test(e2e): expose peer visibility token fallback failures

Merge pull request #1637
ci: compensate cancelled push status noise
2026-05-21 10:17:23 -07:00 · 2026-05-21 07:24:34 +00:00 · 2026-05-21 00:19:56 -07:00 · 2026-05-21 06:59:26 +00:00 · 2026-05-21 06:59:25 +00:00 · 2026-05-20 23:12:27 -07:00
396 changed files with 9846 additions and 75665 deletions
@@ -0,0 +1,174 @@
+#!/usr/bin/env python3
+"""Shared path-filter helper for Gitea Actions workflows.
+
+Computes changed files against the PR base SHA or push-before SHA and writes
+boolean outputs to GITHUB_OUTPUT. If the diff base is missing or untrusted, the
+helper fails open by setting every output in the selected profile to true.
+"""
+
+from __future__ import annotations
+
+import argparse
+import os
+import re
+import subprocess
+import sys
+from pathlib import Path
+
+
+PROFILES: dict[str, dict[str, str]] = {
+    "ci": {
+        "platform": r"^workspace-server/",
+        "canvas": r"^canvas/",
+        "python": r"^workspace/",
+        "scripts": r"^tests/e2e/|^scripts/|^infra/scripts/",
+    },
+    "handlers-postgres": {
+        "handlers": (
+            r"^workspace-server/internal/handlers/"
+            r"|^workspace-server/internal/wsauth/"
+            r"|^workspace-server/migrations/"
+            r"|^\.gitea/workflows/handlers-postgres-integration\.yml$"
+        ),
+    },
+    "e2e-api": {
+        "api": r"^workspace-server/|^tests/e2e/|^\.gitea/workflows/e2e-api\.yml$",
+    },
+}
+
+
+def classify(profile: str, paths: list[str]) -> dict[str, bool]:
+    patterns = PROFILES[profile]
+    return {
+        name: any(re.search(pattern, path) for path in paths)
+        for name, pattern in patterns.items()
+    }
+
+
+def all_true(profile: str) -> dict[str, bool]:
+    return {name: True for name in PROFILES[profile]}
+
+
+def resolve_base(event_name: str, pr_base_sha: str, push_before: str) -> str:
+    if event_name == "pull_request" and pr_base_sha:
+        return pr_base_sha
+    return push_before
+
+
+def is_zero_sha(value: str) -> bool:
+    return not value or bool(re.fullmatch(r"0+", value))
+
+
+def run_git(args: list[str], *, timeout: int = 30) -> subprocess.CompletedProcess[str]:
+    return subprocess.run(
+        ["git", *args],
+        check=False,
+        text=True,
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE,
+        timeout=timeout,
+    )
+
+
+def base_exists(base: str) -> bool:
+    return run_git(["cat-file", "-e", base]).returncode == 0
+
+
+def fetch_base(base: str, base_ref: str) -> None:
+    # Gitea may reject fetching an arbitrary unadvertised SHA from a shallow
+    # PR checkout. Fetch the advertised base branch first, then fall back to
+    # the SHA for hosts that allow it.
+    if base_ref:
+        run_git(["fetch", "--depth=1", "origin", base_ref])
+    if not base_exists(base):
+        run_git(["fetch", "--depth=1", "origin", base])
+
+
+def deepen_base_ref(base_ref: str) -> None:
+    if base_ref:
+        run_git(["fetch", "--deepen=200", "origin", base_ref], timeout=60)
+
+
+def merge_base(base: str) -> str | None:
+    proc = run_git(["merge-base", base, "HEAD"])
+    if proc.returncode != 0:
+        return None
+    value = proc.stdout.strip()
+    return value or None
+
+
+def changed_paths(base: str, *, use_merge_base: bool) -> list[str] | None:
+    compare_base = base
+    if use_merge_base:
+        compare_base = merge_base(base) or ""
+        if not compare_base:
+            return None
+
+    proc = run_git(["diff", "--name-only", compare_base, "HEAD"])
+    if proc.returncode != 0:
+        return None
+    return [line for line in proc.stdout.splitlines() if line]
+
+
+def write_outputs(values: dict[str, bool], output_path: str | None) -> None:
+    lines = [f"{name}={'true' if value else 'false'}" for name, value in values.items()]
+    if output_path:
+        with Path(output_path).open("a", encoding="utf-8") as fh:
+            for line in lines:
+                fh.write(line + "\n")
+    else:
+        for line in lines:
+            print(line)
+
+
+def detect(
+    profile: str,
+    event_name: str,
+    pr_base_sha: str,
+    push_before: str,
+    base_ref: str = "",
+) -> dict[str, bool]:
+    base = resolve_base(event_name, pr_base_sha, push_before)
+    if is_zero_sha(base):
+        return all_true(profile)
+
+    if not base_exists(base):
+        fetch_base(base, base_ref)
+    if not base_exists(base):
+        return all_true(profile)
+
+    use_merge_base = event_name == "pull_request"
+    if use_merge_base and base_ref and merge_base(base) is None:
+        deepen_base_ref(base_ref)
+
+    paths = changed_paths(base, use_merge_base=use_merge_base)
+    if paths is None:
+        return all_true(profile)
+    return classify(profile, paths)
+
+
+def parse_args(argv: list[str]) -> argparse.Namespace:
+    parser = argparse.ArgumentParser(description=__doc__)
+    parser.add_argument("--profile", required=True, choices=sorted(PROFILES))
+    parser.add_argument("--event-name", default=os.environ.get("GITHUB_EVENT_NAME", ""))
+    parser.add_argument("--pr-base-sha", default="")
+    parser.add_argument("--base-ref", default="")
+    parser.add_argument("--push-before", default=os.environ.get("GITHUB_EVENT_BEFORE", ""))
+    return parser.parse_args(argv)
+
+
+def main(argv: list[str]) -> int:
+    args = parse_args(argv)
+    values = detect(
+        args.profile,
+        args.event_name,
+        args.pr_base_sha,
+        args.push_before,
+        args.base_ref,
+    )
+    write_outputs(values, os.environ.get("GITHUB_OUTPUT"))
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main(sys.argv[1:]))
@@ -61,6 +61,7 @@ import os
 import shutil
 import subprocess
 import sys
+import time
 import urllib.error
 import urllib.parse
 import urllib.request
@@ -89,6 +90,19 @@ API = f"https://{GITEA_HOST}/api/v1" if GITEA_HOST else ""
 # match by exact title without parsing.
 TITLE_PREFIX = "[main-red]"

+# Settling window (seconds) between initial red detection and the
+# pre-file recheck. The recheck filters out the two largest false-
+# positive classes seen in mc#1597..1630 (task #394, 2026-05-21):
+#   1. HEAD moved on (a new commit landed mid-tick) — the prior red SHA
+#      is no longer authoritative; let the next cron tick re-evaluate.
+#   2. Combined status recovered on the SAME SHA (transient
+#      cancel-cascade rolled forward to success on retry).
+# 90s is well below the hourly cron cadence; a real failure that
+# persists past it is the one we want surfaced.
+# Override with WATCHDOG_RECHECK_DELAY_SECS for tests / local probes
+# (the test suite stubs time.sleep to a no-op).
+RECHECK_DELAY_SECS = int(_env("WATCHDOG_RECHECK_DELAY_SECS", default="90"))
+

 def _require_runtime_env() -> None:
    """Enforce env contract — called from `main()` only.
@@ -172,6 +186,49 @@ def api(
        return status, {"_raw": raw.decode("utf-8", errors="replace")}


+# --------------------------------------------------------------------------
+# action_run.status resolver — extensibility hook for task #394.
+# --------------------------------------------------------------------------
+def _resolve_action_run_status(target_url: str) -> int | None:
+    """Resolve the underlying Gitea `action_run.status` integer for the
+    run referenced by `target_url`, returning None if the resolver
+    cannot reach an authoritative source from the runner.
+
+    Canonical Gitea 1.22.6 enum (per `models/actions/status.go` +
+    `reference_gitea_action_status_enum_corrected_2026_05_19`):
+        1=Success, 2=Failure, 3=Cancelled, 4=Skipped,
+        5=Waiting,  6=Running, 7=Blocked
+    Only `status == 2` is a real defect; status=3 is cancel-cascade and
+    status=1 is an emission artifact (Gitea wrote a 'failure' commit_status
+    row for a run that actually succeeded — observed empirically on
+    `publish-canvas-image` jobs at SHAs in mc#1597..1630).
+
+    CURRENT STATE (2026-05-20, verified): Gitea 1.22.6 exposes NO REST
+    endpoint for `action_run.status`. Probed:
+        /api/v1/repos/{o}/{r}/actions/runs/{id}   → HTTP 404
+        /api/v1/repos/{o}/{r}/actions/jobs/{id}   → HTTP 404
+        /api/v1/repos/{o}/{r}/actions/tasks/{id}  → HTTP 404
+        /swagger.v1.json paths containing 'actions' → secrets+variables+runners only
+    The SPA backend (`/{repo}/actions/runs/{id}/jobs/{idx}` POST) requires
+    a session CSRF token, unreachable from a runner. The only authoritative
+    source today is direct DB access (`mol_action_status` on op-host,
+    `docker exec molecule-postgres-1 psql ...`), which the runner cannot
+    reach.
+
+    Therefore: this hook returns None on every call. Callers MUST fall
+    back to the description-string filter (existing) plus the HEAD
+    recheck (this PR). When a future Gitea release (>=1.23 expected) or
+    an op-host proxy exposes the endpoint, replace the body of this
+    function with an `api(...)` call — the caller contract is stable.
+
+    See also:
+        - `reference_chronic_red_sweep_cancelled_vs_failed_filter`
+        - `feedback_gitea_status_enum_use_helper_not_raw_int`
+    """
+    _ = target_url  # noqa: F841 — intentional placeholder
+    return None
+
+
 # --------------------------------------------------------------------------
 # Gitea reads
 # --------------------------------------------------------------------------
@@ -218,6 +275,31 @@ def is_red(status: dict) -> tuple[bool, list[dict]]:

    `failed_statuses` is the list of per-context entries whose own
    `state` is in the red set; useful for the issue body.
+
+    Cancel-cascade filter (mc#1564, 2026-05-19):
+      Gitea maps BOTH `action_run.status=2 (Failure)` AND
+      `action_run.status=3 (Cancelled)` to commit-status string
+      `"failure"`. On a busy main with
+      `concurrency: cancel-in-progress: true`, every merge burst
+      cancels prior in-flight runs (status=3) — those bubble to the
+      combined-status `failure` and inflate the watchdog's red%,
+      generating phantom `[main-red]` issues (mc#1562/#1552/#1540/...).
+      Canonical Gitea 1.22.6 enum per `models/actions/status.go` +
+      `reference_gitea_action_status_enum_corrected_2026_05_19`:
+          1=Success, 2=Failure, 3=Cancelled, 4=Skipped,
+          5=Waiting, 6=Running, 7=Blocked
+      We only want status=2 (real defects) to file. At the
+      commit-status layer we don't have the integer enum directly
+      (only the `failure` rollup string), so we use the description
+      string Gitea writes when a run is cancelled — empirically
+      `"Has been cancelled"` (verified 2026-05-19 via #1562 body).
+      Real failures show `"Failing after Ns"` and are unaffected.
+      This is option B from mc#1564 (description-string filter, no
+      extra API call). Description-string stability is a soft contract
+      with Gitea; if a future release renames it, the cancel-cascade
+      entries will simply leak back through (visible-not-silent), and
+      we'll either re-pin the string or upgrade to option A (resolve
+      the underlying action_run.status integer via target_url).
    """
    combined = status.get("state")
    statuses = status.get("statuses") or []
@@ -233,11 +315,30 @@ def is_red(status: dict) -> tuple[bool, list[dict]]:
    def _entry_state(s: dict) -> str:
        return s.get("status") or s.get("state") or ""

+    def _is_cancel_cascade(s: dict) -> bool:
+        """status=3 entry per Gitea 1.22.6 description-string contract.
+        Match exactly (after strip) — substring match would catch
+        legitimate test names like "Has been cancelled by the user
+        unexpectedly" in failure logs."""
+        desc = (s.get("description") or "").strip()
+        return desc == "Has been cancelled"
+
    failed = [
        s for s in statuses
-        if isinstance(s, dict) and _entry_state(s) in red_states
+        if isinstance(s, dict)
+        and _entry_state(s) in red_states
+        and not _is_cancel_cascade(s)
    ]
-    return (combined in red_states or bool(failed), failed)
+    # Combined state alone is no longer sufficient — combined=failure
+    # may be 100% cancel-cascade. Drive `red` off the FILTERED list:
+    # if every red-shaped per-entry was cancel-cascade, `failed` is
+    # empty and we report green. Combined-failure with no per-entry
+    # detail (empty `statuses[]`) still trips red — that's the
+    # "CI emitter set combined-status directly" edge case from
+    # render_body's fallback path; we keep filing on it so the
+    # operator sees the breadcrumb.
+    combined_red_no_detail = combined in red_states and not statuses
+    return (bool(failed) or combined_red_no_detail, failed)


 # --------------------------------------------------------------------------
@@ -570,6 +671,56 @@ def run_once(*, dry_run: bool = False) -> int:
    }

    if red:
+        # HEAD recheck (task #394 — guards mc#1597..1630 false-positive
+        # cluster). After the initial detection, wait RECHECK_DELAY_SECS
+        # (default 90s; tests stub time.sleep) and re-evaluate:
+        #
+        #   1. Re-fetch HEAD SHA. If HEAD moved, a new commit landed
+        #      mid-tick — the prior red SHA is no longer authoritative
+        #      and the next cron run will re-evaluate against the new
+        #      HEAD. Skip-file.
+        #
+        #   2. If HEAD unchanged, re-fetch the combined status. If it
+        #      recovered (combined state no longer in {failure,error}
+        #      after the cancel-cascade filter), a transient retry
+        #      rolled the run forward. Skip-file.
+        #
+        # Both paths emit a Loki event distinguishable from the real
+        # `main_red_detected` so obs queries can track filter activity.
+        # The settling window is well below the hourly cron cadence —
+        # genuine failures persist past it and are surfaced normally.
+        time.sleep(RECHECK_DELAY_SECS)
+
+        recheck_sha = get_head_sha(WATCH_BRANCH)
+        if recheck_sha != sha:
+            emit_loki_event("main_red_skipped_head_drift", sha, [])
+            print(
+                f"::notice::skip-file (HEAD moved): initial red at "
+                f"{sha[:10]} but HEAD is now {recheck_sha[:10]} on "
+                f"{WATCH_BRANCH}; next cron tick will re-evaluate."
+            )
+            return 0
+
+        recheck_status = get_combined_status(sha)
+        recheck_red, recheck_failed = is_red(recheck_status)
+        if not recheck_red:
+            emit_loki_event("main_red_skipped_recovered", sha, [])
+            print(
+                f"::notice::skip-file (recovered after settling): "
+                f"combined state at {sha[:10]} flipped to "
+                f"{recheck_status.get('state')!r} on recheck; "
+                f"initial red was a transient cancel-cascade."
+            )
+            return 0
+
+        # Still red after settling — file/update. Use the recheck data
+        # as authoritative so the issue body reflects the latest state.
+        failed = recheck_failed
+        debug["recheck_combined_state"] = recheck_status.get("state")
+        debug["recheck_failed_contexts"] = [
+            s.get("context") for s in failed
+        ]
+
        failed_ctxs = [s.get("context") for s in failed if s.get("context")]
        emit_loki_event("main_red_detected", sha, failed_ctxs)
        print(f"::warning::main is RED at {sha[:10]} on {WATCH_BRANCH}: "
@@ -71,6 +71,12 @@ def build_plan(env: dict[str, str]) -> dict:
        "soak_seconds": _int_env(env, "PROD_AUTO_DEPLOY_SOAK_SECONDS", 60, minimum=0),
        "batch_size": _int_env(env, "PROD_AUTO_DEPLOY_BATCH_SIZE", 3),
        "dry_run": truthy_flag(env.get("PROD_AUTO_DEPLOY_DRY_RUN", "")),
+        # confirm:true ack required by CP /cp/admin/tenants/redeploy-fleet
+        # contract (cp#228 / task #308) for fleet-wide intent. Empty body
+        # / {confirm:false} / {only_slugs:[]} → 400. This caller is the
+        # production auto-deploy step that rolls every live tenant (canary
+        # + fan-out), no slug scoping, so confirm:true is correct.
+        "confirm": True,
    }
    if canary_slug:
        body["canary_slug"] = canary_slug
@@ -64,11 +64,41 @@ import argparse
 import json
 import os
 import re
+import resource
 import sys
 import urllib.error
 import urllib.parse
 import urllib.request
-from typing import Any, Callable
+from typing import Any, Callable, Iterator
+
+# ---------------------------------------------------------------------------
+# Address-space guardrail (RFC#369 / task #369 follow-up to mc#1242-class OOM).
+#
+# `get_issue_comments` paginates the full comment history of a PR. On
+# bot-relay-heavy PRs (e.g. mc#291, mc#1242) this can balloon past the
+# runner's cgroup memory limit and 137 the job. Cap virtual-address-space
+# at 2 GiB so the script OOMs as a `MemoryError` (catchable / surfaceable)
+# rather than a SIGKILL we can't post a status for.
+#
+# 2 GiB is generous — a 5000-comment PR with 1 KiB minimal-dicts (see
+# get_issue_comments below) fits in ~10 MiB, leaving plenty of headroom
+# for the Python runtime + urllib + json buffers.
+#
+# Skipped under pytest / dry-run where RLIMIT_AS would interfere with
+# test runner memory needs (set SOP_CHECKLIST_NO_RLIMIT=1 to opt out).
+if not os.environ.get("SOP_CHECKLIST_NO_RLIMIT"):
+    try:
+        resource.setrlimit(resource.RLIMIT_AS, (2 * 1024**3, 2 * 1024**3))
+    except (ValueError, OSError):
+        # macOS sometimes refuses RLIMIT_AS; not fatal — the Linux runner
+        # is the only place this matters for the OOM-prevention goal.
+        pass
+
+# Per-comment body cap (task #369). The directive parser walks the body
+# line-by-line looking for ^/sop-ack ^/sop-revoke ^/sop-n/a markers — only
+# the first few KiB matter for that. Cap each comment body so a single
+# pasted-log comment can't push us past the cgroup limit.
+_MAX_BODY_BYTES = int(os.environ.get("SOP_CHECKLIST_MAX_BODY_BYTES") or 8 * 1024)


 # ---------------------------------------------------------------------------
@@ -268,6 +298,7 @@ def compute_ack_state(
    items_by_slug: dict[str, dict[str, Any]],
    numeric_aliases: dict[int, str],
    team_membership_probe: "callable[[str, list[str]], list[str]]",
+    high_risk: bool = False,
 ) -> dict[str, dict[str, Any]]:
    """Compute per-item ack state.

@@ -330,11 +361,16 @@ def compute_ack_state(
    for slug, candidates in pending_team_check.items():
        if not candidates:
            continue
-        required = items_by_slug[slug]["required_teams"]
+        # Risk-class-aware required-teams resolution (RFC#450 Option C):
+        # high-risk PRs use `required_teams_high_risk` (when set on the
+        # item); default class uses `required_teams`. The probe closure
+        # is built with the same high_risk flag so the two reads are
+        # always consistent (both sites share `resolve_required_teams`).
+        required = resolve_required_teams(items_by_slug[slug], high_risk)
        approved = team_membership_probe(slug, candidates)  # returns subset
        rejected_not_in_team[slug] = [u for u in candidates if u not in approved]
        ackers_per_slug[slug] = approved
-        # Stash required teams for description rendering.
+        # Stash resolved teams for description rendering.
        items_by_slug[slug]["_required_resolved"] = required

    return {
@@ -454,16 +490,35 @@ class GiteaClient:
            raise RuntimeError(f"GET pulls/{pr} → HTTP {code}: {data!r}")
        return data

-    def get_issue_comments(
-        self, owner: str, repo: str, issue: int
-    ) -> list[dict[str, Any]]:
-        # Paginate. Gitea default page size 50.
-        out: list[dict[str, Any]] = []
+    def iter_issue_comments(
+        self, owner: str, repo: str, issue: int, page_size: int = 50
+    ) -> Iterator[dict[str, Any]]:
+        """Stream comments page-by-page, yielding ONE minimal-dict per comment.
+
+        Each yielded comment carries ONLY the fields the gate actually reads
+        — `{"user": {"login": str}, "body": str}` — and DROPS the much
+        larger Gitea-API extras (html_url, pull_request_url, issue_url,
+        assets, created_at, updated_at, id, original_author_*).
+
+        Memory motivation (task #369 / mc#1242-class OOM): full Gitea
+        comment dicts are ~2 KiB median + ~3 KiB p95. On PRs with several
+        thousand bot-relay comments the eager `list[full_dict]` shape used
+        previously pushed runner anon-rss past the cgroup limit. The
+        minimal-dict shape is ~10-20x smaller (typically ~50-100B Python
+        overhead + the body string).
+
+        The two downstream consumers (`compute_ack_state`,
+        `compute_na_state`) each iterate the comment list exactly once and
+        read only `body` + `user.login`, so dropping every other field is
+        safe. They still receive `list[dict[str, Any]]`-shaped objects so
+        the test fixtures (which already used the minimal shape) keep
+        working with no fixture changes.
+        """
        page = 1
        while True:
            code, data = self._req(
                "GET",
-                f"/repos/{owner}/{repo}/issues/{issue}/comments?limit=50&page={page}",
+                f"/repos/{owner}/{repo}/issues/{issue}/comments?limit={page_size}&page={page}",
            )
            if code != 200:
                raise RuntimeError(
@@ -471,10 +526,41 @@ class GiteaClient:
                )
            if not data:
                break
-            out.extend(data)
-            if len(data) < 50:
+            for c in data:
+                # Minimal projection — drop ALL fields the gate doesn't read.
+                user_login = ((c.get("user") or {}).get("login") or "") if isinstance(c, dict) else ""
+                body = (c.get("body") if isinstance(c, dict) else "") or ""
+                # Body-size guardrail: huge comments (e.g. pasted CI logs) can
+                # individually be MiBs. The directive parser only needs the
+                # first ~8 KiB to find /sop-ack /sop-revoke /sop-n/a markers
+                # — anything past that is filler. Truncate at 8 KiB so a
+                # single oversized comment can't OOM the runner.
+                if len(body) > _MAX_BODY_BYTES:
+                    body = body[:_MAX_BODY_BYTES]
+                yield {"user": {"login": user_login}, "body": body}
+            if len(data) < page_size:
                break
            page += 1
+
+    def get_issue_comments(
+        self,
+        owner: str,
+        repo: str,
+        issue: int,
+        max_comments: int | None = None,
+    ) -> list[dict[str, Any]]:
+        """Paginate + collect minimal comment dicts. See `iter_issue_comments`
+        for the per-comment shape and the OOM-prevention rationale.
+
+        `max_comments` (optional, default unbounded): hard cap. When the cap
+        is hit we stop fetching further pages and the caller surfaces a
+        soft 'skipping due to volume' status (see main()).
+        """
+        out: list[dict[str, Any]] = []
+        for c in self.iter_issue_comments(owner, repo, issue):
+            out.append(c)
+            if max_comments is not None and len(out) >= max_comments:
+                break
        return out

    def resolve_team_id(self, org: str, team_name: str) -> int | None:
@@ -765,6 +851,42 @@ def get_tier_mode(pr: dict[str, Any], cfg: dict[str, Any]) -> str:
    return default_mode


+def is_high_risk(pr: dict[str, Any], cfg: dict[str, Any]) -> bool:
+    """Return True when the PR is high-risk per RFC#450 Option C.
+
+    A PR is high-risk when ANY of:
+      - it carries the `tier:high` label (mechanically strictest tier), or
+      - it carries any label listed in cfg.high_risk_labels.
+
+    High-risk PRs use `required_teams_high_risk` (when set on an item)
+    instead of the default `required_teams`. Items without
+    `required_teams_high_risk` are unaffected (the default applies).
+
+    Governance fix for internal#442 — closes the inconsistency between
+    sop-tier-check (tier-aware) and sop-checklist (was tier-blind).
+    """
+    label_set = {(l.get("name") or "") for l in (pr.get("labels") or [])}
+    if "tier:high" in label_set:
+        return True
+    high_risk_labels = set(cfg.get("high_risk_labels") or [])
+    return bool(label_set & high_risk_labels)
+
+
+def resolve_required_teams(item: dict[str, Any], high_risk: bool) -> list[str]:
+    """Pick the active required_teams list for an item.
+
+    When high_risk is True AND the item declares a non-empty
+    `required_teams_high_risk`, return that. Else fall back to
+    `required_teams`. Keeping this in one helper means the gate's
+    decision shape stays single-sited even as items grow.
+    """
+    if high_risk:
+        elevated = item.get("required_teams_high_risk") or []
+        if elevated:
+            return list(elevated)
+    return list(item.get("required_teams") or [])
+
+
 def main(argv: list[str] | None = None) -> int:
    p = argparse.ArgumentParser()
    p.add_argument("--owner", required=True)
@@ -790,6 +912,17 @@ def main(argv: list[str] | None = None) -> int:
            "thing BP sees is the POSTed status. Useful for local debugging."
        ),
    )
+    p.add_argument(
+        "--max-comments",
+        type=int,
+        default=int(os.environ.get("SOP_CHECKLIST_MAX_COMMENTS") or 5000),
+        help=(
+            "Hard cap on comments fetched from the PR. Above this we post "
+            "a SOFT-pending status with a 'skipping due to volume' note "
+            "instead of OOM'ing the runner (task #369). Override with the "
+            "SOP_CHECKLIST_MAX_COMMENTS env var. Set 0 to disable the cap."
+        ),
+    )
    args = p.parse_args(argv)

    token = os.environ.get("GITEA_TOKEN", "")
@@ -823,7 +956,24 @@ def main(argv: list[str] | None = None) -> int:
        print("::error::PR payload missing user.login or head.sha", file=sys.stderr)
        return 1

-    comments = client.get_issue_comments(args.owner, args.repo, args.pr)
+    max_comments_cap = args.max_comments if args.max_comments and args.max_comments > 0 else None
+    comments = client.get_issue_comments(
+        args.owner, args.repo, args.pr, max_comments=max_comments_cap
+    )
+
+    # Volume short-circuit: PRs with thousands of bot-relay comments
+    # (the mc#1242-class OOM source) get a soft 'volume-skipped' status
+    # so the gate doesn't churn the runner; reviewers can re-trigger by
+    # editing the PR or filing a fresh PR with the housekeeping comments
+    # split off. Cap-hit means we couldn't see the WHOLE history, so we
+    # can't fairly post failure — pending is the safe default.
+    volume_skipped = bool(max_comments_cap and len(comments) >= max_comments_cap)
+
+    # High-risk classification (RFC#450 Option C, governance fix for
+    # internal#442). Computed ONCE per PR — used by both the probe
+    # closure and compute_ack_state so the elevation decision is
+    # single-sited.
+    high_risk = is_high_risk(pr, cfg)

    # Build team-membership probe closure that caches results per
    # (user, team-id) so a user acking multiple items only triggers
@@ -831,8 +981,34 @@ def main(argv: list[str] | None = None) -> int:
    team_member_cache: dict[tuple[str, int], bool | None] = {}

    def probe(slug: str, users: list[str]) -> list[str]:
-        item = items_by_slug[slug]
-        team_names: list[str] = item["required_teams"]
+        # `slug` may be either an items-key (compute_ack_state caller) OR
+        # an n/a-gate key (compute_na_state caller). Previously this hard
+        # KeyError'd on the n/a-gate path when slug was e.g. "security-review"
+        # — that's a config gate, not an item — so the gate would crash
+        # instead of falling back to the gate's own required_teams. Fix
+        # task #369 follow-up to issue #355.
+        if slug in items_by_slug:
+            item = items_by_slug[slug]
+            team_names: list[str] = resolve_required_teams(item, high_risk)
+        elif slug in na_gates:
+            # n/a-gate configs carry `required_teams` directly (see
+            # sop-checklist-config.yaml: n/a_gates.<gate>.required_teams).
+            gate_cfg = na_gates[slug] or {}
+            team_names = list(gate_cfg.get("required_teams") or [])
+            if not team_names:
+                print(
+                    f"::warning::n/a-gate '{slug}' has no required_teams; "
+                    "fail-closed (no users will be approved)",
+                    file=sys.stderr,
+                )
+        else:
+            # Unknown slug — fail closed, log so we can find config drift.
+            print(
+                f"::warning::probe() called with slug '{slug}' which is "
+                f"neither an items entry nor an n/a-gate; fail-closed",
+                file=sys.stderr,
+            )
+            return []
        # Resolve names → ids. NOTE: orgs/{org}/teams/search may not be
        # available — fall back to the list endpoint.
        team_ids: list[int] = []
@@ -877,7 +1053,9 @@ def main(argv: list[str] | None = None) -> int:
                    # may still find membership in another team.
        return approved

-    ack_state = compute_ack_state(comments, author, items_by_slug, numeric_aliases, probe)
+    ack_state = compute_ack_state(
+        comments, author, items_by_slug, numeric_aliases, probe, high_risk=high_risk
+    )
    body_state = {it["slug"]: section_marker_present(body, it["pr_section_marker"]) for it in items}

    state, description = render_status(items, ack_state, body_state)
@@ -888,9 +1066,21 @@ def main(argv: list[str] | None = None) -> int:
        # were not required (vs a tier:medium+ PR that truly passed all acks).
        state = "success"
        description = f"[info tier:low] {description}"
+    if volume_skipped:
+        # Above the comment-cap — we may have a partial view. Soft-pend
+        # so neither BP nor the author gets stuck; surface the cap so
+        # reviewers know what's up. No-block at the gate level.
+        state = "pending"
+        description = (
+            f"[volume-skipped] comment-cap={max_comments_cap} hit; please file "
+            f"a fresh PR with bot-relay history split off (#369). {description}"
+        )

    # Diagnostics to job log.
-    print(f"::notice::PR #{args.pr} author={author} head={head_sha[:7]} mode={mode}")
+    print(
+        f"::notice::PR #{args.pr} author={author} head={head_sha[:7]} "
+        f"mode={mode} risk_class={'high' if high_risk else 'default'}"
+    )
    for it in items:
        slug = it["slug"]
        ackers = ack_state[slug]["ackers"]
@@ -47,7 +47,9 @@ What this script does, per `.gitea/workflows/status-reaper.yml` invocation:
         Parse context as `<workflow_name> / <job_name> (push)`.
         Look up workflow_name in the trigger map:
           - missing → log ::notice:: and skip (conservative).
-           - has_push_trigger=True → preserve (real defect signal).
+           - has_push_trigger=True and description == "Has been cancelled"
+             → compensate cancelled/superseded push noise.
+           - has_push_trigger=True otherwise → preserve (real defect signal).
           - has_push_trigger=False → POST a compensating
             `state=success` status to /statuses/{sha} with the same
             context (Gitea de-dups by context) and a description
@@ -141,6 +143,11 @@ PR_SHADOW_COMPENSATION_DESCRIPTION = (
    "shadowed by successful push status on same SHA; see "
    ".gitea/scripts/status-reaper.py)"
 )
+CANCELLED_PUSH_COMPENSATION_DESCRIPTION = (
+    "Compensated by status-reaper (push run was cancelled/superseded; "
+    "Gitea 1.22.6 reports cancelled runs as failure statuses)"
+)
+CANCELLED_DESCRIPTION = "Has been cancelled"

 # Context suffix the reaper acts on. Gitea hardcodes this for ALL
 # default-branch workflow runs.
@@ -476,7 +483,7 @@ def reap(
      {compensated, preserved_real_push, preserved_unknown,
       preserved_non_failure, preserved_non_push_suffix,
       preserved_unparseable, compensated_pr_shadowed_by_push_success,
-       preserved_pr_without_push_success,
+       preserved_pr_without_push_success, compensated_cancelled_push,
       compensated_contexts: [<context>, ...]}

    `compensated_contexts` is rev2-added so `reap_branch` can build
@@ -490,6 +497,7 @@ def reap(
        "preserved_non_push_suffix": 0,
        "preserved_unparseable": 0,
        "compensated_pr_shadowed_by_push_success": 0,
+        "compensated_cancelled_push": 0,
        "preserved_pr_without_push_success": 0,
        "compensated_contexts": [],
    }
@@ -567,8 +575,27 @@ def reap(
            counters["preserved_unknown"] += 1
            continue

+        if (s.get("description") or "").strip() == CANCELLED_DESCRIPTION:
+            # Gitea 1.22.6 maps cancelled action runs to failure commit
+            # statuses. During merge bursts, older push runs can be
+            # superseded and cancelled even though a newer run for the
+            # same branch is the real signal. Compensate only the exact
+            # Gitea cancellation description; real push failures remain red.
+            post_compensating_status(
+                sha,
+                context,
+                s.get("target_url"),
+                description=CANCELLED_PUSH_COMPENSATION_DESCRIPTION,
+                dry_run=dry_run,
+            )
+            counters["compensated"] += 1
+            counters["compensated_cancelled_push"] += 1
+            counters["compensated_contexts"].append(context)
+            continue
+
        if workflow_trigger_map[workflow_name]:
-            # Real push trigger → real defect signal. Preserve.
+            # Real push trigger with a non-cancelled failure description
+            # remains a defect signal. Preserve.
            counters["preserved_real_push"] += 1
            continue

@@ -674,6 +701,7 @@ def reap_branch(
            "preserved_non_push_suffix": 0,
            "preserved_unparseable": 0,
            "compensated_pr_shadowed_by_push_success": 0,
+            "compensated_cancelled_push": 0,
            "preserved_pr_without_push_success": 0,
            "compensated_per_sha": {},
            "skipped": True,
@@ -689,6 +717,7 @@ def reap_branch(
        "preserved_non_push_suffix": 0,
        "preserved_unparseable": 0,
        "compensated_pr_shadowed_by_push_success": 0,
+        "compensated_cancelled_push": 0,
        "preserved_pr_without_push_success": 0,
        "compensated_per_sha": {},
    }
@@ -728,6 +757,7 @@ def reap_branch(
            "preserved_non_push_suffix",
            "preserved_unparseable",
            "compensated_pr_shadowed_by_push_success",
+            "compensated_cancelled_push",
            "preserved_pr_without_push_success",
        ):
            aggregate[key] += per_sha[key]
@@ -36,9 +36,37 @@ def test_build_plan_defaults_to_staging_sha_target_and_prod_cp():
        "soak_seconds": 60,
        "batch_size": 3,
        "dry_run": False,
+        # cp#228 / task #308: fleet-wide intent must carry confirm:true.
+        "confirm": True,
    }


+def test_build_plan_always_sets_confirm_true_for_fleet_intent():
+    """Regression guard: every plan body MUST carry confirm:true.
+
+    CP /cp/admin/tenants/redeploy-fleet (cp#228) returns 400 on empty
+    body / {confirm:false} / {only_slugs:[]} to prevent accidental
+    fleet-wide mutation. This caller is fleet-wide intent (canary +
+    fan-out, no slug scoping), so the plan MUST carry confirm:true.
+    Pairs with cp#228's TestRedeployFleet_EmptyBodyReturns400 +
+    TestRedeployFleet_ConfirmTrueProceeds.
+    """
+    plan = prod.build_plan({"GITHUB_SHA": "abcdef1234567890"})
+    assert plan["body"]["confirm"] is True
+
+    # Operator-overridable knobs do NOT drop the ack.
+    plan = prod.build_plan(
+        {
+            "GITHUB_SHA": "abcdef1234567890",
+            "PROD_AUTO_DEPLOY_SOAK_SECONDS": "0",
+            "PROD_AUTO_DEPLOY_BATCH_SIZE": "10",
+            "PROD_AUTO_DEPLOY_DRY_RUN": "true",
+            "PROD_AUTO_DEPLOY_CANARY_SLUG": "",
+        }
+    )
+    assert plan["body"]["confirm"] is True
+
+
 def test_build_plan_rejects_non_prod_cp_without_explicit_override():
    try:
        prod.build_plan(
@@ -602,4 +602,405 @@ class TestComputeNaState(unittest.TestCase):
        self.assertEqual(len(na_directives), 1)
        self.assertEqual(na_directives[0][0], "sop-n/a")
        self.assertEqual(na_directives[0][1], "qa-review")
-        self.assertIn("no surface", na_directives[0][2])
+
+
+# ---------------------------------------------------------------------------
+# RFC#450 Option C — risk-classed two-eyes (governance fix for internal#442)
+# ---------------------------------------------------------------------------
+
+
+class TestIsHighRisk(unittest.TestCase):
+    """The high-risk predicate decides which required_teams list applies.
+
+    Predicate: tier:high label OR any label in cfg.high_risk_labels.
+    """
+
+    def setUp(self):
+        self.cfg = sop.load_config(CONFIG_PATH)
+
+    def test_no_labels_is_default_class(self):
+        pr = {"labels": []}
+        self.assertFalse(sop.is_high_risk(pr, self.cfg))
+
+    def test_tier_high_is_high_risk(self):
+        pr = {"labels": [{"name": "tier:high"}]}
+        self.assertTrue(sop.is_high_risk(pr, self.cfg))
+
+    def test_tier_low_is_default_class(self):
+        pr = {"labels": [{"name": "tier:low"}]}
+        self.assertFalse(sop.is_high_risk(pr, self.cfg))
+
+    def test_tier_medium_is_default_class(self):
+        # tier:medium alone is NOT high-risk (Option C — medium routes
+        # to the wider engineers OR-set).
+        pr = {"labels": [{"name": "tier:medium"}]}
+        self.assertFalse(sop.is_high_risk(pr, self.cfg))
+
+    def test_area_security_label_is_high_risk(self):
+        pr = {"labels": [{"name": "tier:medium"}, {"name": "area:security"}]}
+        self.assertTrue(sop.is_high_risk(pr, self.cfg))
+
+    def test_area_schema_label_is_high_risk(self):
+        pr = {"labels": [{"name": "area:schema"}]}
+        self.assertTrue(sop.is_high_risk(pr, self.cfg))
+
+    def test_area_identity_label_is_high_risk(self):
+        pr = {"labels": [{"name": "area:identity"}]}
+        self.assertTrue(sop.is_high_risk(pr, self.cfg))
+
+    def test_area_fleet_image_label_is_high_risk(self):
+        pr = {"labels": [{"name": "area:fleet-image"}]}
+        self.assertTrue(sop.is_high_risk(pr, self.cfg))
+
+    def test_area_gate_meta_label_is_high_risk(self):
+        # Gate-meta = changes to sop-checklist/sop-tier-check itself.
+        pr = {"labels": [{"name": "area:gate-meta"}]}
+        self.assertTrue(sop.is_high_risk(pr, self.cfg))
+
+    def test_unknown_area_label_is_default_class(self):
+        pr = {"labels": [{"name": "area:docs"}]}
+        self.assertFalse(sop.is_high_risk(pr, self.cfg))
+
+
+class TestResolveRequiredTeams(unittest.TestCase):
+    """The team resolver picks the elevated list only for high-risk PRs
+    AND only when the item declares one — items without an elevated
+    list always use the default required_teams."""
+
+    def test_default_class_uses_default_teams(self):
+        item = {"required_teams": ["engineers", "managers", "ceo"], "required_teams_high_risk": ["ceo"]}
+        self.assertEqual(
+            sop.resolve_required_teams(item, high_risk=False),
+            ["engineers", "managers", "ceo"],
+        )
+
+    def test_high_risk_uses_elevated_teams(self):
+        item = {"required_teams": ["engineers", "managers", "ceo"], "required_teams_high_risk": ["ceo"]}
+        self.assertEqual(
+            sop.resolve_required_teams(item, high_risk=True),
+            ["ceo"],
+        )
+
+    def test_high_risk_without_elevated_falls_back_to_default(self):
+        # Items that don't declare required_teams_high_risk (e.g.
+        # comprehensive-testing, staging-smoke) are unaffected by risk-class.
+        item = {"required_teams": ["engineers"]}
+        self.assertEqual(
+            sop.resolve_required_teams(item, high_risk=True),
+            ["engineers"],
+        )
+
+    def test_empty_elevated_list_falls_back_to_default(self):
+        # A defensive case: required_teams_high_risk: [] should not
+        # silently lock out all approvers — fall back to the default
+        # so the gate stays satisfiable. (Tightening should remove the
+        # key, not set it to empty.)
+        item = {"required_teams": ["engineers"], "required_teams_high_risk": []}
+        self.assertEqual(
+            sop.resolve_required_teams(item, high_risk=True),
+            ["engineers"],
+        )
+
+
+class TestRootCauseAckEligibilityWidened(unittest.TestCase):
+    """Closes internal#442: a non-author engineers-team ack now satisfies
+    root-cause / no-backwards-compat for the default class.
+
+    The dead-managers/ceo-persona-token gridlock is the symptom; the
+    root cause is that sop-checklist ignored tier-class. These tests
+    pin the new wider-default behavior so it can't regress silently.
+    """
+
+    def setUp(self):
+        self.items = _items_by_slug()
+        self.aliases = _numeric_aliases()
+
+    @staticmethod
+    def _approve_only(allowed):
+        return lambda slug, users: [u for u in users if u in allowed]
+
+    def test_engineers_ack_satisfies_root_cause_default_class(self):
+        # Bob is in engineers only (not managers, not ceo). Default class.
+        comments = [_comment("bob", "/sop-ack root-cause")]
+        # Probe: bob is approved because root-cause now lists engineers.
+        probe = self._approve_only({"bob"})
+        state = sop.compute_ack_state(
+            comments, "alice", self.items, self.aliases, probe, high_risk=False
+        )
+        self.assertEqual(state["root-cause"]["ackers"], ["bob"])
+
+    def test_engineers_ack_satisfies_no_backwards_compat_default_class(self):
+        comments = [_comment("bob", "/sop-ack no-backwards-compat")]
+        probe = self._approve_only({"bob"})
+        state = sop.compute_ack_state(
+            comments, "alice", self.items, self.aliases, probe, high_risk=False
+        )
+        self.assertEqual(state["no-backwards-compat"]["ackers"], ["bob"])
+
+    def test_engineers_ack_alone_fails_root_cause_when_high_risk(self):
+        # High-risk PR: only ceo can ack. Engineers-only ack must fail.
+        comments = [_comment("bob", "/sop-ack root-cause")]
+        # Probe: bob is in engineers, not ceo. Under high_risk,
+        # required_teams_high_risk=[ceo] → bob is NOT approved.
+        # Probe receives the items + flag indirectly via main(); for
+        # the unit-test path we inject a probe that rejects bob.
+        probe = self._approve_only(set())  # nobody is in ceo
+        state = sop.compute_ack_state(
+            comments, "alice", self.items, self.aliases, probe, high_risk=True
+        )
+        self.assertEqual(state["root-cause"]["ackers"], [])
+        self.assertIn("bob", state["root-cause"]["rejected"]["not_in_team"])
+
+    def test_ceo_ack_satisfies_root_cause_when_high_risk(self):
+        # High-risk PR + ceo-team approver → passes (the senior path).
+        comments = [_comment("hongming", "/sop-ack root-cause")]
+        probe = self._approve_only({"hongming"})
+        state = sop.compute_ack_state(
+            comments, "alice", self.items, self.aliases, probe, high_risk=True
+        )
+        self.assertEqual(state["root-cause"]["ackers"], ["hongming"])
+
+    def test_self_ack_still_forbidden_even_with_widened_eligibility(self):
+        # Author cannot self-ack — widening teams must NOT weaken
+        # the non-author rule.
+        comments = [_comment("alice", "/sop-ack root-cause")]
+        probe = self._approve_only({"alice"})
+        state = sop.compute_ack_state(
+            comments, "alice", self.items, self.aliases, probe, high_risk=False
+        )
+        self.assertEqual(state["root-cause"]["ackers"], [])
+        self.assertIn("alice", state["root-cause"]["rejected"]["self_ack"])
+
+
+class TestHighRiskClassUsesElevatedListInConfig(unittest.TestCase):
+    """End-to-end: the shipped config + RFC#450 predicate must keep
+    root-cause / no-backwards-compat gated on ceo for high-risk PRs."""
+
+    def test_root_cause_high_risk_elevated_to_ceo_only(self):
+        items = _items_by_slug()
+        # tier:high alone makes the PR high-risk → root-cause needs ceo.
+        self.assertEqual(
+            sop.resolve_required_teams(items["root-cause"], high_risk=True),
+            ["ceo"],
+        )
+        # Default class accepts engineers/managers/ceo.
+        self.assertEqual(
+            sorted(sop.resolve_required_teams(items["root-cause"], high_risk=False)),
+            sorted(["engineers", "managers", "ceo"]),
+        )
+
+    def test_no_backwards_compat_high_risk_elevated_to_ceo_only(self):
+        items = _items_by_slug()
+        self.assertEqual(
+            sop.resolve_required_teams(items["no-backwards-compat"], high_risk=True),
+            ["ceo"],
+        )
+        self.assertEqual(
+            sorted(sop.resolve_required_teams(items["no-backwards-compat"], high_risk=False)),
+            sorted(["engineers", "managers", "ceo"]),
+        )
+
+    def test_other_items_unchanged_by_risk_class(self):
+        # Items without required_teams_high_risk are unaffected.
+        items = _items_by_slug()
+        for slug in (
+            "comprehensive-testing",
+            "local-postgres-e2e",
+            "staging-smoke",
+            "five-axis-review",
+            "memory-consulted",
+        ):
+            self.assertEqual(
+                sop.resolve_required_teams(items[slug], high_risk=False),
+                sop.resolve_required_teams(items[slug], high_risk=True),
+                f"item {slug} should not be affected by risk-class",
+            )
+
+
+# ---------------------------------------------------------------------------
+# get_issue_comments — streaming + minimal-dict shape (task #369 / OOM fix)
+# ---------------------------------------------------------------------------
+
+
+class _FakeReq:
+    """Stand-in for GiteaClient._req that serves canned pages."""
+
+    def __init__(self, pages):
+        # pages: list[list[dict]]; one page per call, exhausted in order.
+        self._pages = list(pages)
+        self.calls = []
+
+    def __call__(self, method, path, body=None, ok_codes=(200, 201, 204)):
+        self.calls.append((method, path))
+        if not self._pages:
+            return 200, []
+        return 200, self._pages.pop(0)
+
+
+class TestGetIssueCommentsStreaming(unittest.TestCase):
+    """Verify the OOM-fix invariants — minimal-dict shape + page break."""
+
+    def _client_with_pages(self, pages):
+        client = sop.GiteaClient("git.example.com", "tok")
+        client._req = _FakeReq(pages)  # type: ignore[method-assign]
+        return client
+
+    def test_minimal_dict_shape_drops_large_fields(self):
+        """get_issue_comments must DROP html_url/assets/timestamps/etc. and
+        keep ONLY {user.login, body} — that's the whole OOM-prevention."""
+        full_page = [
+            {
+                "id": 1234,
+                "html_url": "https://example.com/some-huge-url",
+                "pull_request_url": "https://example.com/some-other-huge-url",
+                "issue_url": "https://example.com/yet-another-url",
+                "user": {"login": "bob", "avatar_url": "x" * 4000, "id": 99},
+                "original_author": "",
+                "original_author_id": 0,
+                "body": "/sop-ack comprehensive-testing\n\nlooks good",
+                "assets": ["x" * 1000, "y" * 1000],
+                "created_at": "2026-05-19T01:02:03Z",
+                "updated_at": "2026-05-19T01:02:03Z",
+            }
+        ]
+        client = self._client_with_pages([full_page])
+        out = client.get_issue_comments("o", "r", 1)
+        self.assertEqual(len(out), 1)
+        # Only the two whitelisted keys + nested user.login
+        self.assertEqual(set(out[0].keys()), {"user", "body"})
+        self.assertEqual(set(out[0]["user"].keys()), {"login"})
+        self.assertEqual(out[0]["user"]["login"], "bob")
+        self.assertEqual(out[0]["body"], "/sop-ack comprehensive-testing\n\nlooks good")
+        # Critical: avatar/assets/timestamps/etc. must be gone (~4KB+ each).
+        self.assertNotIn("html_url", out[0])
+        self.assertNotIn("assets", out[0])
+        self.assertNotIn("created_at", out[0])
+
+    def test_pagination_break_on_short_page(self):
+        # Page-size 50; a page of <50 means no more pages.
+        page1 = [{"user": {"login": "u"}, "body": "x"}] * 7
+        client = self._client_with_pages([page1])
+        out = client.get_issue_comments("o", "r", 2)
+        self.assertEqual(len(out), 7)
+        # Should have made exactly 1 _req call (no page-2 probe).
+        self.assertEqual(len(client._req.calls), 1)
+
+    def test_pagination_continues_until_empty(self):
+        # Two full pages + one short page.
+        page1 = [{"user": {"login": "u"}, "body": "x"}] * 50
+        page2 = [{"user": {"login": "u"}, "body": "y"}] * 50
+        page3 = [{"user": {"login": "u"}, "body": "z"}] * 3
+        client = self._client_with_pages([page1, page2, page3])
+        out = client.get_issue_comments("o", "r", 3)
+        self.assertEqual(len(out), 103)
+        self.assertEqual(len(client._req.calls), 3)
+
+    def test_max_comments_caps_collection(self):
+        page1 = [{"user": {"login": "u"}, "body": "x"}] * 50
+        page2 = [{"user": {"login": "u"}, "body": "y"}] * 50
+        page3 = [{"user": {"login": "u"}, "body": "z"}] * 50
+        client = self._client_with_pages([page1, page2, page3])
+        out = client.get_issue_comments("o", "r", 4, max_comments=75)
+        self.assertEqual(len(out), 75)
+        # Stops short: shouldn't have requested page-3.
+        self.assertLessEqual(len(client._req.calls), 2)
+
+    def test_oversized_body_truncated(self):
+        # An individual comment with a multi-MiB body (e.g. pasted CI log)
+        # must NOT pull the whole thing into memory. The directive parser
+        # only needs the first ~8 KiB to find /sop-* markers.
+        huge_body = "/sop-ack comprehensive-testing\n" + ("X" * (4 * 1024 * 1024))
+        page = [{"user": {"login": "bob"}, "body": huge_body}]
+        client = self._client_with_pages([page])
+        out = client.get_issue_comments("o", "r", 99)
+        self.assertEqual(len(out), 1)
+        # Cap is 8 KiB; comment body must be <= 8 KiB after streaming.
+        self.assertLessEqual(len(out[0]["body"]), 8 * 1024)
+        # Marker still discoverable at the start.
+        self.assertTrue(out[0]["body"].startswith("/sop-ack comprehensive-testing"))
+
+    def test_iter_handles_missing_user_or_body(self):
+        # Defensive: Gitea has been seen to return user=null on deleted users.
+        page = [
+            {"user": None, "body": "abandoned-author"},
+            {"user": {"login": "alice"}, "body": None},
+            {"body": "no-user-key"},
+            {"user": {"login": "bob"}, "body": "ok"},
+        ]
+        client = self._client_with_pages([page])
+        out = client.get_issue_comments("o", "r", 5)
+        self.assertEqual(len(out), 4)
+        self.assertEqual(out[0]["user"]["login"], "")
+        self.assertEqual(out[0]["body"], "abandoned-author")
+        self.assertEqual(out[1]["user"]["login"], "alice")
+        self.assertEqual(out[1]["body"], "")
+        self.assertEqual(out[2]["user"]["login"], "")
+        self.assertEqual(out[3]["user"]["login"], "bob")
+
+    def test_minimal_dicts_work_with_compute_ack_state(self):
+        """Round-trip: minimal dicts feed back through compute_ack_state."""
+        page = [{"user": {"login": "bob"}, "body": "/sop-ack comprehensive-testing"}]
+        client = self._client_with_pages([page])
+        comments = client.get_issue_comments("o", "r", 6)
+        items = _items_by_slug()
+        aliases = _numeric_aliases()
+        state = sop.compute_ack_state(
+            comments, "alice", items, aliases, lambda slug, users: list(users)
+        )
+        self.assertEqual(state["comprehensive-testing"]["ackers"], ["bob"])
+
+
+# ---------------------------------------------------------------------------
+# probe() na-gate fallback — fix for #355-class KeyError 'security-review'
+# ---------------------------------------------------------------------------
+
+
+class TestComputeNaStateAcceptsGateNotInItems(unittest.TestCase):
+    """compute_na_state passes the gate NAME to probe(); when the gate is
+    NOT also an items entry (the common case for `security-review`,
+    `qa-review`), probe must fall back to the gate's own required_teams
+    instead of KeyError'ing on items_by_slug[slug].
+
+    This test exercises the public surface (compute_na_state) rather than
+    the inline `probe` closure, because the closure is built inside main().
+    We simulate the fallback by passing a probe that mirrors the production
+    contract — slug may be either an item OR an n/a-gate key, both are valid.
+    """
+
+    def test_na_gate_with_required_teams_resolves_without_keyerror(self):
+        na_gates = {
+            "security-review": {
+                "required_teams": ["security", "managers", "ceo"],
+                "description": "security N/A",
+            },
+        }
+        comments = [
+            {"user": {"login": "carol"}, "body": "/sop-n/a security-review docs-only"},
+        ]
+        # Probe approves any user in the security team; importantly it does
+        # NOT try items_by_slug[slug] for the gate name.
+        called_with = []
+
+        def probe(slug, users):
+            called_with.append(slug)
+            # production probe accepts gate-name OR item-slug; for this test
+            # we just approve everyone.
+            return list(users)
+
+        na_state = sop.compute_na_state(comments, "alice", na_gates, probe)
+        self.assertTrue(na_state["security-review"]["declared"])
+        self.assertEqual(na_state["security-review"]["decl_ackers"], ["carol"])
+        # probe must have been called with the GATE name, not an item slug.
+        self.assertEqual(called_with, ["security-review"])
+
+    def test_na_gate_self_declaration_rejected(self):
+        # Author cannot self-declare N/A — pre-existing invariant; pin it
+        # so the new probe-fallback doesn't regress this.
+        na_gates = {"security-review": {"required_teams": ["security"]}}
+        comments = [
+            {"user": {"login": "alice"}, "body": "/sop-n/a security-review"},
+        ]
+        na_state = sop.compute_na_state(
+            comments, "alice", na_gates, lambda *_: ["alice"]
+        )
+        self.assertFalse(na_state["security-review"]["declared"])
@@ -50,6 +50,34 @@ tier_failure_mode:
  "tier:low": soft
 default_mode: hard  # used when no tier:* label is present

+# High-risk class (RFC#450 Option C, governance-fix for internal#442).
+#
+# A PR is "high-risk" when ANY of the listed labels are applied OR when
+# the PR has `tier:high` (mechanically the strictest existing tier).
+# High-risk items use `required_teams_high_risk` (when present on the
+# item); non-high-risk items use the default `required_teams`.
+#
+# This closes the inconsistency that the SOP charter already mandates
+# `tier:high → ceo only` for the sibling `sop-tier-check` gate; the
+# sop-checklist's `root-cause` and `no-backwards-compat` items now
+# follow the same risk-classed two-eyes shape:
+#   - Default class (tier:low/medium, not high-risk): a non-author
+#     engineers/managers/ceo ack satisfies the item — 25+ live
+#     identities, no dependency on a dead/inactive senior persona
+#     token.
+#   - High-risk class (tier:high OR any high_risk_label): still
+#     requires a non-author ceo ack (durable human team).
+#
+# Tightening: add labels to high_risk_labels.
+# Loosening: remove labels.
+high_risk_labels:
+  - "risk:high"
+  - "area:security"
+  - "area:schema"
+  - "area:fleet-image"
+  - "area:identity"
+  - "area:gate-meta"
+
 items:
  - slug: comprehensive-testing
    numeric_alias: 1
@@ -78,11 +106,15 @@ items:
  - slug: root-cause
    numeric_alias: 4
    pr_section_marker: "Root-cause not symptom"
-    required_teams: [managers, ceo]
+    required_teams: [engineers, managers, ceo]
+    required_teams_high_risk: [ceo]
    description: >-
-      One-sentence root-cause statement. Ack from managers tier
-      (team-leads) or ceo. Senior judgment required to attest
-      root-cause-versus-symptom.
+      One-sentence root-cause statement. Default class: non-author
+      engineers/managers/ceo ack suffices (engineers can attest
+      root-cause-vs-symptom for routine fixes). High-risk class
+      (see `high_risk_labels`): non-author ceo ack required —
+      senior judgment for irreversible/security/identity/gate
+      changes. Closes internal#442 + tracks RFC#450.

  - slug: five-axis-review
    numeric_alias: 5
@@ -95,10 +127,14 @@ items:
  - slug: no-backwards-compat
    numeric_alias: 6
    pr_section_marker: "No backwards-compat shim / dead code added"
-    required_teams: [managers, ceo]
+    required_teams: [engineers, managers, ceo]
+    required_teams_high_risk: [ceo]
    description: >-
-      Yes/no + justification if no. Senior ack required because
-      backward-compat shims are how dead-code accretes.
+      Yes/no + justification if no. Default class: non-author
+      engineers/managers/ceo ack suffices. High-risk class
+      (see `high_risk_labels`): non-author ceo ack required —
+      senior judgment for shim-versus-real-fix on irreversible
+      surfaces. Closes internal#442 + tracks RFC#450.

  - slug: memory-consulted
    numeric_alias: 7
@@ -1,60 +0,0 @@
-name: cascade-list-drift-gate
-
-# Ported from .github/workflows/cascade-list-drift-gate.yml on 2026-05-11
-# per RFC internal#219 §1 sweep.
-#
-# Differences from the GitHub version:
-#   - on.paths reference .gitea/workflows/publish-runtime.yml (the active
-#     Gitea workflow file) instead of .github/workflows/publish-runtime.yml
-#     (which Category A of this sweep deletes).
-#   - Explicit `WORKFLOW=` arg passed to the drift script so it audits the
-#     .gitea/ workflow (the script's default is still .github/... which
-#     will not exist post-Cat-A).
-#   - Workflow-level env.GITHUB_SERVER_URL set per
-#     feedback_act_runner_github_server_url.
-#   - `continue-on-error: true` on the job (RFC §1 contract — surface
-#     defects without blocking; follow-up PR flips after triage).
-#
-# Structural gate: TEMPLATES list in publish-runtime.yml must match
-# manifest.json's workspace_templates exactly. Closes the recurrence
-# path of PR #2556 (the data fix) and is the first concrete deliverable
-# of RFC #388 PR-3.
-#
-# Triggers narrowly to keep CI quiet: only on PRs that actually change
-# one of the two files. The path-filtered split + always-emit-result
-# pattern (memory: "Required check names need a job that always runs")
-# is unnecessary here because the workflow IS the check name and PR
-# branch protection should require it directly. Future-proof: if this
-# becomes a required check, add a no-op aggregator with always() so the
-# name still emits when paths don't match.
-
-on:
-  pull_request:
-    branches: [staging, main]
-    paths:
-      - manifest.json
-      - .gitea/workflows/publish-runtime.yml
-      - scripts/check-cascade-list-vs-manifest.sh
-
-env:
-  GITHUB_SERVER_URL: https://git.moleculesai.app
-
-permissions:
-  contents: read
-
-jobs:
-  # bp-exempt: drift visibility gate; CI / all-required remains the required aggregate.
-  check:
-    runs-on: ubuntu-latest
-    # Phase 3 (RFC #219 §1): surface broken workflows without blocking
-    # the PR. Follow-up PR flips this off after surfaced defects are
-    # triaged.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
-    continue-on-error: true
-    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-      - name: Check cascade list matches manifest
-        # Pass the .gitea/ workflow path explicitly — the script's
-        # default still points at .github/... which Category A of this
-        # sweep removes.
-        run: bash scripts/check-cascade-list-vs-manifest.sh manifest.json .gitea/workflows/publish-runtime.yml
@@ -1,225 +0,0 @@
-name: MCP Stdio Transport Regression
-
-# Regression test for molecule-ai-workspace-runtime#61:
-# asyncio.connect_read_pipe / connect_write_pipe fail with
-# ValueError: "Pipe transport is only for pipes, sockets and character devices"
-# when stdout is a regular file (openclaw capture, CI tee, debugging).
-#
-# This workflow reproduces the exact failure mode and verifies the
-# fallback to direct buffer I/O works. It runs on every PR that
-# touches the MCP server or this workflow, plus nightly cron.
-#
-# Why a separate workflow (not folded into ci.yml python-lint):
-#   - The test needs to spawn the MCP server with stdout redirected
-#     to a regular file (not a TTY/pipe), which conflicts with
-#     pytest's own capture mechanism.
-#   - It exercises the actual process spawn path (python a2a_mcp_server.py)
-#     not just unit-test mocks — closer to the real openclaw integration.
-#   - A dedicated workflow surfaces stdio-specific regressions without
-#     coupling to the broader Python test suite's coverage gate.
-
-on:
-  pull_request:
-    branches: [main, staging]
-    paths:
-      - 'workspace/a2a_mcp_server.py'
-      - 'workspace/mcp_cli.py'
-      - 'workspace/tests/test_a2a_mcp_server.py'
-      - '.gitea/workflows/ci-mcp-stdio-transport.yml'
-  push:
-    branches: [main, staging]
-    paths:
-      - 'workspace/a2a_mcp_server.py'
-      - 'workspace/mcp_cli.py'
-      - 'workspace/tests/test_a2a_mcp_server.py'
-      - '.gitea/workflows/ci-mcp-stdio-transport.yml'
-  schedule:
-    # Nightly at 04:00 UTC — catches drift from dependency updates
-    # (e.g. asyncio behavior changes in new Python patch releases).
-    - cron: '0 4 * * *'
-
-concurrency:
-  group: mcp-stdio-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  GITHUB_SERVER_URL: https://git.moleculesai.app
-
-jobs:
-  # bp-exempt: regression canary for runtime#61; not a merge gate — informational only until promoted to required.
-  # mc#774: continue-on-error mask — new workflow, flip to false once it's green on ≥3 consecutive main runs.
-  mcp-stdio-regular-file:
-    name: MCP stdio with regular-file stdout
-    runs-on: ubuntu-latest
-    continue-on-error: true  # mc#774
-    timeout-minutes: 5
-    env:
-      WORKSPACE_ID: "00000000-0000-0000-0000-000000000001"
-    defaults:
-      run:
-        working-directory: workspace
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: '3.11'
-          cache: pip
-          cache-dependency-path: workspace/requirements.txt
-      - run: pip install -r requirements.txt pytest pytest-asyncio pytest-cov
-
-      - name: Reproduce runtime#61 — stdout as regular file
-        run: |
-          set -euo pipefail
-          echo "=== Reproducing molecule-ai-workspace-runtime#61 ==="
-          echo ""
-          echo "Before the fix, this command would fail with:"
-          echo '  ValueError: Pipe transport is only for pipes, sockets and character devices'
-          echo ""
-
-          # Spawn the MCP server with stdout redirected to a regular file.
-          # This is exactly what openclaw does when capturing MCP output.
-          OUTPUT=$(mktemp)
-          trap 'rm -f "$OUTPUT"' EXIT
-
-          # Send initialize request, then tools/list, then exit
-          {
-            echo '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{}}'
-            echo '{"jsonrpc":"2.0","id":2,"method":"tools/list"}'
-          } | python a2a_mcp_server.py > "$OUTPUT" 2>&1 || {
-            RC=$?
-            echo "FAIL: MCP server exited with code $RC"
-            echo "--- stdout+stderr ---"
-            cat "$OUTPUT"
-            exit 1
-          }
-
-          echo "PASS: MCP server handled regular-file stdout without crashing"
-          echo ""
-          echo "--- Output (first 20 lines) ---"
-          head -20 "$OUTPUT"
-          echo ""
-
-          # Verify we got valid JSON-RPC responses
-          if grep -q '"result"' "$OUTPUT"; then
-            echo "PASS: JSON-RPC responses found in output"
-          else
-            echo "FAIL: No JSON-RPC responses in output"
-            cat "$OUTPUT"
-            exit 1
-          fi
-
-      - name: Reproduce runtime#61 — stdin from regular file
-        run: |
-          set -euo pipefail
-          echo "=== stdin as regular file (CI tee / capture pattern) ==="
-
-          INPUT=$(mktemp)
-          OUTPUT=$(mktemp)
-          trap 'rm -f "$INPUT" "$OUTPUT"' EXIT
-
-          cat > "$INPUT" <<'EOF'
-          {"jsonrpc":"2.0","id":1,"method":"initialize","params":{}}
-          {"jsonrpc":"2.0","id":2,"method":"tools/list"}
-          EOF
-
-          python a2a_mcp_server.py < "$INPUT" > "$OUTPUT" 2>&1 || {
-            RC=$?
-            echo "FAIL: MCP server exited with code $RC"
-            cat "$OUTPUT"
-            exit 1
-          }
-
-          echo "PASS: MCP server handled regular-file stdin without crashing"
-
-          if grep -q '"result"' "$OUTPUT"; then
-            echo "PASS: JSON-RPC responses found in output"
-          else
-            echo "FAIL: No JSON-RPC responses in output"
-            cat "$OUTPUT"
-            exit 1
-          fi
-
-      - name: Verify warning is emitted for non-pipe stdio
-        run: |
-          set -euo pipefail
-          echo "=== Verify diagnostic warning ==="
-
-          OUTPUT=$(mktemp)
-          trap 'rm -f "$OUTPUT"' EXIT
-
-          {
-            echo '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{}}'
-          } | python a2a_mcp_server.py > "$OUTPUT" 2>&1
-
-          # The warning should mention "not a pipe" for operator visibility
-          if grep -qi "not a pipe" "$OUTPUT"; then
-            echo "PASS: Diagnostic warning emitted for non-pipe stdio"
-          else
-            echo "NOTE: No warning in output (may be suppressed by log level)"
-          fi
-
-      - name: Reproduce openclaw failure — pipe held OPEN, no EOF
-        run: |
-          set -euo pipefail
-          echo "=== keep-stdin-open pipe (the real openclaw / Claude Code case) ==="
-          echo ""
-          echo "Before the readline() fix this HANGS: main() did"
-          echo "  stdin.read(65536)  -> on a pipe, blocks until 64KB OR EOF."
-          echo "An MCP client sends one ~150B initialize and keeps stdin"
-          echo "open waiting for the response, so the server never parsed"
-          echo "the request and the client timed out (openclaw: 'MCP error"
-          echo "-32000: Connection closed'). The earlier regular-file /"
-          echo "heredoc-pipe steps PASSED through this bug because a file"
-          echo "(or a closing heredoc) yields EOF immediately."
-          echo ""
-
-          # Drive the server through a real pipe that stays OPEN: write
-          # one initialize, do NOT close stdin, and require a response
-          # within a hard timeout. read(65536) -> no output -> timeout
-          # kills it -> FAIL. readline() -> immediate response -> PASS.
-          python - <<'PYEOF'
-          import json, subprocess, sys, time, select
-
-          proc = subprocess.Popen(
-              [sys.executable, "a2a_mcp_server.py"],
-              stdin=subprocess.PIPE, stdout=subprocess.PIPE,
-              stderr=subprocess.STDOUT,
-              env={**__import__("os").environ},
-          )
-          req = json.dumps({
-              "jsonrpc": "2.0", "id": 1, "method": "initialize",
-              "params": {"protocolVersion": "2024-11-05",
-                         "capabilities": {},
-                         "clientInfo": {"name": "keepopen", "version": "1"}},
-          }) + "\n"
-          proc.stdin.write(req.encode())
-          proc.stdin.flush()
-          # Deliberately DO NOT close proc.stdin — mirror a live MCP client.
-
-          deadline = time.time() + 15
-          line = b""
-          while time.time() < deadline:
-              r, _, _ = select.select([proc.stdout], [], [], 1)
-              if r:
-                  line = proc.stdout.readline()
-                  if line:
-                      break
-          proc.kill()
-
-          if not line:
-              print("FAIL: no response within 15s on an open pipe — "
-                    "stdin.read(65536) regression is back")
-              sys.exit(1)
-          resp = json.loads(line.decode())
-          assert resp.get("id") == 1 and "result" in resp, \
-              f"unexpected response: {line[:200]!r}"
-          assert resp["result"]["serverInfo"]["name"] == "molecule", \
-              f"wrong serverInfo: {line[:200]!r}"
-          print("PASS: server answered initialize on a still-open pipe")
-          PYEOF
-
-      - name: Run unit tests for stdio transport
-        run: |
-          set -euo pipefail
-          echo "=== Running stdio transport unit tests ==="
-          python -m pytest tests/test_a2a_mcp_server.py::TestStdioPipeAssertion tests/test_a2a_mcp_server.py::TestStdioKeepOpenPipe -v --no-cov
@@ -86,46 +86,17 @@ jobs:
        with:
          fetch-depth: 0
      - id: check
+        env:
+          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
+          PUSH_BEFORE: ${{ github.event.before }}
        run: |
-          # For PR events: diff against the base branch (not HEAD~1 of the branch,
-          # which may be unrelated after force-pushes). When a push updates a PR,
-          # both pull_request and push events fire — prefer the PR base so that
-          # the diff is always computed against the actual merge base, not the
-          # previous SHA on the branch which may be on a different history line.
-          BASE="${GITHUB_BASE_REF:-${{ github.event.before }}}"
-          # GITHUB_BASE_REF is set for PR events (the base branch name).
-          # For pull_request events we use the stored base.sha; for push events
-          # (or when base.sha is unavailable) fall back to github.event.before.
-          if [ "${{ github.event_name }}" = "pull_request" ] && [ -n "${{ github.event.pull_request.base.sha }}" ]; then
-            BASE="${{ github.event.pull_request.base.sha }}"
-          fi
-          # Fallback: if BASE is empty or all zeros (new branch), run everything
-          if [ -z "$BASE" ] || echo "$BASE" | grep -qE '^0+$'; then
-            echo "platform=true" >> "$GITHUB_OUTPUT"
-            echo "canvas=true" >> "$GITHUB_OUTPUT"
-            echo "python=true" >> "$GITHUB_OUTPUT"
-            echo "scripts=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          # Workflow-only edits are covered by the workflow lint family
-          # and by this workflow's always-present required jobs. Do not fan
-          # those edits out into Go/Canvas/Python/shellcheck work; the
-          # downstream jobs still emit their required contexts via no-op
-          # steps when their surface flag is false.
-          #
-          # If the diff itself cannot be trusted, fail open by running every
-          # surface instead of silently under-testing the PR.
-          if ! DIFF=$(git diff --name-only "$BASE" HEAD 2>/dev/null); then
-            echo "platform=true" >> "$GITHUB_OUTPUT"
-            echo "canvas=true" >> "$GITHUB_OUTPUT"
-            echo "python=true" >> "$GITHUB_OUTPUT"
-            echo "scripts=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          echo "platform=$(echo "$DIFF" | grep -qE '^workspace-server/' && echo true || echo false)" >> "$GITHUB_OUTPUT"
-          echo "canvas=$(echo "$DIFF" | grep -qE '^canvas/' && echo true || echo false)" >> "$GITHUB_OUTPUT"
-          echo "python=$(echo "$DIFF" | grep -qE '^workspace/' && echo true || echo false)" >> "$GITHUB_OUTPUT"
-          echo "scripts=$(echo "$DIFF" | grep -qE '^tests/e2e/|^scripts/|^infra/scripts/' && echo true || echo false)" >> "$GITHUB_OUTPUT"
+          python3 .gitea/scripts/detect-changes.py \
+            --profile ci \
+            --event-name "${{ github.event_name }}" \
+            --pr-base-sha "$PR_BASE_SHA" \
+            --base-ref "$PR_BASE_REF" \
+            --push-before "${GITHUB_EVENT_BEFORE:-$PUSH_BEFORE}"

  # Platform (Go) — Go build/vet/test/lint + coverage gates. The always-run
  # + per-step gating shape preserves the GitHub-side required-check name
@@ -133,6 +104,7 @@ jobs:
  # the name match works on PRs that don't touch workspace-server/).
  platform-build:
    name: Platform (Go)
+    needs: changes
    runs-on: ubuntu-latest
    # mc#774 (closed 2026-05-14): Phase 4 flip of the platform-build job.
    # Phase 4 (#656) originally flipped this to continue-on-error: false based on
@@ -153,29 +125,29 @@ jobs:
      run:
        working-directory: workspace-server
    steps:
-      - if: false
+      - if: ${{ github.event_name == 'pull_request' && needs.changes.outputs.platform != 'true' }}
        working-directory: .
-        run: echo "No platform/** changes — skipping real build steps; this job always runs to satisfy the required-check name on branch protection."
-      - if: always()
+        run: echo "No workspace-server/** changes on this PR — Platform (Go) gate satisfied without running Go build/test/lint."
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.platform == 'true' }}
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - if: always()
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.platform == 'true' }}
        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
        with:
          go-version: 'stable'
-      - if: always()
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.platform == 'true' }}
        run: go mod download
-      - if: always()
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.platform == 'true' }}
        run: go build ./cmd/server
      # CLI (molecli) moved to standalone repo: git.moleculesai.app/molecule-ai/molecule-cli
-      - if: always()
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.platform == 'true' }}
        run: go vet ./...
-      - if: always()
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.platform == 'true' }}
        name: Install golangci-lint
        run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.12.2
-      - if: always()
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.platform == 'true' }}
        name: Run golangci-lint
        run: $(go env GOPATH)/bin/golangci-lint run --timeout 3m ./...
-      - if: always()
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.platform == 'true' }}
        name: Diagnostic — per-package verbose 60s
        run: |
          set +e
@@ -191,7 +163,7 @@ jobs:
          echo "::endgroup::"
        # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
        continue-on-error: true
-      - if: always()
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.platform == 'true' }}
        name: Run tests with race detection and coverage
        # Explicit timeout: cold runner cache causes OOM kills at ~4m39s on the
        # full ./... suite with race detection + coverage. A 10m per-step timeout
@@ -199,7 +171,7 @@ jobs:
        # instead of OOM-killing. The job-level timeout (15m) is a backstop.
        run: go test -race -timeout 10m -coverprofile=coverage.out ./...

