test(e2e): patch 3 more non-external POST /workspaces sites for MODEL_REQUIRED contract

Follow-up to the prior commits in this PR — E2E API Smoke run on commit a3c15bc9 surfaced 3 remaining E2E scripts that POST /workspaces without a model field AND without the external-runtime exemption, so they 422 under the new MODEL_REQUIRED gate. - tests/e2e/test_notify_attachments_e2e.sh:96 — bare {"name":"Notify E2E","tier":1} (no runtime → defaults to langgraph). Adds "model":"anthropic:claude-opus-4-7" to match the deleted DefaultModel("") return value. - tests/e2e/test_priority_runtimes_e2e.sh:192 — runtime:claude-code without model. Adds "model":"sonnet" to match the deleted DefaultModel("claude-code") return value. - tests/e2e/test_priority_runtimes_e2e.sh:384 — runtime:gemini-cli without model. Adds "model":"gemini-2.0-flash" — gemini-cli routes via the gemini provider (per derive-provider.sh), so a gemini:* slug picks the right provider chain. Scripts inspected but NOT patched (already external-exempt): - test_api.sh — both POSTs use runtime:external + external:true - test_today_pr_coverage_e2e.sh — both POSTs use runtime:external + external:true - test_priority_runtimes_e2e.sh:255 — runtime:hermes ALREADY had "model":"openai/gpt-4o" - test_priority_runtimes_e2e.sh:326 — already had "model":"openai/gpt-4o-mini" Other scripts that POST without model (test_a2a_e2e.sh:133, test_activity_e2e.sh:218, test_dev_mode.sh:72, test_workspace_abilities_e2e.sh, test_comprehensive_e2e.sh, test_mcp_stdio_staging.sh, test_chat_upload_e2e.sh, tests/harness/seed.sh) are NOT triggered by the e2e-api.yml workflow that this PR's CI runs — they're tracked for a follow-up sweep once #1667 lands. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
feat(workspace-server): exempt external runtime from MODEL_REQUIRED + E2E updates
2026-05-21 22:16:11 -07:00 · 2026-05-21 21:42:49 -07:00 · 2026-05-21 21:12:24 -07:00 · 2026-05-21 21:06:07 -07:00
84 changed files with 530 additions and 4775 deletions
@@ -1,186 +0,0 @@
-# ci-arm64-advisory — Mac arm64 self-hosted ADVISORY fast-check lane.
-#
-# === WHY ===
-#
-# The amd64 Gitea runner pool (molecule-runner-1..20) is queue-contended
-# (internal#418). This lane offloads the *genuinely container-independent*
-# fast checks (Go build/vet/lint, shellcheck, Python lint) onto the Mac
-# arm64 self-hosted runner so developers get a fast arm64 signal WITHOUT
-# adding load to the starved amd64 pool — capability-honestly, as an
-# additive pilot. Pilot ② of the Mac-CI strategy (CTO-delegated 2026-05-17).
-#
-# === NON-NEGOTIABLE SAFETY CONTRACT (the prime directive) ===
-#
-# This lane is **ADVISORY ONLY**. It is provably incapable of hanging a
-# merge. Concretely:
-#
-#   1. It is a SEPARATE workflow file. `ci.yml` is byte-for-byte
-#      untouched by this PR. The `CI / all-required` aggregator sentinel
-#      and the five contexts it polls
-#      (`CI / Detect changes|Platform (Go)|Canvas (Next.js)|
-#      Shellcheck (E2E scripts)|Python Lint & Test (pull_request)`)
-#      are unchanged. The canonical required gate stays 100% on the
-#      existing amd64 pool.
-#
-#   2. The context this workflow emits is
-#      `ci-arm64-advisory / fast-checks (pull_request)`. That string is
-#      DELIBERATELY NOT present in, and this PR does NOT add it to:
-#        - branch_protections/{main,staging}.status_check_contexts
-#          (DB-verified pb 86/75 = exactly
-#           ["CI / all-required (pull_request)",
-#            "sop-checklist / all-items-acked (pull_request)"])
-#        - audit-force-merge.yml REQUIRED_CHECKS env
-#        - ci.yml `all-required` sentinel's hardcoded `required[]` list
-#      Branch protection therefore never waits on this context. If the
-#      Mac runner is absent / offline / removed, this workflow's status
-#      simply never appears — and because nothing requires it, every
-#      merge proceeds exactly as it does today. There is no path by
-#      which a missing/red arm64 status blocks a merge.
-#
-#   3. `continue-on-error: true` on the job — even a genuine arm64-only
-#      failure (toolchain drift, arch-specific test flake) is surfaced
-#      as information, never as a merge blocker, for the duration of
-#      the pilot.
-#
-#   4. The job carries a `github.event_name` `if:` gate. Beyond its
-#      functional purpose this also keeps the job OUT of
-#      `ci-required-drift.py:ci_job_names()` (which excludes
-#      `github.event_name`/`github.ref`-gated jobs), so the hourly
-#      ci-required-drift sentinel's F1 ("job not under sentinel needs")
-#      cannot ever flag this advisory job. F2/F3 are untouched because
-#      this context is absent from BP and from REQUIRED_CHECKS.
-#      `lint-bp-context-emit-match` only fails on BP→emitter gaps; an
-#      emitter without a BP context is explicitly informational there.
-#
-# === RUNNER TARGETING ===
-#
-# The Mac runner is `hongming-pc-runner-1`. The bare `self-hosted`
-# label is POLLUTED in this Gitea instance: molecule-runner-1..20
-# (the contended amd64 pool) also advertise `self-hosted`. Targeting
-# bare `self-hosted` would route back onto the very pool we are trying
-# to relieve — and onto amd64 hardware. We therefore require an
-# AND-set of labels that ONLY the Mac satisfies. `macos-self-hosted`
-# is Mac-exclusive (the amd64 pool does not carry it). Until the
-# label-install burst (a10862b2) lands `self-hosted`+`macos-self-hosted`
-# on the Mac, the runner's current unique label `hongming-pc-laptop`
-# is also listed; AND-semantics over the labels a runner advertises
-# means a job requiring [self-hosted, macos-self-hosted] can ONLY be
-# claimed once the Mac advertises both. If neither label set is yet
-# present on the Mac, the workflow stays queued harmlessly and is
-# garbage-collected by the normal stale-run reaper — it blocks nothing
-# (see safety contract point 2).
-#
-# === ROLLBACK ===
-#
-# Delete this single file (`git rm .gitea/workflows/ci-arm64-advisory.yml`)
-# and merge. No branch-protection edit, no ci.yml edit, no
-# REQUIRED_CHECKS edit is required to roll back, because none were made
-# to roll forward. Zero blast radius either direction.
-
-name: ci-arm64-advisory
-
-on:
-  push:
-    branches: [main, staging]
-  pull_request:
-    branches: [main, staging]
-
-# Per-ref cancel: a newer commit on the same ref supersedes the older
-# advisory run. Distinct from ci.yml's `ci-${ref}` group so this lane
-# never cancels (or is cancelled by) the canonical required CI.
-concurrency:
-  group: ci-arm64-advisory-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  GITHUB_SERVER_URL: https://git.moleculesai.app
-
-jobs:
-  fast-checks:
-    name: fast-checks
-    # AND-set: only the Mac arm64 runner advertises macos-self-hosted.
-    # See "RUNNER TARGETING" header note for why bare self-hosted is unsafe.
-    runs-on: [self-hosted, macos-self-hosted]
-    # ADVISORY: never blocks. See safety contract point 3.
-    continue-on-error: true
-    # event_name gate: functional (only meaningful on push/PR) AND keeps
-    # this job out of ci-required-drift.py:ci_job_names() so F1 can never
-    # flag it. See safety contract point 4.
-    if: ${{ github.event_name == 'push' || github.event_name == 'pull_request' }}
-    timeout-minutes: 20
-    steps:
-      - name: Provenance — advisory lane, non-gating
-        run: |
-          echo "This is the arm64 ADVISORY fast-check lane."
-          echo "It does NOT gate merges. Canonical required CI is ci.yml"
-          echo "on the amd64 pool. Arch: $(uname -m) on $(uname -s)."
-
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      # ---- Go: build + vet + lint (container-independent: needs only the
-      # Go toolchain; no amd64 ECR image, no docker-in-job). Race-detector
-      # unit-test + coverage gates are deliberately NOT duplicated here —
-      # those stay authoritative on amd64 ci.yml `Platform (Go)`. This lane
-      # is fast-feedback for the compile/vet/lint surface only. ----
-      - name: Setup Go
-        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
-        with:
-          go-version: 'stable'
-      - name: Go build + vet (workspace-server)
-        working-directory: workspace-server
-        run: |
-          go mod download
-          go build ./cmd/server
-          go vet ./...
-      - name: golangci-lint (workspace-server)
-        working-directory: workspace-server
-        run: |
-          go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.12.2
-          "$(go env GOPATH)/bin/golangci-lint" run --timeout 3m ./...
-
-      # ---- Shellcheck (container-independent: shellcheck binary only).
-      # Mirrors ci.yml `Shellcheck (E2E scripts)` bulk pass scope. ----
-      - name: Install shellcheck (arm64)
-        run: |
-          if ! command -v shellcheck >/dev/null 2>&1; then
-            echo "shellcheck not preinstalled on this self-hosted runner."
-            echo "Attempting Homebrew install (Mac arm64)."
-            brew install shellcheck || {
-              echo "::warning::shellcheck unavailable on runner; advisory shellcheck skipped."
-              exit 0
-            }
-          fi
-          shellcheck --version
-      - name: Shellcheck tests/e2e + infra/scripts
-        run: |
-          command -v shellcheck >/dev/null 2>&1 || { echo "skip"; exit 0; }
-          find tests/e2e infra/scripts -type f -name '*.sh' -print0 \
-            | xargs -0 shellcheck --severity=warning
-
-      # ---- Python lint/compile (container-independent: CPython only).
-      # Lint + import-compile surface; the authoritative pytest + coverage
-      # floors stay on amd64 ci.yml `Python Lint & Test`. ----
-      - name: Setup Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: '3.11'
-      - name: Python byte-compile (workspace)
-        working-directory: workspace
-        run: |
-          python -m pip install --quiet ruff || true
-          python -m compileall -q .
-          if command -v ruff >/dev/null 2>&1; then
-            ruff check . || echo "::warning::ruff findings (advisory only)"
-          fi
-
-      - name: Advisory summary
-        if: always()
-        run: |
-          {
-            echo "## arm64 advisory fast-checks complete"
-            echo ""
-            echo "This lane is **advisory** — it does not gate merges."
-            echo "Authoritative required CI remains \`CI / all-required\`"
-            echo "on the amd64 pool (\`ci.yml\`, unchanged by this PR)."
-          } >> "$GITHUB_STEP_SUMMARY"
@@ -98,10 +98,10 @@ jobs:
            --base-ref "$PR_BASE_REF" \
            --push-before "${GITHUB_EVENT_BEFORE:-$PUSH_BEFORE}"

-  # Platform (Go) — Go build/vet/test/lint + coverage gates. The job always
-  # emits the required context, but expensive steps are path-scoped on every
-  # event so docs/E2E/Canvas-only main pushes do not block deploy on unrelated
-  # Go bootstrap work.
+  # Platform (Go) — Go build/vet/test/lint + coverage gates. The always-run
+  # + per-step gating shape preserves the GitHub-side required-check name
+  # contract (so when this Gitea port becomes a required check in Phase 4,
+  # the name match works on PRs that don't touch workspace-server/).
  platform-build:
    name: Platform (Go)
    needs: changes
@@ -125,29 +125,29 @@ jobs:
      run:
        working-directory: workspace-server
    steps:
-      - if: ${{ needs.changes.outputs.platform != 'true' }}
+      - if: ${{ github.event_name == 'pull_request' && needs.changes.outputs.platform != 'true' }}
        working-directory: .
-        run: echo "No workspace-server/** changes — Platform (Go) gate satisfied without running Go build/test/lint."
-      - if: ${{ needs.changes.outputs.platform == 'true' }}
+        run: echo "No workspace-server/** changes on this PR — Platform (Go) gate satisfied without running Go build/test/lint."
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.platform == 'true' }}
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - if: ${{ needs.changes.outputs.platform == 'true' }}
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.platform == 'true' }}
        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
        with:
          go-version: 'stable'
-      - if: ${{ needs.changes.outputs.platform == 'true' }}
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.platform == 'true' }}
        run: go mod download
-      - if: ${{ needs.changes.outputs.platform == 'true' }}
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.platform == 'true' }}
        run: go build ./cmd/server
      # CLI (molecli) moved to standalone repo: git.moleculesai.app/molecule-ai/molecule-cli
-      - if: ${{ needs.changes.outputs.platform == 'true' }}
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.platform == 'true' }}
        run: go vet ./...
-      - if: ${{ needs.changes.outputs.platform == 'true' }}
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.platform == 'true' }}
        name: Install golangci-lint
        run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.12.2
-      - if: ${{ needs.changes.outputs.platform == 'true' }}
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.platform == 'true' }}
        name: Run golangci-lint
        run: $(go env GOPATH)/bin/golangci-lint run --timeout 3m ./...
-      - if: ${{ needs.changes.outputs.platform == 'true' }}
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.platform == 'true' }}
        name: Diagnostic — per-package verbose 60s
        run: |
          set +e
@@ -163,7 +163,7 @@ jobs:
          echo "::endgroup::"
        # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
        continue-on-error: true
-      - if: ${{ needs.changes.outputs.platform == 'true' }}
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.platform == 'true' }}
        name: Run tests with race detection and coverage
        # Explicit timeout: cold runner cache causes OOM kills at ~4m39s on the
        # full ./... suite with race detection + coverage. A 10m per-step timeout
@@ -171,7 +171,7 @@ jobs:
        # instead of OOM-killing. The job-level timeout (15m) is a backstop.
        run: go test -race -timeout 10m -coverprofile=coverage.out ./...

-      - if: ${{ needs.changes.outputs.platform == 'true' }}
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.platform == 'true' }}
        name: Per-file coverage report
        # Advisory — lists every source file with its coverage so reviewers
        # can see at-a-glance where gaps are. Sorted ascending so the worst
@@ -185,7 +185,7 @@ jobs:
                   END {for (f in s) printf "%6.1f%%  %s\n", s[f]/c[f], f}' \
            | sort -n

-      - if: ${{ needs.changes.outputs.platform == 'true' }}
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.platform == 'true' }}
        name: Check coverage thresholds
        # Enforces two gates from #1823 Layer 1:
        #   1. Total floor (25% — ratchet plan in COVERAGE_FLOOR.md).
@@ -282,20 +282,20 @@ jobs:
      run:
        working-directory: canvas
    steps:
-      - if: ${{ needs.changes.outputs.canvas != 'true' }}
+      - if: ${{ github.event_name == 'pull_request' && needs.changes.outputs.canvas != 'true' }}
        working-directory: .
-        run: echo "No canvas/** changes — Canvas (Next.js) gate satisfied without running npm build/test."
-      - if: ${{ needs.changes.outputs.canvas == 'true' }}
+        run: echo "No canvas/** changes on this PR — Canvas (Next.js) gate satisfied without running npm build/test."
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.canvas == 'true' }}
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - if: ${{ needs.changes.outputs.canvas == 'true' }}
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.canvas == 'true' }}
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: '22'
-      - if: ${{ needs.changes.outputs.canvas == 'true' }}
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.canvas == 'true' }}
        run: npm ci --include=optional --prefer-offline
-      - if: ${{ needs.changes.outputs.canvas == 'true' }}
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.canvas == 'true' }}
        run: npm run build
-      - if: ${{ needs.changes.outputs.canvas == 'true' }}
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.canvas == 'true' }}
        name: Run tests with coverage
        # Coverage instrumentation is configured in canvas/vitest.config.ts
        # (provider: v8, reporters: text + html + json-summary). Step 2 of
@@ -304,7 +304,7 @@ jobs:
        # tracked in #1815) after the team sees what current coverage is.
        run: npx vitest run --coverage
      - name: Upload coverage summary as artifact
-        if: ${{ needs.changes.outputs.canvas == 'true' }}
+        if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.canvas == 'true' }}
        # Pinned to v3 for Gitea act_runner v0.6 compatibility — v4+ uses
        # the GHES 3.10+ artifact protocol that Gitea 1.22.x does NOT
        # implement, surfacing as `GHESNotSupportedError: @actions/artifact
@@ -318,7 +318,7 @@ jobs:
          retention-days: 7
          if-no-files-found: warn

-  # Shellcheck (E2E scripts) — required context, path-scoped heavy steps.
+  # Shellcheck (E2E scripts) — required check, always runs.
  shellcheck:
    name: Shellcheck (E2E scripts)
    needs: changes
@@ -326,11 +326,11 @@ jobs:
    # Phase 4 (RFC #219 §1): confirmed green on main 2026-05-12.
    continue-on-error: false
    steps:
-      - if: ${{ needs.changes.outputs.scripts != 'true' }}
-        run: echo "No tests/e2e, scripts, or infra/scripts changes — Shellcheck gate satisfied without running script checks."
-      - if: ${{ needs.changes.outputs.scripts == 'true' }}
+      - if: ${{ github.event_name == 'pull_request' && needs.changes.outputs.scripts != 'true' }}
+        run: echo "No tests/e2e, scripts, or infra/scripts changes on this PR — Shellcheck gate satisfied without running script checks."
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.scripts == 'true' }}
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - if: ${{ needs.changes.outputs.scripts == 'true' }}
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.scripts == 'true' }}
        name: Run shellcheck on tests/e2e/*.sh and infra/scripts/*.sh
        # shellcheck is pre-installed on ubuntu-latest runners (via apt).
        # infra/scripts/ is included because setup.sh + nuke.sh gate the
@@ -341,16 +341,16 @@ jobs:
          find tests/e2e infra/scripts -type f -name '*.sh' -print0 \
            | xargs -0 shellcheck --severity=warning

-      - if: ${{ needs.changes.outputs.scripts == 'true' }}
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.scripts == 'true' }}
        name: Lint cleanup-trap hygiene (RFC #2873)
        run: bash tests/e2e/lint_cleanup_traps.sh

-      - if: ${{ needs.changes.outputs.scripts == 'true' }}
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.scripts == 'true' }}
        name: Run E2E bash unit tests (no live infra)
        run: |
          bash tests/e2e/test_model_slug.sh

-      - if: ${{ needs.changes.outputs.scripts == 'true' }}
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.scripts == 'true' }}
        name: Test ECR promote-tenant-image script (mock-driven, no live infra)
        # Covers scripts/promote-tenant-image.sh — the codified
        # :staging-latest → :latest ECR promote + tenant fleet redeploy
@@ -360,7 +360,7 @@ jobs:
        run: |
          bash scripts/test-promote-tenant-image.sh

-      - if: ${{ needs.changes.outputs.scripts == 'true' }}
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.scripts == 'true' }}
        name: Shellcheck promote-tenant-image script
        # scripts/ is excluded from the bulk shellcheck pass above (legacy
        # SC3040/SC3043 cleanup pending). Run shellcheck explicitly on
@@ -118,7 +118,7 @@ jobs:
    timeout-minutes: 20
    env:
      # claude-code default: cold-start ~5 min (comparable to langgraph),
-      # but uses MiniMax-M2 via the template's third-party-
+      # but uses MiniMax-M2.7-highspeed via the template's third-party-
      # Anthropic-compat path (workspace-configs-templates/claude-code-
      # default/config.yaml:64-69). MiniMax is ~5-10x cheaper than
      # gpt-4.1-mini per token AND avoids the recurring OpenAI quota-
@@ -131,9 +131,9 @@ jobs:
      # on the per-runtime default ("sonnet" → routes to direct
      # Anthropic, defeats the cost saving). Operators can override
      # via workflow_dispatch by setting a different E2E_MODEL_SLUG
-      # input if they need to exercise a specific model. MiniMax-M2 is the
-      # stable staging MiniMax path used by the full-SaaS smoke.
-      E2E_MODEL_SLUG: ${{ github.event.inputs.model_slug || 'MiniMax-M2' }}
+      # input if they need to exercise a specific model. M2.7-highspeed
+      # is "Token Plan only" but cheap-per-token and fast.
+      E2E_MODEL_SLUG: ${{ github.event.inputs.model_slug || 'MiniMax-M2.7-highspeed' }}
      # Bound to 10 min so a stuck provision fails the run instead of
      # holding up the next cron firing. 15-min default in the script
      # is for the on-PR full lifecycle where we have more headroom.
@@ -161,7 +161,7 @@ jobs:
      # and defeats the cost saving. Operators can override via the
      # workflow_dispatch flow (no input wired here yet — runtime
      # override is enough for ad-hoc).
-      E2E_MODEL_SLUG: ${{ github.event.inputs.runtime == 'hermes' && 'openai/gpt-4o' || github.event.inputs.runtime == 'langgraph' && 'openai:gpt-4o' || 'MiniMax-M2' }}
+      E2E_MODEL_SLUG: ${{ github.event.inputs.runtime == 'hermes' && 'openai/gpt-4o' || github.event.inputs.runtime == 'langgraph' && 'openai:gpt-4o' || 'MiniMax-M2.7-highspeed' }}
      E2E_RUN_ID: "${{ github.run_id }}-${{ github.run_attempt }}"
      E2E_KEEP_ORG: ${{ github.event.inputs.keep_org && '1' || '0' }}

@@ -112,9 +112,9 @@ jobs:
      E2E_RUNTIME: claude-code
      # Pin the smoke to a specific MiniMax model rather than relying
      # on the per-runtime default (which could resolve to "sonnet" →
-      # direct Anthropic and defeat the cost saving). MiniMax-M2 is the
-      # stable staging MiniMax path used by the full-SaaS smoke.
-      E2E_MODEL_SLUG: MiniMax-M2
+      # direct Anthropic and defeat the cost saving). M2.7-highspeed
+      # is "Token Plan only" but cheap-per-token and fast.
+      E2E_MODEL_SLUG: MiniMax-M2.7-highspeed
      E2E_RUN_ID: "smoke-${{ github.run_id }}"
      # Debug-only: when an operator dispatches with keep_on_failure=true,
      # the smoke script's E2E_KEEP_ORG=1 path skips teardown so the
@@ -4,7 +4,7 @@
 # use this Makefile; CI calls docker compose / go test directly so the
 # Makefile can evolve without breaking the build.

-.PHONY: help dev up down logs build test e2e-peer-visibility openapi-spec openapi-spec-check
+.PHONY: help dev up down logs build test e2e-peer-visibility

 help: ## Show this help.
 	@grep -E '^[a-zA-Z0-9_-]+:.*?## ' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-22s\033[0m %s\n", $$1, $$2}'
@@ -36,23 +36,3 @@ test: ## Run Go unit tests in workspace-server/.
 # env contract (CLAUDE_CODE_OAUTH_TOKEN / E2E_MINIMAX_API_KEY / etc).
 e2e-peer-visibility: ## Run the LOCAL peer-visibility MCP gate vs the running stack (needs `make up` first).
 	bash tests/e2e/test_peer_visibility_mcp_local.sh
-
-# ─── OpenAPI spec generation (RFC #1706, Phase 1) ─────────────────────
-# Regenerate workspace-server/docs/openapi/swagger.{yaml,json} from
-# swaggo annotations on the gin handlers. Commit the output. CI runs
-# `make openapi-spec-check` to assert no drift between annotations and
-# the committed file — if a PR changes a handler but forgets to
-# regenerate, CI fails with a diff.
-openapi-spec: ## Regenerate OpenAPI spec from workspace-server handler annotations.
-	@command -v swag >/dev/null 2>&1 || go install github.com/swaggo/swag/cmd/swag@v1.16.4
-	cd workspace-server && swag init \
-	  --generalInfo cmd/server/main.go \
-	  --output docs/openapi \
-	  --outputTypes yaml,json \
-	  --dir . \
-	  --parseDependency=false \
-	  --parseInternal=true
-
-openapi-spec-check: openapi-spec ## CI gate — fail if openapi-spec produces a diff vs the committed file.
-	@git diff --exit-code -- workspace-server/docs/openapi/ \
-	  || (echo "openapi-spec is stale — run 'make openapi-spec' and commit the result" && exit 1)
@@ -9,8 +9,6 @@ import { DetailsTab } from "./tabs/DetailsTab";
 import { SkillsTab } from "./tabs/SkillsTab";
 import { ChatTab } from "./tabs/ChatTab";
 import { ConfigTab } from "./tabs/ConfigTab";
-import { ContainerConfigTab } from "./tabs/ContainerConfigTab";
-import { DisplayTab } from "./tabs/DisplayTab";
 import { TerminalTab } from "./tabs/TerminalTab";
 import { FilesTab } from "./tabs/FilesTab";
 import { MemoryInspectorPanel } from "./MemoryInspectorPanel";
@@ -33,8 +31,6 @@ const TABS: { id: PanelTab; label: string; icon: string }[] = [
  { id: "details", label: "Details", icon: "◉" },
  { id: "skills", label: "Plugins", icon: "✦" },
  { id: "terminal", label: "Terminal", icon: "▸" },
-  { id: "display", label: "Display", icon: "▣" },
-  { id: "container-config", label: "Container", icon: "▤" },
  { id: "config", label: "Config", icon: "⚙" },
  { id: "schedule", label: "Schedule", icon: "⏲" },
  { id: "channels", label: "Channels", icon: "⇌" },
@@ -304,8 +300,6 @@ export function SidePanel() {
        {panelTab === "activity" && <ActivityTab key={selectedNodeId} workspaceId={selectedNodeId} />}
        {panelTab === "chat" && <ChatTab key={selectedNodeId} workspaceId={selectedNodeId} data={node.data} />}
        {panelTab === "terminal" && <TerminalTab key={selectedNodeId} workspaceId={selectedNodeId} data={node.data} />}
-        {panelTab === "display" && <DisplayTab key={selectedNodeId} workspaceId={selectedNodeId} />}
-        {panelTab === "container-config" && <ContainerConfigTab key={selectedNodeId} data={node.data} />}
        {panelTab === "config" && <ConfigTab key={selectedNodeId} workspaceId={selectedNodeId} />}
        {panelTab === "schedule" && <ScheduleTab key={selectedNodeId} workspaceId={selectedNodeId} />}
        {panelTab === "channels" && <ChannelsTab key={selectedNodeId} workspaceId={selectedNodeId} />}
@@ -11,8 +11,6 @@ vi.mock("../tabs/DetailsTab", () => ({ DetailsTab: () => null }));
 vi.mock("../tabs/SkillsTab", () => ({ SkillsTab: () => null }));
 vi.mock("../tabs/ChatTab", () => ({ ChatTab: () => null }));
 vi.mock("../tabs/ConfigTab", () => ({ ConfigTab: () => null }));
-vi.mock("../tabs/ContainerConfigTab", () => ({ ContainerConfigTab: () => null }));
-vi.mock("../tabs/DisplayTab", () => ({ DisplayTab: () => null }));
 vi.mock("../tabs/TerminalTab", () => ({ TerminalTab: () => null }));
 vi.mock("../tabs/FilesTab", () => ({ FilesTab: () => null }));
 vi.mock("../MemoryInspectorPanel", () => ({ MemoryInspectorPanel: () => null }));
@@ -76,7 +74,7 @@ import { SidePanel } from "../SidePanel";

 const TABS = [
  "chat", "activity", "details", "skills", "terminal",
-  "display", "container-config", "config", "schedule", "channels", "files", "memory", "traces", "events", "audit",
+  "config", "schedule", "channels", "files", "memory", "traces", "events", "audit",
 ];

 describe("SidePanel — ARIA tablist pattern", () => {
@@ -87,20 +85,10 @@ describe("SidePanel — ARIA tablist pattern", () => {
    expect(tablist.getAttribute("aria-label")).toBe("Workspace panel tabs");
  });

-  it("renders exactly 15 tab buttons", () => {
+  it("renders exactly 13 tab buttons", () => {
    render(<SidePanel />);
    const tabs = screen.getAllByRole("tab");
-    expect(tabs.length).toBe(15);
-  });
-
-  it("renders the Display tab", () => {
-    render(<SidePanel />);
-    expect(document.getElementById("tab-display")).toBeTruthy();
-  });
-
-  it("renders the Container Config tab", () => {
-    render(<SidePanel />);
-    expect(document.getElementById("tab-container-config")).toBeTruthy();
+    expect(tabs.length).toBe(13);
  });

  it("active tab (chat) has aria-selected='true'", () => {
@@ -111,11 +99,11 @@ describe("SidePanel — ARIA tablist pattern", () => {
    expect(chatTab?.getAttribute("aria-selected")).toBe("true");
  });

-  it("all other 14 tabs have aria-selected='false'", () => {
+  it("all other 12 tabs have aria-selected='false'", () => {
    render(<SidePanel />);
    const tabs = screen.getAllByRole("tab");
    const inactive = tabs.filter((t) => t.id !== "tab-chat");
-    expect(inactive.length).toBe(14);
+    expect(inactive.length).toBe(12);
    for (const tab of inactive) {
      expect(tab.getAttribute("aria-selected")).toBe("false");
    }
@@ -128,7 +116,7 @@ describe("SidePanel — ARIA tablist pattern", () => {
    const minusOnes = tabs.filter((t) => t.getAttribute("tabindex") === "-1");
    expect(zeros.length).toBe(1);
    expect(zeros[0].id).toBe("tab-chat");
-    expect(minusOnes.length).toBe(14);
+    expect(minusOnes.length).toBe(12);
  });

  it("active tab has aria-controls='panel-chat' and id='tab-chat'", () => {
@@ -1,96 +0,0 @@
-"use client";
-
-import { runtimeDisplayName } from "@/lib/runtime-names";
-import type { WorkspaceNodeData } from "@/store/canvas";
-
-type Props = {
-  data: Pick<
-    WorkspaceNodeData,
-    "runtime" | "status" | "needsRestart" | "activeTasks" | "deliveryMode"
-    | "workspaceAccess" | "maxConcurrentTasks"
-  >;
-};
-
-export function ContainerConfigTab({ data }: Props) {
-  const runtime = data.runtime || "unknown";
-  const workspaceAccess = formatAccess(data.workspaceAccess);
-  const maxConcurrentTasks = data.maxConcurrentTasks ? String(data.maxConcurrentTasks) : "platform-managed";
-  const mountedPath = "/workspace";
-  const privilegeStatus = "standard";
-  const deliveryMode = data.deliveryMode || "push";
-
-  return (
-    <div className="p-4 space-y-4">
-      <section className="rounded-lg border border-line/50 bg-surface-card/40 p-4">
-        <div className="mb-3">
-          <h3 className="text-sm font-semibold text-ink">Container Config</h3>
-        </div>
-
-        <dl className="grid grid-cols-1 gap-2 text-[11px]">
-          <ConfigRow label="Runtime image" value={runtimeDisplayName(runtime)} detail={runtime} />
-          <ConfigRow label="Workspace access" value={workspaceAccess} />
-          <ConfigRow label="Max concurrent tasks" value={maxConcurrentTasks} />
-          <ConfigRow label="Mounted workspace path" value={mountedPath} />
-          <ConfigRow label="Container privileges" value={privilegeStatus} />
-          <ConfigRow label="Delivery mode" value={deliveryMode} />
-        </dl>
-      </section>
-
-      <section className="rounded-lg border border-line/50 bg-surface-card/40 p-4">
-        <h3 className="mb-3 text-sm font-semibold text-ink">Session Controls</h3>
-        <div className="grid grid-cols-2 gap-2">
-          <ReadOnlyAction label={data.needsRestart ? "Restart required" : "Restart"} />
-          <ReadOnlyAction label="Reset session" />
-        </div>
-      </section>
-
-      <section className="rounded-lg border border-line/50 bg-surface-card/40 p-4">
-        <h3 className="mb-3 text-sm font-semibold text-ink">Status</h3>
-        <dl className="grid grid-cols-1 gap-2 text-[11px]">
-          <ConfigRow label="Container status" value={data.status} />
-          <ConfigRow label="Active tasks" value={String(data.activeTasks ?? 0)} />
-          <ConfigRow label="Mounted path access" value="available" />
-        </dl>
-      </section>
-    </div>
-  );
-}
-
-function formatAccess(value: string | null | undefined): string {
-  if (!value) return "none";
-  return value.replace(/_/g, "-");
-}
-
-function ConfigRow({
-  label,
-  value,
-  detail,
-}: {
-  label: string;
-  value: string;
-  detail?: string;
-}) {
-  return (
-    <div className="flex items-start justify-between gap-3 rounded-md bg-surface-sunken/40 px-3 py-2">
-      <dt className="text-ink-mid">{label}</dt>
-      <dd className="min-w-0 text-right">
-        <div className="font-mono text-ink break-words">{value}</div>
-        {detail && detail !== value && (
-          <div className="mt-0.5 font-mono text-[10px] text-ink-mid break-words">{detail}</div>
-        )}
-      </dd>
-    </div>
-  );
-}
-
-function ReadOnlyAction({ label }: { label: string }) {
-  return (
-    <button
-      type="button"
-      disabled
-      className="rounded-md border border-line/50 bg-surface-sunken/40 px-3 py-2 text-[11px] text-ink-mid disabled:cursor-not-allowed disabled:opacity-70"
-    >
-      {label}
-    </button>
-  );
-}
@@ -1,196 +0,0 @@
-"use client";
-
-import { useEffect, useRef, useState } from "react";
-import { api } from "@/lib/api";
-
-interface DisplayStatus {
-  available: boolean;
-  reason?: string;
-  mode?: string;
-  status?: string;
-  protocol?: string;
-  width?: number;
-  height?: number;
-}
-
-interface DisplayControlStatus {
-  controller: "none" | "user" | "agent";
-  controlled_by?: string;
-  expires_at?: string;
-}
-
-interface Props {
-  workspaceId: string;
-}
-
-export function DisplayTab({ workspaceId }: Props) {
-  const [status, setStatus] = useState<DisplayStatus | null>(null);
-  const [control, setControl] = useState<DisplayControlStatus | null>(null);
-  const [error, setError] = useState<string | null>(null);
-  const [controlError, setControlError] = useState<string | null>(null);
-  const [controlBusy, setControlBusy] = useState(false);
-  const requestGeneration = useRef(0);
-
-  useEffect(() => {
-    const generation = requestGeneration.current + 1;
-    requestGeneration.current = generation;
-    let cancelled = false;
-    setStatus(null);
-    setControl(null);
-    setError(null);
-    setControlError(null);
-    setControlBusy(false);
-    async function load() {
-      try {
-        const displayStatus = await api.get<DisplayStatus>(`/workspaces/${workspaceId}/display`);
-        if (cancelled || requestGeneration.current !== generation) return;
-        setStatus(displayStatus);
-        if (displayStatus.reason === "display_not_enabled") return;
-        try {
-          const displayControl = await api.get<DisplayControlStatus>(`/workspaces/${workspaceId}/display/control`);
-          if (!cancelled && requestGeneration.current === generation) setControl(displayControl);
-        } catch (err) {
-          if (!cancelled && requestGeneration.current === generation) {
-            setControl(null);
-            setControlError("Display control unavailable");
-          }
-        }
-      } catch (err) {
-        if (!cancelled && requestGeneration.current === generation) setError("The display status could not be loaded.");
-      }
-    }
-    load();
-    return () => {
-      cancelled = true;
-    };
-  }, [workspaceId]);
-
-  const acquireControl = async () => {
-    const generation = requestGeneration.current;
-    const controlPath = `/workspaces/${workspaceId}/display/control`;
-    setControlBusy(true);
-    setControlError(null);
-    try {
-      const next = await api.post<DisplayControlStatus>(`${controlPath}/acquire`, {
-        controller: "user",
-        ttl_seconds: 300,
-      });
-      if (requestGeneration.current !== generation) return;
-      setControl(next);
-    } catch (err) {
-      if (requestGeneration.current !== generation) return;
-      setControlError("Failed to take control");
-      try {
-        const latest = await api.get<DisplayControlStatus>(controlPath);
-        if (requestGeneration.current !== generation) return;
-        setControl(latest);
-      } catch {
-        if (requestGeneration.current !== generation) return;
-        setControl(null);
-      }
-    } finally {
-      if (requestGeneration.current === generation) setControlBusy(false);
-    }
-  };
-
-  if (error) {
-    return (
-      <div className="p-5">
-        <div className="rounded-lg border border-red-500/20 bg-red-950/20 p-4">
-          <h3 className="text-sm font-medium text-red-200">Display status unavailable</h3>
-          <p className="mt-2 text-[11px] leading-relaxed text-red-200/75">{error}</p>
-        </div>
-      </div>
-    );
-  }
-
-  if (!status) {
-    return (
-      <div className="p-5">
-        <div className="h-24 rounded-lg border border-line/40 bg-surface-sunken/30 motion-safe:animate-pulse" />
-      </div>
-    );
-  }
-
-  if (!status.available) {
-    const isNotEnabled = status.reason === "display_not_enabled";
-    return (
-      <div className="flex min-h-full flex-col items-center justify-center bg-surface-sunken/30 p-8 text-center">
-        <svg
-          width="72"
-          height="72"
-          viewBox="0 0 72 72"
-          fill="none"
-          aria-hidden="true"
-          className="mb-4 text-ink-mid"
-        >
-          <rect x="12" y="14" width="48" height="36" rx="4" stroke="currentColor" strokeWidth="2.5" opacity="0.65" />
-          <path d="M28 58h16M36 50v8M16 16l40 40" stroke="currentColor" strokeWidth="3" strokeLinecap="round" />
-        </svg>
-        <h3 className="mb-1.5 text-sm font-medium text-ink">
-          {isNotEnabled ? "Display is not enabled for this workspace." : "Display session is not ready."}
-        </h3>
-        <p className="max-w-xs text-[11px] leading-relaxed text-ink-mid">
-          {isNotEnabled
-            ? "Recreate this workspace with display enabled to view and take over its desktop."
-            : "This workspace has display configuration, but the desktop session infrastructure is not configured yet."}
-        </p>
-        {!isNotEnabled && (
-          <>
-            <dl className="mt-5 grid grid-cols-2 gap-x-4 gap-y-2 text-left text-[11px]">
-              <dt className="text-ink-mid">Mode</dt>
-              <dd className="font-mono text-ink">{status.mode || "unknown"}</dd>
-              <dt className="text-ink-mid">Status</dt>
-              <dd className="font-mono text-ink">{status.status || "unknown"}</dd>
-            </dl>
-            <div className="mt-5 w-full max-w-xs border-t border-line/50 pt-4">
-              {control ? (
-                <div className="flex items-center justify-between gap-3 text-left">
-                  <div className="min-w-0">
-                    <p className="text-[11px] font-medium text-ink">
-                      {control.controller === "none"
-                        ? "No active controller"
-                        : `Controlled by ${displayControlActorLabel(control)}`}
-                    </p>
-                    {control.expires_at && (
-                      <p className="mt-1 truncate font-mono text-[10px] text-ink-mid">
-                        Until {new Date(control.expires_at).toLocaleTimeString()}
-                      </p>
-                    )}
-                    {controlError && <p className="mt-1 text-[10px] leading-snug text-red-200">{controlError}</p>}
-                  </div>
-                  {control.controller === "none" && (
-                    <button
-                      type="button"
-                      onClick={acquireControl}
-                      disabled={controlBusy}
-                      className="h-8 shrink-0 rounded border border-line bg-surface px-3 text-[11px] font-medium text-ink hover:bg-surface-elevated disabled:cursor-not-allowed disabled:opacity-60"
-                    >
-                      Take control
-                    </button>
-                  )}
-                </div>
-              ) : (
-                <div className="text-left">
-                  {!controlError && (
-                    <div className="h-8 rounded border border-line/40 bg-surface-sunken/30 motion-safe:animate-pulse" />
-                  )}
-                  {controlError && <p className="mt-2 text-[10px] leading-snug text-red-200">{controlError}</p>}
-                </div>
-              )}
-            </div>
-          </>
-        )}
-      </div>
-    );
-  }
-
-  return null;
-}
-
-function displayControlActorLabel(control: DisplayControlStatus): string {
-  if (control.controller === "agent") return "Agent";
-  if (control.controlled_by === "admin-token") return "Admin";
-  if (control.controlled_by?.startsWith("org-token:")) return "Automation";
-  return "User";
-}
@@ -1,42 +0,0 @@
-// @vitest-environment jsdom
-import { cleanup, render, screen } from "@testing-library/react";
-import { afterEach, describe, expect, it, vi } from "vitest";
-
-vi.mock("@/lib/runtime-names", () => ({
-  runtimeDisplayName: (runtime: string) => runtime,
-}));
-
-import { ContainerConfigTab } from "../ContainerConfigTab";
-
-afterEach(() => {
-  cleanup();
-});
-
-describe("ContainerConfigTab", () => {
-  it("renders read-only runtime and container settings separate from compute shape", () => {
-    render(
-      <ContainerConfigTab
-        data={{
-          runtime: "claude-code",
-          status: "online",
-          needsRestart: false,
-          activeTasks: 2,
-          maxConcurrentTasks: 3,
-          workspaceAccess: "read_write",
-          deliveryMode: "poll",
-        }}
-      />,
-    );
-
-    expect(screen.getByText("Runtime image")).toBeTruthy();
-    expect(screen.getByText("claude-code")).toBeTruthy();
-    expect(screen.getByText("Workspace access")).toBeTruthy();
-    expect(screen.getByText("read-write")).toBeTruthy();
-    expect(screen.getByText("Max concurrent tasks")).toBeTruthy();
-    expect(screen.getByText("3")).toBeTruthy();
-    expect(screen.getByText("/workspace")).toBeTruthy();
-    expect(screen.getByText("Container privileges")).toBeTruthy();
-    expect(screen.queryByText("Instance type")).toBeNull();
-    expect(screen.queryByText("Root volume")).toBeNull();
-  });
-});
@@ -1,250 +0,0 @@
-// @vitest-environment jsdom
-import { describe, it, expect, vi, beforeEach } from "vitest";
-import { cleanup, fireEvent, render, screen, waitFor } from "@testing-library/react";
-
-const { mockGet, mockPost } = vi.hoisted(() => ({ mockGet: vi.fn(), mockPost: vi.fn() }));
-
-vi.mock("@/lib/api", () => ({
-  api: {
-    get: mockGet,
-    post: mockPost,
-  },
-}));
-
-import { DisplayTab } from "../DisplayTab";
-
-describe("DisplayTab", () => {
-  beforeEach(() => {
-    cleanup();
-    mockGet.mockReset();
-    mockPost.mockReset();
-  });
-
-  it("renders unavailable state for non-display workspaces", async () => {
-    mockGet.mockResolvedValueOnce({
-      available: false,
-      reason: "display_not_enabled",
-    });
-
-    render(<DisplayTab workspaceId="ws-no-display" />);
-
-    await waitFor(() => {
-      expect(screen.getByText("Display is not enabled for this workspace.")).toBeTruthy();
-    });
-    expect(mockGet).toHaveBeenCalledWith("/workspaces/ws-no-display/display");
-    expect(mockGet).not.toHaveBeenCalledWith("/workspaces/ws-no-display/display/control");
-  });
-
-  it("renders control acquisition for display-configured workspaces", async () => {
-    mockGet
-      .mockResolvedValueOnce({
-        available: false,
-        reason: "display_session_unavailable",
-        mode: "desktop-control",
-        status: "not_configured",
-      })
-      .mockResolvedValueOnce({
-        controller: "none",
-      });
-    mockPost.mockResolvedValueOnce({
-      controller: "user",
-      controlled_by: "admin-token",
-      expires_at: "2026-05-23T08:48:27Z",
-    });
-
-    render(<DisplayTab workspaceId="ws-display" />);
-
-    await waitFor(() => {
-      expect(screen.getByRole("button", { name: "Take control" })).toBeTruthy();
-    });
-    expect(mockGet).toHaveBeenCalledWith("/workspaces/ws-display/display");
-    expect(mockGet).toHaveBeenCalledWith("/workspaces/ws-display/display/control");
-
-    fireEvent.click(screen.getByRole("button", { name: "Take control" }));
-
-    await waitFor(() => {
-      expect(screen.getByText("Controlled by Admin")).toBeTruthy();
-    });
-    expect(mockPost).toHaveBeenCalledWith("/workspaces/ws-display/display/control/acquire", {
-      controller: "user",
-      ttl_seconds: 300,
-    });
-  });
-
-  it("renders active display control locks as observe-only", async () => {
-    mockGet
-      .mockResolvedValueOnce({
-        available: false,
-        reason: "display_session_unavailable",
-        mode: "desktop-control",
-        status: "not_configured",
-      })
-      .mockResolvedValueOnce({
-        controller: "agent",
-        controlled_by: "sidecar",
-        expires_at: "2026-05-23T08:48:27Z",
-      });
-
-    render(<DisplayTab workspaceId="ws-display" />);
-
-    await waitFor(() => {
-      expect(screen.getByText("Controlled by Agent")).toBeTruthy();
-    });
-    expect(screen.queryByRole("button", { name: "Release" })).toBeNull();
-    expect(screen.queryByRole("button", { name: "Take control" })).toBeNull();
-    expect(mockPost).not.toHaveBeenCalled();
-  });
-
-  it("labels org-token display control locks as automation", async () => {
-    mockGet
-      .mockResolvedValueOnce({
-        available: false,
-        reason: "display_session_unavailable",
-        mode: "desktop-control",
-        status: "not_configured",
-      })
-      .mockResolvedValueOnce({
-        controller: "user",
-        controlled_by: "org-token:abc123",
-        expires_at: "2026-05-23T08:48:27Z",
-      });
-
-    render(<DisplayTab workspaceId="ws-display" />);
-
-    await waitFor(() => {
-      expect(screen.getByText("Controlled by Automation")).toBeTruthy();
-    });
-    expect(screen.queryByText("org-token:abc123")).toBeNull();
-    expect(screen.queryByRole("button", { name: "Take control" })).toBeNull();
-  });
-
-  it("refreshes display control state after failed acquisition", async () => {
-    mockGet
-      .mockResolvedValueOnce({
-        available: false,
-        reason: "display_session_unavailable",
-        mode: "desktop-control",
-        status: "not_configured",
-      })
-      .mockResolvedValueOnce({
-        controller: "none",
-      })
-      .mockResolvedValueOnce({
-        controller: "agent",
-        controlled_by: "sidecar",
-        expires_at: "2026-05-23T08:48:27Z",
-      });
-    mockPost.mockRejectedValueOnce(new Error("API POST /workspaces/ws-display/display/control/acquire: 409 conflict"));
-
-    render(<DisplayTab workspaceId="ws-display" />);
-
-    await waitFor(() => {
-      expect(screen.getByRole("button", { name: "Take control" })).toBeTruthy();
-    });
-
-    fireEvent.click(screen.getByRole("button", { name: "Take control" }));
-
-    await waitFor(() => {
-      expect(screen.getByText("Controlled by Agent")).toBeTruthy();
-    });
-    expect(screen.getByText("Failed to take control")).toBeTruthy();
-    expect(mockGet).toHaveBeenCalledWith("/workspaces/ws-display/display/control");
-    expect(mockGet).toHaveBeenCalledTimes(3);
-    expect(mockPost).toHaveBeenCalledWith("/workspaces/ws-display/display/control/acquire", {
-      controller: "user",
-      ttl_seconds: 300,
-    });
-  });
-
-  it("keeps display status visible without takeover actions when control status fails", async () => {
-    mockGet
-      .mockResolvedValueOnce({
-        available: false,
-        reason: "display_session_unavailable",
-        mode: "desktop-control",
-        status: "not_configured",
-      })
-      .mockRejectedValueOnce(new Error("API GET /workspaces/ws-display/display/control: 401 unauthorized"));
-
-    render(<DisplayTab workspaceId="ws-display" />);
-
-    await waitFor(() => {
-      expect(screen.getByText("Display session is not ready.")).toBeTruthy();
-    });
-    expect(screen.queryByRole("button", { name: "Take control" })).toBeNull();
-    expect(screen.getByText("Display control unavailable")).toBeTruthy();
-  });
-
-  it("does not render raw display status errors", async () => {
-    mockGet.mockRejectedValueOnce(new Error("API GET /workspaces/ws-display/display: 500 secret backend details"));
-
-    render(<DisplayTab workspaceId="ws-display" />);
-
-    await waitFor(() => {
-      expect(screen.getByText("Display status unavailable")).toBeTruthy();
-    });
-    expect(screen.queryByText(/secret backend details/)).toBeNull();
-  });
-
-  it("ignores stale acquire responses after workspace changes", async () => {
-    const acquire = deferred<{ controller: "user"; controlled_by: string; expires_at: string }>();
-    mockGet
-      .mockResolvedValueOnce({
-        available: false,
-        reason: "display_session_unavailable",
-        mode: "desktop-control",
-        status: "not_configured",
-      })
-      .mockResolvedValueOnce({
-        controller: "none",
-      })
-      .mockResolvedValueOnce({
-        available: false,
-        reason: "display_session_unavailable",
-        mode: "desktop-control",
-        status: "not_configured",
-      })
-      .mockResolvedValueOnce({
-        controller: "none",
-      });
-    mockPost.mockReturnValueOnce(acquire.promise);
-
-    const { rerender } = render(<DisplayTab workspaceId="ws-a" />);
-
-    await waitFor(() => {
-      expect(screen.getByRole("button", { name: "Take control" })).toBeTruthy();
-    });
-    fireEvent.click(screen.getByRole("button", { name: "Take control" }));
-
-    rerender(<DisplayTab workspaceId="ws-b" />);
-
-    await waitFor(() => {
-      expect(mockGet).toHaveBeenCalledWith("/workspaces/ws-b/display/control");
-    });
-    await waitFor(() => {
-      expect(screen.getByRole("button", { name: "Take control" })).toBeTruthy();
-    });
-
-    acquire.resolve({
-      controller: "user",
-      controlled_by: "admin-token",
-      expires_at: "2026-05-23T08:48:27Z",
-    });
-    await acquire.promise;
-
-    await waitFor(() => {
-      expect(screen.queryByText("Controlled by Admin")).toBeNull();
-    });
-    expect(screen.getByRole("button", { name: "Take control" })).toBeTruthy();
-  });
-});
-
-function deferred<T>() {
-  let resolve!: (value: T) => void;
-  let reject!: (reason?: unknown) => void;
-  const promise = new Promise<T>((res, rej) => {
-    resolve = res;
-    reject = rej;
-  });
-  return { promise, resolve, reject };
-}
@@ -513,8 +513,6 @@ export function buildNodesAndEdges(
        parentId: ws.parent_id,
        currentTask: ws.current_task || "",
        runtime: ws.runtime || "",
-        workspaceAccess: ws.workspace_access,
-        maxConcurrentTasks: ws.max_concurrent_tasks ?? null,
        needsRestart: false,
        budgetLimit: ws.budget_limit ?? null,
        budgetUsed: ws.budget_used ?? null,
@@ -88,8 +88,6 @@ export interface WorkspaceNodeData extends Record<string, unknown> {
  parentId: string | null;
  currentTask: string;
  runtime: string;
-  workspaceAccess?: string | null;
-  maxConcurrentTasks?: number | null;
  needsRestart: boolean;
  /** USD spend ceiling set by the user; null = unlimited. Added by issue #541. */
  budgetLimit: number | null;
@@ -132,7 +130,7 @@ export interface WorkspaceNodeData extends Record<string, unknown> {
  deliveryMode?: string;
 }

