fix(ci): hard-code 127.0.0.1 for BASE in local-provision E2E (#2478 follow-up)

The #2473 commits added MOLECULE_IN_DOCKER=false, PLATFORM_URL discovery, and BIND_ADDR=0.0.0.0, but missed the localhost→127.0.0.1 fix from e2e-api.yml #92. On some act_runner hosts localhost resolves to IPv6 (::1) first; curl then fails or hangs when the platform binds IPv4 only. This causes the Local Provision E2E stub to flake or hard-fail. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
chore(dead-code): remove unused QueueDepth function
2026-06-09 10:20:24 +00:00 · 2026-06-09 09:11:55 +00:00 · 2026-06-09 09:05:11 +00:00 · 2026-06-09 08:30:20 +00:00 · 2026-06-09 07:13:32 +00:00 · 2026-06-09 05:55:31 +00:00
194 changed files with 17058 additions and 3136 deletions
@@ -0,0 +1,247 @@
+#!/usr/bin/env python3
+"""
+SSOT fail-closed approval validator (SEV-1 internal#812).
+
+This module is the SINGLE source of truth for whether a Gitea review counts
+as a "genuine" approval. Both consumers must call into it — they MUST NOT
+duplicate the predicate:
+
+  - .gitea/scripts/gitea-merge-queue.py (Python) — imports directly.
+  - .gitea/scripts/review-check.sh (bash, jq) — calls the Python helper
+    at .gitea/scripts/_review_check_filter.py, which in turn calls this
+    module. There is no separate jq / bash copy of the predicate; a
+    reviewer who wants to weaken the gate has to weaken this one file.
+
+# The fail-closed contract
+
+A review counts as a GENUINE APPROVED on the current head ONLY IF ALL hold:
+
+  1. state == "APPROVED"
+  2. official == true
+  3. dismissed != true
+  4. stale != true
+  5. commit_id is present and equals the PR's current head SHA
+
+ANY failure of any of the above → REJECT.
+
+# The bug this fixes
+
+The previous gitea-merge-queue.py predicate had a `if isinstance(commit_id,
+str) and commit_id and headsha:` guard that *skipped* the commit_id check
+when the review carried no commit_id. The previous review-check.sh jq
+filter required `commit_id == $head`, which is also implicitly fail-closed
+on missing commit_id (null != head), but only one of the two consumers
+behaved correctly — a code-drift trap.
+
+Both behaviors are now defined here, as a single fail-closed predicate.
+A MISSING commit_id is the Gitea row signature of a spoofed or pre-commit
+review: a real reviewer cannot have submitted against a commit that
+doesn't exist. Accepting these is exactly the fail-open that SEV-1
+internal#812 describes and the re-opened path that closed #843 (with CR2
+ Researcher both flagging it) addresses.
+
+# Mutation-resistance
+
+The unit tests in tests/test_approval_validator.py assert rejection
+explicitly for each fail-closed case (missing commit_id, stale head,
+non-official, dismissed, etc.). A reviewer who tries to weaken the
+predicate by removing the commit_id check, by re-introducing the
+"no commit_id is accepted" escape hatch, or by changing `!=` to `==`
+in the head comparison will trip those tests in CI.
+"""
+
+from __future__ import annotations
+
+from typing import Iterable, Optional, Tuple
+
+# ---------------------------------------------------------------------------
+# Canonical Gitea review-state enum (EXACT match -- no case coercion).
+# ---------------------------------------------------------------------------
+#
+# Gitea's reviews API emits review.state as one of a fixed set of
+# UPPERCASE string constants: "APPROVED", "REQUEST_CHANGES",
+# "REQUEST_REVIEW", "COMMENT", "PENDING", "DISMISSED" (verified
+# against the live API across real molecule-core PRs). They are ALWAYS
+# uppercase on the wire.
+#
+# FAIL-CLOSED: we compare review.state to these constants with EXACT
+# equality. The previous code used str(state or "").upper(), which
+# coerced a lowercase/mixed-case "approved" or "request_changes" into
+# the canonical value and ACCEPTED it. A real Gitea row never carries a
+# lowercase state, so a case-variant value is the signature of a
+# hand-forged / spoofed row, not a legitimate review. Coercing it was a
+# residual fail-open (SEV-1 internal#812, RCs 9849/9851/9852). We reject
+# anything that is not byte-for-byte the canonical constant.
+STATE_APPROVED = "APPROVED"
+STATE_REQUEST_CHANGES = "REQUEST_CHANGES"
+
+
+# ---------------------------------------------------------------------------
+# Shared predicate — fail-closed on every condition
+# ---------------------------------------------------------------------------
+
+
+def is_official_current_head(review: object, headsha: object) -> bool:
+    """Common predicate: review is official, not dismissed, not stale, and
+    bound to the PR's current head SHA. EVERY condition is mandatory and
+    fail-closed. Both is_genuine_approval and is_open_request_changes build
+    on this so the rule cannot drift between the two cases.
+
+    `official` is checked with `is not True` (NOT `not review.get("official")`).
+    The latter is truthy on the string "false" or the integer 1, which is
+    exactly the fail-open surface we are closing here — a non-boolean
+    pass-through is treated as official. Gitea emits a real boolean, so
+    the stricter check rejects anything that isn't literally True.
+    """
+    if not isinstance(review, dict):
+        return False
+    if review.get("official") is not True:
+        return False
+    if review.get("dismissed"):
+        return False
+    if review.get("stale"):
+        return False
+    commit_id = review.get("commit_id")
+    # FAIL-CLOSED: a missing/empty/non-string commit_id is REJECTED. The
+    # previous code had `if isinstance(commit_id, str) and commit_id and
+    # headsha:` which SKIPPED the check when the review carried no
+    # commit_id. That was the spoof-bug surface.
+    if not isinstance(commit_id, str) or not commit_id:
+        return False
+    # FAIL-CLOSED: a present-but-wrong commit_id is also REJECTED. Stale
+    # reviews (on a previous head) cannot count.
+    if not isinstance(headsha, str) or not headsha or commit_id != headsha:
+        return False
+    return True
+
+
+# ---------------------------------------------------------------------------
+# Per-verdict predicates
+# ---------------------------------------------------------------------------
+
+
+def is_genuine_approval(
+    review: object,
+    *,
+    headsha: str,
+    reviewer_set: Optional[Iterable[str]] = None,
+) -> bool:
+    """Return True iff `review` is a genuine APPROVED on the current head.
+
+    When `reviewer_set` is provided, the review's `user.login` must be in
+    the set (the merge-queue uses this to count only "recognised"
+    reviewers for the 2-genuine floor; review-check.sh applies its own
+    team-membership probe separately and so does not pass a set).
+    """
+    if not isinstance(review, dict):
+        return False
+    # EXACT-ENUM (fail-closed): no .upper()/.strip() coercion. A
+    # case-variant or whitespace-padded state is a forged row and is
+    # rejected, not normalised into APPROVED.
+    if review.get("state") != STATE_APPROVED:
+        return False
+    if not is_official_current_head(review, headsha):
+        return False
+    if reviewer_set is not None:
+        user = (review.get("user") or {}).get("login")
+        if not isinstance(user, str) or user not in set(reviewer_set):
+            return False
+    return True
+
+
+def is_open_request_changes(review: object, *, headsha: str) -> bool:
+    """Return True iff `review` is an open official REQUEST_CHANGES on the
+    current head. Same fail-closed contract as is_genuine_approval —
+    a missing commit_id is REJECTED, not silently treated as 'still
+    blocking the merge from an old head'.
+    """
+    if not isinstance(review, dict):
+        return False
+    # EXACT-ENUM (fail-closed): same contract as is_genuine_approval. A
+    # lowercase/mixed-case "request_changes" must NOT be coerced into a
+    # block-erasing match; an exact REQUEST_CHANGES is required.
+    if review.get("state") != STATE_REQUEST_CHANGES:
+        return False
+    if not is_official_current_head(review, headsha):
+        return False
+    return True
+
+
+# ---------------------------------------------------------------------------
+# Consumer-facing reducer (returns the two call sites need)
+# ---------------------------------------------------------------------------
+
+
+def classify_reviews(
+    reviews: Iterable[object],
+    *,
+    headsha: str,
+    reviewer_set: Optional[Iterable[str]] = None,
+) -> Tuple[set[str], list[str]]:
+    """Reduce a PR's reviews to (approvers, request_changes) on the CURRENT head.
+
+    approvers: distinct logins whose LATEST official review on the current
+        head is APPROVED.
+    request_changes: distinct logins whose LATEST official review on the
+        current head is REQUEST_CHANGES.
+
+    Gitea returns reviews oldest-first. We keep the latest *VALID*
+    submission per user (later VALID entries overwrite earlier ones; an
+    invalid later row — a COMMENT, or a review with a null/old commit_id —
+    is ignored and can NOT overwrite or erase a genuine review). See the
+    inline VALIDATE-BEFORE-REDUCE note below for the exploit this closes.
+    """
+    reviewer_set_set = set(reviewer_set) if reviewer_set is not None else None
+
+    # VALIDATE-BEFORE-REDUCE (SEV-1 internal#812 follow-up).
+    #
+    # The earlier implementation reduced FIRST (latest row per user, keyed
+    # only on state in {APPROVED, REQUEST_CHANGES}) and validated the single
+    # surviving row AFTER. That is reduce-before-validate, and it is
+    # exploitable: a user posts a genuine current-head APPROVED (or
+    # REQUEST_CHANGES), then posts a LATER row that fails the fail-closed
+    # predicate (a COMMENT, or an APPROVED with a null/old commit_id). The
+    # later INVALID row overwrote the genuine one in latest_by_user, so a
+    # real approval was masked, and — worse — a real current-head
+    # REQUEST_CHANGES could be erased and the block silently evaporate.
+    #
+    # The fix: filter to VALID reviews FIRST (each row must pass
+    # is_official_current_head AND carry an APPROVED/REQUEST_CHANGES state),
+    # and only then reduce to the latest VALID review per user. An invalid
+    # later row is never eligible to become a user's "latest" state, so it
+    # cannot overwrite or erase a genuine review. A user's verdict is the
+    # state of their latest VALID (official, current-head, non-dismissed,
+    # non-stale, commit_id-present-and-matching) review.
+    latest_valid_by_user: dict = {}
+    for review in reviews:
+        if not isinstance(review, dict):
+            continue
+        user = (review.get("user") or {}).get("login")
+        if not isinstance(user, str):
+            continue
+        if reviewer_set_set is not None and user not in reviewer_set_set:
+            continue
+        # EXACT-ENUM (fail-closed): exact constants only, no coercion. A
+        # case-coerced row must not become eligible to overwrite/erase a
+        # genuine per-user verdict in the reduce below.
+        state = review.get("state")
+        if state not in (STATE_APPROVED, STATE_REQUEST_CHANGES):
+            continue
+        # Fail-closed predicate BEFORE the reduce: official, not dismissed,
+        # not stale, commit_id present AND == head. Invalid rows are dropped
+        # here and so can never become the per-user "latest".
+        if not is_official_current_head(review, headsha):
+            continue
+        latest_valid_by_user[user] = review
+
+    approvers: set[str] = set()
+    request_changes: list[str] = []
+    for user, review in latest_valid_by_user.items():
+        # Each surviving review already passed is_official_current_head, so
+        # the state alone determines the verdict. We still go through the
+        # per-verdict SSOT predicates so the rule cannot drift.
+        if is_genuine_approval(review, headsha=headsha, reviewer_set=None):
+            approvers.add(user)
+        elif is_open_request_changes(review, headsha=headsha):
+            request_changes.append(user)
+    return approvers, request_changes
@@ -0,0 +1,74 @@
+#!/usr/bin/env python3
+"""
+Helper for review-check.sh: applies the SSOT approval predicate to a
+PR's reviews and prints the candidate approver logins on stdout (one per
+line, de-duplicated, author excluded).
+
+review-check.sh uses this in place of its previous inline jq filter so the
+predicate is single-sourced. The jq filter is gone; if you want to change
+the predicate, edit .gitea/scripts/_approval_validator.py, not this file.
+
+Usage:
+  python3 _review_check_filter.py <reviews.json> <head-sha> <author-login>
+
+Output:
+  - Candidate approver logins, one per line, de-duplicated, sorted.
+  - Excludes `author-login` (the PR author cannot approve their own PR).
+  - Empty output → review-check.sh interprets as "no candidates" and exits 1
+    after the team-membership probe.
+"""
+
+from __future__ import annotations
+
+import json
+import sys
+from pathlib import Path
+
+# Same-dir import — script lives next to _approval_validator.py
+sys.path.insert(0, str(Path(__file__).resolve().parent))
+from _approval_validator import is_genuine_approval  # noqa: E402
+
+
+def main(argv: list[str]) -> int:
+    if len(argv) != 4:
+        print(
+            f"usage: {argv[0] if argv else '_review_check_filter.py'} "
+            "<reviews.json> <head-sha> <author-login>",
+            file=sys.stderr,
+        )
+        return 2
+    reviews_path = Path(argv[1])
+    headsha = argv[2]
+    author = argv[3]
+
+    try:
+        reviews = json.loads(reviews_path.read_text(encoding="utf-8"))
+    except (OSError, json.JSONDecodeError) as exc:
+        print(f"::error::could not read reviews JSON: {exc}", file=sys.stderr)
+        return 2
+    if not isinstance(reviews, list):
+        print("::error::reviews JSON was not a list", file=sys.stderr)
+        return 2
+
+    candidates: set[str] = set()
+    for review in reviews:
+        # We pass reviewer_set=None here because review-check.sh applies its
+        # own team-membership probe (CURL_AUTH_FILE + 200/204/403/404 logic)
+        # separately. The SSOT predicate enforces only the fail-closed
+        # commit_id / state / official / dismissed / stale contract here.
+        if not is_genuine_approval(review, headsha=headsha, reviewer_set=None):
+            continue
+        user = (review.get("user") or {}).get("login")
+        if not isinstance(user, str) or not user:
+            continue
+        if user == author:
+            continue
+        candidates.add(user)
+
+    for user in sorted(candidates):
+        print(user)
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main(sys.argv))
@@ -31,7 +31,7 @@
 #
 # REQUIRED_CHECKS (legacy) is a newline-separated list used when the
 # JSON variable is not set. Declared in the workflow YAML rather than
-# fetched from /branch_protections (which needs admin scope — sop-tier-bot
+# fetched from /branch_protections (which needs admin scope — 
 # has read-only). Trade dynamism for simplicity: when the required-check
 # set changes, update both branch protection AND this env. Keeping them
 # in sync is less complexity than granting the audit bot admin perms on
@@ -116,28 +116,65 @@ fi
 # 3. Status-check state at the PR HEAD (where checks ran). The merge
 #    commit doesn't get its own checks; we evaluate the PR's last
 #    commit, which is what branch protection compared against.
-# Fail-closed: verify HTTP 200. A 401/403/404 means the status is
-# unreadable — we must NOT treat that as "no statuses" and skip checks.
-STATUS_TMP=$(mktemp)
-STATUS_HTTP=$(curl -sS -o "$STATUS_TMP" -w '%{http_code}' -H "$AUTH" \
-  "${API}/repos/${OWNER}/${NAME}/commits/${HEAD_SHA}/status")
-STATUS=$(cat "$STATUS_TMP")
-rm -f "$STATUS_TMP"
-if [ "$STATUS_HTTP" != "200" ]; then
-  echo "::error::GET /commits/${HEAD_SHA}/status returned HTTP ${STATUS_HTTP} — cannot evaluate required checks."
-  exit 1
-fi
-# FAIL-CLOSED: a 200 status response missing the 'statuses' array, or with
-# 'statuses' set to a non-array type (null/string/object), must NOT be treated
-# as "no checks" — that would silently declare all checks green.
-if ! echo "$STATUS" | jq -e '(.statuses | type) == "array"' >/dev/null; then
-  echo "::error::GET /commits/${HEAD_SHA}/status returned HTTP 200 but 'statuses' is missing or not an array — cannot evaluate required checks."
-  exit 1
-fi
+#
+# Pagination (status-pagination RCA, #2440-family): the combined
+# /commits/{sha}/status endpoint caps its embedded `statuses` array at the
+# Gitea default page size (~30). On a high-churn PR an older-but-still-current
+# required-context SUCCESS row is pushed PAST that cap, so reading the combined
+# view would record that context as `missing` and emit a FALSE-POSITIVE
+# force-merge. We instead page through the dedicated /commits/{sha}/statuses
+# list to EXHAUSTION (until a short/empty page), accumulating every row.
+#
+# Fail-closed is preserved end to end: any non-200 page, or a page whose body
+# is not a JSON array, aborts with exit 1 (we never treat an unreadable/partial
+# page as "no checks"). A genuinely-absent required context appears on NO page,
+# so CHECK_STATE has no entry for it → `${...:-missing}` below keeps it
+# `missing` → it is still counted as not-green. No fail-open path is added.
+PER_PAGE=100
+page=1
+ALL_STATUSES_TMP=$(mktemp)
+printf '[]' > "$ALL_STATUSES_TMP"   # accumulator: a single JSON array of rows
+while :; do
+  STATUS_TMP=$(mktemp)
+  STATUS_HTTP=$(curl -sS -o "$STATUS_TMP" -w '%{http_code}' -H "$AUTH" \
+    "${API}/repos/${OWNER}/${NAME}/commits/${HEAD_SHA}/statuses?page=${page}&limit=${PER_PAGE}")
+  PAGE_BODY=$(cat "$STATUS_TMP")
+  rm -f "$STATUS_TMP"
+  if [ "$STATUS_HTTP" != "200" ]; then
+    rm -f "$ALL_STATUSES_TMP"
+    echo "::error::GET /commits/${HEAD_SHA}/statuses?page=${page} returned HTTP ${STATUS_HTTP} — cannot evaluate required checks."
+    exit 1
+  fi
+  # FAIL-CLOSED: the /statuses endpoint returns a bare JSON array. A non-array
+  # body (null/object/string) means the response is malformed — we must NOT
+  # treat that as "no checks", which would silently declare all checks green.
+  if ! echo "$PAGE_BODY" | jq -e 'type == "array"' >/dev/null 2>&1; then
+    rm -f "$ALL_STATUSES_TMP"
+    echo "::error::GET /commits/${HEAD_SHA}/statuses?page=${page} returned HTTP 200 but body is not a JSON array — cannot evaluate required checks."
+    exit 1
+  fi
+  PAGE_COUNT=$(echo "$PAGE_BODY" | jq 'length')
+  # Append this page's rows to the accumulator (insertion order is preserved
+  # but NOT relied upon — the collapse below selects max-by-id per context).
+  COMBINED=$(jq -s '.[0] + .[1]' "$ALL_STATUSES_TMP" <(echo "$PAGE_BODY"))
+  printf '%s' "$COMBINED" > "$ALL_STATUSES_TMP"
+  # Short page (fewer than PER_PAGE rows) ⇒ last page ⇒ stop.
+  if [ "$PAGE_COUNT" -lt "$PER_PAGE" ]; then
+    break
+  fi
+  page=$((page + 1))
+done
+STATUS=$(cat "$ALL_STATUSES_TMP")
+rm -f "$ALL_STATUSES_TMP"
 declare -A CHECK_STATE
+# Gitea's /commits/{sha}/statuses is roughly newest-first but NOT strictly
+# monotonic by id (observed first ids 157,155,156,… — local inversions from
+# re-runs and page boundaries), so neither first- nor last-occurrence reliably
+# yields the current row. Select the MAX-id row per context explicitly
+# (order-independent), matching prod-auto-deploy.py's latest_status_for_context.
 while IFS=$'\t' read -r ctx state; do
  [ -n "$ctx" ] && CHECK_STATE[$ctx]="$state"
-done < <(echo "$STATUS" | jq -r '.statuses | .[] | "\(.context)\t\(.status)"')
+done < <(echo "$STATUS" | jq -r 'group_by(.context) | map(max_by(.id)) | .[] | "\(.context)\t\(.status)"')

 # 4. For each required check, was it green at merge? YAML block scalars
 #    (`|`) leave a trailing newline; skip blank/whitespace-only lines.
@@ -26,10 +26,21 @@ PROFILES: dict[str, dict[str, str]] = {
        "handlers": (
            r"^workspace-server/internal/handlers/"
            r"|^workspace-server/internal/wsauth/"
+            # #2148: registry-auth real-PG integration tests (CanCommunicate
+            # parent_id hierarchy lives in internal/registry; org-admin token
+            # revoke/validate lives in internal/orgtoken) run in this same
+            # workflow, so a regression in either package MUST trigger the job.
+            r"|^workspace-server/internal/registry/"
+            r"|^workspace-server/internal/orgtoken/"
            # #2149: the scheduler real-PG integration tests run in this same
            # workflow (they reuse its migrated Postgres), so changes to the
            # scheduler package must trigger the job too.
            r"|^workspace-server/internal/scheduler/"
+            # #2150: the db package's real-PG migration-replay-from-scratch
+            # + InitPostgres ping tests also run in this same workflow (they
+            # reuse its sibling Postgres, against a separate `molecule_replay`
+            # database). Changes to db must trigger the job too.
+            r"|^workspace-server/internal/db/"
            r"|^workspace-server/migrations/"
            r"|^\.gitea/workflows/handlers-postgres-integration\.yml$"
        ),
@@ -39,13 +39,13 @@ queue. This script provides the missing serialized policy in user space:

 Authoritative gates (fail-closed):
  - The REQUIRED status contexts come from BRANCH PROTECTION
-    (`status_check_contexts`), not a hand-maintained env list. If branch
-    protection cannot be enumerated, the queue HOLDS (does not merge blindly).
-  - NON-required reds (qa-review, security-review, sop-tier, sop-checklist
-    when not branch-required, E2E Chat, Staging SaaS, ci-arm64-advisory, any
+    (`status_check_contexts`) PLUS the hardcoded governance checks
+    (qa-review, security-review, sop-checklist). If branch protection
+    cannot be enumerated, the queue HOLDS (does not merge blindly).
+  - NON-required reds (E2E Chat, Staging SaaS, ci-arm64-advisory, any
    continue-on-error job) MUST NOT block. They are reported, never gating.
  - `force_merge=true` is used ONLY when the merge is blocked *solely* by
-    missing-but-non-required governance contexts (required are green + genuine
+    missing-but-non-required advisory contexts (required are green + genuine
    approvals present). It is NEVER used to bypass a failing REQUIRED context
    or missing approvals.

@@ -105,6 +105,12 @@ import urllib.parse
 import urllib.request
 from typing import Any

+# SSOT fail-closed approval predicate (SEV-1 internal#812). review-check.sh
+# consumes the same module via _review_check_filter.py — do NOT duplicate
+# the predicate here. See _approval_validator.py for the fail-closed contract.
+sys.path.insert(0, os.path.dirname(os.path.abspath(__file__)))
+from _approval_validator import classify_reviews as _classify_reviews_ssot  # noqa: E402
+

 def _env(key: str, *, default: str = "") -> str:
    return os.environ.get(key, default)
@@ -144,6 +150,28 @@ OPT_OUT_LABELS = {
    ).split(",")
    if name.strip()
 } | ({HOLD_LABEL} if HOLD_LABEL else set())
+# Governance checks that are ALWAYS required for every PR, regardless of
+# branch-protection configuration. These are the uniform-gate checks that
+# must pass before any PR can merge (SOP tier removal makes them mandatory
+# for all PRs, not just tier:medium/tier:high).
+#
+# Context names use the (pull_request_target) suffix (not pull_request)
+# to match the workflow event_type that actually emits them — verified
+# live against PR#2419/#2331/etc.: the qa-review/security-review
+# workflows run on pull_request_target (their `on:` block uses
+# pull_request_target, not pull_request), and sop-checklist's
+# all-items-acked job also uses pull_request_target. The previous
+# (pull_request) suffix never matched the live emitted contexts,
+# which is what was painting ~16 ready PRs red (gate appeared
+# "missing" qa-review/security-review even after both passed).
+# Verified against the lint-bp-context-emit-match test which already
+# asserts (pull_request_target) for these names. No requirement
+# dropped; just a name correction.
+GOVERNANCE_REQUIRED_CONTEXTS = [
+    "qa-review / approved (pull_request_target)",
+    "security-review / approved (pull_request_target)",
+    "sop-checklist / all-items-acked (pull_request_target)",
+]
 REQUIRED_CONTEXTS_RAW = _env(
    "REQUIRED_CONTEXTS",
    default=(
@@ -337,41 +365,15 @@ def latest_statuses_by_context(statuses: list[dict]) -> dict[str, dict]:
    return latest


-def _is_tier_low_pending_ok(
-    latest_statuses: dict[str, dict],
-    context: str,
-    pr_labels: set[str],
-) -> bool:
-    """Return True if tier:low PR can tolerate sop-checklist pending state.
-
-    GENERIC PENDING-AS-GREEN REMOVED (Researcher + CR2 RC on #2368):
-    The prior soft-fail accepted ANY pending sop-checklist for tier:low,
-    which allowed required checks to pass without genuine verification.
-    Pending required sop-checklist must now always HOLD and appear in
-    missing_or_bad. This function is retained as a policy hook but
-    currently always returns False so pending never counts green.
-
-    If a positively identifiable genuine soft-fail state is defined in
-    future (e.g., a specific check-run conclusion), implement it here
-    with strict positive identification — never default to pass.
-    """
-    return False
-
-
 def required_contexts_green(
    latest_statuses: dict[str, dict],
    contexts: list[str],
-    pr_labels: set[str] | None = None,
 ) -> tuple[bool, list[str]]:
    missing_or_bad: list[str] = []
    for context in contexts:
        status = latest_statuses.get(context)
        state = status_state(status or {})
        if state != "success":
-            if pr_labels and _is_tier_low_pending_ok(
-                latest_statuses, context, pr_labels
-            ):
-                continue  # tier:low soft-fail: accept pending sop-checklist
            missing_or_bad.append(f"{context}={state or 'missing'}")
    return not missing_or_bad, missing_or_bad

@@ -428,57 +430,26 @@ def get_branch_protection(branch: str) -> BranchProtection:
 def genuine_approvals(
    reviews: list[dict],
    *,
-    head_sha: str,
+    headsha: str,
    reviewer_set: set[str],
 ) -> tuple[set[str], list[str]]:
-    """Reduce a PR's reviews to genuine official approvals on the CURRENT head.
+    """Thin wrapper over the SSOT predicate in _approval_validator.py.

-    Returns (approvers, request_changes) where:
-      - approvers is the set of distinct logins (in reviewer_set) whose LATEST
-        review on the current head is an official, non-stale, non-dismissed
-        APPROVED, and
-      - request_changes is the list of logins (in reviewer_set) whose latest
-        official review on the current head is REQUEST_CHANGES.
+    All logic — the per-review commit_id / state / official / dismissed /
+    stale contract — lives in _approval_validator.classify_reviews. This
+    wrapper exists only to keep the call site (and external readers of
+    the symbol) stable. Do NOT add any per-review logic here; if you need
+    to change the predicate, edit _approval_validator.py.

-    "Current head" is enforced two ways, because Gitea exposes both signals:
-    a review must be `official` and NOT `stale`/`dismissed`, AND when the
-    review carries a commit_id it must equal head_sha. A review with no
-    commit_id but stale=False/dismissed=False is accepted (older Gitea rows).
-    We take each reviewer's LATEST submission (reviews arrive oldest-first), so
-    a later REQUEST_CHANGES correctly supersedes an earlier APPROVED and vice
-    versa.
+    See _approval_validator.py for the full fail-closed contract
+    (SEV-1 internal#812). The previous inline implementation had a
+    `if isinstance(commit_id, str) and commit_id and headsha:` guard that
+    silently accepted reviews with no commit_id; that fail-open surface is
+    now closed at the SSOT.
    """
-    latest_by_user: dict[str, dict] = {}
-    for review in reviews:
-        if not isinstance(review, dict):
-            continue
-        user = (review.get("user") or {}).get("login")
-        if not isinstance(user, str) or user not in reviewer_set:
-            continue
-        state = str(review.get("state") or "").upper()
-        if state not in {"APPROVED", "REQUEST_CHANGES"}:
-            continue  # ignore COMMENT/PENDING/DISMISSED-state rows
-        # reviews are returned oldest-first; later entries overwrite → latest wins
-        latest_by_user[user] = review
-
-    approvers: set[str] = set()
-    request_changes: list[str] = []
-    for user, review in latest_by_user.items():
-        if not review.get("official"):
-            continue
-        if review.get("stale") or review.get("dismissed"):
-            continue
-        commit_id = review.get("commit_id")
-        if isinstance(commit_id, str) and commit_id and head_sha:
-            if commit_id != head_sha:
-                continue  # review was on a previous head
-        state = str(review.get("state") or "").upper()
-        if state == "APPROVED":
-            approvers.add(user)
-        elif state == "REQUEST_CHANGES":
-            request_changes.append(user)
-    return approvers, request_changes
-
+    return _classify_reviews_ssot(
+        reviews, headsha=headsha, reviewer_set=reviewer_set
+    )

 def get_pull_reviews(pr_number: int) -> list[dict]:
    _, body = api("GET", f"/repos/{OWNER}/{NAME}/pulls/{pr_number}/reviews")
@@ -672,13 +643,13 @@ def evaluate_merge_readiness(
            f"need {required_approvals}",
        )

-    # 4) Every BRANCH-PROTECTION-REQUIRED status context must be green. This is
-    #    the authoritative status gate — NON-required reds (qa-review,
-    #    security-review, sop-tier/sop-checklist when not BP-required, E2E Chat,
-    #    Staging SaaS, ci-arm64-advisory, continue-on-error jobs) are NOT
+    # 4) Every REQUIRED status context must be green. This includes both
+    #    branch-protection-required contexts AND the hardcoded governance checks
+    #    (qa-review, security-review, sop-checklist). NON-required reds (E2E
+    #    Chat, Staging SaaS, ci-arm64-advisory, continue-on-error jobs) are NOT
    #    consulted here and must not block.
    latest = latest_statuses_by_context(pr_status.get("statuses") or [])
-    ok, missing_or_bad = required_contexts_green(latest, required_contexts, pr_labels)
+    ok, missing_or_bad = required_contexts_green(latest, required_contexts)
    if not ok:
        return MergeDecision(False, "wait", "required contexts not green: " + ", ".join(missing_or_bad))

@@ -783,7 +754,7 @@ def list_queued_issues() -> list[dict]:
        query={
            "state": "open",
            "type": "pulls",
-            "labels": QUEUE_LABEL,
+            "label": QUEUE_LABEL,
        },
    )

@@ -945,7 +916,9 @@ def process_once(*, dry_run: bool = False) -> int:
            f"unavailable (fail-closed): {exc}\n"
        )
        return 0
-    contexts = bp.required_contexts
+    # Uniform gate: governance checks are ALWAYS required, even if branch
+    # protection does not enumerate them. Deduplicate against BP list.
+    contexts = list(dict.fromkeys(bp.required_contexts + GOVERNANCE_REQUIRED_CONTEXTS))
    required_approvals = bp.required_approvals
    print(
        f"::notice::queue policy from branch protection: "
@@ -1149,7 +1122,7 @@ def _evaluate_candidate(

    reviews = get_pull_reviews(pr_number)
    approvers, request_changes = genuine_approvals(
-        reviews, head_sha=head_sha, reviewer_set=REVIEWER_SET
+        reviews, headsha=head_sha, reviewer_set=REVIEWER_SET
    )

    decision = evaluate_merge_readiness(
@@ -1185,7 +1158,9 @@ def enumerate_readiness(*, dry_run: bool = False) -> list[ReadinessEntry]:
    post-batch summary can be printed.
    """
    bp = get_branch_protection(WATCH_BRANCH)
-    contexts = bp.required_contexts
+    # Uniform gate: governance checks are ALWAYS required, even if branch
+    # protection does not enumerate them. Deduplicate against BP list.
+    contexts = list(dict.fromkeys(bp.required_contexts + GOVERNANCE_REQUIRED_CONTEXTS))
    required_approvals = bp.required_approvals

    main_sha = get_branch_head(WATCH_BRANCH)
@@ -165,7 +165,7 @@ def api(
 # Format: "<workflow_name> / <job_name_or_key> (<event>)"
 # Examples observed on molecule-core/main:
 #   "Secret scan / Scan diff for credential-shaped strings (pull_request)"
-#   "sop-tier-check / tier-check (pull_request)"
+#   "sop-checklist / all-items-acked (pull_request)"
 #
 # Split strategy: peel off the trailing ` (<event>)` first, then split
 # the leading `<workflow> / <rest>` on the FIRST ` / ` (workflow names
@@ -17,7 +17,7 @@ Rules (4 fatal + 1 fatal cross-file + 1 heuristic-warn):
     enumeration; task #81). Workflow registers, fires for 0 events.
  3. `name:` containing `/` — breaks the
     `<workflow> / <job> (<event>)` commit-status context convention;
-     downstream parsers (sop-tier-check, status-reaper) tokenize on `/`.
+     downstream parsers (sop-checklist, status-reaper) tokenize on `/`.
  4. `name:` collision across files — Gitea routes commit-status updates
     by `name` and behavior on collision is undefined (status-reaper
     rev1 fail-loud).
@@ -150,7 +150,7 @@ def check_name_with_slash(filename: str, doc: Any) -> list[str]:
            f"::error file={filename}::Rule 3 (FATAL): workflow `name: "
            f"{name!r}` contains `/`. The commit-status context convention "
            f"is `<workflow> / <job> (<event>)`; embedding `/` in the "
-            f"workflow name makes downstream parsers (sop-tier-check, "
+            f"workflow name makes downstream parsers (sop-checklist, "
            f"status-reaper) tokenize ambiguously. Rename to use `-` or "
            f"` ` instead."
        )
@@ -49,8 +49,7 @@ Daily scheduled run + workflow_dispatch:
  4. If orphans exist:
     - File or PATCH a `[ci-bp-drift]` issue (idempotency contract:
       search for exact title prefix, edit existing if open).
-     - Apply labels `tier:high` + `ci-bp-drift` (lookup IDs per
-       repo; per `feedback_tier_label_ids_are_per_repo`).
+     - Apply label `ci-bp-drift` (lookup ID per repo).
     - Exit 1.

  5. If no orphans:
@@ -82,7 +81,7 @@ Memory cross-links
 ------------------
  - internal#350 (the RFC that specs this lint)
  - feedback_phantom_required_check_after_gitea_migration
-  - feedback_tier_label_ids_are_per_repo
+  - feedback_label_ids_are_per_repo
  - reference_post_suspension_pipeline
 """
 from __future__ import annotations
@@ -359,7 +358,7 @@ def file_or_update_issue(
                existing = h
                break

-    label_ids = _ensure_labels(repo, ["ci-bp-drift", "tier:high"])
+    label_ids = _ensure_labels(repo, ["ci-bp-drift"])

    if existing:
        api(
@@ -50,7 +50,7 @@ runtime contract enforcement lives in `_require_runtime_env()`.

 Run locally (dry-run, no API mutation):
    GITEA_TOKEN=... GITEA_HOST=git.moleculesai.app REPO=owner/repo \\
-      WATCH_BRANCH=main RED_LABEL=tier:high \\
+      WATCH_BRANCH=main RED_LABEL=ci-bp-drift \\
      python3 .gitea/scripts/main-red-watchdog.py --dry-run
 """
 from __future__ import annotations
@@ -81,7 +81,7 @@ GITEA_TOKEN = _env("GITEA_TOKEN")
 GITEA_HOST = _env("GITEA_HOST")
 REPO = _env("REPO")
 WATCH_BRANCH = _env("WATCH_BRANCH", default="main")
-RED_LABEL = _env("RED_LABEL", default="tier:high")
+RED_LABEL = _env("RED_LABEL", default="ci-bp-drift")

 OWNER, NAME = (REPO.split("/", 1) + [""])[:2] if REPO else ("", "")
 API = f"https://{GITEA_HOST}/api/v1" if GITEA_HOST else ""
@@ -95,17 +95,27 @@ def build_plan(env: dict[str, str]) -> dict:


 def latest_status_for_context(statuses: list[dict], context: str) -> dict | None:
-    """Return the first matching status.
+    """Return the NEWEST status row for ``context`` (highest ``id``).

-    Gitea's combined-status response is newest-first in practice. The merge
-    queue relies on the same contract; keeping the selector explicit makes
-    stale duplicate contexts easy to test.
+    This must work for BOTH orderings Gitea exposes: the combined
+    ``/status`` view is newest-first, but the exhaustively-paginated
+    ``/statuses`` list (see ``fetch_all_statuses``) is ascending id order
+    (oldest-first). Selecting by max ``id`` collapses duplicate context rows
+    to the current one regardless of input order, so a stale earlier run can
+    never shadow the latest result. Rows without an ``id`` are treated as
+    oldest (id -1) so a well-formed newer row always wins.
    """
-
+    newest: dict | None = None
+    newest_id = -1
    for status in statuses:
-        if status.get("context") == context:
-            return status
-    return None
+        if status.get("context") != context:
+            continue
+        raw_id = status.get("id")
+        sid = raw_id if isinstance(raw_id, int) else -1
+        if newest is None or sid >= newest_id:
+            newest = status
+            newest_id = sid
+    return newest


 def ci_context_state(statuses: list[dict], context: str) -> str:
@@ -351,6 +361,55 @@ def _api_json(url: str, token: str) -> dict:
        raise RuntimeError(f"GET {url} -> HTTP {exc.code}: {body}") from exc


+def _api_json_list(url: str, token: str) -> list:
+    """GET a Gitea list endpoint and return the JSON array.
+
+    Like ``_api_json`` but asserts the body is a list. Fail-closed: a non-list
+    body (or HTTP error) raises so the caller never mistakes an unreadable page
+    for "no more statuses" and silently truncates the required-context scan.
+    """
+    req = urllib.request.Request(url, headers={"Authorization": f"token {token}"})
+    try:
+        with urllib.request.urlopen(req, timeout=20) as resp:
+            body = json.loads(resp.read())
+    except urllib.error.HTTPError as exc:
+        detail = exc.read().decode("utf-8", errors="replace")[:500]
+        raise RuntimeError(f"GET {url} -> HTTP {exc.code}: {detail}") from exc
+    if not isinstance(body, list):
+        raise RuntimeError(f"GET {url} -> expected JSON array, got {type(body).__name__}")
+    return body
+
+
+def fetch_all_statuses(host: str, repo: str, sha: str, token: str, page_size: int = 100) -> list[dict]:
+    """Return EVERY commit-status row for ``sha``, paginating to exhaustion.
+
+    The combined ``/commits/{sha}/status`` endpoint caps its embedded
+    ``statuses`` array at the Gitea default page size (~30). On a high-churn
+    commit, an older-but-still-current required-context SUCCESS row is pushed
+    PAST that cap, so a reader of the combined view sees the required context
+    as ``missing`` and either blocks (force-merge audit) or waits forever
+    (this deploy gate). We instead walk ``/commits/{sha}/statuses`` page by
+    page until a short/empty page, accumulating ALL rows.
+
+    Fail-closed: any page that errors or is not a list raises (see
+    ``_api_json_list``) — we never degrade to a partial list and call a deploy
+    green. A genuinely-absent required context simply never appears on ANY
+    page, so the caller's ``ci_context_state`` still reports ``missing`` and
+    the gate stays closed.
+    """
+    base = f"https://{host}/api/v1/repos/{repo}/commits/{sha}/statuses"
+    results: list[dict] = []
+    page = 1
+    while True:
+        page_url = f"{base}?page={page}&limit={page_size}"
+        rows = _api_json_list(page_url, token)
+        results.extend(r for r in rows if isinstance(r, dict))
+        if len(rows) < page_size:
+            break
+        page += 1
+    return results
+
+
 def _api_json_optional(url: str, token: str) -> tuple[int, dict | None]:
    req = urllib.request.Request(url, headers={"Authorization": f"token {token}"})
    try:
@@ -472,12 +531,19 @@ def wait_for_ci_context(env: dict[str, str]) -> str:
    if not token:
        raise ValueError("GITEA_TOKEN is required to wait for CI status")

-    url = f"https://{host}/api/v1/repos/{repo}/commits/{sha}/status"
    deadline = time.time() + timeout
    last_states: dict[str, str] = {}
    while time.time() <= deadline:
-        body = _api_json(url, token)
-        statuses = body.get("statuses") or []
+        # Read the FULL, exhaustively-paginated /statuses list — NOT the
+        # combined /status view, whose embedded `statuses` array is capped at
+        # the Gitea page size (~30). On a high-churn commit a required-context
+        # SUCCESS row lands past that cap and the combined view would report
+        # it `missing`, so this gate would wait until timeout and refuse a
+        # legitimate prod deploy. Fetching every page closes that hole.
+        # Fail-closed is preserved: a genuinely-absent required context is on
+        # NO page, so ci_context_state() still returns "missing" → never
+        # satisfied → the deploy stays blocked.
+        statuses = fetch_all_statuses(host, repo, sha, token)
        states = {context: ci_context_state(statuses, context) for context in contexts}
        for context, state in states.items():
            if state != last_states.get(context):
@@ -197,17 +197,13 @@ if [ "$HTTP_CODE" != "200" ]; then
  exit 1
 fi

-# Filter: state=APPROVED, official=true, not-dismissed, non-author,
-# commit_id matches current PR head. All conditions are mandatory.
-JQ_FILTER='.[]
-  | select(.state == "APPROVED")
-  | select(.official == true)
-  | select(.dismissed != true)
-  | select(.user.login != $author)
-  | select(.commit_id == $head)
-  | .user.login'
-
-REVIEW_CANDIDATES=$(jq -r --arg author "$PR_AUTHOR" --arg head "$PR_HEAD_SHA" "$JQ_FILTER" "$REVIEWS_JSON" | sort -u)
+# Filter via the SSOT fail-closed predicate in _approval_validator.py
+# (same module gitea-merge-queue.py imports). The jq filter is gone
+# entirely — any change to the predicate must be made in
+# _approval_validator.py. See SEV-1 internal#812 for the fail-closed
+# contract this closes.
+SCRIPT_DIR_HERE="$(cd "$(dirname "$0")" && pwd)"
+REVIEW_CANDIDATES=$(python3 "$SCRIPT_DIR_HERE/_review_check_filter.py" "$REVIEWS_JSON" "$PR_HEAD_SHA" "$PR_AUTHOR")
 debug "candidate non-author approvers: $(echo "$REVIEW_CANDIDATES" | tr '\n' ' ')"

 if [ -z "$REVIEW_CANDIDATES" ]; then
@@ -11,7 +11,7 @@
 #
 # Flow:
 #   1. Load .gitea/sop-checklist-config.yaml (from BASE ref — trusted).
-#   2. GET /repos/{R}/pulls/{N}          — author, head.sha, tier label
+#   2. GET /repos/{R}/pulls/{N}          — author, head.sha, labels
 #   3. GET /repos/{R}/issues/{N}/comments — extract /sop-ack and /sop-revoke
 #   4. For each checklist item:
 #        a. Is the section marker present in PR body? (author answered)
@@ -665,8 +665,8 @@ def load_config(path: str) -> dict[str, Any]:
 def _load_config_minimal(path: str) -> dict[str, Any]:
    """Minimal YAML subset parser for our config shape.

-    Supports: top-level scalar:value, top-level map-of-map (e.g.
-    tier_failure_mode), top-level list of maps (items:), and within an
+    Supports: top-level scalar:value, top-level map-of-map,
+    top-level list of maps (items:), and within an
    item map: scalars + lists of scalars. Does NOT support nested lists,
    YAML anchors, multi-doc, or flow style.
    """
@@ -835,8 +835,7 @@ def render_status(

    state is "success" if every item has at least one valid ack
    (body section presence is informational only — peer-ack is the
-    real gate).  tier:low PRs receive state="success" (soft-fail — no
-    acks required); the description carries "[info tier:low]" prefix.
+    real gate).
    """
    n = len(items)
    fully_acked = [
@@ -863,35 +862,16 @@ def render_status(
    return state, " — ".join(desc_parts)


-def get_tier_mode(pr: dict[str, Any], cfg: dict[str, Any]) -> str:
-    """Read tier label, return 'hard' or 'soft' per cfg.tier_failure_mode."""
-    labels = pr.get("labels") or []
-    tier_labels = [label.get("name", "") for label in labels if (label.get("name", "") or "").startswith("tier:")]
-    mode_map = cfg.get("tier_failure_mode") or {}
-    default_mode = cfg.get("default_mode", "hard")
-    for tl in tier_labels:
-        if tl in mode_map:
-            return mode_map[tl]
-    return default_mode
-
-
 def is_high_risk(pr: dict[str, Any], cfg: dict[str, Any]) -> bool:
    """Return True when the PR is high-risk per RFC#450 Option C.

-    A PR is high-risk when ANY of:
-      - it carries the `tier:high` label (mechanically strictest tier), or
-      - it carries any label listed in cfg.high_risk_labels.
+    A PR is high-risk when it carries any label listed in cfg.high_risk_labels.

    High-risk PRs use `required_teams_high_risk` (when set on an item)
    instead of the default `required_teams`. Items without
    `required_teams_high_risk` are unaffected (the default applies).
-
-    Governance fix for internal#442 — closes the inconsistency between
-    sop-tier-check (tier-aware) and sop-checklist (was tier-blind).
    """
    label_set = {(label.get("name") or "") for label in (pr.get("labels") or [])}
-    if "tier:high" in label_set:
-        return True
    high_risk_labels = set(cfg.get("high_risk_labels") or [])
    return bool(label_set & high_risk_labels)

@@ -1169,13 +1149,6 @@ def main(argv: list[str] | None = None) -> int:
    body_state = {it["slug"]: section_marker_present(body, it["pr_section_marker"]) for it in items}

