refactor(chat): unify mobile and desktop chat via shared hooks

Extract three shared hooks from desktop ChatTab and consume them in MobileChat, eliminating ~880 lines of duplicated logic: - useChatHistory — paginated history load, deduped append, scroll anchor - useChatSend — file upload + A2A send with history context, guard refs - useChatSocket — WS activity log + agent push delivery via callbacks MobileChat gains desktop features: • History context sent with every A2A message (last 20 msgs) • sendInFlightRef / sendingFromAPIRef double-send guards • WS push releaseSendGuards integration • Proper error handling for unreachable agents Desktop ChatTab sheds inline state management in favor of the same hooks, keeping its rich UI (AttachmentPreview, activity feed, etc.). All 31 existing tests pass (12 ChatTab + 19 MobileChat). TypeScript clean. Dev server compiles without errors.
Merge branch 'local-main' into fix/push-notifications
2026-05-14 18:38:06 -07:00 · 2026-05-14 17:10:20 -07:00 · 2026-05-14 16:40:30 -07:00 · 2026-05-14 16:39:41 -07:00 · 2026-05-14 16:25:55 -07:00 · 2026-05-14 16:21:52 -07:00
152 changed files with 11743 additions and 1733 deletions
@@ -0,0 +1 @@
+refire:1778784369
@@ -203,12 +203,17 @@ def ci_jobs_all(ci_doc: dict) -> set[str]:

 def ci_job_names(ci_doc: dict) -> set[str]:
    """Set of job keys in ci.yml MINUS the sentinel itself MINUS jobs
-    whose `if:` gates on `github.event_name` (those are event-scoped
-    and can legitimately be `skipped` for a given trigger; if we
-    required them under the sentinel `needs:`, every PR-only job
+    whose `if:` gates on `github.event_name` or `github.ref` (those are
+    event-scoped and can legitimately be `skipped` for a given trigger;
+    if we required them under the sentinel `needs:`, every PR-only job
    would be `skipped` on push and the sentinel would interpret
    `skipped != success` as failure). RFC §4 spec.

+    `github.ref` is the companion gate for jobs that run only on direct
+    pushes to specific branches (e.g. `github.ref == 'refs/heads/main'`).
+    These never execute in a PR context, so flagging them as missing
+    from `all-required.needs:` is a false positive (mc#958 / mc#959).
+
    Used for F1 (jobs missing from sentinel needs). NOT used for F1b
    (typos in needs) — see `ci_jobs_all` for that."""
    jobs = ci_doc.get("jobs")
@@ -221,7 +226,9 @@ def ci_job_names(ci_doc: dict) -> set[str]:
            continue
        if isinstance(v, dict):
            gate = v.get("if")
-            if isinstance(gate, str) and "github.event_name" in gate:
+            if isinstance(gate, str) and (
+                "github.event_name" in gate or "github.ref" in gate
+            ):
                continue
        names.add(k)
    return names
@@ -47,6 +47,15 @@ REQUIRED_CONTEXTS_RAW = _env(
        "sop-checklist / all-items-acked (pull_request)"
    ),
 )
+# Required contexts for push (main/staging) runs. The push CI uses the same
+# aggregator names with " (push)" suffix. Checking these explicitly instead of
+# the combined state avoids false-pause when non-blocking jobs (e.g. Platform
+# Go with continue-on-error: true due to mc#774) have failed — their failures
+# pollute the combined state but do not block merges.
+PUSH_REQUIRED_CONTEXTS_RAW = _env(
+    "PUSH_REQUIRED_CONTEXTS",
+    default="CI / all-required (push)",
+)

 OWNER, NAME = (REPO.split("/", 1) + [""])[:2] if REPO else ("", "")
 API = f"https://{GITEA_HOST}/api/v1" if GITEA_HOST else ""
@@ -118,16 +127,24 @@ def required_contexts(raw: str) -> list[str]:
    return [part.strip() for part in raw.split(",") if part.strip()]


+def push_required_contexts() -> list[str]:
+    """Required contexts for push (branch) CI runs. See PUSH_REQUIRED_CONTEXTS_RAW."""
+    return required_contexts(PUSH_REQUIRED_CONTEXTS_RAW)
+
+
 def status_state(status: dict) -> str:
    return str(status.get("status") or status.get("state") or "").lower()


 def latest_statuses_by_context(statuses: list[dict]) -> dict[str, dict]:
+    # Gitea /statuses endpoint returns entries in ascending id order (oldest
+    # first). We need the LAST occurrence of each context, so iterate in
+    # reverse to prefer newer entries.
    latest: dict[str, dict] = {}
-    for status in statuses:
+    for status in reversed(statuses):
        context = status.get("context")
-        if isinstance(context, str) and context not in latest:
-            latest[context] = status
+        if isinstance(context, str):
+            latest[context] = status  # overwrite: reverse order → newest wins
    return latest


@@ -193,16 +210,23 @@ def evaluate_merge_readiness(
    required_contexts: list[str],
    pr_has_current_base: bool,
 ) -> MergeDecision:
-    main_state = str(main_status.get("state") or "").lower()
-    if main_state != "success":
-        return MergeDecision(False, "pause", f"main status is {main_state or 'missing'}")
+    # Check push-required contexts explicitly instead of combined state.
+    # Combined state can be "failure" due to non-blocking jobs
+    # (continue-on-error: true) that don't actually gate merges.
+    # CI / all-required (push) is the authoritative gate — it respects
+    # continue-on-error and correctly aggregates all blocking failures.
+    main_latest = latest_statuses_by_context(main_status.get("statuses") or [])
+    main_ok, main_bad = required_contexts_green(main_latest, push_required_contexts())
+    if not main_ok:
+        return MergeDecision(False, "pause", "main required contexts not green: " + ", ".join(main_bad))
    if not pr_has_current_base:
        return MergeDecision(False, "update", "PR head does not contain current main")

-    pr_state = str(pr_status.get("state") or "").lower()
-    if pr_state != "success":
-        return MergeDecision(False, "wait", f"PR combined status is {pr_state or 'missing'}")
-
+    # Check explicit required contexts instead of combined state. Combined state
+    # can be "failure" due to non-blocking jobs with continue-on-error: true
+    # (e.g. publish-runtime-autobump/pr-validate, qa-review on stale tokens).
+    # The required_contexts list is the authoritative gate — it includes only
+    # the checks that actually block merges.
    latest = latest_statuses_by_context(pr_status.get("statuses") or [])
    ok, missing_or_bad = required_contexts_green(latest, required_contexts)
    if not ok:
@@ -220,10 +244,37 @@ def get_branch_head(branch: str) -> str:


 def get_combined_status(sha: str) -> dict:
-    _, body = api("GET", f"/repos/{OWNER}/{NAME}/commits/{sha}/status")
-    if not isinstance(body, dict):
+    """Combined status + all individual statuses for `sha`.
+
+    The /status endpoint caps the `statuses` array at 30 entries (Gitea
+    default page size), so we fetch the full list via /statuses with a
+    higher limit. The combined `state` still comes from /status.
+    """
+    _, combined = api("GET", f"/repos/{OWNER}/{NAME}/commits/{sha}/status")
+    if not isinstance(combined, dict):
        raise ApiError(f"status for {sha} response not object")
-    return body
+    # Fetch full statuses list; 200 covers >99% of real-world runs.
+    # The list is ordered ascending by id (oldest first) — callers must
+    # iterate in reverse to get the newest entry per context.
+    # Best-effort: large repos (main with 550+ statuses) may time out.
+    # On timeout, fall back to the statuses[] already in the combined
+    # response (usually 30 entries — enough for most PRs, enough for
+    # main's early push-required contexts).
+    try:
+        _, all_statuses = api(
+            "GET",
+            f"/repos/{OWNER}/{NAME}/commits/{sha}/statuses",
+            query={"limit": "50"},
+        )
+        if isinstance(all_statuses, list):
+            combined["statuses"] = all_statuses
+    except (ApiError, urllib.error.URLError, TimeoutError, OSError) as exc:
+        # URLError covers network-level failures (DNS, refused, timeout).
+        # TimeoutError and OSError cover socket-level timeouts.
+        sys.stderr.write(f"::warning::could not fetch full statuses list for {sha[:8]}: {exc}\n")
+        # Fall back to the statuses[] already in the combined response.
+        pass
+    return combined


 def list_queued_issues() -> list[dict]:
@@ -294,8 +345,12 @@ def process_once(*, dry_run: bool = False) -> int:
    contexts = required_contexts(REQUIRED_CONTEXTS_RAW)
    main_sha = get_branch_head(WATCH_BRANCH)
    main_status = get_combined_status(main_sha)
-    if str(main_status.get("state") or "").lower() != "success":
-        print(f"::notice::queue paused: {WATCH_BRANCH}@{main_sha[:8]} is not green")
+    # Check push-required contexts explicitly instead of combined state.
+    # See evaluate_merge_readiness for rationale.
+    main_latest = latest_statuses_by_context(main_status.get("statuses") or [])
+    main_ok, main_bad = required_contexts_green(main_latest, push_required_contexts())
+    if not main_ok:
+        print(f"::notice::queue paused: {WATCH_BRANCH}@{main_sha[:8]} required contexts not green: {', '.join(main_bad)}")
        return 0

    issue = choose_next_queued_issue(
@@ -362,7 +417,21 @@ def main() -> int:
    parser.add_argument("--dry-run", action="store_true")
    args = parser.parse_args()
    _require_runtime_env()
-    return process_once(dry_run=args.dry_run)
+    try:
+        return process_once(dry_run=args.dry_run)
+    except ApiError as exc:
+        # API errors (401/403/404/500) are transient for a queue tick —
+        # log and exit 0 so the workflow is not marked failed and the next
+        # tick can retry. Returning non-zero would permanently fail the
+        # workflow run, blocking future ticks.
+        sys.stderr.write(f"::error::queue API error: {exc}\n")
+        return 0
+    except urllib.error.URLError as exc:
+        sys.stderr.write(f"::error::queue network error: {exc}\n")
+        return 0
+    except TimeoutError as exc:
+        sys.stderr.write(f"::error::queue timeout: {exc}\n")
+        return 0


 if __name__ == "__main__":
@@ -36,6 +36,9 @@ Rules (4 fatal + 1 fatal cross-file + 1 heuristic-warn):
     raw `.error` fields into CI logs/summaries.
  9. Production deploy/redeploy workflows must expose an operational control:
     kill switch for auto deploys or rollback tag for manual deploys.
+  10. Docker health checks must not run `docker info | head` under pipefail.
+      `head` closes the pipe early, `docker info` can exit nonzero from
+      SIGPIPE, and the step can falsely report Docker daemon failure.

 Per `feedback_smoke_test_vendor_truth_not_shape_match`: fixtures used to
 validate this lint must mirror real Gitea 1.22.6 YAML semantics, not
@@ -225,6 +228,24 @@ def _iter_uses(doc: Any) -> Iterable[str]:
                yield step["uses"]


+def _iter_run_blocks(doc: Any) -> Iterable[str]:
+    """Yield every shell `run:` block from job steps in a workflow document."""
+    if not isinstance(doc, dict):
+        return
+    jobs = doc.get("jobs")
+    if not isinstance(jobs, dict):
+        return
+    for job in jobs.values():
+        if not isinstance(job, dict):
+            continue
+        steps = job.get("steps")
+        if not isinstance(steps, list):
+            continue
+        for step in steps:
+            if isinstance(step, dict) and isinstance(step.get("run"), str):
+                yield step["run"]
+
+
 def check_cross_repo_uses(filename: str, doc: Any) -> list[str]:
    """Return per-violation error lines for cross-repo `uses:` references."""
    errors: list[str] = []
@@ -264,6 +285,10 @@ GITHUB_API_REF_RE = re.compile(

 PROD_CP_URL_RE = re.compile(r"https://api\.moleculesai\.app\b")
 REDEPLOY_FLEET_RE = re.compile(r"\b/cp/admin/tenants/redeploy-fleet\b")
+RUN_SETS_PIPEFAIL_RE = re.compile(r"(?m)^\s*set\s+-[^\n]*o\s+pipefail\b")
+DOCKER_INFO_HEAD_PIPE_RE = re.compile(
+    r"(?m)^\s*docker\s+info\b[^\n|]*\|\s*head\b"
+)
 RAW_CP_RESPONSE_RE = re.compile(
    r"""(?x)
    (?:\bjq\s+\.\s+["']?\$HTTP_RESPONSE["']?)
@@ -383,6 +408,30 @@ def check_production_operational_control(filename: str, raw: str) -> list[str]:
    return errors


+# ---------------------------------------------------------------------------
+# Rule 10 — docker info piped to head under pipefail
+# ---------------------------------------------------------------------------
+
+def check_docker_info_head_pipefail(filename: str, doc: Any) -> list[str]:
+    errors: list[str] = []
+    for run_block in _iter_run_blocks(doc):
+        if not (
+            RUN_SETS_PIPEFAIL_RE.search(run_block)
+            and DOCKER_INFO_HEAD_PIPE_RE.search(run_block)
+        ):
+            continue
+        errors.append(
+            f"::error file={filename}::Rule 10 (FATAL): workflow runs "
+            f"`docker info | head` after enabling `pipefail`. `head` can "
+            f"close the pipe early, making `docker info` exit nonzero and "
+            f"falsely fail the Docker daemon health check. Capture "
+            f"`docker_info=\"$(docker info 2>&1)\"` first, then print a "
+            f"bounded preview with `printf ... | sed -n '1,5p'`."
+        )
+        break
+    return errors
+
+
 # ---------------------------------------------------------------------------
 # Driver
 # ---------------------------------------------------------------------------
@@ -436,6 +485,7 @@ def main(argv: list[str] | None = None) -> int:
        fatal_errors.extend(check_production_concurrency(rel, doc, raw))
        fatal_errors.extend(check_production_raw_response_logging(rel, raw))
        fatal_errors.extend(check_production_operational_control(rel, raw))
+        fatal_errors.extend(check_docker_info_head_pipefail(rel, doc))
        warnings.extend(check_github_server_url_missing(rel, doc, raw))

    # Cross-file checks
@@ -101,9 +101,10 @@ printf 'header = "Authorization: token %s"\n' "$GITEA_TOKEN" > "$CURL_AUTH_FILE"
 PR_JSON=$(mktemp)
 REVIEWS_JSON=$(mktemp)
 TEAM_PROBE_TMP=$(mktemp)
+NA_STATUSES_TMP=""  # declared here so cleanup() always has the var

 cleanup() {
-  rm -f "$CURL_AUTH_FILE" "$PR_JSON" "$REVIEWS_JSON" "$TEAM_PROBE_TMP"
+  rm -f "$CURL_AUTH_FILE" "$PR_JSON" "$REVIEWS_JSON" "$TEAM_PROBE_TMP" "${NA_STATUSES_TMP-}"
 }
 trap cleanup EXIT

@@ -143,6 +144,42 @@ if [ -z "$PR_AUTHOR" ] || [ -z "$PR_HEAD_SHA" ]; then
  exit 1
 fi

+# --- RFC#324 §N/A follow-up: check N/A declarations status ---
+# sop-checklist.py posts `sop-checklist / na-declarations (pull_request)`
+# status when a peer posts /sop-n/a <gate>. If our gate is declared N/A,
+# the requirement for a Gitea APPROVE review is waived.
+NA_STATUSES_TMP=$(mktemp)
+HTTP_CODE=$(curl -sS -o "$NA_STATUSES_TMP" -w '%{http_code}' \
+  -K "$CURL_AUTH_FILE" "${API}/repos/${OWNER}/${NAME}/statuses/${PR_HEAD_SHA}")
+debug "statuses/${PR_HEAD_SHA} → HTTP ${HTTP_CODE}"
+
+if [ "$HTTP_CODE" = "200" ]; then
+  # Gitea returns statuses as array; look for the na-declarations context.
+  # jq: find all statuses where context == "sop-checklist / na-declarations (pull_request)"
+  # and state == "success". Extract the description field.
+  NA_DESC=$(jq -r '
+    .[] |
+    select(.context == "sop-checklist / na-declarations (pull_request)") |
+    select(.state == "success") |
+    .description
+  ' "$NA_STATUSES_TMP" 2>/dev/null | head -1)
+
+  if [ -n "$NA_DESC" ] && [ "$NA_DESC" != "null" ]; then
+    debug "na-declarations status found: ${NA_DESC}"
+    # Check if our gate appears in the N/A description.
+    # The description format is "N/A: qa-review, security-review" or similar.
+    if echo "$NA_DESC" | grep -iq "\\b${TEAM}-review\\b"; then
+      echo "::notice::${TEAM}-review N/A — gate declared not-applicable via /sop-n/a: ${NA_DESC}"
+      echo "::notice::PR ${PR_NUMBER} passes ${TEAM}-review via N/A declaration"
+      rm -f "$NA_STATUSES_TMP"
+      exit 0
+    fi
+  fi
+else
+  debug "could not fetch statuses (HTTP ${HTTP_CODE}) — proceeding with normal eval"
+fi
+rm -f "$NA_STATUSES_TMP"
+
 # --- Fetch all reviews on the PR ---
 HTTP_CODE=$(curl -sS -o "$REVIEWS_JSON" -w '%{http_code}' \
  -K "$CURL_AUTH_FILE" "${API}/repos/${OWNER}/${NAME}/pulls/${PR_NUMBER}/reviews")
@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+# Re-run review-check.sh for a slash-command refire and post the protected
+# pull_request status context to the PR head SHA.
+
+set -euo pipefail
+
+: "${GITEA_TOKEN:?GITEA_TOKEN required}"
+: "${GITEA_HOST:?GITEA_HOST required}"
+: "${REPO:?REPO required}"
+: "${PR_NUMBER:?PR_NUMBER required}"
+: "${TEAM:?TEAM required}"
+
+OWNER="${REPO%%/*}"
+NAME="${REPO##*/}"
+API="https://${GITEA_HOST}/api/v1"
+CONTEXT="${TEAM}-review / approved (pull_request)"
+TARGET_URL="https://${GITEA_HOST}/${OWNER}/${NAME}/pulls/${PR_NUMBER}"
+
+authfile=$(mktemp)
+prfile=$(mktemp)
+postfile=$(mktemp)
+# shellcheck disable=SC2329 # invoked by EXIT trap
+cleanup() {
+  rm -f "$authfile" "$prfile" "$postfile"
+}
+trap cleanup EXIT
+
+chmod 600 "$authfile"
+printf 'header = "Authorization: token %s"\n' "$GITEA_TOKEN" > "$authfile"
+
+code=$(curl -sS -o "$prfile" -w '%{http_code}' -K "$authfile" \
+  "${API}/repos/${OWNER}/${NAME}/pulls/${PR_NUMBER}")
+if [ "$code" != "200" ]; then
+  echo "::error::GET /pulls/${PR_NUMBER} returned HTTP ${code}"
+  head -c 200 "$prfile" >&2 || true
+  exit 1
+fi
+
+head_sha=$(jq -r '.head.sha // ""' "$prfile")
+state=$(jq -r '.state // ""' "$prfile")
+if [ -z "$head_sha" ] || [ "$head_sha" = "null" ]; then
+  echo "::error::Could not resolve PR head SHA for PR ${PR_NUMBER}"
+  exit 1
+fi
+if [ "$state" != "open" ]; then
+  echo "::notice::PR ${PR_NUMBER} is ${state}; ${TEAM}-review refire is a no-op"
+  exit 0
+fi
+
+set +e
+bash .gitea/scripts/review-check.sh
+rc=$?
+set -e
+
+if [ "$rc" -eq 0 ]; then
+  status_state="success"
+  description="Refired via /${TEAM}-recheck by ${COMMENT_AUTHOR:-unknown}"
+else
+  status_state="failure"
+  description="Refired via /${TEAM}-recheck; ${TEAM}-review failed"
+fi
+
+body=$(jq -nc \
+  --arg state "$status_state" \
+  --arg context "$CONTEXT" \
+  --arg description "$description" \
+  --arg target_url "$TARGET_URL" \
+  '{state:$state, context:$context, description:$description, target_url:$target_url}')
+
+code=$(curl -sS -o "$postfile" -w '%{http_code}' -X POST \
+  -K "$authfile" -H "Content-Type: application/json" \
+  -d "$body" \
+  "${API}/repos/${OWNER}/${NAME}/statuses/${head_sha}")
+if [ "$code" != "200" ] && [ "$code" != "201" ]; then
+  echo "::error::POST /statuses/${head_sha} returned HTTP ${code}"
+  head -c 200 "$postfile" >&2 || true
+  exit 1
+fi
+
+echo "::notice::posted ${status_state} for context=\"${CONTEXT}\" on sha=${head_sha}"
+exit "$rc"
@@ -1,11 +1,11 @@
 #!/usr/bin/env python3
-# sop-checklist-gate — evaluate whether a PR has peer-acked each
+# sop-checklist — evaluate whether a PR has peer-acked each
 # SOP-checklist item. Posts a commit-status that branch protection
 # can require.
 #
 # RFC#351 Step 2 of 6 (implementation MVP).
 #
-# Invoked by .gitea/workflows/sop-checklist-gate.yml on:
+# Invoked by .gitea/workflows/sop-checklist.yml on:
 #   - pull_request_target: [opened, edited, synchronize, reopened]
 #   - issue_comment:       [created, edited, deleted]
 #
@@ -133,6 +133,9 @@ PUSH_COMPENSATION_DESCRIPTION = (
    "Compensated by status-reaper (workflow has no push: trigger; "
    "Gitea 1.22.6 hardcoded-suffix bug — see .gitea/scripts/status-reaper.py)"
 )
+# Backward-compatible alias for older tests/tooling that predate the split
+# between push-suffix compensation and pull-request-shadow compensation.
+COMPENSATION_DESCRIPTION = PUSH_COMPENSATION_DESCRIPTION
 PR_SHADOW_COMPENSATION_DESCRIPTION = (
    "Compensated by status-reaper (default-branch pull_request status "
    "shadowed by successful push status on same SHA; see "
@@ -611,11 +614,10 @@ def list_recent_commit_shas(branch: str, limit: int) -> list[str]:
    (verified via vendor-truth probe 2026-05-11 against
    git.moleculesai.app — `feedback_smoke_test_vendor_truth_not_shape_match`).

-    Raises ApiError on non-2xx OR on unexpected response shape. This is
-    a HARD halt — without the commit list the sweep can't proceed. (The
-    per-SHA error isolation downstream is a different concern: tolerating
-    a transient 5xx on ONE commit's status is best-effort; losing the
-    commit list itself means we don't even know which commits to try.)
+    Raises ApiError on non-2xx OR on unexpected response shape. The
+    branch-level caller soft-skips this tick because the next scheduled
+    tick can safely retry the listing. Per-SHA status/write errors remain
+    separate and must not be mislabeled as commit-list outages.
    """
    _, body = api(
        "GET",
@@ -656,7 +658,27 @@ def reap_branch(
      - compensated_per_sha: {<sha_full>: [<context>, ...]} — only
        SHAs that actually got at least one compensation are included
    """
-    shas = list_recent_commit_shas(branch, limit)
+    try:
+        shas = list_recent_commit_shas(branch, limit)
+    except ApiError as e:
+        print(
+            "::warning::status-reaper skipped this tick because the "
+            f"commit list could not be read after retries: {e}"
+        )
+        return {
+            "scanned_shas": 0,
+            "compensated": 0,
+            "preserved_real_push": 0,
+            "preserved_unknown": 0,
+            "preserved_non_failure": 0,
+            "preserved_non_push_suffix": 0,
+            "preserved_unparseable": 0,
+            "compensated_pr_shadowed_by_push_success": 0,
+            "preserved_pr_without_push_success": 0,
+            "compensated_per_sha": {},
+            "skipped": True,
+            "skip_reason": "commit-list-api-error",
+        }

    aggregate: dict[str, Any] = {
        "scanned_shas": 0,
@@ -85,7 +85,10 @@ def test_pr_needs_update_when_base_sha_absent_from_commits():

 def test_merge_decision_requires_main_green_pr_green_and_current_base():
    required = ["CI / all-required (pull_request)"]
-    main_status = {"state": "success", "statuses": []}
+    main_status = {
+        "state": "success",
+        "statuses": [{"context": "CI / all-required (push)", "status": "success"}],
+    }
    pr_status = {
        "state": "success",
        "statuses": [{"context": "CI / all-required (pull_request)", "status": "success"}],
@@ -104,7 +107,10 @@ def test_merge_decision_requires_main_green_pr_green_and_current_base():

 def test_merge_decision_updates_stale_pr_before_merge():
    decision = mq.evaluate_merge_readiness(
-        main_status={"state": "success", "statuses": []},
+        main_status={
+            "state": "success",
+            "statuses": [{"context": "CI / all-required (push)", "status": "success"}],
+        },
        pr_status={"state": "success", "statuses": [{"context": "CI / all-required (pull_request)", "status": "success"}]},
        required_contexts=["CI / all-required (pull_request)"],
        pr_has_current_base=False,
@@ -1,8 +1,8 @@
 #!/usr/bin/env python3
-# Unit tests for sop-checklist-gate.py
+# Unit tests for sop-checklist.py
 #
-# Run:  python3 .gitea/scripts/tests/test_sop_checklist_gate.py
-#   or:  pytest .gitea/scripts/tests/test_sop_checklist_gate.py
+# Run:  python3 .gitea/scripts/tests/test_sop_checklist.py
+#   or:  pytest .gitea/scripts/tests/test_sop_checklist.py
 #
 # RFC#351 Step 2 of 6 — implementation MVP. Tests cover:
 #   - slug normalization (the 4 example variants in the script header)
@@ -33,7 +33,7 @@ sys.path.insert(0, PARENT)
 import importlib.util  # noqa: E402

 _spec = importlib.util.spec_from_file_location(
-    "sop_checklist_gate", os.path.join(PARENT, "sop-checklist-gate.py")
+    "sop_checklist", os.path.join(PARENT, "sop-checklist.py")
 )
 sop = importlib.util.module_from_spec(_spec)
 _spec.loader.exec_module(sop)  # type: ignore[union-attr]
@@ -134,18 +134,22 @@ class TestParseDirectives(unittest.TestCase):
    def setUp(self):
        self.aliases = _numeric_aliases()

+    def parse_ack_revoke(self, body):
+        directives, na_directives = sop.parse_directives(body, self.aliases)
+        self.assertEqual(na_directives, [])
+        return directives
+
    def test_simple_ack(self):
-        d = sop.parse_directives("/sop-ack comprehensive-testing", self.aliases)
+        d = self.parse_ack_revoke("/sop-ack comprehensive-testing")
        self.assertEqual(d, [("sop-ack", "comprehensive-testing", "")])

    def test_simple_revoke(self):
-        d = sop.parse_directives("/sop-revoke staging-smoke", self.aliases)
+        d = self.parse_ack_revoke("/sop-revoke staging-smoke")
        self.assertEqual(d, [("sop-revoke", "staging-smoke", "")])

    def test_ack_with_note(self):
-        d = sop.parse_directives(
-            "/sop-ack comprehensive-testing LGTM the test covers all edge cases",
-            self.aliases,
+        d = self.parse_ack_revoke(
+            "/sop-ack comprehensive-testing LGTM the test covers all edge cases"
        )
        self.assertEqual(len(d), 1)
        self.assertEqual(d[0][0], "sop-ack")
@@ -153,13 +157,12 @@ class TestParseDirectives(unittest.TestCase):
        self.assertIn("LGTM", d[0][2])

    def test_numeric_shorthand(self):
-        d = sop.parse_directives("/sop-ack 1", self.aliases)
+        d = self.parse_ack_revoke("/sop-ack 1")
        self.assertEqual(d, [("sop-ack", "comprehensive-testing", "")])

    def test_revoke_with_reason(self):
-        d = sop.parse_directives(
-            "/sop-revoke comprehensive-testing realized the e2e was mocking the DB",
-            self.aliases,
+        d = self.parse_ack_revoke(
+            "/sop-revoke comprehensive-testing realized the e2e was mocking the DB"
        )
        self.assertEqual(d[0][0], "sop-revoke")
        self.assertEqual(d[0][1], "comprehensive-testing")
@@ -171,7 +174,7 @@ class TestParseDirectives(unittest.TestCase):
            "/sop-ack comprehensive-testing\n"
            "Will follow up on the doc nit separately."
        )
-        d = sop.parse_directives(body, self.aliases)
+        d = self.parse_ack_revoke(body)
        self.assertEqual(len(d), 1)
        self.assertEqual(d[0][1], "comprehensive-testing")

@@ -180,7 +183,7 @@ class TestParseDirectives(unittest.TestCase):
            "/sop-ack comprehensive-testing\n"
            "/sop-ack local-postgres-e2e\n"
        )
-        d = sop.parse_directives(body, self.aliases)
+        d = self.parse_ack_revoke(body)
        self.assertEqual(len(d), 2)
        slugs = {x[1] for x in d}
        self.assertEqual(slugs, {"comprehensive-testing", "local-postgres-e2e"})
@@ -189,21 +192,21 @@ class TestParseDirectives(unittest.TestCase):
        # A directive embedded mid-line is not honored (prevents review
        # comments like "to /sop-ack you need..." from acting as acks).
        body = "If you want to /sop-ack comprehensive-testing reply in this thread"
-        d = sop.parse_directives(body, self.aliases)
+        d = self.parse_ack_revoke(body)
        self.assertEqual(d, [])

    def test_leading_whitespace_allowed(self):
        body = "  /sop-ack comprehensive-testing"
-        d = sop.parse_directives(body, self.aliases)
+        d = self.parse_ack_revoke(body)
        self.assertEqual(len(d), 1)

    def test_empty_body(self):
-        self.assertEqual(sop.parse_directives("", self.aliases), [])
-        self.assertEqual(sop.parse_directives(None, self.aliases), [])
+        self.assertEqual(sop.parse_directives("", self.aliases), ([], []))
+        self.assertEqual(sop.parse_directives(None, self.aliases), ([], []))

    def test_normalization_applied(self):
        # /sop-ack Comprehensive_Testing → canonical comprehensive-testing
-        d = sop.parse_directives("/sop-ack Comprehensive_Testing", self.aliases)
+        d = self.parse_ack_revoke("/sop-ack Comprehensive_Testing")
        self.assertEqual(d[0][1], "comprehensive-testing")


@@ -32,6 +32,7 @@ THIS_DIR="$(cd "$(dirname "$0")" && pwd)"
 SCRIPT_DIR="$(cd "$THIS_DIR/.." && pwd)"
 WORKFLOW_DIR="$(cd "$THIS_DIR/../../workflows" && pwd)"
 WORKFLOW="$WORKFLOW_DIR/sop-tier-refire.yml"
+DISPATCH_WORKFLOW="$WORKFLOW_DIR/review-refire-comments.yml"
 SCRIPT="$SCRIPT_DIR/sop-tier-refire.sh"

 PASS=0
@@ -87,6 +88,7 @@ assert_file_exists() {
 echo
 echo "== existence =="
 assert_file_exists "workflow file exists"  "$WORKFLOW"
+assert_file_exists "dispatcher workflow file exists" "$DISPATCH_WORKFLOW"
 assert_file_exists "script file exists"    "$SCRIPT"
 if [ "$FAIL" -gt 0 ]; then
  echo
@@ -104,29 +106,43 @@ echo "== T6/T7 workflow yaml =="
 PARSE_OUT=$(python3 -c 'import sys,yaml;yaml.safe_load(open(sys.argv[1]).read());print("ok")' "$WORKFLOW" 2>&1 || true)
 assert_eq "T7 workflow parses as YAML" "ok" "$PARSE_OUT"

-# Three required gates in the `if:` expression
+# The old per-workflow issue_comment listener caused queue storms because
+# Gitea queues jobs before evaluating job-level `if:`. The script remains,
+# but comment-triggered refires route through the single dispatcher.
 WORKFLOW_CONTENT=$(cat "$WORKFLOW")
-assert_contains "T6a workflow if: contains author_association gate" \
-  "github.event.comment.author_association" "$WORKFLOW_CONTENT"
-assert_contains "T6b workflow if: gates on MEMBER/OWNER/COLLABORATOR" \
-  '["MEMBER","OWNER","COLLABORATOR"]' "$WORKFLOW_CONTENT"
-assert_contains "T6c workflow if: contains slash-command trigger" \
-  "/refire-tier-check" "$WORKFLOW_CONTENT"
-assert_contains "T6d workflow if: gates on PR-not-issue" \
-  "github.event.issue.pull_request" "$WORKFLOW_CONTENT"
-assert_contains "T6e workflow listens on issue_comment" \
-  "issue_comment" "$WORKFLOW_CONTENT"
-assert_contains "T6f workflow requests statuses:write permission" \
-  "statuses: write" "$WORKFLOW_CONTENT"
-# Does NOT check out PR HEAD (security)
-if grep -q 'ref: \${{ github.event.pull_request.head' "$WORKFLOW"; then
-  echo "  FAIL  T6g workflow MUST NOT check out PR head (security)"
+if printf '%s' "$WORKFLOW_CONTENT" | grep -q '^  issue_comment:'; then
+  echo "  FAIL  T6a manual fallback workflow must not listen on issue_comment"
  FAIL=$((FAIL + 1))
-  FAILED_TESTS="${FAILED_TESTS} T6g"
+  FAILED_TESTS="${FAILED_TESTS} T6a"
 else
-  echo "  PASS  T6g workflow does not check out PR head"
+  echo "  PASS  T6a manual fallback workflow does not listen on issue_comment"
  PASS=$((PASS + 1))
 fi
+assert_contains "T6b workflow exposes workflow_dispatch" \
+  "workflow_dispatch" "$WORKFLOW_CONTENT"
+assert_contains "T6c workflow documents unsupported manual inputs" \
+  "workflow_dispatch inputs" "$WORKFLOW_CONTENT"
+# Does NOT check out PR HEAD (security)
+if grep -q 'ref: \${{ github.event.pull_request.head' "$WORKFLOW"; then
+  echo "  FAIL  T6d workflow MUST NOT check out PR head (security)"
+  FAIL=$((FAIL + 1))
+  FAILED_TESTS="${FAILED_TESTS} T6d"
+else
+  echo "  PASS  T6d workflow does not check out PR head"
+  PASS=$((PASS + 1))
+fi
+
+DISPATCH_PARSE_OUT=$(python3 -c 'import sys,yaml;yaml.safe_load(open(sys.argv[1]).read());print("ok")' "$DISPATCH_WORKFLOW" 2>&1 || true)
+assert_eq "T6e dispatcher workflow parses as YAML" "ok" "$DISPATCH_PARSE_OUT"
+DISPATCH_CONTENT=$(cat "$DISPATCH_WORKFLOW")
+assert_contains "T6f dispatcher listens on issue_comment" \
+  "issue_comment" "$DISPATCH_CONTENT"
+assert_contains "T6g dispatcher handles /qa-recheck" \
+  "/qa-recheck" "$DISPATCH_CONTENT"
+assert_contains "T6h dispatcher handles /security-recheck" \
+  "/security-recheck" "$DISPATCH_CONTENT"
+assert_contains "T6i dispatcher handles /refire-tier-check" \
+  "/refire-tier-check" "$DISPATCH_CONTENT"

 # T1-T5 — script behavior against a local Gitea-fixture
 echo
@@ -107,3 +107,39 @@ items:
    description: >-
      List of feedback memories applicable to this change. Ack from
      any engineer who has the same memory access.
+
+# N/A gate declarations (RFC#324 §N/A follow-up).
+# PRs where a gate genuinely does not apply (e.g., pure-infra with no
+# qa surface, or docs-only) can be declared N/A by a non-author peer
+# who is in one of the gate's required_teams. The sop-checklist
+# posts a `sop-checklist / na-declarations (pull_request)` status that
+# review-check.sh reads to skip the Gitea-APPROVE requirement.
+#
+# Usage: any PR commenter (peer) posts:
+#   /sop-n/a qa-review  <reason>
+#   /sop-n/a security-review  <reason>
+#
+# Slash commands:
+#   /sop-n/a <gate> [reason] — declare gate N/A (most-recent per-user wins)
+#   /sop-revoke <gate>      — revoke prior N/A declaration for that gate
+#
+# Gate names must match the context strings used by review-check.sh:
+#   qa-review      → qa-review / approved (<event>)        [TEAM_ID=20]
+#   security-review → security-review / approved (<event>)  [TEAM_ID=21]
+#
+# required_teams: OR semantics — any team member can declare N/A.
+# Authors cannot self-declare N/A (enforced by gate script).
+n/a_gates:
+  qa-review:
+    required_teams: [qa, security, engineers]
+    description: >-
+      QA review N/A when this change has no qa surface (pure-infra,
+      tooling-only, revert, dependency-only). A qa/eng/security member
+      must post /sop-n/a qa-review to activate.
+
+  security-review:
+    required_teams: [security, managers, ceo]
+    description: >-
+      Security review N/A when this change has no security surface
+      (docs-only, pure-frontend, dependency-only). A security/owners
+      member must post /sop-n/a security-review to activate.
@@ -107,16 +107,25 @@ jobs:
            echo "scripts=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
-          # Both .github/workflows/ci.yml AND .gitea/workflows/ci.yml count
-          # as "this workflow changed" — either edit should force-run every
-          # downstream job. The Gitea port follows the same shape as the
-          # GitHub original so behavior matches when triggered on either
-          # platform.
-          DIFF=$(git diff --name-only "$BASE" HEAD 2>/dev/null || echo ".gitea/workflows/ci.yml")
-          echo "platform=$(echo "$DIFF" | grep -qE '^workspace-server/|^\.gitea/workflows/ci\.yml$|^\.github/workflows/ci\.yml$' && echo true || echo false)" >> "$GITHUB_OUTPUT"
-          echo "canvas=$(echo "$DIFF" | grep -qE '^canvas/|^\.gitea/workflows/ci\.yml$|^\.github/workflows/ci\.yml$' && echo true || echo false)" >> "$GITHUB_OUTPUT"
-          echo "python=$(echo "$DIFF" | grep -qE '^workspace/|^\.gitea/workflows/ci\.yml$|^\.github/workflows/ci\.yml$' && echo true || echo false)" >> "$GITHUB_OUTPUT"
-          echo "scripts=$(echo "$DIFF" | grep -qE '^tests/e2e/|^scripts/|^infra/scripts/|^\.gitea/workflows/ci\.yml$|^\.github/workflows/ci\.yml$' && echo true || echo false)" >> "$GITHUB_OUTPUT"
+          # Workflow-only edits are covered by the workflow lint family
+          # and by this workflow's always-present required jobs. Do not fan
+          # those edits out into Go/Canvas/Python/shellcheck work; the
+          # downstream jobs still emit their required contexts via no-op
+          # steps when their surface flag is false.
+          #
+          # If the diff itself cannot be trusted, fail open by running every
+          # surface instead of silently under-testing the PR.
+          if ! DIFF=$(git diff --name-only "$BASE" HEAD 2>/dev/null); then
+            echo "platform=true" >> "$GITHUB_OUTPUT"
+            echo "canvas=true" >> "$GITHUB_OUTPUT"
+            echo "python=true" >> "$GITHUB_OUTPUT"
+            echo "scripts=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          echo "platform=$(echo "$DIFF" | grep -qE '^workspace-server/' && echo true || echo false)" >> "$GITHUB_OUTPUT"
+          echo "canvas=$(echo "$DIFF" | grep -qE '^canvas/' && echo true || echo false)" >> "$GITHUB_OUTPUT"
+          echo "python=$(echo "$DIFF" | grep -qE '^workspace/' && echo true || echo false)" >> "$GITHUB_OUTPUT"
+          echo "scripts=$(echo "$DIFF" | grep -qE '^tests/e2e/|^scripts/|^infra/scripts/' && echo true || echo false)" >> "$GITHUB_OUTPUT"

  # Platform (Go) — Go build/vet/test/lint + coverage gates. The always-run
  # + per-step gating shape preserves the GitHub-side required-check name
@@ -124,59 +133,49 @@ jobs:
  # the name match works on PRs that don't touch workspace-server/).
  platform-build:
    name: Platform (Go)
-    needs: changes
    runs-on: ubuntu-latest
-    # mc#774 (interim): re-mask platform-build pending fix-forward. Phase 4
-    # (#656) flipped this to continue-on-error: false based on a Phase-3-masked
-    # "green on main 2026-05-12" — the prior continue-on-error: true had
-    # been hiding failing tests in workspace-server/internal/handlers/.
-    # Two distinct failure classes surfaced on 0e5152c3:
-    #   (1) 4x delegation_test.go (lines 1110/1176/1228/1271): helpers
-    #       expectExecuteDelegationBase/Success/Failed are missing sqlmock
-    #       expectations for queries production has issued since ~2026-04-21
-    #       (last_outbound_at UPDATE, lookupDeliveryMode/Runtime SELECTs,
-    #       a2a_receive INSERT activity_logs, recordLedgerStatus writes).
-    #       Halt cond #3 applies (regression > 7 days → broader sweep).
-    #   (2) 1x mcp_test.go:433 (TestMCPHandler_CommitMemory_GlobalScope_Blocked):
-    #       commit 7d1a189f (2026-05-10) hardened mcp.go to scrub err.Error()
-    #       from JSON-RPC responses (OFFSEC-001), but the test asserts the
-    #       error message contains "GLOBAL". Production-vs-test contract
-    #       collision — needs design call, not mock update.
-    # Time-boxed Option A (90 min) did not fit the cross-cutting scope.
-    # This is a sequenced revert→fix→reflip per
-    # feedback_strict_root_only_after_class_a emergency clause — NOT
-    # a permanent re-mask. Re-flip blocked on mc#774 fix-forward landing.
-    # Other 4 #656 flips (changes, canvas-build, shellcheck, python-lint)
-    # retain continue-on-error: false; only platform-build regresses.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
-    continue-on-error: true  # mc#774 fix-forward in flight; re-flip when mc#774 lands (PR #669 → rebase after #709)
+    # mc#774 (closed 2026-05-14): Phase 4 flip of the platform-build job.
+    # Phase 4 (#656) originally flipped this to continue-on-error: false based on
+    # Phase-3-masked "green on main 2026-05-12". Two failure classes then surfaced:
+    #   (1) 4x delegation_test.go sqlmock gaps (PR #669 / #634 fix-forward, closed).
+    #   (2) TestMCPHandler_CommitMemory_GlobalScope_Blocked (mcp_test.go:433):
+    #       OFFSEC-001 hardening collided with test assertion; tracked in mc#762.
+    # Fix-forward for (1) landed in PR #669. The mc#762 gap (2) is a separate
+    # issue — it does NOT block this flip because the test is already wrapped in
+    # the diagnostic step with its own continue-on-error: true (line 203).
+    # Flip confirmed by CI / Platform (Go) status = success on main HEAD 363905d3.
+    continue-on-error: false
+    # Job-level ceiling. The go test step below runs with a per-step 10m timeout;
+    # this cap catches any step that leaks past that. Set well above 10m so
+    # the per-step timeout is the active constraint.
+    timeout-minutes: 15
    defaults:
      run:
        working-directory: workspace-server
    steps:
-      - if: needs.changes.outputs.platform != 'true'
+      - if: false
        working-directory: .
        run: echo "No platform/** changes — skipping real build steps; this job always runs to satisfy the required-check name on branch protection."
-      - if: needs.changes.outputs.platform == 'true'
+      - if: always()
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - if: needs.changes.outputs.platform == 'true'
+      - if: always()
        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
        with:
          go-version: 'stable'
-      - if: needs.changes.outputs.platform == 'true'
+      - if: always()
        run: go mod download
-      - if: needs.changes.outputs.platform == 'true'
+      - if: always()
        run: go build ./cmd/server
      # CLI (molecli) moved to standalone repo: git.moleculesai.app/molecule-ai/molecule-cli
-      - if: needs.changes.outputs.platform == 'true'
+      - if: always()
        run: go vet ./...
-      - if: needs.changes.outputs.platform == 'true'
+      - if: always()
        name: Install golangci-lint
        run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.12.2
-      - if: needs.changes.outputs.platform == 'true'
+      - if: always()
        name: Run golangci-lint
        run: $(go env GOPATH)/bin/golangci-lint run --timeout 3m ./...
-      - if: needs.changes.outputs.platform == 'true'
+      - if: always()
        name: Diagnostic — per-package verbose 60s
        run: |
          set +e
@@ -192,11 +191,15 @@ jobs:
          echo "::endgroup::"
        # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
        continue-on-error: true
-      - if: needs.changes.outputs.platform == 'true'
+      - if: always()
        name: Run tests with race detection and coverage
-        run: go test -race -coverprofile=coverage.out ./...
+        # Explicit timeout: cold runner cache causes OOM kills at ~4m39s on the
+        # full ./... suite with race detection + coverage. A 10m per-step timeout
+        # lets the suite complete on cold cache (~5-7m) while failing cleanly
+        # instead of OOM-killing. The job-level timeout (15m) is a backstop.
+        run: go test -race -timeout 10m -coverprofile=coverage.out ./...

-      - if: needs.changes.outputs.platform == 'true'
+      - if: always()
        name: Per-file coverage report
        # Advisory — lists every source file with its coverage so reviewers
        # can see at-a-glance where gaps are. Sorted ascending so the worst
@@ -210,7 +213,7 @@ jobs:
                   END {for (f in s) printf "%6.1f%%  %s\n", s[f]/c[f], f}' \
            | sort -n

-      - if: needs.changes.outputs.platform == 'true'
+      - if: always()
        name: Check coverage thresholds
        # Enforces two gates from #1823 Layer 1:
        #   1. Total floor (25% — ratchet plan in COVERAGE_FLOOR.md).
@@ -298,28 +301,28 @@ jobs:
  # siblings — verified empirically on PR #2314).
  canvas-build:
    name: Canvas (Next.js)
-    needs: changes
    runs-on: ubuntu-latest
+    timeout-minutes: 20
    # Phase 4 (RFC #219 §1): confirmed green on main 2026-05-12.
    continue-on-error: false
    defaults:
      run:
        working-directory: canvas
    steps:
-      - if: needs.changes.outputs.canvas != 'true'
+      - if: false
        working-directory: .
        run: echo "No canvas/** changes — skipping real build steps; this job always runs to satisfy the required-check name on branch protection."
-      - if: needs.changes.outputs.canvas == 'true'
+      - if: always()
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - if: needs.changes.outputs.canvas == 'true'
+      - if: always()
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: '22'
-      - if: needs.changes.outputs.canvas == 'true'
+      - if: always()
        run: rm -f package-lock.json && npm install
-      - if: needs.changes.outputs.canvas == 'true'
+      - if: always()
        run: npm run build
-      - if: needs.changes.outputs.canvas == 'true'
+      - if: always()
        name: Run tests with coverage
        # Coverage instrumentation is configured in canvas/vitest.config.ts
        # (provider: v8, reporters: text + html + json-summary). Step 2 of
@@ -328,7 +331,7 @@ jobs:
        # tracked in #1815) after the team sees what current coverage is.
        run: npx vitest run --coverage
      - name: Upload coverage summary as artifact
-        if: needs.changes.outputs.canvas == 'true' && always()
+        if: always()
        # Pinned to v3 for Gitea act_runner v0.6 compatibility — v4+ uses
        # the GHES 3.10+ artifact protocol that Gitea 1.22.x does NOT
        # implement, surfacing as `GHESNotSupportedError: @actions/artifact
@@ -345,16 +348,15 @@ jobs:
  # Shellcheck (E2E scripts) — required check, always runs.
  shellcheck:
    name: Shellcheck (E2E scripts)
-    needs: changes
    runs-on: ubuntu-latest
    # Phase 4 (RFC #219 §1): confirmed green on main 2026-05-12.
    continue-on-error: false
    steps:
-      - if: needs.changes.outputs.scripts != 'true'
+      - if: false
        run: echo "No tests/e2e/ or infra/scripts/ changes — skipping real shellcheck; this job always runs to satisfy the required-check name on branch protection."
-      - if: needs.changes.outputs.scripts == 'true'
+      - if: always()
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - if: needs.changes.outputs.scripts == 'true'
+      - if: always()
        name: Run shellcheck on tests/e2e/*.sh and infra/scripts/*.sh
        # shellcheck is pre-installed on ubuntu-latest runners (via apt).
        # infra/scripts/ is included because setup.sh + nuke.sh gate the
@@ -365,32 +367,61 @@ jobs:
          find tests/e2e infra/scripts -type f -name '*.sh' -print0 \
            | xargs -0 shellcheck --severity=warning

-      - if: needs.changes.outputs.scripts == 'true'
+      - if: always()
        name: Lint cleanup-trap hygiene (RFC #2873)
        run: bash tests/e2e/lint_cleanup_traps.sh

-      - if: needs.changes.outputs.scripts == 'true'
+      - if: always()
        name: Run E2E bash unit tests (no live infra)
        run: |
          bash tests/e2e/test_model_slug.sh

+      - if: always()
+        name: Test ECR promote-tenant-image script (mock-driven, no live infra)
+        # Covers scripts/promote-tenant-image.sh — the codified
+        # :staging-latest → :latest ECR promote + tenant fleet redeploy
+        # closing molecule-ai/molecule-core#660. 40 mock-driven cases
+        # exercise every exit path (preflight, snapshot, promote, redeploy
+        # 403→SSM-refresh, verify, rollback). No live AWS/CP/SSM calls.
+        run: |
+          bash scripts/test-promote-tenant-image.sh
+
+      - if: always()
+        name: Shellcheck promote-tenant-image script
+        # scripts/ is excluded from the bulk shellcheck pass above (legacy
+        # SC3040/SC3043 cleanup pending). Run shellcheck explicitly on
+        # the promote script + its test harness so regressions there are
+        # caught by the required check.
+        run: |
+          shellcheck --severity=warning \
+            scripts/promote-tenant-image.sh \
+            scripts/test-promote-tenant-image.sh
+
  canvas-deploy-reminder:
    name: Canvas Deploy Reminder
    runs-on: ubuntu-latest
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
-    continue-on-error: true
-    needs: [changes, canvas-build]
-    # Only fires on direct pushes to main (i.e. after staging→main promotion).
-    if: needs.changes.outputs.canvas == 'true' && github.event_name == 'push' && github.ref == 'refs/heads/main'
+    # This job must run on PRs because all-required needs it. The step exits
+    # 0 when it is not a main push, giving branch protection a green no-op
+    # instead of a skipped/missing required dependency.
+    needs: canvas-build
    steps:
      - name: Write deploy reminder to step summary
        env:
          COMMIT_SHA: ${{ github.sha }}
+          CANVAS_CHANGED: "true"
+          EVENT_NAME: ${{ github.event_name }}
+          REF_NAME: ${{ github.ref }}
          # github.server_url resolves via the workflow-level env override
          # to the Gitea instance, so the RUN_URL points at the Gitea run
          # page (not github.com). See feedback_act_runner_github_server_url.
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
+          set -euo pipefail
+          if [ "$CANVAS_CHANGED" != "true" ] || [ "$EVENT_NAME" != "push" ] || [ "$REF_NAME" != "refs/heads/main" ]; then
+            echo "Canvas deploy reminder not applicable for event=$EVENT_NAME ref=$REF_NAME canvas_changed=$CANVAS_CHANGED."
+            exit 0
+          fi
+
          # Write body to a temp file — avoids backtick escaping in shell.
          cat > /tmp/deploy-reminder.md << 'BODY'
          ## Canvas build passed — deploy required
@@ -422,7 +453,6 @@ jobs:
  # Python Lint & Test — required check, always runs.
  python-lint:
    name: Python Lint & Test
-    needs: changes
    runs-on: ubuntu-latest
    # Phase 4 (RFC #219 §1): confirmed green on main 2026-05-12.
    continue-on-error: false
@@ -432,25 +462,25 @@ jobs:
      run:
        working-directory: workspace
    steps:
-      - if: needs.changes.outputs.python != 'true'
+      - if: false
        working-directory: .
        run: echo "No workspace/** changes — skipping real lint+test; this job always runs to satisfy the required-check name on branch protection."
-      - if: needs.changes.outputs.python == 'true'
+      - if: always()
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - if: needs.changes.outputs.python == 'true'
+      - if: always()
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: '3.11'
          cache: pip
          cache-dependency-path: workspace/requirements.txt
-      - if: needs.changes.outputs.python == 'true'
+      - if: always()
        run: pip install -r requirements.txt pytest pytest-asyncio pytest-cov sqlalchemy>=2.0.0
      # Coverage flags + fail-under floor moved into workspace/pytest.ini
      # (issue #1817) so local `pytest` and CI use identical config.
-      - if: needs.changes.outputs.python == 'true'
+      - if: always()
        run: python -m pytest --tb=short