-export type PanelTab = "details" | "skills" | "chat" | "terminal" | "display" | "container-config" | "config" | "schedule" | "channels" | "files" | "memory" | "traces" | "events" | "activity" | "audit";
+export type PanelTab = "details" | "skills" | "chat" | "terminal" | "config" | "schedule" | "channels" | "files" | "memory" | "traces" | "events" | "activity" | "audit";

 export interface ContextMenuState {
  x: number;
@@ -320,13 +320,11 @@ export interface WorkspaceData {
  url: string;
  parent_id: string | null;
  active_tasks: number;
-  max_concurrent_tasks?: number | null;
  last_error_rate: number;
  last_sample_error: string;
  uptime_seconds: number;
  current_task: string;
  runtime: string;
-  workspace_access?: string | null;
  x: number;
  y: number;
  collapsed: boolean;
@@ -19,18 +19,11 @@
 #                                    PR #2558+#2563+#2567 cleared the
 #                                    masking layers.)
 #
-#   claude-code → auth-aware:
-#                  E2E_MINIMAX_API_KEY    → "MiniMax-M2"
-#                  E2E_ANTHROPIC_API_KEY  → "claude-sonnet-4-6"
-#                  otherwise              → "sonnet"
-#
-#                  claude-code provider routing is model-driven. The bare
-#                  "sonnet" alias selects the OAuth provider, so it is only a
-#                  good default when the canary is using Claude Code OAuth or
-#                  intentionally exercising the missing-auth path. MiniMax and
-#                  direct Anthropic API keys need model IDs that resolve to
-#                  their provider entries, otherwise the workspace boots
-#                  reachable but the first A2A call hits the wrong auth path.
+#   claude-code → "sonnet"         (entry-id form: claude-code template's
+#                                    config.yaml uses bare model names,
+#                                    auth comes via CLAUDE_CODE_OAUTH_TOKEN
+#                                    or ANTHROPIC_API_KEY rather than the
+#                                    slug.)
 #
 # When E2E_MODEL_SLUG is set, it overrides this dispatch — useful when an
 # operator dispatches the workflow to test a specific slug.
@@ -52,15 +45,7 @@ pick_model_slug() {
  case "$runtime" in
    hermes)      printf 'openai/gpt-4o' ;;
    langgraph)   printf 'openai:gpt-4o' ;;
-    claude-code)
-      if [ -n "${E2E_MINIMAX_API_KEY:-}" ]; then
-        printf 'MiniMax-M2'
-      elif [ -n "${E2E_ANTHROPIC_API_KEY:-}" ]; then
-        printf 'claude-sonnet-4-6'
-      else
-        printf 'sonnet'
-      fi
-      ;;
+    claude-code) printf 'sonnet' ;;
    *)           printf 'openai/gpt-4o' ;;  # safest fallback (matches hermes)
  esac
 }
@@ -16,7 +16,7 @@ set -uo pipefail
 # Resolve to the lib relative to this test file so the test runs from
 # any cwd (CI, local invocation, repo root).
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-# shellcheck source=tests/e2e/lib/model_slug.sh
+# shellcheck source=lib/model_slug.sh
 source "$SCRIPT_DIR/lib/model_slug.sh"

 PASS=0
@@ -48,16 +48,7 @@ echo
 # ── Per-runtime branches (the load-bearing ones for synth-E2E) ──
 run_test "hermes → slash-form (derive-provider.sh contract)"       hermes      "openai/gpt-4o"
 run_test "langgraph → colon-form (init_chat_model contract)"       langgraph   "openai:gpt-4o"
-run_test "claude-code → OAuth/default alias"                      claude-code "sonnet"
-
-got=$(unset E2E_MODEL_SLUG E2E_ANTHROPIC_API_KEY; E2E_MINIMAX_API_KEY="mx-test" pick_model_slug claude-code)
-assert_eq "claude-code + MiniMax key → MiniMax model"             "$got" "MiniMax-M2"
-
-got=$(unset E2E_MODEL_SLUG E2E_MINIMAX_API_KEY; E2E_ANTHROPIC_API_KEY="sk-ant-test" pick_model_slug claude-code)
-assert_eq "claude-code + Anthropic API key → Anthropic API model" "$got" "claude-sonnet-4-6"
-
-got=$(unset E2E_MODEL_SLUG; E2E_MINIMAX_API_KEY="mx-priority" E2E_ANTHROPIC_API_KEY="sk-ant-loser" pick_model_slug claude-code)
-assert_eq "claude-code + both keys → MiniMax priority"            "$got" "MiniMax-M2"
+run_test "claude-code → bare model name (entry-id form)"           claude-code "sonnet"

 # ── Fallback for unknown runtime ──
 # Picks slash-form (hermes-shaped) since hermes is the historical
@@ -24,12 +24,14 @@
 #
 # Only PROVISIONING differs from staging:
 #   - staging: POST /cp/admin/orgs (cold EC2 tenant) + per-tenant admin
-#     token + each workspace's MCP bearer from the POST /workspaces
-#     create response.
+#     token + each workspace's MCP bearer from create response or an admin
+#     token-mint fallback.
 #   - local:   POST /workspaces directly against the local stack
-#     (BASE, default http://localhost:8080), MCP bearer consumed inline
-#     from the create response (auth_token field). Same model every
-#     other local E2E uses; no new credential/provision flow.
+#     (BASE, default http://localhost:8080), MCP bearer minted via
+#     GET /admin/workspaces/:id/test-token (e2e_mint_test_token —
+#     deterministic, gated by MOLECULE_ENV != production). Same model
+#     every other local E2E (test_priority_runtimes_e2e.sh,
+#     test_api.sh) already uses; no new credential/provision flow.
 #
 # By default the local backend creates external-mode workspace rows and
 # drives the literal MCP path directly. That keeps the local peer-visibility
@@ -79,17 +81,6 @@ NAME_PREFIX="PV-Local-$$-$(date +%H%M%S)"
 log()  { echo "[$(date +%H:%M:%S)] $*"; }
 ok()   { echo "[$(date +%H:%M:%S)] ✅ $*"; }

-extract_auth_token() {
-  python3 -c "
-import sys, json
-try:
-    d = json.load(sys.stdin)
-except Exception:
-    print(''); sys.exit(0)
-print(d.get('auth_token') or d.get('connection', {}).get('auth_token') or '')
-" 2>/dev/null
-}
-
 CREATED_WSIDS=()
 ADMIN_BEARER="${MOLECULE_ADMIN_TOKEN:-${ADMIN_TOKEN:-}}"
 ADMIN_AUTH=()
@@ -140,6 +131,17 @@ if ! curl -fsS "$BASE/health" -m 5 >/dev/null 2>&1; then
  echo "::error::Local stack not healthy at $BASE/health — bring it up (make up) before this gate. Infra, not a workspace bug (feedback_fix_root_not_symptom)." >&2
  exit 1
 fi
+# admin/test-token is the local MCP-bearer mint path; it 404s in
+# production. If it is off, this gate cannot drive the literal call.
+if ! curl -fsS "$BASE/admin/workspaces/preflight-probe/test-token" ${ADMIN_AUTH[@]+"${ADMIN_AUTH[@]}"} -m 5 >/dev/null 2>&1; then
+  # A 404 here is EITHER "no such ws" (fine — endpoint is enabled) OR the
+  # endpoint is disabled (MOLECULE_ENV=production). Distinguish by body.
+  PROBE=$(curl -s "$BASE/admin/workspaces/preflight-probe/test-token" ${ADMIN_AUTH[@]+"${ADMIN_AUTH[@]}"} -m 5 2>/dev/null)
+  if echo "$PROBE" | grep -qi 'production\|disabled\|not found.*endpoint'; then
+    echo "::error::GET /admin/workspaces/:id/test-token disabled (MOLECULE_ENV=production?). Cannot mint a local MCP bearer." >&2
+    exit 1
+  fi
+fi
 ok "    local stack healthy"

 # ─── Resolve per-runtime provisioning secrets ──────────────────────────
@@ -258,12 +260,6 @@ PARENT_MODEL=$(_model_for_runtime "$PARENT_RUNTIME")
 P_RESP=$(curl -s -X POST "$BASE/workspaces" ${ADMIN_AUTH[@]+"${ADMIN_AUTH[@]}"} -H "Content-Type: application/json" \
  -d "{\"name\":\"${NAME_PREFIX}-parent\",\"runtime\":\"$PARENT_RUNTIME\",\"model\":\"$PARENT_MODEL\",\"tier\":3$PARENT_EXTRA,\"secrets\":$PARENT_SECRETS}")
 PARENT_ID=$(echo "$P_RESP" | python3 -c 'import json,sys;print(json.load(sys.stdin).get("id",""))' 2>/dev/null)
-# PARENT_TOKEN captured for symmetry with the per-sibling auth-token
-# capture in the runtime loop below + reserved for follow-up steps
-# that need parent-side auth. Current downstream steps reach the parent
-# via admin token, so the variable isn't dereferenced — SC2034.
-# shellcheck disable=SC2034 # captured for downstream parent-auth use; see #1644 follow-up
-PARENT_TOKEN=$(echo "$P_RESP" | extract_auth_token)
 if [ -z "$PARENT_ID" ]; then
  echo "::error::parent create failed: $(echo "$P_RESP" | head -c 300)" >&2
  exit 1
@@ -279,8 +275,6 @@ log "    PARENT_ID=$PARENT_ID runtime=$PARENT_RUNTIME"
 WS_IDS_MAP=""
 # shellcheck disable=SC2034 # map values are updated through portable eval-based helpers.
 VERDICT_MAP=""
-# shellcheck disable=SC2034 # map values are updated through portable eval-based helpers.
-WS_TOKENS_MAP=""
 _map_set() { # _map_set <mapvarname> <key> <value>
  local __m="$1" __k="$2" __v="$3" __cur
  eval "__cur=\$$__m"
@@ -317,17 +311,11 @@ for rt in $PV_RUNTIMES; do
  R=$(curl -s -X POST "$BASE/workspaces" ${ADMIN_AUTH[@]+"${ADMIN_AUTH[@]}"} -H "Content-Type: application/json" \
    -d "{\"name\":\"${NAME_PREFIX}-$rt\",\"runtime\":\"$CREATE_RUNTIME\",\"model\":\"$CREATE_MODEL\",\"tier\":2,\"parent_id\":\"$PARENT_ID\"$CREATE_EXTRA,\"secrets\":$SEC}")
  WID=$(echo "$R" | python3 -c 'import json,sys;print(json.load(sys.stdin).get("id",""))' 2>/dev/null)
-  WTOK=$(echo "$R" | extract_auth_token)
  if [ -z "$WID" ]; then
    echo "::error::$rt workspace create failed: $(echo "$R" | head -c 300)" >&2
    exit 1
  fi
-  if [ -z "$WTOK" ]; then
-    echo "::error::$rt workspace create did not return an auth_token — cannot drive the literal MCP call" >&2
-    exit 1
-  fi
  _map_set WS_IDS_MAP "$rt" "$WID"
-  _map_set WS_TOKENS_MAP "$rt" "$WTOK"
  CREATED_WSIDS+=("$WID")
  ALL_WS_IDS="$ALL_WS_IDS $WID"
  ACTIVE_RUNTIMES="$ACTIVE_RUNTIMES $rt"
@@ -385,10 +373,10 @@ log "4/5 driving the LITERAL list_peers MCP call per online runtime..."
 echo ""
 for rt in $ONLINE_RUNTIMES; do
  wid="$(_map_get WS_IDS_MAP "$rt")"
-  WTOK="$(_map_get WS_TOKENS_MAP "$rt")"
+  WTOK=$(e2e_mint_test_token "$wid" 2>/dev/null || true)
  if [ -z "$WTOK" ]; then
    echo "--- $rt (ws=$wid) ---"
-    echo "  ✗ $rt: workspace create did not return an auth_token — cannot drive the literal call"
+    echo "  ✗ $rt: could not mint a local MCP bearer (admin/test-token) — cannot drive the literal call"
    _map_set VERDICT_MAP "$rt" "FAIL(no-bearer)"
    REGRESSED=1
    echo ""
@@ -40,10 +40,10 @@
 #   drives: POST /cp/admin/orgs (provision), GET
 #   /cp/admin/orgs/:slug/admin-token (per-tenant token), DELETE
 #   /cp/admin/tenants/:slug (teardown). The per-tenant admin token drives
-#   tenant workspace creation; each workspace's OWN auth_token is consumed
-#   inline from the POST /workspaces 201 response to drive its MCP call.
-#   No dev-only admin token-mint routes are used in this E2E
-#   (feedback_no_dev_only_routes_in_e2e).
+#   tenant workspace creation; each workspace's OWN auth_token drives its
+#   MCP call. External-like runtimes may return the token in POST
+#   /workspaces; managed container runtimes usually require the admin token
+#   mint fallback below.
 #
 # Required env:
 #   MOLECULE_ADMIN_TOKEN   CP admin bearer — Railway staging CP_ADMIN_API_TOKEN
@@ -265,19 +265,44 @@ log "    PARENT_ID=$PARENT_ID"
 # WS_IDS[runtime]=id ; WS_TOKENS[runtime]=auth_token (the MCP bearer)
 declare -A WS_IDS WS_TOKENS
 ALL_WS_IDS="$PARENT_ID"
+TOKEN_ERRORS=0
+TOKEN_ERROR_SUMMARY=""
 for rt in $PV_RUNTIMES; do
  R=$(tenant_call POST /workspaces \
    -d "{\"name\":\"pv-$rt\",\"runtime\":\"$rt\",\"tier\":2,\"parent_id\":\"$PARENT_ID\",\"secrets\":$SECRETS_JSON}")
  WID=$(echo "$R" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null)
+  # External-like runtimes may return connection.auth_token on create.
+  # Managed container runtimes usually return only id/status here, then
+  # receive their bearer through registry/bootstrap; for this literal MCP
+  # driver we mint through the production-safe admin token route below.
  WTOK=$(echo "$R" | extract_auth_token)
-  [ -n "$WID" ] || fail "$rt workspace create failed: $(echo \"$R\" | head -c 300)"
-  [ -n "$WTOK" ] || fail "$rt workspace create did not return an auth_token — cannot drive its MCP call (workspace_id=$WID; create_resp: $(echo \"$R\" | redact_token_body))"
+  [ -n "$WID" ] || fail "$rt workspace create failed: $(echo "$R" | head -c 300)"
+  TOKEN_DIAG=""
+  if [ -z "$WTOK" ]; then
+    TTOK_FILE=$(mktemp)
+    TTOK_CODE=$(tenant_call_capture POST "/admin/workspaces/$WID/tokens" "$TTOK_FILE" 2>/dev/null || echo "curl_error")
+    TTOK_RESP=$(cat "$TTOK_FILE" 2>/dev/null || true)
+    WTOK=$(echo "$TTOK_RESP" | extract_auth_token)
+    TOKEN_DIAG="POST /admin/workspaces/$WID/tokens -> HTTP $TTOK_CODE body: $(echo "$TTOK_RESP" | redact_token_body)"
+    rm -f "$TTOK_FILE"
+  fi
  WS_IDS[$rt]="$WID"
+  if [ -z "$WTOK" ]; then
+    TOKEN_ERRORS=$((TOKEN_ERRORS + 1))
+    TOKEN_ERROR_SUMMARY="${TOKEN_ERROR_SUMMARY}
+[$rt] workspace did not return or mint an auth_token — cannot drive its MCP call (workspace_id=$WID; create_resp: $(echo "$R" | redact_token_body); token_fallbacks: $TOKEN_DIAG)"
+    log "    $rt → $WID (token acquisition failed; continuing to classify other runtimes)"
+    continue
+  fi
  WS_TOKENS[$rt]="$WTOK"
  ALL_WS_IDS="$ALL_WS_IDS $WID"
  log "    $rt → $WID"
 done

+if [ "$TOKEN_ERRORS" -gt 0 ]; then
+  fail "token acquisition failed for $TOKEN_ERRORS runtime(s):$TOKEN_ERROR_SUMMARY"
+fi
+
 if [ "${PV_TOKEN_DIAGNOSTIC_ONLY:-0}" = "1" ]; then
  ok "token diagnostic passed for runtimes: $PV_RUNTIMES"
  exit 0
@@ -25,11 +25,6 @@
 # Optional env:
 #   E2E_RUNTIME                  hermes (default) | claude-code | langgraph
 #   E2E_PROVISION_TIMEOUT_SECS   default 900 (15 min cold EC2 budget)
-#   E2E_WORKSPACE_ONLINE_TIMEOUT_SECS  default 3600 (60 min — hermes
-#                                cold-boot worst-case + slack). Raised from
-#                                1800 (#1646) because flaky tenant-provisioning
-#                                latency (not a code regression) causes
-#                                alternating pass/fail on identical SHAs.
 #   E2E_KEEP_ORG                 1 → skip teardown (debugging only)
 #   E2E_RUN_ID                   Slug suffix; CI: ${GITHUB_RUN_ID}
 #   E2E_MODE                     full (default) | smoke
@@ -61,7 +56,6 @@ CP_URL="${MOLECULE_CP_URL:-https://staging-api.moleculesai.app}"
 ADMIN_TOKEN="${MOLECULE_ADMIN_TOKEN:?MOLECULE_ADMIN_TOKEN required — Railway staging CP_ADMIN_API_TOKEN}"
 RUNTIME="${E2E_RUNTIME:-hermes}"
 PROVISION_TIMEOUT_SECS="${E2E_PROVISION_TIMEOUT_SECS:-900}"
-WORKSPACE_ONLINE_TIMEOUT_SECS="${E2E_WORKSPACE_ONLINE_TIMEOUT_SECS:-3600}"
 RUN_ID_SUFFIX="${E2E_RUN_ID:-$(date +%H%M%S)-$$}"
 MODE="${E2E_MODE:-full}"
 # `canary` is a legacy alias for `smoke` retained for back-compat with
@@ -356,75 +350,6 @@ tenant_call() {
    "$@"
 }

-sanitize_http_body() {
-  python3 -c '
-import re, sys
-s = sys.stdin.read()
-s = re.sub(r"(?i)(Authorization:\s*Bearer\s+)[A-Za-z0-9._~+/=-]+", r"\1[redacted]", s)
-s = re.sub(r"(?i)(\"(?:auth_token|access_token|refresh_token|token|api_key|secret|password)\"\s*:\s*\")[^\"]+\"", r"\1[redacted]\"", s)
-s = re.sub(r"(?i)((?:auth_token|access_token|refresh_token|api_key|secret|password)=)[^&\s]+", r"\1[redacted]", s)
-print(s[:4000])
-'
-}
-
-wait_workspaces_online_routable() {
-  local label="$1"; shift
-  local deadline=$(( $(date +%s) + WORKSPACE_ONLINE_TIMEOUT_SECS ))
-  local wid ws_last_status ws_last_url ws_url_missing_logged ws_failed_logged
-  local ws_json ws_status ws_url ws_last_err
-
-  log "$label"
-  for wid in "$@"; do
-    ws_last_status=""
-    ws_last_url=""
-    ws_url_missing_logged=0
-    ws_failed_logged=0
-    while true; do
-      if [ "$(date +%s)" -gt "$deadline" ]; then
-        ws_last_err=$(tenant_call GET "/workspaces/$wid" 2>/dev/null | \
-          python3 -c "import json,sys; print(json.load(sys.stdin).get('last_sample_error',''))" 2>/dev/null || echo "")
-        fail "Workspace $wid never reached online with a routable URL within ${WORKSPACE_ONLINE_TIMEOUT_SECS}s (~$((WORKSPACE_ONLINE_TIMEOUT_SECS/60)) min) (last status=$ws_last_status, url=$ws_last_url, err=$ws_last_err)"
-      fi
-      ws_json=$(tenant_call GET "/workspaces/$wid" 2>/dev/null || echo '{}')
-      ws_status=$(echo "$ws_json" | python3 -c "import json,sys; print(json.load(sys.stdin).get('status') or '')" 2>/dev/null)
-      ws_url=$(echo "$ws_json" | python3 -c "import json,sys; print(json.load(sys.stdin).get('url') or '')" 2>/dev/null)
-      if [ "$ws_status" != "$ws_last_status" ]; then
-        log "    $wid → $ws_status"
-        ws_last_status="$ws_status"
-      fi
-      if [ -n "$ws_url" ] && [ "$ws_url" != "$ws_last_url" ]; then
-        log "    $wid url ready: $ws_url"
-        ws_last_url="$ws_url"
-      fi
-      case "$ws_status" in
-        online)
-          if [ -n "$ws_url" ]; then
-            break
-          fi
-          if [ "$ws_url_missing_logged" = "0" ]; then
-            log "    $wid online but URL is not assigned yet — waiting for workspace routing readiness"
-            ws_url_missing_logged=1
-          fi
-          sleep 10
-          ;;
-        failed)
-          # Not a hard fail — bootstrap-watcher frequently marks failed at
-          # 5 min on hermes, then heartbeat recovers to online around 10-13
-          # min when install.sh finishes. Log once per workspace so the CI
-          # output isn't spammy.
-          if [ "$ws_failed_logged" = "0" ]; then
-            log "    $wid transiently failed — waiting for heartbeat recovery (bootstrap-watcher deadline, see cp#245)"
-            ws_failed_logged=1
-          fi
-          sleep 10
-          ;;
-        *)      sleep 10 ;;
-      esac
-    done
-    ok "    $wid online and routable"
-  done
-}
-
 # ─── 5. Provision parent workspace ─────────────────────────────────────
 # Inject the LLM provider key so the runtime can authenticate at boot.
 # Branch by which secret is set so the script supports multiple paths
@@ -477,9 +402,9 @@ elif [ -n "${E2E_ANTHROPIC_API_KEY:-}" ]; then
  # is still independent of MOLECULE_STAGING_OPENAI_API_KEY, so an OpenAI
  # quota collapse doesn't wedge this path. Pinned to the claude-code
  # runtime: hermes/langgraph use OpenAI-shaped envs and won't honour
-  # ANTHROPIC_API_KEY without further wiring. pick_model_slug maps this
-  # branch to claude-sonnet-4-6 so the claude-code provider registry
-  # selects anthropic-api instead of the OAuth-only sonnet alias.
+  # ANTHROPIC_API_KEY without further wiring (out of scope for this
+  # branch; if you need a hermes/Anthropic path, dispatch with
+  # E2E_RUNTIME=hermes + E2E_OPENAI_API_KEY pointing at a working key).
  SECRETS_JSON=$(python3 -c "
 import json, os
 k = os.environ['E2E_ANTHROPIC_API_KEY']
@@ -504,7 +429,6 @@ print(json.dumps({
 fi

 MODEL_SLUG=$(pick_model_slug "$RUNTIME")
-log "    MODEL_SLUG=$MODEL_SLUG"

 log "5/11 Provisioning parent workspace (runtime=$RUNTIME)..."
 PARENT_RESP=$(tenant_call POST /workspaces \
@@ -532,16 +456,48 @@ fi
 # deadline fires at 5 min and sets status=failed prematurely; heartbeat
 # then transitions failed → online after install.sh finishes. So:
 #
-#   - ${WORKSPACE_ONLINE_TIMEOUT_SECS}s (~$((WORKSPACE_ONLINE_TIMEOUT_SECS/60)) min)
-#     deadline (hermes worst-case + slack). Configurable via
-#     E2E_WORKSPACE_ONLINE_TIMEOUT_SECS (#1646).
+#   - 20 min deadline (hermes worst-case + slack)
 #   - 'failed' is a TRANSIENT state we must tolerate — log and keep
 #     polling, only hard-fail at the deadline. Pre-bootstrap-watcher-fix
 #     (controlplane#245) this was a flake generator: workspace went
 #     failed→online inside our window but we bailed at the failed read.
-WS_TO_CHECK=("$PARENT_ID")
-[ -n "$CHILD_ID" ] && WS_TO_CHECK+=("$CHILD_ID")
-wait_workspaces_online_routable "7/11 Waiting for workspace(s) to reach status=online (up to $((WORKSPACE_ONLINE_TIMEOUT_SECS/60)) min — hermes cold boot)..." "${WS_TO_CHECK[@]}"
+log "7/11 Waiting for workspace(s) to reach status=online (up to 30 min — hermes cold boot)..."
+WS_DEADLINE=$(( $(date +%s) + 1800 ))
+WS_TO_CHECK="$PARENT_ID"
+[ -n "$CHILD_ID" ] && WS_TO_CHECK="$WS_TO_CHECK $CHILD_ID"
+for wid in $WS_TO_CHECK; do
+  WS_LAST_STATUS=""
+  WS_FAILED_LOGGED=0
+  while true; do
+    if [ "$(date +%s)" -gt "$WS_DEADLINE" ]; then
+      WS_LAST_ERR=$(tenant_call GET "/workspaces/$wid" 2>/dev/null | \
+        python3 -c "import json,sys; print(json.load(sys.stdin).get('last_sample_error',''))" 2>/dev/null || echo "")
+      fail "Workspace $wid never reached online within 20 min (last status=$WS_LAST_STATUS, err=$WS_LAST_ERR)"
+    fi
+    WS_JSON=$(tenant_call GET "/workspaces/$wid" 2>/dev/null || echo '{}')
+    WS_STATUS=$(echo "$WS_JSON" | python3 -c "import json,sys; print(json.load(sys.stdin).get('status',''))" 2>/dev/null)
+    if [ "$WS_STATUS" != "$WS_LAST_STATUS" ]; then
+      log "    $wid → $WS_STATUS"
+      WS_LAST_STATUS="$WS_STATUS"
+    fi
+    case "$WS_STATUS" in
+      online) break ;;
+      failed)
+        # Not a hard fail — bootstrap-watcher frequently marks failed at
+        # 5 min on hermes, then heartbeat recovers to online around 10-13
+        # min when install.sh finishes. Log once per workspace so the CI
+        # output isn't spammy.
+        if [ "$WS_FAILED_LOGGED" = "0" ]; then
+          log "    $wid transiently failed — waiting for heartbeat recovery (bootstrap-watcher deadline, see cp#245)"
+          WS_FAILED_LOGGED=1
+        fi
+        sleep 10
+        ;;
+      *)      sleep 10 ;;
+    esac
+  done
+  ok "    $wid online"
+done

 # ─── 7b. Canvas-terminal diagnose (EIC chain probe) ────────────────────
 # This step exists because the canvas-terminal failure of 2026-05-03
@@ -567,7 +523,7 @@ wait_workspaces_online_routable "7/11 Waiting for workspace(s) to reach status=o
 # probes docker.Ping + container exec; we still expect ok=true there
 # since local-docker is the alternative production path.
 log "7b/11 Canvas-terminal EIC diagnose probe..."
-for wid in "${WS_TO_CHECK[@]}"; do
+for wid in $WS_TO_CHECK; do
  DIAG_JSON=$(tenant_call GET "/workspaces/$wid/terminal/diagnose" 2>/dev/null || echo '{}')
  DIAG_OK=$(echo "$DIAG_JSON" | python3 -c "import json,sys; d=json.load(sys.stdin); print('true' if d.get('ok') else 'false')" 2>/dev/null || echo "false")
  if [ "$DIAG_OK" = "true" ]; then
@@ -603,7 +559,7 @@ CONFIG_PAYLOAD="${CONFIG_MARKER}
 name: synth-canary
 runtime: ${RUNTIME}
 "
-for wid in "${WS_TO_CHECK[@]}"; do
+for wid in $WS_TO_CHECK; do
  PUT_BODY=$(python3 -c "import json,sys; print(json.dumps({'content': sys.stdin.read()}))" <<< "$CONFIG_PAYLOAD")
  # Capture body to a tempfile so curl's -w '%{http_code}' is the only
  # thing on stdout. The first version used `-w '\n%{http_code}\n'` and
@@ -636,12 +592,6 @@ for wid in "${WS_TO_CHECK[@]}"; do
  ok "    $wid config.yaml PUT OK (HTTP $PUT_CODE)"
 done

