/%s: %v", workspaceID, memoryID, auditErr)
+		}
+	}
+
+	// Re-embed when content changed. Same non-fatal pattern as Commit:
+	// a failed embed leaves the row with its OLD vector (or no vector
+	// if the original Commit's embed also failed). Future Search calls
+	// fall through to FTS for this row.
+	if contentChanged && h.embed != nil {
+		if vec, embedErr := h.embed(ctx, newContent); embedErr != nil {
+			log.Printf("Update: embedding failed workspace=%s memory=%s: %v (kept stale embedding)",
+				workspaceID, memoryID, embedErr)
+		} else if fmtVec := formatVector(vec); fmtVec != "" {
+			if _, updateErr := db.DB.ExecContext(ctx,
+				`UPDATE agent_memories SET embedding = $1::vector WHERE id = $2`,
+				fmtVec, memoryID,
+			); updateErr != nil {
+				log.Printf("Update: embedding UPDATE failed workspace=%s memory=%s: %v",
+					workspaceID, memoryID, updateErr)
+			}
+		}
+	}
+
+	c.JSON(http.StatusOK, gin.H{
+		"id":        memoryID,
+		"scope":     existingScope,
+		"namespace": newNamespace,
+		"changed":   true,
+	})
+}
+
 // Delete handles DELETE /workspaces/:id/memories/:memoryId
 func (h *MemoriesHandler) Delete(c *gin.Context) {
 	workspaceID := c.Param("id")
diff --git a/workspace-server/internal/handlers/memories_test.go b/workspace-server/internal/handlers/memories_test.go
index 8b9bcedf..5fbf6db5 100644
--- a/workspace-server/internal/handlers/memories_test.go
+++ b/workspace-server/internal/handlers/memories_test.go
@@ -1083,4 +1083,219 @@ func TestCommitMemory_LocalScope_NoDelimiterEscape(t *testing.T) {
 	if err := mock.ExpectationsWereMet(); err != nil {
 		t.Errorf("LOCAL memory content should be stored verbatim: %v", err)
 	}
-}
\ No newline at end of file
+}
+// ---------- MemoriesHandler: Update (PATCH) ----------
+//
+// Pin the full Update flow: namespace-only edit, content edit (LOCAL),
+// content edit (GLOBAL with audit + delimiter escape), no-op edit, and
+// the 400 / 404 paths. Matches the security pipeline of Commit so an
+// edit can't become a back-door past the policies a write enforces.
+
+func TestMemoriesUpdate_NamespaceOnly_Success(t *testing.T) {
+	mock := setupTestDB(t)
+	setupTestRedis(t)
+	handler := NewMemoriesHandler()
+
+	mock.ExpectQuery("SELECT scope, content, namespace").
+		WithArgs("mem-1", "ws-1").
+		WillReturnRows(sqlmock.NewRows([]string{"scope", "content", "namespace"}).
+			AddRow("LOCAL", "old content", "general"))
+	mock.ExpectExec("UPDATE agent_memories").
+		WithArgs("old content", "facts", "mem-1", "ws-1").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "ws-1"}, {Key: "memoryId", Value: "mem-1"}}
+	c.Request = httptest.NewRequest("PATCH", "/", bytes.NewBufferString(`{"namespace":"facts"}`))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Update(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var resp map[string]interface{}
+	json.Unmarshal(w.Body.Bytes(), &resp)
+	if resp["namespace"] != "facts" {
+		t.Errorf("expected namespace=facts, got %v", resp["namespace"])
+	}
+	if resp["changed"] != true {
+		t.Errorf("expected changed=true, got %v", resp["changed"])
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("sqlmock unmet: %v", err)
+	}
+}
+
+func TestMemoriesUpdate_ContentOnly_Local(t *testing.T) {
+	mock := setupTestDB(t)
+	setupTestRedis(t)
+	handler := NewMemoriesHandler()
+
+	mock.ExpectQuery("SELECT scope, content, namespace").
+		WithArgs("mem-1", "ws-1").
+		WillReturnRows(sqlmock.NewRows([]string{"scope", "content", "namespace"}).
+			AddRow("LOCAL", "old", "general"))
+	mock.ExpectExec("UPDATE agent_memories").
+		WithArgs("new content", "general", "mem-1", "ws-1").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "ws-1"}, {Key: "memoryId", Value: "mem-1"}}
+	c.Request = httptest.NewRequest("PATCH", "/", bytes.NewBufferString(`{"content":"new content"}`))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Update(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("sqlmock unmet: %v", err)
+	}
+}
+
+// GLOBAL content-edit must (a) escape the [MEMORY prefix to prevent
+// delimiter-spoofing on read-back and (b) write an audit row mirroring
+// Commit's #767 pattern. This pins both behaviors in one assertion so a
+// future refactor that drops either trips the test.
+func TestMemoriesUpdate_ContentEdit_Global_AuditAndEscape(t *testing.T) {
+	mock := setupTestDB(t)
+	setupTestRedis(t)
+	handler := NewMemoriesHandler()
+
+	mock.ExpectQuery("SELECT scope, content, namespace").
+		WithArgs("mem-g", "root-ws").
+		WillReturnRows(sqlmock.NewRows([]string{"scope", "content", "namespace"}).
+			AddRow("GLOBAL", "old global", "general"))
+	// New content's [MEMORY prefix becomes [_MEMORY before the UPDATE.
+	mock.ExpectExec("UPDATE agent_memories").
+		WithArgs("[_MEMORY id=fake]: poison", "general", "mem-g", "root-ws").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+	// Audit row write for the GLOBAL edit.
+	mock.ExpectExec("INSERT INTO activity_logs").
+		WithArgs("root-ws", "memory_edit_global", "root-ws", sqlmock.AnyArg(), sqlmock.AnyArg(), "ok").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "root-ws"}, {Key: "memoryId", Value: "mem-g"}}
+	c.Request = httptest.NewRequest("PATCH", "/",
+		bytes.NewBufferString(`{"content":"[MEMORY id=fake]: poison"}`))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Update(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("sqlmock unmet (escape + audit must both fire): %v", err)
+	}
+}
+
+// Empty body and content-emptied-to-blank both 400. Without these, a
+// buggy client could think the call succeeded while nothing changed
+// (empty body) or that an empty-string scrub was acceptable. Returning
+// 400 forces the client to make its intent explicit.
+func TestMemoriesUpdate_EmptyBody_400(t *testing.T) {
+	setupTestDB(t)
+	setupTestRedis(t)
+	handler := NewMemoriesHandler()
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "ws-1"}, {Key: "memoryId", Value: "mem-1"}}
+	c.Request = httptest.NewRequest("PATCH", "/", bytes.NewBufferString(`{}`))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Update(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("expected 400 on empty body, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestMemoriesUpdate_EmptyContent_400(t *testing.T) {
+	setupTestDB(t)
+	setupTestRedis(t)
+	handler := NewMemoriesHandler()
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "ws-1"}, {Key: "memoryId", Value: "mem-1"}}
+	c.Request = httptest.NewRequest("PATCH", "/", bytes.NewBufferString(`{"content":""}`))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Update(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("expected 400 on empty content, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestMemoriesUpdate_NotFound_404(t *testing.T) {
+	mock := setupTestDB(t)
+	setupTestRedis(t)
+	handler := NewMemoriesHandler()
+
+	// Existence + ownership lookup returns no row → 404. Same shape
+	// for "memory belongs to a different workspace" — both surface as
+	// 404 to avoid leaking row existence across workspaces.
+	mock.ExpectQuery("SELECT scope, content, namespace").
+		WithArgs("mem-x", "ws-1").
+		WillReturnError(sql.ErrNoRows)
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "ws-1"}, {Key: "memoryId", Value: "mem-x"}}
+	c.Request = httptest.NewRequest("PATCH", "/",
+		bytes.NewBufferString(`{"namespace":"facts"}`))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Update(c)
+
+	if w.Code != http.StatusNotFound {
+		t.Fatalf("expected 404, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+// Caller passes content + namespace identical to existing values:
+// post-normalisation nothing changed. Return 200 with changed=false,
+// no UPDATE, no audit row. Saves a round-trip + an audit-log entry on
+// idempotent re-edits (e.g. user clicks Save without changing fields).
+func TestMemoriesUpdate_NoOp_NoUpdate(t *testing.T) {
+	mock := setupTestDB(t)
+	setupTestRedis(t)
+	handler := NewMemoriesHandler()
+
+	mock.ExpectQuery("SELECT scope, content, namespace").
+		WithArgs("mem-1", "ws-1").
+		WillReturnRows(sqlmock.NewRows([]string{"scope", "content", "namespace"}).
+			AddRow("LOCAL", "same", "general"))
+	// No UPDATE expectation — sqlmock will fail ExpectationsWereMet
+	// if one fires.
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "ws-1"}, {Key: "memoryId", Value: "mem-1"}}
+	c.Request = httptest.NewRequest("PATCH", "/",
+		bytes.NewBufferString(`{"content":"same","namespace":"general"}`))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Update(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200 on no-op, got %d: %s", w.Code, w.Body.String())
+	}
+	var resp map[string]interface{}
+	json.Unmarshal(w.Body.Bytes(), &resp)
+	if resp["changed"] != false {
+		t.Errorf("expected changed=false on no-op, got %v", resp["changed"])
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("UPDATE must not fire on no-op: %v", err)
+	}
+}
diff --git a/workspace-server/internal/handlers/team.go b/workspace-server/internal/handlers/team.go
index c4a481f9..0ac5aac4 100644
--- a/workspace-server/internal/handlers/team.go
+++ b/workspace-server/internal/handlers/team.go
@@ -11,7 +11,6 @@ import (
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/events"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/models"
-	"github.com/Molecule-AI/molecule-monorepo/platform/internal/provisioner"
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 	"gopkg.in/yaml.v3"
@@ -25,28 +24,21 @@ import (
 // NULL auth_token — same drift class as the SaaS bug fixed in #2366.
 type TeamHandler struct {
 	broadcaster *events.Broadcaster
-	// provisioner is interface-typed (#2369) for the same reason as
-	// WorkspaceHandler.provisioner — Stop is the only call site here
-	// and it's on the LocalProvisionerAPI surface, so widening is free
-	// and symmetric with WorkspaceHandler.
-	provisioner provisioner.LocalProvisionerAPI
 	wh          *WorkspaceHandler
 	platformURL string
 	configsDir  string
 }
 
-func NewTeamHandler(b *events.Broadcaster, p *provisioner.Provisioner, wh *WorkspaceHandler, platformURL, configsDir string) *TeamHandler {
-	h := &TeamHandler{
+// NewTeamHandler constructs a TeamHandler. Backend selection (Docker vs
+// CP) goes through h.wh.StopWorkspaceAuto + h.wh.provisionWorkspaceAuto;
+// no per-handler provisioner field is needed here.
+func NewTeamHandler(b *events.Broadcaster, wh *WorkspaceHandler, platformURL, configsDir string) *TeamHandler {
+	return &TeamHandler{
 		broadcaster: b,
 		wh:          wh,
 		platformURL: platformURL,
 		configsDir:  configsDir,
 	}
-	// Avoid the typed-nil interface trap (see NewWorkspaceHandler note).
-	if p != nil {
-		h.provisioner = p
-	}
-	return h
 }
 
 // Expand handles POST /workspaces/:id/expand
@@ -203,9 +195,14 @@ func (h *TeamHandler) Collapse(c *gin.Context) {
 			continue
 		}
 
-		// Stop container if provisioner available
-		if h.provisioner != nil {
-			h.provisioner.Stop(ctx, childID)
+		// Stop the workload via the backend dispatcher (CP for SaaS,
+		// Docker for self-hosted). Pre-2026-05-05 this was
+		// `if h.provisioner != nil { h.provisioner.Stop(...) }`, which
+		// silently skipped on every SaaS tenant — child EC2s kept running
+		// after team-collapse until the orphan sweeper caught them
+		// (issue #2813).
+		if err := h.wh.StopWorkspaceAuto(ctx, childID); err != nil {
+			log.Printf("Team collapse: stop %s failed: %v — orphan sweeper will reconcile", childID, err)
 		}
 
 		// Mark as removed
diff --git a/workspace-server/internal/handlers/team_test.go b/workspace-server/internal/handlers/team_test.go
index e909308d..1967ee1f 100644
--- a/workspace-server/internal/handlers/team_test.go
+++ b/workspace-server/internal/handlers/team_test.go
@@ -34,7 +34,7 @@ func TestTeamCollapse_NoChildren(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewTeamHandler(broadcaster, nil, nil, "http://localhost:8080", "/tmp/configs")
+	handler := NewTeamHandler(broadcaster, NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir()), "http://localhost:8080", "/tmp/configs")
 
 	// No children
 	mock.ExpectQuery("SELECT id, name FROM workspaces WHERE parent_id").
@@ -66,7 +66,7 @@ func TestTeamCollapse_WithChildren(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewTeamHandler(broadcaster, nil, nil, "http://localhost:8080", "/tmp/configs")
+	handler := NewTeamHandler(broadcaster, NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir()), "http://localhost:8080", "/tmp/configs")
 
 	// Two children
 	mock.ExpectQuery("SELECT id, name FROM workspaces WHERE parent_id").
@@ -122,7 +122,7 @@ func TestTeamCollapse_WithChildren(t *testing.T) {
 func TestTeamExpand_WorkspaceNotFound(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)
-	handler := NewTeamHandler(newTestBroadcaster(), nil, nil, "http://localhost:8080", "/tmp/configs")
+	handler := NewTeamHandler(newTestBroadcaster(), NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir()), "http://localhost:8080", "/tmp/configs")
 
 	mock.ExpectQuery("SELECT name, tier, status FROM workspaces WHERE id").
 		WithArgs("ws-missing").
@@ -143,7 +143,7 @@ func TestTeamExpand_WorkspaceNotFound(t *testing.T) {
 func TestTeamExpand_NoConfigFound(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)
-	handler := NewTeamHandler(newTestBroadcaster(), nil, nil, "http://localhost:8080", t.TempDir())
+	handler := NewTeamHandler(newTestBroadcaster(), NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir()), "http://localhost:8080", t.TempDir())
 
 	mock.ExpectQuery("SELECT name, tier, status FROM workspaces WHERE id").
 		WithArgs("ws-1").
@@ -167,7 +167,7 @@ func TestTeamExpand_EmptySubWorkspaces(t *testing.T) {
 	setupTestRedis(t)
 
 	configDir := makeTeamConfigDir(t, "myagent", "name: MyAgent\nsub_workspaces: []\n")
-	handler := NewTeamHandler(newTestBroadcaster(), nil, nil, "http://localhost:8080", configDir)
+	handler := NewTeamHandler(newTestBroadcaster(), NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir()), "http://localhost:8080", configDir)
 
 	mock.ExpectQuery("SELECT name, tier, status FROM workspaces WHERE id").
 		WithArgs("ws-1").
@@ -199,7 +199,7 @@ sub_workspaces:
     role: code-reviewer
 `
 	configDir := makeTeamConfigDir(t, "teamlead", yaml)
-	handler := NewTeamHandler(broadcaster, nil, nil, "http://localhost:8080", configDir)
+	handler := NewTeamHandler(broadcaster, NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir()), "http://localhost:8080", configDir)
 
 	mock.ExpectQuery("SELECT name, tier, status FROM workspaces WHERE id").
 		WithArgs("ws-lead").
diff --git a/workspace-server/internal/handlers/template_files_eic.go b/workspace-server/internal/handlers/template_files_eic.go
index da8a7d14..edce34fc 100644
--- a/workspace-server/internal/handlers/template_files_eic.go
+++ b/workspace-server/internal/handlers/template_files_eic.go
@@ -178,6 +178,16 @@ func writeFileViaEIC(ctx context.Context, instanceID, runtime, relPath string, c
 		"-i", keyPath,
 		"-o", "StrictHostKeyChecking=no",
 		"-o", "UserKnownHostsFile=/dev/null",
+		// LogLevel=ERROR silences the benign "Warning: Permanently
+		// added '[127.0.0.1]:NNNNN' to known hosts" notice that ssh
+		// emits on every fresh tunnel connection. Without this, the
+		// notice lands on stderr and fools readFileViaEIC's "empty
+		// stdout + empty stderr → file not found" classifier into
+		// thinking the warning is a real ssh-layer error → 500
+		// instead of 404 (Hermes config.yaml load, hongming tenant,
+		// 2026-05-05 02:38). Real auth/tunnel errors stay visible
+		// because they're emitted at ERROR level.
+		"-o", "LogLevel=ERROR",
 		"-o", "ServerAliveInterval=15",
 		"-p", fmt.Sprintf("%d", localPort),
 		fmt.Sprintf("%s@127.0.0.1", osUser),
@@ -292,6 +302,16 @@ func readFileViaEIC(ctx context.Context, instanceID, runtime, relPath string) ([
 		"-i", keyPath,
 		"-o", "StrictHostKeyChecking=no",
 		"-o", "UserKnownHostsFile=/dev/null",
+		// LogLevel=ERROR silences the benign "Warning: Permanently
+		// added '[127.0.0.1]:NNNNN' to known hosts" notice that ssh
+		// emits on every fresh tunnel connection. Without this, the
+		// notice lands on stderr and fools readFileViaEIC's "empty
+		// stdout + empty stderr → file not found" classifier into
+		// thinking the warning is a real ssh-layer error → 500
+		// instead of 404 (Hermes config.yaml load, hongming tenant,
+		// 2026-05-05 02:38). Real auth/tunnel errors stay visible
+		// because they're emitted at ERROR level.
+		"-o", "LogLevel=ERROR",
 		"-o", "ServerAliveInterval=15",
 		"-p", fmt.Sprintf("%d", localPort),
 		fmt.Sprintf("%s@127.0.0.1", osUser),
diff --git a/workspace-server/internal/handlers/template_files_eic_test.go b/workspace-server/internal/handlers/template_files_eic_test.go
index 30bd9988..e5bc8a48 100644
--- a/workspace-server/internal/handlers/template_files_eic_test.go
+++ b/workspace-server/internal/handlers/template_files_eic_test.go
@@ -1,6 +1,8 @@
 package handlers
 
 import (
+	"os"
+	"regexp"
 	"strings"
 	"testing"
 )
@@ -66,6 +68,36 @@ func TestResolveWorkspaceFilePath_RejectsTraversal(t *testing.T) {
 	}
 }
 