-      - if: always()
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.platform == 'true' }}
        name: Per-file coverage report
        # Advisory — lists every source file with its coverage so reviewers
        # can see at-a-glance where gaps are. Sorted ascending so the worst
@@ -213,7 +185,7 @@ jobs:
                   END {for (f in s) printf "%6.1f%%  %s\n", s[f]/c[f], f}' \
            | sort -n

-      - if: always()
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.platform == 'true' }}
        name: Check coverage thresholds
        # Enforces two gates from #1823 Layer 1:
        #   1. Total floor (25% — ratchet plan in COVERAGE_FLOOR.md).
@@ -301,6 +273,7 @@ jobs:
  # siblings — verified empirically on PR #2314).
  canvas-build:
    name: Canvas (Next.js)
+    needs: changes
    runs-on: ubuntu-latest
    timeout-minutes: 20
    # Phase 4 (RFC #219 §1): confirmed green on main 2026-05-12.
@@ -309,20 +282,20 @@ jobs:
      run:
        working-directory: canvas
    steps:
-      - if: false
+      - if: ${{ github.event_name == 'pull_request' && needs.changes.outputs.canvas != 'true' }}
        working-directory: .
-        run: echo "No canvas/** changes — skipping real build steps; this job always runs to satisfy the required-check name on branch protection."
-      - if: always()
+        run: echo "No canvas/** changes on this PR — Canvas (Next.js) gate satisfied without running npm build/test."
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.canvas == 'true' }}
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - if: always()
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.canvas == 'true' }}
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: '22'
-      - if: always()
-        run: rm -f package-lock.json && npm install
-      - if: always()
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.canvas == 'true' }}
+        run: npm ci --include=optional --prefer-offline
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.canvas == 'true' }}
        run: npm run build
-      - if: always()
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.canvas == 'true' }}
        name: Run tests with coverage
        # Coverage instrumentation is configured in canvas/vitest.config.ts
        # (provider: v8, reporters: text + html + json-summary). Step 2 of
@@ -331,7 +304,7 @@ jobs:
        # tracked in #1815) after the team sees what current coverage is.
        run: npx vitest run --coverage
      - name: Upload coverage summary as artifact
-        if: always()
+        if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.canvas == 'true' }}
        # Pinned to v3 for Gitea act_runner v0.6 compatibility — v4+ uses
        # the GHES 3.10+ artifact protocol that Gitea 1.22.x does NOT
        # implement, surfacing as `GHESNotSupportedError: @actions/artifact
@@ -348,15 +321,16 @@ jobs:
  # Shellcheck (E2E scripts) — required check, always runs.
  shellcheck:
    name: Shellcheck (E2E scripts)
+    needs: changes
    runs-on: ubuntu-latest
    # Phase 4 (RFC #219 §1): confirmed green on main 2026-05-12.
    continue-on-error: false
    steps:
-      - if: false
-        run: echo "No tests/e2e/ or infra/scripts/ changes — skipping real shellcheck; this job always runs to satisfy the required-check name on branch protection."
-      - if: always()
+      - if: ${{ github.event_name == 'pull_request' && needs.changes.outputs.scripts != 'true' }}
+        run: echo "No tests/e2e, scripts, or infra/scripts changes on this PR — Shellcheck gate satisfied without running script checks."
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.scripts == 'true' }}
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - if: always()
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.scripts == 'true' }}
        name: Run shellcheck on tests/e2e/*.sh and infra/scripts/*.sh
        # shellcheck is pre-installed on ubuntu-latest runners (via apt).
        # infra/scripts/ is included because setup.sh + nuke.sh gate the
@@ -367,16 +341,16 @@ jobs:
          find tests/e2e infra/scripts -type f -name '*.sh' -print0 \
            | xargs -0 shellcheck --severity=warning

-      - if: always()
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.scripts == 'true' }}
        name: Lint cleanup-trap hygiene (RFC #2873)
        run: bash tests/e2e/lint_cleanup_traps.sh

-      - if: always()
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.scripts == 'true' }}
        name: Run E2E bash unit tests (no live infra)
        run: |
          bash tests/e2e/test_model_slug.sh

-      - if: always()
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.scripts == 'true' }}
        name: Test ECR promote-tenant-image script (mock-driven, no live infra)
        # Covers scripts/promote-tenant-image.sh — the codified
        # :staging-latest → :latest ECR promote + tenant fleet redeploy
@@ -386,7 +360,7 @@ jobs:
        run: |
          bash scripts/test-promote-tenant-image.sh

-      - if: always()
+      - if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.scripts == 'true' }}
        name: Shellcheck promote-tenant-image script
        # scripts/ is excluded from the bulk shellcheck pass above (legacy
        # SC3040/SC3043 cleanup pending). Run shellcheck explicitly on
@@ -401,7 +375,7 @@ jobs:

  canvas-deploy-reminder:
    name: Canvas Deploy Reminder
-    runs-on: ubuntu-latest
+    runs-on: docker-host
    # mc#774 root-fix: added job-level `if:` so ci-required-drift.py's
    # ci_job_names() detects this as github.ref-gated and skips it from F1.
    # The step-level exit 0 handles the "not main push" case; the job-level
@@ -456,84 +430,29 @@ jobs:
          cat /tmp/deploy-reminder.md >> "$GITHUB_STEP_SUMMARY"

  # Python Lint & Test — required check, always runs.
+  # Runtime Python moved to molecule-ai-workspace-runtime. Keep this context as
+  # a guard so branch protection still catches attempts to reintroduce an
+  # editable runtime copy under molecule-core/workspace/.
  python-lint:
    name: Python Lint & Test
    runs-on: ubuntu-latest
-    # Phase 4 (RFC #219 §1): confirmed green on main 2026-05-12.
    continue-on-error: false
-    env:
-      WORKSPACE_ID: test
-    defaults:
-      run:
-        working-directory: workspace
    steps:
-      - if: false
-        working-directory: .
-        run: echo "No workspace/** changes — skipping real lint+test; this job always runs to satisfy the required-check name on branch protection."
-      - if: always()
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - if: always()
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: '3.11'
-          cache: pip
-          cache-dependency-path: workspace/requirements.txt
-      - if: always()
-        run: pip install -r requirements.txt pytest pytest-asyncio pytest-cov sqlalchemy>=2.0.0
-      # Coverage flags + fail-under floor moved into workspace/pytest.ini
-      # (issue #1817) so local `pytest` and CI use identical config.
-      - if: always()
-        run: python -m pytest --tb=short
-
-      - if: always()
-        name: Per-file critical-path coverage (MCP / inbox / auth)
-        # MCP-critical Python files have a per-file floor on top of the
-        # 86% total floor in pytest.ini. See issue #2790 for full rationale.
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Runtime SSOT guard
        run: |
-          set -e
-          PER_FILE_FLOOR=75
-          CRITICAL_FILES=(
-            "a2a_mcp_server.py"
-            "mcp_cli.py"
-            "a2a_tools.py"
-            "a2a_tools_inbox.py"
-            "inbox.py"
-            "platform_auth.py"
-          )
-
-          # pytest already wrote .coverage; emit a JSON view scoped to
-          # the critical files so jq/python can read the per-file pct
-          # without parsing tabular text.
-          INCLUDES=$(printf '*%s,' "${CRITICAL_FILES[@]}")
-          INCLUDES="${INCLUDES%,}"
-          python -m coverage json -o /tmp/critical-cov.json --include="$INCLUDES"
-
-          FAILED=0
-          for f in "${CRITICAL_FILES[@]}"; do
-            pct=$(jq -r --arg f "$f" '.files | to_entries | map(select(.key == $f)) | .[0].value.summary.percent_covered // "MISSING"' /tmp/critical-cov.json)
-            if [ "$pct" = "MISSING" ]; then
-              echo "::error file=workspace/$f::No coverage data — file may have moved or test exclusion mis-set."
-              FAILED=$((FAILED+1))
-              continue
-            fi
-            echo "$f: ${pct}%"
-            if awk "BEGIN{exit !($pct < $PER_FILE_FLOOR)}"; then
-              echo "::error file=workspace/$f::${pct}% < ${PER_FILE_FLOOR}% per-file floor (MCP critical path). See COVERAGE_FLOOR.md."
-              FAILED=$((FAILED+1))
-            fi
-          done
-
-          if [ "$FAILED" -gt 0 ]; then
-            echo ""
-            echo "$FAILED MCP critical-path file(s) below the ${PER_FILE_FLOOR}% per-file floor."
-            echo "These paths handle multi-tenant routing, auth tokens, and inbox dispatch."
-            echo "A coverage drop here is the same risk shape as Go-side tokens/secrets files"
-            echo "dropping below 10% (see COVERAGE_FLOOR.md). Either:"
-            echo "  (a) add tests to raise coverage back above ${PER_FILE_FLOOR}%, or"
-            echo "  (b) if this is unavoidable historical debt, file an issue and propose"
-            echo "      adjusting the floor with rationale in COVERAGE_FLOOR.md."
+          set -eu
+          if [ -d workspace ]; then
+            echo "::error file=workspace::Runtime source must live in molecule-ai-workspace-runtime, not molecule-core/workspace."
            exit 1
          fi
+          for f in scripts/build_runtime_package.py scripts/test_build_runtime_package.py; do
+            if [ -e "$f" ]; then
+              echo "::error file=$f::Legacy build-from-workspace packaging script must not be restored."
+              exit 1
+            fi
+          done
+          echo "Runtime SSOT guard passed; core consumes the standalone runtime package."

  all-required:
    # Aggregator sentinel — RFC internal#219 §2 (Phase 4 — closes internal#286).
@@ -43,6 +43,18 @@ name: Continuous synthetic E2E (staging)

 on:
  schedule:
+    # Every 30 minutes, on :02 and :32. This keeps a recurring SaaS
+    # behavior probe while cutting runner occupancy from this workflow by
+    # roughly two thirds; fast liveness belongs in the lighter smoke/heartbeat
+    # probes, not in a full tenant/workspace synth every 10 minutes.
+    #
+    # Previous cadence was every 10 minutes (:02 :12 :22 :32 :42 :52).
+    # The current operator-host runner pool is the bottleneck, so full
+    # synth E2E is deliberately lower-cadence until it moves to a dedicated
+    # runner host or warm-runtime pool.
+    #
+    # Historical notes from the 10-minute shape:
+    #
    # Every 10 minutes, on :02 :12 :22 :32 :42 :52. Three constraints:
    #   1. Stay off the top-of-hour. GitHub Actions scheduler drops
    #      :00 firings under high load (own docs:
@@ -66,7 +78,7 @@ on:
    # fires = ~30 min cadence; closer to the 20-min target than the
    # current shape and provides a real degradation alarm if drops
    # get worse.
-    - cron: '2,12,22,32,42,52 * * * *'
+    - cron: '2,32 * * * *'
 permissions:
  contents: read
  # No issue-write here — failures surface as red runs in the workflow
@@ -108,7 +108,20 @@ env:

 jobs:
  detect-changes:
-    runs-on: ubuntu-latest
+    # mc#1529 follow-on: pin to `docker-host` so the e2e-api lane lands
+    # on Linux operator-host runners (molecule-runner-*) that carry the
+    # `molecule-core-net` bridge network + a working `aws ecr get-login-
+    # password | docker login` path. The bare `ubuntu-latest` label is
+    # also accepted by hongming-pc-runner-* (Windows act_runner v1.0.3),
+    # where the docker.sock-bound steps below fail non-deterministically
+    # (e.g. `docker run -d --name pg-e2e-api-...` with port-bind +
+    # `docker exec ... pg_isready` cannot work against a Windows daemon).
+    # detect-changes itself doesn't bind docker.sock, but pinning here too
+    # keeps both jobs on the same lane so we don't re-roll the dice on
+    # workspace-volume cross-host surprises and the routing rule is
+    # discoverable in one place. Mirror of mc#1543 (handlers-postgres-
+    # integration). See internal#512 for the class defect.
+    runs-on: docker-host
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
@@ -119,31 +132,13 @@ jobs:
        with:
          fetch-depth: 0
      - id: decide
-        # Inline replacement for dorny/paths-filter — same pattern PR#372's
-        # ci.yml port used. Diffs against the PR base or push BEFORE SHA,
-        # then matches against the api-relevant path set.
        run: |
-          BASE="${GITHUB_BASE_REF:-${{ github.event.before }}}"
-          if [ "${{ github.event_name }}" = "pull_request" ] && [ -n "${{ github.event.pull_request.base.sha }}" ]; then
-            BASE="${{ github.event.pull_request.base.sha }}"
-          fi
-          if [ -z "$BASE" ] || echo "$BASE" | grep -qE '^0+$'; then
-            echo "api=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          if ! git cat-file -e "$BASE" 2>/dev/null; then
-            git fetch --depth=1 origin "$BASE" 2>/dev/null || true
-          fi
-          if ! git cat-file -e "$BASE" 2>/dev/null; then
-            echo "api=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          CHANGED=$(git diff --name-only "$BASE" HEAD)
-          if echo "$CHANGED" | grep -qE '^(workspace-server/|tests/e2e/|\.gitea/workflows/e2e-api\.yml$)'; then
-            echo "api=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "api=false" >> "$GITHUB_OUTPUT"
-          fi
+          python3 .gitea/scripts/detect-changes.py \
+            --profile e2e-api \
+            --event-name "${{ github.event_name }}" \
+            --pr-base-sha "${{ github.event.pull_request.base.sha }}" \
+            --base-ref "${{ github.event.pull_request.base.ref }}" \
+            --push-before "${GITHUB_EVENT_BEFORE:-${{ github.event.before }}}"

  # ONE job (no job-level `if:`) that always runs and reports under the
  # required-check name `E2E API Smoke Test`. Real work is gated per-step
@@ -160,7 +155,10 @@ jobs:
  e2e-api:
    needs: detect-changes
    name: E2E API Smoke Test
-    runs-on: ubuntu-latest
+    # mc#1529 follow-on: must run on operator-host Linux runners (where
+    # docker.sock + `molecule-core-net` + `aws ecr ...` work). See
+    # detect-changes for the full rationale.
+    runs-on: docker-host
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
@@ -350,6 +348,9 @@ jobs:
            exit 1
          fi
          echo "Migrations OK"
+      - name: Run today's-PR-coverage E2E (mc#1525/1535/1536/1539/1542 fix-specific assertions)
+        if: needs.detect-changes.outputs.api == 'true'
+        run: bash tests/e2e/test_today_pr_coverage_e2e.sh
      - name: Run E2E API tests
        if: needs.detect-changes.outputs.api == 'true'
        run: bash tests/e2e/test_api.sh
@@ -359,6 +360,12 @@ jobs:
      - name: Run priority-runtimes E2E (claude-code + hermes — skips when keys absent)
        if: needs.detect-changes.outputs.api == 'true'
        run: bash tests/e2e/test_priority_runtimes_e2e.sh
+      - name: Install standalone runtime parser from Gitea registry
+        if: needs.detect-changes.outputs.api == 'true'
+        run: |
+          python3 -m pip install --no-deps \
+            --index-url https://git.moleculesai.app/api/packages/molecule-ai/pypi/simple/ \
+            molecule-ai-workspace-runtime
      - name: Run poll-mode + since_id cursor E2E (#2339)
        if: needs.detect-changes.outputs.api == 'true'
        run: bash tests/e2e/test_poll_mode_e2e.sh
@@ -382,4 +389,3 @@ jobs:
        run: |
          docker rm -f "$PG_CONTAINER" 2>/dev/null || true
          docker rm -f "$REDIS_CONTAINER" 2>/dev/null || true
-
@@ -1,8 +1,10 @@
 name: E2E Chat

 # Comprehensive Playwright E2E for the unified chat stack (desktop
-# ChatTab + mobile MobileChat). Runs on every PR that touches canvas,
-# workspace-server, or this workflow file.
+# ChatTab + mobile MobileChat). Heavy browser execution is intentionally
+# outside the normal required PR path: PRs run it only after entering the
+# `merge-queue`, while push/main, nightly, and manual dispatch preserve
+# coverage without making every PR pay the full runtime/browser cost.
 #
 # Architecture:
 #   1. Ephemeral Postgres + Redis (docker, unique container names)
@@ -22,6 +24,11 @@ on:
    branches: [main, staging]
  pull_request:
    branches: [main, staging]
+  schedule:
+    # Nightly at 09:00 UTC. Keeps coverage for the currently non-required
+    # heavy browser lane without spending runner time on every PR.
+    - cron: '0 9 * * *'
+  workflow_dispatch:

 concurrency:
  group: e2e-chat-${{ github.event.pull_request.head.sha || github.sha }}
@@ -33,7 +40,13 @@ env:
 jobs:
  # bp-exempt: helper job; real gate is E2E Chat / E2E Chat (pull_request)
  detect-changes:
-    runs-on: ubuntu-latest
+    # mc#1529 follow-on: pin to `docker-host` (Linux operator-host
+    # runners). The bare `ubuntu-latest` label is also advertised by
+    # hongming-pc-runner-* (Windows act_runner v1.0.3) where the
+    # docker.sock-bound steps below fail. Mirror of mc#1543
+    # (handlers-postgres-integration). See internal#512 for the class
+    # defect.
+    runs-on: docker-host
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
@@ -44,7 +57,14 @@ jobs:
        with:
          fetch-depth: 0
      - id: decide
+        env:
+          GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          QUEUE_LABEL: merge-queue
        run: |
+          if [ "${{ github.event_name }}" = "schedule" ] || [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            echo "chat=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
          BASE="${GITHUB_BASE_REF:-${{ github.event.before }}}"
          if [ "${{ github.event_name }}" = "pull_request" ] && [ -n "${{ github.event.pull_request.base.sha }}" ]; then
            BASE="${{ github.event.pull_request.base.sha }}"
@@ -61,9 +81,26 @@ jobs:
            exit 0
          fi
          CHANGED=$(git diff --name-only "$BASE" HEAD)
-          if echo "$CHANGED" | grep -qE '^(canvas/|workspace-server/|\.gitea/workflows/e2e-chat\.yml$)'; then
+          if ! echo "$CHANGED" | grep -qE '^(canvas/|workspace-server/|\.gitea/workflows/e2e-chat\.yml$)'; then
+            echo "chat=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          if [ "${{ github.event_name }}" != "pull_request" ]; then
+            echo "chat=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          authfile=$(mktemp)
+          chmod 600 "$authfile"
+          printf 'header = "Authorization: token %s"\n' "$GITEA_TOKEN" > "$authfile"
+          labels=$(curl -fsS -K "$authfile" \
+            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels" \
+            | python3 -c 'import json,sys; print("\n".join(label.get("name","") for label in json.load(sys.stdin)))')
+          rm -f "$authfile"
+          if printf '%s\n' "$labels" | grep -qx "$QUEUE_LABEL"; then
            echo "chat=true" >> "$GITHUB_OUTPUT"
          else
+            echo "PR is not in merge-queue; skipping heavy E2E Chat for normal PR path."
            echo "chat=false" >> "$GITHUB_OUTPUT"
          fi

@@ -71,7 +108,9 @@ jobs:
  e2e-chat:
    needs: detect-changes
    name: E2E Chat
-    runs-on: ubuntu-latest
+    # mc#1529 follow-on: docker run/exec for postgres + redis containers.
+    # Must land on operator-host Linux (docker-host).
+    runs-on: docker-host
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
@@ -222,7 +261,14 @@ jobs:
      - name: Install Playwright browsers
        if: needs.detect-changes.outputs.chat == 'true'
        working-directory: canvas
-        run: npx playwright install --with-deps chromium
+        run: |
+          PREBAKED_PLAYWRIGHT=/ms-playwright
+          if [ -d "${PREBAKED_PLAYWRIGHT}" ] && find "${PREBAKED_PLAYWRIGHT}" -maxdepth 3 -type f -name 'chrome' | grep -q .; then
+            echo "Using prebaked Playwright Chromium from ${PREBAKED_PLAYWRIGHT}"
+            echo "PLAYWRIGHT_BROWSERS_PATH=${PREBAKED_PLAYWRIGHT}" >> "$GITHUB_ENV"
+            exit 0
+          fi
+          npx playwright install --with-deps chromium

      - name: Start canvas dev server (background)
        if: needs.detect-changes.outputs.chat == 'true'
@@ -52,6 +52,27 @@ name: E2E Peer Visibility (literal MCP list_peers)
 #     flip-to-required-ready (mirrors e2e-staging-saas.yml's proven shape;
 #     real EC2-provisioning E2E is push/dispatch/cron only — it is 30+ min
 #     and cannot run per-PR-update).
+#
+# LOCAL BACKEND (added 2026-05-15 — feedback_local_must_mimic_production,
+# feedback_mandatory_local_e2e_before_ship, feedback_local_test_before_
+# staging_e2e)
+# --------------------------------------------------------------------
+# The standing rule is that the local prod-mimic stack runs a MANDATORY
+# local-Postgres E2E BEFORE staging E2E. A staging-only peer-visibility
+# gate caught regressions late + expensively (cold EC2). The
+# `peer-visibility-local` job below runs the SAME byte-identical
+# assertion (tests/e2e/lib/peer_visibility_assert.sh) against the local
+# docker-compose stack — built + booted exactly like e2e-api.yml's
+# proven E2E API Smoke Test job (ephemeral pg/redis ports, go build,
+# background platform-server). It runs on PR + push (local boot is
+# minutes, not the 30+ min cold-EC2 path), so peer-visibility is part of
+# the local gate that fires before the staging E2E.
+#
+# It is its OWN non-required status context `E2E Peer Visibility (local)`.
+# The local backend uses external-mode workspaces by default so it tests
+# the literal platform MCP list_peers path without depending on local
+# template container boot/heartbeat. Container-mode runtime boot remains
+# available via PV_LOCAL_PROVISION_MODE=container for targeted debugging.

 on:
  push:
@@ -62,9 +83,9 @@ on:
      - 'workspace-server/internal/middleware/**'
      - 'workspace-server/internal/handlers/registry.go'
      - 'workspace-server/internal/handlers/workspace.go'
-      - 'workspace/a2a_mcp_server.py'
-      - 'workspace/platform_tools/registry.py'
      - 'tests/e2e/test_peer_visibility_mcp_staging.sh'
+      - 'tests/e2e/test_peer_visibility_mcp_local.sh'
+      - 'tests/e2e/lib/peer_visibility_assert.sh'
      - '.gitea/workflows/e2e-peer-visibility.yml'
  pull_request:
    branches: [main]
@@ -74,9 +95,9 @@ on:
      - 'workspace-server/internal/middleware/**'
      - 'workspace-server/internal/handlers/registry.go'
      - 'workspace-server/internal/handlers/workspace.go'
-      - 'workspace/a2a_mcp_server.py'
-      - 'workspace/platform_tools/registry.py'
      - 'tests/e2e/test_peer_visibility_mcp_staging.sh'
+      - 'tests/e2e/test_peer_visibility_mcp_local.sh'
+      - 'tests/e2e/lib/peer_visibility_assert.sh'
      - '.gitea/workflows/e2e-peer-visibility.yml'
  workflow_dispatch:
  schedule:
@@ -108,16 +129,162 @@ jobs:
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Validate driving script
+      - name: Validate driving scripts + shared assertion lib
        run: |
+          bash -n tests/e2e/lib/peer_visibility_assert.sh
+          echo "lib/peer_visibility_assert.sh — bash syntax OK"
          bash -n tests/e2e/test_peer_visibility_mcp_staging.sh
          echo "test_peer_visibility_mcp_staging.sh — bash syntax OK"
-          echo "Real fresh-provision MCP list_peers E2E runs on push to"
+          bash -n tests/e2e/test_peer_visibility_mcp_local.sh
+          echo "test_peer_visibility_mcp_local.sh — bash syntax OK"
+          echo "Staging fresh-provision MCP list_peers E2E runs on push to"
          echo "main / workflow_dispatch / daily cron (30+ min EC2 boot)."
+          echo "The LOCAL backend runs in the peer-visibility-local job"
+          echo "below on this same PR (local docker-compose stack)."

-  # Real gate: provisions a throwaway org + sibling-per-runtime, drives
-  # the LITERAL list_peers MCP call per runtime, asserts 200 + expected
-  # peer set, then scoped teardown. push(main)/dispatch/cron only.
+  # LOCAL gate: same byte-identical assertion against the local prod-mimic
+  # docker-compose stack — the MANDATORY local-E2E that must run BEFORE
+  # the staging E2E (feedback_mandatory_local_e2e_before_ship,
+  # feedback_local_test_before_staging_e2e). Bootstrap mirrors
+  # e2e-api.yml's proven E2E API Smoke Test job (per-run container names +
+  # ephemeral host ports so concurrent host-network act_runner runs don't
+  # collide; go build; background platform-server). Its OWN non-required
+  # status context `E2E Peer Visibility (local)` — non-required-by-design
+  # exactly like the staging job (flip-to-required tracked at
+  # molecule-core#1296). HONEST gate, NO continue-on-error mask
+  # (feedback_fix_root_not_symptom). Runs on PR +
+  # push (local boot is minutes, not the 30+ min cold-EC2 path).
+  # bp-required: pending #1296
+  peer-visibility-local:
+    name: E2E Peer Visibility (local)
+    runs-on: docker-host
+    timeout-minutes: 30
+    env:
+      # Per-run names + ephemeral ports — same collision-avoidance as
+      # e2e-api.yml (host-network act_runner; feedback_act_runner_*).
+      PG_CONTAINER: pg-e2e-pv-${{ github.run_id }}-${{ github.run_attempt }}
+      REDIS_CONTAINER: redis-e2e-pv-${{ github.run_id }}-${{ github.run_attempt }}
+      # LLM keys so hermes/openclaw can actually boot. The local script
+      # SKIPs (not fails) any runtime whose key is absent, so a partially
+      # keyed CI env still exercises whatever it can.
+      CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.E2E_CLAUDE_CODE_OAUTH_TOKEN }}
+      E2E_MINIMAX_API_KEY: ${{ secrets.MOLECULE_STAGING_MINIMAX_API_KEY }}
+      E2E_ANTHROPIC_API_KEY: ${{ secrets.MOLECULE_STAGING_ANTHROPIC_API_KEY }}
+      E2E_OPENAI_API_KEY: ${{ secrets.MOLECULE_STAGING_OPENAI_API_KEY }}
+      PV_RUNTIMES: "hermes openclaw claude-code"
+      PV_LOCAL_PROVISION_MODE: external
+      ADMIN_TOKEN: local-e2e-admin-token
+      MOLECULE_ADMIN_TOKEN: local-e2e-admin-token
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version: 'stable'
+          cache: true
+          cache-dependency-path: workspace-server/go.sum
+      - name: Pre-pull alpine + ensure provisioner network
+        run: |
+          docker pull alpine:latest >/dev/null
+          docker network create molecule-core-net >/dev/null 2>&1 || true
+          echo "alpine:latest pre-pulled; molecule-core-net ensured."
+      - name: Start Postgres (docker, ephemeral port)
+        run: |
+          docker rm -f "$PG_CONTAINER" 2>/dev/null || true
+          docker run -d --name "$PG_CONTAINER" \
+            -e POSTGRES_USER=dev -e POSTGRES_PASSWORD=dev -e POSTGRES_DB=molecule \
+            -p 0:5432 postgres:16 >/dev/null
+          PG_PORT=$(docker port "$PG_CONTAINER" 5432/tcp | awk -F: '/^0\.0\.0\.0:/ {print $2; exit}')
+          [ -n "$PG_PORT" ] || PG_PORT=$(docker port "$PG_CONTAINER" 5432/tcp | head -1 | awk -F: '{print $NF}')
+          if [ -z "$PG_PORT" ]; then
+            echo "::error::Could not resolve host port for $PG_CONTAINER"
+            docker logs "$PG_CONTAINER" || true; exit 1
+          fi
+          echo "DATABASE_URL=postgres://dev:dev@127.0.0.1:${PG_PORT}/molecule?sslmode=disable" >> "$GITHUB_ENV"
+          for i in $(seq 1 30); do
+            docker exec "$PG_CONTAINER" pg_isready -U dev >/dev/null 2>&1 && { echo "Postgres ready after ${i}s"; exit 0; }
+            sleep 1
+          done
+          echo "::error::Postgres did not become ready in 30s"; docker logs "$PG_CONTAINER" || true; exit 1
+      - name: Start Redis (docker, ephemeral port)
+        run: |
+          docker rm -f "$REDIS_CONTAINER" 2>/dev/null || true
+          docker run -d --name "$REDIS_CONTAINER" -p 0:6379 redis:7 >/dev/null
+          REDIS_PORT=$(docker port "$REDIS_CONTAINER" 6379/tcp | awk -F: '/^0\.0\.0\.0:/ {print $2; exit}')
+          [ -n "$REDIS_PORT" ] || REDIS_PORT=$(docker port "$REDIS_CONTAINER" 6379/tcp | head -1 | awk -F: '{print $NF}')
+          if [ -z "$REDIS_PORT" ]; then
+            echo "::error::Could not resolve host port for $REDIS_CONTAINER"
+            docker logs "$REDIS_CONTAINER" || true; exit 1
+          fi
+          echo "REDIS_URL=redis://127.0.0.1:${REDIS_PORT}" >> "$GITHUB_ENV"
+          for i in $(seq 1 15); do
+            docker exec "$REDIS_CONTAINER" redis-cli ping 2>/dev/null | grep -q PONG && { echo "Redis ready after ${i}s"; exit 0; }
+            sleep 1
+          done
+          echo "::error::Redis did not become ready in 15s"; docker logs "$REDIS_CONTAINER" || true; exit 1
+      - name: Build platform
+        working-directory: workspace-server
+        run: go build -o platform-server ./cmd/server
+      - name: Pick platform port
+        run: |
+          PLATFORM_PORT=$(python3 - <<'PY'
+          import socket
+          with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
+              s.bind(("127.0.0.1", 0))
+              print(s.getsockname()[1])
+          PY
+          )
+          echo "PORT=${PLATFORM_PORT}" >> "$GITHUB_ENV"
+          echo "BASE=http://127.0.0.1:${PLATFORM_PORT}" >> "$GITHUB_ENV"
+          echo "Platform host port: ${PLATFORM_PORT}"
+      - name: Kill stale platform-server before start
+        run: |
+          killed=0
+          for pid in $(grep -l "platform-serve" /proc/[0-9]*/comm 2>/dev/null); do
+            kpid="${pid%/comm}"; kpid="${kpid##*/}"
+            cmdline=$(cat "/proc/${kpid}/cmdline" 2>/dev/null | tr '\0' ' ')
+            if echo "$cmdline" | grep -q "platform-server"; then
+              echo "Killing stale platform-server pid ${kpid}"
+              kill "$kpid" 2>/dev/null || true; killed=$((killed + 1))
+            fi
+          done
+          [ "$killed" -gt 0 ] && sleep 2 || true
+          echo "stale-kill done ($killed killed)"
+      - name: Start platform (background)
+        working-directory: workspace-server
+        run: |
+          ./platform-server > platform.log 2>&1 &
+          echo $! > platform.pid
+      - name: Wait for /health
+        run: |
+          for i in $(seq 1 30); do
+            curl -sf "$BASE/health" > /dev/null && { echo "Platform up after ${i}s"; exit 0; }
+            sleep 1
+          done
+          echo "::error::Platform did not become healthy in 30s"
+          cat workspace-server/platform.log || true; exit 1
+      - name: Run LOCAL fresh-provision peer-visibility E2E (literal MCP list_peers)
+        # HONEST gate — NO continue-on-error. The local backend uses
+        # external-mode workspaces so this context tests the literal MCP
+        # peer-visibility path without coupling to template container boot.
+        run: bash tests/e2e/test_peer_visibility_mcp_local.sh
+      - name: Dump platform log on failure
+        if: failure()
+        run: cat workspace-server/platform.log || true
+      - name: Stop platform
+        if: always()
+        run: |
+          if [ -f workspace-server/platform.pid ]; then
+            kill "$(cat workspace-server/platform.pid)" 2>/dev/null || true
+          fi
+      - name: Stop service containers
+        if: always()
+        run: |
+          docker rm -f "$PG_CONTAINER" 2>/dev/null || true
+          docker rm -f "$REDIS_CONTAINER" 2>/dev/null || true
+
+  # Real STAGING gate: provisions a throwaway org + sibling-per-runtime,
+  # drives the LITERAL list_peers MCP call per runtime, asserts 200 +
+  # expected peer set, then scoped teardown. push(main)/dispatch/cron only.
  peer-visibility:
    name: E2E Peer Visibility
    runs-on: ubuntu-latest
@@ -16,9 +16,9 @@ name: E2E Staging Canvas (Playwright)
 # e2e-staging-saas.yml (which tests the API shape) by exercising the
 # actual browser + canvas bundle against live staging.
 #
-# Triggers: push to main/staging or PR touching canvas sources + this workflow,
-# manual dispatch, and weekly cron to catch browser/runtime drift even
-# when canvas is quiet.
+# Triggers: push to main, PR touching canvas sources + this workflow only
+# after the PR enters `merge-queue`, manual dispatch, and scheduled cron to
+# catch browser/runtime drift even when canvas is quiet.
 # Added staging to push/pull_request branches so the auto-promote gate
 # check (--event push --branch staging) can see a completed run for this
 # workflow — mirrors what PR #1891 does for e2e-api.yml.
@@ -37,9 +37,10 @@ on:
  pull_request:
    branches: [main]
  schedule:
-    # Weekly on Sunday 08:00 UTC — catches Chrome / Playwright / Next.js
+    # Nightly at 08:00 UTC — catches Chrome / Playwright / Next.js
    # release-note-shaped regressions that don't ride in with a PR.
-    - cron: '0 8 * * 0'
+    - cron: '0 8 * * *'
+  workflow_dispatch:

 concurrency:
  # Per-SHA grouping (changed 2026-04-28 from a single global group). The
@@ -79,10 +80,13 @@ jobs:
        with:
          fetch-depth: 0
      - id: decide
+        env:
+          GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          QUEUE_LABEL: merge-queue
        # Inline replacement for dorny/paths-filter — see e2e-api.yml.
-        # Cron triggers always run real work (no diff context).
+        # Cron and manual triggers always run real work (no diff context).
        run: |
-          if [ "${{ github.event_name }}" = "schedule" ]; then
+          if [ "${{ github.event_name }}" = "schedule" ] || [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
            echo "canvas=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
@@ -102,9 +106,26 @@ jobs:
            exit 0
          fi
          CHANGED=$(git diff --name-only "$BASE" HEAD)
-          if echo "$CHANGED" | grep -qE '^(canvas/|\.gitea/workflows/e2e-staging-canvas\.yml$)'; then
+          if ! echo "$CHANGED" | grep -qE '^(canvas/|\.gitea/workflows/e2e-staging-canvas\.yml$)'; then
+            echo "canvas=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          if [ "${{ github.event_name }}" != "pull_request" ]; then
+            echo "canvas=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          authfile=$(mktemp)
+          chmod 600 "$authfile"
+          printf 'header = "Authorization: token %s"\n' "$GITEA_TOKEN" > "$authfile"
+          labels=$(curl -fsS -K "$authfile" \
+            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels" \
+            | python3 -c 'import json,sys; print("\n".join(label.get("name","") for label in json.load(sys.stdin)))')
+          rm -f "$authfile"
+          if printf '%s\n' "$labels" | grep -qx "$QUEUE_LABEL"; then
            echo "canvas=true" >> "$GITHUB_OUTPUT"
          else
+            echo "PR is not in merge-queue; skipping heavy E2E Staging Canvas for normal PR path."
            echo "canvas=false" >> "$GITHUB_OUTPUT"
          fi

@@ -169,7 +190,14 @@ jobs:
      - name: Install Playwright browsers
        if: needs.detect-changes.outputs.canvas == 'true'
        timeout-minutes: 10
-        run: npx playwright install --with-deps chromium
+        run: |
+          PREBAKED_PLAYWRIGHT=/ms-playwright
+          if [ -d "${PREBAKED_PLAYWRIGHT}" ] && find "${PREBAKED_PLAYWRIGHT}" -maxdepth 3 -type f -name 'chrome' | grep -q .; then
+            echo "Using prebaked Playwright Chromium from ${PREBAKED_PLAYWRIGHT}"
+            echo "PLAYWRIGHT_BROWSERS_PATH=${PREBAKED_PLAYWRIGHT}" >> "$GITHUB_ENV"
+            exit 0
+          fi
+          npx playwright install --with-deps chromium

      - name: Run staging canvas E2E
        if: needs.detect-changes.outputs.canvas == 'true'
@@ -13,8 +13,12 @@ name: gitea-merge-queue
 #   - add `merge-queue-hold` to pause a queued PR without removing it

 on:
-  schedule:
-    - cron: '*/5 * * * *'
+  # Schedule moved to operator-config:
+  #   /etc/cron.d/molecule-core-merge-queue ->
+  #   /usr/local/bin/molecule-core-cron-bot.sh merge-queue
+  #
+  # The queue bot still processes one PR per tick, but no longer occupies
+  # one of the shared Actions runners just to poll.
  workflow_dispatch:

 permissions:
@@ -77,7 +77,16 @@ env:
 jobs:
  detect-changes:
    name: detect-changes
-    runs-on: ubuntu-latest
+    # mc#1529 §1: pin to `docker-host` so the integration job runs on the
+    # operator-host runners (molecule-runner-*), which carry the
+    # `molecule-core-net` bridge network this workflow depends on. PC2
+    # runners (hongming-pc-runner-*) also advertise ubuntu-latest but
+    # don't have that network — the previous `runs-on: ubuntu-latest`
+    # rolled the dice and hard-failed the bridge-inspect step ~30% of
+    # the time. detect-changes itself doesn't need the bridge, but keeping
+    # both jobs on the same label avoids workspace-volume cross-host
+    # surprises and keeps the routing rule discoverable in one place.
+    runs-on: docker-host
    # mc#774 Phase 3 (RFC §1): surface broken workflows without blocking.
    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
@@ -92,36 +101,13 @@ jobs:
          # not present in the shallow checkout.
          fetch-depth: 2
      - id: filter
-        # Inline replacement for dorny/paths-filter — see e2e-api.yml.
        run: |
-          # Gitea Actions evaluates github.event.before to empty string in shell
-          # scripts. Use GITHUB_EVENT_BEFORE shell env var instead (Gitea
-          # correctly populates it for push events). PR case uses template var.
-          BASE=""
-          if [ "${{ github.event_name }}" = "pull_request" ] && [ -n "${{ github.event.pull_request.base.sha }}" ]; then
-            BASE="${{ github.event.pull_request.base.sha }}"
-          elif [ -n "$GITHUB_EVENT_BEFORE" ]; then
-            BASE="$GITHUB_EVENT_BEFORE"
-          fi
-          if [ -z "$BASE" ] || echo "$BASE" | grep -qE '^0+$'; then
-            echo "handlers=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          # timeout 30 guards against the case where BASE points to a ref that
-          # git can resolve but cat-file hangs (rare on corrupted objects).
-          if ! timeout 30 git cat-file -e "$BASE" 2>/dev/null; then
-            git fetch --depth=1 origin "$BASE" 2>/dev/null || true
-          fi
-          if ! timeout 30 git cat-file -e "$BASE" 2>/dev/null; then
-            echo "handlers=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          CHANGED=$(git diff --name-only "$BASE" HEAD)
-          if echo "$CHANGED" | grep -qE '^(workspace-server/internal/handlers/|workspace-server/internal/wsauth/|workspace-server/migrations/|\.gitea/workflows/handlers-postgres-integration\.yml$)'; then
-            echo "handlers=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "handlers=false" >> "$GITHUB_OUTPUT"
-          fi
+          python3 .gitea/scripts/detect-changes.py \
+            --profile handlers-postgres \
+            --event-name "${{ github.event_name }}" \
+            --pr-base-sha "${{ github.event.pull_request.base.sha }}" \
+            --base-ref "${{ github.event.pull_request.base.ref }}" \
+            --push-before "${GITHUB_EVENT_BEFORE:-}"

  # Single-job-with-per-step-if pattern: always runs to satisfy the
  # required-check name on branch protection; real work gates on the
@@ -129,7 +115,9 @@ jobs:
  integration:
    name: Handlers Postgres Integration
    needs: detect-changes
-    runs-on: ubuntu-latest
+    # mc#1529 §1: must run on operator-host (where `molecule-core-net`
+    # exists). See detect-changes for the full routing rationale.
+    runs-on: docker-host
    # mc#774 Phase 3 (RFC §1): surface broken workflows without blocking.
    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
@@ -62,7 +62,13 @@ env:
 jobs:
  # bp-exempt: change detector only; downstream Harness Replays is the meaningful gate.
  detect-changes:
-    runs-on: ubuntu-latest
+    # mc#1529 follow-on: pin to `docker-host` so this lane lands on
+    # Linux operator-host runners (the only ones with a working
+    # docker.sock + `molecule-core-net`). The bare `ubuntu-latest`
+    # label is also matched by hongming-pc-runner-* (Windows act_runner
+    # v1.0.3), where the `docker compose ...` exec below fails. Mirror
+    # of mc#1543; see internal#512 for class defect.
+    runs-on: docker-host
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
@@ -162,7 +168,9 @@ jobs:
  harness-replays:
    needs: detect-changes
    name: Harness Replays
-    runs-on: ubuntu-latest
+    # mc#1529 follow-on: `docker compose ... ps/logs` against tenant-alpha/
+    # beta containers. Must run on operator-host Linux (docker-host).
+    runs-on: docker-host
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
@@ -0,0 +1,182 @@
+name: Lint no tenant GITEA or GITHUB token write
+
+# Task #146 — CI guardrail companion to RFC#523's `lint-forbidden-env-keys.yml`.
+#
+# `lint-forbidden-env-keys.yml` (Layer 3) catches code that hardcodes a
+# forbidden env-var key NAME as a quoted literal in workspace_secrets
+# writer paths under workspace-server/internal/.
+#
+# This workflow catches a BROADER class: any code path that reads a
+# repo-host token (GITEA_TOKEN / GITHUB_TOKEN / GH_TOKEN) and then writes
+# it into a TENANT WORKSPACE's env, secret store, user-data, or
+# provision payload. This is the actual RFC#523 threat-model statement —
+# the goal is "no tenant workspace ever receives an operator-scope repo
+# token," not just "no _quoted_ literal `GITEA_TOKEN`." A future writer
+# could route the value via a variable, a struct field, or a config key
+# and slip past the existing literal scan; this lint catches those
+# routing patterns at PR review time.
+#
+# Scope
+#   Scans the WHOLE repo's Go sources (not just workspace-server/) for
+#   co-occurrences of:
+#     - a repo-host token NAME (GITEA_TOKEN / GITHUB_TOKEN / GH_TOKEN /
+#       GITEA_PAT / GITHUB_PAT) used as os.Getenv argument or string
+#       literal
+#     - within a file that ALSO references a tenant-writer surface
+#       (`tenant`, `workspace_secrets`, `global_secrets`, `seedAllowList`,
+#       `/settings/secrets`, `userData`, `provisionPayload`,
+#       `envVars[`, `containerEnv`).
+#
+#   Co-occurrence (not single-line) is the false-positive control: a
+#   file that just LOGS the variable name (e.g. "missing GITEA_TOKEN")
+#   without touching any tenant surface won't fire.
+#
+# Drift contract with lint-forbidden-env-keys.yml
+#   Both lints share the same FORBIDDEN_KEYS list (a subset — only the
+#   repo-host tokens, since this lint's threat model is "tenant gets
+#   write access to operator's git host"). If RFC#523's deny set grows,
+#   update BOTH this file AND lint-forbidden-env-keys.yml AND the Go
+#   source-of-truth in
+#   workspace-server/internal/handlers/workspace_provision_forbidden_env.go.
+#
+# Open-source-template-friendly
+#   The patterns scanned are generic (no MOLECULE_-prefix literals).
+#   A fork can copy this workflow as-is and adjust FORBIDDEN_KEYS.
+#
+# Path-filter discipline
+#   No `paths:` filter — required-status workflows must run on every PR
+#   per `feedback_path_filtered_workflow_cant_be_required`. Scan is
+#   sub-second.
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+  push:
+    branches: [main, staging]
+
+env:
+  GITHUB_SERVER_URL: https://git.moleculesai.app
+
+jobs:
+  # bp-exempt: advisory RFC#523 lint; PR review gate is review-driven, not BP-driven.
+  # (Carried with the workflow-name rename in PR mc#1593 so the renamed
+  # context emission satisfies lint_required_context_exists_in_bp Tier 2g.)
+  scan:
+    name: Scan for repo-host token write into tenant workspace surface
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 1
+
+      - name: Find Go files referencing a tenant-writer surface AND a repo-host token
+        run: |
+          set -euo pipefail
+
+          # Repo-host token NAMES — the threat-model subset. Operator-fleet
+          # tokens (CP_ADMIN_API_TOKEN, RAILWAY_TOKEN, INFISICAL_*) are
+          # caught by lint-forbidden-env-keys.yml's broader deny set; this
+          # lint focuses on the git-host class so a single co-occurrence
+          # match has a low false-positive rate.
+          FORBIDDEN_KEYS=(
+            "GITEA_TOKEN"
+            "GITEA_PAT"
+            "GITHUB_TOKEN"
+            "GITHUB_PAT"
+            "GH_TOKEN"
+          )
+
+          # Tenant-writer surface markers. A file matches the surface set
+          # if it references ANY of these strings. This is the "is this
+          # code path writing into a tenant workspace?" heuristic.
+          # Curated to catch the actual code shapes used in this repo
+          # (verified by grep against current main 2026-05-19):
+          #   - "workspace_secrets" / "global_secrets"  → DB table writes
+          #   - "seedAllowList"                          → CP-side seed table
+          #   - "/settings/secrets"                      → tenant HTTP API write
+          #   - "envVars["                               → in-memory env map write
+          #   - "containerEnv"                           → docker-run env-set
+          #   - "userData"                               → EC2 user-data script
+          #   - "provisionPayload" / "provisionContext"  → provision-request shape
+          SURFACE_PATTERN='workspace_secrets|global_secrets|seedAllowList|/settings/secrets|envVars\[|containerEnv|userData|provisionPayload|provisionContext'
+
+          # Files that legitimately reference these names AND a surface
+          # marker, but do so for guard / strip / test / doc-comment
+          # reasons. New entries require reviewer signoff and a one-line
+          # justification in the diff.
+          EXEMPT_FILES=(
+            # RFC#523 L1 deny-set source-of-truth + tests
+            "workspace-server/internal/handlers/workspace_provision_forbidden_env.go"
+            "workspace-server/internal/handlers/workspace_provision_forbidden_env_test.go"
+            # Forensic-#145 silent-strip denylist (defense-in-depth, by design lists the names)
+            "workspace-server/internal/provisioner/provisioner.go"
+            "workspace-server/internal/provisioner/provisioner_test.go"
+            # Pre-RFC#523 persona-fallback / org-helper paths. The L1
+            # fail-closed runs BEFORE these writers; downstream silent-strip
+            # also covers them. See applyAgentGitHTTPCreds doc-comment.
+            "workspace-server/internal/handlers/agent_git_identity.go"
+            "workspace-server/internal/handlers/org_helpers.go"
+            "workspace-server/internal/handlers/org.go"
+            # CP→platform admin auth (NOT a tenant env write).
+            "workspace-server/internal/provisioner/cp_provisioner.go"
+          )
+
+          # Build an extended-regex alternation of forbidden keys.
+          KEY_ALT="$(IFS='|'; echo "${FORBIDDEN_KEYS[*]}")"
+
+          # Find candidate files: Go non-test sources that contain a
+          # tenant-writer surface marker.
+          mapfile -t CANDIDATES < <(
+            grep -rlE --include='*.go' --exclude='*_test.go' \
+              "${SURFACE_PATTERN}" . 2>/dev/null \
+            | sed 's|^\./||' \
+            | sort -u
+          )
+
+          if [ "${#CANDIDATES[@]}" -eq 0 ]; then
+            echo "OK No tenant-writer-surface files found in tree (unexpected, but not a lint failure)."
+            exit 0
+          fi
+
+          HITS=""
+          for f in "${CANDIDATES[@]}"; do
+            # Skip exempt files.
+            skip=0
+            for ex in "${EXEMPT_FILES[@]}"; do
+              if [ "$f" = "$ex" ]; then skip=1; break; fi
+            done
+            [ "$skip" = "1" ] && continue
+
+            # File contains a surface marker; now grep for a forbidden
+            # key NAME. We require a QUOTED-literal match to avoid
+            # firing on a comment like "// also handle GITEA_TOKEN".
+            #
+            # The literal form catches:
+            #   - os.Getenv("GITEA_TOKEN")
+            #   - envVars["GITEA_TOKEN"] = ...
+            #   - {envKey: "GITEA_TOKEN", tenantKey: "GITEA_TOKEN"}
+            # but not:
+            #   - // see GITEA_TOKEN below   (no quotes)
+            found=$(grep -nE "\"(${KEY_ALT})\"" "$f" 2>/dev/null || true)
+            if [ -n "$found" ]; then
+              HITS="${HITS}--- ${f} ---\n${found}\n"
+            fi
+          done
+
+          if [ -n "$HITS" ]; then
+            echo "::error::Task #146 lint: repo-host token name(s) quoted in a tenant-writer-surface file:"
+            printf "$HITS"
+            echo ""
+            echo "These files reference a tenant-writer surface (workspace_secrets,"
+            echo "seedAllowList, /settings/secrets, containerEnv, userData, etc.)"
+            echo "AND quote a repo-host token name (GITEA_TOKEN/GITHUB_TOKEN/…)."
+            echo "Per RFC#523 threat model, tenant workspaces MUST NOT receive"
+            echo "operator-scope repo-host tokens. If your code legitimately needs"
+            echo "to reference one of these names in a tenant-writer file (e.g."
+            echo "a deny-set definition or silent-strip list), add the file to"
+            echo "EXEMPT_FILES with a one-line justification — reviewer signoff"
+            echo "required."
+            exit 1
+          fi
+
+          echo "OK No tenant-writer-surface file co-mentions a repo-host token literal."
@@ -0,0 +1,164 @@
+name: lint-required-workflows-docker-host-pinned
+
+# Fail-closed lint that catches workflows touching docker.sock without
+# pinning `runs-on:` to a Linux-only label.
+#
+# Class defect (internal#512 + mc#1529 + today's oc#81/82/83 + autogen#8):
+# the `ubuntu-latest` label is advertised by BOTH the Linux operator-host
+# runners (molecule-runner-*) AND the Windows act_runner v1.0.3 on
+# hongming-pc-runner-*. Job placement is non-deterministic. When a docker-
+# bound job lands on a Windows runner, `docker run`/`docker login`/
+# `docker compose` fail with platform-specific errors ("protocol not
+# available", "cannot exec", etc.) — placement-dependent, not transient.
+#
+# This lint enforces the convention: any workflow whose YAML body
+# contains a docker exec (`docker run|build|buildx|compose|pull|push|
+# exec|tag|login|cp|inspect|ps` OR `docker/build-push-action|docker/
+# login-action|docker/setup-buildx`) MUST pin every job's `runs-on:` to
+# one of:
+#   - docker-host  (general docker.sock work — molecule-runner-*)
+#   - publish      (image build/push — molecule-runner-publish-*)
+#
+# Comments and heredoc/markdown bodies that merely MENTION docker are
+# excluded by the detection rule (see scan.py below).
+#
+# Per `feedback_never_skip_ci`: this is fail-closed (exit 1 on miss).
+
+on:
+  pull_request:
+    paths:
+      - '.gitea/workflows/**'
+  push:
+    branches: [main, staging]
+    paths:
+      - '.gitea/workflows/**'
+
+permissions:
+  contents: read
+
+env:
+  GITHUB_SERVER_URL: https://git.moleculesai.app
+
+jobs:
+  lint-docker-host-pin:
+    name: Lint docker-host pin on docker-touching workflows
+    runs-on: docker-host
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Scan workflows for docker-bound jobs missing docker-host/publish pin
+        run: |
+          set -euo pipefail
+          python3 - <<'PY'
+          import os
+          import re
+          import sys
+
+          # Docker-step detection: real exec, not just word-mention in comments.
+          # We strip comment-only lines, then look for the docker subcommand
+          # tokens at word-boundary, OR uses: docker/* actions.
+          DOCKER_EXEC = re.compile(
+              r'(?<!\w)docker\s+(run|build|buildx|compose|pull|push|exec|tag|login|cp|inspect|ps)\b'
+          )
+          DOCKER_ACTION = re.compile(
+              r'uses:\s*docker/(build-push-action|login-action|setup-buildx-action|setup-qemu-action)'
+          )
+          # Detect a job header line like `  myjob:` (2-space indent) AND its runs-on.
+          JOB_HEADER = re.compile(r'^( {2})([a-zA-Z0-9_-]+):\s*$')
+          RUNS_ON    = re.compile(r'^( {4})runs-on:\s*(.+?)\s*$')
+
+          ALLOWED_LABELS = {'docker-host', 'publish'}
+
+          fails = []
+          warnings = []
+
+          # Gitea is SSOT for molecule-core CI per task #347 / memory
+          # reference_molecule_core_actions_gitea_only. The legacy
+          # .github/workflows/ tree was deleted in SSOT-Instance-4 (#331).
+          roots = []
+          for root in ('.gitea/workflows',):
+              if os.path.isdir(root):
+                  roots.append(root)
+
+          for root in roots:
+              for fn in sorted(os.listdir(root)):
+                  if not (fn.endswith('.yml') or fn.endswith('.yaml')):
+                      continue
+                  path = os.path.join(root, fn)
+                  with open(path) as f:
+                      raw_lines = f.readlines()
+
+                  # Parse job headers + their runs-on. Simple line scan; relies on
+                  # 2-space job indent + 4-space runs-on indent under `jobs:`.
+                  jobs = []
+                  current = None
+                  in_jobs = False
+                  for i, line in enumerate(raw_lines, 1):
+                      if re.match(r'^jobs:\s*$', line):
+                          in_jobs = True
+                          continue
+                      if not in_jobs:
+                          continue
+                      mh = JOB_HEADER.match(line)
+                      if mh:
+                          if current:
+                              current['end'] = i - 1
+                              jobs.append(current)
+                          current = {'name': mh.group(2), 'line': i, 'end': len(raw_lines), 'runs_on': None}
+                          continue
+                      mr = RUNS_ON.match(line)
+                      if mr and current and current['runs_on'] is None:
+                          current['runs_on'] = mr.group(2).strip()
+                  if current:
+                      jobs.append(current)
+
+                  for j in jobs:
+                      # Strip pure-comment lines for docker-exec detection so
+                      # documentation comments don't trigger the lint. Scan the
+                      # current job body only: a workflow may contain one
+                      # docker-bound job and several harmless metadata jobs.
+                      job_lines = raw_lines[j['line'] - 1:j['end']]
+                      scan_text = ''.join(
+                          l for l in job_lines
+                          if not re.match(r'^\s*#', l)
+                      )
+                      has_docker = bool(DOCKER_EXEC.search(scan_text)) or bool(DOCKER_ACTION.search(scan_text))
+                      if not has_docker:
+                          continue
+                      ro = j['runs_on']
+                      if ro is None:
+                          # Reusable workflow caller (`uses:` instead of `runs-on:`) —
+                          # skip; rule enforced in the called workflow.
+                          continue
+                      # Strip surrounding [ ] and quotes.
+                      ro_norm = ro.strip('[]').strip().strip('"\'')
+                      # Multi-label "[a, b]" — split.
+                      labels = [t.strip().strip('"\'') for t in ro_norm.split(',') if t.strip()]
+                      if any(lbl in ALLOWED_LABELS for lbl in labels):
+                          continue
+                      # Allow caller-supplied label expressions; spell the
+                      # marker indirectly so Gitea's expression parser does
+                      # not try to parse this Python heredoc.
+                      expression_marker = '$' + '{{'
+                      if any(expression_marker in lbl for lbl in labels):
+                          continue
+                      fails.append(
+                          f"{path}:{j['line']}: job `{j['name']}` uses docker but runs-on={ro!r} "
+                          f"(must be one of {sorted(ALLOWED_LABELS)})"
+                      )
+
+          if fails:
+              print("FAIL: docker-bound jobs missing docker-host/publish pin:")
+              for f in fails:
+                  print(f"  - {f}")
+              print()
+              print("Why this rule exists (internal#512 + mc#1529):")
+              print("  Bare `ubuntu-latest` is advertised by BOTH Linux operator-host")
+              print("  runners AND Windows hongming-pc-runner-* (act_runner v1.0.3).")
+              print("  Docker-bound jobs that land on Windows fail non-deterministically.")
+              print("  Pin to `docker-host` (general) or `publish` (image build/push).")
+              sys.exit(1)
+
+          print("OK: all docker-bound jobs are pinned to docker-host or publish.")
+          PY
@@ -0,0 +1,88 @@
+name: Lint shellcheck (arm64 pilot)
+
+# Mac-CI dual-track pilot (#233). ADDITIVE / NOT REQUIRED.
+#
+# Validates the arm64 self-hosted lane (no docker.sock, no privileged
+# ops) before any required gate moves onto it. Until a Mac arm64 runner
+# is registered with the `arm64` label, this workflow sits PENDING —
+# that is FINE: `arm64` is NOT in branch_protections required contexts.
+#
+# Pairs with internal#543 (RFC: Mac arm64 multi-arch runner-base).
+# No paths: filter on purpose (feedback_path_filtered_workflow_cant_be_required).
+
+on:
+  pull_request:
+    branches:
+      - main
+      - staging
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  shellcheck-arm64:
+    name: shellcheck-arm64 (pilot)
+    runs-on: [self-hosted, arm64]
+    # NOT a required check; safe to sit pending until Mac runner is up.
+    # If the Mac runner has trouble pulling actions/checkout we fall
+    # back to a plain git clone (see step 'fallback clone').
+    timeout-minutes: 10
+    env:
+      GITHUB_SERVER_URL: https://git.moleculesai.app
+    steps:
+      - name: Identify runner
+        run: |
+          set -eu
+          echo "arch=$(uname -m)"
+          echo "kernel=$(uname -sr)"
+          echo "shell=$BASH_VERSION"
+          # Sanity: must actually be arm64. If amd64 sneaks in here,
+          # fail fast — that means the label routing is wrong.
+          case "$(uname -m)" in
+            aarch64|arm64) echo "arm64 confirmed" ;;
+            *) echo "ERROR: expected arm64, got $(uname -m)"; exit 1 ;;
+          esac
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Install shellcheck (arm64)
+        run: |
+          set -eu
+          if command -v shellcheck >/dev/null 2>&1; then
+            echo "shellcheck already present: $(shellcheck --version | head -1)"
+          else
+            # Prefer apt if the runner base ships it; else download arm64 binary.
+            if command -v apt-get >/dev/null 2>&1; then
+              sudo apt-get update -qq
+              sudo apt-get install -y --no-install-recommends shellcheck
+            else
+              SC_VER=v0.10.0
+              curl -fsSL "https://github.com/koalaman/shellcheck/releases/download/${SC_VER}/shellcheck-${SC_VER}.linux.aarch64.tar.xz" \
+                | tar -xJf - --strip-components=1
+              sudo mv shellcheck /usr/local/bin/
+            fi
+          fi
+          shellcheck --version | head -2
+
+      - name: Run shellcheck on .gitea/scripts/*.sh
+        run: |
+          set -eu
+          # Only the scripts we control under .gitea/scripts. Pilot
+          # scope is intentionally narrow — broaden in a follow-up
+          # once the lane is proven.
+          mapfile -t TARGETS < <(find .gitea/scripts -maxdepth 2 -type f -name '*.sh' | sort)
+          if [ "${#TARGETS[@]}" -eq 0 ]; then
+            echo "No .sh files found under .gitea/scripts — nothing to check"
+            exit 0
+          fi
+          echo "Checking ${#TARGETS[@]} file(s):"
+          printf '  %s\n' "${TARGETS[@]}"
+          # SC1091 = couldn't follow non-constant source; expected for
+          # CI-time analysis without the full runtime layout.
+          shellcheck --severity=error --exclude=SC1091 "${TARGETS[@]}"
@@ -42,7 +42,13 @@ permissions:
  packages: write

 env:
-  IMAGE_NAME: 153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/canvas
+  # SSOT-Instance-10 (#333): ECR registry triplet (account.dkr.ecr.region.amazonaws.com)
+  # sourced from org/repo var `ECR_REGISTRY` with the current prod-account literal as
+  # bootstrap fallback. When the org var is set, the fallback becomes dead code and
+  # switching accounts/regions is a one-line change at the org level (instead of
+  # touching every workflow). Pattern mirrors `vars.CP_URL || 'literal'` already in
+  # use below in this repo's staging-verify.yml.
+  IMAGE_NAME: ${{ vars.ECR_REGISTRY || '153263036946.dkr.ecr.us-east-2.amazonaws.com' }}/molecule-ai/canvas
  GITHUB_SERVER_URL: https://git.moleculesai.app

