fix(ci): add explicit utf-8 encoding to Python open() calls

Python 3's open() default encoding is platform-dependent (PEP 597). On CI runners it happens to be UTF-8, but being explicit avoids surprises on Windows dev boxes or custom runner images. Files touched: - sop-checklist.py: config loading (YAML + minimal parser) - tests/_review_check_fixture.py: test fixture scenario loader - tests/_refire_fixture.py: test fixture scenario loader Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Merge pull request 'fix(canvas): link provider selection to llm_billing_mode (internal#703 Gap 2)' (#1935 ) from fix/703-provider-billing-mode-ui into main
2026-05-27 15:35:36 +00:00 · 2026-05-27 15:33:17 +00:00 · 2026-05-27 15:24:34 +00:00 · 2026-05-27 15:00:24 +00:00 · 2026-05-27 07:38:26 -07:00 · 2026-05-27 14:30:11 +00:00
165 changed files with 7592 additions and 1247 deletions
@@ -274,7 +274,8 @@ def required_checks_env(audit_doc: dict) -> set[str]:
                    found.append(v)
    if not found:
        sys.stderr.write(
-            f"::error::REQUIRED_CHECKS env not found in any step of {AUDIT_WORKFLOW_PATH}\n"
+            f"::error::REQUIRED_CHECKS env not found in any step of "
+            f"{AUDIT_WORKFLOW_PATH}\n"
        )
        sys.exit(3)
    if len(found) > 1:
@@ -384,10 +385,15 @@ def detect_drift(branch: str) -> tuple[list[str], dict]:
    contexts = set(protection.get("status_check_contexts") or [])

    # ----- F1: job exists in CI but not under sentinel.needs -----
+    # Post-#1766 contract: the sentinel may deliberately have no `needs:`
+    # and instead poll path-relevant statuses dynamically. In that case
+    # F1 is a false positive — skip it. F1b (typos in existing needs)
+    # is naturally skipped when needs is empty.
    missing_from_needs = sorted(jobs - needs)
-    if missing_from_needs:
+    if missing_from_needs and needs:
        findings.append(
-            "F1 — jobs in ci.yml NOT under sentinel `needs:` (sentinel doesn't gate them):\n"
+            "F1 — jobs in ci.yml NOT under sentinel `needs:` "
+            "(sentinel doesn't gate them):\n"
            + "\n".join(f"  - {n}" for n in missing_from_needs)
        )

@@ -397,7 +403,8 @@ def detect_drift(branch: str) -> tuple[list[str], dict]:
    stale_needs = sorted(needs - jobs_all)
    if stale_needs:
        findings.append(
-            "F1b — sentinel `needs:` lists jobs NOT present in ci.yml (typo or removed job):\n"
+            "F1b — sentinel `needs:` lists jobs NOT present in ci.yml "
+            "(typo or removed job):\n"
            + "\n".join(f"  - {n}" for n in stale_needs)
        )

@@ -405,7 +412,9 @@ def detect_drift(branch: str) -> tuple[list[str], dict]:
    # Compute the contexts the CI YAML actually produces. The sentinel
    # is in (B) intentionally (`ci / all-required (pull_request)`); we
    # whitelist it explicitly.
-    emitted_contexts = {expected_context(j) for j in jobs} | {expected_context(SENTINEL_JOB)}
+    emitted_contexts = {
+        expected_context(j) for j in jobs
+    } | {expected_context(SENTINEL_JOB)}
    # Contexts NOT produced by ci.yml may still come from other
    # workflows in the repo (Secret scan etc). We can't enumerate
    # every workflow's emissions cheaply; instead, flag only contexts
@@ -418,8 +427,9 @@ def detect_drift(branch: str) -> tuple[list[str], dict]:
    )
    if stale_protection:
        findings.append(
-            "F2 — protection `status_check_contexts` entries with `ci / ` prefix that NO "
-            "job in ci.yml emits (stale name → silent advisory gate):\n"
+            "F2 — protection `status_check_contexts` entries with `ci / ` "
+            "prefix that NO job in ci.yml emits "
+            "(stale name → silent advisory gate):\n"
            + "\n".join(f"  - {c}" for c in stale_protection)
        )

@@ -494,7 +504,8 @@ def render_body(branch: str, findings: list[str], debug: dict) -> str:
        f"# Drift detected on `{REPO}/{branch}`",
        "",
        "Auto-filed by `.gitea/workflows/ci-required-drift.yml` "
-        "(RFC [internal#219](https://git.moleculesai.app/molecule-ai/internal/issues/219) §4 + §6).",
+        "(RFC [internal#219]"
+        "(https://git.moleculesai.app/molecule-ai/internal/issues/219) §4 + §6).",
        "",
        "## Findings",
        "",
@@ -505,8 +516,11 @@ def render_body(branch: str, findings: list[str], debug: dict) -> str:
            "",
            "## Resolution",
            "",
-            "- **F1 / F1b**: add the missing job to `all-required.needs:` "
-            "in `.gitea/workflows/ci.yml`, or remove the stale entry.",
+            "- **F1 / F1b**: if the sentinel job has a `needs:` block, add "
+            "the missing job to it in `.gitea/workflows/ci.yml`, or remove "
+            "the stale entry. If the sentinel deliberately has no `needs:` "
+            "(path-aware polling sentinel per post-#1766 contract), this "
+            "finding is expected and F1 is skipped.",
            "- **F2**: rename the protection context to match an emitter, "
            "or remove it from `status_check_contexts` "
            "(PATCH `/api/v1/repos/{owner}/{repo}/branch_protections/{branch}`).",
@@ -547,12 +561,12 @@ def file_or_update(

    if dry_run:
        print(f"::notice::[dry-run] would file/update drift issue for {branch}")
-        print(f"::group::[dry-run] title")
+        print("::group::[dry-run] title")
        print(title)
-        print(f"::endgroup::")
-        print(f"::group::[dry-run] body")
+        print("::endgroup::")
+        print("::group::[dry-run] body")
        print(body)
-        print(f"::endgroup::")
+        print("::endgroup::")
        return

    existing = find_open_issue(title)
@@ -15,7 +15,6 @@ import subprocess
 import sys
 from pathlib import Path

-
 PROFILES: dict[str, dict[str, str]] = {
    "ci": {
        "platform": r"^workspace-server/",
@@ -153,7 +152,10 @@ def parse_args(argv: list[str]) -> argparse.Namespace:
    parser.add_argument("--event-name", default=os.environ.get("GITHUB_EVENT_NAME", ""))
    parser.add_argument("--pr-base-sha", default="")
    parser.add_argument("--base-ref", default="")
-    parser.add_argument("--push-before", default=os.environ.get("GITHUB_EVENT_BEFORE", ""))
+    parser.add_argument(
+        "--push-before",
+        default=os.environ.get("GITHUB_EVENT_BEFORE", ""),
+    )
    return parser.parse_args(argv)


@@ -183,7 +183,9 @@ def required_contexts_green(
        status = latest_statuses.get(context)
        state = status_state(status or {})
        if state != "success":
-            if pr_labels and _is_tier_low_pending_ok(latest_statuses, context, pr_labels):
+            if pr_labels and _is_tier_low_pending_ok(
+                latest_statuses, context, pr_labels
+            ):
                continue  # tier:low soft-fail: accept pending sop-checklist
            missing_or_bad.append(f"{context}={state or 'missing'}")
    return not missing_or_bad, missing_or_bad
@@ -13,11 +13,9 @@ from __future__ import annotations
 import argparse
 import glob
 import re
-import sys
 from pathlib import Path
 from typing import NamedTuple

-
 SELF = ".gitea/workflows/lint-curl-status-capture.yml"


@@ -283,7 +283,7 @@ def _ensure_labels(repo: str, names: list[str]) -> list[int]:
    if status != "ok" or not isinstance(labels, list):
        return []
    out: list[int] = []
-    by_name = {l["name"]: l["id"] for l in labels if isinstance(l, dict)}
+    by_name = {label["name"]: label["id"] for label in labels if isinstance(label, dict)}
    for n in names:
        if n in by_name:
            out.append(by_name[n])
@@ -82,7 +82,7 @@ import sys
 import urllib.error
 import urllib.parse
 import urllib.request
-from datetime import datetime, timedelta, timezone
+from datetime import datetime, timezone
 from pathlib import Path
 from typing import Any

@@ -641,6 +641,15 @@ def main(argv: list[str] | None = None) -> int:

    base_workflows = workflows_at_sha(BASE_SHA)
    head_workflows = workflows_at_sha(HEAD_SHA)
+    # Ignore workflow files that are identical on both sides — old branches
+    # that haven't rebased onto main carry stale copies of workflows that
+    # were updated later. Comparing those stale copies against the current
+    # base produces false-positive "flips".
+    base_workflows = {
+        p: t for p, t in base_workflows.items()
+        if p in head_workflows and head_workflows[p] != t
+    }
+    head_workflows = {p: t for p, t in head_workflows.items() if p in base_workflows}
    flips = detect_flips(base_workflows, head_workflows)

    if not flips:
@@ -90,6 +90,15 @@ API = f"https://{GITEA_HOST}/api/v1" if GITEA_HOST else ""
 # match by exact title without parsing.
 TITLE_PREFIX = "[main-red]"

+# Contexts that are scheduled or non-required — their pending/failure
+# state should not block stale-issue closeout (mc#1789).
+SCHEDULED_CONTEXT_PATTERNS = (
+    "Staging SaaS smoke",
+    "Continuous synthetic E2E",
+    "main-red-watchdog",
+    "ci-arm64-advisory",
+)
+
 # Settling window (seconds) between initial red detection and the
 # pre-file recheck. The recheck filters out the two largest false-
 # positive classes seen in mc#1597..1630 (task #394, 2026-05-21):
@@ -265,6 +274,11 @@ def get_combined_status(sha: str) -> dict:
    return body


+def _entry_state(s: dict) -> str:
+    """Per-entry status key in Gitea 1.22.6 is `status`; fall back to `state`."""
+    return s.get("status") or s.get("state") or ""
+
+
 def is_red(status: dict) -> tuple[bool, list[dict]]:
    """Return (is_red, failed_statuses).

@@ -312,9 +326,6 @@ def is_red(status: dict) -> tuple[bool, list[dict]]:
    # "no per-context entries were in a red state" fallback even when
    # the combined-state correctly flagged red. See
    # `feedback_smoke_test_vendor_truth_not_shape_match`.
-    def _entry_state(s: dict) -> str:
-        return s.get("status") or s.get("state") or ""
-
    def _is_cancel_cascade(s: dict) -> bool:
        """status=3 entry per Gitea 1.22.6 description-string contract.
        Match exactly (after strip) — substring match would catch
@@ -353,6 +364,15 @@ def title_for(sha: str) -> str:
    return f"{TITLE_PREFIX} {REPO}: {sha[:10]}"


+def _is_scheduled_context(context: str) -> bool:
+    """Return True if `context` is a known scheduled/non-required job.
+
+    These contexts run on a schedule and should not block stale-issue
+    closeout when main's required CI has recovered (mc#1789).
+    """
+    return any(pattern.lower() in context.lower() for pattern in SCHEDULED_CONTEXT_PATTERNS)
+
+
 def list_open_red_issues() -> list[dict]:
    """All open issues whose title starts with `[main-red] {repo}: `.

@@ -362,23 +382,34 @@ def list_open_red_issues() -> list[dict]:
    file-or-update path to POST a duplicate — exactly the regression
    class the helper-raises contract closes.

