Merge commit 'd3770fde' into __merge-test

# Conflicts: # workspace-server/internal/handlers/workspace.go
docs(runbooks): add engineer-agent Gitea token scope runbook (#1750 follow-up)
2026-05-27 04:01:01 +00:00 · 2026-05-27 03:20:40 +00:00 · 2026-05-27 03:17:26 +00:00 · 2026-05-27 03:06:58 +00:00 · 2026-05-26 23:50:42 +00:00 · 2026-05-26 16:31:52 -07:00
89 changed files with 4256 additions and 739 deletions
@@ -385,8 +385,12 @@ def detect_drift(branch: str) -> tuple[list[str], dict]:
    contexts = set(protection.get("status_check_contexts") or [])

    # ----- F1: job exists in CI but not under sentinel.needs -----
+    # Post-#1766 contract: the sentinel may deliberately have no `needs:`
+    # and instead poll path-relevant statuses dynamically. In that case
+    # F1 is a false positive — skip it. F1b (typos in existing needs)
+    # is naturally skipped when needs is empty.
    missing_from_needs = sorted(jobs - needs)
-    if missing_from_needs:
+    if missing_from_needs and needs:
        findings.append(
            "F1 — jobs in ci.yml NOT under sentinel `needs:` "
            "(sentinel doesn't gate them):\n"
@@ -512,8 +516,11 @@ def render_body(branch: str, findings: list[str], debug: dict) -> str:
            "",
            "## Resolution",
            "",
-            "- **F1 / F1b**: add the missing job to `all-required.needs:` "
-            "in `.gitea/workflows/ci.yml`, or remove the stale entry.",
+            "- **F1 / F1b**: if the sentinel job has a `needs:` block, add "
+            "the missing job to it in `.gitea/workflows/ci.yml`, or remove "
+            "the stale entry. If the sentinel deliberately has no `needs:` "
+            "(path-aware polling sentinel per post-#1766 contract), this "
+            "finding is expected and F1 is skipped.",
            "- **F2**: rename the protection context to match an emitter, "
            "or remove it from `status_check_contexts` "
            "(PATCH `/api/v1/repos/{owner}/{repo}/branch_protections/{branch}`).",
@@ -641,6 +641,15 @@ def main(argv: list[str] | None = None) -> int:

    base_workflows = workflows_at_sha(BASE_SHA)
    head_workflows = workflows_at_sha(HEAD_SHA)
+    # Ignore workflow files that are identical on both sides — old branches
+    # that haven't rebased onto main carry stale copies of workflows that
+    # were updated later. Comparing those stale copies against the current
+    # base produces false-positive "flips".
+    base_workflows = {
+        p: t for p, t in base_workflows.items()
+        if p in head_workflows and head_workflows[p] != t
+    }
+    head_workflows = {p: t for p, t in head_workflows.items() if p in base_workflows}
    flips = detect_flips(base_workflows, head_workflows)

    if not flips:
@@ -90,6 +90,15 @@ API = f"https://{GITEA_HOST}/api/v1" if GITEA_HOST else ""
 # match by exact title without parsing.
 TITLE_PREFIX = "[main-red]"

+# Contexts that are scheduled or non-required — their pending/failure
+# state should not block stale-issue closeout (mc#1789).
+SCHEDULED_CONTEXT_PATTERNS = (
+    "Staging SaaS smoke",
+    "Continuous synthetic E2E",
+    "main-red-watchdog",
+    "ci-arm64-advisory",
+)
+
 # Settling window (seconds) between initial red detection and the
 # pre-file recheck. The recheck filters out the two largest false-
 # positive classes seen in mc#1597..1630 (task #394, 2026-05-21):
@@ -265,6 +274,11 @@ def get_combined_status(sha: str) -> dict:
    return body


+def _entry_state(s: dict) -> str:
+    """Per-entry status key in Gitea 1.22.6 is `status`; fall back to `state`."""
+    return s.get("status") or s.get("state") or ""
+
+
 def is_red(status: dict) -> tuple[bool, list[dict]]:
    """Return (is_red, failed_statuses).

@@ -312,9 +326,6 @@ def is_red(status: dict) -> tuple[bool, list[dict]]:
    # "no per-context entries were in a red state" fallback even when
    # the combined-state correctly flagged red. See
    # `feedback_smoke_test_vendor_truth_not_shape_match`.
-    def _entry_state(s: dict) -> str:
-        return s.get("status") or s.get("state") or ""
-
    def _is_cancel_cascade(s: dict) -> bool:
        """status=3 entry per Gitea 1.22.6 description-string contract.
        Match exactly (after strip) — substring match would catch
@@ -353,6 +364,15 @@ def title_for(sha: str) -> str:
    return f"{TITLE_PREFIX} {REPO}: {sha[:10]}"


+def _is_scheduled_context(context: str) -> bool:
+    """Return True if `context` is a known scheduled/non-required job.
+
+    These contexts run on a schedule and should not block stale-issue
+    closeout when main's required CI has recovered (mc#1789).
+    """
+    return any(pattern.lower() in context.lower() for pattern in SCHEDULED_CONTEXT_PATTERNS)
+
+
 def list_open_red_issues() -> list[dict]:
    """All open issues whose title starts with `[main-red] {repo}: `.

@@ -362,23 +382,34 @@ def list_open_red_issues() -> list[dict]:
    file-or-update path to POST a duplicate — exactly the regression
    class the helper-raises contract closes.

-    Gitea issue search returns at most 50/page; we only need open
-    `[main-red]` issues which are by design ≤ 1 at any time per repo,
-    so a single page is enough.
+    Pagination is exhausted (mc#1789). The old "by design ≤ 1" invariant
+    was false — backlog can exceed 50 open issues.
    """
-    _, results = api(
-        "GET",
-        f"/repos/{OWNER}/{NAME}/issues",
-        query={"state": "open", "type": "issues", "limit": "50"},
-    )
-    if not isinstance(results, list):
-        raise ApiError(
-            f"issue search returned non-list body (got {type(results).__name__})"
-        )
    prefix = f"{TITLE_PREFIX} {REPO}: "
-    return [i for i in results if isinstance(i, dict)
+    all_issues: list[dict] = []
+    page = 1
+    limit = 50
+    while True:
+        _, results = api(
+            "GET",
+            f"/repos/{OWNER}/{NAME}/issues",
+            query={"state": "open", "type": "issues", "limit": str(limit), "page": str(page)},
+        )
+        if not isinstance(results, list):
+            raise ApiError(
+                f"issue search returned non-list body (got {type(results).__name__})"
+            )
+        matched = [
+            i for i in results
+            if isinstance(i, dict)
            and isinstance(i.get("title"), str)
-            and i["title"].startswith(prefix)]
+            and i["title"].startswith(prefix)
+        ]
+        all_issues.extend(matched)
+        if len(results) < limit:
+            break
+        page += 1
+    return all_issues


 def find_open_issue_for_sha(sha: str) -> dict | None:
@@ -745,23 +776,60 @@ def run_once(*, dry_run: bool = False) -> int:
              f"{len(failed)} failed context(s)")
        file_or_update_red(sha, failed, debug, dry_run=dry_run)
    else:
-        # Green (or pending — pending is treated as not-red so we don't
-        # spam during the post-merge CI window). Close any stale issues
-        # from earlier SHAs only when we're actually green; pending
-        # means CI hasn't finished and the prior issue might still be
-        # accurate.
-        if status.get("state") == "success":
+        # Green or pending-with-no-real-failures. Close stale issues
+        # from earlier SHAs when required CI has recovered.
+        #
+        # mc#1789: main often sits at combined `pending` because
+        # scheduled/non-required contexts (Staging SaaS smoke,
+        # Continuous synthetic E2E, main-red-watchdog itself,
+        # ci-arm64-advisory) are still running. We close stale issues
+        # as long as no *non-scheduled* context has failed and no
+        # *non-scheduled* context is still pending — i.e. required CI
+        # is effectively green.
+        #
+        # The success-only gate is preserved for the canonical green
+        # path; the extended check below only fires when combined is
+        # `pending` but all required work is done.
+        combined_state = status.get("state")
+        if combined_state == "success":
+            should_close = True
+            close_reason = "GREEN"
+        else:
+            statuses = status.get("statuses") or []
+            non_scheduled_pending = [
+                s for s in statuses
+                if isinstance(s, dict)
+                and (_entry_state(s) == "pending")
+                and not _is_scheduled_context(s.get("context", ""))
+            ]
+            non_scheduled_failed = [
+                s for s in statuses
+                if isinstance(s, dict)
+                and (_entry_state(s) in {"failure", "error"})
+                and not _is_scheduled_context(s.get("context", ""))
+            ]
+            # Cancel-cascade already filtered by is_red(); red=False
+            # here means no real failures. We additionally check that
+            # no non-scheduled context is still pending.
+            should_close = not non_scheduled_pending and not non_scheduled_failed
+            close_reason = "pending-but-required-green"
+
+        if should_close:
            closed = close_open_red_issues_for_other_shas(sha, dry_run=dry_run)
            if closed:
                emit_loki_event(
                    "main_returned_to_green", sha,
                    [],
                )
-            print(f"::notice::main is GREEN at {sha[:10]} on {WATCH_BRANCH} "
-                  f"(closed {closed} stale issue(s))")
+            print(
+                f"::notice::main is {close_reason} at {sha[:10]} on {WATCH_BRANCH} "
+                f"(closed {closed} stale issue(s))"
+            )
        else:
-            print(f"::notice::main is PENDING at {sha[:10]} on {WATCH_BRANCH} "
-                  f"(combined state={status.get('state')!r}; no action)")
+            print(
+                f"::notice::main has pending-or-failed required CI at {sha[:10]} "
+                f"on {WATCH_BRANCH} (combined state={combined_state!r}; no action)"
+            )
    return 0


@@ -306,12 +306,15 @@ for U in $CANDIDATES; do
      exit 0
      ;;
    403)
-      # Token owner is not in the team being probed; the API refuses to
-      # confirm membership. This is the RFC#324 follow-up token-scope gap.
-      # Fail closed — never grant approval on a 403; surface clearly.
-      echo "::error::team-probe for ${U} in ${TEAM} returned 403 (token owner not in ${TEAM} team — RFC#324 token-scope follow-up). Cannot confirm membership; failing closed."
+      # Token owner is not in the team being probed; Gitea 1.22.6 refuses
+      # to confirm membership in this case. Do NOT hard-fail the gate on a
+      # 403 — doing so would fail the entire gate if ANY candidate triggers
+      # a 403, even when other valid team-members exist. Instead skip this
+      # candidate and continue checking others. If all candidates produce
+      # 403 (token owner can't query any of them) the final exit fires.
+      echo "::warning::team-probe for ${U} in ${TEAM} returned 403 (token owner not in ${TEAM} team — skipping; cannot confirm membership)"
      cat "$TEAM_PROBE_TMP" >&2
-      exit 1
+      continue
      ;;
    404)
      debug "${U} not a member of ${TEAM}"
@@ -636,6 +636,11 @@ def load_config(path: str) -> dict[str, Any]:
    dep by keeping the config shape constrained.
    """
    try:
+        # yaml is an optional dep; the canonical loader is used when available,
+        # but the SOP runs on runners that may not have PyYAML installed. The
+        # fallback _load_config_minimal covers the same config shape without
+        # requiring the dep, so the ignore is safe: if yaml loads, we use it;
+        # otherwise we fall back silently.
        import yaml  # type: ignore[import-not-found]
        with open(path) as f:
            return yaml.safe_load(f)
@@ -656,8 +661,14 @@ def _load_config_minimal(path: str) -> dict[str, Any]:
    return _parse_minimal_yaml(lines)


-def _parse_minimal_yaml(lines: list[str]) -> dict[str, Any]:  # noqa: C901
-    """Hand-rolled subset parser. See _load_config_minimal docstring."""
+def _parse_minimal_yaml(lines: list[str]) -> dict[str, Any]:
+    """Hand-rolled subset parser. See _load_config_minimal docstring.
+
+    C901: function is necessarily long — it implements a finite-state YAML
+    subset (scalars, maps, lists of maps at fixed depth). No utility refactors
+    meaningfully reduce length without degrading readability. All branches
+    are exhaustively tested in test_parse_minimal_yaml.py.
+    """
    # Strip comments + blank lines but preserve indentation.
    cleaned: list[tuple[int, str]] = []
    for raw in lines:
@@ -1015,14 +1026,14 @@ def main(argv: list[str] | None = None) -> int:
            tid = client.resolve_team_id(args.owner, tn)
            if tid is None:
                # Try the list endpoint as a fallback.
-                code, data = client._req(  # noqa: SLF001
+                code, data = client._req(  # noqa: SLF001  # internal helper; called from loop in caller context
                    "GET", f"/orgs/{args.owner}/teams"
                )
                if code == 200 and isinstance(data, list):
                    for t in data:
                        if t.get("name") == tn:
                            tid = t.get("id")
-                            client._team_id_cache[(args.owner, tn)] = tid  # noqa: SLF001
+                            client._team_id_cache[(args.owner, tn)] = tid  # noqa: SLF001  # internal write-through cache
                            break
            if tid is not None:
                team_ids.append(tid)
@@ -0,0 +1,176 @@
+import importlib.util
+import sys
+from pathlib import Path
+from unittest.mock import patch
+
+SCRIPT = Path(__file__).resolve().parents[1] / "ci-required-drift.py"
+spec = importlib.util.spec_from_file_location("ci_required_drift", SCRIPT)
+drift = importlib.util.module_from_spec(spec)
+sys.modules[spec.name] = drift
+spec.loader.exec_module(drift)
+
+# Module-level constants are loaded from env at import time; set them
+# explicitly so unit tests can import without the full env contract.
+drift.SENTINEL_JOB = "all-required"
+drift.CI_WORKFLOW_PATH = ".gitea/workflows/ci.yml"
+drift.AUDIT_WORKFLOW_PATH = ".gitea/workflows/audit-force-merge.yml"
+
+
+# ---------------------------------------------------------------------------
+# Helper fixtures
+# ---------------------------------------------------------------------------
+
+def _make_ci_doc(jobs: dict) -> dict:
+    return {"jobs": jobs}
+
+
+def _make_audit_doc(required_checks: list[str]) -> dict:
+    return {
+        "jobs": {
+            "audit": {
+                "steps": [
+                    {"env": {"REQUIRED_CHECKS": "\n".join(required_checks)}}
+                ]
+            }
+        }
+    }
+
+
+# ---------------------------------------------------------------------------
+# sentinel_needs
+# ---------------------------------------------------------------------------
+
+def test_sentinel_needs_returns_empty_when_absent():
+    doc = _make_ci_doc({"all-required": {"runs-on": "ubuntu-latest"}})
+    assert drift.sentinel_needs(doc) == set()
+
+
+def test_sentinel_needs_parses_list():
+    doc = _make_ci_doc(
+        {"all-required": {"needs": ["platform-build", "canvas-build"]}}
+    )
+    assert drift.sentinel_needs(doc) == {"platform-build", "canvas-build"}
+
+
+def test_sentinel_needs_parses_string():
+    doc = _make_ci_doc({"all-required": {"needs": "platform-build"}})
+    assert drift.sentinel_needs(doc) == {"platform-build"}
+
+
+# ---------------------------------------------------------------------------
+# ci_job_names / ci_jobs_all
+# ---------------------------------------------------------------------------
+
+def test_ci_job_names_excludes_sentinel_and_event_gated():
+    doc = _make_ci_doc(
+        {
+            "platform-build": {},
+            "canvas-build": {"if": "github.event_name == 'pull_request'"},
+            "main-push": {"if": "github.ref == 'refs/heads/main'"},
+            "all-required": {},
+        }
+    )
+    assert drift.ci_job_names(doc) == {"platform-build"}
+
+
+def test_ci_jobs_all_includes_event_gated():
+    doc = _make_ci_doc(
+        {
+            "platform-build": {},
+            "canvas-build": {"if": "github.event_name == 'pull_request'"},
+            "all-required": {},
+        }
+    )
+    assert drift.ci_jobs_all(doc) == {"platform-build", "canvas-build"}
+
+
+# ---------------------------------------------------------------------------
+# detect_drift — F1 / F1b with mocked I/O
+# ---------------------------------------------------------------------------
+
+SAMPLE_PROTECTION = {
+    "status_check_contexts": [
+        "CI / all-required (pull_request)",
+        "Secret scan / Scan diff for credential-shaped strings (pull_request)",
+    ]
+}
+
+
+def test_detect_drift_no_needs_sentinel_skips_f1():
+    """Post-#1766 contract: all-required has no needs: → F1 is a false positive."""
+    ci = _make_ci_doc(
+        {
+            "platform-build": {},
+            "canvas-build": {},
+            "all-required": {},
+        }
+    )
+    audit = _make_audit_doc(
+        [
+            "CI / all-required (pull_request)",
+            "Secret scan / Scan diff for credential-shaped strings (pull_request)",
+        ]
+    )
+
+    with patch.object(drift, "load_yaml", side_effect=[ci, audit]):
+        with patch.object(drift, "api", return_value=(200, SAMPLE_PROTECTION)):
+            findings, debug = drift.detect_drift("main")
+
+    assert findings == []
+    assert debug["sentinel_needs"] == []
+
+
+def test_detect_drift_typo_in_needs_triggers_f1b():
+    """F1b still catches typos when needs exists."""
+    ci = _make_ci_doc(
+        {
+            "platform-build": {},
+            "all-required": {"needs": ["platfom-build"]},  # typo
+        }
+    )
+    audit = _make_audit_doc(["CI / all-required (pull_request)"])
+
+    with patch.object(drift, "load_yaml", side_effect=[ci, audit]):
+        with patch.object(drift, "api", return_value=(200, SAMPLE_PROTECTION)):
+            findings, _ = drift.detect_drift("main")
+
+    assert any("F1b" in f for f in findings)
+    assert any("platfom-build" in f for f in findings)
+
+
+def test_detect_drift_missing_job_in_needs_triggers_f1():
+    """F1 still fires when needs is non-empty and jobs are missing."""
+    ci = _make_ci_doc(
+        {
+            "platform-build": {},
+            "canvas-build": {},
+            "all-required": {"needs": ["platform-build"]},
+        }
+    )
+    audit = _make_audit_doc(["CI / all-required (pull_request)"])
+
+    with patch.object(drift, "load_yaml", side_effect=[ci, audit]):
+        with patch.object(drift, "api", return_value=(200, SAMPLE_PROTECTION)):
+            findings, _ = drift.detect_drift("main")
+
+    assert any("F1 —" in f for f in findings)
+    assert any("canvas-build" in f for f in findings)
+    assert not any("F1b" in f for f in findings)
+
+
+def test_detect_drift_no_f1_when_needs_empty_even_with_jobs():
+    """Explicit regression guard: empty needs + existing jobs = no F1."""
+    ci = _make_ci_doc(
+        {
+            "platform-build": {},
+            "canvas-build": {},
+            "all-required": {"needs": []},
+        }
+    )
+    audit = _make_audit_doc(["CI / all-required (pull_request)"])
+
+    with patch.object(drift, "load_yaml", side_effect=[ci, audit]):
+        with patch.object(drift, "api", return_value=(200, SAMPLE_PROTECTION)):
+            findings, _ = drift.detect_drift("main")
+
+    assert not any("F1 —" in f for f in findings)
@@ -0,0 +1,282 @@
+import importlib.util
+import sys
+from pathlib import Path
+from unittest.mock import patch, MagicMock
+
+SCRIPT = Path(__file__).resolve().parents[1] / "main-red-watchdog.py"
+spec = importlib.util.spec_from_file_location("main_red_watchdog", SCRIPT)
+wd = importlib.util.module_from_spec(spec)
+sys.modules[spec.name] = wd
+spec.loader.exec_module(wd)
+
+# Module-level constants are loaded from env at import time; set them
+# explicitly so unit tests can import without the full env contract.
+wd.GITEA_TOKEN = "fake-token"
+wd.GITEA_HOST = "git.example.com"
+wd.REPO = "molecule-ai/molecule-core"
+wd.OWNER = "molecule-ai"
+wd.NAME = "molecule-core"
+wd.WATCH_BRANCH = "main"
+wd.RED_LABEL = "tier:high"
+wd.API = "https://git.example.com/api/v1"
+
+
+# ---------------------------------------------------------------------------
+# _is_scheduled_context
+# ---------------------------------------------------------------------------
+
+def test_is_scheduled_context_matches_staging_saas_smoke():
+    assert wd._is_scheduled_context("Staging SaaS smoke") is True
+
+
+def test_is_scheduled_context_matches_case_insensitive():
+    assert wd._is_scheduled_context("continuous synthetic e2e") is True
+
+
+def test_is_scheduled_context_no_match_for_required_ci():
+    assert wd._is_scheduled_context("CI / all-required") is False
+
+
+# ---------------------------------------------------------------------------
+# _entry_state
+# ---------------------------------------------------------------------------
+
+def test_entry_state_prefers_status_over_state():
+    """Gitea 1.22.6 per-entry key is `status`; `state` is fallback."""
+    assert wd._entry_state({"status": "failure", "state": "success"}) == "failure"
+
+
+def test_entry_state_falls_back_to_state():
+    assert wd._entry_state({"state": "pending"}) == "pending"
+
+
+def test_entry_state_empty_when_neither_key_present():
+    assert wd._entry_state({"context": "foo"}) == ""
+
+
+# ---------------------------------------------------------------------------
+# is_red
+# ---------------------------------------------------------------------------
+
+def test_is_red_combined_failure_no_statuses():
+    """Combined failure with empty statuses[] still trips red."""
+    red, failed = wd.is_red({"state": "failure", "statuses": []})
+    assert red is True
+    assert failed == []
+
+
+def test_is_red_cancel_cascade_filtered():
+    """status=3 (cancelled) mapped to failure string must be filtered."""
+    status = {
+        "state": "failure",
+        "statuses": [
+            {"context": "CI / build", "status": "failure", "description": "Has been cancelled"},
+        ],
+    }
+    red, failed = wd.is_red(status)
+    assert red is False
+    assert failed == []
+
+
+def test_is_red_real_failure_not_filtered():
+    """Real failures with different descriptions are kept."""
+    status = {
+        "state": "failure",
+        "statuses": [
+            {"context": "CI / build", "status": "failure", "description": "Failing after 12s"},
+        ],
+    }
+    red, failed = wd.is_red(status)
+    assert red is True
+    assert len(failed) == 1
+    assert failed[0]["context"] == "CI / build"
+
+
+def test_is_red_uses_entry_state_not_top_level_state():
+    """Regression: per-entry key is `status`, not `state`."""
+    status = {
+        "state": "failure",
+        "statuses": [
+            # Only `status` present; pre-rev4 code read `state` and got None
+            {"context": "CI / test", "status": "failure"},
+        ],
+    }
+    red, failed = wd.is_red(status)
+    assert red is True
+    assert len(failed) == 1
+
+
+# ---------------------------------------------------------------------------
+# list_open_red_issues — pagination (mc#1789)
+# ---------------------------------------------------------------------------
+
+def test_list_open_red_issues_exhausts_pagination():
+    """Backlog can exceed 50 issues; all pages must be fetched."""
+    calls = []
+
+    def fake_api(method, path, **kwargs):
+        calls.append((method, path, kwargs))
+        query = (kwargs.get("query") or {})
+        page = int(query.get("page", "1"))
+        limit = int(query.get("limit", "50"))
+        # Page 1 returns full limit; page 2 returns partial → break
+        if page == 1:
+            return 200, [
+                {"title": f"[main-red] molecule-ai/molecule-core: sha{i:04d}"}
+                for i in range(limit)
+            ]
+        if page == 2:
+            return 200, [
+                {"title": "[main-red] molecule-ai/molecule-core: extra1"},
+                {"title": "[main-red] molecule-ai/molecule-core: extra2"},
+                {"title": " unrelated issue "},  # filtered out
+            ]
+        return 200, []
+
+    with patch.object(wd, "api", side_effect=fake_api):
+        issues = wd.list_open_red_issues()
+
+    assert len(issues) == 52  # 50 + 2 matched
+    titles = {i["title"] for i in issues}
+    assert "[main-red] molecule-ai/molecule-core: extra1" in titles
+    assert "[main-red] molecule-ai/molecule-core: extra2" in titles
+
+
+def test_list_open_red_issues_single_page():
+    """When results < limit, loop breaks after first page."""
+    def fake_api(method, path, **kwargs):
+        return 200, [
+            {"title": "[main-red] molecule-ai/molecule-core: abc123"},
+        ]
+
+    with patch.object(wd, "api", side_effect=fake_api):
+        issues = wd.list_open_red_issues()
+
+    assert len(issues) == 1
+
+
+# ---------------------------------------------------------------------------
+# run_once — close logic (mc#1789)
+# ---------------------------------------------------------------------------
+
+def test_run_once_green_closes_stale_issues(monkeypatch):
+    """Combined success → close stale issues."""
+    monkeypatch.setattr(wd, "get_head_sha", lambda b: "abc123")
+    monkeypatch.setattr(wd, "get_combined_status", lambda s: {"state": "success", "statuses": []})
+    monkeypatch.setattr(wd, "is_red", lambda s: (False, []))
+
+    closed = []
+
+    def capture_close(current_sha, *, dry_run=False, close_same_sha=False):
+        closed.append(current_sha)
+        return 1
+
+    monkeypatch.setattr(wd, "close_open_red_issues_for_other_shas", capture_close)
+    monkeypatch.setattr(wd, "emit_loki_event", lambda *a, **k: None)
+
+    assert wd.run_once(dry_run=True) == 0
+    assert closed == ["abc123"]
+
+
+def test_run_once_pending_scheduled_only_closes_stale_issues(monkeypatch):
+    """Combined pending, but only scheduled contexts pending → close stale."""
+    monkeypatch.setattr(wd, "get_head_sha", lambda b: "abc123")
+    monkeypatch.setattr(
+        wd, "get_combined_status",
+        lambda s: {
+            "state": "pending",
+            "statuses": [
+                {"context": "CI / all-required", "status": "success"},
+                {"context": "Staging SaaS smoke", "status": "pending"},
+            ],
+        }
+    )
+    monkeypatch.setattr(wd, "is_red", lambda s: (False, []))
+
+    closed = []
+
+    def capture_close(current_sha, *, dry_run=False, close_same_sha=False):
+        closed.append(current_sha)
+        return 1
+
+    monkeypatch.setattr(wd, "close_open_red_issues_for_other_shas", capture_close)
+    monkeypatch.setattr(wd, "emit_loki_event", lambda *a, **k: None)
+
+    assert wd.run_once(dry_run=True) == 0
+    assert closed == ["abc123"]
+
+
+def test_run_once_pending_required_does_not_close(monkeypatch):
+    """Combined pending with a real required context still pending → no close."""
+    monkeypatch.setattr(wd, "get_head_sha", lambda b: "abc123")
+    monkeypatch.setattr(
+        wd, "get_combined_status",
+        lambda s: {
+            "state": "pending",
+            "statuses": [
+                {"context": "CI / all-required", "status": "pending"},
+                {"context": "Staging SaaS smoke", "status": "success"},
+            ],
+        }
+    )
+    monkeypatch.setattr(wd, "is_red", lambda s: (False, []))
+
+    closed = []
+
+    def capture_close(current_sha, *, dry_run=False, close_same_sha=False):
+        closed.append(current_sha)
+        return 0
+
+    monkeypatch.setattr(wd, "close_open_red_issues_for_other_shas", capture_close)
+    monkeypatch.setattr(wd, "emit_loki_event", lambda *a, **k: None)
+
+    assert wd.run_once(dry_run=True) == 0
+    assert closed == []
+
+
+def test_run_once_failure_does_not_close(monkeypatch):
+    """Real failure in non-scheduled context → no close."""
+    monkeypatch.setattr(wd, "get_head_sha", lambda b: "abc123")
+    monkeypatch.setattr(
+        wd, "get_combined_status",
+        lambda s: {
+            "state": "failure",
+            "statuses": [
+                {"context": "CI / all-required", "status": "failure"},
+            ],
+        }
+    )
+    # is_red will return True, so we enter the red path, not the green close path
+    monkeypatch.setattr(wd, "is_red", lambda s: (True, s.get("statuses", [])))
+    monkeypatch.setattr(wd, "time", MagicMock(sleep=lambda x: None))
+    monkeypatch.setattr(wd, "emit_loki_event", lambda *a, **k: None)
+
+    filed = []
+
+    def capture_file(sha, failed, debug, *, dry_run=False):
+        filed.append(sha)
+
+    monkeypatch.setattr(wd, "file_or_update_red", capture_file)
+    monkeypatch.setattr(wd, "close_open_red_issues_for_other_shas", lambda *a, **k: 0)
+
+    assert wd.run_once(dry_run=True) == 0
+    assert filed == ["abc123"]
+
+
+# ---------------------------------------------------------------------------
+# title_for / find_open_issue_for_sha
+# ---------------------------------------------------------------------------
+
+def test_title_for_uses_short_sha():
+    assert wd.title_for("abcdef123456") == "[main-red] molecule-ai/molecule-core: abcdef1234"
+
+
+def test_find_open_issue_for_sha_matches_exact_title(monkeypatch):
+    fake_issue = {"title": "[main-red] molecule-ai/molecule-core: abc1234567", "number": 42}
+    monkeypatch.setattr(wd, "list_open_red_issues", lambda: [fake_issue])
+    assert wd.find_open_issue_for_sha("abc1234567") == fake_issue
+
+
+def test_find_open_issue_for_sha_returns_none_when_no_match(monkeypatch):
+    monkeypatch.setattr(wd, "list_open_red_issues", lambda: [])
+    assert wd.find_open_issue_for_sha("abc123") is None
@@ -54,5 +54,6 @@ jobs:
          # read-only by design (least-privilege).
          REQUIRED_CHECKS: |
            CI / all-required (pull_request)
-            sop-checklist / all-items-acked (pull_request)
+            E2E API Smoke Test / E2E API Smoke Test (pull_request)
+            Handlers Postgres Integration / Handlers Postgres Integration (pull_request)
        run: bash .gitea/scripts/audit-force-merge.sh
@@ -7,10 +7,11 @@
 #   PR_NUMBER  — set via ${{ github.event.pull_request.number }} from the trigger
 #   POST_COMMENT — "true" to post/update comment on PR
 #
-# Gating logic (MVP signals 1,2,3,6):
+# Gating logic (MVP signals 1,2,3,4,6):
 #   1. Author-aware agent-tag comment scan
 #   2. REQUEST_CHANGES reviews state machine
 #   3. Staleness detection (SOP-12: review.commit_id != PR.head_sha + >1 working day)
+#   4. Branch divergence / scope-creep guard (base-sha vs target HEAD; mc#365)
 #   6. CI required-checks awareness
 #
 # Exit code: 0=CLEAR, 1=BLOCKED, 2=ERROR
@@ -3,11 +3,26 @@ name: Lint shellcheck (arm64 pilot)
 # Mac-CI dual-track pilot (#233). ADDITIVE / NOT REQUIRED.
 #
 # Validates the arm64 self-hosted lane (no docker.sock, no privileged
-# ops) before any required gate moves onto it. Until a Mac arm64 runner
-# is registered with the `arm64` label, this workflow sits PENDING —
-# that is FINE: `arm64` is NOT in branch_protections required contexts.
+# ops) before any required gate moves onto it.
 #
-# Pairs with internal#543 (RFC: Mac arm64 multi-arch runner-base).
+# Runner label mapping (2026-05-22 fix): the actual Mac mini runner
+# registered in this Gitea ships labels
+#   ["self-hosted","macos-self-hosted-arm64","arm64-darwin"]
+# — no plain `arm64`. The earlier `runs-on: [self-hosted, arm64]`
+# could not match any registered runner so every fire of this workflow
+# was assigned task_id=0 / runner_id=NULL → Gitea cancelled it. The
+# rows showed up as Cancelled in the action status feed (not Failed)
+# but the lane never actually ran. Workflow now selects on
+# `arm64-darwin` which is the canonical Mac-arm64 label per the
+# Mac mini's registration (per internal#494 capability-honest labels).
+#
+# If we later want to add a Linux-arm64 runner to the same lane, add
+# both labels to that runner's registration AND broaden the selector
+# here — don't rename `arm64-darwin` (it's Mac-specific by design and
+# `feedback_pc2_runner_labels_must_stay_narrow` rule applies).
+#
+# Pairs with internal#543 (RFC: Mac arm64 multi-arch runner-base) and
+# internal#494 (multi-arch runner-base capability-honest labels).
 # No paths: filter on purpose (feedback_path_filtered_workflow_cant_be_required).

 on:
@@ -82,7 +97,15 @@ jobs:
            echo "WARN: shellcheck binary not found — skipping (pilot mode)"
            exit 0
          fi
-          mapfile -t TARGETS < <(find .gitea/scripts -maxdepth 2 -type f -name '*.sh' | sort)
+          # NOTE: macOS ships Bash 3.2 (Apple license), no `mapfile`
+          # (Bash 4+ builtin). Mac mini runner empirically failed at
+          # `mapfile: command not found` (run 79275 / task 145654).
+          # Use the portable `while read` pattern instead — works on
+          # both Bash 3.2 (macOS) and Bash 4+ (Linux).
+          TARGETS=()
+          while IFS= read -r f; do
+            TARGETS+=("$f")
+          done < <(find .gitea/scripts -maxdepth 2 -type f -name '*.sh' | sort)
          if [ "${#TARGETS[@]}" -eq 0 ]; then
            echo "No .sh files found under .gitea/scripts — nothing to check"
            exit 0
@@ -34,22 +34,6 @@ interface TemplateSpec {
  providers?: string[];
 }

-interface HermesProvider {
-  id: string;
-  label: string;
-  envVar: string;
-  defaultModel: string;
-  models: string[];
-}
-
-const DEFAULT_LLM_MODELS: SelectorModel[] = [
-  { id: "moonshot/kimi-k2.6", name: "Kimi K2.6", provider: "platform", required_env: [] },
-  { id: "MiniMax-M2.7", name: "MiniMax M2.7", required_env: ["MINIMAX_API_KEY"] },
-  { id: "kimi-k2-turbo-preview", name: "Kimi K2 Turbo Preview", required_env: ["KIMI_API_KEY"] },
-  { id: "claude-sonnet-4-6", name: "Claude Sonnet 4.6", required_env: ["ANTHROPIC_API_KEY"] },
-  { id: "sonnet", name: "Claude Sonnet", required_env: ["CLAUDE_CODE_OAUTH_TOKEN"] },
-];
-const DEFAULT_PLATFORM_MODEL = DEFAULT_LLM_MODELS[0];
 const DEFAULT_RUNTIME = "claude-code";
 const RUNTIME_OPTIONS = [
  { value: "claude-code", label: "Claude Code" },
@@ -63,31 +47,6 @@ const DEFAULT_HEADLESS_ROOT_GB = 30;
 const DEFAULT_DISPLAY_INSTANCE_TYPE = "t3.xlarge";
 const DEFAULT_DISPLAY_ROOT_GB = 80;

-// All providers supported by Hermes runtime via providers.resolve_provider().
-// `defaultModel` is the slug injected into the workspace provision request
-// when the user picks this provider — template-hermes's derive-provider.sh
-// maps the prefix back to the provider name at install time, so this is
-// the canonical handshake. `models` are additional suggestions surfaced in
-// the datalist so the user can pick a different size without typing the
-// whole slug.
-export const HERMES_PROVIDERS: HermesProvider[] = [
-  { id: "anthropic",  label: "Anthropic (Claude)",    envVar: "ANTHROPIC_API_KEY",  defaultModel: "anthropic/claude-sonnet-4-5",   models: ["anthropic/claude-opus-4-5", "anthropic/claude-sonnet-4-5", "anthropic/claude-haiku-4-5"] },
-  { id: "openai",     label: "OpenAI",                envVar: "OPENAI_API_KEY",     defaultModel: "openai/gpt-4o",                 models: ["openai/gpt-4o", "openai/gpt-4o-mini", "openai/o3-mini"] },
-  { id: "openrouter", label: "OpenRouter",            envVar: "OPENROUTER_API_KEY", defaultModel: "openrouter/auto",               models: ["openrouter/auto", "openrouter/anthropic/claude-sonnet-4", "openrouter/meta-llama/llama-3.3-70b"] },
-  { id: "xai",        label: "xAI (Grok)",            envVar: "XAI_API_KEY",        defaultModel: "xai/grok-4",                    models: ["xai/grok-4", "xai/grok-4-mini"] },
-  { id: "gemini",     label: "Google Gemini",         envVar: "GEMINI_API_KEY",     defaultModel: "gemini/gemini-2.5-pro",         models: ["gemini/gemini-2.5-pro", "gemini/gemini-2.5-flash"] },
-  { id: "qwen",       label: "Qwen (Alibaba)",        envVar: "QWEN_API_KEY",       defaultModel: "alibaba/qwen3-max",             models: ["alibaba/qwen3-max", "alibaba/qwen3-coder"] },
-  { id: "glm",        label: "GLM (Zhipu AI)",        envVar: "GLM_API_KEY",        defaultModel: "zai/glm-4.6",                   models: ["zai/glm-4.6", "zai/glm-4.5-air"] },
-  { id: "kimi",       label: "Kimi (Moonshot)",       envVar: "KIMI_API_KEY",       defaultModel: "kimi-coding/kimi-k2",           models: ["kimi-coding/kimi-k2", "kimi-coding/kimi-k1.5"] },
-  { id: "minimax",    label: "MiniMax",               envVar: "MINIMAX_API_KEY",    defaultModel: "minimax/MiniMax-M2.7",          models: ["minimax/MiniMax-M2.7", "minimax/MiniMax-M2.7-highspeed", "minimax/MiniMax-M1"] },
-  { id: "deepseek",   label: "DeepSeek",              envVar: "DEEPSEEK_API_KEY",   defaultModel: "deepseek/deepseek-chat",        models: ["deepseek/deepseek-chat", "deepseek/deepseek-reasoner"] },
-  { id: "groq",       label: "Groq",                  envVar: "GROQ_API_KEY",       defaultModel: "openrouter/groq/llama-3.3-70b", models: ["openrouter/groq/llama-3.3-70b"] },
-  { id: "mistral",    label: "Mistral",               envVar: "MISTRAL_API_KEY",    defaultModel: "openrouter/mistralai/mistral-large", models: ["openrouter/mistralai/mistral-large"] },
-  { id: "together",   label: "Together AI",           envVar: "TOGETHER_API_KEY",   defaultModel: "openrouter/meta-llama/llama-3.3-70b", models: ["openrouter/meta-llama/llama-3.3-70b"] },
-  { id: "fireworks",  label: "Fireworks AI",          envVar: "FIREWORKS_API_KEY",  defaultModel: "openrouter/meta-llama/llama-3.3-70b", models: ["openrouter/meta-llama/llama-3.3-70b"] },
-  { id: "hermes",     label: "Hermes / Nous (legacy)", envVar: "HERMES_API_KEY",    defaultModel: "nousresearch/Hermes-3-Llama-3.1-405B", models: ["nousresearch/Hermes-3-Llama-3.1-405B", "nousresearch/Hermes-4-14B"] },
-];
-
 export function CreateWorkspaceButton() {
  const [open, setOpen] = useState(false);
  const [name, setName] = useState("");
@@ -107,32 +66,20 @@ export function CreateWorkspaceButton() {
  // filter below. Same data source ConfigTab uses (PR #2454). When the
  // selected template declares `runtime_config.providers` in its
  // config.yaml, the modal surfaces only those providers in the
-  // <select>. Empty/missing list falls back to the full HERMES_PROVIDERS
-  // catalog so older templates without the field keep working.
+  // <select>. Provider/model options are derived from template models.
  const [templateSpecs, setTemplateSpecs] = useState<TemplateSpec[]>([]);
  // External-runtime path: skip docker provision, mint a workspace_auth_token,
  // and surface the connection snippet in a modal after create. When
-  // isExternal is true the template / model / hermes-provider fields are
-  // hidden (they're meaningless for BYO-compute agents).
+  // isExternal is true the template and model fields are hidden (they're
+  // meaningless for BYO-compute agents).
  const [isExternal, setIsExternal] = useState(false);
  const [externalRuntime, setExternalRuntime] = useState("external");
  const [externalConnection, setExternalConnection] =
    useState<ExternalConnectionInfo | null>(null);

