Support explicit platform provider labels

Merge pull request 'Prompt for template provider env config' (#1846 ) from fix/seo-template-provider-env-prompt into main
Prompt for template provider env config
2026-05-25 07:17:52 -07:00 · 2026-05-25 13:50:30 +00:00 · 2026-05-25 06:45:10 -07:00 · 2026-05-25 13:19:22 +00:00 · 2026-05-25 06:09:53 -07:00 · 2026-05-25 11:10:09 +00:00
37 changed files with 1235 additions and 113 deletions
@@ -25,6 +25,7 @@ DEFAULT_REQUIRED_CONTEXTS = [
    "Secret scan / Scan diff for credential-shaped strings (push)",
 ]
 TERMINAL_FAILURE_STATES = {"failure", "error", "cancelled", "canceled", "skipped"}
+REDEPLOY_PATH = "/cp/admin/tenants/redeploy-fleet"


 def truthy_flag(value: str | None) -> bool:
@@ -130,6 +131,154 @@ def required_contexts(env: dict[str, str]) -> list[str]:
    return [line.strip() for line in raw.replace(",", "\n").splitlines() if line.strip()]


+def chunks(items: list[str], size: int) -> list[list[str]]:
+    return [items[i : i + size] for i in range(0, len(items), size)]
+
+
+class RolloutFailed(RuntimeError):
+    def __init__(self, message: str, response: dict):
+        super().__init__(message)
+        self.response = response
+
+
+def slugs_from_redeploy_response(body: dict) -> list[str]:
+    slugs: list[str] = []
+    for row in body.get("results") or []:
+        slug = str(row.get("slug") or "").strip()
+        if slug:
+            slugs.append(slug)
+    return slugs
+
+
+def scoped_redeploy_body(base: dict, slugs: list[str]) -> dict:
+    body = dict(base)
+    body.pop("canary_slug", None)
+    body["only_slugs"] = slugs
+    body["soak_seconds"] = 0
+    body["batch_size"] = max(1, len(slugs))
+    return body
+
+
+def cp_api_json(method: str, url: str, token: str, body: dict | None = None) -> tuple[int, dict]:
+    data = None
+    headers = {
+        "Authorization": f"Bearer {token}",
+        "Accept": "application/json",
+    }
+    if body is not None:
+        data = json.dumps(body).encode("utf-8")
+        headers["Content-Type"] = "application/json"
+    req = urllib.request.Request(url, data=data, headers=headers, method=method)
+    try:
+        with urllib.request.urlopen(req, timeout=120) as resp:
+            return resp.status, json.loads(resp.read())
+    except urllib.error.HTTPError as exc:
+        raw = exc.read().decode("utf-8", errors="replace")
+        try:
+            parsed = json.loads(raw)
+        except json.JSONDecodeError:
+            parsed = {"error": raw[:500]}
+        return exc.code, parsed
+
+
+def plan_rollout_slugs(cp_url: str, token: str, body: dict, redeploy=None) -> list[str]:
+    if redeploy is None:
+        redeploy = redeploy_scoped
+    dry_run_body = dict(body)
+    dry_run_body["dry_run"] = True
+    status, resp = redeploy(cp_url, token, dry_run_body)
+    if status != 200:
+        raise RuntimeError(f"dry-run redeploy-fleet returned HTTP {status}: {resp.get('error', '')}")
+    if resp.get("ok") is not True:
+        raise RuntimeError(f"dry-run redeploy-fleet reported ok={resp.get('ok')}: {resp.get('error', '')}")
+    slugs = slugs_from_redeploy_response(resp)
+    if not slugs:
+        raise RuntimeError("dry-run redeploy-fleet returned no rollout candidates")
+    return slugs
+
+
+def redeploy_scoped(cp_url: str, token: str, body: dict) -> tuple[int, dict]:
+    return cp_api_json("POST", f"{cp_url}{REDEPLOY_PATH}", token, body)
+
+
+def _raise_for_redeploy_result(status: int, body: dict, slugs: list[str]) -> None:
+    if status != 200 or body.get("ok") is not True:
+        raise RuntimeError(
+            "redeploy scoped call failed for "
+            f"{','.join(slugs)}: HTTP {status}, ok={body.get('ok')}"
+        )
+
+
+def execute_scoped_rollout(
+    plan: dict,
+    token: str,
+    list_slugs=plan_rollout_slugs,
+    redeploy=redeploy_scoped,
+    sleep=time.sleep,
+) -> dict:
+    cp_url = plan["cp_url"]
+    base_body = plan["body"]
+    all_slugs = list_slugs(cp_url, token, base_body)
+    batch_size = int(base_body.get("batch_size") or 1)
+    canary_slug = str(base_body.get("canary_slug") or "").strip()
+    dry_run = bool(base_body.get("dry_run"))
+    aggregate = {"ok": True, "results": []}
+
+    if canary_slug:
+        if canary_slug not in all_slugs:
+            raise RuntimeError(f"configured canary slug {canary_slug!r} is not a running tenant")
+        body = scoped_redeploy_body(base_body, [canary_slug])
+        print(f"POST {cp_url}{REDEPLOY_PATH} only_slugs={','.join(body['only_slugs'])}")
+        status, resp = redeploy(cp_url, token, body)
+        aggregate["results"].extend(resp.get("results") or [])
+        try:
+            _raise_for_redeploy_result(status, resp, [canary_slug])
+        except RuntimeError as exc:
+            aggregate["ok"] = False
+            aggregate["error"] = str(exc)
+            raise RolloutFailed(str(exc), aggregate) from exc
+        soak_seconds = int(base_body.get("soak_seconds") or 0)
+        if soak_seconds > 0 and not dry_run:
+            print(f"Canary passed; soaking locally for {soak_seconds}s")
+            sleep(soak_seconds)
+
+    remaining = [slug for slug in all_slugs if slug != canary_slug]
+    for group in chunks(remaining, batch_size):
+        body = scoped_redeploy_body(base_body, group)
+        print(f"POST {cp_url}{REDEPLOY_PATH} only_slugs={','.join(group)}")
+        status, resp = redeploy(cp_url, token, body)
+        aggregate["results"].extend(resp.get("results") or [])
+        try:
+            _raise_for_redeploy_result(status, resp, group)
+        except RuntimeError as exc:
+            aggregate["ok"] = False
+            aggregate["error"] = str(exc)
+            raise RolloutFailed(str(exc), aggregate) from exc
+
+    return aggregate
+
+
+def rollout_from_plan_file(plan_path: str, response_path: str, env: dict[str, str]) -> None:
+    token = env.get("CP_ADMIN_API_TOKEN", "").strip()
+    if not token:
+        raise ValueError("CP_ADMIN_API_TOKEN is required for production auto-deploy")
+    with open(plan_path, "r", encoding="utf-8") as fh:
+        plan = json.load(fh)
+    if not plan.get("enabled"):
+        raise RuntimeError("production auto-deploy plan is disabled")
+    try:
+        response = execute_scoped_rollout(plan, token)
+    except RolloutFailed as exc:
+        response = exc.response
+        with open(response_path, "w", encoding="utf-8") as fh:
+            json.dump(response, fh, sort_keys=True)
+            fh.write("\n")
+        raise
+    with open(response_path, "w", encoding="utf-8") as fh:
+        json.dump(response, fh, sort_keys=True)
+        fh.write("\n")
+
+
 def _api_json(url: str, token: str) -> dict:
    req = urllib.request.Request(url, headers={"Authorization": f"token {token}"})
    try:
@@ -231,6 +380,9 @@ def main() -> int:
    sub.add_parser("plan", help="print production deploy plan as JSON")
    sub.add_parser("assert-enabled", help="fail if production deploy is currently disabled")
    sub.add_parser("wait-ci", help="block until required CI context is green")
+    rollout_parser = sub.add_parser("rollout", help="execute canary-first scoped production rollout")
+    rollout_parser.add_argument("--plan", required=True, help="path to prod-auto-deploy plan JSON")
+    rollout_parser.add_argument("--response", required=True, help="path to write aggregate response JSON")
    args = parser.parse_args()