-    Gitea issue search returns at most 50/page; we only need open
-    `[main-red]` issues which are by design ≤ 1 at any time per repo,
-    so a single page is enough.
+    Pagination is exhausted (mc#1789). The old "by design ≤ 1" invariant
+    was false — backlog can exceed 50 open issues.
    """
-    _, results = api(
-        "GET",
-        f"/repos/{OWNER}/{NAME}/issues",
-        query={"state": "open", "type": "issues", "limit": "50"},
-    )
-    if not isinstance(results, list):
-        raise ApiError(
-            f"issue search returned non-list body (got {type(results).__name__})"
-        )
    prefix = f"{TITLE_PREFIX} {REPO}: "
-    return [i for i in results if isinstance(i, dict)
+    all_issues: list[dict] = []
+    page = 1
+    limit = 50
+    while True:
+        _, results = api(
+            "GET",
+            f"/repos/{OWNER}/{NAME}/issues",
+            query={"state": "open", "type": "issues", "limit": str(limit), "page": str(page)},
+        )
+        if not isinstance(results, list):
+            raise ApiError(
+                f"issue search returned non-list body (got {type(results).__name__})"
+            )
+        matched = [
+            i for i in results
+            if isinstance(i, dict)
            and isinstance(i.get("title"), str)
-            and i["title"].startswith(prefix)]
+            and i["title"].startswith(prefix)
+        ]
+        all_issues.extend(matched)
+        if len(results) < limit:
+            break
+        page += 1
+    return all_issues


 def find_open_issue_for_sha(sha: str) -> dict | None:
@@ -574,10 +605,156 @@ def file_or_update_red(
        sys.stderr.write(f"::warning::label '{RED_LABEL}' not found on repo\n")


+def close_stale_red_issues(
+    current_sha: str,
+    current_status: dict,
+    *,
+    dry_run: bool = False,
+) -> int:
+    """Close open [main-red] issues whose specific failing contexts have
+    all recovered on `current_sha`, even though `main` is still red for
+    other reasons (mc#1789).
+
+    When main stays red across consecutive SHAs for *different* causes,
+    `close_open_red_issues_for_other_shas` never fires (it only runs when
+    main is green). This function prevents stale issues from accumulating
+    indefinitely by comparing per-context recovery across SHAs.
+
+    An issue is considered stale when every context that was in a failed
+    state on the issue's SHA is now either `success` on the current HEAD
+    or absent (workflow removed / renamed). Issues whose original SHA had
+    a combined-red-with-no-detail (empty statuses list) are skipped — we
+    cannot verify recovery without per-context data.
+
+    Returns the number of issues closed.
+    """
+    open_red = list_open_red_issues()
+    if not open_red:
+        return 0
+
+    current_statuses = current_status.get("statuses") or []
+    closed = 0
+
+    for issue in open_red:
+        title = issue.get("title", "")
+        prefix = f"{TITLE_PREFIX} {REPO}: "
+        if not title.startswith(prefix):
+            continue
+        short_sha = title[len(prefix):]
+        if short_sha == current_sha[:10]:
+            continue
+
+        # Query status for the old SHA. Short SHA should resolve; if it
+        # doesn't (GC'd, force-pushed, ambiguous), skip conservatively.
+        try:
+            old_status = get_combined_status(short_sha)
+        except ApiError:
+            continue
+
+        old_red, old_failed = is_red(old_status)
+        if not old_red:
+            # Open issue for a now-green SHA — close it via the normal path.
+            num = issue.get("number")
+            if isinstance(num, int):
+                comment = (
+                    f"Commit `{short_sha}` is no longer red. Closing as the "
+                    f"failure context has recovered or expired."
+                )
+                if dry_run:
+                    print(
+                        f"::notice::[dry-run] would close issue #{num} "
+                        f"({title}) — old SHA is now green"
+                    )
+                    closed += 1
+                    continue
+                api(
+                    "POST",
+                    f"/repos/{OWNER}/{NAME}/issues/{num}/comments",
+                    body={"body": comment},
+                )
+                api(
+                    "PATCH",
+                    f"/repos/{OWNER}/{NAME}/issues/{num}",
+                    body={"state": "closed"},
+                )
+                print(
+                    f"::notice::Closed stale main-red issue #{num} "
+                    f"(old SHA {short_sha} is now green)"
+                )
+                closed += 1
+            continue
+
+        if not old_failed:
+            # Combined red with no per-context detail — can't verify recovery.
+            continue
+
+        # Verify every failed context from the old SHA has recovered.
+        all_recovered = True
+        recovered_ctxs: list[str] = []
+        still_failing_ctxs: list[str] = []
+        for s in old_failed:
+            ctx = s.get("context", "")
+            if not ctx:
+                continue
+            current_match = None
+            for cs in current_statuses:
+                if isinstance(cs, dict) and cs.get("context") == ctx:
+                    current_match = cs
+                    break
+            if current_match is None:
+                recovered_ctxs.append(ctx)
+            elif _entry_state(current_match) == "success":
+                recovered_ctxs.append(ctx)
+            else:
+                all_recovered = False
+                still_failing_ctxs.append(ctx)
+
+        if not all_recovered:
+            continue
+
+        num = issue.get("number")
+        if not isinstance(num, int):
+            continue
+
+        comment = (
+            f"The failing contexts from this SHA (`{short_sha}`) have "
+            f"recovered on current HEAD `{current_sha[:10]}`: "
+            f"{', '.join(recovered_ctxs)}. "
+            f"Main is still red for other reasons; see the current "
+            f"`[main-red]` issue for `{current_sha[:10]}`."
+        )
+        if dry_run:
+            print(
+                f"::notice::[dry-run] would close stale issue #{num} "
+                f"({title}) — contexts recovered"
+            )
+            closed += 1
+            continue
+
+        api(
+            "POST",
+            f"/repos/{OWNER}/{NAME}/issues/{num}/comments",
+            body={"body": comment},
+        )
+        api(
+            "PATCH",
+            f"/repos/{OWNER}/{NAME}/issues/{num}",
+            body={"state": "closed"},
+        )
+        print(
+            f"::notice::Closed stale main-red issue #{num} "
+            f"(contexts recovered at {current_sha[:10]})"
+        )
+        closed += 1
+
+    return closed
+
+
 def close_open_red_issues_for_other_shas(
    current_sha: str,
    *,
    dry_run: bool = False,
+    close_same_sha: bool = False,
 ) -> int:
    """When main is green at current_sha, close any open `[main-red]`
    issues whose title references a different SHA. Returns the number
@@ -586,15 +763,25 @@ def close_open_red_issues_for_other_shas(
    Lineage note: we only close issues whose title prefix matches; if
    a human renamed the issue or added a suffix this won't touch it.
    That's intentional — manual editorial state takes precedence.
+
+    Args:
+        close_same_sha: set True when the caller already knows main is
+            green at current_sha (e.g. recovery block) and wants to close
+            the open issue for THIS SHA too. Defaults False so the
+            green-path callers never accidentally close an issue they just
+            filed on the same tick.
    """
    target_title = title_for(current_sha)
    open_red = list_open_red_issues()
    closed = 0
    for issue in open_red:
        if issue.get("title") == target_title:
-            # Same SHA — caller should not have invoked this if main is
-            # green. Skip defensively.
-            continue
+            if not close_same_sha:
+                # Same SHA — caller should not have invoked this if main is
+                # green. Skip defensively (guards against green-path callers
+                # that accidentally pass the SHA they just filed for).
+                continue
+            # close_same_sha=True: close even this SHA's issue (recovery path)
        num = issue.get("number")
        if not isinstance(num, int):
            continue
@@ -699,6 +886,10 @@ def run_once(*, dry_run: bool = False) -> int:
                f"{sha[:10]} but HEAD is now {recheck_sha[:10]} on "
                f"{WATCH_BRANCH}; next cron tick will re-evaluate."
            )
+            # HEAD drifted — close any stale main-red issue for the prior SHA
+            # before returning, so we don't leave stale open issues when main
+            # is no longer pointing at the red commit.
+            close_open_red_issues_for_other_shas(recheck_sha, dry_run=dry_run)
            return 0

        recheck_status = get_combined_status(sha)
@@ -711,6 +902,9 @@ def run_once(*, dry_run: bool = False) -> int:
                f"{recheck_status.get('state')!r} on recheck; "
                f"initial red was a transient cancel-cascade."
            )
+            # CI recovered on the same SHA — close any stale main-red issue
+            # that was filed on a prior tick for this SHA.
+            close_open_red_issues_for_other_shas(sha, dry_run=dry_run, close_same_sha=True)
            return 0

        # Still red after settling — file/update. Use the recheck data
@@ -726,24 +920,68 @@ def run_once(*, dry_run: bool = False) -> int:
        print(f"::warning::main is RED at {sha[:10]} on {WATCH_BRANCH}: "
              f"{len(failed)} failed context(s)")
        file_or_update_red(sha, failed, debug, dry_run=dry_run)
+        stale_closed = close_stale_red_issues(sha, recheck_status, dry_run=dry_run)
+        if stale_closed:
+            emit_loki_event("main_red_stale_closed", sha, [])
+            print(
+                f"::notice::Closed {stale_closed} stale main-red issue(s) "
+                f"whose contexts recovered at {sha[:10]}"
+            )
    else:
-        # Green (or pending — pending is treated as not-red so we don't
-        # spam during the post-merge CI window). Close any stale issues
-        # from earlier SHAs only when we're actually green; pending
-        # means CI hasn't finished and the prior issue might still be
-        # accurate.
-        if status.get("state") == "success":
+        # Green or pending-with-no-real-failures. Close stale issues
+        # from earlier SHAs when required CI has recovered.
+        #
+        # mc#1789: main often sits at combined `pending` because
+        # scheduled/non-required contexts (Staging SaaS smoke,
+        # Continuous synthetic E2E, main-red-watchdog itself,
+        # ci-arm64-advisory) are still running. We close stale issues
+        # as long as no *non-scheduled* context has failed and no
+        # *non-scheduled* context is still pending — i.e. required CI
+        # is effectively green.
+        #
+        # The success-only gate is preserved for the canonical green
+        # path; the extended check below only fires when combined is
+        # `pending` but all required work is done.
+        combined_state = status.get("state")
+        if combined_state == "success":
+            should_close = True
+            close_reason = "GREEN"
+        else:
+            statuses = status.get("statuses") or []
+            non_scheduled_pending = [
+                s for s in statuses
+                if isinstance(s, dict)
+                and (_entry_state(s) == "pending")
+                and not _is_scheduled_context(s.get("context", ""))
+            ]
+            non_scheduled_failed = [
+                s for s in statuses
+                if isinstance(s, dict)
+                and (_entry_state(s) in {"failure", "error"})
+                and not _is_scheduled_context(s.get("context", ""))
+            ]
+            # Cancel-cascade already filtered by is_red(); red=False
+            # here means no real failures. We additionally check that
+            # no non-scheduled context is still pending.
+            should_close = not non_scheduled_pending and not non_scheduled_failed
+            close_reason = "pending-but-required-green"
+
+        if should_close:
            closed = close_open_red_issues_for_other_shas(sha, dry_run=dry_run)
            if closed:
                emit_loki_event(
                    "main_returned_to_green", sha,
                    [],
                )
-            print(f"::notice::main is GREEN at {sha[:10]} on {WATCH_BRANCH} "
-                  f"(closed {closed} stale issue(s))")
+            print(
+                f"::notice::main is {close_reason} at {sha[:10]} on {WATCH_BRANCH} "
+                f"(closed {closed} stale issue(s))"
+            )
        else:
-            print(f"::notice::main is PENDING at {sha[:10]} on {WATCH_BRANCH} "
-                  f"(combined state={status.get('state')!r}; no action)")
+            print(
+                f"::notice::main has pending-or-failed required CI at {sha[:10]} "
+                f"on {WATCH_BRANCH} (combined state={combined_state!r}; no action)"
+            )
    return 0


@@ -17,7 +17,6 @@ import urllib.error
 import urllib.request
 from urllib.parse import quote

-
 TRUE_VALUES = {"1", "true", "yes", "on", "disabled", "disable"}
 PROD_CP_URL = "https://api.moleculesai.app"
 DEFAULT_REQUIRED_CONTEXTS = [
@@ -12,6 +12,7 @@
 #   ≥ 1 review on the PR where:
 #     • state == APPROVED
 #     • review.dismissed == false
+#     • review.official != false (excludes draft/mis-filed APPROVED reviews)
 #     • review.user.login != PR.user.login (non-author)
 #     • review.user.login ∈ team-members
 #
@@ -201,6 +202,7 @@ fi
 JQ_FILTER='.[]
  | select(.state == "APPROVED")
  | select(.dismissed != true)
+  | select(.official != false)
  | select(.user.login != $author)'
 if [ "${REVIEW_CHECK_STRICT:-}" = "1" ]; then
  JQ_FILTER="${JQ_FILTER}
@@ -304,12 +306,15 @@ for U in $CANDIDATES; do
      exit 0
      ;;
    403)
-      # Token owner is not in the team being probed; the API refuses to
-      # confirm membership. This is the RFC#324 follow-up token-scope gap.
-      # Fail closed — never grant approval on a 403; surface clearly.
-      echo "::error::team-probe for ${U} in ${TEAM} returned 403 (token owner not in ${TEAM} team — RFC#324 token-scope follow-up). Cannot confirm membership; failing closed."
+      # Token owner is not in the team being probed; Gitea 1.22.6 refuses
+      # to confirm membership in this case. Do NOT hard-fail the gate on a
+      # 403 — doing so would fail the entire gate if ANY candidate triggers
+      # a 403, even when other valid team-members exist. Instead skip this
+      # candidate and continue checking others. If all candidates produce
+      # 403 (token owner can't query any of them) the final exit fires.
+      echo "::warning::team-probe for ${U} in ${TEAM} returned 403 (token owner not in ${TEAM} team — skipping; cannot confirm membership)"
      cat "$TEAM_PROBE_TMP" >&2
-      exit 1
+      continue
      ;;
    404)
      debug "${U} not a member of ${TEAM}"
@@ -338,7 +338,6 @@ def compute_ack_state(
    # Filter out self-acks and unknown slugs.
    ackers_per_slug: dict[str, list[str]] = {s: [] for s in items_by_slug}
    rejected_self: dict[str, list[str]] = {s: [] for s in items_by_slug}
-    rejected_unknown: dict[str, list[str]] = {s: [] for s in items_by_slug}
    pending_team_check: dict[str, list[str]] = {s: [] for s in items_by_slug}

    for (user, slug), kind in latest_directive.items():
@@ -637,8 +636,13 @@ def load_config(path: str) -> dict[str, Any]:
    dep by keeping the config shape constrained.
    """
    try:
+        # yaml is an optional dep; the canonical loader is used when available,
+        # but the SOP runs on runners that may not have PyYAML installed. The
+        # fallback _load_config_minimal covers the same config shape without
+        # requiring the dep, so the ignore is safe: if yaml loads, we use it;
+        # otherwise we fall back silently.
        import yaml  # type: ignore[import-not-found]
-        with open(path) as f:
+        with open(path, encoding="utf-8") as f:
            return yaml.safe_load(f)
    except ImportError:
        return _load_config_minimal(path)
@@ -652,13 +656,19 @@ def _load_config_minimal(path: str) -> dict[str, Any]:
    item map: scalars + lists of scalars. Does NOT support nested lists,
    YAML anchors, multi-doc, or flow style.
    """
-    with open(path) as f:
+    with open(path, encoding="utf-8") as f:
        lines = f.readlines()
    return _parse_minimal_yaml(lines)