+// TestSSHArgs_LogLevelErrorBothSites pins that BOTH ssh invocations
+// (writeFileViaEIC + readFileViaEIC) include `-o LogLevel=ERROR`.
+//
+// Without that flag, ssh emits a "Warning: Permanently added
+// '[127.0.0.1]:NNNNN' (ED25519) to the list of known hosts." line on
+// every fresh tunnel connection (even with UserKnownHostsFile=/dev/null
+// — that prevents persistence, not the warning). The warning lands on
+// stderr, which fools readFileViaEIC's "empty stdout + empty stderr →
+// file not found" classifier into thinking the warning is a real
+// ssh-layer error and returning 500 instead of 404.
+//
+// Caught 2026-05-05 02:38 on hongming.moleculesai.app: opening Hermes
+// workspace's Config tab returned 500 with body
+// `ssh cat: exit status 1 (Warning: Permanently added '[127.0.0.1]:37951'…)`.
+//
+// LogLevel=ERROR silences info+warning while keeping real auth/tunnel
+// errors visible. This test reads the source and asserts the flag
+// appears at least twice (one per ssh block) — fires if a future edit
+// removes it from either site.
+func TestSSHArgs_LogLevelErrorBothSites(t *testing.T) {
+	src, err := os.ReadFile("template_files_eic.go")
+	if err != nil {
+		t.Fatalf("read source: %v", err)
+	}
+	matches := regexp.MustCompile(`"-o", "LogLevel=ERROR"`).FindAllIndex(src, -1)
+	if len(matches) < 2 {
+		t.Errorf("expected LogLevel=ERROR in BOTH ssh blocks (write + read); found %d occurrences", len(matches))
+	}
+}
+
 // TestShellQuote — the sole piece of variable data in the remote ssh
 // command is the absolute path. It's already built from a map + Clean()
 // so traversal is impossible, but we still single-quote as defence-in-
diff --git a/workspace-server/internal/handlers/workspace.go b/workspace-server/internal/handlers/workspace.go
index 27051e23..bedda7b1 100644
--- a/workspace-server/internal/handlers/workspace.go
+++ b/workspace-server/internal/handlers/workspace.go
@@ -170,6 +170,165 @@ func (h *WorkspaceHandler) provisionWorkspaceAuto(workspaceID, templatePath stri
 	return false
 }
 
+// provisionWorkspaceAutoSync is the synchronous variant of
+// provisionWorkspaceAuto — it BLOCKS in the current goroutine until the
+// per-backend provision body returns, instead of spawning a goroutine.
+//
+// Used by callers that need to coordinate stop+provision as a pair and
+// can't return until provision is done — today that's runRestartCycle
+// (auto-restart cycle's pending-flag loop relies on synchronous return
+// to know when it's safe to start the next cycle without racing the
+// in-flight provision goroutine on the next iteration's Stop call).
+//
+// Backend selection + no-backend fallback are identical to
+// provisionWorkspaceAuto. The only difference is the goroutine wrapper.
+// Keep these two helpers in sync — when one grows a new arm (third
+// backend, retry semantics), the other should too.
+func (h *WorkspaceHandler) provisionWorkspaceAutoSync(workspaceID, templatePath string, configFiles map[string][]byte, payload models.CreateWorkspacePayload) bool {
+	if h.cpProv != nil {
+		h.provisionWorkspaceCP(workspaceID, templatePath, configFiles, payload)
+		return true
+	}
+	if h.provisioner != nil {
+		h.provisionWorkspace(workspaceID, templatePath, configFiles, payload)
+		return true
+	}
+	log.Printf("provisionWorkspaceAutoSync: no provisioning backend wired for %s — marking failed (cpProv=nil, provisioner=nil)", workspaceID)
+	failCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+	h.markProvisionFailed(failCtx, workspaceID,
+		"no provisioning backend available — workspace requires either a Docker daemon (self-hosted) or control-plane provisioner (SaaS)",
+		nil)
+	return false
+}
+
+// StopWorkspaceAuto picks the backend (CP for SaaS, local Docker for
+// self-hosted) and stops the workspace synchronously. Returns nil when
+// neither backend is wired (a workspace nobody is running can't be
+// stopped — that's a no-op, not an error).
+//
+// Single source of truth for "stop a workspace" — symmetric with
+// provisionWorkspaceAuto. Pre-2026-05-05 the stop side had no Auto
+// dispatcher and every caller wrote `if h.provisioner != nil { Stop }`,
+// which silently leaked EC2s on SaaS:
+//   - team.go:208 (Collapse) — issue #2813
+//   - workspace_crud.go:432 (stopAndRemove during Delete) — issue #2814
+//
+// Both bugs reproduced for ~6 months. The pattern is the same drift
+// class as the org-import provision bug closed by PR #2811.
+//
+// Why CP wins when both are wired (matching provisionWorkspaceAuto):
+// production runs exactly one backend at a time — a SaaS tenant has
+// cpProv set + provisioner nil; a self-hosted operator has provisioner
+// set + cpProv nil. The "both set" case only arises in test fixtures,
+// and the CP-wins ordering matches how Auto picks for provisioning so
+// the test stubs stay on a single side.
+//
+// Volume cleanup (workspace_crud.go) stays Docker-only — CP-managed
+// workspaces have no volumes to clean. Callers that need that extra
+// step keep their `if h.provisioner != nil { RemoveVolume(...) }`
+// gate AFTER calling StopWorkspaceAuto. The abstraction here is "stop
+// the running workload," not "tear down all state."
+func (h *WorkspaceHandler) StopWorkspaceAuto(ctx context.Context, workspaceID string) error {
+	if h.cpProv != nil {
+		return h.cpProv.Stop(ctx, workspaceID)
+	}
+	if h.provisioner != nil {
+		return h.provisioner.Stop(ctx, workspaceID)
+	}
+	return nil
+}
+
+// RestartWorkspaceAuto stops the running workload (with retry semantics
+// tuned for the restart hot path) then starts provisioning again, in a
+// detached goroutine. Returns true when a backend was kicked off, false
+// when neither is wired (caller owns the persist + mark-failed surface
+// in that case — symmetric with provisionWorkspaceAuto's bool return).
+//
+// Single source of truth for "restart a workspace" — third in the
+// dispatcher trio alongside provisionWorkspaceAuto and StopWorkspaceAuto.
+// Phase 1 of #2799 introduces this helper + migrates one caller; the
+// remaining workspace_restart.go sites (Restart HTTP handler goroutine,
+// Resume handler, Pause loop) follow in Phase 2/3 because they need
+// async-context reasoning beyond a fire-and-return dispatcher.
+//
+// Retry on the Stop leg is intentional and distinguishes this from
+// StopWorkspaceAuto:
+//
+//   - StopWorkspaceAuto (Stop-on-delete contract): no retry, no-backend
+//     is a silent no-op. Different verb, different stakes — a workspace
+//     nobody is running can't be stopped.
+//
+//   - RestartWorkspaceAuto: bounded exponential backoff on cpProv.Stop
+//     via cpStopWithRetry. Restart's contract is "make the workspace
+//     alive again" — refusing to reprovision when Stop fails strands
+//     the user with a dead workspace and no recovery path other than
+//     manual canvas intervention. Retry absorbs the transient CP/AWS
+//     hiccups that cause most EC2-leak-adjacent incidents. On final
+//     exhaustion, cpStopWithRetry logs LEAK-SUSPECT and proceeds with
+//     reprovision regardless, bridging to the orphan reconciler.
+//
+// Docker provisioner.Stop has no retry — a local container that fails
+// to stop is a local infrastructure problem (OOM, resource pressure)
+// and retries won't help; the subsequent provision attempt will surface
+// the underlying daemon failure.
+//
+// Architectural note: this helper encapsulates the stop+reprovision
+// pair. The "which backend for stop" and "which backend for provision"
+// decisions live here and stay in sync (CP-stop pairs with CP-provision;
+// Docker-stop pairs with Docker-provision). Callers that need only the
+// stop half use StopWorkspaceAuto (delete path) or stopForRestart
+// (restart-path internal helper) directly.
+//
+// Payload requirements: caller MUST construct payload from the live
+// workspace row (name, runtime, tier, model, workspace_dir, etc.) so
+// the reprovision comes up with the workspace's actual configuration.
+// runRestartCycle does this synchronously (line ~538) before delegating
+// — match that pattern in any new caller.
+func (h *WorkspaceHandler) RestartWorkspaceAuto(ctx context.Context, workspaceID, templatePath string, configFiles map[string][]byte, payload models.CreateWorkspacePayload) bool {
+	return h.RestartWorkspaceAutoOpts(ctx, workspaceID, templatePath, configFiles, payload, false)
+}
+
+// RestartWorkspaceAutoOpts is the variant that carries Docker-only
+// per-invocation knobs that don't fit on CreateWorkspacePayload. Today
+// the only such knob is resetClaudeSession (issue #12 — clears the
+// in-container Claude session before restart so the agent comes up
+// fresh). CP doesn't have a session-reset concept (each EC2 boots from
+// a fresh image), so the flag is silently ignored on the CP path.
+//
+// Most callers should call RestartWorkspaceAuto (resetClaudeSession=
+// false). The Restart HTTP handler is the one site that exposes the
+// flag to operators — it reads ?reset_session=true from the query
+// string when an operator wants to force a fresh session.
+func (h *WorkspaceHandler) RestartWorkspaceAutoOpts(ctx context.Context, workspaceID, templatePath string, configFiles map[string][]byte, payload models.CreateWorkspacePayload, resetClaudeSession bool) bool {
+	// Stop leg first. CP-first ordering matches the other dispatchers
+	// (provisionWorkspaceAuto, StopWorkspaceAuto) and the convention
+	// documented in docs/architecture/backends.md.
+	if h.cpProv != nil {
+		h.cpStopWithRetry(ctx, workspaceID, "RestartWorkspaceAuto")
+		// resetClaudeSession is Docker-only — CP has no session state to clear.
+		go h.provisionWorkspaceCP(workspaceID, templatePath, configFiles, payload)
+		return true
+	}
+	if h.provisioner != nil {
+		// Docker.Stop has no retry — see docstring rationale.
+		h.provisioner.Stop(ctx, workspaceID)
+		go h.provisionWorkspaceOpts(workspaceID, templatePath, configFiles, payload, resetClaudeSession)
+		return true
+	}
+	// No backend wired — same shape as provisionWorkspaceAuto's no-backend
+	// arm. Mark the workspace failed so the user sees a meaningful state
+	// rather than a hang. 10s context lets markProvisionFailed broadcast
+	// + UPDATE; the original ctx may already be cancelled.
+	log.Printf("RestartWorkspaceAuto: no provisioning backend wired for %s — marking failed (cpProv=nil, provisioner=nil)", workspaceID)
+	failCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+	h.markProvisionFailed(failCtx, workspaceID,
+		"no provisioning backend available — workspace requires either a Docker daemon (self-hosted) or control-plane provisioner (SaaS)",
+		nil)
+	return false
+}
+
 // SetEnvMutators wires a provisionhook.Registry into the handler. Plugins
 // living in separate repos register on the same Registry instance during
 // boot (see cmd/server/main.go) and main.go calls this setter once before
@@ -458,8 +617,8 @@ func (h *WorkspaceHandler) Create(c *gin.Context) {
 			if tokErr != nil {
 				log.Printf("External workspace %s: token issuance failed: %v", id, tokErr)
 				// Non-fatal — the workspace row still exists; the
-				// operator can call POST /workspaces/:id/tokens later
-				// to mint one. Return a 201 with a hint instead of
+				// operator can call POST /workspaces/:id/external/rotate
+				// later to recover. Return a 201 with a hint instead of
 				// 500'ing a partial-success write.
 			} else {
 				connectionToken = tok
@@ -479,91 +638,16 @@ func (h *WorkspaceHandler) Create(c *gin.Context) {
 		} else {
 			resp["status"] = "awaiting_agent"
 			// Connection snippet payload. Returned ONCE on create —
-			// the token is not recoverable from any later read. UI
-			// is responsible for surfacing this in a copy-paste modal.
-			platformURL := strings.TrimSuffix(externalPlatformURL(c), "/")
-			resp["connection"] = gin.H{
-				"workspace_id": id,
-				"platform_url": platformURL,
-				"auth_token":   connectionToken, // may be "" if IssueToken failed above
-				"registry_endpoint": platformURL + "/registry/register",
-				"heartbeat_endpoint": platformURL + "/registry/heartbeat",
-				// Pre-formatted snippet that a non-Go operator can
-				// paste verbatim. curl-based so there's no SDK
-				// install dependency. The external agent only
-				// needs to replace $AGENT_URL with its own public URL.
-				"curl_register_template": strings.ReplaceAll(
-					strings.ReplaceAll(externalCurlTemplate,
-						"{{PLATFORM_URL}}", platformURL),
-					"{{WORKSPACE_ID}}", id,
-				),
-				// Python/SDK snippet. molecule-sdk-python PR #13
-				// shipped A2AServer + RemoteAgentClient specifically
-				// for this flow. The SDK is not yet on PyPI — the
-				// snippet pins @main until we cut a release.
-				"python_snippet": strings.ReplaceAll(
-					strings.ReplaceAll(externalPythonTemplate,
-						"{{PLATFORM_URL}}", platformURL),
-					"{{WORKSPACE_ID}}", id,
-				),
-				// Claude Code channel plugin snippet. For operators
-				// whose external agent IS a Claude Code session —
-				// the snippet sets up ~/.claude/channels/molecule/.env
-				// and points at the canonical first-party plugin at
-				// github.com/Molecule-AI/molecule-mcp-claude-channel.
-				// Polling-based; no tunnel needed.
-				"claude_code_channel_snippet": strings.ReplaceAll(
-					strings.ReplaceAll(externalChannelTemplate,
-						"{{PLATFORM_URL}}", platformURL),
-					"{{WORKSPACE_ID}}", id,
-				),
-				// Universal MCP snippet — runtime-agnostic outbound
-				// tool path via the molecule-mcp console script. Same
-				// 8 platform tools any MCP-aware runtime can register
-				// (Claude Code, hermes, codex, etc.). Outbound-only:
-				// the snippet calls out that heartbeat/inbound need
-				// pairing with the SDK or channel tab.
-				"universal_mcp_snippet": strings.ReplaceAll(
-					strings.ReplaceAll(externalUniversalMcpTemplate,
-						"{{PLATFORM_URL}}", platformURL),
-					"{{WORKSPACE_ID}}", id,
-				),
-				// Hermes channel snippet — for operators whose external
-				// agent IS a hermes-agent session. Routes A2A traffic
-				// into the hermes gateway via the molecule-channel
-				// plugin (Molecule-AI/hermes-channel-molecule). Long-
-				// poll based (no tunnel) — same UX as the Claude Code
-				// channel tab. Gives hermes true push parity with the
-				// other runtime templates.
-				"hermes_channel_snippet": strings.ReplaceAll(
-					strings.ReplaceAll(externalHermesChannelTemplate,
-						"{{PLATFORM_URL}}", platformURL),
-					"{{WORKSPACE_ID}}", id,
-				),
-				// Codex MCP config snippet — for operators whose
-				// external agent is a codex CLI (@openai/codex)
-				// session. Wires the molecule MCP server into
-				// ~/.codex/config.toml. Outbound-tools-only today;
-				// codex's MCP client doesn't route arbitrary
-				// notifications/* so push parity needs a separate
-				// bridge daemon (future work).
-				"codex_snippet": strings.ReplaceAll(
-					strings.ReplaceAll(externalCodexTemplate,
-						"{{PLATFORM_URL}}", platformURL),
-					"{{WORKSPACE_ID}}", id,
-				),
-				// OpenClaw MCP config snippet — for operators whose
-				// external agent is an openclaw session. Wires the
-				// molecule MCP server via `openclaw mcp set` + starts
-				// the gateway on loopback. Outbound-tools-only today;
-				// full push parity needs a sessions.steer bridge
-				// daemon (future work).
-				"openclaw_snippet": strings.ReplaceAll(
-					strings.ReplaceAll(externalOpenClawTemplate,
-						"{{PLATFORM_URL}}", platformURL),
-					"{{WORKSPACE_ID}}", id,
-				),
-			}
+			// the token is not recoverable from any later read.
+			//
+			// Payload assembly + per-snippet template stamping lives
+			// in BuildExternalConnectionPayload (external_connection.go)
+			// so the rotate + re-show endpoints emit byte-identical
+			// shape. Adding a new snippet means adding it once there;
+			// all three callers pick it up automatically.
+			resp["connection"] = BuildExternalConnectionPayload(
+				externalPlatformURL(c), id, connectionToken,
+			)
 		}
 		c.JSON(http.StatusCreated, resp)
 		return
diff --git a/workspace-server/internal/handlers/workspace_crud.go b/workspace-server/internal/handlers/workspace_crud.go
index f254ea86..4e58804f 100644
--- a/workspace-server/internal/handlers/workspace_crud.go
+++ b/workspace-server/internal/handlers/workspace_crud.go
@@ -420,22 +420,33 @@ func (h *WorkspaceHandler) Delete(c *gin.Context) {
 