-  // Hermes-specific state
-  const [hermesProvider, setHermesProvider] = useState("anthropic");
-  const [hermesApiKey, setHermesApiKey] = useState("");
-  // Model slug is sent to CP as `model` and plumbed to the workspace EC2
-  // as HERMES_DEFAULT_MODEL env var. template-hermes's derive-provider.sh
-  // reads the prefix (`minimax/…`, `anthropic/…`) to set
-  // HERMES_INFERENCE_PROVIDER at install time. Missing model → provider
-  // falls back to "auto" and hermes picks its compiled-in default
-  // (Anthropic), which 401s if the user's key is for a different
-  // provider. Hence: require model when template=hermes.
-  const [hermesModel, setHermesModel] = useState("");
  const [llmSelection, setLLMSelection] = useState<SelectorValue>({
-    providerId: "platform|",
-    model: "moonshot/kimi-k2.6",
+    providerId: "",
+    model: "",
    envVars: [],
  });
  const [llmSecret, setLLMSecret] = useState("");
@@ -194,10 +141,7 @@ export function CreateWorkspaceButton() {
  const handleRuntimeChange = useCallback((nextRuntime: string) => {
    setRuntime(nextRuntime);
    setTemplate("");
-    setHermesProvider("anthropic");
-    setHermesApiKey("");
-    setHermesModel("");
-    setLLMSelection({ providerId: "platform|", model: DEFAULT_PLATFORM_MODEL.id, envVars: [] });
+    setLLMSelection({ providerId: "", model: "", envVars: [] });
    setLLMSecret("");
  }, []);

@@ -209,9 +153,12 @@ export function CreateWorkspaceButton() {
    return templateSpecs.find((s) => s.id === template) ?? null;
  }, [template, templateSpecs]);
  const selectedRuntimeTemplateSpec = useMemo<TemplateSpec | null>(() => (
-    templateSpecs.find((s) => s.id === runtime && BASE_RUNTIME_TEMPLATE_IDS.has(s.id)) ?? null
+    templateSpecs.find((s) => {
+      if (!BASE_RUNTIME_TEMPLATE_IDS.has(s.id)) return false;
+      const specRuntime = (s.runtime ?? s.id).trim().toLowerCase();
+      return s.id === runtime || specRuntime === runtime;
+    }) ?? null
  ), [runtime, templateSpecs]);
-  const isHermes = runtime === "hermes";
  const visibleTemplateSpecs = useMemo(
    () => templateSpecs.filter((spec) => {
      if (BASE_RUNTIME_TEMPLATE_IDS.has(spec.id)) return false;
@@ -222,28 +169,11 @@ export function CreateWorkspaceButton() {
  );
  const llmModels = useMemo(
    () => {
-      if (!selectedTemplateSpec?.models?.length) return DEFAULT_LLM_MODELS;
-      if (isHermes) {
-        return selectedTemplateSpec.models;
-      }
-      if (selectedTemplateSpec.models.some((model) => model.provider === "platform")) {
-        return selectedTemplateSpec.models;
-      }
-      const templateDefault = selectedTemplateSpec.model?.trim();
-      const defaultModelSpec = templateDefault
-        ? selectedTemplateSpec.models.find((model) => model.id === templateDefault)
-        : undefined;
-      return [
-        {
-          id: templateDefault || DEFAULT_PLATFORM_MODEL.id,
-          name: defaultModelSpec?.name ?? DEFAULT_PLATFORM_MODEL.name,
-          provider: "platform",
-          required_env: [],
-        },
-        ...selectedTemplateSpec.models,
-      ];
+      const sourceSpec = selectedTemplateSpec ?? selectedRuntimeTemplateSpec;
+      if (!sourceSpec?.models?.length) return [];
+      return sourceSpec.models;
    },
-    [isHermes, selectedTemplateSpec],
+    [selectedRuntimeTemplateSpec, selectedTemplateSpec],
  );
  const llmCatalog = useMemo(() => buildProviderCatalog(llmModels), [llmModels]);
  const selectedLLMProvider = useMemo(
@@ -251,67 +181,22 @@ export function CreateWorkspaceButton() {
    [llmCatalog, llmSelection.providerId],
  );

-  // Filter HERMES_PROVIDERS by what the template declares it supports.
-  // Empty/missing declared list → fall back to the full catalog so
-  // templates that haven't migrated to the explicit `providers:` field
-  // (and self-hosted setups without /templates) keep working unchanged.
-  const availableProviders = useMemo<HermesProvider[]>(() => {
-    const declared = selectedTemplateSpec?.providers ?? selectedRuntimeTemplateSpec?.providers;
-    if (!declared || declared.length === 0) return HERMES_PROVIDERS;
-    const allowed = new Set(declared.map((p) => p.toLowerCase()));
-    const filtered = HERMES_PROVIDERS.filter((p) => allowed.has(p.id.toLowerCase()));
-    // Defensive: if the template's declared list doesn't match anything
-    // in our static catalog (e.g. brand-new provider id we don't have
-    // metadata for yet), fall back to the full list rather than render
-    // an empty <select>. Better to over-show than to lock the user out.
-    return filtered.length > 0 ? filtered : HERMES_PROVIDERS;
-  }, [selectedRuntimeTemplateSpec, selectedTemplateSpec]);
-
-  // If the currently-selected provider is filtered out by a template
-  // change, snap back to the first available. Without this, the
-  // hermesProvider state could refer to a provider not in the dropdown
-  // — confusing UI + the API key field's envVar would be wrong.
  useEffect(() => {
-    if (!isHermes) return;
-    if (availableProviders.length === 0) return;
-    if (!availableProviders.some((p) => p.id === hermesProvider)) {
-      setHermesProvider(availableProviders[0].id);
-    }
-    // eslint-disable-next-line react-hooks/exhaustive-deps
-  }, [availableProviders, isHermes]);
-
-  useEffect(() => {
-    if (isHermes || llmCatalog.length === 0) return;
-    const templateDefault = selectedTemplateSpec?.model?.trim();
-    const matched = templateDefault ? findProviderForModel(llmCatalog, templateDefault) : null;
-    const next = matched ?? llmCatalog[0];
+    if (llmCatalog.length === 0) return;
+    const sourceDefault = (selectedTemplateSpec ?? selectedRuntimeTemplateSpec)?.model?.trim();
+    const platformProvider = llmCatalog.find((p) => p.vendor === "platform");
+    const matched = sourceDefault ? findProviderForModel(llmCatalog, sourceDefault) : null;
+    const next = platformProvider ?? matched ?? llmCatalog[0];
+    const defaultModel = next.models.find((model) => model.id === sourceDefault)?.id
+      ?? next.models[0]?.id
+      ?? "";
    setLLMSelection({
      providerId: next.id,
-      model: matched && templateDefault
-        ? templateDefault
-        : next.wildcard
-          ? ""
-          : next.models[0]?.id ?? "",
+      model: next.wildcard ? "" : defaultModel,
      envVars: next.envVars,
    });
    setLLMSecret("");
-  }, [isHermes, llmCatalog, selectedTemplateSpec?.model]);
-
-  // Auto-fill hermesModel with the provider's defaultModel whenever the
-  // provider changes, but only if the user hasn't already typed their own
-  // slug. Prevents the empty-model → "auto" → Anthropic-default 401 trap.
-  useEffect(() => {
-    if (!isHermes) return;
-    const p = HERMES_PROVIDERS.find((x) => x.id === hermesProvider);
-    if (!p) return;
-    // Replace model only if current value matches another provider's
-    // default (user hasn't customized it) OR is empty.
-    const isUntouched =
-      hermesModel === "" ||
-      HERMES_PROVIDERS.some((x) => x.defaultModel === hermesModel);
-    if (isUntouched) setHermesModel(p.defaultModel);
-    // eslint-disable-next-line react-hooks/exhaustive-deps
-  }, [hermesProvider, isHermes]);
+  }, [llmCatalog, selectedRuntimeTemplateSpec, selectedTemplateSpec]);

  // Reset form and load workspaces whenever dialog opens
  useEffect(() => {
@@ -328,11 +213,8 @@ export function CreateWorkspaceButton() {
    setDisplayInstanceType(DEFAULT_DISPLAY_INSTANCE_TYPE);
    setDisplayRootGB(String(DEFAULT_DISPLAY_ROOT_GB));
    setDisplayResolution("1920x1080");
-    setHermesProvider("anthropic");
    setExternalRuntime("external");
-    setHermesApiKey("");
-    setHermesModel("");
-    setLLMSelection({ providerId: "platform|", model: "moonshot/kimi-k2.6", envVars: [] });
+    setLLMSelection({ providerId: "", model: "", envVars: [] });
    setLLMSecret("");
    api
      .get<WorkspaceOption[]>("/workspaces")
@@ -341,7 +223,7 @@ export function CreateWorkspaceButton() {
    api
      .get<TemplateSpec[]>("/templates")
      .then((rows) => setTemplateSpecs(Array.isArray(rows) ? rows : []))
-      .catch(() => { /* keep empty — HERMES_PROVIDERS fallback below */ });
+      .catch(() => { /* keep empty; create stays blocked until the catalog loads */ });
    // defaultTier is stable for the session (derived from window.location),
    // safe to omit from deps.
    // eslint-disable-next-line react-hooks/exhaustive-deps
@@ -352,29 +234,18 @@ export function CreateWorkspaceButton() {
      setError("Name is required");
      return;
    }
-    if (isHermes && !hermesApiKey.trim()) {
-      setError("API key is required for Hermes workspaces");
-      return;
-    }
-    if (isHermes && !hermesModel.trim()) {
-      setError("Model is required for Hermes workspaces — provider routing depends on the model slug prefix");
-      return;
-    }
-    if (!isExternal && !isHermes && !llmSelection.model.trim()) {
+    if (!isExternal && !llmSelection.model.trim()) {
      setError("Model is required");
      return;
    }
-    if (!isExternal && !isHermes && selectedLLMProvider?.envVars.length && !llmSecret.trim()) {
+    if (!isExternal && selectedLLMProvider?.envVars.length && !llmSecret.trim()) {
      setError("Provider credential is required");
      return;
    }
    setCreating(true);
    setError(null);

-    const provider = isHermes
-      ? HERMES_PROVIDERS.find((p) => p.id === hermesProvider)
-      : undefined;
-    const nativeProvider = !isHermes ? selectedLLMProvider : undefined;
+    const nativeProvider = selectedLLMProvider;

    try {
      const parsedBudget = budgetLimit.trim()
@@ -398,7 +269,7 @@ export function CreateWorkspaceButton() {
        tier,
        parent_id: parentId || undefined,
        budget_limit: parsedBudget,
-        ...(!isExternal && !isHermes && nativeProvider
+        ...(!isExternal && nativeProvider
          ? {
              model: llmSelection.model.trim(),
              llm_provider: nativeProvider.vendor,
@@ -432,12 +303,6 @@ export function CreateWorkspaceButton() {
        // no container provisioning, token minted, connection payload
        // returned in the response for the modal below.
        ...(isExternal ? { runtime: externalRuntime } : { runtime }),
-        ...(!isExternal && isHermes && provider
-          ? {
-              secrets: { [provider.envVar]: hermesApiKey.trim() },
-              model: hermesModel.trim(),
-            }
-          : {}),
      });
      // External path: keep the create dialog open just long enough to
      // hand control to the connect modal, then close. The connect
@@ -588,7 +453,7 @@ export function CreateWorkspaceButton() {
              </div>
            )}

-            {!isExternal && !isHermes && selectedLLMProvider && (
+            {!isExternal && selectedLLMProvider && (
              <div className="rounded-lg border border-line/50 bg-surface-card/40 p-3 space-y-3">
                <div className="text-[11px] font-medium text-ink-mid">
                  LLM
@@ -744,100 +609,6 @@ export function CreateWorkspaceButton() {
            </div>
          </div>

-          {/* Hermes provider configuration — shown only for the Hermes runtime. */}
-          {isHermes && (
-            <div
-              className="mt-4 rounded-xl border border-violet-700/40 bg-violet-950/20 p-4 space-y-3"
-              data-testid="hermes-provider-section"
-            >
-              <p className="text-[11px] font-semibold text-violet-400 uppercase tracking-wide">
-                Hermes Provider
-              </p>
-              <p className="text-[11px] text-ink-mid -mt-1">
-                Choose the AI provider and paste your API key. The key is
-                stored as an encrypted workspace secret.
-              </p>
-
-              <div>
-                <label
-                  htmlFor="hermes-provider-select"
-                  className="text-[11px] text-ink-mid block mb-1"
-                >
-                  Provider
-                </label>
-                <select
-                  id="hermes-provider-select"
-                  value={hermesProvider}
-                  onChange={(e) => setHermesProvider(e.target.value)}
-                  aria-label="Hermes provider"
-                  className="w-full bg-surface-card/60 border border-line/50 rounded-lg px-3 py-2 text-sm text-ink focus:outline-none focus:border-violet-500/60 focus:ring-1 focus:ring-violet-500/20 transition-colors"
-                >
-                  {availableProviders.map((p) => (
-                    <option key={p.id} value={p.id}>
-                      {p.label}
-                    </option>
-                  ))}
-                </select>
-              </div>
-
-              <div>
-                <label
-                  htmlFor="hermes-api-key-input"
-                  className="text-[11px] text-ink-mid block mb-1"
-                >
-                  API Key{" "}
-                  <span aria-hidden="true" className="text-bad">
-                    *
-                  </span>
-                  <span className="sr-only"> (required)</span>
-                </label>
-                <input
-                  id="hermes-api-key-input"
-                  type="password"
-                  value={hermesApiKey}
-                  onChange={(e) => setHermesApiKey(e.target.value)}
-                  placeholder="sk-…"
-                  aria-label="Hermes API key"
-                  autoComplete="off"
-                  className="w-full bg-surface-card/60 border border-line/50 rounded-lg px-3 py-2 text-sm text-ink placeholder-ink-soft focus:outline-none focus:border-violet-500/60 focus:ring-1 focus:ring-violet-500/20 transition-colors font-mono"
-                />
-              </div>
-
-              <div>
-                <label
-                  htmlFor="hermes-model-input"
-                  className="text-[11px] text-ink-mid block mb-1"
-                >
-                  Model{" "}
-                  <span aria-hidden="true" className="text-bad">
-                    *
-                  </span>
-                  <span className="sr-only"> (required)</span>
-                </label>
-                <input
-                  id="hermes-model-input"
-                  type="text"
-                  value={hermesModel}
-                  onChange={(e) => setHermesModel(e.target.value)}
-                  placeholder="e.g. minimax/MiniMax-M2.7"
-                  aria-label="Hermes model slug"
-                  autoComplete="off"
-                  spellCheck={false}
-                  list="hermes-model-suggestions"
-                  className="w-full bg-surface-card/60 border border-line/50 rounded-lg px-3 py-2 text-sm text-ink placeholder-ink-soft focus:outline-none focus:border-violet-500/60 focus:ring-1 focus:ring-violet-500/20 transition-colors font-mono"
-                />
-                <datalist id="hermes-model-suggestions">
-                  {HERMES_PROVIDERS.find((p) => p.id === hermesProvider)?.models.map(
-                    (m) => <option key={m} value={m} />,
-                  )}
-                </datalist>
-                <p className="text-[10px] text-ink-mid mt-1">
-                  Slug determines which provider hermes routes to at install time.
-                </p>
-              </div>
-            </div>
-          )}
-
          {error && (
            <div
              role="alert"
@@ -1,7 +1,7 @@
 // @vitest-environment jsdom
 import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
 import { render, screen, fireEvent, waitFor, cleanup } from "@testing-library/react";
-import { CreateWorkspaceButton, HERMES_PROVIDERS } from "../CreateWorkspaceDialog";
+import { CreateWorkspaceButton } from "../CreateWorkspaceDialog";

 vi.mock("@/lib/api", () => ({
  api: {
@@ -21,6 +21,22 @@ const SAMPLE_WORKSPACES = [
 ];

 const SAMPLE_TEMPLATES = [
+  {
+    id: "claude-code-default",
+    name: "Claude Code Agent",
+    runtime: "claude-code",
+    model: "moonshot/kimi-k2.6",
+    providers: ["platform", "minimax", "kimi-coding", "anthropic", "anthropic-oauth"],
+    models: [
+      { id: "moonshot/kimi-k2.6", name: "Kimi K2.6", provider: "platform", required_env: [] },
+      { id: "MiniMax-M2.7", name: "MiniMax M2.7", required_env: ["MINIMAX_API_KEY"] },
+      { id: "kimi-k2-turbo-preview", name: "Kimi K2 Turbo Preview", required_env: ["KIMI_API_KEY"] },
+      { id: "claude-sonnet-4-6", name: "Claude Sonnet 4.6", required_env: ["ANTHROPIC_API_KEY"] },
+      { id: "sonnet", name: "Claude Sonnet", required_env: ["CLAUDE_CODE_OAUTH_TOKEN"] },
+      { id: "opus", name: "Claude Opus", required_env: ["CLAUDE_CODE_OAUTH_TOKEN"] },
+      { id: "haiku", name: "Claude Haiku", required_env: ["CLAUDE_CODE_OAUTH_TOKEN"] },
+    ],
+  },
  {
    id: "seo-agent",
    name: "SEO Agent",
@@ -33,9 +49,22 @@ const SAMPLE_TEMPLATES = [
      { id: "kimi-k2-turbo-preview", name: "Kimi K2 Turbo Preview", required_env: ["KIMI_API_KEY"] },
      { id: "claude-sonnet-4-6", name: "Claude Sonnet 4.6", required_env: ["ANTHROPIC_API_KEY"] },
      { id: "sonnet", name: "Claude Sonnet", required_env: ["CLAUDE_CODE_OAUTH_TOKEN"] },
+      { id: "opus", name: "Claude Opus", required_env: ["CLAUDE_CODE_OAUTH_TOKEN"] },
+      { id: "haiku", name: "Claude Haiku", required_env: ["CLAUDE_CODE_OAUTH_TOKEN"] },
+    ],
+  },
+  {
+    id: "hermes",
+    name: "Hermes",
+    runtime: "hermes",
+    model: "openai/gpt-4o",
+    providers: ["openai", "anthropic", "platform"],
+    models: [
+      { id: "openai/gpt-4o", name: "GPT-4o", required_env: ["OPENAI_API_KEY"] },
+      { id: "anthropic/claude-sonnet-4-5", name: "Claude Sonnet 4.5", required_env: ["ANTHROPIC_API_KEY"] },
+      { id: "moonshot/kimi-k2.6", name: "Kimi K2.6", provider: "platform", required_env: [] },
    ],
  },
-  { id: "hermes", name: "Hermes", runtime: "hermes" },
 ];

 beforeEach(() => {
@@ -269,6 +298,9 @@ describe("CreateWorkspaceDialog", () => {
    fireEvent.change(document.querySelector("[data-testid='provider-select']") as HTMLSelectElement, {
      target: { value: "anthropic-oauth|CLAUDE_CODE_OAUTH_TOKEN" },
    });
+    fireEvent.change(document.querySelector("[data-testid='model-select']") as HTMLSelectElement, {
+      target: { value: "sonnet" },
+    });
    fireEvent.change(document.getElementById("llm-secret-input") as HTMLInputElement, {
      target: { value: "oauth-token" },
    });
@@ -283,6 +315,18 @@ describe("CreateWorkspaceDialog", () => {
    expect(body.secrets).toEqual({ CLAUDE_CODE_OAUTH_TOKEN: "oauth-token" });
  });

+  it("lists all Claude Code subscription aliases for blank workspaces", async () => {
+    await openDialog();
+
+    fireEvent.change(document.querySelector("[data-testid='provider-select']") as HTMLSelectElement, {
+      target: { value: "anthropic-oauth|CLAUDE_CODE_OAUTH_TOKEN" },
+    });
+
+    const modelSelect = document.querySelector("[data-testid='model-select']") as HTMLSelectElement;
+    const optionValues = Array.from(modelSelect.options).map((option) => option.value);
+    expect(optionValues).toEqual(expect.arrayContaining(["sonnet", "opus", "haiku"]));
+  });
+
  it("renders gracefully when GET /workspaces fails", async () => {
    mockGet.mockRejectedValueOnce(new Error("Network error"));
    await openDialog();
@@ -297,226 +341,103 @@ describe("CreateWorkspaceDialog", () => {
 });

 // ---------------------------------------------------------------------------
-// Hermes provider picker tests
+// Dynamic runtime provider picker tests
 // ---------------------------------------------------------------------------

-describe("CreateWorkspaceDialog — Hermes provider picker", () => {
-  it("does NOT show hermes provider section for non-hermes templates", async () => {
+describe("CreateWorkspaceDialog — dynamic runtime provider picker", () => {
+  it("does not render the old Hermes-only provider section", async () => {
    await openDialog();
-    await setTemplate("seo-agent");
+    await setRuntime("hermes");
    expect(document.querySelector("[data-testid='hermes-provider-section']")).toBeNull();
  });

-  it("shows hermes provider section when runtime is 'hermes'", async () => {
+  it("derives Hermes provider and model options from the /templates runtime row", async () => {
    await openDialog();
    await setRuntime("hermes");
-    await waitFor(() =>
-      expect(document.querySelector("[data-testid='hermes-provider-section']")).toBeTruthy()
-    );
+
+    const providerSelect = document.querySelector("[data-testid='provider-select']") as HTMLSelectElement;
+    await waitFor(() => expect(providerSelect.options.length).toBe(4));
+
+    const providerValues = Array.from(providerSelect.options).map((option) => option.value);
+    expect(providerValues).toEqual(expect.arrayContaining([
+      "platform|",
+      "openai|OPENAI_API_KEY",
+      "anthropic|ANTHROPIC_API_KEY",
+    ]));
+    expect(providerValues).not.toContain("gemini|GEMINI_API_KEY");
  });

-  it("shows hermes provider section for the Hermes runtime preset", async () => {
+  it("uses the template-declared default provider/model for Hermes", async () => {
    await openDialog();
    await setRuntime("hermes");
-    await waitFor(() =>
-      expect(document.querySelector("[data-testid='hermes-provider-section']")).toBeTruthy()
-    );
+
+    await waitFor(() => {
+      const providerSelect = document.querySelector("[data-testid='provider-select']") as HTMLSelectElement;
+      expect(providerSelect.value).toBe("platform|");
+    });
+    const modelSelect = document.querySelector("[data-testid='model-select']") as HTMLSelectElement;
+    expect(modelSelect.value).toBe("moonshot/kimi-k2.6");
  });

-  it("hermes provider dropdown defaults to 'anthropic'", async () => {
+  it("prompts for the provider credential required by the selected Hermes model", async () => {
    await openDialog();
    await setRuntime("hermes");
-    await waitFor(() =>
-      expect(document.querySelector("[data-testid='hermes-provider-section']")).toBeTruthy()
-    );
-    const providerSelect = document.getElementById("hermes-provider-select") as HTMLSelectElement;
-    expect(providerSelect).toBeTruthy();
-    expect(providerSelect.value).toBe("anthropic");
-  });

-  it("hermes provider dropdown lists all 15 providers", async () => {
-    await openDialog();
-    await setRuntime("hermes");
-    await waitFor(() =>
-      expect(document.querySelector("[data-testid='hermes-provider-section']")).toBeTruthy()
-    );
-    const providerSelect = document.getElementById("hermes-provider-select") as HTMLSelectElement;
-    expect(providerSelect.options.length).toBe(HERMES_PROVIDERS.length);
-    const ids = Array.from(providerSelect.options).map((o) => o.value);
-    expect(ids).toContain("anthropic");
-    expect(ids).toContain("openai");
-    expect(ids).toContain("gemini");
-    expect(ids).toContain("deepseek");
-    expect(ids).toContain("hermes");
-  });
-
-  // Pins the dynamic-providers behavior: when the matched template's
-  // /templates row declares `providers`, the dropdown filters to that
-  // subset instead of showing the full HERMES_PROVIDERS catalog. Same
-  // data source ConfigTab uses (PR #2454) — keeps the modal and the
-  // settings tab honest about which providers a template supports.
-  it("hermes provider dropdown filters to template-declared providers when /templates ships them", async () => {
-    // Per-URL mock: /workspaces returns the existing fixture, /templates
-    // returns a hermes row that only allows anthropic + minimax + openai.
-    mockGet.mockImplementation(async (url: string) => {
-      if (url === "/templates") {
-        return [
-          { id: "hermes", name: "Hermes", runtime: "hermes", providers: ["anthropic", "minimax", "openai"] },
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        ] as any;
-      }
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      return SAMPLE_WORKSPACES as any;
+    fireEvent.change(document.querySelector("[data-testid='provider-select']") as HTMLSelectElement, {
+      target: { value: "openai|OPENAI_API_KEY" },
    });

-    await openDialog();
-    await setRuntime("hermes");
-    await waitFor(() =>
-      expect(document.querySelector("[data-testid='hermes-provider-section']")).toBeTruthy()
-    );
-    const providerSelect = document.getElementById("hermes-provider-select") as HTMLSelectElement;
-    // Filtered list arrives async after /templates fetch resolves —
-    // keep waiting until the dropdown shrinks below the full catalog.
-    await waitFor(() => expect(providerSelect.options.length).toBe(3));
-    const ids = Array.from(providerSelect.options).map((o) => o.value);
-    expect(ids).toEqual(expect.arrayContaining(["anthropic", "minimax", "openai"]));
-    expect(ids).not.toContain("gemini");
-    expect(ids).not.toContain("deepseek");
-  });
-
-  // Back-compat: a template that hasn't migrated to runtime_config.providers
-  // (older templates, self-hosted setups without /templates server) keeps
-  // showing the full provider catalog. Operators picking from those
-  // templates can't be locked out of providers we know hermes supports.
-  it("hermes provider dropdown falls back to all providers when template declares no providers list", async () => {
-    mockGet.mockImplementation(async (url: string) => {
-      if (url === "/templates") {
-        // No `providers` field — empty/missing → fall back to full catalog.
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        return [{ id: "hermes", name: "Hermes", runtime: "hermes" }] as any;
-      }
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      return SAMPLE_WORKSPACES as any;
-    });
-
-    await openDialog();
-    await setRuntime("hermes");
-    await waitFor(() =>
-      expect(document.querySelector("[data-testid='hermes-provider-section']")).toBeTruthy()
-    );
-    const providerSelect = document.getElementById("hermes-provider-select") as HTMLSelectElement;
-    expect(providerSelect.options.length).toBe(HERMES_PROVIDERS.length);
-  });
-
-  // Defensive: a template's declared list with NO matches against our
-  // static catalog (e.g. a brand-new provider id we don't have label/
-  // envVar metadata for yet) must not render an empty <select> — the
-  // operator can't pick a provider, the form locks. Component falls
-  // back to the full catalog so the user can still proceed.
-  it("hermes provider dropdown falls back to all providers when template declares only unknown providers", async () => {
-    mockGet.mockImplementation(async (url: string) => {
-      if (url === "/templates") {
-        return [
-          { id: "hermes", name: "Hermes", runtime: "hermes", providers: ["totally-new-provider-2030"] },
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        ] as any;
-      }
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      return SAMPLE_WORKSPACES as any;
-    });
-
-    await openDialog();
-    await setRuntime("hermes");
-    await waitFor(() =>
-      expect(document.querySelector("[data-testid='hermes-provider-section']")).toBeTruthy()
-    );
-    const providerSelect = document.getElementById("hermes-provider-select") as HTMLSelectElement;
-    // Stays at full catalog length — no flapping to 0 then back.
-    expect(providerSelect.options.length).toBe(HERMES_PROVIDERS.length);
-  });
-
-  it("hermes API key field is a password input (masked)", async () => {
-    await openDialog();
-    await setRuntime("hermes");
-    await waitFor(() =>
-      expect(document.querySelector("[data-testid='hermes-provider-section']")).toBeTruthy()
-    );
-    const keyInput = document.getElementById("hermes-api-key-input") as HTMLInputElement;
+    const keyInput = document.getElementById("llm-secret-input") as HTMLInputElement;
    expect(keyInput).toBeTruthy();
    expect(keyInput.type).toBe("password");
  });

-  it("shows an error if hermes template is set but API key is empty on submit", async () => {
+  it("shows an error if the selected runtime provider requires a credential", async () => {
    await openDialog();
    fireEvent.change(screen.getByPlaceholderText("e.g. SEO Agent"), {
      target: { value: "Hermes Agent" },
    });
    await setRuntime("hermes");
-    await waitFor(() =>
-      expect(document.querySelector("[data-testid='hermes-provider-section']")).toBeTruthy()
-    );
+    fireEvent.change(document.querySelector("[data-testid='provider-select']") as HTMLSelectElement, {
+      target: { value: "openai|OPENAI_API_KEY" },
+    });

-    // Submit without API key
    const createBtn = screen.getAllByRole("button").find((b) => b.textContent === "Create");
    fireEvent.click(createBtn!);

    await waitFor(() => {
      const alert = screen.getByRole("alert");
-      expect(alert.textContent).toContain("API key");
+      expect(alert.textContent).toContain("Provider credential");
    });
    expect(mockPost).not.toHaveBeenCalled();
  });

-  it("includes secrets in POST body with correct env var for selected provider", async () => {
-    await openDialog();
-    fireEvent.change(screen.getByPlaceholderText("e.g. SEO Agent"), {
-      target: { value: "Hermes Agent" },
-    });
-    await setRuntime("hermes");
-    await waitFor(() =>
-      expect(document.querySelector("[data-testid='hermes-provider-section']")).toBeTruthy()
-    );
-
-    // Fill in the API key
-    const keyInput = document.getElementById("hermes-api-key-input") as HTMLInputElement;
-    fireEvent.change(keyInput, { target: { value: "sk-test-anthropic-key" } });
-
-    const createBtn = screen.getAllByRole("button").find((b) => b.textContent === "Create");
-    fireEvent.click(createBtn!);
-
-    await waitFor(() => expect(mockPost).toHaveBeenCalled());
-    const body = mockPost.mock.calls[0][1] as Record<string, unknown>;
-    expect(body.secrets).toEqual({ ANTHROPIC_API_KEY: "sk-test-anthropic-key" });
-    expect(body.runtime).toBe("hermes");
-    expect(body.template).toBeUndefined();
-  });
-
-  it("uses the correct env var when a non-default provider is selected", async () => {
+  it("includes runtime-derived provider/model/secrets in POST body", async () => {
    await openDialog();
    fireEvent.change(screen.getByPlaceholderText("e.g. SEO Agent"), {
      target: { value: "Hermes OpenAI" },
    });
    await setRuntime("hermes");
-    await waitFor(() =>
-      expect(document.querySelector("[data-testid='hermes-provider-section']")).toBeTruthy()
-    );
-
-    // Switch to openai
-    const providerSelect = document.getElementById("hermes-provider-select") as HTMLSelectElement;
-    fireEvent.change(providerSelect, { target: { value: "openai" } });
-
-    const keyInput = document.getElementById("hermes-api-key-input") as HTMLInputElement;
-    fireEvent.change(keyInput, { target: { value: "sk-openai-test" } });
+    fireEvent.change(document.querySelector("[data-testid='provider-select']") as HTMLSelectElement, {
+      target: { value: "openai|OPENAI_API_KEY" },
+    });
+    fireEvent.change(document.getElementById("llm-secret-input") as HTMLInputElement, {
+      target: { value: "sk-openai-test" },
+    });

    const createBtn = screen.getAllByRole("button").find((b) => b.textContent === "Create");
    fireEvent.click(createBtn!);

    await waitFor(() => expect(mockPost).toHaveBeenCalled());
    const body = mockPost.mock.calls[0][1] as Record<string, unknown>;
+    expect(body.runtime).toBe("hermes");
+    expect(body.template).toBeUndefined();
+    expect(body.model).toBe("openai/gpt-4o");
+    expect(body.llm_provider).toBe("openai");
    expect(body.secrets).toEqual({ OPENAI_API_KEY: "sk-openai-test" });
  });

-  it("does NOT include secrets field when template is not hermes", async () => {
+  it("does NOT include secrets field when provider is platform-managed", async () => {
    await openDialog();
    fireEvent.change(screen.getByPlaceholderText("e.g. SEO Agent"), {
      target: { value: "Normal Agent" },
@@ -530,20 +451,6 @@ describe("CreateWorkspaceDialog — Hermes provider picker", () => {
    const body = mockPost.mock.calls[0][1] as Record<string, unknown>;
    expect(body.secrets).toBeUndefined();
  });
-
-  it("hides hermes section and resets state when template is cleared", async () => {
-    await openDialog();
-    await setRuntime("hermes");
-    await waitFor(() =>
-      expect(document.querySelector("[data-testid='hermes-provider-section']")).toBeTruthy()
-    );
-
-    // Switch back to a non-Hermes runtime.
-    await setRuntime("claude-code");
-    await waitFor(() =>
-      expect(document.querySelector("[data-testid='hermes-provider-section']")).toBeNull()
-    );
-  });
 });

 // ---------------------------------------------------------------------------
@@ -131,7 +131,7 @@ export function OrgTokensTab() {
        <button
          onClick={handleCreate}
          disabled={creating}
-          className="px-3 py-1.5 bg-accent-strong/20 hover:bg-accent-strong/30 border border-accent/30 rounded-lg text-[11px] text-accent font-medium transition-colors disabled:opacity-50 disabled:cursor-not-allowed flex items-center gap-1.5"
+          className="px-3 py-1.5 bg-accent-strong/20 hover:bg-accent-strong/30 border border-accent/30 rounded-lg text-[11px] text-accent font-medium transition-colors disabled:opacity-50 disabled:cursor-not-allowed flex items-center gap-1.5 focus:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
        >
          {creating ? (
            <>
@@ -175,7 +175,7 @@ export function OrgTokensTab() {
      )}

      {error && (
-        <div className="px-3 py-2 bg-red-950/40 border border-red-800/50 rounded-lg text-[10px] text-bad">
+        <div role="alert" aria-live="assertive" className="px-3 py-2 bg-red-950/40 border border-red-800/50 rounded-lg text-[10px] text-bad">
          {error}
        </div>
      )}
@@ -152,7 +152,7 @@ export function SecretRow({ secret, workspaceId }: SecretRowProps) {
            className="secret-row__action-btn"
            title="Edit"
          >
-            ✏
+            <span aria-hidden="true">✏</span>
          </button>
          <button
            type="button"
@@ -161,7 +161,7 @@ export function SecretRow({ secret, workspaceId }: SecretRowProps) {
            className="secret-row__action-btn secret-row__action-btn--delete"
            title="Delete"
          >
-            🗑
+            <span aria-hidden="true">🗑</span>
          </button>
        </div>
      </div>
@@ -121,7 +121,7 @@ function WorkspaceTokensTab({ workspaceId }: TokensTabProps) {
        <button
          onClick={handleCreate}
          disabled={creating}
-          className="px-3 py-1.5 bg-accent-strong/20 hover:bg-accent-strong/30 border border-accent/30 rounded-lg text-[11px] text-accent font-medium transition-colors disabled:opacity-50 disabled:cursor-not-allowed flex items-center gap-1.5"
+          className="px-3 py-1.5 bg-accent-strong/20 hover:bg-accent-strong/30 border border-accent/30 rounded-lg text-[11px] text-accent font-medium transition-colors disabled:opacity-50 disabled:cursor-not-allowed flex items-center gap-1.5 focus:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
        >
          {creating ? <><Spinner size="sm" /> Creating...</> : '+ New Token'}
        </button>
@@ -155,7 +155,7 @@ function WorkspaceTokensTab({ workspaceId }: TokensTabProps) {
      )}

      {error && (
-        <div className="px-3 py-2 bg-red-950/40 border border-red-800/50 rounded-lg text-[10px] text-bad">
+        <div role="alert" aria-live="assertive" className="px-3 py-2 bg-red-950/40 border border-red-800/50 rounded-lg text-[10px] text-bad">
          {error}
        </div>
      )}
@@ -6,6 +6,7 @@ import { useCanvasStore } from "@/store/canvas";
 import { type ConfigData, DEFAULT_CONFIG, TextInput, NumberInput, Toggle, TagList, Section } from "./config/form-inputs";
 import { parseYaml, toYaml } from "./config/yaml-utils";
 import { SecretsSection } from "./config/secrets-section";
+import { LLMBillingSection } from "./config/llm-billing-section";
 import { ExternalConnectionSection } from "./ExternalConnectionSection";
 import {
  ProviderModelSelector,
@@ -1108,6 +1109,8 @@ export function ConfigTab({ workspaceId }: Props) {
            </div>
          </Section>