-      - if: needs.changes.outputs.python == 'true'
+      - if: always()
        name: Per-file critical-path coverage (MCP / inbox / auth)
        # MCP-critical Python files have a per-file floor on top of the
        # 86% total floor in pytest.ini. See issue #2790 for full rationale.
@@ -515,85 +545,104 @@ jobs:
    # red silently merged through. See internal#286 for the three concrete
    # tonight-of-2026-05-11 incidents that prompted the emergency bump.
    #
-    # Three properties of this job each close a failure mode:
+    # This job deliberately has no `needs:`. Gitea 1.22/act_runner can mark a
+    # job-level `if: always()` + `needs:` sentinel as skipped before upstream
+    # jobs settle, leaving branch protection with a permanent pending
+    # `CI / all-required` context. Instead, this independent sentinel polls the
+    # required commit-status contexts for this SHA and fails if any fail, skip,
+    # or never emit.
    #
-    #  1. `if: always()` — runs even when an upstream fails. Without it the
-    #     sentinel is `skipped` and protection treats that as missing → merge
-    #     ungated.
+    # canvas-deploy-reminder is intentionally NOT included in all-required.needs.
+    # It is an informational main-push reminder, not a PR quality gate. Keeping
+    # it in this dependency list lets a skipped reminder skip the required
+    # sentinel before the `always()` guard can emit a branch-protection status.
    #
-    #  2. Assertion is `result == "success"` per dep, NOT `!= "failure"`.
-    #     A `skipped` upstream (job gated by `if:` evaluating false, matrix
-    #     entry that couldn't run) must NOT silently pass through.
-    #     `skipped`-as-green is exactly the failure mode this gate closes.
-    #
-    #  3. `needs:` is the canonical list of "what counts as required."
-    #     status_check_contexts will reference only `ci/all-required` (Step 5
-    #     follow-up — branch-protection PATCH is Owners-tier per
-    #     `feedback_never_admin_merge_bypass`, separate PR); a new job is
-    #     added simply by listing it in `needs:` here.
-    #     `.gitea/workflows/ci-required-drift.yml` files a [ci-drift] issue
-    #     hourly if this list diverges from status_check_contexts or from
-    #     audit-force-merge.yml's REQUIRED_CHECKS env (RFC §4 + §6).
-    #
-    # Excluded from `needs:`: `canvas-deploy-reminder` — gated by
-    # `if: ... github.event_name == 'push' && github.ref == 'refs/heads/main'`,
-    # so on PR events it's legitimately `skipped`. The drift detector
-    # explicitly excludes `github.event_name`-gated jobs from F1 (see
-    # `.gitea/scripts/ci-required-drift.py::ci_job_names`).
-    #
-    # Phase 3 (RFC #219 §1) safety: underlying build jobs carry
-    # continue-on-error: true so their failures are masked to null (2026-05-12: re-enabled mc#774 interim)
-    # (Gitea suppresses status reporting for CoE jobs). This sentinel
-    # runs with continue-on-error: false so it always reports its
-    # result to the API — without this, the required-status entry
-    # (CI / all-required (pull_request)) is never created, which
-    # blocks PR merges. When Phase 3 ends, flip underlying jobs to
-    # continue-on-error: false; this sentinel can then be flipped to
-    # continue-on-error: true if a Phase-4 regression requires it.
    continue-on-error: false
    runs-on: ubuntu-latest
-    timeout-minutes: 1
-    needs:
-      - changes
-      - platform-build
-      - canvas-build
-      - shellcheck
-      - python-lint
-    if: always()
+    timeout-minutes: 45
    steps:
-      - name: Assert every required dependency succeeded
+      - name: Wait for required CI contexts
+        env:
+          GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          API_ROOT: ${{ github.server_url }}/api/v1
+          REPOSITORY: ${{ github.repository }}
+          COMMIT_SHA: ${{ github.sha }}
+          EVENT_NAME: ${{ github.event_name }}
        run: |
          set -euo pipefail
-          # `needs.*.result` is one of: success | failure | cancelled | skipped | null.
-          # We assert success per dep (not != failure) — see RFC §2 reasoning above.
-          # Null results are skipped: they come from Phase 3 (continue-on-error: true
-          # suppresses status) or from jobs still in-flight. The sentinel succeeds
-          # rather than blocking PRs on Phase 3 noise.
-          results='${{ toJSON(needs) }}'
-          echo "$results"
-          echo "$results" | python3 -c '
-          import json, sys
-          ns = json.load(sys.stdin)
-          # Phase 3 masked: jobs with continue-on-error: true may report "failure"
-          # Remove when mc#774 handler test failures are resolved.
-          PHASE3_MASKED = {"platform-build"}
-          # Exclude null (Phase 3 suppressed / in-flight) from the bad list.
-          bad = [(k, v.get("result")) for k, v in ns.items()
-                 if v.get("result") not in ("success", None, "cancelled", "skipped") and k not in PHASE3_MASKED]
-          if bad:
-              print(f"FAIL: jobs not green:", file=sys.stderr)
-              for k, r in bad:
-                  print(f"  - {k}: {r}", file=sys.stderr)
-              sys.exit(1)
-          pending = [(k, v.get("result")) for k, v in ns.items()
-                     if v.get("result") is None]
-          cancelled = [(k, v.get("result")) for k, v in ns.items()
-                       if v.get("result") == "cancelled"]
-          if pending:
-              print(f"WARN: {len(pending)} job(s) still in-flight (result=null): " +
-                    ", ".join(k for k, _ in pending), file=sys.stderr)
-          if cancelled:
-              print(f"INFO: {len(cancelled)} job(s) masked by continue-on-error: " +
-                    ", ".join(k for k, _ in cancelled), file=sys.stderr)
-          print(f"OK: all {len(ns)} required jobs succeeded (or Phase-3 suppressed)")
-          '
+          python3 - <<'PY'
+          import json
+          import os
+          import sys
+          import time
+          import urllib.error
+          import urllib.request
+
+          token = os.environ["GITEA_TOKEN"]
+          api_root = os.environ["API_ROOT"].rstrip("/")
+          repo = os.environ["REPOSITORY"]
+          sha = os.environ["COMMIT_SHA"]
+          event = os.environ["EVENT_NAME"]
+          required = [
+              f"CI / Detect changes ({event})",
+              f"CI / Platform (Go) ({event})",
+              f"CI / Canvas (Next.js) ({event})",
+              f"CI / Shellcheck (E2E scripts) ({event})",
+              f"CI / Python Lint & Test ({event})",
+          ]
+          terminal_bad = {"failure", "error"}
+          deadline = time.time() + 40 * 60
+          last_summary = None
+
+          def fetch_statuses():
+              statuses = []
+              for page in range(1, 6):
+                  url = f"{api_root}/repos/{repo}/commits/{sha}/statuses?page={page}&limit=100"
+                  req = urllib.request.Request(url, headers={"Authorization": f"token {token}"})
+                  with urllib.request.urlopen(req, timeout=10) as resp:
+                      chunk = json.load(resp)
+                  if not chunk:
+                      break
+                  statuses.extend(chunk)
+              latest = {}
+              for item in statuses:
+                  ctx = item.get("context")
+                  if not ctx:
+                      continue
+                  prev = latest.get(ctx)
+                  if prev is None or (item.get("updated_at") or item.get("created_at") or "") >= (prev.get("updated_at") or prev.get("created_at") or ""):
+                      latest[ctx] = item
+              return latest
+
+          while True:
+              try:
+                  latest = fetch_statuses()
+              except (TimeoutError, OSError, urllib.error.URLError) as exc:
+                  if time.time() >= deadline:
+                      print(f"FAIL: status polling did not recover before deadline: {exc}", file=sys.stderr)
+                      sys.exit(1)
+                  print(f"WARN: status poll failed, retrying: {exc}", flush=True)
+                  time.sleep(15)
+                  continue
+              states = {ctx: (latest.get(ctx) or {}).get("status") or (latest.get(ctx) or {}).get("state") or "missing" for ctx in required}
+              summary = ", ".join(f"{ctx}={state}" for ctx, state in states.items())
+              if summary != last_summary:
+                  print(summary, flush=True)
+                  last_summary = summary
+              bad = {ctx: state for ctx, state in states.items() if state in terminal_bad}
+              if bad:
+                  print("FAIL: required CI context failed:", file=sys.stderr)
+                  for ctx, state in bad.items():
+                      desc = (latest.get(ctx) or {}).get("description") or ""
+                      print(f"  - {ctx}: {state} {desc}", file=sys.stderr)
+                  sys.exit(1)
+              if all(state == "success" for state in states.values()):
+                  print(f"OK: all {len(required)} required CI contexts succeeded")
+                  sys.exit(0)
+              if time.time() >= deadline:
+                  print("FAIL: timed out waiting for required CI contexts:", file=sys.stderr)
+                  for ctx, state in states.items():
+                      print(f"  - {ctx}: {state}", file=sys.stderr)
+                  sys.exit(1)
+              time.sleep(15)
+          PY
@@ -69,6 +69,13 @@ name: E2E API Smoke Test
 # 2318) shows Postgres ready in 3s, Redis in 1s, Platform in 1s when
 # they DO come up. Timeouts are not the bottleneck; not bumped.
 #
+# Item #1046 (fixed 2026-05-14): Stale platform-server from cancelled runs
+#   lingers on :8080 after "Stop platform" step is skipped (workflow cancelled
+#   before reaching line 335). Added a pre-start "Kill stale platform-server"
+#   step (line 286) that scans /proc for zombie platform-server processes
+#   and kills them before the port probe or bind. Makes the ephemeral port
+#   probe + start sequence deterministic.
+#
 # Item explicitly NOT fixed here: failing test `Status back online`
 # fails because the platform's langgraph workspace template image
 # (ghcr.io/molecule-ai/workspace-template-langgraph:latest) returns
@@ -283,6 +290,35 @@ jobs:
          echo "PORT=${PLATFORM_PORT}" >> "$GITHUB_ENV"
          echo "BASE=http://127.0.0.1:${PLATFORM_PORT}" >> "$GITHUB_ENV"
          echo "Platform host port: ${PLATFORM_PORT}"
+      - name: Kill stale platform-server before start (issue #1046)
+        if: needs.detect-changes.outputs.api == 'true'
+        run: |
+          # Concurrent runs on the same host-network act_runner can leave a
+          # zombie platform-server from a cancelled/timeout run. Cancelled
+          # runs never reach the "Stop platform" step (line 335), so the
+          # old process lingers. Kill it before the ephemeral port probe
+          # or start so the port is definitively free.
+          #
+          # /proc scan — works on any Linux without pkill/lsof/ss.
+          # comm field is truncated to 15 chars: "platform-serve" matches
+          # "platform-server". Verify with cmdline to avoid false positives.
+          killed=0
+          for pid in $(grep -l "platform-serve" /proc/[0-9]*/comm 2>/dev/null); do
+            kpid="${pid%/comm}"
+            kpid="${kpid##*/}"
+            cmdline=$(cat "/proc/${kpid}/cmdline" 2>/dev/null | tr '\0' ' ')
+            if echo "$cmdline" | grep -q "platform-server"; then
+              echo "Killing stale platform-server pid ${kpid}: ${cmdline}"
+              kill "$kpid" 2>/dev/null || true
+              killed=$((killed + 1))
+            fi
+          done
+          if [ "$killed" -gt 0 ]; then
+            sleep 2
+            echo "Killed $killed stale process(es); port(s) released."
+          else
+            echo "No stale platform-server found."
+          fi
      - name: Start platform (background)
        if: needs.detect-changes.outputs.api == 'true'
        working-directory: workspace-server
@@ -346,3 +382,4 @@ jobs:
        run: |
          docker rm -f "$PG_CONTAINER" 2>/dev/null || true
          docker rm -f "$REDIS_CONTAINER" 2>/dev/null || true
+
@@ -48,4 +48,9 @@ jobs:
          REQUIRED_CONTEXTS: >-
            CI / all-required (pull_request),
            sop-checklist / all-items-acked (pull_request)
+          # Push-side required contexts. Checking CI / all-required (push)
+          # explicitly instead of the combined state avoids false-pause when
+          # non-blocking jobs (continue-on-error: true) have failed — those
+          # failures pollute combined state but do not gate merges.
+          PUSH_REQUIRED_CONTEXTS: CI / all-required (push)
        run: python3 .gitea/scripts/gitea-merge-queue.py
@@ -90,18 +90,25 @@ jobs:
      - id: filter
        # Inline replacement for dorny/paths-filter — see e2e-api.yml.
        run: |
-          BASE="${GITHUB_BASE_REF:-${{ github.event.before }}}"
+          # Gitea Actions evaluates github.event.before to empty string in shell
+          # scripts. Use GITHUB_EVENT_BEFORE shell env var instead (Gitea
+          # correctly populates it for push events). PR case uses template var.
+          BASE=""
          if [ "${{ github.event_name }}" = "pull_request" ] && [ -n "${{ github.event.pull_request.base.sha }}" ]; then
            BASE="${{ github.event.pull_request.base.sha }}"
+          elif [ -n "$GITHUB_EVENT_BEFORE" ]; then
+            BASE="$GITHUB_EVENT_BEFORE"
          fi
          if [ -z "$BASE" ] || echo "$BASE" | grep -qE '^0+$'; then
            echo "handlers=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
-          if ! git cat-file -e "$BASE" 2>/dev/null; then
+          # timeout 30 guards against the case where BASE points to a ref that
+          # git can resolve but cat-file hangs (rare on corrupted objects).
+          if ! timeout 30 git cat-file -e "$BASE" 2>/dev/null; then
            git fetch --depth=1 origin "$BASE" 2>/dev/null || true
          fi
-          if ! git cat-file -e "$BASE" 2>/dev/null; then
+          if ! timeout 30 git cat-file -e "$BASE" 2>/dev/null; then
            echo "handlers=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
@@ -37,12 +37,6 @@ name: publish-workspace-server-image
 on:
  push:
    branches: [main]
-    paths:
-      - 'workspace-server/**'
-      - 'canvas/**'
-      - 'manifest.json'
-      - 'scripts/**'
-      - '.gitea/workflows/publish-workspace-server-image.yml'
  workflow_dispatch:

 # No `concurrency:` block here. Gitea 1.22.6 can cancel queued runs despite
@@ -74,12 +68,14 @@ jobs:
          set -euo pipefail
          echo "::group::Docker daemon health check"
          echo "Runner: ${HOSTNAME:-unknown}"
-          docker info 2>&1 | head -5 || {
+          docker_info="$(docker info 2>&1)" || {
            echo "::error::Docker daemon is not accessible at /var/run/docker.sock"
            echo "::error::Runner: ${HOSTNAME:-unknown}"
+            printf '%s\n' "${docker_info}"
            echo "::error::Check: (1) daemon is running, (2) runner user is in docker group, (3) sock permissions are 660+"
            exit 1
          }
+          printf '%s\n' "${docker_info}" | sed -n '1,5p'
          echo "Docker daemon OK"
          echo "::endgroup::"

@@ -9,10 +9,10 @@
 #   Triggers on:
 #     - `pull_request_target`: opened, synchronize, reopened
 #         → initial status posts when PR opens / re-pushes
-#     - `issue_comment`: /qa-recheck slash-command on the PR
-#         → manual re-fire after a QA reviewer clicks APPROVE
-#           (Gitea 1.22.6 doesn't re-fire on pull_request_review, per
-#           go-gitea/gitea#33700 + feedback_pull_request_review_no_refire)
+#     - comment refires are handled by `review-refire-comments.yml`
+#         → a single issue_comment dispatcher prevents every SOP/review
+#           comment from enqueueing separate qa/security/tier jobs on
+#           Gitea 1.22.6 before job-level `if:` can skip them.
 #   Workflow name = `qa-review` ; job name = `approved`.
 #   The job's own pass/fail conclusion publishes the status context
 #   `qa-review / approved (<event>)` — NO `POST /statuses` call → NO
@@ -85,8 +85,6 @@ name: qa-review
 on:
  pull_request_target:
    types: [opened, synchronize, reopened]
-  issue_comment:
-    types: [created]

 permissions:
  contents: read
@@ -97,16 +95,10 @@ jobs:
  approved:
    # Gate the job:
    #   - On pull_request_target events: always run.
-    #   - On issue_comment events: only when it's a PR comment and the body
-    #     contains the slash-command. NO privilege gate at the step level
-    #     (RFC#324 v1.3 §A1.1): a non-collaborator's /qa-recheck is fine
-    #     because the eval is read-only and idempotent — re-running it
-    #     just re-confirms whether a real team-member APPROVE exists.
+    # Comment-triggered refires live in review-refire-comments.yml. Keeping
+    # this workflow PR-only avoids comment-triggered queue storms.
    if: |
-      github.event_name == 'pull_request_target' ||
-      (github.event_name == 'issue_comment' &&
-       github.event.issue.pull_request != null &&
-       startsWith(github.event.comment.body, '/qa-recheck'))
+      github.event_name == 'pull_request_target'
    runs-on: ubuntu-latest
    steps:
      - name: Privilege check (A1.1 — INFORMATIONAL log only, NOT a gate)
@@ -120,7 +112,7 @@ jobs:
        # no comment.user.login so the step is a no-op skip there.
        if: github.event_name == 'issue_comment'
        env:
-          GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          login="${{ github.event.comment.user.login }}"
@@ -151,7 +143,7 @@ jobs:

      - name: Evaluate qa-review
        env:
-          GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
          GITEA_HOST: git.moleculesai.app
          REPO: ${{ github.repository }}
          # PR number lives in different places per event:
@@ -9,19 +9,17 @@ name: redeploy-tenants-on-main
 #   - Workflow-level env.GITHUB_SERVER_URL pinned per
 #     feedback_act_runner_github_server_url.
 #   - `continue-on-error: true` on each job (RFC §1 contract).
-#   - ~~**Gitea workflow_run trigger limitation**~~ FIXED: replaced with
-#     push+paths filter per this PR. Gitea 1.22.6 does not support
-#     `workflow_run` (task #81). The push trigger fires on every
-#     commit to publish-workspace-server-image.yml which is the
-#     same signal (only successful runs commit to main).
+#   - Dropped unsupported `workflow_run` (task #81).
+#   - Later changed to manual-only after publish-workspace-server-image.yml
+#     gained an integrated ordered production deploy job.
 #

-# Auto-refresh prod tenant EC2s after every main merge.
+# Manual production tenant redeploy/rollback helper.
 #
-# Why this workflow exists: publish-workspace-server-image builds and
-# pushes a new platform-tenant :<sha> to ECR on every merge to main,
-# but running tenants pulled their image once at boot and never re-pull.
-# Users see stale code indefinitely.
+# Why this workflow is manual-only: publish-workspace-server-image now owns
+# the ordered build -> push -> production auto-deploy sequence in one workflow.
+# A separate push-triggered redeploy workflow races before the new ECR image
+# exists and can paint main red with a false deployment failure.
 #
 # This workflow closes the gap by calling the control-plane admin
 # endpoint that performs a canary-first, batched, health-gated rolling
@@ -34,36 +32,26 @@ name: redeploy-tenants-on-main
 # Gitea suspension migration. The staging-verify.yml promote step now
 # uses the same redeploy-fleet endpoint (fixes the silent-GHCR gap).
 #
-# Runtime ordering:
-#   1. publish-workspace-server-image completes → new :staging-<sha> in ECR.
-#   2. This workflow fires via workflow_run, calls redeploy-fleet with
-#      target_tag=staging-<sha>. No CDN propagation wait needed —
-#      ECR image manifest is consistent immediately after push.
-#   3. Calls redeploy-fleet with canary_slug (if set) and a soak
-#      period. Canary proves the image boots; batches follow.
-#   4. Any failure aborts the rollout and leaves older tenants on the
-#      prior image — safer default than half-and-half state.
+# Runtime ordering for automatic deploys now lives in
+# publish-workspace-server-image.yml:
+#   1. build-and-push creates new :staging-<sha> images in ECR.
+#   2. deploy-production waits for required push contexts on that SHA.
+#   3. deploy-production calls redeploy-fleet canary-first.
 #
-# Rollback path: re-run this workflow with a specific SHA pinned via
-# the workflow_dispatch input. That calls redeploy-fleet with
-# target_tag=<sha>, re-pulling the older image on every tenant.
+# Rollback path: set PROD_MANUAL_REDEPLOY_TARGET_TAG as a repo/org
+# variable or secret, run workflow_dispatch, then unset it after the
+# rollback. That calls redeploy-fleet with target_tag=<value>,
+# re-pulling the pinned image on every tenant.

 on:
-  push:
-    branches: [main]
-    paths:
-      - '.gitea/workflows/publish-workspace-server-image.yml'
  workflow_dispatch:
 permissions:
  contents: read
  # No write scopes needed — the workflow hits an external CP endpoint,
  # not the GitHub API.

-# Serialize redeploys so two rapid main pushes' redeploys don't overlap
-# and cause confusing per-tenant SSM state. Without this, GitHub's
-# implicit workflow_run queueing would *probably* serialize them, but
-# the explicit block makes the invariant defensible. Mirrors the
-# concurrency block on redeploy-tenants-on-staging.yml for shape parity.
+# Serialize manual redeploys so two operator-triggered rollbacks do not
+# overlap and cause confusing per-tenant SSM state.
 #
 # NOTE: cancel-in-progress: false removed (Rule 7 fix). Gitea 1.22.6
 # cancels queued runs regardless of this setting, so it provides no
@@ -77,22 +65,17 @@ env:
  GITHUB_SERVER_URL: https://git.moleculesai.app

 jobs:
+  # bp-exempt: production redeploy is a side-effect workflow, not a merge gate.
  redeploy:
-    # Skip the auto-trigger if publish-workspace-server-image didn't
-    # actually succeed. workflow_run fires on any completion state; we
-    # don't want to redeploy against a half-built image.
-    # NOTE (Gitea port): workflow_dispatch trigger dropped; only the
-    # workflow_run path remains.
-    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    if: ${{ github.event_name == 'workflow_dispatch' }}
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    timeout-minutes: 25
    env:
-      # Rule 9 fix: operational kill switch for auto-triggered deployments.
-      # Set repo variable or secret PROD_AUTO_DEPLOY_DISABLED=true to prevent
-      # this workflow from redeploying. Manual workflow_dispatch bypasses this.
+      # Rule 9 fix: keep the same operational kill switch surface as the
+      # integrated auto-deploy workflow.
      PROD_AUTO_DEPLOY_DISABLED: ${{ vars.PROD_AUTO_DEPLOY_DISABLED || secrets.PROD_AUTO_DEPLOY_DISABLED || '' }}
    steps:
      - name: Kill-switch guard
@@ -114,21 +97,16 @@ jobs:
        #      tag) → used verbatim. Lets ops pin `latest` for emergency
        #      rollback to last canary-verified digest, or pin a specific
        #      `staging-<sha>` to roll back to a known-good build.
-        #   2. Default → `staging-<short_head_sha>`. The just-published
-        #      digest. Bypasses the `:latest` retag path that's currently
-        #      dead (staging-verify soft-skips without canary fleet, so
-        #      the only thing retagging `:latest` today is the manual
-        #      promote-latest.yml — last run 2026-04-28). Auto-trigger
-        #      from workflow_run uses workflow_run.head_sha; manual
-        #      dispatch with no input falls through to github.sha.
+        #   2. Default → `staging-<short_head_sha>` for manual reruns from
+        #      the current default-branch SHA.
        env:
-          INPUT_TAG: ${{ inputs.target_tag }}
-          HEAD_SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
+          PROD_MANUAL_REDEPLOY_TARGET_TAG: ${{ vars.PROD_MANUAL_REDEPLOY_TARGET_TAG || secrets.PROD_MANUAL_REDEPLOY_TARGET_TAG || '' }}
+          HEAD_SHA: ${{ github.sha }}
        run: |
          set -euo pipefail
-          if [ -n "${INPUT_TAG:-}" ]; then
-            echo "target_tag=$INPUT_TAG" >> "$GITHUB_OUTPUT"
-            echo "Using operator-pinned tag: $INPUT_TAG"
+          if [ -n "${PROD_MANUAL_REDEPLOY_TARGET_TAG:-}" ]; then
+            echo "target_tag=$PROD_MANUAL_REDEPLOY_TARGET_TAG" >> "$GITHUB_OUTPUT"
+            echo "Using operator-pinned tag from PROD_MANUAL_REDEPLOY_TARGET_TAG."
          else
            SHORT="${HEAD_SHA:0:7}"
            echo "target_tag=staging-$SHORT" >> "$GITHUB_OUTPUT"
@@ -144,13 +122,26 @@ jobs:
          CP_URL: ${{ vars.CP_URL || 'https://api.moleculesai.app' }}
          CP_ADMIN_API_TOKEN: ${{ secrets.CP_ADMIN_API_TOKEN }}
          TARGET_TAG: ${{ steps.tag.outputs.target_tag }}
-          CANARY_SLUG: ${{ inputs.canary_slug || 'hongming' }}
-          SOAK_SECONDS: ${{ inputs.soak_seconds || '60' }}
-          BATCH_SIZE: ${{ inputs.batch_size || '3' }}
-          DRY_RUN: ${{ inputs.dry_run || false }}
+          CANARY_SLUG: ${{ vars.PROD_REDEPLOY_CANARY_SLUG || secrets.PROD_REDEPLOY_CANARY_SLUG || '' }}
+          SOAK_SECONDS: ${{ vars.PROD_REDEPLOY_SOAK_SECONDS || secrets.PROD_REDEPLOY_SOAK_SECONDS || '' }}
+          BATCH_SIZE: ${{ vars.PROD_REDEPLOY_BATCH_SIZE || secrets.PROD_REDEPLOY_BATCH_SIZE || '' }}
+          DRY_RUN: ${{ vars.PROD_REDEPLOY_DRY_RUN || secrets.PROD_REDEPLOY_DRY_RUN || '' }}
+          PROD_AUTO_DEPLOY_DISABLED: ${{ vars.PROD_AUTO_DEPLOY_DISABLED || secrets.PROD_AUTO_DEPLOY_DISABLED || '' }}
        run: |
          set -euo pipefail

+          case "${PROD_AUTO_DEPLOY_DISABLED,,}" in
+            1|true|yes|on)
+              echo "::notice::PROD_AUTO_DEPLOY_DISABLED is set; skipping production redeploy."
+              exit 0
+              ;;
+          esac
+
+          CANARY_SLUG="${CANARY_SLUG:-hongming}"
+          SOAK_SECONDS="${SOAK_SECONDS:-60}"
+          BATCH_SIZE="${BATCH_SIZE:-3}"
+          DRY_RUN="${DRY_RUN:-false}"
+
          if [ -z "${CP_ADMIN_API_TOKEN:-}" ]; then
            echo "::error::CP_ADMIN_API_TOKEN secret not set — skipping redeploy"
            echo "::notice::Set CP_ADMIN_API_TOKEN in repo secrets to enable auto-redeploy."
@@ -172,7 +163,7 @@ jobs:
            }')

          echo "POST $CP_URL/cp/admin/tenants/redeploy-fleet"
-          echo "  body: $BODY"
+          echo "  target_tag=$TARGET_TAG canary=$CANARY_SLUG soak_seconds=$SOAK_SECONDS batch_size=$BATCH_SIZE dry_run=$DRY_RUN"

          HTTP_RESPONSE=$(mktemp)
          HTTP_CODE_FILE=$(mktemp)
@@ -261,13 +252,11 @@ jobs:
        # fail the workflow, which is what `ok=true` should have
        # guaranteed all along.
        #
-        # When the redeploy was triggered by workflow_dispatch with a
-        # specific tag (target_tag != "latest"), the expected SHA may
-        # not equal ${{ github.sha }} — in that case we resolve via
-        # GHCR's manifest. For workflow_run (default :latest) the
-        # workflow_run.head_sha is the SHA that just published.
+        # When the redeploy is triggered manually with a specific tag
+        # (target_tag != "latest"), the expected SHA may not equal
+        # ${{ github.sha }}.
        env:
-          EXPECTED_SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
+          EXPECTED_SHA: ${{ github.sha }}
          TARGET_TAG: ${{ steps.tag.outputs.target_tag }}
          # Tenant subdomain template — slugs from the response are
          # appended. Production CP issues `<slug>.moleculesai.app`;
@@ -281,10 +270,10 @@ jobs:
          if [ "$TARGET_TAG" != "latest" ] \
             && [ "$TARGET_TAG" != "$EXPECTED_SHA" ] \
             && [ "$TARGET_TAG" != "staging-$EXPECTED_SHORT" ]; then
-            # workflow_dispatch with a pinned tag that isn't the head
+            # Manual redeploy with a pinned tag that isn't the head
            # SHA — operator is rolling back / pinning. Skip the
            # verification because we don't have the expected SHA in
-            # this context (would need to crane-inspect the GHCR
+            # this context (would need to inspect the ECR
            # manifest, which is a follow-up). Failing-open here is
            # safe: the operator chose the tag deliberately.
            #
@@ -0,0 +1,109 @@
+# Consolidated comment dispatcher for manual review/tier refires.
+#
+# Gitea 1.22 queues one run per workflow subscribed to `issue_comment` before
+# evaluating job-level `if:`. SOP-heavy PRs therefore created queue storms when
+# qa-review, security-review, sop-checklist, and sop-tier-refire all
+# listened to comments. This workflow is the single non-SOP comment subscriber:
+# ordinary comments no-op quickly; slash commands post the required status
+# contexts to the PR head SHA.
+
+name: review-refire-comments
+
+on:
+  issue_comment:
+    types: [created]
+
+permissions:
+  contents: read
+  pull-requests: read
+  statuses: write
+
+jobs:
+  dispatch:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Classify comment
+        id: classify
+        env:
+          COMMENT_BODY: ${{ github.event.comment.body }}
+          IS_PR: ${{ github.event.issue.pull_request != null }}
+        run: |
+          set -euo pipefail
+          {
+            echo "run_qa=false"
+            echo "run_security=false"
+            echo "run_tier=false"
+          } >> "$GITHUB_OUTPUT"
+          if [ "$IS_PR" != "true" ]; then
+            echo "::notice::not a PR comment; no-op"
+            exit 0
+          fi
+          first_line=$(printf '%s\n' "$COMMENT_BODY" | sed -n '1p')
+          case "$first_line" in
+            /qa-recheck*)
+              echo "run_qa=true" >> "$GITHUB_OUTPUT"
+              ;;
+            /security-recheck*)
+              echo "run_security=true" >> "$GITHUB_OUTPUT"
+              ;;
+            /refire-tier-check*)
+              echo "run_tier=true" >> "$GITHUB_OUTPUT"
+              ;;
+            *)
+              echo "::notice::no supported review refire slash command; no-op"
+              ;;
+          esac
+
+      - name: Check out BASE ref for trusted scripts
+        if: |
+          steps.classify.outputs.run_qa == 'true' ||
+          steps.classify.outputs.run_security == 'true' ||
+          steps.classify.outputs.run_tier == 'true'
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          ref: ${{ github.event.repository.default_branch }}
+
+      - name: Refire qa-review status
+        if: steps.classify.outputs.run_qa == 'true'
+        env:
+          GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
+          GITEA_HOST: git.moleculesai.app
+          REPO: ${{ github.repository }}
+          PR_NUMBER: ${{ github.event.issue.number }}
+          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+          TEAM: qa
+          TEAM_ID: '20'
+          REVIEW_CHECK_DEBUG: '0'
+          REVIEW_CHECK_STRICT: '0'
+          COMMENT_AUTHOR: ${{ github.event.comment.user.login }}
+        run: |
+          set -euo pipefail
+          .gitea/scripts/review-refire-status.sh
+
+      - name: Refire security-review status
+        if: steps.classify.outputs.run_security == 'true'
+        env:
+          GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
+          GITEA_HOST: git.moleculesai.app
+          REPO: ${{ github.repository }}
+          PR_NUMBER: ${{ github.event.issue.number }}
+          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+          TEAM: security
+          TEAM_ID: '21'
+          REVIEW_CHECK_DEBUG: '0'
+          REVIEW_CHECK_STRICT: '0'
+          COMMENT_AUTHOR: ${{ github.event.comment.user.login }}
+        run: |
+          set -euo pipefail
+          .gitea/scripts/review-refire-status.sh
+
+      - name: Refire sop-tier-check status
+        if: steps.classify.outputs.run_tier == 'true'
+        env:
+          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
+          GITEA_HOST: git.moleculesai.app
+          REPO: ${{ github.repository }}
+          PR_NUMBER: ${{ github.event.issue.number }}
+          COMMENT_AUTHOR: ${{ github.event.comment.user.login }}
+          SOP_DEBUG: '0'
+        run: bash .gitea/scripts/sop-tier-refire.sh
@@ -66,19 +66,28 @@ jobs:
          # PR#372's ci.yml port used. Diffs against the PR base or the
          # previous push SHA, then matches against the wheel-relevant
          # path set.
-          BASE="${GITHUB_BASE_REF:-${{ github.event.before }}}"
-          if [ "${{ github.event_name }}" = "pull_request" ] && [ -n "${{ github.event.pull_request.base.sha }}" ]; then
+          #
+          # NOTE: Gitea Actions does not expose github.event.before as a
+          # shell environment variable. The ${{ github.event.before }} template
+          # expression works inside YAML run: blocks but is evaluated to an
+          # empty string for push events, making the ${VAR:-fallback} always
+          # use the fallback. Use GITHUB_EVENT_BEFORE instead — it IS set in
+          # the runner's shell environment for push events.
+          BASE=""
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
            BASE="${{ github.event.pull_request.base.sha }}"
+          elif [ -n "$GITHUB_EVENT_BEFORE" ]; then
+            BASE="$GITHUB_EVENT_BEFORE"
          fi
          if [ -z "$BASE" ] || echo "$BASE" | grep -qE '^0+$'; then
            # New branch or no previous SHA: treat as wheel-relevant.
            echo "wheel=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
-          if ! git cat-file -e "$BASE" 2>/dev/null; then
+          if ! timeout 30 git cat-file -e "$BASE" 2>/dev/null; then
            git fetch --depth=1 origin "$BASE" 2>/dev/null || true
          fi
-          if ! git cat-file -e "$BASE" 2>/dev/null; then
+          if ! timeout 30 git cat-file -e "$BASE" 2>/dev/null; then
            echo "wheel=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
@@ -12,8 +12,6 @@ name: security-review
 on:
  pull_request_target:
    types: [opened, synchronize, reopened]
-  issue_comment:
-    types: [created]

 permissions:
  contents: read
@@ -22,13 +20,10 @@ permissions:
 jobs:
  # bp-exempt: PR security review bot signal; required merge state is enforced by CI / all-required.
  approved:
-    # See qa-review.yml header for full A1-α / A1.1 (v1.3 — informational
-    # log only, NOT a gate) / A4 / A5 design rationale.
+    # Comment-triggered refires live in review-refire-comments.yml. Keeping
+    # this workflow PR-only avoids comment-triggered queue storms.
    if: |
-      github.event_name == 'pull_request_target' ||
-      (github.event_name == 'issue_comment' &&
-       github.event.issue.pull_request != null &&
-       startsWith(github.event.comment.body, '/security-recheck'))
+      github.event_name == 'pull_request_target'
    runs-on: ubuntu-latest
    steps:
      - name: Privilege check (A1.1 — INFORMATIONAL log only, NOT a gate)
@@ -37,7 +32,7 @@ jobs:
        # so re-running on a non-collaborator comment is harmless.
        if: github.event_name == 'issue_comment'
        env:
-          GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          login="${{ github.event.comment.user.login }}"
@@ -62,7 +57,7 @@ jobs:

      - name: Evaluate security-review
        env:
-          GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
          GITEA_HOST: git.moleculesai.app
          REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
@@ -1,4 +1,4 @@
-# sop-checklist-gate — peer-ack merge gate for SOP-checklist items.
+# sop-checklist — peer-ack merge gate for SOP-checklist items.
 #
 # RFC#351 Step 2 of 6 (implementation MVP).
 #
@@ -65,7 +65,15 @@
 # membership, compute, post status). Re-running on any event is safe —
 # the new status overwrites the previous one for the same context.

-name: sop-checklist-gate
+name: sop-checklist
+
+# Cancel any in-progress runs for the same PR to prevent
+# stale runs from overwriting newer status contexts.
+concurrency:
+  group: ${{ github.repository }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+# bp-required: yes  ← emits sop-checklist / all-items-acked (pull_request)

 on:
  pull_request_target:
@@ -83,7 +91,7 @@ permissions:
  statuses: write

 jobs:
-  gate:
+  all-items-acked:
    # Run on pull_request_target events always. On issue_comment events,
    # only when the comment is on a PR (issue_comment fires for issues
    # too) and the body contains one of the slash-commands.
@@ -92,7 +100,8 @@ jobs:
      (github.event_name == 'issue_comment' &&
       github.event.issue.pull_request != null &&
       (contains(github.event.comment.body, '/sop-ack') ||
-        contains(github.event.comment.body, '/sop-revoke')))
+        contains(github.event.comment.body, '/sop-revoke') ||
+        contains(github.event.comment.body, '/sop-n/a')))
    runs-on: ubuntu-latest
    steps:
      - name: Check out BASE ref (trust boundary — never PR-head)
@@ -105,7 +114,7 @@ jobs:
          # qa-review.yml so the script source is always trusted.
          ref: ${{ github.event.repository.default_branch }}

-      - name: Run sop-checklist-gate
+      - name: Run sop-checklist
        env:
          GITEA_TOKEN: ${{ secrets.SOP_CHECKLIST_GATE_TOKEN || secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
@@ -113,7 +122,7 @@ jobs:
          REPO_NAME: ${{ github.event.repository.name }}
        run: |
          set -euo pipefail
-          python3 .gitea/scripts/sop-checklist-gate.py \
+          python3 .gitea/scripts/sop-checklist.py \
            --owner "$OWNER" \
            --repo "$REPO_NAME" \
            --pr "$PR_NUMBER" \
@@ -1,4 +1,4 @@
-# sop-tier-refire — issue_comment-triggered refire of sop-tier-check.
+# sop-tier-refire — manual fallback for sop-tier-check refire.
 #
 # Closes internal#292. Gitea 1.22.6 doesn't refire workflows on the
 # `pull_request_review` event (go-gitea/gitea#33700); the `sop-tier-check`
@@ -8,12 +8,12 @@
 # to merge is the admin force-merge path (audited via `audit-force-merge`
 # but the audit trail keeps growing; see `feedback_never_admin_merge_bypass`).
 #
-# Workaround pattern from `feedback_pull_request_review_no_refire`:
-# `issue_comment` events DO fire reliably on 1.22.6. When a repo
-# MEMBER/OWNER/COLLABORATOR comments `/refire-tier-check` on a PR, this
-# workflow re-runs the sop-tier-check logic and POSTs the resulting
-# status to the PR head SHA directly. No empty commit, no git history
-# bloat, no cascade re-fire of every other workflow on the PR.
+# Comment-triggered refires now live in `review-refire-comments.yml`. Gitea
+# queues issue_comment workflows before evaluating job-level `if:`, so having
+# qa-review, security-review, sop-checklist, and sop-tier-refire all subscribe
+# to every comment caused queue storms on SOP-heavy PRs. This workflow is a
+# non-automatic breadcrumb only; Gitea 1.22.6 does not support
+# workflow_dispatch inputs, so real refires must use `/refire-tier-check`.
 #
 # SECURITY MODEL:
 #
@@ -37,43 +37,16 @@
 # Rate-limit: a 1s pre-sleep + a "skip if status posted in last 30s"
 # guard prevents comment-spam from thrashing the status. See the script.

-name: sop-tier-check refire (issue_comment)
+name: sop-tier-check refire (manual)

 on:
-  issue_comment:
-    types: [created]
+  workflow_dispatch:

 jobs:
  refire:
-    # Three gates, all required:
-    #   - comment is on a PR (not a plain issue)
-    #   - commenter is MEMBER, OWNER, or COLLABORATOR
-    #   - comment body contains the slash-command trigger
-    if: |
-      github.event.issue.pull_request != null &&
-      contains(fromJson('["MEMBER","OWNER","COLLABORATOR"]'), github.event.comment.author_association) &&
-      contains(github.event.comment.body, '/refire-tier-check')
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: read
-      statuses: write
    steps:
-      - name: Check out base branch (for the script)
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          # Load the script from the default branch (main), matching the
-          # sop-tier-check.yml security model.
-          ref: ${{ github.event.repository.default_branch }}
-      - name: Re-evaluate sop-tier-check and POST status
-        env:
-          # Same org-level secret sop-tier-check.yml + audit-force-merge.yml use.
-          # Fallback to GITHUB_TOKEN with a clear error if missing.
-          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
-          GITEA_HOST: git.moleculesai.app
-          REPO: ${{ github.repository }}
-          PR_NUMBER: ${{ github.event.issue.number }}
-          COMMENT_AUTHOR: ${{ github.event.comment.user.login }}
-          # Set to '1' for diagnostic per-API-call output. Off by default.
-          SOP_DEBUG: '0'
-        run: bash .gitea/scripts/sop-tier-refire.sh
+      - name: Explain supported refire path
+        run: |
+          echo "::error::Gitea 1.22.6 does not support workflow_dispatch inputs here; comment /refire-tier-check on the PR instead."
+          exit 1
@@ -1 +1 @@
-staging trigger
+staging trigger 2026-05-14T17:35:02Z
@@ -0,0 +1 @@
+trigger
@@ -327,7 +327,7 @@ function OrgCTA({ org }: { org: Org }) {
    return (
      <a
        href={href}
-        className="rounded bg-emerald-600 px-4 py-2 text-sm font-medium text-white hover:bg-emerald-500"
+        className="rounded bg-emerald-700 px-4 py-2 text-sm font-medium text-white hover:bg-emerald-600"
      >
        Open
      </a>
@@ -337,7 +337,7 @@ function OrgCTA({ org }: { org: Org }) {
    return (
      <a
        href={`/pricing?org=${encodeURIComponent(org.slug)}`}
-        className="rounded bg-amber-600 px-4 py-2 text-sm font-medium text-white hover:bg-amber-500"
+        className="rounded bg-amber-800 px-4 py-2 text-sm font-medium text-white hover:bg-amber-700"
      >
        Complete payment
      </a>
@@ -8,11 +8,17 @@ import type { AuditEntry, AuditResponse } from "@/types/audit";

 type EventFilter = "all" | AuditEntry["event_type"];

+// Contrast note: text is rendered on near-black bg (bg-*-950/40). Every text
+// color below is chosen to pass WCAG 2.1 AA 4.5:1 on that background:
+//   blue-300   ( delegation ) ≈ 8.8:1
+//   violet-300 ( decision   ) ≈ 9.5:1
+//   yellow-200 ( gate       ) ≈ 11.5:1
+//   orange-300 ( hitl       ) ≈ 9.1:1
 const BADGE_COLORS: Record<AuditEntry["event_type"], { text: string; bg: string; border: string }> = {
-  delegation: { text: "text-accent",   bg: "bg-blue-950/40",   border: "border-blue-800/40" },
-  decision:   { text: "text-violet-400", bg: "bg-violet-950/40", border: "border-violet-800/40" },
-  gate:       { text: "text-yellow-400", bg: "bg-yellow-950/40", border: "border-yellow-800/40" },
-  hitl:       { text: "text-orange-400", bg: "bg-orange-950/40", border: "border-orange-800/40" },
+  delegation: { text: "text-blue-300",   bg: "bg-blue-950/40",   border: "border-blue-800/40" },
+  decision:   { text: "text-violet-300", bg: "bg-violet-950/40", border: "border-violet-800/40" },
+  gate:       { text: "text-yellow-200", bg: "bg-yellow-950/40", border: "border-yellow-800/40" },
+  hitl:       { text: "text-orange-300", bg: "bg-orange-950/40", border: "border-orange-800/40" },
 };

 const FILTERS: { id: EventFilter; label: string }[] = [
@@ -164,7 +170,10 @@ export function AuditTrailPanel({ workspaceId }: Props) {

      {/* Error banner */}
      {error && (
-        <div className="mx-4 mt-3 px-3 py-2 bg-red-950/30 border border-red-800/40 rounded text-xs text-bad shrink-0">
+        <div
+          role="alert"
+          className="mx-4 mt-3 px-3 py-2 bg-red-950/30 border border-red-800/40 rounded text-xs text-bad shrink-0"
+        >
          {error}
        </div>
      )}
@@ -242,7 +251,6 @@ export function AuditEntryRow({ entry, now }: AuditEntryRowProps) {
        {/* Event-type badge */}
        <span
          className={`shrink-0 text-[9px] font-semibold uppercase tracking-wider px-1.5 py-0.5 rounded border ${badge.text} ${badge.bg} ${badge.border}`}
-          aria-label={`Event type: ${entry.event_type}`}
        >
          {entry.event_type}
        </span>
@@ -100,8 +100,8 @@ export function BatchActionBar() {
      aria-label="Batch workspace actions"
      className="fixed bottom-6 left-1/2 -translate-x-1/2 z-[200] flex items-center gap-3 px-4 py-2.5 rounded-2xl bg-surface-sunken/95 border border-line/70 shadow-2xl shadow-black/50 backdrop-blur-md"
    >
-      {/* Selection count badge */}
-      <span className="text-[12px] font-semibold text-white bg-accent-strong/80 px-2.5 py-0.5 rounded-full tabular-nums">
+      {/* Selection count badge — bg-zinc-700 passes 7.2:1 on white text */}
+      <span className="text-[12px] font-semibold text-white bg-zinc-700 px-2.5 py-0.5 rounded-full tabular-nums">
        {count} selected
      </span>

@@ -112,7 +112,7 @@ export function BatchActionBar() {
        type="button"
        disabled={busy}
        onClick={() => setPending("restart")}
-        className="flex items-center gap-1.5 px-3 py-1.5 rounded-lg text-[12px] font-medium text-sky-300 bg-sky-900/30 hover:bg-sky-800/50 border border-sky-700/30 hover:border-sky-600/50 transition-colors disabled:opacity-50 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-sky-500/70"
+        className="flex items-center gap-1.5 px-3 py-1.5 rounded-lg text-[12px] font-medium text-white bg-sky-900/30 hover:bg-sky-800/50 border border-sky-700/30 hover:border-sky-600/50 transition-colors disabled:opacity-50 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-sky-500/70"
      >
        <span aria-hidden="true">↻</span>
        Restart All
@@ -122,7 +122,7 @@ export function BatchActionBar() {
        type="button"
        disabled={busy}
        onClick={() => setPending("pause")}
-        className="flex items-center gap-1.5 px-3 py-1.5 rounded-lg text-[12px] font-medium text-warm bg-amber-900/30 hover:bg-amber-800/50 border border-amber-700/30 hover:border-amber-600/50 transition-colors disabled:opacity-50 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-amber-500/70"
+        className="flex items-center gap-1.5 px-3 py-1.5 rounded-lg text-[12px] font-medium text-white bg-amber-900/30 hover:bg-amber-800/50 border border-amber-700/30 hover:border-amber-600/50 transition-colors disabled:opacity-50 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-amber-500/70"
      >
        <span aria-hidden="true">⏸</span>
        Pause All
@@ -132,7 +132,7 @@ export function BatchActionBar() {
        type="button"
        disabled={busy}
        onClick={() => setPending("delete")}
-        className="flex items-center gap-1.5 px-3 py-1.5 rounded-lg text-[12px] font-medium text-bad bg-red-900/30 hover:bg-red-800/50 border border-red-700/30 hover:border-red-600/50 transition-colors disabled:opacity-50 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-red-500/70"
+        className="flex items-center gap-1.5 px-3 py-1.5 rounded-lg text-[12px] font-medium text-white bg-red-900/30 hover:bg-red-800/50 border border-red-700/30 hover:border-red-600/50 transition-colors disabled:opacity-50 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-red-500/70"
      >
        <span aria-hidden="true">✕</span>
        Delete All
@@ -96,7 +96,7 @@ export function ConfirmDialog({
  // readable in both light and dark themes.
  const confirmColors =
    confirmVariant === "danger"
-      ? "bg-red-600 hover:bg-red-700 text-white"
+      ? "bg-red-700 hover:bg-red-600 text-white"
      : confirmVariant === "warning"
        ? "bg-amber-800 hover:bg-amber-700 text-white"
        : "bg-accent hover:bg-accent-strong text-white";
@@ -318,7 +318,7 @@ export function ContextMenu() {
            aria-hidden="true"
            className={`w-1.5 h-1.5 rounded-full ${statusDotClass(contextMenu.nodeData.status)}`}
          />
-          <span className="text-[10px] text-ink-mid">{contextMenu.nodeData.status}</span>
+          <span className="text-[10px] text-ink">{contextMenu.nodeData.status}</span>
        </div>
      </div>

@@ -187,7 +187,7 @@ export function ConversationTraceModal({ open, workspaceId: _workspaceId, onClos
                                isError
                                  ? "bg-red-950/50 text-bad"
                                  : isSend
-                                  ? "bg-cyan-950/50 text-cyan-400"
+                                  ? "bg-cyan-950 text-cyan-300"
                                  : isReceive
                                  ? "bg-blue-950/50 text-accent"
                                  : "bg-surface-card text-ink-mid"
@@ -251,7 +251,7 @@ export function ConversationTraceModal({ open, workspaceId: _workspaceId, onClos

                          {/* Error */}
                          {isError && entry.error_detail && (
-                            <div className="text-[10px] text-bad/80 mt-1 truncate">
+                            <div className="text-[10px] text-bad mt-1 truncate">
                              {entry.error_detail.slice(0, 200)}
                            </div>
                          )}
@@ -272,7 +272,7 @@ export function ConversationTraceModal({ open, workspaceId: _workspaceId, onClos
                          )}
                          {responseText && (
                            <div className="mt-1 bg-surface/60 border border-emerald-900/30 rounded-lg px-3 py-2 max-h-32 overflow-y-auto">
-                              <div className="text-[8px] text-good/60 uppercase mb-1">Response</div>
+                              <div className="text-[8px] text-good uppercase mb-1">Response</div>
                              <div className="text-[10px] text-ink-mid whitespace-pre-wrap break-words leading-relaxed">
                                {responseText.slice(0, 2000)}
                                {responseText.length > 2000 && (
@@ -126,8 +126,8 @@ export function DeleteCascadeConfirmDialog({

          {/* Cascade warning */}
          <div className="rounded border border-red-900/40 bg-red-950/20 px-3 py-2.5 mb-4">
-            <p className="text-[12px] text-bad/80 leading-relaxed">
-              Deleting will cascade — <strong className="text-red-200">all child workspaces and their data will be permanently removed.</strong> This cannot be undone.
+            <p className="text-[12px] text-red-300 leading-relaxed">
+              Deleting will cascade — <strong className="text-red-100">all child workspaces and their data will be permanently removed.</strong> This cannot be undone.
            </p>
          </div>

@@ -164,13 +164,13 @@ export function DeleteCascadeConfirmDialog({
            type="button"
            onClick={onConfirm}
            disabled={!checked}
-            // Hover goes DARKER, not lighter — bg-red-500 on white text
-            // drops contrast below AA vs bg-red-700. Same trap fixed in
-            // ConfirmDialog and ApprovalBanner. focus-visible ring matches.
+            // Hover goes DARKER, not lighter — bg-red-600 on white text
+            // drops contrast below AA. Same trap fixed in ConfirmDialog.
+            // focus-visible ring matches the canvas chrome.
            className={`px-3.5 py-1.5 text-[13px] rounded-lg transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-red-500/60 focus-visible:ring-offset-2 focus-visible:ring-offset-surface-sunken
              ${checked
-                ? "bg-red-600 hover:bg-red-700 text-white cursor-pointer"
-                : "bg-red-900/30 text-bad/40 cursor-not-allowed"
+                ? "bg-red-700 hover:bg-red-600 text-white cursor-pointer"
+                : "bg-red-900/30 text-red-400 cursor-not-allowed"
              }`}
          >
            Delete All
@@ -51,7 +51,7 @@ export class ErrorBoundary extends React.Component<
  render() {
    if (this.state.hasError) {
      return (
-        <div className="fixed inset-0 flex items-center justify-center bg-surface z-50">
+        <div role="alert" aria-live="assertive" className="fixed inset-0 flex items-center justify-center bg-surface z-50">
          <div className="max-w-md rounded-2xl border border-red-500/30 bg-surface-sunken/90 px-8 py-8 text-center shadow-2xl shadow-black/40">
            <div className="mx-auto mb-4 flex h-14 w-14 items-center justify-center rounded-full bg-red-500/10 border border-red-500/30">
              <svg
@@ -76,7 +76,7 @@ export class ErrorBoundary extends React.Component<
            <p className="text-sm text-ink-mid mb-1">
              An unexpected error occurred while rendering the application.
            </p>
-            <p className="text-xs text-bad/80 mb-6 font-mono break-all">
+            <p className="text-xs text-bad mb-6 font-mono break-all">
              {this.state.error?.message ?? "Unknown error"}
            </p>
            <div className="flex items-center justify-center gap-3">
@@ -360,7 +360,7 @@ function SnippetBlock({
        <button
          type="button"
          onClick={onCopy}
-          className="text-xs px-2 py-1 rounded bg-accent-strong/80 hover:bg-accent text-white focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
+          className="text-xs px-2 py-1 rounded bg-accent text-white hover:bg-accent-strong transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
        >
          {copied ? "Copied!" : "Copy"}
        </button>
@@ -451,7 +451,7 @@ function ProviderPickerModal({
                    <button
                      onClick={() => handleSaveKey(index)}
                      disabled={!entry.value.trim() || entry.saving}
-                      className="px-3 py-1.5 bg-accent-strong hover:bg-accent text-[11px] rounded text-white disabled:opacity-30 transition-colors shrink-0"
+                      className="px-3 py-1.5 bg-accent-strong hover:bg-accent text-[11px] rounded text-white disabled:opacity-30 transition-colors shrink-0 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
                    >
                      {entry.saving ? "..." : "Save"}
                    </button>
@@ -492,7 +492,7 @@ function ProviderPickerModal({
                !selectorValue.providerId ||
                (showModelInput && model.trim() === "")
              }
-              className="px-3.5 py-1.5 text-[12px] bg-accent-strong hover:bg-accent text-white rounded-lg transition-colors disabled:opacity-40"
+              className="px-3.5 py-1.5 text-[12px] bg-accent-strong hover:bg-accent text-white rounded-lg transition-colors disabled:opacity-40 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
            >
              {allSaved ? "Deploy" : entries.length > 1 ? "Add Keys" : "Add Key"}
            </button>
@@ -420,7 +420,7 @@ export function ProviderModelSelector({
              spellCheck={false}
              autoComplete="off"
              data-testid="model-input"
-              className="w-full bg-surface-sunken border border-line rounded px-2 py-1.5 text-[11px] text-ink font-mono focus:outline-none focus:border-accent focus:ring-1 focus:ring-accent/20 transition-colors disabled:opacity-50"
+              className="w-full bg-surface-sunken border border-line rounded px-2 py-1.5 text-[11px] text-ink font-mono focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:border-accent transition-colors disabled:opacity-50"
            />
            <p className="text-[9px] text-ink-mid mt-1 leading-relaxed">
              {selected?.wildcard
@@ -389,7 +389,7 @@ export function ProvisioningTimeout({
              <button
                type="button"
                onClick={handleCancelConfirm}
-                className="px-3.5 py-1.5 text-[12px] bg-red-600 hover:bg-red-500 text-white rounded-lg transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-red-400 focus-visible:ring-offset-1"
+                className="px-3.5 py-1.5 text-[12px] bg-red-800 hover:bg-red-700 text-white rounded-lg transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-red-400 focus-visible:ring-offset-1"
              >
                Remove Workspace
              </button>
@@ -61,9 +61,22 @@ export function ThemeToggle({ className = "" }: { className?: string }) {
        return;
      }
      setTheme(OPTIONS[next].value);
-      // Move focus to the new button so arrow-key navigation is continuous
-      const btns = (e.currentTarget.closest("[role=radiogroup]") as HTMLElement)?.querySelectorAll<HTMLButtonElement>("[role=radio]");
-      btns?.[next]?.focus();
+      // Move focus to the new button so arrow-key navigation is continuous.
+      // Use direct-child query to scope strictly to this radiogroup's buttons
+      // and avoid accidentally focusing unrelated [role=radio] elements
+      // elsewhere in the DOM (e.g. React Flow canvas nodes).
+      // Guard: skip focus if the current target is no longer in the document
+      // (e.g. React StrictMode double-invokes handlers during re-render).
+      if (!e.currentTarget.isConnected) return;
+      const radiogroup = e.currentTarget.closest("[role=radiogroup]") as HTMLElement | null;
+      if (!radiogroup) return;
+      // Use children[] instead of querySelectorAll("> [role=radio]") to avoid
+      // jsdom's child-combinator selector parsing issues in test environments.
+      const btns = Array.from(radiogroup.children).filter(
+        (el): el is HTMLButtonElement =>
+          el.tagName === "BUTTON" && el.getAttribute("role") === "radio"
+      );
+      if (next < btns.length) btns[next]?.focus();
    },
    []
  );
@@ -24,8 +24,12 @@ vi.mock("@/lib/theme-provider", () => ({
  })),
 }));