 	var stopErrs []error
 	stopAndRemove := func(wsID string) {
-		if h.provisioner == nil {
-			return
-		}
-		// Check Stop's error before attempting RemoveVolume — the
-		// previous code discarded it and immediately tried the
-		// volume remove, which always fails with "volume in use"
-		// when Stop didn't actually kill the container. The orphan
-		// sweeper (registry/orphan_sweeper.go) catches what we
-		// skip here on the next reconcile pass.
-		if err := h.provisioner.Stop(cleanupCtx, wsID); err != nil {
-			log.Printf("Delete %s container stop failed: %v — leaving volume for orphan sweeper", wsID, err)
+		// Stop the workload first via the backend dispatcher (CP for
+		// SaaS, Docker for self-hosted). Pre-2026-05-05 this gate was
+		// `if h.provisioner == nil { return }` — early-returning on
+		// every SaaS tenant left the EC2 running with no DB row to
+		// track it (issue #2814; the comment below claimed "loud-fail
+		// instead of silent-leak" but the early-return made it the
+		// silent path on SaaS).
+		//
+		// Check Stop's error before any volume cleanup — the previous
+		// code discarded it and immediately tried RemoveVolume, which
+		// always fails with "volume in use" when Stop didn't actually
+		// kill the container. The orphan sweeper
+		// (registry/orphan_sweeper.go) catches what we skip here on
+		// the next reconcile pass.
+		if err := h.StopWorkspaceAuto(cleanupCtx, wsID); err != nil {
+			log.Printf("Delete %s stop failed: %v — leaving cleanup for orphan sweeper", wsID, err)
 			stopErrs = append(stopErrs, fmt.Errorf("stop %s: %w", wsID, err))
 			return
 		}
-		if err := h.provisioner.RemoveVolume(cleanupCtx, wsID); err != nil {
-			log.Printf("Delete %s volume removal warning: %v", wsID, err)
+		// Volume cleanup is Docker-only — CP-managed workspaces have
+		// no host-bind volumes to remove. Skip silently when no Docker
+		// provisioner is wired (the SaaS path already terminated the
+		// EC2 above; nothing left to do).
+		if h.provisioner != nil {
+			if err := h.provisioner.RemoveVolume(cleanupCtx, wsID); err != nil {
+				log.Printf("Delete %s volume removal warning: %v", wsID, err)
+			}
 		}
 	}
 
diff --git a/workspace-server/internal/handlers/workspace_provision_auto_test.go b/workspace-server/internal/handlers/workspace_provision_auto_test.go
index 9198e8f6..1cf32994 100644
--- a/workspace-server/internal/handlers/workspace_provision_auto_test.go
+++ b/workspace-server/internal/handlers/workspace_provision_auto_test.go
@@ -41,7 +41,9 @@ import (
 type trackingCPProv struct {
 	mu       sync.Mutex
 	started  []string
+	stopped  []string
 	startErr error
+	stopErr  error
 }
 
 func (r *trackingCPProv) Start(_ context.Context, cfg provisioner.WorkspaceConfig) (string, error) {
@@ -53,12 +55,25 @@ func (r *trackingCPProv) Start(_ context.Context, cfg provisioner.WorkspaceConfi
 	}
 	return "i-stub-" + cfg.WorkspaceID, nil
 }
-func (r *trackingCPProv) Stop(_ context.Context, _ string) error { return nil }
+func (r *trackingCPProv) Stop(_ context.Context, workspaceID string) error {
+	r.mu.Lock()
+	r.stopped = append(r.stopped, workspaceID)
+	r.mu.Unlock()
+	return r.stopErr
+}
 func (r *trackingCPProv) GetConsoleOutput(_ context.Context, _ string) (string, error) {
 	return "", nil
 }
 func (r *trackingCPProv) IsRunning(_ context.Context, _ string) (bool, error) { return true, nil }
 