-def _parse_minimal_yaml(lines: list[str]) -> dict[str, Any]:  # noqa: C901
-    """Hand-rolled subset parser. See _load_config_minimal docstring."""
+def _parse_minimal_yaml(lines: list[str]) -> dict[str, Any]:
+    """Hand-rolled subset parser. See _load_config_minimal docstring.
+
+    C901: function is necessarily long — it implements a finite-state YAML
+    subset (scalars, maps, lists of maps at fixed depth). No utility refactors
+    meaningfully reduce length without degrading readability. All branches
+    are exhaustively tested in test_parse_minimal_yaml.py.
+    """
    # Strip comments + blank lines but preserve indentation.
    cleaned: list[tuple[int, str]] = []
    for raw in lines:
@@ -842,7 +852,7 @@ def render_status(
 def get_tier_mode(pr: dict[str, Any], cfg: dict[str, Any]) -> str:
    """Read tier label, return 'hard' or 'soft' per cfg.tier_failure_mode."""
    labels = pr.get("labels") or []
-    tier_labels = [l.get("name", "") for l in labels if (l.get("name", "") or "").startswith("tier:")]
+    tier_labels = [label.get("name", "") for label in labels if (label.get("name", "") or "").startswith("tier:")]
    mode_map = cfg.get("tier_failure_mode") or {}
    default_mode = cfg.get("default_mode", "hard")
    for tl in tier_labels:
@@ -865,7 +875,7 @@ def is_high_risk(pr: dict[str, Any], cfg: dict[str, Any]) -> bool:
    Governance fix for internal#442 — closes the inconsistency between
    sop-tier-check (tier-aware) and sop-checklist (was tier-blind).
    """
-    label_set = {(l.get("name") or "") for l in (pr.get("labels") or [])}
+    label_set = {(label.get("name") or "") for label in (pr.get("labels") or [])}
    if "tier:high" in label_set:
        return True
    high_risk_labels = set(cfg.get("high_risk_labels") or [])
@@ -1016,14 +1026,14 @@ def main(argv: list[str] | None = None) -> int:
            tid = client.resolve_team_id(args.owner, tn)
            if tid is None:
                # Try the list endpoint as a fallback.
-                code, data = client._req(  # noqa: SLF001
+                code, data = client._req(  # noqa: SLF001  # internal helper; called from loop in caller context
                    "GET", f"/orgs/{args.owner}/teams"
                )
                if code == 200 and isinstance(data, list):
                    for t in data:
                        if t.get("name") == tn:
                            tid = t.get("id")
-                            client._team_id_cache[(args.owner, tn)] = tid  # noqa: SLF001
+                            client._team_id_cache[(args.owner, tn)] = tid  # noqa: SLF001  # internal write-through cache
                            break
            if tid is not None:
                team_ids.append(tid)
@@ -33,7 +33,7 @@ def scenario() -> str:
    p = os.path.join(STATE_DIR, "scenario")
    if not os.path.isfile(p):
        return "T1_success"
-    with open(p) as f:
+    with open(p, encoding="utf-8") as f:
        return f.read().strip()


@@ -33,7 +33,6 @@ import re
 import sys
 import urllib.parse

-
 STATE_DIR = os.environ.get("FIXTURE_STATE_DIR", "/tmp")


@@ -41,7 +40,7 @@ def scenario() -> str:
    p = os.path.join(STATE_DIR, "scenario")
    if not os.path.isfile(p):
        return "T1_pr_open"
-    with open(p) as f:
+    with open(p, encoding="utf-8") as f:
        return f.read().strip()


@@ -81,7 +80,7 @@ class Handler(http.server.BaseHTTPRequestHandler):
        # GET /repos/{owner}/{name}/pulls/{pr_number}
        m = re.match(r"^/api/v1/repos/([^/]+)/([^/]+)/pulls/(\d+)$", path)
        if m:
-            owner, name, pr_num = m.group(1), m.group(2), m.group(3)
+            pr_num = m.group(3)
            if sc == "T2_pr_closed":
                return self._json(200, {
                    "number": int(pr_num),
@@ -151,7 +150,7 @@ class Handler(http.server.BaseHTTPRequestHandler):
        # GET /teams/{team_id}/members/{username}
        m = re.match(r"^/api/v1/teams/(\d+)/members/([^/]+)$", path)
        if m:
-            team_id, login = m.group(1), m.group(2)
+            login = m.group(2)
            if sc == "T8_team_not_member":
                return self._empty(404)
            if sc == "T9_team_403":
@@ -0,0 +1,176 @@
+import importlib.util
+import sys
+from pathlib import Path
+from unittest.mock import patch
+
+SCRIPT = Path(__file__).resolve().parents[1] / "ci-required-drift.py"
+spec = importlib.util.spec_from_file_location("ci_required_drift", SCRIPT)
+drift = importlib.util.module_from_spec(spec)
+sys.modules[spec.name] = drift
+spec.loader.exec_module(drift)
+
+# Module-level constants are loaded from env at import time; set them
+# explicitly so unit tests can import without the full env contract.
+drift.SENTINEL_JOB = "all-required"
+drift.CI_WORKFLOW_PATH = ".gitea/workflows/ci.yml"
+drift.AUDIT_WORKFLOW_PATH = ".gitea/workflows/audit-force-merge.yml"
+
+
+# ---------------------------------------------------------------------------
+# Helper fixtures
+# ---------------------------------------------------------------------------
+
+def _make_ci_doc(jobs: dict) -> dict:
+    return {"jobs": jobs}
+
+
+def _make_audit_doc(required_checks: list[str]) -> dict:
+    return {
+        "jobs": {
+            "audit": {
+                "steps": [
+                    {"env": {"REQUIRED_CHECKS": "\n".join(required_checks)}}
+                ]
+            }
+        }
+    }
+
+
+# ---------------------------------------------------------------------------
+# sentinel_needs
+# ---------------------------------------------------------------------------
+
+def test_sentinel_needs_returns_empty_when_absent():
+    doc = _make_ci_doc({"all-required": {"runs-on": "ubuntu-latest"}})
+    assert drift.sentinel_needs(doc) == set()
+
+
+def test_sentinel_needs_parses_list():
+    doc = _make_ci_doc(
+        {"all-required": {"needs": ["platform-build", "canvas-build"]}}
+    )
+    assert drift.sentinel_needs(doc) == {"platform-build", "canvas-build"}
+
+
+def test_sentinel_needs_parses_string():
+    doc = _make_ci_doc({"all-required": {"needs": "platform-build"}})
+    assert drift.sentinel_needs(doc) == {"platform-build"}
+
+
+# ---------------------------------------------------------------------------
+# ci_job_names / ci_jobs_all
+# ---------------------------------------------------------------------------
+
+def test_ci_job_names_excludes_sentinel_and_event_gated():
+    doc = _make_ci_doc(
+        {
+            "platform-build": {},
+            "canvas-build": {"if": "github.event_name == 'pull_request'"},
+            "main-push": {"if": "github.ref == 'refs/heads/main'"},
+            "all-required": {},
+        }
+    )
+    assert drift.ci_job_names(doc) == {"platform-build"}
+
+
+def test_ci_jobs_all_includes_event_gated():
+    doc = _make_ci_doc(
+        {
+            "platform-build": {},
+            "canvas-build": {"if": "github.event_name == 'pull_request'"},
+            "all-required": {},
+        }
+    )
+    assert drift.ci_jobs_all(doc) == {"platform-build", "canvas-build"}
+
+
+# ---------------------------------------------------------------------------
+# detect_drift — F1 / F1b with mocked I/O
+# ---------------------------------------------------------------------------
+
+SAMPLE_PROTECTION = {
+    "status_check_contexts": [
+        "CI / all-required (pull_request)",
+        "Secret scan / Scan diff for credential-shaped strings (pull_request)",
+    ]
+}
+
+
+def test_detect_drift_no_needs_sentinel_skips_f1():
+    """Post-#1766 contract: all-required has no needs: → F1 is a false positive."""
+    ci = _make_ci_doc(
+        {
+            "platform-build": {},
+            "canvas-build": {},
+            "all-required": {},
+        }
+    )
+    audit = _make_audit_doc(
+        [
+            "CI / all-required (pull_request)",
+            "Secret scan / Scan diff for credential-shaped strings (pull_request)",
+        ]
+    )
+
+    with patch.object(drift, "load_yaml", side_effect=[ci, audit]):
+        with patch.object(drift, "api", return_value=(200, SAMPLE_PROTECTION)):
+            findings, debug = drift.detect_drift("main")
+
+    assert findings == []
+    assert debug["sentinel_needs"] == []
+
+
+def test_detect_drift_typo_in_needs_triggers_f1b():
+    """F1b still catches typos when needs exists."""
+    ci = _make_ci_doc(
+        {
+            "platform-build": {},
+            "all-required": {"needs": ["platfom-build"]},  # typo
+        }
+    )
+    audit = _make_audit_doc(["CI / all-required (pull_request)"])
+
+    with patch.object(drift, "load_yaml", side_effect=[ci, audit]):
+        with patch.object(drift, "api", return_value=(200, SAMPLE_PROTECTION)):
+            findings, _ = drift.detect_drift("main")
+
+    assert any("F1b" in f for f in findings)
+    assert any("platfom-build" in f for f in findings)
+
+
+def test_detect_drift_missing_job_in_needs_triggers_f1():
+    """F1 still fires when needs is non-empty and jobs are missing."""
+    ci = _make_ci_doc(
+        {
+            "platform-build": {},
+            "canvas-build": {},
+            "all-required": {"needs": ["platform-build"]},
+        }
+    )
+    audit = _make_audit_doc(["CI / all-required (pull_request)"])
+
+    with patch.object(drift, "load_yaml", side_effect=[ci, audit]):
+        with patch.object(drift, "api", return_value=(200, SAMPLE_PROTECTION)):
+            findings, _ = drift.detect_drift("main")
+
+    assert any("F1 —" in f for f in findings)
+    assert any("canvas-build" in f for f in findings)
+    assert not any("F1b" in f for f in findings)
+
+
+def test_detect_drift_no_f1_when_needs_empty_even_with_jobs():
+    """Explicit regression guard: empty needs + existing jobs = no F1."""
+    ci = _make_ci_doc(
+        {
+            "platform-build": {},
+            "canvas-build": {},
+            "all-required": {"needs": []},
+        }
+    )
+    audit = _make_audit_doc(["CI / all-required (pull_request)"])
+
+    with patch.object(drift, "load_yaml", side_effect=[ci, audit]):
+        with patch.object(drift, "api", return_value=(200, SAMPLE_PROTECTION)):
+            findings, _ = drift.detect_drift("main")
+
+    assert not any("F1 —" in f for f in findings)
@@ -2,7 +2,6 @@ import importlib.util
 import sys
 from pathlib import Path