-# Saving config.yaml follows the same path as Canvas Config Save & Restart.
-# The controlplane can briefly put the workspace back into provisioning and
-# clear its route while the runtime restarts, so A2A must wait on the same
-# externally routable readiness boundary again.
-wait_workspaces_online_routable "7d/11 Waiting for workspace(s) to recover routing after config.yaml PUT..." "${WS_TO_CHECK[@]}"
-
 # ─── 8. A2A round-trip on parent ───────────────────────────────────────
 log "8/11 Sending A2A message to parent — expecting agent response..."
 # Smoke prompt phrasing — DO NOT trim back to the bare "Reply with exactly: PONG"
@@ -681,44 +631,10 @@ print(json.dumps({
 # 90s gives ~3x headroom over observed cold-call P95 (~25-30s).
 # Subsequent A2A turns hit the same workspace and are sub-second, so
 # this only widens the window for step 8/11 of the canary's first turn.
-A2A_TMP=$(mktemp -t synth_a2a.XXXXXX)
-for A2A_ATTEMPT in $(seq 1 12); do
-  : >"$A2A_TMP"
-  set +e
-  A2A_CODE=$(tenant_call POST "/workspaces/$PARENT_ID/a2a" \
-    --max-time 90 \
-    -H "Content-Type: application/json" \
-    -d "$A2A_PAYLOAD" \
-    -o "$A2A_TMP" \
-    -w '%{http_code}' \
-    2>/dev/null)
-  A2A_RC=$?
-  set -e
-  A2A_CODE=${A2A_CODE:-000}
-  A2A_RESP=$(cat "$A2A_TMP" 2>/dev/null || echo "")
-  if [ "$A2A_RC" = "0" ] && [ "$A2A_CODE" -ge 200 ] && [ "$A2A_CODE" -lt 300 ]; then
-    break
-  fi
-
-  A2A_SAFE_BODY=$(printf '%s' "$A2A_RESP" | sanitize_http_body)
-  if echo "$A2A_CODE" | grep -Eq '^(502|503|504)$' && echo "$A2A_SAFE_BODY" | grep -Eqi 'Service Unavailable|Bad Gateway|Gateway Timeout|error code: 502|error code: 504|workspace agent unreachable|connection refused|no healthy upstream|workspace agent busy|native_session'; then
-    log "    A2A cold-start probe attempt $A2A_ATTEMPT/12 returned $A2A_CODE: $A2A_SAFE_BODY"
-    if [ "$A2A_ATTEMPT" -lt 12 ]; then
-      A2A_SLEEP=10
-      if echo "$A2A_SAFE_BODY" | grep -Eqi 'workspace agent busy|native_session'; then
-        A2A_SLEEP=30
-      fi
-      sleep "$A2A_SLEEP"
-      continue
-    fi
-  fi
-  break
-done
-rm -f "$A2A_TMP"
-if [ "$A2A_RC" != "0" ] || [ "$A2A_CODE" -lt 200 ] || [ "$A2A_CODE" -ge 300 ]; then
-  A2A_SAFE_BODY=$(printf '%s' "$A2A_RESP" | sanitize_http_body)
-  fail "A2A POST /workspaces/$PARENT_ID/a2a failed after $A2A_ATTEMPT attempt(s) (curl_rc=$A2A_RC, http=$A2A_CODE): $A2A_SAFE_BODY"
-fi
+A2A_RESP=$(tenant_call POST "/workspaces/$PARENT_ID/a2a" \
+  --max-time 90 \
+  -H "Content-Type: application/json" \
+  -d "$A2A_PAYLOAD")
 AGENT_TEXT=$(echo "$A2A_RESP" | python3 -c "
 import json, sys
 d = json.load(sys.stdin)
@@ -915,50 +831,20 @@ print(json.dumps({
    }
 }))
 ")
-  DELEG_TMP=$(mktemp -t deleg_a2a.XXXXXX)
-  for DELEG_ATTEMPT in $(seq 1 12); do
-    : >"$DELEG_TMP"
-    set +e
-    # Raw curl (not tenant_call) because this call carries an extra
-    # X-Source-Workspace-Id header. Must still send X-Molecule-Org-Id
-    # or TenantGuard 404s — previously missing, caused section 10 to
-    # fail rc=22 despite everything upstream being correct (2026-04-21).
-    DELEG_CODE=$(curl "${CURL_COMMON[@]}" -X POST "$TENANT_URL/workspaces/$CHILD_ID/a2a" \
-      -H "Authorization: Bearer $EFFECTIVE_TENANT_TOKEN" \
-      -H "X-Molecule-Org-Id: $ORG_ID" \
-      -H "X-Source-Workspace-Id: $PARENT_ID" \
-      -H "Content-Type: application/json" \
-      -d "$DELEG_PAYLOAD" \
-      -o "$DELEG_TMP" \
-      -w '%{http_code}' \
-      2>/dev/null)
-    DELEG_RC=$?
-    set -e
-    DELEG_CODE=${DELEG_CODE:-000}
-    DELEG_RESP=$(cat "$DELEG_TMP" 2>/dev/null || echo "")
-    if [ "$DELEG_RC" = "0" ] && [ "$DELEG_CODE" -ge 200 ] && [ "$DELEG_CODE" -lt 300 ]; then
-      break
-    fi
-
-    DELEG_SAFE_BODY=$(printf '%s' "$DELEG_RESP" | sanitize_http_body)
-    if echo "$DELEG_CODE" | grep -Eq '^(502|503|504)$' && echo "$DELEG_SAFE_BODY" | grep -Eqi 'Service Unavailable|Bad Gateway|Gateway Timeout|error code: 502|error code: 504|workspace agent unreachable|connection refused|no healthy upstream|workspace agent busy|native_session'; then
-      log "    Delegation A2A cold-start attempt $DELEG_ATTEMPT/12 returned $DELEG_CODE: $DELEG_SAFE_BODY"
-      if [ "$DELEG_ATTEMPT" -lt 12 ]; then
-        DELEG_SLEEP=10
-        if echo "$DELEG_SAFE_BODY" | grep -Eqi 'workspace agent busy|native_session'; then
-          DELEG_SLEEP=30
-        fi
-        sleep "$DELEG_SLEEP"
-        continue
-      fi
-    fi
-    break
-  done
-  rm -f "$DELEG_TMP"
-  if [ "$DELEG_RC" != "0" ] || [ "$DELEG_CODE" -lt 200 ] || [ "$DELEG_CODE" -ge 300 ]; then
-    DELEG_SAFE_BODY=$(printf '%s' "$DELEG_RESP" | sanitize_http_body)
-    fail "Delegation A2A POST failed after $DELEG_ATTEMPT attempt(s) (curl_rc=$DELEG_RC, http=$DELEG_CODE): $DELEG_SAFE_BODY"
-  fi
+  set +e
+  # Raw curl (not tenant_call) because this call carries an extra
+  # X-Source-Workspace-Id header. Must still send X-Molecule-Org-Id
+  # or TenantGuard 404s — previously missing, caused section 10 to
+  # fail rc=22 despite everything upstream being correct (2026-04-21).
+  DELEG_RESP=$(curl "${CURL_COMMON[@]}" -X POST "$TENANT_URL/workspaces/$CHILD_ID/a2a" \
+    -H "Authorization: Bearer $EFFECTIVE_TENANT_TOKEN" \
+    -H "X-Molecule-Org-Id: $ORG_ID" \
+    -H "X-Source-Workspace-Id: $PARENT_ID" \
+    -H "Content-Type: application/json" \
+    -d "$DELEG_PAYLOAD")
+  DELEG_RC=$?
+  set -e
+  [ $DELEG_RC -ne 0 ] && fail "Delegation A2A POST failed (rc=$DELEG_RC)"
  DELEG_TEXT=$(echo "$DELEG_RESP" | python3 -c "
 import json, sys
 try:
@@ -1,18 +0,0 @@
-from pathlib import Path
-
-
-ROOT = Path(__file__).resolve().parents[1]
-
-
-def test_staging_e2e_workflows_use_stable_minimax_default() -> None:
-    """Keep cron/push E2E on the same MiniMax model as the smoke-tested script."""
-    workflow_paths = [
-        ".gitea/workflows/e2e-staging-saas.yml",
-        ".gitea/workflows/staging-smoke.yml",
-        ".gitea/workflows/continuous-synth-e2e.yml",
-    ]
-
-    for rel in workflow_paths:
-        text = (ROOT / rel).read_text()
-        assert "MiniMax-M2.7-highspeed" not in text
-        assert "MiniMax-M2" in text
@@ -705,7 +705,7 @@ def test_ci_change_detector_docs_and_meta_scripts_do_not_trigger_surfaces():
    }


-def test_ci_platform_go_steps_are_path_scoped_on_all_events():
+def test_ci_platform_go_pr_steps_are_path_scoped():
    doc = yaml.safe_load(CI_WORKFLOW.read_text(encoding="utf-8"))
    platform = doc["jobs"]["platform-build"]
    assert platform.get("needs") == "changes"
@@ -720,11 +720,11 @@ def test_ci_platform_go_steps_are_path_scoped_on_all_events():
    assert expensive_steps
    for step in expensive_steps:
        expr = step.get("if", "")
+        assert "github.event_name != 'pull_request'" in expr
        assert "needs.changes.outputs.platform == 'true'" in expr
-        assert "github.event_name != 'pull_request'" not in expr


-def test_ci_canvas_nextjs_steps_are_path_scoped_on_all_events():
+def test_ci_canvas_nextjs_pr_steps_are_path_scoped():
    doc = yaml.safe_load(CI_WORKFLOW.read_text(encoding="utf-8"))
    canvas = doc["jobs"]["canvas-build"]
    assert canvas.get("needs") == "changes"
@@ -739,11 +739,11 @@ def test_ci_canvas_nextjs_steps_are_path_scoped_on_all_events():
    assert expensive_steps
    for step in expensive_steps:
        expr = step.get("if", "")
+        assert "github.event_name != 'pull_request'" in expr
        assert "needs.changes.outputs.canvas == 'true'" in expr
-        assert "github.event_name != 'pull_request'" not in expr


-def test_ci_shellcheck_steps_are_path_scoped_on_all_events():
+def test_ci_shellcheck_pr_steps_are_path_scoped():
    doc = yaml.safe_load(CI_WORKFLOW.read_text(encoding="utf-8"))
    shellcheck = doc["jobs"]["shellcheck"]
    assert shellcheck.get("needs") == "changes"
@@ -756,5 +756,5 @@ def test_ci_shellcheck_steps_are_path_scoped_on_all_events():
    assert expensive_steps
    for step in expensive_steps:
        expr = step.get("if", "")
+        assert "github.event_name != 'pull_request'" in expr
        assert "needs.changes.outputs.scripts == 'true'" in expr
-        assert "github.event_name != 'pull_request'" not in expr
@@ -1,26 +1,3 @@
-// Package main runs the per-tenant workspace-server.
-//
-//	@title			Molecule AI Workspace Server API
-//	@version		1.0
-//	@description	The per-tenant workspace-server HTTP API. Single source of truth for workspace/schedule/agent/secrets/files/memory CRUD. Hand-written clients (canvas, molecule-mcp-server, molecule-cli, molecule-sdk-python) should be replaced by clients generated from this spec — see RFC #1706.
-//	@host			api.moleculesai.app
-//	@BasePath		/
-//	@schemes		https
-//
-//	@securityDefinitions.apikey	BearerAuth
-//	@in							header
-//	@name						Authorization
-//	@description				Bearer token issued by Gitea (org-admin or persona PAT) or by the platform's signup/SSO flow.
-//
-//	@securityDefinitions.apikey	OrgSlugAuth
-//	@in							header
-//	@name						X-Molecule-Org-Slug
-//	@description				Tenant routing header — required on every /workspaces/{id}/* request so the platform edge can route to the correct per-tenant workspace-server. Either X-Molecule-Org-Slug (human-readable, e.g. "agents-team") or X-Molecule-Org-Id (UUID) must be sent; slug is preferred for client code.
-//
-//	@securityDefinitions.apikey	OrgIdAuth
-//	@in							header
-//	@name						X-Molecule-Org-Id
-//	@description				Tenant routing header (UUID form). Alternative to X-Molecule-Org-Slug. At least one of OrgSlugAuth or OrgIdAuth must be sent alongside BearerAuth.
 package main

 import (
@@ -393,9 +370,8 @@ func main() {
 	// See molecule-core#7.
 	bindHost := resolveBindHost()
 	srv := &http.Server{
-		Addr:              fmt.Sprintf("%s:%s", bindHost, port),
-		Handler:           r,
-		ReadHeaderTimeout: 5 * time.Second,
+		Addr:    fmt.Sprintf("%s:%s", bindHost, port),
+		Handler: r,
 	}

 	// Start server in goroutine
@@ -1,521 +0,0 @@
-{
-    "schemes": [
-        "https"
-    ],
-    "swagger": "2.0",
-    "info": {
-        "description": "The per-tenant workspace-server HTTP API. Single source of truth for workspace/schedule/agent/secrets/files/memory CRUD. Hand-written clients (canvas, molecule-mcp-server, molecule-cli, molecule-sdk-python) should be replaced by clients generated from this spec — see RFC #1706.",
-        "title": "Molecule AI Workspace Server API",
-        "contact": {},
-        "version": "1.0"
-    },
-    "host": "api.moleculesai.app",
-    "basePath": "/",
-    "paths": {
-        "/workspaces/{id}/schedules": {
-            "get": {
-                "security": [
-                    {
-                        "BearerAuth": [],
-                        "OrgSlugAuth": []
-                    }
-                ],
-                "produces": [
-                    "application/json"
-                ],
-                "tags": [
-                    "schedules"
-                ],
-                "summary": "List schedules for a workspace",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "Workspace ID",
-                        "name": "id",
-                        "in": "path",
-                        "required": true
-                    }
-                ],
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "type": "array",
-                            "items": {
-                                "$ref": "#/definitions/handlers.ScheduleResponse"
-                            }
-                        }
-                    },
-                    "500": {
-                        "description": "Internal Server Error",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    }
-                }
-            },
-            "post": {
-                "security": [
-                    {
-                        "BearerAuth": [],
-                        "OrgSlugAuth": []
-                    }
-                ],
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
-                ],
-                "tags": [
-                    "schedules"
-                ],
-                "summary": "Create a schedule",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "Workspace ID",
-                        "name": "id",
-                        "in": "path",
-                        "required": true
-                    },
-                    {
-                        "description": "Schedule fields",
-                        "name": "body",
-                        "in": "body",
-                        "required": true,
-                        "schema": {
-                            "$ref": "#/definitions/handlers.CreateScheduleRequest"
-                        }
-                    }
-                ],
-                "responses": {
-                    "201": {
-                        "description": "Created",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.CreateScheduleResponse"
-                        }
-                    },
-                    "400": {
-                        "description": "Bad Request",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
-                    "500": {
-                        "description": "Internal Server Error",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    }
-                }
-            }
-        },
-        "/workspaces/{id}/schedules/{scheduleId}": {
-            "delete": {
-                "security": [
-                    {
-                        "BearerAuth": [],
-                        "OrgSlugAuth": []
-                    }
-                ],
-                "produces": [
-                    "application/json"
-                ],
-                "tags": [
-                    "schedules"
-                ],
-                "summary": "Delete a schedule",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "Workspace ID",
-                        "name": "id",
-                        "in": "path",
-                        "required": true
-                    },
-                    {
-                        "type": "string",
-                        "description": "Schedule ID",
-                        "name": "scheduleId",
-                        "in": "path",
-                        "required": true
-                    }
-                ],
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.StatusResponse"
-                        }
-                    },
-                    "404": {
-                        "description": "Not Found",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
-                    "500": {
-                        "description": "Internal Server Error",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    }
-                }
-            },
-            "patch": {
-                "security": [
-                    {
-                        "BearerAuth": [],
-                        "OrgSlugAuth": []
-                    }
-                ],
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
-                ],
-                "tags": [
-                    "schedules"
-                ],
-                "summary": "Update a schedule",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "Workspace ID",
-                        "name": "id",
-                        "in": "path",
-                        "required": true
-                    },
-                    {
-                        "type": "string",
-                        "description": "Schedule ID",
-                        "name": "scheduleId",
-                        "in": "path",
-                        "required": true
-                    },
-                    {
-                        "description": "Partial schedule fields (only provided keys are updated)",
-                        "name": "body",
-                        "in": "body",
-                        "required": true,
-                        "schema": {
-                            "$ref": "#/definitions/handlers.UpdateScheduleRequest"
-                        }
-                    }
-                ],
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ScheduleResponse"
-                        }
-                    },
-                    "400": {
-                        "description": "Bad Request",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
-                    "404": {
-                        "description": "Not Found",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
-                    "500": {
-                        "description": "Internal Server Error",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    }
-                }
-            }
-        },
-        "/workspaces/{id}/schedules/{scheduleId}/history": {
-            "get": {
-                "security": [
-                    {
-                        "BearerAuth": [],
-                        "OrgSlugAuth": []
-                    }
-                ],
-                "produces": [
-                    "application/json"
-                ],
-                "tags": [
-                    "schedules"
-                ],
-                "summary": "Get past runs of a schedule",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "Workspace ID",
-                        "name": "id",
-                        "in": "path",
-                        "required": true
-                    },
-                    {
-                        "type": "string",
-                        "description": "Schedule ID",
-                        "name": "scheduleId",
-                        "in": "path",
-                        "required": true
-                    }
-                ],
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "type": "array",
-                            "items": {
-                                "$ref": "#/definitions/handlers.HistoryEntry"
-                            }
-                        }
-                    },
-                    "500": {
-                        "description": "Internal Server Error",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    }
-                }
-            }
-        },
-        "/workspaces/{id}/schedules/{scheduleId}/run": {
-            "post": {
-                "security": [
-                    {
-                        "BearerAuth": [],
-                        "OrgSlugAuth": []
-                    }
-                ],
-                "produces": [
-                    "application/json"
-                ],
-                "tags": [
-                    "schedules"
-                ],
-                "summary": "Fire a schedule manually",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "Workspace ID",
-                        "name": "id",
-                        "in": "path",
-                        "required": true
-                    },
-                    {
-                        "type": "string",
-                        "description": "Schedule ID",
-                        "name": "scheduleId",
-                        "in": "path",
-                        "required": true
-                    }
-                ],
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.RunNowResponse"
-                        }
-                    },
-                    "404": {
-                        "description": "Not Found",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
-                    "500": {
-                        "description": "Internal Server Error",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    }
-                }
-            }
-        }
-    },
-    "definitions": {
-        "handlers.CreateScheduleRequest": {
-            "type": "object",
-            "required": [
-                "cron_expr",
-                "prompt"
-            ],
-            "properties": {
-                "cron_expr": {
-                    "type": "string"
-                },
-                "enabled": {
-                    "type": "boolean"
-                },
-                "name": {
-                    "type": "string"
-                },
-                "prompt": {
-                    "type": "string"
-                },
-                "timezone": {
-                    "type": "string"
-                }
-            }
-        },
-        "handlers.CreateScheduleResponse": {
-            "type": "object",
-            "properties": {
-                "id": {
-                    "type": "string"
-                },
-                "next_run_at": {
-                    "type": "string"
-                },
-                "status": {
-                    "type": "string"
-                }
-            }
-        },
-        "handlers.ErrorResponse": {
-            "type": "object",
-            "properties": {
-                "error": {
-                    "type": "string"
-                }
-            }
-        },
-        "handlers.HistoryEntry": {
-            "type": "object",
-            "properties": {
-                "duration_ms": {
-                    "type": "integer"
-                },
-                "error_detail": {
-                    "type": "string"
-                },
-                "request": {
-                    "type": "object"
-                },
-                "status": {
-                    "type": "string"
-                },
-                "timestamp": {
-                    "type": "string"
-                }
-            }
-        },
-        "handlers.RunNowResponse": {
-            "type": "object",
-            "properties": {
-                "prompt": {
-                    "type": "string"
-                },
-                "status": {
-                    "type": "string"
-                },
-                "workspace_id": {
-                    "type": "string"
-                }
-            }
-        },
-        "handlers.ScheduleResponse": {
-            "type": "object",
-            "properties": {
-                "created_at": {
-                    "type": "string"
-                },
-                "cron_expr": {
-                    "type": "string"
-                },
-                "enabled": {
-                    "type": "boolean"
-                },
-                "id": {
-                    "type": "string"
-                },
-                "last_error": {
-                    "type": "string"
-                },
-                "last_run_at": {
-                    "type": "string"
-                },
-                "last_status": {
-                    "type": "string"
-                },
-                "name": {
-                    "type": "string"
-                },
-                "next_run_at": {
-                    "type": "string"
-                },
-                "prompt": {
-                    "type": "string"
-                },
-                "run_count": {
-                    "type": "integer"
-                },
-                "source": {
-                    "description": "'template' (seeded by org/import) | 'runtime' (created via Canvas/API). Issue #24.",
-                    "type": "string"
-                },
-                "timezone": {
-                    "type": "string"
-                },
-                "updated_at": {
-                    "type": "string"
-                },
-                "workspace_id": {
-                    "type": "string"
-                }
-            }
-        },
-        "handlers.StatusResponse": {
-            "type": "object",
-            "properties": {
-                "status": {
-                    "type": "string"
-                }
-            }
-        },
-        "handlers.UpdateScheduleRequest": {
-            "type": "object",
-            "properties": {
-                "cron_expr": {
-                    "type": "string"
-                },
-                "enabled": {
-                    "type": "boolean"
-                },
-                "name": {
-                    "type": "string"
-                },
-                "prompt": {
-                    "type": "string"
-                },
-                "timezone": {
-                    "type": "string"
-                }
-            }
-        }
-    },
-    "securityDefinitions": {
-        "BearerAuth": {
-            "description": "Bearer token issued by Gitea (org-admin or persona PAT) or by the platform's signup/SSO flow.",
-            "type": "apiKey",
-            "name": "Authorization",
-            "in": "header"
-        },
-        "OrgIdAuth": {
-            "description": "Tenant routing header (UUID form). Alternative to X-Molecule-Org-Slug. At least one of OrgSlugAuth or OrgIdAuth must be sent alongside BearerAuth.",
-            "type": "apiKey",
-            "name": "X-Molecule-Org-Id",
-            "in": "header"
-        },
-        "OrgSlugAuth": {
-            "description": "Tenant routing header — required on every /workspaces/{id}/* request so the platform edge can route to the correct per-tenant workspace-server. Either X-Molecule-Org-Slug (human-readable, e.g. \"agents-team\") or X-Molecule-Org-Id (UUID) must be sent; slug is preferred for client code.",
-            "type": "apiKey",
-            "name": "X-Molecule-Org-Slug",
-            "in": "header"
-        }
-    }
-}
@@ -1,349 +0,0 @@
-basePath: /
-definitions:
-  handlers.CreateScheduleRequest:
-    properties:
-      cron_expr:
-        type: string
-      enabled:
-        type: boolean
-      name:
-        type: string
-      prompt:
-        type: string
-      timezone:
-        type: string
-    required:
-    - cron_expr
-    - prompt
-    type: object
-  handlers.CreateScheduleResponse:
-    properties:
-      id:
-        type: string
-      next_run_at:
-        type: string
-      status:
-        type: string
-    type: object
-  handlers.ErrorResponse:
-    properties:
-      error:
-        type: string
-    type: object
-  handlers.HistoryEntry:
-    properties:
-      duration_ms:
-        type: integer
-      error_detail:
-        type: string
-      request:
-        type: object
-      status:
-        type: string
-      timestamp:
-        type: string
-    type: object
-  handlers.RunNowResponse:
-    properties:
-      prompt:
-        type: string
-      status:
-        type: string
-      workspace_id:
-        type: string
-    type: object
-  handlers.ScheduleResponse:
-    properties:
-      created_at:
-        type: string
-      cron_expr:
-        type: string
-      enabled:
-        type: boolean
-      id:
-        type: string
-      last_error:
-        type: string
-      last_run_at:
-        type: string
-      last_status:
-        type: string
-      name:
-        type: string
-      next_run_at:
-        type: string
-      prompt:
-        type: string
-      run_count:
-        type: integer
-      source:
-        description: '''template'' (seeded by org/import) | ''runtime'' (created via
-          Canvas/API). Issue #24.'
-        type: string
-      timezone:
-        type: string
-      updated_at:
-        type: string
-      workspace_id:
-        type: string
-    type: object
-  handlers.StatusResponse:
-    properties:
-      status:
-        type: string
-    type: object
-  handlers.UpdateScheduleRequest:
-    properties:
-      cron_expr:
-        type: string
-      enabled:
-        type: boolean
-      name:
-        type: string
-      prompt:
-        type: string
-      timezone:
-        type: string
-    type: object
-host: api.moleculesai.app
-info:
-  contact: {}
-  description: 'The per-tenant workspace-server HTTP API. Single source of truth for
-    workspace/schedule/agent/secrets/files/memory CRUD. Hand-written clients (canvas,
-    molecule-mcp-server, molecule-cli, molecule-sdk-python) should be replaced by
-    clients generated from this spec — see RFC #1706.'
-  title: Molecule AI Workspace Server API
-  version: "1.0"
-paths:
-  /workspaces/{id}/schedules:
-    get:
-      parameters:
-      - description: Workspace ID
-        in: path
-        name: id
-        required: true
-        type: string
-      produces:
-      - application/json
-      responses:
-        "200":
-          description: OK
-          schema:
-            items:
-              $ref: '#/definitions/handlers.ScheduleResponse'
-            type: array
-        "500":
-          description: Internal Server Error
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-      security:
-      - BearerAuth: []
-        OrgSlugAuth: []
-      summary: List schedules for a workspace
-      tags:
-      - schedules
-    post:
-      consumes:
-      - application/json
-      parameters:
-      - description: Workspace ID
-        in: path
-        name: id
-        required: true
-        type: string
-      - description: Schedule fields
-        in: body
-        name: body
-        required: true
-        schema:
-          $ref: '#/definitions/handlers.CreateScheduleRequest'
-      produces:
-      - application/json
-      responses:
-        "201":
-          description: Created
-          schema:
-            $ref: '#/definitions/handlers.CreateScheduleResponse'
-        "400":
-          description: Bad Request
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-        "500":
-          description: Internal Server Error
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-      security:
-      - BearerAuth: []
-        OrgSlugAuth: []
-      summary: Create a schedule
-      tags:
-      - schedules
-  /workspaces/{id}/schedules/{scheduleId}:
-    delete:
-      parameters:
-      - description: Workspace ID
-        in: path
-        name: id
-        required: true
-        type: string
-      - description: Schedule ID
-        in: path
-        name: scheduleId
-        required: true
-        type: string
-      produces:
-      - application/json
-      responses:
-        "200":
-          description: OK
-          schema:
-            $ref: '#/definitions/handlers.StatusResponse'
-        "404":
-          description: Not Found
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-        "500":
-          description: Internal Server Error
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-      security:
-      - BearerAuth: []
-        OrgSlugAuth: []
-      summary: Delete a schedule
-      tags:
-      - schedules
-    patch:
-      consumes:
-      - application/json
-      parameters:
-      - description: Workspace ID
-        in: path
-        name: id
-        required: true
-        type: string
-      - description: Schedule ID
-        in: path
-        name: scheduleId
-        required: true
-        type: string
-      - description: Partial schedule fields (only provided keys are updated)
-        in: body
-        name: body
-        required: true
-        schema:
-          $ref: '#/definitions/handlers.UpdateScheduleRequest'
-      produces:
-      - application/json
-      responses:
-        "200":
-          description: OK
-          schema:
-            $ref: '#/definitions/handlers.ScheduleResponse'
-        "400":
-          description: Bad Request
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-        "404":
-          description: Not Found
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-        "500":
-          description: Internal Server Error
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-      security:
-      - BearerAuth: []
-        OrgSlugAuth: []
-      summary: Update a schedule
-      tags:
-      - schedules
-  /workspaces/{id}/schedules/{scheduleId}/history:
-    get:
-      parameters:
-      - description: Workspace ID
-        in: path
-        name: id
-        required: true
-        type: string
-      - description: Schedule ID
-        in: path
-        name: scheduleId
-        required: true
-        type: string
-      produces:
-      - application/json
-      responses:
-        "200":
-          description: OK
-          schema:
-            items:
-              $ref: '#/definitions/handlers.HistoryEntry'
-            type: array
-        "500":
-          description: Internal Server Error
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-      security:
-      - BearerAuth: []
-        OrgSlugAuth: []
-      summary: Get past runs of a schedule
-      tags:
-      - schedules
-  /workspaces/{id}/schedules/{scheduleId}/run:
-    post:
-      parameters:
-      - description: Workspace ID
-        in: path
-        name: id
-        required: true
-        type: string
-      - description: Schedule ID
-        in: path
-        name: scheduleId
-        required: true
-        type: string
-      produces:
-      - application/json
-      responses:
-        "200":
-          description: OK
-          schema:
-            $ref: '#/definitions/handlers.RunNowResponse'
-        "404":
-          description: Not Found
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-        "500":
-          description: Internal Server Error
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-      security:
-      - BearerAuth: []
-        OrgSlugAuth: []
-      summary: Fire a schedule manually
-      tags:
-      - schedules
-schemes:
- https
-securityDefinitions:
-  BearerAuth:
-    description: Bearer token issued by Gitea (org-admin or persona PAT) or by the
-      platform's signup/SSO flow.
-    in: header
-    name: Authorization
-    type: apiKey
-  OrgIdAuth:
-    description: Tenant routing header (UUID form). Alternative to X-Molecule-Org-Slug.
-      At least one of OrgSlugAuth or OrgIdAuth must be sent alongside BearerAuth.
-    in: header
-    name: X-Molecule-Org-Id
-    type: apiKey
-  OrgSlugAuth:
-    description: Tenant routing header — required on every /workspaces/{id}/* request
-      so the platform edge can route to the correct per-tenant workspace-server. Either
-      X-Molecule-Org-Slug (human-readable, e.g. "agents-team") or X-Molecule-Org-Id
-      (UUID) must be sent; slug is preferred for client code.
-    in: header
-    name: X-Molecule-Org-Slug
-    type: apiKey
-swagger: "2.0"
@@ -116,11 +116,8 @@ func (d *DiscordAdapter) SendMessage(ctx context.Context, config map[string]inte
 			// would propagate that token into logs and error responses (#659).
 			return fmt.Errorf("discord: HTTP request failed")
 		}
-		body, readErr := io.ReadAll(io.LimitReader(resp.Body, 4096))
+		body, _ := io.ReadAll(io.LimitReader(resp.Body, 4096))
 		_ = resp.Body.Close()
-		if readErr != nil {
-			return fmt.Errorf("discord: read response body: %w", readErr)
-		}

 		// Discord returns 204 No Content on success.
 		if resp.StatusCode != http.StatusNoContent && resp.StatusCode != http.StatusOK {
@@ -119,10 +119,7 @@ func (l *LarkAdapter) SendMessage(ctx context.Context, config map[string]interfa
 	}
 	defer func() { _ = resp.Body.Close() }()

-	body, readErr := io.ReadAll(resp.Body)
-	if readErr != nil {
-		return fmt.Errorf("lark: read response body: %w", readErr)
-	}
+	body, _ := io.ReadAll(resp.Body)
 	if resp.StatusCode != http.StatusOK {
 		return fmt.Errorf("lark: webhook returned %d: %s", resp.StatusCode, strings.TrimSpace(string(body)))
 	}
@@ -156,9 +156,6 @@ func (m *Manager) PausePollersForToken(workspaceID, botToken string) func() {
 			}
 		}
 	}
-	if err := rows.Err(); err != nil {
-		log.Printf("Channels: pause-pollers rows.Err: %v", err)
-	}
 	m.mu.Unlock()

 	if len(pausedIDs) == 0 {
@@ -207,16 +204,8 @@ func (m *Manager) Reload(ctx context.Context) {
 			log.Printf("Channels: reload scan error: %v", err)
 			continue
 		}
-		if err := json.Unmarshal(configJSON, &ch.Config); err != nil {
-			log.Printf("Channels: reload config unmarshal error for %s: %v", truncID(ch.ID), err)
-			continue
-		}
-		if len(allowedJSON) > 0 {
-			if err := json.Unmarshal(allowedJSON, &ch.AllowedUsers); err != nil {
-				log.Printf("Channels: reload allowed_users unmarshal error for %s: %v", truncID(ch.ID), err)
-				continue
-			}
-		}
+		_ = json.Unmarshal(configJSON, &ch.Config)
+		_ = json.Unmarshal(allowedJSON, &ch.AllowedUsers)
 		// #319: decrypt at the boundary between DB (ciphertext) and the
 		// in-memory config adapters consume. A decrypt failure logs and
 		// skips the channel — downstream getUpdates would fail anyway
@@ -227,9 +216,6 @@ func (m *Manager) Reload(ctx context.Context) {
 		}
 		desired[ch.ID] = ch
 	}
-	if err := rows.Err(); err != nil {
-		log.Printf("Channels: reload rows.Err: %v", err)
-	}

 	m.mu.Lock()
 	defer m.mu.Unlock()
@@ -487,9 +473,6 @@ func (m *Manager) BroadcastToWorkspaceChannels(ctx context.Context, workspaceID,
 			}
 		}
 	}
-	if err := rows.Err(); err != nil {
-		log.Printf("Channels: broadcast rows.Err: %v", err)
-	}
 }

 // FetchWorkspaceChannelContext returns recent Slack channel messages formatted
@@ -572,14 +555,8 @@ func (m *Manager) loadChannel(ctx context.Context, channelID string) (ChannelRow
 	if err != nil {
 		return ch, fmt.Errorf("channel %s not found: %w", channelID, err)
 	}
-	if err := json.Unmarshal(configJSON, &ch.Config); err != nil {
-		return ch, fmt.Errorf("channel %s config unmarshal: %w", channelID, err)
-	}
-	if len(allowedJSON) > 0 {
-		if err := json.Unmarshal(allowedJSON, &ch.AllowedUsers); err != nil {
-			return ch, fmt.Errorf("channel %s allowed_users unmarshal: %w", channelID, err)
-		}
-	}
+	json.Unmarshal(configJSON, &ch.Config)
+	json.Unmarshal(allowedJSON, &ch.AllowedUsers)
 	// #319: decrypt bot_token / webhook_secret — SendOutbound and adapter
 	// methods downstream read them as plaintext strings.
 	if err := DecryptSensitiveFields(ch.Config); err != nil {
@@ -171,11 +171,8 @@ func (s *SlackAdapter) sendBotMessage(ctx context.Context, config map[string]int
 		if err != nil {
 			return fmt.Errorf("slack: send: %w", err)
 		}
-		respBody, readErr := io.ReadAll(io.LimitReader(resp.Body, 4096))
+		respBody, _ := io.ReadAll(io.LimitReader(resp.Body, 4096))
 		_ = resp.Body.Close()
-		if readErr != nil {
-			return fmt.Errorf("slack: read response body: %w", readErr)
-		}
 		var result struct {
 			OK    bool   `json:"ok"`
 			Error string `json:"error"`
@@ -211,13 +208,9 @@ func (s *SlackAdapter) sendWebhookMessage(ctx context.Context, config map[string
 	if err != nil {
 		return fmt.Errorf("slack: send: %w", err)
 	}
-	defer func() { _ = resp.Body.Close() }()

 	if resp.StatusCode != http.StatusOK {
-		body, readErr := io.ReadAll(resp.Body)
-		if readErr != nil {
-			return fmt.Errorf("slack: webhook returned %d (read body failed: %v)", resp.StatusCode, readErr)
-		}
+		body, _ := io.ReadAll(resp.Body)
 		return fmt.Errorf("slack: webhook returned %d: %s", resp.StatusCode, strings.TrimSpace(string(body)))
 	}
 	return nil
@@ -531,11 +524,8 @@ func FetchChannelHistory(ctx context.Context, botToken, channelID string, limit
 	if err != nil {
 		return nil, err
 	}
-	body, readErr := io.ReadAll(io.LimitReader(resp.Body, 65536))
+	body, _ := io.ReadAll(io.LimitReader(resp.Body, 65536))
 	_ = resp.Body.Close()
-	if readErr != nil {
-		return nil, fmt.Errorf("slack: read history response: %w", readErr)
-	}

 	var result struct {
 		OK       bool                  `json:"ok"`
@@ -71,30 +71,35 @@ func (h *WorkspaceHandler) handleA2ADispatchError(ctx context.Context, workspace
 	// with 202 status here was the original cycle 53 bug — callers saw
 	// proxyErr != nil and logged "delegation failed: proxy a2a error".
 	if isUpstreamBusyError(err) {
-		// #1684 / Reno Stars: native_session adapters previously took a
-		// 503-no-enqueue path here, on the assumption that the SDK owned
-		// an inbound queue and the platform a2a_queue would double-buffer.
-		// In practice, the common native_session SDKs (claude-agent-sdk,
-		// codex app-server, hermes-agent) do NOT have an inbound queue —
-		// new turns can only be pushed via the same HTTP POST that just
-		// returned busy. So cron fires (and any A2A retry) bounce 503
-		// every tick until the SDK voluntarily yields. Reno Stars #1684
-		// observed 12 consecutive `*/30` cron fires lost over 6h while a
-		// single native_session held the slot.
+		// Capability primitive #5 — see project memory
+		// `project_runtime_native_pluggable.md`. When the target workspace's
+		// adapter has declared provides_native_session=True, the SDK
+		// owns its own queue/session state (claude-agent-sdk's streaming
+		// session, hermes-agent's in-container event log, etc.). Adding
+		// the platform's a2a_queue layer on top would double-buffer the
+		// same in-flight state — and worse, the platform queue's drain
+		// timing has no relationship to the SDK's actual readiness, so
+		// the queued request might dispatch while the SDK is STILL busy.
 		//
-		// The original concern — "drain timing has no relationship to SDK
-		// readiness" — turns out to be unfounded: heartbeat→drain is
-		// gated by `payload.ActiveTasks < maxConcurrent` in
-		// registry.go:Heartbeat, so drain only fires when the workspace
-		// itself reports spare capacity. That IS the session-ended
-		// signal. The native_session SDK reports ActiveTasks=1 while in a
-		// turn, ActiveTasks=0 when idle, and the next heartbeat after
-		// idle triggers DrainQueueForWorkspace.
-		//
-		// So we collapse the two branches: both native_session and
-		// non-native callers enqueue here. The native_session SDK's own
-		// in-flight POST stays unaffected; the queued item drains on the
-		// next post-idle heartbeat.
+		// For native_session targets, return 503 + Retry-After directly.
+		// The caller's adapter handles retry on its own schedule, and
+		// the SDK's own queue absorbs the in-flight request when it does.
+		// Observability is preserved: logA2AFailure already ran above;
+		// activity_logs records the busy event; the broadcaster fires.
+		if runtimeOverrides.HasCapability(workspaceID, "session") {
+			log.Printf("ProxyA2A: target %s busy and declares native_session — skip enqueue, return 503", workspaceID)
+			return 0, nil, &proxyA2AError{
+				Status:  http.StatusServiceUnavailable,
+				Headers: map[string]string{"Retry-After": strconv.Itoa(busyRetryAfterSeconds)},
+				Response: gin.H{
+					"error":          "workspace agent busy — adapter handles retry (native_session)",
+					"busy":           true,
+					"retry_after":    busyRetryAfterSeconds,
+					"native_session": true,
+				},
+			}
+		}
+
 		idempotencyKey := extractIdempotencyKey(body)
 		// Honor params.expires_in_seconds when the caller specifies one. Zero
 		// (the unset default) → expiresAt = nil → infinite TTL preserved by
@@ -39,7 +39,6 @@ func TestAdminTestToken_EnabledViaFlagEvenInProd(t *testing.T) {
 	mock := setupTestDB(t)
 	t.Setenv("MOLECULE_ENV", "production")
 	t.Setenv("MOLECULE_ENABLE_TEST_TOKENS", "1")
-	t.Setenv("ADMIN_TOKEN", "")

 	mock.ExpectQuery("SELECT id FROM workspaces WHERE id =").
 		WithArgs("ws-1").
@@ -59,7 +58,6 @@ func TestAdminTestToken_EnabledViaFlagEvenInProd(t *testing.T) {
 func TestAdminTestToken_WorkspaceNotFound(t *testing.T) {
 	mock := setupTestDB(t)
 	t.Setenv("MOLECULE_ENV", "development")
-	t.Setenv("ADMIN_TOKEN", "")

 	mock.ExpectQuery("SELECT id FROM workspaces WHERE id =").
 		WithArgs("missing").
@@ -77,7 +75,6 @@ func TestAdminTestToken_WorkspaceNotFound(t *testing.T) {
 func TestAdminTestToken_HappyPath_TokenValidates(t *testing.T) {
 	mock := setupTestDB(t)
 	t.Setenv("MOLECULE_ENV", "development")
-	t.Setenv("ADMIN_TOKEN", "")

 	mock.ExpectQuery("SELECT id FROM workspaces WHERE id =").
 		WithArgs("ws-1").
@@ -104,9 +104,6 @@ func (h *ChannelHandler) List(c *gin.Context) {
 		}
 		result = append(result, entry)
 	}
-	if err := rows.Err(); err != nil {
-		log.Printf("Channels: list rows.Err: %v", err)
-	}

 	c.JSON(http.StatusOK, result)
 }
@@ -517,9 +514,6 @@ func (h *ChannelHandler) Webhook(c *gin.Context) {
 			candidates = append(candidates, row)
 		}
 	}
-	if err := rows.Err(); err != nil {
-		log.Printf("Channels: telegram webhook rows.Err: %v", err)
-	}

 	if targetSlug != "" {
 		// [slug] routing — match against config username (lowercased)
@@ -393,9 +393,6 @@ func queryPeerMaps(query string, args ...interface{}) ([]map[string]interface{},

 		result = append(result, peer)
 	}
-	if err := rows.Err(); err != nil {
-		log.Printf("queryPeerMaps rows.Err: %v", err)
-	}
 	return result, nil
 }

@@ -49,9 +49,6 @@ func (h *EventsHandler) List(c *gin.Context) {
 			"created_at":   createdAt,
 		})
 	}
-	if err := rows.Err(); err != nil {
-		log.Printf("Events list rows error: %v", err)
-	}
 	c.JSON(http.StatusOK, events)
 }

@@ -90,8 +87,5 @@ func (h *EventsHandler) ListByWorkspace(c *gin.Context) {
 			"created_at":   createdAt,
 		})
 	}
-	if err := rows.Err(); err != nil {
-		log.Printf("WorkspaceEvents list rows error: %v", err)
-	}
 	c.JSON(http.StatusOK, events)
 }
@@ -33,7 +33,7 @@ func TestWorkspaceCreate_WithParentID(t *testing.T) {
 	// Default tier is 3 (Privileged) — see workspace.go create-handler comment.
 	// delivery_mode defaults to "push" when payload omits it (#2339).
 	mock.ExpectExec("INSERT INTO workspaces").
-		WithArgs(sqlmock.AnyArg(), "Child Agent", nil, 3, "langgraph", &parentID, nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+		WithArgs(sqlmock.AnyArg(), "Child Agent", nil, 3, "langgraph", sqlmock.AnyArg(), &parentID, nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectCommit()
 	mock.ExpectExec("INSERT INTO canvas_layouts").
@@ -69,7 +69,7 @@ func TestWorkspaceCreate_ExplicitClaudeCodeRuntime(t *testing.T) {
 	mock.ExpectBegin()
 	// delivery_mode defaults to "push" when payload omits it (#2339).
 	mock.ExpectExec("INSERT INTO workspaces").
-		WithArgs(sqlmock.AnyArg(), "CC Agent", nil, 2, "claude-code", (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+		WithArgs(sqlmock.AnyArg(), "CC Agent", nil, 2, "claude-code", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectCommit()
 	mock.ExpectExec("INSERT INTO canvas_layouts").
@@ -230,7 +230,7 @@ func TestWorkspaceList_WithData(t *testing.T) {
 	broadcaster := newTestBroadcaster()
 	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())