    try:
@@ -243,6 +395,9 @@ def main() -> int:
        if args.command == "wait-ci":
            wait_for_ci_context(dict(os.environ))
            return 0
+        if args.command == "rollout":
+            rollout_from_plan_file(args.plan, args.response, dict(os.environ))
+            return 0
    except Exception as exc:  # noqa: BLE001 - CLI should render operator-friendly errors.
        print(f"::error::{exc}", file=sys.stderr)
        return 1
@@ -153,3 +153,205 @@ def test_default_required_contexts_delegate_path_gating_to_all_required():
        "CI / all-required (push)",
        "Secret scan / Scan diff for credential-shaped strings (push)",
    ]
+
+
+def test_slugs_from_redeploy_response_uses_controlplane_plan_rows():
+    body = {
+        "results": [
+            {"slug": "hongming", "phase": "canary", "ssm_status": "DryRun"},
+            {"slug": "tenant-a", "phase": "batch-1", "ssm_status": "DryRun"},
+            {"slug": "", "phase": "batch-1", "ssm_status": "DryRun"},
+            {"phase": "batch-1", "ssm_status": "DryRun"},
+        ]
+    }
+
+    assert prod.slugs_from_redeploy_response(body) == ["hongming", "tenant-a"]
+
+
+def test_plan_rollout_slugs_asks_controlplane_for_dry_run_plan():
+    calls = []
+
+    def fake_redeploy(_cp_url, _token, body):
+        calls.append(body)
+        return 200, {
+            "ok": True,
+            "results": [
+                {"slug": "hongming", "phase": "canary", "ssm_status": "DryRun"},
+                {"slug": "tenant-a", "phase": "batch-1", "ssm_status": "DryRun"},
+            ],
+        }
+
+    slugs = prod.plan_rollout_slugs(
+        "https://api.moleculesai.app",
+        "secret",
+        {
+            "target_tag": "staging-abcdef1",
+            "canary_slug": "hongming",
+            "soak_seconds": 60,
+            "batch_size": 3,
+            "dry_run": False,
+            "confirm": True,
+        },
+        redeploy=fake_redeploy,
+    )
+
+    assert slugs == ["hongming", "tenant-a"]
+    assert calls == [
+        {
+            "target_tag": "staging-abcdef1",
+            "canary_slug": "hongming",
+            "soak_seconds": 60,
+            "batch_size": 3,
+            "dry_run": True,
+            "confirm": True,
+        }
+    ]
+
+
+def test_scoped_redeploy_body_removes_canary_and_local_soak():
+    base = {
+        "target_tag": "staging-abcdef1",
+        "canary_slug": "hongming",
+        "soak_seconds": 60,
+        "batch_size": 3,
+        "dry_run": False,
+        "confirm": True,
+    }
+
+    scoped = prod.scoped_redeploy_body(base, ["tenant-a", "tenant-b"])
+
+    assert scoped == {
+        "target_tag": "staging-abcdef1",
+        "soak_seconds": 0,
+        "batch_size": 2,
+        "dry_run": False,
+        "confirm": True,
+        "only_slugs": ["tenant-a", "tenant-b"],
+    }
+
+
+def test_plan_scoped_rollout_preserves_canary_then_batches():
+    calls, sleeps = [], []
+
+    def fake_list(_cp_url, _token, _body):
+        return ["tenant-a", "hongming", "tenant-b", "tenant-c"]
+
+    def fake_redeploy(_cp_url, _token, body):
+        calls.append(body)
+        return 200, {
+            "ok": True,
+            "results": [{"slug": slug, "healthz_ok": True} for slug in body["only_slugs"]],
+        }
+
+    aggregate = prod.execute_scoped_rollout(
+        {
+            "cp_url": "https://api.moleculesai.app",
+            "body": {
+                "target_tag": "staging-abcdef1",
+                "canary_slug": "hongming",
+                "soak_seconds": 60,
+                "batch_size": 2,
+                "dry_run": False,
+                "confirm": True,
+            },
+        },
+        token="secret",
+        list_slugs=fake_list,
+        redeploy=fake_redeploy,
+        sleep=sleeps.append,
+    )
+
+    assert [call["only_slugs"] for call in calls] == [
+        ["hongming"],
+        ["tenant-a", "tenant-b"],
+        ["tenant-c"],
+    ]
+    assert sleeps == [60]
+    assert aggregate["ok"] is True
+    assert [result["slug"] for result in aggregate["results"]] == [
+        "hongming",
+        "tenant-a",
+        "tenant-b",
+        "tenant-c",
+    ]
+
+
+def test_scoped_rollout_halts_after_failed_canary():
+    calls = []
+
+    def fake_redeploy(_cp_url, _token, body):
+        calls.append(body)
+        return 200, {"ok": False, "results": [{"slug": body["only_slugs"][0], "error": "bad"}]}
+
+    try:
+        prod.execute_scoped_rollout(
+            {
+                "cp_url": "https://api.moleculesai.app",
+                "body": {
+                    "target_tag": "staging-abcdef1",
+                    "canary_slug": "hongming",
+                    "soak_seconds": 60,
+                    "batch_size": 2,
+                    "dry_run": False,
+                    "confirm": True,
+                },
+            },
+            token="secret",
+            list_slugs=lambda _cp_url, _token, _body: ["hongming", "tenant-a"],
+            redeploy=fake_redeploy,
+            sleep=lambda _seconds: None,
+        )
+    except prod.RolloutFailed as exc:
+        assert "redeploy scoped call failed" in str(exc)
+        assert exc.response["ok"] is False
+        assert exc.response["results"] == [{"slug": "hongming", "error": "bad"}]
+    else:
+        raise AssertionError("expected failed canary to halt rollout")
+
+    assert [call["only_slugs"] for call in calls] == [["hongming"]]
+
+
+def test_rollout_from_plan_file_writes_partial_response_on_failure(tmp_path):
+    plan_path = tmp_path / "plan.json"
+    response_path = tmp_path / "response.json"
+    plan_path.write_text(
+        """
+        {
+          "enabled": true,
+          "cp_url": "https://api.moleculesai.app",
+          "body": {"target_tag": "staging-abcdef1", "confirm": true}
+        }
+        """,
+        encoding="utf-8",
+    )
+
+    original = prod.execute_scoped_rollout
+
+    def fake_execute(_plan, _token):
+        raise prod.RolloutFailed(
+            "redeploy scoped call failed for hongming: HTTP 500, ok=false",
+            {
+                "ok": False,
+                "error": "redeploy scoped call failed for hongming: HTTP 500, ok=false",
+                "results": [{"slug": "hongming", "error": "bad"}],
+            },
+        )
+
+    prod.execute_scoped_rollout = fake_execute
+    try:
+        try:
+            prod.rollout_from_plan_file(
+                str(plan_path),
+                str(response_path),
+                {"CP_ADMIN_API_TOKEN": "secret"},
+            )
+        except prod.RolloutFailed:
+            pass
+        else:
+            raise AssertionError("expected rollout failure")
+    finally:
+        prod.execute_scoped_rollout = original
+
+    assert response_path.read_text(encoding="utf-8").strip()
+    assert '"ok": false' in response_path.read_text(encoding="utf-8")
+    assert '"slug": "hongming"' in response_path.read_text(encoding="utf-8")
@@ -0,0 +1,242 @@
+name: E2E Legacy Advisory
+
+# Advisory lane for older/manual E2E scripts that are too broad or
+# environment-dependent for required PR CI. This intentionally does not run on
+# pull_request or push so it cannot block merges/deploys; scheduled/manual reds
+# still surface drift in scripts that would otherwise only be shellchecked.
+#
+# Gitea 1.22.6 rejects workflow_dispatch.inputs, so keep dispatch input-free.
+
+on:
+  schedule:
+    # Stagger after the staging smoke/canvas morning lanes.
+    - cron: '15 9 * * *'
+  workflow_dispatch:
+
+concurrency:
+  group: e2e-legacy-advisory
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+
+env:
+  GITHUB_SERVER_URL: https://git.moleculesai.app
+
+jobs:
+  legacy-local-platform:
+    name: Legacy local-platform E2E
+    runs-on: docker-host
+    timeout-minutes: 45
+    env:
+      PG_CONTAINER: pg-e2e-legacy-${{ github.run_id }}-${{ github.run_attempt }}
+      REDIS_CONTAINER: redis-e2e-legacy-${{ github.run_id }}-${{ github.run_attempt }}
+      MOLECULE_ENV: development
+      BIND_ADDR: 127.0.0.1
+      MOLECULE_IN_DOCKER: "false"
+      A2A_TIMEOUT: "30"
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version: 'stable'
+          cache: true
+          cache-dependency-path: workspace-server/go.sum
+
+      - name: Prepare local platform dependencies
+        run: |
+          set -euo pipefail
+          docker pull postgres:16 >/dev/null
+          docker pull redis:7 >/dev/null
+          docker pull alpine:latest >/dev/null
+          docker network create molecule-core-net >/dev/null 2>&1 || true
+
+      - name: Start Postgres
+        run: |
+          set -euo pipefail
+          docker rm -f "$PG_CONTAINER" 2>/dev/null || true
+          docker run -d --name "$PG_CONTAINER" \
+            -e POSTGRES_USER=dev -e POSTGRES_PASSWORD=dev -e POSTGRES_DB=molecule \
+            -p 0:5432 postgres:16 >/dev/null
+          PG_PORT=$(docker port "$PG_CONTAINER" 5432/tcp | awk -F: '/^0\.0\.0\.0:/ {print $2; exit}')
+          if [ -z "$PG_PORT" ]; then
+            PG_PORT=$(docker port "$PG_CONTAINER" 5432/tcp | head -1 | awk -F: '{print $NF}')
+          fi
+          if [ -z "$PG_PORT" ]; then
+            echo "::error::Could not resolve host port for $PG_CONTAINER"
+            docker port "$PG_CONTAINER" 5432/tcp || true
+            docker logs "$PG_CONTAINER" || true
+            exit 1
+          fi
+          echo "DATABASE_URL=postgres://dev:dev@127.0.0.1:${PG_PORT}/molecule?sslmode=disable" >> "$GITHUB_ENV"
+          for i in $(seq 1 30); do
+            docker exec "$PG_CONTAINER" pg_isready -U dev >/dev/null 2>&1 && exit 0
+            sleep 1
+          done
+          docker logs "$PG_CONTAINER" || true
+          exit 1
+
+      - name: Start Redis
+        run: |
+          set -euo pipefail
+          docker rm -f "$REDIS_CONTAINER" 2>/dev/null || true
+          docker run -d --name "$REDIS_CONTAINER" -p 0:6379 redis:7 >/dev/null
+          REDIS_PORT=$(docker port "$REDIS_CONTAINER" 6379/tcp | awk -F: '/^0\.0\.0\.0:/ {print $2; exit}')
+          if [ -z "$REDIS_PORT" ]; then
+            REDIS_PORT=$(docker port "$REDIS_CONTAINER" 6379/tcp | head -1 | awk -F: '{print $NF}')
+          fi
+          if [ -z "$REDIS_PORT" ]; then
+            echo "::error::Could not resolve host port for $REDIS_CONTAINER"
+            docker port "$REDIS_CONTAINER" 6379/tcp || true
+            docker logs "$REDIS_CONTAINER" || true
+            exit 1
+          fi
+          echo "REDIS_URL=redis://127.0.0.1:${REDIS_PORT}" >> "$GITHUB_ENV"
+          for i in $(seq 1 15); do
+            docker exec "$REDIS_CONTAINER" redis-cli ping 2>/dev/null | grep -q PONG && exit 0
+            sleep 1
+          done
+          docker logs "$REDIS_CONTAINER" || true
+          exit 1
+
+      - name: Pick platform port
+        run: |
+          set -euo pipefail
+          PLATFORM_PORT=$(python3 - <<'PY'
+          import socket
+          with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
+              s.bind(("127.0.0.1", 0))
+              print(s.getsockname()[1])
+          PY
+          )
+          echo "PORT=${PLATFORM_PORT}" >> "$GITHUB_ENV"
+          echo "BASE=http://127.0.0.1:${PLATFORM_PORT}" >> "$GITHUB_ENV"
+
+      - name: Build platform
+        working-directory: workspace-server
+        run: go build -o platform-server ./cmd/server
+
+      - name: Populate template manifests for dev-mode E2E
+        run: |
+          set -euo pipefail
+          if command -v jq >/dev/null 2>&1; then
+            bash scripts/clone-manifest.sh manifest.json workspace-configs-templates org-templates plugins
+          else
+            echo "::warning::jq unavailable; dev-mode template assertion may fail if templates are absent"
+          fi
+
+      - name: Start platform
+        run: |
+          set -euo pipefail
+          ./workspace-server/platform-server > workspace-server/platform.log 2>&1 &
+          echo $! > workspace-server/platform.pid
+          for i in $(seq 1 30); do
+            curl -sf "$BASE/health" >/dev/null && exit 0
+            sleep 1
+          done
+          cat workspace-server/platform.log || true
+          exit 1
+
+      - name: Run comprehensive E2E
+        run: bash tests/e2e/test_comprehensive_e2e.sh
+
+      - name: Run workspace abilities E2E
+        run: bash tests/e2e/test_workspace_abilities_e2e.sh
+
+      - name: Run dev-mode E2E
+        run: bash tests/e2e/test_dev_mode.sh
+
+      - name: Start stub A2A agents
+        run: |
+          set -euo pipefail
+          cat > /tmp/molecule-stub-a2a.py <<'PY'
+          import json
+          from http.server import BaseHTTPRequestHandler, HTTPServer
+
+          class Handler(BaseHTTPRequestHandler):
+              def do_POST(self):
+                  length = int(self.headers.get("content-length", "0"))
+                  raw = self.rfile.read(length) if length else b"{}"
+                  try:
+                      req = json.loads(raw)
+                  except Exception:
+                      req = {}
+                  method = req.get("method")
+                  if method not in ("message/send", None):
+                      body = {"jsonrpc": "2.0", "id": req.get("id"), "error": {"code": -32601, "message": "method not found"}}
+                  else:
+                      body = {
+                          "jsonrpc": "2.0",
+                          "id": req.get("id", "stub"),
+                          "result": {
+                              "role": "agent",
+                              "parts": [{"kind": "text", "type": "text", "text": "stub agent response"}],
+                          },
+                      }
+                  data = json.dumps(body, separators=(",", ":")).encode()
+                  self.send_response(200)
+                  self.send_header("content-type", "application/json")
+                  self.send_header("content-length", str(len(data)))
+                  self.end_headers()
+                  self.wfile.write(data)
+              def log_message(self, *_):
+                  return
+
+          HTTPServer(("127.0.0.1", 18080), Handler).serve_forever()
+          PY
+          python3 /tmp/molecule-stub-a2a.py > /tmp/molecule-stub-a2a.log 2>&1 &
+          echo $! > /tmp/molecule-stub-a2a.pid
+
+      - name: Seed external agents for legacy A2A/activity scripts
+        run: |
+          set -euo pipefail
+          create_agent() {
+            local name="$1" role="$2"
+            curl -sS -X POST "$BASE/workspaces" \
+              -H "Content-Type: application/json" \
+              -d "{\"name\":\"${name}\",\"role\":\"${role}\",\"tier\":1,\"runtime\":\"external\",\"external\":true,\"url\":\"http://127.0.0.1:18080\"}" \
+              | python3 -c "import json,sys; print(json.load(sys.stdin)['id'])"
+          }
+          ECHO_ID=$(create_agent "Echo Agent" "Echo")
+          SEO_ID=$(create_agent "SEO Agent" "SEO")
+          curl -sS -X POST "$BASE/registry/register" -H "Content-Type: application/json" \
+            -d "{\"id\":\"$ECHO_ID\",\"url\":\"http://127.0.0.1:18080\",\"agent_card\":{\"name\":\"Echo Agent\",\"skills\":[{\"id\":\"echo\",\"name\":\"Echo\"}]}}" >/dev/null
+          curl -sS -X POST "$BASE/registry/register" -H "Content-Type: application/json" \
+            -d "{\"id\":\"$SEO_ID\",\"url\":\"http://127.0.0.1:18080\",\"agent_card\":{\"name\":\"SEO Agent\",\"skills\":[{\"id\":\"seo\",\"name\":\"SEO\"}]}}" >/dev/null
+
+      - name: Run activity E2E
+        run: bash tests/e2e/test_activity_e2e.sh
+
+      - name: Run A2A E2E
+        run: bash tests/e2e/test_a2a_e2e.sh
+
+      - name: Runtime-dependent legacy E2E preflight
+        run: |
+          set -euo pipefail
+          if [ -f workspace-configs-templates/claude-code-default/.auth-token ] && docker image inspect workspace:latest >/dev/null 2>&1; then
+            bash tests/e2e/test_claude_code_e2e.sh
+            bash tests/e2e/test_chat_upload_e2e.sh
+          else
+            echo "::notice::Skipping test_claude_code_e2e.sh and test_chat_upload_e2e.sh: require workspace:latest plus workspace-configs-templates/claude-code-default/.auth-token"
+          fi
+
+      - name: Dump platform log on failure
+        if: failure()
+        run: cat workspace-server/platform.log || true
+
+      - name: Stop platform and stub agents
+        if: always()
+        run: |
+          if [ -f workspace-server/platform.pid ]; then
+            kill "$(cat workspace-server/platform.pid)" 2>/dev/null || true
+          fi
+          if [ -f /tmp/molecule-stub-a2a.pid ]; then
+            kill "$(cat /tmp/molecule-stub-a2a.pid)" 2>/dev/null || true
+          fi
+
+      - name: Stop service containers
+        if: always()
+        run: |
+          docker rm -f "$PG_CONTAINER" 2>/dev/null || true
+          docker rm -f "$REDIS_CONTAINER" 2>/dev/null || true
@@ -303,26 +303,19 @@ jobs:
          python3 .gitea/scripts/prod-auto-deploy.py assert-enabled
          PLAN="$RUNNER_TEMP/prod-auto-deploy-plan.json"
          TARGET_TAG="$(jq -r '.target_tag' "$PLAN")"
-          BODY="$(jq -c '.body' "$PLAN")"
-
-          echo "POST $CP_URL/cp/admin/tenants/redeploy-fleet"
-          echo "  target_tag: $TARGET_TAG"
-          echo "  body: $BODY"

