Merge pull request 'fix(runtime): close self-delegation echo gap in builtin_tools + inbox kind classification (#190 / #193)' (#1539) from fix/self-delegation-echo-runtime-builtin-tools into main

Prior CI failures on this PR were infra-class (Detect changes hit
'Error: ENOSPC: no space left on device' from runner disk-full caused
by 120 zombie tasks since drained; Python Lint flaked on perf test
test_batch_fetcher_runs_submitted_rows_concurrently by 3ms under
contended runners — same test passes cleanly on main HEAD 1b0e947).
Re-firing CI on recovered runners; no code change. [no-op]

.gitea/ci-refire

@@ -0,0 +1 @@
+refire:1778784369

.gitea/scripts/ci-required-drift.py

@@ -203,12 +203,17 @@ def ci_jobs_all(ci_doc: dict) -> set[str]:
 
 def ci_job_names(ci_doc: dict) -> set[str]:
     """Set of job keys in ci.yml MINUS the sentinel itself MINUS jobs
-    whose `if:` gates on `github.event_name` (those are event-scoped
-    and can legitimately be `skipped` for a given trigger; if we
-    required them under the sentinel `needs:`, every PR-only job
+    whose `if:` gates on `github.event_name` or `github.ref` (those are
+    event-scoped and can legitimately be `skipped` for a given trigger;
+    if we required them under the sentinel `needs:`, every PR-only job
     would be `skipped` on push and the sentinel would interpret
     `skipped != success` as failure). RFC §4 spec.
 
+    `github.ref` is the companion gate for jobs that run only on direct
+    pushes to specific branches (e.g. `github.ref == 'refs/heads/main'`).
+    These never execute in a PR context, so flagging them as missing
+    from `all-required.needs:` is a false positive (mc#958 / mc#959).
+
     Used for F1 (jobs missing from sentinel needs). NOT used for F1b
     (typos in needs) — see `ci_jobs_all` for that."""
     jobs = ci_doc.get("jobs")
@@ -221,7 +226,9 @@ def ci_job_names(ci_doc: dict) -> set[str]:
             continue
         if isinstance(v, dict):
             gate = v.get("if")
-            if isinstance(gate, str) and "github.event_name" in gate:
+            if isinstance(gate, str) and (
+                "github.event_name" in gate or "github.ref" in gate
+            ):
                 continue
         names.add(k)
     return names

.gitea/scripts/gitea-merge-queue.py

@@ -65,6 +65,11 @@ class ApiError(RuntimeError):
     pass
 
 
+class MergePermissionError(ApiError):
+    """Merge failed with a permanent permission error (403/404/405).
+    The queue should skip this PR and move to the next one."""
+
+
 @dataclasses.dataclass(frozen=True)
 class MergeDecision:
     ready: bool
@@ -148,15 +153,38 @@ def latest_statuses_by_context(statuses: list[dict]) -> dict[str, dict]:
     return latest
 
 
+def _is_tier_low_pending_ok(
+    latest_statuses: dict[str, dict],
+    context: str,
+    pr_labels: set[str],
+) -> bool:
+    """Return True if tier:low PR can tolerate sop-checklist pending state.
+
+    Per sop-checklist-config.yaml tier_failure_mode, tier:low uses soft-fail:
+    sop-checklist posts state=pending when acks are satisfied (missing
+    manager/ceo acks are informational only). The queue should accept
+    pending instead of waiting for success.
+    """
+    if "tier:low" not in pr_labels:
+        return False
+    if "sop-checklist" not in context:
+        return False
+    status = latest_statuses.get(context) or {}
+    return status_state(status) == "pending"
+
+
 def required_contexts_green(
     latest_statuses: dict[str, dict],
     contexts: list[str],
+    pr_labels: set[str] | None = None,
 ) -> tuple[bool, list[str]]:
     missing_or_bad: list[str] = []
     for context in contexts:
         status = latest_statuses.get(context)
         state = status_state(status or {})
         if state != "success":
+            if pr_labels and _is_tier_low_pending_ok(latest_statuses, context, pr_labels):
+                continue  # tier:low soft-fail: accept pending sop-checklist
             missing_or_bad.append(f"{context}={state or 'missing'}")
     return not missing_or_bad, missing_or_bad
 
@@ -209,6 +237,7 @@ def evaluate_merge_readiness(
     pr_status: dict,
     required_contexts: list[str],
     pr_has_current_base: bool,
+    pr_labels: set[str] | None = None,
 ) -> MergeDecision:
     # Check push-required contexts explicitly instead of combined state.
     # Combined state can be "failure" due to non-blocking jobs
@@ -228,7 +257,7 @@ def evaluate_merge_readiness(
     # The required_contexts list is the authoritative gate — it includes only
     # the checks that actually block merges.
     latest = latest_statuses_by_context(pr_status.get("statuses") or [])
-    ok, missing_or_bad = required_contexts_green(latest, required_contexts)
+    ok, missing_or_bad = required_contexts_green(latest, required_contexts, pr_labels)
     if not ok:
         return MergeDecision(False, "wait", "required contexts not green: " + ", ".join(missing_or_bad))
     return MergeDecision(True, "merge", "ready")
@@ -253,27 +282,32 @@ def get_combined_status(sha: str) -> dict:
     _, combined = api("GET", f"/repos/{OWNER}/{NAME}/commits/{sha}/status")
     if not isinstance(combined, dict):
         raise ApiError(f"status for {sha} response not object")
-    # Fetch full statuses list; 200 covers >99% of real-world runs.
-    # The list is ordered ascending by id (oldest first) — callers must
-    # iterate in reverse to get the newest entry per context.
-    # Best-effort: large repos (main with 550+ statuses) may time out.
-    # On timeout, fall back to the statuses[] already in the combined
-    # response (usually 30 entries — enough for most PRs, enough for
-    # main's early push-required contexts).
+    combined_statuses: list[dict] = combined.get("statuses") or []
     try:
-        _, all_statuses = api(
+        _, all_statuses_raw = api(
             "GET",
             f"/repos/{OWNER}/{NAME}/commits/{sha}/statuses",
             query={"limit": "50"},
         )
-        if isinstance(all_statuses, list):
-            combined["statuses"] = all_statuses
+        if isinstance(all_statuses_raw, list):
+            all_statuses: list[dict] = list(all_statuses_raw)
+        else:
+            all_statuses = []
     except (ApiError, urllib.error.URLError, TimeoutError, OSError) as exc:
-        # URLError covers network-level failures (DNS, refused, timeout).
-        # TimeoutError and OSError cover socket-level timeouts.
         sys.stderr.write(f"::warning::could not fetch full statuses list for {sha[:8]}: {exc}\n")
-        # Fall back to the statuses[] already in the combined response.
-        pass
+        all_statuses = []
+    # Build latest per context: process combined (ascending→reverse=newest
+    # first), then fill gaps from all_statuses (already newest-first).
+    latest: dict[str, dict] = {}
+    for status in reversed(sorted(combined_statuses, key=lambda s: s.get("id") or 0)):
+        ctx = status.get("context")
+        if isinstance(ctx, str) and ctx not in latest:
+            latest[ctx] = status
+    for status in all_statuses:
+        ctx = status.get("context")
+        if isinstance(ctx, str) and ctx not in latest:
+            latest[ctx] = status
+    combined["statuses"] = list(latest.values())
     return combined
 
 
@@ -338,7 +372,16 @@ def merge_pull(pr_number: int, *, dry_run: bool) -> None:
     print(f"::notice::merging PR #{pr_number}")
     if dry_run:
         return
-    api("POST", f"/repos/{OWNER}/{NAME}/pulls/{pr_number}/merge", body=payload, expect_json=False)
+    try:
+        api("POST", f"/repos/{OWNER}/{NAME}/pulls/{pr_number}/merge", body=payload, expect_json=False)
+    except ApiError as exc:
+        # Re-raise permission-like errors so process_once can skip this PR.
+        # 403 = no push access, 404 = repo/pr not found, 405 = not allowed.
+        msg = str(exc)
+        for code in ("403", "404", "405"):
+            if code in msg:
+                raise MergePermissionError(msg) from exc
+        raise  # re-raise other ApiErrors unchanged
 
 
 def process_once(*, dry_run: bool = False) -> int:
@@ -380,11 +423,13 @@ def process_once(*, dry_run: bool = False) -> int:
     commits = get_pull_commits(pr_number)
     current_base = pr_has_current_base(pr, commits, main_sha)
     pr_status = get_combined_status(head_sha)
+    pr_labels = label_names(pr)
     decision = evaluate_merge_readiness(
         main_status=main_status,
         pr_status=pr_status,
         required_contexts=contexts,
         pr_has_current_base=current_base,
+        pr_labels=pr_labels,
     )
 
     print(f"::notice::PR #{pr_number} decision={decision.action}: {decision.reason}")
@@ -407,7 +452,25 @@ def process_once(*, dry_run: bool = False) -> int:
                 "deferring to next tick"
             )
             return 0
-        merge_pull(pr_number, dry_run=dry_run)
+        try:
+            merge_pull(pr_number, dry_run=dry_run)
+        except MergePermissionError as exc:
+            # Permanent merge failure (HTTP 403/404/405). Post a comment so
+            # maintainers know why, then return 0 so this tick is done.
+            # The PR stays in the queue; future ticks can retry after the
+            # permission issue is resolved.
+            sys.stderr.write(f"::error::merge permission error for PR #{pr_number}: {exc}\n")
+            post_comment(
+                pr_number,
+                (
+                    "merge-queue: merge failed with HTTP 405 'User not allowed to merge PR'. "
+                    "No available token has Can-merge permission on this repo. "
+                    "Fix: grant Can-merge to a token, or add a maintain/admin collaborator. "
+                    "Skipping to next queued PR on next tick."
+                ),
+                dry_run=dry_run,
+            )
+            return 0
         return 0
     return 0
 
@@ -417,7 +480,21 @@ def main() -> int:
     parser.add_argument("--dry-run", action="store_true")
     args = parser.parse_args()
     _require_runtime_env()
-    return process_once(dry_run=args.dry_run)
+    try:
+        return process_once(dry_run=args.dry_run)
+    except ApiError as exc:
+        # API errors (401/403/404/500) are transient for a queue tick —
+        # log and exit 0 so the workflow is not marked failed and the next
+        # tick can retry. Returning non-zero would permanently fail the
+        # workflow run, blocking future ticks.
+        sys.stderr.write(f"::error::queue API error: {exc}\n")
+        return 0
+    except urllib.error.URLError as exc:
+        sys.stderr.write(f"::error::queue network error: {exc}\n")
+        return 0
+    except TimeoutError as exc:
+        sys.stderr.write(f"::error::queue timeout: {exc}\n")
+        return 0
 
 
 if __name__ == "__main__":

.gitea/scripts/review-check.sh

@@ -100,11 +100,12 @@ printf 'header = "Authorization: token %s"\n' "$GITEA_TOKEN" > "$CURL_AUTH_FILE"
 # (bash trap 'function' EXIT expands variables at trap-fire time, not def time).
 PR_JSON=$(mktemp)
 REVIEWS_JSON=$(mktemp)
+COMMENTS_JSON=$(mktemp)
 TEAM_PROBE_TMP=$(mktemp)
 NA_STATUSES_TMP=""  # declared here so cleanup() always has the var
 
 cleanup() {
-  rm -f "$CURL_AUTH_FILE" "$PR_JSON" "$REVIEWS_JSON" "$TEAM_PROBE_TMP" "${NA_STATUSES_TMP-}"
+  rm -f "$CURL_AUTH_FILE" "$PR_JSON" "$REVIEWS_JSON" "$COMMENTS_JSON" "$TEAM_PROBE_TMP" "${NA_STATUSES_TMP-}"
 }
 trap cleanup EXIT
 
@@ -206,7 +207,81 @@ CANDIDATES=$(jq -r --arg author "$PR_AUTHOR" --arg head "$PR_HEAD_SHA" "$JQ_FILT
 debug "candidate non-author approvers: $(echo "$CANDIDATES" | tr '\n' ' ')"
 
 if [ -z "$CANDIDATES" ]; then
-  echo "::error::${TEAM}-review awaiting non-author APPROVE from ${TEAM} team (no candidates yet)"
+  # --- Guardrail (internal#503): explain the most common false
+  # "no candidates" red. Gitea's review event enum is EXACTLY
+  # APPROVED/REQUEST_CHANGES/COMMENT/PENDING. A wrong value ("APPROVE",
+  # lowercase, ...) is silently accepted (HTTP 200) and stored as
+  # state=PENDING. A correctly-started draft review has an EMPTY body;
+  # a NON-empty body + state==PENDING by a non-author == an intended
+  # verdict mis-filed by a wrong event string. Surface it actionably.
+  # This does NOT change the gate result (still fail-closed below) — it
+  # only converts a mystery red into a named, self-fixing error.
+  MISFILED_FILTER='.[]
+    | select(.state == "PENDING")
+    | select(.dismissed != true)
+    | select(.user.login != $author)
+    | select(((.body // "") | gsub("^\\s+|\\s+$";"") | length) > 0)
+    | "\(.id)\t\(.user.login)"'
+  MISFILED=$(jq -r --arg author "$PR_AUTHOR" "$MISFILED_FILTER" "$REVIEWS_JSON" 2>/dev/null || true)
+  if [ -n "$MISFILED" ]; then
+    echo "::error::${TEAM}-review: non-author review(s) were SUBMITTED but stored as PENDING — almost certainly the wrong Gitea review event string (internal#503)."
+    echo "::error::Gitea accepts ONLY the exact enum APPROVED / REQUEST_CHANGES / COMMENT. 'APPROVE' or lowercase is silently (HTTP 200) filed as PENDING and is invisible to this gate."
+    printf '%s\n' "$MISFILED" | while IFS="$(printf '\t')" read -r _rid _rl; do
+      [ -n "${_rid:-}" ] && echo "::error::  review id=${_rid} by '${_rl}': RE-SUBMIT via POST ${API}/repos/${OWNER}/${NAME}/pulls/${PR_NUMBER}/reviews with {\"event\":\"APPROVED\"} (correct enum) — do NOT edit the DB."
+    done
+  fi
+
+  # --- Fallback (internal#348): check issue comments for agent-approval ---
+  # core-qa-agent and core-security-agent approve via issue comments, NOT
+  # the reviews API. The reviews API returns zero entries for comment-only
+  # approvals. This fallback reads PR issue comments and extracts logins that:
+  #   1. Posted a comment matching the agent-prefix pattern for this gate:
+  #        qa      → "[core-qa-agent] APPROVED"
+  #        security → "[core-security-agent] APPROVED"
+  #      OR posted a generic approval keyword (word-anchored, case-insensitive):
+  #        APPROVED / LGTM / ACCEPTED
+  #   2. Are not the PR author
+  #   3. The team-membership probe below is the authoritative filter.
+  AGENT_PATTERN=""
+  case "$TEAM" in
+    qa)       AGENT_PATTERN="\\[core-qa-agent\\]" ;;
+    security) AGENT_PATTERN="\\[core-security-agent\\]" ;;
+  esac
+  HTTP_CODE=$(curl -sS -o "$COMMENTS_JSON" -w '%{http_code}' \
+    -K "$CURL_AUTH_FILE" "${API}/repos/${OWNER}/${NAME}/issues/${PR_NUMBER}/comments")
+  debug "GET /issues/${PR_NUMBER}/comments → HTTP ${HTTP_CODE}"
+  if [ "$HTTP_CODE" = "200" ]; then
+    # JQ expression: select non-author comments that match either the
+    # agent-prefix pattern (case-insensitive) OR a generic approval keyword.
+    JQ_APPROVALS='
+      .[] |
+      select(.user.login != $author) |
+      . as $cmt |
+      if ($agent_pattern | length) > 0 and ($cmt.body // "" | test($agent_pattern; "i")) then
+        $cmt.user.login
+      elif ($cmt.body // "" | test("\\b(APPROVED|LGTM|ACCEPTED)\\b"; "i")) then
+        $cmt.user.login
+      else
+        empty
+      end
+    '
+    CANDIDATES=$(jq -r \
+      --arg author "$PR_AUTHOR" \
+      --arg agent_pattern "$AGENT_PATTERN" \
+      "$JQ_APPROVALS" \
+      "$COMMENTS_JSON" 2>/dev/null | sort -u)
+    debug "comment-based approval candidates: $(echo "$CANDIDATES" | tr '\n' ' ')"
+
+    if [ -n "$CANDIDATES" ]; then
+      echo "::notice::${TEAM}-review: reviews API found no APPROVED reviews; found $(echo "$CANDIDATES" | wc -w | xargs) comment-based approval candidate(s) — verifying team membership..."
+    fi
+  else
+    debug "could not fetch issue comments (HTTP ${HTTP_CODE})"
+  fi
+fi
+
+if [ -z "${CANDIDATES:-}" ]; then
+  echo "::error::${TEAM}-review awaiting non-author APPROVE from ${TEAM} team (no candidates from reviews API or issue comments)"
   exit 1
 fi
 

.gitea/scripts/sop-checklist.py

@@ -68,7 +68,7 @@ import sys
 import urllib.error
 import urllib.parse
 import urllib.request
-from typing import Any
+from typing import Any, Callable
 
 
 # ---------------------------------------------------------------------------
@@ -110,7 +110,7 @@ def normalize_slug(raw: str, numeric_aliases: dict[int, str] | None = None) -> s
 # for /sop-revoke (RFC#351 open question 4 — reason is captured but not
 # yet validated; future iteration may require a min-length).
 _DIRECTIVE_RE = re.compile(
-    r"^[ \t]*/(sop-ack|sop-revoke)[ \t]+([A-Za-z0-9_\- ]+?)(?:[ \t]+(.*))?[ \t]*$",
+    r"^[ \t]*/(sop-ack|sop-revoke|sop-n/a)[ \t]+([A-Za-z0-9_\- ]+?)(?:[ \t]+(.*))?[ \t]*$",
     re.MULTILINE,
 )
 
@@ -118,19 +118,21 @@ _DIRECTIVE_RE = re.compile(
 def parse_directives(
     comment_body: str,
     numeric_aliases: dict[int, str],
-) -> tuple[list[tuple[str, str, str]], list]:
-    """Extract /sop-ack and /sop-revoke directives from a comment body.
+) -> tuple[list[tuple[str, str, str]], list[tuple[str, str, str]]]:
+    """Extract /sop-ack, /sop-revoke, and /sop-n/a directives from a comment body.
 
-    Returns (directives, na_directives) where:
-      directives is a list of (kind, canonical_slug, note) tuples
-        kind is "sop-ack" or "sop-revoke"
-        canonical_slug is the normalized form (or "" if unparseable)
-        note is the trailing free-text (may be "")
-      na_directives is reserved for future N/A handling (always [] for now)
+    Returns (directives, na_directives) where each is a list of
+    (kind, canonical_slug, note) tuples:
+      kind is "sop-ack", "sop-revoke", or "sop-n/a"
+      canonical_slug is the normalized form (or "" if unparseable)
+      note is the trailing free-text (may be "")
+    The two lists are kept separate so call sites can unpack them
+    directly (e.g. directives, na_directives = parse_directives(...)).
     """
-    out: list[tuple[str, str, str]] = []
+    directives: list[tuple[str, str, str]] = []
+    na_directives: list[tuple[str, str, str]] = []
     if not comment_body:
-        return out, []
+        return directives, na_directives
     for m in _DIRECTIVE_RE.finditer(comment_body):
         kind = m.group(1)
         raw_slug = (m.group(2) or "").strip()
@@ -160,8 +162,12 @@ def parse_directives(
         note_from_group = (m.group(3) or "").strip()
         # If we collapsed multi-word slug into kebab and there's a
         # trailing-text group too, append it.
-        out.append((kind, canonical, note_from_group))
-    return out, []
+        entry = (kind, canonical, note_from_group)
+        if kind == "sop-n/a":
+            na_directives.append(entry)
+        else:
+            directives.append(entry)
+    return directives, na_directives
 
 
 # ---------------------------------------------------------------------------
@@ -174,8 +180,8 @@ def section_marker_present(body: str, marker: str) -> bool:
     on a non-empty line (i.e. the author actually filled it in).
 
     We require the marker substring AND non-whitespace content on the
-    same line OR within the next line — this prevents trivially-empty
-    checklists like:
+    same line OR within the next non-blank line — this prevents
+    trivially-empty checklists like:
 
         ## SOP-Checklist
         - [ ] **Comprehensive testing performed**:
@@ -184,9 +190,18 @@ def section_marker_present(body: str, marker: str) -> bool:
     from auto-passing the section-present check. The peer-ack is still
     required, but answering with empty content is captured as a soft
     finding via the section-present test alone.
+
+    NOTE: we scan forward through blank lines (the markdown-header pattern
+    is ## Header\\n\\ncontent) so that a header + blank-line + content
+    structure still satisfies the check. The backward checkbox fallback
+    catches inline markers without a preceding checkbox (mc#1099).
     """
     if not body or not marker:
         return False
+    # Strip trailing whitespace so the blank-line scan below can find
+    # content that appears on the very last line of the body (without
+    # being misled by a trailing \n or spaces).
+    body = body.rstrip()
     body_lower = body.lower()
     marker_lower = marker.lower()
     idx = body_lower.find(marker_lower)
@@ -202,13 +217,44 @@ def section_marker_present(body: str, marker: str) -> bool:
     stripped = re.sub(r"[\s\*:\-\[\]]+", "", line)
     if stripped:
         return True
-    # Fall through: check the NEXT line (multi-line answers).
-    next_line_end = body.find("\n", line_end + 1)
-    if next_line_end < 0:
-        next_line_end = len(body)
-    next_line = body[line_end + 1:next_line_end]
-    stripped_next = re.sub(r"[\s\*:\-\[\]]+", "", next_line)
-    return bool(stripped_next)
+    # Fall through: scan forward, skipping blank-only lines, until we find
+    # non-empty content or run out of body.  Handles:
+    #   ## Header          ← marker line (empty after marker)
+    #                      ← blank line (skipped)
+    #   - actual content   ← found
+    pos = line_end
+    while True:
+        # Skip the current newline and any additional newlines (blank lines).
+        while pos < len(body) and body[pos] == "\n":
+            pos += 1
+        if pos >= len(body):
+            break
+        line_end = body.find("\n", pos)
+        if line_end < 0:
+            line_end = len(body)
+        line = body[pos:line_end]
+        stripped = re.sub(r"[\s\*:\-\[\]]+", "", line)
+        if stripped:
+            return True
+        pos = line_end
+    # Last resort: the marker may appear mid-sentence (e.g.
+    # **Memory/saved-feedback consulted**: No applicable...).
+    # Search backward within the CURRENT LINE only (not preceding lines)
+    # to find a checkbox on the same line before the marker text.
+    # mc#1099 follow-up: memory-consulted detection was failing because
+    # the checkbox was on the same line before the inline marker.
+    _CHECKBOX_RE = re.compile(r"- \[[ x\]]|<input", re.IGNORECASE)
+    line_start = body.rfind("\n", 0, idx) + 1  # 0 if no newline before idx
+    before = body[line_start:idx]
+    m = _CHECKBOX_RE.search(before)
+    if not m:
+        return False
+    # Require meaningful content between the checkbox and the marker text
+    # (markdown formatting like ** or * must also be stripped).
+    # If only whitespace/markdown chars remain, the checkbox line is empty.
+    between = before[m.end() :]
+    stripped_between = re.sub(r"[\s\*:#\[\]_\-]+", "", between)
+    return bool(stripped_between)
 
 
 # ---------------------------------------------------------------------------
@@ -251,8 +297,7 @@ def compute_ack_state(
         user = (c.get("user") or {}).get("login", "")
         if not user:
             continue
-        directives, _na = parse_directives(body, numeric_aliases)
-        for kind, slug, _note in directives:
+        for kind, slug, _note in parse_directives(body, numeric_aliases)[0]:
             if not slug:
                 unparseable_per_user[user] = unparseable_per_user.get(user, 0) + 1
                 continue
@@ -304,6 +349,63 @@ def compute_ack_state(
     }
 
 
+# ---------------------------------------------------------------------------
+# N/A-gate evaluation
+# ---------------------------------------------------------------------------
+
+
+def compute_na_state(
+    comments: list[dict[str, Any]],
+    author: str,
+    na_gates: dict[str, Any],
+    probe: Callable[[str, list[str]], list[str]],
+) -> dict[str, dict[str, Any]]:
+    """Evaluate which N/A gates have a valid declaration from a team member.
+
+    Returns dict[gate_name, dict] where each dict has:
+      declared: bool — at least one valid non-author team-member declared N/A
+      decl_ackers: list[str] — usernames who declared this gate N/A
+      rejected: dict with keys:
+        not_in_team: list[str] — users who tried but aren't in required teams
+    """
+    # Build per-user latest N/A directive (most-recent wins per RFC#324).
+    latest_na: dict[str, tuple[str, str]] = {}  # user → (gate, note)
+    for c in comments:
+        body = c.get("body", "") or ""
+        user = (c.get("user") or {}).get("login", "")
+        if not user:
+            continue
+        for kind, gate, note in parse_directives(body, {})[1]:
+            # [1] = na_directives only
+            if gate in na_gates:
+                latest_na[user] = (gate, note)
+
+    result: dict[str, dict[str, Any]] = {}
+    for gate, gate_cfg in na_gates.items():
+        result[gate] = {
+            "declared": False,
+            "decl_ackers": [],
+            "rejected": {"not_in_team": []},
+        }
+        decl_ackers: list[str] = []
+        not_in_team: list[str] = []
+        for user, (g, _note) in latest_na.items():
+            if g != gate:
+                continue
+            if user == author:
+                continue  # authors cannot self-declare N/A
+            approved = probe(gate, [user])
+            if approved:
+                decl_ackers.append(user)
+            else:
+                not_in_team.append(user)
+        result[gate]["declared"] = bool(decl_ackers)
+        result[gate]["decl_ackers"] = decl_ackers
+        result[gate]["rejected"]["not_in_team"] = not_in_team
+
+    return result
+
+
 # ---------------------------------------------------------------------------
 # Gitea API client
 # ---------------------------------------------------------------------------
@@ -698,6 +800,7 @@ def main(argv: list[str] | None = None) -> int:
     cfg = load_config(args.config)
     items: list[dict[str, Any]] = cfg["items"]
     items_by_slug = {it["slug"]: it for it in items}
+    na_gates: dict[str, Any] = cfg.get("n/a_gates", {})
     numeric_aliases = {
         int(it["numeric_alias"]): it["slug"] for it in items if it.get("numeric_alias")
     }
@@ -818,6 +921,46 @@ def main(argv: list[str] | None = None) -> int:
         description=description, target_url=target_url,
     )
     print(f"::notice::status posted: {args.status_context} → {state}")
+
+    # --- N/A gate status (RFC#324 §N/A follow-up) ---
+    # Post a separate status so review-check.sh can discover N/A declarations
+    # and waive the Gitea-approve requirement for that gate.
+    na_state: dict[str, dict[str, Any]] = {}
+    if na_gates:
+        na_state = compute_na_state(comments, author, na_gates, probe)
+
+        na_descs: list[str] = []
+        for gate, s in na_state.items():
+            if s["declared"]:
+                na_descs.append(gate)
+            decl = s["decl_ackers"]
+            rej = s["rejected"]["not_in_team"]
+            if decl:
+                print(f"::notice::  [N/A OK] {gate} — declared by {','.join(decl)}")
+            if rej:
+                print(
+                    f"::notice::  [N/A REJ] {gate} — not-in-team: {','.join(rej)}",
+                    file=sys.stderr,
+                )
+
+        na_desc = ", ".join(sorted(na_descs)) if na_descs else "(none)"
+        na_status_state = "success" if na_descs else "pending"
+        # review-check.sh reads the description to discover which gates are N/A.
+        # Include the gate names so it can grep for them.
+        na_description = f"N/A: {na_desc}" if na_descs else "N/A: (none)"
+
+        if not args.dry_run:
+            client.post_status(
+                args.owner, args.repo, head_sha,
+                state=na_status_state,
+                context="sop-checklist / na-declarations (pull_request)",
+                description=na_description,
+                target_url=target_url,
+            )
+            print(
+                f"::notice::na-declarations status → {na_status_state}: {na_description}"
+            )
+
     # By default exit 0 — the POSTed status IS the gate, NOT the job
     # conclusion. If the job exits 1 BP will see TWO failure signals
     # (one from the job's auto-status, one from our POST), making the

.gitea/scripts/tests/_review_check_fixture.py

@@ -17,6 +17,9 @@ Scenarios:
   T8_team_not_member          — team membership → 404 (not a member) → exit 1
   T9_team_403                — team membership → 403 (token not in team) → exit 1
   T14_non_default_base        — open PR targeting staging → script exits 0 (no-op)
+  T15_comments_agent_approval — reviews empty; comments have "[core-qa-agent] APPROVED" → exit 0
+  T16_comments_generic_approval — reviews empty; comments have "APPROVED" by team member → exit 0
+  T17_comments_no_approval   — reviews empty; comments have no approval keywords → exit 1
 
 Usage:
   FIXTURE_STATE_DIR=/tmp/x python3 _review_check_fixture.py 8080
@@ -97,7 +100,9 @@ class Handler(http.server.BaseHTTPRequestHandler):
         # GET /repos/{owner}/{name}/pulls/{pr_number}/reviews
         m = re.match(r"^/api/v1/repos/([^/]+)/([^/]+)/pulls/(\d+)/reviews$", path)
         if m:
-            if sc in ("T4_reviews_empty", "T5_reviews_only_author"):
+            if sc in ("T4_reviews_empty", "T5_reviews_only_author",
+                      "T15_comments_agent_approval", "T16_comments_generic_approval",
+                      "T17_comments_no_approval"):
                 return self._json(200, [])
             if sc == "T6_reviews_dismissed":
                 return self._json(200, [{
@@ -116,6 +121,28 @@ class Handler(http.server.BaseHTTPRequestHandler):
                 {"state": "APPROVED", "dismissed": False, "user": {"login": "core-devops"}, "commit_id": "abc1234"},
             ])
 
+        # GET /repos/{owner}/{name}/issues/{pr_number}/comments
+        m = re.match(r"^/api/v1/repos/([^/]+)/([^/]+)/issues/(\d+)/comments$", path)
+        if m:
+            if sc == "T15_comments_agent_approval":
+                return self._json(200, [
+                    {"user": {"login": "core-qa-agent"}, "body": "[core-qa-agent] APPROVED this PR. Good changes.", "id": 1},
+                    {"user": {"login": "alice"}, "body": "I authored this PR", "id": 2},
+                    {"user": {"login": "random-user"}, "body": "Looks okay to me", "id": 3},
+                ])
+            if sc == "T16_comments_generic_approval":
+                return self._json(200, [
+                    {"user": {"login": "core-qa-agent"}, "body": "APPROVED — all acceptance criteria met", "id": 1},
+                    {"user": {"login": "alice"}, "body": "-authored", "id": 2},
+                ])
+            if sc == "T17_comments_no_approval":
+                return self._json(200, [
+                    {"user": {"login": "alice"}, "body": "I authored this PR", "id": 1},
+                    {"user": {"login": "random-user"}, "body": "Looks okay to me", "id": 2},
+                ])
+            # Default scenarios (T1–T9, T14): no comments
+            return self._json(200, [])
+
         # GET /teams/{team_id}/members/{username}
         m = re.match(r"^/api/v1/teams/(\d+)/members/([^/]+)$", path)
         if m:
@@ -127,6 +154,12 @@ class Handler(http.server.BaseHTTPRequestHandler):
             # T7_team_member: member
             return self._empty(204)
 
+        # GET /repos/{owner}/{name}/statuses/{sha} — for N/A declaration check
+        m = re.match(r"^/api/v1/repos/([^/]+)/([^/]+)/statuses/([a-f0-9]+)$", path)
+        if m:
+            # All comment-based scenarios have no N/A declarations
+            return self._json(200, [])
+
         return self._json(404, {"path": path, "msg": "fixture: no route"})
 
     def do_POST(self):

.gitea/scripts/tests/test_gitea_merge_queue.py

@@ -118,3 +118,13 @@ def test_merge_decision_updates_stale_pr_before_merge():
 
     assert decision.ready is False
     assert decision.action == "update"
+
+
+def test_MergePermissionError_inherits_from_ApiError():
+    assert issubclass(mq.MergePermissionError, mq.ApiError)
+
+
+def test_MergePermissionError_message_preserved():
+    exc = mq.MergePermissionError("POST /merge -> HTTP 405: User not allowed")
+    assert "405" in str(exc)
+    assert "User not allowed" in str(exc)

.gitea/scripts/tests/test_review_check.sh

@@ -334,6 +334,31 @@ assert_contains "T12 jq: core-devops (non-author APPROVED) in candidates" "core-
 assert_eq "T12 jq: alice (author) NOT in candidates" "" "$(echo "$T12_CANDIDATES" | grep '^alice$' || true)"
 assert_eq "T12 jq: carol (dismissed) NOT in candidates" "" "$(echo "$T12_CANDIDATES" | grep '^carol$' || true)"
 
+# T15 — comment-based approval via agent prefix pattern → exit 0
+echo
+echo "== T15 comment agent-prefix approval =="
+T15_OUT=$(run_review_check "T15_comments_agent_approval")
+T15_RC=$(cat "$FIX_STATE_DIR/last_rc")
+assert_eq "T15 exit code 0 (agent-comment approval + team member)" "0" "$T15_RC"
+assert_contains "T15 comment fallback notice" "comment-based approval" "$T15_OUT"
+assert_contains "T15 core-qa-agent APPROVED" "APPROVED by core-qa-agent" "$T15_OUT"
+
+# T16 — comment-based approval via generic APPROVED keyword → exit 0
+echo
+echo "== T16 comment generic keyword approval =="
+T16_OUT=$(run_review_check "T16_comments_generic_approval")
+T16_RC=$(cat "$FIX_STATE_DIR/last_rc")
+assert_eq "T16 exit code 0 (generic-approval comment + team member)" "0" "$T16_RC"
+assert_contains "T16 comment fallback notice" "comment-based approval" "$T16_OUT"
+
+# T17 — no approval keywords in comments → exit 1
+echo
+echo "== T17 comments with no approval keywords =="
+T17_OUT=$(run_review_check "T17_comments_no_approval")
+T17_RC=$(cat "$FIX_STATE_DIR/last_rc")
+assert_eq "T17 exit code 1 (no candidates from comments)" "1" "$T17_RC"
+assert_contains "T17 no candidates error" "no candidates from reviews API or issue comments" "$T17_OUT"
+
 echo
 echo "------"
 echo "PASS=$PASS FAIL=$FAIL"

.gitea/scripts/tests/test_sop_checklist.py

@@ -551,3 +551,55 @@ class TestEndToEndAckFlow(unittest.TestCase):
 
 if __name__ == "__main__":
     unittest.main(verbosity=2)
+
+
+# ---------------------------------------------------------------------------
+# compute_na_state
+# ---------------------------------------------------------------------------
+
+
+class TestComputeNaState(unittest.TestCase):
+    """Tests for /sop-n/a directive evaluation."""
+
+    def test_no_na_declarations(self):
+        cfg = sop.load_config(CONFIG_PATH)
+        na_gates = cfg.get("n/a_gates", {})
+        comments = []
+        na_state = sop.compute_na_state(comments, "alice", na_gates, lambda *_: [])
+        self.assertFalse(na_state["qa-review"]["declared"])
+        self.assertFalse(na_state["security-review"]["declared"])
+
+    def test_na_declared_by_authorized_user(self):
+        cfg = sop.load_config(CONFIG_PATH)
+        na_gates = cfg.get("n/a_gates", {})
+        comments = [_comment("bob", "/sop-n/a qa-review N/A: pure tooling change")]
+        na_state = sop.compute_na_state(comments, "alice", na_gates, lambda g, u: u)
+        self.assertTrue(na_state["qa-review"]["declared"])
+        self.assertEqual(na_state["qa-review"]["decl_ackers"], ["bob"])
+
+    def test_na_declared_by_unauthorized_user_rejected(self):
+        cfg = sop.load_config(CONFIG_PATH)
+        na_gates = cfg.get("n/a_gates", {})
+        comments = [_comment("mallory", "/sop-n/a qa-review N/A: not real team")]
+        na_state = sop.compute_na_state(comments, "alice", na_gates, lambda g, u: [])
+        self.assertFalse(na_state["qa-review"]["declared"])
+        self.assertEqual(na_state["qa-review"]["rejected"]["not_in_team"], ["mallory"])
+
+    def test_author_cannot_self_declare_na(self):
+        cfg = sop.load_config(CONFIG_PATH)
+        na_gates = cfg.get("n/a_gates", {})
+        comments = [_comment("alice", "/sop-n/a qa-review N/A: I am the author")]
+        na_state = sop.compute_na_state(comments, "alice", na_gates, lambda g, u: u)
+        self.assertFalse(na_state["qa-review"]["declared"])
+
+    def test_parse_directives_separates_na_from_ack(self):
+        directives, na_directives = sop.parse_directives(
+            "/sop-ack comprehensive-testing\n/sop-n/a qa-review N/A: no surface",
+            {},
+        )
+        self.assertEqual(len(directives), 1)
+        self.assertEqual(directives[0][0], "sop-ack")
+        self.assertEqual(len(na_directives), 1)
+        self.assertEqual(na_directives[0][0], "sop-n/a")
+        self.assertEqual(na_directives[0][1], "qa-review")
+        self.assertIn("no surface", na_directives[0][2])

.gitea/workflows/ci-mcp-stdio-transport.yml

@@ -158,8 +158,68 @@ jobs:
             echo "NOTE: No warning in output (may be suppressed by log level)"
           fi
 
+      - name: Reproduce openclaw failure — pipe held OPEN, no EOF
+        run: |
+          set -euo pipefail
+          echo "=== keep-stdin-open pipe (the real openclaw / Claude Code case) ==="
+          echo ""
+          echo "Before the readline() fix this HANGS: main() did"
+          echo "  stdin.read(65536)  -> on a pipe, blocks until 64KB OR EOF."
+          echo "An MCP client sends one ~150B initialize and keeps stdin"
+          echo "open waiting for the response, so the server never parsed"
+          echo "the request and the client timed out (openclaw: 'MCP error"
+          echo "-32000: Connection closed'). The earlier regular-file /"
+          echo "heredoc-pipe steps PASSED through this bug because a file"
+          echo "(or a closing heredoc) yields EOF immediately."
+          echo ""
+
+          # Drive the server through a real pipe that stays OPEN: write
+          # one initialize, do NOT close stdin, and require a response
+          # within a hard timeout. read(65536) -> no output -> timeout
+          # kills it -> FAIL. readline() -> immediate response -> PASS.
+          python - <<'PYEOF'
+          import json, subprocess, sys, time, select
+
+          proc = subprocess.Popen(
+              [sys.executable, "a2a_mcp_server.py"],
+              stdin=subprocess.PIPE, stdout=subprocess.PIPE,
+              stderr=subprocess.STDOUT,
+              env={**__import__("os").environ},
+          )
+          req = json.dumps({
+              "jsonrpc": "2.0", "id": 1, "method": "initialize",
+              "params": {"protocolVersion": "2024-11-05",
+                         "capabilities": {},
+                         "clientInfo": {"name": "keepopen", "version": "1"}},
+          }) + "\n"
+          proc.stdin.write(req.encode())
+          proc.stdin.flush()
+          # Deliberately DO NOT close proc.stdin — mirror a live MCP client.
+
+          deadline = time.time() + 15
+          line = b""
+          while time.time() < deadline:
+              r, _, _ = select.select([proc.stdout], [], [], 1)
+              if r:
+                  line = proc.stdout.readline()
+                  if line:
+                      break
+          proc.kill()
+
+          if not line:
+              print("FAIL: no response within 15s on an open pipe — "
+                    "stdin.read(65536) regression is back")
+              sys.exit(1)
+          resp = json.loads(line.decode())
+          assert resp.get("id") == 1 and "result" in resp, \
+              f"unexpected response: {line[:200]!r}"
+          assert resp["result"]["serverInfo"]["name"] == "molecule", \
+              f"wrong serverInfo: {line[:200]!r}"
+          print("PASS: server answered initialize on a still-open pipe")
+          PYEOF
+
       - name: Run unit tests for stdio transport
         run: |
           set -euo pipefail
           echo "=== Running stdio transport unit tests ==="
-          python -m pytest tests/test_a2a_mcp_server.py::TestStdioPipeAssertion -v --no-cov
+          python -m pytest tests/test_a2a_mcp_server.py::TestStdioPipeAssertion tests/test_a2a_mcp_server.py::TestStdioKeepOpenPipe -v --no-cov