+func (r *trackingCPProv) stoppedSnapshot() []string {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	out := make([]string, len(r.stopped))
+	copy(out, r.stopped)
+	return out
+}
+
 func (r *trackingCPProv) startedSnapshot() []string {
 	r.mu.Lock()
 	defer r.mu.Unlock()
@@ -432,3 +447,507 @@ func TestOrgImportGate_UsesHasProvisionerNotBareField(t *testing.T) {
 		t.Errorf("org_import.go must call h.workspace.HasProvisioner() in the provisioning gate — current code does not")
 	}
 }
+
+// TestStopWorkspaceAuto_RoutesToCPWhenSet — symmetric with the
+// provision dispatcher test above. SaaS tenants run with cpProv set
+// and the local Docker provisioner nil; Auto must route Stop to CP
+// (= terminate the EC2). Pre-2026-05-05 the absence of this dispatcher
+// meant team-collapse + workspace-delete called h.provisioner.Stop
+// directly, no-oping on every SaaS tenant — issue #2813 (collapse) and
+// #2814 (delete) both leak EC2s for ~6 months.
+func TestStopWorkspaceAuto_RoutesToCPWhenSet(t *testing.T) {
+	rec := &trackingCPProv{}
+	bcast := &concurrentSafeBroadcaster{}
+	h := NewWorkspaceHandler(bcast, nil, "http://localhost:8080", t.TempDir())
+	h.SetCPProvisioner(rec)
+
+	wsID := "ws-stop-routes-cp"
+	if err := h.StopWorkspaceAuto(context.Background(), wsID); err != nil {
+		t.Fatalf("StopWorkspaceAuto returned err with CP wired: %v", err)
+	}
+	got := rec.stoppedSnapshot()
+	if len(got) != 1 || got[0] != wsID {
+		t.Errorf("expected cpProv.Stop invoked once with %q, got %v", wsID, got)
+	}
+}
+
+// TestStopWorkspaceAuto_RoutesToDockerWhenOnlyDocker — self-hosted
+// operators run with the local Docker provisioner wired and cpProv nil.
+// Auto must route to Docker.
+//
+// Stub-injects a LocalProvisionerAPI via a private constructor pattern
+// so we don't need a real Docker daemon. NewWorkspaceHandler's
+// constructor takes *provisioner.Provisioner (concrete) so we set the
+// interface field directly.
+func TestStopWorkspaceAuto_RoutesToDockerWhenOnlyDocker(t *testing.T) {
+	bcast := &concurrentSafeBroadcaster{}
+	h := NewWorkspaceHandler(bcast, nil, "http://localhost:8080", t.TempDir())
+	stub := &stoppingLocalProv{}
+	h.provisioner = stub
+
+	wsID := "ws-stop-routes-docker"
+	if err := h.StopWorkspaceAuto(context.Background(), wsID); err != nil {
+		t.Fatalf("StopWorkspaceAuto returned err with Docker wired: %v", err)
+	}
+	if len(stub.stopped) != 1 || stub.stopped[0] != wsID {
+		t.Errorf("expected Docker provisioner.Stop invoked once with %q, got %v", wsID, stub.stopped)
+	}
+}
+
+// TestStopWorkspaceAuto_NoBackendIsNoOp — when neither backend is wired
+// (misconfigured deployment, or test fixture), StopWorkspaceAuto returns
+// nil silently. Distinct from provisionWorkspaceAuto's mark-failed
+// behavior: there's no row state to mark "failed to stop" against, and
+// the absence of a backend means nothing was running to stop.
+func TestStopWorkspaceAuto_NoBackendIsNoOp(t *testing.T) {
+	bcast := &concurrentSafeBroadcaster{}
+	h := NewWorkspaceHandler(bcast, nil, "http://localhost:8080", t.TempDir())
+	// Neither SetCPProvisioner nor a Docker provisioner — both nil.
+
+	if err := h.StopWorkspaceAuto(context.Background(), "ws-noback"); err != nil {
+		t.Errorf("expected nil error on no-backend stop, got %v", err)
+	}
+}
+
+// stoppingLocalProv is a minimal LocalProvisionerAPI stub that records
+// Stop invocations. Other methods panic — guards against accidental
+// use by tests that should be using a different stub.
+type stoppingLocalProv struct {
+	stopped []string
+}
+
+func (s *stoppingLocalProv) Stop(_ context.Context, workspaceID string) error {
+	s.stopped = append(s.stopped, workspaceID)
+	return nil
+}
+func (s *stoppingLocalProv) Start(_ context.Context, _ provisioner.WorkspaceConfig) (string, error) {
+	panic("stoppingLocalProv: Start not implemented for this test")
+}
+func (s *stoppingLocalProv) IsRunning(_ context.Context, _ string) (bool, error) {
+	panic("stoppingLocalProv: IsRunning not implemented for this test")
+}
+func (s *stoppingLocalProv) ExecRead(_ context.Context, _, _ string) ([]byte, error) {
+	panic("stoppingLocalProv: ExecRead not implemented for this test")
+}
+func (s *stoppingLocalProv) RemoveVolume(_ context.Context, _ string) error {
+	panic("stoppingLocalProv: RemoveVolume not implemented for this test")
+}
+func (s *stoppingLocalProv) VolumeHasFile(_ context.Context, _, _ string) (bool, error) {
+	panic("stoppingLocalProv: VolumeHasFile not implemented for this test")
+}
+func (s *stoppingLocalProv) WriteAuthTokenToVolume(_ context.Context, _, _ string) error {
+	panic("stoppingLocalProv: WriteAuthTokenToVolume not implemented for this test")
+}
+
+// TestNoCallSiteCallsBareStop — source-level pin against the bug
+// pattern that motivated this PR. Any non-test handler that wants to
+// "stop the workload" must go through h.X.StopWorkspaceAuto, not bare
+// h.X.provisioner.Stop / h.X.cpProv.Stop / h.X.Stop. Pre-2026-05-05
+// team.go and workspace_crud.go both called h.provisioner.Stop directly
+// inside `if h.provisioner != nil { ... }` gates — silent no-op on
+// SaaS, EC2 leak (#2813, #2814).
+//
+// Allowed exceptions:
+//   - workspace.go: defines StopWorkspaceAuto (the dispatcher itself).
+//   - workspace_provision.go: defines per-backend Start/Stop bodies.
+//   - workspace_restart.go: pre-dates the dispatchers and uses manual
+//     if-cpProv-else dispatch with retry semantics tuned for the
+//     restart hot path. Functionally equivalent + wraps cpStopWithRetry,
+//     so it's not the bug class this gate targets — but it IS
+//     architectural duplication, tracked under #2799.
+//   - container_files.go: drives Docker daemon directly for file-copy
+//     short-lived containers; no workspace-level Stop semantics.
+func TestNoCallSiteCallsBareStop(t *testing.T) {
+	wd, err := os.Getwd()
+	if err != nil {
+		t.Fatalf("getwd: %v", err)
+	}
+	entries, err := os.ReadDir(wd)
+	if err != nil {
+		t.Fatalf("readdir: %v", err)
+	}
+	bareShapes := []string{
+		".provisioner.Stop(",
+		".cpProv.Stop(",
+	}
+	allowedFiles := map[string]bool{
+		"workspace.go":           true,
+		"workspace_provision.go": true,
+		"workspace_restart.go":   true,
+		"container_files.go":     true,
+	}
+	for _, entry := range entries {
+		name := entry.Name()
+		if filepath.Ext(name) != ".go" {
+			continue
+		}
+		if len(name) > len("_test.go") &&
+			name[len(name)-len("_test.go"):] == "_test.go" {
+			continue
+		}
+		if allowedFiles[name] {
+			continue
+		}
+		src, err := os.ReadFile(filepath.Join(wd, name))
+		if err != nil {
+			t.Fatalf("read %s: %v", name, err)
+		}
+		// Strip line + block comments before substring check — the gate
+		// targets call expressions in real code, not historical
+		// references in documentation/comments. Without this, comments
+		// describing the old buggy shape (kept on purpose for
+		// archaeology) trip the test.
+		stripped := stripGoComments(src)
+		for _, needle := range bareShapes {
+			if bytes.Contains(stripped, []byte(needle)) {
+				t.Errorf("%s contains bare `%s` — must go through h.X.StopWorkspaceAuto so SaaS tenants route to CP. "+
+					"Pre-2026-05-05 team.go and workspace_crud.go did this and silently leaked EC2s on every SaaS collapse / delete (#2813, #2814).", name, needle)
+			}
+		}
+	}
+}
+
+// TestRestartWorkspaceAuto_RoutesToCPWhenSet — third dispatcher, same
+// drift-class shape as the other two. SaaS path goes through CP with
+// retry semantics. The cpStopWithRetry retry loop fires before
+// provision spawns; this test asserts cpProv.Stop was invoked at
+// least once with the workspace ID (we can't assert exact retry
+// count without mocking out the retry helper itself, which would
+// invert the test contract — the retry IS the dispatcher's job here).
+func TestRestartWorkspaceAuto_RoutesToCPWhenSet(t *testing.T) {
+	rec := &trackingCPProv{}
+	bcast := &concurrentSafeBroadcaster{}
+	h := NewWorkspaceHandler(bcast, nil, "http://localhost:8080", t.TempDir())
+	h.SetCPProvisioner(rec)
+
+	// Mock DB so cpStopWithRetry can run without a real Postgres.
+	mock := setupTestDB(t)
+	mock.MatchExpectationsInOrder(false)
+	// provisionWorkspaceCP runs in the goroutine and will hit secrets
+	// SELECTs + UPDATE workspace as failed (we make CP Start return
+	// an error to short-circuit the post-Start path).
+	mock.ExpectQuery(`SELECT key, encrypted_value, encryption_version FROM global_secrets`).
+		WillReturnRows(sqlmock.NewRows([]string{"key", "encrypted_value", "encryption_version"}))
+	mock.ExpectQuery(`SELECT key, encrypted_value, encryption_version FROM workspace_secrets`).
+		WithArgs(sqlmock.AnyArg()).
+		WillReturnRows(sqlmock.NewRows([]string{"key", "encrypted_value", "encryption_version"}))
+	mock.ExpectExec(`UPDATE workspaces SET status =`).
+		WithArgs(sqlmock.AnyArg(), sqlmock.AnyArg(), sqlmock.AnyArg()).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	rec.startErr = errors.New("simulated CP rejection")
+
+	wsID := "ws-restart-routes-cp-0123456789ab"
+	ok := h.RestartWorkspaceAuto(context.Background(), wsID, "", nil, models.CreateWorkspacePayload{
+		Name: "restart-test", Tier: 1, Runtime: "claude-code",
+	})
+	if !ok {
+		t.Fatalf("expected RestartWorkspaceAuto to return true with CP wired")
+	}
+
+	// Wait for the goroutine to land. cpStopWithRetry runs synchronously
+	// before the provision goroutine fires; both call sites record into
+	// the tracking stub, so we expect at least one Stop and (eventually)
+	// at least one Start.
+	deadline := time.Now().Add(2 * time.Second)
+	for {
+		if len(rec.stoppedSnapshot()) > 0 && len(rec.startedSnapshot()) > 0 {
+			break
+		}
+		if time.Now().After(deadline) {
+			t.Fatalf("timed out waiting for cpProv.Stop + cpProv.Start; stopped=%v started=%v",
+				rec.stoppedSnapshot(), rec.startedSnapshot())
+		}
+		time.Sleep(20 * time.Millisecond)
+	}
+
+	stopped := rec.stoppedSnapshot()
+	if len(stopped) == 0 || stopped[0] != wsID {
+		t.Errorf("expected cpProv.Stop invoked with %q, got %v", wsID, stopped)
+	}
+	started := rec.startedSnapshot()
+	if len(started) == 0 || started[0] != wsID {
+		t.Errorf("expected cpProv.Start invoked with %q, got %v", wsID, started)
+	}
+}
+
+// TestRestartWorkspaceAuto_RoutesToDockerWhenOnlyDocker — self-hosted
+// path. Docker provisioner.Stop has no retry; this test only asserts
+// the dispatch order (Stop → spawn provision goroutine) without
+// stubbing the entire Docker provision pipeline.
+//
+// The spawned provision goroutine WILL panic in provisionWorkspaceOpts
+// (no real Docker daemon), be recovered by logProvisionPanic, and
+// attempt a markProvisionFailed UPDATE on the test DB. We pre-register
+// that expectation so the panic-recovery doesn't fail the test as a
+// "was not expected" call. We also wait for the goroutine to land
+// before the test body exits, so its db.DB writes don't leak into the
+// next test's sqlmock when tests run sequentially in the same package.
+func TestRestartWorkspaceAuto_RoutesToDockerWhenOnlyDocker(t *testing.T) {
+	mock := setupTestDB(t)
+	mock.MatchExpectationsInOrder(false)
+	// Allow up to 5 markProvisionFailed UPDATEs from the panic-recovered
+	// goroutine (it'll panic in provisionWorkspaceOpts since
+	// stoppingLocalProv.Start panics, then logProvisionPanic calls
+	// markProvisionFailed). Generous count so a slower CI runner
+	// doesn't trip on duplicate writes; we don't assert
+	// ExpectationsWereMet since the count is a runtime detail.
+	for i := 0; i < 5; i++ {
+		mock.ExpectExec(`UPDATE workspaces SET status =`).
+			WithArgs(sqlmock.AnyArg(), sqlmock.AnyArg(), sqlmock.AnyArg()).
+			WillReturnResult(sqlmock.NewResult(0, 1))
+	}
+
+	bcast := &concurrentSafeBroadcaster{}
+	h := NewWorkspaceHandler(bcast, nil, "http://localhost:8080", t.TempDir())
+	stub := &stoppingLocalProv{}
+	h.provisioner = stub
+
+	wsID := "ws-restart-routes-docker"
+	ok := h.RestartWorkspaceAuto(context.Background(), wsID, "", nil, models.CreateWorkspacePayload{
+		Name: "restart-test", Tier: 1, Runtime: "claude-code",
+	})
+	if !ok {
+		t.Fatalf("expected RestartWorkspaceAuto to return true with Docker wired")
+	}
+
+	// Wait for the spawned goroutine to settle — it'll panic in
+	// provisionWorkspaceOpts (stoppingLocalProv.Start panics) and be
+	// recovered by logProvisionPanic. Without this wait, the goroutine
+	// outlives the test and writes to a sqlmock that the NEXT test
+	// owns, causing a `was not expected` race.
+	time.Sleep(200 * time.Millisecond)
+
+	// Stop call is synchronous on the Docker leg.
+	if len(stub.stopped) == 0 || stub.stopped[0] != wsID {
+		t.Errorf("expected provisioner.Stop invoked with %q, got %v", wsID, stub.stopped)
+	}
+}
+
+// TestRestartWorkspaceAuto_NoBackendMarksFailed — when neither backend
+// is wired, the dispatcher returns false AND marks the workspace
+// failed (defense in depth, mirroring provisionWorkspaceAuto). Distinct
+// from StopWorkspaceAuto's no-op-on-no-backend contract: Restart's
+// promise is "the workspace will be alive again" — failing silently
+// would strand the user with a stuck workspace and no error path.
+func TestRestartWorkspaceAuto_NoBackendMarksFailed(t *testing.T) {
+	mock := setupTestDB(t)
+	mock.MatchExpectationsInOrder(false)
+	mock.ExpectExec(`UPDATE workspaces SET status =`).
+		WithArgs(sqlmock.AnyArg(), sqlmock.AnyArg(), sqlmock.AnyArg()).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	bcast := &concurrentSafeBroadcaster{}
+	h := NewWorkspaceHandler(bcast, nil, "http://localhost:8080", t.TempDir())
+	// Neither SetCPProvisioner nor a Docker provisioner — both nil.
+
+	ok := h.RestartWorkspaceAuto(context.Background(), "ws-restart-noback", "", nil, models.CreateWorkspacePayload{
+		Name: "restart-test", Tier: 1, Runtime: "claude-code",
+	})
+	if ok {
+		t.Fatalf("expected RestartWorkspaceAuto to return false with no backend wired")
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("expected markProvisionFailed UPDATE to fire on no-backend path: %v", err)
+	}
+}
+
+// TestRestartHandler_UsesRestartWorkspaceAuto — source-level pin that
+// the Restart HTTP handler routes through the dispatcher. Phase 2 PR-A
+// of #2799 migrates Site 1+2 (the Restart goroutine) to call
+// RestartWorkspaceAutoOpts. This test pins the migration so the next
+// refactor doesn't accidentally regress to the inline if-cpProv-else
+// dispatch — that pre-fix shape had Docker-FIRST ordering, a different
+// drift class from the silent-drop bugs PRs #2811/#2824 closed.
+//
+// Allowed in workspace_restart.go: stopForRestart (Site 4), Pause
+// (Site 5). Both are tracked under #2799 Phase 2 PR-B / Phase 3.
+func TestRestartHandler_UsesRestartWorkspaceAuto(t *testing.T) {
+	wd, err := os.Getwd()
+	if err != nil {
+		t.Fatalf("getwd: %v", err)
+	}
+	src, err := os.ReadFile(filepath.Join(wd, "workspace_restart.go"))
+	if err != nil {
+		t.Fatalf("read workspace_restart.go: %v", err)
+	}
+	stripped := stripGoComments(src)
+	// The Restart handler must dispatch through the SoT helper. Either
+	// signature variant satisfies the gate.
+	if !bytes.Contains(stripped, []byte("h.RestartWorkspaceAutoOpts(")) &&
+		!bytes.Contains(stripped, []byte("h.RestartWorkspaceAuto(")) {
+		t.Errorf("workspace_restart.go must call RestartWorkspaceAuto[Opts] from the Restart handler — current code does not. " +
+			"Phase 2 of #2799 migrated this site; do not regress to the inline if-cpProv-else dispatch.")
+	}
+}
+
+// TestResumeHandler_UsesProvisionWorkspaceAuto — source-level pin that
+// the Resume HTTP handler routes through the dispatcher. Phase 2 PR-A
+// of #2799 migrates Site 3 (Resume goroutine) to call
+// provisionWorkspaceAuto (Resume is provision-only — the workspace is
+// already paused/stopped, no Stop step needed).
+func TestResumeHandler_UsesProvisionWorkspaceAuto(t *testing.T) {
+	wd, err := os.Getwd()
+	if err != nil {
+		t.Fatalf("getwd: %v", err)
+	}
+	src, err := os.ReadFile(filepath.Join(wd, "workspace_restart.go"))
+	if err != nil {
+		t.Fatalf("read workspace_restart.go: %v", err)
+	}
+	stripped := stripGoComments(src)
+	// The Resume handler's loop must dispatch through provisionWorkspaceAuto.
+	// Doesn't need a uniqueness check — the file already calls it from at
+	// least the Resume site (a regression that removes only the Resume call
+	// would still match this needle from another call in the file, but the
+	// stripGoComments output of workspace_restart.go is small enough that
+	// inspecting the diff catches that.)
+	if !bytes.Contains(stripped, []byte("h.provisionWorkspaceAuto(ws.id")) {
+		t.Errorf("workspace_restart.go must call provisionWorkspaceAuto from the Resume handler with `ws.id` — current code does not. " +
+			"Phase 2 of #2799 migrated this site; do not regress to the inline if-cpProv-else dispatch.")
+	}
+}
+
+// TestProvisionWorkspaceAutoSync_RoutesToCPWhenSet — sync variant of the
+// provision dispatcher used by runRestartCycle. CP path runs synchronously
+// (no goroutine wrapper). Verified via the same trackingCPProv stub as
+// the async tests; the absence of `go` semantics is the load-bearing
+// distinction we're pinning.
+func TestProvisionWorkspaceAutoSync_RoutesToCPWhenSet(t *testing.T) {
+	mock := setupTestDB(t)
+	mock.MatchExpectationsInOrder(false)
+	// provisionWorkspaceCP runs prepareProvisionContext synchronously, which
+	// hits secrets selects + the markProvisionFailed UPDATE when CP.Start
+	// returns an error. We allow these calls without strictly asserting
+	// counts — the goal here is to assert the routing branch was taken.
+	mock.ExpectQuery(`SELECT key, encrypted_value, encryption_version FROM global_secrets`).
+		WillReturnRows(sqlmock.NewRows([]string{"key", "encrypted_value", "encryption_version"}))
+	mock.ExpectQuery(`SELECT key, encrypted_value, encryption_version FROM workspace_secrets`).
+		WithArgs(sqlmock.AnyArg()).
+		WillReturnRows(sqlmock.NewRows([]string{"key", "encrypted_value", "encryption_version"}))
+	mock.ExpectExec(`UPDATE workspaces SET status =`).
+		WithArgs(sqlmock.AnyArg(), sqlmock.AnyArg(), sqlmock.AnyArg()).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	rec := &trackingCPProv{startErr: errors.New("simulated CP rejection")}
+	bcast := &concurrentSafeBroadcaster{}
+	h := NewWorkspaceHandler(bcast, nil, "http://localhost:8080", t.TempDir())
+	h.SetCPProvisioner(rec)
+
+	wsID := "ws-sync-routes-cp"
+	ok := h.provisionWorkspaceAutoSync(wsID, "", nil, models.CreateWorkspacePayload{
+		Name: "sync-test", Tier: 1, Runtime: "claude-code",
+	})
+	if !ok {
+		t.Fatalf("expected provisionWorkspaceAutoSync to return true with CP wired")
+	}
+	// Synchronous: the call returns AFTER cpProv.Start has been invoked.
+	// No deadline-poll loop needed.
+	got := rec.startedSnapshot()
+	if len(got) != 1 || got[0] != wsID {
+		t.Errorf("expected cpProv.Start invoked once with %q, got %v", wsID, got)
+	}
+}
+
+// TestProvisionWorkspaceAutoSync_NoBackendMarksFailed — sync variant
+// uses the same no-backend fallback as the async dispatcher: returns
+// false + marks failed. Pinning this so the two helpers stay
+// behaviorally identical except for the goroutine wrapper.
+func TestProvisionWorkspaceAutoSync_NoBackendMarksFailed(t *testing.T) {
+	mock := setupTestDB(t)
+	mock.MatchExpectationsInOrder(false)
+	mock.ExpectExec(`UPDATE workspaces SET status =`).
+		WithArgs(sqlmock.AnyArg(), sqlmock.AnyArg(), sqlmock.AnyArg()).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	bcast := &concurrentSafeBroadcaster{}
+	h := NewWorkspaceHandler(bcast, nil, "http://localhost:8080", t.TempDir())
+
+	ok := h.provisionWorkspaceAutoSync("ws-sync-noback", "", nil, models.CreateWorkspacePayload{
+		Name: "sync-test", Tier: 1, Runtime: "claude-code",
+	})
+	if ok {
+		t.Fatalf("expected provisionWorkspaceAutoSync to return false with no backend wired")
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("expected markProvisionFailed UPDATE to fire on no-backend path: %v", err)
+	}
+}
+
+// TestRunRestartCycle_UsesProvisionWorkspaceAutoSync — source-level pin
+// that runRestartCycle (Site 4) routes through the sync dispatcher
+// instead of inlining the if-cpProv-else dispatch. Phase 2 PR-B of
+// #2799 migrated this site.
+func TestRunRestartCycle_UsesProvisionWorkspaceAutoSync(t *testing.T) {
+	wd, err := os.Getwd()
+	if err != nil {
+		t.Fatalf("getwd: %v", err)
+	}
+	src, err := os.ReadFile(filepath.Join(wd, "workspace_restart.go"))
+	if err != nil {
+		t.Fatalf("read workspace_restart.go: %v", err)
+	}
+	stripped := stripGoComments(src)
+	if !bytes.Contains(stripped, []byte("h.provisionWorkspaceAutoSync(workspaceID")) {
+		t.Errorf("workspace_restart.go must call provisionWorkspaceAutoSync from runRestartCycle — current code does not. " +
+			"Phase 2 PR-B of #2799 migrated this site; do not regress to the inline if-cpProv-else dispatch.")
+	}
+}
+
+// TestPauseHandler_UsesStopWorkspaceAuto — Phase 3 of #2799 source-level
+// pin. Pause's per-workspace stop call must route through
+// StopWorkspaceAuto so SaaS tenants terminate the EC2 instead of leaking
+// it (same drift class as the team-collapse leak #2813 and the
+// workspace-delete leak #2814 closed by PR #2824).
+//
+// Pause-specific bookkeeping (mark paused, clear keys, broadcast)
+// stays in the Pause handler — only the "stop the running workload"
+// step delegates to the dispatcher. This pin asserts the dispatcher
+// is called from the Pause loop with `ws.id`.
+func TestPauseHandler_UsesStopWorkspaceAuto(t *testing.T) {
+	wd, err := os.Getwd()
+	if err != nil {
+		t.Fatalf("getwd: %v", err)
+	}
+	src, err := os.ReadFile(filepath.Join(wd, "workspace_restart.go"))
+	if err != nil {
+		t.Fatalf("read workspace_restart.go: %v", err)
+	}
+	stripped := stripGoComments(src)
+	if !bytes.Contains(stripped, []byte("h.StopWorkspaceAuto(ctx, ws.id)")) {
+		t.Errorf("workspace_restart.go must call StopWorkspaceAuto from the Pause loop with `ws.id` — current code does not. " +
+			"Phase 3 of #2799 migrated this site; do not regress to the inline `if h.provisioner != nil { Stop }` dispatch.")
+	}
+}
+
+// stripGoComments removes // line comments and /* */ block comments
+// from Go source. Imperfect (doesn't handle comments-inside-strings)
+// but adequate for the source-level pin tests in this file — none of
+// our gated needles legitimately appear inside string literals in the
+// handlers package.
+func stripGoComments(src []byte) []byte {
+	out := make([]byte, 0, len(src))
+	for i := 0; i < len(src); i++ {
+		// Block comment
+		if i+1 < len(src) && src[i] == '/' && src[i+1] == '*' {
+			i += 2
+			for i+1 < len(src) && !(src[i] == '*' && src[i+1] == '/') {
+				i++
+			}
+			i++ // skip closing /
+			continue
+		}
+		// Line comment — preserve the newline so line counts stay sane
+		if i+1 < len(src) && src[i] == '/' && src[i+1] == '/' {
+			for i < len(src) && src[i] != '\n' {
+				i++
+			}
+			if i < len(src) {
+				out = append(out, '\n')
+			}
+			continue
+		}
+		out = append(out, src[i])
+	}
+	return out
+}
diff --git a/workspace-server/internal/handlers/workspace_restart.go b/workspace-server/internal/handlers/workspace_restart.go
index 9ccab037..3b3097c4 100644
--- a/workspace-server/internal/handlers/workspace_restart.go
+++ b/workspace-server/internal/handlers/workspace_restart.go
@@ -199,33 +199,31 @@ func (h *WorkspaceHandler) Restart(c *gin.Context) {
 	// last_heartbeat_at with the new session. Issue #19 Layer 1.
 	restartData := loadRestartContextData(ctx, id)
 
-	// Dispatch to the correct provisioner. provisionWorkspaceOpts is the
-	// Docker path; provisionWorkspaceCP is the SaaS path. The Create
-	// handler already branches this way; Restart now mirrors it.
+	// Dispatch through the SoT restart dispatcher. RestartWorkspaceAutoOpts
+	// owns "which backend for stop" + "which backend for provision" and
+	// keeps the two halves in sync. resetClaudeSession is the one
+	// Docker-only per-invocation knob the dispatcher carries through.
 	//
-	// Stop runs inside this goroutine — NOT before the response — because
-	// CPProvisioner.Stop is synchronous DELETE /cp/workspaces/:id →
-	// CP → AWS EC2 terminate, which can exceed the canvas's 15s default
+	// Stop runs inside the dispatcher's stop leg (synchronous), then the
+	// provision leg fires in a goroutine — NOT before the response —
+	// because CPProvisioner.Stop is synchronous DELETE /cp/workspaces/:id
+	// → CP → AWS EC2 terminate, which can exceed the canvas's 15s default
 	// HTTP timeout when the platform has just redeployed (every tenant's
-	// CP request queues at once). Pre-fix the user saw a misleading
-	// "signal timed out" error on the canvas even though the restart
-	// actually succeeded — caught 2026-04-30 on hongmingwang hermes
+	// CP request queues at once). Pre-fix (2026-04-30) the user saw a
+	// misleading "signal timed out" on the canvas even though the
+	// restart actually succeeded — caught on hongmingwang hermes
 	// workspace 32993ee7-…cb9d75d112a5 right after the heartbeat-fix
-	// platform redeploy. Use context.Background() to detach from the
-	// request lifecycle so an aborted client connection doesn't cancel
-	// the in-flight Stop/provision pair.
+	// platform redeploy. context.Background() detaches the dispatch
+	// from the request lifecycle so an aborted client connection
+	// doesn't cancel the in-flight Stop/provision pair.
+	//
+	// Pre-2026-05-05 this site inlined the manual if-cpProv-else
+	// dispatch with Docker-FIRST ordering (a different drift class from
+	// the silent-drop bugs PRs #2811/#2824 closed). RestartWorkspaceAuto
+	// enforces CP-FIRST ordering matching the other dispatchers — see
+	// docs/architecture/backends.md.
 	go func() {
-		bgCtx := context.Background()
-		if h.provisioner != nil {
-			h.provisioner.Stop(bgCtx, id)
-		} else if h.cpProv != nil {
-			h.cpStopWithRetry(bgCtx, id, "Restart")
-		}
-		if h.cpProv != nil {
-			h.provisionWorkspaceCP(id, templatePath, configFiles, payload)
-		} else {
-			h.provisionWorkspaceOpts(id, templatePath, configFiles, payload, resetClaudeSession)
-		}
+		h.RestartWorkspaceAutoOpts(context.Background(), id, templatePath, configFiles, payload, resetClaudeSession)
 	}()
 	go h.sendRestartContext(id, restartData)
 
@@ -555,24 +553,22 @@ func (h *WorkspaceHandler) runRestartCycle(workspaceID string) {
 	restartData := loadRestartContextData(ctx, workspaceID)
 
