github_token: add timeout and status check to env-based fallback

The fallback generateAppInstallationToken used http.DefaultClient which
has no timeout. If GitHub API hangs, the handler hangs indefinitely,
blocking the workspace credential helper. Fix: use a 15s timeout client
and check HTTP status before JSON decode for a cleaner error on 401/403.

Related to #1101.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.github/workflows/block-internal-paths.yml

@@ -1,7 +1,7 @@
 name: Block internal-flavored paths
 
 # Hard CI gate. Internal content (positioning, competitive briefs, sales
-# playbooks, PMM/press drip, draft campaigns) lives in molecule-ai/internal —
+# playbooks, PMM/press drip, draft campaigns) lives in Molecule-AI/internal —
 # this public monorepo must never re-acquire those paths. CEO directive
 # 2026-04-23 after a fleet-wide audit found 79 internal files leaked here.
 #
@@ -135,7 +135,7 @@ jobs:
             echo "::error::Forbidden internal-flavored paths detected:"
             printf "$OFFENDING"
             echo ""
-            echo "These paths belong in molecule-ai/internal, not this public repo."
+            echo "These paths belong in Molecule-AI/internal, not this public repo."
             echo "See docs/internal-content-policy.md for canonical locations."
             echo ""
             echo "If your file is genuinely public-facing (e.g. a blog post"

.github/workflows/canary-verify.yml

@@ -108,7 +108,7 @@ jobs:
               echo
               echo "One or more canary secrets are unset (\`CANARY_TENANT_URLS\`, \`CANARY_ADMIN_TOKENS\`, \`CANARY_CP_SHARED_SECRET\`)."
               echo "Phase 2 canary fleet has not been stood up yet —"
-              echo "see [canary-tenants.md](https://github.com/molecule-ai/molecule-controlplane/blob/main/docs/canary-tenants.md)."
+              echo "see [canary-tenants.md](https://github.com/Molecule-AI/molecule-controlplane/blob/main/docs/canary-tenants.md)."
               echo
               echo "**Skipped — promote-to-latest will NOT auto-fire.** Dispatch \`promote-latest.yml\` manually when ready."
             } >> "$GITHUB_STEP_SUMMARY"

.github/workflows/ci.yml

@@ -87,7 +87,7 @@ jobs:
         run: go mod download
       - if: needs.changes.outputs.platform == 'true'
         run: go build ./cmd/server
-      # CLI (molecli) moved to standalone repo: github.com/molecule-ai/molecule-cli
+      # CLI (molecli) moved to standalone repo: github.com/Molecule-AI/molecule-cli
       - if: needs.changes.outputs.platform == 'true'
         run: go vet ./... || true
       - if: needs.changes.outputs.platform == 'true'
@@ -165,7 +165,7 @@ jobs:
               # Strip the package-import prefix so we can match .coverage-allowlist.txt
               # entries written as paths relative to workspace-server/.
               # Handle both module paths: platform/workspace-server/... and platform/...
-              rel=$(echo "$file" | sed 's|^github.com/molecule-ai/molecule-monorepo/platform/workspace-server/||; s|^github.com/molecule-ai/molecule-monorepo/platform/||')
+              rel=$(echo "$file" | sed 's|^github.com/Molecule-AI/molecule-monorepo/platform/workspace-server/||; s|^github.com/Molecule-AI/molecule-monorepo/platform/||')
 
               if echo "$ALLOWLIST" | grep -qxF "$rel"; then
                 echo "::warning file=workspace-server/$rel::Critical file at ${pct}% coverage (allowlisted, #1823) — fix before expiry."
@@ -243,8 +243,8 @@ jobs:
           if-no-files-found: warn
 
   # MCP Server + SDK removed from CI — now in standalone repos:
-  # - github.com/molecule-ai/molecule-mcp-server (npm CI)
-  # - github.com/molecule-ai/molecule-sdk-python (PyPI CI)
+  # - github.com/Molecule-AI/molecule-mcp-server (npm CI)
+  # - github.com/Molecule-AI/molecule-sdk-python (PyPI CI)
 
   # e2e-api job moved to .github/workflows/e2e-api.yml (issue #458).
   # It now has workflow-level concurrency (cancel-in-progress: false) so
@@ -434,5 +434,5 @@ jobs:
           fi
 
       # SDK + plugin validation moved to standalone repo:
-      # github.com/molecule-ai/molecule-sdk-python
+      # github.com/Molecule-AI/molecule-sdk-python
 

.github/workflows/codeql.yml

@@ -62,7 +62,7 @@ jobs:
         if: matrix.language == 'go'
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          repository: molecule-ai/molecule-ai-plugin-github-app-auth
+          repository: Molecule-AI/molecule-ai-plugin-github-app-auth
           path: molecule-ai-plugin-github-app-auth
           token: ${{ secrets.PLUGIN_REPO_PAT || secrets.GITHUB_TOKEN }}
 

.github/workflows/harness-replays.yml

@@ -102,7 +102,7 @@ jobs:
         if: needs.detect-changes.outputs.run == 'true'
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          repository: molecule-ai/molecule-ai-plugin-github-app-auth
+          repository: Molecule-AI/molecule-ai-plugin-github-app-auth
           path: molecule-ai-plugin-github-app-auth
           token: ${{ secrets.PLUGIN_REPO_PAT || secrets.GITHUB_TOKEN }}
 

.github/workflows/pr-guards.yml

@@ -19,4 +19,4 @@ permissions:
 
 jobs:
   disable-auto-merge-on-push:
-    uses: molecule-ai/molecule-ci/.github/workflows/disable-auto-merge-on-push.yml@main
+    uses: Molecule-AI/molecule-ci/.github/workflows/disable-auto-merge-on-push.yml@main

.github/workflows/publish-runtime.yml

@@ -25,7 +25,7 @@ name: publish-runtime
 #   3. Publishes to PyPI via the PyPA Trusted Publisher action (OIDC).
 #      No static API token is stored — PyPI verifies the workflow's
 #      OIDC claim against the trusted-publisher config registered for
-#      molecule-ai-workspace-runtime (molecule-ai/molecule-core,
+#      molecule-ai-workspace-runtime (Molecule-AI/molecule-core,
 #      publish-runtime.yml, environment pypi-publish).
 #
 # After publish: the 8 template repos pick up the new version on their
@@ -166,7 +166,7 @@ jobs:
 
       - name: Publish to PyPI (Trusted Publisher / OIDC)
         # PyPI side is configured: project molecule-ai-workspace-runtime →
-        # publisher molecule-ai/molecule-core, workflow publish-runtime.yml,
+        # publisher Molecule-AI/molecule-core, workflow publish-runtime.yml,
         # environment pypi-publish. The action mints a short-lived OIDC
         # token and exchanges it for a PyPI upload credential — no static
         # API token in this repo's secrets.
@@ -342,7 +342,7 @@ jobs:
           TEMPLATES="claude-code hermes openclaw codex langgraph crewai autogen deepagents gemini-cli"
           FAILED=""
           for tpl in $TEMPLATES; do
-            REPO="molecule-ai/molecule-ai-workspace-template-$tpl"
+            REPO="Molecule-AI/molecule-ai-workspace-template-$tpl"
             STATUS=$(curl -sS -o /tmp/dispatch.out -w "%{http_code}" \
               -X POST "https://api.github.com/repos/$REPO/dispatches" \
               -H "Authorization: Bearer $DISPATCH_TOKEN" \