    state, description = render_status(items, ack_state, body_state)
-    mode = get_tier_mode(pr, cfg)
-    if mode == "soft":
-        # tier:low: acks are informational only — post success so BP gate passes.
-        # Description carries "[info tier:low]" prefix so reviewers know acks
-        # were not required (vs a tier:medium+ PR that truly passed all acks).
-        state = "success"
-        description = f"[info tier:low] {description}"
    if volume_skipped:
        # Above the comment-cap — we may have a partial view. Soft-pend
        # so neither BP nor the author gets stuck; surface the cap so
@@ -1189,7 +1162,7 @@ def main(argv: list[str] | None = None) -> int:
    # Diagnostics to job log.
    print(
        f"::notice::PR #{args.pr} author={author} head={head_sha[:7]} "
-        f"mode={mode} risk_class={'high' if high_risk else 'default'}"
+        f"risk_class={'high' if high_risk else 'default'}"
    )
    for it in items:
        slug = it["slug"]
@@ -1,423 +0,0 @@
-#!/usr/bin/env bash
-# sop-tier-check — verify a Gitea PR satisfies the §SOP-6 approval gate.
-#
-# Reads the PR's tier label, walks approving reviewers, and checks team
-# membership against the tier's approval expression. Passes only when
-# ALL clauses in the expression are satisfied by the set of approving
-# reviewers (AND-composition; internal#189).
-#
-# Expression syntax:
-#   "team-a"          — OR-set: any ONE of the comma-separated teams
-#   "team-a AND team-b" — AND: BOTH must each have ≥1 approver
-#   "(a,b,c)"         — OR-set wrapped in parens; same as "a,b,c"
-#
-# Example: "qa AND security AND (managers,ceo)" means:
-#   ≥1 approver in team "qa"  AND
-#   ≥1 approver in team "security"  AND
-#   ≥1 approver in team "managers" OR "ceo"
-#
-# Per the spec (internal#189), the hard gate here pairs with the
-# advisory gate of sop-conformance LLM-judge (internal#188): each
-# required-team click must reflect real verification (visible in review
-# body or A2A messages), not rubber-stamp APPROVE. Both gates together
-# close the "teammate clicks APPROVE without verifying" gap.
-#
-# Invoked from `.gitea/workflows/sop-tier-check.yml`. The workflow sets
-# the env vars below; this script does no IO outside of stdout/stderr +
-# the Gitea API.
-#
-# Required env:
-#   GITEA_TOKEN   — bot PAT with read:organization,read:user,
-#                   read:issue,read:repository scopes
-#   GITEA_HOST    — e.g. git.moleculesai.app
-#   REPO          — owner/name (from github.repository)
-#   PR_NUMBER     — int (from github.event.pull_request.number)
-#   PR_AUTHOR     — login (from github.event.pull_request.user.login)
-#
-# Optional:
-#   SOP_DEBUG=1        — print per-API-call diagnostic lines. Default: off.
-#   SOP_LEGACY_CHECK=1 — revert to OR-gate (≥1 approver from any eligible
-#                         team). Grace window for PRs in-flight when the
-#                         new AND-composition was deployed. Expires 2026-05-17
-#                         (7-day burn-in window; internal#189 Phase 1).
-#                         Set by workflow for PRs merged before the deploy.
-
-set -euo pipefail
-
-# Ensure jq is available. Runners may not have it pre-installed, and the
-# workflow-level jq install can fail on runners with network restrictions
-# (GitHub releases not reachable from some runner networks — infra#241
-# follow-up). This fallback is idempotent — no-op when jq is already on PATH.
-if ! command -v jq >/dev/null 2>&1; then
-  echo "::notice::jq not found on PATH — attempting install..."
-  _jq_installed="no"
-  # apt-get first (primary) — Ubuntu package mirrors are reliably reachable.
-  if apt-get update -qq && apt-get install -y -qq jq 2>/dev/null; then
-    echo "::notice::jq installed via apt-get: $(jq --version)"
-    _jq_installed="yes"
-  # GitHub binary as secondary fallback — may fail on restricted networks.
-  elif timeout 120 curl -sSL \
-    "https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-amd64" \
-    -o /usr/local/bin/jq \
-    && chmod +x /usr/local/bin/jq; then
-    echo "::notice::jq binary downloaded: $(/usr/local/bin/jq --version)"
-    _jq_installed="yes"
-  fi
-  if ! command -v jq >/dev/null 2>&1; then
-    echo "::error::jq installation failed — apt-get and GitHub binary both failed."
-    echo "::error::sop-tier-check requires jq for all JSON API parsing."
-    exit 1
-  fi
-fi
-
-debug() {
-  if [ "${SOP_DEBUG:-}" = "1" ]; then
-    echo "  [debug] $*" >&2
-  fi
-}
-
-# Validate env
-: "${GITEA_TOKEN:?GITEA_TOKEN required}"
-: "${GITEA_HOST:?GITEA_HOST required}"
-: "${REPO:?REPO required (owner/name)}"
-: "${PR_NUMBER:?PR_NUMBER required}"
-: "${PR_AUTHOR:?PR_AUTHOR required}"
-
-OWNER="${REPO%%/*}"
-NAME="${REPO##*/}"
-API="https://${GITEA_HOST}/api/v1"
-AUTH="Authorization: token ${GITEA_TOKEN}"
-echo "::notice::tier-check start: repo=$OWNER/$NAME pr=$PR_NUMBER author=$PR_AUTHOR"
-
-# Sanity: token resolves to a user.
-# Use || true on the jq pipeline so that set -euo pipefail (line 45) does not
-# cause the script to exit prematurely when the token is empty/invalid — the
-# if check below handles that case gracefully. Without || true, a 401 from an
-# empty/invalid token causes jq to exit 1, triggering set -e and exiting the
-# entire script before the error can be logged.
-WHOAMI=$(curl -sS -H "$AUTH" "${API}/user" | jq -r '.login // ""') || true
-if [ -z "$WHOAMI" ]; then
-  echo "::error::GITEA_TOKEN cannot resolve a user via /api/v1/user — check the token scope and that the secret is wired correctly."
-  exit 1
-fi
-echo "::notice::token resolves to user: $WHOAMI"
-
-# 0.5 Read PR head SHA so we can reject stale approvals after head moves
-# (internal#816). Reviews carry the commit_id they were submitted against.
-HEAD_SHA=$(curl -sS -H "$AUTH" "${API}/repos/${OWNER}/${NAME}/pulls/${PR_NUMBER}" | jq -r '.head.sha // ""') || true
-if [ -z "$HEAD_SHA" ]; then
-  echo "::error::Failed to fetch PR head SHA — token may be invalid."
-  exit 1
-fi
-debug "pr-head-sha=$HEAD_SHA"
-
-# 1. Read tier label. || true ensures set -euo pipefail does not abort the
-# script if curl or jq fails (e.g. 401 from empty token).
-LABELS=$(curl -sS -H "$AUTH" "${API}/repos/${OWNER}/${NAME}/issues/${PR_NUMBER}/labels" | jq -r '.[].name') || true
-TIER=""
-for L in $LABELS; do
-  case "$L" in
-    tier:low|tier:medium|tier:high)
-      if [ -n "$TIER" ]; then
-        echo "::error::Multiple tier labels: $TIER + $L. Apply exactly one."
-        exit 1
-      fi
-      TIER="$L"
-    ;;
-  esac
-done
-if [ -z "$TIER" ]; then
-  echo "::error::PR has no tier:low|tier:medium|tier:high label. Apply one before merge."
-  exit 1
-fi
-debug "tier=$TIER"
-
-# 2. Tier → required team expression (AND-composition; internal#189)
-#
-# Expression syntax:
-#   clause-a AND clause-b AND ...   — ALL clauses must pass
-#   team-a,team-b,team-c            — OR-set: ≥1 approver in ANY of these teams
-#   (team-a,team-b)                 — same as team-a,team-b (parens optional)
-#
-# This map is the single source of truth. Update it when the team structure
-# or policy changes. Teams referenced here but absent in Gitea are treated
-# as unachievable (would always fail) — operators notice the clear error
-# and create the missing team.
-#
-# Current Gitea teams: ceo, engineers, managers, qa, security
-declare -A TIER_EXPR=(
-  # tier:low — same as previous OR gate: any engineer, manager, or ceo.
-  ["tier:low"]="engineers,managers,ceo"
-
-  # tier:medium — AND of (managers) AND (engineers) AND (qa,security)
-  # ≥1 approver from managers AND ≥1 from engineers AND ≥1 from qa OR security.
-  ["tier:medium"]="managers AND engineers AND qa,security"
-
-  # tier:high — ceo only. The AND-composition adds no value for a
-  # single-team gate, but the framework is wired for consistency.
-  ["tier:high"]="ceo"
-)
-
-EXPR="${TIER_EXPR[$TIER]-}"
-if [ -z "$EXPR" ]; then
-  echo "::error::No expression defined for tier $TIER in TIER_EXPR map."
-  exit 1
-fi
-debug "expression=$EXPR"
-
-# 3. Legacy OR-gate override (7-day burn-in grace window; internal#189 Phase 1)
-if [ "${SOP_LEGACY_CHECK:-}" = "1" ]; then
-  LEGACY_ELIGIBLE=""
-  case "$TIER" in
-    tier:low)    LEGACY_ELIGIBLE="engineers managers ceo" ;;
-    tier:medium) LEGACY_ELIGIBLE="managers ceo" ;;
-    tier:high)   LEGACY_ELIGIBLE="ceo" ;;
-  esac
-  echo "::notice::SOP_LEGACY_CHECK=1 — using OR-gate ({$LEGACY_ELIGIBLE}) for this PR."
-  ELIGIBLE="$LEGACY_ELIGIBLE"
-fi
-
-# 4. Resolve all team names → IDs
-# /orgs/{org}/teams/{slug}/... endpoints don't exist on Gitea 1.22;
-# we use /teams/{id}.
-# set +e prevents set -e from aborting the script if curl fails (e.g. empty token).
-ORG_TEAMS_FILE=$(mktemp)
-trap 'rm -f "$ORG_TEAMS_FILE"' EXIT
-set +e
-HTTP_CODE=$(curl -sS -o "$ORG_TEAMS_FILE" -w '%{http_code}' -H "$AUTH" \
-  "${API}/orgs/${OWNER}/teams")
-_HTTP_EXIT=$?
-set -e
-debug "teams-list HTTP=$HTTP_CODE (curl exit=$_HTTP_EXIT) size=$(wc -c <"$ORG_TEAMS_FILE")"
-if [ "${SOP_DEBUG:-}" = "1" ]; then
-  echo "  [debug] teams-list body (first 300 chars):" >&2
-  head -c 300 "$ORG_TEAMS_FILE" >&2; echo >&2
-fi
-if [ "$_HTTP_EXIT" -ne 0 ] || [ "$HTTP_CODE" != "200" ]; then
-  echo "::error::GET /orgs/${OWNER}/teams failed (curl exit=$_HTTP_EXIT HTTP=$HTTP_CODE) — token may lack read:org scope or be invalid."
-  exit 1
-fi
-
-# Collect every team name that appears in the expression.
-# Bash word-splitting on $EXPR splits on spaces, so "AND" appears as a
-# token. We skip it explicitly.
-declare -A TEAM_ID
-_all_teams=""
-for _raw_clause in $EXPR; do
-  # Strip parens and split on comma.
-  _clause=${_raw_clause//[()]/}
-  for _t in $(echo "$_clause" | tr ',' '\n'); do
-    _t=$(echo "$_t" | tr -d '[:space:]')
-    [ -z "$_t" ] && continue
-    # Skip AND / OR operator tokens (bash word-split produced them from
-    # spaces in the expression string).
-    [ "$_t" = "AND" ] || [ "$_t" = "OR" ] && continue
-    # Skip if already in set.
-    case " $_all_teams " in
-      *" $_t "*) ;;  # already present
-      *) _all_teams="${_all_teams} $_t " ;;
-    esac
-  done
-done
-
-for _t in $_all_teams; do
-  _t=$(echo "$_t" | tr -d ' ')
-  [ -z "$_t" ] && continue
-  _id=$(jq -r --arg t "$_t" '.[] | select(.name==$t) | .id' <"$ORG_TEAMS_FILE" | head -1)
-  if [ -z "$_id" ] || [ "$_id" = "null" ]; then
-    # "??" suffix marks teams that don't exist yet (tier:medium qa/security).
-    # Treat as permanently failing clause; clear error message guides ops.
-    if [[ "$_t" == *"???" ]]; then
-      debug "team \"$_t\" not found (expected — pending team creation per internal#189)"
-      continue
-    fi
-    _visible=$(jq -r '.[]?.name? // empty' <"$ORG_TEAMS_FILE" 2>/dev/null | tr '\n' ' ')
-    echo "::error::Team \"$_t\" referenced in tier $TIER expression but not found in org $OWNER. Teams visible: $_visible"
-    exit 1
-  fi
-  TEAM_ID[$_t]="$_id"
-  debug "team-id: $_t → $_id"
-done
-
-# 5. Read approving reviewers. set +e disables set -e temporarily so that curl
-# failures (e.g. empty/invalid token → HTTP 401) do not abort the script before
-# set -e is restored immediately after.
-set +e
-REVIEWS=$(curl -sS -H "$AUTH" "${API}/repos/${OWNER}/${NAME}/pulls/${PR_NUMBER}/reviews")
-_REVIEWS_EXIT=$?
-set -e
-if [ $_REVIEWS_EXIT -ne 0 ] || [ -z "$REVIEWS" ]; then
-  echo "::error::Failed to fetch reviews (curl exit=$_REVIEWS_EXIT) — token may be invalid or unreachable."
-  exit 1
-fi
-APPROVERS=$(echo "$REVIEWS" | jq -r --arg head_sha "$HEAD_SHA" '[.[] | select(.state=="APPROVED" and .commit_id == $head_sha) | .user.login] | unique | .[]') || true
-if [ -z "$APPROVERS" ]; then
-  echo "::error::No approving reviews on this PR. Set SOP_DEBUG=1 and re-run for diagnostics."
-  exit 1
-fi
-debug "approvers: $(echo "$APPROVERS" | tr '\n' ' ')"
-
-# 6. For each approver: skip self-review; probe team membership by id.
-# Build $APPROVER_TEAMS[<user>]=space-surrounded team names (e.g. " managers ").
-# Pre/post spaces ensure case patterns *${_t}* match even when the name
-# is the first or last entry (bash case *word* needs delimiters on both sides).
-#
-# FAIL-CLOSED AUTHORIZATION (security: SOP tier gate is an AUTHORIZATION gate).
-#
-# This used to fall back to /orgs/{org}/members/{user} whenever every team
-# probe failed and credit any org member as a member of EVERY queried team.
-# That was a privilege-escalation: org membership is NOT team membership, so
-# a 403/visibility/token-scope gap on the team probes silently promoted a
-# plain org member to satisfy tier:high (ceo). An inability-to-verify became
-# an authorization GRANT. The fallback is REMOVED — org membership must never
-# satisfy a team-gated tier.
-#
-# A team-membership probe has exactly three meaningful outcomes:
-#   200 / 204  → the user IS a member of that team       (credit it)
-#   404        → the user is definitively NOT a member    (no credit, verified)
-#   anything else (403 / 401 / 5xx / curl failure / non-numeric)
-#              → membership CANNOT be read                 (cannot-verify)
-#
-# Per the dev-sop fail-closed rule (inability-to-verify = failure, never a
-# pass — and here, never an authorization grant), a cannot-verify outcome on
-# ANY probe is a HARD infra failure: we publish a loud cannot-verify error and
-# exit non-zero. We do NOT proceed to evaluate the tier expression on a partial
-# / unverifiable membership picture, because doing so could let an unverifiable
-# approver's clause silently fail-or-pass on incomplete data. Fix the token
-# scope (read:organization) or the runner network — not the gate.
-declare -A APPROVER_TEAMS
-_verify_failed=""   # accumulates "<user>:<team>(HTTP <code>)" for probes we could not read
-for U in $APPROVERS; do
-  [ "$U" = "$PR_AUTHOR" ] && debug "skip self-review by $U" && continue
-  for T in "${!TEAM_ID[@]}"; do
-    ID="${TEAM_ID[$T]}"
-    set +e
-    CODE=$(curl -sS -o /dev/null -w '%{http_code}' -H "$AUTH" \
-      "${API}/teams/${ID}/members/${U}")
-    _curl_exit=$?
-    set -e
-    debug "probe: $U in team $T (id=$ID) → HTTP $CODE (curl exit=$_curl_exit)"
-    if [ "$_curl_exit" -ne 0 ]; then
-      # curl itself failed (DNS, connection refused, timeout) — unreachable.
-      _verify_failed="${_verify_failed}${_verify_failed:+, }${U}:${T}(curl exit ${_curl_exit})"
-      continue
-    fi
-    case "$CODE" in
-      200|204)
-        APPROVER_TEAMS[$U]="${APPROVER_TEAMS[$U]:- } ${APPROVER_TEAMS[$U]:+ }$T "
-        debug "$U qualifies for team $T"
-        ;;
-      404)
-        # Definitively not a member of this team — a verified negative.
-        debug "$U is NOT a member of team $T (verified 404)"
-        ;;
-      *)
-        # 403/401/5xx/etc — membership is unreadable. Do NOT treat as "not a
-        # member" and do NOT fall back to org membership. This is cannot-verify.
-        _verify_failed="${_verify_failed}${_verify_failed:+, }${U}:${T}(HTTP ${CODE})"
-        ;;
-    esac
-  done
-done
-
-# Fail-closed: if ANY membership probe could not be read, we cannot make an
-# authorization decision. Publish a loud cannot-verify / infra-failed status
-# and exit non-zero. Never grant the tier on unverifiable membership.
-if [ -n "$_verify_failed" ]; then
-  echo "::error::sop-tier-check CANNOT VERIFY team membership — gate FAILS CLOSED."
-  echo "::error::Unreadable membership probe(s): ${_verify_failed}"
-  echo "::error::A team-membership probe returned 403/401/5xx (or curl failed). The SOP tier gate is an authorization gate; an inability to verify team membership is treated as a FAILURE, never a pass. Org membership is NOT team membership and is never credited as a fallback."
-  echo "::error::Fix: ensure GITEA_TOKEN (SOP_TIER_CHECK_TOKEN) has read:organization scope and the Gitea API is reachable from the runner, then re-run. Do NOT relax this gate."
-  exit 1
-fi
-
-# 7. Evaluate the tier expression.
-#
-# legacy OR-gate: use the simplified loop from before internal#189.
-if [ -n "${LEGACY_ELIGIBLE:-}" ]; then
-  OK=""
-  for _u in "${!APPROVER_TEAMS[@]}"; do
-    for _t2 in $LEGACY_ELIGIBLE; do
-      case "${APPROVER_TEAMS[$_u]}" in
-        *${_t2}*)
-          echo "::notice::approver $_u is in team $_t2 (eligible for $TIER)"
-          OK="yes"
-          break
-        ;;
-      esac
-    done
-    [ -n "$OK" ] && break
-  done
-  if [ -z "$OK" ]; then
-    echo "::error::Tier $TIER requires approval from a non-author member of {$LEGACY_ELIGIBLE}. Set SOP_DEBUG=1 to see per-probe HTTP codes."
-    exit 1
-  fi
-  echo "::notice::sop-tier-check passed: $TIER (legacy OR-gate)"
-  exit 0
-fi
-
-# AND-gate: evaluate the expression clause by clause.
-# _passed_clauses and _failed_clauses accumulate for the status description.
-_passed_clauses=""
-_failed_clauses=""
-
-for _raw_clause in $EXPR; do
-  # Normalise: strip parens, replace commas with spaces so bash word-split
-  # can iterate the OR-set members. The previous form
-  #   _clause=$(echo ... | tr ',' '\n' | tr -d '[:space:]' | grep -v '^$')
-  # collapsed every member into one concatenated token because
-  # `tr -d '[:space:]'` strips the very newlines that just separated them
-  # ("engineers,managers,ceo" -> "engineersmanagersceo"), so the OR-clause
-  # only ever evaluated as a single nonsense team name and never matched
-  # APPROVER_TEAMS. Fixed in #229: leave the comma-separated members as
-  # space-separated tokens for `for _t in $_clause`.
-  _no_parens=${_raw_clause//[()]/}
-  _clause=${_no_parens//,/ }
-  _clause_passed="no"
-  _clause_names=""
-  for _t in $_clause; do
-    # Append (don't overwrite) team name to the human-readable accumulator.
-    # The previous form `_clause_names="${_clause_names:+, }${_t}"`
-    # rewrote the variable on every iteration, so the FAIL message only
-    # ever showed the LAST team. Fixed: prepend prior value before the
-    # comma-separator, then append the new team name.
-    _clause_names="${_clause_names}${_clause_names:+, }${_t}"
-    # Skip teams not yet in Gitea (qa??? / security??? placeholders).
-    [[ "$_t" == *"???" ]] && debug "clause \"$_t\": skipped (team pending creation)" && continue
-    [ -z "${TEAM_ID[$_t]:-}" ] && debug "clause \"$_t\": no ID resolved, skipping" && continue
-    for _u in "${!APPROVER_TEAMS[@]}"; do
-      # Note: APPROVER_TEAMS values are space-surrounded (e.g. " managers ").
-      # Pattern *${_t}* matches team name anywhere in the space-padded string.
-      case "${APPROVER_TEAMS[$_u]}" in
-        *${_t}*)
-          _clause_passed="yes"
-          debug "clause \"$_t\": satisfied by $_u"
-          break
-        ;;
-      esac
-    done
-  done
-
-  # Label for display: strip "???" from pending teams.
-  _label=$(echo "$_raw_clause" | tr -d '()' | tr ',' '/' | tr -d '[:space:]' | sed 's/???//g')
-
-  if [ "$_clause_passed" = "yes" ]; then
-    # Append (don't overwrite) — same accumulator bug as _clause_names above.
-    _passed_clauses="${_passed_clauses}${_passed_clauses:+, }$_label"
-    echo "::notice::clause [$_label]: PASS — satisfied by approving reviewer(s)"
-  else
-    _failed_clauses="${_failed_clauses}${_failed_clauses:+, }$_label"
-    echo "::error::clause [$_label]: FAIL — no approving reviewer belongs to any of these teams (${_clause_names}). Set SOP_DEBUG=1 to see per-team probe results."
-  fi
-done
-
-if [ -n "$_failed_clauses" ]; then
-  echo ""
-  echo "::error::sop-tier-check FAILED for $TIER."
-  echo "  Passed :${_passed_clauses}"
-  echo "  Missing:${_failed_clauses}"
-  echo "  All clauses must be satisfied. Each missing team needs an APPROVED review from one of its members."
-  exit 1
-fi
-
-echo "::notice::sop-tier-check PASSED: $TIER — all required clauses satisfied [${_passed_clauses}]"
@@ -1,199 +0,0 @@
-#!/usr/bin/env bash
-# sop-tier-refire — re-evaluate sop-tier-check and POST status to PR head SHA.
-#
-# Invoked from `.gitea/workflows/sop-tier-refire.yml` when a repo
-# MEMBER/OWNER/COLLABORATOR comments `/refire-tier-check` on a PR.
-#
-# Behavior:
-#
-# 1. Resolve PR head SHA + author from PR_NUMBER.
-# 2. Rate-limit: if the sop-tier-check context has been POSTed in the
-#    last 30 seconds, skip (prevents comment-spam status thrash).
-# 3. Invoke `.gitea/scripts/sop-tier-check.sh` with the same env the
-#    canonical workflow provides. This is DRY: we re-use the exact AND-
-#    composition gate logic, not a watered-down approving-count check.
-# 4. POST the resulting status (success on exit 0, failure on non-zero)
-#    to `/repos/.../statuses/{HEAD_SHA}` with context
-#    "sop-tier-check / tier-check (pull_request)" — the same context name
-#    branch protection requires.
-#
-# Required env (set by sop-tier-refire.yml):
-#   GITEA_TOKEN    — org-level SOP_TIER_CHECK_TOKEN (read:org/user/issue/repo)
-#   GITEA_HOST     — e.g. git.moleculesai.app
-#   REPO           — owner/name
-#   PR_NUMBER      — PR number from issue_comment payload
-#   COMMENT_AUTHOR — login of the commenter (logged for audit)
-#
-# Optional:
-#   SOP_DEBUG=1                — verbose per-API-call diagnostics
-#   SOP_REFIRE_RATE_LIMIT_SEC  — override the 30s rate-limit (default 30)
-#   SOP_REFIRE_DISABLE_RATE_LIMIT=1 — for tests; skips the rate-limit check
-
-set -euo pipefail
-
-debug() {
-  if [ "${SOP_DEBUG:-}" = "1" ]; then
-    echo "  [debug] $*" >&2
-  fi
-}
-
-: "${GITEA_TOKEN:?GITEA_TOKEN required}"
-: "${GITEA_HOST:?GITEA_HOST required}"
-: "${REPO:?REPO required (owner/name)}"
-: "${PR_NUMBER:?PR_NUMBER required}"
-: "${COMMENT_AUTHOR:=unknown}"
-
-OWNER="${REPO%%/*}"
-NAME="${REPO##*/}"
-API="https://${GITEA_HOST}/api/v1"
-AUTH="Authorization: token ${GITEA_TOKEN}"
-CONTEXT="sop-tier-check / tier-check (pull_request)"
-RATE_LIMIT_SEC="${SOP_REFIRE_RATE_LIMIT_SEC:-30}"
-
-echo "::notice::sop-tier-refire start: repo=$OWNER/$NAME pr=$PR_NUMBER commenter=$COMMENT_AUTHOR"
-
-# 1. Fetch PR details — need head.sha and user.login.
-PR_FILE=$(mktemp)
-trap 'rm -f "$PR_FILE"' EXIT
-PR_HTTP=$(curl -sS -o "$PR_FILE" -w '%{http_code}' -H "$AUTH" \
-  "${API}/repos/${OWNER}/${NAME}/pulls/${PR_NUMBER}")
-if [ "$PR_HTTP" != "200" ]; then
-  echo "::error::GET /pulls/$PR_NUMBER returned HTTP $PR_HTTP (body $(head -c 200 "$PR_FILE"))"
-  exit 1
-fi
-HEAD_SHA=$(jq -r '.head.sha' <"$PR_FILE")
-PR_AUTHOR=$(jq -r '.user.login' <"$PR_FILE")
-PR_STATE=$(jq -r '.state' <"$PR_FILE")
-if [ -z "$HEAD_SHA" ] || [ "$HEAD_SHA" = "null" ]; then
-  echo "::error::Could not resolve head.sha from PR #$PR_NUMBER response"
-  exit 1
-fi
-debug "head_sha=$HEAD_SHA pr_author=$PR_AUTHOR state=$PR_STATE"
-
-if [ "$PR_STATE" != "open" ]; then
-  echo "::notice::PR #$PR_NUMBER state is $PR_STATE; refire is a no-op on closed PRs."
-  exit 0
-fi
-
-# 2. Rate-limit: skip if our context was updated in the last $RATE_LIMIT_SEC.
-# Gitea statuses endpoint returns latest first; we check the most recent
-# entry for our context name.
-if [ "${SOP_REFIRE_DISABLE_RATE_LIMIT:-}" != "1" ]; then
-  STATUSES_FILE=$(mktemp)
-  trap 'rm -f "$PR_FILE" "$STATUSES_FILE"' EXIT
-  ST_HTTP=$(curl -sS -o "$STATUSES_FILE" -w '%{http_code}' -H "$AUTH" \
-    "${API}/repos/${OWNER}/${NAME}/statuses/${HEAD_SHA}?limit=50&sort=newest")
-  debug "statuses-list HTTP=$ST_HTTP"
-  if [ "$ST_HTTP" = "200" ]; then
-    LAST_UPDATED=$(jq -r --arg c "$CONTEXT" \
-      '[.[] | select(.context == $c)] | first | .updated_at // ""' \
-      <"$STATUSES_FILE")
-    if [ -n "$LAST_UPDATED" ] && [ "$LAST_UPDATED" != "null" ]; then
-      # Parse RFC3339 → epoch. Use python -c for portability (date(1) -d
-      # differs between BSD/GNU; the Gitea runner is Ubuntu so GNU date
-      # works, but we keep python for future container variance).
-      LAST_EPOCH=$(python3 -c "import sys,datetime;print(int(datetime.datetime.fromisoformat(sys.argv[1].replace('Z','+00:00')).timestamp()))" "$LAST_UPDATED" 2>/dev/null || echo "0")
-      NOW_EPOCH=$(date -u +%s)
-      AGE=$((NOW_EPOCH - LAST_EPOCH))
-      debug "last status update: $LAST_UPDATED ($AGE seconds ago)"
-      if [ "$AGE" -lt "$RATE_LIMIT_SEC" ] && [ "$AGE" -ge 0 ]; then
-        echo "::notice::sop-tier-refire rate-limited — last status update was ${AGE}s ago (<${RATE_LIMIT_SEC}s window). Try again shortly."
-        exit 0
-      fi
-    fi
-  fi
-fi
-
-# 3. Invoke sop-tier-check.sh with the env it expects.
-#
-# FAIL-CLOSED contract (was fail-open — fixed 2026-06-05,
-# fix/core-ci-fail-closed). The previous shape was:
-#     bash "$SCRIPT" || true
-#     TIER_EXIT=0          # <-- hardcoded success
-# which discarded the real verdict and ALWAYS POSTed
-# `state=success` for the REQUIRED context
-# `sop-tier-check / tier-check (pull_request)`. That meant ANY
-# collaborator could comment `/refire-tier-check` to forcibly green
-# the SOP-6 approval gate on the PR head SHA — a fail-open AND a
-# privilege bypass of branch protection. The canonical
-# pull_request_target workflow's conclusion publishes the same
-# context honestly (red on a real violation); the refire MUST mirror
-# THAT honesty, not a discarded exit code.
-#
-# We now capture the script's real exit code under `set +e` and POST
-# success ONLY when it actually exited 0. sop-tier-check.sh itself
-# fails closed on infra faults (no SOP_FAIL_OPEN in this refire env),
-# so a bad token / unreachable API / missing jq → non-zero → we POST
-# `state=failure`, never a false green.
-#
-# SOP_REFIRE_TIER_CHECK_SCRIPT env var lets tests substitute a mock —
-# sop-tier-check.sh uses bash 4+ associative arrays which trigger a known
-# bash 3.2 parser bug (`tier: unbound variable` from declare -A with
-# `set -u`). Linux Gitea runners ship bash 4/5 so production is fine;
-# the override exists so the bash 3.2 dev box can still exercise the
-# refire glue logic end-to-end.
-SCRIPT="${SOP_REFIRE_TIER_CHECK_SCRIPT:-$(dirname "$0")/sop-tier-check.sh}"
-if [ ! -f "$SCRIPT" ]; then
-  echo "::error::sop-tier-check.sh not found at $SCRIPT — refire requires the canonical script"
-  exit 1
-fi
-
-# Re-invoke. Pipe stdout/stderr through so the runner log shows the
-# tier-check decision inline. Capture the REAL exit code (set +e so a
-# non-zero verdict doesn't abort this script under set -e) — the POST
-# below keys off it, so a failed tier-check posts state=failure.
-set +e
-GITEA_TOKEN="$GITEA_TOKEN" \
-  GITEA_HOST="$GITEA_HOST" \
-  REPO="$REPO" \
-  PR_NUMBER="$PR_NUMBER" \
-  PR_AUTHOR="$PR_AUTHOR" \
-  SOP_DEBUG="${SOP_DEBUG:-0}" \
-  SOP_LEGACY_CHECK="${SOP_LEGACY_CHECK:-0}" \
-  bash "$SCRIPT"
-TIER_EXIT=$?
-set -e
-debug "sop-tier-check.sh exit=$TIER_EXIT"
-
-# 4. POST the resulting status.
-if [ "$TIER_EXIT" -eq 0 ]; then
-  STATE="success"
-  DESCRIPTION="Refired via /refire-tier-check by $COMMENT_AUTHOR"
-else
-  STATE="failure"
-  DESCRIPTION="Refired via /refire-tier-check; tier-check failed (see workflow log)"
-fi
-
-# Status target_url points at the runner log so a curious reviewer can
-# follow it back. SERVER_URL + RUN_ID + JOB_ID isn't trivially constructible
-# from the bash env on Gitea 1.22.6, so we point at the PR itself.
-TARGET_URL="https://${GITEA_HOST}/${OWNER}/${NAME}/pulls/${PR_NUMBER}"
-
-POST_BODY=$(jq -nc \
-  --arg state "$STATE" \
-  --arg context "$CONTEXT" \
-  --arg description "$DESCRIPTION" \
-  --arg target_url "$TARGET_URL" \
-  '{state:$state, context:$context, description:$description, target_url:$target_url}')
-
-POST_FILE=$(mktemp)
-trap 'rm -f "$PR_FILE" "${STATUSES_FILE:-}" "$POST_FILE"' EXIT
-POST_HTTP=$(curl -sS -o "$POST_FILE" -w '%{http_code}' \
-  -X POST -H "$AUTH" -H "Content-Type: application/json" \
-  -d "$POST_BODY" \
-  "${API}/repos/${OWNER}/${NAME}/statuses/${HEAD_SHA}")
-if [ "$POST_HTTP" != "200" ] && [ "$POST_HTTP" != "201" ]; then
-  echo "::error::POST /statuses/$HEAD_SHA returned HTTP $POST_HTTP (body $(head -c 200 "$POST_FILE"))"
-  exit 1
-fi
-
-echo "::notice::sop-tier-refire posted state=$STATE for context=\"$CONTEXT\" on sha=$HEAD_SHA"
-# Exit 0: the refire JOB succeeded — it re-evaluated the gate and posted
-# an HONEST status. The gate VERDICT is carried by the POSTed status
-# ($STATE), which is what branch protection reads; a failing tier-check
-# posts state=failure (red on the PR), so there is no fail-open. We do
-# NOT also exit non-zero on a failing verdict — that would double-signal
-# the same failure as both a red status AND a red refire job. The
-# fail-open that mattered (TIER_EXIT hardcoded to 0 → always state=success)
-# is fixed above by capturing the real exit code.
-exit 0
@@ -1,28 +0,0 @@
-#!/usr/bin/env bash
-# Mock sop-tier-check.sh for sop-tier-refire tests.
-#
-# Exits 0 ("PASS") if $MOCK_TIER_RESULT == "pass", else exits 1.
-# This lets the refire tests cover the success + failure status-POST
-# paths without invoking the real sop-tier-check.sh (which uses bash 4+
-# associative arrays — known parser bug on macOS bash 3.2 dev box).
-
-set -euo pipefail
-
-case "${MOCK_TIER_RESULT:-pass}" in
-  pass)
-    echo "::notice::mock tier-check: PASS"
-    exit 0
-    ;;
-  fail_no_label)
-    echo "::error::mock tier-check: no tier label"
-    exit 1
-    ;;
-  fail_no_approvals)
-    echo "::error::mock tier-check: no approving reviews"
-    exit 1
-    ;;
-  *)
-    echo "::error::mock tier-check: unknown MOCK_TIER_RESULT=${MOCK_TIER_RESULT:-}"
-    exit 2
-    ;;
-esac
@@ -1,208 +0,0 @@
-#!/usr/bin/env python3
-"""Stub Gitea API for sop-tier-refire test scenarios.
-
-Reads $FIXTURE_STATE_DIR/scenario to decide what to return for each
-endpoint the sop-tier-refire.sh + sop-tier-check.sh scripts call.
-Captures every POST to /statuses/{sha} into posted_statuses.jsonl so
-the test can assert what the script tried to write.
-
-Scenarios:
-  T1_success         — tier:low + APPROVED by engineer → tier-check passes
-  T2_no_tier_label   — no tier label → tier-check exits 1 before POST
-  T3_no_approvals    — tier:low but zero approving reviews → exits 1
-  T4_closed          — PR state=closed → refire is a no-op
-  T5_rate_limited    — last status update 5 seconds ago → skip
-
-Usage:
-  FIXTURE_STATE_DIR=/tmp/x python3 _refire_fixture.py 8080
-"""
-
-import datetime
-import http.server
-import json
-import os
-import re
-import sys
-import urllib.parse
-
-
-STATE_DIR = os.environ["FIXTURE_STATE_DIR"]
-
-
-def scenario() -> str:
-    p = os.path.join(STATE_DIR, "scenario")
-    if not os.path.isfile(p):
-        return "T1_success"
-    with open(p, encoding="utf-8") as f:
-        return f.read().strip()
-
-
-def now_iso() -> str:
-    return datetime.datetime.now(datetime.timezone.utc).isoformat()
-
-
-def append_post(body: dict) -> None:
-    with open(os.path.join(STATE_DIR, "posted_statuses.jsonl"), "a") as f:
-        f.write(json.dumps(body) + "\n")
-
-
-def pr_payload() -> dict:
-    sc = scenario()
-    state = "closed" if sc == "T4_closed" else "open"
-    return {
-        "number": 999,
-        "state": state,
-        "head": {"sha": "deadbeef0000111122223333444455556666"},
-        "user": {"login": "feature-author"},
-    }
-
-
-def labels_payload() -> list:
-    sc = scenario()
-    if sc == "T2_no_tier_label":
-        return [{"name": "bug"}]
-    # All other scenarios use tier:low
-    return [{"name": "tier:low"}, {"name": "ci"}]
-
-
-def reviews_payload() -> list:
-    sc = scenario()
-    if sc == "T3_no_approvals":
-        return []
-    # All other scenarios have one APPROVED review by an engineer
-    return [
-        {
-            "state": "APPROVED",
-            "user": {"login": "reviewer-engineer"},
-        }
-    ]
-
-
-def teams_payload() -> list:
-    # Mirror the real molecule-ai org teams referenced in TIER_EXPR
-    return [
-        {"id": 5, "name": "ceo"},
-        {"id": 2, "name": "engineers"},
-        {"id": 6, "name": "managers"},
-    ]
-
-
-def statuses_payload() -> list:
-    sc = scenario()
-    if sc == "T5_rate_limited":
-        recent = (
-            datetime.datetime.now(datetime.timezone.utc)
-            - datetime.timedelta(seconds=5)
-        ).isoformat()
-        return [
-            {
-                "context": "sop-tier-check / tier-check (pull_request)",
-                "state": "failure",
-                "updated_at": recent,
-            }
-        ]
-    return []
-
-
-def user_payload() -> dict:
-    # Mirrors the WHOAMI probe in sop-tier-check.sh
-    return {"login": "sop-tier-bot-fixture"}
-
-
-class Handler(http.server.BaseHTTPRequestHandler):
-    # Quiet — keep stdout for explicit logs only.
-    def log_message(self, *args, **kwargs):  # noqa: D401
-        pass
-
-    def _json(self, code: int, body) -> None:
-        payload = json.dumps(body).encode()
-        self.send_response(code)
-        self.send_header("Content-Type", "application/json")
-        self.send_header("Content-Length", str(len(payload)))
-        self.end_headers()
-        self.wfile.write(payload)
-
-    def _empty(self, code: int) -> None:
-        self.send_response(code)
-        self.send_header("Content-Length", "0")
-        self.end_headers()
-
-    def do_GET(self):  # noqa: N802
-        u = urllib.parse.urlparse(self.path)
-        path = u.path
-
-        if path == "/_ping":
-            return self._json(200, {"ok": True})
-        if path == "/api/v1/user":
-            return self._json(200, user_payload())
-
-        # /api/v1/repos/{owner}/{name}/pulls/{n}
-        m = re.match(r"^/api/v1/repos/[^/]+/[^/]+/pulls/(\d+)$", path)
-        if m:
-            return self._json(200, pr_payload())
-
-        # /api/v1/repos/{owner}/{name}/issues/{n}/labels
-        if re.match(r"^/api/v1/repos/[^/]+/[^/]+/issues/\d+/labels$", path):
-            return self._json(200, labels_payload())
-
-        # /api/v1/repos/{owner}/{name}/pulls/{n}/reviews
-        if re.match(r"^/api/v1/repos/[^/]+/[^/]+/pulls/\d+/reviews$", path):
-            return self._json(200, reviews_payload())
-
-        # /api/v1/orgs/{owner}/teams
-        if re.match(r"^/api/v1/orgs/[^/]+/teams$", path):
-            return self._json(200, teams_payload())
-
-        # /api/v1/teams/{id}/members/{login} → 204 if user is an engineer
-        m = re.match(r"^/api/v1/teams/(\d+)/members/([^/]+)$", path)
-        if m:
-            team_id, login = m.group(1), m.group(2)
-            # In our fixture reviewer-engineer ∈ engineers (id=2)
-            if team_id == "2" and login == "reviewer-engineer":
-                return self._empty(204)
-            return self._empty(404)
-
-        # /api/v1/orgs/{owner}/members/{login} — fallback path used when
-        # team-member probes all 403. We don't need it for these tests.
-        if re.match(r"^/api/v1/orgs/[^/]+/members/[^/]+$", path):
-            return self._empty(404)
-
-        # /api/v1/repos/{owner}/{name}/statuses/{sha}
-        if re.match(r"^/api/v1/repos/[^/]+/[^/]+/statuses/[^/]+$", path):
-            return self._json(200, statuses_payload())
-
-        return self._json(404, {"path": path, "msg": "fixture: no route"})
-
-    def do_POST(self):  # noqa: N802
-        u = urllib.parse.urlparse(self.path)
-        path = u.path
-        length = int(self.headers.get("Content-Length") or 0)
-        raw = self.rfile.read(length) if length else b""
-        try:
-            body = json.loads(raw) if raw else {}
-        except Exception:
-            body = {"_raw": raw.decode(errors="replace")}
-
-        if re.match(r"^/api/v1/repos/[^/]+/[^/]+/statuses/[^/]+$", path):
-            append_post(body)
-            # Echo back something status-shaped — script only checks HTTP code.
-            return self._json(
-                201,
-                {
-                    "context": body.get("context"),
-                    "state": body.get("state"),
-                    "created_at": now_iso(),
-                },
-            )
-
-        return self._json(404, {"path": path, "msg": "fixture: no route"})
-
-
-def main():
-    port = int(sys.argv[1])
-    srv = http.server.ThreadingHTTPServer(("127.0.0.1", port), Handler)
-    srv.serve_forever()
-
-
-if __name__ == "__main__":
-    main()
@@ -134,6 +134,14 @@ class Handler(http.server.BaseHTTPRequestHandler):
                return self._json(200, [
                    {"state": "APPROVED", "dismissed": False, "user": {"login": "core-devops"}, "commit_id": "deadbeef0000111122223333444455556666"},
                ])
+            if sc == "T23_missing_commit_id":
+                # APPROVED review with NO commit_id field — the SEV-1
+                # internal#812 / closed-#843 spoof-bug signature. The
+                # fail-closed SSOT must REJECT (not silently accept as
+                # "older Gitea row" the way the old pre-fix code did).
+                return self._json(200, [
+                    {"state": "APPROVED", "official": True, "dismissed": False, "user": {"login": "core-devops"}},
+                ])
            # Default: one non-author APPROVED (current head, official)
            return self._json(200, [
                {"state": "APPROVED", "dismissed": False, "official": True, "user": {"login": "core-devops"}, "commit_id": "deadbeef0000111122223333444455556666"},
@@ -0,0 +1,610 @@
+#!/usr/bin/env python3
+"""
+Mutation-verified unit tests for the SSOT fail-closed approval predicate
+in _approval_validator.py (SEV-1 internal#812).
+
+Each test asserts REJECTION explicitly. A reviewer who weakens the
+predicate — e.g., by removing the commit_id check, by reintroducing the
+"no commit_id is accepted" escape hatch, by changing `!=` to `==` in the
+head comparison, or by allowing official == false — will trip these
+tests in CI.
+
+Run:
+  cd .gitea/scripts
+  python3 -m unittest tests.test_approval_validator -v
+  # or
+  python3 tests/test_approval_validator.py
+"""
+
+from __future__ import annotations
+
+import os
+import sys
+import unittest
+
+# Same-dir import — test lives next to _approval_validator.py
+sys.path.insert(
+    0,
+    os.path.dirname(os.path.dirname(os.path.abspath(__file__))),
+)
+from _approval_validator import (  # noqa: E402
+    classify_reviews,
+    is_genuine_approval,
+    is_official_current_head,
+    is_open_request_changes,
+)
+
+HEAD = "0123456789abcdef0123456789abcdef01234567"
+OTHER_HEAD = "fedcba9876543210fedcba9876543210fedcba98"
+
+
+def _review(
+    *,
+    state: str = "APPROVED",
+    official: bool = True,
+    dismissed: bool = False,
+    stale: bool = False,
+    commit_id: object = HEAD,
+    user: str = "reviewer-1",
+    body: str = "",
+) -> dict:
+    """Build a minimal review row shaped like the Gitea reviews API."""
+    return {
+        "id": 1,
+        "user": {"login": user, "id": 1},
+        "body": body,
+        "state": state,
+        "official": official,
+        "dismissed": dismissed,
+        "stale": stale,
+        "commit_id": commit_id,
+    }
+
+
+# ---------------------------------------------------------------------------
+# Hard contract: every fail-closed branch must reject
+# ---------------------------------------------------------------------------
+
+
+class IsOfficialCurrentHeadFailClosed(unittest.TestCase):
+    """is_official_current_head is the common predicate. EVERY condition
+    is mandatory. The tests below assert REJECTION for every possible
+    failure of any condition."""
+
+    def test_accepts_canonical_review(self):
+        self.assertTrue(is_official_current_head(_review(), HEAD))
+
+    def test_rejects_non_dict(self):
+        for bad in [None, "string", 42, [], (), object()]:
+            with self.subTest(bad=bad):
+                self.assertFalse(is_official_current_head(bad, HEAD))
+
+    def test_rejects_when_official_is_false(self):
+        for v in [False, None, 0, "false"]:
+            with self.subTest(v=v):
+                self.assertFalse(
+                    is_official_current_head(_review(official=v), HEAD)
+                )
+
+    def test_rejects_when_dismissed(self):
+        for v in [True, "true", 1]:
+            with self.subTest(v=v):
+                self.assertFalse(
+                    is_official_current_head(_review(dismissed=v), HEAD)
+                )
+
+    def test_rejects_when_stale(self):
+        for v in [True, "true", 1]:
+            with self.subTest(v=v):
+                self.assertFalse(
+                    is_official_current_head(_review(stale=v), HEAD)
+                )
+
+    def test_rejects_when_commit_id_missing(self):
+        """FAIL-CLOSED #1: missing commit_id is REJECTED.
+        This is the spoof signature that closed #843 (with CR2 + Researcher
+        both flagging it)."""
+        for bad in [None, "", 0, False, [], {}, ()]:
+            with self.subTest(commit_id=bad):
+                self.assertFalse(
+                    is_official_current_head(_review(commit_id=bad), HEAD),
+                    f"commit_id={bad!r} must reject (fail-closed)",
+                )
+
+    def test_rejects_when_commit_id_wrong_type(self):
+        for bad in [123, 1.5, True, ["abc"], {"sha": HEAD}, ("tuple",)]:
+            with self.subTest(commit_id=bad):
+                self.assertFalse(
+                    is_official_current_head(_review(commit_id=bad), HEAD)
+                )
+
+    def test_rejects_when_commit_id_stale(self):
+        """FAIL-CLOSED #2: present-but-wrong commit_id is REJECTED. Stale
+        reviews on a previous head cannot count."""
+        self.assertFalse(
+            is_official_current_head(_review(commit_id=OTHER_HEAD), HEAD)
+        )
+
+    def test_rejects_when_head_missing(self):
+        for bad in [None, "", 0, False]:
+            with self.subTest(head=bad):
+                self.assertFalse(
+                    is_official_current_head(_review(), bad)
+                )
+
+    def test_rejects_when_head_wrong_type(self):
+        self.assertFalse(is_official_current_head(_review(), 123))
+        self.assertFalse(is_official_current_head(_review(), ["x"]))
+
+
+# ---------------------------------------------------------------------------
+# is_genuine_approval
+# ---------------------------------------------------------------------------
+
+
+class IsGenuineApprovalContract(unittest.TestCase):
+    def test_accepts_canonical_approval(self):
+        self.assertTrue(
+            is_genuine_approval(_review(state="APPROVED"), headsha=HEAD)
+        )
+
+    def test_rejects_non_approved_states(self):
+        for state in ("REQUEST_CHANGES", "COMMENT", "PENDING", "DISMISSED", "approve", "", "bogus"):
+            with self.subTest(state=state):
+                self.assertFalse(
+                    is_genuine_approval(_review(state=state), headsha=HEAD)
+                )
+
+    def test_rejects_case_coerced_approved_states(self):
+        """EXACT-ENUM fail-closed (RCs 9849/9851/9852): Gitea always emits
+        the canonical UPPERCASE "APPROVED". A lowercase/mixed-case/padded
+        value is the signature of a forged row and MUST be rejected, not
+        coerced via .upper() into an accepted APPROVED. Each of these was
+        ACCEPTED before the exact-enum fix."""
+        for state in (
+            "approved", "Approved", "ApProVeD", "APPROVED ", " APPROVED",
+            "approved\n", "\tAPPROVED",
+        ):
+            with self.subTest(state=state):
+                self.assertFalse(
+                    is_genuine_approval(_review(state=state), headsha=HEAD),
+                    f"case-coerced/padded state {state!r} must NOT count as "
+                    "a genuine approval",
+                )
+
+    def test_rejects_non_official_approval(self):
+        """Comment-based / non-official 'APPROVED' is REJECTED.
+        PM: 'reject comment-based / non-official reviews'."""
+        self.assertFalse(
+            is_genuine_approval(
+                _review(state="APPROVED", official=False), headsha=HEAD
+            )
+        )
+
+    def test_rejects_dismissed_approval(self):
+        self.assertFalse(
+            is_genuine_approval(
+                _review(state="APPROVED", dismissed=True), headsha=HEAD
+            )
+        )
+
+    def test_rejects_stale_head_approval(self):
+        """commit_id != head is REJECTED. Stale-on-old-head approvals cannot
+        count, even if they were official and not dismissed."""
+        self.assertFalse(
+            is_genuine_approval(
+                _review(state="APPROVED", commit_id=OTHER_HEAD), headsha=HEAD
+            )
+        )
+
+    def test_rejects_missing_commit_id_approval(self):
+        """FAIL-CLOSED #3: the SEV-1 case. A APPROVED review with NO
+        commit_id is the spoof-bug signature. Reject."""
+        for bad in [None, "", 0, False]:
+            with self.subTest(commit_id=bad):
+                self.assertFalse(
+                    is_genuine_approval(
+                        _review(state="APPROVED", commit_id=bad), headsha=HEAD
+                    ),
+                    f"missing commit_id={bad!r} must reject",
+                )
+
+    def test_reviewer_set_filters_users(self):
+        self.assertTrue(
+            is_genuine_approval(
+                _review(user="alice"),
+                headsha=HEAD,
+                reviewer_set={"alice", "bob"},
+            )
+        )
+        self.assertFalse(
+            is_genuine_approval(
+                _review(user="carol"),
+                headsha=HEAD,
+                reviewer_set={"alice", "bob"},
+            )
+        )
+
+    def test_reviewer_set_none_skips_check(self):
+        # None means "no team filter at this layer" (e.g., review-check.sh
+        # applies its own team-membership probe separately).
+        self.assertTrue(
+            is_genuine_approval(
+                _review(user="anyone"),
+                headsha=HEAD,
+                reviewer_set=None,
+            )
+        )
+
+
+# ---------------------------------------------------------------------------
+# is_open_request_changes
+# ---------------------------------------------------------------------------
+
+
+class IsOpenRequestChangesContract(unittest.TestCase):
+    def test_accepts_canonical_request_changes(self):
+        self.assertTrue(
+            is_open_request_changes(
+                _review(state="REQUEST_CHANGES"), headsha=HEAD
+            )
+        )
+
+    def test_rejects_non_request_changes_states(self):
+        for state in ("APPROVED", "COMMENT", "PENDING", "DISMISSED"):
+            with self.subTest(state=state):
+                self.assertFalse(
+                    is_open_request_changes(
+                        _review(state=state), headsha=HEAD
+                    )
+                )
+
+    def test_rejects_case_coerced_request_changes_states(self):
+        """EXACT-ENUM fail-closed: a lowercase/mixed-case "request_changes"
+        must NOT be coerced into an open-block match. Before the exact-enum
+        fix, .upper() accepted these as REQUEST_CHANGES."""
+        for state in (
+            "request_changes", "Request_Changes", "REQUEST_CHANGES ",
+            " REQUEST_CHANGES", "request_changes\n",
+        ):
+            with self.subTest(state=state):
+                self.assertFalse(
+                    is_open_request_changes(
+                        _review(state=state), headsha=HEAD
+                    ),
+                    f"case-coerced/padded state {state!r} must NOT count as "
+                    "an open REQUEST_CHANGES",
+                )
+
+    def test_rejects_when_dismissed(self):
+        self.assertFalse(
+            is_open_request_changes(
+                _review(state="REQUEST_CHANGES", dismissed=True), headsha=HEAD
+            )
+        )
+
+    def test_rejects_when_stale_head(self):
+        self.assertFalse(
+            is_open_request_changes(
+                _review(state="REQUEST_CHANGES", commit_id=OTHER_HEAD),
+                headsha=HEAD,
+            )
+        )
+
+    def test_rejects_when_missing_commit_id(self):
+        for bad in [None, "", 0]:
+            with self.subTest(commit_id=bad):
+                self.assertFalse(
+                    is_open_request_changes(
+                        _review(state="REQUEST_CHANGES", commit_id=bad),
+                        headsha=HEAD,
+                    )
+                )
+
+
+# ---------------------------------------------------------------------------
+# classify_reviews — the merge-queue consumer
+# ---------------------------------------------------------------------------
+
+
+class ClassifyReviewsContract(unittest.TestCase):
+    def test_basic_approvers_and_request_changes(self):
+        reviews = [
+            _review(user="alice", state="APPROVED", commit_id=HEAD),
+            _review(user="bob", state="REQUEST_CHANGES", commit_id=HEAD),
+        ]
+        approvers, request_changes = classify_reviews(reviews, headsha=HEAD)
+        self.assertEqual(approvers, {"alice"})
+        self.assertEqual(request_changes, ["bob"])
+
+    def test_reviewer_set_filters_early(self):
+        reviews = [
+            _review(user="alice", state="APPROVED", commit_id=HEAD),
+            _review(user="carol", state="APPROVED", commit_id=HEAD),
+        ]
+        approvers, _ = classify_reviews(
+            reviews, headsha=HEAD, reviewer_set={"alice"}
+        )
+        self.assertEqual(approvers, {"alice"})
+
+    def test_latest_review_per_user_wins(self):
+        # alice's REQUEST_CHANGES (latest) supersedes her earlier APPROVED.
+        reviews = [
+            _review(user="alice", state="APPROVED", commit_id=HEAD),
+            _review(user="alice", state="REQUEST_CHANGES", commit_id=HEAD),
+        ]
+        approvers, request_changes = classify_reviews(reviews, headsha=HEAD)
+        self.assertNotIn("alice", approvers)
+        self.assertIn("alice", request_changes)
+
+    def test_stale_head_approval_excluded(self):
+        reviews = [
+            _review(user="alice", state="APPROVED", commit_id=OTHER_HEAD),
+        ]
+        approvers, _ = classify_reviews(reviews, headsha=HEAD)
+        self.assertEqual(approvers, set())
+
+    def test_missing_commit_id_approval_excluded(self):
+        """The SEV-1 fail-open surface. APPROVED + no commit_id → must NOT
+        count toward approvers, even with stale=False/dismissed=False."""
+        reviews = [
+            _review(user="alice", state="APPROVED", commit_id=None),
+            _review(user="bob", state="APPROVED", commit_id=""),
+        ]
+        approvers, _ = classify_reviews(reviews, headsha=HEAD)
+        self.assertEqual(approvers, set())
+
+    def test_dismissed_approval_excluded(self):
+        reviews = [
+            _review(user="alice", state="APPROVED", dismissed=True, commit_id=HEAD),
+        ]
+        approvers, _ = classify_reviews(reviews, headsha=HEAD)
+        self.assertEqual(approvers, set())
+
+    def test_non_official_approval_excluded(self):
+        reviews = [
+            _review(user="alice", state="APPROVED", official=False, commit_id=HEAD),
+        ]
+        approvers, _ = classify_reviews(reviews, headsha=HEAD)
+        self.assertEqual(approvers, set())
+
+    def test_comment_state_excluded(self):
+        reviews = [
+            _review(user="alice", state="COMMENT", commit_id=HEAD),
+        ]
+        approvers, _ = classify_reviews(reviews, headsha=HEAD)
+        self.assertEqual(approvers, set())
+
+    def test_case_coerced_approved_not_counted(self):
+        """EXACT-ENUM via the reducer: a lowercase 'approved' (otherwise
+        valid official current-head row) must NOT be counted as an approver.
+        Before the fix, classify_reviews coerced it via .upper()."""
+        for state in ("approved", "Approved", "APPROVED "):
+            with self.subTest(state=state):
+                reviews = [
+                    _review(user="alice", state=state, commit_id=HEAD),
+                ]
+                approvers, request_changes = classify_reviews(
+                    reviews, headsha=HEAD
+                )
+                self.assertEqual(approvers, set())
+                self.assertEqual(request_changes, [])
+
+    def test_case_coerced_request_changes_not_silently_dropped(self):
+        """EXACT-ENUM via the reducer: a lowercase 'request_changes' must be
+        rejected (not coerced into a block). Crucially, it must NOT silently
+        erase a SAME-USER genuine current-head REQUEST_CHANGES posted
+        earlier — the case-variant later row is invalid and is ignored, so
+        the genuine block stands."""
+        reviews = [
+            _review(user="bob", state="REQUEST_CHANGES", commit_id=HEAD),
+            _review(user="bob", state="request_changes", commit_id=HEAD),
+        ]
+        approvers, request_changes = classify_reviews(reviews, headsha=HEAD)
+        self.assertIn("bob", request_changes)
+        self.assertNotIn("bob", approvers)
+
+    def test_stale_head_request_changes_excluded(self):
+        # A REQUEST_CHANGES on a previous head must NOT block the current head.
+        reviews = [
+            _review(user="bob", state="REQUEST_CHANGES", commit_id=OTHER_HEAD),
+        ]
+        _, request_changes = classify_reviews(reviews, headsha=HEAD)
+        self.assertEqual(request_changes, [])
+
+    # -----------------------------------------------------------------
+    # VALIDATE-BEFORE-REDUCE regression tests (SEV-1 internal#812 follow-up).
+    #
+    # The bug: classify_reviews reduced to the LATEST row per user FIRST and
+    # validated AFTER. A later INVALID row (a COMMENT, or APPROVED/
+    # REQUEST_CHANGES with a null/old commit_id) from the same user could
+    # overwrite a genuine current-head review — masking an approval or
+    # ERASING a REQUEST_CHANGES block. The fix validates before the reduce,
+    # so an invalid later row is never eligible to be a user's "latest".
+    # -----------------------------------------------------------------
+
+    def test_genuine_approval_not_masked_by_later_comment(self):
+        """A genuine current-head APPROVED followed by a LATER COMMENT from
+        the SAME user must STILL count as an approval. A later non-
+        APPROVED/RC row (COMMENT) must not erase the approval. This is the
+        reduce-before-validate masking bug."""
+        reviews = [
+            _review(user="alice", state="APPROVED", commit_id=HEAD),
+            _review(user="alice", state="COMMENT", commit_id=HEAD),
+        ]
+        approvers, request_changes = classify_reviews(reviews, headsha=HEAD)
+        self.assertIn("alice", approvers)
+        self.assertEqual(request_changes, [])
+
+    def test_genuine_approval_not_masked_by_later_null_commit_id(self):
+        """A genuine current-head APPROVED followed by a LATER APPROVED with
+        a null commit_id (the spoof/invalid signature) from the SAME user
+        must STILL count. The invalid later row must be ignored, not allowed
+        to overwrite the valid earlier approval."""
+        for bad in [None, ""]:
+            with self.subTest(commit_id=bad):
+                reviews = [
+                    _review(user="alice", state="APPROVED", commit_id=HEAD),
+                    _review(user="alice", state="APPROVED", commit_id=bad),
+                ]
+                approvers, _ = classify_reviews(reviews, headsha=HEAD)
+                self.assertIn(
+                    "alice", approvers,
+                    f"later invalid commit_id={bad!r} must not mask the "
+                    "genuine current-head approval",
+                )
+
+    def test_genuine_approval_not_masked_by_later_stale_commit_id(self):
+        """A genuine current-head APPROVED followed by a LATER APPROVED on a
+        STALE (old) head from the SAME user must STILL count toward
+        approvers — the stale later row is invalid and must be ignored."""
+        reviews = [
+            _review(user="alice", state="APPROVED", commit_id=HEAD),
+            _review(user="alice", state="APPROVED", commit_id=OTHER_HEAD),
+        ]
+        approvers, _ = classify_reviews(reviews, headsha=HEAD)
+        self.assertIn("alice", approvers)
+
+    def test_request_changes_not_erased_by_later_comment(self):
+        """A genuine current-head REQUEST_CHANGES followed by a LATER COMMENT
+        from the SAME user must STILL block. The later invalid row must not
+        erase the REQUEST_CHANGES — this is the worse, silently-evaporating-
+        block variant of the bug."""
+        reviews = [
+            _review(user="bob", state="REQUEST_CHANGES", commit_id=HEAD),
+            _review(user="bob", state="COMMENT", commit_id=HEAD),
+        ]
+        approvers, request_changes = classify_reviews(reviews, headsha=HEAD)
+        self.assertIn("bob", request_changes)
+        self.assertNotIn("bob", approvers)
+
+    def test_request_changes_not_erased_by_later_null_commit_id(self):
+        """A genuine current-head REQUEST_CHANGES followed by a LATER
+        REQUEST_CHANGES with a null/old commit_id from the SAME user must
+        STILL block. The invalid later row must be ignored, not allowed to
+        relocate the user's verdict off the current head."""
+        for bad in [None, "", OTHER_HEAD]:
+            with self.subTest(commit_id=bad):
+                reviews = [
+                    _review(user="bob", state="REQUEST_CHANGES", commit_id=HEAD),
+                    _review(user="bob", state="REQUEST_CHANGES", commit_id=bad),
+                ]
+                _, request_changes = classify_reviews(reviews, headsha=HEAD)
+                self.assertIn(
+                    "bob", request_changes,
+                    f"later invalid commit_id={bad!r} must not erase the "
+                    "genuine current-head REQUEST_CHANGES block",
+                )
+
+    def test_request_changes_not_erased_by_later_approved_invalid(self):
+        """A genuine current-head REQUEST_CHANGES followed by a LATER
+        INVALID APPROVED (null commit_id) from the SAME user must STILL
+        block AND must NOT count the user as an approver. The invalid
+        approval must not flip a real block into a pass."""
+        reviews = [
+            _review(user="bob", state="REQUEST_CHANGES", commit_id=HEAD),
+            _review(user="bob", state="APPROVED", commit_id=None),
+        ]
+        approvers, request_changes = classify_reviews(reviews, headsha=HEAD)
+        self.assertIn("bob", request_changes)
+        self.assertNotIn("bob", approvers)
+
+    def test_genuine_request_changes_still_supersedes_genuine_approval(self):
+        """Sanity: a genuine LATER current-head REQUEST_CHANGES still
+        supersedes an earlier genuine APPROVED from the same user (the
+        valid-row supersession we MUST preserve — only INVALID later rows
+        are ignored). Guards against an over-correction that ignores all
+        later rows."""
+        reviews = [
+            _review(user="alice", state="APPROVED", commit_id=HEAD),
+            _review(user="alice", state="REQUEST_CHANGES", commit_id=HEAD),
+        ]
+        approvers, request_changes = classify_reviews(reviews, headsha=HEAD)
+        self.assertNotIn("alice", approvers)
+        self.assertIn("alice", request_changes)
+
+    def test_genuine_approval_still_supersedes_genuine_request_changes(self):
+        """Sanity: a genuine LATER current-head APPROVED supersedes an
+        earlier genuine REQUEST_CHANGES from the same user."""
+        reviews = [
+            _review(user="alice", state="REQUEST_CHANGES", commit_id=HEAD),
+            _review(user="alice", state="APPROVED", commit_id=HEAD),
+        ]
+        approvers, request_changes = classify_reviews(reviews, headsha=HEAD)
+        self.assertIn("alice", approvers)
+        self.assertEqual(request_changes, [])
+
+    def test_two_valid_approvers_plus_one_invalid_later_row(self):
+        """Two distinct users with valid current-head approvals + a third
+        user whose ONLY genuine approval is followed by an invalid later
+        row → all three real approvers are counted; the invalid later row
+        does not drop the third user."""
+        reviews = [
+            _review(user="alice", state="APPROVED", commit_id=HEAD),
+            _review(user="bob", state="APPROVED", commit_id=HEAD),
+            _review(user="carol", state="APPROVED", commit_id=HEAD),
+            _review(user="carol", state="COMMENT", commit_id=HEAD),
+        ]
+        approvers, request_changes = classify_reviews(reviews, headsha=HEAD)
+        self.assertEqual(approvers, {"alice", "bob", "carol"})
+        self.assertEqual(request_changes, [])
+
+
+# ---------------------------------------------------------------------------
+# Mutation-resistance smoke checks
+#
+# These tests document the mutations a reviewer would have to apply to
+# weaken the gate. They are not synthetic; they verify that the
+# predicate is structured so each known-softening mutation would also
+# fail at least one other test in this file. We can't actually mutate
+# the source in CI, but these tests are explicit about the mutations
+# that would slip through, and the suite is dense enough that any
+# loosening of the predicate will fail multiple cases.
+# ---------------------------------------------------------------------------
+
+
+class MutationResistance(unittest.TestCase):
+    def test_documented_mutation_remove_commit_id_check_fails(self):
+        """If a reviewer removes the commit_id check (e.g., reverts to
+        the pre-fix `if isinstance(commit_id, str) and commit_id and
+        headsha:` guard, or replaces `commit_id != headsha` with True),
+        the missing-commit_id tests above (test_rejects_when_commit_id_missing
+        in IsOfficialCurrentHeadFailClosed, test_rejects_missing_commit_id_approval
+        in IsGenuineApprovalContract, test_missing_commit_id_approval_excluded
+        in ClassifyReviewsContract) would all fail. The reviewer would have
+        to weaken all three test categories to slip the SEV-1 surface in."""
+        # Sanity: every missing-commit_id case is a False today.
+        for bad in [None, "", 0, False]:
+            with self.subTest(commit_id=bad):
+                self.assertFalse(
+                    is_official_current_head(_review(commit_id=bad), HEAD)
+                )
+                self.assertFalse(
+                    is_genuine_approval(
+                        _review(commit_id=bad), headsha=HEAD
+                    )
+                )
+
+    def test_documented_mutation_change_neq_to_eq_fails(self):
+        """If a reviewer changes `commit_id != headsha` to `commit_id == headsha`
+        in the head comparison (inverting the check), the stale-head tests
+        (test_rejects_when_commit_id_stale, test_stale_head_approval_excluded)
+        would fail because the wrong head would now match."""
+        self.assertFalse(
+            is_official_current_head(_review(commit_id=OTHER_HEAD), HEAD)
+        )
+
+    def test_documented_mutation_drop_official_check_fails(self):
+        """If a reviewer drops the `if not review.get('official')` check, the
+        non-official tests (test_rejects_when_official_is_false,
+        test_rejects_non_official_approval, test_non_official_approval_excluded)
+        would all fail."""
+        self.assertFalse(
+            is_genuine_approval(
+                _review(state="APPROVED", official=False), headsha=HEAD
+            )
+        )
+
+
+if __name__ == "__main__":
+    unittest.main()
@@ -115,5 +115,79 @@ T16=$(validate_required_checks_json "main" '{"main":"CI / all-required"}')
 [ "$T16" = "false" ] || fail "T16: string branch entry should fail"
 pass "T16: string branch entry fails"

+# ---------------------------------------------------------------------------
+# T17+ — /statuses pagination (status-pagination RCA, #2440-family).
+# The reader now pages /commits/{sha}/statuses to exhaustion instead of reading
+# the capped combined /status view. These lock the page-accumulation,
+# newest-wins collapse, short-page stop, and fail-closed contracts.
+# ---------------------------------------------------------------------------
+
+# Page-body type validator used per page (bare array, not an object).
+validate_page_is_array() { jq -e 'type == "array"' >/dev/null 2>&1 && echo true || echo false; }
+
+# newest-wins collapse: mirror the script's max-by-id jq (order-independent).
+collapse_newest_per_context() {
+  declare -A CS
+  while IFS=$'\t' read -r ctx state; do
+    [ -n "$ctx" ] && CS[$ctx]="$state"
+  done < <(jq -r 'group_by(.context) | map(max_by(.id)) | .[] | "\(.context)\t\(.status)"')
+  state="${CS[CI / all-required (push)]:-missing}"
+  echo "$state"
+}
+
+# T17 — a bare JSON array page passes the per-page array check.
+T17=$(echo '[{"context":"c1","status":"success"}]' | validate_page_is_array)
+[ "$T17" = "true" ] || fail "T17: bare array page should pass array check"
+pass "T17: bare array page passes array check"
+
+# T18 — a non-array page (object) fails the per-page array check → fail-closed.
+T18=$(echo '{"statuses":[]}' | validate_page_is_array)
+[ "$T18" = "false" ] || fail "T18: object page should fail array check (fail-closed)"
+pass "T18: object page fails array check (fail-closed)"
+
+# T19 — required SUCCESS on PAGE 2 is FOUND after accumulation (not missing).
+#   page1: 100 noise rows (older ids); page2: the required-context success.
+PAGE1=$(jq -nc '[range(0;100) | {id:., context:("noise-\(.) (push)"), status:"pending"}]')
+PAGE2='[{"id":200,"context":"CI / all-required (push)","status":"success"}]'
+# Accumulation matching the script: two-arg `jq -s '.[0] + .[1]'` over the
+# running accumulator and the new page.
+ACCUM=$(jq -s '.[0] + .[1]' <(echo "$PAGE1") <(echo "$PAGE2"))
+LEN=$(echo "$ACCUM" | jq 'length')
+[ "$LEN" = "101" ] || fail "T19: accumulated length should be 101, got $LEN"
+RESULT=$(echo "$ACCUM" | collapse_newest_per_context)
+[ "$RESULT" = "success" ] || fail "T19: required success on page2 must be FOUND, got '$RESULT'"
+pass "T19: required success on page2 is found after pagination"
+
+# T20 — genuinely-absent required context across all pages stays 'missing'
+#       → fail-closed (counted as not-green, flags the force-merge).
+ABSENT=$(jq -nc '[range(0;100) | {id:., context:("noise-\(.) (push)"), status:"success"}]')
+RESULT2=$(echo "$ABSENT" | collapse_newest_per_context)
+[ "$RESULT2" = "missing" ] || fail "T20: absent required context must stay 'missing', got '$RESULT2'"
+pass "T20: genuinely-absent required context stays missing (fail-closed)"
+
+# T21 — non-monotonic order: newest id (157, neither first nor last in list)
+#       a NEWER success row (oldest-first append → last overwrite wins).
+DUP='[{"id":155,"context":"CI / all-required (push)","status":"pending"},
+      {"id":157,"context":"CI / all-required (push)","status":"success"},
+      {"id":125,"context":"CI / all-required (push)","status":"failure"}]'
+RESULT3=$(echo "$DUP" | collapse_newest_per_context)
+[ "$RESULT3" = "success" ] || fail "T21: newest (success) must win over older (failure), got '$RESULT3'"
+pass "T21: newest row per context wins after pagination collapse"
+
+# T22 — short-page stop condition: a page with fewer than PER_PAGE rows ends
+#       the loop. Emulate the numeric comparison the script uses.
+PER_PAGE=100
+PAGE_COUNT=$(echo "$PAGE2" | jq 'length')   # 1 row
+if [ "$PAGE_COUNT" -lt "$PER_PAGE" ]; then SHORT=stop; else SHORT=continue; fi
+[ "$SHORT" = "stop" ] || fail "T22: short page should stop pagination"
+pass "T22: short page stops pagination loop"
+
+# T23 — a full page (== PER_PAGE) continues the loop.
+FULL=$(jq -nc '[range(0;100) | {id:., context:"x", status:"success"}]')
+FULL_COUNT=$(echo "$FULL" | jq 'length')
+if [ "$FULL_COUNT" -lt "$PER_PAGE" ]; then CONT=stop; else CONT=continue; fi
+[ "$CONT" = "continue" ] || fail "T23: full page should continue pagination"
+pass "T23: full page continues pagination loop"
+
 echo
 echo "ALL AUDIT-FORCE-MERGE CHECKS PASSED"
@@ -50,15 +50,15 @@ class TestQaReviewDirectTrigger:
            "pull_request_review must include 'submitted' type"
        )

-    def test_job_guard_requires_approved_state(self):
+    def test_job_guard_has_no_review_state_check(self):
        wf = load_workflow("qa-review.yml")
        guard = _job_guard_string(wf)
-        assert "github.event.review.state == 'APPROVED'" in guard, (
-            "job guard must check review.state for 'APPROVED'"
-        )
-        assert "github.event.review.state == 'approved'" in guard, (
-            "job guard must check review.state for 'approved' (case fallback per #2135)"
+        assert "github.event.review.state" not in guard, (
+            "job guard must NOT check review.state (#2159: Gitea 1.22.6 payload unreliable); "
+            "evaluator (review-check.sh) verifies actual APPROVE via API"
        )
+        assert "github.event_name == 'pull_request_target'" in guard
+        assert "github.event_name == 'pull_request_review'" in guard

    def test_post_step_uses_status_post_token(self):
        wf = load_workflow("qa-review.yml")
@@ -91,15 +91,15 @@ class TestSecurityReviewDirectTrigger:
            "pull_request_review must include 'submitted' type"
        )

-    def test_job_guard_requires_approved_state(self):
+    def test_job_guard_has_no_review_state_check(self):
        wf = load_workflow("security-review.yml")
        guard = _job_guard_string(wf)
-        assert "github.event.review.state == 'APPROVED'" in guard, (
-            "job guard must check review.state for 'APPROVED'"
-        )
-        assert "github.event.review.state == 'approved'" in guard, (
-            "job guard must check review.state for 'approved' (case fallback per #2135)"
+        assert "github.event.review.state" not in guard, (
+            "job guard must NOT check review.state (#2159: Gitea 1.22.6 payload unreliable); "
+            "evaluator (review-check.sh) verifies actual APPROVE via API"
        )
+        assert "github.event_name == 'pull_request_target'" in guard
+        assert "github.event_name == 'pull_request_review'" in guard

    def test_post_step_uses_status_post_token(self):
        wf = load_workflow("security-review.yml")
@@ -153,7 +153,7 @@ class TestRefireTokenSeparation:
            "qa refire must receive STATUS_POST_TOKEN env var"
        )
        # Evaluator stays on read token
-        assert "SOP_TIER_CHECK_TOKEN" in env.get("GITEA_TOKEN", "") or "GITHUB_TOKEN" in env.get("GITEA_TOKEN", ""), (
+        assert "SOP_CHECKLIST_GATE_TOKEN" in env.get("GITEA_TOKEN", "") or "GITHUB_TOKEN" in env.get("GITEA_TOKEN", ""), (
            "qa refire evaluator must stay on read-scoped token"
        )

@@ -163,6 +163,6 @@ class TestRefireTokenSeparation:
        assert env.get("STATUS_POST_TOKEN") == "${{ secrets.STATUS_POST_TOKEN }}", (
            "security refire must receive STATUS_POST_TOKEN env var"
        )
-        assert "SOP_TIER_CHECK_TOKEN" in env.get("GITEA_TOKEN", "") or "GITHUB_TOKEN" in env.get("GITEA_TOKEN", ""), (
+        assert "SOP_CHECKLIST_GATE_TOKEN" in env.get("GITEA_TOKEN", "") or "GITHUB_TOKEN" in env.get("GITEA_TOKEN", ""), (
            "security refire evaluator must stay on read-scoped token"
        )
@@ -14,49 +14,49 @@ spec.loader.exec_module(mq)
 def test_latest_statuses_dedupes_by_context_newest_first():
    statuses = [
        {"context": "CI / all-required (pull_request)", "status": "failure"},
-        {"context": "sop-checklist / all-items-acked (pull_request)", "state": "success"},
+        {"context": "sop-checklist / all-items-acked (pull_request_target)", "state": "success"},
        {"context": "CI / all-required (pull_request)", "status": "success"},
    ]

    latest = mq.latest_statuses_by_context(statuses)

    assert latest["CI / all-required (pull_request)"]["status"] == "failure"
-    assert latest["sop-checklist / all-items-acked (pull_request)"]["state"] == "success"
+    assert latest["sop-checklist / all-items-acked (pull_request_target)"]["state"] == "success"


 def test_required_contexts_green_rejects_missing_and_pending():
    latest = mq.latest_statuses_by_context([
        {"context": "CI / all-required (pull_request)", "status": "success"},
-        {"context": "sop-checklist / all-items-acked (pull_request)", "status": "pending"},
+        {"context": "sop-checklist / all-items-acked (pull_request_target)", "status": "pending"},
    ])

    ok, missing_or_bad = mq.required_contexts_green(
        latest,
        [
            "CI / all-required (pull_request)",
-            "sop-checklist / all-items-acked (pull_request)",
-            "qa-review / approved (pull_request)",
+            "sop-checklist / all-items-acked (pull_request_target)",
+            "qa-review / approved (pull_request_target)",
        ],
    )

    assert ok is False
    assert missing_or_bad == [
-        "sop-checklist / all-items-acked (pull_request)=pending",
-        "qa-review / approved (pull_request)=missing",
+        "sop-checklist / all-items-acked (pull_request_target)=pending",
+        "qa-review / approved (pull_request_target)=missing",
    ]


-def test_required_contexts_green_rejects_volume_skipped_even_for_tier_low():
+def test_required_contexts_green_rejects_volume_skipped():
    """volume-skipped pending is a partial view, not a genuine soft-fail.

    Per sop-checklist.py:1179-1187, volume_skipped posts pending with a
    '[volume-skipped]' prefix. The merge queue must NOT treat this as an
-    acceptable soft-fail for tier:low — the gate did not finish evaluating.
+    acceptable soft-fail — the gate did not finish evaluating.
    """
    latest = mq.latest_statuses_by_context([
        {"context": "CI / all-required (pull_request)", "status": "success"},
        {
-            "context": "sop-checklist / all-items-acked (pull_request)",
+            "context": "sop-checklist / all-items-acked (pull_request_target)",
            "status": "pending",
            "description": "[volume-skipped] comment-cap=1000 hit; please file ...",
        },
@@ -66,13 +66,12 @@ def test_required_contexts_green_rejects_volume_skipped_even_for_tier_low():
        latest,
        [
            "CI / all-required (pull_request)",
-            "sop-checklist / all-items-acked (pull_request)",
+            "sop-checklist / all-items-acked (pull_request_target)",
        ],
-        pr_labels={"tier:low"},
    )

    assert ok is False
-    assert "sop-checklist / all-items-acked (pull_request)=pending" in missing_or_bad
+    assert "sop-checklist / all-items-acked (pull_request_target)=pending" in missing_or_bad


 def test_choose_next_pr_sorts_by_queue_label_timestamp_then_number():
@@ -114,7 +113,13 @@ def test_pr_needs_update_when_base_sha_absent_from_commits():


 def _ready_kwargs(**overrides):
-    """Default kwargs for a fully-ready merge; override per test."""
+    """Default kwargs for a fully-ready merge; override per test.
+
+    Includes the uniform governance checks (qa-review, security-review,
+    sop-checklist) as required contexts and green statuses, matching the
+    behaviour of process_once which merges GOVERNANCE_REQUIRED_CONTEXTS
+    with branch-protection contexts.
+    """
    base = dict(
        main_status={
            "state": "success",
@@ -122,9 +127,19 @@ def _ready_kwargs(**overrides):
        },
        pr_status={
            "state": "success",
-            "statuses": [{"context": "CI / all-required (pull_request)", "status": "success"}],
+            "statuses": [
+                {"context": "CI / all-required (pull_request)", "status": "success"},
+                {"context": "qa-review / approved (pull_request_target)", "status": "success"},
+                {"context": "security-review / approved (pull_request_target)", "status": "success"},
+                {"context": "sop-checklist / all-items-acked (pull_request_target)", "status": "success"},
+            ],
        },
-        required_contexts=["CI / all-required (pull_request)"],
+        required_contexts=[
+            "CI / all-required (pull_request)",
+            "qa-review / approved (pull_request_target)",
+            "security-review / approved (pull_request_target)",
+            "sop-checklist / all-items-acked (pull_request_target)",
+        ],
        required_approvals=2,
        approvers={"agent-reviewer-cr2", "agent-researcher"},
        request_changes=[],
@@ -233,7 +248,7 @@ def test_genuine_approvals_counts_two_distinct_on_current_head():
        {"state": "APPROVED", "user": {"login": "agent-reviewer-cr2"},
         "official": True, "stale": False, "dismissed": False, "commit_id": "HEAD"},
    ]
-    approvers, rc = mq.genuine_approvals(reviews, head_sha="HEAD", reviewer_set=REVIEWERS)
+    approvers, rc = mq.genuine_approvals(reviews, headsha="HEAD", reviewer_set=REVIEWERS)
    assert approvers == {"agent-researcher", "agent-reviewer-cr2"}
    assert rc == []

@@ -250,7 +265,7 @@ def test_genuine_approvals_ignores_stale_dismissed_and_wrong_head():
        {"state": "APPROVED", "user": {"login": "agent-reviewer"},
         "official": True, "stale": False, "dismissed": False, "commit_id": "OLD"},
    ]
-    approvers, rc = mq.genuine_approvals(reviews, head_sha="HEAD", reviewer_set=REVIEWERS)
+    approvers, rc = mq.genuine_approvals(reviews, headsha="HEAD", reviewer_set=REVIEWERS)
    assert approvers == set()
    assert rc == []

@@ -264,7 +279,7 @@ def test_genuine_approvals_ignores_unofficial_and_outsiders():
        {"state": "APPROVED", "user": {"login": "hongming-codex-laptop"},
         "official": True, "stale": False, "dismissed": False, "commit_id": "HEAD"},
    ]
-    approvers, rc = mq.genuine_approvals(reviews, head_sha="HEAD", reviewer_set=REVIEWERS)
+    approvers, rc = mq.genuine_approvals(reviews, headsha="HEAD", reviewer_set=REVIEWERS)
    assert approvers == set()


@@ -276,7 +291,7 @@ def test_genuine_approvals_latest_review_supersedes_earlier():
        {"state": "REQUEST_CHANGES", "user": {"login": "agent-reviewer-cr2"},
         "official": True, "stale": False, "dismissed": False, "commit_id": "HEAD"},
    ]
-    approvers, rc = mq.genuine_approvals(reviews, head_sha="HEAD", reviewer_set=REVIEWERS)
+    approvers, rc = mq.genuine_approvals(reviews, headsha="HEAD", reviewer_set=REVIEWERS)
    assert approvers == set()
    assert rc == ["agent-reviewer-cr2"]

@@ -299,16 +314,56 @@ def test_merge_blocked_when_insufficient_genuine_approvals():
    assert "insufficient genuine approvals" in decision.reason


-def test_non_required_red_does_not_block_merge():
-    # Required (CI) green; non-required governance reds present → still merge,
-    # and force is set so force_merge bypasses ONLY those non-required reds.
+def test_governance_red_blocks_merge():
+    # Uniform gate: qa-review, security-review, sop-checklist are ALWAYS
+    # required. If any of them fail/pending, the PR is blocked.
    pr_status = {
-        "state": "failure",  # combined polluted by non-required reds
+        "state": "failure",
+        "statuses": [
+            {"context": "CI / all-required (pull_request)", "status": "success"},
+            {"context": "qa-review / approved (pull_request_target)", "status": "failure"},
+            {"context": "security-review / approved (pull_request_target)", "status": "pending"},
+            {"context": "sop-checklist / all-items-acked (pull_request_target)", "status": "failure"},
+            {"context": "Staging SaaS / e2e (pull_request)", "status": "failure"},
+        ],
+    }
+    decision = mq.evaluate_merge_readiness(**_ready_kwargs(pr_status=pr_status))
+    assert decision.ready is False
+    assert decision.action == "wait"
+    assert "required contexts not green" in decision.reason
+
+
+def test_non_required_red_does_not_block_merge():
+    # Uniform gate flip (CTO #2407): qa-review, security-review, sop-checklist
+    # are REQUIRED for ALL PRs. A PR with these failing/pending must NOT be
+    # force-mergeable, even if BP-required CI is green and approvals are genuine.
+    pr_status = {
+        "state": "failure",
        "statuses": [
            {"context": "CI / all-required (pull_request)", "status": "success"},
            {"context": "qa-review / approved (pull_request)", "status": "failure"},
            {"context": "security-review / approved (pull_request)", "status": "pending"},
-            {"context": "sop-tier-check / tier-check (pull_request)", "status": "failure"},
+            {"context": "sop-checklist / all-items-acked (pull_request)", "status": "failure"},
+            {"context": "Staging SaaS / e2e (pull_request)", "status": "failure"},
+        ],
+    }
+    decision = mq.evaluate_merge_readiness(**_ready_kwargs(pr_status=pr_status))
+    assert decision.ready is False
+    assert decision.action == "wait"
+    assert "required contexts not green" in decision.reason
+    assert decision.force is False
+
+
+def test_non_required_advisory_red_does_not_block_merge():
+    # Governance checks are green; only advisory non-required reds (Staging SaaS)
+    # are present → PR is still mergeable with force_merge bypassing the advisory.
+    pr_status = {
+        "state": "failure",  # combined polluted by advisory non-required reds
+        "statuses": [
+            {"context": "CI / all-required (pull_request)", "status": "success"},
+            {"context": "qa-review / approved (pull_request_target)", "status": "success"},
+            {"context": "security-review / approved (pull_request_target)", "status": "success"},
+            {"context": "sop-checklist / all-items-acked (pull_request_target)", "status": "success"},
            {"context": "Staging SaaS / e2e (pull_request)", "status": "failure"},
        ],
    }
@@ -412,8 +467,14 @@ def test_process_once_holds_pr_on_permanent_merge_error(monkeypatch):
    monkeypatch.setattr(mq, "get_branch_head", lambda branch: main_sha)

    def fake_combined(sha):
-        ctx = "CI / all-required (push)" if sha == main_sha else "CI / all-required (pull_request)"
-        return {"state": "success", "statuses": [{"context": ctx, "status": "success"}]}
+        if sha == main_sha:
+            return {"state": "success", "statuses": [{"context": "CI / all-required (push)", "status": "success"}]}
+        return {"state": "success", "statuses": [
+            {"context": "CI / all-required (pull_request)", "status": "success"},
+            {"context": "qa-review / approved (pull_request_target)", "status": "success"},
+            {"context": "security-review / approved (pull_request_target)", "status": "success"},
+            {"context": "sop-checklist / all-items-acked (pull_request_target)", "status": "success"},
+        ]}
    monkeypatch.setattr(mq, "get_combined_status", fake_combined)

    monkeypatch.setattr(mq, "list_candidate_issues", lambda *, auto_discover: [
@@ -479,8 +540,14 @@ def _fully_ready_process_once_monkeypatch(monkeypatch, mergeable, calls):
    monkeypatch.setattr(mq, "get_branch_head", lambda branch: main_sha)

    def fake_combined(sha):
-        ctx = "CI / all-required (push)" if sha == main_sha else "CI / all-required (pull_request)"
-        return {"state": "success", "statuses": [{"context": ctx, "status": "success"}]}
+        if sha == main_sha:
+            return {"state": "success", "statuses": [{"context": "CI / all-required (push)", "status": "success"}]}
+        return {"state": "success", "statuses": [
+            {"context": "CI / all-required (pull_request)", "status": "success"},
+            {"context": "qa-review / approved (pull_request_target)", "status": "success"},
+            {"context": "security-review / approved (pull_request_target)", "status": "success"},
+            {"context": "sop-checklist / all-items-acked (pull_request_target)", "status": "success"},
+        ]}
    monkeypatch.setattr(mq, "get_combined_status", fake_combined)

    monkeypatch.setattr(mq, "list_candidate_issues", lambda *, auto_discover: [
@@ -884,8 +951,14 @@ def _stale_pr_update_409_monkeypatch(monkeypatch, queued_issues, calls):
    monkeypatch.setattr(mq, "get_branch_head", lambda branch: main_sha)

    def fake_combined(sha):
-        ctx = "CI / all-required (push)" if sha == main_sha else "CI / all-required (pull_request)"
-        return {"state": "success", "statuses": [{"context": ctx, "status": "success"}]}
+        if sha == main_sha:
+            return {"state": "success", "statuses": [{"context": "CI / all-required (push)", "status": "success"}]}
+        return {"state": "success", "statuses": [
+            {"context": "CI / all-required (pull_request)", "status": "success"},
+            {"context": "qa-review / approved (pull_request_target)", "status": "success"},
+            {"context": "security-review / approved (pull_request_target)", "status": "success"},
+            {"context": "sop-checklist / all-items-acked (pull_request_target)", "status": "success"},
+        ]}
    monkeypatch.setattr(mq, "get_combined_status", fake_combined)