 	// On auto-restart, do NOT re-apply templates — preserve existing config volume.
-	// SYNCHRONOUS provisionWorkspace: returns when the new container is up
-	// (or has failed). The outer loop relies on this to know when it's safe
-	// to start another restart cycle without racing this one's Stop call.
+	// provisionWorkspaceAutoSync is the SYNCHRONOUS dispatcher (mirrors
+	// provisionWorkspaceAuto but blocks instead of spawning a goroutine):
+	// returns when the new container is up (or has failed). The outer
+	// pending-flag loop in RestartByID relies on this to know when it's
+	// safe to start another restart cycle without racing this one's
+	// Stop call.
 	//
-	// Branch on which provisioner is wired — same dispatch as the other call
-	// sites in this package (workspace.go:431-433, workspace_restart.go:197+596).
-	// Pre-fix this only called the Docker variant, so on SaaS the auto-restart
-	// cycle would NPE inside provisionWorkspace's `h.provisioner.VolumeHasFile`
-	// call, get swallowed by coalesceRestart's recover()-without-re-raise (a
-	// platform-stability safeguard), and leave the workspace permanently
-	// stuck in status='provisioning' (the UPDATE above already ran). User-
-	// observable result before this fix on SaaS: dead workspace → manual
-	// canvas restart was the only recovery path.
-	if h.cpProv != nil {
-		h.provisionWorkspaceCP(workspaceID, "", nil, payload)
-	} else {
-		h.provisionWorkspace(workspaceID, "", nil, payload)
-	}
+	// Pre-2026-05-05 this site inlined the if-cpProv-else dispatch. On
+	// SaaS the cycle would NPE inside provisionWorkspace's
+	// `h.provisioner.VolumeHasFile` call, get swallowed by
+	// coalesceRestart's recover()-without-re-raise (a platform-stability
+	// safeguard), and leave the workspace permanently stuck in
+	// status='provisioning' (the UPDATE above already ran). User-
+	// observable result on SaaS pre-fix: dead workspace → manual canvas
+	// restart was the only recovery path.
+	h.provisionWorkspaceAutoSync(workspaceID, "", nil, payload)
 	// sendRestartContext is a one-way notification to the new container; safe
 	// to fire async — the next restart cycle won't depend on it completing.
 	go h.sendRestartContext(workspaceID, restartData)
@@ -617,10 +613,18 @@ func (h *WorkspaceHandler) Pause(c *gin.Context) {
 		}
 	}
 
-	// Stop containers and mark all as paused
+	// Stop containers and mark all as paused. StopWorkspaceAuto routes
+	// to whichever backend is wired (CP for SaaS, Docker for self-hosted)
+	// — pre-2026-05-05 this site inlined `if h.provisioner != nil { Stop }`,
+	// which silently leaked EC2s on every SaaS Pause (same drift class as
+	// the team-collapse leak #2813 and the workspace-delete leak #2814,
+	// both closed by PR #2824). StopWorkspaceAuto returns nil on no-backend
+	// (no-op), so the Pause-specific bookkeeping (mark paused, clear keys,
+	// broadcast) still fires regardless of whether anything was actually
+	// stopped — matches the pre-fix behavior on misconfigured deployments.
 	for _, ws := range toPause {
-		if h.provisioner != nil {
-			h.provisioner.Stop(ctx, ws.id)
+		if err := h.StopWorkspaceAuto(ctx, ws.id); err != nil {
+			log.Printf("Pause: stop %s failed: %v — orphan sweeper will reconcile", ws.id, err)
 		}
 		db.DB.ExecContext(ctx,
 			`UPDATE workspaces SET status = $1, url = '', updated_at = now() WHERE id = $2`, models.StatusPaused, ws.id)
@@ -698,14 +702,12 @@ func (h *WorkspaceHandler) Resume(c *gin.Context) {
 			"name": ws.name, "tier": ws.tier, "runtime": ws.runtime,
 		})
 		payload := models.CreateWorkspacePayload{Name: ws.name, Tier: ws.tier, Runtime: ws.runtime}
-		// Dispatch to the matching provisioner (mirrors the Create +
-		// Restart branching). SaaS tenants use cpProv; self-hosted Docker
-		// uses provisioner via provisionWorkspaceOpts.
-		if h.cpProv != nil {
-			go h.provisionWorkspaceCP(ws.id, "", nil, payload)
-		} else {
-			go h.provisionWorkspace(ws.id, "", nil, payload)
-		}
+		// Resume is provision-only (workspace is paused, no live container
+		// to stop). provisionWorkspaceAuto handles backend routing and the
+		// no-backend mark-failed fallback identically to Create. Pre-
+		// 2026-05-05 this site inlined the if-cpProv-else dispatch; the
+		// dispatcher is the SoT now.
+		h.provisionWorkspaceAuto(ws.id, "", nil, payload)
 	}
 
 	log.Printf("Resuming workspace %s (%s) + %d children", wsName, id, len(toResume)-1)
diff --git a/workspace-server/internal/router/admin_delegations_route_test.go b/workspace-server/internal/router/admin_delegations_route_test.go
new file mode 100644
index 00000000..062b6967
--- /dev/null
+++ b/workspace-server/internal/router/admin_delegations_route_test.go
@@ -0,0 +1,78 @@
+package router
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/DATA-DOG/go-sqlmock"
+	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
+	"github.com/Molecule-AI/molecule-monorepo/platform/internal/handlers"
+	"github.com/Molecule-AI/molecule-monorepo/platform/internal/middleware"
+	"github.com/gin-gonic/gin"
+)
+
+// admin_delegations_route_test.go — pin the RFC #2829 PR-4 wiring.
+//
+// Both the List and Stats endpoints must:
+//   1. Be registered at the documented path
+//   2. Be gated by AdminAuth (caller without a valid admin token → 401)
+//
+// Without this gate test, a future router refactor could silently drop
+// AdminAuth on these endpoints — the operator dashboard would still work
+// for the operator, but unauthenticated callers could pull the in-flight
+// delegation list including caller_id, callee_id, and task previews.
+
+func buildAdminDelegationsEngine(t *testing.T) *gin.Engine {
+	t.Helper()
+	gin.SetMode(gin.TestMode)
+	r := gin.New()
+	adH := handlers.NewAdminDelegationsHandler(db.DB)
+	r.GET("/admin/delegations", middleware.AdminAuth(db.DB), adH.List)
+	r.GET("/admin/delegations/stats", middleware.AdminAuth(db.DB), adH.Stats)
+	return r
+}
+
+// Both tests use the existing AdminAuth pattern: set ADMIN_TOKEN to disable
+// the dev-mode fail-open branch, and have HasAnyLiveTokenGlobal return ≥1
+// so AdminAuth enforces auth (rather than fail-open on fresh install).
+// Without these two switches AdminAuth would return 200 + invoke the
+// handler — defeating the gate test.
+
+func TestAdminDelegationsRoute_List_RequiresAdminAuth(t *testing.T) {
+	t.Setenv("ADMIN_TOKEN", "test-admin-secret-not-presented-by-caller")
+	mock := setupRouterTestDB(t)
+	mock.ExpectQuery("SELECT COUNT.*FROM workspace_auth_tokens").
+		WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(1))
+
+	r := buildAdminDelegationsEngine(t)
+	w := httptest.NewRecorder()
+	req := httptest.NewRequest("GET", "/admin/delegations", nil)
+	r.ServeHTTP(w, req)
+
+	if w.Code != http.StatusUnauthorized {
+		t.Errorf("expected 401 for unauthenticated request, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("sqlmock unmet: %v", err)
+	}
+}
+
+func TestAdminDelegationsRoute_Stats_RequiresAdminAuth(t *testing.T) {
+	t.Setenv("ADMIN_TOKEN", "test-admin-secret-not-presented-by-caller")
+	mock := setupRouterTestDB(t)
+	mock.ExpectQuery("SELECT COUNT.*FROM workspace_auth_tokens").
+		WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(1))
+
+	r := buildAdminDelegationsEngine(t)
+	w := httptest.NewRecorder()
+	req := httptest.NewRequest("GET", "/admin/delegations/stats", nil)
+	r.ServeHTTP(w, req)
+
+	if w.Code != http.StatusUnauthorized {
+		t.Errorf("expected 401 for unauthenticated request, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("sqlmock unmet: %v", err)
+	}
+}
diff --git a/workspace-server/internal/router/router.go b/workspace-server/internal/router/router.go
index 516aa99d..6ce1dcff 100644
--- a/workspace-server/internal/router/router.go
+++ b/workspace-server/internal/router/router.go
@@ -190,6 +190,18 @@ func Setup(hub *ws.Hub, broadcaster *events.Broadcaster, prov *provisioner.Provi
 		// to 'hibernated'. The workspace auto-wakes on the next A2A message.
 		wsAuth.POST("/hibernate", wh.Hibernate)
 
+		// External-workspace credential lifecycle (issue #319 follow-up to
+		// the Create flow). Both endpoints reject runtime ≠ external with
+		// 400 — see external_rotate.go for the rationale.
+		//
+		//   POST .../external/rotate     — mint fresh token, revoke prior,
+		//                                  return ExternalConnectionInfo
+		//   GET  .../external/connection — return ExternalConnectionInfo
+		//                                  with auth_token="" (re-show
+		//                                  instructions without rotating)
+		wsAuth.POST("/external/rotate", wh.RotateExternalCredentials)
+		wsAuth.GET("/external/connection", wh.GetExternalConnection)
+
 		// Async Delegation
 		delh := handlers.NewDelegationHandler(wh, broadcaster)
 		wsAuth.POST("/delegate", delh.Delegate)
@@ -217,6 +229,7 @@ func Setup(hub *ws.Hub, broadcaster *events.Broadcaster, prov *provisioner.Provi
 		wsAuth.POST("/memories", memsh.Commit)
 		wsAuth.GET("/memories", memsh.Search)
 		wsAuth.DELETE("/memories/:memoryId", memsh.Delete)
+		wsAuth.PATCH("/memories/:memoryId", memsh.Update)
 
 		// Approvals
 		apph := handlers.NewApprovalsHandler(broadcaster)
@@ -230,7 +243,7 @@ func Setup(hub *ws.Hub, broadcaster *events.Broadcaster, prov *provisioner.Provi
 		r.GET("/approvals/pending", middleware.AdminAuth(db.DB), apph.ListAll)
 
 		// Team Expansion
-		teamh := handlers.NewTeamHandler(broadcaster, prov, wh, platformURL, configsDir)
+		teamh := handlers.NewTeamHandler(broadcaster, wh, platformURL, configsDir)
 		wsAuth.POST("/expand", teamh.Expand)
 		wsAuth.POST("/collapse", teamh.Collapse)
 
@@ -432,6 +445,15 @@ func Setup(hub *ws.Hub, broadcaster *events.Broadcaster, prov *provisioner.Provi
 		r.POST("/admin/a2a-queue/drop-stale", middleware.AdminAuth(db.DB), qH.DropStale)
 	}
 
+	// Admin — RFC #2829 PR-4 dashboard endpoints over the durable
+	// `delegations` ledger (PR-1 schema). Operators triage in-flight,
+	// stuck, or failed delegations without direct DB access.
+	{
+		adH := handlers.NewAdminDelegationsHandler(db.DB)
+		r.GET("/admin/delegations", middleware.AdminAuth(db.DB), adH.List)
+		r.GET("/admin/delegations/stats", middleware.AdminAuth(db.DB), adH.Stats)
+	}
+
 	// Admin — workspace template image refresh. Pulls latest images from GHCR
 	// and recreates running ws-* containers so they adopt the new image.
 	// Final step of the runtime CD chain — see docs/workspace-runtime-package.md.
diff --git a/workspace-server/migrations/049_delegations.down.sql b/workspace-server/migrations/049_delegations.down.sql
new file mode 100644
index 00000000..03fccbc4
--- /dev/null
+++ b/workspace-server/migrations/049_delegations.down.sql
@@ -0,0 +1,5 @@
+DROP INDEX IF EXISTS idx_delegations_idempotency;
+DROP INDEX IF EXISTS idx_delegations_callee_created;
+DROP INDEX IF EXISTS idx_delegations_caller_created;
+DROP INDEX IF EXISTS idx_delegations_inflight_heartbeat;
+DROP TABLE IF EXISTS delegations;
diff --git a/workspace-server/migrations/049_delegations.up.sql b/workspace-server/migrations/049_delegations.up.sql
new file mode 100644
index 00000000..d306859a
--- /dev/null
+++ b/workspace-server/migrations/049_delegations.up.sql
@@ -0,0 +1,99 @@
+-- RFC #2829 PR-1: durable delegations ledger.
+--
+-- Today, delegation state is reconstructed by GROUPing activity_logs rows
+-- by delegation_id and ORDER BY created_at DESC. Three problems:
+--
+--   1. No queryable "what is currently in flight for this workspace" — every
+--      caller has to fold the event stream itself.
+--   2. No place to durably stamp last_heartbeat / deadline on a per-task
+--      basis, so a stuck-task sweeper has nothing to scan.
+--   3. The 600s message/send proxy timeout (the user's 2026-05-05 home-hermes
+--      iteration-14/90 incident) leaves the in-flight HTTP connection holding
+--      all the state — caller restart, callee restart, proxy timeout all kill
+--      the delegation. activity_logs can replay the *intent* but not the
+--      *current state* without the row that says "yes this is still alive".
+--
+-- This table is the durable ledger that PRs #2-#4 build on:
+--   PR-2 — push result to caller's inbox + use this row to track readiness
+--   PR-3 — sweeper joins on (status='in_progress', last_heartbeat<now-N)
+--   PR-4 — operator dashboard reads SELECT * WHERE status NOT IN ('completed','failed')
+--
+-- Delegation lifecycle:
+--   queued     — caller recorded intent, target unreachable / busy queue
+--   dispatched — A2A request sent to target's HTTP server
+--   in_progress — target acknowledged + started work
+--   completed  — terminal: result delivered to caller
+--   failed     — terminal: gave up after retries
+--   stuck      — terminal-ish: sweeper couldn't reach target for >threshold;
+--                operator can transition to failed via dashboard (PR-4)
+
+CREATE TABLE IF NOT EXISTS delegations (
+    -- delegation_id chosen by the caller so callee + caller agree on the key
+    -- without a database round-trip. UUID, but stored as TEXT to match the
+    -- existing agent-side string contract (delegation.py uses str(uuid4())).
+    delegation_id  text PRIMARY KEY,
+
+    -- Caller is the workspace that initiated the delegation. Callee is the
+    -- target. Both reference workspaces, but we don't FK them — workspace
+    -- delete should NOT cascade-delete delegations history (audit retention).
+    -- Same posture as tenant_resources (PR #2343).
+    caller_id      uuid NOT NULL,
+    callee_id      uuid NOT NULL,
+
+    -- Truncated at insertion so a 50KB prompt doesn't bloat the ledger; the
+    -- full prompt lives in activity_logs.request_body for forensic replay.
+    task_preview   text NOT NULL,
+
+    status         text NOT NULL DEFAULT 'queued'
+        CHECK (status IN ('queued','dispatched','in_progress','completed','failed','stuck')),
+
+    -- Stamped by callee heartbeats (PR-3 sweeper compares to NOW()). NULL
+    -- before any heartbeat — sweeper treats NULL same as last_heartbeat
+    -- < (created_at) for stuckness purposes.
+    last_heartbeat timestamptz,
+
+    -- Hard deadline. Beyond this, sweeper marks `failed` regardless of
+    -- heartbeat liveness — protects against agents that heartbeat forever
+    -- without making progress. Default 6h matches the longest-observed legit
+    -- delegation in production (memory-namespace migration runs).
+    deadline       timestamptz NOT NULL DEFAULT (now() + interval '6 hours'),
+
+    -- Truncated result preview (full result in activity_logs response_body).
+    -- Set on terminal completed transition.
+    result_preview text,
+
+    -- Set on failed/stuck terminal transition.
+    error_detail   text,
+
+    -- For PR-3 retry policy. Not used in PR-1 — declared so PR-3 doesn't
+    -- need a follow-on migration.
+    retry_count    integer NOT NULL DEFAULT 0,
+
+    created_at     timestamptz NOT NULL DEFAULT now(),
+    updated_at     timestamptz NOT NULL DEFAULT now(),
+
+    -- Idempotency: the agent-side delegate_task call accepts an idempotency
+    -- key. Two records of the same key collapse to one row. Indexed UNIQUE
+    -- where non-null so the natural collision becomes an INSERT … ON
+    -- CONFLICT no-op.
+    idempotency_key text
+);
+
+-- Sweeper hot path (PR-3): list everything that's in_progress and overdue
+-- for a heartbeat. Partial index on non-terminal status keeps this small.
+CREATE INDEX IF NOT EXISTS idx_delegations_inflight_heartbeat
+    ON delegations (last_heartbeat NULLS FIRST)
+    WHERE status IN ('queued','dispatched','in_progress');
+
+-- Operator dashboard (PR-4): per-workspace recent delegations.
+CREATE INDEX IF NOT EXISTS idx_delegations_caller_created
+    ON delegations (caller_id, created_at DESC);
+
+CREATE INDEX IF NOT EXISTS idx_delegations_callee_created
+    ON delegations (callee_id, created_at DESC);
+
+-- Idempotency dedupe: composite (caller_id, idempotency_key) so two
+-- different callers can use the same key without colliding.
+CREATE UNIQUE INDEX IF NOT EXISTS idx_delegations_idempotency
+    ON delegations (caller_id, idempotency_key)
+    WHERE idempotency_key IS NOT NULL;
diff --git a/workspace/a2a_client.py b/workspace/a2a_client.py
index 3dbf33fa..7cd151bf 100644
--- a/workspace/a2a_client.py
+++ b/workspace/a2a_client.py
@@ -9,8 +9,11 @@ import logging
 import os
 import random
 import re
+import threading
 import time
 import uuid
+from collections import OrderedDict
+from concurrent.futures import ThreadPoolExecutor
 
 import httpx
 
@@ -50,13 +53,29 @@ _peer_to_source: dict[str, str] = {}
 # Cache workspace ID → full peer record (id, name, role, status, url, ...).
 # Populated by tool_list_peers and by the lazy registry lookup in
 # enrich_peer_metadata. The notification-callback path (channel envelope
-# enrichment) reads this cache on every inbound peer_agent push, so a
-# bare ``dict[str, tuple[float, dict | None]]`` is the fastest read
-# shape; entries carry their fetched-at timestamp so TTL eviction is
-# in-line with the lookup. ``None`` as the record is the negative-cache
-# sentinel: registry failure is cached for one TTL window so we don't
-# re-fire the 2s-bounded GET on every push from a flaky peer.
-_peer_metadata: dict[str, tuple[float, dict | None]] = {}
+# enrichment) reads this cache on every inbound peer_agent push, so the
+# read shape stays a dict-like ``__getitem__`` lookup; entries carry
+# their fetched-at timestamp so TTL eviction is in-line with the
+# lookup. ``None`` as the record is the negative-cache sentinel:
+# registry failure is cached for one TTL window so we don't re-fire
+# the 2s-bounded GET on every push from a flaky peer.
+#
+# OrderedDict + maxsize bound (#2482): pre-fix this was an unbounded
+# ``dict``, so a workspace receiving from N distinct peers across its
+# lifetime accumulated ~100 bytes/entry × N indefinitely. At 10K peers
+# that's ~1 MB; at 100K (a chatty platform-wide router) ~10 MB; not
+# crash-class but unbounded. The LRU bound caps memory + the TTL caps
+# per-entry staleness — both gates are needed because a runaway poller
+# touching N new peer_ids per push could grow within a single TTL
+# window.
+#
+# All reads / writes go through ``_peer_metadata_get`` /
+# ``_peer_metadata_set`` so the LRU move-to-end + size-trim invariants
+# stay co-located. Direct mutation is allowed only in test fixtures
+# (clearing for isolation); production code path uses the helpers.
+_PEER_METADATA_MAXSIZE = 1024
+_peer_metadata: "OrderedDict[str, tuple[float, dict | None]]" = OrderedDict()
+_peer_metadata_lock = threading.Lock()
 