+          <LLMBillingSection workspaceId={workspaceId} />
+
          <SecretsSection
            workspaceId={workspaceId}
            requiredEnv={config.runtime_config?.required_env}
@@ -0,0 +1,176 @@
+// @vitest-environment jsdom
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+import {
+  render,
+  screen,
+  waitFor,
+  cleanup,
+  fireEvent,
+} from "@testing-library/react";
+import { LLMBillingSection } from "../llm-billing-section";
+
+// Tests for LLMBillingSection (internal#691). Locks in:
+//  - the section renders the resolved mode + source label
+//  - the dropdown maps "inherit" → PUT {mode: null}
+//  - the dropdown maps "byok" → PUT {mode: "byok"}
+//  - a garbled override surfaces the warning banner
+//  - the post-write resolution updates the UI without a refetch
+
+const apiGet = vi.fn();
+const apiPut = vi.fn();
+
+vi.mock("@/lib/api", () => ({
+  api: {
+    get: (...args: unknown[]) => apiGet(...args),
+    put: (...args: unknown[]) => apiPut(...args),
+    post: vi.fn().mockResolvedValue({}),
+    del: vi.fn().mockResolvedValue({}),
+    patch: vi.fn().mockResolvedValue({}),
+  },
+}));
+
+// Collapsed-by-default Section wrapper would hide the content; replace
+// it with a passthrough so the dropdown is reachable in the test DOM.
+vi.mock("../form-inputs", async () => {
+  const actual = await vi.importActual<typeof import("../form-inputs")>(
+    "../form-inputs",
+  );
+  return {
+    ...actual,
+    Section: ({ children }: { children: React.ReactNode }) => (
+      <div>{children}</div>
+    ),
+  };
+});
+
+beforeEach(() => {
+  vi.clearAllMocks();
+});
+
+afterEach(() => {
+  cleanup();
+});
+
+describe("LLMBillingSection — internal#691", () => {
+  it("renders the resolved mode + source for an inherited workspace", async () => {
+    apiGet.mockResolvedValueOnce({
+      workspace_id: "ws-1",
+      resolved_mode: "platform_managed",
+      workspace_override: null,
+      org_default: "platform_managed",
+      source: "org_default",
+    });
+
+    render(<LLMBillingSection workspaceId="ws-1" />);
+
+    await waitFor(() => {
+      expect(apiGet).toHaveBeenCalledWith(
+        "/admin/workspaces/ws-1/llm-billing-mode",
+      );
+    });
+    // Resolved mode appears.
+    expect(screen.getByText(/Resolved mode:/i).textContent).toMatch(/platform_managed/);
+    // Source label appears.
+    expect(
+      screen.getByText(/inherited from org default/i),
+    ).toBeTruthy();
+  });
+
+  it('PUTs {mode: "byok"} when user picks BYOK and reflects the new resolution', async () => {
+    apiGet.mockResolvedValueOnce({
+      workspace_id: "ws-2",
+      resolved_mode: "platform_managed",
+      workspace_override: null,
+      org_default: "platform_managed",
+      source: "org_default",
+    });
+    apiPut.mockResolvedValueOnce({
+      workspace_id: "ws-2",
+      resolved_mode: "byok",
+      workspace_override: "byok",
+      org_default: "platform_managed",
+      source: "workspace_override",
+    });
+
+    render(<LLMBillingSection workspaceId="ws-2" />);
+    await waitFor(() => expect(apiGet).toHaveBeenCalled());
+
+    const select = (await screen.findByLabelText(
+      /llm billing mode override/i,
+    )) as HTMLSelectElement;
+    fireEvent.change(select, { target: { value: "byok" } });
+
+    await waitFor(() => {
+      expect(apiPut).toHaveBeenCalledWith(
+        "/admin/workspaces/ws-2/llm-billing-mode",
+        { mode: "byok" },
+      );
+    });
+    // Post-write resolution propagated to UI.
+    await waitFor(() => {
+      expect(
+        screen.getByText(/explicit override on this workspace/i),
+      ).toBeTruthy();
+    });
+  });
+
+  it("PUTs {mode: null} when user picks Inherit (clears the override)", async () => {
+    apiGet.mockResolvedValueOnce({
+      workspace_id: "ws-3",
+      resolved_mode: "byok",
+      workspace_override: "byok",
+      org_default: "platform_managed",
+      source: "workspace_override",
+    });
+    apiPut.mockResolvedValueOnce({
+      workspace_id: "ws-3",
+      resolved_mode: "platform_managed",
+      workspace_override: null,
+      org_default: "platform_managed",
+      source: "org_default",
+    });
+
+    render(<LLMBillingSection workspaceId="ws-3" />);
+    await waitFor(() => expect(apiGet).toHaveBeenCalled());
+
+    const select = (await screen.findByLabelText(
+      /llm billing mode override/i,
+    )) as HTMLSelectElement;
+    fireEvent.change(select, { target: { value: "inherit" } });
+
+    await waitFor(() => {
+      expect(apiPut).toHaveBeenCalledWith(
+        "/admin/workspaces/ws-3/llm-billing-mode",
+        { mode: null },
+      );
+    });
+  });
+
+  it("surfaces a warning banner when the override value is garbled", async () => {
+    apiGet.mockResolvedValueOnce({
+      workspace_id: "ws-4",
+      resolved_mode: "platform_managed", // resolver fell through, default-closed
+      workspace_override: "byokk", // typo persisted somehow
+      org_default: "platform_managed",
+      source: "org_default",
+    });
+
+    render(<LLMBillingSection workspaceId="ws-4" />);
+
+    await waitFor(() => {
+      expect(
+        screen.getByText(/non-standard value/i),
+      ).toBeTruthy();
+    });
+  });
+
+  it("renders an error banner when the GET fails", async () => {
+    apiGet.mockRejectedValueOnce(new Error("network down"));
+
+    render(<LLMBillingSection workspaceId="ws-5" />);
+
+    await waitFor(() => {
+      expect(screen.getByText(/network down/i)).toBeTruthy();
+    });
+  });
+});
@@ -1,3 +1,4 @@
 export { type ConfigData, DEFAULT_CONFIG, TextInput, NumberInput, Toggle, TagList, Section } from "./form-inputs";
 export { parseYaml, toYaml } from "./yaml-utils";
 export { SecretsSection } from "./secrets-section";
+export { LLMBillingSection } from "./llm-billing-section";
@@ -0,0 +1,219 @@
+"use client";
+
+// llm-billing-section.tsx — Config-tab section for the per-workspace
+// llm_billing_mode override (internal#691).
+//
+// Surfaces:
+//   - The currently RESOLVED mode for this workspace (the mode the
+//     workspace-server's strip gate will use at next provision).
+//   - The org-level default (so the user sees what they're inheriting).
+//   - A dropdown to set / clear the workspace-level override.
+//   - A "source" line so operators can answer "is this inherited or
+//     explicit?" without DB archeology (RFC Observability hot-spot).
+//
+// Hits:
+//   GET /admin/workspaces/:id/llm-billing-mode   — read resolution
+//   PUT /admin/workspaces/:id/llm-billing-mode   — write {mode: "..."|null}
+//
+// Both routes are on the per-tenant workspace-server (same origin as the
+// other canvas /admin calls). CP's proxy at /cp/admin/workspaces/:id/
+// llm-billing-mode exists for ops use; the canvas uses the per-tenant
+// path directly to keep the round-trip cheap.
+
+import { useState, useEffect, useCallback } from "react";
+import { api } from "@/lib/api";
+import { Section } from "./form-inputs";
+
+// Mirrors workspace-server/internal/handlers/llm_billing_mode.go::BillingModeResolution.
+// Kept as a literal shape (not imported) because canvas has no Go-type bridge.
+export interface BillingModeResolution {
+  workspace_id: string;
+  resolved_mode: "platform_managed" | "byok" | "disabled";
+  // Pointer-typed on the Go side: nil = inherit, non-nil = the raw
+  // workspace-level override (even if garbled and falling through).
+  workspace_override: string | null;
+  org_default: "platform_managed" | "byok" | "disabled";
+  source: "workspace_override" | "org_default" | "constant_fallback";
+}
+
+// The dropdown emits one of these values. "inherit" is the UX-only label
+// that maps to a `null` body in the PUT request.
+type DropdownChoice = "inherit" | "platform_managed" | "byok" | "disabled";
+
+interface Props {
+  workspaceId: string;
+}
+
+const MODE_LABELS: Record<DropdownChoice, string> = {
+  inherit: "Inherit from org default",
+  platform_managed: "Platform-managed (uses Molecule credits)",
+  byok: "BYOK (your own OAuth / vendor keys)",
+  disabled: "Disabled (no LLM access)",
+};
+
+const MODE_DESCRIPTIONS: Record<DropdownChoice, string> = {
+  inherit:
+    "Use whichever mode is set at the organization level. Recommended unless this specific workspace needs a different billing source.",
+  platform_managed:
+    "Strip CLAUDE_CODE_OAUTH_TOKEN and vendor API keys from the workspace; route all LLM traffic through Molecule's proxy and bill your org credits.",
+  byok:
+    "Keep CLAUDE_CODE_OAUTH_TOKEN / vendor API keys in the workspace; LLM traffic goes directly to your provider and is billed to your OAuth subscription or API account.",
+  disabled:
+    "Block all LLM access for this workspace. Useful for sandbox workspaces that should not consume credits or hit external providers.",
+};
+
+const SOURCE_LABELS: Record<BillingModeResolution["source"], string> = {
+  workspace_override: "explicit override on this workspace",
+  org_default: "inherited from org default",
+  constant_fallback:
+    "fallback (workspace + org defaults missing or unrecognized — defaulted to platform_managed)",
+};
+
+export function LLMBillingSection({ workspaceId }: Props) {
+  const [resolution, setResolution] = useState<BillingModeResolution | null>(
+    null,
+  );
+  const [loading, setLoading] = useState(true);
+  const [saving, setSaving] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+  const [success, setSuccess] = useState(false);
+
+  const load = useCallback(async () => {
+    setLoading(true);
+    setError(null);
+    try {
+      const res = await api.get<BillingModeResolution>(
+        `/admin/workspaces/${workspaceId}/llm-billing-mode`,
+      );
+      setResolution(res);
+    } catch (e) {
+      setError(e instanceof Error ? e.message : "Failed to load billing mode");
+    } finally {
+      setLoading(false);
+    }
+  }, [workspaceId]);
+
+  useEffect(() => {
+    void load();
+  }, [load]);
+
+  // Current dropdown selection is derived from the resolution. If the
+  // override is null, we show "inherit"; otherwise we mirror the raw
+  // workspace_override (NOT resolved_mode — that would conflate "explicit
+  // platform_managed override" with "inherit while org happens to be
+  // platform_managed", which has different semantics on the write side).
+  const currentChoice: DropdownChoice = (() => {
+    if (!resolution) return "inherit";
+    if (resolution.workspace_override == null) return "inherit";
+    const raw = resolution.workspace_override;
+    if (raw === "platform_managed" || raw === "byok" || raw === "disabled") {
+      return raw;
+    }
+    // Garbled value persisted via some external write. Show inherit so
+    // the user can pick a clean value; on save they'll either clear it
+    // (PUT null) or overwrite it with a valid one.
+    return "inherit";
+  })();
+
+  const handleChange = async (choice: DropdownChoice) => {
+    if (!resolution) return;
+    setSaving(true);
+    setError(null);
+    setSuccess(false);
+    try {
+      // "inherit" → PUT {mode: null}; otherwise → PUT {mode: choice}.
+      const body = choice === "inherit" ? { mode: null } : { mode: choice };
+      const updated = await api.put<BillingModeResolution>(
+        `/admin/workspaces/${workspaceId}/llm-billing-mode`,
+        body,
+      );
+      setResolution(updated);
+      setSuccess(true);
+      setTimeout(() => setSuccess(false), 2000);
+    } catch (e) {
+      setError(e instanceof Error ? e.message : "Failed to update billing mode");
+    } finally {
+      setSaving(false);
+    }
+  };
+
+  return (
+    <Section title="LLM Billing" defaultOpen={false}>
+      {loading && (
+        <div className="text-[10px] text-ink-mid">Loading billing mode…</div>
+      )}
+
+      {error && (
+        <div
+          role="alert"
+          aria-live="assertive"
+          className="px-2 py-1 bg-red-900/30 border border-red-800 rounded text-[10px] text-bad mb-2"
+        >
+          {error}
+        </div>
+      )}
+
+      {resolution && (
+        <div className="space-y-2">
+          <div className="text-[10px] text-ink-mid">
+            Resolved mode: <strong className="text-ink">{resolution.resolved_mode}</strong>{" "}
+            <span className="text-ink-mid">
+              ({SOURCE_LABELS[resolution.source]})
+            </span>
+          </div>
+          <div className="text-[10px] text-ink-mid">
+            Org default: <span className="text-ink">{resolution.org_default}</span>
+          </div>
+
+          <label
+            className="block text-[10px] text-ink-mid"
+            htmlFor={`llm-billing-mode-${workspaceId}`}
+          >
+            Override
+          </label>
+          <select
+            id={`llm-billing-mode-${workspaceId}`}
+            aria-label="LLM billing mode override"
+            value={currentChoice}
+            disabled={saving}
+            onChange={(e) => void handleChange(e.target.value as DropdownChoice)}
+            className="w-full bg-surface-card border border-line rounded p-1 text-[10px] text-ink focus:outline-none focus:border-accent disabled:opacity-50"
+          >
+            {(Object.keys(MODE_LABELS) as DropdownChoice[]).map((m) => (
+              <option key={m} value={m}>
+                {MODE_LABELS[m]}
+              </option>
+            ))}
+          </select>
+
+          <div
+            className="text-[10px] text-ink-mid leading-snug"
+            aria-live="polite"
+          >
+            {MODE_DESCRIPTIONS[currentChoice]}
+          </div>
+
+          {success && (
+            <div className="mt-1 px-2 py-1 bg-green-900/30 border border-green-800 rounded text-[10px] text-good">
+              Updated. Restart the workspace to apply.
+            </div>
+          )}
+
+          {resolution.workspace_override != null &&
+            !["platform_managed", "byok", "disabled"].includes(
+              resolution.workspace_override,
+            ) && (
+              <div
+                role="alert"
+                className="mt-1 px-2 py-1 bg-yellow-900/30 border border-yellow-800 rounded text-[10px] text-warning"
+              >
+                Workspace override has a non-standard value (
+                <code>{resolution.workspace_override}</code>) and is being
+                ignored. Pick a valid mode above to clear the corrupt value.
+              </div>
+            )}
+        </div>
+      )}
+    </Section>
+  );
+}
@@ -658,6 +658,11 @@
  outline-offset: var(--focus-ring-offset);
 }

+.delete-dialog__cancel-btn:focus-visible {
+  outline: var(--focus-ring);
+  outline-offset: var(--focus-ring-offset);
+}
+
 .delete-dialog__confirm-btn {
  background: var(--status-invalid);
  color: #ffffff;
@@ -671,6 +676,11 @@
  outline-offset: var(--focus-ring-offset);
 }

+.delete-dialog__confirm-btn:focus-visible {
+  outline: var(--focus-ring);
+  outline-offset: var(--focus-ring-offset);
+}
+
 .delete-dialog__confirm-btn:disabled { opacity: 0.4; cursor: not-allowed; }

 /* ── Unsaved changes guard ─────────────────────────── */
@@ -0,0 +1,124 @@
+# Engineer-Agent Gitea Token Scope Runbook
+
+## Symptom
+
+Engineer-class agents (e.g. `agent-dev-a`, `agent-dev-b`) fail swarm-pull issue discovery or receive HTTP 403 when calling Gitea issue-list APIs, while PR review and repository API operations continue to work.
+
+Typical failing call:
+```bash
+GET /api/v1/repos/molecule-ai/molecule-core/issues?state=open&labels=approved&limit=50
+# => 403 Forbidden
+```
+
+Typical working calls (same token):
+```bash
+GET /api/v1/repos/molecule-ai/molecule-core/pulls?state=open&limit=50
+POST /api/v1/repos/molecule-ai/molecule-core/pulls/1666/comments
+# => 200 OK
+```
+
+## Root Cause
+
+Gitea v1.22.6 routes issue-list under the `Issue` scope category (`routers/api/v1/api.go:1379-1491`), while PR routes live under repository/pull routing (`api.go:1278-1305`). The scope gate derives required read/write level from HTTP method (`api.go:309-313`), so `GET /issues?...` requires `read:issue`.
+
+Engineer-class agent PATs were provisioned with repository and PR scopes but without `read:issue`, causing the asymmetric 403.
+
+## Detection
+
+1. **Agent-side**: swarm-pull workflow logs show `403 Forbidden` on issue enumeration but not on PR list/review.
+2. **Platform-side**: Gitea access logs show `GET /repos/{owner}/{repo}/issues` returning 403 for the affected token.
+3. **Reproduction** (from any workspace with a suspected token):
+   ```bash
+   TOKEN=$(cat /configs/secrets.d/GITEA_TOKEN)
+   PLATFORM="https://git.moleculesai.app"
+
+   # Should succeed — confirms token is live
+   curl -s -o /dev/null -w "%{http_code}" \
+     -H "Authorization: token $TOKEN" \
+     "$PLATFORM/api/v1/user"
+
+   # Will 403 if the token lacks read:issue
+   curl -s -o /dev/null -w "%{http_code}" \
+     -H "Authorization: token $TOKEN" \
+     "$PLATFORM/api/v1/repos/molecule-ai/molecule-core/issues?state=open&limit=1"
+   ```
+
+## Immediate Fix
+
+### Step 1: Issue fresh PATs with correct scopes
+
+From a Gitea site-admin account (or via the Gitea web UI → Settings → Applications):
+
+1. Navigate to the affected user's profile (e.g. `agent-dev-a`).
+2. Go to **Settings → Applications → Generate New Token**.
+3. Select scopes:
+   - `read:repository` (existing)
+   - `write:repository` (existing, if push is required)
+   - `read:issue` (**add this**)
+   - `write:issue` (add only if agents must comment/edit issues)
+   - `read:pull-request` / `write:pull-request` (existing)
+   - `read:comment` / `write:comment` (existing, if PR review is required)
+4. Copy the plaintext token immediately — it is shown only once.
+
+### Step 2: Update workspace secrets
+
+For each affected engineer workspace, update the Gitea token secret:
+
+```bash
+# Via the platform API (admin auth required)
+PLATFORM="https://agents-team.moleculesai.app"
+ADMIN_TOKEN="<your-admin-token>"
+WORKSPACE_ID="<affected-workspace-id>"
+NEW_GITEA_TOKEN="<fresh-token-from-step-1>"
+
+curl -X POST "$PLATFORM/workspaces/$WORKSPACE_ID/secrets" \
+  -H "Authorization: Bearer $ADMIN_TOKEN" \
+  -H "Content-Type: application/json" \
+  -d "{
+    \"GITEA_TOKEN\": \"$NEW_GITEA_TOKEN\"
+  }"
+```
+
+Restart the workspace so the runtime re-reads secrets:
+```bash
+curl -X POST "$PLATFORM/workspaces/$WORKSPACE_ID/restart" \
+  -H "Authorization: Bearer $ADMIN_TOKEN"
+```
+
+### Step 3: Smoke-test
+
+From the restarted workspace, verify all three paths:
+
+```bash
+# 1. Issue list (the previously failing path)
+curl -s -H "Authorization: token $GITEA_TOKEN" \
+  "https://git.moleculesai.app/api/v1/repos/molecule-ai/molecule-core/issues?state=open&labels=approved&limit=1" | jq '.[0].number'
+
+# 2. PR list (should still work)
+curl -s -H "Authorization: token $GITEA_TOKEN" \
+  "https://git.moleculesai.app/api/v1/repos/molecule-ai/molecule-core/pulls?state=open&limit=1" | jq '.[0].number'
+
+# 3. Swarm-pull discovery (end-to-end)
+# Trigger the agent's autonomous tick or delegate a task that enumerates open issues.
+```
+
+## Long-Term Fix
+
+Update the **workspace secret injection path** that writes `/configs/secrets.d/GITEA_TOKEN` for engineer-class agents. The provisioning template or secret-distribution job should request `read:issue` (and optionally `write:issue`) at token-creation time.
+
+File locations to audit:
+- `.gitea/scripts/` — any token-provisioning automation
+- `infra/terraform/` or equivalent — IAM/secret-manager templates
+- `workspace-configs-templates/` — engineer-class workspace templates that declare required secrets
+
+## Prevention
+
+1. **Token scope checklist**: when provisioning new engineer-class agent tokens, verify the scope set includes `read:issue` before distributing the secret.
+2. **Monitoring**: add an agent health-check that probes `GET /repos/molecule-ai/molecule-core/issues?limit=1` and surfaces a non-fatal warning if it returns 403.
+3. **Documentation**: update the onboarding runbook for new engineer agents to include the full required scope list.
+
+## References
+
+- Gitea issue #1750: [RCA: engineer-token read:issue scope gap blocks swarm-pull workflow](https://git.moleculesai.app/molecule-ai/molecule-core/issues/1750)
+- Gitea source: `routers/api/v1/api.go:309-313` (scope gate), `api.go:1278-1305` (PR routing), `api.go:1379-1491` (issue routing)
+- Related: PR #1542 (provisioner git-creds injection), PR #1669 (auth_token inline mint)
@@ -91,6 +91,10 @@ def _gitea_get(path: str, params: dict[str, str] | None = None) -> bytes | None:
        req.add_header("Authorization", f"token {token}")
    req.add_header("Accept", "application/json")
    try:
+        # S310 (信任boundary): this function IS the outbound HTTP client for
+        # Gitea API calls. The call is intentional and controlled — we build
+        # the request ourselves and handle errors explicitly. Timeout=20s
+        # prevents indefinite hangs.
        with urllib.request.urlopen(req, timeout=20) as resp:  # noqa: S310
            return resp.read()
    except urllib.error.HTTPError as e:
@@ -606,7 +606,7 @@ def test_head_drift_closes_stale_issue_for_prior_sha(wd_module, monkeypatch):
                {"context": "ci/test", "status": "success"},
            ])),
        ],
-        (f"GET", f"/repos/owner/repo/commits/{SHA_NEW}/status"): [
+        ("GET", f"/repos/owner/repo/commits/{SHA_NEW}/status"): [
            (200, _combined_status("success", [
                {"context": "ci/test", "status": "success"},
            ])),
@@ -6,10 +6,11 @@ Emits structured verdict + human-readable summary. Designed to run as:
  1. CLI:  python gate_check.py --repo org/repo --pr N
  2. Gitea Actions step: runs this script, captures stdout JSON

-Signals (MVP — signals 1,2,3,6):
+Signals (MVP — signals 1,2,3,4,6):
  1. Author-aware agent-tag comment scan
  2. REQUEST_CHANGES reviews state machine
  3. Staleness detection (review.commit_id != PR.head_sha)
+  4. Branch divergence / scope-creep guard (base-sha vs target HEAD)
  6. CI required-checks awareness

 Exit codes:
@@ -177,7 +178,7 @@ def signal_1_comment_scan(pr_number: int, repo: str) -> dict:
    try:
        reviews = api_list(f"/repos/{owner}/{name}/pulls/{pr_number}/reviews")
        for r in reviews:
-            login = r.get("user", {}).get("login", "")
+            login = (r.get("user") or {}).get("login", "")
            canonical = LOGIN_ALIASES.get(login, login)
            if canonical in login_to_group and r.get("state") == "APPROVED":
                comments.append(
@@ -198,7 +199,7 @@ def signal_1_comment_scan(pr_number: int, repo: str) -> dict:
        matches = []
        for c in comments:
            body = c.get("body", "") or ""
-            user_login = c.get("user", {}).get("login", "")
+            user_login = (c.get("user") or {}).get("login", "")
            # Resolve LOGIN_ALIASES so alternate logins satisfy the canonical gate
            user_login = LOGIN_ALIASES.get(user_login, user_login)
            if user_login != login:
@@ -264,11 +265,18 @@ def signal_2_reviews(pr_number: int, repo: str) -> dict:

    blocking = []
    for r in reviews:
-        if r.get("state") == "REQUEST_CHANGES" and not r.get("dismissed", False):
+        if (
+            r.get("state") == "REQUEST_CHANGES"
+            and not r.get("dismissed", False)
+            and r.get("official") is not False
+        ):
+            login = (r.get("user") or {}).get("login", "")
+            if not login:
+                continue
            blocking.append(
                {
                    "review_id": r["id"],
-                    "user": r["user"]["login"],
+                    "user": login,
                    "commit_id": r.get("commit_id", ""),
                    "created_at": r.get("submitted_at") or r.get("created_at", ""),
                }
@@ -328,6 +336,132 @@ def signal_3_staleness(pr_number: int, repo: str) -> dict:
    }


+# ── Signal 4: Branch divergence / scope-creep guard ─────────────────────────
+# Detects stale PR branches where the base SHA has drifted behind target HEAD.
+# Distinguishes files that are "inherited" from base divergence (already on
+# target via prior commits) from genuinely new PR work. Prevents misattribution
+# of scope creep when branches are stale (molecule-core#365).
+
+
+def _commits_and_files_behind(
+    owner: str, name: str, base_sha: str, target_branch: str
+) -> tuple[int | None, set[str]]:
+    """Paginate target-branch commits from HEAD back to base_sha.
+    Return (commits_behind_count, set of filenames changed in those commits).
+    Safety-capped at 20 pages (~1000 commits) to avoid runaway pagination.
+    """
+    commits_behind = 0
+    target_files: set[str] = set()
+    page = 1
+    max_pages = 20
+    per_page = 50
+
+    while page <= max_pages:
+        try:
+            commits = api_get(
+                f"/repos/{owner}/{name}/commits?sha={target_branch}&page={page}&limit={per_page}"
+            )
+        except GiteaError:
+            return (None, target_files)
+
+        if not isinstance(commits, list):
+            return (None, target_files)
+
+        for c in commits:
+            if c.get("sha") == base_sha:
+                return (commits_behind, target_files)
+            commits_behind += 1
+            for f in c.get("files", []):
+                fname = f.get("filename") or f.get("name", "")
+                if fname:
+                    target_files.add(fname)
+
+        if len(commits) < per_page:
+            break
+        page += 1
+
+    return (commits_behind if commits_behind > 0 else None, target_files)
+
+
+def signal_4_branch_divergence(
+    pr_number: int, repo: str, pr_data: dict | None = None
+) -> dict:
+    """
+    Compare PR.base.sha to current target-branch HEAD.
+    If diverged, show "inherited from base divergence" vs "actual new work"
+    file fractions using the commits API.
+    Returns: {signal, verdict, diverged, commits_behind, inherited_fraction, ...}
+    """
+    owner, name = repo.split("/", 1)
+
+    if pr_data is None:
+        pr_data = api_get(f"/repos/{owner}/{name}/pulls/{pr_number}")
+
+    base_sha = pr_data["base"]["sha"]
+    target_branch = pr_data["base"]["ref"]
+
+    try:
+        branch_info = api_get(f"/repos/{owner}/{name}/branches/{target_branch}")
+        target_head = branch_info["commit"]["id"]
+    except GiteaError as e:
+        return {"signal": "branch_divergence", "verdict": "N/A", "error": str(e)}
+
+    if base_sha == target_head:
+        return {
+            "signal": "branch_divergence",
+            "verdict": "CLEAR",
+            "diverged": False,
+            "commits_behind": 0,
+            "pr_files_count": 0,
+            "inherited_files": [],
+            "new_work_files": [],
+            "inherited_fraction": 0.0,
+        }
+
+    # Branch is diverged — count commits behind and collect files changed on
+    # target since the PR's base snapshot.
+    commits_behind, target_files = _commits_and_files_behind(
+        owner, name, base_sha, target_branch
+    )
+
+    # Get PR files
+    try:
+        pr_files_data = api_list(f"/repos/{owner}/{name}/pulls/{pr_number}/files")
+        pr_files = {
+            f.get("filename") or f.get("name", "") for f in pr_files_data
+        }
+        pr_files.discard("")
+    except GiteaError:
+        pr_files = set()
+
+    inherited_files = sorted(pr_files & target_files)
+    new_work_files = sorted(pr_files - target_files)
+    total = len(pr_files)
+    inherited_fraction = len(inherited_files) / total if total else 0.0
+
+    # Verdict: WARNING if significant divergence.
+    # Thresholds: >50 % inherited files, or >5 commits behind with any inherited files.
+    if inherited_fraction > 0.5 or (
+        commits_behind and commits_behind > 5 and inherited_files
+    ):
+        verdict = "WARNING"
+    else:
+        verdict = "CLEAR"
+
+    return {
+        "signal": "branch_divergence",
+        "verdict": verdict,
+        "diverged": True,
+        "base_sha": base_sha,
+        "target_head": target_head,
+        "commits_behind": commits_behind,
+        "pr_files_count": total,
+        "inherited_files": inherited_files,
+        "new_work_files": new_work_files,
+        "inherited_fraction": round(inherited_fraction, 2),
+    }
+
+
 # ── Signal 6: CI required-checks awareness ───────────────────────────────────

 def signal_6_ci(pr_number: int, repo: str, branch: str | None = None, pr_data: dict | None = None) -> dict:
@@ -408,7 +542,7 @@ def signal_6_ci(pr_number: int, repo: str, branch: str | None = None, pr_data: d

 # ── Gate evaluation ───────────────────────────────────────────────────────────

-VERDICT_ORDER = {"ERROR": 0, "CI_FAIL": 1, "BLOCKED": 2, "STALE-RC": 3, "CI_PENDING": 4, "N/A": 5, "CLEAR": 6}
+VERDICT_ORDER = {"ERROR": 0, "CI_FAIL": 1, "BLOCKED": 2, "STALE-RC": 3, "CI_PENDING": 4, "N/A": 5, "WARNING": 6, "CLEAR": 7}


 def compute_verdict(gates: list[dict]) -> tuple[str, list[dict]]:
@@ -439,6 +573,7 @@ def format_comment(repo: str, pr_number: int, verdict: str, gates: list[dict], b
        "agent_tag_comments": "Agent-tag gates",
        "request_changes_reviews": "REQUEST_CHANGES reviews",
        "stale_reviews": "Staleness check",
+        "branch_divergence": "Branch divergence / scope-creep guard",
        "ci_checks": "CI required checks",
    }

@@ -474,6 +609,25 @@ def format_comment(repo: str, pr_number: int, verdict: str, gates: list[dict], b
                    lines.append(
                        f"  - @{r['user']} stale (commit={r.get('review_commit','?')[:7]}, age={r.get('age_hours','?')}h)"
                    )
+            elif sig == "branch_divergence":
+                if b.get("diverged"):
+                    lines.append(
+                        f"  - Branch is {b.get('commits_behind', '?')} commits behind target "
+                        f"({b.get('target_head', '?')[:7]})"
+                    )
+                    frac = b.get("inherited_fraction", 0)
+                    lines.append(
+                        f"  - {frac * 100:.0f}% of PR files inherited from base divergence "
+                        f"({len(b.get('inherited_files', []))}/{b.get('pr_files_count', 0)} files)"
+                    )
+                    for f in b.get("inherited_files", [])[:5]:
+                        lines.append(f"    - inherited: `{f}`")
+                    if len(b.get("inherited_files", [])) > 5:
+                        lines.append(
+                            f"    - ... and {len(b.get('inherited_files', [])) - 5} more"
+                        )
+                else:
+                    lines.append("  - Branch is up to date with target")
            elif sig == "agent_tag_comments":
                for agent, res in b.get("results", {}).items():
                    v = res.get("verdict", "MISSING")
@@ -516,6 +670,7 @@ def run(repo: str, pr_number: int, post_comment: bool = False) -> dict:
            signal_1_comment_scan(pr_number, repo),
            signal_2_reviews(pr_number, repo),
            signal_3_staleness(pr_number, repo),
+            signal_4_branch_divergence(pr_number, repo, pr_data=pr),
            signal_6_ci(pr_number, repo, branch=base_ref, pr_data=pr),
        ]
        verdict, blockers = compute_verdict(gates)
@@ -74,3 +74,247 @@ def test_signal_1_infra_sre_login_alias_resolved_to_core_devops(monkeypatch):
    engineers = result["results"]["core-devops"]
    assert engineers["verdict"] == "APPROVED"
    assert engineers["group"] == "engineers"
+
+
+def test_signal_1_null_user_in_review_does_not_crash(monkeypatch):
+    """Regression: Gitea may return reviews with user=null (deleted/bot edge case).
+    signal_1_comment_scan must survive this without AttributeError."""
+    mod = load_gate_check()
+
+    def fake_api_get(path):
+        if path == "/repos/molecule-ai/molecule-core/pulls/901":
+            return {
+                "number": 901,
+                "labels": [{"name": "tier:low"}],
+            }
+        raise AssertionError(f"unexpected api_get: {path}")
+
+    def fake_api_list(path):
+        if path == "/repos/molecule-ai/molecule-core/issues/901/comments":
+            return []
+        if path == "/repos/molecule-ai/molecule-core/pulls/901/comments":
+            return []
+        if path == "/repos/molecule-ai/molecule-core/pulls/901/reviews":
+            return [
+                {
+                    "id": 1,
+                    "user": None,  # <-- the regression trigger
+                    "state": "APPROVED",
+                    "submitted_at": "2026-05-13T10:00:00Z",
+                },
+                {
+                    "id": 2,
+                    "user": {"login": "core-devops"},
+                    "state": "APPROVED",
+                    "submitted_at": "2026-05-13T10:01:00Z",
+                },
+            ]
+        raise AssertionError(f"unexpected api_list: {path}")
+
+    monkeypatch.setattr(mod, "api_get", fake_api_get)
+    monkeypatch.setattr(mod, "api_list", fake_api_list)
+
+    result = mod.signal_1_comment_scan(901, "molecule-ai/molecule-core")
+
+    # Should not crash; the valid review from core-devops still satisfies engineers gate
+    assert result["verdict"] == "CLEAR"
+    assert result["results"]["core-devops"]["verdict"] == "APPROVED"
+
+
+# ── Signal 2: Draft REQUEST_CHANGES guard ───────────────────────────────────
+
+
+def test_signal_2_draft_request_changes_does_not_block(monkeypatch):
+    """official=False REQUEST_CHANGES is a draft/pending review and must NOT
+    block the gate (matching review-check.sh post-#1818 official-filter)."""
+    mod = load_gate_check()
+
+    def fake_api_list(path):
+        if path == "/repos/molecule-ai/molecule-core/pulls/902/reviews":
+            return [
+                {
+                    "id": 1,
+                    "user": {"login": "agent-reviewer"},
+                    "state": "REQUEST_CHANGES",
+                    "official": False,
+                    "dismissed": False,
+                    "submitted_at": "2026-05-13T10:00:00Z",
+                }
+            ]
+        raise AssertionError(f"unexpected api_list: {path}")
+
+    monkeypatch.setattr(mod, "api_list", fake_api_list)
+
+    result = mod.signal_2_reviews(902, "molecule-ai/molecule-core")
+    assert result["verdict"] == "CLEAR"
+    assert result["blocking_reviews"] == []
+
+
+def test_signal_2_null_user_in_request_changes_does_not_crash(monkeypatch):
+    """Regression: Gitea may return user=null on a REQUEST_CHANGES review.
+    signal_2_reviews must survive this without AttributeError."""
+    mod = load_gate_check()
+
+    def fake_api_list(path):
+        if path == "/repos/molecule-ai/molecule-core/pulls/903/reviews":
+            return [
+                {
+                    "id": 1,
+                    "user": None,
+                    "state": "REQUEST_CHANGES",
+                    "official": True,
+                    "dismissed": False,
+                    "submitted_at": "2026-05-13T10:00:00Z",
+                }
+            ]
+        raise AssertionError(f"unexpected api_list: {path}")
+
+    monkeypatch.setattr(mod, "api_list", fake_api_list)
+
+    result = mod.signal_2_reviews(903, "molecule-ai/molecule-core")
+    assert result["verdict"] == "CLEAR"
+    assert result["blocking_reviews"] == []
+
+
+# ── Signal 4: Branch divergence / scope-creep guard ─────────────────────────
+
+
+def test_signal_4_no_divergence_returns_clear(monkeypatch):
+    """When PR.base.sha equals target branch HEAD, divergence is zero."""
+    mod = load_gate_check()
+
+    shared_sha = "abc123"
+
+    def fake_api_get(path):
+        if path == "/repos/molecule-ai/molecule-core/pulls/100":
+            return {
+                "base": {"sha": shared_sha, "ref": "main"},
+                "head": {"sha": "def456"},
+            }
+        if path == "/repos/molecule-ai/molecule-core/branches/main":
+            return {"commit": {"id": shared_sha}}
+        raise AssertionError(f"unexpected api_get: {path}")
+
+    monkeypatch.setattr(mod, "api_get", fake_api_get)
+
+    result = mod.signal_4_branch_divergence(100, "molecule-ai/molecule-core")
+
+    assert result["verdict"] == "CLEAR"
+    assert result["diverged"] is False
+    assert result["commits_behind"] == 0
+    assert result["inherited_fraction"] == 0.0
+
+
+def test_signal_4_divergence_with_inherited_files_warning(monkeypatch):
+    """Stale branch with overlapping files triggers WARNING and correct fractions."""
+    mod = load_gate_check()
+
+    base_sha = "base000"
+    target_head = "head111"
+
+    def fake_api_get(path):
+        if path == "/repos/molecule-ai/molecule-core/pulls/101":
+            return {
+                "base": {"sha": base_sha, "ref": "main"},
+                "head": {"sha": "pr222"},
+            }
+        if path == "/repos/molecule-ai/molecule-core/branches/main":
+            return {"commit": {"id": target_head}}
+        if path == "/repos/molecule-ai/molecule-core/commits?sha=main&page=1&limit=50":
+            return [
+                {
+                    "sha": target_head,
+                    "files": [
+                        {"filename": "ci.yml"},
+                        {"filename": "README.md"},
+                    ],
+                },
+                {"sha": base_sha, "files": []},
+            ]
+        raise AssertionError(f"unexpected api_get: {path}")
+
+    def fake_api_list(path):
+        if path == "/repos/molecule-ai/molecule-core/pulls/101/files":
+            return [
+                {"filename": "ci.yml"},
+                {"filename": "README.md"},
+                {"filename": "new_feature.go"},
+            ]
+        raise AssertionError(f"unexpected api_list: {path}")
+
+    monkeypatch.setattr(mod, "api_get", fake_api_get)
+    monkeypatch.setattr(mod, "api_list", fake_api_list)
+
+    result = mod.signal_4_branch_divergence(101, "molecule-ai/molecule-core")
+
+    assert result["verdict"] == "WARNING"
+    assert result["diverged"] is True
+    assert result["commits_behind"] == 1
+    assert result["pr_files_count"] == 3
+    assert result["inherited_files"] == ["README.md", "ci.yml"]
+    assert result["new_work_files"] == ["new_feature.go"]
+    assert result["inherited_fraction"] == round(2 / 3, 2)
+
+
+def test_signal_4_divergence_no_inherited_files_clear(monkeypatch):
+    """Stale branch but zero file overlap → still CLEAR (no scope-creep risk)."""
+    mod = load_gate_check()
+
+    base_sha = "base000"
+    target_head = "head111"
+
+    def fake_api_get(path):
+        if path == "/repos/molecule-ai/molecule-core/pulls/102":
+            return {
+                "base": {"sha": base_sha, "ref": "main"},
+                "head": {"sha": "pr222"},
+            }
+        if path == "/repos/molecule-ai/molecule-core/branches/main":
+            return {"commit": {"id": target_head}}
+        if path == "/repos/molecule-ai/molecule-core/commits?sha=main&page=1&limit=50":
+            return [
+                {
+                    "sha": target_head,
+                    "files": [{"filename": "other.go"}],
+                },
+                {"sha": base_sha, "files": []},
+            ]
+        raise AssertionError(f"unexpected api_get: {path}")
+
+    def fake_api_list(path):
+        if path == "/repos/molecule-ai/molecule-core/pulls/102/files":
+            return [{"filename": "new_feature.go"}]
+        raise AssertionError(f"unexpected api_list: {path}")
+
+    monkeypatch.setattr(mod, "api_get", fake_api_get)
+    monkeypatch.setattr(mod, "api_list", fake_api_list)
+
+    result = mod.signal_4_branch_divergence(102, "molecule-ai/molecule-core")
+
+    assert result["verdict"] == "CLEAR"
+    assert result["diverged"] is True
+    assert result["inherited_files"] == []
+    assert result["new_work_files"] == ["new_feature.go"]
+    assert result["inherited_fraction"] == 0.0
+
+
+def test_signal_4_branch_api_error_returns_na(monkeypatch):
+    """If the branch endpoint 404s, signal degrades to N/A rather than crashing."""
+    mod = load_gate_check()
+
+    def fake_api_get(path):
+        if path == "/repos/molecule-ai/molecule-core/pulls/103":
+            return {
+                "base": {"sha": "base000", "ref": "main"},
+                "head": {"sha": "pr222"},
+            }
+        if path == "/repos/molecule-ai/molecule-core/branches/main":
+            raise mod.GiteaError("GET .../branches/main → 404: not found")
+        raise AssertionError(f"unexpected api_get: {path}")
+
+    monkeypatch.setattr(mod, "api_get", fake_api_get)
+
+    result = mod.signal_4_branch_divergence(103, "molecule-ai/molecule-core")
+
+    assert result["verdict"] == "N/A"
+    assert "error" in result
@@ -149,8 +149,13 @@ func main() {
 				result, err := db.DB.ExecContext(ctx, `DELETE FROM activity_logs WHERE created_at < now() - ($1 || ' days')::interval`, retentionDays)
 				if err != nil {
 					log.Printf("Activity log cleanup error: %v", err)
-				} else if n, _ := result.RowsAffected(); n > 0 {
-					log.Printf("Activity log cleanup: purged %d old entries", n)
+				} else {
+					n, err := result.RowsAffected()
+					if err != nil {
+						log.Printf("Activity log cleanup RowsAffected error: %v", err)
+					} else if n > 0 {
+						log.Printf("Activity log cleanup: purged %d old entries", n)
+					}
 				}
 			}
 		}
@@ -3,6 +3,7 @@ package bundle
 import (
 	"context"
 	"fmt"
+	"log"
 	"strings"