    # Scan-loop process_once enumerates candidates via list_candidate_issues.
@@ -1130,7 +1203,7 @@ def test_list_candidate_issues_omits_label_filter_when_auto_discover(monkeypatch
    assert captured["query"].get("type") == "pulls"

    mq.list_candidate_issues(auto_discover=False)
-    assert captured["query"].get("labels") == "merge-queue"
+    assert captured["query"].get("label") == "merge-queue"


 def _wire_ready_process_once(monkeypatch, *, issues, pr_payload, calls):
@@ -1153,8 +1226,16 @@ def _wire_ready_process_once(monkeypatch, *, issues, pr_payload, calls):
    monkeypatch.setattr(mq, "get_branch_head", lambda branch: main_sha)

    def fake_combined(sha):
-        ctx = "CI / all-required (push)" if sha == main_sha else "CI / all-required (pull_request)"
-        return {"state": "success", "statuses": [{"context": ctx, "status": "success"}]}
+        if sha == main_sha:
+            return {"state": "success", "statuses": [
+                {"context": "CI / all-required (push)", "status": "success"},
+            ]}
+        return {"state": "success", "statuses": [
+            {"context": "CI / all-required (pull_request)", "status": "success"},
+            {"context": "qa-review / approved (pull_request_target)", "status": "success"},
+            {"context": "security-review / approved (pull_request_target)", "status": "success"},
+            {"context": "sop-checklist / all-items-acked (pull_request_target)", "status": "success"},
+        ]}
    monkeypatch.setattr(mq, "get_combined_status", fake_combined)
    monkeypatch.setattr(mq, "list_candidate_issues", lambda *, auto_discover: issues)
    monkeypatch.setattr(mq, "get_pull", lambda n: dict(pr_payload, number=n))
@@ -1335,8 +1416,14 @@ def _wire_multi_candidate_process_once(monkeypatch, *, issues, pulls, reviews, c
    monkeypatch.setattr(mq, "get_branch_head", lambda branch: MAIN_SHA)

    def fake_combined(sha):
-        ctx = "CI / all-required (push)" if sha == MAIN_SHA else "CI / all-required (pull_request)"
-        return {"state": "success", "statuses": [{"context": ctx, "status": "success"}]}
+        if sha == MAIN_SHA:
+            return {"state": "success", "statuses": [{"context": "CI / all-required (push)", "status": "success"}]}
+        return {"state": "success", "statuses": [
+            {"context": "CI / all-required (pull_request)", "status": "success"},
+            {"context": "qa-review / approved (pull_request_target)", "status": "success"},
+            {"context": "security-review / approved (pull_request_target)", "status": "success"},
+            {"context": "sop-checklist / all-items-acked (pull_request_target)", "status": "success"},
+        ]}
    monkeypatch.setattr(mq, "get_combined_status", fake_combined)

    monkeypatch.setattr(mq, "list_candidate_issues", lambda *, auto_discover: issues)
@@ -1468,7 +1555,12 @@ def test_hol_unready_red_required_ci_is_skipped_for_ready_pr(monkeypatch):
                    "statuses": [{"context": "CI / all-required (push)", "status": "success"}]}
        state = "failure" if sha == red_head else "success"
        return {"state": state,
-                "statuses": [{"context": "CI / all-required (pull_request)", "status": state}]}
+                "statuses": [
+                    {"context": "CI / all-required (pull_request)", "status": state},
+                    {"context": "qa-review / approved (pull_request_target)", "status": "success"},
+                    {"context": "security-review / approved (pull_request_target)", "status": "success"},
+                    {"context": "sop-checklist / all-items-acked (pull_request_target)", "status": "success"},
+                ]}
    monkeypatch.setattr(mq, "get_combined_status", fake_combined)

    rc = mq.process_once(dry_run=False)
@@ -17,7 +17,7 @@ wd.REPO = "molecule-ai/molecule-core"
 wd.OWNER = "molecule-ai"
 wd.NAME = "molecule-core"
 wd.WATCH_BRANCH = "main"
-wd.RED_LABEL = "tier:high"
+wd.RED_LABEL = "ci-bp-drift"
 wd.API = "https://git.example.com/api/v1"


@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# Anti-regression gate for #2403: fail if any SOP tier artifact reappears.
+
+cd "$(dirname "$0")/../../.."
+
+fail=0
+
+# 1. Deleted workflow files must stay deleted
+for f in .gitea/workflows/sop-tier-check.yml .gitea/workflows/sop-tier-refire.yml; do
+  if [ -e "$f" ]; then
+    echo "FAIL: $f was re-added (must stay deleted per #2403)" >&2
+    fail=1
+  fi
+done
+
+# 2. Deleted script files must stay deleted
+for f in .gitea/scripts/sop-tier-check.sh .gitea/scripts/sop-tier-refire.sh; do
+  if [ -e "$f" ]; then
+    echo "FAIL: $f was re-added (must stay deleted per #2403)" >&2
+    fail=1
+  fi
+done
+
+# 3. No tier branching logic in gate_check.py
+if grep -qE '_get_pr_tier|TIER_AGENTS' tools/gate-check-v3/gate_check.py; then
+  echo "FAIL: tier branching reappeared in gate_check.py" >&2
+  fail=1
+fi
+
+# 4. No _is_tier_low_pending_ok in merge queue
+if grep -q '_is_tier_low_pending_ok' .gitea/scripts/gitea-merge-queue.py; then
+  echo "FAIL: tier soft-fail reappeared in gitea-merge-queue.py" >&2
+  fail=1
+fi
+
+# 5. No sop-tier-check context references in workflow YAML
+if grep -rI --exclude-dir='__pycache__' 'sop-tier-check' .gitea/workflows/; then
+  echo "FAIL: sop-tier-check context reappeared in workflows" >&2
+  fail=1
+fi
+
+# 6. No SOP_TIER_CHECK_TOKEN references in workflow YAML or scripts
+if grep -rI --exclude-dir='__pycache__' --exclude='test_no_tier_regression.sh' 'SOP_TIER_CHECK_TOKEN' .gitea/workflows/ .gitea/scripts/; then
+  echo "FAIL: SOP_TIER_CHECK_TOKEN reference reappeared (use SOP_CHECKLIST_GATE_TOKEN)" >&2
+  fail=1
+fi
+
+# 7. qa-review and security-review must have labeled/unlabeled triggers (#2139)
+for f in .gitea/workflows/qa-review.yml .gitea/workflows/security-review.yml; do
+  if ! grep -q 'labeled, unlabeled' "$f"; then
+    echo "FAIL: $f missing labeled/unlabeled triggers (#2139)" >&2
+    fail=1
+  fi
+done
+
+# 8. qa-review and security-review must NOT have review.state guard (#2159)
+for f in .gitea/workflows/qa-review.yml .gitea/workflows/security-review.yml; do
+  if grep -q 'github.event.review.state' "$f"; then
+    echo "FAIL: $f has review.state guard reappeared (#2159)" >&2
+    fail=1
+  fi
+done
+
+if [ "$fail" -eq 1 ]; then
+  echo "TIER_REGRESSION_DETECTED" >&2
+  exit 1
+fi
+
+echo "PASS: no tier regression detected"
@@ -105,16 +105,25 @@ def test_build_plan_disable_flag_short_circuits_before_credentials():
    assert plan["disabled_reason"] == "PROD_AUTO_DEPLOY_DISABLED=true"


-def test_latest_status_for_context_uses_first_matching_status():
+def test_latest_status_for_context_picks_newest_by_id_regardless_of_order():
+    # The exhaustively-paginated /statuses list is ascending id order
+    # (oldest-first), the opposite of the combined /status view. The selector
+    # must collapse duplicate context rows to the NEWEST (max id) so a stale
+    # earlier run never shadows the current result, whichever way they arrive.
    statuses = [
-        {"context": "CI / all-required (push)", "status": "pending"},
-        {"context": "CI / all-required (pull_request)", "status": "success"},
-        {"context": "CI / all-required (push)", "status": "success"},
+        {"id": 10, "context": "CI / all-required (push)", "status": "pending"},
+        {"id": 11, "context": "CI / all-required (pull_request)", "status": "success"},
+        {"id": 12, "context": "CI / all-required (push)", "status": "success"},
    ]

    latest = prod.latest_status_for_context(statuses, "CI / all-required (push)")

-    assert latest == {"context": "CI / all-required (push)", "status": "pending"}
+    assert latest == {"id": 12, "context": "CI / all-required (push)", "status": "success"}
+
+    # Same rows shuffled (newest-first, as the combined view would deliver)
+    # must still resolve to the same newest row.
+    latest_rev = prod.latest_status_for_context(list(reversed(statuses)), "CI / all-required (push)")
+    assert latest_rev == {"id": 12, "context": "CI / all-required (push)", "status": "success"}


 def test_ci_context_state_handles_missing_and_gitea_status_key():
@@ -612,3 +621,123 @@ def test_superseded_by_none_for_latest_job_so_it_still_rolls(monkeypatch):
        )
        is None
    )
+
+
+# ---------------------------------------------------------------------------
+# /statuses pagination — required-context SUCCESS on page 2+ must be FOUND,
+# genuinely-absent context must STILL fail-closed (no fail-open).
+# Regression for the single-page-status bug (#2440-family, pagination RCA):
+# the combined /status view caps `statuses` at ~30, so on a high-churn commit
+# the still-current required-context row is pushed past page 1 and the reader
+# falsely reports it `missing`.
+# ---------------------------------------------------------------------------
+def _paged_statuses_stub(pages):
+    """Return a fake _api_json_list that serves `pages` keyed by ?page=N."""
+    def fake(url, _token):
+        # url looks like .../statuses?page=N&limit=100
+        page = 1
+        for part in url.split("?", 1)[-1].split("&"):
+            if part.startswith("page="):
+                page = int(part.split("=", 1)[1])
+        return pages.get(page, [])
+    return fake
+
+
+def test_fetch_all_statuses_finds_required_success_on_page_two(monkeypatch):
+    # Page 1 is a full 100 rows of unrelated/older churn; the required-context
+    # SUCCESS only appears on page 2. A single-page reader would miss it.
+    page1 = [
+        {"id": i, "context": f"noise-{i} (push)", "status": "pending"}
+        for i in range(100)
+    ]
+    page2 = [
+        {"id": 200, "context": "CI / all-required (push)", "status": "success"},
+        {"id": 201, "context": "Secret scan / Scan diff for credential-shaped strings (push)",
+         "status": "success"},
+    ]
+    monkeypatch.setattr(prod, "_api_json_list", _paged_statuses_stub({1: page1, 2: page2}))
+
+    rows = prod.fetch_all_statuses("git.moleculesai.app", "molecule-ai/molecule-core", "a" * 40, "tok")
+    # Must have walked to page 2 and accumulated every row.
+    assert len(rows) == 102
+    assert prod.ci_context_state(rows, "CI / all-required (push)") == "success"
+    assert (
+        prod.ci_context_state(
+            rows, "Secret scan / Scan diff for credential-shaped strings (push)"
+        )
+        == "success"
+    )
+
+
+def test_fetch_all_statuses_genuinely_absent_context_stays_missing(monkeypatch):
+    # The required context is on NO page → fail-closed: ci_context_state must
+    # report "missing", which context_is_satisfied() rejects → gate stays shut.
+    page1 = [
+        {"id": i, "context": f"noise-{i} (push)", "status": "success"}
+        for i in range(100)
+    ]
+    page2 = [{"id": 200, "context": "some-other (push)", "status": "success"}]
+    monkeypatch.setattr(prod, "_api_json_list", _paged_statuses_stub({1: page1, 2: page2}))
+
+    rows = prod.fetch_all_statuses("git.moleculesai.app", "molecule-ai/molecule-core", "b" * 40, "tok")
+    state = prod.ci_context_state(rows, "CI / all-required (push)")
+    assert state == "missing"
+    assert prod.context_is_satisfied(state) is False
+
+
+def test_fetch_all_statuses_fail_closed_on_page_error(monkeypatch):
+    # A page that raises (unreadable) must propagate, never silently truncate
+    # the scan and let the caller treat a partial list as complete.
+    def boom(url, _token):
+        if "page=2" in url:
+            raise RuntimeError("GET .../statuses?page=2 -> HTTP 502: bad gateway")
+        return [{"id": i, "context": f"n-{i}", "status": "success"} for i in range(100)]
+
+    monkeypatch.setattr(prod, "_api_json_list", boom)
+    try:
+        prod.fetch_all_statuses("h", "r", "c" * 40, "tok")
+    except RuntimeError as exc:
+        assert "502" in str(exc)
+    else:
+        raise AssertionError("expected page-2 error to propagate (fail-closed)")
+
+
+def test_wait_for_ci_context_succeeds_when_required_status_is_past_page_one(monkeypatch):
+    # End-to-end: the gate reads the EXHAUSTIVE list, so a required SUCCESS that
+    # only exists past page 1 lets the deploy proceed instead of timing out.
+    full = [
+        {"id": i, "context": f"noise-{i} (push)", "status": "success"}
+        for i in range(100)
+    ] + [
+        {"id": 500, "context": "CI / all-required (push)", "status": "success"},
+        {"id": 501, "context": "Secret scan / Scan diff for credential-shaped strings (push)",
+         "status": "success"},
+    ]
+    monkeypatch.setattr(prod, "fetch_all_statuses", lambda *a, **k: full)
+    result = prod.wait_for_ci_context(
+        {"GITHUB_SHA": "d" * 40, "GITEA_TOKEN": "tok", "CI_STATUS_TIMEOUT_SECONDS": "30"}
+    )
+    assert result == "success"
+
+
+def test_wait_for_ci_context_times_out_fail_closed_when_required_absent(monkeypatch):
+    # Genuinely-absent required context across all pages → never satisfied →
+    # the gate times out rather than green-lighting the deploy (no fail-open).
+    present_but_irrelevant = [
+        {"id": 500, "context": "some-other (push)", "status": "success"},
+    ]
+    monkeypatch.setattr(prod, "fetch_all_statuses", lambda *a, **k: present_but_irrelevant)
+    # Zero timeout + 0 interval → single poll then TimeoutError.
+    try:
+        prod.wait_for_ci_context(
+            {
+                "GITHUB_SHA": "e" * 40,
+                "GITEA_TOKEN": "tok",
+                "CI_STATUS_TIMEOUT_SECONDS": "1",
+                "CI_STATUS_POLL_INTERVAL_SECONDS": "1",
+            }
+        )
+    except TimeoutError as exc:
+        assert "missing" in str(exc)
+    else:
+        raise AssertionError("expected fail-closed TimeoutError, not a satisfied gate")
@@ -25,6 +25,11 @@
 #   T20 — ai-sop-ack APPROVED review excluded from security-review gate
 #   T21 — stale-head APPROVED review → exit 1 (commit_id mismatch)
 #   T22 — missing/non-official APPROVED review → exit 1 (official != true)
+#   T23 — missing-commit_id APPROVED review → exit 1 (SEV-1 internal#812
+#         fail-closed contract: a missing/empty commit_id is REJECTED, not
+#         silently accepted as "older Gitea row" the way the pre-fix
+#         gitea-merge-queue.py did. Closes the spoof-bug surface that
+#         #843 had.)
 #
 # Hostile-self-review (per feedback_assert_exact_not_substring):
 # this test MUST FAIL if the script is absent. Verified by running
@@ -427,6 +432,22 @@ T22_RC=$(cat "$FIX_STATE_DIR/last_rc")
 assert_eq "T22 exit code 1 (missing official rejected)" "1" "$T22_RC"
 assert_contains "T22 no candidates error" "no candidates from reviews API or issue comments" "$T22_OUT"

+# T23 — missing-commit_id APPROVED review must be rejected.
+# SEV-1 internal#812 (supersedes closed internal#843). A review with NO
+# commit_id field is the spoof-bug signature: a real reviewer cannot
+# have submitted against a commit that doesn't exist. The fail-closed
+# SSOT must REJECT — the pre-fix gitea-merge-queue.py silently accepted
+# these (the "older Gitea row" escape hatch), which is the exact surface
+# that closed #843 had. The Python unit tests in
+# test_approval_validator.py cover the predicate at the unit level;
+# this T23 covers the bash + jq pipeline end-to-end.
+echo
+echo "== T23 missing commit_id APPROVED review rejected (SEV-1 fail-closed) =="
+T23_OUT=$(run_review_check "T23_missing_commit_id")
+T23_RC=$(cat "$FIX_STATE_DIR/last_rc")
+assert_eq "T23 exit code 1 (missing commit_id rejected)" "1" "$T23_RC"
+assert_contains "T23 no candidates error" "no candidates from reviews API or issue comments" "$T23_OUT"
+
 echo
 echo "------"
 echo "PASS=$PASS FAIL=$FAIL"
@@ -11,7 +11,7 @@
 #   - compute_ack_state (self-ack rejected, team probe applied, revoke
 #     invalidates own prior ack, peer's ack survives unrevoked)
 #   - render_status (state + description format)
-#   - get_tier_mode (label-driven, default fallback)
+#   - is_high_risk (label-driven, default fallback)
 #   - load_config (default config parses cleanly with both PyYAML and
 #     the bundled minimal parser)
 #
@@ -432,37 +432,6 @@ class TestRenderStatus(unittest.TestCase):
        self.assertIn("body-unfilled", desc)


-# ---------------------------------------------------------------------------
-# get_tier_mode
-# ---------------------------------------------------------------------------
-
-
-class TestGetTierMode(unittest.TestCase):
-    def setUp(self):
-        self.cfg = sop.load_config(CONFIG_PATH)
-
-    def test_tier_high_is_hard(self):
-        pr = {"labels": [{"name": "tier:high"}, {"name": "area:ci"}]}
-        self.assertEqual(sop.get_tier_mode(pr, self.cfg), "hard")
-
-    def test_tier_medium_is_hard(self):
-        pr = {"labels": [{"name": "tier:medium"}]}
-        self.assertEqual(sop.get_tier_mode(pr, self.cfg), "hard")
-
-    def test_tier_low_is_soft(self):
-        pr = {"labels": [{"name": "tier:low"}]}
-        self.assertEqual(sop.get_tier_mode(pr, self.cfg), "soft")
-
-    def test_no_tier_label_defaults_to_hard(self):
-        # Per feedback_fix_root_not_symptom — never silently lower the bar.
-        pr = {"labels": [{"name": "area:ci"}]}
-        self.assertEqual(sop.get_tier_mode(pr, self.cfg), "hard")
-
-    def test_no_labels_defaults_to_hard(self):
-        self.assertEqual(sop.get_tier_mode({"labels": []}, self.cfg), "hard")
-        self.assertEqual(sop.get_tier_mode({}, self.cfg), "hard")
-
-
 # ---------------------------------------------------------------------------
 # load_config
 # ---------------------------------------------------------------------------
@@ -487,13 +456,6 @@ class TestLoadConfig(unittest.TestCase):
            },
        )

-    def test_default_config_tier_mode_shape(self):
-        cfg = sop.load_config(CONFIG_PATH)
-        self.assertEqual(cfg["tier_failure_mode"]["tier:high"], "hard")
-        self.assertEqual(cfg["tier_failure_mode"]["tier:medium"], "hard")
-        self.assertEqual(cfg["tier_failure_mode"]["tier:low"], "soft")
-        self.assertEqual(cfg["default_mode"], "hard")
-
    def test_each_item_has_required_fields(self):
        cfg = sop.load_config(CONFIG_PATH)
        for it in cfg["items"]:
@@ -627,7 +589,7 @@ class TestComputeNaState(unittest.TestCase):
 class TestIsHighRisk(unittest.TestCase):
    """The high-risk predicate decides which required_teams list applies.

-    Predicate: tier:high label OR any label in cfg.high_risk_labels.
+    Predicate: any label in cfg.high_risk_labels.
    """

    def setUp(self):
@@ -637,23 +599,8 @@ class TestIsHighRisk(unittest.TestCase):
        pr = {"labels": []}
        self.assertFalse(sop.is_high_risk(pr, self.cfg))

-    def test_tier_high_is_high_risk(self):
-        pr = {"labels": [{"name": "tier:high"}]}
-        self.assertTrue(sop.is_high_risk(pr, self.cfg))
-
-    def test_tier_low_is_default_class(self):
-        pr = {"labels": [{"name": "tier:low"}]}
-        self.assertFalse(sop.is_high_risk(pr, self.cfg))
-
-    def test_tier_medium_is_default_class(self):
-        # tier:medium alone is NOT high-risk (Option C — medium routes
-        # to the wider engineers OR-set).
-        pr = {"labels": [{"name": "tier:medium"}]}
-        self.assertFalse(sop.is_high_risk(pr, self.cfg))
-
    def test_area_security_label_is_high_risk(self):
-        pr = {"labels": [{"name": "tier:medium"}, {"name": "area:security"}]}
-        self.assertTrue(sop.is_high_risk(pr, self.cfg))
+        pr = {"labels": [{"name": "area:security"}]}

    def test_area_schema_label_is_high_risk(self):
        pr = {"labels": [{"name": "area:schema"}]}
@@ -668,7 +615,7 @@ class TestIsHighRisk(unittest.TestCase):
        self.assertTrue(sop.is_high_risk(pr, self.cfg))

    def test_area_gate_meta_label_is_high_risk(self):
-        # Gate-meta = changes to sop-checklist/sop-tier-check itself.
+        # Gate-meta = changes to sop-checklist/sop-checklist itself.
        pr = {"labels": [{"name": "area:gate-meta"}]}
        self.assertTrue(sop.is_high_risk(pr, self.cfg))

@@ -722,7 +669,7 @@ class TestRootCauseAckEligibilityWidened(unittest.TestCase):
    root-cause / no-backwards-compat for the default class.

    The dead-managers/ceo-persona-token gridlock is the symptom; the
-    root cause is that sop-checklist ignored tier-class. These tests
+    root cause is that sop-checklist ignored high-risk class. These tests
    pin the new wider-default behavior so it can't regress silently.
    """

@@ -793,7 +740,7 @@ class TestHighRiskClassUsesElevatedListInConfig(unittest.TestCase):

    def test_root_cause_high_risk_elevated_to_ceo_only(self):
        items = _items_by_slug()
-        # tier:high alone makes the PR high-risk → root-cause needs ceo.
+        # area:schema alone makes the PR high-risk → root-cause needs ceo.
        self.assertEqual(
            sop.resolve_required_teams(items["root-cause"], high_risk=True),
            ["ceo"],
@@ -1,272 +0,0 @@
-#!/usr/bin/env bash
-# Security regression test for the SOP tier-gate AUTHORIZATION bypass.
-#
-# Bug (fixed in fix/sop-tier-authz-no-org-fallback):
-#   sop-tier-check.sh probed team membership at /teams/{id}/members/{user}.
-#   If EVERY team probe failed (e.g. 403 — token lacks read:organization, or
-#   any visibility/flakiness gap), it FELL BACK to /orgs/{org}/members/{user}
-#   and credited that org member as a member of EVERY queried team. The
-#   evaluator then treated those synthetic memberships as real, so a plain
-#   NON-CEO org member satisfied tier:high (ceo). A visibility/auth gap became
-#   a real highest-tier authorization PASS — privilege escalation.
-#
-# Fix (fail-closed authorization):
-#   - The org-member ⇒ "member of all teams" fallback is REMOVED. Org
-#     membership is never credited as team membership.
-#   - A team probe that returns anything other than 200/204 (member) or 404
-#     (verified non-member) is a CANNOT-VERIFY condition: the gate fails loud
-#     (exit 1) with a cannot-verify status and never grants the tier.
-#
-# Method: this is a true end-to-end test. It prepends a fake `curl` to PATH
-# that serves canned Gitea API responses keyed by URL, then runs the REAL
-# sop-tier-check.sh. The fake exercises the genuine probe→credit→evaluate
-# path — no logic is re-implemented in the test.
-
-set -euo pipefail
-
-THIS_DIR="$(cd "$(dirname "$0")" && pwd)"
-SCRIPT_DIR="$(cd "$THIS_DIR/.." && pwd)"
-SCRIPT="$SCRIPT_DIR/sop-tier-check.sh"
-
-command -v jq >/dev/null 2>&1 || { echo "::error::jq required but not found"; exit 1; }
-[ -f "$SCRIPT" ] || { echo "::error::sop-tier-check.sh not found at $SCRIPT — test must fail loudly if the script is absent"; exit 1; }
-
-# sop-tier-check.sh uses `declare -A` (associative arrays), which require
-# bash >= 4. CI runners (Ubuntu) ship bash 5; macOS ships 3.2. Resolve a
-# bash >= 4 to run the script under.
-pick_bash() {
-  local c
-  for c in bash /opt/homebrew/bin/bash /usr/local/bin/bash /bin/bash; do
-    local p; p="$(command -v "$c" 2>/dev/null || true)"
-    [ -n "$p" ] || continue
-    local maj; maj="$("$p" -c 'echo "${BASH_VERSINFO[0]}"' 2>/dev/null || echo 0)"
-    if [ "${maj:-0}" -ge 4 ]; then echo "$p"; return 0; fi
-  done
-  return 1
-}
-BASH4="$(pick_bash)" || { echo "::error::need bash >= 4 to run sop-tier-check.sh (associative arrays); none found"; exit 1; }
-echo "using bash: $BASH4 ($("$BASH4" -c 'echo $BASH_VERSION'))"
-
-PASS=0
-FAIL=0
-
-assert_eq() {
-  local label="$1" expected="$2" got="$3"
-  if [ "$expected" = "$got" ]; then
-    echo "  PASS  $label"
-    PASS=$((PASS + 1))
-  else
-    echo "  FAIL  $label"
-    echo "        expected: <$expected>"
-    echo "        got:      <$got>"
-    FAIL=$((FAIL + 1))
-  fi
-}
-
-assert_contains() {
-  local label="$1" haystack="$2" needle="$3"
-  if printf '%s' "$haystack" | grep -qF -- "$needle"; then
-    echo "  PASS  $label"
-    PASS=$((PASS + 1))
-  else
-    echo "  FAIL  $label (missing substring: <$needle>)"
-    FAIL=$((FAIL + 1))
-  fi
-}
-
-assert_not_contains() {
-  local label="$1" haystack="$2" needle="$3"
-  if printf '%s' "$haystack" | grep -qF -- "$needle"; then
-    echo "  FAIL  $label (unexpected substring present: <$needle>)"
-    FAIL=$((FAIL + 1))
-  else
-    echo "  PASS  $label"
-    PASS=$((PASS + 1))
-  fi
-}
-
-# ---------------------------------------------------------------------------
-# Fake-curl harness.
-#
-# The real script calls curl in two shapes:
-#   (a) body capture:   curl -sS -H AUTH URL                 -> prints JSON body
-#   (b) http-code:      curl -sS -o FILE -w '%{http_code}' -H AUTH URL
-#   (c) http-code only: curl -sS -o /dev/null -w '%{http_code}' -H AUTH URL
-#
-# Our fake reads the URL (last non-flag arg), looks up a response in fixture
-# files under $FIXDIR, and emits body and/or http-code accordingly.
-# ---------------------------------------------------------------------------
-
-make_harness() {
-  # $1 = scenario dir to populate with fixtures
-  local FIXDIR="$1"
-  local BIN="$FIXDIR/bin"
-  mkdir -p "$BIN"
-  cat > "$BIN/curl" <<'FAKE'
-#!/usr/bin/env bash
-# Fake curl for sop-tier-check authz tests. Looks up canned responses by URL.
-set -u
-FIXDIR="${SOP_TEST_FIXDIR:?SOP_TEST_FIXDIR unset}"
-
-url=""
-out=""
-want_code="no"
-prev=""
-for a in "$@"; do
-  case "$prev" in
-    -o) out="$a" ;;
-  esac
-  case "$a" in
-    http*://*) url="$a" ;;
-    '%{http_code}') want_code="yes" ;;
-  esac
-  # -w '%{http_code}' arrives as the value of the -w flag
-  if [ "$prev" = "-w" ] && [ "$a" = '%{http_code}' ]; then want_code="yes"; fi
-  prev="$a"
-done
-
-# Map URL -> fixture key (a filename-safe slug).
-# We only need the path after /api/v1.
-path="${url#*/api/v1}"
-slug="$(printf '%s' "$path" | tr '/?=&' '____')"
-
-body_file="$FIXDIR/body${slug}"
-code_file="$FIXDIR/code${slug}"
-
-# Emit body to -o target (or capture for stdout) when a body fixture exists.
-body=""
-if [ -f "$body_file" ]; then body="$(cat "$body_file")"; fi
-if [ -n "$out" ]; then
-  printf '%s' "$body" > "$out"
-else
-  printf '%s' "$body"
-fi
-
-# Emit http code when requested.
-if [ "$want_code" = "yes" ]; then
-  if [ -f "$code_file" ]; then
-    printf '%s' "$(cat "$code_file")"
-  else
-    printf '200'
-  fi
-fi
-exit 0
-FAKE
-  chmod +x "$BIN/curl"
-  echo "$BIN"
-}
-
-# Common fixtures shared by scenarios. $1 = FIXDIR, $2 = approver login,
-# $3 = tier label name (e.g. tier:high), $4 = teams JSON.
-seed_common() {
-  local FIXDIR="$1" approver="$2" tier="$3" teams_json="$4"
-  mkdir -p "$FIXDIR"
-  # /user -> whoami
-  printf '%s' '{"login":"sop-bot"}' > "$FIXDIR/body_user"
-  # PR head sha
-  printf '%s' '{"head":{"sha":"headsha1"}}' \
-    > "$FIXDIR/body_repos_molecule-ai_molecule-core_pulls_42"
-  # labels
-  printf '%s' "[{\"name\":\"$tier\"}]" \
-    > "$FIXDIR/body_repos_molecule-ai_molecule-core_issues_42_labels"
-  # org teams list
-  printf '%s' "$teams_json" > "$FIXDIR/body_orgs_molecule-ai_teams"
-  printf '%s' '200' > "$FIXDIR/code_orgs_molecule-ai_teams"
-  # reviews: one APPROVED on current head by $approver
-  printf '%s' "[{\"state\":\"APPROVED\",\"commit_id\":\"headsha1\",\"user\":{\"login\":\"$approver\"}}]" \
-    > "$FIXDIR/body_repos_molecule-ai_molecule-core_pulls_42_reviews"
-}
-
-run_script() {
-  # $1 = FIXDIR (must contain bin/curl). Returns combined stdout+stderr; sets RC.
-  local FIXDIR="$1"
-  local BIN="$FIXDIR/bin"
-  set +e
-  OUT=$(
-    SOP_TEST_FIXDIR="$FIXDIR" \
-    PATH="$BIN:$PATH" \
-    GITEA_TOKEN="faketoken" \
-    GITEA_HOST="git.moleculesai.app" \
-    REPO="molecule-ai/molecule-core" \
-    PR_NUMBER="42" \
-    PR_AUTHOR="pr-author" \
-    SOP_DEBUG="0" \
-    SOP_LEGACY_CHECK="0" \
-    "$BASH4" "$SCRIPT" 2>&1
-  )
-  RC=$?
-  set -e
-  printf '%s' "$OUT"
-  return $RC
-}
-
-TEAMS_JSON='[{"name":"ceo","id":10},{"name":"engineers","id":11},{"name":"managers","id":12}]'
-
-echo "=============================================================="
-echo "Scenario 1: tier:high, team probe 403 (cannot read), approver"
-echo "            is a plain org member but NOT in ceo team."
-echo "            EXPECT: tier NOT granted (fail-closed cannot-verify)."
-echo "=============================================================="
-S1="$(mktemp -d)"
-make_harness "$S1" >/dev/null
-seed_common "$S1" "org-only-bob" "tier:high" "$TEAMS_JSON"
-# Team membership probe for ceo (id=10) returns 403 — cannot read.
-printf '%s' '403' > "$S1/code_teams_10_members_org-only-bob"
-# The OLD bug path: org membership probe would 204 and synthetic-credit.
-printf '%s' '204' > "$S1/code_orgs_molecule-ai_members_org-only-bob"
-set +e
-OUT1="$(run_script "$S1")"; RC1=$?
-set -e
-echo "$OUT1" | sed 's/^/    /'
-echo "    (exit=$RC1)"
-assert_eq "S1 exit non-zero (tier NOT granted)" "1" "$([ "$RC1" -ne 0 ] && echo 1 || echo 0)"
-assert_not_contains "S1 did NOT print PASSED" "$OUT1" "sop-tier-check PASSED"
-assert_contains "S1 cannot-verify error surfaced" "$OUT1" "CANNOT VERIFY"
-assert_contains "S1 names the unreadable probe (403)" "$OUT1" "HTTP 403"
-rm -rf "$S1"
-
-echo
-echo "=============================================================="
-echo "Scenario 2: tier:high, genuine ceo team member (probe 204)."
-echo "            EXPECT: tier GRANTED."
-echo "=============================================================="
-S2="$(mktemp -d)"
-make_harness "$S2" >/dev/null
-seed_common "$S2" "real-ceo" "tier:high" "$TEAMS_JSON"
-printf '%s' '204' > "$S2/code_teams_10_members_real-ceo"   # ceo team: member
-set +e
-OUT2="$(run_script "$S2")"; RC2=$?
-set -e
-echo "$OUT2" | sed 's/^/    /'
-echo "    (exit=$RC2)"
-assert_eq "S2 exit zero (granted)" "0" "$RC2"
-assert_contains "S2 printed PASSED" "$OUT2" "sop-tier-check PASSED"
-rm -rf "$S2"
-
-echo
-echo "=============================================================="
-echo "Scenario 3: tier:high, approver is an org member but a VERIFIED"
-echo "            non-member of ceo (team probe 404). Org probe would"
-echo "            204 — must NEVER be synthetic-credited."
-echo "            EXPECT: tier NOT granted (clause FAIL), no fallback."
-echo "=============================================================="
-S3="$(mktemp -d)"
-make_harness "$S3" >/dev/null
-seed_common "$S3" "org-member-carol" "tier:high" "$TEAMS_JSON"
-printf '%s' '404' > "$S3/code_teams_10_members_org-member-carol"  # verified NOT in ceo
-printf '%s' '204' > "$S3/code_orgs_molecule-ai_members_org-member-carol" # org member (must be ignored)
-set +e
-OUT3="$(run_script "$S3")"; RC3=$?
-set -e
-echo "$OUT3" | sed 's/^/    /'
-echo "    (exit=$RC3)"
-assert_eq "S3 exit non-zero (tier NOT granted)" "1" "$([ "$RC3" -ne 0 ] && echo 1 || echo 0)"
-assert_not_contains "S3 did NOT print PASSED" "$OUT3" "sop-tier-check PASSED"
-assert_contains "S3 reported a real clause FAIL (not cannot-verify)" "$OUT3" "FAILED for tier:high"
-assert_not_contains "S3 did NOT cannot-verify (404 is a verified negative)" "$OUT3" "CANNOT VERIFY"
-rm -rf "$S3"
-
-echo
-echo "------"
-echo "PASS=$PASS FAIL=$FAIL"
-[ "$FAIL" -eq 0 ]
@@ -1,101 +0,0 @@
-#!/usr/bin/env bash
-# Regression test for #229 — sop-tier-check tier:low OR-clause splitter.
-#
-# Bug (PR #225 → still broken after PR #231):
-#   Line ~289 of sop-tier-check.sh used:
-#     _clause=$(echo "$_raw_clause" | tr -d '()' | tr ',' '\n' | tr -d '[:space:]' | grep -v '^$')
-#   `tr -d '[:space:]'` strips the newlines that `tr ',' '\n'` just
-#   inserted, collapsing "engineers,managers,ceo" into a single token
-#   "engineersmanagersceo". The for-loop then iterates ONCE on a name
-#   that matches no team, so every tier:low PR fails:
-#     ::error::clause [engineers/managers/ceo]: FAIL — no approving
-#     reviewer belongs to any of these teamsengineersmanagersceo
-#   (note also: missing separators in the error string is bug #2 —
-#    `_clause_names` used "${var:+, }$x" which OVERWRITES per iteration).
-#
-# Fix shape (this PR):
-#   _no_parens=${_raw_clause//[()]/}
-#   _clause=${_no_parens//,/ }    # comma -> space, bash word-split iterates
-#   _clause_names="${_clause_names}${_clause_names:+, }${_t}"  # APPEND, not overwrite
-#
-# This test extracts the splitter logic and asserts it produces the right
-# token list for each of the three tier expressions live in the script.
-
-set -euo pipefail
-
-PASS=0
-FAIL=0
-
-assert_eq() {
-  local label="$1"
-  local expected="$2"
-  local got="$3"
-  if [ "$expected" = "$got" ]; then
-    echo "  PASS  $label"
-    PASS=$((PASS + 1))
-  else
-    echo "  FAIL  $label"
-    echo "        expected: <$expected>"
-    echo "        got:      <$got>"
-    FAIL=$((FAIL + 1))
-  fi
-}
-
-# ----- Splitter under test (mirrors the fixed sop-tier-check.sh block) -----
-split_clause() {
-  local raw="$1"
-  local no_parens=${raw//[()]/}
-  local clause=${no_parens//,/ }
-  local out=""
-  for _t in $clause; do
-    out="${out}${out:+|}$_t"
-  done
-  echo "$out"
-}
-
-echo "test: tier:low OR-clause splits to 3 tokens"
-assert_eq "tier:low" "engineers|managers|ceo" "$(split_clause "engineers,managers,ceo")"
-
-echo "test: tier:medium AND-expression — bash word-split on \$EXPR yields 5 tokens"
-EXPR="managers AND engineers AND qa,security"
-out=""
-for _raw in $EXPR; do
-  out="${out}${out:+ ; }$(split_clause "$_raw")"
-done
-assert_eq "tier:medium" "managers ; AND ; engineers ; AND ; qa|security" "$out"
-
-echo "test: tier:high single-team OR-clause"
-assert_eq "tier:high" "ceo" "$(split_clause "ceo")"
-
-echo "test: paren-wrapped OR-set unwraps + splits"
-assert_eq "paren OR" "managers|ceo" "$(split_clause "(managers,ceo)")"
-
-# ----- _clause_names accumulator (was overwriting per iteration) -----
-acc=""
-for t in engineers managers ceo; do
-  acc="${acc}${acc:+, }${t}"
-done
-assert_eq "_clause_names append" "engineers, managers, ceo" "$acc"
-
-# ----- _failed_clauses / _passed_clauses accumulator across raw clauses -----
-acc=""
-for c in clauseA clauseB clauseC; do
-  acc="${acc}${acc:+, }${c}"
-done
-assert_eq "_failed_clauses append" "clauseA, clauseB, clauseC" "$acc"
-
-# ----- End-to-end OR-gate: simulate APPROVER_TEAMS[core-lead]=' managers ' -----
-# The script's case pattern is *${_t}* with a space-padded value.
-APPROVER_TEAMS_VAL=" managers "
-matched=""
-for _t in $(split_clause "engineers,managers,ceo" | tr '|' ' '); do
-  case "$APPROVER_TEAMS_VAL" in
-    *${_t}*) matched="$_t"; break ;;
-  esac
-done
-assert_eq "OR-gate matches managers" "managers" "$matched"
-
-echo
-echo "------"
-echo "PASS=$PASS FAIL=$FAIL"
-[ "$FAIL" -eq 0 ]
@@ -1,66 +0,0 @@
-#!/usr/bin/env bash
-# Regression test for internal#816 — sop-tier-check must ignore APPROVED
-# reviews that were submitted against an old PR head SHA.
-#
-# Bug: the script collected approvers with
-#   jq '[.[] | select(.state=="APPROVED") | .user.login]'
-# without filtering on .commit_id == HEAD_SHA. After a PR head moved,
-# stale approvals looked valid to the tier gate.
-#
-# Fix: the jq filter now includes
-#   select(.state=="APPROVED" and .commit_id == $head_sha)
-# where $head_sha is the current PR head fetched from the API.
-
-set -euo pipefail
-
-# jq may not be on PATH in all environments (e.g. dev containers).
-PATH="/tmp/bin:$PATH"
-command -v jq >/dev/null 2>&1 || { echo "::error::jq required but not found"; exit 1; }
-
-PASS=0
-FAIL=0
-
-assert_eq() {
-  local label="$1"
-  local expected="$2"
-  local got="$3"
-  if [ "$expected" = "$got" ]; then
-    echo "  PASS  $label"
-    PASS=$((PASS + 1))
-  else
-    echo "  FAIL  $label"
-    echo "        expected: <$expected>"
-    echo "        got:      <$got>"
-    FAIL=$((FAIL + 1))
-  fi
-}
-
-# Sample reviews matching the shape from Gitea API
-REVIEWS_JSON='[
-  {"state":"APPROVED","commit_id":"abc123","user":{"login":"bob"}},
-  {"state":"APPROVED","commit_id":"old456","user":{"login":"alice"}},
-  {"state":"COMMENT","commit_id":"abc123","user":{"login":"carol"}},
-  {"state":"APPROVED","commit_id":"abc123","user":{"login":"dave"}},
-  {"state":"REQUEST_CHANGES","commit_id":"abc123","user":{"login":"eve"}}
-]'
-
-echo "test: jq filter keeps only APPROVED on current head"
-GOT=$(echo "$REVIEWS_JSON" | jq -r --arg head_sha "abc123" \
-  '[.[] | select(.state=="APPROVED" and .commit_id == $head_sha) | .user.login] | unique | .[]')
-assert_eq "current-head approvers" "bob dave" "$(echo "$GOT" | tr '\n' ' ' | sed 's/ $//')"
-
-echo "test: jq filter with all-stale reviews yields empty"
-GOT=$(echo "$REVIEWS_JSON" | jq -r --arg head_sha "new789" \
-  '[.[] | select(.state=="APPROVED" and .commit_id == $head_sha) | .user.login] | unique | .[]')
-assert_eq "all-stale yields empty" "" "$GOT"
-
-echo "test: jq filter handles null commit_id gracefully"
-NULL_JSON='[{"state":"APPROVED","commit_id":null,"user":{"login":"mallory"}}]'
-GOT=$(echo "$NULL_JSON" | jq -r --arg head_sha "abc123" \
-  '[.[] | select(.state=="APPROVED" and .commit_id == $head_sha) | .user.login] | unique | .[]')
-assert_eq "null commit_id excluded" "" "$GOT"
-
-echo
-echo "------"
-echo "PASS=$PASS FAIL=$FAIL"
-[ "$FAIL" -eq 0 ]
@@ -1,304 +0,0 @@
-#!/usr/bin/env bash
-# Tests for sop-tier-refire.{yml,sh} — internal#292.
-#
-# Behavior matrix:
-#
-#   T1: PR open + APPROVED via tier:low → script invokes sop-tier-check
-#       and POSTs status=success.
-#   T2: PR open + missing tier label → sop-tier-check exits non-zero;
-#       refire still POSTs status=success, matching the canonical
-#       pull_request_target workflow's fail-open job conclusion.
-#   T3: PR open + tier:low but NO approving reviews → sop-tier-check
-#       exits non-zero; refire still POSTs status=success for the same reason.
-#   T4: PR CLOSED → refire exits 0 with no status POST (no-op on closed).
-#   T5: Rate-limit — recent status update within 30s → refire skips,
-#       no new POST.
-#   T6 (yaml-lint): workflow `if:` expression contains author_association
-#       gate + slash-command-trigger gate + PR-not-issue gate.
-#   T7 (yaml-lint): workflow file is parseable YAML.
-#
-# Tests T1-T5 run the real script against a local-fixture HTTP server
-# (python http.server with a stub handler — `tests/_refire_fixture.py`)
-# so the script's Gitea API calls hit the fixture, not the real Gitea.
-#
-# Tests T6/T7 are pure YAML checks against the workflow file.
-#
-# Hostile-self-review (per feedback_assert_exact_not_substring):
-# this test MUST FAIL if the workflow or script is absent. Verified by
-# running the test before the files exist (covered in the PR body).
-
-set -euo pipefail
-
-THIS_DIR="$(cd "$(dirname "$0")" && pwd)"
-SCRIPT_DIR="$(cd "$THIS_DIR/.." && pwd)"
-WORKFLOW_DIR="$(cd "$THIS_DIR/../../workflows" && pwd)"
-WORKFLOW="$WORKFLOW_DIR/sop-tier-refire.yml"
-DISPATCH_WORKFLOW="$WORKFLOW_DIR/sop-checklist.yml"
-SCRIPT="$SCRIPT_DIR/sop-tier-refire.sh"
-
-PASS=0
-FAIL=0
-FAILED_TESTS=""
-
-assert_eq() {
-  local label="$1"
-  local expected="$2"
-  local got="$3"
-  if [ "$expected" = "$got" ]; then
-    echo "  PASS  $label"
-    PASS=$((PASS + 1))
-  else
-    echo "  FAIL  $label"
-    echo "        expected: <$expected>"
-    echo "        got:      <$got>"
-    FAIL=$((FAIL + 1))
-    FAILED_TESTS="${FAILED_TESTS} ${label}"
-  fi
-}
-
-assert_contains() {
-  local label="$1"
-  local needle="$2"
-  local haystack="$3"
-  if printf '%s' "$haystack" | grep -qF "$needle"; then
-    echo "  PASS  $label"
-    PASS=$((PASS + 1))
-  else
-    echo "  FAIL  $label"
-    echo "        needle:    <$needle>"
-    echo "        haystack:  <$(printf '%s' "$haystack" | head -c 400)>"
-    FAIL=$((FAIL + 1))
-    FAILED_TESTS="${FAILED_TESTS} ${label}"
-  fi
-}
-
-assert_file_exists() {
-  local label="$1"
-  local path="$2"
-  if [ -f "$path" ]; then
-    echo "  PASS  $label"
-    PASS=$((PASS + 1))
-  else
-    echo "  FAIL  $label (not found: $path)"
-    FAIL=$((FAIL + 1))
-    FAILED_TESTS="${FAILED_TESTS} ${label}"
-  fi
-}
-
-# Existence (foundation — every other test depends on these)
-echo
-echo "== existence =="
-assert_file_exists "workflow file exists"  "$WORKFLOW"
-assert_file_exists "SSOT dispatcher workflow file exists" "$DISPATCH_WORKFLOW"
-assert_file_exists "script file exists"    "$SCRIPT"
-if [ "$FAIL" -gt 0 ]; then
-  echo
-  echo "------"
-  echo "PASS=$PASS FAIL=$FAIL (existence)"
-  echo "Cannot proceed without these files."
-  exit 1
-fi
-
-# T6 / T7 — workflow YAML structure
-echo
-echo "== T6/T7 workflow yaml =="
-
-# YAML parseability
-PARSE_OUT=$(python3 -c 'import sys,yaml;yaml.safe_load(open(sys.argv[1]).read());print("ok")' "$WORKFLOW" 2>&1 || true)
-assert_eq "T7 workflow parses as YAML" "ok" "$PARSE_OUT"
-
-# The old per-workflow issue_comment listener caused queue storms because
-# Gitea queues jobs before evaluating job-level `if:`. The script remains,
-# but comment-triggered refires route through the single dispatcher.
-WORKFLOW_CONTENT=$(cat "$WORKFLOW")
-if printf '%s' "$WORKFLOW_CONTENT" | grep -q '^  issue_comment:'; then
-  echo "  FAIL  T6a manual fallback workflow must not listen on issue_comment"
-  FAIL=$((FAIL + 1))
-  FAILED_TESTS="${FAILED_TESTS} T6a"
-else
-  echo "  PASS  T6a manual fallback workflow does not listen on issue_comment"
-  PASS=$((PASS + 1))
-fi
-assert_contains "T6b workflow exposes workflow_dispatch" \
-  "workflow_dispatch" "$WORKFLOW_CONTENT"
-assert_contains "T6c workflow documents unsupported manual inputs" \
-  "workflow_dispatch inputs" "$WORKFLOW_CONTENT"
-# Does NOT check out PR HEAD (security)
-if grep -q 'ref: \${{ github.event.pull_request.head' "$WORKFLOW"; then
-  echo "  FAIL  T6d workflow MUST NOT check out PR head (security)"
-  FAIL=$((FAIL + 1))
-  FAILED_TESTS="${FAILED_TESTS} T6d"
-else
-  echo "  PASS  T6d workflow does not check out PR head"
-  PASS=$((PASS + 1))
-fi
-
-DISPATCH_PARSE_OUT=$(python3 -c 'import sys,yaml;yaml.safe_load(open(sys.argv[1]).read());print("ok")' "$DISPATCH_WORKFLOW" 2>&1 || true)
-assert_eq "T6e SSOT dispatcher workflow parses as YAML" "ok" "$DISPATCH_PARSE_OUT"
-DISPATCH_CONTENT=$(cat "$DISPATCH_WORKFLOW")
-assert_contains "T6f SSOT dispatcher listens on issue_comment" \
-  "issue_comment" "$DISPATCH_CONTENT"
-assert_contains "T6g SSOT dispatcher handles /qa-recheck" \
-  "/qa-recheck" "$DISPATCH_CONTENT"
-assert_contains "T6h SSOT dispatcher handles /security-recheck" \
-  "/security-recheck" "$DISPATCH_CONTENT"
-assert_contains "T6i SSOT dispatcher handles /refire-tier-check" \
-  "/refire-tier-check" "$DISPATCH_CONTENT"
-
-# T1-T5 — script behavior against a local Gitea-fixture
-echo
-echo "== T1-T5 script behavior (vs local fixture) =="
-
-# Spin up the fixture HTTP server.
-FIXTURE_DIR=$(mktemp -d)
-trap 'rm -rf "$FIXTURE_DIR"; [ -n "${FIX_PID:-}" ] && kill "$FIX_PID" 2>/dev/null || true' EXIT
-FIXTURE_PY="$THIS_DIR/_refire_fixture.py"
-if [ ! -f "$FIXTURE_PY" ]; then
-  echo "::error::fixture server $FIXTURE_PY missing"
-  exit 1
-fi
-
-FIX_LOG="$FIXTURE_DIR/fixture.log"
-FIX_STATE_DIR="$FIXTURE_DIR/state"
-mkdir -p "$FIX_STATE_DIR"
-
-# Find an unused port.
-FIX_PORT=$(python3 -c 'import socket;s=socket.socket();s.bind(("127.0.0.1",0));print(s.getsockname()[1]);s.close()')
-
-FIXTURE_STATE_DIR="$FIX_STATE_DIR" python3 "$FIXTURE_PY" "$FIX_PORT" \
-  >"$FIX_LOG" 2>&1 &
-FIX_PID=$!
-
-# Wait for fixture readiness.
-for _ in $(seq 1 50); do
-  if curl -fsS "http://127.0.0.1:${FIX_PORT}/_ping" >/dev/null 2>&1; then
-    break
-  fi
-  sleep 0.1
-done
-if ! curl -fsS "http://127.0.0.1:${FIX_PORT}/_ping" >/dev/null 2>&1; then
-  echo "::error::fixture server failed to start. Log:"
-  cat "$FIX_LOG"
-  exit 1
-fi
-
-# Helper: set fixture state for a scenario, then run the script.
-# tier_result is one of: pass | fail_no_label | fail_no_approvals.
-# The refire script's tier-check invocation is mocked because the real
-# sop-tier-check.sh uses bash 4+ associative arrays — incompatible with
-# the macOS bash 3.2 dev shell. Linux Gitea runners use bash 4/5 so
-# production runs the real script. The mock exercises the success +
-# failure branches of refire's status-POST glue.
-run_scenario() {
-  local scenario="$1"
-  local tier_result="${2:-pass}"
-  echo "$scenario" >"$FIX_STATE_DIR/scenario"
-  : >"$FIX_STATE_DIR/posted_statuses.jsonl"  # clear status log
-
-  local out
-  set +e
-  out=$(
-    PATH="$FIXTURE_DIR/bin:$PATH" \
-    GITEA_TOKEN="fixture-token" \
-    GITEA_HOST="fixture.local" \
-    REPO="molecule-ai/molecule-core" \
-    PR_NUMBER="999" \
-    COMMENT_AUTHOR="test-runner" \
-    SOP_REFIRE_DISABLE_RATE_LIMIT="1" \
-    SOP_REFIRE_TIER_CHECK_SCRIPT="$THIS_DIR/_mock_tier_check.sh" \
-    MOCK_TIER_RESULT="$tier_result" \
-    FIXTURE_PORT="$FIX_PORT" \
-    bash "$SCRIPT" 2>&1
-  )
-  local rc=$?
-  set -e
-  echo "$out" >"$FIX_STATE_DIR/last_run.log"
-  echo "$rc" >"$FIX_STATE_DIR/last_rc"
-}
-
-# Install a curl shim that rewrites https://fixture.local → http://127.0.0.1:$PORT
-# Use bash prefix-strip (${var#prefix}) — it sidesteps the `/` delimiter
-# confusion of ${var/pattern/replacement}.
-mkdir -p "$FIXTURE_DIR/bin"
-cat >"$FIXTURE_DIR/bin/curl" <<SHIM
-#!/usr/bin/env bash
-# Test shim: rewrite https://fixture.local/* -> http://127.0.0.1:${FIX_PORT}/*
-# The fixture doesn't authenticate; -H Authorization passes through harmlessly.
-new_args=()
-for a in "\$@"; do
-  if [[ "\$a" == https://fixture.local/* ]]; then
-    rest="\${a#https://fixture.local}"
-    a="http://127.0.0.1:${FIX_PORT}\${rest}"
-  fi
-  new_args+=("\$a")
-done
-exec /usr/bin/curl "\${new_args[@]}"
-SHIM
-chmod +x "$FIXTURE_DIR/bin/curl"
-
-# T1: tier:low + 1 APPROVED + author is in engineers team → success
-run_scenario "T1_success" "pass"
-RC=$(cat "$FIX_STATE_DIR/last_rc")
-POSTED=$(cat "$FIX_STATE_DIR/posted_statuses.jsonl" 2>/dev/null || true)
-assert_eq "T1 exit code 0 (success)" "0" "$RC"
-assert_contains "T1 POSTed state=success" '"state": "success"' "$POSTED"
-assert_contains "T1 POST context is sop-tier-check / tier-check" \
-  '"context": "sop-tier-check / tier-check (pull_request)"' "$POSTED"
-assert_contains "T1 description names commenter" "test-runner" "$POSTED"
-
-# T2: missing tier label → tier-check fails internally (mock exits 1).
-# FAIL-CLOSED contract (fix/core-ci-fail-closed): refire now captures the
-# REAL exit code and POSTs state=failure — it does NOT forge a green on
-# the required context. The refire job itself still exits 0 (it succeeded
-# at posting an honest failure status).
-run_scenario "T2_no_tier_label" "fail_no_label"
-RC=$(cat "$FIX_STATE_DIR/last_rc")
-POSTED=$(cat "$FIX_STATE_DIR/posted_statuses.jsonl" 2>/dev/null || true)
-assert_eq "T2 exit code 0 (posted an honest status)" "0" "$RC"
-assert_contains "T2 POSTed state=failure (no forged green)" '"state": "failure"' "$POSTED"
-
-# T3: tier:low present but ZERO approving reviews → internal tier check
-# fails (mock exits 1). Refire POSTs state=failure, never a false green.
-run_scenario "T3_no_approvals" "fail_no_approvals"
-RC=$(cat "$FIX_STATE_DIR/last_rc")
-POSTED=$(cat "$FIX_STATE_DIR/posted_statuses.jsonl" 2>/dev/null || true)
-assert_eq "T3 exit code 0 (posted an honest status)" "0" "$RC"
-assert_contains "T3 POSTed state=failure (no forged green)" '"state": "failure"' "$POSTED"
-
-# T4: closed PR — refire is a no-op (no POST, exit 0)
-run_scenario "T4_closed" "pass"
-RC=$(cat "$FIX_STATE_DIR/last_rc")
-POSTED=$(cat "$FIX_STATE_DIR/posted_statuses.jsonl" 2>/dev/null || true)
-assert_eq "T4 closed PR exits 0" "0" "$RC"
-assert_eq "T4 closed PR posts no status" "" "$POSTED"
-
-# T5: rate-limit — disable the env override and let scenario set a
-# recent statuses entry. Re-enable rate-limit for this scenario by NOT
-# passing SOP_REFIRE_DISABLE_RATE_LIMIT.
-echo "T5_rate_limited" >"$FIX_STATE_DIR/scenario"
-: >"$FIX_STATE_DIR/posted_statuses.jsonl"
-set +e
-T5_OUT=$(
-  PATH="$FIXTURE_DIR/bin:$PATH" \
-  GITEA_TOKEN="fixture-token" \
-  GITEA_HOST="fixture.local" \
-  REPO="molecule-ai/molecule-core" \
-  PR_NUMBER="999" \
-  COMMENT_AUTHOR="test-runner" \
-  FIXTURE_PORT="$FIX_PORT" \
-  bash "$SCRIPT" 2>&1
-)
-T5_RC=$?
-set -e
-POSTED=$(cat "$FIX_STATE_DIR/posted_statuses.jsonl" 2>/dev/null || true)
-assert_eq "T5 rate-limited exits 0" "0" "$T5_RC"
-assert_contains "T5 rate-limited log says skipped" "rate-limited" "$T5_OUT"
-assert_eq "T5 rate-limited posts no status" "" "$POSTED"
-
-echo
-echo "------"
-echo "PASS=$PASS FAIL=$FAIL"
-if [ "$FAIL" -gt 0 ]; then
-  echo "Failed:$FAILED_TESTS"
-fi
-[ "$FAIL" -eq 0 ]
@@ -55,38 +55,22 @@

 version: 1

-# Tier-aware failure mode (RFC#351 open question 2):
-#   For tier:high — hard-fail (status `failure`, blocks merge via BP).
-#   For tier:medium — hard-fail (same as high; medium is non-trivial).
-#   For tier:low — soft-fail (status `pending` with `acked: N/M` in the
-#                  description). BP can choose to require the context
-#                  or not for low-tier PRs.
-# If no tier label is present, default to medium (hard-fail) — every PR
-# should have a tier label per sop-tier-check, and absence indicates
-# a missing-tier defect we should surface, not silently lower the bar.
-tier_failure_mode:
-  "tier:high": hard
-  "tier:medium": hard
-  "tier:low": soft
-default_mode: hard  # used when no tier:* label is present
+# Uniform hard-fail mode (CTO 2026-06-07):
+#   Every PR uses the same gate — no tier branching.
+#   Missing acks → status `failure`, blocks merge via branch protection.