 jobs:
@@ -1,167 +0,0 @@
-name: publish-runtime-autobump
-
-# Auto-bump-on-workspace-edit half of the publish pipeline.
-#
-# Why this file exists (issue #351):
-#   Gitea Actions does not correctly disambiguate `paths:` from `tags:`
-#   when both are bundled under a single `on.push` key. The result is
-#   that tag pushes get filtered out and `publish-runtime.yml` never
-#   fires — `action_run` rows: 0. This was unnoticed pre-2026-05-11
-#   because PYPI_TOKEN was absent (publishes would have failed anyway).
-#
-#   Split design:
-#     - publish-runtime.yml         : on.push.tags only        (the publisher)
-#     - publish-runtime-autobump.yml: on.push.branches+paths   (this file — the version-bumper)
-#
-#   This file computes the next version from PyPI's latest, pushes a
-#   `runtime-v$VERSION` tag, and exits. The tag push then triggers
-#   publish-runtime.yml via its tags-only trigger.
-#
-# Concurrency: shares the `publish-runtime` group with publish-runtime.yml
-# so concurrent workspace pushes serialize at the bump step. Without
-# this, two pushes minutes apart could both read PyPI latest=0.1.129
-# and try to tag 0.1.130 simultaneously, only one of which would land.
-
-on:
-  # Run on PR pushes to post a success status so Gitea can merge the PR.
-  # All steps use continue-on-error: true so operational failures
-  # (PyPI unreachable, DISPATCH_TOKEN missing) do not block merge.
-  pull_request:
-    paths:
-      - "workspace/**"
-  # Bump-and-tag on main/staging push (the actual operational trigger).
-  push:
-    branches:
-      - main
-      - staging
-    paths:
-      - "workspace/**"
-  # Manual dispatch — useful when Gitea Actions API (/actions/*) is
-  # unreachable (e.g. act_runner 404 on Gitea 1.22.6) and we cannot
-  # re-trigger via curl.
-  workflow_dispatch:
-
-permissions:
-  contents: write  # required to push tags back
-
-concurrency:
-  group: publish-runtime
-  cancel-in-progress: false
-
-jobs:
-  # PR-validation path: always succeeds so Gitea can merge workflow-only PRs.
-  # Operational failures (PyPI unreachable, missing DISPATCH_TOKEN) are
-  # surfaced via continue-on-error: true rather than blocking the merge.
-  # The actual bump work happens on the main/staging push after merge.
-  # bp-exempt: advisory validation for runtime publication; not a branch-protection gate.
-  pr-validate:
-    runs-on: ubuntu-latest
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
-    continue-on-error: true  # do not block PR merge on operational failures
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 1
-
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: "3.11"
-
-      - name: Validate PyPI connectivity (best-effort)
-        run: |
-          set -eu
-          echo "=== Checking PyPI accessibility ==="
-          LATEST=$(curl -fsS --retry 3 --max-time 10 \
-            https://pypi.org/pypi/molecule-ai-workspace-runtime/json \
-            | python -c "import sys,json; print(json.load(sys.stdin)['info']['version'])" \
-            || echo "PyPI unreachable (non-blocking for PR validation)")
-          echo "Latest: ${LATEST:-unknown}"
-
-  # Actual bump-and-tag: runs on main/staging pushes, posts real success/failure.
-  # No continue-on-error — operational failures here trip the main-red
-  # watchdog, which is the desired signal for infrastructure degradation.
-  # bp-exempt: post-merge tag publication side effect; CI / all-required gates source changes.
-  bump-and-tag:
-    runs-on: ubuntu-latest
-    # Only fire on push events (main/staging after PR merge). Pull_request
-    # events are handled by pr-validate above; we do NOT bump on every
-    # push-synchronize because that would race with the PR head.
-    #
-    # NOTE: the prior condition `github.event.pull_request.base.ref == ''`
-    # was broken — on a PR-merge push in Gitea Actions, the pull_request
-    # context is still attached (base.ref='main'), so the condition always
-    # evaluated to false and bump-and-tag was permanently skipped.
-    if: github.event_name == 'push'
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 1
-
-      - name: Fetch tags for collision check
-        run: git fetch origin --tags --depth=1
-
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: "3.11"
-
-      - name: Compute next version from PyPI latest and existing tags
-        id: bump
-        run: |
-          set -eu
-          LATEST=$(curl -fsS --retry 3 https://pypi.org/pypi/molecule-ai-workspace-runtime/json \
-            | python -c "import sys,json; print(json.load(sys.stdin)['info']['version'])")
-          MAJOR=$(echo "$LATEST" | cut -d. -f1)
-          MINOR=$(echo "$LATEST" | cut -d. -f2)
-          TAG_LATEST=$(git tag --list "runtime-v${MAJOR}.${MINOR}.*" \
-            | sed -E 's/^runtime-v//' \
-            | grep -E '^[0-9]+\.[0-9]+\.[0-9]+$' \
-            | sort -V \
-            | tail -1 || true)
-          VERSION=$(PYPI_LATEST="$LATEST" TAG_LATEST="$TAG_LATEST" python - <<'PY'
-          import os
-
-          def parse(v):
-              return tuple(int(part) for part in v.split("."))
-
-          pypi = os.environ["PYPI_LATEST"]
-          tag = os.environ.get("TAG_LATEST") or pypi
-          base = max(parse(pypi), parse(tag))
-          print(f"{base[0]}.{base[1]}.{base[2] + 1}")
-          PY
-          )
-          echo "PyPI latest=$LATEST, latest runtime tag=${TAG_LATEST:-none} -> next=$VERSION"
-          if ! echo "$VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+$'; then
-            echo "::error::computed version $VERSION does not match PEP 440 X.Y.Z"
-            exit 1
-          fi
-          if git tag --list | grep -qx "runtime-v$VERSION"; then
-            echo "::error::tag runtime-v$VERSION already exists in this repo. Manual intervention required (PyPI and Gitea tag history are out of sync)."
-            exit 1
-          fi
-          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
-
-      - name: Push runtime-v$VERSION tag
-        env:
-          DISPATCH_TOKEN: ${{ secrets.DISPATCH_TOKEN }}
-          VERSION: ${{ steps.bump.outputs.version }}
-          GITEA_URL: https://git.moleculesai.app
-        run: |
-          set -eu
-          if [ -z "$DISPATCH_TOKEN" ]; then
-            echo "::error::DISPATCH_TOKEN secret is not set — needed to push the tag back to molecule-core."
-            exit 1
-          fi
-          git config user.name  "publish-runtime autobump"
-          git config user.email "publish-runtime@moleculesai.app"
-          git tag -a "runtime-v$VERSION" \
-            -m "Auto-bump on workspace/** edit on $GITHUB_REF" \
-            -m "Triggered by: $GITHUB_REF @ $GITHUB_SHA" \
-            -m "publish-runtime.yml will pick up this tag and upload to PyPI"
-          # Push via DISPATCH_TOKEN (a Gitea PAT). Using the bot identity
-          # ensures the resulting tag-push event is dispatched to
-          # publish-runtime.yml; act_runner's default GITHUB_TOKEN cannot
-          # trigger downstream workflows.
-          git remote set-url origin "${GITEA_URL#https://}"
-          git remote set-url origin "https://x-access-token:${DISPATCH_TOKEN}@${GITEA_URL#https://}/molecule-ai/molecule-core.git"
-          git push origin "runtime-v$VERSION"
-          echo "✓ pushed runtime-v$VERSION — publish-runtime.yml should fire next"
@@ -1,345 +0,0 @@
-name: publish-runtime
-
-# Gitea Actions port of .github/workflows/publish-runtime.yml.
-#
-# Ported 2026-05-10 (issue #206). Key differences from the GitHub version:
-#   - Gitea Actions reads .gitea/workflows/, not .github/workflows/
-#   - Dropped `environment: pypi-publish` — Gitea Actions does not support
-#     named environments or OIDC trusted publishers
-#   - Replaced `pypa/gh-action-pypi-publish@release/v1` (OIDC) with
-#     `twine upload` using PYPI_TOKEN secret — same mechanism as a local
-#     `python -m twine upload` with a PyPI token
-#   - Replaced `github.ref_name` (GitHub-only) with `${GITHUB_REF#refs/tags/}`
-#     — Gitea Actions exposes github.ref (the full ref) but not ref_name
-#   - Dropped `merge_group` trigger (Gitea has no merge queue)
-#
-# 2026-05-10 (issue #348): originally restored `staging`/`main` branch +
-# `workspace/**` path-filter trigger in PR #349.
-#
-# 2026-05-11 (issue #351): REVERTED the branches+paths trigger from THIS
-# file. Bundling `paths` with `tags` under a single `on.push` key caused
-# Gitea Actions to never dispatch the workflow for tag-push events (0
-# runs in `action_run` for workflow_id='publish-runtime.yml' since the
-# port, including the runtime-v1.0.0 tag — which is why PyPI is still at
-# 0.1.129 despite a v1.0.0 Gitea tag existing).
-#
-# The auto-bump-on-workspace-edit trigger now lives in
-# `.gitea/workflows/publish-runtime-autobump.yml`. That file computes the
-# next version from PyPI's latest and pushes a `runtime-v$VERSION` tag,
-# which THIS file then picks up via the tags-only trigger below.
-#
-# This decoupling means Gitea's path-vs-tag evaluator never has to
-# disambiguate — each file has a single unambiguous trigger shape.
-#
-# PyPI publishing: requires PYPI_TOKEN repository secret (or org-level secret).
-# Set via: repo Settings → Actions → Variables and Secrets → New Secret.
-# The token should be a PyPI API token scoped to molecule-ai-workspace-runtime.
-#
-# The DISPATCH_TOKEN cascade (git push to template repos) is unchanged —
-# it uses the Gitea API directly and was already Gitea-compatible.
-
-on:
-  push:
-    tags:
-      - "runtime-v*"
-  workflow_dispatch:
-  # 2026-05-11 (root cause of #351 / 0 runs ever):
-  # Gitea 1.22.6's workflow parser rejects `workflow_dispatch.inputs.version`
-  # with "unknown on type" — it mis-treats the inputs sub-keys as top-level
-  # `on:` event types. Log line:
-  #   actions/workflows.go:DetectWorkflows() [W] ignore invalid workflow
-  #   "publish-runtime.yml": unknown on type: map["version": {...}]
-  # That `[W] ignore invalid workflow` is silent UX — the workflow never
-  # registers, so it never fires for ANY event (push.tags included).
-  # Removing the inputs block restores parsing. Manual dispatch from the
-  # Gitea UI now triggers the PyPI auto-bump fallback in `Derive version`
-  # below (no `inputs.version` to read).
-
-permissions:
-  contents: read
-
-# Serialize publishes so two concurrent tag pushes don't both compute
-# "latest+1" and race on PyPI upload. The second one waits.
-concurrency:
-  group: publish-runtime
-  cancel-in-progress: false
-
-jobs:
-  publish:
-    # Dedicated publish/release lane (internal#462 / #394 / #399). Ship
-    # path (on: push tag runtime-v*) — reserved capacity, never FIFO
-    # behind PR-CI. `publish` resolves only to molecule-runner-publish-*.
-    runs-on: publish
-    outputs:
-      version: ${{ steps.version.outputs.version }}
-      wheel_sha256: ${{ steps.wheel_hash.outputs.wheel_sha256 }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: "3.11"
-          cache: pip
-
-      - name: Derive version (tag or PyPI auto-bump)
-        id: version
-        run: |
-          if echo "$GITHUB_REF" | grep -q "^refs/tags/runtime-v"; then
-            # Tag is `runtime-vX.Y.Z` — strip the prefix.
-            VERSION="${GITHUB_REF#refs/tags/runtime-v}"
-          else
-            # workflow_dispatch path (no inputs supported on Gitea 1.22.6) or
-            # any other non-tag trigger: derive from PyPI latest + patch bump.
-            LATEST=$(curl -fsS --retry 3 https://pypi.org/pypi/molecule-ai-workspace-runtime/json \
-              | python -c "import sys,json; print(json.load(sys.stdin)['info']['version'])")
-            MAJOR=$(echo "$LATEST" | cut -d. -f1)
-            MINOR=$(echo "$LATEST" | cut -d. -f2)
-            PATCH=$(echo "$LATEST" | cut -d. -f3)
-            VERSION="${MAJOR}.${MINOR}.$((PATCH+1))"
-            echo "Auto-bumped from PyPI latest $LATEST -> $VERSION"
-          fi
-          if ! echo "$VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+(\.dev[0-9]+|rc[0-9]+|a[0-9]+|b[0-9]+|\.post[0-9]+)?$'; then
-            echo "::error::version $VERSION does not match PEP 440"
-            exit 1
-          fi
-          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
-          echo "Publishing molecule-ai-workspace-runtime $VERSION"
-
-      - name: Install build tooling
-        run: pip install build twine
-
-      - name: Build package from workspace/
-        run: |
-          python scripts/build_runtime_package.py \
-            --version "${{ steps.version.outputs.version }}" \
-            --out "${{ runner.temp }}/runtime-build"
-
-      - name: Build wheel + sdist
-        working-directory: ${{ runner.temp }}/runtime-build
-        run: python -m build
-
-      - name: Capture wheel SHA256 for cascade content-verification
-        id: wheel_hash
-        working-directory: ${{ runner.temp }}/runtime-build
-        run: |
-          set -eu
-          WHEEL=$(ls dist/*.whl 2>/dev/null | head -1)
-          if [ -z "$WHEEL" ]; then
-            echo "::error::No .whl in dist/ — \`python -m build\` must have failed silently"
-            exit 1
-          fi
-          HASH=$(sha256sum "$WHEEL" | awk '{print $1}')
-          echo "wheel_sha256=${HASH}" >> "$GITHUB_OUTPUT"
-          echo "Local wheel SHA256 (pre-upload): ${HASH}"
-          echo "Wheel filename: $(basename "$WHEEL")"
-
-      - name: Verify package contents (sanity)
-        working-directory: ${{ runner.temp }}/runtime-build
-        run: |
-          python -m twine check dist/*
-          python -m venv /tmp/smoke
-          /tmp/smoke/bin/pip install --quiet dist/*.whl
-          /tmp/smoke/bin/python "$GITHUB_WORKSPACE/scripts/wheel_smoke.py"
-
-      - name: Publish to PyPI
-        # working-directory matches the preceding Build/Verify steps. Without
-        # this, twine runs from the default workspace checkout dir where
-        # `dist/` doesn't exist and fails with:
-        #   ERROR InvalidDistribution: Cannot find file (or expand pattern): 'dist/*'
-        # Caught on the first-ever successful dispatch of this workflow
-        # (run 5097, 2026-05-11 02:08Z) — every other step in the publish
-        # job already had this working-directory; Publish was missing it.
-        working-directory: ${{ runner.temp }}/runtime-build
-        env:
-          # PYPI_TOKEN: repository secret scoped to molecule-ai-workspace-runtime.
-          # Set via: Settings → Actions → Variables and Secrets → New Secret.
-          # Format: pypi-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-          PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
-        run: |
-          if [ -z "$PYPI_TOKEN" ]; then
-            echo "::error::PYPI_TOKEN secret is not set — set it at Settings → Actions → Variables and Secrets → New Secret."
-            echo "::error::Required format: pypi-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
-            exit 1
-          fi
-          python -m twine upload \
-            --verbose \
-            --repository pypi \
-            --username __token__ \
-            --password "$PYPI_TOKEN" \
-            dist/*
-
-  cascade:
-    needs: publish
-    # Publish/release lane (internal#462) — downstream of the runtime
-    # publish ship job; keep it on the reserved lane too.
-    runs-on: publish
-    steps:
-      - name: Wait for PyPI to propagate the new version
-        env:
-          RUNTIME_VERSION: ${{ needs.publish.outputs.version }}
-          EXPECTED_SHA256: ${{ needs.publish.outputs.wheel_sha256 }}
-        run: |
-          set -eu
-          if [ -z "$EXPECTED_SHA256" ]; then
-            echo "::error::publish job did not expose wheel_sha256 — cannot verify wheel content. Refusing to fan out cascade."
-            exit 1
-          fi
-          python -m venv /tmp/propagation-probe
-          PROBE=/tmp/propagation-probe/bin
-          $PROBE/pip install --upgrade --quiet pip
-          for i in $(seq 1 30); do
-            if $PROBE/pip install \
-                  --quiet \
-                  --no-cache-dir \
-                  --force-reinstall \
-                  --no-deps \
-                  "molecule-ai-workspace-runtime==${RUNTIME_VERSION}" \
-                  >/dev/null 2>&1; then
-              INSTALLED=$($PROBE/pip show molecule-ai-workspace-runtime 2>/dev/null \
-                          | awk -F': ' '/^Version:/{print $2}')
-              if [ "$INSTALLED" = "$RUNTIME_VERSION" ]; then
-                echo "✓ PyPI resolved $RUNTIME_VERSION (install check)"
-                break
-              fi
-            fi
-            if [ $i -eq 30 ]; then
-              echo "::error::pip install --no-cache-dir molecule-ai-workspace-runtime==${RUNTIME_VERSION} never resolved within ~5 min."
-              echo "::error::Refusing to fan out cascade against a potentially stale PyPI index."
-              exit 1
-            fi
-            echo "  [$i/30] waiting for PyPI to propagate ${RUNTIME_VERSION}..."
-            sleep 4
-          done
-
-          # Stage (b): download wheel + SHA256 compare against what we built.
-          # Catches Fastly stale-content serving old bytes under a new version URL.
-          #
-          # Caught run 5196 (first-ever successful publish, 2026-05-11): the
-          # previous one-liner `HASH=$(pip download ... && sha256sum ...)`
-          # captured pip's stdout (`Collecting molecule-ai-workspace-runtime
-          # ==X.Y.Z`) into HASH, then the SHA comparison failed against the
-          # leaked `Collecting...` string. `2>/dev/null` silences stderr but
-          # NOT stdout; pip writes its progress to stdout by default.
-          # Fix: split into two steps, silence pip's stdout explicitly, capture
-          # only sha256sum's output into HASH.
-          python -m pip download \
-            --no-deps \
-            --no-cache-dir \
-            --dest /tmp/wheel-probe \
-            --quiet \
-            "molecule-ai-workspace-runtime==${RUNTIME_VERSION}" \
-            >/dev/null 2>&1
-          HASH=$(sha256sum /tmp/wheel-probe/*.whl | awk '{print $1}')
-          if [ "$HASH" != "$EXPECTED_SHA256" ]; then
-            echo "::error::PyPI propagated $RUNTIME_VERSION but wheel content SHA256 mismatch."
-            echo "::error::Expected: $EXPECTED_SHA256"
-            echo "::error::Got:      $HASH"
-            echo "::error::Fastly may be serving stale content. Refusing to fan out cascade."
-            exit 1
-          fi
-          echo "✓ PyPI CDN verified (SHA256 match)"
-
-      - name: Fan out via push to .runtime-version
-        env:
-          # Gitea PAT with write:repository scope on the 8 cascade-active
-          # template repos. Used for git push to each template repo's main
-          # branch, which trips their `on: push: branches: [main]` trigger
-          # on publish-image.yml.
-          DISPATCH_TOKEN: ${{ secrets.DISPATCH_TOKEN }}
-          RUNTIME_VERSION: ${{ needs.publish.outputs.version }}
-        run: |
-          set +e   # don't abort on a single repo failure — collect them all
-
-          if [ -z "$DISPATCH_TOKEN" ]; then
-            if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-              echo "::warning::DISPATCH_TOKEN secret not set — skipping cascade."
-              echo "::warning::set it at Settings → Actions → Variables and Secrets → New Secret."
-              exit 0
-            fi
-            echo "::error::DISPATCH_TOKEN secret missing — cascade cannot fan out."
-            echo "::error::PyPI was published, but the 8 template repos will NOT pick up the new version."
-            exit 1
-          fi
-          VERSION="$RUNTIME_VERSION"
-          if [ -z "$VERSION" ]; then
-            echo "::error::publish job did not expose a version output"
-            exit 1
-          fi
-
-          GITEA_URL="${GITEA_URL:-https://git.moleculesai.app}"
-          TEMPLATES="claude-code hermes openclaw codex langgraph crewai autogen deepagents gemini-cli"
-          FAILED=""
-          SKIPPED=""
-
-          git config --global user.name  "publish-runtime cascade"
-          git config --global user.email "publish-runtime@moleculesai.app"
-
-          WORKDIR="$(mktemp -d)"
-          for tpl in $TEMPLATES; do
-            REPO="molecule-ai/molecule-ai-workspace-template-$tpl"
-            CLONE="$WORKDIR/$tpl"
-
-            HTTP=$(curl -sS -o /dev/null -w "%{http_code}" \
-              -H "Authorization: token $DISPATCH_TOKEN" \
-              "$GITEA_URL/api/v1/repos/$REPO/contents/.github/workflows/publish-image.yml")
-            if [ "$HTTP" = "404" ]; then
-              echo "↷ $tpl has no publish-image.yml — soft-skip"
-              SKIPPED="$SKIPPED $tpl"
-              continue
-            fi
-
-            attempt=0
-            success=false
-            while [ $attempt -lt 3 ]; do
-              attempt=$((attempt + 1))
-              rm -rf "$CLONE"
-              if ! git clone --depth=1 \
-                  "https://x-access-token:${DISPATCH_TOKEN}@${GITEA_URL#https://}/$REPO.git" \
-                  "$CLONE" >/tmp/clone.log 2>&1; then
-                echo "::warning::clone $tpl attempt $attempt failed: $(tail -n3 /tmp/clone.log)"
-                sleep 2
-                continue
-              fi
-
-              cd "$CLONE"
-              echo "$VERSION" > .runtime-version
-
-              if git diff --quiet -- .runtime-version; then
-                echo "✓ $tpl already at $VERSION — no commit needed"
-                success=true
-                cd - >/dev/null
-                break
-              fi
-
-              git add .runtime-version
-              git commit -m "chore: pin runtime to $VERSION (publish-runtime cascade)" \
-                -m "Co-Authored-By: publish-runtime cascade <publish-runtime@moleculesai.app>" \
-                >/dev/null
-
-              if git push origin HEAD:main >/tmp/push.log 2>&1; then
-                echo "✓ $tpl pushed $VERSION on attempt $attempt"
-                success=true
-                cd - >/dev/null
-                break
-              fi
-
-              echo "::warning::push $tpl attempt $attempt failed, pull-rebasing"
-              git pull --rebase origin main >/tmp/rebase.log 2>&1 || true
-              cd - >/dev/null
-            done
-
-            if [ "$success" != "true" ]; then
-              FAILED="$FAILED $tpl"
-            fi
-          done
-          rm -rf "$WORKDIR"
-
-          if [ -n "$FAILED" ]; then
-            echo "::error::Cascade incomplete after 3 retries each. Failed:$FAILED"
-            exit 1
-          fi
-          if [ -n "$SKIPPED" ]; then
-            echo "Cascade complete: pinned $VERSION. Soft-skipped (no publish-image.yml):$SKIPPED"
-          else
-            echo "Cascade complete: $VERSION pinned across all manifest workspace_templates."
-          fi
@@ -43,14 +43,28 @@ on:
 # `cancel-in-progress: false`; that is not acceptable for a workflow with a
 # production deploy job. Per-SHA image tags are immutable, and staging-latest is
 # best-effort last-writer-wins metadata.
+#
+# 2026-05-20 retrigger: run #86994 on mc#1589 merge sha 0f0f1ba2 failed at
+# setup-buildx-action with EACCES on PC2 WSL publish runner — the runner's
+# DOCKER_CONFIG=/home/hongming/.docker-ecr/ dir didn't have a buildx/certs
+# subdir writable by the container's UID 1001. Hot-patched the dir perms;
+# this chore push retriggers the workflow. Proper fix (per-runner
+# DOCKER_CONFIG owned by 1001, internal#597 --env HOME=/home/runner pattern)
+# is tracked as a CI-hygiene follow-up — not in scope here.

 permissions:
  contents: read
  packages: write

 env:
-  IMAGE_NAME: 153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/platform
-  TENANT_IMAGE_NAME: 153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/platform-tenant
+  # SSOT-Instance-10 (#333): ECR registry triplet (account.dkr.ecr.region.amazonaws.com)
+  # sourced from org/repo var `ECR_REGISTRY` with the current prod-account literal as
+  # bootstrap fallback. When the org var is set, the fallback becomes dead code and
+  # switching accounts/regions is a one-line change at the org level (instead of
+  # touching every workflow). Pattern mirrors `vars.CP_URL || 'literal'` already in
+  # use below in this repo's staging-verify.yml.
+  IMAGE_NAME: ${{ vars.ECR_REGISTRY || '153263036946.dkr.ecr.us-east-2.amazonaws.com' }}/molecule-ai/platform
+  TENANT_IMAGE_NAME: ${{ vars.ECR_REGISTRY || '153263036946.dkr.ecr.us-east-2.amazonaws.com' }}/molecule-ai/platform-tenant

 jobs:
  build-and-push:
@@ -151,6 +151,11 @@ jobs:
            exit 1
          fi

+          # confirm:true ack required by CP /cp/admin/tenants/redeploy-fleet
+          # contract (cp#228 / task #308) for fleet-wide intent. Empty body
+          # / {confirm:false} / {only_slugs:[]} → 400. This caller redeploys
+          # the entire prod fleet (canary + fan-out), no slug scoping, so
+          # confirm:true is correct.
          BODY=$(jq -nc \
            --arg tag "$TARGET_TAG" \
            --arg canary "$CANARY_SLUG" \
@@ -162,7 +167,8 @@ jobs:
              canary_slug: $canary,
              soak_seconds: $soak,
              batch_size: $batch,
-              dry_run: $dry
+              dry_run: $dry,
+              confirm: true
            }')

          echo "POST $CP_URL/cp/admin/tenants/redeploy-fleet"
@@ -123,6 +123,11 @@ jobs:
            exit 1
          fi

+          # confirm:true ack required by CP /cp/admin/tenants/redeploy-fleet
+          # contract (cp#228 / task #308) for fleet-wide intent. Empty body
+          # / {confirm:false} / {only_slugs:[]} → 400. Staging IS the
+          # canary, no slug scoping; this rolls the entire staging fleet,
+          # so confirm:true is correct.
          BODY=$(jq -nc \
            --arg tag "$TARGET_TAG" \
            --arg canary "$CANARY_SLUG" \
@@ -134,7 +139,8 @@ jobs:
              canary_slug: $canary,
              soak_seconds: $soak,
              batch_size: $batch,
-              dry_run: $dry
+              dry_run: $dry,
+              confirm: true
            }')

          echo "POST $CP_URL/cp/admin/tenants/redeploy-fleet"
@@ -1,11 +1,16 @@
-# Consolidated comment dispatcher for manual review/tier refires.
+# DEPRECATED — superseded by `.gitea/workflows/sop-checklist.yml`.
 #
+# The review-refire logic (qa/security/tier slash-command dispatch) has been
+# merged into sop-checklist.yml as the `review-refire` job. This workflow
+# is kept as a no-op stub to avoid a gap during the transition window where
+# this file may be deleted while sop-checklist.yml has not yet been merged.
+#
+# After sop-checklist.yml lands, this file will be deleted (issue #1280).
+#
+# Historical behavior (superseded):
 # Gitea 1.22 queues one run per workflow subscribed to `issue_comment` before
-# evaluating job-level `if:`. SOP-heavy PRs therefore created queue storms when
-# qa-review, security-review, sop-checklist, and sop-tier-refire all
-# listened to comments. This workflow is the single non-SOP comment subscriber:
-# ordinary comments no-op quickly; slash commands post the required status
-# contexts to the PR head SHA.
+# evaluating job-level `if:`. Previously this workflow was the single
+# non-SOP comment subscriber for qa/security/tier refire slash commands.

 name: review-refire-comments

@@ -23,91 +28,12 @@ concurrency:
  cancel-in-progress: true

 jobs:
+  # No-op stub — all refire logic moved to sop-checklist.yml review-refire job.
+  # Kept to avoid transition gap; will be deleted after sop-checklist.yml merges.
  dispatch:
    runs-on: ubuntu-latest
    steps:
-      - name: Classify comment
-        id: classify
-        env:
-          COMMENT_BODY: ${{ github.event.comment.body }}
-          IS_PR: ${{ github.event.issue.pull_request != null }}
+      - name: Deprecated — refire logic moved to sop-checklist.yml
        run: |
-          set -euo pipefail
-          {
-            echo "run_qa=false"
-            echo "run_security=false"
-            echo "run_tier=false"
-          } >> "$GITHUB_OUTPUT"
-          if [ "$IS_PR" != "true" ]; then
-            echo "::notice::not a PR comment; no-op"
-            exit 0
-          fi
-          first_line=$(printf '%s\n' "$COMMENT_BODY" | sed -n '1p')
-          case "$first_line" in
-            /qa-recheck*)
-              echo "run_qa=true" >> "$GITHUB_OUTPUT"
-              ;;
-            /security-recheck*)
-              echo "run_security=true" >> "$GITHUB_OUTPUT"
-              ;;
-            /refire-tier-check*)
-              echo "run_tier=true" >> "$GITHUB_OUTPUT"
-              ;;
-            *)
-              echo "::notice::no supported review refire slash command; no-op"
-              ;;
-          esac
-
-      - name: Check out BASE ref for trusted scripts
-        if: |
-          steps.classify.outputs.run_qa == 'true' ||
-          steps.classify.outputs.run_security == 'true' ||
-          steps.classify.outputs.run_tier == 'true'
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          ref: ${{ github.event.repository.default_branch }}
-
-      - name: Refire qa-review status
-        if: steps.classify.outputs.run_qa == 'true'
-        env:
-          GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
-          GITEA_HOST: git.moleculesai.app
-          REPO: ${{ github.repository }}
-          PR_NUMBER: ${{ github.event.issue.number }}
-          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
-          TEAM: qa
-          TEAM_ID: '20'
-          REVIEW_CHECK_DEBUG: '0'
-          REVIEW_CHECK_STRICT: '0'
-          COMMENT_AUTHOR: ${{ github.event.comment.user.login }}
-        run: |
-          set -euo pipefail
-          .gitea/scripts/review-refire-status.sh
-
-      - name: Refire security-review status
-        if: steps.classify.outputs.run_security == 'true'
-        env:
-          GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
-          GITEA_HOST: git.moleculesai.app
-          REPO: ${{ github.repository }}
-          PR_NUMBER: ${{ github.event.issue.number }}
-          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
-          TEAM: security
-          TEAM_ID: '21'
-          REVIEW_CHECK_DEBUG: '0'
-          REVIEW_CHECK_STRICT: '0'
-          COMMENT_AUTHOR: ${{ github.event.comment.user.login }}
-        run: |
-          set -euo pipefail
-          .gitea/scripts/review-refire-status.sh
-
-      - name: Refire sop-tier-check status
-        if: steps.classify.outputs.run_tier == 'true'
-        env:
-          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
-          GITEA_HOST: git.moleculesai.app
-          REPO: ${{ github.repository }}
-          PR_NUMBER: ${{ github.event.issue.number }}
-          COMMENT_AUTHOR: ${{ github.event.comment.user.login }}
-          SOP_DEBUG: '0'
-        run: bash .gitea/scripts/sop-tier-refire.sh
+          echo "::warning::review-refire-comments.yml is deprecated. Refire logic is now in sop-checklist.yml review-refire job. This workflow is a no-op stub pending deletion (issue #1280)."
+          exit 0
@@ -1,101 +0,0 @@
-name: Runtime Pin Compatibility
-
-# Ported from .github/workflows/runtime-pin-compat.yml on 2026-05-11 per
-# RFC internal#219 §1 sweep.
-#
-# Differences from the GitHub version:
-#   - Dropped `merge_group:` (no Gitea merge queue) and
-#     `workflow_dispatch:` (no inputs, but the trigger itself is
-#     parser-rejected when inputs are absent in some Gitea 1.22.x
-#     builds; safest to drop entirely — manual runs go via cron-trigger
-#     bump or push-with-paths-filter).
-#   - on.paths references .gitea/workflows/runtime-pin-compat.yml (this
-#     file) instead of the .github/ one.
-#   - Workflow-level env.GITHUB_SERVER_URL set.
-#   - `continue-on-error: true` on the job (RFC §1 contract).
-#
-# CI gate that prevents the 5-hour staging outage from 2026-04-24 from
-# recurring (controlplane#253). The original failure mode:
-#   1. molecule-ai-workspace-runtime 0.1.13 declared `a2a-sdk<1.0` in its
-#      requires_dist metadata (incorrect — it actually imports
-#      a2a.server.routes which only exists in a2a-sdk 1.0+)
-#   2. `pip install molecule-ai-workspace-runtime` resolved cleanly
-#   3. `from molecule_runtime.main import main_sync` raised ImportError
-#   4. Every tenant workspace crashed; the canary tenant caught it but
-#      only after 5 hours of degraded staging
-#
-# This workflow installs the CURRENTLY PUBLISHED runtime from PyPI on
-# top of `workspace/requirements.txt` and smoke-imports. Catches:
-#   - Upstream PyPI yanks
-#   - Bad re-releases of molecule-ai-workspace-runtime
-#   - Already-shipped wheels that stop importing because a transitive
-#     dep moved underneath
-
-on:
-  push:
-    branches: [main, staging]
-    paths:
-      # Narrow filter: pypi-latest is sensitive only to changes that
-      # affect what we're INSTALLING (requirements.txt) or WHAT THE
-      # CHECK ITSELF DOES (this workflow file). Edits to workspace/
-      # source code don't change what's on PyPI right now, so they
-      # don't change this gate's verdict.
-      - 'workspace/requirements.txt'
-      - '.gitea/workflows/runtime-pin-compat.yml'
-  pull_request:
-    branches: [main, staging]
-    paths:
-      - 'workspace/requirements.txt'
-      - '.gitea/workflows/runtime-pin-compat.yml'
-  # Daily catch for upstream PyPI publishes that break the pin combo
-  # without any change in our repo (e.g. someone re-yanks an a2a-sdk
-  # release or molecule-ai-workspace-runtime publishes a bad bump).
-  schedule:
-    - cron: '0 13 * * *'  # 06:00 PT
-
-env:
-  GITHUB_SERVER_URL: https://git.moleculesai.app
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  pypi-latest-install:
-    name: PyPI-latest install + import smoke
-    runs-on: ubuntu-latest
-    # Phase 3 (RFC #219 §1): surface broken workflows without blocking
-    # the PR. Follow-up PR flips this off after surfaced defects are
-    # triaged.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
-    continue-on-error: true
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: '3.11'
-          cache: pip
-          cache-dependency-path: workspace/requirements.txt
-      - name: Install runtime + workspace requirements
-        # Install order is load-bearing: install the runtime FIRST so pip
-        # honors whatever a2a-sdk constraint the runtime metadata declares
-        # (this is the surface that broke in 2026-04-24 — runtime declared
-        # `a2a-sdk<1.0` but actually needed >=1.0). The follow-up install
-        # of workspace/requirements.txt then upgrades a2a-sdk to the
-        # constraint our runtime image actually pins. The import smoke
-        # below verifies the upgraded combination is consistent.
-        run: |
-          python -m venv /tmp/venv
-          /tmp/venv/bin/pip install --upgrade pip
-          /tmp/venv/bin/pip install molecule-ai-workspace-runtime
-          /tmp/venv/bin/pip install -r workspace/requirements.txt
-          /tmp/venv/bin/pip show molecule-ai-workspace-runtime a2a-sdk \
-            | grep -E '^(Name|Version):'
-      - name: Smoke import — fail if metadata declares deps that don't satisfy real imports
-        # WORKSPACE_ID is validated at import time by platform_auth.py — EC2
-        # user-data sets it from the cloud-init template; set a placeholder
-        # here so the import smoke doesn't trip on the env-var guard.
-        env:
-          WORKSPACE_ID: 00000000-0000-0000-0000-000000000001
-        run: |
-          /tmp/venv/bin/python -c "from molecule_runtime.main import main_sync; print('runtime imports OK')"
@@ -1,150 +0,0 @@
-name: Runtime PR-Built Compatibility
-
-# Ported from .github/workflows/runtime-prbuild-compat.yml on 2026-05-11
-# per RFC internal#219 §1 sweep.
-#
-# Differences from the GitHub version:
-#   - Dropped `merge_group:` (no Gitea merge queue) and `workflow_dispatch:`
-#     (Gitea 1.22.6 parser-rejects workflow_dispatch with inputs and is
-#     finicky without them).
-#   - `dorny/paths-filter@v4` replaced with inline `git diff` (per PR#372
-#     pattern for ci.yml port).
-#   - on.paths references .gitea/workflows/runtime-prbuild-compat.yml.
-#   - Workflow-level env.GITHUB_SERVER_URL set.
-#   - `continue-on-error: true` on every job (RFC §1 contract).
-#
-# Companion to `runtime-pin-compat.yml`. That workflow tests what's
-# CURRENTLY PUBLISHED on PyPI; this workflow tests what WOULD BE
-# PUBLISHED if THIS PR merges.
-#
-# Why two workflows: the chicken-and-egg #128 fix added a "PR-built
-# wheel" job to the original runtime-pin-compat.yml, but both jobs
-# shared a `paths:` filter that was the union of their needs
-# (`workspace/**`). That meant the PyPI-latest job ran on every doc
-# edit even though the upstream PyPI artifact can't change with our
-# workspace/ source. Splitting the two means each gets a narrow
-# `paths:` filter that matches the inputs it actually depends on.
-#
-# Catches the failure mode where a PR adds an import requiring a newer
-# SDK than `workspace/requirements.txt` pins:
-#   1. Pip resolves the existing PyPI wheel + the old SDK pin -> smoke
-#      passes (it imports the OLD main.py from the wheel, not the PR's
-#      new main.py).
-#   2. Merge -> publish-runtime.yml ships a wheel WITH the new import.
-#   3. Tenant images redeploy -> all crash on first boot with ImportError.
-
-on:
-  push:
-    branches: [main, staging]
-  pull_request:
-    branches: [main, staging]
-
-env:
-  GITHUB_SERVER_URL: https://git.moleculesai.app
-
-concurrency:
-  # event_name + sha keeps PR sync and the subsequent staging push on the
-  # same SHA from cancelling each other (per feedback_concurrency_group_per_sha).
-  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.head.sha || github.sha }}
-  cancel-in-progress: true
-
-jobs:
-  detect-changes:
-    runs-on: ubuntu-latest
-    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
-    continue-on-error: true
-    outputs:
-      wheel: ${{ steps.decide.outputs.wheel }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0
-      - id: decide
-        run: |
-          # Inline replacement for dorny/paths-filter — same pattern
-          # PR#372's ci.yml port used. Diffs against the PR base or the
-          # previous push SHA, then matches against the wheel-relevant
-          # path set.
-          #
-          # NOTE: Gitea Actions does not expose github.event.before as a
-          # shell environment variable. The ${{ github.event.before }} template
-          # expression works inside YAML run: blocks but is evaluated to an
-          # empty string for push events, making the ${VAR:-fallback} always
-          # use the fallback. Use GITHUB_EVENT_BEFORE instead — it IS set in
-          # the runner's shell environment for push events.
-          BASE=""
-          if [ "${{ github.event_name }}" = "pull_request" ]; then
-            BASE="${{ github.event.pull_request.base.sha }}"
-          elif [ -n "$GITHUB_EVENT_BEFORE" ]; then
-            BASE="$GITHUB_EVENT_BEFORE"
-          fi
-          if [ -z "$BASE" ] || echo "$BASE" | grep -qE '^0+$'; then
-            # New branch or no previous SHA: treat as wheel-relevant.
-            echo "wheel=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          if ! timeout 30 git cat-file -e "$BASE" 2>/dev/null; then
-            git fetch --depth=1 origin "$BASE" 2>/dev/null || true
-          fi
-          if ! timeout 30 git cat-file -e "$BASE" 2>/dev/null; then
-            echo "wheel=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          CHANGED=$(git diff --name-only "$BASE" HEAD)
-          if echo "$CHANGED" | grep -qE '^(workspace/|scripts/build_runtime_package\.py$|scripts/wheel_smoke\.py$|\.gitea/workflows/runtime-prbuild-compat\.yml$)'; then
-            echo "wheel=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "wheel=false" >> "$GITHUB_OUTPUT"
-          fi
-
-  # ONE job (no job-level `if:`) that always runs and reports under the
-  # required-check name `PR-built wheel + import smoke`. Real work is
-  # gated per-step on `needs.detect-changes.outputs.wheel`.
-  local-build-install:
-    needs: detect-changes
-    name: PR-built wheel + import smoke
-    runs-on: ubuntu-latest
-    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
-    continue-on-error: true
-    steps:
-      - name: No-op pass (paths filter excluded this commit)
-        if: needs.detect-changes.outputs.wheel != 'true'
-        run: |
-          echo "No workspace/ / scripts/{build_runtime_package,wheel_smoke}.py / workflow changes — wheel gate satisfied without rebuilding."
-          echo "::notice::PR-built wheel + import smoke no-op pass (paths filter excluded this commit)."
-      - if: needs.detect-changes.outputs.wheel == 'true'
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - if: needs.detect-changes.outputs.wheel == 'true'
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: '3.11'
-          cache: pip
-          cache-dependency-path: workspace/requirements.txt
-      - name: Install build tooling
-        if: needs.detect-changes.outputs.wheel == 'true'
-        run: pip install build
-      - name: Build wheel from PR source (mirrors publish-runtime.yml)
-        if: needs.detect-changes.outputs.wheel == 'true'
-        # Use a fixed test version so the wheel filename is predictable.
-        # Doesn't reach PyPI — this build is local-only for the smoke.
-        run: |
-          python scripts/build_runtime_package.py \
-            --version "0.0.0.dev0+pin-compat" \
-            --out /tmp/runtime-build
-          cd /tmp/runtime-build && python -m build
-      - name: Install built wheel + workspace requirements
-        if: needs.detect-changes.outputs.wheel == 'true'
-        run: |
-          python -m venv /tmp/venv-built
-          /tmp/venv-built/bin/pip install --upgrade pip
-          /tmp/venv-built/bin/pip install /tmp/runtime-build/dist/*.whl
-          /tmp/venv-built/bin/pip install -r workspace/requirements.txt
-          /tmp/venv-built/bin/pip show molecule-ai-workspace-runtime a2a-sdk \
-            | grep -E '^(Name|Version):'
-      - name: Smoke import the PR-built wheel
-        if: needs.detect-changes.outputs.wheel == 'true'
-        # Same script publish-runtime.yml runs against the to-be-PyPI wheel.
-        run: |
-          /tmp/venv-built/bin/python "$GITHUB_WORKSPACE/scripts/wheel_smoke.py"
@@ -2,24 +2,20 @@
 #
 # RFC#351 Step 2 of 6 (implementation MVP).
 #
-# === DESIGN ===
+# === CONSOLIDATION (issue #1280) ===
 #
-# Goal: each PR must answer 7 SOP-checklist questions in its body,
-# and each item must have at least one /sop-ack <slug> comment from
-# a non-author peer in the required team. BP requires the
-# `sop-checklist / all-items-acked (pull_request)` status to merge.
+# This workflow is the SINGLE `issue_comment` subscriber — the logic from
+# `review-refire-comments.yml` has been merged in. Before this change:
+#   - sop-checklist.yml (pre-2026-05-16) → issue_comment:[created,edited,deleted] → runner slot used, job no-oped
+#   - review-refire-comments.yml           → issue_comment:[created]            → runner slot used, job no-oped
+#   → every non-refire comment occupied 2 runner slots for ~800 s each
+#      (~650 no-op runs/day, ~1,300 runner-slot-occupancy-hours/day).
 #
-# Triggers:
-#   - `pull_request_target`: opened, edited, synchronize, reopened
-#       → fires when PR opens, body is edited (refire — RFC#351 §4),
-#         or new code is pushed (head.sha changes → stale status would
-#         be auto-discarded by BP via dismiss_stale_reviews, but the
-#         status itself is per-SHA so we re-post on the new head).
-#   - `issue_comment`: created, edited, deleted
-#       → fires on any new comment so /sop-ack / /sop-revoke take
-#         effect immediately (Gitea 1.22.6 doesn't refire on
-#         pull_request_review per feedback_pull_request_review_no_refire,
-#         so issue_comment is the canonical refire channel).
+# Fix (PR #1345 / issue #1280):
+#   - ONE workflow, ONE issue_comment:[created] subscription (no edited/deleted)
+#   - all-items-acked job: pull_request_target OR sop slash-command comments
+#   - review-refire job: qa/security/tier refire slash commands
+#   → ~50% reduction in comment-triggered runner occupancy vs pre-fix.
 #
 # Trust boundary (mirrors RFC#324 §A4 + sop-tier-check security note):
 #   `pull_request_target` (not `pull_request`) — workflow def is loaded
@@ -51,7 +47,7 @@
 #   /sop-ack <slug-or-numeric-alias> [optional note]
 #       — register a peer-ack for one checklist item.
 #       — slug accepts kebab-case, snake_case, or natural-spaces
-#         (all normalize to canonical kebab-case).
+#         (all normalized to canonical kebab-case).
 #       — numeric 1..7 maps via config.items[*].numeric_alias.
 #       — most-recent (user, slug) directive wins.
 #
@@ -61,6 +57,13 @@
 #       — most-recent (user, slug) directive wins, so a later /sop-ack
 #         re-restores the ack.
 #
+#   /sop-n/a <gate> [reason]
+#       — declare a gate (qa-review, security-review) N/A.
+#       — see sop-checklist-config.yaml n/a_gates section.
+#
+#   /qa-recheck /security-recheck /refire-tier-check
+#       — refire the corresponding status check on the PR head.
+#
 # The eval is read-only + idempotent (read PR + comments + team
 # membership, compute, post status). Re-running on any event is safe —
 # the new status overwrites the previous one for the same context.
@@ -79,7 +82,10 @@ on:
  pull_request_target:
    types: [opened, edited, synchronize, reopened, labeled, unlabeled]
  issue_comment:
-    types: [created, edited, deleted]
+    types: [created]   # NOT [created, edited, deleted] — Gitea 1.22.6 holds a runner slot
+    # at job-parsing time, before job-level if: guards run. edited/deleted events
+    # occupied ~1,300 runner-slot-hours/day on this workflow alone during the
+    # 2026-05-16 freeze. Per PR #1345 fix.

 permissions:
  contents: read
@@ -88,10 +94,10 @@ permissions:
  secrets: read

 jobs:
+  # sop-checklist gate: runs on PR lifecycle events OR sop slash commands.
+  # All other comment types (no-op text comments) no longer assign a runner
+  # because this job's if: guard short-circuits before runner assignment.
  all-items-acked:
-    # Run on pull_request_target events always. On issue_comment events,
-    # only when the comment is on a PR (issue_comment fires for issues
-    # too) and the body contains one of the slash-commands.
    if: |
      github.event_name == 'pull_request_target' ||
      (github.event_name == 'issue_comment' &&
@@ -125,3 +131,95 @@ jobs:
            --pr "$PR_NUMBER" \
            --config .gitea/sop-checklist-config.yaml \
            --gitea-host git.moleculesai.app
+
+  # bp-exempt: informational refire handler, not a merge gate. Emits
+  # qa-review/security-review status updates on /qa-recheck et al slash commands.
+  review-refire:
+    if: |
+      github.event_name == 'issue_comment' &&
+      github.event.issue.pull_request != null
+    runs-on: ubuntu-latest
+    steps:
+      - name: Classify comment
+        id: classify
+        env:
+          COMMENT_BODY: ${{ github.event.comment.body }}
+        run: |
+          set -euo pipefail
+          {
+            echo "run_qa=false"
+            echo "run_security=false"
+            echo "run_tier=false"
+          } >> "$GITHUB_OUTPUT"
+          first_line=$(printf '%s\n' "$COMMENT_BODY" | sed -n '1p')
+          case "$first_line" in
+            /qa-recheck*)
+              echo "run_qa=true" >> "$GITHUB_OUTPUT"
+              ;;
+            /security-recheck*)
+              echo "run_security=true" >> "$GITHUB_OUTPUT"
+              ;;
+            /refire-tier-check*)
+              echo "run_tier=true" >> "$GITHUB_OUTPUT"
+              ;;
+            *)
+              echo "::notice::no supported review refire slash command; no-op"
+              ;;
+          esac
+
+      - name: Check out BASE ref for trusted scripts
+        if: |
+          steps.classify.outputs.run_qa == 'true' ||
+          steps.classify.outputs.run_security == 'true' ||
+          steps.classify.outputs.run_tier == 'true'
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          ref: ${{ github.event.repository.default_branch }}
+
+      - name: Refire qa-review status
+        if: steps.classify.outputs.run_qa == 'true'
+        env:
+          # RFC_324_TEAM_READ_TOKEN is read-only (team membership read scope only).
+          # review-refire-status.sh POSTs to /statuses — requires write scope.
+          # SOP_TIER_CHECK_TOKEN carries write:repository + write:issue + read:organization.
+          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
+          GITEA_HOST: git.moleculesai.app
+          REPO: ${{ github.repository }}
+          PR_NUMBER: ${{ github.event.issue.number }}
+          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+          TEAM: qa
+          TEAM_ID: '20'
+          REVIEW_CHECK_DEBUG: '0'
+          REVIEW_CHECK_STRICT: '0'
+        run: |
+          set -euo pipefail
+          .gitea/scripts/review-refire-status.sh
+
+      - name: Refire security-review status
+        if: steps.classify.outputs.run_security == 'true'
+        env:
+          # RFC_324_TEAM_READ_TOKEN is read-only (team membership read scope only).
+          # review-refire-status.sh POSTs to /statuses — requires write scope.
+          # SOP_TIER_CHECK_TOKEN carries write:repository + write:issue + read:organization.
+          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
+          GITEA_HOST: git.moleculesai.app
+          REPO: ${{ github.repository }}
+          PR_NUMBER: ${{ github.event.issue.number }}
+          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+          TEAM: security
+          TEAM_ID: '21'
+          REVIEW_CHECK_DEBUG: '0'
+          REVIEW_CHECK_STRICT: '0'
+        run: |
+          set -euo pipefail
+          .gitea/scripts/review-refire-status.sh
+
+      - name: Refire sop-tier-check status
+        if: steps.classify.outputs.run_tier == 'true'
+        env:
+          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
+          GITEA_HOST: git.moleculesai.app
+          REPO: ${{ github.repository }}
+          PR_NUMBER: ${{ github.event.issue.number }}
+          SOP_DEBUG: '0'
+        run: bash .gitea/scripts/sop-tier-refire.sh
@@ -75,8 +75,12 @@ permissions:
 env:
  # ECR registry (post-2026-05-06 SSOT for tenant images).
  # publish-workspace-server-image.yml pushes here.
-  IMAGE_NAME: 153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/platform
-  TENANT_IMAGE_NAME: 153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/platform-tenant
+  # SSOT-Instance-10 (#333): triplet sourced from org/repo var `ECR_REGISTRY` with
+  # the current prod-account literal as bootstrap fallback. When the org var is set,
+  # the fallback becomes dead code and switching accounts/regions is a one-line
+  # change at the org level. Pattern mirrors `vars.CP_URL || 'literal'` below.
+  IMAGE_NAME: ${{ vars.ECR_REGISTRY || '153263036946.dkr.ecr.us-east-2.amazonaws.com' }}/molecule-ai/platform
+  TENANT_IMAGE_NAME: ${{ vars.ECR_REGISTRY || '153263036946.dkr.ecr.us-east-2.amazonaws.com' }}/molecule-ai/platform-tenant
  # CP endpoint for redeploy-fleet (used in promote step below).
  CP_URL: ${{ vars.CP_URL || 'https://staging-api.moleculesai.app' }}
  GITHUB_SERVER_URL: https://git.moleculesai.app
@@ -235,6 +239,11 @@ jobs:
          set -euo pipefail

          TARGET_TAG="staging-${SHA}"
+          # confirm:true ack required by CP /cp/admin/tenants/redeploy-fleet
+          # contract (cp#228 / task #308) for fleet-wide intent. Empty body
+          # / {confirm:false} / {only_slugs:[]} → 400. This caller promotes
+          # the verified staging image across the entire prod fleet (canary
+          # + fan-out), no slug scoping, so confirm:true is correct.
          BODY=$(jq -nc \
            --arg tag "$TARGET_TAG" \
            --argjson soak "${SOAK_SECONDS:-120}" \
@@ -244,7 +253,8 @@ jobs:
              target_tag: $tag,
              soak_seconds: $soak,
              batch_size: $batch,
-              dry_run: $dry
+              dry_run: $dry,
+              confirm: true
            }')

          if [ -n "${CANARY_SLUG:-}" ]; then
@@ -53,19 +53,12 @@ name: status-reaper
 # `inputs:` block here. Gitea 1.22.6 rejects the whole workflow as
 # "unknown on type" when `workflow_dispatch.inputs.X` is present.
 on:
-  # SCHEDULE RE-ENABLED 2026-05-12 rev3 — interim disable (mc#645) reverted now that
-  # rev3 widens DEFAULT_SWEEP_LIMIT 10 → 30 (covers retroactive-failure timing window).
-  # Sibling watchdog re-enabled in the same PR with timeout-minutes raised 5 → 15.
-  schedule:
-    # Every 5 minutes. Off-zero alignment with sibling cron workflows:
-    # ci-required-drift (`:17`), main-red-watchdog (`:05`),
-    # railway-pin-audit (`:23`). 5-min cadence gives a tight enough
-    # close on schedule-triggered false-reds that main-red-watchdog
-    # (hourly :05) almost never files an issue on the false case.
-    # rev3 keeps `*/5` unchanged per hongming-pc2 03:25Z review:
-    # "trades window-width-cheap for cadence-loady" — N=30 widens
-    # the lookback cheaply without doubling runner load via `*/2`.
-    - cron: '*/5 * * * *'
+  # Schedule moved to operator-config:
+  #   /etc/cron.d/molecule-core-status-reaper ->
+  #   /usr/local/bin/molecule-core-cron-bot.sh status-reaper
+  #
+  # This keeps the 5-minute compensation cadence but stops a maintenance
+  # bot from consuming Gitea Actions runner slots during PR merge waves.
  workflow_dispatch:

 # Compensating-status POST needs write on repo statuses; no other
@@ -58,14 +58,20 @@ jobs:
          python-version: '3.11'
      - name: Install .gitea script test dependencies
        run: python -m pip install --quiet 'pytest==9.0.2' 'PyYAML==6.0.2'
-      - name: Run scripts/ unittests (build_runtime_package, ...)
-        # Top-level scripts/ tests live alongside their target file
-        # (e.g. scripts/test_build_runtime_package.py exercises
-        # scripts/build_runtime_package.py). discover from scripts/
-        # picks up only top-level test_*.py because scripts/ops/ has
-        # no __init__.py — that's intentional, so we run two passes.
+      - name: Run scripts/ unittests, if any
+        # Top-level scripts/ tests live alongside their target file. The
+        # runtime packaging tests moved to molecule-ai-workspace-runtime, so
+        # this pass may legitimately find no tests.
        working-directory: scripts
-        run: python -m unittest discover -t . -p 'test_*.py' -v
+        run: |
+          set +e
+          python -m unittest discover -t . -p 'test_*.py' -v
+          rc=$?
+          if [ "$rc" -eq 5 ]; then
+            echo "No top-level scripts/ unittest files found; skipping."
+            exit 0
+          fi
+          exit "$rc"
      - name: Run scripts/ops/ unittests (sweep_cf_decide, ...)
        working-directory: scripts/ops
        run: python -m unittest discover -p 'test_*.py' -v
@@ -1,154 +0,0 @@
-name: Block internal-flavored paths
-
-# Hard CI gate. Internal content (positioning, competitive briefs, sales
-# playbooks, PMM/press drip, draft campaigns) lives in molecule-ai/internal —
-# this public monorepo must never re-acquire those paths. CEO directive
-# 2026-04-23 after a fleet-wide audit found 79 internal files leaked here.
-#
-# Failure mode without this gate: agents (PMM, Research, DevRel, Sales) drop
-# briefs into the easiest path their cwd resolves to (root /research,
-# /marketing, /docs/marketing) and gitignore alone won't catch a `git add -f`
-# or a stale gitignore line. This workflow is the mechanical backstop.
-
-on:
-  pull_request:
-    types: [opened, synchronize, reopened]
-  push:
-    branches: [main, staging]
-  # Required for GitHub merge queue: the queue's pre-merge CI run on
-  # `gh-readonly-queue/...` refs needs this check to fire so the queue
-  # gets a real result instead of stalling forever AWAITING_CHECKS.
-  merge_group:
-    types: [checks_requested]
-
-jobs:
-  check:
-    name: Block forbidden paths
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 2  # need previous commit to diff against on push events
-
-      # For pull_request events the diff base is github.event.pull_request.base.sha,
-      # which may be many commits behind HEAD and therefore absent from the
-      # shallow clone above.  Fetch it explicitly (depth=1 keeps it fast).
-      - name: Fetch PR base SHA (pull_request events only)
-        if: github.event_name == 'pull_request'
-        run: git fetch --depth=1 origin ${{ github.event.pull_request.base.sha }}
-
-      # For merge_group events the queue's pre-merge ref is a commit on
-      # `gh-readonly-queue/...` whose parent is the queue's base_sha.
-      # That parent isn't part of the queue branch's shallow clone, so
-      # we fetch it explicitly. Mirrors the equivalent step in
-      # secret-scan.yml (#2120) — same shallow-clone bug class.
-      - name: Fetch merge_group base SHA (merge_group events only)
-        if: github.event_name == 'merge_group'
-        run: git fetch --depth=1 origin ${{ github.event.merge_group.base_sha }}
-
-      - name: Refuse if forbidden paths appear
-        env:
-          # Plumb event-specific SHAs through env so the script doesn't
-          # need conditional `${{ ... }}` interpolation per event type.
-          # github.event.before/after only exist on push events;
-          # merge_group has its own base_sha/head_sha; pull_request has
-          # pull_request.base.sha / pull_request.head.sha.
-          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
-          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-          MG_BASE_SHA: ${{ github.event.merge_group.base_sha }}
-          MG_HEAD_SHA: ${{ github.event.merge_group.head_sha }}
-          PUSH_BEFORE: ${{ github.event.before }}
-          PUSH_AFTER: ${{ github.event.after }}
-        run: |
-          # Paths that must NEVER live in the public monorepo. Add to this
-          # list narrowly — broader patterns belong in .gitignore so day-to-day
-          # docs work isn't accidentally blocked.
-          FORBIDDEN_PATTERNS=(
-            "^research/"
-            "^marketing/"
-            "^docs/marketing/"
-            "^comment-[0-9]+\.json$"
-            "^test-pmm.*\.(txt|md)$"
-            "^tick-reflections.*\.(txt|md)$"
-            ".*-temp\.(md|txt)$"
-          )
-
-          # Determine the diff base. Each event type stores its SHAs in
-          # a different place — see the env block above.
-          case "${{ github.event_name }}" in
-            pull_request)
-              BASE="$PR_BASE_SHA"
-              HEAD="$PR_HEAD_SHA"
-              ;;
-            merge_group)
-              BASE="$MG_BASE_SHA"
-              HEAD="$MG_HEAD_SHA"
-              ;;
-            *)
-              BASE="$PUSH_BEFORE"
-              HEAD="$PUSH_AFTER"
-              ;;
-          esac
-
-          # On push events with shallow clones, BASE may be present in
-          # the event payload but absent from the local object DB
-          # (fetch-depth=2 doesn't always reach the previous commit
-          # across true merges). Try fetching it on demand. If the
-          # fetch fails — e.g. the SHA was force-overwritten — we fall
-          # through to the empty-BASE branch below, which scans the
-          # entire tree as if every file were new. Correct, just slow.
-          # Same recovery shape as secret-scan.yml (#2120 — incident
-          # 2026-04-27 06:50Z block-internal-paths exit 128 with
-          # "fatal: bad object <sha>" on staging push).
-          if [ -n "$BASE" ] && ! echo "$BASE" | grep -qE '^0+$'; then
-            if ! git cat-file -e "$BASE" 2>/dev/null; then
-              git fetch --depth=1 origin "$BASE" 2>/dev/null || true
-            fi
-          fi
-
-          # Files added or modified in this change.
-          if [ -z "$BASE" ] || echo "$BASE" | grep -qE '^0+$' || ! git cat-file -e "$BASE" 2>/dev/null; then
-            # New branch / no previous SHA / BASE unreachable — check
-            # the entire tree as if every file were new. Slower but
-            # correct on first push or post-fetch-failure recovery.
-            CHANGED=$(git ls-tree -r --name-only HEAD)
-          else
-            CHANGED=$(git diff --name-only --diff-filter=AM "$BASE" "$HEAD")
-          fi
-
-          if [ -z "$CHANGED" ]; then
-            echo "No changed files to inspect."
-            exit 0
-          fi
-
-          OFFENDING=""
-          for path in $CHANGED; do
-            for pattern in "${FORBIDDEN_PATTERNS[@]}"; do
-              if echo "$path" | grep -qE "$pattern"; then
-                OFFENDING="${OFFENDING}${path} (matched: ${pattern})\n"
-                break
-              fi
-            done
-          done
-
-          if [ -n "$OFFENDING" ]; then
-            echo "::error::Forbidden internal-flavored paths detected:"
-            printf "$OFFENDING"
-            echo ""
-            echo "These paths belong in molecule-ai/internal, not this public repo."
-            echo "See docs/internal-content-policy.md for canonical locations."
-            echo ""
-            echo "If your file is genuinely public-facing (e.g. a blog post"
-            echo "ready to ship), use one of these alternatives instead:"
-            echo "  • Public-bound blog posts:  docs/blog/<slug>.md"
-            echo "  • Public-bound tutorials:   docs/tutorials/<slug>.md"
-            echo "  • Public devrel content:    docs/devrel/<slug>.md"
-            echo ""
-            echo "If you legitimately need to add a new top-level path that"
-            echo "happens to match a forbidden pattern, edit"
-            echo ".github/workflows/block-internal-paths.yml and update the"
-            echo "FORBIDDEN_PATTERNS list with reviewer signoff."
-            exit 1
-          fi
-
-          echo "✓ No forbidden paths in this change."
@@ -1,320 +0,0 @@
-name: Canary — staging SaaS smoke (every 30 min)
-
-# Minimum viable health check: provisions one Hermes workspace on a fresh
-# staging org, sends one A2A message, verifies PONG, tears down. ~8 min
-# wall clock. Pages on failure by opening a GitHub issue; auto-closes the
-# issue on the next green run.
-#
-# The full-SaaS workflow (e2e-staging-saas.yml) covers the broader surface
-# but runs only on provisioning-critical pushes + nightly — this one
-# catches drift in the 30-min window between those runs (AMI health, CF
-# cert rotation, WorkOS session stability, etc.).
-#
-# Lean mode: E2E_MODE=canary skips the child workspace + HMA memory +
-# peers/activity checks. One parent workspace + one A2A turn is enough
-# to signal "SaaS stack end-to-end is alive."
-
-on:
-  schedule:
-    # Every 30 min. Cron on GitHub-hosted runners has a known drift of
-    # a few minutes under load — that's fine for a canary.
-    - cron: '*/30 * * * *'
-  workflow_dispatch:
-    inputs:
-      keep_on_failure:
-        description: >-
-          Skip teardown when the canary fails (debugging only). The
-          tenant org + EC2 + CF tunnel + DNS stay alive so an operator
-          can SSM into the workspace EC2 and capture docker logs of the
-          failing claude-code container. REMEMBER to manually delete
-          via DELETE /cp/admin/tenants/<slug> when done so the org
-          doesn't accumulate cost. Only honored on workflow_dispatch;
-          cron runs always tear down (we don't want unattended cron
-          to leak resources).
-        type: boolean
-        default: false
-
-# Serialise with the full-SaaS workflow so they don't contend for the
-# same org-create quota on staging. Different group key from
-# e2e-staging-saas since we don't mind queueing canaries behind one
-# full run, but two canaries SHOULD queue against each other.
-concurrency:
-  group: canary-staging
-  cancel-in-progress: false
-
-permissions:
-  # Needed to open / close the alerting issue.
-  issues: write
-  contents: read
-
-jobs:
-  canary:
-    name: Canary smoke
-    runs-on: ubuntu-latest
-    # 25 min headroom over the 15-min TLS-readiness deadline in
-    # tests/e2e/test_staging_full_saas.sh (#2107). Without the buffer
-    # the job is killed at the wall-clock 15:00 mark BEFORE the bash
-    # `fail` + diagnostic burst can fire, leaving every cancellation
-    # silent. Sibling staging E2E jobs run at 20-45 min — keeping
-    # canary tighter than them so a true wedge still surfaces here
-    # first.
-    timeout-minutes: 25
-
-    env:
-      MOLECULE_CP_URL: https://staging-api.moleculesai.app
-      MOLECULE_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
-      # MiniMax is the canary's PRIMARY LLM auth path post-2026-05-04.
-      # Switched from hermes+OpenAI after #2578 (the staging OpenAI key
-      # account went over quota and stayed dead for 36+ hours, taking
-      # the canary red the entire time). claude-code template's
-      # `minimax` provider routes ANTHROPIC_BASE_URL to
-      # api.minimax.io/anthropic and reads MINIMAX_API_KEY at boot —
-      # ~5-10x cheaper per token than gpt-4.1-mini AND on a separate
-      # billing account, so OpenAI quota collapse no longer wedges the
-      # canary. Mirrors the migration continuous-synth-e2e.yml made on
-      # 2026-05-03 (#265) for the same reason. tests/e2e/test_staging_
-      # full_saas.sh branches SECRETS_JSON on which key is present —
-      # MiniMax wins when set.
-      E2E_MINIMAX_API_KEY: ${{ secrets.MOLECULE_STAGING_MINIMAX_API_KEY }}
-      # Direct-Anthropic alternative for operators who don't want to
-      # set up a MiniMax account (priority below MiniMax — first
-      # non-empty wins in test_staging_full_saas.sh's secrets-injection
-      # block). See #2578 PR comment for the rationale.
-      E2E_ANTHROPIC_API_KEY: ${{ secrets.MOLECULE_STAGING_ANTHROPIC_API_KEY }}
-      # OpenAI fallback — kept wired so an operator-dispatched run with
-      # E2E_RUNTIME=hermes overridden via workflow_dispatch can still
-      # exercise the OpenAI path without re-editing the workflow.
-      E2E_OPENAI_API_KEY: ${{ secrets.MOLECULE_STAGING_OPENAI_KEY }}
-      E2E_MODE: canary
-      E2E_RUNTIME: claude-code
-      # Pin the canary to a specific MiniMax model rather than relying
-      # on the per-runtime default (which could resolve to "sonnet" →
-      # direct Anthropic and defeat the cost saving). M2.7-highspeed
-      # is "Token Plan only" but cheap-per-token and fast.
-      E2E_MODEL_SLUG: MiniMax-M2.7-highspeed
-      E2E_RUN_ID: "canary-${{ github.run_id }}"
-      # Debug-only: when an operator dispatches with keep_on_failure=true,
-      # the canary script's E2E_KEEP_ORG=1 path skips teardown so the
-      # tenant org + EC2 stay alive for SSM-based log capture. Cron runs
-      # never set this (the input only exists on workflow_dispatch) so
-      # unattended cron always tears down. See molecule-core#129
-      # failure mode #1 — capturing the actual exception requires
-      # docker logs from the live container.
-      E2E_KEEP_ORG: ${{ github.event.inputs.keep_on_failure == 'true' && '1' || '0' }}
-
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - name: Verify admin token present
-        run: |
-          if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
-            echo "::error::MOLECULE_STAGING_ADMIN_TOKEN not set"
-            exit 2
-          fi
-
-      - name: Verify LLM key present
-        run: |
-          # Per-runtime key check — claude-code uses MiniMax; hermes /
-          # langgraph (operator-dispatched only) use OpenAI. Hard-fail
-          # rather than soft-skip per the lesson from synth E2E #2578:
-          # an empty key silently falls through to the wrong
-          # SECRETS_JSON branch and the canary fails 5 min later with
-          # a confusing auth error instead of the clean "secret
-          # missing" message at the top.
-          case "${E2E_RUNTIME}" in
-            claude-code)
-              # Either MiniMax OR direct-Anthropic works — first
-              # non-empty wins in the test script's secrets-injection
-              # priority chain. Operators only need to set ONE of these
-              # secrets; we don't force a choice between them.
-              if [ -n "${E2E_MINIMAX_API_KEY:-}" ]; then
-                required_secret_name="MOLECULE_STAGING_MINIMAX_API_KEY"
-                required_secret_value="${E2E_MINIMAX_API_KEY}"
-              elif [ -n "${E2E_ANTHROPIC_API_KEY:-}" ]; then
-                required_secret_name="MOLECULE_STAGING_ANTHROPIC_API_KEY"
-                required_secret_value="${E2E_ANTHROPIC_API_KEY}"
-              else
-                required_secret_name="MOLECULE_STAGING_MINIMAX_API_KEY or MOLECULE_STAGING_ANTHROPIC_API_KEY"
-                required_secret_value=""
-              fi
-              ;;
-            langgraph|hermes)
-              required_secret_name="MOLECULE_STAGING_OPENAI_KEY"
-              required_secret_value="${E2E_OPENAI_API_KEY:-}"
-              ;;
-            *)
-              echo "::warning::Unknown E2E_RUNTIME='${E2E_RUNTIME}' — skipping LLM-key check"
-              required_secret_name=""
-              required_secret_value="present"
-              ;;
-          esac
-          if [ -n "$required_secret_name" ] && [ -z "$required_secret_value" ]; then
-            echo "::error::${required_secret_name} secret not set for runtime=${E2E_RUNTIME} — A2A will fail at request time with 'No LLM provider configured'"
-            exit 2
-          fi
-          echo "LLM key present ✓ (runtime=${E2E_RUNTIME}, key=${required_secret_name}, len=${#required_secret_value})"
-
-      - name: Canary run
-        id: canary
-        run: bash tests/e2e/test_staging_full_saas.sh
-
-      # Alerting: open a sticky issue on the FIRST failure; comment on
-      # subsequent failures; auto-close on next green. Comment-on-existing
-      # de-duplicates so a single open issue accumulates the streak —
-      # ops sees one issue with N comments rather than N issues.
-      #
-      # Why no consecutive-failures threshold (e.g., wait 3 runs before
-      # filing): the prior threshold check used
-      # `github.rest.actions.listWorkflowRuns()` which Gitea 1.22.6 does
-      # not expose (returns 404). On Gitea Actions the threshold call
-      # ALWAYS failed, breaking the entire alerting step and going days
-      # silent on real regressions (38h+ chronic red on 2026-05-07/08
-      # before this fix; tracked in molecule-core#129). Filing on first
-      # failure is also better UX — we want to know about the first red,
-      # not wait 90 min for it to "count." Real flakes get one issue +
-      # a quick close-on-green; persistent reds accumulate comments.
-      - name: Open issue on failure
-        if: failure()
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
-        with:
-          script: |
-            const title = '🔴 Canary failing: staging SaaS smoke';
-            const runURL = `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`;
-
-            // Find an existing open canary issue (stable title match).
-            // If one exists, this isn't a "first failure" — comment and exit.
-            const { data: existing } = await github.rest.issues.listForRepo({
-              owner: context.repo.owner, repo: context.repo.repo,
-              state: 'open', labels: 'canary-staging',
-              per_page: 10,
-            });
-            const match = existing.find(i => i.title === title);
-            if (match) {
-              await github.rest.issues.createComment({
-                owner: context.repo.owner, repo: context.repo.repo,
-                issue_number: match.number,
-                body: `Canary still failing. ${runURL}`,
-              });
-              core.info(`Commented on existing issue #${match.number}`);
-              return;
-            }
-
-            // No open issue yet — file one on this first failure. The
-            // comment-on-existing branch above means subsequent failures
-            // accumulate as comments on this same issue, so we don't
-            // spam new issues per run.
-            const body =
-              `Canary run failed at ${new Date().toISOString()}.\n\n` +
-              `Run: ${runURL}\n\n` +
-              `This issue auto-closes on the next green canary run. ` +
-              `Consecutive failures add a comment here rather than a new issue.`;
-            await github.rest.issues.create({
-              owner: context.repo.owner, repo: context.repo.repo,
-              title, body,
-              labels: ['canary-staging', 'bug'],
-            });
-            core.info('Opened canary failure issue (first red)');
-
-      - name: Auto-close canary issue on success
-        if: success()
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
-        with:
-          script: |
-            const title = '🔴 Canary failing: staging SaaS smoke';
-            const { data: open } = await github.rest.issues.listForRepo({
-              owner: context.repo.owner, repo: context.repo.repo,
-              state: 'open', labels: 'canary-staging',
-              per_page: 10,
-            });
-            const match = open.find(i => i.title === title);
-            if (match) {
-              await github.rest.issues.createComment({
-                owner: context.repo.owner, repo: context.repo.repo,
-                issue_number: match.number,
-                body: `Canary recovered at ${new Date().toISOString()}. Closing.`,
-              });
-              await github.rest.issues.update({
-                owner: context.repo.owner, repo: context.repo.repo,
-                issue_number: match.number,
-                state: 'closed',
-              });
-              core.info(`Closed recovered canary issue #${match.number}`);
-            }
-
-      - name: Teardown safety net
-        if: always()
-        env:
-          ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
-        run: |
-          set +e
-          # Slug prefix matches what test_staging_full_saas.sh emits
-          # in canary mode:
-          #   SLUG="e2e-canary-$(date +%Y%m%d)-${RUN_ID_SUFFIX}"
-          # Earlier this was `e2e-{today}-canary-` — that was the
-          # full-mode pattern (date FIRST, mode SECOND); canary slugs
-          # have mode FIRST, date SECOND. The mismatch silently
-          # never matched, leaving every cancelled-canary EC2 alive
-          # until the once-an-hour sweep eventually caught it
-          # (incident 2026-04-26 21:03Z: 1h25m EC2 leak before manual
-          # cleanup; same gap on three earlier cancellations today).
-          orgs=$(curl -sS "$MOLECULE_CP_URL/cp/admin/orgs" \
-            -H "Authorization: Bearer $ADMIN_TOKEN" 2>/dev/null \
-            | python3 -c "
-          import json, sys, os, datetime
-          run_id = os.environ.get('GITHUB_RUN_ID', '')
-          d = json.load(sys.stdin)
-          # Scope to slugs from THIS canary run when GITHUB_RUN_ID is
-          # available; the canary workflow sets E2E_RUN_ID='canary-\${run_id}'
-          # so the slug suffix is '-canary-\${run_id}-...'. Mirrors the
-          # full-mode safety net's per-run scoping (e2e-staging-saas.yml)
-          # added after the 2026-04-21 cross-run cleanup incident.
-          # Sweep both today AND yesterday's UTC dates so a run that
-          # crosses midnight still cleans up its own slug — see the
-          # 2026-04-26→27 canvas-safety-net incident.
-          today = datetime.date.today()
-          yesterday = today - datetime.timedelta(days=1)
-          dates = (today.strftime('%Y%m%d'), yesterday.strftime('%Y%m%d'))
-          if run_id:
-              prefixes = tuple(f'e2e-canary-{d}-canary-{run_id}' for d in dates)
-          else:
-              prefixes = tuple(f'e2e-canary-{d}-' for d in dates)
-          candidates = [o['slug'] for o in d.get('orgs', [])
-                        if any(o.get('slug','').startswith(p) for p in prefixes)
-                        and o.get('status') not in ('purged',)]
-          print('\n'.join(candidates))
-          " 2>/dev/null)
-          # Per-slug DELETE with HTTP-code verification. The previous
-          # `... >/dev/null || true` swallowed every failure, so a 5xx
-          # or timeout from CP looked identical to "successfully cleaned
-          # up" and the tenant kept eating ~2 vCPU until the hourly
-          # stale sweep caught it (up to 2h later). Now we capture the
-          # response code and surface non-2xx as a workflow warning, so
-          # the run page shows which slug leaked. We still don't `exit 1`
-          # on cleanup failure — a single-canary cleanup miss shouldn't
-          # fail-flag the canary itself when the actual smoke check
-          # passed. The sweep-stale-e2e-orgs cron (now every 15 min,
-          # 30-min threshold) is the safety net for whatever slips past.
-          # See molecule-controlplane#420.
-          leaks=()
-          for slug in $orgs; do
-            # Tempfile-routed -w + set +e/-e prevents curl-exit-code
-            # pollution of the captured status (lint-curl-status-capture.yml).
-            set +e
-            curl -sS -o /tmp/canary-cleanup.out -w "%{http_code}" \
-              -X DELETE "$MOLECULE_CP_URL/cp/admin/tenants/$slug" \
-              -H "Authorization: Bearer $ADMIN_TOKEN" \
-              -H "Content-Type: application/json" \
-              -d "{\"confirm\":\"$slug\"}" >/tmp/canary-cleanup.code
-            set -e
-            code=$(cat /tmp/canary-cleanup.code 2>/dev/null || echo "000")
-            if [ "$code" = "200" ] || [ "$code" = "204" ]; then
-              echo "[teardown] deleted $slug (HTTP $code)"
-            else
-              echo "::warning::canary teardown for $slug returned HTTP $code — sweep-stale-e2e-orgs will catch it within ~45 min. Body: $(head -c 300 /tmp/canary-cleanup.out 2>/dev/null)"
-              leaks+=("$slug")
-            fi
-          done
-          if [ ${#leaks[@]} -gt 0 ]; then
-            echo "::warning::canary teardown left ${#leaks[@]} leak(s): ${leaks[*]}"
-          fi
-          exit 0
@@ -1,39 +0,0 @@
-name: cascade-list-drift-gate
-
-# Structural gate: TEMPLATES list in publish-runtime.yml must match
-# manifest.json's workspace_templates exactly. Closes the recurrence
-# path of PR #2556 (the data fix) and is the first concrete deliverable
-# of RFC #388 PR-3.
-#
-# Why a gate, not just discipline: PR #2536 pruned the manifest, but the
-# cascade list wasn't updated for ~weeks before someone (PR #2556)
-# noticed during an unrelated audit. During that window, codex never
-# rebuilt on a runtime publish. A structural gate catches the drift
-# the same day either file changes.
-#
-# Triggers narrowly to keep CI quiet: only on PRs that actually change
-# one of the two files. The path-filtered split + always-emit-result
-# pattern (memory: "Required check names need a job that always runs")
-# is unnecessary here because the workflow IS the check name and PR
-# branch protection should require it directly. Future-proof: if this
-# becomes a required check, add a no-op aggregator with always() so the
-# name still emits when paths don't match.
-
-on:
-  pull_request:
-    branches: [staging, main]
-    paths:
-      - manifest.json
-      - .github/workflows/publish-runtime.yml
-      - scripts/check-cascade-list-vs-manifest.sh
-
-permissions:
-  contents: read
-
-jobs:
-  check:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-      - name: Check cascade list matches manifest
-        run: bash scripts/check-cascade-list-vs-manifest.sh
@@ -1,58 +0,0 @@
-name: Check migration collisions
-
-# Hard gate (#2341): fails a PR that adds a migration prefix already
-# claimed by the base branch or another open PR. Caught manually 2026-04-30
-# during PR #2276 rebase: 044_runtime_image_pins collided with
-# 044_platform_inbound_secret from RFC #2312. This workflow makes that
-# check automatic.
-#
-# Trigger model: pull_request only — there's no value running this on
-# pushes to staging or main (those are post-merge; the gate must fire
-# pre-merge to be useful). Path filter scopes to PRs that actually touch
-# migrations.
-
-on:
-  pull_request:
-    types: [opened, synchronize, reopened]
-    paths:
-      - 'workspace-server/migrations/**'
-      - 'scripts/ops/check_migration_collisions.py'
-      - '.github/workflows/check-migration-collisions.yml'
-
-permissions:
-  contents: read
-  # gh pr list/diff need read access to other PRs
-  pull-requests: read
-
-jobs:
-  check:
-    name: Migration version collision check
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          # Need history to diff against base ref
-          fetch-depth: 0
-
-      - name: Detect collisions
-        env:
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-          BASE_REF: origin/${{ github.event.pull_request.base.ref }}
-          HEAD_REF: ${{ github.event.pull_request.head.sha }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          # gh CLI uses GH_TOKEN from env
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          # Ensure the named base ref exists locally. checkout@v4 with
-          # fetch-depth=0 pulls full history, but the explicit fetch is
-          # cheap insurance against form-of-ref differences across runs.
-          #
-          # IMPORTANT: do NOT pass --depth=1 here. The script below uses
-          # `git diff origin/<base>...<head>` (three-dot, merge-base form),
-          # which fails with "fatal: no merge base" if the base ref is
-          # shallow. The auto-promote staging→main PR (#2361) was blocked
-          # by exactly this for ~5h on 2026-04-30 — the depth=1 fetch
-          # overwrote checkout@v4's full-history clone with a shallow tip.
-          git fetch origin "${{ github.event.pull_request.base.ref }}" || true
-          python3 scripts/ops/check_migration_collisions.py
@@ -1,443 +0,0 @@
-name: CI
-
-on:
-  push:
-    branches: [main, staging]
-  pull_request:
-    branches: [main, staging]
-  # GitHub merge queue fires `merge_group` for the queue's pre-merge CI run.
-  # Required so the queue gets a real check result instead of a false-green
-  # from the absence of a triggered workflow. Safe to add unconditionally —
-  # the event simply doesn't fire until the queue is enabled on the branch.
-  merge_group:
-    types: [checks_requested]
-
-# Cancel in-progress CI runs when a new commit arrives on the same ref.
-# This prevents stale runs from queuing behind each other. The merge_group
-# refs (refs/heads/gh-readonly-queue/...) get their own concurrency group
-# automatically because github.ref differs from the PR ref.
-concurrency:
-  group: ci-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  # Detect which paths changed so downstream jobs can skip when only
-  # docs/markdown files were modified.
-  changes:
-    name: Detect changes
-    runs-on: ubuntu-latest
-    outputs:
-      platform: ${{ steps.check.outputs.platform }}
-      canvas: ${{ steps.check.outputs.canvas }}
-      python: ${{ steps.check.outputs.python }}
-      scripts: ${{ steps.check.outputs.scripts }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0
-      - id: check
-        run: |
-          # For PR events: diff against the base branch (not HEAD~1 of the branch,
-          # which may be unrelated after force-pushes). When a push updates a PR,
-          # both pull_request and push events fire — prefer the PR base so that
-          # the diff is always computed against the actual merge base, not the
-          # previous SHA on the branch which may be on a different history line.
-          BASE="${GITHUB_BASE_REF:-${{ github.event.before }}}"
-          # GITHUB_BASE_REF is set by GitHub for PR events (the base branch name).
-          # For pull_request events we use the stored base.sha; for push events
-          # (or when base.sha is unavailable) fall back to github.event.before.
-          if [ "${{ github.event_name }}" = "pull_request" ] && [ -n "${{ github.event.pull_request.base.sha }}" ]; then
-            BASE="${{ github.event.pull_request.base.sha }}"
-          fi
-          # Fallback: if BASE is empty or all zeros (new branch), run everything
-          if [ -z "$BASE" ] || echo "$BASE" | grep -qE '^0+$'; then
-            echo "platform=true" >> "$GITHUB_OUTPUT"
-            echo "canvas=true" >> "$GITHUB_OUTPUT"
-            echo "python=true" >> "$GITHUB_OUTPUT"
-            echo "scripts=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          DIFF=$(git diff --name-only "$BASE" HEAD 2>/dev/null || echo ".github/workflows/ci.yml")
-          echo "platform=$(echo "$DIFF" | grep -qE '^workspace-server/|^\.github/workflows/ci\.yml$' && echo true || echo false)" >> "$GITHUB_OUTPUT"
-          echo "canvas=$(echo "$DIFF" | grep -qE '^canvas/|^\.github/workflows/ci\.yml$' && echo true || echo false)" >> "$GITHUB_OUTPUT"
-          echo "python=$(echo "$DIFF" | grep -qE '^workspace/|^\.github/workflows/ci\.yml$' && echo true || echo false)" >> "$GITHUB_OUTPUT"
-          echo "scripts=$(echo "$DIFF" | grep -qE '^tests/e2e/|^scripts/|^infra/scripts/|^\.github/workflows/ci\.yml$' && echo true || echo false)" >> "$GITHUB_OUTPUT"
-
-  # Platform (Go) is a required check on staging. Always-run + per-step
-  # gating (see Canvas (Next.js) for the rationale and the failure mode
-  # this avoids).
-  platform-build:
-    name: Platform (Go)
-    needs: changes
-    runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: workspace-server
-    steps:
-      - if: needs.changes.outputs.platform != 'true'
-        working-directory: .
-        run: echo "No platform/** changes — skipping real build steps; this job always runs to satisfy the required-check name on branch protection."
-      - if: needs.changes.outputs.platform == 'true'
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - if: needs.changes.outputs.platform == 'true'
-        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
-        with:
-          go-version: 'stable'
-      - if: needs.changes.outputs.platform == 'true'
-        run: go mod download
-      - if: needs.changes.outputs.platform == 'true'
-        run: go build ./cmd/server
-      # CLI (molecli) moved to standalone repo: github.com/molecule-ai/molecule-cli
-      - if: needs.changes.outputs.platform == 'true'
-        run: go vet ./... || true
-      - if: needs.changes.outputs.platform == 'true'
-        name: Run golangci-lint
-        run: golangci-lint run --timeout 3m ./... || true
-      - if: needs.changes.outputs.platform == 'true'
-        name: Run tests with race detection and coverage
-        run: go test -race -coverprofile=coverage.out ./...
-
-      - if: needs.changes.outputs.platform == 'true'
-        name: Per-file coverage report
-        # Advisory — lists every source file with its coverage so reviewers
-        # can see at-a-glance where gaps are. Sorted ascending so the worst
-        # offenders float to the top. Does NOT fail the build; the hard
-        # gate is the threshold check below. (#1823)
-        run: |
-          echo "=== Per-file coverage (worst first) ==="
-          go tool cover -func=coverage.out \
-            | grep -v '^total:' \
-            | awk '{file=$1; sub(/:[0-9][0-9.]*:.*/, "", file); pct=$NF; gsub(/%/,"",pct); s[file]+=pct; c[file]++}
-                   END {for (f in s) printf "%6.1f%%  %s\n", s[f]/c[f], f}' \
-            | sort -n
-
-      - if: needs.changes.outputs.platform == 'true'
-        name: Check coverage thresholds
-        # Enforces two gates from #1823 Layer 1:
-        #   1. Total floor (25% — ratchet plan in COVERAGE_FLOOR.md).
-        #   2. Per-file floor — non-test .go files in security-critical
-        #      paths with coverage <10% fail the build, UNLESS the file
-        #      path is listed in .coverage-allowlist.txt (acknowledged
-        #      historical debt with a tracking issue + expiry).
-        run: |
-          set -e
-          TOTAL_FLOOR=25
-          # Security-critical paths where a 0%-coverage file is a real risk.
-          CRITICAL_PATHS=(
-            "internal/handlers/tokens"
-            "internal/handlers/workspace_provision"
-            "internal/handlers/a2a_proxy"
-            "internal/handlers/registry"
-            "internal/handlers/secrets"
-            "internal/middleware/wsauth"
-            "internal/crypto"
-          )
-
-          TOTAL=$(go tool cover -func=coverage.out | grep '^total:' | awk '{print $3}' | sed 's/%//')
-          echo "Total coverage: ${TOTAL}%"
-          if awk "BEGIN{exit !($TOTAL < $TOTAL_FLOOR)}"; then
-            echo "::error::Total coverage ${TOTAL}% is below the ${TOTAL_FLOOR}% floor. See COVERAGE_FLOOR.md for ratchet plan."
-            exit 1
-          fi
-
-          # Aggregate per-file coverage → /tmp/perfile.txt: "<fullpath> <pct>"
-          go tool cover -func=coverage.out \
-            | grep -v '^total:' \
-            | awk '{file=$1; sub(/:[0-9][0-9.]*:.*/, "", file); pct=$NF; gsub(/%/,"",pct); s[file]+=pct; c[file]++}
-                   END {for (f in s) printf "%s %.1f\n", f, s[f]/c[f]}' \
-            > /tmp/perfile.txt
-
-          # Build allowlist — paths relative to workspace-server, one per line.
-          # Lines starting with # are comments.
-          ALLOWLIST=""
-          if [ -f ../.coverage-allowlist.txt ]; then
-            ALLOWLIST=$(grep -vE '^(#|[[:space:]]*$)' ../.coverage-allowlist.txt || true)
-          fi
-
-          FAILED=0
-          WARNED=0
-          for path in "${CRITICAL_PATHS[@]}"; do
-            while read -r file pct; do
-              [[ "$file" == *_test.go ]] && continue
-              [[ "$file" == *"$path"* ]] || continue
-              awk "BEGIN{exit !($pct < 10)}" || continue
-
-              # Strip the package-import prefix so we can match .coverage-allowlist.txt
-              # entries written as paths relative to workspace-server/.
-              # Handle both module paths: platform/workspace-server/... and platform/...
-              rel=$(echo "$file" | sed 's|^github.com/molecule-ai/molecule-monorepo/platform/workspace-server/||; s|^github.com/molecule-ai/molecule-monorepo/platform/||')
-
-              if echo "$ALLOWLIST" | grep -qxF "$rel"; then
-                echo "::warning file=workspace-server/$rel::Critical file at ${pct}% coverage (allowlisted, #1823) — fix before expiry."
-                WARNED=$((WARNED+1))
-              else
-                echo "::error file=workspace-server/$rel::Critical file at ${pct}% coverage — must be >=10% (target 80%). See #1823. To acknowledge as known debt, add this path to .coverage-allowlist.txt."
-                FAILED=$((FAILED+1))
-              fi
-            done < /tmp/perfile.txt
-          done
-
-          echo ""
-          echo "Critical-path check: $FAILED new failures, $WARNED allowlisted warnings."
-
-          if [ "$FAILED" -gt 0 ]; then
-            echo ""
-            echo "$FAILED security-critical file(s) have <10% test coverage and are"
-            echo "NOT in the allowlist. These paths handle auth, tokens, secrets, or"
-            echo "workspace provisioning — a 0% file here is the exact gap that let"
-            echo "CWE-22, CWE-78, KI-005 slip through in past incidents. Either:"
-            echo "  (a) add tests to raise coverage above 10%, or"
-            echo "  (b) add the path to .coverage-allowlist.txt with an expiry date"
-            echo "      and a tracking issue reference."
-            exit 1
-          fi
-
-  # Canvas (Next.js) — required check, always runs. See platform-build
-  # comment above for the rationale.
-  #
-  # Supersedes the canvas-build-noop pattern attempted in PR #2321: two
-  # jobs sharing `name:` doesn't actually satisfy branch protection
-  # because the SKIPPED check run sibling is treated as not-passed
-  # regardless of how many SUCCESS siblings it has. Verified empirically
-  # on PR #2314 — mergeStateStatus stayed BLOCKED until I collapsed to
-  # a single-job-with-conditional-steps shape.
-  canvas-build:
-    name: Canvas (Next.js)
-    needs: changes
-    runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: canvas
-    steps:
-      - if: needs.changes.outputs.canvas != 'true'
-        working-directory: .
-        run: echo "No canvas/** changes — skipping real build steps; this job always runs to satisfy the required-check name on branch protection."
-      - if: needs.changes.outputs.canvas == 'true'
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - if: needs.changes.outputs.canvas == 'true'
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
-        with:
-          node-version: '22'
-      - if: needs.changes.outputs.canvas == 'true'
-        run: rm -f package-lock.json && npm install
-      - if: needs.changes.outputs.canvas == 'true'
-        run: npm run build
-      - if: needs.changes.outputs.canvas == 'true'
-        name: Run tests with coverage
-        # Coverage instrumentation is configured in canvas/vitest.config.ts
-        # (provider: v8, reporters: text + html + json-summary). Step 2 of
-        # #1815 — wires coverage into CI so we get a baseline visible on
-        # every PR. No threshold gate yet; thresholds dial in (Step 3, also
-        # tracked in #1815) after the team sees what current coverage is.
-        # Per the inline comment in vitest.config.ts: "first land
-        # observability so we can see the baseline, then dial in
-        # thresholds + a hard gate" — this PR ships the observability half.
-        run: npx vitest run --coverage
-      - name: Upload coverage summary as artifact
-        if: needs.changes.outputs.canvas == 'true' && always()
-        # Pinned to v3 for Gitea act_runner v0.6 compatibility — v4+ uses
-        # the GHES 3.10+ artifact protocol that Gitea 1.22.x does NOT
-        # implement, surfacing as `GHESNotSupportedError: @actions/artifact
-        # v2.0.0+, upload-artifact@v4+ and download-artifact@v4+ are not
-        # currently supported on GHES`. Drop this pin when Gitea ships
-        # the v4 protocol (tracked: post-Gitea-1.23 followup).
-        uses: actions/upload-artifact@c6a366c94c3e0affe28c06c8df20a878f24da3cf # v3.2.2
-        with:
-          name: canvas-coverage-${{ github.run_id }}
-          path: canvas/coverage/
-          retention-days: 7
-          if-no-files-found: warn
-
-  # MCP Server + SDK removed from CI — now in standalone repos:
-  # - github.com/molecule-ai/molecule-mcp-server (npm CI)
-  # - github.com/molecule-ai/molecule-sdk-python (PyPI CI)
-
-  # e2e-api job moved to .github/workflows/e2e-api.yml (issue #458).
-  # It now has workflow-level concurrency (cancel-in-progress: false) so
-  # new pushes queue the E2E run rather than cancelling it at the run level.
-
-  # Shellcheck (E2E scripts) — required check, always runs. See
-  # platform-build for the rationale.
-  shellcheck:
-    name: Shellcheck (E2E scripts)
-    needs: changes
-    runs-on: ubuntu-latest
-    steps:
-      - if: needs.changes.outputs.scripts != 'true'
-        run: echo "No tests/e2e/ or infra/scripts/ changes — skipping real shellcheck; this job always runs to satisfy the required-check name on branch protection."
-      - if: needs.changes.outputs.scripts == 'true'
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - if: needs.changes.outputs.scripts == 'true'
-        name: Run shellcheck on tests/e2e/*.sh and infra/scripts/*.sh
-        # shellcheck is pre-installed on ubuntu-latest runners (via apt).
-        # infra/scripts/ is included because setup.sh + nuke.sh gate the
-        # README quickstart — a shellcheck regression there silently breaks
-        # new-user onboarding. scripts/ is intentionally excluded until its
-        # pre-existing SC3040/SC3043 warnings are cleaned up.
-        run: |
-          find tests/e2e infra/scripts -type f -name '*.sh' -print0 \
-            | xargs -0 shellcheck --severity=warning
-
-      - if: needs.changes.outputs.scripts == 'true'
-        name: Lint cleanup-trap hygiene (RFC #2873)
-        # Asserts every shell E2E test that calls `mktemp` also installs
-        # an EXIT trap. Catches the /tmp-leak class — a missing trap
-        # silently leaks scratch into CI runners (~10-100KB per run).
-        # See tests/e2e/lint_cleanup_traps.sh for the rule + fix pattern.
-        run: bash tests/e2e/lint_cleanup_traps.sh
-
-      - if: needs.changes.outputs.scripts == 'true'
-        name: Run E2E bash unit tests (no live infra)
-        # Pure-bash unit tests for E2E helper libs (lib/*.sh). These pin
-        # behavior of dispatch logic that — when broken — silently masks as
-        # "Could not resolve authentication method" only after a successful
-        # tenant + workspace provision (PR #2571 incident, 2026-05-03). Add
-        # new self-contained unit tests here as the lib/ directory grows;
-        # tests requiring live CP/tenant credentials belong in the dedicated
-        # e2e-staging-* workflows, not this job.
-        run: |
-          bash tests/e2e/test_model_slug.sh
-
-  canvas-deploy-reminder:
-    name: Canvas Deploy Reminder
-    runs-on: ubuntu-latest
-    needs: [changes, canvas-build]
-    # Only fires on direct pushes to main (i.e. after staging→main promotion).
-    if: needs.changes.outputs.canvas == 'true' && github.event_name == 'push' && github.ref == 'refs/heads/main'
-    steps:
-      - name: Write deploy reminder to step summary
-        env:
-          COMMIT_SHA: ${{ github.sha }}
-          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-        run: |
-          # Write body to a temp file — avoids backtick escaping in shell.
-          cat > /tmp/deploy-reminder.md << 'BODY'
-          ## Canvas build passed ✅ — deploy required
-
-          The `publish-canvas-image` workflow is now building a fresh Docker image
-          (`ghcr.io/molecule-ai/canvas:latest`) in the background.
-
-          Once it completes (~3–5 min), apply on the host machine with:
-          ```bash
-          cd <runner-workspace>
-          git pull origin main
-          docker compose pull canvas && docker compose up -d canvas
-          ```
-
-          If you need to rebuild from local source instead (e.g. testing unreleased
-          changes or a new `NEXT_PUBLIC_*` URL), use:
-          ```bash
-          docker compose build canvas && docker compose up -d canvas
-          ```
-          BODY
-          printf '\n> Posted automatically by CI · commit `%s` · [build log](%s)\n' \
-            "$COMMIT_SHA" "$RUN_URL" >> /tmp/deploy-reminder.md
-
-          # Gitea has no commit-comments API (no equivalent of
-          # POST /repos/{owner}/{repo}/commits/{commit_sha}/comments).
-          # Write to GITHUB_STEP_SUMMARY instead — both GitHub Actions and
-          # Gitea Actions render this as the workflow run's summary page,
-          # which is where operators look for post-deploy action items.
-          # (#75 / PR-D)
-          cat /tmp/deploy-reminder.md >> "$GITHUB_STEP_SUMMARY"
-
-  # Python Lint & Test — required check, always runs. See platform-build
-  # for the rationale.
-  python-lint:
-    name: Python Lint & Test
-    needs: changes
-    runs-on: ubuntu-latest
-    env:
-      WORKSPACE_ID: test
-    defaults:
-      run:
-        working-directory: workspace
-    steps:
-      - if: needs.changes.outputs.python != 'true'
-        working-directory: .
-        run: echo "No workspace/** changes — skipping real lint+test; this job always runs to satisfy the required-check name on branch protection."
-      - if: needs.changes.outputs.python == 'true'
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - if: needs.changes.outputs.python == 'true'
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: '3.11'
-          cache: pip
-          cache-dependency-path: workspace/requirements.txt
-      - if: needs.changes.outputs.python == 'true'
-        run: pip install -r requirements.txt pytest pytest-asyncio pytest-cov sqlalchemy>=2.0.0
-      # Coverage flags + fail-under floor moved into workspace/pytest.ini
-      # (issue #1817) so local `pytest` and CI use identical config.
-      - if: needs.changes.outputs.python == 'true'
-        run: python -m pytest --tb=short
-
-      - if: needs.changes.outputs.python == 'true'
-        name: Per-file critical-path coverage (MCP / inbox / auth)
-        # MCP-critical Python files have a per-file floor on top of the
-        # 86% total floor in pytest.ini. Rationale (issue #2790, after
-        # the PR #2766 → PR #2771 cycle): the total floor averages ~6000
-        # lines, so a single MCP file could regress to ~50% with no
-        # complaint as long as other modules compensate. These five
-        # files handle multi-tenant routing + auth + inbox dispatch —
-        # a coverage drop here is the same risk shape as a Go-side
-        # workspace-server token/secrets file dropping below 10%.
-        #
-        # Floor 75% sits below current actuals (80-96%) so this gate is
-        # strictly additive — no existing PR fails. Ratchet plan in
-        # COVERAGE_FLOOR.md.
-        run: |
-          set -e
-          PER_FILE_FLOOR=75
-          CRITICAL_FILES=(
-            "a2a_mcp_server.py"
-            "mcp_cli.py"
-            "a2a_tools.py"
-            "a2a_tools_inbox.py"
-            "inbox.py"
-            "platform_auth.py"
-          )
-
-          # pytest already wrote .coverage; emit a JSON view scoped to
-          # the critical files so jq/python can read the per-file pct
-          # without parsing tabular text. --include uses fnmatch, and
-          # the leading "*" allows the file to live anywhere under the
-          # workspace root (today they sit at workspace/<name>.py).
-          INCLUDES=$(printf '*%s,' "${CRITICAL_FILES[@]}")
-          INCLUDES="${INCLUDES%,}"
-          python -m coverage json -o /tmp/critical-cov.json --include="$INCLUDES"
-
-          FAILED=0
-          for f in "${CRITICAL_FILES[@]}"; do
-            # Match by top-level path key (e.g. "a2a_tools.py", not
-            # "builtin_tools/a2a_tools.py" — different file at 100%).
-            # The keys in coverage.json are paths relative to the run
-            # cwd (workspace/), so the critical-path entry sits at the
-            # bare basename.
-            pct=$(jq -r --arg f "$f" '.files | to_entries | map(select(.key == $f)) | .[0].value.summary.percent_covered // "MISSING"' /tmp/critical-cov.json)
-            if [ "$pct" = "MISSING" ]; then
-              echo "::error file=workspace/$f::No coverage data — file may have moved or test exclusion mis-set."
-              FAILED=$((FAILED+1))
-              continue
-            fi
-            echo "$f: ${pct}%"
-            if awk "BEGIN{exit !($pct < $PER_FILE_FLOOR)}"; then
-              echo "::error file=workspace/$f::${pct}% < ${PER_FILE_FLOOR}% per-file floor (MCP critical path). See COVERAGE_FLOOR.md."
-              FAILED=$((FAILED+1))
-            fi
-          done
-
-          if [ "$FAILED" -gt 0 ]; then
-            echo ""
-            echo "$FAILED MCP critical-path file(s) below the ${PER_FILE_FLOOR}% per-file floor."
-            echo "These paths handle multi-tenant routing, auth tokens, and inbox dispatch."
-            echo "A coverage drop here is the same risk shape as Go-side tokens/secrets files"
-            echo "dropping below 10% (see COVERAGE_FLOOR.md). Either:"
-            echo "  (a) add tests to raise coverage back above ${PER_FILE_FLOOR}%, or"
-            echo "  (b) if this is unavoidable historical debt, file an issue and propose"
-            echo "      adjusting the floor with rationale in COVERAGE_FLOOR.md."
-            exit 1
-          fi
-
-      # SDK + plugin validation moved to standalone repo:
-      # github.com/molecule-ai/molecule-sdk-python
-
@@ -1,257 +0,0 @@
-name: Continuous synthetic E2E (staging)
-
-# Hard gate (#2342): cron-driven full-lifecycle E2E that catches
-# regressions visible only at runtime — schema drift, deployment-pipeline
-# gaps, vendor outages, env-var rotations, DNS / CF / Railway side-effects.
-#
-# Why this gate exists:
-#   PR-time CI catches code-level regressions but not deployment-time or
-#   integration-time ones. Today's empirical data:
-#     • #2345 (A2A v0.2 silent drop) — passed all unit tests, broke at
-#       JSON-RPC parse layer between sender and receiver. Visible only
-#       to a sender exercising the full path.
-#     • RFC #2312 chat upload — landed on staging-branch but never
-#       reached staging tenants because publish-workspace-server-image
-#       was main-only. Caught by manual dogfooding hours after deploy.
-#   Both would have surfaced within 15-20 min of regression if a
-#   continuous synth-E2E was running.
-#
-# Cadence: every 20 min (3x/hour). The script is conservatively
-# bounded at 10 min wall-clock; even on degraded staging it should
-# finish before the next firing. cron-overlap is guarded by the
-# concurrency group below.
-#
-# Cost: ~3 runs/hour × 5-10 min × $0.008/min GHA = ~$0.50-$1/day.
-# Plus a fresh tenant provisioned + torn down each run (Railway +
-# AWS pennies). Negligible.
-#
-# Failure handling: when the run fails, the workflow exits non-zero
-# and GitHub's standard email/notification path fires. Operators
-# can subscribe to this workflow's failure channel for paging-grade
-# alerting.
-
-on:
-  schedule:
-    # Every 10 minutes, on :02 :12 :22 :32 :42 :52. Three constraints:
-    #   1. Stay off the top-of-hour. GitHub Actions scheduler drops
-    #      :00 firings under high load (own docs:
-    #      https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule).
-    #      Prior history: cron was '0,20,40' (2026-05-02) — only :00
-    #      ever survived. Bumped to '10,30,50' (2026-05-03) on the
-    #      theory that further-from-:00 wins. Empirically 2026-05-04
-    #      that ALSO dropped to ~60 min effective cadence (only ~1
-    #      schedule fire per hour — see molecule-core#2726). Detection
-    #      latency was claimed 20 min, actual 60 min.
-    #   2. Avoid colliding with the existing :15 sweep-cf-orphans
-    #      and :45 sweep-cf-tunnels — both hit the CF API and we
-    #      don't want to fight for rate-limit tokens.
-    #   3. Avoid the :30 heavy slot (canary-staging /30, sweep-aws-
-    #      secrets, sweep-stale-e2e-orgs every :15) — multiple
-    #      overlapping cron registrations on the same minute is part
-    #      of what GH drops under load.
-    # Solution: bump fires-per-hour 3 → 6 AND keep all slots in clean
-    # lanes (1-3 min away from any other cron). Even with empirically-
-    # observed ~67% GH drop ratio, 6 attempts/hour yields ~2 effective
-    # fires = ~30 min cadence; closer to the 20-min target than the
-    # current shape and provides a real degradation alarm if drops
-    # get worse.
-    - cron: '2,12,22,32,42,52 * * * *'
-  workflow_dispatch:
-    inputs:
-      runtime:
-        description: "Runtime to provision (claude-code = default + cheapest via MiniMax; langgraph = OpenAI-only; hermes = SDK-native path, slower)"
-        required: false
-        default: "claude-code"
-        type: string
-      model_slug:
-        description: "Model id to provision the workspace with (default MiniMax-M2.7-highspeed; e.g. 'sonnet' to test direct Anthropic, 'openai/gpt-4o' for hermes)"
-        required: false
-        default: "MiniMax-M2.7-highspeed"
-        type: string
-      keep_org:
-        description: "Skip teardown for post-mortem debugging (only manual dispatch — never set this for cron runs)"
-        required: false
-        default: false
-        type: boolean
-
-permissions:
-  contents: read
-  # No issue-write here — failures surface as red runs in the workflow
-  # history. If you want auto-issue-on-fail, add a follow-up step that
-  # uses gh issue create gated on `if: failure()`. Keeping the surface
-  # minimal until that's actually wanted.
-
-# Serialize so two firings can never overlap. Cron firing every 20 min
-# but scripts conservatively bounded at 10 min — overlap shouldn't
-# happen in steady state, but if a run hangs we don't want N more
-# stacking up.
-concurrency:
-  group: continuous-synth-e2e
-  cancel-in-progress: false
-
-jobs:
-  synth:
-    name: Synthetic E2E against staging
-    runs-on: ubuntu-latest
-    # Bumped from 12 → 20 (2026-05-04). Tenant user-data install phase
-    # (apt-get update + install docker.io/jq/awscli/caddy + snap install
-    # ssm-agent) runs from raw Ubuntu on every boot — none of it is
-    # pre-baked into the tenant AMI. Empirical fetch_secrets/ok timing
-    # across today's canaries: 51s → 82s → 143s → 625s. apt-mirror tail
-    # latency drives the boot-to-fetch_secrets phase from ~1min to >10min.
-    # A 12min budget leaves only ~2min for the workspace (which needs
-    # ~3.5min for claude-code cold boot) on slow-apt days, blowing the
-    # budget. 20min absorbs the worst tenant tail so the workspace probe
-    # gets the full ~7min it needs even on a slow apt day. Real fix:
-    # pre-bake caddy + ssm-agent into the tenant AMI (controlplane#TBD).
-    timeout-minutes: 20
-    env:
-      # claude-code default: cold-start ~5 min (comparable to langgraph),
-      # but uses MiniMax-M2.7-highspeed via the template's third-party-
-      # Anthropic-compat path (workspace-configs-templates/claude-code-
-      # default/config.yaml:64-69). MiniMax is ~5-10x cheaper than
-      # gpt-4.1-mini per token AND avoids the recurring OpenAI quota-
-      # exhaustion class that took the canary down 2026-05-03 (#265).
-      # Operators can pick langgraph / hermes via workflow_dispatch
-      # when they specifically need to exercise the OpenAI or SDK-
-      # native paths.
-      E2E_RUNTIME: ${{ github.event.inputs.runtime || 'claude-code' }}
-      # Pin the canary to a specific MiniMax model rather than relying
-      # on the per-runtime default ("sonnet" → routes to direct
-      # Anthropic, defeats the cost saving). Operators can override
-      # via workflow_dispatch by setting a different E2E_MODEL_SLUG
-      # input if they need to exercise a specific model. M2.7-highspeed
-      # is "Token Plan only" but cheap-per-token and fast.
-      E2E_MODEL_SLUG: ${{ github.event.inputs.model_slug || 'MiniMax-M2.7-highspeed' }}
-      # Bound to 10 min so a stuck provision fails the run instead of
-      # holding up the next cron firing. 15-min default in the script
-      # is for the on-PR full lifecycle where we have more headroom.
-      E2E_PROVISION_TIMEOUT_SECS: '600'
-      # Slug suffix — namespaced "synth-" so these runs are
-      # distinguishable from PR-driven runs in CP admin.
-      E2E_RUN_ID: synth-${{ github.run_id }}
-      # Forced false for cron; respected for manual dispatch
-      E2E_KEEP_ORG: ${{ github.event.inputs.keep_org == 'true' && '1' || '' }}
-      MOLECULE_CP_URL: ${{ vars.STAGING_CP_URL || 'https://staging-api.moleculesai.app' }}
-      MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
-      # MiniMax key is the canary's PRIMARY auth path. claude-code
-      # template's `minimax` provider routes ANTHROPIC_BASE_URL to
-      # api.minimax.io/anthropic and reads MINIMAX_API_KEY at boot.
-      # tests/e2e/test_staging_full_saas.sh branches SECRETS_JSON on
-      # which key is present — MiniMax wins when set.
-      E2E_MINIMAX_API_KEY: ${{ secrets.MOLECULE_STAGING_MINIMAX_API_KEY }}
-      # Direct-Anthropic alternative for operators who don't want to
-      # set up a MiniMax account (priority below MiniMax — first
-      # non-empty wins in test_staging_full_saas.sh's secrets-injection
-      # block). See #2578 PR comment for the rationale.
-      E2E_ANTHROPIC_API_KEY: ${{ secrets.MOLECULE_STAGING_ANTHROPIC_API_KEY }}
-      # OpenAI fallback — kept wired so operators can dispatch with
-      # E2E_RUNTIME=langgraph or =hermes and still have a working
-      # canary path. The script picks the right blob shape based on
-      # which key is non-empty.
-      E2E_OPENAI_API_KEY: ${{ secrets.MOLECULE_STAGING_OPENAI_KEY }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - name: Verify required secrets present
-        run: |
-          # Hard-fail on missing secret REGARDLESS of trigger. Previously
-          # this step soft-skipped on workflow_dispatch via `exit 0`, but
-          # `exit 0` only ends the STEP — subsequent steps still ran with
-          # the empty secret, the synth script fell through to the wrong
-          # SECRETS_JSON branch, and the canary failed 5 min later with a
-          # confusing "Agent error (Exception)" instead of the clean
-          # "secret missing" message at the top. Caught 2026-05-04 by
-          # dispatched run 25296530706: claude-code + missing MINIMAX
-          # silently used OpenAI keys but kept model=MiniMax-M2.7, then
-          # the workspace 401'd against MiniMax once it tried to call.
-          # Fix: exit 1 in both cron and dispatch paths. Operators who
-          # want to verify a YAML change without setting up the secret
-          # can read the verify-secrets step's stderr — the failure is
-          # itself the verification signal.
-          if [ -z "${MOLECULE_ADMIN_TOKEN:-}" ]; then
-            echo "::error::CP_STAGING_ADMIN_API_TOKEN secret missing — synth E2E cannot run"
-            echo "::error::Set it at Settings → Secrets and Variables → Actions; pull from staging-CP's CP_ADMIN_API_TOKEN env in Railway."
-            exit 1
-          fi
-
-          # LLM-key requirement is per-runtime: claude-code accepts
-          # EITHER MiniMax OR direct-Anthropic (whichever is set first),
-          # langgraph + hermes use OpenAI (MOLECULE_STAGING_OPENAI_KEY).
-          case "${E2E_RUNTIME}" in
-            claude-code)
-              if [ -n "${E2E_MINIMAX_API_KEY:-}" ]; then
-                required_secret_name="MOLECULE_STAGING_MINIMAX_API_KEY"
-                required_secret_value="${E2E_MINIMAX_API_KEY}"
-              elif [ -n "${E2E_ANTHROPIC_API_KEY:-}" ]; then
-                required_secret_name="MOLECULE_STAGING_ANTHROPIC_API_KEY"
-                required_secret_value="${E2E_ANTHROPIC_API_KEY}"
-              else
-                required_secret_name="MOLECULE_STAGING_MINIMAX_API_KEY or MOLECULE_STAGING_ANTHROPIC_API_KEY"
-                required_secret_value=""
-              fi
-              ;;
-            langgraph|hermes)
-              required_secret_name="MOLECULE_STAGING_OPENAI_KEY"
-              required_secret_value="${E2E_OPENAI_API_KEY:-}"
-              ;;
-            *)
-              echo "::warning::Unknown E2E_RUNTIME='${E2E_RUNTIME}' — skipping LLM-key check"
-              required_secret_name=""
-              required_secret_value="present"
-              ;;
-          esac
-          if [ -n "$required_secret_name" ] && [ -z "$required_secret_value" ]; then
-            echo "::error::${required_secret_name} secret missing — runtime=${E2E_RUNTIME} cannot authenticate against its LLM provider"
-            echo "::error::Set it at Settings → Secrets and Variables → Actions, OR dispatch with a different runtime"
-            exit 1
-          fi
-
-      - name: Install required tools
-        run: |
-          # The script depends on jq + curl (already on ubuntu-latest)
-          # and python3 (likewise). Verify they're all present so we
-          # fail fast on a runner image regression rather than mid-script.
-          for cmd in jq curl python3; do
-            command -v "$cmd" >/dev/null 2>&1 || {
-              echo "::error::required tool '$cmd' not on PATH — runner image regression?"
-              exit 1
-            }
-          done
-
-      - name: Run synthetic E2E
-        # The script handles its own teardown via EXIT trap; even on
-        # failure (timeout, assertion), the org is deprovisioned and
-        # leaks are reported. Exit code propagates from the script.
-        run: |
-          bash tests/e2e/test_staging_full_saas.sh
-
-      - name: Failure summary
-        # Runs only on failure. Adds a job summary so the workflow run
-        # page shows a quick "what happened" instead of forcing readers
-        # to scroll through script output.
-        if: failure()
-        run: |
-          {
-            echo "## Continuous synth E2E failed"
-            echo ""
-            echo "**Run ID:** ${{ github.run_id }}"
-            echo "**Trigger:** ${{ github.event_name }}"
-            echo "**Runtime:** ${E2E_RUNTIME}"
-            echo "**Slug:** synth-${{ github.run_id }}"
-            echo ""
-            echo "### What this means"
-            echo ""
-            echo "Staging just regressed on a path that previously worked. Likely classes:"
-            echo "- Schema mismatch between sender and receiver (#2345 class)"
-            echo "- Deployment-pipeline gap (RFC #2312 / staging-tenant-image-stale class)"
-            echo "- Vendor outage (Cloudflare, Railway, AWS, GHCR)"
-            echo "- Staging-CP env var rotation"
-            echo ""
-            echo "### Next steps"
-            echo ""
-            echo "1. Check the script output above for the assertion that failed"
-            echo "2. If it's a vendor outage, no action needed — next firing in ~20 min"
-            echo "3. If it's a code regression, find the causing PR via \`git log\` against last green run and revert/fix"
-            echo "4. Keep an eye on the next 1-2 firings — flake vs persistent fail differs in priority"
-          } >> "$GITHUB_STEP_SUMMARY"
@@ -1,307 +0,0 @@
-name: E2E API Smoke Test
-# Extracted from ci.yml so workflow-level concurrency can protect this job
-# from run-level cancellation (issue #458).
-#
-# Trigger model (revised 2026-04-29):
-#
-# Always FIRES on push/pull_request to staging+main. Real work is gated
-# per-step on `needs.detect-changes.outputs.api` — when paths under
-# `workspace-server/`, `tests/e2e/`, or this workflow file haven't
-# changed, the no-op step alone runs and emits SUCCESS for the
-# `E2E API Smoke Test` check, satisfying branch protection without
-# spending CI cycles. See the in-job comment on the `e2e-api` job for
-# why this is one job (not two-jobs-sharing-name) and the 2026-04-29
-# PR #2264 incident that drove the consolidation.
-#
-# Parallel-safety (Class B Hongming-owned CICD red sweep, 2026-05-08)
-# -------------------------------------------------------------------
-# Same substrate hazard as PR #98 (handlers-postgres-integration). Our
-# Gitea act_runner runs with `container.network: host` (operator host
-# `/opt/molecule/runners/config.yaml`), which means:
-#
-#   * Two concurrent runs both try to bind their `-p 15432:5432` /
-#     `-p 16379:6379` host ports — the second postgres/redis FATALs
-#     with `Address in use` and `docker run` returns exit 125 with
-#     `Conflict. The container name "/molecule-ci-postgres" is already
-#     in use by container ...`. Verified in run a7/2727 on 2026-05-07.
-#   * The fixed container names `molecule-ci-postgres` / `-redis` (the
-#     pre-fix shape) collide on name AS WELL AS port. The cleanup-with-
-#     `docker rm -f` at the start of the second job KILLS the first
-#     job's still-running postgres/redis.
-#
-# Fix shape (mirrors PR #98's bridge-net pattern, adapted because
-# platform-server is a Go binary on the host, not a containerised
-# step):
-#
-#   1. Unique container names per run:
-#         pg-e2e-api-${RUN_ID}-${RUN_ATTEMPT}
-#         redis-e2e-api-${RUN_ID}-${RUN_ATTEMPT}
-#      `${RUN_ID}-${RUN_ATTEMPT}` is unique even across reruns of the
-#      same run_id.
-#   2. Ephemeral host port per run (`-p 0:5432`), then read the actual
-#      bound port via `docker port` and export DATABASE_URL/REDIS_URL
-#      pointing at it. No fixed host-port → no port collision.
-#   3. `127.0.0.1` (NOT `localhost`) in URLs — IPv6 first-resolve was
-#      the original flake fixed in #92 and the script's still IPv6-
-#      enabled.
-#   4. `if: always()` cleanup so containers don't leak when test steps
-#      fail.
-#
-# Issue #94 items #2 + #3 (also fixed here):
-#   * Pre-pull `alpine:latest` so the platform-server's provisioner
-#     (`internal/handlers/container_files.go`) can stand up its
-#     ephemeral token-write helper without a daemon.io round-trip.
-#   * Create `molecule-core-net` bridge network if missing so the
-#     provisioner's container.HostConfig {NetworkMode: ...} attach
-#     succeeds.
-# Item #1 (timeouts) — evidence on recent runs (77/3191, ae/4270, 0e/
-# 2318) shows Postgres ready in 3s, Redis in 1s, Platform in 1s when
-# they DO come up. Timeouts are not the bottleneck; not bumped.
-#
-# Item explicitly NOT fixed here: failing test `Status back online`
-# fails because the platform's langgraph workspace template image
-# (ghcr.io/molecule-ai/workspace-template-langgraph:latest) returns
-# 403 Forbidden post-2026-05-06 GitHub org suspension. That is a
-# template-registry resolution issue (ADR-002 / local-build mode) and
-# belongs in a separate change that touches workspace-server, not
-# this workflow file.
-
-on:
-  push:
-    branches: [main, staging]
-  pull_request:
-    branches: [main, staging]
-  workflow_dispatch:
-
-concurrency:
-  # Per-SHA grouping (changed 2026-04-28 from per-ref). Per-ref had the
-  # same auto-promote-staging brittleness as e2e-staging-canvas — back-
-  # to-back staging pushes share refs/heads/staging, so the older push's
-  # queued run gets cancelled when a newer push lands. Auto-promote-
-  # staging then sees `completed/cancelled` for the older SHA and stays
-  # put; the newer SHA's gates may eventually save the day, but if the
-  # newer push gets cancelled too, we deadlock.
-  #
-  # See e2e-staging-canvas.yml's identical concurrency block for the full
-  # rationale and the 2026-04-28 incident reference.
-  group: e2e-api-${{ github.event.pull_request.head.sha || github.sha }}
-  cancel-in-progress: false
-
-jobs:
-  detect-changes:
-    runs-on: ubuntu-latest
-    outputs:
-      api: ${{ steps.decide.outputs.api }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
-        id: filter
-        with:
-          filters: |
-            api:
-              - 'workspace-server/**'
-              - 'tests/e2e/**'
-              - '.github/workflows/e2e-api.yml'
-      - id: decide
-        # Always run real work for manual dispatch — no diff context to
-        # filter against and ops dispatching this expects the suite to
-        # actually exercise the platform.
-        run: |
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            echo "api=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "api=${{ steps.filter.outputs.api }}" >> "$GITHUB_OUTPUT"
-          fi
-
-  # ONE job (no job-level `if:`) that always runs and reports under the
-  # required-check name `E2E API Smoke Test`. Real work is gated per-step
-  # on `needs.detect-changes.outputs.api`. Reason: GitHub registers a
-  # check run for every job that matches `name:`, and a job-level
-  # `if: false` produces a SKIPPED check run. Branch protection treats
-  # all check runs with a matching context name on the latest commit as a
-  # SET — any SKIPPED in the set fails the required-check eval, even with
-  # SUCCESS siblings. Verified 2026-04-29 on PR #2264 (staging→main):
-  # 4 check runs (2 SKIPPED + 2 SUCCESS) at the head SHA blocked
-  # promotion despite all real work succeeding. Collapsing to a single
-  # always-running job with conditional steps emits exactly one SUCCESS
-  # check run regardless of paths filter — branch-protection-clean.
-  e2e-api:
-    needs: detect-changes
-    name: E2E API Smoke Test
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    env:
-      # Unique per-run container names so concurrent runs on the host-
-      # network act_runner don't collide on name OR port.
-      # `${RUN_ID}-${RUN_ATTEMPT}` stays unique across reruns of the
-      # same run_id. PORT is set later (after docker port lookup) since
-      # we let Docker assign an ephemeral host port.
-      PG_CONTAINER: pg-e2e-api-${{ github.run_id }}-${{ github.run_attempt }}
-      REDIS_CONTAINER: redis-e2e-api-${{ github.run_id }}-${{ github.run_attempt }}
-      PORT: "8080"
-    steps:
-      - name: No-op pass (paths filter excluded this commit)
-        if: needs.detect-changes.outputs.api != 'true'
-        run: |
-          echo "No workspace-server / tests/e2e / workflow changes — E2E API gate satisfied without running tests."
-          echo "::notice::E2E API Smoke Test no-op pass (paths filter excluded this commit)."
-      - if: needs.detect-changes.outputs.api == 'true'
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - if: needs.detect-changes.outputs.api == 'true'
-        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
-        with:
-          go-version: 'stable'
-          cache: true
-          cache-dependency-path: workspace-server/go.sum
-      - name: Pre-pull alpine + ensure provisioner network (Issue #94 items #2 + #3)
-        if: needs.detect-changes.outputs.api == 'true'
-        run: |
-          # Provisioner uses alpine:latest for ephemeral token-write
-          # containers (workspace-server/internal/handlers/container_files.go).
-          # Pre-pull so the first provision in test_api.sh doesn't race
-          # the daemon's pull cache. Idempotent — `docker pull` is a no-op
-          # when the image is already present.
-          docker pull alpine:latest >/dev/null
-          # Provisioner attaches workspace containers to
-          # molecule-core-net (workspace-server/internal/provisioner/
-          # provisioner.go::DefaultNetwork). The bridge already exists on
-          # the operator host's docker daemon — `network create` is
-          # idempotent via `|| true`.
-          docker network create molecule-core-net >/dev/null 2>&1 || true
-          echo "alpine:latest pre-pulled; molecule-core-net ensured."
-      - name: Start Postgres (docker)
-        if: needs.detect-changes.outputs.api == 'true'
-        run: |
-          # Defensive cleanup — only matches THIS run's container name,
-          # so it cannot kill a sibling run's postgres. (Pre-fix the
-          # name was static and this rm hit other runs' containers.)
-          docker rm -f "$PG_CONTAINER" 2>/dev/null || true
-          # `-p 0:5432` requests an ephemeral host port; we read it back
-          # below and export DATABASE_URL.
-          docker run -d --name "$PG_CONTAINER" \
-            -e POSTGRES_USER=dev -e POSTGRES_PASSWORD=dev -e POSTGRES_DB=molecule \
-            -p 0:5432 postgres:16 >/dev/null
-          # Resolve the host-side port assignment. `docker port` prints
-          # `0.0.0.0:NNNN` (and on host-net runners may also print an
-          # IPv6 line — take the first IPv4 line).
-          PG_PORT=$(docker port "$PG_CONTAINER" 5432/tcp | awk -F: '/^0\.0\.0\.0:/ {print $2; exit}')
-          if [ -z "$PG_PORT" ]; then
-            # Fallback: any first line. Some Docker versions print only
-            # one line.
-            PG_PORT=$(docker port "$PG_CONTAINER" 5432/tcp | head -1 | awk -F: '{print $NF}')
-          fi
-          if [ -z "$PG_PORT" ]; then
-            echo "::error::Could not resolve host port for $PG_CONTAINER"
-            docker port "$PG_CONTAINER" 5432/tcp || true
-            docker logs "$PG_CONTAINER" || true
-            exit 1
-          fi
-          # 127.0.0.1 (NOT localhost) — IPv6 first-resolve flake (#92).
-          echo "PG_PORT=${PG_PORT}" >> "$GITHUB_ENV"
-          echo "DATABASE_URL=postgres://dev:dev@127.0.0.1:${PG_PORT}/molecule?sslmode=disable" >> "$GITHUB_ENV"
-          echo "Postgres host port: ${PG_PORT}"
-          for i in $(seq 1 30); do
-            if docker exec "$PG_CONTAINER" pg_isready -U dev >/dev/null 2>&1; then
-              echo "Postgres ready after ${i}s"
-              exit 0
-            fi
-            sleep 1
-          done
-          echo "::error::Postgres did not become ready in 30s"
-          docker logs "$PG_CONTAINER" || true
-          exit 1
-      - name: Start Redis (docker)
-        if: needs.detect-changes.outputs.api == 'true'
-        run: |
-          docker rm -f "$REDIS_CONTAINER" 2>/dev/null || true
-          docker run -d --name "$REDIS_CONTAINER" -p 0:6379 redis:7 >/dev/null
-          REDIS_PORT=$(docker port "$REDIS_CONTAINER" 6379/tcp | awk -F: '/^0\.0\.0\.0:/ {print $2; exit}')
-          if [ -z "$REDIS_PORT" ]; then
-            REDIS_PORT=$(docker port "$REDIS_CONTAINER" 6379/tcp | head -1 | awk -F: '{print $NF}')
-          fi
-          if [ -z "$REDIS_PORT" ]; then
-            echo "::error::Could not resolve host port for $REDIS_CONTAINER"
-            docker port "$REDIS_CONTAINER" 6379/tcp || true
-            docker logs "$REDIS_CONTAINER" || true
-            exit 1
-          fi
-          echo "REDIS_PORT=${REDIS_PORT}" >> "$GITHUB_ENV"
-          echo "REDIS_URL=redis://127.0.0.1:${REDIS_PORT}" >> "$GITHUB_ENV"
-          echo "Redis host port: ${REDIS_PORT}"
-          for i in $(seq 1 15); do
-            if docker exec "$REDIS_CONTAINER" redis-cli ping 2>/dev/null | grep -q PONG; then
-              echo "Redis ready after ${i}s"
-              exit 0
-            fi
-            sleep 1
-          done
-          echo "::error::Redis did not become ready in 15s"
-          docker logs "$REDIS_CONTAINER" || true
-          exit 1
-      - name: Build platform
-        if: needs.detect-changes.outputs.api == 'true'
-        working-directory: workspace-server
-        run: go build -o platform-server ./cmd/server
-      - name: Start platform (background)
-        if: needs.detect-changes.outputs.api == 'true'
-        working-directory: workspace-server
-        run: |
-          # DATABASE_URL + REDIS_URL exported by the start-postgres /
-          # start-redis steps point at this run's per-run host ports.
-          ./platform-server > platform.log 2>&1 &
-          echo $! > platform.pid
-      - name: Wait for /health
-        if: needs.detect-changes.outputs.api == 'true'
-        run: |
-          for i in $(seq 1 30); do
-            if curl -sf http://127.0.0.1:8080/health > /dev/null; then
-              echo "Platform up after ${i}s"
-              exit 0
-            fi
-            sleep 1
-          done
-          echo "::error::Platform did not become healthy in 30s"
-          cat workspace-server/platform.log || true
-          exit 1
-      - name: Assert migrations applied
-        if: needs.detect-changes.outputs.api == 'true'
-        run: |
-          tables=$(docker exec "$PG_CONTAINER" psql -U dev -d molecule -tAc "SELECT count(*) FROM information_schema.tables WHERE table_schema='public' AND table_name='workspaces'")
-          if [ "$tables" != "1" ]; then
-            echo "::error::Migrations did not apply"
-            cat workspace-server/platform.log || true
-            exit 1
-          fi
-          echo "Migrations OK"
-      - name: Run E2E API tests
-        if: needs.detect-changes.outputs.api == 'true'
-        run: bash tests/e2e/test_api.sh
-      - name: Run notify-with-attachments E2E
-        if: needs.detect-changes.outputs.api == 'true'
-        run: bash tests/e2e/test_notify_attachments_e2e.sh
-      - name: Run priority-runtimes E2E (claude-code + hermes — skips when keys absent)
-        if: needs.detect-changes.outputs.api == 'true'
-        run: bash tests/e2e/test_priority_runtimes_e2e.sh
-      - name: Run poll-mode + since_id cursor E2E (#2339)
-        if: needs.detect-changes.outputs.api == 'true'
-        run: bash tests/e2e/test_poll_mode_e2e.sh
-      - name: Run poll-mode chat upload E2E (RFC #2891)
-        if: needs.detect-changes.outputs.api == 'true'
-        run: bash tests/e2e/test_poll_mode_chat_upload_e2e.sh
-      - name: Dump platform log on failure
-        if: failure() && needs.detect-changes.outputs.api == 'true'
-        run: cat workspace-server/platform.log || true
-      - name: Stop platform
-        if: always() && needs.detect-changes.outputs.api == 'true'
-        run: |
-          if [ -f workspace-server/platform.pid ]; then
-            kill "$(cat workspace-server/platform.pid)" 2>/dev/null || true
-          fi
-      - name: Stop service containers
-        # always() so containers don't leak when test steps fail. The
-        # cleanup is best-effort: if the container is already gone
-        # (e.g. concurrent rerun race), don't fail the job.
-        if: always() && needs.detect-changes.outputs.api == 'true'
-        run: |
-          docker rm -f "$PG_CONTAINER" 2>/dev/null || true
-          docker rm -f "$REDIS_CONTAINER" 2>/dev/null || true
@@ -1,216 +0,0 @@
-name: E2E Staging Canvas (Playwright)
-
-# Playwright test suite that provisions a fresh staging org per run and
-# verifies every workspace-panel tab renders without crashing. Complements
-# e2e-staging-saas.yml (which tests the API shape) by exercising the
-# actual browser + canvas bundle against live staging.
-#
-# Triggers: push to main/staging or PR touching canvas sources + this workflow,
-# manual dispatch, and weekly cron to catch browser/runtime drift even
-# when canvas is quiet.
-# Added staging to push/pull_request branches so the auto-promote gate
-# check (--event push --branch staging) can see a completed run for this
-# workflow — mirrors what PR #1891 does for e2e-api.yml.
-
-on:
-  # Trigger model (revised 2026-04-29):
-  #
-  # Always fires on push/pull_request; real work is gated per-step on
-  # `needs.detect-changes.outputs.canvas`. When canvas/ paths haven't
-  # changed, the no-op step alone runs and emits SUCCESS for the
-  # `Canvas tabs E2E` check, satisfying branch protection without
-  # spending CI cycles. See e2e-api.yml for the rationale on why this
-  # is a single job rather than two-jobs-sharing-name.
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-  workflow_dispatch:
-  schedule:
-    # Weekly on Sunday 08:00 UTC — catches Chrome / Playwright / Next.js
-    # release-note-shaped regressions that don't ride in with a PR.
-    - cron: '0 8 * * 0'
-
-concurrency:
-  # Per-SHA grouping (changed 2026-04-28 from a single global group). The
-  # global group made auto-promote-staging brittle: when a staging push
-  # queued behind an in-flight run and a third entrant (a PR run, a
-  # follow-on push) entered the group, the staging push got cancelled —
-  # leaving auto-promote-staging looking at `completed/cancelled` for a
-  # required gate and refusing to advance main. Observed 2026-04-28
-  # 23:51-23:53 on staging tip 3f99fede.
-  #
-  # The original intent of the global group was to throttle parallel
-  # E2E provisions (each spins a fresh EC2). At our scale that throttle
-  # isn't worth the correctness cost — fresh-org-per-run isolates the
-  # state, and the cost of two parallel runs (~$0.001/min × 10min × 2)
-  # is rounding error vs. the cost of a stuck pipeline.
-  #
-  # Per-SHA still dedupes accidental double-triggers for the SAME SHA.
-  # It does NOT cancel obsolete-PR-version runs on force-push; that
-  # wasted CI is acceptable given the alternative is losing staging-tip
-  # data that auto-promote-staging needs.
-  group: e2e-staging-canvas-${{ github.event.pull_request.head.sha || github.sha }}
-  cancel-in-progress: false
-
-jobs:
-  detect-changes:
-    runs-on: ubuntu-latest
-    outputs:
-      canvas: ${{ steps.decide.outputs.canvas }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
-        id: filter
-        with:
-          filters: |
-            canvas:
-              - 'canvas/**'
-              - '.github/workflows/e2e-staging-canvas.yml'
-      - id: decide
-        # Always run real tests for manual dispatch and the weekly cron —
-        # both exist precisely to exercise the suite, regardless of diff.
-        run: |
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ] || [ "${{ github.event_name }}" = "schedule" ]; then
-            echo "canvas=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "canvas=${{ steps.filter.outputs.canvas }}" >> "$GITHUB_OUTPUT"
-          fi
-
-  # ONE job (no job-level `if:`) that always runs and reports under the
-  # required-check name `Canvas tabs E2E`. Real work is gated per-step on
-  # `needs.detect-changes.outputs.canvas`. See e2e-api.yml for the full
-  # rationale — same path-filter check-name parity issue blocked PR #2264
-  # (staging→main) on 2026-04-29 because branch protection treats matching-
-  # name check runs as a SET, and any SKIPPED member fails the eval.
-  playwright:
-    needs: detect-changes
-    name: Canvas tabs E2E
-    runs-on: ubuntu-latest
-    timeout-minutes: 40
-
-    env:
-      CANVAS_E2E_STAGING: '1'
-      MOLECULE_CP_URL: https://staging-api.moleculesai.app
-      MOLECULE_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
-
-    defaults:
-      run:
-        working-directory: canvas
-
-    steps:
-      - name: No-op pass (paths filter excluded this commit)
-        if: needs.detect-changes.outputs.canvas != 'true'
-        working-directory: .
-        run: |
-          echo "No canvas / workflow changes — E2E Staging Canvas gate satisfied without running tests."
-          echo "::notice::E2E Staging Canvas no-op pass (paths filter excluded this commit)."
-
-      - if: needs.detect-changes.outputs.canvas == 'true'
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - name: Verify admin token present
-        if: needs.detect-changes.outputs.canvas == 'true'
-        run: |
-          if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
-            echo "::error::Missing MOLECULE_STAGING_ADMIN_TOKEN"
-            exit 2
-          fi
-
-      - name: Set up Node
-        if: needs.detect-changes.outputs.canvas == 'true'
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
-        with:
-          node-version: '20'
-          cache: 'npm'
-          cache-dependency-path: canvas/package-lock.json
-
-      - name: Install canvas deps
-        if: needs.detect-changes.outputs.canvas == 'true'
-        run: npm ci
-
-      - name: Install Playwright browsers
-        if: needs.detect-changes.outputs.canvas == 'true'
-        timeout-minutes: 10
-        run: npx playwright install --with-deps chromium
-
-      - name: Run staging canvas E2E
-        if: needs.detect-changes.outputs.canvas == 'true'
-        run: npx playwright test --config=playwright.staging.config.ts
-
-      - name: Upload Playwright report on failure
-        if: failure() && needs.detect-changes.outputs.canvas == 'true'
-        # Pinned to v3 for Gitea act_runner v0.6 compatibility — v4+ uses
-        # the GHES 3.10+ artifact protocol that Gitea 1.22.x does NOT
-        # implement (see ci.yml upload step for the canonical error
-        # cite). Drop this pin when Gitea ships the v4 protocol.
-        uses: actions/upload-artifact@c6a366c94c3e0affe28c06c8df20a878f24da3cf # v3.2.2
-        with:
-          name: playwright-report-staging
-          path: canvas/playwright-report-staging/
-          retention-days: 14
-
-      - name: Upload screenshots on failure
-        if: failure() && needs.detect-changes.outputs.canvas == 'true'
-        # Pinned to v3 for Gitea act_runner v0.6 compatibility (see above).
-        uses: actions/upload-artifact@c6a366c94c3e0affe28c06c8df20a878f24da3cf # v3.2.2
-        with:
-          name: playwright-screenshots
-          path: canvas/test-results/
-          retention-days: 14
-
-      # Safety-net teardown — fires only when Playwright's globalTeardown
-      # didn't (worker crash, runner cancel). Reads the slug from
-      # canvas/.playwright-staging-state.json (written by staging-setup
-      # as its first action, before any CP call) and deletes only that
-      # slug.
-      #
-      # Earlier versions of this step pattern-swept `e2e-canvas-<today>-*`
-      # orgs to compensate for setup-crash-before-state-file-write. That
-      # over-aggressive cleanup raced concurrent canvas-E2E runs and
-      # poisoned each other's tenants — observed 2026-04-30 when three
-      # real-test runs killed each other mid-test, surfacing as
-      # `getaddrinfo ENOTFOUND` once CP had cleaned up the just-deleted
-      # DNS record. Pattern-sweep removed; setup now writes the state
-      # file before any CP work, so the slug is always recoverable.
-      - name: Teardown safety net
-        if: always() && needs.detect-changes.outputs.canvas == 'true'
-        env:
-          ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
-        run: |
-          set +e
-          STATE_FILE=".playwright-staging-state.json"
-          if [ ! -f "$STATE_FILE" ]; then
-            echo "::notice::No state file at canvas/$STATE_FILE — Playwright globalTeardown handled it (or setup never ran)."
-            exit 0
-          fi
-          slug=$(python3 -c "import json; print(json.load(open('$STATE_FILE')).get('slug',''))")
-          if [ -z "$slug" ]; then
-            echo "::warning::State file present but slug missing; nothing to clean up."
-            exit 0
-          fi
-          echo "Deleting orphan tenant: $slug"
-          # Verify HTTP 2xx instead of `>/dev/null || true` swallowing
-          # failures. A 5xx or timeout previously looked identical to
-          # success, leaving the tenant alive for up to ~45 min until
-          # sweep-stale-e2e-orgs caught it. Surface failures as
-          # workflow warnings naming the slug. Don't `exit 1` — a single
-          # cleanup miss shouldn't fail-flag the canvas test when the
-          # actual smoke check passed; the sweeper is the safety net.
-          # See molecule-controlplane#420.
-          # Tempfile-routed -w + set +e/-e prevents curl-exit-code
-          # pollution of the captured status (lint-curl-status-capture.yml).
-          set +e
-          curl -sS -o /tmp/canvas-cleanup.out -w "%{http_code}" \
-            -X DELETE "$MOLECULE_CP_URL/cp/admin/tenants/$slug" \
-            -H "Authorization: Bearer $ADMIN_TOKEN" \
-            -H "Content-Type: application/json" \
-            -d "{\"confirm\":\"$slug\"}" >/tmp/canvas-cleanup.code
-          set -e
-          code=$(cat /tmp/canvas-cleanup.code 2>/dev/null || echo "000")
-          if [ "$code" = "200" ] || [ "$code" = "204" ]; then
-            echo "[teardown] deleted $slug (HTTP $code)"
-          else
-            echo "::warning::canvas teardown for $slug returned HTTP $code — sweep-stale-e2e-orgs will catch it within ~45 min. Body: $(head -c 300 /tmp/canvas-cleanup.out 2>/dev/null)"
-          fi
-          exit 0
@@ -1,184 +0,0 @@
-name: E2E Staging External Runtime
-
-# Regression for the four/five workspaces.status=awaiting_agent transitions
-# that silently failed in production for five days before migration 046
-# extended the workspace_status enum (see
-# workspace-server/migrations/046_workspace_status_awaiting_agent.up.sql).
-#
-# Why this is its own workflow (not folded into e2e-staging-saas.yml):
-#   - The full-saas harness defaults to runtime=hermes, never exercises
-#     external-runtime. Adding an `external` parameter to that script
-#     would force every push to staging through both lifecycles in
-#     series, doubling the EC2 cold-start budget.
-#   - The external lifecycle has unique timing (REMOTE_LIVENESS_STALE_AFTER
-#     window, 90s default + sweep interval), which we wait through
-#     deliberately. Folding it into hermes would make the long path
-#     even longer.
-#   - It can run in parallel with the hermes E2E since both create
-#     fresh tenant orgs with distinct slug prefixes (`e2e-ext-...` vs
-#     `e2e-...`).
-#
-# Triggers:
-#   - Push to staging when any source affecting external runtime,
-#     hibernation, or the migration set changes.
-#   - PR review for the same set.
-#   - Manual workflow_dispatch.
-#   - Daily cron at 07:30 UTC (catches drift on quiet days; staggered
-#     30 min after e2e-staging-saas.yml's 07:00 UTC cron).
-#
-# Concurrency: serialized so two staging pushes don't fight for the
-# same EC2 quota window. cancel-in-progress=false so a half-rolled
-# tenant always finishes its teardown.
-
-on:
-  push:
-    branches: [main]
-    paths:
-      - 'workspace-server/internal/handlers/workspace.go'
-      - 'workspace-server/internal/handlers/registry.go'
-      - 'workspace-server/internal/handlers/workspace_restart.go'
-      - 'workspace-server/internal/registry/healthsweep.go'
-      - 'workspace-server/internal/registry/liveness.go'
-      - 'workspace-server/migrations/**'
-      - 'workspace-server/internal/db/workspace_status_enum_drift_test.go'
-      - 'tests/e2e/test_staging_external_runtime.sh'
-      - '.github/workflows/e2e-staging-external.yml'
-  pull_request:
-    branches: [main]
-    paths:
-      - 'workspace-server/internal/handlers/workspace.go'
-      - 'workspace-server/internal/handlers/registry.go'
-      - 'workspace-server/internal/handlers/workspace_restart.go'
-      - 'workspace-server/internal/registry/healthsweep.go'
-      - 'workspace-server/internal/registry/liveness.go'
-      - 'workspace-server/migrations/**'
-      - 'workspace-server/internal/db/workspace_status_enum_drift_test.go'
-      - 'tests/e2e/test_staging_external_runtime.sh'
-      - '.github/workflows/e2e-staging-external.yml'
-  workflow_dispatch:
-    inputs:
-      keep_org:
-        description: "Skip teardown for debugging (only via manual dispatch)"
-        required: false
-        type: boolean
-        default: false
-      stale_wait_secs:
-        description: "Seconds to wait for the heartbeat-staleness sweep (default 180 = 90s window + 90s buffer)"
-        required: false
-        default: "180"
-  schedule:
-    - cron: '30 7 * * *'
-
-concurrency:
-  group: e2e-staging-external
-  cancel-in-progress: false
-
-permissions:
-  contents: read
-
-jobs:
-  e2e-staging-external:
-    name: E2E Staging External Runtime
-    runs-on: ubuntu-latest
-    timeout-minutes: 25
-
-    env:
-      MOLECULE_CP_URL: https://staging-api.moleculesai.app
-      MOLECULE_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
-      E2E_RUN_ID: "${{ github.run_id }}-${{ github.run_attempt }}"
-      E2E_KEEP_ORG: ${{ github.event.inputs.keep_org && '1' || '0' }}
-      E2E_STALE_WAIT_SECS: ${{ github.event.inputs.stale_wait_secs || '180' }}
-
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - name: Verify admin token present
-        run: |
-          if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
-            # Schedule + push triggers must hard-fail when the token is
-            # missing — silent skip would mask infra rot. Manual dispatch
-            # gets the same hard-fail; an operator running this on a fork
-            # without secrets configured needs to know up-front.
-            echo "::error::MOLECULE_STAGING_ADMIN_TOKEN secret not set (Railway staging CP_ADMIN_API_TOKEN)"
-            exit 2
-          fi
-          echo "Admin token present ✓"
-
-      - name: CP staging health preflight
-        run: |
-          code=$(curl -sS -o /dev/null -w "%{http_code}" --max-time 10 "$MOLECULE_CP_URL/health")
-          if [ "$code" != "200" ]; then
-            echo "::error::Staging CP unhealthy (got HTTP $code). Skipping — not a workspace bug."
-            exit 1
-          fi
-          echo "Staging CP healthy ✓"
-
-      - name: Run external-runtime E2E
-        id: e2e
-        run: bash tests/e2e/test_staging_external_runtime.sh
-
-      # Mirror the e2e-staging-saas.yml safety net: if the runner is
-      # cancelled (e.g. concurrent staging push), the test script's
-      # EXIT trap may not fire, so we sweep e2e-ext-* slugs scoped to
-      # *this* run id.
-      - name: Teardown safety net (runs on cancel/failure)
-        if: always()
-        env:
-          ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
-        run: |
-          set +e
-          orgs=$(curl -sS "$MOLECULE_CP_URL/cp/admin/orgs" \
-            -H "Authorization: Bearer $ADMIN_TOKEN" 2>/dev/null \
-            | python3 -c "
-          import json, sys, os, datetime
-          run_id = os.environ.get('GITHUB_RUN_ID', '')
-          d = json.load(sys.stdin)
-          # Scope STRICTLY to this run id (e2e-ext-YYYYMMDD-<runid>-...)
-          # so concurrent runs and unrelated dev probes are not touched.
-          # Sweep today AND yesterday so a midnight-crossing run still
-          # cleans up its own slug.
-          today = datetime.date.today()
-          yesterday = today - datetime.timedelta(days=1)
-          dates = (today.strftime('%Y%m%d'), yesterday.strftime('%Y%m%d'))
-          if not run_id:
-              # Without a run id we cannot scope safely; bail rather
-              # than risk deleting unrelated tenants.
-              sys.exit(0)
-          prefixes = tuple(f'e2e-ext-{d}-{run_id}-' for d in dates)
-          for o in d.get('orgs', []):
-              s = o.get('slug', '')
-              if s.startswith(prefixes) and o.get('status') != 'purged':
-                  print(s)
-          " 2>/dev/null)
-          if [ -n "$orgs" ]; then
-            echo "Safety-net sweep: deleting leftover orgs:"
-            echo "$orgs"
-            # Per-slug verified DELETE — see molecule-controlplane#420.
-            # `>/dev/null 2>&1` previously hid every failure; surface
-            # non-2xx as workflow warnings so the run page names what
-            # leaked. Sweeper catches the rest within ~45 min.
-            leaks=()
-            for slug in $orgs; do
-              # Tempfile-routed -w + set +e/-e prevents curl-exit-code
-              # pollution of the captured status (lint-curl-status-capture.yml).
-              set +e
-              curl -sS -o /tmp/external-cleanup.out -w "%{http_code}" \
-                -X DELETE "$MOLECULE_CP_URL/cp/admin/tenants/$slug" \
-                -H "Authorization: Bearer $ADMIN_TOKEN" \
-                -H "Content-Type: application/json" \
-                -d "{\"confirm\":\"$slug\"}" >/tmp/external-cleanup.code
-              set -e
-              code=$(cat /tmp/external-cleanup.code 2>/dev/null || echo "000")
-              if [ "$code" = "200" ] || [ "$code" = "204" ]; then
-                echo "[teardown] deleted $slug (HTTP $code)"
-              else
-                echo "::warning::external teardown for $slug returned HTTP $code — sweep-stale-e2e-orgs will catch it within ~45 min. Body: $(head -c 300 /tmp/external-cleanup.out 2>/dev/null)"
-                leaks+=("$slug")
-              fi
-            done
-            if [ ${#leaks[@]} -gt 0 ]; then
-              echo "::warning::external teardown left ${#leaks[@]} leak(s): ${leaks[*]}"
-            fi
-          else
-            echo "Safety-net sweep: no leftover orgs to clean."
-          fi
@@ -1,246 +0,0 @@
-name: E2E Staging SaaS (full lifecycle)
-
-# Dedicated workflow that provisions a fresh staging org per run, exercises
-# the full workspace lifecycle (register → heartbeat → A2A → delegation →
-# HMA memory → activity → peers), then tears down and asserts leak-free.
-#
-# Why a separate workflow (not folded into ci.yml):
-#   - The run takes ~25-35 min (EC2 boot + cloudflared DNS + provision sweeps +
-#     agent bootstrap), way too slow for every PR.
-#   - Needs its own concurrency group so two pushes don't fight over the
-#     same staging org slug prefix.
-#   - Has its own required secrets (session cookie, admin token) that most
-#     PRs don't need to read.
-#
-# Triggers:
-#   - Push to main (regression guard)
-#   - workflow_dispatch (manual re-run from UI)
-#   - Nightly cron (catches drift even when no pushes land)
-#   - Changes to any provisioning-critical file under PR review (opt-in
-#     via the same paths watcher that e2e-api.yml uses)
-
-on:
-  # Trunk-based (Phase 3 of internal#81): main is the only branch.
-  # Previously this fired on staging push too because staging was a
-  # superset of main and ran the gate ahead of auto-promote; with no
-  # staging branch, main is where E2E gates the deploy.
-  push:
-    branches: [main]
-    paths:
-      - 'workspace-server/internal/handlers/registry.go'
-      - 'workspace-server/internal/handlers/workspace_provision.go'
-      - 'workspace-server/internal/handlers/a2a_proxy.go'
-      - 'workspace-server/internal/middleware/**'
-      - 'workspace-server/internal/provisioner/**'
-      - 'tests/e2e/test_staging_full_saas.sh'
-      - '.github/workflows/e2e-staging-saas.yml'
-  pull_request:
-    branches: [main]
-    paths:
-      - 'workspace-server/internal/handlers/registry.go'
-      - 'workspace-server/internal/handlers/workspace_provision.go'
-      - 'workspace-server/internal/handlers/a2a_proxy.go'
-      - 'workspace-server/internal/middleware/**'
-      - 'workspace-server/internal/provisioner/**'
-      - 'tests/e2e/test_staging_full_saas.sh'
-      - '.github/workflows/e2e-staging-saas.yml'
-  workflow_dispatch:
-    inputs:
-      runtime:
-        description: "Runtime to test (claude-code [default, MiniMax] | hermes [OpenAI] | langgraph [OpenAI])"
-        required: false
-        default: "claude-code"
-      keep_org:
-        description: "Skip teardown for debugging (only use via manual dispatch!)"
-        required: false
-        type: boolean
-        default: false
-  schedule:
-    # 07:00 UTC every day — catches AMI drift, WorkOS cert rotation,
-    # Cloudflare API regressions, etc. even on quiet days.
-    - cron: '0 7 * * *'
-
-# Serialize: staging has a finite per-hour org creation quota. Two pushes
-# landing in quick succession should queue, not race. `cancel-in-progress:
-# false` mirrors e2e-api.yml — GitHub would otherwise cancel the running
-# teardown step and leave orphan EC2s.
-concurrency:
-  group: e2e-staging-saas
-  cancel-in-progress: false
-
-jobs:
-  e2e-staging-saas:
-    name: E2E Staging SaaS
-    runs-on: ubuntu-latest
-    timeout-minutes: 45
-    permissions:
-      contents: read
-
-    env:
-      MOLECULE_CP_URL: https://staging-api.moleculesai.app
-      # Single admin-bearer secret drives provision + tenant-token
-      # retrieval + teardown. Configure in
-      # Settings → Secrets and variables → Actions → Repository secrets.
-      MOLECULE_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
-      # MiniMax is the PRIMARY LLM auth path post-2026-05-04. Switched
-      # from hermes+OpenAI default after #2578 (the staging OpenAI key
-      # account went over quota and stayed dead for 36+ hours, taking
-      # the full-lifecycle E2E red on every provisioning-critical push).
-      # claude-code template's `minimax` provider routes
-      # ANTHROPIC_BASE_URL to api.minimax.io/anthropic and reads
-      # MINIMAX_API_KEY at boot — separate billing account so an
-      # OpenAI quota collapse no longer wedges the gate. Mirrors the
-      # canary-staging.yml + continuous-synth-e2e.yml migrations.
-      E2E_MINIMAX_API_KEY: ${{ secrets.MOLECULE_STAGING_MINIMAX_API_KEY }}
-      # Direct-Anthropic alternative for operators who don't want to
-      # set up a MiniMax account (priority below MiniMax — first
-      # non-empty wins in test_staging_full_saas.sh's secrets-injection
-      # block). See #2578 PR comment for the rationale.
-      E2E_ANTHROPIC_API_KEY: ${{ secrets.MOLECULE_STAGING_ANTHROPIC_API_KEY }}
-      # OpenAI fallback — kept wired so an operator-dispatched run with
-      # E2E_RUNTIME=hermes or =langgraph via workflow_dispatch can still
-      # exercise the OpenAI path.
-      E2E_OPENAI_API_KEY: ${{ secrets.MOLECULE_STAGING_OPENAI_KEY }}
-      E2E_RUNTIME: ${{ github.event.inputs.runtime || 'claude-code' }}
-      # Pin the model when running on the default claude-code path —
-      # the per-runtime default ("sonnet") routes to direct Anthropic
-      # and defeats the cost saving. Operators can override via the
-      # workflow_dispatch flow (no input wired here yet — runtime
-      # override is enough for ad-hoc).
-      E2E_MODEL_SLUG: ${{ github.event.inputs.runtime == 'hermes' && 'openai/gpt-4o' || github.event.inputs.runtime == 'langgraph' && 'openai:gpt-4o' || 'MiniMax-M2.7-highspeed' }}
-      E2E_RUN_ID: "${{ github.run_id }}-${{ github.run_attempt }}"
-      E2E_KEEP_ORG: ${{ github.event.inputs.keep_org && '1' || '0' }}
-
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - name: Verify admin token present
-        run: |
-          if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
-            echo "::error::MOLECULE_STAGING_ADMIN_TOKEN secret not set (Railway staging CP_ADMIN_API_TOKEN)"
-            exit 2
-          fi
-          echo "Admin token present ✓"