 	"git.moleculesai.app/molecule-ai/molecule-core/workspace-server/internal/db"
@@ -72,7 +73,9 @@ func Import(
 		}
 	}
 	// Store runtime in DB
-	_, _ = db.DB.ExecContext(ctx, `UPDATE workspaces SET runtime = $1 WHERE id = $2`, bundleRuntime, wsID)
+	if _, err := db.DB.ExecContext(ctx, `UPDATE workspaces SET runtime = $1 WHERE id = $2`, bundleRuntime, wsID); err != nil {
+		log.Printf("bundle import: failed to store runtime for workspace %s: %v", wsID, err)
+	}

 	// Provision the container if provisioner is available
 	if prov != nil {
@@ -92,7 +95,9 @@ func Import(
 			if err != nil {
 				markFailed(provCtx, wsID, broadcaster, err)
 			} else if url != "" {
-				db.DB.ExecContext(provCtx, `UPDATE workspaces SET url = $1 WHERE id = $2`, url, wsID)
+				if _, err := db.DB.ExecContext(provCtx, `UPDATE workspaces SET url = $1 WHERE id = $2`, url, wsID); err != nil {
+					log.Printf("bundle import: failed to store URL for workspace %s: %v", wsID, err)
+				}
 			}
 		}()
 	}
@@ -139,9 +144,11 @@ func markFailed(ctx context.Context, wsID string, broadcaster *events.Broadcaste
 	// markProvisionFailed in workspace-server/internal/handlers/
 	// workspace_provision_shared.go.
 	msg := err.Error()
-	db.DB.ExecContext(ctx,
+	if _, dbErr := db.DB.ExecContext(ctx,
 		`UPDATE workspaces SET status = $1, last_sample_error = $2, updated_at = now() WHERE id = $3`,
-		models.StatusFailed, msg, wsID)
+		models.StatusFailed, msg, wsID); dbErr != nil {
+		log.Printf("bundle import: failed to mark workspace %s as failed: %v", wsID, dbErr)
+	}
 	broadcaster.RecordAndBroadcast(ctx, string(events.EventWorkspaceProvisionFailed), wsID, map[string]interface{}{
 		"error": msg,
 	})
@@ -18,6 +18,11 @@ const (
 	discordHTTPTimeout   = 10 * time.Second
 )

+// httpClient abstracts http.Client for test injection.
+type httpClient interface {
+	Do(req *http.Request) (*http.Response, error)
+}
+
 // DiscordAdapter implements ChannelAdapter for Discord.
 //
 // Outbound messages are sent via Discord Incoming Webhooks. The webhook URL
@@ -33,7 +38,11 @@ const (
 //
 // StartPolling returns nil immediately — Discord does not support long-polling;
 // use the Interactions webhook route instead.
-type DiscordAdapter struct{}
+type DiscordAdapter struct {
+	// client allows dependency injection for testing. If nil, the default
+	// http.Client is used at call time (safe for production use).
+	client httpClient
+}

 func (d *DiscordAdapter) Type() string        { return "discord" }
 func (d *DiscordAdapter) DisplayName() string { return "Discord" }
@@ -95,7 +104,10 @@ func (d *DiscordAdapter) SendMessage(ctx context.Context, config map[string]inte
 	// Split long messages into chunks at word boundaries where possible.
 	chunks := splitMessage(text, maxLen)

-	client := &http.Client{Timeout: discordHTTPTimeout}
+	client := d.client
+	if client == nil {
+		client = &http.Client{Timeout: discordHTTPTimeout}
+	}
 	for _, chunk := range chunks {
 		payload, err := json.Marshal(map[string]string{"content": chunk})
 		if err != nil {
@@ -3,6 +3,7 @@ package channels
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"strings"
@@ -13,6 +14,17 @@ import (

 // ==================== DiscordAdapter unit tests ====================

+// fatalClient is a deterministic httpClient stub that always returns a
+// fixed error. Used to test that error messages from SendMessage do not
+// contain the Discord webhook token.
+type fatalClient struct {
+	err error
+}
+
+func (c *fatalClient) Do(*http.Request) (*http.Response, error) {
+	return nil, c.err
+}
+
 func TestDiscordAdapter_Type(t *testing.T) {
 	a := &DiscordAdapter{}
 	if a.Type() != "discord" {
@@ -288,17 +300,36 @@ func TestSplitMessage_LongMessage(t *testing.T) {
 }

 // TestDiscordAdapter_SendMessage_ErrorDoesNotLeakToken verifies that when the
-// HTTP call to the Discord webhook fails (e.g. DNS error), the returned error
+// HTTP call to the Discord webhook fails (network error), the returned error
 // message does NOT contain the webhook URL — which embeds the Discord token.
 // Regression test for the MEDIUM security finding in PR #659.
+//
+// This test uses a deterministic httptest.Server (connection refused) rather
+// than a live network call, so it always exercises the error path regardless
+// of environment routing.
 func TestDiscordAdapter_SendMessage_ErrorDoesNotLeakToken(t *testing.T) {
-	a := &DiscordAdapter{}
-	// Use a valid-looking webhook URL with a fake token so we can check it
-	// doesn't appear in the error string.
 	fakeToken := "SUPER_SECRET_DISCORD_TOKEN_12345"
 	webhookURL := discordWebhookPrefix + "123456789/" + fakeToken

-	// Point at an unroutable address to force a dial error.
+	// httptest.Server with no handler → connection refused / immediate close.
+	// Deterministic in all environments; no skip condition.
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Fatal("server handler called — should have been unreachable")
+	}))
+	defer ts.Close()
+
+	// Point the webhook URL at the test server so DiscordAdapter sends there.
+	// We intercept the *request* (not the URL) by swapping the client's base URL.
+	// The adapter always resolves webhookURL from config, so we set up a
+	// test server that refuses connections on the real discord.com domain
+	// by having the adapter's HTTP client hit an unreachable host.
+	//
+	// Simpler: construct a URL with the fake token that won't route anywhere,
+	// but use a mock httpClient to control the error exactly.
+	a := &DiscordAdapter{
+		client: &fatalClient{err: fmt.Errorf("connection refused")},
+	}
+
 	err := a.SendMessage(
 		context.Background(),
 		map[string]interface{}{"webhook_url": webhookURL},
@@ -307,12 +338,14 @@ func TestDiscordAdapter_SendMessage_ErrorDoesNotLeakToken(t *testing.T) {
 	)

 	if err == nil {
-		// In some environments the request might actually succeed; that's fine.
-		t.Skip("request unexpectedly succeeded — skipping token-leak check")
+		t.Fatal("expected error from fatalClient")
 	}
 	if strings.Contains(err.Error(), fakeToken) {
 		t.Errorf("error message leaks Discord webhook token: %q", err.Error())
 	}
+	if strings.Contains(err.Error(), "123456789") {
+		t.Errorf("error message leaks webhook ID: %q", err.Error())
+	}
 }

 func TestSplitMessage_SplitsAtNewline(t *testing.T) {
@@ -82,7 +82,10 @@ func NewManager(proxy A2AProxy, broadcaster Broadcaster) *Manager {
 			log.Printf("Channels: failed to disable telegram chat_id=%s: %v", chatID, err)
 			return
 		}
-		if rows, _ := res.RowsAffected(); rows > 0 {
+		rows, err := res.RowsAffected()
+		if err != nil {
+			log.Printf("Channels: disable telegram RowsAffected error chat_id=%s: %v", chatID, err)
+		} else if rows > 0 {
 			log.Printf("Channels: disabled %d telegram channel(s) for chat_id=%s (bot removed)", rows, chatID)
 			// Reload so the in-memory poller map drops the now-disabled row.
 			m.Reload(ctx)
@@ -310,7 +313,7 @@ func (m *Manager) HandleInbound(ctx context.Context, ch ChannelRow, msg *Inbound
 	history := m.loadHistory(ctx, historyKey)

 	// Build A2A JSON-RPC payload
-	a2aBody, _ := json.Marshal(map[string]interface{}{
+	a2aBody, marshalErr := json.Marshal(map[string]interface{}{
 		"method": "message/send",
 		"params": map[string]interface{}{
 			"message": map[string]interface{}{
@@ -330,6 +333,9 @@ func (m *Manager) HandleInbound(ctx context.Context, ch ChannelRow, msg *Inbound
 			},
 		},
 	})
+	if marshalErr != nil {
+		log.Printf("Channels %s: json.Marshal a2aBody failed: %v", ch.ChannelType, marshalErr)
+	}

 	callerID := "channel:" + ch.ChannelType

@@ -389,11 +395,13 @@ func (m *Manager) HandleInbound(ctx context.Context, ch ChannelRow, msg *Inbound

 	// Update stats in DB
 	if db.DB != nil {
-		db.DB.ExecContext(ctx, `
+		if _, err := db.DB.ExecContext(ctx, `
 			UPDATE workspace_channels
 			SET last_message_at = now(), message_count = message_count + 1, updated_at = now()
 			WHERE id = $1
-		`, ch.ID)
+		`, ch.ID); err != nil {
+			log.Printf("Channels: inbound stats update failed for channel %s: %v", ch.ID, err)
+		}
 	}

 	// Broadcast event
@@ -434,11 +442,13 @@ func (m *Manager) SendOutbound(ctx context.Context, channelID string, text strin
 	}

 	if db.DB != nil {
-		db.DB.ExecContext(ctx, `
+		if _, err := db.DB.ExecContext(ctx, `
 			UPDATE workspace_channels
 			SET last_message_at = now(), message_count = message_count + 1, updated_at = now()
 			WHERE id = $1
-		`, channelID)
+		`, channelID); err != nil {
+			log.Printf("Channels: outbound stats update failed for channel %s: %v", channelID, err)
+		}
 	}

 	if m.broadcaster != nil {
@@ -508,14 +518,20 @@ func (m *Manager) FetchWorkspaceChannelContext(ctx context.Context, workspaceID
 	}
 	defer rows.Close()
 	if !rows.Next() {
+		if err := rows.Err(); err != nil {
+			log.Printf("ChannelManager: FetchWorkspaceChannelContext rows error for %s: %v", workspaceID, err)
+		}
 		return ""
 	}
 	var configJSON []byte
-	if rows.Scan(&configJSON) != nil {
+	if err := rows.Scan(&configJSON); err != nil {
+		log.Printf("ChannelManager: FetchWorkspaceChannelContext scan error for %s: %v", workspaceID, err)
 		return ""
 	}
 	var config map[string]interface{}
-	json.Unmarshal(configJSON, &config)
+	if err := json.Unmarshal(configJSON, &config); err != nil {
+		log.Printf("ChannelManager: unmarshal config: %v", err)
+	}
 	if err := DecryptSensitiveFields(config); err != nil {
 		return ""
 	}
@@ -652,12 +668,15 @@ func (m *Manager) appendHistory(ctx context.Context, key string, username, userM
 	if db.RDB == nil {
 		return
 	}
-	entry, _ := json.Marshal(map[string]string{
+	entry, marshalErr := json.Marshal(map[string]string{
 		"user":    username,
 		"message": userMsg,
 		"reply":   agentReply,
 		"time":    time.Now().UTC().Format(time.RFC3339),
 	})
+	if marshalErr != nil {
+		log.Printf("appendHistory %s: json.Marshal entry failed: %v", key, marshalErr)
+	}
 	db.RDB.LPush(ctx, key, string(entry))
 	db.RDB.LTrim(ctx, key, 0, int64(maxHistoryEntries-1))
 	db.RDB.Expire(ctx, key, historyTTL)
@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"log"
 	"net/http"
 	"strings"
 	"time"
@@ -159,7 +160,10 @@ func (s *SlackAdapter) sendBotMessage(ctx context.Context, config map[string]int
 			payload["icon_emoji"] = iconEmoji
 		}

-		body, _ := json.Marshal(payload)
+		body, marshalErr := json.Marshal(payload)
+		if marshalErr != nil {
+			log.Printf("slack SendMessage: json.Marshal payload failed: %v", marshalErr)
+		}
 		req, err := http.NewRequestWithContext(ctx, http.MethodPost, "https://slack.com/api/chat.postMessage", bytes.NewReader(body))
 		if err != nil {
 			return fmt.Errorf("slack: build request: %w", err)
@@ -115,12 +115,15 @@ func (h *WorkspaceHandler) handleA2ADispatchError(ctx context.Context, workspace
 			if logActivity {
 				h.logA2ABusyQueued(ctx, workspaceID, callerID, body, a2aMethod, durationMs)
 			}
-			respBody, _ := json.Marshal(gin.H{
+			respBody, marshalErr := json.Marshal(gin.H{
 				"queued":      true,
 				"queue_id":    qid,
 				"queue_depth": depth,
 				"message":     "workspace agent busy — request queued, will dispatch when capacity available",
 			})
+			if marshalErr != nil {
+				log.Printf("ProxyA2A %s: json.Marshal respBody failed: %v", workspaceID, marshalErr)
+			}
 			return http.StatusAccepted, respBody, nil
 		} else {
 			// Queue insert failed — fall through to legacy 503 behavior
@@ -160,10 +160,12 @@ func EnqueueA2A(
 	}

 	// Return current queue depth for the caller's visibility.
-	_ = db.DB.QueryRowContext(ctx, `
+	if err := db.DB.QueryRowContext(ctx, `
 		SELECT COUNT(*) FROM a2a_queue
 		WHERE workspace_id = $1 AND status = 'queued'
-	`, workspaceID).Scan(&depth)
+	`, workspaceID).Scan(&depth); err != nil {
+		log.Printf("A2AQueue: depth query failed for workspace %s: %v", workspaceID, err)
+	}

 	log.Printf("A2AQueue: enqueued %s for workspace %s (priority=%d, depth=%d)", id, workspaceID, priority, depth)
 	return id, depth, nil
@@ -249,10 +251,12 @@ func MarkQueueItemFailed(ctx context.Context, id, errMsg string) {
 // can see how many ahead of them.
 func QueueDepth(ctx context.Context, workspaceID string) int {
 	var n int
-	_ = db.DB.QueryRowContext(ctx,
+	if err := db.DB.QueryRowContext(ctx,
 		`SELECT COUNT(*) FROM a2a_queue WHERE workspace_id = $1 AND status = 'queued'`,
 		workspaceID,
-	).Scan(&n)
+	).Scan(&n); err != nil {
+		log.Printf("A2AQueue: QueueDepth query failed for workspace %s: %v", workspaceID, err)
+	}
 	return n
 }

@@ -415,10 +419,13 @@ func (h *WorkspaceHandler) stitchDrainResponseToDelegation(ctx context.Context,
 		return
 	}
 	responseText := extractResponseText(respBody)
-	respJSON, _ := json.Marshal(map[string]interface{}{
+	respJSON, marshalErr := json.Marshal(map[string]interface{}{
 		"text":          responseText,
 		"delegation_id": delegationID,
 	})
+	if marshalErr != nil {
+		log.Printf("a2aQueue stitch %s: json.Marshal respJSON failed: %v", delegationID, marshalErr)
+	}
 	res, err := db.DB.ExecContext(ctx, `
 		UPDATE activity_logs
 		   SET status        = 'completed',
@@ -434,7 +441,12 @@ func (h *WorkspaceHandler) stitchDrainResponseToDelegation(ctx context.Context,
 		log.Printf("A2AQueue drain stitch: update failed for delegation %s: %v", delegationID, err)
 		return
 	}
-	if rows, _ := res.RowsAffected(); rows == 0 {
+	rows, err := res.RowsAffected()
+	if err != nil {
+		log.Printf("A2AQueue drain stitch: RowsAffected error for delegation %s: %v", delegationID, err)
+		return
+	}
+	if rows == 0 {
 		log.Printf("A2AQueue drain stitch: no delegate_result row for delegation %s (queued-row may not exist yet)", delegationID)
 		return
 	}
@@ -164,7 +164,10 @@ func (w *AgentMessageWriter) Send(
 		}
 		respPayload["parts"] = fileParts
 	}
-	respJSON, _ := json.Marshal(respPayload)
+	respJSON, marshalErr := json.Marshal(respPayload)
+	if marshalErr != nil {
+		log.Printf("AgentMessageWriter %s: json.Marshal respPayload failed: %v", workspaceID, marshalErr)
+	}
 	preview := textutil.TruncateRunes(message, 80)
 	if _, err := w.db.ExecContext(ctx, `
 		INSERT INTO activity_logs (workspace_id, activity_type, method, summary, response_body, status)
@@ -34,7 +34,10 @@ func (h *ApprovalsHandler) Create(c *gin.Context) {
 		return
 	}

-	ctxJSON, _ := json.Marshal(body.Context)
+	ctxJSON, marshalErr := json.Marshal(body.Context)
+	if marshalErr != nil {
+		log.Printf("Approvals create %s: json.Marshal context failed: %v", workspaceID, marshalErr)
+	}
 	if ctxJSON == nil {
 		ctxJSON = []byte("{}")
 	}
@@ -80,10 +83,12 @@ func (h *ApprovalsHandler) ListAll(c *gin.Context) {
 	ctx := c.Request.Context()

 	// Auto-expire stale approvals (older than 10 min)
-	db.DB.ExecContext(ctx, `
+	if _, err := db.DB.ExecContext(ctx, `
 		UPDATE approval_requests SET status = 'denied', decided_by = 'auto-expired', decided_at = now()
 		WHERE status = 'pending' AND created_at < now() - interval '10 minutes'
-	`)
+	`); err != nil {
+		log.Printf("approvals: auto-expire failed: %v", err)
+	}

 	rows, err := db.DB.QueryContext(ctx, `
 		SELECT a.id, a.workspace_id, w.name, a.action, a.reason, a.status, a.created_at
@@ -200,7 +205,12 @@ func (h *ApprovalsHandler) Decide(c *gin.Context) {
 		return
 	}

-	rows, _ := result.RowsAffected()
+	rows, err := result.RowsAffected()
+	if err != nil {
+		log.Printf("Approval decision RowsAffected error approval=%s workspace=%s: %v", approvalID, workspaceID, err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to update"})
+		return
+	}
 	if rows == 0 {
 		c.JSON(http.StatusNotFound, gin.H{"error": "approval not found or already decided"})
 		return
@@ -344,7 +344,10 @@ func computeAuditHMAC(key []byte, ev *auditEventRow) string {
 		"timestamp":            ev.Timestamp.UTC().Format("2006-01-02T15:04:05Z"),
 	}

-	payload, _ := json.Marshal(canonical) // compact, sorted keys
+	payload, marshalErr := json.Marshal(canonical) // compact, sorted keys
+	if marshalErr != nil {
+		log.Printf("auditChainHash: json.Marshal canonical failed: %v", marshalErr)
+	}
 	mac := hmac.New(sha256.New, key)
 	mac.Write(payload)
 	return hex.EncodeToString(mac.Sum(nil))
@@ -26,6 +26,10 @@ type ChannelHandler struct {
 	manager *channels.Manager
 }

+// channelSlugRe matches valid agent slugs used in [slug] routing.
+// Compiled once at init to avoid recompilation on every webhook call.
+var channelSlugRe = regexp.MustCompile(`^[a-zA-Z0-9 _-]+$`)
+
 // NewChannelHandler creates a channel handler with the given manager.
 func NewChannelHandler(manager *channels.Manager) *ChannelHandler {
 	return &ChannelHandler{manager: manager}
@@ -67,7 +71,9 @@ func (h *ChannelHandler) List(c *gin.Context) {
 		}

 		var config map[string]interface{}
-		json.Unmarshal(configJSON, &config)
+		if err := json.Unmarshal(configJSON, &config); err != nil {
+			log.Printf("Channels: unmarshal config for channel %s: %v", id, err)
+		}
 		// #319: decrypt sensitive fields first so the mask operates on
 		// plaintext (first-4 / last-4 of the real token, not the ciphertext
 		// prefix). Decrypt errors are logged but non-fatal — List must keep
@@ -86,7 +92,9 @@ func (h *ChannelHandler) List(c *gin.Context) {
 		}

 		var allowed []string
-		json.Unmarshal(allowedJSON, &allowed)
+		if err := json.Unmarshal(allowedJSON, &allowed); err != nil {
+			log.Printf("Channels: unmarshal allowed_users for channel %s: %v", id, err)
+		}

 		entry := map[string]interface{}{
 			"id":            id,
@@ -161,8 +169,14 @@ func (h *ChannelHandler) Create(c *gin.Context) {
 		return
 	}

-	configJSON, _ := json.Marshal(body.Config)
-	allowedJSON, _ := json.Marshal(body.AllowedUsers)
+	configJSON, marshalErr := json.Marshal(body.Config)
+	if marshalErr != nil {
+		log.Printf("Channels create %s: json.Marshal config failed: %v", workspaceID, marshalErr)
+	}
+	allowedJSON, marshalErr := json.Marshal(body.AllowedUsers)
+	if marshalErr != nil {
+		log.Printf("Channels create %s: json.Marshal allowed_users failed: %v", workspaceID, marshalErr)
+	}
 	enabled := true
 	if body.Enabled != nil {
 		enabled = *body.Enabled
@@ -217,11 +231,17 @@ func (h *ChannelHandler) Update(c *gin.Context) {
 			c.JSON(http.StatusInternalServerError, gin.H{"error": "encrypt failed"})
 			return
 		}
-		j, _ := json.Marshal(body.Config)
+		j, marshalErr := json.Marshal(body.Config)
+		if marshalErr != nil {
+			log.Printf("Channels update %s: json.Marshal config failed: %v", workspaceID, marshalErr)
+		}
 		configArg = string(j)
 	}
 	if body.AllowedUsers != nil {
-		j, _ := json.Marshal(body.AllowedUsers)
+		j, marshalErr := json.Marshal(body.AllowedUsers)
+		if marshalErr != nil {
+			log.Printf("Channels update %s: json.Marshal allowed_users failed: %v", workspaceID, marshalErr)
+		}
 		allowedArg = string(j)
 	}

@@ -238,7 +258,13 @@ func (h *ChannelHandler) Update(c *gin.Context) {
 		return
 	}

-	if n, _ := result.RowsAffected(); n == 0 {
+	n, err := result.RowsAffected()
+	if err != nil {
+		log.Printf("Channel update RowsAffected error channel=%s workspace=%s: %v", channelID, workspaceID, err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "update failed"})
+		return
+	}
+	if n == 0 {
 		c.JSON(http.StatusNotFound, gin.H{"error": "channel not found"})
 		return
 	}
@@ -263,7 +289,13 @@ func (h *ChannelHandler) Delete(c *gin.Context) {
 		return
 	}

-	if n, _ := result.RowsAffected(); n == 0 {
+	n, err := result.RowsAffected()
+	if err != nil {
+		log.Printf("Channel delete RowsAffected error channel=%s workspace=%s: %v", channelID, workspaceID, err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "delete failed"})
+		return
+	}
+	if n == 0 {
 		c.JSON(http.StatusNotFound, gin.H{"error": "channel not found"})
 		return
 	}
@@ -464,11 +496,10 @@ func (h *ChannelHandler) Webhook(c *gin.Context) {
 	// in a shared channel and route to a specific agent.
 	targetSlug := ""
 	routedText := msg.Text
-	validSlugRe := regexp.MustCompile(`^[a-zA-Z0-9 _-]+$`)
 	if len(msg.Text) > 2 && msg.Text[0] == '[' {
 		if idx := strings.Index(msg.Text, "]"); idx > 1 && idx < 40 {
 			candidate := strings.ToLower(strings.TrimSpace(msg.Text[1:idx]))
-			if validSlugRe.MatchString(candidate) {
+			if channelSlugRe.MatchString(candidate) {
 				targetSlug = candidate
 				routedText = strings.TrimSpace(msg.Text[idx+1:])
 				if routedText == "" {
@@ -499,8 +530,12 @@ func (h *ChannelHandler) Webhook(c *gin.Context) {
 		if err := rows.Scan(&row.ID, &row.WorkspaceID, &row.ChannelType, &configJSON, &row.Enabled, &allowedJSON); err != nil {
 			continue
 		}
-		json.Unmarshal(configJSON, &row.Config)
-		json.Unmarshal(allowedJSON, &row.AllowedUsers)
+		if err := json.Unmarshal(configJSON, &row.Config); err != nil {
+			log.Printf("Channels: unmarshal config for webhook row %s: %v", row.ID, err)
+		}
+		if err := json.Unmarshal(allowedJSON, &row.AllowedUsers); err != nil {
+			log.Printf("Channels: unmarshal allowed_users for webhook row %s: %v", row.ID, err)
+		}
 		if err := channels.DecryptSensitiveFields(row.Config); err != nil {
 			log.Printf("Channels: decrypt webhook row %s: %v", row.ID, err)
 			continue
@@ -229,7 +229,12 @@ func (h *CheckpointsHandler) Delete(c *gin.Context) {
 		return
 	}

-	n, _ := result.RowsAffected()
+	n, err := result.RowsAffected()
+	if err != nil {
+		log.Printf("Delete checkpoints RowsAffected error workspace=%s wf=%s: %v", workspaceID, workflowID, err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to delete checkpoints"})
+		return
+	}
 	if n == 0 {
 		c.JSON(http.StatusNotFound, gin.H{"error": "no checkpoints found for workflow"})
 		return
@@ -57,10 +57,16 @@ func pushDelegationResultToInbox(ctx context.Context, sourceID, delegationID, st
 		"text":          responsePreview,
 		"delegation_id": delegationID,
 	}
-	respJSON, _ := json.Marshal(respPayload)
-	reqJSON, _ := json.Marshal(map[string]interface{}{
+	respJSON, marshalErr := json.Marshal(respPayload)
+	if marshalErr != nil {
+		log.Printf("Delegation %s: json.Marshal respPayload failed: %v", delegationID, marshalErr)
+	}
+	reqJSON, marshalErr := json.Marshal(map[string]interface{}{
 		"delegation_id": delegationID,
 	})
+	if marshalErr != nil {
+		log.Printf("Delegation %s: json.Marshal reqPayload failed: %v", delegationID, marshalErr)
+	}
 	logStatus := "ok"
 	if status == "failed" {
 		logStatus = "error"
@@ -165,7 +171,7 @@ func (h *DelegationHandler) Delegate(c *gin.Context) {
 	// check_task_status returned status='queued' forever even after a
 	// real reply landed). messageId mirrors delegation_id so the
 	// platform's idempotency-key extraction also keys off the same id.
-	a2aBody, _ := json.Marshal(map[string]interface{}{
+	a2aBody, marshalErr := json.Marshal(map[string]interface{}{
 		"method": "message/send",
 		"params": map[string]interface{}{
 			"message": map[string]interface{}{
@@ -176,6 +182,9 @@ func (h *DelegationHandler) Delegate(c *gin.Context) {
 			},
 		},
 	})
+	if marshalErr != nil {
+		log.Printf("Delegation %s: json.Marshal a2aBody failed: %v", delegationID, marshalErr)
+	}

 	// Fire-and-forget: send A2A in a background goroutine.
 	//
@@ -261,10 +270,12 @@ func lookupIdempotentDelegation(ctx context.Context, c *gin.Context, sourceID, i
 		return false
 	}
 	if existingStatus == "failed" {
-		_, _ = db.DB.ExecContext(ctx, `
+		if _, err := db.DB.ExecContext(ctx, `
 			DELETE FROM activity_logs
 			 WHERE workspace_id = $1 AND idempotency_key = $2 AND status = 'failed'
-		`, sourceID, idempotencyKey)
+		`, sourceID, idempotencyKey); err != nil {
+			log.Printf("delegation: failed to clean up failed idempotency row for %s/%s: %v", sourceID, idempotencyKey, err)
+		}
 		return false
 	}
 	c.JSON(http.StatusOK, gin.H{
@@ -302,16 +313,22 @@ const (
 // insertDelegationRow stores the pending delegation row. See
 // insertDelegationOutcome for the three possible return values.
 func insertDelegationRow(ctx context.Context, c *gin.Context, sourceID string, body delegateRequest, delegationID string) insertDelegationOutcome {
-	taskJSON, _ := json.Marshal(map[string]interface{}{
+	taskJSON, marshalErr := json.Marshal(map[string]interface{}{
 		"task":          body.Task,
 		"delegation_id": delegationID,
 	})
+	if marshalErr != nil {
+		log.Printf("Delegation %s: json.Marshal taskJSON failed: %v", delegationID, marshalErr)
+	}
 	// Store delegation_id in response_body so agent check_delegation_status
 	// (which reads response_body->>delegation_id) can locate this row even
 	// when request_body hasn't propagated yet. Fixes mc#984.
-	respJSON, _ := json.Marshal(map[string]interface{}{
+	respJSON, marshalErr := json.Marshal(map[string]interface{}{
 		"delegation_id": delegationID,
 	})
+	if marshalErr != nil {
+		log.Printf("Delegation %s: json.Marshal respJSON failed: %v", delegationID, marshalErr)
+	}
 	var idemArg interface{}
 	if body.IdempotencyKey != "" {
 		idemArg = body.IdempotencyKey
@@ -482,10 +499,13 @@ handleSuccess:
 		// dispatch eventually succeeds. Without the key, the drain finds
 		// the row by (workspace_id, target_id, method) but can't tell
 		// multiple-queued-delegations-to-same-target apart.
-		queuedJSON, _ := json.Marshal(map[string]interface{}{
+		queuedJSON, marshalErr := json.Marshal(map[string]interface{}{
 			"delegation_id": delegationID,
 			"queued":        true,
 		})
+		if marshalErr != nil {
+			log.Printf("Delegation %s: json.Marshal queuedJSON failed: %v", delegationID, marshalErr)
+		}
 		if _, err := db.DB.ExecContext(ctx, `
 			INSERT INTO activity_logs (workspace_id, activity_type, method, source_id, target_id, summary, response_body, status)
 			VALUES ($1, 'delegation', 'delegate_result', $2, $3, $4, $5::jsonb, 'queued')
@@ -505,10 +525,13 @@ handleSuccess:

 	log.Printf("Delegation %s: step=inserting_success_log", delegationID)
 	// Store success (response_body must be JSONB, include delegation_id)
-	respJSON, _ := json.Marshal(map[string]interface{}{
+	respJSON, marshalErr := json.Marshal(map[string]interface{}{
 		"text":          responseText,
 		"delegation_id": delegationID,
 	})
+	if marshalErr != nil {
+		log.Printf("Delegation %s: json.Marshal respJSON failed: %v", delegationID, marshalErr)
+	}
 	if _, err := db.DB.ExecContext(ctx, `
 		INSERT INTO activity_logs (workspace_id, activity_type, method, source_id, target_id, summary, response_body, status)
 		VALUES ($1, 'delegation', 'delegate_result', $2, $3, $4, $5::jsonb, 'completed')
@@ -590,15 +613,21 @@ func (h *DelegationHandler) Record(c *gin.Context) {
 		return
 	}

-	taskJSON, _ := json.Marshal(map[string]interface{}{
+	taskJSON, marshalErr := json.Marshal(map[string]interface{}{
 		"task":          body.Task,
 		"delegation_id": body.DelegationID,
 	})
+	if marshalErr != nil {
+		log.Printf("Delegation %s: json.Marshal taskJSON failed: %v", body.DelegationID, marshalErr)
+	}
 	// Store delegation_id in response_body so agent check_delegation_status
 	// can locate this row. Fixes mc#984.
-	respJSON, _ := json.Marshal(map[string]interface{}{
+	respJSON, marshalErr := json.Marshal(map[string]interface{}{
 		"delegation_id": body.DelegationID,
 	})
+	if marshalErr != nil {
+		log.Printf("Delegation %s: json.Marshal respJSON failed: %v", body.DelegationID, marshalErr)
+	}
 	if _, err := db.DB.ExecContext(ctx, `
 		INSERT INTO activity_logs (workspace_id, activity_type, method, source_id, target_id, summary, request_body, response_body, status)
 		VALUES ($1, 'delegation', 'delegate', $2, $3, $4, $5::jsonb, $6::jsonb, 'dispatched')
@@ -662,10 +691,13 @@ func (h *DelegationHandler) UpdateStatus(c *gin.Context) {
 	h.updateDelegationStatus(ctx, sourceID, delegationID, body.Status, body.Error)

 	if body.Status == "completed" {
-		respJSON, _ := json.Marshal(map[string]interface{}{
+		respJSON, marshalErr := json.Marshal(map[string]interface{}{
 			"text":          body.ResponsePreview,
 			"delegation_id": delegationID,
 		})
+		if marshalErr != nil {
+			log.Printf("Delegation UpdateStatus %s: json.Marshal respJSON failed: %v", delegationID, marshalErr)
+		}
 		if _, err := db.DB.ExecContext(ctx, `
 			INSERT INTO activity_logs (workspace_id, activity_type, method, source_id, summary, response_body, status)
 			VALUES ($1, 'delegation', 'delegate_result', $2, $3, $4::jsonb, 'completed')
@@ -155,7 +155,10 @@ func generateAppInstallationToken() (string, time.Time, error) {
 	if err != nil {
 		return "", time.Time{}, fmt.Errorf("sign JWT: %w", err)
 	}
-	req, _ := http.NewRequest("POST", fmt.Sprintf("https://api.github.com/app/installations/%d/access_tokens", installID), nil)
+	req, err := http.NewRequest("POST", fmt.Sprintf("https://api.github.com/app/installations/%d/access_tokens", installID), nil)
+	if err != nil {
+		return "", time.Time{}, fmt.Errorf("build request: %w", err)
+	}
 	req.Header.Set("Authorization", "Bearer "+signed)
 	req.Header.Set("Accept", "application/vnd.github+json")
 	client := &http.Client{Timeout: 30 * time.Second}
@@ -43,6 +43,8 @@ func TestWorkspaceCreate_WithParentID(t *testing.T) {
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectExec("INSERT INTO structure_events").
 		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec("INSERT INTO workspace_auth_tokens").
+		WillReturnResult(sqlmock.NewResult(0, 1))

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -79,6 +81,8 @@ func TestWorkspaceCreate_ExplicitClaudeCodeRuntime(t *testing.T) {
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectExec("INSERT INTO structure_events").
 		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec("INSERT INTO workspace_auth_tokens").
+		WillReturnResult(sqlmock.NewResult(0, 1))

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -300,6 +304,8 @@ func TestWorkspaceCreate_MaxConcurrentTasksOverride(t *testing.T) {
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectExec("INSERT INTO structure_events").
 		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec("INSERT INTO workspace_auth_tokens").
+		WillReturnResult(sqlmock.NewResult(0, 1))

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -255,9 +255,23 @@ func TestExtended_SecretsListEmpty(t *testing.T) {
 // ---------- TestSecretsSet (Extended) ----------

 func TestExtended_SecretsSet(t *testing.T) {
+	// internal#691: the per-workspace strip gate now defaults to platform_managed
+	// on empty MOLECULE_LLM_BILLING_MODE (closed default). This test's intent is
+	// the happy path of persisting a vendor key, so put the org into byok which
+	// matches the pre-#691 implicit behavior of an unset env.
+	t.Setenv("MOLECULE_LLM_BILLING_MODE", "byok")
 	mock := setupTestDB(t)
 	handler := NewSecretsHandler(nil)

+	// internal#691: secrets.Set now consults ResolveLLMBillingMode before the
+	// strip gate. Mock returns no row → resolver falls through to the org
+	// default (byok, set via t.Setenv above) → bypass-list check is skipped
+	// and the write proceeds. This pattern is the test-side mirror of the
+	// real-prod fall-through behavior for a fresh workspace with no override.
+	mock.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
+		WithArgs("22222222-2222-2222-2222-222222222222").
+		WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}))
+
 	// Expect INSERT (encrypted value is dynamic, use AnyArg)
 	mock.ExpectExec("INSERT INTO workspace_secrets").
 		WithArgs("22222222-2222-2222-2222-222222222222", "OPENAI_API_KEY", sqlmock.AnyArg(), sqlmock.AnyArg()).
@@ -293,6 +307,26 @@ func TestExtended_SecretsSet(t *testing.T) {
 	}
 }

+func TestExtended_SecretsSetRejectsHermesCustomProviderInPlatformManagedMode(t *testing.T) {
+	t.Setenv("MOLECULE_LLM_BILLING_MODE", "platform_managed")
+	_ = setupTestDB(t)
+	handler := NewSecretsHandler(nil)
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "22222222-2222-2222-2222-222222222222"}}
+
+	body := `{"key":"KIMI_API_KEY","value":"sk-test-moonshot"}`
+	c.Request = httptest.NewRequest("POST", "/workspaces/22222222-2222-2222-2222-222222222222/secrets", bytes.NewBufferString(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Set(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("expected status 400, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
 // ---------- TestSecretsDelete (Extended) ----------

 func TestExtended_SecretsDelete(t *testing.T) {
@@ -384,6 +384,8 @@ func TestWorkspaceCreate(t *testing.T) {
 	// Expect RecordAndBroadcast INSERT for WORKSPACE_PROVISIONING
 	mock.ExpectExec("INSERT INTO structure_events").
 		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec("INSERT INTO workspace_auth_tokens").
+		WillReturnResult(sqlmock.NewResult(0, 1))

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -420,6 +422,76 @@ func TestWorkspaceCreate(t *testing.T) {
 	}
 }