 # High-risk class (RFC#450 Option C, governance-fix for internal#442).
 #
-# A PR is "high-risk" when ANY of the listed labels are applied OR when
-# the PR has `tier:high` (mechanically the strictest existing tier).
+# A PR is "high-risk" when ANY of the listed labels are applied.
 # High-risk items use `required_teams_high_risk` (when present on the
 # item); non-high-risk items use the default `required_teams`.
 #
-# This closes the inconsistency that the SOP charter already mandates
-# `tier:high → ceo only` for the sibling `sop-tier-check` gate; the
-# sop-checklist's `root-cause` and `no-backwards-compat` items now
-# follow the same risk-classed two-eyes shape:
-#   - Default class (tier:low/medium, not high-risk): a non-author
-#     engineers/managers/ceo ack satisfies the item — 25+ live
-#     identities, no dependency on a dead/inactive senior persona
-#     token.
-#   - High-risk class (tier:high OR any high_risk_label): still
-#     requires a non-author ceo ack (durable human team).
+# Risk-classed two-eyes shape:
+#   - Default class (not high-risk): a non-author engineers/managers/ceo
+#     ack satisfies the item — 25+ live identities, no dependency on a
+#     dead/inactive senior persona token.
+#   - High-risk class (any high_risk_label): still requires a non-author
+#     ceo ack (durable human team).
 #
 # Tightening: add labels to high_risk_labels.
 # Loosening: remove labels.
@@ -165,7 +149,11 @@ items:

  - slug: memory-consulted
    numeric_alias: 7
-    pr_section_marker: "Memory/saved-feedback consulted"
+    # #1973: normalize marker so it matches the slug. Previously the
+    # slash produced a checklist status that never resolved because
+    # normalize_slug() collapses / to - and the Gitea PR body parser
+    # would not find the expected heading.
+    pr_section_marker: "Memory consulted"
    required_teams: [engineers]
    ai_ack_eligible: true
    description: >-
@@ -13,14 +13,14 @@
 # the structured JSON shape is forward-compatible.
 #
 # Logic in `.gitea/scripts/audit-force-merge.sh` per the same script-
-# extract pattern as sop-tier-check.
+# extract pattern as sop-checklist.

 name: audit-force-merge

 # pull_request_target loads from the base branch — same security model
-# as sop-tier-check. Without this, an attacker could rewrite the
+# as sop-checklist. Without this, an attacker could rewrite the
 # workflow on a PR and skip the audit emission for their own
-# force-merge. See `.gitea/workflows/sop-tier-check.yml` for the full
+# force-merge. See `.gitea/workflows/sop-checklist.yml` for the full
 # rationale.
 on:
  pull_request_target:
@@ -41,8 +41,8 @@ jobs:
          ref: ${{ github.event.pull_request.base.sha }}
      - name: Detect force-merge + emit audit event
        env:
-          # Same org-level secret the sop-tier-check workflow uses.
-          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
+          # Same org-level secret the sop-checklist workflow uses.
+          GITEA_TOKEN: ${{ secrets.SOP_CHECKLIST_GATE_TOKEN || secrets.GITHUB_TOKEN }}
          GITEA_HOST: git.moleculesai.app
          REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
@@ -54,7 +54,7 @@ jobs:
          # required checks) for each branch listed here.
          #
          # Declared here rather than fetched from /branch_protections
-          # because that endpoint requires admin write — sop-tier-bot is
+          # because that endpoint requires admin write — sop-checklist-bot is
          # read-only by design (least-privilege).
          REQUIRED_CHECKS_JSON: |
            {
@@ -12,7 +12,7 @@
 # (SHA 0adf2098) per RFC internal#219 Phase 2b+c — replicate repo-by-repo.
 #
 # When any pair diverges, a `[ci-drift]` issue is opened or updated
-# (idempotent by title) and labelled `tier:high`. This is the
+# (idempotent by title) and labelled `ci-bp-drift`. This is the
 # auto-detection that closes the regression class identified in
 # RFC §1 finding 3 (protection only listed 2 of 6 real jobs for
 # ~weeks, undetected) and §6 (audit env drifts silently from
@@ -81,7 +81,7 @@ jobs:
          # Gitea persona whose ONLY job is reading branch_protections
          # and posting the [ci-drift] tracking issue. The endpoint
          # `GET /repos/.../branch_protections/{branch}` requires
-          # repo-ADMIN role (Gitea 1.22.6) — SOP_TIER_CHECK_TOKEN and the
+          # repo-ADMIN role (Gitea 1.22.6) — the default GITHUB_TOKEN and the
          # auto-injected GITHUB_TOKEN do NOT have it (read-only / write
          # without admin), so the previous fallback chain 403'd.
          # Mirrors the controlplane fix landed in CP PR#134.
@@ -106,7 +106,7 @@ jobs:
          AUDIT_WORKFLOW_PATH: '.gitea/workflows/audit-force-merge.yml'
          # Path to the CI workflow with the sentinel + the jobs.
          CI_WORKFLOW_PATH: '.gitea/workflows/ci.yml'
-          # Issue label applied on file/update. `tier:high` exists in
+          # Issue label applied on file/update. `ci-bp-drift` exists in
          # the molecule-core label set (verified 2026-05-11, label id 9).
-          DRIFT_LABEL: 'tier:high'
+          DRIFT_LABEL: 'ci-bp-drift'
        run: python3 .gitea/scripts/ci-required-drift.py
@@ -148,6 +148,11 @@ jobs:
        run: $(go env GOPATH)/bin/golangci-lint run --timeout 3m ./...
      - if: ${{ needs.changes.outputs.platform == 'true' }}
        name: Diagnostic — per-package verbose 60s
+        # DIAGNOSTIC ONLY (continue-on-error below): this step exists to dump
+        # verbose per-package output for triage, NOT to gate. The blocking gate
+        # is "Run tests with coverage (blocking gate)" immediately below. The
+        # `set +e` / swallowed exits here are intentional — do not "fix" them
+        # like a gate; the real gate is the next step.
        run: |
          set +e
          go test -race -v -timeout 60s ./internal/handlers/... 2>&1 | tee /tmp/test-handlers.log
@@ -309,6 +314,11 @@ jobs:
        # #1815 — wires coverage into CI so we get a baseline visible on
        # every PR. No threshold gate yet; thresholds dial in (Step 3, also
        # tracked in #1815) after the team sees what current coverage is.
+        # Memory: the full vitest+v8-coverage process tree peaks at ~1.33 GB
+        # (measured 2026-06-08), comfortably within the runner — so this single
+        # run is BOTH the pass/fail gate and the coverage artifact (one SSOT, no
+        # split). The earlier intermittent red here was a DisplayTab paste-race
+        # (fixed in this PR), NOT a coverage OOM.
        run: npx vitest run --coverage
      - name: Upload coverage summary as artifact
        if: ${{ needs.changes.outputs.canvas == 'true' }}
@@ -499,7 +509,7 @@ jobs:
    # `CI / all-required (pull_request)` per issue #1473.
    #
    # Closes the failure mode where status_check_contexts on molecule-core/main
-    # only listed `Secret scan` + `sop-tier-check` (the 2 meta-gates), so real
+    # only listed `Secret scan` + `sop-checklist` (the 2 meta-gates), so real
    # `Platform (Go)` / `Canvas (Next.js)` / `Python Lint & Test` / `Shellcheck`
    # red silently merged through. See internal#286 for the three concrete
    # tonight-of-2026-05-11 incidents that prompted the emergency bump.
@@ -429,6 +429,9 @@ jobs:
        # round-trip is covered by the priority-runtimes `mock` arm, not here.
        if: needs.detect-changes.outputs.api == 'true'
        run: bash tests/e2e/test_keyless_feature_contracts_e2e.sh
+      - name: Run user_tasks E2E (REST + MCP — agent→user action requests)
+        if: needs.detect-changes.outputs.api == 'true'
+        run: bash tests/e2e/test_user_tasks_e2e.sh
      - name: Run secrets-dispatch contract test (keyless SECRETS_JSON branch order)
        # Previously orphaned (no workflow referenced it). Hermetic unit-style
        # contract over test_staging_full_saas.sh's LLM-key branch precedence —
@@ -54,6 +54,13 @@ on:
      - 'tests/e2e/lib/model_slug.sh'
      - 'tests/e2e/lib/aws_leak_check.sh'
      - 'tests/e2e/test_aws_leak_check.sh'
+      - 'tests/e2e/test_staging_concierge_e2e.sh'
+      - 'tests/e2e/test_staging_concierge_creates_workspace_e2e.sh'
+      - 'workspace-server/internal/staginge2e/**'
+      - 'workspace-server/internal/handlers/platform_agent.go'
+      - 'workspace-server/internal/handlers/user_tasks.go'
+      - 'workspace-server/internal/handlers/llm_billing_mode_handler.go'
+      - 'workspace-server/internal/handlers/discovery.go'
      - '.gitea/workflows/e2e-staging-saas.yml'
  pull_request:
    branches: [main]
@@ -69,6 +76,13 @@ on:
      - 'tests/e2e/lib/model_slug.sh'
      - 'tests/e2e/lib/aws_leak_check.sh'
      - 'tests/e2e/test_aws_leak_check.sh'
+      - 'tests/e2e/test_staging_concierge_e2e.sh'
+      - 'tests/e2e/test_staging_concierge_creates_workspace_e2e.sh'
+      - 'workspace-server/internal/staginge2e/**'
+      - 'workspace-server/internal/handlers/platform_agent.go'
+      - 'workspace-server/internal/handlers/user_tasks.go'
+      - 'workspace-server/internal/handlers/llm_billing_mode_handler.go'
+      - 'workspace-server/internal/handlers/discovery.go'
      - '.gitea/workflows/e2e-staging-saas.yml'
  workflow_dispatch:
  schedule:
@@ -496,3 +510,341 @@ jobs:
            echo "::warning::platform-boot teardown left ${#leaks[@]} leak(s): ${leaks[*]}"
          fi
          exit 0
+
+  # ── CONCIERGE user_tasks PRIMITIVE (Feature 3) — real-staging REST+MCP+authz ──
+  #
+  # Drives tests/e2e/test_staging_concierge_e2e.sh against a fresh throwaway
+  # tenant: the full agent→user "ask" contract over BOTH surfaces (REST +
+  # the MCP tools/call envelope a canvas concierge agent uses) PLUS the
+  # cross-workspace authz scoping (ws-B can't touch ws-A's task). Reuses the
+  # same CP-admin org-provision/teardown scaffolding + _lib.sh + AWS-leak-check
+  # lib as the full-SaaS harness (the script SOURCEs them — no duplication).
+  #
+  # GATING (no continue-on-error): user_tasks is a pure DB/handler primitive
+  # with NO LLM container dependency (workspaces are created 'external' — row
+  # only, no EC2), so this is fast (~provision + TLS, no 10-min cold boot) and
+  # NOT subject to the cp#245 boot-timeout flake the full-SaaS job carries. It
+  # therefore has no honest reason to be masked. Runs on push-to-main /
+  # workflow_dispatch / cron only (needs live staging infra — never on PR, where
+  # the pr-validate job above already posts the workflow's PR status).
+  # bp-required: pending #2430
+  e2e-staging-concierge-user-tasks:
+    name: E2E Staging Concierge user_tasks
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
+    timeout-minutes: 30
+    permissions:
+      contents: read
+    env:
+      MOLECULE_CP_URL: https://staging-api.moleculesai.app
+      MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      AWS_DEFAULT_REGION: us-east-2
+      E2E_AWS_LEAK_CHECK: required
+      E2E_AWS_TERMINATE_LEAKS: '1'
+      E2E_RUN_ID: "${{ github.run_id }}-${{ github.run_attempt }}"
+      E2E_KEEP_ORG: ${{ github.event.inputs.keep_org && '1' || '0' }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: "3.11"
+
+      - name: Verify admin token + AWS creds present
+        run: |
+          if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
+            echo "::error::CP_STAGING_ADMIN_API_TOKEN secret not set (Railway staging CP_ADMIN_API_TOKEN)"
+            exit 2
+          fi
+          for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do
+            if [ -z "${!var:-}" ]; then
+              echo "::error::$var not set — EC2 leak verification cannot run"
+              exit 2
+            fi
+          done
+          echo "Admin token + AWS creds present ✓"
+
+      - name: CP staging health preflight
+        run: |
+          code=$(curl -sS -o /dev/null -w "%{http_code}" --max-time 10 "$MOLECULE_CP_URL/health")
+          if [ "$code" != "200" ]; then
+            echo "::error::Staging CP unhealthy (got HTTP $code). Skipping — not a workspace bug."
+            exit 1
+          fi
+          echo "Staging CP healthy ✓"
+
+      - name: Run concierge user_tasks E2E
+        run: bash tests/e2e/test_staging_concierge_e2e.sh
+
+      - name: Teardown safety net (runs on cancel/failure)
+        if: always()
+        env:
+          ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
+        run: |
+          # Sweep any e2e-cncrg-YYYYMMDD-<run_id>-* org this run created if the
+          # script died before its EXIT trap fired. Run-id scoped so it never
+          # stomps a concurrent run's fresh tenant (see the saas job's note).
+          set +e
+          orgs=$(curl -sS "$MOLECULE_CP_URL/cp/admin/orgs" \
+            -H "Authorization: Bearer $ADMIN_TOKEN" 2>/dev/null \
+            | python3 -c "
+          import json, sys, os, datetime
+          run_id = os.environ.get('GITHUB_RUN_ID', '')
+          d = json.load(sys.stdin)
+          today = datetime.date.today()
+          yesterday = today - datetime.timedelta(days=1)
+          dates = (today.strftime('%Y%m%d'), yesterday.strftime('%Y%m%d'))
+          if run_id:
+              prefixes = tuple(f'e2e-cncrg-{d}-{run_id}-' for d in dates)
+          else:
+              prefixes = tuple(f'e2e-cncrg-{d}-' for d in dates)
+          candidates = [o['slug'] for o in d.get('orgs', [])
+                        if any(o.get('slug','').startswith(p) for p in prefixes)
+                        and o.get('instance_status') not in ('purged',)]
+          print('\n'.join(candidates))
+          " 2>/dev/null)
+          leaks=()
+          for slug in $orgs; do
+            echo "Safety-net teardown: $slug"
+            set +e
+            curl -sS -o /tmp/cncrg-cleanup.out -w "%{http_code}" \
+              -X DELETE "$MOLECULE_CP_URL/cp/admin/tenants/$slug" \
+              -H "Authorization: Bearer $ADMIN_TOKEN" \
+              -H "Content-Type: application/json" \
+              -d "{\"confirm\":\"$slug\"}" >/tmp/cncrg-cleanup.code
+            set -e
+            code=$(cat /tmp/cncrg-cleanup.code 2>/dev/null || echo "000")
+            if [ "$code" = "200" ] || [ "$code" = "204" ]; then
+              echo "[teardown] deleted $slug (HTTP $code)"
+            else
+              echo "::warning::concierge teardown for $slug returned HTTP $code — sweep-stale-e2e-orgs will catch it within ~45 min. Body: $(head -c 300 /tmp/cncrg-cleanup.out 2>/dev/null)"
+              leaks+=("$slug")
+            fi
+          done
+          if [ ${#leaks[@]} -gt 0 ]; then
+            echo "::warning::concierge teardown left ${#leaks[@]} leak(s): ${leaks[*]}"
+          fi
+          exit 0
+
+  # ── CONCIERGE FUNCTIONAL: it ACTUALLY CREATES A WORKSPACE (real-LLM) ─────────
+  #
+  # Drives tests/e2e/test_staging_concierge_creates_workspace_e2e.sh — the
+  # RFC docs/design/rfc-platform-agent.md §11.4 "Reach" check turned into a gate:
+  # send the org concierge a natural-language A2A message ("create a workspace
+  # named e2e-cncrg-worker-<runid> with role engineer") and assert the
+  # DETERMINISTIC SIDE EFFECT — that named workspace now EXISTS in GET /workspaces
+  # — which can only happen if the concierge's LLM really invoked the
+  # create_workspace platform-MCP tool (a real org mutation), NOT just that a REST
+  # API returned 200.
+  #
+  # GATING (no continue-on-error), but FALSE-GREEN-PROOF via E2E_REQUIRE_LIVE=1:
+  # this is a REAL-LLM, REAL-tool test, so it depends on the concierge being
+  # provisioned on the DEDICATED platform-agent image (Dockerfile.platform-agent,
+  # ships /opt/molecule-mcp-server — the ONLY image where create_workspace lights
+  # up; see platform_agent.go's SELF-HOST CAVEAT). A parallel agent is wiring that
+  # image into the staging provision path. The script SKIPs LOUD when the
+  # concierge is absent / not online / not on the platform-agent image — but with
+  # E2E_REQUIRE_LIVE=1 the harness converts that skip into a HARD FAIL (exit 5) so
+  # a silently-missing platform-agent image can NEVER false-green this gate. Runs
+  # on push-to-main / workflow_dispatch / cron only (needs live staging infra +
+  # a model — never on PR, where pr-validate posts the workflow's PR status).
+  # bp-required: pending #2430
+  e2e-staging-concierge-creates-workspace:
+    name: E2E Staging Concierge Creates Workspace
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
+    timeout-minutes: 45
+    permissions:
+      contents: read
+    env:
+      MOLECULE_CP_URL: https://staging-api.moleculesai.app
+      MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      AWS_DEFAULT_REGION: us-east-2
+      E2E_AWS_LEAK_CHECK: required
+      E2E_AWS_TERMINATE_LEAKS: '1'
+      # The concierge is platform_managed on SaaS (the CP-exported LLM proxy
+      # supplies its model — no BYOK key needed for the concierge itself). The
+      # MiniMax key is wired anyway so a staging image that boots the concierge
+      # BYOK-MiniMax (parallel-agent image work) still has a model; harmless when
+      # the concierge is platform-managed.
+      E2E_MINIMAX_API_KEY: ${{ secrets.MOLECULE_STAGING_MINIMAX_API_KEY }}
+      # False-green guard: a concierge that is absent / not on the platform-agent
+      # image / never online must FAIL this gate (exit 5), not silently skip.
+      E2E_REQUIRE_LIVE: '1'
+      E2E_RUN_ID: "${{ github.run_id }}-${{ github.run_attempt }}"
+      E2E_KEEP_ORG: ${{ github.event.inputs.keep_org && '1' || '0' }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: "3.11"
+
+      - name: Verify admin token + AWS creds present
+        run: |
+          if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
+            echo "::error::CP_STAGING_ADMIN_API_TOKEN secret not set (Railway staging CP_ADMIN_API_TOKEN)"
+            exit 2
+          fi
+          for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do
+            if [ -z "${!var:-}" ]; then
+              echo "::error::$var not set — EC2 leak verification cannot run"
+              exit 2
+            fi
+          done
+          echo "Admin token + AWS creds present ✓"
+
+      - name: CP staging health preflight
+        run: |
+          code=$(curl -sS -o /dev/null -w "%{http_code}" --max-time 10 "$MOLECULE_CP_URL/health")
+          if [ "$code" != "200" ]; then
+            echo "::error::Staging CP unhealthy (got HTTP $code). Skipping — not a workspace bug."
+            exit 1
+          fi
+          echo "Staging CP healthy ✓"
+
+      - name: Run concierge-creates-workspace functional E2E
+        run: bash tests/e2e/test_staging_concierge_creates_workspace_e2e.sh
+
+      - name: Teardown safety net (runs on cancel/failure)
+        if: always()
+        env:
+          ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
+        run: |
+          # Sweep any e2e-cncrg-mk-YYYYMMDD-<run_id>-* org this run created if the
+          # script died before its EXIT trap fired. Run-id scoped so it never
+          # stomps a concurrent run's fresh tenant.
+          set +e
+          orgs=$(curl -sS "$MOLECULE_CP_URL/cp/admin/orgs" \
+            -H "Authorization: Bearer $ADMIN_TOKEN" 2>/dev/null \
+            | python3 -c "
+          import json, sys, os, datetime
+          run_id = os.environ.get('GITHUB_RUN_ID', '')
+          d = json.load(sys.stdin)
+          today = datetime.date.today()
+          yesterday = today - datetime.timedelta(days=1)
+          dates = (today.strftime('%Y%m%d'), yesterday.strftime('%Y%m%d'))
+          if run_id:
+              prefixes = tuple(f'e2e-cncrg-mk-{d}-{run_id}-' for d in dates)
+          else:
+              prefixes = tuple(f'e2e-cncrg-mk-{d}-' for d in dates)
+          candidates = [o['slug'] for o in d.get('orgs', [])
+                        if any(o.get('slug','').startswith(p) for p in prefixes)
+                        and o.get('instance_status') not in ('purged',)]
+          print('\n'.join(candidates))
+          " 2>/dev/null)
+          leaks=()
+          for slug in $orgs; do
+            echo "Safety-net teardown: $slug"
+            set +e
+            curl -sS -o /tmp/cncrg-mk-cleanup.out -w "%{http_code}" \
+              -X DELETE "$MOLECULE_CP_URL/cp/admin/tenants/$slug" \
+              -H "Authorization: Bearer $ADMIN_TOKEN" \
+              -H "Content-Type: application/json" \
+              -d "{\"confirm\":\"$slug\"}" >/tmp/cncrg-mk-cleanup.code
+            set -e
+            code=$(cat /tmp/cncrg-mk-cleanup.code 2>/dev/null || echo "000")
+            if [ "$code" = "200" ] || [ "$code" = "204" ]; then
+              echo "[teardown] deleted $slug (HTTP $code)"
+            else
+              echo "::warning::concierge-mk teardown for $slug returned HTTP $code — sweep-stale-e2e-orgs will catch it within ~45 min. Body: $(head -c 300 /tmp/cncrg-mk-cleanup.out 2>/dev/null)"
+              leaks+=("$slug")
+            fi
+          done
+          if [ ${#leaks[@]} -gt 0 ]; then
+            echo "::warning::concierge-mk teardown left ${#leaks[@]} leak(s): ${leaks[*]}"
+          fi
+          exit 0
+
+  # ── CONCIERGE / PLATFORM-AGENT Go staginge2e (Features 1,2,4,5,6) ────────────
+  #
+  # Drives TestConciergePlatformAgent_Staging (workspace-server/internal/
+  # staginge2e/concierge_platform_test.go), which REUSES the lifecycle suite's
+  # harness (requireStagingEnv / adminCreateOrg / tenantAdminToken /
+  # tenantCreateWorkspace / doTenantJSON / jsonField) to assert, against a real
+  # tenant: platform-agent install + /org/identity (1), kind on the workspace
+  # API (2), discovery peers admin-auth regression guard (4), BYOK billing-mode
+  # round-trip (5), and the concierge config-tab auth sweep (6). It asserts
+  # OBSERVABLE state (sole root re-parenting, kind discriminator, resolved_mode,
+  # non-401 tabs) — not just HTTP 200.
+  #
+  # Two jobs, mirroring e2e-workspace-lifecycle.yml's honest pattern:
+  #   • concierge-compile-skip (every push/PR/dispatch): proves the staginge2e
+  #     suite still COMPILES under -tags=staging_e2e and SKIPs LOUD without
+  #     creds. GATING (no mask) — a broken test file fails at PR time.
+  #   • concierge-staging (push-to-main/dispatch/cron): the real live run with
+  #     staging creds + t.Cleanup teardown.
+  # bp-exempt: PR-time compile-only check (build the concierge e2e test, then
+  # skip execution — no staging creds on PR). pr-validate posts the workflow's
+  # PR status; this job is not itself a branch-protection gate.
+  e2e-staging-concierge-compile-skip:
+    name: E2E Staging Concierge (compile+skip)
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version: 'stable'
+          cache: true
+          cache-dependency-path: workspace-server/go.sum
+      - name: go vet (staging_e2e tag)
+        working-directory: workspace-server
+        run: go vet -tags staging_e2e ./internal/staginge2e/...
+      - name: Compile + skip-run (must SKIP LOUD without STAGING_E2E)
+        working-directory: workspace-server
+        run: |
+          # No STAGING_E2E / creds → the suite MUST skip (not pass-with-zero-
+          # assertions). go test exit 0 with a SKIP line is the contract.
+          out=$(go test -tags staging_e2e ./internal/staginge2e/ -run TestConciergePlatformAgent -count=1 -v 2>&1)
+          echo "$out"
+          echo "$out" | grep -q "SKIP: TestConciergePlatformAgent_Staging" \
+            || { echo "::error::expected a LOUD skip of TestConciergePlatformAgent_Staging without creds"; exit 1; }
+
+  # bp-required: pending #2430
+  e2e-staging-concierge-platform:
+    name: E2E Staging Concierge Platform Agent
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
+    timeout-minutes: 40
+    permissions:
+      contents: read
+    env:
+      CP_BASE_URL: https://staging-api.moleculesai.app
+      CP_ADMIN_API_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
+      STAGING_E2E: '1'
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version: 'stable'
+          cache: true
+          cache-dependency-path: workspace-server/go.sum
+      - name: Verify admin token present
+        run: |
+          if [ -z "$CP_ADMIN_API_TOKEN" ]; then
+            echo "::error::CP_STAGING_ADMIN_API_TOKEN secret not set (Railway staging CP_ADMIN_API_TOKEN)"
+            exit 2
+          fi
+          echo "Admin token present"
+      - name: CP staging health preflight
+        run: |
+          code=$(curl -sS -o /dev/null -w "%{http_code}" --max-time 10 "$CP_BASE_URL/health")
+          if [ "$code" != "200" ]; then
+            echo "::error::Staging CP unhealthy (HTTP $code) — infra, not a concierge bug."
+            exit 1
+          fi
+          echo "Staging CP healthy"
+      - name: Run concierge/platform-agent staginge2e
+        working-directory: workspace-server
+        run: go test -tags staging_e2e ./internal/staginge2e/ -run TestConciergePlatformAgent_Staging -count=1 -v -timeout 35m
+      # Teardown: the test installs a t.Cleanup admin-DELETE of its own tenant
+      # (e2e-cncrg-* slug), running even on a t.Fatal. The age-guarded
+      # sweep-stale-e2e-orgs workflow (30-min floor, e2e- prefix) is the final
+      # net for a tenant orphaned by a hard runner cancel.
@@ -82,7 +82,7 @@ jobs:
      - name: Run gate-check-v3 (single PR mode)
        if: github.event_name == 'pull_request_target' || github.event.inputs.pr_number != ''
        env:
-          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.SOP_CHECKLIST_GATE_TOKEN || secrets.GITHUB_TOKEN }}
          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
          PR_NUMBER: ${{ github.event.pull_request.number || github.event.inputs.pr_number }}
          POST_COMMENT: ${{ github.event.inputs.post_comment || 'true' }}
@@ -97,7 +97,7 @@ jobs:
      - name: Run gate-check-v3 (all open PRs — cron mode)
        if: github.event_name == 'schedule'
        env:
-          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.SOP_CHECKLIST_GATE_TOKEN || secrets.GITHUB_TOKEN }}
          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
          REPO: ${{ github.repository }}
        run: |
@@ -73,7 +73,7 @@ jobs:
          # NOTE: REQUIRED_CONTEXTS is no longer the authoritative PR gate. The
          # queue now reads the required status contexts from BRANCH PROTECTION
          # (status_check_contexts) so non-required governance reds (qa-review,
-          # security-review, sop-tier, sop-checklist when not branch-required,
+          # security-review, sop-checklist when not branch-required,
          # E2E Chat, Staging SaaS, ci-arm64-advisory) cannot block a merge.
          # If branch protection cannot be enumerated the queue HOLDS
          # (fail-closed). REQUIRED_APPROVALS below is only a fallback used when
@@ -244,7 +244,12 @@ jobs:
          # fail if any didn't land — that would be a real regression we
          # want loud.
          # workspace_schedules added for the #2149 scheduler integration tests.
-          for tbl in delegations workspaces activity_logs pending_uploads workspace_schedules; do
+          # workspace_auth_tokens + org_api_tokens added for the #2156
+          # registry-auth TestIntegration_ suite (#2148). Without this
+          # guard, a silently-skipped migration 020 (workspace_auth_tokens)
+          # or 035 (org_api_tokens) would let the auth tests run against
+          # missing tables and falsely green.
+          for tbl in delegations workspaces activity_logs pending_uploads workspace_schedules workspace_auth_tokens org_api_tokens; do
            if ! psql -h "${PG_HOST}" -U postgres -d molecule -tA \
                -c "SELECT 1 FROM information_schema.tables WHERE table_name = '$tbl'" \
                | grep -q 1; then
@@ -285,6 +290,33 @@ jobs:
          # / workspaces all landed by the migration replay step above).
          go test -tags=integration -timeout 5m -v ./internal/scheduler/ -run "^TestIntegration_"

+      - if: needs.detect-changes.outputs.handlers == 'true'
+        name: Migration replay-from-scratch gate (#2150)
+        env:
+          PGPASSWORD: test
+        run: |
+          # Issue #2150 (SOP internal#765): prove the FULL forward migration
+          # chain (.up + legacy .sql) replays from a blank schema via the
+          # PRODUCTION db.RunMigrations entrypoint — hard-fail on any error.
+          #
+          # This is the gap the psql apply loop above does NOT cover: that
+          # loop deliberately SKIPS failing migrations (`⊘ skipped`), so it
+          # stays green even if the chain stops replaying. The Go test below
+          # uses the real boot-time runner with hard-fail semantics, catching
+          # the #211 .down-wipe class and the 045 non-idempotent crash-loop
+          # class (it runs the chain twice).
+          #
+          # Run against a SEPARATE database so the destructive
+          # `DROP SCHEMA public CASCADE` inside the test never touches the
+          # `molecule` DB the handlers integration tests above migrated. No
+          # ordering coupling with the handlers step.
+          createdb -h "${PG_HOST}" -U postgres molecule_replay 2>/dev/null || \
+            psql -h "${PG_HOST}" -U postgres -d molecule \
+              -c "CREATE DATABASE molecule_replay" >/dev/null 2>&1 || true
+          INTEGRATION_DB_URL="postgres://postgres:test@${PG_HOST}:5432/molecule_replay?sslmode=disable" \
+            go test -tags=integration -timeout 5m -v ./internal/db/ \
+              -run '^TestIntegration_Migration|^TestIntegration_InitPostgres'
+
      - if: failure() && needs.detect-changes.outputs.handlers == 'true'
        name: Diagnostic dump on failure
        env:
@@ -19,7 +19,7 @@
 # Forward-compat scope:
 #   Today (2026-05-11) molecule-core/main protects 3 contexts:
 #     - "Secret scan / Scan diff for credential-shaped strings (pull_request)"
-#     - "sop-tier-check / tier-check (pull_request)"
+#     - "sop-checklist / all-items-acked (pull_request)"
 #     - "CI / all-required (pull_request)"
 #   Per RFC#324 Step 2 the required-list expands to ~5 contexts
 #   (qa-review, security-review added). Each new required context's
@@ -16,7 +16,7 @@ name: Lint workflow YAML (Gitea-1.22.6-hostile shapes)
 #
 # Empirical history this hardens against:
 #   - status-reaper rev1 caught rule-4 (name-collision) class
-#   - sop-tier-refire DOA'd on rule-2 (workflow_run partial)
+#   - sop-checklist DOA'd on rule-2 (workflow_run partial)
 #   - #319 bootstrap-paradox (chained-defect class, related)
 #   - internal#329 dispatcher race (adjacent)
 #   - 2026-05-11 publish-runtime: rule-1, 24h PyPI freeze
@@ -0,0 +1,473 @@
+name: Local Provision Lifecycle E2E
+
+# MANDATORY coverage for the LOCAL Docker provisioner (MOLECULE_ENV=development,
+# docker.sock) — the path self-hosters + dev runs use. Every OTHER e2e exercises
+# the SaaS/EC2 (control-plane) provisioner; nothing mandatory drove the local
+# Docker path, which is why a config-volume restart-survival bug went undetected.
+# This workflow provisions a REAL workspace via the local Docker provisioner and
+# asserts the full lifecycle, INCLUDING the restart-survival assertion.
+#
+# Two jobs:
+#   * lifecycle-stub  (REQUIRED gate) — builds the tiny stub runtime image, tags
+#     it to the provisioner's RegistryModeLocal cache tag, and runs the full
+#     lifecycle e2e (provision -> online -> restart-survive -> proxy-reach). Fast
+#     (seconds of agent boot, no LLM, no 2.5GB image).
+#   * lifecycle-real  (ADVISORY, continue-on-error) — runs the SAME script against
+#     the real claude-code template image with a REAL MiniMax BYOK credential
+#     (LIFECYCLE_LLM=minimax). The proxy-reach step asserts an ACTUAL model reply
+#     (real round-trip through the ws-<id>:8000 proxy), not just reachability.
+#     MiniMax is the cheapest LLM the platform offers, and its `minimax` provider
+#     dials api.minimax.io directly (no CP proxy needed on this local stack).
+#     Heavy + network-dependent (pulls/builds the template + a real LLM call), so
+#     it is non-blocking. Needs the MOLECULE_STAGING_MINIMAX_API_KEY CI secret:
+#     when ABSENT the script SKIPS loud (exit 0) — it never reds on a missing
+#     secret (serving-e2e skip-if-absent pattern).
+#
+# SUBSTRATE REQUIREMENT (read before wiring into branch protection)
+# -----------------------------------------------------------------
+# This workflow provisions SIBLING docker containers from a HOST Go binary via
+# the runner's docker.sock — exactly like e2e-api.yml, which already provisions
+# the `mock` + `priority-runtimes` arms on `docker-host`. So the docker-in-runner
+# capability IS available on the molecule-runner-* (docker-host) lane. If the
+# operator ever moves these to a runner WITHOUT docker.sock access for the
+# platform binary, this lane will red — keep it on `docker-host`.
+#
+# Both jobs pin `runs-on: docker-host` (Linux operator-host runners with the
+# molecule-core-net bridge + a working docker.sock). The bare `ubuntu-latest`
+# label is also advertised by the Windows act_runner, where docker.sock-bound
+# steps fail non-deterministically — see lint-required-workflows-docker-host-
+# pinned.yml + internal#512.
+
+on:
+  push:
+    branches: [main, staging]
+  pull_request:
+    branches: [main, staging]
+
+concurrency:
+  # Per-SHA grouping (mirrors e2e-api.yml). cancel-in-progress:false so a queued
+  # run for an older SHA isn't cancelled by a newer push (auto-promote brittleness).
+  group: local-provision-e2e-${{ github.event.pull_request.head.sha || github.sha }}
+  cancel-in-progress: false
+
+env:
+  GITHUB_SERVER_URL: https://git.moleculesai.app
+
+jobs:
+  # ===========================================================================
+  # REQUIRED gate — stub runtime, fast. This IS meant to be a required merge gate
+  # (the only mandatory coverage for the LOCAL Docker provisioner), but the new
+  # context is not yet in branch_protections/main — wire it in once the operator
+  # confirms the docker-host runners reliably provision sibling containers from
+  # the host platform binary for this lane (see SUBSTRATE REQUIREMENT above), then
+  # flip the directive below to `# bp-required: yes`. Until then it runs gating
+  # locally (continue-on-error: false) but un-wired in BP, an acknowledged
+  # asymmetry tracked for follow-up. (Earlier this block read `# bp-exempt`, which
+  # contradicted "REQUIRED gate" and tripped lint-required-context-exists-in-bp.)
+  # bp-required: pending #2409
+  # ===========================================================================
+  lifecycle-stub:
+    name: Local Provision Lifecycle E2E (stub)
+    runs-on: docker-host
+    continue-on-error: false
+    timeout-minutes: 15
+    env:
+      PG_CONTAINER: pg-lpe2e-${{ github.run_id }}-${{ github.run_attempt }}
+      REDIS_CONTAINER: redis-lpe2e-${{ github.run_id }}-${{ github.run_attempt }}
+      # Hard-code dev mode at the job level so the platform server ALWAYS sees it,
+      # even if the runner's $GITHUB_ENV propagation is flaky (#2468 RCA).
+      MOLECULE_ENV: development
+      SECRETS_ENCRYPTION_KEY: lpe2e-test-encryption-key-32bytes!!
+      # act_runner runs the job inside a Docker container, so /.dockerenv exists
+      # and the platform auto-detects platformInDocker=true. But the job container
+      # is NOT on molecule-core-net, so it cannot resolve workspace container
+      # hostnames (ws-<id>:8000). Force false so the proxy keeps using the
+      # host-mapped 127.0.0.1:<ephemeral_port> URL, which IS reachable.
+      MOLECULE_IN_DOCKER: false
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version: 'stable'
+          cache: true
+          cache-dependency-path: workspace-server/go.sum
+
+      - name: Ensure provisioner network + pre-pull alpine
+        run: |
+          # The local provisioner attaches workspace containers to
+          # molecule-core-net and seeds /configs via an alpine helper; the
+          # lifecycle script also uses alpine to seed config.yaml into the
+          # named config volume. Pre-pull + ensure the bridge (idempotent).
+          docker pull alpine:3 >/dev/null
+          docker network create molecule-core-net >/dev/null 2>&1 || true
+          echo "alpine:3 pre-pulled; molecule-core-net ensured."
+
+      - name: Start Postgres (docker, ephemeral host port)
+        run: |
+          docker rm -f "$PG_CONTAINER" 2>/dev/null || true
+          docker run -d --name "$PG_CONTAINER" \
+            -e POSTGRES_USER=dev -e POSTGRES_PASSWORD=dev -e POSTGRES_DB=molecule \
+            -p 0:5432 postgres:16 >/dev/null
+          PG_PORT=$(docker port "$PG_CONTAINER" 5432/tcp | awk -F: '/^0\.0\.0\.0:/ {print $2; exit}')
+          [ -z "$PG_PORT" ] && PG_PORT=$(docker port "$PG_CONTAINER" 5432/tcp | head -1 | awk -F: '{print $NF}')
+          if [ -z "$PG_PORT" ]; then echo "::error::no host port for $PG_CONTAINER"; docker logs "$PG_CONTAINER" || true; exit 1; fi
+          echo "DATABASE_URL=postgres://dev:dev@127.0.0.1:${PG_PORT}/molecule?sslmode=disable" >> "$GITHUB_ENV"
+          for i in $(seq 1 30); do
+            docker exec "$PG_CONTAINER" pg_isready -U dev >/dev/null 2>&1 && { echo "pg ready ${i}s"; exit 0; }
+            sleep 1
+          done
+          echo "::error::Postgres not ready in 30s"; docker logs "$PG_CONTAINER" || true; exit 1
+
+      - name: Start Redis (docker, ephemeral host port)
+        run: |
+          docker rm -f "$REDIS_CONTAINER" 2>/dev/null || true
+          docker run -d --name "$REDIS_CONTAINER" -p 0:6379 redis:7 >/dev/null
+          REDIS_PORT=$(docker port "$REDIS_CONTAINER" 6379/tcp | awk -F: '/^0\.0\.0\.0:/ {print $2; exit}')
+          [ -z "$REDIS_PORT" ] && REDIS_PORT=$(docker port "$REDIS_CONTAINER" 6379/tcp | head -1 | awk -F: '{print $NF}')
+          if [ -z "$REDIS_PORT" ]; then echo "::error::no host port for $REDIS_CONTAINER"; docker logs "$REDIS_CONTAINER" || true; exit 1; fi
+          echo "REDIS_URL=redis://127.0.0.1:${REDIS_PORT}" >> "$GITHUB_ENV"
+          for i in $(seq 1 15); do
+            docker exec "$REDIS_CONTAINER" redis-cli ping 2>/dev/null | grep -q PONG && { echo "redis ready ${i}s"; exit 0; }
+            sleep 1
+          done
+          echo "::error::Redis not ready in 15s"; docker logs "$REDIS_CONTAINER" || true; exit 1
+
+      - name: Configure platform env (admin token + local Docker provisioner)
+        run: |
+          # Allocate an unused ephemeral port to avoid collision with concurrent
+          # jobs or stale processes from prior cancelled runs (see #2450).
+          PORT=$(python3 -c "import socket; s=socket.socket(); s.bind(('', 0)); print(s.getsockname()[1]); s.close()")
+          echo "PORT=${PORT}" >> "$GITHUB_ENV"
+          echo "BASE=http://127.0.0.1:${PORT}" >> "$GITHUB_ENV"
+          # Discover an IP that Docker containers can use to reach the host platform.
+          # host.docker.internal is not reliably available on Linux (act_runner), so
+          # workspace containers cannot resolve it and fail to register/heartbeat.
+          # Workspace containers join molecule-core-net; the host is reachable via that
+          # network's gateway. Ensure the network exists first (the provisioner creates
+          # it lazily, but we need the gateway BEFORE starting the platform).
+          docker network inspect molecule-core-net >/dev/null 2>&1 || docker network create molecule-core-net >/dev/null
+          # Parse Gateway from raw JSON because --format '{{.IPAM.Config}}' is
+          # inconsistent across Docker versions (sometimes omits Gateway field).
+          PLATFORM_HOST_IP=$(docker network inspect molecule-core-net 2>/dev/null | sed -n 's/.*"Gateway": "\([^"]*\)".*/\1/p' | head -1)
+          if [ -z "$PLATFORM_HOST_IP" ]; then
+            PLATFORM_HOST_IP=$(docker network inspect bridge 2>/dev/null | sed -n 's/.*"Gateway": "\([^"]*\)".*/\1/p' | head -1)
+          fi
+          if [ -z "$PLATFORM_HOST_IP" ]; then
+            PLATFORM_HOST_IP=$(ip route | awk '/default/ {print $3}' | head -1 || true)
+          fi
+          if [ -z "$PLATFORM_HOST_IP" ]; then
+            echo "::error::Could not determine PLATFORM_HOST_IP for Docker containers to reach the platform"
+            exit 1
+          fi
+          echo "PLATFORM_HOST_IP=${PLATFORM_HOST_IP}"
+          echo "PLATFORM_URL=http://${PLATFORM_HOST_IP}:${PORT}" >> "$GITHUB_ENV"
+          # Deterministic admin token: the script sends MOLECULE_ADMIN_TOKEN as the
+          # bearer; the platform checks ADMIN_TOKEN. Set both to the same value.
+          T="lpe2e-admin-${{ github.run_id }}-${{ github.run_attempt }}"
+          echo "ADMIN_TOKEN=${T}" >> "$GITHUB_ENV"
+          echo "MOLECULE_ADMIN_TOKEN=${T}" >> "$GITHUB_ENV"
+          # MOLECULE_ENV=development: dev posture. MOLECULE_ORG_ID is left UNSET so
+          # main.go wires the LOCAL Docker provisioner (not the CP provisioner), and
+          # MOLECULE_IMAGE_REGISTRY is left UNSET so image resolution uses
+          # RegistryModeLocal (the dockerHasTag cache-check the stub pre-tags into).
+          echo "MOLECULE_ENV=development" >> "$GITHUB_ENV"
+          echo "SECRETS_ENCRYPTION_KEY=lpe2e-test-encryption-key-32bytes!!" >> "$GITHUB_ENV"
+
+      - name: Build platform
+        working-directory: workspace-server
+        run: go build -o platform-server ./cmd/server
+
+      - name: Kill stale platform-server before start (issue #1046)
+        run: |
+          # Dynamic port allocation (see #2450) eliminates the fixed-port race
+          # that caused this gate to red when a prior run left a zombie process.
+          # We still sweep by process name to avoid leaking platform-server
+          # processes on the shared runner.
+          killed=0
+          for pid in $(grep -l "platform-serve" /proc/[0-9]*/comm 2>/dev/null); do
+            kpid="${pid%/comm}"; kpid="${kpid##*/}"
+            cmdline=$(cat "/proc/${kpid}/cmdline" 2>/dev/null | tr '\0' ' ')
+            if echo "$cmdline" | grep -q "platform-server"; then
+              echo "Killing stale platform-server pid ${kpid}: ${cmdline}"
+              kill "$kpid" 2>/dev/null || true
+              killed=$((killed + 1))
+            fi
+          done
+          if [ "$killed" -gt 0 ]; then echo "Killed $killed stale platform-server process(es)."; else echo "No platform-server-named process found."; fi
+          sleep 1
+
+      - name: Start platform (background)
+        working-directory: workspace-server
+        run: |
+          # Bind to the dynamically allocated port (see #2450).
+          # DATABASE_URL/REDIS_URL/ADMIN_TOKEN/MOLECULE_ENV are inherited from
+          # $GITHUB_ENV. PLATFORM_URL is also passed explicitly because
+          # $GITHUB_ENV propagation can be flaky on act_runner (#2468 RCA).
+          echo "starting platform with PLATFORM_URL=${PLATFORM_URL:-<fallback>} PORT=$PORT BIND_ADDR=0.0.0.0"
+          PORT=$PORT BIND_ADDR=0.0.0.0 PLATFORM_URL="${PLATFORM_URL:-http://host.docker.internal:$PORT}" ./platform-server > platform.log 2>&1 &
+          echo $! > platform.pid
+
+      - name: Wait for /health (+ migrations applied)
+        run: |
+          DEADLINE=300; PID="$(cat workspace-server/platform.pid 2>/dev/null || true)"; start=$(date +%s)
+          while :; do
+            # Verify OUR server is still alive before trusting /health. Our server
+            # binds the allocated port or exits FATAL, so "our PID alive" <=>
+            # "we own the port"; checking it first stops a squatter that answers
+            # /health on the same port (our bind having failed) from false-positiving
+            # the gate (no-flakes RCA).
+            if [ -n "$PID" ] && ! kill -0 "$PID" 2>/dev/null; then
+              echo "::error::platform-server exited early (failed to bind or crashed)"; cat workspace-server/platform.log || true; exit 1
+            fi
+            if curl -sf "$BASE/health" >/dev/null; then
+              tables=$(docker exec "$PG_CONTAINER" psql -U dev -d molecule -tAc \
+                "SELECT count(*) FROM information_schema.tables WHERE table_schema='public' AND table_name='workspaces'" 2>/dev/null || echo 0)
+              [ "$tables" = "1" ] && { echo "healthy + migrated after $(( $(date +%s) - start ))s"; exit 0; }
+            fi
+            [ "$(( $(date +%s) - start ))" -ge "$DEADLINE" ] && { echo "::error::platform not healthy in ${DEADLINE}s"; cat workspace-server/platform.log || true; exit 1; }
+            sleep 1
+          done
+
+      - name: Verify platform reachable from molecule-core-net
+        run: |
+          echo "Testing platform reachability from molecule-core-net container..."
+          docker run --rm --network molecule-core-net alpine:latest sh -c "wget -qO- http://${PLATFORM_URL#http://}/health" || echo "WARN: platform not reachable from molecule-core-net"
+
+      - name: Run local-provision lifecycle E2E (stub — REQUIRED)
+        run: bash tests/e2e/test_local_provision_lifecycle_e2e.sh
+
+      - name: Dump platform log on failure
+        if: failure()
+        run: cat workspace-server/platform.log || true
+
+      - name: Dump workspace container logs on failure
+        if: failure()
+        run: |
+          WS_NAME=$(docker ps --filter "name=ws-" --format '{{.Names}}' | head -1 || true)
+          if [ -n "$WS_NAME" ]; then
+            echo "=== Workspace container logs for $WS_NAME ==="
+            docker logs "$WS_NAME" 2>&1 | tail -n 80 || true
+          fi
+
+      - name: Stop platform
+        if: always()
+        run: |
+          [ -f workspace-server/platform.pid ] && kill "$(cat workspace-server/platform.pid)" 2>/dev/null || true
+
+      - name: Stop service containers
+        if: always()
+        run: |
+          docker rm -f "$PG_CONTAINER" 2>/dev/null || true
+          docker rm -f "$REDIS_CONTAINER" 2>/dev/null || true
+
+  # ===========================================================================
+  # ADVISORY — real claude-code image, lifecycle-only. Non-blocking. It pulls/
+  # builds the 2.5GB template image, makes a real (cheap) MiniMax LLM call, and is
+  # network-dependent, so a miss must not block. It proves the REAL runtime
+  # survives a restart AND serves a genuine LLM round-trip on the local
+  # provisioner (proxy-reach asserts a real MiniMax reply, not just reachability).
+  # ===========================================================================
+  # bp-exempt: advisory lane (continue-on-error: true) — informational, never a merge gate.
+  lifecycle-real:
+    name: Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory)
+    runs-on: docker-host
+    # Serialise behind the gating stub job: both jobs share the same docker-host
+    # runner and provision sibling containers. `needs:` forces this advisory job
+    # to start only AFTER lifecycle-stub finishes, avoiding resource contention.
+    # (Dynamic ports eliminated the fixed-port race; serialisation remains for
+    # docker-host capacity hygiene.) continue-on-error keeps a real-job miss
+    # non-blocking; `needs:` does NOT gate on the stub's success (a failed
+    # required gate still lets this advisory dependent run).
+    needs: lifecycle-stub
+    if: ${{ always() }}
+    # Tracker for lint-continue-on-error-tracking (Tier 2e / internal#350): this
+    # mask has a forced 14-day renewal cycle. mc#2408 tracks promoting this
+    # advisory MiniMax round-trip to a gating job (then flip to false).
+    continue-on-error: true  # mc#2408 — promote advisory MiniMax e2e to gating
+    timeout-minutes: 30
+    env:
+      PG_CONTAINER: pg-lpe2e-real-${{ github.run_id }}-${{ github.run_attempt }}
+      REDIS_CONTAINER: redis-lpe2e-real-${{ github.run_id }}-${{ github.run_attempt }}
+      # Hard-code dev mode at the job level so the platform server ALWAYS sees it,
+      # even if the runner's $GITHUB_ENV propagation is flaky (#2468 RCA).
+      MOLECULE_ENV: development
+      SECRETS_ENCRYPTION_KEY: lpe2e-test-encryption-key-32bytes!!
+      # act_runner runs the job inside a Docker container, so /.dockerenv exists
+      # and the platform auto-detects platformInDocker=true. But the job container
+      # is NOT on molecule-core-net, so it cannot resolve workspace container
+      # hostnames (ws-<id>:8000). Force false so the proxy keeps using the
+      # host-mapped 127.0.0.1:<ephemeral_port> URL, which IS reachable.
+      MOLECULE_IN_DOCKER: false
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version: 'stable'
+          cache: true
+          cache-dependency-path: workspace-server/go.sum
+
+      - name: Ensure provisioner network + pre-pull alpine
+        run: |
+          docker pull alpine:3 >/dev/null
+          docker network create molecule-core-net >/dev/null 2>&1 || true
+
+      - name: Start Postgres (docker, ephemeral host port)
+        run: |
+          docker rm -f "$PG_CONTAINER" 2>/dev/null || true
+          docker run -d --name "$PG_CONTAINER" \
+            -e POSTGRES_USER=dev -e POSTGRES_PASSWORD=dev -e POSTGRES_DB=molecule \
+            -p 0:5432 postgres:16 >/dev/null
+          PG_PORT=$(docker port "$PG_CONTAINER" 5432/tcp | awk -F: '/^0\.0\.0\.0:/ {print $2; exit}')
+          [ -z "$PG_PORT" ] && PG_PORT=$(docker port "$PG_CONTAINER" 5432/tcp | head -1 | awk -F: '{print $NF}')
+          if [ -z "$PG_PORT" ]; then echo "::error::no host port"; docker logs "$PG_CONTAINER" || true; exit 1; fi
+          echo "DATABASE_URL=postgres://dev:dev@127.0.0.1:${PG_PORT}/molecule?sslmode=disable" >> "$GITHUB_ENV"
+          for i in $(seq 1 30); do
+            docker exec "$PG_CONTAINER" pg_isready -U dev >/dev/null 2>&1 && { echo "pg ready ${i}s"; exit 0; }
+            sleep 1
+          done
+          echo "::error::Postgres not ready"; docker logs "$PG_CONTAINER" || true; exit 1
+
+      - name: Start Redis (docker, ephemeral host port)
+        run: |
+          docker rm -f "$REDIS_CONTAINER" 2>/dev/null || true
+          docker run -d --name "$REDIS_CONTAINER" -p 0:6379 redis:7 >/dev/null
+          REDIS_PORT=$(docker port "$REDIS_CONTAINER" 6379/tcp | awk -F: '/^0\.0\.0\.0:/ {print $2; exit}')
+          [ -z "$REDIS_PORT" ] && REDIS_PORT=$(docker port "$REDIS_CONTAINER" 6379/tcp | head -1 | awk -F: '{print $NF}')
+          if [ -z "$REDIS_PORT" ]; then echo "::error::no host port"; docker logs "$REDIS_CONTAINER" || true; exit 1; fi
+          echo "REDIS_URL=redis://127.0.0.1:${REDIS_PORT}" >> "$GITHUB_ENV"
+          for i in $(seq 1 15); do
+            docker exec "$REDIS_CONTAINER" redis-cli ping 2>/dev/null | grep -q PONG && { echo "redis ready ${i}s"; exit 0; }
+            sleep 1
+          done
+          echo "::error::Redis not ready"; docker logs "$REDIS_CONTAINER" || true; exit 1
+
+      - name: Configure platform env
+        run: |
+          # Allocate an unused ephemeral port to avoid collision with concurrent
+          # jobs or stale processes from prior cancelled runs (see #2450).
+          PORT=$(python3 -c "import socket; s=socket.socket(); s.bind(('', 0)); print(s.getsockname()[1]); s.close()")
+          echo "PORT=${PORT}" >> "$GITHUB_ENV"
+          echo "BASE=http://127.0.0.1:${PORT}" >> "$GITHUB_ENV"
+          # Discover an IP that Docker containers can use to reach the host platform.
+          # host.docker.internal is not reliably available on Linux (act_runner), so
+          # workspace containers cannot resolve it and fail to register/heartbeat.
+          # Workspace containers join molecule-core-net; the host is reachable via that
+          # network's gateway. Ensure the network exists first (the provisioner creates
+          # it lazily, but we need the gateway BEFORE starting the platform).
+          docker network inspect molecule-core-net >/dev/null 2>&1 || docker network create molecule-core-net >/dev/null
+          # Parse Gateway from raw JSON because --format '{{.IPAM.Config}}' is
+          # inconsistent across Docker versions (sometimes omits Gateway field).
+          PLATFORM_HOST_IP=$(docker network inspect molecule-core-net 2>/dev/null | sed -n 's/.*"Gateway": "\([^"]*\)".*/\1/p' | head -1)
+          if [ -z "$PLATFORM_HOST_IP" ]; then
+            PLATFORM_HOST_IP=$(docker network inspect bridge 2>/dev/null | sed -n 's/.*"Gateway": "\([^"]*\)".*/\1/p' | head -1)
+          fi
+          if [ -z "$PLATFORM_HOST_IP" ]; then
+            PLATFORM_HOST_IP=$(ip route | awk '/default/ {print $3}' | head -1 || true)
+          fi
+          if [ -z "$PLATFORM_HOST_IP" ]; then
+            echo "::error::Could not determine PLATFORM_HOST_IP for Docker containers to reach the platform"
+            exit 1
+          fi
+          echo "PLATFORM_URL=http://${PLATFORM_HOST_IP}:${PORT}" >> "$GITHUB_ENV"
+          T="lpe2e-real-admin-${{ github.run_id }}-${{ github.run_attempt }}"
+          echo "ADMIN_TOKEN=${T}" >> "$GITHUB_ENV"
+          echo "MOLECULE_ADMIN_TOKEN=${T}" >> "$GITHUB_ENV"
+          echo "MOLECULE_ENV=development" >> "$GITHUB_ENV"
+          echo "SECRETS_ENCRYPTION_KEY=lpe2e-test-encryption-key-32bytes!!" >> "$GITHUB_ENV"
+
+      - name: Build platform
+        working-directory: workspace-server
+        run: go build -o platform-server ./cmd/server
+
+      - name: Kill stale platform-server before start (issue #1046)
+        run: |
+          # Dynamic port allocation (see #2450) eliminates the fixed-port race.
+          # We still sweep by process name to avoid leaking platform-server
+          # processes on the shared runner.
+          killed=0
+          for pid in $(grep -l "platform-serve" /proc/[0-9]*/comm 2>/dev/null); do
+            kpid="${pid%/comm}"; kpid="${kpid##*/}"
+            cmdline=$(cat "/proc/${kpid}/cmdline" 2>/dev/null | tr '\0' ' ')
+            if echo "$cmdline" | grep -q "platform-server"; then
+              echo "Killing stale platform-server pid ${kpid}: ${cmdline}"
+              kill "$kpid" 2>/dev/null || true
+              killed=$((killed + 1))
+            fi
+          done
+          if [ "$killed" -gt 0 ]; then echo "Killed $killed stale platform-server process(es)."; else echo "No platform-server-named process found."; fi
+          sleep 1
+
+      - name: Start platform (background)
+        working-directory: workspace-server
+        run: |
+          echo "starting platform with PLATFORM_URL=${PLATFORM_URL:-<fallback>} PORT=$PORT BIND_ADDR=0.0.0.0"
+          PORT=$PORT BIND_ADDR=0.0.0.0 PLATFORM_URL="${PLATFORM_URL:-http://host.docker.internal:$PORT}" ./platform-server > platform.log 2>&1 &
+          echo $! > platform.pid
+
+      - name: Wait for /health (+ migrations applied)
+        run: |
+          DEADLINE=300; PID="$(cat workspace-server/platform.pid 2>/dev/null || true)"; start=$(date +%s)
+          while :; do
+            # Verify OUR server is still alive before trusting /health. Our server
+            # binds the allocated port or exits FATAL, so checking our PID first
+            # stops a squatter from false-positiving the gate (no-flakes RCA).
+            if [ -n "$PID" ] && ! kill -0 "$PID" 2>/dev/null; then
+              echo "::error::platform-server exited early (failed to bind or crashed)"; cat workspace-server/platform.log || true; exit 1
+            fi
+            if curl -sf "$BASE/health" >/dev/null; then
+              tables=$(docker exec "$PG_CONTAINER" psql -U dev -d molecule -tAc \
+                "SELECT count(*) FROM information_schema.tables WHERE table_schema='public' AND table_name='workspaces'" 2>/dev/null || echo 0)
+              [ "$tables" = "1" ] && { echo "healthy after $(( $(date +%s) - start ))s"; exit 0; }
+            fi
+            [ "$(( $(date +%s) - start ))" -ge "$DEADLINE" ] && { echo "::error::platform not healthy in ${DEADLINE}s"; cat workspace-server/platform.log || true; exit 1; }
+            sleep 1
+          done
+
+      - name: Verify platform reachable from molecule-core-net
+        run: |
+          echo "Testing platform reachability from molecule-core-net container..."
+          docker run --rm --network molecule-core-net alpine:latest sh -c "wget -qO- http://${PLATFORM_URL#http://}/health" || echo "WARN: platform not reachable from molecule-core-net"
+
+      - name: Run local-provision lifecycle E2E (real image + MiniMax LLM — ADVISORY)
+        env:
+          # LIFECYCLE_LLM=minimax: provision the REAL claude-code template image
+          # (the mode forces LIFECYCLE_PROVISIONER_BUILDS=1 — the provisioner
+          # clones + docker-builds the template from Gitea via RegistryModeLocal)
+          # with a real MiniMax BYOK credential, and assert an ACTUAL model reply
+          # at the proxy-reach step (a genuine round-trip through ws-<id>:8000).
+          # MiniMax is the cheapest LLM the platform offers; its `minimax`
+          # provider dials api.minimax.io directly, so no CP proxy env is needed.
+          #
+          # Key wiring (DO NOT hardcode): the script reads MINIMAX_API_KEY from
+          # the env; we feed it from the MOLECULE_STAGING_MINIMAX_API_KEY CI
+          # secret (the same secret the staging-smoke + e2e-api MiniMax arms use).
+          # When that secret is ABSENT, MINIMAX_API_KEY is empty and the script
+          # SKIPS loud (exit 0) — it never reds on a missing secret (serving-e2e
+          # skip-if-absent pattern). The advisory job stays green either way.
+          LIFECYCLE_LLM: minimax
+          MINIMAX_API_KEY: ${{ secrets.MOLECULE_STAGING_MINIMAX_API_KEY }}
+        run: bash tests/e2e/test_local_provision_lifecycle_e2e.sh
+
+      - name: Dump platform log on failure
+        if: failure()
+        run: cat workspace-server/platform.log || true
+
+      - name: Dump workspace container logs on failure
+        if: failure()
+        run: |
+          WS_NAME=$(docker ps --filter "name=ws-" --format '{{.Names}}' | head -1 || true)
+          if [ -n "$WS_NAME" ]; then
+            echo "=== Workspace container logs for $WS_NAME ==="
+            docker logs "$WS_NAME" 2>&1 | tail -n 80 || true
+          fi
+
+      - name: Stop platform
+        if: always()
+        run: |
+          [ -f workspace-server/platform.pid ] && kill "$(cat workspace-server/platform.pid)" 2>/dev/null || true
+
+      - name: Stop service containers
+        if: always()
+        run: |
+          docker rm -f "$PG_CONTAINER" 2>/dev/null || true
+          docker rm -f "$REDIS_CONTAINER" 2>/dev/null || true
@@ -95,10 +95,10 @@ jobs:
          # included here — staging green is a separate gate
          # (`feedback_staging_e2e_merge_gate`).
          WATCH_BRANCH: 'main'
-          # Issue label applied on file/open. `tier:high` exists in the
+          # Issue label applied on file/open. `ci-bp-drift` exists in the
          # molecule-core label set (verified 2026-05-11, label id 9).
          # Rationale for high: main red blocks the promotion train and
          # poisons every PR's auto-rebase base; treat as a fire even
          # if intermittent.
-          RED_LABEL: 'tier:high'
+          RED_LABEL: 'ci-bp-drift'
        run: python3 .gitea/scripts/main-red-watchdog.py
@@ -248,16 +248,36 @@ jobs:
            --tag "${STAGING_TENANT_IMAGE_NAME}:${TAG_LATEST}"
          )

-          docker buildx build \
-            --file ./workspace-server/Dockerfile.tenant \
-            --build-arg NEXT_PUBLIC_PLATFORM_URL= \
-            --build-arg GIT_SHA="${GIT_SHA}" \
-            --label "org.opencontainers.image.source=https://git.moleculesai.app/molecule-ai/${REPO}" \
-            --label "org.opencontainers.image.revision=${GIT_SHA}" \
-            --label "org.opencontainers.image.created=$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
-            --label "molecule.workflow.run_id=${GITHUB_RUN_ID}" \
-            "${build_tags[@]}" \
-            --push .
+          # Retry loop: buildkit EOF (internal#2468) is often transient on the
+          # publish runner under memory pressure. Up to 3 attempts with a fresh
+          # builder each time so a crashed buildkit doesn't poison the next try.
+          for attempt in 1 2 3; do
+            echo "::notice::Tenant image build attempt ${attempt}/3 ..."
+            builder="tenant-builder-${GITHUB_RUN_ID}-${attempt}"
+            docker buildx create --name "${builder}" --use >/dev/null 2>&1 || true
+            if docker buildx build \
+                --builder "${builder}" \
+                --file ./workspace-server/Dockerfile.tenant \
+                --build-arg NEXT_PUBLIC_PLATFORM_URL= \
+                --build-arg GIT_SHA="${GIT_SHA}" \
+                --label "org.opencontainers.image.source=https://git.moleculesai.app/molecule-ai/${REPO}" \
+                --label "org.opencontainers.image.revision=${GIT_SHA}" \
+                --label "org.opencontainers.image.created=$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
+                --label "molecule.workflow.run_id=${GITHUB_RUN_ID}" \
+                "${build_tags[@]}" \
+                --push .; then
+              docker buildx rm "${builder}" >/dev/null 2>&1 || true
+              echo "::notice::Tenant image build succeeded on attempt ${attempt}"
+              break
+            fi
+            echo "::warning::Tenant image build attempt ${attempt} failed — cleaning builder and retrying"
+            docker buildx rm "${builder}" >/dev/null 2>&1 || true
+            sleep 10
+            if [ "$attempt" -eq 3 ]; then
+              echo "::error::Tenant image build failed after 3 attempts"
+              exit 1
+            fi
+          done

  # bp-exempt: production deploy side-effect; merge is gated by CI / all-required and this job waits for push CI before acting.
  deploy-production:
@@ -7,18 +7,25 @@
 #
 # A1-α (refire mechanism):
 #   Triggers on:
-#     - `pull_request_target`: opened, synchronize, reopened
-#         → initial status posts when PR opens / re-pushes
+#     - `pull_request_target`: opened, synchronize, reopened, labeled, unlabeled
+#         → initial status posts when PR opens / re-pushes, and re-evaluates
+#           when labels change (e.g. risk-indicator labels).
 #     - `pull_request_review` types: [submitted]
 #         → re-evaluate when a team member submits an APPROVE review so
 #           the gate flips immediately (no wait for the next push or
-#           slash-command). Verified live: sop-tier-check.yml uses this
+#           slash-command). Verified live: sop-checklist.yml uses this
 #           same event and provably fires (produces
-#           `sop-tier-check / tier-check (pull_request_review)` contexts).
-#           The job-level `if:` guard checks
-#           `github.event.review.state == 'APPROVED' || 'approved'` so
-#           only APPROVE reviews run the evaluator; COMMENT and
-#           REQUEST_CHANGES are skipped at the job level.
+#           `sop-checklist / all-items-acked (pull_request_review)` contexts).
+#           The job-level `if:` does NOT guard on review.state (issue
+#           #2159): Gitea 1.22.6's payload shape for this event does not
+#           reliably expose the state field that the GitHub-style guard
+#           expects.  The evaluator (review-check.sh) reads actual reviews
+#           from the API and checks for a real APPROVE, so running on
+#           COMMENT or REQUEST_CHANGES is harmless (read-only,
+#           idempotent).  Branch-protection requires the
+#           `(pull_request_target)` context variant, so the review-event
+#           path EXPLICITLY POSTS the required context via the API. Trust
+#           boundary preserved (BASE ref, no PR-head).
 #           Branch-protection requires the `(pull_request_target)`
 #           context variant, so the review-event path EXPLICITLY POSTS
 #           the required context via the API. Trust boundary preserved
@@ -53,7 +60,7 @@
 #
 #   We MUST NOT use `github.event.comment.author_association` (the
 #   field doesn't exist on Gitea 1.22.6 webhook payload — this was
-#   sop-tier-refire's defect #1).
+#   's defect #1).
 #
 # A4 (no PR-head checkout under pull_request_target):
 #   We check out the BASE ref explicitly so the review-check.sh script is
@@ -73,7 +80,7 @@
 # also not in qa/security teams → also 403.
 #
 # Resolution: a dedicated `RFC_324_TEAM_READ_TOKEN` secret, owned by an
-# identity that IS in both `qa` and `security` teams (Owners-tier
+# identity that IS in both `qa` and `security` teams (Owners-level
 # claude-ceo-assistant, or a new service-bot added to both teams).
 # Provisioning of this secret is tracked as a follow-up issue (filed by
 # core-devops at PR open).
@@ -96,7 +103,7 @@ name: qa-review

 on:
  pull_request_target:
-    types: [opened, synchronize, reopened]
+    types: [opened, synchronize, reopened, labeled, unlabeled]
  pull_request_review:
    types: [submitted]

@@ -110,13 +117,19 @@ jobs:
  approved:
    # Gate the job:
    #   - On pull_request_target events: always run.
-    #   - On pull_request_review_approved events: run so the gate flips
-    #     immediately when a team member submits an APPROVE review.
+    #   - On pull_request_review events: always run.  We do NOT guard on
+    #     review.state here because Gitea 1.22.6's payload shape for this
+    #     event does not reliably expose the state field (issue #2159).
+    #     The evaluator (review-check.sh) reads actual reviews from the
+    #     API and checks for a real APPROVE, so running on COMMENT or
+    #     REQUEST_CHANGES is harmless (read-only, idempotent).
+    #   - On labeled/unlabeled events: re-evaluate when labels change.
+    #     This ensures qa-review flips when risk-indicator labels are
+    #     added or removed.
    # Comment-triggered refires live in sop-checklist.yml review-refire job.
    if: |
      github.event_name == 'pull_request_target' ||
-      (github.event_name == 'pull_request_review' &&
-       (github.event.review.state == 'APPROVED' || github.event.review.state == 'approved'))
+      github.event_name == 'pull_request_review'
    runs-on: ubuntu-latest
    steps:
      - name: Privilege check (A1.1 — INFORMATIONAL log only, NOT a gate)
@@ -130,7 +143,7 @@ jobs:
        # no comment.user.login so the step is a no-op skip there.
        if: github.event_name == 'issue_comment'
        env:
-          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.SOP_CHECKLIST_GATE_TOKEN || secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          login="${{ github.event.comment.user.login }}"
@@ -162,7 +175,7 @@ jobs:
      - name: Evaluate qa-review
        id: eval
        env:
-          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.SOP_CHECKLIST_GATE_TOKEN || secrets.GITHUB_TOKEN }}
          GITEA_HOST: git.moleculesai.app
          REPO: ${{ github.repository }}
          # PR number lives in different places per event:
@@ -185,7 +198,7 @@ jobs:
        # TOKEN FIX (RC 8326): uses STATUS_POST_TOKEN (CTO-granted,
        # msg d52cc72a). Dedicated narrow-scoped write:repository token
        # for the explicit status POST. Evaluator step stays on
-        # SOP_TIER_CHECK_TOKEN (read-only) per deliberate security
+        # SOP_CHECKLIST_GATE_TOKEN (read-only) per deliberate security
        # separation: eval computes, POST writes, never the same cred.
        if: github.event_name == 'pull_request_review' && always()
        env:
@@ -21,15 +21,21 @@ on:
    branches: [main, staging]
    paths:
      - '.gitea/scripts/review-check.sh'
+      - '.gitea/scripts/_approval_validator.py'
+      - '.gitea/scripts/_review_check_filter.py'
      - '.gitea/scripts/tests/test_review_check.sh'
      - '.gitea/scripts/tests/_review_check_fixture.py'
+      - '.gitea/scripts/tests/test_approval_validator.py'
      - '.gitea/workflows/review-check-tests.yml'
  pull_request:
    branches: [main, staging]
    paths:
      - '.gitea/scripts/review-check.sh'
+      - '.gitea/scripts/_approval_validator.py'
+      - '.gitea/scripts/_review_check_filter.py'
      - '.gitea/scripts/tests/test_review_check.sh'
      - '.gitea/scripts/tests/_review_check_fixture.py'
+      - '.gitea/scripts/tests/test_approval_validator.py'
      - '.gitea/workflows/review-check-tests.yml'
  workflow_dispatch:

@@ -70,3 +76,16 @@ jobs:

      - name: Run review-check.sh regression suite
        run: bash .gitea/scripts/tests/test_review_check.sh
+
+      - name: SSOT approval-validator unit tests (SEV-1 internal#812)
+        # The Python unit tests for _approval_validator.py are
+        # mutation-verified — every fail-closed branch has an explicit
+        # REJECT assertion. A reviewer who weakens the predicate trips
+        # these in CI.
+        run: |
+          # The test file lives in .gitea/scripts/tests/ with no __init__.py,
+          # so `unittest discover -s .gitea/scripts` finds 0 tests (the SEV-1
+          # suite silently never ran — a CI gap fixed alongside internal#812).
+          # Run the file directly; it self-inserts its sys.path and calls
+          # unittest.main(), so a failing assertion exits non-zero and fails CI.
+          python3 .gitea/scripts/tests/test_approval_validator.py -v
@@ -10,20 +10,23 @@
 # A1-α addendum (internal#760): review-event trigger added so the security
 # gate flips immediately when a team member submits an APPROVE review.
 # Uses `pull_request_review` types: [submitted] — verified live via
-# sop-tier-check.yml which provably fires this event (produces
-# `sop-tier-check / tier-check (pull_request_review)` contexts).
-# The job-level `if:` guard checks
-# `github.event.review.state == 'APPROVED' || 'approved'` so only APPROVE
-# reviews run the evaluator; COMMENT and REQUEST_CHANGES are skipped at
-# the job level. Branch-protection requires the `(pull_request_target)`
-# context variant, so the review-event path EXPLICITLY POSTS the required
-# context via the API. Trust boundary preserved (BASE ref, no PR-head).
+# sop-checklist.yml which provably fires this event (produces
+# `sop-checklist / all-items-acked (pull_request_review)` contexts).
+# The job-level `if:` does NOT guard on review.state (issue #2159):
+# Gitea 1.22.6's payload shape for this event does not reliably expose
+# the state field that the GitHub-style guard expects.  The evaluator
+# (review-check.sh) reads actual reviews from the API and checks for a
+# real APPROVE, so running on COMMENT or REQUEST_CHANGES is harmless
+# (read-only, idempotent).  Branch-protection requires the
+# `(pull_request_target)` context variant, so the review-event path
+# EXPLICITLY POSTS the required context via the API. Trust boundary
+# preserved (BASE ref, no PR-head).

 name: security-review

 on:
  pull_request_target:
-    types: [opened, synchronize, reopened]
+    types: [opened, synchronize, reopened, labeled, unlabeled]
  pull_request_review:
    types: [submitted]