.gitea/workflows/ci.yml

@@ -348,16 +348,15 @@ jobs:
   # Shellcheck (E2E scripts) — required check, always runs.
   shellcheck:
     name: Shellcheck (E2E scripts)
-    needs: changes
     runs-on: ubuntu-latest
     # Phase 4 (RFC #219 §1): confirmed green on main 2026-05-12.
     continue-on-error: false
     steps:
-      - if: needs.changes.outputs.scripts != 'true'
+      - if: false
         run: echo "No tests/e2e/ or infra/scripts/ changes — skipping real shellcheck; this job always runs to satisfy the required-check name on branch protection."
-      - if: needs.changes.outputs.scripts == 'true'
+      - if: always()
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - if: needs.changes.outputs.scripts == 'true'
+      - if: always()
         name: Run shellcheck on tests/e2e/*.sh and infra/scripts/*.sh
         # shellcheck is pre-installed on ubuntu-latest runners (via apt).
         # infra/scripts/ is included because setup.sh + nuke.sh gate the
@@ -368,16 +367,16 @@ jobs:
           find tests/e2e infra/scripts -type f -name '*.sh' -print0 \
             | xargs -0 shellcheck --severity=warning
 
-      - if: needs.changes.outputs.scripts == 'true'
+      - if: always()
         name: Lint cleanup-trap hygiene (RFC #2873)
         run: bash tests/e2e/lint_cleanup_traps.sh
 
-      - if: needs.changes.outputs.scripts == 'true'
+      - if: always()
         name: Run E2E bash unit tests (no live infra)
         run: |
           bash tests/e2e/test_model_slug.sh
 
-      - if: needs.changes.outputs.scripts == 'true'
+      - if: always()
         name: Test ECR promote-tenant-image script (mock-driven, no live infra)
         # Covers scripts/promote-tenant-image.sh — the codified
         # :staging-latest → :latest ECR promote + tenant fleet redeploy
@@ -387,7 +386,7 @@ jobs:
         run: |
           bash scripts/test-promote-tenant-image.sh
 
-      - if: needs.changes.outputs.scripts == 'true'
+      - if: always()
         name: Shellcheck promote-tenant-image script
         # scripts/ is excluded from the bulk shellcheck pass above (legacy
         # SC3040/SC3043 cleanup pending). Run shellcheck explicitly on
@@ -407,8 +406,8 @@ jobs:
     # ci_job_names() detects this as github.ref-gated and skips it from F1.
     # The step-level exit 0 handles the "not main push" case; the job-level
     # `if:` makes the gating explicit so the drift script sees it.
-    # continue-on-error removed (was mc#774 mask): step exits 0 when not applicable.
-    if: ${{ github.ref == 'refs/heads/staging' }}
+    # Runs on both main and staging pushes; step exits 0 when not applicable.
+    if: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/staging' }}
     needs: [changes, canvas-build]
     steps:
       - name: Write deploy reminder to step summary
@@ -459,7 +458,6 @@ jobs:
   # Python Lint & Test — required check, always runs.
   python-lint:
     name: Python Lint & Test
-    needs: changes
     runs-on: ubuntu-latest
     # Phase 4 (RFC #219 §1): confirmed green on main 2026-05-12.
     continue-on-error: false
@@ -469,25 +467,25 @@ jobs:
       run:
         working-directory: workspace
     steps:
-      - if: needs.changes.outputs.python != 'true'
+      - if: false
         working-directory: .
         run: echo "No workspace/** changes — skipping real lint+test; this job always runs to satisfy the required-check name on branch protection."
-      - if: needs.changes.outputs.python == 'true'
+      - if: always()
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - if: needs.changes.outputs.python == 'true'
+      - if: always()
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.11'
           cache: pip
           cache-dependency-path: workspace/requirements.txt
-      - if: needs.changes.outputs.python == 'true'
+      - if: always()
         run: pip install -r requirements.txt pytest pytest-asyncio pytest-cov sqlalchemy>=2.0.0
       # Coverage flags + fail-under floor moved into workspace/pytest.ini
       # (issue #1817) so local `pytest` and CI use identical config.
-      - if: needs.changes.outputs.python == 'true'
+      - if: always()
         run: python -m pytest --tb=short
 
-      - if: needs.changes.outputs.python == 'true'
+      - if: always()
         name: Per-file critical-path coverage (MCP / inbox / auth)
         # MCP-critical Python files have a per-file floor on top of the
         # 86% total floor in pytest.ini. See issue #2790 for full rationale.
@@ -540,11 +538,13 @@ jobs:
   all-required:
     # Aggregator sentinel — RFC internal#219 §2 (Phase 4 — closes internal#286).
     #
-    # Single stable required-status name that branch protection points at;
-    # CI churns underneath in `needs:` without any protection edits. Mirrors
-    # the molecule-controlplane Phase 2a impl shipped in CP PR#112 and
-    # referenced by `internal#286` ("Phase 4 is a single small PR... mirrors
-    # CP's existing one").
+    # Emits `CI / all-required (<event>)` where <event> is the workflow trigger
+    # (e.g. `CI / all-required (pull_request)`, `CI / all-required (push)`).
+    # Branch protection MUST be updated to require the event-suffixed name —
+    # requiring `CI / all-required` (bare, no suffix) silently blocks all merges
+    # because Gitea treats absent status contexts as pending (not skipped), and
+    # no workflow emits the bare name. Fixed: BP now requires
+    # `CI / all-required (pull_request)` per issue #1473.
     #
     # Closes the failure mode where status_check_contexts on molecule-core/main
     # only listed `Secret scan` + `sop-tier-check` (the 2 meta-gates), so real
@@ -552,86 +552,104 @@ jobs:
     # red silently merged through. See internal#286 for the three concrete
     # tonight-of-2026-05-11 incidents that prompted the emergency bump.
     #
-    # Three properties of this job each close a failure mode:
+    # This job deliberately has no `needs:`. Gitea 1.22/act_runner can mark a
+    # job-level `if: always()` + `needs:` sentinel as skipped before upstream
+    # jobs settle, leaving branch protection with a permanent pending
+    # `CI / all-required` context. Instead, this independent sentinel polls the
+    # required commit-status contexts for this SHA and fails if any fail, skip,
+    # or never emit.
     #
-    #  1. `if: always()` — runs even when an upstream fails. Without it the
-    #     sentinel is `skipped` and protection treats that as missing → merge
-    #     ungated.
+    # canvas-deploy-reminder is intentionally NOT included in all-required.needs.
+    # It is an informational main-push reminder, not a PR quality gate. Keeping
+    # it in this dependency list lets a skipped reminder skip the required
+    # sentinel before the `always()` guard can emit a branch-protection status.
     #
-    #  2. Assertion is `result == "success"` per dep, NOT `!= "failure"`.
-    #     A `skipped` upstream (job gated by `if:` evaluating false, matrix
-    #     entry that couldn't run) must NOT silently pass through.
-    #     `skipped`-as-green is exactly the failure mode this gate closes.
-    #
-    #  3. `needs:` is the canonical list of "what counts as required."
-    #     status_check_contexts will reference only `ci/all-required` (Step 5
-    #     follow-up — branch-protection PATCH is Owners-tier per
-    #     `feedback_never_admin_merge_bypass`, separate PR); a new job is
-    #     added simply by listing it in `needs:` here.
-    #     `.gitea/workflows/ci-required-drift.yml` files a [ci-drift] issue
-    #     hourly if this list diverges from status_check_contexts or from
-    #     audit-force-merge.yml's REQUIRED_CHECKS env (RFC §4 + §6).
-    #
-    # canvas-deploy-reminder is intentionally excluded from all-required.needs:
-    # it needs canvas-build, which is skipped on CI-only PRs (canvas=false).
-    # Including it in all-required.needs causes all-required to hang on
-    # every CI-only PR. Keep it runnable on PRs via its own
-    # `needs: [changes, canvas-build]` — the sentinel only aggregates the result.
-    #
-    # Phase 3 (RFC #219 §1) safety: underlying build jobs carry
-    # continue-on-error: true so their failures are masked to null (2026-05-12: re-enabled mc#774 interim)
-    # (Gitea suppresses status reporting for CoE jobs). This sentinel
-    # runs with continue-on-error: false so it always reports its
-    # result to the API — without this, the required-status entry
-    # (CI / all-required (pull_request)) is never created, which
-    # blocks PR merges. When Phase 3 ends, flip underlying jobs to
-    # continue-on-error: false; this sentinel can then be flipped to
-    # continue-on-error: true if a Phase-4 regression requires it.
     continue-on-error: false
     runs-on: ubuntu-latest
-    timeout-minutes: 1
-    needs:
-      - changes
-      - platform-build
-      - canvas-build
-      - shellcheck
-      - python-lint
-      - canvas-deploy-reminder
-    if: ${{ always() }}
+    timeout-minutes: 45
     steps:
-      - name: Assert every required dependency succeeded
+      - name: Wait for required CI contexts
+        env:
+          GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          API_ROOT: ${{ github.server_url }}/api/v1
+          REPOSITORY: ${{ github.repository }}
+          COMMIT_SHA: ${{ github.sha }}
+          EVENT_NAME: ${{ github.event_name }}
         run: |
           set -euo pipefail
-          # `needs.*.result` is one of: success | failure | cancelled | skipped | null.
-          # We assert success per dep (not != failure) — see RFC §2 reasoning above.
-          # Null results are skipped: they come from Phase 3 (continue-on-error: true
-          # suppresses status) or from jobs still in-flight. The sentinel succeeds
-          # rather than blocking PRs on Phase 3 noise.
-          results='${{ toJSON(needs) }}'
-          echo "$results"
-          echo "$results" | python3 -c '
-          import json, sys
-          ns = json.load(sys.stdin)
-          # Phase 3 masked: jobs with continue-on-error: true may report "failure"
-          # Remove when mc#774 handler test failures are resolved.
-          PHASE3_MASKED = {"platform-build"}
-          # Exclude null (Phase 3 suppressed / in-flight) from the bad list.
-          bad = [(k, v.get("result")) for k, v in ns.items()
-                 if v.get("result") not in ("success", None, "cancelled", "skipped") and k not in PHASE3_MASKED]
-          if bad:
-              print(f"FAIL: jobs not green:", file=sys.stderr)
-              for k, r in bad:
-                  print(f"  - {k}: {r}", file=sys.stderr)
-              sys.exit(1)
-          pending = [(k, v.get("result")) for k, v in ns.items()
-                     if v.get("result") is None]
-          cancelled = [(k, v.get("result")) for k, v in ns.items()
-                       if v.get("result") == "cancelled"]
-          if pending:
-              print(f"WARN: {len(pending)} job(s) still in-flight (result=null): " +
-                    ", ".join(k for k, _ in pending), file=sys.stderr)
-          if cancelled:
-              print(f"INFO: {len(cancelled)} job(s) masked by continue-on-error: " +
-                    ", ".join(k for k, _ in cancelled), file=sys.stderr)
-          print(f"OK: all {len(ns)} required jobs succeeded (or Phase-3 suppressed)")
-          '
+          python3 - <<'PY'
+          import json
+          import os
+          import sys
+          import time
+          import urllib.error
+          import urllib.request
+
+          token = os.environ["GITEA_TOKEN"]
+          api_root = os.environ["API_ROOT"].rstrip("/")
+          repo = os.environ["REPOSITORY"]
+          sha = os.environ["COMMIT_SHA"]
+          event = os.environ["EVENT_NAME"]
+          required = [
+              f"CI / Detect changes ({event})",
+              f"CI / Platform (Go) ({event})",
+              f"CI / Canvas (Next.js) ({event})",
+              f"CI / Shellcheck (E2E scripts) ({event})",
+              f"CI / Python Lint & Test ({event})",
+          ]
+          terminal_bad = {"failure", "error"}
+          deadline = time.time() + 40 * 60
+          last_summary = None
+
+          def fetch_statuses():
+              statuses = []
+              for page in range(1, 6):
+                  url = f"{api_root}/repos/{repo}/commits/{sha}/statuses?page={page}&limit=100"
+                  req = urllib.request.Request(url, headers={"Authorization": f"token {token}"})
+                  with urllib.request.urlopen(req, timeout=10) as resp:
+                      chunk = json.load(resp)
+                  if not chunk:
+                      break
+                  statuses.extend(chunk)
+              latest = {}
+              for item in statuses:
+                  ctx = item.get("context")
+                  if not ctx:
+                      continue
+                  prev = latest.get(ctx)
+                  if prev is None or (item.get("updated_at") or item.get("created_at") or "") >= (prev.get("updated_at") or prev.get("created_at") or ""):
+                      latest[ctx] = item
+              return latest
+
+          while True:
+              try:
+                  latest = fetch_statuses()
+              except (TimeoutError, OSError, urllib.error.URLError) as exc:
+                  if time.time() >= deadline:
+                      print(f"FAIL: status polling did not recover before deadline: {exc}", file=sys.stderr)
+                      sys.exit(1)
+                  print(f"WARN: status poll failed, retrying: {exc}", flush=True)
+                  time.sleep(15)
+                  continue
+              states = {ctx: (latest.get(ctx) or {}).get("status") or (latest.get(ctx) or {}).get("state") or "missing" for ctx in required}
+              summary = ", ".join(f"{ctx}={state}" for ctx, state in states.items())
+              if summary != last_summary:
+                  print(summary, flush=True)
+                  last_summary = summary
+              bad = {ctx: state for ctx, state in states.items() if state in terminal_bad}
+              if bad:
+                  print("FAIL: required CI context failed:", file=sys.stderr)
+                  for ctx, state in bad.items():
+                      desc = (latest.get(ctx) or {}).get("description") or ""
+                      print(f"  - {ctx}: {state} {desc}", file=sys.stderr)
+                  sys.exit(1)
+              if all(state == "success" for state in states.values()):
+                  print(f"OK: all {len(required)} required CI contexts succeeded")
+                  sys.exit(0)
+              if time.time() >= deadline:
+                  print("FAIL: timed out waiting for required CI contexts:", file=sys.stderr)
+                  for ctx, state in states.items():
+                      print(f"  - {ctx}: {state}", file=sys.stderr)
+                  sys.exit(1)
+              time.sleep(15)
+          PY

.gitea/workflows/e2e-api.yml

@@ -69,6 +69,13 @@ name: E2E API Smoke Test
 # 2318) shows Postgres ready in 3s, Redis in 1s, Platform in 1s when
 # they DO come up. Timeouts are not the bottleneck; not bumped.
 #
+# Item #1046 (fixed 2026-05-14): Stale platform-server from cancelled runs
+#   lingers on :8080 after "Stop platform" step is skipped (workflow cancelled
+#   before reaching line 335). Added a pre-start "Kill stale platform-server"
+#   step (line 286) that scans /proc for zombie platform-server processes
+#   and kills them before the port probe or bind. Makes the ephemeral port
+#   probe + start sequence deterministic.
+#
 # Item explicitly NOT fixed here: failing test `Status back online`
 # fails because the platform's langgraph workspace template image
 # (ghcr.io/molecule-ai/workspace-template-langgraph:latest) returns
@@ -283,6 +290,35 @@ jobs:
           echo "PORT=${PLATFORM_PORT}" >> "$GITHUB_ENV"
           echo "BASE=http://127.0.0.1:${PLATFORM_PORT}" >> "$GITHUB_ENV"
           echo "Platform host port: ${PLATFORM_PORT}"
+      - name: Kill stale platform-server before start (issue #1046)
+        if: needs.detect-changes.outputs.api == 'true'
+        run: |
+          # Concurrent runs on the same host-network act_runner can leave a
+          # zombie platform-server from a cancelled/timeout run. Cancelled
+          # runs never reach the "Stop platform" step (line 335), so the
+          # old process lingers. Kill it before the ephemeral port probe
+          # or start so the port is definitively free.
+          #
+          # /proc scan — works on any Linux without pkill/lsof/ss.
+          # comm field is truncated to 15 chars: "platform-serve" matches
+          # "platform-server". Verify with cmdline to avoid false positives.
+          killed=0
+          for pid in $(grep -l "platform-serve" /proc/[0-9]*/comm 2>/dev/null); do
+            kpid="${pid%/comm}"
+            kpid="${kpid##*/}"
+            cmdline=$(cat "/proc/${kpid}/cmdline" 2>/dev/null | tr '\0' ' ')
+            if echo "$cmdline" | grep -q "platform-server"; then
+              echo "Killing stale platform-server pid ${kpid}: ${cmdline}"
+              kill "$kpid" 2>/dev/null || true
+              killed=$((killed + 1))
+            fi
+          done
+          if [ "$killed" -gt 0 ]; then
+            sleep 2
+            echo "Killed $killed stale process(es); port(s) released."
+          else
+            echo "No stale platform-server found."
+          fi
       - name: Start platform (background)
         if: needs.detect-changes.outputs.api == 'true'
         working-directory: workspace-server
@@ -346,3 +382,4 @@ jobs:
         run: |
           docker rm -f "$PG_CONTAINER" 2>/dev/null || true
           docker rm -f "$REDIS_CONTAINER" 2>/dev/null || true
+

.gitea/workflows/e2e-chat.yml

@@ -97,7 +97,7 @@ jobs:
           cache-dependency-path: workspace-server/go.sum
 
       - if: needs.detect-changes.outputs.chat == 'true'
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d6f5 # v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: '22'
           cache: 'npm'
@@ -175,6 +175,19 @@ jobs:
           echo "E2E_PLATFORM_URL=http://127.0.0.1:${PLATFORM_PORT}" >> "$GITHUB_ENV"
           echo "Platform host port: ${PLATFORM_PORT}"
 
+      - name: Pick canvas port
+        if: needs.detect-changes.outputs.chat == 'true'
+        run: |
+          CANVAS_PORT=$(python3 - <<'PY'
+          import socket
+          with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
+              s.bind(("127.0.0.1", 0))
+              print(s.getsockname()[1])
+          PY
+          )
+          echo "CANVAS_PORT=${CANVAS_PORT}" >> "$GITHUB_ENV"
+          echo "Canvas host port: ${CANVAS_PORT}"
+
       - name: Start platform (background)
         if: needs.detect-changes.outputs.chat == 'true'
         working-directory: workspace-server
@@ -183,6 +196,7 @@ jobs:
           export DATABASE_URL="${DATABASE_URL}"
           export REDIS_URL="${REDIS_URL}"
           export PORT="${PLATFORM_PORT}"
+          export CORS_ORIGINS="http://localhost:3000,http://localhost:3001,http://localhost:${CANVAS_PORT},http://127.0.0.1:${CANVAS_PORT}"
           ./platform-server > platform.log 2>&1 &
           echo $! > platform.pid
 
@@ -216,10 +230,10 @@ jobs:
         run: |
           export NEXT_PUBLIC_PLATFORM_URL="http://127.0.0.1:${PLATFORM_PORT}"
           export NEXT_PUBLIC_WS_URL="ws://127.0.0.1:${PLATFORM_PORT}/ws"
-          npm run dev > canvas.log 2>&1 &
+          npx next dev --turbopack -p "${CANVAS_PORT}" > canvas.log 2>&1 &
           echo $! > canvas.pid
           for i in $(seq 1 30); do
-            if curl -sf http://localhost:3000 > /dev/null 2>&1; then
+            if curl -sf "http://localhost:${CANVAS_PORT}" > /dev/null 2>&1; then
               echo "Canvas up after ${i}s"
               exit 0
             fi
@@ -235,6 +249,7 @@ jobs:
         run: |
           export E2E_PLATFORM_URL="http://127.0.0.1:${PLATFORM_PORT}"
           export E2E_DATABASE_URL="${DATABASE_URL}"
+          export PLAYWRIGHT_BASE_URL="http://localhost:${CANVAS_PORT}"
           npx playwright test e2e/chat-desktop.spec.ts e2e/chat-mobile.spec.ts
 
       - name: Dump platform log on failure

.gitea/workflows/e2e-peer-visibility.yml

@@ -0,0 +1,225 @@
+name: E2E Peer Visibility (literal MCP list_peers)
+
+# WHY A DEDICATED WORKFLOW (not folded into e2e-staging-saas.yml)
+# --------------------------------------------------------------
+# This is the systemic fix for a real trust failure. Hermes and OpenClaw
+# were reported "fleet-verified / cascade-complete" because the *proxy*
+# signals were green (registry registration + heartbeat for Hermes; model
+# round-trip 200 for OpenClaw). A freshly-provisioned workspace asked on
+# canvas "can you see your peers" actually FAILS:
+#   - Hermes: 401 on the molecule MCP `list_peers` call
+#   - OpenClaw: native `sessions_list` fallback, sees no platform peers
+# Tasks #142/#159 were even marked "completed" under this proxy flaw.
+#
+# A dedicated workflow (vs extending e2e-staging-saas.yml) because:
+#   - It must provision MULTIPLE distinct runtimes (hermes, openclaw,
+#     claude-code) in ONE org and assert each sees the others. The
+#     full-saas script is single-runtime-per-run (E2E_RUNTIME) and folding
+#     a multi-runtime matrix into it would conflate concerns and bloat its
+#     already-45-min run.
+#   - It needs its own concurrency group so it doesn't fight full-saas /
+#     canvas for the staging org-creation quota.
+#   - It needs an independent, non-required status-context name so it can
+#     be RED today (the in-flight Hermes-401 / OpenClaw-MCP-wiring fixes
+#     have not landed) WITHOUT wedging unrelated merges — and flipped to
+#     REQUIRED in one branch-protection edit once it goes green
+#     (flip-to-required checklist: molecule-core#1296).
+#
+# THE ASSERTION IS NOT A PROXY. The driving script
+# tests/e2e/test_peer_visibility_mcp_staging.sh issues the byte-for-byte
+# JSON-RPC `tools/call name=list_peers` envelope to `POST
+# /workspaces/:id/mcp` using each workspace's OWN bearer token, through
+# the real WorkspaceAuth + MCPRateLimiter middleware chain — the exact
+# call mcp_molecule_list_peers makes from a canvas agent. It does NOT
+# read a registry row, /health, the heartbeat table, or
+# GET /registry/:id/peers.
+#
+# HONEST GATE — NO continue-on-error. Per feedback_fix_root_not_symptom a
+# fake-green mask would defeat the entire purpose. This workflow goes red
+# on today's broken behavior and green only when the root-cause fixes
+# actually land. It is intentionally NOT in branch_protections — see PR
+# body for the required-vs-not decision + flip tracking issue.
+#
+# Gitea 1.22.6 / act_runner notes honored:
+#   - No cross-repo `uses:` (feedback_gitea_cross_repo_uses_blocked). The
+#     actions/checkout SHA is the one e2e-staging-canvas.yml already uses
+#     successfully (a mirrored SHA — see #1277/PR#1292 root-cause).
+#   - Per-SHA concurrency, not global (feedback_concurrency_group_per_sha).
+#   - Workflow-level GITHUB_SERVER_URL pinned
+#     (feedback_act_runner_github_server_url).
+#   - pr-validate posts a status under the same check name so a
+#     workflow-only PR is not silently statusless and the context is
+#     flip-to-required-ready (mirrors e2e-staging-saas.yml's proven shape;
+#     real EC2-provisioning E2E is push/dispatch/cron only — it is 30+ min
+#     and cannot run per-PR-update).
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'workspace-server/internal/handlers/mcp.go'
+      - 'workspace-server/internal/handlers/mcp_tools.go'
+      - 'workspace-server/internal/middleware/**'
+      - 'workspace-server/internal/handlers/registry.go'
+      - 'workspace-server/internal/handlers/workspace.go'
+      - 'workspace/a2a_mcp_server.py'
+      - 'workspace/platform_tools/registry.py'
+      - 'tests/e2e/test_peer_visibility_mcp_staging.sh'
+      - '.gitea/workflows/e2e-peer-visibility.yml'
+  pull_request:
+    branches: [main]
+    paths:
+      - 'workspace-server/internal/handlers/mcp.go'
+      - 'workspace-server/internal/handlers/mcp_tools.go'
+      - 'workspace-server/internal/middleware/**'
+      - 'workspace-server/internal/handlers/registry.go'
+      - 'workspace-server/internal/handlers/workspace.go'
+      - 'workspace/a2a_mcp_server.py'
+      - 'workspace/platform_tools/registry.py'
+      - 'tests/e2e/test_peer_visibility_mcp_staging.sh'
+      - '.gitea/workflows/e2e-peer-visibility.yml'
+  workflow_dispatch:
+  schedule:
+    # 07:30 UTC daily — catches AMI / template-hermes / template-openclaw
+    # drift even on quiet days. Offset 30m from e2e-staging-saas (07:00)
+    # so the two don't collide on the staging org-creation quota.
+    - cron: '30 7 * * *'
+
+concurrency:
+  # Per-SHA (feedback_concurrency_group_per_sha). A single global group
+  # would let a queued staging/main push behind a PR run get cancelled,
+  # leaving any gate that reads "completed run at SHA" stuck.
+  group: e2e-peer-visibility-${{ github.event.pull_request.head.sha || github.sha }}
+  cancel-in-progress: false
+
+env:
+  GITHUB_SERVER_URL: https://git.moleculesai.app
+
+jobs:
+  # PR path: post a real status under the required-ready check name so a
+  # workflow-only PR is never silently statusless. The actual EC2 E2E is
+  # push/dispatch/cron only (30+ min). This is NOT a fake-green mask of
+  # the real assertion — it validates the driving script's bash syntax
+  # and inline-python so a broken test script fails at PR time.
+  pr-validate:
+    name: E2E Peer Visibility
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Validate driving script
+        run: |
+          bash -n tests/e2e/test_peer_visibility_mcp_staging.sh
+          echo "test_peer_visibility_mcp_staging.sh — bash syntax OK"
+          echo "Real fresh-provision MCP list_peers E2E runs on push to"
+          echo "main / workflow_dispatch / daily cron (30+ min EC2 boot)."
+
+  # Real gate: provisions a throwaway org + sibling-per-runtime, drives
+  # the LITERAL list_peers MCP call per runtime, asserts 200 + expected
+  # peer set, then scoped teardown. push(main)/dispatch/cron only.
+  peer-visibility:
+    name: E2E Peer Visibility
+    runs-on: ubuntu-latest
+    if: github.event_name != 'pull_request'
+    timeout-minutes: 60
+
+    env:
+      MOLECULE_CP_URL: https://staging-api.moleculesai.app
+      MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
+      # LLM provider key so each runtime can authenticate at boot.
+      # Priority MiniMax → direct-Anthropic → OpenAI matches
+      # test_staging_full_saas.sh's secrets-injection chain.
+      E2E_MINIMAX_API_KEY: ${{ secrets.MOLECULE_STAGING_MINIMAX_API_KEY }}
+      E2E_ANTHROPIC_API_KEY: ${{ secrets.MOLECULE_STAGING_ANTHROPIC_API_KEY }}
+      E2E_OPENAI_API_KEY: ${{ secrets.MOLECULE_STAGING_OPENAI_API_KEY }}
+      E2E_RUN_ID: "${{ github.run_id }}-${{ github.run_attempt }}"
+      PV_RUNTIMES: "hermes openclaw claude-code"
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Verify admin token present
+        run: |
+          if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
+            echo "::error::CP_STAGING_ADMIN_API_TOKEN secret not set (Railway staging CP_ADMIN_API_TOKEN)"
+            exit 2
+          fi
+          echo "Admin token present"
+
+      - name: Verify an LLM key present
+        run: |
+          if [ -z "${E2E_MINIMAX_API_KEY:-}" ] && [ -z "${E2E_ANTHROPIC_API_KEY:-}" ] && [ -z "${E2E_OPENAI_API_KEY:-}" ]; then
+            echo "::error::No LLM provider key set — workspaces fail at boot with 'No provider API key found'. Set MOLECULE_STAGING_MINIMAX_API_KEY (or ANTHROPIC / OPENAI)."
+            exit 2
+          fi
+          echo "LLM key present"
+
+      - name: CP staging health preflight
+        run: |
+          code=$(curl -sS -o /dev/null -w "%{http_code}" --max-time 10 "$MOLECULE_CP_URL/health")
+          if [ "$code" != "200" ]; then
+            echo "::error::Staging CP unhealthy (HTTP $code) — infra, not a workspace bug. Failing loud per feedback_fix_root_not_symptom."
+            exit 1
+          fi
+          echo "Staging CP healthy"
+
+      - name: Run fresh-provision peer-visibility E2E (literal MCP list_peers)
+        run: bash tests/e2e/test_peer_visibility_mcp_staging.sh
+
+      # Belt-and-braces scoped teardown: the script installs an EXIT/INT/
+      # TERM trap, but if the runner itself is cancelled the trap may not
+      # fire. This always() step deletes ONLY the e2e-pv-<run_id> org this
+      # run created — never a cluster-wide sweep
+      # (feedback_never_run_cluster_cleanup_tests_on_live_platform). The
+      # admin DELETE is idempotent so double-invoking is safe;
+      # sweep-stale-e2e-orgs is the final net (slug starts with 'e2e-').
+      - name: Teardown safety net (runs on cancel/failure)
+        if: always()
+        env:
+          ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
+        run: |
+          set +e
+          orgs=$(curl -sS "$MOLECULE_CP_URL/cp/admin/orgs?limit=500" \
+            -H "Authorization: Bearer $ADMIN_TOKEN" 2>/dev/null \
+            | python3 -c "
+          import json, sys, os, datetime
+          run_id = os.environ.get('GITHUB_RUN_ID', '')
+          try:
+              d = json.load(sys.stdin)
+          except Exception:
+              print(''); sys.exit(0)
+          # ONLY sweep slugs from THIS run. e2e-pv-<YYYYMMDD>-<run_id>-...
+          # Sweep today AND yesterday's UTC date so a midnight-crossing run
+          # still matches its own slug (same bug class as the saas/canvas
+          # safety nets).
+          today = datetime.date.today()
+          yest = today - datetime.timedelta(days=1)
+          dates = (today.strftime('%Y%m%d'), yest.strftime('%Y%m%d'))
+          if run_id:
+              prefixes = tuple(f'e2e-pv-{dt}-{run_id}-' for dt in dates)
+          else:
+              prefixes = tuple(f'e2e-pv-{dt}-' for dt in dates)
+          orgs = d if isinstance(d, list) else d.get('orgs', [])
+          cands = [o['slug'] for o in orgs
+                   if any(o.get('slug','').startswith(p) for p in prefixes)
+                   and o.get('instance_status') not in ('purged',)]
+          print('\n'.join(cands))
+          " 2>/dev/null)
+          for slug in $orgs; do
+            echo "Safety-net teardown: $slug"
+            set +e
+            curl -sS -o /tmp/pv-cleanup.out -w "%{http_code}" \
+              -X DELETE "$MOLECULE_CP_URL/cp/admin/tenants/$slug" \
+              -H "Authorization: Bearer $ADMIN_TOKEN" \
+              -H "Content-Type: application/json" \
+              -d "{\"confirm\":\"$slug\"}" >/tmp/pv-cleanup.code
+            set -e
+            code=$(cat /tmp/pv-cleanup.code 2>/dev/null || echo "000")
+            if [ "$code" = "200" ] || [ "$code" = "204" ]; then
+              echo "[teardown] deleted $slug (HTTP $code)"
+            else
+              echo "::warning::pv teardown for $slug returned HTTP $code — sweep-stale-e2e-orgs will catch it within MAX_AGE_MINUTES. Body: $(head -c 300 /tmp/pv-cleanup.out 2>/dev/null)"
+            fi
+          done
+          exit 0

.gitea/workflows/gate-check-v3.yml

@@ -83,25 +83,41 @@ jobs:
           REPO: ${{ github.repository }}
         run: |
           set -euo pipefail
-          # Fetch all open PRs and run gate-check on each
-          # socket.setdefaulttimeout(15): defence-in-depth for missing SOP_TIER_CHECK_TOKEN.
-          # gate_check.py uses timeout=15 on every urlopen call; this catches the
-          # inline Python polling loop too (issue #603).
+          # Fetch all open PRs and run gate-check on each. This scheduled
+          # refresher is advisory; a transient Gitea list timeout must not turn
+          # main red. PR-specific gate-check runs still use normal failure
+          # semantics.
           pr_numbers=$(python3 <<'PY'
           import json
           import os
           import socket
+          import sys
+          import time
+          import urllib.error
           import urllib.request
 
-          socket.setdefaulttimeout(15)
+          socket.setdefaulttimeout(30)
           token = os.environ["GITEA_TOKEN"]
           repo = os.environ["REPO"]
-          req = urllib.request.Request(
-              f"https://git.moleculesai.app/api/v1/repos/{repo}/pulls?state=open&limit=100",
-              headers={"Authorization": f"token {token}", "Accept": "application/json"},
-          )
-          with urllib.request.urlopen(req) as r:
-              prs = json.loads(r.read())
+          url = f"https://git.moleculesai.app/api/v1/repos/{repo}/pulls?state=open&limit=100"
+          last_error = None
+          for attempt in range(1, 4):
+              req = urllib.request.Request(
+                  url,
+                  headers={"Authorization": f"token {token}", "Accept": "application/json"},
+              )
+              try:
+                  with urllib.request.urlopen(req, timeout=30) as r:
+                      prs = json.loads(r.read())
+                  break
+              except (TimeoutError, OSError, urllib.error.URLError, urllib.error.HTTPError) as exc:
+                  last_error = exc
+                  print(f"warning: PR list fetch attempt {attempt}/3 failed: {exc}", file=sys.stderr)
+                  if attempt < 3:
+                      time.sleep(2 * attempt)
+          else:
+              print(f"warning: skipped scheduled gate-check refresh; failed to list open PRs after 3 attempts: {last_error}", file=sys.stderr)
+              raise SystemExit(0)
           for pr in prs:
               print(pr["number"])
           PY

.gitea/workflows/gitea-merge-queue.yml

@@ -52,5 +52,9 @@ jobs:
           # explicitly instead of the combined state avoids false-pause when
           # non-blocking jobs (continue-on-error: true) have failed — those
           # failures pollute combined state but do not gate merges.
+          # NOTE: the event-suffixed context name is intentional — branch protection
+          # MUST require `CI / all-required (pull_request)` (with suffix), NOT the
+          # bare `CI / all-required`. Gitea treats absent contexts as pending, not
+          # skipped; requiring the bare name silently blocks all merges (issue #1473).
           PUSH_REQUIRED_CONTEXTS: CI / all-required (push)
         run: python3 .gitea/scripts/gitea-merge-queue.py

.gitea/workflows/handlers-postgres-integration.yml

@@ -86,7 +86,11 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          fetch-depth: 0
+          # A full-history checkout can exceed the runner's quiet/startup
+          # window before the path filter emits logs. Fetch the common push
+          # case cheaply; the script below fetches the exact BASE SHA if it is
+          # not present in the shallow checkout.
+          fetch-depth: 2
       - id: filter
         # Inline replacement for dorny/paths-filter — see e2e-api.yml.
         run: |

.gitea/workflows/lint-continue-on-error-tracking.yml

@@ -93,7 +93,7 @@ jobs:
   lint:
     name: lint-continue-on-error-tracking
     runs-on: ubuntu-latest
-    timeout-minutes: 10
+    timeout-minutes: 20
     # Phase 3 (RFC #219 §1): surface masked defects without blocking
     # PRs. Pre-existing continue-on-error: true directives on main
     # all violate this lint at first — intentional. Flip to false

.gitea/workflows/publish-canvas-image.yml

@@ -49,13 +49,17 @@ jobs:
   # bp-exempt: post-merge image publication side effect; CI / all-required gates source changes.
   build-and-push:
     name: Build & push canvas image
-    # REVERTED (infra/revert-docker-runner-label): `runs-on: ubuntu-latest` restored.
-    # The `docker` label is not registered on any act_runner. `runs-on: [ubuntu-latest, docker]`
-    # causes jobs to queue indefinitely with zero eligible runners — strictly worse than the
-    # pre-#599 coin-flip (50% success rate). Once the `docker` label is registered on
-    # ≥2 runners, re-apply the fix from #599 (infra/docker-runner-label).
-    # See issue #576 + infra-lead pulse ~00:30Z.
-    runs-on: ubuntu-latest
+    # Dedicated publish/release lane (internal#462 / #394 / #399). Ship
+    # path (on: push:main, canvas/**) — reserved capacity so a merged
+    # canvas fix's image build never FIFO-queues behind PR required-CI.
+    # The `publish` label resolves ONLY to the molecule-runner-publish-*
+    # sub-pool (config.publish.yaml). HARD DEPENDENCY: this MUST land
+    # AFTER the publish-lane runners are registered/advertising `publish`
+    # — the earlier #599 `docker` label attempt queued indefinitely with
+    # zero eligible runners precisely because the label was targeted
+    # before any runner advertised it (see #576). The lane is registered
+    # in this rollout (internal#462) so the precondition holds.
+    runs-on: publish
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
     # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
     continue-on-error: true

.gitea/workflows/publish-runtime-autobump.yml

@@ -104,7 +104,7 @@ jobs:
         with:
           python-version: "3.11"
 
-      - name: Compute next version from PyPI latest
+      - name: Compute next version from PyPI latest and existing tags
         id: bump
         run: |
           set -eu
@@ -112,9 +112,24 @@ jobs:
             | python -c "import sys,json; print(json.load(sys.stdin)['info']['version'])")
           MAJOR=$(echo "$LATEST" | cut -d. -f1)
           MINOR=$(echo "$LATEST" | cut -d. -f2)
-          PATCH=$(echo "$LATEST" | cut -d. -f3)
-          VERSION="${MAJOR}.${MINOR}.$((PATCH+1))"
-          echo "PyPI latest=$LATEST -> next=$VERSION"
+          TAG_LATEST=$(git tag --list "runtime-v${MAJOR}.${MINOR}.*" \
+            | sed -E 's/^runtime-v//' \
+            | grep -E '^[0-9]+\.[0-9]+\.[0-9]+$' \
+            | sort -V \
+            | tail -1 || true)
+          VERSION=$(PYPI_LATEST="$LATEST" TAG_LATEST="$TAG_LATEST" python - <<'PY'
+          import os
+
+          def parse(v):
+              return tuple(int(part) for part in v.split("."))
+
+          pypi = os.environ["PYPI_LATEST"]
+          tag = os.environ.get("TAG_LATEST") or pypi
+          base = max(parse(pypi), parse(tag))
+          print(f"{base[0]}.{base[1]}.{base[2] + 1}")
+          PY
+          )
+          echo "PyPI latest=$LATEST, latest runtime tag=${TAG_LATEST:-none} -> next=$VERSION"
           if ! echo "$VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+$'; then
             echo "::error::computed version $VERSION does not match PEP 440 X.Y.Z"
             exit 1

.gitea/workflows/publish-runtime.yml

@@ -66,7 +66,10 @@ concurrency:
 
 jobs:
   publish:
-    runs-on: ubuntu-latest
+    # Dedicated publish/release lane (internal#462 / #394 / #399). Ship
+    # path (on: push tag runtime-v*) — reserved capacity, never FIFO
+    # behind PR-CI. `publish` resolves only to molecule-runner-publish-*.
+    runs-on: publish
     outputs:
       version: ${{ steps.version.outputs.version }}
       wheel_sha256: ${{ steps.wheel_hash.outputs.wheel_sha256 }}
@@ -159,6 +162,7 @@ jobs:
             exit 1
           fi
           python -m twine upload \
+            --verbose \
             --repository pypi \
             --username __token__ \
             --password "$PYPI_TOKEN" \
@@ -166,7 +170,9 @@ jobs:
 
   cascade:
     needs: publish
-    runs-on: ubuntu-latest
+    # Publish/release lane (internal#462) — downstream of the runtime
+    # publish ship job; keep it on the reserved lane too.
+    runs-on: publish
     steps:
       - name: Wait for PyPI to propagate the new version
         env:

.gitea/workflows/publish-workspace-server-image.yml

@@ -54,7 +54,14 @@ env:
 
 jobs:
   build-and-push:
-    runs-on: ubuntu-latest
+    # Dedicated publish/release lane (internal#462 / #394 / #399). This
+    # is a post-merge ship job (on: push:main) — it must NOT FIFO-compete
+    # with PR required-CI on the shared pool (PR#1350's prod image build
+    # was delayed ~25min this way). The `publish` label resolves ONLY to
+    # the reserved molecule-runner-publish-* sub-pool (config.publish.yaml,
+    # OUTSIDE the managed 1..20 range) so a merged fix's image build
+    # starts immediately while PR-CI keeps the general pool.
+    runs-on: publish
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -181,7 +188,9 @@ jobs:
     name: Production auto-deploy
     needs: build-and-push
     if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
-    runs-on: ubuntu-latest
+    # Publish/release lane (internal#462) — production deploy of a merged
+    # fix; reserved capacity, never queued behind PR-CI.
+    runs-on: publish
     timeout-minutes: 75
     env:
       CP_URL: ${{ vars.PROD_CP_URL || 'https://api.moleculesai.app' }}

.gitea/workflows/qa-review.yml

@@ -89,6 +89,7 @@ on:
 permissions:
   contents: read
   pull-requests: read
+  secrets: read
 
 jobs:
   # bp-exempt: PR review bot signal; required merge state is enforced by CI / all-required.