+// TestWorkspaceCreate_ReturnsAuthToken_201 pins the inline-auth_token
+// behaviour added for #1644. Pre-fix, the 201 response was
+// {id, status, awareness_namespace, workspace_access} — callers had to
+// make a separate POST to /admin/workspaces/:id/tokens (AdminAuth-gated,
+// path-prefix differs in CP-admin deploys) OR fall back to the dev-only
+// GET /admin/workspaces/:id/test-token (deliberately 404s on
+// MOLECULE_ENV=production per feedback_no_dev_only_routes_in_e2e).
+//
+// Post-fix: every Create response includes an `auth_token` field with
+// the freshly-minted plaintext bearer (returned once, never recoverable).
+// This is the SSOT path — production E2E + canvas + org_import all
+// get the bearer they need in the same round trip.
+//
+// Failure path is non-fatal: if the IssueToken DB call fails, the 201
+// still goes out without auth_token + a fallback log line. That branch
+// is exercised by sqlmock returning a non-INSERT-INTO-workspace_auth_tokens
+// path here — the test asserts presence on the happy path.
+func TestWorkspaceCreate_ReturnsAuthToken_201(t *testing.T) {
+	mock := setupTestDB(t)
+	setupTestRedis(t)
+	broadcaster := newTestBroadcaster()
+	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", "/tmp/configs")
+
+	mock.ExpectBegin()
+	mock.ExpectExec("INSERT INTO workspaces").
+		WithArgs(sqlmock.AnyArg(), "Token Holder", nil, 3, "langgraph", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectCommit()
+	mock.ExpectExec("INSERT INTO canvas_layouts").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec("INSERT INTO structure_events").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+	// The inline mint added in #1644 Part B — wsauth.IssueToken issues
+	// a new bearer via INSERT INTO workspace_auth_tokens (workspace_id,
+	// token_hash, prefix). This is the assertion that the new code path
+	// reaches the DB.
+	mock.ExpectExec("INSERT INTO workspace_auth_tokens").
+		WithArgs(sqlmock.AnyArg(), sqlmock.AnyArg(), sqlmock.AnyArg()).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	body := `{"name":"Token Holder","model":"anthropic:claude-opus-4-7"}`
+	c.Request = httptest.NewRequest("POST", "/workspaces", bytes.NewBufferString(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Create(c)
+
+	if w.Code != http.StatusCreated {
+		t.Fatalf("expected 201, got %d: %s", w.Code, w.Body.String())
+	}
+	var resp map[string]interface{}
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("parse response: %v", err)
+	}
+	tok, ok := resp["auth_token"].(string)
+	if !ok || tok == "" {
+		t.Fatalf("expected non-empty auth_token in 201 response (the #1644 SSOT inline mint), got: %s", w.Body.String())
+	}
+	// Sanity: tokens are base64-RawURL encoded 32-byte payloads (per
+	// wsauth/tokens.go::tokenPayloadBytes), so a meaningful lower bound
+	// is ~40 chars. If this fails, IssueToken's contract drifted.
+	if len(tok) < 40 {
+		t.Errorf("auth_token suspiciously short (%d chars) — wsauth.IssueToken contract drift?", len(tok))
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations — inline mint path may have skipped IssueToken: %v", err)
+	}
+}
+
 func TestBuildProvisionerConfig_WorkspacePathFromPayload(t *testing.T) {
 	setupTestDB(t)
 	broadcaster := newTestBroadcaster()
@@ -169,7 +169,13 @@ func (h *InstructionsHandler) Update(c *gin.Context) {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "update failed"})
 		return
 	}
-	if n, _ := result.RowsAffected(); n == 0 {
+	n, err := result.RowsAffected()
+	if err != nil {
+		log.Printf("Instructions update RowsAffected error: %v", err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "update failed"})
+		return
+	}
+	if n == 0 {
 		c.JSON(http.StatusNotFound, gin.H{"error": "instruction not found"})
 		return
 	}
@@ -186,7 +192,13 @@ func (h *InstructionsHandler) Delete(c *gin.Context) {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "delete failed"})
 		return
 	}
-	if n, _ := result.RowsAffected(); n == 0 {
+	n, err := result.RowsAffected()
+	if err != nil {
+		log.Printf("Instructions delete RowsAffected error: %v", err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "delete failed"})
+		return
+	}
+	if n == 0 {
 		c.JSON(http.StatusNotFound, gin.H{"error": "instruction not found"})
 		return
 	}
@@ -0,0 +1,234 @@
+package handlers
+
+// llm_billing_mode.go — per-workspace LLM billing mode resolution (internal#691).
+//
+// The resolver answers a single question at provision time:
+//   "Should we strip CLAUDE_CODE_OAUTH_TOKEN + every vendor key from this
+//    workspace's env, force-route to the CP proxy, and bill org credits?"
+//
+// That question used to be a single env-var read inside applyPlatformManagedLLMEnv:
+//
+//   os.Getenv("MOLECULE_LLM_BILLING_MODE") == "platform_managed"  → strip
+//
+// where MOLECULE_LLM_BILLING_MODE was an ORG-level value, fetched from CP's
+// tenant_config and exported into the workspace-server process at boot. That
+// shape made it impossible to mix billing modes across workspaces in the same
+// org: turning the org dial to `byok` so one workspace could keep its OAuth
+// stops the strip for EVERY workspace in the org. Turning it to `platform_managed`
+// blocks every workspace's own OAuth/vendor keys.
+//
+// The resolver replaces the env-var read with a per-workspace lookup:
+//
+//   workspaces.llm_billing_mode (per-workspace override, NULLABLE)
+//     ?? organizations.llm_billing_mode (org default, fetched via tenant_config)
+//     ?? "platform_managed" (closed default — the existing implicit default)
+//
+// Default-closed contract — non-negotiable per the RFC Safety axis:
+//
+//   - workspace row missing (sql.ErrNoRows)         → fall through to org default
+//   - DB error on the lookup                         → "platform_managed" + propagated error
+//   - workspace override = NULL                      → fall through to org default
+//   - workspace override = unknown string            → "platform_managed" (default-closed)
+//   - org default = NULL / empty / unknown string    → "platform_managed" (closed default)
+//   - org default = recognized non-pm string + ws null → org default (byok/disabled honored)
+//
+// The ONLY way to resolve to "byok" or "disabled" is an explicit, recognized
+// string in the workspace override OR the org default. A NULL JOIN, transient
+// resolver error, or garbled enum value MUST NOT silently flip a workspace
+// off of platform_managed — that would shadow the org's billing policy and
+// is the exact failure mode the RFC's Safety hot-spot calls out.
+
+import (
+	"context"
+	"database/sql"
+	"errors"
+	"fmt"
+
+	"git.moleculesai.app/molecule-ai/molecule-core/workspace-server/internal/db"
+)
+
+// Constants mirror molecule-controlplane/internal/credits/llm_billing.go.
+// Kept as string literals (not imports) because workspace-server has no
+// build-time dependency on the CP module; the values are stable wire
+// strings used in the tenant_config response, the workspaces.llm_billing_mode
+// column check constraint, and the CP route bodies.
+const (
+	LLMBillingModePlatformManaged = "platform_managed"
+	LLMBillingModeBYOK            = "byok"
+	LLMBillingModeDisabled        = "disabled"
+)
+
+// BillingModeSource describes which layer of the resolution stack supplied
+// the final mode. Surfaced via the admin route for operator debug
+// ("why is this workspace being stripped?") per the RFC Observability axis.
+type BillingModeSource string
+
+const (
+	BillingModeSourceWorkspaceOverride BillingModeSource = "workspace_override"
+	BillingModeSourceOrgDefault        BillingModeSource = "org_default"
+	BillingModeSourceConstantFallback  BillingModeSource = "constant_fallback"
+)
+
+// BillingModeResolution is the structured answer the admin GET route returns
+// and the strip gate logs at INFO. The same struct is the unit-test fixture
+// shape, so the resolver test asserts both the mode AND the source per case
+// (catches a bug where the right mode is returned via the wrong layer).
+type BillingModeResolution struct {
+	WorkspaceID       string             `json:"workspace_id"`
+	ResolvedMode      string             `json:"resolved_mode"`
+	WorkspaceOverride *string            `json:"workspace_override"` // nil = inherit
+	OrgDefault        string             `json:"org_default"`        // already default-closed by CP
+	Source            BillingModeSource  `json:"source"`
+}
+
+// isKnownBillingMode is the enum-recognizer for the resolver's default-closed
+// branch. Returning false for an unknown string forces the resolver to fall
+// through to the next layer (or the constant fallback) — NEVER to honor a
+// garbled value as if it were valid. This is what makes a row with mode='byokk'
+// (typo) resolve to platform_managed instead of accidentally to byok.
+func isKnownBillingMode(s string) bool {
+	switch s {
+	case LLMBillingModePlatformManaged, LLMBillingModeBYOK, LLMBillingModeDisabled:
+		return true
+	default:
+		return false
+	}
+}
+
+// normalizeOrgDefault applies the same default-closed contract to the
+// org-level input as the workspace override gets. The org_default arrives
+// from tenant_config which already COALESCEs NULL → platform_managed at the
+// CP SQL layer, but we DO NOT trust that contract here — if CP regresses or
+// the tenant_config env wasn't populated (race on boot), we still default-
+// close. Same principle: never honor a garbled value.
+func normalizeOrgDefault(orgMode string) string {
+	if isKnownBillingMode(orgMode) {
+		return orgMode
+	}
+	return LLMBillingModePlatformManaged
+}
+
+// ResolveLLMBillingMode is the canonical resolver. Every code path that
+// previously gated on `os.Getenv("MOLECULE_LLM_BILLING_MODE") == "platform_managed"`
+// must call this instead and gate on the returned mode. The architectural
+// test (resolver_ast_test.go) asserts there is no remaining call site of
+// the old shape outside the resolver-input wiring.
+//
+// Returning an error does NOT prevent the caller from making a decision —
+// the returned mode is always a valid enum value (default-closed to
+// platform_managed) so the caller can proceed without a separate fail-closed
+// branch. The error is informational: log it, surface it to operators, but
+// the strip-gate decision is already safe.
+func ResolveLLMBillingMode(ctx context.Context, workspaceID, orgMode string) (BillingModeResolution, error) {
+	res := BillingModeResolution{
+		WorkspaceID: workspaceID,
+		OrgDefault:  normalizeOrgDefault(orgMode),
+	}
+
+	if workspaceID == "" {
+		// No workspace ID = pre-provision context (templating, validation).
+		// Resolve against the org default only, no DB read.
+		res.ResolvedMode = res.OrgDefault
+		res.Source = BillingModeSourceOrgDefault
+		if !isKnownBillingMode(orgMode) {
+			// Org default was garbled/NULL and we clamped to platform_managed.
+			// Mark the source as constant_fallback so the operator can see
+			// the clamp happened, not that the org "really" said platform_managed.
+			res.Source = BillingModeSourceConstantFallback
+		}
+		return res, nil
+	}
+
+	var wsOverride sql.NullString
+	err := db.DB.QueryRowContext(ctx,
+		`SELECT llm_billing_mode FROM workspaces WHERE id = $1`,
+		workspaceID,
+	).Scan(&wsOverride)
+
+	switch {
+	case errors.Is(err, sql.ErrNoRows):
+		// Workspace row missing — concurrent delete, or pre-create call. Don't
+		// silently flip; fall through to org default. Source stays org_default
+		// so operators can see the row-missing case is being handled as a
+		// fallback, not a workspace-explicit decision.
+		res.ResolvedMode = res.OrgDefault
+		res.Source = BillingModeSourceOrgDefault
+		if !isKnownBillingMode(orgMode) {
+			res.Source = BillingModeSourceConstantFallback
+		}
+		return res, nil
+	case err != nil:
+		// DB error — default-closed to platform_managed AND propagate the
+		// error so operators get a structured log line. The caller is
+		// expected to log and continue with the safe default.
+		res.ResolvedMode = LLMBillingModePlatformManaged
+		res.Source = BillingModeSourceConstantFallback
+		return res, fmt.Errorf("resolve workspace llm_billing_mode for %s: %w", workspaceID, err)
+	}
+
+	if wsOverride.Valid && isKnownBillingMode(wsOverride.String) {
+		mode := wsOverride.String
+		res.WorkspaceOverride = &mode
+		res.ResolvedMode = mode
+		res.Source = BillingModeSourceWorkspaceOverride
+		return res, nil
+	}
+
+	// Override row present but the value is NULL or garbled. Fall through.
+	// If the value was non-NULL but garbled (CHECK constraint should prevent
+	// this, but defense in depth — a future migration could relax the check
+	// or another path could write the column directly), surface the raw
+	// override value so operators can spot the corrupt row.
+	if wsOverride.Valid {
+		raw := wsOverride.String
+		res.WorkspaceOverride = &raw
+	}
+	res.ResolvedMode = res.OrgDefault
+	res.Source = BillingModeSourceOrgDefault
+	if !isKnownBillingMode(orgMode) {
+		res.Source = BillingModeSourceConstantFallback
+	}
+	return res, nil
+}
+
+// SetWorkspaceLLMBillingMode writes the override column. Pass mode=="" to
+// clear (set to NULL = inherit). Validates the mode against the enum set
+// so the route handler doesn't have to duplicate validation; a garbled
+// mode round-trips as an explicit 400 from the caller, not a CHECK-
+// constraint error from the DB driver.
+func SetWorkspaceLLMBillingMode(ctx context.Context, workspaceID, mode string) error {
+	if workspaceID == "" {
+		return errors.New("SetWorkspaceLLMBillingMode: workspace id required")
+	}
+	if mode == "" {
+		// NULL = inherit. Caller asked to clear the override.
+		res, err := db.DB.ExecContext(ctx,
+			`UPDATE workspaces SET llm_billing_mode = NULL WHERE id = $1`,
+			workspaceID,
+		)
+		if err != nil {
+			return fmt.Errorf("clear workspace llm_billing_mode for %s: %w", workspaceID, err)
+		}
+		n, _ := res.RowsAffected()
+		if n == 0 {
+			return sql.ErrNoRows
+		}
+		return nil
+	}
+	if !isKnownBillingMode(mode) {
+		return fmt.Errorf("unknown billing mode %q (allowed: %s, %s, %s)",
+			mode, LLMBillingModePlatformManaged, LLMBillingModeBYOK, LLMBillingModeDisabled)
+	}
+	res, err := db.DB.ExecContext(ctx,
+		`UPDATE workspaces SET llm_billing_mode = $1 WHERE id = $2`,
+		mode, workspaceID,
+	)
+	if err != nil {
+		return fmt.Errorf("set workspace llm_billing_mode for %s: %w", workspaceID, err)
+	}
+	n, _ := res.RowsAffected()
+	if n == 0 {
+		return sql.ErrNoRows
+	}
+	return nil
+}
@@ -0,0 +1,154 @@
+package handlers
+
+// llm_billing_mode_handler.go — workspace-server admin routes that read /
+// write the per-workspace billing mode override (internal#691). These are
+// the per-tenant routes that CP's new /cp/admin/workspaces/:id/llm-billing-mode
+// proxies to; the canvas hits them via the CP route, not directly.
+//
+// Route shape:
+//
+//   GET  /admin/workspaces/:id/llm-billing-mode
+//     -> 200 BillingModeResolution
+//     -> 400 on malformed UUID
+//     -> 500 on DB error (response still includes a safe_default the caller
+//             can fall through to — the resolver always returns a valid mode
+//             even on error, per the default-closed contract)
+//
+//   PUT  /admin/workspaces/:id/llm-billing-mode
+//     body: {"mode": "byok" | "platform_managed" | "disabled" | null}
+//     -> 200 BillingModeResolution (post-write)
+//     -> 400 on bad UUID / unknown mode / malformed body / missing "mode" key
+//     -> 404 when the workspace row doesn't exist
+//
+// Auth: mounted under wsAdmin (middleware.AdminAuth) — admin_token required.
+
+import (
+	"database/sql"
+	"encoding/json"
+	"errors"
+	"io"
+	"net/http"
+	"os"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+)
+
+// GetWorkspaceLLMBillingMode handles GET /admin/workspaces/:id/llm-billing-mode.
+//
+// Reads the workspace override + the org-level default (from the same
+// MOLECULE_LLM_BILLING_MODE env var the provisioner reads at strip-gate time —
+// keeps the two paths consistent so the GET result matches what the strip
+// gate would compute) and returns the structured resolution.
+func GetWorkspaceLLMBillingMode(c *gin.Context) {
+	workspaceID := strings.TrimSpace(c.Param("id"))
+	if !uuidRegex.MatchString(workspaceID) {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid workspace id"})
+		return
+	}
+	orgMode := strings.ToLower(strings.TrimSpace(os.Getenv("MOLECULE_LLM_BILLING_MODE")))
+	res, err := ResolveLLMBillingMode(c.Request.Context(), workspaceID, orgMode)
+	if err != nil {
+		// Resolver returns a safe default-closed mode alongside the error;
+		// surface the error so the operator sees the DB issue, but the
+		// response still has a usable mode field for the caller to fall
+		// through to without a separate fail-closed branch.
+		c.JSON(http.StatusInternalServerError, gin.H{
+			"error":        "resolve workspace billing mode failed",
+			"detail":       err.Error(),
+			"safe_default": res.ResolvedMode,
+			"workspace_id": res.WorkspaceID,
+		})
+		return
+	}
+	c.JSON(http.StatusOK, res)
+}
+
+// PutWorkspaceLLMBillingMode handles PUT /admin/workspaces/:id/llm-billing-mode.
+//
+// Body shape: {"mode": "byok" | "platform_managed" | "disabled" | null}
+// where null clears the override (workspace inherits the org default again).
+// Omitting "mode" entirely is a 400 — callers must be explicit about whether
+// they want to set or clear, so a typo'd field name can't silently no-op.
+//
+// On success returns the post-write resolution so the canvas can re-render
+// without a follow-up GET.
+func PutWorkspaceLLMBillingMode(c *gin.Context) {
+	workspaceID := strings.TrimSpace(c.Param("id"))
+	if !uuidRegex.MatchString(workspaceID) {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid workspace id"})
+		return
+	}
+
+	// Read raw body so we can distinguish three cases:
+	//   {"mode": "byok"}     → set override
+	//   {"mode": null}       → clear override
+	//   {}                   → 400 (caller must be explicit)
+	// json.RawMessage zero length ⇔ key absent; raw "null" ⇔ explicit clear;
+	// raw quoted string ⇔ set.
+	raw, readErr := io.ReadAll(c.Request.Body)
+	if readErr != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "read body", "detail": readErr.Error()})
+		return
+	}
+	var body struct {
+		Mode json.RawMessage `json:"mode"`
+	}
+	if err := json.Unmarshal(raw, &body); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid json", "detail": err.Error()})
+		return
+	}
+	if len(body.Mode) == 0 {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "missing required field 'mode' (use null to clear override)"})
+		return
+	}
+
+	var writeErr error
+	if string(body.Mode) == "null" {
+		writeErr = SetWorkspaceLLMBillingMode(c.Request.Context(), workspaceID, "")
+	} else {
+		var modeStr string
+		if err := json.Unmarshal(body.Mode, &modeStr); err != nil {
+			c.JSON(http.StatusBadRequest, gin.H{"error": "mode must be a string or null", "detail": err.Error()})
+			return
+		}
+		modeStr = strings.TrimSpace(modeStr)
+		if modeStr == "" {
+			// Empty string is ambiguous (could be "clear" or "user error");
+			// reject as 400 so the caller picks null explicitly.
+			c.JSON(http.StatusBadRequest, gin.H{"error": "mode must be one of platform_managed, byok, disabled, or null to clear"})
+			return
+		}
+		writeErr = SetWorkspaceLLMBillingMode(c.Request.Context(), workspaceID, modeStr)
+	}
+
+	if errors.Is(writeErr, sql.ErrNoRows) {
+		c.JSON(http.StatusNotFound, gin.H{"error": "workspace not found"})
+		return
+	}
+	if writeErr != nil {
+		// Validation errors from SetWorkspaceLLMBillingMode (unknown mode
+		// string) come back as a plain error; map to 400.
+		if strings.HasPrefix(writeErr.Error(), "unknown billing mode") {
+			c.JSON(http.StatusBadRequest, gin.H{"error": writeErr.Error()})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "set workspace billing mode failed", "detail": writeErr.Error()})
+		return
+	}
+
+	// Read back the resolution so the response reflects post-write state.
+	orgMode := strings.ToLower(strings.TrimSpace(os.Getenv("MOLECULE_LLM_BILLING_MODE")))
+	res, resolveErr := ResolveLLMBillingMode(c.Request.Context(), workspaceID, orgMode)
+	if resolveErr != nil {
+		// Write succeeded but readback failed — still return 200 with the
+		// best-effort resolution; the safe default is set even on error.
+		c.JSON(http.StatusOK, gin.H{
+			"workspace_id":   workspaceID,
+			"resolved_mode":  res.ResolvedMode,
+			"readback_error": resolveErr.Error(),
+		})
+		return
+	}
+	c.JSON(http.StatusOK, res)
+}
@@ -0,0 +1,205 @@
+package handlers
+
+// llm_billing_mode_handler_test.go — admin route coverage for the per-workspace
+// LLM billing mode endpoint (internal#691).
+//
+// What this guards:
+//   - GET path validates UUID + returns the BillingModeResolution shape
+//   - PUT distinguishes "omitted mode" (400) from "explicit null" (clear)
+//     from "string value" (set), so a typo'd field name can't silently no-op
+//   - Unknown mode strings 400 from the validator, not from a PG CHECK
+//     constraint round-trip (matters because the error message must be
+//     actionable to a canvas user)
+//   - 404 propagates when the workspace row is missing on a set/clear
+
+import (
+	"bytes"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/DATA-DOG/go-sqlmock"
+	"github.com/gin-gonic/gin"
+)
+
+func init() {
+	gin.SetMode(gin.TestMode)
+}
+
+const testWSID = "44444444-4444-4444-4444-444444444444"
+
+func TestGetWorkspaceLLMBillingMode_HappyPath_InheritsOrgDefault(t *testing.T) {
+	t.Setenv("MOLECULE_LLM_BILLING_MODE", LLMBillingModeBYOK)
+	mock := setupTestDB(t)
+	// Workspace has no override → resolver returns org_default = byok.
+	mock.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
+		WithArgs(testWSID).
+		WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}).AddRow(nil))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: testWSID}}
+	c.Request = httptest.NewRequest("GET", "/admin/workspaces/"+testWSID+"/llm-billing-mode", nil)
+
+	GetWorkspaceLLMBillingMode(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("status: got %d want 200, body=%s", w.Code, w.Body.String())
+	}
+	var res BillingModeResolution
+	if err := json.Unmarshal(w.Body.Bytes(), &res); err != nil {
+		t.Fatalf("decode: %v", err)
+	}
+	if res.ResolvedMode != LLMBillingModeBYOK {
+		t.Errorf("resolved mode: got %q want %q", res.ResolvedMode, LLMBillingModeBYOK)
+	}
+	if res.Source != BillingModeSourceOrgDefault {
+		t.Errorf("source: got %q want %q", res.Source, BillingModeSourceOrgDefault)
+	}
+	if res.WorkspaceOverride != nil {
+		t.Errorf("expected nil override, got %v", *res.WorkspaceOverride)
+	}
+}
+
+func TestGetWorkspaceLLMBillingMode_BadUUID_400(t *testing.T) {
+	setupTestDB(t)
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "not-a-uuid"}}
+	c.Request = httptest.NewRequest("GET", "/admin/workspaces/not-a-uuid/llm-billing-mode", nil)
+	GetWorkspaceLLMBillingMode(c)
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("status: got %d want 400", w.Code)
+	}
+}
+
+func TestPutWorkspaceLLMBillingMode_SetByok(t *testing.T) {
+	t.Setenv("MOLECULE_LLM_BILLING_MODE", LLMBillingModePlatformManaged)
+	mock := setupTestDB(t)
+	mock.ExpectExec(`UPDATE workspaces SET llm_billing_mode = \$1 WHERE id = \$2`).
+		WithArgs(LLMBillingModeBYOK, testWSID).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+	// Readback after write.
+	mock.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
+		WithArgs(testWSID).
+		WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}).AddRow(LLMBillingModeBYOK))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: testWSID}}
+	body := `{"mode":"byok"}`
+	c.Request = httptest.NewRequest("PUT",
+		"/admin/workspaces/"+testWSID+"/llm-billing-mode",
+		bytes.NewBufferString(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	PutWorkspaceLLMBillingMode(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("status: got %d want 200, body=%s", w.Code, w.Body.String())
+	}
+	var res BillingModeResolution
+	if err := json.Unmarshal(w.Body.Bytes(), &res); err != nil {
+		t.Fatalf("decode: %v", err)
+	}
+	if res.ResolvedMode != LLMBillingModeBYOK {
+		t.Errorf("post-write resolved: got %q want %q", res.ResolvedMode, LLMBillingModeBYOK)
+	}
+	if res.Source != BillingModeSourceWorkspaceOverride {
+		t.Errorf("post-write source: got %q want %q", res.Source, BillingModeSourceWorkspaceOverride)
+	}
+}
+
+func TestPutWorkspaceLLMBillingMode_ExplicitNullClearsOverride(t *testing.T) {
+	t.Setenv("MOLECULE_LLM_BILLING_MODE", LLMBillingModePlatformManaged)
+	mock := setupTestDB(t)
+	mock.ExpectExec(`UPDATE workspaces SET llm_billing_mode = NULL WHERE id = \$1`).
+		WithArgs(testWSID).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
+		WithArgs(testWSID).
+		WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}).AddRow(nil))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: testWSID}}
+	body := `{"mode":null}`
+	c.Request = httptest.NewRequest("PUT",
+		"/admin/workspaces/"+testWSID+"/llm-billing-mode",
+		bytes.NewBufferString(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	PutWorkspaceLLMBillingMode(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("status: got %d want 200, body=%s", w.Code, w.Body.String())
+	}
+	var res BillingModeResolution
+	if err := json.Unmarshal(w.Body.Bytes(), &res); err != nil {
+		t.Fatalf("decode: %v", err)
+	}
+	if res.ResolvedMode != LLMBillingModePlatformManaged {
+		t.Errorf("post-clear resolved: got %q want %q", res.ResolvedMode, LLMBillingModePlatformManaged)
+	}
+	if res.Source != BillingModeSourceOrgDefault {
+		t.Errorf("post-clear source: got %q want %q", res.Source, BillingModeSourceOrgDefault)
+	}
+	if res.WorkspaceOverride != nil {
+		t.Errorf("post-clear override should be nil, got %v", *res.WorkspaceOverride)
+	}
+}
+
+func TestPutWorkspaceLLMBillingMode_MissingModeField_400(t *testing.T) {
+	setupTestDB(t)
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: testWSID}}
+	body := `{}`
+	c.Request = httptest.NewRequest("PUT",
+		"/admin/workspaces/"+testWSID+"/llm-billing-mode",
+		bytes.NewBufferString(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+	PutWorkspaceLLMBillingMode(c)
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("status: got %d want 400, body=%s", w.Code, w.Body.String())
+	}
+}
+
+func TestPutWorkspaceLLMBillingMode_UnknownMode_400(t *testing.T) {
+	setupTestDB(t)
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: testWSID}}
+	body := `{"mode":"totally-bogus"}`
+	c.Request = httptest.NewRequest("PUT",
+		"/admin/workspaces/"+testWSID+"/llm-billing-mode",
+		bytes.NewBufferString(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+	PutWorkspaceLLMBillingMode(c)
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("status: got %d want 400, body=%s", w.Code, w.Body.String())
+	}
+}
+
+func TestPutWorkspaceLLMBillingMode_NoSuchWorkspace_404(t *testing.T) {
+	mock := setupTestDB(t)
+	// SET path: rows affected = 0 → SetWorkspaceLLMBillingMode returns sql.ErrNoRows
+	// → handler maps to 404.
+	mock.ExpectExec(`UPDATE workspaces SET llm_billing_mode = \$1 WHERE id = \$2`).
+		WithArgs(LLMBillingModeBYOK, testWSID).
+		WillReturnResult(sqlmock.NewResult(0, 0))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: testWSID}}
+	body := `{"mode":"byok"}`
+	c.Request = httptest.NewRequest("PUT",
+		"/admin/workspaces/"+testWSID+"/llm-billing-mode",
+		bytes.NewBufferString(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+	PutWorkspaceLLMBillingMode(c)
+	if w.Code != http.StatusNotFound {
+		t.Fatalf("status: got %d want 404, body=%s", w.Code, w.Body.String())
+	}
+}
@@ -0,0 +1,261 @@
+package handlers
+
+// llm_billing_mode_test.go — table-driven tests for the per-workspace
+// resolver (internal#691). The cases below enumerate every documented
+// branch in the default-closed contract; if one of them flips behavior
+// later the test names will tell the reviewer exactly which RFC clause
+// regressed.
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/DATA-DOG/go-sqlmock"
+)
+
+func TestResolveLLMBillingMode_TableDriven(t *testing.T) {
+	ctx := context.Background()
+	const wsID = "11111111-1111-1111-1111-111111111111"
+
+	type want struct {
+		mode   string
+		source BillingModeSource
+		// hasOverride asserts whether the resolver surfaced the override
+		// value in the result (nil pointer = clean inherit, non-nil = the
+		// row was present even if it ultimately fell through because it
+		// was garbled). Lets us distinguish "row missing, fell through"
+		// from "row present but garbled, fell through" — both resolve to
+		// the same mode but the resolver tells operators which case it was.
+		hasOverride bool
+	}
+	type tc struct {
+		name        string
+		workspaceID string
+		orgMode     string
+		setupMock   func(m sqlmock.Sqlmock)
+		want        want
+		wantErr     bool
+	}
+
+	cases := []tc{
+		{
+			name:        "workspace_override_byok_overrides_pm_org",
+			workspaceID: wsID,
+			orgMode:     LLMBillingModePlatformManaged,
+			setupMock: func(m sqlmock.Sqlmock) {
+				m.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
+					WithArgs(wsID).
+					WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}).AddRow(LLMBillingModeBYOK))
+			},
+			want: want{mode: LLMBillingModeBYOK, source: BillingModeSourceWorkspaceOverride, hasOverride: true},
+		},
+		{
+			name:        "workspace_override_disabled_overrides_pm_org",
+			workspaceID: wsID,
+			orgMode:     LLMBillingModePlatformManaged,
+			setupMock: func(m sqlmock.Sqlmock) {
+				m.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
+					WithArgs(wsID).
+					WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}).AddRow(LLMBillingModeDisabled))
+			},
+			want: want{mode: LLMBillingModeDisabled, source: BillingModeSourceWorkspaceOverride, hasOverride: true},
+		},
+		{
+			name:        "workspace_override_null_inherits_byok_org",
+			workspaceID: wsID,
+			orgMode:     LLMBillingModeBYOK,
+			setupMock: func(m sqlmock.Sqlmock) {
+				m.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
+					WithArgs(wsID).
+					WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}).AddRow(nil))
+			},
+			want: want{mode: LLMBillingModeBYOK, source: BillingModeSourceOrgDefault, hasOverride: false},
+		},
+		{
+			name:        "workspace_override_null_inherits_pm_org",
+			workspaceID: wsID,
+			orgMode:     LLMBillingModePlatformManaged,
+			setupMock: func(m sqlmock.Sqlmock) {
+				m.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
+					WithArgs(wsID).
+					WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}).AddRow(nil))
+			},
+			want: want{mode: LLMBillingModePlatformManaged, source: BillingModeSourceOrgDefault, hasOverride: false},
+		},
+		{
+			name:        "workspace_override_garbled_falls_through_to_pm_org_DEFAULT_CLOSED",
+			workspaceID: wsID,
+			orgMode:     LLMBillingModePlatformManaged,
+			setupMock: func(m sqlmock.Sqlmock) {
+				// CHECK constraint would normally prevent this but if a future
+				// migration loosens it (or a direct UPDATE bypasses it on a
+				// non-PG driver in a test stub), a garbled value MUST NOT
+				// be honored as if it were valid. This is the default-closed
+				// safety axis the RFC calls out.
+				m.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
+					WithArgs(wsID).
+					WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}).AddRow("byokk"))
+			},
+			want: want{mode: LLMBillingModePlatformManaged, source: BillingModeSourceOrgDefault, hasOverride: true},
+		},
+		{
+			name:        "workspace_override_garbled_org_garbled_constant_fallback",
+			workspaceID: wsID,
+			orgMode:     "garbled-or-empty",
+			setupMock: func(m sqlmock.Sqlmock) {
+				m.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
+					WithArgs(wsID).
+					WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}).AddRow("nonsense"))
+			},
+			// Both layers garbled → constant fallback. Source is constant_fallback
+			// so operators can see the org-default-was-also-bad case explicitly.
+			want: want{mode: LLMBillingModePlatformManaged, source: BillingModeSourceConstantFallback, hasOverride: true},
+		},
+		{
+			name:        "workspace_row_missing_falls_through_to_org_byok",
+			workspaceID: wsID,
+			orgMode:     LLMBillingModeBYOK,
+			setupMock: func(m sqlmock.Sqlmock) {
+				m.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
+					WithArgs(wsID).
+					WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}))
+			},
+			want: want{mode: LLMBillingModeBYOK, source: BillingModeSourceOrgDefault, hasOverride: false},
+		},
+		{
+			name:        "workspace_id_empty_pre_provision_org_only",
+			workspaceID: "",
+			orgMode:     LLMBillingModeBYOK,
+			setupMock:   func(m sqlmock.Sqlmock) { /* no DB read expected — empty ws id short-circuits */ },
+			want:        want{mode: LLMBillingModeBYOK, source: BillingModeSourceOrgDefault, hasOverride: false},
+		},
+		{
+			name:        "workspace_id_empty_org_garbled_constant_fallback",
+			workspaceID: "",
+			orgMode:     "",
+			setupMock:   func(m sqlmock.Sqlmock) { /* no DB read */ },
+			want:        want{mode: LLMBillingModePlatformManaged, source: BillingModeSourceConstantFallback, hasOverride: false},
+		},
+		{
+			name:        "db_error_default_closed_to_pm_with_error",
+			workspaceID: wsID,
+			orgMode:     LLMBillingModeBYOK, // org says byok but DB errored — DO NOT honor org
+			setupMock: func(m sqlmock.Sqlmock) {
+				m.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
+					WithArgs(wsID).
+					WillReturnError(errors.New("connection refused"))
+			},
+			// Critical: even though orgMode=byok, a DB error means we can't
+			// confirm the workspace doesn't have an override, so we default
+			// to the closed mode. This is the safer of the two failures —
+			// silently flipping to org-byok on a DB error would leak the
+			// OAuth-keeping behavior to workspaces whose row says NULL.
+			want:    want{mode: LLMBillingModePlatformManaged, source: BillingModeSourceConstantFallback, hasOverride: false},
+			wantErr: true,
+		},
+	}
+
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			mock := setupTestDB(t)
+			c.setupMock(mock)
+
+			res, err := ResolveLLMBillingMode(ctx, c.workspaceID, c.orgMode)
+			if (err != nil) != c.wantErr {
+				t.Fatalf("err: got %v wantErr=%v", err, c.wantErr)
+			}
+			if res.ResolvedMode != c.want.mode {
+				t.Errorf("mode: got %q want %q", res.ResolvedMode, c.want.mode)
+			}
+			if res.Source != c.want.source {
+				t.Errorf("source: got %q want %q", res.Source, c.want.source)
+			}
+			if (res.WorkspaceOverride != nil) != c.want.hasOverride {
+				t.Errorf("hasOverride: got %v want %v (override=%v)",
+					res.WorkspaceOverride != nil, c.want.hasOverride, res.WorkspaceOverride)
+			}
+			if err := mock.ExpectationsWereMet(); err != nil {
+				t.Errorf("sqlmock expectations: %v", err)
+			}
+		})
+	}
+}
+
+// TestResolveLLMBillingMode_ResolvedModeIsAlwaysValid asserts the resolver's
+// post-condition: the returned mode is ALWAYS one of the three known enum
+// values, never an empty string and never a garbled passthrough. The strip
+// gate downstream relies on this so it can switch on res.ResolvedMode
+// without a separate is-valid check on every call site.
+func TestResolveLLMBillingMode_ResolvedModeIsAlwaysValid(t *testing.T) {
+	ctx := context.Background()
+	const wsID = "22222222-2222-2222-2222-222222222222"
+
+	// Throw a pathological row at the resolver: garbled override + garbled
+	// org default. Resolved mode must still be a recognized enum.
+	mock := setupTestDB(t)
+	mock.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
+		WithArgs(wsID).
+		WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}).AddRow("totally-bogus"))
+
+	res, err := ResolveLLMBillingMode(ctx, wsID, "also-bogus")
+	if err != nil {
+		t.Fatalf("unexpected err: %v", err)
+	}
+	if !isKnownBillingMode(res.ResolvedMode) {
+		t.Errorf("post-condition violated: resolved mode %q is not a known enum value", res.ResolvedMode)
+	}
+	if res.ResolvedMode != LLMBillingModePlatformManaged {
+		t.Errorf("default-closed contract: garbled-x-garbled must resolve to platform_managed, got %q", res.ResolvedMode)
+	}
+}
+
+// TestSetWorkspaceLLMBillingMode_Validation guards the SET path. The CHECK
+// constraint at the DB layer is the second line of defense; the route
+// handler relies on this function rejecting unknown modes with a clean
+// error (so it can map to 400) instead of letting them hit Postgres and
+// surfacing as a sql-driver error string.
+func TestSetWorkspaceLLMBillingMode_Validation(t *testing.T) {
+	ctx := context.Background()
+	const wsID = "33333333-3333-3333-3333-333333333333"
+
+	t.Run("rejects_unknown_mode_without_db_call", func(t *testing.T) {
+		setupTestDB(t) // mock expects nothing — the function must short-circuit
+		if err := SetWorkspaceLLMBillingMode(ctx, wsID, "totally-bogus"); err == nil {
+			t.Fatal("expected error for unknown mode, got nil")
+		}
+	})
+
+	t.Run("rejects_empty_workspace_id", func(t *testing.T) {
+		setupTestDB(t)
+		if err := SetWorkspaceLLMBillingMode(ctx, "", LLMBillingModeBYOK); err == nil {
+			t.Fatal("expected error for empty workspace id, got nil")
+		}
+	})
+
+	t.Run("clear_uses_NULL_update", func(t *testing.T) {
+		mock := setupTestDB(t)
+		mock.ExpectExec(`UPDATE workspaces SET llm_billing_mode = NULL WHERE id = \$1`).
+			WithArgs(wsID).
+			WillReturnResult(sqlmock.NewResult(0, 1))
+		if err := SetWorkspaceLLMBillingMode(ctx, wsID, ""); err != nil {
+			t.Fatalf("unexpected err: %v", err)
+		}
+		if err := mock.ExpectationsWereMet(); err != nil {
+			t.Fatal(err)
+		}
+	})
+
+	t.Run("set_byok_uses_value_update", func(t *testing.T) {
+		mock := setupTestDB(t)
+		mock.ExpectExec(`UPDATE workspaces SET llm_billing_mode = \$1 WHERE id = \$2`).
+			WithArgs(LLMBillingModeBYOK, wsID).
+			WillReturnResult(sqlmock.NewResult(0, 1))
+		if err := SetWorkspaceLLMBillingMode(ctx, wsID, LLMBillingModeBYOK); err != nil {
+			t.Fatalf("unexpected err: %v", err)
+		}
+		if err := mock.ExpectationsWereMet(); err != nil {
+			t.Fatal(err)
+		}
+	})
+}
@@ -14,9 +14,9 @@ import (