-
-      - name: Verify LLM key present
-        run: |
-          # Per-runtime key check — claude-code uses MiniMax; hermes /
-          # langgraph (operator-dispatched only) use OpenAI. Hard-fail
-          # rather than soft-skip per #2578's lesson — empty key
-          # silently falls through to the wrong SECRETS_JSON branch and
-          # produces a confusing auth error 5 min later instead of the
-          # clean "secret missing" message at the top.
-          case "${E2E_RUNTIME}" in
-            claude-code)
-              # Either MiniMax OR direct-Anthropic works — first
-              # non-empty wins in the test script's secrets-injection
-              # priority chain.
-              if [ -n "${E2E_MINIMAX_API_KEY:-}" ]; then
-                required_secret_name="MOLECULE_STAGING_MINIMAX_API_KEY"
-                required_secret_value="${E2E_MINIMAX_API_KEY}"
-              elif [ -n "${E2E_ANTHROPIC_API_KEY:-}" ]; then
-                required_secret_name="MOLECULE_STAGING_ANTHROPIC_API_KEY"
-                required_secret_value="${E2E_ANTHROPIC_API_KEY}"
-              else
-                required_secret_name="MOLECULE_STAGING_MINIMAX_API_KEY or MOLECULE_STAGING_ANTHROPIC_API_KEY"
-                required_secret_value=""
-              fi
-              ;;
-            langgraph|hermes)
-              required_secret_name="MOLECULE_STAGING_OPENAI_KEY"
-              required_secret_value="${E2E_OPENAI_API_KEY:-}"
-              ;;
-            *)
-              echo "::warning::Unknown E2E_RUNTIME='${E2E_RUNTIME}' — skipping LLM-key check"
-              required_secret_name=""
-              required_secret_value="present"
-              ;;
-          esac
-          if [ -n "$required_secret_name" ] && [ -z "$required_secret_value" ]; then
-            echo "::error::${required_secret_name} secret not set for runtime=${E2E_RUNTIME} — workspaces will fail at boot with 'No provider API key found'"
-            exit 2
-          fi
-          echo "LLM key present ✓ (runtime=${E2E_RUNTIME}, key=${required_secret_name}, len=${#required_secret_value})"
-
-      - name: CP staging health preflight
-        run: |
-          code=$(curl -sS -o /dev/null -w "%{http_code}" --max-time 10 "$MOLECULE_CP_URL/health")
-          if [ "$code" != "200" ]; then
-            echo "::error::Staging CP unhealthy (got HTTP $code). Skipping — not a workspace bug."
-            exit 1
-          fi
-          echo "Staging CP healthy ✓"
-
-      - name: Run full-lifecycle E2E
-        id: e2e
-        run: bash tests/e2e/test_staging_full_saas.sh
-
-      # Belt-and-braces teardown: the test script itself installs a trap
-      # for EXIT/INT/TERM, but if the GH runner itself is cancelled (e.g.
-      # someone pushes a new commit and workflow concurrency is set to
-      # cancel), the trap may not fire. This `always()` step runs even on
-      # cancellation and attempts the delete a second time. The admin
-      # DELETE endpoint is idempotent so double-invoking is safe.
-      - name: Teardown safety net (runs on cancel/failure)
-        if: always()
-        env:
-          ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
-        run: |
-          # Best-effort: find any e2e-YYYYMMDD-* orgs matching this run and
-          # nuke them. Catches the case where the script died before
-          # exporting its slug.
-          set +e
-          orgs=$(curl -sS "$MOLECULE_CP_URL/cp/admin/orgs" \
-            -H "Authorization: Bearer $ADMIN_TOKEN" 2>/dev/null \
-            | python3 -c "
-          import json, sys, os, datetime
-          run_id = os.environ.get('GITHUB_RUN_ID', '')
-          d = json.load(sys.stdin)
-          # ONLY sweep slugs from *this* CI run. Previously the filter was
-          # f'e2e-{today}-' which stomped on parallel CI runs AND any manual
-          # E2E probes a dev was running against staging (incident 2026-04-21
-          # 15:02Z: this workflow's safety net deleted an unrelated manual
-          # run's tenant 1s after it hit 'running').
-          # Sweep both today AND yesterday's UTC dates so a run that crosses
-          # midnight still matches its own slug — see the 2026-04-26→27
-          # canvas-safety-net incident for the same bug class.
-          today = datetime.date.today()
-          yesterday = today - datetime.timedelta(days=1)
-          dates = (today.strftime('%Y%m%d'), yesterday.strftime('%Y%m%d'))
-          if run_id:
-              prefixes = tuple(f'e2e-{d}-{run_id}-' for d in dates)
-          else:
-              prefixes = tuple(f'e2e-{d}-' for d in dates)
-          candidates = [o['slug'] for o in d.get('orgs', [])
-                        if any(o.get('slug','').startswith(p) for p in prefixes)
-                        and o.get('instance_status') not in ('purged',)]
-          print('\n'.join(candidates))
-          " 2>/dev/null)
-          # Per-slug verified DELETE (was `>/dev/null || true` — see
-          # molecule-controlplane#420). Surface non-2xx as a workflow
-          # warning naming the leaked slug; don't exit 1 (sweeper is
-          # the safety net within ~45 min).
-          leaks=()
-          for slug in $orgs; do
-            echo "Safety-net teardown: $slug"
-            # Tempfile-routed -w + set +e/-e prevents curl-exit-code
-            # pollution of the captured status (lint-curl-status-capture.yml).
-            set +e
-            curl -sS -o /tmp/saas-cleanup.out -w "%{http_code}" \
-              -X DELETE "$MOLECULE_CP_URL/cp/admin/tenants/$slug" \
-              -H "Authorization: Bearer $ADMIN_TOKEN" \
-              -H "Content-Type: application/json" \
-              -d "{\"confirm\":\"$slug\"}" >/tmp/saas-cleanup.code
-            set -e
-            code=$(cat /tmp/saas-cleanup.code 2>/dev/null || echo "000")
-            if [ "$code" = "200" ] || [ "$code" = "204" ]; then
-              echo "[teardown] deleted $slug (HTTP $code)"
-            else
-              echo "::warning::saas teardown for $slug returned HTTP $code — sweep-stale-e2e-orgs will catch it within ~45 min. Body: $(head -c 300 /tmp/saas-cleanup.out 2>/dev/null)"
-              leaks+=("$slug")
-            fi
-          done
-          if [ ${#leaks[@]} -gt 0 ]; then
-            echo "::warning::saas teardown left ${#leaks[@]} leak(s): ${leaks[*]}"
-          fi
-          exit 0
@@ -1,171 +0,0 @@
-name: E2E Staging Sanity (leak-detection self-check)
-
-# Periodic assertion that the teardown safety nets in e2e-staging-saas
-# and canary-staging actually work. Runs the E2E harness with
-# E2E_INTENTIONAL_FAILURE=1, which poisons the tenant admin token after
-# the org is provisioned. The workspace-provision step then fails, the
-# script exits non-zero, and the EXIT trap + workflow always()-step
-# must still tear down cleanly.
-#
-# A green run means:
-#   - The script exited non-zero (intentional failure caught)
-#   - The trap fired teardown
-#   - The leak-detection poll found zero orphan orgs
-#
-# A red run means the teardown path itself is broken — act on this the
-# same way you'd act on a canary failure (the whole E2E safety net is
-# compromised until it's fixed).
-#
-# Cadence: once a week, Monday 06:00 UTC. Drift-slow, not per-PR — the
-# teardown path rarely changes, and a weekly heartbeat is enough to
-# catch silent regressions in cleanup code paths.
-
-on:
-  schedule:
-    - cron: '0 6 * * 1'
-  workflow_dispatch:
-
-concurrency:
-  # Shares the group with canary + full so they don't collide on
-  # staging org-create quota.
-  group: e2e-staging-sanity
-  cancel-in-progress: false
-
-permissions:
-  issues: write
-  contents: read
-
-jobs:
-  sanity:
-    name: Intentional-failure teardown sanity
-    runs-on: ubuntu-latest
-    timeout-minutes: 20
-
-    env:
-      MOLECULE_CP_URL: https://staging-api.moleculesai.app
-      MOLECULE_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
-      E2E_MODE: canary            # lean lifecycle; we only need the org to exist
-      E2E_RUNTIME: hermes
-      E2E_RUN_ID: "sanity-${{ github.run_id }}"
-      E2E_INTENTIONAL_FAILURE: "1"
-
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - name: Verify admin token present
-        run: |
-          if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
-            echo "::error::MOLECULE_STAGING_ADMIN_TOKEN not set"
-            exit 2
-          fi
-
-      # Inverted assertion: the run MUST fail. If it passes, the
-      # E2E_INTENTIONAL_FAILURE path is broken (token not being
-      # poisoned correctly, or the harness silently recovered).
-      - name: Run harness — expecting exit !=0
-        id: harness
-        run: |
-          set +e
-          bash tests/e2e/test_staging_full_saas.sh
-          rc=$?
-          echo "harness_rc=$rc" >> "$GITHUB_OUTPUT"
-          # The only acceptable outcomes:
-          #   1 — harness failed mid-run, teardown ran, leak-check passed
-          #   (exit 4 means teardown left a leak — that's the real bug
-          #    this sanity check exists to catch)
-          if [ "$rc" = "1" ]; then
-            echo "✓ Harness failed as expected (rc=1); teardown trap ran, leak-check passed"
-            exit 0
-          elif [ "$rc" = "0" ]; then
-            echo "::error::Harness succeeded under E2E_INTENTIONAL_FAILURE=1 — the poisoning path is broken"
-            exit 1
-          elif [ "$rc" = "4" ]; then
-            echo "::error::LEAK DETECTED (rc=4) — teardown failed to clean up the org. Safety net broken."
-            exit 4
-          else
-            echo "::error::Unexpected rc=$rc — neither clean-failure nor leak. Investigate harness."
-            exit 1
-          fi
-
-      - name: Open issue if safety net is broken
-        if: failure()
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
-        with:
-          script: |
-            const title = "🚨 E2E teardown safety net broken";
-            const runURL = `https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`;
-            const body =
-              `The weekly sanity run (E2E_INTENTIONAL_FAILURE=1) did not exit ` +
-              `as expected. This means one of:\n` +
-              `  - poisoning didn't actually cause failure (test harness regression), OR\n` +
-              `  - teardown left an orphan org (leak detection caught a real bug)\n\n` +
-              `Run: ${runURL}\n\n` +
-              `This is higher priority than a canary failure — the whole ` +
-              `E2E safety net can't be trusted until this is resolved.`;
-
-            const { data: existing } = await github.rest.issues.listForRepo({
-              owner: context.repo.owner, repo: context.repo.repo,
-              state: 'open', labels: 'e2e-safety-net',
-            });
-            const match = existing.find(i => i.title === title);
-            if (match) {
-              await github.rest.issues.createComment({
-                owner: context.repo.owner, repo: context.repo.repo,
-                issue_number: match.number,
-                body: `Still broken. ${runURL}`,
-              });
-            } else {
-              await github.rest.issues.create({
-                owner: context.repo.owner, repo: context.repo.repo,
-                title, body,
-                labels: ['e2e-safety-net', 'bug', 'priority-high'],
-              });
-            }
-
-      # Belt-and-braces: if teardown left anything behind, nuke it here
-      # so we don't bleed staging quota. Different label from the
-      # always()-steps in the other workflows so sanity-only orgs get
-      # cleaned up by sanity runs.
-      - name: Teardown safety net
-        if: always()
-        env:
-          ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
-        run: |
-          set +e
-          orgs=$(curl -sS "$MOLECULE_CP_URL/cp/admin/orgs" \
-            -H "Authorization: Bearer $ADMIN_TOKEN" 2>/dev/null \
-            | python3 -c "
-          import json, sys
-          d = json.load(sys.stdin)
-          today = __import__('datetime').date.today().strftime('%Y%m%d')
-          candidates = [o['slug'] for o in d.get('orgs', [])
-                        if o.get('slug','').startswith(f'e2e-canary-{today}-sanity-')
-                        and o.get('status') not in ('purged',)]
-          print('\n'.join(candidates))
-          " 2>/dev/null)
-          # Per-slug verified DELETE — see molecule-controlplane#420.
-          # Failures surface as workflow warnings; the sweeper is the
-          # safety net within ~45 min.
-          leaks=()
-          for slug in $orgs; do
-            # Tempfile-routed -w + set +e/-e prevents curl-exit-code
-            # pollution of the captured status (lint-curl-status-capture.yml).
-            set +e
-            curl -sS -o /tmp/sanity-cleanup.out -w "%{http_code}" \
-              -X DELETE "$MOLECULE_CP_URL/cp/admin/tenants/$slug" \
-              -H "Authorization: Bearer $ADMIN_TOKEN" \
-              -H "Content-Type: application/json" \
-              -d "{\"confirm\":\"$slug\"}" >/tmp/sanity-cleanup.code
-            set -e
-            code=$(cat /tmp/sanity-cleanup.code 2>/dev/null || echo "000")
-            if [ "$code" = "200" ] || [ "$code" = "204" ]; then
-              echo "[teardown] deleted $slug (HTTP $code)"
-            else
-              echo "::warning::sanity teardown for $slug returned HTTP $code — sweep-stale-e2e-orgs will catch it within ~45 min. Body: $(head -c 300 /tmp/sanity-cleanup.out 2>/dev/null)"
-              leaks+=("$slug")
-            fi
-          done
-          if [ ${#leaks[@]} -gt 0 ]; then
-            echo "::warning::sanity teardown left ${#leaks[@]} leak(s): ${leaks[*]}"
-          fi
-          exit 0
@@ -1,252 +0,0 @@
-name: Handlers Postgres Integration
-
-# Real-Postgres integration tests for workspace-server/internal/handlers/.
-# Triggered on every PR/push that touches the handlers package.
-#
-# Why this workflow exists
-# ------------------------
-# Strict-sqlmock unit tests pin which SQL statements fire — they're fast
-# and let us iterate without a DB. But sqlmock CANNOT detect bugs that
-# depend on the row state AFTER the SQL runs. The result_preview-lost
-# bug shipped to staging in PR #2854 because every unit test was
-# satisfied with "an UPDATE statement fired" — none verified the row's
-# preview field actually landed. The local-postgres E2E that retrofit
-# self-review caught it took 2 minutes to set up and would have caught
-# the bug at PR-time.
-#
-# Why this workflow does NOT use `services: postgres:` (Class B fix)
-# ------------------------------------------------------------------
-# Our act_runner config has `container.network: host` (operator host
-# /opt/molecule/runners/config.yaml), which act_runner applies to BOTH
-# the job container AND every service container. With host-net, two
-# concurrent runs of this workflow both try to bind 0.0.0.0:5432 — the
-# second postgres FATALs with `could not create any TCP/IP sockets:
-# Address in use`, and Docker auto-removes it (act_runner sets
-# AutoRemove:true on service containers). By the time the migrations
-# step runs `psql`, the postgres container is gone, hence
-# `Connection refused` then `failed to remove container: No such
-# container` at cleanup time.
-#
-# Per-job `container.network` override is silently ignored by
-# act_runner — `--network and --net in the options will be ignored.`
-# appears in the runner log. Documented constraint.
-#
-# So we sidestep `services:` entirely. The job container still uses
-# host-net (inherited from runner config; required for cache server
-# discovery on the bridge IP 172.18.0.17:42631). We launch a sibling
-# postgres on the existing `molecule-core-net` bridge with a
-# UNIQUE name per run — `pg-handlers-${RUN_ID}-${RUN_ATTEMPT}` — and
-# read its bridge IP via `docker inspect`. A host-net job container
-# can reach a bridge-net container directly via the bridge IP (verified
-# manually on operator host 2026-05-08).
-#
-# Trade-offs vs. the original `services:` shape:
-#   + No host-port collision; N parallel runs share the bridge cleanly
-#   + `if: always()` cleanup runs even on test-step failure
-#   - One more step in the workflow (+~3 lines)
-#   - Requires `molecule-core-net` to exist on the operator host
-#     (it does; declared in docker-compose.yml + docker-compose.infra.yml)
-#
-# Class B Hongming-owned CICD red sweep, 2026-05-08.
-#
-# Cost: ~30s job (postgres pull from cache + go build + 4 tests).
-
-on:
-  push:
-    branches: [main, staging]
-  pull_request:
-    branches: [main, staging]
-  merge_group:
-    types: [checks_requested]
-  workflow_dispatch:
-
-concurrency:
-  group: handlers-pg-integ-${{ github.event.pull_request.head.sha || github.sha }}
-  cancel-in-progress: false
-
-jobs:
-  detect-changes:
-    name: detect-changes
-    runs-on: ubuntu-latest
-    outputs:
-      handlers: ${{ steps.filter.outputs.handlers }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
-        id: filter
-        with:
-          filters: |
-            handlers:
-              - 'workspace-server/internal/handlers/**'
-              - 'workspace-server/internal/wsauth/**'
-              - 'workspace-server/migrations/**'
-              - '.github/workflows/handlers-postgres-integration.yml'
-
-  # Single-job-with-per-step-if pattern: always runs to satisfy the
-  # required-check name on branch protection; real work gates on the
-  # paths filter. See ci.yml's Platform (Go) for the same shape.
-  integration:
-    name: Handlers Postgres Integration
-    needs: detect-changes
-    runs-on: ubuntu-latest
-    env:
-      # Unique name per run so concurrent jobs don't collide on the
-      # bridge network. ${RUN_ID}-${RUN_ATTEMPT} is unique even across
-      # workflow_dispatch reruns of the same run_id.
-      PG_NAME: pg-handlers-${{ github.run_id }}-${{ github.run_attempt }}
-      # Bridge network already exists on the operator host (declared
-      # in docker-compose.yml + docker-compose.infra.yml).
-      PG_NETWORK: molecule-core-net
-    defaults:
-      run:
-        working-directory: workspace-server
-    steps:
-      - if: needs.detect-changes.outputs.handlers != 'true'
-        working-directory: .
-        run: echo "No handlers/migrations changes — skipping; this job always runs to satisfy the required-check name."
-
-      - if: needs.detect-changes.outputs.handlers == 'true'
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - if: needs.detect-changes.outputs.handlers == 'true'
-        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
-        with:
-          go-version: 'stable'
-
-      - if: needs.detect-changes.outputs.handlers == 'true'
-        name: Start sibling Postgres on bridge network
-        working-directory: .
-        run: |
-          # Sanity: the bridge network must exist on the operator host.
-          # Hard-fail loud if it doesn't — easier to spot than a silent
-          # auto-create that diverges from the rest of the stack.
-          if ! docker network inspect "${PG_NETWORK}" >/dev/null 2>&1; then
-            echo "::error::Bridge network '${PG_NETWORK}' missing on operator host. Re-run docker-compose.infra.yml or check ops handbook."
-            exit 1
-          fi
-
-          # If a stale container with the same name exists (rerun on
-          # the same run_id), wipe it first.
-          docker rm -f "${PG_NAME}" >/dev/null 2>&1 || true
-
-          docker run -d \
-            --name "${PG_NAME}" \
-            --network "${PG_NETWORK}" \
-            --health-cmd "pg_isready -U postgres" \
-            --health-interval 5s \
-            --health-timeout 5s \
-            --health-retries 10 \
-            -e POSTGRES_PASSWORD=test \
-            -e POSTGRES_DB=molecule \
-            postgres:15-alpine >/dev/null
-
-          # Read back the bridge IP. Always present immediately after
-          # `docker run -d` for bridge networks.
-          PG_HOST=$(docker inspect "${PG_NAME}" \
-            --format "{{(index .NetworkSettings.Networks \"${PG_NETWORK}\").IPAddress}}")
-          if [ -z "${PG_HOST}" ]; then
-            echo "::error::Could not resolve PG_HOST for ${PG_NAME} on ${PG_NETWORK}"
-            docker logs "${PG_NAME}" || true
-            exit 1
-          fi
-          echo "PG_HOST=${PG_HOST}" >> "$GITHUB_ENV"
-          echo "INTEGRATION_DB_URL=postgres://postgres:test@${PG_HOST}:5432/molecule?sslmode=disable" >> "$GITHUB_ENV"
-          echo "Started ${PG_NAME} at ${PG_HOST}:5432"
-
-      - if: needs.detect-changes.outputs.handlers == 'true'
-        name: Apply migrations to Postgres service
-        env:
-          PGPASSWORD: test
-        run: |
-          # Wait for postgres to actually accept connections. Docker's
-          # health-cmd handles container-side readiness, but the wire
-          # to the bridge IP is best-tested with pg_isready directly.
-          for i in {1..15}; do
-            if pg_isready -h "${PG_HOST}" -p 5432 -U postgres -q; then break; fi
-            echo "waiting for postgres at ${PG_HOST}:5432..."; sleep 2
-          done
-
-          # Apply every .up.sql in lexicographic order with
-          # ON_ERROR_STOP=0 — failing migrations are SKIPPED rather than
-          # blocking the suite. This handles the current schema state
-          # where a few historical migrations (e.g. 017_memories_fts_*)
-          # depend on tables that were later renamed/dropped and so
-          # cannot replay from scratch. The migrations that DO succeed
-          # land their tables, which is sufficient for the integration
-          # tests in handlers/.
-          #
-          # Why not maintain a curated allowlist: every new migration
-          # touching a handlers/-tested table would have to update this
-          # workflow. With apply-all-or-skip, a future migration that
-          # adds a column to delegations runs automatically (its base
-          # table 049_delegations.up.sql already succeeded above it in
-          # the order). Operators only need to revisit this if the
-          # migration chain becomes legitimately replayable end-to-end.
-          #
-          # Per-migration result is logged so a failed migration that
-          # SHOULD have been replayable surfaces in the CI log instead
-          # of silently failing.
-          # Apply both *.sql (legacy, lives next to its module) and
-          # *.up.sql (newer up/down convention) in a single
-          # lexicographically-sorted pass. Excluding *.down.sql so the
-          # newest-naming-convention pairs don't undo themselves mid-run.
-          # Pre-#149-followup this loop only globbed *.up.sql, which
-          # silently skipped 001_workspaces.sql + 009_activity_logs.sql
-          # — fine while no integration test depended on those tables,
-          # not fine once a cross-table atomicity test came in.
-          set +e
-          for migration in $(ls migrations/*.sql 2>/dev/null | grep -v '\.down\.sql$' | sort); do
-            if psql -h "${PG_HOST}" -U postgres -d molecule -v ON_ERROR_STOP=1 \
-                  -f "$migration" >/dev/null 2>&1; then
-              echo "✓ $(basename "$migration")"
-            else
-              echo "⊘ $(basename "$migration") (skipped — see comment in workflow)"
-            fi
-          done
-          set -e
-
-          # Sanity: the delegations + workspaces + activity_logs tables
-          # MUST exist for the integration tests to be meaningful. Hard-
-          # fail if any didn't land — that would be a real regression we
-          # want loud.
-          for tbl in delegations workspaces activity_logs pending_uploads; do
-            if ! psql -h "${PG_HOST}" -U postgres -d molecule -tA \
-                -c "SELECT 1 FROM information_schema.tables WHERE table_name = '$tbl'" \
-                | grep -q 1; then
-              echo "::error::$tbl table missing after migration replay — handler integration tests would be meaningless"
-              exit 1
-            fi
-            echo "✓ $tbl table present"
-          done
-
-      - if: needs.detect-changes.outputs.handlers == 'true'
-        name: Run integration tests
-        run: |
-          # INTEGRATION_DB_URL is exported by the start-postgres step;
-          # points at the per-run bridge IP, not 127.0.0.1, so concurrent
-          # workflow runs don't fight over a host-net 5432 port.
-          go test -tags=integration -timeout 5m -v ./internal/handlers/ -run "^TestIntegration_"
-
-      - if: failure() && needs.detect-changes.outputs.handlers == 'true'
-        name: Diagnostic dump on failure
-        env:
-          PGPASSWORD: test
-        run: |
-          echo "::group::postgres container status"
-          docker ps -a --filter "name=${PG_NAME}" --format '{{.Status}} {{.Names}}' || true
-          docker logs "${PG_NAME}" 2>&1 | tail -50 || true
-          echo "::endgroup::"
-          echo "::group::delegations table state"
-          psql -h "${PG_HOST}" -U postgres -d molecule -c "SELECT * FROM delegations LIMIT 50;" || true
-          echo "::endgroup::"
-
-      - if: always() && needs.detect-changes.outputs.handlers == 'true'
-        name: Stop sibling Postgres
-        working-directory: .
-        run: |
-          # always() so containers don't leak when migrations or tests
-          # fail. The cleanup is best-effort: if the container is
-          # already gone (e.g. concurrent rerun race), don't fail the job.
-          docker rm -f "${PG_NAME}" >/dev/null 2>&1 || true
-          echo "Cleaned up ${PG_NAME}"
-
@@ -1,248 +0,0 @@
-name: Harness Replays
-
-# Boots tests/harness (production-shape compose topology with TenantGuard,
-# /cp/* proxy, canvas proxy, real production Dockerfile.tenant) and runs
-# every replay under tests/harness/replays/. Fails the PR if any replay
-# fails.
-#
-# Why this exists: 2026-04-30 we shipped #2398 which added /buildinfo as
-# a public route in router.go but forgot to add it to TenantGuard's
-# allowlist. The handler-level test in buildinfo_test.go constructed a
-# minimal gin engine without TenantGuard — green. The harness's
-# buildinfo-stale-image.sh replay would have caught it (cf-proxy doesn't
-# inject X-Molecule-Org-Id, so the curl path is identical to production's
-# redeploy verifier), but no one ran the harness pre-merge. The bug
-# shipped; the redeploy verifier silently soft-warned every tenant as
-# "unreachable" for ~1 day before being noticed.
-#
-# This gate makes "did you actually run the harness?" a CI invariant
-# instead of a memory-discipline thing.
-#
-# Trigger model — match e2e-api.yml: always FIRES on push/pull_request
-# to staging+main, real work is gated per-step on detect-changes output.
-# One job → one check run → branch-protection-clean (the SKIPPED-in-set
-# trap from PR #2264 is documented in e2e-api.yml's e2e-api job comment).
-
-on:
-  push:
-    branches: [main, staging]
-    paths:
-      - 'workspace-server/**'
-      - 'canvas/**'
-      - 'tests/harness/**'
-      - '.github/workflows/harness-replays.yml'
-  pull_request:
-    branches: [main, staging]
-    paths:
-      - 'workspace-server/**'
-      - 'canvas/**'
-      - 'tests/harness/**'
-      - '.github/workflows/harness-replays.yml'
-  workflow_dispatch:
-  merge_group:
-    types: [checks_requested]
-
-concurrency:
-  # Per-SHA grouping. Per-ref kept hitting the auto-promote-staging
-  # cancellation deadlock — see e2e-api.yml's concurrency block for
-  # the 2026-04-28 incident that codified this pattern.
-  group: harness-replays-${{ github.event.pull_request.head.sha || github.sha }}
-  cancel-in-progress: false
-
-jobs:
-  detect-changes:
-    runs-on: ubuntu-latest
-    outputs:
-      run: ${{ steps.decide.outputs.run }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - id: decide
-        run: |
-          # workflow_dispatch: always run (manual trigger)
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            echo "run=true" >> "$GITHUB_OUTPUT"
-            echo "debug=manual-trigger" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          # Determine the base commit to diff against.
-          # For pull_request: use base.sha (the merge-base with main/staging).
-          # For push: use github.event.before (the previous tip of the branch).
-          # Fallback for new branches (all-zeros SHA): run everything.
-          if [ "${{ github.event_name }}" = "pull_request" ] && \
-             [ -n "${{ github.event.pull_request.base.sha }}" ]; then
-            BASE="${{ github.event.pull_request.base.sha }}"
-          elif [ -n "${{ github.event.before }}" ] && \
-               ! echo "${{ github.event.before }}" | grep -qE '^0+$'; then
-            BASE="${{ github.event.before }}"
-          else
-            # New branch or github.event.before unavailable — run everything.
-            echo "run=true" >> "$GITHUB_OUTPUT"
-            echo "debug=new-branch-fallback" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          # GitHub Actions and Gitea Actions both expose github.sha for HEAD.
-          DIFF=$(git diff --name-only "$BASE" "${{ github.sha }}" 2>/dev/null)
-          echo "debug=diff-base=$BASE diff-files=$DIFF" >> "$GITHUB_OUTPUT"
-
-          if echo "$DIFF" | grep -qE '^workspace-server/|^canvas/|^tests/harness/|^.github/workflows/harness-replays\.yml$'; then
-            echo "run=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "run=false" >> "$GITHUB_OUTPUT"
-          fi
-
-  # ONE job that always runs. Real work is gated per-step on
-  # detect-changes.outputs.run so an unrelated PR (e.g. doc-only
-  # change to molecule-controlplane wired here later) emits the
-  # required check without spending CI cycles. Single-job pattern
-  # matches e2e-api.yml — see that workflow's comment for why a
-  # job-level `if: false` would block branch protection via the
-  # SKIPPED-in-set bug.
-  harness-replays:
-    needs: detect-changes
-    name: Harness Replays
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    steps:
-      - name: No-op pass (paths filter excluded this commit)
-        if: needs.detect-changes.outputs.run != 'true'
-        run: |
-          echo "No workspace-server / canvas / tests/harness / workflow changes — Harness Replays gate satisfied without running."
-          echo "::notice::Harness Replays no-op pass (paths filter excluded this commit)."
-          echo "::notice::Debug: ${{ needs.detect-changes.outputs.debug }}"
-
-      - if: needs.detect-changes.outputs.run == 'true'
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      # Log what files were detected so future failures include the diff.
-      - name: Log detected changes
-        if: needs.detect-changes.outputs.run == 'true'
-        run: |
-          echo "::notice::detect-changes debug: ${{ needs.detect-changes.outputs.debug }}"
-
-      # github-app-auth sibling-checkout removed 2026-05-07 (#157):
-      # the plugin was dropped + Dockerfile.tenant no longer COPYs it.
-
-      # Pre-clone manifest deps before docker compose builds the tenant
-      # image (Task #173 followup — same pattern as
-      # publish-workspace-server-image.yml's "Pre-clone manifest deps"
-      # step).
-      #
-      # Why pre-clone here too: tests/harness/compose.yml builds tenant-alpha
-      # and tenant-beta from workspace-server/Dockerfile.tenant with
-      # context=../.. (repo root). That Dockerfile expects
-      # .tenant-bundle-deps/{workspace-configs-templates,org-templates,plugins}
-      # to be present at build context root (post-#173 it COPYs from there
-      # instead of running an in-image clone — the in-image clone failed
-      # with "could not read Username for https://git.moleculesai.app"
-      # because there's no auth path inside the build sandbox).
-      #
-      # Without this step harness-replays fails before any replay runs,
-      # with `failed to calculate checksum of ref ...
-      # "/.tenant-bundle-deps/plugins": not found`. Caught by run #892
-      # (main, 2026-05-07T20:28:53Z) and run #964 (staging — same
-      # symptom, different root cause: staging still has the in-image
-      # clone path, hits the auth error directly).
-      #
-      # 2026-05-08 sub-finding (#192): the clone step ALSO fails when
-      # any referenced workspace-template repo is private and the
-      # AUTO_SYNC_TOKEN bearer (devops-engineer persona) lacks read
-      # access. Root cause: 5 of 9 workspace-template repos
-      # (openclaw, codex, crewai, deepagents, gemini-cli) had been
-      # marked private with no team grant. Resolution: flipped them
-      # to public per `feedback_oss_first_repo_visibility_default`
-      # (the OSS surface should be public). Layer-3 (customer-private +
-      # marketplace third-party repos) tracked separately in
-      # internal#102.
-      #
-      # Token shape matches publish-workspace-server-image.yml: AUTO_SYNC_TOKEN
-      # is the devops-engineer persona PAT, NOT the founder PAT (per
-      # `feedback_per_agent_gitea_identity_default`). clone-manifest.sh
-      # embeds it as basic-auth for the duration of the clones and strips
-      # .git directories — the token never enters the resulting image.
-      - name: Pre-clone manifest deps
-        if: needs.detect-changes.outputs.run == 'true'
-        env:
-          MOLECULE_GITEA_TOKEN: ${{ secrets.AUTO_SYNC_TOKEN }}
-        run: |
-          set -euo pipefail
-          if [ -z "${MOLECULE_GITEA_TOKEN}" ]; then
-            echo "::error::AUTO_SYNC_TOKEN secret is empty — register the devops-engineer persona PAT in repo Actions secrets"
-            exit 1
-          fi
-          mkdir -p .tenant-bundle-deps
-          bash scripts/clone-manifest.sh \
-            manifest.json \
-            .tenant-bundle-deps/workspace-configs-templates \
-            .tenant-bundle-deps/org-templates \
-            .tenant-bundle-deps/plugins
-          # Sanity-check counts so a silent partial clone fails fast
-          # instead of producing a half-empty image.
-          ws_count=$(find .tenant-bundle-deps/workspace-configs-templates -mindepth 1 -maxdepth 1 -type d | wc -l)
-          org_count=$(find .tenant-bundle-deps/org-templates -mindepth 1 -maxdepth 1 -type d | wc -l)
-          plugins_count=$(find .tenant-bundle-deps/plugins -mindepth 1 -maxdepth 1 -type d | wc -l)
-          echo "Cloned: ws=$ws_count org=$org_count plugins=$plugins_count"
-
-      - name: Install Python deps for replays
-        # peer-discovery-404 (and future replays) eval Python against the
-        # running tenant — importing workspace/a2a_client.py pulls in
-        # httpx. tests/harness/requirements.txt holds just the HTTP-client
-        # surface to keep CI install fast (~3s) vs the full
-        # workspace/requirements.txt (~30s).
-        if: needs.detect-changes.outputs.run == 'true'
-        run: pip install -r tests/harness/requirements.txt
-
-      - name: Run all replays against the harness
-        # run-all-replays.sh: boot via up.sh → seed via seed.sh → run
-        # every replays/*.sh → tear down via down.sh on EXIT (trap).
-        # Non-zero exit on any replay failure.
-        #
-        # KEEP_UP=1: without this, the script's trap-on-EXIT tears
-        # down containers immediately on failure, leaving the dump
-        # step below with nothing to dump (verified on PR #2410's
-        # first run — tenant became unhealthy, trap fired, dump
-        # step saw empty containers). Keeping them up lets the
-        # failure path collect tenant/cp-stub/cf-proxy logs. The
-        # always-run "Force teardown" step does the actual cleanup.
-        if: needs.detect-changes.outputs.run == 'true'
-        working-directory: tests/harness
-        env:
-          KEEP_UP: "1"
-        run: ./run-all-replays.sh
-
-      - name: Dump compose logs on failure
-        # SECRETS_ENCRYPTION_KEY: docker compose validates the entire compose
-        # file even for read-only `logs` calls. up.sh generates a per-run key
-        # and exports it to its OWN shell — this step runs in a fresh shell
-        # that wouldn't see it, so without a placeholder the validate step
-        # errors before logs print (verified against PR #2492's first run:
-        # "required variable SECRETS_ENCRYPTION_KEY is missing a value").
-        # A placeholder is fine — we're only reading log streams, not booting.
-        if: failure() && needs.detect-changes.outputs.run == 'true'
-        working-directory: tests/harness
-        env:
-          SECRETS_ENCRYPTION_KEY: dump-logs-placeholder
-        run: |
-          echo "=== docker compose ps ==="
-          docker compose -f compose.yml ps || true
-          echo "=== tenant-alpha logs ==="
-          docker compose -f compose.yml logs tenant-alpha || true
-          echo "=== tenant-beta logs ==="
-          docker compose -f compose.yml logs tenant-beta || true
-          echo "=== cp-stub logs ==="
-          docker compose -f compose.yml logs cp-stub || true
-          echo "=== cf-proxy logs ==="
-          docker compose -f compose.yml logs cf-proxy || true
-          echo "=== postgres-alpha logs (last 100) ==="
-          docker compose -f compose.yml logs --tail 100 postgres-alpha || true
-          echo "=== postgres-beta logs (last 100) ==="
-          docker compose -f compose.yml logs --tail 100 postgres-beta || true
-
-      - name: Force teardown
-        # We pass KEEP_UP=1 to run-all-replays.sh so the dump step
-        # above sees real containers — that means we own teardown
-        # explicitly here. Always run.
-        if: always() && needs.detect-changes.outputs.run == 'true'
-        working-directory: tests/harness
-        run: ./down.sh || true
@@ -1,94 +0,0 @@
-name: Lint curl status-code capture
-
-# Pins the workflow-bash anti-pattern that produced "HTTP 000000" on the
-# 2026-05-04 redeploy-tenants-on-main run for sha 2b862f6:
-#
-#   HTTP_CODE=$(curl ... -w '%{http_code}' ... || echo "000")
-#
-# When curl exits non-zero (connection reset → 56, --fail-with-body 4xx/5xx
-# → 22), the `-w '%{http_code}'` already wrote a status to stdout — usually
-# "000" for connection failures or the actual code for HTTP errors. The
-# `|| echo "000"` then fires AND appends ANOTHER "000" to the captured
-# stdout, producing values like "000000" or "409000" that fail string
-# comparisons against "200" while looking superficially right.
-#
-# Same class of bug the synth-E2E §7c gate hit twice (PRs #2779/#2783 +
-# #2797). Memory: feedback_curl_status_capture_pollution.md.
-#
-# Fix shape (route -w into a tempfile so curl's exit code can't pollute):
-#
-#   set +e
-#   curl ... -w '%{http_code}' >code.txt 2>/dev/null
-#   set -e
-#   HTTP_CODE=$(cat code.txt 2>/dev/null)
-#   [ -z "$HTTP_CODE" ] && HTTP_CODE="000"
-
-on:
-  pull_request:
-    paths: ['.github/workflows/**']
-  push:
-    branches: [main, staging]
-    paths: ['.github/workflows/**']
-  merge_group:
-    types: [checks_requested]
-
-jobs:
-  scan:
-    name: Scan workflows for curl status-capture pollution
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Find curl ... -w '%{http_code}' ... || echo "000" subshells
-        run: |
-          set -uo pipefail
-          # Multi-line aware: look for `$(curl ... -w '%{http_code}' ... || echo "000")`
-          # subshell where the entire command-substitution wraps a curl that
-          # ends with `|| echo "000"`. Must distinguish from the SAFE shape
-          # `$(cat tempfile 2>/dev/null || echo "000")` — `cat` with a missing
-          # tempfile produces empty stdout, no pollution.
-          python3 <<'PY'
-          import os, re, sys, glob
-
-          BAD_FILES = []
-
-          # Match the buggy substitution across newlines: $(curl ... -w '%{http_code}' ... || echo "000")
-          # The `\\n` is the bash line-continuation that lets curl flags span lines.
-          # We collapse continuation lines first, then look for the single-line bad pattern.
-          PATTERN = re.compile(
-              r'\$\(\s*curl\b[^)]*-w\s*[\'"]%\{http_code\}[\'"][^)]*\|\|\s*echo\s+"000"\s*\)',
-              re.DOTALL,
-          )
-
-          # Self-skip: this lint workflow contains the literal anti-pattern in
-          # its own docstring — that's intentional, not a bug.
-          SELF = ".github/workflows/lint-curl-status-capture.yml"
-
-          for f in sorted(glob.glob(".github/workflows/*.yml")):
-              if f == SELF:
-                  continue
-              with open(f) as fh:
-                  content = fh.read()
-              # Collapse bash line-continuations (\\\n + leading whitespace)
-              # into a single logical line so the regex can see the full
-              # curl invocation as one chunk.
-              flat = re.sub(r'\\\s*\n\s*', ' ', content)
-              for m in PATTERN.finditer(flat):
-                  BAD_FILES.append((f, m.group(0)[:120]))
-
-          if not BAD_FILES:
-              print("✓ No curl-status-capture pollution patterns detected")
-              sys.exit(0)
-
-          print(f"::error::Found {len(BAD_FILES)} curl-status-capture pollution site(s):")
-          for f, snippet in BAD_FILES:
-              print(f"::error file={f}::Curl status-capture pollution: '|| echo \"000\"' inside a $(curl ... -w '%{{http_code}}' ...) subshell. On non-2xx or connection failure, curl's -w writes a status, then exits non-zero, then the || echo appends another '000' — producing 'HTTP 000000' or '409000' that fails comparisons silently. Fix: route -w into a tempfile so the exit code can't pollute stdout. See memory feedback_curl_status_capture_pollution.md.")
-              print(f"   matched: {snippet}…")
-          print()
-          print("Fix template:")
-          print('  set +e')
-          print('  curl ... -w \'%{http_code}\' >code.txt 2>/dev/null')
-          print('  set -e')
-          print('  HTTP_CODE=$(cat code.txt 2>/dev/null)')
-          print('  [ -z "$HTTP_CODE" ] && HTTP_CODE="000"')
-          sys.exit(1)
-          PY
@@ -1,121 +0,0 @@
-name: publish-canvas-image
-
-# Builds and pushes the canvas Docker image to GHCR whenever a commit lands
-# on main that touches canvas code. Previously canvas changes were visible in
-# CI (npm run build passed) but the live container was never updated —
-# operators had to manually run `docker compose build canvas` each time.
-#
-# Mirror of publish-platform-image.yml, adapted for the Next.js canvas layer.
-# See that workflow for inline notes on macOS Keychain isolation and QEMU.
-
-on:
-  push:
-    branches: [main]
-    paths:
-      # Only rebuild when canvas source changes — saves GHA minutes on
-      # platform-only / docs-only / MCP-only merges.
-      - 'canvas/**'
-      - '.github/workflows/publish-canvas-image.yml'
-  # Manual trigger: use after a non-canvas merge that still needs a fresh
-  # image (e.g. a Dockerfile change lives outside the canvas/ tree).
-  workflow_dispatch:
-    inputs:
-      platform_url:
-        description: 'NEXT_PUBLIC_PLATFORM_URL baked into the bundle (default: http://localhost:8080)'
-        required: false
-        default: ''
-      ws_url:
-        description: 'NEXT_PUBLIC_WS_URL baked into the bundle (default: ws://localhost:8080/ws)'
-        required: false
-        default: ''
-
-permissions:
-  contents: read
-  packages: write  # required to push to ghcr.io/${{ github.repository_owner }}/*
-
-env:
-  IMAGE_NAME: ghcr.io/molecule-ai/canvas
-
-jobs:
-  build-and-push:
-    name: Build & push canvas image
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - name: Log in to GHCR
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
-
-      # Health check: verify Docker daemon is accessible before attempting any
-      # build steps. This fails loudly at step 1 when the runner's docker.sock
-      # is inaccessible rather than silently continuing to the build step
-      # where docker build fails deep in ECR auth with a cryptic error.
-      - name: Verify Docker daemon access
-        run: |
-          set -euo pipefail
-          echo "::group::Docker daemon health check"
-          docker info 2>&1 | head -5 || {
-            echo "::error::Docker daemon is not accessible at /var/run/docker.sock"
-            echo "::error::Check: (1) daemon running, (2) runner user in docker group, (3) sock perms 660+"
-            exit 1
-          }
-          echo "Docker daemon OK"
-          echo "::endgroup::"
-
-      - name: Compute tags
-        id: tags
-        shell: bash
-        run: |
-          echo "sha=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"
-
-      - name: Resolve build args
-        id: build_args
-        # Priority: workflow_dispatch input > repo secret > hardcoded default.
-        # NEXT_PUBLIC_* env vars are baked into the JS bundle at build time by
-        # Next.js — they cannot be changed at runtime without a full rebuild.
-        # For local docker-compose deployments the defaults (localhost:8080)
-        # work as-is; production deployments should set CANVAS_PLATFORM_URL
-        # and CANVAS_WS_URL as repository secrets.
-        #
-        # Inputs are passed via env vars (not direct ${{ }} interpolation) to
-        # prevent shell injection from workflow_dispatch string inputs.
-        shell: bash
-        env:
-          INPUT_PLATFORM_URL: ${{ github.event.inputs.platform_url }}
-          SECRET_PLATFORM_URL: ${{ secrets.CANVAS_PLATFORM_URL }}
-          INPUT_WS_URL: ${{ github.event.inputs.ws_url }}
-          SECRET_WS_URL: ${{ secrets.CANVAS_WS_URL }}
-        run: |
-          PLATFORM_URL="${INPUT_PLATFORM_URL:-${SECRET_PLATFORM_URL:-http://localhost:8080}}"
-          WS_URL="${INPUT_WS_URL:-${SECRET_WS_URL:-ws://localhost:8080/ws}}"
-
-          echo "platform_url=${PLATFORM_URL}" >> "$GITHUB_OUTPUT"
-          echo "ws_url=${WS_URL}" >> "$GITHUB_OUTPUT"
-
-      - name: Build & push canvas image to GHCR
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
-        with:
-          context: ./canvas
-          file: ./canvas/Dockerfile
-          platforms: linux/amd64
-          push: true
-          build-args: |
-            NEXT_PUBLIC_PLATFORM_URL=${{ steps.build_args.outputs.platform_url }}
-            NEXT_PUBLIC_WS_URL=${{ steps.build_args.outputs.ws_url }}
-          tags: |
-            ${{ env.IMAGE_NAME }}:latest
-            ${{ env.IMAGE_NAME }}:sha-${{ steps.tags.outputs.sha }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          labels: |
-            org.opencontainers.image.source=https://github.com/${{ github.repository }}
-            org.opencontainers.image.revision=${{ github.sha }}
-            org.opencontainers.image.description=Molecule AI canvas (Next.js 15 + React Flow)
@@ -1,207 +0,0 @@
-name: Railway pin audit (drift detection)
-
-# Daily audit of Railway env vars for drift-prone image-tag pins —
-# automation-cadence layer over the detection script + regression test
-# shipped in PR #2168 (#2001 closure).
-#
-# Background: on 2026-04-24 a stale `:staging-a14cf86` SHA pin in CP's
-# TENANT_IMAGE caused 3+ hours of E2E failure with the appearance that
-# "every fix didn't propagate" — really the tenant image was so old it
-# didn't read the env vars those fixes produced. The audit script
-# (scripts/ops/audit-railway-sha-pins.sh) flags drift; this workflow
-# runs the same check unattended on a daily cron.
-#
-# Cadence: once a day, 13:00 UTC (06:00 PT). Daily is the right
-# cadence for variables-tier config — Railway env var changes are
-# deliberate operator actions, low-frequency. Hourly would risk
-# Railway API rate-limit surprises and is overkill for the change rate.
-#
-# Issue-on-failure: drift triggers a priority-high issue, mirroring
-# .github/workflows/e2e-staging-sanity.yml's pattern. Drift is
-# medium-priority "config slipped, fix at next ops window," not
-# active-outage paging.
-#
-# Secret hardening: per feedback_schedule_vs_dispatch_secrets_hardening,
-# the schedule trigger HARD-FAILS on missing RAILWAY_AUDIT_TOKEN
-# (silent-success on schedule was the failure-mode class that bit the
-# team before; cron firing without checking anything is worse than no
-# cron). The workflow_dispatch trigger SOFT-SKIPS on missing secret so
-# an operator can dry-run the workflow shape during initial provisioning
-# without tripping a fake red.
-
-on:
-  schedule:
-    - cron: '0 13 * * *'
-  workflow_dispatch:
-
-concurrency:
-  group: railway-pin-audit
-  cancel-in-progress: false
-
-permissions:
-  issues: write
-  contents: read
-
-jobs:
-  audit:
-    name: Audit Railway env vars for drift-prone pins
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - name: Verify RAILWAY_AUDIT_TOKEN present
-        # Schedule trigger: hard-fail when the secret is missing —
-        # otherwise the cron silently runs against the wrong scope (or
-        # exits 2 from the script and we issue-spam) without anyone
-        # noticing the token rot.
-        # Dispatch trigger: soft-skip — operator may be dry-running the
-        # workflow shape before provisioning the secret. Logged as a
-        # workflow notice, not a failure.
-        env:
-          RAILWAY_AUDIT_TOKEN: ${{ secrets.RAILWAY_AUDIT_TOKEN }}
-          EVENT_NAME: ${{ github.event_name }}
-        id: secret_check
-        run: |
-          set -euo pipefail
-          if [ -n "${RAILWAY_AUDIT_TOKEN:-}" ]; then
-            echo "have_secret=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          echo "have_secret=false" >> "$GITHUB_OUTPUT"
-          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
-            echo "::notice::RAILWAY_AUDIT_TOKEN not configured — soft-skipping (manual dispatch)"
-            exit 0
-          fi
-          echo "::error::RAILWAY_AUDIT_TOKEN secret missing — schedule trigger requires it. Provision the token (read-only \`variables\` scope on the molecule-platform Railway project) and store as repo secret RAILWAY_AUDIT_TOKEN."
-          exit 1
-
-      - name: Install Railway CLI
-        if: steps.secret_check.outputs.have_secret == 'true'
-        # Pinned hash matching the public install instructions; bump in
-        # tandem with the audit-script's documented Railway CLI version.
-        run: |
-          set -euo pipefail
-          curl -fsSL https://railway.com/install.sh | sh
-          # The installer drops the binary in ~/.railway/bin
-          echo "$HOME/.railway/bin" >> "$GITHUB_PATH"
-
-      - name: Verify Railway CLI authenticated
-        if: steps.secret_check.outputs.have_secret == 'true'
-        env:
-          RAILWAY_TOKEN: ${{ secrets.RAILWAY_AUDIT_TOKEN }}
-        run: |
-          set -euo pipefail
-          # `railway whoami` exits non-zero when the token is
-          # unauthenticated or doesn't have any project access.
-          if ! railway whoami >/dev/null 2>&1; then
-            echo "::error::Railway CLI failed to authenticate with RAILWAY_AUDIT_TOKEN — token may be revoked or scoped incorrectly"
-            exit 2
-          fi
-
-      - name: Link molecule-platform project
-        if: steps.secret_check.outputs.have_secret == 'true'
-        env:
-          RAILWAY_TOKEN: ${{ secrets.RAILWAY_AUDIT_TOKEN }}
-        # Project ID from reference_production_stack: molecule-platform
-        # / 7ccc8c68-61f4-42ab-9be5-586eeee11768. Linking is per-process,
-        # so we re-link in this CI shell (the audit script comment says
-        # it deliberately doesn't chdir for you because the linked
-        # project's identity matters).
-        run: |
-          set -euo pipefail
-          railway link --project 7ccc8c68-61f4-42ab-9be5-586eeee11768
-
-      - name: Run drift audit
-        if: steps.secret_check.outputs.have_secret == 'true'
-        id: audit
-        env:
-          RAILWAY_TOKEN: ${{ secrets.RAILWAY_AUDIT_TOKEN }}
-        run: |
-          set +e
-          bash scripts/ops/audit-railway-sha-pins.sh 2>&1 | tee /tmp/audit.log
-          rc=${PIPESTATUS[0]}
-          echo "rc=$rc" >> "$GITHUB_OUTPUT"
-          # Capture the audit log for the issue body.
-          {
-            echo 'log<<AUDIT_EOF'
-            cat /tmp/audit.log
-            echo 'AUDIT_EOF'
-          } >> "$GITHUB_OUTPUT"
-          # Exit codes from the script:
-          #   0 — no drift; workflow goes green
-          #   1 — drift detected; we'll file an issue and fail the run
-          #   2 — railway CLI unauthenticated / project unlinked; fail
-          # Anything else: also fail.
-          case "$rc" in
-            0) exit 0 ;;
-            1) echo "::warning::Drift-prone pin(s) detected — issue will be filed"; exit 1 ;;
-            2) echo "::error::Railway CLI auth/link failed mid-script — token or project ID drift"; exit 2 ;;
-            *) echo "::error::Unexpected audit rc=$rc"; exit 1 ;;
-          esac
-
-      - name: Open / update drift issue
-        if: failure() && steps.audit.outputs.rc == '1'
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
-        env:
-          AUDIT_LOG: ${{ steps.audit.outputs.log }}
-        with:
-          script: |
-            const title = "🚨 Railway env-var drift detected";
-            const runURL = `https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`;
-            const body =
-              `Daily Railway pin audit found drift-prone image-tag pins in the molecule-platform Railway project.\n\n` +
-              `**What this means:** an env var (likely on \`controlplane\`) is pinned to a SHA-shaped or semver tag instead of a floating tag. ` +
-              `Same pattern that caused the 2026-04-24 TENANT_IMAGE incident — fix-PRs land but the running service doesn't pick them up.\n\n` +
-              `**Recovery:** open the Railway dashboard, replace the flagged value with a floating tag (\`:staging-latest\`, \`:main\`) unless the pin is intentional and documented in the ops runbook.\n\n` +
-              `**Audit output:**\n\n\`\`\`\n${process.env.AUDIT_LOG || '(log unavailable)'}\n\`\`\`\n\n` +
-              `Run: ${runURL}\n\n` +
-              `Closes automatically when a subsequent daily run reports clean.`;
-
-            const { data: existing } = await github.rest.issues.listForRepo({
-              owner: context.repo.owner, repo: context.repo.repo,
-              state: 'open', labels: 'railway-drift',
-            });
-            const match = existing.find(i => i.title === title);
-            if (match) {
-              await github.rest.issues.createComment({
-                owner: context.repo.owner, repo: context.repo.repo,
-                issue_number: match.number,
-                body: `Still drifting. ${runURL}\n\n\`\`\`\n${process.env.AUDIT_LOG || '(log unavailable)'}\n\`\`\``,
-              });
-            } else {
-              await github.rest.issues.create({
-                owner: context.repo.owner, repo: context.repo.repo,
-                title, body,
-                labels: ['railway-drift', 'bug', 'priority-high'],
-              });
-            }
-
-      - name: Close stale drift issue on clean run
-        # When a previously-flagged drift gets fixed by an operator,
-        # the next daily run goes green. Close any open `railway-drift`
-        # issue with a confirmation comment so the queue doesn't carry
-        # stale ones.
-        if: success() && steps.audit.outputs.rc == '0'
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
-        with:
-          script: |
-            const runURL = `https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`;
-            const { data: existing } = await github.rest.issues.listForRepo({
-              owner: context.repo.owner, repo: context.repo.repo,
-              state: 'open', labels: 'railway-drift',
-            });
-            for (const issue of existing) {
-              await github.rest.issues.createComment({
-                owner: context.repo.owner, repo: context.repo.repo,
-                issue_number: issue.number,
-                body: `Daily audit clean — drift resolved. ${runURL}`,
-              });
-              await github.rest.issues.update({
-                owner: context.repo.owner, repo: context.repo.repo,
-                issue_number: issue.number,
-                state: 'closed',
-                state_reason: 'completed',
-              });
-            }
@@ -1,91 +0,0 @@
-name: Runtime Pin Compatibility
-
-# CI gate that prevents the 5-hour staging outage from 2026-04-24 from
-# recurring (controlplane#253). The original failure mode:
-#   1. molecule-ai-workspace-runtime 0.1.13 declared `a2a-sdk<1.0` in its
-#      requires_dist metadata (incorrect — it actually imports
-#      a2a.server.routes which only exists in a2a-sdk 1.0+)
-#   2. `pip install molecule-ai-workspace-runtime` resolved cleanly
-#   3. `from molecule_runtime.main import main_sync` raised ImportError
-#   4. Every tenant workspace crashed; the canary tenant caught it but
-#      only after 5 hours of degraded staging
-#
-# This workflow installs the CURRENTLY PUBLISHED runtime from PyPI on
-# top of `workspace/requirements.txt` and smoke-imports. Catches:
-#   - Upstream PyPI yanks
-#   - Bad re-releases of molecule-ai-workspace-runtime
-#   - Already-shipped wheels that stop importing because a transitive
-#     dep moved underneath
-#
-# This is the "PyPI artifact health" half of pin compatibility. The
-# companion workflow `runtime-prbuild-compat.yml` covers the
-# "PR-introduced breakage" half by building the wheel from THIS PR's
-# workspace/ source. Splitting the two means each gets a narrow
-# `paths:` filter — the pypi-latest job no longer fires on doc-only
-# workspace/ edits whose content can't change what's currently on PyPI.
-
-on:
-  push:
-    branches: [main, staging]
-    paths:
-      # Narrow filter: pypi-latest is sensitive only to changes that
-      # affect what we're INSTALLING (requirements.txt) or WHAT THE
-      # CHECK ITSELF DOES (this workflow file). Edits to workspace/
-      # source code don't change what's on PyPI right now, so they
-      # don't change this gate's verdict.
-      - 'workspace/requirements.txt'
-      - '.github/workflows/runtime-pin-compat.yml'
-  pull_request:
-    branches: [main, staging]
-    paths:
-      - 'workspace/requirements.txt'
-      - '.github/workflows/runtime-pin-compat.yml'
-  # Daily catch for upstream PyPI publishes that break the pin combo
-  # without any change in our repo (e.g. someone re-yanks an a2a-sdk
-  # release or molecule-ai-workspace-runtime publishes a bad bump).
-  schedule:
-    - cron: '0 13 * * *'  # 06:00 PT
-  workflow_dispatch:
-  # Required-check support: when this becomes a branch-protection gate,
-  # merge_group runs let the queue green-check this in addition to PRs.
-  merge_group:
-    types: [checks_requested]
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  pypi-latest-install:
-    name: PyPI-latest install + import smoke
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: '3.11'
-          cache: pip
-          cache-dependency-path: workspace/requirements.txt
-      - name: Install runtime + workspace requirements
-        # Install order is load-bearing: install the runtime FIRST so pip
-        # honors whatever a2a-sdk constraint the runtime metadata declares
-        # (this is the surface that broke in 2026-04-24 — runtime declared
-        # `a2a-sdk<1.0` but actually needed >=1.0). The follow-up install
-        # of workspace/requirements.txt then upgrades a2a-sdk to the
-        # constraint our runtime image actually pins. The import smoke
-        # below verifies the upgraded combination is consistent.
-        run: |
-          python -m venv /tmp/venv
-          /tmp/venv/bin/pip install --upgrade pip
-          /tmp/venv/bin/pip install molecule-ai-workspace-runtime
-          /tmp/venv/bin/pip install -r workspace/requirements.txt
-          /tmp/venv/bin/pip show molecule-ai-workspace-runtime a2a-sdk \
-            | grep -E '^(Name|Version):'
-      - name: Smoke import — fail if metadata declares deps that don't satisfy real imports
-        # WORKSPACE_ID is validated at import time by platform_auth.py — EC2
-        # user-data sets it from the cloud-init template; set a placeholder
-        # here so the import smoke doesn't trip on the env-var guard.
-        env:
-          WORKSPACE_ID: 00000000-0000-0000-0000-000000000001
-        run: |
-          /tmp/venv/bin/python -c "from molecule_runtime.main import main_sync; print('runtime imports OK')"
@@ -1,152 +0,0 @@
-name: Runtime PR-Built Compatibility
-
-# Companion to `runtime-pin-compat.yml`. That workflow tests what's
-# CURRENTLY PUBLISHED on PyPI; this workflow tests what WOULD BE
-# PUBLISHED if THIS PR merges.
-#
-# Why two workflows: the chicken-and-egg #128 fix added a "PR-built
-# wheel" job to the original runtime-pin-compat.yml, but both jobs
-# shared a `paths:` filter that was the union of their needs
-# (`workspace/**`). That meant the PyPI-latest job ran on every doc
-# edit even though the upstream PyPI artifact can't change with our
-# workspace/ source. Splitting the two means each gets a narrow
-# `paths:` filter that matches the inputs it actually depends on.
-#
-# Catches the failure mode where a PR adds an import requiring a newer
-# SDK than `workspace/requirements.txt` pins:
-#   1. Pip resolves the existing PyPI wheel + the old SDK pin → smoke
-#      passes (it imports the OLD main.py from the wheel, not the PR's
-#      new main.py).
-#   2. Merge → publish-runtime.yml ships a wheel WITH the new import.
-#   3. Tenant images redeploy → all crash on first boot with
-#      ImportError.
-#
-# By building from the PR's source and smoke-importing THAT wheel, we
-# fail at PR-time instead of after publish.
-#
-# Required-check shape (2026-05-01): the workflow runs on EVERY push +
-# PR + merge_group event with no top-level `paths:` filter, then uses a
-# detect-changes job + per-step `if:` gates inside ONE always-running
-# job named `PR-built wheel + import smoke`. PRs that don't touch
-# wheel-relevant paths get a no-op SUCCESS check run, satisfying branch
-# protection without re-running the heavy build. Same pattern as
-# e2e-api.yml — see its comment for the full rationale + the 2026-04-29
-# PR #2264 incident that motivated the always-run-with-if-gates shape.
-
-on:
-  push:
-    branches: [main, staging]
-  pull_request:
-    branches: [main, staging]
-  workflow_dispatch:
-  merge_group:
-    types: [checks_requested]
-
-concurrency:
-  # Include event_name so a PR sync (event=pull_request) and the
-  # subsequent staging push (event=push) on the SAME merge SHA don't
-  # collide in one group. Without event_name, both runs hashed to
-  # the same key and cancel-in-progress=true cancelled whichever
-  # arrived second — usually the push run, which staging branch-
-  # protection then sees as a CANCELLED required check and refuses
-  # to mark merged. Caught 2026-05-05 across PR #2869's runs (run
-  # ids 25371863455 / 25371811486 / 25371078157 / 25370403142 — every
-  # staging push run cancelled, every matching PR run green).
-  #
-  # Per memory `feedback_concurrency_group_per_sha.md` — same drift
-  # class that broke auto-promote-staging on 2026-04-28. Pin invariant:
-  # event_name + sha is the minimum unique key for these workflows.
-  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.head.sha || github.sha }}
-  cancel-in-progress: true
-
-jobs:
-  detect-changes:
-    runs-on: ubuntu-latest
-    outputs:
-      wheel: ${{ steps.decide.outputs.wheel }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
-        id: filter
-        with:
-          filters: |
-            wheel:
-              - 'workspace/**'
-              - 'scripts/build_runtime_package.py'
-              - 'scripts/wheel_smoke.py'
-              - '.github/workflows/runtime-prbuild-compat.yml'
-      - id: decide
-        # Always run real work for manual dispatch + merge_group — no
-        # diff-against-base in those contexts, and the gate exists to
-        # validate the to-be-merged state regardless of which paths it
-        # touched (paths-filter would default to "no changes" which is
-        # the wrong answer when the queue is composing many PRs).
-        run: |
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ] || [ "${{ github.event_name }}" = "merge_group" ]; then
-            echo "wheel=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "wheel=${{ steps.filter.outputs.wheel }}" >> "$GITHUB_OUTPUT"
-          fi
-
-  # ONE job (no job-level `if:`) that always runs and reports under the
-  # required-check name `PR-built wheel + import smoke`. Real work is
-  # gated per-step on `needs.detect-changes.outputs.wheel`. Same shape
-  # as e2e-api.yml's e2e-api job — see its comment block for the full
-  # rationale (SKIPPED check runs block branch protection even with
-  # SUCCESS siblings; collapsing to one always-run job emits exactly
-  # one SUCCESS check run).
-  local-build-install:
-    needs: detect-changes
-    name: PR-built wheel + import smoke
-    runs-on: ubuntu-latest
-    steps:
-      - name: No-op pass (paths filter excluded this commit)
-        if: needs.detect-changes.outputs.wheel != 'true'
-        run: |
-          echo "No workspace/ / scripts/{build_runtime_package,wheel_smoke}.py / workflow changes — wheel gate satisfied without rebuilding."
-          echo "::notice::PR-built wheel + import smoke no-op pass (paths filter excluded this commit)."
-      - if: needs.detect-changes.outputs.wheel == 'true'
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - if: needs.detect-changes.outputs.wheel == 'true'
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: '3.11'
-          cache: pip
-          cache-dependency-path: workspace/requirements.txt
-      - name: Install build tooling
-        if: needs.detect-changes.outputs.wheel == 'true'
-        run: pip install build
-      - name: Build wheel from PR source (mirrors publish-runtime.yml)
-        if: needs.detect-changes.outputs.wheel == 'true'
-        # Use a fixed test version so the wheel filename is predictable.
-        # Doesn't reach PyPI — this build is local-only for the smoke.
-        # Use the SAME build script with the SAME args as
-        # publish-runtime.yml's build step. The temp dir path differs
-        # (`/tmp/runtime-build` here vs `${{ runner.temp }}/runtime-build`
-        # in publish-runtime.yml — they coincide on ubuntu-latest but
-        # the call sites are not byte-identical). The smoke import is
-        # also intentionally narrower than publish's: this gate exists
-        # to catch SDK-version-import drift specifically; full invariant
-        # coverage lives in publish-runtime.yml's own pre-PyPI smoke.
-        run: |
-          python scripts/build_runtime_package.py \
-            --version "0.0.0.dev0+pin-compat" \
-            --out /tmp/runtime-build
-          cd /tmp/runtime-build && python -m build
-      - name: Install built wheel + workspace requirements
-        if: needs.detect-changes.outputs.wheel == 'true'
-        run: |
-          python -m venv /tmp/venv-built
-          /tmp/venv-built/bin/pip install --upgrade pip
-          /tmp/venv-built/bin/pip install /tmp/runtime-build/dist/*.whl
-          /tmp/venv-built/bin/pip install -r workspace/requirements.txt
-          /tmp/venv-built/bin/pip show molecule-ai-workspace-runtime a2a-sdk \
-            | grep -E '^(Name|Version):'
-      - name: Smoke import the PR-built wheel
-        if: needs.detect-changes.outputs.wheel == 'true'
-        # Same script publish-runtime.yml runs against the to-be-PyPI wheel.
-        # Closes the PR-time vs publish-time gap: a PR adding a new SDK
-        # call-shape no longer passes here (narrow `import main_sync`) only
-        # to fail post-merge in publish-runtime's broader smoke.
-        run: |
-          /tmp/venv-built/bin/python "$GITHUB_WORKSPACE/scripts/wheel_smoke.py"
@@ -1,58 +0,0 @@
-name: SECRET_PATTERNS drift lint
-
-# Detects when the canonical SECRET_PATTERNS array in
-# .github/workflows/secret-scan.yml diverges from known consumer
-# mirrors (workspace-runtime's bundled pre-commit hook today; more
-# can be added as the consumer set grows).
-#
-# Why this exists: every side that scans for credentials has its own
-# copy of the pattern list. They drift — most recently the runtime
-# hook lagged the canonical by one pattern (sk-cp- / MiniMax F1088),
-# so a developer's local pre-commit would let a sk-cp- token through
-# while the org-wide CI scan would refuse it. The cost of that drift
-# is dev confusion + delayed feedback; the fix is automated detection.
-#
-# Triggers:
-#   - schedule: daily 05:00 UTC. Catches drift introduced by edits
-#     to a consumer copy that didn't update canonical here.
-#   - push to main/staging where the canonical or this lint changed:
-#     catches the inverse — canonical updated but consumers not yet
-#     bumped. The lint will fail the push; that's intentional, the
-#     person editing canonical is the right person to also update
-#     the consumer.
-#   - workflow_dispatch: ad-hoc operator runs.
-
-on:
-  schedule:
-    # 05:00 UTC = 22:00 PT / 01:00 ET. Quiet hours so a failure
-    # email lands when humans are starting their day, not
-    # interrupting it.
-    - cron: "0 5 * * *"
-  push:
-    branches: [main, staging]
-    paths:
-      - ".github/workflows/secret-scan.yml"
-      - ".github/workflows/secret-pattern-drift.yml"
-      - ".github/scripts/lint_secret_pattern_drift.py"
-      - ".githooks/pre-commit"
-  workflow_dispatch:
-
-# GITHUB_TOKEN scoped to read-only. The lint only does git checkout
-# + HTTPS GETs to public consumer files; no writes to anything.
-permissions:
-  contents: read
-
-jobs:
-  lint:
-    name: Detect SECRET_PATTERNS drift
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: "3.11"
-
-      - name: Run drift lint
-        run: python3 .github/scripts/lint_secret_pattern_drift.py
@@ -1,129 +0,0 @@
-name: Sweep stale AWS Secrets Manager secrets
-
-# Janitor for per-tenant AWS Secrets Manager secrets
-# (`molecule/tenant/<org_id>/bootstrap`) whose backing tenant no
-# longer exists. Parallel-shape to sweep-cf-tunnels.yml and
-# sweep-cf-orphans.yml — different cloud, same justification.
-#
-# Why this exists separately from a long-term reconciler integration:
-#   - molecule-controlplane's tenant_resources audit table (mig 024)
-#     currently tracks four resource kinds: CloudflareTunnel,
-#     CloudflareDNS, EC2Instance, SecurityGroup. SecretsManager is
-#     not in the list, so the existing reconciler doesn't catch
-#     orphan secrets.
-#   - At ~$0.40/secret/month the cost grew to ~$19/month before this
-#     sweeper was written, indicating ~45+ orphan secrets from
-#     crashed provisions and incomplete deprovision flows.
-#   - The proper fix (KindSecretsManagerSecret + recorder hook +
-#     reconciler enumerator) is filed as a separate controlplane
-#     issue. This sweeper is the immediate cost-relief stopgap.
-#
-# IAM principal: AWS_JANITOR_ACCESS_KEY_ID / AWS_JANITOR_SECRET_ACCESS_KEY.
-# This is a DEDICATED principal — the production `molecule-cp` IAM
-# user lacks `secretsmanager:ListSecrets` (it only has
-# Get/Create/Update/Delete on specific resources, scoped to its
-# operational needs). The janitor needs ListSecrets across the
-# `molecule/tenant/*` prefix, which warrants a separate principal so
-# we don't broaden the prod-CP policy.
-#
-# Safety: the script's MAX_DELETE_PCT gate (default 50%, mirroring
-# sweep-cf-orphans.yml — tenant secrets are durable by design, unlike
-# the mostly-orphan tunnels) refuses to nuke past the threshold.
-
-on:
-  schedule:
-    # Hourly at :30 — offsets from sweep-cf-orphans (:15) and
-    # sweep-cf-tunnels (:45) so the three janitors don't burst the
-    # CP admin endpoints at the same minute.
-    - cron: '30 * * * *'
-  workflow_dispatch:
-    inputs:
-      dry_run:
-        description: "Dry run only — list what would be deleted, no deletion"
-        required: false
-        type: boolean
-        default: true
-      max_delete_pct:
-        description: "Override safety gate (default 50, set higher only for major cleanup)"
-        required: false
-        default: "50"
-      grace_hours:
-        description: "Skip secrets created within this many hours (default 24)"
-        required: false
-        default: "24"
-
-# Don't let two sweeps race the same AWS account.
-concurrency:
-  group: sweep-aws-secrets
-  cancel-in-progress: false
-
-permissions:
-  contents: read
-
-jobs:
-  sweep:
-    name: Sweep AWS Secrets Manager
-    runs-on: ubuntu-latest
-    # 30 min cap, mirroring the other janitors. AWS DeleteSecret is
-    # fast (~0.3s/call) so even a 100+ backlog drains in seconds
-    # under the 8-way xargs parallelism, but the cap is set generously
-    # to leave headroom for any actual API hang.
-    timeout-minutes: 30
-    env:
-      AWS_REGION: ${{ secrets.AWS_REGION || 'us-east-1' }}
-      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_JANITOR_ACCESS_KEY_ID }}
-      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_JANITOR_SECRET_ACCESS_KEY }}
-      CP_PROD_ADMIN_TOKEN: ${{ secrets.CP_PROD_ADMIN_TOKEN }}
-      CP_STAGING_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_TOKEN }}
-      MAX_DELETE_PCT: ${{ github.event.inputs.max_delete_pct || '50' }}
-      GRACE_HOURS: ${{ github.event.inputs.grace_hours || '24' }}
-
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - name: Verify required secrets present
-        id: verify
-        # Schedule-vs-dispatch behaviour split mirrors sweep-cf-orphans
-        # and sweep-cf-tunnels (hardened 2026-04-28). Same principle:
-        #   - schedule → exit 1 on missing secrets (red CI surfaces it)
-        #   - workflow_dispatch → exit 0 with warning (operator-driven,
-        #     they already accepted the repo state)
-        run: |
-          missing=()
-          for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY CP_PROD_ADMIN_TOKEN CP_STAGING_ADMIN_TOKEN; do
-            if [ -z "${!var:-}" ]; then
-              missing+=("$var")
-            fi
-          done
-          if [ ${#missing[@]} -gt 0 ]; then
-            if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-              echo "::warning::skipping sweep — secrets not configured: ${missing[*]}"
-              echo "::warning::set them at Settings → Secrets and Variables → Actions, then rerun."
-              echo "::warning::AWS_JANITOR_* must belong to a principal with secretsmanager:ListSecrets and secretsmanager:DeleteSecret on molecule/tenant/* (the prod molecule-cp principal lacks ListSecrets)."
-              echo "skip=true" >> "$GITHUB_OUTPUT"
-              exit 0
-            fi
-            echo "::error::sweep cannot run — required secrets missing: ${missing[*]}"
-            echo "::error::set them at Settings → Secrets and Variables → Actions, or disable this workflow."
-            echo "::error::AWS_JANITOR_* must belong to a principal with secretsmanager:ListSecrets and secretsmanager:DeleteSecret on molecule/tenant/*."
-            exit 1
-          fi
-          echo "All required secrets present ✓"
-          echo "skip=false" >> "$GITHUB_OUTPUT"
-
-      - name: Run sweep
-        if: steps.verify.outputs.skip != 'true'
-        # Schedule-vs-dispatch dry-run asymmetry mirrors sweep-cf-tunnels:
-        #   - Scheduled: input empty → "false" → --execute (the whole
-        #     point of an hourly janitor).
-        #   - Manual workflow_dispatch: input default true → dry-run;
-        #     operator must flip it to actually delete.
-        run: |
-          set -euo pipefail
-          if [ "${{ github.event.inputs.dry_run || 'false' }}" = "true" ]; then
-            echo "Running in dry-run mode — no deletions"
-            bash scripts/ops/sweep-aws-secrets.sh
-          else
-            echo "Running with --execute — will delete identified orphans"
-            bash scripts/ops/sweep-aws-secrets.sh --execute
-          fi
@@ -1,146 +0,0 @@
-name: Sweep stale Cloudflare DNS records
-
-# Janitor for Cloudflare DNS records whose backing tenant/workspace no
-# longer exists. Without this loop, every short-lived E2E or canary
-# leaves a CF record on the moleculesai.app zone — the zone has a
-# 200-record quota (controlplane#239 hit it 2026-04-23+) and provisions
-# start failing with code 81045 once exhausted.
-#
-# Why a separate workflow vs sweep-stale-e2e-orgs.yml:
-#   - That workflow operates at the CP layer (DELETE /cp/admin/tenants/:slug
-#     drives the cascade). It assumes CP has the org row to drive the
-#     deprovision from. It doesn't catch records left behind when CP
-#     itself never knew about the tenant (canary scratch, manual ops
-#     experiments) or when the cascade's CF-delete branch failed.
-#   - sweep-cf-orphans.sh enumerates the CF zone directly and matches
-#     each record against live CP slugs + AWS EC2 names. It catches
-#     leaks the CP-driven sweep can't.
-#
-# Safety: the script's own MAX_DELETE_PCT gate refuses to nuke more
-# than 50% of records in a single run. If something has gone weird
-# (CP admin endpoint returns no orgs → every tenant looks orphan) the
-# gate halts before damage. Decision-function unit tests in
-# scripts/ops/test_sweep_cf_decide.py (#2027) cover the rule
-# classifier.
-
-on:
-  schedule:
-    # Hourly. Mirrors sweep-stale-e2e-orgs cadence so the two janitors
-    # converge on the same tick. CF API rate budget is generous (1200
-    # req/5min); a single sweep makes ~1 list + N deletes (N<=quota/2).
-    - cron: '15 * * * *'  # offset from sweep-stale-e2e-orgs (top of hour)
-  workflow_dispatch:
-    inputs:
-      dry_run:
-        description: "Dry run only — list what would be deleted, no deletion"
-        required: false
-        type: boolean
-        default: true
-      max_delete_pct:
-        description: "Override safety gate (default 50, set higher only for major cleanup)"
-        required: false
-        default: "50"
-  # No `merge_group:` trigger on purpose. This is a janitor — it doesn't
-  # need to gate merges, and including it as written before #2088 fired
-  # the full sweep job (or its secret-check) on every PR going through
-  # the merge queue, generating one red CI run per merge-queue eval. If
-  # this workflow is ever wired up as a required check, re-add
-  #   merge_group: { types: [checks_requested] }
-  # AND gate the sweep step with `if: github.event_name != 'merge_group'`
-  # so merge-queue evals report success without actually running.
-
-# Don't let two sweeps race the same zone. workflow_dispatch during a
-# scheduled run would otherwise issue duplicate DELETE calls.
-concurrency:
-  group: sweep-cf-orphans
-  cancel-in-progress: false
-
-permissions:
-  contents: read
-
-jobs:
-  sweep:
-    name: Sweep CF orphans
-    runs-on: ubuntu-latest
-    # 3 min surfaces hangs (CF API stall, AWS describe-instances stuck)
-    # within one cron interval instead of burning a full tick. Realistic
-    # worst case is ~2 min: 4 sequential curls + 1 aws + N×CF-DELETE
-    # each individually capped at 10s by the script's curl -m flag.
-    timeout-minutes: 3
-    env:
-      CF_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
-      CF_ZONE_ID: ${{ secrets.CF_ZONE_ID }}
-      CP_PROD_ADMIN_TOKEN: ${{ secrets.CP_PROD_ADMIN_TOKEN }}
-      CP_STAGING_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_TOKEN }}
-      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-      AWS_DEFAULT_REGION: us-east-2
-      MAX_DELETE_PCT: ${{ github.event.inputs.max_delete_pct || '50' }}
-
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - name: Verify required secrets present
-        id: verify
-        # Schedule-vs-dispatch behaviour split (hardened 2026-04-28
-        # after the silent-no-op incident below):
-        #
-        # The earlier soft-skip-on-schedule policy hid a real leak. All
-        # six secrets were unset on this repo for an unknown duration;
-        # every hourly run printed a yellow ::warning:: and exited 0,
-        # so the workflow registered as "passing" while doing nothing.
-        # CF orphans accumulated to 152/200 (~76% of the zone quota
-        # gone) before a manual `dig`-driven audit caught it. Anything
-        # that runs as a janitor and reports green while idle is
-        # indistinguishable from "the janitor is healthy" — so we now
-        # treat schedule (and any future workflow_run/push triggers)
-        # as a hard-fail when secrets are missing.
-        #
-        #   - schedule / workflow_run / push → exit 1 (red CI run
-        #     surfaces the misconfiguration the next tick)
-        #   - workflow_dispatch              → exit 0 with a warning
-        #     (an operator ran this ad-hoc; they already accepted the
-        #     state of the repo and want the workflow to short-circuit
-        #     so they can rerun after fixing the secret)
-        run: |
-          missing=()
-          for var in CF_API_TOKEN CF_ZONE_ID CP_PROD_ADMIN_TOKEN CP_STAGING_ADMIN_TOKEN AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do
-            if [ -z "${!var:-}" ]; then
-              missing+=("$var")
-            fi
-          done
-          if [ ${#missing[@]} -gt 0 ]; then
-            if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-              echo "::warning::skipping sweep — secrets not configured: ${missing[*]}"
-              echo "::warning::set them at Settings → Secrets and Variables → Actions, then rerun."
-              echo "skip=true" >> "$GITHUB_OUTPUT"
-              exit 0
-            fi
-            echo "::error::sweep cannot run — required secrets missing: ${missing[*]}"
-            echo "::error::set them at Settings → Secrets and Variables → Actions, or disable this workflow."
-            echo "::error::a silent skip masked an active CF DNS leak (152/200 zone records) caught only by a manual audit on 2026-04-28; this gate exists to make the gap visible."
-            exit 1
-          fi
-          echo "All required secrets present ✓"
-          echo "skip=false" >> "$GITHUB_OUTPUT"
-
-      - name: Run sweep
-        if: steps.verify.outputs.skip != 'true'
-        # Schedule-vs-dispatch dry-run asymmetry (intentional):
-        #   - Scheduled runs: github.event.inputs.dry_run is empty →
-        #     defaults to "false" below → script runs with --execute
-        #     (the whole point of an hourly janitor).
-        #   - Manual workflow_dispatch: input default is true (line 38)
-        #     so an ad-hoc operator-triggered run is dry-run by default;
-        #     they have to flip the toggle to actually delete.
-        # The script's MAX_DELETE_PCT gate (default 50%) is the second
-        # line of defense regardless of mode.
-        run: |
-          set -euo pipefail
-          if [ "${{ github.event.inputs.dry_run || 'false' }}" = "true" ]; then
-            echo "Running in dry-run mode — no deletions"
-            bash scripts/ops/sweep-cf-orphans.sh
-          else
-            echo "Running with --execute — will delete identified orphans"
-            bash scripts/ops/sweep-cf-orphans.sh --execute
-          fi
@@ -1,124 +0,0 @@
-name: Sweep stale Cloudflare Tunnels
-
-# Janitor for Cloudflare Tunnels whose backing tenant no longer
-# exists. Parallel-shape to sweep-cf-orphans.yml (which sweeps DNS
-# records); same justification, different CF resource.
-#
-# Why this exists separately from sweep-cf-orphans:
-#   - DNS records live on the zone (`/zones/<id>/dns_records`).
-#   - Tunnels live on the account (`/accounts/<id>/cfd_tunnel`).
-#   - Different CF API surface, different scopes; the existing CF
-#     token might not have `account:cloudflare_tunnel:edit`. Splitting
-#     the workflows keeps each one's secret-presence gate independent
-#     so neither silent-skips when the other's secret is missing.
-#   - Cleaner blast radius — operators can disable one without the
-#     other if a regression surfaces.
-#
-# Safety: the script's MAX_DELETE_PCT gate (default 90% — higher than
-# the DNS sweep's 50% because tenant-shaped tunnels are mostly
-# orphans by design) refuses to nuke past the threshold.
-
-on:
-  schedule:
-    # Hourly at :45 — offset from sweep-cf-orphans (:15) so the two
-    # janitors don't issue parallel CF API bursts at the same minute.
-    - cron: '45 * * * *'
-  workflow_dispatch:
-    inputs:
-      dry_run:
-        description: "Dry run only — list what would be deleted, no deletion"
-        required: false
-        type: boolean
-        default: true
-      max_delete_pct:
-        description: "Override safety gate (default 90, set higher only for major cleanup)"
-        required: false
-        default: "90"
-
-# Don't let two sweeps race the same account.
-concurrency:
-  group: sweep-cf-tunnels
-  cancel-in-progress: false
-
-permissions:
-  contents: read
-
-jobs:
-  sweep:
-    name: Sweep CF tunnels
-    runs-on: ubuntu-latest
-    # 30 min cap. Was 5 min on the theory that the only thing that
-    # could take >5min is a CF-API hang — but on 2026-05-02 a backlog
-    # of 672 stale tunnels accumulated (large staging E2E run + delayed
-    # sweep) and the serial `curl -X DELETE` loop (~0.7s/tunnel) needed
-    # ~7-8min to drain. The 5-min cap killed the run mid-sweep
-    # (cancelled at 424/672, see run 25248788312); a manual rerun
-    # finished the remainder fine.
-    #
-    # The fix is two-part: parallelize the delete loop (8-way xargs in
-    # the script — see scripts/ops/sweep-cf-tunnels.sh), AND raise the
-    # cap so a one-off backlog doesn't trip a hangs-detector that
-    # turned out to be a real-job-too-slow detector. With 8-way
-    # parallelism, 600+ tunnels drains in ~60s; 30 min is generous
-    # headroom for actual hangs to still surface (and is in line with
-    # the sweep-cf-orphans companion job).
-    timeout-minutes: 30
-    env:
-      CF_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
-      CF_ACCOUNT_ID: ${{ secrets.CF_ACCOUNT_ID }}
-      CP_PROD_ADMIN_TOKEN: ${{ secrets.CP_PROD_ADMIN_TOKEN }}
-      CP_STAGING_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_TOKEN }}
-      MAX_DELETE_PCT: ${{ github.event.inputs.max_delete_pct || '90' }}
-
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - name: Verify required secrets present
-        id: verify
-        # Schedule-vs-dispatch behaviour split mirrors sweep-cf-orphans
-        # (hardened 2026-04-28 after the silent-no-op incident: the
-        # janitor reported green while doing nothing because secrets
-        # were unset, masking a 152/200 zone-record leak). Same
-        # principle applies here:
-        #   - schedule → exit 1 on missing secrets (red CI surfaces it)
-        #   - workflow_dispatch → exit 0 with warning (operator-driven,
-        #     they already accepted the repo state)
-        run: |
-          missing=()
-          for var in CF_API_TOKEN CF_ACCOUNT_ID CP_PROD_ADMIN_TOKEN CP_STAGING_ADMIN_TOKEN; do
-            if [ -z "${!var:-}" ]; then
-              missing+=("$var")
-            fi
-          done
-          if [ ${#missing[@]} -gt 0 ]; then
-            if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-              echo "::warning::skipping sweep — secrets not configured: ${missing[*]}"
-              echo "::warning::set them at Settings → Secrets and Variables → Actions, then rerun."
-              echo "::warning::CF_API_TOKEN must include account:cloudflare_tunnel:edit scope (separate from the zone:dns:edit scope used by sweep-cf-orphans)."
-              echo "skip=true" >> "$GITHUB_OUTPUT"
-              exit 0
-            fi
-            echo "::error::sweep cannot run — required secrets missing: ${missing[*]}"
-            echo "::error::set them at Settings → Secrets and Variables → Actions, or disable this workflow."
-            echo "::error::CF_API_TOKEN must include account:cloudflare_tunnel:edit scope."
-            exit 1
-          fi
-          echo "All required secrets present ✓"
-          echo "skip=false" >> "$GITHUB_OUTPUT"
-
-      - name: Run sweep
-        if: steps.verify.outputs.skip != 'true'
-        # Schedule-vs-dispatch dry-run asymmetry mirrors sweep-cf-orphans:
-        #   - Scheduled: input empty → "false" → --execute (the whole
-        #     point of an hourly janitor).
-        #   - Manual workflow_dispatch: input default true → dry-run;
-        #     operator must flip it to actually delete.
-        run: |
-          set -euo pipefail
-          if [ "${{ github.event.inputs.dry_run || 'false' }}" = "true" ]; then
-            echo "Running in dry-run mode — no deletions"
-            bash scripts/ops/sweep-cf-tunnels.sh
-          else
-            echo "Running with --execute — will delete identified orphans"
-            bash scripts/ops/sweep-cf-tunnels.sh --execute
-          fi
@@ -1,239 +0,0 @@
-name: Sweep stale e2e-* orgs (staging)
-
-# Janitor for staging tenants left behind when E2E cleanup didn't run:
-# CI cancellations, runner crashes, transient AWS errors mid-cascade,
-# bash trap missed (signal 9), etc. Without this loop, every failed
-# teardown leaks an EC2 + DNS + DB row until manual ops cleanup —
-# 2026-04-23 staging hit the 64 vCPU AWS quota from ~27 such orphans.
-#
-# Why not rely on per-test-run teardown:
-#   - Per-run teardown is best-effort by definition. Any process death
-#     after the test starts but before the trap fires leaves debris.
-#   - GH Actions cancellation kills the runner without grace period.
-#     The workflow's `if: always()` step usually catches this, but it
-#     too can fail (CP transient 5xx, runner network issue at the
-#     wrong moment).
-#   - Even when teardown runs, the CP cascade is best-effort in places
-#     (cascadeTerminateWorkspaces logs+continues; DNS deletion same).
-#   - This sweep is the catch-all that converges staging back to clean
-#     regardless of which specific path leaked.
-#
-# The PROPER fix is making CP cleanup transactional + verify-after-
-# terminate (filed separately as cleanup-correctness work). This
-# workflow is the safety net that catches everything else AND any
-# future leak source we haven't yet identified.
-
-on:
-  schedule:
-    # Every 15 min. E2E orgs are short-lived (~8-25 min wall clock from
-    # create to teardown — canary is ~8 min, full SaaS ~25 min). The
-    # previous hourly + 120-min stale threshold meant a leaked tenant
-    # could keep an EC2 alive for up to 2 hours, eating ~2 vCPU per
-    # leak. Tightening the cadence + threshold reduces the worst-case
-    # leak window from 120 min to ~45 min (15-min sweep cadence + 30-min
-    # threshold) without risk of catching in-progress runs (the longest
-    # e2e run is the 25-min canary, well under the 30-min threshold).
-    # See molecule-controlplane#420 for the leak-class accounting that
-    # motivated this tightening.
-    - cron: '*/15 * * * *'
-  workflow_dispatch:
-    inputs:
-      max_age_minutes:
-        description: "Delete e2e-* orgs older than N minutes (default 30)"
-        required: false
-        default: "30"
-      dry_run:
-        description: "Dry run only — list what would be deleted"
-        required: false
-        type: boolean
-        default: false
-
-# Don't let two sweeps fight. Cron + workflow_dispatch could overlap
-# on a manual trigger; queue rather than parallel-delete.
-concurrency:
-  group: sweep-stale-e2e-orgs
-  cancel-in-progress: false
-
-permissions:
-  contents: read
-
-jobs:
-  sweep:
-    name: Sweep e2e orgs
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    env:
-      MOLECULE_CP_URL: https://staging-api.moleculesai.app
-      ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
-      MAX_AGE_MINUTES: ${{ github.event.inputs.max_age_minutes || '30' }}
-      DRY_RUN: ${{ github.event.inputs.dry_run || 'false' }}
-      # Refuse to delete more than this many orgs in one tick. If the
-      # CP DB is briefly empty (or the admin endpoint goes weird and
-      # returns no created_at), every e2e- org would look stale.
-      # Bailing protects against runaway nukes.
-      SAFETY_CAP: 50
-
-    steps:
-      - name: Verify admin token present
-        run: |
-          if [ -z "$ADMIN_TOKEN" ]; then
-            echo "::error::MOLECULE_STAGING_ADMIN_TOKEN not set"
-            exit 2
-          fi
-          echo "Admin token present ✓"
-
-      - name: Identify stale e2e orgs
-        id: identify
-        run: |
-          set -euo pipefail
-          # Fetch into a file so the python step reads it via stdin —
-          # cleaner than embedding $(curl ...) into a heredoc.
-          curl -sS --fail-with-body --max-time 30 \
-            "$MOLECULE_CP_URL/cp/admin/orgs?limit=500" \
-            -H "Authorization: Bearer $ADMIN_TOKEN" \
-            > orgs.json
-
-          # Filter:
-          #   1. slug starts with one of the ephemeral test prefixes:
-          #        - 'e2e-'    — covers e2e-canary-, e2e-canvas-*, etc.
-          #        - 'rt-e2e-' — runtime-test harness fixtures (RFC #2251);
-          #                      missing this prefix left two such tenants
-          #                      orphaned 8h on staging (2026-05-03), then
-          #                      hard-failed redeploy-tenants-on-staging
-          #                      and broke the staging→main auto-promote
-          #                      chain. Kept in sync with the EPHEMERAL_PREFIX_RE
-          #                      regex in redeploy-tenants-on-staging.yml.
-          #   2. created_at is older than MAX_AGE_MINUTES ago
-          # Output one slug per line to a file the next step reads.
-          python3 > stale_slugs.txt <<'PY'
-          import json, os
-          from datetime import datetime, timezone, timedelta
-          # SSOT for this list lives in the controlplane Go code:
-          # molecule-controlplane/internal/slugs/ephemeral.go
-          # (var EphemeralPrefixes). The redeploy-fleet auto-rollout
-          # also reads from there to SKIP these slugs — without that
-          # filter, fleet redeploy SSM-failed in-flight E2E tenants
-          # whose containers were still booting, breaking the test
-          # that just spun them up (molecule-controlplane#493).
-          # Update both files together.
-          EPHEMERAL_PREFIXES = ("e2e-", "rt-e2e-")
-          with open("orgs.json") as f:
-              data = json.load(f)
-          max_age = int(os.environ["MAX_AGE_MINUTES"])
-          cutoff = datetime.now(timezone.utc) - timedelta(minutes=max_age)
-          for o in data.get("orgs", []):
-              slug = o.get("slug", "")
-              if not slug.startswith(EPHEMERAL_PREFIXES):
-                  continue
-              created = o.get("created_at")
-              if not created:
-                  # Defensively skip rows without created_at — better
-                  # to leave one orphan than nuke a brand-new row
-                  # whose timestamp didn't render.
-                  continue
-              # Python 3.11+ handles RFC3339 with Z directly via
-              # fromisoformat; older runners need the trailing Z swap.
-              created_dt = datetime.fromisoformat(created.replace("Z", "+00:00"))
-              if created_dt < cutoff:
-                  print(slug)
-          PY
-
-          count=$(wc -l < stale_slugs.txt | tr -d ' ')
-          echo "Found $count stale e2e org(s) older than ${MAX_AGE_MINUTES}m"
-          if [ "$count" -gt 0 ]; then
-            echo "First 20:"
-            head -20 stale_slugs.txt | sed 's/^/  /'
-          fi
-          echo "count=$count" >> "$GITHUB_OUTPUT"
-
-      - name: Safety gate
-        if: steps.identify.outputs.count != '0'
-        run: |
-          count="${{ steps.identify.outputs.count }}"
-          if [ "$count" -gt "$SAFETY_CAP" ]; then
-            echo "::error::Refusing to delete $count orgs in one sweep (cap=$SAFETY_CAP). Investigate manually — this usually means the CP admin API returned no created_at or returned a degraded result. Re-run with workflow_dispatch + max_age_minutes if intentional."
-            exit 1
-          fi
-          echo "Within safety cap ($count ≤ $SAFETY_CAP) ✓"
-
-      - name: Delete stale orgs
-        if: steps.identify.outputs.count != '0' && env.DRY_RUN != 'true'
-        run: |
-          set -uo pipefail
-          deleted=0
-          failed=0
-          while IFS= read -r slug; do
-            [ -z "$slug" ] && continue
-            # The DELETE handler requires {"confirm": "<slug>"} matching
-            # the URL slug — fat-finger guard. Idempotent: re-issuing
-            # picks up via org_purges.last_step.
-            # Tempfile-routed -w + set +e/-e prevents curl-exit-code
-            # pollution of the captured status (lint-curl-status-capture.yml).
-            set +e
-            curl -sS -o /tmp/del_resp -w "%{http_code}" \
-              --max-time 60 \
-              -X DELETE "$MOLECULE_CP_URL/cp/admin/tenants/$slug" \
-              -H "Authorization: Bearer $ADMIN_TOKEN" \
-              -H "Content-Type: application/json" \
-              -d "{\"confirm\":\"$slug\"}" >/tmp/del_code
-            set -e
-            # Stderr from curl (-sS shows dial errors etc.) goes to runner log.
-            http_code=$(cat /tmp/del_code 2>/dev/null || echo "000")
-            if [ "$http_code" = "200" ] || [ "$http_code" = "204" ]; then
-              deleted=$((deleted+1))
-              echo "  deleted: $slug"
-            else
-              failed=$((failed+1))
-              echo "  FAILED ($http_code): $slug — $(cat /tmp/del_resp 2>/dev/null | head -c 200)"
-            fi
-          done < stale_slugs.txt
-          echo ""
-          echo "Sweep summary: deleted=$deleted failed=$failed"
-          # Don't fail the workflow on per-org delete errors — the
-          # sweeper is best-effort. Next hourly tick re-attempts. We
-          # only fail loud at the safety-cap gate above.
-
-      - name: Sweep orphan tunnels
-        # Stale-org cleanup deletes the org (which cascades to tunnel
-        # delete inside the CP). But when that cascade fails partway —
-        # CP transient 5xx after the org row is deleted but before the
-        # CF tunnel delete completes — the tunnel persists with no
-        # matching org row. The reconciler in internal/sweep flags this
-        # as `cf_tunnel kind=orphan`, but nothing automatically reaps it.
-        #
-        # `/cp/admin/orphan-tunnels/cleanup` is the operator-triggered
-        # reaper. Calling it here at the end of every sweep tick
-        # converges the staging CF account to clean even when CP
-        # cascades half-fail.
-        #
-        # PR #492 made the underlying DeleteTunnel actually check
-        # status — pre-fix it silent-succeeded on CF code 1022
-        # ("active connections"), so this step would have been a no-op
-        # against stuck connectors. Post-fix the cleanup invokes
-        # CleanupTunnelConnections + retry, which actually clears the
-        # 1022 case. (#2987)
-        #
-        # Best-effort. Failure here doesn't fail the workflow — next
-        # tick re-attempts. Errors flow to step output for ops review.
-        if: env.DRY_RUN != 'true'
-        run: |
-          set +e
-          curl -sS -o /tmp/cleanup_resp -w "%{http_code}" \
-            --max-time 60 \
-            -X POST "$MOLECULE_CP_URL/cp/admin/orphan-tunnels/cleanup" \
-            -H "Authorization: Bearer $ADMIN_TOKEN" >/tmp/cleanup_code
-          set -e
-          http_code=$(cat /tmp/cleanup_code 2>/dev/null || echo "000")
-          body=$(cat /tmp/cleanup_resp 2>/dev/null | head -c 500)
-          if [ "$http_code" = "200" ]; then
-            count=$(echo "$body" | python3 -c "import sys,json; d=json.loads(sys.stdin.read() or '{}'); print(d.get('deleted_count', 0))" 2>/dev/null || echo "0")
-            failed_n=$(echo "$body" | python3 -c "import sys,json; d=json.loads(sys.stdin.read() or '{}'); print(len(d.get('failed') or {}))" 2>/dev/null || echo "0")
-            echo "Orphan-tunnel sweep: deleted=$count failed=$failed_n"
-          else
-            echo "::warning::orphan-tunnels cleanup returned HTTP $http_code — body: $body"
-          fi
-
-      - name: Dry-run summary
-        if: env.DRY_RUN == 'true'
-        run: |
-          echo "DRY RUN — would have deleted ${{ steps.identify.outputs.count }} org(s) AND triggered orphan-tunnels cleanup. Re-run with dry_run=false to actually delete."
@@ -1,52 +0,0 @@
-name: Ops Scripts Tests
-
-# Runs the unittest suite for scripts/ on every PR + push that touches
-# anything under scripts/. Kept separate from the main CI so a script-only
-# change doesn't trigger the heavier Go/Canvas/Python pipelines.
-#
-# Discovery layout: tests sit alongside the code they test (see
-# scripts/ops/test_sweep_cf_decide.py for the pattern; scripts/
-# test_build_runtime_package.py for the rewriter coverage). The job
-# below runs `unittest discover` TWICE — once from `scripts/`, once
-# from `scripts/ops/` — because neither dir has an `__init__.py`, so
-# a single discover from `scripts/` doesn't recurse into the ops
-# subdir. Two passes is simpler than retrofitting namespace packages.
-
-on:
-  push:
-    branches: [main, staging]
-    paths:
-      - 'scripts/**'
-      - '.github/workflows/test-ops-scripts.yml'
-  pull_request:
-    branches: [main, staging]
-    paths:
-      - 'scripts/**'
-      - '.github/workflows/test-ops-scripts.yml'
-  merge_group:
-    types: [checks_requested]
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    name: Ops scripts (unittest)
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: '3.11'
-      - name: Run scripts/ unittests (build_runtime_package, …)
-        # Top-level scripts/ tests live alongside their target file
-        # (e.g. scripts/test_build_runtime_package.py exercises
-        # scripts/build_runtime_package.py). discover from scripts/
-        # picks up only top-level test_*.py because scripts/ops/ has
-        # no __init__.py — that's intentional, so we run two passes.
-        working-directory: scripts
-        run: python -m unittest discover -t . -p 'test_*.py' -v
-      - name: Run scripts/ops/ unittests (sweep_cf_decide, …)
-        working-directory: scripts/ops
-        run: python -m unittest discover -p 'test_*.py' -v
@@ -69,7 +69,7 @@ or other removed paths — open against `molecule-ai/docs` instead.
 | OG images, visual assets | `molecule-ai/docs` → `app/` or `marketing/` |
 | SEO briefs | `molecule-ai/docs` → `marketing/` |
 | DevRel demos (runnable code) | Standalone repo under `molecule-ai/`, OR embedded in `molecule-ai/docs` |
-| Launch checklists, internal tracking | GitHub Issues — **not** committed files |
+| Launch checklists, internal tracking | Gitea Issues — **not** committed files |
 | Engineering docs (`docs/adr/`, `docs/architecture/`, `docs/incidents/`) | This repo (internal, not published) |
 | Live product pages (e.g. `canvas/src/app/pricing/page.tsx`) | This repo (these are app code, not marketing copy) |