@@ -37,13 +40,19 @@ jobs:
  approved:
    # Gate the job:
    #   - On pull_request_target events: always run.
-    #   - On pull_request_review_approved events: run so the gate flips
-    #     immediately when a team member submits an APPROVE review.
+    #   - On pull_request_review events: always run.  We do NOT guard on
+    #     review.state here because Gitea 1.22.6's payload shape for this
+    #     event does not reliably expose the state field (issue #2159).
+    #     The evaluator (review-check.sh) reads actual reviews from the
+    #     API and checks for a real APPROVE, so running on COMMENT or
+    #     REQUEST_CHANGES is harmless (read-only, idempotent).
+    #   - On labeled/unlabeled events: re-evaluate when labels change.
+    #     This ensures security-review flips when risk-indicator labels
+    #     are added or removed.
    # Comment-triggered refires live in sop-checklist.yml review-refire job.
    if: |
      github.event_name == 'pull_request_target' ||
-      (github.event_name == 'pull_request_review' &&
-       (github.event.review.state == 'APPROVED' || github.event.review.state == 'approved'))
+      github.event_name == 'pull_request_review'
    runs-on: ubuntu-latest
    steps:
      - name: Privilege check (A1.1 — INFORMATIONAL log only, NOT a gate)
@@ -52,7 +61,7 @@ jobs:
        # so re-running on a non-collaborator comment is harmless.
        if: github.event_name == 'issue_comment'
        env:
-          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.SOP_CHECKLIST_GATE_TOKEN || secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          login="${{ github.event.comment.user.login }}"
@@ -78,7 +87,7 @@ jobs:
      - name: Evaluate security-review
        id: eval
        env:
-          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.SOP_CHECKLIST_GATE_TOKEN || secrets.GITHUB_TOKEN }}
          GITEA_HOST: git.moleculesai.app
          REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
@@ -98,7 +107,7 @@ jobs:
        # TOKEN FIX (RC 8326): uses STATUS_POST_TOKEN (CTO-granted,
        # msg d52cc72a). Dedicated narrow-scoped write:repository token
        # for the explicit status POST. Evaluator step stays on
-        # SOP_TIER_CHECK_TOKEN (read-only) per deliberate security
+        # SOP_CHECKLIST_GATE_TOKEN (read-only) per deliberate security
        # separation: eval computes, POST writes, never the same cred.
        if: github.event_name == 'pull_request_review' && always()
        env:
@@ -14,10 +14,10 @@
 # Fix (PR #1345 / issue #1280):
 #   - ONE workflow, ONE issue_comment:[created] subscription (no edited/deleted)
 #   - all-items-acked job: pull_request_target OR sop slash-command comments
-#   - review-refire job: qa/security/tier refire slash commands
+#   - review-refire job: qa/security refire slash commands
 #   → ~50% reduction in comment-triggered runner occupancy vs pre-fix.
 #
-# Trust boundary (mirrors RFC#324 §A4 + sop-tier-check security note):
+# Trust boundary (mirrors RFC#324 §A4 + sop-checklist security note):
 #   `pull_request_target` (not `pull_request`) — workflow def is loaded
 #   from BASE branch, so a PR cannot rewrite this workflow to exfiltrate
 #   the token. The `actions/checkout` step pins `ref: base.sha` so the
@@ -34,14 +34,6 @@
 #     via a repo secret `SOP_CHECKLIST_GATE_TOKEN`. Provisioning of that
 #     secret is a follow-up authorization step (separate from this PR).
 #
-# Failure mode: tier-aware (RFC#351 open question 2):
-#   - tier:high   → state=failure (hard-fail; BP blocks merge)
-#   - tier:medium → state=failure (hard-fail; same)
-#   - tier:low    → state=pending (soft-fail; BP can choose to require
-#                    this context or skip for low-tier PRs)
-#   - missing/no-tier → state=failure (default-mode: hard — never lower
-#                    the bar per feedback_fix_root_not_symptom)
-#
 # Slash-command contract (RFC#351 v1 + §A1.1-style notes from RFC#324):
 #
 #   /sop-ack <slug-or-numeric-alias> [optional note]
@@ -61,7 +53,7 @@
 #       — declare a gate (qa-review, security-review) N/A.
 #       — see sop-checklist-config.yaml n/a_gates section.
 #
-#   /qa-recheck /security-recheck /refire-tier-check
+#   /qa-recheck /security-recheck
 #       — refire the corresponding status check on the PR head.
 #
 # The eval is read-only + idempotent (read PR + comments + team
@@ -149,7 +141,6 @@ jobs:
          {
            echo "run_qa=false"
            echo "run_security=false"
-            echo "run_tier=false"
          } >> "$GITHUB_OUTPUT"
          first_line=$(printf '%s\n' "$COMMENT_BODY" | sed -n '1p')
          case "$first_line" in
@@ -159,9 +150,6 @@ jobs:
            /security-recheck*)
              echo "run_security=true" >> "$GITHUB_OUTPUT"
              ;;
-            /refire-tier-check*)
-              echo "run_tier=true" >> "$GITHUB_OUTPUT"
-              ;;
            *)
              echo "::notice::no supported review refire slash command; no-op"
              ;;
@@ -170,8 +158,7 @@ jobs:
      - name: Check out BASE ref for trusted scripts
        if: |
          steps.classify.outputs.run_qa == 'true' ||
-          steps.classify.outputs.run_security == 'true' ||
-          steps.classify.outputs.run_tier == 'true'
+          steps.classify.outputs.run_security == 'true'
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          ref: ${{ github.event.repository.default_branch }}
@@ -180,7 +167,7 @@ jobs:
        if: steps.classify.outputs.run_qa == 'true'
        env:
          # Evaluator (review-check.sh + GET /pulls) stays on read-scoped token.
-          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.SOP_CHECKLIST_GATE_TOKEN || secrets.GITHUB_TOKEN }}
          # Explicit POST /statuses uses narrow-scoped write:repository token.
          STATUS_POST_TOKEN: ${{ secrets.STATUS_POST_TOKEN }}
          GITEA_HOST: git.moleculesai.app
@@ -199,7 +186,7 @@ jobs:
        if: steps.classify.outputs.run_security == 'true'
        env:
          # Evaluator (review-check.sh + GET /pulls) stays on read-scoped token.
-          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.SOP_CHECKLIST_GATE_TOKEN || secrets.GITHUB_TOKEN }}
          # Explicit POST /statuses uses narrow-scoped write:repository token.
          STATUS_POST_TOKEN: ${{ secrets.STATUS_POST_TOKEN }}
          GITEA_HOST: git.moleculesai.app
@@ -213,13 +200,3 @@ jobs:
        run: |
          set -euo pipefail
          .gitea/scripts/review-refire-status.sh
-
-      - name: Refire sop-tier-check status
-        if: steps.classify.outputs.run_tier == 'true'
-        env:
-          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
-          GITEA_HOST: git.moleculesai.app
-          REPO: ${{ github.repository }}
-          PR_NUMBER: ${{ github.event.issue.number }}
-          SOP_DEBUG: '0'
-        run: bash .gitea/scripts/sop-tier-refire.sh
@@ -1,162 +0,0 @@
-# sop-tier-check — canonical Gitea Actions workflow for §SOP-6 enforcement.
-#
-# Logic lives in `.gitea/scripts/sop-tier-check.sh` (extracted 2026-05-09
-# from the previous inline-bash version). The script is the single source
-# of truth; this workflow file just sets env + invokes it.
-#
-# Copy BOTH files (`.gitea/workflows/sop-tier-check.yml` +
-# `.gitea/scripts/sop-tier-check.sh`) into any repo that wants the
-# §SOP-6 PR gate enforced. Pair with branch protection on the protected
-# branch:
-#   required_status_checks:    ["sop-tier-check / tier-check (pull_request)"]
-#   required_approving_reviews: 1
-#   approving_review_teams:    ["ceo", "managers", "engineers"]
-#
-# Tier → required-team expression (internal#189 AND-composition):
-#   tier:low    → engineers,managers,ceo        (OR: any one suffices)
-#   tier:medium → managers AND engineers AND qa???,security???  (AND: all required)
-#   tier:high   → ceo                           (OR: single team, wired for AND)
-#
-# "???" = teams not yet created in Gitea. When qa + security teams are
-# added, update TIER_EXPR["tier:medium"] in the script to remove the
-# markers. PRs already in-flight when qa/security are created continue
-# to work because their authors explicitly requested those reviews.
-#
-# Force-merge: Owners-team override remains available out-of-band via
-# the Gitea merge API; force-merge writes `incident.force_merge` to
-# `structure_events` per §Persistent structured logging gate (Phase 3).
-#
-# Environment variables:
-#   SOP_DEBUG=1          — per-API-call diagnostic lines. Default: off.
-#   SOP_LEGACY_CHECK=1   — revert to OR-gate for this run. Intended for
-#                           emergency use only; burn-in window closed
-#                           2026-05-17 (internal#189 Phase 1).
-#
-# BURN-IN CLOSED 2026-05-17 (internal#189 Phase 1): The 7-day burn-in
-# window closed. As of 2026-06-04 the residual masks left behind by the
-# burn-in are removed for real (the comment previously claimed this while
-# the masks still persisted — that was stale):
-#   - continue-on-error: true on the jq-install step (redundant; the step
-#     already exits 0) and on the tier-check step (the burn-in mask).
-#   - the `|| true` after the sop-tier-check.sh invocation, which masked
-#     real tier-gate verdicts.
-# AND-composition is now fully enforced and the tier-check step can
-# honestly red CI on a real SOP-6 violation.
-#
-# SOP_FAIL_OPEN REMOVED 2026-06-05 (fix/core-ci-fail-closed): this is a
-# REQUIRED branch-protected gate on `pull_request_target` (always
-# same-repo, secrets always present — no fork/advisory split). Failing
-# open on a token/network/jq fault greened the SOP-6 approval gate
-# WITHOUT verifying approvals — a fail-open on a required context. The
-# gate now FAILS CLOSED on infra faults too: fix the token/runner, not
-# the gate. If you ever need to temporarily re-introduce a mask, file a
-# tracker and follow the mc#1982 protocol.
-
-name: sop-tier-check
-
-# SECURITY: triggers MUST use `pull_request_target`, not `pull_request`.
-# `pull_request_target` loads the workflow definition from the BASE
-# branch (i.e. `main`), not the PR's HEAD. With `pull_request`, anyone
-# with write access to a feature branch could rewrite this file in
-# their PR to dump SOP_TIER_CHECK_TOKEN (org-read scope) to logs and
-# exfiltrate it. Verified 2026-05-09 against Gitea 1.22.6 —
-# `pull_request_target` (added in Gitea 1.21 via go-gitea/gitea#25229)
-# is the documented mitigation.
-#
-# This workflow does NOT call `actions/checkout` of PR HEAD code, so no
-# untrusted code is ever executed in the runner — we only HTTP-call the
-# Gitea API. If a future change adds a checkout step, it MUST pin to
-# `${{ github.event.pull_request.base.sha }}` (NOT `head.sha`) to keep
-# the trust boundary.
-on:
-  pull_request_target:
-    types: [opened, edited, synchronize, reopened, labeled, unlabeled]
-  pull_request_review:
-    types: [submitted, dismissed, edited]
-
-concurrency:
-  group: ${{ github.repository }}-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  tier-check:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: read
-      secrets: read
-    steps:
-      - name: Check out base branch (for the script)
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          # Pin to base.sha — pull_request_target's protection only
-          # works if we never check out PR HEAD. Same SHA the workflow
-          # itself was loaded from.
-          ref: ${{ github.event.pull_request.base.sha }}
-      - name: Install jq
-        # Gitea Actions runners (ubuntu-latest label) do not bundle jq.
-        # The sop-tier-check script uses jq for all JSON API parsing.
-        # Install jq before the script runs so sop-tier-check can pass.
-        #
-        # Method: apt-get first (reliable for Ubuntu runners with internet
-        # access to package mirrors). Falls back to GitHub binary download.
-        # GitHub releases may be unreachable from some runner networks
-        # (infra#241 follow-up: GitHub timeout after 3s on 5.78.80.188
-        # runners). The sop-tier-check script has its own fallback as a
-        # third line of defense, and this step's final command
-        # (`jq --version ... || echo`) already exits 0 unconditionally — so
-        # the step cannot fail the job on its own.
-        # continue-on-error REMOVED 2026-06-04 (mc#1982 directive: root-fix
-        # and remove, do not renew). It was redundant masking, not a gate.
-        run: |
-          # apt-get is the primary method — Ubuntu package mirrors are reliably
-          # reachable from runner containers. GitHub releases may be blocked
-          # or slow on some networks (infra#241 follow-up).
-          if apt-get update -qq && apt-get install -y -qq jq; then
-            echo "::notice::jq installed via apt-get: $(jq --version)"
-          elif timeout 120 curl -sSL \
-            "https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-amd64" \
-            -o /usr/local/bin/jq && chmod +x /usr/local/bin/jq; then
-            echo "::notice::jq binary downloaded: $(/usr/local/bin/jq --version)"
-          else
-            echo "::warning::jq install failed — apt-get and GitHub download both failed."
-          fi
-          jq --version 2>/dev/null || echo "::notice::jq not yet available — script fallback will retry"
-
-      - name: Verify tier label + reviewer team membership
-        # continue-on-error REMOVED 2026-06-04 (expired internal#189 Phase 1
-        # burn-in, window closed 2026-05-17; mc#1982 directive: root-fix and
-        # remove, do not renew). SOP_FAIL_OPEN REMOVED 2026-06-05
-        # (fix/core-ci-fail-closed): the gate now fails CLOSED on infra
-        # faults too (see the env block below), not just on a real verdict.
-        env:
-          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
-          GITEA_HOST: git.moleculesai.app
-          REPO: ${{ github.repository }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
-          SOP_DEBUG: '0'
-          SOP_LEGACY_CHECK: '0'
-          # SOP_FAIL_OPEN REMOVED 2026-06-05 (fix/core-ci-fail-closed).
-          #
-          # This is the REQUIRED branch-protected gate
-          # `sop-tier-check / tier-check (pull_request)`. It runs on
-          # `pull_request_target`, which ALWAYS executes from the base
-          # branch WITH secrets present — there is NO fork/advisory split
-          # and no legitimate "secrets genuinely absent" degradation here.
-          #
-          # SOP_FAIL_OPEN=1 made the script `exit 0` on an empty/invalid
-          # token, an unreachable Gitea API, or missing jq — i.e. an AUTH
-          # FAILURE or unreachable-dependency would green the SOP-6
-          # approval gate WITHOUT verifying that the required teams
-          # actually approved. That is a fail-open on a required gate: a
-          # mis-wired or under-scoped SOP_TIER_CHECK_TOKEN would let any PR
-          # merge past the approval requirement.
-          #
-          # Removing the env unsets it → `${SOP_FAIL_OPEN:-}` is empty in
-          # sop-tier-check.sh → every guarded `exit 0` branch instead falls
-          # through to `exit 1`. Infra faults (bad token / API down / no
-          # jq) now FAIL CLOSED with a loud `::error::`, exactly like a real
-          # SOP-6 violation. Fix the token/runner, not the gate.
-        run: |
-          bash .gitea/scripts/sop-tier-check.sh
@@ -1,52 +0,0 @@
-# sop-tier-refire — manual fallback for sop-tier-check refire.
-#
-# Closes internal#292. Gitea 1.22.6 doesn't refire workflows on the
-# `pull_request_review` event (go-gitea/gitea#33700); the `sop-tier-check`
-# workflow's review-event subscription is silently dead. The result:
-# PRs that get their approving review AFTER the tier-check ran on open/
-# synchronize keep their failing status check forever, and the only way
-# to merge is the admin force-merge path (audited via `audit-force-merge`
-# but the audit trail keeps growing; see `feedback_never_admin_merge_bypass`).
-#
-# Comment-triggered refires now live in `review-refire-comments.yml`. Gitea
-# queues issue_comment workflows before evaluating job-level `if:`, so having
-# qa-review, security-review, sop-checklist, and sop-tier-refire all subscribe
-# to every comment caused queue storms on SOP-heavy PRs. This workflow is a
-# non-automatic breadcrumb only; Gitea 1.22.6 does not support
-# workflow_dispatch inputs, so real refires must use `/refire-tier-check`.
-#
-# SECURITY MODEL:
-#
-# 1. `pull_request` exists on the issue (issue_comment fires on issues
-#    AND PRs; we only want PRs).
-# 2. `comment.author_association` must be MEMBER/OWNER/COLLABORATOR.
-#    Per the internal#292 core-security review (review#1066 ask): anyone
-#    can comment, but only repo collaborators+ can flip the status.
-#    Without this gate, a drive-by commenter on a public-issue-tracker
-#    surface could trigger a status flip.
-# 3. Comment body must contain `/refire-tier-check` — a slash-command-
-#    shaped trigger (not just any comment word). Prevents accidental
-#    triggering from prose like "we should refire tests" in a review.
-# 4. This workflow does NOT check out PR HEAD code. Like sop-tier-check,
-#    it only HTTP-calls the Gitea API. Trust boundary preserved.
-#
-# Note: `issue_comment` fires from the BASE branch's workflow file. There
-# is no `pull_request_target` equivalent to set; the trigger inherently
-# loads the workflow from the default branch.
-#
-# Rate-limit: a 1s pre-sleep + a "skip if status posted in last 30s"
-# guard prevents comment-spam from thrashing the status. See the script.
-
-name: sop-tier-check refire (manual)
-
-on:
-  workflow_dispatch:
-
-jobs:
-  refire:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Explain supported refire path
-        run: |
-          echo "::error::Gitea 1.22.6 does not support workflow_dispatch inputs here; comment /refire-tier-check on the PR instead."
-          exit 1
@@ -58,22 +58,51 @@ jobs:
          python-version: '3.11'
      - name: Install .gitea script test dependencies
        run: python -m pip install --quiet 'pytest==9.0.2' 'PyYAML==6.0.2'
-      - name: Run scripts/ unittests, if any
+      - name: Run scripts/ unittests (fail-closed on 0 collected)
        # Top-level scripts/ tests live alongside their target file. The
        # runtime packaging tests moved to molecule-ai-workspace-runtime, so
-        # this pass may legitimately find no tests.
+        # this pass may legitimately find NO test files today.
+        #
+        # Gate-integrity fix: the previous guard keyed off `rc==5` to detect
+        # "no tests collected", but Python 3.12's unittest exits 0 (not 5)
+        # when discovery finds 0 tests ("NO TESTS RAN"). The guard therefore
+        # never fired, so any test_*.py added here would silently run 0 tests
+        # while this step stayed GREEN. A green step that runs 0 tests is
+        # worse than a red one. We now fail-closed:
+        #   - genuinely NO test_*.py present  -> loud SKIP (legitimate no-op)
+        #   - test_*.py present but 0 collected -> FAIL (broken import/empty)
        working-directory: scripts
        run: |
-          set +e
-          python -m unittest discover -t . -p 'test_*.py' -v
-          rc=$?
-          if [ "$rc" -eq 5 ]; then
-            echo "No top-level scripts/ unittest files found; skipping."
+          set -euo pipefail
+          # Non-recursive count: scripts/ has no __init__.py, so unittest
+          # discover does not recurse into subdirs (ops/ is run separately
+          # below) — top-level files are the entire discovery scope here.
+          nfiles=$(find . -maxdepth 1 -name 'test_*.py' | wc -l | tr -d ' ')
+          if [ "$nfiles" -eq 0 ]; then
+            echo "SKIP: no top-level scripts/ test_*.py files present (genuine no-op)."
            exit 0
          fi
-          exit "$rc"
+          echo "Found $nfiles top-level scripts/ test_*.py file(s); asserting they collect >0 tests."
+          ncollected=$(python -c "import unittest; print(unittest.TestLoader().discover('.', pattern='test_*.py', top_level_dir='.').countTestCases())")
+          echo "Collected $ncollected test case(s)."
+          if [ "$ncollected" -eq 0 ]; then
+            echo "FAIL: test_*.py file(s) present but 0 tests collected (broken import / empty file / discovery error)."
+            exit 1
+          fi
+          python -m unittest discover -t . -p 'test_*.py' -v
      - name: Run scripts/ops/ unittests (sweep_cf_decide, ...)
+        # Real gate: scripts/ops/ must always run tests. Assert >0 collected so
+        # deleting all test files (or breaking an import) can't pass GREEN by
+        # running 0 tests — same gate-integrity class as the scripts/ step.
        working-directory: scripts/ops
-        run: python -m unittest discover -p 'test_*.py' -v
+        run: |
+          set -euo pipefail
+          ncollected=$(python -c "import unittest; print(unittest.TestLoader().discover('.', pattern='test_*.py').countTestCases())")
+          echo "scripts/ops/ collected $ncollected test case(s)."
+          if [ "$ncollected" -eq 0 ]; then
+            echo "FAIL: scripts/ops/ collected 0 tests — this gate must run real tests (deleted/broken import?)."
+            exit 1
+          fi
+          python -m unittest discover -p 'test_*.py' -v
      - name: Run .gitea/scripts pytest suite
        run: python -m pytest .gitea/scripts/tests -q
@@ -26,7 +26,7 @@ name: verify-providers-gen
 #   * It is intentionally absent from ci.yml's job set so the ci-required-drift
 #     sentinel (jobs ↔ branch-protection ↔ audit-env) does NOT fire on it, and
 #     from branch protection (turning it into a hard merge gate has blast radius
-#     — operator GO required, same pattern as sop-tier-check / verify-providers-gen
+#     — operator GO required, same pattern as sop-checklist / verify-providers-gen
 #     on controlplane). Promote it into branch protection in a follow-up once
 #     P2 has soaked.
 # Until then it behaves like secret-scan / block-internal-paths: a standalone
@@ -4,7 +4,7 @@
 # use this Makefile; CI calls docker compose / go test directly so the
 # Makefile can evolve without breaking the build.

-.PHONY: help dev up down logs build test e2e-peer-visibility openapi-spec openapi-spec-check gen gen-docker gen-check gen-check-docker
+.PHONY: help dev up down logs build test e2e-peer-visibility e2e-concierge-creates-workspace openapi-spec openapi-spec-check gen gen-docker gen-check gen-check-docker

 # ─── Provider-registry SSOT codegen (internal#718) ─────────────────────
 # The Go module lives in workspace-server/. The checked-in artifact
@@ -57,6 +57,16 @@ test: ## Run Go unit tests in workspace-server/.
 e2e-peer-visibility: ## Run the LOCAL peer-visibility MCP gate vs the running stack (needs `make up` first).
 	bash tests/e2e/test_peer_visibility_mcp_local.sh

+# FUNCTIONAL local proof that the org concierge actually DOES org-management:
+# send it a natural-language A2A request and assert it really CREATES a workspace
+# via its platform MCP (create_workspace) — the deterministic side effect, not a
+# REST 200. SKIPs LOUD (exit 0) unless the local concierge is seeded, online, and
+# running on the platform-agent image (so create_workspace exists). To run it
+# green locally: seed the concierge (MOLECULE_SEED_PLATFORM_AGENT=1) on the
+# platform-agent image WITH a model key. See the script header for the contract.
+e2e-concierge-creates-workspace: ## Prove the concierge actually creates a workspace via its platform MCP (skips loud if not runnable).
+	bash tests/e2e/test_concierge_creates_workspace_local.sh
+
 # ─── OpenAPI spec generation (RFC #1706, Phase 1) ─────────────────────
 # Regenerate workspace-server/docs/openapi/swagger.{yaml,json} from
 # swaggo annotations on the gin handlers. Commit the output. CI runs
@@ -1,7 +1,14 @@
 import { test, expect } from "@playwright/test";
+import type { Page } from "@playwright/test";
 import { startEchoRuntime } from "./fixtures/echo-runtime";
 import { seedWorkspace, startHeartbeat, cleanupWorkspace } from "./fixtures/chat-seed";

+/** Enter the Org-map view so the Canvas (React Flow graph) mounts. */
+async function enterMapView(page: Page): Promise<void> {
+  const btn = page.getByTestId("nav-map");
+  await expect(btn, "rail button nav-map missing").toBeVisible({ timeout: 10_000 });
+  await btn.click();
+}

 test.describe("Desktop ChatTab", () => {
  let cleanup: () => Promise<void> = async () => {};
@@ -29,6 +36,7 @@ test.describe("Desktop ChatTab", () => {
  test.beforeEach(async ({ page }) => {
    await page.setViewportSize({ width: 1280, height: 800 });
    await page.goto("/");
+    await enterMapView(page);
    await page.waitForSelector(".react-flow__node", { timeout: 10_000 });
    // Dismiss onboarding guide if present.
    const skipGuide = page.getByText("Skip guide");
@@ -67,6 +75,7 @@ test.describe("Desktop ChatTab", () => {
    await expect(page.getByText("Echo: Persistence test")).toBeVisible({ timeout: 15_000 });

    await page.reload();
+    await enterMapView(page);
    await page.waitForSelector(".react-flow__node", { timeout: 10_000 });
    await page.getByText(workspaceName, { exact: true }).first().click();
    await page.locator('#tab-chat').click();
@@ -143,6 +152,7 @@ test.describe("Desktop ChatTab — Markdown rendering", () => {
  test.beforeEach(async ({ page }) => {
    await page.setViewportSize({ width: 1280, height: 800 });
    await page.goto("/");
+    await enterMapView(page);
    await page.waitForSelector(".react-flow__node", { timeout: 10_000 });
    const skipGuide2 = page.getByText("Skip guide");
    if (await skipGuide2.isVisible().catch(() => false)) {
@@ -0,0 +1,648 @@
+/**
+ * Staging concierge canvas E2E — exercises the platform-agent CONCIERGE shell
+ * (canvas/src/components/concierge/ConciergeShell.tsx and the Settings split)
+ * against a fresh staging org provisioned by the shared global setup
+ * (e2e/staging-setup.ts). Each `test.describe` covers ONE concierge function
+ * and asserts the behaviour works — not merely that an element exists.
+ *
+ * Why this is a SEPARATE spec from staging-tabs.spec.ts (which drives the
+ * Org-map SidePanel tab UI): the two assert different surfaces of the same
+ * tenant. Both reuse the EXACT shared harness — same global setup (one
+ * provisioned org/workspace), same Playwright staging config (matched by the
+ * `staging-*.spec.ts` testMatch), same gated `Canvas tabs E2E` workflow check.
+ * No new harness, no new seeding mechanism.
+ *
+ * One extra precondition this spec needs that staging-tabs does NOT: a
+ * kind='platform' concierge ROW. The CI/SaaS tenant does not self-seed one
+ * (MOLECULE_SEED_PLATFORM_AGENT is unset on CI — workspace-server
+ * cmd/server/main.go), so without it the concierge shell falls back to
+ * roots[0] as a *pseudo*-platform surface and the platform-specific
+ * behaviours (root tag, hidden-from-map) can't be asserted. So this spec
+ * installs one via the SAME admin endpoint the control plane uses at
+ * org-provision time — POST /admin/org/platform-agent (AdminAuth, accepts the
+ * per-tenant admin bearer that global setup already exports). Installing it
+ * re-parents the provisioned hermes workspace UNDER the platform agent
+ * (handlers/platform_agent.go installPlatformAgent), giving us a real
+ * platform ROOT + a real child workspace — exactly the topology the concierge
+ * Home tree and Org-map filter are built to handle.
+ *
+ * This install mutates the shared tenant (re-parents the workspace). It is the
+ * LAST staging spec alphabetically among the topology-touching ones, and
+ * staging-tabs / staging-display read the workspace by id (not by root-ness),
+ * so the re-parent does not break them; Playwright runs workers=1 in file
+ * order, and the install is idempotent.
+ *
+ * Auth model is identical to staging-tabs.spec.ts: feed the per-tenant admin
+ * token as an Authorization: Bearer header on every browser request, mock
+ * /cp/auth/me so AuthGate resolves, and fall any non-auth 401 back to an
+ * empty 200 so a workspace-scoped 401 can't yank us to AuthKit.
+ */
+
+import { test, expect, type Page, type BrowserContext } from "@playwright/test";
+
+const STAGING = process.env.CANVAS_E2E_STAGING === "1";
+
+// Fail-closed, not skip-green (mirrors staging-tabs.spec.ts): a staging run
+// that was REQUESTED (CANVAS_E2E_STAGING=1) but has no tenant state is a
+// provisioning failure, asserted loudly inside the test body — not a skip.
+// CANVAS_E2E_STAGING unset = operator did not request staging = clean skip.
+test.skip(!STAGING, "CANVAS_E2E_STAGING not set — staging-only suite, not requested");
+
+/** Resolve + validate the tenant handoff that global setup exported. */
+function tenantEnv() {
+  const tenantURL = process.env.STAGING_TENANT_URL;
+  const tenantToken = process.env.STAGING_TENANT_TOKEN;
+  const workspaceId = process.env.STAGING_WORKSPACE_ID;
+  const orgID = process.env.STAGING_ORG_ID;
+  if (!tenantURL || !tenantToken || !workspaceId) {
+    throw new Error(
+      "staging-setup.ts did not export STAGING_TENANT_URL / " +
+        "STAGING_TENANT_TOKEN / STAGING_WORKSPACE_ID. CANVAS_E2E_STAGING=1 was " +
+        "set (staging WAS requested) but global setup produced no tenant — a " +
+        "provisioning failure, NOT a reason to skip. See the [staging-setup] " +
+        "log above.",
+    );
+  }
+  return { tenantURL, tenantToken, workspaceId, orgID };
+}
+
+// A fixed, valid uuid for the installed platform agent. Any valid uuid works
+// (the install upserts on this id); reusing one constant keeps re-runs
+// idempotent on the same row. Chosen out of the e2e namespace so it can't
+// collide with a CP-derived org id.
+const PLATFORM_AGENT_ID = "e2e0c1e2-0000-4000-a000-000000c0ce0e";
+const PLATFORM_AGENT_NAME = "E2E Concierge";
+
+/**
+ * Idempotently install the platform-agent (concierge) row on the shared
+ * tenant so the concierge shell resolves a REAL kind='platform' root. Uses
+ * the per-tenant admin bearer + org-id headers, same as staging-display.spec.
+ * Tolerant of a pre-existing install (the endpoint is idempotent) and of a
+ * backend that predates the endpoint (404/405) — in that degraded case the
+ * spec proceeds against the roots[0] fallback and the two platform-specific
+ * assertions self-document why they're loosened.
+ */
+async function installPlatformAgent(
+  page: Page,
+  tenantURL: string,
+  tenantToken: string,
+  orgID: string | undefined,
+): Promise<{ installed: boolean }> {
+  const headers: Record<string, string> = {
+    Authorization: `Bearer ${tenantToken}`,
+    "Content-Type": "application/json",
+  };
+  if (orgID) headers["X-Molecule-Org-Id"] = orgID;
+  const resp = await page.request.post(`${tenantURL}/admin/org/platform-agent`, {
+    headers,
+    data: { id: PLATFORM_AGENT_ID, name: PLATFORM_AGENT_NAME },
+  });
+  const status = resp.status();
+  if (status >= 200 && status < 300) {
+    console.log(`[staging-concierge] platform agent installed (HTTP ${status})`);
+    return { installed: true };
+  }
+  // Endpoint absent on an older backend — proceed against the fallback root.
+  if (status === 404 || status === 405) {
+    console.warn(
+      `[staging-concierge] POST /admin/org/platform-agent returned ${status} — ` +
+        `backend predates the platform-agent endpoint. Proceeding against the ` +
+        `roots[0] concierge fallback; the platform-root / map-hidden assertions ` +
+        `are loosened accordingly.`,
+    );
+    return { installed: false };
+  }
+  throw new Error(
+    `POST /admin/org/platform-agent ${status}: ${await resp.text().catch(() => "")}`,
+  );
+}
+
+/**
+ * Wire the per-tenant bearer + the /cp/auth/me mock + the 401→empty-200
+ * fallback. Verbatim contract from staging-tabs.spec.ts so the concierge spec
+ * authenticates identically (no WorkOS session available to Playwright).
+ */
+async function authenticate(
+  context: BrowserContext,
+  tenantToken: string,
+  workspaceId: string,
+): Promise<void> {
+  await context.setExtraHTTPHeaders({ Authorization: `Bearer ${tenantToken}` });
+
+  await context.route("**/cp/auth/me", (route) =>
+    route.fulfill({
+      status: 200,
+      contentType: "application/json",
+      body: JSON.stringify({
+        user_id: `e2e-test-user-${workspaceId}`,
+        org_id: "e2e-test-org",
+        email: "e2e@test.local",
+      }),
+    }),
+  );
+
+  await context.route("**", async (route, request) => {
+    if (request.resourceType() !== "fetch") return route.fallback();
+    if (request.url().includes("/cp/auth/me")) return route.fallback();
+    let resp;
+    try {
+      resp = await route.fetch();
+    } catch {
+      return route.fallback();
+    }
+    if (resp.status() !== 401) return route.fulfill({ response: resp });
+    const lastSeg =
+      new URL(request.url()).pathname.split("/").filter(Boolean).pop() || "";
+    const looksLikeList = !/^[0-9a-f-]{8,}$/.test(lastSeg);
+    await route.fulfill({
+      status: 200,
+      contentType: "application/json",
+      body: looksLikeList ? "[]" : "{}",
+    });
+  });
+}
+
+/**
+ * Load the concierge shell and wait for hydration. Returns once the icon rail
+ * (the concierge's left nav) is visible — the rail is the shell's outermost
+ * stable landmark and only renders after the canvas store has hydrated.
+ */
+async function loadConcierge(page: Page, tenantURL: string): Promise<void> {
+  page.on("console", (msg) => {
+    if (msg.type() === "error") console.log(`[e2e/console-error] ${msg.text()}`);
+  });
+  await page.goto(tenantURL, { waitUntil: "domcontentloaded" });
+
+  // The canvas store hydrates /workspaces before the desktop shell paints.
+  // Wait for the concierge nav rail OR the hydration-error banner — whichever
+  // wins. Don't wait on networkidle: the shell keeps a WS + polling open.
+  await page.waitForSelector(
+    '[data-testid="nav-home"], [data-testid="hydration-error"]',
+    { timeout: 45_000 },
+  );
+  const hydrationErr = await page
+    .locator('[data-testid="hydration-error"]')
+    .count();
+  expect(
+    hydrationErr,
+    "canvas hydration failed — check staging CP + tenant reachability",
+  ).toBe(0);
+  await expect(
+    page.getByText("Something went wrong", { exact: false }),
+    "app-level ErrorBoundary tripped during concierge hydration",
+  ).toHaveCount(0);
+}
+
+/** Switch the concierge top-level view via the left rail. */
+async function navTo(page: Page, view: "home" | "map" | "settings"): Promise<void> {
+  const btn = page.getByTestId(`nav-${view}`);
+  await expect(btn, `rail button nav-${view} missing`).toBeVisible({ timeout: 10_000 });
+  await btn.click();
+}
+
+// ── shared per-spec setup ──────────────────────────────────────────────────
+// Each test gets a freshly-authenticated context + an installed platform
+// agent. Install lives in beforeEach (idempotent) so any single test can run
+// in isolation (`--grep`), not only in whole-file order.
+let platformInstalled = false;
+
+test.beforeEach(async ({ page, context }) => {
+  const { tenantURL, tenantToken, workspaceId, orgID } = tenantEnv();
+  await authenticate(context, tenantToken, workspaceId);
+  const { installed } = await installPlatformAgent(page, tenantURL, tenantToken, orgID);
+  platformInstalled = installed;
+});
+
+/* ───────────────────────── 1. Concierge shell / nav ──────────────────────── */
+test.describe("concierge shell + nav", () => {
+  test("left rail switches Home / Org map / Settings; topbar shows the org name", async ({
+    page,
+  }) => {
+    const { tenantURL } = tenantEnv();
+    await loadConcierge(page, tenantURL);
+
+    // All three rail destinations are present.
+    for (const v of ["home", "map", "settings"] as const) {
+      await expect(page.getByTestId(`nav-${v}`)).toBeVisible();
+    }
+
+    // Topbar org name is dynamic from GET /org/identity. The endpoint returns
+    // MOLECULE_ORG_NAME (may be "" on a staging tenant), in which case the
+    // shell falls back to "Molecule AI". Either way it must render a
+    // non-empty name — assert the element resolves to real text.
+    const orgName = page.getByTestId("topbar-org-name");
+    await expect(orgName).toBeVisible();
+    await expect
+      .poll(async () => ((await orgName.innerText()) || "").trim().length, {
+        message: "topbar org name never resolved to non-empty text",
+        timeout: 10_000,
+      })
+      .toBeGreaterThan(0);
+
+    // Nav actually switches the active view. Home → Settings → Map → Home,
+    // asserting the destination rail button reflects active state each hop
+    // (the shell toggles the active class; we assert the view content too).
+    await navTo(page, "settings");
+    await expect(page.getByRole("heading", { name: "Settings" })).toBeVisible({
+      timeout: 10_000,
+    });
+
+    await navTo(page, "map");
+    await expect(page.locator('[aria-label="Agent canvas"]')).toBeVisible({
+      timeout: 15_000,
+    });
+
+    await navTo(page, "home");
+    // Home shows the agents/tasks/approvals sub-tab bar.
+    await expect(page.getByTestId("home-subtab-agents")).toBeVisible({
+      timeout: 10_000,
+    });
+  });
+});
+
+/* ─────────────────────────────── 2. Home ─────────────────────────────────── */
+test.describe("concierge Home", () => {
+  test("renders the canonical ChatTab, Agents/Tasks/Approvals sub-tabs, and the platform agent as ROOT", async ({
+    page,
+  }) => {
+    const { tenantURL } = tenantEnv();
+    await loadConcierge(page, tenantURL);
+    await navTo(page, "home");
+
+    // (a) The Home chat panel reuses the EXACT canonical ChatTab — so it must
+    // expose the My Chat / Agent Comms sub-tabs, a message input, and the
+    // attachment affordance, exactly like the map SidePanel chat. The
+    // [data-testid="chat-panel"] root is ChatTab's own marker (canvas/src/
+    // components/tabs/ChatTab.tsx) — asserting it proves the canonical
+    // component is mounted, not a bespoke concierge re-implementation.
+    const chatPanel = page.getByTestId("chat-panel");
+    await expect(chatPanel, "Home did not mount the canonical ChatTab").toBeVisible({
+      timeout: 15_000,
+    });
+    await expect(chatPanel.locator("#chat-tab-my-chat")).toHaveText(/My Chat/);
+    await expect(chatPanel.locator("#chat-tab-agent-comms")).toHaveText(/Agent Comms/);
+    // Switching the chat sub-tab works (My Chat active by default → Agent Comms).
+    await chatPanel.locator("#chat-tab-agent-comms").click();
+    await expect(chatPanel.locator("#chat-tab-agent-comms")).toHaveAttribute(
+      "aria-selected",
+      "true",
+    );
+    await chatPanel.locator("#chat-tab-my-chat").click();
+    await expect(chatPanel.locator("#chat-tab-my-chat")).toHaveAttribute(
+      "aria-selected",
+      "true",
+    );
+    // Message input + attachment affordance (My Chat panel). The attach
+    // control is the labelled button (the underlying <input type=file> is
+    // aria-hidden); both are always present (disabled when the agent is
+    // unreachable), so assert presence, not enabled-state.
+    await expect(
+      chatPanel.locator('textarea[aria-label="Message to agent"]'),
+      "ChatTab message input missing",
+    ).toHaveCount(1);
+    await expect(
+      chatPanel.locator('button[aria-label="Attach file"]'),
+      "ChatTab attachment affordance missing",
+    ).toHaveCount(1);
+
+    // (b) Agents / Tasks / Approvals sub-tabs switch the Home sidebar pane.
+    await page.getByTestId("home-subtab-tasks").click();
+    await expect(page.getByTestId("home-subtab-tasks")).toHaveClass(/active/);
+    await page.getByTestId("home-subtab-approvals").click();
+    await expect(page.getByTestId("home-subtab-approvals")).toHaveClass(/active/);
+    await page.getByTestId("home-subtab-agents").click();
+    await expect(page.getByTestId("home-subtab-agents")).toHaveClass(/active/);
+
+    // (c) The agent tree shows the platform agent as ROOT. After install the
+    // platform agent is a kind='platform' root carrying the "root" tag, with
+    // the provisioned workspace re-parented under it (depth>0). When the
+    // backend predates the install endpoint, roots[0] is the pseudo-root and
+    // the "root" tag is absent (it only renders for a real kind='platform'
+    // root) — so we gate the strong assertion on a successful install.
+    const tree = page.getByTestId("agent-tree-node");
+    await expect(tree.first(), "agent tree rendered no nodes").toBeVisible({
+      timeout: 10_000,
+    });
+    if (platformInstalled) {
+      // The depth-0 node is the platform agent and it carries the root tag.
+      const rootNode = page
+        .locator('[data-testid="agent-tree-node"][data-depth="0"]')
+        .first();
+      await expect(rootNode).toHaveAttribute("data-platform", "true");
+      await expect(
+        rootNode.locator('[data-testid="agent-tree-root-tag"]'),
+        "platform root is missing the ROOT tag",
+      ).toBeVisible();
+      // And the provisioned workspace is nested beneath it (a child node exists).
+      await expect(
+        page.locator('[data-testid="agent-tree-node"][data-depth="1"]'),
+        "the provisioned workspace did not re-parent under the platform root",
+      ).toHaveCount(1, { timeout: 10_000 });
+    } else {
+      // Degraded backend: at least the tree renders a root-level node.
+      await expect(
+        page.locator('[data-testid="agent-tree-node"][data-depth="0"]'),
+      ).not.toHaveCount(0);
+    }
+  });
+});
+
+/* ─────────────────────────────── 3. Org map ──────────────────────────────── */
+test.describe("concierge Org map", () => {
+  test("hides the platform agent from the node graph; normal workspaces render", async ({
+    page,
+  }) => {
+    const { tenantURL } = tenantEnv();
+    await loadConcierge(page, tenantURL);
+    await navTo(page, "map");
+
+    // The React Flow canvas renders.
+    await expect(page.locator('[aria-label="Molecule AI workspace canvas"]')).toBeVisible({
+      timeout: 15_000,
+    });
+
+    // Normal workspaces render as map node cards (WorkspaceNode →
+    // data-testid="workspace-node"). The provisioned hermes workspace must
+    // appear. expect.poll lets React Flow finish its layout pass.
+    await expect
+      .poll(async () => page.locator('[data-testid="workspace-node"]').count(), {
+        message: "no workspace nodes rendered on the org map",
+        timeout: 15_000,
+      })
+      .toBeGreaterThan(0);
+
+    // The concierge (platform agent) is HIDDEN from the graph: no map node
+    // carries its name. WorkspaceNode's aria-label is "<name> workspace —
+    // <status>" — assert none matches the platform agent name. This is the
+    // real behaviour stripPlatformRootForMap implements (Canvas.tsx /
+    // canvas-topology.ts). Only meaningful when we actually installed one.
+    if (platformInstalled) {
+      const platformNode = page.locator(
+        `[data-testid="workspace-node"][aria-label^="${PLATFORM_AGENT_NAME} workspace"]`,
+      );
+      await expect(
+        platformNode,
+        "the platform agent (concierge) leaked into the org-map node graph — " +
+          "stripPlatformRootForMap should exclude it",
+      ).toHaveCount(0);
+    }
+  });
+});
+
+/* ─────────────────────── 4. Settings — two tabs ──────────────────────────── */
+test.describe("concierge Settings — two tabs", () => {
+  test("Platform-agent config and Org & canvas settings are separate panes; platform tab shows the full WorkspacePanelTabs defaulting to Config", async ({
+    page,
+  }) => {
+    const { tenantURL } = tenantEnv();
+    await loadConcierge(page, tenantURL);
+    await navTo(page, "settings");
+
+    const platformTab = page.getByTestId("settings-tab-platform");
+    const orgTab = page.getByTestId("settings-tab-org");
+    await expect(platformTab).toBeVisible({ timeout: 10_000 });
+    await expect(orgTab).toBeVisible();
+
+    // Platform tab is the default; its pane is shown and the org pane is not.
+    await expect(platformTab).toHaveAttribute("aria-selected", "true");
+    await expect(page.getByTestId("settings-pane-platform")).toBeVisible();
+    await expect(page.getByTestId("settings-pane-org")).toHaveCount(0);
+
+    // The platform pane embeds the FULL WorkspacePanelTabs (the SAME tablist
+    // the map SidePanel renders) and defaults to the Config tab. Assert the
+    // canonical workspace tablist is present, that Config is the active tab,
+    // and that the other signature tabs exist (Plugins, Container, Display,
+    // Details, Activity, Terminal, Channels, Schedule).
+    const wsTablist = page.getByRole("tablist", { name: "Workspace panel tabs" });
+    await expect(
+      wsTablist,
+      "platform-agent Settings tab did not embed WorkspacePanelTabs",
+    ).toBeVisible({ timeout: 15_000 });
+    await expect(page.locator("#tab-config")).toHaveAttribute(
+      "aria-selected",
+      "true",
+    );
+    for (const id of [
+      "config",
+      "skills",
+      "container-config",
+      "display",
+      "details",
+      "activity",
+      "terminal",
+      "channels",
+      "schedule",
+    ]) {
+      await expect(
+        page.locator(`#tab-${id}`),
+        `WorkspacePanelTabs is missing #tab-${id}`,
+      ).toHaveCount(1);
+    }
+
+    // Clicking the OTHER settings tab switches panes (not just toggles a
+    // class): the org pane mounts and the platform pane unmounts.
+    await orgTab.click();
+    await expect(orgTab).toHaveAttribute("aria-selected", "true");
+    await expect(page.getByTestId("settings-pane-org")).toBeVisible();
+    await expect(page.getByTestId("settings-pane-platform")).toHaveCount(0);
+
+    // And back.
+    await platformTab.click();
+    await expect(page.getByTestId("settings-pane-platform")).toBeVisible();
+    await expect(page.getByTestId("settings-pane-org")).toHaveCount(0);
+  });
+});
+
+/* ─────────────────────── 5. Settings — Config tab ────────────────────────── */
+test.describe("concierge Settings — Config tab dropdowns", () => {
+  test("runtime dropdown is SSOT-driven; provider hides Platform on self-host but lists BYOK; model follows provider", async ({
+    page,
+  }) => {
+    const { tenantURL } = tenantEnv();
+    await loadConcierge(page, tenantURL);
+    await navTo(page, "settings");
+
+    // Platform tab defaults to the Config tab — the runtime select is in the
+    // ConfigTab "Runtime" section (label "Runtime"). Wait for it to settle.
+    await expect(
+      page.getByRole("tablist", { name: "Workspace panel tabs" }),
+    ).toBeVisible({ timeout: 15_000 });
+    // The runtime <select> sits under the "Runtime" label inside the Config
+    // panel. Use the label association for a stable hook.
+    const runtimeByLabel = page.locator('#panel-config').getByLabel("Runtime", {
+      exact: true,
+    });
+    await expect(
+      runtimeByLabel,
+      "ConfigTab runtime dropdown never rendered",
+    ).toBeVisible({ timeout: 15_000 });
+
+    // (a) Runtime dropdown is SSOT-driven: the options come from GET
+    // /templates (loadRuntimesFromManifest), so the live tenant must serve a
+    // non-trivial set. Assert >= 1 runtime option AND that the provisioned
+    // workspace's runtime (hermes) is among them — proving the list reflects
+    // what /templates actually serves, not a stale hard-coded allowlist.
+    const runtimeOptionValues = await runtimeByLabel
+      .locator("option")
+      .evaluateAll((els) => els.map((e) => (e as HTMLOptionElement).value));
+    expect(
+      runtimeOptionValues.length,
+      "runtime dropdown rendered no options — SSOT /templates feed is empty",
+    ).toBeGreaterThan(0);
+    expect(
+      runtimeOptionValues,
+      "runtime dropdown does not list the provisioned 'hermes' runtime — the " +
+        "SSOT /templates list has drifted",
+    ).toContain("hermes");
+
+    // (b) Provider dropdown: on self-host (no platform proxy) it must NOT
+    // offer the "Platform" billing option but MUST list BYOK providers. The
+    // ProviderModelSelector exposes data-testid="provider-select". Read its
+    // option labels: none should be the "Platform" proxy entry, and the list
+    // must be non-empty (BYOK providers present). /org/identity's
+    // platform_managed_available=false on a staging tenant drives this.
+    const providerSelect = page.getByTestId("provider-select");
+    await expect(
+      providerSelect,
+      "ConfigTab provider dropdown (ProviderModelSelector) never rendered",
+    ).toBeVisible({ timeout: 15_000 });
+    const providerLabels = await providerSelect
+      .locator("option")
+      .evaluateAll((els) =>
+        els
+          .map((e) => (e.textContent || "").trim())
+          .filter((t) => t && !t.startsWith("—")),
+      );
+    expect(
+      providerLabels.length,
+      "provider dropdown lists no BYOK providers",
+    ).toBeGreaterThan(0);
+    expect(
+      providerLabels.map((l) => l.toLowerCase()),
+      'provider dropdown offered the "Platform" proxy option on a self-host / ' +
+        "no-proxy tenant (platform_managed_available should hide it)",
+    ).not.toContain("platform");
+
+    // (c) Model dropdown follows the provider. The model control is
+    // data-testid="model-select" (dropdown) or model-input (free-text
+    // wildcard). Whichever renders, it must be present — proving the model
+    // control is wired to the provider selection.
+    const modelControl = page
+      .locator('[data-testid="model-select"], [data-testid="model-input"]')
+      .first();
+    await expect(
+      modelControl,
+      "model control did not follow the provider selection",
+    ).toBeVisible({ timeout: 10_000 });
+  });
+});
+
+/* ────────────────── 6. Settings — Org & canvas settings ──────────────────── */
+test.describe("concierge Settings — Org & canvas", () => {
+  test("Secrets / Workspace Tokens / Org API Keys / Organization sub-tabs render; Organization shows the org (no 404)", async ({
+    page,
+  }) => {
+    const { tenantURL } = tenantEnv();
+    await loadConcierge(page, tenantURL);
+    await navTo(page, "settings");
+
+    await page.getByTestId("settings-tab-org").click();
+    const orgPane = page.getByTestId("settings-pane-org");
+    await expect(orgPane).toBeVisible({ timeout: 10_000 });
+
+    // The four SettingsTabs (canvas/src/components/settings/SettingsTabs.tsx)
+    // render as a radix tablist labelled "Settings sections". Assert all four
+    // triggers are present.
+    const settingsTablist = orgPane.getByRole("tablist", {
+      name: "Settings sections",
+    });
+    await expect(settingsTablist).toBeVisible({ timeout: 10_000 });
+    for (const label of [
+      "Secrets",
+      "Workspace Tokens",
+      "Org API Keys",
+      "Organization",
+    ]) {
+      await expect(
+        settingsTablist.getByRole("tab", { name: label }),
+        `Org & canvas settings is missing the "${label}" sub-tab`,
+      ).toBeVisible();
+    }
+
+    // Click the Organization sub-tab — on self-host the canvas reads
+    // /org/identity (NOT the CP /cp/orgs endpoint), so it must render the org
+    // identity card and NOT a 404 / error state. Assert the pane settles to
+    // real, non-error content.
+    await settingsTablist.getByRole("tab", { name: "Organization" }).click();
+    const orgInfoPanel = orgPane.locator(
+      '[role="tabpanel"]:not([hidden])',
+    );
+    await expect(orgInfoPanel).toBeVisible({ timeout: 10_000 });
+    await expect
+      .poll(
+        async () => {
+          const text = ((await orgInfoPanel.innerText()) || "").trim();
+          return text.length > 0 && !/404|not found/i.test(text);
+        },
+        {
+          message:
+            "Organization sub-tab rendered empty or a 404/not-found — the " +
+            "self-host /org/identity path is broken",
+          timeout: 15_000,
+        },
+      )
+      .toBe(true);
+    // And no visible error alert inside the org settings pane.
+    await expect(orgPane.locator('[role="alert"]:visible')).toHaveCount(0);
+  });
+});
+
+/* ───────────────────────────── 7. Map toolbar ────────────────────────────── */
+test.describe("concierge Org map toolbar", () => {
+  test("settings gear, theme toggle and legend are NOT on the map toolbar (moved to Settings/topbar)", async ({
+    page,
+  }) => {
+    const { tenantURL } = tenantEnv();
+    await loadConcierge(page, tenantURL);
+    await navTo(page, "map");
+    await expect(page.locator('[aria-label="Molecule AI workspace canvas"]')).toBeVisible({
+      timeout: 15_000,
+    });
+
+    // The map toolbar no longer carries a settings gear, a theme toggle, or a
+    // legend — those moved to the concierge Settings (left rail) + topbar
+    // (Toolbar.tsx: "Theme picker + settings gear removed from the map
+    // toolbar"). Assert the map view contains none of them.
+    //
+    // Scope to the map mount (<main aria-label="Agent canvas">, ConciergeShell)
+    // so the legitimate left-rail Settings button + the topbar theme toggle
+    // (which live OUTSIDE the map) are not counted.
+    const mapRegion = page.locator('[aria-label="Agent canvas"]');
+    await expect(mapRegion).toBeVisible({ timeout: 10_000 });
+
+    // No settings-gear control inside the map. The old gear used
+    // title="Settings" / aria-label "Settings".
+    await expect(
+      mapRegion.locator('button[title="Settings"], button[aria-label="Settings"]'),
+      "a settings gear is still on the map toolbar (should be moved to Settings)",
+    ).toHaveCount(0);
+
+    // No theme toggle inside the map. The toggle's accessible name is
+    // "Toggle theme" — it now lives only in the topbar.
+    await expect(
+      mapRegion.locator('button[title="Toggle theme"], button[aria-label*="theme" i]'),
+      "a theme toggle is still on the map toolbar (should be in the topbar)",
+    ).toHaveCount(0);
+
+    // No legend inside the map. The Legend component's controls have accessible
+    // names "Show legend" / "Hide legend" and the panel carries
+    // data-testid="legend-panel" (canvas/src/components/Legend.tsx). It is no
+    // longer mounted in Canvas/Toolbar at all — assert none of its surfaces.
+    await expect(
+      mapRegion.locator(
+        '[data-testid="legend-panel"], button[aria-label="Show legend"], button[aria-label="Hide legend"]',
+      ),
+      "a legend is still on the map toolbar (should be removed)",
+    ).toHaveCount(0);
+  });
+});
@@ -341,11 +341,15 @@ export default async function globalSetup(_config: FullConfig): Promise<void> {
          );
          return true;
        }
-        // Real boot regression — hard-throw immediately with full detail.
+        // #2032: tolerate transient 'failed' during boot — some runtimes
+        // briefly report failed before recovering to online (e.g. agent
+        // restart during init). Retry instead of hard-throwing; genuine
+        // terminal failures will still surface via waitFor timeout.
        const detail = sampleErr
          ? sampleErr
          : `(no last_sample_error) full body: ${JSON.stringify(r.body)}`;
-        throw new Error(`Workspace failed: ${detail}`);
+        console.warn(`[staging-setup] transient failed (retrying): ${detail}`);
+        return null;
      }
      return null;
    },
@@ -52,8 +52,10 @@ describe("prefers-reduced-motion compliance", () => {
    expect(src).toContain("motion-safe:animate-pulse");
  });

-  it("SidePanel.tsx uses motion-safe:animate-pulse", () => {
-    const src = readSrc("components/SidePanel.tsx");
+  it("WorkspacePanelTabs.tsx uses motion-safe:animate-pulse", () => {
+    // The connection-status dot moved out of SidePanel.tsx into the extracted
+    // WorkspacePanelTabs.tsx; verify the reduced-motion guard followed it.
+    const src = readSrc("components/WorkspacePanelTabs.tsx");
    expect(src.includes("animate-pulse") && !src.includes("motion-safe:animate-pulse")).toBe(false);
    expect(src).toContain("motion-safe:animate-pulse");
  });
@@ -10,7 +10,7 @@ import { describe, it, expect, vi } from "vitest";
 // transform). We import layout.tsx only for its exported `metadata`
 // constant — mock the font module to a constructor-returning stub.
 vi.mock("next/font/google", () => ({
-  Inter: () => ({ variable: "--font-inter" }),
+  Hanken_Grotesk: () => ({ variable: "--font-hanken" }),
  JetBrains_Mono: () => ({ variable: "--font-jetbrains" }),
 }));

@@ -42,48 +42,52 @@
 * before paint to eliminate flash.
 */
@theme {
+  /* Org Concierge palette (RFC platform-agent / canvas redesign). Warm-paper
+     light theme + purple accent replacing the old blue brand. */
  /* Surface — page / elevated card / sunken input / deep card */
-  --color-surface: #fafaf7;
+  --color-surface: #f1efe8;
  --color-surface-elevated: #ffffff;
-  --color-surface-sunken: #f3f1ec;
-  --color-surface-card: #efece4;
+  --color-surface-sunken: #f6f4ee;
+  --color-surface-card: #faf9f4;

  /* Borders */
-  --color-line: #e6e2d8;
-  --color-line-soft: #efece4;
+  --color-line: #ddd9cf;
+  --color-line-soft: #ebe8df;

  /* Text */
-  --color-ink: #15181c;
-  --color-ink-mid: #5a5e66;
-  --color-ink-soft: #8b8e95;
+  --color-ink: #21201b;
+  --color-ink-mid: #5c5a52;
+  --color-ink-soft: #6f6c62;

-  /* Brand + state */
-  --color-accent: #3b5bdb;
-  --color-accent-strong: #1a2f99;
-  --color-warm: #c0532b;
-  --color-good: #2f7a4d;
-  --color-bad: #b94e4a;
+  /* Brand + state — purple accent (concept #7c3aed); light good/bad kept
+     slightly darker than the raw concept hues for WCAG AA on the paper tints. */
+  --color-accent: #7c3aed;
+  --color-accent-strong: #6d28d9;
+  --color-warm: #c47e12;
+  --color-good: #0c8a52;
+  --color-bad: #c2403c;
 }

 [data-theme="dark"] {
-  --color-surface: #0e1014;
-  --color-surface-elevated: #15181c;
-  --color-surface-sunken: #0a0b0e;
-  --color-surface-card: #1a1d23;
+  /* Org Concierge dark palette — near-black panels, bright purple accent. */
+  --color-surface: #08080a;
+  --color-surface-elevated: #16161d;
+  --color-surface-sunken: #0d0d11;
+  --color-surface-card: #1b1b23;

-  --color-line: #2a2f3a;
-  --color-line-soft: #1f2329;
+  --color-line: #26262e;
+  --color-line-soft: #1b1b22;

-  --color-ink: #f4f1e9;
-  --color-ink-mid: #c8c2b4;
-  --color-ink-soft: #8d92a0;
+  --color-ink: #ececf1;
+  --color-ink-mid: #9b9baa;
+  --color-ink-soft: #65656f;

-  /* Accents brighten slightly for AA contrast on dark backgrounds. */
-  --color-accent: #6883e8;
-  --color-accent-strong: #8aa1ee;
-  --color-warm: #d96f48;
-  --color-good: #4ca06e;
-  --color-bad: #d27773;
+  /* Purple accent brightened for AA on the near-black surfaces. */
+  --color-accent: #a78bfa;
+  --color-accent-strong: #c4b5fd;
+  --color-warm: #fbbf24;
+  --color-good: #34d399;
+  --color-bad: #f87171;
 }

 :root {
@@ -107,15 +111,22 @@
 * component, not per theme.
 */
@theme {
-  --color-bg: rgb(9 9 11);            /* zinc-950 */
-  --color-bg-elev: rgb(24 24 27);     /* zinc-900 */
-  --color-bg-card: rgb(39 39 42);     /* zinc-800 */
-  --color-line-strong: rgb(63 63 70); /* zinc-700 */
-  --color-ink-mute: rgb(161 161 170); /* zinc-400 */
-  --color-ink-dim: rgb(113 113 122);  /* zinc-500 */
-  --color-accent-dim: rgb(96 165 250);/* blue-400 */
-  --color-plasma: rgb(59 130 246);    /* blue-500 */
+  /* Org Concierge canvas palette (near-black + purple). */
+  --color-bg: rgb(8 8 10);            /* concept --bg #08080a */
+  --color-bg-elev: rgb(22 22 29);     /* concept --card #16161d */
+  --color-bg-card: rgb(27 27 35);     /* concept --card-2 #1b1b23 */
+  --color-line-strong: rgb(54 54 64);
+  --color-ink-mute: rgb(155 155 170); /* concept --tx-2 */
+  --color-ink-dim: rgb(101 101 111);  /* concept --tx-3 */
+  --color-accent-dim: rgb(167 139 250);/* concept --accent-2 #a78bfa */
+  --color-plasma: rgb(139 92 246);    /* concept --accent #8b5cf6 */
  --color-warn: rgb(251 191 36);      /* amber-400 */
+
+  /* Typography — Org Concierge (Hanken Grotesk UI, JetBrains Mono code).
+     next/font variables are set on <html> in the canvas layout. */
+  --font-sans: var(--font-hanken), ui-sans-serif, system-ui, -apple-system,
+    "Segoe UI", Roboto, sans-serif;
+  --font-mono: var(--font-jetbrains), ui-monospace, "SF Mono", Menlo, monospace;
 }

 body {
@@ -124,7 +135,8 @@ body {
  overflow: hidden;
  background-color: var(--color-surface);
  color: var(--color-ink);
-  font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", sans-serif;
+  font-family: var(--font-hanken), -apple-system, BlinkMacSystemFont, "Segoe UI",
+    Roboto, "Helvetica Neue", sans-serif;
  -webkit-font-smoothing: antialiased;
  -moz-osx-font-smoothing: grayscale;
 }
@@ -1,5 +1,5 @@
 import type { Metadata } from "next";
-import { Inter, JetBrains_Mono } from "next/font/google";
+import { Hanken_Grotesk, JetBrains_Mono } from "next/font/google";
 import { cookies, headers } from "next/headers";
 import "./globals.css";

@@ -7,10 +7,13 @@ import "./globals.css";
 // because Next.js serves the .woff2 from /_next/static). Exposed as
 // CSS variables so the mobile palette can reference them without
 // importing this module.
-const interFont = Inter({
+// Org Concierge UI typeface (canvas redesign): Hanken Grotesk, exposed as
+// --font-hanken and consumed by the --font-sans theme token in globals.css.
+const interFont = Hanken_Grotesk({
  subsets: ["latin"],
+  weight: ["400", "500", "600", "700"],
  display: "swap",
-  variable: "--font-inter",
+  variable: "--font-hanken",
 });
 const monoFont = JetBrains_Mono({
  subsets: ["latin"],
@@ -161,6 +164,12 @@ export default async function RootLayout({
         */}
        <script
          nonce={nonce}
+          // The browser strips the nonce attribute off <script> after applying
+          // CSP, so the hydrated DOM shows nonce="" while React's tree carries
+          // the real value — a benign, expected server/client diff. Suppress
+          // the hydration warning for this element (same rationale as the
+          // <html> suppressHydrationWarning above).
+          suppressHydrationWarning
          dangerouslySetInnerHTML={{ __html: themeBootScript }}
        />
        {/*
@@ -186,6 +195,7 @@ export default async function RootLayout({
        <script
          type="application/ld+json"
          nonce={nonce}
+          suppressHydrationWarning
          dangerouslySetInnerHTML={{
            __html: JSON.stringify({
              "@context": "https://schema.org",
@@ -179,7 +179,6 @@ function Shell({
          <p className="mt-2 text-ink-mid">
            Each org is an isolated Molecule workspace.
          </p>
-          <DataResidencyNotice />
          <div className="mt-8">{children}</div>
        </div>
      </TermsGate>
@@ -220,25 +219,6 @@ function AccountBar({ session }: { session: Session }) {
    </div>
  );
 }
-
-// DataResidencyNotice surfaces where workspace data lives so EU-based
-// signups can make an informed choice (GDPR Art. 13 disclosure
-// requirement). Plain text, no icon — the goal is clarity, not
-// decoration. A future EU region selector can replace this with a
-// region dropdown.
-function DataResidencyNotice() {
-  return (
-    <p className="mt-3 rounded border border-line bg-surface-sunken/60 px-3 py-2 text-xs text-ink-mid">
-      Workspaces run in AWS us-east-2 (Ohio, United States). EU region support is on the roadmap — reach out to
-      {" "}
-      <a href="mailto:support@moleculesai.app" className="underline">
-        support@moleculesai.app
-      </a>
-      {" "}if you need data residency in another region today.
-    </p>
-  );
-}
-
 function OrgRow({ org }: { org: Org }) {
  return (
    <li className="rounded-lg border border-line bg-surface-sunken p-4">
@@ -1,9 +1,7 @@
 "use client";

 import { useEffect, useState } from "react";
-import { Canvas } from "@/components/Canvas";
-import { Legend } from "@/components/Legend";
-import { CommunicationOverlay } from "@/components/CommunicationOverlay";
+import { ConciergeShell } from "@/components/concierge/ConciergeShell";
 import { MobileApp } from "@/components/mobile/MobileApp";
 import { Spinner } from "@/components/Spinner";
 import { connectSocket, disconnectSocket } from "@/store/socket";
@@ -115,11 +113,7 @@ export default function Home() {

  return (
    <>
-      <main aria-label="Agent canvas">
-        <Canvas />
-      </main>
-      <Legend />
-      <CommunicationOverlay />
+      <ConciergeShell />
      {hydrationError && (
        <div
          role="alert"
@@ -13,8 +13,11 @@ import {
 import "@xyflow/react/dist/style.css";

 import { useCanvasStore } from "@/store/canvas";
+import { WORKSPACE_KIND } from "@/lib/workspace-kind";
+import { stripPlatformRootForMap } from "@/store/canvas-topology";
 import { useTheme } from "@/lib/theme-provider";
 import { A2ATopologyOverlay } from "./A2ATopologyOverlay";
+import { MessageFlightLayer } from "./MessageFlightLayer";
 import { WorkspaceNode } from "./WorkspaceNode";
 import { SidePanel } from "./SidePanel";
 import { CreateWorkspaceButton } from "./CreateWorkspaceDialog";
@@ -78,15 +81,38 @@ function CanvasInner() {
  // half-themed page. Pull resolvedTheme so the canvas matches the user's
  // selected mode (and the system preference when they pick "system").
  const { resolvedTheme } = useTheme();
-  const rawNodes = useCanvasStore((s) => s.nodes);
-  const edges = useCanvasStore((s) => s.edges);
+  const storeNodes = useCanvasStore((s) => s.nodes);
+  const storeEdges = useCanvasStore((s) => s.edges);
  const a2aEdges = useCanvasStore((s) => s.a2aEdges);
  const showA2AEdges = useCanvasStore((s) => s.showA2AEdges);
  const deletingIds = useCanvasStore((s) => s.deletingIds);
-  const allEdges = useMemo(
-    () => (showA2AEdges ? [...edges, ...a2aEdges] : edges),
-    [edges, a2aEdges, showA2AEdges],
+  // Hide the org-level platform agent (the concierge) from the map graph: it is
+  // the undeletable org ROOT surfaced in the shell (topbar + Home tree), not a
+  // draggable/deletable map node. Its direct children are reparented to
+  // top-level and tree edges touching it are dropped. The store keeps the full
+  // node set, so the shell's Home agent tree still renders it as ROOT.
+  const { nodes: rawNodes, edges } = useMemo(
+    () => stripPlatformRootForMap(storeNodes, storeEdges),
+    [storeNodes, storeEdges],
  );
+  const platformIds = useMemo(
+    () =>
+      new Set(
+        storeNodes
+          .filter((n) => n.data.kind === WORKSPACE_KIND.Platform)
+          .map((n) => n.id),
+      ),
+    [storeNodes],
+  );
+  const allEdges = useMemo(() => {
+    if (!showA2AEdges) return edges;
+    // Drop A2A edges that touch the hidden platform root so React Flow doesn't
+    // warn about an edge to a missing node.
+    const a2a = a2aEdges.filter(
+      (e) => !platformIds.has(e.source) && !platformIds.has(e.target),
+    );
+    return [...edges, ...a2a];
+  }, [edges, a2aEdges, showA2AEdges, platformIds]);
  // Drag-lock during a system-owned operation (deploy OR delete).
  // React Flow respects Node.draggable, which stops the gesture
  // before it starts — preventDefault() on the drag-start callback
@@ -277,7 +303,7 @@ function CanvasInner() {
      >
        Skip to canvas
      </a>
-      <main id="canvas-main" className="w-screen h-screen bg-surface">
+      <main id="canvas-main" className="w-full h-full bg-surface">
        <ReactFlow
          colorMode={resolvedTheme}
          nodes={nodes}
@@ -346,6 +372,10 @@ function CanvasInner() {
            nodeBorderRadius={4}
          />
          <DropTargetBadge />
+          {/* Flies an envelope between agents on each delegate/message event.
+              Inside <ReactFlow> so its ViewportPortal renders in flow coords
+              and tracks pan/zoom. */}
+          <MessageFlightLayer />
        </ReactFlow>