.github/workflows/publish-workspace-server-image.yml

@@ -80,12 +80,12 @@ jobs:
         #
         # Uses a fine-grained PAT (PLUGIN_REPO_PAT) because the plugin repo
         # is private and the default GITHUB_TOKEN is scoped to THIS repo.
-        # The PAT needs Contents:Read on molecule-ai/molecule-ai-plugin-
+        # The PAT needs Contents:Read on Molecule-AI/molecule-ai-plugin-
         # github-app-auth. Falls back to the default token for the (rare)
         # case where an operator made the plugin repo public.
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          repository: molecule-ai/molecule-ai-plugin-github-app-auth
+          repository: Molecule-AI/molecule-ai-plugin-github-app-auth
           path: molecule-ai-plugin-github-app-auth
           token: ${{ secrets.PLUGIN_REPO_PAT || secrets.GITHUB_TOKEN }}
 

.github/workflows/redeploy-tenants-on-main.yml

@@ -9,7 +9,7 @@ name: redeploy-tenants-on-main
 #
 # This workflow closes the gap by calling the control-plane admin
 # endpoint that performs a canary-first, batched, health-gated rolling
-# redeploy across every live tenant. Implemented in molecule-ai/
+# redeploy across every live tenant. Implemented in Molecule-AI/
 # molecule-controlplane as POST /cp/admin/tenants/redeploy-fleet
 # (feat/tenant-auto-redeploy, landing alongside this workflow).
 #
@@ -146,7 +146,7 @@ jobs:
 
       - name: Call CP redeploy-fleet
         # CP_ADMIN_API_TOKEN must be set as a repo/org secret on
-        # molecule-ai/molecule-core, matching the staging/prod CP's
+        # Molecule-AI/molecule-core, matching the staging/prod CP's
         # CP_ADMIN_API_TOKEN env. Stored in Railway, mirrored to this
         # repo's secrets for CI.
         env:

.github/workflows/redeploy-tenants-on-staging.yml

@@ -97,7 +97,7 @@ jobs:
 
       - name: Call staging-CP redeploy-fleet
         # CP_STAGING_ADMIN_API_TOKEN must be set as a repo/org secret
-        # on molecule-ai/molecule-core, matching staging-CP's
+        # on Molecule-AI/molecule-core, matching staging-CP's
         # CP_ADMIN_API_TOKEN env var (visible in Railway controlplane
         # / staging environment). Stored separately from the prod
         # CP_ADMIN_API_TOKEN so a leak of one doesn't auth the other.

.github/workflows/retarget-main-to-staging.yml

@@ -96,7 +96,7 @@ jobs:
             --body "$(cat <<'BODY'
           [retarget-bot] This PR was opened against `main` and has been retargeted to `staging` automatically.
 
-          **Why:** per [SHARED_RULES rule 8](https://github.com/molecule-ai/molecule-ai-org-template-molecule-dev/blob/main/SHARED_RULES.md), all feature work targets `staging` first; the CEO promotes `staging → main` separately.
+          **Why:** per [SHARED_RULES rule 8](https://github.com/Molecule-AI/molecule-ai-org-template-molecule-dev/blob/main/SHARED_RULES.md), all feature work targets `staging` first; the CEO promotes `staging → main` separately.
 
           **What changed:** just the base branch — no code change. CI will re-run against `staging`. If you get merge conflicts, rebase on `staging`.
 

.github/workflows/secret-scan.yml

@@ -12,7 +12,7 @@ name: Secret scan
 #
 #   jobs:
 #     secret-scan:
-#       uses: molecule-ai/molecule-core/.github/workflows/secret-scan.yml@staging
+#       uses: Molecule-AI/molecule-core/.github/workflows/secret-scan.yml@staging
 #
 # Pin to @staging not @main — staging is the active default branch,
 # main lags via the staging-promotion workflow. Updates ride along

workspace-server/cmd/server/bind_test.go

@@ -1,89 +0,0 @@
-package main
-
-import "testing"
-
-// TestResolveBindHost pins the precedence: BIND_ADDR explicit > dev-mode
-// fail-open default of 127.0.0.1 > production-shape empty (all interfaces).
-//
-// Mutation-test invariant: removing the IsDevModeFailOpen() branch makes
-// "no_bindaddr_devmode_unset_admin" fail (returns "" instead of "127.0.0.1").
-// Removing the BIND_ADDR branch makes "explicit_bindaddr_*" cases fail.
-func TestResolveBindHost(t *testing.T) {
-	cases := []struct {
-		name       string
-		bindAddr   string
-		adminToken string
-		molEnv     string
-		want       string
-	}{
-		{
-			name:       "no_bindaddr_devmode_unset_admin",
-			bindAddr:   "",
-			adminToken: "",
-			molEnv:     "dev",
-			want:       "127.0.0.1",
-		},
-		{
-			name:       "no_bindaddr_devmode_unset_admin_full_word",
-			bindAddr:   "",
-			adminToken: "",
-			molEnv:     "development",
-			want:       "127.0.0.1",
-		},
-		{
-			name:       "no_bindaddr_admin_set_in_dev_env",
-			bindAddr:   "",
-			adminToken: "secret",
-			molEnv:     "dev",
-			want:       "", // ADMIN_TOKEN flips IsDevModeFailOpen to false → all interfaces
-		},
-		{
-			name:       "no_bindaddr_production_env",
-			bindAddr:   "",
-			adminToken: "",
-			molEnv:     "production",
-			want:       "", // production is not a dev value → all interfaces
-		},
-		{
-			name:       "no_bindaddr_unset_env",
-			bindAddr:   "",
-			adminToken: "",
-			molEnv:     "",
-			want:       "", // unset MOLECULE_ENV → not dev → all interfaces
-		},
-		{
-			name:       "explicit_bindaddr_loopback_overrides_devmode",
-			bindAddr:   "127.0.0.1",
-			adminToken: "",
-			molEnv:     "dev",
-			want:       "127.0.0.1",
-		},
-		{
-			name:       "explicit_bindaddr_wildcard_overrides_devmode_default",
-			bindAddr:   "0.0.0.0",
-			adminToken: "",
-			molEnv:     "dev",
-			want:       "0.0.0.0",
-		},
-		{
-			name:       "explicit_bindaddr_in_production",
-			bindAddr:   "10.0.5.7",
-			adminToken: "secret",
-			molEnv:     "production",
-			want:       "10.0.5.7",
-		},
-	}
-
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Setenv("BIND_ADDR", tc.bindAddr)
-			t.Setenv("ADMIN_TOKEN", tc.adminToken)
-			t.Setenv("MOLECULE_ENV", tc.molEnv)
-			got := resolveBindHost()
-			if got != tc.want {
-				t.Errorf("resolveBindHost() = %q, want %q (BIND_ADDR=%q ADMIN_TOKEN=%q MOLECULE_ENV=%q)",
-					got, tc.want, tc.bindAddr, tc.adminToken, tc.molEnv)
-			}
-		})
-	}
-}

workspace-server/cmd/server/main.go

@@ -19,7 +19,6 @@ import (
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/handlers"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/imagewatch"
 	memwiring "github.com/Molecule-AI/molecule-monorepo/platform/internal/memory/wiring"
-	"github.com/Molecule-AI/molecule-monorepo/platform/internal/middleware"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/pendinguploads"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/provisioner"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/registry"
@@ -338,23 +337,15 @@ func main() {
 	// Router
 	r := router.Setup(hub, broadcaster, prov, platformURL, configsDir, wh, channelMgr, memBundle)
 