 	"errors"

-	"github.com/DATA-DOG/go-sqlmock"
 	"git.moleculesai.app/molecule-ai/molecule-core/workspace-server/internal/db"
 	"git.moleculesai.app/molecule-ai/molecule-core/workspace-server/internal/memory/contract"
+	"github.com/DATA-DOG/go-sqlmock"
 	"github.com/gin-gonic/gin"
 )

@@ -196,7 +196,7 @@ func TestMCPHandler_DelegateTask_RoutesThroughPlatformA2AProxy(t *testing.T) {

 	expectCanCommunicateSiblings(mock, callerID, targetID, parentID)
 	mock.ExpectExec(`(?s)INSERT INTO activity_logs.*'delegation'.*'delegate'`).
-		WithArgs(callerID, callerID, targetID, "Delegating to "+targetID, sqlmock.AnyArg()).
+		WithArgs(callerID, callerID, targetID, "Delegating to "+targetID, sqlmock.AnyArg(), "pending").
 		WillReturnResult(sqlmock.NewResult(1, 1))
 	mock.ExpectExec(`UPDATE activity_logs`).
 		WithArgs("dispatched", "", callerID, sqlmock.AnyArg()).
@@ -241,7 +241,7 @@ func TestMCPHandler_DelegateTaskAsync_RoutesThroughPlatformA2AProxy(t *testing.T

 	expectCanCommunicateSiblings(mock, callerID, targetID, parentID)
 	mock.ExpectExec(`(?s)INSERT INTO activity_logs.*'delegation'.*'delegate'`).
-		WithArgs(callerID, callerID, targetID, "Delegating to "+targetID, sqlmock.AnyArg()).
+		WithArgs(callerID, callerID, targetID, "Delegating to "+targetID, sqlmock.AnyArg(), "pending").
 		WillReturnResult(sqlmock.NewResult(1, 1))
 	mock.ExpectExec(`UPDATE activity_logs`).
 		WithArgs("dispatched", "", callerID, sqlmock.AnyArg()).
@@ -24,14 +24,17 @@ import (
 // Agent Comms tab can show the task text for MCP-initiated delegations.
 // Mirrors insertDelegationRow (delegation.go) for the MCP tool path.
 func insertMCPDelegationRow(ctx context.Context, db *sql.DB, workspaceID, targetID, delegationID, task string) error {
-	taskJSON, _ := json.Marshal(map[string]interface{}{
+	taskJSON, marshalErr := json.Marshal(map[string]interface{}{
 		"task":          task,
 		"delegation_id": delegationID,
 	})
+	if marshalErr != nil {
+		log.Printf("insertMCPDelegationRow %s: json.Marshal taskJSON failed: %v", delegationID, marshalErr)
+	}
 	_, err := db.ExecContext(ctx, `
 		INSERT INTO activity_logs (workspace_id, activity_type, method, source_id, target_id, summary, request_body, status)
-		VALUES ($1, 'delegation', 'delegate', $2, $3, $4, $5::jsonb, 'pending')
-	`, workspaceID, workspaceID, targetID, "Delegating to "+targetID, string(taskJSON))
+		VALUES ($1, 'delegation', 'delegate', $2, $3, $4, $5::jsonb, $6)
+	`, workspaceID, workspaceID, targetID, "Delegating to "+targetID, string(taskJSON), "pending")
 	return err
 }

@@ -138,7 +141,10 @@ func (h *MCPHandler) toolListPeers(ctx context.Context, workspaceID string) (str
 		return "No peers found.", nil
 	}

-	b, _ := json.MarshalIndent(peers, "", "  ")
+	b, marshalErr := json.MarshalIndent(peers, "", "  ")
+	if marshalErr != nil {
+		log.Printf("toolListPeers: json.MarshalIndent peers failed: %v", marshalErr)
+	}
 	return string(b), nil
 }

@@ -168,7 +174,10 @@ func (h *MCPHandler) toolGetWorkspaceInfo(ctx context.Context, workspaceID strin
 	if parentID.Valid {
 		info["parent_id"] = parentID.String
 	}
-	b, _ := json.MarshalIndent(info, "", "  ")
+	b, marshalErr := json.MarshalIndent(info, "", "  ")
+	if marshalErr != nil {
+		log.Printf("toolGetWorkspaceInfo %s: json.MarshalIndent info failed: %v", workspaceID, marshalErr)
+	}
 	return string(b), nil
 }

@@ -260,7 +269,7 @@ func (h *MCPHandler) toolDelegateTaskAsync(ctx context.Context, callerID string,
 		bgCtx, cancel := context.WithTimeout(context.Background(), mcpAsyncCallTimeout)
 		defer cancel()

-		a2aBody, _ := json.Marshal(map[string]interface{}{
+		a2aBody, marshalErr := json.Marshal(map[string]interface{}{
 			"jsonrpc": "2.0",
 			"id":      delegationID,
 			"method":  "message/send",
@@ -272,6 +281,9 @@ func (h *MCPHandler) toolDelegateTaskAsync(ctx context.Context, callerID string,
 				},
 			},
 		})
+		if marshalErr != nil {
+			log.Printf("toolDelegateTask %s: json.Marshal a2aBody failed: %v", delegationID, marshalErr)
+		}

 		status, _, err := h.proxyA2ARequest(bgCtx, targetID, a2aBody, callerID, true)
 		if err != nil || status < 200 || status >= 300 {
@@ -327,7 +339,10 @@ func (h *MCPHandler) toolCheckTaskStatus(ctx context.Context, callerID string, a
 	if len(responseBody) > 0 {
 		result["result"] = extractA2AText(responseBody)
 	}
-	b, _ := json.MarshalIndent(result, "", "  ")
+	b, marshalErr := json.MarshalIndent(result, "", "  ")
+	if marshalErr != nil {
+		log.Printf("toolCheckTaskStatus: json.MarshalIndent result failed: %v", marshalErr)
+	}
 	return string(b), nil
 }

@@ -482,6 +497,9 @@ func extractA2AText(body []byte) string {
 	}

 	// Fallback: marshal result as JSON.
-	b, _ := json.Marshal(result)
+	b, marshalErr := json.Marshal(result)
+	if marshalErr != nil {
+		log.Printf("extractA2AText: json.Marshal result failed: %v", marshalErr)
+	}
 	return string(b)
 }
@@ -25,6 +25,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"log"
 	"strings"

 	"git.moleculesai.app/molecule-ai/molecule-core/workspace-server/internal/memory/contract"
@@ -190,7 +191,10 @@ func (h *MCPHandler) recallMemoryLegacyShim(ctx context.Context, workspaceID str
 	if len(out) == 0 {
 		return "No memories found.", nil
 	}
-	b, _ := json.MarshalIndent(out, "", "  ")
+	b, marshalErr := json.MarshalIndent(out, "", "  ")
+	if marshalErr != nil {
+		log.Printf("toolRecallMemory: json.MarshalIndent out failed: %v", marshalErr)
+	}
 	return string(b), nil
 }

@@ -163,7 +163,10 @@ func (h *MCPHandler) toolCommitMemoryV2(ctx context.Context, workspaceID string,
 	summary := "commit_memory to " + ns
 	logMemoryMCPActivity(ctx, h.broadcaster, workspaceID, "memory_write", resp.ID, ns, &summary)

-	out, _ := json.Marshal(resp)
+	out, marshalErr := json.Marshal(resp)
+	if marshalErr != nil {
+		log.Printf("toolCommitMemoryV2 %s: json.Marshal resp failed: %v", workspaceID, marshalErr)
+	}
 	return string(out), nil
 }

@@ -217,7 +220,10 @@ func (h *MCPHandler) toolSearchMemory(ctx context.Context, workspaceID string, a
 		}
 	}

-	out, _ := json.Marshal(resp)
+	out, marshalErr := json.Marshal(resp)
+	if marshalErr != nil {
+		log.Printf("toolSearchMemory %s: json.Marshal resp failed: %v", workspaceID, marshalErr)
+	}
 	return string(out), nil
 }

@@ -272,7 +278,10 @@ func (h *MCPHandler) toolCommitSummary(ctx context.Context, workspaceID string,
 	summary := "commit_summary to " + ns
 	logMemoryMCPActivity(ctx, h.broadcaster, workspaceID, "memory_summary_write", resp.ID, ns, &summary)

-	out, _ := json.Marshal(resp)
+	out, marshalErr := json.Marshal(resp)
+	if marshalErr != nil {
+		log.Printf("toolCommitSummary %s: json.Marshal resp failed: %v", workspaceID, marshalErr)
+	}
 	return string(out), nil
 }

@@ -288,7 +297,10 @@ func (h *MCPHandler) toolListWritableNamespaces(ctx context.Context, workspaceID
 	if err != nil {
 		return "", fmt.Errorf("resolve writable: %w", err)
 	}
-	b, _ := json.MarshalIndent(ns, "", "  ")
+	b, marshalErr := json.MarshalIndent(ns, "", "  ")
+	if marshalErr != nil {
+		log.Printf("toolListWritableNamespaces %s: json.MarshalIndent ns failed: %v", workspaceID, marshalErr)
+	}
 	return string(b), nil
 }

@@ -300,7 +312,10 @@ func (h *MCPHandler) toolListReadableNamespaces(ctx context.Context, workspaceID
 	if err != nil {
 		return "", fmt.Errorf("resolve readable: %w", err)
 	}
-	b, _ := json.MarshalIndent(ns, "", "  ")
+	b, marshalErr := json.MarshalIndent(ns, "", "  ")
+	if marshalErr != nil {
+		log.Printf("toolListReadableNamespaces %s: json.MarshalIndent ns failed: %v", workspaceID, marshalErr)
+	}
 	return string(b), nil
 }

@@ -1,8 +1,12 @@
 package handlers

 import (
+	"context"
 	"encoding/json"
 	"testing"
+
+	"git.moleculesai.app/molecule-ai/molecule-core/workspace-server/internal/db"
+	"github.com/DATA-DOG/go-sqlmock"
 )

 // ─────────────────────────────────────────────────────────────────────────────
@@ -191,3 +195,115 @@ func TestExtractA2AText_PriorityArtifactsOverMessage(t *testing.T) {
 		t.Errorf("artifacts should take priority: got %q, want %q", got, want)
 	}
 }
+
+// ─────────────────────────────────────────────────────────────────────────────
+// insertMCPDelegationRow tests
+// ─────────────────────────────────────────────────────────────────────────────
+
+func TestInsertMCPDelegationRow_Success(t *testing.T) {
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })
+
+	mock.ExpectExec(`INSERT INTO activity_logs`).
+		WithArgs("ws-src", "ws-src", "ws-tgt", "Delegating to ws-tgt", sqlmock.AnyArg(), "pending").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	err = insertMCPDelegationRow(context.Background(), mockDB, "ws-src", "ws-tgt", "del-123", "summarise the report")
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("sqlmock expectations: %v", err)
+	}
+}
+
+func TestInsertMCPDelegationRow_DBError(t *testing.T) {
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })
+
+	mock.ExpectExec(`INSERT INTO activity_logs`).
+		WithArgs("ws-src", "ws-src", "ws-tgt", sqlmock.AnyArg(), sqlmock.AnyArg(), "pending").
+		WillReturnError(context.DeadlineExceeded)
+
+	err = insertMCPDelegationRow(context.Background(), mockDB, "ws-src", "ws-tgt", "del-456", "check the logs")
+	if err == nil {
+		t.Error("expected error, got nil")
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("sqlmock expectations: %v", err)
+	}
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// updateMCPDelegationStatus tests
+// ─────────────────────────────────────────────────────────────────────────────
+
+func TestUpdateMCPDelegationStatus_Success(t *testing.T) {
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })
+
+	mock.ExpectExec(`UPDATE activity_logs`).
+		WithArgs("completed", "", "ws-src", "del-789").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	// Should not panic, should not error
+	updateMCPDelegationStatus(context.Background(), mockDB, "ws-src", "del-789", "completed", "")
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("sqlmock expectations: %v", err)
+	}
+}
+
+func TestUpdateMCPDelegationStatus_WithErrorDetail(t *testing.T) {
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })
+
+	mock.ExpectExec(`UPDATE activity_logs`).
+		WithArgs("failed", "timeout", "ws-src", "del-000").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	updateMCPDelegationStatus(context.Background(), mockDB, "ws-src", "del-000", "failed", "timeout")
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("sqlmock expectations: %v", err)
+	}
+}
+
+func TestUpdateMCPDelegationStatus_DBError_LoggedNotReturned(t *testing.T) {
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })
+
+	mock.ExpectExec(`UPDATE activity_logs`).
+		WithArgs("failed", sqlmock.AnyArg(), "ws-src", "del-abc").
+		WillReturnError(context.DeadlineExceeded)
+
+	// Function returns no value — error is logged, not propagated.
+	// Verify it does not panic.
+	updateMCPDelegationStatus(context.Background(), mockDB, "ws-src", "del-abc", "failed", "connection refused")
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("sqlmock expectations: %v", err)
+	}
+}
@@ -240,11 +240,14 @@ func (h *MemoriesHandler) Commit(c *gin.Context) {
 		// Hash the sanitised content so the audit trail reflects what was
 		// actually persisted (not the raw, potentially secret-bearing input).
 		sum := sha256.Sum256([]byte(content))
-		auditBody, _ := json.Marshal(map[string]string{
+		auditBody, marshalErr := json.Marshal(map[string]string{
 			"memory_id":      memoryID,
 			"namespace":      nsName,
 			"content_sha256": hex.EncodeToString(sum[:]),
 		})
+		if marshalErr != nil {
+			log.Printf("Commit %s: json.Marshal auditBody failed: %v", workspaceID, marshalErr)
+		}
 		summary := "GLOBAL memory written: id=" + memoryID + " namespace=" + nsName
 		if _, auditErr := db.DB.ExecContext(ctx, `
 			INSERT INTO activity_logs (workspace_id, activity_type, source_id, summary, request_body, status)
@@ -260,3 +263,60 @@ func (h *MemoriesHandler) Commit(c *gin.Context) {
 	// namespace — the latter is an internal storage detail.
 	c.JSON(http.StatusCreated, gin.H{"id": memoryID, "scope": body.Scope, "namespace": namespace})
 }
+
+// Search handles GET /workspaces/:id/memories (legacy v1 read path).
+//
+// Phase A3 (#1792) removed the original v1 Search because it read the frozen
+// agent_memories table. This shim restores the endpoint for old callers
+// (AwarenessClient, runtime SDKs) by proxying through the v2 plugin and
+// reshaping the response to the legacy contract.
+func (h *MemoriesHandler) Search(c *gin.Context) {
+	workspaceID := c.Param("id")
+	ctx := c.Request.Context()
+
+	if h.memv2 == nil {
+		c.JSON(http.StatusServiceUnavailable, gin.H{
+			"error": "memory plugin is not configured (set MEMORY_PLUGIN_URL)",
+		})
+		return
+	}
+
+	readable, err := h.memv2.resolver.ReadableNamespaces(ctx, workspaceID)
+	if err != nil {
+		log.Printf("memories search: resolve readable namespaces for %s failed: %v", workspaceID, err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to resolve readable namespaces"})
+		return
+	}
+	nsNames := make([]string, len(readable))
+	for i, ns := range readable {
+		nsNames[i] = ns.Name
+	}
+
+	resp, err := h.memv2.plugin.Search(ctx, contract.SearchRequest{
+		Namespaces: nsNames,
+		Limit:      50,
+	})
+	if err != nil {
+		log.Printf("memories search: plugin search for %s failed: %v", workspaceID, err)
+		c.JSON(http.StatusBadGateway, gin.H{"error": "memory plugin search failed"})
+		return
+	}
+
+	type legacyEntry struct {
+		ID        string `json:"id"`
+		Content   string `json:"content"`
+		Scope     string `json:"scope"`
+		CreatedAt string `json:"created_at"`
+	}
+	out := make([]legacyEntry, 0, len(resp.Memories))
+	for _, m := range resp.Memories {
+		scope := namespaceKindToLegacyScope(m.Namespace)
+		out = append(out, legacyEntry{
+			ID:        m.ID,
+			Content:   m.Content,
+			Scope:     scope,
+			CreatedAt: m.CreatedAt.Format("2006-01-02T15:04:05Z"),
+		})
+	}
+	c.JSON(http.StatusOK, out)
+}
@@ -4,10 +4,12 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"
+	"time"

 	"github.com/DATA-DOG/go-sqlmock"
 	"git.moleculesai.app/molecule-ai/molecule-core/workspace-server/internal/memory/contract"
@@ -193,6 +195,114 @@ func TestMemoriesCommit_MissingFields(t *testing.T) {

 // ---------- MemoriesHandler: Search ----------

+func TestMemoriesSearch_Success(t *testing.T) {
+	setupTestDB(t)
+	setupTestRedis(t)
+	plugin := &stubMemoryPlugin{
+		searchFn: func(_ context.Context, body contract.SearchRequest) (*contract.SearchResponse, error) {
+			return &contract.SearchResponse{
+				Memories: []contract.Memory{
+					{ID: "mem-1", Namespace: "workspace:ws-1", Content: "fact A", CreatedAt: time.Date(2026, 5, 25, 10, 0, 0, 0, time.UTC)},
+					{ID: "mem-2", Namespace: "team:team-1", Content: "fact B", CreatedAt: time.Date(2026, 5, 25, 11, 0, 0, 0, time.UTC)},
+				},
+			}, nil
+		},
+	}
+	resolver := &stubNamespaceResolver{
+		readable: []namespace.Namespace{
+			{Name: "workspace:ws-1", Kind: contract.NamespaceKindWorkspace},
+			{Name: "team:team-1", Kind: contract.NamespaceKindTeam},
+		},
+	}
+	handler := NewMemoriesHandler().withMemoryV2APIs(plugin, resolver)
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "ws-1"}}
+	c.Request = httptest.NewRequest("GET", "/", nil)
+
+	handler.Search(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var resp []map[string]interface{}
+	json.Unmarshal(w.Body.Bytes(), &resp)
+	if len(resp) != 2 {
+		t.Fatalf("expected 2 results, got %d", len(resp))
+	}
+	if resp[0]["id"] != "mem-1" {
+		t.Errorf("expected id mem-1, got %v", resp[0]["id"])
+	}
+	if resp[0]["scope"] != "LOCAL" {
+		t.Errorf("expected scope LOCAL, got %v", resp[0]["scope"])
+	}
+	if resp[1]["scope"] != "TEAM" {
+		t.Errorf("expected scope TEAM, got %v", resp[1]["scope"])
+	}
+}
+
+func TestMemoriesSearch_NoPlugin_503(t *testing.T) {
+	setupTestDB(t)
+	setupTestRedis(t)
+	handler := NewMemoriesHandler()
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "ws-1"}}
+	c.Request = httptest.NewRequest("GET", "/", nil)
+
+	handler.Search(c)
+
+	if w.Code != http.StatusServiceUnavailable {
+		t.Errorf("expected 503, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestMemoriesSearch_ResolverError_500(t *testing.T) {
+	setupTestDB(t)
+	setupTestRedis(t)
+	plugin := &stubMemoryPlugin{}
+	resolver := &stubNamespaceResolver{err: errors.New("resolver down")}
+	handler := NewMemoriesHandler().withMemoryV2APIs(plugin, resolver)
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "ws-1"}}
+	c.Request = httptest.NewRequest("GET", "/", nil)
+
+	handler.Search(c)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Errorf("expected 500, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestMemoriesSearch_PluginError_502(t *testing.T) {
+	setupTestDB(t)
+	setupTestRedis(t)
+	plugin := &stubMemoryPlugin{
+		searchFn: func(_ context.Context, _ contract.SearchRequest) (*contract.SearchResponse, error) {
+			return nil, errors.New("plugin timeout")
+		},
+	}
+	resolver := &stubNamespaceResolver{
+		readable: []namespace.Namespace{{Name: "workspace:ws-1", Kind: contract.NamespaceKindWorkspace}},
+	}
+	handler := NewMemoriesHandler().withMemoryV2APIs(plugin, resolver)
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "ws-1"}}
+	c.Request = httptest.NewRequest("GET", "/", nil)
+
+	handler.Search(c)
+
+	if w.Code != http.StatusBadGateway {
+		t.Errorf("expected 502, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
 // ---------- MemoriesHandler: Delete ----------

 // ---------- nextArg helper ----------
@@ -2,6 +2,7 @@ package handlers

 import (
 	"os"
+	"os/exec"
 	"path/filepath"
 	"strings"
 	"testing"
@@ -9,6 +10,16 @@ import (
 	"gopkg.in/yaml.v3"
 )

+// runCmd wraps exec.Command for convenience in tests.
+func runCmd(name string, args ...string) (exitCode int, stdout, stderr string) {
+	cmd := exec.Command(name, args...)
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		return -1, string(out), err.Error()
+	}
+	return 0, string(out), ""
+}
+
 // resolveYAMLIncludes is the preprocessor Phase 3 uses to split org.yaml
 // into per-team / per-role files. These tests cover the happy path,
 // nested includes, path traversal defense, cycle detection, depth cap,
@@ -191,31 +202,31 @@ func TestResolveYAMLIncludes_SiblingDirAccess(t *testing.T) {
 // resolves cleanly via !include and unmarshal into OrgTemplate produces
 // the full workspace tree. Guards against split regressions landing on
 // main before they can be caught by a deploy.
+//
+// Previously skipped because /org-templates/molecule-dev/ was a stale
+// in-tree copy with a broken !include graph. The extraction completed
+// and the canonical copy now lives at molecule-ai/molecule-ai-org-template-
+// molecule-dev. This test fetches it via HTTPS (no token needed — the repo
+// is public) to exercise the real include resolution on every CI run.
 func TestResolveYAMLIncludes_RealMoleculeDev(t *testing.T) {
-	// The in-tree copy at /org-templates/molecule-dev/ is being removed
-	// in favor of the standalone Molecule-AI/molecule-ai-org-template-
-	// molecule-dev repo (see .gitignore comment). Until that removal
-	// lands, the in-tree copy is stale and its !include graph is broken
-	// (teams/dev.yaml references missing core-platform.yaml etc.), so
-	// this integration test is skipped. Re-enable once the extraction
-	// PR lands and this test is rewritten to fetch the standalone repo
-	// or replaced with a self-contained fixture.
-	t.Skip("org-templates/molecule-dev is being extracted to a standalone repo; see .gitignore comment")
-
-	// Locate the monorepo root from the test file location.
-	// Test runs in platform/internal/handlers/; org template is at
-	// ../../../org-templates/molecule-dev/org.yaml.
-	here, err := os.Getwd()
-	if err != nil {
-		t.Fatalf("getwd: %v", err)
+	if _, err := exec.LookPath("git"); err != nil {
+		t.Skip("git not available in this runtime")
 	}
-	orgDir := filepath.Clean(filepath.Join(here, "..", "..", "..", "org-templates", "molecule-dev"))
-	orgFile := filepath.Join(orgDir, "org.yaml")
+	tmp := t.TempDir()
+	// Clone the canonical standalone org template. No token needed — the
+	// repo is public on the same Gitea instance.
+	res, _, _ := runCmd("git", "clone", "--depth", "1",
+		"https://git.moleculesai.app/molecule-ai/molecule-ai-org-template-molecule-dev.git",
+		tmp)
+	if res != 0 {
+		t.Skipf("could not clone standalone org template (skipping integration test): exit %d", res)
+	}
+	orgFile := filepath.Join(tmp, "org.yaml")
 	data, err := os.ReadFile(orgFile)
 	if err != nil {
-		t.Skipf("molecule-dev/org.yaml not found (skipping integration test): %v", err)
+		t.Skipf("org.yaml not found in standalone clone (skipping integration test): %v", err)
 	}
-	expanded, err := resolveYAMLIncludes(data, orgDir)
+	expanded, err := resolveYAMLIncludes(data, tmp)
 	if err != nil {
 		t.Fatalf("resolveYAMLIncludes on real org.yaml: %v", err)
 	}
@@ -223,17 +234,18 @@ func TestResolveYAMLIncludes_RealMoleculeDev(t *testing.T) {
 	if err := yaml.Unmarshal(expanded, &tmpl); err != nil {
 		t.Fatalf("unmarshal expanded yaml: %v", err)
 	}
-	// Sanity: should have PM + Marketing Lead at top, and PM should have
-	// at least Research Lead, Dev Lead, Documentation Specialist, Triage
-	// Operator as children (the Phase 3 split targets).
-	if len(tmpl.Workspaces) < 2 {
-		t.Fatalf("expected ≥2 top-level workspaces, got %d", len(tmpl.Workspaces))
+	// Sanity: should have PM + Marketing Lead + Dev Lead (via !external) at
+	// top. PM's direct children were slimmed in Phase 3d: Dev Lead and its
+	// subtree moved to molecule-dev-department, so PM now has Research Lead
+	// as its only direct child.
+	if len(tmpl.Workspaces) < 3 {
+		t.Fatalf("expected ≥3 top-level workspaces, got %d", len(tmpl.Workspaces))
 	}
 	names := map[string]bool{}
 	for _, w := range tmpl.Workspaces {
 		names[w.Name] = true
 	}
-	for _, want := range []string{"PM", "Marketing Lead"} {
+	for _, want := range []string{"PM", "Marketing Lead", "Dev Lead"} {
 		if !names[want] {
 			t.Errorf("expected top-level workspace %q, not found", want)
 		}
@@ -245,8 +257,8 @@ func TestResolveYAMLIncludes_RealMoleculeDev(t *testing.T) {
 			break
 		}
 	}
-	if pm == nil || len(pm.Children) < 4 {
-		t.Errorf("PM should have ≥4 children after include resolution, got %d", len(pm.Children))
+	if pm == nil || len(pm.Children) < 1 {
+		t.Errorf("PM should have ≥1 child after include resolution, got %d", len(pm.Children))
 	}
 }

@@ -270,3 +282,8 @@ workspaces:
 		t.Errorf("no-op changed semantics; orig=%+v expanded=%+v", orig, expanded)
 	}
 }
+
+// TestResolveYAMLIncludes_RealMoleculeDev clones molecule-ai-org-template-molecule-dev
+// via HTTPS and validates the full org include resolution. The exec.LookPath guard
+// ensures the test skips gracefully when git is unavailable in the runtime.
+// CI trigger: 2026-05-25T06:07 UTC
@@ -1,6 +1,7 @@
 package handlers

 import (
+	"io"
 	"log"
 	"net/http"

@@ -68,7 +69,10 @@ type createOrgTokenResponse struct {
 func (h *OrgTokenHandler) Create(c *gin.Context) {
 	var req createOrgTokenRequest
 	// Optional body — an empty POST should still work (unnamed token).
-	_ = c.ShouldBindJSON(&req)
+	if err := c.ShouldBindJSON(&req); err != nil && err != io.EOF {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid JSON body"})
+		return
+	}
 	if len(req.Name) > 100 {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "name too long (max 100 chars)"})
 		return
@@ -530,7 +530,9 @@ func (h *RegistryHandler) Heartbeat(c *gin.Context) {

 	// Read previous current_task to detect changes (before the UPDATE)
 	var prevTask string
-	_ = db.DB.QueryRowContext(ctx, `SELECT COALESCE(current_task, '') FROM workspaces WHERE id = $1`, payload.WorkspaceID).Scan(&prevTask)
+	if err := db.DB.QueryRowContext(ctx, `SELECT COALESCE(current_task, '') FROM workspaces WHERE id = $1`, payload.WorkspaceID).Scan(&prevTask); err != nil {
+		log.Printf("registry heartbeat: prev_task query failed for workspace %s: %v", payload.WorkspaceID, err)
+	}

 	// #615: Clamp monthly_spend to a safe range before any DB write.
 	// A malicious or buggy agent could report math.MaxInt64, causing
@@ -812,10 +814,12 @@ func (h *RegistryHandler) evaluateStatus(c *gin.Context, payload models.Heartbea
 	// timeouts, retry logic, and activity_logs wiring.
 	if h.drainQueue != nil {
 		var maxConcurrent int
-		_ = db.DB.QueryRowContext(ctx,
+		if err := db.DB.QueryRowContext(ctx,
 			`SELECT COALESCE(max_concurrent_tasks, 1) FROM workspaces WHERE id = $1`,
 			payload.WorkspaceID,
-		).Scan(&maxConcurrent)
+		).Scan(&maxConcurrent); err != nil {
+			log.Printf("registry heartbeat: max_concurrent query failed for workspace %s: %v", payload.WorkspaceID, err)
+		}
 		if payload.ActiveTasks < maxConcurrent {
 			// context.WithoutCancel: heartbeat handler's ctx is about to
 			// expire as soon as we return. The drain needs to outlive it.
@@ -80,7 +80,10 @@ func (h *WorkspaceHandler) gracefulPreRestart(ctx context.Context, workspaceID s
 			},
 			"id": nil,
 		}
-		body, _ := json.Marshal(payload)
+		body, marshalErr := json.Marshal(payload)
+		if marshalErr != nil {
+			log.Printf("A2AGracefulRestart %s: json.Marshal payload failed: %v", workspaceID, marshalErr)
+		}

 		req, reqErr := http.NewRequestWithContext(signalCtx, http.MethodPost, url, bytes.NewReader(body))
 		if reqErr != nil {
@@ -288,7 +288,12 @@ func (h *ScheduleHandler) Update(c *gin.Context) {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to update schedule"})
 		return
 	}
-	n, _ := result.RowsAffected()
+	n, err := result.RowsAffected()
+	if err != nil {
+		log.Printf("Schedules.Update: RowsAffected error: %v", err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to update schedule"})
+		return
+	}
 	if n == 0 {
 		c.JSON(http.StatusNotFound, gin.H{"error": "schedule not found"})
 		return
@@ -321,7 +326,12 @@ func (h *ScheduleHandler) Delete(c *gin.Context) {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to delete schedule"})
 		return
 	}
-	n, _ := result.RowsAffected()
+	n, err := result.RowsAffected()
+	if err != nil {
+		log.Printf("Schedules.Delete: RowsAffected error: %v", err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to delete schedule"})
+		return
+	}
 	if n == 0 {
 		c.JSON(http.StatusNotFound, gin.H{"error": "schedule not found"})
 		return
@@ -5,7 +5,9 @@ import (
 	"database/sql"
 	"log"
 	"net/http"
+	"os"
 	"regexp"
+	"strings"

 	"git.moleculesai.app/molecule-ai/molecule-core/workspace-server/internal/audit"
 	"git.moleculesai.app/molecule-ai/molecule-core/workspace-server/internal/crypto"
@@ -16,6 +18,95 @@ import (

 var uuidRegex = regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)

+var platformManagedDirectLLMBypassKeys = map[string]struct{}{
+	"AI_GATEWAY_API_KEY":      {},
+	"ANTHROPIC_API_KEY":       {},
+	"ANTHROPIC_AUTH_TOKEN":    {},
+	"ARCEEAI_API_KEY":         {},
+	"CLAUDE_CODE_OAUTH_TOKEN": {},
+	"DASHSCOPE_API_KEY":       {},
+	"DEEPSEEK_API_KEY":        {},
+	"GEMINI_API_KEY":          {},
+	"GLM_API_KEY":             {},
+	"HERMES_CUSTOM_API_KEY":   {},
+	"HERMES_CUSTOM_BASE_URL":  {},
+	"HF_TOKEN":                {},
+	"KIMI_API_KEY":            {},
+	"KIMI_CN_API_KEY":         {},
+	"MINIMAX_API_KEY":         {},
+	"MINIMAX_CN_API_KEY":      {},
+	"NOUS_API_KEY":            {},
+	"OPENAI_API_KEY":          {},
+	"OPENAI_BASE_URL":         {},
+	"OPENROUTER_API_KEY":      {},
+	"XAI_API_KEY":             {},
+	"ZAI_API_KEY":             {},
+}
+
+func isPlatformManagedDirectLLMBypassKey(key string) bool {
+	_, ok := platformManagedDirectLLMBypassKeys[strings.ToUpper(strings.TrimSpace(key))]
+	return ok
+}
+
+// platformManagedLLMModeForWorkspace replaces the org-level platformManagedLLMMode
+// gate with a per-workspace resolved-mode check (internal#691). The strip-list
+// is enforced ONLY when this specific workspace's resolved mode is
+// platform_managed — a workspace with a byok override is allowed to write its
+// own CLAUDE_CODE_OAUTH_TOKEN / vendor key via the canvas Secrets tab.
+//
+// Default-closed: if the resolver hits a DB error, falls back to
+// platform_managed (the safe-default behavior), so a transient DB failure
+// during a secret write still rejects the bypass-list keys — fail safer not
+// freer. This matches the resolver's documented contract.
+func platformManagedLLMModeForWorkspace(c *gin.Context, workspaceID string) bool {
+	orgMode := strings.ToLower(strings.TrimSpace(os.Getenv("MOLECULE_LLM_BILLING_MODE")))
+	res, err := ResolveLLMBillingMode(c.Request.Context(), workspaceID, orgMode)
+	if err != nil {
+		log.Printf("secrets: resolve billing mode for workspace=%s failed: %v (defaulting to platform_managed for safety)", workspaceID, err)
+	}
+	return strings.EqualFold(res.ResolvedMode, LLMBillingModePlatformManaged)
+}
+
+// platformManagedLLMMode is the legacy org-level gate retained for any test
+// harness still asserting the env-var-only behavior. Production code paths
+// must call platformManagedLLMModeForWorkspace instead so a workspace-level
+// byok override actually takes effect on the secrets-write path.
+func platformManagedLLMMode() bool {
+	return strings.EqualFold(strings.TrimSpace(os.Getenv("MOLECULE_LLM_BILLING_MODE")), "platform_managed")
+}
+
+// rejectPlatformManagedDirectLLMBypassForWorkspace is the per-workspace
+// successor to rejectPlatformManagedDirectLLMBypass (internal#691). The
+// strip-list ONLY applies when this specific workspace resolves to
+// platform_managed; byok/disabled workspaces can write their own vendor keys.
+func rejectPlatformManagedDirectLLMBypassForWorkspace(c *gin.Context, workspaceID, key string) bool {
+	if !platformManagedLLMModeForWorkspace(c, workspaceID) || !isPlatformManagedDirectLLMBypassKey(key) {
+		return false
+	}
+	c.JSON(http.StatusBadRequest, gin.H{
+		"error":        "direct vendor key writes are blocked for platform-managed workspaces; use MODEL/LLM_PROVIDER or the platform LLM proxy env instead, or set this workspace's billing mode to 'byok' via /admin/workspaces/:id/llm-billing-mode",
+		"key":          key,
+		"workspace_id": workspaceID,
+	})
+	return true
+}
+
+// rejectPlatformManagedDirectLLMBypass is the legacy org-level shim. Retained
+// only for backwards compatibility with any external/test caller still on the
+// old shape; new code MUST use the per-workspace variant above. Production
+// code paths (the secrets.go handlers + workspace.go create-secret path) all
+// switched in internal#691.
+func rejectPlatformManagedDirectLLMBypass(c *gin.Context, key string) bool {
+	if !platformManagedLLMMode() || !isPlatformManagedDirectLLMBypassKey(key) {
+		return false
+	}
+	c.JSON(http.StatusBadRequest, gin.H{
+		"error": "direct Hermes custom provider secrets are blocked for platform-managed LLM workspaces; use MODEL/LLM_PROVIDER or the platform LLM proxy env instead",
+		"key":   key,
+	})
+	return true
+}
+
 type SecretsHandler struct {
 	restartFunc func(workspaceID string) // Optional: auto-restart after secret change
 }
@@ -238,6 +329,9 @@ func (h *SecretsHandler) Set(c *gin.Context) {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid request body"})
 		return
 	}
+	if rejectPlatformManagedDirectLLMBypassForWorkspace(c, workspaceID, body.Key) {
+		return
+	}