          HTTP_RESPONSE="$RUNNER_TEMP/prod-redeploy-response.json"
-          HTTP_CODE_FILE="$RUNNER_TEMP/prod-redeploy-http-code.txt"
          set +e
-          curl -sS -o "$HTTP_RESPONSE" -w '%{http_code}' \
-            -m 1200 \
-            -H "Authorization: Bearer $CP_ADMIN_API_TOKEN" \
-            -H "Content-Type: application/json" \
-            -X POST "$CP_URL/cp/admin/tenants/redeploy-fleet" \
-            -d "$BODY" > "$HTTP_CODE_FILE"
+          python3 .gitea/scripts/prod-auto-deploy.py rollout \
+            --plan "$PLAN" \
+            --response "$HTTP_RESPONSE"
+          ROLLOUT_EXIT=$?
          set -e

-          HTTP_CODE="$(cat "$HTTP_CODE_FILE" 2>/dev/null || echo "000")"
-          [ -z "$HTTP_CODE" ] && HTTP_CODE="000"
-          echo "HTTP $HTTP_CODE"
+          if [ ! -s "$HTTP_RESPONSE" ]; then
+            jq -nc --arg error "rollout command exited $ROLLOUT_EXIT before writing a response" \
+              '{ok:false, results:[], error:$error}' > "$HTTP_RESPONSE"
+          fi
          jq '{ok, result_count: (.results // [] | length)}' "$HTTP_RESPONSE" || true

          {
@@ -330,7 +323,6 @@ jobs:
            echo ""
            echo "**Commit:** \`${GITHUB_SHA:0:7}\`"
            echo "**Target tag:** \`$TARGET_TAG\`"
-            echo "**HTTP:** $HTTP_CODE"
            echo ""
            echo "### Per-tenant result"
            echo ""
@@ -339,15 +331,15 @@ jobs:
            jq -r '.results[]? | "| \(.slug) | \(.phase) | \(.ssm_status // "-") | \(.ssm_exit_code) | \(.healthz_ok) | \((.error // "") != "") |"' "$HTTP_RESPONSE" || true
          } >> "$GITHUB_STEP_SUMMARY"

-          if [ "$HTTP_CODE" != "200" ]; then
-            echo "::error::redeploy-fleet returned HTTP $HTTP_CODE"
-            exit 1
-          fi
          OK="$(jq -r '.ok' "$HTTP_RESPONSE")"
          if [ "$OK" != "true" ]; then
            echo "::error::redeploy-fleet reported ok=false; production rollout halted."
            exit 1
          fi
+          if [ "$ROLLOUT_EXIT" -ne 0 ]; then
+            echo "::error::redeploy-fleet rollout failed with exit code $ROLLOUT_EXIT."
+            exit "$ROLLOUT_EXIT"
+          fi

      - name: Verify reachable tenants report this SHA
        if: ${{ steps.plan.outputs.enabled == 'true' }}
@@ -41,6 +41,12 @@ describe("buildCsp — production", () => {
    expect(csp).toContain("object-src 'none'");
  });

+  it("allows blob: in frame-src for authenticated PDF previews", () => {
+    const frameSrc = csp.match(/frame-src[^;]*/)?.[0] ?? "";
+    expect(frameSrc).toContain("'self'");
+    expect(frameSrc).toContain("blob:");
+  });
+
  it("locks base-uri to 'self' (prevents base-tag injection)", () => {
    expect(csp).toContain("base-uri 'self'");
  });
@@ -4,7 +4,7 @@ import { useState, useEffect, useCallback } from "react";
 import { api } from "@/lib/api";
 import { useCanvasStore } from "@/store/canvas";
 import { OrgTemplatesSection } from "./TemplatePalette";
-import { type Template } from "@/lib/deploy-preflight";
+import { isUserVisibleWorkspaceTemplate, type Template } from "@/lib/deploy-preflight";
 import { useTemplateDeploy } from "@/hooks/useTemplateDeploy";
 import { Spinner } from "./Spinner";
 import { TIER_CONFIG } from "@/lib/design-tokens";
@@ -18,7 +18,7 @@ export function EmptyState() {
  useEffect(() => {
    api
      .get<Template[]>("/templates")
-      .then((t) => setTemplates(t))
+      .then((t) => setTemplates(t.filter(isUserVisibleWorkspaceTemplate)))
      .catch(() => setTemplates([]))
      .finally(() => setLoading(false));
  }, []);
@@ -23,6 +23,8 @@ interface Props {
  /** Grouped provider options derived from the template's models[] /
   *  required_env. When length ≥ 2 the modal shows a radio picker. */
  providers?: ProviderChoice[];
+  /** Optional keys to offer in the deploy modal without blocking Deploy. */
+  optionalKeys?: string[];
  /** Runtime slug — used only for the "The <runtime> runtime …"
   *  headline; behavior is driven by providers/missingKeys. */
  runtime: string;
@@ -94,13 +96,13 @@ export function MissingKeysModal({
  open,
  missingKeys,
  providers,
+  optionalKeys,
  runtime,
  onKeysAdded,
  onCancel,
  onOpenSettings,
  workspaceId,
  configuredKeys,
-  modelSuggestions,
  models,
  initialModel,
  title,
@@ -114,13 +116,13 @@ export function MissingKeysModal({
      <ProviderPickerModal
        open={open}
        providers={pickerProviders}
+        optionalKeys={optionalKeys ?? []}
        runtime={runtime}
        onKeysAdded={onKeysAdded}
        onCancel={onCancel}
        onOpenSettings={onOpenSettings}
        workspaceId={workspaceId}
        configuredKeys={configuredKeys}
-        modelSuggestions={modelSuggestions}
        models={models}
        initialModel={initialModel}
        title={title}
@@ -138,11 +140,15 @@ export function MissingKeysModal({
    <AllKeysModal
      open={open}
      missingKeys={keys}
+      optionalKeys={optionalKeys ?? []}
      runtime={runtime}
      onKeysAdded={onKeysAdded}
      onCancel={onCancel}
      onOpenSettings={onOpenSettings}
      workspaceId={workspaceId}
+      configuredKeys={configuredKeys}
+      title={title}
+      description={description}
    />
  );
 }
@@ -170,13 +176,13 @@ export function providerIdForModel(
 function ProviderPickerModal({
  open,
  providers,
+  optionalKeys,
  runtime,
  onKeysAdded,
  onCancel,
  onOpenSettings,
  workspaceId,
  configuredKeys,
-  modelSuggestions,
  models,
  initialModel,
  title,
@@ -184,13 +190,13 @@ function ProviderPickerModal({
 }: {
  open: boolean;
  providers: ProviderChoice[];
+  optionalKeys: string[];
  runtime: string;
  onKeysAdded: (model?: string) => void;
  onCancel: () => void;
  onOpenSettings?: () => void;
  workspaceId?: string;
  configuredKeys?: Set<string>;
-  modelSuggestions?: string[];
  models?: ModelSpec[];
  initialModel?: string;
  title?: string;
@@ -250,16 +256,9 @@ function ProviderPickerModal({

  const [selectorValue, setSelectorValue] = useState<SelectorValue>(initial);
  const [entries, setEntries] = useState<KeyEntry[]>([]);
+  const [optionalEntries, setOptionalEntries] = useState<KeyEntry[]>([]);
  const firstInputRef = useRef<HTMLInputElement>(null);

-  // Legacy compat: map the selector value back into the old `selected`/
-  // `model` shape for the rest of the modal body (footer copy, etc.).
-  const selected = useMemo(
-    () =>
-      providers.find((p) => p.id === selectorValue.providerId) ??
-      providers[0],
-    [providers, selectorValue.providerId],
-  );
  const model = selectorValue.model;
  const showModelInput = catalog.length > 0;

@@ -282,7 +281,18 @@ function ProviderPickerModal({
        error: null,
      })),
    );
-  }, [open, selectorValue.envVars, configuredKeys]);
+    setOptionalEntries(
+      optionalKeys
+        .filter((key) => !selectorValue.envVars.includes(key))
+        .map((key) => ({
+          key,
+          value: "",
+          saved: configuredKeys?.has(key) ?? false,
+          saving: false,
+          error: null,
+        })),
+    );
+  }, [open, selectorValue.envVars, configuredKeys, optionalKeys]);

  useEffect(() => {
    if (!open) return;
@@ -336,6 +346,43 @@ function ProviderPickerModal({
    [entries, updateEntry, workspaceId],
  );

+  const updateOptionalEntry = useCallback(
+    (index: number, updates: Partial<KeyEntry>) => {
+      setOptionalEntries((prev) =>
+        prev.map((e, i) => (i === index ? { ...e, ...updates } : e)),
+      );
+    },
+    [],
+  );
+
+  const handleSaveOptionalKey = useCallback(
+    async (index: number) => {
+      const entry = optionalEntries[index];
+      if (!entry.value.trim()) return;
+      updateOptionalEntry(index, { saving: true, error: null });
+      try {
+        if (workspaceId) {
+          await api.put(`/workspaces/${workspaceId}/secrets`, {
+            key: entry.key,
+            value: entry.value.trim(),
+          });
+        } else {
+          await api.put("/settings/secrets", {
+            key: entry.key,
+            value: entry.value.trim(),
+          });
+        }
+        updateOptionalEntry(index, { saved: true, saving: false });
+      } catch (e) {
+        updateOptionalEntry(index, {
+          saving: false,
+          error: e instanceof Error ? e.message : "Failed to save",
+        });
+      }
+    },
+    [optionalEntries, updateOptionalEntry, workspaceId],
+  );
+
  if (!open) return null;
  // Portal to document.body for the same reason as
  // OrgImportPreflightModal — several callers (TemplatePalette,
@@ -465,6 +512,62 @@ function ProviderPickerModal({
              </div>
            ))}
          </div>
+
+          {optionalEntries.length > 0 && (
+            <div className="space-y-2">
+              <div className="text-[10px] uppercase tracking-wide text-ink-mid font-semibold">
+                Optional
+              </div>
+              {optionalEntries.map((entry, index) => (
+                <div
+                  key={entry.key}
+                  className="bg-surface-card/30 rounded-lg px-3 py-2.5 border border-line/40"
+                >
+                  <div className="flex items-center justify-between mb-1.5">
+                    <div>
+                      <div className="text-[11px] text-ink-mid font-medium">
+                        {getKeyLabel(entry.key)}
+                      </div>
+                      <div className="text-[9px] font-mono text-ink-mid">{entry.key}</div>
+                    </div>
+                    {entry.saved && (
+                      <span className="text-[9px] text-good bg-emerald-900/30 px-1.5 py-0.5 rounded flex items-center gap-1">
+                        Saved
+                      </span>
+                    )}
+                  </div>
+                  {!entry.saved && (
+                    <div className="flex gap-2 mt-2">
+                      <input
+                        value={entry.value}
+                        onChange={(e) => updateOptionalEntry(index, { value: e.target.value.trimStart() })}
+                        placeholder={entry.key.includes("API_KEY") ? "sk-..." : "Enter value"}
+                        type="password"
+                        aria-label={`Optional value for ${entry.key}`}
+                        onKeyDown={(e) => {
+                          if (e.key === "Enter" && entry.value.trim()) {
+                            handleSaveOptionalKey(index);
+                          }
+                        }}
+                        className="flex-1 bg-surface-sunken border border-line rounded px-2 py-1.5 text-[11px] text-ink font-mono focus:outline-none focus:border-accent focus:ring-1 focus:ring-accent/20 transition-colors"
+                      />
+                      <button
+                        type="button"
+                        onClick={() => handleSaveOptionalKey(index)}
+                        disabled={!entry.value.trim() || entry.saving}
+                        className="px-3 py-1.5 bg-surface-card hover:bg-surface-card/80 text-[11px] rounded text-ink border border-line disabled:opacity-30 transition-colors shrink-0 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
+                      >
+                        {entry.saving ? "..." : "Save"}
+                      </button>
+                    </div>
+                  )}
+                  {entry.error && (
+                    <div role="alert" aria-live="assertive" className="mt-1.5 text-[10px] text-bad">{entry.error}</div>
+                  )}
+                </div>
+              ))}
+            </div>
+          )}
        </div>