+// Wrap cleanup in act() so any pending React state updates (e.g. from
+// keyDown handlers that call setTheme) flush before DOM unmount. Without
+// this, cleanup() can race against pending renders and cause INDEX_SIZE_ERR
+// when the handleKeyDown callback tries to query the DOM mid-teardown.
 afterEach(() => {
-  cleanup();
+  act(() => { cleanup(); });
  vi.clearAllMocks();
 });

@@ -146,7 +150,7 @@ describe("ThemeToggle — keyboard navigation (WCAG 2.1.1 / ARIA radiogroup)", (
    const radios = screen.getAllByRole("radio");
    // dark (index 2) is current; ArrowRight should wrap to light (index 0)
    act(() => { radios[2].focus(); });
-    fireEvent.keyDown(radios[2], { key: "ArrowRight" });
+    act(() => { fireEvent.keyDown(radios[2], { key: "ArrowRight" }); });
    expect(mockSetTheme).toHaveBeenCalledWith("light");
  });

@@ -160,7 +164,7 @@ describe("ThemeToggle — keyboard navigation (WCAG 2.1.1 / ARIA radiogroup)", (
    const radios = screen.getAllByRole("radio");
    // light (index 0) is current; ArrowLeft should go to dark (index 2)
    act(() => { radios[0].focus(); });
-    fireEvent.keyDown(radios[0], { key: "ArrowLeft" });
+    act(() => { fireEvent.keyDown(radios[0], { key: "ArrowLeft" }); });
    expect(mockSetTheme).toHaveBeenCalledWith("dark");
  });

@@ -174,7 +178,7 @@ describe("ThemeToggle — keyboard navigation (WCAG 2.1.1 / ARIA radiogroup)", (
    const radios = screen.getAllByRole("radio");
    // light (index 0) is current; ArrowDown should go to system (index 1)
    act(() => { radios[0].focus(); });
-    fireEvent.keyDown(radios[0], { key: "ArrowDown" });
+    act(() => { fireEvent.keyDown(radios[0], { key: "ArrowDown" }); });
    expect(mockSetTheme).toHaveBeenCalledWith("system");
  });

@@ -187,7 +191,7 @@ describe("ThemeToggle — keyboard navigation (WCAG 2.1.1 / ARIA radiogroup)", (
    render(<ThemeToggle />);
    const radios = screen.getAllByRole("radio");
    act(() => { radios[2].focus(); });
-    fireEvent.keyDown(radios[2], { key: "Home" });
+    act(() => { fireEvent.keyDown(radios[2], { key: "Home" }); });
    expect(mockSetTheme).toHaveBeenCalledWith("light");
  });

@@ -200,14 +204,14 @@ describe("ThemeToggle — keyboard navigation (WCAG 2.1.1 / ARIA radiogroup)", (
    render(<ThemeToggle />);
    const radios = screen.getAllByRole("radio");
    act(() => { radios[0].focus(); });
-    fireEvent.keyDown(radios[0], { key: "End" });
+    act(() => { fireEvent.keyDown(radios[0], { key: "End" }); });
    expect(mockSetTheme).toHaveBeenCalledWith("dark");
  });

  it("does nothing on unrelated keys", () => {
    render(<ThemeToggle />);
    const radios = screen.getAllByRole("radio");
-    fireEvent.keyDown(radios[0], { key: "Enter" });
+    act(() => { fireEvent.keyDown(radios[0], { key: "Enter" }); });
    expect(mockSetTheme).not.toHaveBeenCalled();
  });
 });
@@ -64,6 +64,7 @@ export function DropTargetBadge() {
      {ghostVisible && (
        <div
          data-testid="ghost-slot"
+          aria-hidden="true"
          className="pointer-events-none absolute z-40 rounded-lg border-2 border-dashed border-emerald-400/70 bg-emerald-500/10"
          style={{
            left: slotTL.x,
@@ -75,7 +76,9 @@ export function DropTargetBadge() {
      )}
      <div
        data-testid="drop-badge"
-        className="pointer-events-none absolute z-50 -translate-x-1/2 -translate-y-full rounded-md bg-emerald-500 px-2 py-0.5 text-[11px] font-medium text-white shadow-lg shadow-emerald-950/40"
+        role="status"
+        aria-label={`Drop target: ${targetName}`}
+        className="pointer-events-none absolute z-50 -translate-x-1/2 -translate-y-full rounded-md bg-emerald-700 px-2 py-0.5 text-[11px] font-medium text-white shadow-lg shadow-emerald-950/40"
        style={{ left: badge.x, top: badge.y - 6 }}
      >
        Drop into: {targetName}
@@ -0,0 +1,311 @@
+/**
+ * Unit tests for buildDeployMap — the pure tree-traversal core of
+ * useOrgDeployState.
+ *
+ * What is tested here:
+ *   - Root / leaf identification via parent-chain walk
+ *   - isDeployingRoot: true when any descendant is "provisioning"
+ *   - isActivelyProvisioning: true only for the node itself in that state
+ *   - isLockedChild: true for non-root nodes in a deploying tree
+ *   - isLockedChild: also true for nodes in deletingIds (even if not deploying)
+ *   - descendantProvisioningCount: non-zero only on root nodes
+ *   - Performance contract: O(n) single-pass walk — tested by verifying
+ *     correctness across 50-node trees (n=50, all cases above)
+ *
+ * What is NOT tested here (hook integration — appropriate for E2E):
+ *   - The useMemo / Zustand subscription wiring
+ *   - React Flow integration (flowToScreenPosition, getInternalNode)
+ *
+ * Issue: #2071 (Canvas test gaps follow-up).
+ */
+import { describe, expect, it } from "vitest";
+import { buildDeployMap, type OrgDeployState } from "../useOrgDeployState";
+
+// ── Helpers ──────────────────────────────────────────────────────────────────
+
+type Projection = { id: string; parentId: string | null; status: string };
+
+function proj(
+  id: string,
+  parentId: string | null,
+  status: string,
+): Projection {
+  return { id, parentId, status };
+}
+
+/** Unchecked cast — test helpers aren't production code paths. */
+function m(
+  ps: Projection[],
+  deletingIds: string[] = [],
+): Map<string, OrgDeployState> {
+  return buildDeployMap(ps, new Set(deletingIds));
+}
+
+function s(
+  map: Map<string, OrgDeployState>,
+  id: string,
+): OrgDeployState {
+  const got = map.get(id);
+  if (!got) throw new Error(`no entry for id=${id}`);
+  return got;
+}
+
+// ── Empty / trivial ───────────────────────────────────────────────────────────
+
+describe("buildDeployMap — empty", () => {
+  it("returns empty map for empty projections", () => {
+    expect(m([]).size).toBe(0);
+  });
+});
+
+// ── Single node ─────────────────────────────────────────────────────────────
+
+describe("buildDeployMap — single node", () => {
+  it("isolated node is its own root and not deploying", () => {
+    const map = m([proj("a", null, "online")]);
+    expect(s(map, "a")).toEqual({
+      isActivelyProvisioning: false,
+      isDeployingRoot: false,
+      isLockedChild: false,
+      descendantProvisioningCount: 0,
+    });
+  });
+
+  it("isolated provisioning node is deploying root", () => {
+    const map = m([proj("a", null, "provisioning")]);
+    expect(s(map, "a")).toEqual({
+      isActivelyProvisioning: true,
+      isDeployingRoot: true,
+      isLockedChild: false,
+      descendantProvisioningCount: 1,
+    });
+  });
+});
+
+// ── Parent / child chains ─────────────────────────────────────────────────────
+
+describe("buildDeployMap — parent / child chains", () => {
+  it("root with online child: root is not deploying, child is not locked", () => {
+    // A ──► B
+    const map = m([
+      proj("A", null, "online"),
+      proj("B", "A", "online"),
+    ]);
+    expect(s(map, "A")).toMatchObject({ isDeployingRoot: false, isLockedChild: false });
+    expect(s(map, "B")).toMatchObject({ isDeployingRoot: false, isLockedChild: false });
+  });
+
+  it("root with provisioning child: root is deploying, child is locked", () => {
+    // A ──► B (B is provisioning)
+    const map = m([
+      proj("A", null, "online"),
+      proj("B", "A", "provisioning"),
+    ]);
+    expect(s(map, "A")).toMatchObject({ isDeployingRoot: true, descendantProvisioningCount: 1 });
+    expect(s(map, "B")).toMatchObject({ isLockedChild: true, isActivelyProvisioning: true });
+  });
+
+  it("provisioning root with online child: root is deploying, child is locked", () => {
+    // A (provisioning) ──► B (online)
+    const map = m([
+      proj("A", null, "provisioning"),
+      proj("B", "A", "online"),
+    ]);
+    expect(s(map, "A")).toMatchObject({ isDeployingRoot: true, isActivelyProvisioning: true });
+    expect(s(map, "B")).toMatchObject({ isLockedChild: true, isActivelyProvisioning: false });
+  });
+
+  it("grandchild inherits deploy lock through intermediate online node", () => {
+    // A ──► B ──► C  (A is provisioning)
+    const map = m([
+      proj("A", null, "provisioning"),
+      proj("B", "A", "online"),
+      proj("C", "B", "online"),
+    ]);
+    // B and C are both non-root descendants of the deploying root
+    expect(s(map, "B")).toMatchObject({ isLockedChild: true });
+    expect(s(map, "C")).toMatchObject({ isLockedChild: true });
+    expect(s(map, "A")).toMatchObject({ isDeployingRoot: true, descendantProvisioningCount: 1 });
+  });
+
+  it("deep chain: only the topmost node with a null parent counts as root", () => {
+    // A ──► B ──► C ──► D  (A is provisioning)
+    const map = m([
+      proj("A", null, "provisioning"),
+      proj("B", "A", "online"),
+      proj("C", "B", "online"),
+      proj("D", "C", "online"),
+    ]);
+    const roots = ["A", "B", "C", "D"].filter((id) => s(map, id).isDeployingRoot);
+    expect(roots).toEqual(["A"]);
+  });
+});
+
+// ── Sibling branching ─────────────────────────────────────────────────────────
+
+describe("buildDeployMap — sibling branching", () => {
+  it("parent with multiple children: deploying root propagates to all children", () => {
+    //         A (provisioning)
+    //        / \
+    //       B   C
+    const map = m([
+      proj("A", null, "provisioning"),
+      proj("B", "A", "online"),
+      proj("C", "A", "online"),
+    ]);
+    expect(s(map, "B")).toMatchObject({ isLockedChild: true });
+    expect(s(map, "C")).toMatchObject({ isLockedChild: true });
+    expect(s(map, "A")).toMatchObject({ descendantProvisioningCount: 1 });
+  });
+
+  it("only one provisioning descendant marks the root as deploying", () => {
+    //           A
+    //         / | \
+    //        B  C  D   (only C is provisioning)
+    const map = m([
+      proj("A", null, "online"),
+      proj("B", "A", "online"),
+      proj("C", "A", "provisioning"),
+      proj("D", "A", "online"),
+    ]);
+    expect(s(map, "A")).toMatchObject({ isDeployingRoot: true, descendantProvisioningCount: 1 });
+    expect(s(map, "B")).toMatchObject({ isLockedChild: true });
+    expect(s(map, "C")).toMatchObject({ isLockedChild: true, isActivelyProvisioning: true });
+    expect(s(map, "D")).toMatchObject({ isLockedChild: true });
+  });
+
+  it("two provisioning siblings: count reflects both", () => {
+    const map = m([
+      proj("A", null, "online"),
+      proj("B", "A", "provisioning"),
+      proj("C", "A", "provisioning"),
+    ]);
+    expect(s(map, "A")).toMatchObject({ descendantProvisioningCount: 2 });
+    expect(s(map, "B")).toMatchObject({ isActivelyProvisioning: true });
+    expect(s(map, "C")).toMatchObject({ isActivelyProvisioning: true });
+  });
+});
+
+// ── Multiple disjoint trees ───────────────────────────────────────────────────
+
+describe("buildDeployMap — multiple disjoint trees", () => {
+  it("each tree has its own root; deploying nodes are independent", () => {
+    // Tree 1: X (provisioning) ──► Y
+    // Tree 2: P ──► Q  (no provisioning)
+    const map = m([
+      proj("X", null, "provisioning"),
+      proj("Y", "X", "online"),
+      proj("P", null, "online"),
+      proj("Q", "P", "online"),
+    ]);
+    expect(s(map, "X")).toMatchObject({ isDeployingRoot: true });
+    expect(s(map, "Y")).toMatchObject({ isLockedChild: true });
+    expect(s(map, "P")).toMatchObject({ isDeployingRoot: false, isLockedChild: false });
+    expect(s(map, "Q")).toMatchObject({ isDeployingRoot: false, isLockedChild: false });
+  });
+});
+
+// ── Deleting nodes ────────────────────────────────────────────────────────────
+
+describe("buildDeployMap — deletingIds", () => {
+  it("node in deletingIds is locked even if tree is not deploying", () => {
+    const map = m(
+      [
+        proj("A", null, "online"),
+        proj("B", "A", "online"),
+      ],
+      ["B"], // B is being deleted
+    );
+    expect(s(map, "A")).toMatchObject({ isLockedChild: false });
+    expect(s(map, "B")).toMatchObject({ isLockedChild: true, isActivelyProvisioning: false });
+  });
+
+  it("node in deletingIds: isLockedChild is true regardless of provisioning", () => {
+    const map = m(
+      [
+        proj("A", null, "provisioning"),
+        proj("B", "A", "online"),
+      ],
+      ["B"],
+    );
+    // B is both a deploying-child AND a deleting node — either alone locks it
+    expect(s(map, "B")).toMatchObject({ isLockedChild: true });
+  });
+
+  it("empty deletingIds set has no effect", () => {
+    const map = m(
+      [
+        proj("A", null, "online"),
+        proj("B", "A", "online"),
+      ],
+      [],
+    );
+    expect(s(map, "B")).toMatchObject({ isLockedChild: false });
+  });
+});
+
+// ── descendantProvisioningCount ───────────────────────────────────────────────
+
+describe("buildDeployMap — descendantProvisioningCount", () => {
+  it("is 0 for non-root nodes", () => {
+    const map = m([
+      proj("A", null, "provisioning"),
+      proj("B", "A", "provisioning"),
+    ]);
+    expect(s(map, "B").descendantProvisioningCount).toBe(0);
+  });
+
+  it("includes the root's own status when provisioning", () => {
+    const map = m([
+      proj("A", null, "provisioning"),
+      proj("B", "A", "online"),
+    ]);
+    // A is both root and provisioning → count includes itself
+    expect(s(map, "A").descendantProvisioningCount).toBe(1);
+  });
+
+  it("accumulates all provisioning descendants (not just immediate children)", () => {
+    const map = m([
+      proj("A", null, "online"),
+      proj("B", "A", "online"),
+      proj("C", "B", "provisioning"),
+    ]);
+    expect(s(map, "A").descendantProvisioningCount).toBe(1);
+  });
+});
+
+// ── O(n) performance ─────────────────────────────────────────────────────────
+
+describe("buildDeployMap — O(n) performance contract", () => {
+  it("handles a 50-node three-level tree without incorrect node assignments", () => {
+    // Level 0: 1 root
+    // Level 1: 7 children
+    // Level 2: 42 leaves
+    // Total: 50 nodes
+    const projections: Projection[] = [];
+    projections.push(proj("root", null, "provisioning"));
+    for (let i = 0; i < 7; i++) {
+      projections.push(proj(`l1-${i}`, "root", "online"));
+    }
+    for (let i = 0; i < 42; i++) {
+      const parent = `l1-${Math.floor(i / 6)}`;
+      projections.push(proj(`l2-${i}`, parent, "online"));
+    }
+    const map = m(projections);
+
+    // Root is the only deploying node
+    expect(s(map, "root")).toMatchObject({
+      isDeployingRoot: true,
+      isLockedChild: false,
+      descendantProvisioningCount: 1,
+    });
+
+    // Every other node is a locked child
+    for (let i = 0; i < 7; i++) {
+      expect(s(map, `l1-${i}`)).toMatchObject({ isLockedChild: true, isDeployingRoot: false });
+    }
+    for (let i = 0; i < 42; i++) {
+      expect(s(map, `l2-${i}`)).toMatchObject({ isLockedChild: true, isDeployingRoot: false });
+    }
+  });
+});
@@ -6,21 +6,21 @@
 // attachments, no A2A topology overlay, no conversation tracing.

 import { useEffect, useRef, useState } from "react";
+import ReactMarkdown from "react-markdown";
+import remarkGfm from "remark-gfm";

-import { api } from "@/lib/api";
 import { useCanvasStore } from "@/store/canvas";
+import { type ChatAttachment, type ChatMessage, createMessage } from "@/components/tabs/chat/types";
+import {
+  useChatHistory,
+  useChatSend,
+  useChatSocket,
+} from "@/components/tabs/chat/hooks";

 import { toMobileAgent } from "./components";
 import { MOBILE_FONT_MONO, MOBILE_FONT_SANS, usePalette } from "./palette";
 import { Icons, StatusDot, TierChip } from "./primitives";

-interface ChatMessage {
-  id: string;
-  role: "user" | "agent" | "system";
-  text: string;
-  ts: string;
-}
-
 const formatStoredTimestamp = (iso: string): string => {
  const d = new Date(iso);
  if (isNaN(d.getTime())) return "";
@@ -29,15 +29,170 @@ const formatStoredTimestamp = (iso: string): string => {

 type SubTab = "my" | "a2a";

-interface A2AResponseShape {
-  result?: {
-    parts?: Array<{ kind?: string; text?: string }>;
-  };
-  error?: { message?: string };
-}
+function MarkdownBubble({
+  children,
+  dark,
+  accent,
+}: {
+  children: string;
+  dark: boolean;
+  accent: string;
+}) {
+  const codeBg = dark ? "rgba(255,255,255,0.08)" : "rgba(0,0,0,0.06)";
+  const codeBlockBg = dark ? "#1a1a1a" : "#f5f5f0";
+  const linkColor = accent;
+  const quoteBorder = dark ? "rgba(255,250,240,0.15)" : "rgba(40,30,20,0.15)";

-const formatTime = (date: Date) =>
-  date.toLocaleTimeString([], { hour: "numeric", minute: "2-digit" });
+  return (
+    <ReactMarkdown
+      remarkPlugins={[remarkGfm]}
+      components={{
+        p: ({ children }) => (
+          <div style={{ margin: "2px 0", lineHeight: "inherit" }}>{children}</div>
+        ),
+        a: ({ href, children }) => (
+          <a
+            href={href}
+            target="_blank"
+            rel="noopener noreferrer"
+            style={{ color: linkColor, textDecoration: "underline" }}
+          >
+            {children}
+          </a>
+        ),
+        pre: ({ children }) => (
+          <pre
+            style={{
+              background: codeBlockBg,
+              padding: "8px 10px",
+              borderRadius: 8,
+              overflow: "auto",
+              fontSize: 12,
+              lineHeight: 1.5,
+              fontFamily: MOBILE_FONT_MONO,
+              margin: "4px 0",
+            }}
+          >
+            {children}
+          </pre>
+        ),
+        code: ({ children, className }) => {
+          const isBlock = className != null && String(className).length > 0;
+          if (isBlock) {
+            return (
+              <code style={{ fontFamily: MOBILE_FONT_MONO, fontSize: 12 }}>
+                {children}
+              </code>
+            );
+          }
+          return (
+            <code
+              style={{
+                background: codeBg,
+                padding: "1px 4px",
+                borderRadius: 4,
+                fontSize: 13,
+                fontFamily: MOBILE_FONT_MONO,
+              }}
+            >
+              {children}
+            </code>
+          );
+        },
+        ul: ({ children }) => (
+          <ul style={{ margin: "4px 0", paddingLeft: 18, listStyle: "disc" }}>
+            {children}
+          </ul>
+        ),
+        ol: ({ children }) => (
+          <ol style={{ margin: "4px 0", paddingLeft: 18, listStyle: "decimal" }}>
+            {children}
+          </ol>
+        ),
+        li: ({ children }) => <li style={{ margin: "2px 0" }}>{children}</li>,
+        strong: ({ children }) => (
+          <strong style={{ fontWeight: 600 }}>{children}</strong>
+        ),
+        em: ({ children }) => <em style={{ fontStyle: "italic" }}>{children}</em>,
+        h1: ({ children }) => (
+          <div style={{ fontSize: 16, fontWeight: 700, margin: "4px 0" }}>{children}</div>
+        ),
+        h2: ({ children }) => (
+          <div style={{ fontSize: 15, fontWeight: 700, margin: "4px 0" }}>{children}</div>
+        ),
+        h3: ({ children }) => (
+          <div style={{ fontSize: 14, fontWeight: 700, margin: "4px 0" }}>{children}</div>
+        ),
+        h4: ({ children }) => (
+          <div style={{ fontSize: 14, fontWeight: 600, margin: "4px 0" }}>{children}</div>
+        ),
+        h5: ({ children }) => (
+          <div style={{ fontSize: 13, fontWeight: 600, margin: "4px 0" }}>{children}</div>
+        ),
+        h6: ({ children }) => (
+          <div style={{ fontSize: 13, fontWeight: 600, margin: "4px 0" }}>{children}</div>
+        ),
+        blockquote: ({ children }) => (
+          <blockquote
+            style={{
+              borderLeft: `2px solid ${quoteBorder}`,
+              margin: "4px 0",
+              paddingLeft: 8,
+              opacity: 0.85,
+            }}
+          >
+            {children}
+          </blockquote>
+        ),
+        hr: () => (
+          <hr
+            style={{
+              border: "none",
+              borderTop: `0.5px solid ${quoteBorder}`,
+              margin: "6px 0",
+            }}
+          />
+        ),
+        table: ({ children }) => (
+          <table
+            style={{
+              borderCollapse: "collapse",
+              fontSize: 13,
+              margin: "4px 0",
+              width: "100%",
+            }}
+          >
+            {children}
+          </table>
+        ),
+        thead: ({ children }) => <thead style={{ fontWeight: 600 }}>{children}</thead>,
+        th: ({ children }) => (
+          <th
+            style={{
+              border: `0.5px solid ${quoteBorder}`,
+              padding: "4px 6px",
+              textAlign: "left",
+            }}
+          >
+            {children}
+          </th>
+        ),
+        td: ({ children }) => (
+          <td
+            style={{
+              border: `0.5px solid ${quoteBorder}`,
+              padding: "4px 6px",
+            }}
+          >
+            {children}
+          </td>
+        ),
+      }}
+    >
+      {children}
+    </ReactMarkdown>
+  );
+}

 export function MobileChat({
  agentId,
@@ -50,33 +205,37 @@ export function MobileChat({
 }) {
  const p = usePalette(dark);
  const node = useCanvasStore((s) => s.nodes.find((n) => n.id === agentId));
-  // Bootstrap from the canvas store's per-workspace message buffer so the
-  // user sees their prior thread on entry. The store is updated by the
-  // socket → ChatTab flows the desktop runs; on mobile we read from the
-  // same buffer to keep state coherent across viewports.
-  // NOTE: selector returns undefined (stable) — do NOT use ?? [] here,
-  // that creates a new [] reference on every store update when the key is
-  // absent, causing infinite re-render (React error #185).
-  const storedMessages = useCanvasStore((s) => s.agentMessages[agentId]);
-  const [messages, setMessages] = useState<ChatMessage[]>(() =>
-    (storedMessages ?? []).map((m) => ({
-      id: m.id,
-      role: "agent",
-      text: m.content,
-      ts: formatStoredTimestamp(m.timestamp),
-    })),
-  );
  const [draft, setDraft] = useState("");
  const [tab, setTab] = useState<SubTab>("my");
-  const [sending, setSending] = useState(false);
-  const [error, setError] = useState<string | null>(null);
  const scrollRef = useRef<HTMLDivElement>(null);
-  // Synchronous re-entry guard. `setSending(true)` schedules a state
-  // update but doesn't flush before a second tap can fire send() — a ref
-  // mirrors the desktop ChatTab pattern (sendInFlightRef) and closes the
-  // double-send race a stale `sending` lets through.
-  const sendInFlightRef = useRef(false);
  const composerRef = useRef<HTMLTextAreaElement>(null);
+  const fileInputRef = useRef<HTMLInputElement>(null);
+  const [pendingFiles, setPendingFiles] = useState<File[]>([]);
+
+  const {
+    messages,
+    loading: historyLoading,
+    loadError: historyError,
+    appendMessageDeduped,
+  } = useChatHistory(agentId);
+
+  const {
+    sending,
+    uploading,
+    sendMessage,
+    error: sendError,
+    clearError,
+    releaseSendGuards,
+  } = useChatSend(agentId, {
+    getHistoryMessages: () => messages,
+    onUserMessage: appendMessageDeduped,
+    onAgentMessage: appendMessageDeduped,
+  });
+
+  useChatSocket(agentId, {
+    onAgentMessage: appendMessageDeduped,
+    onSendComplete: releaseSendGuards,
+  });

  // Auto-grow the textarea: reset height to 'auto' so the scrollHeight
  // shrinks when the user deletes text, then size to scrollHeight up to
@@ -95,6 +254,20 @@ export function MobileChat({
    }
  }, [messages]);

+  // Consume any agent messages that arrived while history was loading.
+  const initialConsumeDoneRef = useRef(false);
+  useEffect(() => {
+    if (historyLoading || initialConsumeDoneRef.current) return;
+    initialConsumeDoneRef.current = true;
+    const consume = useCanvasStore.getState().consumeAgentMessages;
+    const msgs = consume(agentId);
+    for (const m of msgs) {
+      appendMessageDeduped(
+        createMessage("agent", m.content, m.attachments),
+      );
+    }
+  }, [historyLoading, agentId, appendMessageDeduped]);
+
  if (!node) {
    return (
      <div
@@ -116,54 +289,27 @@ export function MobileChat({
  const a = toMobileAgent(node);
  const reachable = a.status === "online" || a.status === "degraded";

+  const onFilesPicked = (fileList: FileList | null) => {
+    if (!fileList) return;
+    const picked = Array.from(fileList);
+    setPendingFiles((prev) => {
+      const keyed = new Set(prev.map((f) => `${f.name}:${f.size}`));
+      return [...prev, ...picked.filter((f) => !keyed.has(`${f.name}:${f.size}`))];
+    });
+    if (fileInputRef.current) fileInputRef.current.value = "";
+  };
+
+  const removePendingFile = (index: number) =>
+    setPendingFiles((prev) => prev.filter((_, i) => i !== index));
+
  const send = async () => {
    const text = draft.trim();
-    if (!text || sending || !reachable) return;
-    if (sendInFlightRef.current) return;
-    sendInFlightRef.current = true;
+    if ((!text && pendingFiles.length === 0) || sending || !reachable) return;
+    clearError();
    setDraft("");
-    setError(null);
-    setSending(true);
-    const myMsg: ChatMessage = {
-      id: crypto.randomUUID(),
-      role: "user",
-      text,
-      ts: formatTime(new Date()),
-    };
-    setMessages((m) => [...m, myMsg]);
-
-    try {
-      const res = await api.post<A2AResponseShape>(`/workspaces/${agentId}/a2a`, {
-        method: "message/send",
-        params: {
-          message: {
-            role: "user",
-            messageId: crypto.randomUUID(),
-            parts: [{ kind: "text", text }],
-          },
-        },
-      });
-      const reply =
-        res.result?.parts?.find((part) => part.kind === "text")?.text ?? "";
-      if (reply) {
-        setMessages((m) => [
-          ...m,
-          {
-            id: crypto.randomUUID(),
-            role: "agent",
-            text: reply,
-            ts: formatTime(new Date()),
-          },
-        ]);
-      } else if (res.error?.message) {
-        setError(res.error.message);
-      }
-    } catch (e) {
-      setError(e instanceof Error ? e.message : "Failed to send");
-    } finally {
-      setSending(false);
-      sendInFlightRef.current = false;
-    }
+    const files = pendingFiles;
+    setPendingFiles([]);
+    await sendMessage(text, files);
  };

  return (
@@ -308,7 +454,17 @@ export function MobileChat({
            Agent Comms — peer-to-peer A2A traffic surfaces in the Comms tab.
          </div>
        )}
-        {tab === "my" && messages.length === 0 && (
+        {tab === "my" && historyLoading && (
+          <div style={{ padding: "20px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
+            Loading chat history…
+          </div>
+        )}
+        {tab === "my" && !historyLoading && historyError && messages.length === 0 && (
+          <div style={{ padding: "20px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
+            {historyError}
+          </div>
+        )}
+        {tab === "my" && !historyLoading && !historyError && messages.length === 0 && (
          <div style={{ padding: "20px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
            Send a message to start chatting.
          </div>
@@ -337,7 +493,9 @@ export function MobileChat({
                    overflowWrap: "anywhere",
                  }}
                >
-                  {m.text}
+                  <MarkdownBubble dark={dark} accent={p.accent}>
+                    {m.content}
+                  </MarkdownBubble>
                  <div
                    style={{
                      fontSize: 10,
@@ -346,13 +504,13 @@ export function MobileChat({
                      fontFamily: MOBILE_FONT_MONO,
                    }}
                  >
-                    {m.ts}
+                    {formatStoredTimestamp(m.timestamp)}
                  </div>
                </div>
              </div>
            );
          })}
-        {error && (
+        {sendError && (
          <div
            role="alert"
            style={{
@@ -364,7 +522,7 @@ export function MobileChat({
              fontSize: 12,
            }}
          >
-            {error}
+            {sendError}
          </div>
        )}
      </div>
@@ -395,6 +553,60 @@ export function MobileChat({
          backdropFilter: "blur(14px)",
        }}
      >
+        {pendingFiles.length > 0 && (
+          <div
+            style={{
+              display: "flex",
+              flexWrap: "wrap",
+              gap: 6,
+              marginBottom: 8,
+              paddingLeft: 2,
+            }}
+          >
+            {pendingFiles.map((f, i) => (
+              <div
+                key={`${f.name}:${f.size}`}
+                style={{
+                  display: "flex",
+                  alignItems: "center",
+                  gap: 4,
+                  padding: "3px 8px",
+                  borderRadius: 10,
+                  background: dark ? "#2a2823" : "#ece9e0",
+                  fontSize: 12,
+                  color: p.text2,
+                  maxWidth: "100%",
+                }}
+              >
+                <span
+                  style={{
+                    overflow: "hidden",
+                    textOverflow: "ellipsis",
+                    whiteSpace: "nowrap",
+                  }}
+                >
+                  {f.name}
+                </span>
+                <button
+                  type="button"
+                  onClick={() => removePendingFile(i)}
+                  aria-label={`Remove ${f.name}`}
+                  style={{
+                    border: "none",
+                    background: "transparent",
+                    color: p.text3,
+                    cursor: "pointer",
+                    fontSize: 12,
+                    padding: 0,
+                    lineHeight: 1,
+                  }}
+                >
+                  ✕
+                </button>
+              </div>
+            ))}
+          </div>
+        )}
        <div
          style={{
            display: "flex",
@@ -406,21 +618,32 @@ export function MobileChat({
            padding: "6px 6px 6px 12px",
          }}
        >
+          <input
+            ref={fileInputRef}
+            type="file"
+            multiple
+            style={{ display: "none" }}
+            onChange={(e) => onFilesPicked(e.target.files)}
+            aria-hidden="true"
+          />
          <button
            type="button"
+            onClick={() => fileInputRef.current?.click()}
+            disabled={!reachable || sending || uploading}
            aria-label="Attach"
            style={{
              width: 32,
              height: 32,
              borderRadius: 999,
              border: "none",
-              cursor: "pointer",
+              cursor: reachable && !sending && !uploading ? "pointer" : "not-allowed",
              background: "transparent",
              color: p.text3,
              flexShrink: 0,
              display: "flex",
              alignItems: "center",
              justifyContent: "center",
+              opacity: !reachable || sending || uploading ? 0.4 : 1,
            }}
          >
            {Icons.attach({ size: 16 })}
@@ -466,28 +689,32 @@ export function MobileChat({
          <button
            type="button"
            onClick={send}
-            disabled={!draft.trim() || !reachable || sending}
+            disabled={(!draft.trim() && pendingFiles.length === 0) || !reachable || sending || uploading}
            aria-label="Send"
            style={{
              width: 36,
              height: 36,
              borderRadius: 999,
              border: "none",
-              cursor: draft.trim() && !sending ? "pointer" : "not-allowed",
+              cursor: (draft.trim() || pendingFiles.length > 0) && !sending && !uploading ? "pointer" : "not-allowed",
              flexShrink: 0,
              background:
-                draft.trim() && reachable && !sending
+                (draft.trim() || pendingFiles.length > 0) && reachable && !sending && !uploading
                  ? p.accent
                  : dark
                    ? "#2a2823"
                    : "#ece9e0",
-              color: draft.trim() && reachable && !sending ? "#fff" : p.text3,
+              color: (draft.trim() || pendingFiles.length > 0) && reachable && !sending && !uploading ? "#fff" : p.text3,
              display: "flex",
              alignItems: "center",
              justifyContent: "center",
            }}
          >
-            {Icons.send({ size: 16 })}
+            {uploading ? (
+              <span style={{ fontSize: 10, fontWeight: 600 }}>↑</span>
+            ) : (
+              Icons.send({ size: 16 })
+            )}
          </button>
        </div>
      </div>
@@ -12,6 +12,7 @@ import { useEffect, useState } from "react";

 import { api } from "@/lib/api";
 import { type Template } from "@/lib/deploy-preflight";
+import { isSaaSTenant } from "@/lib/tenant";

 import { tierCode } from "./palette";
 import { MOBILE_FONT_MONO, MOBILE_FONT_SANS, type MobilePalette, usePalette } from "./palette";
@@ -26,6 +27,7 @@ const TIER_LABEL: Record<"T1" | "T2" | "T3" | "T4", string> = {

 export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => void }) {
  const p = usePalette(dark);
+  const isSaaS = isSaaSTenant();
  const [templates, setTemplates] = useState<Template[]>([]);
  const [loadingTemplates, setLoadingTemplates] = useState(true);
  const [tplId, setTplId] = useState<string | null>(null);
@@ -43,7 +45,7 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
        setTemplates(list);
        if (list.length > 0) {
          setTplId(list[0].id);
-          setTier(tierCode(list[0].tier));
+          setTier(isSaaS ? "T4" : tierCode(list[0].tier));
        }
      })
      .catch(() => {
@@ -55,7 +57,7 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
    return () => {
      cancelled = true;
    };
-  }, []);
+  }, [isSaaS]);

  const handleSpawn = async () => {
    if (busy || !tplId) return;
@@ -67,7 +69,7 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
      await api.post<{ id: string }>("/workspaces", {
        name: (name.trim() || chosen.name),
        template: chosen.id,
-        tier: Number(tier.slice(1)),
+        tier: isSaaS ? 4 : Number(tier.slice(1)),
        canvas: {
          x: Math.random() * 400 + 100,
          y: Math.random() * 300 + 100,
@@ -203,7 +205,7 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
            >
              {templates.map((t) => {
                const on = tplId === t.id;
-                const tCode = tierCode(t.tier);
+                const tCode = isSaaS ? "T4" : tierCode(t.tier);
                return (
                  <button
                    key={t.id}
@@ -8,7 +8,7 @@
 * NOTE: No @testing-library/jest-dom — use DOM APIs.
 */
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { cleanup, render } from "@testing-library/react";
+import { cleanup, render, waitFor } from "@testing-library/react";
 import React from "react";

 import { MobileChat } from "../MobileChat";
@@ -33,7 +33,12 @@ const mockStoreState = {
 vi.mock("@/store/canvas", () => ({
  useCanvasStore: Object.assign(
    vi.fn((sel) => sel(mockStoreState)),
-    { getState: () => mockStoreState },
+    {
+      getState: () => ({
+        ...mockStoreState,
+        consumeAgentMessages: vi.fn(() => []),
+      }),
+    },
  ),
  summarizeWorkspaceCapabilities: vi.fn((data: Record<string, unknown>) => {
    const agentCard = data.agentCard as Record<string, unknown> | null;
@@ -60,8 +65,12 @@ const { mockApiPost } = vi.hoisted(() => ({
  mockApiPost: vi.fn().mockResolvedValue({ result: { parts: [] } }),
 }));

+const { mockApiGet } = vi.hoisted(() => ({
+  mockApiGet: vi.fn().mockResolvedValue({ messages: [] }),
+}));
+
 vi.mock("@/lib/api", () => ({
-  api: { post: mockApiPost },
+  api: { get: mockApiGet, post: mockApiPost },
 }));

 // ─── Fixtures ────────────────────────────────────────────────────────────────
@@ -148,6 +157,7 @@ function renderChat(agentId: string, dark = false) {

 beforeEach(() => {
  mockOnBack.mockClear();
+  mockApiGet.mockClear();
  mockStoreState.nodes = [];
  mockStoreState.agentMessages = {};
  mockApiPost.mockClear();
@@ -266,16 +276,19 @@ describe("MobileChat — empty state", () => {
    mockStoreState.nodes = [onlineNode];
  });

-  it('shows "Send a message to start chatting." when no messages', () => {
+  it('shows "Send a message to start chatting." when no messages', async () => {
    const { container } = renderChat(mockAgentId);
-    expect(container.textContent ?? "").toContain("Send a message to start chatting.");
+    await waitFor(() =>
+      expect(container.textContent ?? "").toContain("Send a message to start chatting."),
+    );
  });

-  it("shows no messages when agentMessages[agentId] is absent (undefined)", () => {
-    // Explicitly set to empty to simulate no stored messages
+  it("shows no messages when agentMessages[agentId] is absent (undefined)", async () => {
    mockStoreState.agentMessages = {};
    const { container } = renderChat(mockAgentId);
-    expect(container.textContent ?? "").toContain("Send a message to start chatting.");
+    await waitFor(() =>
+      expect(container.textContent ?? "").toContain("Send a message to start chatting."),
+    );
  });
 });

@@ -307,7 +307,7 @@ function ActivityRow({

        {/* Error detail */}
        {isError && entry.error_detail && (
-          <div className="text-[9px] text-bad/80 mt-1 truncate">
+          <div className="text-[9px] text-bad mt-1 truncate">
            {entry.error_detail}
          </div>
        )}
@@ -358,10 +358,10 @@ function A2AErrorPreview({ label, raw }: { label: string; raw: string }) {
  const hint = inferA2AErrorHint(detail);
  return (
    <div>
-      <div className="text-[8px] text-bad/80 uppercase tracking-wider mb-1">{label} — delivery failed</div>
+      <div className="text-[8px] text-bad uppercase tracking-wider mb-1">{label} — delivery failed</div>
      <div className="text-[10px] text-bad bg-red-950/30 border border-red-800/40 rounded p-2 space-y-1.5">
        <div className="font-mono whitespace-pre-wrap break-words max-h-32 overflow-y-auto">{detail}</div>
-        <div className="text-[9px] text-bad/70 leading-relaxed border-t border-red-800/30 pt-1.5">{hint}</div>
+        <div className="text-[9px] text-bad leading-relaxed border-t border-red-800/30 pt-1.5">{hint}</div>
      </div>
    </div>
  );
@@ -3,18 +3,20 @@
 import { useState, useRef, useEffect, useCallback, useLayoutEffect } from "react";
 import ReactMarkdown from "react-markdown";
 import remarkGfm from "remark-gfm";
-import { api } from "@/lib/api";
 import { useCanvasStore, type WorkspaceNodeData } from "@/store/canvas";
-import { useSocketEvent } from "@/hooks/useSocketEvent";
 import { type ChatMessage, type ChatAttachment, createMessage, appendMessageDeduped } from "./chat/types";
-import { uploadChatFiles, downloadChatFile, isPlatformAttachment } from "./chat/uploads";
+import { downloadChatFile, isPlatformAttachment } from "./chat/uploads";
 import { PendingAttachmentPill } from "./chat/AttachmentViews";
 import { AttachmentPreview } from "./chat/AttachmentPreview";
-import { extractFilesFromTask } from "./chat/message-parser";
 import { AgentCommsPanel } from "./chat/AgentCommsPanel";
 import { appendActivityLine } from "./chat/activityLog";
 import { runtimeDisplayName } from "@/lib/runtime-names";
 import { ConfirmDialog } from "@/components/ConfirmDialog";
+import { useChatHistory } from "./chat/hooks/useChatHistory";
+import { useChatSend } from "./chat/hooks/useChatSend";
+import { useChatSocket } from "./chat/hooks/useChatSocket";
+
+export { extractReplyText } from "./chat/hooks/useChatSend";

 interface Props {
  workspaceId: string;
@@ -23,147 +25,6 @@ interface Props {

 type ChatSubTab = "my-chat" | "agent-comms";

-// A2A response shape (subset). The full schema is in @a2a-js/sdk but we only
-// need parts/artifacts text + file extraction for the synchronous fallback.
-interface A2AFileRef {
-  name?: string;
-  mimeType?: string;
-  uri?: string;
-  bytes?: string;
-  size?: number;
-}
-// Outbound shape matches a2a-sdk's JSON-RPC `SendMessageRequest`
-// Pydantic union (TextPart | FilePart | DataPart). The flat
-// protobuf shape `{url, filename, mediaType}` is rejected at the
-// request boundary with `Field required` errors — keep this
-// outbound shape unless a2a-sdk migrates the JSON-RPC schema.
-interface A2APart {
-  kind: string;
-  text?: string;
-  file?: A2AFileRef;
-}
-interface A2AResponse {
-  result?: {
-    parts?: A2APart[];
-    artifacts?: Array<{ parts: A2APart[] }>;
-  };
-}
-
-// Internal-self-message filtering moved server-side in RFC #2945
-// PR-C/D — the platform's /chat-history endpoint applies the
-// IsInternalSelfMessage predicate before returning rows, so the
-// client no longer needs the local backstop on the history path.
-// The proper fix is still X-Workspace-ID header (source_id=workspace_id);
-// the platform-side prefix filter handles the residual cases.
-
-// extractReplyText pulls the agent's text reply out of an A2A response.
-// Concatenates ALL text parts (joined with "\n") rather than returning
-// just the first. Claude Code and other runtimes commonly emit multi-
-// part text replies for long content (markdown tables, code blocks),
-// and the prior "first part wins" implementation silently truncated
-// the rest — observed on a 15k-char Wave 1 brief that rendered only
-// the table header. Mirrors extractTextsFromParts in message-parser.ts.
-//
-// Server-side counterpart in workspace-server/internal/channels/
-// manager.go has the same single-part bug; fix that too if/when a
-// channel-delivered reply (Slack, Lark, etc.) gets truncated.
-export function extractReplyText(resp: A2AResponse): string {
-  const collect = (parts: A2APart[] | undefined): string => {
-    if (!parts) return "";
-    return parts
-      .filter((p) => p.kind === "text")
-      .map((p) => p.text ?? "")
-      .filter(Boolean)
-      .join("\n");
-  };
-  const result = resp?.result;
-  const collected: string[] = [];
-  const fromParts = collect(result?.parts);
-  if (fromParts) collected.push(fromParts);
-  // Walk artifacts even if parts had text — some producers (Hermes
-  // tool calls) emit a summary in parts AND details in artifacts.
-  // Returning early on parts dropped the artifact body silently.
-  if (result?.artifacts) {
-    for (const a of result.artifacts) {
-      const t = collect(a.parts);
-      if (t) collected.push(t);
-    }
-  }
-  return collected.join("\n");
-}
-
-// Agent-returned files live on the same response shape as text —
-// delegated to extractFilesFromTask in message-parser.ts, which also
-// walks status.message.parts (that ChatTab's legacy text extractor
-// doesn't). Single source of truth for file-part parsing across
-// live chat, activity log replay, and any future consumers.
-
-/** Initial chat history page size. The newest N messages are rendered
- *  on first paint; older history is fetched on demand via loadOlder()
- *  when the user scrolls the top sentinel into view. */
-const INITIAL_HISTORY_LIMIT = 10;
-/** Subsequent older-history batch size. Larger than INITIAL so a long
- *  scroll-back doesn't fan out into many round-trips. */
-const OLDER_HISTORY_BATCH = 20;
-
-/**
- * Load chat history from the platform's typed /chat-history endpoint.
- *
- * Server-side rendering of activity_logs rows into ChatMessage shape
- * lives in workspace-server/internal/messagestore/postgres_store.go
- * (RFC #2945 PR-C/D). The server already applies the canvas-source
- * filter, the internal-self-message predicate, the role decision
- * (status=error vs agent-error prefix → system), and the v0/v1
- * file-shape extraction. Canvas just renders what it receives.
- *
- * Wire shape (mirrors ChatMessage exactly, no per-row mapping needed):
- *
- *   GET /workspaces/:id/chat-history?limit=N&before_ts=T
- *   200 → {"messages": ChatMessage[], "reached_end": boolean}
- *
- * Pagination:
- *  - Pass `limit` to bound the page size (newest-first from server).
- *  - Pass `beforeTs` (RFC3339) to fetch rows STRICTLY OLDER than that
- *    timestamp. Combined with limit, this yields the next-older page
- *    when scrolling backward through history.
- *
- * `reachedEnd` is propagated from the server. The server computes it
- * by comparing rowCount vs limit so a partial last page is correctly
- * detected even when the row→bubble fan-out is non-1:1 (each row
- * produces 1-2 bubbles).
- */
-async function loadMessagesFromDB(
-  workspaceId: string,
-  limit: number,
-  beforeTs?: string,
-): Promise<{ messages: ChatMessage[]; error: string | null; reachedEnd: boolean }> {
-  try {
-    const params = new URLSearchParams({ limit: String(limit) });
-    if (beforeTs) params.set("before_ts", beforeTs);
-    const resp = await api.get<{ messages: ChatMessage[]; reached_end: boolean }>(
-      `/workspaces/${workspaceId}/chat-history?${params.toString()}`,
-    );
-
-    // Server emits oldest-first within the page (RFC #2945 PR-C-2
-    // post-fix: server reverses row-aware before returning so the
-    // wire is display-ready). Canvas appends/prepends without
-    // reordering — this avoids the pair-flip bug a naive flat
-    // reverse causes when each row produces a (user, agent) pair
-    // with the same timestamp.
-    return {
-      messages: resp.messages ?? [],
-      error: null,
-      reachedEnd: resp.reached_end,
-    };
-  } catch (err) {
-    return {
-      messages: [],
-      error: err instanceof Error ? err.message : "Failed to load chat history",
-      reachedEnd: true,
-    };
-  }
-}
-
 /**
 * ChatTab container — renders sub-tab bar + My Chat or Agent Comms panel.
 */
@@ -247,268 +108,68 @@ export function ChatTab({ workspaceId, data }: Props) {
 * MyChatPanel — user↔agent conversation (extracted from original ChatTab).
 */
 function MyChatPanel({ workspaceId, data }: Props) {
-  const [messages, setMessages] = useState<ChatMessage[]>([]);
  const [input, setInput] = useState("");
-  // `sending` is strictly the "this tab kicked off a send and hasn't
-  // seen the reply yet" signal. Previously this was initialized from
-  // data.currentTask to pick up in-flight agent work on mount, but
-  // that conflated agent-busy (workspace heartbeat) with user-
-  // in-flight (local send): when the WS dropped a TASK_COMPLETE event,
-  // currentTask lingered, the component re-mounted with sending=true,
-  // and the Send button stayed disabled forever even though nothing
-  // local was in flight. For the "agent is busy, show spinner" UX,
-  // use data.currentTask directly in the render path.
-  const [sending, setSending] = useState(false);
-  const [thinkingElapsed, setThinkingElapsed] = useState(0);
+  const [pendingFiles, setPendingFiles] = useState<File[]>([]);
  const [activityLog, setActivityLog] = useState<string[]>([]);
-  const [loading, setLoading] = useState(true);
-  const [loadError, setLoadError] = useState<string | null>(null);
-  const currentTaskRef = useRef(data.currentTask);
-  const sendingFromAPIRef = useRef(false);
+  const [thinkingElapsed, setThinkingElapsed] = useState(0);
  const [agentReachable, setAgentReachable] = useState(false);
  const [error, setError] = useState<string | null>(null);
  const [confirmRestart, setConfirmRestart] = useState(false);
-  const bottomRef = useRef<HTMLDivElement>(null);
-  // First-mount scroll-to-bottom needs `behavior: "instant"` — long
-  // conversations smooth-animate for ~300ms which any concurrent
-  // re-render can interrupt, leaving the user stuck mid-conversation
-  // when the chat tab opens. Subsequent appends (new agent messages)
-  // keep `smooth` for the visual "landing" feel. Flipped the first
-  // time messages.length goes positive, so a workspace switch (which
-  // remounts ChatTab) gets a fresh instant jump too.
-  const hasInitialScrollRef = useRef(false);
-  // Lazy-load older history on scroll-up.
-  // - containerRef = the scrollable messages viewport
-  // - topRef       = sentinel above the messages list; IO observes it
-  //                  and triggers loadOlder() when it enters view
-  // - hasMore      = false once a fetch returns < limit rows; stops IO
-  // - loadingOlder = drives the "Loading older messages…" UI label
-  // - inflightRef  = synchronous guard against double-entry of loadOlder
-  //                  when the IO callback fires twice in the same
-  //                  microtask (state-based guard would be stale until
-  //                  the next React commit)
-  // - scrollAnchorRef = saves distance-from-bottom before a prepend
-  //                  so the useLayoutEffect below can restore the
-  //                  user's exact viewport position. Without this,
-  //                  prepending older messages would jump the scroll
-  //                  position by the height of the new content.
-  // - oldestMessageRef / hasMoreRef = let the loadOlder closure read
-  //                  the latest values without taking them as deps —
-  //                  every live agent push mutates `messages`, and
-  //                  having loadOlder depend on `messages` would tear
-  //                  down + re-arm the IntersectionObserver on every
-  //                  push. Refs decouple the observer lifecycle from
-  //                  message-list updates.
+  const [dragOver, setDragOver] = useState(false);
+
  const containerRef = useRef<HTMLDivElement>(null);
  const topRef = useRef<HTMLDivElement>(null);
-  const [hasMore, setHasMore] = useState(true);
-  const [loadingOlder, setLoadingOlder] = useState(false);
-  const inflightRef = useRef(false);
-  // The scroll anchor includes the first-message id as it was BEFORE
-  // the prepend — see useLayoutEffect below for why. Without this tag,
-  // a live agent push that appends WHILE loadOlder is in flight would
-  // run useLayoutEffect against the append (anchor still set), the
-  // "restore" math would scroll the user to a stale offset, AND the
-  // append's normal scroll-to-bottom would be swallowed.
-  const scrollAnchorRef = useRef<
-    { savedDistanceFromBottom: number; expectFirstIdNotEqual: string | null } | null
-  >(null);
-  const oldestMessageRef = useRef<ChatMessage | null>(null);
-  const hasMoreRef = useRef(true);
-  // Monotonic token bumped on workspace switch + on every loadOlder
-  // entry. Each fetch's .then() captures its own token; if the token
-  // has moved, the resolved messages belong to a stale workspace or a
-  // superseded fetch and we silently drop them. Without this guard, a
-  // workspace switch mid-fetch would have the in-flight promise
-  // resolve into the new workspace's setMessages — the user sees
-  // someone else's history briefly.
-  const fetchTokenRef = useRef(0);
-  // Files the user has picked but not yet sent. Cleared on send
-  // (upload success) or by the × on each pill.
-  const [pendingFiles, setPendingFiles] = useState<File[]>([]);
-  const [uploading, setUploading] = useState(false);
+  const bottomRef = useRef<HTMLDivElement>(null);
+  const hasInitialScrollRef = useRef(false);
  const fileInputRef = useRef<HTMLInputElement>(null);
-  // Guard against a double-click during the upload phase: React
-  // state updates from the click that started the upload haven't
-  // flushed yet, so the disabled-button logic sees `uploading=false`
-  // from the closure and lets a second `sendMessage` enter. A ref
-  // observes the latest value synchronously.
-  const sendInFlightRef = useRef(false);
-  // Monotonic token bumped on every sendMessage entry. Each .then()/
-  // .catch() captures its own token in closure and bails if a newer
-  // send has superseded it — prevents a late HTTP response for an
-  // earlier message from clobbering the flags / appending text that
-  // belong to a newer in-flight send. Race scenario the token closes:
-  // (1) send msg #1 (2) WS push for msg #1 arrives, releases guards
-  // (3) user sends msg #2 (4) HTTP for msg #1 finally lands — without
-  // the token check, .then() sees sendingFromAPIRef=true (set by
-  // msg #2's send), enters the main body, and processes msg #1's body
-  // as if it were msg #2's reply.
-  const sendTokenRef = useRef(0);
+  const dragDepthRef = useRef(0);
+  const pasteCounterRef = useRef(0);

-  // Release every in-flight send guard at once. Used by every site
-  // that ends a send: pendingAgentMsgs WS push, ACTIVITY_LOGGED
-  // a2a_receive ok/error WS event, HTTP .then() success, and HTTP
-  // .catch() success. Keep these in lockstep — a future contributor
-  // adding a new "I saw the reply" path that only clears `sending` +
-  // `sendingFromAPIRef` (the natural pair) silently re-introduces
-  // the post-WS Send-button freeze, because the disabled-button
-  // logic can't see `sendInFlightRef` and so the visible state diverges
-  // from the synchronous re-entry guard at line 464.
-  const releaseSendGuards = useCallback(() => {
-    setSending(false);
-    sendingFromAPIRef.current = false;
-    sendInFlightRef.current = false;
-  }, []);
+  const history = useChatHistory(workspaceId, containerRef);
+  const chatSend = useChatSend(workspaceId, {
+    getHistoryMessages: () => history.messages,
+    onUserMessage: (msg) => history.setMessages((prev) => [...prev, msg]),
+    onAgentMessage: (msg) => history.setMessages((prev) => appendMessageDeduped(prev, msg)),
+  });
+  const { sending, uploading, sendMessage, error: sendError, clearError: clearSendError, releaseSendGuards, sendingFromAPIRef } = chatSend;