@@ -106,7 +106,7 @@ causing a render loop when any node position changed.

 #### Auto-merge & the "extra commit" trap

-**Two system guards protect against pushing commits after auto-merge has been enabled.** Don't try to work around them — they exist because we shipped a half-merged PR on 2026-04-27 (`#2174` merged with only its first commit; the second was orphaned on a branch GitHub had already deleted).
+**Two system guards protect against pushing commits after auto-merge has been enabled.** Don't try to work around them — they exist because we shipped a half-merged PR on 2026-04-27 (`#2174` merged with only its first commit; the second was orphaned on a branch the host had already deleted).

 1. **Repo-wide:** "Automatically delete head branches" is on. Once a PR merges, the branch is deleted server-side. Any subsequent `git push` to that branch fails with `remote rejected — no such branch`.

@@ -145,7 +145,7 @@ Fix violations before committing — the hook will reject the commit.

 ### CI Pipeline

-CI runs on GitHub Actions with a self-hosted runner. External contributors:
+CI runs on Gitea Actions with self-hosted runners. External contributors:
 PRs from forks will not trigger CI automatically. A maintainer will review
 and run CI manually.

@@ -192,7 +192,7 @@ live in their own repos:

 - [`molecule-ai/molecule-ai-workspace-runtime`](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-runtime) — Python adapter SDK (`molecule_runtime`) that runs inside containerized Molecule workspaces. Bridges Claude Code SDK / hermes / langgraph / etc. → A2A queue.
 - [`molecule-ai/molecule-sdk-python`](https://git.moleculesai.app/molecule-ai/molecule-sdk-python) — `A2AServer` + `RemoteAgentClient` for external agents that register over the public `/registry/register` flow.
- [`molecule-ai/molecule-mcp-claude-channel`](https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel) — Claude Code channel plugin. Bridges A2A traffic into a running Claude Code session via MCP `notifications/claude/channel`. Polling-based (no tunnel required); install inside Claude Code via `/plugin marketplace add https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel.git` → `/plugin install molecule@molecule-channel`, then launch with `claude --dangerously-load-development-channels --channels plugin:molecule@molecule-channel`.
+- [`molecule-ai/molecule-mcp-claude-channel`](https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel) — Claude Code channel plugin. Bridges A2A traffic into a running Claude Code session via MCP `notifications/claude/channel`. Polling-based (no tunnel required); install inside Claude Code via `/plugin marketplace add https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel.git` → `/plugin install molecule@molecule-channel`, then launch with `claude --dangerously-load-development-channels=plugin:molecule@molecule-channel`.

 When extending the **A2A surface** in molecule-core (`workspace-server/internal/handlers/a2a_proxy.go` etc.), consider whether the change has a downstream impact on the runtime SDK or the channel plugin — they're versioned independently but share the wire shape.

@@ -206,7 +206,7 @@ See `CLAUDE.md` for detailed architecture documentation, including:

 ## Reporting Issues

-Use GitHub Issues with a clear title and reproduction steps. Include:
+Use Gitea Issues with a clear title and reproduction steps. Include:
 - What you expected
 - What actually happened
 - Platform/OS version
@@ -214,8 +214,9 @@ Use GitHub Issues with a clear title and reproduction steps. Include:

 ## Security

-If you discover a security vulnerability, please report it privately via
-GitHub Security Advisories rather than opening a public issue.
+If you discover a security vulnerability, please report it privately by
+opening an issue against `molecule-ai/internal` (a private repo only
+maintainers can see) rather than filing a public issue here.

 ## License

@@ -4,10 +4,10 @@
 # use this Makefile; CI calls docker compose / go test directly so the
 # Makefile can evolve without breaking the build.

-.PHONY: help dev up down logs build test
+.PHONY: help dev up down logs build test e2e-peer-visibility

 help: ## Show this help.
-	@grep -E '^[a-zA-Z_-]+:.*?## ' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-12s\033[0m %s\n", $$1, $$2}'
+	@grep -E '^[a-zA-Z0-9_-]+:.*?## ' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-22s\033[0m %s\n", $$1, $$2}'

 dev: ## Start the full stack with air hot-reload for the platform service.
 	docker compose -f docker-compose.yml -f docker-compose.dev.yml up
@@ -26,3 +26,13 @@ build: ## Force a fresh build of the platform image (no cache).

 test: ## Run Go unit tests in workspace-server/.
 	cd workspace-server && go test -race ./...
+
+# ─── Local prod-mimic E2E gates ────────────────────────────────────────
+# Run the LITERAL peer-visibility MCP list_peers gate against the
+# already-running local stack (`make up` or `make dev`). Same byte-
+# identical assertion as the staging gate — only provisioning differs.
+# Skips any runtime whose provider key is absent (partially-keyed env
+# is fine). See tests/e2e/test_peer_visibility_mcp_local.sh for the
+# env contract (CLAUDE_CODE_OAUTH_TOKEN / E2E_MINIMAX_API_KEY / etc).
+e2e-peer-visibility: ## Run the LOCAL peer-visibility MCP gate vs the running stack (needs `make up` first).
+	bash tests/e2e/test_peer_visibility_mcp_local.sh
@@ -163,11 +163,11 @@ Most agent systems stop at "a smart runtime." Molecule AI pushes further: it giv

 | Core mechanism | Molecule AI module(s) | Why it matters |
 |---|---|---|
-| **Durable memory that survives sessions** | `workspace/builtin_tools/memory.py`, `workspace/builtin_tools/awareness_client.py`, `workspace-server/internal/handlers/memories.go` | Memory is not just durable, it is **workspace-scoped** and can route into awareness namespaces tied to the org structure |
+| **Durable memory that survives sessions** | `molecule-ai-workspace-runtime/molecule_runtime/builtin_tools/`, `workspace-server/internal/handlers/memories.go` | Memory is not just durable, it is **workspace-scoped** and can route into awareness namespaces tied to the org structure |
 | **Cross-session recall** | `workspace-server/internal/handlers/activity.go` (`/workspaces/:id/session-search`) | Recall spans both activity history and memory rows, so the system can search what happened and what was learned without inventing a separate hidden store |
-| **Skills built from experience** | `workspace/builtin_tools/memory.py` (`_maybe_log_skill_promotion`) | Promotion from memory into a skill candidate is surfaced as an explicit platform activity, not a silent internal side effect |
-| **Skill improvement during use** | `workspace/skill_loader/watcher.py`, `workspace/skill_loader/loader.py`, `workspace/main.py` | Skills hot-reload into the live runtime, so improvements become available on the next A2A task without restarting the workspace |
-| **Persistent skill lifecycle** | `workspace-server/cmd/cli/cmd_agent_skill.go`, `workspace/plugins.py` | Skills are not just generated once; they can be audited, installed, published, shared, mounted by plugins, and governed as reusable operational assets |
+| **Skills built from experience** | `molecule-ai-workspace-runtime/molecule_runtime/builtin_tools/memory.py` (`_maybe_log_skill_promotion`) | Promotion from memory into a skill candidate is surfaced as an explicit platform activity, not a silent internal side effect |
+| **Skill improvement during use** | `molecule-ai-workspace-runtime/molecule_runtime/skill_loader/`, `molecule-ai-workspace-runtime/molecule_runtime/main.py` | Skills hot-reload into the live runtime, so improvements become available on the next A2A task without restarting the workspace |
+| **Persistent skill lifecycle** | `workspace-server/cmd/cli/cmd_agent_skill.go`, `molecule-ai-workspace-runtime/molecule_runtime/plugins.py` | Skills are not just generated once; they can be audited, installed, published, shared, mounted by plugins, and governed as reusable operational assets |

 ### Why this matters in Molecule AI

@@ -208,7 +208,7 @@ The result is not just “an agent that learns.” It is **an organization that

 ### Runtime

- unified `workspace/` image; thin AMI in production (us-east-2)
+- standalone workspace-template images that install `molecule-ai-workspace-runtime` from the Gitea package registry; thin AMI in production (us-east-2)
 - adapter-driven execution across **8 runtimes** (Claude Code, Hermes, Gemini CLI, LangGraph, DeepAgents, CrewAI, AutoGen, OpenClaw)
 - Agent Card registration
 - awareness-backed memory integration; **Memory v2 backed by pgvector** for semantic recall
@@ -238,7 +238,7 @@ The result is not just “an agent that learns.” It is **an organization that
 - subscribe to one or more workspaces; peer messages surface as conversation turns; replies route back through Molecule's A2A
 - no tunnel, no public endpoint — the plugin self-registers each watched workspace as `delivery_mode=poll` and long-polls `/activity?since_id=…`
 - multi-tenant friendly: one plugin install can watch workspaces across multiple Molecule tenants (`MOLECULE_PLATFORM_URLS` per-workspace)
- install via the standard marketplace flow: `/plugin marketplace add https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel.git` → `/plugin install molecule@molecule-channel`, then launch with `claude --dangerously-load-development-channels --channels plugin:molecule@molecule-channel`
+- install via the standard marketplace flow: `/plugin marketplace add https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel.git` → `/plugin install molecule@molecule-channel`, then launch with `claude --dangerously-load-development-channels=plugin:molecule@molecule-channel`

 ## Built For Teams That Need More Than A Demo

@@ -237,7 +237,7 @@ Molecule AI 并不是要替代下面这些 framework，而是把它们纳入更
 - 订阅一个或多个 workspace；peer 的消息会以 user-turn 出现，回复会经 Molecule A2A 路由出去
 - 无需公网隧道、无需公开端点 —— 插件启动时自动把每个 watched workspace 注册成 `delivery_mode=poll`，长轮询 `/activity?since_id=…`
 - 多租户友好：单次安装即可同时 watch 跨多个 Molecule 租户的 workspace（`MOLECULE_PLATFORM_URLS` 按 workspace 配置）
- 通过标准 marketplace 流程安装：`/plugin marketplace add https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel.git` → `/plugin install molecule@molecule-channel`，然后用 `claude --dangerously-load-development-channels --channels plugin:molecule@molecule-channel` 启动
+- 通过标准 marketplace 流程安装：`/plugin marketplace add https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel.git` → `/plugin install molecule@molecule-channel`，然后用 `claude --dangerously-load-development-channels=plugin:molecule@molecule-channel` 启动

 ## 适合什么团队

@@ -1 +1,2 @@
-trigger
+trigger
+retrigger 2026-05-20T04:09Z after op-config#110 (HOME=/home/runner) deploy to fleet — internal#603
@@ -55,7 +55,7 @@ test.describe("Desktop ChatTab", () => {
    await textarea.fill("What is the weather?");
    await page.getByRole("button", { name: /Send/ }).first().click();

-    await expect(page.getByText("What is the weather?")).toBeVisible({ timeout: 5_000 });
+    await expect(page.getByText("What is the weather?", { exact: true })).toBeVisible({ timeout: 5_000 });
    await expect(page.getByText("Echo: What is the weather?")).toBeVisible({ timeout: 15_000 });
  });

@@ -49,7 +49,7 @@ test.describe("MobileChat", () => {
    await textarea.fill("Mobile test message");
    await page.getByRole("button", { name: /Send/ }).first().click();

-    await expect(page.getByText("Mobile test message")).toBeVisible({ timeout: 5_000 });
+    await expect(page.getByText("Mobile test message", { exact: true })).toBeVisible({ timeout: 5_000 });
    await expect(page.getByText("Echo: Mobile test message")).toBeVisible({ timeout: 15_000 });
  });

@@ -9,6 +9,7 @@
 */

 import { randomUUID } from "node:crypto";
+import { execFileSync, execSync } from "node:child_process";

 const PLATFORM_URL = process.env.E2E_PLATFORM_URL ?? "http://localhost:8080";

@@ -23,13 +24,19 @@ export interface SeededWorkspace {
 * Create an external workspace and wire it to the echo runtime.
 */
 export async function seedWorkspace(echoURL: string): Promise<SeededWorkspace> {
-  // 1. Create external workspace (no URL — platform will mint an auth token).
+  // 1. Create external workspace pointing at the in-process echo runtime.
  const runId = Math.random().toString(36).slice(2, 8);
  const wsName = `Chat E2E Agent ${runId}`;
  const createRes = await fetch(`${PLATFORM_URL}/workspaces`, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({ name: wsName, tier: 1, external: true, runtime: "external" }),
+    body: JSON.stringify({
+      name: wsName,
+      tier: 1,
+      external: true,
+      runtime: "external",
+      url: echoURL,
+    }),
  });
  if (!createRes.ok) {
    const text = await createRes.text();
@@ -40,7 +47,10 @@ export async function seedWorkspace(echoURL: string): Promise<SeededWorkspace> {
    name: string;
    connection?: { auth_token?: string };
  };
-  const authToken = ws.connection?.auth_token;
+  let authToken = ws.connection?.auth_token;
+  if (!authToken) {
+    authToken = await mintTestToken(ws.id);
+  }
  if (!authToken) {
    throw new Error("Workspace created but no auth_token returned");
  }
@@ -73,16 +83,35 @@ export async function seedWorkspace(echoURL: string): Promise<SeededWorkspace> {
    `-c "UPDATE workspaces SET status = 'online', url = '${echoURL}', platform_inbound_secret = '${inboundSecret}' WHERE id = '${ws.id}'"`,
  ].join(" ");

-  const { execSync } = await import("node:child_process");
  try {
    execSync(psql, { stdio: "pipe", timeout: 30_000 });
  } catch (err) {
    throw new Error(`DB update failed: ${err}`);
  }

+  cacheWorkspaceURL(ws.id, echoURL);
+
  return { id: ws.id, name: wsName, agentURL: echoURL, authToken };
 }

+function cacheWorkspaceURL(workspaceId: string, agentURL: string): void {
+  const redisContainer = process.env.REDIS_CONTAINER;
+  if (!redisContainer) return;
+
+  const keys = [`ws:${workspaceId}:url`, `ws:${workspaceId}:internal_url`];
+  for (const key of keys) {
+    try {
+      execFileSync(
+        "docker",
+        ["exec", redisContainer, "redis-cli", "SET", key, agentURL],
+        { stdio: "pipe", timeout: 10_000 },
+      );
+    } catch (err) {
+      throw new Error(`Redis URL cache update failed for ${key}: ${err}`);
+    }
+  }
+}
+
 /**
 * Start a heartbeat interval that keeps an external workspace alive.
 * Returns a stop function.
@@ -141,7 +170,6 @@ export async function seedChatHistory(

  const sql = `INSERT INTO chat_messages (id, workspace_id, role, content, created_at) VALUES ${values};`;

-  const { execSync } = await import("node:child_process");
  const psql = `PGPASSWORD=${pass} psql -h ${host} -p ${port} -U ${user} -d ${db} -c "${sql}"`;
  execSync(psql, { stdio: "pipe", timeout: 10_000 });
 }
@@ -163,7 +191,6 @@ export async function cleanupWorkspace(workspaceId: string): Promise<void> {

  const psql = `PGPASSWORD=${pass} psql -h ${host} -p ${port} -U ${user} -d ${db} -c "DELETE FROM workspaces WHERE id = '${workspaceId}'"`;

-  const { execSync } = await import("node:child_process");
  try {
    execSync(psql, { stdio: "pipe", timeout: 30_000 });
  } catch {
@@ -162,10 +162,10 @@ export async function startEchoRuntime(): Promise<EchoRuntime> {
    });
  });

-  await new Promise<void>((resolve) => server.listen(0, "127.0.0.1", resolve));
+  await new Promise<void>((resolve) => server.listen(0, resolve));
  const address = server.address();
  const port = typeof address === "object" && address ? address.port : 0;
-  const baseURL = `http://127.0.0.1:${port}`;
+  const baseURL = `http://localhost:${port}`;

  return {
    baseURL,
@@ -68,14 +68,103 @@ export function Toolbar() {
    return c;
  }, [nodes]);

+  /**
+   * Stop All - task #377 fix.
+   *
+   * BEFORE this PR: directly POSTed `/workspaces/:id/restart`, which tears
+   * the container down and back up. That kills in-flight tool subprocesses
+   * (e.g. `bash -c 'sleep 600'`) but is heavy and discards any in-progress
+   * agent state. It also bypasses the runtime-side fast cancel path (task
+   * #377 PR#40 in template-claude-code) - meaning flipping
+   * `MOLECULE_STOP_PROPAGATE=true` would produce zero canary signal because
+   * nothing ever invokes `executor.cancel()` in production.
+   *
+   * AFTER this PR (two-phase polite cancel):
+   *
+   * 1. POST `tasks/cancel` (A2A JSON-RPC) to each active workspace's
+   *    `/workspaces/:id/a2a` proxy. The platform proxies the envelope to
+   *    the workspace runtime; the a2a-sdk framework dispatches `tasks/cancel`
+   *    to `AgentExecutor.cancel()` (a2a-sdk 1.0.3
+   *    `a2a/compat/v0_3/types.py` line 1125 pins the wire literal as
+   *    `Literal["tasks/cancel"]`; A2A protocol spec section 9.4.5 maps the
+   *    abstract `CancelTask` operation to that wire string). The runtime's
+   *    executor cancel path signals the CLI subprocess group with
+   *    SIGTERM/grace/SIGKILL (template-claude-code PR#40 `stop_propagate.py`).
+   *
+   * 2. Poll the canvas store (the platform pushes `TASK_UPDATED` over WS
+   *    on `active_tasks` changes - `canvas-events.ts` line 400) for up to
+   *    `STOP_ALL_DRAIN_TIMEOUT_MS`. A workspace whose `activeTasks` drops
+   *    to 0 is considered drained and is NOT restarted.
+   *
+   * 3. For any workspace that DID NOT drain inside the timeout - runtime
+   *    is on an old image without the cancel path, or the cancel
+   *    propagation is stuck - fall back to the original heavy
+   *    `/workspaces/:id/restart`. The original behavior is preserved as a
+   *    floor so a stuck workspace still gets stopped; the polite path is
+   *    a fast top-up that lets well-behaved workspaces cancel without
+   *    losing context.
+   *
+   * The polite-cancel envelope mirrors `ScheduleTab.handleRunNow` (line 168)
+   * which is the only other place in canvas that POSTs `/workspaces/:id/a2a`
+   * directly. Method string `tasks/cancel` and empty `params` match the
+   * a2a-sdk shape verified above. The proxy adds `jsonrpc:"2.0"` and `id`
+   * via `normalizeA2APayload` server-side, so the canvas envelope omits them.
+   */
  const stopAll = useCallback(async () => {
    setStopping(true);
    const active = nodes.filter((n) => (n.data.activeTasks as number) > 0);
+    const activeIds = active.map((n) => n.id);
+
+    // Phase 1 - polite cancel on every active workspace in parallel.
+    // Errors are swallowed (same shape as the pre-fix /restart
+    // Promise.all): a 4xx/5xx on tasks/cancel just means we fall through
+    // to /restart for that workspace below.
    await Promise.all(
-      active.map((n) =>
-        api.post(`/workspaces/${n.id}/restart`).catch(() => {})
+      activeIds.map((id) =>
+        api
+          .post(`/workspaces/${id}/a2a`, {
+            method: "tasks/cancel",
+            params: {},
+          })
+          .catch(() => {})
      )
    );
+
+    // Phase 2 - poll the store for activeTasks reaching 0, with a hard
+    // timeout. STOP_ALL_DRAIN_TIMEOUT_MS is sized to cover the runtime's
+    // own SIGTERM-grace (5s in template-claude-code stop_propagate.py
+    // `_SIGTERM_GRACE_S`) plus a small WS round-trip buffer for the
+    // TASK_UPDATED push. STOP_ALL_POLL_INTERVAL_MS keeps the poll cheap
+    // (no animation jitter, no busy-wait).
+    const STOP_ALL_DRAIN_TIMEOUT_MS = 8000;
+    const STOP_ALL_POLL_INTERVAL_MS = 250;
+    const deadline = Date.now() + STOP_ALL_DRAIN_TIMEOUT_MS;
+    let undrained = new Set(activeIds);
+    while (undrained.size > 0 && Date.now() < deadline) {
+      await new Promise((r) => setTimeout(r, STOP_ALL_POLL_INTERVAL_MS));
+      const fresh = useCanvasStore.getState().nodes;
+      const stillActive = new Set<string>();
+      for (const id of undrained) {
+        const n = fresh.find((x) => x.id === id);
+        // Missing node (workspace deleted mid-cancel) is treated as
+        // drained - there's nothing left to restart and reporting it as
+        // "still running" would be a lie.
+        if (n && (n.data.activeTasks as number) > 0) stillActive.add(id);
+      }
+      undrained = stillActive;
+    }
+
+    // Phase 3 - hard-restart anything that did not drain. This is the
+    // same call shape as the pre-fix Stop All, so behavior is strictly a
+    // superset: undrained workspaces still get the heavy stop, drained
+    // ones are spared.
+    if (undrained.size > 0) {
+      await Promise.all(
+        Array.from(undrained).map((id) =>
+          api.post(`/workspaces/${id}/restart`).catch(() => {})
+        )
+      );
+    }
    setStopping(false);
  }, [nodes]);

@@ -131,14 +131,30 @@ const defaultStore = {
  batchDelete: vi.fn(() => Promise.resolve()),
 };

-vi.mock("@/store/canvas", () => ({
-  useCanvasStore: vi.fn((selector: (s: typeof defaultStore) => unknown) =>
+vi.mock("@/store/canvas", () => {
+  // useCanvasStore is used in two shapes:
+  //   1. As a hook: `useCanvasStore((s) => s.x)` — selector path.
+  //   2. As a static accessor: `useCanvasStore.getState().nodes` —
+  //      used by stopAll's drain-poll loop (task #377 Toolbar fix) and
+  //      restartAll's success-clear loop. Both read the LIVE
+  //      defaultStore object so tests that mutate `defaultStore.nodes`
+  //      mid-flight (e.g. simulating a TASK_UPDATED that drops
+  //      activeTasks to 0) see the update on the next poll tick.
+  const hook = vi.fn((selector: (s: typeof defaultStore) => unknown) =>
    selector(defaultStore)
-  ),
-}));
+  ) as unknown as ((selector: (s: typeof defaultStore) => unknown) => unknown) & {
+    getState: () => typeof defaultStore;
+  };
+  hook.getState = () => defaultStore;
+  return { useCanvasStore: hook };
+});

 // ── Component under test ───────────────────────────────────────────────────────
 import { Toolbar } from "../Toolbar";
+// Imported AFTER vi.mock("@/lib/api", ...) above (hoisted) so this
+// resolves to the mock module; gives the new task #377 tests a typed
+// handle on api.post without a CJS require() (Vitest runs ESM).
+import { api as mockedApi } from "@/lib/api";

 // ── Tests ─────────────────────────────────────────────────────────────────────

@@ -315,3 +331,157 @@ describe("Toolbar — ? shortcut opens shortcuts dialog", () => {
    expect(screen.queryByTestId("shortcuts-dialog")).toBeNull();
  });
 });
+
+// ── Toolbar — Stop All polite-cancel flow (task #377) ───────────────────────
+
+describe("Toolbar — Stop All polite cancel before restart (#377)", () => {
+  // `api` resolves to the top-level vi.mock factory's mocked `post`.
+  // We type-cast so TS allows mockReset/mockResolvedValue/mockImplementation
+  // calls without leaking the mock surface into the production type.
+  const api = mockedApi as unknown as { post: ReturnType<typeof vi.fn> };
+
+  /**
+   * Build a working set of two active workspaces so the assertions can
+   * distinguish per-id behavior (drained vs undrained) within one test.
+   */
+  const seedTwoActive = () => {
+    defaultStore.nodes = toStoreNodes(makeNodes(["online", "online"], [2, 2]));
+  };
+
+  /**
+   * Drive an async useCallback handler to completion. Vitest's fake
+   * timers don't see microtasks unless we yield between advances; the
+   * helper interleaves `vi.advanceTimersByTimeAsync` with macrotask
+   * yields so pending fetch resolutions and setTimeout callbacks both
+   * settle before the assertion runs.
+   */
+  const advanceUntilSettled = async (ms: number) => {
+    await vi.advanceTimersByTimeAsync(ms);
+    // One extra tick lets any chained .then() after a setTimeout
+    // resolution fire before the test moves on.
+    await Promise.resolve();
+  };
+
+  beforeEach(() => {
+    vi.useFakeTimers();
+    api.post.mockReset();
+  });
+
+  afterEach(() => {
+    vi.useRealTimers();
+  });
+
+  it("phase 1: issues tasks/cancel via /workspaces/:id/a2a BEFORE any /restart", async () => {
+    seedTwoActive();
+    // Hold both tasks/cancel responses open so the click handler is
+    // observably paused at phase 1. We don't actually need to resolve
+    // them for the order assertion — just inspect the call log.
+    let resolveCancels!: () => void;
+    const cancelGate = new Promise<void>((r) => { resolveCancels = r; });
+    api.post.mockImplementation(async (path: string) => {
+      if (path.endsWith("/a2a")) {
+        await cancelGate;
+      }
+      return undefined;
+    });
+
+    render(<Toolbar />);
+    const btn = screen.getByRole("button", { name: /stop all running tasks/i });
+    fireEvent.click(btn);
+
+    // Yield once so the click handler enters phase 1 and dispatches the
+    // two /a2a POSTs.
+    await Promise.resolve();
+    await Promise.resolve();
+
+    const a2aCalls = api.post.mock.calls.filter((c) => String(c[0]).endsWith("/a2a"));
+    const restartCalls = api.post.mock.calls.filter((c) => String(c[0]).endsWith("/restart"));
+    expect(a2aCalls.length).toBe(2);
+    expect(restartCalls.length).toBe(0);
+
+    // Each /a2a POST carries the canonical tasks/cancel envelope.
+    for (const call of a2aCalls) {
+      expect(call[1]).toEqual({ method: "tasks/cancel", params: {} });
+    }
+
+    // Release the gate so the test cleanup doesn't dangle.
+    resolveCancels();
+    await advanceUntilSettled(10_000);
+  });
+
+  it("phase 2: when activeTasks drains to 0 during the poll window, /restart is NOT called", async () => {
+    seedTwoActive();
+    api.post.mockResolvedValue(undefined);
+
+    render(<Toolbar />);
+    fireEvent.click(screen.getByRole("button", { name: /stop all running tasks/i }));
+
+    // Let phase 1 fire (the two tasks/cancel calls).
+    await Promise.resolve();
+    await Promise.resolve();
+
+    // Simulate the platform pushing TASK_UPDATED with active_tasks=0
+    // on both workspaces — emulate by mutating the store directly,
+    // which is what canvas-events.ts does in production.
+    defaultStore.nodes = toStoreNodes(makeNodes(["online", "online"], [0, 0]));
+
+    // Advance past the first poll interval (250ms) so the loop sees
+    // the drained store and exits early.
+    await advanceUntilSettled(400);
+    // Drain any remaining timers so the handler returns cleanly.
+    await advanceUntilSettled(10_000);
+
+    const restartCalls = api.post.mock.calls.filter((c) => String(c[0]).endsWith("/restart"));
+    expect(restartCalls.length).toBe(0);
+  });
+
+  it("phase 3: when activeTasks does NOT drain inside the timeout, falls through to /restart for each stuck workspace", async () => {
+    seedTwoActive();
+    api.post.mockResolvedValue(undefined);
+
+    render(<Toolbar />);
+    fireEvent.click(screen.getByRole("button", { name: /stop all running tasks/i }));
+
+    // Phase 1 dispatch.
+    await Promise.resolve();
+    await Promise.resolve();
+
+    // Do NOT drain — activeTasks stays at 2 for both. Advance past the
+    // 8000ms drain timeout plus a buffer so phase 3's /restart POSTs fire.
+    await advanceUntilSettled(9_000);
+    await advanceUntilSettled(1_000);
+
+    const a2aCalls = api.post.mock.calls.filter((c) => String(c[0]).endsWith("/a2a"));
+    const restartCalls = api.post.mock.calls.filter((c) => String(c[0]).endsWith("/restart"));
+    expect(a2aCalls.length).toBe(2);
+    expect(restartCalls.length).toBe(2);
+
+    // Order check: every /a2a call comes before every /restart call.
+    const lastA2AIdx = Math.max(
+      ...api.post.mock.calls.map((c, i) => (String(c[0]).endsWith("/a2a") ? i : -1))
+    );
+    const firstRestartIdx = Math.min(
+      ...api.post.mock.calls.map((c, i) => (String(c[0]).endsWith("/restart") ? i : Infinity))
+    );
+    expect(lastA2AIdx).toBeLessThan(firstRestartIdx);
+  });
+
+  it("phase 3 selective: drains only one of two workspaces — /restart is called only for the stuck one", async () => {
+    seedTwoActive();
+    api.post.mockResolvedValue(undefined);
+
+    render(<Toolbar />);
+    fireEvent.click(screen.getByRole("button", { name: /stop all running tasks/i }));
+
+    await Promise.resolve();
+    await Promise.resolve();
+
+    // ws-0 drains immediately, ws-1 stays stuck for the full timeout.
+    defaultStore.nodes = toStoreNodes(makeNodes(["online", "online"], [0, 2]));
+    await advanceUntilSettled(9_500);
+
+    const restartCalls = api.post.mock.calls.filter((c) => String(c[0]).endsWith("/restart"));
+    expect(restartCalls.length).toBe(1);
+    expect(restartCalls[0][0]).toBe("/workspaces/ws-1/restart");
+  });
+});
@@ -0,0 +1,181 @@
+'use client';
+
+import { useCallback, useEffect, useState } from 'react';
+import { api } from '@/lib/api';
+import { fetchSession, type Session } from '@/lib/auth';
+import { getTenantSlug } from '@/lib/tenant';
+import { Spinner } from '@/components/Spinner';
+
+/**
+ * Organization-identity surface inside SettingsPanel.
+ *
+ * Closes a chronic UX gap where users (and our own AI agents) had to
+ * call /cp/auth/me or /cp/orgs from browser devtools to read their
+ * org_id UUID. Now: a copy-buttoned view of name + slug + UUID for the
+ * currently-active org, plus a switcher list when the user belongs to
+ * multiple orgs.
+ *
+ * Data path:
+ *   1. fetchSession() → /cp/auth/me → current org_id
+ *   2. api.get('/cp/orgs') → list of all orgs the user belongs to
+ *   3. Match by id === session.org_id; fall back to host-slug match
+ *      if the session probe loses the race.
+ *
+ * Read-only — this tab never mutates. Org creation/switching lives at
+ * /orgs (the post-signup landing page).
+ */
+
+interface Org {
+  id: string;
+  slug: string;
+  name: string;
+  status?: string;
+}
+
+// /cp/orgs may return a bare array or {orgs: []} — see orgs/page.tsx
+// for the same defensive unwrap.
+type OrgsResponse = Org[] | { orgs?: Org[] };
+
+export function OrgInfoTab() {
+  const [orgs, setOrgs] = useState<Org[] | null>(null);
+  const [session, setSession] = useState<Session | null>(null);
+  const [error, setError] = useState<string | null>(null);
+  const [loading, setLoading] = useState(true);
+
+  useEffect(() => {
+    let cancelled = false;
+    (async () => {
+      try {
+        const [sess, body] = await Promise.all([
+          fetchSession().catch(() => null),
+          api.get<OrgsResponse>('/cp/orgs'),
+        ]);
+        if (cancelled) return;
+        setSession(sess);
+        setOrgs(Array.isArray(body) ? body : body.orgs ?? []);
+      } catch (e) {
+        if (!cancelled) setError(e instanceof Error ? e.message : 'Failed to load org info');
+      } finally {
+        if (!cancelled) setLoading(false);
+      }
+    })();
+    return () => {
+      cancelled = true;
+    };
+  }, []);
+
+  const tenantSlug = getTenantSlug();
+  const currentOrg =
+    orgs?.find((o) => session && o.id === session.org_id) ??
+    orgs?.find((o) => tenantSlug && o.slug === tenantSlug) ??
+    null;
+  const otherOrgs = orgs?.filter((o) => o.id !== currentOrg?.id) ?? [];
+
+  if (loading) {
+    return (
+      <div
+        role="status"
+        aria-live="polite"
+        className="flex items-center justify-center gap-2 py-6 text-ink-mid text-xs"
+      >
+        <Spinner /> Loading organization…
+      </div>
+    );
+  }
+  if (error) {
+    return (
+      <div className="p-4">
+        <div className="px-3 py-2 bg-red-950/40 border border-red-800/50 rounded-lg text-[10px] text-bad">
+          {error}
+        </div>
+      </div>
+    );
+  }
+  if (!currentOrg) {
+    return (
+      <div className="p-4">
+        <p className="text-xs text-ink-mid">
+          No organization found for this session. If this is unexpected, sign out and back in, or visit{' '}
+          <a href="/orgs" className="underline">/orgs</a>.
+        </p>
+      </div>
+    );
+  }
+
+  return (
+    <div className="p-4 space-y-4">
+      <div>
+        <h3 className="text-sm font-semibold text-ink mb-1">Current Organization</h3>
+        <p className="text-[10px] text-ink-mid leading-relaxed">
+          IDs you can paste into API calls, support tickets, or CLI arguments. The UUID never changes;
+          the slug is the URL subdomain.
+        </p>
+      </div>
+      <OrgIdentityCard org={currentOrg} highlighted />
+      {otherOrgs.length > 0 && (
+        <div className="space-y-2 pt-2">
+          <h4 className="text-[11px] font-semibold text-ink-mid uppercase tracking-wider">
+            Your other organizations ({otherOrgs.length})
+          </h4>
+          {otherOrgs.map((o) => (
+            <OrgIdentityCard key={o.id} org={o} />
+          ))}
+        </div>
+      )}
+    </div>
+  );
+}
+
+function OrgIdentityCard({ org, highlighted }: { org: Org; highlighted?: boolean }) {
+  return (
+    <div
+      className={`rounded-lg border p-3 space-y-2 ${
+        highlighted ? 'border-accent/40 bg-accent-strong/5' : 'border-line/40 bg-surface-card/40'
+      }`}
+      data-testid={`org-card-${org.slug}`}
+    >
+      <div className="flex items-baseline justify-between gap-2">
+        <span className="text-[12px] font-medium text-ink truncate">{org.name}</span>
+        {org.status && (
+          <span className="text-[9px] text-ink-mid uppercase tracking-wider shrink-0">{org.status}</span>
+        )}
+      </div>
+      <IdentityRow label="Slug" value={org.slug} />
+      <IdentityRow label="UUID" value={org.id} mono />
+    </div>
+  );
+}
+
+function IdentityRow({ label, value, mono }: { label: string; value: string; mono?: boolean }) {
+  const [copied, setCopied] = useState(false);
+  const onCopy = useCallback(() => {
+    // Best-effort: jsdom + old Safari throw synchronously on writeText.
+    try {
+      navigator.clipboard.writeText(value);
+    } catch {
+      /* user can still triple-click select */
+    }
+    setCopied(true);
+    setTimeout(() => setCopied(false), 2000);
+  }, [value]);
+  return (
+    <div className="flex items-center gap-2">
+      <span className="text-[10px] text-ink-mid w-10 shrink-0">{label}</span>
+      <code
+        className={`flex-1 text-[11px] text-ink bg-surface-sunken/60 px-2 py-1 rounded select-all break-all ${
+          mono ? 'font-mono' : ''
+        }`}
+      >
+        {value}
+      </code>
+      <button
+        type="button"
+        onClick={onCopy}
+        aria-label={`Copy ${label}`}
+        className="shrink-0 px-2 py-1 bg-surface-card/60 hover:bg-surface-card border border-line/40 rounded text-[10px] text-ink-mid hover:text-ink transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
+      >
+        {copied ? 'Copied' : 'Copy'}
+      </button>
+    </div>
+  );
+}
@@ -8,6 +8,7 @@ import { useKeyboardShortcut } from '@/hooks/use-keyboard-shortcut';
 import { SecretsTab } from './SecretsTab';
 import { TokensTab } from './TokensTab';
 import { OrgTokensTab } from './OrgTokensTab';
+import { OrgInfoTab } from './OrgInfoTab';
 import { UnsavedChangesGuard } from './UnsavedChangesGuard';