-
 SCRIPT = Path(__file__).resolve().parents[1] / "gitea-merge-queue.py"
 spec = importlib.util.spec_from_file_location("gitea_merge_queue", SCRIPT)
 mq = importlib.util.module_from_spec(spec)
@@ -15,7 +15,6 @@ Mirrors the pattern in scripts/ops/test_check_migration_collisions.py
 from __future__ import annotations

 import importlib.util
-import os
 import sys
 import unittest
 from pathlib import Path
@@ -0,0 +1,283 @@
+import importlib.util
+import sys
+from pathlib import Path
+from unittest.mock import patch, MagicMock
+
+SCRIPT = Path(__file__).resolve().parents[1] / "main-red-watchdog.py"
+spec = importlib.util.spec_from_file_location("main_red_watchdog", SCRIPT)
+wd = importlib.util.module_from_spec(spec)
+sys.modules[spec.name] = wd
+spec.loader.exec_module(wd)
+
+# Module-level constants are loaded from env at import time; set them
+# explicitly so unit tests can import without the full env contract.
+wd.GITEA_TOKEN = "fake-token"
+wd.GITEA_HOST = "git.example.com"
+wd.REPO = "molecule-ai/molecule-core"
+wd.OWNER = "molecule-ai"
+wd.NAME = "molecule-core"
+wd.WATCH_BRANCH = "main"
+wd.RED_LABEL = "tier:high"
+wd.API = "https://git.example.com/api/v1"
+
+
+# ---------------------------------------------------------------------------
+# _is_scheduled_context
+# ---------------------------------------------------------------------------
+
+def test_is_scheduled_context_matches_staging_saas_smoke():
+    assert wd._is_scheduled_context("Staging SaaS smoke") is True
+
+
+def test_is_scheduled_context_matches_case_insensitive():
+    assert wd._is_scheduled_context("continuous synthetic e2e") is True
+
+
+def test_is_scheduled_context_no_match_for_required_ci():
+    assert wd._is_scheduled_context("CI / all-required") is False
+
+
+# ---------------------------------------------------------------------------
+# _entry_state
+# ---------------------------------------------------------------------------
+
+def test_entry_state_prefers_status_over_state():
+    """Gitea 1.22.6 per-entry key is `status`; `state` is fallback."""
+    assert wd._entry_state({"status": "failure", "state": "success"}) == "failure"
+
+
+def test_entry_state_falls_back_to_state():
+    assert wd._entry_state({"state": "pending"}) == "pending"
+
+
+def test_entry_state_empty_when_neither_key_present():
+    assert wd._entry_state({"context": "foo"}) == ""
+
+
+# ---------------------------------------------------------------------------
+# is_red
+# ---------------------------------------------------------------------------
+
+def test_is_red_combined_failure_no_statuses():
+    """Combined failure with empty statuses[] still trips red."""
+    red, failed = wd.is_red({"state": "failure", "statuses": []})
+    assert red is True
+    assert failed == []
+
+
+def test_is_red_cancel_cascade_filtered():
+    """status=3 (cancelled) mapped to failure string must be filtered."""
+    status = {
+        "state": "failure",
+        "statuses": [
+            {"context": "CI / build", "status": "failure", "description": "Has been cancelled"},
+        ],
+    }
+    red, failed = wd.is_red(status)
+    assert red is False
+    assert failed == []
+
+
+def test_is_red_real_failure_not_filtered():
+    """Real failures with different descriptions are kept."""
+    status = {
+        "state": "failure",
+        "statuses": [
+            {"context": "CI / build", "status": "failure", "description": "Failing after 12s"},
+        ],
+    }
+    red, failed = wd.is_red(status)
+    assert red is True
+    assert len(failed) == 1
+    assert failed[0]["context"] == "CI / build"
+
+
+def test_is_red_uses_entry_state_not_top_level_state():
+    """Regression: per-entry key is `status`, not `state`."""
+    status = {
+        "state": "failure",
+        "statuses": [
+            # Only `status` present; pre-rev4 code read `state` and got None
+            {"context": "CI / test", "status": "failure"},
+        ],
+    }
+    red, failed = wd.is_red(status)
+    assert red is True
+    assert len(failed) == 1
+
+
+# ---------------------------------------------------------------------------
+# list_open_red_issues — pagination (mc#1789)
+# ---------------------------------------------------------------------------
+
+def test_list_open_red_issues_exhausts_pagination():
+    """Backlog can exceed 50 issues; all pages must be fetched."""
+    calls = []
+
+    def fake_api(method, path, **kwargs):
+        calls.append((method, path, kwargs))
+        query = (kwargs.get("query") or {})
+        page = int(query.get("page", "1"))
+        limit = int(query.get("limit", "50"))
+        # Page 1 returns full limit; page 2 returns partial → break
+        if page == 1:
+            return 200, [
+                {"title": f"[main-red] molecule-ai/molecule-core: sha{i:04d}"}
+                for i in range(limit)
+            ]
+        if page == 2:
+            return 200, [
+                {"title": "[main-red] molecule-ai/molecule-core: extra1"},
+                {"title": "[main-red] molecule-ai/molecule-core: extra2"},
+                {"title": " unrelated issue "},  # filtered out
+            ]
+        return 200, []
+
+    with patch.object(wd, "api", side_effect=fake_api):
+        issues = wd.list_open_red_issues()
+
+    assert len(issues) == 52  # 50 + 2 matched
+    titles = {i["title"] for i in issues}
+    assert "[main-red] molecule-ai/molecule-core: extra1" in titles
+    assert "[main-red] molecule-ai/molecule-core: extra2" in titles
+
+
+def test_list_open_red_issues_single_page():
+    """When results < limit, loop breaks after first page."""
+    def fake_api(method, path, **kwargs):
+        return 200, [
+            {"title": "[main-red] molecule-ai/molecule-core: abc123"},
+        ]
+
+    with patch.object(wd, "api", side_effect=fake_api):
+        issues = wd.list_open_red_issues()
+
+    assert len(issues) == 1
+
+
+# ---------------------------------------------------------------------------
+# run_once — close logic (mc#1789)
+# ---------------------------------------------------------------------------
+
+def test_run_once_green_closes_stale_issues(monkeypatch):
+    """Combined success → close stale issues."""
+    monkeypatch.setattr(wd, "get_head_sha", lambda b: "abc123")
+    monkeypatch.setattr(wd, "get_combined_status", lambda s: {"state": "success", "statuses": []})
+    monkeypatch.setattr(wd, "is_red", lambda s: (False, []))
+
+    closed = []
+
+    def capture_close(current_sha, *, dry_run=False, close_same_sha=False):
+        closed.append(current_sha)
+        return 1
+
+    monkeypatch.setattr(wd, "close_open_red_issues_for_other_shas", capture_close)
+    monkeypatch.setattr(wd, "emit_loki_event", lambda *a, **k: None)
+
+    assert wd.run_once(dry_run=True) == 0
+    assert closed == ["abc123"]
+
+
+def test_run_once_pending_scheduled_only_closes_stale_issues(monkeypatch):
+    """Combined pending, but only scheduled contexts pending → close stale."""
+    monkeypatch.setattr(wd, "get_head_sha", lambda b: "abc123")
+    monkeypatch.setattr(
+        wd, "get_combined_status",
+        lambda s: {
+            "state": "pending",
+            "statuses": [
+                {"context": "CI / all-required", "status": "success"},
+                {"context": "Staging SaaS smoke", "status": "pending"},
+            ],
+        }
+    )
+    monkeypatch.setattr(wd, "is_red", lambda s: (False, []))
+
+    closed = []
+
+    def capture_close(current_sha, *, dry_run=False, close_same_sha=False):
+        closed.append(current_sha)
+        return 1
+
+    monkeypatch.setattr(wd, "close_open_red_issues_for_other_shas", capture_close)
+    monkeypatch.setattr(wd, "emit_loki_event", lambda *a, **k: None)
+
+    assert wd.run_once(dry_run=True) == 0
+    assert closed == ["abc123"]
+
+
+def test_run_once_pending_required_does_not_close(monkeypatch):
+    """Combined pending with a real required context still pending → no close."""
+    monkeypatch.setattr(wd, "get_head_sha", lambda b: "abc123")
+    monkeypatch.setattr(
+        wd, "get_combined_status",
+        lambda s: {
+            "state": "pending",
+            "statuses": [
+                {"context": "CI / all-required", "status": "pending"},
+                {"context": "Staging SaaS smoke", "status": "success"},
+            ],
+        }
+    )
+    monkeypatch.setattr(wd, "is_red", lambda s: (False, []))
+
+    closed = []
+
+    def capture_close(current_sha, *, dry_run=False, close_same_sha=False):
+        closed.append(current_sha)
+        return 0
+
+    monkeypatch.setattr(wd, "close_open_red_issues_for_other_shas", capture_close)
+    monkeypatch.setattr(wd, "emit_loki_event", lambda *a, **k: None)
+
+    assert wd.run_once(dry_run=True) == 0
+    assert closed == []
+
+
+def test_run_once_failure_does_not_close(monkeypatch):
+    """Real failure in non-scheduled context → no close."""
+    monkeypatch.setattr(wd, "get_head_sha", lambda b: "abc123")
+    monkeypatch.setattr(
+        wd, "get_combined_status",
+        lambda s: {
+            "state": "failure",
+            "statuses": [
+                {"context": "CI / all-required", "status": "failure"},
+            ],
+        }
+    )
+    # is_red will return True, so we enter the red path, not the green close path
+    monkeypatch.setattr(wd, "is_red", lambda s: (True, s.get("statuses", [])))
+    monkeypatch.setattr(wd, "time", MagicMock(sleep=lambda x: None))
+    monkeypatch.setattr(wd, "emit_loki_event", lambda *a, **k: None)
+
+    filed = []
+
+    def capture_file(sha, failed, debug, *, dry_run=False):
+        filed.append(sha)
+
+    monkeypatch.setattr(wd, "file_or_update_red", capture_file)
+    monkeypatch.setattr(wd, "close_open_red_issues_for_other_shas", lambda *a, **k: 0)
+    monkeypatch.setattr(wd, "close_stale_red_issues", lambda *a, **k: 0)
+
+    assert wd.run_once(dry_run=True) == 0
+    assert filed == ["abc123"]
+
+
+# ---------------------------------------------------------------------------
+# title_for / find_open_issue_for_sha
+# ---------------------------------------------------------------------------
+
+def test_title_for_uses_short_sha():
+    assert wd.title_for("abcdef123456") == "[main-red] molecule-ai/molecule-core: abcdef1234"
+
+
+def test_find_open_issue_for_sha_matches_exact_title(monkeypatch):
+    fake_issue = {"title": "[main-red] molecule-ai/molecule-core: abc1234567", "number": 42}
+    monkeypatch.setattr(wd, "list_open_red_issues", lambda: [fake_issue])
+    assert wd.find_open_issue_for_sha("abc1234567") == fake_issue
+
+
+def test_find_open_issue_for_sha_returns_none_when_no_match(monkeypatch):
+    monkeypatch.setattr(wd, "list_open_red_issues", lambda: [])
+    assert wd.find_open_issue_for_sha("abc123") is None
@@ -22,7 +22,6 @@ from __future__ import annotations

 import os
 import sys
-import tempfile
 import unittest

 # Resolve sibling script regardless of where pytest is invoked from.
@@ -54,5 +54,6 @@ jobs:
          # read-only by design (least-privilege).
          REQUIRED_CHECKS: |
            CI / all-required (pull_request)
-            sop-checklist / all-items-acked (pull_request)
+            E2E API Smoke Test / E2E API Smoke Test (pull_request)
+            Handlers Postgres Integration / Handlers Postgres Integration (pull_request)
        run: bash .gitea/scripts/audit-force-merge.sh
@@ -164,12 +164,20 @@ jobs:
        # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
        continue-on-error: true
      - if: ${{ needs.changes.outputs.platform == 'true' }}
-        name: Run tests with race detection and coverage
-        # Explicit timeout: cold runner cache causes OOM kills at ~4m39s on the
-        # full ./... suite with race detection + coverage. A 10m per-step timeout
-        # lets the suite complete on cold cache (~5-7m) while failing cleanly
-        # instead of OOM-killing. The job-level timeout (15m) is a backstop.
-        run: go test -race -timeout 10m -coverprofile=coverage.out ./...
+        name: Run tests with coverage (blocking gate)
+        # Removed -race from the blocking gate per #1184: cold runners
+        # take 13-25 min to compile with race instrumentation, exceeding
+        # the 10m step timeout and causing false failures. Race detection
+        # now runs as a non-blocking advisory step below.
+        run: go test -timeout 10m -coverprofile=coverage.out ./...
+
+      - if: ${{ needs.changes.outputs.platform == 'true' }}
+        name: Race detection (advisory, non-blocking)
+        # mc#1184: runs race detector as an advisory check so cold-runner
+        # compile-time spikes don't block merges. Failures here surface in
+        # the run log but do not fail the build.
+        run: go test -race -timeout 10m ./...
+        continue-on-error: true