 # How long an entry in ``_peer_metadata`` is treated as fresh. 5 minutes
 # is the same window we use for delegation routing — long enough that a
@@ -66,6 +85,176 @@ _peer_metadata: dict[str, tuple[float, dict | None]] = {}
 _PEER_METADATA_TTL_SECONDS = 300.0
 
 
+def _peer_metadata_get(canon: str) -> tuple[float, dict | None] | None:
+    """Read with LRU touch — moves the entry to the most-recently-used
+    position so steady-state pushes from a busy peer don't get evicted
+    by a cold-start burst from new peers. Returns the raw tuple shape
+    callers expect; TTL eviction stays at the call site.
+    """
+    with _peer_metadata_lock:
+        entry = _peer_metadata.get(canon)
+        if entry is not None:
+            _peer_metadata.move_to_end(canon)
+        return entry
+
+
+def _peer_metadata_set(canon: str, value: tuple[float, dict | None]) -> None:
+    """Write + evict-if-over-maxsize. The eviction is in-process and
+    cheap (popitem(last=False) on an OrderedDict is O(1)). Holding the
+    lock across the trim keeps the size invariant stable under concurrent
+    writes from background enrichment workers.
+    """
+    with _peer_metadata_lock:
+        _peer_metadata[canon] = value
+        _peer_metadata.move_to_end(canon)
+        # Trim the oldest entries until at-or-below maxsize. The bound
+        # is a soft cap — a single overrun (set called when at maxsize)
+        # evicts the LRU entry before returning, never letting size
+        # exceed maxsize.
+        while len(_peer_metadata) > _PEER_METADATA_MAXSIZE:
+            _peer_metadata.popitem(last=False)
+
+
+# Background-fetch executor for enrich_peer_metadata_nonblocking (#2484).
+# A small pool — peers are highly TTL-cached, so the steady-state load
+# is "one fetch per peer per 5 minutes." Two workers handle the cold-
+# start burst when an agent starts receiving pushes from a new peer for
+# the first time without backing up the inbox poller. Daemon threads:
+# the executor must NOT block process exit if the inbox shuts down.
+_enrich_executor: ThreadPoolExecutor | None = None
+_enrich_executor_lock = threading.Lock()
+
+# In-flight peer IDs — guards against a single peer's repeated pushes
+# scheduling N concurrent registry fetches before the first one fills
+# the cache. Set membership is "a worker is currently fetching this
+# peer; subsequent calls should NOT schedule another."
+_enrich_in_flight: set[str] = set()
+_enrich_in_flight_lock = threading.Lock()
+
+
+def _get_enrich_executor() -> ThreadPoolExecutor:
+    """Lazy-init the enrichment worker pool. Lazy because most test
+    fixtures and short-lived CLI invocations don't need it; only the
+    long-running molecule-mcp / inbox-poller path actually schedules
+    background fetches.
+    """
+    global _enrich_executor
+    if _enrich_executor is not None:
+        return _enrich_executor
+    with _enrich_executor_lock:
+        if _enrich_executor is None:
+            _enrich_executor = ThreadPoolExecutor(
+                max_workers=2,
+                thread_name_prefix="enrich-peer",
+            )
+    return _enrich_executor
+
+
+def enrich_peer_metadata_nonblocking(
+    peer_id: str,
+    source_workspace_id: str | None = None,
+) -> dict | None:
+    """Cache-first variant of ``enrich_peer_metadata`` — returns
+    immediately without blocking on a registry GET.
+
+    Behavior:
+      - Cache hit (fresh): return the cached record.
+      - Cache miss or TTL expired: schedule a background fetch via the
+        worker pool, return ``None`` (caller renders bare peer_id).
+        The next push for this peer hits the warm cache and gets the
+        full record.
+
+    Why this exists (#2484): the inbox poller's notification callback
+    in molecule-mcp called the synchronous ``enrich_peer_metadata`` on
+    every push, blocking the poller for up to 2s × N uncached peers
+    per batch. Push-delivery latency was gated on registry latency —
+    the exact thing the negative-cache patch in PR #2471 was supposed
+    to avoid amplifying. Moving the fetch off the poller thread means
+    push delivery is bounded by the inbox poll interval, never by
+    registry RTT.
+
+    Trade-off: the FIRST push from a new peer arrives metadata-light
+    (no name/role). The MCP host renders the bare peer_id. Subsequent
+    pushes (within the 5-min TTL) hit the warm cache and get the full
+    record. Acceptable because:
+      - Channel-envelope enrichment is a UX nicety, not a correctness
+        invariant.
+      - The cold-cache window per peer is bounded to one push.
+      - The TTL is long enough that an active conversation never
+        re-enters the cold state.
+    """
+    canon = _validate_peer_id(peer_id)
+    if canon is None:
+        return None
+    current = time.monotonic()
+    cached = _peer_metadata_get(canon)
+    if cached is not None:
+        fetched_at, record = cached
+        if current - fetched_at < _PEER_METADATA_TTL_SECONDS:
+            return record
+    # Schedule background fetch unless one is already in flight for this
+    # peer. The synchronous version atomically reads-then-writes; the
+    # async version splits that into "schedule fetch" + "fetch fills
+    # cache later." The in-flight set keeps a flurry of pushes from
+    # one peer (e.g., a chatty agent) from spawning N parallel GETs.
+    with _enrich_in_flight_lock:
+        if canon in _enrich_in_flight:
+            return None
+        _enrich_in_flight.add(canon)
+    try:
+        _get_enrich_executor().submit(
+            _enrich_peer_metadata_worker, canon, source_workspace_id
+        )
+    except RuntimeError:
+        # Executor was shut down (process exit path) — drop the request,
+        # let the caller render bare peer_id.
+        with _enrich_in_flight_lock:
+            _enrich_in_flight.discard(canon)
+    return None
+
+
+def _enrich_peer_metadata_worker(
+    canon: str, source_workspace_id: str | None
+) -> None:
+    """Background-thread body for ``enrich_peer_metadata_nonblocking``.
+    Runs the same fetch logic as the synchronous helper but discards
+    the return value — the cache write is the only output anyone
+    needs. Always clears the in-flight marker so a future cache miss
+    can retry.
+    """
+    try:
+        enrich_peer_metadata(canon, source_workspace_id)
+    except Exception as exc:  # noqa: BLE001
+        # Background workers must not crash the executor — log and
+        # move on. The negative-cache path inside enrich_peer_metadata
+        # already records failures, so a re-attempt is rate-limited
+        # by TTL.
+        logger.debug("_enrich_peer_metadata_worker: %s failed: %s", canon, exc)
+    finally:
+        with _enrich_in_flight_lock:
+            _enrich_in_flight.discard(canon)
+
+
+def _wait_for_enrichment_inflight_for_testing(timeout: float = 2.0) -> None:
+    """Block until all in-flight enrichment workers have completed.
+
+    Test-only helper. Production code never has a reason to wait — the
+    point of the nonblocking path is that callers don't care when the
+    cache fills. Tests that want to assert "after the worker runs, the
+    cache has the record" use this to synchronise without sleeping.
+
+    Polls ``_enrich_in_flight`` rather than holding a Condition because
+    the worker pool is already serializing through ``_enrich_in_flight_lock``;
+    poll keeps the production hot path lock-free.
+    """
+    deadline = time.monotonic() + timeout
+    while time.monotonic() < deadline:
+        with _enrich_in_flight_lock:
+            if not _enrich_in_flight:
+                return
+        time.sleep(0.01)
+
+
 def enrich_peer_metadata(
     peer_id: str,
     source_workspace_id: str | None = None,
@@ -99,7 +288,7 @@ def enrich_peer_metadata(
         return None
 
     current = now if now is not None else time.monotonic()
-    cached = _peer_metadata.get(canon)
+    cached = _peer_metadata_get(canon)
     if cached is not None:
         fetched_at, record = cached
         if current - fetched_at < _PEER_METADATA_TTL_SECONDS:
@@ -115,26 +304,26 @@ def enrich_peer_metadata(
             resp = client.get(url, headers={"X-Workspace-ID": src, **auth_headers(src)})
     except Exception as exc:  # noqa: BLE001
         logger.debug("enrich_peer_metadata: GET %s failed: %s", url, exc)
-        _peer_metadata[canon] = (current, None)
+        _peer_metadata_set(canon, (current, None))
         return None
 
     if resp.status_code != 200:
         logger.debug(
             "enrich_peer_metadata: %s returned HTTP %d", url, resp.status_code
         )
-        _peer_metadata[canon] = (current, None)
+        _peer_metadata_set(canon, (current, None))
         return None
 
     try:
         data = resp.json()
     except Exception:  # noqa: BLE001
-        _peer_metadata[canon] = (current, None)
+        _peer_metadata_set(canon, (current, None))
         return None
     if not isinstance(data, dict):
-        _peer_metadata[canon] = (current, None)
+        _peer_metadata_set(canon, (current, None))
         return None
 
-    _peer_metadata[canon] = (current, data)
+    _peer_metadata_set(canon, (current, data))
     if name := data.get("name"):
         _peer_names[canon] = name
     return data
diff --git a/workspace/a2a_mcp_server.py b/workspace/a2a_mcp_server.py
index 687c62fd..72d5f33c 100644
--- a/workspace/a2a_mcp_server.py
+++ b/workspace/a2a_mcp_server.py
@@ -55,6 +55,7 @@ from a2a_client import (  # noqa: F401, E402
     _validate_peer_id,
     discover_peer,
     enrich_peer_metadata,
+    enrich_peer_metadata_nonblocking,
     get_peers,
     get_workspace_info,
     send_a2a_message,
@@ -498,7 +499,15 @@ def _build_channel_notification(msg: dict) -> dict:
             meta["peer_id"] = ""
         else:
             meta["peer_id"] = safe_peer_id
-            record = enrich_peer_metadata(safe_peer_id)
+            # Cache-first non-blocking enrichment (#2484): on cache miss
+            # this returns None immediately and schedules a background
+            # fetch. The first push for a new peer renders bare
+            # peer_id; the next push (within the 5-min TTL) hits the
+            # warm cache and gets full name/role. Push-delivery latency
+            # is bounded by the inbox poll interval, never by registry
+            # RTT — closes the gap that PR #2471's negative-cache path
+            # was meant to avoid amplifying.
+            record = enrich_peer_metadata_nonblocking(safe_peer_id)
             if record is not None:
                 # Sanitise BEFORE storing in meta so both the JSON-RPC
                 # envelope and the rendered content (via
diff --git a/workspace/a2a_tools.py b/workspace/a2a_tools.py
index 922a45e0..55a19758 100644
--- a/workspace/a2a_tools.py
+++ b/workspace/a2a_tools.py
@@ -191,6 +191,145 @@ async def report_activity(
         pass  # Best-effort — don't block delegation on activity reporting
 
 
+# RFC #2829 PR-5 cutover constants. The poll cadence + timeout are
+# intentionally generous: 3s gives the platform's executeDelegation
+# goroutine room to dispatch + the callee to respond + the result to
+# write to activity_logs without thrashing the platform with rapid
+# polls; the budget matches the legacy DELEGATION_TIMEOUT (300s) so
+# operators don't see behavior change beyond "no more 600s timeouts".
+_SYNC_POLL_INTERVAL_S = 3.0
+_SYNC_POLL_BUDGET_S = float(os.environ.get("DELEGATION_TIMEOUT", "300.0"))
+
+
+async def _delegate_sync_via_polling(
+    workspace_id: str,
+    task: str,
+    src: str,
+) -> str:
+    """RFC #2829 PR-5: durable async delegation + poll for terminal status.
+
+    Sidesteps the platform proxy's blocking `message/send` HTTP path that
+    hits a hard 600s ceiling. Instead:
+
+      1. POST /workspaces/<src>/delegate (async, returns 202 + delegation_id)
+         — platform's executeDelegation goroutine handles A2A dispatch in
+         the background. No client-side timeout dependency on the platform
+         holding a connection open.
+      2. Poll GET /workspaces/<src>/delegations every 3s for a row with
+         matching delegation_id reaching terminal status (completed/failed).
+      3. Return the response_preview text on completed; surface error_detail
+         on failed (with the same _A2A_ERROR_PREFIX wrapping the legacy
+         path uses, so caller error-detection logic is unchanged).
+
+    Both /delegate and /delegations are existing endpoints — this helper
+    just composes them into a polling synchronous facade. The result is
+    available the moment the platform writes the terminal status row;
+    no extra latency vs. the legacy proxy-blocked path on fast cases.
+    """
+    import asyncio
+    import time
+
+    idem_key = hashlib.sha256(f"{src}:{workspace_id}:{task}".encode()).hexdigest()[:32]
+
+    # 1. Dispatch via /delegate (the async, durable path).
+    try:
+        async with httpx.AsyncClient(timeout=10.0) as client:
+            resp = await client.post(
+                f"{PLATFORM_URL}/workspaces/{src}/delegate",
+                json={
+                    "target_id": workspace_id,
+                    "task": task,
+                    "idempotency_key": idem_key,
+                },
+                headers=_auth_headers_for_heartbeat(src),
+            )
+    except Exception as e:  # pylint: disable=broad-except
+        return f"{_A2A_ERROR_PREFIX}delegate dispatch failed: {e}"
+
+    if resp.status_code != 202 and resp.status_code != 200:
+        return f"{_A2A_ERROR_PREFIX}delegate dispatch failed: HTTP {resp.status_code} {resp.text[:200]}"
+
+    try:
+        dispatch = resp.json()
+    except Exception as e:  # pylint: disable=broad-except
+        return f"{_A2A_ERROR_PREFIX}delegate dispatch returned non-JSON: {e}"
+
+    delegation_id = dispatch.get("delegation_id", "")
+    if not delegation_id:
+        return f"{_A2A_ERROR_PREFIX}delegate dispatch missing delegation_id: {dispatch}"
+
+    # 2. Poll for terminal status with a deadline. Each poll is a cheap
+    # /delegations GET — bounded by the platform's existing rate limit.
+    deadline = time.monotonic() + _SYNC_POLL_BUDGET_S
+    last_status = "unknown"
+    while time.monotonic() < deadline:
+        try:
+            async with httpx.AsyncClient(timeout=10.0) as client:
+                poll = await client.get(
+                    f"{PLATFORM_URL}/workspaces/{src}/delegations",
+                    headers=_auth_headers_for_heartbeat(src),
+                )
+        except Exception as e:  # pylint: disable=broad-except
+            # Transient — keep polling. The platform IS holding the
+            # delegation row; we just lost a network request.
+            last_status = f"poll-error: {e}"
+            await asyncio.sleep(_SYNC_POLL_INTERVAL_S)
+            continue
+
+        if poll.status_code != 200:
+            last_status = f"poll HTTP {poll.status_code}"
+            await asyncio.sleep(_SYNC_POLL_INTERVAL_S)
+            continue
+
+        try:
+            rows = poll.json()
+        except Exception as e:  # pylint: disable=broad-except
+            last_status = f"poll non-JSON: {e}"
+            await asyncio.sleep(_SYNC_POLL_INTERVAL_S)
+            continue
+
+        # /delegations returns a flat list of delegation events. Filter to
+        # our delegation_id; pick the first terminal one. The list may
+        # have multiple rows per delegation_id (one for the original
+        # dispatch, one per status update); we want the latest terminal.
+        if not isinstance(rows, list):
+            await asyncio.sleep(_SYNC_POLL_INTERVAL_S)
+            continue
+        terminal = None
+        for r in rows:
+            if not isinstance(r, dict):
+                continue
+            if r.get("delegation_id") != delegation_id:
+                continue
+            status = (r.get("status") or "").lower()
+            last_status = status
+            if status in ("completed", "failed"):
+                terminal = r
+                break
+        if terminal:
+            if (terminal.get("status") or "").lower() == "completed":
+                return terminal.get("response_preview") or ""
+            err = (
+                terminal.get("error_detail")
+                or terminal.get("summary")
+                or "delegation failed"
+            )
+            return f"{_A2A_ERROR_PREFIX}{err}"
+
+        await asyncio.sleep(_SYNC_POLL_INTERVAL_S)
+
+    # Budget exhausted — the platform's row is still in flight (or queued).
+    # Surface as an error so the caller can decide to retry or fall back;
+    # the platform DOES still have the durable row, so the work isn't
+    # lost — it'll complete eventually and a future check_task_status
+    # will surface the result.
+    return (
+        f"{_A2A_ERROR_PREFIX}polling timeout after {_SYNC_POLL_BUDGET_S}s "
+        f"(delegation_id={delegation_id}, last_status={last_status}); "
+        f"the platform is still working on it — call check_task_status('{delegation_id}') to retrieve later"
+    )
+
+
 async def tool_delegate_task(
     workspace_id: str,
     task: str,
@@ -229,10 +368,22 @@ async def tool_delegate_task(
     # Brief summary for canvas display — just the delegation target
     await report_activity("a2a_send", workspace_id, f"Delegating to {peer_name}", task_text=task)
 