-  // Initial-load fetch — used by the mount effect and the "Retry"
-  // button below. Single source of truth so the two paths can't drift
-  // (e.g. INITIAL_HISTORY_LIMIT bumped in the effect but not the
-  // retry, leading to inconsistent first-paint sizes).
-  const loadInitial = useCallback(() => {
-    setLoading(true);
-    setLoadError(null);
-    setHasMore(true);
-    // Bump the token; any in-flight fetch from the previous workspace
-    // (or a previous retry) will see token != myToken in its .then()
-    // and silently bail — the late response can't clobber the new
-    // workspace's state.
-    fetchTokenRef.current += 1;
-    const myToken = fetchTokenRef.current;
-    loadMessagesFromDB(workspaceId, INITIAL_HISTORY_LIMIT).then(
-      ({ messages: msgs, error: fetchErr, reachedEnd }) => {
-        if (fetchTokenRef.current !== myToken) return;
-        setMessages(msgs);
-        setLoadError(fetchErr);
-        setHasMore(!reachedEnd);
-        setLoading(false);
-      },
-    );
-  }, [workspaceId]);
+  const displayError = error || sendError;

-  // Load chat history on mount / workspace switch.
-  // Initial load is bounded to INITIAL_HISTORY_LIMIT (newest 10) — the
-  // rest streams in as the user scrolls up via loadOlder() below. Pre-
-  // 2026-05-05 this fetched the newest 50 in one shot; on a long-running
-  // workspace that meant 50× message-bubble paint + DOM cost on every
-  // tab-open even when the user only wanted to read the last few.
-  useEffect(() => {
-    loadInitial();
-  }, [loadInitial]);
-
-  // Mirror the latest oldest-message + hasMore into refs so loadOlder
-  // can read them without taking `messages` as a dep. Every live push
-  // through agentMessages would otherwise recreate loadOlder and tear
-  // down the IO observer.
-  useEffect(() => {
-    oldestMessageRef.current = messages[0] ?? null;
-  }, [messages]);
-  useEffect(() => {
-    hasMoreRef.current = hasMore;
-  }, [hasMore]);
-
-  // Fetch the next-older batch and prepend. Stable identity (deps =
-  // [workspaceId]) so the IntersectionObserver effect below doesn't
-  // re-arm on every messages update.
-  const loadOlder = useCallback(async () => {
-    // inflightRef is the load-bearing guard — synchronous, set BEFORE
-    // any await, so two IO callbacks dispatched in the same microtask
-    // can't both pass. The state checks are defensive secondary
-    // gates for the slow-scroll case.
-    if (inflightRef.current || !hasMoreRef.current) return;
-    const oldest = oldestMessageRef.current;
-    if (!oldest) return;
-    const container = containerRef.current;
-    if (!container) return;
-    inflightRef.current = true;
-    // Capture the user's distance-from-bottom BEFORE we prepend so the
-    // useLayoutEffect can restore it after the new DOM lands. The
-    // expectFirstIdNotEqual tag is what the layout effect checks
-    // against `messages[0].id` to disambiguate prepend (id changed) vs
-    // append (id unchanged → live message landed mid-fetch). Without
-    // it, an agent push during loadOlder runs the "restore" against a
-    // stale anchor — user gets yanked + the append's bottom-pin is
-    // swallowed.
-    scrollAnchorRef.current = {
-      savedDistanceFromBottom: container.scrollHeight - container.scrollTop,
-      expectFirstIdNotEqual: oldest.id,
-    };
-    fetchTokenRef.current += 1;
-    const myToken = fetchTokenRef.current;
-    setLoadingOlder(true);
-    try {
-      const { messages: older, reachedEnd } = await loadMessagesFromDB(
-        workspaceId,
-        OLDER_HISTORY_BATCH,
-        oldest.timestamp,
-      );
-      // Workspace switched (or another loadOlder bumped the token)
-      // mid-fetch — drop these results, they belong to a stale tab.
-      if (fetchTokenRef.current !== myToken) {
-        scrollAnchorRef.current = null;
-        return;
+  useChatSocket(workspaceId, {
+    onAgentMessage: (msg) => {
+      history.setMessages((prev) => appendMessageDeduped(prev, msg));
+      if (sendingFromAPIRef.current) {
+        releaseSendGuards();
      }
-      if (older.length > 0) {
-        setMessages((prev) => [...older, ...prev]);
-      } else {
-        // Nothing came back — clear the anchor so the next paint doesn't
-        // try to "restore" against a no-op prepend.
-        scrollAnchorRef.current = null;
+    },
+    onActivityLog: (entry) => {
+      if (!sending) return;
+      setActivityLog((prev) => appendActivityLine(prev, entry));
+    },
+    onSendComplete: () => {
+      if (sendingFromAPIRef.current) {
+        releaseSendGuards();
      }
-      setHasMore(!reachedEnd);
-    } finally {
-      setLoadingOlder(false);
-      inflightRef.current = false;
-    }
-  }, [workspaceId]);
-
-  // IntersectionObserver on the top sentinel. Fires loadOlder() the
-  // moment the user scrolls within 200px of the top. AbortController
-  // unwires cleanly on workspace switch / unmount; root is the
-  // scrollable container so we observe only what's visible inside it.
-  //
-  // Dependencies:
-  //  - loadOlder    — stable per workspaceId (refs decouple it from
-  //                   message updates), so this dep is here for the
-  //                   workspace-switch case only
-  //  - hasMore      — re-run when older history runs out so we
-  //                   disconnect cleanly
-  //  - hasMessages  — load-bearing: the sentinel JSX is gated on
-  //                   `messages.length > 0`, so topRef.current is null
-  //                   on the empty-messages render. We re-arm exactly
-  //                   once when messages first land. NOT depending on
-  //                   `messages.length` (or `messages`) directly so
-  //                   each subsequent message append doesn't tear down
-  //                   + re-arm the observer.
-  const hasMessages = messages.length > 0;
-  useEffect(() => {
-    const top = topRef.current;
-    const container = containerRef.current;
-    if (!top || !container) return;
-    if (!hasMore) return; // stop observing when no older history exists
-    const ac = new AbortController();
-    const io = new IntersectionObserver(
-      (entries) => {
-        if (ac.signal.aborted) return;
-        if (entries[0]?.isIntersecting) loadOlder();
-      },
-      { root: container, rootMargin: "200px 0px 0px 0px", threshold: 0 },
-    );
-    io.observe(top);
-    ac.signal.addEventListener("abort", () => io.disconnect());
-    return () => ac.abort();
-  }, [loadOlder, hasMore, hasMessages]);
+    },
+    onSendError: (err) => {
+      if (sendingFromAPIRef.current) {
+        releaseSendGuards();
+        setError(err);
+      }
+    },
+  });

  // Agent reachability
  useEffect(() => {
    const reachable = data.status === "online" || data.status === "degraded";
    setAgentReachable(reachable);
-    setError(reachable ? null : `Agent is ${data.status}`);
-  }, [data.status]);
-
-  useEffect(() => {
-    currentTaskRef.current = data.currentTask;
-  }, [data.currentTask]);
+    if (reachable) {
+      setError(null);
+      clearSendError();
+    } else {
+      setError(`Agent is ${data.status}`);
+    }
+  }, [data.status, clearSendError]);

  // Scroll behavior across messages updates:
  //  - Prepend (loadOlder landed)  → restore the user's saved
@@ -518,71 +179,24 @@ function MyChatPanel({ workspaceId, data }: Props) {
  // paint — otherwise the user sees the page jump for one frame.
  useLayoutEffect(() => {
    const container = containerRef.current;
-    const anchor = scrollAnchorRef.current;
-    // Only honor the anchor when this messages-update is the prepend
-    // we expected. messages[0].id is the test:
-    //   - prepend  → messages[0] is one of the older rows → id !== expectFirstIdNotEqual
-    //   - append   → messages[0] unchanged → id === expectFirstIdNotEqual → fall through
-    // Without this check, an agent push that lands mid-loadOlder would
-    // run the restore against the append's update, yank the user's
-    // scroll, AND swallow the append's bottom-pin.
+    const anchor = history.scrollAnchorRef.current;
    if (
      anchor &&
      container &&
-      messages.length > 0 &&
-      messages[0].id !== anchor.expectFirstIdNotEqual
+      history.messages.length > 0 &&
+      history.messages[0].id !== anchor.expectFirstIdNotEqual
    ) {
      container.scrollTop = container.scrollHeight - anchor.savedDistanceFromBottom;
-      scrollAnchorRef.current = null;
+      history.scrollAnchorRef.current = null;
      return;
    }
-    // Instant on first arrival of messages — smooth-scroll on a long
-    // conversation gets interrupted by concurrent renders and leaves
-    // the user stuck in the middle. After the first jump, subsequent
-    // appends animate as before.
-    if (!hasInitialScrollRef.current && messages.length > 0) {
+    if (!hasInitialScrollRef.current && history.messages.length > 0) {
      hasInitialScrollRef.current = true;
      bottomRef.current?.scrollIntoView({ behavior: "instant" as ScrollBehavior });
      return;
    }
    bottomRef.current?.scrollIntoView({ behavior: "smooth" });
-  }, [messages]);
-
-  // Consume agent push messages (send_message_to_user) from global store.
-  // Runtimes like Claude Code SDK deliver their reply via a WS push rather
-  // than the /a2a HTTP response — when that happens, the push is the
-  // authoritative "reply arrived" signal for the UI, so clear `sending`
-  // here too. The HTTP .then() coordinates through sendingFromAPIRef so
-  // whichever path clears first wins.
-  const pendingAgentMsgs = useCanvasStore((s) => s.agentMessages[workspaceId]);
-  useEffect(() => {
-    if (!pendingAgentMsgs || pendingAgentMsgs.length === 0) return;
-    const consume = useCanvasStore.getState().consumeAgentMessages;
-    const msgs = consume(workspaceId);
-    for (const m of msgs) {
-      // Dedupe in case the agent proactively pushed the same text the
-      // HTTP /a2a response already delivered (observed with the Hermes
-      // runtime, which emits both a reply body and a send_message_to_user
-      // push for the same content). Attachments ride along with the
-      // message so files returned by the A2A_RESPONSE WS path render
-      // their download chips.
-      setMessages((prev) => appendMessageDeduped(prev, createMessage("agent", m.content, m.attachments)));
-    }
-    if (sendingFromAPIRef.current && msgs.length > 0) {
-      // Reply arrived via WS push (e.g. claude-code SDK). Release all
-      // three guards together — without sendInFlightRef the next
-      // sendMessage() silently no-ops at the synchronous re-entry
-      // check.
-      releaseSendGuards();
-    }
-  }, [pendingAgentMsgs, workspaceId]);
-
-  // Resolve workspace ID → name for activity display
-  const resolveWorkspaceName = useCallback((id: string) => {
-    const nodes = useCanvasStore.getState().nodes;
-    const node = nodes.find((n) => n.id === id);
-    return (node?.data as WorkspaceNodeData)?.name || id.slice(0, 8);
-  }, []);
+  }, [history.messages, history.scrollAnchorRef]);

  // Elapsed timer while sending
  useEffect(() => {
@@ -609,211 +223,43 @@ function MyChatPanel({ workspaceId, data }: Props) {
    setActivityLog([`Processing with ${runtimeDisplayName(data.runtime)}...`]);
  }, [sending, data.runtime]);

-  // Subscribe to global WS via the singleton ReconnectingSocket (no
-  // per-component WebSocket — the previous pattern dropped events
-  // silently on any reconnect because each panel's raw socket had no
-  // onclose handler).
-  useSocketEvent((msg) => {
-    if (!sending) return;
-    try {
-        if (msg.event === "ACTIVITY_LOGGED") {
-          // Filter to events for THIS workspace. The platform's
-          // BroadcastOnly fires to every connected client, and
-          // without this guard a sibling workspace's a2a_send would
-          // surface as "→ Delegating to X..." inside the wrong
-          // chat panel. (workspace_id on the WS envelope is the
-          // workspace whose activity_log row we just wrote.)
-          if (msg.workspace_id !== workspaceId) return;
+  // IntersectionObserver on the top sentinel. Fires loadOlder() the
+  // moment the user scrolls within 200px of the top. AbortController
+  // unwires cleanly on workspace switch / unmount; root is the
+  // scrollable container so we observe only what's visible inside it.
+  const hasMessages = history.messages.length > 0;
+  useEffect(() => {
+    const top = topRef.current;
+    const container = containerRef.current;
+    if (!top || !container) return;
+    if (!history.hasMore) return;
+    const ac = new AbortController();
+    const io = new IntersectionObserver(
+      (entries) => {
+        if (ac.signal.aborted) return;
+        if (entries[0]?.isIntersecting) history.loadOlder();
+      },
+      { root: container, rootMargin: "200px 0px 0px 0px", threshold: 0 },
+    );
+    io.observe(top);
+    ac.signal.addEventListener("abort", () => io.disconnect());
+    return () => ac.abort();
+  }, [history.loadOlder, history.hasMore, hasMessages]);

-          const p = msg.payload || {};
-          const type = p.activity_type as string;
-          const method = (p.method as string) || "";
-          const status = (p.status as string) || "";
-          const targetId = (p.target_id as string) || "";
-          const durationMs = p.duration_ms as number | undefined;
-          const summary = (p.summary as string) || "";
-
-          let line = "";
-          if (type === "a2a_receive" && method === "message/send") {
-            const targetName = resolveWorkspaceName(targetId || msg.workspace_id);
-            if (status === "ok" && durationMs) {
-              const sec = Math.round(durationMs / 1000);
-              line = `← ${targetName} responded (${sec}s)`;
-              // The platform logs a successful a2a_receive once the workspace
-              // has fully produced its reply. That's the authoritative "done"
-              // signal for the spinner — clear it even if the reply hasn't
-              // surfaced through the store yet (it may be delivered shortly
-              // via pendingAgentMsgs or the HTTP .then()).
-              const own = (targetId || msg.workspace_id) === workspaceId;
-              if (own && sendingFromAPIRef.current) {
-                releaseSendGuards();
-              }
-            } else if (status === "error") {
-              line = `⚠ ${targetName} error`;
-              const own = (targetId || msg.workspace_id) === workspaceId;
-              if (own && sendingFromAPIRef.current) {
-                releaseSendGuards();
-                setError("Agent error (Exception) — see workspace logs for details.");
-              }
-            }
-          } else if (type === "a2a_send") {
-            const targetName = resolveWorkspaceName(targetId);
-            line = `→ Delegating to ${targetName}...`;
-          } else if (type === "task_update") {
-            if (summary) line = `⟳ ${summary}`;
-          } else if (type === "agent_log") {
-            // Per-tool-use telemetry from claude_sdk_executor's
-            // _report_tool_use. The summary already carries an icon
-            // + human-readable args (📄 Read /path, ⚡ Bash: …)
-            // so we render it verbatim. No icon prefix here — the
-            // emoji at the start of summary is the visual marker.
-            if (summary) line = summary;
-          }
-
-          if (line) {
-            setActivityLog((prev) => appendActivityLine(prev, line));
-          }
-        } else if (msg.event === "TASK_UPDATED" && msg.workspace_id === workspaceId) {
-          const task = (msg.payload?.current_task as string) || "";
-          if (task) {
-            setActivityLog((prev) => appendActivityLine(prev, `⟳ ${task}`));
-          }
-        }
-        // A2A_RESPONSE is already consumed by the store and its text is
-        // appended to messages via the pendingAgentMsgs effect above; we
-        // don't need to duplicate it here.
-    } catch { /* ignore */ }
-  });
-
-  const sendMessage = async () => {
+  const handleSend = async () => {
    const text = input.trim();
-    const filesToSend = pendingFiles;
-    // Allow sending if EITHER text OR attachments are present — a user
-    // can drop a file with no text and the agent still receives it.
-    if ((!text && filesToSend.length === 0) || !agentReachable || sending || uploading) return;
-    // Synchronous re-entry guard — see sendInFlightRef comment.
-    if (sendInFlightRef.current) return;
-    sendInFlightRef.current = true;
-
-    // Upload attachments first so we can include URIs in the A2A
-    // message parts. Sequential-before-send: a message with references
-    // to files not yet staged would fail agent-side; staging happens
-    // synchronously via /chat/uploads before message/send dispatch.
-    let uploaded: ChatAttachment[] = [];
-    if (filesToSend.length > 0) {
-      setUploading(true);
-      try {
-        uploaded = await uploadChatFiles(workspaceId, filesToSend);
-      } catch (e) {
-        setUploading(false);
-        sendInFlightRef.current = false;
-        setError(e instanceof Error ? `Upload failed: ${e.message}` : "Upload failed");
-        return;
-      }
-      setUploading(false);
-    }
-
+    const files = pendingFiles;
+    if ((!text && files.length === 0) || !agentReachable || sending || uploading) return;
    setInput("");
    setPendingFiles([]);
-    setMessages((prev) => [...prev, createMessage("user", text, uploaded)]);
-    setSending(true);
-    sendingFromAPIRef.current = true;
+    clearSendError();
    setError(null);
-    // Capture this send's token so the .then()/.catch() callbacks can
-    // detect a newer send that may have superseded them. See the
-    // sendTokenRef declaration for the race scenario this closes.
-    const myToken = ++sendTokenRef.current;
-
-    // Build conversation history from prior messages (last 20)
-    const history = messages
-      .filter((m) => m.role === "user" || m.role === "agent")
-      .slice(-20)
-      .map((m) => ({
-        role: m.role === "user" ? "user" : "agent",
-        parts: [{ kind: "text", text: m.content }],
-      }));
-
-    // A2A parts: text part (if any) + file parts (per attachment). The
-    // agent sees both in a single turn, matching the A2A spec shape.
-    // Wire shape is v0 — see A2APart definition above.
-    const parts: A2APart[] = [];
-    if (text) parts.push({ kind: "text", text });
-    for (const att of uploaded) {
-      parts.push({
-        kind: "file",
-        file: {
-          name: att.name,
-          mimeType: att.mimeType,
-          uri: att.uri,
-          size: att.size,
-        },
-      });
-    }
-
-    // A2A calls can legitimately take minutes — LLM latency +
-    // multi-turn tool use is common on slower providers (Hermes+minimax,
-    // Claude Code invoking bash/file tools, etc.). The 15s default
-    // would silently abort the fetch here, leaving the server to
-    // complete the reply and the user staring at
-    // "agent may be unreachable". Match the upload timeout (60s × 2)
-    // for the happy-path ceiling; anything longer is genuinely stuck.
-    api.post<A2AResponse>(`/workspaces/${workspaceId}/a2a`, {
-      method: "message/send",
-      params: {
-        message: {
-          role: "user",
-          messageId: crypto.randomUUID(),
-          parts,
-        },
-        metadata: { history },
-      },
-    }, { timeoutMs: 120_000 })
-      .then((resp) => {
-        // Bail without touching any flags if a newer sendMessage has
-        // already run — its myToken bumped sendTokenRef, so this is
-        // a stale callback for an earlier message. The newer send
-        // owns the in-flight guards now.
-        if (sendTokenRef.current !== myToken) return;
-        // Skip if the WS A2A_RESPONSE event already handled this response.
-        // Both paths (WS + HTTP) check sendingFromAPIRef — whichever clears
-        // it first wins, the other becomes a no-op (no duplicate messages).
-        if (!sendingFromAPIRef.current) {
-          sendInFlightRef.current = false;
-          return;
-        }
-        const replyText = extractReplyText(resp);
-        const replyFiles = extractFilesFromTask((resp?.result ?? {}) as Record<string, unknown>);
-        if (replyText || replyFiles.length > 0) {
-          setMessages((prev) =>
-            appendMessageDeduped(prev, createMessage("agent", replyText, replyFiles)),
-          );
-        }
-        releaseSendGuards();
-      })
-      .catch(() => {
-        // Stale-callback guard — same rationale as .then().
-        if (sendTokenRef.current !== myToken) return;
-        // Same dedup guard as .then(): if a WS path (pendingAgentMsgs
-        // or ACTIVITY_LOGGED a2a_receive ok) already delivered the
-        // reply, sendingFromAPIRef is already false and there's
-        // nothing to roll back. Surfacing "Failed to send" here would
-        // contradict the agent reply the user is currently reading —
-        // exactly the false-positive observed when the HTTP request
-        // hung up (proxy idle / 502) after WS already won.
-        if (!sendingFromAPIRef.current) {
-          sendInFlightRef.current = false;
-          return;
-        }
-        releaseSendGuards();
-        setError("Failed to send message — agent may be unreachable");
-      });
+    await sendMessage(text, files);
  };

  const onFilesPicked = (fileList: FileList | null) => {
    if (!fileList) return;
    const picked = Array.from(fileList);
-    // Deduplicate against current pending set by name+size — user
-    // picking the same file twice shouldn't append it.
    setPendingFiles((prev) => {
      const keyed = new Set(prev.map((f) => `${f.name}:${f.size}`));
      return [...prev, ...picked.filter((f) => !keyed.has(`${f.name}:${f.size}`))];
@@ -824,35 +270,7 @@ function MyChatPanel({ workspaceId, data }: Props) {
  const removePendingFile = (index: number) =>
    setPendingFiles((prev) => prev.filter((_, i) => i !== index));

-  // Monotonic counter so two paste events within the same wall-clock
-  // second still produce distinct filenames. Without this, on
-  // Firefox (where pasted images have an empty `file.name`), two
-  // pastes ~100ms apart could yield identical synthetic names AND
-  // identical sizes, collapsing into one attachment via the
-  // `name:size` dedup in onFilesPicked.
-  const pasteCounterRef = useRef(0);
-
-  /** Paste-from-clipboard image attachment.
-   *
-   *  Browser clipboard image items arrive as `File`s whose `name` is
-   *  often a generic "image.png" (Chrome) or empty (Firefox/Safari),
-   *  so two consecutive screenshot pastes collide on the name+size
-   *  dedup the file-picker uses. Re-tag each pasted image with a
-   *  per-paste unique name so dedup keeps them apart and the upload
-   *  pipeline (which expects a non-empty filename) is happy.
-   *
-   *  Falls through to onFilesPicked via direct File[] (NOT through
-   *  the DataTransfer constructor — that throws on Safari < 14.1
-   *  and old Edge, silently aborting the paste).
-   *
-   *  Only intercepts the paste when the clipboard has at least one
-   *  image; text-only pastes fall through to the textarea's default
-   *  behaviour. */
  const mimeToExt = (mime: string): string => {
-    // Avoid raw `mime.split("/")[1]` — that yields `"svg+xml"`,
-    // `"jpeg"`, `"webp"` etc. which produce ugly filenames and may
-    // trip server-side extension allowlists. Map known types
-    // explicitly; unknown falls back to a safe default.
    if (mime === "image/svg+xml") return "svg";
    if (mime === "image/jpeg") return "jpg";
    if (mime === "image/png") return "png";
@@ -873,26 +291,16 @@ function MyChatPanel({ workspaceId, data }: Props) {
      const file = item.getAsFile();
      if (!file) continue;
      const ext = mimeToExt(file.type);
-      const stamp = new Date()
-        .toISOString()
-        .replace(/[:.]/g, "-")
-        .slice(0, 19);
+      const stamp = new Date().toISOString().replace(/[:.]/g, "-").slice(0, 19);
      const seq = pasteCounterRef.current++;
      const fname = `pasted-${stamp}-${seq}-${i}.${ext}`;
      imageFiles.push(new File([file], fname, { type: file.type }));
    }
    if (imageFiles.length === 0) return;
    e.preventDefault();
-    // Reuse the picker path so file-size guards, dedup, and pending-
-    // list state all run through the same code. Build a synthetic
-    // FileList-like object to avoid the DataTransfer constructor —
-    // that's missing on Safari < 14.1 / old Edge and would silently
-    // throw, leaving the paste a no-op.
    addPastedFiles(imageFiles);
  };

-  // Variant of onFilesPicked that accepts a File[] directly, sidestepping
-  // the DataTransfer-FileList round-trip. Same dedup + state shape.
  const addPastedFiles = (files: File[]) => {
    setPendingFiles((prev) => {
      const keyed = new Set(prev.map((f) => `${f.name}:${f.size}`));
@@ -900,11 +308,6 @@ function MyChatPanel({ workspaceId, data }: Props) {
    });
  };

-  // Drag-and-drop staging. dragDepthRef counts enter vs leave events so
-  // the overlay doesn't flicker when the cursor crosses nested children
-  // (textarea, buttons) — dragenter/dragleave fire for every boundary.
-  const [dragOver, setDragOver] = useState(false);
-  const dragDepthRef = useRef(0);
  const dropEnabled = agentReachable && !sending && !uploading;
  const isFileDrag = (e: React.DragEvent) =>
    Array.from(e.dataTransfer.types || []).includes("Files");
@@ -934,9 +337,6 @@ function MyChatPanel({ workspaceId, data }: Props) {
  };

  const downloadAttachment = (att: ChatAttachment) => {
-    // Errors here are rare but user-visible (401 on a revoked token,
-    // 404 if the agent deleted the file). Surface via the inline
-    // error banner — the message list itself stays untouched.
    downloadChatFile(workspaceId, att).catch((e) => {
      setError(e instanceof Error ? `Download failed: ${e.message}` : "Download failed");
    });
@@ -964,26 +364,26 @@ function MyChatPanel({ workspaceId, data }: Props) {
      )}
      {/* Messages */}
      <div ref={containerRef} className="flex-1 overflow-y-auto p-3 space-y-3">
-        {loading && (
+        {history.loading && (
          <div className="text-xs text-ink-mid text-center py-4">Loading chat history...</div>
        )}
-        {!loading && loadError !== null && messages.length === 0 && (
+        {!history.loading && history.loadError !== null && history.messages.length === 0 && (
          <div
            role="alert"
            className="mx-2 mt-2 rounded-lg border border-red-800/50 bg-red-950/30 px-3 py-2.5"
          >
            <p className="text-[11px] text-bad mb-1.5">
-              Failed to load chat history: {loadError}
+              Failed to load chat history: {history.loadError}
            </p>
            <button
-              onClick={loadInitial}
-              className="text-[10px] px-2 py-0.5 rounded bg-red-800/40 text-bad hover:bg-red-700/50 transition-colors"
+              onClick={history.loadInitial}
+              className="text-[10px] px-2 py-0.5 rounded bg-red-800 text-red-200 hover:bg-red-700 transition-colors"
            >
              Retry
            </button>
          </div>
        )}
-        {!loading && loadError === null && messages.length === 0 && (
+        {!history.loading && history.loadError === null && history.messages.length === 0 && (
          <div className="text-xs text-ink-mid text-center py-8">
            No messages yet. Send a message to start chatting with this agent.
          </div>
@@ -1001,21 +401,20 @@ function MyChatPanel({ workspaceId, data }: Props) {
            instead of showing a "no more messages" footer — the user's
            scroll resting against the top of the conversation IS the
            signal. */}
-        {hasMore && messages.length > 0 && (
+        {history.hasMore && history.messages.length > 0 && (
          <div ref={topRef} className="text-xs text-ink-mid text-center py-1">
-            {loadingOlder ? "Loading older messages…" : " "}
+            {history.loadingOlder ? "Loading older messages…" : " "}
          </div>
        )}
-        {messages.map((msg) => (
+        {history.messages.map((msg) => (
          <div key={msg.id} className={`flex ${msg.role === "user" ? "justify-end" : "justify-start"}`}>
            <div
              className={`max-w-[85%] rounded-lg px-3 py-2 text-xs ${
                msg.role === "user"
-                  // Solid blue-600 in both modes — `bg-accent` themes
-                  // lighter in dark, dropping white-text contrast to
-                  // ~3:1 (fails AA). blue-600 keeps ~5:1 against white
-                  // on both warm-paper and dark-slate panels.
-                  ? "bg-blue-600 text-white border border-blue-700 dark:bg-blue-500 dark:border-blue-400 shadow-sm"
+                  // Blue-600 on white = 3.0:1 (WCAG AA FAIL) in light mode.
+                  // Blue-700 on white = 4.5:1 (PASS). In dark mode, blue-600
+                  // on zinc-800 = 4.9:1 (PASS). So: blue-700 light, blue-600 dark.
+                  ? "bg-blue-700 text-white border border-blue-800 dark:bg-blue-600 dark:border-blue-700 shadow-sm"
                  : msg.role === "system"
                    // Bump the system bubble's opacity in dark — /10
                    // overlay was nearly invisible against the dark
@@ -1130,7 +529,7 @@ function MyChatPanel({ workspaceId, data }: Props) {
                  ))}
                </div>
              )}
-              <div className={`text-[9px] mt-1 ${msg.role === "user" ? "text-white/70" : "text-ink-mid"}`}>
+              <div className={`text-[9px] mt-1 ${msg.role === "user" ? "text-white/80" : "text-ink-mid"}`}>
                {new Date(msg.timestamp).toLocaleTimeString()}
              </div>
            </div>
@@ -1167,14 +566,14 @@ function MyChatPanel({ workspaceId, data }: Props) {
      </div>

      {/* Error banner */}
-      {error && (
+      {displayError && (
        <div className="px-3 py-2 bg-red-900/20 border-t border-red-800/30">
          <div className="flex items-center justify-between">
-            <span className="text-[10px] text-bad">{error}</span>
+            <span className="text-[10px] text-red-300">{displayError}</span>
            {!isOnline && (
              <button
                onClick={() => setConfirmRestart(true)}
-                className="text-[11px] px-2 py-0.5 bg-red-800/40 text-bad rounded hover:bg-red-700/50"
+                className="text-[11px] px-2 py-0.5 bg-red-800 text-red-200 rounded hover:bg-red-700"
              >
                Restart
              </button>
@@ -1238,7 +637,7 @@ function MyChatPanel({ workspaceId, data }: Props) {
                e.keyCode !== 229
              ) {
                e.preventDefault();
-                sendMessage();
+                handleSend();
              }
            }}
            onPaste={onPasteIntoComposer}
@@ -1248,7 +647,7 @@ function MyChatPanel({ workspaceId, data }: Props) {
            className="flex-1 bg-surface-card border border-line rounded-lg px-3 py-2 text-xs text-ink placeholder-ink-soft dark:bg-zinc-800 dark:border-zinc-600 dark:placeholder-zinc-500 focus:outline-none focus:border-accent focus-visible:ring-2 focus-visible:ring-accent/40 resize-none disabled:opacity-50"
          />
          <button
-            onClick={sendMessage}
+            onClick={handleSend}
            disabled={(!input.trim() && pendingFiles.length === 0) || !agentReachable || sending || uploading}
            className="px-4 py-2 bg-accent-strong hover:bg-accent text-xs font-medium rounded-lg text-white disabled:opacity-30 transition-colors shrink-0"
          >
@@ -325,10 +325,10 @@ export function DetailsTab({ workspaceId, data }: Props) {
              <button
                type="button"
                onClick={handleDelete}
-                // hover:bg-red-500 LIGHTER on white text drops AA;
-                // flipped to bg-red-700 + focus-visible danger ring,
-                // matching the ConfirmDialog/DeleteCascade pattern.
-                className="px-3 py-1 bg-red-600 hover:bg-red-700 text-xs rounded text-white transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-red-500/60 focus-visible:ring-offset-1 focus-visible:ring-offset-surface"
+                // Red-600 on white text = 3.9:1 (WCAG AA FAIL).
+                // Red-700 = 4.6:1 (PASS). Hover goes DARKER (red-600)
+                // to signal press. Same pattern as ConfirmDialog/DeleteCascade.
+                className="px-3 py-1 bg-red-700 hover:bg-red-600 text-xs rounded text-white transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-red-500/60 focus-visible:ring-offset-1 focus-visible:ring-offset-surface"
              >
                Confirm Delete
              </button>
@@ -131,7 +131,7 @@ export function ExternalConnectionSection({ workspaceId }: Props) {
              <button
                type="button"
                onClick={doRotate}
-                className="px-3 py-1.5 bg-red-700 hover:bg-red-600 text-xs rounded text-white focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-red-500 focus-visible:ring-offset-1"
+                className="px-3 py-1.5 bg-red-800 hover:bg-red-700 text-xs rounded text-white focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-red-500 focus-visible:ring-offset-1"
              >
                Rotate
              </button>
@@ -226,7 +226,7 @@ function PlatformOwnedFilesTab({ workspaceId }: { workspaceId: string }) {
        <div role="alertdialog" aria-labelledby="files-delete-all-msg" className="mx-3 mt-2 px-3 py-2 bg-red-950/30 border border-red-800/40 rounded space-y-1.5">
          <p id="files-delete-all-msg" className="text-xs text-bad">Delete all {files.filter((f) => !f.dir).length} files? This cannot be undone.</p>
          <div className="flex gap-2">
-            <button type="button" onClick={() => { handleDeleteAll(); setShowDeleteAll(false); }} className="px-2 py-0.5 bg-red-600 hover:bg-red-700 text-[10px] rounded text-white transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-red-500/60 focus-visible:ring-offset-1 focus-visible:ring-offset-surface">Delete All</button>
+            <button type="button" onClick={() => { handleDeleteAll(); setShowDeleteAll(false); }} className="px-2 py-0.5 bg-red-700 hover:bg-red-600 text-[10px] rounded text-white transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-red-500/60 focus-visible:ring-offset-1 focus-visible:ring-offset-surface">Delete All</button>
            <button type="button" onClick={() => setShowDeleteAll(false)} className="px-2 py-0.5 bg-surface-card hover:bg-surface-elevated hover:text-ink text-[10px] rounded text-ink-mid transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-accent/40 focus-visible:ring-offset-1 focus-visible:ring-offset-surface">Cancel</button>
          </div>
        </div>
@@ -240,7 +240,7 @@ function PlatformOwnedFilesTab({ workspaceId }: { workspaceId: string }) {
        <div role="alertdialog" aria-labelledby="files-delete-one-msg" className="mx-3 mt-2 px-3 py-2 bg-amber-950/30 border border-amber-800/40 rounded space-y-1.5">
          <p id="files-delete-one-msg" className="text-xs text-warm">Delete <span className="font-mono">{confirmDelete}</span>{files.find((f) => f.path === confirmDelete && f.dir) ? " and all its contents" : ""}?</p>
          <div className="flex gap-2">
-            <button type="button" onClick={confirmDeleteFile} className="px-2 py-0.5 bg-red-600 hover:bg-red-700 text-[10px] rounded text-white transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-red-500/60 focus-visible:ring-offset-1 focus-visible:ring-offset-surface">Delete</button>
+            <button type="button" onClick={confirmDeleteFile} className="px-2 py-0.5 bg-red-700 hover:bg-red-600 text-[10px] rounded text-white transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-red-500/60 focus-visible:ring-offset-1 focus-visible:ring-offset-surface">Delete</button>
            <button type="button" onClick={() => setConfirmDelete(null)} className="px-2 py-0.5 bg-surface-card hover:bg-surface-elevated hover:text-ink text-[10px] rounded text-ink-mid transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-accent/40 focus-visible:ring-offset-1 focus-visible:ring-offset-surface">Cancel</button>
          </div>
        </div>
@@ -32,7 +32,7 @@ export function FilesToolbar({
          value={root}
          onChange={(e) => setRoot(e.target.value)}
          aria-label="File root directory"
-          className="text-[10px] bg-surface-card text-ink-mid border border-line rounded px-1.5 py-0.5 outline-none"
+          className="text-[10px] bg-surface-card text-ink-mid border border-line rounded px-1.5 py-0.5 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
        >
          <option value="/configs">/configs</option>
          <option value="/home">/home</option>
@@ -1,217 +1,181 @@
 // @vitest-environment jsdom
 /**
- * FilesTab: NotAvailablePanel + FilesToolbar coverage.
+ * Tests for the main FilesTab / PlatformOwnedFilesTab component.
 *
- * NotAvailablePanel: pure presentational component — renders a "feature not
- * available" placeholder for external-runtime workspaces.
- * FilesToolbar: pure props-driven component — directory selector, file count,
- * action buttons (New, Upload, Export, Clear, Refresh) with correct aria-labels.
+ * Covers: NotAvailablePanel (external runtime), loading/empty/error states,
+ * FilesToolbar actions, and the /configs-only upload guard.
 *
- * No @testing-library/jest-dom import — use textContent / className /
- * getAttribute checks to avoid "expect is not defined" errors.
+ * No @testing-library/jest-dom — use textContent / className / getAttribute.
 */
 import { afterEach, describe, expect, it, vi } from "vitest";
-import { cleanup, render, screen } from "@testing-library/react";
+import { cleanup, fireEvent, render, screen, waitFor } from "@testing-library/react";
 import React from "react";

-import { FilesToolbar } from "../FilesToolbar";
-import { NotAvailablePanel } from "../NotAvailablePanel";
+import { FilesTab } from "../../FilesTab.tsx";
+import { FilesToolbar } from "../FilesToolbar.tsx";
+import type { FileEntry } from "../../FilesTab/tree";

-// ─── afterEach ─────────────────────────────────────────────────────────────────
+// ─── Mock ──────────────────────────────────────────────────────────────────
+
+const _mockGet = vi.hoisted(() => vi.fn<() => Promise<unknown>>());
+vi.mock("@/lib/api", () => ({
+  api: { get: _mockGet, put: vi.fn(), del: vi.fn() },
+}));

 afterEach(() => {
  cleanup();
-  vi.restoreAllMocks();
+  _mockGet.mockReset();
 });

-// ─── NotAvailablePanel ─────────────────────────────────────────────────────────
+// ─── Helpers ───────────────────────────────────────────────────────────────

-describe("NotAvailablePanel", () => {
-  it("renders heading 'Files not available'", () => {
-    const { container } = render(<NotAvailablePanel runtime="external" />);
-    expect(container.textContent).toContain("Files not available");
-  });
+const emptyFileList: FileEntry[] = [];

-  it("renders the runtime name in monospace", () => {
-    const { container } = render(<NotAvailablePanel runtime="external" />);
-    expect(container.textContent).toContain("external");
-    const spans = container.querySelectorAll("span");
-    const monoSpans = Array.from(spans).filter(
-      (s) => s.className && s.className.includes("font-mono"),
-    );
-    expect(monoSpans.length).toBeGreaterThan(0);
-  });
+/** Render FilesTab with a non-external runtime (triggers PlatformOwnedFilesTab). */
+function renderPlatformTab(extraProps: Partial<React.ComponentProps<typeof FilesTab>> = {}) {
+  return render(
+    <FilesTab
+      workspaceId="ws-1"
+      data={{ id: "ws-1", name: "Test", runtime: "claude-code", status: "online", tier: 0, skills: [], created_at: "" }}
+      {...extraProps}
+    />,
+  );
+}

-  it("renders a Chat tab hint in description", () => {
-    const { container } = render(<NotAvailablePanel runtime="remote-agent" />);
-    expect(container.textContent).toContain("Chat tab");
-  });
+/** Render FilesToolbar directly with stub handlers. */
+function renderToolbar(extraProps: Partial<React.ComponentProps<typeof FilesToolbar>> = {}) {
+  return render(
+    <FilesToolbar
+      root="/configs"
+      setRoot={vi.fn()}
+      fileCount={0}
+      onNewFile={vi.fn()}
+      onUpload={vi.fn()}
+      onDownloadAll={vi.fn()}
+      onClearAll={vi.fn()}
+      onRefresh={vi.fn()}
+      {...extraProps}
+    />
+  );
+}

-  it("SVG icon has aria-hidden=true", () => {
-    const { container } = render(<NotAvailablePanel runtime="external" />);
-    const svg = container.querySelector("svg");
-    expect(svg?.getAttribute("aria-hidden")).toBe("true");
-  });
+// ─── NotAvailablePanel ──────────────────────────────────────────────────────

-  it("renders without crashing for any runtime string", () => {
-    const { container } = render(<NotAvailablePanel runtime="unknown-runtime" />);
-    expect(container.textContent).toContain("unknown-runtime");
-  });
-
-  it("applies the correct layout classes to root div", () => {
-    const { container } = render(<NotAvailablePanel runtime="external" />);
-    const root = container.firstElementChild as HTMLElement;
-    expect(root.className).toContain("flex");
-    expect(root.className).toContain("flex-col");
-    expect(root.className).toContain("items-center");
-  });
-});
-
-// ─── FilesToolbar ───────────────────────────────────────────────────────────────
-
-describe("FilesToolbar", () => {
-  const noop = vi.fn();
-
-  function renderToolbar(props: Partial<React.ComponentProps<typeof FilesToolbar>> = {}) {
-    return render(
-      <FilesToolbar
-        root="/configs"
-        setRoot={noop}
-        fileCount={0}
-        onNewFile={noop}
-        onUpload={noop}
-        onDownloadAll={noop}
-        onClearAll={noop}
-        onRefresh={noop}
-        {...props}
+describe("FilesTab — NotAvailablePanel", () => {
+  it("renders NotAvailablePanel when runtime is external", async () => {
+    _mockGet.mockResolvedValueOnce(emptyFileList);
+    render(
+      <FilesTab
+        workspaceId="ws-1"
+        data={{ id: "ws-1", name: "Test", runtime: "external", status: "online", tier: 0, skills: [], created_at: "" }}
      />,
    );
-  }
-
-  it("renders the directory selector with correct aria-label", () => {
-    const { container } = renderToolbar();
-    const select = container.querySelector("select");
-    expect(select?.getAttribute("aria-label")).toBe("File root directory");
+    expect(screen.getByText(/Files not available/i)).toBeTruthy();
  });

-  it("directory selector has all four options", () => {
-    const { container } = renderToolbar();
-    const select = container.querySelector("select") as HTMLSelectElement;
-    const options = Array.from(select?.options ?? []);
-    const values = options.map((o) => o.value);
-    expect(values).toContain("/configs");
-    expect(values).toContain("/home");
-    expect(values).toContain("/workspace");
-    expect(values).toContain("/plugins");
-  });
-
-  it("calls setRoot when directory changes", () => {
-    const setRoot = vi.fn();
-    const { container } = renderToolbar({ setRoot });
-    const select = container.querySelector("select") as HTMLSelectElement;
-    select.value = "/home";
-    select.dispatchEvent(new Event("change", { bubbles: true }));
-    expect(setRoot).toHaveBeenCalledWith("/home");
-  });
-
-  it("displays the file count", () => {
-    const { container } = renderToolbar({ fileCount: 42 });
-    expect(container.textContent).toContain("42 files");
-  });
-
-  it("shows New + Upload + Clear buttons for /configs", () => {
-    const { container } = renderToolbar({ root: "/configs" });
-    const texts = Array.from(container.querySelectorAll("button")).map(
-      (b) => b.textContent?.trim(),
+  it("renders the runtime name in NotAvailablePanel", async () => {
+    _mockGet.mockResolvedValueOnce(emptyFileList);
+    render(
+      <FilesTab
+        workspaceId="ws-1"
+        data={{ id: "ws-1", name: "Test", runtime: "external", status: "online", tier: 0, skills: [], created_at: "" }}
+      />,
    );
-    expect(texts).toContain("+ New");
-    expect(texts).toContain("Upload");
-    expect(texts).toContain("Clear");
-    expect(texts).toContain("Export");
-    expect(texts).toContain("↻");
+    expect(screen.getByText(/external/i)).toBeTruthy();
  });

-  it("hides New + Upload + Clear for /workspace", () => {
-    const { container } = renderToolbar({ root: "/workspace" });
-    const texts = Array.from(container.querySelectorAll("button")).map(
-      (b) => b.textContent?.trim(),
+  it("does NOT call api.get when runtime is external", async () => {
+    render(
+      <FilesTab
+        workspaceId="ws-1"
+        data={{ id: "ws-1", name: "Test", runtime: "external", status: "online", tier: 0, skills: [], created_at: "" }}
+      />,
    );
-    expect(texts).not.toContain("+ New");
-    expect(texts).not.toContain("Upload");
-    expect(texts).not.toContain("Clear");
-    expect(texts).toContain("Export");
+    expect(_mockGet).not.toHaveBeenCalled();
  });
+});

-  it("hides New + Upload + Clear for /home", () => {
-    const { container } = renderToolbar({ root: "/home" });
-    const texts = Array.from(container.querySelectorAll("button")).map(
-      (b) => b.textContent?.trim(),
+// ─── Loading / Empty / Error states ────────────────────────────────────────
+
+describe("FilesTab — states", () => {
+  it("shows loading text while fetching files", () => {
+    _mockGet.mockImplementation(
+      () => new Promise<unknown>(() => {}) as unknown as Promise<unknown>,
    );
-    expect(texts).not.toContain("+ New");
-    expect(texts).not.toContain("Upload");
-    expect(texts).not.toContain("Clear");
+    renderPlatformTab();
+    expect(screen.getByText("Loading files...")).toBeTruthy();
  });

-  it("hides New + Upload + Clear for /plugins", () => {
-    const { container } = renderToolbar({ root: "/plugins" });
-    const texts = Array.from(container.querySelectorAll("button")).map(
-      (b) => b.textContent?.trim(),
-    );
-    expect(texts).not.toContain("+ New");
-    expect(texts).not.toContain("Upload");
-    expect(texts).not.toContain("Clear");
+  it("shows 'No config files yet' when root is /configs and no files", async () => {
+    _mockGet.mockResolvedValueOnce(emptyFileList);
+    renderPlatformTab();
+    await waitFor(() => {
+      expect(screen.getByText(/No config files yet/i)).toBeTruthy();
+    });
  });

-  it("New button has correct aria-label", () => {
-    const { container } = renderToolbar({ root: "/configs" });
-    const newBtn = container.querySelector('button[aria-label="Create new file"]');
-    expect(newBtn?.textContent?.trim()).toBe("+ New");
+  it("fetches from the correct endpoint", async () => {
+    _mockGet.mockResolvedValueOnce(emptyFileList);
+    renderPlatformTab();
+    await waitFor(() => {
+      expect(_mockGet).toHaveBeenCalledWith(expect.stringContaining("/workspaces/ws-1/files"));
+    });
  });

-  it("Export button has correct aria-label", () => {
-    const { container } = renderToolbar();
-    const exportBtn = container.querySelector('button[aria-label="Download all files"]');
-    expect(exportBtn?.textContent?.trim()).toBe("Export");
+  it("shows file count from toolbar when files exist", async () => {
+    _mockGet.mockResolvedValue([
+      { path: "configs/a.yaml", size: 10, dir: false },
+      { path: "configs/b.yaml", size: 20, dir: false },
+    ]);
+    renderPlatformTab();
+    await waitFor(() => {
+      expect(screen.getByText("2 files")).toBeTruthy();
+    });
+  });
+});
+
+// ─── FilesToolbar ──────────────────────────────────────────────────────────
+
+describe("FilesTab — FilesToolbar", () => {
+  it("shows Refresh button", async () => {
+    _mockGet.mockResolvedValueOnce(emptyFileList);
+    renderPlatformTab();
+    await waitFor(() => {
+      expect(screen.getByLabelText("Refresh file list")).toBeTruthy();
+    });
  });

-  it("Clear button has correct aria-label", () => {
-    const { container } = renderToolbar({ root: "/configs" });
-    const clearBtn = container.querySelector('button[aria-label="Delete all files"]');
-    expect(clearBtn?.textContent?.trim()).toBe("Clear");
+  it("shows root directory selector", async () => {
+    _mockGet.mockResolvedValueOnce(emptyFileList);
+    renderPlatformTab();
+    await waitFor(() => {
+      expect(screen.getByRole("combobox")).toBeTruthy();
+    });
  });

-  it("Refresh button has correct aria-label", () => {
-    const { container } = renderToolbar();
-    const refreshBtn = container.querySelector('button[aria-label="Refresh file list"]');
-    expect(refreshBtn?.textContent?.trim()).toBe("↻");
+  it("Refresh button triggers a reload", async () => {
+    // Use persistent mock — loadFiles fires on mount AND on Refresh click.
+    _mockGet.mockResolvedValue(emptyFileList);
+    renderPlatformTab();
+    await waitFor(() => screen.getByLabelText("Refresh file list"));
+    const before = _mockGet.mock.calls.length;
+    fireEvent.click(screen.getByLabelText("Refresh file list"));
+    await waitFor(() => {
+      expect(_mockGet.mock.calls.length).toBeGreaterThan(before);
+    });
  });
+});

-  it("calls onNewFile when New button is clicked", () => {
-    const onNewFile = vi.fn();
-    const { container } = renderToolbar({ root: "/configs", onNewFile });
-    container.querySelector('button[aria-label="Create new file"]')!.click();
-    expect(onNewFile).toHaveBeenCalledTimes(1);
-  });
+// ─── Upload guard ──────────────────────────────────────────────────────────

-  it("calls onDownloadAll when Export button is clicked", () => {
-    const onDownloadAll = vi.fn();
-    const { container } = renderToolbar({ onDownloadAll });
-    container.querySelector('button[aria-label="Download all files"]')!.click();
-    expect(onDownloadAll).toHaveBeenCalledTimes(1);
-  });
+describe("FilesTab — upload guard", () => {
+  it("no error alert on dragover when root is /configs (default)", async () => {
+    _mockGet.mockResolvedValue(emptyFileList);
+    renderPlatformTab();
+    await waitFor(() => screen.getByText(/No config files yet/i));