 /** Module-level ref so TopBar's SettingsButton can receive focus back on close. */
@@ -116,6 +117,9 @@ export function SettingsPanel({ workspaceId }: SettingsPanelProps) {
                <Tabs.Trigger value="org-tokens" className="settings-panel__tab">
                  Org API Keys
                </Tabs.Trigger>
+                <Tabs.Trigger value="org-info" className="settings-panel__tab">
+                  Organization
+                </Tabs.Trigger>
              </Tabs.List>

              <Tabs.Content value="api-keys" className="settings-panel__content">
@@ -129,6 +133,10 @@ export function SettingsPanel({ workspaceId }: SettingsPanelProps) {
              <Tabs.Content value="org-tokens" className="settings-panel__content">
                <OrgTokensTab />
              </Tabs.Content>
+
+              <Tabs.Content value="org-info" className="settings-panel__content">
+                <OrgInfoTab />
+              </Tabs.Content>
            </Tabs.Root>

            <div className="settings-panel__footer">
@@ -0,0 +1,207 @@
+// @vitest-environment jsdom
+/**
+ * Tests for OrgInfoTab — surfaces current org name/slug/UUID with copy
+ * buttons, plus a list of the user's other orgs when applicable.
+ *
+ * Covers (≥3 cases per the closing-the-UX-gap brief):
+ *   - Loading state (spinner + aria-live)
+ *   - Renders current org matched by session.org_id, with UUID + slug + name
+ *   - Copy button writes the UUID to navigator.clipboard
+ *   - Falls back to host-slug match when session lookup fails
+ *   - Lists other orgs when user belongs to multiple
+ *   - Error banner when /cp/orgs throws
+ *   - Empty/no-match state renders the recovery hint, not a crash
+ */
+import React from "react";
+import { render, screen, fireEvent, cleanup, act, waitFor } from "@testing-library/react";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { OrgInfoTab } from "../OrgInfoTab";
+
+const mockGet = vi.fn();
+const mockFetchSession = vi.fn();
+const mockGetTenantSlug = vi.fn();
+
+vi.mock("@/lib/api", () => ({
+  api: { get: (...args: unknown[]) => mockGet(...args) },
+}));
+vi.mock("@/lib/auth", () => ({
+  fetchSession: (...args: unknown[]) => mockFetchSession(...args),
+}));
+vi.mock("@/lib/tenant", () => ({
+  getTenantSlug: (...args: unknown[]) => mockGetTenantSlug(...args),
+}));
+
+// Stub clipboard
+vi.stubGlobal("navigator", {
+  clipboard: { writeText: vi.fn().mockResolvedValue(undefined) },
+});
+
+beforeEach(() => {
+  vi.useRealTimers();
+  mockGet.mockReset();
+  mockFetchSession.mockReset();
+  mockGetTenantSlug.mockReset();
+  mockGetTenantSlug.mockReturnValue("");
+  vi.mocked(navigator.clipboard.writeText).mockReset();
+});
+
+afterEach(() => {
+  cleanup();
+});
+
+async function flush() {
+  await act(async () => {
+    await Promise.resolve();
+    await Promise.resolve();
+  });
+}
+
+const AGENTS_TEAM = {
+  id: "2355b568-0799-4cc7-9e7f-806747f9958c",
+  slug: "agents-team",
+  name: "Agents Team",
+  status: "running",
+};
+const OTHER_ORG = {
+  id: "11111111-1111-4111-8111-111111111111",
+  slug: "skunkworks",
+  name: "Skunkworks",
+  status: "running",
+};
+
+// ─── Loading ─────────────────────────────────────────────────────────────────
+
+describe("OrgInfoTab — loading", () => {
+  it("shows spinner while fetching", () => {
+    mockGet.mockImplementation(() => new Promise(() => {}));
+    mockFetchSession.mockImplementation(() => new Promise(() => {}));
+    render(<OrgInfoTab />);
+    const status = screen.getByRole("status");
+    expect(status).toBeTruthy();
+    expect(status.getAttribute("aria-live")).toBe("polite");
+    expect(status.textContent).toContain("Loading organization");
+  });
+});
+
+// ─── Current org renders + copy ──────────────────────────────────────────────
+
+describe("OrgInfoTab — current org", () => {
+  it("renders the org matched by session.org_id with name, slug, UUID", async () => {
+    mockFetchSession.mockResolvedValue({
+      user_id: "u-1",
+      org_id: AGENTS_TEAM.id,
+      email: "hongming@moleculesai.app",
+    });
+    mockGet.mockResolvedValue([AGENTS_TEAM, OTHER_ORG]);
+
+    render(<OrgInfoTab />);
+    await flush();
+    await waitFor(() => screen.getByText("Current Organization"));
+
+    // Name shown
+    expect(screen.getByText("Agents Team")).toBeTruthy();
+    // Slug shown
+    expect(screen.getByText("agents-team")).toBeTruthy();
+    // UUID shown
+    expect(screen.getByText(AGENTS_TEAM.id)).toBeTruthy();
+  });
+
+  it("copy-UUID button writes the UUID to navigator.clipboard", async () => {
+    mockFetchSession.mockResolvedValue({
+      user_id: "u-1",
+      org_id: AGENTS_TEAM.id,
+      email: "hongming@moleculesai.app",
+    });
+    mockGet.mockResolvedValue([AGENTS_TEAM]);
+
+    render(<OrgInfoTab />);
+    await flush();
+    await waitFor(() => screen.getByText(AGENTS_TEAM.id));
+
+    const copyUuid = screen.getByRole("button", { name: /Copy UUID/i });
+    fireEvent.click(copyUuid);
+
+    expect(navigator.clipboard.writeText).toHaveBeenCalledWith(AGENTS_TEAM.id);
+    // Optimistic "Copied" label flip
+    await waitFor(() =>
+      expect(
+        screen.getByRole("button", { name: /Copy UUID/i }).textContent,
+      ).toContain("Copied"),
+    );
+  });
+
+  it("copy-Slug button writes the slug to navigator.clipboard", async () => {
+    mockFetchSession.mockResolvedValue({
+      user_id: "u-1",
+      org_id: AGENTS_TEAM.id,
+      email: "hongming@moleculesai.app",
+    });
+    mockGet.mockResolvedValue([AGENTS_TEAM]);
+
+    render(<OrgInfoTab />);
+    await flush();
+    await waitFor(() => screen.getByText(AGENTS_TEAM.slug));
+
+    fireEvent.click(screen.getByRole("button", { name: /Copy Slug/i }));
+    expect(navigator.clipboard.writeText).toHaveBeenCalledWith(AGENTS_TEAM.slug);
+  });
+});
+
+// ─── Fallback: host-slug match when session fails ────────────────────────────
+
+describe("OrgInfoTab — fallbacks", () => {
+  it("falls back to host-slug match when fetchSession rejects", async () => {
+    mockFetchSession.mockRejectedValue(new Error("session probe failed"));
+    mockGetTenantSlug.mockReturnValue("agents-team");
+    mockGet.mockResolvedValue({ orgs: [AGENTS_TEAM, OTHER_ORG] }); // wrapped shape
+
+    render(<OrgInfoTab />);
+    await flush();
+    await waitFor(() => screen.getByText("Current Organization"));
+
+    expect(screen.getByText("Agents Team")).toBeTruthy();
+    expect(screen.getByText(AGENTS_TEAM.id)).toBeTruthy();
+  });
+
+  it("lists other orgs the user belongs to under a separate header", async () => {
+    mockFetchSession.mockResolvedValue({
+      user_id: "u-1",
+      org_id: AGENTS_TEAM.id,
+      email: "hongming@moleculesai.app",
+    });
+    mockGet.mockResolvedValue([AGENTS_TEAM, OTHER_ORG]);
+
+    render(<OrgInfoTab />);
+    await flush();
+    await waitFor(() => screen.getByText(/Your other organizations/));
+
+    expect(screen.getByText("Skunkworks")).toBeTruthy();
+    expect(screen.getByText(OTHER_ORG.id)).toBeTruthy();
+  });
+});
+
+// ─── Error + empty handling ──────────────────────────────────────────────────
+
+describe("OrgInfoTab — error + empty", () => {
+  it("renders an error banner when /cp/orgs throws", async () => {
+    mockFetchSession.mockResolvedValue(null);
+    mockGet.mockRejectedValue(new Error("API GET /cp/orgs: 500 boom"));
+
+    render(<OrgInfoTab />);
+    await flush();
+    await waitFor(() => screen.getByText(/500 boom/));
+    expect(screen.queryByText("Current Organization")).toBeNull();
+  });
+
+  it("renders the recovery hint when no org matches (no crash)", async () => {
+    mockFetchSession.mockResolvedValue(null);
+    mockGetTenantSlug.mockReturnValue("");
+    mockGet.mockResolvedValue([]);
+
+    render(<OrgInfoTab />);
+    await flush();
+    await waitFor(() =>
+      screen.getByText(/No organization found for this session/),
+    );
+  });
+});
@@ -8,3 +8,4 @@ export { SearchBar } from './SearchBar';
 export { EmptyState } from './EmptyState';
 export { DeleteConfirmDialog } from './DeleteConfirmDialog';
 export { UnsavedChangesGuard } from './UnsavedChangesGuard';
+export { OrgInfoTab } from './OrgInfoTab';
@@ -10,6 +10,7 @@ import { downloadChatFile, isPlatformAttachment } from "./chat/uploads";
 import { PendingAttachmentPill } from "./chat/AttachmentViews";
 import { AttachmentPreview } from "./chat/AttachmentPreview";
 import { AgentCommsPanel } from "./chat/AgentCommsPanel";
+import { ChatErrorBanner } from "./chat/ChatErrorBanner";
 import { appendActivityLine } from "./chat/activityLog";
 import { runtimeDisplayName } from "@/lib/runtime-names";
 import { ConfirmDialog } from "@/components/ConfirmDialog";
@@ -592,22 +593,19 @@ function MyChatPanel({ workspaceId, data }: Props) {
        <div ref={bottomRef} />
      </div>

-      {/* Error banner */}
-      {displayError && (
-        <div className="px-3 py-2 bg-red-900/20 border-t border-red-800/30">
-          <div className="flex items-center justify-between">
-            <span className="text-[10px] text-red-300">{displayError}</span>
-            {!isOnline && (
-              <button
-                onClick={() => setConfirmRestart(true)}
-                className="text-[11px] px-2 py-0.5 bg-red-800 text-red-200 rounded hover:bg-red-700"
-              >
-                Restart
-              </button>
-            )}
-          </div>
-        </div>
-      )}
+      {/* Error banner — internal#212: surfaces the secret-safe
+          actionable failure reason that ws-server places on
+          ACTIVITY_LOGGED.error_detail (propagated via
+          useChatSocket → onSendError → setError) and offers a
+          "View activity log" affordance that navigates the user to
+          the Activity tab where the full row lives. The previous
+          inline JSX hardcoded "see workspace logs for details" with
+          no link — there is no separate Logs tab. */}
+      <ChatErrorBanner
+        message={displayError}
+        isOnline={isOnline}
+        onRestart={() => setConfirmRestart(true)}
+      />

      {/* Input */}
      <div className="p-3 border-t border-line">
@@ -0,0 +1,99 @@
+// @vitest-environment jsdom
+//
+// Pins internal#212 — the chat error banner must:
+//
+//   1. Render the secret-safe failure reason (e.g. the provider's own
+//      "403 oauth_org_not_allowed: ..." string), NOT the opaque
+//      hardcoded "Agent error (Exception) — see workspace logs for
+//      details." that points at a workspace-logs tab that doesn't
+//      exist.
+//
+//   2. Offer a working "View activity log" affordance that navigates
+//      the user to the Activity tab where the full row lives.
+//
+// Tested at the banner-component seam (ChatErrorBanner). The
+// hook-level path is pinned separately by
+// chat/hooks/__tests__/useChatSocket.test.tsx — together they cover
+// wire-payload → callback → render without each test needing to drive
+// the full ChatTab send-state machinery.
+
+import { describe, it, expect, vi, afterEach, beforeEach } from "vitest";
+import { render, screen, cleanup, fireEvent } from "@testing-library/react";
+
+afterEach(cleanup);
+
+const mocks = vi.hoisted(() => ({
+  setPanelTabMock: vi.fn(),
+}));
+
+vi.mock("@/store/canvas", () => {
+  const state = {
+    setPanelTab: mocks.setPanelTabMock,
+    panelTab: "chat",
+  };
+  const hook = (selector?: (s: typeof state) => unknown) =>
+    selector ? selector(state) : state;
+  hook.getState = () => state;
+  return { useCanvasStore: hook };
+});
+
+beforeEach(() => {
+  mocks.setPanelTabMock.mockClear();
+});
+
+import { ChatErrorBanner } from "../chat/ChatErrorBanner";
+
+describe("ChatErrorBanner — surfaces actionable reason (internal#212)", () => {
+  it("renders the secret-safe failure reason verbatim, not a hardcoded opaque message", () => {
+    const reason =
+      "Anthropic 403 oauth_org_not_allowed: Your organization has disabled Claude subscription access for Claude Code — use an Anthropic API key or ask your admin to enable access.";
+    render(<ChatErrorBanner message={reason} isOnline={true} onRestart={() => {}} />);
+    expect(screen.getByText(/oauth_org_not_allowed/i)).toBeDefined();
+    expect(screen.getByText(/disabled Claude subscription access/i)).toBeDefined();
+    // The legacy boilerplate must NOT leak through when a real reason
+    // is provided.
+    expect(screen.queryByText(/see workspace logs for details/i)).toBeNull();
+  });
+
+  it("falls back to the message when it IS the legacy boilerplate (older ws-server)", () => {
+    // Graceful degradation: an older ws-server passes through the
+    // hardcoded text; the banner still renders SOMETHING — never
+    // silently swallow.
+    render(
+      <ChatErrorBanner
+        message="Agent error (Exception) — see workspace logs for details."
+        isOnline={true}
+        onRestart={() => {}}
+      />,
+    );
+    expect(
+      screen.getByText(/Agent error \(Exception\) — see workspace logs for details\./),
+    ).toBeDefined();
+  });
+
+  it("offers a 'View activity log' button that calls setPanelTab('activity')", () => {
+    render(
+      <ChatErrorBanner message="kimi 401 invalid_api_key" isOnline={true} onRestart={() => {}} />,
+    );
+    const btn = screen.getByRole("button", { name: /view activity log/i });
+    fireEvent.click(btn);
+    expect(mocks.setPanelTabMock).toHaveBeenCalledWith("activity");
+  });
+
+  it("still shows the Restart button when offline (existing behavior preserved)", () => {
+    const onRestart = vi.fn();
+    render(
+      <ChatErrorBanner message="Agent is offline" isOnline={false} onRestart={onRestart} />,
+    );
+    const btn = screen.getByRole("button", { name: /^restart$/i });
+    fireEvent.click(btn);
+    expect(onRestart).toHaveBeenCalledTimes(1);
+  });
+
+  it("renders nothing when message is null", () => {
+    const { container } = render(
+      <ChatErrorBanner message={null} isOnline={true} onRestart={() => {}} />,
+    );
+    expect(container.textContent).toBe("");
+  });
+});
@@ -649,7 +649,17 @@ function WaitingBubbles({ visible }: { visible: CommMessage[] }) {
    if (!prev || m.timestamp > prev.timestamp) tailByPeer.set(m.peerId, m);
  }
  const waitingPeers = Array.from(tailByPeer.values()).filter(
-    (m) => m.flow === "out" && (m.status === "pending" || m.status === "queued"),
+    // Task #227 — also light the indicator for status="dispatched": that's
+    // the platform's marker for a poll-mode delegation that's been
+    // recorded into the peer's inbox but not yet picked up. Without this
+    // arm, external/MCP peer threads showed an outbound bubble and then
+    // dead silence until the eventual reply landed — no parity with the
+    // native push-path "pending" indicator.
+    (m) =>
+      m.flow === "out" &&
+      (m.status === "pending" ||
+        m.status === "queued" ||
+        m.status === "dispatched"),
  );
  if (waitingPeers.length === 0) return null;
  return (
@@ -688,7 +698,9 @@ function WaitingBubbles({ visible }: { visible: CommMessage[] }) {
              <span className="text-[10px]">
                {m.status === "queued"
                  ? `${m.peerName} is busy — reply will arrive when they're free`
-                  : `Waiting for ${m.peerName}…`}
+                  : m.status === "dispatched"
+                    ? `Queued — ${m.peerName} will pick up on next poll`
+                    : `Waiting for ${m.peerName}…`}
              </span>
            </span>
          </div>
@@ -0,0 +1,85 @@
+"use client";
+
+/**
+ * ChatErrorBanner — error-state banner rendered under the chat
+ * message list when an agent turn fails or the workspace is offline.
+ *
+ * internal#212 closes the "see workspace logs for details" pointer-to-
+ * nowhere defect:
+ *
+ *   - The banner now renders the actionable, secret-safe failure
+ *     reason that ws-server places on `ACTIVITY_LOGGED.error_detail`
+ *     (provider HTTP status + error code + provider's own human
+ *     message). The hook (`useChatSocket`) forwards this through
+ *     `onSendError`, which the ChatTab routes into this banner's
+ *     `message` prop. No hardcoded opaque text in this component.
+ *
+ *   - A "View activity log" button navigates the user to the Activity
+ *     tab where the full row (request body, response body, timing,
+ *     full error_detail) lives. Until internal#212, the banner
+ *     mentioned "workspace logs" with no link — there is no separate
+ *     Logs tab in the side panel; the Activity tab IS the workspace-
+ *     logs surface. Routing through the existing tab makes the
+ *     reference real instead of dangling.
+ *
+ *   - The existing Restart button (shown only when the workspace is
+ *     offline) is preserved unchanged so the recovery affordance the
+ *     old banner offered does not regress.
+ *
+ * Pure presentational — no socket subscription, no state machine. Easy
+ * to unit-test in isolation and easy to compose into the ChatTab.
+ */
+
+import { useCanvasStore } from "@/store/canvas";
+
+export interface ChatErrorBannerProps {
+  /** The user-visible reason. Pass `null` to render nothing. */
+  message: string | null;
+  /** Workspace reachable state — gates the Restart affordance. */
+  isOnline: boolean;
+  /** Fires when the user clicks Restart (offline-only). */
+  onRestart: () => void;
+}
+
+export function ChatErrorBanner({ message, isOnline, onRestart }: ChatErrorBannerProps) {
+  // Pulled from the global store rather than threaded through props so
+  // the chat tab does not need to know about the side-panel tab state.
+  // Matches how Toolbar.tsx triggers the audit tab (the existing
+  // precedent for cross-tab navigation).
+  const setPanelTab = useCanvasStore((s) => s.setPanelTab);
+
+  if (!message) return null;
+
+  return (
+    <div
+      // role="alert" + aria-live mirrors the project's existing WCAG
+      // 4.1.3 banner pattern (see fix/canvas-errors-aria-alert) — a
+      // screen reader announces the failure as soon as it lands.
+      role="alert"
+      aria-live="assertive"
+      className="px-3 py-2 bg-red-900/20 border-t border-red-800/30"
+    >
+      <div className="flex items-center justify-between gap-2">
+        <span className="text-[10px] text-red-300 break-words flex-1">{message}</span>
+        <div className="flex items-center gap-1.5 shrink-0">
+          <button
+            type="button"
+            onClick={() => setPanelTab("activity")}
+            className="text-[10px] px-2 py-0.5 bg-red-900/40 hover:bg-red-800/60 border border-red-700/40 text-red-200 rounded transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
+          >
+            View activity log
+          </button>
+          {!isOnline && (
+            <button
+              type="button"
+              onClick={onRestart}
+              className="text-[11px] px-2 py-0.5 bg-red-800 text-red-200 rounded hover:bg-red-700"
+            >
+              Restart
+            </button>
+          )}
+        </div>
+      </div>
+    </div>
+  );
+}
@@ -41,6 +41,19 @@ describe("inferA2AErrorHint", () => {
    expect(inferA2AErrorHint("RuntimeException in tool call")).toMatch(/runtime threw an exception/);
  });

+  it("points at the Activity tab (the real in-product logs surface), not 'workspace/container logs' (internal#212)", () => {
+    // Pre-#212 these hints sent users to "workspace logs" / "container
+    // logs" — neither has a UI affordance in the canvas. Activity tab
+    // is the in-product surface where the full row lives. Lock the
+    // copy so a future refactor cannot re-introduce the dangling
+    // pointer.
+    expect(inferA2AErrorHint("Agent error: boom")).toMatch(/Activity tab/);
+    expect(inferA2AErrorHint("some completely novel error nobody has matched yet")).toMatch(/Activity tab/);
+    // And the two strings together must not regress to the old text.
+    expect(inferA2AErrorHint("Agent error: boom")).not.toMatch(/container logs/);
+    expect(inferA2AErrorHint("some novel error")).not.toMatch(/workspace logs/);
+  });
+
  it("recognises peer-unreachable cases (Activity-tab originals)", () => {
    expect(inferA2AErrorHint("workspace not found")).toMatch(/can't be reached/);
    expect(inferA2AErrorHint("not accessible")).toMatch(/can't be reached/);
@@ -53,7 +66,8 @@ describe("inferA2AErrorHint", () => {

  it("returns a generic fallback for unrecognised text", () => {
    const hint = inferA2AErrorHint("some completely novel error nobody has matched yet");
-    expect(hint).toMatch(/Check the workspace logs|delivery failure/);
+    // Fallback now sends the user to the Activity tab (post-#212).
+    expect(hint).toMatch(/Activity tab|delivery failure/);
  });

  it("Claude SDK wedge wins over the more general timeout pattern", () => {
@@ -0,0 +1,179 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+import {
+  uploadChatFiles,
+  FileTooLargeError,
+  MAX_UPLOAD_BYTES,
+  computeUploadTimeoutMs,
+} from "../uploads";
+
+// Tests for the 100 MB upload-cap raise + correct-reason error mapping
+// (CTO 2026-05-19 directive on forensic a99ab0a1: "if its file size
+// issue, should have error that instead saying timeout which is
+// wrong"). Each case has its own specific reason; conflation is the
+// bug this PR fixes.
+
+// File constructor in node's vitest env supports size via array length.
+// Allocate a typed-array of N bytes and wrap it — File reads .size off
+// the underlying Blob. Allocating 101 MB once per test is fine (vitest
+// maxWorkers=1, single test process).
+function makeFile(name: string, size: number): File {
+  const buf = new Uint8Array(size);
+  return new File([buf], name);
+}
+
+const wsId = "00000000-0000-0000-0000-000000000001";
+
+describe("uploadChatFiles — MAX_UPLOAD_BYTES + pre-flight gate", () => {
+  it("MAX_UPLOAD_BYTES is exactly 100 MB (mirrors server constant)", () => {
+    // Pinned so a regression that flipped the constant back to 50 MB
+    // would fail loudly here — without this the canvas would
+    // silently start rejecting files the server now accepts.
+    expect(MAX_UPLOAD_BYTES).toBe(100 * 1024 * 1024);
+  });
+
+  it("throws FileTooLargeError for a 101 MB file BEFORE any network I/O", async () => {
+    const oversize = makeFile("big.bin", 101 * 1024 * 1024);
+    const fetchSpy = vi.spyOn(globalThis, "fetch");
+    try {
+      await uploadChatFiles(wsId, [oversize]);
+      throw new Error("expected uploadChatFiles to throw, but it resolved");
+    } catch (e) {
+      // The exact class name matters — useChatSend's mapUploadErrorToReason
+      // routes off `instanceof FileTooLargeError`. A regression that
+      // demoted to a plain Error would silently re-introduce the
+      // wrong-reason conflation CTO flagged.
+      expect(e).toBeInstanceOf(FileTooLargeError);
+      const err = e as FileTooLargeError;
+      // Message must contain the 100MB cap (so the user knows what the
+      // limit is) and a number-with-MB form of the actual size.
+      expect(err.message).toContain("100MB");
+      // Some toFixed(1) renderings: 101.0MB. Loose match: contains "MB".
+      expect(err.message).toMatch(/got\s+\d+(\.\d+)?MB/);
+      expect(err.fileSize).toBe(101 * 1024 * 1024);
+    }
+    // CRITICAL: no fetch may have been initiated. Pre-flight is the
+    // whole point — if a network round-trip happened we'd be back to
+    // surfacing a downstream timeout / 413 instead of the actionable
+    // file-size message.
+    expect(fetchSpy).not.toHaveBeenCalled();
+    fetchSpy.mockRestore();
+  });
+
+  it("accepts a file exactly at the cap (== MAX_UPLOAD_BYTES)", async () => {
+    // Equality must NOT trip the gate — the cap is inclusive on the
+    // server side and the canvas must match. Without this, an exact-
+    // cap file would 503 client-side while the server accepts it.
+    const exact = makeFile("max.bin", MAX_UPLOAD_BYTES);
+    const fetchSpy = vi
+      .spyOn(globalThis, "fetch")
+      .mockResolvedValue(
+        new Response(JSON.stringify({ files: [] }), {
+          status: 200,
+          headers: { "content-type": "application/json" },
+        }),
+      );
+    await expect(uploadChatFiles(wsId, [exact])).resolves.toBeDefined();
+    expect(fetchSpy).toHaveBeenCalledOnce();
+    fetchSpy.mockRestore();
+  });
+});
+
+describe("computeUploadTimeoutMs — scaled timeout curve", () => {
+  it("100 KB file → 60s floor (small-file ergonomics)", () => {
+    // Below the floor, the small-file UX (typo'd hostname surfacing as
+    // connect-error quickly) takes priority over the slow-uplink
+    // assumption.
+    expect(computeUploadTimeoutMs(100 * 1024)).toBe(60_000);
+  });
+
+  it("1 MB file → 60s floor", () => {
+    expect(computeUploadTimeoutMs(1 * 1024 * 1024)).toBe(60_000);
+  });
+
+  it("100 MB file → ~1000s (matches the slow-uplink design budget)", () => {
+    // Pin the upper-bound case the design targets: at 100 MB / 100 KB/s
+    // a legitimate slow uplink completes in ~1000s, comfortably
+    // before the platform's 1200s http.Client timeout. Without this
+    // scaling, the previous fixed 60s deadline aborted Ryan's ~60 MB
+    // upload in forensic a99ab0a1.
+    const ms = computeUploadTimeoutMs(100 * 1024 * 1024);
+    // 100*1024*1024 / 100 = 1048576 ms ≈ 1048.6s — pin to ±1ms.
+    expect(ms).toBe(Math.floor((100 * 1024 * 1024) / 100));
+    expect(ms).toBeGreaterThan(1_000_000);
+    expect(ms).toBeLessThan(1_100_000);
+  });
+
+  it("strictly monotonic above the floor", () => {
+    // A regression that capped or non-monotonised the curve would
+    // silently re-introduce premature aborts for mid-size files.
+    const a = computeUploadTimeoutMs(10 * 1024 * 1024);
+    const b = computeUploadTimeoutMs(50 * 1024 * 1024);
+    const c = computeUploadTimeoutMs(100 * 1024 * 1024);
+    expect(b).toBeGreaterThan(a);
+    expect(c).toBeGreaterThan(b);
+  });
+});
+
+describe("uploadChatFiles — error path shapes (for downstream reason-mapping)", () => {
+  let fetchSpy: ReturnType<typeof vi.spyOn> | null = null;
+
+  beforeEach(() => {
+    fetchSpy = vi.spyOn(globalThis, "fetch");
+  });
+  afterEach(() => {
+    fetchSpy?.mockRestore();
+    fetchSpy = null;
+  });
+
+  it("propagates the server's 413 reason verbatim (not as 'timeout')", async () => {
+    // The error message text is what useChatSend surfaces via
+    // `Upload failed: ${e.message}` — pin that the server's reason
+    // is present, not swallowed.
+    fetchSpy!.mockResolvedValue(
+      new Response('{"error":"file exceeds per-file limit (100 MB)"}', {
+        status: 413,
+        headers: { "content-type": "application/json" },
+      }),
+    );
+    const f = makeFile("small.bin", 1024);
+    await expect(uploadChatFiles(wsId, [f])).rejects.toThrow(
+      /upload failed:.*413.*per-file limit/i,
+    );
+  });
+
+  it("propagates AbortSignal timeout as a DOMException with name=TimeoutError", async () => {
+    // Reason-routing in useChatSend.mapUploadErrorToReason discriminates
+    // by e.name === 'TimeoutError'. Pin the shape so a future browser /
+    // polyfill change that renamed it would fail loudly here, NOT
+    // silently fall through to the generic "Upload failed" path
+    // (which is what made forensic a99ab0a1 hard to root-cause).
+    const abortErr = new DOMException("signal timed out", "TimeoutError");
+    fetchSpy!.mockRejectedValue(abortErr);
+    const f = makeFile("small.bin", 1024);
+    try {
+      await uploadChatFiles(wsId, [f]);
+      throw new Error("expected throw");
+    } catch (e) {
+      expect(e).toBeInstanceOf(DOMException);
+      expect((e as DOMException).name).toBe("TimeoutError");
+      // CRITICAL negative: the rejection must NOT be a
+      // FileTooLargeError, because pre-flight already excluded that.
+      expect(e).not.toBeInstanceOf(FileTooLargeError);
+    }
+  });
+
+  it("a 50 MB file does NOT trip the pre-flight gate (sub-cap)", async () => {
+    // The forensic case: Ryan's file was over the OLD 50MB cap but
+    // under the NEW 100MB cap. Pin that the pre-flight does NOT
+    // misfire on a sub-100MB file.
+    fetchSpy!.mockResolvedValue(
+      new Response('{"files":[]}', {
+        status: 200,
+        headers: { "content-type": "application/json" },
+      }),
+    );
+    const f = makeFile("ryan.bin", 50 * 1024 * 1024);
+    await expect(uploadChatFiles(wsId, [f])).resolves.toBeDefined();
+    expect(fetchSpy!).toHaveBeenCalledOnce();
+  });
+});
@@ -38,7 +38,11 @@ export function inferA2AErrorHint(detail: string): string {
    return "The connection to the remote agent dropped before a reply arrived. Usually a transient network blip — retry once. If it repeats, the remote container may have crashed mid-request; check its logs.";
  }
  if (t.includes("agent error") || t.includes("exception")) {
-    return "The remote agent's runtime threw an exception. Check the workspace's container logs for the traceback. Restart usually clears transient runtime crashes.";
+    // internal#212 closeout: end users have no "container logs" surface
+    // in the canvas; the Activity tab IS the user-visible logs surface
+    // (full row carries request/response body + error_detail). Point
+    // there so the hint is actionable from inside the product.
+    return "The remote agent's runtime threw an exception. Open the Activity tab for the full row (request body, response, error_detail) — Restart usually clears transient runtime crashes.";
  }
  if (
    t.includes("not found") ||
@@ -50,5 +54,9 @@ export function inferA2AErrorHint(detail: string): string {
  if (detail === "") {
    return "The remote agent returned no error detail (the underlying httpx exception had an empty message — typically a connection-reset or silent timeout). A workspace restart is the safe first move.";
  }
-  return "The remote agent reported a delivery failure. Check the workspace logs or try restarting.";
+  // internal#212 closeout: "workspace logs" pointed at a tab that does
+  // not exist — Activity tab is the in-product logs surface. Keep the
+  // hint generic enough for the unrecognised-detail fallback but point
+  // the user at a real affordance.
+  return "The remote agent reported a delivery failure. Open the Activity tab for the full row, or try restarting the workspace.";
 }
@@ -0,0 +1,79 @@
+import { describe, it, expect } from "vitest";
+import { mapUploadErrorToReason } from "../useChatSend";
+import { FileTooLargeError } from "../../uploads";
+
+// Pin the case-by-case error mapping (CTO 2026-05-19 directive on
+// forensic a99ab0a1: each cause maps to ITS OWN message, no
+// conflation). The four cases — FileTooLargeError, TimeoutError,
+// other Error, non-Error — are the entire user-facing contract this
+// PR ships; each gets a dedicated assertion so a regression that
+// re-conflated them would surface here.
+
+describe("mapUploadErrorToReason", () => {
+  it("FileTooLargeError → surfaces the pre-flight message verbatim", () => {
+    const err = new FileTooLargeError(
+      101 * 1024 * 1024,
+      "File too large (got 101.0MB) — limit is 100MB. Please use a smaller file.",
+    );
+    const out = mapUploadErrorToReason(err);
+    // Verbatim, no "Upload failed:" prefix — the FileTooLargeError
+    // message is already a complete, user-facing sentence.
+    expect(out).toBe(err.message);
+    expect(out).not.toMatch(/^Upload failed:/);
+    // Must mention the cap so the user knows what to aim for.
+    expect(out).toContain("100MB");
+    // Must NOT mention timeout — wrong-reason conflation guard.
+    expect(out.toLowerCase()).not.toContain("timeout");
+    expect(out.toLowerCase()).not.toContain("connection");
+  });
+
+  it("TimeoutError → connection-too-slow message, NOT file-size", () => {
+    const err = new DOMException("signal timed out", "TimeoutError");
+    const out = mapUploadErrorToReason(err);
+    // The user-facing reason matches the design contract: tells the
+    // user the connection is slow, gives them the actionable retry
+    // hint, and does NOT mention file-size (pre-flight already
+    // excluded that — this is the case CTO flagged).
+    expect(out).toContain("Upload timed out");
+    expect(out).toContain("connection is too slow");
+    // CRITICAL negatives — guard against the wrong-reason conflation.
+    expect(out).not.toMatch(/100MB|file too large|File too large/);
+  });
+
+  it("plain Error from server (e.g. 413) → wraps with 'Upload failed:' + server reason", () => {
+    // What uploadChatFiles throws when res.ok is false. The message
+    // already encodes the status + body; the mapper just prefixes
+    // "Upload failed:" so the chat error banner makes sense.
+    const err = new Error("upload failed: 413 file exceeds per-file limit");
+    const out = mapUploadErrorToReason(err);
+    expect(out).toBe("Upload failed: upload failed: 413 file exceeds per-file limit");
+    // Server's actual reason must survive — that's the whole
+    // feedback_surface_actionable_failure_reason_to_user point.
+    expect(out).toContain("413");
+    expect(out).toContain("per-file limit");
+  });
+
+  it("non-Error throw → generic fallback", () => {
+    // A string-throw (or a frozen object) is unusual but possible in
+    // some catch paths. The fallback must NOT crash and must still
+    // give the user a non-empty reason.
+    expect(mapUploadErrorToReason("some random string")).toBe("Upload failed");
+    expect(mapUploadErrorToReason(undefined)).toBe("Upload failed");
+    expect(mapUploadErrorToReason(null)).toBe("Upload failed");
+    expect(mapUploadErrorToReason(42)).toBe("Upload failed");
+  });
+
+  it("an AbortError that ISN'T a TimeoutError falls through to generic Error path", () => {
+    // Belt-and-braces: a regression that loosened the name check to
+    // ANY DOMException would silently rewrite legitimate AbortError
+    // (user-initiated cancel) into "connection too slow". Pin the
+    // narrow check.
+    const err = new DOMException("user aborted", "AbortError");
+    const out = mapUploadErrorToReason(err);
+    // Falls through to non-Error branch (DOMException is not an Error
+    // subclass in node's vitest environment); accept either generic
+    // fallback or the Error-message form depending on the runtime.
+    expect(out).not.toContain("connection is too slow");
+    expect(out).not.toContain("File too large");
+  });
+});
@@ -0,0 +1,178 @@
+// @vitest-environment jsdom
+//
+// Task #227 — external/MCP workspace progress UX parity.
+//
+// ws-server's `proxyA2ARequest` poll-mode short-circuit
+// (workspace-server/internal/handlers/a2a_proxy.go:402-432) returns a
+// synthetic `{status:"queued", delivery_mode:"poll", method:"message/send"}`
+// HTTP 200 within ~50ms when the target workspace is registered with
+// `delivery_mode=poll` — i.e. an operator's laptop running
+// `molecule-mcp-claude-channel`, a hermes/codex MCP bridge, or a Cursor
+// MCP client. The real agent reply arrives separately via the
+// AGENT_MESSAGE WebSocket event after the agent's next
+// `wait_for_message` poll (could be 1s, could be 60s).
+//
+// Pre-#227 behaviour: useChatSend treated the queued-200 as a successful
+// round-trip — extractReplyText returned "", no agent bubble was
+// created, `releaseSendGuards` flipped `sending` off, and the user saw
+// dead silence between their user bubble and the eventual reply with
+// NO progress indicator. That's the user-reported gap this task fixes.
+//
+// These tests pin the new behaviour: on a queued-200, the hook MUST NOT
+// call onAgentMessage (no empty bubble) AND MUST NOT call
+// releaseSendGuards (spinner persists). The eventual AGENT_MESSAGE WS
+// event is what clears the spinner — that path is covered by
+// useChatSocket.test.tsx already.
+
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { renderHook, act } from "@testing-library/react";
+
+// Capture the api.post invocations + control responses per-test.
+const apiPostMock = vi.fn<
+  (url: string, body?: unknown, opts?: unknown) => Promise<unknown>
+>();
+vi.mock("@/lib/api", () => ({
+  api: {
+    post: (url: string, body?: unknown, opts?: unknown) =>
+      apiPostMock(url, body, opts),
+    get: vi.fn(),
+  },
+}));
+
+// uploads — tests don't go through the upload path; stub the helpers
+// useChatSend imports so the module loads.
+vi.mock("../../uploads", () => ({
+  uploadChatFiles: vi.fn(),
+  FileTooLargeError: class FileTooLargeError extends Error {},
+}));
+
+// types — re-export the createMessage helper unchanged; only the
+// uploads stub matters above.
+import { useChatSend } from "../useChatSend";
+
+beforeEach(() => {
+  apiPostMock.mockReset();
+});
+
+describe("useChatSend — poll-mode (external/MCP) queued-200 handling — task #227", () => {
+  it("does NOT call onAgentMessage when the synthetic {status:'queued'} response lands (no empty bubble)", async () => {
+    // Mock the platform's poll-mode short-circuit response shape exactly
+    // as ws-server's `proxyA2ARequest` returns it (a2a_proxy.go:420-431).
+    apiPostMock.mockResolvedValueOnce({
+      status: "queued",
+      delivery_mode: "poll",
+      method: "message/send",
+    });
+
+    const onUserMessage = vi.fn();
+    const onAgentMessage = vi.fn();
+
+    const { result } = renderHook(() =>
+      useChatSend("ws-poll-target", {
+        getHistoryMessages: () => [],
+        onUserMessage,
+        onAgentMessage,
+      }),
+    );
+
+    await act(async () => {
+      await result.current.sendMessage("hello external workspace");
+      // Yield one microtask so the .then runs.
+      await Promise.resolve();
+    });
+
+    // User bubble fires — the user typed, that part is unconditional.
+    expect(onUserMessage).toHaveBeenCalledTimes(1);
+    // CRITICAL: no agent bubble. extractReplyText on a queued envelope
+    // returns "" — the pre-#227 code would still have hit the
+    // "releaseSendGuards + no bubble" path, BUT it would have ended
+    // `sending`. The new code returns early BEFORE that release, so the
+    // contract under test is "no synthesised empty bubble".
+    expect(onAgentMessage).not.toHaveBeenCalled();
+  });
+
+  it("keeps `sending` true after a queued-200 — the spinner must persist until the real AGENT_MESSAGE arrives", async () => {
+    apiPostMock.mockResolvedValueOnce({
+      status: "queued",
+      delivery_mode: "poll",
+      method: "message/send",
+    });
+
+    const { result } = renderHook(() =>
+      useChatSend("ws-poll-target", {
+        getHistoryMessages: () => [],
+      }),
+    );
+
+    await act(async () => {
+      await result.current.sendMessage("waiting for the operator laptop");
+      await Promise.resolve();
+    });
+
+    // The spinner-driving state is `sending`. On a queued-200, it must
+    // remain true — clearing it here is the exact bug task #227
+    // resurfaces (collapsing the spinner before the agent has even seen
+    // the message).
+    expect(result.current.sending).toBe(true);
+  });
+
+  it("ALSO keeps `sending` true even after a follow-up microtask flush — guards against an accidental late release", async () => {
+    // Defense: ensure no chained .then / .finally accidentally calls
+    // releaseSendGuards on the queued path. Run several microtask
+    // ticks and re-assert.
+    apiPostMock.mockResolvedValueOnce({
+      status: "queued",
+      delivery_mode: "poll",
+    });
+
+    const { result } = renderHook(() =>
+      useChatSend("ws-poll-target", {
+        getHistoryMessages: () => [],
+      }),
+    );
+
+    await act(async () => {
+      await result.current.sendMessage("late-release-guard");
+      // Flush multiple microtask ticks.
+      await Promise.resolve();
+      await Promise.resolve();
+      await Promise.resolve();
+    });
+
+    expect(result.current.sending).toBe(true);
+  });
+
+  it("push-mode (real reply parts) still flips sending=false + creates an agent bubble — non-regression for the default path", async () => {
+    // Sanity-check the push path still works: a real reply must call
+    // onAgentMessage and flip sending=false. Without this assertion an
+    // overzealous "return early on any non-result body" would silently
+    // break the dominant push-mode path.
+    apiPostMock.mockResolvedValueOnce({
+      result: {
+        parts: [{ kind: "text", text: "hi from native workspace" }],
+      },
+    });
+
+    const onAgentMessage = vi.fn();
+    const { result } = renderHook(() =>
+      useChatSend("ws-native-push", {
+        getHistoryMessages: () => [],
+        onAgentMessage,
+      }),
+    );
+
+    await act(async () => {
+      await result.current.sendMessage("native push test");
+      await Promise.resolve();
+    });
+
+    expect(onAgentMessage).toHaveBeenCalledTimes(1);
+    const msg = onAgentMessage.mock.calls[0][0] as {
+      role: string;
+      content: string;
+    };
+    expect(msg.role).toBe("agent");
+    expect(msg.content).toBe("hi from native workspace");
+    expect(result.current.sending).toBe(false);
+  });
+});
@@ -0,0 +1,211 @@
+// @vitest-environment jsdom
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+import { renderHook, act } from "@testing-library/react";
+
+// Capture the handler so we can drive WS events from tests. useSocketEvent
+// stores the latest handler in a ref under the hood, but since we mock
+// the hook entirely, just remember the last passed-in handler.
+let capturedHandler: ((msg: unknown) => void) | null = null;
+vi.mock("@/hooks/useSocketEvent", () => ({
+  useSocketEvent: (h: (msg: unknown) => void) => {
+    capturedHandler = h;
+  },
+}));
+
+// Canvas store mock — useChatSocket calls
+// useCanvasStore.getState().nodes for peer name resolution and reads
+// agentMessages via the selector form. Support both.
+vi.mock("@/store/canvas", () => {
+  const state = {
+    nodes: [
+      { id: "ws-self", data: { name: "Self" } },
+      { id: "ws-peer", data: { name: "Peer Agent" } },
+    ],
+    agentMessages: {} as Record<string, unknown[]>,
+    consumeAgentMessages: () => [],
+  };
+  const hook = (selector?: (s: typeof state) => unknown) =>
+    selector ? selector(state) : state;
+  hook.getState = () => state;
+  return { useCanvasStore: hook };
+});
+
+import { useChatSocket } from "../useChatSocket";
+
+beforeEach(() => {
+  capturedHandler = null;
+});
+
+afterEach(() => {
+  vi.clearAllMocks();
+});
+
+// Helper: assemble an ACTIVITY_LOGGED a2a_receive error event the way
+// the ws-server emits one when a peer call errors out. Fields mirror
+// workspace-server/internal/handlers/activity.go::logActivityExec
+// broadcast payload shape.
+function makeActivityErrorEvent(opts: { workspaceId: string; targetId?: string; errorDetail?: string | undefined }) {
+  return {
+    event: "ACTIVITY_LOGGED",
+    workspace_id: opts.workspaceId,
+    payload: {
+      activity_type: "a2a_receive",
+      method: "message/send",
+      status: "error",
+      target_id: opts.targetId ?? opts.workspaceId,
+      duration_ms: 1500,
+      ...(opts.errorDetail !== undefined ? { error_detail: opts.errorDetail } : {}),
+    },
+    timestamp: "2026-05-18T00:00:00Z",
+  };
+}
+
+describe("useChatSocket — surface error_detail to onSendError (internal#212)", () => {
+  it("forwards the secret-safe error_detail from the broadcast as the onSendError reason", () => {
+    const onSendError = vi.fn();
+    const onSendComplete = vi.fn();
+    renderHook(() =>
+      useChatSocket("ws-self", {
+        onSendError,
+        onSendComplete,
+      }),
+    );
+
+    expect(capturedHandler).not.toBeNull();
+    act(() => {
+      capturedHandler!(
+        makeActivityErrorEvent({
+          workspaceId: "ws-self",
+          errorDetail:
+            "Anthropic 403 oauth_org_not_allowed: Your organization has disabled Claude subscription access for Claude Code",
+        }),
+      );
+    });
+
+    // The hook must NOT fall back to the opaque hardcoded
+    // "Agent error (Exception) — see workspace logs for details." —
+    // that was internal#212. When the broadcast carries an
+    // error_detail, that string is the user-facing reason.
+    expect(onSendError).toHaveBeenCalledTimes(1);
+    const reason = onSendError.mock.calls[0][0] as string;
+    expect(reason).toContain("403");
+    expect(reason).toContain("oauth_org_not_allowed");
+    expect(reason).toContain("disabled Claude subscription");
+    expect(reason).not.toMatch(/see workspace logs for details/i);
+  });
+
+  it("gracefully degrades to the legacy opaque message when error_detail is absent (older ws-server)", () => {
+    // An older ws-server doesn't include error_detail in the payload.
+    // The hook must still fire onSendError with the legacy hardcoded
+    // text so the chat banner has SOMETHING to show. The fix is
+    // additive — never depend on the new field's presence.
+    const onSendError = vi.fn();
+    renderHook(() =>
+      useChatSocket("ws-self", {
+        onSendError,
+      }),
+    );
+
+    act(() => {
+      capturedHandler!(makeActivityErrorEvent({ workspaceId: "ws-self" }));
+    });
+
+    expect(onSendError).toHaveBeenCalledTimes(1);
+    const reason = onSendError.mock.calls[0][0] as string;
+    // Legacy boilerplate is the floor — never silently swallow.
+    expect(reason.length).toBeGreaterThan(0);
+  });
+
+  // Task #227 — external/MCP (poll-mode) workspace progress UX.
+  //
+  // ws-server's `proxyA2ARequest` poll-mode short-circuit fires the
+  // ACTIVITY_LOGGED a2a_receive with status="ok" and NO duration_ms (no
+  // reply yet — the request is queued for the agent's next poll). Before
+  // task #227 the (status==="ok" && durationMs) guard silently dropped
+  // this row, so the chat UI had ZERO progress signal between "user
+  // typed" and "agent eventually polled and replied". Lock the queued
+  // line in so future refactors don't regress to the silent-drop state.
+  it("emits a 'queued — will pick up on next poll' activity line when a2a_receive status=ok has no duration_ms (poll-mode)", () => {
+    const onActivityLog = vi.fn();
+    renderHook(() =>
+      useChatSocket("ws-self", {
+        onActivityLog,
+      }),
+    );
+
+    expect(capturedHandler).not.toBeNull();
+    act(() => {
+      capturedHandler!({
+        event: "ACTIVITY_LOGGED",
+        workspace_id: "ws-self",
+        payload: {
+          activity_type: "a2a_receive",
+          method: "message/send",
+          status: "ok",
+          target_id: "ws-self",
+          // No duration_ms — this is the queued-for-poll signal.
+        },
+        timestamp: "2026-05-20T00:00:00Z",
+      });
+    });
+
+    expect(onActivityLog).toHaveBeenCalledTimes(1);
+    const line = onActivityLog.mock.calls[0][0] as string;
+    // The line MUST be present (not the empty-string silent-drop pattern)
+    // and MUST mention the queued state so the user has actionable signal.
+    expect(line.length).toBeGreaterThan(0);
+    expect(line.toLowerCase()).toMatch(/queued|poll/);
+  });
+
+  // Pair with the above: poll-mode acknowledgement must NOT prematurely
+  // call onSendComplete — the spinner has to stay up until the actual
+  // AGENT_MESSAGE reply lands. (The reply-success path with duration_ms
+  // still calls onSendComplete; that's the push-mode case.)
+  it("does NOT call onSendComplete on a poll-mode queued a2a_receive (spinner must persist)", () => {
+    const onSendComplete = vi.fn();
+    renderHook(() =>
+      useChatSocket("ws-self", {
+        onSendComplete,
+      }),
+    );
+
+    act(() => {
+      capturedHandler!({
+        event: "ACTIVITY_LOGGED",
+        workspace_id: "ws-self",
+        payload: {
+          activity_type: "a2a_receive",
+          method: "message/send",
+          status: "ok",
+          target_id: "ws-self",
+          // No duration_ms.
+        },
+        timestamp: "2026-05-20T00:00:00Z",
+      });
+    });
+
+    expect(onSendComplete).not.toHaveBeenCalled();
+  });
+
+  it("ignores errors targeted at a different workspace's peer", () => {
+    // Defense against a race where the WS hub fans out to all clients —
+    // each chat panel must only react when target_id matches its own
+    // workspace.
+    const onSendError = vi.fn();
+    renderHook(() =>
+      useChatSocket("ws-self", {
+        onSendError,
+      }),
+    );
+    act(() => {
+      capturedHandler!(
+        makeActivityErrorEvent({
+          workspaceId: "ws-self",
+          targetId: "ws-someone-else",
+          errorDetail: "irrelevant",
+        }),
+      );
+    });
+    expect(onSendError).not.toHaveBeenCalled();
+  });
+});
@@ -2,7 +2,7 @@

 import { useCallback, useRef, useState } from "react";
 import { api } from "@/lib/api";
-import { uploadChatFiles } from "../uploads";
+import { uploadChatFiles, FileTooLargeError } from "../uploads";
 import { createMessage, type ChatMessage, type ChatAttachment } from "../types";
 import { extractFilesFromTask } from "../message-parser";

@@ -22,6 +22,28 @@ interface A2AResponse {
    parts?: A2APart[];
    artifacts?: Array<{ parts: A2APart[] }>;
  };
+  /** Set by ws-server's poll-mode short-circuit in `proxyA2ARequest`
+   *  (a2a_proxy.go:416-431) when the target workspace is registered as
+   *  `delivery_mode=poll` — e.g. an operator's laptop running
+   *  `molecule-mcp-claude-channel`, a hermes/codex MCP bridge, or a
+   *  Cursor MCP client. The HTTP 200 carries the synthetic envelope
+   *  `{status:"queued", delivery_mode:"poll", method:"message/send"}`
+   *  immediately (~50ms), BEFORE the agent has produced a reply.
+   *
+   *  Task #227 routing: when this field is "queued" the caller must NOT
+   *  treat the 200 as "agent done" — there are no `result.parts` yet
+   *  (the reply will arrive separately via the AGENT_MESSAGE WS event
+   *  after the agent's next poll). Keep the spinner up; the eventual
+   *  AGENT_MESSAGE flips `sending` off via the existing useChatSocket
+   *  `onSendComplete` path. Without this distinction the spinner
+   *  disappeared immediately and external/MCP workspaces had no progress
+   *  UX between send and reply. */
+  status?: string;
+  /** Companion to `status` — "poll" when the queued short-circuit fired.
+   *  Defensive: we key the poll-mode-skip decision on status==="queued"
+   *  (the canonical signal) rather than on this field, but it's surfaced
+   *  here so future debugging / tests can assert on the full envelope. */
+  delivery_mode?: string;
 }

 export function extractReplyText(resp: A2AResponse): string {
@@ -46,6 +68,52 @@ export function extractReplyText(resp: A2AResponse): string {
  return collected.join("\n");
 }

+/** Map a thrown error from `uploadChatFiles` to the user-facing reason
+ *  shown in the chat error banner.
+ *
+ *  Cases (per `feedback_surface_actionable_failure_reason_to_user` —
+ *  user-facing failures MUST tell the user WHY):
+ *
+ *    1. FileTooLargeError → use the error's message verbatim. The
+ *       pre-flight already built the actionable string with the actual
+ *       size + the cap; don't re-wrap it (which would prepend a
+ *       redundant "Upload failed:" prefix).
+ *
+ *    2. DOMException name="TimeoutError" → AbortSignal.timeout fired
+ *       during the fetch. Pre-flight already excluded file-size, so
+ *       this CANNOT mean "file too large". Surface a connection-speed
+ *       message — the user's actionable next step is retry or check
+ *       network, NOT shrink the file.
+ *
+ *    3. Other Error → use the wrapped form so the server's reason
+ *       (e.g. "upload failed: 413 ...") reaches the user instead of
+ *       being swallowed.
+ *
+ *    4. Non-Error throw → generic fallback.
+ *
+ *  Exported for unit testing — the case-by-case mapping is the
+ *  load-bearing contract this PR ships. */
+export function mapUploadErrorToReason(e: unknown): string {
+  if (e instanceof FileTooLargeError) {
+    // Already a complete, user-facing sentence — surface verbatim.
+    return e.message;
+  }
+  // DOMException with name="TimeoutError" is what AbortSignal.timeout
+  // produces on abort. Browsers represent it as a DOMException, not a
+  // regular Error subclass — feature-detect via .name to avoid coupling
+  // to a global that's missing in test envs.
+  if (
+    e !== null && typeof e === "object" &&
+    "name" in e && (e as { name: unknown }).name === "TimeoutError"
+  ) {
+    return "Upload timed out — your connection is too slow for this file. Try again, or reduce file size.";
+  }
+  if (e instanceof Error) {
+    return `Upload failed: ${e.message}`;
+  }
+  return "Upload failed";
+}
+
 export interface UseChatSendOptions {
  getHistoryMessages: () => ChatMessage[];
  onUserMessage?: (msg: ChatMessage) => void;
@@ -85,9 +153,12 @@ export function useChatSend(workspaceId: string, options: UseChatSendOptions) {
        } catch (e) {
          setUploading(false);
          sendInFlightRef.current = false;
-          setError(
-            e instanceof Error ? `Upload failed: ${e.message}` : "Upload failed",
-          );
+          // Error-reason routing (CTO 2026-05-19 on forensic a99ab0a1:
+          // "if its file size issue, should have error that instead
+          // saying timeout which is wrong"). Each cause maps to ITS
+          // OWN message — NO conflation between file-size and
+          // connection-too-slow.
+          setError(mapUploadErrorToReason(e));
          return;
        }
        setUploading(false);
@@ -146,6 +217,30 @@ export function useChatSend(workspaceId: string, options: UseChatSendOptions) {
            sendInFlightRef.current = false;
            return;
          }
+          // Task #227 — poll-mode (external/MCP workspace) queued-200
+          // short-circuit. ws-server's `proxyA2ARequest` returns
+          // `{status:"queued", delivery_mode:"poll", ...}` immediately
+          // when the target has no URL (delivery_mode=poll), BEFORE the
+          // agent has produced any reply. There is no `result.parts`
+          // payload here — the actual reply will arrive separately via
+          // the AGENT_MESSAGE WebSocket event after the agent's next
+          // `wait_for_message` poll.
+          //
+          // Keep the spinner up by deliberately NOT calling
+          // releaseSendGuards: the user-facing "thinking" state must
+          // persist until the AGENT_MESSAGE lands (handled by the
+          // useChatSocket `onAgentMessage`/`onSendComplete` path) or an
+          // explicit error fires (`onSendError` from an ACTIVITY_LOGGED
+          // status="error"). Don't synthesise an empty agent bubble.
+          //
+          // sendInFlightRef stays true intentionally — it's the dedup
+          // guard for the user typing two messages back-to-back; for
+          // poll mode the second message would race the first agent's
+          // reply, so blocking is correct (matches push-mode behaviour
+          // where `sending` blocks the textarea).
+          if (resp?.status === "queued") {
+            return;
+          }
          const replyText = extractReplyText(resp);
          const replyFiles = extractFilesFromTask(
            (resp?.result ?? {}) as Record<string, unknown>,
@@ -62,14 +62,47 @@ export function useChatSocket(
            line = `← ${targetName} responded (${sec}s)`;
            const own = (targetId || msg.workspace_id) === workspaceId;
            if (own) callbacksRef.current.onSendComplete?.();
+          } else if (status === "ok" && !durationMs) {
+            // Task #227 — poll-mode (external/MCP workspace) queued receipt.
+            // ws-server `logA2AReceiveQueued` writes a "received but no
+            // reply yet" row with status="ok" and NO duration_ms, then
+            // immediately returns the synthetic {status:"queued"} 200 to
+            // the caller. Before this branch the row was silently dropped
+            // by the (status==="ok" && durationMs) guard above — leaving
+            // the chat UI with zero progress signal for the entire window
+            // between "user typed" and "agent eventually polled and
+            // replied". Surface the queued state explicitly so the user
+            // sees acknowledgement (matches the queued-delegation
+            // indicator in AgentCommsPanel.WaitingBubbles).
+            //
+            // We intentionally do NOT call onSendComplete here: the
+            // outbound is not done — only acknowledged. The MyChatPanel
+            // spinner stays up until the actual AGENT_MESSAGE reply lands
+            // (poll path) or an explicit error fires (which still hits
+            // the status==="error" branch below).
+            line = `⧗ ${targetName} queued — agent will pick up on next poll`;
          } else if (status === "error") {
            line = `⚠ ${targetName} error`;
            const own = (targetId || msg.workspace_id) === workspaceId;
            if (own) {
              callbacksRef.current.onSendComplete?.();
-              callbacksRef.current.onSendError?.(
-                "Agent error (Exception) — see workspace logs for details.",
-              );
+              // internal#212 — surface the actionable, secret-safe
+              // failure reason (provider HTTP status + error code +
+              // human-readable message) the ws-server now puts on
+              // ACTIVITY_LOGGED.error_detail. The old hardcoded
+              // "Agent error (Exception) — see workspace logs for
+              // details." is the fallback only — it pointed at a
+              // workspace-logs tab that doesn't exist, telling the
+              // user nothing they could act on.
+              //
+              // Graceful degradation: older ws-server builds don't
+              // include error_detail, so the legacy boilerplate is
+              // still the floor (never silently swallow).
+              const detail = (p.error_detail as string) || "";
+              const reason = detail
+                ? detail
+                : "Agent error (Exception) — see workspace logs for details.";
+              callbacksRef.current.onSendError?.(reason);
            }
          }
        } else if (type === "a2a_send") {
@@ -1,6 +1,55 @@
 import { PLATFORM_URL, platformAuthHeaders } from "@/lib/api";
 import type { ChatAttachment } from "./types";

+/** Hard cap on a single chat upload. Pre-flight gate: this constant is
+ *  checked BEFORE any network I/O so a file-size violation surfaces
+ *  immediately with an actionable reason ("File too large (got X MB)
+ *  — limit is 100MB") rather than as a downstream timeout or 413.
+ *
+ *  SERVER_MIRROR: keep aligned with
+ *    - workspace-server/internal/handlers/chat_files.go chatUploadMaxBytes
+ *    - workspace/internal_chat_uploads.py CHAT_UPLOAD_MAX_BYTES /
+ *      CHAT_UPLOAD_MAX_FILE_BYTES
+ *
+ *  Three mirror sites exist because each layer must enforce / pre-flight
+ *  on its own (no shared codegen yet). Tracked for SSOT follow-up:
+ *  expose via GET /uploads/limits so the client can fetch the live cap
+ *  instead of duplicating the constant. */
+export const MAX_UPLOAD_BYTES = 100 * 1024 * 1024;
+
+/** Thrown by `uploadChatFiles` when a candidate file exceeds
+ *  MAX_UPLOAD_BYTES. Caught by `useChatSend` and surfaced verbatim —
+ *  the message is already user-actionable. Distinct name lets the
+ *  catch path route it correctly without parsing the message string.
+ *
+ *  Why a distinct class instead of a sentinel string match: the catch
+ *  in `useChatSend` already needs to discriminate this case from a
+ *  `TimeoutError` (which has a structurally similar surface but a
+ *  DIFFERENT root cause). Conflating them was the bug CTO flagged on
+ *  forensic a99ab0a1: "if its file size issue, should have error that
+ *  instead saying timeout which is wrong". */
+export class FileTooLargeError extends Error {
+  readonly name = "FileTooLargeError";
+  readonly fileSize: number;
+  constructor(fileSize: number, message: string) {
+    super(message);
+    this.fileSize = fileSize;
+  }
+}
+
+/** Compute the abort timeout for an upload of `totalBytes`. Floor at
+ *  60s (small-file ergonomics: a 100 KB image shouldn't wait 1000s to
+ *  see a typo'd hostname surface as a connect error). Above the floor,
+ *  scale linearly at ~100 KB/s assumed minimum uplink — at the 100 MB
+ *  cap this yields ~1000s, comfortable for the slow-mobile-tether case
+ *  that motivated forensic a99ab0a1 (Ryan's >50 MB upload aborted at
+ *  the fixed 60s timeout while still streaming).
+ *
+ *  Exported for the unit test that pins the curve at the boundary. */
+export function computeUploadTimeoutMs(totalBytes: number): number {
+  return Math.max(60_000, totalBytes / 100); // 100KB/s → ms = bytes/100
+}
+
 /** Chat attachments are intentionally uploaded via a direct fetch()
 *  instead of the `api.post` helper — `api.post` JSON-stringifies the
 *  body, which would 500 on a Blob. Auth headers (tenant slug, admin
@@ -10,25 +59,57 @@ import type { ChatAttachment } from "./types";
 *  Content-Type so the browser writes the multipart boundary into the
 *  header; setting it manually would yield a multipart body the server
 *  can't parse. See lib/api.ts platformAuthHeaders() for the full
- *  rationale on why this pair must stay matched. */
+ *  rationale on why this pair must stay matched.
+ *
+ *  Failure-reason contract (CTO 2026-05-19 directive on forensic
+ *  a99ab0a1: each cause maps to ITS OWN message, no conflation):
+ *    1. file.size > MAX_UPLOAD_BYTES  → throws FileTooLargeError
+ *       BEFORE any network I/O, with the offending size + the cap.
+ *    2. fetch aborts via AbortSignal  → DOMException name="TimeoutError";
+ *       caller surfaces "connection too slow" (file-size already
+ *       excluded by gate 1, so the TimeoutError CANNOT mean file-size).
+ *    3. server returns !res.ok        → throws Error with the server's
+ *       reason embedded (status + body); caller surfaces verbatim.
+ *    4. any other thrown error        → falls through as-is. */
 export async function uploadChatFiles(
  workspaceId: string,
  files: File[],
 ): Promise<ChatAttachment[]> {
  if (files.length === 0) return [];

+  // PRE-FLIGHT: bail before any network I/O if any file exceeds the cap.
+  // After this gate, an AbortSignal.timeout firing during the fetch
+  // CANNOT be attributed to file size — it's necessarily a slow
+  // connection. That distinction is what makes the downstream error
+  // mapping unambiguous.
+  let totalBytes = 0;
+  for (const f of files) {
+    if (f.size > MAX_UPLOAD_BYTES) {
+      const sizeMb = (f.size / (1024 * 1024)).toFixed(1);
+      throw new FileTooLargeError(
+        f.size,
+        `File too large (got ${sizeMb}MB) — limit is 100MB. Please use a smaller file.`,
+      );
+    }
+    totalBytes += f.size;
+  }
+
  const form = new FormData();
  for (const f of files) form.append("files", f, f.name);

-  // Uploads legitimately take a while on cold cache (tar write +
-  // docker cp into the container). 60s is comfortable for the 25MB/
-  // 50MB caps the server enforces.
+  // Scale the abort timeout with payload size so a legitimate slow-
+  // uplink upload of a large file isn't aborted before the body has
+  // finished streaming. The fixed 60s previous-version was the root
+  // cause of forensic a99ab0a1: Ryan's ~60 MB upload over a constrained
+  // uplink streamed past 60s, AbortSignal fired client-side, server
+  // got a truncated body, the user saw "signal timed out" — when the
+  // real cause was simply "uplink slower than our hard-coded deadline".
  const res = await fetch(`${PLATFORM_URL}/workspaces/${workspaceId}/chat/uploads`, {
    method: "POST",
    headers: platformAuthHeaders(),
    body: form,
    credentials: "include",
-    signal: AbortSignal.timeout(60_000),
+    signal: AbortSignal.timeout(computeUploadTimeoutMs(totalBytes)),
  });
  if (!res.ok) {
    const text = await res.text().catch(() => "");
@@ -523,6 +523,9 @@ export function buildNodesAndEdges(
        // that don't yet include these columns in the GET response.
        broadcastEnabled: ws.broadcast_enabled ?? false,
        talkToUserEnabled: ws.talk_to_user_enabled ?? true,
+        // A2A delivery mode (task #227). Absent on older ws-server builds
+        // — leave undefined so the chat UI's "?? 'push'" fallback applies.
+        deliveryMode: ws.delivery_mode,
      },
    };
    if (hasParent) {
@@ -106,6 +106,28 @@ export interface WorkspaceNodeData extends Record<string, unknown> {
   *  send_message_to_user / POST /notify return 403 and the canvas
   *  shows a "not enabled" state with a button to re-enable. Default true. */
  talkToUserEnabled?: boolean;
+  /** A2A inbound delivery mode for this workspace — "push" (default —
+   *  synchronous HTTP dispatch by ws-server `proxyA2ARequest`) or "poll"
+   *  (workspace has no URL; ws-server logs the request and the agent
+   *  consumes it via `wait_for_message` / GET /activity?since_id=).
+   *
+   *  Why surfaced to the UI: poll-mode targets (external/MCP workspaces:
+   *  `molecule-mcp-claude-channel` on an operator laptop, hermes/codex
+   *  bridge clients, Cursor MCP) acknowledge a canvas `message/send` with
+   *  a synthetic `{status:"queued"}` 200 within ~50ms. Without this flag
+   *  the chat UI cannot tell that gap from a real round-trip — the
+   *  spinner disappears immediately and the user sees dead silence until
+   *  the agent eventually polls and replies via the AGENT_MESSAGE WS
+   *  event (could be seconds, could be minutes). Task #227 — render a
+   *  "queued — agent will pick up on next poll" state for poll-mode
+   *  sends so external/MCP workspaces have progress UX parity with
+   *  native runtimes (claude-code / codex / hermes / openclaw).
+   *
+   *  Sourced from the GET /workspaces response (`delivery_mode` snake_case
+   *  field, mapped here in canvas-topology.ts). Absent on older platform
+   *  builds — that fallthrough is treated as "push" to match
+   *  ws-server's `lookupDeliveryMode` default. */
+  deliveryMode?: string;
 }

 export type PanelTab = "details" | "skills" | "chat" | "terminal" | "config" | "schedule" | "channels" | "files" | "memory" | "traces" | "events" | "activity" | "audit";
@@ -342,6 +342,16 @@ export interface WorkspaceData {
  /** Workspace ability flags (migration 20260514). */
  broadcast_enabled?: boolean;
  talk_to_user_enabled?: boolean;
+  /** A2A delivery mode for inbound messages — "push" (default, synchronous
+   *  HTTP dispatch to `url`) or "poll" (queued to activity_logs, agent
+   *  picks up via `wait_for_message` / GET /activity?since_id=). Surfaced
+   *  in the GET /workspaces response since #2339 PR 1; older platform
+   *  versions return it absent so the canvas treats absent as "push" (the
+   *  documented default in `lookupDeliveryMode`). Used by the chat UI to
+   *  render an "agent will pick up on next poll" indicator instead of
+   *  collapsing the spinner the moment the synchronous queued-200 returns
+   *  (task #227 — external/MCP workspaces had no progress UX). */
+  delivery_mode?: string;
 }

 let socket: ReconnectingSocket | null = null;
@@ -17,7 +17,7 @@ Canvas (Next.js :3000) ←WebSocket→ Platform (Go :8080) ←HTTP→ Postgres +

 - **Workspace Server** (`workspace-server/`): Go/Gin control plane — workspace CRUD, registry, discovery, WebSocket hub, liveness monitoring.
 - **Canvas** (`canvas/`): Next.js 15 + React Flow (@xyflow/react v12) + Zustand + Tailwind — visual workspace graph.
- **Workspace Runtime** (`workspace/`): Shared runtime published as [`molecule-ai-workspace-runtime`](https://pypi.org/project/molecule-ai-workspace-runtime/) on PyPI. Supports LangGraph, Claude Code, OpenClaw, DeepAgents, CrewAI, AutoGen. Each adapter lives in its own standalone template repo (e.g. `molecule-ai-workspace-template-claude-code`). See `docs/workspace-runtime-package.md` for the full picture.
+- **Workspace Runtime**: Shared runtime published from [`molecule-ai-workspace-runtime`](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-runtime) to the Molecule AI Gitea package registry. Supports LangGraph, Claude Code, OpenClaw, Hermes, Codex, and AutoGen. Each adapter lives in its own standalone template repo (e.g. `molecule-ai-workspace-template-claude-code`). See `docs/workspace-runtime-package.md` for the full picture.
 - **molecli** (`workspace-server/cmd/cli/`): Go TUI dashboard (Bubbletea + Lipgloss) — real-time workspace monitoring, event log, health overview, delete/filter operations.