-	// 24 cols — compute added after talk_to_user_enabled.
+	// 23 cols — broadcast_enabled + talk_to_user_enabled added after monthly_spend
 	// (migration 20260514). Column order must match scanWorkspaceRow exactly.
 	columns := []string{
 		"id", "name", "role", "tier", "status", "agent_card", "url",
@@ -238,13 +238,13 @@ func TestWorkspaceList_WithData(t *testing.T) {
 		"last_error_rate", "last_sample_error",
 		"uptime_seconds", "current_task", "runtime", "workspace_dir", "x", "y", "collapsed",
 		"budget_limit", "monthly_spend",
-		"broadcast_enabled", "talk_to_user_enabled", "compute",
+		"broadcast_enabled", "talk_to_user_enabled",
 	}
 	rows := sqlmock.NewRows(columns).
 		AddRow("ws-1", "Agent One", "worker", 1, "online", []byte(`{"name":"agent1"}`), "http://localhost:8001",
-			nil, 3, 1, 0.02, "", 7200, "processing", "langgraph", "", 10.0, 20.0, false, nil, int64(0), false, true, []byte(`{}`)).
+			nil, 3, 1, 0.02, "", 7200, "processing", "langgraph", "", 10.0, 20.0, false, nil, int64(0), false, true).
 		AddRow("ws-2", "Agent Two", "", 2, "degraded", []byte("null"), "",
-			nil, 0, 1, 0.6, "timeout", 100, "", "claude-code", "", 50.0, 60.0, true, nil, int64(0), false, true, []byte(`{}`))
+			nil, 0, 1, 0.6, "timeout", 100, "", "claude-code", "", 50.0, 60.0, true, nil, int64(0), false, true)

 	mock.ExpectQuery("SELECT w.id, w.name").
 		WillReturnRows(rows)
@@ -291,7 +291,7 @@ func TestWorkspaceCreate_MaxConcurrentTasksOverride(t *testing.T) {

 	mock.ExpectBegin()
 	mock.ExpectExec("INSERT INTO workspaces").
-		WithArgs(sqlmock.AnyArg(), "Leader Agent", nil, 3, "claude-code", (*string)(nil), nil, "none", (*int64)(nil), 3, "push").
+		WithArgs(sqlmock.AnyArg(), "Leader Agent", nil, 3, "claude-code", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), 3, "push").
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectCommit()
 	mock.ExpectExec("INSERT INTO canvas_layouts").
@@ -364,11 +364,11 @@ func TestWorkspaceCreate(t *testing.T) {
 	// Expect transaction begin for atomic workspace+secrets creation
 	mock.ExpectBegin()

-	// Expect workspace INSERT (uuid is dynamic, use AnyArg for id, runtime).
+	// Expect workspace INSERT (uuid is dynamic, use AnyArg for id, runtime, awareness_namespace).
 	// Default tier is 3 (Privileged) — see workspace.go create-handler comment.
 	// delivery_mode defaults to "push" when payload omits it (#2339).
 	mock.ExpectExec("INSERT INTO workspaces").
-		WithArgs(sqlmock.AnyArg(), "Test Agent", nil, 3, "langgraph", (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+		WithArgs(sqlmock.AnyArg(), "Test Agent", nil, 3, "langgraph", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
 		WillReturnResult(sqlmock.NewResult(0, 1))

 	// Expect transaction commit (no secrets in this payload)
@@ -412,17 +412,24 @@ func TestWorkspaceCreate(t *testing.T) {
 	if resp["id"] == nil || resp["id"] == "" {
 		t.Error("expected non-empty id in response")
 	}
+	if resp["awareness_namespace"] != "workspace:"+resp["id"].(string) {
+		t.Errorf("expected awareness namespace derived from workspace id, got %v", resp["awareness_namespace"])
+	}

 	if err := mock.ExpectationsWereMet(); err != nil {
 		t.Errorf("unmet sqlmock expectations: %v", err)
 	}
 }

-func TestBuildProvisionerConfig_WorkspacePathFromPayload(t *testing.T) {
+func TestBuildProvisionerConfig_IncludesAwarenessSettings(t *testing.T) {
 	setupTestDB(t)
+	// runtime_image_pins reader removed by RFC internal#617 / task #335
+	// — CP is the SSOT for runtime image pins. No DB lookup here anymore.
+
 	broadcaster := newTestBroadcaster()
 	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", "/tmp/configs")

+	t.Setenv("AWARENESS_URL", "http://awareness:37800")
 	t.Setenv("WORKSPACE_DIR", "/tmp/workspace")

 	cfg := handler.buildProvisionerConfig(
@@ -433,10 +440,17 @@ func TestBuildProvisionerConfig_WorkspacePathFromPayload(t *testing.T) {
 		models.CreateWorkspacePayload{Tier: 2, Runtime: "claude-code", WorkspaceDir: "/tmp/workspace", WorkspaceAccess: "read_write"},
 		map[string]string{"OPENAI_API_KEY": "sk-test"},
 		"/tmp/plugins",
+		"workspace:ws-123",
 	)

+	if cfg.AwarenessURL != "http://awareness:37800" {
+		t.Fatalf("expected awareness URL to be injected, got %q", cfg.AwarenessURL)
+	}
+	if cfg.AwarenessNamespace != "workspace:ws-123" {
+		t.Fatalf("expected awareness namespace to be injected, got %q", cfg.AwarenessNamespace)
+	}
 	if cfg.WorkspacePath != "/tmp/workspace" {
-		t.Fatalf("expected workspace path from payload, got %q", cfg.WorkspacePath)
+		t.Fatalf("expected workspace path from env, got %q", cfg.WorkspacePath)
 	}
 }

@@ -448,7 +462,7 @@ func TestWorkspaceList(t *testing.T) {
 	broadcaster := newTestBroadcaster()
 	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", "/tmp/configs")

-	// 24 cols: compute added after talk_to_user_enabled.
+	// 23 cols: broadcast_enabled + talk_to_user_enabled added after monthly_spend
 	// (migration 20260514). Column order must match scanWorkspaceRow exactly.
 	columns := []string{
 		"id", "name", "role", "tier", "status", "agent_card", "url",
@@ -456,13 +470,13 @@ func TestWorkspaceList(t *testing.T) {
 		"last_error_rate", "last_sample_error",
 		"uptime_seconds", "current_task", "runtime", "workspace_dir", "x", "y", "collapsed",
 		"budget_limit", "monthly_spend",
-		"broadcast_enabled", "talk_to_user_enabled", "compute",
+		"broadcast_enabled", "talk_to_user_enabled",
 	}
 	rows := sqlmock.NewRows(columns).
 		AddRow("ws-1", "Agent One", "worker", 1, "online", []byte("null"), "http://localhost:8001",
-			nil, 0, 1, 0.0, "", 100, "", "claude-code", "", 10.0, 20.0, false, nil, int64(0), false, true, []byte(`{}`)).
+			nil, 0, 1, 0.0, "", 100, "", "claude-code", "", 10.0, 20.0, false, nil, int64(0), false, true).
 		AddRow("ws-2", "Agent Two", "manager", 2, "provisioning", []byte("null"), "",
-			nil, 0, 1, 0.0, "", 0, "", "langgraph", "", 50.0, 60.0, false, nil, int64(0), false, true, []byte(`{}`))
+			nil, 0, 1, 0.0, "", 0, "", "langgraph", "", 50.0, 60.0, false, nil, int64(0), false, true)

 	mock.ExpectQuery("SELECT w.id, w.name").
 		WillReturnRows(rows)
@@ -1176,14 +1190,14 @@ func TestWorkspaceGet_CurrentTask(t *testing.T) {
 		"parent_id", "active_tasks", "max_concurrent_tasks", "last_error_rate", "last_sample_error",
 		"uptime_seconds", "current_task", "runtime", "workspace_dir", "x", "y", "collapsed",
 		"budget_limit", "monthly_spend",
-		"broadcast_enabled", "talk_to_user_enabled", "compute",
+		"broadcast_enabled", "talk_to_user_enabled",
 	}
 	mock.ExpectQuery("SELECT w.id, w.name").
 		WithArgs("dddddddd-0004-0000-0000-000000000000").
 		WillReturnRows(sqlmock.NewRows(columns).AddRow(
 			"dddddddd-0004-0000-0000-000000000000", "Task Worker", "worker", 1, "online", []byte("null"), "http://localhost:9000",
 			nil, 2, 1, 0.0, "", 300, "Analyzing document", "langgraph", "", 10.0, 20.0, false,
-			nil, int64(0), false, true, []byte(`{}`),
+			nil, int64(0), false, true,
 		))

 	w := httptest.NewRecorder()
@@ -1141,8 +1141,6 @@ func TestIsSafeURL_Blocks169_254_Metadata(t *testing.T) {
 }

 func TestIsSafeURL_Blocks10xPrivate(t *testing.T) {
-	t.Setenv("MOLECULE_ORG_ID", "")
-	t.Setenv("MOLECULE_DEPLOY_MODE", "self-hosted")
 	err := isSafeURL("http://10.0.0.1/agent")
 	if err == nil {
 		t.Errorf("isSafeURL: expected 10.x.x.x to be blocked, got nil")
@@ -1150,8 +1148,6 @@ func TestIsSafeURL_Blocks10xPrivate(t *testing.T) {
 }

 func TestIsSafeURL_Blocks172Private(t *testing.T) {
-	t.Setenv("MOLECULE_ORG_ID", "")
-	t.Setenv("MOLECULE_DEPLOY_MODE", "self-hosted")
 	err := isSafeURL("http://172.16.0.1/agent")
 	if err == nil {
 		t.Errorf("isSafeURL: expected 172.16.0.0/12 to be blocked, got nil")
@@ -1159,8 +1155,6 @@ func TestIsSafeURL_Blocks172Private(t *testing.T) {
 }

 func TestIsSafeURL_Blocks192_168Private(t *testing.T) {
-	t.Setenv("MOLECULE_ORG_ID", "")
-	t.Setenv("MOLECULE_DEPLOY_MODE", "self-hosted")
 	err := isSafeURL("http://192.168.1.100/agent")
 	if err == nil {
 		t.Errorf("isSafeURL: expected 192.168.x.x to be blocked, got nil")
@@ -1184,8 +1178,6 @@ func TestIsSafeURL_BlocksInvalidURL(t *testing.T) {
 // ==================== SSRF Defence — isPrivateOrMetadataIP ====================

 func TestIsPrivateOrMetadataIP_10Range(t *testing.T) {
-	t.Setenv("MOLECULE_ORG_ID", "")
-	t.Setenv("MOLECULE_DEPLOY_MODE", "self-hosted")
 	tests := []string{"10.0.0.0", "10.255.255.255", "10.1.2.3"}
 	for _, ip := range tests {
 		if !isPrivateOrMetadataIP(net.ParseIP(ip)) {
@@ -1195,8 +1187,6 @@ func TestIsPrivateOrMetadataIP_10Range(t *testing.T) {
 }

 func TestIsPrivateOrMetadataIP_172Range(t *testing.T) {
-	t.Setenv("MOLECULE_ORG_ID", "")
-	t.Setenv("MOLECULE_DEPLOY_MODE", "self-hosted")
 	tests := []string{"172.16.0.0", "172.31.255.255", "172.20.1.1"}
 	for _, ip := range tests {
 		if !isPrivateOrMetadataIP(net.ParseIP(ip)) {
@@ -1206,8 +1196,6 @@ func TestIsPrivateOrMetadataIP_172Range(t *testing.T) {
 }

 func TestIsPrivateOrMetadataIP_192_168Range(t *testing.T) {
-	t.Setenv("MOLECULE_ORG_ID", "")
-	t.Setenv("MOLECULE_DEPLOY_MODE", "self-hosted")
 	tests := []string{"192.168.0.0", "192.168.255.255", "192.168.1.1"}
 	for _, ip := range tests {
 		if !isPrivateOrMetadataIP(net.ParseIP(ip)) {
@@ -95,18 +95,14 @@ func (h *MCPHandler) toolListPeers(ctx context.Context, workspaceID string) (str
 			cols+` FROM workspaces w WHERE w.parent_id = $1 AND w.id != $2 AND w.status != 'removed'`,
 			parentID.String, workspaceID)
 		if err == nil {
-			if scanErr := scanPeers(rows); scanErr != nil {
-				log.Printf("MCP toolListPeers: sibling scan error: %v", scanErr)
-			}
+			_ = scanPeers(rows)
 		}
 	} else {
 		rows, err := h.database.QueryContext(ctx,
 			cols+` FROM workspaces w WHERE w.parent_id IS NULL AND w.id != $1 AND w.status != 'removed'`,
 			workspaceID)
 		if err == nil {
-			if scanErr := scanPeers(rows); scanErr != nil {
-				log.Printf("MCP toolListPeers: sibling scan error: %v", scanErr)
-			}
+			_ = scanPeers(rows)
 		}
 	}

@@ -116,9 +112,7 @@ func (h *MCPHandler) toolListPeers(ctx context.Context, workspaceID string) (str
 			cols+` FROM workspaces w WHERE w.parent_id = $1 AND w.status != 'removed'`,
 			workspaceID)
 		if err == nil {
-			if scanErr := scanPeers(rows); scanErr != nil {
-				log.Printf("MCP toolListPeers: children scan error: %v", scanErr)
-			}
+			_ = scanPeers(rows)
 		}
 	}

@@ -128,9 +122,7 @@ func (h *MCPHandler) toolListPeers(ctx context.Context, workspaceID string) (str
 			cols+` FROM workspaces w WHERE w.id = $1 AND w.status != 'removed'`,
 			parentID.String)
 		if err == nil {
-			if scanErr := scanPeers(rows); scanErr != nil {
-				log.Printf("MCP toolListPeers: parent scan error: %v", scanErr)
-			}
+			_ = scanPeers(rows)
 		}
 	}

@@ -6,26 +6,18 @@ import (
 	"testing"
 )

-// TestHandleA2ADispatchError_NativeSession_NowEnqueues validates the #1684
-// fix: native_session adapters used to short-circuit to 503-no-queue here,
-// on the assumption that the SDK owned an inbound queue. In practice the
-// common native_session SDKs (claude-agent-sdk, codex app-server, hermes)
-// don't — new turns arrive only via the same HTTP POST that returns busy.
-// So cron fires bounced 503 every tick until the SDK voluntarily yielded;
-// Reno Stars #1684 observed 12 consecutive `*/30` cron fires lost over 6h.
+// TestHandleA2ADispatchError_NativeSession_SkipsEnqueue validates capability
+// primitive #5: when the target workspace has declared
+// provides_native_session=True, a busy-shaped dispatch error MUST short-
+// circuit straight to 503 + Retry-After. The platform's a2a_queue is
+// skipped because the SDK owns its own queue/session state — double-
+// buffering would cause spurious dispatches when the SDK is still busy.
 //
-// Post-fix: native_session and non-native both enqueue. Drain timing is
-// gated by registry.go:Heartbeat (`payload.ActiveTasks < maxConcurrent`)
-// so the queued item only dispatches when the SDK reports spare capacity
-// — i.e. the next heartbeat after the in-flight turn returns.
-//
-// This test pins the new behavior: native_session capability DOES NOT
-// bypass EnqueueA2A. We expect the INSERT INTO a2a_queue query to fire,
-// here arranged to fail so we can observe the legacy 503 fallback (and
-// thereby confirm the INSERT was attempted; sqlmock fails the test if
-// the expected query never runs).
-func TestHandleA2ADispatchError_NativeSession_NowEnqueues(t *testing.T) {
-	mock := setupTestDB(t)
+// Pin via sqlmock: we deliberately do NOT expect any INSERT INTO a2a_queue.
+// If a future refactor re-introduces enqueueing under native_session,
+// sqlmock fails the test on the unexpected query.
+func TestHandleA2ADispatchError_NativeSession_SkipsEnqueue(t *testing.T) {
+	setupTestDB(t)
 	setupTestRedis(t)
 	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())

@@ -33,15 +25,10 @@ func TestHandleA2ADispatchError_NativeSession_NowEnqueues(t *testing.T) {
 	runtimeOverrides.SetCapabilities("ws-native", map[string]bool{"session": true})
 	defer runtimeOverrides.Reset()

-	// We now EXPECT the INSERT to fire even with native_session=true. Make
-	// it fail so the handler falls through to the legacy 503 path — that
-	// lets us assert (1) enqueue was attempted, (2) the response on
-	// queue-failure does NOT carry native_session=true marker (that field
-	// was removed alongside the gate).
-	mock.ExpectQuery(`INSERT INTO a2a_queue`).
-		WithArgs("ws-native", nil, PriorityTask, "{}", "message/send", nil).
-		WillReturnError(errTestQueueUnavailable)
-
+	// DeadlineExceeded triggers isUpstreamBusyError. Without the native
+	// gate, this would fire EnqueueA2A → INSERT INTO a2a_queue. With
+	// the gate, it short-circuits to 503. We expect ZERO queue queries;
+	// sqlmock's ExpectationsWereMet implicitly enforces that on teardown.
 	_, _, perr := handler.handleA2ADispatchError(
 		context.Background(), "ws-native", "", []byte("{}"), "message/send",
 		context.DeadlineExceeded, 1, false,
@@ -50,27 +37,28 @@ func TestHandleA2ADispatchError_NativeSession_NowEnqueues(t *testing.T) {
 		t.Fatal("expected proxy error, got nil")
 	}
 	if perr.Status != http.StatusServiceUnavailable {
-		t.Errorf("got status %d, want 503 (enqueue failed → legacy 503 fallback)", perr.Status)
+		t.Errorf("got status %d, want 503 (native_session bypasses queue but still 503s)", perr.Status)
 	}
 	if perr.Headers["Retry-After"] == "" {
-		t.Error("expected Retry-After header on busy-503")
+		t.Error("expected Retry-After header on native-session 503")
 	}
-	// The native_session marker was removed from the response body — the
-	// platform queues both kinds now, callers no longer distinguish. Pin
-	// its absence so a future revert is caught.
-	if got, ok := perr.Response["native_session"].(bool); ok && got {
-		t.Errorf("native_session marker should be gone after #1684 fix; got %+v", perr.Response)
+	// Pin the marker so callers' adapters can distinguish this from a
+	// queue-failure 503: the body has native_session=true.
+	if got, _ := perr.Response["native_session"].(bool); !got {
+		t.Errorf("expected native_session=true in response body; got %+v", perr.Response)
 	}
+	// And busy=true stays so existing busy-handling code paths still trigger.
 	if got, _ := perr.Response["busy"].(bool); !got {
-		t.Errorf("expected busy=true; got %+v", perr.Response)
+		t.Errorf("expected busy=true in response body; got %+v", perr.Response)
 	}
 }

-// TestHandleA2ADispatchError_NoNativeSession_StillEnqueues — non-native
-// behavior is unchanged: enqueue is attempted, fail-fallback to 503. This
-// negative pin guards against accidentally reverting the unification by
-// re-introducing a `if HasCapability(...)` gate that would short-circuit
-// the enqueue path.
+// TestHandleA2ADispatchError_NoNativeSession_StillEnqueues is the negative
+// pin: a workspace WITHOUT the capability flag falls through to the
+// existing EnqueueA2A path (and 503 if that fails). Same shape as
+// TestHandleA2ADispatchError_ContextDeadline; we duplicate it here so
+// the native_session gate change is bracketed by both positive and
+// negative tests in the same file.
 func TestHandleA2ADispatchError_NoNativeSession_StillEnqueues(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)
@@ -91,11 +79,13 @@ func TestHandleA2ADispatchError_NoNativeSession_StillEnqueues(t *testing.T) {
 	if perr == nil {
 		t.Fatal("expected proxy error, got nil")
 	}
+	// Queue insert failed → falls through to legacy 503 (without
+	// native_session marker).
 	if perr.Status != http.StatusServiceUnavailable {
 		t.Errorf("got status %d, want 503", perr.Status)
 	}
 	if got, _ := perr.Response["native_session"].(bool); got {
-		t.Errorf("non-native workspace should NOT carry native_session=true; got %+v", perr.Response)
+		t.Errorf("non-native workspace should NOT carry native_session=true in response; got %+v", perr.Response)
 	}
 }

@@ -799,12 +799,13 @@ func (h *OrgHandler) Import(c *gin.Context) {
 	if len(tmpl.GlobalMemories) > 0 && len(results) > 0 {
 		rootID, _ := results[0]["id"].(string)
 		if rootID != "" {
+			rootNS := workspaceAwarenessNamespace(rootID)
 			// Force scope to GLOBAL regardless of what the YAML says.
 			globalSeeds := make([]models.MemorySeed, len(tmpl.GlobalMemories))
 			for i, gm := range tmpl.GlobalMemories {
 				globalSeeds[i] = models.MemorySeed{Content: gm.Content, Scope: "GLOBAL"}
 			}
-			seedInitialMemories(context.Background(), rootID, globalSeeds)
+			seedInitialMemories(context.Background(), rootID, globalSeeds, rootNS)
 			log.Printf("Org import: seeded %d global memories on root workspace %s", len(globalSeeds), rootID)
 		}
 	}
@@ -102,6 +102,7 @@ func (h *OrgHandler) createWorkspaceTree(ws OrgWorkspace, parentID *string, absX
 	}

 	id := uuid.New().String()
+	awarenessNS := workspaceAwarenessNamespace(id)

 	var role interface{}
 	if ws.Role != "" {
@@ -167,13 +168,13 @@ func (h *OrgHandler) createWorkspaceTree(ws OrgWorkspace, parentID *string, absX
 	// EXACTLY for Postgres to consider the index applicable.
 	var insertedID string
 	err := db.DB.QueryRowContext(ctx, `
-		INSERT INTO workspaces (id, name, role, tier, runtime, status, parent_id, workspace_dir, workspace_access, max_concurrent_tasks)
-		VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)
+		INSERT INTO workspaces (id, name, role, tier, runtime, awareness_namespace, status, parent_id, workspace_dir, workspace_access, max_concurrent_tasks)
+		VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)
 		ON CONFLICT (COALESCE(parent_id, '00000000-0000-0000-0000-000000000000'::uuid), name)
 		WHERE status != 'removed'
 		DO NOTHING
 		RETURNING id
-	`, id, ws.Name, role, tier, runtime, "provisioning", parentID, workspaceDir, workspaceAccess, maxConcurrent).Scan(&insertedID)
+	`, id, ws.Name, role, tier, runtime, awarenessNS, "provisioning", parentID, workspaceDir, workspaceAccess, maxConcurrent).Scan(&insertedID)
 	if errors.Is(err, sql.ErrNoRows) {
 		// Skip path — a non-removed row already exists for
 		// (parent_id, name). Re-select its id; idempotency-friendly
@@ -258,7 +259,7 @@ func (h *OrgHandler) createWorkspaceTree(ws OrgWorkspace, parentID *string, absX
 	if len(wsMemories) == 0 {
 		wsMemories = defaults.InitialMemories
 	}
-	seedInitialMemories(ctx, id, wsMemories)
+	seedInitialMemories(ctx, id, wsMemories, awarenessNS)

 	// Handle external workspaces
 	if ws.External {
@@ -712,8 +712,6 @@ func TestHeartbeat_SkipsRemovedRows(t *testing.T) {
 // ------------------------------------------------------------

 func TestValidateAgentURL(t *testing.T) {
-	t.Setenv("MOLECULE_ORG_ID", "")
-	t.Setenv("MOLECULE_DEPLOY_MODE", "self-hosted")
 	cases := []struct {
 		name    string
 		url     string
@@ -133,30 +133,24 @@ func loadRestartContextData(ctx context.Context, workspaceID string) restartCont
 	// message bus.
 	keySet := map[string]struct{}{}
 	if rows, err := db.DB.QueryContext(ctx, `SELECT key FROM global_secrets`); err == nil {
-		defer rows.Close()
 		for rows.Next() {
 			var k string
 			if rows.Scan(&k) == nil {
 				keySet[k] = struct{}{}
 			}
 		}
-		if err := rows.Err(); err != nil {
-			log.Printf("loadRestartContextData: global_secrets rows.Err: %v", err)
-		}
+		rows.Close()
 	}
 	if rows, err := db.DB.QueryContext(ctx,
 		`SELECT key FROM workspace_secrets WHERE workspace_id = $1`, workspaceID,
 	); err == nil {
-		defer rows.Close()
 		for rows.Next() {
 			var k string
 			if rows.Scan(&k) == nil {
 				keySet[k] = struct{}{}
 			}
 		}
-		if err := rows.Err(); err != nil {
-			log.Printf("loadRestartContextData: workspace_secrets rows.Err: %v", err)
-		}
+		rows.Close()
 	}
 	for k := range keySet {
 		d.EnvKeys = append(d.EnvKeys, k)
@@ -15,46 +15,13 @@ import (
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/scheduler"
 )

-// ErrorResponse is returned for 4xx/5xx errors. (OpenAPI doc shape — used by swaggo.)
-type ErrorResponse struct {
-	Error string `json:"error"`
-}
-
-// StatusResponse is returned by mutating endpoints that only echo a status verb.
-type StatusResponse struct {
-	Status string `json:"status"`
-}
-
-// CreateScheduleResponse is returned by POST /workspaces/{id}/schedules.
-type CreateScheduleResponse struct {
-	ID        string    `json:"id"`
-	Status    string    `json:"status"`
-	NextRunAt time.Time `json:"next_run_at"`
-}
-
-// RunNowResponse is returned by POST /workspaces/{id}/schedules/{scheduleId}/run.
-type RunNowResponse struct {
-	Status      string `json:"status"`
-	WorkspaceID string `json:"workspace_id"`
-	Prompt      string `json:"prompt"`
-}
-
-// HistoryEntry is one row of /workspaces/{id}/schedules/{scheduleId}/history.
-type HistoryEntry struct {
-	Timestamp   time.Time       `json:"timestamp"`
-	DurationMs  *int            `json:"duration_ms"`
-	Status      *string         `json:"status"`
-	ErrorDetail string          `json:"error_detail"`
-	Request     json.RawMessage `json:"request" swaggertype:"object"`
-}
-
 type ScheduleHandler struct{}

 func NewScheduleHandler() *ScheduleHandler {
 	return &ScheduleHandler{}
 }

-type ScheduleResponse struct {
+type scheduleResponse struct {
 	ID          string     `json:"id"`
 	WorkspaceID string     `json:"workspace_id"`
 	Name        string     `json:"name"`
@@ -73,15 +40,6 @@ type ScheduleResponse struct {
 }

 // List returns all schedules for a workspace.
-//
-//	@Summary	List schedules for a workspace
-//	@Tags		schedules
-//	@Produce	json
-//	@Param		id	path		string	true	"Workspace ID"
-//	@Success	200	{array}		ScheduleResponse
-//	@Failure	500	{object}	ErrorResponse
-//	@Router		/workspaces/{id}/schedules [get]
-//	@Security	BearerAuth && OrgSlugAuth
 func (h *ScheduleHandler) List(c *gin.Context) {
 	workspaceID := c.Param("id")
 	ctx := c.Request.Context()
@@ -100,9 +58,9 @@ func (h *ScheduleHandler) List(c *gin.Context) {
 	}
 	defer rows.Close()

-	schedules := make([]ScheduleResponse, 0)
+	schedules := make([]scheduleResponse, 0)
 	for rows.Next() {
-		var s ScheduleResponse
+		var s scheduleResponse
 		if err := rows.Scan(
 			&s.ID, &s.WorkspaceID, &s.Name, &s.CronExpr, &s.Timezone,
 			&s.Prompt, &s.Enabled, &s.LastRunAt, &s.NextRunAt, &s.RunCount,
@@ -120,7 +78,7 @@ func (h *ScheduleHandler) List(c *gin.Context) {
 	c.JSON(http.StatusOK, schedules)
 }

-type CreateScheduleRequest struct {
+type createScheduleRequest struct {
 	Name     string `json:"name"`
 	CronExpr string `json:"cron_expr" binding:"required"`
 	Timezone string `json:"timezone"`
@@ -129,23 +87,11 @@ type CreateScheduleRequest struct {
 }

 // Create adds a new schedule for a workspace.
-//
-//	@Summary	Create a schedule
-//	@Tags		schedules
-//	@Accept		json
-//	@Produce	json
-//	@Param		id		path		string					true	"Workspace ID"
-//	@Param		body	body		CreateScheduleRequest	true	"Schedule fields"
-//	@Success	201		{object}	CreateScheduleResponse
-//	@Failure	400		{object}	ErrorResponse
-//	@Failure	500		{object}	ErrorResponse
-//	@Router		/workspaces/{id}/schedules [post]
-//	@Security	BearerAuth && OrgSlugAuth
 func (h *ScheduleHandler) Create(c *gin.Context) {
 	workspaceID := c.Param("id")
 	ctx := c.Request.Context()

-	var body CreateScheduleRequest
+	var body createScheduleRequest
 	if err := c.ShouldBindJSON(&body); err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "cron_expr and prompt are required"})
 		return
@@ -199,7 +145,7 @@ func (h *ScheduleHandler) Create(c *gin.Context) {
 	})
 }

-type UpdateScheduleRequest struct {
+type updateScheduleRequest struct {
 	Name     *string `json:"name"`
 	CronExpr *string `json:"cron_expr"`
 	Timezone *string `json:"timezone"`
@@ -209,26 +155,12 @@ type UpdateScheduleRequest struct {

 // Update modifies a schedule. Uses a fixed UPDATE with COALESCE so only
 // provided fields are changed — no dynamic SQL construction.
-//
-//	@Summary	Update a schedule
-//	@Tags		schedules
-//	@Accept		json
-//	@Produce	json
-//	@Param		id			path		string					true	"Workspace ID"
-//	@Param		scheduleId	path		string					true	"Schedule ID"
-//	@Param		body		body		UpdateScheduleRequest	true	"Partial schedule fields (only provided keys are updated)"
-//	@Success	200			{object}	ScheduleResponse
-//	@Failure	400			{object}	ErrorResponse
-//	@Failure	404			{object}	ErrorResponse
-//	@Failure	500			{object}	ErrorResponse
-//	@Router		/workspaces/{id}/schedules/{scheduleId} [patch]
-//	@Security	BearerAuth && OrgSlugAuth
 func (h *ScheduleHandler) Update(c *gin.Context) {
 	scheduleID := c.Param("scheduleId")
 	workspaceID := c.Param("id") // #113: bind to owning workspace to prevent IDOR
 	ctx := c.Request.Context()

-	var body UpdateScheduleRequest
+	var body updateScheduleRequest
 	if err := c.ShouldBindJSON(&body); err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid JSON"})
 		return
@@ -298,17 +230,6 @@ func (h *ScheduleHandler) Update(c *gin.Context) {
 }

 // Delete removes a schedule.
-//
-//	@Summary	Delete a schedule
-//	@Tags		schedules
-//	@Produce	json
-//	@Param		id			path		string	true	"Workspace ID"
-//	@Param		scheduleId	path		string	true	"Schedule ID"
-//	@Success	200			{object}	StatusResponse
-//	@Failure	404			{object}	ErrorResponse
-//	@Failure	500			{object}	ErrorResponse
-//	@Router		/workspaces/{id}/schedules/{scheduleId} [delete]
-//	@Security	BearerAuth && OrgSlugAuth
 func (h *ScheduleHandler) Delete(c *gin.Context) {
 	scheduleID := c.Param("scheduleId")
 	workspaceID := c.Param("id") // #113: bind to owning workspace to prevent IDOR
@@ -331,17 +252,6 @@ func (h *ScheduleHandler) Delete(c *gin.Context) {
 }

 // RunNow manually fires a schedule immediately.
-//
-//	@Summary	Fire a schedule manually
-//	@Tags		schedules
-//	@Produce	json
-//	@Param		id			path		string	true	"Workspace ID"
-//	@Param		scheduleId	path		string	true	"Schedule ID"
-//	@Success	200			{object}	RunNowResponse
-//	@Failure	404			{object}	ErrorResponse
-//	@Failure	500			{object}	ErrorResponse
-//	@Router		/workspaces/{id}/schedules/{scheduleId}/run [post]
-//	@Security	BearerAuth && OrgSlugAuth
 func (h *ScheduleHandler) RunNow(c *gin.Context) {
 	scheduleID := c.Param("scheduleId")
 	workspaceID := c.Param("id")
@@ -372,16 +282,6 @@ func (h *ScheduleHandler) RunNow(c *gin.Context) {
 }

 // History returns recent runs for a schedule from activity_logs.
-//
-//	@Summary	Get past runs of a schedule
-//	@Tags		schedules
-//	@Produce	json
-//	@Param		id			path		string	true	"Workspace ID"
-//	@Param		scheduleId	path		string	true	"Schedule ID"
-//	@Success	200			{array}		HistoryEntry
-//	@Failure	500			{object}	ErrorResponse
-//	@Router		/workspaces/{id}/schedules/{scheduleId}/history [get]
-//	@Security	BearerAuth && OrgSlugAuth
 func (h *ScheduleHandler) History(c *gin.Context) {
 	scheduleID := c.Param("scheduleId")
 	workspaceID := c.Param("id")
@@ -407,9 +307,17 @@ func (h *ScheduleHandler) History(c *gin.Context) {
 	}
 	defer rows.Close()

-	entries := make([]HistoryEntry, 0)
+	type historyEntry struct {
+		Timestamp   time.Time       `json:"timestamp"`
+		DurationMs  *int            `json:"duration_ms"`
+		Status      *string         `json:"status"`
+		ErrorDetail string          `json:"error_detail"`
+		Request     json.RawMessage `json:"request"`
+	}
+
+	entries := make([]historyEntry, 0)
 	for rows.Next() {
-		var e HistoryEntry
+		var e historyEntry
 		var reqStr string
 		if err := rows.Scan(&e.Timestamp, &e.DurationMs, &e.Status, &e.ErrorDetail, &reqStr); err != nil {
 			continue
@@ -417,18 +325,15 @@ func (h *ScheduleHandler) History(c *gin.Context) {
 		e.Request = json.RawMessage(reqStr)
 		entries = append(entries, e)
 	}
-	if err := rows.Err(); err != nil {
-		log.Printf("ScheduleHistory: rows error: %v", err)
-	}

 	c.JSON(http.StatusOK, entries)
 }

-// ScheduleHealthResponse is the read-only health view of a schedule.
+// scheduleHealthResponse is the read-only health view of a schedule.
 // It deliberately omits prompt and cron_expr so sensitive task content is
 // never exposed to peer workspaces — only execution-state fields needed to
 // detect silent cron failures are returned (issue #249).
-type ScheduleHealthResponse struct {
+type scheduleHealthResponse struct {
 	ID         string     `json:"id"`
 	Name       string     `json:"name"`
 	Enabled    bool       `json:"enabled"`
@@ -497,9 +402,9 @@ func (h *ScheduleHandler) Health(c *gin.Context) {
 	}
 	defer rows.Close()

-	schedules := make([]ScheduleHealthResponse, 0)
+	schedules := make([]scheduleHealthResponse, 0)
 	for rows.Next() {
-		var s ScheduleHealthResponse
+		var s scheduleHealthResponse
 		if err := rows.Scan(
 			&s.ID, &s.Name, &s.Enabled, &s.LastRunAt, &s.NextRunAt,
 			&s.RunCount, &s.LastStatus, &s.LastError,
@@ -234,7 +234,7 @@ func TestScheduleHealth_SelfCall_Allowed(t *testing.T) {
 		t.Fatalf("expected 200 for self-call, got %d: %s", w.Code, w.Body.String())
 	}

-	var resp []ScheduleHealthResponse
+	var resp []scheduleHealthResponse
 	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
 		t.Fatalf("failed to parse response: %v", err)
 	}
@@ -284,7 +284,7 @@ func TestScheduleHealth_CanCommunicatePeer_LegacyNoToken(t *testing.T) {
 		t.Fatalf("expected 200 for peer with no tokens, got %d: %s", w.Code, w.Body.String())
 	}

-	var resp []ScheduleHealthResponse
+	var resp []scheduleHealthResponse
 	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
 		t.Fatalf("failed to parse response: %v", err)
 	}
@@ -95,7 +95,6 @@ func TestSecurity_GetTemplates_NoAuth_Returns401(t *testing.T) {
 func TestSecurity_GetTemplates_FreshInstall_FailsOpen(t *testing.T) {
 	setupTestDB(t)
 	setupTestRedis(t)
-	t.Setenv("ADMIN_TOKEN", "")
 	authDB, authMock := newFreshInstallAuthDB(t)

 	tmpDir := t.TempDir()
@@ -153,7 +152,6 @@ func TestSecurity_GetOrgTemplates_NoAuth_Returns401(t *testing.T) {
 func TestSecurity_GetOrgTemplates_FreshInstall_FailsOpen(t *testing.T) {
 	setupTestDB(t)
 	setupTestRedis(t)
-	t.Setenv("ADMIN_TOKEN", "")
 	authDB, authMock := newFreshInstallAuthDB(t)

 	tmpDir := t.TempDir()
@@ -51,10 +51,6 @@ func (h *TracesHandler) List(c *gin.Context) {
 	}
 	defer func() { _ = resp.Body.Close() }()

-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to read response body"})
-		return
-	}
+	body, _ := io.ReadAll(resp.Body)
 	c.Data(resp.StatusCode, "application/json", body)
 }
@@ -216,6 +216,7 @@ func (h *WorkspaceHandler) Create(c *gin.Context) {
 	}

 	id := uuid.New().String()
+	awarenessNamespace := workspaceAwarenessNamespace(id)
 	if h.IsSaaS() {
 		// SaaS hard gate: every hosted workspace gets its own sibling
 		// EC2 instance, so T4 is the only meaningful runtime boundary.
@@ -392,10 +393,6 @@ func (h *WorkspaceHandler) Create(c *gin.Context) {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid workspace access"})
 		return
 	}
-	if err := validateWorkspaceCompute(payload.Compute); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}

 	// Begin a transaction so the workspace row and any initial secrets are
 	// committed atomically.  A secret-encrypt or DB error rolls back the
@@ -447,10 +444,10 @@ func (h *WorkspaceHandler) Create(c *gin.Context) {
 	// returns the actually-persisted name (which we MUST thread back into
 	// payload + broadcast so the canvas displays what the DB has).
 	const insertWorkspaceSQL = `
-		INSERT INTO workspaces (id, name, role, tier, runtime, status, parent_id, workspace_dir, workspace_access, budget_limit, max_concurrent_tasks, delivery_mode)
-		VALUES ($1, $2, $3, $4, $5, 'provisioning', $6, $7, $8, $9, $10, $11)
+		INSERT INTO workspaces (id, name, role, tier, runtime, awareness_namespace, status, parent_id, workspace_dir, workspace_access, budget_limit, max_concurrent_tasks, delivery_mode)
+		VALUES ($1, $2, $3, $4, $5, $6, 'provisioning', $7, $8, $9, $10, $11, $12)
 	`
-	insertArgs := []any{id, payload.Name, role, payload.Tier, payload.Runtime, payload.ParentID, workspaceDir, workspaceAccess, payload.BudgetLimit, maxConcurrent, deliveryMode}
+	insertArgs := []any{id, payload.Name, role, payload.Tier, payload.Runtime, awarenessNamespace, payload.ParentID, workspaceDir, workspaceAccess, payload.BudgetLimit, maxConcurrent, deliveryMode}
 	persistedName, currentTx, err := insertWorkspaceWithNameRetry(
 		ctx,
 		tx,
@@ -483,24 +480,6 @@ func (h *WorkspaceHandler) Create(c *gin.Context) {
 		payload.Name = persistedName
 	}

-	if !workspaceComputeIsZero(payload.Compute) {
-		computeJSON, encErr := workspaceComputeJSON(payload.Compute)
-		if encErr != nil {
-			tx.Rollback() //nolint:errcheck
-			log.Printf("Create workspace %s: failed to encode compute config: %v", id, encErr)
-			c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to encode compute config"})
-			return
-		}
-		if _, dbErr := tx.ExecContext(ctx,
-			`UPDATE workspaces SET compute = $2::jsonb, updated_at = now() WHERE id = $1`,
-			id, computeJSON); dbErr != nil {
-			tx.Rollback() //nolint:errcheck
-			log.Printf("Create workspace %s: failed to persist compute config: %v", id, dbErr)
-			c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to save compute config"})
-			return
-		}
-	}
-
 	// Persist initial secrets from the create payload (inside same transaction).
 	// nil/empty map is a no-op.  Any failure rolls back the workspace insert
 	// so we never have a workspace row without its intended secrets.
@@ -571,7 +550,7 @@ func (h *WorkspaceHandler) Create(c *gin.Context) {

 	// Seed initial memories from the create payload (issue #1050).
 	// Non-fatal: failures are logged but don't block workspace creation.
-	seedInitialMemories(ctx, id, payload.InitialMemories)
+	seedInitialMemories(ctx, id, payload.InitialMemories, awarenessNamespace)