        <div className="px-5 py-3 border-t border-line bg-surface/50 flex items-center justify-between gap-2">
@@ -512,21 +615,30 @@ function ProviderPickerModal({
 function AllKeysModal({
  open,
  missingKeys,
+  optionalKeys,
  runtime,
  onKeysAdded,
  onCancel,
  onOpenSettings,
  workspaceId,
+  configuredKeys,
+  title,
+  description,
 }: {
  open: boolean;
  missingKeys: string[];
+  optionalKeys: string[];
  runtime: string;
  onKeysAdded: () => void;
  onCancel: () => void;
  onOpenSettings?: () => void;
  workspaceId?: string;
+  configuredKeys?: Set<string>;
+  title?: string;
+  description?: string;
 }) {
  const [entries, setEntries] = useState<KeyEntry[]>([]);
+  const [optionalEntries, setOptionalEntries] = useState<KeyEntry[]>([]);
  const [globalError, setGlobalError] = useState<string | null>(null);

  useEffect(() => {
@@ -535,13 +647,24 @@ function AllKeysModal({
      missingKeys.map((key) => ({
        key,
        value: "",
-        saved: false,
+        saved: configuredKeys?.has(key) ?? false,
        saving: false,
        error: null,
      })),
    );
+    setOptionalEntries(
+      optionalKeys
+        .filter((key) => !missingKeys.includes(key))
+        .map((key) => ({
+          key,
+          value: "",
+          saved: configuredKeys?.has(key) ?? false,
+          saving: false,
+          error: null,
+        })),
+    );
    setGlobalError(null);
-  }, [open, missingKeys]);
+  }, [open, missingKeys, optionalKeys, configuredKeys]);

  useEffect(() => {
    if (!open) return;
@@ -591,6 +714,45 @@ function AllKeysModal({
    [entries, updateEntry, workspaceId],
  );

+  const updateOptionalEntry = useCallback(
+    (index: number, updates: Partial<KeyEntry>) => {
+      setOptionalEntries((prev) =>
+        prev.map((entry, i) => (i === index ? { ...entry, ...updates } : entry)),
+      );
+    },
+    [],
+  );
+
+  const handleSaveOptionalKey = useCallback(
+    async (index: number) => {
+      const entry = optionalEntries[index];
+      if (!entry.value.trim()) return;
+
+      updateOptionalEntry(index, { saving: true, error: null });
+
+      try {
+        if (workspaceId) {
+          await api.put(`/workspaces/${workspaceId}/secrets`, {
+            key: entry.key,
+            value: entry.value.trim(),
+          });
+        } else {
+          await api.put("/settings/secrets", {
+            key: entry.key,
+            value: entry.value.trim(),
+          });
+        }
+        updateOptionalEntry(index, { saved: true, saving: false });
+      } catch (e) {
+        updateOptionalEntry(index, {
+          saving: false,
+          error: e instanceof Error ? e.message : "Failed to save",
+        });
+      }
+    },
+    [optionalEntries, updateOptionalEntry, workspaceId],
+  );
+
  const handleAddKeysAndDeploy = useCallback(() => {
    const anySaving = entries.some((e) => e.saving);
    if (anySaving) {
@@ -656,12 +818,16 @@ function AllKeysModal({
              </svg>
            </div>
            <h3 id="missing-keys-title" className="text-sm font-semibold text-ink">
-              Missing API Keys
+              {title ?? "Missing API Keys"}
            </h3>
          </div>
          <p className="text-[12px] text-ink-mid leading-relaxed">
-            The <span className="text-warm font-medium">{runtimeLabel}</span>{" "}
-            runtime requires the following keys to be configured before deploying.
+            {description ?? (
+              <>
+                The <span className="text-warm font-medium">{runtimeLabel}</span>{" "}
+                runtime requires the following keys to be configured before deploying.
+              </>
+            )}
          </p>
        </div>

@@ -719,6 +885,62 @@ function AllKeysModal({
            </div>
          ))}

+          {optionalEntries.length > 0 && (
+            <div className="space-y-2">
+              <div className="text-[10px] uppercase tracking-wide text-ink-mid font-semibold">
+                Optional
+              </div>
+              {optionalEntries.map((entry, index) => (
+                <div
+                  key={entry.key}
+                  className="bg-surface-card/30 rounded-lg px-3 py-2.5 border border-line/40"
+                >
+                  <div className="flex items-center justify-between mb-1">
+                    <div>
+                      <div className="text-[11px] text-ink-mid font-medium">
+                        {getKeyLabel(entry.key)}
+                      </div>
+                      <div className="text-[9px] font-mono text-ink-mid">{entry.key}</div>
+                    </div>
+                    {entry.saved && (
+                      <span className="text-[9px] text-good bg-emerald-900/30 px-1.5 py-0.5 rounded">
+                        Saved
+                      </span>
+                    )}
+                  </div>
+
+                  {!entry.saved && (
+                    <div className="flex gap-2 mt-2">
+                      <input
+                        value={entry.value}
+                        onChange={(e) => updateOptionalEntry(index, { value: e.target.value.trimStart() })}
+                        placeholder={entry.key.includes("API_KEY") ? "sk-..." : "Enter value"}
+                        type="password"
+                        aria-label={`Optional value for ${entry.key}`}
+                        onKeyDown={(e) => {
+                          if (e.key === "Enter" && entry.value.trim()) {
+                            handleSaveOptionalKey(index);
+                          }
+                        }}
+                        className="flex-1 bg-surface-sunken border border-line rounded px-2 py-1.5 text-[11px] text-ink font-mono focus:outline-none focus:border-accent focus:ring-1 focus:ring-accent/20 transition-colors"
+                      />
+                      <button
+                        type="button"
+                        onClick={() => handleSaveOptionalKey(index)}
+                        disabled={!entry.value.trim() || entry.saving}
+                        className="px-3 py-1.5 bg-surface-card hover:bg-surface-card/80 text-[11px] rounded text-ink border border-line disabled:opacity-30 transition-colors shrink-0 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
+                      >
+                        {entry.saving ? "..." : "Save"}
+                      </button>
+                    </div>
+                  )}
+
+                  {entry.error && <div className="mt-1.5 text-[10px] text-bad">{entry.error}</div>}
+                </div>
+              ))}
+            </div>
+          )}
+
          {globalError && (
            <div role="alert" aria-live="assertive" className="px-3 py-2 bg-red-950/40 border border-red-800/50 rounded-lg text-[11px] text-bad">
              {globalError}
@@ -28,6 +28,7 @@ import { useId, useMemo } from "react";
 export interface SelectorModel {
  id: string;
  name?: string;
+  provider?: string;
  required_env?: string[];
 }

@@ -88,6 +89,7 @@ interface Props {
 /** Vendor keys → human label. Add new vendors here when templates pick
 *  up new model families. */
 const VENDOR_LABELS: Record<string, string> = {
+  "platform": "Platform",
  "anthropic-oauth": "Claude Code subscription",
  anthropic: "Anthropic API",
  minimax: "MiniMax",
@@ -118,6 +120,8 @@ const VENDOR_LABELS: Record<string, string> = {

 /** Optional per-vendor tooltip shown on hover. */
 const VENDOR_TOOLTIPS: Record<string, string> = {
+  "platform":
+    "Use the Molecule platform-managed LLM proxy. No vendor API key is required.",
  "anthropic-oauth":
    "Use your Claude.ai (Pro/Max/Team) subscription via OAuth. Run `claude login` in the workspace terminal to mint the token, then paste it here. No API spend.",
  anthropic:
@@ -165,6 +169,9 @@ const BARE_VENDOR_PATTERNS: Array<{ test: (id: string) => boolean; vendor: strin
 /** Infer a vendor key from a model spec. Combines id-prefix and env
 *  signals. Exported for tests. */
 export function inferVendor(model: SelectorModel): string {
+  const explicitProvider = model.provider?.trim().toLowerCase();
+  if (explicitProvider) return explicitProvider;
+
  const id = model.id || "";
  const envSet = new Set(model.required_env ?? []);

@@ -5,7 +5,7 @@ import { flushSync } from "react-dom";
 import { api } from "@/lib/api";
 import { useCanvasStore } from "@/store/canvas";
 import type { WorkspaceData } from "@/store/socket";
-import { type Template } from "@/lib/deploy-preflight";
+import { isUserVisibleWorkspaceTemplate, type Template } from "@/lib/deploy-preflight";
 import { useTemplateDeploy } from "@/hooks/useTemplateDeploy";
 import {
  OrgImportPreflightModal,
@@ -446,7 +446,7 @@ export function TemplatePalette() {
    setLoading(true);
    try {
      const data = await api.get<Template[]>("/templates");
-      setTemplates(data);
+      setTemplates(data.filter(isUserVisibleWorkspaceTemplate));
    } catch {
      setTemplates([]);
    } finally {
@@ -96,12 +96,12 @@ vi.mock("@/lib/design-tokens", () => ({
 // ─── Fixtures ─────────────────────────────────────────────────────────────────

 const TEMPLATE = {
-  id: "tpl-1",
-  name: "Claude Code Agent",
-  description: "A general-purpose coding assistant",
+  id: "seo-agent",
+  name: "SEO Agent",
+  description: "SEO workspace template",
  tier: 2,
  skill_count: 3,
-  model: "claude-opus-4-5",
+  model: "MiniMax-M2.7",
 };

 function template(overrides: Partial<typeof TEMPLATE> = {}): typeof TEMPLATE {
@@ -159,7 +159,7 @@ describe("EmptyState — loading", () => {
  it("does not render template buttons while loading", async () => {
    renderEmpty();
    await flush();
-    expect(screen.queryByText("Claude Code Agent")).toBeNull();
+    expect(screen.queryByText("SEO Agent")).toBeNull();
  });
 });

@@ -183,8 +183,8 @@ describe("EmptyState — templates", () => {
  it("renders template buttons with name and description", async () => {
    renderEmpty();
    await flush();
-    expect(screen.getByText("Claude Code Agent")).toBeTruthy();
-    expect(screen.getByText("A general-purpose coding assistant")).toBeTruthy();
+    expect(screen.getByText("SEO Agent")).toBeTruthy();
+    expect(screen.getByText("SEO workspace template")).toBeTruthy();
  });

  it("renders tier badge and skill count", async () => {
@@ -198,25 +198,42 @@ describe("EmptyState — templates", () => {
  it("renders model name when present", async () => {
    renderEmpty();
    await flush();
-    expect(screen.getByText(/claude-opus/i)).toBeTruthy();
+    expect(screen.getByText(/MiniMax-M2.7/i)).toBeTruthy();
  });

  it("calls deploy with the template on click", async () => {
    renderEmpty();
    await flush();
-    fireEvent.click(screen.getByText("Claude Code Agent"));
+    fireEvent.click(screen.getByText("SEO Agent"));
    expect(_deploy.deployFn).toHaveBeenCalledWith(template());
  });

