diff --git a/workspace-server/internal/handlers/agent_git_identity_test.go b/workspace-server/internal/handlers/agent_git_identity_test.go
index 1d7b7dc0..9b2ebc75 100644
--- a/workspace-server/internal/handlers/agent_git_identity_test.go
+++ b/workspace-server/internal/handlers/agent_git_identity_test.go
@@ -99,3 +99,55 @@ func TestSlugifyForEmail(t *testing.T) {
 		})
 	}
 }
+
+// setIfEmpty sets m[key] = val only when key is absent.
+
+func TestSetIfEmpty_NewKey(t *testing.T) {
+	m := map[string]string{}
+	setIfEmpty(m, "FOO", "bar")
+	if got := m["FOO"]; got != "bar" {
+		t.Errorf("setIfEmpty(new key): got %q, want %q", got, "bar")
+	}
+}
+
+func TestSetIfEmpty_ExistingKey_NotOverwritten(t *testing.T) {
+	m := map[string]string{"FOO": "original"}
+	setIfEmpty(m, "FOO", "ignored")
+	if got := m["FOO"]; got != "original" {
+		t.Errorf("setIfEmpty(existing key): got %q, want %q", got, "original")
+	}
+}
+
+func TestSetIfEmpty_ExistingKey_EmptyString_NotOverwritten(t *testing.T) {
+	m := map[string]string{"FOO": ""}
+	setIfEmpty(m, "FOO", "ignored")
+	// Key exists (even with empty value) — must not be overwritten.
+	if got := m["FOO"]; got != "" {
+		t.Errorf("setIfEmpty(existing, empty value): got %q, want %q", got, "")
+	}
+}
+
+func TestSetIfEmpty_NilMap_DoesNotPanic(t *testing.T) {
+	defer func() {
+		if r := recover(); r != nil {
+			t.Errorf("setIfEmpty panicked on nil map: %v", r)
+		}
+	}()
+	var m map[string]string // nil map
+	setIfEmpty(m, "KEY", "val")
+	// Writing to a nil map is a no-op in Go; no panic, but no insert either.
+}
+
+func TestSetIfEmpty_MultipleKeys(t *testing.T) {
+	m := map[string]string{}
+	setIfEmpty(m, "A", "1")
+	setIfEmpty(m, "B", "2")
+	setIfEmpty(m, "A", "ignored") // already set
+	setIfEmpty(m, "C", "3")
+	want := map[string]string{"A": "1", "B": "2", "C": "3"}
+	for k, v := range want {
+		if m[k] != v {
+			t.Errorf("m[%q] = %q, want %q", k, m[k], v)
+		}
+	}
+}
diff --git a/workspace-server/internal/handlers/artifacts_test.go b/workspace-server/internal/handlers/artifacts_test.go
index 283dea0b..8dd2acc2 100644
--- a/workspace-server/internal/handlers/artifacts_test.go
+++ b/workspace-server/internal/handlers/artifacts_test.go
@@ -993,3 +993,40 @@ func containsCredentials(u string) bool {
 	}
 	return false
 }
+
+// buildCloneURL constructs an authenticated Cloudflare Git CDN URL from a repo
+// name and token.  The third parameter is unused (named _).
+
+func TestBuildCloneURL_NormalCase(t *testing.T) {
+	got := buildCloneURL("my-repo", "mytoken123", "unused")
+	want := "https://x:mytoken123@artifacts.cloudflare.net/git/my-repo.git"
+	if got != want {
+		t.Errorf("buildCloneURL() = %q, want %q", got, want)
+	}
+}
+
+func TestBuildCloneURL_TokenWithSpecialChars(t *testing.T) {
+	// Token characters are interpolated raw; URL-safe token encoding is the
+	// caller's responsibility.
+	got := buildCloneURL("org/repo", "tok!@#$%", "_ignored")
+	want := "https://x:tok!@#$%@artifacts.cloudflare.net/git/org/repo.git"
+	if got != want {
+		t.Errorf("buildCloneURL() = %q, want %q", got, want)
+	}
+}
+
+func TestBuildCloneURL_EmptyToken(t *testing.T) {
+	got := buildCloneURL("repo", "", "_ignored")
+	want := "https://x:@artifacts.cloudflare.net/git/repo.git"
+	if got != want {
+		t.Errorf("buildCloneURL() = %q, want %q", got, want)
+	}
+}
+
+func TestBuildCloneURL_EmptyRepoName(t *testing.T) {
+	got := buildCloneURL("", "tok", "_ignored")
+	want := "https://x:tok@artifacts.cloudflare.net/git/.git"
+	if got != want {
+		t.Errorf("buildCloneURL() = %q, want %q", got, want)
+	}
+}