 	// Broadcast provisioning event. Include `runtime` so the canvas can
 	// populate the Runtime pill on the side panel immediately — without it
@@ -706,9 +685,10 @@ func (h *WorkspaceHandler) Create(c *gin.Context) {
 	}

 	c.JSON(http.StatusCreated, gin.H{
-		"id":               id,
-		"status":           "provisioning",
-		"workspace_access": workspaceAccess,
+		"id":                  id,
+		"status":              "provisioning",
+		"awareness_namespace": awarenessNamespace,
+		"workspace_access":    workspaceAccess,
 	})
 }

@@ -744,7 +724,6 @@ func scanWorkspaceRow(rows interface {
 	Scan(dest ...interface{}) error
 }) (map[string]interface{}, error) {
 	var id, name, role, status, url, sampleError, currentTask, runtime, workspaceDir string
-	var computeRaw []byte
 	var tier, activeTasks, maxConcurrentTasks, uptimeSeconds int
 	var errorRate, x, y float64
 	var collapsed, broadcastEnabled, talkToUserEnabled bool
@@ -756,7 +735,7 @@ func scanWorkspaceRow(rows interface {
 	err := rows.Scan(&id, &name, &role, &tier, &status, &agentCard, &url,
 		&parentID, &activeTasks, &maxConcurrentTasks, &errorRate, &sampleError, &uptimeSeconds,
 		&currentTask, &runtime, &workspaceDir, &x, &y, &collapsed,
-		&budgetLimit, &monthlySpend, &broadcastEnabled, &talkToUserEnabled, &computeRaw)
+		&budgetLimit, &monthlySpend, &broadcastEnabled, &talkToUserEnabled)
 	if err != nil {
 		return nil, err
 	}
@@ -783,11 +762,6 @@ func scanWorkspaceRow(rows interface {
 		"broadcast_enabled":    broadcastEnabled,
 		"talk_to_user_enabled": talkToUserEnabled,
 	}
-	if len(computeRaw) > 0 && string(computeRaw) != "null" {
-		ws["compute"] = json.RawMessage(computeRaw)
-	} else {
-		ws["compute"] = json.RawMessage(`{}`)
-	}

 	// budget_limit: nil when no limit set, int64 otherwise
 	if budgetLimit.Valid {
@@ -823,8 +797,7 @@ const workspaceListQuery = `
 		   COALESCE(w.workspace_dir, ''),
 		   COALESCE(cl.x, 0), COALESCE(cl.y, 0), COALESCE(cl.collapsed, false),
 		   w.budget_limit, COALESCE(w.monthly_spend, 0),
-		   w.broadcast_enabled, w.talk_to_user_enabled,
-		   COALESCE(w.compute, '{}'::jsonb)
+		   w.broadcast_enabled, w.talk_to_user_enabled
 	FROM workspaces w
 	LEFT JOIN canvas_layouts cl ON cl.workspace_id = w.id
 	WHERE w.status != 'removed'
@@ -885,8 +858,7 @@ func (h *WorkspaceHandler) Get(c *gin.Context) {
 			   COALESCE(w.workspace_dir, ''),
 			   COALESCE(cl.x, 0), COALESCE(cl.y, 0), COALESCE(cl.collapsed, false),
 			   w.budget_limit, COALESCE(w.monthly_spend, 0),
-			   w.broadcast_enabled, w.talk_to_user_enabled,
-			   COALESCE(w.compute, '{}'::jsonb)
+			   w.broadcast_enabled, w.talk_to_user_enabled
 		FROM workspaces w
 		LEFT JOIN canvas_layouts cl ON cl.workspace_id = w.id
 		WHERE w.id = $1
@@ -33,7 +33,7 @@ var wsColumns = []string{
 	"parent_id", "active_tasks", "max_concurrent_tasks", "last_error_rate", "last_sample_error",
 	"uptime_seconds", "current_task", "runtime", "workspace_dir", "x", "y", "collapsed",
 	"budget_limit", "monthly_spend",
-	"broadcast_enabled", "talk_to_user_enabled", "compute",
+	"broadcast_enabled", "talk_to_user_enabled",
 }

 // ==================== GET — financial fields stripped from open endpoint ====================
@@ -56,8 +56,7 @@ func TestWorkspaceBudget_Get_NilLimit(t *testing.T) {
 				nil,   // budget_limit NULL
 				0,     // monthly_spend 0
 				false, // broadcast_enabled
-				true,  // talk_to_user_enabled
-				[]byte(`{}`)))
+				true)) // talk_to_user_enabled

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -101,8 +100,7 @@ func TestWorkspaceBudget_Get_WithLimit(t *testing.T) {
 				0.0, 0.0, false,
 				int64(500),  // budget_limit = $5.00 in DB
 				int64(123),  // monthly_spend = $1.23 in DB
-				false, true, // broadcast_enabled, talk_to_user_enabled
-				[]byte(`{}`)))
+				false, true)) // broadcast_enabled, talk_to_user_enabled

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -147,17 +145,18 @@ func TestWorkspaceBudget_Create_WithLimit(t *testing.T) {
 	mock.ExpectBegin()
 	mock.ExpectExec("INSERT INTO workspaces").
 		WithArgs(
-			sqlmock.AnyArg(),                 // id
-			"Budgeted Agent",                 // name
-			nil,                              // role
-			3,                                // tier (default, workspace.go create-handler)
-			"langgraph",                      // runtime
-			(*string)(nil),                   // parent_id
-			nil,                              // workspace_dir
-			"none",                           // workspace_access
-			&budgetVal,                       // budget_limit ($10)
+			sqlmock.AnyArg(), // id
+			"Budgeted Agent", // name
+			nil,              // role
+			3,                // tier (default, workspace.go create-handler)
+			"langgraph",      // runtime
+			sqlmock.AnyArg(), // awareness_namespace
+			(*string)(nil),   // parent_id
+			nil,              // workspace_dir
+			"none",           // workspace_access
+			&budgetVal,       // budget_limit ($10)
 			models.DefaultMaxConcurrentTasks, // max_concurrent_tasks default
-			"push",                           // delivery_mode default (#2339)
+			"push",           // delivery_mode default (#2339)
 		).
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectCommit()
@@ -1,208 +0,0 @@
-package handlers
-
-import (
-	"context"
-	"database/sql"
-	"encoding/json"
-	"fmt"
-	"log"
-
-	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
-	"github.com/Molecule-AI/molecule-monorepo/platform/internal/models"
-	"github.com/gin-gonic/gin"
-)
-
-const (
-	workspaceComputeDiskFloorGB   = 30
-	workspaceComputeDiskCeilingGB = 500
-)
-
-type workspaceDisplayResponse struct {
-	Available bool   `json:"available"`
-	Reason    string `json:"reason,omitempty"`
-	Mode      string `json:"mode,omitempty"`
-	Protocol  string `json:"protocol,omitempty"`
-	Width     int    `json:"width,omitempty"`
-	Height    int    `json:"height,omitempty"`
-	Status    string `json:"status,omitempty"`
-}
-
-var workspaceComputeInstanceAllowlist = map[string]struct{}{
-	"t3.medium":  {},
-	"t3.large":   {},
-	"t3.xlarge":  {},
-	"t3.2xlarge": {},
-	"m6i.large":  {},
-	"m6i.xlarge": {},
-	"c6i.xlarge": {},
-}
-
-func validateWorkspaceCompute(compute models.WorkspaceCompute) error {
-	if compute.InstanceType != "" {
-		if _, ok := workspaceComputeInstanceAllowlist[compute.InstanceType]; !ok {
-			return fmt.Errorf("unsupported compute.instance_type")
-		}
-	}
-	if compute.Volume.RootGB != 0 {
-		if compute.Volume.RootGB < workspaceComputeDiskFloorGB || compute.Volume.RootGB > workspaceComputeDiskCeilingGB {
-			return fmt.Errorf("compute.volume.root_gb must be between %d and %d", workspaceComputeDiskFloorGB, workspaceComputeDiskCeilingGB)
-		}
-	}
-	switch compute.Display.Mode {
-	case "", "none", "desktop-control", "gpu-desktop-control":
-	default:
-		return fmt.Errorf("unsupported compute.display.mode")
-	}
-	switch compute.Display.Protocol {
-	case "", "dcv":
-	default:
-		return fmt.Errorf("unsupported compute.display.protocol")
-	}
-	if compute.Display.Width < 0 || compute.Display.Height < 0 {
-		return fmt.Errorf("compute.display width/height must be non-negative")
-	}
-	return nil
-}
-
-func validateWorkspaceDisplayConfig(display models.WorkspaceComputeDisplay) error {
-	switch display.Mode {
-	case "", "none", "desktop-control", "gpu-desktop-control":
-	default:
-		return fmt.Errorf("unsupported compute.display.mode")
-	}
-	switch display.Protocol {
-	case "", "dcv":
-	default:
-		return fmt.Errorf("unsupported compute.display.protocol")
-	}
-	if display.Width < 0 || display.Height < 0 {
-		return fmt.Errorf("compute.display width/height must be non-negative")
-	}
-	return nil
-}
-
-func workspaceComputeIsZero(compute models.WorkspaceCompute) bool {
-	return compute.InstanceType == "" &&
-		compute.Volume.RootGB == 0 &&
-		compute.Display.Mode == "" &&
-		compute.Display.Width == 0 &&
-		compute.Display.Height == 0 &&
-		compute.Display.Protocol == ""
-}
-
-func workspaceComputeJSON(compute models.WorkspaceCompute) (string, error) {
-	if workspaceComputeIsZero(compute) {
-		return "{}", nil
-	}
-	out := map[string]interface{}{}
-	if compute.InstanceType != "" {
-		out["instance_type"] = compute.InstanceType
-	}
-	if compute.Volume.RootGB != 0 {
-		out["volume"] = map[string]interface{}{"root_gb": compute.Volume.RootGB}
-	}
-	display := map[string]interface{}{}
-	if compute.Display.Mode != "" {
-		display["mode"] = compute.Display.Mode
-	}
-	if compute.Display.Width != 0 {
-		display["width"] = compute.Display.Width
-	}
-	if compute.Display.Height != 0 {
-		display["height"] = compute.Display.Height
-	}
-	if compute.Display.Protocol != "" {
-		display["protocol"] = compute.Display.Protocol
-	}
-	if len(display) > 0 {
-		out["display"] = display
-	}
-	b, err := json.Marshal(out)
-	if err != nil {
-		return "", err
-	}
-	return string(b), nil
-}
-
-func withStoredCompute(ctx context.Context, workspaceID string, payload models.CreateWorkspacePayload) models.CreateWorkspacePayload {
-	if !workspaceComputeIsZero(payload.Compute) || db.DB == nil {
-		return payload
-	}
-	var raw string
-	err := db.DB.QueryRowContext(ctx,
-		`SELECT COALESCE(compute, '{}'::jsonb) FROM workspaces WHERE id = $1`,
-		workspaceID,
-	).Scan(&raw)
-	if err != nil {
-		if err != sql.ErrNoRows {
-			log.Printf("withStoredCompute: load compute for %s failed: %v", workspaceID, err)
-		}
-		return payload
-	}
-	if raw == "" || raw == "{}" {
-		return payload
-	}
-	var compute models.WorkspaceCompute
-	if err := json.Unmarshal([]byte(raw), &compute); err != nil {
-		log.Printf("withStoredCompute: invalid compute JSON for %s: %v", workspaceID, err)
-		return payload
-	}
-	if err := validateWorkspaceCompute(compute); err != nil {
-		log.Printf("withStoredCompute: stored compute for %s failed validation: %v", workspaceID, err)
-		return payload
-	}
-	payload.Compute = compute
-	return payload
-}
-
-// Display handles GET /workspaces/:id/display.
-//
-// Phase 1 only exposes the product contract and the non-display unavailable
-// state. Future desktop-control work will replace the display-enabled branch
-// with short-lived proxied DCV session details.
-func (h *WorkspaceHandler) Display(c *gin.Context) {
-	workspaceID := c.Param("id")
-	var raw string
-	err := db.DB.QueryRowContext(c.Request.Context(),
-		`SELECT COALESCE(compute, '{}'::jsonb) FROM workspaces WHERE id = $1`,
-		workspaceID,
-	).Scan(&raw)
-	if err != nil {
-		if err == sql.ErrNoRows {
-			c.JSON(404, gin.H{"error": "workspace not found"})
-			return
-		}
-		log.Printf("Display: load compute for %s failed: %v", workspaceID, err)
-		c.JSON(500, gin.H{"error": "failed to load display config"})
-		return
-	}
-	var compute models.WorkspaceCompute
-	if raw != "" && raw != "{}" {
-		if err := json.Unmarshal([]byte(raw), &compute); err != nil {
-			log.Printf("Display: invalid compute JSON for %s: %v", workspaceID, err)
-			c.JSON(500, gin.H{"error": "invalid display config"})
-			return
-		}
-		if err := validateWorkspaceDisplayConfig(compute.Display); err != nil {
-			log.Printf("Display: invalid stored compute for %s: %v", workspaceID, err)
-			c.JSON(500, gin.H{"error": "invalid display config"})
-			return
-		}
-	}
-	if compute.Display.Mode == "" || compute.Display.Mode == "none" {
-		c.JSON(200, workspaceDisplayResponse{
-			Available: false,
-			Reason:    "display_not_enabled",
-		})
-		return
-	}
-	c.JSON(200, workspaceDisplayResponse{
-		Available: false,
-		Reason:    "display_session_unavailable",
-		Mode:      compute.Display.Mode,
-		Protocol:  compute.Display.Protocol,
-		Width:     compute.Display.Width,
-		Height:    compute.Display.Height,
-		Status:    "not_configured",
-	})
-}
@@ -1,318 +0,0 @@
-package handlers
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"net/http"
-	"net/http/httptest"
-	"strings"
-	"testing"
-
-	"github.com/DATA-DOG/go-sqlmock"
-	"github.com/Molecule-AI/molecule-monorepo/platform/internal/models"
-	"github.com/gin-gonic/gin"
-)
-
-func TestValidateWorkspaceCompute_AcceptsPhase1SizingAndDisplayNone(t *testing.T) {
-	compute := models.WorkspaceCompute{
-		InstanceType: "m6i.xlarge",
-		Volume:       models.WorkspaceComputeVolume{RootGB: 100},
-		Display:      models.WorkspaceComputeDisplay{Mode: "none"},
-	}
-
-	if err := validateWorkspaceCompute(compute); err != nil {
-		t.Fatalf("validateWorkspaceCompute returned error for valid compute: %v", err)
-	}
-}
-
-func TestValidateWorkspaceCompute_RejectsUnknownInstanceType(t *testing.T) {
-	compute := models.WorkspaceCompute{InstanceType: "p4d.24xlarge"}
-
-	if err := validateWorkspaceCompute(compute); err == nil {
-		t.Fatal("validateWorkspaceCompute accepted unsupported instance type")
-	}
-}
-
-func TestValidateWorkspaceCompute_RejectsOutOfRangeRootVolume(t *testing.T) {
-	for _, rootGB := range []int{29, 501} {
-		compute := models.WorkspaceCompute{Volume: models.WorkspaceComputeVolume{RootGB: rootGB}}
-		if err := validateWorkspaceCompute(compute); err == nil {
-			t.Fatalf("validateWorkspaceCompute accepted root_gb=%d", rootGB)
-		}
-	}
-}
-
-func TestWorkspaceComputeJSON_OmitsEmptyNestedSections(t *testing.T) {
-	got, err := workspaceComputeJSON(models.WorkspaceCompute{
-		InstanceType: "m6i.xlarge",
-		Volume:       models.WorkspaceComputeVolume{RootGB: 100},
-	})
-	if err != nil {
-		t.Fatalf("workspaceComputeJSON returned error: %v", err)
-	}
-
-	if strings.Contains(got, `"display"`) {
-		t.Fatalf("workspaceComputeJSON included empty display section: %s", got)
-	}
-	if got != `{"instance_type":"m6i.xlarge","volume":{"root_gb":100}}` {
-		t.Fatalf("workspaceComputeJSON = %s", got)
-	}
-}
-
-func TestWorkspaceCreate_WithCompute_PersistsComputeJSON(t *testing.T) {
-	mock := setupTestDB(t)
-	setupTestRedis(t)
-	broadcaster := newTestBroadcaster()
-	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
-
-	mock.ExpectBegin()
-	mock.ExpectExec("INSERT INTO workspaces").
-		WillReturnResult(sqlmock.NewResult(0, 1))
-	mock.ExpectExec(`UPDATE workspaces SET compute = \$2::jsonb`).
-		WithArgs(sqlmock.AnyArg(), sqlmock.AnyArg()).
-		WillReturnResult(sqlmock.NewResult(0, 1))
-	mock.ExpectCommit()
-	mock.ExpectExec("INSERT INTO canvas_layouts").
-		WillReturnResult(sqlmock.NewResult(0, 1))
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	body := `{
-		"name":"Sized Agent",
-		"external":true,
-		"runtime":"external",
-		"compute":{
-			"instance_type":"m6i.xlarge",
-			"volume":{"root_gb":100},
-			"display":{"mode":"none"}
-		}
-	}`
-	c.Request = httptest.NewRequest("POST", "/workspaces", bytes.NewBufferString(body))
-	c.Request.Header.Set("Content-Type", "application/json")
-
-	handler.Create(c)
-
-	if w.Code != http.StatusCreated {
-		t.Fatalf("expected status 201, got %d: %s", w.Code, w.Body.String())
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
-func TestWorkspaceCreate_WithInvalidCompute_ReturnsBadRequest(t *testing.T) {
-	setupTestDB(t)
-	setupTestRedis(t)
-	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	body := `{
-		"name":"Oversized Agent",
-		"model":"gpt-4",
-		"compute":{"instance_type":"p4d.24xlarge"}
-	}`
-	c.Request = httptest.NewRequest("POST", "/workspaces", bytes.NewBufferString(body))
-	c.Request.Header.Set("Content-Type", "application/json")
-
-	handler.Create(c)
-
-	if w.Code != http.StatusBadRequest {
-		t.Fatalf("expected status 400, got %d: %s", w.Code, w.Body.String())
-	}
-}
-
-func TestBuildProvisionerConfig_CopiesComputeSizingFromPayload(t *testing.T) {
-	mock := setupTestDB(t)
-	mock.ExpectQuery(`SELECT COALESCE\(workspace_dir`).
-		WithArgs("ws-compute").
-		WillReturnRows(sqlmock.NewRows([]string{"workspace_dir", "workspace_access"}).AddRow("", "none"))
-
-	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
-	cfg := handler.buildProvisionerConfig(
-		context.Background(),
-		"ws-compute",
-		"",
-		nil,
-		models.CreateWorkspacePayload{
-			Tier:    4,
-			Runtime: "claude-code",
-			Compute: models.WorkspaceCompute{
-				InstanceType: "m6i.xlarge",
-				Volume:       models.WorkspaceComputeVolume{RootGB: 100},
-			},
-		},
-		nil,
-		t.TempDir(),
-	)
-
-	if cfg.InstanceType != "m6i.xlarge" {
-		t.Errorf("cfg.InstanceType = %q, want m6i.xlarge", cfg.InstanceType)
-	}
-	if cfg.DiskGB != 100 {
-		t.Errorf("cfg.DiskGB = %d, want 100", cfg.DiskGB)
-	}
-}
-
-func TestWithStoredCompute_LoadsComputeForRestartPayloads(t *testing.T) {
-	mock := setupTestDB(t)
-	mock.ExpectQuery(`SELECT COALESCE\(compute, '\{\}'::jsonb\) FROM workspaces WHERE id = \$1`).
-		WithArgs("ws-restart-compute").
-		WillReturnRows(sqlmock.NewRows([]string{"compute"}).AddRow(`{"instance_type":"m6i.xlarge","volume":{"root_gb":100}}`))
-
-	payload := models.CreateWorkspacePayload{Name: "Restart Me", Tier: 4, Runtime: "claude-code"}
-	got := withStoredCompute(context.Background(), "ws-restart-compute", payload)
-
-	if got.Compute.InstanceType != "m6i.xlarge" {
-		t.Errorf("stored compute instance_type = %q, want m6i.xlarge", got.Compute.InstanceType)
-	}
-	if got.Compute.Volume.RootGB != 100 {
-		t.Errorf("stored compute root_gb = %d, want 100", got.Compute.Volume.RootGB)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
-func TestWorkspaceDisplay_NonDisplayWorkspaceReturnsUnavailable(t *testing.T) {
-	mock := setupTestDB(t)
-	setupTestRedis(t)
-	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
-
-	mock.ExpectQuery(`SELECT COALESCE\(compute, '\{\}'::jsonb\) FROM workspaces WHERE id = \$1`).
-		WithArgs("ws-no-display").
-		WillReturnRows(sqlmock.NewRows([]string{"compute"}).AddRow(`{}`))
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "ws-no-display"}}
-	c.Request = httptest.NewRequest("GET", "/workspaces/ws-no-display/display", nil)
-
-	handler.Display(c)
-
-	if w.Code != http.StatusOK {
-		t.Fatalf("expected status 200, got %d: %s", w.Code, w.Body.String())
-	}
-	var resp map[string]interface{}
-	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
-		t.Fatalf("failed to parse display response: %v", err)
-	}
-	if resp["available"] != false {
-		t.Fatalf("available = %v, want false", resp["available"])
-	}
-	if resp["reason"] != "display_not_enabled" {
-		t.Fatalf("reason = %v, want display_not_enabled", resp["reason"])
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
-func TestWorkspaceDisplay_DisplayConfiguredReturnsSessionUnavailableContract(t *testing.T) {
-	mock := setupTestDB(t)
-	setupTestRedis(t)
-	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
-
-	mock.ExpectQuery(`SELECT COALESCE\(compute, '\{\}'::jsonb\) FROM workspaces WHERE id = \$1`).
-		WithArgs("ws-display").
-		WillReturnRows(sqlmock.NewRows([]string{"compute"}).AddRow(`{"display":{"mode":"desktop-control","protocol":"dcv","width":1920,"height":1080}}`))
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "ws-display"}}
-	c.Request = httptest.NewRequest("GET", "/workspaces/ws-display/display", nil)
-
-	handler.Display(c)
-
-	if w.Code != http.StatusOK {
-		t.Fatalf("expected status 200, got %d: %s", w.Code, w.Body.String())
-	}
-	var resp map[string]interface{}
-	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
-		t.Fatalf("failed to parse display response: %v", err)
-	}
-	if resp["available"] != false {
-		t.Fatalf("available = %v, want false", resp["available"])
-	}
-	if resp["reason"] != "display_session_unavailable" {
-		t.Fatalf("reason = %v, want display_session_unavailable", resp["reason"])
-	}
-	if resp["status"] != "not_configured" {
-		t.Fatalf("status = %v, want not_configured", resp["status"])
-	}
-	if resp["mode"] != "desktop-control" || resp["protocol"] != "dcv" {
-		t.Fatalf("mode/protocol = %v/%v, want desktop-control/dcv", resp["mode"], resp["protocol"])
-	}
-	if resp["width"] != float64(1920) || resp["height"] != float64(1080) {
-		t.Fatalf("width/height = %v/%v, want 1920/1080", resp["width"], resp["height"])
-	}
-	if _, ok := resp["url"]; ok {
-		t.Fatalf("display response exposed url before session infra exists: %v", resp["url"])
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
-func TestWorkspaceDisplay_IgnoresUnrelatedStoredComputeSizingDrift(t *testing.T) {
-	mock := setupTestDB(t)
-	setupTestRedis(t)
-	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
-
-	mock.ExpectQuery(`SELECT COALESCE\(compute, '\{\}'::jsonb\) FROM workspaces WHERE id = \$1`).
-		WithArgs("ws-display-sizing-drift").
-		WillReturnRows(sqlmock.NewRows([]string{"compute"}).AddRow(`{"instance_type":"old.large","display":{"mode":"desktop-control","protocol":"dcv","width":1920,"height":1080}}`))
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "ws-display-sizing-drift"}}
-	c.Request = httptest.NewRequest("GET", "/workspaces/ws-display-sizing-drift/display", nil)
-
-	handler.Display(c)
-
-	if w.Code != http.StatusOK {
-		t.Fatalf("expected status 200, got %d: %s", w.Code, w.Body.String())
-	}
-	var resp map[string]interface{}
-	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
-		t.Fatalf("failed to parse display response: %v", err)
-	}
-	if resp["reason"] != "display_session_unavailable" {
-		t.Fatalf("reason = %v, want display_session_unavailable", resp["reason"])
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
-func TestWorkspaceDisplay_InvalidStoredDisplayConfigReturnsServerError(t *testing.T) {
-	mock := setupTestDB(t)
-	setupTestRedis(t)
-	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
-
-	mock.ExpectQuery(`SELECT COALESCE\(compute, '\{\}'::jsonb\) FROM workspaces WHERE id = \$1`).
-		WithArgs("ws-invalid-display").
-		WillReturnRows(sqlmock.NewRows([]string{"compute"}).AddRow(`{"display":{"mode":"desktop-control","protocol":"vnc"}}`))
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "ws-invalid-display"}}
-	c.Request = httptest.NewRequest("GET", "/workspaces/ws-invalid-display/display", nil)
-
-	handler.Display(c)
-
-	if w.Code != http.StatusInternalServerError {
-		t.Fatalf("expected status 500, got %d: %s", w.Code, w.Body.String())
-	}
-	var resp map[string]interface{}
-	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
-		t.Fatalf("failed to parse display response: %v", err)
-	}
-	if resp["error"] != "invalid display config" {
-		t.Fatalf("error = %v, want invalid display config", resp["error"])
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
@@ -103,13 +103,13 @@ func cleanupTestRows(t *testing.T, conn *sql.DB, namePrefix string) {
 // TestIntegration_WorkspaceCreate_NameRetry_AutoSuffixesOnCollision
 // exercises the helper end-to-end against a real Postgres:
 //
-//  1. INSERT a row with name "<prefix>-Repro" — succeeds.
-//  2. Run insertWorkspaceWithNameRetry with the same name —
-//     partial-unique violation fires, helper retries with
-//     " (2)", that succeeds.
-//  3. SELECT the row by id, confirm name = "<prefix>-Repro (2)".
-//  4. Run helper AGAIN — second collision, helper retries with
-//     " (3)".
+//   1. INSERT a row with name "<prefix>-Repro" — succeeds.
+//   2. Run insertWorkspaceWithNameRetry with the same name —
+//      partial-unique violation fires, helper retries with
+//      " (2)", that succeeds.
+//   3. SELECT the row by id, confirm name = "<prefix>-Repro (2)".
+//   4. Run helper AGAIN — second collision, helper retries with
+//      " (3)".
 //
 // This is the live-test that proves the partial-index behaviour
 // matches the migration's intent — sqlmock cannot reach this depth.
@@ -130,9 +130,9 @@ func TestIntegration_WorkspaceCreate_NameRetry_AutoSuffixesOnCollision(t *testin
 	// targets + the NOT NULL columns required by the schema).
 	firstID := uuid.New().String()
 	if _, err := conn.ExecContext(ctx, `
-		INSERT INTO workspaces (id, name, tier, runtime, status)
-		VALUES ($1, $2, 2, 'claude-code', 'provisioning')
-	`, firstID, baseName); err != nil {
+		INSERT INTO workspaces (id, name, tier, runtime, awareness_namespace, status)
+		VALUES ($1, $2, 2, 'claude-code', $3, 'provisioning')
+	`, firstID, baseName, "workspace:"+firstID); err != nil {
 		t.Fatalf("seed first row: %v", err)
 	}

@@ -145,10 +145,10 @@ func TestIntegration_WorkspaceCreate_NameRetry_AutoSuffixesOnCollision(t *testin
 	}
 	secondID := uuid.New().String()
 	query := `
-		INSERT INTO workspaces (id, name, tier, runtime, status)
-		VALUES ($1, $2, 2, 'claude-code', 'provisioning')
+		INSERT INTO workspaces (id, name, tier, runtime, awareness_namespace, status)
+		VALUES ($1, $2, 2, 'claude-code', $3, 'provisioning')
 	`
-	args := []any{secondID, baseName}
+	args := []any{secondID, baseName, "workspace:" + secondID}
 	persistedName, finalTx, err := insertWorkspaceWithNameRetry(
 		ctx, tx, beginTx, baseName, 1, query, args,
 	)
@@ -179,7 +179,7 @@ func TestIntegration_WorkspaceCreate_NameRetry_AutoSuffixesOnCollision(t *testin
 		t.Fatalf("begin tx3: %v", err)
 	}
 	thirdID := uuid.New().String()
-	args3 := []any{thirdID, baseName}
+	args3 := []any{thirdID, baseName, "workspace:" + thirdID}
 	persistedName3, finalTx3, err := insertWorkspaceWithNameRetry(
 		ctx, tx3, beginTx, baseName, 1, query, args3,
 	)
@@ -216,9 +216,9 @@ func TestIntegration_WorkspaceCreate_NameRetry_TombstonedRowDoesNotCollide(t *te
 	// Seed a row, then tombstone it.
 	firstID := uuid.New().String()
 	if _, err := conn.ExecContext(ctx, `
-		INSERT INTO workspaces (id, name, tier, runtime, status)
-		VALUES ($1, $2, 2, 'claude-code', 'removed')
-	`, firstID, baseName); err != nil {
+		INSERT INTO workspaces (id, name, tier, runtime, awareness_namespace, status)
+		VALUES ($1, $2, 2, 'claude-code', $3, 'removed')
+	`, firstID, baseName, "workspace:"+firstID); err != nil {
 		t.Fatalf("seed tombstoned row: %v", err)
 	}

@@ -231,10 +231,10 @@ func TestIntegration_WorkspaceCreate_NameRetry_TombstonedRowDoesNotCollide(t *te
 	}
 	secondID := uuid.New().String()
 	query := `
-		INSERT INTO workspaces (id, name, tier, runtime, status)
-		VALUES ($1, $2, 2, 'claude-code', 'provisioning')
+		INSERT INTO workspaces (id, name, tier, runtime, awareness_namespace, status)
+		VALUES ($1, $2, 2, 'claude-code', $3, 'provisioning')
 	`
-	args := []any{secondID, baseName}
+	args := []any{secondID, baseName, "workspace:" + secondID}
 	persistedName, finalTx, err := insertWorkspaceWithNameRetry(
 		ctx, tx, beginTx, baseName, 1, query, args,
 	)
@@ -435,16 +435,13 @@ func (h *WorkspaceHandler) CascadeDelete(ctx context.Context, id string) ([]stri
 	if err != nil {
 		return nil, nil, fmt.Errorf("descendant query: %w", err)
 	}
-	defer descRows.Close()
 	for descRows.Next() {
 		var descID string
 		if descRows.Scan(&descID) == nil {
 			descendantIDs = append(descendantIDs, descID)
 		}
 	}
-	if err := descRows.Err(); err != nil {
-		return nil, nil, fmt.Errorf("CascadeDelete: failed iterating descendants: %w", err)
-	}
+	descRows.Close()

 	allIDs := append([]string{id}, descendantIDs...)

@@ -503,32 +503,6 @@ func TestCascadeDelete_DescendantQueryError(t *testing.T) {
 	// sqlmock verifies all expected queries were executed
 }