+  it("hides runtime-default templates from the product template grid", async () => {
+    mockApiGet.mockResolvedValue([
+      template({ id: "claude-code-default", name: "Claude Code Agent" }),
+      template({ id: "codex", name: "OpenAI Codex CLI" }),
+      template({ id: "hermes", name: "Hermes Agent" }),
+      template({ id: "openclaw", name: "OpenClaw Agent" }),
+      template(),
+    ]);
+    renderEmpty();
+    await flush();
+    expect(screen.getByText("SEO Agent")).toBeTruthy();
+    expect(screen.queryByText("Claude Code Agent")).toBeNull();
+    expect(screen.queryByText("OpenAI Codex CLI")).toBeNull();
+    expect(screen.queryByText("Hermes Agent")).toBeNull();
+    expect(screen.queryByText("OpenClaw Agent")).toBeNull();
+  });
+
  it("shows 'Deploying...' on the button of the template being deployed", async () => {
-    _deploy.deploying = "tpl-1";
+    _deploy.deploying = "seo-agent";
    renderEmpty();
    await flush();
    expect(screen.getByText("Deploying...")).toBeTruthy();
  });

  it("disables the template button of the deploying template", async () => {
-    _deploy.deploying = "tpl-1";
+    _deploy.deploying = "seo-agent";
    renderEmpty();
    await flush();
    const btn = screen.getByText("Deploying...").closest("button") as HTMLButtonElement;
@@ -224,7 +241,7 @@ describe("EmptyState — templates", () => {
  });

  it("disables 'create blank' while a template is deploying", async () => {
-    _deploy.deploying = "tpl-1";
+    _deploy.deploying = "seo-agent";
    renderEmpty();
    await flush();
    expect(screen.getByRole("button", { name: "+ Create blank workspace" }).disabled).toBe(true);
@@ -245,7 +262,7 @@ describe("EmptyState — fetch failure / empty templates", () => {
  it("does not render template grid when GET /templates returns []", async () => {
    renderEmpty();
    await flush();
-    expect(screen.queryByText("Claude Code Agent")).toBeNull();
+    expect(screen.queryByText("SEO Agent")).toBeNull();
  });

  it("renders 'create blank' button when templates list is empty", async () => {
@@ -258,7 +275,7 @@ describe("EmptyState — fetch failure / empty templates", () => {
    mockApiGet.mockReset().mockRejectedValue(new Error("Network failure"));
    renderEmpty();
    await flush();
-    expect(screen.queryByText("Claude Code Agent")).toBeNull();
+    expect(screen.queryByText("SEO Agent")).toBeNull();
  });
 });

@@ -316,7 +333,7 @@ describe("EmptyState — create blank", () => {
    await flush();
    fireEvent.click(screen.getByRole("button", { name: "+ Create blank workspace" }));
    await act(async () => { await Promise.resolve(); });
-    expect((screen.getByText("Claude Code Agent").closest("button") as HTMLButtonElement).disabled).toBe(true);
+    expect((screen.getByText("SEO Agent").closest("button") as HTMLButtonElement).disabled).toBe(true);
  });

  it("shows error banner when POST /workspaces fails", async () => {
@@ -402,6 +402,31 @@ describe("MissingKeysModal — add keys and deploy", () => {
    expect(onKeysAdded).toHaveBeenCalled();
  });

+  it("shows optional keys without blocking deploy", () => {
+    const onKeysAdded = vi.fn();
+    render(
+      <MissingKeysModal
+        open={true}
+        missingKeys={[]}
+        optionalKeys={["GOOGLE_GSC_SITE"]}
+        runtime="claude-code"
+        title="Configure Workspace"
+        onKeysAdded={onKeysAdded}
+        onCancel={vi.fn()}
+      />
+    );
+
+    expect(screen.getByText("Optional")).toBeTruthy();
+    expect(screen.getAllByText("GOOGLE_GSC_SITE").length).toBeGreaterThan(0);
+    const deployBtn = Array.from(document.querySelectorAll("button")).find(
+      (b) => b.textContent?.trim() === "Deploy",
+    );
+    expect(deployBtn).toBeTruthy();
+    expect(deployBtn!.disabled).toBe(false);
+    act(() => { fireEvent.click(deployBtn!); });
+    expect(onKeysAdded).toHaveBeenCalled();
+  });
+
  it("shows global error when not all keys saved", async () => {
    const onKeysAdded = vi.fn();
    render(
@@ -529,4 +554,4 @@ describe("MissingKeysModal — cancel and settings", () => {
    );
    expect(screen.queryByRole("button", { name: /open settings/i })).toBeNull();
  });
-});
+});
@@ -44,6 +44,14 @@ const HERMES_MODELS: SelectorModel[] = [
 ];

 describe("inferVendor", () => {
+  it("uses explicit provider metadata before slug heuristics", () => {
+    expect(inferVendor({
+      id: "moonshot/kimi-k2.6",
+      provider: "platform",
+      required_env: [],
+    })).toBe("platform");
+  });
+
  it("uses slash prefix when present", () => {
    expect(inferVendor({ id: "nousresearch/hermes-4-70b", required_env: ["HERMES_API_KEY"] }))
      .toBe("nousresearch");
@@ -105,6 +113,22 @@ describe("buildProviderCatalog", () => {
    expect(oauth!.models.map((m) => m.id).sort()).toEqual(["haiku", "opus", "sonnet"]);
  });

+  it("labels explicit platform-managed providers", () => {
+    const catalog = buildProviderCatalog([
+      {
+        id: "moonshot/kimi-k2.6",
+        name: "Kimi K2.6",
+        provider: "platform",
+        required_env: [],
+      },
+    ]);
+    expect(catalog[0]).toMatchObject({
+      vendor: "platform",
+      label: "Platform",
+      envVars: [],
+    });
+  });
+
  it("flags wildcard providers", () => {
    const catalog = buildProviderCatalog(HERMES_MODELS);
    const hf = catalog.find((p) => p.vendor === "huggingface");
@@ -189,6 +189,23 @@ describe("TemplatePalette — sidebar", () => {
    expect(screen.getByText("Researcher")).toBeTruthy();
  });

+  it("hides runtime-default templates from the deployable product template list", async () => {
+    mockGet.mockResolvedValue([
+      { id: "claude-code-default", name: "Claude Code Agent", description: "", tier: 4, skills: [] },
+      { id: "codex", name: "OpenAI Codex CLI", description: "", tier: 4, skills: [] },
+      { id: "hermes", name: "Hermes Agent", description: "", tier: 4, skills: [] },
+      { id: "openclaw", name: "OpenClaw Agent", description: "", tier: 4, skills: [] },
+      { id: "seo-agent", name: "SEO Agent", description: "SEO workspace template", tier: 4, skills: ["seo"] },
+    ]);
+    render(<TemplatePalette />);
+    await openSidebar();
+    expect(screen.getByText("SEO Agent")).toBeTruthy();
+    expect(screen.queryByText("Claude Code Agent")).toBeNull();
+    expect(screen.queryByText("OpenAI Codex CLI")).toBeNull();
+    expect(screen.queryByText("Hermes Agent")).toBeNull();
+    expect(screen.queryByText("OpenClaw Agent")).toBeNull();
+  });
+
  it("shows template description", async () => {
    mockGet.mockResolvedValue(MOCK_TEMPLATES);
    render(<TemplatePalette />);
@@ -166,11 +166,12 @@ export function AttachmentImage({ workspaceId, attachment, onDownload, tone }: P
        open={open}
        onClose={() => setOpen(false)}
        ariaLabel={`Preview of ${attachment.name}`}
+        contained
      >
        <img
          src={state.blobUrl}
          alt={attachment.name}
-          className="max-w-[95vw] max-h-[90vh] object-contain"
+          className="max-w-full max-h-full object-contain"
        />
      </AttachmentLightbox>
    </>
@@ -1,6 +1,6 @@
 "use client";

-// AttachmentLightbox — shared fullscreen modal for image / PDF /
+// AttachmentLightbox — shared modal for image / PDF /
 // (future) any-fullscreen-renderable kind. Owns:
 //   - Backdrop + centered viewport
 //   - Esc to close
@@ -14,11 +14,11 @@
 //
 // Design choices:
 //
-// 1. Portals — we don't use ReactDOM.createPortal because the canvas
-//    chat surface already renders at a high z-index and the modal's
-//    fixed-position layout reaches the viewport regardless. Saves a
-//    portal mount in the common case + avoids the SSR warning (canvas
-//    is "use client" but the parent shell is server-rendered).
+// 1. Portals — we don't use ReactDOM.createPortal because the chat tab
+//    already gives us a positioned container and the preview should stay
+//    inside that panel. Saves a portal mount in the common case + avoids
+//    the SSR warning (canvas is "use client" but the parent shell is
+//    server-rendered).
 //
 // 2. Focus trap — inline implementation (not a 3rd-party dep). The
 //    chat lightbox needs to trap focus only across two interactive
@@ -41,13 +41,17 @@ interface Props {
   *  the dialog opens. The caller knows what's inside (image alt
   *  text, PDF filename) and supplies it. */
  ariaLabel: string;
+  /** Constrain the preview to the nearest positioned ancestor instead
+   *  of the whole browser viewport. ChatTab passes this so previews
+   *  stay inside the active side-panel tab. */
+  contained?: boolean;
  /** The thing being shown in fullscreen — <img>, <embed>, etc.
   *  Caller is responsible for sizing it to fit the viewport (we
   *  give it max-w-full max-h-full via CSS). */
  children: ReactNode;
 }

-export function AttachmentLightbox({ open, onClose, ariaLabel, children }: Props) {
+export function AttachmentLightbox({ open, onClose, ariaLabel, contained = false, children }: Props) {
  const closeButtonRef = useRef<HTMLButtonElement>(null);
  const previousFocusRef = useRef<HTMLElement | null>(null);

@@ -90,12 +94,19 @@ export function AttachmentLightbox({ open, onClose, ariaLabel, children }: Props

  if (!open) return null;

+  const rootClass = contained
+    ? "absolute inset-0 z-50 flex items-center justify-center bg-black/85 motion-reduce:transition-none transition-opacity"
+    : "fixed inset-0 z-50 flex items-center justify-center bg-black/85 motion-reduce:transition-none transition-opacity";
+  const contentClass = contained
+    ? "h-full w-full p-3 flex items-center justify-center"
+    : "max-w-[95vw] max-h-[90vh] flex items-center justify-center";
+
  return (
    <div
      role="dialog"
      aria-modal="true"
      aria-label={ariaLabel}
-      className="fixed inset-0 z-50 flex items-center justify-center bg-black/85 motion-reduce:transition-none transition-opacity"
+      className={rootClass}
      onClick={onBackdropClick}
    >
      {/* Close button — top-right, large hit area, keyboard-focusable.
@@ -112,7 +123,7 @@ export function AttachmentLightbox({ open, onClose, ariaLabel, children }: Props
        </svg>
      </button>
      <div
-        className="max-w-[95vw] max-h-[90vh] flex items-center justify-center"
+        className={contentClass}
        onClick={(e) => e.stopPropagation()}
      >
        {children}
@@ -19,8 +19,8 @@
 // suppress the toolbar; we keep it on so the user gets standard
 // PDF affordances.
 //
-// Fullscreen: AttachmentLightbox hosts the PDF at viewport size on
-// click. Same shared modal as image — third caller justifies the
+// Preview: AttachmentLightbox hosts the PDF inside the active chat tab
+// on click. Same shared modal as image — third caller justifies the
 // abstraction (per RFC #2991 design).
 //
 // Failure modes:
@@ -144,16 +144,15 @@ export function AttachmentPDF({ workspaceId, attachment, onDownload, tone }: Pro
        open={open}
        onClose={() => setOpen(false)}
        ariaLabel={`Preview of ${attachment.name}`}
+        contained
      >
-        <embed
-          src={state.blobUrl}
-          type="application/pdf"
-          // The lightbox's content slot caps at 95vw / 90vh, so size
-          // 100% within that and let the user scroll inside the PDF
-          // viewer.
-          style={{ width: "95vw", height: "90vh" }}
-          aria-label={attachment.name}
-        />
+        <div className="h-full w-full overflow-hidden rounded-lg border border-white/20 bg-white shadow-2xl">
+          <iframe
+            src={`${state.blobUrl}#view=FitH`}
+            title={attachment.name}
+            className="h-full w-full bg-white"
+          />
+        </div>
      </AttachmentLightbox>
    </>
  );
@@ -1,6 +1,6 @@
 // @vitest-environment jsdom
 /**
- * AttachmentLightbox — fullscreen modal for image / PDF preview.
+ * AttachmentLightbox — modal for image / PDF preview.
 *
 * Owns: backdrop + viewport, Esc to close, click-outside to close,
 * focus trap (close button focus on open, restore on close),
@@ -135,6 +135,22 @@ describe("AttachmentLightbox — render", () => {
    const closeBtn = document.querySelector('button[aria-label="Close preview"]');
    expect(closeBtn).toBeTruthy();
  });
+
+  it("uses absolute positioning when contained=true", () => {
+    render(
+      <AttachmentLightbox
+        open={true}
+        onClose={vi.fn()}
+        ariaLabel="Preview"
+        contained
+      >
+        <MockContent />
+      </AttachmentLightbox>,
+    );
+    const dialog = document.querySelector('[role="dialog"]');
+    expect(dialog?.className).toContain("absolute");
+    expect(dialog?.className).not.toContain("fixed");
+  });
 });