      - if: ${{ needs.changes.outputs.platform == 'true' }}
        name: Per-file coverage report
@@ -0,0 +1,242 @@
+name: E2E Legacy Advisory
+
+# Advisory lane for older/manual E2E scripts that are too broad or
+# environment-dependent for required PR CI. This intentionally does not run on
+# pull_request or push so it cannot block merges/deploys; scheduled/manual reds
+# still surface drift in scripts that would otherwise only be shellchecked.
+#
+# Gitea 1.22.6 rejects workflow_dispatch.inputs, so keep dispatch input-free.
+
+on:
+  schedule:
+    # Stagger after the staging smoke/canvas morning lanes.
+    - cron: '15 9 * * *'
+  workflow_dispatch:
+
+concurrency:
+  group: e2e-legacy-advisory
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+
+env:
+  GITHUB_SERVER_URL: https://git.moleculesai.app
+
+jobs:
+  legacy-local-platform:
+    name: Legacy local-platform E2E
+    runs-on: docker-host
+    timeout-minutes: 45
+    env:
+      PG_CONTAINER: pg-e2e-legacy-${{ github.run_id }}-${{ github.run_attempt }}
+      REDIS_CONTAINER: redis-e2e-legacy-${{ github.run_id }}-${{ github.run_attempt }}
+      MOLECULE_ENV: development
+      BIND_ADDR: 127.0.0.1
+      MOLECULE_IN_DOCKER: "false"
+      A2A_TIMEOUT: "30"
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version: 'stable'
+          cache: true
+          cache-dependency-path: workspace-server/go.sum
+
+      - name: Prepare local platform dependencies
+        run: |
+          set -euo pipefail
+          docker pull postgres:16 >/dev/null
+          docker pull redis:7 >/dev/null
+          docker pull alpine:latest >/dev/null
+          docker network create molecule-core-net >/dev/null 2>&1 || true
+
+      - name: Start Postgres
+        run: |
+          set -euo pipefail
+          docker rm -f "$PG_CONTAINER" 2>/dev/null || true
+          docker run -d --name "$PG_CONTAINER" \
+            -e POSTGRES_USER=dev -e POSTGRES_PASSWORD=dev -e POSTGRES_DB=molecule \
+            -p 0:5432 postgres:16 >/dev/null
+          PG_PORT=$(docker port "$PG_CONTAINER" 5432/tcp | awk -F: '/^0\.0\.0\.0:/ {print $2; exit}')
+          if [ -z "$PG_PORT" ]; then
+            PG_PORT=$(docker port "$PG_CONTAINER" 5432/tcp | head -1 | awk -F: '{print $NF}')
+          fi
+          if [ -z "$PG_PORT" ]; then
+            echo "::error::Could not resolve host port for $PG_CONTAINER"
+            docker port "$PG_CONTAINER" 5432/tcp || true
+            docker logs "$PG_CONTAINER" || true
+            exit 1
+          fi
+          echo "DATABASE_URL=postgres://dev:dev@127.0.0.1:${PG_PORT}/molecule?sslmode=disable" >> "$GITHUB_ENV"
+          for i in $(seq 1 30); do
+            docker exec "$PG_CONTAINER" pg_isready -U dev >/dev/null 2>&1 && exit 0
+            sleep 1
+          done
+          docker logs "$PG_CONTAINER" || true
+          exit 1
+
+      - name: Start Redis
+        run: |
+          set -euo pipefail
+          docker rm -f "$REDIS_CONTAINER" 2>/dev/null || true
+          docker run -d --name "$REDIS_CONTAINER" -p 0:6379 redis:7 >/dev/null
+          REDIS_PORT=$(docker port "$REDIS_CONTAINER" 6379/tcp | awk -F: '/^0\.0\.0\.0:/ {print $2; exit}')
+          if [ -z "$REDIS_PORT" ]; then
+            REDIS_PORT=$(docker port "$REDIS_CONTAINER" 6379/tcp | head -1 | awk -F: '{print $NF}')
+          fi
+          if [ -z "$REDIS_PORT" ]; then
+            echo "::error::Could not resolve host port for $REDIS_CONTAINER"
+            docker port "$REDIS_CONTAINER" 6379/tcp || true
+            docker logs "$REDIS_CONTAINER" || true
+            exit 1
+          fi
+          echo "REDIS_URL=redis://127.0.0.1:${REDIS_PORT}" >> "$GITHUB_ENV"
+          for i in $(seq 1 15); do
+            docker exec "$REDIS_CONTAINER" redis-cli ping 2>/dev/null | grep -q PONG && exit 0
+            sleep 1
+          done
+          docker logs "$REDIS_CONTAINER" || true
+          exit 1
+
+      - name: Pick platform port
+        run: |
+          set -euo pipefail
+          PLATFORM_PORT=$(python3 - <<'PY'
+          import socket
+          with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
+              s.bind(("127.0.0.1", 0))
+              print(s.getsockname()[1])
+          PY
+          )
+          echo "PORT=${PLATFORM_PORT}" >> "$GITHUB_ENV"
+          echo "BASE=http://127.0.0.1:${PLATFORM_PORT}" >> "$GITHUB_ENV"
+
+      - name: Build platform
+        working-directory: workspace-server
+        run: go build -o platform-server ./cmd/server
+
+      - name: Populate template manifests for dev-mode E2E
+        run: |
+          set -euo pipefail
+          if command -v jq >/dev/null 2>&1; then
+            bash scripts/clone-manifest.sh manifest.json workspace-configs-templates org-templates plugins
+          else
+            echo "::warning::jq unavailable; dev-mode template assertion may fail if templates are absent"
+          fi
+
+      - name: Start platform
+        run: |
+          set -euo pipefail
+          ./workspace-server/platform-server > workspace-server/platform.log 2>&1 &
+          echo $! > workspace-server/platform.pid
+          for i in $(seq 1 30); do
+            curl -sf "$BASE/health" >/dev/null && exit 0
+            sleep 1
+          done
+          cat workspace-server/platform.log || true
+          exit 1
+
+      - name: Run comprehensive E2E
+        run: bash tests/e2e/test_comprehensive_e2e.sh
+
+      - name: Run workspace abilities E2E
+        run: bash tests/e2e/test_workspace_abilities_e2e.sh
+
+      - name: Run dev-mode E2E
+        run: bash tests/e2e/test_dev_mode.sh
+
+      - name: Start stub A2A agents
+        run: |
+          set -euo pipefail
+          cat > /tmp/molecule-stub-a2a.py <<'PY'
+          import json
+          from http.server import BaseHTTPRequestHandler, HTTPServer
+
+          class Handler(BaseHTTPRequestHandler):
+              def do_POST(self):
+                  length = int(self.headers.get("content-length", "0"))
+                  raw = self.rfile.read(length) if length else b"{}"
+                  try:
+                      req = json.loads(raw)
+                  except Exception:
+                      req = {}
+                  method = req.get("method")
+                  if method not in ("message/send", None):
+                      body = {"jsonrpc": "2.0", "id": req.get("id"), "error": {"code": -32601, "message": "method not found"}}
+                  else:
+                      body = {
+                          "jsonrpc": "2.0",
+                          "id": req.get("id", "stub"),
+                          "result": {
+                              "role": "agent",
+                              "parts": [{"kind": "text", "type": "text", "text": "stub agent response"}],
+                          },
+                      }
+                  data = json.dumps(body, separators=(",", ":")).encode()
+                  self.send_response(200)
+                  self.send_header("content-type", "application/json")
+                  self.send_header("content-length", str(len(data)))
+                  self.end_headers()
+                  self.wfile.write(data)
+              def log_message(self, *_):
+                  return
+
+          HTTPServer(("127.0.0.1", 18080), Handler).serve_forever()
+          PY
+          python3 /tmp/molecule-stub-a2a.py > /tmp/molecule-stub-a2a.log 2>&1 &
+          echo $! > /tmp/molecule-stub-a2a.pid
+
+      - name: Seed external agents for legacy A2A/activity scripts
+        run: |
+          set -euo pipefail
+          create_agent() {
+            local name="$1" role="$2"
+            curl -sS -X POST "$BASE/workspaces" \
+              -H "Content-Type: application/json" \
+              -d "{\"name\":\"${name}\",\"role\":\"${role}\",\"tier\":1,\"runtime\":\"external\",\"external\":true,\"url\":\"http://127.0.0.1:18080\"}" \
+              | python3 -c "import json,sys; print(json.load(sys.stdin)['id'])"
+          }
+          ECHO_ID=$(create_agent "Echo Agent" "Echo")
+          SEO_ID=$(create_agent "SEO Agent" "SEO")
+          curl -sS -X POST "$BASE/registry/register" -H "Content-Type: application/json" \
+            -d "{\"id\":\"$ECHO_ID\",\"url\":\"http://127.0.0.1:18080\",\"agent_card\":{\"name\":\"Echo Agent\",\"skills\":[{\"id\":\"echo\",\"name\":\"Echo\"}]}}" >/dev/null
+          curl -sS -X POST "$BASE/registry/register" -H "Content-Type: application/json" \
+            -d "{\"id\":\"$SEO_ID\",\"url\":\"http://127.0.0.1:18080\",\"agent_card\":{\"name\":\"SEO Agent\",\"skills\":[{\"id\":\"seo\",\"name\":\"SEO\"}]}}" >/dev/null
+
+      - name: Run activity E2E
+        run: bash tests/e2e/test_activity_e2e.sh
+
+      - name: Run A2A E2E
+        run: bash tests/e2e/test_a2a_e2e.sh
+
+      - name: Runtime-dependent legacy E2E preflight
+        run: |
+          set -euo pipefail
+          if [ -f workspace-configs-templates/claude-code-default/.auth-token ] && docker image inspect workspace:latest >/dev/null 2>&1; then
+            bash tests/e2e/test_claude_code_e2e.sh
+            bash tests/e2e/test_chat_upload_e2e.sh
+          else
+            echo "::notice::Skipping test_claude_code_e2e.sh and test_chat_upload_e2e.sh: require workspace:latest plus workspace-configs-templates/claude-code-default/.auth-token"
+          fi
+
+      - name: Dump platform log on failure
+        if: failure()
+        run: cat workspace-server/platform.log || true
+
+      - name: Stop platform and stub agents
+        if: always()
+        run: |
+          if [ -f workspace-server/platform.pid ]; then
+            kill "$(cat workspace-server/platform.pid)" 2>/dev/null || true
+          fi
+          if [ -f /tmp/molecule-stub-a2a.pid ]; then
+            kill "$(cat /tmp/molecule-stub-a2a.pid)" 2>/dev/null || true
+          fi
+
+      - name: Stop service containers
+        if: always()
+        run: |
+          docker rm -f "$PG_CONTAINER" 2>/dev/null || true
+          docker rm -f "$REDIS_CONTAINER" 2>/dev/null || true
@@ -7,10 +7,11 @@
 #   PR_NUMBER  — set via ${{ github.event.pull_request.number }} from the trigger
 #   POST_COMMENT — "true" to post/update comment on PR
 #
-# Gating logic (MVP signals 1,2,3,6):
+# Gating logic (MVP signals 1,2,3,4,6):
 #   1. Author-aware agent-tag comment scan
 #   2. REQUEST_CHANGES reviews state machine
 #   3. Staleness detection (SOP-12: review.commit_id != PR.head_sha + >1 working day)
+#   4. Branch divergence / scope-creep guard (base-sha vs target HEAD; mc#365)
 #   6. CI required-checks awareness
 #
 # Exit code: 0=CLEAR, 1=BLOCKED, 2=ERROR
@@ -3,11 +3,26 @@ name: Lint shellcheck (arm64 pilot)
 # Mac-CI dual-track pilot (#233). ADDITIVE / NOT REQUIRED.
 #
 # Validates the arm64 self-hosted lane (no docker.sock, no privileged
-# ops) before any required gate moves onto it. Until a Mac arm64 runner
-# is registered with the `arm64` label, this workflow sits PENDING —
-# that is FINE: `arm64` is NOT in branch_protections required contexts.
+# ops) before any required gate moves onto it.
 #
-# Pairs with internal#543 (RFC: Mac arm64 multi-arch runner-base).
+# Runner label mapping (2026-05-22 fix): the actual Mac mini runner
+# registered in this Gitea ships labels
+#   ["self-hosted","macos-self-hosted-arm64","arm64-darwin"]
+# — no plain `arm64`. The earlier `runs-on: [self-hosted, arm64]`
+# could not match any registered runner so every fire of this workflow
+# was assigned task_id=0 / runner_id=NULL → Gitea cancelled it. The
+# rows showed up as Cancelled in the action status feed (not Failed)
+# but the lane never actually ran. Workflow now selects on
+# `arm64-darwin` which is the canonical Mac-arm64 label per the
+# Mac mini's registration (per internal#494 capability-honest labels).
+#
+# If we later want to add a Linux-arm64 runner to the same lane, add
+# both labels to that runner's registration AND broaden the selector
+# here — don't rename `arm64-darwin` (it's Mac-specific by design and
+# `feedback_pc2_runner_labels_must_stay_narrow` rule applies).
+#
+# Pairs with internal#543 (RFC: Mac arm64 multi-arch runner-base) and
+# internal#494 (multi-arch runner-base capability-honest labels).
 # No paths: filter on purpose (feedback_path_filtered_workflow_cant_be_required).