-func TestCascadeDelete_DescendantRowsError(t *testing.T) {
-	mock, _ := setupWorkspaceCrudTest(t)
-	wsID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
-
-	// RowError(0, ...) requires a real row at index 0 to be reachable —
-	// sqlmock only invokes nextErr[N] when r.pos-1 == N and the row exists.
-	// AddRow ensures Next() attempts the first row, triggers the error,
-	// and rows.Err() returns the injected error.
-	h := &WorkspaceHandler{}
-	rows := sqlmock.NewRows([]string{"id"}).AddRow("desc-1").RowError(0, sql.ErrConnDone)
-	mock.ExpectQuery(`WITH RECURSIVE descendants AS`).
-		WithArgs(wsID).
-		WillReturnRows(rows)
-
-	deleted, stopErrs, err := h.CascadeDelete(context.Background(), wsID)
-	if err == nil {
-		t.Fatal("CascadeDelete returned nil error; want descendant rows error")
-	}
-	if deleted != nil {
-		t.Errorf("deleted = %v; want nil", deleted)
-	}
-	if stopErrs != nil {
-		t.Errorf("stopErrs = %v; want nil", stopErrs)
-	}
-}
-
 // Note: Full CascadeDelete testing requires mocking StopWorkspace, RemoveVolume,
 // and provisioner calls — covered in integration tests. Unit tests here focus on
 // the validation and pre-condition paths.
@@ -1,360 +0,0 @@
-package handlers
-
-import (
-	"context"
-	"crypto/subtle"
-	"database/sql"
-	"encoding/json"
-	"fmt"
-	"log"
-	"net/http"
-	"os"
-	"time"
-
-	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
-	"github.com/Molecule-AI/molecule-monorepo/platform/internal/models"
-	"github.com/Molecule-AI/molecule-monorepo/platform/internal/wsauth"
-	"github.com/gin-gonic/gin"
-)
-
-const (
-	displayControlDefaultTTLSeconds = 300
-	displayControlMinTTLSeconds     = 30
-	displayControlMaxTTLSeconds     = 3600
-)
-
-type workspaceDisplayControlResponse struct {
-	Controller   string    `json:"controller"`
-	ControlledBy string    `json:"controlled_by,omitempty"`
-	ExpiresAt    time.Time `json:"expires_at"`
-}
-
-type workspaceDisplayControlNoneResponse struct {
-	Controller string `json:"controller"`
-}
-
-type acquireDisplayControlRequest struct {
-	Controller string `json:"controller"`
-	TTLSeconds int    `json:"ttl_seconds"`
-}
-
-type releaseDisplayControlRequest struct {
-	Force bool `json:"force"`
-}
-
-// DisplayControl handles GET /workspaces/:id/display/control.
-func (h *WorkspaceHandler) DisplayControl(c *gin.Context) {
-	lock, found, err := h.loadActiveDisplayControl(c, c.Param("id"))
-	if err != nil {
-		log.Printf("DisplayControl: load lock for %s failed: %v", c.Param("id"), err)
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to load display control"})
-		return
-	}
-	if !found {
-		c.JSON(http.StatusOK, workspaceDisplayControlNoneResponse{Controller: "none"})
-		return
-	}
-	c.JSON(http.StatusOK, lock)
-}
-
-// AcquireDisplayControl handles POST /workspaces/:id/display/control/acquire.
-func (h *WorkspaceHandler) AcquireDisplayControl(c *gin.Context) {
-	var req acquireDisplayControlRequest
-	if c.Request.Body != nil && c.Request.ContentLength != 0 {
-		if err := c.ShouldBindJSON(&req); err != nil {
-			c.JSON(http.StatusBadRequest, gin.H{"error": "invalid display control request"})
-			return
-		}
-	}
-	if req.Controller == "" {
-		req.Controller = "user"
-	}
-	if req.Controller != "user" {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "browser callers may only acquire user display control"})
-		return
-	}
-	if req.TTLSeconds == 0 {
-		req.TTLSeconds = displayControlDefaultTTLSeconds
-	}
-	if req.TTLSeconds < displayControlMinTTLSeconds || req.TTLSeconds > displayControlMaxTTLSeconds {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "ttl_seconds must be between 30 and 3600"})
-		return
-	}
-	if ok := h.displayControlEnabled(c, c.Param("id")); !ok {
-		return
-	}
-
-	controlledBy, ok := displayControlActor(c)
-	if !ok {
-		c.JSON(http.StatusForbidden, gin.H{"error": "display control requires admin-token or org-token auth"})
-		return
-	}
-	workspaceID := c.Param("id")
-	startedAt := time.Now()
-	emitDisplayControlEvent(c.Request.Context(), "display.control.acquire.started", workspaceID, map[string]any{
-		"controller":    req.Controller,
-		"controlled_by": controlledBy,
-		"ttl_seconds":   req.TTLSeconds,
-	})
-	var lock workspaceDisplayControlResponse
-	err := db.DB.QueryRowContext(c.Request.Context(), `
-INSERT INTO workspace_display_control_locks
-    (workspace_id, controller, controlled_by, expires_at)
-VALUES
-    ($1, $2, $3, now() + ($4 * interval '1 second'))
-ON CONFLICT (workspace_id) DO UPDATE
-SET controller = EXCLUDED.controller,
-    controlled_by = EXCLUDED.controlled_by,
-    expires_at = EXCLUDED.expires_at,
-    updated_at = now()
-WHERE workspace_display_control_locks.expires_at <= now()
-   OR workspace_display_control_locks.controlled_by = EXCLUDED.controlled_by
-RETURNING controller, controlled_by, expires_at`,
-		workspaceID, req.Controller, controlledBy, req.TTLSeconds,
-	).Scan(&lock.Controller, &lock.ControlledBy, &lock.ExpiresAt)
-	if err == nil {
-		emitDisplayControlEvent(c.Request.Context(), "display.control.acquire.completed", workspaceID, map[string]any{
-			"controller":    lock.Controller,
-			"controlled_by": lock.ControlledBy,
-			"ttl_seconds":   req.TTLSeconds,
-			"duration_ms":   time.Since(startedAt).Milliseconds(),
-		})
-		c.JSON(http.StatusOK, lock)
-		return
-	}
-	if err == sql.ErrNoRows {
-		current, found, loadErr := h.loadActiveDisplayControl(c, workspaceID)
-		if loadErr != nil {
-			log.Printf("AcquireDisplayControl: load active lock for %s failed: %v", workspaceID, loadErr)
-			emitDisplayControlEvent(c.Request.Context(), "display.control.acquire.failed", workspaceID, map[string]any{
-				"controlled_by": controlledBy,
-				"duration_ms":   time.Since(startedAt).Milliseconds(),
-				"error":         loadErr.Error(),
-			})
-			c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to load display control"})
-			return
-		}
-		emitDisplayControlEvent(c.Request.Context(), "display.control.acquire.failed", workspaceID, map[string]any{
-			"controlled_by": controlledBy,
-			"duration_ms":   time.Since(startedAt).Milliseconds(),
-			"error":         "display control already held",
-		})
-		if !found {
-			c.JSON(http.StatusConflict, gin.H{
-				"error":   "display control already held",
-				"current": workspaceDisplayControlNoneResponse{Controller: "none"},
-			})
-			return
-		}
-		c.JSON(http.StatusConflict, gin.H{
-			"error":   "display control already held",
-			"current": current,
-		})
-		return
-	}
-	log.Printf("AcquireDisplayControl: acquire lock for %s failed: %v", workspaceID, err)
-	emitDisplayControlEvent(c.Request.Context(), "display.control.acquire.failed", workspaceID, map[string]any{
-		"controlled_by": controlledBy,
-		"duration_ms":   time.Since(startedAt).Milliseconds(),
-		"error":         err.Error(),
-	})
-	c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to acquire display control"})
-}
-
-// ReleaseDisplayControl handles POST /workspaces/:id/display/control/release.
-func (h *WorkspaceHandler) ReleaseDisplayControl(c *gin.Context) {
-	var req releaseDisplayControlRequest
-	if c.Request.Body != nil && c.Request.ContentLength != 0 {
-		if err := c.ShouldBindJSON(&req); err != nil {
-			c.JSON(http.StatusBadRequest, gin.H{"error": "invalid display control release request"})
-			return
-		}
-	}
-	if req.Force {
-		if !displayControlIsAdminToken(c) {
-			c.JSON(http.StatusForbidden, gin.H{"error": "force release requires admin-token auth"})
-			return
-		}
-	}
-
-	controlledBy, ok := displayControlActor(c)
-	if !ok {
-		c.JSON(http.StatusForbidden, gin.H{"error": "display control requires admin-token or org-token auth"})
-		return
-	}
-	workspaceID := c.Param("id")
-	startedAt := time.Now()
-	emitDisplayControlEvent(c.Request.Context(), "display.control.release.started", workspaceID, map[string]any{
-		"controlled_by": controlledBy,
-		"force":         req.Force,
-	})
-	query := `DELETE FROM workspace_display_control_locks WHERE workspace_id = $1 AND controlled_by = $2`
-	args := []interface{}{workspaceID, controlledBy}
-	if req.Force {
-		query = `DELETE FROM workspace_display_control_locks WHERE workspace_id = $1`
-		args = []interface{}{workspaceID}
-	}
-	result, err := db.DB.ExecContext(c.Request.Context(), query, args...)
-	if err != nil {
-		log.Printf("ReleaseDisplayControl: release lock for %s failed: %v", workspaceID, err)
-		emitDisplayControlEvent(c.Request.Context(), "display.control.release.failed", workspaceID, map[string]any{
-			"controlled_by": controlledBy,
-			"duration_ms":   time.Since(startedAt).Milliseconds(),
-			"error":         err.Error(),
-			"force":         req.Force,
-		})
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to release display control"})
-		return
-	}
-	rowsAffected, err := result.RowsAffected()
-	if err != nil {
-		log.Printf("ReleaseDisplayControl: rows affected for %s failed: %v", workspaceID, err)
-		emitDisplayControlEvent(c.Request.Context(), "display.control.release.failed", workspaceID, map[string]any{
-			"controlled_by": controlledBy,
-			"duration_ms":   time.Since(startedAt).Milliseconds(),
-			"error":         err.Error(),
-			"force":         req.Force,
-		})
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to release display control"})
-		return
-	}
-	if rowsAffected == 0 {
-		current, found, loadErr := h.loadActiveDisplayControl(c, workspaceID)
-		if loadErr != nil {
-			log.Printf("ReleaseDisplayControl: load active lock for %s failed: %v", workspaceID, loadErr)
-			emitDisplayControlEvent(c.Request.Context(), "display.control.release.failed", workspaceID, map[string]any{
-				"controlled_by": controlledBy,
-				"duration_ms":   time.Since(startedAt).Milliseconds(),
-				"error":         loadErr.Error(),
-				"force":         req.Force,
-			})
-			c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to load display control"})
-			return
-		}
-		if !found {
-			emitDisplayControlEvent(c.Request.Context(), "display.control.release.completed", workspaceID, map[string]any{
-				"controlled_by": controlledBy,
-				"duration_ms":   time.Since(startedAt).Milliseconds(),
-				"force":         req.Force,
-				"rows_affected": rowsAffected,
-			})
-			c.JSON(http.StatusOK, workspaceDisplayControlNoneResponse{Controller: "none"})
-			return
-		}
-		emitDisplayControlEvent(c.Request.Context(), "display.control.release.failed", workspaceID, map[string]any{
-			"controlled_by": controlledBy,
-			"duration_ms":   time.Since(startedAt).Milliseconds(),
-			"error":         "display control held by another caller",
-			"force":         req.Force,
-		})
-		c.JSON(http.StatusConflict, gin.H{
-			"error":   "display control held by another caller",
-			"current": current,
-		})
-		return
-	}
-	emitDisplayControlEvent(c.Request.Context(), "display.control.release.completed", workspaceID, map[string]any{
-		"controlled_by": controlledBy,
-		"duration_ms":   time.Since(startedAt).Milliseconds(),
-		"force":         req.Force,
-		"rows_affected": rowsAffected,
-	})
-	c.JSON(http.StatusOK, workspaceDisplayControlNoneResponse{Controller: "none"})
-}
-
-func (h *WorkspaceHandler) loadActiveDisplayControl(c *gin.Context, workspaceID string) (workspaceDisplayControlResponse, bool, error) {
-	var lock workspaceDisplayControlResponse
-	err := db.DB.QueryRowContext(c.Request.Context(),
-		`SELECT controller, controlled_by, expires_at FROM workspace_display_control_locks WHERE workspace_id = $1 AND expires_at > now()`,
-		workspaceID,
-	).Scan(&lock.Controller, &lock.ControlledBy, &lock.ExpiresAt)
-	if err == nil {
-		return lock, true, nil
-	}
-	if err == sql.ErrNoRows {
-		return workspaceDisplayControlResponse{}, false, nil
-	}
-	return workspaceDisplayControlResponse{}, false, err
-}
-
-func (h *WorkspaceHandler) displayControlEnabled(c *gin.Context, workspaceID string) bool {
-	var raw string
-	err := db.DB.QueryRowContext(c.Request.Context(),
-		`SELECT COALESCE(compute, '{}'::jsonb) FROM workspaces WHERE id = $1`,
-		workspaceID,
-	).Scan(&raw)
-	if err != nil {
-		if err == sql.ErrNoRows {
-			c.JSON(http.StatusNotFound, gin.H{"error": "workspace not found"})
-			return false
-		}
-		log.Printf("displayControlEnabled: load compute for %s failed: %v", workspaceID, err)
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to load display config"})
-		return false
-	}
-	compute, err := parseWorkspaceDisplayCompute(workspaceID, raw)
-	if err != nil {
-		log.Printf("displayControlEnabled: invalid display config for %s: %v", workspaceID, err)
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "invalid display config"})
-		return false
-	}
-	if compute.Display.Mode == "" || compute.Display.Mode == "none" {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "display not enabled"})
-		return false
-	}
-	return true
-}
-
-func parseWorkspaceDisplayCompute(workspaceID, raw string) (models.WorkspaceCompute, error) {
-	var compute models.WorkspaceCompute
-	if raw == "" || raw == "{}" {
-		return compute, nil
-	}
-	if err := json.Unmarshal([]byte(raw), &compute); err != nil {
-		return models.WorkspaceCompute{}, fmt.Errorf("invalid compute JSON for %s: %w", workspaceID, err)
-	}
-	if err := validateWorkspaceDisplayConfig(compute.Display); err != nil {
-		return models.WorkspaceCompute{}, err
-	}
-	return compute, nil
-}
-
-func displayControlActor(c *gin.Context) (string, bool) {
-	if v, ok := c.Get("org_token_prefix"); ok {
-		if s, ok := v.(string); ok && s != "" {
-			return actorOrgTokenPrefix + s, true
-		}
-	}
-	if displayControlIsAdminToken(c) {
-		return actorAdminToken, true
-	}
-	// Browser session auth is intentionally observe-only until AdminAuth
-	// exposes a stable per-user or per-session identity in gin.Context.
-	return "", false
-}
-
-func displayControlIsAdminToken(c *gin.Context) bool {
-	adminSecret := os.Getenv("ADMIN_TOKEN")
-	if adminSecret == "" {
-		return false
-	}
-	tok := wsauth.BearerTokenFromHeader(c.GetHeader("Authorization"))
-	return subtle.ConstantTimeCompare([]byte(tok), []byte(adminSecret)) == 1
-}
-
-func emitDisplayControlEvent(ctx context.Context, eventType string, workspaceID string, payload map[string]any) {
-	if payload == nil {
-		payload = map[string]any{}
-	}
-	payloadJSON, err := json.Marshal(payload)
-	if err != nil {
-		log.Printf("emitDisplayControlEvent: marshal %s payload failed: %v", eventType, err)
-		return
-	}
-	if _, err := db.DB.ExecContext(ctx, `
-		INSERT INTO structure_events (event_type, workspace_id, payload, created_at)
-		VALUES ($1, $2, $3::jsonb, now())
-	`, eventType, workspaceID, string(payloadJSON)); err != nil {
-		log.Printf("emitDisplayControlEvent: insert %s failed: %v", eventType, err)
-	}
-}
@@ -1,321 +0,0 @@
-package handlers
-
-import (
-	"bytes"
-	"database/sql"
-	"encoding/json"
-	"net/http"
-	"net/http/httptest"
-	"testing"
-	"time"
-
-	"github.com/DATA-DOG/go-sqlmock"
-	"github.com/gin-gonic/gin"
-)
-
-func attachDisplayControlAdminToken(t *testing.T, c *gin.Context) {
-	t.Helper()
-	t.Setenv("ADMIN_TOKEN", "test-admin-secret")
-	c.Request.Header.Set("Authorization", "Bearer test-admin-secret")
-}
-
-func TestWorkspaceDisplayControl_NoActiveLockReturnsNone(t *testing.T) {
-	mock := setupTestDB(t)
-	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
-
-	mock.ExpectQuery(`SELECT controller, controlled_by, expires_at FROM workspace_display_control_locks WHERE workspace_id = \$1 AND expires_at > now\(\)`).
-		WithArgs("ws-display").
-		WillReturnError(sql.ErrNoRows)
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "ws-display"}}
-	c.Request = httptest.NewRequest("GET", "/workspaces/ws-display/display/control", nil)
-
-	handler.DisplayControl(c)
-
-	if w.Code != http.StatusOK {
-		t.Fatalf("expected status 200, got %d: %s", w.Code, w.Body.String())
-	}
-	var resp map[string]interface{}
-	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
-		t.Fatalf("failed to parse response: %v", err)
-	}
-	if resp["controller"] != "none" {
-		t.Fatalf("controller = %v, want none", resp["controller"])
-	}
-	if _, ok := resp["expires_at"]; ok {
-		t.Fatalf("none response included expires_at: %#v", resp)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
-func TestWorkspaceDisplayControlAcquire_ClaimsUnlockedDisplay(t *testing.T) {
-	mock := setupTestDB(t)
-	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
-	expiresAt := time.Date(2026, 5, 23, 18, 30, 0, 0, time.UTC)
-
-	mock.ExpectQuery(`SELECT COALESCE\(compute, '\{\}'::jsonb\) FROM workspaces WHERE id = \$1`).
-		WithArgs("ws-display").
-		WillReturnRows(sqlmock.NewRows([]string{"compute"}).AddRow(`{"display":{"mode":"desktop-control","protocol":"dcv","width":1920,"height":1080}}`))
-	mock.ExpectQuery(`INSERT INTO workspace_display_control_locks`).
-		WithArgs("ws-display", "user", "admin-token", 300).
-		WillReturnRows(sqlmock.NewRows([]string{"controller", "controlled_by", "expires_at"}).
-			AddRow("user", "admin-token", expiresAt))
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "ws-display"}}
-	c.Request = httptest.NewRequest("POST", "/workspaces/ws-display/display/control/acquire", bytes.NewBufferString(`{"controller":"user","ttl_seconds":300}`))
-	c.Request.Header.Set("Content-Type", "application/json")
-	attachDisplayControlAdminToken(t, c)
-
-	handler.AcquireDisplayControl(c)
-
-	if w.Code != http.StatusOK {
-		t.Fatalf("expected status 200, got %d: %s", w.Code, w.Body.String())
-	}
-	var resp map[string]interface{}
-	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
-		t.Fatalf("failed to parse response: %v", err)
-	}
-	if resp["controller"] != "user" || resp["controlled_by"] != "admin-token" {
-		t.Fatalf("lock response = %#v, want user/admin-token", resp)
-	}
-	if resp["expires_at"] == "" {
-		t.Fatalf("expires_at missing in response: %#v", resp)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
-func TestWorkspaceDisplayControlAcquire_ActiveLockReturnsConflict(t *testing.T) {
-	mock := setupTestDB(t)
-	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
-	expiresAt := time.Date(2026, 5, 23, 18, 30, 0, 0, time.UTC)
-
-	mock.ExpectQuery(`SELECT COALESCE\(compute, '\{\}'::jsonb\) FROM workspaces WHERE id = \$1`).
-		WithArgs("ws-display").
-		WillReturnRows(sqlmock.NewRows([]string{"compute"}).AddRow(`{"display":{"mode":"desktop-control","protocol":"dcv","width":1920,"height":1080}}`))
-	mock.ExpectQuery(`INSERT INTO workspace_display_control_locks`).
-		WithArgs("ws-display", "user", "admin-token", 300).
-		WillReturnError(sql.ErrNoRows)
-	mock.ExpectQuery(`SELECT controller, controlled_by, expires_at FROM workspace_display_control_locks WHERE workspace_id = \$1 AND expires_at > now\(\)`).
-		WithArgs("ws-display").
-		WillReturnRows(sqlmock.NewRows([]string{"controller", "controlled_by", "expires_at"}).
-			AddRow("agent", "sidecar", expiresAt))
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "ws-display"}}
-	c.Request = httptest.NewRequest("POST", "/workspaces/ws-display/display/control/acquire", bytes.NewBufferString(`{"controller":"user","ttl_seconds":300}`))
-	c.Request.Header.Set("Content-Type", "application/json")
-	attachDisplayControlAdminToken(t, c)
-
-	handler.AcquireDisplayControl(c)
-
-	if w.Code != http.StatusConflict {
-		t.Fatalf("expected status 409, got %d: %s", w.Code, w.Body.String())
-	}
-	var resp map[string]interface{}
-	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
-		t.Fatalf("failed to parse response: %v", err)
-	}
-	if resp["error"] != "display control already held" {
-		t.Fatalf("error = %v, want display control already held", resp["error"])
-	}
-	current, ok := resp["current"].(map[string]interface{})
-	if !ok || current["controller"] != "agent" || current["controlled_by"] != "sidecar" {
-		t.Fatalf("current lock = %#v, want agent/sidecar", resp["current"])
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
-func TestWorkspaceDisplayControlAcquire_RejectsDisplayDisabledWorkspace(t *testing.T) {
-	mock := setupTestDB(t)
-	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
-
-	mock.ExpectQuery(`SELECT COALESCE\(compute, '\{\}'::jsonb\) FROM workspaces WHERE id = \$1`).
-		WithArgs("ws-no-display").
-		WillReturnRows(sqlmock.NewRows([]string{"compute"}).AddRow(`{}`))
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "ws-no-display"}}
-	c.Request = httptest.NewRequest("POST", "/workspaces/ws-no-display/display/control/acquire", bytes.NewBufferString(`{"controller":"user","ttl_seconds":300}`))
-	c.Request.Header.Set("Content-Type", "application/json")
-	attachDisplayControlAdminToken(t, c)
-
-	handler.AcquireDisplayControl(c)
-
-	if w.Code != http.StatusBadRequest {
-		t.Fatalf("expected status 400, got %d: %s", w.Code, w.Body.String())
-	}
-	var resp map[string]interface{}
-	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
-		t.Fatalf("failed to parse response: %v", err)
-	}
-	if resp["error"] != "display not enabled" {
-		t.Fatalf("error = %v, want display not enabled", resp["error"])
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
-func TestWorkspaceDisplayControlAcquire_RejectsCoarseSessionActor(t *testing.T) {
-	mock := setupTestDB(t)
-	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
-
-	mock.ExpectQuery(`SELECT COALESCE\(compute, '\{\}'::jsonb\) FROM workspaces WHERE id = \$1`).
-		WithArgs("ws-display").
-		WillReturnRows(sqlmock.NewRows([]string{"compute"}).AddRow(`{"display":{"mode":"desktop-control","protocol":"dcv","width":1920,"height":1080}}`))
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "ws-display"}}
-	c.Request = httptest.NewRequest("POST", "/workspaces/ws-display/display/control/acquire", bytes.NewBufferString(`{"controller":"user","ttl_seconds":300}`))
-	c.Request.Header.Set("Content-Type", "application/json")
-	c.Request.Header.Set("Cookie", "molecule_session=present")
-
-	handler.AcquireDisplayControl(c)
-
-	if w.Code != http.StatusForbidden {
-		t.Fatalf("expected status 403, got %d: %s", w.Code, w.Body.String())
-	}
-	var resp map[string]interface{}
-	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
-		t.Fatalf("failed to parse response: %v", err)
-	}
-	if resp["error"] != "display control requires admin-token or org-token auth" {
-		t.Fatalf("error = %v, want display control requires admin-token or org-token auth", resp["error"])
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
-func TestWorkspaceDisplayControlRelease_RemovesCallerLock(t *testing.T) {
-	mock := setupTestDB(t)
-	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
-
-	mock.ExpectExec(`DELETE FROM workspace_display_control_locks WHERE workspace_id = \$1 AND controlled_by = \$2`).
-		WithArgs("ws-display", "admin-token").
-		WillReturnResult(sqlmock.NewResult(0, 1))
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "ws-display"}}
-	c.Request = httptest.NewRequest("POST", "/workspaces/ws-display/display/control/release", nil)
-	attachDisplayControlAdminToken(t, c)
-
-	handler.ReleaseDisplayControl(c)
-
-	if w.Code != http.StatusOK {
-		t.Fatalf("expected status 200, got %d: %s", w.Code, w.Body.String())
-	}
-	var resp map[string]interface{}
-	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
-		t.Fatalf("failed to parse response: %v", err)
-	}
-	if resp["controller"] != "none" {
-		t.Fatalf("controller = %v, want none", resp["controller"])
-	}
-	if _, ok := resp["expires_at"]; ok {
-		t.Fatalf("none response included expires_at: %#v", resp)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
-func TestWorkspaceDisplayControlRelease_ConflictWhenCallerDoesNotOwnLock(t *testing.T) {
-	mock := setupTestDB(t)
-	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
-	expiresAt := time.Date(2026, 5, 23, 18, 30, 0, 0, time.UTC)
-
-	mock.ExpectExec(`DELETE FROM workspace_display_control_locks WHERE workspace_id = \$1 AND controlled_by = \$2`).
-		WithArgs("ws-display", "admin-token").
-		WillReturnResult(sqlmock.NewResult(0, 0))
-	mock.ExpectQuery(`SELECT controller, controlled_by, expires_at FROM workspace_display_control_locks WHERE workspace_id = \$1 AND expires_at > now\(\)`).
-		WithArgs("ws-display").
-		WillReturnRows(sqlmock.NewRows([]string{"controller", "controlled_by", "expires_at"}).
-			AddRow("user", "org-token:abcd1234", expiresAt))
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "ws-display"}}
-	c.Request = httptest.NewRequest("POST", "/workspaces/ws-display/display/control/release", nil)
-	attachDisplayControlAdminToken(t, c)
-
-	handler.ReleaseDisplayControl(c)
-
-	if w.Code != http.StatusConflict {
-		t.Fatalf("expected status 409, got %d: %s", w.Code, w.Body.String())
-	}
-	var resp map[string]interface{}
-	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
-		t.Fatalf("failed to parse response: %v", err)
-	}
-	if resp["error"] != "display control held by another caller" {
-		t.Fatalf("error = %v, want display control held by another caller", resp["error"])
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
-func TestWorkspaceDisplayControlRelease_RejectsOrgTokenForceRelease(t *testing.T) {
-	setupTestDB(t)
-	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "ws-display"}}
-	c.Set("org_token_prefix", "abcd1234")
-	c.Request = httptest.NewRequest("POST", "/workspaces/ws-display/display/control/release", bytes.NewBufferString(`{"force":true}`))
-	c.Request.Header.Set("Content-Type", "application/json")
-
-	handler.ReleaseDisplayControl(c)
-
-	if w.Code != http.StatusForbidden {
-		t.Fatalf("expected status 403, got %d: %s", w.Code, w.Body.String())
-	}
-	var resp map[string]interface{}
-	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
-		t.Fatalf("failed to parse response: %v", err)
-	}
-	if resp["error"] != "force release requires admin-token auth" {
-		t.Fatalf("error = %v, want force release requires admin-token auth", resp["error"])
-	}
-}
-
-func TestWorkspaceDisplayControlAcquire_RejectsAgentImpersonation(t *testing.T) {
-	setupTestDB(t)
-	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "ws-display"}}
-	c.Request = httptest.NewRequest("POST", "/workspaces/ws-display/display/control/acquire", bytes.NewBufferString(`{"controller":"agent","ttl_seconds":300}`))
-	c.Request.Header.Set("Content-Type", "application/json")
-	attachDisplayControlAdminToken(t, c)
-
-	handler.AcquireDisplayControl(c)
-
-	if w.Code != http.StatusBadRequest {
-		t.Fatalf("expected status 400, got %d: %s", w.Code, w.Body.String())
-	}
-	var resp map[string]interface{}
-	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
-		t.Fatalf("failed to parse response: %v", err)
-	}
-	if resp["error"] != "browser callers may only acquire user display control" {
-		t.Fatalf("error = %v, want browser callers may only acquire user display control", resp["error"])
-	}
-}
@@ -128,7 +128,7 @@ func (h *WorkspaceHandler) provisionWorkspaceOpts(workspaceID, templatePath stri
 							workspaceID, filepath.Base(runtimeTemplate))
 						templatePath = runtimeTemplate
 						// Rebuild cfg with the recovered template path so Start() sees it.
-						cfg = h.buildProvisionerConfig(ctx, workspaceID, templatePath, configFiles, payload, prepared.EnvVars, prepared.PluginsPath)
+						cfg = h.buildProvisionerConfig(ctx, workspaceID, templatePath, configFiles, payload, prepared.EnvVars, prepared.PluginsPath, prepared.AwarenessNamespace)
 						cfg.ResetClaudeSession = resetClaudeSession
 						recovered = true
 						break
@@ -194,11 +194,10 @@ func (h *WorkspaceHandler) provisionWorkspaceOpts(workspaceID, templatePath stri
 // a ~64k context window worth of text — but small enough to prevent abuse.
 const maxMemoryContentLength = 100_000 // ~100 KiB of text

-func seedInitialMemories(ctx context.Context, workspaceID string, memories []models.MemorySeed) {
+func seedInitialMemories(ctx context.Context, workspaceID string, memories []models.MemorySeed, awarenessNamespace string) {
 	if len(memories) == 0 {
 		return
 	}
-	namespace := workspaceMemoryNamespace(workspaceID)
 	for _, mem := range memories {
 		scope := strings.ToUpper(mem.Scope)
 		if scope == "" {
@@ -224,27 +223,33 @@ func seedInitialMemories(ctx context.Context, workspaceID string, memories []mod
 		if _, err := db.DB.ExecContext(ctx, `
 			INSERT INTO agent_memories (workspace_id, content, scope, namespace)
 			VALUES ($1, $2, $3, $4)
-		`, workspaceID, redactedContent, scope, namespace); err != nil {
+		`, workspaceID, redactedContent, scope, awarenessNamespace); err != nil {
 			log.Printf("seedInitialMemories: failed to insert memory for %s (scope=%s): %v", workspaceID, scope, err)
 		}
 	}
 	log.Printf("seedInitialMemories: seeded %d memories for workspace %s", len(memories), workspaceID)
 }

-// workspaceMemoryNamespace returns the canonical v2 memory namespace
-// string for a workspace. Matches the form produced by
-// internal/memory/namespace/resolver.go for self-reads (issue #1735).
-func workspaceMemoryNamespace(workspaceID string) string {
+func workspaceAwarenessNamespace(workspaceID string) string {
 	return fmt.Sprintf("workspace:%s", workspaceID)
 }

+func (h *WorkspaceHandler) loadAwarenessNamespace(ctx context.Context, workspaceID string) string {
+	var awarenessNamespace string
+	err := db.DB.QueryRowContext(ctx, `SELECT COALESCE(awareness_namespace, '') FROM workspaces WHERE id = $1`, workspaceID).Scan(&awarenessNamespace)
+	if err != nil || awarenessNamespace == "" {
+		return workspaceAwarenessNamespace(workspaceID)
+	}
+	return awarenessNamespace
+}
+
 func (h *WorkspaceHandler) buildProvisionerConfig(
 	ctx context.Context,
 	workspaceID, templatePath string,
 	configFiles map[string][]byte,
 	payload models.CreateWorkspacePayload,
 	envVars map[string]string,
-	pluginsPath string,
+	pluginsPath, awarenessNamespace string,
 ) provisioner.WorkspaceConfig {
 	// Per-workspace workspace_dir takes priority over global WORKSPACE_DIR env var.
 	// If neither is set, the provisioner creates an isolated Docker volume.
@@ -283,18 +288,18 @@ func (h *WorkspaceHandler) buildProvisionerConfig(
 	}

 	return provisioner.WorkspaceConfig{
-		WorkspaceID:     workspaceID,
-		TemplatePath:    templatePath,
-		ConfigFiles:     configFiles,
-		PluginsPath:     pluginsPath,
-		WorkspacePath:   workspacePath,
-		WorkspaceAccess: workspaceAccess,
-		Tier:            payload.Tier,
-		Runtime:         payload.Runtime,
-		InstanceType:    payload.Compute.InstanceType,
-		DiskGB:          int32(payload.Compute.Volume.RootGB),
-		EnvVars:         envVars,
-		PlatformURL:     h.platformURL,
+		WorkspaceID:        workspaceID,
+		TemplatePath:       templatePath,
+		ConfigFiles:        configFiles,
+		PluginsPath:        pluginsPath,
+		WorkspacePath:      workspacePath,
+		WorkspaceAccess:    workspaceAccess,
+		Tier:               payload.Tier,
+		Runtime:            payload.Runtime,
+		EnvVars:            envVars,
+		PlatformURL:        h.platformURL,
+		AwarenessURL:       os.Getenv("AWARENESS_URL"),
+		AwarenessNamespace: awarenessNamespace,
 		// Image left empty — molecule-core's runtime_image_pins table (mig
 		// 047, dead reader removed by RFC internal#617 / task #335) was an
 		// aspirational SSOT that never received a writer. CP's
@@ -1013,3 +1018,4 @@ func (h *WorkspaceHandler) provisionWorkspaceCP(workspaceID, templatePath string

 	log.Printf("CPProvisioner: workspace %s started as machine %s via control plane", workspaceID, machineID)
 }
+
@@ -85,9 +85,10 @@ func readOrLazyHealInboundSecret(ctx context.Context, workspaceID, opLabel strin
 // prepareProvisionContext when the caller proceeds; nil + non-empty
 // abort message when the caller must mark the workspace failed.
 type preparedProvisionContext struct {
-	EnvVars     map[string]string
-	PluginsPath string
-	Config      provisioner.WorkspaceConfig
+	EnvVars            map[string]string
+	PluginsPath        string
+	AwarenessNamespace string
+	Config             provisioner.WorkspaceConfig
 }

 // provisionAbort describes why prepareProvisionContext refused to
@@ -169,6 +170,7 @@ func (h *WorkspaceHandler) prepareProvisionContext(
 	}

 	pluginsPath, _ := filepath.Abs(filepath.Join(h.configsDir, "..", "plugins"))
+	awarenessNamespace := h.loadAwarenessNamespace(ctx, workspaceID)

 	// Per-agent git identity (#1957) — must run after secret loads so
 	// a workspace_secret named GIT_AUTHOR_NAME can override.
@@ -229,13 +231,14 @@ func (h *WorkspaceHandler) prepareProvisionContext(
 		}
 	}

-	cfg := h.buildProvisionerConfig(ctx, workspaceID, templatePath, configFiles, payload, envVars, pluginsPath)
+	cfg := h.buildProvisionerConfig(ctx, workspaceID, templatePath, configFiles, payload, envVars, pluginsPath, awarenessNamespace)
 	cfg.ResetClaudeSession = resetClaudeSession

 	return &preparedProvisionContext{
-		EnvVars:     envVars,
-		PluginsPath: pluginsPath,
-		Config:      cfg,
+		EnvVars:            envVars,
+		PluginsPath:        pluginsPath,
+		AwarenessNamespace: awarenessNamespace,
+		Config:             cfg,
 	}, nil
 }

@@ -17,9 +17,9 @@ import (
 	"gopkg.in/yaml.v3"
 )

-// ==================== workspaceMemoryNamespace ====================
+// ==================== workspaceAwarenessNamespace ====================

-func TestWorkspaceMemoryNamespace(t *testing.T) {
+func TestWorkspaceAwarenessNamespace(t *testing.T) {
 	tests := []struct {
 		workspaceID string
 		expected    string
@@ -31,9 +31,9 @@ func TestWorkspaceMemoryNamespace(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.workspaceID, func(t *testing.T) {
-			result := workspaceMemoryNamespace(tt.workspaceID)
+			result := workspaceAwarenessNamespace(tt.workspaceID)
 			if result != tt.expected {
-				t.Errorf("workspaceMemoryNamespace(%q) = %q, want %q", tt.workspaceID, result, tt.expected)
+				t.Errorf("workspaceAwarenessNamespace(%q) = %q, want %q", tt.workspaceID, result, tt.expected)
 			}
 		})
 	}
@@ -645,7 +645,7 @@ func TestSeedInitialMemories_TruncatesOversizedContent(t *testing.T) {
 					WillReturnResult(sqlmock.NewResult(1, 1))
 			}

-			seedInitialMemories(context.Background(), workspaceID, memories)
+			seedInitialMemories(context.Background(), workspaceID, memories, "test-ns")

 			if err := mock.ExpectationsWereMet(); err != nil {
 				t.Errorf("unmet DB expectations: %v", err)
@@ -674,7 +674,7 @@ func TestSeedInitialMemories_RedactsSecrets(t *testing.T) {
 		WithArgs(workspaceID, wantRedacted, "LOCAL", sqlmock.AnyArg()).
 		WillReturnResult(sqlmock.NewResult(1, 1))

-	seedInitialMemories(context.Background(), workspaceID, memories)
+	seedInitialMemories(context.Background(), workspaceID, memories, "test-ns")

 	if err := mock.ExpectationsWereMet(); err != nil {
 		t.Errorf("unmet DB expectations: %v", err)
@@ -691,7 +691,7 @@ func TestSeedInitialMemories_InvalidScopeSkipped(t *testing.T) {
 		{Content: "this should be skipped", Scope: "NOT_A_REAL_SCOPE"},
 	}

-	seedInitialMemories(context.Background(), "ws-bad-scope", memories)
+	seedInitialMemories(context.Background(), "ws-bad-scope", memories, "test-ns")

 	if err := mock.ExpectationsWereMet(); err != nil {
 		t.Errorf("unexpected DB calls for invalid scope: %v", err)
@@ -704,7 +704,7 @@ func TestSeedInitialMemories_EmptyMemoriesNil(t *testing.T) {
 	mock := setupTestDB(t)
 	mock.ExpectationsWereMet()

-	seedInitialMemories(context.Background(), "ws-nil", nil)
+	seedInitialMemories(context.Background(), "ws-nil", nil, "test-ns")

 	if err := mock.ExpectationsWereMet(); err != nil {
 		t.Errorf("unexpected DB calls for nil slice: %v", err)
@@ -733,6 +733,7 @@ func TestBuildProvisionerConfig_BasicFields(t *testing.T) {
 		models.CreateWorkspacePayload{Tier: 1, Runtime: "langgraph"},
 		map[string]string{"API_KEY": "secret"},
 		pluginsPath,
+		"workspace:ws-basic",
 	)

 	if cfg.WorkspaceID != "ws-basic" {
@@ -747,6 +748,9 @@ func TestBuildProvisionerConfig_BasicFields(t *testing.T) {
 	if cfg.PlatformURL != "http://localhost:8080" {
 		t.Errorf("expected PlatformURL 'http://localhost:8080', got %q", cfg.PlatformURL)
 	}
+	if cfg.AwarenessNamespace != "workspace:ws-basic" {
+		t.Errorf("expected AwarenessNamespace 'workspace:ws-basic', got %q", cfg.AwarenessNamespace)
+	}
 	if cfg.PluginsPath != pluginsPath {
 		t.Errorf("expected PluginsPath %q, got %q", pluginsPath, cfg.PluginsPath)
 	}
@@ -771,6 +775,7 @@ func TestBuildProvisionerConfig_WorkspacePathFromEnv(t *testing.T) {

 	workspaceDir := t.TempDir()
 	t.Setenv("WORKSPACE_DIR", workspaceDir)
+	t.Setenv("AWARENESS_URL", "http://awareness:37800")

 	pluginsPath := t.TempDir()
 	cfg := handler.buildProvisionerConfig(
@@ -781,11 +786,15 @@ func TestBuildProvisionerConfig_WorkspacePathFromEnv(t *testing.T) {
 		models.CreateWorkspacePayload{Tier: 2, Runtime: "claude-code"},
 		nil,
 		pluginsPath,
+		"workspace:ws-env",
 	)

 	if cfg.WorkspacePath != workspaceDir {
 		t.Errorf("expected WorkspacePath from env, got %q", cfg.WorkspacePath)
 	}
+	if cfg.AwarenessURL != "http://awareness:37800" {
+		t.Errorf("expected AwarenessURL from env, got %q", cfg.AwarenessURL)
+	}
 }

 // ==================== issueAndInjectToken (issue #418) ====================
@@ -797,8 +806,6 @@ func TestIssueAndInjectToken_HappyPath(t *testing.T) {
 	mock := setupTestDB(t)
 	broadcaster := newTestBroadcaster()
 	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
-	t.Setenv("MOLECULE_ORG_ID", "")
-	t.Setenv("MOLECULE_DEPLOY_MODE", "self-hosted")

 	// RevokeAllForWorkspace UPDATE (0 rows — no prior tokens, still succeeds)
 	mock.ExpectExec(`UPDATE workspace_auth_tokens SET revoked_at`).
@@ -836,8 +843,6 @@ func TestIssueAndInjectToken_RotatesExistingToken(t *testing.T) {
 	mock := setupTestDB(t)
 	broadcaster := newTestBroadcaster()
 	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
-	t.Setenv("MOLECULE_ORG_ID", "")
-	t.Setenv("MOLECULE_DEPLOY_MODE", "self-hosted")

 	// RevokeAllForWorkspace: 1 existing token revoked
 	mock.ExpectExec(`UPDATE workspace_auth_tokens SET revoked_at`).
@@ -904,8 +909,6 @@ func TestIssueAndInjectToken_IssueFailSkipsInjection(t *testing.T) {
 	mock := setupTestDB(t)
 	broadcaster := newTestBroadcaster()
 	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
-	t.Setenv("MOLECULE_ORG_ID", "")
-	t.Setenv("MOLECULE_DEPLOY_MODE", "self-hosted")

 	mock.ExpectExec(`UPDATE workspace_auth_tokens SET revoked_at`).
 		WithArgs("ws-418-issue-fail").
@@ -932,8 +935,6 @@ func TestIssueAndInjectToken_NilConfigFilesAllocated(t *testing.T) {
 	mock := setupTestDB(t)
 	broadcaster := newTestBroadcaster()
 	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
-	t.Setenv("MOLECULE_ORG_ID", "")
-	t.Setenv("MOLECULE_DEPLOY_MODE", "self-hosted")

 	mock.ExpectExec(`UPDATE workspace_auth_tokens SET revoked_at`).
 		WithArgs("ws-418-nil-cfg").
@@ -998,7 +999,7 @@ func TestSeedInitialMemories_Truncation(t *testing.T) {
 		WithArgs(sqlmock.AnyArg(), expectTruncated, "LOCAL", sqlmock.AnyArg()).
 		WillReturnResult(sqlmock.NewResult(0, 1))

-	seedInitialMemories(context.Background(), "ws-1066-test", memories)
+	seedInitialMemories(context.Background(), "ws-1066-test", memories, "test-ns")

 	if err := mock.ExpectationsWereMet(); err != nil {
 		t.Errorf("DB expectations not met: %v\n"+
@@ -1018,7 +1019,7 @@ func TestSeedInitialMemories_ContentUnderLimit(t *testing.T) {
 		WithArgs(sqlmock.AnyArg(), "short content", "TEAM", sqlmock.AnyArg()).
 		WillReturnResult(sqlmock.NewResult(0, 1))

-	seedInitialMemories(context.Background(), "ws-1066-under", memories)
+	seedInitialMemories(context.Background(), "ws-1066-under", memories, "test-ns")

 	if err := mock.ExpectationsWereMet(); err != nil {
 		t.Errorf("DB expectations not met: %v", err)
@@ -1043,7 +1044,7 @@ func TestSeedInitialMemories_ExactlyAtLimit(t *testing.T) {
 		WithArgs(sqlmock.AnyArg(), atLimitContent, "LOCAL", sqlmock.AnyArg()).
 		WillReturnResult(sqlmock.NewResult(0, 1))

-	seedInitialMemories(context.Background(), "ws-boundary", memories)
+	seedInitialMemories(context.Background(), "ws-boundary", memories, "test-ns")

 	if err := mock.ExpectationsWereMet(); err != nil {
 		t.Errorf("DB expectations not met: %v", err)
@@ -1059,7 +1060,7 @@ func TestSeedInitialMemories_EmptyContent(t *testing.T) {
 	}

 	// seedInitialMemories skips empty content at line 234 — no DB call expected.
-	seedInitialMemories(context.Background(), "ws-empty", memories)
+	seedInitialMemories(context.Background(), "ws-empty", memories, "test-ns")

 	if err := mock.ExpectationsWereMet(); err != nil {
 		t.Errorf("DB expectations not met: %v", err)
@@ -1083,7 +1084,7 @@ func TestSeedInitialMemories_OversizedWithSecrets(t *testing.T) {
 		WithArgs(sqlmock.AnyArg(), sqlmock.AnyArg(), "GLOBAL", sqlmock.AnyArg()).
 		WillReturnResult(sqlmock.NewResult(0, 1))

-	seedInitialMemories(context.Background(), "ws-secrets", memories)
+	seedInitialMemories(context.Background(), "ws-secrets", memories, "test-ns")

 	if err := mock.ExpectationsWereMet(); err != nil {
 		t.Errorf("DB expectations not met: %v", err)
@@ -164,7 +164,7 @@ func (h *WorkspaceHandler) maybeRestartAfterFileWrite(workspaceID string) {
 // isRestarting reports whether a restart cycle is currently in flight for
 // the workspace. Callers that have their own "container looks dead" probe
 // MUST consult this before triggering a restart, because during the
-// 20-30s EC2-pending window the workspace's url=” and IsRunning()=false
+// 20-30s EC2-pending window the workspace's url='' and IsRunning()=false
 // looks identical to a dead container — and any restart-triggering probe
 // (maybeMarkContainerDead from canvas /delegations poll, or the trailing
 // restart-context probe at the end of runRestartCycle) will set
@@ -337,7 +337,7 @@ func (h *WorkspaceHandler) Restart(c *gin.Context) {
 	}

 	var configFiles map[string][]byte
-	payload := withStoredCompute(ctx, id, models.CreateWorkspacePayload{Name: wsName, Tier: tier, Runtime: containerRuntime})
+	payload := models.CreateWorkspacePayload{Name: wsName, Tier: tier, Runtime: containerRuntime}
 	log.Printf("Restart: workspace %s (%s) runtime=%q", wsName, id, containerRuntime)

 	// #12: ?reset=true (or body.Reset) discards the claude-sessions volume
@@ -791,7 +791,7 @@ func (h *WorkspaceHandler) runRestartCycle(workspaceID string) {
 	})

 	// Runtime from DB — no more config file parsing
-	payload := withStoredCompute(ctx, workspaceID, models.CreateWorkspacePayload{Name: wsName, Tier: tier, Runtime: dbRuntime})
+	payload := models.CreateWorkspacePayload{Name: wsName, Tier: tier, Runtime: dbRuntime}

 	// Snapshot restart-context data before the new session overwrites
 	// last_heartbeat_at. Issue #19 Layer 1.
@@ -858,9 +858,6 @@ func (h *WorkspaceHandler) Pause(c *gin.Context) {
 				toPause = append(toPause, struct{ id, name string }{cid, cname})
 			}
 		}
-		if err := rows.Err(); err != nil {
-			log.Printf("Pause: descendant query rows.Err: %v", err)
-		}
 	}

 	// Stop containers and mark all as paused. StopWorkspaceAuto routes
@@ -942,9 +939,6 @@ func (h *WorkspaceHandler) Resume(c *gin.Context) {
 				toResume = append(toResume, ws)
 			}
 		}
-		if err := rows.Err(); err != nil {
-			log.Printf("Resume: descendant query rows.Err: %v", err)
-		}
 	}

 	// Re-provision all
@@ -954,7 +948,7 @@ func (h *WorkspaceHandler) Resume(c *gin.Context) {
 		h.broadcaster.RecordAndBroadcast(ctx, string(events.EventWorkspaceProvisioning), ws.id, map[string]interface{}{
 			"name": ws.name, "tier": ws.tier, "runtime": ws.runtime,
 		})
-		payload := withStoredCompute(ctx, ws.id, models.CreateWorkspacePayload{Name: ws.name, Tier: ws.tier, Runtime: ws.runtime})
+		payload := models.CreateWorkspacePayload{Name: ws.name, Tier: ws.tier, Runtime: ws.runtime}
 		// Resume is provision-only (workspace is paused, no live container
 		// to stop). provisionWorkspaceAuto handles backend routing and the
 		// no-backend mark-failed fallback identically to Create. Pre-
@@ -29,7 +29,7 @@ func TestWorkspaceGet_Success(t *testing.T) {
 		"parent_id", "active_tasks", "max_concurrent_tasks", "last_error_rate", "last_sample_error",
 		"uptime_seconds", "current_task", "runtime", "workspace_dir", "x", "y", "collapsed",
 		"budget_limit", "monthly_spend",
-		"broadcast_enabled", "talk_to_user_enabled", "compute",
+		"broadcast_enabled", "talk_to_user_enabled",
 	}
 	mock.ExpectQuery("SELECT w.id, w.name").
 		WithArgs("cccccccc-0001-0000-0000-000000000000").
@@ -37,7 +37,7 @@ func TestWorkspaceGet_Success(t *testing.T) {
 			AddRow("cccccccc-0001-0000-0000-000000000000", "My Agent", "worker", 1, "online", []byte(`{"name":"test"}`),
 				"http://localhost:8001", nil, 2, 1, 0.05, "", 3600, "working", "langgraph",
 				"", 10.0, 20.0, false,
-				nil, 0, false, true, []byte(`{}`)))
+				nil, 0, false, true))