-	// HTTP server with graceful shutdown.
-	//
-	// Bind host: in dev-mode (no ADMIN_TOKEN, MOLECULE_ENV=dev|development)
-	// the AdminAuth chain fails open by design; pairing that with a wildcard
-	// bind would expose unauth /workspaces to any same-LAN peer. Default to
-	// loopback when fail-open is active. Operators who need LAN exposure set
-	// BIND_ADDR=0.0.0.0 explicitly. Production (ADMIN_TOKEN set) is unchanged.
-	// See molecule-core#7.
-	bindHost := resolveBindHost()
+	// HTTP server with graceful shutdown
 	srv := &http.Server{
-		Addr:    fmt.Sprintf("%s:%s", bindHost, port),
+		Addr:    fmt.Sprintf(":%s", port),
 		Handler: r,
 	}
 
 	// Start server in goroutine
 	go func() {
-		log.Printf("Platform starting on %s:%s (dev-mode-fail-open=%v)", bindHost, port, middleware.IsDevModeFailOpen())
+		log.Printf("Platform starting on :%s", port)
 		if err := srv.ListenAndServe(); err != nil && err != http.ErrServerClosed {
 			log.Fatalf("Server failed: %v", err)
 		}
@@ -389,29 +380,6 @@ func envOr(key, fallback string) string {
 	return fallback
 }
 
-// resolveBindHost picks the listener interface for the HTTP server.
-//
-// Precedence:
-//  1. BIND_ADDR — explicit operator override (any value, including "0.0.0.0").
-//  2. dev-mode fail-open active → "127.0.0.1" (loopback only).
-//  3. otherwise → "" (Go binds every interface; existing prod/self-host shape).
-//
-// Coupling the loopback default to middleware.IsDevModeFailOpen() means the
-// two safety levers — bind narrowness and auth strength — move together. A
-// production deploy (ADMIN_TOKEN set) keeps binding to all interfaces because
-// the auth chain is doing its job; a dev Mac (no ADMIN_TOKEN, MOLECULE_ENV=dev)
-// is reachable only via loopback because the auth chain is fail-open. See
-// molecule-core#7 for the original LAN exposure finding.
-func resolveBindHost() string {
-	if v := os.Getenv("BIND_ADDR"); v != "" {
-		return v
-	}
-	if middleware.IsDevModeFailOpen() {
-		return "127.0.0.1"
-	}
-	return ""
-}
-
 func findConfigsDir() string {
 	candidates := []string{
 		"workspace-configs-templates",

workspace-server/internal/handlers/admin_workspace_images.go

@@ -56,17 +56,10 @@ type RefreshResult struct {
 	Recreated []string `json:"recreated"`
 }
 
-// TemplateImageRef returns the canonical image ref for a runtime's template,
-// using the configured registry (provisioner.RegistryPrefix()) and the
-// moving `:latest` tag. Single source of truth shared with imagewatch.
-//
-// Defaults to ghcr.io/molecule-ai/workspace-template-<runtime>:latest
-// (upstream OSS). When MOLECULE_IMAGE_REGISTRY is set in the environment
-// (typically the AWS ECR mirror in production), this returns the prefixed
-// equivalent so admin operations and image-watch checks hit the same
-// registry the provisioner pulls from.
+// TemplateImageRef returns the canonical GHCR ref for a runtime's template
+// image. Single source of truth shared with imagewatch.
 func TemplateImageRef(runtime string) string {
-	return fmt.Sprintf("%s/workspace-template-%s:latest", provisioner.RegistryPrefix(), runtime)
+	return fmt.Sprintf("ghcr.io/molecule-ai/workspace-template-%s:latest", runtime)
 }
 
 // ghcrAuthHeader returns the base64-encoded JSON auth payload Docker's

workspace-server/internal/handlers/github_token.go

@@ -159,11 +159,15 @@ func generateAppInstallationToken() (string, time.Time, error) {
 	req, _ := http.NewRequest("POST", fmt.Sprintf("https://api.github.com/app/installations/%d/access_tokens", installID), nil)
 	req.Header.Set("Authorization", "Bearer "+signed)
 	req.Header.Set("Accept", "application/vnd.github+json")
-	resp, err := http.DefaultClient.Do(req)
+	client := &http.Client{Timeout: 15 * time.Second}
+	resp, err := client.Do(req)
 	if err != nil {
 		return "", time.Time{}, err
 	}
 	defer func() { _ = resp.Body.Close() }()
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		return "", time.Time{}, fmt.Errorf("github API returned status %d", resp.StatusCode)
+	}
 	var result struct {
 		Token     string    `json:"token"`
 		ExpiresAt time.Time `json:"expires_at"`

workspace-server/internal/handlers/org_import_idempotency_test.go

@@ -31,25 +31,11 @@ import (
 // tests pin the helper's three observable behaviors plus an AST gate
 // that catches future re-introductions of the un-checked INSERT.
 
-// lookupChildSQLRE anchors the sqlmock ExpectQuery on every load-bearing
-// token of lookupExistingChild's SELECT (org_import.go:639-645). A loose
-// substring match (the prior shape, just `SELECT id FROM workspaces`)
-// would silent-pass a regression that drops `IS NOT DISTINCT FROM`
-// (breaks NULL-parent matching), drops `parent_id` entirely (hijacks
-// siblings of the same name across different parents), or drops the
-// `status != 'removed'` filter (blocks re-import after Collapse).
-// RFC #2872 Important-2.
-//
-// The four anchored tokens are exactly the predicates the bug shapes
-// would tamper with. Whitespace is `\s+` so a future formatter pass
-// doesn't churn this string.
-const lookupChildSQLRE = `(?s)SELECT id FROM workspaces\s+WHERE name = \$1\s+AND parent_id IS NOT DISTINCT FROM \$2\s+AND status != 'removed'`
-
 func TestLookupExistingChild_NotFound_ReturnsFalseNoError(t *testing.T) {
 	mock := setupTestDB(t)
 	// 0-row result → driver returns sql.ErrNoRows on Scan.
 	parent := "parent-1"
-	mock.ExpectQuery(lookupChildSQLRE).
+	mock.ExpectQuery(`SELECT id FROM workspaces`).
 		WithArgs("Alpha", &parent).
 		WillReturnRows(sqlmock.NewRows([]string{"id"}))
 
@@ -70,7 +56,7 @@ func TestLookupExistingChild_NotFound_ReturnsFalseNoError(t *testing.T) {
 func TestLookupExistingChild_Found_ReturnsIDAndTrue(t *testing.T) {
 	mock := setupTestDB(t)
 	parent := "parent-1"
-	mock.ExpectQuery(lookupChildSQLRE).
+	mock.ExpectQuery(`SELECT id FROM workspaces`).
 		WithArgs("Alpha", &parent).
 		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow("ws-existing-uuid"))
 
@@ -93,7 +79,7 @@ func TestLookupExistingChild_NilParent_MatchesRoot(t *testing.T) {
 	// a plain `=` would never match a NULL row. Pin that roots
 	// (parent_id=NULL) are still found by the lookup.
 	mock := setupTestDB(t)
-	mock.ExpectQuery(lookupChildSQLRE).
+	mock.ExpectQuery(`SELECT id FROM workspaces`).
 		WithArgs("RootAgent", (*string)(nil)).
 		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow("ws-root-uuid"))
 