 on:
@@ -82,7 +97,15 @@ jobs:
            echo "WARN: shellcheck binary not found — skipping (pilot mode)"
            exit 0
          fi
-          mapfile -t TARGETS < <(find .gitea/scripts -maxdepth 2 -type f -name '*.sh' | sort)
+          # NOTE: macOS ships Bash 3.2 (Apple license), no `mapfile`
+          # (Bash 4+ builtin). Mac mini runner empirically failed at
+          # `mapfile: command not found` (run 79275 / task 145654).
+          # Use the portable `while read` pattern instead — works on
+          # both Bash 3.2 (macOS) and Bash 4+ (Linux).
+          TARGETS=()
+          while IFS= read -r f; do
+            TARGETS+=("$f")
+          done < <(find .gitea/scripts -maxdepth 2 -type f -name '*.sh' | sort)
          if [ "${#TARGETS[@]}" -eq 0 ]; then
            echo "No .sh files found under .gitea/scripts — nothing to check"
            exit 0
@@ -239,12 +239,13 @@ jobs:
    # Publish/release lane (internal#462) — production deploy of a merged
    # fix; reserved capacity, never queued behind PR-CI.
    runs-on: publish
-    timeout-minutes: 75
+    timeout-minutes: 90
    env:
      CP_URL: ${{ vars.PROD_CP_URL || 'https://api.moleculesai.app' }}
      CP_ADMIN_API_TOKEN: ${{ secrets.CP_ADMIN_API_TOKEN }}
      GITEA_HOST: git.moleculesai.app
      GITEA_TOKEN: ${{ secrets.PROD_AUTO_DEPLOY_CONTROL_TOKEN || secrets.AUTO_SYNC_TOKEN }}
+      CI_STATUS_TIMEOUT_SECONDS: "3600"
      PROD_AUTO_DEPLOY_DISABLED: ${{ vars.PROD_AUTO_DEPLOY_DISABLED || secrets.PROD_AUTO_DEPLOY_DISABLED || '' }}
      PROD_AUTO_DEPLOY_CANARY_SLUG: ${{ vars.PROD_AUTO_DEPLOY_CANARY_SLUG || 'hongming' }}
      PROD_AUTO_DEPLOY_SOAK_SECONDS: ${{ vars.PROD_AUTO_DEPLOY_SOAK_SECONDS || '60' }}
@@ -46,6 +46,18 @@

 ---

+## Quick Start
+
+```bash
+git clone https://git.moleculesai.app/molecule-ai/molecule-monorepo.git
+cd molecule-monorepo
+./scripts/dev-start.sh
+```
+
+Then open [http://localhost:3000](http://localhost:3000), add your model API key in **Config → Secrets & API Keys → Global**, and create a workspace from a template.
+
+See the full [Quickstart Guide](./docs/quickstart.md) for prerequisites, manual setup, and troubleshooting.
+
 ## The Pitch

 Molecule AI is the most powerful way to govern an AI agent organization in production.
@@ -5,6 +5,13 @@ import * as Dialog from "@radix-ui/react-dialog";
 import { api } from "@/lib/api";
 import { isSaaSTenant } from "@/lib/tenant";
 import { ExternalConnectModal, type ExternalConnectionInfo } from "./ExternalConnectModal";
+import {
+  ProviderModelSelector,
+  buildProviderCatalog,
+  findProviderForModel,
+  type SelectorModel,
+  type SelectorValue,
+} from "./ProviderModelSelector";

 interface WorkspaceOption {
  id: string;
@@ -22,96 +29,29 @@ interface TemplateSpec {
  id: string;
  name?: string;
  runtime?: string;
+  model?: string;
+  models?: SelectorModel[];
  providers?: string[];
 }

-interface HermesProvider {
-  id: string;
-  label: string;
-  envVar: string;
-  defaultModel: string;
-  models: string[];
-}
-
-type LLMAuthMode = "platform" | "api_key" | "oauth";
-
-interface NativeLLMProvider {
-  id: string;
-  label: string;
-  envVar?: string;
-  defaultModel: string;
-  models: string[];
-  authModes: LLMAuthMode[];
-}
-
-export const NATIVE_LLM_PROVIDERS: NativeLLMProvider[] = [
-  {
-    id: "minimax",
-    label: "MiniMax",
-    envVar: "MINIMAX_API_KEY",
-    defaultModel: "MiniMax-M2.7",
-    models: ["MiniMax-M2.7", "MiniMax-M2.7-highspeed", "MiniMax-M2.5"],
-    authModes: ["platform", "api_key"],
-  },
-  {
-    id: "kimi-coding",
-    label: "Kimi",
-    envVar: "KIMI_API_KEY",
-    defaultModel: "kimi-for-coding",
-    models: ["kimi-for-coding", "kimi-k2.5", "kimi-k2"],
-    authModes: ["platform", "api_key"],
-  },
-  {
-    id: "anthropic",
-    label: "Anthropic",
-    envVar: "ANTHROPIC_API_KEY",
-    defaultModel: "claude-sonnet-4-6",
-    models: ["claude-sonnet-4-6", "claude-opus-4-7", "claude-haiku-4-5"],
-    authModes: ["platform", "api_key"],
-  },
-  {
-    id: "anthropic-oauth",
-    label: "Claude OAuth",
-    envVar: "CLAUDE_CODE_OAUTH_TOKEN",
-    defaultModel: "sonnet",
-    models: ["sonnet", "opus", "haiku"],
-    authModes: ["oauth"],
-  },
+const DEFAULT_RUNTIME = "claude-code";
+const RUNTIME_OPTIONS = [
+  { value: "claude-code", label: "Claude Code" },
+  { value: "codex", label: "OpenAI Codex CLI" },
+  { value: "hermes", label: "Hermes" },
+  { value: "openclaw", label: "OpenClaw" },
 ];
+const BASE_RUNTIME_TEMPLATE_IDS = new Set(["claude-code-default", "codex", "hermes", "openclaw"]);
 const DEFAULT_HEADLESS_INSTANCE_TYPE = "t3.medium";
 const DEFAULT_HEADLESS_ROOT_GB = 30;
 const DEFAULT_DISPLAY_INSTANCE_TYPE = "t3.xlarge";
 const DEFAULT_DISPLAY_ROOT_GB = 80;

-// All providers supported by Hermes runtime via providers.resolve_provider().
-// `defaultModel` is the slug injected into the workspace provision request
-// when the user picks this provider — template-hermes's derive-provider.sh
-// maps the prefix back to the provider name at install time, so this is
-// the canonical handshake. `models` are additional suggestions surfaced in
-// the datalist so the user can pick a different size without typing the
-// whole slug.
-export const HERMES_PROVIDERS: HermesProvider[] = [
-  { id: "anthropic",  label: "Anthropic (Claude)",    envVar: "ANTHROPIC_API_KEY",  defaultModel: "anthropic/claude-sonnet-4-5",   models: ["anthropic/claude-opus-4-5", "anthropic/claude-sonnet-4-5", "anthropic/claude-haiku-4-5"] },
-  { id: "openai",     label: "OpenAI",                envVar: "OPENAI_API_KEY",     defaultModel: "openai/gpt-4o",                 models: ["openai/gpt-4o", "openai/gpt-4o-mini", "openai/o3-mini"] },
-  { id: "openrouter", label: "OpenRouter",            envVar: "OPENROUTER_API_KEY", defaultModel: "openrouter/auto",               models: ["openrouter/auto", "openrouter/anthropic/claude-sonnet-4", "openrouter/meta-llama/llama-3.3-70b"] },
-  { id: "xai",        label: "xAI (Grok)",            envVar: "XAI_API_KEY",        defaultModel: "xai/grok-4",                    models: ["xai/grok-4", "xai/grok-4-mini"] },
-  { id: "gemini",     label: "Google Gemini",         envVar: "GEMINI_API_KEY",     defaultModel: "gemini/gemini-2.5-pro",         models: ["gemini/gemini-2.5-pro", "gemini/gemini-2.5-flash"] },
-  { id: "qwen",       label: "Qwen (Alibaba)",        envVar: "QWEN_API_KEY",       defaultModel: "alibaba/qwen3-max",             models: ["alibaba/qwen3-max", "alibaba/qwen3-coder"] },
-  { id: "glm",        label: "GLM (Zhipu AI)",        envVar: "GLM_API_KEY",        defaultModel: "zai/glm-4.6",                   models: ["zai/glm-4.6", "zai/glm-4.5-air"] },
-  { id: "kimi",       label: "Kimi (Moonshot)",       envVar: "KIMI_API_KEY",       defaultModel: "kimi-coding/kimi-k2",           models: ["kimi-coding/kimi-k2", "kimi-coding/kimi-k1.5"] },
-  { id: "minimax",    label: "MiniMax",               envVar: "MINIMAX_API_KEY",    defaultModel: "minimax/MiniMax-M2.7",          models: ["minimax/MiniMax-M2.7", "minimax/MiniMax-M2.7-highspeed", "minimax/MiniMax-M1"] },
-  { id: "deepseek",   label: "DeepSeek",              envVar: "DEEPSEEK_API_KEY",   defaultModel: "deepseek/deepseek-chat",        models: ["deepseek/deepseek-chat", "deepseek/deepseek-reasoner"] },
-  { id: "groq",       label: "Groq",                  envVar: "GROQ_API_KEY",       defaultModel: "openrouter/groq/llama-3.3-70b", models: ["openrouter/groq/llama-3.3-70b"] },
-  { id: "mistral",    label: "Mistral",               envVar: "MISTRAL_API_KEY",    defaultModel: "openrouter/mistralai/mistral-large", models: ["openrouter/mistralai/mistral-large"] },
-  { id: "together",   label: "Together AI",           envVar: "TOGETHER_API_KEY",   defaultModel: "openrouter/meta-llama/llama-3.3-70b", models: ["openrouter/meta-llama/llama-3.3-70b"] },
-  { id: "fireworks",  label: "Fireworks AI",          envVar: "FIREWORKS_API_KEY",  defaultModel: "openrouter/meta-llama/llama-3.3-70b", models: ["openrouter/meta-llama/llama-3.3-70b"] },
-  { id: "hermes",     label: "Hermes / Nous (legacy)", envVar: "HERMES_API_KEY",    defaultModel: "nousresearch/Hermes-3-Llama-3.1-405B", models: ["nousresearch/Hermes-3-Llama-3.1-405B", "nousresearch/Hermes-4-14B"] },
-];
-
 export function CreateWorkspaceButton() {
  const [open, setOpen] = useState(false);
  const [name, setName] = useState("");
  const [role, setRole] = useState("");
+  const [runtime, setRuntime] = useState(DEFAULT_RUNTIME);
  const [template, setTemplate] = useState("");
  const [parentId, setParentId] = useState("");
  const [budgetLimit, setBudgetLimit] = useState("");
@@ -126,32 +66,22 @@ export function CreateWorkspaceButton() {
  // filter below. Same data source ConfigTab uses (PR #2454). When the
  // selected template declares `runtime_config.providers` in its
  // config.yaml, the modal surfaces only those providers in the
-  // <select>. Empty/missing list falls back to the full HERMES_PROVIDERS
-  // catalog so older templates without the field keep working.
+  // <select>. Provider/model options are derived from template models.
  const [templateSpecs, setTemplateSpecs] = useState<TemplateSpec[]>([]);
  // External-runtime path: skip docker provision, mint a workspace_auth_token,
  // and surface the connection snippet in a modal after create. When
-  // isExternal is true the template / model / hermes-provider fields are
-  // hidden (they're meaningless for BYO-compute agents).
+  // isExternal is true the template and model fields are hidden (they're
+  // meaningless for BYO-compute agents).
  const [isExternal, setIsExternal] = useState(false);
  const [externalRuntime, setExternalRuntime] = useState("external");
  const [externalConnection, setExternalConnection] =
    useState<ExternalConnectionInfo | null>(null);