.gitea/workflows/redeploy-tenants-on-main.yml

@@ -68,7 +68,10 @@ jobs:
   # bp-exempt: production redeploy is a side-effect workflow, not a merge gate.
   redeploy:
     if: ${{ github.event_name == 'workflow_dispatch' }}
-    runs-on: ubuntu-latest
+    # Dedicated publish/release lane (internal#462 / #394 / #399).
+    # Production tenant redeploy — a deploy action, reserved capacity so
+    # it never queues behind PR-CI. `publish` -> molecule-runner-publish-*.
+    runs-on: publish
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
     # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
     continue-on-error: true

.gitea/workflows/redeploy-tenants-on-staging.yml

@@ -75,7 +75,10 @@ env:
 jobs:
   # bp-exempt: post-merge staging redeploy side effect; CI / all-required gates source changes.
   redeploy:
-    runs-on: ubuntu-latest
+    # Dedicated publish/release lane (internal#462 / #394 / #399).
+    # Post-merge staging redeploy — a deploy action, reserved capacity.
+    # `publish` -> molecule-runner-publish-* sub-pool.
+    runs-on: publish
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
     # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
     continue-on-error: true

.gitea/workflows/review-refire-comments.yml

@@ -18,6 +18,10 @@ permissions:
   pull-requests: read
   statuses: write
 
+concurrency:
+  group: ${{ github.repository }}-${{ github.workflow }}-${{ github.event.issue.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
   dispatch:
     runs-on: ubuntu-latest

.gitea/workflows/secret-scan.yml

@@ -30,6 +30,11 @@ jobs:
   scan:
     name: Scan diff for credential-shaped strings
     runs-on: ubuntu-latest
+    # Hard CI gate — must complete or the PR is unmergable. 10-minute ceiling
+    # is generous for a diff-scan against a single SHA. If this times out, the
+    # runner is frozen and holding a slot — the step timeout triggers clean
+    # failure, releasing the runner for the next job.
+    timeout-minutes: 10
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -133,6 +138,14 @@ jobs:
             [ -z "$f" ] && continue
             [ "$f" = "$SELF_GITHUB" ] && continue
             [ "$f" = "$SELF_GITEA" ] && continue
+            # Test-fixture exclude (internal#425): the secrets-detector's OWN
+            # unit-test corpus deliberately embeds credential-SHAPED example
+            # strings to exercise the detector. Verified 2026-05-18 synthetic
+            # (fabricated ghp_* fixtures, not real). Without this the scanner
+            # self-trips on its own fixtures and fail-closes every deploy.
+            # Same rationale as the SELF_* excludes above; gate NOT weakened
+            # (all other paths still fully scanned).
+            [ "$f" = "workspace-server/internal/secrets/patterns_test.go" ] && continue
             if [ -n "$DIFF_RANGE" ]; then
               ADDED=$(git diff --no-color --unified=0 "$BASE" "$HEAD" -- "$f" 2>/dev/null | grep -E '^\+[^+]' || true)
             else

.gitea/workflows/security-review.yml

@@ -16,6 +16,7 @@ on:
 permissions:
   contents: read
   pull-requests: read
+  secrets: read
 
 jobs:
   # bp-exempt: PR security review bot signal; required merge state is enforced by CI / all-required.

.gitea/workflows/sop-checklist.yml

@@ -70,7 +70,7 @@ name: sop-checklist
 # Cancel any in-progress runs for the same PR to prevent
 # stale runs from overwriting newer status contexts.
 concurrency:
-  group: ${{ github.repository }}-${{ github.event.pull_request.number }}
+  group: ${{ github.repository }}-${{ github.workflow }}-${{ github.event.pull_request.number || github.event.issue.number || github.ref }}
   cancel-in-progress: true
 
 # bp-required: yes  ← emits sop-checklist / all-items-acked (pull_request)
@@ -84,11 +84,8 @@ on:
 permissions:
   contents: read
   pull-requests: read
-  # NOTE: `statuses: write` is the GitHub-Actions name for POST /statuses.
-  # Gitea 1.22.6 may not gate on this permission key (it just checks the
-  # token), but listing it explicitly documents intent for the next
-  # platform-version upgrade.
   statuses: write
+  secrets: read
 
 jobs:
   all-items-acked:

.gitea/workflows/sop-tier-check.yml

@@ -61,12 +61,17 @@ on:
   pull_request_review:
     types: [submitted, dismissed, edited]
 
+concurrency:
+  group: ${{ github.repository }}-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
   tier-check:
     runs-on: ubuntu-latest
     permissions:
       contents: read
       pull-requests: read
+      secrets: read
     steps:
       - name: Check out base branch (for the script)
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2

.staging-trigger

@@ -1 +1 @@
-staging trigger
+staging trigger 2026-05-14T17:35:02Z

CONTRIBUTING.md

@@ -57,24 +57,24 @@ See `CLAUDE.md` for a full list of environment variables and their purposes.
 
 This repo is scoped to **code** (canvas, workspace, workspace-server, related
 infra). Public content (blog posts, marketing copy, OG images, SEO briefs,
-DevRel demos) lives in [`Molecule-AI/docs`](https://git.moleculesai.app/molecule-ai/docs).
+DevRel demos) lives in [`molecule-ai/docs`](https://git.moleculesai.app/molecule-ai/docs).
 The `Block forbidden paths` CI gate fails any PR that writes to `marketing/`
-or other removed paths — open against `Molecule-AI/docs` instead.
+or other removed paths — open against `molecule-ai/docs` instead.
 
 | Content type | Target |
 |---|---|
-| Blog posts | `Molecule-AI/docs` → `content/blog/<YYYY-MM-DD-slug>/` |
-| Doc pages | `Molecule-AI/docs` → `content/docs/` |
-| Marketing copy / PMM positioning | `Molecule-AI/docs` → `marketing/` |
-| OG images, visual assets | `Molecule-AI/docs` → `app/` or `marketing/` |
-| SEO briefs | `Molecule-AI/docs` → `marketing/` |
-| DevRel demos (runnable code) | Standalone repo under `Molecule-AI/`, OR embedded in `Molecule-AI/docs` |
+| Blog posts | `molecule-ai/docs` → `content/blog/<YYYY-MM-DD-slug>/` |
+| Doc pages | `molecule-ai/docs` → `content/docs/` |
+| Marketing copy / PMM positioning | `molecule-ai/docs` → `marketing/` |
+| OG images, visual assets | `molecule-ai/docs` → `app/` or `marketing/` |
+| SEO briefs | `molecule-ai/docs` → `marketing/` |
+| DevRel demos (runnable code) | Standalone repo under `molecule-ai/`, OR embedded in `molecule-ai/docs` |
 | Launch checklists, internal tracking | GitHub Issues — **not** committed files |
 | Engineering docs (`docs/adr/`, `docs/architecture/`, `docs/incidents/`) | This repo (internal, not published) |
 | Live product pages (e.g. `canvas/src/app/pricing/page.tsx`) | This repo (these are app code, not marketing copy) |
 
 If a PR fails the `Block forbidden paths` check, the contents belong in
-`Molecule-AI/docs`. No CI drag, no Canvas E2E, content lands in minutes.
+`molecule-ai/docs`. No CI drag, no Canvas E2E, content lands in minutes.
 
 ## Development Workflow
 
@@ -190,9 +190,9 @@ Runs the full regression suite against a fixture HTTP server. No network access
 Code in this repo lands in molecule-core. Some related runtime artifacts
 live in their own repos:
 
-- [`Molecule-AI/molecule-ai-workspace-runtime`](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-runtime) — Python adapter SDK (`molecule_runtime`) that runs inside containerized Molecule workspaces. Bridges Claude Code SDK / hermes / langgraph / etc. → A2A queue.
-- [`Molecule-AI/molecule-sdk-python`](https://git.moleculesai.app/molecule-ai/molecule-sdk-python) — `A2AServer` + `RemoteAgentClient` for external agents that register over the public `/registry/register` flow.
-- [`Molecule-AI/molecule-mcp-claude-channel`](https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel) — Claude Code channel plugin. Bridges A2A traffic into a running Claude Code session via MCP `notifications/claude/channel`. Polling-based (no tunnel required); install with `claude --channels plugin:molecule@Molecule-AI/molecule-mcp-claude-channel`.
+- [`molecule-ai/molecule-ai-workspace-runtime`](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-runtime) — Python adapter SDK (`molecule_runtime`) that runs inside containerized Molecule workspaces. Bridges Claude Code SDK / hermes / langgraph / etc. → A2A queue.
+- [`molecule-ai/molecule-sdk-python`](https://git.moleculesai.app/molecule-ai/molecule-sdk-python) — `A2AServer` + `RemoteAgentClient` for external agents that register over the public `/registry/register` flow.
+- [`molecule-ai/molecule-mcp-claude-channel`](https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel) — Claude Code channel plugin. Bridges A2A traffic into a running Claude Code session via MCP `notifications/claude/channel`. Polling-based (no tunnel required); install inside Claude Code via `/plugin marketplace add https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel.git` → `/plugin install molecule@molecule-channel`, then launch with `claude --dangerously-load-development-channels --channels plugin:molecule@molecule-channel`.
 
 When extending the **A2A surface** in molecule-core (`workspace-server/internal/handlers/a2a_proxy.go` etc.), consider whether the change has a downstream impact on the runtime SDK or the channel plugin — they're versioned independently but share the wire shape.
 

README.md

@@ -238,7 +238,7 @@ The result is not just “an agent that learns.” It is **an organization that
 - subscribe to one or more workspaces; peer messages surface as conversation turns; replies route back through Molecule's A2A
 - no tunnel, no public endpoint — the plugin self-registers each watched workspace as `delivery_mode=poll` and long-polls `/activity?since_id=…`
 - multi-tenant friendly: one plugin install can watch workspaces across multiple Molecule tenants (`MOLECULE_PLATFORM_URLS` per-workspace)
-- install via the standard marketplace flow: `/plugin marketplace add Molecule-AI/molecule-mcp-claude-channel` → `/plugin install molecule-channel@molecule-mcp-claude-channel`
+- install via the standard marketplace flow: `/plugin marketplace add https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel.git` → `/plugin install molecule@molecule-channel`, then launch with `claude --dangerously-load-development-channels --channels plugin:molecule@molecule-channel`
 
 ## Built For Teams That Need More Than A Demo
 

README.zh-CN.md

@@ -237,7 +237,7 @@ Molecule AI 并不是要替代下面这些 framework，而是把它们纳入更
 - 订阅一个或多个 workspace；peer 的消息会以 user-turn 出现，回复会经 Molecule A2A 路由出去
 - 无需公网隧道、无需公开端点 —— 插件启动时自动把每个 watched workspace 注册成 `delivery_mode=poll`，长轮询 `/activity?since_id=…`
 - 多租户友好：单次安装即可同时 watch 跨多个 Molecule 租户的 workspace（`MOLECULE_PLATFORM_URLS` 按 workspace 配置）
-- 通过标准 marketplace 流程安装：`/plugin marketplace add Molecule-AI/molecule-mcp-claude-channel` → `/plugin install molecule-channel@molecule-mcp-claude-channel`
+- 通过标准 marketplace 流程安装：`/plugin marketplace add https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel.git` → `/plugin install molecule@molecule-channel`，然后用 `claude --dangerously-load-development-channels --channels plugin:molecule@molecule-channel` 启动
 
 ## 适合什么团队
 

_ci_trigger.txt

@@ -0,0 +1 @@
+trigger

canvas/playwright.config.ts

@@ -8,7 +8,7 @@ export default defineConfig({
   workers: 1,
   retries: 0,
   use: {
-    baseURL: "http://localhost:3000",
+    baseURL: process.env.PLAYWRIGHT_BASE_URL || "http://localhost:3000",
     headless: true,
     screenshot: "only-on-failure",
   },

canvas/src/app/__tests__/seo-routes.test.ts

@@ -0,0 +1,113 @@
+import { describe, it, expect, vi } from "vitest";
+
+// Marketing-launch SEO (mc#1486). These tests pin the public crawler
+// contract: anything that flips public marketing routes to disallow,
+// drops the sitemap from robots.txt, or removes the OG image
+// reference from root metadata should fail loudly here.
+
+// next/font and the rest of the layout's runtime tree are not
+// vitest-compatible (next/font expects the Next.js compiler swc
+// transform). We import layout.tsx only for its exported `metadata`
+// constant — mock the font module to a constructor-returning stub.
+vi.mock("next/font/google", () => ({
+  Inter: () => ({ variable: "--font-inter" }),
+  JetBrains_Mono: () => ({ variable: "--font-jetbrains" }),
+}));
+
+import robots from "../robots";
+import sitemap from "../sitemap";
+import { metadata } from "../layout";
+
+describe("robots.ts", () => {
+  it("allows public marketing routes and blocks authed/app routes", () => {
+    const r = robots();
+    expect(r.rules).toBeDefined();
+    const rule = Array.isArray(r.rules) ? r.rules[0] : r.rules!;
+    expect(rule.userAgent).toBe("*");
+    const allow = Array.isArray(rule.allow) ? rule.allow : [rule.allow];
+    expect(allow).toEqual(expect.arrayContaining(["/", "/pricing", "/blog"]));
+    const disallow = Array.isArray(rule.disallow)
+      ? rule.disallow
+      : [rule.disallow];
+    expect(disallow).toEqual(
+      expect.arrayContaining(["/api/", "/orgs", "/cp/"]),
+    );
+  });
+
+  it("declares the sitemap URL", () => {
+    const r = robots();
+    expect(r.sitemap).toMatch(/\/sitemap\.xml$/);
+  });
+
+  it("declares a canonical host", () => {
+    const r = robots();
+    expect(r.host).toMatch(/^https:\/\//);
+  });
+});
+
+describe("sitemap.ts", () => {
+  it("includes apex, pricing, and the live blog post", () => {
+    const entries = sitemap();
+    const urls = entries.map((e) => e.url);
+    expect(urls.some((u) => u.endsWith("/"))).toBe(true);
+    expect(urls.some((u) => u.endsWith("/pricing"))).toBe(true);
+    expect(
+      urls.some((u) => u.includes("/blog/2026-04-20-chrome-devtools-mcp")),
+    ).toBe(true);
+  });
+
+  it("does NOT include authed/app routes", () => {
+    const entries = sitemap();
+    const urls = entries.map((e) => e.url);
+    expect(urls.some((u) => u.includes("/orgs"))).toBe(false);
+    expect(urls.some((u) => u.includes("/api/"))).toBe(false);
+  });
+
+  it("sets a non-zero priority and a valid changeFrequency on every entry", () => {
+    const valid = new Set([
+      "always",
+      "hourly",
+      "daily",
+      "weekly",
+      "monthly",
+      "yearly",
+      "never",
+    ]);
+    for (const e of sitemap()) {
+      expect(e.priority).toBeGreaterThan(0);
+      expect(valid.has(String(e.changeFrequency))).toBe(true);
+    }
+  });
+});
+
+describe("root layout metadata", () => {
+  it("sets a templated title + non-empty description", () => {
+    const t = metadata.title as { default: string; template: string };
+    expect(t.default).toMatch(/Molecule AI/);
+    expect(t.template).toMatch(/%s/);
+    expect((metadata.description ?? "").length).toBeGreaterThan(50);
+  });
+
+  it("declares OG + Twitter text fields (image comes from opengraph-image.tsx)", () => {
+    const og = metadata.openGraph;
+    expect(og).toBeDefined();
+    expect((og as { title: string }).title).toMatch(/Molecule AI/);
+    expect((og as { description: string }).description.length).toBeGreaterThan(
+      50,
+    );
+    const tw = metadata.twitter;
+    expect(tw).toBeDefined();
+    // Next.js typings narrow twitter.card to a union — assert via cast.
+    expect((tw as { card: string }).card).toBe("summary_large_image");
+  });
+
+  it("sets a canonical alternate", () => {
+    expect(metadata.alternates?.canonical).toBe("/");
+  });
+
+  it("enables indexing at the metadata level (robots.ts owns per-route)", () => {
+    const r = metadata.robots as { index: boolean; follow: boolean };
+    expect(r.index).toBe(true);
+    expect(r.follow).toBe(true);
+  });
+});

canvas/src/app/layout.tsx

@@ -27,9 +27,78 @@ import {
   themeBootScript,
 } from "@/lib/theme-cookie";
 
+// Marketing-launch SEO (mc#1486). Canonical apex is app.moleculesai.app —
+// tenant subdomains (<slug>.moleculesai.app) reuse the same Next.js build
+// but are gated behind auth (AuthGate redirects anonymous → /cp/auth/login)
+// and are de-indexed in robots.ts. The metadata here applies to the
+// public marketing surface served from the apex host.
+//
+// Override per-route by exporting a page-level `metadata`/`generateMetadata`
+// — Next.js merges page metadata over layout metadata using
+// `title.template` for "<page> | Molecule AI" composition.
+const SITE_URL =
+  process.env.NEXT_PUBLIC_SITE_URL ?? "https://app.moleculesai.app";
+
 export const metadata: Metadata = {
-  title: "Molecule AI",
-  description: "AI Org Chart Canvas",
+  metadataBase: new URL(SITE_URL),
+  title: {
+    default: "Molecule AI — the AI org chart canvas",
+    template: "%s | Molecule AI",
+  },
+  description:
+    "Molecule AI is an org-chart canvas for AI agent teams. Wire Claude Code, Codex, Hermes, and OpenClaw agents into a governed multi-agent workspace with credit metering, audit, and one-click runtime provisioning.",
+  applicationName: "Molecule AI",
+  keywords: [
+    "AI agents",
+    "multi-agent",
+    "agent orchestration",
+    "AI org chart",
+    "Claude Code",
+    "Codex",
+    "MCP",
+    "agent governance",
+    "A2A",
+    "agent runtime",
+  ],
+  authors: [{ name: "Molecule AI" }],
+  creator: "Molecule AI",
+  publisher: "Molecule AI",
+  alternates: { canonical: "/" },
+  // OG + Twitter images come from the file-convention sibling
+  // `opengraph-image.tsx` — Next.js auto-attaches them to og:image
+  // and twitter:image when present at the segment root. We keep the
+  // text fields here so they win over per-page metadata when a page
+  // doesn't override them. `images: []` as the structural fallback
+  // for hosts that won't follow the file convention; the real URL
+  // is injected by Next.js at build time from opengraph-image.tsx.
+  openGraph: {
+    type: "website",
+    siteName: "Molecule AI",
+    url: SITE_URL,
+    title: "Molecule AI — the AI org chart canvas",
+    description:
+      "Wire Claude Code, Codex, Hermes, and OpenClaw agents into a governed multi-agent workspace. Credit metering, audit, and one-click runtime provisioning.",
+    locale: "en_US",
+  },
+  twitter: {
+    card: "summary_large_image",
+    title: "Molecule AI — the AI org chart canvas",
+    description:
+      "Wire Claude Code, Codex, Hermes, and OpenClaw agents into a governed multi-agent workspace.",
+  },
+  icons: {
+    icon: "/molecule-icon.png",
+    apple: "/molecule-icon.png",
+  },
+  // robots.ts owns the per-route allow/disallow contract; this is the
+  // header-level fallback for routes the crawler reaches before
+  // robots.txt resolves. Default = index public marketing routes;
+  // app/auth/api/orgs are noindex'd by robots.ts.
+  robots: {
+    index: true,
+    follow: true,
+    googleBot: { index: true, follow: true, "max-image-preview": "large" },
+  },
 };
 
 export default async function RootLayout({
@@ -94,6 +163,75 @@ export default async function RootLayout({
           nonce={nonce}
           dangerouslySetInnerHTML={{ __html: themeBootScript }}
         />
+        {/*
+         * JSON-LD structured data (mc#1486). Two graph nodes:
+         *
+         *   - Organization: surfaces the brand to Google Knowledge
+         *     Graph + Bing entity index. URL+logo+sameAs are the
+         *     minimum recommended set for new brands without a
+         *     Wikipedia page.
+         *
+         *   - WebSite: enables the sitelinks search box and tells
+         *     crawlers the canonical site URL when the same content
+         *     is reachable via multiple subdomains (apex + tenant).
+         *
+         * Type-application/ld+json runs synchronously without
+         * executing JS, so 'strict-dynamic' isn't required — we still
+         * carry the nonce because production CSP's default-src 'self'
+         * applies to any <script> element. The "type" attribute is
+         * what keeps the browser from running the body as JS, but
+         * CSP nonces are gated on the element not the type, so we
+         * include the nonce too.
+         */}
+        <script
+          type="application/ld+json"
+          nonce={nonce}
+          dangerouslySetInnerHTML={{
+            __html: JSON.stringify({
+              "@context": "https://schema.org",
+              "@graph": [
+                {
+                  "@type": "Organization",
+                  "@id": `${SITE_URL}#organization`,
+                  name: "Molecule AI",
+                  url: SITE_URL,
+                  logo: `${SITE_URL}/molecule-icon.png`,
+                  sameAs: [
+                    "https://github.com/molecule-ai",
+                    "https://x.com/moleculeai",
+                  ],
+                },
+                {
+                  "@type": "WebSite",
+                  "@id": `${SITE_URL}#website`,
+                  url: SITE_URL,
+                  name: "Molecule AI",
+                  publisher: { "@id": `${SITE_URL}#organization` },
+                  inLanguage: "en-US",
+                },
+                {
+                  "@type": "SoftwareApplication",
+                  "@id": `${SITE_URL}#software`,
+                  name: "Molecule AI",
+                  applicationCategory: "DeveloperApplication",
+                  operatingSystem: "Web",
+                  description:
+                    "Org-chart canvas for AI agent teams with credit metering, audit, and one-click runtime provisioning.",
+                  url: SITE_URL,
+                  offers: {
+                    "@type": "AggregateOffer",
+                    priceCurrency: "USD",
+                    lowPrice: "0",
+                    highPrice: "99",
+                    offerCount: "3",
+                    url: `${SITE_URL}/pricing`,
+                  },
+                  publisher: { "@id": `${SITE_URL}#organization` },
+                },
+              ],
+            }),
+          }}
+        />
       </head>
       <body className={`bg-surface text-ink ${interFont.variable} ${monoFont.variable}`}>
         <ThemeProvider initialTheme={theme}>

canvas/src/app/opengraph-image.tsx

@@ -0,0 +1,82 @@
+import { ImageResponse } from "next/og";
+
+// Marketing-launch SEO (mc#1486). Next.js App-Router file-system OG
+// convention: served as `/opengraph-image` and auto-attached as
+// `og:image` + `twitter:image`. Dynamic (not a static PNG in /public)
+// so we can iterate the brand mark + tagline pre-launch without
+// churning a binary blob in git history.
+export const runtime = "edge";
+
+export const alt = "Molecule AI — the AI org chart canvas";
+export const size = { width: 1200, height: 630 };
+export const contentType = "image/png";
+
+export default function OG() {
+  return new ImageResponse(
+    (
+      <div
+        style={{
+          width: "100%",
+          height: "100%",
+          display: "flex",
+          flexDirection: "column",
+          alignItems: "flex-start",
+          justifyContent: "center",
+          padding: "80px",
+          background:
+            "linear-gradient(135deg, #0a0a0a 0%, #1a1a2e 60%, #16213e 100%)",
+          color: "#ffffff",
+          fontFamily: "system-ui, -apple-system, sans-serif",
+        }}
+      >
+        <div
+          style={{
+            fontSize: 28,
+            color: "#a3a3c2",
+            letterSpacing: "0.18em",
+            textTransform: "uppercase",
+            marginBottom: 24,
+          }}
+        >
+          Molecule AI
+        </div>
+        <div
+          style={{
+            fontSize: 76,
+            fontWeight: 700,
+            lineHeight: 1.05,
+            letterSpacing: "-0.02em",
+            maxWidth: 980,
+          }}
+        >
+          The AI org chart canvas
+        </div>
+        <div
+          style={{
+            fontSize: 32,
+            color: "#c8c8d8",
+            marginTop: 32,
+            lineHeight: 1.3,
+            maxWidth: 980,
+          }}
+        >
+          Wire Claude Code, Codex, Hermes, and OpenClaw agents into a governed
+          multi-agent workspace.
+        </div>
+        <div
+          style={{
+            position: "absolute",
+            right: 80,
+            bottom: 80,
+            fontSize: 22,
+            color: "#7a7a96",
+            display: "flex",
+          }}
+        >
+          moleculesai.app
+        </div>
+      </div>
+    ),
+    { ...size },
+  );
+}

canvas/src/app/page.tsx

@@ -103,7 +103,7 @@ export default function Home() {
                 setHydrationError(null);
                 window.location.reload();
               }}
-              className="px-4 py-2 bg-accent-strong hover:bg-accent text-white rounded-md text-sm"
+              className="px-4 py-2 bg-accent-strong hover:bg-accent text-white rounded-md text-sm focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
             >
               Retry
             </button>
@@ -115,7 +115,9 @@ export default function Home() {
 
   return (
     <>
-      <Canvas />
+      <main aria-label="Agent canvas">
+        <Canvas />
+      </main>
       <Legend />
       <CommunicationOverlay />
       {hydrationError && (
@@ -134,7 +136,7 @@ export default function Home() {
               setHydrationError(null);
               window.location.reload();
             }}
-            className="px-4 py-2 bg-accent-strong hover:bg-accent text-white rounded-md text-sm"
+            className="px-4 py-2 bg-accent-strong hover:bg-accent text-white rounded-md text-sm focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
           >
             Retry
           </button>
@@ -176,7 +178,7 @@ brew services start redis`}</pre>
       </p>
       <button
         onClick={() => window.location.reload()}
-        className="px-4 py-2 bg-accent-strong hover:bg-accent text-white rounded-md text-sm mt-2"
+        className="px-4 py-2 bg-accent-strong hover:bg-accent text-white rounded-md text-sm mt-2 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
       >
         Reload
       </button>

canvas/src/app/robots.ts

@@ -0,0 +1,45 @@
+import type { MetadataRoute } from "next";
+
+// Marketing-launch SEO (mc#1486). Next.js App-Router robots convention:
+// this file is served as `/robots.txt` at build time and is the single
+// source of truth for crawler allow/disallow.
+//
+// Contract:
+//   - Public marketing routes (/, /pricing, /blog/*) are crawlable.
+//   - Authed/app routes (/orgs, /api/*) are noindex'd. They render
+//     useful content only after a session round-trip, so a crawler hit
+//     just wastes our crawl budget and exposes endpoint shapes.
+//   - Tenant subdomains (<slug>.moleculesai.app) share this build but
+//     are blocked at the host level by the canvas middleware sending
+//     an `X-Robots-Tag: noindex` header — robots.txt is per-host and
+//     this file's `host` field claims the apex as canonical.
+//
+// Note: `sitemap` is published via the sibling `sitemap.ts` route; we
+// reference it explicitly here so crawlers don't have to guess.
+const SITE_URL =
+  process.env.NEXT_PUBLIC_SITE_URL ?? "https://app.moleculesai.app";
+
+export default function robots(): MetadataRoute.Robots {
+  return {
+    rules: [
+      {
+        userAgent: "*",
+        allow: ["/", "/pricing", "/blog"],
+        // Authed app surface + API + transient checkout returns. The
+        // /orgs route boots the org-selector behind AuthGate; even
+        // though SSR returns markup, that markup is a login wall when
+        // hit by an unauthenticated crawler, so indexing it dilutes
+        // brand searches with a "Please sign in" snippet.
+        disallow: [
+          "/orgs",
+          "/orgs/",
+          "/api/",
+          "/cp/",
+          "/checkout/",
+        ],
+      },
+    ],
+    sitemap: `${SITE_URL}/sitemap.xml`,
+    host: SITE_URL,
+  };
+}

canvas/src/app/sitemap.ts

@@ -0,0 +1,42 @@
+import type { MetadataRoute } from "next";
+
+// Marketing-launch SEO (mc#1486). App-Router sitemap convention: this
+// file is served as `/sitemap.xml` and enumerates the public marketing
+// surface for search crawlers + AI training pipelines.
+//
+// Scope deliberately narrow:
+//   - Apex landing, pricing, and the (currently single) blog post.
+//   - Authed app routes are excluded — they're disallowed in robots.ts
+//     and would appear as "Please sign in" wall to a crawler.
+//
+// `lastModified` uses a build-time timestamp rather than per-route
+// fs.stat so the same value applies regardless of where the build
+// runs (Vercel/Railway/local). When we add CMS-backed blog content,
+// swap to a per-entry timestamp from the source-of-truth metadata.
+const SITE_URL =
+  process.env.NEXT_PUBLIC_SITE_URL ?? "https://app.moleculesai.app";
+
+const BUILD_DATE = new Date();
+
+export default function sitemap(): MetadataRoute.Sitemap {
+  return [
+    {
+      url: `${SITE_URL}/`,
+      lastModified: BUILD_DATE,
+      changeFrequency: "weekly",
+      priority: 1.0,
+    },
+    {
+      url: `${SITE_URL}/pricing`,
+      lastModified: BUILD_DATE,
+      changeFrequency: "weekly",
+      priority: 0.9,
+    },
+    {
+      url: `${SITE_URL}/blog/2026-04-20-chrome-devtools-mcp`,
+      lastModified: new Date("2026-04-20"),
+      changeFrequency: "monthly",
+      priority: 0.6,
+    },
+  ];
+}

canvas/src/components/AuditTrailPanel.tsx

@@ -132,7 +132,7 @@ export function AuditTrailPanel({ workspaceId }: Props) {
 
   if (loading) {
     return (
-      <div className="flex items-center justify-center h-32">
+      <div role="status" aria-live="polite" className="flex items-center justify-center h-32">
         <span className="text-xs text-ink-mid">Loading audit trail…</span>
       </div>
     );

canvas/src/components/ConversationTraceModal.tsx

@@ -133,13 +133,13 @@ export function ConversationTraceModal({ open, workspaceId: _workspaceId, onClos
             {/* Timeline */}
             <div className="flex-1 overflow-y-auto px-5 py-4">
               {loading && (
-                <div className="text-xs text-ink-mid text-center py-8">
+                <div role="status" aria-live="polite" className="text-xs text-ink-mid text-center py-8">
                   Loading trace from all workspaces...
                 </div>
               )}
 
               {!loading && entries.length === 0 && (
-                <div className="text-xs text-ink-mid text-center py-8">
+                <div role="status" aria-live="polite" className="text-xs text-ink-mid text-center py-8">
                   No activity found
                 </div>
               )}

canvas/src/components/EmptyState.tsx

@@ -105,7 +105,7 @@ export function EmptyState() {
 
         {/* Template grid */}
         {loading ? (
-          <div className="flex items-center justify-center gap-2 text-xs text-ink-mid py-4">
+          <div role="status" aria-live="polite" className="flex items-center justify-center gap-2 text-xs text-ink-mid py-4">
             <Spinner />
             Loading templates...
           </div>

canvas/src/components/ExternalConnectModal.tsx

@@ -15,7 +15,7 @@
 //     ($AGENT_URL). They ARE NOT filled in server-side because the
 //     server doesn't know where the operator's agent will live.
 