 // ─── Focus management ─────────────────────────────────────────────────────────
@@ -1,19 +1,19 @@
 // @vitest-environment jsdom
 /**
- * AttachmentPDF — inline PDF preview button + click-to-fullscreen lightbox.
+ * AttachmentPDF — inline PDF preview button + click-to-panel lightbox.
 *
 * Per RFC #2991 PR-3: platform-auth URIs fetch bytes → Blob → ObjectURL;
 * external URIs use the raw URL directly. State machine: idle → loading →
 * ready/error. Loading skeleton shown while fetching. Error falls back to
 * AttachmentChip. Clicking the preview button opens AttachmentLightbox with
- * <embed>. Blob URL cleaned up on unmount.
+ * a browser PDF iframe. Blob URL cleaned up on unmount.
 *
 * NOTE: No @testing-library/jest-dom import — use DOM APIs for assertions.
 *
 * Covers:
 *   - Renders loading skeleton with PdfGlyph + filename text
 *   - Renders preview button with PDF glyph, filename, and "PDF" label
- *   - Opens lightbox with <embed> on button click
+ *   - Opens lightbox with a framed <iframe> viewer on button click
 *   - Lightbox closes on Escape
 *   - tone=user applies blue/accent classes on button
 *   - tone=agent applies neutral border on button
@@ -136,7 +136,7 @@ describe("AttachmentPDF — ready", () => {
    expect(btn?.textContent).toContain("PDF");
  });

-  it("opens lightbox with <embed> on button click", async () => {
+  it("opens lightbox with a framed iframe viewer on button click", async () => {
    mockFetchOk("data");
    const att = makeAttachment("report.pdf");
    render(
@@ -158,8 +158,13 @@ describe("AttachmentPDF — ready", () => {
    });
    const dialog = document.querySelector('[role="dialog"]');
    expect(dialog?.getAttribute("aria-label")).toContain("report.pdf");
-    // Lightbox contains an <embed>
-    expect(dialog?.querySelector("embed")).toBeTruthy();
+    expect(dialog?.className).toContain("absolute");
+    const frame = dialog?.querySelector("iframe") as HTMLIFrameElement | null;
+    expect(frame).toBeTruthy();
+    expect(frame?.getAttribute("title")).toBe("report.pdf");
+    expect(frame?.className).toContain("bg-white");
+    expect(frame?.parentElement?.className).toContain("w-full");
+    expect(dialog?.querySelector("embed")).toBeNull();
  });

  it("closes lightbox on Escape key", async () => {
@@ -237,11 +237,13 @@ describe("AttachmentPreview dispatch", () => {
      expect(screen.getByLabelText(/Open doc\.pdf preview/i)).toBeTruthy();
    });

-    // Click → lightbox opens with <embed> inside.
+    // Click → panel-contained lightbox opens with a browser PDF iframe.
    fireEvent.click(screen.getByLabelText(/Open doc\.pdf preview/i));
    const dialog = await screen.findByRole("dialog");
    expect(dialog).toBeTruthy();
-    expect(dialog.querySelector("embed[type='application/pdf']")).not.toBeNull();
+    expect(dialog.className).toContain("absolute");
+    expect(dialog.querySelector("iframe")).not.toBeNull();
+    expect(dialog.querySelector("embed")).toBeNull();
  });

  it("kind=pdf fetch fails → falls back to chip", async () => {
@@ -113,6 +113,31 @@ describe("resolveAttachmentHref — platform-pending: scheme (poll-mode uploads)
  });
 });

+describe("resolveAttachmentHref — legacy platform content URLs", () => {
+  const chatWs = "chat-ws-aaaaaaaa";
+  const sourceWs = "d76977b1-d620-4f42-a57e-111111111111";
+  const fileID = "e2dfaf2e-1111-4abc-9999-222222222222";
+
+  it("rewrites /workspaces/<ws>/content/<file>/content to the authenticated pending-upload endpoint", () => {
+    const url = resolveAttachmentHref(
+      chatWs,
+      `/workspaces/${sourceWs}/content/${fileID}/content`,
+    );
+    expect(url).toContain(`/workspaces/${sourceWs}/pending-uploads/${fileID}/content`);
+    expect(url).not.toContain(`/workspaces/${chatWs}/`);
+  });
+
+  it("treats legacy content URLs as platform attachments so previews fetch with auth headers", () => {
+    expect(isPlatformAttachment(`/workspaces/${sourceWs}/content/${fileID}/content`)).toBe(true);
+  });
+
+  it("passes malformed legacy content URLs through unchanged", () => {
+    const malformed = `/workspaces/${sourceWs}/content//content`;
+    expect(resolveAttachmentHref(chatWs, malformed)).toBe(malformed);
+    expect(isPlatformAttachment(malformed)).toBe(false);
+  });
+});
+
 describe("isPlatformAttachment", () => {
  it("returns true for platform-pending: URIs", () => {
    expect(isPlatformAttachment("platform-pending:abc/file")).toBe(true);
@@ -125,6 +125,8 @@ export async function uploadChatFiles(
 *    - `/workspace/...` (bare absolute path inside the container)
 *    - `platform-pending:<wsid>/<file_id>` (poll-mode upload, staged
 *      on platform side; resolves to /pending-uploads/<file_id>/content)
+ *    - `/workspaces/<wsid>/content/<file_id>/content` (legacy platform
+ *      content URL; normalizes to the same pending-upload endpoint)
 *  Everything that looks like an allowed-root container path is
 *  rewritten to the authenticated /chat/download endpoint. HTTP(S)
 *  URIs pass through unchanged so we can also render links to
@@ -163,6 +165,11 @@ export function resolveAttachmentHref(
    }
    return uri;
  }
+  const legacy = parseLegacyPlatformContentUri(uri);
+  if (legacy) {
+    const [wsid, fileID] = legacy;
+    return `${PLATFORM_URL}/workspaces/${encodeURIComponent(wsid)}/pending-uploads/${encodeURIComponent(fileID)}/content`;
+  }
  const containerPath = normalizeWorkspaceUri(uri);
  if (containerPath) {
    return `${PLATFORM_URL}/workspaces/${workspaceId}/chat/download?path=${encodeURIComponent(containerPath)}`;
@@ -175,6 +182,7 @@ export function resolveAttachmentHref(
 *  downloadChatFile rather than letting the browser navigate. */
 export function isPlatformAttachment(uri: string): boolean {
  if (uri.startsWith("platform-pending:")) return true;
+  if (parseLegacyPlatformContentUri(uri)) return true;
  return normalizeWorkspaceUri(uri) !== null;
 }

@@ -183,6 +191,12 @@ export function isPlatformAttachment(uri: string): boolean {
 *  mirror the server's `allowedRoots` allowlist. */
 const ALLOWED_CONTAINER_ROOTS = ["/configs", "/workspace", "/home", "/plugins"];

+function parseLegacyPlatformContentUri(uri: string): [string, string] | null {
+  const m = uri.match(/^\/workspaces\/([^/]+)\/content\/([^/]+)\/content(?:[?#].*)?$/);
+  if (!m || !m[1] || !m[2]) return null;
+  return [m[1], m[2]];
+}
+
 function normalizeWorkspaceUri(uri: string): string | null {
  let path: string | null = null;
  if (uri.startsWith("workspace:")) {
@@ -63,6 +63,7 @@ vi.mock("@/components/MissingKeysModal", () => ({
    onKeysAdded: (model?: string) => void;
    onCancel: () => void;
    configuredKeys?: Set<string>;
+    optionalKeys?: string[];
    modelSuggestions?: string[];
    initialModel?: string;
    title?: string;
@@ -77,6 +78,9 @@ vi.mock("@/components/MissingKeysModal", () => ({
        </span>
        <span data-testid="modal-initial-model">{props.initialModel ?? ""}</span>
        <span data-testid="modal-title">{props.title ?? ""}</span>
+        <span data-testid="modal-optional-keys">
+          {(props.optionalKeys ?? []).join(",")}
+        </span>
        <button
          data-testid="modal-keys-added"
          onClick={() => props.onKeysAdded()}
@@ -113,6 +117,7 @@ function makeTemplate(over: Partial<Template> = {}): Template {
    runtime: "claude-code",
    models: [],
    required_env: [],
+    recommended_env: [],
    ...over,
  };
 }
@@ -129,6 +134,7 @@ beforeEach(() => {
    missingKeys: [],
    providers: [],
    runtime: "claude-code",
+    optionalKeys: [],
    configuredKeys: new Set(),
  });
  mockApiPost.mockResolvedValue({ id: "ws-new" });
@@ -243,6 +249,7 @@ describe("useTemplateDeploy — preflight failure modes", () => {
      missingKeys: ["ANTHROPIC_API_KEY"],
      providers: [],
      runtime: "claude-code",
+      optionalKeys: [],
      configuredKeys: new Set(),
    });
    const onDeployed = vi.fn();
@@ -271,6 +278,7 @@ describe("useTemplateDeploy — modal lifecycle", () => {
      missingKeys: ["ANTHROPIC_API_KEY"],
      providers: [],
      runtime: "claude-code",
+      optionalKeys: [],
      configuredKeys: new Set(),
    });
    const onDeployed = vi.fn();
@@ -306,6 +314,7 @@ describe("useTemplateDeploy — modal lifecycle", () => {
      missingKeys: ["ANTHROPIC_API_KEY"],
      providers: [],
      runtime: "claude-code",
+      optionalKeys: [],
      configuredKeys: new Set(),
    });
    const { result, rerender } = renderHook(() => useTemplateDeploy());
@@ -359,6 +368,7 @@ describe("useTemplateDeploy — multi-provider always-ask flow", () => {
        { id: "ANTHROPIC_API_KEY", label: "Anthropic", envVars: ["ANTHROPIC_API_KEY"] },
      ],
      runtime: "hermes",
+      optionalKeys: [],
      configuredKeys: new Set(["MINIMAX_API_KEY", "ANTHROPIC_API_KEY"]),
    });
    const { result, rerender } = renderHook(() => useTemplateDeploy());
@@ -392,6 +402,7 @@ describe("useTemplateDeploy — multi-provider always-ask flow", () => {
        { id: "ANTHROPIC_API_KEY", label: "Anthropic", envVars: ["ANTHROPIC_API_KEY"] },
      ],
      runtime: "hermes",
+      optionalKeys: [],
      configuredKeys: new Set(),
    });
    const { result, rerender } = renderHook(() => useTemplateDeploy());
@@ -420,6 +431,7 @@ describe("useTemplateDeploy — multi-provider always-ask flow", () => {
        { id: "ANTHROPIC_API_KEY", label: "Anthropic", envVars: ["ANTHROPIC_API_KEY"] },
      ],
      runtime: "hermes",
+      optionalKeys: [],
      configuredKeys: new Set(),
    });
    const { result, rerender } = renderHook(() => useTemplateDeploy());
@@ -484,6 +496,7 @@ describe("useTemplateDeploy — multi-provider always-ask flow", () => {
        { id: "ANTHROPIC_API_KEY", label: "Anthropic", envVars: ["ANTHROPIC_API_KEY"] },
      ],
      runtime: "hermes",
+      optionalKeys: [],
      configuredKeys: new Set(),
    });
    const { result, rerender } = renderHook(() => useTemplateDeploy());
@@ -499,6 +512,35 @@ describe("useTemplateDeploy — multi-provider always-ask flow", () => {
    expect(screen.getByTestId("modal-configured-size").textContent).toBe("0");
    expect(mockApiPost).not.toHaveBeenCalled();
  });
+
+  it("opens configure modal for optional env prompts even when no required provider key is missing", async () => {
+    mockCheckDeploySecrets.mockResolvedValueOnce({
+      ok: true,
+      missingKeys: [],
+      providers: [],
+      runtime: "claude-code",
+      optionalKeys: ["GOOGLE_GSC_SITE", "GOOGLE_GA4_PROPERTY_ID"],
+      configuredKeys: new Set(),
+    });
+    const { result, rerender } = renderHook(() => useTemplateDeploy());
+
+    await act(async () => {
+      await result.current.deploy(makeTemplate({
+        id: "seo-agent",
+        name: "SEO Agent",
+        recommended_env: ["GOOGLE_GSC_SITE", "GOOGLE_GA4_PROPERTY_ID"],
+      }));
+    });
+
+    rerender();
+    render(<>{result.current.modal}</>);
+
+    expect(screen.getByTestId("missing-keys-modal")).toBeTruthy();
+    expect(screen.getByTestId("modal-optional-keys").textContent).toBe(
+      "GOOGLE_GSC_SITE,GOOGLE_GA4_PROPERTY_ID",
+    );
+    expect(mockApiPost).not.toHaveBeenCalled();
+  });
 });