-  // Hermes-specific state
-  const [hermesProvider, setHermesProvider] = useState("anthropic");
-  const [hermesApiKey, setHermesApiKey] = useState("");
-  // Model slug is sent to CP as `model` and plumbed to the workspace EC2
-  // as HERMES_DEFAULT_MODEL env var. template-hermes's derive-provider.sh
-  // reads the prefix (`minimax/…`, `anthropic/…`) to set
-  // HERMES_INFERENCE_PROVIDER at install time. Missing model → provider
-  // falls back to "auto" and hermes picks its compiled-in default
-  // (Anthropic), which 401s if the user's key is for a different
-  // provider. Hence: require model when template=hermes.
-  const [hermesModel, setHermesModel] = useState("");
-  const [llmAuthMode, setLLMAuthMode] = useState<LLMAuthMode>("platform");
-  const [llmProvider, setLLMProvider] = useState("minimax");
-  const [llmModel, setLLMModel] = useState("MiniMax-M2.7");
+  const [llmSelection, setLLMSelection] = useState<SelectorValue>({
+    providerId: "",
+    model: "",
+    envVars: [],
+  });
  const [llmSecret, setLLMSecret] = useState("");

  // Tier picker: on SaaS every workspace gets its own EC2 VM (Full Access
@@ -208,93 +138,65 @@ export function CreateWorkspaceButton() {
    []
  );

-  const isHermes = template.trim().toLowerCase() === "hermes";
-  const nativeLLMProviders = useMemo(
-    () => NATIVE_LLM_PROVIDERS.filter((p) => p.authModes.includes(llmAuthMode)),
-    [llmAuthMode],
-  );
-  const selectedNativeProvider = useMemo(
-    () => nativeLLMProviders.find((p) => p.id === llmProvider) ?? nativeLLMProviders[0],
-    [llmProvider, nativeLLMProviders],
-  );
+  const handleRuntimeChange = useCallback((nextRuntime: string) => {
+    setRuntime(nextRuntime);
+    setTemplate("");
+    setLLMSelection({ providerId: "", model: "", envVars: [] });
+    setLLMSecret("");
+  }, []);

-  // Resolve the selected template's spec from the /templates response.
-  // The `template` input is free-text; templates can be matched by id,
-  // name, or runtime so any of those work. Lower-cased compare keeps
-  // "Hermes" / "hermes" / "HERMES" interchangeable.
+  // Resolve the selected workspace template from /templates. Runtime is
+  // deliberately separate: "SEO Agent" is a workspace template, not a
+  // runtime, so it must never appear in the runtime selector.
  const selectedTemplateSpec = useMemo<TemplateSpec | null>(() => {
-    const t = template.trim().toLowerCase();
-    if (!t) return null;
-    return (
-      templateSpecs.find(
-        (s) =>
-          (s.id || "").toLowerCase() === t ||
-          (s.name || "").toLowerCase() === t ||
-          (s.runtime || "").toLowerCase() === t,
-      ) ?? null
-    );
+    if (!template) return null;
+    return templateSpecs.find((s) => s.id === template) ?? null;
  }, [template, templateSpecs]);
-
-  // Filter HERMES_PROVIDERS by what the template declares it supports.
-  // Empty/missing declared list → fall back to the full catalog so
-  // templates that haven't migrated to the explicit `providers:` field
-  // (and self-hosted setups without /templates) keep working unchanged.
-  const availableProviders = useMemo<HermesProvider[]>(() => {
-    const declared = selectedTemplateSpec?.providers;
-    if (!declared || declared.length === 0) return HERMES_PROVIDERS;
-    const allowed = new Set(declared.map((p) => p.toLowerCase()));
-    const filtered = HERMES_PROVIDERS.filter((p) => allowed.has(p.id.toLowerCase()));
-    // Defensive: if the template's declared list doesn't match anything
-    // in our static catalog (e.g. brand-new provider id we don't have
-    // metadata for yet), fall back to the full list rather than render
-    // an empty <select>. Better to over-show than to lock the user out.
-    return filtered.length > 0 ? filtered : HERMES_PROVIDERS;
-  }, [selectedTemplateSpec]);
-
-  // If the currently-selected provider is filtered out by a template
-  // change, snap back to the first available. Without this, the
-  // hermesProvider state could refer to a provider not in the dropdown
-  // — confusing UI + the API key field's envVar would be wrong.
-  useEffect(() => {
-    if (!isHermes) return;
-    if (availableProviders.length === 0) return;
-    if (!availableProviders.some((p) => p.id === hermesProvider)) {
-      setHermesProvider(availableProviders[0].id);
-    }
-    // eslint-disable-next-line react-hooks/exhaustive-deps
-  }, [availableProviders, isHermes]);
+  const selectedRuntimeTemplateSpec = useMemo<TemplateSpec | null>(() => (
+    templateSpecs.find((s) => {
+      if (!BASE_RUNTIME_TEMPLATE_IDS.has(s.id)) return false;
+      const specRuntime = (s.runtime ?? s.id).trim().toLowerCase();
+      return s.id === runtime || specRuntime === runtime;
+    }) ?? null
+  ), [runtime, templateSpecs]);
+  const visibleTemplateSpecs = useMemo(
+    () => templateSpecs.filter((spec) => {
+      if (BASE_RUNTIME_TEMPLATE_IDS.has(spec.id)) return false;
+      const specRuntime = (spec.runtime ?? DEFAULT_RUNTIME).trim().toLowerCase();
+      return specRuntime === runtime;
+    }),
+    [runtime, templateSpecs],
+  );
+  const llmModels = useMemo(
+    () => {
+      const sourceSpec = selectedTemplateSpec ?? selectedRuntimeTemplateSpec;
+      if (!sourceSpec?.models?.length) return [];
+      return sourceSpec.models;
+    },
+    [selectedRuntimeTemplateSpec, selectedTemplateSpec],
+  );
+  const llmCatalog = useMemo(() => buildProviderCatalog(llmModels), [llmModels]);
+  const selectedLLMProvider = useMemo(
+    () => llmCatalog.find((p) => p.id === llmSelection.providerId) ?? llmCatalog[0],
+    [llmCatalog, llmSelection.providerId],
+  );

  useEffect(() => {
-    if (isHermes) return;
-    if (nativeLLMProviders.length === 0) return;
-    if (!nativeLLMProviders.some((p) => p.id === llmProvider)) {
-      setLLMProvider(nativeLLMProviders[0].id);
-      setLLMModel(nativeLLMProviders[0].defaultModel);
-    }
-  }, [isHermes, llmProvider, nativeLLMProviders]);
-
-  useEffect(() => {
-    if (isHermes || !selectedNativeProvider) return;
-    if (!selectedNativeProvider.models.includes(llmModel)) {
-      setLLMModel(selectedNativeProvider.defaultModel);
-    }
-  }, [isHermes, llmModel, selectedNativeProvider]);
-
-  // Auto-fill hermesModel with the provider's defaultModel whenever the
-  // provider changes, but only if the user hasn't already typed their own
-  // slug. Prevents the empty-model → "auto" → Anthropic-default 401 trap.
-  useEffect(() => {
-    if (!isHermes) return;
-    const p = HERMES_PROVIDERS.find((x) => x.id === hermesProvider);
-    if (!p) return;
-    // Replace model only if current value matches another provider's
-    // default (user hasn't customized it) OR is empty.
-    const isUntouched =
-      hermesModel === "" ||
-      HERMES_PROVIDERS.some((x) => x.defaultModel === hermesModel);
-    if (isUntouched) setHermesModel(p.defaultModel);
-    // eslint-disable-next-line react-hooks/exhaustive-deps
-  }, [hermesProvider, isHermes]);
+    if (llmCatalog.length === 0) return;
+    const sourceDefault = (selectedTemplateSpec ?? selectedRuntimeTemplateSpec)?.model?.trim();
+    const platformProvider = llmCatalog.find((p) => p.vendor === "platform");
+    const matched = sourceDefault ? findProviderForModel(llmCatalog, sourceDefault) : null;
+    const next = platformProvider ?? matched ?? llmCatalog[0];
+    const defaultModel = next.models.find((model) => model.id === sourceDefault)?.id
+      ?? next.models[0]?.id
+      ?? "";
+    setLLMSelection({
+      providerId: next.id,
+      model: next.wildcard ? "" : defaultModel,
+      envVars: next.envVars,
+    });
+    setLLMSecret("");
+  }, [llmCatalog, selectedRuntimeTemplateSpec, selectedTemplateSpec]);

  // Reset form and load workspaces whenever dialog opens
  useEffect(() => {
@@ -302,6 +204,7 @@ export function CreateWorkspaceButton() {
    setName("");
    setRole("");
    setTier(defaultTier);
+    setRuntime(DEFAULT_RUNTIME);
    setTemplate("");
    setParentId("");
    setBudgetLimit("");
@@ -310,13 +213,8 @@ export function CreateWorkspaceButton() {
    setDisplayInstanceType(DEFAULT_DISPLAY_INSTANCE_TYPE);
    setDisplayRootGB(String(DEFAULT_DISPLAY_ROOT_GB));
    setDisplayResolution("1920x1080");
-    setHermesProvider("anthropic");
    setExternalRuntime("external");
-    setHermesApiKey("");
-    setHermesModel("");
-    setLLMAuthMode("platform");
-    setLLMProvider("minimax");
-    setLLMModel("MiniMax-M2.7");
+    setLLMSelection({ providerId: "", model: "", envVars: [] });
    setLLMSecret("");
    api
      .get<WorkspaceOption[]>("/workspaces")
@@ -325,7 +223,7 @@ export function CreateWorkspaceButton() {
    api
      .get<TemplateSpec[]>("/templates")
      .then((rows) => setTemplateSpecs(Array.isArray(rows) ? rows : []))
-      .catch(() => { /* keep empty — HERMES_PROVIDERS fallback below */ });
+      .catch(() => { /* keep empty; create stays blocked until the catalog loads */ });
    // defaultTier is stable for the session (derived from window.location),
    // safe to omit from deps.
    // eslint-disable-next-line react-hooks/exhaustive-deps
@@ -336,29 +234,18 @@ export function CreateWorkspaceButton() {
      setError("Name is required");
      return;
    }
-    if (isHermes && !hermesApiKey.trim()) {
-      setError("API key is required for Hermes workspaces");
-      return;
-    }
-    if (isHermes && !hermesModel.trim()) {
-      setError("Model is required for Hermes workspaces — provider routing depends on the model slug prefix");
-      return;
-    }
-    if (!isExternal && !isHermes && !llmModel.trim()) {
+    if (!isExternal && !llmSelection.model.trim()) {
      setError("Model is required");
      return;
    }
-    if (!isExternal && !isHermes && llmAuthMode !== "platform" && !llmSecret.trim()) {
-      setError(llmAuthMode === "oauth" ? "Claude OAuth token is required" : "API key is required");
+    if (!isExternal && selectedLLMProvider?.envVars.length && !llmSecret.trim()) {
+      setError("Provider credential is required");
      return;
    }
    setCreating(true);
    setError(null);

-    const provider = isHermes
-      ? HERMES_PROVIDERS.find((p) => p.id === hermesProvider)
-      : undefined;
-    const nativeProvider = !isHermes ? selectedNativeProvider : undefined;
+    const nativeProvider = selectedLLMProvider;

    try {
      const parsedBudget = budgetLimit.trim()
@@ -382,12 +269,12 @@ export function CreateWorkspaceButton() {
        tier,
        parent_id: parentId || undefined,
        budget_limit: parsedBudget,
-        ...(!isExternal && !isHermes && nativeProvider
+        ...(!isExternal && nativeProvider
          ? {
-              model: llmModel.trim(),
-              llm_provider: nativeProvider.id,
-              ...(llmAuthMode !== "platform" && nativeProvider.envVar
-                ? { secrets: { [nativeProvider.envVar]: llmSecret.trim() } }
+              model: llmSelection.model.trim(),
+              llm_provider: nativeProvider.vendor,
+              ...(nativeProvider.envVars.length > 0
+                ? { secrets: { [nativeProvider.envVars[0]]: llmSecret.trim() } }
                : {}),
            }
          : {}),
@@ -415,13 +302,7 @@ export function CreateWorkspaceButton() {
        // Runtime=external flips the backend into awaiting-agent mode:
        // no container provisioning, token minted, connection payload
        // returned in the response for the modal below.
-        ...(isExternal ? { runtime: externalRuntime } : {}),
-        ...(!isExternal && isHermes && provider
-          ? {
-              secrets: { [provider.envVar]: hermesApiKey.trim() },
-              model: hermesModel.trim(),
-            }
-          : {}),
+        ...(isExternal ? { runtime: externalRuntime } : { runtime }),
      });
      // External path: keep the create dialog open just long enough to
      // hand control to the connect modal, then close. The connect
@@ -533,77 +414,64 @@ export function CreateWorkspaceButton() {
            )}

