diff --git a/workspace-server/internal/handlers/discovery.go b/workspace-server/internal/handlers/discovery.go
index 18ab225a..2e66a0cd 100644
--- a/workspace-server/internal/handlers/discovery.go
+++ b/workspace-server/internal/handlers/discovery.go
@@ -361,11 +361,9 @@ func validateDiscoveryCaller(ctx context.Context, c *gin.Context, workspaceID st
 	// Add verifiedCPSession() as a fallback after the bearer check so
 	// SaaS canvas Peers tab doesn't 401. Self-hosted workspaces are
 	// unaffected — they have no CP session cookie.
-	ok, presented := middleware.VerifiedCPSession(c.GetHeader("Cookie"))
-	if ok {
+	if ok2, presented2 := middleware.VerifiedCPSession(c.GetHeader("Cookie")); ok2 {
 		return nil
-	}
-	if presented {
+	} else if presented2 {
 		c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid session"})
 		return errors.New("invalid session")
 	}
diff --git a/workspace-server/internal/middleware/session_auth.go b/workspace-server/internal/middleware/session_auth.go
index 33ce2ac2..3f6d058d 100644
--- a/workspace-server/internal/middleware/session_auth.go
+++ b/workspace-server/internal/middleware/session_auth.go
@@ -157,7 +157,7 @@ func tenantSlug() string {
 	return strings.TrimSpace(os.Getenv("MOLECULE_ORG_SLUG"))
 }
 
-// verifiedCPSession returns true when the request carries a cookie
+// VerifiedCPSession returns true when the request carries a cookie
 // that the CP confirms belongs to a MEMBER of THIS tenant's org (not
 // just "someone is logged in"). The difference is the authz boundary:
 // any WorkOS-authed user could hit /cp/auth/me successfully; only
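Review bot: The context comment directly above the new `if` still names `verifiedCPSession()`, which this same commit renames to `VerifiedCPSession` in session_auth.go, and it reads as a changelog entry ("Add … as a fallback") rather than a description of the code; reword it to describe the fallback and its authz boundary, e.g. `// Fall back to a CP-verified session after the bearer check so the SaaS canvas Peers tab doesn't 401. This establishes org membership only (see middleware.VerifiedCPSession), not access to this workspaceID.` The `ok2`/`presented2` names look like a workaround for `ok`/`presented` already being declared earlier in validateDiscoveryCaller (its start is above the hunk); descriptive names in a bare `switch` keep the same tight scope without numeric suffixes or an `else` after a `return`. Whether the session path should be tied to `workspaceID` rather than org membership alone I cannot tell from here — if the bearer path checks workspace membership, this fallback is a wider grant and the comment should say that is deliberate.
```go
	switch sessOK, sessPresented := middleware.VerifiedCPSession(c.GetHeader("Cookie")); {
	case sessOK:
		return nil
	case sessPresented:
		c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid session"})
		return errors.New("invalid session")
	}
```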
@@ -171,7 +171,7 @@ func tenantSlug() string {
 // — fail-safe: better to refuse session auth than to accept it
 // without knowing which tenant we ARE. Deployments that want session
 // auth MUST set both CP_UPSTREAM_URL and MOLECULE_ORG_SLUG.
-func verifiedCPSession(cookieHeader string) (valid, presented bool) {
+func VerifiedCPSession(cookieHeader string) (valid, presented bool) {
 	if cookieHeader == "" {
 		return false, false
 	}
@@ -230,11 +230,3 @@ func verifiedCPSession(cookieHeader string) (valid, presented bool) {
 	sessionCachePut(key, true)
 	return true, true
 }
-
-// VerifiedCPSession is the exported alias — callers in other packages
-// (discovery.go, wsauth_middleware.go) use this name. Internal-only
-// deployments (self-hosted/dev) where CP_UPSTREAM_URL is unset get
-// (false, true) so the session path is skipped and bearer token auth runs.
-func VerifiedCPSession(cookieHeader string) (valid, presented bool) {
-	return verifiedCPSession(cookieHeader)
-}
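Review bot: The now-exported `VerifiedCPSession` has no explicit statement of its `(valid, presented)` return contract — the retained doc says "fail-safe" in prose, while the only concrete line (that an unset CP_UPSTREAM_URL yields `(false, true)`) lived on the alias deleted in the -230 hunk, and that deleted text claimed `(false, true)` makes callers fall back to bearer auth, which contradicts discovery.go in this same diff, where `presented` produces a 401. Add a return-contract paragraph to the doc comment above the signature, e.g. `// Returns (true, true) only for a CP-confirmed member of this tenant's org; (false, true) when a cookie was presented but could not be verified, which includes CP_UPSTREAM_URL or MOLECULE_ORG_SLUG being unset and which callers must treat as an invalid session, not as "no cookie"; (false, false) when no cookie was presented.` — confirm the unset-config case against the body, which sits between these two hunks and is not visible here. It is also worth stating that a positive result is cached (`sessionCachePut(key, true)` in the -230 context), so a session revoked at the CP keeps passing here until that entry expires; the TTL is not visible in this diff and should be short.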