-    # send_a2a_message routes through ${PLATFORM_URL}/workspaces/{id}/a2a
-    # (the platform proxy) so the same code works for in-container and
-    # external (standalone molecule-mcp) callers.
-    result = await send_a2a_message(workspace_id, task, source_workspace_id=src)
+    # RFC #2829 PR-5: agent-side cutover. When DELEGATION_SYNC_VIA_INBOX=1,
+    # use the platform's durable async delegation API (POST /delegate +
+    # poll /delegations) instead of the proxy-blocked message/send path.
+    # This sidesteps the 600s message/send timeout class that broke
+    # iteration-14/90-style long-running delegations on 2026-05-05.
+    #
+    # Default off — staging-canary first, flip default after PR-2's
+    # result-push flag (DELEGATION_RESULT_INBOX_PUSH) has been on for
+    # ≥1 week without incident.
+    if os.environ.get("DELEGATION_SYNC_VIA_INBOX") == "1":
+        result = await _delegate_sync_via_polling(workspace_id, task, src or WORKSPACE_ID)
+    else:
+        # send_a2a_message routes through ${PLATFORM_URL}/workspaces/{id}/a2a
+        # (the platform proxy) so the same code works for in-container and
+        # external (standalone molecule-mcp) callers.
+        result = await send_a2a_message(workspace_id, task, source_workspace_id=src)
 
     # Detect delegation failures — wrap them clearly so the calling agent
     # can decide to retry, use another peer, or handle the task itself.
diff --git a/workspace/tests/test_a2a_mcp_server.py b/workspace/tests/test_a2a_mcp_server.py
index 1a690830..25f46e6f 100644
--- a/workspace/tests/test_a2a_mcp_server.py
+++ b/workspace/tests/test_a2a_mcp_server.py
@@ -3,6 +3,7 @@
 import asyncio
 import json
 import os
+import time
 
 from unittest.mock import AsyncMock, MagicMock, patch
 
@@ -507,11 +508,22 @@ def _reset_peer_metadata_cache(monkeypatch):
     """Each test starts with a clean ``_peer_metadata`` cache so an
     earlier test's hit doesn't satisfy a later test's miss. Mutates the
     module-level dict in place rather than reassigning so other modules
-    that imported the dict by reference still see the same instance."""
+    that imported the dict by reference still see the same instance.
+
+    Also drains and clears ``_enrich_in_flight`` (#2484): a previous
+    test's background fetch worker can leave a peer marked in-flight,
+    and the next test's nonblocking call would short-circuit without
+    scheduling a fetch. Drain BEFORE clearing in case a worker is
+    mid-execution and writes to ``_peer_metadata`` after the clear.
+    """
     import a2a_client
+    a2a_client._wait_for_enrichment_inflight_for_testing(timeout=2.0)
     a2a_client._peer_metadata.clear()
+    a2a_client._enrich_in_flight.clear()
     yield
+    a2a_client._wait_for_enrichment_inflight_for_testing(timeout=2.0)
     a2a_client._peer_metadata.clear()
+    a2a_client._enrich_in_flight.clear()
 
 
 def _make_httpx_response(status_code: int, json_body: object) -> MagicMock:
@@ -586,9 +598,16 @@ def test_envelope_enrichment_uses_cache_when_present(_reset_peer_metadata_cache)
 
 
 def test_envelope_enrichment_fetches_on_cache_miss(_reset_peer_metadata_cache):
-    """Cache miss + registry hit: GET fires, response cached, meta
-    carries fetched fields. Subsequent build for the same peer must
-    NOT re-fetch (cache populated by first call)."""
+    """Cache miss: nonblocking enrichment returns None on the first
+    push (first push arrives metadata-light), schedules a background
+    fetch that populates the cache, second push hits the warm cache.
+
+    Pre-2026-05-05 (#2484) the first push was synchronous: the inbox
+    poller blocked up to 2s on the registry GET before delivering. The
+    nonblocking path means push delivery is bounded by the inbox poll
+    interval, never by registry RTT — at the cost of one push per peer
+    per TTL window arriving without name/role.
+    """
     import a2a_client
     from a2a_mcp_server import _build_channel_notification
 
@@ -602,22 +621,39 @@ def test_envelope_enrichment_fetches_on_cache_miss(_reset_peer_metadata_cache):
         payload1 = _build_channel_notification({
             "peer_id": _PEER_UUID, "kind": "peer_agent", "text": "first",
         })
+        # First push: bare peer_id, fetch is in-flight in the background.
+        # peer_name / peer_role NOT yet present.
+        assert "peer_name" not in payload1["params"]["meta"]
+        assert "peer_role" not in payload1["params"]["meta"]
+
+        # Wait for the background worker to finish populating the cache.
+        a2a_client._wait_for_enrichment_inflight_for_testing(timeout=2.0)
+
         payload2 = _build_channel_notification({
             "peer_id": _PEER_UUID, "kind": "peer_agent", "text": "second",
         })
 
+    # Worker fired exactly one GET (cache miss → fetch); the second push
+    # hit the warm cache and DID NOT fire another GET.
     assert client.get.call_count == 1, (
         f"second push for same peer must use cache, got {client.get.call_count} GETs"
     )
-    assert payload1["params"]["meta"]["peer_name"] == "fetched-name"
+    # Second push has the enriched fields the worker stored.
     assert payload2["params"]["meta"]["peer_name"] == "fetched-name"
+    assert payload2["params"]["meta"]["peer_role"] == "router"
 
 
 def test_envelope_enrichment_degrades_on_registry_failure(_reset_peer_metadata_cache):
     """Registry returns 500 (or 4xx, or network error): enrichment
     silently degrades to bare peer_id. The push must not crash, the
     push must not block, and the agent_card_url must still surface
-    because it's constructable from peer_id alone."""
+    because it's constructable from peer_id alone.
+
+    Post-#2484 the first push always degrades to bare peer_id (the
+    background fetch hasn't run yet); this test captures that
+    "degrades on cache miss + failure path doesn't break" stays true.
+    """
+    import a2a_client
     from a2a_mcp_server import _build_channel_notification
 
     p, _ = _patch_httpx_client(_make_httpx_response(500, {}))
@@ -630,6 +666,9 @@ def test_envelope_enrichment_degrades_on_registry_failure(_reset_peer_metadata_c
             "method": "message/send",
             "created_at": "2026-05-01T00:00:00Z",
         })
+        # Drain the background fetch so a follow-up test starting with
+        # this peer in-flight doesn't see ghost state.
+        a2a_client._wait_for_enrichment_inflight_for_testing(timeout=2.0)
 
     meta = payload["params"]["meta"]
     assert meta["peer_id"] == _PEER_UUID
@@ -649,7 +688,13 @@ def test_envelope_enrichment_negative_caches_registry_failure(_reset_peer_metada
     exact scenarios it most needs to defend against, and the poller
     thread stalls 2s per push for that peer until the registry comes
     back. Pin: two pushes from a 5xx-returning peer fire exactly one
-    GET, not two."""
+    GET, not two.
+
+    Post-#2484 the GETs run in a background worker, so the test waits
+    for in-flight to drain between pushes — the negative-cache write
+    must land in `_peer_metadata` before the second push consults it.
+    """
+    import a2a_client
     from a2a_mcp_server import _build_channel_notification
 
     p, client = _patch_httpx_client(_make_httpx_response(500, {}))
@@ -657,9 +702,13 @@ def test_envelope_enrichment_negative_caches_registry_failure(_reset_peer_metada
         payload1 = _build_channel_notification({
             "peer_id": _PEER_UUID, "kind": "peer_agent", "text": "first",
         })
+        # Wait for the worker to write the negative-cache entry before
+        # the second push reads it.
+        a2a_client._wait_for_enrichment_inflight_for_testing(timeout=2.0)
         payload2 = _build_channel_notification({
             "peer_id": _PEER_UUID, "kind": "peer_agent", "text": "second",
         })
+        a2a_client._wait_for_enrichment_inflight_for_testing(timeout=2.0)
 
     assert client.get.call_count == 1, (
         f"second push from a 5xx-returning peer must use the negative "
@@ -692,7 +741,9 @@ def test_envelope_enrichment_negative_caches_network_exception(_reset_peer_metad
     client.get = MagicMock(side_effect=_httpx.ConnectError("dns down"))
     with patch("httpx.Client", return_value=client):
         _build_channel_notification({"peer_id": _PEER_UUID, "kind": "peer_agent"})
+        a2a_client._wait_for_enrichment_inflight_for_testing(timeout=2.0)
         _build_channel_notification({"peer_id": _PEER_UUID, "kind": "peer_agent"})
+        a2a_client._wait_for_enrichment_inflight_for_testing(timeout=2.0)
 
     assert client.get.call_count == 1, (
         f"network exceptions must be negative-cached, got "
@@ -728,7 +779,9 @@ def test_envelope_enrichment_negative_caches_non_json_200(_reset_peer_metadata_c
     p, client = _patch_httpx_client(resp)
     with p:
         _build_channel_notification({"peer_id": _PEER_UUID, "kind": "peer_agent", "text": "first"})
+        a2a_client._wait_for_enrichment_inflight_for_testing(timeout=2.0)
         _build_channel_notification({"peer_id": _PEER_UUID, "kind": "peer_agent", "text": "second"})
+        a2a_client._wait_for_enrichment_inflight_for_testing(timeout=2.0)
 
     assert client.get.call_count == 1, (
         f"non-JSON 200 must be negative-cached, got {client.get.call_count} GETs"
@@ -756,7 +809,9 @@ def test_envelope_enrichment_negative_caches_non_dict_json_200(_reset_peer_metad
     )
     with p:
         _build_channel_notification({"peer_id": _PEER_UUID, "kind": "peer_agent", "text": "first"})
+        a2a_client._wait_for_enrichment_inflight_for_testing(timeout=2.0)
         _build_channel_notification({"peer_id": _PEER_UUID, "kind": "peer_agent", "text": "second"})
+        a2a_client._wait_for_enrichment_inflight_for_testing(timeout=2.0)
 
     assert client.get.call_count == 1, (
         f"non-dict JSON 200 must be negative-cached, got {client.get.call_count} GETs"
@@ -792,13 +847,25 @@ def test_envelope_enrichment_re_fetches_after_ttl(_reset_peer_metadata_cache):
         )
     )
     with p:
-        payload = _build_channel_notification({
+        # First push: stale cache → background fetch scheduled; the
+        # nonblocking path returns None when the entry is past TTL,
+        # so this first push degrades to bare peer_id (no peer_name).
+        # Wait for the background worker to fill the cache, then issue
+        # a second push to confirm it picked up the fresh values.
+        payload1 = _build_channel_notification({
             "peer_id": _PEER_UUID, "kind": "peer_agent", "text": "ping",
         })
+        a2a_client._wait_for_enrichment_inflight_for_testing(timeout=2.0)
+        payload2 = _build_channel_notification({
+            "peer_id": _PEER_UUID, "kind": "peer_agent", "text": "pong",
+        })
 
     assert client.get.call_count == 1, "stale cache must trigger a re-fetch"
-    assert payload["params"]["meta"]["peer_name"] == "fresh-name"
-    assert payload["params"]["meta"]["peer_role"] == "new"
+    assert "peer_name" not in payload1["params"]["meta"], (
+        "first push past TTL degrades to bare peer_id under nonblocking enrichment"
+    )
+    assert payload2["params"]["meta"]["peer_name"] == "fresh-name"
+    assert payload2["params"]["meta"]["peer_role"] == "new"
 
 
 def test_envelope_enrichment_invalid_peer_id_skips_lookup(_reset_peer_metadata_cache):
@@ -1732,3 +1799,193 @@ def _readable(fd: int) -> bool:
 