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -119,7 +119,7 @@ func TestWorkspaceGet_RemovedReturns410(t *testing.T) {
 		"parent_id", "active_tasks", "max_concurrent_tasks", "last_error_rate", "last_sample_error",
 		"uptime_seconds", "current_task", "runtime", "workspace_dir", "x", "y", "collapsed",
 		"budget_limit", "monthly_spend",
-		"broadcast_enabled", "talk_to_user_enabled", "compute",
+		"broadcast_enabled", "talk_to_user_enabled",
 	}
 	mock.ExpectQuery("SELECT w.id, w.name").
 		WithArgs(id).
@@ -127,7 +127,7 @@ func TestWorkspaceGet_RemovedReturns410(t *testing.T) {
 			AddRow(id, "Old Agent", "worker", 1, string(models.StatusRemoved), []byte(`null`),
 				"", nil, 0, 1, 0.0, "", 0, "", "langgraph",
 				"", 0.0, 0.0, false,
-				nil, 0, false, true, []byte(`{}`)))
+				nil, 0, false, true))
 	mock.ExpectQuery(`SELECT updated_at FROM workspaces`).
 		WithArgs(id).
 		WillReturnRows(sqlmock.NewRows([]string{"updated_at"}).AddRow(removedAt))
@@ -183,7 +183,7 @@ func TestWorkspaceGet_RemovedReturns410WithNullRemovedAtOnTimestampFetchFailure(
 		"parent_id", "active_tasks", "max_concurrent_tasks", "last_error_rate", "last_sample_error",
 		"uptime_seconds", "current_task", "runtime", "workspace_dir", "x", "y", "collapsed",
 		"budget_limit", "monthly_spend",
-		"broadcast_enabled", "talk_to_user_enabled", "compute",
+		"broadcast_enabled", "talk_to_user_enabled",
 	}
 	mock.ExpectQuery("SELECT w.id, w.name").
 		WithArgs(id).
@@ -191,7 +191,7 @@ func TestWorkspaceGet_RemovedReturns410WithNullRemovedAtOnTimestampFetchFailure(
 			AddRow(id, "Vanished", "worker", 1, string(models.StatusRemoved), []byte(`null`),
 				"", nil, 0, 1, 0.0, "", 0, "", "langgraph",
 				"", 0.0, 0.0, false,
-				nil, 0, false, true, []byte(`{}`)))
+				nil, 0, false, true))
 	// Simulate the row vanishing between the two queries.
 	mock.ExpectQuery(`SELECT updated_at FROM workspaces`).
 		WithArgs(id).
@@ -246,7 +246,7 @@ func TestWorkspaceGet_RemovedWithIncludeQueryReturns200(t *testing.T) {
 		"parent_id", "active_tasks", "max_concurrent_tasks", "last_error_rate", "last_sample_error",
 		"uptime_seconds", "current_task", "runtime", "workspace_dir", "x", "y", "collapsed",
 		"budget_limit", "monthly_spend",
-		"broadcast_enabled", "talk_to_user_enabled", "compute",
+		"broadcast_enabled", "talk_to_user_enabled",
 	}
 	mock.ExpectQuery("SELECT w.id, w.name").
 		WithArgs(id).
@@ -254,7 +254,7 @@ func TestWorkspaceGet_RemovedWithIncludeQueryReturns200(t *testing.T) {
 			AddRow(id, "Audit Agent", "worker", 1, string(models.StatusRemoved), []byte(`null`),
 				"", nil, 0, 1, 0.0, "", 0, "", "langgraph",
 				"", 0.0, 0.0, false,
-				nil, 0, false, true, []byte(`{}`)))
+				nil, 0, false, true))
 	// last_outbound_at follow-up query (existing path)
 	mock.ExpectQuery(`SELECT last_outbound_at FROM workspaces`).
 		WithArgs(id).
@@ -342,7 +342,7 @@ func TestWorkspaceCreate_DBInsertError(t *testing.T) {
 	// Transaction begins, workspace INSERT fails, transaction is rolled back.
 	mock.ExpectBegin()
 	mock.ExpectExec("INSERT INTO workspaces").
-		WithArgs(sqlmock.AnyArg(), "Failing Agent", nil, 3, "langgraph", (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+		WithArgs(sqlmock.AnyArg(), "Failing Agent", nil, 3, "langgraph", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
 		WillReturnError(sql.ErrConnDone)
 	mock.ExpectRollback()

@@ -375,7 +375,7 @@ func TestWorkspaceCreate_DefaultsApplied(t *testing.T) {
 	// Expect workspace INSERT with defaulted tier=3 (Privileged — the
 	// handler default in workspace.go), runtime="langgraph"
 	mock.ExpectExec("INSERT INTO workspaces").
-		WithArgs(sqlmock.AnyArg(), "Default Agent", nil, 3, "langgraph", (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+		WithArgs(sqlmock.AnyArg(), "Default Agent", nil, 3, "langgraph", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectCommit()

@@ -423,7 +423,7 @@ func TestWorkspaceCreate_SaaSHardForcesTier4(t *testing.T) {

 	mock.ExpectBegin()
 	mock.ExpectExec("INSERT INTO workspaces").
-		WithArgs(sqlmock.AnyArg(), "SaaS External Agent", nil, 4, "external", (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+		WithArgs(sqlmock.AnyArg(), "SaaS External Agent", nil, 4, "external", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectCommit()
 	mock.ExpectExec("INSERT INTO canvas_layouts").
@@ -464,7 +464,7 @@ func TestWorkspaceCreate_WithSecrets_Persists(t *testing.T) {

 	mock.ExpectBegin()
 	mock.ExpectExec("INSERT INTO workspaces").
-		WithArgs(sqlmock.AnyArg(), "Hermes Agent", nil, 3, "hermes", (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+		WithArgs(sqlmock.AnyArg(), "Hermes Agent", nil, 3, "hermes", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	// Secret inserted inside the same transaction.
 	mock.ExpectExec("INSERT INTO workspace_secrets").
@@ -576,7 +576,7 @@ func TestWorkspaceCreate_ExternalURL_SSRFSafe(t *testing.T) {

 	mock.ExpectBegin()
 	mock.ExpectExec("INSERT INTO workspaces").
-		WithArgs(sqlmock.AnyArg(), "Ext Agent", nil, 3, "external", (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+		WithArgs(sqlmock.AnyArg(), "Ext Agent", nil, 3, "external", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectCommit()
 	// External URL update (localhost is explicitly allowed by validateAgentURL).
@@ -615,7 +615,7 @@ func TestWorkspaceCreate_KimiRuntime_PreservesLabel(t *testing.T) {

 	mock.ExpectBegin()
 	mock.ExpectExec("INSERT INTO workspaces").
-		WithArgs(sqlmock.AnyArg(), "Kimi Agent", nil, 3, "kimi", (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+		WithArgs(sqlmock.AnyArg(), "Kimi Agent", nil, 3, "kimi", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectCommit()
 	// Pre-register flow: awaiting_agent + runtime preserved as "kimi"
@@ -718,7 +718,7 @@ func TestWorkspaceList_Empty(t *testing.T) {
 			"parent_id", "active_tasks", "last_error_rate", "last_sample_error",
 			"uptime_seconds", "current_task", "runtime", "workspace_dir", "x", "y", "collapsed",
 			"budget_limit", "monthly_spend",
-			"broadcast_enabled", "talk_to_user_enabled", "compute",
+			"broadcast_enabled", "talk_to_user_enabled",
 		}))

 	w := httptest.NewRecorder()
@@ -1422,7 +1422,7 @@ func TestWorkspaceGet_FinancialFieldsStripped(t *testing.T) {
 		"parent_id", "active_tasks", "max_concurrent_tasks", "last_error_rate", "last_sample_error",
 		"uptime_seconds", "current_task", "runtime", "workspace_dir", "x", "y", "collapsed",
 		"budget_limit", "monthly_spend",
-		"broadcast_enabled", "talk_to_user_enabled", "compute",
+		"broadcast_enabled", "talk_to_user_enabled",
 	}
 	// Populate with non-zero financial values to confirm they are stripped.
 	mock.ExpectQuery("SELECT w.id, w.name").
@@ -1431,7 +1431,7 @@ func TestWorkspaceGet_FinancialFieldsStripped(t *testing.T) {
 			AddRow("cccccccc-0010-0000-0000-000000000000", "Finance Test", "worker", 1, "online", []byte(`{}`),
 				"http://localhost:9001", nil, 0, 1, 0.0, "", 0, "", "langgraph",
 				"", 0.0, 0.0, false,
-				int64(50000), int64(12500), false, true, []byte(`{}`))) // budget_limit=500 USD, spend=125 USD
+				int64(50000), int64(12500), false, true)) // budget_limit=500 USD, spend=125 USD

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -1479,7 +1479,7 @@ func TestWorkspaceGet_SensitiveFieldsStripped(t *testing.T) {
 		"parent_id", "active_tasks", "max_concurrent_tasks", "last_error_rate", "last_sample_error",
 		"uptime_seconds", "current_task", "runtime", "workspace_dir", "x", "y", "collapsed",
 		"budget_limit", "monthly_spend",
-		"broadcast_enabled", "talk_to_user_enabled", "compute",
+		"broadcast_enabled", "talk_to_user_enabled",
 	}
 	mock.ExpectQuery("SELECT w.id, w.name").
 		WithArgs("cccccccc-0955-0000-0000-000000000000").
@@ -1492,7 +1492,7 @@ func TestWorkspaceGet_SensitiveFieldsStripped(t *testing.T) {
 				"langgraph",
 				"/home/user/secret-projects/client-work",
 				0.0, 0.0, false,
-				nil, 0, false, true, []byte(`{}`)))
+				nil, 0, false, true))

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -1639,7 +1639,7 @@ runtime_config:
 	mock.ExpectExec("INSERT INTO workspaces").
 		WithArgs(
 			sqlmock.AnyArg(), "Hermes Agent", nil, 3, "hermes",
-			(*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+			sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectCommit()
 	mock.ExpectExec("INSERT INTO canvas_layouts").
@@ -1696,7 +1696,7 @@ model: anthropic:claude-sonnet-4-5
 	mock.ExpectExec("INSERT INTO workspaces").
 		WithArgs(
 			sqlmock.AnyArg(), "Legacy Agent", nil, 3, "langgraph",
-			(*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+			sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectCommit()
 	mock.ExpectExec("INSERT INTO canvas_layouts").
@@ -1749,7 +1749,7 @@ runtime_config:
 	mock.ExpectExec("INSERT INTO workspaces").
 		WithArgs(
 			sqlmock.AnyArg(), "Custom Hermes", nil, 3, "hermes",
-			(*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+			sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectCommit()
 	mock.ExpectExec("INSERT INTO canvas_layouts").
@@ -1894,7 +1894,7 @@ func TestWorkspaceCreate_188_ExplicitRuntimeNoTemplate_OK(t *testing.T) {

 	mock.ExpectBegin()
 	mock.ExpectExec("INSERT INTO workspaces").
-		WithArgs(sqlmock.AnyArg(), "Explicit Codex", nil, 3, "codex", (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+		WithArgs(sqlmock.AnyArg(), "Explicit Codex", nil, 3, "codex", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectCommit()
 	mock.ExpectExec("INSERT INTO canvas_layouts").
@@ -329,13 +329,7 @@ func (c *Client) doJSON(ctx context.Context, method, path string, reqBody interf

 func decodeError(resp *http.Response) error {
 	var e contract.Error
-	body, readErr := io.ReadAll(resp.Body)
-	if readErr != nil {
-		return &contract.Error{
-			Code:    httpStatusToCode(resp.StatusCode),
-			Message: fmt.Sprintf("status %d (read body failed: %v)", resp.StatusCode, readErr),
-		}
-	}
+	body, _ := io.ReadAll(resp.Body)
 	if len(body) == 0 {
 		return &contract.Error{
 			Code:    httpStatusToCode(resp.StatusCode),
@@ -3,7 +3,6 @@ package pgplugin
 import (
 	"encoding/json"
 	"errors"
-	"log"
 	"net/http"
 	"strings"

@@ -247,9 +246,7 @@ func (h *Handler) forget(w http.ResponseWriter, r *http.Request, id string) {
 func writeJSON(w http.ResponseWriter, status int, body interface{}) {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(status)
-	if err := json.NewEncoder(w).Encode(body); err != nil {
-		log.Printf("pgplugin: JSON encode error: %v", err)
-	}
+	_ = json.NewEncoder(w).Encode(body)
 }

 func writeError(w http.ResponseWriter, status int, code contract.ErrorCode, message string, details map[string]interface{}) {
@@ -256,7 +256,6 @@ func TestWorkspaceAuth_WrongWorkspace_Returns401(t *testing.T) {
 // live tokens anywhere) the middleware must let the request through so existing
 // deployments keep working during the Phase-30 rollout.
 func TestAdminAuth_FailOpen_NoTokensGlobally(t *testing.T) {
-	t.Setenv("ADMIN_TOKEN", "")
 	mockDB, mock, err := sqlmock.New()
 	if err != nil {
 		t.Fatalf("sqlmock.New: %v", err)
@@ -376,7 +375,6 @@ func TestAdminAuth_C11_DeleteNoBearer_Returns401(t *testing.T) {
 // TestAdminAuth_ValidBearer_Passes — a valid bearer token (from any workspace)
 // must be accepted for admin routes.
 func TestAdminAuth_ValidBearer_Passes(t *testing.T) {
-	t.Setenv("ADMIN_TOKEN", "")
 	mockDB, mock, err := sqlmock.New()
 	if err != nil {
 		t.Fatalf("sqlmock.New: %v", err)
@@ -420,7 +418,6 @@ func TestAdminAuth_ValidBearer_Passes(t *testing.T) {

 // TestAdminAuth_InvalidBearer_Returns401 — wrong token must not grant admin access.
 func TestAdminAuth_InvalidBearer_Returns401(t *testing.T) {
-	t.Setenv("ADMIN_TOKEN", "")
 	mockDB, mock, err := sqlmock.New()
 	if err != nil {
 		t.Fatalf("sqlmock.New: %v", err)
@@ -703,7 +700,6 @@ func TestAdminAuth_Issue180_ApprovalsListing_NoBearer_Returns401(t *testing.T) {
 // fail-open contract: on a fresh install (no tokens anywhere), the middleware
 // must not block the canvas from polling /approvals/pending.
 func TestAdminAuth_Issue180_ApprovalsListing_FailOpen_NoTokens(t *testing.T) {
-	t.Setenv("ADMIN_TOKEN", "")
 	mockDB, mock, err := sqlmock.New()
 	if err != nil {
 		t.Fatalf("sqlmock.New: %v", err)
@@ -1102,7 +1098,6 @@ func TestCanvasOrBearer_TokensExist_CanvasOrigin_Passes(t *testing.T) {
 // issuing workspace has status='removed' must not grant admin access.
 // The JOIN in ValidateAnyToken filters the row out, resulting in ErrNoRows.
 func TestAdminAuth_RemovedWorkspaceToken_Returns401(t *testing.T) {
-	t.Setenv("ADMIN_TOKEN", "")
 	mockDB, mock, err := sqlmock.New()
 	if err != nil {
 		t.Fatalf("sqlmock.New: %v", err)
@@ -1256,7 +1251,6 @@ func TestAdminAuth_623_ForgedCORSOrigin_Returns401(t *testing.T) {
 // TestAdminAuth_623_ValidBearer_WithOrigin_Passes — bearer + matching Origin
 // should still work (the Origin is irrelevant once the bearer validates).
 func TestAdminAuth_623_ValidBearer_WithOrigin_Passes(t *testing.T) {
-	t.Setenv("ADMIN_TOKEN", "")
 	mockDB, mock, err := sqlmock.New()
 	if err != nil {
 		t.Fatalf("sqlmock: %v", err)
@@ -17,6 +17,7 @@ type Workspace struct {
 	Name               string          `json:"name" db:"name"`
 	Role               sql.NullString  `json:"role" db:"role"`
 	Tier               int             `json:"tier" db:"tier"`
+	AwarenessNamespace sql.NullString  `json:"awareness_namespace" db:"awareness_namespace"`
 	Status             string          `json:"status" db:"status"`
 	SourceBundleID     sql.NullString  `json:"source_bundle_id" db:"source_bundle_id"`
 	AgentCard          json.RawMessage `json:"agent_card" db:"agent_card"`
@@ -34,16 +35,16 @@ type Workspace struct {
 	// DeliveryMode: "push" (synchronous to URL — default) or "poll" (logged
 	// to activity_logs, agent reads via GET /activity?since_id=). See
 	// migration 045 + RFC #2339.
-	DeliveryMode string `json:"delivery_mode" db:"delivery_mode"`
+	DeliveryMode       string          `json:"delivery_mode" db:"delivery_mode"`
 	// BroadcastEnabled: when true the workspace may call POST /broadcast to
 	// deliver a message to all non-removed agent workspaces in the org.
 	// Default false — only privileged orchestrators should hold this ability.
-	BroadcastEnabled bool `json:"broadcast_enabled" db:"broadcast_enabled"`
+	BroadcastEnabled   bool            `json:"broadcast_enabled" db:"broadcast_enabled"`
 	// TalkToUserEnabled: when false the workspace's send_message_to_user calls
 	// and POST /notify requests are rejected with HTTP 403 so the agent is
 	// forced to route updates through a parent workspace. Default true
 	// (preserves existing behaviour for all workspaces).
-	TalkToUserEnabled bool `json:"talk_to_user_enabled" db:"talk_to_user_enabled"`
+	TalkToUserEnabled  bool            `json:"talk_to_user_enabled" db:"talk_to_user_enabled"`
 	// Canvas layout fields (from JOIN)
 	X         float64 `json:"x"`
 	Y         float64 `json:"y"`
@@ -70,12 +71,12 @@ type RegisterPayload struct {
 	// enforces the conditional requirement based on the resolved
 	// delivery mode (payload value, falling back to the row's existing
 	// value, falling back to "push").
-	URL       string          `json:"url"`
-	AgentCard json.RawMessage `json:"agent_card" binding:"required"`
+	URL          string          `json:"url"`
+	AgentCard    json.RawMessage `json:"agent_card" binding:"required"`
 	// DeliveryMode is optional. Empty string means "keep the existing
 	// value on the workspace row, or default to push for new rows".
 	// When set, must be one of DeliveryModePush / DeliveryModePoll.
-	DeliveryMode string `json:"delivery_mode,omitempty"`
+	DeliveryMode string          `json:"delivery_mode,omitempty"`
 }

 type HeartbeatPayload struct {
@@ -153,36 +154,19 @@ type MemorySeed struct {
 	Scope   string `json:"scope" yaml:"scope"` // LOCAL, TEAM, GLOBAL
 }

-type WorkspaceComputeVolume struct {
-	RootGB int `json:"root_gb,omitempty"`
-}
-
-type WorkspaceComputeDisplay struct {
-	Mode     string `json:"mode,omitempty"`
-	Width    int    `json:"width,omitempty"`
-	Height   int    `json:"height,omitempty"`
-	Protocol string `json:"protocol,omitempty"`
-}
-
-type WorkspaceCompute struct {
-	InstanceType string                  `json:"instance_type,omitempty"`
-	Volume       WorkspaceComputeVolume  `json:"volume,omitempty"`
-	Display      WorkspaceComputeDisplay `json:"display,omitempty"`
-}
-
 type CreateWorkspacePayload struct {
-	Name     string `json:"name" binding:"required"`
-	Role     string `json:"role"`
-	Template string `json:"template"` // workspace-configs-templates folder name
-	Tier     int    `json:"tier"`
-	Model    string `json:"model"`
-	Runtime  string `json:"runtime"`  // "langgraph" (default), "claude-code", etc.
-	External bool   `json:"external"` // true = no Docker container, just a registered URL
-	URL      string `json:"url"`      // for external workspaces: the A2A endpoint URL (push mode only — omit for poll)
+	Name     string  `json:"name" binding:"required"`
+	Role     string  `json:"role"`
+	Template string  `json:"template"` // workspace-configs-templates folder name
+	Tier     int     `json:"tier"`
+	Model    string  `json:"model"`
+	Runtime      string  `json:"runtime"`       // "langgraph" (default), "claude-code", etc.
+	External     bool    `json:"external"`      // true = no Docker container, just a registered URL
+	URL          string  `json:"url"`           // for external workspaces: the A2A endpoint URL (push mode only — omit for poll)
 	// DeliveryMode: "push" (default) sends inbound A2A to URL synchronously;
 	// "poll" records inbound to activity_logs for the agent to consume via
 	// GET /activity?since_id=. Poll mode does not require a URL. See #2339.
-	DeliveryMode    string  `json:"delivery_mode,omitempty"`
+	DeliveryMode string  `json:"delivery_mode,omitempty"`
 	WorkspaceDir    string  `json:"workspace_dir"`    // host path to mount as /workspace (empty = isolated volume)
 	WorkspaceAccess string  `json:"workspace_access"` // "none" (default), "read_only", or "read_write" — see #65
 	ParentID        *string `json:"parent_id"`
@@ -196,18 +180,13 @@ type CreateWorkspacePayload struct {
 	// MaxConcurrentTasks caps parallel A2A + cron dispatch. 0 means use
 	// DefaultMaxConcurrentTasks. Leaders typically set 3.
 	MaxConcurrentTasks int `json:"max_concurrent_tasks"`
-	// Compute is the product-facing per-workspace EC2 shape/display
-	// contract. Phase 1 uses instance_type + volume.root_gb and persists
-	// display for future desktop-control workspaces.
-	Compute WorkspaceCompute `json:"compute,omitempty"`
-	Canvas  struct {
+	Canvas   struct {
 		X float64 `json:"x"`
 		Y float64 `json:"y"`
 	} `json:"canvas"`
 	// InitialMemories is an optional list of memories to seed into the
 	// workspace immediately after creation. Each entry is inserted into
-	// agent_memories under the workspace's v2 memory namespace
-	// ("workspace:<id>"). Issue #1050.
+	// agent_memories with the workspace's awareness namespace. Issue #1050.
 	InitialMemories []MemorySeed `json:"initial_memories"`
 }

@@ -152,14 +152,12 @@ func (p *CPProvisioner) adminAuthHeaders(req *http.Request) {
 }

 type cpProvisionRequest struct {
-	OrgID        string            `json:"org_id"`
-	WorkspaceID  string            `json:"workspace_id"`
-	Runtime      string            `json:"runtime"`
-	Tier         int               `json:"tier"`
-	InstanceType string            `json:"instance_type,omitempty"`
-	DiskGB       int32             `json:"disk_gb,omitempty"`
-	PlatformURL  string            `json:"platform_url"`
-	Env          map[string]string `json:"env"`
+	OrgID       string            `json:"org_id"`
+	WorkspaceID string            `json:"workspace_id"`
+	Runtime     string            `json:"runtime"`
+	Tier        int               `json:"tier"`
+	PlatformURL string            `json:"platform_url"`
+	Env         map[string]string `json:"env"`
 	// ConfigFiles are template + generated config files to write into the
 	// EC2 instance's /configs directory. OFFSEC-010: collected by
 	// collectCPConfigFiles which rejects symlinks and non-regular files
@@ -208,15 +206,13 @@ func (p *CPProvisioner) Start(ctx context.Context, cfg WorkspaceConfig) (string,
 	}

 	req := cpProvisionRequest{
-		OrgID:        p.orgID,
-		WorkspaceID:  cfg.WorkspaceID,
-		Runtime:      cfg.Runtime,
-		Tier:         cfg.Tier,
-		InstanceType: cfg.InstanceType,
-		DiskGB:       cfg.DiskGB,
-		PlatformURL:  cfg.PlatformURL,
-		Env:          env,
-		ConfigFiles:  configFiles,
+		OrgID:       p.orgID,
+		WorkspaceID: cfg.WorkspaceID,
+		Runtime:     cfg.Runtime,
+		Tier:        cfg.Tier,
+		PlatformURL: cfg.PlatformURL,
+		Env:         env,
+		ConfigFiles: configFiles,
 	}

 	body, err := json.Marshal(req)
@@ -241,12 +237,9 @@ func (p *CPProvisioner) Start(ctx context.Context, cfg WorkspaceConfig) (string,
 	// Cap body read at 64 KiB — the CP only ever returns small JSON
 	// responses; an unbounded read could be weaponized into log-flood
 	// DoS by a compromised upstream.
-	respBody, readErr := io.ReadAll(io.LimitReader(resp.Body, 64<<10))
-	if readErr != nil {
-		return "", fmt.Errorf("cp provisioner: read response body: %w", readErr)
-	}
+	respBody, _ := io.ReadAll(io.LimitReader(resp.Body, 64<<10))
 	var result cpProvisionResponse
-	unmarshalErr := json.Unmarshal(respBody, &result)
+	json.Unmarshal(respBody, &result)

 	if resp.StatusCode != http.StatusCreated {
 		// Prefer the structured {"error":"..."} field. Do NOT fall back
@@ -260,10 +253,6 @@ func (p *CPProvisioner) Start(ctx context.Context, cfg WorkspaceConfig) (string,
 		return "", fmt.Errorf("cp provisioner: provision failed (%d): %s", resp.StatusCode, errMsg)
 	}

-	if unmarshalErr != nil {
-		return "", fmt.Errorf("cp provisioner: decode 201 response: %w", unmarshalErr)
-	}
-
 	log.Printf("CP provisioner: workspace %s → EC2 instance %s (%s)", cfg.WorkspaceID, result.InstanceID, result.State)
 	provlog.Event("provision.ec2_started", map[string]any{
 		"workspace_id": cfg.WorkspaceID,
@@ -416,11 +405,7 @@ func (p *CPProvisioner) Stop(ctx context.Context, workspaceID string) error {
 		// Read a bounded slice of the body so the error message gives ops
 		// enough to triage without risking a multi-MB log line on a
 		// pathological response. 512 bytes covers any sane error envelope.
-		body, readErr := io.ReadAll(io.LimitReader(resp.Body, 512))
-		if readErr != nil {
-			return fmt.Errorf("cp provisioner: stop %s: unexpected %d (read body failed: %w)",
-				workspaceID, resp.StatusCode, readErr)
-		}
+		body, _ := io.ReadAll(io.LimitReader(resp.Body, 512))
 		return fmt.Errorf("cp provisioner: stop %s: unexpected %d: %s",
 			workspaceID, resp.StatusCode, strings.TrimSpace(string(body)))
 	}
@@ -191,12 +191,6 @@ func TestStart_HappyPath(t *testing.T) {
 		if body.WorkspaceID != "ws-1" || body.Runtime != "python" {
 			t.Errorf("body mismatch: %+v", body)
 		}
-		if body.InstanceType != "m6i.xlarge" {
-			t.Errorf("instance_type = %q, want m6i.xlarge", body.InstanceType)
-		}
-		if body.DiskGB != 100 {
-			t.Errorf("disk_gb = %d, want 100", body.DiskGB)
-		}
 		w.WriteHeader(http.StatusCreated)
 		_, _ = io.WriteString(w, `{"instance_id":"i-abc123","state":"pending"}`)
 	}))
@@ -211,7 +205,6 @@ func TestStart_HappyPath(t *testing.T) {

 	id, err := p.Start(context.Background(), WorkspaceConfig{
 		WorkspaceID: "ws-1", Runtime: "python", Tier: 1, PlatformURL: "http://tenant",
-		InstanceType: "m6i.xlarge", DiskGB: 100,
 	})
 	if err != nil {
 		t.Fatalf("Start: %v", err)
@@ -369,7 +362,7 @@ func TestStart_CollectsConfigFiles(t *testing.T) {
 	p := &CPProvisioner{baseURL: srv.URL, orgID: "org-1", httpClient: srv.Client()}
 	_, err := p.Start(context.Background(), WorkspaceConfig{
 		WorkspaceID:  "ws-1",
-		Runtime:      "python",
+		Runtime:     "python",
 		Tier:         1,
 		PlatformURL:  "http://tenant",
 		TemplatePath: tmpl,
@@ -431,7 +424,7 @@ func TestStart_SymlinkTemplatePathError(t *testing.T) {
 	p := &CPProvisioner{baseURL: "http://unused", orgID: "org-1", httpClient: &http.Client{Timeout: time.Second}}
 	_, err := p.Start(context.Background(), WorkspaceConfig{
 		WorkspaceID:  "ws-1",
-		Runtime:      "python",
+		Runtime:     "python",
 		TemplatePath: symlink, // symlink root → OFFSEC-010 guard should fire
 	})
 	if err == nil {
@@ -442,26 +435,6 @@ func TestStart_SymlinkTemplatePathError(t *testing.T) {
 	}
 }

-// TestStart_Malformed201SurfacesError — when CP returns 201 Created with
-// unparseable JSON, Start must return an error instead of silently
-// returning an empty instance_id. CR2 blocker from review #5552.
-func TestStart_Malformed201SurfacesError(t *testing.T) {
-	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusCreated)
-		_, _ = io.WriteString(w, `{"instance_id": broken-json`)
-	}))
-	defer srv.Close()
-
-	p := &CPProvisioner{baseURL: srv.URL, orgID: "org-1", httpClient: srv.Client()}
-	_, err := p.Start(context.Background(), WorkspaceConfig{WorkspaceID: "ws-1", Runtime: "py"})
-	if err == nil {
-		t.Fatal("expected error on malformed 201, got nil")
-	}
-	if !strings.Contains(err.Error(), "decode 201 response") {
-		t.Errorf("error should mention decode 201 response, got %q", err.Error())
-	}
-}
-
 // TestStop_SendsBothAuthHeaders — verify #118/#130 compliance on the
 // teardown path. Any call to /cp/workspaces/:id must carry both the
 // platform-wide shared secret AND the per-tenant admin token, or the
@@ -98,10 +98,10 @@ type WorkspaceConfig struct {
 	WorkspacePath      string            // Host path to bind-mount as /workspace (if empty, uses Docker named volume)
 	Tier               int
 	Runtime            string            // "langgraph" (default) or "claude-code", "codex", "ollama", "custom"
-	InstanceType       string            // Optional CP EC2 instance type override (SaaS only)
-	DiskGB             int32             // Optional CP root volume size override in GiB (SaaS only)
 	EnvVars            map[string]string // Additional env vars (API keys, etc.)
 	PlatformURL        string
+	AwarenessURL       string
+	AwarenessNamespace string
 	WorkspaceAccess    string // #65: "none" (default), "read_only", or "read_write"
 	ResetClaudeSession bool   // #12: if true, discard the claude-sessions volume before start (fresh session dir)

@@ -704,19 +704,11 @@ func buildContainerEnv(cfg WorkspaceConfig) []string {
 		// still override (Dockerfile ENV is overridden by docker -e at runtime).
 		"PYTHONPATH=/app",
 	}
-	// #1687: track explicit GH_TOKEN / GITHUB_TOKEN so they win over GH_PAT
-	// alias. These are normally stripped by the SCM-write guard below, but
-	// when a user explicitly sets them we preserve the value.
-	var explicitGHToken, explicitGitHubToken string
+	if cfg.AwarenessNamespace != "" && cfg.AwarenessURL != "" {
+		env = append(env, fmt.Sprintf("AWARENESS_NAMESPACE=%s", cfg.AwarenessNamespace))
+		env = append(env, fmt.Sprintf("AWARENESS_URL=%s", cfg.AwarenessURL))
+	}
 	for k, v := range cfg.EnvVars {
-		if k == "GH_TOKEN" {
-			explicitGHToken = v
-			continue
-		}
-		if k == "GITHUB_TOKEN" {
-			explicitGitHubToken = v
-			continue
-		}
 		// Forensic #145 hardening: tenant workspace containers run
 		// agent-controlled code and must NEVER receive a Git SCM *write*
 		// credential. Without merge/approve creds in-container the
@@ -734,19 +726,6 @@ func buildContainerEnv(cfg WorkspaceConfig) []string {
 		}
 		env = append(env, fmt.Sprintf("%s=%s", k, v))
 	}
-	// #1687: alias GH_PAT → GH_TOKEN / GITHUB_TOKEN on the READ side
-	// (container env assembly). Explicit values win: only alias when the
-	// key was not set in workspace secrets.
-	if explicitGHToken != "" {
-		env = append(env, fmt.Sprintf("GH_TOKEN=%s", explicitGHToken))
-	} else if pat, hasPAT := cfg.EnvVars["GH_PAT"]; hasPAT && pat != "" {
-		env = append(env, fmt.Sprintf("GH_TOKEN=%s", pat))
-	}
-	if explicitGitHubToken != "" {
-		env = append(env, fmt.Sprintf("GITHUB_TOKEN=%s", explicitGitHubToken))
-	} else if pat, hasPAT := cfg.EnvVars["GH_PAT"]; hasPAT && pat != "" {
-		env = append(env, fmt.Sprintf("GITHUB_TOKEN=%s", pat))
-	}
 	// Inject ADMIN_TOKEN from the platform server's environment so workspace
 	// containers can call /admin/liveness and other admin-gated endpoints
 	// (core#831). cp_provisioner.go handles this separately for SaaS tenants.
@@ -1626,3 +1605,4 @@ func parseOCIPlatform(s string) *ocispec.Platform {
 	}
 	return &ocispec.Platform{OS: parts[0], Architecture: parts[1]}
 }
+
@@ -692,6 +692,39 @@ func TestBuildContainerEnv_MoleculeAIURLAlwaysMatchesPlatformURL(t *testing.T) {
 	}
 }

+func TestBuildContainerEnv_AwarenessOnlyWhenBothSet(t *testing.T) {
+	// Both set → both injected.
+	cfg := WorkspaceConfig{
+		WorkspaceID:        "ws-x",
+		PlatformURL:        "http://localhost:8080",
+		AwarenessURL:       "http://awareness:9000",
+		AwarenessNamespace: "ns-1",
+	}
+	env := buildContainerEnv(cfg)
+	hasNS := false
+	hasURL := false
+	for _, e := range env {
+		if e == "AWARENESS_NAMESPACE=ns-1" {
+			hasNS = true
+		}
+		if e == "AWARENESS_URL=http://awareness:9000" {
+			hasURL = true
+		}
+	}
+	if !hasNS || !hasURL {
+		t.Errorf("both awareness vars must be present: env=%v", env)
+	}
+
+	// Only namespace set → neither injected (must be both-or-nothing).
+	cfg.AwarenessURL = ""
+	env2 := buildContainerEnv(cfg)
+	for _, e := range env2 {
+		if strings.HasPrefix(e, "AWARENESS_") {
+			t.Errorf("awareness vars must NOT be injected when URL is missing: got %q", e)
+		}
+	}
+}
+
 func TestBuildContainerEnv_CustomEnvVarsAppended(t *testing.T) {
 	// NOTE: this test previously asserted GITHUB_TOKEN passed through
 	// verbatim. That assertion encoded the forensic #145 latent leak as
@@ -737,12 +770,9 @@ func TestBuildContainerEnv_CustomEnvVarsAppended(t *testing.T) {
 // place — i.e. the guard is proven by construction, not by environment
 // accident.
 func TestBuildContainerEnv_StripsSCMWriteTokens(t *testing.T) {
-	// GH_TOKEN and GITHUB_TOKEN are preserved when explicitly set (#1687)
-	// because they win over the GH_PAT alias. The unconditional strip list
-	// therefore excludes them; see TestBuildContainerEnv_GHPATAliasPrecedence
-	// for the positive assertion.
 	scmTokens := []string{
-		"GITEA_TOKEN", "GITLAB_TOKEN", "GL_TOKEN", "BITBUCKET_TOKEN",
+		"GITEA_TOKEN", "GITHUB_TOKEN", "GH_TOKEN",
+		"GITLAB_TOKEN", "GL_TOKEN", "BITBUCKET_TOKEN",
 	}

 	t.Run("normal path — SCM tokens explicitly set in EnvVars", func(t *testing.T) {
@@ -750,9 +780,6 @@ func TestBuildContainerEnv_StripsSCMWriteTokens(t *testing.T) {
 		for _, k := range scmTokens {
 			envVars[k] = "leaked-write-credential-" + k
 		}
-		// Explicit GH_TOKEN / GITHUB_TOKEN are now preserved (#1687).
-		envVars["GH_TOKEN"] = "explicit-gh-token"
-		envVars["GITHUB_TOKEN"] = "explicit-github-token"
 		cfg := WorkspaceConfig{
 			WorkspaceID: "ws-tenant",
 			PlatformURL: "http://localhost:8080",
@@ -768,13 +795,6 @@ func TestBuildContainerEnv_StripsSCMWriteTokens(t *testing.T) {
 		if !envContains(buildContainerEnv(cfg), "ANTHROPIC_API_KEY=sk-keep") {
 			t.Errorf("filter must not strip non-SCM API keys")
 		}
-		// Explicit GH tokens must be preserved (not stripped).
-		if !envContains(buildContainerEnv(cfg), "GH_TOKEN=explicit-gh-token") {
-			t.Errorf("explicit GH_TOKEN must be preserved")
-		}
-		if !envContains(buildContainerEnv(cfg), "GITHUB_TOKEN=explicit-github-token") {
-			t.Errorf("explicit GITHUB_TOKEN must be preserved")
-		}
 	})

 	t.Run("persona-file path — simulates loadPersonaEnvFile merge", func(t *testing.T) {
@@ -835,106 +855,6 @@ func TestCPProvisionerEnv_StripsSCMWriteTokens(t *testing.T) {
 	}
 }

-// TestBuildContainerEnv_GHPATAliasPrecedence asserts that explicit GH_TOKEN /
-// GITHUB_TOKEN in workspace secrets win over the GH_PAT alias (#1687 CR2
-// review_id=5646). The alias must only inject a key when it was NOT explicitly
-// set.
-func TestBuildContainerEnv_GHPATAliasPrecedence(t *testing.T) {
-	pat := "ghp_pat_from_secrets"
-	explicitGH := "gh_explicit_token"
-	explicitGitHub := "github_explicit_token"
-
-	t.Run("GH_PAT alone → alias both", func(t *testing.T) {
-		cfg := WorkspaceConfig{
-			WorkspaceID: "ws-x",
-			PlatformURL: "http://localhost:8080",
-			EnvVars:     map[string]string{"GH_PAT": pat},
-		}
-		env := buildContainerEnv(cfg)
-		if !envContains(env, "GH_TOKEN="+pat) {
-			t.Errorf("GH_PAT alias must set GH_TOKEN, got %v", env)
-		}
-		if !envContains(env, "GITHUB_TOKEN="+pat) {
-			t.Errorf("GH_PAT alias must set GITHUB_TOKEN, got %v", env)
-		}
-	})
-
-	t.Run("explicit GH_TOKEN wins over GH_PAT alias", func(t *testing.T) {
-		cfg := WorkspaceConfig{
-			WorkspaceID: "ws-x",
-			PlatformURL: "http://localhost:8080",
-			EnvVars: map[string]string{
-				"GH_PAT":   pat,
-				"GH_TOKEN": explicitGH,
-			},
-		}
-		env := buildContainerEnv(cfg)
-		if envContains(env, "GH_TOKEN="+pat) {
-			t.Errorf("explicit GH_TOKEN must win over GH_PAT alias, got GH_TOKEN=%q", pat)
-		}
-		if !envContains(env, "GH_TOKEN="+explicitGH) {
-			t.Errorf("explicit GH_TOKEN must be preserved, got %v", env)
-		}
-	})
-
-	t.Run("explicit GITHUB_TOKEN wins over GH_PAT alias", func(t *testing.T) {
-		cfg := WorkspaceConfig{
-			WorkspaceID: "ws-x",
-			PlatformURL: "http://localhost:8080",
-			EnvVars: map[string]string{
-				"GH_PAT":       pat,
-				"GITHUB_TOKEN": explicitGitHub,
-			},
-		}
-		env := buildContainerEnv(cfg)
-		if envContains(env, "GITHUB_TOKEN="+pat) {
-			t.Errorf("explicit GITHUB_TOKEN must win over GH_PAT alias, got GITHUB_TOKEN=%q", pat)
-		}
-		if !envContains(env, "GITHUB_TOKEN="+explicitGitHub) {
-			t.Errorf("explicit GITHUB_TOKEN must be preserved, got %v", env)
-		}
-	})
-
-	t.Run("explicit both → both preserved, no alias", func(t *testing.T) {
-		cfg := WorkspaceConfig{
-			WorkspaceID: "ws-x",
-			PlatformURL: "http://localhost:8080",
-			EnvVars: map[string]string{
-				"GH_PAT":       pat,
-				"GH_TOKEN":     explicitGH,
-				"GITHUB_TOKEN": explicitGitHub,
-			},
-		}
-		env := buildContainerEnv(cfg)
-		if envContains(env, "GH_TOKEN="+pat) {
-			t.Errorf("explicit GH_TOKEN must win, got alias value %q", pat)
-		}
-		if envContains(env, "GITHUB_TOKEN="+pat) {
-			t.Errorf("explicit GITHUB_TOKEN must win, got alias value %q", pat)
-		}
-		if !envContains(env, "GH_TOKEN="+explicitGH) {
-			t.Errorf("explicit GH_TOKEN must be preserved, got %v", env)
-		}
-		if !envContains(env, "GITHUB_TOKEN="+explicitGitHub) {
-			t.Errorf("explicit GITHUB_TOKEN must be preserved, got %v", env)
-		}
-	})
-
-	t.Run("no GH_PAT → no alias injected", func(t *testing.T) {
-		cfg := WorkspaceConfig{
-			WorkspaceID: "ws-x",
-			PlatformURL: "http://localhost:8080",
-			EnvVars:     map[string]string{"OTHER": "ok"},
-		}
-		env := buildContainerEnv(cfg)
-		for _, e := range env {
-			if strings.HasPrefix(e, "GH_TOKEN=") || strings.HasPrefix(e, "GITHUB_TOKEN=") {
-				t.Errorf("no GH_PAT present → no alias should be injected, got %q", e)
-			}
-		}
-	})
-}
-
 func assertNoSCMWriteToken(t *testing.T, env []string, scmTokens []string) {
 	t.Helper()
 	for _, e := range env {
@@ -93,9 +93,6 @@ func sweepOnlineWorkspaces(ctx context.Context, checker ContainerChecker, onOffl
 			ids = append(ids, id)
 		}
 	}
-	if err := rows.Err(); err != nil {
-		log.Printf("Health sweep: rows error: %v", err)
-	}

 	for _, id := range ids {
 		running, err := checker.IsRunning(ctx, id)
@@ -162,9 +159,6 @@ func sweepStaleRemoteWorkspaces(ctx context.Context, onOffline OfflineHandler) {
 			ids = append(ids, id)
 		}
 	}
-	if err := rows.Err(); err != nil {
-		log.Printf("Health sweep: rows error: %v", err)
-	}

 	for _, id := range ids {
 		// External workspaces flip to 'awaiting_agent' (re-registrable
@@ -166,9 +166,6 @@ func sweepStuckProvisioning(ctx context.Context, emitter ProvisionTimeoutEmitter
 			ids = append(ids, c)
 		}
 	}
-	if err := rows.Err(); err != nil {
-		log.Printf("Provision-timeout sweep: rows error: %v", err)
-	}

 	for _, c := range ids {
 		timeout := provisioningTimeoutFor(c.runtime, lookup)
@@ -81,7 +81,6 @@ func TestTestTokenRoute_RequiresAdminAuth_WhenTokensExist(t *testing.T) {
 // bootstrap path still works before the first workspace has registered.
 func TestTestTokenRoute_FailOpenOnFreshInstall(t *testing.T) {
 	t.Setenv("MOLECULE_ENV", "development")
-	t.Setenv("ADMIN_TOKEN", "")
 	mock := setupRouterTestDB(t)