        {/* Screen-reader live region — announces workspace count on initial load and
@@ -60,6 +60,16 @@ const BASE_RUNTIME_TEMPLATE_IDS = new Set(["claude-code-default", "codex", "goog
 const DEFAULT_HEADLESS_INSTANCE_TYPE = "t3.medium";
 const DEFAULT_HEADLESS_ROOT_GB = 30;
 const DEFAULT_DISPLAY_INSTANCE_TYPE = "t3.xlarge";
+
+// Per-workspace cloud/compute backend (multi-provider RFC). "aws" is the default
+// EC2 path; "gcp"/"hetzner" route to the matching CP WorkspaceProvisioner. A
+// workspace whose cloud differs from its tenant's is reached over a per-workspace
+// Cloudflare tunnel (runtime#95). Distinct from the LLM/model provider.
+const CLOUD_PROVIDER_OPTIONS = [
+  { value: "aws", label: "AWS (default)" },
+  { value: "gcp", label: "GCP" },
+  { value: "hetzner", label: "Hetzner" },
+];
 const DEFAULT_DISPLAY_ROOT_GB = 80;

 export function CreateWorkspaceButton() {
@@ -77,6 +87,10 @@ export function CreateWorkspaceButton() {
  const [displayInstanceType, setDisplayInstanceType] = useState(DEFAULT_DISPLAY_INSTANCE_TYPE);
  const [displayRootGB, setDisplayRootGB] = useState(String(DEFAULT_DISPLAY_ROOT_GB));
  const [displayResolution, setDisplayResolution] = useState("1920x1080");
+  // Cloud/compute backend for the workspace box (multi-provider, per-workspace).
+  // "aws" default; "gcp"/"hetzner" route to the matching CP WorkspaceProvisioner
+  // (a non-tenant-cloud box is reached over a per-workspace tunnel, runtime#95).
+  const [cloudProvider, setCloudProvider] = useState("aws");
  // Templates fetched from /api/templates — drives the dynamic provider
  // filter below. Same data source ConfigTab uses (PR #2454). When the
  // selected template declares `runtime_config.providers` in its
@@ -266,6 +280,7 @@ export function CreateWorkspaceButton() {
    setDisplayInstanceType(DEFAULT_DISPLAY_INSTANCE_TYPE);
    setDisplayRootGB(String(DEFAULT_DISPLAY_ROOT_GB));
    setDisplayResolution("1920x1080");
+    setCloudProvider("aws");
    setExternalRuntime("external");
    setLLMSelection({ providerId: "", model: "", envVars: [] });
    setLLMSecret("");
@@ -355,11 +370,16 @@ export function CreateWorkspaceButton() {
                      width: Number.isFinite(displayWidth) ? displayWidth : 1920,
                      height: Number.isFinite(displayHeight) ? displayHeight : 1080,
                    },
+                    // Only meaningful when CP provisions the box (SaaS), where
+                    // the picker is shown. Omit on self-hosted so the payload is
+                    // unchanged there.
+                    ...(isSaaS ? { provider: cloudProvider } : {}),
                  }
                : {
                    instance_type: DEFAULT_HEADLESS_INSTANCE_TYPE,
                    volume: { root_gb: DEFAULT_HEADLESS_ROOT_GB },
                    display: { mode: "none" },
+                    ...(isSaaS ? { provider: cloudProvider } : {}),
                  },
            }
          : {}),
@@ -599,6 +619,26 @@ export function CreateWorkspaceButton() {
                <div className="mb-2 text-[11px] font-medium text-ink-mid">
                  Container Config
                </div>
+                {/* Cloud provider — only meaningful when CP provisions the box
+                    (SaaS). A non-tenant-cloud workspace is reached over a
+                    per-workspace Cloudflare tunnel (runtime#95). */}
+                {isSaaS && (
+                  <label htmlFor="workspace-cloud-provider" className="mb-3 grid gap-1">
+                    <span className="text-xs font-medium text-ink">Cloud provider</span>
+                    <select
+                      id="workspace-cloud-provider"
+                      value={cloudProvider}
+                      onChange={(e) => setCloudProvider(e.target.value)}
+                      className="w-full bg-surface-card/60 border border-line/50 rounded-lg px-3 py-2 text-sm text-ink focus:outline-none focus:border-accent/60 focus:ring-1 focus:ring-accent/20 transition-colors"
+                    >
+                      {CLOUD_PROVIDER_OPTIONS.map((p) => (
+                        <option key={p.value} value={p.value}>
+                          {p.label}
+                        </option>
+                      ))}
+                    </select>
+                  </label>
+                )}
                <label className="flex items-center justify-between gap-3">
                  <span className="text-xs font-medium text-ink">Display</span>
                  <input
@@ -0,0 +1,84 @@
+/** FlightEnvelope — a single envelope that animates from `from` to `to` and
+ *  fades out, used by both the canvas (flow coords inside a ViewportPortal) and
+ *  the concierge home (screen coords inside a fixed overlay). The parent owns
+ *  the coordinate space; this component only animates the translate delta.
+ *
+ *  Uses the Web Animations API so the from/to delta can be dynamic per flight
+ *  (a static CSS @keyframes can't translate to a runtime-computed point). */
+import { useEffect, useRef } from "react";
+import { FLIGHT_DURATION_MS, type A2AFlightKind } from "@/hooks/useA2AFlights";
+
+/** Stroke colour by activity kind — mirrors CommunicationOverlay's palette
+ *  (send = cyan, receive = violet/accent, task = warm) so the two surfaces
+ *  read as the same event. */
+const KIND_COLOR: Record<A2AFlightKind, string> = {
+  send: "#22d3ee",
+  receive: "#8b5cf6",
+  task: "#f5a623",
+};
+
+export interface Point {
+  x: number;
+  y: number;
+}
+
+export function FlightEnvelope({
+  from,
+  to,
+  kind,
+}: {
+  from: Point;
+  to: Point;
+  kind: A2AFlightKind;
+}) {
+  const ref = useRef<HTMLDivElement>(null);
+
+  useEffect(() => {
+    const el = ref.current;
+    // Element.animate is unavailable in some test/SSR environments — degrade to
+    // a static (instantly-finished) envelope rather than throw.
+    if (!el || typeof el.animate !== "function") return;
+    const dx = to.x - from.x;
+    const dy = to.y - from.y;
+    const anim = el.animate(
+      [
+        { transform: "translate(-50%,-50%) translate(0px,0px) scale(0.45)", opacity: 0 },
+        { opacity: 1, offset: 0.16 },
+        { opacity: 1, offset: 0.8 },
+        { transform: `translate(-50%,-50%) translate(${dx}px,${dy}px) scale(1)`, opacity: 0 },
+      ],
+      { duration: FLIGHT_DURATION_MS, easing: "cubic-bezier(0.45, 0, 0.25, 1)", fill: "forwards" },
+    );
+    return () => anim.cancel();
+  }, [from.x, from.y, to.x, to.y]);
+
+  const color = KIND_COLOR[kind];
+  return (
+    <div
+      ref={ref}
+      data-testid="flight-envelope"
+      aria-hidden="true"
+      style={{
+        position: "absolute",
+        left: from.x,
+        top: from.y,
+        pointerEvents: "none",
+        willChange: "transform, opacity",
+        filter: "drop-shadow(0 1px 3px rgba(0,0,0,0.45))",
+        zIndex: 6,
+      }}
+    >
+      <svg width="22" height="22" viewBox="0 0 24 24" fill="none" aria-hidden="true">
+        <rect x="2.5" y="5.5" width="19" height="13" rx="2.5" fill="#0b0b0f" stroke={color} strokeWidth="1.6" />
+        <path
+          d="M3.5 7.5l8.5 6 8.5-6"
+          stroke={color}
+          strokeWidth="1.6"
+          fill="none"
+          strokeLinecap="round"
+          strokeLinejoin="round"
+        />
+      </svg>
+    </div>
+  );
+}
@@ -0,0 +1,46 @@
+/** MessageFlightLayer — flies an envelope from the source agent to the target
+ *  agent on the spatial canvas whenever a delegate / message event fires.
+ *
+ *  Mounted INSIDE <ReactFlow> so its ViewportPortal places the envelope in flow
+ *  coordinates; it therefore pans and zooms with the canvas for free. The
+ *  flight lifecycle (which events become envelopes, reduced-motion opt-out,
+ *  expiry) lives in useA2AFlights — this component only resolves node centres
+ *  and renders. */
+import { ViewportPortal, type Node } from "@xyflow/react";
+import { useCanvasStore } from "@/store/canvas";
+import { useA2AFlights } from "@/hooks/useA2AFlights";
+import { FlightEnvelope, type Point } from "./FlightEnvelope";
+import type { WorkspaceNodeData } from "@/store/canvas";
+
+// Fallback node footprint when React Flow has not measured a node yet. Matches
+// WorkspaceNode's leaf size (w-[300px] min-h-[176px]); a slightly-off centre
+// for the first frame after mount is invisible at flight scale.
+const DEFAULT_W = 300;
+const DEFAULT_H = 176;
+
+function nodeCenter(n: Node<WorkspaceNodeData>): Point {
+  const w = n.measured?.width ?? DEFAULT_W;
+  const h = n.measured?.height ?? DEFAULT_H;
+  return { x: n.position.x + w / 2, y: n.position.y + h / 2 };
+}
+
+export function MessageFlightLayer() {
+  const flights = useA2AFlights();
+  const nodes = useCanvasStore((s) => s.nodes);
+
+  if (flights.length === 0) return null;
+
+  return (
+    <ViewportPortal>
+      {flights.map((f) => {
+        const src = nodes.find((n) => n.id === f.sourceId);
+        const dst = nodes.find((n) => n.id === f.targetId);
+        // Both endpoints must be on-canvas to draw a path between them.
+        if (!src || !dst) return null;
+        return (
+          <FlightEnvelope key={f.key} from={nodeCenter(src)} to={nodeCenter(dst)} kind={f.kind} />
+        );
+      })}
+    </ViewportPortal>
+  );
+}
@@ -12,6 +12,7 @@ import {
  ProviderModelSelector,
  buildProviderCatalog,
  findProviderForModel,
+  isPlatformManagedProvider,
  type SelectorValue,
 } from "./ProviderModelSelector";

@@ -267,10 +268,21 @@ function ProviderPickerModal({
    setSelectorValue(initial);
  }, [open, initial]);

+  // #2248: filter out provisioner-injected internal tokens for platform-managed
+  // providers so the user can't clobber them. Memoized so the array reference is
+  // stable across renders and does not churn the entries useEffect.
+  const userEditableEnvVars = useMemo(() => {
+    const selectedProvider = catalog.find((p) => p.id === selectorValue.providerId);
+    const isPlatformManaged = selectedProvider ? isPlatformManagedProvider(selectedProvider) : false;
+    return isPlatformManaged
+      ? selectorValue.envVars.filter((k) => k !== "MOLECULE_LLM_USAGE_TOKEN")
+      : selectorValue.envVars;
+  }, [catalog, selectorValue.providerId, selectorValue.envVars]);
+
  useEffect(() => {
    if (!open) return;
    setEntries(
-      selectorValue.envVars.map((key) => ({
+      userEditableEnvVars.map((key) => ({
        key,
        value: "",
        // Pre-mark as saved when the key is already in the configured
@@ -283,7 +295,7 @@ function ProviderPickerModal({
    );
    setOptionalEntries(
      optionalKeys
-        .filter((key) => !selectorValue.envVars.includes(key))
+        .filter((key) => !userEditableEnvVars.includes(key))
        .map((key) => ({
          key,
          value: "",
@@ -292,7 +304,7 @@ function ProviderPickerModal({
          error: null,
        })),
    );
-  }, [open, selectorValue.envVars, configuredKeys, optionalKeys]);
+  }, [open, userEditableEnvVars, configuredKeys, optionalKeys]);

  useEffect(() => {
    if (!open) return;
@@ -91,6 +91,7 @@ export interface RegistryModel {
  name?: string;
  provider?: string;
  billing_mode?: "platform_managed" | "byok";
+  required_env?: string[];
 }

 export interface SelectorValue {
@@ -1,25 +1,9 @@
 "use client";

 import { useState, useCallback, useRef, useEffect } from "react";
-import { useCanvasStore, type PanelTab } from "@/store/canvas";
-import { showToast } from "@/components/Toaster";
+import { useCanvasStore } from "@/store/canvas";
 import { StatusDot } from "./StatusDot";
-import { Tooltip } from "./Tooltip";
-import { DetailsTab } from "./tabs/DetailsTab";
-import { SkillsTab } from "./tabs/SkillsTab";
-import { ChatTab } from "./tabs/ChatTab";
-import { ConfigTab } from "./tabs/ConfigTab";
-import { ContainerConfigTab } from "./tabs/ContainerConfigTab";
-import { DisplayTab } from "./tabs/DisplayTab";
-import { TerminalTab } from "./tabs/TerminalTab";
-import { FilesTab } from "./tabs/FilesTab";
-import { MemoryInspectorPanel } from "./MemoryInspectorPanel";
-import { AuditTrailPanel } from "./AuditTrailPanel";
-import { TracesTab } from "./tabs/TracesTab";
-import { EventsTab } from "./tabs/EventsTab";
-import { ActivityTab } from "./tabs/ActivityTab";
-import { ScheduleTab } from "./tabs/ScheduleTab";
-import { ChannelsTab } from "./tabs/ChannelsTab";
+import { WorkspacePanelTabs } from "./WorkspacePanelTabs";
 import { summarizeWorkspaceCapabilities } from "@/store/canvas";

 const SIDEPANEL_WIDTH_KEY = "molecule:sidepanel-width";
@@ -27,24 +11,6 @@ const SIDEPANEL_DEFAULT_WIDTH = 480;
 const SIDEPANEL_MIN_WIDTH = 320;
 const SIDEPANEL_MAX_WIDTH = 800;

-const TABS: { id: PanelTab; label: string; icon: string }[] = [
-  { id: "chat", label: "Chat", icon: "◈" },
-  { id: "activity", label: "Activity", icon: "⊙" },
-  { id: "details", label: "Details", icon: "◉" },
-  { id: "skills", label: "Plugins", icon: "✦" },
-  { id: "terminal", label: "Terminal", icon: "▸" },
-  { id: "display", label: "Display", icon: "▣" },
-  { id: "container-config", label: "Container", icon: "▤" },
-  { id: "config", label: "Config", icon: "⚙" },
-  { id: "schedule", label: "Schedule", icon: "⏲" },
-  { id: "channels", label: "Channels", icon: "⇌" },
-  { id: "files", label: "Files", icon: "⊞" },
-  { id: "memory", label: "Memory", icon: "◇" },
-  { id: "traces", label: "Traces", icon: "◎" },
-  { id: "events", label: "Events", icon: "◊" },
-  { id: "audit",  label: "Audit",  icon: "⊟" },
-];
-
 export function SidePanel() {
  const selectedNodeId = useCanvasStore((s) => s.selectedNodeId);
  const panelTab = useCanvasStore((s) => s.panelTab);
@@ -219,104 +185,12 @@ export function SidePanel() {
        </div>
      </div>

-      {/* Tabs — relative wrapper lets the fade gradient position against the scroll container */}
-      <div className="relative border-b border-line/40">
-        {/* Right-edge fade: signals more tabs are hidden off-screen when the bar overflows */}
-        <div className="pointer-events-none absolute inset-y-0 right-0 w-8 bg-gradient-to-l from-surface to-transparent z-10" aria-hidden="true" />
-      <div
-        role="tablist"
-        aria-label="Workspace panel tabs"
-        className="flex overflow-x-auto bg-surface-sunken/20 px-1"
-        onKeyDown={(e) => {
-          const idx = TABS.findIndex((t) => t.id === panelTab);
-          let next: number | null = null;
-          if (e.key === "ArrowRight") { e.preventDefault(); next = (idx + 1) % TABS.length; }
-          else if (e.key === "ArrowLeft") { e.preventDefault(); next = (idx - 1 + TABS.length) % TABS.length; }
-          else if (e.key === "Home") { e.preventDefault(); next = 0; }
-          else if (e.key === "End") { e.preventDefault(); next = TABS.length - 1; }
-          if (next !== null) {
-            setPanelTab(TABS[next].id);
-            requestAnimationFrame(() => { const el = document.getElementById(`tab-${TABS[next!].id}`); el?.focus(); el?.scrollIntoView({ block: "nearest", inline: "nearest" }); });
-          }
-        }}
-      >
-        {TABS.map((tab) => (
-          <button
-            type="button"
-            key={tab.id}
-            id={`tab-${tab.id}`}
-            role="tab"
-            aria-selected={panelTab === tab.id}
-            aria-controls={`panel-${tab.id}`}
-            tabIndex={panelTab === tab.id ? 0 : -1}
-            onClick={() => setPanelTab(tab.id)}
-            className={`shrink-0 px-3 py-2.5 text-[10px] font-medium tracking-wide transition-all rounded-t-lg mx-0.5 focus:outline-none focus-visible:ring-2 focus-visible:ring-accent/70 ${
-              panelTab === tab.id
-                ? "text-ink bg-surface-card border-b-2 border-accent"
-                : "text-ink-mid hover:text-ink hover:bg-surface-card/60"
-            }`}
-          >
-            <span className="mr-1 opacity-50" aria-hidden="true">{tab.icon}</span>
-            {tab.label}
-          </button>
-        ))}
-      </div>
-      </div>
-
-      {/* Needs Restart Banner */}
-      {node.data.needsRestart && !node.data.currentTask && selectedNodeId && (
-        <div className="px-4 py-2 bg-sky-950/20 border-b border-sky-800/20 flex items-center justify-between">
-          <span className="text-[10px] text-sky-300/90">Config changed — restart to apply</span>
-          <button
-            type="button"
-            onClick={() => {
-              useCanvasStore.getState().restartWorkspace(selectedNodeId).catch(() => showToast("Restart failed", "error"));
-            }}
-            className="text-[11px] px-2 py-1 bg-sky-800/40 hover:bg-sky-700/50 text-sky-200 rounded transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
-          >
-            Restart Now
-          </button>
-        </div>
-      )}
-
-      {/* Current Task Banner */}
-      {node.data.currentTask && (
-        <Tooltip text={node.data.currentTask as string}>
-          <div className="px-4 py-2 bg-amber-950/20 border-b border-amber-800/20 flex items-center gap-2 cursor-default">
-            <div className="w-1.5 h-1.5 rounded-full bg-amber-400 motion-safe:animate-pulse shrink-0" />
-            <span className="text-[10px] text-warm/90 truncate">
-              {node.data.currentTask}
-            </span>
-          </div>
-        </Tooltip>
-      )}
-
-      {/* Tab Content */}
-      <div
-        role="tabpanel"
-        id={`panel-${panelTab}`}
-        aria-labelledby={`tab-${panelTab}`}
-        tabIndex={0}
-        className="flex-1 overflow-y-auto focus:outline-none"
-      >
-        {panelTab === "details" && <DetailsTab key={selectedNodeId} workspaceId={selectedNodeId} data={node.data} />}
-        {panelTab === "skills" && <SkillsTab key={selectedNodeId} workspaceId={selectedNodeId} data={node.data} />}
-        {panelTab === "activity" && <ActivityTab key={selectedNodeId} workspaceId={selectedNodeId} />}
-        {panelTab === "chat" && <ChatTab key={selectedNodeId} workspaceId={selectedNodeId} data={node.data} />}
-        {panelTab === "terminal" && <TerminalTab key={selectedNodeId} workspaceId={selectedNodeId} data={node.data} />}
-        {panelTab === "display" && <DisplayTab key={selectedNodeId} workspaceId={selectedNodeId} />}
-        {panelTab === "container-config" && selectedNodeId && (
-          <ContainerConfigTab key={selectedNodeId} workspaceId={selectedNodeId} data={node.data} />
-        )}
-        {panelTab === "config" && <ConfigTab key={selectedNodeId} workspaceId={selectedNodeId} />}
-        {panelTab === "schedule" && <ScheduleTab key={selectedNodeId} workspaceId={selectedNodeId} />}
-        {panelTab === "channels" && <ChannelsTab key={selectedNodeId} workspaceId={selectedNodeId} />}
-        {panelTab === "files" && <FilesTab key={selectedNodeId} workspaceId={selectedNodeId} data={node.data} />}
-        {panelTab === "memory" && <MemoryInspectorPanel key={selectedNodeId} workspaceId={selectedNodeId} />}
-        {panelTab === "traces" && <TracesTab key={selectedNodeId} workspaceId={selectedNodeId} />}
-        {panelTab === "events" && <EventsTab key={selectedNodeId} workspaceId={selectedNodeId} />}
-        {panelTab === "audit" && <AuditTrailPanel key={selectedNodeId} workspaceId={selectedNodeId} />}
-      </div>
+      {/* Tabs + tab content — extracted into WorkspacePanelTabs so the same
+          tab bar/body is reused verbatim by the concierge Settings page. The
+          map drawer stays store-driven: we thread the global panelTab /
+          setPanelTab through as the controlled active-tab pair, preserving the
+          existing selection + keyboard behaviour. */}
+      <WorkspacePanelTabs node={node} activeTab={panelTab} onTabChange={setPanelTab} />

      {/* Footer — workspace ID */}
      <div className="px-4 sm:px-5 py-2 border-t border-line/40 bg-surface-sunken/20">
@@ -3,11 +3,9 @@
 import { useMemo, useState, useCallback, useEffect, useRef } from "react";
 import { api } from "@/lib/api";
 import { useCanvasStore } from "@/store/canvas";
-import { SettingsButton } from "@/components/settings/SettingsButton";
-import { settingsGearRef } from "@/components/settings/SettingsPanel";
+import { WORKSPACE_KIND } from "@/lib/workspace-kind";
 import { ConfirmDialog } from "@/components/ConfirmDialog";
 import { showToast } from "@/components/Toaster";
-import { ThemeToggle } from "@/components/ThemeToggle";
 import { statusDotClass } from "@/lib/design-tokens";
 import { KeyboardShortcutsDialog } from "@/components/KeyboardShortcutsDialog";

@@ -55,8 +53,11 @@ export function Toolbar() {
  }, [wsStatus]);

  const counts = useMemo(() => {
-    const c = { total: nodes.length, roots: 0, children: 0, online: 0, offline: 0, failed: 0, provisioning: 0, activeTasks: 0 };
-    for (const n of nodes) {
+    // Exclude the org-level platform agent (the concierge) — it's the
+    // undeletable org root surfaced in the shell, not a counted map workspace.
+    const mapNodes = nodes.filter((n) => n.data.kind !== WORKSPACE_KIND.Platform);
+    const c = { total: mapNodes.length, roots: 0, children: 0, online: 0, offline: 0, failed: 0, provisioning: 0, activeTasks: 0 };
+    for (const n of mapNodes) {
      if (n.data.parentId) c.children++; else c.roots++;
      const s = n.data.status;
      if (s === "online") c.online++;
@@ -460,11 +461,8 @@ export function Toolbar() {
        )}
      </div>

-      {/* Theme picker — System / Light / Dark */}
-      <ThemeToggle />
-
-      {/* Settings gear icon */}
-      <SettingsButton ref={settingsGearRef} />
+      {/* Theme picker + settings gear removed from the map toolbar — both now
+          live in the concierge global Settings (left rail) + topbar. */}

      <ConfirmDialog
        open={restartConfirmOpen}
@@ -1,7 +1,7 @@
 "use client";

-import { useCallback, useMemo, type KeyboardEvent } from "react";
-import { Handle, NodeResizer, Position, type NodeProps, type Node } from "@xyflow/react";
+import { useMemo, type KeyboardEvent } from "react";
+import { Handle, Position, type NodeProps, type Node } from "@xyflow/react";
 import { useCanvasStore, type WorkspaceNodeData } from "@/store/canvas";
 import { getConfigurationError, getConfigurationStatus } from "@/store/canvas-topology";
 import { showToast } from "@/components/Toaster";
@@ -21,7 +21,8 @@ function useDescendantCount(nodeId: string): number {
  return useMemo(() => countDescendants(nodeId, nodes), [nodeId, nodes]);
 }

-/** Boolean flag used to drive min-size and NodeResizer dimensions.
+/** Boolean flag used to drive the container's system-controlled size
+ *  (leaves render fixed-size; parents grow to fit children).
 *  Selecting `nodes` stably avoids re-render loops (same issue as
 *  useDescendantCount). */
 function useHasChildren(nodeId: string): boolean {
@@ -87,16 +88,9 @@ export function WorkspaceNode({ id, data }: NodeProps<Node<WorkspaceNodeData>>)

  return (
    <>
-      {/* NodeResizer — visible only on the selected card. Lets the user
-       *  drag any edge/corner to grow or shrink the workspace, which is
-       *  useful on cards that contain nested child workspaces. */}
-      <NodeResizer
-        isVisible={isSelected}
-        minWidth={hasChildren ? 360 : 210}
-        minHeight={hasChildren ? 200 : 110}
-        lineClassName="!border-accent/40"
-        handleClassName="!w-2 !h-2 !bg-accent !border !border-blue-300"
-      />
+      {/* Free-resize removed (was NodeResizer). Container size + shape are now
+       *  system-controlled: leaf workspaces render at a fixed width; parent
+       *  workspaces grow to fit their nested children (store grow logic). */}
    <div
      role="button"
      tabIndex={0}
@@ -161,20 +155,22 @@ export function WorkspaceNode({ id, data }: NodeProps<Node<WorkspaceNodeData>>)
        }
      }}
      className={`
-        group relative rounded-xl h-full w-full
-        ${hasChildren && !data.collapsed ? "min-w-[360px] min-h-[200px]" : "min-w-[210px]"}
+        group relative rounded-xl
+        ${hasChildren && !data.collapsed
+          ? "h-full w-full min-w-[420px] min-h-[240px]"
+          : "w-[300px] min-h-[176px]"}
        cursor-pointer overflow-hidden
        transition-all duration-200 ease-out
        ${isDragTarget
          ? "bg-emerald-950/40 border-2 border-emerald-400/60 ring-2 ring-emerald-400/20 scale-[1.03]"
          : isBatchSelected
-          ? "bg-surface-sunken/95 border-2 border-accent/80 ring-2 ring-accent/30 shadow-lg shadow-blue-500/15"
+          ? "bg-surface-sunken/95 border-2 border-accent/80 ring-2 ring-accent/30 shadow-lg shadow-accent/15"
          : isSelected
-          ? "bg-surface-sunken/95 border border-accent/70 ring-1 ring-accent/30 shadow-lg shadow-blue-500/10"
-          : "bg-surface-sunken/90 border border-line/80 hover:border-zinc-500/60 shadow-lg shadow-black/30 hover:shadow-xl hover:shadow-black/40"
+          ? "bg-surface-sunken/95 border border-accent/70 ring-1 ring-accent/30 shadow-lg shadow-accent/10"
+          : "bg-surface-sunken/90 border border-line/80 hover:border-ink-soft/60 shadow-lg shadow-black/30 hover:shadow-xl hover:shadow-black/40"
        }
        backdrop-blur-sm
-        focus:outline-none focus-visible:ring-2 focus-visible:ring-accent/70 focus-visible:ring-offset-1 focus-visible:ring-offset-zinc-950
+        focus:outline-none focus-visible:ring-2 focus-visible:ring-accent/70 focus-visible:ring-offset-1 focus-visible:ring-offset-surface
        ${deploy.isActivelyProvisioning ? "mol-deploy-shimmer" : ""}
        ${deploy.isLockedChild ? "mol-deploy-locked" : ""}
      `}
@@ -212,27 +208,45 @@ export function WorkspaceNode({ id, data }: NodeProps<Node<WorkspaceNodeData>>)
            }
          }
        }}
-        className="!w-2.5 !h-1 !rounded-full !bg-surface-card/80 !border-0 !-top-0.5 hover:!bg-blue-400 hover:!h-1.5 focus-visible:!bg-blue-400 focus-visible:!h-1.5 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-blue-400/60 focus-visible:ring-offset-1 focus-visible:ring-offset-zinc-950 transition-all"
+        className="!w-2.5 !h-1 !rounded-full !bg-surface-card/80 !border-0 !-top-0.5 hover:!bg-accent hover:!h-1.5 focus-visible:!bg-accent focus-visible:!h-1.5 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent/60 focus-visible:ring-offset-1 focus-visible:ring-offset-surface transition-all"
      />

-      <div className="relative px-3.5 py-2.5">
+      <div className="relative px-4 py-3.5">
        {/* Header row */}
-        <div className="flex items-center justify-between gap-2 mb-1">
-          <div className="flex items-center gap-2 min-w-0">
-            <div className={`w-2 h-2 rounded-full shrink-0 ${statusCfg.dot} ${statusCfg.glow} shadow-sm`} />
-            <span className="text-[13px] font-semibold text-ink truncate leading-tight">
+        <div className="flex items-center justify-between gap-2 mb-2.5">
+          <div className="flex items-center gap-2.5 min-w-0">
+            <div className={`w-2.5 h-2.5 rounded-full shrink-0 ${statusCfg.dot} ${statusCfg.glow} shadow-sm`} />
+            <span className="text-[15px] font-semibold text-ink truncate leading-tight">
              {data.name}
            </span>
          </div>
          <div className="flex items-center gap-1.5 shrink-0">
-            {hasChildren && (
-              <span className="text-[10px] font-mono text-accent bg-accent/15 border border-accent/40 px-1.5 py-0.5 rounded-md">
-                {descendantCount} sub
-              </span>
-            )}
-            <span className={`text-[10px] font-mono px-1.5 py-0.5 rounded-md ${tierCfg.color}`}>
-              {tierCfg.label}
-            </span>
+            {/* Model pill (concept top-right). Shortens the agent_card model to
+                a family label (Opus/Sonnet/Haiku/Kimi); falls back to the raw
+                last segment, then to the tier badge when no model is known. */}
+            {(() => {
+              const m = (data.agentCard as Record<string, unknown> | null)?.model;
+              const model = typeof m === "string" && m ? m : null;
+              if (!model) {
+                return (
+                  <span className={`text-[11px] font-mono px-2 py-1 rounded-md ${tierCfg.color}`}>
+                    {tierCfg.label}
+                  </span>
+                );
+              }
+              const label = /opus/i.test(model) ? "Opus"
+                : /sonnet/i.test(model) ? "Sonnet"
+                : /haiku/i.test(model) ? "Haiku"
+                : /kimi/i.test(model) ? "Kimi"
+                : /gpt|openai/i.test(model) ? "GPT"
+                : /gemini/i.test(model) ? "Gemini"
+                : (model.split(/[/:]/).pop() || model);
+              return (
+                <span className="text-[11px] font-mono px-2 py-1 rounded-md text-white bg-accent" title={model}>
+                  {label}
+                </span>
+              );
+            })()}
          </div>
        </div>

@@ -242,6 +256,9 @@ export function WorkspaceNode({ id, data }: NodeProps<Node<WorkspaceNodeData>>)
            We treat empty-string DB values as "missing" so an unbackfilled
            row falls through to the agent-card value rather than rendering
            a blank pill. */}
+        {/* Role pill (concept) — uppercase, accent-bordered. Platform root
+            shows "PLATFORM · ROOT"; Phase 30 external-runtime agents get the
+            REMOTE marker alongside. */}
        {(() => {
          const dbRuntime = typeof data.runtime === "string" && data.runtime !== ""
            ? data.runtime : null;
@@ -249,32 +266,46 @@ export function WorkspaceNode({ id, data }: NodeProps<Node<WorkspaceNodeData>>)
            ? (data.agentCard as Record<string, string>).runtime
            : null;
          const runtime = dbRuntime ?? cardRuntime;
-          if (!runtime) return null;
+          const isRemote = !!runtime && isExternalLikeRuntime(runtime);
+          const isPlatformRoot = !data.parentId && hasChildren;
+          const roleLabel = isPlatformRoot ? "PLATFORM · ROOT" : (data.role || null);
+          if (!roleLabel && !isRemote) return null;
          return (
-            <div className="mb-1 flex items-center gap-1">
-              {isExternalLikeRuntime(runtime) ? (
+            <div className="mb-2.5 flex items-center gap-1.5">
+              {roleLabel && (
+                <span className="max-w-[220px] truncate text-[10px] font-mono uppercase tracking-[0.04em] px-2 py-1 rounded-md text-accent bg-accent/12 border border-accent/35">
+                  {roleLabel}
+                </span>
+              )}
+              {isRemote && (
                <span
-                  className="text-[7px] font-mono px-1.5 py-0.5 rounded-md text-white bg-violet-800 border border-violet-900"
+                  className="text-[10px] font-mono uppercase px-2 py-1 rounded-md text-white bg-violet-800 border border-violet-900"
                  title="Phase 30 remote agent — runs outside this platform's Docker network. Lifecycle managed via heartbeat-based polling, not Docker exec."
                >
                  ★ REMOTE
                </span>
-              ) : (
-                <span className="text-[7px] font-mono px-1.5 py-0.5 rounded-md text-ink-mid bg-surface-card border border-line">
-                  {runtime}
-                </span>
              )}
            </div>
          );
        })()}

-        {/* Role — clamp to 2 lines. Without this, a verbose role
-         *  description (common on org-template imports) lets the card
-         *  grow arbitrarily tall, which wrecks the grid-slot layout
-         *  because siblings all plan for the same CHILD_DEFAULT_HEIGHT. */}
-        {data.role && (
-          <div className="text-[10px] text-ink-mid mb-1.5 leading-tight line-clamp-2">{data.role}</div>
-        )}
+        {/* Status line (concept) — uppercase status, "· N AGENTS" for parents,
+            with a queued pill on the right. */}
+        <div className="mb-2 flex items-center justify-between gap-2">
+          <span className={`text-[11px] font-mono uppercase tracking-[0.04em] ${
+            isOnline ? "text-good"
+              : effectiveStatus === "failed" ? "text-bad"
+              : (effectiveStatus === "provisioning" || effectiveStatus === "degraded") ? "text-warm"
+              : "text-ink-soft"
+          }`}>
+            {statusCfg.label}{hasChildren ? ` · ${descendantCount} agents` : ""}
+          </span>
+          {data.activeTasks > 0 && (
+            <span className="shrink-0 text-[11px] font-mono px-2 py-1 rounded-md text-ink-mid bg-surface-card border border-line">
+              ≡ {data.activeTasks} queued
+            </span>
+          )}
+        </div>

        {/* Skills */}
        {skills.length > 0 && (
@@ -328,29 +359,7 @@ export function WorkspaceNode({ id, data }: NodeProps<Node<WorkspaceNodeData>>)
          </button>
        )}

-        {/* Bottom row: status / active tasks */}
-        <div className="flex items-center justify-between mt-0.5">
-          {effectiveStatus !== "online" ? (
-            <div className={`text-[10px] uppercase tracking-widest font-medium ${
-              effectiveStatus === "failed" ? "text-bad" :
-              effectiveStatus === "degraded" ? "text-warm" :
-              effectiveStatus === "not_configured" ? "text-warm" :
-              effectiveStatus === "provisioning" ? "text-accent" :
-              "text-ink-mid"
-            }`}>
-              {statusCfg.label}
-            </div>
-          ) : <div />}
-
-          {data.activeTasks > 0 && (
-            <div className="flex items-center gap-1">
-              <div className="w-1 h-1 rounded-full bg-warm motion-safe:animate-pulse" />
-              <span className="text-[10px] text-warm tabular-nums">
-                {data.activeTasks} task{data.activeTasks > 1 ? "s" : ""}
-              </span>
-            </div>
-          )}
-        </div>
+        {/* (status + queued now rendered above, concept-style) */}

        {/* Degraded error preview */}
        {data.status === "degraded" && data.lastSampleError && (
@@ -395,7 +404,7 @@ export function WorkspaceNode({ id, data }: NodeProps<Node<WorkspaceNodeData>>)
            }
          }
        }}
-        className="!w-2.5 !h-1 !rounded-full !bg-surface-card/80 !border-0 !-bottom-0.5 hover:!bg-blue-400 hover:!h-1.5 focus-visible:!bg-blue-400 focus-visible:!h-1.5 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-blue-400/60 focus-visible:ring-offset-1 focus-visible:ring-offset-zinc-950 transition-all"
+        className="!w-2.5 !h-1 !rounded-full !bg-surface-card/80 !border-0 !-bottom-0.5 hover:!bg-accent hover:!h-1.5 focus-visible:!bg-accent focus-visible:!h-1.5 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent/60 focus-visible:ring-offset-1 focus-visible:ring-offset-surface transition-all"
      />
    </div>
    </>
@@ -0,0 +1,195 @@
+"use client";
+
+import { useState } from "react";
+import type { Node } from "@xyflow/react";
+import {
+  useCanvasStore,
+  type PanelTab,
+  type WorkspaceNodeData,
+} from "@/store/canvas";
+import { showToast } from "@/components/Toaster";
+import { Tooltip } from "./Tooltip";
+import { DetailsTab } from "./tabs/DetailsTab";
+import { SkillsTab } from "./tabs/SkillsTab";
+import { ChatTab } from "./tabs/ChatTab";
+import { ConfigTab } from "./tabs/ConfigTab";
+import { ContainerConfigTab } from "./tabs/ContainerConfigTab";
+import { DisplayTab } from "./tabs/DisplayTab";
+import { TerminalTab } from "./tabs/TerminalTab";
+import { FilesTab } from "./tabs/FilesTab";
+import { MemoryInspectorPanel } from "./MemoryInspectorPanel";
+import { AuditTrailPanel } from "./AuditTrailPanel";
+import { TracesTab } from "./tabs/TracesTab";
+import { EventsTab } from "./tabs/EventsTab";
+import { ActivityTab } from "./tabs/ActivityTab";
+import { ScheduleTab } from "./tabs/ScheduleTab";
+import { ChannelsTab } from "./tabs/ChannelsTab";
+
+/**
+ * Canonical workspace tab set — the SAME ids/labels/icons the map's
+ * SidePanel has always rendered. Single source of truth so the map drawer
+ * and any other host (the concierge Settings page) can't drift.
+ */
+export const WORKSPACE_PANEL_TABS: { id: PanelTab; label: string; icon: string }[] = [
+  { id: "chat", label: "Chat", icon: "◈" },
+  { id: "activity", label: "Activity", icon: "⊙" },
+  { id: "details", label: "Details", icon: "◉" },
+  { id: "skills", label: "Plugins", icon: "✦" },
+  { id: "terminal", label: "Terminal", icon: "▸" },
+  { id: "display", label: "Display", icon: "▣" },
+  { id: "container-config", label: "Container", icon: "▤" },
+  { id: "config", label: "Config", icon: "⚙" },
+  { id: "schedule", label: "Schedule", icon: "⏲" },
+  { id: "channels", label: "Channels", icon: "⇌" },
+  { id: "files", label: "Files", icon: "⊞" },
+  { id: "memory", label: "Memory", icon: "◇" },
+  { id: "traces", label: "Traces", icon: "◎" },
+  { id: "events", label: "Events", icon: "◊" },
+  { id: "audit", label: "Audit", icon: "⊟" },
+];
+
+interface Props {
+  /** The workspace node whose tabs to render (id + data blob). */
+  node: Node<WorkspaceNodeData>;
+  /**
+   * Controlled active tab. When provided together with `onTabChange`, the
+   * caller owns the active-tab state (the map's SidePanel threads the global
+   * `panelTab`/`setPanelTab` here so the store stays the source of truth and
+   * the existing keyboard/selection behaviour is preserved verbatim).
+   * When omitted, the component manages its OWN local active-tab state —
+   * which is what the concierge Settings page uses so the embedded tabs
+   * don't fight the map's selection.
+   */
+  activeTab?: PanelTab;
+  onTabChange?: (tab: PanelTab) => void;
+  /** Initial tab for the uncontrolled (local-state) mode. Defaults to "chat". */
+  defaultTab?: PanelTab;
+}
+
+/**
+ * The workspace tab bar + tab body, extracted from SidePanel so it can be
+ * reused verbatim outside the map (e.g. the concierge Settings "Platform
+ * agent configuration" section). Renders the canonical ARIA tablist and the
+ * exact same tab content components keyed on the active tab.
+ *
+ * Does NOT render the workspace header / meta pills / resize handle / footer —
+ * those are host chrome and stay in the host (SidePanel for the map).
+ */
+export function WorkspacePanelTabs({ node, activeTab, onTabChange, defaultTab = "chat" }: Props) {
+  const restartWorkspace = useCanvasStore((s) => s.restartWorkspace);
+
+  // Controlled when both props are present; otherwise own the state locally.
+  const controlled = activeTab !== undefined && onTabChange !== undefined;
+  const [localTab, setLocalTab] = useState<PanelTab>(defaultTab);
+  const tab = controlled ? (activeTab as PanelTab) : localTab;
+  const setTab = (next: PanelTab) => {
+    if (controlled) onTabChange!(next);
+    else setLocalTab(next);
+  };
+
+  const workspaceId = node.id;
+  const data = node.data;
+
+  return (
+    <>
+      {/* Tabs — relative wrapper lets the fade gradient position against the scroll container */}
+      <div className="relative border-b border-line/40">
+        {/* Right-edge fade: signals more tabs are hidden off-screen when the bar overflows */}
+        <div className="pointer-events-none absolute inset-y-0 right-0 w-8 bg-gradient-to-l from-surface to-transparent z-10" aria-hidden="true" />
+        <div
+          role="tablist"
+          aria-label="Workspace panel tabs"
+          className="flex overflow-x-auto bg-surface-sunken/20 px-1"
+          onKeyDown={(e) => {
+            const idx = WORKSPACE_PANEL_TABS.findIndex((t) => t.id === tab);
+            let next: number | null = null;
+            if (e.key === "ArrowRight") { e.preventDefault(); next = (idx + 1) % WORKSPACE_PANEL_TABS.length; }
+            else if (e.key === "ArrowLeft") { e.preventDefault(); next = (idx - 1 + WORKSPACE_PANEL_TABS.length) % WORKSPACE_PANEL_TABS.length; }
+            else if (e.key === "Home") { e.preventDefault(); next = 0; }
+            else if (e.key === "End") { e.preventDefault(); next = WORKSPACE_PANEL_TABS.length - 1; }
+            if (next !== null) {
+              setTab(WORKSPACE_PANEL_TABS[next].id);
+              requestAnimationFrame(() => { const el = document.getElementById(`tab-${WORKSPACE_PANEL_TABS[next!].id}`); el?.focus(); el?.scrollIntoView({ block: "nearest", inline: "nearest" }); });
+            }
+          }}
+        >
+          {WORKSPACE_PANEL_TABS.map((t) => (
+            <button
+              type="button"
+              key={t.id}
+              id={`tab-${t.id}`}
+              role="tab"
+              aria-selected={tab === t.id}
+              aria-controls={`panel-${t.id}`}
+              tabIndex={tab === t.id ? 0 : -1}
+              onClick={() => setTab(t.id)}
+              className={`shrink-0 px-3 py-2.5 text-[10px] font-medium tracking-wide transition-all rounded-t-lg mx-0.5 focus:outline-none focus-visible:ring-2 focus-visible:ring-accent/70 ${
+                tab === t.id
+                  ? "text-ink bg-surface-card border-b-2 border-accent"
+                  : "text-ink-mid hover:text-ink hover:bg-surface-card/60"
+              }`}
+            >
+              <span className="mr-1 opacity-50" aria-hidden="true">{t.icon}</span>
+              {t.label}
+            </button>
+          ))}
+        </div>
+      </div>
+
+      {/* Needs Restart Banner */}
+      {data.needsRestart && !data.currentTask && (
+        <div className="px-4 py-2 bg-sky-950/20 border-b border-sky-800/20 flex items-center justify-between">
+          <span className="text-[10px] text-sky-300/90">Config changed — restart to apply</span>
+          <button
+            type="button"
+            onClick={() => {
+              restartWorkspace(workspaceId).catch(() => showToast("Restart failed", "error"));
+            }}
+            className="text-[11px] px-2 py-1 bg-sky-800/40 hover:bg-sky-700/50 text-sky-200 rounded transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
+          >
+            Restart Now
+          </button>
+        </div>
+      )}
+
+      {/* Current Task Banner */}
+      {data.currentTask && (
+        <Tooltip text={data.currentTask as string}>
+          <div className="px-4 py-2 bg-amber-950/20 border-b border-amber-800/20 flex items-center gap-2 cursor-default">
+            <div className="w-1.5 h-1.5 rounded-full bg-amber-400 motion-safe:animate-pulse shrink-0" />
+            <span className="text-[10px] text-warm/90 truncate">
+              {data.currentTask}
+            </span>
+          </div>
+        </Tooltip>
+      )}
+
+      {/* Tab Content */}
+      <div
+        role="tabpanel"
+        id={`panel-${tab}`}
+        aria-labelledby={`tab-${tab}`}
+        tabIndex={0}
+        className="flex-1 overflow-y-auto focus:outline-none"
+      >
+        {tab === "details" && <DetailsTab key={workspaceId} workspaceId={workspaceId} data={data} />}
+        {tab === "skills" && <SkillsTab key={workspaceId} workspaceId={workspaceId} data={data} />}
+        {tab === "activity" && <ActivityTab key={workspaceId} workspaceId={workspaceId} />}
+        {tab === "chat" && <ChatTab key={workspaceId} workspaceId={workspaceId} data={data} />}
+        {tab === "terminal" && <TerminalTab key={workspaceId} workspaceId={workspaceId} data={data} />}
+        {tab === "display" && <DisplayTab key={workspaceId} workspaceId={workspaceId} />}
+        {tab === "container-config" && (
+          <ContainerConfigTab key={workspaceId} workspaceId={workspaceId} data={data} />
+        )}
+        {tab === "config" && <ConfigTab key={workspaceId} workspaceId={workspaceId} />}
+        {tab === "schedule" && <ScheduleTab key={workspaceId} workspaceId={workspaceId} />}
+        {tab === "channels" && <ChannelsTab key={workspaceId} workspaceId={workspaceId} />}
+        {tab === "files" && <FilesTab key={workspaceId} workspaceId={workspaceId} data={data} />}
+        {tab === "memory" && <MemoryInspectorPanel key={workspaceId} workspaceId={workspaceId} />}
+        {tab === "traces" && <TracesTab key={workspaceId} workspaceId={workspaceId} />}
+        {tab === "events" && <EventsTab key={workspaceId} workspaceId={workspaceId} />}
+        {tab === "audit" && <AuditTrailPanel key={workspaceId} workspaceId={workspaceId} />}
+      </div>
+    </>
+  );
+}
@@ -0,0 +1,84 @@
+// @vitest-environment jsdom
+//
+// SaaS-mode coverage for the per-workspace cloud-provider picker. The main
+// CreateWorkspaceDialog.test.tsx runs non-SaaS (the picker is hidden and the
+// payload omits `provider`); this file forces SaaS by mocking isSaaSTenant so
+// the picker renders and the selected provider flows into compute.provider.
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+import { render, screen, fireEvent, waitFor, cleanup } from "@testing-library/react";
+import { CreateWorkspaceButton } from "../CreateWorkspaceDialog";
+
+vi.mock("@/lib/api", () => ({
+  api: { get: vi.fn(), post: vi.fn() },
+}));
+
+// Force SaaS so the Cloud provider picker is shown and the payload carries it.
+vi.mock("@/lib/tenant", async (importOriginal) => ({
+  ...(await importOriginal<typeof import("@/lib/tenant")>()),
+  isSaaSTenant: () => true,
+}));
+
+import { api } from "@/lib/api";
+
+const mockGet = vi.mocked(api.get);
+const mockPost = vi.mocked(api.post);
+
+const SAMPLE_TEMPLATES = [
+  {
+    id: "claude-code-default",
+    name: "Claude Code Agent",
+    runtime: "claude-code",
+    model: "moonshot/kimi-k2.6",
+    providers: ["platform", "minimax"],
+    models: [{ id: "moonshot/kimi-k2.6", name: "Kimi K2.6", provider: "platform", required_env: [] }],
+  },
+];
+
+beforeEach(() => {
+  vi.clearAllMocks();
+  mockGet.mockImplementation(async (url: string) => {
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    if (url === "/templates") return SAMPLE_TEMPLATES as any;
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    return [] as any;
+  });
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  mockPost.mockResolvedValue({} as any);
+});
+
+afterEach(() => cleanup());
+
+async function openDialog() {
+  render(<CreateWorkspaceButton />);
+  const btn = screen.getAllByRole("button").find((b) => b.textContent?.includes("New Workspace"));
+  fireEvent.click(btn!);
+  await waitFor(() => expect(screen.getByText("Create Workspace")).toBeTruthy());
+}
+
+describe("CreateWorkspaceDialog — cloud provider (SaaS)", () => {
+  it("shows the Cloud provider picker, defaulting to AWS", async () => {
+    await openDialog();
+    const select = screen.getByLabelText("Cloud provider") as HTMLSelectElement;
+    expect(select).toBeTruthy();
+    expect(select.value).toBe("aws");
+  });
+
+  it("defaults compute.provider to aws when the picker is untouched", async () => {
+    await openDialog();
+    fireEvent.change(screen.getByPlaceholderText("e.g. SEO Agent"), { target: { value: "AWS Agent" } });
+    fireEvent.click(screen.getAllByRole("button").find((b) => b.textContent === "Create")!);
+    await waitFor(() => expect(mockPost).toHaveBeenCalled());
+    const body = mockPost.mock.calls[0][1] as Record<string, unknown>;
+    expect(body.compute).toMatchObject({ provider: "aws" });
+  });
+
+  it("threads the selected cloud provider into compute.provider", async () => {
+    await openDialog();
+    fireEvent.change(screen.getByPlaceholderText("e.g. SEO Agent"), { target: { value: "GCP Agent" } });
+    fireEvent.change(screen.getByLabelText("Cloud provider"), { target: { value: "gcp" } });
+    fireEvent.click(screen.getAllByRole("button").find((b) => b.textContent === "Create")!);
+    await waitFor(() => expect(mockPost).toHaveBeenCalled());
+    const body = mockPost.mock.calls[0][1] as Record<string, unknown>;
+    expect(body.compute).toMatchObject({ provider: "gcp" });
+  });
+});
@@ -0,0 +1,175 @@
+// @vitest-environment jsdom
+/**
+ * Regression tests for #2248 — platform-managed provider credential suppression.
+ *
+ * Covers:
+ *  - MOLECULE_LLM_USAGE_TOKEN is hidden when the selected provider is platform-managed
+ *  - MOLECULE_LLM_USAGE_TOKEN is still shown for BYOK providers
+ *  - No render churn from unstable array references (useMemo guard)
+ */
+import { describe, it, expect, vi, afterEach } from "vitest";
+import { render, screen, fireEvent, cleanup, waitFor, act } from "@testing-library/react";
+import { MissingKeysModal } from "../MissingKeysModal";
+import type { ModelSpec, ProviderChoice } from "@/lib/deploy-preflight";
+
+vi.mock("@/lib/api", () => ({
+  api: { get: vi.fn(), put: vi.fn() },
+}));
+
+vi.mock("@/lib/deploy-preflight", async () => {
+  const actual = await vi.importActual<typeof import("@/lib/deploy-preflight")>(
+    "@/lib/deploy-preflight",
+  );
+  return actual;
+});
+
+const PLATFORM_MANAGED_MODELS: ModelSpec[] = [
+  { id: "platform-claude", provider: "platform", required_env: ["ANTHROPIC_API_KEY", "MOLECULE_LLM_USAGE_TOKEN"] },
+];
+
+const BYOK_MODELS: ModelSpec[] = [
+  { id: "byok-claude", provider: "anthropic", required_env: ["ANTHROPIC_API_KEY", "MOLECULE_LLM_USAGE_TOKEN"] },
+];
+
+function makeProviders(billingMode: "platform_managed" | "byok"): ProviderChoice[] {
+  const main = {
+    id: billingMode === "platform_managed" ? "platform|ANTHROPIC_API_KEY|MOLECULE_LLM_USAGE_TOKEN" : "anthropic|ANTHROPIC_API_KEY|MOLECULE_LLM_USAGE_TOKEN",
+    label: billingMode === "platform_managed" ? "Platform Anthropic" : "BYOK Anthropic",
+    envVars: ["ANTHROPIC_API_KEY", "MOLECULE_LLM_USAGE_TOKEN"],
+    billingMode,
+  };
+  // Need ≥2 providers so MissingKeysModal enters picker mode (pickerMode = providers.length > 1).
+  const dummy = {
+    id: "openai|OPENAI_API_KEY",
+    label: "OpenAI",
+    envVars: ["OPENAI_API_KEY"],
+  };
+  return [main, dummy];
+}
+
+describe("ProviderPickerModal — platform-managed suppression (#2248)", () => {
+  afterEach(() => cleanup());
+
+  it("hides MOLECULE_LLM_USAGE_TOKEN when provider is platform-managed", () => {
+    render(
+      <MissingKeysModal
+        open
+        missingKeys={["ANTHROPIC_API_KEY", "MOLECULE_LLM_USAGE_TOKEN"]}
+        providers={makeProviders("platform_managed")}
+        models={PLATFORM_MANAGED_MODELS}
+        runtime="claude-code"
+        onKeysAdded={vi.fn()}
+        onCancel={vi.fn()}
+      />,
+    );
+    // Only ANTHROPIC_API_KEY should be rendered; MOLECULE_LLM_USAGE_TOKEN suppressed
+    expect(screen.getByText("ANTHROPIC_API_KEY")).toBeTruthy();
+    expect(screen.queryByText("MOLECULE_LLM_USAGE_TOKEN")).toBeNull();
+  });
+
+  it("shows MOLECULE_LLM_USAGE_TOKEN when provider is BYOK", () => {
+    render(
+      <MissingKeysModal
+        open
+        missingKeys={["ANTHROPIC_API_KEY", "MOLECULE_LLM_USAGE_TOKEN"]}
+        providers={makeProviders("byok")}
+        models={BYOK_MODELS}
+        runtime="claude-code"
+        onKeysAdded={vi.fn()}
+        onCancel={vi.fn()}
+      />,
+    );
+    // Both keys visible for BYOK
+    expect(screen.getByText("ANTHROPIC_API_KEY")).toBeTruthy();
+    expect(screen.getByText("MOLECULE_LLM_USAGE_TOKEN")).toBeTruthy();
+  });
+
+  it("does not churn renders when the modal is open and platform-managed", () => {
+    let renderCount = 0;
+
+    function RenderSpy({ children }: { children: React.ReactNode }) {
+      renderCount++;
+      return <>{children}</>;
+    }
+
+    render(
+      <RenderSpy>
+        <MissingKeysModal
+          open
+          missingKeys={["ANTHROPIC_API_KEY", "MOLECULE_LLM_USAGE_TOKEN"]}
+          providers={makeProviders("platform_managed")}
+          models={PLATFORM_MANAGED_MODELS}
+          runtime="claude-code"
+          onKeysAdded={vi.fn()}
+          onCancel={vi.fn()}
+        />
+      </RenderSpy>,
+    );
+
+    const countAfterInitial = renderCount;
+
+    // Wait a tick — if useEffect were looping, renderCount would climb.
+    // In jsdom without real timers there's no automatic re-render, so we
+    // just assert the count is stable immediately after the single
+    // commit required by the initial open state.
+    expect(renderCount).toBe(countAfterInitial);
+    expect(renderCount).toBeLessThanOrEqual(2); // StrictMode double-render ceiling
+  });
+
+  it("updates suppression correctly when switching from BYOK to platform-managed", async () => {
+    const providers: ProviderChoice[] = [
+      {
+        id: "anthropic|ANTHROPIC_API_KEY|MOLECULE_LLM_USAGE_TOKEN",
+        label: "BYOK Anthropic",
+        envVars: ["ANTHROPIC_API_KEY", "MOLECULE_LLM_USAGE_TOKEN"],
+        billingMode: "byok",
+      },
+      {
+        id: "platform|ANTHROPIC_API_KEY|MOLECULE_LLM_USAGE_TOKEN",
+        label: "Platform Anthropic",
+        envVars: ["ANTHROPIC_API_KEY", "MOLECULE_LLM_USAGE_TOKEN"],
+        billingMode: "platform_managed",
+      },
+      {
+        id: "openai|OPENAI_API_KEY",
+        label: "OpenAI",
+        envVars: ["OPENAI_API_KEY"],
+      },
+    ];
+
+    const models: ModelSpec[] = [
+      { id: "byok-claude", provider: "anthropic", required_env: ["ANTHROPIC_API_KEY", "MOLECULE_LLM_USAGE_TOKEN"] },
+      { id: "platform-claude", provider: "platform", required_env: ["ANTHROPIC_API_KEY", "MOLECULE_LLM_USAGE_TOKEN"] },
+    ];
+
+    render(
+      <MissingKeysModal
+        open
+        missingKeys={["ANTHROPIC_API_KEY", "MOLECULE_LLM_USAGE_TOKEN"]}
+        providers={providers}
+        models={models}
+        runtime="claude-code"
+        onKeysAdded={vi.fn()}
+        onCancel={vi.fn()}
+      />,
+    );
+
+    // Default selection is providers[0] (BYOK) — both keys visible
+    expect(screen.getByText("ANTHROPIC_API_KEY")).toBeTruthy();
+    expect(screen.getByText("MOLECULE_LLM_USAGE_TOKEN")).toBeTruthy();
+
+    // Switch to platform-managed provider
+    const providerSelect = screen.getByTestId("provider-select") as HTMLSelectElement;
+    act(() => {
+      fireEvent.change(providerSelect, {
+        target: { value: "platform|ANTHROPIC_API_KEY|MOLECULE_LLM_USAGE_TOKEN" },
+      });
+    });
+
+    // MOLECULE_LLM_USAGE_TOKEN should now be suppressed
+    await waitFor(() => {
+      expect(screen.getByText("ANTHROPIC_API_KEY")).toBeTruthy();
+    });
+    expect(screen.queryByText("MOLECULE_LLM_USAGE_TOKEN")).toBeNull();
+  });
+});
@@ -275,9 +275,9 @@ describe("WorkspaceNode — status states", () => {
    expect(screen.getByText("STARTING")).toBeTruthy();
  });

-  it("suppresses status label for online node", () => {
+  it("shows status label for online node (concept: status always visible)", () => {
    renderNode({ status: "online" });
-    expect(screen.queryByText("ONLINE")).toBeNull();
+    expect(screen.getByText("ONLINE")).toBeTruthy();
  });

  it("shows degraded error preview when status is degraded and lastSampleError is set", () => {
@@ -404,14 +404,18 @@ describe("WorkspaceNode — double-click interactions", () => {
 });

 describe("WorkspaceNode — active tasks", () => {
-  it("shows active tasks badge when activeTasks > 0", () => {
+  it("shows the queued count when activeTasks > 0", () => {
    renderNode({ activeTasks: 3 });
-    expect(screen.getByText("3 tasks")).toBeTruthy();
+    expect(
+      screen.getByText((_, el) => el?.tagName === "SPAN" && (el.textContent ?? "").includes("3 queued")),
+    ).toBeTruthy();
  });

-  it("shows singular 'task' when activeTasks is 1", () => {
+  it("shows the queued count for a single task", () => {
    renderNode({ activeTasks: 1 });
-    expect(screen.getByText("1 task")).toBeTruthy();
+    expect(
+      screen.getByText((_, el) => el?.tagName === "SPAN" && (el.textContent ?? "").includes("1 queued")),
+    ).toBeTruthy();
  });

  it("suppresses badge when no active tasks", () => {
@@ -471,13 +475,15 @@ describe("WorkspaceNode — needs restart", () => {
 });

 describe("WorkspaceNode — descendant badge", () => {
-  it("shows descendant count badge when node has children in store", () => {
+  it("shows the agent count in the status line when node has children", () => {
    store().nodes = [
      makeNode({ id: "ws-1" }),
      { id: "child-1", data: { ...makeNode({ id: "ws-1" }).data, parentId: "ws-1" } },
    ];
    renderNode();
-    expect(screen.getByText("1 sub")).toBeTruthy();
+    expect(
+      screen.getByText((_, el) => el?.tagName === "SPAN" && (el.textContent ?? "").includes("1 agents")),
+    ).toBeTruthy();
  });

  it("suppresses badge when node has no children", () => {
@@ -527,9 +533,9 @@ describe("WorkspaceNode — skills pills", () => {
 });

 describe("WorkspaceNode — runtime badge", () => {
-  it("shows runtime badge when runtime is set", () => {
-    renderNode({ runtime: "hermes" });
-    expect(screen.getByText("hermes")).toBeTruthy();
+  it("shows the role pill (runtime pill replaced by role pill in the concept redesign)", () => {
+    renderNode({ role: "researcher" });
+    expect(screen.getByText("researcher")).toBeTruthy();
  });

  it("shows REMOTE badge for external runtime", () => {
@@ -0,0 +1,103 @@
+// @vitest-environment jsdom
+import { describe, it, expect, vi, afterEach } from "vitest";
+import { render, screen, fireEvent, cleanup } from "@testing-library/react";
+
+afterEach(() => {
+  cleanup();
+});
+
+// ── Mock every tab content component to a sentinel so we can assert which
+//    body renders without dragging in API calls / heavy children. ───────────
+vi.mock("../tabs/DetailsTab", () => ({ DetailsTab: () => <div data-testid="body-details" /> }));
+vi.mock("../tabs/SkillsTab", () => ({ SkillsTab: () => <div data-testid="body-skills" /> }));
+vi.mock("../tabs/ChatTab", () => ({ ChatTab: () => <div data-testid="body-chat" /> }));
+vi.mock("../tabs/ConfigTab", () => ({ ConfigTab: () => <div data-testid="body-config" /> }));
+vi.mock("../tabs/ContainerConfigTab", () => ({ ContainerConfigTab: () => <div data-testid="body-container" /> }));
+vi.mock("../tabs/DisplayTab", () => ({ DisplayTab: () => <div data-testid="body-display" /> }));
+vi.mock("../tabs/TerminalTab", () => ({ TerminalTab: () => <div data-testid="body-terminal" /> }));
+vi.mock("../tabs/FilesTab", () => ({ FilesTab: () => <div data-testid="body-files" /> }));
+vi.mock("../MemoryInspectorPanel", () => ({ MemoryInspectorPanel: () => <div data-testid="body-memory" /> }));
+vi.mock("../tabs/TracesTab", () => ({ TracesTab: () => <div data-testid="body-traces" /> }));
+vi.mock("../tabs/EventsTab", () => ({ EventsTab: () => <div data-testid="body-events" /> }));
+vi.mock("../tabs/ActivityTab", () => ({ ActivityTab: () => <div data-testid="body-activity" /> }));
+vi.mock("../tabs/ScheduleTab", () => ({ ScheduleTab: () => <div data-testid="body-schedule" /> }));
+vi.mock("../tabs/ChannelsTab", () => ({ ChannelsTab: () => <div data-testid="body-channels" /> }));
+vi.mock("../AuditTrailPanel", () => ({ AuditTrailPanel: () => <div data-testid="body-audit" /> }));
+
+vi.mock("../Tooltip", () => ({
+  Tooltip: ({ children }: { children: React.ReactNode }) => <>{children}</>,
+}));
+vi.mock("@/components/Toaster", () => ({ showToast: vi.fn() }));
+
+// The store is only consulted for restartWorkspace.
+const mockRestart = vi.fn(() => Promise.resolve());
+vi.mock("@/store/canvas", () => ({
+  useCanvasStore: vi.fn((selector: (s: { restartWorkspace: typeof mockRestart }) => unknown) =>
+    selector({ restartWorkspace: mockRestart })
+  ),
+}));
+
+import { WorkspacePanelTabs, WORKSPACE_PANEL_TABS } from "../WorkspacePanelTabs";
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+const node: any = {
+  id: "platform-1",
+  data: {
+    name: "Org Concierge",
+    status: "online",
+    tier: 0,
+    role: "platform",
+    parentId: null,
+    needsRestart: false,
+    currentTask: null,
+    agentCard: null,
+  },
+};
+
+describe("WorkspacePanelTabs — uncontrolled (Settings usage)", () => {
+  it("renders the canonical 15-tab tablist for an explicit node", () => {
+    render(<WorkspacePanelTabs node={node} />);
+    const tablist = screen.getByRole("tablist");
+    expect(tablist.getAttribute("aria-label")).toBe("Workspace panel tabs");
+    expect(screen.getAllByRole("tab").length).toBe(WORKSPACE_PANEL_TABS.length);
+    expect(WORKSPACE_PANEL_TABS.length).toBe(15);
+  });
+
+  it("defaults to the chat tab when no defaultTab is given", () => {
+    render(<WorkspacePanelTabs node={node} />);
+    expect(screen.getByTestId("body-chat")).toBeTruthy();
+    expect(document.getElementById("tab-chat")?.getAttribute("aria-selected")).toBe("true");
+  });
+
+  it("honours defaultTab='config' (the concierge Settings entry point)", () => {
+    render(<WorkspacePanelTabs node={node} defaultTab="config" />);
+    expect(screen.getByTestId("body-config")).toBeTruthy();
+    expect(document.getElementById("tab-config")?.getAttribute("aria-selected")).toBe("true");
+  });
+
+  it("clicking a tab swaps the body using local state (no store panelTab)", () => {
+    render(<WorkspacePanelTabs node={node} />);
+    fireEvent.click(document.getElementById("tab-channels")!);
+    expect(screen.getByTestId("body-channels")).toBeTruthy();
+    expect(document.getElementById("tab-channels")?.getAttribute("aria-selected")).toBe("true");
+  });
+});
+
+describe("WorkspacePanelTabs — controlled (SidePanel usage)", () => {
+  it("renders activeTab and calls onTabChange instead of local state", () => {
+    const onTabChange = vi.fn();
+    render(<WorkspacePanelTabs node={node} activeTab="details" onTabChange={onTabChange} />);
+    expect(screen.getByTestId("body-details")).toBeTruthy();
+    fireEvent.click(document.getElementById("tab-config")!);
+    expect(onTabChange).toHaveBeenCalledWith("config");
+    // Controlled: body does NOT change on its own (parent owns the state).
+    expect(screen.getByTestId("body-details")).toBeTruthy();
+  });
+
+  it("ArrowRight from chat calls onTabChange with the next tab", () => {
+    const onTabChange = vi.fn();
+    render(<WorkspacePanelTabs node={node} activeTab="chat" onTabChange={onTabChange} />);
+    fireEvent.keyDown(screen.getByRole("tablist"), { key: "ArrowRight" });
+    expect(onTabChange).toHaveBeenCalledWith("activity");
+  });
+});
@@ -188,11 +188,13 @@ describe("DropTargetBadge — renders ghost slot + badge for valid drag target",
    });
    render(<DropTargetBadge />);
    expect(screen.getByTestId("ghost-slot")).toBeTruthy();
-    // Ghost uses slotBR from 3rd call: slotBR - slotTL = (712-232, 920-660)
+    // Ghost spans one default child slot at zoom 2: width = CHILD_DEFAULT_WIDTH
+    // (300) × 2 = 600; height = CHILD_DEFAULT_HEIGHT (176) × 2 = 352. left/top
+    // are the column-0/row-0 slot origin (unchanged by the card-size bump).
    expect(screen.getByTestId("ghost-slot").style.left).toBe("232px");
    expect(screen.getByTestId("ghost-slot").style.top).toBe("660px");
-    expect(screen.getByTestId("ghost-slot").style.width).toBe("480px");
-    expect(screen.getByTestId("ghost-slot").style.height).toBe("260px");
+    expect(screen.getByTestId("ghost-slot").style.width).toBe("600px");
+    expect(screen.getByTestId("ghost-slot").style.height).toBe("352px");
  });

  it("ghost is hidden when slot falls entirely outside parent bounds", () => {
@@ -325,7 +325,7 @@ describe("all shortcuts respect inInput guard", () => {
  });
 });

-describe("Cmd/Ctrl+Arrow — keyboard node resize", () => {
+describe("Cmd/Ctrl+Arrow — free-resize removed (system-controlled sizing)", () => {
  beforeEach(() => {
    mockStoreState.nodes = [
      {
@@ -340,81 +340,15 @@ describe("Cmd/Ctrl+Arrow — keyboard node resize", () => {
    renderWithProvider();
  });

-  it("resizes height down (smaller) on Cmd/Ctrl+ArrowUp", () => {
-    // Node starts at minHeight=110 (no children). Shrinking clamps to min —
-    // height stays 110. Width is unchanged.
+  it("no longer resizes the node on Cmd/Ctrl+Arrow (free-resize removed)", () => {
+    // Sizing is system-controlled now: leaves render fixed-size and parents
+    // grow to fit their children, so Cmd/Ctrl+Arrow must not emit a
+    // `dimensions` change anymore.
    fireEvent.keyDown(window, { key: "ArrowUp", metaKey: true });
-    expect(mockStoreState.onNodesChange).toHaveBeenCalledWith([
-      expect.objectContaining({
-        type: "dimensions",
-        id: "n1",
-        dimensions: { width: 210, height: 110 },
-      }),
-    ]);
-  });
-
-  it("resizes height up (larger) on Cmd/Ctrl+ArrowDown", () => {
    fireEvent.keyDown(window, { key: "ArrowDown", ctrlKey: true });
-    expect(mockStoreState.onNodesChange).toHaveBeenCalledWith([
-      expect.objectContaining({
-        type: "dimensions",
-        id: "n1",
-        dimensions: { width: 210, height: 120 },
-      }),
-    ]);
-  });
-
-  it("resizes width down (smaller) on Cmd/Ctrl+ArrowLeft", () => {
-    // Node starts at minWidth=210 (no children). Shrinking clamps to min —
-    // width stays 210. Height is unchanged.
    fireEvent.keyDown(window, { key: "ArrowLeft", metaKey: true });
-    expect(mockStoreState.onNodesChange).toHaveBeenCalledWith([
-      expect.objectContaining({
-        type: "dimensions",
-        id: "n1",
-        dimensions: { width: 210, height: 110 },
-      }),
-    ]);
-  });
-
-  it("resizes width up (larger) on Cmd/Ctrl+ArrowRight", () => {
    fireEvent.keyDown(window, { key: "ArrowRight", ctrlKey: true });
-    expect(mockStoreState.onNodesChange).toHaveBeenCalledWith([
-      expect.objectContaining({
-        type: "dimensions",
-        id: "n1",
-        dimensions: { width: 220, height: 110 },
-      }),
-    ]);
-  });
-
-  it("uses 2px step with Shift held", () => {
-    // Step is 2px with Shift, but minHeight=110 clamps the result.
-    // 110 - 2 = 108, Math.max(110, 108) = 110. Width is unchanged.
-    fireEvent.keyDown(window, { key: "ArrowUp", metaKey: true, shiftKey: true });
-    expect(mockStoreState.onNodesChange).toHaveBeenCalledWith([
-      expect.objectContaining({
-        dimensions: { width: 210, height: 110 },
-      }),
-    ]);
-  });
-
-  it("respects min-height constraint (no children)", () => {
-    fireEvent.keyDown(window, { key: "ArrowUp", metaKey: true });
-    fireEvent.keyDown(window, { key: "ArrowUp", metaKey: true });
-    // After shrinking from 110 to 100, another ArrowUp hits min-height of 110
-    // (110 - 10 = 100, but 100 < 110 so it should stay at 110)
-    // Actually: 110 -> 100 -> 110 (resets to min)
-    // Let me check: the hook does Math.max(minHeight, currentHeight - step)
-    // minHeight=110, step=10, so 110 - 10 = 100, but Math.max(110, 100) = 110
-    // So two ArrowUp calls should both result in height=100 then height=110?
-    // Wait: 110 - 10 = 100, Math.max(110, 100) = 110 (not 100)
-    // So the height never goes below 110. After first: 110 -> 100, but clamped to 110.
-    // Actually Math.max(110, 100) = 110, so the height never changes.
-    // The min constraint is respected — height stays at 110.
-    expect(mockStoreState.onNodesChange).toHaveBeenLastCalledWith([
-      expect.objectContaining({ dimensions: { width: 210, height: 110 } }),
-    ]);
+    expect(mockStoreState.onNodesChange).not.toHaveBeenCalled();
  });

  it("does NOT fire when no node is selected", () => {
@@ -2,13 +2,6 @@

 import { useEffect } from "react";
 import { useCanvasStore } from "@/store/canvas";
-import { type NodeChange, type Node } from "@xyflow/react";
-import type { WorkspaceNodeData } from "@/store/canvas";
-
-/** Returns true if the node has any direct child in the node list. */
-function hasChildren(nodeId: string, nodes: Node<WorkspaceNodeData>[]): boolean {
-  return nodes.some((n) => n.data.parentId === nodeId);
-}