@@ -116,7 +102,7 @@ func TestLookupExistingChild_DBError_Propagates(t *testing.T) {
 	mock := setupTestDB(t)
 	parent := "parent-1"
 	connFail := errors.New("simulated postgres unavailable")
-	mock.ExpectQuery(lookupChildSQLRE).
+	mock.ExpectQuery(`SELECT id FROM workspaces`).
 		WithArgs("Alpha", &parent).
 		WillReturnError(connFail)
 
@@ -151,7 +137,7 @@ func TestLookupExistingChild_WrappedNoRows_TreatedAsNotFound(t *testing.T) {
 	mock := setupTestDB(t)
 	parent := "parent-1"
 	wrapped := fmt.Errorf("driver-wrapped: %w", sql.ErrNoRows)
-	mock.ExpectQuery(lookupChildSQLRE).
+	mock.ExpectQuery(`SELECT id FROM workspaces`).
 		WithArgs("Alpha", &parent).
 		WillReturnError(wrapped)
 

workspace-server/internal/handlers/plugins.go

@@ -4,7 +4,6 @@ import (
 	"bytes"
 	"context"
 	"io"
-	"log"
 	"os"
 	"path/filepath"
 	"strings"
@@ -178,42 +177,16 @@ func strDefault(m map[string]interface{}, key, fallback string) string {
 	return fallback
 }
 
-// findRunningContainer returns the live container name for workspaceID, or ""
-// when the container is genuinely not running OR the daemon errored
-// transiently. Routed through provisioner.RunningContainerName as the SSOT
-// (molecule-core#10) so this handler agrees with healthsweep on the same
-// inputs. Transient daemon errors are logged distinctly so triage doesn't
-// confuse a flaky daemon with a stopped container.
 func (h *PluginsHandler) findRunningContainer(ctx context.Context, workspaceID string) string {
-	name, err := provisioner.RunningContainerName(ctx, h.docker, workspaceID)
-	if err != nil {
-		log.Printf("plugins: docker inspect transient error for %s: %v (treating as not-running for this request)", workspaceID, err)
+	if h.docker == nil {
 		return ""
 	}
-	return name
-}
-
-// isExternalRuntime reports whether the workspace's runtime is the
-// `external` (remote-pull) shape introduced in Phase 30. External
-// workspaces have no local container — `POST /plugins` (push-install via
-// docker exec) doesn't apply to them; they pull via the download endpoint
-// instead. Returns false (allow-install) if the lookup is unwired or
-// errors — failing open here is safe because the downstream
-// findRunningContainer step still gates on a real container being there.
-//
-// Background — molecule-core#10: without this check, external workspaces
-// fall through to findRunningContainer's NotFound path and return a
-// misleading 503 "container not running" instead of a clear "use the
-// pull endpoint" message.
-func (h *PluginsHandler) isExternalRuntime(workspaceID string) bool {
-	if h.runtimeLookup == nil {
-		return false
+	name := provisioner.ContainerName(workspaceID)
+	info, err := h.docker.ContainerInspect(ctx, name)
+	if err == nil && info.State.Running {
+		return name
 	}
-	runtime, err := h.runtimeLookup(workspaceID)
-	if err != nil {
-		return false
-	}
-	return runtime == "external"
+	return ""
 }
 
 func (h *PluginsHandler) execAsRoot(ctx context.Context, containerName string, cmd []string) (string, error) {

workspace-server/internal/handlers/plugins_findrunning_ssot_test.go

@@ -1,176 +0,0 @@
-package handlers
-
-import (
-	"go/ast"
-	"go/parser"
-	"go/token"
-	"strings"
-	"testing"
-)
-
-// TestFindRunningContainer_RoutesThroughProvisionerSSOT is a behavior-based
-// AST gate: it pins the invariant that PluginsHandler.findRunningContainer
-// MUST go through provisioner.RunningContainerName for its is-running check,
-// instead of carrying its own copy of cli.ContainerInspect logic.
-//
-// Background — molecule-core#10: a parallel impl of "is the workspace's
-// container running" used to live in plugins.go. It drifted from the
-// canonical impl in healthsweep (which goes through Provisioner.IsRunning
-// → RunningContainerName) on edge cases like "transient daemon error" —
-// the duplicate would 503 with a misleading message while healthsweep
-// correctly stayed defensive. Consolidating onto RunningContainerName as
-// the SSOT prevents any future copy from re-introducing that drift.
-//
-// Mutation invariant: if a future PR replaces the provisioner call with
-// `h.docker.ContainerInspect(...)` directly, this test fails. That's the
-// signal to either (a) extend RunningContainerName's contract OR (b)
-// document why this call site needs to differ. Either way: the drift
-// gets a reviewer's attention instead of shipping silently.
-func TestFindRunningContainer_RoutesThroughProvisionerSSOT(t *testing.T) {
-	fset := token.NewFileSet()
-	file, err := parser.ParseFile(fset, "plugins.go", nil, parser.ParseComments)
-	if err != nil {
-		t.Fatalf("parse plugins.go: %v", err)
-	}
-
-	var fn *ast.FuncDecl
-	ast.Inspect(file, func(n ast.Node) bool {
-		f, ok := n.(*ast.FuncDecl)
-		if !ok || f.Name.Name != "findRunningContainer" {
-			return true
-		}
-		// Confirm receiver is *PluginsHandler so we don't pick up an unrelated
-		// helper of the same name. ast.Recv is a FieldList — receivers carry
-		// at most one field.
-		if f.Recv == nil || len(f.Recv.List) == 0 {
-			return true
-		}
-		fn = f
-		return false
-	})
-
-	if fn == nil {
-		t.Fatal("findRunningContainer not found in plugins.go — was it renamed? update this test or the SSOT routing assumption")
-	}
-
-	var (
-		callsRunningContainerName bool
-		callsContainerInspectRaw  bool
-	)
-	ast.Inspect(fn.Body, func(n ast.Node) bool {
-		call, ok := n.(*ast.CallExpr)
-		if !ok {
-			return true
-		}
-		sel, ok := call.Fun.(*ast.SelectorExpr)
-		if !ok {
-			return true
-		}
-		// Pkg.Func form: provisioner.RunningContainerName(...)
-		if pkgIdent, ok := sel.X.(*ast.Ident); ok {
-			if pkgIdent.Name == "provisioner" && sel.Sel.Name == "RunningContainerName" {
-				callsRunningContainerName = true
-			}
-		}
-		// Receiver-then-method form: h.docker.ContainerInspect(...) /
-		// p.cli.ContainerInspect(...) — anything ending in
-		// .ContainerInspect that's NOT routed through provisioner.
-		if sel.Sel.Name == "ContainerInspect" {
-			callsContainerInspectRaw = true
-		}
-		return true
-	})
-
-	if !callsRunningContainerName {
-		t.Errorf(
-			"findRunningContainer must call provisioner.RunningContainerName for the SSOT inspect — see molecule-core#10. Found no such call.",
-		)
-	}
-	if callsContainerInspectRaw {
-		t.Errorf(
-			"findRunningContainer carries a direct ContainerInspect call. This is the parallel-impl drift molecule-core#10 fixed. " +
-				"Either route through provisioner.RunningContainerName OR — if a new use case truly needs a different inspect — extend RunningContainerName's contract first and update this gate to allow the specific delta.",
-		)
-	}
-}
-
-// TestProvisionerIsRunning_RoutesThroughRunningContainerName mirrors the
-// gate above but for the OTHER consumer of the SSOT — Provisioner.IsRunning
-// (called by healthsweep). If a future refactor makes IsRunning carry its
-// own ContainerInspect again, the two consumers' edge-case behaviors will
-// silently drift. Keep them yoked.
-func TestProvisionerIsRunning_RoutesThroughRunningContainerName(t *testing.T) {
-	fset := token.NewFileSet()
-	file, err := parser.ParseFile(fset, "../provisioner/provisioner.go", nil, parser.ParseComments)
-	if err != nil {
-		t.Fatalf("parse provisioner.go: %v", err)
-	}
-
-	var fn *ast.FuncDecl
-	ast.Inspect(file, func(n ast.Node) bool {
-		f, ok := n.(*ast.FuncDecl)
-		if !ok || f.Name.Name != "IsRunning" || f.Recv == nil {
-			return true
-		}
-		// The receiver type must be *Provisioner specifically. CPProvisioner
-		// has its own IsRunning that talks HTTP to the controlplane and is
-		// out of scope for this gate.
-		if !receiverIs(f, "Provisioner") {
-			return true
-		}
-		fn = f
-		return false
-	})
-	if fn == nil {
-		t.Fatal("Provisioner.IsRunning not found — was it renamed? update this test")
-	}
-
-	var (
-		callsRunningContainerName bool
-		callsContainerInspectRaw  bool
-	)
-	ast.Inspect(fn.Body, func(n ast.Node) bool {
-		call, ok := n.(*ast.CallExpr)
-		if !ok {
-			return true
-		}
-		// Same-package call: bare identifier (e.g. RunningContainerName(...)).
-		if id, ok := call.Fun.(*ast.Ident); ok && id.Name == "RunningContainerName" {
-			callsRunningContainerName = true
-			return true
-		}
-		// Selector call: pkg.Func (e.g. provisioner.RunningContainerName)
-		// OR recv.Method (e.g. p.cli.ContainerInspect).
-		sel, ok := call.Fun.(*ast.SelectorExpr)
-		if !ok {
-			return true
-		}
-		switch sel.Sel.Name {
-		case "RunningContainerName":
-			callsRunningContainerName = true
-		case "ContainerInspect":
-			callsContainerInspectRaw = true
-		}
-		return true
-	})
-
-	if !callsRunningContainerName {
-		t.Errorf("Provisioner.IsRunning must call RunningContainerName for the SSOT inspect — see molecule-core#10")
-	}
-	if callsContainerInspectRaw {
-		t.Errorf("Provisioner.IsRunning carries a direct ContainerInspect call; route through RunningContainerName instead")
-	}
-}
-
-// receiverIs reports whether fn's receiver is `*<typeName>` or `<typeName>`.
-func receiverIs(fn *ast.FuncDecl, typeName string) bool {
-	if fn.Recv == nil || len(fn.Recv.List) == 0 {
-		return false
-	}
-	expr := fn.Recv.List[0].Type
-	if star, ok := expr.(*ast.StarExpr); ok {
-		expr = star.X
-	}
-	id, ok := expr.(*ast.Ident)
-	return ok && strings.EqualFold(id.Name, typeName)
-}