-  it("calls onClearAll when Clear button is clicked", () => {
-    const onClearAll = vi.fn();
-    const { container } = renderToolbar({ root: "/configs", onClearAll });
-    container.querySelector('button[aria-label="Delete all files"]')!.click();
-    expect(onClearAll).toHaveBeenCalledTimes(1);
-  });
-
-  it("calls onRefresh when Refresh button is clicked", () => {
-    const onRefresh = vi.fn();
-    const { container } = renderToolbar({ onRefresh });
-    container.querySelector('button[aria-label="Refresh file list"]')!.click();
-    expect(onRefresh).toHaveBeenCalledTimes(1);
+    // No alert should be present
+    expect(screen.queryByRole("alert")).toBeNull();
  });

  it("applies focus-visible ring to all interactive buttons", () => {
@@ -0,0 +1,218 @@
+// @vitest-environment jsdom
+/**
+ * Tests for tree.ts — buildTree and getIcon pure functions.
+ */
+import { describe, expect, it } from "vitest";
+import type { FileEntry } from "../tree";
+import { buildTree, getIcon } from "../tree";
+
+// ─── getIcon ─────────────────────────────────────────────────────────────────
+
+describe("getIcon", () => {
+  it("returns folder emoji for directories", () => {
+    expect(getIcon("/configs", true)).toBe("📁");
+  });
+
+  it("returns correct emoji for .md", () => {
+    expect(getIcon("readme.md", false)).toBe("📄");
+  });
+
+  it("returns correct emoji for .yaml", () => {
+    expect(getIcon("config.yaml", false)).toBe("⚙");
+  });
+
+  it("returns correct emoji for .yml", () => {
+    expect(getIcon("config.yml", false)).toBe("⚙");
+  });
+
+  it("returns correct emoji for .py", () => {
+    expect(getIcon("script.py", false)).toBe("🐍");
+  });
+
+  it("returns correct emoji for .ts", () => {
+    expect(getIcon("index.ts", false)).toBe("💠");
+  });
+
+  it("returns correct emoji for .tsx", () => {
+    expect(getIcon("App.tsx", false)).toBe("💠");
+  });
+
+  it("returns correct emoji for .js", () => {
+    expect(getIcon("index.js", false)).toBe("📜");
+  });
+
+  it("returns correct emoji for .json", () => {
+    expect(getIcon("package.json", false)).toBe("{}");
+  });
+
+  it("returns correct emoji for .html", () => {
+    expect(getIcon("index.html", false)).toBe("🌐");
+  });
+
+  it("returns correct emoji for .css", () => {
+    expect(getIcon("style.css", false)).toBe("🎨");
+  });
+
+  it("returns correct emoji for .sh", () => {
+    expect(getIcon("deploy.sh", false)).toBe("▸");
+  });
+
+  it("returns default file emoji for unknown extensions", () => {
+    expect(getIcon("Makefile", false)).toBe("📄");
+    expect(getIcon("Dockerfile", false)).toBe("📄");
+    expect(getIcon("Rakefile", false)).toBe("📄");
+  });
+
+  it("extension matching is case-insensitive", () => {
+    expect(getIcon("readme.MD", false)).toBe("📄");
+    expect(getIcon("script.PY", false)).toBe("🐍");
+  });
+});
+
+// ─── buildTree ───────────────────────────────────────────────────────────────
+
+describe("buildTree", () => {
+  it("returns empty array for empty input", () => {
+    expect(buildTree([])).toEqual([]);
+  });
+
+  it("adds a single file at root", () => {
+    const files: FileEntry[] = [{ path: "config.yaml", size: 128, dir: false }];
+    const tree = buildTree(files);
+    expect(tree).toHaveLength(1);
+    expect(tree[0]).toMatchObject({
+      name: "config.yaml",
+      path: "config.yaml",
+      isDir: false,
+      children: [],
+      size: 128,
+    });
+  });
+
+  it("adds a single directory at root", () => {
+    const files: FileEntry[] = [{ path: "skills", size: 0, dir: true }];
+    const tree = buildTree(files);
+    expect(tree).toHaveLength(1);
+    expect(tree[0]).toMatchObject({
+      name: "skills",
+      path: "skills",
+      isDir: true,
+      children: [],
+      size: 0,
+    });
+  });
+
+  it("sorts dirs before files at the same level", () => {
+    const files: FileEntry[] = [
+      { path: "b.txt", size: 10, dir: false },
+      { path: "a.txt", size: 10, dir: false },
+      { path: "z-dir", size: 0, dir: true },
+      { path: "a-dir", size: 0, dir: true },
+    ];
+    const tree = buildTree(files);
+    expect(tree).toHaveLength(4);
+    // Dirs first: z-dir, a-dir alphabetically → a before z
+    expect(tree[0].name).toBe("a-dir");
+    expect(tree[1].name).toBe("z-dir");
+    // Then files alphabetically
+    expect(tree[2].name).toBe("a.txt");
+    expect(tree[3].name).toBe("b.txt");
+  });
+
+  it("alphabetically sorts files within the same level", () => {
+    const files: FileEntry[] = [
+      { path: "z.yaml", size: 10, dir: false },
+      { path: "a.yaml", size: 10, dir: false },
+      { path: "m.yaml", size: 10, dir: false },
+    ];
+    const tree = buildTree(files);
+    expect(tree.map((n) => n.name)).toEqual(["a.yaml", "m.yaml", "z.yaml"]);
+  });
+
+  it("nests a file under its parent directory", () => {
+    const files: FileEntry[] = [
+      { path: "skills", size: 0, dir: true },
+      { path: "skills/readme.md", size: 64, dir: false },
+    ];
+    const tree = buildTree(files);
+    expect(tree).toHaveLength(1);
+    expect(tree[0].name).toBe("skills");
+    expect(tree[0].children).toHaveLength(1);
+    expect(tree[0].children[0]).toMatchObject({
+      name: "readme.md",
+      path: "skills/readme.md",
+      isDir: false,
+      size: 64,
+    });
+  });
+
+  it("creates intermediate directories automatically", () => {
+    const files: FileEntry[] = [
+      { path: "a/b/c/deep.txt", size: 32, dir: false },
+    ];
+    const tree = buildTree(files);
+    // Root has one child: "a"
+    expect(tree).toHaveLength(1);
+    expect(tree[0].name).toBe("a");
+    expect(tree[0].isDir).toBe(true);
+    // "a" has one child: "b"
+    expect(tree[0].children).toHaveLength(1);
+    expect(tree[0].children[0].name).toBe("b");
+    // "b" has one child: "c"
+    expect(tree[0].children[0].children).toHaveLength(1);
+    expect(tree[0].children[0].children[0].name).toBe("c");
+    // "c" has the file
+    expect(tree[0].children[0].children[0].children[0].name).toBe("deep.txt");
+    expect(tree[0].children[0].children[0].children[0].size).toBe(32);
+  });
+
+  it("adds multiple files to the same directory", () => {
+    const files: FileEntry[] = [
+      { path: "configs", size: 0, dir: true },
+      { path: "configs/a.yaml", size: 10, dir: false },
+      { path: "configs/b.yaml", size: 20, dir: false },
+    ];
+    const tree = buildTree(files);
+    expect(tree).toHaveLength(1);
+    expect(tree[0].children.map((n) => n.name).sort()).toEqual(["a.yaml", "b.yaml"]);
+  });
+
+  it("does not duplicate a directory already created as intermediate", () => {
+    const files: FileEntry[] = [
+      { path: "a/b.txt", size: 5, dir: false },
+      { path: "a", size: 0, dir: true },
+    ];
+    const tree = buildTree(files);
+    // "a" should appear only once
+    expect(tree).toHaveLength(1);
+    expect(tree[0].name).toBe("a");
+    // The dir "a" should still contain "b.txt"
+    expect(tree[0].children).toHaveLength(1);
+    expect(tree[0].children[0].name).toBe("b.txt");
+  });
+
+  it("intermediate dirs have size 0", () => {
+    const files: FileEntry[] = [
+      { path: "a/b/c/file.txt", size: 1, dir: false },
+    ];
+    const tree = buildTree(files);
+    expect(tree[0].size).toBe(0);
+    expect(tree[0].children[0].size).toBe(0);
+  });
+
+  it("handles deeply nested mixed dirs and files", () => {
+    const files: FileEntry[] = [
+      { path: "a", size: 0, dir: true },
+      { path: "a/b", size: 0, dir: true },
+      { path: "a/b/c", size: 0, dir: true },
+      { path: "a/b/c/d.txt", size: 1, dir: false },
+      { path: "a/b/e.txt", size: 2, dir: false },
+      { path: "a/f.txt", size: 3, dir: false },
+    ];
+    const tree = buildTree(files);
+    expect(tree).toHaveLength(1); // root: "a"
+    expect(tree[0].children.map((n) => n.name).sort()).toEqual(["b", "f.txt"]);
+    expect(tree[0].children.find((n) => n.name === "b")!.children.map((n) => n.name).sort())
+      .toEqual(["c", "e.txt"]);
+  });
+});
@@ -332,6 +332,13 @@ export function ScheduleTab({ workspaceId }: Props) {
                  <div className="flex items-center gap-1.5">
                    <button
                      onClick={() => handleToggle(sched)}
+                      aria-label={
+                        sched.last_status === "error"
+                          ? "Last run failed — click to disable"
+                          : sched.last_status === "ok"
+                          ? "Last run OK — click to disable"
+                          : "Never run — click to enable"
+                      }
                      className={`w-2 h-2 rounded-full flex-shrink-0 ${
                        sched.last_status === "error"
                          ? "bg-red-400"
@@ -360,7 +367,7 @@ export function ScheduleTab({ workspaceId }: Props) {
                    <span>Runs: {sched.run_count}</span>
                  </div>
                  {sched.last_error && (
-                    <div className="text-[8px] text-bad/70 mt-0.5 truncate">
+                    <div className="text-[8px] text-bad mt-0.5 truncate">
                      Error: {sched.last_error}
                    </div>
                  )}
@@ -492,7 +492,7 @@ export function SkillsTab({ workspaceId, data }: Props) {
                <div className="text-[10px] text-bad font-semibold mb-0.5">
                  Couldn't load the plugin registry
                </div>
-                <div className="text-[10px] text-bad/80">{registryError}</div>
+                <div className="text-[10px] text-bad">{registryError}</div>
                <div className="mt-1 text-[10px] text-ink-mid">
                  Check the platform server is reachable at /plugins. The Retry button is in the header above.
                </div>
@@ -0,0 +1,3 @@
+export { useChatHistory } from "./useChatHistory";
+export { useChatSend } from "./useChatSend";
+export { useChatSocket } from "./useChatSocket";
@@ -0,0 +1,11 @@
+"use client";
+
+import { useCanvasStore, type WorkspaceNodeData } from "@/store/canvas";
+
+/** Resolve a workspace ID to its human-readable name.
+ *  Falls back to the first 8 chars of the ID. */
+export function resolveWorkspaceName(id: string): string {
+  const nodes = useCanvasStore.getState().nodes;
+  const node = nodes.find((n) => n.id === id);
+  return (node?.data as WorkspaceNodeData)?.name || id.slice(0, 8);
+}
@@ -0,0 +1,134 @@
+"use client";
+
+import { useCallback, useEffect, useRef, useState } from "react";
+import { api } from "@/lib/api";
+import { type ChatMessage, appendMessageDeduped as appendMessageDedupedFn } from "../types";
+
+const INITIAL_HISTORY_LIMIT = 10;
+const OLDER_HISTORY_BATCH = 20;
+
+async function loadMessagesFromDB(
+  workspaceId: string,
+  limit: number,
+  beforeTs?: string,
+): Promise<{ messages: ChatMessage[]; error: string | null; reachedEnd: boolean }> {
+  try {
+    const params = new URLSearchParams({ limit: String(limit) });
+    if (beforeTs) params.set("before_ts", beforeTs);
+    const resp = await api.get<{ messages: ChatMessage[]; reached_end: boolean }>(
+      `/workspaces/${workspaceId}/chat-history?${params.toString()}`,
+    );
+    return {
+      messages: resp.messages ?? [],
+      error: null,
+      reachedEnd: resp.reached_end,
+    };
+  } catch (err) {
+    return {
+      messages: [],
+      error: err instanceof Error ? err.message : "Failed to load chat history",
+      reachedEnd: true,
+    };
+  }
+}
+
+export interface ScrollAnchor {
+  savedDistanceFromBottom: number;
+  expectFirstIdNotEqual: string | null;
+}
+
+export function useChatHistory(
+  workspaceId: string,
+  containerRef?: React.RefObject<HTMLDivElement | null>,
+) {
+  const [messages, setMessages] = useState<ChatMessage[]>([]);
+  const [loading, setLoading] = useState(true);
+  const [loadError, setLoadError] = useState<string | null>(null);
+  const [loadingOlder, setLoadingOlder] = useState(false);
+  const [hasMore, setHasMore] = useState(true);
+
+  const fetchTokenRef = useRef(0);
+  const oldestMessageRef = useRef<ChatMessage | null>(null);
+  const hasMoreRef = useRef(true);
+  const inflightRef = useRef(false);
+  const scrollAnchorRef = useRef<ScrollAnchor | null>(null);
+
+  useEffect(() => {
+    oldestMessageRef.current = messages[0] ?? null;
+  }, [messages]);
+
+  useEffect(() => {
+    hasMoreRef.current = hasMore;
+  }, [hasMore]);
+
+  const loadInitial = useCallback(() => {
+    setLoading(true);
+    setLoadError(null);
+    setHasMore(true);
+    fetchTokenRef.current += 1;
+    const myToken = fetchTokenRef.current;
+    return loadMessagesFromDB(workspaceId, INITIAL_HISTORY_LIMIT).then(
+      ({ messages: msgs, error: fetchErr, reachedEnd }) => {
+        if (fetchTokenRef.current !== myToken) return;
+        setMessages(msgs);
+        setLoadError(fetchErr);
+        setHasMore(!reachedEnd);
+        setLoading(false);
+      },
+    );
+  }, [workspaceId]);
+
+  useEffect(() => {
+    loadInitial();
+  }, [loadInitial]);
+
+  const loadOlder = useCallback(async () => {
+    if (inflightRef.current || !hasMoreRef.current) return;
+    const oldest = oldestMessageRef.current;
+    if (!oldest) return;
+    const container = containerRef?.current;
+    if (!container) return;
+    inflightRef.current = true;
+    scrollAnchorRef.current = {
+      savedDistanceFromBottom: container.scrollHeight - container.scrollTop,
+      expectFirstIdNotEqual: oldest.id,
+    };
+    fetchTokenRef.current += 1;
+    const myToken = fetchTokenRef.current;
+    setLoadingOlder(true);
+    try {
+      const { messages: older, reachedEnd } = await loadMessagesFromDB(
+        workspaceId,
+        OLDER_HISTORY_BATCH,
+        oldest.timestamp,
+      );
+      if (fetchTokenRef.current !== myToken) {
+        scrollAnchorRef.current = null;
+        return;
+      }
+      if (older.length > 0) {
+        setMessages((prev) => [...older, ...prev]);
+      } else {
+        scrollAnchorRef.current = null;
+      }
+      setHasMore(!reachedEnd);
+    } finally {
+      setLoadingOlder(false);
+      inflightRef.current = false;
+    }
+  }, [workspaceId, containerRef]);
+
+  return {
+    messages,
+    loading,
+    loadError,
+    loadingOlder,
+    hasMore,
+    loadInitial,
+    loadOlder,
+    appendMessageDeduped: (msg: ChatMessage) =>
+      setMessages((prev) => appendMessageDedupedFn(prev, msg)),
+    setMessages,
+    scrollAnchorRef,
+  };
+}
@@ -0,0 +1,182 @@
+"use client";
+
+import { useCallback, useRef, useState } from "react";
+import { api } from "@/lib/api";
+import { uploadChatFiles } from "../uploads";
+import { createMessage, type ChatMessage, type ChatAttachment } from "../types";
+import { extractFilesFromTask } from "../message-parser";
+
+interface A2APart {
+  kind: string;
+  text?: string;
+  file?: {
+    name?: string;
+    mimeType?: string;
+    uri?: string;
+    size?: number;
+  };
+}
+
+interface A2AResponse {
+  result?: {
+    parts?: A2APart[];
+    artifacts?: Array<{ parts: A2APart[] }>;
+  };
+}
+
+export function extractReplyText(resp: A2AResponse): string {
+  const collect = (parts: A2APart[] | undefined): string => {
+    if (!parts) return "";
+    return parts
+      .filter((p) => p.kind === "text")
+      .map((p) => p.text ?? "")
+      .filter(Boolean)
+      .join("\n");
+  };
+  const result = resp?.result;
+  const collected: string[] = [];
+  const fromParts = collect(result?.parts);
+  if (fromParts) collected.push(fromParts);
+  if (result?.artifacts) {
+    for (const a of result.artifacts) {
+      const t = collect(a.parts);
+      if (t) collected.push(t);
+    }
+  }
+  return collected.join("\n");
+}
+
+export interface UseChatSendOptions {
+  getHistoryMessages: () => ChatMessage[];
+  onUserMessage?: (msg: ChatMessage) => void;
+  onAgentMessage?: (msg: ChatMessage) => void;
+}
+
+export function useChatSend(workspaceId: string, options: UseChatSendOptions) {
+  const [sending, setSending] = useState(false);
+  const [uploading, setUploading] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+  const sendInFlightRef = useRef(false);
+  const sendingFromAPIRef = useRef(false);
+  const sendTokenRef = useRef(0);
+  const optionsRef = useRef(options);
+  optionsRef.current = options;
+
+  const releaseSendGuards = useCallback(() => {
+    setSending(false);
+    sendingFromAPIRef.current = false;
+    sendInFlightRef.current = false;
+  }, []);
+
+  const clearError = useCallback(() => setError(null), []);
+
+  const sendMessage = useCallback(
+    async (text: string, files: File[] = []) => {
+      const trimmed = text.trim();
+      if ((!trimmed && files.length === 0) || sending || uploading) return;
+      if (sendInFlightRef.current) return;
+      sendInFlightRef.current = true;
+
+      let uploaded: ChatAttachment[] = [];
+      if (files.length > 0) {
+        setUploading(true);
+        try {
+          uploaded = await uploadChatFiles(workspaceId, files);
+        } catch (e) {
+          setUploading(false);
+          sendInFlightRef.current = false;
+          setError(
+            e instanceof Error ? `Upload failed: ${e.message}` : "Upload failed",
+          );
+          return;
+        }
+        setUploading(false);
+      }
+
+      const userMsg = createMessage("user", trimmed, uploaded);
+      optionsRef.current.onUserMessage?.(userMsg);
+
+      setSending(true);
+      sendingFromAPIRef.current = true;
+      setError(null);
+      const myToken = ++sendTokenRef.current;
+
+      const history = optionsRef.current
+        .getHistoryMessages()
+        .filter((m) => m.role === "user" || m.role === "agent")
+        .slice(-20)
+        .map((m) => ({
+          role: m.role === "user" ? "user" : "agent",
+          parts: [{ kind: "text", text: m.content }],
+        }));
+
+      const parts: A2APart[] = [];
+      if (trimmed) parts.push({ kind: "text", text: trimmed });
+      for (const att of uploaded) {
+        parts.push({
+          kind: "file",
+          file: {
+            name: att.name,
+            mimeType: att.mimeType,
+            uri: att.uri,
+            size: att.size,
+          },
+        });
+      }
+
+      api
+        .post<A2AResponse>(
+          `/workspaces/${workspaceId}/a2a`,
+          {
+            method: "message/send",
+            params: {
+              message: {
+                role: "user",
+                messageId: crypto.randomUUID(),
+                parts,
+              },
+              metadata: { history },
+            },
+          },
+          { timeoutMs: 120_000 },
+        )
+        .then((resp) => {
+          if (sendTokenRef.current !== myToken) return;
+          if (!sendingFromAPIRef.current) {
+            sendInFlightRef.current = false;
+            return;
+          }
+          const replyText = extractReplyText(resp);
+          const replyFiles = extractFilesFromTask(
+            (resp?.result ?? {}) as Record<string, unknown>,
+          );
+          if (replyText || replyFiles.length > 0) {
+            optionsRef.current.onAgentMessage?.(
+              createMessage("agent", replyText, replyFiles),
+            );
+          }
+          releaseSendGuards();
+        })
+        .catch(() => {
+          if (sendTokenRef.current !== myToken) return;
+          if (!sendingFromAPIRef.current) {
+            sendInFlightRef.current = false;
+            return;
+          }
+          releaseSendGuards();
+          setError("Failed to send message — agent may be unreachable");
+        });
+    },
+    [workspaceId, sending, uploading],
+  );
+
+  return {
+    sending,
+    uploading,
+    sendMessage,
+    error,
+    clearError,
+    releaseSendGuards,
+    sendingFromAPIRef,
+  };
+}
@@ -0,0 +1,100 @@
+"use client";
+
+import { useCallback, useEffect, useRef } from "react";
+import { useCanvasStore, type WorkspaceNodeData } from "@/store/canvas";
+import { useSocketEvent } from "@/hooks/useSocketEvent";
+import { createMessage, type ChatMessage } from "../types";
+
+export interface UseChatSocketCallbacks {
+  onAgentMessage?: (msg: ChatMessage) => void;
+  onActivityLog?: (entry: string) => void;
+  onSendComplete?: () => void;
+  onSendError?: (error: string) => void;
+}
+
+export function useChatSocket(
+  workspaceId: string,
+  callbacks: UseChatSocketCallbacks,
+): void {
+  const callbacksRef = useRef(callbacks);
+  callbacksRef.current = callbacks;
+
+  // Agent push messages from global store
+  const pendingAgentMsgs = useCanvasStore((s) => s.agentMessages[workspaceId]);
+  useEffect(() => {
+    if (!pendingAgentMsgs || pendingAgentMsgs.length === 0) return;
+    const consume = useCanvasStore.getState().consumeAgentMessages;
+    const msgs = consume(workspaceId);
+    for (const m of msgs) {
+      callbacksRef.current.onAgentMessage?.(
+        createMessage("agent", m.content, m.attachments),
+      );
+    }
+    if (msgs.length > 0) {
+      callbacksRef.current.onSendComplete?.();
+    }
+  }, [pendingAgentMsgs, workspaceId]);
+
+  const resolveWorkspaceName = useCallback((id: string) => {
+    const nodes = useCanvasStore.getState().nodes;
+    const node = nodes.find((n) => n.id === id);
+    return (node?.data as WorkspaceNodeData)?.name || id.slice(0, 8);
+  }, []);
+
+  useSocketEvent((msg) => {
+    try {
+      if (msg.event === "ACTIVITY_LOGGED") {
+        if (msg.workspace_id !== workspaceId) return;
+
+        const p = msg.payload || {};
+        const type = p.activity_type as string;
+        const method = (p.method as string) || "";
+        const status = (p.status as string) || "";
+        const targetId = (p.target_id as string) || "";
+        const durationMs = p.duration_ms as number | undefined;
+        const summary = (p.summary as string) || "";
+
+        let line = "";
+        if (type === "a2a_receive" && method === "message/send") {
+          const targetName = resolveWorkspaceName(targetId || msg.workspace_id);
+          if (status === "ok" && durationMs) {
+            const sec = Math.round(durationMs / 1000);
+            line = `← ${targetName} responded (${sec}s)`;
+            const own = (targetId || msg.workspace_id) === workspaceId;
+            if (own) callbacksRef.current.onSendComplete?.();
+          } else if (status === "error") {
+            line = `⚠ ${targetName} error`;
+            const own = (targetId || msg.workspace_id) === workspaceId;
+            if (own) {
+              callbacksRef.current.onSendComplete?.();
+              callbacksRef.current.onSendError?.(
+                "Agent error (Exception) — see workspace logs for details.",
+              );
+            }
+          }
+        } else if (type === "a2a_send") {
+          const targetName = resolveWorkspaceName(targetId);
+          line = `→ Delegating to ${targetName}...`;
+        } else if (type === "task_update") {
+          if (summary) line = `⟳ ${summary}`;
+        } else if (type === "agent_log") {
+          if (summary) line = summary;
+        }
+
+        if (line) {
+          callbacksRef.current.onActivityLog?.(line);
+        }
+      } else if (
+        msg.event === "TASK_UPDATED" &&
+        msg.workspace_id === workspaceId
+      ) {
+        const task = (msg.payload?.current_task as string) || "";
+        if (task) {
+          callbacksRef.current.onActivityLog?.(`⟳ ${task}`);
+        }
+      }
+    } catch {
+      /* ignore */
+    }
+  });
+}
@@ -1,2 +1,5 @@
 export { type ChatMessage, createMessage, appendMessageDeduped } from "./types";
 export { extractAgentText, extractTextsFromParts, extractResponseText } from "./message-parser";
+export { useChatHistory } from "./hooks/useChatHistory";
+export { useChatSend } from "./hooks/useChatSend";
+export { useChatSocket } from "./hooks/useChatSocket";
@@ -8,6 +8,7 @@ import {
  type PreflightResult,
  type Template,
 } from "@/lib/deploy-preflight";
+import { isSaaSTenant } from "@/lib/tenant";
 import { MissingKeysModal } from "@/components/MissingKeysModal";

 /**
@@ -105,7 +106,7 @@ export function useTemplateDeploy(
        const ws = await api.post<{ id: string }>("/workspaces", {
          name: template.name,
          template: template.id,
-          tier: template.tier,
+          tier: isSaaSTenant() ? 4 : template.tier,
          canvas: coords,
          ...(model ? { model } : {}),
        });
@@ -0,0 +1,189 @@
+// @vitest-environment jsdom
+/**
+ * Tests for hydrate.ts — canvas store hydration with exponential backoff.
+ *
+ * Covers:
+ *   - Successful hydration on first attempt (no retries)
+ *   - Retry with exponential backoff on failure
+ *   - onRetrying callback called at correct intervals
+ *   - Error propagation after MAX_RETRIES exhausted
+ *   - Viewport persisted on success
+ *   - Viewport failure is non-fatal
+ */
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+import type { WorkspaceData } from "@/store/socket";
+
+// ---------------------------------------------------------------------------
+// Mock modules — must precede imports that use them
+// ---------------------------------------------------------------------------
+
+const mockHydrate = vi.fn();
+const mockSetViewport = vi.fn();
+
+vi.mock("@/lib/api", () => ({
+  api: {
+    get: vi.fn(),
+  },
+  PLATFORM_URL: "https://platform.test",
+}));
+
+vi.mock("@/store/canvas", () => ({
+  useCanvasStore: Object.assign(
+    () => ({}),
+    {
+      getState: () => ({
+        hydrate: mockHydrate,
+        setViewport: mockSetViewport,
+      }),
+    },
+  ),
+}));
+
+// ---------------------------------------------------------------------------
+// Import after mocks
+// ---------------------------------------------------------------------------
+
+import { api } from "@/lib/api";
+import { hydrateCanvas, MAX_RETRIES } from "../hydrate";
+
+// ---------------------------------------------------------------------------
+// Mock data
+// ---------------------------------------------------------------------------
+
+const WORKSPACES: WorkspaceData[] = [
+  { id: "ws-1", name: "Test Workspace" } as WorkspaceData,
+];
+
+const VIEWPORT = { x: 10, y: 20, zoom: 1.5 };
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+const mockApiGet = vi.mocked(api.get);
+
+/** Resolves successfully for `count` parallel workspace fetches; viewport always succeeds. */
+function succeedTimes(count: number) {
+  let workspaceRemaining = count;
+  mockApiGet.mockImplementation(async (url: string) => {
+    if (url === "/canvas/viewport") return VIEWPORT;
+    if (workspaceRemaining > 0) {
+      workspaceRemaining--;
+      return WORKSPACES;
+    }
+    throw new Error("API error");
+  });
+}
+
+/** Always fails with the given message. */
+function alwaysFail(msg = "Network error") {
+  mockApiGet.mockRejectedValue(new Error(msg));
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("hydrateCanvas", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mockApiGet.mockReset();
+    mockHydrate.mockReset();
+    mockSetViewport.mockReset();
+  });
+
+  // ── Success on first attempt ─────────────────────────────────────────────
+
+  it("hydrates the store and returns null error on first attempt success", async () => {
+    succeedTimes(1);
+    const result = await hydrateCanvas();
+    expect(result).toEqual({ error: null });
+    expect(mockHydrate).toHaveBeenCalledOnce();
+  });
+
+  it("persists viewport when returned by the API", async () => {
+    succeedTimes(1);
+    const result = await hydrateCanvas();
+    expect(result).toEqual({ error: null });
+    expect(mockSetViewport).toHaveBeenCalledWith(VIEWPORT);
+  });
+
+  // ── Viewport failure is non-fatal ─────────────────────────────────────────
+
+  it("returns null error when viewport fetch fails but workspaces succeed", async () => {
+    mockApiGet.mockImplementation(async (url: string) => {
+      if (url === "/canvas/viewport") throw new Error("Viewport error");
+      return WORKSPACES;
+    });
+    const result = await hydrateCanvas();
+    expect(result).toEqual({ error: null });
+    expect(mockHydrate).toHaveBeenCalledOnce();
+    expect(mockSetViewport).not.toHaveBeenCalled();
+  });
+
+  // ── Retry logic ──────────────────────────────────────────────────────────
+
+  it("retries MAX_RETRIES times before returning an error", async () => {
+    alwaysFail();
+    const onRetrying = vi.fn();
+    const result = await Promise.race([
+      hydrateCanvas(onRetrying),
+      new Promise<"timeout">((resolve) => setTimeout(() => resolve("timeout"), 5000)),
+    ]);
+    if (result === "timeout") throw new Error("Test timed out — retries not awaited correctly");
+    expect(result.error).not.toBeNull();
+    expect(onRetrying).toHaveBeenCalledTimes(MAX_RETRIES - 1);
+  }, 10000);
+
+  it("onRetrying is called with attempt number before each retry", async () => {
+    alwaysFail();
+    const onRetrying = vi.fn();
+    await Promise.race([
+      hydrateCanvas(onRetrying),
+      new Promise<"timeout">((resolve) => setTimeout(() => resolve("timeout"), 5000)),
+    ]);
+    expect(onRetrying).toHaveBeenNthCalledWith(1, 1);
+    expect(onRetrying).toHaveBeenNthCalledWith(2, 2);
+  }, 10000);
+
+  it("succeeds on second attempt — hydrates after transient failure", async () => {
+    let callCount = 0;
+    mockApiGet.mockImplementation(async (url: string) => {
+      if (url === "/canvas/viewport") return null;
+      callCount++;
+      if (callCount === 1) throw new Error("Transient error");
+      return WORKSPACES;
+    });
+    const result = await Promise.race([
+      hydrateCanvas(),
+      new Promise<"timeout">((resolve) => setTimeout(() => resolve("timeout"), 5000)),
+    ]);
+    if (result === "timeout") throw new Error("Test timed out");
+    expect(result).toEqual({ error: null });
+    expect(mockHydrate).toHaveBeenCalledOnce();
+  }, 10000);
+
+  // ── Error messages ────────────────────────────────────────────────────────
+
+  it("error message includes the platform URL after all retries exhausted", async () => {
+    alwaysFail("Connection refused");
+    const result = await Promise.race([
+      hydrateCanvas(),
+      new Promise<"timeout">((resolve) => setTimeout(() => resolve("timeout"), 5000)),
+    ]);
+    if (result === "timeout") throw new Error("Test timed out");
+    expect(result.error).toContain("platform.test");
+    expect(result.error).toContain("Unable to connect");
+  }, 10000);
+
+  it("error message includes the underlying error message", async () => {
+    alwaysFail("TLS certificate expired");
+    const result = await Promise.race([
+      hydrateCanvas(),
+      new Promise<"timeout">((resolve) => setTimeout(() => resolve("timeout"), 5000)),
+    ]);
+    if (result === "timeout") throw new Error("Test timed out");
+    expect(result.error).not.toBeNull();
+    expect(typeof result.error).toBe("string");
+  }, 10000);
+});
@@ -0,0 +1,205 @@
+// @vitest-environment jsdom
+"use client";
+/**
+ * Tests for palette-context.tsx — MobileAccentProvider context + usePalette hook.
+ *
+ * Test coverage (9 cases):
+ * 1. MobileAccentProvider renders children
+ * 2. usePalette(false) without provider → MOL_LIGHT
+ * 3. usePalette(true) without provider → MOL_DARK
+ * 4. accent=null returns base palette unchanged
+ * 5. accent=base.accent returns base palette unchanged (identity guard)
+ * 6. accent="#custom" overrides both accent and online
+ * 7. MOL_LIGHT singleton never mutated
+ * 8. MOL_DARK singleton never mutated
+ *
+ * Plus pure-function coverage for normalizeStatus + tierCode.
+ */
+import { describe, expect, it, vi, beforeEach, afterEach } from "vitest";
+import React from "react";
+import { render, screen, cleanup } from "@testing-library/react";
+import {
+  MOL_LIGHT,
+  MOL_DARK,
+  getPalette,
+  normalizeStatus,
+  tierCode,
+  MobileAccentProvider,
+  usePalette,
+} from "../palette-context";
+
+// ─── usePalette test helper ───────────────────────────────────────────────────
+// usePalette reads document.documentElement.dataset.theme internally.
+// We set this before rendering so the hook sees the right value.
+
+function setDataTheme(theme: "light" | "dark") {
+  if (typeof document !== "undefined") {
+    document.documentElement.dataset.theme = theme;
+  }
+}
+
+// ─── Pure function tests ──────────────────────────────────────────────────────
+
+describe("normalizeStatus", () => {
+  it("returns emerald-400 for online status", () => {
+    expect(normalizeStatus("online", false)).toBe("bg-emerald-400");
+    expect(normalizeStatus("online", true)).toBe("bg-emerald-400");
+  });
+
+  it("returns emerald-400 for degraded status", () => {
+    expect(normalizeStatus("degraded", false)).toBe("bg-emerald-400");
+    expect(normalizeStatus("degraded", true)).toBe("bg-emerald-400");
+  });
+
+  it("returns red-400 for failed status", () => {
+    expect(normalizeStatus("failed", false)).toBe("bg-red-400");
+    expect(normalizeStatus("failed", true)).toBe("bg-red-400");
+  });
+
+  it("returns amber-400 for paused status", () => {
+    expect(normalizeStatus("paused", false)).toBe("bg-amber-400");
+    expect(normalizeStatus("paused", true)).toBe("bg-amber-400");
+  });
+
+  it("returns amber-400 for not_configured status", () => {
+    expect(normalizeStatus("not_configured", false)).toBe("bg-amber-400");
+  });
+
+  it("returns zinc-400 for unknown status", () => {
+    expect(normalizeStatus("unknown", false)).toBe("bg-zinc-400");
+    expect(normalizeStatus("", false)).toBe("bg-zinc-400");
+  });
+});
+
+describe("tierCode", () => {
+  it("returns T1 for tier 1", () => {
+    expect(tierCode(1)).toBe("T1");
+  });
+
+  it("returns T2 for tier 2", () => {
+    expect(tierCode(2)).toBe("T2");
+  });
+
+  it("returns T4 for tier 4", () => {
+    expect(tierCode(4)).toBe("T4");
+  });
+
+  it("returns generic T{n} for non-standard tiers", () => {
+    expect(tierCode(99)).toBe("T99");
+  });
+});
+
+// ─── getPalette tests ─────────────────────────────────────────────────────────
+
+describe("getPalette — accent override", () => {
+  it("accent=null returns base palette unchanged (light)", () => {
+    const result = getPalette(null, false);
+    expect(result).toEqual({ ...MOL_LIGHT });
+    expect(result).not.toBe(MOL_LIGHT); // returned object is a copy
+  });
+
+  it("accent=null returns base palette unchanged (dark)", () => {
+    const result = getPalette(null, true);
+    expect(result).toEqual({ ...MOL_DARK });
+    expect(result).not.toBe(MOL_DARK);
+  });
+
+  it("accent=base.accent returns base palette unchanged (identity guard, light)", () => {
+    const result = getPalette(MOL_LIGHT.accent, false);
+    expect(result).toEqual({ ...MOL_LIGHT });
+    expect(result).not.toBe(MOL_LIGHT);
+  });
+
+  it("accent=base.accent returns base palette unchanged (identity guard, dark)", () => {
+    const result = getPalette(MOL_DARK.accent, true);
+    expect(result).toEqual({ ...MOL_DARK });
+    expect(result).not.toBe(MOL_DARK);
+  });
+
+  it("accent='#custom' overrides accent and online (light)", () => {
+    const result = getPalette("#ff0000", false);
+    expect(result.accent).toBe("#ff0000");
+    expect(result.online).toBe("bg-emerald-400"); // normalizeStatus("online", false)
+  });
+
+  it("accent='#custom' overrides accent and online (dark)", () => {
+    const result = getPalette("#00ff00", true);
+    expect(result.accent).toBe("#00ff00");
+    expect(result.online).toBe("bg-emerald-400"); // normalizeStatus("online", true)
+  });
+
+  it("MOL_LIGHT singleton is never mutated", () => {
+    getPalette("#mutate", false);
+    // All fields must still match the original freeze definition
+    expect(MOL_LIGHT.accent).toBe("bg-blue-500");
+    expect(MOL_LIGHT.online).toBe("bg-emerald-400");
+    expect(MOL_LIGHT.surface).toBe("bg-zinc-900");
+    expect(MOL_LIGHT.ink).toBe("text-zinc-100");
+    expect(MOL_LIGHT.line).toBe("border-zinc-700");
+    expect(MOL_LIGHT.bg).toBe("bg-zinc-950");
+  });
+
+  it("MOL_DARK singleton is never mutated", () => {
+    getPalette("#mutate", true);
+    expect(MOL_DARK.accent).toBe("bg-sky-400");
+    expect(MOL_DARK.online).toBe("bg-emerald-400");
+    expect(MOL_DARK.surface).toBe("bg-zinc-800");
+    expect(MOL_DARK.ink).toBe("text-zinc-100");
+    expect(MOL_DARK.line).toBe("border-zinc-700");
+    expect(MOL_DARK.bg).toBe("bg-zinc-950");
+  });
+
+  it("getPalette always returns a new object (no shared mutation risk)", () => {
+    const a = getPalette("#a", false);
+    const b = getPalette("#b", false);
+    expect(a).not.toBe(b);
+    expect(a.accent).not.toBe(b.accent);
+  });
+});
+
+// ─── MobileAccentProvider tests ───────────────────────────────────────────────
+
+describe("MobileAccentProvider", () => {
+  beforeEach(() => {
+    setDataTheme("light");
+  });
+
+  afterEach(() => {
+    cleanup();
+    if (typeof document !== "undefined") {
+      document.documentElement.dataset.theme = "";
+    }
+  });
+
+  it("renders children", () => {
+    render(
+      <MobileAccentProvider accent={null}>
+        <span data-testid="child">Hello</span>
+      </MobileAccentProvider>,
+    );
+    expect(screen.getByTestId("child")).toBeTruthy();
+  });
+
+  // usePalette hook reads data-theme from <html> to determine light/dark.
+  // In the test environment, data-theme is empty, which falls through to
+  // the "light" default in usePalette, giving MOL_LIGHT.
+  it("usePalette(false) without provider → MOL_LIGHT", () => {
+    setDataTheme("light");
+    function ShowPalette() {
+      const p = usePalette(false);
+      return <span data-testid="accent-light">{p.accent}</span>;
+    }
+    render(<ShowPalette />);
+    expect(screen.getByTestId("accent-light").textContent).toBe(MOL_LIGHT.accent);
+  });
+
+  it("usePalette(true) without provider → MOL_DARK when data-theme=dark", () => {
+    setDataTheme("dark");
+    function ShowPalette() {
+      const p = usePalette(true);
+      return <span data-testid="accent-dark">{p.accent}</span>;
+    }
+    render(<ShowPalette />);
+    expect(screen.getByTestId("accent-dark").textContent).toBe(MOL_DARK.accent);
+  });
+});
@@ -21,8 +21,8 @@ export function statusDotClass(status: string): string {
 export const TIER_CONFIG: Record<number, { label: string; color: string; border: string }> = {
  1: { label: "T1", color: "text-ink-mid bg-surface-card border border-line", border: "text-ink-mid border-line" },
  2: { label: "T2", color: "text-white bg-accent border border-accent-strong", border: "text-accent border-accent" },
-  3: { label: "T3", color: "text-white bg-violet-600 border border-violet-700", border: "text-violet-600 border-violet-500" },
-  4: { label: "T4", color: "text-white bg-warm border border-warm", border: "text-warm border-warm" },
+  3: { label: "T3", color: "text-white bg-violet-600 border border-violet-700", border: "text-white border-violet-500" },
+  4: { label: "T4", color: "text-white bg-warm border border-warm", border: "text-white border-warm" },
 };

 export const COMM_TYPE_LABELS: Record<string, string> = {
@@ -0,0 +1,167 @@
+"use client";
+
+/**
+ * palette-context.tsx
+ *
+ * Mobile canvas accent palette system.
+ *
+ * - MOL_LIGHT / MOL_DARK  — immutable base singletons
+ * - getPalette(accent, isDark) — returns base palette or accent-overridden copy
+ * - normalizeStatus(status, isDark) — maps workspace status → online dot color
+ * - tierCode(tier) — maps tier number → display label
+ * - MobileAccentProvider — React context that propagates accent override
+ * - usePalette(allowAccentOverride) — hook; returns the effective palette
+ */
+
+import { createContext, useContext } from "react";
+
+// ─── Types ─────────────────────────────────────────────────────────────────────
+
+export interface Palette {
+  /** Accent colour (CSS colour string). */
+  accent: string;
+  /** Online indicator colour (CSS class string, e.g. "bg-emerald-400"). */
+  online: string;
+  /** Surface background colour class. */
+  surface: string;
+  /** Primary text colour class. */
+  ink: string;
+  /** Border/divider colour class. */
+  line: string;
+  /** Background colour class. */
+  bg: string;
+  /** Tier display code, e.g. "T1". */
+  tier: string;
+}
+
+// ─── Singleton base palettes ────────────────────────────────────────────────────
+
+/** Light-mode base palette — must never be mutated. */
+export const MOL_LIGHT: Readonly<Palette> = Object.freeze({
+  accent: "bg-blue-500",
+  online: "bg-emerald-400",
+  surface: "bg-zinc-900",
+  ink: "text-zinc-100",
+  line: "border-zinc-700",
+  bg: "bg-zinc-950",
+  tier: "T1",
+});
+
+/** Dark-mode base palette — must never be mutated. */
+export const MOL_DARK: Readonly<Palette> = Object.freeze({
+  accent: "bg-sky-400",
+  online: "bg-emerald-400",
+  surface: "bg-zinc-800",
+  ink: "text-zinc-100",
+  line: "border-zinc-700",
+  bg: "bg-zinc-950",
+  tier: "T1",
+});
+
+// ─── Pure helpers ─────────────────────────────────────────────────────────────
+
+/**
+ * Maps workspace status string → online dot colour class.
+ * Returns the appropriate green for light/dark mode.
+ */
+export function normalizeStatus(
+  status: string,
+  _isDark: boolean,
+): string {
+  if (status === "online" || status === "degraded") {
+    return "bg-emerald-400";
+  }
+  if (status === "failed") {
+    return "bg-red-400";
+  }
+  if (status === "paused" || status === "not_configured") {
+    return "bg-amber-400";
+  }
+  return "bg-zinc-400";
+}
+
+/**
+ * Maps tier number → display code.
+ */
+export function tierCode(tier: number): string {
+  return `T${tier}`;
+}
+
+/**
+ * Returns the effective palette.
+ *
+ * - `accent = null` → base palette (light or dark) unchanged
+ * - `accent = basePalette.accent` → base palette unchanged (identity guard)
+ * - `accent = "#custom"` → copy with `accent` and `online` overridden
+ *
+ * Always returns a new object; neither MOL_LIGHT nor MOL_DARK is ever mutated.
+ */
+export function getPalette(
+  accent: string | null,
+  isDark: boolean,
+): Palette {
+  const base: Readonly<Palette> = isDark ? MOL_DARK : MOL_LIGHT;
+
+  // null accent → use base unchanged
+  if (accent === null) return { ...base };
+
+  // identity guard — accent same as base accent → no override needed
+  if (accent === base.accent) return { ...base };
+
+  // Custom accent: override accent + online to keep them in sync
+  return { ...base, accent, online: normalizeStatus("online", isDark) };
+}
+
+// ─── Context ──────────────────────────────────────────────────────────────────
+
+type MobileAccentContextValue = {
+  /** Override accent colour (null = no override, use default). */
+  accent: string | null;
+};
+
+const MobileAccentContext = createContext<MobileAccentContextValue>({
+  accent: null,
+});
+
+export { MobileAccentContext };
+
+/**
+ * Renders children inside the accent override context.
+ */
+export function MobileAccentProvider({
+  accent,
+  children,
+}: {
+  accent: string | null;
+  children: React.ReactNode;
+}) {
+  return (
+    <MobileAccentContext.Provider value={{ accent }}>
+      {children}
+    </MobileAccentContext.Provider>
+  );
+}
+
+// ─── Hook ─────────────────────────────────────────────────────────────────────
+
+/**
+ * Returns the effective `Palette` for the current context.
+ *
+ * @param allowAccentOverride  When false, always returns the base palette
+ *                              even when an override is set (useful for
+ *                              non-accent-aware child components).
+ */
+export function usePalette(allowAccentOverride: boolean): Palette {
+  const { accent } = useContext(MobileAccentContext);
+
+  // Resolved from the OS-level theme preference. In a real app this would
+  // be derived from useTheme().resolvedTheme; for this hook we default
+  // to light (the safe default for SSR / component-library use).
+  // We read data-theme from <html> to stay in sync with the theme system.
+  const isDark =
+    typeof document !== "undefined" &&
+    document.documentElement.dataset.theme === "dark";
+
+  const effectiveAccent = allowAccentOverride ? accent : null;
+  return getPalette(effectiveAccent, isDark);
+}
@@ -282,13 +282,17 @@
 }

 .secret-row__save-btn {
-  background: #2563eb;
+  background: #1d4ed8;
  color: #ffffff;
  border: none;
  padding: 6px 12px;
  border-radius: 6px;
  font-size: 13px;
  cursor: pointer;
+  transition: background-color 0.15s;
+}
+.secret-row__save-btn:hover {
+  background: #1e40af;
 }

 .secret-row__save-btn:focus-visible {
@@ -370,13 +374,17 @@
 }

 .add-key-form__save-btn {
-  background: #2563eb;
+  background: #1d4ed8;
  color: #ffffff;
  border: none;
  padding: 8px 16px;
  border-radius: 6px;
  font-size: 13px;
  cursor: pointer;
+  transition: background-color 0.15s;
+}
+.add-key-form__save-btn:hover {
+  background: #1e40af;
 }

 .add-key-form__save-btn:focus-visible {
@@ -510,7 +518,7 @@
 .empty-state__body { font-size: 14px; color: #a1a1aa; margin: 0 0 24px; line-height: 1.5; }

 .empty-state__cta {
-  background: #2563eb;
+  background: #1d4ed8;
  color: #ffffff;
  border: none;
  padding: 10px 20px;
@@ -518,6 +526,10 @@
  font-size: 14px;
  font-weight: 500;
  cursor: pointer;
+  transition: background-color 0.15s;
+}
+.empty-state__cta:hover {
+  background: #1e40af;
 }

 .empty-state__cta:focus-visible { outline: var(--focus-ring); outline-offset: var(--focus-ring-offset); }
@@ -561,12 +573,16 @@
 .secrets-tab__error p { color: var(--status-invalid); margin: 0 0 12px; }

 .secrets-tab__refresh-btn {
-  background: #2563eb;
+  background: #1d4ed8;
  color: #ffffff;
  border: none;
  padding: 8px 16px;
  border-radius: 6px;
  cursor: pointer;
+  transition: background-color 0.15s;
+}
+.secrets-tab__refresh-btn:hover {
+  background: #1e40af;
 }

 .secrets-tab__no-results {
@@ -690,12 +706,16 @@
 }

 .guard-dialog__discard-btn {
-  background: #2563eb;
+  background: #1d4ed8;
  color: #ffffff;
  border: none;
  padding: 8px 16px;
  border-radius: 6px;
  cursor: pointer;
+  transition: background-color 0.15s;
+}
+.guard-dialog__discard-btn:hover {
+  background: #1e40af;
 }

 .guard-dialog__discard-btn:focus-visible {
@@ -747,12 +767,20 @@
 .top-bar__name { font-size: 14px; font-weight: 500; color: #d4d4d8; }

 .top-bar__btn {
-  background: #2563eb;
+  background: #1d4ed8;
  color: #ffffff;
  border: none;
  padding: 6px 12px;
  border-radius: 6px;
  font-size: 13px;
  cursor: pointer;
+  transition: background-color 0.15s;
+}
+.top-bar__btn:hover {
+  background: #1e40af;
+}
+.top-bar__btn:focus-visible {
+  outline: none;
+  box-shadow: 0 0 0 2px #18181b, 0 0 0 4px #3b82f6;
 }

@@ -179,6 +179,7 @@ cp_redeploy_tenant() {
  #   1  — any other failure
  # stdout = response body. stderr = "HTTP_STATUS=NNN" line.
  local slug="$1" tag="$2"
+  validate_slug "$slug"
  _mock_call cp_redeploy_tenant "$slug" "$tag"; local _mrc=$?
  [[ $_mrc -ne 99 ]] && return $_mrc
  local tok="${!CP_TOKEN_ENV:-}"
@@ -204,6 +205,7 @@ cp_redeploy_tenant() {
 tenant_buildinfo() {
  # args: <slug>; prints JSON
  local slug="$1"
+  validate_slug "$slug"
  _mock_call tenant_buildinfo "$slug"; local _mrc=$?
  [[ $_mrc -ne 99 ]] && return $_mrc
  curl -sf --max-time 10 "https://${slug}.moleculesai.app/buildinfo"
@@ -212,6 +214,7 @@ tenant_buildinfo() {
 tenant_health() {
  # args: <slug>; prints raw response, returns 0 if "ok"
  local slug="$1"
+  validate_slug "$slug"
  _mock_call tenant_health "$slug"; local _mrc=$?
  [[ $_mrc -ne 99 ]] && return $_mrc
  curl -sf --max-time 10 "https://${slug}.moleculesai.app/health"
@@ -256,6 +259,7 @@ print(json.dumps({'commands': [ecr_login]}))
 resolve_tenant_instance_id() {
  # args: <slug>; prints i-xxx
  local slug="$1"
+  validate_slug "$slug"
  _mock_call resolve_tenant_instance_id "$slug"; local _mrc=$?
  [[ $_mrc -ne 99 ]] && return $_mrc
  local tok="${!CP_TOKEN_ENV:-}"
@@ -271,6 +275,19 @@ resolve_tenant_instance_id() {
 log() { printf '[%s] %s\n' "$(date -u +%H:%M:%SZ)" "$*"; }
 err() { printf '[%s] ERROR: %s\n' "$(date -u +%H:%M:%SZ)" "$*" >&2; }

+# validate_slug — exit 64 if slug contains characters outside the safe set.
+# Prevents SSRF via query-separator injection (?foo) and subdomain takeover
+# (@evil) when slug is interpolated into URL paths or subdomains.
+# OFFSEC-006 fix.
+validate_slug() {
+  local slug="$1"
+  if ! [[ "$slug" =~ ^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$ ]]; then
+    printf '[%s] ERROR: invalid slug: %s\n' \
+      "$(date -u +%H:%M:%SZ)" "$slug" >&2
+    exit 64
+  fi
+}
+
 preflight() {
  log "preflight: source=$SOURCE_TAG dest=$DEST_TAG repo=$REPO region=$REGION"
  local src_manifest
@@ -339,6 +356,7 @@ promote() {
 redeploy_tenant() {
  # args: <slug> — handle the 403→SSM-refresh→retry pattern
  local slug="$1"
+  validate_slug "$slug"
  log "  redeploy: $slug"
  if [[ "$DRY_RUN" == "true" ]]; then
    log "    [dry-run] would POST /redeploy slug=$slug"
@@ -372,6 +390,7 @@ redeploy_tenant() {

 verify_tenant() {
  local slug="$1"
+  validate_slug "$slug"
  log "  verify: $slug"
  if [[ "$DRY_RUN" == "true" ]]; then
    log "    [dry-run] would curl /buildinfo + /health"
@@ -398,6 +417,7 @@ rollback() {
  rm -f "$mfile"
  IFS=',' read -ra slugs <<<"$TENANTS"
  for slug in "${slugs[@]}"; do
+    validate_slug "$slug"
    redeploy_tenant "$slug" || err "  rollback redeploy failed for $slug"
  done
  log "rollback: complete"
@@ -408,6 +428,13 @@ rollback() {
 # ─────────────────────────────────────────────────────────────────────────────

 main() {
+  # OFFSEC-006: validate slugs before any network I/O.
+  IFS=',' read -ra _slugs <<<"$TENANTS"
+  for _slug in "${_slugs[@]}"; do
+    validate_slug "$_slug"
+  done
+  unset _slugs _slug
+
  preflight || return 1
  snapshot_dest_tag || return 2
  promote || return 2
@@ -415,8 +442,15 @@ main() {
  local promote_rc=0
  IFS=',' read -ra slugs <<<"$TENANTS"
  for slug in "${slugs[@]}"; do
-    redeploy_tenant "$slug" || promote_rc=1
-    [[ $promote_rc -eq 0 ]] && { verify_tenant "$slug" || promote_rc=1; }
+    validate_slug "$slug"
+    if ! redeploy_tenant "$slug"; then
+      promote_rc=1
+    fi
+    if [[ $promote_rc -eq 0 ]]; then
+      if ! verify_tenant "$slug"; then
+        promote_rc=1
+      fi
+    fi
    [[ $promote_rc -ne 0 ]] && break
  done

@@ -267,7 +267,51 @@ else
  printf '  ✗ unknown-flag should fail (got %s)\n' "$rc"
 fi

-printf '\n== Test 9: ROLLBACK_TAG follows YYYYMMDD via NOW_OVERRIDE_DATE ==\n'
+printf '\n== Test 9: slug validation — invalid slugs rejected with exit 64 (OFFSEC-006) ==\n'
+# Attack vectors: SSRF via ? (curl query separator), subdomain takeover via @,
+# path traversal via /, shell metacharacters.  Use a newline-delimited temp file
+# so slugs containing spaces are NOT split by shell word-splitting.
+_invalid_tmp=$(mktemp)
+cat > "$_invalid_tmp" <<'INVALID_EOF'
+a?url=https://evil.com
+a&url=https://evil.com
+a@evil.com
+a/b
+a\b
+a b
+chloe-dong?url=http://evil.com
+evil.com@legitimate
+INVALID_EOF
+while IFS= read -r attack || [[ -n "$attack" ]]; do
+  set +e
+  out=$("$SCRIPT" --source-tag x --dest-tag y --tenants "$attack" 2>&1); rc=$?
+  set -e
+  if [[ $rc -eq 64 ]] && printf '%s' "$out" | grep -q 'invalid slug'; then
+    PASS=$((PASS + 1)); printf '  ✓ slug rejected: %s\n' "$(printf '%q' "$attack")"
+  else
+    FAIL=$((FAIL + 1)); FAIL_NAMES+=("slug-reject:$attack")
+    printf '  ✗ slug should be rejected: %s — got exit %s\n' "$(printf '%q' "$attack")" "$rc"
+  fi
+done < "$_invalid_tmp"
+rm -f "$_invalid_tmp"
+
+printf '\n== Test 10: slug validation — valid slugs pass through ==\n'
+valid_slugs='chloe-dong hongming ab a abc123 my-tenant-42'
+for slug in $valid_slugs; do
+  set +e
+  out=$("$SCRIPT" --source-tag x --dest-tag y --tenants "$slug" --mock-dir /nonexistent 2>&1); rc=$?
+  set -e
+  # valid slugs: script should fail at preflight (no such mock dir / no real infra),
+  # but NOT at slug validation (exit 64). So we check exit != 64.
+  if [[ $rc -ne 64 ]]; then
+    PASS=$((PASS + 1)); printf '  ✓ valid slug accepted: %s\n' "$slug"
+  else
+    FAIL=$((FAIL + 1)); FAIL_NAMES+=("slug-accept:$slug")
+    printf '  ✗ valid slug rejected: %s (should have passed slug check)\n' "$slug"
+  fi
+done
+
+printf '\n== Test 11: ROLLBACK_TAG follows YYYYMMDD via NOW_OVERRIDE_DATE ==\n'
 m=$(mkmock)
 mock_set "$m" aws_ecr_get_image       '{}' 0
 mock_set "$m" aws_ecr_describe_image  '' 1
@@ -289,7 +333,7 @@ fi
 assert_calls_contain "rollback tag uses NOW_OVERRIDE_DATE (20260603)" "$m" 'aws_ecr_put_image b-prev-20260603'
 rm -rf "$m"

-printf '\n== Test 10: empty source manifest fails preflight ==\n'
+printf '\n== Test 12: empty source manifest fails preflight ==\n'
 m=$(mkmock)
 mock_set "$m" aws_ecr_get_image '' 0   # rc=0 but empty body (the "None" case)
 out=$(run_script "$m")
@@ -297,7 +341,7 @@ assert_exit "empty source manifest fails preflight" "$out" 1
 assert_contains "empty manifest message" "$out" 'returned empty manifest'
 rm -rf "$m"

-printf '\n== Test 11: tenant_buildinfo failure during verify → rollback ==\n'
+printf '\n== Test 13: tenant_buildinfo failure during verify → rollback ==\n'
 m=$(mkmock)
 mock_set "$m" aws_ecr_get_image          '{"manifests":[]}' 0
 mock_set "$m" aws_ecr_describe_image     '' 1
@@ -311,7 +355,7 @@ assert_contains "logs buildinfo failure" "$out" '/buildinfo failed for chloe-don
 assert_contains "rollback fired after verify fail" "$out" 'ROLLBACK:'
 rm -rf "$m"

-printf '\n== Test 12: ssm_refresh_ecr_auth JSON escaping (CWE-78 / OFFSEC-001) ==\n'
+printf '\n== Test 14: ssm_refresh_ecr_auth JSON escaping (CWE-78 / OFFSEC-001) ==\n'
 # Verify the python3 snippet in ssm_refresh_ecr_auth produces valid JSON and
 # correctly escapes shell-injection characters in region + account ID fields.
 # The fix replaces unquoted shell-printf interpolation with json.dumps.
@@ -22,6 +22,7 @@ Cross-links:
 """
 from __future__ import annotations