-import { useCallback, useState } from "react";
+import { useCallback, useRef, useState } from "react";
 import * as Dialog from "@radix-ui/react-dialog";
 
 type Tab = "python" | "curl" | "claude" | "mcp" | "hermes" | "codex" | "openclaw" | "kimi" | "fields";
@@ -84,6 +84,33 @@ export function ExternalConnectModal({ info, onClose }: Props) {
     : "python";
   const [tab, setTab] = useState<Tab>(initialTab);
   const [copiedKey, setCopiedKey] = useState<string | null>(null);
+  const tabRefs = useRef<Map<Tab, HTMLButtonElement | null>>(new Map());
+
+  const handleTabKeyDown = useCallback(
+    (e: React.KeyboardEvent<HTMLButtonElement>, current: Tab, tabs: Tab[]) => {
+      const idx = tabs.indexOf(current);
+      if (e.key === "ArrowRight" || e.key === "ArrowDown") {
+        e.preventDefault();
+        const next = tabs[(idx + 1) % tabs.length];
+        setTab(next);
+        tabRefs.current.get(next)?.focus();
+      } else if (e.key === "ArrowLeft" || e.key === "ArrowUp") {
+        e.preventDefault();
+        const prev = tabs[(idx - 1 + tabs.length) % tabs.length];
+        setTab(prev);
+        tabRefs.current.get(prev)?.focus();
+      } else if (e.key === "Home") {
+        e.preventDefault();
+        setTab(tabs[0]);
+        tabRefs.current.get(tabs[0])?.focus();
+      } else if (e.key === "End") {
+        e.preventDefault();
+        setTab(tabs[tabs.length - 1]);
+        tabRefs.current.get(tabs[tabs.length - 1])?.focus();
+      }
+    },
+    [],
+  );
 
   const copy = useCallback(async (value: string, key: string) => {
     try {
@@ -160,6 +187,19 @@ export function ExternalConnectModal({ info, onClose }: Props) {
     `MOLECULE_WORKSPACE_TOKEN=${info.auth_token}`,
   );
 
+  // Build the tab list once so both the tab bar and keyboard handler
+  // share the same ordered array. Computed here (after all filled* vars)
+  // so TypeScript's block-scoping analysis can reach them.
+  const tabList: Tab[] = [];
+  if (filledUniversalMcp) tabList.push("mcp");
+  tabList.push("python");
+  if (filledChannel) tabList.push("claude");
+  if (filledHermes) tabList.push("hermes");
+  if (filledCodex) tabList.push("codex");
+  if (filledOpenClaw) tabList.push("openclaw");
+  if (filledKimi) tabList.push("kimi");
+  tabList.push("curl", "fields");
+
   return (
     <Dialog.Root open onOpenChange={(o) => !o && onClose()}>
       <Dialog.Portal>
@@ -180,34 +220,18 @@ export function ExternalConnectModal({ info, onClose }: Props) {
             aria-label="Connection snippet format"
             className="mt-4 flex gap-1 border-b border-line"
           >
-            {(() => {
-              // Build the tab order dynamically. Claude Code first
-              // (when offered) since it's the simplest setup; Python
-              // SDK second (full register+heartbeat+inbound); Universal
-              // MCP third (any MCP-aware runtime, outbound-only); curl
-              // for one-shot register; Fields for raw values.
-              // Tab order: Universal MCP first (default, runtime-
-              // agnostic primitives), then runtime-specific channel/
-              // SDK tabs, then curl + Fields. Each runtime tab only
-              // appears when the platform supplies the snippet — no
-              // dead "tab missing snippet" UX.
-              const tabs: Tab[] = [];
-              if (filledUniversalMcp) tabs.push("mcp");
-              tabs.push("python");
-              if (filledChannel) tabs.push("claude");
-              if (filledHermes) tabs.push("hermes");
-              if (filledCodex) tabs.push("codex");
-              if (filledOpenClaw) tabs.push("openclaw");
-              if (filledKimi) tabs.push("kimi");
-              tabs.push("curl", "fields");
-              return tabs;
-            })().map((t) => (
+            {tabList.map((t) => (
               <button
                 key={t}
                 type="button"
                 role="tab"
+                id={`tab-${t}`}
                 aria-selected={tab === t}
+                aria-controls={`panel-${t}`}
+                tabIndex={tab === t ? 0 : -1}
+                ref={(el) => { tabRefs.current.set(t, el); }}
                 onClick={() => setTab(t)}
+                onKeyDown={(e) => handleTabKeyDown(e, t, tabList)}
                 className={`px-3 py-2 text-sm border-b-2 -mb-px transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface ${
                   tab === t
                     ? "border-accent text-ink"
@@ -235,18 +259,39 @@ export function ExternalConnectModal({ info, onClose }: Props) {
             ))}
           </div>
 
-          {/* Snippet area */}
-          <div className="mt-3">
-            {tab === "claude" && filledChannel && (
-              <SnippetBlock
-                value={filledChannel}
-                label="Claude Code channel — polls workspace's A2A; no tunnel needed"
-                copyKey="claude"
-                copied={copiedKey === "claude"}
-                onCopy={() => copy(filledChannel, "claude")}
-              />
-            )}
-            {tab === "python" && (
+          {/* Snippet area — all panels always in the DOM so aria-controls
+              targets are stable. Hidden panels use aria-hidden so screen
+              readers skip them; active panel uses role=tabpanel with
+              aria-labelledby pointing to the tab button. */}
+          <div className="mt-3" data-testid="snippet-panels">
+            {/* Claude Code tab */}
+            <div
+              id="panel-claude"
+              data-testid="panel-claude"
+              role="tabpanel"
+              aria-labelledby="tab-claude"
+              hidden={tab !== "claude" || !filledChannel}
+              className={tab === "claude" && filledChannel ? "" : "hidden"}
+            >
+              {filledChannel && (
+                <SnippetBlock
+                  value={filledChannel}
+                  label="Claude Code channel — polls workspace's A2A; no tunnel needed"
+                  copyKey="claude"
+                  copied={copiedKey === "claude"}
+                  onCopy={() => copy(filledChannel, "claude")}
+                />
+              )}
+            </div>
+            {/* Python SDK tab */}
+            <div
+              id="panel-python"
+              data-testid="panel-python"
+              role="tabpanel"
+              aria-labelledby="tab-python"
+              hidden={tab !== "python"}
+              className={tab === "python" ? "" : "hidden"}
+            >
               <SnippetBlock
                 value={filledPython}
                 label="Python SDK — includes heartbeat loop (push-mode, needs public URL)"
@@ -254,8 +299,16 @@ export function ExternalConnectModal({ info, onClose }: Props) {
                 copied={copiedKey === "python"}
                 onCopy={() => copy(filledPython, "python")}
               />
-            )}
-            {tab === "curl" && (
+            </div>
+            {/* curl tab */}
+            <div
+              id="panel-curl"
+              data-testid="panel-curl"
+              role="tabpanel"
+              aria-labelledby="tab-curl"
+              hidden={tab !== "curl"}
+              className={tab === "curl" ? "" : "hidden"}
+            >
               <SnippetBlock
                 value={filledCurl}
                 label="curl — one-shot register only (no heartbeat)"
@@ -263,53 +316,111 @@ export function ExternalConnectModal({ info, onClose }: Props) {
                 copied={copiedKey === "curl"}
                 onCopy={() => copy(filledCurl, "curl")}
               />
-            )}
-            {tab === "mcp" && filledUniversalMcp && (
-              <SnippetBlock
-                value={filledUniversalMcp}
-                label="Universal MCP — standalone register + heartbeat + tools for any MCP-aware runtime (Claude Code, hermes, codex). Pair with Python or Claude Code tab if you need inbound A2A delivery."
-                copyKey="mcp"
-                copied={copiedKey === "mcp"}
-                onCopy={() => copy(filledUniversalMcp, "mcp")}
-              />
-            )}
-            {tab === "hermes" && filledHermes && (
-              <SnippetBlock
-                value={filledHermes}
-                label="Hermes channel — bridges this workspace's A2A traffic into your hermes-agent session as platform messages (push parity with Claude Code). Long-poll based; no tunnel needed."
-                copyKey="hermes"
-                copied={copiedKey === "hermes"}
-                onCopy={() => copy(filledHermes, "hermes")}
-              />
-            )}
-            {tab === "codex" && filledCodex && (
-              <SnippetBlock
-                value={filledCodex}
-                label="Codex MCP config — wires the molecule MCP server into ~/.codex/config.toml. Outbound tools today; inbound A2A push needs the Python SDK tab paired in (codex's MCP runtime doesn't route arbitrary notifications/* yet)."
-                copyKey="codex"
-                copied={copiedKey === "codex"}
-                onCopy={() => copy(filledCodex, "codex")}
-              />
-            )}
-            {tab === "openclaw" && filledOpenClaw && (
-              <SnippetBlock
-                value={filledOpenClaw}
-                label="OpenClaw MCP config — wires the molecule MCP server via openclaw mcp set + starts the gateway on loopback. Outbound tools today; inbound A2A push on an external openclaw needs the Python SDK tab paired in (a sessions.steer bridge daemon is future work)."
-                copyKey="openclaw"
-                copied={copiedKey === "openclaw"}
-                onCopy={() => copy(filledOpenClaw, "openclaw")}
-              />
-            )}
-            {tab === "kimi" && filledKimi && (
-              <SnippetBlock
-                value={filledKimi}
-                label="Kimi CLI — self-contained Python bridge. Registers, heartbeats, polls for canvas messages, and echoes replies back. NAT-safe (no public URL). Run in a background terminal or via launchd."
-                copyKey="kimi"
-                copied={copiedKey === "kimi"}
-                onCopy={() => copy(filledKimi, "kimi")}
-              />
-            )}
-            {tab === "fields" && (
+            </div>
+            {/* Universal MCP tab */}
+            <div
+              id="panel-mcp"
+              data-testid="panel-mcp"
+              role="tabpanel"
+              aria-labelledby="tab-mcp"
+              hidden={tab !== "mcp" || !filledUniversalMcp}
+              className={tab === "mcp" && filledUniversalMcp ? "" : "hidden"}
+            >
+              {filledUniversalMcp && (
+                <SnippetBlock
+                  value={filledUniversalMcp}
+                  label="Universal MCP — standalone register + heartbeat + tools for any MCP-aware runtime (Claude Code, hermes, codex). Pair with Python or Claude Code tab if you need inbound A2A delivery."
+                  copyKey="mcp"
+                  copied={copiedKey === "mcp"}
+                  onCopy={() => copy(filledUniversalMcp, "mcp")}
+                />
+              )}
+            </div>
+            {/* Hermes tab */}
+            <div
+              id="panel-hermes"
+              data-testid="panel-hermes"
+              role="tabpanel"
+              aria-labelledby="tab-hermes"
+              hidden={tab !== "hermes" || !filledHermes}
+              className={tab === "hermes" && filledHermes ? "" : "hidden"}
+            >
+              {filledHermes && (
+                <SnippetBlock
+                  value={filledHermes}
+                  label="Hermes channel — bridges this workspace's A2A traffic into your hermes-agent session as platform messages (push parity with Claude Code). Long-poll based; no tunnel needed."
+                  copyKey="hermes"
+                  copied={copiedKey === "hermes"}
+                  onCopy={() => copy(filledHermes, "hermes")}
+                />
+              )}
+            </div>
+            {/* Codex tab */}
+            <div
+              id="panel-codex"
+              data-testid="panel-codex"
+              role="tabpanel"
+              aria-labelledby="tab-codex"
+              hidden={tab !== "codex" || !filledCodex}
+              className={tab === "codex" && filledCodex ? "" : "hidden"}
+            >
+              {filledCodex && (
+                <SnippetBlock
+                  value={filledCodex}
+                  label="Codex MCP config — wires the molecule MCP server into ~/.codex/config.toml. Outbound tools today; inbound A2A push needs the Python SDK tab paired in (codex's MCP runtime doesn't route arbitrary notifications/* yet)."
+                  copyKey="codex"
+                  copied={copiedKey === "codex"}
+                  onCopy={() => copy(filledCodex, "codex")}
+                />
+              )}
+            </div>
+            {/* OpenClaw tab */}
+            <div
+              id="panel-openclaw"
+              data-testid="panel-openclaw"
+              role="tabpanel"
+              aria-labelledby="tab-openclaw"
+              hidden={tab !== "openclaw" || !filledOpenClaw}
+              className={tab === "openclaw" && filledOpenClaw ? "" : "hidden"}
+            >
+              {filledOpenClaw && (
+                <SnippetBlock
+                  value={filledOpenClaw}
+                  label="OpenClaw MCP config — wires the molecule MCP server via openclaw mcp set + starts the gateway on loopback. Outbound tools today; inbound A2A push on an external openclaw needs the Python SDK tab paired in (a sessions.steer bridge daemon is future work)."
+                  copyKey="openclaw"
+                  copied={copiedKey === "openclaw"}
+                  onCopy={() => copy(filledOpenClaw, "openclaw")}
+                />
+              )}
+            </div>
+            {/* Kimi tab */}
+            <div
+              id="panel-kimi"
+              data-testid="panel-kimi"
+              role="tabpanel"
+              aria-labelledby="tab-kimi"
+              hidden={tab !== "kimi" || !filledKimi}
+              className={tab === "kimi" && filledKimi ? "" : "hidden"}
+            >
+              {filledKimi && (
+                <SnippetBlock
+                  value={filledKimi}
+                  label="Kimi CLI — self-contained Python bridge. Registers, heartbeats, polls for canvas messages, and echoes replies back. NAT-safe (no public URL). Run in a background terminal or via launchd."
+                  copyKey="kimi"
+                  copied={copiedKey === "kimi"}
+                  onCopy={() => copy(filledKimi, "kimi")}
+                />
+              )}
+            </div>
+            {/* Fields tab */}
+            <div
+              id="panel-fields"
+              data-testid="panel-fields"
+              role="tabpanel"
+              aria-labelledby="tab-fields"
+              hidden={tab !== "fields"}
+              className={tab === "fields" ? "" : "hidden"}
+            >
               <div className="space-y-2">
                 <Field label="workspace_id" value={info.workspace_id} onCopy={() => copy(info.workspace_id, "wsid")} copied={copiedKey === "wsid"} />
                 <Field label="platform_url" value={info.platform_url} onCopy={() => copy(info.platform_url, "url")} copied={copiedKey === "url"} />
@@ -323,7 +434,7 @@ export function ExternalConnectModal({ info, onClose }: Props) {
                 <Field label="registry_endpoint" value={info.registry_endpoint} onCopy={() => copy(info.registry_endpoint, "reg")} copied={copiedKey === "reg"} />
                 <Field label="heartbeat_endpoint" value={info.heartbeat_endpoint} onCopy={() => copy(info.heartbeat_endpoint, "hb")} copied={copiedKey === "hb"} />
               </div>
-            )}
+            </div>
           </div>
 
           <div className="mt-5 flex justify-end gap-2">

canvas/src/components/MissingKeysModal.tsx

@@ -440,6 +440,7 @@ function ProviderPickerModal({
                       onChange={(e) => updateEntry(index, { value: e.target.value.trimStart() })}
                       placeholder={entry.key.includes("API_KEY") ? "sk-..." : "Enter value"}
                       type="password"
+                      aria-label={`Value for ${entry.key}`}
                       ref={index === 0 ? firstInputRef : undefined}
                       onKeyDown={(e) => {
                         if (e.key === "Enter" && entry.value.trim()) {
@@ -459,7 +460,7 @@ function ProviderPickerModal({
                 )}
 
                 {entry.error && (
-                  <div className="mt-1.5 text-[10px] text-bad">{entry.error}</div>
+                  <div role="alert" aria-live="assertive" className="mt-1.5 text-[10px] text-bad">{entry.error}</div>
                 )}
               </div>
             ))}
@@ -694,6 +695,7 @@ function AllKeysModal({
                     onChange={(e) => updateEntry(index, { value: e.target.value.trimStart() })}
                     placeholder={entry.key.includes("API_KEY") ? "sk-..." : "Enter value"}
                     type="password"
+                    aria-label={`Value for ${entry.key}`}
                     autoFocus={index === 0}
                     onKeyDown={(e) => {
                       if (e.key === "Enter" && entry.value.trim()) {
@@ -718,7 +720,7 @@ function AllKeysModal({
           ))}
 
           {globalError && (
-            <div className="px-3 py-2 bg-red-950/40 border border-red-800/50 rounded-lg text-[11px] text-bad">
+            <div role="alert" aria-live="assertive" className="px-3 py-2 bg-red-950/40 border border-red-800/50 rounded-lg text-[11px] text-bad">
               {globalError}
             </div>
           )}

canvas/src/components/WorkspaceUsage.tsx

@@ -71,7 +71,7 @@ export function WorkspaceUsage({ workspaceId }: WorkspaceUsageProps) {
             <SkeletonRow />
           </>
         ) : error ? (
-          <p className="text-xs text-bad" data-testid="usage-error">
+          <p role="alert" aria-live="assertive" className="text-xs text-bad" data-testid="usage-error">
             {error}
           </p>
         ) : metrics ? (

canvas/src/components/__tests__/ExternalConnectModal.test.tsx

@@ -131,7 +131,9 @@ describe("ExternalConnectModal — tab switching", () => {
   it("switches to the Python SDK tab and shows the snippet with stamped token", () => {
     renderAndFlush(defaultInfo);
     fireEvent.click(screen.getByRole("tab", { name: /python sdk/i }));
-    const preEl = document.querySelector("pre");
+    // Query within the python panel so we get the right pre (not the first in DOM).
+    const pythonPanel = document.querySelector("[data-testid='panel-python']");
+    const preEl = pythonPanel?.querySelector("pre");
     expect(preEl?.textContent).toContain("AUTH_TOKEN");
     // The placeholder is replaced with the real auth token
     expect(preEl?.textContent).toContain("secret-auth-token-abc");
@@ -140,7 +142,9 @@ describe("ExternalConnectModal — tab switching", () => {
   it("switches to the curl tab and shows the snippet with stamped token", () => {
     renderAndFlush(defaultInfo);
     fireEvent.click(screen.getByRole("tab", { name: /curl/i }));
-    const preEl = document.querySelector("pre");
+    // Query within the curl panel so we get the right pre (not the first in DOM).
+    const curlPanel = document.querySelector("[data-testid='panel-curl']");
+    const preEl = curlPanel?.querySelector("pre");
     expect(preEl?.textContent).toContain("curl");
     expect(preEl?.textContent).toContain("secret-auth-token-abc");
   });
@@ -148,9 +152,11 @@ describe("ExternalConnectModal — tab switching", () => {
   it("switches to the Fields tab and shows raw values", () => {
     renderAndFlush(defaultInfo);
     fireEvent.click(screen.getByRole("tab", { name: /fields/i }));
-    expect(screen.getByText("ws-123")).toBeTruthy();
-    expect(screen.getByText("https://app.example.com")).toBeTruthy();
-    expect(screen.getByText("secret-auth-token-abc")).toBeTruthy();
+    // Query within the fields panel for specific values.
+    const fieldsPanel = document.querySelector("[data-testid='panel-fields']");
+    expect(fieldsPanel?.textContent).toContain("ws-123");
+    expect(fieldsPanel?.textContent).toContain("https://app.example.com");
+    expect(fieldsPanel?.textContent).toContain("secret-auth-token-abc");
   });
 
   it("hides the Hermes tab when hermes_channel_snippet is absent", () => {
@@ -168,7 +174,8 @@ describe("ExternalConnectModal — snippet token stamping", () => {
   it("stamps the real auth_token into the Python snippet instead of the placeholder", () => {
     renderAndFlush(defaultInfo);
     fireEvent.click(screen.getByRole("tab", { name: /python sdk/i }));
-    const preEl = document.querySelector("pre");
+    const pythonPanel = document.querySelector("[data-testid='panel-python']");
+    const preEl = pythonPanel?.querySelector("pre");
     expect(preEl?.textContent).not.toContain("<paste from create response>");
     expect(preEl?.textContent).toContain("secret-auth-token-abc");
   });
@@ -176,7 +183,8 @@ describe("ExternalConnectModal — snippet token stamping", () => {
   it("stamps the real auth_token into the curl snippet", () => {
     renderAndFlush(defaultInfo);
     fireEvent.click(screen.getByRole("tab", { name: /curl/i }));
-    const preEl = document.querySelector("pre");
+    const curlPanel = document.querySelector("[data-testid='panel-curl']");
+    const preEl = curlPanel?.querySelector("pre");
     // curl template uses WORKSPACE_AUTH_TOKEN placeholder, not the generic one
     expect(preEl?.textContent).toContain("secret-auth-token-abc");
   });
@@ -184,7 +192,8 @@ describe("ExternalConnectModal — snippet token stamping", () => {
   it("stamps the real auth_token into the Universal MCP snippet", () => {
     renderAndFlush(defaultInfo);
     // Default tab is Universal MCP
-    const preEl = document.querySelector("pre");
+    const mcpPanel = document.querySelector("[data-testid='panel-mcp']");
+    const preEl = mcpPanel?.querySelector("pre");
     expect(preEl?.textContent).toContain("secret-auth-token-abc");
     expect(preEl?.textContent).not.toContain("<paste from create response>");
   });
@@ -193,8 +202,10 @@ describe("ExternalConnectModal — snippet token stamping", () => {
 describe("ExternalConnectModal — copy functionality", () => {
   it("calls navigator.clipboard.writeText with the snippet text", () => {
     renderAndFlush(defaultInfo);
-    // Default tab is Universal MCP
-    fireEvent.click(screen.getByRole("button", { name: /^copy$/i }));
+    // Default tab is Universal MCP — query the copy button within the mcp panel.
+    const mcpPanel = document.querySelector("[data-testid='panel-mcp']");
+    const copyBtn = mcpPanel?.querySelector("button");
+    if (copyBtn) fireEvent.click(copyBtn);
     expect(clipboardWriteText).toHaveBeenCalledWith(
       expect.stringContaining("secret-auth-token-abc"),
     );
@@ -227,7 +238,8 @@ describe("ExternalConnectModal — missing optional fields", () => {
     };
     renderAndFlush(minimalInfo);
     fireEvent.click(screen.getByRole("tab", { name: /fields/i }));
-    expect(screen.getByText("(missing)")).toBeTruthy();
+    const fieldsPanel = document.querySelector("[data-testid='panel-fields']");
+    expect(fieldsPanel?.textContent).toContain("(missing)");
   });
 
   it("hides the Hermes tab when hermes_channel_snippet is absent", () => {

canvas/src/components/__tests__/ThemeToggle.test.tsx

@@ -24,8 +24,12 @@ vi.mock("@/lib/theme-provider", () => ({
   })),
 }));
 
+// Wrap cleanup in act() so any pending React state updates (e.g. from
+// keyDown handlers that call setTheme) flush before DOM unmount. Without
+// this, cleanup() can race against pending renders and cause INDEX_SIZE_ERR
+// when the handleKeyDown callback tries to query the DOM mid-teardown.
 afterEach(() => {
-  cleanup();
+  act(() => { cleanup(); });
   vi.clearAllMocks();
 });
 
@@ -146,7 +150,7 @@ describe("ThemeToggle — keyboard navigation (WCAG 2.1.1 / ARIA radiogroup)", (
     const radios = screen.getAllByRole("radio");
     // dark (index 2) is current; ArrowRight should wrap to light (index 0)
     act(() => { radios[2].focus(); });
-    fireEvent.keyDown(radios[2], { key: "ArrowRight" });
+    act(() => { fireEvent.keyDown(radios[2], { key: "ArrowRight" }); });
     expect(mockSetTheme).toHaveBeenCalledWith("light");
   });
 
@@ -160,7 +164,7 @@ describe("ThemeToggle — keyboard navigation (WCAG 2.1.1 / ARIA radiogroup)", (
     const radios = screen.getAllByRole("radio");
     // light (index 0) is current; ArrowLeft should go to dark (index 2)
     act(() => { radios[0].focus(); });
-    fireEvent.keyDown(radios[0], { key: "ArrowLeft" });
+    act(() => { fireEvent.keyDown(radios[0], { key: "ArrowLeft" }); });
     expect(mockSetTheme).toHaveBeenCalledWith("dark");
   });
 
@@ -174,7 +178,7 @@ describe("ThemeToggle — keyboard navigation (WCAG 2.1.1 / ARIA radiogroup)", (
     const radios = screen.getAllByRole("radio");
     // light (index 0) is current; ArrowDown should go to system (index 1)
     act(() => { radios[0].focus(); });
-    fireEvent.keyDown(radios[0], { key: "ArrowDown" });
+    act(() => { fireEvent.keyDown(radios[0], { key: "ArrowDown" }); });
     expect(mockSetTheme).toHaveBeenCalledWith("system");
   });
 
@@ -187,7 +191,7 @@ describe("ThemeToggle — keyboard navigation (WCAG 2.1.1 / ARIA radiogroup)", (
     render(<ThemeToggle />);
     const radios = screen.getAllByRole("radio");
     act(() => { radios[2].focus(); });
-    fireEvent.keyDown(radios[2], { key: "Home" });
+    act(() => { fireEvent.keyDown(radios[2], { key: "Home" }); });
     expect(mockSetTheme).toHaveBeenCalledWith("light");
   });
 
@@ -200,14 +204,14 @@ describe("ThemeToggle — keyboard navigation (WCAG 2.1.1 / ARIA radiogroup)", (
     render(<ThemeToggle />);
     const radios = screen.getAllByRole("radio");
     act(() => { radios[0].focus(); });
-    fireEvent.keyDown(radios[0], { key: "End" });
+    act(() => { fireEvent.keyDown(radios[0], { key: "End" }); });
     expect(mockSetTheme).toHaveBeenCalledWith("dark");
   });
 
   it("does nothing on unrelated keys", () => {
     render(<ThemeToggle />);
     const radios = screen.getAllByRole("radio");
-    fireEvent.keyDown(radios[0], { key: "Enter" });
+    act(() => { fireEvent.keyDown(radios[0], { key: "Enter" }); });
     expect(mockSetTheme).not.toHaveBeenCalled();
   });
 });

canvas/src/components/mobile/MobileCanvas.tsx

@@ -223,6 +223,7 @@ export function MobileCanvas({
             textTransform: "uppercase",
             fontWeight: 600,
           }}
+          className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
         >
           Reset
         </button>

canvas/src/components/mobile/MobileChat.tsx

@@ -2,8 +2,11 @@
 
 // 04 · Chat — message thread + composer + sub-tabs.
 // Wired to the same /workspaces/:id/a2a (method message/send) endpoint
-// that the desktop ChatTab uses, but with a slimmer surface: no
-// attachments, no A2A topology overlay, no conversation tracing.
+// that the desktop ChatTab uses. Render parity with desktop ChatTab is
+// achieved by reusing its renderers rather than forking a reduced
+// mobile path: the Agent Comms sub-tab mounts the same AgentCommsPanel,
+// and message attachments route through the same AttachmentPreview
+// dispatch the desktop My-Chat bubble uses (#231/#232).
 
 import { useEffect, useMemo, useRef, useState } from "react";
 import ReactMarkdown from "react-markdown";
@@ -16,6 +19,9 @@ import {
   useChatSend,
   useChatSocket,
 } from "@/components/tabs/chat/hooks";
+import { AgentCommsPanel } from "@/components/tabs/chat/AgentCommsPanel";
+import { AttachmentPreview } from "@/components/tabs/chat/AttachmentPreview";
+import { downloadChatFile } from "@/components/tabs/chat/uploads";
 
 import { toMobileAgent } from "./components";
 import { MOBILE_FONT_MONO, MOBILE_FONT_SANS, usePalette } from "./palette";
@@ -304,6 +310,17 @@ export function MobileChat({
   const removePendingFile = (index: number) =>
     setPendingFiles((prev) => prev.filter((_, i) => i !== index));
 
+  // Route attachment downloads through the same authenticated helper
+  // the desktop ChatTab uses (downloadChatFile) so platform-scheme
+  // URIs get a real Blob with auth headers instead of about:blank.
+  const downloadAttachment = (att: ChatAttachment) => {
+    downloadChatFile(agentId, att).catch(() => {
+      // AttachmentPreview's own error affordance covers the in-bubble
+      // failure state; matches ChatTab's behaviour of not double-
+      // reporting a download failure.
+    });
+  };
+
   const send = async () => {
     const text = draft.trim();
     if ((!text && pendingFiles.length === 0) || sending || !reachable) return;
@@ -339,6 +356,7 @@ export function MobileChat({
             type="button"
             onClick={onBack}
             aria-label="Back"
+            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
             style={{
               width: 36,
               height: 36,
@@ -385,6 +403,7 @@ export function MobileChat({
           <button
             type="button"
             aria-label="More"
+            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
             style={{
               width: 36,
               height: 36,
@@ -415,6 +434,7 @@ export function MobileChat({
                 key={t.id}
                 type="button"
                 onClick={() => setTab(t.id)}
+                className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
                 style={{
                   padding: "4px 0 8px",
                   border: "none",
@@ -433,7 +453,19 @@ export function MobileChat({
         </div>
       </div>
 
+      {/* Agent Comms — reuse the desktop AgentCommsPanel verbatim so
+          mobile renders the identical peer/A2A + delegation feed
+          (history GET + live socket events) instead of a placeholder
+          (#231). The panel owns its own scroll/load/error/empty
+          states, matching ChatTab's agent-comms tabpanel. */}
+      {tab === "a2a" && (
+        <div style={{ flex: 1, minHeight: 0, overflow: "hidden" }}>
+          <AgentCommsPanel workspaceId={agentId} />
+        </div>
+      )}
+
       {/* Messages */}
+      {tab === "my" && (
       <div
         ref={scrollRef}
         style={{
@@ -445,20 +477,8 @@ export function MobileChat({
           gap: 8,
         }}
       >
-        {tab === "a2a" && (
-          <div
-            style={{
-              padding: "20px 4px",
-              textAlign: "center",
-              color: p.text3,
-              fontSize: 13,
-            }}
-          >
-            Agent Comms — peer-to-peer A2A traffic surfaces in the Comms tab.
-          </div>
-        )}
         {tab === "my" && historyLoading && (
-          <div style={{ padding: "20px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
+          <div role="status" aria-live="polite" style={{ padding: "20px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
             Loading chat history…
           </div>
         )}
@@ -478,6 +498,8 @@ export function MobileChat({
               onClick={() => {
                 loadInitial();
               }}
+              aria-label="Retry loading chat history"
+              className="focus:outline-none focus-visible:ring-2 focus-visible:ring-red-400"
               style={{
                 padding: "6px 14px",
                 borderRadius: 14,
@@ -493,7 +515,7 @@ export function MobileChat({
           </div>
         )}
         {tab === "my" && !historyLoading && !historyError && messages.length === 0 && (
-          <div style={{ padding: "20px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
+          <div role="status" aria-live="polite" style={{ padding: "20px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
             Send a message to start chatting.
           </div>
         )}
@@ -521,9 +543,31 @@ export function MobileChat({
                     overflowWrap: "anywhere",
                   }}
                 >
-                  <MarkdownBubble dark={dark} accent={p.accent}>
-                    {m.content}
-                  </MarkdownBubble>
+                  {m.content && (
+                    <MarkdownBubble dark={dark} accent={p.accent}>
+                      {m.content}
+                    </MarkdownBubble>
+                  )}
+                  {m.attachments && m.attachments.length > 0 && (
+                    <div
+                      style={{
+                        display: "flex",
+                        flexWrap: "wrap",
+                        gap: 4,
+                        marginTop: m.content ? 6 : 0,
+                      }}
+                    >
+                      {m.attachments.map((att, i) => (
+                        <AttachmentPreview
+                          key={`${m.id}-${i}`}
+                          workspaceId={agentId}
+                          attachment={att}
+                          onDownload={downloadAttachment}
+                          tone={mine ? "user" : "agent"}
+                        />
+                      ))}
+                    </div>
+                  )}
                   <div
                     style={{
                       fontSize: 10,
@@ -554,7 +598,13 @@ export function MobileChat({
           </div>
         )}
       </div>
+      )}
 
+      {/* Footer ID + composer belong to My Chat only. The Agent Comms
+          tab is a read-only peer/A2A feed (parity with desktop
+          ChatTab, where the agent-comms tabpanel has no composer). */}
+      {tab === "my" && (
+      <>
       {/* Footer ID */}
       <div
         style={{
@@ -619,6 +669,7 @@ export function MobileChat({
                   type="button"
                   onClick={() => removePendingFile(i)}
                   aria-label={`Remove ${f.name}`}
+                  className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
                   style={{
                     border: "none",
                     background: "transparent",
@@ -659,6 +710,7 @@ export function MobileChat({
             onClick={() => fileInputRef.current?.click()}
             disabled={!reachable || sending || uploading}
             aria-label="Attach"
+            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
             style={{
               width: 32,
               height: 32,
@@ -680,6 +732,7 @@ export function MobileChat({
             ref={composerRef}
             value={draft}
             onChange={(e) => setDraft(e.target.value)}
+            aria-label="Message"
             onKeyDown={(e) => {
               // Enter sends; Shift+Enter inserts a newline. Skip when the
               // IME is composing — pressing Enter to commit a Chinese/
@@ -703,7 +756,12 @@ export function MobileChat({
               border: "none",
               outline: "none",
               background: "transparent",
-              fontSize: 14.5,
+              // iOS Safari/PWA zooms the viewport when a focused textarea
+              // has a computed font-size below 16px. 14.5 triggers that
+              // focus-zoom; the page looks broken until the user pinches
+              // back (#224, same class as desktop #1434 / sibling #225).
+              // 16px is the minimum that keeps focus from zooming.
+              fontSize: 16,
               lineHeight: 1.4,
               color: p.text,
               padding: "6px 0",
@@ -719,12 +777,13 @@ export function MobileChat({
             onClick={send}
             disabled={(!draft.trim() && pendingFiles.length === 0) || !reachable || sending || uploading}
             aria-label="Send"
+            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
             style={{
               width: 36,
               height: 36,
               borderRadius: 999,
               border: "none",
-              cursor: (draft.trim() || pendingFiles.length > 0) && !sending && !uploading ? "pointer" : "not-allowed",
+              cursor: (draft.trim() || pendingFiles.length === 0) && !sending && !uploading ? "pointer" : "not-allowed",
               flexShrink: 0,
               background:
                 (draft.trim() || pendingFiles.length > 0) && reachable && !sending && !uploading
@@ -746,6 +805,8 @@ export function MobileChat({
           </button>
         </div>
       </div>
+      </>
+      )}
     </div>
   );
 }

canvas/src/components/mobile/MobileComms.tsx

@@ -231,6 +231,7 @@ export function MobileComms({ dark }: { dark: boolean }) {
                 fontSize: 13,
                 fontWeight: 500,
               }}
+              className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
             >
               {o.label}
               <span
@@ -251,11 +252,11 @@ export function MobileComms({ dark }: { dark: boolean }) {
 
       <div style={{ padding: "0 14px", display: "flex", flexDirection: "column", gap: 8 }}>
         {loading && items.length === 0 ? (
-          <div style={{ padding: "30px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
+          <div role="status" aria-live="polite" style={{ padding: "30px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
             Loading recent comms…
           </div>
         ) : filtered.length === 0 ? (
-          <div style={{ padding: "30px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
+          <div role="status" aria-live="polite" style={{ padding: "30px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
             No A2A traffic yet.
           </div>
         ) : (

canvas/src/components/mobile/MobileDetail.tsx

@@ -83,11 +83,12 @@ export function MobileDetail({
             type="button"
             onClick={onBack}
             aria-label="Back"
+            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
             style={iconButtonStyle(p, dark)}
           >
             {Icons.back({ size: 18 })}
           </button>
-          <button type="button" aria-label="More" style={iconButtonStyle(p, dark)}>
+          <button type="button" aria-label="More" className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900" style={iconButtonStyle(p, dark)}>
             {Icons.more({ size: 18 })}
           </button>
         </div>
@@ -183,6 +184,7 @@ export function MobileDetail({
               key={t.id}
               type="button"
               onClick={() => setTab(t.id)}
+              className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
               style={{
                 padding: "8px 14px",
                 borderRadius: 999,
@@ -215,6 +217,7 @@ export function MobileDetail({
           type="button"
           onClick={onChat}
           data-testid="mobile-chat-cta"
+          className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
           style={{
             width: "100%",
             height: 52,
@@ -416,6 +419,8 @@ function DetailActivity({ workspaceId, dark }: { workspaceId: string; dark: bool
   if (items === null) {
     return (
       <div
+        role="status"
+        aria-live="polite"
         style={{
           background: p.surface,
           borderRadius: 16,

canvas/src/components/mobile/MobileHome.tsx

@@ -200,6 +200,7 @@ export function MobileHome({
           justifyContent: "center",
           boxShadow: "0 8px 24px rgba(40,30,20,0.25), 0 2px 6px rgba(40,30,20,0.15)",
         }}
+        className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
       >
         {Icons.plus({ size: 22 })}
       </button>

canvas/src/components/mobile/MobileMe.tsx

@@ -92,6 +92,7 @@ export function MobileMe({
                     border: on ? `2px solid ${p.text}` : "2px solid transparent",
                     boxShadow: on ? `0 0 0 2px ${p.bg} inset` : "none",
                   }}
+                  className="focus:outline-none focus-visible:ring-2 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
                 />
               );
             })}
@@ -184,6 +185,7 @@ function SegmentedRow({
               fontSize: 13,
               fontWeight: 600,
             }}
+            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
           >
             {o.label}
           </button>

canvas/src/components/mobile/MobileSpawn.tsx

@@ -12,6 +12,7 @@ import { useEffect, useState } from "react";
 
 import { api } from "@/lib/api";
 import { type Template } from "@/lib/deploy-preflight";
+import { isSaaSTenant } from "@/lib/tenant";
 
 import { tierCode } from "./palette";
 import { MOBILE_FONT_MONO, MOBILE_FONT_SANS, type MobilePalette, usePalette } from "./palette";
@@ -26,6 +27,7 @@ const TIER_LABEL: Record<"T1" | "T2" | "T3" | "T4", string> = {
 
 export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => void }) {
   const p = usePalette(dark);
+  const isSaaS = isSaaSTenant();
   const [templates, setTemplates] = useState<Template[]>([]);
   const [loadingTemplates, setLoadingTemplates] = useState(true);
   const [tplId, setTplId] = useState<string | null>(null);
@@ -43,7 +45,7 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
         setTemplates(list);
         if (list.length > 0) {
           setTplId(list[0].id);
-          setTier(tierCode(list[0].tier));
+          setTier(isSaaS ? "T4" : tierCode(list[0].tier));
         }
       })
       .catch(() => {
@@ -55,7 +57,7 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
     return () => {
       cancelled = true;
     };
-  }, []);
+  }, [isSaaS]);
 
   const handleSpawn = async () => {
     if (busy || !tplId) return;
@@ -67,7 +69,7 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
       await api.post<{ id: string }>("/workspaces", {
         name: (name.trim() || chosen.name),
         template: chosen.id,
-        tier: Number(tier.slice(1)),
+        tier: isSaaS ? 4 : Number(tier.slice(1)),
         canvas: {
           x: Math.random() * 400 + 100,
           y: Math.random() * 300 + 100,
@@ -146,6 +148,7 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
             type="button"
             onClick={onClose}
             aria-label="Close"
+            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
             style={{
               width: 32,
               height: 32,
@@ -168,6 +171,8 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
         <div style={{ padding: "0 14px" }}>
           {loadingTemplates ? (
             <div
+              role="status"
+              aria-live="polite"
               style={{
                 padding: "24px 8px",
                 textAlign: "center",
@@ -203,7 +208,7 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
             >
               {templates.map((t) => {
                 const on = tplId === t.id;
-                const tCode = tierCode(t.tier);
+                const tCode = isSaaS ? "T4" : tierCode(t.tier);
                 return (
                   <button
                     key={t.id}
@@ -212,6 +217,8 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
                       setTplId(t.id);
                       setTier(tCode);
                     }}
+                    aria-label={`Select template: ${t.name} (tier ${t.tier})`}
+                    className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
                     style={{
                       background: on
                         ? dark
@@ -300,6 +307,7 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
           <input
             value={name}
             onChange={(e) => setName(e.target.value)}
+            aria-label="Agent name"
             placeholder={tplId
               ? (templates.find((t) => t.id === tplId)?.name ?? "agent-name")
               : "agent-name"}
@@ -310,7 +318,12 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
               border: `0.5px solid ${p.border}`,
               borderRadius: 12,
               fontFamily: MOBILE_FONT_MONO,
-              fontSize: 13.5,
+              // iOS Safari/PWA zooms the viewport when a focused input has
+              // a computed font-size below 16px; the layout jumps and the
+              // page looks broken until the user pinches back (#224 / #225,
+              // same class as desktop #1434). 16px is the minimum that
+              // suppresses that focus-zoom.
+              fontSize: 16,
               color: p.text,
               outline: "none",
               boxSizing: "border-box",
@@ -328,6 +341,8 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
                 key={t}
                 type="button"
                 onClick={() => setTier(t)}
+                aria-label={`Select tier ${t}: ${TIER_LABEL[t]}`}
+                className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
                 style={{
                   flex: 1,
                   padding: "10px 8px",
@@ -375,6 +390,8 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
             type="button"
             onClick={handleSpawn}
             disabled={busy || !tplId || templates.length === 0}
+            aria-label="Spawn agent"
+            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
             style={{
               width: "100%",
               height: 52,

canvas/src/components/mobile/__tests__/MobileChat.test.tsx

@@ -21,6 +21,14 @@ import { MobileChat } from "../MobileChat";
 vi.mock("@/lib/api");
 import { api } from "@/lib/api";
 
+// AgentCommsPanel (mounted by the Agent Comms sub-tab, #231) subscribes
+// to the global socket via useSocketEvent. Stub it to a no-op so the
+// panel mounts without the real ReconnectingSocket — the parity tests
+// only assert the panel renders (vs the old static placeholder).
+vi.mock("@/hooks/useSocketEvent", () => ({
+  useSocketEvent: vi.fn(),
+}));
+
 // ─── Mock store ───────────────────────────────────────────────────────────────
 
 const mockAgentId = "ws-chat-test";
@@ -155,6 +163,12 @@ beforeEach(() => {
   mockOnBack.mockClear();
   mockStoreState.nodes = [];
   mockStoreState.agentMessages = {};
+  // jsdom doesn't implement scrollIntoView. The Agent Comms tab now
+  // mounts AgentCommsPanel (#231), which scrolls its feed to bottom on
+  // arrival; a no-op stub keeps the panel from throwing under jsdom
+  // (same stub AgentCommsPanel's own render test installs).
+  Element.prototype.scrollIntoView =
+    vi.fn() as unknown as Element["scrollIntoView"];
   // Set up spies on the real api methods. Tests override these per-call.
   const getSpy = vi.spyOn(api, "get");
   const postSpy = vi.spyOn(api, "post");
@@ -249,6 +263,20 @@ describe("MobileChat — composer", () => {
     const sendBtn = container.querySelector('[aria-label="Send"]') as HTMLButtonElement;
     expect(sendBtn.disabled).toBe(true);
   });
+
+  // Regression #224: the composer textarea must render with font-size
+  // ≥ 16px. iOS Safari and PWAs auto-zoom the viewport when a focused
+  // input has a computed font-size below 16px — the layout jumps and
+  // the page looks broken until the user pinches back. Same class as
+  // desktop #1434 / sibling MobileSpawn #225.
+  it("composer textarea renders at font-size 16px or greater (iOS focus-zoom regression #224)", () => {
+    const { container } = renderChat(mockAgentId);
+    const textarea = container.querySelector("textarea") as HTMLTextAreaElement;
+    expect(textarea).toBeTruthy();
+    const fs = Number.parseFloat(textarea.style.fontSize);
+    expect(Number.isFinite(fs)).toBe(true);
+    expect(fs).toBeGreaterThanOrEqual(16);
+  });
 });
 