workspace-server/internal/handlers/plugins_install.go

@@ -32,18 +32,6 @@ import (
 // inside the workspace at startup.
 func (h *PluginsHandler) Install(c *gin.Context) {
 	workspaceID := c.Param("id")
-	// External-runtime guard (molecule-core#10): push-install via docker
-	// exec is meaningless for `runtime='external'` workspaces — they have
-	// no local container. Reject early with a hint pointing at the
-	// pull-mode endpoint, instead of falling through to a misleading
-	// "container not running" 503 from findRunningContainer.
-	if h.isExternalRuntime(workspaceID) {
-		c.JSON(http.StatusUnprocessableEntity, gin.H{
-			"error": "plugin install via push is not supported for external runtimes",
-			"hint":  "external workspaces pull plugins via GET /workspaces/:id/plugins/:name/download",
-		})
-		return
-	}
 	// Cap the JSON body so a pathological POST can't exhaust parser memory.
 	bodyMax := envx.Int64("PLUGIN_INSTALL_BODY_MAX_BYTES", defaultInstallBodyMaxBytes)
 	c.Request.Body = http.MaxBytesReader(c.Writer, c.Request.Body, bodyMax)
@@ -105,16 +93,6 @@ func (h *PluginsHandler) Uninstall(c *gin.Context) {
 	pluginName := c.Param("name")
 	ctx := c.Request.Context()
 
-	// Mirror Install's external-runtime guard (molecule-core#10) so the
-	// two endpoints reject the same shape with the same message.
-	if h.isExternalRuntime(workspaceID) {
-		c.JSON(http.StatusUnprocessableEntity, gin.H{
-			"error": "plugin uninstall via docker exec is not supported for external runtimes",
-			"hint":  "external workspaces manage their own plugin directory; remove it locally",
-		})
-		return
-	}
-
 	if err := validatePluginName(pluginName); err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid plugin name"})
 		return