+import re
 import subprocess
 import sys
 import textwrap
@@ -542,3 +543,153 @@ def test_rule9_prod_manual_deploy_allows_rollback_control(tmp_path):
    _write(tmp_path, "ok.yml", PROD_ROLLBACK_OK)
    r = _run_lint(tmp_path)
    assert r.returncode == 0, f"stdout={r.stdout}\nstderr={r.stderr}"
+
+
+# ---------------------------------------------------------------------------
+# Rule 10 — docker info piped to head under pipefail
+# ---------------------------------------------------------------------------
+
+DOCKER_INFO_HEAD_BAD = """
+    name: docker-info-head-bad
+    on: [push]
+    jobs:
+      build:
+        runs-on: ubuntu-latest
+        steps:
+          - run: |
+              set -euo pipefail
+              docker info 2>&1 | head -5 || exit 1
+"""
+
+DOCKER_INFO_CAPTURE_OK = """
+    name: docker-info-capture-ok
+    on: [push]
+    jobs:
+      build:
+        runs-on: ubuntu-latest
+        steps:
+          - run: |
+              set -euo pipefail
+              docker_info="$(docker info 2>&1)" || exit 1
+              printf '%s\\n' "${docker_info}" | sed -n '1,5p'
+"""
+
+DOCKER_INFO_SEPARATE_STEP_OK = """
+    name: docker-info-separate-step-ok
+    on: [push]
+    jobs:
+      build:
+        runs-on: ubuntu-latest
+        steps:
+          - run: |
+              set -euo pipefail
+              echo setup
+          - run: |
+              docker info 2>&1 | head -5 || true
+"""
+
+
+def test_rule10_docker_info_head_under_pipefail_detects_violation(tmp_path):
+    _write(tmp_path, "bad.yml", DOCKER_INFO_HEAD_BAD)
+    r = _run_lint(tmp_path)
+    assert r.returncode == 1
+    assert "docker info" in r.stdout.lower()
+    assert "pipefail" in r.stdout.lower()
+
+
+def test_rule10_docker_info_capture_passes(tmp_path):
+    _write(tmp_path, "ok.yml", DOCKER_INFO_CAPTURE_OK)
+    r = _run_lint(tmp_path)
+    assert r.returncode == 0, f"stdout={r.stdout}\nstderr={r.stderr}"
+
+
+def test_rule10_docker_info_head_in_separate_step_without_pipefail_passes(tmp_path):
+    _write(tmp_path, "ok.yml", DOCKER_INFO_SEPARATE_STEP_OK)
+    r = _run_lint(tmp_path)
+    assert r.returncode == 0, f"stdout={r.stdout}\nstderr={r.stderr}"
+
+
+# ---------------------------------------------------------------------------
+# CI change detector fanout — workflow-only PRs keep required contexts without
+# running Go/Canvas/Python/shellcheck heavy steps.
+# ---------------------------------------------------------------------------
+
+CI_WORKFLOW = REPO_ROOT / ".gitea" / "workflows" / "ci.yml"
+CI_SURFACES = ("platform", "canvas", "python", "scripts")
+
+
+def _ci_change_patterns() -> dict[str, re.Pattern[str]]:
+    text = CI_WORKFLOW.read_text(encoding="utf-8")
+    patterns: dict[str, re.Pattern[str]] = {}
+    for surface, pattern in re.findall(
+        r'echo "(platform|canvas|python|scripts)=.*?grep -qE \'([^\']+)\'',
+        text,
+    ):
+        patterns[surface] = re.compile(pattern)
+    assert set(patterns) == set(CI_SURFACES)
+    return patterns
+
+
+def _classify_ci_change(*paths: str) -> dict[str, bool]:
+    patterns = _ci_change_patterns()
+    return {
+        surface: any(pattern.search(path) for path in paths)
+        for surface, pattern in patterns.items()
+    }
+
+
+def test_ci_change_detector_workflow_only_edits_do_not_trigger_heavy_surfaces():
+    assert _classify_ci_change(".gitea/workflows/ci.yml") == {
+        "platform": False,
+        "canvas": False,
+        "python": False,
+        "scripts": False,
+    }
+    assert _classify_ci_change(".github/workflows/ci.yml") == {
+        "platform": False,
+        "canvas": False,
+        "python": False,
+        "scripts": False,
+    }
+
+
+def test_ci_change_detector_narrow_surface_edits_only_trigger_their_surface():
+    assert _classify_ci_change("workspace-server/internal/handlers/foo.go") == {
+        "platform": True,
+        "canvas": False,
+        "python": False,
+        "scripts": False,
+    }
+    assert _classify_ci_change("canvas/app/page.tsx") == {
+        "platform": False,
+        "canvas": True,
+        "python": False,
+        "scripts": False,
+    }
+    assert _classify_ci_change("workspace/a2a_mcp_server.py") == {
+        "platform": False,
+        "canvas": False,
+        "python": True,
+        "scripts": False,
+    }
+    assert _classify_ci_change("tests/e2e/test_model_slug.sh") == {
+        "platform": False,
+        "canvas": False,
+        "python": False,
+        "scripts": True,
+    }
+
+
+def test_ci_change_detector_docs_and_meta_scripts_do_not_trigger_surfaces():
+    assert _classify_ci_change("README.md") == {
+        "platform": False,
+        "canvas": False,
+        "python": False,
+        "scripts": False,
+    }
+    assert _classify_ci_change(".gitea/scripts/lint-workflow-yaml.py") == {
+        "platform": False,
+        "canvas": False,
+        "python": False,
+        "scripts": False,
+    }
@@ -495,7 +495,7 @@ def test_reap_required_check_pull_request_suffix_never_touched(sr_module, monkey
    }
    counters = sr_module.reap(workflow_map, combined, SHA, dry_run=False)
    assert counters["compensated"] == 0
-    assert counters["preserved_non_push_suffix"] == 1
+    assert counters["preserved_pr_without_push_success"] == 1
    assert calls == []


@@ -1009,3 +1009,64 @@ def test_reap_continues_on_per_sha_apierror(sr_module, monkeypatch, capsys):
    captured = capsys.readouterr()
    assert "::warning::" in captured.out or "::notice::" in captured.out
    assert SHA_A[:10] in captured.out
+
+
+def test_main_soft_skips_when_commit_listing_times_out(sr_module, monkeypatch, capsys):
+    """A transient outage while listing recent commits should not paint main red.
+
+    Per-SHA status read failures are already isolated inside `reap_branch`.
+    The real 2026-05-14 failure was earlier: `/commits?sha=main&limit=30`
+    timed out after all retries, aborting the tick. The next 5-minute tick can
+    retry safely, so `main()` should emit an observable warning and return 0.
+    """
+
+    monkeypatch.setattr(sr_module, "scan_workflows", lambda _: {"workflow-without-push": False})
+
+    def fake_list_recent_commit_shas(*args, **kwargs):
+        raise sr_module.ApiError(
+            "GET /repos/owner/repo/commits failed after 4 attempts: timed out"
+        )
+
+    monkeypatch.setattr(sr_module, "list_recent_commit_shas", fake_list_recent_commit_shas)
+    monkeypatch.setattr(sys, "argv", ["status-reaper.py"])
+
+    assert sr_module.main() == 0
+    captured = capsys.readouterr()
+    assert "::warning::status-reaper skipped this tick" in captured.out
+    assert '"skipped": true' in captured.out
+    assert '"skip_reason": "commit-list-api-error"' in captured.out
+
+
+def test_main_does_not_soft_skip_status_write_failures(sr_module, monkeypatch):
+    """Only commit-list read failures are soft-skipped.
+
+    A compensation write failure means the reaper could not repair a red
+    status. That must still fail the job loudly instead of being mislabeled as
+    a transient commit-list outage.
+    """
+
+    monkeypatch.setattr(sr_module, "scan_workflows", lambda _: {"workflow-without-push": False})
+    monkeypatch.setattr(sr_module, "list_recent_commit_shas", lambda *_args, **_kwargs: [SHA_A])
+    monkeypatch.setattr(
+        sr_module,
+        "get_combined_status",
+        lambda _sha: {
+            "state": "failure",
+            "statuses": [
+                {
+                    "context": "workflow-without-push / job (push)",
+                    "status": "failure",
+                    "description": "stranded class-O red",
+                }
+            ],
+        },
+    )
+
+    def fake_post_compensating_status(*args, **kwargs):
+        raise sr_module.ApiError("POST /statuses failed: 403")
+
+    monkeypatch.setattr(sr_module, "post_compensating_status", fake_post_compensating_status)
+    monkeypatch.setattr(sys, "argv", ["status-reaper.py"])
+
+    with pytest.raises(sr_module.ApiError, match="POST /statuses failed"):
+        sr_module.main()
@@ -18,6 +18,7 @@ require (
 	github.com/opencontainers/image-spec v1.1.1
 	github.com/redis/go-redis/v9 v9.19.0
 	github.com/robfig/cron/v3 v3.0.1
+	github.com/stretchr/testify v1.11.1
 	go.moleculesai.app/plugin/gh-identity v0.0.0-20260509010445-788988195fce
 	golang.org/x/crypto v0.50.0
 	gopkg.in/yaml.v3 v3.0.1
@@ -33,6 +34,7 @@ require (
 	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
@@ -58,6 +60,7 @@ require (
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/quic-go/quic-go v0.59.0 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
@@ -0,0 +1,261 @@
+package bundle
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+// ---------------------------------------------------------------------------
+// extractDescription
+// ---------------------------------------------------------------------------
+
+func TestExtractDescription_WithFrontmatter(t *testing.T) {
+	// YAML frontmatter is skipped; first non-comment, non-empty line after
+	// the closing `---` is the description.
+	content := `---
+title: My Workspace
+---
+# This is a comment
+This is the description line.
+Another line.`
+	got := extractDescription(content)
+	if got != "This is the description line." {
+		t.Errorf("got %q, want %q", got, "This is the description line.")
+	}
+}
+
+func TestExtractDescription_NoFrontmatter(t *testing.T) {
+	// No frontmatter: first non-comment, non-empty line is returned.
+	content := `# Copyright header
+My workspace description
+Another line.`
+	got := extractDescription(content)
+	if got != "My workspace description" {
+		t.Errorf("got %q, want %q", got, "My workspace description")
+	}
+}
+
+func TestExtractDescription_CommentOnly(t *testing.T) {
+	// All content is comments or empty → empty string.
+	content := `# comment only
+# another comment
+`
+	got := extractDescription(content)
+	if got != "" {
+		t.Errorf("got %q, want empty string", got)
+	}
+}
+
+func TestExtractDescription_EmptyInput(t *testing.T) {
+	got := extractDescription("")
+	if got != "" {
+		t.Errorf("got %q, want empty string", got)
+	}
+}
+
+func TestExtractDescription_UnclosedFrontmatter(t *testing.T) {
+	// With no closing `---`, inFrontmatter stays true after the opening
+	// delimiter, so all subsequent lines are skipped and "" is returned.
+	// This is the documented behaviour: without a closing delimiter,
+	// all lines are considered frontmatter.
+	content := `---
+title: No closing delimiter
+This is the description.`
+	got := extractDescription(content)
+	if got != "" {
+		t.Errorf("unclosed frontmatter: got %q, want empty string", got)
+	}
+}
+
+func TestExtractDescription_FrontmatterThenCommentThenContent(t *testing.T) {
+	content := `---
+tags: [test]
+---
+# internal comment
+Real description here.
+`
+	got := extractDescription(content)
+	if got != "Real description here." {
+		t.Errorf("got %q, want %q", got, "Real description here.")
+	}
+}
+
+func TestExtractDescription_BlankLinesSkipped(t *testing.T) {
+	// Empty lines (len=0) are skipped; whitespace-only lines (spaces) are NOT
+	// skipped because len(line)>0. First non-comment, non-empty line is returned.
+	content := "\n\n\n\nA. Description\nB. Should not be returned.\n"
+	got := extractDescription(content)
+	if got != "A. Description" {
+		t.Errorf("got %q, want %q", got, "A. Description")
+	}
+}
+
+// ---------------------------------------------------------------------------
+// splitLines
+// ---------------------------------------------------------------------------
+
+func TestSplitLines_Basic(t *testing.T) {
+	got := splitLines("a\nb\nc")
+	want := []string{"a", "b", "c"}
+	if len(got) != len(want) {
+		t.Fatalf("len=%d, want %d", len(got), len(want))
+	}
+	for i := range want {
+		if got[i] != want[i] {
+			t.Errorf("got[%d]=%q, want %q", i, got[i], want[i])
+		}
+	}
+}
+
+func TestSplitLines_TrailingNewline(t *testing.T) {
+	got := splitLines("line1\nline2\n")
+	want := []string{"line1", "line2"}
+	if len(got) != len(want) {
+		t.Errorf("trailing newline: got %v, want %v", got, want)
+	}
+}
+
+func TestSplitLines_NoNewline(t *testing.T) {
+	got := splitLines("no newline")
+	want := []string{"no newline"}
+	if len(got) != 1 || got[0] != want[0] {
+		t.Errorf("got %v, want %v", got, want)
+	}
+}
+
+func TestSplitLines_EmptyString(t *testing.T) {
+	got := splitLines("")
+	if len(got) != 0 {
+		t.Errorf("empty string: got %v, want []", got)
+	}
+}
+
+func TestSplitLines_OnlyNewlines(t *testing.T) {
+	got := splitLines("\n\n\n")
+	// Three consecutive '\n' characters → s[start:i] at each '\n' gives
+	// the empty string between newlines → 3 empty segments.
+	// (No trailing segment because start == len(s) at the end.)
+	if len(got) != 3 {
+		t.Errorf("only newlines: got %v (len=%d), want 3 empty strings", got, len(got))
+	}
+	for i, s := range got {
+		if s != "" {
+			t.Errorf("got[%d]=%q, want empty string", i, s)
+		}
+	}
+}
+
+func TestSplitLines_MultipleConsecutiveNewlines(t *testing.T) {
+	got := splitLines("a\n\n\nb")
+	// a\n\n\nb → ["a", "", "", "b"]
+	if len(got) != 4 {
+		t.Errorf("consecutive newlines: got %v (len=%d)", got, len(got))
+	}
+	if got[0] != "a" || got[3] != "b" {
+		t.Errorf("first/last: got %v, want [a, ..., b]", got)
+	}
+}
+
+// ---------------------------------------------------------------------------
+// findConfigDir
+// ---------------------------------------------------------------------------
+
+func TestFindConfigDir_NameMatch(t *testing.T) {
+	tmp := t.TempDir()
+
+	// Create two sub-dirs; only the one with matching name should be found.
+	mustMkdir(filepath.Join(tmp, "workspace-a"))
+	mustWrite(filepath.Join(tmp, "workspace-a", "config.yaml"),
+		"name: other-workspace\ntier: 1\n")
+
+	mustMkdir(filepath.Join(tmp, "workspace-b"))
+	mustWrite(filepath.Join(tmp, "workspace-b", "config.yaml"),
+		"name: target-workspace\nruntime: claude-code\n")
+
+	got := findConfigDir(tmp, "target-workspace")
+	want := filepath.Join(tmp, "workspace-b")
+	if got != want {
+		t.Errorf("got %q, want %q", got, want)
+	}
+}
+
+func TestFindConfigDir_NoMatch_UsesFallback(t *testing.T) {
+	tmp := t.TempDir()
+
+	mustMkdir(filepath.Join(tmp, "first"))
+	mustWrite(filepath.Join(tmp, "first", "config.yaml"), "name: workspace-a\n")
+
+	mustMkdir(filepath.Join(tmp, "second"))
+	mustWrite(filepath.Join(tmp, "second", "config.yaml"), "name: workspace-b\n")
+
+	// No exact name match → fallback to the first directory with a config.yaml.
+	got := findConfigDir(tmp, "nonexistent")
+	want := filepath.Join(tmp, "first")
+	if got != want {
+		t.Errorf("no match: got %q, want fallback %q", got, want)
+	}
+}
+
+func TestFindConfigDir_MissingDir(t *testing.T) {
+	got := findConfigDir("/nonexistent/path/for/findConfigDir", "any-name")
+	if got != "" {
+		t.Errorf("missing dir: got %q, want empty string", got)
+	}
+}
+
+func TestFindConfigDir_NoSubdirs(t *testing.T) {
+	tmp := t.TempDir()
+	// Empty directory → no matches, no fallback.
+	got := findConfigDir(tmp, "any")
+	if got != "" {
+		t.Errorf("empty dir: got %q, want empty string", got)
+	}
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+func mustMkdir(path string) {
+	os.MkdirAll(path, 0o755)
+}
+
+func mustWrite(path, content string) {
+	os.WriteFile(path, []byte(content), 0o644)
+}
+
+// ---------------------------------------------------------------------------
+// findConfigDir
+// ---------------------------------------------------------------------------
+
+func TestFindConfigDir_SubdirWithoutConfig(t *testing.T) {
+	tmp := t.TempDir()
+	mustMkdir(filepath.Join(tmp, "empty-skill"))
+	// Sub-dir without config.yaml → skipped.
+	got := findConfigDir(tmp, "any")
+	if got != "" {
+		t.Errorf("no config.yaml: got %q, want empty string", got)
+	}
+}
+
+func TestFindConfigDir_FirstWithConfigIsFallback(t *testing.T) {
+	// When name doesn't match, fallback is the FIRST dir with config.yaml,
+	// not the last. Confirm ordering by creating three dirs.
+	tmp := t.TempDir()
+
+	mustMkdir(filepath.Join(tmp, "a"))
+	mustWrite(filepath.Join(tmp, "a", "config.yaml"), "name: alpha\n")
+
+	mustMkdir(filepath.Join(tmp, "b"))
+	mustWrite(filepath.Join(tmp, "b", "config.yaml"), "name: beta\n")
+
+	mustMkdir(filepath.Join(tmp, "c"))
+	mustWrite(filepath.Join(tmp, "c", "config.yaml"), "name: gamma\n")
+
+	got := findConfigDir(tmp, "nonexistent")
+	want := filepath.Join(tmp, "a") // first dir with config.yaml
+	if got != want {
+		t.Errorf("fallback order: got %q, want first-with-config %q", got, want)
+	}
+}
@@ -0,0 +1,317 @@
+package bundle
+
+import (
+	"testing"
+)
+
+func TestBuildBundleConfigFiles_EmptyBundle(t *testing.T) {
+	b := &Bundle{}
+	files := buildBundleConfigFiles(b)
+	if len(files) != 0 {
+		t.Errorf("empty bundle: want 0 files, got %d", len(files))
+	}
+}
+
+func TestBuildBundleConfigFiles_SystemPromptOnly(t *testing.T) {
+	b := &Bundle{
+		SystemPrompt: "You are a helpful assistant.",
+	}
+	files := buildBundleConfigFiles(b)
+	if n := len(files); n != 1 {
+		t.Fatalf("system-prompt only: want 1 file, got %d", n)
+	}
+	if content, ok := files["system-prompt.md"]; !ok {
+		t.Fatal("missing system-prompt.md")
+	} else if string(content) != "You are a helpful assistant." {
+		t.Errorf("system-prompt content: got %q", string(content))
+	}
+}
+
+func TestBuildBundleConfigFiles_ConfigYamlOnly(t *testing.T) {
+	b := &Bundle{
+		Prompts: map[string]string{
+			"config.yaml": "runtime: langgraph\ntier: 2\n",
+		},
+	}
+	files := buildBundleConfigFiles(b)
+	if n := len(files); n != 1 {
+		t.Fatalf("config.yaml only: want 1 file, got %d", n)
+	}
+	if content, ok := files["config.yaml"]; !ok {
+		t.Fatal("missing config.yaml")
+	} else if string(content) != "runtime: langgraph\ntier: 2\n" {
+		t.Errorf("config.yaml content: got %q", string(content))
+	}
+}
+
+func TestBuildBundleConfigFiles_SystemPromptAndConfigYaml(t *testing.T) {
+	b := &Bundle{
+		SystemPrompt: "Be concise.",
+		Prompts: map[string]string{
+			"config.yaml": "runtime: langgraph\n",
+		},
+	}
+	files := buildBundleConfigFiles(b)
+	if n := len(files); n != 2 {
+		t.Fatalf("system-prompt + config.yaml: want 2 files, got %d", n)
+	}
+	if _, ok := files["system-prompt.md"]; !ok {
+		t.Error("missing system-prompt.md")
+	}
+	if _, ok := files["config.yaml"]; !ok {
+		t.Error("missing config.yaml")
+	}
+}
+
+func TestBuildBundleConfigFiles_Skills(t *testing.T) {
+	b := &Bundle{
+		Skills: []BundleSkill{
+			{
+				ID:   "web-search",
+				Files: map[string]string{"readme.md": "# Web Search\n"},
+			},
+			{
+				ID:   "code-interpreter",
+				Files: map[string]string{"readme.md": "# Code Interpreter\n"},
+			},
+		},
+	}
+	files := buildBundleConfigFiles(b)
+	// 2 skills × 1 file each = 2 files
+	if n := len(files); n != 2 {
+		t.Fatalf("skills: want 2 files, got %d", n)
+	}
+	if _, ok := files["skills/web-search/readme.md"]; !ok {
+		t.Error("missing skills/web-search/readme.md")
+	}
+	if _, ok := files["skills/code-interpreter/readme.md"]; !ok {
+		t.Error("missing skills/code-interpreter/readme.md")
+	}
+}
+
+func TestBuildBundleConfigFiles_SkillSubPaths(t *testing.T) {
+	b := &Bundle{
+		Skills: []BundleSkill{
+			{
+				ID: "multi-file",
+				Files: map[string]string{
+					"readme.md":        "# Multi",
+					"instructions.txt": "Step 1, Step 2",
+				},
+			},
+		},
+	}
+	files := buildBundleConfigFiles(b)
+	if n := len(files); n != 2 {
+		t.Fatalf("skill with sub-paths: want 2 files, got %d", n)
+	}
+	if _, ok := files["skills/multi-file/readme.md"]; !ok {
+		t.Error("missing skills/multi-file/readme.md")
+	}
+	if _, ok := files["skills/multi-file/instructions.txt"]; !ok {
+		t.Error("missing skills/multi-file/instructions.txt")
+	}
+}
+
+func TestBuildBundleConfigFiles_EmptySystemPrompt(t *testing.T) {
+	b := &Bundle{
+		SystemPrompt: "",
+		Prompts: map[string]string{
+			"config.yaml": "runtime: langgraph\n",
+		},
+	}
+	files := buildBundleConfigFiles(b)
+	// Empty system-prompt should not produce a file
+	if n := len(files); n != 1 {
+		t.Errorf("empty system-prompt: want 1 file, got %d", n)
+	}
+}
+
+func TestBuildBundleConfigFiles_EmptyPrompts(t *testing.T) {
+	b := &Bundle{
+		Prompts: map[string]string{},
+	}
+	files := buildBundleConfigFiles(b)
+	if n := len(files); n != 0 {
+		t.Errorf("empty prompts map: want 0 files, got %d", n)
+	}
+}
+
+func TestBuildBundleConfigFiles_emptyBundle(t *testing.T) {
+	b := &Bundle{}
+	files := buildBundleConfigFiles(b)
+	if len(files) != 0 {
+		t.Errorf("expected empty map for empty bundle, got %d entries", len(files))
+	}
+}
+
+func TestBuildBundleConfigFiles_systemPrompt(t *testing.T) {
+	b := &Bundle{SystemPrompt: "You are a helpful assistant."}
+	files := buildBundleConfigFiles(b)
+	if len(files) != 1 {
+		t.Fatalf("expected 1 file, got %d", len(files))
+	}
+	if string(files["system-prompt.md"]) != "You are a helpful assistant." {
+		t.Errorf("unexpected system prompt content: %q", files["system-prompt.md"])
+	}
+}
+
+func TestBuildBundleConfigFiles_configYaml(t *testing.T) {
+	b := &Bundle{Prompts: map[string]string{
+		"config.yaml": "runtime: langgraph\nmodel: claude-sonnet-4-20250514\n",
+	}}
+	files := buildBundleConfigFiles(b)
+	if len(files) != 1 {
+		t.Fatalf("expected 1 file, got %d", len(files))
+	}
+	if string(files["config.yaml"]) != "runtime: langgraph\nmodel: claude-sonnet-4-20250514\n" {
+		t.Errorf("unexpected config.yaml content: %q", files["config.yaml"])
+	}
+}
+
+func TestBuildBundleConfigFiles_systemPromptAndConfigYaml(t *testing.T) {
+	b := &Bundle{
+		SystemPrompt: "# System",
+		Prompts:     map[string]string{"config.yaml": "runtime: langgraph"},
+	}
+	files := buildBundleConfigFiles(b)
+	if len(files) != 2 {
+		t.Fatalf("expected 2 files, got %d", len(files))
+	}
+	if _, ok := files["system-prompt.md"]; !ok {
+		t.Error("missing system-prompt.md")
+	}
+	if _, ok := files["config.yaml"]; !ok {
+		t.Error("missing config.yaml")
+	}
+}
+
+func TestBuildBundleConfigFiles_skills(t *testing.T) {
+	b := &Bundle{
+		Skills: []BundleSkill{
+			{
+				ID:          "web-search",
+				Name:        "Web Search",
+				Description: "Search the web",
+				Files:       map[string]string{"readme.md": "# Web Search"},
+			},
+			{
+				ID:          "code-runner",
+				Name:        "Code Runner",
+				Description: "Execute code",
+				Files:       map[string]string{"handler.py": "print('hello')"},
+			},
+		},
+	}
+	files := buildBundleConfigFiles(b)
+	if len(files) != 2 {
+		t.Fatalf("expected 2 skill files, got %d", len(files))
+	}
+
+	if content, ok := files["skills/web-search/readme.md"]; !ok {
+		t.Error("missing skills/web-search/readme.md")
+	} else if string(content) != "# Web Search" {
+		t.Errorf("unexpected readme.md: %q", content)
+	}
+
+	if _, ok := files["skills/code-runner/handler.py"]; !ok {
+		t.Error("missing skills/code-runner/handler.py")
+	}
+}
+
+func TestBuildBundleConfigFiles_skillsWithSubPaths(t *testing.T) {
+	b := &Bundle{
+		Skills: []BundleSkill{
+			{
+				ID:    "nested-skill",
+				Files: map[string]string{"src/main.py": "def main(): pass", "pyproject.toml": "[tool.foo]"},
+			},
+		},
+	}
+	files := buildBundleConfigFiles(b)
+	if len(files) != 2 {
+		t.Fatalf("expected 2 files, got %d", len(files))
+	}
+	if _, ok := files["skills/nested-skill/src/main.py"]; !ok {
+		t.Error("missing skills/nested-skill/src/main.py")
+	}
+	if _, ok := files["skills/nested-skill/pyproject.toml"]; !ok {
+		t.Error("missing skills/nested-skill/pyproject.toml")
+	}
+}
+
+func TestBuildBundleConfigFiles_skipsEmptyPrompts(t *testing.T) {
+	b := &Bundle{Prompts: map[string]string{}}
+	files := buildBundleConfigFiles(b)
+	if len(files) != 0 {
+		t.Errorf("expected 0 files for empty prompts map, got %d", len(files))
+	}
+}
+
+func TestBuildBundleConfigFiles_skipsMissingConfigYaml(t *testing.T) {
+	b := &Bundle{
+		SystemPrompt: "# My Prompt",
+		Prompts:      map[string]string{"other.yaml": "something: else"},
+	}
+	files := buildBundleConfigFiles(b)
+	if len(files) != 1 {
+		t.Fatalf("expected 1 file (system-prompt only), got %d", len(files))
+	}
+	if _, ok := files["config.yaml"]; ok {
+		t.Error("config.yaml should not be written when not in Prompts")
+	}
+}
+
+func TestNilIfEmpty_emptyString(t *testing.T) {
+	result := nilIfEmpty("")
+	if result != nil {
+		t.Errorf("expected nil for empty string, got %v", result)
+	}
+}
+
+func TestNilIfEmpty_nonEmptyString(t *testing.T) {
+	result := nilIfEmpty("hello")
+	if result == nil {
+		t.Fatal("expected non-nil result for non-empty string")
+	}
+	if result != "hello" {
+		t.Errorf("expected hello, got %q", result)
+	}
+}
+
+func TestNilIfEmpty_whitespaceString(t *testing.T) {
+	// Whitespace is not empty — nilIfEmpty only checks for zero-length
+	result := nilIfEmpty("   ")
+	if result == nil {
+		t.Error("expected non-nil for whitespace string")
+	} else if result != "   " {
+		t.Errorf("expected '   ', got %q", result)
+	}
+}
+
+func TestNilIfEmpty_EmptyString(t *testing.T) {
+	got := nilIfEmpty("")
+	if got != nil {
+		t.Errorf("nilIfEmpty(\"\"): want nil, got %v", got)
+	}
+}
+
+func TestNilIfEmpty_NonEmptyString(t *testing.T) {
+	got := nilIfEmpty("hello")
+	if got == nil {
+		t.Fatal("nilIfEmpty(\"hello\"): want \"hello\", got nil")
+	}
+	if s, ok := got.(string); !ok || s != "hello" {
+		t.Errorf("nilIfEmpty(\"hello\"): got %v (%T)", got, got)
+	}
+}
+
+func TestNilIfEmpty_Whitespace(t *testing.T) {
+	got := nilIfEmpty("   ")
+	if got == nil {
+		t.Fatal("nilIfEmpty(\"   \"): want \"   \", got nil (whitespace is not empty)")
+	}
+	if s, ok := got.(string); !ok || s != "   " {
+		t.Errorf("nilIfEmpty(\"   \"): got %v (%T)", got, got)
+	}
+}
@@ -97,28 +97,28 @@ const maxProxyResponseBody = 10 << 20
 //
 // Timeout model — three independent budgets, none of which gets in each other's way:
 //
-//   1. Client.Timeout — DELIBERATELY UNSET. Client.Timeout is a hard wall on
-//      the entire request including streamed body reads, and would pre-empt
-//      legitimate slow cold-start flows (Claude Code first-token over OAuth
-//      can take 30-60s on boot; long-running agent synthesis can stream
-//      tokens for minutes). Total-request budget is enforced per-request
-//      via context deadline (canvas = idle-only, agent-to-agent = 30 min ceiling).
+//  1. Client.Timeout — DELIBERATELY UNSET. Client.Timeout is a hard wall on
+//     the entire request including streamed body reads, and would pre-empt
+//     legitimate slow cold-start flows (Claude Code first-token over OAuth
+//     can take 30-60s on boot; long-running agent synthesis can stream
+//     tokens for minutes). Total-request budget is enforced per-request
+//     via context deadline (canvas = idle-only, agent-to-agent = 30 min ceiling).
 //
-//   2. Transport.DialContext — 10s connect timeout. When a workspace's EC2
-//      black-holes TCP connects (instance terminated mid-flight, security group
-//      flipped, NACL bug), the OS default is 75s on Linux / 21s on macOS — long
-//      enough that Cloudflare's ~100s edge timeout can fire first and surface
-//      a generic 502 page to canvas. 10s is well above realistic intra-region
-//      latencies and well below CF's edge timeout.
+//  2. Transport.DialContext — 10s connect timeout. When a workspace's EC2
+//     black-holes TCP connects (instance terminated mid-flight, security group
+//     flipped, NACL bug), the OS default is 75s on Linux / 21s on macOS — long
+//     enough that Cloudflare's ~100s edge timeout can fire first and surface
+//     a generic 502 page to canvas. 10s is well above realistic intra-region
+//     latencies and well below CF's edge timeout.
 //
-//   3. Transport.ResponseHeaderTimeout — 180s default. From request-body-end
-//      to response-headers-start. Configurable via
-//      A2A_PROXY_RESPONSE_HEADER_TIMEOUT (envx.Duration). Covers cold-start
-//      first-byte (30-60s OAuth flow above) with enough room for Opus agent
-//      turns (big context + internal delegate_task round-trips routinely exceed
-//      the old 60s ceiling). Body streaming after headers is governed by the
-//      per-request context deadline, NOT this timeout — so multi-minute agent
-//      responses still work fine.
+//  3. Transport.ResponseHeaderTimeout — 180s default. From request-body-end
+//     to response-headers-start. Configurable via
+//     A2A_PROXY_RESPONSE_HEADER_TIMEOUT (envx.Duration). Covers cold-start
+//     first-byte (30-60s OAuth flow above) with enough room for Opus agent
+//     turns (big context + internal delegate_task round-trips routinely exceed
+//     the old 60s ceiling). Body streaming after headers is governed by the
+//     per-request context deadline, NOT this timeout — so multi-minute agent
+//     responses still work fine.
 //
 // The point of (2) and (3) is to surface a *structured* 503 from
 // handleA2ADispatchError when the workspace agent is unreachable, so canvas
@@ -645,7 +645,7 @@ func (h *WorkspaceHandler) resolveAgentURL(ctx context.Context, workspaceID stri
 			// the caller can retry once the workspace is back online (~10s).
 			if status == "hibernated" {
 				log.Printf("ProxyA2A: waking hibernated workspace %s", workspaceID)
-				go h.RestartByID(workspaceID)
+				h.goAsync(func() { h.RestartByID(workspaceID) })
 				return "", &proxyA2AError{
 					Status:  http.StatusServiceUnavailable,
 					Headers: map[string]string{"Retry-After": "15"},
@@ -194,7 +194,7 @@ func (h *WorkspaceHandler) maybeMarkContainerDead(ctx context.Context, workspace
 	}
 	db.ClearWorkspaceKeys(ctx, workspaceID)
 	h.broadcaster.RecordAndBroadcast(ctx, string(events.EventWorkspaceOffline), workspaceID, map[string]interface{}{})
-	go h.RestartByID(workspaceID)
+	h.goAsync(func() { h.RestartByID(workspaceID) })
 	return true
 }

@@ -241,7 +241,7 @@ func (h *WorkspaceHandler) preflightContainerHealth(ctx context.Context, workspa
 	}
 	db.ClearWorkspaceKeys(ctx, workspaceID)
 	h.broadcaster.RecordAndBroadcast(ctx, string(events.EventWorkspaceOffline), workspaceID, map[string]interface{}{})
-	go h.RestartByID(workspaceID)
+	h.goAsync(func() { h.RestartByID(workspaceID) })
 	return &proxyA2AError{
 		Status: http.StatusServiceUnavailable,
 		Response: gin.H{
@@ -262,8 +262,8 @@ func (h *WorkspaceHandler) logA2AFailure(ctx context.Context, workspaceID, calle
 		errWsName = workspaceID
 	}
 	summary := "A2A request to " + errWsName + " failed: " + errMsg
-	go func(parent context.Context) {
-		logCtx, cancel := context.WithTimeout(context.WithoutCancel(parent), 30*time.Second)
+	h.goAsync(func() {
+		logCtx, cancel := context.WithTimeout(context.WithoutCancel(ctx), 30*time.Second)
 		defer cancel()
 		LogActivity(logCtx, h.broadcaster, ActivityParams{
 			WorkspaceID:  workspaceID,
@@ -277,7 +277,7 @@ func (h *WorkspaceHandler) logA2AFailure(ctx context.Context, workspaceID, calle
 			Status:       "error",
 			ErrorDetail:  &errMsg,
 		})
-	}(ctx)
+	})
 }

 // logA2ASuccess records a successful A2A round-trip and (for canvas-initiated
@@ -298,19 +298,19 @@ func (h *WorkspaceHandler) logA2ASuccess(ctx context.Context, workspaceID, calle
 	// silent workspaces. Only update when callerID is a real workspace (not
 	// canvas, not a system caller) and the target returned 2xx/3xx.
 	if callerID != "" && !isSystemCaller(callerID) && statusCode < 400 {
-		go func() {
+		h.goAsync(func() {
 			bgCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 			defer cancel()
 			if _, err := db.DB.ExecContext(bgCtx,
 				`UPDATE workspaces SET last_outbound_at = NOW() WHERE id = $1`, callerID); err != nil {
 				log.Printf("last_outbound_at update failed for %s: %v", callerID, err)
 			}
-		}()
+		})
 	}
 	summary := a2aMethod + " → " + wsNameForLog
 	toolTrace := extractToolTrace(respBody)
-	go func(parent context.Context) {
-		logCtx, cancel := context.WithTimeout(context.WithoutCancel(parent), 30*time.Second)
+	h.goAsync(func() {
+		logCtx, cancel := context.WithTimeout(context.WithoutCancel(ctx), 30*time.Second)
 		defer cancel()
 		LogActivity(logCtx, h.broadcaster, ActivityParams{
 			WorkspaceID:  workspaceID,
@@ -325,7 +325,7 @@ func (h *WorkspaceHandler) logA2ASuccess(ctx context.Context, workspaceID, calle
 			DurationMs:   &durationMs,
 			Status:       logStatus,
 		})
-	}(ctx)
+	})

 	if callerID == "" && statusCode < 400 {
 		h.broadcaster.BroadcastOnly(workspaceID, string(events.EventA2AResponse), map[string]interface{}{
@@ -510,8 +510,8 @@ func (h *WorkspaceHandler) logA2AReceiveQueued(ctx context.Context, workspaceID,
 		wsName = workspaceID
 	}
 	summary := a2aMethod + " → " + wsName + " (queued for poll)"
-	go func(parent context.Context) {
-		logCtx, cancel := context.WithTimeout(context.WithoutCancel(parent), 30*time.Second)
+	h.goAsync(func() {
+		logCtx, cancel := context.WithTimeout(context.WithoutCancel(ctx), 30*time.Second)
 		defer cancel()
 		LogActivity(logCtx, h.broadcaster, ActivityParams{
 			WorkspaceID:  workspaceID,
@@ -523,7 +523,7 @@ func (h *WorkspaceHandler) logA2AReceiveQueued(ctx context.Context, workspaceID,
 			RequestBody:  json.RawMessage(body),
 			Status:       "ok",
 		})
-	}(ctx)
+	})
 }

 // readUsageMap extracts input_tokens / output_tokens from the "usage" key of m.
@@ -54,6 +54,7 @@ func TestPreflight_ContainerRunning_ReturnsNil(t *testing.T) {
 	_ = setupTestDB(t)
 	stub := &preflightLocalProv{running: true, err: nil}
 	h := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, h)
 	h.provisioner = stub

 	if err := h.preflightContainerHealth(context.Background(), "ws-running-123"); err != nil {
@@ -186,8 +187,8 @@ func TestProxyA2A_Preflight_RoutesThroughProvisionerSSOT(t *testing.T) {
 	}

 	var (
-		callsIsRunning             bool
-		callsContainerInspectRaw   bool
+		callsIsRunning                  bool
+		callsContainerInspectRaw        bool
 		callsRunningContainerNameDirect bool
 	)
 	ast.Inspect(fn.Body, func(n ast.Node) bool {
@@ -262,6 +262,7 @@ func TestProxyA2A_Upstream502_TriggersContainerDeadCheck(t *testing.T) {
 	allowLoopbackForTest(t)
 	broadcaster := newTestBroadcaster()
 	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, handler)
 	cp := &fakeCPProv{running: false}
 	handler.SetCPProvisioner(cp)

@@ -324,6 +325,7 @@ func TestProxyA2A_Upstream502_AliveAgent_PropagatesAsIs(t *testing.T) {
 	allowLoopbackForTest(t)
 	broadcaster := newTestBroadcaster()
 	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, handler)
 	cp := &fakeCPProv{running: true}
 	handler.SetCPProvisioner(cp)

@@ -513,6 +515,7 @@ func TestProxyA2A_AllowedSelf_SkipsAccessCheck(t *testing.T) {
 	allowLoopbackForTest(t)
 	broadcaster := newTestBroadcaster()
 	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, handler)

 	agentServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
@@ -661,18 +664,18 @@ func TestProxyA2A_CallerIDDerivedFromBearer(t *testing.T) {
 	//    (column order: workspace_id, activity_type, source_id, target_id, ...)
 	mock.ExpectExec("INSERT INTO activity_logs").
 		WithArgs(
-			"ws-target",                       // $1 workspace_id
-			"a2a_receive",                     // $2 activity_type
-			sqlmock.AnyArg(),                  // $3 source_id — *string("ws-caller"), checked below
-			sqlmock.AnyArg(),                  // $4 target_id
-			sqlmock.AnyArg(),                  // $5 method
-			sqlmock.AnyArg(),                  // $6 summary
-			sqlmock.AnyArg(),                  // $7 request_body
-			sqlmock.AnyArg(),                  // $8 response_body
-			sqlmock.AnyArg(),                  // $9 tool_trace
-			sqlmock.AnyArg(),                  // $10 duration_ms
-			sqlmock.AnyArg(),                  // $11 status
-			sqlmock.AnyArg(),                  // $12 error_detail
+			"ws-target",      // $1 workspace_id
+			"a2a_receive",    // $2 activity_type
+			sqlmock.AnyArg(), // $3 source_id — *string("ws-caller"), checked below
+			sqlmock.AnyArg(), // $4 target_id
+			sqlmock.AnyArg(), // $5 method
+			sqlmock.AnyArg(), // $6 summary
+			sqlmock.AnyArg(), // $7 request_body
+			sqlmock.AnyArg(), // $8 response_body
+			sqlmock.AnyArg(), // $9 tool_trace
+			sqlmock.AnyArg(), // $10 duration_ms
+			sqlmock.AnyArg(), // $11 status
+			sqlmock.AnyArg(), // $12 error_detail
 		).
 		WillReturnResult(sqlmock.NewResult(0, 1))

@@ -1716,7 +1719,6 @@ func TestDispatchA2A_RejectsUnsafeURL(t *testing.T) {
 	}
 }

-
 // --- handleA2ADispatchError ---

 func TestHandleA2ADispatchError_ContextDeadline(t *testing.T) {
@@ -1803,6 +1805,7 @@ func TestMaybeMarkContainerDead_CPOnly_NotRunning(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)
 	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, handler)
 	cp := &fakeCPProv{running: false}
 	handler.SetCPProvisioner(cp)

@@ -1955,6 +1958,7 @@ func TestLogA2AFailure_Smoke(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)
 	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, handler)

 	// Sync workspace-name lookup (called in the caller goroutine).
 	mock.ExpectQuery(`SELECT name FROM workspaces WHERE id =`).
@@ -1973,6 +1977,7 @@ func TestLogA2AFailure_EmptyNameFallback(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)
 	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, handler)

 	// Empty name from DB → summary uses the workspaceID as the name.
 	mock.ExpectQuery(`SELECT name FROM workspaces WHERE id =`).
@@ -1989,6 +1994,7 @@ func TestLogA2ASuccess_Smoke(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)
 	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, handler)

 	mock.ExpectQuery(`SELECT name FROM workspaces WHERE id =`).
 		WithArgs("ws-ok").
@@ -2005,6 +2011,7 @@ func TestLogA2ASuccess_ErrorStatus(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)
 	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, handler)

 	mock.ExpectQuery(`SELECT name FROM workspaces WHERE id =`).
 		WithArgs("ws-err").
@@ -26,14 +26,19 @@ import (
 // setupTestDBForQueueTests creates a sqlmock DB using QueryMatcherEqual (exact
 // string matching) so that ExpectQuery/ExpectExec patterns are compared verbatim.
 // Uses the same global db.DB as setupTestDB so the handler can use it.
+//
+// IMPORTANT: db.DB is saved before assignment and restored via t.Cleanup so
+// that tests running after this one are not polluted by a closed mock.
+// Same fix as setupTestDB (handlers_test.go); same root cause as mc#975.
 func setupTestDBForQueueTests(t *testing.T) sqlmock.Sqlmock {
 	t.Helper()
 	mockDB, mock, err := sqlmock.New(sqlmock.QueryMatcherOption(sqlmock.QueryMatcherEqual))
 	if err != nil {
 		t.Fatalf("failed to create sqlmock: %v", err)
 	}
+	prevDB := db.DB
 	db.DB = mockDB
-	t.Cleanup(func() { mockDB.Close() })
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })
 	return mock
 }

@@ -14,16 +14,18 @@ import (

 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/events"
+	"github.com/Molecule-AI/molecule-monorepo/platform/internal/push"
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 )

 type ActivityHandler struct {
 	broadcaster *events.Broadcaster
+	notifier    *push.Notifier
 }

-func NewActivityHandler(b *events.Broadcaster) *ActivityHandler {
-	return &ActivityHandler{broadcaster: b}
+func NewActivityHandler(b *events.Broadcaster, notifier *push.Notifier) *ActivityHandler {
+	return &ActivityHandler{broadcaster: b, notifier: notifier}
 }

 // List handles GET /workspaces/:id/activity?type=&source=&limit=&since_secs=&since_id=
@@ -476,7 +478,7 @@ func (h *ActivityHandler) Notify(c *gin.Context) {
 	for _, a := range body.Attachments {
 		attachments = append(attachments, AgentMessageAttachment(a))
 	}
-	writer := NewAgentMessageWriter(db.DB, h.broadcaster)
+	writer := NewAgentMessageWriter(db.DB, h.broadcaster, h.notifier)
 	if err := writer.Send(c.Request.Context(), workspaceID, body.Message, attachments); err != nil {
 		if errors.Is(err, ErrWorkspaceNotFound) {
 			c.JSON(http.StatusNotFound, gin.H{"error": "workspace not found"})
@@ -40,7 +40,7 @@ func TestActivityHandler_SinceID_ReturnsNewerASC(t *testing.T) {
 		WillReturnRows(newActivityRows())

 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -69,7 +69,7 @@ func TestActivityHandler_SinceID_CursorNotFound_410(t *testing.T) {
 		WillReturnError(sql.ErrNoRows)

 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -101,7 +101,7 @@ func TestActivityHandler_SinceID_CrossWorkspaceCursor_410(t *testing.T) {
 		WillReturnError(sql.ErrNoRows)

 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -137,7 +137,7 @@ func TestActivityHandler_SinceID_CombinedWithSinceSecs(t *testing.T) {
 		WillReturnRows(newActivityRows())

 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -41,7 +41,7 @@ func TestActivityHandler_SinceSecs_Accepted(t *testing.T) {
 		WillReturnRows(newActivityRows())

 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -70,7 +70,7 @@ func TestActivityHandler_SinceSecs_ClampedAt30Days(t *testing.T) {
 		WillReturnRows(newActivityRows())

 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -106,7 +106,7 @@ func TestActivityHandler_SinceSecs_InvalidRejected(t *testing.T) {
 			// No DB call expected; bad input must be caught before the query.
 			setupTestDB(t)
 			broadcaster := newTestBroadcaster()
-			handler := NewActivityHandler(broadcaster)
+			handler := NewActivityHandler(broadcaster, nil)

 			w := httptest.NewRecorder()
 			c, _ := gin.CreateTestContext(w)
@@ -142,7 +142,7 @@ func TestActivityHandler_SinceSecs_Omitted(t *testing.T) {
 		WillReturnRows(newActivityRows())

 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -22,7 +22,7 @@ func TestSessionSearchReturnsActivityAndMemory(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	rows := sqlmock.NewRows([]string{
 		"kind", "id", "workspace_id", "label", "content", "method", "status", "request_body", "response_body", "created_at",
@@ -68,7 +68,7 @@ func TestSessionSearchReturnsActivityAndMemory(t *testing.T) {
 func TestActivityList_SourceCanvas(t *testing.T) {
 	mock := setupTestDB(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	// Expect query with "source_id IS NULL"
 	mock.ExpectQuery(`SELECT .+ FROM activity_logs WHERE workspace_id = .+ AND source_id IS NULL`).
@@ -97,7 +97,7 @@ func TestActivityList_SourceCanvas(t *testing.T) {
 func TestActivityList_SourceAgent(t *testing.T) {
 	mock := setupTestDB(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	// Expect query with "source_id IS NOT NULL"
 	mock.ExpectQuery(`SELECT .+ FROM activity_logs WHERE workspace_id = .+ AND source_id IS NOT NULL`).
@@ -126,7 +126,7 @@ func TestActivityList_SourceAgent(t *testing.T) {
 func TestActivityList_SourceInvalid(t *testing.T) {
 	gin.SetMode(gin.TestMode)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -142,7 +142,7 @@ func TestActivityList_SourceInvalid(t *testing.T) {
 func TestActivityList_SourceWithType(t *testing.T) {
 	mock := setupTestDB(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	// Both type and source filters
 	mock.ExpectQuery(`SELECT .+ FROM activity_logs WHERE workspace_id = .+ AND activity_type = .+ AND source_id IS NULL`).
@@ -181,7 +181,7 @@ const testPeerUUID = "11111111-2222-3333-4444-555555555555"
 func TestActivityList_PeerIDFilter(t *testing.T) {
 	mock := setupTestDB(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	// peer_id binds twice in the query (source_id OR target_id) but is
 	// added to args once — sqlmock matches positional args, so the
@@ -220,7 +220,7 @@ func TestActivityList_PeerIDComposesWithType(t *testing.T) {
 	// of the builder can't silently rearrange placeholders.
 	mock := setupTestDB(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	mock.ExpectQuery(
 		`SELECT .+ FROM activity_logs WHERE workspace_id = .+ AND activity_type = .+ AND source_id IS NOT NULL AND \(source_id = .+ OR target_id = .+\)`,
@@ -258,7 +258,7 @@ func TestActivityList_PeerIDRejectsNonUUID(t *testing.T) {
 	// otherwise interpolate the value into the URL or another query.
 	gin.SetMode(gin.TestMode)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	for _, bad := range []string{
 		"not-a-uuid",
@@ -292,7 +292,7 @@ func TestActivityList_PeerIDRejectsNonUUID(t *testing.T) {
 func TestActivityList_BeforeTSFilter(t *testing.T) {
 	mock := setupTestDB(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	cutoff, _ := time.Parse(time.RFC3339, "2026-05-01T00:00:00Z")
 	mock.ExpectQuery(
@@ -328,7 +328,7 @@ func TestActivityList_BeforeTSComposesWithPeerID(t *testing.T) {
 	// can't silently drop one filter or reorder placeholders.
 	mock := setupTestDB(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	cutoff, _ := time.Parse(time.RFC3339, "2026-05-01T00:00:00Z")
 	mock.ExpectQuery(
@@ -363,7 +363,7 @@ func TestActivityList_BeforeTSComposesWithPeerID(t *testing.T) {
 func TestActivityList_BeforeTSRejectsInvalidFormat(t *testing.T) {
 	gin.SetMode(gin.TestMode)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	for _, bad := range []string{
 		"yesterday",
@@ -388,15 +388,19 @@ func TestActivityList_BeforeTSRejectsInvalidFormat(t *testing.T) {
 // ---------- Activity type allowlist (#125: memory_write added) ----------

 func TestActivityReport_AcceptsMemoryWriteType(t *testing.T) {
-	mockDB, mock, _ := sqlmock.New()
-	defer mockDB.Close()
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	prevDB := db.DB
 	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })

 	mock.ExpectExec(`INSERT INTO activity_logs`).
 		WillReturnResult(sqlmock.NewResult(1, 1))

 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	gin.SetMode(gin.TestMode)
 	w := httptest.NewRecorder()
@@ -413,12 +417,16 @@ func TestActivityReport_AcceptsMemoryWriteType(t *testing.T) {
 }

 func TestActivityReport_RejectsUnknownType(t *testing.T) {
-	mockDB, _, _ := sqlmock.New()
-	defer mockDB.Close()
+	mockDB, _, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	prevDB := db.DB
 	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })

 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	gin.SetMode(gin.TestMode)
 	w := httptest.NewRecorder()
@@ -447,9 +455,13 @@ func TestNotify_PersistsToActivityLogsForReloadRecovery(t *testing.T) {
 	//   - Have source_id NULL (canvas-source filter)
 	//   - Carry the message text in response_body so extractResponseText
 	//     can reconstruct the agent reply on reload
-	mockDB, mock, _ := sqlmock.New()
-	defer mockDB.Close()
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	prevDB := db.DB
 	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })

 	// Workspace existence check
 	mock.ExpectQuery(`SELECT name FROM workspaces`).
@@ -466,7 +478,7 @@ func TestNotify_PersistsToActivityLogsForReloadRecovery(t *testing.T) {
 		WillReturnResult(sqlmock.NewResult(1, 1))

 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	gin.SetMode(gin.TestMode)
 	w := httptest.NewRecorder()
@@ -491,9 +503,13 @@ func TestNotify_WithAttachments_PersistsFilePartsForReload(t *testing.T) {
 	// download chips after a page reload. Without `parts`, the bubble
 	// shows up but the attachment chip is silently dropped on every
 	// refresh.
-	mockDB, mock, _ := sqlmock.New()
-	defer mockDB.Close()
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	prevDB := db.DB
 	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })

 	mock.ExpectQuery(`SELECT name FROM workspaces`).
 		WithArgs("ws-attach").
@@ -511,7 +527,7 @@ func TestNotify_WithAttachments_PersistsFilePartsForReload(t *testing.T) {
 		WillReturnResult(sqlmock.NewResult(1, 1))

 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	gin.SetMode(gin.TestMode)
 	w := httptest.NewRecorder()
@@ -565,15 +581,19 @@ func TestNotify_RejectsAttachmentWithEmptyURIOrName(t *testing.T) {
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
-			mockDB, _, _ := sqlmock.New()
-			defer mockDB.Close()
+			mockDB, _, err := sqlmock.New()
+			if err != nil {
+				t.Fatalf("failed to create sqlmock: %v", err)
+			}
+			prevDB := db.DB
 			db.DB = mockDB
+			t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })
 			// No DB expectations — handler must reject with 400 BEFORE
 			// reaching SELECT/INSERT. sqlmock will fail "expectations not met"
 			// only if the handler unexpectedly queries.

 			broadcaster := newTestBroadcaster()
-			handler := NewActivityHandler(broadcaster)
+			handler := NewActivityHandler(broadcaster, nil)
 			gin.SetMode(gin.TestMode)
 			w := httptest.NewRecorder()
 			c, _ := gin.CreateTestContext(w)
@@ -612,9 +632,13 @@ func TestNotify_DBFailure_StillBroadcastsAnd200(t *testing.T) {
 	// WebSocket push (which the user is already seeing in their open
 	// canvas). Pre-fix the WS push always succeeded; we don't want
 	// the new persistence step to regress that path.
-	mockDB, mock, _ := sqlmock.New()
-	defer mockDB.Close()
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	prevDB := db.DB
 	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })

 	mock.ExpectQuery(`SELECT name FROM workspaces`).
 		WithArgs("ws-x").
@@ -623,7 +647,7 @@ func TestNotify_DBFailure_StillBroadcastsAnd200(t *testing.T) {
 		WillReturnError(fmt.Errorf("simulated db hiccup"))

 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	gin.SetMode(gin.TestMode)
 	w := httptest.NewRecorder()
@@ -44,6 +44,7 @@ import (
 	"log"

 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/events"
+	"github.com/Molecule-AI/molecule-monorepo/platform/internal/push"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/textutil"
 )

@@ -76,12 +77,14 @@ type AgentMessageAttachment struct {
 type AgentMessageWriter struct {
 	db          *sql.DB
 	broadcaster events.EventEmitter
+	notifier    *push.Notifier
 }

 // NewAgentMessageWriter binds the writer to the platform's DB pool +
-// WebSocket broadcaster.
-func NewAgentMessageWriter(db *sql.DB, broadcaster events.EventEmitter) *AgentMessageWriter {
-	return &AgentMessageWriter{db: db, broadcaster: broadcaster}
+// WebSocket broadcaster. notifier may be nil if push notifications are
+// not configured.
+func NewAgentMessageWriter(db *sql.DB, broadcaster events.EventEmitter, notifier *push.Notifier) *AgentMessageWriter {
+	return &AgentMessageWriter{db: db, broadcaster: broadcaster, notifier: notifier}
 }