 // ─── Tabs ─────────────────────────────────────────────────────────────────────
@@ -474,3 +502,146 @@ describe("MobileChat — chat history", () => {
     expect(getSpy).toHaveBeenCalledTimes(2);
   });
 });
+
+// ─── #232 · Attachment render parity with desktop ChatTab ────────────────────
+//
+// Regression for the CTO-reported mobile bug: MobileChat used to render
+// only m.content (no attachment surface), so files sent/received in a
+// conversation were invisible on mobile while desktop showed them. The
+// fix routes m.attachments through the same AttachmentPreview the
+// desktop ChatTab bubble uses.
+
+describe("MobileChat — attachment render parity (#232)", () => {
+  beforeEach(() => {
+    mockStoreState.nodes = [onlineNode];
+  });
+
+  it("renders an attachment from a history message via AttachmentPreview", async () => {
+    const getSpy = vi.spyOn(api, "get");
+    // useChatHistory reads { messages, reached_end }.
+    getSpy.mockResolvedValueOnce({
+      messages: [
+        {
+          id: "m-att-1",
+          role: "agent",
+          content: "Here is the report",
+          attachments: [
+            {
+              name: "report.csv",
+              uri: "workspace://out/report.csv",
+              mimeType: "text/csv",
+              size: 2048,
+            },
+          ],
+          timestamp: new Date().toISOString(),
+        },
+      ],
+      reached_end: true,
+    });
+
+    let rr: ReturnType<typeof renderChat>;
+    await act(async () => {
+      rr = renderChat(mockAgentId);
+    });
+    const { container } = rr!;
+
+    // A non-image attachment renders the AttachmentChip download button
+    // with title="Download <name>" — same component the desktop bubble
+    // dispatches through AttachmentPreview.
+    await waitFor(() => {
+      const chip = container.querySelector('[title="Download report.csv"]');
+      expect(chip).toBeTruthy();
+    });
+    expect(container.textContent ?? "").toContain("report.csv");
+  });
+});
+
+// ─── #231 · Agent Comms (A2A/peer) render parity with desktop ChatTab ────────
+//
+// Regression for the CTO-reported mobile bug: the Agent Comms sub-tab
+// rendered a static placeholder string ("peer-to-peer A2A traffic
+// surfaces in the Comms tab") instead of the real feed. The fix mounts
+// the same AgentCommsPanel the desktop ChatTab agent-comms tabpanel
+// uses, so peer/A2A + delegation activity is visible on mobile.
+
+describe("MobileChat — Agent Comms render parity (#231)", () => {
+  beforeEach(() => {
+    mockStoreState.nodes = [onlineNode];
+  });
+
+  it("mounts AgentCommsPanel on the Agent Comms tab (not the old placeholder)", async () => {
+    const getSpy = vi.spyOn(api, "get");
+    // 1st GET: useChatHistory (My Chat) on mount.
+    getSpy.mockResolvedValueOnce({ messages: [], reached_end: true });
+    // 2nd GET: AgentCommsPanel's activity load when the tab is shown.
+    // Empty list → panel renders its own empty state, which still
+    // proves AgentCommsPanel mounted (vs. the removed placeholder).
+    getSpy.mockResolvedValueOnce([]);
+
+    let rr: ReturnType<typeof renderChat>;
+    await act(async () => {
+      rr = renderChat(mockAgentId);
+    });
+    const { container } = rr!;
+
+    const commsTab = Array.from(container.querySelectorAll("button")).find(
+      (b) => b.textContent?.trim() === "Agent Comms",
+    );
+    expect(commsTab).toBeTruthy();
+    await act(async () => {
+      commsTab!.click();
+    });
+
+    await waitFor(() => {
+      const text = container.textContent ?? "";
+      // The panel's empty state — proves AgentCommsPanel mounted.
+      expect(text).toContain("No agent-to-agent communications yet.");
+    });
+    // The old hard-coded placeholder must be gone.
+    expect(container.textContent ?? "").not.toContain(
+      "peer-to-peer A2A traffic surfaces in the Comms tab",
+    );
+    // The panel hit its activity endpoint.
+    expect(getSpy).toHaveBeenCalledWith(
+      expect.stringContaining(`/workspaces/${mockAgentId}/activity`),
+    );
+  });
+
+  it("renders a peer message on the Agent Comms tab", async () => {
+    const getSpy = vi.spyOn(api, "get");
+    getSpy.mockResolvedValueOnce({ messages: [], reached_end: true });
+    // a2a_receive from a peer → AgentCommsPanel.toCommMessage maps it
+    // to an inbound bubble with the request text.
+    getSpy.mockResolvedValueOnce([
+      {
+        id: "act-1",
+        activity_type: "a2a_receive",
+        source_id: "peer-ws-uuid",
+        target_id: mockAgentId,
+        method: "message/send",
+        summary: "peer asked something",
+        request_body: { task: "Please review PR 42" },
+        response_body: null,
+        status: "ok",
+        created_at: new Date().toISOString(),
+      },
+    ]);
+
+    let rr: ReturnType<typeof renderChat>;
+    await act(async () => {
+      rr = renderChat(mockAgentId);
+    });
+    const { container } = rr!;
+
+    const commsTab = Array.from(container.querySelectorAll("button")).find(
+      (b) => b.textContent?.trim() === "Agent Comms",
+    );
+    await act(async () => {
+      commsTab!.click();
+    });
+
+    await waitFor(() => {
+      expect(container.textContent ?? "").toContain("Please review PR 42");
+    });
+  });
+});

canvas/src/components/mobile/__tests__/MobileSpawn.test.tsx

@@ -93,6 +93,24 @@ describe("MobileSpawn — render", () => {
     expect(input).toBeTruthy();
   });
 
+  // Regression #224 / #225: the agent-name input must render with a
+  // font-size ≥ 16px. iOS Safari and PWAs auto-zoom the viewport when a
+  // focused input has a computed font-size below 16px — the layout
+  // jumps and the page looks broken until the user pinches back.
+  it("renders the name input at font-size 16px or greater (iOS focus-zoom regression)", () => {
+    apiGetSpy.mockResolvedValue(mockTemplates);
+    render(<MobileSpawn dark={true} onClose={vi.fn()} />);
+    const input = document.querySelector(
+      'input[aria-label="Agent name"]',
+    ) as HTMLInputElement | null;
+    expect(input).toBeTruthy();
+    // Parse the inline style font-size — jsdom doesn't run a layout
+    // engine, so getComputedStyle reports the inline value verbatim.
+    const fs = Number.parseFloat(input!.style.fontSize);
+    expect(Number.isFinite(fs)).toBe(true);
+    expect(fs).toBeGreaterThanOrEqual(16);
+  });
+
   it("renders all 4 tier buttons", () => {
     apiGetSpy.mockResolvedValue(mockTemplates);
     render(<MobileSpawn dark={true} onClose={vi.fn()} />);

canvas/src/components/mobile/components.tsx

@@ -133,6 +133,7 @@ export function TabBar({
             aria-label={t.label}
             onClick={() => onChange(t.id)}
             onKeyDown={(e) => handleKeyDown(e, idx)}
+            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
             style={{
               background: "none",
               border: "none",
@@ -291,6 +292,7 @@ export function AgentCard({
       data-testid="workspace-card"
       aria-label={`${agent.name}, status: ${agent.status}, tier ${agent.tier}${agent.remote ? ", remote" : ""}`}
       onClick={onClick}
+      className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
       style={{
         display: "block",
         width: "100%",
@@ -444,6 +446,7 @@ export function FilterChips({
             type="button"
             aria-checked={on}
             onClick={() => onChange(o.id)}
+            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
             style={{
               display: "inline-flex",
               alignItems: "center",

canvas/src/components/settings/OrgTokensTab.tsx

@@ -160,14 +160,14 @@ export function OrgTokensTab() {
             </code>
             <button
               onClick={handleCopy}
-              className="shrink-0 px-2 py-1.5 bg-emerald-800/40 hover:bg-emerald-700/50 border border-emerald-700/40 rounded text-[10px] text-good transition-colors"
+              className="shrink-0 px-2 py-1.5 bg-emerald-800/40 hover:bg-emerald-700/50 border border-emerald-700/40 rounded text-[10px] text-good transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
             >
               {copied ? 'Copied' : 'Copy'}
             </button>
           </div>
           <button
             onClick={() => setNewToken(null)}
-            className="text-[9px] text-good/60 hover:text-good transition-colors"
+            className="text-[9px] text-good/60 hover:text-good transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
           >
             Dismiss
           </button>
@@ -219,7 +219,7 @@ export function OrgTokensTab() {
               </div>
               <button
                 onClick={() => setRevokeTarget(t)}
-                className="text-[10px] text-bad/70 hover:text-bad transition-colors px-2 py-1 shrink-0"
+                className="text-[10px] text-bad/70 hover:text-bad transition-colors px-2 py-1 shrink-0 focus:outline-none focus-visible:ring-2 focus-visible:ring-red-400 focus-visible:ring-offset-1"
               >
                 Revoke
               </button>

canvas/src/components/settings/TokensTab.tsx

@@ -140,14 +140,14 @@ function WorkspaceTokensTab({ workspaceId }: TokensTabProps) {
             </code>
             <button
               onClick={handleCopy}
-              className="shrink-0 px-2 py-1.5 bg-emerald-800/40 hover:bg-emerald-700/50 border border-emerald-700/40 rounded text-[10px] text-good transition-colors"
+              className="shrink-0 px-2 py-1.5 bg-emerald-800/40 hover:bg-emerald-700/50 border border-emerald-700/40 rounded text-[10px] text-good transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
             >
               {copied ? 'Copied' : 'Copy'}
             </button>
           </div>
           <button
             onClick={() => setNewToken(null)}
-            className="text-[9px] text-good/60 hover:text-good transition-colors"
+            className="text-[9px] text-good/60 hover:text-good transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
           >
             Dismiss
           </button>
@@ -192,7 +192,7 @@ function WorkspaceTokensTab({ workspaceId }: TokensTabProps) {
               </div>
               <button
                 onClick={() => setRevokeTarget(t)}
-                className="text-[10px] text-bad/70 hover:text-bad transition-colors px-2 py-1"
+                className="text-[10px] text-bad/70 hover:text-bad transition-colors px-2 py-1 focus:outline-none focus-visible:ring-2 focus-visible:ring-red-400 focus-visible:ring-offset-1"
               >
                 Revoke
               </button>

canvas/src/components/tabs/ActivityTab.tsx

@@ -185,7 +185,7 @@ export function ActivityTab({ workspaceId }: Props) {
       {/* Activity list */}
       <div className="flex-1 overflow-y-auto p-3 space-y-1.5">
         {loading && activities.length === 0 && (
-          <div className="text-xs text-ink-mid text-center py-8">Loading activity...</div>
+          <div role="status" aria-live="polite" className="text-xs text-ink-mid text-center py-8">Loading activity...</div>
         )}
 
         {error && (

canvas/src/components/tabs/ChannelsTab.tsx

@@ -262,7 +262,7 @@ export function ChannelsTab({ workspaceId }: Props) {
       </div>
 
       {error && (
-        <div className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
+        <div role="alert" aria-live="assertive" className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
           {error}
         </div>
       )}

canvas/src/components/tabs/ConfigTab.tsx

@@ -81,7 +81,7 @@ function AgentCardSection({ workspaceId }: { workspaceId: string }) {
             spellCheck={false} rows={12}
             className="w-full bg-surface-card border border-line rounded p-2 text-[10px] font-mono text-ink focus:outline-none focus:border-accent resize-none"
           />
-          {error && <div className="px-2 py-1 bg-red-900/30 border border-red-800 rounded text-[10px] text-bad">{error}</div>}
+          {error && <div role="alert" aria-live="assertive" className="px-2 py-1 bg-red-900/30 border border-red-800 rounded text-[10px] text-bad">{error}</div>}
           <div className="flex gap-2">
             <button type="button" onClick={handleSave} disabled={saving}
               className="px-2 py-1 bg-accent hover:bg-accent-strong text-[10px] rounded text-white disabled:opacity-50 transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface">
@@ -109,6 +109,130 @@ function AgentCardSection({ workspaceId }: { workspaceId: string }) {
   );
 }
 
+// --- Agent Abilities Section ---
+//
+// Always-visible on/off controls for the two workspace-level ability flags
+// (broadcast_enabled, talk_to_user_enabled). Both are mutated through the
+// same admin endpoint the ChatTab recovery banner already uses
+// (PATCH /workspaces/:id/abilities) and reflected into the canvas store node
+// data (broadcastEnabled / talkToUserEnabled) so every surface that reads
+// useCanvasStore.nodes stays consistent without a full re-hydrate.
+//
+// Before this section there was NO canvas control for either flag: the
+// backend was fully wired (workspace_abilities.go / workspace_broadcast.go /
+// agent_message_writer.go, see commit 29b4bffb + internal#510/#511) but the
+// only frontend affordance was the ChatTab recovery banner, which renders
+// solely when talk_to_user_enabled===false and so is invisible under the
+// TRUE default and never existed at all for broadcast.
+function AgentAbilitiesSection({ workspaceId }: { workspaceId: string }) {
+  // Read the live ability flags off the canvas store node — the platform
+  // event stream hydrates these (canvas-topology.ts maps the workspace row's
+  // broadcast_enabled/talk_to_user_enabled onto node data), so this stays in
+  // sync with the recovery banner and avoids a duplicate GET. Mirrors the
+  // store-read pattern used by AgentCardSection above.
+  const node = useCanvasStore((s) =>
+    s.nodes?.find?.((n) => n.id === workspaceId),
+  );
+  // Defaults match the backend column defaults + canvas-topology mapping:
+  // broadcast_enabled defaults FALSE, talk_to_user_enabled defaults TRUE.
+  const broadcastEnabled = node?.data.broadcastEnabled ?? false;
+  const talkToUserEnabled = node?.data.talkToUserEnabled ?? true;
+
+  // Track an in-flight PATCH per field so a double-click can't fire two
+  // racing writes, and surface a one-line error if the server rejects.
+  const [pending, setPending] = useState<null | "broadcast" | "talk">(null);
+  const [error, setError] = useState<string | null>(null);
+
+  const patchAbility = async (
+    which: "broadcast" | "talk",
+    body: { broadcast_enabled: boolean } | { talk_to_user_enabled: boolean },
+    optimistic: Partial<{ broadcastEnabled: boolean; talkToUserEnabled: boolean }>,
+  ) => {
+    setError(null);
+    setPending(which);
+    // Optimistic store update — the toggle flips immediately; on failure we
+    // roll back to the server-truth value the store last held.
+    const prev = {
+      broadcastEnabled,
+      talkToUserEnabled,
+    };
+    useCanvasStore.getState().updateNodeData(workspaceId, optimistic);
+    try {
+      await api.patch(`/workspaces/${workspaceId}/abilities`, body);
+    } catch (e) {
+      // Roll back the optimistic change to last-known server truth.
+      useCanvasStore.getState().updateNodeData(workspaceId, {
+        broadcastEnabled: prev.broadcastEnabled,
+        talkToUserEnabled: prev.talkToUserEnabled,
+      });
+      setError(
+        e instanceof Error ? e.message : "Failed to update ability — try again",
+      );
+    } finally {
+      setPending(null);
+    }
+  };
+
+  return (
+    <Section title="Agent Abilities">
+      <p className="text-[10px] text-ink-mid px-1 pb-1">
+        Workspace-level permissions for this agent. Changes apply immediately
+        (no restart required).
+      </p>
+      <div className="space-y-2">
+        <div>
+          <Toggle
+            label="Talk to user"
+            checked={talkToUserEnabled}
+            onChange={(v) =>
+              pending
+                ? undefined
+                : patchAbility(
+                    "talk",
+                    { talk_to_user_enabled: v },
+                    { talkToUserEnabled: v },
+                  )
+            }
+          />
+          <p className="text-[10px] text-ink-mid mt-0.5 ml-6">
+            When off, the agent&apos;s <code className="font-mono">send_message_to_user</code>{" "}
+            and <code className="font-mono">POST /notify</code> calls are
+            rejected (403) — it must route updates through a parent workspace.
+          </p>
+        </div>
+        <div>
+          <Toggle
+            label="Broadcast to peers"
+            checked={broadcastEnabled}
+            onChange={(v) =>
+              pending
+                ? undefined
+                : patchAbility(
+                    "broadcast",
+                    { broadcast_enabled: v },
+                    { broadcastEnabled: v },
+                  )
+            }
+          />
+          <p className="text-[10px] text-ink-mid mt-0.5 ml-6">
+            When on, the agent may <code className="font-mono">POST /broadcast</code>{" "}
+            to message all non-removed agent workspaces in the org. Off by
+            default — only privileged orchestrators should hold this.
+          </p>
+        </div>
+      </div>
+      {pending && (
+        <div className="mt-2 text-[10px] text-ink-mid">Saving…</div>
+      )}
+      {error && (
+        <div role="alert" aria-live="assertive" className="mt-2 px-2 py-1 bg-red-900/30 border border-red-800 rounded text-[10px] text-bad">
+          {error}
+        </div>
+      )}
+    </Section>
+  );
+}
+
 // --- Main ConfigTab ---
 
 interface ModelSpec {
@@ -795,6 +919,7 @@ export function ConfigTab({ workspaceId }: Props) {
                   <label className="text-[10px] text-ink-mid block mb-1">Model</label>
                   <input
                     type="text"
+                    aria-label="Model"
                     value={currentModelId}
                     onChange={(e) => {
                       const v = e.target.value;
@@ -885,6 +1010,8 @@ export function ConfigTab({ workspaceId }: Props) {
             )}
           </Section>
 
+          <AgentAbilitiesSection workspaceId={workspaceId} />
+
           {/* Claude Settings — shown for claude-code runtime or claude/anthropic model names */}
           {(config.runtime === "claude-code" ||
             (config.runtime_config?.model || config.model || "").toLowerCase().includes("claude") ||
@@ -995,7 +1122,7 @@ export function ConfigTab({ workspaceId }: Props) {
       )}
 
       {error && (
-        <div className="mx-3 mb-2 px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">{error}</div>
+        <div role="alert" aria-live="assertive" className="mx-3 mb-2 px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">{error}</div>
       )}
       {!error && RUNTIMES_WITH_OWN_CONFIG.has(config.runtime || "") && (
         <div className="mx-3 mb-2 px-3 py-1.5 bg-surface-sunken/50 border border-line rounded text-xs text-ink-mid">

canvas/src/components/tabs/DetailsTab.tsx

@@ -157,7 +157,7 @@ export function DetailsTab({ workspaceId, data }: Props) {
               </select>
             </Field>
             {saveError && (
-              <div className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
+              <div role="alert" aria-live="assertive" className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
                 {saveError}
               </div>
             )}
@@ -203,7 +203,7 @@ export function DetailsTab({ workspaceId, data }: Props) {
             {isRestartable && (
               <div className="pt-2">
                 {restartError && (
-                  <div className="mb-2 px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
+                  <div role="alert" aria-live="assertive" className="mb-2 px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
                     {restartError}
                   </div>
                 )}
@@ -307,7 +307,7 @@ export function DetailsTab({ workspaceId, data }: Props) {
       {/* Delete */}
       <Section title="Danger Zone">
         {deleteError && (
-          <div className="mb-2 px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
+          <div role="alert" aria-live="assertive" className="mb-2 px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
             {deleteError}
           </div>
         )}

canvas/src/components/tabs/EventsTab.tsx

@@ -82,7 +82,7 @@ export function EventsTab({ workspaceId }: Props) {
       </div>
 
       {error && (
-        <div className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
+        <div role="alert" aria-live="assertive" className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
           {error}
         </div>
       )}

canvas/src/components/tabs/ExternalConnectionSection.tsx

@@ -102,7 +102,7 @@ export function ExternalConnectionSection({ workspaceId }: Props) {
       </div>
 
       {error && (
-        <div className="mt-2 px-2 py-1 bg-red-900/30 border border-red-800 rounded text-[10px] text-bad">
+        <div role="alert" aria-live="assertive" className="mt-2 px-2 py-1 bg-red-900/30 border border-red-800 rounded text-[10px] text-bad">
           {error}
         </div>
       )}

canvas/src/components/tabs/FilesTab.tsx

@@ -266,7 +266,7 @@ function PlatformOwnedFilesTab({
         // immediately. Delete-All hovers DARKER (bg-red-700) — same AA
         // contrast trap that bit ConfirmDialog/ApprovalBanner. Cancel
         // lifts to surface-elevated instead of the prior no-op hover.
-        <div role="alertdialog" aria-labelledby="files-delete-all-msg" className="mx-3 mt-2 px-3 py-2 bg-red-950/30 border border-red-800/40 rounded space-y-1.5">
+        <div role="alertdialog" aria-modal="false" aria-labelledby="files-delete-all-msg" className="mx-3 mt-2 px-3 py-2 bg-red-950/30 border border-red-800/40 rounded space-y-1.5">
           <p id="files-delete-all-msg" className="text-xs text-bad">Delete all {files.filter((f) => !f.dir).length} files? This cannot be undone.</p>
           <div className="flex gap-2">
             <button type="button" onClick={() => { handleDeleteAll(); setShowDeleteAll(false); }} className="px-2 py-0.5 bg-red-700 hover:bg-red-600 text-[10px] rounded text-white transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-red-500/60 focus-visible:ring-offset-1 focus-visible:ring-offset-surface">Delete All</button>
@@ -280,7 +280,7 @@ function PlatformOwnedFilesTab({
       )}
 
       {confirmDelete && (
-        <div role="alertdialog" aria-labelledby="files-delete-one-msg" className="mx-3 mt-2 px-3 py-2 bg-amber-950/30 border border-amber-800/40 rounded space-y-1.5">
+        <div role="alertdialog" aria-modal="false" aria-labelledby="files-delete-one-msg" className="mx-3 mt-2 px-3 py-2 bg-amber-950/30 border border-amber-800/40 rounded space-y-1.5">
           <p id="files-delete-one-msg" className="text-xs text-warm">Delete <span className="font-mono">{confirmDelete}</span>{files.find((f) => f.path === confirmDelete && f.dir) ? " and all its contents" : ""}?</p>
           <div className="flex gap-2">
             <button type="button" onClick={confirmDeleteFile} className="px-2 py-0.5 bg-red-700 hover:bg-red-600 text-[10px] rounded text-white transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-red-500/60 focus-visible:ring-offset-1 focus-visible:ring-offset-surface">Delete</button>

canvas/src/components/tabs/ScheduleTab.tsx

@@ -275,7 +275,7 @@ export function ScheduleTab({ workspaceId }: Props) {
               Enabled
             </label>
           </div>
-          {error && <div className="text-[10px] text-bad">{error}</div>}
+          {error && <div role="alert" aria-live="assertive" className="text-[10px] text-bad">{error}</div>}
           <div className="flex gap-2">
             <button
               type="button"

canvas/src/components/tabs/TracesTab.tsx

@@ -67,7 +67,7 @@ export function TracesTab({ workspaceId }: Props) {
       </div>
 
       {error && (
-        <div className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
+        <div role="alert" aria-live="assertive" className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
           {error}
         </div>
       )}

canvas/src/components/tabs/__tests__/ConfigTab.abilities.test.tsx

@@ -0,0 +1,165 @@
+// @vitest-environment jsdom
+//
+// Tests for the always-visible "Agent Abilities" section added to ConfigTab
+// (internal#510 broadcast_enabled, internal#511 talk_to_user_enabled; backend
+// wired in commit 29b4bffb).
+//
+// Problem this pins: the two workspace ability flags had complete wired
+// backends but NO canvas control — broadcast had none at all, talk-to-user
+// only surfaced as a ChatTab recovery banner that is invisible under its
+// TRUE default. The CTO could not see or toggle either from canvas.
+//
+// What this suite pins:
+//   1. An "Agent Abilities" section renders (always visible, not gated).
+//   2. Both toggles render and reflect the store node's ability fields,
+//      including the asymmetric defaults (broadcast FALSE, talk TRUE).
+//   3. Toggling a switch calls PATCH /workspaces/:id/abilities with the
+//      correct snake_case body and optimistically updates the store.
+
+import { describe, it, expect, vi, afterEach, beforeEach } from "vitest";
+import { render, screen, cleanup, waitFor, fireEvent } from "@testing-library/react";
+import React from "react";
+
+afterEach(cleanup);
+
+const apiGet = vi.fn();
+const apiPatch = vi.fn();
+vi.mock("@/lib/api", () => ({
+  api: {
+    get: (path: string) => apiGet(path),
+    patch: (path: string, body?: unknown) => apiPatch(path, body),
+    put: vi.fn(),
+    post: vi.fn(),
+    del: vi.fn(),
+  },
+}));
+
+// Store node carries the ability flags hydrated by the platform stream
+// (canvas-topology.ts maps broadcast_enabled/talk_to_user_enabled onto
+// node.data). Mirror that shape so the section reads real values.
+const storeUpdateNodeData = vi.fn();
+const storeRestartWorkspace = vi.fn();
+let nodeData: { broadcastEnabled?: boolean; talkToUserEnabled?: boolean } = {};
+const makeState = () => ({
+  nodes: [{ id: "ws-test", data: nodeData }],
+  restartWorkspace: storeRestartWorkspace,
+  updateNodeData: storeUpdateNodeData,
+});
+vi.mock("@/store/canvas", () => ({
+  useCanvasStore: Object.assign(
+    (selector: (s: unknown) => unknown) => selector(makeState()),
+    { getState: () => makeState() },
+  ),
+}));
+
+vi.mock("../AgentCardSection", () => ({
+  AgentCardSection: () => <div data-testid="agent-card-stub" />,
+}));
+
+import { ConfigTab } from "../ConfigTab";
+
+beforeEach(() => {
+  apiGet.mockReset();
+  apiPatch.mockReset();
+  apiPatch.mockResolvedValue({ status: "updated" });
+  storeUpdateNodeData.mockReset();
+  apiGet.mockImplementation((path: string) => {
+    if (path === `/workspaces/ws-test`) {
+      return Promise.resolve({ runtime: "claude-code" });
+    }
+    if (path === `/workspaces/ws-test/model`) {
+      return Promise.resolve({ model: "claude-opus-4-7" });
+    }
+    if (path === `/workspaces/ws-test/provider`) {
+      return Promise.resolve({ provider: "anthropic-oauth", source: "default" });
+    }
+    if (path === `/workspaces/ws-test/files/config.yaml`) {
+      return Promise.resolve({ content: "name: test\nruntime: claude-code\n" });
+    }
+    if (path === "/templates") {
+      return Promise.resolve([
+        { id: "claude-code", name: "Claude Code", runtime: "claude-code", providers: [] },
+      ]);
+    }
+    return Promise.reject(new Error(`unmocked api.get: ${path}`));
+  });
+});
+
+describe("ConfigTab Agent Abilities section", () => {
+  it("renders an always-visible 'Agent Abilities' section with both toggles", async () => {
+    nodeData = {}; // unset → defaults
+    render(<ConfigTab workspaceId="ws-test" />);
+    await waitFor(() => expect(apiGet).toHaveBeenCalled());
+    expect(
+      await screen.findByRole("button", { name: /Agent Abilities/i }),
+    ).toBeTruthy();
+    expect(screen.getByText("Talk to user")).toBeTruthy();
+    expect(screen.getByText("Broadcast to peers")).toBeTruthy();
+  });
+
+  it("reflects the asymmetric defaults: talk-to-user ON, broadcast OFF", async () => {
+    nodeData = {}; // unset → backend defaults
+    render(<ConfigTab workspaceId="ws-test" />);
+    await waitFor(() => expect(apiGet).toHaveBeenCalled());
+    const talk = (await screen.findByText("Talk to user"))
+      .closest("label")!
+      .querySelector("input") as HTMLInputElement;
+    const broadcast = screen
+      .getByText("Broadcast to peers")
+      .closest("label")!
+      .querySelector("input") as HTMLInputElement;
+    expect(talk.checked).toBe(true);
+    expect(broadcast.checked).toBe(false);
+  });
+
+  it("reflects explicit store values", async () => {
+    nodeData = { broadcastEnabled: true, talkToUserEnabled: false };
+    render(<ConfigTab workspaceId="ws-test" />);
+    await waitFor(() => expect(apiGet).toHaveBeenCalled());
+    const talk = (await screen.findByText("Talk to user"))
+      .closest("label")!
+      .querySelector("input") as HTMLInputElement;
+    const broadcast = screen
+      .getByText("Broadcast to peers")
+      .closest("label")!
+      .querySelector("input") as HTMLInputElement;
+    expect(talk.checked).toBe(false);
+    expect(broadcast.checked).toBe(true);
+  });
+
+  it("PATCHes /abilities with talk_to_user_enabled and optimistically updates the store", async () => {
+    nodeData = {}; // talk defaults true
+    render(<ConfigTab workspaceId="ws-test" />);
+    await waitFor(() => expect(apiGet).toHaveBeenCalled());
+    const talk = (await screen.findByText("Talk to user"))
+      .closest("label")!
+      .querySelector("input") as HTMLInputElement;
+    fireEvent.click(talk); // true → false
+    await waitFor(() =>
+      expect(apiPatch).toHaveBeenCalledWith("/workspaces/ws-test/abilities", {
+        talk_to_user_enabled: false,
+      }),
+    );
+    expect(storeUpdateNodeData).toHaveBeenCalledWith("ws-test", {
+      talkToUserEnabled: false,
+    });
+  });
+
+  it("PATCHes /abilities with broadcast_enabled when the broadcast toggle is flipped", async () => {
+    nodeData = {}; // broadcast defaults false
+    render(<ConfigTab workspaceId="ws-test" />);
+    await waitFor(() => expect(apiGet).toHaveBeenCalled());
+    const broadcast = (await screen.findByText("Broadcast to peers"))
+      .closest("label")!
+      .querySelector("input") as HTMLInputElement;
+    fireEvent.click(broadcast); // false → true
+    await waitFor(() =>
+      expect(apiPatch).toHaveBeenCalledWith("/workspaces/ws-test/abilities", {
+        broadcast_enabled: true,
+      }),
+    );
+    expect(storeUpdateNodeData).toHaveBeenCalledWith("ws-test", {
+      broadcastEnabled: true,
+    });
+  });
+});

canvas/src/components/tabs/chat/AgentCommsPanel.tsx

@@ -405,7 +405,7 @@ export function AgentCommsPanel({ workspaceId }: { workspaceId: string }) {
         </p>
         <button
           onClick={loadInitial}
-          className="text-[10px] px-2 py-0.5 rounded bg-red-800/40 text-bad hover:bg-red-700/50 transition-colors"
+          className="text-[10px] px-2 py-0.5 rounded bg-red-800/40 text-bad hover:bg-red-700/50 transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-red-500/60 focus-visible:ring-offset-1"
         >
           Retry
         </button>
@@ -610,7 +610,7 @@ function PeerTabButton({
       aria-selected={active}
       tabIndex={active ? 0 : -1}
       onClick={onClick}
-      className={`shrink-0 px-3 py-1.5 text-[10px] font-medium transition-colors whitespace-nowrap ${
+      className={`shrink-0 px-3 py-1.5 text-[10px] font-medium transition-colors whitespace-nowrap focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-cyan-500/60 focus-visible:ring-offset-1 ${
         active
           ? "border-b-2 border-cyan-500 text-cyan-200"
           : "border-b-2 border-transparent text-ink-mid hover:text-ink-mid"

canvas/src/components/tabs/chat/AttachmentViews.tsx

@@ -33,7 +33,7 @@ export function PendingAttachmentPill({
       <button
         onClick={onRemove}
         aria-label={`Remove ${file.name}`}
-        className="ml-0.5 text-ink-mid hover:text-ink transition-colors shrink-0"
+        className="ml-0.5 text-ink-mid hover:text-ink transition-colors shrink-0 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent/60 focus-visible:ring-offset-1"
       >
         <svg width="10" height="10" viewBox="0 0 16 16" fill="none" aria-hidden="true">
           <path d="M4 4l8 8M12 4l-8 8" stroke="currentColor" strokeWidth="1.6" strokeLinecap="round" />
@@ -62,8 +62,9 @@ export function AttachmentChip({
   return (
     <button
       onClick={() => onDownload(attachment)}
+      aria-label={`Download ${attachment.name}`}
       title={`Download ${attachment.name}`}
-      className={`flex items-center gap-1.5 rounded-md border px-2 py-1 text-[10px] transition-colors max-w-full ${toneClasses}`}
+      className={`flex items-center gap-1.5 rounded-md border px-2 py-1 text-[10px] transition-colors max-w-full focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent/60 focus-visible:ring-offset-1 ${toneClasses}`}
     >
       <FileGlyph className="shrink-0 opacity-70" />
       <span className="truncate">{attachment.name}</span>

canvas/src/components/tabs/config/secrets-section.tsx

@@ -351,8 +351,10 @@ export function SecretsSection({ workspaceId, requiredEnv }: { workspaceId: stri
           {showAdd ? (
             <div className="bg-surface-card/50 rounded p-2 space-y-1.5 border border-line/50">
               <input value={newKey} onChange={(e) => setNewKey(e.target.value.toUpperCase())} placeholder="KEY_NAME"
+                aria-label="Secret key name"
                 className="w-full bg-surface-sunken border border-line rounded px-2 py-1 text-[10px] font-mono text-ink focus:outline-none focus:border-accent" />
               <input value={newValue} onChange={(e) => setNewValue(e.target.value)} placeholder="Value" type="password"
+                aria-label="Secret value"
                 className="w-full bg-surface-sunken border border-line rounded px-2 py-1 text-[10px] text-ink focus:outline-none focus:border-accent" />
               <div className="flex gap-2">
                 <button type="button" onClick={() => { if (newKey && newValue) handleSave(newKey, newValue); }} disabled={!newKey || !newValue}

canvas/src/components/ui/TestConnectionButton.tsx

@@ -99,7 +99,7 @@ export function TestConnectionButton({
 
 function Spinner() {
   return (
-    <svg className="spinner" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+    <svg aria-hidden="true" className="spinner" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
       <path d="M12 2v4M12 18v4M4.93 4.93l2.83 2.83M16.24 16.24l2.83 2.83M2 12h4M18 12h4M4.93 19.07l2.83-2.83M16.24 7.76l2.83-2.83" />
     </svg>
   );

canvas/src/hooks/useTemplateDeploy.tsx

@@ -8,6 +8,7 @@ import {
   type PreflightResult,
   type Template,
 } from "@/lib/deploy-preflight";
+import { isSaaSTenant } from "@/lib/tenant";
 import { MissingKeysModal } from "@/components/MissingKeysModal";
 
 /**
@@ -105,7 +106,7 @@ export function useTemplateDeploy(
         const ws = await api.post<{ id: string }>("/workspaces", {
           name: template.name,
           template: template.id,
-          tier: template.tier,
+          tier: isSaaSTenant() ? 4 : template.tier,
           canvas: coords,
           ...(model ? { model } : {}),
         });

canvas/src/store/__tests__/socket.test.ts

@@ -63,7 +63,7 @@ class MockWebSocket {
 (globalThis as unknown as Record<string, unknown>).WebSocket = MockWebSocket;
 
 // Now import the socket module (uses globalThis.WebSocket at call time)
-import { connectSocket, disconnectSocket } from "../socket";
+import { connectSocket, disconnectSocket, wakeSocket } from "../socket";
 import { useCanvasStore } from "../canvas";
 
 // ---------------------------------------------------------------------------
@@ -416,3 +416,84 @@ describe("RehydrateDedup", () => {
     expect(d.shouldSkip(2_700)).toBe(true);
   });
 });
+
+// ---------------------------------------------------------------------------
+// wakeSocket() — visibility-wake reconnect (regression #223 / #228)
+// ---------------------------------------------------------------------------
+//
+// Mobile browsers (iOS Safari, Chrome on Android in deep-sleep) silently
+// drop the WebSocket when the tab is backgrounded; the in-page onclose
+// fires very late or never. Without a visibility wake, the canvas stays
+// frozen until the user manually refreshes.
+//
+// The real wiring lives at module level: connectSocket installs a
+// visibilitychange/pageshow listener that calls wake() on foreground.
+// We can't dispatch DOM events here because the suite runs under the
+// `node` test environment (no `document`/`window` — see canvas/vitest
+// .config.ts). Instead we test wake() directly through the wakeSocket
+// public export, which is the same code path the listener invokes.
+
+describe("wakeSocket → reconnect (#223 / #228 — mobile visibility wake)", () => {
+  it("wake on a healthy OPEN socket does not create a new WebSocket", () => {
+    connectSocket();
+    const ws = getLastWS();
+    ws.triggerOpen();
+    // OPEN === 1. wake() should take the healthy-no-op branch.
+    (ws as unknown as { readyState: number }).readyState = 1;
+    const before = MockWebSocket.instances.length;
+    wakeSocket();
+    expect(MockWebSocket.instances.length).toBe(before);
+  });
+
+  it("wake on a CLOSED socket creates a new WebSocket (the actual #223 fix)", () => {
+    connectSocket();
+    const ws = getLastWS();
+    ws.triggerOpen();
+    // CLOSED === 3. Simulates the OS killing the socket while the tab
+    // was backgrounded. We deliberately don't fire triggerClose() —
+    // the whole point of #223 is that mobile browsers don't fire
+    // onclose when they kill the WS, so reconnect never schedules.
+    (ws as unknown as { readyState: number }).readyState = 3;
+    const before = MockWebSocket.instances.length;
+    wakeSocket();
+    expect(MockWebSocket.instances.length).toBe(before + 1);
+  });
+
+  it("wake while CONNECTING (readyState=0) does not pile another handshake", () => {
+    connectSocket();
+    const ws = getLastWS();
+    // CONNECTING === 0 — a handshake is already in flight.
+    (ws as unknown as { readyState: number }).readyState = 0;
+    const before = MockWebSocket.instances.length;
+    wakeSocket();
+    expect(MockWebSocket.instances.length).toBe(before);
+  });
+
+  it("wake cancels any pending backoff reconnect", () => {
+    const clearTimeoutSpy = vi.spyOn(globalThis, "clearTimeout");
+    connectSocket();
+    const ws = getLastWS();
+    ws.triggerOpen();
+    // Drop the socket — onclose schedules a backoff reconnect.
+    ws.triggerClose();
+    // Now wake the page. wake() should pre-empt the backoff so the
+    // user sees the canvas come back immediately, not after the
+    // exponential delay window.
+    (ws as unknown as { readyState: number }).readyState = 3;
+    clearTimeoutSpy.mockClear();
+    wakeSocket();
+    expect(clearTimeoutSpy).toHaveBeenCalled();
+    clearTimeoutSpy.mockRestore();
+  });
+
+  it("wake after disconnectSocket is a no-op (no zombie reconnect)", () => {
+    connectSocket();
+    const ws = getLastWS();
+    ws.triggerOpen();
+    disconnectSocket();
+    const before = MockWebSocket.instances.length;
+    // Singleton is null now — wake() should silently do nothing.
+    expect(() => wakeSocket()).not.toThrow();
+    expect(MockWebSocket.instances.length).toBe(before);
+  });
+});

canvas/src/store/socket.ts

@@ -268,6 +268,46 @@ class ReconnectingSocket {
     }
     useCanvasStore.getState().setWsStatus("disconnected");
   }
+
+  /** Force a reconnect attempt now, skipping the backoff window.
+   *  Used by the visibilitychange / pageshow handler: when a mobile
+   *  browser backgrounds the tab, the OS silently kills the WebSocket
+   *  but the in-page onclose either fires very late or never fires at
+   *  all (iOS Safari, Chrome on Android in deep-sleep). Once the user
+   *  brings the tab back, the canvas needs to reconnect within human
+   *  perception — not on whatever backoff delay was last scheduled,
+   *  which can be up to 30s. (#223 / #228)
+   *
+   *  Idempotent: if the socket is already OPEN we leave it alone; the
+   *  WebSocket is still healthy and a reconnect would just churn. */
+  wake() {
+    if (this.disposed) return;
+    // OPEN === 1. Use the numeric literal so we don't have to import
+    // WebSocket type values; the runtime constant is well-defined.
+    if (this.ws && this.ws.readyState === 1) {
+      // Healthy. Run a rehydrate to catch any events we may have missed
+      // while the tab was backgrounded — the OS does deliver some
+      // packets late, but it can also drop them, and the dedup gate
+      // collapses this with any subsequent health-check rehydrate.
+      void this.rehydrate();
+      return;
+    }
+    // CONNECTING === 0 means a handshake is already in flight. Don't
+    // pile another one on; the existing attempt or its onclose-driven
+    // reconnect will resolve.
+    if (this.ws && this.ws.readyState === 0) return;
+    // Otherwise (CLOSING, CLOSED, or null) we're in limbo. Cancel any
+    // pending backoff and reconnect now.
+    if (this.reconnectTimer) {
+      clearTimeout(this.reconnectTimer);
+      this.reconnectTimer = null;
+    }
+    // Reset attempt counter so the *next* failure (if any) starts from
+    // a short delay again — we just had a real user interaction, not
+    // an unattended-tab failure cascade.
+    this.attempt = 0;
+    this.connect();
+  }
 }
 
 export interface WorkspaceData {
@@ -306,11 +346,49 @@ export interface WorkspaceData {
 
 let socket: ReconnectingSocket | null = null;
 