 	// Encrypt the value (AES-256-GCM if SECRETS_ENCRYPTION_KEY is set, plaintext otherwise)
 	encrypted, err := crypto.Encrypt([]byte(body.Value))
@@ -307,6 +401,8 @@ func (h *SecretsHandler) Delete(c *gin.Context) {
 	rows, err := result.RowsAffected()
 	if err != nil {
 		log.Printf("DeleteWorkspace: RowsAffected error: %v", err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to delete secret"})
+		return
 	}
 	if rows == 0 {
 		c.JSON(http.StatusNotFound, gin.H{"error": "secret not found"})
@@ -380,6 +476,9 @@ func (h *SecretsHandler) SetGlobal(c *gin.Context) {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid request body"})
 		return
 	}
+	if rejectPlatformManagedDirectLLMBypass(c, body.Key) {
+		return
+	}

 	encrypted, err := crypto.Encrypt([]byte(body.Value))
 	if err != nil {
@@ -488,6 +587,8 @@ func (h *SecretsHandler) DeleteGlobal(c *gin.Context) {
 	rows, err := result.RowsAffected()
 	if err != nil {
 		log.Printf("DeleteGlobal: RowsAffected error: %v", err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to delete"})
+		return
 	}
 	if rows == 0 {
 		c.JSON(http.StatusNotFound, gin.H{"error": "secret not found"})
@@ -0,0 +1,180 @@
+package handlers
+
+// template_schedules.go — read a workspace template's `schedules:`
+// block and seed workspace_schedules with source='template'. Mirrors
+// the org/import flow (org_import.go) so a workspace created directly
+// from a workspace template (e.g. via WorkspaceHandler.Create) lands
+// with the same schedule grid the org/import path would have produced.
+//
+// Issue #24 contract (also enforced by org_import + schedules.go):
+//   - INSERT new rows with source='template'
+//   - On (workspace_id, name) collision, only refresh template-source
+//     rows; runtime-added rows survive re-provisioning untouched
+//   - Never DELETE (additive only)
+//
+// The actual INSERT statement is the canonical orgImportScheduleSQL
+// defined in org.go — reused here verbatim so the four guarantees
+// stay in one place.
+//
+// Hostile-template defenses (a tenant can upload a config.yaml via
+// POST /templates/import or webhook-sync a repo they control):
+//   - config.yaml is loaded through a 1 MiB LimitReader so a YAML
+//     anchor-bomb / billion-laughs cannot pre-explode memory before
+//     unmarshal returns.
+//   - len(schedules), per-schedule cron length, and resolved prompt
+//     body length are all bounded; over-sized entries are skipped
+//     rather than committed.
+//   - Per-row insert errors and ctx cancellation surface to the
+//     caller via the returned counts so partial-seed states are
+//     observable (workspace.go Create logs the (seeded, skipped)
+//     pair when skipped > 0).
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"os"
+	"path/filepath"
+	"time"
+
+	"gopkg.in/yaml.v3"
+
+	"git.moleculesai.app/molecule-ai/molecule-core/workspace-server/internal/db"
+	"git.moleculesai.app/molecule-ai/molecule-core/workspace-server/internal/scheduler"
+)
+
+// Bounds protecting the seeder against hostile or buggy templates.
+// All chosen with generous headroom relative to legitimate use
+// (reno-stars org template — the largest production schedule grid —
+// runs ~10 entries per workspace, each prompt body well under 1 KiB).
+const (
+	maxTemplateConfigYAMLBytes int64 = 1 << 20  // 1 MiB — hard cap on config.yaml size
+	maxTemplateSchedules             = 100      // 10x current largest grid
+	maxScheduleCronExprLen           = 128      // cron-spec syntax is short by construction
+	maxSchedulePromptBytes           = 16 << 10 // 16 KiB after prompt_file resolution
+)
+
+// templateConfigSchedules is the minimal shape parsed from a workspace
+// template's config.yaml. Only the `schedules:` block is modelled;
+// the rest of the file (providers, runtime_config, …) is opaque to
+// this loader and continues to flow through the existing pass-through
+// in workspace_provision.go.
+type templateConfigSchedules struct {
+	Schedules []OrgSchedule `yaml:"schedules"`
+}
+
+// parseTemplateSchedules reads `<templatePath>/config.yaml` and
+// returns its `schedules:` block (nil + nil error when the file is
+// absent or the block is empty).
+//
+// The file is read through a 1 MiB LimitReader so a billion-laughs
+// or anchor-explosion YAML cannot pre-explode memory before
+// Unmarshal returns. Returns an error only when a present
+// config.yaml fails to read or parse — callers should treat that as
+// a template-author bug rather than a runtime fault. The Create
+// handler logs the error and continues so a broken schedules block
+// can never block workspace provisioning.
+func parseTemplateSchedules(templatePath string) ([]OrgSchedule, error) {
+	if templatePath == "" {
+		return nil, nil
+	}
+	f, err := os.Open(filepath.Join(templatePath, "config.yaml"))
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			return nil, nil
+		}
+		return nil, fmt.Errorf("open template config.yaml: %w", err)
+	}
+	defer f.Close()
+
+	// Read maxTemplateConfigYAMLBytes+1 — if we filled the buffer the
+	// underlying file exceeded the cap and we refuse to unmarshal.
+	data, err := io.ReadAll(io.LimitReader(f, maxTemplateConfigYAMLBytes+1))
+	if err != nil {
+		return nil, fmt.Errorf("read template config.yaml: %w", err)
+	}
+	if int64(len(data)) > maxTemplateConfigYAMLBytes {
+		return nil, fmt.Errorf("template config.yaml exceeds %d-byte cap", maxTemplateConfigYAMLBytes)
+	}
+	var cfg templateConfigSchedules
+	if err := yaml.Unmarshal(data, &cfg); err != nil {
+		return nil, fmt.Errorf("parse template config.yaml schedules: %w", err)
+	}
+	if len(cfg.Schedules) > maxTemplateSchedules {
+		return nil, fmt.Errorf("template declares %d schedules; cap is %d", len(cfg.Schedules), maxTemplateSchedules)
+	}
+	return cfg.Schedules, nil
+}
+
+// seedTemplateSchedules INSERTs (or refreshes) each schedule into
+// workspace_schedules with source='template'. Returns (seeded,
+// skipped) counts so the caller can observe partial-seed states.
+//
+// Prompt body resolution mirrors org_import.go: inline `prompt:` wins,
+// else `prompt_file:` is resolved relative to templatePath via
+// resolvePromptRef. Per-schedule failures (bad cron, missing prompt
+// file, DB error, oversize input) are logged with the schedule name
+// quoted via %q (CRLF-safe) and skipped so one bad row never breaks
+// the rest of the grid. A cancelled ctx breaks the loop early.
+//
+// Timezone defaults to "UTC" when unset. Env-var expansion in the
+// timezone field is intentionally not performed — that mirrors the
+// org/import behavior; template authors should pick a literal IANA
+// zone (or rely on UTC + operator overrides per-tenant).
+func seedTemplateSchedules(ctx context.Context, workspaceID, templatePath string, schedules []OrgSchedule) (seeded, skipped int) {
+	for _, sched := range schedules {
+		// Honour caller cancellation — protects against long seed
+		// loops on a request whose client already gave up.
+		if err := ctx.Err(); err != nil {
+			log.Printf("Template schedule seed: ctx cancelled after %d/%d on %s: %v", seeded, len(schedules), workspaceID, err)
+			skipped += len(schedules) - seeded - skipped
+			return
+		}
+		if len(sched.CronExpr) > maxScheduleCronExprLen {
+			log.Printf("Template schedule seed: cron_expr too long (%d > %d) for %q on %s — skipping", len(sched.CronExpr), maxScheduleCronExprLen, sched.Name, workspaceID)
+			skipped++
+			continue
+		}
+		tz := sched.Timezone
+		if tz == "" {
+			tz = "UTC"
+		}
+		enabled := true
+		if sched.Enabled != nil {
+			enabled = *sched.Enabled
+		}
+		prompt, promptErr := resolvePromptRef(sched.Prompt, sched.PromptFile, templatePath, "")
+		if promptErr != nil {
+			log.Printf("Template schedule seed: failed to resolve prompt for %q on %s: %v — skipping", sched.Name, workspaceID, promptErr)
+			skipped++
+			continue
+		}
+		if prompt == "" {
+			log.Printf("Template schedule seed: schedule %q on %s has empty prompt — skipping", sched.Name, workspaceID)
+			skipped++
+			continue
+		}
+		if len(prompt) > maxSchedulePromptBytes {
+			log.Printf("Template schedule seed: prompt too long (%d > %d bytes) for %q on %s — skipping", len(prompt), maxSchedulePromptBytes, sched.Name, workspaceID)
+			skipped++
+			continue
+		}
+		nextRun, nextRunErr := scheduler.ComputeNextRun(sched.CronExpr, tz, time.Now())
+		if nextRunErr != nil {
+			log.Printf("Template schedule seed: invalid cron for %q on %s: %v — skipping", sched.Name, workspaceID, nextRunErr)
+			skipped++
+			continue
+		}
+		if _, err := db.DB.ExecContext(ctx, orgImportScheduleSQL,
+			workspaceID, sched.Name, sched.CronExpr, tz, prompt, enabled, nextRun); err != nil {
+			log.Printf("Template schedule seed: failed to upsert %q on %s: %v", sched.Name, workspaceID, err)
+			skipped++
+			continue
+		}
+		seeded++
+		log.Printf("Template schedule seed: %q (%s, %d chars) upserted on %s (source=template)", sched.Name, sched.CronExpr, len(prompt), workspaceID)
+	}
+	return
+}
@@ -0,0 +1,141 @@
+package handlers
+
+// template_schedules_test.go — unit tests for parseTemplateSchedules.
+//
+// seedTemplateSchedules' DB INSERT path is already covered indirectly
+// by TestImport_OrgScheduleSQLShape (schedules_test.go) since both
+// code paths share the canonical orgImportScheduleSQL constant; the
+// loop logic (default tz, default enabled, prompt resolution, cron
+// validation) is exercised at the parser level here and at the
+// orgImportScheduleSQL level there.
+
+import (
+	"path/filepath"
+	"testing"
+)
+
+func TestParseTemplateSchedules_AbsentFile(t *testing.T) {
+	dir := t.TempDir()
+	// No config.yaml in dir.
+	got, err := parseTemplateSchedules(dir)
+	if err != nil {
+		t.Fatalf("expected nil error for absent config.yaml, got %v", err)
+	}
+	if got != nil {
+		t.Fatalf("expected nil slice, got %#v", got)
+	}
+}
+
+func TestParseTemplateSchedules_EmptyTemplatePath(t *testing.T) {
+	got, err := parseTemplateSchedules("")
+	if err != nil {
+		t.Fatalf("expected nil error for empty path, got %v", err)
+	}
+	if got != nil {
+		t.Fatalf("expected nil slice for empty path, got %#v", got)
+	}
+}
+
+func TestParseTemplateSchedules_NoSchedulesBlock(t *testing.T) {
+	dir := t.TempDir()
+	mustWriteFile(t, filepath.Join(dir, "config.yaml"), `
+name: Some Template
+runtime: claude-code
+model: foo/bar
+`)
+	got, err := parseTemplateSchedules(dir)
+	if err != nil {
+		t.Fatalf("expected nil error when schedules: absent, got %v", err)
+	}
+	if len(got) != 0 {
+		t.Fatalf("expected zero schedules, got %d", len(got))
+	}
+}
+
+func TestParseTemplateSchedules_HappyPath(t *testing.T) {
+	dir := t.TempDir()
+	mustWriteFile(t, filepath.Join(dir, "config.yaml"), `
+name: SEO Agent
+schedules:
+  - name: Continuous tick
+    cron_expr: "*/30 * * * *"
+    timezone: America/Vancouver
+    prompt: |
+      Run one SEO tick.
+  - name: Monday GSC
+    cron_expr: "0 8 * * 1"
+    timezone: America/Vancouver
+    prompt: /seo google
+    enabled: true
+  - name: Disabled placeholder
+    cron_expr: "0 0 1 1 *"
+    prompt: noop
+    enabled: false
+`)
+	got, err := parseTemplateSchedules(dir)
+	if err != nil {
+		t.Fatalf("parse: %v", err)
+	}
+	if len(got) != 3 {
+		t.Fatalf("expected 3 schedules, got %d", len(got))
+	}
+	if got[0].Name != "Continuous tick" || got[0].CronExpr != "*/30 * * * *" {
+		t.Errorf("schedule[0] mismatch: %+v", got[0])
+	}
+	if got[1].Timezone != "America/Vancouver" {
+		t.Errorf("schedule[1].Timezone = %q, want America/Vancouver", got[1].Timezone)
+	}
+	// Enabled is *bool: nil means "default true" at seed time, false is
+	// explicit opt-out and must survive the YAML round-trip.
+	if got[2].Enabled == nil {
+		t.Errorf("schedule[2].Enabled = nil, want *false")
+	} else if *got[2].Enabled {
+		t.Errorf("schedule[2].Enabled = true, want false")
+	}
+}
+
+func TestParseTemplateSchedules_MalformedYAML(t *testing.T) {
+	dir := t.TempDir()
+	mustWriteFile(t, filepath.Join(dir, "config.yaml"), `
+name: Broken
+schedules:
+  - this is: [not, a, valid
+`)
+	_, err := parseTemplateSchedules(dir)
+	if err == nil {
+		t.Fatal("expected parse error on malformed YAML, got nil")
+	}
+}
+
+// TestParseTemplateSchedules_RejectsOversizeFile gates against the
+// billion-laughs / anchor-bomb DoS class: a hostile config.yaml over
+// the 1 MiB cap must be refused before yaml.Unmarshal runs.
+func TestParseTemplateSchedules_RejectsOversizeFile(t *testing.T) {
+	dir := t.TempDir()
+	// One byte over the cap — fastest path to the gate.
+	pad := make([]byte, maxTemplateConfigYAMLBytes+1)
+	for i := range pad {
+		pad[i] = '#'
+	}
+	mustWriteFile(t, filepath.Join(dir, "config.yaml"), string(pad))
+	if _, err := parseTemplateSchedules(dir); err == nil {
+		t.Fatal("expected oversize-file error, got nil")
+	}
+}
+
+// TestParseTemplateSchedules_RejectsTooManySchedules gates against a
+// hostile config.yaml that flips one row into a 10k-row insert storm.
+func TestParseTemplateSchedules_RejectsTooManySchedules(t *testing.T) {
+	dir := t.TempDir()
+	var b []byte
+	b = append(b, []byte("schedules:\n")...)
+	// maxTemplateSchedules+1 minimal entries — they don't have to be
+	// valid as schedules because the gate trips before resolution.
+	for i := 0; i <= maxTemplateSchedules; i++ {
+		b = append(b, []byte("  - name: s\n    cron_expr: \"* * * * *\"\n    prompt: x\n")...)
+	}
+	mustWriteFile(t, filepath.Join(dir, "config.yaml"), string(b))
+	if _, err := parseTemplateSchedules(dir); err == nil {
+		t.Fatal("expected schedule-count error, got nil")
+	}
+}
@@ -243,10 +243,12 @@ func (h *TemplatesHandler) List(c *gin.Context) {
 				log.Printf("templates list: skip %s: yaml.Unmarshal: %v", id, err)
 				return
 			}
-			runtime := strings.TrimSuffix(strings.TrimSpace(raw.Runtime), "-default")
-			if _, ok := knownRuntimes[runtime]; !ok {
-				log.Printf("templates list: skip %s: unsupported runtime %q", id, raw.Runtime)
-				return
+			if raw.Runtime != "" {
+				runtime := strings.TrimSuffix(strings.TrimSpace(raw.Runtime), "-default")
+				if _, ok := knownRuntimes[runtime]; !ok {
+					log.Printf("templates list: skip %s: unsupported runtime %q", id, raw.Runtime)
+					return
+				}
 			}

 			// Model comes from either top-level (legacy) or runtime_config.model (current).
@@ -677,7 +677,7 @@ skills: []
 		t.Fatalf("parse: %v", err)
 	}
 	if len(resp) != 1 || resp[0].Model != "anthropic:claude-sonnet-4-6" {
-		t.Errorf("legacy top-level model not surfaced: %+v", resp)
+		t.Fatalf("legacy top-level model not surfaced: %+v", resp)
 	}
 	if resp[0].Runtime != "claude-code" {
 		t.Errorf("Runtime should be claude-code for legacy template, got %q", resp[0].Runtime)
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+	"log"
 	"net/http"
 	"os"
 	"os/exec"
@@ -119,9 +120,11 @@ func (h *TerminalHandler) HandleDiagnose(c *gin.Context) {
 	}

 	var instanceID string
-	_ = db.DB.QueryRowContext(ctx,
+	if err := db.DB.QueryRowContext(ctx,
 		`SELECT COALESCE(instance_id, '') FROM workspaces WHERE id = $1`,
-		workspaceID).Scan(&instanceID)
+		workspaceID).Scan(&instanceID); err != nil {
+		log.Printf("terminal diagnose: instance_id query failed for workspace %s: %v", workspaceID, err)
+	}

 	var res diagnoseResult
 	if instanceID != "" {
@@ -153,7 +153,12 @@ func (h *TokenHandler) Revoke(c *gin.Context) {
 		return
 	}

-	rows, _ := result.RowsAffected()
+	rows, err := result.RowsAffected()
+	if err != nil {
+		log.Printf("tokens: revoke RowsAffected error token=%s workspace=%s: %v", tokenID, workspaceID, err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to revoke token"})
+		return
+	}
 	if rows == 0 {
 		c.JSON(http.StatusNotFound, gin.H{"error": "token not found or already revoked"})
 		return
@@ -394,9 +394,13 @@ func (h *WebhookHandler) handleCronTriggerEvent(c *gin.Context, eventType string
 			log.Printf("Webhook: cron trigger (issues/opened) DB error: %v", err)
 			return true, fmt.Errorf("failed to trigger schedules: %w", err)
 		}
-		affected, _ := result.RowsAffected()
-		log.Printf("Webhook: issues/opened in %s #%d by %s — triggered %d pick-up-work schedule(s)",
-			payload.Repository.FullName, payload.Issue.Number, payload.Sender.Login, affected)
+		affected, err := result.RowsAffected()
+		if err != nil {
+			log.Printf("Webhook: issues/opened RowsAffected error: %v", err)
+		} else {
+			log.Printf("Webhook: issues/opened in %s #%d by %s — triggered %d pick-up-work schedule(s)",
+				payload.Repository.FullName, payload.Issue.Number, payload.Sender.Login, affected)
+		}

 		c.JSON(http.StatusOK, gin.H{
 			"status":             "triggered",
@@ -429,9 +433,13 @@ func (h *WebhookHandler) handleCronTriggerEvent(c *gin.Context, eventType string
 			log.Printf("Webhook: cron trigger (pull_request_review/submitted) DB error: %v", err)
 			return true, fmt.Errorf("failed to trigger schedules: %w", err)
 		}
-		affected, _ := result.RowsAffected()
-		log.Printf("Webhook: pull_request_review/submitted in %s PR #%d by %s (state=%s) — triggered %d review schedule(s)",
-			payload.Repository.FullName, payload.PullRequest.Number, payload.Sender.Login, payload.Review.State, affected)
+		affected, err := result.RowsAffected()
+		if err != nil {
+			log.Printf("Webhook: pull_request_review/submitted RowsAffected error: %v", err)
+		} else {
+			log.Printf("Webhook: pull_request_review/submitted in %s PR #%d by %s (state=%s) — triggered %d review schedule(s)",
+				payload.Repository.FullName, payload.PullRequest.Number, payload.Sender.Login, payload.Review.State, affected)
+		}

 		c.JSON(http.StatusOK, gin.H{
 			"status":             "triggered",
@@ -568,6 +568,10 @@ func (h *WorkspaceHandler) Create(c *gin.Context) {
 	// nil/empty map is a no-op.  Any failure rolls back the workspace insert
 	// so we never have a workspace row without its intended secrets.
 	for k, v := range payload.Secrets {
+		if rejectPlatformManagedDirectLLMBypassForWorkspace(c, id, k) {
+			tx.Rollback() //nolint:errcheck
+			return
+		}
 		encrypted, encErr := crypto.Encrypt([]byte(v))
 		if encErr != nil {
 			tx.Rollback() //nolint:errcheck
@@ -673,7 +677,9 @@ func (h *WorkspaceHandler) Create(c *gin.Context) {
 			// Preserve BYO-compute runtime label (kimi, kimi-cli, external) —
 			// don't coerce to generic "external" so the canvas can show the
 			// correct runtime name in the node card.
-			db.DB.ExecContext(ctx, `UPDATE workspaces SET url = $1, status = $2, runtime = $3, updated_at = now() WHERE id = $4`, payload.URL, models.StatusOnline, normalizeExternalRuntime(payload.Runtime), id)
+			if _, err := db.DB.ExecContext(ctx, `UPDATE workspaces SET url = $1, status = $2, runtime = $3, updated_at = now() WHERE id = $4`, payload.URL, models.StatusOnline, normalizeExternalRuntime(payload.Runtime), id); err != nil {
+				log.Printf("External workspace: failed to update URL/status for %s: %v", id, err)
+			}
 			if err := db.CacheURL(ctx, id, payload.URL); err != nil {
 				log.Printf("External workspace: failed to cache URL for %s: %v", id, err)
 			}
@@ -686,7 +692,9 @@ func (h *WorkspaceHandler) Create(c *gin.Context) {
 			// from the external agent (with this token + its URL)
 			// flips the row to online.
 			// Preserve BYO-compute runtime label (kimi, kimi-cli, external).
-			db.DB.ExecContext(ctx, `UPDATE workspaces SET status = $1, runtime = $2, updated_at = now() WHERE id = $3`, models.StatusAwaitingAgent, normalizeExternalRuntime(payload.Runtime), id)
+			if _, err := db.DB.ExecContext(ctx, `UPDATE workspaces SET status = $1, runtime = $2, updated_at = now() WHERE id = $3`, models.StatusAwaitingAgent, normalizeExternalRuntime(payload.Runtime), id); err != nil {
+				log.Printf("External workspace: failed to update status for %s: %v", id, err)
+			}
 			tok, tokErr := wsauth.IssueToken(ctx, db.DB, id)
 			if tokErr != nil {
 				log.Printf("External workspace %s: token issuance failed: %v", id, tokErr)
@@ -761,7 +769,8 @@ func (h *WorkspaceHandler) Create(c *gin.Context) {
 	// runtime/model/tier as JSON — the Config tab needs that to render
 	// even on failed workspaces, so Create owns this Create-only side
 	// effect rather than coupling Auto to a UI concern.
-	if !h.provisionWorkspaceAuto(id, templatePath, configFiles, payload) {
+	provisionOK := h.provisionWorkspaceAuto(id, templatePath, configFiles, payload)
+	if !provisionOK {
 		cfgJSON := fmt.Sprintf(`{"name":%q,"runtime":%q,"tier":%d,"template":%q}`,
 			payload.Name, payload.Runtime, payload.Tier, payload.Template)
 		if _, err := db.DB.ExecContext(ctx, `
@@ -772,11 +781,64 @@ func (h *WorkspaceHandler) Create(c *gin.Context) {
 		}
 	}

-	c.JSON(http.StatusCreated, gin.H{
+	// Seed schedules declared in the workspace template's config.yaml
+	// AFTER provisionWorkspaceAuto succeeds so the scheduler never
+	// fires cron rows against a workspace whose backend never wired
+	// (review feedback PR #1929#1). Async EC2 provisioning may still
+	// fail downstream; scheduler.go is expected to handle non-online
+	// status as a no-op tick. Idempotent across re-creates via
+	// orgImportScheduleSQL's ON CONFLICT clause; runtime-added rows
+	// are preserved (Issue #24 contract). Restart does not re-seed
+	// (so user-deleted template rows stay deleted).
+	//
+	// Non-fatal: a broken schedules: block must never block workspace
+	// provisioning — the workspace row is already live and the grid
+	// is recoverable via POST /workspaces/{id}/schedules.
+	if provisionOK && templatePath != "" {
+		if templateScheds, parseErr := parseTemplateSchedules(templatePath); parseErr != nil {
+			log.Printf("Create %s: parsing template schedules: %v (continuing)", id, parseErr)
+		} else if len(templateScheds) > 0 {
+			seeded, skipped := seedTemplateSchedules(ctx, id, templatePath, templateScheds)
+			if skipped > 0 {
+				log.Printf("Create %s: template schedule partial-seed: seeded=%d skipped=%d total=%d", id, seeded, skipped, len(templateScheds))
+			} else {
+				log.Printf("Create %s: seeded %d/%d template schedules", id, seeded, len(templateScheds))
+			}
+		}
+	}
+
+	// Mint the workspace's first bearer token and return it inline
+	// (#1644). Pre-fix, callers had to make a separate POST to
+	// /admin/workspaces/:id/tokens (production path, AdminAuth-gated,
+	// but the path-prefix differs in CP-admin deploys so staging E2E
+	// got HTML 404) OR fall back to GET /admin/workspaces/:id/test-token
+	// (dev-only — deliberately 404s on MOLECULE_ENV=production per
+	// admin_test_token.go::TestTokensEnabled, which violates
+	// feedback_no_dev_only_routes_in_e2e). Inlining the first token here
+	// makes the create response the SSOT — every caller (canvas Save,
+	// org_import, E2E, third-party API) gets the bearer they need to
+	// authenticate /activity, /a2a, /memory etc. without an extra
+	// round trip to a separate mint endpoint.
+	//
+	// Failure is non-fatal: the workspace row already committed; the
+	// operator can recover via POST /admin/workspaces/:id/tokens
+	// (canonical admin mint) or POST /workspaces/:id/external/rotate
+	// (already-used for the external pre-register path above). We log
+	// the failure and return 201 without the field — callers that need
+	// the token will get a clear-shaped fallback (auth_token absent
+	// from response = use the admin mint path).
+	resp := gin.H{
 		"id":               id,
 		"status":           "provisioning",
 		"workspace_access": workspaceAccess,
-	})
+	}
+	if authToken, tokErr := wsauth.IssueToken(ctx, db.DB, id); tokErr != nil {
+		log.Printf("Create workspace %s: inline auth_token mint failed (non-fatal — caller can use POST /admin/workspaces/:id/tokens): %v", id, tokErr)
+	} else {
+		resp["auth_token"] = authToken
+	}
+
+	c.JSON(http.StatusCreated, resp)
 }

 // addProvisionTimeoutMs decorates a workspace response map with the
@@ -988,9 +1050,11 @@ func (h *WorkspaceHandler) Get(c *gin.Context) {
 			// the client would otherwise see — the actionable signal
 			// is the 410 + hint, not the timestamp.
 			var removedAt time.Time
-			_ = db.DB.QueryRowContext(c.Request.Context(),
+			if err := db.DB.QueryRowContext(c.Request.Context(),
 				`SELECT updated_at FROM workspaces WHERE id = $1`, id,
-			).Scan(&removedAt)
+			).Scan(&removedAt); err != nil {
+				log.Printf("workspace GET: removed_at query failed for %s: %v", id, err)
+			}
 			body := gin.H{
 				"error": "workspace removed",
 				"id":    id,
@@ -168,6 +168,8 @@ func TestWorkspaceBudget_Create_WithLimit(t *testing.T) {
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectExec("INSERT INTO structure_events").
 		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec("INSERT INTO workspace_auth_tokens").
+		WillReturnResult(sqlmock.NewResult(0, 1))

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -91,6 +91,8 @@ func TestWorkspaceCreate_WithCompute_PersistsComputeJSON(t *testing.T) {
 	mock.ExpectCommit()
 	mock.ExpectExec("INSERT INTO canvas_layouts").
 		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec("INSERT INTO workspace_auth_tokens").
+		WillReturnResult(sqlmock.NewResult(0, 1))

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -450,8 +450,12 @@ func (h *WorkspaceHandler) Delete(c *gin.Context) {
 			}
 		}
 		// Null out parent_id / forwarded_to references
-		db.DB.ExecContext(ctx, "UPDATE workspaces SET parent_id = NULL WHERE parent_id = ANY($1::uuid[])", purgeIDs)
-		db.DB.ExecContext(ctx, "UPDATE workspaces SET forwarded_to = NULL WHERE forwarded_to = ANY($1::uuid[])", purgeIDs)
+		if _, err := db.DB.ExecContext(ctx, "UPDATE workspaces SET parent_id = NULL WHERE parent_id = ANY($1::uuid[])", purgeIDs); err != nil {
+			log.Printf("Purge parent_id null error for %v: %v", allIDs, err)
+		}
+		if _, err := db.DB.ExecContext(ctx, "UPDATE workspaces SET forwarded_to = NULL WHERE forwarded_to = ANY($1::uuid[])", purgeIDs); err != nil {
+			log.Printf("Purge forwarded_to null error for %v: %v", allIDs, err)
+		}
 		// Hard delete the workspace row
 		if _, err := db.DB.ExecContext(ctx, "DELETE FROM workspaces WHERE id = ANY($1::uuid[])", purgeIDs); err != nil {
 			log.Printf("Purge workspace row error for %v: %v", allIDs, err)
@@ -165,3 +165,43 @@ func TestValidateWorkspaceFields_YAMLCharsAllowedInEmptyName(t *testing.T) {
 		t.Errorf("empty name with valid role: expected nil, got %v", err)
 	}
 }
+
+// ─── validateWorkspaceID ───────────────────────────────────────────────────────
+
+func TestValidateWorkspaceID_ValidUUIDv4(t *testing.T) {
+	if err := validateWorkspaceID("550e8400-e29b-41d4-a716-446655440000"); err != nil {
+		t.Errorf("valid v4 UUID: expected nil, got %v", err)
+	}
+}
+
+func TestValidateWorkspaceID_ValidUUIDv1(t *testing.T) {
+	// UUIDv1 format is also accepted by uuid.Parse.
+	if err := validateWorkspaceID("6ba7b810-9dad-11d1-80b4-00c04fd430c8"); err != nil {
+		t.Errorf("valid v1 UUID: expected nil, got %v", err)
+	}
+}
+
+func TestValidateWorkspaceID_EmptyString(t *testing.T) {
+	if err := validateWorkspaceID(""); err == nil {
+		t.Error("empty string: expected error, got nil")
+	}
+}
+
+func TestValidateWorkspaceID_NotAUuid(t *testing.T) {
+	if err := validateWorkspaceID("not-a-uuid"); err == nil {
+		t.Error("not-a-uuid: expected error, got nil")
+	}
+}
+
+func TestValidateWorkspaceID_WrongLength(t *testing.T) {
+	if err := validateWorkspaceID("550e8400-e29b-41d4-a716"); err == nil {
+		t.Error("short UUID: expected error, got nil")
+	}
+}
+
+func TestValidateWorkspaceID_InvalidCharacters(t *testing.T) {
+	// 'g' is not a valid hex character.
+	if err := validateWorkspaceID("550e8400-e29b-41d4-a716-44665544000g"); err == nil {
+		t.Error("invalid hex char: expected error, got nil")
+	}
+}
@@ -922,11 +922,45 @@ func applyRuntimeModelEnv(envVars map[string]string, runtime, model string) {
 }

 // applyPlatformManagedLLMEnv wires the control-plane LLM proxy into a
-// workspace only when the org is in platform-managed mode. Provider keys
-// never enter the tenant; provider SDK API-key envs receive the tenant token
-// for the CP proxy only when the workspace has not supplied BYOK/OAuth auth.
-func applyPlatformManagedLLMEnv(envVars map[string]string, runtime string, model string) {
-	if strings.ToLower(strings.TrimSpace(os.Getenv("MOLECULE_LLM_BILLING_MODE"))) != "platform_managed" {
+// workspace only when the RESOLVED billing mode for this workspace is
+// platform_managed. "Resolved" means: the workspace-level override (if any)
+// wins over the org default (delivered via tenant_config in MOLECULE_LLM_BILLING_MODE).
+//
+// Pre-internal#691 this gate read the org-level env var directly, which made
+// it impossible to mix billing modes across workspaces in the same org. The
+// resolver (ResolveLLMBillingMode) is the single source of truth now; the
+// architectural test asserts no remaining code path gates on os.Getenv
+// ("MOLECULE_LLM_BILLING_MODE") for strip-decision purposes — that env value
+// is still read INTO the resolver as the org-default input, but it is never
+// the final decision.
+//
+// Default-closed: any resolver error / NULL JOIN / garbled enum value
+// collapses to platform_managed (see llm_billing_mode.go for the contract).
+// This preserves the existing implicit default exactly while making the
+// per-workspace opt-out path safe.
+//
+// The resolved mode is exported into the workspace container as
+// MOLECULE_LLM_BILLING_MODE_RESOLVED so an in-container debug check can
+// answer "what mode is this workspace running under" without DB queries
+// (RFC Observability hot-spot).
+func applyPlatformManagedLLMEnv(ctx context.Context, envVars map[string]string, workspaceID, runtime, model string) {
+	orgMode := strings.ToLower(strings.TrimSpace(os.Getenv("MOLECULE_LLM_BILLING_MODE")))
+	res, resolveErr := ResolveLLMBillingMode(ctx, workspaceID, orgMode)
+	if resolveErr != nil {
+		// resolveErr != nil ⇒ resolver hit a DB error AND already defaulted
+		// res.ResolvedMode to platform_managed. Log + proceed; the safe default
+		// is already in place, no early return needed.
+		log.Printf("workspace_provision: resolve billing mode workspace=%s err=%v (defaulting to platform_managed)", workspaceID, resolveErr)
+	}
+	log.Printf("workspace_provision: billing mode workspace=%s resolved=%s source=%s org_default=%s", workspaceID, res.ResolvedMode, res.Source, res.OrgDefault)
+	// Observability: surface the resolved mode in the container env so the
+	// agent / debug shell can answer "why is my key being stripped" without
+	// pulling logs or hitting the admin route.
+	envVars["MOLECULE_LLM_BILLING_MODE_RESOLVED"] = res.ResolvedMode
+	if res.ResolvedMode != LLMBillingModePlatformManaged {
+		// byok or disabled — DO NOT strip vendor keys, DO NOT force-route to CP.
+		// Leave envVars alone so CLAUDE_CODE_OAUTH_TOKEN / vendor API keys
+		// pulled from workspace_secrets survive into the container.
 		return
 	}
 	baseURL := firstNonEmptyEnv("MOLECULE_LLM_BASE_URL", "OPENAI_BASE_URL")
@@ -935,6 +969,7 @@ func applyPlatformManagedLLMEnv(envVars map[string]string, runtime string, model
 	if baseURL == "" || token == "" {
 		return
 	}
+	stripPlatformManagedLLMBypassEnv(envVars)

 	envVars["MOLECULE_LLM_BILLING_MODE"] = "platform_managed"
 	envVars["MOLECULE_LLM_BASE_URL"] = baseURL
@@ -946,11 +981,11 @@ func applyPlatformManagedLLMEnv(envVars map[string]string, runtime string, model
 		envVars["MOLECULE_LLM_USAGE_URL"] = usageURL
 	}

-	if strings.TrimSpace(envVars["OPENAI_API_KEY"]) == "" && !runtimeUsesAnthropicNativeProxy(runtime) {
+	if !runtimeUsesAnthropicNativeProxy(runtime) {
 		envVars["OPENAI_API_KEY"] = token
 		envVars["OPENAI_BASE_URL"] = baseURL
 	}
-	if runtimeUsesAnthropicNativeProxy(runtime) && anthropicBaseURL != "" && workspaceHasNoAnthropicAuth(envVars) {
+	if runtimeUsesAnthropicNativeProxy(runtime) && anthropicBaseURL != "" {
 		envVars["ANTHROPIC_API_KEY"] = token
 		envVars["ANTHROPIC_BASE_URL"] = anthropicBaseURL
 	}
@@ -962,25 +997,14 @@ func applyPlatformManagedLLMEnv(envVars map[string]string, runtime string, model
 	}
 }

-func runtimeUsesAnthropicNativeProxy(runtime string) bool {
-	return strings.TrimSpace(strings.ToLower(runtime)) == "claude-code"
+func stripPlatformManagedLLMBypassEnv(envVars map[string]string) {
+	for key := range platformManagedDirectLLMBypassKeys {
+		delete(envVars, key)
+	}
 }

-func workspaceHasNoAnthropicAuth(envVars map[string]string) bool {
-	for _, key := range []string{
-		"CLAUDE_CODE_OAUTH_TOKEN",
-		"ANTHROPIC_API_KEY",
-		"ANTHROPIC_AUTH_TOKEN",
-		"MINIMAX_API_KEY",
-		"KIMI_API_KEY",
-		"GLM_API_KEY",
-		"DEEPSEEK_API_KEY",
-	} {
-		if strings.TrimSpace(envVars[key]) != "" {
-			return false
-		}
-	}
-	return true
+func runtimeUsesAnthropicNativeProxy(runtime string) bool {
+	return strings.TrimSpace(strings.ToLower(runtime)) == "claude-code"
 }

 func firstNonEmptyEnv(names ...string) string {
@@ -193,7 +193,7 @@ func (h *WorkspaceHandler) prepareProvisionContext(
 	// continue to rely on workspace_secrets / org-import persona-env
 	// merge for their git auth.
 	applyAgentGitHTTPCreds(envVars, payload.Role)
-	applyPlatformManagedLLMEnv(envVars, payload.Runtime, payload.Model)
+	applyPlatformManagedLLMEnv(ctx, envVars, workspaceID, payload.Runtime, payload.Model)
 	applyRuntimeModelEnv(envVars, payload.Runtime, payload.Model)
 	if payload.Role != "" {
 		envVars["MOLECULE_AGENT_ROLE"] = payload.Role
@@ -972,7 +972,7 @@ func TestApplyPlatformManagedLLMEnv_NonClaudeRuntimeDefaultsOpenAIProxyWhenNoWor
 	t.Setenv("MOLECULE_LLM_DEFAULT_MODEL", "moonshot/kimi-k2.6")

 	envVars := map[string]string{}
-	applyPlatformManagedLLMEnv(envVars, "codex", "")
+	applyPlatformManagedLLMEnv(context.Background(), envVars, "", "codex", "")
 	applyRuntimeModelEnv(envVars, "codex", "")

 	if got := envVars["OPENAI_BASE_URL"]; got != "https://api.example.test/api/v1/internal/llm/openai/v1" {
@@ -992,7 +992,7 @@ func TestApplyPlatformManagedLLMEnv_NonClaudeRuntimeDefaultsOpenAIProxyWhenNoWor
 	}
 }

-func TestApplyPlatformManagedLLMEnv_DoesNotOverrideWorkspaceOpenAIKey(t *testing.T) {
+func TestApplyPlatformManagedLLMEnv_StripsWorkspaceOpenAIKeyForClaudeCode(t *testing.T) {
 	t.Setenv("MOLECULE_LLM_BILLING_MODE", "platform_managed")
 	t.Setenv("MOLECULE_LLM_BASE_URL", "https://api.example.test/api/v1/internal/llm/openai/v1")
 	t.Setenv("MOLECULE_LLM_USAGE_TOKEN", "tenant-admin-token")
@@ -1002,13 +1002,13 @@ func TestApplyPlatformManagedLLMEnv_DoesNotOverrideWorkspaceOpenAIKey(t *testing
 		"OPENAI_BASE_URL": "https://api.openai.com/v1",
 		"MODEL":           "openai/gpt-5.5",
 	}
-	applyPlatformManagedLLMEnv(envVars, "claude-code", "")
+	applyPlatformManagedLLMEnv(context.Background(), envVars, "", "claude-code", "")

-	if got := envVars["OPENAI_API_KEY"]; got != "user-openai-key" {
-		t.Fatalf("OPENAI_API_KEY was overwritten: %q", got)
+	if _, ok := envVars["OPENAI_API_KEY"]; ok {
+		t.Fatalf("OPENAI_API_KEY should be stripped for claude-code platform-managed mode")
 	}
-	if got := envVars["OPENAI_BASE_URL"]; got != "https://api.openai.com/v1" {
-		t.Fatalf("OPENAI_BASE_URL was overwritten: %q", got)
+	if _, ok := envVars["OPENAI_BASE_URL"]; ok {
+		t.Fatalf("OPENAI_BASE_URL should be stripped for claude-code platform-managed mode")
 	}
 	if got := envVars["MOLECULE_LLM_USAGE_TOKEN"]; got != "tenant-admin-token" {
 		t.Fatalf("MOLECULE_LLM_USAGE_TOKEN = %q", got)
@@ -1018,7 +1018,7 @@ func TestApplyPlatformManagedLLMEnv_DoesNotOverrideWorkspaceOpenAIKey(t *testing
 	}
 }

-func TestApplyPlatformManagedLLMEnv_ClaudeCodeUsesAnthropicProxyWithoutOverwritingOAuth(t *testing.T) {
+func TestApplyPlatformManagedLLMEnv_ClaudeCodeUsesAnthropicProxyOverOAuth(t *testing.T) {
 	t.Setenv("MOLECULE_LLM_BILLING_MODE", "platform_managed")
 	t.Setenv("MOLECULE_LLM_BASE_URL", "https://api.example.test/api/v1/internal/llm/openai/v1")
 	t.Setenv("MOLECULE_LLM_ANTHROPIC_BASE_URL", "https://api.example.test/api/v1/internal/llm/anthropic/v1")
@@ -1028,13 +1028,16 @@ func TestApplyPlatformManagedLLMEnv_ClaudeCodeUsesAnthropicProxyWithoutOverwriti
 		"CLAUDE_CODE_OAUTH_TOKEN": "user-oauth-token",
 		"MODEL":                   "sonnet",
 	}
-	applyPlatformManagedLLMEnv(envVars, "claude-code", "")
+	applyPlatformManagedLLMEnv(context.Background(), envVars, "", "claude-code", "")