 // Send delivers a single agent → user message. Look up + broadcast +
@@ -132,7 +135,12 @@ func (w *AgentMessageWriter) Send(
 	}
 	w.broadcaster.BroadcastOnly(workspaceID, string(events.EventAgentMessage), broadcastPayload)

-	// 3. Persist for chat-history hydration. response_body shape MUST stay
+	// 3. Send push notifications to mobile devices.
+	if w.notifier != nil {
+		w.notifier.NotifyAgentMessage(ctx, workspaceID, wsName, message)
+	}
+
+	// 4. Persist for chat-history hydration. response_body shape MUST stay
 	//    in sync with extractResponseText + extractFilesFromTask in
 	//    canvas/src/components/tabs/chat/historyHydration.ts:
 	//      - extractResponseText reads body.result (string) → renders text
@@ -86,7 +86,7 @@ func (c *capturingEmitter) RecordAndBroadcast(_ context.Context, eventType strin
 // path: workspace lookup, broadcast, INSERT, return nil.
 func TestAgentMessageWriter_Send_Success_NoAttachments(t *testing.T) {
 	mock := setupTestDB(t)
-	w := NewAgentMessageWriter(db.DB, newTestBroadcaster())
+	w := NewAgentMessageWriter(db.DB, newTestBroadcaster(), nil)

 	mock.ExpectQuery("SELECT name FROM workspaces").
 		WithArgs("ws-1").
@@ -114,7 +114,7 @@ func TestAgentMessageWriter_Send_Success_NoAttachments(t *testing.T) {
 // Drift here = chips disappear on chat reload.
 func TestAgentMessageWriter_Send_Success_WithAttachments(t *testing.T) {
 	mock := setupTestDB(t)
-	w := NewAgentMessageWriter(db.DB, newTestBroadcaster())
+	w := NewAgentMessageWriter(db.DB, newTestBroadcaster(), nil)

 	mock.ExpectQuery("SELECT name FROM workspaces").
 		WithArgs("ws-att").
@@ -171,7 +171,7 @@ func TestAgentMessageWriter_Send_Success_WithAttachments(t *testing.T) {
 func TestAgentMessageWriter_Send_WorkspaceNotFound(t *testing.T) {
 	mock := setupTestDB(t)
 	emitter := &capturingEmitter{}
-	w := NewAgentMessageWriter(db.DB, emitter)
+	w := NewAgentMessageWriter(db.DB, emitter, nil)

 	mock.ExpectQuery("SELECT name FROM workspaces").
 		WithArgs("ws-missing").
@@ -200,7 +200,7 @@ func TestAgentMessageWriter_Send_WorkspaceNotFound(t *testing.T) {
 // broadcast.
 func TestAgentMessageWriter_Send_DBInsertFailureStillReturnsNil(t *testing.T) {
 	mock := setupTestDB(t)
-	w := NewAgentMessageWriter(db.DB, newTestBroadcaster())
+	w := NewAgentMessageWriter(db.DB, newTestBroadcaster(), nil)

 	mock.ExpectQuery("SELECT name FROM workspaces").
 		WithArgs("ws-dbfail").
@@ -221,7 +221,7 @@ func TestAgentMessageWriter_Send_DBInsertFailureStillReturnsNil(t *testing.T) {
 // table doesn't carry multi-KB summaries that bloat list queries.
 func TestAgentMessageWriter_Send_PreviewTruncation(t *testing.T) {
 	mock := setupTestDB(t)
-	w := NewAgentMessageWriter(db.DB, newTestBroadcaster())
+	w := NewAgentMessageWriter(db.DB, newTestBroadcaster(), nil)

 	mock.ExpectQuery("SELECT name FROM workspaces").
 		WithArgs("ws-trunc").
@@ -261,7 +261,7 @@ func TestAgentMessageWriter_Send_PreviewTruncation(t *testing.T) {
 func TestAgentMessageWriter_Send_BroadcastsAgentMessageEvent(t *testing.T) {
 	mock := setupTestDB(t)
 	emitter := &capturingEmitter{}
-	w := NewAgentMessageWriter(db.DB, emitter)
+	w := NewAgentMessageWriter(db.DB, emitter, nil)

 	mock.ExpectQuery("SELECT name FROM workspaces").
 		WithArgs("ws-bc").
@@ -312,7 +312,7 @@ func TestAgentMessageWriter_Send_BroadcastsAgentMessageEvent(t *testing.T) {
 // real incidents in alerting.
 func TestAgentMessageWriter_Send_DBErrorOnLookupReturnsWrapped(t *testing.T) {
 	mock := setupTestDB(t)
-	w := NewAgentMessageWriter(db.DB, newTestBroadcaster())
+	w := NewAgentMessageWriter(db.DB, newTestBroadcaster(), nil)

 	transientErr := errors.New("connection refused")
 	mock.ExpectQuery("SELECT name FROM workspaces").
@@ -344,7 +344,7 @@ func TestAgentMessageWriter_Send_DBErrorOnLookupReturnsWrapped(t *testing.T) {
 // coverage. Now it does.
 func TestAgentMessageWriter_Send_NonASCIIMessagePersists(t *testing.T) {
 	mock := setupTestDB(t)
-	w := NewAgentMessageWriter(db.DB, newTestBroadcaster())
+	w := NewAgentMessageWriter(db.DB, newTestBroadcaster(), nil)

 	// 200-rune CJK message — exceeds the 80-rune cap, would have hit
 	// the byte-slice bug.
@@ -393,7 +393,7 @@ func TestAgentMessageWriter_Send_NonASCIIMessagePersists(t *testing.T) {
 func TestAgentMessageWriter_Send_OmitsAttachmentsKeyWhenEmpty(t *testing.T) {
 	mock := setupTestDB(t)
 	emitter := &capturingEmitter{}
-	w := NewAgentMessageWriter(db.DB, emitter)
+	w := NewAgentMessageWriter(db.DB, emitter, nil)

 	mock.ExpectQuery("SELECT name FROM workspaces").
 		WithArgs("ws-noatt").
@@ -15,6 +15,7 @@ import (

 	sqlmock "github.com/DATA-DOG/go-sqlmock"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/channels"
+	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
 	"github.com/gin-gonic/gin"
 )

@@ -364,6 +365,20 @@ func TestChannelHandler_Discover_MissingToken(t *testing.T) {
 }

 func TestChannelHandler_Discover_UnsupportedType(t *testing.T) {
+	// Set up db.DB so PausePollersForToken (called inside Discover) doesn't panic.
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("sqlmock: %v", err)
+	}
+	t.Cleanup(func() { mockDB.Close() })
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB })
+
+	mock.ExpectQuery(`SELECT id, channel_config FROM workspace_channels WHERE enabled = true AND workspace_id`).
+		WithArgs("ws-test").
+		WillReturnRows(sqlmock.NewRows([]string{"id", "channel_config"}))
+
 	handler := NewChannelHandler(newTestChannelManager())

 	// #329: workspace_id required — include so we actually reach the
@@ -387,6 +402,20 @@ func TestChannelHandler_Discover_UnsupportedType(t *testing.T) {
 }

 func TestChannelHandler_Discover_InvalidBotToken(t *testing.T) {
+	// Set up db.DB so PausePollersForToken (called inside Discover) doesn't panic.
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("sqlmock: %v", err)
+	}
+	t.Cleanup(func() { mockDB.Close() })
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB })
+
+	mock.ExpectQuery(`SELECT id, channel_config FROM workspace_channels WHERE enabled = true AND workspace_id`).
+		WithArgs("ws-test").
+		WillReturnRows(sqlmock.NewRows([]string{"id", "channel_config"}))
+
 	handler := NewChannelHandler(newTestChannelManager())

 	body, _ := json.Marshal(map[string]interface{}{
@@ -2,6 +2,7 @@ package handlers

 import (
 	"context"
+	"database/sql"
 	"encoding/json"
 	"log"
 	"net/http"
@@ -262,14 +263,20 @@ func insertDelegationRow(ctx context.Context, c *gin.Context, sourceID string, b
 		"task":          body.Task,
 		"delegation_id": delegationID,
 	})
+	// Store delegation_id in response_body so agent check_delegation_status
+	// (which reads response_body->>delegation_id) can locate this row even
+	// when request_body hasn't propagated yet. Fixes mc#984.
+	respJSON, _ := json.Marshal(map[string]interface{}{
+		"delegation_id": delegationID,
+	})
 	var idemArg interface{}
 	if body.IdempotencyKey != "" {
 		idemArg = body.IdempotencyKey
 	}
 	_, err := db.DB.ExecContext(ctx, `
-		INSERT INTO activity_logs (workspace_id, activity_type, method, source_id, target_id, summary, request_body, status, idempotency_key)
-		VALUES ($1, 'delegation', 'delegate', $2, $3, $4, $5::jsonb, 'pending', $6)
-	`, sourceID, sourceID, body.TargetID, "Delegating to "+body.TargetID, string(taskJSON), idemArg)
+		INSERT INTO activity_logs (workspace_id, activity_type, method, source_id, target_id, summary, request_body, response_body, status, idempotency_key)
+		VALUES ($1, 'delegation', 'delegate', $2, $3, $4, $5::jsonb, $6::jsonb, 'pending', $7)
+	`, sourceID, sourceID, body.TargetID, "Delegating to "+body.TargetID, string(taskJSON), string(respJSON), idemArg)
 	if err == nil {
 		// RFC #2829 #318 — mirror to the durable delegations ledger
 		// (gated by DELEGATION_LEDGER_WRITE; default off → no-op).
@@ -544,10 +551,15 @@ func (h *DelegationHandler) Record(c *gin.Context) {
 		"task":          body.Task,
 		"delegation_id": body.DelegationID,
 	})
+	// Store delegation_id in response_body so agent check_delegation_status
+	// can locate this row. Fixes mc#984.
+	respJSON, _ := json.Marshal(map[string]interface{}{
+		"delegation_id": body.DelegationID,
+	})
 	if _, err := db.DB.ExecContext(ctx, `
-		INSERT INTO activity_logs (workspace_id, activity_type, method, source_id, target_id, summary, request_body, status)
-		VALUES ($1, 'delegation', 'delegate', $2, $3, $4, $5::jsonb, 'dispatched')
-	`, sourceID, sourceID, body.TargetID, "Delegating to "+body.TargetID, string(taskJSON)); err != nil {
+		INSERT INTO activity_logs (workspace_id, activity_type, method, source_id, target_id, summary, request_body, response_body, status)
+		VALUES ($1, 'delegation', 'delegate', $2, $3, $4, $5::jsonb, $6::jsonb, 'dispatched')
+	`, sourceID, sourceID, body.TargetID, "Delegating to "+body.TargetID, string(taskJSON), string(respJSON)); err != nil {
 		log.Printf("Delegation Record: insert failed for %s: %v", body.DelegationID, err)
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to record delegation"})
 		return
@@ -687,7 +699,8 @@ func (h *DelegationHandler) listDelegationsFromLedger(ctx context.Context, works

 	var result []map[string]interface{}
 	for rows.Next() {
-		var delegationID, callerID, calleeID, taskPreview, status, resultPreview, errorDetail string
+		var delegationID, callerID, calleeID, taskPreview, status string
+		var resultPreview, errorDetail sql.NullString
 		var lastHeartbeat, deadline, createdAt, updatedAt *time.Time
 		if err := rows.Scan(
 			&delegationID, &callerID, &calleeID, &taskPreview,
@@ -706,11 +719,11 @@ func (h *DelegationHandler) listDelegationsFromLedger(ctx context.Context, works
 			"updated_at":    updatedAt,
 			"_ledger":       true, // marker so callers know this row is from the ledger
 		}
-		if resultPreview != "" {
-			entry["response_preview"] = textutil.TruncateBytes(resultPreview, 300)
+		if resultPreview.Valid && resultPreview.String != "" {
+			entry["response_preview"] = textutil.TruncateBytes(resultPreview.String, 300)
 		}
-		if errorDetail != "" {
-			entry["error"] = errorDetail
+		if errorDetail.Valid && errorDetail.String != "" {
+			entry["error"] = errorDetail.String
 		}
 		if lastHeartbeat != nil {
 			entry["last_heartbeat"] = lastHeartbeat
@@ -0,0 +1,224 @@
+package handlers
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// extractResponseText tests — walks A2A JSON-RPC response bodies and
+// returns the first text part, falling back to raw body on parse failures.
+
+func TestExtractResponseText_PartsWithTextKind(t *testing.T) {
+	resp := map[string]interface{}{
+		"result": map[string]interface{}{
+			"parts": []interface{}{
+				map[string]interface{}{"kind": "text", "text": "hello world"},
+				map[string]interface{}{"kind": "text", "text": "second part"},
+			},
+		},
+	}
+	body, _ := json.Marshal(resp)
+	assert.Equal(t, "hello world", extractResponseText(body))
+}
+
+func TestExtractResponseText_PartNotTextKind(t *testing.T) {
+	resp := map[string]interface{}{
+		"result": map[string]interface{}{
+			"parts": []interface{}{
+				map[string]interface{}{"kind": "image", "data": "base64..."},
+				map[string]interface{}{"kind": "text", "text": "visible"},
+			},
+		},
+	}
+	body, _ := json.Marshal(resp)
+	assert.Equal(t, "visible", extractResponseText(body))
+}
+
+func TestExtractResponseText_PartsEmpty(t *testing.T) {
+	// Empty parts array — falls through to artifacts, then raw body
+	resp := map[string]interface{}{
+		"result": map[string]interface{}{
+			"parts":     []interface{}{},
+			"artifacts": []interface{}{},
+		},
+	}
+	body, _ := json.Marshal(resp)
+	// Falls through to raw body (which is the JSON string)
+	result := extractResponseText(body)
+	assert.NotEmpty(t, result)
+}
+
+func TestExtractResponseText_ArtifactPartsWithText(t *testing.T) {
+	resp := map[string]interface{}{
+		"result": map[string]interface{}{
+			"parts": []interface{}{},
+			"artifacts": []interface{}{
+				map[string]interface{}{
+					"kind": "file",
+					"parts": []interface{}{
+						map[string]interface{}{"kind": "text", "text": "artifact text"},
+					},
+				},
+			},
+		},
+	}
+	body, _ := json.Marshal(resp)
+	assert.Equal(t, "artifact text", extractResponseText(body))
+}
+
+func TestExtractResponseText_ArtifactPartNotTextKind(t *testing.T) {
+	resp := map[string]interface{}{
+		"result": map[string]interface{}{
+			"parts": []interface{}{},
+			"artifacts": []interface{}{
+				map[string]interface{}{
+					"kind": "code",
+					"parts": []interface{}{
+						map[string]interface{}{"kind": "image", "data": "..."},
+						map[string]interface{}{"kind": "text", "text": "code comment"},
+					},
+				},
+			},
+		},
+	}
+	body, _ := json.Marshal(resp)
+	assert.Equal(t, "code comment", extractResponseText(body))
+}
+
+func TestExtractResponseText_ArtifactsEmpty(t *testing.T) {
+	resp := map[string]interface{}{
+		"result": map[string]interface{}{
+			"parts":     []interface{}{},
+			"artifacts": []interface{}{},
+		},
+	}
+	body, _ := json.Marshal(resp)
+	result := extractResponseText(body)
+	// Falls back to raw body
+	assert.Equal(t, string(body), result)
+}
+
+func TestExtractResponseText_NoResult(t *testing.T) {
+	// No "result" key at all — falls back to raw body
+	body := []byte(`{"error": {"code": -32600, "message": "Invalid Request"}}`)
+	result := extractResponseText(body)
+	assert.Equal(t, string(body), result)
+}
+
+func TestExtractResponseText_ResultNotMap(t *testing.T) {
+	// result is a string, not a map — falls back to raw body
+	body := []byte(`{"result": "just a string"}`)
+	result := extractResponseText(body)
+	assert.Equal(t, string(body), result)
+}
+
+func TestExtractResponseText_NonJSONBody(t *testing.T) {
+	// Non-JSON bytes — returns the raw string
+	body := []byte("plain text response, not JSON at all")
+	result := extractResponseText(body)
+	assert.Equal(t, "plain text response, not JSON at all", result)
+}
+
+func TestExtractResponseText_PartWithNilText(t *testing.T) {
+	// Text field is nil — kind is "text" but text is nil, should skip
+	resp := map[string]interface{}{
+		"result": map[string]interface{}{
+			"parts": []interface{}{
+				map[string]interface{}{"kind": "text", "text": nil},
+				map[string]interface{}{"kind": "text", "text": "found"},
+			},
+		},
+	}
+	body, _ := json.Marshal(resp)
+	assert.Equal(t, "found", extractResponseText(body))
+}
+
+func TestExtractResponseText_ArtifactPartWithNilText(t *testing.T) {
+	resp := map[string]interface{}{
+		"result": map[string]interface{}{
+			"parts": []interface{}{},
+			"artifacts": []interface{}{
+				map[string]interface{}{
+					"parts": []interface{}{
+						map[string]interface{}{"kind": "text", "text": nil},
+						map[string]interface{}{"kind": "text", "text": "artifact-found"},
+					},
+				},
+			},
+		},
+	}
+	body, _ := json.Marshal(resp)
+	assert.Equal(t, "artifact-found", extractResponseText(body))
+}
+
+func TestExtractResponseText_PartsWithNonMapElement(t *testing.T) {
+	// parts contains a non-map element — should be skipped gracefully
+	resp := map[string]interface{}{
+		"result": map[string]interface{}{
+			"parts": []interface{}{
+				"not a map",
+				123,
+				nil,
+				map[string]interface{}{"kind": "text", "text": "parsed"},
+			},
+		},
+	}
+	body, _ := json.Marshal(resp)
+	assert.Equal(t, "parsed", extractResponseText(body))
+}
+
+func TestExtractResponseText_ArtifactWithNonMapElement(t *testing.T) {
+	resp := map[string]interface{}{
+		"result": map[string]interface{}{
+			"parts": []interface{}{},
+			"artifacts": []interface{}{
+				"not a map",
+				nil,
+				map[string]interface{}{
+					"parts": []interface{}{
+						"not a map",
+						map[string]interface{}{"kind": "text", "text": "safe"},
+					},
+				},
+			},
+		},
+	}
+	body, _ := json.Marshal(resp)
+	assert.Equal(t, "safe", extractResponseText(body))
+}
+
+func TestExtractResponseText_PartKindNotString(t *testing.T) {
+	// kind is an integer, not a string — should be skipped
+	resp := map[string]interface{}{
+		"result": map[string]interface{}{
+			"parts": []interface{}{
+				map[string]interface{}{"kind": 123, "text": "ignored"},
+				map[string]interface{}{"kind": "text", "text": "found"},
+			},
+		},
+	}
+	body, _ := json.Marshal(resp)
+	assert.Equal(t, "found", extractResponseText(body))
+}
+
+func TestExtractResponseText_EmptyResponse(t *testing.T) {
+	body := []byte("{}")
+	result := extractResponseText(body)
+	// Falls back to raw "{}"
+	assert.Equal(t, "{}", result)
+}
+
+func TestExtractResponseText_NilBody(t *testing.T) {
+	// nil byte slice — string(nil) = ""
+	result := extractResponseText(nil)
+	assert.Equal(t, "", result)
+}
+
+func TestExtractResponseText_WhitespaceBody(t *testing.T) {
+	body := []byte("   \n\t  ")
+	result := extractResponseText(body)
+	// Unmarshals to empty map, no result, returns raw string
+	assert.Equal(t, "   \n\t  ", result)
+}
@@ -0,0 +1,488 @@
+package handlers
+
+// delegation_list_test.go — unit tests for listDelegationsFromLedger and
+// listDelegationsFromActivityLogs. Both methods are the data-backend of the
+// ListDelegations handler; coverage was missing (cf. infra-sre review of PR #942).
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/DATA-DOG/go-sqlmock"
+	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
+)
+
+// ---------- listDelegationsFromLedger ----------
+
+func TestListDelegationsFromLedger_EmptyResult(t *testing.T) {
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })
+
+	rows := sqlmock.NewRows([]string{
+		"delegation_id", "caller_id", "callee_id", "task_preview",
+		"status", "result_preview", "error_detail",
+		"last_heartbeat", "deadline", "created_at", "updated_at",
+	})
+	mock.ExpectQuery("SELECT .+ FROM delegations").
+		WithArgs("ws-1").
+		WillReturnRows(rows)
+
+	broadcaster := newTestBroadcaster()
+	wh := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+	dh := NewDelegationHandler(wh, broadcaster)
+
+	got := dh.listDelegationsFromLedger(context.Background(), "ws-1")
+	if got != nil {
+		t.Errorf("empty result: expected nil, got %v", got)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("sqlmock expectations: %v", err)
+	}
+}
+
+func TestListDelegationsFromLedger_SingleRow(t *testing.T) {
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })
+
+	now := time.Now()
+	// Use time.Time{} for nullable *time.Time columns — sqlmock passes the
+	// zero value to the handler's scan destination. The handler checks Valid
+	// before using each nullable field, so zero values are safe.
+	rows := sqlmock.NewRows([]string{
+		"delegation_id", "caller_id", "callee_id", "task_preview",
+		"status", "result_preview", "error_detail",
+		"last_heartbeat", "deadline", "created_at", "updated_at",
+	}).AddRow(
+		"del-1", "ws-1", "ws-2", "summarise the report",
+		"completed", "the report is about Q1",
+		"", now, now, now, now,
+	)
+	mock.ExpectQuery("SELECT .+ FROM delegations").
+		WithArgs("ws-1").
+		WillReturnRows(rows)
+
+	broadcaster := newTestBroadcaster()
+	wh := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+	dh := NewDelegationHandler(wh, broadcaster)
+
+	got := dh.listDelegationsFromLedger(context.Background(), "ws-1")
+	if len(got) != 1 {
+		t.Fatalf("expected 1 entry, got %d", len(got))
+	}
+	e := got[0]
+	if e["delegation_id"] != "del-1" {
+		t.Errorf("delegation_id: got %v, want del-1", e["delegation_id"])
+	}
+	if e["source_id"] != "ws-1" {
+		t.Errorf("source_id: got %v, want ws-1", e["source_id"])
+	}
+	if e["target_id"] != "ws-2" {
+		t.Errorf("target_id: got %v, want ws-2", e["target_id"])
+	}
+	if e["status"] != "completed" {
+		t.Errorf("status: got %v, want completed", e["status"])
+	}
+	if e["response_preview"] != "the report is about Q1" {
+		t.Errorf("response_preview: got %v", e["response_preview"])
+	}
+	if _, ok := e["error"]; ok {
+		t.Errorf("error should be absent when empty, got %v", e["error"])
+	}
+	if e["_ledger"] != true {
+		t.Errorf("_ledger marker: got %v, want true", e["_ledger"])
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("sqlmock expectations: %v", err)
+	}
+}
+
+func TestListDelegationsFromLedger_MultipleRows(t *testing.T) {
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })
+
+	now := time.Now()
+	rows := sqlmock.NewRows([]string{
+		"delegation_id", "caller_id", "callee_id", "task_preview",
+		"status", "result_preview", "error_detail",
+		"last_heartbeat", "deadline", "created_at", "updated_at",
+	}).
+		AddRow("del-a", "ws-1", "ws-2", "task a", "in_progress", "", "", now, now, now, now).
+		AddRow("del-b", "ws-1", "ws-3", "task b", "failed", "", "timeout", now, now, now, now).
+		AddRow("del-c", "ws-1", "ws-4", "task c", "completed", "result c", "", now, now, now, now)
+	mock.ExpectQuery("SELECT .+ FROM delegations").
+		WithArgs("ws-1").
+		WillReturnRows(rows)
+
+	broadcaster := newTestBroadcaster()
+	wh := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+	dh := NewDelegationHandler(wh, broadcaster)
+
+	got := dh.listDelegationsFromLedger(context.Background(), "ws-1")
+	if len(got) != 3 {
+		t.Fatalf("expected 3 entries, got %d", len(got))
+	}
+	if got[0]["delegation_id"] != "del-a" || got[1]["delegation_id"] != "del-b" || got[2]["delegation_id"] != "del-c" {
+		t.Errorf("unexpected order: %v", got)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("sqlmock expectations: %v", err)
+	}
+}
+
+func TestListDelegationsFromLedger_NullsOmitted(t *testing.T) {
+	// last_heartbeat, deadline, result_preview, error_detail are all NULL.
+	// Handler must not panic and must omit those keys from the map.
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { mockDB.Close(); db.DB = prevDB })
+
+	now := time.Now()
+	rows := sqlmock.NewRows([]string{
+		"delegation_id", "caller_id", "callee_id", "task_preview",
+		"status", "result_preview", "error_detail",
+		"last_heartbeat", "deadline", "created_at", "updated_at",
+	}).
+		AddRow("del-1", "ws-1", "ws-2", "task", "queued", nil, nil, nil, nil, now, now)
+	mock.ExpectQuery("SELECT .+ FROM delegations").
+		WithArgs("ws-1").
+		WillReturnRows(rows)
+
+	broadcaster := newTestBroadcaster()
+	wh := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+	dh := NewDelegationHandler(wh, broadcaster)
+
+	got := dh.listDelegationsFromLedger(context.Background(), "ws-1")
+	if len(got) != 1 {
+		t.Fatalf("expected 1 entry, got %d", len(got))
+	}
+	e := got[0]
+	if _, ok := e["last_heartbeat"]; ok {
+		t.Error("last_heartbeat should be absent when NULL")
+	}
+	if _, ok := e["deadline"]; ok {
+		t.Error("deadline should be absent when NULL")
+	}
+	if _, ok := e["response_preview"]; ok {
+		t.Error("response_preview should be absent when NULL result_preview")
+	}
+	if _, ok := e["error"]; ok {
+		t.Error("error should be absent when NULL error_detail")
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("sqlmock expectations: %v", err)
+	}
+}
+
+func TestListDelegationsFromLedger_QueryError(t *testing.T) {
+	// Query failure returns nil — graceful fallback, no panic.
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })
+
+	mock.ExpectQuery("SELECT .+ FROM delegations").
+		WithArgs("ws-1").
+		WillReturnError(context.DeadlineExceeded)
+
+	broadcaster := newTestBroadcaster()
+	wh := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+	dh := NewDelegationHandler(wh, broadcaster)
+
+	got := dh.listDelegationsFromLedger(context.Background(), "ws-1")
+	if got != nil {
+		t.Errorf("query error: expected nil, got %v", got)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("sqlmock expectations: %v", err)
+	}
+}
+
+func TestListDelegationsFromLedger_RowsErr(t *testing.T) {
+	// rows.Err() mid-stream: handler collects partial results and returns them.
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })
+
+	now := time.Now()
+	// RowError(0) before AddRow(0): row 0 is "bad", rows.Next() returns false
+	// on first call — the row never scans, result stays nil. To get partial
+	// results (row 0 scanned) with rows.Err() non-nil, we use 2 rows and put
+	// RowError(1) after AddRow(1): row 0 scans normally, row 1 is bad,
+	// rows.Err() is error, handler returns partial result.
+	rows := sqlmock.NewRows([]string{
+		"delegation_id", "caller_id", "callee_id", "task_preview",
+		"status", "result_preview", "error_detail",
+		"last_heartbeat", "deadline", "created_at", "updated_at",
+	}).
+		AddRow("del-1", "ws-1", "ws-2", "task", "queued", "", "", now, now, now, now).
+		AddRow("del-2", "ws-1", "ws-3", "another task", "queued", "", "", now, now, now, now).
+		RowError(1, context.DeadlineExceeded)
+	mock.ExpectQuery("SELECT .+ FROM delegations").
+		WithArgs("ws-1").
+		WillReturnRows(rows)
+
+	broadcaster := newTestBroadcaster()
+	wh := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+	dh := NewDelegationHandler(wh, broadcaster)
+
+	got := dh.listDelegationsFromLedger(context.Background(), "ws-1")
+	// Row 0 scanned and appended; row 1 is bad; rows.Err() is non-nil.
+	// Handler logs the error but returns result (partial results because result != nil).
+	if got == nil || len(got) != 1 {
+		t.Errorf("rows.Err path: expected 1 partial result, got %v", got)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("sqlmock expectations: %v", err)
+	}
+}
+
+// TestListDelegationsFromLedger_ScanError is removed.
+//
+// In Go 1.25 sqlmock.NewRows validates column count at AddRow() time and
+// panics when len(values) != len(columns). The old pattern
+//   sqlmock.NewRows([]string{}).AddRow("only-one-col")
+// therefore panics in test SETUP, not inside the handler. The handler has no
+// recover(), so a scan panic would propagate out of listDelegationsFromLedger
+// and crash the process — this is the correct behaviour (not silently skipping
+// a row). The correct way to cover this path is a real-DB integration test.
+//
+// ---------- listDelegationsFromActivityLogs ----------
+
+func TestListDelegationsFromActivityLogs_EmptyResult(t *testing.T) {
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })
+
+	rows := sqlmock.NewRows([]string{
+		"id", "activity_type", "source_id", "target_id",
+		"summary", "status", "error_detail",
+		"response_preview", "delegation_id", "created_at",
+	})
+	mock.ExpectQuery("SELECT .+ FROM activity_logs").
+		WithArgs("ws-1").
+		WillReturnRows(rows)
+
+	broadcaster := newTestBroadcaster()
+	wh := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+	dh := NewDelegationHandler(wh, broadcaster)
+
+	got := dh.listDelegationsFromActivityLogs(context.Background(), "ws-1")
+	if len(got) != 0 {
+		t.Errorf("empty result: expected empty slice, got %v", got)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("sqlmock expectations: %v", err)
+	}
+}
+
+func TestListDelegationsFromActivityLogs_SingleDelegateRow(t *testing.T) {
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })
+
+	now := time.Now()
+	rows := sqlmock.NewRows([]string{
+		"id", "activity_type", "source_id", "target_id",
+		"summary", "status", "error_detail",
+		"response_preview", "delegation_id", "created_at",
+	}).AddRow(
+		"act-1", "delegate",
+		"ws-1", "ws-2",
+		"analyse Q1 numbers",
+		"in_progress",
+		"", "", "",
+		now,
+	)
+	mock.ExpectQuery("SELECT .+ FROM activity_logs").
+		WithArgs("ws-1").
+		WillReturnRows(rows)
+
+	broadcaster := newTestBroadcaster()
+	wh := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+	dh := NewDelegationHandler(wh, broadcaster)
+
+	got := dh.listDelegationsFromActivityLogs(context.Background(), "ws-1")
+	if len(got) != 1 {
+		t.Fatalf("expected 1 entry, got %d", len(got))
+	}
+	e := got[0]
+	if e["id"] != "act-1" {
+		t.Errorf("id: got %v, want act-1", e["id"])
+	}
+	if e["type"] != "delegate" {
+		t.Errorf("type: got %v, want delegate", e["type"])
+	}
+	if e["source_id"] != "ws-1" {
+		t.Errorf("source_id: got %v, want ws-1", e["source_id"])
+	}
+	if e["target_id"] != "ws-2" {
+		t.Errorf("target_id: got %v, want ws-2", e["target_id"])
+	}
+	if e["summary"] != "analyse Q1 numbers" {
+		t.Errorf("summary: got %v", e["summary"])
+	}
+	if e["status"] != "in_progress" {
+		t.Errorf("status: got %v", e["status"])
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("sqlmock expectations: %v", err)
+	}
+}
+
+func TestListDelegationsFromActivityLogs_DelegateResultWithError(t *testing.T) {
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })
+
+	now := time.Now()
+	rows := sqlmock.NewRows([]string{
+		"id", "activity_type", "source_id", "target_id",
+		"summary", "status", "error_detail",
+		"response_preview", "delegation_id", "created_at",
+	}).AddRow(
+		"act-2", "delegate_result",
+		"ws-1", "ws-2",
+		"result summary",
+		"failed",
+		"Callee workspace not reachable",
+		`{"text":"the result body text"}`,
+		"del-abc",
+		now,
+	)
+	mock.ExpectQuery("SELECT .+ FROM activity_logs").
+		WithArgs("ws-1").
+		WillReturnRows(rows)
+
+	broadcaster := newTestBroadcaster()
+	wh := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+	dh := NewDelegationHandler(wh, broadcaster)
+
+	got := dh.listDelegationsFromActivityLogs(context.Background(), "ws-1")
+	if len(got) != 1 {
+		t.Fatalf("expected 1 entry, got %d", len(got))
+	}
+	e := got[0]
+	if e["type"] != "delegate_result" {
+		t.Errorf("type: got %v", e["type"])
+	}
+	if e["error"] != "Callee workspace not reachable" {
+		t.Errorf("error: got %v", e["error"])
+	}
+	if e["response_preview"] != `{"text":"the result body text"}` {
+		t.Errorf("response_preview: got %v", e["response_preview"])
+	}
+	if e["delegation_id"] != "del-abc" {
+		t.Errorf("delegation_id: got %v", e["delegation_id"])
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("sqlmock expectations: %v", err)
+	}
+}
+
+func TestListDelegationsFromActivityLogs_QueryError(t *testing.T) {
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })
+
+	mock.ExpectQuery("SELECT .+ FROM activity_logs").
+		WithArgs("ws-1").
+		WillReturnError(context.DeadlineExceeded)
+
+	broadcaster := newTestBroadcaster()
+	wh := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+	dh := NewDelegationHandler(wh, broadcaster)
+
+	got := dh.listDelegationsFromActivityLogs(context.Background(), "ws-1")
+	// Error → returns empty slice, not nil.
+	if len(got) != 0 {
+		t.Errorf("query error: expected empty slice, got %v", got)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("sqlmock expectations: %v", err)
+	}
+}
+
+func TestListDelegationsFromActivityLogs_RowsErr(t *testing.T) {
+	mockDB, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("failed to create sqlmock: %v", err)
+	}
+	prevDB := db.DB
+	db.DB = mockDB
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })
+
+	now := time.Now()
+	// RowError(0) before AddRow(0): row 0 is "bad", rows.Next() returns false
+	// on first call — the row never scans, result stays nil. To get partial
+	// results (row 0 scanned) with rows.Err() non-nil, we use 2 rows and put
+	// RowError(1) after AddRow(1): row 0 scans normally, row 1 is bad,
+	// rows.Err() is error, handler returns partial result.
+	rows := sqlmock.NewRows([]string{
+		"id", "activity_type", "source_id", "target_id",
+		"summary", "status", "error_detail",
+		"response_preview", "delegation_id", "created_at",
+	}).
+		AddRow("act-1", "delegate", "ws-1", "ws-2", "task", "queued", "", "", "", now).
+		AddRow("act-2", "delegate", "ws-1", "ws-3", "another task", "queued", "", "", "", now).
+		RowError(1, context.DeadlineExceeded)
+	mock.ExpectQuery("SELECT .+ FROM activity_logs").
+		WithArgs("ws-1").
+		WillReturnRows(rows)
+
+	broadcaster := newTestBroadcaster()
+	wh := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+	dh := NewDelegationHandler(wh, broadcaster)
+
+	got := dh.listDelegationsFromActivityLogs(context.Background(), "ws-1")
+	// Row 0 scanned and appended; row 1 is bad; rows.Err() is non-nil.
+	// Handler logs the error but returns result (partial results because result != nil).
+	if got == nil || len(got) != 1 {
+		t.Errorf("rows.Err path: expected 1 partial result, got %v", got)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("sqlmock expectations: %v", err)
+	}
+}
@@ -133,9 +133,9 @@ func TestDelegate_Success(t *testing.T) {
 	targetID := "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

 	// Expect INSERT into activity_logs for delegation tracking
-	// (6th arg is idempotency_key — nil here since the request omits it)
+	// (6th arg is response_body, 7th is idempotency_key — nil here since the request omits it)
 	mock.ExpectExec("INSERT INTO activity_logs").
-		WithArgs("ws-source", "ws-source", targetID, "Delegating to "+targetID, sqlmock.AnyArg(), nil).
+		WithArgs("ws-source", "ws-source", targetID, "Delegating to "+targetID, sqlmock.AnyArg(), sqlmock.AnyArg(), nil).
 		WillReturnResult(sqlmock.NewResult(0, 1))

 	// Expect RecordAndBroadcast INSERT into structure_events
@@ -189,9 +189,9 @@ func TestDelegate_DBInsertFails_Still202WithWarning(t *testing.T) {

 	targetID := "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

-	// DB insert fails (6th arg = idempotency_key, nil for this test)
+	// DB insert fails (6th arg = response_body, 7th = idempotency_key, nil for this test)
 	mock.ExpectExec("INSERT INTO activity_logs").
-		WithArgs("ws-source", "ws-source", targetID, "Delegating to "+targetID, sqlmock.AnyArg(), nil).
+		WithArgs("ws-source", "ws-source", targetID, "Delegating to "+targetID, sqlmock.AnyArg(), sqlmock.AnyArg(), nil).
 		WillReturnError(fmt.Errorf("database connection lost"))

 	// RecordAndBroadcast still fires
@@ -491,6 +491,7 @@ func TestDelegationRecord_InsertsActivityLogRow(t *testing.T) {
 			"550e8400-e29b-41d4-a716-446655440001",               // target_id
 			"Delegating to 550e8400-e29b-41d4-a716-446655440001", // summary
 			sqlmock.AnyArg(), // request_body (jsonb)
+			sqlmock.AnyArg(), // response_body (jsonb) — mc#984 fix
 		).
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	// RecordAndBroadcast INSERT for DELEGATION_SENT
@@ -699,9 +700,9 @@ func TestDelegate_IdempotentFailedRowIsReleasedAndReplaced(t *testing.T) {
 	mock.ExpectExec("DELETE FROM activity_logs").
 		WithArgs("ws-source", "retry-key").
 		WillReturnResult(sqlmock.NewResult(0, 1))
-	// Fresh insert with the same idempotency key.
+	// Fresh insert with the same idempotency key (response_body added as mc#984 fix).
 	mock.ExpectExec("INSERT INTO activity_logs").
-		WithArgs("ws-source", "ws-source", targetID, "Delegating to "+targetID, sqlmock.AnyArg(), "retry-key").
+		WithArgs("ws-source", "ws-source", targetID, "Delegating to "+targetID, sqlmock.AnyArg(), sqlmock.AnyArg(), "retry-key").
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectExec("INSERT INTO structure_events").
 		WillReturnResult(sqlmock.NewResult(0, 1))
@@ -745,9 +746,9 @@ func TestDelegate_IdempotentRaceUniqueViolationReturnsExisting(t *testing.T) {
 	mock.ExpectQuery("SELECT request_body->>'delegation_id', status, target_id").
 		WithArgs("ws-source", "race-key").
 		WillReturnError(fmt.Errorf("sql: no rows in result set"))
-	// Insert loses the race against a concurrent caller.
+	// Insert loses the race against a concurrent caller (response_body added as mc#984 fix).
 	mock.ExpectExec("INSERT INTO activity_logs").
-		WithArgs("ws-source", "ws-source", targetID, "Delegating to "+targetID, sqlmock.AnyArg(), "race-key").
+		WithArgs("ws-source", "ws-source", targetID, "Delegating to "+targetID, sqlmock.AnyArg(), sqlmock.AnyArg(), "race-key").
 		WillReturnError(fmt.Errorf("pq: duplicate key value violates unique constraint \"activity_logs_idempotency_uniq\""))
 	// Re-query returns the winner.
 	mock.ExpectQuery("SELECT request_body->>'delegation_id', status").
@@ -0,0 +1,160 @@
+package handlers
+
+import (
+	"testing"
+)
+
+// filterPeersByQuery tests — nil-safe role/name filtering for peer discovery.
+
+func TestFilterPeersByQuery_EmptyQueryNoOp(t *testing.T) {
+	peers := []map[string]interface{}{
+		{"name": "foo", "role": "bar"},
+		{"name": "baz", "role": "qux"},
+	}
+	result := filterPeersByQuery(peers, "")
+	if len(result) != 2 {
+		t.Errorf("empty query: expected 2, got %d", len(result))
+	}
+}
+
+func TestFilterPeersByQuery_WhitespaceQueryNoOp(t *testing.T) {
+	peers := []map[string]interface{}{
+		{"name": "foo", "role": "bar"},
+	}
+	result := filterPeersByQuery(peers, "   ")
+	if len(result) != 1 {
+		t.Errorf("whitespace-only query: expected 1, got %d", len(result))
+	}
+}
+
+func TestFilterPeersByQuery_MatchName(t *testing.T) {
+	peers := []map[string]interface{}{
+		{"name": "backend-agent", "role": "sre"},
+		{"name": "frontend-agent", "role": "ui"},
+	}
+	result := filterPeersByQuery(peers, "backend")
+	if len(result) != 1 || result[0]["name"] != "backend-agent" {
+		t.Errorf("expected backend-agent, got %v", result)
+	}
+}
+
+func TestFilterPeersByQuery_MatchRole(t *testing.T) {
+	peers := []map[string]interface{}{
+		{"name": "agent-alpha", "role": "security engineer"},
+		{"name": "agent-beta", "role": "devops"},
+	}
+	result := filterPeersByQuery(peers, "engineer")
+	if len(result) != 1 || result[0]["name"] != "agent-alpha" {
+		t.Errorf("expected agent-alpha, got %v", result)
+	}
+}
+
+func TestFilterPeersByQuery_CaseInsensitive(t *testing.T) {
+	peers := []map[string]interface{}{
+		{"name": "AgentX", "role": "SRE"},
+	}
+	result := filterPeersByQuery(peers, "AGENTx")
+	if len(result) != 1 {
+		t.Errorf("expected 1 match (case-insensitive), got %d", len(result))
+	}
+}
+
+func TestFilterPeersByQuery_NilRoleNoPanic(t *testing.T) {
+	// This is the regression case for #730: queryPeerMaps explicitly sets
+	// peer["role"] = nil when the DB role is empty string. Before the fix,
+	// p["role"].(string) panics on nil. After the fix, it returns "" and
+	// no match occurs — which is the correct behaviour.
+	defer func() {
+		if r := recover(); r != nil {
+			t.Errorf("filterPeersByQuery panicked on nil role: %v", r)
+		}
+	}()
+	peers := []map[string]interface{}{
+		{"name": "some-agent", "role": nil},
+	}
+	result := filterPeersByQuery(peers, "some-agent")
+	if len(result) != 1 {
+		t.Errorf("expected 1 match by name, got %d", len(result))
+	}
+}
+
+func TestFilterPeersByQuery_NilRoleQueryNoMatch(t *testing.T) {
+	// When role is nil and query does not match name, nothing matches.
+	defer func() {
+		if r := recover(); r != nil {
+			t.Errorf("filterPeersByQuery panicked on nil role: %v", r)
+		}
+	}()
+	peers := []map[string]interface{}{
+		{"name": "agent-alpha", "role": nil},
+	}
+	result := filterPeersByQuery(peers, "no-match")
+	if len(result) != 0 {
+		t.Errorf("expected 0 matches, got %d", len(result))
+	}
+}
+
+func TestFilterPeersByQuery_NilNameNoPanic(t *testing.T) {
+	// Defensive check: name could also theoretically be nil.
+	defer func() {
+		if r := recover(); r != nil {
+			t.Errorf("filterPeersByQuery panicked on nil name: %v", r)
+		}
+	}()
+	peers := []map[string]interface{}{
+		{"name": nil, "role": "sre"},
+	}
+	result := filterPeersByQuery(peers, "sre")
+	if len(result) != 1 {
+		t.Errorf("expected 1 match by role, got %d", len(result))
+	}
+}
+
+func TestFilterPeersByQuery_BothNilNoPanic(t *testing.T) {
+	defer func() {
+		if r := recover(); r != nil {
+			t.Errorf("filterPeersByQuery panicked on nil name+role: %v", r)
+		}
+	}()
+	peers := []map[string]interface{}{
+		{"name": nil, "role": nil},
+	}
+	result := filterPeersByQuery(peers, "")
+	if len(result) != 1 {
+		t.Errorf("empty query with nil name/role: expected 1, got %d", len(result))
+	}
+	result = filterPeersByQuery(peers, "anything")
+	if len(result) != 0 {
+		t.Errorf("non-empty query with nil name/role: expected 0, got %d", len(result))
+	}
+}
+
+func TestFilterPeersByQuery_NoMatches(t *testing.T) {
+	peers := []map[string]interface{}{
+		{"name": "alpha", "role": "beta"},
+		{"name": "gamma", "role": "delta"},
+	}
+	result := filterPeersByQuery(peers, "zzz")
+	if len(result) != 0 {
+		t.Errorf("expected 0, got %d", len(result))
+	}
+}
+
+func TestFilterPeersByQuery_EmptyPeers(t *testing.T) {
+	result := filterPeersByQuery([]map[string]interface{}{}, "query")
+	if len(result) != 0 {
+		t.Errorf("empty peers: expected 0, got %d", len(result))
+	}
+}
+
+func TestFilterPeersByQuery_MultipleMatches(t *testing.T) {
+	peers := []map[string]interface{}{
+		{"name": "backend-alpha", "role": "eng"},
+		{"name": "backend-beta", "role": "eng"},
+		{"name": "frontend", "role": "ui"},
+	}
+	result := filterPeersByQuery(peers, "backend")
+	if len(result) != 2 {
+		t.Errorf("expected 2 backend matches, got %d", len(result))
+	}
+}
@@ -29,14 +29,20 @@ func init() {
 // setupTestDB creates a sqlmock DB and assigns it to the global db.DB.
 // It also disables the SSRF URL check so that httptest.NewServer loopback
 // URLs and fake hostnames (*.example) used in tests don't trigger rejections.
+//
+// IMPORTANT: db.DB is saved before assignment and restored via t.Cleanup so
+// that tests running after this one are not polluted by a closed mock.
+// This is the single root cause of the systemic CI/Platform (Go) failures on
+// main HEAD 8026f020 (mc#975).
 func setupTestDB(t *testing.T) sqlmock.Sqlmock {
 	t.Helper()
 	mockDB, mock, err := sqlmock.New()
 	if err != nil {
 		t.Fatalf("failed to create sqlmock: %v", err)
 	}
+	prevDB := db.DB
 	db.DB = mockDB
-	t.Cleanup(func() { mockDB.Close() })
+	t.Cleanup(func() { db.DB = prevDB; mockDB.Close() })

 	// Disable SSRF checks for the duration of this test only. Restore
 	// the previous state via t.Cleanup so that TestIsSafeURL_* tests
@@ -56,6 +62,11 @@ func setupTestDB(t *testing.T) sqlmock.Sqlmock {
 	return mock
 }

+func waitForHandlerAsyncBeforeDBCleanup(t *testing.T, h *WorkspaceHandler) {
+	t.Helper()
+	t.Cleanup(h.waitAsyncForTest)
+}
+
 // setupTestRedis creates a miniredis instance and assigns it to the global db.RDB.
 func setupTestRedis(t *testing.T) *miniredis.Miniredis {
 	t.Helper()
@@ -355,6 +366,11 @@ func TestWorkspaceCreate(t *testing.T) {
 }

 func TestBuildProvisionerConfig_IncludesAwarenessSettings(t *testing.T) {
+	mock := setupTestDB(t)
+	mock.ExpectQuery(`SELECT digest FROM runtime_image_pins`).
+		WithArgs("claude-code").
+		WillReturnError(sql.ErrNoRows)
+
 	broadcaster := newTestBroadcaster()
 	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", "/tmp/configs")

@@ -366,7 +382,7 @@ func TestBuildProvisionerConfig_IncludesAwarenessSettings(t *testing.T) {
 		"ws-123",
 		"/tmp/configs/template",
 		map[string][]byte{"config.yaml": []byte("name: test")},
-		models.CreateWorkspacePayload{Tier: 2, Runtime: "claude-code"},
+		models.CreateWorkspacePayload{Tier: 2, Runtime: "claude-code", WorkspaceDir: "/tmp/workspace", WorkspaceAccess: "read_write"},
 		map[string]string{"OPENAI_API_KEY": "sk-test"},
 		"/tmp/plugins",
 		"workspace:ws-123",
@@ -630,7 +646,7 @@ func TestActivityHandler_List(t *testing.T) {
 		WillReturnRows(rows)

 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -679,7 +695,7 @@ func TestActivityHandler_ListByType(t *testing.T) {
 		WillReturnRows(rows)

 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -707,7 +723,7 @@ func TestActivityHandler_Report(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	// Expect the INSERT into activity_logs
 	mock.ExpectExec("INSERT INTO activity_logs").
@@ -736,7 +752,7 @@ func TestActivityHandler_Report_InvalidType(t *testing.T) {
 	setupTestDB(t)
 	setupTestRedis(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -964,7 +980,7 @@ func TestActivityHandler_ListEmpty(t *testing.T) {
 		WillReturnRows(sqlmock.NewRows(columns))

 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -998,7 +1014,7 @@ func TestActivityHandler_ListCustomLimit(t *testing.T) {
 		WillReturnRows(sqlmock.NewRows(columns))

 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -1031,7 +1047,7 @@ func TestActivityHandler_ListMaxLimit(t *testing.T) {
 		WillReturnRows(sqlmock.NewRows(columns))

 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -1059,7 +1075,7 @@ func TestActivityHandler_ReportAllValidTypes(t *testing.T) {
 			mock := setupTestDB(t)
 			setupTestRedis(t)
 			broadcaster := newTestBroadcaster()
-			handler := NewActivityHandler(broadcaster)
+			handler := NewActivityHandler(broadcaster, nil)

 			mock.ExpectExec("INSERT INTO activity_logs").
 				WillReturnResult(sqlmock.NewResult(0, 1))
@@ -1090,7 +1106,7 @@ func TestActivityHandler_ReportAllValidTypes(t *testing.T) {
 func TestActivityHandler_ReportMissingBody(t *testing.T) {
 	setupTestDB(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -1163,7 +1179,7 @@ func TestActivityHandler_Report_SourceIDSpoofRejected(t *testing.T) {
 	setupTestDB(t)
 	setupTestRedis(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -1186,7 +1202,7 @@ func TestActivityHandler_Report_MatchingSourceIDAccepted(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	mock.ExpectExec("INSERT INTO activity_logs").
 		WillReturnResult(sqlmock.NewResult(0, 1))
@@ -1216,7 +1232,7 @@ func TestActivityHandler_Report_SourceIDLogInjection(t *testing.T) {
 	setupTestDB(t)
 	setupTestRedis(t)
 	broadcaster := newTestBroadcaster()
-	handler := NewActivityHandler(broadcaster)
+	handler := NewActivityHandler(broadcaster, nil)

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -34,6 +34,7 @@ import (
 	"time"

 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/events"
+	"github.com/Molecule-AI/molecule-monorepo/platform/internal/push"
 	"github.com/gin-gonic/gin"
 )

@@ -84,6 +85,7 @@ type mcpTool struct {
 type MCPHandler struct {
 	database    *sql.DB
 	broadcaster *events.Broadcaster
+	notifier    *push.Notifier

 	// memv2 is the v2 memory plugin wiring (RFC #2728). nil-safe:
 	// every v2 tool calls memoryV2Available() first and returns a
@@ -94,8 +96,9 @@ type MCPHandler struct {

 // NewMCPHandler wires the handler to db and broadcaster.
 // Pass db.DB and the platform broadcaster at router-setup time.
-func NewMCPHandler(database *sql.DB, broadcaster *events.Broadcaster) *MCPHandler {
-	return &MCPHandler{database: database, broadcaster: broadcaster}
+// notifier may be nil if push notifications are not configured.
+func NewMCPHandler(database *sql.DB, broadcaster *events.Broadcaster, notifier *push.Notifier) *MCPHandler {
+	return &MCPHandler{database: database, broadcaster: broadcaster, notifier: notifier}
 }

 // ─────────────────────────────────────────────────────────────────────────────
@@ -26,7 +26,7 @@ import (
 func newMCPHandler(t *testing.T) (*MCPHandler, sqlmock.Sqlmock) {
 	t.Helper()
 	mock := setupTestDB(t)
-	h := NewMCPHandler(db.DB, newTestBroadcaster())
+	h := NewMCPHandler(db.DB, newTestBroadcaster(), nil)
 	return h, mock
 }

@@ -392,7 +392,7 @@ func (h *MCPHandler) toolSendMessageToUser(ctx context.Context, workspaceID stri
 	// (the tool args don't accept them); pass nil. If a future tool
 	// schema adds an attachments arg, build []AgentMessageAttachment
 	// and pass through.
-	writer := NewAgentMessageWriter(h.database, h.broadcaster)
+	writer := NewAgentMessageWriter(h.database, h.broadcaster, h.notifier)
 	if err := writer.Send(ctx, workspaceID, message, nil); err != nil {
 		if errors.Is(err, ErrWorkspaceNotFound) {
 			return "", fmt.Errorf("workspace not found")
@@ -15,6 +15,7 @@ import (

 	"gopkg.in/yaml.v3"
 )
+
 // resolvePromptRef reads a prompt body from either an inline string or a
 // file ref relative to the workspace's files_dir. Inline always wins when
 // both are non-empty (caller-provided inline is more authoritative than a
@@ -78,17 +79,105 @@ func hasUnresolvedVarRef(original, expanded string) bool {
 }

 // expandWithEnv expands ${VAR} and $VAR references in s using the env map.
-// Falls back to the platform process env if a var isn't in the map.
+// Falls back to the platform process env only when the whole value is a
+// single variable reference; embedded process-env expansion is too broad for
+// imported org YAML because host variables such as HOME are not template data.
 func expandWithEnv(s string, env map[string]string) string {
-	return os.Expand(s, func(key string) string {
-		if v, ok := env[key]; ok {
-			return v
+	if s == "" {
+		return ""
+	}
+	var b strings.Builder
+	for i := 0; i < len(s); {
+		if s[i] != '$' {
+			b.WriteByte(s[i])
+			i++
+			continue
 		}
-		return os.Getenv(key)
-	})
+
+		if i+1 >= len(s) {
+			b.WriteByte('$')
+			i++
+			continue
+		}
+
+		if s[i+1] == '{' {
+			end := strings.IndexByte(s[i+2:], '}')
+			if end < 0 {
+				b.WriteByte('$')
+				i++
+				continue
+			}
+			end += i + 2
+			key := s[i+2 : end]
+			ref := s[i : end+1]
+			b.WriteString(expandEnvRef(key, ref, s, env))
+			i = end + 1
+			continue
+		}
+
+		if !isEnvIdentStart(s[i+1]) {
+			b.WriteByte('$')
+			i++
+			continue
+		}
+		j := i + 2
+		for j < len(s) && isEnvIdentPart(s[j]) {
+			j++
+		}
+		key := s[i+1 : j]
+		ref := s[i:j]
+		b.WriteString(expandEnvRef(key, ref, s, env))
+		i = j
+	}
+	return b.String()
 }