+/** visibilitychange / pageshow handler. Mobile browsers (iOS Safari,
+ *  Chrome on Android in deep-sleep) silently drop the WebSocket when
+ *  the tab is backgrounded — the in-page `onclose` fires very late or
+ *  never. Without this listener, the canvas appears frozen after the
+ *  user backgrounds the PWA and returns to it: status events, agent
+ *  messages, and cross-device chat broadcast don't arrive until a
+ *  manual refresh (#223 / #228).
+ *
+ *  Both events are wired: `visibilitychange` covers tab-switch on a
+ *  live page; `pageshow` covers Safari's bfcache restore, where the
+ *  page comes back from cache without firing visibilitychange. */
+function onPageWake() {
+  // document is undefined in SSR; the listener never installs there,
+  // but defensively guard anyway in case this code is run via a test
+  // harness that doesn't shim it.
+  if (typeof document !== "undefined" && document.hidden) return;
+  socket?.wake();
+}
+let visibilityHandlerInstalled = false;
+function installVisibilityHandler() {
+  if (visibilityHandlerInstalled) return;
+  if (typeof document === "undefined" || typeof window === "undefined") return;
+  document.addEventListener("visibilitychange", onPageWake);
+  // `pageshow` with `event.persisted === true` is the bfcache restore
+  // signal — relevant on iOS Safari. We don't need to inspect
+  // `persisted` because waking an OPEN socket is a no-op.
+  window.addEventListener("pageshow", onPageWake);
+  visibilityHandlerInstalled = true;
+}
+function uninstallVisibilityHandler() {
+  if (!visibilityHandlerInstalled) return;
+  if (typeof document === "undefined" || typeof window === "undefined") return;
+  document.removeEventListener("visibilitychange", onPageWake);
+  window.removeEventListener("pageshow", onPageWake);
+  visibilityHandlerInstalled = false;
+}
+
 export function connectSocket() {
   if (!socket) {
     socket = new ReconnectingSocket(WS_URL);
   }
   socket.connect();
+  installVisibilityHandler();
 }
 
 export function disconnectSocket() {
@@ -318,4 +396,14 @@ export function disconnectSocket() {
     socket.disconnect();
     socket = null;
   }
+  uninstallVisibilityHandler();
+}
+
+/** Manually trigger the visibility-wake path. Exported so the test suite
+ *  can exercise `ReconnectingSocket.wake()` without depending on a
+ *  jsdom DOM (the rest of this file's tests run under the node env).
+ *  Real-world callers don't need this — the visibility/pageshow listener
+ *  drives it. */
+export function wakeSocket() {
+  socket?.wake();
 }

canvas/src/styles/settings-panel.css

@@ -584,6 +584,10 @@
 .secrets-tab__refresh-btn:hover {
   background: #1e40af;
 }
+.secrets-tab__refresh-btn:focus-visible {
+  outline: 2px solid #1d4ed8;
+  outline-offset: 2px;
+}
 
 .secrets-tab__no-results {
   text-align: center;
@@ -649,6 +653,10 @@
   border-radius: 6px;
   cursor: pointer;
 }
+.delete-dialog__cancel-btn:focus-visible {
+  outline: var(--focus-ring);
+  outline-offset: var(--focus-ring-offset);
+}
 
 .delete-dialog__confirm-btn {
   background: var(--status-invalid);
@@ -658,6 +666,10 @@
   border-radius: 6px;
   cursor: pointer;
 }
+.delete-dialog__confirm-btn:focus-visible {
+  outline: var(--focus-ring);
+  outline-offset: var(--focus-ring-offset);
+}
 
 .delete-dialog__confirm-btn:disabled { opacity: 0.4; cursor: not-allowed; }
 

manifest.json

@@ -30,10 +30,7 @@
     {"name": "openclaw", "repo": "molecule-ai/molecule-ai-workspace-template-openclaw", "ref": "main"},
     {"name": "codex", "repo": "molecule-ai/molecule-ai-workspace-template-codex", "ref": "main"},
     {"name": "langgraph", "repo": "molecule-ai/molecule-ai-workspace-template-langgraph", "ref": "main"},
-    {"name": "crewai", "repo": "molecule-ai/molecule-ai-workspace-template-crewai", "ref": "main"},
-    {"name": "autogen", "repo": "molecule-ai/molecule-ai-workspace-template-autogen", "ref": "main"},
-    {"name": "deepagents", "repo": "molecule-ai/molecule-ai-workspace-template-deepagents", "ref": "main"},
-    {"name": "gemini-cli", "repo": "molecule-ai/molecule-ai-workspace-template-gemini-cli", "ref": "main"}
+    {"name": "autogen", "repo": "molecule-ai/molecule-ai-workspace-template-autogen", "ref": "main"}
   ],
   "org_templates": [
     {"name": "molecule-dev", "repo": "molecule-ai/molecule-ai-org-template-molecule-dev", "ref": "main"},

scripts/build_runtime_package.py

@@ -58,6 +58,7 @@ TOP_LEVEL_MODULES = {
     "a2a_response",
     "a2a_tools",
     "a2a_tools_delegation",
+    "a2a_tools_identity",
     "a2a_tools_inbox",
     "a2a_tools_memory",
     "a2a_tools_messaging",
@@ -310,8 +311,17 @@ locally.
   deps from your system Python. Plain `pip install --user` works
   but the binary lands in `~/.local/bin` (Linux) or
   `~/Library/Python/3.X/bin` (macOS) which is often not on PATH on
-  a fresh shell — `claude mcp add molecule -- molecule-mcp` then
-  fails with "command not found" at first use.
+  a fresh shell — `claude mcp add molecule-<workspace-slug> -- molecule-mcp`
+  then fails with "command not found" at first use.
+
+* **Server name in `claude mcp add` is workspace-specific.** The
+  Canvas "Add to Claude Code" snippet stamps a unique slug
+  (`molecule-<workspace-name>`) so a single Claude Code session can
+  talk to N molecule workspaces concurrently — `claude mcp add` keys
+  entries by name in `~/.claude.json`, so re-running with a bare
+  `molecule` name silently overwrites the prior workspace's entry.
+  See [molecule-core#1535](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/1535)
+  for the canonical generator.
 
 ### Install
 
@@ -335,8 +345,10 @@ WORKSPACE_ID=<uuid> \\
 That exposes the same 8 platform tools (`delegate_task`, `list_peers`,
 `send_message_to_user`, `commit_memory`, etc.) that container-bound
 runtimes already get via the workspace's auto-spawned MCP. Register
-the binary in your agent's MCP config (e.g. Claude Code's
-`claude mcp add molecule -- molecule-mcp` with the env above).
+the binary in your agent's MCP config — use a workspace-specific
+server name so multi-workspace setups don't collide (e.g. Claude Code:
+`claude mcp add molecule-<workspace-slug> -- molecule-mcp` with the env
+above; the Canvas modal stamps the right slug for you).
 
 ### Keeping the token out of shell history
 
@@ -374,8 +386,8 @@ hold:
    wheel does (see `_build_initialize_result`). Nothing for you to
    do.
 2. **Claude Code installs the server as a marketplace plugin** — a
-   plain `claude mcp add molecule -- molecule-mcp` produces a
-   non-plugin-sourced server, which Claude Code rejects with
+   plain `claude mcp add molecule-<workspace-slug> -- molecule-mcp`
+   produces a non-plugin-sourced server, which Claude Code rejects with
    `channel_enable requires a marketplace plugin`. Until the
    official `moleculesai/claude-code-plugin` marketplace lands
    (tracking [#2936](https://git.moleculesai.app/molecule-ai/molecule-core/issues/2936)),

tests/e2e/test_peer_visibility_mcp_staging.sh

@@ -0,0 +1,376 @@
+#!/usr/bin/env bash
+# Staging E2E — fresh-provision peer-visibility gate via the LITERAL MCP path.
+#
+# WHY THIS EXISTS
+# ---------------
+# Hermes and OpenClaw were repeatedly reported "fleet-verified / cascade-
+# complete" because the *proxy* signals were green:
+#   - registry-registration + heartbeat (Hermes), and
+#   - model round-trip 200 (OpenClaw).
+# But a freshly-provisioned workspace, asked on canvas "can you see your
+# peers", actually FAILS:
+#   - Hermes: 401 on the molecule MCP `list_peers` call,
+#   - OpenClaw: falls back to native `sessions_list`, sees no platform peers.
+# Tasks #142/#159 were even marked "completed" under this same proxy flaw.
+#
+# This script codifies the LITERAL user-facing path so it can never silently
+# regress: it provisions a brand-new throwaway org + sibling workspaces via
+# the real control-plane provisioning path, then for each runtime that should
+# have platform peer-visibility it drives the EXACT MCP call the canvas agent
+# makes — `POST /workspaces/:id/mcp` JSON-RPC tools/call name=list_peers,
+# authenticated by that workspace's own bearer token through the real
+# WorkspaceAuth + MCPRateLimiter middleware chain. It then asserts:
+#   (1) HTTP 200,
+#   (2) JSON-RPC `result` present (NOT an `error` object — a -32000
+#       "tool call failed" or a 401 from WorkspaceAuth fails here),
+#   (3) the returned peer set CONTAINS the other provisioned sibling
+#       workspace IDs — not an empty list, not a native-sessions fallback.
+#
+# This is NOT a proxy. It does not look at a registry row, /health, the
+# heartbeat table, or `GET /registry/:id/peers`. It drives the byte-for-byte
+# JSON-RPC envelope that mcp_molecule_list_peers issues from a real agent.
+#
+# It is written to FAIL on today's broken Hermes/OpenClaw behavior and go
+# green only when the in-flight root-cause fixes (Hermes-401, OpenClaw MCP
+# wiring) actually land. That is the point: it is the objective proof gate.
+#
+# AUTH MODEL (mirrors tests/e2e/test_staging_full_saas.sh)
+# --------------------------------------------------------
+#   Single MOLECULE_ADMIN_TOKEN (= CP_ADMIN_API_TOKEN on Railway staging)
+#   drives: POST /cp/admin/orgs (provision), GET
+#   /cp/admin/orgs/:slug/admin-token (per-tenant token), DELETE
+#   /cp/admin/tenants/:slug (teardown). The per-tenant admin token drives
+#   tenant workspace creation; each workspace's OWN auth_token (returned by
+#   POST /workspaces) drives its MCP call.
+#
+# Required env:
+#   MOLECULE_ADMIN_TOKEN   CP admin bearer — Railway staging CP_ADMIN_API_TOKEN
+# Optional env:
+#   MOLECULE_CP_URL        default https://staging-api.moleculesai.app
+#   E2E_RUN_ID             slug suffix; CI passes ${GITHUB_RUN_ID}
+#   PV_RUNTIMES            space list; default "hermes openclaw claude-code"
+#   E2E_PROVISION_TIMEOUT_SECS  default 1800 (hermes/openclaw cold EC2 budget)
+#   E2E_MINIMAX_API_KEY / E2E_ANTHROPIC_API_KEY / E2E_OPENAI_API_KEY
+#                          LLM provider key injected so the runtime can boot
+#   E2E_KEEP_ORG           1 → skip teardown (local debugging only)
+#
+# Exit codes:
+#   0  every runtime saw its peers via the literal MCP call
+#   1  generic failure
+#   2  missing required env
+#   3  provisioning timed out
+#   4  teardown left orphan resources
+#   10 peer-visibility regression reproduced (the gate firing as designed)
+
+set -uo pipefail
+
+CP_URL="${MOLECULE_CP_URL:-https://staging-api.moleculesai.app}"
+ADMIN_TOKEN="${MOLECULE_ADMIN_TOKEN:?MOLECULE_ADMIN_TOKEN required — Railway staging CP_ADMIN_API_TOKEN}"
+RUN_ID_SUFFIX="${E2E_RUN_ID:-$(date +%H%M%S)-$$}"
+PV_RUNTIMES="${PV_RUNTIMES:-hermes openclaw claude-code}"
+PROVISION_TIMEOUT_SECS="${E2E_PROVISION_TIMEOUT_SECS:-1800}"
+
+# Slug MUST start with 'e2e-' so the sweep-stale-e2e-orgs safety net
+# (EPHEMERAL_PREFIXES) catches any leak this run fails to tear down.
+SLUG="e2e-pv-$(date +%Y%m%d)-${RUN_ID_SUFFIX}"
+SLUG=$(echo "$SLUG" | tr '[:upper:]' '[:lower:]' | tr -cd 'a-z0-9-' | head -c 32)
+
+ORG_ID=""
+TENANT_URL=""
+TENANT_TOKEN=""
+
+log()  { echo "[$(date +%H:%M:%S)] $*"; }
+fail() { echo "[$(date +%H:%M:%S)] ❌ $*" >&2; exit 1; }
+ok()   { echo "[$(date +%H:%M:%S)] ✅ $*"; }
+
+admin_call() {
+  local method="$1" path="$2"; shift 2
+  curl -sS -X "$method" "$CP_URL$path" \
+    -H "Authorization: Bearer $ADMIN_TOKEN" \
+    -H "Content-Type: application/json" "$@"
+}
+tenant_call() {
+  local method="$1" path="$2"; shift 2
+  curl -sS -X "$method" "$TENANT_URL$path" \
+    -H "Authorization: Bearer $TENANT_TOKEN" \
+    -H "X-Molecule-Org-Id: $ORG_ID" \
+    -H "Content-Type: application/json" "$@"
+}
+
+# ─── Scoped teardown ───────────────────────────────────────────────────
+# Deletes ONLY the org this run created (DELETE /cp/admin/tenants/$SLUG
+# with the {"confirm":$SLUG} fat-finger guard). Never a cluster-wide
+# sweep — honors feedback_cleanup_after_each_test and
+# feedback_never_run_cluster_cleanup_tests_on_live_platform. The
+# workflow's always() step + sweep-stale-e2e-orgs are the outer nets.
+teardown() {
+  local rc=$?
+  set +e
+  if [ "${E2E_KEEP_ORG:-0}" = "1" ]; then
+    echo ""
+    log "[teardown] E2E_KEEP_ORG=1 — leaving $SLUG for debugging (REMEMBER TO DELETE)"
+    exit $rc
+  fi
+  echo ""
+  log "[teardown] DELETE /cp/admin/tenants/$SLUG (scoped to this run only)"
+  admin_call DELETE "/cp/admin/tenants/$SLUG" --max-time 120 \
+    -d "{\"confirm\":\"$SLUG\"}" >/dev/null 2>&1
+  for j in $(seq 1 24); do
+    LIST=$(admin_call GET "/cp/admin/orgs?limit=500" 2>/dev/null)
+    LEAK=$(echo "$LIST" | python3 -c "
+import sys, json
+try: d = json.load(sys.stdin)
+except Exception: print(1); sys.exit(0)
+orgs = d if isinstance(d, list) else d.get('orgs', [])
+print(sum(1 for o in orgs if o.get('slug') == '$SLUG' and o.get('instance_status') not in ('purged',) and o.get('status') != 'purged'))
+" 2>/dev/null || echo 1)
+    if [ "$LEAK" = "0" ]; then
+      log "[teardown] ✓ $SLUG purged (after ${j}x5s)"
+      exit $rc
+    fi
+    sleep 5
+  done
+  echo "::warning::[teardown] $SLUG still present after 120s — sweep-stale-e2e-orgs will catch it within MAX_AGE_MINUTES" >&2
+  [ $rc -eq 0 ] && rc=4
+  exit $rc
+}
+trap teardown EXIT INT TERM
+
+# ─── 1. Provision the throwaway org ────────────────────────────────────
+log "1/6 POST /cp/admin/orgs — slug=$SLUG"
+CREATE=$(admin_call POST /cp/admin/orgs \
+  -d "{\"slug\":\"$SLUG\",\"name\":\"E2E peer-visibility $SLUG\",\"owner_user_id\":\"e2e-runner:$SLUG\"}")
+ORG_ID=$(echo "$CREATE" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null)
+[ -n "$ORG_ID" ] || fail "org creation failed: $(echo "$CREATE" | head -c 300)"
+log "    ORG_ID=$ORG_ID"
+
+# ─── 2. Wait for tenant EC2 + DNS ──────────────────────────────────────
+log "2/6 waiting for tenant instance_status=running (cold EC2 + cloudflared)..."
+DEADLINE=$(( $(date +%s) + PROVISION_TIMEOUT_SECS ))
+while true; do
+  [ "$(date +%s)" -gt "$DEADLINE" ] && fail "tenant never came up within ${PROVISION_TIMEOUT_SECS}s"
+  STATUS=$(admin_call GET "/cp/admin/orgs?limit=500" 2>/dev/null | python3 -c "
+import sys, json
+try: d = json.load(sys.stdin)
+except Exception: sys.exit(0)
+orgs = d if isinstance(d, list) else d.get('orgs', [])
+for o in orgs:
+    if o.get('slug') == '$SLUG':
+        print(o.get('instance_status') or o.get('status') or 'unknown'); break
+" 2>/dev/null)
+  case "$STATUS" in running|online|ready) break ;; esac
+  sleep 10
+done
+log "    tenant status=$STATUS"
+
+# ─── 3. Per-tenant admin token + tenant URL ────────────────────────────
+log "3/6 fetching per-tenant admin token..."
+TT_RESP=$(admin_call GET "/cp/admin/orgs/$SLUG/admin-token")
+TENANT_TOKEN=$(echo "$TT_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin).get('admin_token',''))" 2>/dev/null)
+[ -n "$TENANT_TOKEN" ] || fail "tenant token fetch failed: $(echo "$TT_RESP" | head -c 200)"
+
+CP_HOST=$(echo "$CP_URL" | sed -E 's#^https?://##; s#/.*$##')
+case "$CP_HOST" in
+  api.*)         DERIVED_DOMAIN="${CP_HOST#api.}" ;;
+  staging-api.*) DERIVED_DOMAIN="staging.${CP_HOST#staging-api.}" ;;
+  *)             DERIVED_DOMAIN="$CP_HOST" ;;
+esac
+TENANT_URL="https://${SLUG}.${DERIVED_DOMAIN}"
+log "    tenant url: $TENANT_URL"
+
+log "3b. waiting for tenant /health (TLS/DNS, up to 10min)..."
+for i in $(seq 1 120); do
+  curl -fsS "$TENANT_URL/health" -m 5 -k >/dev/null 2>&1 && { log "    /health ok (attempt $i)"; break; }
+  sleep 5
+done
+
+# ─── 4. Provision the parent + one sibling per runtime under test ──────
+# Inject the LLM provider key so each runtime can authenticate at boot.
+# Priority: MiniMax → direct-Anthropic → OpenAI (mirrors
+# test_staging_full_saas.sh's secrets-injection chain).
+SECRETS_JSON='{}'
+if [ -n "${E2E_MINIMAX_API_KEY:-}" ]; then
+  SECRETS_JSON=$(python3 -c "import json,os;k=os.environ['E2E_MINIMAX_API_KEY'];print(json.dumps({'ANTHROPIC_BASE_URL':'https://api.minimax.io/anthropic','ANTHROPIC_AUTH_TOKEN':k,'MINIMAX_API_KEY':k}))")
+elif [ -n "${E2E_ANTHROPIC_API_KEY:-}" ]; then
+  SECRETS_JSON=$(python3 -c "import json,os;k=os.environ['E2E_ANTHROPIC_API_KEY'];print(json.dumps({'ANTHROPIC_API_KEY':k}))")
+elif [ -n "${E2E_OPENAI_API_KEY:-}" ]; then
+  SECRETS_JSON=$(python3 -c "import json,os;k=os.environ['E2E_OPENAI_API_KEY'];print(json.dumps({'OPENAI_API_KEY':k,'OPENAI_BASE_URL':'https://api.openai.com/v1','MODEL_PROVIDER':'openai:gpt-4o','HERMES_INFERENCE_PROVIDER':'custom','HERMES_CUSTOM_BASE_URL':'https://api.openai.com/v1','HERMES_CUSTOM_API_KEY':k,'HERMES_CUSTOM_API_MODE':'chat_completions'}))")
+fi
+
+log "4/6 provisioning parent (claude-code) + one sibling per runtime under test..."
+P_RESP=$(tenant_call POST /workspaces \
+  -d "{\"name\":\"pv-parent\",\"runtime\":\"claude-code\",\"tier\":3,\"secrets\":$SECRETS_JSON}")
+PARENT_ID=$(echo "$P_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null)
+[ -n "$PARENT_ID" ] || fail "parent create failed: $(echo "$P_RESP" | head -c 300)"
+log "    PARENT_ID=$PARENT_ID"
+
+# WS_IDS[runtime]=id ; WS_TOKENS[runtime]=auth_token (the MCP bearer)
+declare -A WS_IDS WS_TOKENS
+ALL_WS_IDS="$PARENT_ID"
+for rt in $PV_RUNTIMES; do
+  R=$(tenant_call POST /workspaces \
+    -d "{\"name\":\"pv-$rt\",\"runtime\":\"$rt\",\"tier\":2,\"parent_id\":\"$PARENT_ID\",\"secrets\":$SECRETS_JSON}")
+  WID=$(echo "$R" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null)
+  # auth_token is top-level for container runtimes; external-like nest it
+  # under connection.auth_token (verified vs staging response shape).
+  WTOK=$(echo "$R" | python3 -c "
+import sys, json
+try: d = json.load(sys.stdin)
+except Exception: print(''); sys.exit(0)
+print(d.get('auth_token') or d.get('connection', {}).get('auth_token') or '')
+" 2>/dev/null)
+  [ -n "$WID" ] || fail "$rt workspace create failed: $(echo "$R" | head -c 300)"
+  [ -n "$WTOK" ] || fail "$rt workspace did not return an auth_token — cannot drive its MCP call (resp: $(echo "$R" | head -c 300))"
+  WS_IDS[$rt]="$WID"
+  WS_TOKENS[$rt]="$WTOK"
+  ALL_WS_IDS="$ALL_WS_IDS $WID"
+  log "    $rt → $WID"
+done
+
+# ─── 5. Wait for every sibling online ──────────────────────────────────
+log "5/6 waiting for all workspaces status=online (up to ${PROVISION_TIMEOUT_SECS}s — cold boot)..."
+WS_DEADLINE=$(( $(date +%s) + PROVISION_TIMEOUT_SECS ))
+for rt in $PV_RUNTIMES; do
+  wid="${WS_IDS[$rt]}"
+  LAST=""
+  while true; do
+    [ "$(date +%s)" -gt "$WS_DEADLINE" ] && fail "$rt ($wid) never reached online (last=$LAST)"
+    S=$(tenant_call GET "/workspaces/$wid" 2>/dev/null | python3 -c "
+import sys, json
+try: d = json.load(sys.stdin)
+except Exception: sys.exit(0)
+w = d.get('workspace') if isinstance(d.get('workspace'), dict) else d
+print(w.get('status') or '')
+" 2>/dev/null)
+    [ "$S" != "$LAST" ] && { log "    $rt → $S"; LAST="$S"; }
+    case "$S" in
+      online) break ;;
+      failed) sleep 10 ;;   # transient: bootstrap-watcher 5-min deadline, heartbeat recovers
+      *)      sleep 10 ;;
+    esac
+  done
+  ok "    $rt online"
+done
+
+# ─── 6. THE GATE — literal mcp_molecule_list_peers via POST /:id/mcp ────
+# This is the byte-for-byte user-facing call. NOT GET /registry/:id/peers,
+# NOT /health, NOT the heartbeat table. JSON-RPC 2.0 tools/call,
+# name=list_peers, authenticated by the workspace's OWN bearer token
+# through WorkspaceAuth + MCPRateLimiter.
+log "6/6 driving the LITERAL list_peers MCP call per runtime..."
+echo ""
+RPC_BODY='{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"list_peers","arguments":{}}}'
+REGRESSED=0
+declare -A VERDICT
+
+for rt in $PV_RUNTIMES; do
+  wid="${WS_IDS[$rt]}"
+  wtok="${WS_TOKENS[$rt]}"
+  # The expected peer set = every OTHER provisioned workspace (parent +
+  # the sibling runtimes), excluding the caller itself.
+  EXPECT_IDS=$(echo "$ALL_WS_IDS" | tr ' ' '\n' | grep -v "^${wid}$" | grep -v '^$')
+
+  set +e
+  RESP=$(curl -sS -X POST "$TENANT_URL/workspaces/$wid/mcp" \
+    -H "Authorization: Bearer $wtok" \
+    -H "X-Molecule-Org-Id: $ORG_ID" \
+    -H "Content-Type: application/json" \
+    -d "$RPC_BODY" \
+    -o /tmp/pv_mcp_body.json -w "%{http_code}" 2>/dev/null)
+  set -e
+  HTTP_CODE="$RESP"
+  BODY=$(cat /tmp/pv_mcp_body.json 2>/dev/null || echo '')
+
+  echo "--- $rt (ws=$wid) ---"
+  echo "    HTTP $HTTP_CODE"
+  echo "    body: $(echo "$BODY" | head -c 600)"
+
+  # (1) HTTP 200 — a 401 (WorkspaceAuth reject, the Hermes symptom) fails here.
+  if [ "$HTTP_CODE" != "200" ]; then
+    echo "  ✗ $rt: list_peers MCP call returned HTTP $HTTP_CODE (expected 200)"
+    VERDICT[$rt]="FAIL(http=$HTTP_CODE)"
+    REGRESSED=1
+    continue
+  fi
+
+  # (2) JSON-RPC result present, not an error object.
+  PARSE=$(echo "$BODY" | python3 -c "
+import sys, json
+expect = set(filter(None, '''$EXPECT_IDS'''.split()))
+try:
+    d = json.load(sys.stdin)
+except Exception as e:
+    print('PARSE_ERROR:' + str(e)); sys.exit(0)
+if isinstance(d, dict) and d.get('error') is not None:
+    print('RPC_ERROR:' + json.dumps(d['error'])[:200]); sys.exit(0)
+res = d.get('result') if isinstance(d, dict) else None
+if res is None:
+    print('NO_RESULT'); sys.exit(0)
+# MCP tools/call result shape: {content:[{type:text,text:'<json or prose>'}]}
+text = ''
+if isinstance(res, dict):
+    for c in res.get('content', []):
+        if c.get('type') == 'text':
+            text += c.get('text', '')
+text_l = text.lower()
+# Native-sessions fallback signature (the OpenClaw symptom): the agent
+# answered from its own runtime session list, not the platform peer set.
+if 'sessions_list' in text_l or 'no platform peers' in text_l or 'native session' in text_l:
+    print('NATIVE_FALLBACK:' + text[:200]); sys.exit(0)
+# The expected sibling IDs must literally appear in the returned peer text.
+found = sorted(i for i in expect if i in text)
+missing = sorted(expect - set(found))
+if not expect:
+    print('NO_EXPECTED_PEERS_CONFIGURED'); sys.exit(0)
+if missing:
+    print('MISSING_PEERS:found=%d/%d missing=%s' % (len(found), len(expect), ','.join(m[:8] for m in missing)))
+    sys.exit(0)
+print('OK:found=%d/%d' % (len(found), len(expect)))
+" 2>/dev/null)
+
+  case "$PARSE" in
+    OK:*)
+      echo "  ✓ $rt: list_peers returned 200 and contains all expected peers ($PARSE)"
+      VERDICT[$rt]="OK"
+      ;;
+    NATIVE_FALLBACK:*)
+      echo "  ✗ $rt: list_peers fell back to NATIVE sessions — sees no platform peers ($PARSE)"
+      VERDICT[$rt]="FAIL(native-fallback)"
+      REGRESSED=1
+      ;;
+    RPC_ERROR:*|NO_RESULT|PARSE_ERROR:*)
+      echo "  ✗ $rt: list_peers MCP call did not return a usable result ($PARSE)"
+      VERDICT[$rt]="FAIL(rpc=$PARSE)"
+      REGRESSED=1
+      ;;
+    MISSING_PEERS:*)
+      echo "  ✗ $rt: list_peers returned 200 but peer set is wrong/empty ($PARSE)"
+      VERDICT[$rt]="FAIL(peers=$PARSE)"
+      REGRESSED=1
+      ;;
+    *)
+      echo "  ✗ $rt: unexpected verdict '$PARSE'"
+      VERDICT[$rt]="FAIL(unknown)"
+      REGRESSED=1
+      ;;
+  esac
+  echo ""
+done
+
+echo "=== SUMMARY — fresh-provision peer-visibility (literal MCP list_peers) ==="
+for rt in $PV_RUNTIMES; do
+  printf '  %-14s %s\n' "$rt" "${VERDICT[$rt]:-NO_RUN}"
+done
+echo ""
+
+if [ "$REGRESSED" -ne 0 ]; then
+  echo "✗ GATE FAILED — at least one runtime cannot see its peers via the"
+  echo "  literal mcp_molecule_list_peers call. This is the real user-facing"
+  echo "  failure the proxy signals (registry row / heartbeat / model 200)"
+  echo "  were hiding. Expected RED until the Hermes-401 + OpenClaw-MCP-wiring"
+  echo "  root-cause fixes land; goes green only when they actually do."
+  exit 10
+fi
+
+ok "GATE PASSED — every runtime under test sees its platform peers via the literal MCP call."
+exit 0

workspace-server/cmd/t4-contract-dump/main.go

@@ -0,0 +1,35 @@
+// Command t4-contract-dump prints the T4 privilege contract as YAML.
+//
+// Usage:
+//
+//	go run ./workspace-server/cmd/t4-contract-dump > t4_capabilities.yaml
+//
+// This is the seam that template-repo CI workflows consume:
+//
+//	- Template CI fetches molecule-core at pinned ref
+//	- Runs `go run ./workspace-server/cmd/t4-contract-dump` to produce
+//	  t4_capabilities.yaml
+//	- Iterates capabilities and runs each Probe inside a freshly-built
+//	  privileged container
+//	- Aggregates structured pass/fail; fails the gate on any hard miss.
+//
+// Keeping this trivial and pure-stdlib means a fork user does not need
+// a Molecule-AI Gitea token or any internal infrastructure to consume
+// the contract — `go run` against molecule-core's public source is
+// enough.
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/Molecule-AI/molecule-monorepo/platform/internal/provisioner"
+)
+
+func main() {
+	caps := provisioner.T4PrivilegeContract()
+	if _, err := os.Stdout.WriteString(provisioner.AsYAML(caps)); err != nil {
+		fmt.Fprintln(os.Stderr, "t4-contract-dump: write failed:", err)
+		os.Exit(1)
+	}
+}

workspace-server/internal/handlers/a2a_poll_ingest_persist_test.go

@@ -0,0 +1,160 @@
+package handlers
+
+// Regression coverage for the POLL-mode arm of the canvas user-message
+// data-loss bug (internal#470 sibling — tracked on internal#471).
+//
+// Bug (reported 2026-05-16 by CTO Hongming): "in canvas i sometimes lose
+// my own message when i exit chat". The push-mode arm was fixed by
+// #1347 (persistUserMessageAtIngest — a SYNCHRONOUS, before-dispatch,
+// context.WithoutCancel INSERT). #1347's framing asserted "poll-mode
+// workspaces were never affected — logA2AReceiveQueued already persists
+// at ingest". That assertion is OVERSTATED.
+//
+// Hongming's tenant (slug `hongming`, org 2c940477-...) has 4 workspaces,
+// ALL runtime=external with empty URL → ALL delivery_mode=poll (proven
+// empirically: a benign A2A probe returns the synthetic
+// {"delivery_mode":"poll","status":"queued"} envelope for every one).
+// So his reported loss is the POLL path, NOT the push path #1347 fixes.
+//
+// Root cause (poll arm): the poll-mode short-circuit (a2a_proxy.go ~402)
+// calls logA2AReceiveQueued and then IMMEDIATELY returns the synthetic
+// 200 {status:"queued"} to the canvas. But logA2AReceiveQueued's durable
+// INSERT runs inside h.goAsync(...) — a DETACHED goroutine with NO
+// happens-before barrier against the HTTP response. The canvas sees 200
+// ("message accepted") while the activity_logs row may not yet be — and,
+// on a workspace-server restart / deploy / OOM / EC2 hibernation between
+// the 200 and the goroutine's commit, NEVER will be — durable. There is
+// also no fallback (unlike push-mode's legacy-INSERT fallback): a
+// swallowed LogActivity error loses the message with only a log line.
+// Chat-history reads activity_logs (postgres_store.go:165-187); a missing
+// row = message gone on reopen. That is exactly Hongming's symptom.
+//
+// Fix (parity with push-mode): the poll-mode ingest persist of the
+// canvas user message must be SYNCHRONOUS — committed before the queued
+// 200 is returned — on a context.WithoutCancel derived context, so a
+// client disconnect on chat-exit and a post-response restart cannot lose
+// it. Behavior is never worse than today (best-effort; a persist error
+// still returns queued).
+//
+// TEST DESIGN NOTE: sqlmock.ExpectationsWereMet() hangs indefinitely if
+// the expected query never fires. We use a select+default+time.After
+// pattern so the test FAILS fast (not hangs) when the production code
+// regresses to async (the INSERT never fires before handler returns),
+// while still returning promptly when all expectations are met. The
+// insertDelay is kept small (50ms) to minimise suite-level timing
+// impact under -race detection, where mock delays are amplified by
+// the instrumenter's goroutine overhead.
+
+import (
+	"bytes"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/DATA-DOG/go-sqlmock"
+	"github.com/gin-gonic/gin"
+)
+
+// TestProxyA2A_PollMode_PersistsUserMessageSynchronouslyBeforeQueuedResponse
+// is the defining contract: for a poll-mode workspace, the canvas user
+// message MUST be durably INSERTed into activity_logs BEFORE the synthetic
+// queued 200 is returned to the client — with NO reliance on a detached
+// async goroutine completing later.
+//
+// The test proves the ordering by making the INSERT block briefly and
+// asserting the handler does NOT return until the INSERT has completed.
+// Pre-fix (INSERT in h.goAsync, response returned immediately) the
+// handler returns ~instantly while the INSERT is still pending in the
+// goroutine → the elapsed time is far below the injected INSERT delay and
+// ExpectationsWereMet() is racy/unmet at return. Post-fix (synchronous
+// persist before the queued response) the handler return is gated on the
+// INSERT, so elapsed >= the injected delay and the expectation is met
+// deterministically at return WITHOUT any waitAsyncForTest()/sleep.
+func TestProxyA2A_PollMode_PersistsUserMessageSynchronouslyBeforeQueuedResponse(t *testing.T) {
+	mock := setupTestDB(t)
+	setupTestRedis(t)
+	broadcaster := newTestBroadcaster()
+	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+
+	const wsID = "ws-poll-sync-persist"
+	// Keep delay small: -race detection amplifies mock delays significantly.
+	// A 50ms delay is sufficient to prove synchronous blocking (~50× the
+	// normal INSERT latency) without bloating the full ./... suite runtime.
+	const insertDelay = 50 * time.Millisecond
+
+	expectBudgetCheck(mock, wsID)
+
+	// lookupDeliveryMode → poll, triggering the short-circuit.
+	mock.ExpectQuery("SELECT delivery_mode FROM workspaces WHERE id").
+		WithArgs(wsID).
+		WillReturnRows(sqlmock.NewRows([]string{"delivery_mode"}).AddRow("poll"))
+
+	// workspace-name lookup inside logA2AReceiveQueued.
+	mock.ExpectQuery(`SELECT name FROM workspaces WHERE id`).
+		WithArgs(wsID).
+		WillReturnRows(sqlmock.NewRows([]string{"name"}).AddRow("Poll WS"))
+
+	// The durable user-message write. We delay it so a synchronous
+	// persist visibly gates the handler return; a detached-goroutine
+	// persist (pre-fix) does not. The fix must keep using
+	// context.WithoutCancel so this write survives a chat-exit cancel.
+	mock.ExpectExec("INSERT INTO activity_logs").
+		WillDelayFor(insertDelay).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: wsID}}
+
+	// callerID == "" (no X-Workspace-ID) → this is a canvas_user message,
+	// exactly Hongming's case.
+	body := `{"jsonrpc":"2.0","id":"poll-canvas-1","method":"message/send","params":{"message":{"role":"user","parts":[{"text":"my own message"}]}}}`
+	c.Request = httptest.NewRequest("POST", "/workspaces/"+wsID+"/a2a", bytes.NewBufferString(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	start := time.Now()
+	handler.ProxyA2A(c)
+	elapsed := time.Since(start)
+
+	// Defining assertion #1: the handler must not have returned the
+	// queued response before the durable INSERT committed. Pre-fix this
+	// fails (elapsed ≈ 0, INSERT still racing in goAsync).
+	if elapsed < insertDelay {
+		t.Fatalf("poll-mode queued response returned in %v, before the %v user-message INSERT — "+
+			"the message is not durable when the client/process goes away (DATA LOSS). "+
+			"Persist must be synchronous before the queued 200.", elapsed, insertDelay)
+	}
+
+	// Defining assertion #2: the durable write actually happened by the
+	// time the handler returned. ExpectionsWereMet() hangs indefinitely if
+	// the mock never fires (e.g. production code regressed to async),
+	// so we check it in a goroutine with a hard 2s timeout — fails fast
+	// (no CI hang) on regression while returning promptly on success.
+	expectDone := make(chan error, 1)
+	go func() { expectDone <- mock.ExpectationsWereMet() }()
+	select {
+	case err := <-expectDone:
+		if err != nil {
+			t.Fatalf("user-message INSERT was not durable at handler return (unmet sqlmock expectations): %v", err)
+		}
+	case <-time.After(2 * time.Second):
+		t.Fatalf("ExpectationsWereMet() hung for >2s — INSERT mock never fired. " +
+			"Likely cause: production code regressed logA2AReceiveQueued to goAsync " +
+			"(INSERT fires after handler returns, not before).")
+	}
+
+	// Sanity: still the correct poll-mode envelope + status.
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200 (queued), got %d: %s", w.Code, w.Body.String())
+	}
+	var resp map[string]interface{}
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("response is not valid JSON: %v", err)
+	}
+	if resp["status"] != "queued" || resp["delivery_mode"] != "poll" {
+		t.Errorf("poll envelope changed: got status=%v delivery_mode=%v, want queued/poll",
+			resp["status"], resp["delivery_mode"])
+	}
+}