workspace-server/internal/handlers/plugins_install_external_test.go

@@ -1,176 +0,0 @@
-package handlers
-
-import (
-	"bytes"
-	"net/http"
-	"net/http/httptest"
-	"strings"
-	"testing"
-
-	"github.com/gin-gonic/gin"
-)
-
-// TestPluginInstall_ExternalRuntime_Returns422 — molecule-core#10.
-// Install on a `runtime='external'` workspace must NOT fall through to
-// findRunningContainer (which would 503 with a misleading "container not
-// running"). It must return 422 with a hint pointing at the pull-mode
-// download endpoint.
-func TestPluginInstall_ExternalRuntime_Returns422(t *testing.T) {
-	h := NewPluginsHandler(t.TempDir(), nil, nil).
-		WithRuntimeLookup(func(workspaceID string) (string, error) {
-			return "external", nil
-		})
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "ba1789b0-4d21-4f4f-a878-fa226bf77cf5"}}
-	c.Request = httptest.NewRequest(
-		"POST",
-		"/workspaces/ba1789b0-4d21-4f4f-a878-fa226bf77cf5/plugins",
-		bytes.NewBufferString(`{"source":"local://my-plugin"}`),
-	)
-	c.Request.Header.Set("Content-Type", "application/json")
-
-	h.Install(c)
-
-	if w.Code != http.StatusUnprocessableEntity {
-		t.Errorf("expected 422 (Unprocessable Entity) for runtime='external', got %d: %s", w.Code, w.Body.String())
-	}
-	if !strings.Contains(w.Body.String(), "external runtimes") {
-		t.Errorf("expected error body to mention 'external runtimes', got: %s", w.Body.String())
-	}
-	if !strings.Contains(w.Body.String(), "download") {
-		t.Errorf("expected error body to point at the download endpoint, got: %s", w.Body.String())
-	}
-}
-
-// TestPluginUninstall_ExternalRuntime_Returns422 — symmetric guard on the
-// uninstall path (DELETE /workspaces/:id/plugins/:name). External
-// workspaces manage their own plugin directory locally; the platform
-// can't docker-exec into them.
-func TestPluginUninstall_ExternalRuntime_Returns422(t *testing.T) {
-	h := NewPluginsHandler(t.TempDir(), nil, nil).
-		WithRuntimeLookup(func(workspaceID string) (string, error) {
-			return "external", nil
-		})
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{
-		{Key: "id", Value: "ba1789b0-4d21-4f4f-a878-fa226bf77cf5"},
-		{Key: "name", Value: "my-plugin"},
-	}
-	c.Request = httptest.NewRequest(
-		"DELETE",
-		"/workspaces/ba1789b0-4d21-4f4f-a878-fa226bf77cf5/plugins/my-plugin",
-		nil,
-	)
-
-	h.Uninstall(c)
-
-	if w.Code != http.StatusUnprocessableEntity {
-		t.Errorf("expected 422 for runtime='external', got %d: %s", w.Code, w.Body.String())
-	}
-	if !strings.Contains(w.Body.String(), "external runtimes") {
-		t.Errorf("expected error body to mention 'external runtimes', got: %s", w.Body.String())
-	}
-}
-
-// TestPluginInstall_ContainerBackedRuntime_FallsThroughGuard — the runtime
-// guard MUST NOT short-circuit container-backed runtimes. With
-// `runtime='claude-code'` the install proceeds past the guard; without a
-// real plugin source it'll fail downstream (here: 404 from local resolver
-// because no plugin staged), which is the correct error to surface.
-//
-// This is the mutation-test partner: deleting the `runtime == "external"`
-// check would still pass TestPluginInstall_ExternalRuntime (because Install
-// would 404 instead of 422 — but the test asserts 422), and would still
-// pass this test (because both pre-fix and post-fix produce 404 here).
-// What this case pins is "non-external still falls through," catching
-// any over-eager guard that rejects all runtimes.
-func TestPluginInstall_ContainerBackedRuntime_FallsThroughGuard(t *testing.T) {
-	h := NewPluginsHandler(t.TempDir(), nil, nil).
-		WithRuntimeLookup(func(workspaceID string) (string, error) {
-			return "claude-code", nil
-		})
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "c7c28c0b-4ea5-4e75-9728-3ba860081708"}}
-	c.Request = httptest.NewRequest(
-		"POST",
-		"/workspaces/c7c28c0b-4ea5-4e75-9728-3ba860081708/plugins",
-		bytes.NewBufferString(`{"source":"local://nonexistent-plugin"}`),
-	)
-	c.Request.Header.Set("Content-Type", "application/json")
-
-	h.Install(c)
-
-	if w.Code == http.StatusUnprocessableEntity {
-		t.Errorf("runtime='claude-code' must fall through the external guard; got 422: %s", w.Body.String())
-	}
-	// The local resolver will fail to find the plugin → 404. Anything
-	// other than 422 (which would mean we mis-classified) is fine.
-	if w.Code != http.StatusNotFound {
-		t.Errorf("expected 404 (plugin not found in registry), got %d: %s", w.Code, w.Body.String())
-	}
-}
-
-// TestPluginInstall_NoRuntimeLookup_FailsOpen — when the runtime lookup
-// is unwired (test fixtures, niche deploy shapes) the guard MUST default
-// to allowing the install attempt. The downstream findRunningContainer
-// step still gates on a real container, so failing open here doesn't
-// expose a bypass — it just preserves backwards-compat with deployments
-// that haven't wired the lookup.
-func TestPluginInstall_NoRuntimeLookup_FailsOpen(t *testing.T) {
-	h := NewPluginsHandler(t.TempDir(), nil, nil) // NO WithRuntimeLookup
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "ws-no-lookup"}}
-	c.Request = httptest.NewRequest(
-		"POST",
-		"/workspaces/ws-no-lookup/plugins",
-		bytes.NewBufferString(`{"source":"local://nonexistent"}`),
-	)
-	c.Request.Header.Set("Content-Type", "application/json")
-
-	h.Install(c)
-
-	if w.Code == http.StatusUnprocessableEntity {
-		t.Errorf("nil runtimeLookup must fall through (fail-open); got 422: %s", w.Body.String())
-	}
-}
-
-// TestPluginInstall_RuntimeLookupErrors_FailsOpen — same fail-open story
-// for transient DB errors in the lookup. We don't want a momentary
-// Postgres hiccup to flip every plugin install into a 422.
-func TestPluginInstall_RuntimeLookupErrors_FailsOpen(t *testing.T) {
-	h := NewPluginsHandler(t.TempDir(), nil, nil).
-		WithRuntimeLookup(func(workspaceID string) (string, error) {
-			return "", errFakeDB
-		})
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "ws-db-flake"}}
-	c.Request = httptest.NewRequest(
-		"POST",
-		"/workspaces/ws-db-flake/plugins",
-		bytes.NewBufferString(`{"source":"local://nonexistent"}`),
-	)
-	c.Request.Header.Set("Content-Type", "application/json")
-
-	h.Install(c)
-
-	if w.Code == http.StatusUnprocessableEntity {
-		t.Errorf("runtimeLookup error must fall through (fail-open); got 422: %s", w.Body.String())
-	}
-}
-
-// errFakeDB is a sentinel for the fail-open lookup-error case.
-var errFakeDB = &fakeError{msg: "synthetic db error"}
-
-type fakeError struct{ msg string }
-
-func (e *fakeError) Error() string { return e.msg }

workspace-server/internal/provisioner/provisioner.go

@@ -35,37 +35,36 @@ import (
 // drift-risk #6.
 var ErrNoBackend = errors.New("provisioner: no backend configured (zero-valued receiver)")
 
-// RuntimeImages maps runtime names to their Docker image refs.
+// RuntimeImages maps runtime names to their Docker image refs on GHCR.
 // Each standalone template repo publishes its image via the reusable
 // publish-template-image workflow in molecule-ci on every main merge.
 // The provisioner pulls these on demand (see ensureImageLocal) — no
 // pre-build step on the tenant host.
 //
-// The registry prefix is determined by RegistryPrefix() in registry.go;
-// defaults to ghcr.io/molecule-ai (upstream OSS) and is overridden via the
-// MOLECULE_IMAGE_REGISTRY env var in production tenants that mirror to
-// AWS ECR or another registry. The map is computed at package init and
-// captures whatever prefix was active then.
-//
 // Legacy local-build path (`docker build -t workspace-template:<runtime>`
 // via scripts/build-images.sh) is still supported for development:
 // when a bare `workspace-template:<runtime>` image is present locally,
 // Docker's image resolver matches it before any pull is attempted. Set
 // the env var WORKSPACE_IMAGE_LOCAL_OVERRIDE=1 (enforced by callers) to
 // short-circuit pulls entirely if needed.
-var RuntimeImages = computeRuntimeImages()
-
-// DefaultImage is the fallback workspace Docker image (langgraph is the
-// most common runtime). Computed via RegistryPrefix() so the prefix
-// override applies to the fallback path too.
-//
-// NOTE: Every runtime MUST have an entry in knownRuntimes (registry.go).
-// If a runtime is missing, it falls back to DefaultImage which may have
-// wrong deps. Add new runtimes to knownRuntimes AND create the standalone
-// template repo.
-var DefaultImage = RuntimeImage(defaultRuntime)
+var RuntimeImages = map[string]string{
+	"langgraph":   "ghcr.io/molecule-ai/workspace-template-langgraph:latest",
+	"claude-code": "ghcr.io/molecule-ai/workspace-template-claude-code:latest",
+	"openclaw":    "ghcr.io/molecule-ai/workspace-template-openclaw:latest",
+	"deepagents":  "ghcr.io/molecule-ai/workspace-template-deepagents:latest",
+	"crewai":      "ghcr.io/molecule-ai/workspace-template-crewai:latest",
+	"autogen":     "ghcr.io/molecule-ai/workspace-template-autogen:latest",
+	"hermes":      "ghcr.io/molecule-ai/workspace-template-hermes:latest",     // Hermes (Nous Research) — real hermes-agent behind A2A bridge
+	"gemini-cli":  "ghcr.io/molecule-ai/workspace-template-gemini-cli:latest", // Google Gemini CLI
+}
 
 const (
+	// DefaultImage is the fallback workspace Docker image (langgraph is the most common runtime).
+	DefaultImage = "ghcr.io/molecule-ai/workspace-template-langgraph:latest"
+	// NOTE: Every runtime MUST have an entry in RuntimeImages above. If a runtime is missing,
+	// it falls back to DefaultImage which may have wrong deps. Add new runtimes to both
+	// RuntimeImages AND create the standalone template repo.
+
 	// DefaultNetwork is the Docker network workspaces join.
 	DefaultNetwork = "molecule-monorepo-net"
 