 /**
 * Canvas-wide keyboard shortcuts. All bound to the document window so
@@ -22,8 +15,9 @@ function hasChildren(nodeId: string, nodes: Node<WorkspaceNodeData>[]): boolean
 *   Cmd/Ctrl+[           — bump selected node backward in z-order
 *   Z                    — zoom-to-team if the selected node has children
 *   Arrow keys           — move selected node 10px (50px with Shift)
- *   Cmd/Ctrl+Arrow       — resize selected node (↑↓ height, ←→ width)
- *   Cmd/Ctrl+Shift+Arrow — resize by 2px per press (fine control)
+ *
+ * Node resize shortcuts were removed: container size + shape are now
+ * system-controlled (leaves fixed-size, parents grow to fit children).
 */
 export function useKeyboardShortcuts() {
  useEffect(() => {
@@ -96,8 +90,8 @@ export function useKeyboardShortcuts() {
      // Arrow-key node movement — Figma-style keyboard drag for keyboard users.
      // 10 px per press, 50 px with Shift held. Only fires when a node
      // is selected and the target isn't a form control. Skipped when a
-      // modifier key (Cmd/Ctrl/Alt) is held so those combos can be used
-      // for other shortcuts (e.g. Cmd+Arrow = resize).
+      // modifier key (Cmd/Ctrl/Alt) is held so those combos stay free for
+      // browser/OS shortcuts (node resize via Cmd+Arrow was removed).
      if (
        !inInput &&
        !e.metaKey &&
@@ -125,43 +119,9 @@ export function useKeyboardShortcuts() {
        state.moveNode(selectedId, dx, dy);
      }

-      // Cmd/Ctrl+Arrow — keyboard-accessible node resize.
-      // ↑/↓ resizes height, ←/→ resizes width.
-      // 10 px per press (2 px with Shift for fine control).
-      // Uses the same onNodesChange('dimensions') path that NodeResizer uses.
-      if (
-        !inInput &&
-        (e.metaKey || e.ctrlKey) &&
-        (e.key === "ArrowUp" ||
-          e.key === "ArrowDown" ||
-          e.key === "ArrowLeft" ||
-          e.key === "ArrowRight")
-      ) {
-        const state = useCanvasStore.getState();
-        const selectedId = state.selectedNodeId;
-        if (!selectedId) return;
-        if (document.querySelector('[role="dialog"][aria-modal="true"]')) return;
-        e.preventDefault();
-        const step = e.shiftKey ? 2 : 10;
-        const node = state.nodes.find((n) => n.id === selectedId);
-        if (!node) return;
-        const currentWidth = (node.width ?? 210) as number;
-        const currentHeight = (node.height ?? 110) as number;
-        const minWidth = hasChildren(node.id, state.nodes) ? 360 : 210;
-        const minHeight = hasChildren(node.id, state.nodes) ? 200 : 110;
-        let newWidth = currentWidth;
-        let newHeight = currentHeight;
-        if (e.key === "ArrowUp") newHeight = Math.max(minHeight, currentHeight - step);
-        else if (e.key === "ArrowDown") newHeight = currentHeight + step;
-        else if (e.key === "ArrowLeft") newWidth = Math.max(minWidth, currentWidth - step);
-        else newWidth = currentWidth + step;
-        const change: NodeChange = {
-          type: "dimensions",
-          id: selectedId,
-          dimensions: { width: newWidth, height: newHeight },
-        };
-        state.onNodesChange([change]);
-      }
+      // Node resize (was Cmd/Ctrl+Arrow) removed — container size + shape are
+      // now system-controlled: leaves render at a fixed size and parents grow
+      // to fit their children, so there is no user-driven resize affordance.
    };
    window.addEventListener("keydown", handler);
    return () => window.removeEventListener("keydown", handler);
@@ -0,0 +1,339 @@
+/* Faithful port of the Org Concierge concept (molecule-concierge-v1).
+   Scoped under .root so the concept's generic class names (.btn, .view,
+   .msg, .node …) cannot collide with the rest of the canvas app. Theme
+   tokens are redefined here (not the app tokens) so the port matches the
+   concept palette exactly; they key off the same [data-theme] on <html>. */
+
+.root {
+  --mono: "JetBrains Mono", ui-monospace, monospace;
+  --sans: var(--font-hanken), "Hanken Grotesk", system-ui, sans-serif;
+  /* dark (default) */
+  --bg: #08080a; --panel: #0d0d11; --panel-2: #101015;
+  --card: #16161d; --card-2: #1b1b23; --card-hover: #1f1f28;
+  --hair: rgba(255,255,255,.07); --hair-2: rgba(255,255,255,.11);
+  --tx: #ececf1; --tx-2: #9b9baa; --tx-3: #65656f;
+  --accent: #8b5cf6; --accent-2: #a78bfa; --accent-soft: rgba(139,92,246,.14);
+  --green: #34d399; --green-soft: rgba(52,211,153,.13); --green-bd: rgba(52,211,153,.26);
+  --amber: #fbbf24; --grey: #6a6a78; --warn: #f5a623; --red: #f87171;
+  --dot: rgba(255,255,255,.06);
+  --shadow: 0 18px 50px rgba(0,0,0,.5);
+  --user-bubble-tx: #fff;
+
+  font-family: var(--sans);
+  background: var(--bg);
+  color: var(--tx);
+  font-size: 14px;
+  -webkit-font-smoothing: antialiased;
+  position: fixed;
+  inset: 0;
+  overflow: hidden;
+}
+:global([data-theme="light"]) .root {
+  --bg: #f1efe8; --panel: #fbfaf6; --panel-2: #f6f4ee;
+  --card: #ffffff; --card-2: #faf9f4; --card-hover: #f3f1ea;
+  --hair: rgba(20,18,12,.10); --hair-2: rgba(20,18,12,.16);
+  --tx: #21201b; --tx-2: #5c5a52; --tx-3: #8e8b81;
+  --accent: #7c3aed; --accent-2: #7c3aed; --accent-soft: rgba(124,58,237,.10);
+  --green: #0f9d63; --green-soft: rgba(15,157,99,.10); --green-bd: rgba(15,157,99,.24);
+  --amber: #c98a04; --grey: #a8a59b; --warn: #c47e12; --red: #dc4d4d;
+  --dot: rgba(20,18,12,.10);
+  --shadow: 0 18px 50px rgba(60,56,40,.14);
+}
+.root *, .root *::before, .root *::after { box-sizing: border-box; }
+.root ::-webkit-scrollbar { width: 8px; height: 8px; }
+.root ::-webkit-scrollbar-thumb { background: var(--hair-2); border-radius: 8px; }
+.root ::-webkit-scrollbar-track { background: transparent; }
+
+.app { display: flex; height: 100%; width: 100%; }
+
+/* ===== ICON RAIL ===== */
+.rail {
+  width: 52px; flex: 0 0 52px; background: var(--panel);
+  border-right: 1px solid var(--hair);
+  display: flex; flex-direction: column; padding: 12px 8px; gap: 3px;
+  transition: width .22s cubic-bezier(.4,0,.2,1), flex-basis .22s cubic-bezier(.4,0,.2,1);
+  overflow: hidden;
+}
+.app.railOpen .rail { width: 212px; flex-basis: 212px; }
+.railTop { display: flex; align-items: center; gap: 8px; height: 36px; margin-bottom: 8px; }
+.logo {
+  width: 36px; height: 36px; flex: 0 0 36px; border-radius: 10px; display: grid; place-items: center; cursor: pointer;
+  background: linear-gradient(150deg,#7c3aed,#a78bfa);
+  box-shadow: 0 4px 14px rgba(124,58,237,.45), inset 0 1px 0 rgba(255,255,255,.25);
+}
+.railWordmark { font-weight: 700; font-size: 14.5px; letter-spacing: -.01em; white-space: nowrap; opacity: 0; transition: opacity .16s; pointer-events: none; }
+.app.railOpen .railWordmark { opacity: 1; transition: opacity .18s .08s; }
+.railToggle { margin-left: auto; width: 30px; height: 30px; flex: 0 0 30px; border-radius: 8px; display: grid; place-items: center; color: var(--tx-3); cursor: pointer; transition: .16s; border: none; background: none; }
+.railToggle:hover { color: var(--tx); background: var(--hair); }
+.railToggle svg { width: 18px; height: 18px; }
+.app:not(.railOpen) .railToggle { display: none; }
+.navbtn { height: 40px; border-radius: 10px; color: var(--tx-3); cursor: pointer; position: relative; transition: .16s; display: flex; align-items: center; gap: 12px; padding: 0; justify-content: flex-start; width: 100%; background: none; border: none; }
+.app.railOpen .navbtn { padding: 0 11px; }
+.navbtn .ico { width: 36px; flex: 0 0 36px; display: grid; place-items: center; }
+.app.railOpen .navbtn .ico { width: 20px; flex: 0 0 20px; }
+.navbtn .lbl { font-size: 13.5px; font-weight: 500; white-space: nowrap; opacity: 0; transition: opacity .16s; pointer-events: none; }
+.app.railOpen .navbtn .lbl { opacity: 1; transition: opacity .18s .08s; }
+.navbtn:hover { color: var(--tx-2); background: var(--hair); }
+.navbtn.active { color: var(--accent-2); background: var(--accent-soft); }
+.navbtn.active::before { content: ""; position: absolute; left: -8px; top: 50%; transform: translateY(-50%); width: 3px; height: 18px; border-radius: 0 3px 3px 0; background: var(--accent-2); }
+.navbtn svg { width: 20px; height: 20px; }
+.spacer { flex: 1; }
+
+/* ===== MAIN ===== */
+.main { flex: 1; display: flex; flex-direction: column; min-width: 0; }
+.topbar { height: 56px; flex: 0 0 56px; border-bottom: 1px solid var(--hair); background: var(--panel); display: flex; align-items: center; justify-content: space-between; padding: 0 18px 0 20px; }
+.org { display: flex; align-items: center; gap: 10px; cursor: pointer; padding: 6px 10px; border-radius: 9px; transition: .16s; margin-left: -6px; }
+.org:hover { background: var(--hair); }
+.orgBadge { width: 24px; height: 24px; border-radius: 7px; display: grid; place-items: center; background: linear-gradient(150deg,#2d2d36,#3a3a46); font-size: 12px; font-weight: 700; color: #d8d8e2; border: 1px solid var(--hair-2); }
+:global([data-theme="light"]) .orgBadge { background: linear-gradient(150deg,#7c3aed,#a78bfa); color: #fff; border: none; }
+.orgName { font-weight: 600; font-size: 14.5px; letter-spacing: -.01em; }
+.chev { color: var(--tx-3); display: flex; }
+.chev svg { width: 15px; height: 15px; }
+.topbarRight { display: flex; align-items: center; gap: 10px; }
+.iconPill { width: 34px; height: 34px; border-radius: 9px; display: grid; place-items: center; color: var(--tx-3); cursor: pointer; transition: .16s; border: none; background: none; }
+.iconPill:hover { color: var(--tx-2); background: var(--hair); }
+.iconPill svg { width: 18px; height: 18px; }
+.themeToggle { width: 34px; height: 34px; border-radius: 9px; display: grid; place-items: center; color: var(--tx-2); cursor: pointer; transition: .16s; border: 1px solid var(--hair); background: none; }
+.themeToggle:hover { background: var(--hair); color: var(--tx); }
+.themeToggle svg { width: 17px; height: 17px; }
+.avatar { width: 32px; height: 32px; border-radius: 50%; background: linear-gradient(150deg,#f0a36b,#e8638a); display: grid; place-items: center; font-weight: 700; font-size: 12.5px; color: #1a0d12; cursor: pointer; border: 1px solid rgba(255,255,255,.16); box-shadow: 0 2px 8px rgba(0,0,0,.3); margin-left: 4px; }
+
+/* ===== VIEWS ===== */
+.viewArea { flex: 1; min-height: 0; position: relative; }
+.view { position: absolute; inset: 0; display: none; }
+.view.active { display: flex; }
+/* A transform turns this into the containing block for its position:fixed
+   descendants — so the canvas's own overlays (Toolbar, Legend, Communications,
+   New Workspace, minimap) anchor to THIS box (the map view area, right of the
+   rail and below the topbar) instead of the viewport, and stop overlapping the
+   shell chrome. */
+.canvasMount { position: absolute; inset: 0; transform: translateZ(0); overflow: hidden; }
+
+/* ===== HOME VIEW ===== */
+.homeSidebar { flex: 0 0 296px; max-width: 296px; background: var(--panel-2); border-right: 1px solid var(--hair); display: flex; flex-direction: column; min-height: 0; }
+.sbTabs { display: flex; gap: 2px; padding: 12px 12px 0; border-bottom: 1px solid var(--hair); }
+.sbTab { flex: 1; text-align: center; padding: 9px 4px 11px; font-size: 12.5px; font-weight: 600; color: var(--tx-3); cursor: pointer; position: relative; transition: .14s; border-radius: 8px 8px 0 0; border: none; background: none; }
+.sbTab:hover { color: var(--tx-2); }
+.sbTab.active { color: var(--tx); }
+.sbTab.active::after { content: ""; position: absolute; left: 8px; right: 8px; bottom: -1px; height: 2px; border-radius: 2px; background: var(--accent); }
+.cnt { font-family: var(--mono); font-size: 10px; font-weight: 600; margin-left: 5px; background: var(--hair); color: var(--tx-2); padding: 1px 5px; border-radius: 10px; }
+.sbTab.active .cnt { background: var(--accent-soft); color: var(--accent-2); }
+.sbBody { flex: 1; overflow-y: auto; padding: 14px 12px; }
+
+.wsList { display: flex; flex-direction: column; gap: 6px; }
+.treeChildren { position: relative; padding-left: 22px; display: flex; flex-direction: column; gap: 6px; margin-top: 6px; }
+.tnode { position: relative; display: flex; flex-direction: column; gap: 6px; }
+.tnode::before { content: ""; position: absolute; left: -14px; top: -6px; width: 1.5px; height: calc(100% + 6px); background: var(--hair-2); }
+.tnode.last::before { height: 33px; }
+.tnode::after { content: ""; position: absolute; left: -14px; top: 27px; width: 14px; height: 1.5px; background: var(--hair-2); }
+.ws { display: flex; align-items: center; gap: 11px; padding: 10px 11px; border-radius: 13px; cursor: pointer; border: 1px solid transparent; background: transparent; transition: .16s; position: relative; width: 100%; text-align: left; }
+.ws:hover { background: var(--card); }
+.ws.active { background: var(--accent-soft); border-color: rgba(139,92,246,.34); }
+.wsAv { width: 34px; height: 34px; border-radius: 50%; flex: 0 0 34px; position: relative; display: grid; place-items: center; font-weight: 700; font-size: 12px; color: #0c0c10; box-shadow: inset 0 1px 0 rgba(255,255,255,.3); }
+.wsAv .dot { position: absolute; right: -1px; bottom: -1px; width: 10px; height: 10px; border-radius: 50%; border: 2.5px solid var(--panel-2); }
+.ws.active .wsAv .dot { border-color: var(--card); }
+.wsMeta { min-width: 0; flex: 1; }
+.wsName { font-weight: 600; font-size: 13.5px; letter-spacing: -.01em; white-space: nowrap; overflow: hidden; text-overflow: ellipsis; }
+.wsSub { display: flex; align-items: center; gap: 6px; margin-top: 1px; min-width: 0; }
+.wsRole { font-family: var(--mono); font-size: 10.5px; color: var(--tx-3); white-space: nowrap; overflow: hidden; text-overflow: ellipsis; min-width: 0; flex: 0 1 auto; }
+.wsStatus { font-size: 10.5px; font-weight: 500; display: flex; align-items: center; gap: 4px; flex: 0 0 auto; }
+.wsStatus .sdot { width: 6px; height: 6px; border-radius: 50%; }
+.rootTag { margin-left: auto; font-family: var(--mono); font-size: 9px; letter-spacing: .1em; text-transform: uppercase; color: var(--accent-2); background: var(--accent-soft); padding: 3px 6px; border-radius: 6px; border: 1px solid rgba(139,92,246,.28); }
+.wsQ { margin-left: auto; flex: 0 0 auto; font-family: var(--mono); font-size: 10px; font-weight: 700; color: var(--tx-2); background: var(--hair); border: 1px solid var(--hair-2); padding: 2px 7px; border-radius: 20px; display: inline-flex; align-items: center; gap: 4px; }
+.wsQ svg { width: 9px; height: 9px; color: var(--tx-3); }
+.wsQ.zero { color: var(--tx-3); opacity: .65; }
+.wsCaret { flex: 0 0 auto; width: 20px; height: 20px; margin-left: 4px; border: none; background: none; color: var(--tx-3); cursor: pointer; display: grid; place-items: center; border-radius: 6px; transition: .14s; }
+.wsCaret:hover { background: var(--hair); color: var(--tx); }
+.wsCaret svg { width: 13px; height: 13px; }
+
+.sbSection { font-size: 11px; font-weight: 600; letter-spacing: .12em; text-transform: uppercase; color: var(--tx-3); font-family: var(--mono); padding: 18px 4px 10px; }
+
+/* tasks */
+.task { display: flex; flex-direction: column; align-items: stretch; gap: 0; padding: 11px; border-radius: 12px; border: 1px solid var(--hair); background: var(--card); margin-bottom: 7px; }
+.taskRow { display: flex; gap: 11px; }
+.taskIc { width: 28px; height: 28px; border-radius: 8px; flex: 0 0 28px; display: grid; place-items: center; }
+.taskIc svg { width: 15px; height: 15px; }
+.taskIc.done { background: var(--green-soft); color: var(--green); border: 1px solid var(--green-bd); }
+.taskIc.run { background: rgba(245,166,35,.12); color: var(--amber); border: 1px solid rgba(245,166,35,.28); }
+.taskIc.sched { background: var(--accent-soft); color: var(--accent-2); border: 1px solid rgba(139,92,246,.26); }
+.taskMeta { flex: 1; min-width: 0; }
+.taskT { font-size: 13px; font-weight: 600; letter-spacing: -.01em; line-height: 1.35; }
+.taskS { font-size: 11px; color: var(--tx-3); margin-top: 3px; display: flex; align-items: center; gap: 6px; }
+.taskS .pip { width: 4px; height: 4px; border-radius: 50%; background: var(--tx-3); }
+.taskActions { display: flex; gap: 7px; margin-top: 11px; padding-left: 39px; }
+.tbtn { font-family: var(--sans); font-size: 11.5px; font-weight: 600; cursor: pointer; padding: 5px 12px; border-radius: 8px; border: 1px solid var(--hair-2); background: var(--card-2); color: var(--tx-2); transition: .14s; display: inline-flex; align-items: center; gap: 5px; }
+.tbtn svg { width: 13px; height: 13px; }
+.tbtn:hover { background: var(--card-hover); color: var(--tx); }
+.tbtn.done { background: var(--green-soft); color: var(--green); border-color: var(--green-bd); }
+.task.isDone .taskT { color: var(--tx-2); }
+
+/* activity */
+.act { display: flex; gap: 11px; padding: 6px 4px; }
+.actTime { font-family: var(--mono); font-size: 10.5px; color: var(--tx-3); flex: 0 0 52px; padding-top: 1px; font-variant-numeric: tabular-nums; }
+.actLine { position: relative; padding-left: 15px; flex: 1; }
+.actLine::before { content: ""; position: absolute; left: 0; top: 6px; width: 6px; height: 6px; border-radius: 50%; background: var(--accent); }
+.actLine.grn::before { background: var(--green); }
+.actText { font-size: 12px; color: var(--tx-2); line-height: 1.45; }
+.actText b { color: var(--tx); font-weight: 600; }
+
+/* approvals */
+.apprCard { background: var(--card); border: 1px solid var(--hair); border-radius: 14px; overflow: hidden; }
+.apprRow { display: flex; align-items: flex-start; gap: 11px; padding: 13px; }
+.apprIc { width: 30px; height: 30px; border-radius: 8px; flex: 0 0 30px; display: grid; place-items: center; background: rgba(239,68,68,.12); color: var(--red); border: 1px solid rgba(239,68,68,.22); }
+.apprIc svg { width: 15px; height: 15px; }
+.apprMeta { flex: 1; min-width: 0; }
+.apprT { font-size: 13px; font-weight: 600; letter-spacing: -.01em; line-height: 1.35; }
+.apprT code { font-family: var(--mono); font-size: 11px; color: var(--tx-2); background: var(--hair); padding: 1px 5px; border-radius: 5px; font-weight: 500; }
+.apprS { font-size: 11px; color: var(--tx-3); margin-top: 3px; }
+.apprActions { display: flex; gap: 7px; padding: 0 13px 13px; }
+.empty { text-align: center; color: var(--tx-3); font-size: 12.5px; padding: 30px 16px; line-height: 1.6; }
+.empty svg { width: 30px; height: 30px; margin-bottom: 10px; color: var(--tx-3); opacity: .6; }
+
+/* buttons */
+.btn { font-family: var(--sans); font-size: 12px; font-weight: 600; cursor: pointer; padding: 6px 13px; border-radius: 8px; border: 1px solid var(--hair-2); background: var(--card-2); color: var(--tx-2); transition: .14s; white-space: nowrap; }
+.btn:hover { background: var(--card-hover); color: var(--tx); }
+.btn.approve { background: var(--accent); color: #fff; border-color: transparent; box-shadow: 0 2px 10px rgba(124,58,237,.4); }
+.btn.approve:hover { background: #9d6ef8; }
+.btn.deny:hover { background: rgba(239,68,68,.14); color: var(--red); border-color: rgba(239,68,68,.3); }
+.btn.flex { flex: 1; text-align: center; }
+
+/* ===== CHAT ===== */
+.chat { flex: 1; display: flex; flex-direction: column; min-width: 0; background: var(--bg); }
+.chatHead { height: 56px; flex: 0 0 56px; border-bottom: 1px solid var(--hair); display: flex; align-items: center; gap: 12px; padding: 0 22px; background: var(--panel-2); }
+.chAv { width: 30px; height: 30px; border-radius: 9px; display: grid; place-items: center; background: linear-gradient(150deg,#7c3aed,#a78bfa); color: #fff; box-shadow: 0 2px 8px rgba(124,58,237,.4); }
+.chAv svg { width: 16px; height: 16px; }
+.chMeta { flex: 1; }
+.chTitle { font-size: 14.5px; font-weight: 600; letter-spacing: -.01em; }
+.chSub { font-size: 11.5px; color: var(--tx-3); display: flex; align-items: center; gap: 6px; margin-top: 1px; }
+.chSub .sdot { width: 6px; height: 6px; border-radius: 50%; background: var(--green); }
+.chTools { display: flex; gap: 6px; }
+.chatScroll { flex: 1; overflow-y: auto; padding: 30px 0; }
+.chatInner { max-width: 720px; margin: 0 auto; padding: 0 28px; display: flex; flex-direction: column; gap: 22px; }
+.msg { display: flex; gap: 13px; max-width: 100%; }
+.msg.user { flex-direction: row-reverse; }
+.msgAv { width: 30px; height: 30px; border-radius: 9px; flex: 0 0 30px; display: grid; place-items: center; font-weight: 700; font-size: 12px; }
+.msg.user .msgAv { background: linear-gradient(150deg,#f0a36b,#e8638a); color: #1a0d12; }
+.msg.bot .msgAv { background: linear-gradient(150deg,#7c3aed,#a78bfa); color: #fff; }
+.msg.bot .msgAv svg { width: 16px; height: 16px; }
+.bubbleWrap { display: flex; flex-direction: column; gap: 11px; min-width: 0; max-width: 560px; }
+.msg.user .bubbleWrap { align-items: flex-end; }
+.bubble { padding: 12px 15px; border-radius: 15px; font-size: 14px; line-height: 1.55; letter-spacing: -.005em; }
+.msg.user .bubble { background: var(--accent); color: var(--user-bubble-tx); border-bottom-right-radius: 5px; box-shadow: 0 3px 14px rgba(124,58,237,.3); }
+.msg.bot .bubble { background: var(--card); border: 1px solid var(--hair); border-bottom-left-radius: 5px; color: var(--tx); }
+.bubble b { font-weight: 600; }
+.actionCard { background: var(--card); border: 1px solid var(--hair); border-radius: 14px; padding: 13px 15px; display: flex; align-items: center; gap: 13px; width: 100%; }
+.acIc { width: 34px; height: 34px; border-radius: 10px; flex: 0 0 34px; display: grid; place-items: center; background: var(--green-soft); border: 1px solid var(--green-bd); color: var(--green); }
+.acIc svg { width: 18px; height: 18px; }
+.acMeta { flex: 1; min-width: 0; }
+.acLabel { font-family: var(--mono); font-size: 10px; letter-spacing: .1em; text-transform: uppercase; color: var(--tx-3); margin-bottom: 3px; }
+.acTitle { font-size: 13.5px; font-weight: 600; letter-spacing: -.01em; display: flex; align-items: center; gap: 7px; flex-wrap: wrap; }
+.acTitle .pill { font-family: var(--mono); font-size: 11px; font-weight: 500; color: var(--accent-2); white-space: nowrap; background: var(--accent-soft); padding: 2px 8px; border-radius: 6px; border: 1px solid rgba(139,92,246,.24); }
+.acCheck { color: var(--green); display: flex; }
+.acCheck svg { width: 18px; height: 18px; }
+.reqCard { background: linear-gradient(180deg,rgba(245,166,35,.08),rgba(245,166,35,.02)); border: 1px solid rgba(245,166,35,.3); border-radius: 16px; padding: 16px; width: 100%; }
+.reqTop { display: flex; align-items: flex-start; gap: 13px; }
+.reqIc { width: 36px; height: 36px; border-radius: 10px; flex: 0 0 36px; display: grid; place-items: center; background: rgba(245,166,35,.15); border: 1px solid rgba(245,166,35,.34); color: var(--warn); }
+.reqIc svg { width: 19px; height: 19px; }
+.reqMeta { flex: 1; }
+.reqLabel { font-family: var(--mono); font-size: 10px; letter-spacing: .1em; text-transform: uppercase; color: var(--warn); margin-bottom: 4px; font-weight: 600; }
+.reqTitle { font-size: 14.5px; font-weight: 600; letter-spacing: -.01em; line-height: 1.4; }
+.reqTitle code { font-family: var(--mono); font-size: 12.5px; color: var(--amber); background: rgba(245,166,35,.12); padding: 1px 6px; border-radius: 5px; font-weight: 500; }
+.reqDesc { font-size: 12.5px; color: var(--tx-2); margin-top: 6px; line-height: 1.5; }
+.reqActions { display: flex; gap: 9px; margin-top: 14px; padding-left: 49px; }
+.reqActions .btn { padding: 8px 18px; font-size: 12.5px; }
+
+.composer { padding: 14px 28px 20px; border-top: 1px solid var(--hair); background: var(--panel-2); }
+.composerInner { max-width: 720px; margin: 0 auto; }
+.inputBox { background: var(--card); border: 1px solid var(--hair-2); border-radius: 16px; padding: 12px 12px 10px 16px; transition: .16s; }
+.inputBox:focus-within { border-color: rgba(139,92,246,.5); box-shadow: 0 0 0 3px rgba(139,92,246,.12); }
+.inputTop { display: flex; align-items: flex-end; gap: 10px; }
+.msgInput { flex: 1; background: none; border: none; outline: none; color: var(--tx); font-family: var(--sans); font-size: 14px; line-height: 1.5; resize: none; max-height: 120px; padding: 5px 0; }
+.msgInput::placeholder { color: var(--tx-3); }
+.send { width: 36px; height: 36px; flex: 0 0 36px; border-radius: 11px; border: none; cursor: pointer; background: var(--accent); color: #fff; display: grid; place-items: center; transition: .16s; box-shadow: 0 2px 10px rgba(124,58,237,.4); }
+.send:hover { background: #9d6ef8; transform: translateY(-1px); }
+.send svg { width: 17px; height: 17px; }
+.inputBottom { display: flex; align-items: center; gap: 10px; margin-top: 8px; }
+.hint { margin-left: auto; font-size: 11px; color: var(--tx-3); font-family: var(--mono); }
+.hint kbd { background: var(--hair); border: 1px solid var(--hair); border-radius: 4px; padding: 1px 5px; font-family: var(--mono); font-size: 10px; }
+
+/* greeting (empty chat state) */
+.greetWrap { flex: 1; display: flex; flex-direction: column; align-items: center; justify-content: center; gap: 26px; padding: 0 28px; }
+.greet { display: flex; align-items: center; gap: 14px; font-size: 34px; font-weight: 400; letter-spacing: -.02em; color: var(--tx); }
+.greet .stamp { color: #f0a36b; }
+.greetChips { display: flex; flex-wrap: wrap; gap: 10px; justify-content: center; }
+.chip { display: inline-flex; align-items: center; gap: 7px; font-size: 13px; font-weight: 600; color: var(--tx-2); background: var(--card); border: 1px solid var(--hair); padding: 8px 13px; border-radius: 10px; cursor: pointer; transition: .14s; }
+.chip:hover { background: var(--card-hover); color: var(--tx); border-color: var(--hair-2); }
+
+/* placeholder (settings) */
+.ph { flex: 1; display: flex; flex-direction: column; align-items: center; justify-content: center; gap: 14px; color: var(--tx-3); text-align: center; }
+.ph svg { width: 42px; height: 42px; opacity: .5; }
+.ph h2 { font-size: 18px; font-weight: 600; color: var(--tx-2); }
+.ph p { font-size: 13.5px; max-width: 340px; line-height: 1.55; }
+
+/* settings view */
+.settingsScroll { flex: 1; min-height: 0; overflow-y: auto; padding: 28px 32px 60px; }
+.settingsInner { max-width: 720px; margin: 0 auto; display: flex; flex-direction: column; gap: 26px; }
+.settingsHead { display: flex; flex-direction: column; gap: 5px; }
+.settingsHead h1 { font-size: 21px; font-weight: 600; letter-spacing: -.01em; color: var(--tx); }
+.settingsHead p { font-size: 13px; color: var(--tx-3); line-height: 1.55; max-width: 540px; }
+
+.scard { background: var(--card); border: 1px solid var(--hair); border-radius: 14px; padding: 18px 20px; display: flex; flex-direction: column; gap: 14px; }
+.scardHead { display: flex; flex-direction: column; gap: 4px; }
+.scardTitle { font-size: 14.5px; font-weight: 600; color: var(--tx); display: flex; align-items: center; gap: 9px; }
+.scardDesc { font-size: 12.5px; color: var(--tx-3); line-height: 1.5; }
+
+/* billing radio options */
+.optList { display: flex; flex-direction: column; gap: 10px; }
+.opt { display: flex; gap: 12px; padding: 13px 14px; border: 1px solid var(--hair); border-radius: 11px; cursor: pointer; transition: .14s; background: var(--card-2); align-items: flex-start; }
+.opt:hover { border-color: var(--hair-2); background: var(--card-hover); }
+.opt.optActive { border-color: rgba(139,92,246,.5); background: var(--accent-soft); }
+.optRadio { width: 16px; height: 16px; flex: 0 0 16px; border-radius: 50%; border: 2px solid var(--hair-2); margin-top: 2px; position: relative; transition: .14s; }
+.opt.optActive .optRadio { border-color: var(--accent); }
+.opt.optActive .optRadio::after { content: ""; position: absolute; inset: 2px; border-radius: 50%; background: var(--accent); }
+.optBody { display: flex; flex-direction: column; gap: 3px; min-width: 0; }
+.optTitle { font-size: 13px; font-weight: 600; color: var(--tx); display: flex; align-items: center; gap: 8px; }
+.optDesc { font-size: 12px; color: var(--tx-3); line-height: 1.5; }
+.optTag { font-family: var(--mono); font-size: 9.5px; font-weight: 600; letter-spacing: .06em; text-transform: uppercase; color: var(--green); background: var(--green-soft); border: 1px solid var(--green-bd); padding: 1px 7px; border-radius: 20px; }
+.optTagCur { color: var(--accent-2); background: var(--accent-soft); border-color: rgba(139,92,246,.3); }
+
+/* byok key entry */
+.keyRow { display: flex; flex-direction: column; gap: 9px; padding: 14px; border: 1px solid var(--hair); border-radius: 11px; background: var(--card-2); }
+.keyLabel { font-size: 11px; font-weight: 600; letter-spacing: .04em; color: var(--tx-2); font-family: var(--mono); }
+.keyInputRow { display: flex; gap: 9px; }
+.keyInput { flex: 1; min-width: 0; background: var(--panel); border: 1px solid var(--hair-2); border-radius: 8px; padding: 8px 11px; font-family: var(--mono); font-size: 12px; color: var(--tx); outline: none; transition: .14s; }
+.keyInput:focus { border-color: var(--accent); }
+.keyInput::placeholder { color: var(--tx-3); }
+.keyNote { font-size: 11.5px; color: var(--tx-3); line-height: 1.5; }
+.keyNote code { font-family: var(--mono); font-size: 11px; color: var(--tx-2); background: var(--hair); padding: 1px 5px; border-radius: 4px; }
+
+.sMsg { font-size: 12px; padding: 8px 11px; border-radius: 8px; line-height: 1.45; }
+.sMsgErr { color: var(--red); background: rgba(239,68,68,.12); border: 1px solid rgba(239,68,68,.28); }
+.sMsgOk { color: var(--green); background: var(--green-soft); border: 1px solid var(--green-bd); }
+
+.btn.primary { background: var(--accent); color: #fff; border-color: transparent; box-shadow: 0 2px 10px rgba(124,58,237,.4); }
+.btn.primary:hover { background: #9d6ef8; }
+.btn.primary:disabled { opacity: .4; cursor: default; box-shadow: none; }
+
+/* embedded canvas settings tabs */
+.embedSettings { border: 1px solid var(--hair); border-radius: 14px; overflow: hidden; background: var(--card); }
+
+/* embedded full workspace tab panel (the SAME WorkspacePanelTabs the Org-map
+   SidePanel renders), pointed at the platform agent. A bordered card with a
+   bounded height + flex column so the tab body's own overflow-y scroller works
+   inside it (mirrors .embedChat's min-height:0 trick). */
+.embedPanel {
+  border: 1px solid var(--hair);
+  border-radius: 14px;
+  overflow: hidden;
+  background: var(--card);
+  display: flex;
+  flex-direction: column;
+  min-height: 0;
+  height: 70vh;
+  max-height: 760px;
+}
+
+/* embedded canonical ChatTab (shared with the Org-map SidePanel).
+   Fills the chat column below the concierge header; min-height:0 lets the
+   ChatTab's own overflow-y scroller work inside the flex column. */
+.embedChat { flex: 1; min-height: 0; display: flex; flex-direction: column; }
@@ -0,0 +1,604 @@
+"use client";
+
+import { useCallback, useEffect, useMemo, useState } from "react";
+import { useCanvasStore, type TopView } from "@/store/canvas";
+import { WORKSPACE_KIND } from "@/lib/workspace-kind";
+import { useTheme } from "@/lib/theme-provider";
+import { api } from "@/lib/api";
+import { showToast } from "@/components/Toaster";
+import type { ActivityEntry } from "@/types/activity";
+import { Canvas } from "@/components/Canvas";
+import { CommunicationOverlay } from "@/components/CommunicationOverlay";
+import { MessageFlightHome } from "./MessageFlightHome";
+import { ChatTab } from "@/components/tabs/ChatTab";
+import { WorkspacePanelTabs } from "@/components/WorkspacePanelTabs";
+import { SettingsTabs } from "@/components/settings";
+import s from "./Concierge.module.css";
+import {
+  IcHome, IcOrgMap, IcSettings, IcSearch, IcBell, IcSun, IcMoon, IcChevDown,
+  IcQueue, IcCaret, IcMolecule, IcClock, IcCheck, IcTrash, IcChat,
+} from "./icons";
+
+/* ── status → concept palette ─────────────────────────────────────────── */
+function statusInfo(status: string): { color: string; label: string } {
+  switch (status) {
+    case "online": return { color: "var(--green)", label: "online" };
+    case "provisioning":
+    case "starting": return { color: "var(--amber)", label: "starting" };
+    case "degraded": return { color: "var(--amber)", label: "degraded" };
+    case "building": return { color: "var(--amber)", label: "building" };
+    case "failed": return { color: "var(--red)", label: "failed" };
+    case "paused": return { color: "var(--accent-2)", label: "paused" };
+    default: return { color: "var(--grey)", label: status || "idle" };
+  }
+}
+
+const AV_GRADIENTS = [
+  "linear-gradient(150deg,#a78bfa,#7c3aed)",
+  "linear-gradient(150deg,#60a5fa,#3b82f6)",
+  "linear-gradient(150deg,#34d399,#10b981)",
+  "linear-gradient(150deg,#fbbf77,#f59e0b)",
+  "linear-gradient(150deg,#5eead4,#14b8a6)",
+  "linear-gradient(150deg,#f0a36b,#e8638a)",
+];
+function initials(name: string): string {
+  const parts = name.trim().split(/\s+/).filter(Boolean);
+  if (parts.length === 0) return "?";
+  if (parts.length === 1) return parts[0].slice(0, 2).toUpperCase();
+  return (parts[0][0] + parts[parts.length - 1][0]).toUpperCase();
+}
+function gradientFor(id: string): string {
+  let h = 0;
+  for (let i = 0; i < id.length; i++) h = (h * 31 + id.charCodeAt(i)) >>> 0;
+  return AV_GRADIENTS[h % AV_GRADIENTS.length];
+}
+
+type SbTab = "agents" | "tasks" | "approvals";
+
+interface PendingApproval {
+  id: string;
+  workspace_id: string;
+  workspace_name: string;
+  action: string;
+  reason: string | null;
+  status: string;
+  created_at: string;
+}
+interface UserTask {
+  id: string;
+  workspace_id: string;
+  workspace_name: string;
+  title: string;
+  detail: string | null;
+  status: string;
+  created_at: string;
+}
+
+/** ISO timestamp → "9:05 PM" (local). Empty string on a bad/missing value. */
+function clockTime(iso: string | null | undefined): string {
+  if (!iso) return "";
+  const d = new Date(iso);
+  if (Number.isNaN(d.getTime())) return "";
+  return d.toLocaleTimeString([], { hour: "numeric", minute: "2-digit" });
+}
+
+/** A human action label from an activity row. */
+function activityText(a: ActivityEntry): string {
+  if (a.summary) return a.summary;
+  const verb = a.activity_type?.replace(/_/g, " ") ?? "activity";
+  return a.method ? `${verb} · ${a.method}` : verb;
+}
+
+export function ConciergeShell() {
+  const nodes = useCanvasStore((st) => st.nodes);
+  const topView = useCanvasStore((st) => st.topView);
+  const setTopView = useCanvasStore((st) => st.setTopView);
+  const selectNode = useCanvasStore((st) => st.selectNode);
+  const selectedNodeId = useCanvasStore((st) => st.selectedNodeId);
+  const { resolvedTheme, setTheme } = useTheme();
+
+  const [railOpen, setRailOpen] = useState(false);
+  const [sbTab, setSbTab] = useState<SbTab>("agents");
+  const [settingsTab, setSettingsTab] = useState<"platform" | "org">("platform");
+  const [collapsed, setCollapsed] = useState<Record<string, boolean>>({});
+
+  // Dynamic org name for the topbar. Sourced from GET /org/identity
+  // ({name} ← MOLECULE_ORG_NAME, added by a parallel backend change).
+  // Falls back to "Molecule AI" when the endpoint 404s / errors or
+  // returns an empty name, so the topbar never breaks before the backend
+  // lands.
+  const [orgName, setOrgName] = useState("Molecule AI");
+  useEffect(() => {
+    let cancelled = false;
+    api
+      .get<{ name?: string }>("/org/identity")
+      .then((r) => {
+        const name = (r?.name || "").trim();
+        if (!cancelled && name) setOrgName(name);
+      })
+      .catch(() => {
+        // No endpoint / not reachable — keep the "Molecule AI" fallback.
+      });
+    return () => {
+      cancelled = true;
+    };
+  }, []);
+
+  // Build the agent hierarchy from live nodes.
+  const { roots, childrenOf } = useMemo(() => {
+    const childrenOf = new Map<string, typeof nodes>();
+    const roots: typeof nodes = [];
+    for (const n of nodes) {
+      const p = n.data.parentId;
+      if (p) {
+        const arr = childrenOf.get(p) ?? [];
+        arr.push(n);
+        childrenOf.set(p, arr);
+      } else {
+        roots.push(n);
+      }
+    }
+    return { roots, childrenOf };
+  }, [nodes]);
+
+  const platformRoot = useMemo(
+    () =>
+      // Resolve the platform agent by the authoritative kind='platform' marker
+      // only — the backend in this branch always returns kind
+      // (COALESCE(w.kind,'workspace')) and the map-side filter
+      // (canvas-topology/Canvas/Toolbar) is kind-only, so the shell must not
+      // disagree via a name/role heuristic. Fall back to the first root only as
+      // graceful degradation if no node is tagged platform.
+      roots.find((r) => r.data.kind === WORKSPACE_KIND.Platform) ??
+      roots[0] ??
+      null,
+    [roots],
+  );
+
+  const platformId = platformRoot?.id ?? null;
+
+  // ── live data: approvals + user-tasks (org-wide), activity (platform agent) ──
+  const [approvals, setApprovals] = useState<PendingApproval[]>([]);
+  const [userTasks, setUserTasks] = useState<UserTask[]>([]);
+  const [activity, setActivity] = useState<ActivityEntry[]>([]);
+  const [deciding, setDeciding] = useState<string | null>(null);
+  const [resolving, setResolving] = useState<string | null>(null);
+
+  const loadApprovals = useCallback(() => {
+    api.get<PendingApproval[]>("/approvals/pending")
+      .then((r) => setApprovals(r ?? []))
+      .catch(() => setApprovals([]));
+  }, []);
+  const loadUserTasks = useCallback(() => {
+    api.get<UserTask[]>("/user-tasks/pending")
+      .then((r) => setUserTasks(r ?? []))
+      .catch(() => setUserTasks([]));
+  }, []);
+  useEffect(() => { loadApprovals(); loadUserTasks(); }, [loadApprovals, loadUserTasks]);
+
+  useEffect(() => {
+    if (!platformId) return;
+    let cancelled = false;
+    api.get<ActivityEntry[]>(`/workspaces/${platformId}/activity?limit=12`)
+      .then((r) => { if (!cancelled) setActivity(r ?? []); })
+      .catch(() => { if (!cancelled) setActivity([]); });
+    return () => { cancelled = true; };
+  }, [platformId]);
+
+  const decide = useCallback(async (a: PendingApproval, decision: "approved" | "denied") => {
+    if (deciding) return;
+    setDeciding(a.id);
+    try {
+      await api.post(`/workspaces/${a.workspace_id}/approvals/${a.id}/decide`, {
+        decision, decided_by: "human",
+      });
+      showToast(decision === "approved" ? "Approved" : "Denied", decision === "approved" ? "success" : "info");
+      setApprovals((prev) => prev.filter((x) => x.id !== a.id));
+    } catch {
+      showToast("Failed to record decision", "error");
+    } finally {
+      setDeciding(null);
+    }
+  }, [deciding]);
+
+  const resolveTask = useCallback(async (t: UserTask, status: "done" | "dismissed") => {
+    if (resolving) return;
+    setResolving(t.id);
+    try {
+      await api.post(`/workspaces/${t.workspace_id}/user-tasks/${t.id}/resolve`, {
+        status, resolved_by: "human",
+      });
+      showToast(status === "done" ? "Marked done" : "Dismissed", status === "done" ? "success" : "info");
+      setUserTasks((prev) => prev.filter((x) => x.id !== t.id));
+    } catch {
+      showToast("Failed to resolve task", "error");
+    } finally {
+      setResolving(null);
+    }
+  }, [resolving]);
+
+  const nav = (v: TopView) => setTopView(v);
+
+  /* ── agents tree (recursive) ──────────────────────────────────────── */
+  function renderNode(n: (typeof nodes)[number], depth: number) {
+    const kids = childrenOf.get(n.id) ?? [];
+    const hasKids = kids.length > 0;
+    const isCollapsed = collapsed[n.id];
+    const st = statusInfo(n.data.status);
+    const isRoot = depth === 0;
+    const isPlatform = n.id === platformRoot?.id;
+    const q = (n.data.activeTasks as number) ?? 0;
+    // Role can be a long descriptor (e.g. "Coding Executor (Kimi) — …"); render
+    // it compact (single-line, truncated by .wsRole) and surface the full text
+    // on hover via the native tooltip.
+    const roleLabel = isPlatform ? "platform" : n.data.role || "agent";
+    const row = (
+      <div
+        role="button"
+        tabIndex={0}
+        data-testid="agent-tree-node"
+        data-node-name={n.data.name}
+        data-ws-id={n.id}
+        data-platform={isPlatform ? "true" : "false"}
+        data-depth={depth}
+        className={`${s.ws} ${selectedNodeId === n.id ? s.active : ""}`}
+        onClick={() => selectNode(n.id)}
+        onKeyDown={(e) => {
+          if (e.key === "Enter" || e.key === " ") {
+            e.preventDefault();
+            selectNode(n.id);
+          }
+        }}
+      >
+        <div className={s.wsAv} style={{ background: gradientFor(n.id) }}>
+          {initials(n.data.name)}
+          <span className={s.dot} style={{ background: st.color }} />
+        </div>
+        <div className={s.wsMeta}>
+          <div className={s.wsName}>{n.data.name}</div>
+          <div className={s.wsSub}>
+            <span className={s.wsRole} title={roleLabel}>{roleLabel}</span>
+            <span className={s.wsStatus} style={{ color: st.color }}>
+              <span className={s.sdot} style={{ background: st.color }} />
+              {st.label}
+            </span>
+          </div>
+        </div>
+        {isRoot && isPlatform ? (
+          <span data-testid="agent-tree-root-tag" className={s.rootTag}>root</span>
+        ) : (
+          <span className={`${s.wsQ} ${q === 0 ? s.zero : ""}`} title="Tasks in queue">
+            <IcQueue />
+            {q}
+          </span>
+        )}
+        {hasKids && (
+          <button
+            className={s.wsCaret}
+            title="Expand / collapse"
+            onClick={(e) => {
+              e.stopPropagation();
+              setCollapsed((c) => ({ ...c, [n.id]: !c[n.id] }));
+            }}
+            style={{ transform: isCollapsed ? "none" : "rotate(90deg)", transition: "transform .18s" }}
+          >
+            <IcCaret />
+          </button>
+        )}
+      </div>
+    );
+    return (
+      <div key={n.id} className={s.tnode}>
+        {row}
+        {hasKids && !isCollapsed && (
+          <div className={s.treeChildren}>
+            {kids.map((k) => renderNode(k, depth + 1))}
+          </div>
+        )}
+      </div>
+    );
+  }
+
+  return (
+    <div className={s.root}>
+      {/* Envelope flies between agent rows on each delegate/message event. */}
+      <MessageFlightHome />
+      <div className={`${s.app} ${railOpen ? s.railOpen : ""}`}>
+        {/* ICON RAIL */}
+        <nav className={s.rail}>
+          <div className={s.railTop}>
+            <div className={s.logo} title="Toggle sidebar" onClick={() => setRailOpen((o) => !o)}>
+              <IcMolecule />
+            </div>
+            <span className={s.railWordmark}>Molecule</span>
+            <button className={s.railToggle} title="Collapse sidebar" onClick={() => setRailOpen((o) => !o)}>
+              <IcOrgMap />
+            </button>
+          </div>
+          <button data-testid="nav-home" className={`${s.navbtn} ${topView === "home" ? s.active : ""}`} title="Home" onClick={() => nav("home")}>
+            <span className={s.ico}><IcHome /></span><span className={s.lbl}>Home</span>
+          </button>
+          <button data-testid="nav-map" className={`${s.navbtn} ${topView === "map" ? s.active : ""}`} title="Org map" onClick={() => nav("map")}>
+            <span className={s.ico}><IcOrgMap /></span><span className={s.lbl}>Org map</span>
+          </button>
+          <div className={s.spacer} />
+          <button data-testid="nav-settings" className={`${s.navbtn} ${topView === "settings" ? s.active : ""}`} title="Settings" onClick={() => nav("settings")}>
+            <span className={s.ico}><IcSettings /></span><span className={s.lbl}>Settings</span>
+          </button>
+        </nav>
+
+        <div className={s.main}>
+          {/* TOPBAR */}
+          <header className={s.topbar}>
+            <div className={s.org}>
+              <div className={s.orgBadge}>{initials(orgName).slice(0, 1)}</div>
+              <span data-testid="topbar-org-name" className={s.orgName}>{orgName}</span>
+              <span className={s.chev}><IcChevDown /></span>
+            </div>
+            <div className={s.topbarRight}>
+              <button className={s.iconPill} title="Search"><IcSearch /></button>
+              <button className={s.iconPill} title="Notifications"><IcBell /></button>
+              <button
+                className={s.themeToggle}
+                title="Toggle theme"
+                onClick={() => setTheme(resolvedTheme === "dark" ? "light" : "dark")}
+              >
+                {resolvedTheme === "dark" ? <IcMoon /> : <IcSun />}
+              </button>
+              <div className={s.avatar} title="You">HW</div>
+            </div>
+          </header>
+
+          <div className={s.viewArea}>
+            {/* HOME VIEW */}
+            <div className={`${s.view} ${topView === "home" ? s.active : ""}`}>
+              <aside className={s.homeSidebar}>
+                <div className={s.sbTabs}>
+                  <button data-testid="home-subtab-agents" className={`${s.sbTab} ${sbTab === "agents" ? s.active : ""}`} onClick={() => setSbTab("agents")}>Agents</button>
+                  <button data-testid="home-subtab-tasks" className={`${s.sbTab} ${sbTab === "tasks" ? s.active : ""}`} onClick={() => setSbTab("tasks")}>
+                    Tasks{userTasks.length > 0 && <span className={s.cnt}>{userTasks.length}</span>}
+                  </button>
+                  <button data-testid="home-subtab-approvals" className={`${s.sbTab} ${sbTab === "approvals" ? s.active : ""}`} onClick={() => setSbTab("approvals")}>
+                    Approvals{approvals.length > 0 && <span className={s.cnt}>{approvals.length}</span>}
+                  </button>
+                </div>
+                <div className={s.sbBody}>
+                  {sbTab === "agents" && (
+                    <>
+                      <div className={s.wsList}>
+                        {roots.length === 0 && (
+                          <div className={s.empty}>No agents yet. Ask the concierge to spin up a team.</div>
+                        )}
+                        {roots.map((r) => renderNode(r, 0))}
+                      </div>
+                      <div className={s.sbSection}>Recent activity</div>
+                      <div>
+                        {activity.length === 0 && (
+                          <div className={s.empty}>No recent activity yet.</div>
+                        )}
+                        {activity.map((a) => {
+                          const ok = a.status !== "error" && a.status !== "failed";
+                          return (
+                            <div key={a.id} className={s.act}>
+                              <span className={s.actTime}>{clockTime(a.created_at)}</span>
+                              <div className={`${s.actLine} ${ok ? s.grn : ""}`}>
+                                <div className={s.actText}>{activityText(a)}</div>
+                              </div>
+                            </div>
+                          );
+                        })}
+                      </div>
+                    </>
+                  )}
+                  {sbTab === "tasks" && (
+                    <>
+                      {userTasks.length === 0 && (
+                        <div className={s.empty}>Nothing needs you right now. When an agent needs you to do something, it shows up here.</div>
+                      )}
+                      {userTasks.map((t) => (
+                        <div key={t.id} className={s.task}>
+                          <div className={s.taskRow}>
+                            <div className={`${s.taskIc} ${s.run}`}><IcClock /></div>
+                            <div className={s.taskMeta}>
+                              <div className={s.taskT}>{t.title}</div>
+                              <div className={s.taskS}>
+                                {t.workspace_name}<span className={s.pip} />asked {clockTime(t.created_at)}
+                              </div>
+                              {t.detail && (
+                                <div style={{ fontSize: 12, color: "var(--tx-3)", marginTop: 6, lineHeight: 1.45 }}>
+                                  {t.detail}
+                                </div>
+                              )}
+                            </div>
+                          </div>
+                          <div className={s.taskActions}>
+                            <button className={`${s.tbtn} ${s.done}`} disabled={resolving === t.id} onClick={() => resolveTask(t, "done")}>
+                              <IcCheck />Done
+                            </button>
+                            <button className={s.tbtn} disabled={resolving === t.id} onClick={() => resolveTask(t, "dismissed")}>
+                              Dismiss
+                            </button>
+                          </div>
+                        </div>
+                      ))}
+                    </>
+                  )}
+                  {sbTab === "approvals" && (
+                    <>
+                      {approvals.length === 0 && (
+                        <div className={s.empty}>No pending approvals. Destructive actions await sign-off here.</div>
+                      )}
+                      {approvals.map((a) => (
+                        <div key={a.id} className={s.apprCard} style={{ marginBottom: 7 }}>
+                          <div className={s.apprRow}>
+                            <div className={s.apprIc}><IcTrash /></div>
+                            <div className={s.apprMeta}>
+                              <div className={s.apprT}>{a.action.replace(/_/g, " ")} <code>{a.workspace_name}</code></div>
+                              <div className={s.apprS}>{a.reason || "destructive"}</div>
+                            </div>
+                          </div>
+                          <div className={s.apprActions}>
+                            <button className={`${s.btn} ${s.approve} ${s.flex}`} disabled={deciding === a.id} onClick={() => decide(a, "approved")}>
+                              {deciding === a.id ? "…" : "Approve"}
+                            </button>
+                            <button className={`${s.btn} ${s.deny} ${s.flex}`} disabled={deciding === a.id} onClick={() => decide(a, "denied")}>
+                              {deciding === a.id ? "…" : "Deny"}
+                            </button>
+                          </div>
+                        </div>
+                      ))}
+                    </>
+                  )}
+                </div>
+              </aside>
+
+              {/* CHAT — reuses the EXACT canonical chat the Org-map SidePanel
+                  renders (My Chat / Agent Comms sub-tabs, attachments, history,
+                  delivery-mode handling), pointed at the platform agent. A thin
+                  concierge-styled header keeps the Home look; the ChatTab body
+                  below is identical to the map path so features can't drift. */}
+              {platformId && platformRoot ? (
+                <section className={s.chat}>
+                  <div className={s.chatHead}>
+                    <div className={s.chAv}><IcChat /></div>
+                    <div className={s.chMeta}>
+                      <div className={s.chTitle}>{platformRoot.data.name ?? "Org Concierge"}</div>
+                      <div className={s.chSub}>
+                        {(() => {
+                          const online =
+                            platformRoot.data.status === "online" ||
+                            platformRoot.data.status === "degraded";
+                          return (
+                            <>
+                              <span
+                                className={s.sdot}
+                                style={{ background: online ? "var(--green)" : "var(--grey)" }}
+                              />
+                              {online ? "online" : statusInfo(platformRoot.data.status ?? "").label} · platform agent
+                            </>
+                          );
+                        })()}
+                      </div>
+                    </div>
+                  </div>
+                  <div className={s.embedChat}>
+                    <ChatTab key={platformId} workspaceId={platformId} data={platformRoot.data} />
+                  </div>
+                </section>
+              ) : (
+                <section className={s.chat}>
+                  <div className={s.greetWrap}>
+                    <div className={s.greet}>
+                      <span className={s.stamp}>✷</span> No platform agent yet
+                    </div>
+                  </div>
+                </section>
+              )}
+            </div>
+
+            {/* ORG MAP VIEW — the live canvas */}
+            <div className={`${s.view} ${topView === "map" ? s.active : ""}`}>
+              {topView === "map" && (
+                <div className={s.canvasMount}>
+                  <main aria-label="Agent canvas" style={{ position: "absolute", inset: 0 }}>
+                    <Canvas />
+                  </main>
+                  <CommunicationOverlay />
+                </div>
+              )}
+            </div>
+
+            {/* SETTINGS VIEW */}
+            <div className={`${s.view} ${topView === "settings" ? s.active : ""}`}>
+              <div className={s.settingsScroll}>
+                <div className={s.settingsInner}>
+                  <div className={s.settingsHead}>
+                    <h1>Settings</h1>
+                    <p>
+                      Org-level settings for the platform concierge. Configure the
+                      concierge exactly like any workspace — config.yaml, plugins
+                      and skills, container/compute, display, channels, schedule
+                      and secrets — plus how it pays for model usage and org
+                      identity.
+                    </p>
+                  </div>
+
+                  {/* Two tabs instead of one long sheet: Platform agent
+                      configuration vs Org & canvas settings. Reuses the same
+                      .sbTabs purple-underline tab style as the Home sub-tabs. */}
+                  <div className={s.sbTabs} role="tablist" aria-label="Settings sections">
+                    <button
+                      type="button"
+                      role="tab"
+                      data-testid="settings-tab-platform"
+                      aria-selected={settingsTab === "platform"}
+                      className={`${s.sbTab} ${settingsTab === "platform" ? s.active : ""}`}
+                      onClick={() => setSettingsTab("platform")}
+                    >
+                      Platform agent configuration
+                    </button>
+                    <button
+                      type="button"
+                      role="tab"
+                      data-testid="settings-tab-org"
+                      aria-selected={settingsTab === "org"}
+                      className={`${s.sbTab} ${settingsTab === "org" ? s.active : ""}`}
+                      onClick={() => setSettingsTab("org")}
+                    >
+                      Org &amp; canvas settings
+                    </button>
+                  </div>
+
+                  {/* Platform agent configuration — the FULL workspace tab UI
+                      (Config, Plugins/Skills, Container, Display, Details,
+                      Activity, Terminal, Channels, Schedule, Files, Memory,
+                      Traces, Events, Audit), reusing the exact same
+                      WorkspacePanelTabs the Org-map SidePanel renders so the two
+                      surfaces can't drift. Pointed at the platform agent; the
+                      panel owns its own local active-tab state so it doesn't
+                      fight the map's node selection. */}
+                  {settingsTab === "platform" && (
+                    <div data-testid="settings-pane-platform" className={s.scard}>
+                      <div className={s.scardHead}>
+                        <div className={s.scardDesc}>
+                          Update the concierge like any workspace: its config.yaml,
+                          plugins &amp; skills, container/compute, display, channels,
+                          schedule and more.
+                        </div>
+                      </div>
+                      {platformRoot ? (
+                        <div className={s.embedPanel}>
+                          <WorkspacePanelTabs key={platformRoot.id} node={platformRoot} defaultTab="config" />
+                        </div>
+                      ) : (
+                        <div className={s.scardDesc}>
+                          No platform agent yet. Spin one up from Home to configure it.
+                        </div>
+                      )}
+                    </div>
+                  )}
+
+                  {settingsTab === "org" && (
+                    <div data-testid="settings-pane-org" className={s.scard}>
+                      <div className={s.scardHead}>
+                        <div className={s.scardDesc}>
+                          Secrets, workspace tokens, org API keys and organization
+                          identity. These also live behind the gear in the top bar.
+                        </div>
+                      </div>
+                      {platformId && (
+                        <div className={s.embedSettings}>
+                          <SettingsTabs workspaceId={platformId} />
+                        </div>
+                      )}
+                    </div>
+                  )}
+                </div>
+              </div>
+            </div>
+          </div>
+        </div>
+      </div>
+    </div>
+  );
+}
@@ -0,0 +1,50 @@
+/** MessageFlightHome — the concierge-home counterpart of MessageFlightLayer.
+ *  The home view is a vertical agent tree (not a spatial canvas), so an envelope
+ *  flies between the source and target agent ROWS. It shares the exact same
+ *  flight stream (useA2AFlights) as the canvas, and resolves endpoints from each
+ *  row's DOM rect (rows carry data-ws-id). Reduced-motion is honoured by the
+ *  shared hook (it emits no flights). */
+import { useRef } from "react";
+import { useA2AFlights, type A2AFlight } from "@/hooks/useA2AFlights";
+import { FlightEnvelope, type Point } from "../FlightEnvelope";
+
+function rowCenter(wsId: string): Point | null {
+  if (typeof document === "undefined") return null;
+  const sel =
+    typeof CSS !== "undefined" && typeof CSS.escape === "function"
+      ? CSS.escape(wsId)
+      : wsId;
+  const el = document.querySelector<HTMLElement>(`[data-ws-id="${sel}"]`);
+  if (!el) return null;
+  const r = el.getBoundingClientRect();
+  return { x: r.left + r.width / 2, y: r.top + r.height / 2 };
+}
+
+/** One flight. Captures the source/target row rects ONCE on mount (a ref, not
+ *  per-render) so a later re-render or scroll mid-flight does not restart the
+ *  animation. */
+function HomeFlight({ flight }: { flight: A2AFlight }) {
+  const pos = useRef<{ from: Point; to: Point } | null>(null);
+  if (pos.current === null) {
+    const from = rowCenter(flight.sourceId);
+    const to = rowCenter(flight.targetId);
+    if (from && to) pos.current = { from, to };
+  }
+  if (!pos.current) return null; // one or both agents not visible in the tree
+  return <FlightEnvelope from={pos.current.from} to={pos.current.to} kind={flight.kind} />;
+}
+
+export function MessageFlightHome() {
+  const flights = useA2AFlights();
+  if (flights.length === 0) return null;
+  return (
+    <div
+      aria-hidden="true"
+      style={{ position: "fixed", inset: 0, pointerEvents: "none", zIndex: 50 }}
+    >
+      {flights.map((f) => (
+        <HomeFlight key={f.key} flight={f} />
+      ))}
+    </div>
+  );
+}
@@ -0,0 +1,113 @@
+/* Inline SVG icons lifted from the Org Concierge concept (molecule-concierge-v1).
+   Stroke icons inherit currentColor; size comes from the CSS (svg{width/height}). */
+import type { SVGProps } from "react";
+
+const stroke = {
+  fill: "none",
+  stroke: "currentColor",
+  strokeWidth: 1.8,
+  strokeLinecap: "round" as const,
+  strokeLinejoin: "round" as const,
+};
+
+export const IcMolecule = (p: SVGProps<SVGSVGElement>) => (
+  <svg viewBox="0 0 24 24" fill="none" {...p}>
+    <circle cx="12" cy="5" r="2.4" fill="#fff" />
+    <circle cx="5.5" cy="16" r="2.4" fill="#fff" opacity=".85" />
+    <circle cx="18.5" cy="16" r="2.4" fill="#fff" opacity=".85" />
+    <path d="M12 7.4L6 14.2M12 7.4L18 14.2M7.6 16h8.8" stroke="#fff" strokeWidth="1.4" strokeLinecap="round" />
+  </svg>
+);
+
+export const IcChat = (p: SVGProps<SVGSVGElement>) => (
+  <svg viewBox="0 0 24 24" fill="none" {...p}>
+    <circle cx="12" cy="5" r="2.2" fill="#fff" />
+    <circle cx="5.5" cy="16" r="2.2" fill="#fff" opacity=".85" />
+    <circle cx="18.5" cy="16" r="2.2" fill="#fff" opacity=".85" />
+    <path d="M12 7.2L6 14M12 7.2L18 14M7.6 16h8.8" stroke="#fff" strokeWidth="1.3" strokeLinecap="round" />
+  </svg>
+);
+
+export const IcHome = (p: SVGProps<SVGSVGElement>) => (
+  <svg viewBox="0 0 24 24" {...stroke} {...p}><path d="M3 10.5L12 3l9 7.5" /><path d="M5 9.5V20h14V9.5" /></svg>
+);
+
+export const IcOrgMap = (p: SVGProps<SVGSVGElement>) => (
+  <svg viewBox="0 0 24 24" {...stroke} {...p}>
+    <rect x="8.5" y="3" width="7" height="6" rx="1.5" />
+    <rect x="2.5" y="15" width="6.5" height="6" rx="1.5" />
+    <rect x="15" y="15" width="6.5" height="6" rx="1.5" />
+    <path d="M12 9v3M12 12H5.75v3M12 12h6.25v3" />
+  </svg>
+);
+
+export const IcSettings = (p: SVGProps<SVGSVGElement>) => (
+  <svg viewBox="0 0 24 24" {...stroke} {...p}>
+    <circle cx="12" cy="12" r="3" />
+    <path d="M19.4 15a1.7 1.7 0 0 0 .34 1.87l.06.06a2 2 0 1 1-2.83 2.83l-.06-.06a1.7 1.7 0 0 0-1.87-.34 1.7 1.7 0 0 0-1.03 1.56V21a2 2 0 1 1-4 0v-.09A1.7 1.7 0 0 0 9 19.4a1.7 1.7 0 0 0-1.87.34l-.06.06a2 2 0 1 1-2.83-2.83l.06-.06A1.7 1.7 0 0 0 4.6 15a1.7 1.7 0 0 0-1.56-1.03H3a2 2 0 1 1 0-4h.09A1.7 1.7 0 0 0 4.6 9a1.7 1.7 0 0 0-.34-1.87l-.06-.06a2 2 0 1 1 2.83-2.83l.06.06A1.7 1.7 0 0 0 9 4.6a1.7 1.7 0 0 0 1.03-1.56V3a2 2 0 1 1 4 0v.09A1.7 1.7 0 0 0 15 4.6a1.7 1.7 0 0 0 1.87-.34l.06-.06a2 2 0 1 1 2.83 2.83l-.06.06A1.7 1.7 0 0 0 19.4 9c.13.31.4.55.73.66" />
+  </svg>
+);
+
+export const IcSearch = (p: SVGProps<SVGSVGElement>) => (
+  <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="1.8" strokeLinecap="round" {...p}><circle cx="11" cy="11" r="7" /><path d="M20 20l-3.5-3.5" /></svg>
+);
+
+export const IcBell = (p: SVGProps<SVGSVGElement>) => (
+  <svg viewBox="0 0 24 24" {...stroke} {...p}><path d="M18 8a6 6 0 1 0-12 0c0 7-3 9-3 9h18s-3-2-3-9" /><path d="M13.7 21a2 2 0 0 1-3.4 0" /></svg>
+);
+
+export const IcSun = (p: SVGProps<SVGSVGElement>) => (
+  <svg viewBox="0 0 24 24" {...stroke} {...p}><circle cx="12" cy="12" r="4.2" /><path d="M12 2v2.5M12 19.5V22M2 12h2.5M19.5 12H22M4.9 4.9l1.8 1.8M17.3 17.3l1.8 1.8M19.1 4.9l-1.8 1.8M6.7 17.3l-1.8 1.8" /></svg>
+);
+
+export const IcMoon = (p: SVGProps<SVGSVGElement>) => (
+  <svg viewBox="0 0 24 24" {...stroke} {...p}><path d="M21 12.8A9 9 0 1 1 11.2 3a7 7 0 0 0 9.8 9.8z" /></svg>
+);
+
+export const IcChevDown = (p: SVGProps<SVGSVGElement>) => (
+  <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round" {...p}><path d="M6 9l6 6 6-6" /></svg>
+);
+
+export const IcCaret = (p: SVGProps<SVGSVGElement>) => (
+  <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2.4" strokeLinecap="round" strokeLinejoin="round" {...p}><path d="M9 6l6 6-6 6" /></svg>
+);
+
+export const IcQueue = (p: SVGProps<SVGSVGElement>) => (
+  <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2.2" strokeLinecap="round" {...p}><path d="M8 6h12M8 12h12M8 18h12M4 6h.01M4 12h.01M4 18h.01" /></svg>
+);
+
+export const IcCheck = (p: SVGProps<SVGSVGElement>) => (
+  <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2.2" strokeLinecap="round" strokeLinejoin="round" {...p}><path d="M20 6L9 17l-5-5" /></svg>
+);
+
+export const IcSchedule = (p: SVGProps<SVGSVGElement>) => (
+  <svg viewBox="0 0 24 24" {...stroke} {...p}><rect x="3.5" y="4.5" width="17" height="16" rx="2.5" /><path d="M3.5 9h17M8 3v3M16 3v3" /></svg>
+);
+
+export const IcWorkspace = (p: SVGProps<SVGSVGElement>) => (
+  <svg viewBox="0 0 24 24" {...stroke} {...p}><rect x="3.5" y="3.5" width="7" height="7" rx="1.5" /><rect x="13.5" y="13.5" width="7" height="7" rx="1.5" /><path d="M13.5 7h7M7 13.5v7" /></svg>
+);
+
+export const IcWarn = (p: SVGProps<SVGSVGElement>) => (
+  <svg viewBox="0 0 24 24" {...stroke} {...p}><path d="M12 9v4M12 17h.01" /><path d="M10.3 3.9 1.8 18a2 2 0 0 0 1.7 3h17a2 2 0 0 0 1.7-3L13.7 3.9a2 2 0 0 0-3.4 0Z" /></svg>
+);
+
+export const IcSend = (p: SVGProps<SVGSVGElement>) => (
+  <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round" {...p}><path d="M5 12h14M13 6l6 6-6 6" /></svg>
+);
+
+export const IcHistory = (p: SVGProps<SVGSVGElement>) => (
+  <svg viewBox="0 0 24 24" {...stroke} {...p}><path d="M3 12a9 9 0 1 0 3-6.7L3 8" /><path d="M3 4v4h4M12 8v4l3 2" /></svg>
+);
+
+export const IcDots = (p: SVGProps<SVGSVGElement>) => (
+  <svg viewBox="0 0 24 24" fill="currentColor" {...p}><circle cx="5" cy="12" r="1.6" /><circle cx="12" cy="12" r="1.6" /><circle cx="19" cy="12" r="1.6" /></svg>
+);
+
+export const IcClock = (p: SVGProps<SVGSVGElement>) => (
+  <svg viewBox="0 0 24 24" {...stroke} {...p}><path d="M12 7v5l3 2" /><circle cx="12" cy="12" r="9" /></svg>
+);
+
+export const IcTrash = (p: SVGProps<SVGSVGElement>) => (
+  <svg viewBox="0 0 24 24" {...stroke} {...p}><path d="M3 6h18M8 6V4h8v2M19 6l-1 14H6L5 6M10 11v5M14 11v5" /></svg>
+);
@@ -120,7 +120,7 @@ export { usePalette } from "./palette-context";
 // References the CSS variables that next/font/google emits in
 // app/layout.tsx. Falls through to system fonts if the variable is
 // undefined (e.g. in unit tests with no <body> font class).
-export const MOBILE_FONT_SANS = "var(--font-inter), 'Inter', ui-sans-serif, system-ui, sans-serif";
+export const MOBILE_FONT_SANS = "var(--font-hanken), 'Hanken Grotesk', ui-sans-serif, system-ui, sans-serif";
 export const MOBILE_FONT_MONO = "var(--font-jetbrains), 'JetBrains Mono', ui-monospace, monospace";