workspace-server/internal/handlers/a2a_proxy.go

@@ -97,28 +97,28 @@ const maxProxyResponseBody = 10 << 20
 //
 // Timeout model — three independent budgets, none of which gets in each other's way:
 //
-//   1. Client.Timeout — DELIBERATELY UNSET. Client.Timeout is a hard wall on
-//      the entire request including streamed body reads, and would pre-empt
-//      legitimate slow cold-start flows (Claude Code first-token over OAuth
-//      can take 30-60s on boot; long-running agent synthesis can stream
-//      tokens for minutes). Total-request budget is enforced per-request
-//      via context deadline (canvas = idle-only, agent-to-agent = 30 min ceiling).
+//  1. Client.Timeout — DELIBERATELY UNSET. Client.Timeout is a hard wall on
+//     the entire request including streamed body reads, and would pre-empt
+//     legitimate slow cold-start flows (Claude Code first-token over OAuth
+//     can take 30-60s on boot; long-running agent synthesis can stream
+//     tokens for minutes). Total-request budget is enforced per-request
+//     via context deadline (canvas = idle-only, agent-to-agent = 30 min ceiling).
 //
-//   2. Transport.DialContext — 10s connect timeout. When a workspace's EC2
-//      black-holes TCP connects (instance terminated mid-flight, security group
-//      flipped, NACL bug), the OS default is 75s on Linux / 21s on macOS — long
-//      enough that Cloudflare's ~100s edge timeout can fire first and surface
-//      a generic 502 page to canvas. 10s is well above realistic intra-region
-//      latencies and well below CF's edge timeout.
+//  2. Transport.DialContext — 10s connect timeout. When a workspace's EC2
+//     black-holes TCP connects (instance terminated mid-flight, security group
+//     flipped, NACL bug), the OS default is 75s on Linux / 21s on macOS — long
+//     enough that Cloudflare's ~100s edge timeout can fire first and surface
+//     a generic 502 page to canvas. 10s is well above realistic intra-region
+//     latencies and well below CF's edge timeout.
 //
-//   3. Transport.ResponseHeaderTimeout — 180s default. From request-body-end
-//      to response-headers-start. Configurable via
-//      A2A_PROXY_RESPONSE_HEADER_TIMEOUT (envx.Duration). Covers cold-start
-//      first-byte (30-60s OAuth flow above) with enough room for Opus agent
-//      turns (big context + internal delegate_task round-trips routinely exceed
-//      the old 60s ceiling). Body streaming after headers is governed by the
-//      per-request context deadline, NOT this timeout — so multi-minute agent
-//      responses still work fine.
+//  3. Transport.ResponseHeaderTimeout — 180s default. From request-body-end
+//     to response-headers-start. Configurable via
+//     A2A_PROXY_RESPONSE_HEADER_TIMEOUT (envx.Duration). Covers cold-start
+//     first-byte (30-60s OAuth flow above) with enough room for Opus agent
+//     turns (big context + internal delegate_task round-trips routinely exceed
+//     the old 60s ceiling). Body streaming after headers is governed by the
+//     per-request context deadline, NOT this timeout — so multi-minute agent
+//     responses still work fine.
 //
 // The point of (2) and (3) is to surface a *structured* 503 from
 // handleA2ADispatchError when the workspace agent is unreachable, so canvas

workspace-server/internal/handlers/a2a_proxy_helpers.go

@@ -538,26 +538,49 @@ func lookupDeliveryMode(ctx context.Context, workspaceID string) (string, error)
 // reads in PR 3 — that's how a poll-mode workspace receives inbound A2A
 // without a public URL.
 func (h *WorkspaceHandler) logA2AReceiveQueued(ctx context.Context, workspaceID, callerID string, body []byte, a2aMethod string) {
+	// DATA-LOSS FIX (internal#471 — poll-mode sibling of #1347/internal#470):
+	// this is the ONLY durable write of a poll-mode inbound message,
+	// including a canvas_user message (callerID == "") typed in the canvas
+	// chat. It MUST be SYNCHRONOUS and complete BEFORE the caller returns
+	// the synthetic {status:"queued"} 200 — otherwise the canvas sees the
+	// send acknowledged while the activity_logs row is still racing in a
+	// detached goroutine, and a workspace-server restart / deploy / OOM /
+	// EC2 hibernation between the 200 and the goroutine's commit loses the
+	// user's message permanently (chat-history reads activity_logs, so a
+	// missing row = message gone on reopen). Hongming's tenant is entirely
+	// poll-mode (4 external workspaces, no URL — verified empirically), so
+	// his reported loss is THIS path; #1347 (push-mode, persists AFTER the
+	// poll short-circuit) structurally cannot cover it.
+	//
+	// Mirrors persistUserMessageAtIngest's discipline:
+	//   - context.WithoutCancel: a client disconnect on chat-exit (which
+	//     cancels the inbound request ctx) MUST NOT abort this write.
+	//   - SYNCHRONOUS (no goAsync): the row must be durable before the
+	//     queued 200 is returned to the caller.
+	//   - Best-effort: LogActivity already logs+swallows INSERT errors, so
+	//     a hiccup never blocks or fails the user's send (behavior for
+	//     that one request is never worse than the pre-fix async path).
+	// The post-commit broadcast still fires inside LogActivity; a missed
+	// WebSocket event is not data loss (the durable row is the truth the
+	// canvas re-reads on reopen).
+	insCtx, cancel := context.WithTimeout(context.WithoutCancel(ctx), 30*time.Second)
+	defer cancel()
+
 	var wsName string
-	db.DB.QueryRowContext(ctx, `SELECT name FROM workspaces WHERE id = $1`, workspaceID).Scan(&wsName)
+	db.DB.QueryRowContext(insCtx, `SELECT name FROM workspaces WHERE id = $1`, workspaceID).Scan(&wsName)
 	if wsName == "" {
 		wsName = workspaceID
 	}
 	summary := a2aMethod + " → " + wsName + " (queued for poll)"
-	parent := ctx
-	h.goAsync(func() {
-		logCtx, cancel := context.WithTimeout(context.WithoutCancel(parent), 30*time.Second)
-		defer cancel()
-		LogActivity(logCtx, h.broadcaster, ActivityParams{
-			WorkspaceID:  workspaceID,
-			ActivityType: "a2a_receive",
-			SourceID:     nilIfEmpty(callerID),
-			TargetID:     &workspaceID,
-			Method:       &a2aMethod,
-			Summary:      &summary,
-			RequestBody:  json.RawMessage(body),
-			Status:       "ok",
-		})
+	LogActivity(insCtx, h.broadcaster, ActivityParams{
+		WorkspaceID:  workspaceID,
+		ActivityType: "a2a_receive",
+		SourceID:     nilIfEmpty(callerID),
+		TargetID:     &workspaceID,
+		Method:       &a2aMethod,
+		Summary:      &summary,
+		RequestBody:  json.RawMessage(body),
+		Status:       "ok",
 	})
 }
 

workspace-server/internal/handlers/a2a_proxy_preflight_test.go

@@ -54,6 +54,7 @@ func TestPreflight_ContainerRunning_ReturnsNil(t *testing.T) {
 	_ = setupTestDB(t)
 	stub := &preflightLocalProv{running: true, err: nil}
 	h := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, h)
 	h.provisioner = stub
 
 	if err := h.preflightContainerHealth(context.Background(), "ws-running-123"); err != nil {
@@ -186,8 +187,8 @@ func TestProxyA2A_Preflight_RoutesThroughProvisionerSSOT(t *testing.T) {
 	}
 
 	var (
-		callsIsRunning             bool
-		callsContainerInspectRaw   bool
+		callsIsRunning                  bool
+		callsContainerInspectRaw        bool
 		callsRunningContainerNameDirect bool
 	)
 	ast.Inspect(fn.Body, func(n ast.Node) bool {

workspace-server/internal/handlers/a2a_proxy_test.go

@@ -262,6 +262,7 @@ func TestProxyA2A_Upstream502_TriggersContainerDeadCheck(t *testing.T) {
 	allowLoopbackForTest(t)
 	broadcaster := newTestBroadcaster()
 	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, handler)
 	cp := &fakeCPProv{running: false}
 	handler.SetCPProvisioner(cp)
 
@@ -324,6 +325,7 @@ func TestProxyA2A_Upstream502_AliveAgent_PropagatesAsIs(t *testing.T) {
 	allowLoopbackForTest(t)
 	broadcaster := newTestBroadcaster()
 	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, handler)
 	cp := &fakeCPProv{running: true}
 	handler.SetCPProvisioner(cp)
 
@@ -513,6 +515,7 @@ func TestProxyA2A_AllowedSelf_SkipsAccessCheck(t *testing.T) {
 	allowLoopbackForTest(t)
 	broadcaster := newTestBroadcaster()
 	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, handler)
 
 	agentServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
@@ -661,18 +664,18 @@ func TestProxyA2A_CallerIDDerivedFromBearer(t *testing.T) {
 	//    (column order: workspace_id, activity_type, source_id, target_id, ...)
 	mock.ExpectExec("INSERT INTO activity_logs").
 		WithArgs(
-			"ws-target",                       // $1 workspace_id
-			"a2a_receive",                     // $2 activity_type
-			sqlmock.AnyArg(),                  // $3 source_id — *string("ws-caller"), checked below
-			sqlmock.AnyArg(),                  // $4 target_id
-			sqlmock.AnyArg(),                  // $5 method
-			sqlmock.AnyArg(),                  // $6 summary
-			sqlmock.AnyArg(),                  // $7 request_body
-			sqlmock.AnyArg(),                  // $8 response_body
-			sqlmock.AnyArg(),                  // $9 tool_trace
-			sqlmock.AnyArg(),                  // $10 duration_ms
-			sqlmock.AnyArg(),                  // $11 status
-			sqlmock.AnyArg(),                  // $12 error_detail
+			"ws-target",      // $1 workspace_id
+			"a2a_receive",    // $2 activity_type
+			sqlmock.AnyArg(), // $3 source_id — *string("ws-caller"), checked below
+			sqlmock.AnyArg(), // $4 target_id
+			sqlmock.AnyArg(), // $5 method
+			sqlmock.AnyArg(), // $6 summary
+			sqlmock.AnyArg(), // $7 request_body
+			sqlmock.AnyArg(), // $8 response_body
+			sqlmock.AnyArg(), // $9 tool_trace
+			sqlmock.AnyArg(), // $10 duration_ms
+			sqlmock.AnyArg(), // $11 status
+			sqlmock.AnyArg(), // $12 error_detail
 		).
 		WillReturnResult(sqlmock.NewResult(0, 1))
 
@@ -1716,7 +1719,6 @@ func TestDispatchA2A_RejectsUnsafeURL(t *testing.T) {
 	}
 }
 
-
 // --- handleA2ADispatchError ---
 
 func TestHandleA2ADispatchError_ContextDeadline(t *testing.T) {
@@ -1803,6 +1805,7 @@ func TestMaybeMarkContainerDead_CPOnly_NotRunning(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)
 	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, handler)
 	cp := &fakeCPProv{running: false}
 	handler.SetCPProvisioner(cp)
 
@@ -1955,6 +1958,7 @@ func TestLogA2AFailure_Smoke(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)
 	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, handler)
 
 	// Sync workspace-name lookup (called in the caller goroutine).
 	mock.ExpectQuery(`SELECT name FROM workspaces WHERE id =`).
@@ -1973,6 +1977,7 @@ func TestLogA2AFailure_EmptyNameFallback(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)
 	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, handler)
 
 	// Empty name from DB → summary uses the workspaceID as the name.
 	mock.ExpectQuery(`SELECT name FROM workspaces WHERE id =`).
@@ -1989,6 +1994,7 @@ func TestLogA2ASuccess_Smoke(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)
 	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, handler)
 
 	mock.ExpectQuery(`SELECT name FROM workspaces WHERE id =`).
 		WithArgs("ws-ok").
@@ -2005,6 +2011,7 @@ func TestLogA2ASuccess_ErrorStatus(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)
 	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, handler)
 
 	mock.ExpectQuery(`SELECT name FROM workspaces WHERE id =`).
 		WithArgs("ws-err").

workspace-server/internal/handlers/a2a_queue_test.go

@@ -26,6 +26,10 @@ import (
 // setupTestDBForQueueTests creates a sqlmock DB using QueryMatcherEqual (exact
 // string matching) so that ExpectQuery/ExpectExec patterns are compared verbatim.
 // Uses the same global db.DB as setupTestDB so the handler can use it.
+//
+// IMPORTANT: db.DB is saved before assignment and restored via t.Cleanup so
+// that tests running after this one are not polluted by a closed mock.
+// Same fix as setupTestDB (handlers_test.go); same root cause as mc#975.
 func setupTestDBForQueueTests(t *testing.T) sqlmock.Sqlmock {
 	t.Helper()
 	mockDB, mock, err := sqlmock.New(sqlmock.QueryMatcherOption(sqlmock.QueryMatcherEqual))

workspace-server/internal/handlers/admin_workspace_images.go

@@ -44,8 +44,8 @@ func NewWorkspaceImageService(docker *dockerclient.Client) *WorkspaceImageServic
 // AllRuntimes is the canonical list mirroring docs/workspace-runtime-package.md.
 // Update both when a new template is added.
 var AllRuntimes = []string{
-	"claude-code", "langgraph", "crewai", "autogen",
-	"deepagents", "hermes", "gemini-cli", "openclaw",
+	"claude-code", "langgraph", "autogen",
+	"hermes", "openclaw",
 }
 
 // RefreshResult is the per-call outcome surfaced to HTTP callers AND logged

workspace-server/internal/handlers/agent_git_identity.go

@@ -17,6 +17,17 @@ var gitIdentitySlugPattern = regexp.MustCompile(`[^a-z0-9]+`)
 // docs/authorship.md (when it exists).
 const gitIdentityEmailDomain = "agents.moleculesai.app"
 
+// gitAskpassHelperPath is the in-container path of the askpass helper
+// installed by every workspace runtime image (workspace/Dockerfile in
+// molecule-core; scripts/git-askpass.sh → /usr/local/bin/molecule-askpass
+// in each external template-* repo). The helper reads GIT_HTTP_USERNAME
+// / GIT_HTTP_PASSWORD (falling back to GITEA_USER / GITEA_TOKEN) from
+// env and emits them on the git credential-prompt protocol. Setting
+// GIT_ASKPASS to this path is what wires container-side HTTPS git auth
+// to the persona credentials already arriving via workspace_secrets,
+// with no on-disk .gitconfig / .git-credentials mutation required.
+const gitAskpassHelperPath = "/usr/local/bin/molecule-askpass"
+
 // applyAgentGitIdentity sets GIT_AUTHOR_* / GIT_COMMITTER_* env vars so
 // every commit from this workspace container carries a distinct author
 // in `git log` and `git blame`. Git reads these env vars before falling
@@ -50,6 +61,34 @@ func applyAgentGitIdentity(envVars map[string]string, workspaceName string) {
 	setIfEmpty(envVars, "GIT_AUTHOR_EMAIL", authorEmail)
 	setIfEmpty(envVars, "GIT_COMMITTER_NAME", authorName)
 	setIfEmpty(envVars, "GIT_COMMITTER_EMAIL", authorEmail)
+
+	applyGitAskpass(envVars)
+}
+
+// applyGitAskpass points git at the in-image askpass helper so that any
+// HTTPS git operation against a remote without a pre-configured
+// credential.helper picks up the persona credentials already present in
+// the container env (GIT_HTTP_USERNAME / GIT_HTTP_PASSWORD, or
+// GITEA_USER / GITEA_TOKEN as fallback — the latter pair is what
+// loadPersonaEnvFile delivers from the operator-host bootstrap kit).
+//
+// Idempotent: if GIT_ASKPASS is already set (e.g. by an operator-
+// supplied workspace_secret or an env-mutator plugin), the existing
+// value wins. This lets a workspace opt out by setting GIT_ASKPASS=""
+// or pointing at a different helper.
+//
+// No vendor-specific behaviour lives in this function — the host the
+// credentials apply to is determined entirely by the deployer choosing
+// when to populate GIT_HTTP_USERNAME / GIT_HTTP_PASSWORD (or
+// GITEA_USER / GITEA_TOKEN). The helper script itself is generic and
+// has no hardcoded hostnames, so it's safe to ship inside the
+// open-source workspace template images alongside the platform-managed
+// claude-code image.
+func applyGitAskpass(envVars map[string]string) {
+	if envVars == nil {
+		return
+	}
+	setIfEmpty(envVars, "GIT_ASKPASS", gitAskpassHelperPath)
 }
 
 // slugifyForEmail collapses a workspace name to a safe email localpart:

workspace-server/internal/handlers/agent_git_identity_test.go

@@ -75,6 +75,53 @@ func TestApplyAgentGitIdentity_NilMapIsSafe(t *testing.T) {
 	applyAgentGitIdentity(nil, "PM")
 }
 
+func TestApplyAgentGitIdentity_SetsGitAskpass(t *testing.T) {
+	// GIT_ASKPASS is what wires container-side HTTPS git auth to the
+	// persona credentials (GITEA_USER/GITEA_TOKEN, etc.) that
+	// loadPersonaEnvFile delivers via workspace_secrets. Without this,
+	// `git push` inside the container would fall through to interactive
+	// prompts (impossible) or a missing credential.helper (401).
+	env := map[string]string{}
+	applyAgentGitIdentity(env, "Frontend Engineer")
+	if env["GIT_ASKPASS"] != "/usr/local/bin/molecule-askpass" {
+		t.Errorf("GIT_ASKPASS: got %q, want %q",
+			env["GIT_ASKPASS"], "/usr/local/bin/molecule-askpass")
+	}
+}
+
+func TestApplyAgentGitIdentity_RespectsAskpassOverride(t *testing.T) {
+	// A workspace_secret or env-mutator plugin must be able to point at
+	// a custom askpass helper without us clobbering it. Symmetric with
+	// the GIT_AUTHOR_NAME override test above.
+	env := map[string]string{
+		"GIT_ASKPASS": "/opt/custom/askpass",
+	}
+	applyAgentGitIdentity(env, "Backend Engineer")
+	if env["GIT_ASKPASS"] != "/opt/custom/askpass" {
+		t.Errorf("GIT_ASKPASS should not be overwritten, got %q", env["GIT_ASKPASS"])
+	}
+}
+
+func TestApplyAgentGitIdentity_AskpassSkippedOnEmptyName(t *testing.T) {
+	// The empty-name early-return covers GIT_ASKPASS too — a provisioning
+	// glitch that dropped the workspace name shouldn't half-configure the
+	// container (identity vars empty but askpass wired). All-or-nothing.
+	env := map[string]string{}
+	applyAgentGitIdentity(env, "")
+	if _, ok := env["GIT_ASKPASS"]; ok {
+		t.Errorf("empty name should not set GIT_ASKPASS, got %q", env["GIT_ASKPASS"])
+	}
+}
+
+func TestApplyGitAskpass_NilMapIsSafe(t *testing.T) {
+	defer func() {
+		if r := recover(); r != nil {
+			t.Errorf("applyGitAskpass panicked on nil map: %v", r)
+		}
+	}()
+	applyGitAskpass(nil)
+}
+
 func TestSlugifyForEmail(t *testing.T) {
 	cases := []struct {
 		in, want string

workspace-server/internal/handlers/delegation.go

@@ -2,6 +2,7 @@ package handlers
 
 import (
 	"context"
+	"database/sql"
 	"encoding/json"
 	"log"
 	"net/http"
@@ -722,7 +723,8 @@ func (h *DelegationHandler) listDelegationsFromLedger(ctx context.Context, works
 
 	var result []map[string]interface{}
 	for rows.Next() {
-		var delegationID, callerID, calleeID, taskPreview, status, resultPreview, errorDetail string
+		var delegationID, callerID, calleeID, taskPreview, status string
+		var resultPreview, errorDetail sql.NullString
 		var lastHeartbeat, deadline, createdAt, updatedAt *time.Time
 		if err := rows.Scan(
 			&delegationID, &callerID, &calleeID, &taskPreview,
@@ -741,11 +743,11 @@ func (h *DelegationHandler) listDelegationsFromLedger(ctx context.Context, works
 			"updated_at":    updatedAt,
 			"_ledger":       true, // marker so callers know this row is from the ledger
 		}
-		if resultPreview != "" {
-			entry["response_preview"] = textutil.TruncateBytes(resultPreview, 300)
+		if resultPreview.Valid && resultPreview.String != "" {
+			entry["response_preview"] = textutil.TruncateBytes(resultPreview.String, 300)
 		}
-		if errorDetail != "" {
-			entry["error"] = errorDetail
+		if errorDetail.Valid && errorDetail.String != "" {
+			entry["error"] = errorDetail.String
 		}
 		if lastHeartbeat != nil {
 			entry["last_heartbeat"] = lastHeartbeat

workspace-server/internal/handlers/delegation_list_test.go

@@ -145,6 +145,54 @@ func TestListDelegationsFromLedger_MultipleRows(t *testing.T) {
 	}
 }
 
+func TestListDelegationsFromLedger_NullsOmitted(t *testing.T) {
+	// last_heartbeat, deadline, result_preview, error_detail are all NULL.
+	// Handler must not panic and must omit those keys from the map.
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { mockDB.Close(); db.DB = prevDB })
+
+	now := time.Now()
+	rows := sqlmock.NewRows([]string{
+		"delegation_id", "caller_id", "callee_id", "task_preview",
+		"status", "result_preview", "error_detail",
+		"last_heartbeat", "deadline", "created_at", "updated_at",
+	}).
+		AddRow("del-1", "ws-1", "ws-2", "task", "queued", nil, nil, nil, nil, now, now)
+	mock.ExpectQuery("SELECT .+ FROM delegations").
+		WithArgs("ws-1").
+		WillReturnRows(rows)
+
+	broadcaster := newTestBroadcaster()
+	wh := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+	dh := NewDelegationHandler(wh, broadcaster)
+
+	got := dh.listDelegationsFromLedger(context.Background(), "ws-1")
+	if len(got) != 1 {
+		t.Fatalf("expected 1 entry, got %d", len(got))
+	}
+	e := got[0]
+	if _, ok := e["last_heartbeat"]; ok {
+		t.Error("last_heartbeat should be absent when NULL")
+	}
+	if _, ok := e["deadline"]; ok {
+		t.Error("deadline should be absent when NULL")
+	}
+	if _, ok := e["response_preview"]; ok {
+		t.Error("response_preview should be absent when NULL result_preview")
+	}
+	if _, ok := e["error"]; ok {
+		t.Error("error should be absent when NULL error_detail")
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("sqlmock expectations: %v", err)
+	}
+}
+
 func TestListDelegationsFromLedger_QueryError(t *testing.T) {
 	// Query failure returns nil — graceful fallback, no panic.
 	mockDB, mock, err := sqlmock.New()

workspace-server/internal/handlers/external_connection.go

@@ -24,17 +24,30 @@ import (
 
 // BuildExternalConnectionPayload assembles the gin.H payload that the
 // canvas's ExternalConnectModal consumes. Pure data — caller owns DB
-// reads (workspace_id) and token minting (auth_token).
+// reads (workspace_id, workspace_name) and token minting (auth_token).
 //
 // authToken may be empty for the read-only "show instructions again"
 // path; the modal masks the field in that case rather than displaying
 // an empty string.
-func BuildExternalConnectionPayload(platformURL, workspaceID, authToken string) gin.H {
+//
+// workspaceName feeds the per-workspace MCP server-name in the snippets
+// that wire molecule-mcp into an external Claude Code (or other
+// MCP-stdio) client. Without a unique server name a second
+// `claude mcp add molecule` call REPLACES the first entry, collapsing
+// multi-workspace use into a single per-session slot — see
+// mcpServerNameForWorkspace below. May be empty (re-show / rotate paths
+// that don't plumb the name); the helper falls back to the workspace
+// ID's short prefix so the snippet is always unique.
+func BuildExternalConnectionPayload(platformURL, workspaceID, workspaceName, authToken string) gin.H {
 	pURL := strings.TrimSuffix(platformURL, "/")
+	mcpName := mcpServerNameForWorkspace(workspaceID, workspaceName)
 	stamp := func(tmpl string) string {
 		return strings.ReplaceAll(
-			strings.ReplaceAll(tmpl, "{{PLATFORM_URL}}", pURL),
-			"{{WORKSPACE_ID}}", workspaceID,
+			strings.ReplaceAll(
+				strings.ReplaceAll(tmpl, "{{PLATFORM_URL}}", pURL),
+				"{{WORKSPACE_ID}}", workspaceID,
+			),
+			"{{MCP_SERVER_NAME}}", mcpName,
 		)
 	}
 	return gin.H{
@@ -77,6 +90,81 @@ func externalPlatformURL(c *gin.Context) string {
 	return scheme + "://" + host
 }
 
+// mcpServerNameForWorkspace derives the unique MCP server name used in
+// the Universal MCP snippet's `claude mcp add <name> -- ...` line.
+//
+// Why per-workspace, not a fixed "molecule": `claude mcp add` keys
+// entries by name in ~/.claude.json, so re-running with the same name
+// silently REPLACES the previous entry. A single external Claude Code
+// session that connects to N molecule workspaces must therefore use N
+// distinct server names — otherwise the second install collapses the
+// first, and the user experiences "MCP is per-session". MCP itself
+// supports many servers per session; the install-snippet name was the
+// only thing standing in the way.
+//
+// Pattern: "molecule-<slug>" where slug comes from the workspace name
+// (lowercased, non-alphanumeric → hyphen, collapsed, trimmed, <=24
+// chars). Falls back to the workspace ID's first 8 chars when the name
+// is empty or slugifies to nothing — both produce a deterministic,
+// Claude-Code-name-safe (alphanumeric + hyphens, no spaces / dots /
+// slashes) identifier that disambiguates per-workspace.
+//
+// Two workspaces with identical names still produce identical slugs by
+// design — the user picked them to look the same. The
+// `claude mcp add` step will overwrite the older one in that case;
+// the workaround is to rename one, then re-run. Documented in the
+// snippet header so users aren't surprised.
+func mcpServerNameForWorkspace(workspaceID, workspaceName string) string {
+	const fallbackIDPrefixLen = 8
+	const maxSlugLen = 24
+	slug := slugifyForMcpName(workspaceName, maxSlugLen)
+	if slug == "" {
+		id := strings.ReplaceAll(workspaceID, "-", "")
+		if len(id) > fallbackIDPrefixLen {
+			id = id[:fallbackIDPrefixLen]
+		}
+		slug = id
+	}
+	if slug == "" {
+		// Defensive: empty workspaceID at this layer means the caller
+		// is misusing the API; we still return a usable (non-colliding
+		// in the common case) constant rather than producing "molecule-"
+		// which Claude Code would reject.
+		return "molecule"
+	}
+	return "molecule-" + slug
+}
+
+// slugifyForMcpName lowercases, replaces non-[a-z0-9] runs with a single
+// '-', trims leading/trailing '-', and truncates to maxLen. Returns ""
+// if nothing usable remains. Pure helper; no allocations beyond the
+// builder.
+func slugifyForMcpName(s string, maxLen int) string {
+	var b strings.Builder
+	b.Grow(len(s))
+	lastHyphen := true // suppress leading hyphens
+	for _, r := range s {
+		switch {
+		case r >= 'A' && r <= 'Z':
+			b.WriteRune(r + ('a' - 'A'))
+			lastHyphen = false
+		case (r >= 'a' && r <= 'z') || (r >= '0' && r <= '9'):
+			b.WriteRune(r)
+			lastHyphen = false
+		default:
+			if !lastHyphen {
+				b.WriteByte('-')
+				lastHyphen = true
+			}
+		}
+	}
+	out := strings.TrimRight(b.String(), "-")
+	if len(out) > maxLen {
+		out = strings.TrimRight(out[:maxLen], "-")
+	}
+	return out
+}
+
 // externalCurlTemplate — zero-dependency register snippet. Placeholders:
 //   - {{PLATFORM_URL}}, {{WORKSPACE_ID}}   — filled server-side
 //   - $WORKSPACE_AUTH_TOKEN                — env var, operator sets
@@ -216,6 +304,14 @@ const externalUniversalMcpTemplate = `# Universal MCP — standalone register +
 # for any MCP-aware runtime (Claude Code, hermes, codex, etc.).
 # Pair with the Claude Code or Python SDK tab if your runtime needs
 # inbound A2A delivery (canvas messages → agent conversation turns).
+#
+# Multi-workspace: MCP supports many servers per Claude Code session.
+# This snippet uses a workspace-specific server name ({{MCP_SERVER_NAME}})
+# so installing for a second workspace ADDS another entry instead of
+# overwriting the first — run the snippet from each workspace's modal
+# in turn and ` + "`claude mcp list`" + ` will show all of them. If two
+# workspaces have the same name, slugs collide and the second install
+# overwrites the first; rename one workspace to disambiguate.
 
 # Requires Python >= 3.11. On 3.10 or older pip says
 # "Could not find a version that satisfies the requirement
@@ -224,11 +320,14 @@ const externalUniversalMcpTemplate = `# Universal MCP — standalone register +
 # Upgrade the interpreter (brew install python@3.12 / apt install
 # python3.12 / etc.) or use a 3.11+ venv.
 
-# 1. Install the workspace runtime wheel:
+# 1. Install the workspace runtime wheel (once per machine — safe to
+#    re-run; subsequent workspaces share the same wheel):
 pip install molecule-ai-workspace-runtime
 
 # 2. Wire molecule-mcp into your agent's MCP config. Claude Code:
-claude mcp add molecule -s user -- env \
+#    NOTE the server name is workspace-specific ("{{MCP_SERVER_NAME}}") so
+#    multiple molecule workspaces co-exist in one Claude Code session.
+claude mcp add {{MCP_SERVER_NAME}} -s user -- env \
   WORKSPACE_ID={{WORKSPACE_ID}} \
   PLATFORM_URL={{PLATFORM_URL}} \
   MOLECULE_WORKSPACE_TOKEN="<paste from create response>" \
@@ -249,8 +348,11 @@ claude mcp add molecule -s user -- env \
 #   Documentation: https://doc.moleculesai.app/docs/guides/mcp-server-setup
 #   Common errors:
 #     • "Tools not appearing in your agent" — run ` + "`claude mcp list`" + ` (or
-#       your runtime's equivalent) and confirm the molecule entry. If
-#       missing, re-run the ` + "`claude mcp add`" + ` line above.
+#       your runtime's equivalent) and confirm the {{MCP_SERVER_NAME}} entry.
+#       If missing, re-run the ` + "`claude mcp add`" + ` line above.
+#     • "Connecting a second workspace overwrote the first" — re-check that
+#       the server name in the line above is {{MCP_SERVER_NAME}} (not a bare
+#       "molecule"); each workspace's modal generates a distinct name.
 #     • "ConnectionRefused / DNS error on first call" — PLATFORM_URL must
 #       include the scheme (https://) and have NO trailing slash. Verify
 #       with: curl ${PLATFORM_URL}/healthz
@@ -331,6 +433,13 @@ const externalHermesChannelTemplate = `# Hermes channel — bridges this workspa
 # hermes-agent session. No tunnel/public URL needed (long-poll based,
 # same shape as the Claude Code channel).
 #
+# Multi-workspace: each workspace's plugin_platforms entry is keyed by a
+# workspace-specific slug ("{{MCP_SERVER_NAME}}") so two molecule
+# workspaces can coexist in one hermes config — YAML rejects duplicate
+# mapping keys, so re-using the same "molecule:" key for a second
+# workspace would silently overwrite the first. Re-running this snippet
+# for another workspace ADDS a sibling entry instead.
+#
 # Prereq: a hermes-agent install on the target machine. Latest builds
 # (post #17751) ship the platform-plugin API natively; older ones are
 # also supported via the plugin's dual-mode fallback.
@@ -345,13 +454,17 @@ export MOLECULE_PLATFORM_URL={{PLATFORM_URL}}
 export MOLECULE_WORKSPACE_TOKEN="<paste from create response>"
 
 # 3. Edit ~/.hermes/config.yaml — under your existing top-level
-#    gateway: block, add a plugin_platforms entry:
+#    gateway: block, add a plugin_platforms entry. The platform key
+#    ({{MCP_SERVER_NAME}}) is workspace-specific so multiple molecule
+#    workspaces coexist; re-using the same key for a second workspace
+#    would silently overwrite the first (YAML duplicate-key collapse):
 #
 #      gateway:
 #        # ...your existing gateway settings...
 #        plugin_platforms:
-#          molecule:
+#          {{MCP_SERVER_NAME}}:
 #            enabled: true
+#            workspace_id: {{WORKSPACE_ID}}
 #
 #    If you don't yet have a gateway: block, create one with just
 #    that plugin_platforms entry. Don't append blindly — YAML
@@ -404,6 +517,14 @@ hermes gateway --replace
 const externalCodexTemplate = `# Codex external setup — outbound tools (MCP) + inbound push (bridge).
 # For operators whose external agent is a codex CLI (@openai/codex)
 # session.
+#
+# Multi-workspace: the TOML table name is workspace-specific
+# ("{{MCP_SERVER_NAME}}") so two molecule workspaces can coexist in one
+# ~/.codex/config.toml — TOML rejects duplicate
+# [mcp_servers.<name>] tables, so re-using a bare "molecule" name for a
+# second workspace would either break codex parsing or silently
+# overwrite the first. Re-running this snippet for another workspace
+# ADDS a sibling table instead.
 
 # 1. Install codex CLI, the workspace runtime, and the bridge daemon:
 npm install -g @openai/codex@latest
@@ -412,23 +533,21 @@ pip install codex-channel-molecule
 
 # 2. Wire the molecule MCP server into codex's config.toml — this is
 #    the OUTBOUND path (codex calls list_peers / delegate_task /
-#    send_message_to_user / commit_memory).
-#
-#    Don't append blindly — TOML rejects duplicate
-#    [mcp_servers.molecule] tables, so re-running on an existing
-#    config will break codex parsing. If [mcp_servers.molecule]
-#    already exists (e.g. you set this up before), replace the
-#    existing block instead of appending.
+#    send_message_to_user / commit_memory). The table name
+#    ({{MCP_SERVER_NAME}}) is workspace-specific; re-running the
+#    snippet for a DIFFERENT workspace appends a sibling table without
+#    touching the first. Re-running for the SAME workspace produces
+#    the same name, so replace the existing block instead of appending.
 
 mkdir -p ~/.codex
 # (then open ~/.codex/config.toml in your editor and paste:)
 #
-# [mcp_servers.molecule]
+# [mcp_servers.{{MCP_SERVER_NAME}}]
 # command = "molecule-mcp"
 # args = []
 # startup_timeout_sec = 30
 #
-# [mcp_servers.molecule.env]
+# [mcp_servers.{{MCP_SERVER_NAME}}.env]
 # WORKSPACE_ID = "{{WORKSPACE_ID}}"
 # PLATFORM_URL = "{{PLATFORM_URL}}"
 # MOLECULE_WORKSPACE_TOKEN = "<paste from create response>"
@@ -472,11 +591,13 @@ codex
 # Need help?
 #   Documentation: https://doc.moleculesai.app/docs/guides/mcp-server-setup
 #   Common errors:
-#     • [mcp_servers.molecule] not loaded — codex must be ≥ 0.57.
+#     • [mcp_servers.{{MCP_SERVER_NAME}}] not loaded — codex must be ≥ 0.57.
 #       Check with ` + "`codex --version`" + `; upgrade via npm install -g @openai/codex@latest.
-#     • TOML parse error after re-running setup — TOML rejects duplicate
-#       [mcp_servers.molecule] tables. Open ~/.codex/config.toml and
-#       remove the old block before pasting the new one.
+#     • TOML parse error after re-running setup for the SAME workspace —
+#       TOML rejects duplicate [mcp_servers.<name>] tables. Open
+#       ~/.codex/config.toml and remove the old block before pasting the
+#       new one. (A second molecule workspace gets a DIFFERENT table
+#       name, so coexisting workspaces don't conflict.)
 #     • Canvas messages don't wake codex — step 3 (codex-channel-molecule
 #       bridge daemon) is required for inbound push. Check
 #       pgrep -f codex-channel-molecule and tail ~/.codex-channel-molecule/daemon.log.
@@ -502,23 +623,23 @@ const externalKimiTemplate = `# Kimi CLI external setup — register + heartbeat
 pip install molecule-ai-workspace-runtime
 
 # 2. Save credentials and the bridge script:
-mkdir -p ~/.molecule-ai/kimi-workspace
-chmod 700 ~/.molecule-ai/kimi-workspace
-cat > ~/.molecule-ai/kimi-workspace/env <<'EOF'
+mkdir -p ~/.molecule-ai/kimi-{{MCP_SERVER_NAME}}
+chmod 700 ~/.molecule-ai/kimi-{{MCP_SERVER_NAME}}
+cat > ~/.molecule-ai/kimi-{{MCP_SERVER_NAME}}/env <<'EOF'
 WORKSPACE_ID={{WORKSPACE_ID}}
 PLATFORM_URL={{PLATFORM_URL}}
 MOLECULE_WORKSPACE_TOKEN=<paste from create response>
 EOF
-chmod 600 ~/.molecule-ai/kimi-workspace/env
+chmod 600 ~/.molecule-ai/kimi-{{MCP_SERVER_NAME}}/env
 
-cat > ~/.molecule-ai/kimi-workspace/kimi_bridge.py <<'PYEOF'
+cat > ~/.molecule-ai/kimi-{{MCP_SERVER_NAME}}/kimi_bridge.py <<'PYEOF'
 #!/usr/bin/env python3
 """Kimi bridge — keeps workspace online and polls for canvas messages."""
 import json, logging, time
 from pathlib import Path
 import httpx
 
-ENV = Path.home() / ".molecule-ai" / "kimi-workspace" / "env"
+ENV = Path.home() / ".molecule-ai" / "kimi-{{MCP_SERVER_NAME}}" / "env"
 HEARTBEAT_INTERVAL = 20
 POLL_INTERVAL = 5
 
@@ -608,10 +729,10 @@ def main():
 if __name__ == "__main__":
     main()
 PYEOF
-chmod +x ~/.molecule-ai/kimi-workspace/kimi_bridge.py
+chmod +x ~/.molecule-ai/kimi-{{MCP_SERVER_NAME}}/kimi_bridge.py
 
 # 3. Start the bridge (run in a persistent terminal or via launchd):
-python3 ~/.molecule-ai/kimi-workspace/kimi_bridge.py
+python3 ~/.molecule-ai/kimi-{{MCP_SERVER_NAME}}/kimi_bridge.py
 
 # What the script does:
 #   • Registers the workspace in poll mode (no public URL needed)
@@ -622,7 +743,7 @@ python3 ~/.molecule-ai/kimi-workspace/kimi_bridge.py
 # To change the reply logic, edit the send_reply() call inside the loop.
 # To send a one-off reply from another terminal:
 #   curl -fsS -X POST "{{PLATFORM_URL}}/workspaces/{{WORKSPACE_ID}}/notify" \
-#     -H "Authorization: Bearer $(cat ~/.molecule-ai/kimi-workspace/env | grep TOKEN | cut -d= -f2)" \
+#     -H "Authorization: Bearer $(cat ~/.molecule-ai/kimi-{{MCP_SERVER_NAME}}/env | grep TOKEN | cut -d= -f2)" \
 #     -H "Content-Type: application/json" \
 #     -d '{"message":"Hello from Kimi"}'
 #
@@ -644,10 +765,21 @@ const externalOpenClawTemplate = `# OpenClaw MCP config — outbound tool path.
 # sessions.steer push path; an external setup would need the same
 # bridge daemon the template uses. For inbound delivery on an
 # external machine today, pair with the Python SDK tab.
+#
+# Multi-workspace: each workspace registers under a workspace-specific
+# MCP server name ("{{MCP_SERVER_NAME}}"). openclaw keys MCP servers by
+# name in its config (~/.openclaw/mcp/<name>.json), so re-running with
+# a bare "molecule" name would overwrite the prior workspace's entry.
+# Re-run this snippet for another workspace to ADD a sibling entry
+# instead.
 