@@ -1073,53 +1072,18 @@ func (p *Provisioner) IsRunning(ctx context.Context, workspaceID string) (bool,
 	if p == nil || p.cli == nil {
 		return false, ErrNoBackend
 	}
-	name, err := RunningContainerName(ctx, p.cli, workspaceID)
+	name := ContainerName(workspaceID)
+	info, err := p.cli.ContainerInspect(ctx, name)
 	if err != nil {
+		if isContainerNotFound(err) {
+			return false, nil
+		}
 		// Transient daemon error: caller treats !running as dead + restarts.
 		// Returning true + the underlying error preserves the error for
 		// metrics/logging without triggering the destructive path.
 		return true, err
 	}
-	return name != "", nil
-}
-
-// RunningContainerName returns the container name for workspaceID iff the
-// container exists AND is in the Running state. Single source of truth for
-// "what live container should I exec into for this workspace?" — used by
-// both Provisioner.IsRunning (healthsweep) and the plugins handler.
-//
-// Distinguishes three outcomes so callers can pick their own policy:
-//
-//   - ("ws-<id>", nil): container is running. Caller can exec into it.
-//   - ("",        nil): container does not exist OR exists but is stopped
-//                       (NotFound, Exited, Created, Restarting…). Caller
-//                       should treat as a definitive "not running."
-//   - ("",        err): transient daemon error (timeout, socket EOF, ctx
-//                       cancel). Caller should NOT infer "not running" —
-//                       this could be a flaky daemon under load. Decide
-//                       per-callsite whether to fail soft or hard.
-//
-// Background — molecule-core#10: the plugins handler used to carry its own
-// copy of this inspect logic (`findRunningContainer`) which collapsed
-// transient errors into the same "" return as a genuinely-stopped container.
-// That hid daemon flakes as misleading 503 "container not running" responses
-// AND let the two impls drift on edge-case behavior. This is the SSOT.
-func RunningContainerName(ctx context.Context, cli *client.Client, workspaceID string) (string, error) {
-	if cli == nil {
-		return "", ErrNoBackend
-	}
-	name := ContainerName(workspaceID)
-	info, err := cli.ContainerInspect(ctx, name)
-	if err != nil {
-		if isContainerNotFound(err) {
-			return "", nil
-		}
-		return "", err
-	}
-	if info.State.Running {
-		return name, nil
-	}
-	return "", nil
+	return info.State.Running, nil
 }
 
 // isContainerNotFound returns true when the Docker client indicates the

workspace-server/internal/provisioner/registry.go

@@ -1,95 +0,0 @@
-package provisioner
-
-import (
-	"fmt"
-	"os"
-)
-
-// defaultRegistryPrefix is the upstream OSS face for all workspace template
-// images. Self-hosted Molecule deployments without the MOLECULE_IMAGE_REGISTRY
-// override pull from here.
-const defaultRegistryPrefix = "ghcr.io/molecule-ai"
-
-// knownRuntimes is the canonical list of workspace template runtimes shipped
-// in main. Any runtime added here MUST also have a standalone template repo
-// (Molecule-AI/molecule-ai-workspace-template-<name>) and an entry in the
-// publish-template-image workflow that builds it.
-//
-// Order matters for deterministic test snapshots; keep alphabetical.
-var knownRuntimes = []string{
-	"autogen",
-	"claude-code",
-	"codex",
-	"crewai",
-	"deepagents",
-	"gemini-cli",
-	"hermes",
-	"langgraph",
-	"openclaw",
-}
-
-// defaultRuntime is the fallback when a workspace's config doesn't specify a
-// runtime. Picked because LangGraph is the most common in our org templates
-// and has the smallest "first impression" cold-start surface.
-const defaultRuntime = "langgraph"
-
-// RegistryPrefix returns the registry prefix all workspace-template image
-// references should use. Defaults to ghcr.io/molecule-ai (the upstream OSS
-// face) and is overridden by the MOLECULE_IMAGE_REGISTRY env var in
-// production tenants where we mirror images to a private registry.
-//
-// The override is set at deploy time (Railway env, EC2 user-data) — never
-// from user-supplied input — so the value is trusted by the time it reaches
-// this code. Validation is deliberately minimal: an operator-supplied
-// prefix that points at a registry the EC2 can't authenticate to will fail
-// loudly at docker-pull time, which is the right blast radius.
-//
-// Example values:
-//
-//	(unset)                                              → ghcr.io/molecule-ai (OSS default)
-//	"123456789012.dkr.ecr.us-east-2.amazonaws.com/molecule-ai"  → AWS ECR mirror
-//	"git.moleculesai.app/molecule-ai"                    → self-hosted Gitea Container Registry (future)
-//
-// Auth is registry-specific and configured outside this function:
-//   - GHCR: GHCR_USER/GHCR_TOKEN env vars consumed by ghcrAuthHeader()
-//   - ECR: docker credential helper (amazon-ecr-credential-helper) configured
-//     in EC2 user-data; ~/.docker/config.json has credHelpers entry; the
-//     daemon resolves auth automatically on every pull.
-func RegistryPrefix() string {
-	if v := os.Getenv("MOLECULE_IMAGE_REGISTRY"); v != "" {
-		return v
-	}
-	return defaultRegistryPrefix
-}
-
-// RuntimeImage returns the canonical image reference for the given runtime,
-// using the current RegistryPrefix() and the moving `:latest` tag.
-//
-// For SHA-pinned references (production thin-AMI launches), the
-// runtime_image_pins lookup in handlers/runtime_image_pin.go strips the
-// `:latest` suffix and appends an immutable `@sha256:<digest>` from the DB.
-// That code path naturally inherits any RegistryPrefix() change because it
-// reads from RuntimeImages[runtime] and only re-formats the tag suffix.
-//
-// Returns the empty string for unknown runtimes; callers should fall through
-// to DefaultImage in that case (matching legacy behavior).
-func RuntimeImage(runtime string) string {
-	for _, r := range knownRuntimes {
-		if r == runtime {
-			return fmt.Sprintf("%s/workspace-template-%s:latest", RegistryPrefix(), runtime)
-		}
-	}
-	return ""
-}
-
-// computeRuntimeImages returns the {runtime: image-ref} map evaluated against
-// the current RegistryPrefix(). Called at package init to populate the
-// exported RuntimeImages var. Tests that flip MOLECULE_IMAGE_REGISTRY between
-// expected values use this helper to rebuild the map mid-run.
-func computeRuntimeImages() map[string]string {
-	out := make(map[string]string, len(knownRuntimes))
-	for _, r := range knownRuntimes {
-		out[r] = RuntimeImage(r)
-	}
-	return out
-}