 ## Key Architectural Patterns
@@ -1,304 +1,44 @@
-# Workspace Runtime PyPI Package
+# Workspace Runtime Package

-## Requires Python >= 3.11
+`molecule-ai-workspace-runtime` is the shared Python runtime consumed by
+workspace template images and by external MCP integrations.

-The wheel pins `requires_python>=3.11`. On Python 3.10 or older, `pip install
-molecule-ai-workspace-runtime` fails with `Could not find a version that
-satisfies the requirement (from versions: none)` — the pin filters the only
-available artifact before pip even attempts install. Upgrade the interpreter
-(`brew install python@3.12` / `apt install python3.12` / etc.) or use a
-3.11+ venv.
+## Source Of Truth

-## Overview
+The source of truth is the standalone Gitea repo:

-The shared workspace runtime infrastructure has **one editable source** and
-**one published artifact**:
-
-1. **Source of truth (monorepo, editable):** `workspace/` — every runtime
-   change lands here. Edit it like any other monorepo code.
-2. **Published artifact (PyPI, generated):** [`molecule-ai-workspace-runtime`](https://pypi.org/project/molecule-ai-workspace-runtime/)
-   — produced by `.github/workflows/publish-runtime.yml` on every
-   `runtime-vX.Y.Z` tag push. Do NOT edit this independently — it gets
-   overwritten on every publish.
-
-The legacy sibling repo `molecule-ai-workspace-runtime` (the GitHub repo, as
-distinct from the PyPI package) is no longer the source-of-truth and should
-be treated as a publish artifact only. It can be archived or used as a
-read-only mirror.
-
-## Where to make changes
-
-**All runtime edits land in `molecule-monorepo/workspace/`. Period.**
-
-The GitHub repo `Molecule-AI/molecule-ai-workspace-runtime` is **mirror-only**.
-It exists so external consumers (template repos, downstream operators) have a
-git-cloneable artifact that mirrors the PyPI wheel — nothing more.
-
- **Direct PRs against `molecule-ai-workspace-runtime` are auto-rejected by
-  the `mirror-guard` CI check.** The check fails any push that did not come
-  from the publish pipeline. There is no opt-out — file the change against
-  `molecule-monorepo/workspace/` instead.
- **The mirror + the PyPI wheel both auto-regenerate on every push to
-  `staging`** via `.github/workflows/publish-runtime.yml` (which calls
-  `scripts/build_runtime_package.py`, builds wheel + sdist, smoke-imports,
-  uploads to PyPI via Trusted Publisher, and force-pushes the rewritten tree
-  to the mirror repo). You never touch the mirror by hand.
-
-If you have an old local clone of the mirror and try to push a fix to it
-directly, expect a CI failure with a message pointing you here. Re-open the
-change against `molecule-monorepo/workspace/` and let the publish workflow
-do the rest.
-
-## Why this shape
-
-The 8 workspace template repos (claude-code, langgraph, hermes, etc.) each
-build their own Docker image and `pip install molecule-ai-workspace-runtime`
-from PyPI. PyPI is the right distribution channel — semver, reproducible
-builds, no submodule dance per-repo. But the runtime ALSO needs to evolve
-in lock-step with the platform's wire protocol (queue shape, A2A metadata,
-event payloads). Shipping cross-cutting protocol changes as separate
-runtime + platform PRs in two repos creates ordering pain and broken
-intermediate states.
-
-The monorepo + auto-publish split gives both: edit cross-cutting changes
-in one PR, publish the runtime artifact via a tag.
-
-## What's in the package
-
-Everything in `workspace/*.py` plus the `adapters/`, `builtin_tools/`,
-`plugins_registry/`, `policies/`, `skill_loader/` subpackages. Build
-artifacts (`Dockerfile`, `*.sh`, `pytest.ini`, `requirements.txt`) are
-excluded.
-
-The build script rewrites bare imports so the published package is a
-proper Python namespace:
-
-```
-# In monorepo workspace/:
-from a2a_client import discover_peer
-from builtin_tools.memory import store
-
-# In published molecule_runtime/ (auto-rewritten at publish time):
-from molecule_runtime.a2a_client import discover_peer
-from molecule_runtime.builtin_tools.memory import store
+```text
+https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-runtime
 ```

-The closed allowlist of rewritten module names lives in
-`scripts/build_runtime_package.py` (`TOP_LEVEL_MODULES` + `SUBPACKAGES`).
-Add a new top-level module to workspace/? Add it to the allowlist in the
-same PR.
+Do not add runtime source back under `molecule-core/workspace/`. The core repo
+owns the platform server, canvas, provisioning, and tests around the installed
+runtime package.

-## Adapter repos
+## Package Registry

-Each of the 8 adapter template repos contains:
- `adapter.py` — runtime-specific `Adapter` class
- `requirements.txt` — `molecule-ai-workspace-runtime>=0.1.X` + adapter deps
- `Dockerfile` — standalone image with `ENV ADAPTER_MODULE=adapter` and
-  `ENTRYPOINT ["molecule-runtime"]`
+The runtime package is published to the Molecule AI Gitea package registry:

-| Adapter | Repo |
-|---------|------|
-| claude-code | https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-claude-code |
-| langgraph | https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-langgraph |
-| crewai | https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-crewai |
-| autogen | https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-autogen |
-| deepagents | https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-deepagents |
-| hermes | https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-hermes |
-| gemini-cli | https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-gemini-cli |
-| openclaw | https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-openclaw |
-
-## Adapter discovery (ADAPTER_MODULE)
-
-Standalone adapter repos set `ENV ADAPTER_MODULE=adapter` in their
-Dockerfile. The runtime's `get_adapter()` checks this env var first:
-
-```python
-# In molecule_runtime/adapters/__init__.py
-def get_adapter(runtime: str) -> type[BaseAdapter]:
-    adapter_module = os.environ.get("ADAPTER_MODULE")
-    if adapter_module:
-        mod = importlib.import_module(adapter_module)
-        return getattr(mod, "Adapter")
-    raise KeyError(...)
+```text
+https://git.moleculesai.app/api/packages/molecule-ai/pypi/simple/
 ```

-## Publishing a new version
+PyPI is intentionally not part of the critical path. Template Dockerfiles,
+external-runtime snippets, and CI install checks should use the Gitea registry.

-```bash
-# From any local checkout of monorepo, after merging your runtime change:
-git tag runtime-v0.1.6
-git push origin runtime-v0.1.6
-```
+## Release Flow

-The `publish-runtime` workflow takes over — checks out the tag, runs
-`scripts/build_runtime_package.py --version 0.1.6`, builds wheel + sdist,
-runs a smoke import to catch broken rewrites, and uploads to PyPI via
-the PyPA Trusted Publisher action (OIDC). No static API token is stored
-in this repo — PyPI verifies the workflow's OIDC claim against the
-trusted-publisher config registered for `molecule-ai-workspace-runtime`.
+1. Land a reviewed PR in `molecule-ai-workspace-runtime`.
+2. Bump `version =` in that repo's `pyproject.toml`.
+3. Tag `runtime-vX.Y.Z` on the runtime repo.
+4. The runtime repo's `publish-runtime` workflow builds the wheel and sdist,
+   publishes to the Gitea registry, verifies install from that registry, then
+   cascades `.runtime-version` pins to workspace template repos.

-For dev/test releases without tagging, dispatch the workflow manually
-with an explicit version (e.g. `0.1.6.dev1` — PEP 440 dev/rc/post forms
-are accepted).
+## Core Repo Contract

-After publish, the 8 template repos pick up the new version on their
-next `:latest` rebuild. To force-pull immediately, bump the pin in each
-template's `requirements.txt`.
+`molecule-core` must not ship editable runtime code. Its responsibilities are:

-## End-to-end CD chain
-
-The full chain from monorepo merge → workspace containers running new code:
-
-```
-1. Merge PR with workspace/ changes to main
-   ↓
-2. .github/workflows/auto-tag-runtime.yml fires
-   ↓ reads PR labels (release:major/minor) or defaults to patch
-   ↓ pushes runtime-vX.Y.Z tag
-   ↓
-3. .github/workflows/publish-runtime.yml fires (on the tag)
-   ↓ builds wheel via scripts/build_runtime_package.py
-   ↓ smoke-imports the wheel
-   ↓ uploads to PyPI
-   ↓ cascade job fires repository_dispatch (event-type: runtime-published)
-   ↓ to all 8 workspace-template-* repos
-   ↓
-4. Each template's publish-image.yml fires (on repository_dispatch)
-   ↓ rebuilds Dockerfile (which pip-installs the new PyPI version)
-   ↓ pushes ghcr.io/molecule-ai/workspace-template-<runtime>:latest
-   ↓
-5. Production hosts run scripts/refresh-workspace-images.sh
-   OR an operator hits POST /admin/workspace-images/refresh on the platform
-   ↓ docker pull all 8 :latest tags
-   ↓ remove + force-recreate any running ws-* containers using a refreshed image
-   ↓ canvas re-provisions the workspaces on next interaction
-```
-
-Steps 1-4 are fully automated. Step 5 is one-click: a single curl or shell
-command. SaaS deployments typically wire step 5 into their normal deploy
-pipeline (every release pulls fresh images on every host); local dev fires
-it manually after a runtime release lands.
-
-### Auth
-
-PyPI publishing uses **Trusted Publisher (OIDC)** — no static token in the
-monorepo. The trusted-publisher config on PyPI binds the
-`molecule-ai-workspace-runtime` project to this repo's
-`publish-runtime.yml` workflow + `pypi-publish` environment. Rotation is
-moot: there is no shared secret to rotate.
-
-### Required secrets
-
-| Secret | Where | Why |
-|---|---|---|
-| `TEMPLATE_DISPATCH_TOKEN` | molecule-core repo | Fine-grained PAT with `actions:write` on the 8 template repos. Without it the `cascade` job warns and exits clean — PyPI still publishes; templates just don't auto-rebuild. |
-
-### Step 5 specifics
-
-**Local dev (compose stack):**
-```bash
-bash scripts/refresh-workspace-images.sh                  # all runtimes
-bash scripts/refresh-workspace-images.sh --runtime claude-code
-bash scripts/refresh-workspace-images.sh --no-recreate    # pull only, leave containers
-```
-
-**Via platform admin endpoint (any deploy):**
-```bash
-curl -X POST "$PLATFORM/admin/workspace-images/refresh"
-curl -X POST "$PLATFORM/admin/workspace-images/refresh?runtime=claude-code"
-curl -X POST "$PLATFORM/admin/workspace-images/refresh?recreate=false"
-```
-
-The endpoint pulls + recreates from inside the platform container, so it
-needs Docker socket access (the compose stack mounts
-`/var/run/docker.sock` already) AND GHCR auth on the host's docker config
-(`docker login ghcr.io` once per host). On a fresh host without GHCR auth,
-the pull step warns per runtime and the response surfaces the failures.
-
-**Fully hands-off (opt-in image auto-refresh):**
-
-Set `IMAGE_AUTO_REFRESH=true` on the platform process. A watcher polls
-GHCR every 5 minutes for digest changes on each `workspace-template-*:latest`
-tag and invokes the same refresh logic the admin endpoint exposes —
-no operator action required between "runtime PR merged" and
-"containers running new code". Disabled by default because SaaS deploy
-pipelines that already pull on every release would do redundant work.
-
-Optional companion env (same as the admin endpoint):
-
- `GHCR_USER` + `GHCR_TOKEN` — required for private template images;
-  unused for the current public set, but harmless if set.
-
-## Local dev (build the package without publishing)
-
-```bash
-python3 scripts/build_runtime_package.py --version 0.1.0-local --out /tmp/runtime-build
-cd /tmp/runtime-build
-python -m build              # produces dist/*.whl + dist/*.tar.gz
-pip install dist/*.whl       # install into a venv to test locally
-```
-
-This is the same pipeline CI runs. Use it to validate import-rewrite
-correctness before pushing a `runtime-v*` tag.
-
-## Writing a new adapter
-
-Use the GitHub template repo
-[`molecule-ai/molecule-ai-workspace-template-starter`](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-starter) (note: the starter repo did not survive the 2026-05-06 GitHub-org-suspension migration; recreation tracked at internal#41)
-— it ships with the canonical Dockerfile + adapter.py skeleton + config.yaml
-schema + the `repository_dispatch: [runtime-published]` cascade receiver
-already wired up. No follow-up setup PR required.
-
-```bash
-# Replace <runtime> with your runtime slug (lowercase, hyphenated).
-gh repo create Molecule-AI/molecule-ai-workspace-template-<runtime> \
-  --template Molecule-AI/molecule-ai-workspace-template-starter \
-  --public \
-  --description "Molecule AI workspace template: <runtime>"
-
-git clone https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-<runtime>.git
-cd molecule-ai-workspace-template-<runtime>
-```
-
-Then fill in the `TODO` markers in:
-
-| File | What to fill in |
-|---|---|
-| `adapter.py` | Rename class to `<Runtime>Adapter`. Fill in `name()`, `display_name()`, `description()`, `get_config_schema()`. Implement `setup()` and `create_executor()`. |
-| `requirements.txt` | Add your runtime's pip dependencies (e.g. `langgraph`, `crewai`, `claude-agent-sdk`). |
-| `Dockerfile` | Add runtime-specific apt deps (most runtimes don't need any). Replace ENTRYPOINT only if you need custom boot logic. |
-| `config.yaml` | Update top-level `name`/`runtime`/`description`. Add the models your runtime supports to `models[]`. |
-| `system-prompt.md` | Default agent prompt. |
-
-After `git push`:
-
-1. The template's `publish-image.yml` builds + pushes
-   `ghcr.io/molecule-ai/workspace-template-<runtime>:latest` automatically.
-2. The next `runtime-vX.Y.Z` tag on `molecule-core` cascades a
-   `repository_dispatch` event into your new template, rebuilding the image
-   against the latest runtime — no setup PR required.
-3. Register the runtime name in the platform's `RuntimeImages` map (in
-   `workspace-server/internal/provisioner/provisioner.go`) so it's
-   selectable in the canvas.
-
-## When the starter itself needs to evolve
-
-If the canonical shape changes (e.g. `config.yaml` schema gets a new field,
-the `BaseAdapter` interface adds a method, the reusable CI workflow
-signature changes), update the
-[starter](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-starter) (recreation pending — see note above)
-**first**. Existing templates can either migrate at their own pace or be
-touched in a coordinated cleanup PR. Either way, future templates pick up
-the new shape from day one.
-
-## Migration note
-
-Prior to this workflow, the runtime was duplicated across monorepo
-`workspace/` AND a sibling repo `molecule-ai-workspace-runtime`, with no
-sync mechanism. That caused 30+ files to drift between the two trees and
-tonight's chat-leak / queued-classification fixes existed only in the
-monorepo copy until manually ported.
-
-If you have an old local checkout of `molecule-ai-workspace-runtime`, treat
-it as outdated. The monorepo `workspace/` is now authoritative; the PyPI
-artifact is rebuilt from it on every `runtime-v*` tag.
+- Test platform behavior against the installed runtime contract.
+- Keep MCP/registry/TenantGuard behavior compatible with the runtime package.
+- Fail CI if `workspace/` or legacy build-from-workspace scripts are restored.
@@ -37,8 +37,7 @@
    {"name": "free-beats-all", "repo": "molecule-ai/molecule-ai-org-template-free-beats-all", "ref": "main"},
    {"name": "medo-smoke", "repo": "molecule-ai/molecule-ai-org-template-medo-smoke", "ref": "main"},
    {"name": "molecule-worker-gemini", "repo": "molecule-ai/molecule-ai-org-template-molecule-worker-gemini", "ref": "main"},
-    {"name": "ux-ab-lab", "repo": "molecule-ai/molecule-ai-org-template-ux-ab-lab", "ref": "main"},
-    {"name": "mock-bigorg", "repo": "molecule-ai/molecule-ai-org-template-mock-bigorg", "ref": "main"}
+    {"name": "ux-ab-lab", "repo": "molecule-ai/molecule-ai-org-template-ux-ab-lab", "ref": "main"}
  ]
 }
 // Triggered by Integration Tester at 2026-05-10T08:52Z
@@ -1,535 +0,0 @@
-#!/usr/bin/env python3
-"""Build the molecule-ai-workspace-runtime PyPI package from monorepo workspace/.
-
-Monorepo workspace/ is the single source-of-truth for runtime code. The PyPI
-package is a publish-time mirror produced by this script, NOT a parallel
-editable copy. Anyone editing the runtime should edit workspace/, never the
-sibling molecule-ai-workspace-runtime repo.
-
-What this does
--------------
-1. Copies workspace/ source into build/molecule_runtime/ (note the rename:
-   bare modules become a real Python package).
-2. Rewrites top-level imports so e.g. `from a2a_client import X` becomes
-   `from molecule_runtime.a2a_client import X`. The rewrite is regex-based
-   on a closed allowlist of modules — third-party imports like `from a2a.X`
-   (the a2a-sdk package) are left alone because the regex is anchored on
-   exact module names.
-3. Writes a pyproject.toml with the requested version + the README + the
-   py.typed marker.
-4. Leaves the build dir ready for `python -m build` to produce a wheel/sdist.
-
-Usage
-----
-  scripts/build_runtime_package.py --version 0.1.6 --out /tmp/runtime-build
-  cd /tmp/runtime-build && python -m build
-  python -m twine upload dist/*
-
-The publish workflow (.github/workflows/publish-runtime.yml) drives this
-on every `runtime-v*` tag push.
-"""
-
-from __future__ import annotations
-
-import argparse
-import re
-import shutil
-import sys
-from pathlib import Path
-
-# Top-level Python modules in workspace/ that become molecule_runtime.X.
-# Anything imported as `from <name> import` or `import <name>` (where <name>
-# matches one of these) gets rewritten to use the package prefix.
-#
-# Closed list (not "every .py we copy") because a typo in workspace/ would
-# otherwise leak into a wrong rewrite. The set is asserted against
-# `workspace/*.py` at build time — if the disk contents drift from this
-# list (new module added, old one removed), the build fails loud instead
-# of silently shipping unrewritten imports. That gap caused 0.1.16 to
-# ship `from transcript_auth import ...` (unrewritten — module added
-# without updating this set), which broke every workspace startup with
-# `ModuleNotFoundError: No module named 'transcript_auth'`.
-TOP_LEVEL_MODULES = {
-    "_sanitize_a2a",
-    "a2a_cli",
-    "a2a_client",
-    "a2a_executor",
-    "a2a_mcp_server",
-    "a2a_response",
-    "a2a_tools",
-    "a2a_tools_delegation",
-    "a2a_tools_identity",
-    "a2a_tools_inbox",
-    "a2a_tools_memory",
-    "a2a_tools_messaging",
-    "a2a_tools_rbac",
-    "adapter_base",
-    "agent",
-    "agents_md",
-    "boot_routes",
-    "card_helpers",
-    "config",
-    "configs_dir",
-    "consolidation",
-    "coordinator",
-    "event_log",
-    "events",
-    "executor_helpers",
-    "heartbeat",
-    "inbox",
-    "inbox_uploads",
-    "initial_prompt",
-    "internal_chat_uploads",
-    "internal_file_read",
-    "main",
-    "mcp_cli",
-    "mcp_doctor",
-    "mcp_heartbeat",
-    "mcp_inbox_pollers",
-    "mcp_workspace_resolver",
-    "molecule_ai_status",
-    "not_configured_handler",
-    "platform_auth",
-    "platform_inbound_auth",
-    "plugins",
-    "preflight",
-    "prompt",
-    "runtime_wedge",
-    "secret_redactor",
-    "shared_runtime",
-    "smoke_mode",
-    "transcript_auth",
-    "watcher",
-}
-
-# Subdirectory packages — these are already real packages (they have or will
-# have __init__.py) so the rewrite is `from <pkg>` → `from molecule_runtime.<pkg>`.
-SUBPACKAGES = {
-    "adapters",
-    "builtin_tools",
-    "lib",
-    "platform_tools",
-    "plugins_registry",
-    "policies",
-    "skill_loader",
-}
-
-# Files in workspace/ NOT included in the published package. These are
-# build artifacts, dev scripts, or monorepo-only scaffolding.
-EXCLUDE_FILES = {
-    "Dockerfile",
-    "build-all.sh",
-    "rebuild-runtime-images.sh",
-    "entrypoint.sh",
-    "pytest.ini",
-    "requirements.txt",
-    # Note: adapter_base.py, agents_md.py, hermes_executor.py, shared_runtime.py
-    # are kept (referenced by adapters/__init__.py and other modules); they get
-    # their imports rewritten via TOP_LEVEL_MODULES. Excluding them broke the
-    # smoke-test install with `ModuleNotFoundError: adapter_base`.
-}
-
-EXCLUDE_DIRS = {
-    "__pycache__",
-    "tests",
-    "molecule_audit",  # only used by tests; not on production import path
-    "scripts",
-}
-
-
-def build_import_rewriter() -> re.Pattern:
-    """Compile a single regex matching all import statements that need
-    rewriting. The match groups capture the keyword + module name so the
-    replacement preserves whitespace and trailing punctuation.
-
-    Modules included: TOP_LEVEL_MODULES ∪ SUBPACKAGES.
-
-    The negative-lookahead on `\\.` in the suffix prevents matching
-    `from a2a.server.X import Y` against bare `a2a` (which isn't in our
-    set, but the principle matters for any future short module name that
-    happens to be a prefix of a real package name).
-    """
-    names = sorted(TOP_LEVEL_MODULES | SUBPACKAGES)
-    alt = "|".join(re.escape(n) for n in names)
-    # Matches:
-    #   from <name>(\.|\s|import)
-    #   import <name>(\s|$|,)
-    # And captures the keyword + name so we can re-emit with prefix.
-    pattern = (
-        r"(?m)^(?P<indent>\s*)"          # leading whitespace (preserved)
-        r"(?P<kw>from|import)\s+"        # 'from' or 'import'
-        r"(?P<mod>" + alt + r")"          # the module name
-        r"(?P<rest>[\s.,]|$)"            # what follows: '.subpath', ' import …', ',', whitespace, EOL
-    )
-    return re.compile(pattern)
-
-
-def rewrite_imports(text: str, regex: re.Pattern) -> str:
-    """Replace bare imports with package-prefixed ones.
-
-    `import X`           → `import molecule_runtime.X as X`  (preserve binding)
-    `from X import Y`    → `from molecule_runtime.X import Y`
-    `from X.sub import Y` → `from molecule_runtime.X.sub import Y`
-
-    Rejects `import X as Y` because the rewrite would produce
-    `import molecule_runtime.X as X as Y`, a syntax error. The PR #2433
-    incident shipped this exact pattern past `Python Lint & Test` (which
-    runs against pre-rewrite source) but blew up the wheel-smoke gate.
-    Detecting it here turns the silent build failure into a build-time
-    error with a clear path: use `from X import …` or plain `import X`.
-    """
-    def repl(m: re.Match) -> str:
-        indent, kw, mod, rest = m.group("indent"), m.group("kw"), m.group("mod"), m.group("rest")
-        if kw == "from":
-            # `from X` or `from X.sub` — always safe to prefix.
-            return f"{indent}from molecule_runtime.{mod}{rest}"
-        # `import X` — preserve the binding name `X` (callers do `X.foo`)
-        # by aliasing. `import X.sub` is uncommon for our modules and would
-        # need a different binding form, but isn't used in workspace/ today.
-        if rest.startswith("."):
-            # `import X.sub` — rewrite as `import molecule_runtime.X.sub` and
-            # leave the trailing dot pattern intact for the rest of the line.
-            return f"{indent}import molecule_runtime.{mod}{rest}"
-        # Detect `import X as Y` — the regex's `rest` group captures only
-        # the immediate following char (whitespace, comma, or EOL), so we
-        # have to peek at the surrounding line context. The match start is
-        # at the line's `import` keyword; everything after the matched
-        # name on the same line is what the source author wrote.
-        line_start = text.rfind("\n", 0, m.start()) + 1
-        line_end = text.find("\n", m.end())
-        if line_end == -1:
-            line_end = len(text)
-        line_after = text[m.end() - len(rest):line_end]
-        # Strip comments from consideration so `import X  # noqa` doesn't trip.
-        line_after_no_comment = line_after.split("#", 1)[0]
-        if re.search(r"^\s*as\s+\w+", line_after_no_comment):
-            raise ValueError(
-                f"rewrite_imports: cannot rewrite 'import {mod} as <alias>' on a "
-                f"workspace module — the regex would produce "
-                f"'import molecule_runtime.{mod} as {mod} as <alias>', invalid syntax. "
-                f"Use 'from {mod} import …' or plain 'import {mod}' instead. "
-                f"Offending line: {text[line_start:line_end]!r}"
-            )
-        # Plain `import X` — alias preserves the local name.
-        return f"{indent}import molecule_runtime.{mod} as {mod}{rest}"
-    return regex.sub(repl, text)
-
-
-def copy_tree_filtered(src: Path, dst: Path) -> list[Path]:
-    """Copy src/ → dst/ skipping EXCLUDE_FILES + EXCLUDE_DIRS. Returns the
-    list of .py files copied so the caller can run the import rewrite over
-    them in one pass."""
-    py_files: list[Path] = []
-    if dst.exists():
-        shutil.rmtree(dst)
-    dst.mkdir(parents=True)
-    for entry in src.iterdir():
-        if entry.is_dir():
-            if entry.name in EXCLUDE_DIRS:
-                continue
-            sub_py = copy_tree_filtered(entry, dst / entry.name)
-            py_files.extend(sub_py)
-        else:
-            if entry.name in EXCLUDE_FILES:
-                continue
-            shutil.copy2(entry, dst / entry.name)
-            if entry.suffix == ".py":
-                py_files.append(dst / entry.name)
-    return py_files
-
-
-PYPROJECT_TEMPLATE = """\
-[build-system]
-requires = ["setuptools>=68.0", "wheel"]
-build-backend = "setuptools.build_meta"
-
-[project]
-name = "molecule-ai-workspace-runtime"
-version = "{version}"
-description = "Molecule AI workspace runtime — shared infrastructure for all agent adapters"
-requires-python = ">=3.11"
-license = {{text = "BSL-1.1"}}
-readme = "README.md"
-dependencies = [
-    "a2a-sdk[http-server]>=1.0.0,<2.0",
-    "httpx>=0.27.0",
-    "uvicorn>=0.30.0",
-    "starlette>=0.38.0",
-    "websockets>=12.0",
-    "pyyaml>=6.0",
-    "langchain-core>=0.3.0",
-    "opentelemetry-api>=1.24.0",
-    "opentelemetry-sdk>=1.24.0",
-    "opentelemetry-exporter-otlp-proto-http>=1.24.0",
-    "temporalio>=1.7.0",
-]
-
-[project.scripts]
-molecule-runtime = "molecule_runtime.main:main_sync"
-molecule-mcp = "molecule_runtime.mcp_cli:main"
-
-[tool.setuptools.packages.find]
-where = ["."]
-include = ["molecule_runtime*", "plugins_registry*"]
-
-[tool.setuptools.package-data]
-"molecule_runtime" = ["py.typed"]
-"plugins_registry" = ["py.typed"]
-"""
-
-
-README_TEMPLATE = """\
-# molecule-ai-workspace-runtime
-
-Shared workspace runtime for [Molecule AI](https://git.moleculesai.app/molecule-ai/molecule-core)
-agent adapters. Installed by every workspace template image
-(`workspace-template-claude-code`, `-langgraph`, `-hermes`, etc.) to provide
-A2A delegation, heartbeat, memory, plugin loading, and skill management.
-
-This package is **published from the molecule-core monorepo `workspace/`
-directory** by the `publish-runtime` GitHub Actions workflow on every
-`runtime-v*` tag push. **Do not edit this package directly** — edit
-`workspace/` in the monorepo.
-
-## External-runtime MCP server (`molecule-mcp`)
-
-Operators running an agent outside the platform's container fleet
-(any runtime that supports MCP stdio — Claude Code, hermes, codex,
-etc.) can install this wheel and run the universal MCP server
-locally.
-
-### Requirements
-
-* **Python ≥3.11.** The wheel sets `requires-python = ">=3.11"`. On
-  older interpreters `pip install` returns the cryptic
-  `Could not find a version that satisfies the requirement` — that
-  message is pip filtering this wheel out, NOT the package missing
-  from PyPI. Upgrade with `brew install python@3.12` /
-  `apt install python3.12` / `pyenv install 3.12` first.
-* **`pipx` recommended over `pip`.** `pipx install` puts
-  `molecule-mcp` on PATH automatically and isolates the runtime's
-  deps from your system Python. Plain `pip install --user` works
-  but the binary lands in `~/.local/bin` (Linux) or
-  `~/Library/Python/3.X/bin` (macOS) which is often not on PATH on
-  a fresh shell — `claude mcp add molecule-<workspace-slug> -- molecule-mcp`
-  then fails with "command not found" at first use.
-
-* **Server name in `claude mcp add` is workspace-specific.** The
-  Canvas "Add to Claude Code" snippet stamps a unique slug
-  (`molecule-<workspace-name>`) so a single Claude Code session can
-  talk to N molecule workspaces concurrently — `claude mcp add` keys
-  entries by name in `~/.claude.json`, so re-running with a bare
-  `molecule` name silently overwrites the prior workspace's entry.
-  See [molecule-core#1535](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/1535)
-  for the canonical generator.
-
-### Install
-
-```sh
-# Recommended:
-pipx install molecule-ai-workspace-runtime
-
-# Alternative (manage PATH yourself):
-pip install --user molecule-ai-workspace-runtime
-```
-
-### Run
-
-```sh
-WORKSPACE_ID=<uuid> \\
-  PLATFORM_URL=https://<tenant>.staging.moleculesai.app \\
-  MOLECULE_WORKSPACE_TOKEN=<bearer> \\
-  molecule-mcp
-```
-
-That exposes the same 8 platform tools (`delegate_task`, `list_peers`,
-`send_message_to_user`, `commit_memory`, etc.) that container-bound
-runtimes already get via the workspace's auto-spawned MCP. Register
-the binary in your agent's MCP config — use a workspace-specific
-server name so multi-workspace setups don't collide (e.g. Claude Code:
-`claude mcp add molecule-<workspace-slug> -- molecule-mcp` with the env
-above; the Canvas modal stamps the right slug for you).
-
-### Keeping the token out of shell history
-
-Inline `MOLECULE_WORKSPACE_TOKEN=<bearer>` ends up in `~/.zsh_history`
-and (when registered via `claude mcp add`) plaintext in
-`~/.claude.json`. To avoid that, write the token to a 0600 file and
-point `MOLECULE_WORKSPACE_TOKEN_FILE` at it:
-
-```sh
-umask 077
-printf '%s' "<bearer>" > ~/.config/molecule/token
-WORKSPACE_ID=<uuid> \\
-  PLATFORM_URL=https://<tenant>.staging.moleculesai.app \\
-  MOLECULE_WORKSPACE_TOKEN_FILE=$HOME/.config/molecule/token \\
-  molecule-mcp
-```
-
-Token resolution order: `MOLECULE_WORKSPACE_TOKEN` (inline env) →
-`MOLECULE_WORKSPACE_TOKEN_FILE` (path) → `${CONFIGS_DIR}/.auth_token`
-(in-container default).
-
-The token comes from the canvas → Tokens tab. Restarting an external
-workspace from the canvas no longer revokes the token (PR #2412), so
-operator tokens persist across status nudges.
-
-### Push vs poll delivery (Claude Code specifics)
-
-By default the inbox runs in **poll mode** — every turn the agent
-calls `wait_for_message`, which blocks up to ~60s on
-`/activity?since_id=…`. Real-time push delivery is also supported,
-but on Claude Code it requires THREE conditions, ALL of which must
-hold:
-
-1. **The MCP server declares `experimental.claude/channel`** — this
-   wheel does (see `_build_initialize_result`). Nothing for you to
-   do.
-2. **Claude Code installs the server as a marketplace plugin** — a
-   plain `claude mcp add molecule-<workspace-slug> -- molecule-mcp`
-   produces a non-plugin-sourced server, which Claude Code rejects with
-   `channel_enable requires a marketplace plugin`. Until the
-   official `moleculesai/claude-code-plugin` marketplace lands
-   (tracking [#2936](https://git.moleculesai.app/molecule-ai/molecule-core/issues/2936)),
-   operators who want push must scaffold their own local marketplace
-   under
-   `~/.claude/marketplaces/molecule-local/` containing a
-   `marketplace.json` + `plugin.json` that points at this wheel.
-3. **Claude Code is launched with the dev-channels flag** — pass
-   `--dangerously-load-development-channels plugin:molecule@<marketplace>`
-   on the `claude` invocation. Without this flag the channel
-   capability is silently ignored.
-
-Symptom of any condition failing: messages arrive but only via the
-poll path (every ~1–60s), not real-time. There's currently no
-diagnostic surfaced — `molecule-mcp doctor` (tracking
-[#2937](https://git.moleculesai.app/molecule-ai/molecule-core/issues/2937)) is
-planned.
-
-If you don't need real-time push, the default poll path works
-universally with no extra setup; both modes converge on the same
-`inbox_pop` ack so messages never duplicate.
-
-See [`docs/workspace-runtime-package.md`](https://git.moleculesai.app/molecule-ai/molecule-core/src/branch/main/docs/workspace-runtime-package.md)
-for the publish flow and architecture.
-"""
-
-
-def main() -> int:
-    parser = argparse.ArgumentParser(description=__doc__)
-    parser.add_argument("--version", required=True, help="Package version, e.g. 0.1.6")
-    parser.add_argument("--out", required=True, type=Path, help="Build output directory (will be wiped)")
-    parser.add_argument("--source", type=Path, default=Path(__file__).resolve().parent.parent / "workspace",
-                        help="Path to monorepo workspace/ directory (default: ../workspace from this script)")
-    args = parser.parse_args()
-
-    src = args.source.resolve()
-    out = args.out.resolve()
-    if not src.is_dir():
-        print(f"error: source not a directory: {src}", file=sys.stderr)
-        return 2
-
-    # Drift gate: assert TOP_LEVEL_MODULES matches workspace/*.py.
-    # Without this, a new top-level module added to workspace/ ships
-    # with unrewritten `from <name> import` statements that explode at
-    # runtime with ModuleNotFoundError. (See 0.1.16 transcript_auth
-    # incident — closed list silently went stale.)
-    on_disk_modules = {
-        f.stem for f in src.glob("*.py")
-        if f.stem not in {"__init__", "conftest"}
-    }
-    missing = on_disk_modules - TOP_LEVEL_MODULES
-    stale = TOP_LEVEL_MODULES - on_disk_modules
-    if missing or stale:
-        print("error: TOP_LEVEL_MODULES drifted from workspace/*.py contents:", file=sys.stderr)
-        if missing:
-            print(f"  in workspace/ but NOT in TOP_LEVEL_MODULES (will ship un-rewritten): {sorted(missing)}", file=sys.stderr)
-        if stale:
-            print(f"  in TOP_LEVEL_MODULES but NOT in workspace/ (no-op, but misleading): {sorted(stale)}", file=sys.stderr)
-        print("  Edit scripts/build_runtime_package.py:TOP_LEVEL_MODULES to match.", file=sys.stderr)
-        return 3
-
-    # Same drift gate for SUBPACKAGES — catches the inverse class of
-    # bug where a workspace/ subdirectory is referenced by main.py
-    # (`from lib.pre_stop import ...`) but is either missing from
-    # SUBPACKAGES (so the rewriter doesn't qualify the import) or
-    # accidentally listed in EXCLUDE_DIRS (so the directory itself
-    # isn't shipped). 0.1.16-0.1.19 had `lib` in EXCLUDE_DIRS while
-    # main.py imported from it — `ModuleNotFoundError: No module
-    # named 'lib'` at every workspace startup.
-    on_disk_subpkgs = {
-        d.name for d in src.iterdir()
-        if d.is_dir()
-        and d.name not in EXCLUDE_DIRS
-        and d.name not in {"__pycache__"}
-        and (d / "__init__.py").exists()
-    }
-    sub_missing = on_disk_subpkgs - SUBPACKAGES
-    sub_stale = SUBPACKAGES - on_disk_subpkgs
-    if sub_missing or sub_stale:
-        print("error: SUBPACKAGES drifted from workspace/ subdirectories:", file=sys.stderr)
-        if sub_missing:
-            print(f"  in workspace/ but NOT in SUBPACKAGES (will ship un-rewritten or be excluded): {sorted(sub_missing)}", file=sys.stderr)
-        if sub_stale:
-            print(f"  in SUBPACKAGES but NOT in workspace/ (no-op, but misleading): {sorted(sub_stale)}", file=sys.stderr)
-        print("  Edit scripts/build_runtime_package.py:SUBPACKAGES + EXCLUDE_DIRS to match.", file=sys.stderr)
-        return 3
-
-    pkg_dir = out / "molecule_runtime"
-    print(f"[build] source: {src}")
-    print(f"[build] output: {out}")
-    print(f"[build] package: {pkg_dir}")
-
-    if out.exists():
-        shutil.rmtree(out)
-    out.mkdir(parents=True)
-
-    py_files = copy_tree_filtered(src, pkg_dir)
-    print(f"[build] copied {len(py_files)} .py files")
-
-    # Install plugins_registry/ at the wheel TOP LEVEL so that plugin adapter
-    # code (workspace-template-*) can use bare `from plugins_registry import ...`.
-    # The molecule-runtime package (molecule_runtime/) also ships it at
-    # molecule_runtime/plugins_registry/ (satisfies the rewritten
-    # `from molecule_runtime.plugins_registry import ...` in adapter_base.py).
-    # Both copies coexist: they serve different import namespaces.
-    plugins_src = src / "plugins_registry"
-    plugins_dst = out / "plugins_registry"
-    if plugins_src.is_dir():
-        shutil.copytree(plugins_src, plugins_dst)
-        print(f"[build] installed plugins_registry/ at top level (bare-import shim)")
-
-    # Ensure top-level package marker exists. workspace/ doesn't have one
-    # (it's not a package in monorepo), but the published artifact must.
-    init = pkg_dir / "__init__.py"
-    if not init.exists():
-        init.write_text('"""Molecule AI workspace runtime."""\n')
-
-    # Touch py.typed so type-checkers in adapter consumers see the package
-    # as typed. Empty file is the convention.
-    (pkg_dir / "py.typed").touch()
-
-    # Rewrite imports in every .py file we copied + the new __init__.py.
-    regex = build_import_rewriter()
-    rewrites = 0
-    for f in [*py_files, init]:
-        original = f.read_text()
-        rewritten = rewrite_imports(original, regex)
-        if rewritten != original:
-            f.write_text(rewritten)
-            rewrites += 1
-    print(f"[build] rewrote imports in {rewrites} files")
-
-    # Emit pyproject.toml + README at build root.
-    (out / "pyproject.toml").write_text(PYPROJECT_TEMPLATE.format(version=args.version))
-    (out / "README.md").write_text(README_TEMPLATE)
-
-    print(f"[build] done. To publish:")
-    print(f"  cd {out}")
-    print(f"  python -m build")
-    print(f"  python -m twine upload dist/*")
-    return 0
-
-
-if __name__ == "__main__":
-    sys.exit(main())
@@ -1,95 +0,0 @@
-#!/usr/bin/env bash
-# check-cascade-list-vs-manifest.sh — structural drift gate for the
-# publish-runtime cascade list vs manifest.json workspace_templates.
-#
-# WHY: PR #2536 pruned the manifest to 4 supported runtimes; PR #2556
-# realigned the cascade list to match. The underlying drift hazard
-# (cascade-list ≠ manifest) was unguarded — the data fix didn't prevent
-# recurrence. This script is the structural gate that does.
-#
-# Behavior-based per project pattern: derives the expected set from
-# manifest.json and the actual set from the workflow YAML, fails on
-# any divergence in either direction.
-#
-#   missing-from-cascade  → templates in manifest that publish-runtime.yml
-#                            won't auto-rebuild on a new wheel publish
-#                            (the codex-stuck-on-stale-runtime bug class)
-#   extra-in-cascade      → cascade dispatches to deprecated templates
-#                            (the wasted-API-calls + dead-CI-noise class)
-#
-# Suffix mapping: manifest names map to GHCR repos via
-#   {name without -default suffix} → molecule-ai-workspace-template-<suffix>
-# That's the same map publish-runtime.yml's TEMPLATES variable iterates.
-#
-# Exit:
-#   0  cascade matches manifest exactly
-#   1  drift detected (script prints the diff)
-#   2  bad usage / missing inputs
-
-set -eu
-
-MANIFEST="${1:-manifest.json}"
-WORKFLOW="${2:-.github/workflows/publish-runtime.yml}"
-
-if [ ! -f "$MANIFEST" ]; then
-    echo "::error::manifest not found: $MANIFEST" >&2
-    exit 2
-fi
-if [ ! -f "$WORKFLOW" ]; then
-    echo "::error::workflow not found: $WORKFLOW" >&2
-    exit 2
-fi
-
-# Expected cascade entries: manifest workspace_templates → suffix-only
-# (strip -default tail, e.g. claude-code-default → claude-code, since
-# publish-runtime.yml's TEMPLATES uses suffixes that match the
-# molecule-ai-workspace-template-<suffix> repo naming).
-EXPECTED=$(jq -r '.workspace_templates[].name' "$MANIFEST" \
-    | sed 's/-default$//' \
-    | sort -u)
-
-# Actual cascade entries: extract from the TEMPLATES="…" line. We look
-# for the line, pull the contents between the quotes, and split into
-# one-per-line. Single source of truth in the workflow itself, no
-# parallel registry needed.
-#
-# Why not \s in the regex: BSD sed (macOS) doesn't recognize \s as
-# whitespace — treats it as literal `s`. POSIX [[:space:]] works on
-# both BSD and GNU sed. Same hazard nuked the original draft of this
-# script: \s* matched empty-prefix-of-literal-s, then the leading
-# whitespace stayed in the captured group.
-ACTUAL=$(grep -E '[[:space:]]*TEMPLATES="' "$WORKFLOW" \
-    | head -1 \
-    | sed -E 's/^[[:space:]]*TEMPLATES="([^"]*)".*$/\1/' \
-    | tr ' ' '\n' \
-    | grep -v '^$' \
-    | sort -u)
-
-if [ -z "$ACTUAL" ]; then
-    echo "::error::could not extract TEMPLATES=\"…\" from $WORKFLOW — has the variable name or quoting changed?" >&2
-    exit 2
-fi
-
-MISSING=$(comm -23 <(printf '%s\n' "$EXPECTED") <(printf '%s\n' "$ACTUAL"))
-EXTRA=$(comm -13 <(printf '%s\n' "$EXPECTED") <(printf '%s\n' "$ACTUAL"))
-
-if [ -z "$MISSING" ] && [ -z "$EXTRA" ]; then
-    echo "✓ cascade list matches manifest workspace_templates ($(echo "$EXPECTED" | wc -l | tr -d ' ') entries)"
-    exit 0
-fi
-
-echo "::error::cascade list drift detected between $MANIFEST and $WORKFLOW" >&2
-echo "" >&2
-if [ -n "$MISSING" ]; then
-    echo "  Templates in manifest but MISSING from cascade (won't auto-rebuild on wheel publish):" >&2
-    echo "$MISSING" | sed 's/^/    - /' >&2
-    echo "" >&2
-fi
-if [ -n "$EXTRA" ]; then
-    echo "  Templates in cascade but NOT in manifest (deprecated, wasting dispatch calls):" >&2
-    echo "$EXTRA" | sed 's/^/    - /' >&2
-    echo "" >&2
-fi
-echo "  Fix: edit the TEMPLATES=\"…\" line in $WORKFLOW so the set matches" >&2
-echo "  manifest.json's workspace_templates (suffix-stripped). See PR #2556 for context." >&2
-exit 1
@@ -1,201 +0,0 @@
-"""Tests for scripts/build_runtime_package.py — the wheel-build import rewriter.
-
-Run locally: ``python3 -m unittest scripts/test_build_runtime_package.py -v``
-
-Why this exists: PR #2433 shipped ``import inbox as _inbox_module`` inside
-the workspace runtime, and the rewriter expanded it to
-``import molecule_runtime.inbox as inbox as _inbox_module`` — invalid
-Python. The wheel-smoke gate caught it post-merge but couldn't block
-the merge (not a required check yet — see PR #2439). PR #2436 added a
-build-time gate that raises ``ValueError`` on this pattern; this file
-locks the rewriter's documented contract under unit test so the gate
-itself can't silently regress.
-
-Coverage:
- ``import X``                  → ``import molecule_runtime.X as X``
- ``import X.sub``              → ``import molecule_runtime.X.sub``
- ``import X``  + trailing comment is preserved
- ``from X import Y``           → ``from molecule_runtime.X import Y``
- ``from X.sub import Y``       → ``from molecule_runtime.X.sub import Y``
- ``from X import Y, Z``        → ``from molecule_runtime.X import Y, Z``
- ``import X as Y``             → raises ValueError (the rewriter would
-  produce ``import molecule_runtime.X as X as Y``, syntax error)
- non-allowlist module names    → not rewritten (regex anchors on the closed set)
- Indented imports (inside def/class) keep their indentation.
-"""
-from __future__ import annotations
-
-import os
-import sys
-import unittest
-
-# scripts/build_runtime_package.py lives at scripts/ — add scripts/ to sys.path
-# so the import works whether unittest is invoked from repo root or scripts/.
-HERE = os.path.dirname(os.path.abspath(__file__))
-if HERE not in sys.path:
-    sys.path.insert(0, HERE)
-
-import build_runtime_package as M  # noqa: E402
-
-
-def rewrite(text: str) -> str:
-    """Run the rewriter end-to-end so the test exercises the same path
-    used by the wheel build (regex compile + substitution)."""
-    regex = M.build_import_rewriter()
-    return M.rewrite_imports(text, regex)
-
-
-class TestBareImportRewriting(unittest.TestCase):
-    def test_plain_import_aliases_to_preserve_binding(self):
-        self.assertEqual(
-            rewrite("import inbox\n"),
-            "import molecule_runtime.inbox as inbox\n",
-        )
-
-    def test_plain_import_with_trailing_comment_is_preserved(self):
-        # Real-world shape from a2a_mcp_server.py — the comment must
-        # survive the rewrite without losing its leading-space buffer.
-        self.assertEqual(
-            rewrite("import inbox  # noqa: E402\n"),
-            "import molecule_runtime.inbox as inbox  # noqa: E402\n",
-        )
-
-    def test_import_dotted_keeps_dotted_form(self):
-        # `import X.sub` is rare for our modules but the rewriter must
-        # not double-alias — we want `import molecule_runtime.X.sub`,
-        # not `import molecule_runtime.X.sub as X.sub` (invalid).
-        self.assertEqual(
-            rewrite("import platform_tools.registry\n"),
-            "import molecule_runtime.platform_tools.registry\n",
-        )
-
-    def test_indented_import_preserves_indentation(self):
-        src = "def foo():\n    import inbox\n    return inbox.x\n"
-        out = rewrite(src)
-        self.assertIn("    import molecule_runtime.inbox as inbox\n", out)
-
-
-class TestFromImportRewriting(unittest.TestCase):
-    def test_from_module_import_simple(self):
-        self.assertEqual(
-            rewrite("from inbox import InboxState\n"),
-            "from molecule_runtime.inbox import InboxState\n",
-        )
-
-    def test_from_dotted_import(self):
-        self.assertEqual(
-            rewrite("from platform_tools.registry import TOOLS\n"),
-            "from molecule_runtime.platform_tools.registry import TOOLS\n",
-        )
-
-    def test_from_import_multiple_symbols(self):
-        # Multi-import statement — the rewriter only touches the module
-        # prefix, not the names being imported.
-        self.assertEqual(
-            rewrite("from a2a_tools import (foo, bar, baz)\n"),
-            "from molecule_runtime.a2a_tools import (foo, bar, baz)\n",
-        )
-
-    def test_from_import_block_form(self):
-        src = (
-            "from a2a_tools import (\n"
-            "    tool_check_task_status,\n"
-            "    tool_commit_memory,\n"
-            ")\n"
-        )
-        out = rewrite(src)
-        self.assertIn("from molecule_runtime.a2a_tools import (\n", out)
-        # Trailing names + closer are unchanged.
-        self.assertIn("    tool_check_task_status,\n", out)
-        self.assertIn(")\n", out)
-
-
-class TestImportAsAliasRejection(unittest.TestCase):
-    """The key regression class — the failure mode that shipped in PR #2433."""
-
-    def test_import_as_alias_raises_value_error(self):
-        with self.assertRaises(ValueError) as ctx:
-            rewrite("import inbox as _inbox_module\n")
-        msg = str(ctx.exception)
-        # Error must name the offending module + suggest the fix.
-        self.assertIn("inbox", msg)
-        self.assertIn("as <alias>", msg)
-        self.assertIn("from", msg)  # suggests `from X import …`
-
-    def test_import_as_alias_indented_still_rejected(self):
-        # Indented (inside def/class) — same hazard, same rejection.
-        with self.assertRaises(ValueError):
-            rewrite("def foo():\n    import inbox as _x\n")
-
-    def test_import_as_alias_with_trailing_comment_still_rejected(self):
-        with self.assertRaises(ValueError):
-            rewrite("import inbox as _x  # comment\n")
-
-    def test_plain_import_with_as_in_comment_does_not_trip(self):
-        # The detection strips comments before pattern-matching, so a
-        # comment containing "as foo" must NOT trigger the rejection.
-        self.assertEqual(
-            rewrite("import inbox  # rewriter produces alias as inbox\n"),
-            "import molecule_runtime.inbox as inbox  # rewriter produces alias as inbox\n",
-        )
-
-    def test_import_followed_by_comma_is_not_an_alias(self):
-        # `import inbox, os` — comma is not `as`, must not be rejected.
-        # Our regex captures `inbox` then `,` — only `inbox` gets prefixed.
-        # `os` is not in TOP_LEVEL_MODULES so it's left alone.
-        out = rewrite("import inbox, os\n")
-        # The first module is rewritten; the second (non-allowlist) is not.
-        self.assertIn("import molecule_runtime.inbox as inbox", out)
-
-
-class TestOutsideAllowlistModules(unittest.TestCase):
-    def test_third_party_imports_unchanged(self):
-        # `httpx`, `os`, `re` etc. are not in TOP_LEVEL_MODULES — the
-        # regex must not match them. This is the closed-list invariant
-        # that prevents accidental rewrites of stdlib / third-party.
-        src = "import httpx\nimport os\nfrom re import match\n"
-        self.assertEqual(rewrite(src), src)
-
-    def test_short_name_collision_avoided(self):
-        # `from a2a.server.X import Y` must not match the bare `a2a`
-        # prefix — `a2a` isn't in our allowlist (we allow `a2a_tools`,
-        # `a2a_client`, etc., but not bare `a2a`). Belt-and-suspenders.
-        src = "from a2a.server.routes import create_agent_card_routes\n"
-        self.assertEqual(rewrite(src), src)
-
-
-class TestEndToEndShape(unittest.TestCase):
-    """Reproduces the PR #2433 → #2436 incident shape."""
-
-    def test_pr_2433_pattern_now_rejected(self):
-        # The exact line PR #2433 added (inside main()), which produced
-        # `import molecule_runtime.inbox as inbox as _inbox_module` —
-        # invalid syntax in the published wheel.
-        with self.assertRaises(ValueError) as ctx:
-            rewrite(
-                "    import inbox as _inbox_module\n"
-                "    _inbox_module.set_notification_callback(_on_inbox_message)\n"
-            )
-        # Error message includes the offending line so the operator
-        # knows exactly where to fix.
-        self.assertIn("inbox", str(ctx.exception))
-
-    def test_pr_2436_fix_pattern_works(self):
-        # The fix-forward shape (#2436): top-level `import inbox`,
-        # bridge wired in main() via `inbox.set_notification_callback`.
-        src = (
-            "import inbox\n"
-            "\n"
-            "def main():\n"
-            "    inbox.set_notification_callback(cb)\n"
-        )
-        out = rewrite(src)
-        self.assertIn("import molecule_runtime.inbox as inbox\n", out)
-        # The callable reference inside main() is left alone — only
-        # imports get rewritten, not arbitrary `inbox.foo` callsites
-        # (those resolve via the module binding the rewrite preserves).
-        self.assertIn("    inbox.set_notification_callback(cb)\n", out)
-
-
-if __name__ == "__main__":
-    unittest.main()
@@ -9,7 +9,7 @@ This repo uses the standard monorepo testing convention: **unit tests live with
 | Go unit + integration (platform, CLI, handlers) | `workspace-server/**/*_test.go` — run with `cd workspace-server && go test -race ./...` |
 | TypeScript unit (canvas components, hooks, store) | `canvas/src/**/__tests__/` — run with `cd canvas && npm test -- --run` |
 | TypeScript unit (MCP server handlers) | `mcp-server/src/__tests__/` — run with `cd mcp-server && npx jest` |
-| Python unit (workspace runtime, adapters) | `workspace/tests/` — run with `cd workspace && python3 -m pytest` |
+| Python unit (workspace runtime, adapters) | `molecule-ai-workspace-runtime/tests/` in the standalone runtime repo |
 | Python unit (SDK: plugin + remote agent) | `sdk/python/tests/` — run with `cd sdk/python && python3 -m pytest` |
 | **Cross-component E2E** (spans platform + runtime + HTTP) | `tests/e2e/` ← **you are here** |

@@ -33,7 +33,10 @@ e2e_mint_test_token() {
    return 2
  fi
  local body
-  body=$(curl -s -w "\n%{http_code}" "$BASE/admin/workspaces/$wid/test-token")
+  local admin_bearer="${MOLECULE_ADMIN_TOKEN:-${ADMIN_TOKEN:-}}"
+  local admin_auth=()
+  [ -n "$admin_bearer" ] && admin_auth=(-H "Authorization: Bearer $admin_bearer")
+  body=$(curl -s -w "\n%{http_code}" "$BASE/admin/workspaces/$wid/test-token" "${admin_auth[@]}")
  local code
  code=$(printf '%s' "$body" | tail -n1)
  local json
@@ -0,0 +1,167 @@
+# shellcheck shell=bash
+# Shared peer-visibility assertion core — runtime/backend-AGNOSTIC.
+#
+# WHY THIS FILE EXISTS
+# --------------------
+# The peer-visibility gate (PR #1298) was staging-only. Per the standing
+# rule that the local prod-mimic stack must run a MANDATORY local-Postgres
+# E2E BEFORE staging E2E (memory: feedback_local_must_mimic_production,
+# feedback_mandatory_local_e2e_before_ship, feedback_local_test_before_
+# staging_e2e), peer-visibility must also run against the local stack.
+#
+# The ASSERTION must be byte-identical between local and staging — only
+# provisioning differs. So the literal MCP `list_peers` call + every
+# anti-proxy / anti-native-fallback guarantee lives HERE, sourced by both
+# tests/e2e/test_peer_visibility_mcp_staging.sh (staging/CP backend) and
+# tests/e2e/test_peer_visibility_mcp_local.sh (local docker-compose
+# backend). If this assertion ever diverges between the two, that is the
+# bug — keep it in one place.
+#
+# THIS IS NOT A PROXY. pv_assert_runtime issues the byte-for-byte
+# JSON-RPC `tools/call name=list_peers` envelope to `POST
+# /workspaces/:id/mcp` using the workspace's OWN bearer token, through
+# the real WorkspaceAuth + MCPRateLimiter middleware chain — the exact
+# call mcp_molecule_list_peers makes from a canvas agent. It does NOT
+# read a registry row, /health, the heartbeat table, or
+# GET /registry/:id/peers.
+#
+# Contract:
+#   pv_assert_runtime <runtime> <ws_id> <ws_bearer> <base_url> \
+#                     <org_id_or_empty> <all_ws_ids_space_separated>
+#
+#     <org_id_or_empty>  staging: the X-Molecule-Org-Id header value.
+#                        local:   "" (the local single-tenant stack does
+#                                 not gate on the org header; the header
+#                                 is simply omitted when empty).
+#     <all_ws_ids>       every provisioned workspace id (parent + every
+#                        runtime sibling). The expected peer set for this
+#                        runtime is every id in here EXCEPT <ws_id>.
+#
+#   Sets the global PV_VERDICT to one of:
+#     OK
+#     FAIL(http=<code>)
+#     FAIL(native-fallback)
+#     FAIL(rpc=<detail>)
+#     FAIL(peers=<detail>)
+#     FAIL(unknown)
+#   Returns 0 when PV_VERDICT=OK, 1 otherwise. Never exits — the caller
+#   owns aggregation + the gate exit code (10 = regression reproduced).
+#
+# The literal JSON-RPC envelope. Identical to what
+# workspace/platform_tools/registry.py's mcp_molecule_list_peers emits.
+PV_RPC_BODY='{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"list_peers","arguments":{}}}'
+
+pv_assert_runtime() {
+  local rt="$1" wid="$2" wtok="$3" base_url="$4" org_id="$5" all_ws_ids="$6"
+
+  # Expected peer set = every OTHER provisioned workspace, excluding the
+  # caller itself. Byte-identical selection to the original staging script.
+  local expect_ids
+  expect_ids=$(echo "$all_ws_ids" | tr ' ' '\n' | grep -v "^${wid}$" | grep -v '^$')
+
+  # X-Molecule-Org-Id only when the backend supplies one (staging multi-
+  # tenant). Local single-tenant omits it — the same WorkspaceAuth +
+  # MCPRateLimiter chain still runs; only the tenant-routing header differs.
+  local org_header=()
+  if [ -n "$org_id" ]; then
+    org_header=(-H "X-Molecule-Org-Id: $org_id")
+  fi
+
+  local resp http_code body
+  set +e
+  resp=$(curl -sS -X POST "$base_url/workspaces/$wid/mcp" \
+    -H "Authorization: Bearer $wtok" \
+    "${org_header[@]}" \
+    -H "Content-Type: application/json" \
+    -d "$PV_RPC_BODY" \
+    -o /tmp/pv_mcp_body.json -w "%{http_code}" 2>/dev/null)
+  set -e
+  http_code="$resp"
+  body=$(cat /tmp/pv_mcp_body.json 2>/dev/null || echo '')
+
+  echo "--- $rt (ws=$wid) ---"
+  echo "    HTTP $http_code"
+  echo "    body: $(echo "$body" | head -c 600)"
+
+  # (1) HTTP 200 — a 401 (WorkspaceAuth reject, the Hermes symptom) fails here.
+  if [ "$http_code" != "200" ]; then
+    echo "  ✗ $rt: list_peers MCP call returned HTTP $http_code (expected 200)"
+    PV_VERDICT="FAIL(http=$http_code)"
+    return 1
+  fi
+
+  # (2) JSON-RPC result present, not an error object; expected sibling IDs
+  #     present; not a native-sessions fallback. Byte-identical to the
+  #     original staging script's inline python.
+  local parse
+  parse=$(echo "$body" | python3 -c "
+import sys, json
+expect = set(filter(None, '''$expect_ids'''.split()))
+try:
+    d = json.load(sys.stdin)
+except Exception as e:
+    print('PARSE_ERROR:' + str(e)); sys.exit(0)
+if isinstance(d, dict) and d.get('error') is not None:
+    print('RPC_ERROR:' + json.dumps(d['error'])[:200]); sys.exit(0)
+res = d.get('result') if isinstance(d, dict) else None
+if res is None:
+    print('NO_RESULT'); sys.exit(0)
+# MCP tools/call result shape: {content:[{type:text,text:'<json or prose>'}]}
+text = ''
+if isinstance(res, dict):
+    for c in res.get('content', []):
+        if c.get('type') == 'text':
+            text += c.get('text', '')
+text_l = text.lower()
+# Native-sessions fallback signature (the OpenClaw symptom): the agent
+# answered from its own runtime session list, not the platform peer set.
+if 'sessions_list' in text_l or 'no platform peers' in text_l or 'native session' in text_l:
+    print('NATIVE_FALLBACK:' + text[:200]); sys.exit(0)
+# The expected sibling IDs must literally appear in the returned peer text.
+found = sorted(i for i in expect if i in text)
+missing = sorted(expect - set(found))
+if not expect:
+    print('NO_EXPECTED_PEERS_CONFIGURED'); sys.exit(0)
+if missing:
+    print('MISSING_PEERS:found=%d/%d missing=%s' % (len(found), len(expect), ','.join(m[:8] for m in missing)))
+    sys.exit(0)
+print('OK:found=%d/%d' % (len(found), len(expect)))
+" 2>/dev/null)
+
+  case "$parse" in
+    OK:*)
+      echo "  ✓ $rt: list_peers returned 200 and contains all expected peers ($parse)"
+      PV_VERDICT="OK"
+      return 0
+      ;;
+    NATIVE_FALLBACK:*)
+      echo "  ✗ $rt: list_peers fell back to NATIVE sessions — sees no platform peers ($parse)"
+      PV_VERDICT="FAIL(native-fallback)"
+      return 1
+      ;;
+    RPC_ERROR:*|NO_RESULT|PARSE_ERROR:*)
+      echo "  ✗ $rt: list_peers MCP call did not return a usable result ($parse)"
+      PV_VERDICT="FAIL(rpc=$parse)"
+      return 1
+      ;;
+    MISSING_PEERS:*)
+      echo "  ✗ $rt: list_peers returned 200 but peer set is wrong/empty ($parse)"
+      PV_VERDICT="FAIL(peers=$parse)"
+      return 1
+      ;;
+    NO_EXPECTED_PEERS_CONFIGURED)
+      # Caller bug, not a runtime regression — surface loudly so a
+      # mis-wired backend can't mint a false green.
+      echo "  ✗ $rt: no expected peers were configured for this caller"
+      # shellcheck disable=SC2034 # exported verdict is read by the caller's map plumbing.
+      PV_VERDICT="FAIL(rpc=NO_EXPECTED_PEERS_CONFIGURED)"
+      return 1
+      ;;
+    *)
+      echo "  ✗ $rt: unexpected verdict '$parse'"
+      # shellcheck disable=SC2034 # exported verdict is read by the caller's map plumbing.
+      PV_VERDICT="FAIL(unknown)"
+      return 1
+      ;;
+  esac
+}
@@ -10,6 +10,10 @@ FAIL=0
 # as `Authorization: Bearer <token>`. Capture them here.
 ECHO_TOKEN=""
 SUM_TOKEN=""
+ECHO_AUTH=()
+SUM_AUTH=()
+ECHO_URL="https://example.com/echo-agent"
+SUM_URL="https://example.com/summarizer-agent"

 # AdminAuth-gated calls need a bearer token once any workspace token
 # exists in the DB. ADMIN_TOKEN is populated after the first workspace
@@ -54,8 +58,8 @@ R=$(acurl "$BASE/workspaces")
 check "GET /workspaces (empty)" '[]' "$R"

 # Test 3: Create workspace A (AdminAuth fail-open — no tokens exist yet)
-R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" -d '{"name":"Echo Agent","tier":1}')
-check "POST /workspaces (create echo)" '"status":"provisioning"' "$R"
+R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" -d '{"name":"Echo Agent","tier":1,"runtime":"external","external":true}')
+check "POST /workspaces (create echo)" '"status":"awaiting_agent"' "$R"
 ECHO_ID=$(echo "$R" | python3 -c "import sys,json; print(json.load(sys.stdin)['id'])")

 # Mint a test token so all subsequent AdminAuth-gated calls succeed.
@@ -72,8 +76,8 @@ else
 fi

 # Test 4: Create workspace B (needs bearer — tokens now exist in DB)
-R=$(acurl -X POST "$BASE/workspaces" -H "Content-Type: application/json" -d '{"name":"Summarizer Agent","tier":1}')
-check "POST /workspaces (create summarizer)" '"status":"provisioning"' "$R"
+R=$(acurl -X POST "$BASE/workspaces" -H "Content-Type: application/json" -d '{"name":"Summarizer Agent","tier":1,"runtime":"external","external":true}')
+check "POST /workspaces (create summarizer)" '"status":"awaiting_agent"' "$R"
 SUM_ID=$(echo "$R" | python3 -c "import sys,json; print(json.load(sys.stdin)['id'])")

 # Test 5: List has 2
@@ -90,9 +94,10 @@ check "GET /workspaces/:id (agent_card null)" '"agent_card":null' "$R"
 # endpoint), not the admin token. C18 requires a token issued TO THIS
 # workspace, not just any valid token.
 ECHO_WS_TOKEN=$(curl -s "$BASE/admin/workspaces/$ECHO_ID/test-token" | python3 -c "import sys,json; print(json.load(sys.stdin).get('auth_token',''))" 2>/dev/null || echo "")
+[ -n "$ECHO_WS_TOKEN" ] && ECHO_AUTH=(-H "Authorization: Bearer $ECHO_WS_TOKEN")
 R=$(curl -s -X POST "$BASE/registry/register" -H "Content-Type: application/json" \
-  ${ECHO_WS_TOKEN:+-H "Authorization: Bearer $ECHO_WS_TOKEN"} \
-  -d "{\"id\":\"$ECHO_ID\",\"url\":\"http://localhost:8001\",\"agent_card\":{\"name\":\"Echo Agent\",\"skills\":[{\"id\":\"echo\",\"name\":\"Echo\"}]}}")
+  "${ECHO_AUTH[@]}" \
+  -d "{\"id\":\"$ECHO_ID\",\"url\":\"$ECHO_URL\",\"agent_card\":{\"name\":\"Echo Agent\",\"skills\":[{\"id\":\"echo\",\"name\":\"Echo\"}]}}")
 check "POST /registry/register (echo)" '"status":"registered"' "$R"
 # Extract token from register response; fall back to the test-token we
 # already minted (register may not return a new token on re-registration).
@@ -101,9 +106,10 @@ if [ -z "$ECHO_TOKEN" ]; then ECHO_TOKEN="$ECHO_WS_TOKEN"; fi

 # Test 8: Register summarizer — same pattern: workspace-specific token
 SUM_WS_TOKEN=$(curl -s "$BASE/admin/workspaces/$SUM_ID/test-token" | python3 -c "import sys,json; print(json.load(sys.stdin).get('auth_token',''))" 2>/dev/null || echo "")
+[ -n "$SUM_WS_TOKEN" ] && SUM_AUTH=(-H "Authorization: Bearer $SUM_WS_TOKEN")
 R=$(curl -s -X POST "$BASE/registry/register" -H "Content-Type: application/json" \
-  ${SUM_WS_TOKEN:+-H "Authorization: Bearer $SUM_WS_TOKEN"} \
-  -d "{\"id\":\"$SUM_ID\",\"url\":\"http://localhost:8002\",\"agent_card\":{\"name\":\"Summarizer\",\"skills\":[{\"id\":\"summarize\",\"name\":\"Summarize\"}]}}")
+  "${SUM_AUTH[@]}" \
+  -d "{\"id\":\"$SUM_ID\",\"url\":\"$SUM_URL\",\"agent_card\":{\"name\":\"Summarizer\",\"skills\":[{\"id\":\"summarize\",\"name\":\"Summarize\"}]}}")
 check "POST /registry/register (summarizer)" '"status":"registered"' "$R"
 SUM_TOKEN=$(echo "$R" | e2e_extract_token)
 if [ -z "$SUM_TOKEN" ]; then SUM_TOKEN="$SUM_WS_TOKEN"; fi
@@ -112,7 +118,7 @@ if [ -z "$SUM_TOKEN" ]; then SUM_TOKEN="$SUM_WS_TOKEN"; fi
 R=$(acurl "$BASE/workspaces/$ECHO_ID")
 check "Echo is online" '"status":"online"' "$R"
 check "Echo has agent_card" '"skills"' "$R"
-check "Echo has url" '"url":"http://localhost:8001"' "$R"
+check "Echo has url" "\"url\":\"$ECHO_URL\"" "$R"

 # Test 10: Heartbeat
 R=$(curl -s -X POST "$BASE/registry/heartbeat" -H "Content-Type: application/json" -H "Authorization: Bearer $ECHO_TOKEN" \
@@ -178,7 +184,7 @@ curl -s -X POST "$BASE/registry/heartbeat" -H "Content-Type: application/json" -
 # Re-register to force online status in case liveness expired
 curl -s -X POST "$BASE/registry/register" -H "Content-Type: application/json" \
  -H "Authorization: Bearer $ECHO_TOKEN" \
-  -d "{\"id\":\"$ECHO_ID\",\"url\":\"http://localhost:8001\",\"agent_card\":{\"name\":\"Echo Agent v2\",\"skills\":[{\"id\":\"echo\",\"name\":\"Echo\"},{\"id\":\"repeat\",\"name\":\"Repeat\"}]}}" > /dev/null
+  -d "{\"id\":\"$ECHO_ID\",\"url\":\"$ECHO_URL\",\"agent_card\":{\"name\":\"Echo Agent v2\",\"skills\":[{\"id\":\"echo\",\"name\":\"Echo\"},{\"id\":\"repeat\",\"name\":\"Repeat\"}]}}" > /dev/null

 # Now send high error rate to trigger degraded
 R=$(curl -s -X POST "$BASE/registry/heartbeat" -H "Content-Type: application/json" -H "Authorization: Bearer $ECHO_TOKEN" \
@@ -358,12 +364,17 @@ else
 fi

 # Register the re-imported workspace to verify agent_card round-trips
+NEW_TOKEN=$(curl -s "$BASE/admin/workspaces/$NEW_ID/test-token" | python3 -c "import sys,json; print(json.load(sys.stdin).get('auth_token',''))" 2>/dev/null || echo "")
+NEW_AUTH=()
+[ -n "$NEW_TOKEN" ] && NEW_AUTH=(-H "Authorization: Bearer $NEW_TOKEN")
 R=$(curl -s -X POST "$BASE/registry/register" -H "Content-Type: application/json" \
-  -d "{\"id\":\"$NEW_ID\",\"url\":\"http://localhost:8002\",\"agent_card\":{\"name\":\"Summarizer\",\"skills\":[{\"id\":\"summarize\",\"name\":\"Summarize\"}]}}")
+  "${NEW_AUTH[@]}" \
+  -d "{\"id\":\"$NEW_ID\",\"url\":\"$SUM_URL\",\"agent_card\":{\"name\":\"Summarizer\",\"skills\":[{\"id\":\"summarize\",\"name\":\"Summarize\"}]}}")
 check "Register re-imported workspace" '"status":"registered"' "$R"
 # Capture the fresh token issued to the re-imported workspace.  SUM_TOKEN was
 # revoked when SUM_ID was deleted above — use this one for cleanup instead.
-NEW_TOKEN=$(echo "$R" | e2e_extract_token)
+REG_NEW_TOKEN=$(echo "$R" | e2e_extract_token)
+[ -n "$REG_NEW_TOKEN" ] && NEW_TOKEN="$REG_NEW_TOKEN"

 # Re-export and verify agent_card survives the round-trip (#165 / PR #167 — admin-gated)
 REBUNDLE=$(curl -s "$BASE/bundles/export/$NEW_ID" -H "Authorization: Bearer $NEW_TOKEN")
--- a/Show More
+++ b/Show More