 # 1. Install openclaw CLI + the workspace runtime wheel:
+#    The version pin (>=0.1.999) ensures the "molecule-mcp" console
+#    script is present — it is what keeps the workspace ALIVE on canvas
+#    (register-on-startup + 20s heartbeat). Older versions only ship
+#    a2a_mcp_server which does not heartbeat.
 npm install -g openclaw@latest
-pip install molecule-ai-workspace-runtime
+pip install "molecule-ai-workspace-runtime>=0.1.999"
 
 # 2. Onboard openclaw against your model provider (one-time setup).
 #    --non-interactive needs an explicit --provider + --model so it
@@ -670,7 +802,7 @@ pip install molecule-ai-workspace-runtime
 # workspace as awaiting_agent (OFFLINE) within 60-90s even while
 # tools work.
 WORKSPACE_TOKEN="<paste from create response>"
-openclaw mcp set molecule "$(cat <<EOF
+openclaw mcp set {{MCP_SERVER_NAME}} "$(cat <<EOF
 {
   "command": "molecule-mcp",
   "args": [],
@@ -700,6 +832,6 @@ openclaw agent --message "list my peers"
 #     • Gateway not starting — tail ~/.openclaw/gateway.log. The loopback
 #       bind requires :18789 to be free; check with ` + "`lsof -iTCP:18789`" + `.
 #     • ` + "`openclaw mcp set`" + ` rejected — the heredoc generates JSON;
-#       verify with ` + "`jq < ~/.openclaw/mcp/molecule.json`" + ` and re-run
+#       verify with ` + "`jq < ~/.openclaw/mcp/{{MCP_SERVER_NAME}}.json`" + ` and re-run
 #       ` + "`openclaw mcp set`" + ` if the file is malformed.
 `

workspace-server/internal/handlers/external_rotate.go

@@ -52,7 +52,7 @@ func (h *WorkspaceHandler) RotateExternalCredentials(c *gin.Context) {
 	}
 	ctx := c.Request.Context()
 
-	runtime, err := lookupWorkspaceRuntime(ctx, db.DB, id)
+	runtime, name, err := lookupWorkspaceRuntimeAndName(ctx, db.DB, id)
 	if errors.Is(err, sql.ErrNoRows) {
 		c.JSON(http.StatusNotFound, gin.H{"error": "workspace not found"})
 		return
@@ -108,7 +108,7 @@ func (h *WorkspaceHandler) RotateExternalCredentials(c *gin.Context) {
 
 	platformURL := externalPlatformURL(c)
 	c.JSON(http.StatusOK, gin.H{
-		"connection": BuildExternalConnectionPayload(platformURL, id, tok),
+		"connection": BuildExternalConnectionPayload(platformURL, id, name, tok),
 	})
 }
 
@@ -129,7 +129,7 @@ func (h *WorkspaceHandler) GetExternalConnection(c *gin.Context) {
 	}
 	ctx := c.Request.Context()
 
-	runtime, err := lookupWorkspaceRuntime(ctx, db.DB, id)
+	runtime, name, err := lookupWorkspaceRuntimeAndName(ctx, db.DB, id)
 	if errors.Is(err, sql.ErrNoRows) {
 		c.JSON(http.StatusNotFound, gin.H{"error": "workspace not found"})
 		return
@@ -149,16 +149,20 @@ func (h *WorkspaceHandler) GetExternalConnection(c *gin.Context) {
 
 	platformURL := externalPlatformURL(c)
 	c.JSON(http.StatusOK, gin.H{
-		"connection": BuildExternalConnectionPayload(platformURL, id, ""),
+		"connection": BuildExternalConnectionPayload(platformURL, id, name, ""),
 	})
 }
 
-// lookupWorkspaceRuntime returns the workspace's runtime field. Wrapped
-// for readability + so tests can mock the single SELECT.
-func lookupWorkspaceRuntime(ctx context.Context, handle *sql.DB, id string) (string, error) {
-	var runtime string
-	err := handle.QueryRowContext(ctx, `
-		SELECT COALESCE(runtime, '') FROM workspaces WHERE id = $1
-	`, id).Scan(&runtime)
-	return runtime, err
+// lookupWorkspaceRuntimeAndName returns runtime + name in one round-trip.
+// Wrapped for readability + so tests can mock the single SELECT.
+// Used by rotate / re-show paths: runtime gates the external-only check;
+// name feeds the per-workspace MCP server slug in BuildExternalConnectionPayload
+// (so the Universal MCP snippet uses a stable per-workspace name instead
+// of overwriting prior `claude mcp add molecule` entries).
+// Returns sql.ErrNoRows when the workspace doesn't exist.
+func lookupWorkspaceRuntimeAndName(ctx context.Context, handle *sql.DB, id string) (runtime, name string, err error) {
+	err = handle.QueryRowContext(ctx, `
+		SELECT COALESCE(runtime, ''), COALESCE(name, '') FROM workspaces WHERE id = $1
+	`, id).Scan(&runtime, &name)
+	return runtime, name, err
 }

workspace-server/internal/handlers/external_rotate_test.go

@@ -35,9 +35,9 @@ func TestRotateExternalCredentials_HappyPath(t *testing.T) {
 	wh := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
 
 	// 1. Runtime lookup
-	mock.ExpectQuery(`SELECT COALESCE\(runtime, ''\) FROM workspaces WHERE id = \$1`).
+	mock.ExpectQuery(`SELECT COALESCE\(runtime, ''\), COALESCE\(name, ''\) FROM workspaces WHERE id = \$1`).
 		WithArgs("ws-ext").
-		WillReturnRows(sqlmock.NewRows([]string{"runtime"}).AddRow("external"))
+		WillReturnRows(sqlmock.NewRows([]string{"runtime", "name"}).AddRow("external", "test-ws"))
 
 	// 2. Revoke all live tokens
 	mock.ExpectExec(`UPDATE workspace_auth_tokens`).
@@ -98,9 +98,9 @@ func TestRotateExternalCredentials_RejectsNonExternal(t *testing.T) {
 	setupTestRedis(t)
 	wh := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
 
-	mock.ExpectQuery(`SELECT COALESCE\(runtime, ''\) FROM workspaces WHERE id = \$1`).
+	mock.ExpectQuery(`SELECT COALESCE\(runtime, ''\), COALESCE\(name, ''\) FROM workspaces WHERE id = \$1`).
 		WithArgs("ws-hermes").
-		WillReturnRows(sqlmock.NewRows([]string{"runtime"}).AddRow("hermes"))
+		WillReturnRows(sqlmock.NewRows([]string{"runtime", "name"}).AddRow("hermes", "test-ws"))
 
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -129,9 +129,9 @@ func TestRotateExternalCredentials_NotFound(t *testing.T) {
 	setupTestRedis(t)
 	wh := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
 
-	mock.ExpectQuery(`SELECT COALESCE\(runtime, ''\) FROM workspaces WHERE id = \$1`).
+	mock.ExpectQuery(`SELECT COALESCE\(runtime, ''\), COALESCE\(name, ''\) FROM workspaces WHERE id = \$1`).
 		WithArgs("ws-missing").
-		WillReturnRows(sqlmock.NewRows([]string{"runtime"})) // no rows
+		WillReturnRows(sqlmock.NewRows([]string{"runtime", "name"})) // no rows
 
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -172,9 +172,9 @@ func TestGetExternalConnection_HappyPathReturnsBlankToken(t *testing.T) {
 	setupTestRedis(t)
 	wh := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
 
-	mock.ExpectQuery(`SELECT COALESCE\(runtime, ''\) FROM workspaces WHERE id = \$1`).
+	mock.ExpectQuery(`SELECT COALESCE\(runtime, ''\), COALESCE\(name, ''\) FROM workspaces WHERE id = \$1`).
 		WithArgs("ws-ext").
-		WillReturnRows(sqlmock.NewRows([]string{"runtime"}).AddRow("external"))
+		WillReturnRows(sqlmock.NewRows([]string{"runtime", "name"}).AddRow("external", "test-ws"))
 
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -211,9 +211,9 @@ func TestGetExternalConnection_RejectsNonExternal(t *testing.T) {
 	setupTestRedis(t)
 	wh := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
 
-	mock.ExpectQuery(`SELECT COALESCE\(runtime, ''\) FROM workspaces WHERE id = \$1`).
+	mock.ExpectQuery(`SELECT COALESCE\(runtime, ''\), COALESCE\(name, ''\) FROM workspaces WHERE id = \$1`).
 		WithArgs("ws-claude").
-		WillReturnRows(sqlmock.NewRows([]string{"runtime"}).AddRow("claude-code"))
+		WillReturnRows(sqlmock.NewRows([]string{"runtime", "name"}).AddRow("claude-code", "test-ws"))
 
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -233,9 +233,9 @@ func TestGetExternalConnection_NotFound(t *testing.T) {
 	setupTestRedis(t)
 	wh := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
 
-	mock.ExpectQuery(`SELECT COALESCE\(runtime, ''\) FROM workspaces WHERE id = \$1`).
+	mock.ExpectQuery(`SELECT COALESCE\(runtime, ''\), COALESCE\(name, ''\) FROM workspaces WHERE id = \$1`).
 		WithArgs("ws-missing").
-		WillReturnRows(sqlmock.NewRows([]string{"runtime"}))
+		WillReturnRows(sqlmock.NewRows([]string{"runtime", "name"}))
 
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -253,7 +253,7 @@ func TestGetExternalConnection_NotFound(t *testing.T) {
 // ---------- BuildExternalConnectionPayload (pure helper) ----------
 
 func TestBuildExternalConnectionPayload_StampsPlaceholders(t *testing.T) {
-	got := BuildExternalConnectionPayload("https://platform.test", "ws-7", "tok-abc")
+	got := BuildExternalConnectionPayload("https://platform.test", "ws-7", "my-bot", "tok-abc")
 
 	if got["workspace_id"] != "ws-7" {
 		t.Errorf("workspace_id: %v", got["workspace_id"])
@@ -267,6 +267,18 @@ func TestBuildExternalConnectionPayload_StampsPlaceholders(t *testing.T) {
 	if got["registry_endpoint"] != "https://platform.test/registry/register" {
 		t.Errorf("registry_endpoint: %v", got["registry_endpoint"])
 	}
+	// Universal MCP snippet must contain a workspace-specific server
+	// name derived from the workspace name. Without this each new
+	// `claude mcp add` would overwrite the previous entry in the user's
+	// ~/.claude.json (servers are keyed by name) — collapsing
+	// multi-workspace use into one slot. See mcpServerNameForWorkspace.
+	mcp, _ := got["universal_mcp_snippet"].(string)
+	if !strings.Contains(mcp, "claude mcp add molecule-my-bot ") {
+		t.Errorf("universal_mcp_snippet missing per-workspace server name 'molecule-my-bot':\n%s", mcp)
+	}
+	if strings.Contains(mcp, "{{MCP_SERVER_NAME}}") {
+		t.Errorf("universal_mcp_snippet still contains literal {{MCP_SERVER_NAME}}")
+	}
 	// {{PLATFORM_URL}} + {{WORKSPACE_ID}} placeholders must be substituted
 	// out of every snippet — if any snippet still contains a literal
 	// "{{PLATFORM_URL}}" or "{{WORKSPACE_ID}}", a future template author
@@ -292,7 +304,7 @@ func TestBuildExternalConnectionPayload_TrimsTrailingSlash(t *testing.T) {
 	// being concatenated into endpoint paths — otherwise the operator
 	// gets `https://platform.test//registry/register` (double slash) which
 	// some servers reject as a redirect target.
-	got := BuildExternalConnectionPayload("https://platform.test/", "ws-7", "")
+	got := BuildExternalConnectionPayload("https://platform.test/", "ws-7", "", "")
 	if got["platform_url"] != "https://platform.test" {
 		t.Errorf("platform_url: trailing slash not trimmed; got %v", got["platform_url"])
 	}
@@ -304,8 +316,100 @@ func TestBuildExternalConnectionPayload_TrimsTrailingSlash(t *testing.T) {
 func TestBuildExternalConnectionPayload_BlankAuthTokenIsAllowed(t *testing.T) {
 	// Re-show path: auth_token="" is the contract; the modal masks the
 	// field and labels it "rotate to reveal a new token".
-	got := BuildExternalConnectionPayload("https://platform.test", "ws-7", "")
+	got := BuildExternalConnectionPayload("https://platform.test", "ws-7", "", "")
 	if got["auth_token"] != "" {
 		t.Errorf("blank token must propagate as \"\"; got %v", got["auth_token"])
 	}
 }
+
+// TestBuildExternalConnectionPayload_McpServerNameUniquePerWorkspace
+// pins the multi-workspace install contract: two distinct workspaces
+// must produce two distinct `claude mcp add` server-name lines, or
+// installing the second one will overwrite the first entry in the
+// user's ~/.claude.json (servers are keyed by name) — collapsing
+// multi-workspace use into a single per-session slot, which is the
+// "this is per-session" UX the CTO observed 2026-05-18.
+func TestBuildExternalConnectionPayload_McpServerNameUniquePerWorkspace(t *testing.T) {
+	cases := []struct {
+		name        string
+		workspaceID string
+		wsName      string
+		wantAddLine string // must appear in universal_mcp_snippet
+	}{
+		{"plain name", "id-a", "my-bot", "claude mcp add molecule-my-bot "},
+		{"name with spaces + caps", "id-b", "My Bot 1", "claude mcp add molecule-my-bot-1 "},
+		// Symbol/punctuation collapses to single hyphens and trims.
+		{"name with symbols", "id-c", "--Foo!!Bar--", "claude mcp add molecule-foo-bar "},
+		// Empty name falls back to the first 8 chars of the (de-hyphenated)
+		// workspace UUID — keeps the snippet unique per workspace even
+		// when callers (rotate/re-show pre-name-lookup) pass "".
+		{"empty name, uuid id", "12345678-aaaa-bbbb-cccc-deadbeef0000", "", "claude mcp add molecule-12345678 "},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			got := BuildExternalConnectionPayload("https://p.test", tc.workspaceID, tc.wsName, "tok")
+			mcp, _ := got["universal_mcp_snippet"].(string)
+			if !strings.Contains(mcp, tc.wantAddLine) {
+				t.Errorf("missing %q in universal_mcp_snippet:\n%s", tc.wantAddLine, mcp)
+			}
+			// Belt + suspenders: never the bare fixed `molecule` name —
+			// that was the bug. (Match with trailing space so the
+			// "molecule-…" form passes.)
+			if strings.Contains(mcp, "claude mcp add molecule ") {
+				t.Errorf("snippet regressed to fixed `claude mcp add molecule `; got:\n%s", mcp)
+			}
+		})
+	}
+}
+
+// TestBuildExternalConnectionPayload_AllRuntimeSnippetsAreWorkspaceUnique
+// extends the multi-workspace install contract to every runtime tab in
+// the modal. Each MCP-host config keyspace has the SAME equivalence
+// class as Claude Code's `claude mcp add <name>`:
+//
+//   - codex: ~/.codex/config.toml [mcp_servers.<name>] — TOML rejects
+//     duplicate table keys, so a second workspace with the same name
+//     either breaks parsing or overwrites the first table.
+//   - openclaw: ~/.openclaw/mcp/<name>.json — file is keyed by <name>,
+//     `openclaw mcp set <same-name>` overwrites.
+//   - hermes: ~/.hermes/config.yaml gateway.plugin_platforms.<key>:
+//     YAML rejects duplicate mapping keys.
+//   - kimi: ~/.molecule-ai/kimi-<slug>/ per-workspace dir — single
+//     "kimi-workspace" dir would have both workspaces' envs collide.
+//
+// All four must therefore stamp the workspace-specific
+// {{MCP_SERVER_NAME}} slug. This test catches a future template author
+// who introduces a new runtime tab without plumbing the slug.
+func TestBuildExternalConnectionPayload_AllRuntimeSnippetsAreWorkspaceUnique(t *testing.T) {
+	got := BuildExternalConnectionPayload("https://p.test", "id-a", "my-bot", "tok")
+
+	// Per-template literal that proves the slug was stamped through.
+	wantPerSnippet := map[string]string{
+		"universal_mcp_snippet": "claude mcp add molecule-my-bot ",
+		"codex_snippet":         "[mcp_servers.molecule-my-bot]",
+		"openclaw_snippet":      "openclaw mcp set molecule-my-bot ",
+		"hermes_channel_snippet": "          molecule-my-bot:",
+		"kimi_snippet":          "~/.molecule-ai/kimi-molecule-my-bot",
+	}
+	for key, needle := range wantPerSnippet {
+		v, _ := got[key].(string)
+		if !strings.Contains(v, needle) {
+			t.Errorf("%s missing per-workspace slug literal %q:\n%s", key, needle, v)
+		}
+	}
+
+	// No template should still contain the unstamped placeholder — that
+	// would mean BuildExternalConnectionPayload's stamp() didn't sweep
+	// it, which is the regression we're guarding against.
+	for _, k := range []string{
+		"curl_register_template", "python_snippet",
+		"claude_code_channel_snippet", "universal_mcp_snippet",
+		"hermes_channel_snippet", "codex_snippet", "openclaw_snippet",
+		"kimi_snippet",
+	} {
+		v, _ := got[k].(string)
+		if strings.Contains(v, "{{MCP_SERVER_NAME}}") {
+			t.Errorf("%s still contains literal {{MCP_SERVER_NAME}}", k)
+		}
+	}
+}

workspace-server/internal/handlers/handlers_test.go

@@ -61,6 +61,11 @@ func drainTestAsync() {
 // setupTestDB creates a sqlmock DB and assigns it to the global db.DB.
 // It also disables the SSRF URL check so that httptest.NewServer loopback
 // URLs and fake hostnames (*.example) used in tests don't trigger rejections.
+//
+// IMPORTANT: db.DB is saved before assignment and restored via t.Cleanup so
+// that tests running after this one are not polluted by a closed mock.
+// This is the single root cause of the systemic CI/Platform (Go) failures on
+// main HEAD 8026f020 (mc#975).
 func setupTestDB(t *testing.T) sqlmock.Sqlmock {
 	t.Helper()
 	mockDB, mock, err := sqlmock.New()
@@ -98,6 +103,11 @@ func setupTestDB(t *testing.T) sqlmock.Sqlmock {
 	return mock
 }
 
+func waitForHandlerAsyncBeforeDBCleanup(t *testing.T, h *WorkspaceHandler) {
+	t.Helper()
+	t.Cleanup(h.waitAsyncForTest)
+}
+
 // setupTestRedis creates a miniredis instance and assigns it to the global db.RDB.
 func setupTestRedis(t *testing.T) *miniredis.Miniredis {
 	t.Helper()
@@ -397,6 +407,11 @@ func TestWorkspaceCreate(t *testing.T) {
 }
 
 func TestBuildProvisionerConfig_IncludesAwarenessSettings(t *testing.T) {
+	mock := setupTestDB(t)
+	mock.ExpectQuery(`SELECT digest FROM runtime_image_pins`).
+		WithArgs("claude-code").
+		WillReturnError(sql.ErrNoRows)
+
 	broadcaster := newTestBroadcaster()
 	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", "/tmp/configs")
 

workspace-server/internal/handlers/instructions_test.go

@@ -2,10 +2,12 @@ package handlers
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"errors"
 	"net/http"
 	"net/http/httptest"
+	"regexp"
 	"testing"
 	"time"
 
@@ -80,117 +82,135 @@ func TestInstructionsList_ByWorkspaceID(t *testing.T) {
 	if w.Code != http.StatusOK {
 		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
 	}
-	var out []Instruction
-	if err := json.Unmarshal(w.Body.Bytes(), &out); err != nil {
-		t.Fatalf("response not valid JSON: %v", err)
+	var result []Instruction
+	if err := json.Unmarshal(w.Body.Bytes(), &result); err != nil {
+		t.Fatalf("invalid JSON: %v", err)
 	}
-	if len(out) != 2 {
-		t.Errorf("expected 2 instructions, got %d", len(out))
+	if len(result) != 2 {
+		t.Fatalf("expected 2 instructions, got %d", len(result))
 	}
-	if out[0].Scope != "global" {
-		t.Errorf("first row scope: expected global, got %s", out[0].Scope)
+	if result[0].Scope != "global" || result[1].Scope != "workspace" {
+		t.Fatalf("expected global then workspace instructions, got %#v", result)
 	}
 	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet expectations: %v", err)
+		t.Fatalf("unmet expectations: %v", err)
 	}
 }
 
-func TestInstructionsList_ByScope(t *testing.T) {
+func TestInstructionsHandler_List_WithScopeFilter(t *testing.T) {
 	mock := setupTestDB(t)
-	h := NewInstructionsHandler()
+	handler := NewInstructionsHandler()
 
-	w, c := newGetRequest("/instructions?scope=global")
-	c.Request = httptest.NewRequest(http.MethodGet, "/instructions?scope=global", nil)
+	rows := sqlmock.NewRows([]string{
+		"id", "scope", "scope_target", "title", "content", "priority", "enabled", "created_at", "updated_at",
+	}).AddRow("inst-1", "global", nil, "Be kind", "Always be kind", 10, true,
+		time.Now(), time.Now())
 
-	rows := sqlmock.NewRows(instructionCols).
-		AddRow("inst-g", "global", nil, "Global Rule", "Follow policy.", 10, true, time.Now(), time.Now())
-	mock.ExpectQuery("SELECT id, scope, scope_target, title, content, priority, enabled, created_at, updated_at FROM platform_instructions WHERE 1=1").
+	mock.ExpectQuery(regexp.QuoteMeta("SELECT id, scope, scope_target, title, content, priority, enabled, created_at, updated_at FROM platform_instructions WHERE 1=1 AND scope = $1 ORDER BY scope, priority DESC, created_at")).
 		WithArgs("global").
 		WillReturnRows(rows)
 
-	h.List(c)
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("GET", "/instructions?scope=global", nil)
+
+	handler.List(c)
 
 	if w.Code != http.StatusOK {
-		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+		t.Fatalf("expected 200, got %d", w.Code)
 	}
-	var out []Instruction
-	if err := json.Unmarshal(w.Body.Bytes(), &out); err != nil {
-		t.Fatalf("response not valid JSON: %v", err)
+	var result []Instruction
+	if err := json.Unmarshal(w.Body.Bytes(), &result); err != nil {
+		t.Fatalf("invalid JSON: %v", err)
 	}
-	if len(out) != 1 || out[0].Scope != "global" {
-		t.Errorf("unexpected response: %v", out)
+	if len(result) != 1 {
+		t.Fatalf("expected 1 instruction, got %d", len(result))
+	}
+	if result[0].Scope != "global" {
+		t.Errorf("expected scope 'global', got %q", result[0].Scope)
 	}
 	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet expectations: %v", err)
+		t.Fatalf("unmet expectations: %v", err)
 	}
 }
 
-func TestInstructionsList_AllNoParams(t *testing.T) {
+func TestInstructionsHandler_List_WithWorkspaceID(t *testing.T) {
 	mock := setupTestDB(t)
-	h := NewInstructionsHandler()
+	handler := NewInstructionsHandler()
+	wsID := "ws-test-123"
 
-	w, c := newGetRequest("/instructions")
+	rows := sqlmock.NewRows([]string{
+		"id", "scope", "scope_target", "title", "content", "priority", "enabled", "created_at", "updated_at",
+	}).AddRow("inst-1", "global", nil, "Global rule", "Stay safe", 5, true,
+		time.Now(), time.Now()).
+		AddRow("inst-2", "workspace", &wsID, "WS rule", "Use HTTPS", 10, true,
+			time.Now(), time.Now())
 
-	rows := sqlmock.NewRows(instructionCols)
-	mock.ExpectQuery("SELECT id, scope, scope_target, title, content, priority, enabled, created_at, updated_at FROM platform_instructions WHERE 1=1").
+	mock.ExpectQuery("SELECT id, scope, scope_target, title, content, priority, enabled, created_at, updated_at FROM platform_instructions WHERE enabled = true AND \\(").
+		WithArgs(wsID).
 		WillReturnRows(rows)
 
-	h.List(c)
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("GET", "/instructions?workspace_id="+wsID, nil)
+
+	handler.List(c)
 
 	if w.Code != http.StatusOK {
-		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+		t.Fatalf("expected 200, got %d", w.Code)
 	}
-	var out []Instruction
-	if err := json.Unmarshal(w.Body.Bytes(), &out); err != nil {
-		t.Fatalf("response not valid JSON: %v", err)
+	var result []Instruction
+	if err := json.Unmarshal(w.Body.Bytes(), &result); err != nil {
+		t.Fatalf("invalid JSON: %v", err)
 	}
-	// Empty slice, not nil
-	if out == nil {
-		t.Error("expected empty slice, got nil")
+	if len(result) != 2 {
+		t.Fatalf("expected 2 instructions, got %d", len(result))
 	}
 	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet expectations: %v", err)
+		t.Fatalf("unmet expectations: %v", err)
 	}
 }
 
-func TestInstructionsList_DBError(t *testing.T) {
+func TestInstructionsHandler_List_QueryError(t *testing.T) {
 	mock := setupTestDB(t)
-	h := NewInstructionsHandler()
-
-	w, c := newGetRequest("/instructions")
-	c.Request = httptest.NewRequest(http.MethodGet, "/instructions", nil)
+	handler := NewInstructionsHandler()
 
 	mock.ExpectQuery("SELECT id, scope, scope_target, title, content, priority, enabled, created_at, updated_at FROM platform_instructions WHERE 1=1").
-		WillReturnError(errors.New("connection refused"))
+		WillReturnError(context.DeadlineExceeded)
 
-	h.List(c)
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("GET", "/instructions", nil)
+
+	handler.List(c)
 
 	if w.Code != http.StatusInternalServerError {
-		t.Fatalf("expected 500, got %d: %s", w.Code, w.Body.String())
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet expectations: %v", err)
+		t.Fatalf("expected 500, got %d", w.Code)
 	}
 }
 
-// ─── Create ───────────────────────────────────────────────────────────────────
+// ── Create ──────────────────────────────────────────────────────────────────────
 
-func TestInstructionsCreate_ValidGlobal(t *testing.T) {
+func TestInstructionsHandler_Create_Success(t *testing.T) {
 	mock := setupTestDB(t)
-	h := NewInstructionsHandler()
-
-	w, c := newPostRequest("/instructions", map[string]interface{}{
-		"scope":    "global",
-		"title":    "Be Helpful",
-		"content":  "Always be helpful to the user.",
-		"priority": 10,
-	})
+	handler := NewInstructionsHandler()
 
 	mock.ExpectQuery("INSERT INTO platform_instructions").
-		WithArgs("global", nil, "Be Helpful", "Always be helpful to the user.", 10).
-		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow("new-inst-1"))
+		WithArgs("global", nil, "Be kind", "Always be kind", 5).
+		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow("new-inst-id"))
 
-	h.Create(c)
+	body, _ := json.Marshal(map[string]interface{}{
+		"scope":    "global",
+		"title":    "Be kind",
+		"content":  "Always be kind",
+		"priority": 5,
+	})
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("POST", "/instructions", bytes.NewReader(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Create(c)
 
 	if w.Code != http.StatusCreated {
 		t.Fatalf("expected 201, got %d: %s", w.Code, w.Body.String())
@@ -199,8 +219,8 @@ func TestInstructionsCreate_ValidGlobal(t *testing.T) {
 	if err := json.Unmarshal(w.Body.Bytes(), &out); err != nil {
 		t.Fatalf("response not valid JSON: %v", err)
 	}
-	if out["id"] != "new-inst-1" {
-		t.Errorf("expected id new-inst-1, got %s", out["id"])
+	if out["id"] != "new-inst-id" {
+		t.Errorf("expected id new-inst-id, got %s", out["id"])
 	}
 	if err := mock.ExpectationsWereMet(); err != nil {
 		t.Errorf("unmet expectations: %v", err)
@@ -299,56 +319,65 @@ func TestInstructionsCreate_InvalidScope(t *testing.T) {
 	}
 }
 
-func TestInstructionsCreate_WorkspaceScopeNoTarget(t *testing.T) {
+func TestInstructionsHandler_Create_WorkspaceScopeMissingScopeTarget(t *testing.T) {
 	setupTestDB(t)
-	h := NewInstructionsHandler()
+	handler := NewInstructionsHandler()
 
-	w, c := newPostRequest("/instructions", map[string]interface{}{
+	body, _ := json.Marshal(map[string]interface{}{
 		"scope":   "workspace",
-		"title":   "Missing Target",
-		"content": "Workspace scope without scope_target.",
+		"title":   "Test",
+		"content": "Test content",
 	})
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("POST", "/instructions", bytes.NewReader(body))
+	c.Request.Header.Set("Content-Type", "application/json")
 
-	h.Create(c)
+	handler.Create(c)
 
 	if w.Code != http.StatusBadRequest {
 		t.Fatalf("expected 400, got %d: %s", w.Code, w.Body.String())
 	}
 }
 
-func TestInstructionsCreate_ContentTooLong(t *testing.T) {
+func TestInstructionsHandler_Create_ContentTooLong(t *testing.T) {
 	setupTestDB(t)
-	h := NewInstructionsHandler()
+	handler := NewInstructionsHandler()
 
-	// Build a string longer than maxInstructionContentLen (8192).
-	longContent := string(make([]byte, maxInstructionContentLen+1))
-
-	w, c := newPostRequest("/instructions", map[string]interface{}{
+	longContent := string(bytes.Repeat([]byte("x"), 8193))
+	body, _ := json.Marshal(map[string]interface{}{
 		"scope":   "global",
-		"title":   "Too Long",
+		"title":   "Test",
 		"content": longContent,
 	})
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("POST", "/instructions", bytes.NewReader(body))
+	c.Request.Header.Set("Content-Type", "application/json")
 
-	h.Create(c)
+	handler.Create(c)
 
 	if w.Code != http.StatusBadRequest {
 		t.Fatalf("expected 400, got %d: %s", w.Code, w.Body.String())
 	}
 }
 
-func TestInstructionsCreate_TitleTooLong(t *testing.T) {
+func TestInstructionsHandler_Create_TitleTooLong(t *testing.T) {
 	setupTestDB(t)
-	h := NewInstructionsHandler()
+	handler := NewInstructionsHandler()
 
-	longTitle := string(make([]byte, 201))
-
-	w, c := newPostRequest("/instructions", map[string]interface{}{
+	longTitle := string(bytes.Repeat([]byte("x"), 201))
+	body, _ := json.Marshal(map[string]interface{}{
 		"scope":   "global",
 		"title":   longTitle,
-		"content": "Short content.",
+		"content": "Short content",
 	})
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("POST", "/instructions", bytes.NewReader(body))
+	c.Request.Header.Set("Content-Type", "application/json")
 
-	h.Create(c)
+	handler.Create(c)
 
 	if w.Code != http.StatusBadRequest {
 		t.Fatalf("expected 400, got %d: %s", w.Code, w.Body.String())
@@ -842,43 +871,250 @@ func TestInstructionsResolve_ScopeTransitionOnlyGlobal(t *testing.T) {
 	if w.Code != http.StatusOK {
 		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
 	}
-	var out struct {
-		Instructions string `json:"instructions"`
-	}
-	if err := json.Unmarshal(w.Body.Bytes(), &out); err != nil {
-		t.Fatalf("response not valid JSON: %v", err)
-	}
-	// Two global instructions share one section header.
-	if bytes.Count([]byte(out.Instructions), []byte("Platform-Wide Rules")) != 1 {
-		t.Error("expect exactly one 'Platform-Wide Rules' header for consecutive global rows")
-	}
 	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet expectations: %v", err)
+		t.Fatalf("unmet expectations: %v", err)
 	}
 }
 
-// ─── Update: empty body (all nil — no-op update) ─────────────────────────────
-
-func TestInstructionsUpdate_EmptyBody(t *testing.T) {
+func TestInstructionsHandler_Update_NotFound(t *testing.T) {
 	mock := setupTestDB(t)
-	h := NewInstructionsHandler()
+	handler := NewInstructionsHandler()
 
-	instID := "inst-empty-update"
-	w, c := newPutRequest("/instructions/"+instID, map[string]interface{}{})
-	c.Params = []gin.Param{{Key: "id", Value: instID}}
+	mock.ExpectExec(regexp.QuoteMeta("UPDATE platform_instructions SET\n\t\t\t\ttitle = COALESCE($2, title),\n\t\t\t\tcontent = COALESCE($3, content),\n\t\t\t\tpriority = COALESCE($4, priority),\n\t\t\t\tenabled = COALESCE($5, enabled),\n\t\t\t\tupdated_at = NOW()\n\t\t\t\tWHERE id = $1")).
+		WithArgs("nonexistent", sqlmock.AnyArg(), nil, nil, nil).
+		WillReturnResult(sqlmock.NewResult(0, 0))
 
-	// COALESCE(nil, ...) = unchanged; still updates updated_at.
-	// Args order: ($1=id, $2=title, $3=content, $4=priority, $5=enabled)
-	mock.ExpectExec("UPDATE platform_instructions SET").
-		WithArgs(instID, sqlmock.AnyArg(), sqlmock.AnyArg(), sqlmock.AnyArg(), sqlmock.AnyArg()).
+	body, _ := json.Marshal(map[string]interface{}{"title": "Updated title"})
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "nonexistent"}}
+	c.Request = httptest.NewRequest("PUT", "/instructions/nonexistent", bytes.NewReader(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Update(c)
+
+	if w.Code != http.StatusNotFound {
+		t.Fatalf("expected 404, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Fatalf("unmet expectations: %v", err)
+	}
+}
+
+func TestInstructionsHandler_Update_ContentTooLong(t *testing.T) {
+	setupTestDB(t)
+	handler := NewInstructionsHandler()
+
+	longContent := string(bytes.Repeat([]byte("x"), 8193))
+	body, _ := json.Marshal(map[string]interface{}{"content": longContent})
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "inst-1"}}
+	c.Request = httptest.NewRequest("PUT", "/instructions/inst-1", bytes.NewReader(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Update(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("expected 400, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestInstructionsHandler_Update_TitleTooLong(t *testing.T) {
+	setupTestDB(t)
+	handler := NewInstructionsHandler()
+
+	longTitle := string(bytes.Repeat([]byte("x"), 201))
+	body, _ := json.Marshal(map[string]interface{}{"title": longTitle})
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "inst-1"}}
+	c.Request = httptest.NewRequest("PUT", "/instructions/inst-1", bytes.NewReader(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Update(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("expected 400, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+// ── Delete ─────────────────────────────────────────────────────────────────────
+
+func TestInstructionsHandler_Delete_Success(t *testing.T) {
+	mock := setupTestDB(t)
+	handler := NewInstructionsHandler()
+
+	mock.ExpectExec(regexp.QuoteMeta("DELETE FROM platform_instructions WHERE id = $1")).
+		WithArgs("inst-1").
 		WillReturnResult(sqlmock.NewResult(0, 1))
 
-	h.Update(c)
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "inst-1"}}
+	c.Request = httptest.NewRequest("DELETE", "/instructions/inst-1", nil)
+
+	handler.Delete(c)
 
 	if w.Code != http.StatusOK {
-		t.Fatalf("expected 200 for empty body, got %d: %s", w.Code, w.Body.String())
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
 	}
 	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet expectations: %v", err)
+		t.Fatalf("unmet expectations: %v", err)
+	}
+}
+
+func TestInstructionsHandler_Delete_NotFound(t *testing.T) {
+	mock := setupTestDB(t)
+	handler := NewInstructionsHandler()
+
+	mock.ExpectExec(regexp.QuoteMeta("DELETE FROM platform_instructions WHERE id = $1")).
+		WithArgs("nonexistent").
+		WillReturnResult(sqlmock.NewResult(0, 0))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "nonexistent"}}
+	c.Request = httptest.NewRequest("DELETE", "/instructions/nonexistent", nil)
+
+	handler.Delete(c)
+
+	if w.Code != http.StatusNotFound {
+		t.Fatalf("expected 404, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Fatalf("unmet expectations: %v", err)
+	}
+}
+
+// ── Resolve ────────────────────────────────────────────────────────────────────
+
+func TestInstructionsHandler_Resolve_Empty(t *testing.T) {
+	mock := setupTestDB(t)
+	handler := NewInstructionsHandler()
+	wsID := "ws-resolve-1"
+
+	mock.ExpectQuery("SELECT scope, title, content FROM platform_instructions WHERE enabled = true AND").
+		WithArgs(wsID).
+		WillReturnRows(sqlmock.NewRows([]string{"scope", "title", "content"}))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: wsID}}
+	c.Request = httptest.NewRequest("GET", "/workspaces/"+wsID+"/instructions/resolve", nil)
+
+	handler.Resolve(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var resp map[string]interface{}
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("invalid JSON: %v", err)
+	}
+	if resp["workspace_id"] != wsID {
+		t.Errorf("expected workspace_id %q, got %v", wsID, resp["workspace_id"])
+	}
+	if resp["instructions"] != "" {
+		t.Errorf("expected empty instructions, got %q", resp["instructions"])
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Fatalf("unmet expectations: %v", err)
+	}
+}
+
+func TestInstructionsHandler_Resolve_WithInstructions(t *testing.T) {
+	mock := setupTestDB(t)
+	handler := NewInstructionsHandler()
+	wsID := "ws-resolve-2"
+
+	rows := sqlmock.NewRows([]string{"scope", "title", "content"}).
+		AddRow("global", "Be safe", "No SSRF").
+		AddRow("workspace", "WS Rule", "Use HTTPS")
+
+	mock.ExpectQuery("SELECT scope, title, content FROM platform_instructions WHERE enabled = true AND").
+		WithArgs(wsID).
+		WillReturnRows(rows)
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: wsID}}
+	c.Request = httptest.NewRequest("GET", "/workspaces/"+wsID+"/instructions/resolve", nil)
+
+	handler.Resolve(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var resp map[string]interface{}
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("invalid JSON: %v", err)
+	}
+	instructions, ok := resp["instructions"].(string)
+	if !ok {
+		t.Fatalf("instructions field is not a string: %T", resp["instructions"])
+	}
+	if instructions == "" {
+		t.Fatalf("expected non-empty instructions")
+	}
+	// Verify scope headers are present
+	if !bytes.Contains([]byte(instructions), []byte("Platform-Wide Rules")) {
+		t.Errorf("expected 'Platform-Wide Rules' header in instructions")
+	}
+	if !bytes.Contains([]byte(instructions), []byte("Role-Specific Rules")) {
+		t.Errorf("expected 'Role-Specific Rules' header in instructions")
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Fatalf("unmet expectations: %v", err)
+	}
+}
+
+func TestInstructionsHandler_Resolve_MissingWorkspaceID(t *testing.T) {
+	setupTestDB(t)
+	handler := NewInstructionsHandler()
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: ""}}
+	c.Request = httptest.NewRequest("GET", "/workspaces//instructions/resolve", nil)
+
+	handler.Resolve(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("expected 400, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+// scanInstructions is called by the List handler — verify it handles
+// rows.Err() gracefully without panicking.
+func TestInstructionsHandler_List_ScanErrorContinues(t *testing.T) {
+	mock := setupTestDB(t)
+	handler := NewInstructionsHandler()
+
+	rows := sqlmock.NewRows([]string{
+		"id", "scope", "scope_target", "title", "content", "priority", "enabled", "created_at", "updated_at",
+	}).AddRow("inst-1", "global", nil, "Good", "Content here", 5, true, time.Now(), time.Now()).
+		RowError(1, context.DeadlineExceeded) // error on row 2 (if it existed)
+
+	mock.ExpectQuery("SELECT id, scope, scope_target, title, content, priority, enabled, created_at, updated_at FROM platform_instructions WHERE 1=1").
+		WillReturnRows(rows)
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("GET", "/instructions", nil)
+
+	handler.List(c)
+
+	// Should still return 200 and the one valid row
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d", w.Code)
+	}
+	var result []Instruction
+	if err := json.Unmarshal(w.Body.Bytes(), &result); err != nil {
+		t.Fatalf("invalid JSON: %v", err)
+	}
+	// The valid row should still be returned (error is logged, not fatal)
+	if len(result) != 1 {
+		t.Fatalf("expected 1 instruction despite row error, got %d", len(result))
 	}
 }