workspace-server/internal/provisioner/registry_test.go

@@ -1,140 +0,0 @@
-package provisioner
-
-import (
-	"strings"
-	"testing"
-)
-
-// TestRegistryPrefix_DefaultsToGHCR pins the OSS-default behavior. If a future
-// refactor accidentally drops the default, OSS users self-hosting Molecule
-// would silently lose image pulls — this test should fail loudly instead.
-func TestRegistryPrefix_DefaultsToGHCR(t *testing.T) {
-	t.Setenv("MOLECULE_IMAGE_REGISTRY", "")
-	got := RegistryPrefix()
-	want := "ghcr.io/molecule-ai"
-	if got != want {
-		t.Fatalf("RegistryPrefix() = %q, want %q (default must remain GHCR for OSS users)", got, want)
-	}
-}
-
-// TestRegistryPrefix_RespectsEnv verifies the override path used in
-// production tenants where MOLECULE_IMAGE_REGISTRY points at a private
-// mirror (AWS ECR, self-hosted Harbor, etc.).
-func TestRegistryPrefix_RespectsEnv(t *testing.T) {
-	t.Setenv("MOLECULE_IMAGE_REGISTRY", "123456789012.dkr.ecr.us-east-2.amazonaws.com/molecule-ai")
-	got := RegistryPrefix()
-	want := "123456789012.dkr.ecr.us-east-2.amazonaws.com/molecule-ai"
-	if got != want {
-		t.Fatalf("RegistryPrefix() = %q, want %q (env override path is the production cutover mechanism)", got, want)
-	}
-}
-
-// TestRegistryPrefix_EmptyEnvFallsBackToDefault — guard against an operator
-// setting MOLECULE_IMAGE_REGISTRY="" by mistake (e.g. unset deploy variable
-// becomes empty string, not literally absent). We treat "" as "use default"
-// so a misconfigured env doesn't mean an empty registry prefix.
-func TestRegistryPrefix_EmptyEnvFallsBackToDefault(t *testing.T) {
-	t.Setenv("MOLECULE_IMAGE_REGISTRY", "")
-	if RegistryPrefix() != defaultRegistryPrefix {
-		t.Fatalf("empty MOLECULE_IMAGE_REGISTRY should fall back to %q, got %q", defaultRegistryPrefix, RegistryPrefix())
-	}
-}
-
-// TestRuntimeImage_AllKnownRuntimes — every runtime in the canonical list
-// must produce a properly-formatted image ref. If a new runtime is added to
-// knownRuntimes but the format changes, this catches it.
-func TestRuntimeImage_AllKnownRuntimes(t *testing.T) {
-	t.Setenv("MOLECULE_IMAGE_REGISTRY", "")
-	for _, r := range knownRuntimes {
-		got := RuntimeImage(r)
-		want := "ghcr.io/molecule-ai/workspace-template-" + r + ":latest"
-		if got != want {
-			t.Errorf("RuntimeImage(%q) = %q, want %q", r, got, want)
-		}
-	}
-	// Pin the count so adding a runtime requires explicit test acknowledgement.
-	if len(knownRuntimes) != 9 {
-		t.Errorf("knownRuntimes length = %d, want 9 (autogen, claude-code, codex, crewai, deepagents, gemini-cli, hermes, langgraph, openclaw)", len(knownRuntimes))
-	}
-}
-
-// TestRuntimeImage_UnknownRuntime — defensive: callers must fall back to
-// DefaultImage when a runtime is unknown, never silently use the wrong
-// prefix. Returning "" enforces an explicit fallback at every call site.
-func TestRuntimeImage_UnknownRuntime(t *testing.T) {
-	for _, name := range []string{"", "nonexistent", "WORKSPACE-TEMPLATE-FAKE", "../../../etc/passwd"} {
-		if got := RuntimeImage(name); got != "" {
-			t.Errorf("RuntimeImage(%q) = %q, want empty string for unknown runtime", name, got)
-		}
-	}
-}
-
-// TestRuntimeImage_RegistryOverrideAppliesToAllRuntimes — the override
-// flips ALL runtimes consistently. If a refactor accidentally hardcoded
-// the prefix in some runtimes but not others (the failure mode that
-// triggered this whole rollout), this test catches it.
-func TestRuntimeImage_RegistryOverrideAppliesToAllRuntimes(t *testing.T) {
-	const ecr = "999999999999.dkr.ecr.us-east-2.amazonaws.com/molecule-ai"
-	t.Setenv("MOLECULE_IMAGE_REGISTRY", ecr)
-
-	for _, r := range knownRuntimes {
-		got := RuntimeImage(r)
-		if !strings.HasPrefix(got, ecr+"/workspace-template-") {
-			t.Errorf("RuntimeImage(%q) = %q, must start with override prefix %q", r, got, ecr)
-		}
-		if !strings.HasSuffix(got, ":latest") {
-			t.Errorf("RuntimeImage(%q) = %q, must keep :latest tag suffix", r, got)
-		}
-	}
-}
-
-// TestComputeRuntimeImages_AllRuntimesPresent — the map must contain every
-// known runtime. Drift between knownRuntimes and computeRuntimeImages would
-// silently break the runtime → image lookup that provisioner.Start uses.
-func TestComputeRuntimeImages_AllRuntimesPresent(t *testing.T) {
-	t.Setenv("MOLECULE_IMAGE_REGISTRY", "")
-	m := computeRuntimeImages()
-	if len(m) != len(knownRuntimes) {
-		t.Fatalf("computeRuntimeImages() has %d entries, want %d (one per knownRuntime)", len(m), len(knownRuntimes))
-	}
-	for _, r := range knownRuntimes {
-		img, ok := m[r]
-		if !ok {
-			t.Errorf("computeRuntimeImages() missing runtime %q", r)
-			continue
-		}
-		if img == "" {
-			t.Errorf("computeRuntimeImages()[%q] is empty", r)
-		}
-	}
-}
-
-// TestComputeRuntimeImages_ReflectsCurrentEnv — calling computeRuntimeImages
-// after env change rebuilds the map with new prefix. Tests + ops procedures
-// that flip the env in-process rely on this.
-func TestComputeRuntimeImages_ReflectsCurrentEnv(t *testing.T) {
-	t.Setenv("MOLECULE_IMAGE_REGISTRY", "")
-	defaultMap := computeRuntimeImages()
-	if !strings.HasPrefix(defaultMap["claude-code"], "ghcr.io/molecule-ai/") {
-		t.Fatalf("default map should be GHCR-prefixed, got %q", defaultMap["claude-code"])
-	}
-
-	const mirror = "registry.example.com/molecule-ai"
-	t.Setenv("MOLECULE_IMAGE_REGISTRY", mirror)
-	mirrorMap := computeRuntimeImages()
-	if !strings.HasPrefix(mirrorMap["claude-code"], mirror+"/") {
-		t.Fatalf("mirror-prefixed map should start with %q, got %q", mirror, mirrorMap["claude-code"])
-	}
-}
-
-// TestKnownRuntimes_AlphabeticalOrder — pin the order so test snapshots
-// (and human readers diffing the file) see deterministic output. Adding a
-// new runtime out of alphabetical order will fail this test, which is the
-// nudge to keep the file readable.
-func TestKnownRuntimes_AlphabeticalOrder(t *testing.T) {
-	for i := 1; i < len(knownRuntimes); i++ {
-		if knownRuntimes[i-1] >= knownRuntimes[i] {
-			t.Errorf("knownRuntimes not alphabetical: %q comes before %q", knownRuntimes[i-1], knownRuntimes[i])
-		}
-	}
-}