 // Status keys we surface in the mobile UI. Anything else from the
@@ -15,12 +15,21 @@ import { Spinner } from '@/components/Spinner';
 * currently-active org, plus a switcher list when the user belongs to
 * multiple orgs.
 *
- * Data path:
+ * Data path (SaaS — control plane present):
 *   1. fetchSession() → /cp/auth/me → current org_id
 *   2. api.get('/cp/orgs') → list of all orgs the user belongs to
 *   3. Match by id === session.org_id; fall back to host-slug match
 *      if the session probe loses the race.
 *
+ * Data path (self-host — NO control plane):
+ *   /cp/orgs is a control-plane route that does not exist on a self-hosted
+ *   stack, so it 404s. When that probe fails we fall back to the open
+ *   GET /org/identity route (served by the tenant workspace-server in both
+ *   modes) and render a single org card from name + slug + org_id. On a
+ *   fresh self-host only `name` is populated (MOLECULE_ORG_SLUG /
+ *   MOLECULE_ORG_ID are unset) — the card omits the empty rows and shows
+ *   no error and no "other organizations" list.
+ *
 * Read-only — this tab never mutates. Org creation/switching lives at
 * /orgs (the post-signup landing page).
 */
@@ -36,25 +45,50 @@ interface Org {
 // for the same defensive unwrap.
 type OrgsResponse = Org[] | { orgs?: Org[] };

+// GET /org/identity (self-host fallback) — open route on the tenant
+// workspace-server. slug/org_id are "" on a fresh self-host.
+interface OrgIdentity {
+  name?: string;
+  slug?: string;
+  org_id?: string;
+}
+
 export function OrgInfoTab() {
  const [orgs, setOrgs] = useState<Org[] | null>(null);
  const [session, setSession] = useState<Session | null>(null);
+  // selfHostOrg is set only when /cp/orgs is unavailable (self-host) and the
+  // /org/identity fallback yields an org. When non-null we render exactly one
+  // card from it and never show the "other organizations" list or an error.
+  const [selfHostOrg, setSelfHostOrg] = useState<Org | null>(null);
  const [error, setError] = useState<string | null>(null);
  const [loading, setLoading] = useState(true);

  useEffect(() => {
    let cancelled = false;
    (async () => {
+      const sess = await fetchSession().catch(() => null);
+      if (cancelled) return;
+      setSession(sess);
      try {
-        const [sess, body] = await Promise.all([
-          fetchSession().catch(() => null),
-          api.get<OrgsResponse>('/cp/orgs'),
-        ]);
+        const body = await api.get<OrgsResponse>('/cp/orgs');
        if (cancelled) return;
-        setSession(sess);
        setOrgs(Array.isArray(body) ? body : body.orgs ?? []);
-      } catch (e) {
-        if (!cancelled) setError(e instanceof Error ? e.message : 'Failed to load org info');
+      } catch {
+        // /cp/orgs is a control-plane route — absent on a self-hosted stack
+        // (404 / network error). Fall back to the open /org/identity route on
+        // the tenant server instead of surfacing a red error banner.
+        try {
+          const id = await api.get<OrgIdentity>('/org/identity');
+          if (cancelled) return;
+          setSelfHostOrg({
+            id: id.org_id ?? '',
+            slug: id.slug ?? '',
+            name: id.name ?? '',
+          });
+        } catch (e2) {
+          if (!cancelled)
+            setError(e2 instanceof Error ? e2.message : 'Failed to load org info');
+        }
      } finally {
        if (!cancelled) setLoading(false);
      }
@@ -66,10 +100,14 @@ export function OrgInfoTab() {

  const tenantSlug = getTenantSlug();
  const currentOrg =
+    selfHostOrg ??
    orgs?.find((o) => session && o.id === session.org_id) ??
    orgs?.find((o) => tenantSlug && o.slug === tenantSlug) ??
    null;
-  const otherOrgs = orgs?.filter((o) => o.id !== currentOrg?.id) ?? [];
+  // Self-host renders a single org only — no "other organizations" list.
+  const otherOrgs = selfHostOrg
+    ? []
+    : orgs?.filter((o) => o.id !== currentOrg?.id) ?? [];

  if (loading) {
    return (
@@ -127,21 +165,25 @@ export function OrgInfoTab() {
 }

 function OrgIdentityCard({ org, highlighted }: { org: Org; highlighted?: boolean }) {
+  // On self-host, slug / UUID may be unconfigured ("") — omit those rows
+  // gracefully rather than rendering an empty code box.
  return (
    <div
      className={`rounded-lg border p-3 space-y-2 ${
        highlighted ? 'border-accent/40 bg-accent-strong/5' : 'border-line/40 bg-surface-card/40'
      }`}
-      data-testid={`org-card-${org.slug}`}
+      data-testid={`org-card-${org.slug || org.id || 'self-host'}`}
    >
      <div className="flex items-baseline justify-between gap-2">
-        <span className="text-[12px] font-medium text-ink truncate">{org.name}</span>
+        <span className="text-[12px] font-medium text-ink truncate">
+          {org.name || 'This organization'}
+        </span>
        {org.status && (
          <span className="text-[9px] text-ink-mid uppercase tracking-wider shrink-0">{org.status}</span>
        )}
      </div>
-      <IdentityRow label="Slug" value={org.slug} />
-      <IdentityRow label="UUID" value={org.id} mono />
+      {org.slug && <IdentityRow label="Slug" value={org.slug} />}
+      {org.id && <IdentityRow label="UUID" value={org.id} mono />}
    </div>
  );
 }
@@ -2,13 +2,9 @@

 import { createRef, useCallback, useEffect, useState } from 'react';
 import * as Dialog from '@radix-ui/react-dialog';
-import * as Tabs from '@radix-ui/react-tabs';
 import { useSecretsStore } from '@/stores/secrets-store';
 import { useKeyboardShortcut } from '@/hooks/use-keyboard-shortcut';
-import { SecretsTab } from './SecretsTab';
-import { TokensTab } from './TokensTab';
-import { OrgTokensTab } from './OrgTokensTab';
-import { OrgInfoTab } from './OrgInfoTab';
+import { SettingsTabs } from './SettingsTabs';
 import { UnsavedChangesGuard } from './UnsavedChangesGuard';

 /** Module-level ref so TopBar's SettingsButton can receive focus back on close. */
@@ -106,38 +102,7 @@ export function SettingsPanel({ workspaceId }: SettingsPanelProps) {
              </Dialog.Close>
            </div>

-            <Tabs.Root defaultValue="api-keys">
-              <Tabs.List className="settings-panel__tabs" aria-label="Settings sections">
-                <Tabs.Trigger value="api-keys" className="settings-panel__tab">
-                  Secrets
-                </Tabs.Trigger>
-                <Tabs.Trigger value="tokens" className="settings-panel__tab">
-                  Workspace Tokens
-                </Tabs.Trigger>
-                <Tabs.Trigger value="org-tokens" className="settings-panel__tab">
-                  Org API Keys
-                </Tabs.Trigger>
-                <Tabs.Trigger value="org-info" className="settings-panel__tab">
-                  Organization
-                </Tabs.Trigger>
-              </Tabs.List>
-
-              <Tabs.Content value="api-keys" className="settings-panel__content">
-                <SecretsTab workspaceId={workspaceId} />
-              </Tabs.Content>
-
-              <Tabs.Content value="tokens" className="settings-panel__content">
-                <TokensTab workspaceId={workspaceId} />
-              </Tabs.Content>
-
-              <Tabs.Content value="org-tokens" className="settings-panel__content">
-                <OrgTokensTab />
-              </Tabs.Content>
-
-              <Tabs.Content value="org-info" className="settings-panel__content">
-                <OrgInfoTab />
-              </Tabs.Content>
-            </Tabs.Root>
+            <SettingsTabs workspaceId={workspaceId} />

            <div className="settings-panel__footer">
              <span className="settings-panel__shortcut-hint">
@@ -0,0 +1,60 @@
+'use client';
+
+import * as Tabs from '@radix-ui/react-tabs';
+import { SecretsTab } from './SecretsTab';
+import { TokensTab } from './TokensTab';
+import { OrgTokensTab } from './OrgTokensTab';
+import { OrgInfoTab } from './OrgInfoTab';
+
+interface SettingsTabsProps {
+  workspaceId: string;
+}
+
+/**
+ * The tabbed body of the workspace settings surface — Secrets, Workspace
+ * Tokens, Org API Keys, Organization.
+ *
+ * Extracted from SettingsPanel so the same content can render in two
+ * places without duplication:
+ *   1. The right-anchored slide-over drawer (the gear popover) — SettingsPanel.
+ *   2. The concierge Settings view (embedded inline) — ConciergeShell.
+ *
+ * Pure presentation of the four tabs; all dirty-form / unsaved-guard /
+ * keyboard-shortcut wiring stays in SettingsPanel where the popover owns it.
+ */
+export function SettingsTabs({ workspaceId }: SettingsTabsProps) {
+  return (
+    <Tabs.Root defaultValue="api-keys">
+      <Tabs.List className="settings-panel__tabs" aria-label="Settings sections">
+        <Tabs.Trigger value="api-keys" className="settings-panel__tab">
+          Secrets
+        </Tabs.Trigger>
+        <Tabs.Trigger value="tokens" className="settings-panel__tab">
+          Workspace Tokens
+        </Tabs.Trigger>
+        <Tabs.Trigger value="org-tokens" className="settings-panel__tab">
+          Org API Keys
+        </Tabs.Trigger>
+        <Tabs.Trigger value="org-info" className="settings-panel__tab">
+          Organization
+        </Tabs.Trigger>
+      </Tabs.List>
+
+      <Tabs.Content value="api-keys" className="settings-panel__content">
+        <SecretsTab workspaceId={workspaceId} />
+      </Tabs.Content>
+
+      <Tabs.Content value="tokens" className="settings-panel__content">
+        <TokensTab workspaceId={workspaceId} />
+      </Tabs.Content>
+
+      <Tabs.Content value="org-tokens" className="settings-panel__content">
+        <OrgTokensTab />
+      </Tabs.Content>
+
+      <Tabs.Content value="org-info" className="settings-panel__content">
+        <OrgInfoTab />
+      </Tabs.Content>
+    </Tabs.Root>
+  );
+}
@@ -9,7 +9,9 @@
 *   - Copy button writes the UUID to navigator.clipboard
 *   - Falls back to host-slug match when session lookup fails
 *   - Lists other orgs when user belongs to multiple
- *   - Error banner when /cp/orgs throws
+ *   - Self-host fallback: /cp/orgs 404 → /org/identity single-org card (no error)
+ *   - Self-host fallback with only a name (slug/org_id unset) — omits empty rows
+ *   - Error banner only when BOTH /cp/orgs AND /org/identity fail
 *   - Empty/no-match state renders the recovery hint, not a crash
 */
 import React from "react";
@@ -180,12 +182,69 @@ describe("OrgInfoTab — fallbacks", () => {
  });
 });

+// ─── Self-host fallback: /cp/orgs absent → /org/identity ─────────────────────
+
+describe("OrgInfoTab — self-host fallback", () => {
+  it("renders a single org card from /org/identity when /cp/orgs 404s", async () => {
+    mockFetchSession.mockResolvedValue(null);
+    mockGet.mockImplementation((path: string) => {
+      if (path === "/cp/orgs")
+        return Promise.reject(new Error("API GET /cp/orgs: 404 page not found"));
+      if (path === "/org/identity")
+        return Promise.resolve({
+          name: "Molecule AI",
+          slug: "molecule-ai",
+          org_id: "abc-123",
+        });
+      return Promise.reject(new Error(`unexpected path ${path}`));
+    });
+
+    render(<OrgInfoTab />);
+    await flush();
+    await waitFor(() => screen.getByText("Current Organization"));
+
+    // Single card from /org/identity — name + slug + UUID, no error banner.
+    expect(screen.getByText("Molecule AI")).toBeTruthy();
+    expect(screen.getByText("molecule-ai")).toBeTruthy();
+    expect(screen.getByText("abc-123")).toBeTruthy();
+    // No "other organizations" list and no error.
+    expect(screen.queryByText(/Your other organizations/)).toBeNull();
+    expect(screen.queryByText(/404/)).toBeNull();
+  });
+
+  it("renders only the name when slug/org_id are unset (fresh self-host)", async () => {
+    mockFetchSession.mockResolvedValue(null);
+    mockGet.mockImplementation((path: string) => {
+      if (path === "/cp/orgs")
+        return Promise.reject(new Error("API GET /cp/orgs: 404 page not found"));
+      if (path === "/org/identity")
+        return Promise.resolve({ name: "Molecule AI", slug: "", org_id: "" });
+      return Promise.reject(new Error(`unexpected path ${path}`));
+    });
+
+    render(<OrgInfoTab />);
+    await flush();
+    await waitFor(() => screen.getByText("Current Organization"));
+
+    expect(screen.getByText("Molecule AI")).toBeTruthy();
+    // Empty slug/UUID rows omitted — no copy buttons rendered.
+    expect(screen.queryByRole("button", { name: /Copy Slug/i })).toBeNull();
+    expect(screen.queryByRole("button", { name: /Copy UUID/i })).toBeNull();
+  });
+});
+
 // ─── Error + empty handling ──────────────────────────────────────────────────

 describe("OrgInfoTab — error + empty", () => {
-  it("renders an error banner when /cp/orgs throws", async () => {
+  it("renders an error banner only when BOTH /cp/orgs and /org/identity fail", async () => {
    mockFetchSession.mockResolvedValue(null);
-    mockGet.mockRejectedValue(new Error("API GET /cp/orgs: 500 boom"));
+    mockGet.mockImplementation((path: string) => {
+      if (path === "/cp/orgs")
+        return Promise.reject(new Error("API GET /cp/orgs: 404 page not found"));
+      if (path === "/org/identity")
+        return Promise.reject(new Error("API GET /org/identity: 500 boom"));
+      return Promise.reject(new Error(`unexpected path ${path}`));
+    });

    render(<OrgInfoTab />);
    await flush();
@@ -193,10 +252,14 @@ describe("OrgInfoTab — error + empty", () => {
    expect(screen.queryByText("Current Organization")).toBeNull();
  });

-  it("renders the recovery hint when no org matches (no crash)", async () => {
+  it("renders the recovery hint when /cp/orgs returns an empty list (no crash)", async () => {
    mockFetchSession.mockResolvedValue(null);
    mockGetTenantSlug.mockReturnValue("");
-    mockGet.mockResolvedValue([]);
+    mockGet.mockImplementation((path: string) =>
+      path === "/cp/orgs"
+        ? Promise.resolve([])
+        : Promise.reject(new Error(`unexpected path ${path}`)),
+    );

    render(<OrgInfoTab />);
    await flush();
@@ -1,4 +1,5 @@
 export { SettingsPanel } from './SettingsPanel';
+export { SettingsTabs } from './SettingsTabs';
 export { SettingsButton } from './SettingsButton';
 export { SecretsTab } from './SecretsTab';
 export { SecretRow } from './SecretRow';
@@ -13,6 +13,7 @@ import {
  buildProviderCatalog,
  buildProviderCatalogFromRegistry,
  findProviderForModel,
+  isPlatformManagedProvider,
  type SelectorValue,
  type ProviderEntry,
  type RegistryProvider,
@@ -682,6 +683,9 @@ export function ConfigTab({ workspaceId }: Props) {
            name: m.name,
            // carry the derived provider so the selector buckets correctly
            ...(m.provider ? { provider: m.provider } : {}),
+            // carry required_env so wasTemplateDriven can detect
+            // template-driven env lists for registry-backed runtimes
+            ...(m.required_env ? { required_env: m.required_env } : {}),
          }))
        : availableModels,
    [registryBacked, selectedRuntime?.registryModels, availableModels],
@@ -1017,6 +1021,15 @@ export function ConfigTab({ workspaceId }: Props) {
                  // top-level model. required_env follows the selected
                  // provider's envVars when the existing required_env
                  // was template-driven (don't clobber user-typed envs).
+                  //
+                  // #2248: suppress provisioner-injected internal tokens
+                  // (MOLECULE_LLM_USAGE_TOKEN) for platform-managed providers
+                  // so the user can't clobber them.
+                  const selectedEntry = providerCatalog.find((p) => p.id === next.providerId);
+                  const isPlatformManaged = selectedEntry ? isPlatformManagedProvider(selectedEntry) : false;
+                  const filteredEnvVars = isPlatformManaged
+                    ? next.envVars.filter((k) => k !== "MOLECULE_LLM_USAGE_TOKEN")
+                    : next.envVars;
                  setConfig((prev) => {
                    const v = next.model;
                    const prevModelId = prev.runtime_config?.model || prev.model || "";
@@ -1029,8 +1042,8 @@ export function ConfigTab({ workspaceId }: Props) {
                          prevRequired.every((e, i) => e === prevSpec.required_env![i])
                        : false);
                    const nextRequired =
-                      next.envVars.length > 0 && wasTemplateDriven
-                        ? next.envVars
+                      wasTemplateDriven
+                        ? filteredEnvVars
                        : prevRequired;
                    if (prev.runtime) {
                      return {
@@ -1038,7 +1051,7 @@ export function ConfigTab({ workspaceId }: Props) {
                        runtime_config: {
                          ...prev.runtime_config,
                          model: v,
-                          ...(next.envVars.length > 0 && wasTemplateDriven
+                          ...(wasTemplateDriven
                            ? { required_env: nextRequired }
                            : {}),
                        },
@@ -3,13 +3,36 @@
 import { useEffect, useMemo, useState } from "react";
 import { api } from "@/lib/api";
 import { runtimeDisplayName } from "@/lib/runtime-names";
+import { isSaaSTenant } from "@/lib/tenant";
 import { useCanvasStore, type WorkspaceNodeData } from "@/store/canvas";
 import type { WorkspaceCompute } from "@/store/socket";

-const INSTANCE_TYPES = ["t3.medium", "t3.large", "t3.xlarge", "t3.2xlarge", "m6i.large", "m6i.xlarge", "c6i.xlarge"];
+// Machine sizes keyed by cloud provider — an AWS t3.* is meaningless on Hetzner,
+// etc. MUST mirror the workspace-server workspaceComputeInstanceAllowlist (which
+// mirrors the CP provider configs); the PATCH validation rejects a mismatch 400.
+const INSTANCE_TYPES_BY_PROVIDER: Record<string, string[]> = {
+  aws: ["t3.medium", "t3.large", "t3.xlarge", "t3.2xlarge", "m6i.large", "m6i.xlarge", "c6i.xlarge"],
+  hetzner: ["cpx11", "cpx21", "cpx31", "cpx41", "cpx51", "cax11", "cax21", "cax31", "cax41"],
+  gcp: ["e2-small", "e2-medium", "e2-standard-2", "e2-standard-4", "e2-standard-8"],
+};
+const DEFAULT_INSTANCE_BY_PROVIDER: Record<string, string> = {
+  aws: "t3.medium", hetzner: "cpx31", gcp: "e2-standard-2",
+};
+const normalizeProvider = (p?: string): string => (p === "gcp" || p === "hetzner" ? p : "aws");
+const instanceTypesForProvider = (p?: string): string[] =>
+  INSTANCE_TYPES_BY_PROVIDER[normalizeProvider(p)] ?? INSTANCE_TYPES_BY_PROVIDER.aws;
+const defaultInstanceForProvider = (p?: string): string =>
+  DEFAULT_INSTANCE_BY_PROVIDER[normalizeProvider(p)] ?? "t3.medium";
+
+// Editable cloud-provider options (multi-provider RFC) — mirrors CreateWorkspaceDialog.
+const CLOUD_PROVIDER_OPTIONS = [
+  { value: "aws", label: "AWS (default)" },
+  { value: "gcp", label: "GCP" },
+  { value: "hetzner", label: "Hetzner" },
+];
+
 const RUNTIME_OPTIONS = ["claude-code", "codex", "hermes", "openclaw", "kimi", "kimi-cli", "external"];
 const RESOLUTIONS = ["1280x720", "1440x900", "1920x1080", "2560x1440"];
-const DEFAULT_HEADLESS_INSTANCE_TYPE = "t3.medium";
 const DEFAULT_HEADLESS_ROOT_GB = 30;

 type Props = {
@@ -23,6 +46,7 @@ type Props = {

 type FormState = {
  runtime: string;
+  provider: string; // cloud backend; editable in SaaS (in-place switch recreates the box)
  instanceType: string;
  rootGB: string;
  displayEnabled: boolean;
@@ -38,8 +62,16 @@ const DATA_PERSISTENCE_OPTIONS = ["", "persist", "ephemeral"];
 const dataPersistenceLabel = (v: string): string =>
  v === "persist" ? "Always keep (persist)" : v === "ephemeral" ? "Don't keep (ephemeral)" : "Auto";

+// Cloud/compute backend display name (read-only fallback for non-SaaS / legacy).
+const cloudProviderLabel = (v: string | undefined): string =>
+  v === "gcp" ? "GCP" : v === "hetzner" ? "Hetzner" : "AWS";
+
 export function ContainerConfigTab({ workspaceId, data }: Props) {
+  // Provider is editable only in SaaS (CP-provisioned boxes). Local/Docker has no
+  // cloud-provider concept, so we keep the read-only badge there.
+  const isSaaS = useMemo(() => isSaaSTenant(), []);
  const runtime = data.runtime;
+  const provider = data.compute?.provider;
  const instanceType = data.compute?.instance_type;
  const rootGB = data.compute?.volume?.root_gb;
  const displayMode = data.compute?.display?.mode;
@@ -48,8 +80,8 @@ export function ContainerConfigTab({ workspaceId, data }: Props) {
  const displayHeight = data.compute?.display?.height;
  const dataPersistence = data.compute?.data_persistence;
  const initial = useMemo(
-    () => formFromData({ runtime, instanceType, rootGB, displayMode, displayProtocol, displayWidth, displayHeight, dataPersistence }),
-    [runtime, instanceType, rootGB, displayMode, displayProtocol, displayWidth, displayHeight, dataPersistence],
+    () => formFromData({ runtime, provider, instanceType, rootGB, displayMode, displayProtocol, displayWidth, displayHeight, dataPersistence }),
+    [runtime, provider, instanceType, rootGB, displayMode, displayProtocol, displayWidth, displayHeight, dataPersistence],
  );
  const [form, setForm] = useState<FormState>(initial);
  const [saving, setSaving] = useState(false);
@@ -79,6 +111,21 @@ export function ContainerConfigTab({ workspaceId, data }: Props) {
    try {
      let applyTemplateOnRestart = data.applyTemplateOnRestart ?? false;
      if (dirty) {
+        // In-place cloud switch is DESTRUCTIVE: changing the provider recreates the
+        // box on the new cloud (the workspace-server deprovisions the old box on
+        // its old cloud first, then the restart provisions on the new one). Confirm
+        // before doing it — the current box and any non-persisted state are lost.
+        const providerChanged = normalizeProvider(form.provider) !== normalizeProvider(initial.provider);
+        if (providerChanged && typeof window !== "undefined") {
+          const ok = window.confirm(
+            `Switch this workspace to ${cloudProviderLabel(form.provider)}? This RECREATES the box on the new cloud — the current box and any non-persisted state are replaced.`,
+          );
+          if (!ok) {
+            setSaving(false);
+            return;
+          }
+        }
+
        const rootGB = parseInt(form.rootGB, 10);
        if (!Number.isFinite(rootGB)) {
          setError("Root volume must be a number");
@@ -94,6 +141,11 @@ export function ContainerConfigTab({ workspaceId, data }: Props) {
            : { mode: "none" },
          // internal#734: omit when "auto" so the wire/default behavior is unchanged.
          ...(form.dataPersistence ? { data_persistence: form.dataPersistence } : {}),
+          // Cloud backend: send the (possibly switched) provider. Omit for the
+          // default (aws) so a non-switching AWS save keeps the wire unchanged;
+          // a switch TO aws (omit) vs FROM aws (explicit) both register correctly
+          // because the workspace-server normalizes ""→aws when diffing.
+          ...(normalizeProvider(form.provider) !== "aws" ? { provider: normalizeProvider(form.provider) } : {}),
        };

        const resp = await api.patch<{ needs_restart?: boolean }>(`/workspaces/${workspaceId}`, {
@@ -126,7 +178,19 @@ export function ContainerConfigTab({ workspaceId, data }: Props) {
    <div className="p-4 space-y-4">
      <section className="rounded-lg border border-line/50 bg-surface-card/40 p-4">
        <div className="mb-3 flex items-center justify-between gap-3">
-          <h3 className="text-sm font-semibold text-ink">Container Config</h3>
+          <div className="flex items-center gap-2">
+            <h3 className="text-sm font-semibold text-ink">Container Config</h3>
+            {/* Non-SaaS (local/Docker) has no cloud-provider concept → read-only
+                badge. In SaaS the provider is an editable selector in the form. */}
+            {!isSaaS && (
+              <span
+                title="Cloud provider for this workspace's compute"
+                className="rounded-full border border-line/60 bg-surface-sunken px-2 py-0.5 font-mono text-[10px] uppercase tracking-wide text-ink-mid"
+              >
+                {cloudProviderLabel(provider)}
+              </span>
+            )}
+          </div>
          {data.needsRestart && <span className="text-[11px] text-warm">Restart required</span>}
        </div>

@@ -139,11 +203,32 @@ export function ContainerConfigTab({ workspaceId, data }: Props) {
            optionLabel={runtimeDisplayName}
            onChange={(runtime) => setForm((s) => ({ ...s, runtime }))}
          />
+          {isSaaS && (
+            <SelectField
+              id="cloud-provider"
+              label="Cloud provider"
+              value={normalizeProvider(form.provider)}
+              options={CLOUD_PROVIDER_OPTIONS.map((p) => p.value)}
+              optionLabel={(v) => CLOUD_PROVIDER_OPTIONS.find((p) => p.value === v)?.label ?? v}
+              // Switching cloud resets the instance type to the new provider's
+              // default (an AWS t3.* is invalid on Hetzner, etc.) — also keeps the
+              // instance-type dropdown below in sync with the provider's sizes.
+              onChange={(provider) =>
+                setForm((s) => ({
+                  ...s,
+                  provider,
+                  instanceType: instanceTypesForProvider(provider).includes(s.instanceType)
+                    ? s.instanceType
+                    : defaultInstanceForProvider(provider),
+                }))
+              }
+            />
+          )}
          <SelectField
            id="instance-type"
            label="Instance type"
            value={form.instanceType}
-            options={INSTANCE_TYPES}
+            options={instanceTypesForProvider(form.provider)}
            onChange={(instanceType) => setForm((s) => ({ ...s, instanceType }))}
          />
          <label className="grid gap-1" htmlFor="root-volume-gb">
@@ -247,6 +332,7 @@ export function ContainerConfigTab({ workspaceId, data }: Props) {

 function formFromData(data: {
  runtime?: string;
+  provider?: string;
  instanceType?: string;
  rootGB?: number;
  displayMode?: string;
@@ -258,9 +344,11 @@ function formFromData(data: {
  const width = data.displayWidth ?? 1920;
  const height = data.displayHeight ?? 1080;
  const resolution = `${width}x${height}`;
+  const provider = normalizeProvider(data.provider);
  return {
    runtime: data.runtime || "claude-code",
-    instanceType: data.instanceType || DEFAULT_HEADLESS_INSTANCE_TYPE,
+    provider,
+    instanceType: data.instanceType || defaultInstanceForProvider(provider),
    rootGB: String(data.rootGB || DEFAULT_HEADLESS_ROOT_GB),
    displayEnabled: !!data.displayMode && data.displayMode !== "none",
    displayMode: data.displayMode && data.displayMode !== "none" ? data.displayMode : "desktop-control",
@@ -0,0 +1,229 @@
+// @vitest-environment jsdom
+//
+// Regression tests for #2248 — platform-managed provider credential suppression
+// in ConfigTab.
+//
+// Covers:
+//  - required_env is cleared to [] when switching to a platform-managed provider
+//    whose only declared env var is MOLECULE_LLM_USAGE_TOKEN (single-token case).
+//  - required_env preserves non-internal tokens for BYOK providers.
+
+import { describe, it, expect, vi, afterEach, beforeEach } from "vitest";
+import { render, screen, cleanup, waitFor, fireEvent } from "@testing-library/react";
+import React from "react";
+
+afterEach(cleanup);
+
+const apiGet = vi.fn();
+const apiPatch = vi.fn();
+const apiPut = vi.fn();
+vi.mock("@/lib/api", () => ({
+  api: {
+    get: (path: string) => apiGet(path),
+    patch: (path: string, body: unknown) => apiPatch(path, body),
+    put: (path: string, body: unknown) => apiPut(path, body),
+    post: vi.fn(),
+    del: vi.fn(),
+  },
+}));
+
+vi.mock("@/store/canvas", () => ({
+  useCanvasStore: Object.assign(
+    (selector: (s: unknown) => unknown) =>
+      selector({ restartWorkspace: vi.fn(), updateNodeData: vi.fn() }),
+    { getState: () => ({ restartWorkspace: vi.fn(), updateNodeData: vi.fn() }) },
+  ),
+}));
+
+vi.mock("../AgentCardSection", () => ({
+  AgentCardSection: () => <div data-testid="agent-card-stub" />,
+}));
+
+import { ConfigTab } from "../ConfigTab";
+
+function wireApi(opts: {
+  workspaceRuntime?: string;
+  workspaceModel?: string;
+  configYamlContent?: string | null;
+  templates?: Array<{
+    id: string;
+    name?: string;
+    runtime?: string;
+    models?: unknown[];
+    registry_backed?: boolean;
+    registry_providers?: unknown[];
+    registry_models?: unknown[];
+  }>;
+}) {
+  apiGet.mockImplementation((path: string) => {
+    if (path === `/workspaces/ws-test`) {
+      return Promise.resolve({ runtime: opts.workspaceRuntime ?? "" });
+    }
+    if (path === `/workspaces/ws-test/model`) {
+      return Promise.resolve({ model: opts.workspaceModel ?? "" });
+    }
+    if (path === `/workspaces/ws-test/files/config.yaml`) {
+      if (opts.configYamlContent === null) {
+        return Promise.reject(new Error("not found"));
+      }
+      return Promise.resolve({ content: opts.configYamlContent ?? "" });
+    }
+    if (path === "/templates") {
+      return Promise.resolve(opts.templates ?? []);
+    }
+    return Promise.reject(new Error(`unmocked api.get: ${path}`));
+  });
+}
+
+beforeEach(() => {
+  apiGet.mockReset();
+  apiPatch.mockReset();
+  apiPut.mockReset();
+});
+
+describe("ConfigTab — platform-managed credential suppression (#2248)", () => {
+  it("clears required_env to [] when switching to a single-token platform-managed provider", async () => {
+    // Setup: workspace currently has a BYOK provider selected with both keys.
+    // The user switches to a platform-managed provider whose ONLY auth_env
+    // is MOLECULE_LLM_USAGE_TOKEN. After filtering, envVars becomes [];
+    // wasTemplateDriven must still overwrite required_env with [] so the
+    // old MOLECULE_LLM_USAGE_TOKEN requirement does not linger.
+    wireApi({
+      workspaceRuntime: "claude-code",
+      workspaceModel: "byok-sonnet",
+      configYamlContent: [
+        "runtime: claude-code",
+        "runtime_config:",
+        "  model: byok-sonnet",
+        "  required_env:",
+        "    - ANTHROPIC_API_KEY",
+        "    - MOLECULE_LLM_USAGE_TOKEN",
+      ].join("\n"),
+      templates: [
+        {
+          id: "t-claude-code",
+          name: "Claude Code",
+          runtime: "claude-code",
+          models: [],
+          registry_backed: true,
+          registry_providers: [
+            {
+              name: "anthropic",
+              display_name: "BYOK Anthropic",
+              auth_env: ["ANTHROPIC_API_KEY", "MOLECULE_LLM_USAGE_TOKEN"],
+              billing_mode: "byok",
+            },
+            {
+              name: "platform",
+              display_name: "Platform Anthropic",
+              auth_env: ["MOLECULE_LLM_USAGE_TOKEN"],
+              billing_mode: "platform_managed",
+            },
+          ],
+          registry_models: [
+            { id: "byok-sonnet", provider: "anthropic", billing_mode: "byok", required_env: ["ANTHROPIC_API_KEY", "MOLECULE_LLM_USAGE_TOKEN"] },
+            { id: "platform-sonnet", provider: "platform", billing_mode: "platform_managed", required_env: ["MOLECULE_LLM_USAGE_TOKEN"] },
+          ],
+        },
+      ],
+    });
+
+    apiPut.mockResolvedValue({});
+    apiPatch.mockResolvedValue({});
+
+    render(<ConfigTab workspaceId="ws-test" />);
+
+    // Wait for the provider dropdown to populate.
+    const providerSelect = (await waitFor(() =>
+      screen.getByTestId("provider-select"),
+    )) as HTMLSelectElement;
+
+    // Switch from BYOK to platform-managed provider.
+    const platformOption = Array.from(providerSelect.options).find((o) =>
+      o.text.includes("Platform"),
+    );
+    expect(platformOption).toBeTruthy();
+    fireEvent.change(providerSelect, { target: { value: platformOption!.value } });
+
+    // Save & Restart.
+    fireEvent.click(screen.getByRole("button", { name: /save & restart/i }));
+
+    await waitFor(() => {
+      expect(apiPut).toHaveBeenCalledWith(
+        "/workspaces/ws-test/files/config.yaml",
+        expect.objectContaining({
+          content: expect.not.stringContaining("ANTHROPIC_API_KEY"),
+        }),
+      );
+    });
+
+    // Verify the specific put call no longer carries the suppressed token.
+    const putCall = apiPut.mock.calls.find(
+      ([path]) => path === "/workspaces/ws-test/files/config.yaml",
+    );
+    expect(putCall?.[1].content).not.toContain("MOLECULE_LLM_USAGE_TOKEN");
+  });
+
+  it("preserves non-internal tokens for BYOK providers", async () => {
+    wireApi({
+      workspaceRuntime: "claude-code",
+      workspaceModel: "byok-sonnet",
+      configYamlContent: [
+        "runtime: claude-code",
+        "runtime_config:",
+        "  model: byok-sonnet",
+        "  required_env:",
+        "    - ANTHROPIC_API_KEY",
+        "    - MOLECULE_LLM_USAGE_TOKEN",
+      ].join("\n"),
+      templates: [
+        {
+          id: "t-claude-code",
+          name: "Claude Code",
+          runtime: "claude-code",
+          models: [],
+          registry_backed: true,
+          registry_providers: [
+            {
+              name: "anthropic",
+              display_name: "BYOK Anthropic",
+              auth_env: ["ANTHROPIC_API_KEY", "MOLECULE_LLM_USAGE_TOKEN"],
+              billing_mode: "byok",
+            },
+          ],
+          registry_models: [
+            { id: "byok-sonnet", provider: "anthropic", billing_mode: "byok" },
+          ],
+        },
+      ],
+    });
+
+    apiPut.mockResolvedValue({});
+    apiPatch.mockResolvedValue({});
+
+    render(<ConfigTab workspaceId="ws-test" />);
+
+    // Wait for load.
+    await waitFor(() =>
+      screen.getByRole("button", { name: /save & restart/i }),
+    );
+
+    // Click Save without changing provider — BYOK should keep both keys.
+    fireEvent.click(screen.getByRole("button", { name: /save & restart/i }));
+
+    await waitFor(() => {
+      expect(apiPut).toHaveBeenCalledWith(
+        "/workspaces/ws-test/files/config.yaml",
+        expect.objectContaining({
+          content: expect.stringContaining("required_env:"),
+        }),
+      );
+    });
+
+    const putCall = apiPut.mock.calls.find(
+      ([path]) => path === "/workspaces/ws-test/files/config.yaml",
+    );
+    expect(putCall?.[1].content).toContain("ANTHROPIC_API_KEY");
+    expect(putCall?.[1].content).toContain("MOLECULE_LLM_USAGE_TOKEN");
+  });
+});
@@ -23,6 +23,13 @@ vi.mock("@/store/canvas", () => ({
  ),
 }));

+// SaaS so the editable cloud-provider selector renders (non-SaaS shows a read-only
+// badge). Existing tests keep provider=aws (default), which is omitted from the
+// PATCH payload, so their assertions are unaffected.
+vi.mock("@/lib/tenant", () => ({
+  isSaaSTenant: () => true,
+}));
+
 import { ContainerConfigTab } from "../ContainerConfigTab";

 afterEach(() => {
@@ -314,4 +321,67 @@ describe("ContainerConfigTab", () => {
    await waitFor(() => expect(restartWorkspace).toHaveBeenCalledWith("ws-compute", { applyTemplate: true }));
    expect(apiPatch).not.toHaveBeenCalled();
  });
+
+  it("switches cloud provider — keys the instance-type list to the provider, confirms the recreate, and PATCHes the new provider", async () => {
+    const confirmSpy = vi.spyOn(window, "confirm").mockReturnValue(true);
+    render(
+      <ContainerConfigTab
+        workspaceId="ws-switch"
+        data={{
+          runtime: "claude-code",
+          status: "online",
+          needsRestart: false,
+          activeTasks: 0,
+          maxConcurrentTasks: null,
+          workspaceAccess: "read-write",
+          deliveryMode: "push",
+          compute: { instance_type: "t3.large", provider: "aws", volume: { root_gb: 30 } },
+        }}
+      />,
+    );
+
+    const providerSel = screen.getByLabelText("Cloud provider");
+    expect(providerSel).toHaveProperty("value", "aws");
+    expect(screen.getByLabelText("Instance type")).toHaveProperty("value", "t3.large");
+
+    // Switch to Hetzner → the instance type resets to the Hetzner default (an AWS
+    // t3.* is invalid on Hetzner) and the options become Hetzner sizes.
+    fireEvent.change(providerSel, { target: { value: "hetzner" } });
+    expect(screen.getByLabelText("Instance type")).toHaveProperty("value", "cpx31");
+
+    fireEvent.click(screen.getByRole("button", { name: "Save" }));
+    await waitFor(() => expect(apiPatch).toHaveBeenCalledTimes(1));
+    expect(confirmSpy).toHaveBeenCalled(); // destructive recreate confirmed
+    const body = apiPatch.mock.calls[0][1] as { compute: { provider?: string; instance_type?: string } };
+    expect(body.compute.provider).toBe("hetzner");
+    expect(body.compute.instance_type).toBe("cpx31");
+    confirmSpy.mockRestore();
+  });
+
+  it("does not treat a non-provider edit as a recreate (no confirm; aws default omitted)", async () => {
+    const confirmSpy = vi.spyOn(window, "confirm").mockReturnValue(true);
+    render(
+      <ContainerConfigTab
+        workspaceId="ws-noswitch"
+        data={{
+          runtime: "claude-code",
+          status: "online",
+          needsRestart: false,
+          activeTasks: 0,
+          maxConcurrentTasks: null,
+          workspaceAccess: "read-write",
+          deliveryMode: "push",
+          compute: { instance_type: "t3.large", provider: "aws", volume: { root_gb: 30 } },
+        }}
+      />,
+    );
+
+    fireEvent.change(screen.getByLabelText("Root volume"), { target: { value: "60" } });
+    fireEvent.click(screen.getByRole("button", { name: "Save" }));
+    await waitFor(() => expect(apiPatch).toHaveBeenCalledTimes(1));
+    expect(confirmSpy).not.toHaveBeenCalled();
+    const body = apiPatch.mock.calls[0][1] as { compute: { provider?: string } };
+    expect(body.compute.provider).toBeUndefined(); // aws default omitted (wire unchanged)
+    confirmSpy.mockRestore();
+  });
 });
@@ -162,6 +162,11 @@ describe("DisplayTab", () => {
      controller: "user",
      ttl_seconds: 300,
    });
+    // Defensive: the noVNC constructor is async (dynamic import), so wait
+    // for it to be called before asserting arguments (prevents flake in CI).
+    await waitFor(() => {
+      expect(mockRFBConstructor).toHaveBeenCalled();
+    });
    expect(mockRFBConstructor).toHaveBeenCalledWith(
      expect.any(HTMLElement),
      expect.stringContaining("/workspaces/ws-display/display/session/websockify"),
@@ -197,6 +202,14 @@ describe("DisplayTab", () => {
    fireEvent.click(screen.getByRole("button", { name: "Take control" }));

    const desktop = await screen.findByTitle("Workspace desktop");
+    // Wait for the RFB instance to actually connect before pasting. The component
+    // sets rfbRef.current synchronously right after `new RFB()` (which fires
+    // mockRFBConstructor) INSIDE the async connect() — but the "Workspace desktop"
+    // title renders before that await resolves. Firing paste immediately races
+    // rfbRef.current===null, so the window paste handler's
+    // `rfbRef.current?.clipboardPasteFrom(text)` no-ops (0 calls). This lost the
+    // race under CI runner load; waiting for the constructor makes it deterministic.
+    await waitFor(() => expect(mockRFBConstructor).toHaveBeenCalled());
    fireEvent.paste(desktop, {
      clipboardData: {
        getData: (type: string) => (type === "text/plain" ? "Paste Me" : ""),
@@ -0,0 +1,105 @@
+// @vitest-environment jsdom
+/** Unit tests for useA2AFlights — the event→flight lifecycle that drives the
+ *  envelope animations on the canvas (MessageFlightLayer) and the concierge
+ *  home (MessageFlightHome). useSocketEvent is mocked so we can drive the
+ *  ACTIVITY_LOGGED handler directly. */
+import { renderHook, act } from "@testing-library/react";
+import { describe, it, expect, vi, beforeEach } from "vitest";
+
+// Capture the handler the hook registers with the socket bus. vi.hoisted is
+// required because vi.mock factories are hoisted above normal declarations and
+// may only close over hoisted state.
+const h = vi.hoisted(() => ({ captured: null as ((msg: unknown) => void) | null }));
+vi.mock("@/hooks/useSocketEvent", () => ({
+  useSocketEvent: (cb: (msg: unknown) => void) => {
+    h.captured = cb;
+  },
+}));
+
+import { useA2AFlights, FLIGHT_DURATION_MS } from "@/hooks/useA2AFlights";
+
+function setReducedMotion(reduce: boolean) {
+  window.matchMedia = vi.fn().mockImplementation((q: string) => ({
+    matches: reduce && q.includes("reduce"),
+    media: q,
+    onchange: null,
+    addEventListener: vi.fn(),
+    removeEventListener: vi.fn(),
+    addListener: vi.fn(),
+    removeListener: vi.fn(),
+    dispatchEvent: vi.fn(),
+  }));
+}
+
+const msg = (payload: Record<string, unknown>, event = "ACTIVITY_LOGGED") => ({
+  event,
+  workspace_id: "a",
+  timestamp: "2026-06-08T00:00:00Z",
+  payload,
+});
+const a2aSend = (over: Record<string, unknown> = {}) =>
+  msg({ activity_type: "a2a_send", source_id: "a", target_id: "b", ...over });
+
+describe("useA2AFlights", () => {
+  beforeEach(() => {
+    h.captured = null;
+    vi.useRealTimers();
+    setReducedMotion(false);
+  });
+
+  it("emits a flight for an a2a_send between two distinct agents", () => {
+    const { result } = renderHook(() => useA2AFlights());
+    act(() => h.captured?.(a2aSend()));
+    expect(result.current).toHaveLength(1);
+    expect(result.current[0]).toMatchObject({ sourceId: "a", targetId: "b", kind: "send" });
+  });
+
+  it("maps a2a_receive / task_update to their kinds", () => {
+    const { result } = renderHook(() => useA2AFlights());
+    act(() => h.captured?.(a2aSend({ activity_type: "a2a_receive" })));
+    act(() => h.captured?.(a2aSend({ activity_type: "task_update" })));
+    const kinds = result.current.map((f) => f.kind);
+    expect(kinds).toContain("receive");
+    expect(kinds).toContain("task");
+  });
+
+  it("ignores non-A2A activity and non-ACTIVITY_LOGGED events", () => {
+    const { result } = renderHook(() => useA2AFlights());
+    act(() => h.captured?.(msg({ activity_type: "status_change", source_id: "a", target_id: "b" })));
+    act(() => h.captured?.(a2aSend({}, )));
+    act(() => h.captured?.({ event: "WORKSPACE_UPDATED", workspace_id: "a", payload: {} }));
+    expect(result.current.every((f) => f.kind === "send")).toBe(true);
+    expect(result.current).toHaveLength(1); // only the one valid a2aSend
+  });
+
+  it("skips self-loops and flights with no target", () => {
+    const { result } = renderHook(() => useA2AFlights());
+    act(() => h.captured?.(a2aSend({ target_id: "a" }))); // self-loop
+    act(() => h.captured?.(a2aSend({ target_id: "" }))); // missing target
+    expect(result.current).toHaveLength(0);
+  });
+
+  it("emits nothing when prefers-reduced-motion is set", () => {
+    setReducedMotion(true);
+    const { result } = renderHook(() => useA2AFlights());
+    act(() => h.captured?.(a2aSend()));
+    expect(result.current).toHaveLength(0);
+  });
+
+  it("emits nothing when disabled", () => {
+    const { result } = renderHook(() => useA2AFlights(false));
+    act(() => h.captured?.(a2aSend()));
+    expect(result.current).toHaveLength(0);
+  });
+
+  it("expires a flight after the TTL", () => {
+    vi.useFakeTimers();
+    const { result } = renderHook(() => useA2AFlights());
+    act(() => h.captured?.(a2aSend()));
+    expect(result.current).toHaveLength(1);
+    act(() => {
+      vi.advanceTimersByTime(FLIGHT_DURATION_MS + 300);
+    });
+    expect(result.current).toHaveLength(0);
+  });
+});
@@ -0,0 +1,103 @@
+/** useA2AFlights — turns the org's live A2A activity stream into transient
+ *  "flights" (one per delegate / message event, source → target) that an
+ *  overlay can animate as an envelope travelling between two agents.
+ *
+ *  This hook owns ONLY the event→flight lifecycle: it subscribes to the same
+ *  ACTIVITY_LOGGED WS bus the CommunicationOverlay uses, keeps a small bounded
+ *  list of in-flight envelopes, and expires each after the animation window.
+ *  The caller resolves positions and renders the envelope, so the exact same
+ *  flight data drives both the spatial canvas (flow coords) and the concierge
+ *  home (DOM row rects).
+ *
+ *  Honours `prefers-reduced-motion`: when the user opts out of motion the hook
+ *  emits no flights at all, so no envelope ever animates. */
+import { useEffect, useRef, useState } from "react";
+import { useSocketEvent } from "@/hooks/useSocketEvent";
+
+export type A2AFlightKind = "send" | "receive" | "task";
+
+export interface A2AFlight {
+  /** unique per flight instance (not per pair) so a burst renders distinct envelopes */
+  key: string;
+  sourceId: string;
+  targetId: string;
+  kind: A2AFlightKind;
+}
+
+/** Total time an envelope is alive (ms). Kept in sync with the overlay's
+ *  Web-Animations duration; the extra tail gives the fade-out room to finish
+ *  before the element unmounts. */
+export const FLIGHT_DURATION_MS = 1200;
+const FLIGHT_TTL_MS = FLIGHT_DURATION_MS + 120;
+
+/** Cap concurrent envelopes so a delegation storm can't spawn unbounded DOM. */
+const MAX_CONCURRENT = 12;
+
+function reducedMotionNow(): boolean {
+  return (
+    typeof window !== "undefined" &&
+    typeof window.matchMedia === "function" &&
+    window.matchMedia("(prefers-reduced-motion: reduce)").matches
+  );
+}
+
+export function useA2AFlights(enabled = true): A2AFlight[] {
+  const [flights, setFlights] = useState<A2AFlight[]>([]);
+  const reduced = useRef<boolean>(reducedMotionNow());
+  const timers = useRef<number[]>([]);
+
+  // Track reduced-motion preference changes live (a user can toggle it mid-session).
+  useEffect(() => {
+    if (typeof window === "undefined" || typeof window.matchMedia !== "function") return;
+    const mq = window.matchMedia("(prefers-reduced-motion: reduce)");
+    const onChange = () => {
+      reduced.current = mq.matches;
+      if (mq.matches) setFlights([]); // drop any in-flight envelopes immediately
+    };
+    mq.addEventListener?.("change", onChange);
+    return () => mq.removeEventListener?.("change", onChange);
+  }, []);
+
+  // Clear pending expiry timers on unmount.
+  useEffect(() => {
+    const t = timers.current;
+    return () => {
+      t.forEach((id) => window.clearTimeout(id));
+    };
+  }, []);
+
+  useSocketEvent((msg) => {
+    if (!enabled || reduced.current) return;
+    if (msg.event !== "ACTIVITY_LOGGED") return;
+
+    const p = (msg.payload || {}) as {
+      activity_type?: string;
+      source_id?: string | null;
+      target_id?: string | null;
+    };
+    const t = p.activity_type;
+    if (t !== "a2a_send" && t !== "a2a_receive" && t !== "task_update") return;
+
+    const sourceId = p.source_id || msg.workspace_id;
+    const targetId = p.target_id || "";
+    // A flight needs two distinct endpoints; a self-loop or missing peer has
+    // nowhere to fly, so skip it.
+    if (!sourceId || !targetId || sourceId === targetId) return;
+
+    const kind: A2AFlightKind =
+      t === "a2a_receive" ? "receive" : t === "task_update" ? "task" : "send";
+    const key = `${msg.timestamp || Date.now()}:${sourceId}:${targetId}:${Math.random()
+      .toString(36)
+      .slice(2, 8)}`;
+
+    setFlights((prev) => [...prev.slice(-(MAX_CONCURRENT - 1)), { key, sourceId, targetId, kind }]);
+
+    const id = window.setTimeout(() => {
+      setFlights((prev) => prev.filter((f) => f.key !== key));
+      timers.current = timers.current.filter((x) => x !== id);
+    }, FLIGHT_TTL_MS);
+    timers.current.push(id);
+  });
+
+  return flights;
+}
@@ -1,5 +1,5 @@
 import type { Secret } from '@/types/secrets';
-import { getTenantSlug } from '../tenant';
+import { platformAuthHeaders } from '@/lib/api';

 const PLATFORM_URL = process.env.NEXT_PUBLIC_PLATFORM_URL ?? 'http://localhost:8080';

@@ -13,16 +13,19 @@ function apiUrl(workspaceId: string, path = ''): string {
 }

 async function request<T>(url: string, init?: RequestInit): Promise<T> {
-  // Match api.ts shape — slug header + cross-origin credentials so SaaS
-  // cross-subdomain fetches work. See lib/api.ts for the rationale.
-  const slug = getTenantSlug();
-  const saasHeaders: Record<string, string> = { 'Content-Type': 'application/json' };
-  if (slug) saasHeaders['X-Molecule-Org-Slug'] = slug;
+  // Auth pair (admin/org Bearer token + tenant slug) + JSON Content-Type come
+  // from the shared `platformAuthHeaders()` helper. This bespoke fetch
+  // previously hand-rolled only the slug + Content-Type and OMITTED the
+  // Authorization bearer — so against a workspace-server with ADMIN_TOKEN set
+  // (local dev, every SaaS tenant), WorkspaceAuth saw no bearer and no verified
+  // CP session and returned 401 "missing workspace auth token". That's exactly
+  // the #178 raw-fetch-forgets-a-header bug shape the helper exists to prevent.
  const res = await fetch(url, {
    ...init,
    credentials: 'include',
    headers: {
-      ...saasHeaders,
+      'Content-Type': 'application/json',
+      ...platformAuthHeaders(),
      ...init?.headers,
    },
  });
@@ -0,0 +1,17 @@
+/** Canonical workspace `kind` values — the TS mirror of Go's models.Kind*
+ *  constants (`models.KindPlatform` / `models.KindWorkspace`).
+ *
+ *  Single source of truth for the `kind` magic strings used across the canvas
+ *  (topology, map strip, toolbar, concierge shell). Kept in a leaf module so
+ *  both `@/store/canvas` and `@/store/canvas-topology` can import it without a
+ *  circular dependency. `WorkspaceNodeData.kind` stays a plain `string` — these
+ *  are the well-known values to compare against, not an exhaustive enum.
+ *
+ *  - `Platform`  = the org-level concierge (the undeletable org root, hidden
+ *                  from the map graph, surfaced as the shell's org root).
+ *  - `Workspace` = an ordinary agent. Also the fallback for older ws-server
+ *                  builds that predate the `kind` column. */
+export const WORKSPACE_KIND = {
+  Platform: "platform",
+  Workspace: "workspace",
+} as const;
@@ -11,7 +11,25 @@ import {
  childSlotInGrid,
  parentMinSize,
  parentMinSizeFromChildren,
+  CHILD_DEFAULT_WIDTH,
+  CHILD_DEFAULT_HEIGHT,
+  CHILD_GUTTER,
+  PARENT_SIDE_PADDING,
+  PARENT_HEADER_PADDING,
+  PARENT_BOTTOM_PADDING,
+  stripPlatformRootForMap,
 } from "../canvas-topology";
+import { WORKSPACE_KIND } from "../../lib/workspace-kind";
+
+// Layout-math aliases so these assertions track the card-size constants
+// instead of hard-coding pixel values (which drift when the card size
+// changes — e.g. the 240×130 → 300×176 "bigger cards" redesign).
+const W = CHILD_DEFAULT_WIDTH;
+const H = CHILD_DEFAULT_HEIGHT;
+const GUT = CHILD_GUTTER;
+const SIDE = PARENT_SIDE_PADDING;
+const HEAD = PARENT_HEADER_PADDING;
+const BOTTOM = PARENT_BOTTOM_PADDING;

 // ─── sortParentsBeforeChildren ─────────────────────────────────────────────────

@@ -115,34 +133,34 @@ describe("sortParentsBeforeChildren", () => {

 // ─── defaultChildSlot ─────────────────────────────────────────────────────────

-describe("defaultChildSlot — 2-column grid (240×130 cards)", () => {
+describe("defaultChildSlot — 2-column grid", () => {
  it("slot 0 → column 0, row 0", () => {
    const s = defaultChildSlot(0);
-    expect(s).toEqual({ x: 16, y: 130 });
+    expect(s).toEqual({ x: SIDE, y: HEAD });
  });

  it("slot 1 → column 1, row 0", () => {
    const s = defaultChildSlot(1);
-    expect(s.x).toBe(16 + 240 + 14); // PARENT_SIDE_PADDING + CHILD_DEFAULT_WIDTH + CHILD_GUTTER
-    expect(s.y).toBe(130);
+    expect(s.x).toBe(SIDE + W + GUT); // PARENT_SIDE_PADDING + CHILD_DEFAULT_WIDTH + CHILD_GUTTER
+    expect(s.y).toBe(HEAD);
  });

  it("slot 2 → column 0, row 1", () => {
    const s = defaultChildSlot(2);
-    expect(s.x).toBe(16);
-    expect(s.y).toBe(130 + 130 + 14); // row 0 height + gutter
+    expect(s.x).toBe(SIDE);
+    expect(s.y).toBe(HEAD + H + GUT); // row 0 height + gutter
  });

  it("slot 3 → column 1, row 1", () => {
    const s = defaultChildSlot(3);
-    expect(s.x).toBe(16 + 240 + 14);
-    expect(s.y).toBe(130 + 130 + 14);
+    expect(s.x).toBe(SIDE + W + GUT);
+    expect(s.y).toBe(HEAD + H + GUT);
  });

  it("slot 4 → column 0, row 2", () => {
    const s = defaultChildSlot(4);
-    expect(s.x).toBe(16);
-    expect(s.y).toBe(130 + (130 + 14) * 2); // row 1 end + gutter
+    expect(s.x).toBe(SIDE);
+    expect(s.y).toBe(HEAD + (H + GUT) * 2); // row 1 end + gutter
  });
 });

@@ -194,36 +212,35 @@ describe("parentMinSize — uniform-size children", () => {

  it("1 child → 1 col, 1 row", () => {
    const s = parentMinSize(1);
-    // width = 16*2 + 1*240 + 0 = 272; height = 130 + 1*130 + 0 + 16 = 276
-    expect(s.width).toBe(16 * 2 + 240);
-    expect(s.height).toBe(130 + 130 + 16);
+    // width = SIDE*2 + 1*W; height = HEAD + 1*H + BOTTOM
+    expect(s.width).toBe(SIDE * 2 + W);
+    expect(s.height).toBe(HEAD + H + BOTTOM);
  });

  it("2 children → 2 cols, 1 row", () => {
    const s = parentMinSize(2);
-    // width = 16*2 + 2*240 + 1*14 = 526; height = 130 + 1*130 + 0 + 16 = 276
-    expect(s.width).toBe(16 * 2 + 2 * 240 + 14);
-    expect(s.height).toBe(130 + 130 + 16);
+    // width = SIDE*2 + 2*W + 1*GUT; height = HEAD + 1*H + BOTTOM
+    expect(s.width).toBe(SIDE * 2 + 2 * W + GUT);
+    expect(s.height).toBe(HEAD + H + BOTTOM);
  });

  it("3 children → 2 cols, 2 rows", () => {
    const s = parentMinSize(3);
-    // width = 16*2 + 2*240 + 1*14 = 526
-    expect(s.width).toBe(16 * 2 + 2 * 240 + 14);
-    // height = 130 + 2*130 + 1*14 + 16 = 416
-    expect(s.height).toBe(130 + 2 * 130 + 14 + 16);
+    expect(s.width).toBe(SIDE * 2 + 2 * W + GUT);
+    // height = HEAD + 2*H + 1*GUT + BOTTOM
+    expect(s.height).toBe(HEAD + 2 * H + GUT + BOTTOM);
  });

  it("4 children → 2 cols, 2 rows (full grid)", () => {
    const s = parentMinSize(4);
-    expect(s.width).toBe(16 * 2 + 2 * 240 + 14);
-    expect(s.height).toBe(130 + 2 * 130 + 14 + 16);
+    expect(s.width).toBe(SIDE * 2 + 2 * W + GUT);
+    expect(s.height).toBe(HEAD + 2 * H + GUT + BOTTOM);
  });

  it("5 children → 2 cols, 3 rows", () => {
    const s = parentMinSize(5);
-    expect(s.width).toBe(16 * 2 + 2 * 240 + 14);
-    expect(s.height).toBe(130 + 3 * 130 + 2 * 14 + 16);
+    expect(s.width).toBe(SIDE * 2 + 2 * W + GUT);
+    expect(s.height).toBe(HEAD + 3 * H + 2 * GUT + BOTTOM);
  });
 });

@@ -243,8 +260,8 @@ describe("parentMinSizeFromChildren — variable-size children", () => {

  it("two equal-width children → same as parentMinSize(2)", () => {
    const fromChildren = parentMinSizeFromChildren([
-      { width: 240, height: 130 },
-      { width: 240, height: 130 },
+      { width: W, height: H },
+      { width: W, height: H },
    ]);
    expect(fromChildren.width).toBe(parentMinSize(2).width);
    expect(fromChildren.height).toBe(parentMinSize(2).height);
@@ -262,3 +279,74 @@ describe("parentMinSizeFromChildren — variable-size children", () => {
    expect(wide.width).toBeGreaterThan(narrow.width);
  });
 });
+
+// ─── stripPlatformRootForMap ───────────────────────────────────────────────────
+
+describe("stripPlatformRootForMap", () => {
+  // Minimal Node<WorkspaceNodeData> builder — only the fields the function reads.
+  const node = (
+    id: string,
+    opts: { kind?: string; parentId?: string; x?: number; y?: number } = {},
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  ): any => ({
+    id,
+    position: { x: opts.x ?? 0, y: opts.y ?? 0 },
+    parentId: opts.parentId,
+    data: { kind: opts.kind ?? WORKSPACE_KIND.Workspace, parentId: opts.parentId ?? null },
+  });
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  const edge = (source: string, target: string): any => ({ id: `${source}->${target}`, source, target });
+
+  it("returns input unchanged when there is no platform node", () => {
+    const nodes = [node("a"), node("b", { parentId: "a", x: 5, y: 5 })];
+    const edges = [edge("a", "b")];
+    const out = stripPlatformRootForMap(nodes, edges);
+    expect(out.nodes).toBe(nodes); // same reference — no work done
+    expect(out.edges).toBe(edges);
+  });
+
+  it("removes the platform root, promotes its direct children to absolute positions, and drops platform-touching edges", () => {
+    const platform = node("P", { kind: WORKSPACE_KIND.Platform, x: 100, y: 50 });
+    const child = node("c", { parentId: "P", x: 10, y: 20 }); // RF-relative to P
+    const grandchild = node("g", { parentId: "c", x: 5, y: 5 });
+    const out = stripPlatformRootForMap(
+      [platform, child, grandchild],
+      [edge("P", "c"), edge("c", "g")],
+    );
+
+    // Platform node is gone.
+    expect(out.nodes.find((n) => n.id === "P")).toBeUndefined();
+
+    // Direct child promoted to top-level with absolute position (parentPos + childPos).
+    const c = out.nodes.find((n) => n.id === "c")!;
+    expect(c.parentId).toBeUndefined();
+    expect(c.extent).toBeUndefined();
+    expect(c.position).toEqual({ x: 110, y: 70 });
+    expect(c.data.parentId).toBeNull();
+
+    // Grandchild (child of a non-platform node) is untouched.
+    const g = out.nodes.find((n) => n.id === "g")!;
+    expect(g.parentId).toBe("c");
+    expect(g.position).toEqual({ x: 5, y: 5 });
+
+    // Edge touching the platform node dropped; the other preserved.
+    expect(out.edges.map((e) => e.id)).toEqual(["c->g"]);
+  });
+
+  it("leaves children of an ordinary (non-platform) parent untouched", () => {
+    const platform = node("P", { kind: WORKSPACE_KIND.Platform });
+    const ordinaryParent = node("op", { parentId: "P", x: 200, y: 0 });
+    const grandchild = node("gc", { parentId: "op", x: 7, y: 9 });
+    const out = stripPlatformRootForMap([platform, ordinaryParent, grandchild], []);
+
+    // op is a direct child of platform → promoted (absolute = 200+0, 0+0).
+    const op = out.nodes.find((n) => n.id === "op")!;
+    expect(op.parentId).toBeUndefined();
+    expect(op.position).toEqual({ x: 200, y: 0 });
+
+    // gc's parent is the ordinary node, not platform → relative position preserved.
+    const gc = out.nodes.find((n) => n.id === "gc")!;
+    expect(gc.parentId).toBe("op");
+    expect(gc.position).toEqual({ x: 7, y: 9 });
+  });
+});
@@ -162,6 +162,27 @@ describe("hydrate", () => {
    useCanvasStore.getState().hydrate([ws]);
    expect(useCanvasStore.getState().nodes[0].data.currentTask).toBe("");
  });
+
+  it("preserves in-flight turn status after refresh (issue #2391)", () => {
+    // Simulates a page refresh: the canvas re-hydrates from GET /workspaces
+    // while the agent has an active in-flight turn. The store must reflect
+    // "working" immediately — no dependence on a subsequent TASK_UPDATED
+    // socket event. This prevents the "stuck idle" UX after reload.
+    const ws = makeWS({
+      id: "ws-1",
+      status: "online",
+      current_task: "Analyzing data",
+      active_tasks: 2,
+    });
+    useCanvasStore.getState().hydrate([ws]);
+    const node = useCanvasStore.getState().nodes[0];
+    expect(node.data.currentTask).toBe("Analyzing data");
+    expect(node.data.activeTasks).toBe(2);
+    expect(node.data.status).toBe("online");
+    // Defensive: the node must be considered "working" for any UI that
+    // gates on currentTask (e.g. ChatTab thinking indicator).
+    expect(!!node.data.currentTask).toBe(true);
+  });
 });

 describe("summarizeWorkspaceCapabilities", () => {
--- a/Show More
+++ b/Show More