 describe("useTemplateDeploy — POST failure", () => {
@@ -152,6 +152,7 @@ export function useTemplateDeploy(
          runtime,
          models: template.models,
          required_env: template.required_env,
+          recommended_env: template.recommended_env,
        });
      } catch (e) {
        // Preflight network failure used to strand `deploying` — the
@@ -165,7 +166,11 @@ export function useTemplateDeploy(
        setDeploying(null);
        return;
      }
-      if (preflight.ok && preflight.providers.length === 0) {
+      if (
+        preflight.ok &&
+        preflight.providers.length === 0 &&
+        preflight.optionalKeys.length === 0
+      ) {
        await executeDeploy(template);
        return;
      }
@@ -220,6 +225,7 @@ export function useTemplateDeploy(
    <MissingKeysModal
      open={!!missingKeysInfo}
      missingKeys={missingKeysInfo?.preflight.missingKeys ?? []}
+      optionalKeys={missingKeysInfo?.preflight.optionalKeys ?? []}
      providers={missingKeysInfo?.preflight.providers ?? []}
      runtime={missingKeysInfo?.preflight.runtime ?? ""}
      configuredKeys={missingKeysInfo?.preflight.configuredKeys}
@@ -37,6 +37,11 @@ const CLAUDE_CODE: TemplateLike = {
  required_env: ["OPENAI_API_KEY"],
 };

+const OPTIONAL_ONLY: TemplateLike = {
+  runtime: "claude-code",
+  recommended_env: ["GOOGLE_GSC_SITE", "GOOGLE_GA4_PROPERTY_ID"],
+};
+
 const UNKNOWN: TemplateLike = { runtime: "nothing-declared" };

 // -----------------------------------------------------------------------------
@@ -154,6 +159,7 @@ describe("checkDeploySecrets", () => {
    const result = await checkDeploySecrets(CLAUDE_CODE);
    expect(result.ok).toBe(true);
    expect(result.missingKeys).toEqual([]);
+    expect(result.optionalKeys).toEqual([]);
    expect(result.runtime).toBe("claude-code");
  });

@@ -184,6 +190,7 @@ describe("checkDeploySecrets", () => {
    );
    // Grouped providers preserved for the picker.
    expect(result.providers).toHaveLength(3);
+    expect(result.optionalKeys).toEqual([]);
  });

  it("treats has_value=false as not-configured", async () => {
@@ -207,6 +214,22 @@ describe("checkDeploySecrets", () => {
    expect(global.fetch).not.toHaveBeenCalled();
  });

+  it("prompts optional-only env without treating it as missing", async () => {
+    (global.fetch as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
+      ok: true,
+      json: () => Promise.resolve([]),
+    } as Response);
+
+    const result = await checkDeploySecrets(OPTIONAL_ONLY);
+    expect(result.ok).toBe(true);
+    expect(result.missingKeys).toEqual([]);
+    expect(result.optionalKeys).toEqual([
+      "GOOGLE_GSC_SITE",
+      "GOOGLE_GA4_PROPERTY_ID",
+    ]);
+    expect(global.fetch).toHaveBeenCalled();
+  });
+
  it("uses the workspace-scoped endpoint when workspaceId is provided", async () => {
    (global.fetch as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
      ok: true,
@@ -244,6 +267,7 @@ describe("checkDeploySecrets", () => {
    const result = await checkDeploySecrets(CLAUDE_CODE);
    expect(result.ok).toBe(false);
    expect(result.missingKeys).toEqual(["OPENAI_API_KEY"]);
+    expect(result.optionalKeys).toEqual([]);
    // Empty Set on fetch failure — useTemplateDeploy relies on this
    // so the picker still opens with every entry rendered as input.
    expect(result.configuredKeys).toEqual(new Set());
@@ -8,7 +8,7 @@
 * count bounded.
 */
 import { describe, it, expect } from "vitest";
-import { resolveRuntime } from "../deploy-preflight";
+import { isUserVisibleWorkspaceTemplate, resolveRuntime } from "../deploy-preflight";

 describe("resolveRuntime", () => {
  describe("explicit runtime-map entries", () => {
@@ -64,3 +64,15 @@ describe("resolveRuntime", () => {
    });
  });
 });
+
+describe("isUserVisibleWorkspaceTemplate", () => {
+  it("hides runtime-default templates from product template surfaces", () => {
+    for (const id of ["claude-code-default", "codex", "hermes", "openclaw"]) {
+      expect(isUserVisibleWorkspaceTemplate({ id })).toBe(false);
+    }
+  });
+
+  it("keeps product templates visible", () => {
+    expect(isUserVisibleWorkspaceTemplate({ id: "seo-agent" })).toBe(true);
+  });
+});
@@ -21,6 +21,7 @@ import { api } from "./api";
 export interface ModelSpec {
  id: string;
  name?: string;
+  provider?: string;
  required_env?: string[];
 }

@@ -31,6 +32,8 @@ export interface TemplateLike {
  models?: ModelSpec[];
  /** AND-required env vars declared at runtime_config level. */
  required_env?: string[];
+  /** Optional env vars declared at runtime_config level. */
+  recommended_env?: string[];
 }

 /** Full /templates response shape shared by TemplatePalette (sidebar)
@@ -49,6 +52,17 @@ export interface Template extends TemplateLike {
  skill_count: number;
 }

+const RUNTIME_DEFAULT_TEMPLATE_IDS = new Set([
+  "claude-code-default",
+  "codex",
+  "hermes",
+  "openclaw",
+]);
+
+export function isUserVisibleWorkspaceTemplate(template: Pick<Template, "id">): boolean {
+  return !RUNTIME_DEFAULT_TEMPLATE_IDS.has(template.id);
+}
+
 /** Map from a template id to the runtime name the per-workspace
 *  preflight expects. Used only when the server's `/templates`
 *  response predates the `runtime` field on the summary (legacy
@@ -84,6 +98,8 @@ export interface PreflightResult {
  /** Flat list of env var names needed — for the legacy modal path and
   *  for callers that want a single display of "what's missing". */
  missingKeys: string[];
+  /** Optional env vars to offer in the modal without blocking deploy. */
+  optionalKeys: string[];
  /** Grouped provider options derived from the template. When length ≥ 2
   *  the modal renders a picker; length 1 means exactly one provider is
   *  required (AllKeysModal renders the N envVars inline). */
@@ -236,12 +252,14 @@ export async function checkDeploySecrets(
 ): Promise<PreflightResult> {
  const providers = providersFromTemplate(template);
  const runtime = template.runtime;
+  const optionalKeys = Array.from(new Set(template.recommended_env ?? []));

-  if (providers.length === 0) {
+  if (providers.length === 0 && optionalKeys.length === 0) {
    // Template declares no env requirements — nothing to preflight.
    return {
      ok: true,
      missingKeys: [],
+      optionalKeys: [],
      providers: [],
      runtime,
      configuredKeys: new Set(),
@@ -263,10 +281,11 @@ export async function checkDeploySecrets(
    configured = new Set();
  }

-  if (findSatisfiedProvider(providers, configured)) {
+  if (providers.length === 0 || findSatisfiedProvider(providers, configured)) {
    return {
      ok: true,
      missingKeys: [],
+      optionalKeys,
      providers,
      runtime,
      configuredKeys: configured,
@@ -281,6 +300,7 @@ export async function checkDeploySecrets(
  return {
    ok: false,
    missingKeys,
+    optionalKeys,
    providers,
    runtime,
    configuredKeys: configured,
@@ -12,7 +12,9 @@ import type { NextRequest } from "next/server";
 *   • style-src retains 'unsafe-inline': React Flow positions nodes via
 *     element-level style="" attributes which cannot be nonce'd; CSS injection
 *     is significantly lower risk than script injection and is acceptable here.
- *   • object-src / base-uri / frame-ancestors locked to 'none'/'self'.
+ *   • object-src locked to 'none'; frame-src allows self + blob: for
+ *     browser-native PDF previews backed by authenticated Blob URLs.
+ *   • base-uri / frame-ancestors locked to 'self'/'none'.
 *   • upgrade-insecure-requests forces HTTPS on mixed-content.
 *
 * Development — permissive policy:
@@ -61,6 +63,7 @@ export function buildCsp(nonce: string, isDev: boolean): string {
    "img-src 'self' blob: data:",
    "font-src 'self'",
    "object-src 'none'",
+    "frame-src 'self' blob:",
    "base-uri 'self'",
    "form-action 'self'",
    "frame-ancestors 'none'",
@@ -28,7 +28,8 @@
    {"name": "claude-code-default", "repo": "molecule-ai/molecule-ai-workspace-template-claude-code", "ref": "main"},
    {"name": "hermes", "repo": "molecule-ai/molecule-ai-workspace-template-hermes", "ref": "main"},
    {"name": "openclaw", "repo": "molecule-ai/molecule-ai-workspace-template-openclaw", "ref": "main"},
-    {"name": "codex", "repo": "molecule-ai/molecule-ai-workspace-template-codex", "ref": "main"}
+    {"name": "codex", "repo": "molecule-ai/molecule-ai-workspace-template-codex", "ref": "main"},
+    {"name": "seo-agent", "repo": "molecule-ai/molecule-ai-workspace-template-seo-agent", "ref": "main"}
  ],
  "org_templates": [
    {"name": "molecule-dev", "repo": "molecule-ai/molecule-ai-org-template-molecule-dev", "ref": "main"},
@@ -1,11 +1,14 @@
 #!/usr/bin/env bash
 set -euo pipefail

-BASE="http://localhost:8080"
+BASE="${BASE:-http://localhost:8080}"
 PASS=0
 FAIL=0
 TIMEOUT="${A2A_TIMEOUT:-120}"  # seconds per A2A call (override via A2A_TIMEOUT env var)

+# shellcheck source=_lib.sh
+source "$(dirname "$0")/_lib.sh"
+
 check() {
  local desc="$1"
  local expected="$2"
@@ -130,7 +133,7 @@ echo ""
 # ========================================
 echo "--- Test 6: Offline workspace ---"
 # Create a workspace but don't provision it
-R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" -d '{"name":"Offline Test","tier":1}')
+R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" -d '{"name":"Offline Test","tier":1,"runtime":"external","external":true}')
 OFFLINE_ID=$(echo "$R" | python3 -c "import sys,json; print(json.load(sys.stdin)['id'])")
 R=$(curl -s --max-time 10 -X POST "$BASE/workspaces/$OFFLINE_ID/a2a" \
  -H "Content-Type: application/json" \
@@ -215,7 +215,7 @@ echo ""
 echo "--- Activity Isolation ---"

 # Test 19: Create a second workspace to verify isolation
-R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" -d '{"name":"Activity Test Workspace","tier":1}')
+R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" -d '{"name":"Activity Test Workspace","tier":1,"runtime":"external","external":true}')
 TEMP_ID=$(echo "$R" | python3 -c "import sys,json; print(json.load(sys.stdin)['id'])")

 # Test 20: New workspace has empty activity
@@ -76,8 +76,8 @@ echo "--- Section 2: Workspace CRUD ---"
 # create; sections that depend on container readiness (RT_* in 2b)
 # still run normally.
 R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" \
-  -d '{"name":"Test PM","role":"Project Manager","tier":2}')
-check "Create PM" '"status":"provisioning"' "$R"
+  -d '{"name":"Test PM","role":"Project Manager","tier":2,"runtime":"external","external":true}')
+check "Create PM" '"status":"awaiting_agent"' "$R"
 PM_ID=$(echo "$R" | jq_extract "['id']")
 echo "  PM_ID=$PM_ID"
 RR=$(curl -s -X POST "$BASE/registry/register" -H "Content-Type: application/json" \
@@ -86,8 +86,8 @@ PM_TOKEN=$(echo "$RR" | e2e_extract_token)