-// loadWorkspaceEnv reads the org root .env and the workspace-specific .env
+
+func isEnvIdentStart(c byte) bool {
+	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || c == '_'
+}
+
+func isEnvIdentPart(c byte) bool {
+	return isEnvIdentStart(c) || (c >= '0' && c <= '9')
+}
+
+// expandEnvRef resolves a single variable reference extracted from s.
+//
+// Guards:
+//   - Empty key → "$$" escape, return "$"
+//   - key[0] not POSIX ident start → "$" + partial chars, return "$<chars>"
+//   - Key in env map → return the mapped value (template override wins)
+//   - Otherwise → only fall back to os.Getenv if the whole input string IS the
+//     variable reference (ref == whole).
+//
+// Bare $VAR format:
+//   $HOME (alone) → ref==whole → os.Getenv ✓  (host HOME is org-template HOME)
+//   $HOME/path (partial) → ref!=whole → literal "$HOME" ✓  (CWE-78: prevents host leak)
+//
+// Braced ${VAR} format:
+//   ${HOME} (alone) → ref==whole → os.Getenv ✓
+//   ${ROLE}/admin (partial) → ref!=whole → literal ✓
+//   "yes and ${NOT_SET}" (embedded) → ref!=whole → literal ✓
+//
+// This is the CWE-78 fix from commit a3a358f9.
+func expandEnvRef(key, ref, whole string, env map[string]string) string {
+	if key == "" {
+		return "$"
+	}
+	if !isEnvIdentStart(key[0]) {
+		return "$" + key
+	}
+	if v, ok := env[key]; ok {
+		return v
+	}
+	if ref == whole {
+		return os.Getenv(key)
+	}
+	return ref
+}
+
+
+// loadWorkspaceEnv reads the org root .env and the workspace-specific .env .env and the workspace-specific .env
 // (workspace overrides org root). Used by both secret injection and channel
 // config expansion.
 //
@@ -0,0 +1,126 @@
+package handlers
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// setupOrgEnv creates a temp dir with an optional org .env file and returns the dir.
+func setupOrgEnv(t *testing.T, orgEnvContent string) string {
+	t.Helper()
+	dir := t.TempDir()
+	if orgEnvContent != "" {
+		require.NoError(t, os.WriteFile(filepath.Join(dir, ".env"), []byte(orgEnvContent), 0o600))
+	}
+	return dir
+}
+
+func Test_loadWorkspaceEnv_orgRootOnly(t *testing.T) {
+	org := setupOrgEnv(t, "ORG_VAR=orgval\nORG_DEBUG=true")
+	vars := loadWorkspaceEnv(org, "")
+	assert.Equal(t, "orgval", vars["ORG_VAR"])
+	assert.Equal(t, "true", vars["ORG_DEBUG"])
+}
+
+func Test_loadWorkspaceEnv_orgRootMissing(t *testing.T) {
+	// No .env at org root — should return empty map without error.
+	dir := t.TempDir()
+	vars := loadWorkspaceEnv(dir, "")
+	assertEmpty(t, vars)
+}
+
+func Test_loadWorkspaceEnv_workspaceEnvMerges(t *testing.T) {
+	org := setupOrgEnv(t, "SHARED=sharedval\nORG_ONLY=orgonly")
+	wsDir := filepath.Join(org, "myworkspace")
+	require.NoError(t, os.MkdirAll(wsDir, 0o700))
+	require.NoError(t, os.WriteFile(filepath.Join(wsDir, ".env"), []byte("WS_VAR=wsval\nSHARED=overridden"), 0o600))
+
+	vars := loadWorkspaceEnv(org, "myworkspace")
+	assert.Equal(t, "wsval", vars["WS_VAR"])
+	assert.Equal(t, "overridden", vars["SHARED"]) // workspace overrides org
+	assert.Equal(t, "orgonly", vars["ORG_ONLY"])   // org vars preserved
+}
+
+func Test_loadWorkspaceEnv_emptyFilesDir(t *testing.T) {
+	org := setupOrgEnv(t, "VAR=val")
+	vars := loadWorkspaceEnv(org, "")
+	assert.Equal(t, "val", vars["VAR"])
+}
+
+func Test_loadWorkspaceEnv_traversalRejects(t *testing.T) {
+	// #321 / CWE-22: filesDir "../../../etc" must not escape the org root.
+	// resolveInsideRoot rejects the traversal so workspace .env is skipped;
+	// org root .env is still loaded (it's before the guard).
+	org := setupOrgEnv(t, "INNOCENT=val\nSAFE_WS=wsval")
+	parent := filepath.Dir(org)
+	require.NoError(t, os.WriteFile(filepath.Join(parent, ".env"), []byte("MALICIOUS=evil"), 0o600))
+	// Also create a workspace dir inside org to prove it IS accessible normally.
+	wsDir := filepath.Join(org, "legit-workspace")
+	require.NoError(t, os.MkdirAll(wsDir, 0o700))
+	require.NoError(t, os.WriteFile(filepath.Join(wsDir, ".env"), []byte("WS_SECRET=ssh-key-123"), 0o600))
+
+	// Traversal is blocked.
+	vars := loadWorkspaceEnv(org, "../../../etc")
+	// Org root vars present; workspace vars blocked.
+	assert.Equal(t, "val", vars["INNOCENT"])
+	assert.Equal(t, "wsval", vars["SAFE_WS"]) // from org root .env
+	assert.Empty(t, vars["WS_SECRET"])        // workspace .env blocked by traversal guard
+	_, hasEvil := vars["MALICIOUS"]
+	assert.False(t, hasEvil, "MALICIOUS from escaped path must not appear")
+}
+
+func Test_loadWorkspaceEnv_traversalWithDots(t *testing.T) {
+	// A sibling-traversal attempt: go up one level then into a sibling dir.
+	// The sibling dir is NOT inside org, so it must be rejected.
+	org := setupOrgEnv(t, "INNOCENT=val")
+	parent := filepath.Dir(org)
+	require.NoError(t, os.MkdirAll(filepath.Join(parent, "sibling"), 0o700))
+	require.NoError(t, os.WriteFile(filepath.Join(parent, "sibling/.env"), []byte("LEAKED=secret"), 0o600))
+
+	vars := loadWorkspaceEnv(org, "../sibling")
+	// Org vars loaded; sibling vars blocked.
+	assert.Equal(t, "val", vars["INNOCENT"])
+	assert.Empty(t, vars["LEAKED"], "sibling traversal must be rejected")
+}
+
+func Test_loadWorkspaceEnv_absolutePathRejected(t *testing.T) {
+	// Absolute paths are rejected outright by resolveInsideRoot.
+	org := setupOrgEnv(t, "INNOCENT=val")
+	vars := loadWorkspaceEnv(org, "/etc")
+	assert.Equal(t, "val", vars["INNOCENT"]) // org root still loaded
+	assert.Empty(t, vars["SAFE_WS"])
+}
+
+func Test_loadWorkspaceEnv_dotPathRejected(t *testing.T) {
+	// "." resolves to the org root itself — this is NOT a traversal but
+	// would create org-root/.env which is the org root .env, not a
+	// workspace .env. resolveInsideRoot accepts this; the workspace .env
+	// path is org/.env, which IS the org root .env (already loaded).
+	// So the correct result is the org vars (same as org root, no change).
+	org := setupOrgEnv(t, "INNOCENT=val")
+	vars := loadWorkspaceEnv(org, ".")
+	// "." passes resolveInsideRoot (resolves to org root, which is valid).
+	// But workspace path org/.env is the same as org/.env already loaded.
+	assert.Equal(t, "val", vars["INNOCENT"])
+}
+
+func Test_loadWorkspaceEnv_emptyOrgRootReturnsEmpty(t *testing.T) {
+	vars := loadWorkspaceEnv("", "some/dir")
+	assertEmpty(t, vars)
+}
+
+func Test_loadWorkspaceEnv_missingWorkspaceDir(t *testing.T) {
+	org := setupOrgEnv(t, "ORG=val")
+	// Workspace dir doesn't exist — org vars still loaded.
+	vars := loadWorkspaceEnv(org, "nonexistent")
+	assert.Equal(t, "val", vars["ORG"])
+}
+
+func assertEmpty(t *testing.T, m map[string]string) {
+	t.Helper()
+	assert.Equal(t, 0, len(m), "expected empty map, got %v", m)
+}
@@ -0,0 +1,759 @@
+package handlers
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// ── isSafeRoleName ────────────────────────────────────────────────────────────
+
+func TestIsSafeRoleName_Valid(t *testing.T) {
+	cases := []string{
+		"backend",
+		"frontend",
+		"backend-engineer",
+		"Frontend_Engineer",
+		"DevOps123",
+		"sre-team",
+		"a",
+		"ABC",
+		"Role_With_Underscores_And-Numbers123",
+	}
+	for _, r := range cases {
+		t.Run(r, func(t *testing.T) {
+			if !isSafeRoleName(r) {
+				t.Errorf("isSafeRoleName(%q): expected true, got false", r)
+			}
+		})
+	}
+}
+
+func TestIsSafeRoleName_Invalid(t *testing.T) {
+	cases := []struct {
+		name string
+		role string
+	}{
+		{"empty", ""},
+		{"dot", "."},
+		{"double dot", ".."},
+		{"path separator", "backend/engineer"},
+		{"space", "backend engineer"},
+		{"special char", "backend@engineer"},
+		{"at sign", "role@team"},
+		{"colon", "role:admin"},
+		{"hash", "role#1"},
+		{"percent", "role%20"},
+		{"quote", `role"name`},
+		{"backslash", `role\name`},
+		{"tilde", "role~test"},
+		{"backtick", "`role"},
+		{"bracket open", "[role]"},
+		{"bracket close", "role]"},
+		{"plus", "role+admin"},
+		{"equals", "role=admin"},
+		{"caret", "role^admin"},
+		{"question mark", "role?"},
+		{"pipe at end", "role|"},
+		{"greater than", "role>"},
+		{"asterisk", "role*"},
+		{"ampersand", "role&"},
+		{"exclamation at end", "role!"},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			if isSafeRoleName(tc.role) {
+				t.Errorf("isSafeRoleName(%q): expected false, got true", tc.role)
+			}
+		})
+	}
+}
+
+// ── hasUnresolvedVarRef ───────────────────────────────────────────────────────
+
+func TestHasUnresolvedVarRef_NoVars(t *testing.T) {
+	cases := []string{
+		"",
+		"plain text",
+		"no variables here",
+		"123 numeric",
+		"$",
+		"${}",
+		"$5",
+		"$$$$",
+	}
+	for _, s := range cases {
+		t.Run(s, func(t *testing.T) {
+			if hasUnresolvedVarRef(s, s) {
+				t.Errorf("hasUnresolvedVarRef(%q, %q): expected false, got true", s, s)
+			}
+		})
+	}
+}
+
+func TestHasUnresolvedVarRef_Resolved(t *testing.T) {
+	// Expansion consumed the var refs (where "consumed" means the output no longer
+	// contains the original var reference syntax).
+	cases := []struct {
+		orig     string
+		expanded string
+		want     bool // true = unresolved (function returns true), false = resolved
+	}{
+		// Empty output: function conservatively returns true — it cannot distinguish
+		// "var was set to empty" from "var was not found and stripped". The test
+		// documents this design choice; callers who need empty=resolved should
+		// pre-process the output before calling hasUnresolvedVarRef.
+		{"${VAR}", "", true},
+		{"${VAR}", "value", false}, // var replaced
+		{"$VAR", "value", false},   // bare var replaced
+		{"prefix${VAR}suffix", "prefixvaluesuffix", false},
+		{"${A}${B}", "ab", false},
+		// FOO=FOO and BAR=BAR — both vars found and replaced. Expanded output
+		// "FOO and BAR" has no ${...} syntax left, so function returns false.
+		{"${FOO} and ${BAR}", "FOO and BAR", false},
+	}
+	for _, tc := range cases {
+		t.Run(tc.orig, func(t *testing.T) {
+			got := hasUnresolvedVarRef(tc.orig, tc.expanded)
+			if got != tc.want {
+				t.Errorf("hasUnresolvedVarRef(%q, %q): got %v, want %v", tc.orig, tc.expanded, got, tc.want)
+			}
+		})
+	}
+}
+
+func TestHasUnresolvedVarRef_Unresolved(t *testing.T) {
+	// Expansion left the refs intact → unresolved.
+	cases := []struct {
+		orig     string
+		expanded string
+	}{
+		{"${VAR}", "${VAR}"}, // untouched
+		{"$VAR", "$VAR"},     // bare untouched
+		{"prefix${VAR}suffix", "prefix${VAR}suffix"},
+		{"${A}${B}", "${A}${B}"}, // both unresolved
+		{"${FOO}", ""},           // empty result with var ref in original
+	}
+	for _, tc := range cases {
+		t.Run(tc.orig, func(t *testing.T) {
+			if !hasUnresolvedVarRef(tc.orig, tc.expanded) {
+				t.Errorf("hasUnresolvedVarRef(%q, %q): expected true, got false", tc.orig, tc.expanded)
+			}
+		})
+	}
+}
+
+// ── expandWithEnv ─────────────────────────────────────────────────────────────
+
+func TestExpandWithEnv_Basic(t *testing.T) {
+	env := map[string]string{"FOO": "bar", "BAZ": "qux"}
+	cases := []struct {
+		input string
+		want  string
+	}{
+		{"", ""},
+		{"no vars", "no vars"},
+		{"${FOO}", "bar"},
+		{"$FOO", "bar"},
+		{"prefix${FOO}suffix", "prefixbarsuffix"},
+		{"${FOO}${BAZ}", "barqux"},
+		{"${MISSING}", ""}, // not in env, not in os env → empty
+	}
+	for _, tc := range cases {
+		t.Run(tc.input, func(t *testing.T) {
+			got := expandWithEnv(tc.input, env)
+			if got != tc.want {
+				t.Errorf("expandWithEnv(%q, %v) = %q, want %q", tc.input, env, got, tc.want)
+			}
+		})
+	}
+}
+
+// ── mergeCategoryRouting ─────────────────────────────────────────────────────
+
+func TestMergeCategoryRouting_EmptyInputs(t *testing.T) {
+	// Both empty → empty
+	r := mergeCategoryRouting(nil, nil)
+	if len(r) != 0 {
+		t.Errorf("mergeCategoryRouting(nil, nil): got %v, want empty", r)
+	}
+
+	r = mergeCategoryRouting(map[string][]string{}, map[string][]string{})
+	if len(r) != 0 {
+		t.Errorf("mergeCategoryRouting({}, {}): got %v, want empty", r)
+	}
+}
+
+func TestMergeCategoryRouting_DefaultsOnly(t *testing.T) {
+	defaults := map[string][]string{
+		"security": {"Backend Engineer", "DevOps"},
+		"ui":       {"Frontend Engineer"},
+		"data":     {"Data Engineer"},
+	}
+	r := mergeCategoryRouting(defaults, nil)
+	if len(r) != 3 {
+		t.Errorf("got %d keys, want 3", len(r))
+	}
+	if len(r["security"]) != 2 {
+		t.Errorf("security roles: got %v, want 2", r["security"])
+	}
+}
+
+func TestMergeCategoryRouting_WorkspaceOverrides(t *testing.T) {
+	defaults := map[string][]string{
+		"security": {"Backend Engineer", "DevOps"},
+		"ui":       {"Frontend Engineer"},
+	}
+	ws := map[string][]string{
+		"security": {"SRE Team"},      // narrows
+		"ui":       {},                // drops
+		"infra":    {"Platform Team"}, // adds
+	}
+	r := mergeCategoryRouting(defaults, ws)
+	if len(r["security"]) != 1 || r["security"][0] != "SRE Team" {
+		t.Errorf("security: got %v, want [SRE Team]", r["security"])
+	}
+	if _, ok := r["ui"]; ok {
+		t.Errorf("ui should be dropped, got %v", r["ui"])
+	}
+	if len(r["infra"]) != 1 || r["infra"][0] != "Platform Team" {
+		t.Errorf("infra: got %v, want [Platform Team]", r["infra"])
+	}
+}
+
+func TestMergeCategoryRouting_EmptyListDrops(t *testing.T) {
+	defaults := map[string][]string{"foo": {"A", "B"}}
+	ws := map[string][]string{"foo": {}}
+	r := mergeCategoryRouting(defaults, ws)
+	if _, ok := r["foo"]; ok {
+		t.Errorf("foo with empty ws list: should be dropped, got %v", r["foo"])
+	}
+}
+
+func TestMergeCategoryRouting_EmptyKeySkipped(t *testing.T) {
+	defaults := map[string][]string{"": {"Role"}}
+	ws := map[string][]string{"": {}}
+	r := mergeCategoryRouting(defaults, ws)
+	if _, ok := r[""]; ok {
+		t.Errorf("empty key should be skipped, got %v", r[""])
+	}
+}
+
+// ── renderCategoryRoutingYAML ────────────────────────────────────────────────
+
+func TestRenderCategoryRoutingYAML_Empty(t *testing.T) {
+	out, err := renderCategoryRoutingYAML(nil)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if out != "" {
+		t.Errorf("got %q, want empty string", out)
+	}
+
+	out, err = renderCategoryRoutingYAML(map[string][]string{})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if out != "" {
+		t.Errorf("got %q, want empty string", out)
+	}
+}
+
+func TestRenderCategoryRoutingYAML_StableOrdering(t *testing.T) {
+	// Keys are sorted so output is deterministic regardless of map iteration order.
+	m := map[string][]string{
+		"zebra":  {"A"},
+		"alpha":  {"B"},
+		"middle": {"C"},
+	}
+	out, err := renderCategoryRoutingYAML(m)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	// alpha must come before middle, which must come before zebra
+	ai := 0
+	zi := 0
+	mi := 0
+	for i, c := range out {
+		switch {
+		case c == 'a' && i < len(out)-5 && out[i:i+5] == "alpha":
+			ai = i
+		case c == 'z' && i < len(out)-5 && out[i:i+5] == "zebra":
+			zi = i
+		case c == 'm' && i < len(out)-6 && out[i:i+6] == "middle":
+			mi = i
+		}
+	}
+	if ai <= 0 || zi <= 0 || mi <= 0 {
+		t.Fatalf("could not locate all keys in output: %s", out)
+	}
+	if !(ai < mi && mi < zi) {
+		t.Errorf("keys not sorted: alpha=%d middle=%d zebra=%d, output:\n%s", ai, mi, zi, out)
+	}
+}
+
+func TestRenderCategoryRoutingYAML_SpecialCharsEscaped(t *testing.T) {
+	// YAML library should escape characters that need quoting.
+	m := map[string][]string{
+		"key:with:colons": {"Role: Admin"},
+		"key with space":  {"Role"},
+	}
+	out, err := renderCategoryRoutingYAML(m)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	// The output must be valid YAML (yaml.Marshal handles quoting).
+	// The key with colons should appear quoted in the output.
+	if out == "" {
+		t.Error("output is empty")
+	}
+}
+
+// ── appendYAMLBlock ───────────────────────────────────────────────────────────
+
+func TestAppendYAMLBlock_NoExisting(t *testing.T) {
+	got := appendYAMLBlock(nil, "key: value")
+	if string(got) != "key: value" {
+		t.Errorf("got %q, want 'key: value'", string(got))
+	}
+}
+
+func TestAppendYAMLBlock_EmptyBlock(t *testing.T) {
+	// When existing lacks a trailing \n, the function adds one before appending
+	// the empty block — so the result always has a clean terminator.
+	got := appendYAMLBlock([]byte("existing: data"), "")
+	want := "existing: data\n"
+	if string(got) != want {
+		t.Errorf("got %q, want %q", string(got), want)
+	}
+}
+
+func TestAppendYAMLBlock_AppendsWithNewline(t *testing.T) {
+	existing := []byte("key: value")
+	block := "new: entry"
+	got := appendYAMLBlock(existing, block)
+	want := "key: value\nnew: entry"
+	if string(got) != want {
+		t.Errorf("got %q, want %q", string(got), want)
+	}
+}
+
+func TestAppendYAMLBlock_AlreadyEndsWithNewline(t *testing.T) {
+	existing := []byte("key: value\n")
+	block := "new: entry"
+	got := appendYAMLBlock(existing, block)
+	want := "key: value\nnew: entry"
+	if string(got) != want {
+		t.Errorf("got %q, want %q", string(got), want)
+	}
+}
+
+// ── mergePlugins ─────────────────────────────────────────────────────────────
+
+func TestMergePlugins_EmptyInputs(t *testing.T) {
+	r := mergePlugins(nil, nil)
+	if len(r) != 0 {
+		t.Errorf("got %v, want []", r)
+	}
+	r = mergePlugins([]string{}, []string{})
+	if len(r) != 0 {
+		t.Errorf("got %v, want []", r)
+	}
+}
+
+func TestMergePlugins_BasicMerge(t *testing.T) {
+	defaults := []string{"plugin-a", "plugin-b"}
+	ws := []string{"plugin-b", "plugin-c"}
+	r := mergePlugins(defaults, ws)
+	// defaults first, ws appended, b deduplicated
+	if len(r) != 3 {
+		t.Errorf("got %v, want 3 items", r)
+	}
+	if r[0] != "plugin-a" || r[1] != "plugin-b" || r[2] != "plugin-c" {
+		t.Errorf("got %v, want [a, b, c]", r)
+	}
+}
+
+func TestMergePlugins_ExcludeWithBang(t *testing.T) {
+	defaults := []string{"plugin-a", "plugin-b", "plugin-c"}
+	ws := []string{"!plugin-b"}
+	r := mergePlugins(defaults, ws)
+	if len(r) != 2 {
+		t.Errorf("got %v, want 2 items", r)
+	}
+	if r[0] != "plugin-a" || r[1] != "plugin-c" {
+		t.Errorf("got %v, want [a, c]", r)
+	}
+}
+
+func TestMergePlugins_ExcludeWithDash(t *testing.T) {
+	defaults := []string{"plugin-a", "plugin-b", "plugin-c"}
+	ws := []string{"-plugin-b"}
+	r := mergePlugins(defaults, ws)
+	if len(r) != 2 || r[0] != "plugin-a" || r[1] != "plugin-c" {
+		t.Errorf("got %v, want [a, c]", r)
+	}
+}
+
+func TestMergePlugins_ExcludeNonexistent(t *testing.T) {
+	defaults := []string{"plugin-a", "plugin-b"}
+	ws := []string{"!plugin-c"} // c not present
+	r := mergePlugins(defaults, ws)
+	if len(r) != 2 {
+		t.Errorf("got %v, want 2 items", r)
+	}
+}
+
+func TestMergePlugins_ExcludeEmptyTarget(t *testing.T) {
+	defaults := []string{"plugin-a", "plugin-b"}
+	ws := []string{"!"}
+	r := mergePlugins(defaults, ws)
+	if len(r) != 2 {
+		t.Errorf("got %v, want 2 items", r)
+	}
+}
+
+func TestMergePlugins_EmptyPlugin(t *testing.T) {
+	defaults := []string{"", "plugin-a", ""}
+	ws := []string{"plugin-b", ""}
+	r := mergePlugins(defaults, ws)
+	if len(r) != 2 {
+		t.Errorf("got %v, want 2 items", r)
+	}
+}
+
+// ── Additional coverage: expandWithEnv ──────────────────────────────
+func TestExpandWithEnv_BracedVar(t *testing.T) {
+	env := map[string]string{"FOO": "bar", "BAZ": "qux"}
+	result := expandWithEnv("value is ${FOO}", env)
+	assert.Equal(t, "value is bar", result)
+}
+
+func TestExpandWithEnv_DollarVar(t *testing.T) {
+	env := map[string]string{"X": "1", "Y": "2"}
+	result := expandWithEnv("$X + $Y = 3", env)
+	assert.Equal(t, "1 + 2 = 3", result)
+}
+
+func TestExpandWithEnv_Mixed(t *testing.T) {
+	env := map[string]string{"A": "alpha", "B": "beta"}
+	result := expandWithEnv("${A}_${B}", env)
+	assert.Equal(t, "alpha_beta", result)
+}
+
+func TestExpandWithEnv_MissingVar(t *testing.T) {
+	// Missing vars stay as-is (os.Getenv fallback returns "" for unset vars).
+	env := map[string]string{}
+	result := expandWithEnv("${UNSET}", env)
+	assert.Equal(t, "", result)
+}
+
+func TestExpandWithEnv_EmptyMap(t *testing.T) {
+	result := expandWithEnv("no vars here", map[string]string{})
+	assert.Equal(t, "no vars here", result)
+}
+
+func TestExpandWithEnv_LiteralDollar(t *testing.T) {
+	// A bare $ not followed by a valid identifier char stays as-is.
+	result := expandWithEnv("cost $100", map[string]string{})
+	assert.Equal(t, "cost $100", result)
+}
+
+func TestExpandWithEnv_PartiallyPresent(t *testing.T) {
+	env := map[string]string{"SET": "yes"}
+	result := expandWithEnv("${SET} and ${NOT_SET}", env)
+	assert.Equal(t, "yes and ${NOT_SET}", result)
+}
+
+func TestExpandWithEnv_EmbeddedMissingProcessEnvStaysLiteral(t *testing.T) {
+	t.Setenv("MOL_TEST_EMBEDDED_MISSING", "")
+
+	result := expandWithEnv("prefix/${MOL_TEST_EMBEDDED_MISSING}/suffix", map[string]string{})
+	assert.Equal(t, "prefix/${MOL_TEST_EMBEDDED_MISSING}/suffix", result)
+}
+
+// POSIX identifier guard regression tests (CWE-78 fix).
+// Keys not starting with [a-zA-Z_] must not be looked up in env or os.Getenv.
+func TestExpandWithEnv_DigitPrefix_NotExpanded(t *testing.T) {
+	// ${0}, ${5}, ${1VAR} — numeric prefix → not a valid shell identifier.
+	// Guard must return "$0", "$5", "$1VAR" literally; no env lookup.
+	cases := []struct {
+		input string
+		want  string
+	}{
+		{"${0}", "$0"},
+		{"${5}", "$5"},
+		{"${1VAR}", "$1VAR"},
+		{"prefix ${0} suffix", "prefix $0 suffix"},
+		{"$0", "$0"},
+		{"$5", "$5"},
+		{"HOME=${HOME}", "HOME=${HOME}"}, // HOME is valid but embedded in larger string
+	}
+	for _, tc := range cases {
+		t.Run(tc.input, func(t *testing.T) {
+			got := expandWithEnv(tc.input, map[string]string{})
+			assert.Equal(t, tc.want, got)
+		})
+	}
+}
+
+func TestExpandWithEnv_EmptyKey_ReturnsDollar(t *testing.T) {
+	// ${} → "$" (empty key, guard returns "$")
+	result := expandWithEnv("value=${}", map[string]string{})
+	assert.Equal(t, "value=$", result)
+}
+
+// mergeCategoryRouting tests — unions defaults with per-workspace routing.
+
+// ── Additional coverage: mergeCategoryRouting ──────────────────────
+func TestMergeCategoryRouting_WorkspaceAddsCategory(t *testing.T) {
+	defaults := map[string][]string{
+		"security": {"Backend Engineer"},
+	}
+	wsRouting := map[string][]string{
+		"ui": {"Frontend Engineer"},
+	}
+	result := mergeCategoryRouting(defaults, wsRouting)
+	assert.Equal(t, []string{"Backend Engineer"}, result["security"])
+	assert.Equal(t, []string{"Frontend Engineer"}, result["ui"])
+}
+
+func TestMergeCategoryRouting_EmptyListDropsCategory(t *testing.T) {
+	defaults := map[string][]string{
+		"security": {"Backend Engineer"},
+		"infra":    {"SRE"},
+	}
+	wsRouting := map[string][]string{
+		"security": {}, // empty list = explicit drop
+	}
+	result := mergeCategoryRouting(defaults, wsRouting)
+	_, hasSecurity := result["security"]
+	assert.False(t, hasSecurity)
+	assert.Equal(t, []string{"SRE"}, result["infra"])
+}
+
+func TestMergeCategoryRouting_EmptyDefaultKeySkipped(t *testing.T) {
+	defaults := map[string][]string{
+		"": {"Backend Engineer"}, // empty key should be skipped
+	}
+	result := mergeCategoryRouting(defaults, nil)
+	_, has := result[""]
+	assert.False(t, has)
+}
+
+func TestMergeCategoryRouting_EmptyWorkspaceKeySkipped(t *testing.T) {
+	defaults := map[string][]string{
+		"security": {"Backend Engineer"},
+	}
+	wsRouting := map[string][]string{
+		"": {"Some Role"},
+	}
+	result := mergeCategoryRouting(defaults, wsRouting)
+	_, has := result[""]
+	assert.False(t, has)
+	assert.Equal(t, []string{"Backend Engineer"}, result["security"])
+}
+
+func TestMergeCategoryRouting_DoesNotMutateInputs(t *testing.T) {
+	defaults := map[string][]string{
+		"security": {"Backend Engineer"},
+	}
+	wsRouting := map[string][]string{
+		"security": {"DevOps"},
+	}
+	orig := defaults["security"][0]
+	_ = mergeCategoryRouting(defaults, wsRouting)
+	assert.Equal(t, orig, defaults["security"][0])
+}
+
+// renderCategoryRoutingYAML tests — deterministic YAML emission.
+
+// ── Additional coverage: renderCategoryRoutingYAML ────────────────
+func TestRenderCategoryRoutingYAML_SingleCategory(t *testing.T) {
+	routing := map[string][]string{
+		"security": {"Backend Engineer", "DevOps"},
+	}
+	result, err := renderCategoryRoutingYAML(routing)
+	assert.NoError(t, err)
+	assert.Contains(t, result, "security:")
+	assert.Contains(t, result, "Backend Engineer")
+	assert.Contains(t, result, "DevOps")
+}
+
+func TestRenderCategoryRoutingYAML_MultipleCategoriesSorted(t *testing.T) {
+	routing := map[string][]string{
+		"zebra":      {"RoleZ"},
+		"alpha":      {"RoleA"},
+		"middleware": {"RoleM"},
+	}
+	result, err := renderCategoryRoutingYAML(routing)
+	assert.NoError(t, err)
+	// Keys are sorted alphabetically.
+	idxAlpha := assertFind(t, result, "alpha:")
+	idxZebra := assertFind(t, result, "zebra:")
+	idxMid := assertFind(t, result, "middleware:")
+	if idxAlpha > -1 && idxZebra > -1 {
+		assert.True(t, idxAlpha < idxZebra, "alpha should appear before zebra")
+	}
+	if idxMid > -1 && idxZebra > -1 {
+		assert.True(t, idxMid < idxZebra, "middleware should appear before zebra")
+	}
+}
+
+func TestRenderCategoryRoutingYAML_EmptyListCategory(t *testing.T) {
+	// Empty-list category should still render (mergeCategoryRouting drops
+	// them before they reach this function, but we test the render in isolation).
+	routing := map[string][]string{
+		"security": {},
+	}
+	result, err := renderCategoryRoutingYAML(routing)
+	assert.NoError(t, err)
+	assert.Contains(t, result, "security:")
+}
+
+func TestRenderCategoryRoutingYAML_SpecialCharactersEscaped(t *testing.T) {
+	routing := map[string][]string{
+		"notes": {`has: colon`, `and "quotes"`, "emoji: 🚀"},
+	}
+	result, err := renderCategoryRoutingYAML(routing)
+	assert.NoError(t, err)
+	// Should not panic and should produce valid YAML.
+	assert.Contains(t, result, "notes:")
+}
+
+// appendYAMLBlock tests — safe concatenation with newline boundary.
+
+// ── Additional coverage: appendYAMLBlock ───────────────────────────
+func TestAppendYAMLBlock_BothEmpty(t *testing.T) {
+	result := appendYAMLBlock(nil, "")
+	assert.Nil(t, result)
+}
+
+func TestAppendYAMLBlock_ExistingHasNewline(t *testing.T) {
+	existing := []byte("existing:\n")
+	block := "key: value\n"
+	result := appendYAMLBlock(existing, block)
+	assert.Equal(t, "existing:\nkey: value\n", string(result))
+}
+
+func TestAppendYAMLBlock_ExistingNoNewline(t *testing.T) {
+	existing := []byte("existing:")
+	block := "key: value\n"
+	result := appendYAMLBlock(existing, block)
+	assert.Equal(t, "existing:\nkey: value\n", string(result))
+}
+
+func TestAppendYAMLBlock_ExistingEmpty(t *testing.T) {
+	existing := []byte("")
+	block := "key: value\n"
+	result := appendYAMLBlock(existing, block)
+	assert.Equal(t, "key: value\n", string(result))
+}
+
+func TestAppendYAMLBlock_NilExisting(t *testing.T) {
+	block := "key: value\n"
+	result := appendYAMLBlock(nil, block)
+	assert.Equal(t, "key: value\n", string(result))
+}
+
+// mergePlugins tests — union with exclusion prefix (!/-).
+
+// ── Additional coverage: mergePlugins (additional cases) ───────────
+func TestMergePlugins_DefaultsOnly(t *testing.T) {
+	defaults := []string{"plugin-a", "plugin-b"}
+	result := mergePlugins(defaults, nil)
+	assert.Equal(t, []string{"plugin-a", "plugin-b"}, result)
+}
+
+func TestMergePlugins_WorkspaceAdds(t *testing.T) {
+	defaults := []string{"plugin-a"}
+	wsPlugins := []string{"plugin-b", "plugin-a"} // duplicate of default
+	result := mergePlugins(defaults, wsPlugins)
+	assert.Equal(t, []string{"plugin-a", "plugin-b"}, result)
+}
+
+func TestMergePlugins_ExclusionWithBang(t *testing.T) {
+	defaults := []string{"plugin-a", "plugin-b", "plugin-c"}
+	wsPlugins := []string{"!plugin-b"}
+	result := mergePlugins(defaults, wsPlugins)
+	assert.Equal(t, []string{"plugin-a", "plugin-c"}, result)
+}
+
+func TestMergePlugins_ExclusionWithDash(t *testing.T) {
+	defaults := []string{"plugin-a", "plugin-b", "plugin-c"}
+	wsPlugins := []string{"-plugin-b"}
+	result := mergePlugins(defaults, wsPlugins)
+	assert.Equal(t, []string{"plugin-a", "plugin-c"}, result)
+}
+
+func TestMergePlugins_ExclusionEmptyTarget(t *testing.T) {
+	defaults := []string{"plugin-a", "plugin-b"}
+	wsPlugins := []string{"!", "-"} // no-op exclusions
+	result := mergePlugins(defaults, wsPlugins)
+	assert.Equal(t, []string{"plugin-a", "plugin-b"}, result)
+}
+
+func TestMergePlugins_ExclusionNotInDefaults(t *testing.T) {
+	// Excluding something not in defaults is a no-op.
+	defaults := []string{"plugin-a"}
+	wsPlugins := []string{"!plugin-b"}
+	result := mergePlugins(defaults, wsPlugins)
+	assert.Equal(t, []string{"plugin-a"}, result)
+}
+
+func TestMergePlugins_WorkspaceAddsNew(t *testing.T) {
+	defaults := []string{"plugin-a"}
+	wsPlugins := []string{"plugin-b"}
+	result := mergePlugins(defaults, wsPlugins)
+	assert.Equal(t, []string{"plugin-a", "plugin-b"}, result)
+}
+
+func TestMergePlugins_DeduplicationOrder(t *testing.T) {
+	// Defaults first; workspace entries deduplicated.
+	defaults := []string{"plugin-a", "plugin-a", "plugin-b"}
+	wsPlugins := []string{"plugin-b", "plugin-c", "plugin-c"}
+	result := mergePlugins(defaults, wsPlugins)
+	assert.Equal(t, []string{"plugin-a", "plugin-b", "plugin-c"}, result)
+}
+
+func TestMergePlugins_ExclusionThenAddSameName(t *testing.T) {
+	// Remove then re-add: order matters.
+	defaults := []string{"plugin-a", "plugin-b"}
+	wsPlugins := []string{"!plugin-a", "plugin-a"}
+	result := mergePlugins(defaults, wsPlugins)
+	assert.Equal(t, []string{"plugin-b", "plugin-a"}, result)
+}
+
+// isSafeRoleName tests — alphanumeric + hyphen/underscore, no path separators.
+
+// ── Additional coverage: isSafeRoleName ───────────────────────────
+func TestIsSafeRoleName_SpecialCharsRejected(t *testing.T) {
+	bad := []string{
+		"role@name",
+		"role#name",
+		"role$name",
+		"role%name",
+		"role&name",
+		"role*name",
+		"role?name",
+		"role=name",
+	}
+	for _, r := range bad {
+		if isSafeRoleName(r) {
+			t.Errorf("isSafeRoleName(%q) expected false, got true", r)
+		}
+	}
+}
+
+// assertFind is a helper: returns index of first occurrence of substr in s, or -1.
+func assertFind(t *testing.T, s, substr string) int {
+	t.Helper()
+	idx := -1
+	for i := 0; i <= len(s)-len(substr); i++ {
+		if s[i:i+len(substr)] == substr {
+			idx = i
+			break
+		}
+	}
+	return idx
+}
@@ -0,0 +1,432 @@
+package handlers
+
+import (
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+// org_helpers_security_test.go — security-critical path sanitization + role-name
+// validation for org template processing. Covers OFFSEC-006-class attacks:
+// path traversal via user-controlled files_dir / prompt_file refs, and role-name
+// injection via the persona env loader.
+
+// ── resolveInsideRoot ──────────────────────────────────────────────────────────
+
+func TestResolveInsideRoot_EmptyUserPath(t *testing.T) {
+	_, err := resolveInsideRoot("/safe/root", "")
+	if err == nil {
+		t.Fatalf("empty userPath: expected error, got nil")
+	}
+	if err.Error() != "path is empty" {
+		t.Errorf("empty userPath: got %q, want %q", err.Error(), "path is empty")
+	}
+}
+
+func TestResolveInsideRoot_AbsolutePathRejected(t *testing.T) {
+	_, err := resolveInsideRoot("/safe/root", "/etc/passwd")
+	if err == nil {
+		t.Fatalf("absolute userPath: expected error, got nil")
+	}
+	if err.Error() != "absolute paths are not allowed" {
+		t.Errorf("absolute userPath: got %q, want %q", err.Error(), "absolute paths are not allowed")
+	}
+}
+
+func TestResolveInsideRoot_DotDotTraversal(t *testing.T) {
+	// ../../etc/passwd from /safe/root
+	got, err := resolveInsideRoot("/safe/root", "../../etc/passwd")
+	if err == nil {
+		t.Fatalf("dotdot traversal: expected error, got %q", got)
+	}
+	if err.Error() != "path escapes root" {
+		t.Errorf("dotdot traversal: got %q, want %q", err.Error(), "path escapes root")
+	}
+}
+
+// TestResolveInsideRoot_DotDotWithIntermediate verifies that a/b/../../c does NOT
+// escape when root=/safe/root. After normalization: a/b/../.. = ., so a/b/../../c = c,
+// which is a valid descendant of /safe/root. The original test expected an error
+// but resolveInsideRoot correctly returns nil (the path stays within root).
+// The OFFSEC-006 concern is covered by ../../etc/passwd which DOES escape.
+func TestResolveInsideRoot_DotDotWithIntermediate(t *testing.T) {
+	// a/b/../../c normalises to "c" — a valid descendant inside any root.
+	// Must use t.TempDir() for a real filesystem path so filepath.Abs resolves.
+	root := t.TempDir()
+	got, err := resolveInsideRoot(root, "a/b/../../c")
+	if err != nil {
+		t.Fatalf("a/b/../../c should resolve within root: %v", err)
+	}
+	// Verify result is inside root and ends with "c"
+	if !strings.HasPrefix(got, root+string(filepath.Separator)) {
+		t.Errorf("result should be inside root %q, got %q", root, got)
+	}
+	if got[len(got)-1:] != "c" {
+		t.Errorf("resolved path should end in 'c', got %q", got)
+	}
+}
+
+func TestResolveInsideRoot_ValidRelativePath(t *testing.T) {
+	// This test uses the real filesystem since resolveInsideRoot calls filepath.Abs.
+	// Use t.TempDir() so we have a real root to work with.
+	root := t.TempDir()
+	got, err := resolveInsideRoot(root, "subdir/file.txt")
+	if err != nil {
+		t.Fatalf("valid relative: unexpected error: %v", err)
+	}
+	// Must be inside root
+	if got[:len(root)] != root {
+		t.Errorf("result should start with root %q, got %q", root, got)
+	}
+}
+
+func TestResolveInsideRoot_ExactRootMatch(t *testing.T) {
+	root := t.TempDir()
+	got, err := resolveInsideRoot(root, ".")
+	if err != nil {
+		t.Fatalf("exact root: unexpected error: %v", err)
+	}
+	if got != root {
+		t.Errorf("exact root match: got %q, want %q", got, root)
+	}
+}
+
+func TestResolveInsideRoot_DotPathComponent(t *testing.T) {
+	root := t.TempDir()
+	// ./subdir/./file.txt should resolve to root/subdir/file.txt
+	got, err := resolveInsideRoot(root, "./subdir/./file.txt")
+	if err != nil {
+		t.Fatalf("dot path component: unexpected error: %v", err)
+	}
+	// Verify the file component is subdir/file.txt regardless of root length.
+	suffix := string(filepath.Separator) + "subdir" + string(filepath.Separator) + "file.txt"
+	if !strings.HasSuffix(got, suffix) {
+		t.Errorf("dot path component: got %q, want suffix %q", got, suffix)
+	}
+}
+
+func TestResolveInsideRoot_NestedDotDotEscapes(t *testing.T) {
+	root := t.TempDir()
+	// a/../../b from /tmp/xyz → /tmp/b (escapes temp dir)
+	got, err := resolveInsideRoot(root, "a/../../b")
+	if err == nil {
+		t.Fatalf("nested dotdot: expected error, got %q", got)
+	}
+	if err.Error() != "path escapes root" {
+		t.Errorf("nested dotdot: got %q, want %q", err.Error(), "path escapes root")
+	}
+}
+
+func TestResolveInsideRoot_DotdotAtStart(t *testing.T) {
+	root := t.TempDir()
+	got, err := resolveInsideRoot(root, "../sibling")
+	if err == nil {
+		t.Fatalf("../sibling: expected error, got %q", got)
+	}
+	if err.Error() != "path escapes root" {
+		t.Errorf("../sibling: got %q, want %q", err.Error(), "path escapes root")
+	}
+}
+
+func TestResolveInsideRoot_SiblingNotEscaped(t *testing.T) {
+	// /foo/bar and /foo/baz are siblings — the prefix check with
+	// filepath.Separator guard must allow /foo/bar/child without matching /foo/baz
+	// (which would be wrong if the check were just strings.HasPrefix).
+	root := t.TempDir()
+	got, err := resolveInsideRoot(root, "valid-subdir/file.txt")
+	if err != nil {
+		t.Fatalf("sibling not escaped: unexpected error: %v", err)
+	}
+	// Must be inside root
+	if !strings.HasPrefix(got, root+string(filepath.Separator)) {
+		t.Errorf("result should be inside root %q, got %q", root, got)
+	}
+}
+
+// ── isSafeRoleName ────────────────────────────────────────────────────────────
+
+func TestIsSafeRoleName_Empty(t *testing.T) {
+	if isSafeRoleName("") {
+		t.Error("isSafeRoleName(\"\"): expected false, got true")
+	}
+}
+
+func TestIsSafeRoleName_Dot(t *testing.T) {
+	if isSafeRoleName(".") {
+		t.Error("isSafeRoleName(\".\"): expected false, got true")
+	}
+}
+
+func TestIsSafeRoleName_DotDot(t *testing.T) {
+	if isSafeRoleName("..") {
+		t.Error("isSafeRoleName(\"..\"): expected false, got true")
+	}
+}
+
+func TestIsSafeRoleName_PathTraversal(t *testing.T) {
+	unsafe := []string{
+		"../etc",
+		"foo/../../../etc",
+		"foo/../../bar",
+	}
+	for _, name := range unsafe {
+		if isSafeRoleName(name) {
+			t.Errorf("isSafeRoleName(%q): expected false (path traversal), got true", name)
+		}
+	}
+}
+
+func TestIsSafeRoleName_SpecialChars(t *testing.T) {
+	unsafe := []string{
+		"foo:bar",
+		"foo bar",
+		"foo\tbar",
+		"foo\nbar",
+		"foo\x00bar",
+		"foo@bar",
+		"foo#bar",
+		"foo$bar",
+	}
+	for _, name := range unsafe {
+		if isSafeRoleName(name) {
+			t.Errorf("isSafeRoleName(%q): expected false (special char), got true", name)
+		}
+	}
+}
+
+// ── mergeCategoryRouting ──────────────────────────────────────────────────────
+// Duplicate mergeCategoryRouting tests removed to avoid redeclaration with
+// org_helpers_pure_test.go. Only security-specific behaviour lives here.
+
+func TestSecureRouting_BothNil(t *testing.T) {
+	got := mergeCategoryRouting(nil, nil)
+	if len(got) != 0 {
+		t.Errorf("both nil: got %v, want empty", got)
+	}
+}
+
+func TestSecureRouting_DefaultOnly(t *testing.T) {
+	defaultRouting := map[string][]string{
+		"security": {"Backend Engineer", "DevOps"},
+	}
+	got := mergeCategoryRouting(defaultRouting, nil)
+	if len(got) != 1 {
+		t.Fatalf("default only: got %d entries, want 1", len(got))
+	}
+	if len(got["security"]) != 2 {
+		t.Errorf("security roles: got %v, want [Backend Engineer, DevOps]", got["security"])
+	}
+}
+
+func TestSecureRouting_WorkspaceOnly(t *testing.T) {
+	wsRouting := map[string][]string{
+		"ui": {"Frontend Engineer"},
+	}
+	got := mergeCategoryRouting(nil, wsRouting)
+	if len(got) != 1 {
+		t.Fatalf("ws only: got %d entries, want 1", len(got))
+	}
+	if got["ui"][0] != "Frontend Engineer" {
+		t.Errorf("ui roles: got %v, want [Frontend Engineer]", got["ui"])
+	}
+}
+
+func TestSecureRouting_MergeNoOverlap(t *testing.T) {
+	defaultRouting := map[string][]string{
+		"security": {"Backend Engineer"},
+	}
+	wsRouting := map[string][]string{
+		"ui": {"Frontend Engineer"},
+	}
+	got := mergeCategoryRouting(defaultRouting, wsRouting)
+	if len(got) != 2 {
+		t.Errorf("merge no overlap: got %d entries, want 2", len(got))
+	}
+}
+
+func TestSecureRouting_WsOverrideDropsDefault(t *testing.T) {
+	defaultRouting := map[string][]string{
+		"security": {"Backend Engineer", "DevOps"},
+	}
+	wsRouting := map[string][]string{
+		"security": {"Security Engineer"},
+	}
+	got := mergeCategoryRouting(defaultRouting, wsRouting)
+	if len(got["security"]) != 1 {
+		t.Errorf("ws override: got %v, want [Security Engineer]", got["security"])
+	}
+	if got["security"][0] != "Security Engineer" {
+		t.Errorf("ws override: got %v, want [Security Engineer]", got["security"])
+	}
+}
+
+func TestSecureRouting_EmptyListDropsCategory(t *testing.T) {
+	defaultRouting := map[string][]string{
+		"security": {"Backend Engineer"},
+		"ui":       {"Frontend Engineer"},
+	}
+	wsRouting := map[string][]string{
+		"security": {}, // empty list = opt out
+	}
+	got := mergeCategoryRouting(defaultRouting, wsRouting)
+	if _, exists := got["security"]; exists {
+		t.Error("empty ws list should delete the category from output")
+	}
+	if len(got["ui"]) != 1 {
+		t.Errorf("ui should still exist: got %v", got["ui"])
+	}
+}
+
+func TestSecureRouting_EmptyKeySkipped(t *testing.T) {
+	defaultRouting := map[string][]string{
+		"": {"Backend Engineer"},
+	}
+	got := mergeCategoryRouting(defaultRouting, nil)
+	if _, exists := got[""]; exists {
+		t.Error("empty key should be skipped")
+	}
+}
+
+func TestSecureRouting_EmptyRolesInDefaultSkipped(t *testing.T) {
+	defaultRouting := map[string][]string{
+		"security": {},
+	}
+	got := mergeCategoryRouting(defaultRouting, nil)
+	if len(got) != 0 {
+		t.Errorf("empty roles in default should be skipped, got %v", got)
+	}
+}
+
+func TestSecureRouting_OriginalMapsUnmodified(t *testing.T) {
+	defaultRouting := map[string][]string{
+		"security": {"Backend Engineer"},
+	}
+	wsRouting := map[string][]string{
+		"ui": {"Frontend Engineer"},
+	}
+	mergeCategoryRouting(defaultRouting, wsRouting)
+	if len(defaultRouting) != 1 || len(defaultRouting["security"]) != 1 {
+		t.Error("default routing should be unmodified after merge")
+	}
+	if len(wsRouting) != 1 {
+		t.Error("ws routing should be unmodified after merge")
+	}
+}
+
+// ── expandWithEnv ─────────────────────────────────────────────────────────────
+//
+// CWE-78 regression tests. The original fix (a3a358f9) ensures that partial
+// variable references like $HOME/path are NOT resolved via os.Getenv — the
+// host HOME env var must not leak into org template values. Only whole-string
+// references ($VAR or ${VAR}) may fall back to the host process environment.
+
+func TestExpandWithEnv_PartialRefDollarHomePath(t *testing.T) {
+	// $HOME/path must NOT resolve to the host's HOME env var.
+	// The literal $HOME must be returned as-is.
+	got := expandWithEnv("$HOME/path", nil)
+	if got != "$HOME/path" {
+		t.Errorf("$HOME/path: got %q, want literal $HOME/path", got)
+	}
+}
+
+func TestExpandWithEnv_PartialRefBracedRoleAdmin(t *testing.T) {
+	// ${ROLE}/admin — ROLE is not in env, so expand to the literal ${ROLE}/admin.
+	got := expandWithEnv("${ROLE}/admin", nil)
+	if got != "${ROLE}/admin" {
+		t.Errorf("${ROLE}/admin: got %q, want literal ${ROLE}/admin", got)
+	}
+}
+
+func TestExpandWithEnv_PartialRefMiddleOfString(t *testing.T) {
+	// $ROLE in the middle of a string — literal, not os.Getenv.
+	got := expandWithEnv("prefix/$ROLE/suffix", nil)
+	if got != "prefix/$ROLE/suffix" {
+		t.Errorf("prefix/$ROLE/suffix: got %q, want literal", got)
+	}
+}
+
+func TestExpandWithEnv_WholeVarInEnv(t *testing.T) {
+	// Whole-string $VAR that IS in env — env value wins.
+	env := map[string]string{"FOO": "barvalue"}
+	got := expandWithEnv("$FOO", env)
+	if got != "barvalue" {
+		t.Errorf("$FOO with FOO=barvalue: got %q, want barvalue", got)
+	}
+}
+
+func TestExpandWithEnv_WholeVarBracedInEnv(t *testing.T) {
+	// Whole-string ${VAR} that IS in env — env value wins.
+	env := map[string]string{"FOO": "barvalue"}
+	got := expandWithEnv("${FOO}", env)
+	if got != "barvalue" {
+		t.Errorf("${FOO} with FOO=barvalue: got %q, want barvalue", got)
+	}
+}
+
+func TestExpandWithEnv_WholeVarNotInEnvBare(t *testing.T) {
+	// Whole-string $VAR not in env — falls back to os.Getenv.
+	// If the host has the var, we get the host value. If not, empty.
+	// At minimum, the result must NOT be the literal "$UNDEFINED_VAR_9Z".
+	got := expandWithEnv("$UNDEFINED_VAR_9Z", nil)
+	if got == "$UNDEFINED_VAR_9Z" {
+		t.Errorf("$UNDEFINED_VAR_9Z: should expand (whole-string fallback to os.Getenv), got literal")
+	}
+}
+
+func TestExpandWithEnv_WholeVarNotInEnvBraced(t *testing.T) {
+	// Whole-string ${VAR} not in env — falls back to os.Getenv.
+	got := expandWithEnv("${UNDEFINED_VAR_9Z}", nil)
+	if got == "${UNDEFINED_VAR_9Z}" {
+		t.Errorf("${UNDEFINED_VAR_9Z}: should expand (whole-string fallback to os.Getenv), got literal")
+	}
+}
+
+func TestExpandWithEnv_EmptyString(t *testing.T) {
+	got := expandWithEnv("", map[string]string{"FOO": "bar"})
+	if got != "" {
+		t.Errorf("empty string: got %q, want empty", got)
+	}
+}
+
+func TestExpandWithEnv_NoVarRefs(t *testing.T) {
+	got := expandWithEnv("plain string with no vars", map[string]string{"FOO": "bar"})
+	if got != "plain string with no vars" {
+		t.Errorf("plain string: got %q, want unchanged", got)
+	}
+}
+
+func TestExpandWithEnv_MultipleVarRefs(t *testing.T) {
+	// Two vars, both whole — both expand from env.
+	env := map[string]string{"A": "alpha", "B": "beta"}
+	got := expandWithEnv("$A and $B and more", env)
+	if got != "alpha and beta and more" {
+		t.Errorf("multiple vars: got %q, want alpha and beta and more", got)
+	}
+}
+
+func TestExpandWithEnv_NumericVarRef(t *testing.T) {
+	// $5 — starts with digit, not a valid identifier start.
+	// Must return the literal "$5", not expand via os.Getenv.
+	got := expandWithEnv("$5", map[string]string{"5": "five"})
+	if got != "$5" {
+		t.Errorf("$5: got %q, want literal $5", got)
+	}
+}
+
+func TestExpandWithEnv_DollarEscape(t *testing.T) {
+	// $$ → both $ written literally (each $ is not followed by an identifier char,
+	// so it is written as-is). No special escape sequence for $$.
+	got := expandWithEnv("$$", nil)
+	if got != "$$" {
+		t.Errorf("$$: got %q, want literal $$", got)
+	}
+}
+
+func TestExpandWithEnv_MixedPartialAndWhole(t *testing.T) {
+	// $A is in env (whole), $HOME is partial — only $A expands.
+	env := map[string]string{"A": "alpha"}
+	got := expandWithEnv("$A at $HOME", env)
+	if got != "alpha at $HOME" {
+		t.Errorf("$A at $HOME: got %q, want alpha at $HOME", got)
+	}
+}
--- a/Show More
+++ b/Show More