 	// HasAnyLiveTokenGlobal: no tokens yet — fresh install.
@@ -178,13 +178,6 @@ func Setup(hub *ws.Hub, broadcaster *events.Broadcaster, prov *provisioner.Provi
 		// the tenant AWS credentials. Admin-gated because console output
 		// can include user-data snippets we treat as semi-sensitive.
 		wsAdmin.GET("/workspaces/:id/console", wh.Console)
-		// Display sessions will eventually return short-lived proxied DCV
-		// URLs, so keep the endpoint admin-gated from the first unavailable
-		// state rather than widening it later.
-		wsAdmin.GET("/workspaces/:id/display", wh.Display)
-		wsAdmin.GET("/workspaces/:id/display/control", wh.DisplayControl)
-		wsAdmin.POST("/workspaces/:id/display/control/acquire", wh.AcquireDisplayControl)
-		wsAdmin.POST("/workspaces/:id/display/control/release", wh.ReleaseDisplayControl)

 		// Admin memory backup/restore (#1051) — bulk export/import of agent
 		// memories for safe Docker rebuilds. Matches workspaces by name on import.
@@ -1,61 +0,0 @@
-package router
-
-import (
-	"net/http"
-	"net/http/httptest"
-	"testing"
-
-	"github.com/DATA-DOG/go-sqlmock"
-	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
-	"github.com/Molecule-AI/molecule-monorepo/platform/internal/handlers"
-	"github.com/Molecule-AI/molecule-monorepo/platform/internal/middleware"
-	"github.com/gin-gonic/gin"
-)
-
-func buildWorkspaceDisplayEngine(t *testing.T) *gin.Engine {
-	t.Helper()
-	gin.SetMode(gin.TestMode)
-	r := gin.New()
-	wh := handlers.NewWorkspaceHandler(nil, nil, "http://localhost:8080", t.TempDir())
-	r.GET("/workspaces/:id/display", middleware.AdminAuth(db.DB), wh.Display)
-	r.POST("/workspaces/:id/display/control/acquire", middleware.AdminAuth(db.DB), wh.AcquireDisplayControl)
-	return r
-}
-
-func TestWorkspaceDisplayRoute_RequiresAdminAuth(t *testing.T) {
-	t.Setenv("ADMIN_TOKEN", "test-admin-secret-not-presented-by-caller")
-	mock := setupRouterTestDB(t)
-	mock.ExpectQuery("SELECT COUNT.*FROM workspace_auth_tokens").
-		WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(1))
-
-	r := buildWorkspaceDisplayEngine(t)
-	w := httptest.NewRecorder()
-	req := httptest.NewRequest(http.MethodGet, "/workspaces/ws-display/display", nil)
-	r.ServeHTTP(w, req)
-
-	if w.Code != http.StatusUnauthorized {
-		t.Errorf("expected 401 for unauthenticated request, got %d: %s", w.Code, w.Body.String())
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("sqlmock unmet: %v", err)
-	}
-}
-
-func TestWorkspaceDisplayControlRoute_RequiresAdminAuth(t *testing.T) {
-	t.Setenv("ADMIN_TOKEN", "test-admin-secret-not-presented-by-caller")
-	mock := setupRouterTestDB(t)
-	mock.ExpectQuery("SELECT COUNT.*FROM workspace_auth_tokens").
-		WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(1))
-
-	r := buildWorkspaceDisplayEngine(t)
-	w := httptest.NewRecorder()
-	req := httptest.NewRequest(http.MethodPost, "/workspaces/ws-display/display/control/acquire", nil)
-	r.ServeHTTP(w, req)
-
-	if w.Code != http.StatusUnauthorized {
-		t.Errorf("expected 401 for unauthenticated request, got %d: %s", w.Code, w.Body.String())
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("sqlmock unmet: %v", err)
-	}
-}
@@ -425,7 +425,6 @@ func (s *Scheduler) fireSchedule(ctx context.Context, sched scheduleRow) {

 	lastStatus := "ok"
 	lastError := ""
-	resultKind := ""
 	if proxyErr != nil {
 		lastStatus = "error"
 		lastError = fmt.Sprintf("%v", proxyErr)
@@ -434,26 +433,8 @@ func (s *Scheduler) fireSchedule(ctx context.Context, sched scheduleRow) {
 		lastStatus = "error"
 		lastError = fmt.Sprintf("HTTP %d", statusCode)
 		log.Printf("Scheduler: '%s' non-2xx: %d", sched.Name, statusCode)
-	} else if a2aErr := a2aErrorFromBody(respBody); a2aErr != "" {
-		lastStatus = "error"
-		lastError = fmt.Sprintf("A2A adapter error: %s", a2aErr)
-		log.Printf("Scheduler: '%s' A2A adapter error (HTTP %d): %s", sched.Name, statusCode, a2aErr)
 	} else {
-		// HTTP 200 — inspect response body for SDK-layer errors.
-		// The claude-code-sdk adapter returns HTTP 200 even when the inner
-		// LLM call throws (e.g. Max-plan rate-limit, quota exhaustion, SDK
-		// internal errors). Without this check those failures surface as
-		// "completed (HTTP 200)" in last_status while the agent chat shows
-		// errors — a silent failure that hides schedule outages.
-		// See: #1696.
-		resultKind = detectResultKind(respBody)
-		if resultKind != "" && resultKind != "ok" {
-			lastStatus = resultKind
-			lastError = fmt.Sprintf("SDK error: result_kind=%s", resultKind)
-			log.Printf("Scheduler: '%s' SDK error detected — result_kind=%s", sched.Name, resultKind)
-		} else {
-			log.Printf("Scheduler: '%s' completed (HTTP %d)", sched.Name, statusCode)
-		}
+		log.Printf("Scheduler: '%s' completed (HTTP %d)", sched.Name, statusCode)
 	}

 	// #795: detect phantom-producing schedules — cron fires successfully
@@ -498,54 +479,6 @@ func (s *Scheduler) fireSchedule(ctx context.Context, sched scheduleRow) {
 		resetCancel()
 	}

-	// #1696: track consecutive SDK errors. When the adapter returns HTTP 200
-	// but the response body signals a non-ok result_kind (rate_limited,
-	// sdk_error, quota_exhausted), we increment a counter. After 3 consecutive
-	// SDK errors we auto-disable the schedule and log it — the schedule is
-	// suffering a persistent LLM-layer failure and firing it again will keep
-	// producing the same errors while burning tokens.
-	//
-	// Only apply when the current lastStatus is a non-ok resultKind (not when
-	// we already have 'error' from proxyErr or non-2xx HTTP status — those have
-	// their own failure semantics). Also skip when lastStatus is 'stale' (the
-	// empty-response escalation path takes priority).
-	var consecSDK int
-	if resultKind != "" && resultKind != "ok" {
-		sdkCtx, sdkCancel := context.WithTimeout(context.Background(), dbQueryTimeout)
-		if err := db.DB.QueryRowContext(sdkCtx, `
-			UPDATE workspace_schedules
-			SET consecutive_sdk_errors = consecutive_sdk_errors + 1,
-			    updated_at = now()
-			WHERE id = $1
-			RETURNING consecutive_sdk_errors`, sched.ID).Scan(&consecSDK); err != nil {
-			log.Printf("Scheduler: '%s' SDK-error bump failed: %v", sched.Name, err)
-		}
-		sdkCancel()
-		if consecSDK >= 3 {
-			log.Printf("Scheduler: '%s' AUTO-DISABLING after %d consecutive SDK errors (workspace %s)",
-				sched.Name, consecSDK, short(sched.WorkspaceID, 12))
-			autoDisableCtx, autoDisableCancel := context.WithTimeout(context.Background(), dbQueryTimeout)
-			_, _ = db.DB.ExecContext(autoDisableCtx, `
-				UPDATE workspace_schedules SET enabled = false, updated_at = now() WHERE id = $1 AND enabled = true`,
-				sched.ID)
-			autoDisableCancel()
-		}
-	} else {
-		// Non-SDK-error run — reset the counter.
-		// Guard: only reset when lastStatus is a clean ok (not 'stale', not
-		// 'error', not resultKind). An 'ok' resultKind means the SDK is fine
-		// and we should clear the streak.
-		if lastStatus == "ok" {
-			resetCtx, resetCancel := context.WithTimeout(context.Background(), dbQueryTimeout)
-			_, _ = db.DB.ExecContext(resetCtx, `
-				UPDATE workspace_schedules
-				SET consecutive_sdk_errors = 0,
-				    updated_at = now()
-				WHERE id = $1`, sched.ID)
-			resetCancel()
-		}
-	}
-
 	nextRun, nextErr := ComputeNextRun(sched.CronExpr, sched.Timezone, time.Now())
 	var nextRunPtr *time.Time
 	if nextErr == nil {
@@ -826,149 +759,6 @@ func (s *Scheduler) sweepPhantomBusy(ctx context.Context) {
 	}
 }

-// detectResultKind inspects an A2A response body for SDK-layer error signals
-// that are invisible at the HTTP level. The claude-code-sdk adapter returns
-// HTTP 200 even when the inner LLM call throws (Max-plan rate-limit, quota
-// exhaustion, SDK internal errors) — the error surfaces only in the response
-// body under result.kind or result.result_kind.
-//
-// Returns an empty string when the response is clean (result_kind is "ok",
-// "message" — the A2A-SDK canonical successful Message envelope — or absent).
-// Returns the result_kind value when it is a non-ok signal, so callers can
-// propagate it as the schedule's last_status.
-//
-// Known successful (= treat-as-ok) kinds (resultOKKinds):
-//   - "ok" — explicit success signal
-//   - "message" — A2A-SDK Message envelope (`{"result":{"kind":"message","parts":[...]}}`),
-//     emitted by every successful agent reply. Fix: #1696 originally allow-listed only
-//     "ok" / empty, which mis-flagged every successful agent response as an SDK error
-//     (PM scheduler observed 21 consecutive false-failure ticks before auto-disable;
-//     screenshot 2026-05-23). See [#1696 follow-up].
-//
-// Known non-ok kinds:
-//   - "rate_limited" — LLM API rate-limit hit (Max-plan, etc.)
-//   - "quota_exhausted" — quota / budget exhausted
-//   - "sdk_error" — SDK threw an internal error
-//
-// See #1696.
-//
-// resultOKKinds is the allowlist of `result.kind` values that are
-// UNCONDITIONALLY successful (no further parsing needed). Anything
-// outside this set is treated as a non-ok SDK signal, EXCEPT `task`
-// which is gated separately on `result.status.state` (see
-// classifyTaskState — A2A Task can be either in-progress or terminally
-// failed, depending on its status).
-//
-// Add to this list when new always-success envelope kinds are introduced
-// upstream. NEVER add an envelope that can carry a failure sub-state.
-var resultOKKinds = map[string]struct{}{
-	"":        {}, // absent / empty → treat as ok (no signal)
-	"ok":      {}, // explicit success
-	"message": {}, // A2A-SDK Message envelope (always a successful agent reply)
-}
-
-// taskOKStates is the A2A Task `status.state` allowlist for results that
-// have `kind: "task"`. Tasks can be in-progress (submitted/working) or
-// terminally successful (completed) — those are clean signals to the
-// scheduler. Terminal failure states (failed/canceled/rejected) are
-// surfaced as the scheduler's last_status so operators can see the real
-// state. Cf. CR2 review feedback on #1716.
-var taskOKStates = map[string]struct{}{
-	"":          {}, // status.state absent → conservative: don't fire false-failure
-	"submitted": {}, // task accepted, not yet running
-	"working":   {}, // task in progress
-	"completed": {}, // task finished successfully
-}
-
-// classifyTaskState inspects `result.status.state` (or `result.status_state`
-// legacy variant) and returns "" when the state is in taskOKStates (success
-// or in-progress) or the state string when it is a terminal failure that
-// should propagate as last_status.
-func classifyTaskState(result map[string]json.RawMessage) string {
-	rawStatus, ok := result["status"]
-	if !ok {
-		return "" // no status block → no signal, leave clean
-	}
-	var status map[string]json.RawMessage
-	if err := json.Unmarshal(rawStatus, &status); err != nil {
-		return ""
-	}
-	if rawState, ok := status["state"]; ok {
-		var s string
-		if json.Unmarshal(rawState, &s) == nil {
-			if _, isOK := taskOKStates[s]; !isOK {
-				return s
-			}
-		}
-	}
-	return ""
-}
-
-func detectResultKind(body []byte) string {
-	if len(body) == 0 {
-		return ""
-	}
-	var top map[string]json.RawMessage
-	if err := json.Unmarshal(body, &top); err != nil {
-		return ""
-	}
-	// Check result.kind first (canonical JSON-RPC shape).
-	if rawResult, ok := top["result"]; ok {
-		var result map[string]json.RawMessage
-		if err := json.Unmarshal(rawResult, &result); err == nil {
-			// result.kind (canonical JSON-RPC envelope field).
-			if rawKind, ok := result["kind"]; ok {
-				var k string
-				if json.Unmarshal(rawKind, &k) == nil {
-					// Special-case task: success or failure depends on status.state.
-					if k == "task" {
-						if bad := classifyTaskState(result); bad != "" {
-							return bad
-						}
-						// task with ok / in-progress state → clean
-					} else if _, isOK := resultOKKinds[k]; !isOK {
-						return k
-					}
-				}
-			}
-			// result.result_kind (legacy / alternative field name).
-			if rawKind, ok := result["result_kind"]; ok {
-				var k string
-				if json.Unmarshal(rawKind, &k) == nil {
-					if k == "task" {
-						if bad := classifyTaskState(result); bad != "" {
-							return bad
-						}
-					} else if _, isOK := resultOKKinds[k]; !isOK {
-						return k
-					}
-				}
-			}
-		}
-	}
-	// Top-level error: non-ok HTTP 200 with a structured error in the body.
-	if rawErr, ok := top["error"]; ok {
-		var errMsg string
-		if err := json.Unmarshal(rawErr, &errMsg); err == nil && errMsg != "" {
-			// Distinguish SDK errors from other errors. SDK-layer errors from the
-			// Claude Code runtime include specific markers.
-			lower := strings.ToLower(errMsg)
-			// Check more specific patterns first (max-plan quota > general rate).
-			if strings.Contains(lower, "max-plan") || strings.Contains(lower, "quota") || strings.Contains(lower, "budget") {
-				return "quota_exhausted"
-			}
-			if strings.Contains(lower, "rate limit") || strings.Contains(lower, "rate_limit") {
-				return "rate_limited"
-			}
-			if strings.Contains(lower, "claude code returned an error") || strings.Contains(lower, "sdk error") ||
-				strings.Contains(lower, "api key") || strings.Contains(lower, "authentication") {
-				return "sdk_error"
-			}
-		}
-	}
-	return ""
-}
-
 // isEmptyResponse checks if an A2A response body indicates the agent
 // produced no meaningful output. Catches "(no response generated)" from
 // the workspace runtime + genuinely empty/null responses. Used by the
@@ -1018,32 +808,6 @@ func isEmptyResponse(body []byte) bool {
 	return false
 }

-// a2aErrorFromBody extracts an A2A/JSON-RPC error message from a 2xx
-// response body. The adapter SDK may return HTTP 200 with an error
-// payload when it throws internally; this prevents the scheduler from
-// falsely recording last_status='ok'.
-// Issue #1696.
-func a2aErrorFromBody(body []byte) string {
-	if len(body) == 0 {
-		return ""
-	}
-	var resp map[string]interface{}
-	if json.Unmarshal(body, &resp) != nil {
-		return ""
-	}
-	// JSON-RPC style: {"error":{"code":-32603,"message":"..."}}
-	if errObj, ok := resp["error"].(map[string]interface{}); ok {
-		if msg, ok := errObj["message"].(string); ok {
-			return msg
-		}
-	}
-	// Plain style: {"error":"..."}
-	if errStr, ok := resp["error"].(string); ok {
-		return errStr
-	}
-	return ""
-}
-
 // truncation moved to internal/textutil.TruncateBytes (#2962 SSOT).
 // The original #2026 fix lives in textutil's package docs as canonical
 // prior art. Ellipsis was previously "..." (3 ASCII bytes); the SSOT
@@ -3,7 +3,6 @@ package scheduler
 import (
 	"context"
 	"database/sql"
-	"encoding/json"
 	"testing"
 	"time"
 	"unicode/utf8"
@@ -257,58 +256,6 @@ func (p *successProxy) ProxyA2ARequest(
 	return 200, []byte(`{"ok":true}`), nil
 }

-// ── adapterErrorProxy ─────────────────────────────────────────────────────────
-
-// adapterErrorProxy is a test double whose ProxyA2ARequest returns HTTP 200
-// with a JSON-RPC error body, simulating an adapter SDK that throws internally
-// but still completes the HTTP round-trip. Issue #1696.
-type adapterErrorProxy struct{}
-
-func (p *adapterErrorProxy) ProxyA2ARequest(
-	_ context.Context, _ string, _ []byte, _ string, _ bool,
-) (int, []byte, error) {
-	return 200, []byte(`{"jsonrpc":"2.0","id":"cron-test-123","error":{"code":-32603,"message":"adapter SDK internal error"}}`), nil
-}
-
-// ── TestFireSchedule_AdapterSDKError (#1696) ──────────────────────────────────
-//
-// When the adapter SDK throws internally and returns HTTP 200 with an error
-// payload, fireSchedule must record last_status='error', not 'ok'.
-
-func TestFireSchedule_AdapterSDKError(t *testing.T) {
-	mock := setupTestDB(t)
-
-	sched := scheduleRow{
-		ID:          "55555555-dead-beef-0000-000000000005",
-		WorkspaceID: "66666666-dead-beef-0000-000000000006",
-		Name:        "adapter-err-job",
-		CronExpr:    "0 * * * *",
-		Timezone:    "UTC",
-		Prompt:      "do something",
-	}
-
-	// active_tasks check → 0 (workspace is idle; proceed to fire)
-	mock.ExpectQuery(`SELECT COALESCE`).
-		WillReturnRows(sqlmock.NewRows([]string{"coalesce"}).AddRow(0))
-
-	// Post-fire UPDATE must record last_status='error' with the adapter error message.
-	mock.ExpectExec(`UPDATE workspace_schedules`).
-		WithArgs(sched.ID, sqlmock.AnyArg(), "error", "A2A adapter error: adapter SDK internal error").
-		WillReturnResult(sqlmock.NewResult(0, 1))
-
-	// activity_logs INSERT must carry status='error' and the error detail.
-	mock.ExpectExec(`INSERT INTO activity_logs`).
-		WithArgs(sched.WorkspaceID, sqlmock.AnyArg(), sqlmock.AnyArg(), "error", "A2A adapter error: adapter SDK internal error").
-		WillReturnResult(sqlmock.NewResult(0, 1))
-
-	s := New(&adapterErrorProxy{}, nil)
-	s.fireSchedule(context.Background(), sched)
-
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet DB expectations — adapter error not recorded correctly: %v", err)
-	}
-}
-
 // ── TestFireSchedule_ComputeNextRunError (#722 Bug 1) ─────────────────────────
 //
 // When ComputeNextRun fails (bad cron expression), fireSchedule must NOT write
@@ -338,12 +285,6 @@ func TestFireSchedule_ComputeNextRunError(t *testing.T) {
 		WithArgs(sched.ID).
 		WillReturnResult(sqlmock.NewResult(0, 1))

-	// #1696 consecutive_sdk_errors reset — successProxy has no result_kind,
-	// so detectResultKind returns "" and lastStatus="ok" → reset.
-	mock.ExpectExec(`UPDATE workspace_schedules`).
-		WithArgs(sched.ID).
-		WillReturnResult(sqlmock.NewResult(0, 1))
-
 	// UPDATE must fire — COALESCE($2, next_run_at) keeps existing value when $2 is nil.
 	// AnyArg for $2 because it will be nil (ComputeNextRun failed).
 	mock.ExpectExec(`UPDATE workspace_schedules`).
@@ -599,14 +540,7 @@ func TestFireSchedule_NormalSuccess_AdvancesNextRunAt(t *testing.T) {
 		WithArgs(sched.ID).
 		WillReturnResult(sqlmock.NewResult(0, 1))

-	// 3. #1696 consecutive_sdk_errors reset — successProxy response has no
-	//    result_kind in the body, so detectResultKind returns "" and lastStatus
-	//    is "ok" → we hit the SDK-error counter reset branch.
-	mock.ExpectExec(`UPDATE workspace_schedules`).
-		WithArgs(sched.ID).
-		WillReturnResult(sqlmock.NewResult(0, 1))
-
-	// 4. Normal UPDATE after successful proxy call.
+	// 3. Normal UPDATE after successful proxy call.
 	//    Args: $1=sched.ID, $2=nextRunPtr (computed time), $3=lastStatus, $4=lastError
 	mock.ExpectExec(`UPDATE workspace_schedules`).
 		WithArgs(sched.ID, sqlmock.AnyArg(), "ok", "").
@@ -669,336 +603,6 @@ func TestRecordSkipped_AdvancesNextRunAt(t *testing.T) {
 }
 // trigger CI

-// ── TestDetectResultKind ───────────────────────────────────────────────────────
-
-// TestDetectResultKind covers the SDK error detection path: HTTP 200 responses
-// with non-ok result_kind in the body must be recognised and returned as the
-// kind string, not silently treated as ok.
-func TestDetectResultKind(t *testing.T) {
-	// The test exercises detectResultKind directly so we don't need a full
-	// fireSchedule mock for this unit-test level.
-	tests := []struct {
-		name     string
-		body     string
-		wantKind string
-	}{
-		{
-			name:     "clean ok response — empty body",
-			body:     `{}`,
-			wantKind: "",
-		},
-		{
-			name:     "clean ok response — result.kind absent",
-			body:     `{"result":{"parts":[{"text":"hello"}]}}`,
-			wantKind: "",
-		},
-		{
-			name:     "clean ok response — result.kind=ok",
-			body:     `{"result":{"kind":"ok","parts":[{"text":"hello"}]}}`,
-			wantKind: "",
-		},
-		{
-			name:     "clean ok response — result.result_kind=ok",
-			body:     `{"result":{"result_kind":"ok","parts":[{"text":"hello"}]}}`,
-			wantKind: "",
-		},
-		{
-			// REGRESSION GUARD: A2A-SDK canonical Message envelope.
-			// Pre-fix, every successful agent reply was mis-flagged as an SDK
-			// error (PM scheduler hit 21 consecutive false-failure ticks before
-			// auto-disable; canvas screenshot 2026-05-23).
-			name:     "clean ok response — result.kind=message (A2A Message envelope)",
-			body:     `{"jsonrpc":"2.0","result":{"kind":"message","parts":[{"kind":"text","text":"hello"}]},"id":"1"}`,
-			wantKind: "",
-		},
-		{
-			name:     "clean ok response — result.result_kind=message",
-			body:     `{"result":{"result_kind":"message","parts":[{"text":"hello"}]}}`,
-			wantKind: "",
-		},
-		{
-			// A2A Task envelope, in-progress — `status.state` discriminator is
-			// `submitted` or `working` → treat as clean (not an SDK error).
-			name:     "clean ok — task envelope state=working",
-			body:     `{"result":{"kind":"task","task_id":"abc","status":{"state":"working"}}}`,
-			wantKind: "",
-		},
-		{
-			name:     "clean ok — task envelope state=submitted",
-			body:     `{"result":{"kind":"task","status":{"state":"submitted"}}}`,
-			wantKind: "",
-		},
-		{
-			name:     "clean ok — task envelope state=completed",
-			body:     `{"result":{"kind":"task","status":{"state":"completed"}}}`,
-			wantKind: "",
-		},
-		{
-			// Conservative: missing status.state → don't fire false-failure.
-			name:     "clean ok — task envelope no status block",
-			body:     `{"result":{"kind":"task","task_id":"abc"}}`,
-			wantKind: "",
-		},
-		{
-			// REGRESSION GUARD: terminal failure states MUST propagate as last_status.
-			// Without taskOKStates gating, the blanket "task" allowlist would have
-			// masked these — CR2 review feedback on #1716.
-			name:     "SDK error — task envelope state=failed",
-			body:     `{"result":{"kind":"task","status":{"state":"failed"}}}`,
-			wantKind: "failed",
-		},
-		{
-			name:     "SDK error — task envelope state=canceled",
-			body:     `{"result":{"kind":"task","status":{"state":"canceled"}}}`,
-			wantKind: "canceled",
-		},
-		{
-			name:     "SDK error — task envelope state=rejected",
-			body:     `{"result":{"kind":"task","status":{"state":"rejected"}}}`,
-			wantKind: "rejected",
-		},
-		{
-			name:     "SDK error — result.kind=rate_limited",
-			body:     `{"result":{"kind":"rate_limited","parts":[{"text":"error"}]}}`,
-			wantKind: "rate_limited",
-		},
-		{
-			name:     "SDK error — result.kind=quota_exhausted",
-			body:     `{"result":{"kind":"quota_exhausted"}}`,
-			wantKind: "quota_exhausted",
-		},
-		{
-			name:     "SDK error — result.kind=sdk_error",
-			body:     `{"result":{"kind":"sdk_error"}}`,
-			wantKind: "sdk_error",
-		},
-		{
-			name:     "SDK error — result.result_kind=rate_limited",
-			body:     `{"result":{"result_kind":"rate_limited"}}`,
-			wantKind: "rate_limited",
-		},
-		{
-			name:     "SDK error — error string with rate limit",
-			body:     `{"result":{"parts":[]},"error":"An error occurred: rate limit exceeded"}`,
-			wantKind: "rate_limited",
-		},
-		{
-			name:     "SDK error — error string with max-plan",
-			body:     `{"error":"Max-plan rate limit reached"}`,
-			wantKind: "quota_exhausted",
-		},
-		{
-			name:     "SDK error — error string with quota",
-			body:     `{"error":"quota exhausted for model"}`,
-			wantKind: "quota_exhausted",
-		},
-		{
-			name:     "SDK error — error string with sdk error",
-			body:     `{"error":"Claude Code returned an error result: success"}`,
-			wantKind: "sdk_error",
-		},
-		{
-			name:     "SDK error — error string with api key",
-			body:     `{"error":"invalid API key"}`,
-			wantKind: "sdk_error",
-		},
-		{
-			name:     "unknown error string — not an SDK error",
-			body:     `{"error":"something went wrong"}`,
-			wantKind: "",
-		},
-		{
-			name:     "empty response body",
-			body:     ``,
-			wantKind: "",
-		},
-		{
-			name:     "malformed JSON",
-			body:     `not valid json`,
-			wantKind: "",
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			got := detectResultKind([]byte(tc.body))
-			if got != tc.wantKind {
-				t.Errorf("detectResultKind(%q) = %q, want %q", tc.body, got, tc.wantKind)
-			}
-		})
-	}
-}
-
-// ── TestFireSchedule_SDKError_RateLimited (#1696) ───────────────────────────────
-//
-// When ProxyA2ARequest returns HTTP 200 but the response body contains a
-// non-ok result_kind, fireSchedule must:
-//   1. Set last_status to the result_kind (not 'ok').
-//   2. Set last_error to describe the SDK error.
-//   3. Increment consecutive_sdk_errors.
-//   4. NOT auto-disable on first occurrence (threshold is 3).
-//
-// This test uses an sdkErrorProxy that returns a rate-limited body and asserts
-// the first run is recorded as 'rate_limited' with consecutive_sdk_errors=1
-// and enabled=true.
-func TestFireSchedule_SDKError_RateLimited(t *testing.T) {
-	mock := setupTestDB(t)
-
-	sched := scheduleRow{
-		ID:          "sdk1-test-sched-0001",
-		WorkspaceID: "sdk1-test-workspace1",
-		Name:        "rate-limited-job",
-		CronExpr:    "0 * * * *",
-		Timezone:    "UTC",
-		Prompt:      "do work",
-	}
-
-	// 1. active_tasks check → workspace idle
-	mock.ExpectQuery(`SELECT COALESCE`).
-		WillReturnRows(sqlmock.NewRows([]string{"coalesce"}).AddRow(0))
-
-	// 2. #1696 consecutive_sdk_errors bump — RETURNING gives us count=1.
-	//    Use ExpectQuery (not Exec) because QueryRowContext + RETURNING
-	//    produces a result set consumed via .Scan().
-	mock.ExpectQuery(`UPDATE workspace_schedules`).
-		WithArgs(sched.ID).
-		WillReturnRows(sqlmock.NewRows([]string{"consecutive_sdk_errors"}).AddRow(1))
-
-	// 3. Post-fire UPDATE — last_status='rate_limited', last_error='SDK error: result_kind=rate_limited'
-	mock.ExpectExec(`UPDATE workspace_schedules`).
-		WithArgs(sched.ID, sqlmock.AnyArg(), "rate_limited", sqlmock.AnyArg()).
-		WillReturnResult(sqlmock.NewResult(0, 1))
-
-	// 4. activity_logs INSERT
-	mock.ExpectExec(`INSERT INTO activity_logs`).
-		WithArgs(sched.WorkspaceID, sqlmock.AnyArg(), sqlmock.AnyArg(), "rate_limited", sqlmock.AnyArg()).
-		WillReturnResult(sqlmock.NewResult(0, 1))
-
-	s := New(&sdkErrorProxy{kind: "rate_limited"}, nil)
-	s.fireSchedule(context.Background(), sched)
-
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet DB expectations for SDK-error first run: %v", err)
-	}
-}
-
-// ── TestFireSchedule_SDKError_AutoDisableOnThirdConsecutive (#1696) ───────────
-//
-// On the 3rd consecutive SDK error, fireSchedule must auto-disable the
-// schedule (enabled=false) in addition to recording the error status.
-// Threshold is 3 per #1696 requirement.
-func TestFireSchedule_SDKError_AutoDisableOnThirdConsecutive(t *testing.T) {
-	mock := setupTestDB(t)
-
-	sched := scheduleRow{
-		ID:          "sdk2-test-sched-0002",
-		WorkspaceID: "sdk2-test-workspace2",
-		Name:        "auto-disable-job",
-		CronExpr:    "0 * * * *",
-		Timezone:    "UTC",
-		Prompt:      "do work",
-	}
-
-	// 1. active_tasks check → workspace idle
-	mock.ExpectQuery(`SELECT COALESCE`).
-		WillReturnRows(sqlmock.NewRows([]string{"coalesce"}).AddRow(0))
-
-	// 2. #1696 consecutive_sdk_errors bump — RETURNING gives count=3 (threshold met).
-	//    Use ExpectQuery (not Exec) because QueryRowContext + RETURNING
-	//    produces a result set consumed via .Scan().
-	mock.ExpectQuery(`UPDATE workspace_schedules`).
-		WithArgs(sched.ID).
-		WillReturnRows(sqlmock.NewRows([]string{"consecutive_sdk_errors"}).AddRow(3))
-
-	// 3. Auto-disable UPDATE — sets enabled=false (schedule has hit 3rd SDK error)
-	mock.ExpectExec(`UPDATE workspace_schedules SET enabled`).
-		WithArgs(sched.ID).
-		WillReturnResult(sqlmock.NewResult(0, 1))
-
-	// 4. Post-fire UPDATE
-	mock.ExpectExec(`UPDATE workspace_schedules`).
-		WithArgs(sched.ID, sqlmock.AnyArg(), "rate_limited", sqlmock.AnyArg()).
-		WillReturnResult(sqlmock.NewResult(0, 1))
-
-	// 5. activity_logs INSERT
-	mock.ExpectExec(`INSERT INTO activity_logs`).
-		WithArgs(sched.WorkspaceID, sqlmock.AnyArg(), sqlmock.AnyArg(), "rate_limited", sqlmock.AnyArg()).
-		WillReturnResult(sqlmock.NewResult(0, 1))
-
-	s := New(&sdkErrorProxy{kind: "rate_limited"}, nil)
-	s.fireSchedule(context.Background(), sched)
-
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet DB expectations for SDK-error auto-disable: %v", err)
-	}
-}
-
-// ── TestFireSchedule_SDKError_CounterResetOnCleanRun (#1696) ──────────────────
-//
-// A clean HTTP-200 run (no SDK error) must reset consecutive_sdk_errors to 0.
-// This prevents false auto-disable after intermittent SDK blips.
-func TestFireSchedule_SDKError_CounterResetOnCleanRun(t *testing.T) {
-	mock := setupTestDB(t)
-
-	sched := scheduleRow{
-		ID:          "sdk3-test-sched-0003",
-		WorkspaceID: "sdk3-test-workspace3",
-		Name:        "clean-reset-job",
-		CronExpr:    "30 * * * *",
-		Timezone:    "UTC",
-		Prompt:      "do work",
-	}
-
-	// 1. active_tasks check → workspace idle
-	mock.ExpectQuery(`SELECT COALESCE`).
-		WillReturnRows(sqlmock.NewRows([]string{"coalesce"}).AddRow(0))
-
-	// 2. No SDK error — #1696 counter is reset to 0
-	//    (lastStatus is 'ok', resultKind is empty, so we go to the reset branch)
-	mock.ExpectExec(`UPDATE workspace_schedules`).
-		WithArgs(sched.ID).
-		WillReturnResult(sqlmock.NewResult(0, 1))
-
-	// 3. Post-fire UPDATE
-	mock.ExpectExec(`UPDATE workspace_schedules`).
-		WithArgs(sched.ID, sqlmock.AnyArg(), "ok", "").
-		WillReturnResult(sqlmock.NewResult(0, 1))
-
-	// 4. activity_logs INSERT
-	mock.ExpectExec(`INSERT INTO activity_logs`).
-		WithArgs(sched.WorkspaceID, sqlmock.AnyArg(), sqlmock.AnyArg(), "ok", "").
-		WillReturnResult(sqlmock.NewResult(0, 1))
-
-	s := New(&successProxy{}, nil)
-	s.fireSchedule(context.Background(), sched)
-
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet DB expectations for SDK-error counter reset: %v", err)
-	}
-}
-
-// ── sdkErrorProxy ──────────────────────────────────────────────────────────────
-//
-// sdkErrorProxy is a test double whose ProxyA2ARequest returns HTTP 200 but
-// embeds a non-ok result_kind in the response body, simulating a Claude Code
-// SDK that returned 200 but the inner LLM call threw a rate-limit / quota error.
-// Used by TestFireSchedule_SDKError_* to cover #1696 SDK error detection.
-type sdkErrorProxy struct {
-	kind string // result_kind value to embed in the response body
-}
-
-func (p *sdkErrorProxy) ProxyA2ARequest(
-	_ context.Context, _ string, _ []byte, _ string, _ bool,
-) (int, []byte, error) {
-	body, _ := json.Marshal(map[string]interface{}{
-		"result": map[string]interface{}{
-			"kind":  p.kind,
-			"parts": []map[string]interface{}{{"kind": "text", "text": "(no response generated)"}},
-		},
-	})
-	return 200, body, nil
-}
-
 // ── TestTruncate_utf8Safe_regression2026 ──────────────────────────────────────

 // TestTruncate_utf8Safe_regression2026 locks in the #2026 fix: truncate must
@@ -1 +0,0 @@
-ALTER TABLE workspaces DROP COLUMN IF EXISTS compute;
@@ -1,2 +0,0 @@
-ALTER TABLE workspaces
-    ADD COLUMN IF NOT EXISTS compute JSONB NOT NULL DEFAULT '{}'::jsonb;
@@ -1,4 +0,0 @@
-- migration: 20260523000000_schedule_consecutive_sdk_errors.down.sql
-- Reverts #1696 fix for #1696 (consecutive_sdk_errors column)
-
-ALTER TABLE workspace_schedules DROP COLUMN IF EXISTS consecutive_sdk_errors;
@@ -1,20 +0,0 @@
-- migration: 20260523000000_schedule_consecutive_sdk_errors.up.sql
-- Fixes #1696: Add consecutive_sdk_errors counter to track SDK errors (HTTP 200
-- responses where the Claude Code runtime returned a non-ok result_kind).
-- When this counter reaches 3, the scheduler sets last_status='rate_limited'
-- and auto-disables the schedule.
--
-- The core issue: the claude-code-sdk adapter returns HTTP 200 even when the
-- inner LLM call throws (e.g. Max-plan rate-limit). All 3 observed runs logged
-- "completed (HTTP 200)" yet surfaced agent errors in the workspace chat.
-- This counter lets us detect that pattern and escalate appropriately.
-
-ALTER TABLE workspace_schedules
-    ADD COLUMN IF NOT EXISTS consecutive_sdk_errors INTEGER NOT NULL DEFAULT 0;
-
-COMMENT ON COLUMN workspace_schedules.consecutive_sdk_errors IS
-    'Count of consecutive scheduler fires where ProxyA2ARequest returned HTTP 200
-     but the response body contained a non-ok result_kind (e.g. rate_limited,
-     sdk_error, quota_exhausted). Reset to 0 on any non-SDK-error status.
-     After 3 consecutive SDK errors the schedule is auto-disabled with
-     status rate_limited. Fixes #1696.';
@@ -1,2 +0,0 @@
-DROP INDEX IF EXISTS idx_workspace_display_control_locks_expires;
-DROP TABLE IF EXISTS workspace_display_control_locks;
@@ -1,11 +0,0 @@
-CREATE TABLE IF NOT EXISTS workspace_display_control_locks (
-    workspace_id uuid PRIMARY KEY REFERENCES workspaces(id) ON DELETE CASCADE,
-    controller text NOT NULL CHECK (controller IN ('user', 'agent')),
-    controlled_by text NOT NULL CHECK (length(controlled_by) > 0 AND length(controlled_by) <= 200),
-    expires_at timestamptz NOT NULL,
-    created_at timestamptz NOT NULL DEFAULT now(),
-    updated_at timestamptz NOT NULL DEFAULT now()
-);
-
-CREATE INDEX IF NOT EXISTS idx_workspace_display_control_locks_expires
-    ON workspace_display_control_locks (expires_at);
@@ -1,11 +0,0 @@
-- Reverse of 20260523130000_drop_workspaces_awareness_namespace.up.sql.
--
-- Restores the workspaces.awareness_namespace column verbatim from
-- migration 010_workspace_awareness.sql so a down-cycle leaves the
-- schema bit-identical to the pre-drop state. The column will be
-- NULL on all rows after re-add — handlers no longer write to it and
-- callers no longer read it, so this is functionally inert without
-- a paired code revert.
-
-ALTER TABLE workspaces
-    ADD COLUMN IF NOT EXISTS awareness_namespace TEXT;
@@ -1,19 +0,0 @@
-- Issue #1735 — drop the workspaces.awareness_namespace column.
--
-- "Awareness namespaces" were a memory-routing surface (env vars
-- AWARENESS_URL / AWARENESS_NAMESPACE) that was plumbed across the
-- platform but never wired in any production or staging environment
-- (verified 2026-05-23 via Railway GraphQL on the controlplane service:
-- AWARENESS_* unset in both env IDs 59227671-… and 639539ec-…).
--
-- The column added by migration 010_workspace_awareness.sql was only
-- ever populated with the canonical "workspace:<id>" string, which is
-- also the v2 memory namespace string (see internal/memory/namespace/
-- resolver.go:186). Removing the column does not change any agent-
-- visible memory namespace — handlers now compute the same
-- "workspace:<id>" string inline when inserting into agent_memories.
--
-- Related: #1733 (memory SSOT consolidation), #1734 (Memory tab bug).
-
-ALTER TABLE workspaces
-    DROP COLUMN IF EXISTS awareness_namespace;
				`@@ -1 +0,0 @@`
				`ALTER TABLE workspaces DROP COLUMN IF EXISTS compute;`