 # Create child workspace under PM
 R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" \
-  -d "{\"name\":\"Test Dev\",\"role\":\"Developer\",\"tier\":2,\"parent_id\":\"$PM_ID\"}")
-check "Create Dev (child of PM)" '"status":"provisioning"' "$R"
+  -d "{\"name\":\"Test Dev\",\"role\":\"Developer\",\"tier\":2,\"parent_id\":\"$PM_ID\",\"runtime\":\"external\",\"external\":true}")
+check "Create Dev (child of PM)" '"status":"awaiting_agent"' "$R"
 DEV_ID=$(echo "$R" | jq_extract "['id']")
 RR=$(curl -s -X POST "$BASE/registry/register" -H "Content-Type: application/json" \
  -d "{\"id\":\"$DEV_ID\",\"url\":\"http://localhost:9001\",\"agent_card\":{\"name\":\"Dev Agent\",\"skills\":[],\"version\":\"1.0.0\"}}")
@@ -95,16 +95,16 @@ DEV_TOKEN=$(echo "$RR" | e2e_extract_token)

 # Create sibling
 R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" \
-  -d "{\"name\":\"Test QA\",\"role\":\"QA\",\"tier\":1,\"parent_id\":\"$PM_ID\"}")
-check "Create QA (sibling of Dev)" '"status":"provisioning"' "$R"
+  -d "{\"name\":\"Test QA\",\"role\":\"QA\",\"tier\":1,\"parent_id\":\"$PM_ID\",\"runtime\":\"external\",\"external\":true}")
+check "Create QA (sibling of Dev)" '"status":"awaiting_agent"' "$R"
 QA_ID=$(echo "$R" | jq_extract "['id']")
 curl -s -X POST "$BASE/registry/register" -H "Content-Type: application/json" \
  -d "{\"id\":\"$QA_ID\",\"url\":\"http://localhost:9002\",\"agent_card\":{\"name\":\"QA\",\"skills\":[]}}" > /dev/null

 # Create unrelated workspace
 R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" \
-  -d '{"name":"Test Outsider","role":"External","tier":1}')
-check "Create Outsider (unrelated)" '"status":"provisioning"' "$R"
+  -d '{"name":"Test Outsider","role":"External","tier":1,"runtime":"external","external":true}')
+check "Create Outsider (unrelated)" '"status":"awaiting_agent"' "$R"
 OUTSIDER_ID=$(echo "$R" | jq_extract "['id']")

 # List workspaces
@@ -130,19 +130,24 @@ check "PM position persisted" '"x":100' "$R"
 echo ""
 echo "--- Section 2b: Runtime Assignment ---"

+if [ "${RUN_SPAWNED_RUNTIME_LEGACY_E2E:-0}" != "1" ]; then
+  echo "  SKIP: spawned-runtime image checks require local runtime images; set RUN_SPAWNED_RUNTIME_LEGACY_E2E=1 to enable"
+  SKIP=$((SKIP + 5))
+else
+
 # Create workspace with explicit runtime
 R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" \
-  -d '{"name":"RT Claude","role":"Test","tier":2,"runtime":"claude-code"}')
+  -d '{"name":"RT Claude","role":"Test","tier":2,"runtime":"claude-code","model":"sonnet"}')
 check "Create claude-code workspace" '"status":"provisioning"' "$R"
 RT_CC_ID=$(echo "$R" | jq_extract "['id']")

 R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" \
-  -d '{"name":"RT Codex","role":"Test","tier":2,"runtime":"codex"}')
+  -d '{"name":"RT Codex","role":"Test","tier":2,"runtime":"codex","model":"openai:gpt-5"}')
 check "Create codex workspace" '"status":"provisioning"' "$R"
 RT_CX_ID=$(echo "$R" | jq_extract "['id']")

 R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" \
-  -d '{"name":"RT Hermes","role":"Test","tier":2,"runtime":"hermes"}')
+  -d '{"name":"RT Hermes","role":"Test","tier":2,"runtime":"hermes","model":"openai:gpt-5"}')
 check "Create hermes workspace" '"status":"provisioning"' "$R"
 RT_HM_ID=$(echo "$R" | jq_extract "['id']")

@@ -235,6 +240,8 @@ sleep 0.3
 e2e_delete_workspace "$RT_HM_ID" "RT Hermes"
 sleep 0.3

+fi
+
 # ============================================================
 # Section 3: Registry & Heartbeat
 # ============================================================
@@ -71,7 +71,7 @@ check_http "GET /workspaces (empty DB)" "200" "$R"
 # Create a workspace so tokens land in the DB.
 R=$(curl -s -w "\n%{http_code}" -X POST "$BASE/workspaces" \
  -H "Content-Type: application/json" \
-  -d '{"name":"Dev-Mode-Test","tier":1}')
+  -d '{"name":"Dev-Mode-Test","tier":1,"runtime":"external","external":true}')
 CODE=$(echo "$R" | tail -n1)
 BODY=$(echo "$R" | sed '$d')
 check_http "POST /workspaces (create)" "201" "$CODE"
@@ -97,7 +97,7 @@ except Exception:
 done

 R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" \
-  -d '{"name":"Abilities Sender","tier":1}')
+  -d '{"name":"Abilities Sender","tier":1,"runtime":"external","external":true}')
 SENDER_ID=$(echo "$R" | python3 -c 'import json,sys;print(json.load(sys.stdin)["id"])' 2>/dev/null || true)
 [ -n "$SENDER_ID" ] || { echo "Failed to create sender workspace: $R"; exit 1; }
 SENDER_TOKEN=$(echo "$R" | e2e_extract_token)
@@ -113,7 +113,7 @@ ADMIN_TOKEN="${MOLECULE_ADMIN_TOKEN:-$SENDER_TOKEN}"
 ADMIN_AUTH="Authorization: Bearer $ADMIN_TOKEN"

 R=$(curl -s -X POST "$BASE/workspaces" -H "$ADMIN_AUTH" -H "Content-Type: application/json" \
-  -d '{"name":"Abilities Receiver","tier":1}')
+  -d '{"name":"Abilities Receiver","tier":1,"runtime":"external","external":true}')
 RECEIVER_ID=$(echo "$R" | python3 -c 'import json,sys;print(json.load(sys.stdin)["id"])' 2>/dev/null || true)
 [ -n "$RECEIVER_ID" ] || { echo "Failed to create receiver workspace: $R"; exit 1; }
 RECEIVER_TOKEN=$(echo "$R" | e2e_extract_token)
@@ -77,6 +77,7 @@ func NewTemplatesHandler(configsDir string, dockerCli *client.Client, wh *Worksp
 type modelSpec struct {
 	ID          string   `json:"id" yaml:"id"`
 	Name        string   `json:"name,omitempty" yaml:"name"`
+	Provider    string   `json:"provider,omitempty" yaml:"provider"`
 	RequiredEnv []string `json:"required_env,omitempty" yaml:"required_env"`
 }

@@ -116,6 +117,10 @@ type templateSummary struct {
 	// preflight uses this as the fallback provider when `models` is empty
 	// so provider picker stays data-driven instead of hardcoded in the UI.
 	RequiredEnv []string `json:"required_env,omitempty"`
+	// RecommendedEnv mirrors runtime_config.recommended_env from the
+	// template's config.yaml. Canvas prompts for these as non-blocking
+	// optional secrets during template deploy.
+	RecommendedEnv []string `json:"recommended_env,omitempty"`
 	// Providers is the runtime's own list of supported provider slugs,
 	// sourced from runtime_config.providers in the template's config.yaml.
 	// The canvas Config tab surfaces this as the Provider override
@@ -188,6 +193,7 @@ func (h *TemplatesHandler) List(c *gin.Context) {
 				Model                   string      `yaml:"model"`
 				Models                  []modelSpec `yaml:"models"`
 				RequiredEnv             []string    `yaml:"required_env"`
+				RecommendedEnv          []string    `yaml:"recommended_env"`
 				Providers               []string    `yaml:"providers"`
 				ProvisionTimeoutSeconds int         `yaml:"provision_timeout_seconds"`
 			} `yaml:"runtime_config"`
@@ -229,6 +235,7 @@ func (h *TemplatesHandler) List(c *gin.Context) {
 			Model:                   model,
 			Models:                  raw.RuntimeConfig.Models,
 			RequiredEnv:             raw.RuntimeConfig.RequiredEnv,
+			RecommendedEnv:          raw.RuntimeConfig.RecommendedEnv,
 			Providers:               raw.RuntimeConfig.Providers,
 			ProviderRegistry:        raw.Providers,
 			Skills:                  raw.Skills,
@@ -148,12 +148,14 @@ tier: 2
 runtime: hermes
 runtime_config:
  model: nous-hermes-3-70b
+  recommended_env: [GOOGLE_GSC_SITE, GOOGLE_GA4_PROPERTY_ID]
  models:
    - id: nous-hermes-3-70b
      name: Nous Hermes 3 70B
      required_env: [HERMES_API_KEY]
    - id: minimax/minimax-m2.7
      name: MiniMax M2.7 (via OpenRouter)
+      provider: platform
      required_env: [OPENROUTER_API_KEY]
 skills: []
 `
@@ -196,9 +198,17 @@ skills: []
 	if got.Models[1].ID != "minimax/minimax-m2.7" {
 		t.Errorf("Models[1].ID: got %q", got.Models[1].ID)
 	}
+	if got.Models[1].Provider != "platform" {
+		t.Errorf("Models[1].Provider: got %q", got.Models[1].Provider)
+	}
 	if len(got.Models[1].RequiredEnv) != 1 || got.Models[1].RequiredEnv[0] != "OPENROUTER_API_KEY" {
 		t.Errorf("Models[1] required_env: want [OPENROUTER_API_KEY], got %+v", got.Models[1].RequiredEnv)
 	}
+	if len(got.RecommendedEnv) != 2 ||
+		got.RecommendedEnv[0] != "GOOGLE_GSC_SITE" ||
+		got.RecommendedEnv[1] != "GOOGLE_GA4_PROPERTY_ID" {
+		t.Errorf("RecommendedEnv: want [GOOGLE_GSC_SITE GOOGLE_GA4_PROPERTY_ID], got %+v", got.RecommendedEnv)
+	}
 }

 // TestTemplatesList_SurfacesProviders pins the Option B PR-5 wiring:
@@ -23,7 +23,7 @@ var apiPrefixes = []string{
 	"/settings",
 	"/bundles",
 	"/org",
-	"/orgs",   // #610 — per-org plugin allowlist routes
+	"/orgs", // #610 — per-org plugin allowlist routes
 	"/templates",
 	"/plugins",
 	"/webhooks",
@@ -95,6 +95,7 @@ func SecurityHeaders() gin.HandlerFunc {
 					"script-src 'self' 'unsafe-inline'; "+
 					"style-src 'self' 'unsafe-inline'; "+
 					"img-src 'self' data: blob:; "+
+					"frame-src 'self' blob:; "+
 					"connect-src 'self' ws: wss:; "+
 					"font-src 'self' data:")
 		}
@@ -57,6 +57,7 @@ func TestSecurityHeaders(t *testing.T) {
 		"script-src 'self' 'unsafe-inline'",
 		"style-src 'self' 'unsafe-inline'",
 		"img-src 'self' data: blob:",
+		"frame-src 'self' blob:",
 		"connect-src 'self' ws: wss:",
 		"font-src 'self' data:",
 	} {
@@ -195,6 +196,9 @@ func TestCSPCanvasRoutesGetPermissivePolicy(t *testing.T) {
 			if strings.Contains(csp, "'unsafe-eval'") {
 				t.Errorf("canvas path %q: CSP must not contain 'unsafe-eval', got %q", path, csp)
 			}
+			if !strings.Contains(csp, "frame-src 'self' blob:") {
+				t.Errorf("canvas path %q: CSP should allow blob: frames for PDF previews, got %q", path, csp)
+			}
 		})
 	}
 }
@@ -267,7 +271,7 @@ func TestIsAPIPath(t *testing.T) {
 		{"/ws", true},
 		{"/events", true},
 		{"/approvals", true},
-		{"/orgs", true},                          // #610 allowlist routes
+		{"/orgs", true}, // #610 allowlist routes
 		{"/orgs/org-1/plugins/allowlist", true},
 		// Sub-paths
 		{"/workspaces/abc-123", true},