     rlist, _, _ = select.select([fd], [], [], 0)
     return bool(rlist)
+
+
+# ---- #2484 nonblocking-enrichment dedicated tests ----
+
+
+def test_enrich_peer_metadata_nonblocking_cache_hit_returns_immediately(
+    _reset_peer_metadata_cache,
+):
+    """Cache hit (fresh entry within TTL): nonblocking helper returns
+    the cached record without scheduling a worker. Pin the fast path —
+    the whole point of the helper is that the steady-state pushes for
+    a known peer don't touch the executor."""
+    import a2a_client
+    import time as _time
+
+    a2a_client._peer_metadata[_PEER_UUID] = (
+        _time.monotonic(),
+        {"id": _PEER_UUID, "name": "ops", "role": "sre"},
+    )
+
+    p, client = _patch_httpx_client(_make_httpx_response(200, {}))
+    with p:
+        record = a2a_client.enrich_peer_metadata_nonblocking(_PEER_UUID)
+
+    assert record is not None
+    assert record["name"] == "ops"
+    assert client.get.call_count == 0, "cache hit must not schedule a worker"
+    # No in-flight marker should have been added since we returned synchronously.
+    assert _PEER_UUID not in a2a_client._enrich_in_flight
+
+
+def test_enrich_peer_metadata_nonblocking_cache_miss_schedules_fetch(
+    _reset_peer_metadata_cache,
+):
+    """Cache miss: helper returns None immediately, schedules a
+    background fetch, the worker fills the cache. After draining the
+    in-flight marker, a follow-up call hits the warm cache."""
+    import a2a_client
+
+    p, client = _patch_httpx_client(
+        _make_httpx_response(
+            200,
+            {"id": _PEER_UUID, "name": "fresh", "role": "router"},
+        )
+    )
+    with p:
+        first = a2a_client.enrich_peer_metadata_nonblocking(_PEER_UUID)
+        assert first is None, "first call on cache miss must return None (bare peer_id)"
+        a2a_client._wait_for_enrichment_inflight_for_testing(timeout=2.0)
+        second = a2a_client.enrich_peer_metadata_nonblocking(_PEER_UUID)
+
+    assert client.get.call_count == 1
+    assert second is not None
+    assert second["name"] == "fresh"
+
+
+def test_enrich_peer_metadata_nonblocking_coalesces_duplicate_pushes(
+    _reset_peer_metadata_cache,
+):
+    """A burst of pushes for the same uncached peer must schedule
+    exactly ONE background fetch. Without the in-flight gate, a chatty
+    peer's first 10 pushes would queue 10 GETs against the registry —
+    exactly the DoS-on-self pattern the negative cache was meant to
+    rate-limit, except now we're amplifying with concurrency.
+    """
+    import a2a_client
+
+    p, client = _patch_httpx_client(
+        _make_httpx_response(
+            200,
+            {"id": _PEER_UUID, "name": "x", "role": "y"},
+        )
+    )
+    with p:
+        # Fire 5 nonblocking calls back-to-back BEFORE the worker has
+        # a chance to drain. All 5 hit the in-flight gate; only the
+        # first schedules a worker.
+        for _ in range(5):
+            assert a2a_client.enrich_peer_metadata_nonblocking(_PEER_UUID) is None
+        a2a_client._wait_for_enrichment_inflight_for_testing(timeout=2.0)
+
+    assert client.get.call_count == 1, (
+        f"in-flight gate must coalesce concurrent pushes; got {client.get.call_count} GETs"
+    )
+
+
+def test_enrich_peer_metadata_nonblocking_invalid_peer_id_returns_none(
+    _reset_peer_metadata_cache,
+):
+    """Defensive: malformed peer_id (not a UUID) must short-circuit
+    without touching the cache OR the executor."""
+    import a2a_client
+
+    p, client = _patch_httpx_client(_make_httpx_response(200, {}))
+    with p:
+        assert a2a_client.enrich_peer_metadata_nonblocking("not-a-uuid") is None
+
+    assert client.get.call_count == 0
+    assert "not-a-uuid" not in a2a_client._enrich_in_flight
+
+
+# ---- #2482 bounded-cache tests ----
+
+
+def test_peer_metadata_set_evicts_lru_when_at_maxsize(_reset_peer_metadata_cache, monkeypatch):
+    """Cache size never exceeds ``_PEER_METADATA_MAXSIZE``. When the
+    next write would push past the bound, the least-recently-used entry
+    is evicted. Pin: a workspace receiving from N > maxsize peers ends
+    up with exactly maxsize entries — the oldest get dropped, the
+    newest stay.
+    """
+    import a2a_client
+
+    # Shrink the bound to make the test fast + deterministic. The real
+    # bound (1024) is too large to exercise per-test.
+    monkeypatch.setattr(a2a_client, "_PEER_METADATA_MAXSIZE", 4)
+
+    now = time.monotonic()
+    for i in range(6):
+        # Distinct UUIDs — generate via the static template + index so
+        # _validate_peer_id accepts them.
+        peer = f"00000000-0000-0000-0000-00000000000{i}"
+        a2a_client._peer_metadata_set(peer, (now + i, {"id": peer, "name": f"p{i}"}))
+
+    # Size capped at maxsize.
+    assert len(a2a_client._peer_metadata) == 4
+    # Oldest two evicted, newest four remain.
+    assert "00000000-0000-0000-0000-000000000000" not in a2a_client._peer_metadata
+    assert "00000000-0000-0000-0000-000000000001" not in a2a_client._peer_metadata
+    assert "00000000-0000-0000-0000-000000000002" in a2a_client._peer_metadata
+    assert "00000000-0000-0000-0000-000000000005" in a2a_client._peer_metadata
+
+
+def test_peer_metadata_get_promotes_to_lru_head(_reset_peer_metadata_cache, monkeypatch):
+    """Read promotes the entry to most-recently-used. Steady-state
+    pushes from a busy peer must NOT be evicted by a cold-start burst
+    from new peers — the LRU touch on read is what makes that hold.
+    """
+    import a2a_client
+
+    monkeypatch.setattr(a2a_client, "_PEER_METADATA_MAXSIZE", 3)
+
+    now = time.monotonic()
+    a = "00000000-0000-0000-0000-aaaaaaaaaaaa"
+    b = "00000000-0000-0000-0000-bbbbbbbbbbbb"
+    c = "00000000-0000-0000-0000-cccccccccccc"
+    d = "00000000-0000-0000-0000-dddddddddddd"
+
+    # Insert in order a, b, c. LRU position: a (oldest) → c (newest).
+    a2a_client._peer_metadata_set(a, (now, {"id": a}))
+    a2a_client._peer_metadata_set(b, (now, {"id": b}))
+    a2a_client._peer_metadata_set(c, (now, {"id": c}))
+
+    # Touch `a` via _peer_metadata_get → moves to MRU. Eviction order:
+    # b (oldest now) → c → a (newest).
+    a2a_client._peer_metadata_get(a)
+
+    # Insert `d` — pushes `b` out (not `a` even though `a` was inserted first).
+    a2a_client._peer_metadata_set(d, (now, {"id": d}))
+
+    assert a in a2a_client._peer_metadata, (
+        "recently-touched entry must survive eviction; LRU touch on read is broken"
+    )
+    assert b not in a2a_client._peer_metadata, (
+        "oldest-untouched entry must be evicted first"
+    )
+    assert c in a2a_client._peer_metadata
+    assert d in a2a_client._peer_metadata
+
+
+def test_peer_metadata_set_replaces_existing_entry_in_place(_reset_peer_metadata_cache):
+    """Re-write of an existing key updates the value in place — does
+    NOT evict to maxsize-1 then re-insert. The LRU move-to-end on
+    update keeps the entry as MRU.
+    """
+    import a2a_client
+
+    peer = "00000000-0000-0000-0000-aaaaaaaaaaaa"
+    now = time.monotonic()
+    a2a_client._peer_metadata_set(peer, (now, {"id": peer, "name": "v1"}))
+    assert len(a2a_client._peer_metadata) == 1
+
+    # Re-write — same key, new value.
+    a2a_client._peer_metadata_set(peer, (now + 100, {"id": peer, "name": "v2"}))
+
+    assert len(a2a_client._peer_metadata) == 1, (
+        "re-write must not duplicate the entry"
+    )
+    cached = a2a_client._peer_metadata[peer]
+    assert cached[1]["name"] == "v2", "re-write must update the value in place"
diff --git a/workspace/tests/test_delegation_sync_via_polling.py b/workspace/tests/test_delegation_sync_via_polling.py
new file mode 100644
index 00000000..4d032f4e
--- /dev/null
+++ b/workspace/tests/test_delegation_sync_via_polling.py
@@ -0,0 +1,321 @@
+"""RFC #2829 PR-5: tests for the agent-side cutover that replaces the
+proxy-blocked send_a2a_message sync path with delegate-then-poll.
+
+Coverage:
+
+  - Flag off (default) → byte-identical to legacy: tool_delegate_task
+    calls send_a2a_message and never touches /delegate.
+  - Flag on, dispatch fails → wrapped error returned, no infinite poll.
+  - Flag on, dispatch returns no delegation_id → wrapped error.
+  - Flag on, completed status on first poll → response_preview returned.
+  - Flag on, failed status → wrapped error with error_detail.
+  - Flag on, transient poll error → keeps polling, eventually succeeds.
+  - Flag on, deadline exceeded → wrapped timeout error mentions
+    delegation_id so caller can pick it up via check_task_status later.
+  - Idempotency key is consistent with the legacy path's hashing.
+"""
+
+import json
+import os
+from unittest.mock import AsyncMock, MagicMock, patch
+
+import httpx
+import pytest
+
+# WORKSPACE_ID + PLATFORM_URL are checked at a2a_client import time.
+# CI ships them via the workflow env block; for local pytest runs we
+# set them here so the test file can import a2a_tools at module scope
+# (matching the pattern in test_a2a_tools_impl.py — that file relies
+# on the same CI env shape).
+os.environ.setdefault("WORKSPACE_ID", "00000000-0000-0000-0000-000000000001")
+os.environ.setdefault("PLATFORM_URL", "http://localhost:8080")
+
+
+def _resp(status_code, payload, text=None):
+    r = MagicMock()
+    r.status_code = status_code
+    r.json = MagicMock(return_value=payload)
+    r.text = text or json.dumps(payload)
+    return r
+
+
+def _make_client(post_resp=None, get_resps=None, post_exc=None):
+    """Build an AsyncClient mock where get() returns a sequence of responses
+    (one per call) so we can simulate multiple poll rounds.
+    """
+    mc = AsyncMock()
+    mc.__aenter__ = AsyncMock(return_value=mc)
+    mc.__aexit__ = AsyncMock(return_value=False)
+    if post_exc is not None:
+        mc.post = AsyncMock(side_effect=post_exc)
+    else:
+        mc.post = AsyncMock(return_value=post_resp or _resp(202, {"delegation_id": "deleg-1"}))
+    if get_resps is None:
+        get_resps = [_resp(200, [])]
+    mc.get = AsyncMock(side_effect=get_resps)
+    return mc
+
+
+# ---------------------------------------------------------------------------
+# Flag-off: legacy path is preserved
+# ---------------------------------------------------------------------------
+
+class TestFlagOffLegacyPath:
+
+    async def test_flag_off_uses_send_a2a_message_not_polling(self, monkeypatch):
+        """With DELEGATION_SYNC_VIA_INBOX unset, tool_delegate_task must
+        invoke the legacy send_a2a_message and NEVER call /delegate."""
+        monkeypatch.delenv("DELEGATION_SYNC_VIA_INBOX", raising=False)
+
+        import a2a_tools
+        send_calls = []
+
+        async def fake_send(workspace_id, task, source_workspace_id=None):
+            send_calls.append((workspace_id, task, source_workspace_id))
+            return "legacy ok"
+
+        async def fake_discover(*_a, **_kw):
+            return {"name": "peer-name", "status": "online"}
+
+        async def fake_report_activity(*_a, **_kw):
+            return None
+
+        with patch("a2a_tools.send_a2a_message", side_effect=fake_send), \
+             patch("a2a_tools.discover_peer", side_effect=fake_discover), \
+             patch("a2a_tools.report_activity", side_effect=fake_report_activity), \
+             patch("a2a_tools._delegate_sync_via_polling", new=AsyncMock()) as poll_mock:
+            result = await a2a_tools.tool_delegate_task(
+                "ws-target", "task body", source_workspace_id="ws-self"
+            )
+
+        assert result == "legacy ok", f"expected legacy passthrough, got {result!r}"
+        assert send_calls == [("ws-target", "task body", "ws-self")]
+        poll_mock.assert_not_called()
+
+
+# ---------------------------------------------------------------------------
+# Flag-on: dispatch failures
+# ---------------------------------------------------------------------------
+
+class TestFlagOnDispatchFailures:
+
+    async def test_dispatch_http_exception_returns_wrapped_error(self, monkeypatch):
+        monkeypatch.setenv("DELEGATION_SYNC_VIA_INBOX", "1")
+
+        import a2a_tools
+        mc = _make_client(post_exc=httpx.ConnectError("network down"))
+
+        with patch("a2a_tools.httpx.AsyncClient", return_value=mc):
+            res = await a2a_tools._delegate_sync_via_polling(
+                "ws-target", "task", "ws-self"
+            )
+
+        assert res.startswith(a2a_tools._A2A_ERROR_PREFIX)
+        assert "delegate dispatch failed" in res
+
+    async def test_dispatch_non_2xx_returns_wrapped_error(self, monkeypatch):
+        monkeypatch.setenv("DELEGATION_SYNC_VIA_INBOX", "1")
+
+        import a2a_tools
+        mc = _make_client(post_resp=_resp(403, {"error": "forbidden"}))
+
+        with patch("a2a_tools.httpx.AsyncClient", return_value=mc):
+            res = await a2a_tools._delegate_sync_via_polling(
+                "ws-target", "task", "ws-self"
+            )
+
+        assert res.startswith(a2a_tools._A2A_ERROR_PREFIX)
+        assert "HTTP 403" in res
+
+    async def test_dispatch_missing_delegation_id_returns_wrapped_error(self, monkeypatch):
+        monkeypatch.setenv("DELEGATION_SYNC_VIA_INBOX", "1")
+
+        import a2a_tools
+        # 202 Accepted but no delegation_id field — defensive shape check.
+        mc = _make_client(post_resp=_resp(202, {"status": "delegated"}))
+
+        with patch("a2a_tools.httpx.AsyncClient", return_value=mc):
+            res = await a2a_tools._delegate_sync_via_polling(
+                "ws-target", "task", "ws-self"
+            )
+
+        assert res.startswith(a2a_tools._A2A_ERROR_PREFIX)
+        assert "missing delegation_id" in res
+
+
+# ---------------------------------------------------------------------------
+# Flag-on: polling outcomes
+# ---------------------------------------------------------------------------
+
+class TestFlagOnPollingOutcomes:
+
+    async def test_completed_first_poll_returns_response_preview(self, monkeypatch):
+        monkeypatch.setenv("DELEGATION_SYNC_VIA_INBOX", "1")
+        # Tighten budget to a few seconds so the test never blocks long.
+        monkeypatch.setenv("DELEGATION_TIMEOUT", "10")
+
+        import importlib
+        import a2a_tools
+        importlib.reload(a2a_tools)  # pick up new env-driven _SYNC_POLL_BUDGET_S
+
+        completed_row = {
+            "delegation_id": "deleg-1",
+            "status": "completed",
+            "response_preview": "the answer",
+        }
+        mc = _make_client(
+            post_resp=_resp(202, {"delegation_id": "deleg-1"}),
+            get_resps=[_resp(200, [completed_row])],
+        )
+
+        with patch("a2a_tools.httpx.AsyncClient", return_value=mc):
+            res = await a2a_tools._delegate_sync_via_polling(
+                "ws-target", "task", "ws-self"
+            )
+
+        assert res == "the answer"
+        # Cleanup: restore the module to default state for subsequent tests.
+        monkeypatch.delenv("DELEGATION_TIMEOUT", raising=False)
+        importlib.reload(a2a_tools)
+
+    async def test_failed_status_returns_wrapped_error_with_detail(self, monkeypatch):
+        monkeypatch.setenv("DELEGATION_SYNC_VIA_INBOX", "1")
+        monkeypatch.setenv("DELEGATION_TIMEOUT", "10")
+
+        import importlib
+        import a2a_tools
+        importlib.reload(a2a_tools)
+
+        failed_row = {
+            "delegation_id": "deleg-1",
+            "status": "failed",
+            "error_detail": "callee unreachable",
+        }
+        mc = _make_client(
+            post_resp=_resp(202, {"delegation_id": "deleg-1"}),
+            get_resps=[_resp(200, [failed_row])],
+        )
+
+        with patch("a2a_tools.httpx.AsyncClient", return_value=mc):
+            res = await a2a_tools._delegate_sync_via_polling(
+                "ws-target", "task", "ws-self"
+            )
+
+        assert res.startswith(a2a_tools._A2A_ERROR_PREFIX)
+        assert "callee unreachable" in res
+        monkeypatch.delenv("DELEGATION_TIMEOUT", raising=False)
+        importlib.reload(a2a_tools)
+
+    async def test_transient_poll_error_then_completed_succeeds(self, monkeypatch):
+        """A network blip during polling must NOT abort — keep polling."""
+        monkeypatch.setenv("DELEGATION_SYNC_VIA_INBOX", "1")
+        monkeypatch.setenv("DELEGATION_TIMEOUT", "30")
+
+        import importlib
+        import a2a_tools
+        importlib.reload(a2a_tools)
+
+        # Speed up: monkey-patch the poll interval to 0.01s so we don't
+        # actually wait 3s between rounds in the test.
+        monkeypatch.setattr(a2a_tools, "_SYNC_POLL_INTERVAL_S", 0.01)
+
+        completed_row = {
+            "delegation_id": "deleg-1",
+            "status": "completed",
+            "response_preview": "eventually ok",
+        }
+        # First poll raises, second poll returns completed.
+        get_seq = [
+            httpx.ConnectError("transient"),
+            _resp(200, [completed_row]),
+        ]
+        mc = _make_client(
+            post_resp=_resp(202, {"delegation_id": "deleg-1"}),
+            get_resps=get_seq,
+        )
+
+        with patch("a2a_tools.httpx.AsyncClient", return_value=mc):
+            res = await a2a_tools._delegate_sync_via_polling(
+                "ws-target", "task", "ws-self"
+            )
+
+        assert res == "eventually ok"
+        monkeypatch.delenv("DELEGATION_TIMEOUT", raising=False)
+        importlib.reload(a2a_tools)
+
+    async def test_deadline_exceeded_returns_recovery_hint(self, monkeypatch):
+        """When the budget runs out without a terminal status, the error
+        must surface delegation_id + a check_task_status hint so the
+        caller can recover the result."""
+        monkeypatch.setenv("DELEGATION_SYNC_VIA_INBOX", "1")
+        monkeypatch.setenv("DELEGATION_TIMEOUT", "1")  # 1s budget
+
+        import importlib
+        import a2a_tools
+        importlib.reload(a2a_tools)
+        monkeypatch.setattr(a2a_tools, "_SYNC_POLL_INTERVAL_S", 0.05)
+
+        # Endless in-progress responses.
+        in_progress_row = {
+            "delegation_id": "deleg-1",
+            "status": "in_progress",
+        }
+        get_seq = [_resp(200, [in_progress_row])] * 50
+        mc = _make_client(
+            post_resp=_resp(202, {"delegation_id": "deleg-1"}),
+            get_resps=get_seq,
+        )
+
+        with patch("a2a_tools.httpx.AsyncClient", return_value=mc):
+            res = await a2a_tools._delegate_sync_via_polling(
+                "ws-target", "task", "ws-self"
+            )
+
+        assert res.startswith(a2a_tools._A2A_ERROR_PREFIX)
+        assert "polling timeout" in res
+        assert "deleg-1" in res, "must surface delegation_id for recovery"
+        assert "check_task_status" in res, "must hint at the recovery tool"
+        monkeypatch.delenv("DELEGATION_TIMEOUT", raising=False)
+        importlib.reload(a2a_tools)
+
+    async def test_poll_filters_by_delegation_id_ignoring_other_rows(self, monkeypatch):
+        """Other delegations' rows in the response must NOT be picked up
+        by mistake — we pin to delegation_id."""
+        monkeypatch.setenv("DELEGATION_SYNC_VIA_INBOX", "1")
+        monkeypatch.setenv("DELEGATION_TIMEOUT", "10")
+
+        import importlib
+        import a2a_tools
+        importlib.reload(a2a_tools)
+        monkeypatch.setattr(a2a_tools, "_SYNC_POLL_INTERVAL_S", 0.01)
+
+        # First poll: no row matching ours, BUT a completed row for
+        # someone else's delegation. We must NOT return that one.
+        # Second poll: ours completes.
+        first_poll = _resp(200, [
+            {"delegation_id": "deleg-OTHER", "status": "completed", "response_preview": "wrong"},
+        ])
+        second_poll = _resp(200, [
+            {"delegation_id": "deleg-OTHER", "status": "completed", "response_preview": "wrong"},
+            {"delegation_id": "deleg-1", "status": "completed", "response_preview": "right"},
+        ])
+        mc = _make_client(
+            post_resp=_resp(202, {"delegation_id": "deleg-1"}),
+            get_resps=[first_poll, second_poll],
+        )
+
+        with patch("a2a_tools.httpx.AsyncClient", return_value=mc):
+            res = await a2a_tools._delegate_sync_via_polling(
+                "ws-target", "task", "ws-self"
+            )
+
+        assert res == "right", f"must filter to delegation_id, got {res!r}"
+        monkeypatch.delenv("DELEGATION_TIMEOUT", raising=False)
+        importlib.reload(a2a_tools)
+
+
+# ---------------------------------------------------------------------------
+# pytest-asyncio collection marker
+# ---------------------------------------------------------------------------
+
+pytestmark = pytest.mark.asyncio