-	if got := envVars["CLAUDE_CODE_OAUTH_TOKEN"]; got != "user-oauth-token" {
-		t.Fatalf("CLAUDE_CODE_OAUTH_TOKEN was overwritten: %q", got)
+	if _, ok := envVars["CLAUDE_CODE_OAUTH_TOKEN"]; ok {
+		t.Fatalf("CLAUDE_CODE_OAUTH_TOKEN should be stripped in platform-managed mode")
 	}
-	if _, ok := envVars["ANTHROPIC_API_KEY"]; ok {
-		t.Fatalf("ANTHROPIC_API_KEY should not be set when Claude OAuth is present")
+	if got := envVars["ANTHROPIC_API_KEY"]; got != "tenant-admin-token" {
+		t.Fatalf("ANTHROPIC_API_KEY = %q", got)
+	}
+	if got := envVars["ANTHROPIC_BASE_URL"]; got != "https://api.example.test/api/v1/internal/llm/anthropic/v1" {
+		t.Fatalf("ANTHROPIC_BASE_URL = %q", got)
 	}
 	if got := envVars["MOLECULE_LLM_ANTHROPIC_BASE_URL"]; got != "https://api.example.test/api/v1/internal/llm/anthropic/v1" {
 		t.Fatalf("MOLECULE_LLM_ANTHROPIC_BASE_URL = %q", got)
@@ -1048,7 +1051,7 @@ func TestApplyPlatformManagedLLMEnv_ClaudeCodeInjectsAnthropicProxyWhenNoWorkspa
 	t.Setenv("MOLECULE_LLM_USAGE_TOKEN", "tenant-admin-token")

 	envVars := map[string]string{}
-	applyPlatformManagedLLMEnv(envVars, "claude-code", "minimax/MiniMax-M2.7")
+	applyPlatformManagedLLMEnv(context.Background(), envVars, "", "claude-code", "minimax/MiniMax-M2.7")

 	if got := envVars["ANTHROPIC_BASE_URL"]; got != "https://api.example.test/api/v1/internal/llm/anthropic/v1" {
 		t.Fatalf("ANTHROPIC_BASE_URL = %q", got)
@@ -1061,7 +1064,7 @@ func TestApplyPlatformManagedLLMEnv_ClaudeCodeInjectsAnthropicProxyWhenNoWorkspa
 	}
 }

-func TestApplyPlatformManagedLLMEnv_ClaudeCodeDoesNotOverrideVendorBYOK(t *testing.T) {
+func TestApplyPlatformManagedLLMEnv_ClaudeCodeStripsVendorBYOK(t *testing.T) {
 	t.Setenv("MOLECULE_LLM_BILLING_MODE", "platform_managed")
 	t.Setenv("MOLECULE_LLM_BASE_URL", "https://api.example.test/api/v1/internal/llm/openai/v1")
 	t.Setenv("MOLECULE_LLM_ANTHROPIC_BASE_URL", "https://api.example.test/api/v1/internal/llm/anthropic/v1")
@@ -1071,16 +1074,16 @@ func TestApplyPlatformManagedLLMEnv_ClaudeCodeDoesNotOverrideVendorBYOK(t *testi
 		"MINIMAX_API_KEY": "user-minimax-key",
 		"MODEL":           "MiniMax-M2.7",
 	}
-	applyPlatformManagedLLMEnv(envVars, "claude-code", "")
+	applyPlatformManagedLLMEnv(context.Background(), envVars, "", "claude-code", "")

-	if got := envVars["MINIMAX_API_KEY"]; got != "user-minimax-key" {
-		t.Fatalf("MINIMAX_API_KEY was overwritten: %q", got)
+	if _, ok := envVars["MINIMAX_API_KEY"]; ok {
+		t.Fatalf("MINIMAX_API_KEY should be stripped in platform-managed mode")
 	}
-	if _, ok := envVars["ANTHROPIC_API_KEY"]; ok {
-		t.Fatalf("ANTHROPIC_API_KEY should not be set when vendor BYOK is present")
+	if got := envVars["ANTHROPIC_API_KEY"]; got != "tenant-admin-token" {
+		t.Fatalf("ANTHROPIC_API_KEY = %q", got)
 	}
-	if _, ok := envVars["ANTHROPIC_BASE_URL"]; ok {
-		t.Fatalf("ANTHROPIC_BASE_URL should not be set when vendor BYOK is present")
+	if got := envVars["ANTHROPIC_BASE_URL"]; got != "https://api.example.test/api/v1/internal/llm/anthropic/v1" {
+		t.Fatalf("ANTHROPIC_BASE_URL = %q", got)
 	}
 	if got := envVars["MOLECULE_LLM_USAGE_TOKEN"]; got != "tenant-admin-token" {
 		t.Fatalf("MOLECULE_LLM_USAGE_TOKEN = %q", got)
@@ -1093,7 +1096,7 @@ func TestApplyPlatformManagedLLMEnv_NoopsOutsidePlatformManaged(t *testing.T) {
 	t.Setenv("MOLECULE_LLM_USAGE_TOKEN", "tenant-admin-token")

 	envVars := map[string]string{}
-	applyPlatformManagedLLMEnv(envVars, "claude-code", "")
+	applyPlatformManagedLLMEnv(context.Background(), envVars, "", "claude-code", "")

 	if _, ok := envVars["OPENAI_API_KEY"]; ok {
 		t.Fatalf("OPENAI_API_KEY should not be set outside platform-managed mode")
@@ -3,6 +3,7 @@ package handlers
 import (
 	"context"
 	"database/sql"
+	"io"
 	"log"
 	"net/http"
 	"runtime/debug"
@@ -283,7 +284,10 @@ func (h *WorkspaceHandler) Restart(c *gin.Context) {
 		Reset         bool   `json:"reset"`          // #12: discard claude-sessions volume before restart
 		RebuildConfig bool   `json:"rebuild_config"` // #239: re-render config volume from org-template source (recovery path when volume was destroyed)
 	}
-	c.ShouldBindJSON(&body)
+	if err := c.ShouldBindJSON(&body); err != nil && err != io.EOF {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid JSON body"})
+		return
+	}

 	// Read runtime from container's config.yaml before stopping. Docker-
 	// only: in SaaS mode the workspace runs on a remote EC2 and we can't
@@ -292,8 +296,10 @@ func (h *WorkspaceHandler) Restart(c *gin.Context) {
 	containerRuntime := h.restartRuntimeFromConfig(ctx, id, wsName, dbRuntime, body.ApplyTemplate)

 	// Reset to provisioning
-	db.DB.ExecContext(ctx,
-		`UPDATE workspaces SET status = $1, url = '', updated_at = now() WHERE id = $2`, models.StatusProvisioning, id)
+	if _, err := db.DB.ExecContext(ctx,
+		`UPDATE workspaces SET status = $1, url = '', updated_at = now() WHERE id = $2`, models.StatusProvisioning, id); err != nil {
+		log.Printf("Restart: failed to set provisioning status for %s: %v", id, err)
+	}
 	h.broadcaster.RecordAndBroadcast(ctx, string(events.EventWorkspaceProvisioning), id, map[string]interface{}{
 		"name":    wsName,
 		"tier":    tier,
@@ -383,7 +389,9 @@ func (h *WorkspaceHandler) restartRuntimeFromConfig(ctx context.Context, id, wsN
 				if parsed != "" && parsed != containerRuntime {
 					log.Printf("Restart: runtime changed in config.yaml %q→%q for %s", containerRuntime, parsed, wsName)
 					containerRuntime = parsed
-					db.DB.ExecContext(ctx, `UPDATE workspaces SET runtime = $1 WHERE id = $2`, containerRuntime, id)
+					if _, err := db.DB.ExecContext(ctx, `UPDATE workspaces SET runtime = $1 WHERE id = $2`, containerRuntime, id); err != nil {
+						log.Printf("Restart: failed to persist runtime %q for %s: %v", containerRuntime, id, err)
+					}
 				}
 				break
 			}
@@ -466,7 +474,11 @@ func (h *WorkspaceHandler) HibernateWorkspace(ctx context.Context, workspaceID s
 		log.Printf("Hibernate: atomic claim failed for %s: %v", workspaceID, err)
 		return
 	}
-	rowsAffected, _ := result.RowsAffected()
+	rowsAffected, err := result.RowsAffected()
+	if err != nil {
+		log.Printf("Hibernate: RowsAffected error for %s: %v", workspaceID, err)
+		return
+	}
 	if rowsAffected == 0 {
 		// Either already hibernating/hibernated/paused/removed, or active_tasks > 0 —
 		// safe to abort without side-effects.
@@ -794,8 +806,10 @@ func (h *WorkspaceHandler) runRestartCycle(workspaceID string) {

 	h.stopForRestart(ctx, workspaceID)

-	db.DB.ExecContext(ctx,
-		`UPDATE workspaces SET status = $1, url = '', updated_at = now() WHERE id = $2`, models.StatusProvisioning, workspaceID)
+	if _, err := db.DB.ExecContext(ctx,
+		`UPDATE workspaces SET status = $1, url = '', updated_at = now() WHERE id = $2`, models.StatusProvisioning, workspaceID); err != nil {
+		log.Printf("Auto-restart: failed to set provisioning status for %s: %v", workspaceID, err)
+	}
 	h.broadcaster.RecordAndBroadcast(ctx, string(events.EventWorkspaceProvisioning), workspaceID, map[string]interface{}{
 		"name": wsName, "tier": tier, "runtime": dbRuntime,
 	})
@@ -854,12 +868,15 @@ func (h *WorkspaceHandler) Pause(c *gin.Context) {

 	// Collect this workspace + all descendants to pause
 	toPause := []struct{ id, name string }{{id, wsName}}
-	rows, _ := db.DB.QueryContext(ctx,
+	rows, err := db.DB.QueryContext(ctx,
 		`WITH RECURSIVE descendants AS (
 			SELECT id, name FROM workspaces WHERE parent_id = $1 AND status NOT IN ('removed', 'paused')
 			UNION ALL
 			SELECT w.id, w.name FROM workspaces w JOIN descendants d ON w.parent_id = d.id WHERE w.status NOT IN ('removed', 'paused')
 		) SELECT id, name FROM descendants`, id)
+	if err != nil {
+		log.Printf("Pause: descendant query failed for %s: %v", id, err)
+	}
 	if rows != nil {
 		defer rows.Close()
 		for rows.Next() {
@@ -886,8 +903,10 @@ func (h *WorkspaceHandler) Pause(c *gin.Context) {
 		if err := h.StopWorkspaceAuto(ctx, ws.id); err != nil {
 			log.Printf("Pause: stop %s failed: %v — orphan sweeper will reconcile", ws.id, err)
 		}
-		db.DB.ExecContext(ctx,
-			`UPDATE workspaces SET status = $1, url = '', updated_at = now() WHERE id = $2`, models.StatusPaused, ws.id)
+		if _, err := db.DB.ExecContext(ctx,
+			`UPDATE workspaces SET status = $1, url = '', updated_at = now() WHERE id = $2`, models.StatusPaused, ws.id); err != nil {
+			log.Printf("Pause: failed to set paused status for %s: %v", ws.id, err)
+		}
 		db.ClearWorkspaceKeys(ctx, ws.id)
 		h.broadcaster.RecordAndBroadcast(ctx, string(events.EventWorkspacePaused), ws.id, map[string]interface{}{
 			"name": ws.name,
@@ -938,12 +957,15 @@ func (h *WorkspaceHandler) Resume(c *gin.Context) {
 		tier              int
 	}
 	toResume := []wsInfo{{id, wsName, dbRuntime, tier}}
-	rows, _ := db.DB.QueryContext(ctx,
+	rows, err := db.DB.QueryContext(ctx,
 		`WITH RECURSIVE descendants AS (
 			SELECT id, name, tier, COALESCE(runtime, 'claude-code') AS runtime FROM workspaces WHERE parent_id = $1 AND status = 'paused'
 			UNION ALL
 			SELECT w.id, w.name, w.tier, COALESCE(w.runtime, 'claude-code') FROM workspaces w JOIN descendants d ON w.parent_id = d.id WHERE w.status = 'paused'
 		) SELECT id, name, tier, runtime FROM descendants`, id)
+	if err != nil {
+		log.Printf("Resume: descendant query failed for %s: %v", id, err)
+	}
 	if rows != nil {
 		defer rows.Close()
 		for rows.Next() {
@@ -959,8 +981,10 @@ func (h *WorkspaceHandler) Resume(c *gin.Context) {

 	// Re-provision all
 	for _, ws := range toResume {
-		db.DB.ExecContext(ctx,
-			`UPDATE workspaces SET status = $1, updated_at = now() WHERE id = $2`, models.StatusProvisioning, ws.id)
+		if _, err := db.DB.ExecContext(ctx,
+			`UPDATE workspaces SET status = $1, updated_at = now() WHERE id = $2`, models.StatusProvisioning, ws.id); err != nil {
+			log.Printf("Resume: failed to set provisioning status for %s: %v", ws.id, err)
+		}
 		h.broadcaster.RecordAndBroadcast(ctx, string(events.EventWorkspaceProvisioning), ws.id, map[string]interface{}{
 			"name": ws.name, "tier": ws.tier, "runtime": ws.runtime,
 		})
@@ -390,6 +390,8 @@ func TestWorkspaceCreate_DefaultsApplied(t *testing.T) {
 	// Expect RecordAndBroadcast INSERT
 	mock.ExpectExec("INSERT INTO structure_events").
 		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec("INSERT INTO workspace_auth_tokens").
+		WillReturnResult(sqlmock.NewResult(0, 1))

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -438,6 +440,8 @@ func TestWorkspaceCreate_SaaSHardForcesTier4(t *testing.T) {
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectExec("INSERT INTO structure_events").
 		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec("INSERT INTO workspace_auth_tokens").
+		WillReturnResult(sqlmock.NewResult(0, 1))

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -478,6 +482,8 @@ func TestWorkspaceCreate_WithSecrets_Persists(t *testing.T) {
 	// canvas_layouts (non-fatal, outside tx)
 	mock.ExpectExec("INSERT INTO canvas_layouts").
 		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec("INSERT INTO workspace_auth_tokens").
+		WillReturnResult(sqlmock.NewResult(0, 1))

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -501,6 +507,10 @@ func TestWorkspaceCreate_WithSecrets_Persists(t *testing.T) {
 // while persisting a secret causes the entire transaction to roll back and
 // the handler to return 500.  The workspace row must NOT be committed.
 func TestWorkspaceCreate_SecretPersistFails_RollsBack(t *testing.T) {
+	// internal#691: see TestExtended_SecretsSet — same default-closed reasoning.
+	// This test is asserting the rollback path on DB failure, not the strip gate;
+	// keep the org in byok so the OPENAI_API_KEY write reaches the INSERT.
+	t.Setenv("MOLECULE_LLM_BILLING_MODE", "byok")
 	mock := setupTestDB(t)
 	setupTestRedis(t)
 	broadcaster := newTestBroadcaster()
@@ -509,6 +519,14 @@ func TestWorkspaceCreate_SecretPersistFails_RollsBack(t *testing.T) {
 	mock.ExpectBegin()
 	mock.ExpectExec("INSERT INTO workspaces").
 		WillReturnResult(sqlmock.NewResult(0, 1))
+	// internal#691: Create() now resolves billing mode per-workspace before
+	// the secret-strip gate. The workspace row was just inserted in the same
+	// transaction so it isn't readable from a separate query yet; the
+	// resolver expects the SELECT and the mock returns no row → falls back
+	// to the org default (byok, set above) so the OPENAI_API_KEY write
+	// reaches the INSERT-and-fail path this test exercises.
+	mock.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
+		WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}))
 	mock.ExpectExec("INSERT INTO workspace_secrets").
 		WillReturnError(sql.ErrConnDone) // DB failure while writing secret
 	mock.ExpectRollback() // workspace insert must be rolled back
@@ -547,6 +565,8 @@ func TestWorkspaceCreate_EmptySecrets_OK(t *testing.T) {
 	mock.ExpectCommit()
 	mock.ExpectExec("INSERT INTO canvas_layouts").
 		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec("INSERT INTO workspace_auth_tokens").
+		WillReturnResult(sqlmock.NewResult(0, 1))

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -586,6 +606,8 @@ func TestWorkspaceCreate_ExternalURL_SSRFSafe(t *testing.T) {
 	mock.ExpectExec("UPDATE workspaces SET url").
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	// CacheURL is non-fatal — uses Redis (db.RDB, set by setupTestRedis), not the DB.
+	mock.ExpectExec("INSERT INTO workspace_auth_tokens").
+		WillReturnResult(sqlmock.NewResult(0, 1))

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -1797,6 +1819,8 @@ runtime_config:
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectExec("INSERT INTO structure_events").
 		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec("INSERT INTO workspace_auth_tokens").
+		WillReturnResult(sqlmock.NewResult(0, 1))

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -1856,6 +1880,8 @@ model: anthropic:claude-sonnet-4-5
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectExec("INSERT INTO structure_events").
 		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec("INSERT INTO workspace_auth_tokens").
+		WillReturnResult(sqlmock.NewResult(0, 1))

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -1909,6 +1935,8 @@ runtime_config:
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectExec("INSERT INTO structure_events").
 		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec("INSERT INTO workspace_auth_tokens").
+		WillReturnResult(sqlmock.NewResult(0, 1))

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -2054,6 +2082,8 @@ func TestWorkspaceCreate_188_ExplicitRuntimeNoTemplate_OK(t *testing.T) {
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectExec("INSERT INTO structure_events").
 		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec("INSERT INTO workspace_auth_tokens").
+		WillReturnResult(sqlmock.NewResult(0, 1))

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -15,6 +15,7 @@ import (
 	"context"
 	"database/sql"
 	"encoding/json"
+	"log"
 	"path"
 	"strings"
 	"time"
@@ -391,7 +392,9 @@ func extractFilesFromResponse(body json.RawMessage) []ChatAttachment {
 	var probe struct {
 		Result json.RawMessage `json:"result"`
 	}
-	_ = json.Unmarshal(body, &probe)
+	if err := json.Unmarshal(body, &probe); err != nil {
+		log.Printf("messagestore: unmarshal probe body: %v", err)
+	}
 	feed := body
 	if len(probe.Result) > 0 {
 		trimmed := bytesTrimSpace(probe.Result)
@@ -110,10 +110,15 @@ func WorkspaceAuth(database *sql.DB) gin.HandlerFunc {
 			c.Next()
 			return
 		}
-		// Same-origin canvas on tenant image — Referer matches Host.
-		if isSameOriginCanvas(c) {
-			c.Next()
-			return
+		// SaaS-canvas path: a browser cookie is acceptable only after the
+		// control plane confirms membership in this tenant. Referer/Origin
+		// are forgeable and must never authenticate workspace data routes.
+		if cookieHeader := c.GetHeader("Cookie"); cookieHeader != "" {
+			if ok, _ := VerifiedCPSession(cookieHeader); ok {
+				c.Set("cp_session_actor", cpSessionActor(cookieHeader))
+				c.Next()
+				return
+			}
 		}
 		// Local-dev escape hatch — see devmode.go. Unreachable on SaaS
 		// (hosted tenants always have ADMIN_TOKEN + MOLECULE_ENV=production).
@@ -75,6 +75,90 @@ func TestWorkspaceAuth_351_NoBearer_Returns401_NoDBCalls(t *testing.T) {
 	}
 }

+// TestWorkspaceAuth_ForgedSameOriginHeaders_Returns401 pins the production
+// boundary for combined tenant images: Referer/Origin are forgeable request
+// headers and must not authenticate workspace data routes.
+func TestWorkspaceAuth_ForgedSameOriginHeaders_Returns401(t *testing.T) {
+	t.Setenv("MOLECULE_ENV", "production")
+	t.Setenv("ADMIN_TOKEN", "admin-secret")
+	prev := canvasProxyActive
+	canvasProxyActive = true
+	defer func() { canvasProxyActive = prev }()
+
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("sqlmock.New: %v", err)
+	}
+	defer mockDB.Close()
+
+	r := gin.New()
+	r.GET("/workspaces/:id/secrets", WorkspaceAuth(mockDB), func(c *gin.Context) {
+		c.JSON(http.StatusOK, gin.H{"ok": true})
+	})
+	r.DELETE("/workspaces/:id/secrets/:key", WorkspaceAuth(mockDB), func(c *gin.Context) {
+		c.JSON(http.StatusOK, gin.H{"ok": true})
+	})
+
+	for _, tt := range []struct {
+		name   string
+		method string
+		path   string
+	}{
+		{"list secrets", http.MethodGet, "/workspaces/ws-forged/secrets"},
+		{"delete secret", http.MethodDelete, "/workspaces/ws-forged/secrets/HERMES_CUSTOM_API_KEY"},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			w := httptest.NewRecorder()
+			req, _ := http.NewRequest(tt.method, tt.path, nil)
+			req.Host = "tenant.example.test"
+			req.Header.Set("Referer", "https://tenant.example.test/")
+			req.Header.Set("Origin", "https://tenant.example.test")
+			r.ServeHTTP(w, req)
+			if w.Code != http.StatusUnauthorized {
+				t.Fatalf("forged same-origin headers: expected 401, got %d: %s", w.Code, w.Body.String())
+			}
+		})
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
+func TestWorkspaceAuth_VerifiedTenantSessionCookie_AllowsCanvas(t *testing.T) {
+	resetSessionCache()
+	t.Setenv("MOLECULE_ENV", "production")
+	t.Setenv("ADMIN_TOKEN", "admin-secret")
+	t.Setenv("MOLECULE_ORG_SLUG", "tenant-a")
+	srv, _ := mockCPServer(t, http.StatusOK, `{"member":true,"user_id":"u_1","role":"owner","org_id":"org_1"}`)
+	t.Setenv("CP_UPSTREAM_URL", srv.URL)
+
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("sqlmock.New: %v", err)
+	}
+	defer mockDB.Close()
+
+	r := gin.New()
+	r.GET("/workspaces/:id/secrets", WorkspaceAuth(mockDB), func(c *gin.Context) {
+		if _, ok := c.Get("cp_session_actor"); !ok {
+			t.Errorf("cp_session_actor was not set")
+		}
+		c.JSON(http.StatusOK, gin.H{"ok": true})
+	})
+
+	w := httptest.NewRecorder()
+	req, _ := http.NewRequest(http.MethodGet, "/workspaces/ws-session/secrets", nil)
+	req.Header.Set("Cookie", "molecule_session=valid")
+	r.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("verified tenant session: expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
 // TestWorkspaceAuth_C4_C8_NoBearer_Returns401 — C4/C8 critical path:
 // when a workspace has live tokens and the caller sends NO bearer token,
 // the middleware must return 401.  This was the confirmed attack vector —
@@ -24,6 +24,7 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
+	"log"
 	"time"
 )

@@ -130,8 +131,10 @@ func Validate(ctx context.Context, db *sql.DB, plaintext string) (id, prefix, or
 	// Best-effort last_used_at bump. Failure here is acceptable — the
 	// request is already authenticated; we don't want a transient DB
 	// blip to flip a 200 into a 500.
-	_, _ = db.ExecContext(ctx,
-		`UPDATE org_api_tokens SET last_used_at = now() WHERE id = $1`, id)
+	if _, err := db.ExecContext(ctx,
+		`UPDATE org_api_tokens SET last_used_at = now() WHERE id = $1`, id); err != nil {
+		log.Printf("orgtoken: last_used_at bump failed for %s: %v", id, err)
+	}
 	return id, prefix, orgID, nil
 }

@@ -192,7 +195,10 @@ func Revoke(ctx context.Context, db *sql.DB, id string) (bool, error) {
 	if err != nil {
 		return false, fmt.Errorf("orgtoken: revoke: %w", err)
 	}
-	n, _ := res.RowsAffected()
+	n, err := res.RowsAffected()
+	if err != nil {
+		return false, fmt.Errorf("orgtoken: revoke RowsAffected: %w", err)
+	}
 	return n > 0, nil
 }

@@ -398,7 +398,10 @@ func (p *CPProvisioner) Stop(ctx context.Context, workspaceID string) error {
 		return ErrNoBackend
 	}
 	url := fmt.Sprintf("%s/cp/workspaces/%s?instance_id=%s", p.baseURL, workspaceID, instanceID)
-	req, _ := http.NewRequestWithContext(ctx, "DELETE", url, nil)
+	req, err := http.NewRequestWithContext(ctx, "DELETE", url, nil)
+	if err != nil {
+		return fmt.Errorf("cp provisioner: stop: build request: %w", err)
+	}
 	p.provisionAuthHeaders(req)
 	resp, err := p.httpClient.Do(req)
 	if err != nil {
@@ -513,7 +516,10 @@ func (p *CPProvisioner) IsRunning(ctx context.Context, workspaceID string) (bool
 		return false, ErrNoBackend
 	}
 	url := fmt.Sprintf("%s/cp/workspaces/%s/status?instance_id=%s", p.baseURL, workspaceID, instanceID)
-	req, _ := http.NewRequestWithContext(ctx, "GET", url, nil)
+	req, err := http.NewRequestWithContext(ctx, "GET", url, nil)
+	if err != nil {
+		return true, fmt.Errorf("cp provisioner: status: build request: %w", err)
+	}
 	p.provisionAuthHeaders(req)
 	resp, err := p.httpClient.Do(req)
 	if err != nil {
@@ -547,7 +553,10 @@ func (p *CPProvisioner) IsRunning(ctx context.Context, workspaceID string) (bool
 // to render to the user.
 func (p *CPProvisioner) GetConsoleOutput(ctx context.Context, workspaceID string) (string, error) {
 	url := fmt.Sprintf("%s/cp/admin/workspaces/%s/console", p.baseURL, workspaceID)
-	req, _ := http.NewRequestWithContext(ctx, "GET", url, nil)
+	req, err := http.NewRequestWithContext(ctx, "GET", url, nil)
+	if err != nil {
+		return "", fmt.Errorf("cp provisioner: console: build request: %w", err)
+	}
 	p.adminAuthHeaders(req)
 	resp, err := p.httpClient.Do(req)
 	if err != nil {
@@ -190,7 +190,11 @@ func sweepStuckProvisioning(ctx context.Context, emitter ProvisionTimeoutEmitter
 			log.Printf("Provision-timeout sweep: failed to flip %s to failed: %v", c.id, err)
 			continue
 		}
-		affected, _ := res.RowsAffected()
+		affected, err := res.RowsAffected()
+		if err != nil {
+			log.Printf("Provision-timeout sweep: RowsAffected error for %s: %v", c.id, err)
+			continue
+		}
 		if affected == 0 {
 			// Raced with restart / register — no harm, just skip.
 			continue
@@ -173,6 +173,12 @@ func Setup(hub *ws.Hub, broadcaster *events.Broadcaster, prov *provisioner.Provi
 		// so the canvas flips to failed in seconds instead of waiting
 		// for the 10-minute provision-timeout sweeper.
 		wsAdmin.POST("/admin/workspaces/:id/bootstrap-failed", wh.BootstrapFailed)
+		// Per-workspace LLM billing mode override (internal#691). Used by
+		// CP's /cp/admin/workspaces/:id/llm-billing-mode proxy + (via that
+		// proxy) by the canvas Config-tab "LLM Billing" section. Default-
+		// closed resolver lives in handlers/llm_billing_mode.go.
+		wsAdmin.GET("/admin/workspaces/:id/llm-billing-mode", handlers.GetWorkspaceLLMBillingMode)
+		wsAdmin.PUT("/admin/workspaces/:id/llm-billing-mode", handlers.PutWorkspaceLLMBillingMode)
 		// Proxy to CP's serial-console endpoint so the canvas's "View
 		// Logs" button can render the actual boot trace without handing
 		// the tenant AWS credentials. Admin-gated because console output
@@ -217,9 +223,7 @@ func Setup(hub *ws.Hub, broadcaster *events.Broadcaster, prov *provisioner.Provi
 	{
 		// #680: PATCH /workspaces/:id moved under WorkspaceAuth (#680 IDOR fix).
 		// WorkspaceAuth enforces that the caller holds a valid bearer token for
-		// this specific workspace — both auth AND ownership in one check. Cosmetic
-		// updates (x/y drag-reposition, inline rename) from the combined tenant
-		// image canvas still pass via the isSameOriginCanvas bypass in WorkspaceAuth.
+		// this specific workspace, or a control-plane-verified tenant session.
 		wsAuth.PATCH("", wh.Update)

 		// Lifecycle
@@ -282,11 +286,15 @@ func Setup(hub *ws.Hub, broadcaster *events.Broadcaster, prov *provisioner.Provi
 		// POST /memories stays — it routes through the v2 plugin per
 		// #1794 and is the high-volume write surface (workspace
 		// runtimes posting conversation snapshots etc.).
+		// GET /memories restored as a v2 shim (issue #1828) so legacy
+		// SDK callers (AwarenessClient, runtime agents) don't 404 into
+		// the canvas frontend.
 		memsh := handlers.NewMemoriesHandler()
 		if memBundle != nil {
 			memsh.WithMemoryV2(memBundle.Plugin, memBundle.Resolver)
 		}
 		wsAuth.POST("/memories", memsh.Commit)
+		wsAuth.GET("/memories", memsh.Search)

 		// Memory v2 — canvas reads through the plugin so the Memory
 		// tab surfaces post-cutover state (memory_records) instead
@@ -406,7 +406,7 @@ func (s *Scheduler) fireSchedule(ctx context.Context, sched scheduleRow) {

 	msgID := fmt.Sprintf("cron-%s-%s", short(sched.ID, 8), uuid.New().String()[:8])

-	a2aBody, _ := json.Marshal(map[string]interface{}{
+	a2aBody, marshalErr := json.Marshal(map[string]interface{}{
 		"method": "message/send",
 		"params": map[string]interface{}{
 			"message": map[string]interface{}{
@@ -416,6 +416,9 @@ func (s *Scheduler) fireSchedule(ctx context.Context, sched scheduleRow) {
 			},
 		},
 	})
+	if marshalErr != nil {
+		log.Printf("Scheduler '%s': json.Marshal a2aBody failed: %v", sched.Name, marshalErr)
+	}

 	log.Printf("Scheduler: firing '%s' → workspace %s", sched.Name, short(sched.WorkspaceID, 12))

@@ -490,11 +493,13 @@ func (s *Scheduler) fireSchedule(ctx context.Context, sched scheduleRow) {
 	} else if lastStatus == "ok" {
 		// Non-empty success — reset the counter
 		resetCtx, resetCancel := context.WithTimeout(context.Background(), dbQueryTimeout)
-		_, _ = db.DB.ExecContext(resetCtx, `
+		if _, err := db.DB.ExecContext(resetCtx, `
 			UPDATE workspace_schedules
 			SET consecutive_empty_runs = 0,
 			    updated_at = now()
-			WHERE id = $1`, sched.ID)
+			WHERE id = $1`, sched.ID); err != nil {
+			log.Printf("Scheduler: '%s' empty-run reset failed: %v", sched.Name, err)
+		}
 		resetCancel()
 	}

@@ -525,9 +530,11 @@ func (s *Scheduler) fireSchedule(ctx context.Context, sched scheduleRow) {
 			log.Printf("Scheduler: '%s' AUTO-DISABLING after %d consecutive SDK errors (workspace %s)",
 				sched.Name, consecSDK, short(sched.WorkspaceID, 12))
 			autoDisableCtx, autoDisableCancel := context.WithTimeout(context.Background(), dbQueryTimeout)
-			_, _ = db.DB.ExecContext(autoDisableCtx, `
+			if _, err := db.DB.ExecContext(autoDisableCtx, `
 				UPDATE workspace_schedules SET enabled = false, updated_at = now() WHERE id = $1 AND enabled = true`,
-				sched.ID)
+				sched.ID); err != nil {
+				log.Printf("Scheduler: '%s' auto-disable failed: %v", sched.Name, err)
+			}
 			autoDisableCancel()
 		}
 	} else {
@@ -537,11 +544,13 @@ func (s *Scheduler) fireSchedule(ctx context.Context, sched scheduleRow) {
 		// and we should clear the streak.
 		if lastStatus == "ok" {
 			resetCtx, resetCancel := context.WithTimeout(context.Background(), dbQueryTimeout)
-			_, _ = db.DB.ExecContext(resetCtx, `
+			if _, err := db.DB.ExecContext(resetCtx, `
 				UPDATE workspace_schedules
 				SET consecutive_sdk_errors = 0,
 				    updated_at = now()
-				WHERE id = $1`, sched.ID)
+				WHERE id = $1`, sched.ID); err != nil {
+				log.Printf("Scheduler: '%s' SDK-error reset failed: %v", sched.Name, err)
+			}
 			resetCancel()
 		}
 	}
@@ -586,12 +595,15 @@ func (s *Scheduler) fireSchedule(ctx context.Context, sched scheduleRow) {
 	// #2026: sanitize the truncated prompt — even UTF-8-safe truncate() can
 	// carry pre-existing invalid bytes from an agent-edited template. jsonb
 	// columns reject invalid UTF-8 and hold the transaction open.
-	cronMeta, _ := json.Marshal(map[string]interface{}{
+	cronMeta, marshalErr := json.Marshal(map[string]interface{}{
 		"schedule_id":   sched.ID,
 		"schedule_name": sched.Name,
 		"cron_expr":     sched.CronExpr,
 		"prompt":        sanitizeUTF8(textutil.TruncateBytes(sched.Prompt, 200)),
 	})
+	if marshalErr != nil {
+		log.Printf("Scheduler '%s': json.Marshal cronMeta failed: %v", sched.Name, marshalErr)
+	}
 	// #152: persist lastError into error_detail on the activity_logs row
 	// so GET /workspaces/:id/schedules/:id/history can surface why a run
 	// failed (previously dropped — history returned status without any
@@ -658,7 +670,7 @@ func (s *Scheduler) recordSkipped(ctx context.Context, sched scheduleRow, active
 	// #2026: bounded Background() context so the bookkeeping can't block
 	// on a stuck DB and stall the scheduler.
 	skipUpdCtx, skipUpdCancel := context.WithTimeout(context.Background(), dbQueryTimeout)
-	_, _ = db.DB.ExecContext(skipUpdCtx, `
+	if _, err := db.DB.ExecContext(skipUpdCtx, `
 		UPDATE workspace_schedules
 		SET last_run_at = now(),
 		    next_run_at = COALESCE($2, next_run_at),
@@ -667,23 +679,30 @@ func (s *Scheduler) recordSkipped(ctx context.Context, sched scheduleRow, active
 		    last_error = $3,
 		    updated_at = now()
 		WHERE id = $1
-	`, sched.ID, nextRunPtr, sanitizeUTF8(reason))
+	`, sched.ID, nextRunPtr, sanitizeUTF8(reason)); err != nil {
+		log.Printf("Scheduler: '%s' skip update failed: %v", sched.Name, err)
+	}
 	skipUpdCancel()

-	cronMeta, _ := json.Marshal(map[string]interface{}{
+	cronMeta, marshalErr := json.Marshal(map[string]interface{}{
 		"schedule_id":   sched.ID,
 		"schedule_name": sched.Name,
 		"cron_expr":     sched.CronExpr,
 		"skipped":       true,
 		"active_tasks":  activeTasks,
 	})
+	if marshalErr != nil {
+		log.Printf("Scheduler '%s': json.Marshal cronMeta failed: %v", sched.Name, marshalErr)
+	}
 	// #2026: bounded Background() context on the skipped activity log INSERT
 	// for the same reason as the fireSchedule activity_logs INSERT above.
 	skipInsCtx, skipInsCancel := context.WithTimeout(context.Background(), dbQueryTimeout)
-	_, _ = db.DB.ExecContext(skipInsCtx, `
+	if _, err := db.DB.ExecContext(skipInsCtx, `
 		INSERT INTO activity_logs (workspace_id, activity_type, source_id, method, summary, request_body, status, error_detail, created_at)
 		VALUES ($1, 'cron_run', NULL, 'cron', $2, $3::jsonb, 'skipped', $4, now())
-	`, sched.WorkspaceID, sanitizeUTF8("Cron skipped: "+sched.Name), string(cronMeta), sanitizeUTF8(reason))
+	`, sched.WorkspaceID, sanitizeUTF8("Cron skipped: "+sched.Name), string(cronMeta), sanitizeUTF8(reason)); err != nil {
+		log.Printf("Scheduler: '%s' skip activity log failed: %v", sched.Name, err)
+	}
 	skipInsCancel()

 	if s.broadcaster != nil {
@@ -19,6 +19,7 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
+	"log"
 	"strings"
 )

@@ -124,8 +125,10 @@ func ValidateToken(ctx context.Context, db *sql.DB, expectedWorkspaceID, plainte

 	// Best-effort last_used_at update. A failure here (DB hiccup, etc.)
 	// must not cause an otherwise-valid request to 401.
-	_, _ = db.ExecContext(ctx,
-		`UPDATE workspace_auth_tokens SET last_used_at = now() WHERE id = $1`, tokenID)
+	if _, err := db.ExecContext(ctx,
+		`UPDATE workspace_auth_tokens SET last_used_at = now() WHERE id = $1`, tokenID); err != nil {
+		log.Printf("wsauth: last_used_at bump failed for %s: %v", tokenID, err)
+	}
 	return nil
 }

@@ -250,7 +253,9 @@ func ValidateAnyToken(ctx context.Context, db *sql.DB, plaintext string) error {
 	}

 	// Best-effort last_used_at update.
-	_, _ = db.ExecContext(ctx,
-		`UPDATE workspace_auth_tokens SET last_used_at = now() WHERE id = $1`, tokenID)
+	if _, err := db.ExecContext(ctx,
+		`UPDATE workspace_auth_tokens SET last_used_at = now() WHERE id = $1`, tokenID); err != nil {
+		log.Printf("wsauth: last_used_at bump failed for %s: %v", tokenID, err)
+	}
 	return nil
 }
@@ -0,0 +1,4 @@
+-- Reverse internal#691 per-workspace billing mode column.
+-- The column is nullable + check-constrained; dropping it is non-destructive
+-- to org-level behavior (workspaces fall back to the org default again).
+ALTER TABLE workspaces DROP COLUMN IF EXISTS llm_billing_mode;
@@ -0,0 +1,17 @@
+-- Per-workspace llm_billing_mode override (internal#691).
+--
+-- NULL = inherit the org-level default (organizations.llm_billing_mode on CP,
+-- propagated to workspace-server via tenant_config as MOLECULE_LLM_BILLING_MODE).
+-- A non-NULL value overrides the org default for this workspace only.
+--
+-- Resolver contract: workspaces.llm_billing_mode ?? org_default ?? 'platform_managed'.
+-- Default-closed: any NULL, error, unknown enum, or JOIN miss resolves to
+-- 'platform_managed' (the existing implicit default — see internal#691
+-- spec sketch + Phase 1 design comment).
+--
+-- The check constraint mirrors the CP-side credits.LLMBillingMode* constants
+-- (molecule-controlplane/internal/credits/llm_billing.go). Keep in sync if
+-- a new mode is ever added; the resolver also enumerates them explicitly.
+ALTER TABLE workspaces
+  ADD COLUMN IF NOT EXISTS llm_billing_mode TEXT
+  CHECK (llm_billing_mode IS NULL OR llm_billing_mode IN ('platform_managed', 'byok', 'disabled'));