            {!isExternal && (
-              <InputField
-                label="Template"
-                value={template}
-                onChange={setTemplate}
-                placeholder="e.g. seo-agent (from workspace-configs-templates/)"
-                mono
-              />
-            )}
-
-            {!isExternal && !isHermes && selectedNativeProvider && (
-              <div className="rounded-lg border border-line/50 bg-surface-card/40 p-3 space-y-3">
-                <div className="text-[11px] font-medium text-ink-mid">
-                  LLM
-                </div>
+              <div className="space-y-3">
                <div>
-                  <label htmlFor="llm-auth-mode" className="text-[11px] text-ink-mid block mb-1">
-                    Auth Mode
+                  <label htmlFor="runtime-select" className="text-[11px] text-ink-mid block mb-1">
+                    Runtime
                  </label>
                  <select
-                    id="llm-auth-mode"
-                    value={llmAuthMode}
-                    onChange={(e) => setLLMAuthMode(e.target.value as LLMAuthMode)}
+                    id="runtime-select"
+                    value={runtime}
+                    onChange={(e) => handleRuntimeChange(e.target.value)}
                    className="w-full bg-surface-card/60 border border-line/50 rounded-lg px-3 py-2 text-sm text-ink focus:outline-none focus:border-accent/60 focus:ring-1 focus:ring-accent/20 transition-colors"
                  >
-                    <option value="platform">Platform provided</option>
-                    <option value="api_key">API key</option>
-                    <option value="oauth">Claude OAuth</option>
-                  </select>
-                </div>
-                <div>
-                  <label htmlFor="llm-provider-select" className="text-[11px] text-ink-mid block mb-1">
-                    Provider
-                  </label>
-                  <select
-                    id="llm-provider-select"
-                    value={selectedNativeProvider.id}
-                    onChange={(e) => {
-                      const next = nativeLLMProviders.find((p) => p.id === e.target.value);
-                      setLLMProvider(e.target.value);
-                      if (next) setLLMModel(next.defaultModel);
-                    }}
-                    className="w-full bg-surface-card/60 border border-line/50 rounded-lg px-3 py-2 text-sm text-ink focus:outline-none focus:border-accent/60 focus:ring-1 focus:ring-accent/20 transition-colors"
-                  >
-                    {nativeLLMProviders.map((p) => (
-                      <option key={p.id} value={p.id}>
-                        {p.label}
+                    {RUNTIME_OPTIONS.map((option) => (
+                      <option key={option.value} value={option.value}>
+                        {option.label}
                      </option>
                    ))}
                  </select>
                </div>
                <div>
-                  <label htmlFor="llm-model-input" className="text-[11px] text-ink-mid block mb-1">
-                    Model
+                  <label htmlFor="workspace-template-select" className="text-[11px] text-ink-mid block mb-1">
+                    Workspace Template
                  </label>
-                  <input
-                    id="llm-model-input"
-                    type="text"
-                    value={llmModel}
-                    onChange={(e) => setLLMModel(e.target.value)}
-                    list="llm-model-suggestions"
-                    spellCheck={false}
-                    className="w-full bg-surface-card/60 border border-line/50 rounded-lg px-3 py-2 text-sm text-ink placeholder-ink-soft focus:outline-none focus:border-accent/60 focus:ring-1 focus:ring-accent/20 transition-colors font-mono"
-                  />
-                  <datalist id="llm-model-suggestions">
-                    {selectedNativeProvider.models.map((m) => <option key={m} value={m} />)}
-                  </datalist>
+                  <select
+                    id="workspace-template-select"
+                    value={template}
+                    onChange={(e) => setTemplate(e.target.value)}
+                    className="w-full bg-surface-card/60 border border-line/50 rounded-lg px-3 py-2 text-sm text-ink focus:outline-none focus:border-accent/60 focus:ring-1 focus:ring-accent/20 transition-colors"
+                  >
+                    <option value="">Blank workspace</option>
+                    {visibleTemplateSpecs.map((spec) => (
+                      <option key={spec.id} value={spec.id}>
+                        {spec.name || spec.id}
+                      </option>
+                    ))}
+                  </select>
                </div>
-                {llmAuthMode !== "platform" && (
+              </div>
+            )}
+
+            {!isExternal && selectedLLMProvider && (
+              <div className="rounded-lg border border-line/50 bg-surface-card/40 p-3 space-y-3">
+                <div className="text-[11px] font-medium text-ink-mid">
+                  LLM
+                </div>
+                <ProviderModelSelector
+                  models={llmModels}
+                  value={llmSelection}
+                  onChange={(next) => {
+                    setLLMSelection(next);
+                    setLLMSecret("");
+                  }}
+                  idPrefix="create-workspace-llm"
+                  variant="stack"
+                />
+                {selectedLLMProvider.envVars.length > 0 && (
                  <div>
                    <label htmlFor="llm-secret-input" className="text-[11px] text-ink-mid block mb-1">
-                      {llmAuthMode === "oauth" ? "OAuth Token" : "API Key"}
+                      {selectedLLMProvider.envVars[0]}
                    </label>
                    <input
                      id="llm-secret-input"
@@ -741,100 +609,6 @@ export function CreateWorkspaceButton() {
            </div>
          </div>

-          {/* Hermes provider configuration — shown only when template === "hermes" */}
-          {isHermes && (
-            <div
-              className="mt-4 rounded-xl border border-violet-700/40 bg-violet-950/20 p-4 space-y-3"
-              data-testid="hermes-provider-section"
-            >
-              <p className="text-[11px] font-semibold text-violet-400 uppercase tracking-wide">
-                Hermes Provider
-              </p>
-              <p className="text-[11px] text-ink-mid -mt-1">
-                Choose the AI provider and paste your API key. The key is
-                stored as an encrypted workspace secret.
-              </p>
-
-              <div>
-                <label
-                  htmlFor="hermes-provider-select"
-                  className="text-[11px] text-ink-mid block mb-1"
-                >
-                  Provider
-                </label>
-                <select
-                  id="hermes-provider-select"
-                  value={hermesProvider}
-                  onChange={(e) => setHermesProvider(e.target.value)}
-                  aria-label="Hermes provider"
-                  className="w-full bg-surface-card/60 border border-line/50 rounded-lg px-3 py-2 text-sm text-ink focus:outline-none focus:border-violet-500/60 focus:ring-1 focus:ring-violet-500/20 transition-colors"
-                >
-                  {availableProviders.map((p) => (
-                    <option key={p.id} value={p.id}>
-                      {p.label}
-                    </option>
-                  ))}
-                </select>
-              </div>
-
-              <div>
-                <label
-                  htmlFor="hermes-api-key-input"
-                  className="text-[11px] text-ink-mid block mb-1"
-                >
-                  API Key{" "}
-                  <span aria-hidden="true" className="text-bad">
-                    *
-                  </span>
-                  <span className="sr-only"> (required)</span>
-                </label>
-                <input
-                  id="hermes-api-key-input"
-                  type="password"
-                  value={hermesApiKey}
-                  onChange={(e) => setHermesApiKey(e.target.value)}
-                  placeholder="sk-…"
-                  aria-label="Hermes API key"
-                  autoComplete="off"
-                  className="w-full bg-surface-card/60 border border-line/50 rounded-lg px-3 py-2 text-sm text-ink placeholder-ink-soft focus:outline-none focus:border-violet-500/60 focus:ring-1 focus:ring-violet-500/20 transition-colors font-mono"
-                />
-              </div>
-
-              <div>
-                <label
-                  htmlFor="hermes-model-input"
-                  className="text-[11px] text-ink-mid block mb-1"
-                >
-                  Model{" "}
-                  <span aria-hidden="true" className="text-bad">
-                    *
-                  </span>
-                  <span className="sr-only"> (required)</span>
-                </label>
-                <input
-                  id="hermes-model-input"
-                  type="text"
-                  value={hermesModel}
-                  onChange={(e) => setHermesModel(e.target.value)}
-                  placeholder="e.g. minimax/MiniMax-M2.7"
-                  aria-label="Hermes model slug"
-                  autoComplete="off"
-                  spellCheck={false}
-                  list="hermes-model-suggestions"
-                  className="w-full bg-surface-card/60 border border-line/50 rounded-lg px-3 py-2 text-sm text-ink placeholder-ink-soft focus:outline-none focus:border-violet-500/60 focus:ring-1 focus:ring-violet-500/20 transition-colors font-mono"
-                />
-                <datalist id="hermes-model-suggestions">
-                  {HERMES_PROVIDERS.find((p) => p.id === hermesProvider)?.models.map(
-                    (m) => <option key={m} value={m} />,
-                  )}
-                </datalist>
-                <p className="text-[10px] text-ink-mid mt-1">
-                  Slug determines which provider hermes routes to at install time.
-                </p>
-              </div>
-            </div>
-          )}
-
          {error && (
            <div
              role="alert"
@@ -4,7 +4,7 @@ import { useState, useEffect, useCallback } from "react";
 import { api } from "@/lib/api";
 import { useCanvasStore } from "@/store/canvas";
 import { OrgTemplatesSection } from "./TemplatePalette";
-import { type Template } from "@/lib/deploy-preflight";
+import { isUserVisibleWorkspaceTemplate, type Template } from "@/lib/deploy-preflight";
 import { useTemplateDeploy } from "@/hooks/useTemplateDeploy";
 import { Spinner } from "./Spinner";
 import { TIER_CONFIG } from "@/lib/design-tokens";
@@ -18,7 +18,7 @@ export function EmptyState() {
  useEffect(() => {
    api
      .get<Template[]>("/templates")
-      .then((t) => setTemplates(t))
+      .then((t) => setTemplates(t.filter(isUserVisibleWorkspaceTemplate)))
      .catch(() => setTemplates([]))
      .finally(() => setLoading(false));
  }, []);
@@ -23,6 +23,8 @@ interface Props {
  /** Grouped provider options derived from the template's models[] /
   *  required_env. When length ≥ 2 the modal shows a radio picker. */
  providers?: ProviderChoice[];
+  /** Optional keys to offer in the deploy modal without blocking Deploy. */
+  optionalKeys?: string[];
  /** Runtime slug — used only for the "The <runtime> runtime …"
   *  headline; behavior is driven by providers/missingKeys. */
  runtime: string;
@@ -94,13 +96,13 @@ export function MissingKeysModal({
  open,
  missingKeys,
  providers,
+  optionalKeys,
  runtime,
  onKeysAdded,
  onCancel,
  onOpenSettings,
  workspaceId,
  configuredKeys,
-  modelSuggestions,
  models,
  initialModel,
  title,
@@ -114,13 +116,13 @@ export function MissingKeysModal({
      <ProviderPickerModal
        open={open}
        providers={pickerProviders}
+        optionalKeys={optionalKeys ?? []}
        runtime={runtime}
        onKeysAdded={onKeysAdded}
        onCancel={onCancel}
        onOpenSettings={onOpenSettings}
        workspaceId={workspaceId}
        configuredKeys={configuredKeys}
-        modelSuggestions={modelSuggestions}
        models={models}
        initialModel={initialModel}
        title={title}
@@ -138,11 +140,15 @@ export function MissingKeysModal({
    <AllKeysModal
      open={open}
      missingKeys={keys}
+      optionalKeys={optionalKeys ?? []}
      runtime={runtime}
      onKeysAdded={onKeysAdded}
      onCancel={onCancel}
      onOpenSettings={onOpenSettings}
      workspaceId={workspaceId}
+      configuredKeys={configuredKeys}
+      title={title}
+      description={description}
    />
  );
 }
@@ -170,13 +176,13 @@ export function providerIdForModel(
 function ProviderPickerModal({
  open,
  providers,
+  optionalKeys,
  runtime,
  onKeysAdded,
  onCancel,
  onOpenSettings,
  workspaceId,
  configuredKeys,
-  modelSuggestions,
  models,
  initialModel,
  title,
@@ -184,13 +190,13 @@ function ProviderPickerModal({
 }: {
  open: boolean;
  providers: ProviderChoice[];
+  optionalKeys: string[];
  runtime: string;
  onKeysAdded: (model?: string) => void;
  onCancel: () => void;
  onOpenSettings?: () => void;
  workspaceId?: string;
  configuredKeys?: Set<string>;
-  modelSuggestions?: string[];
  models?: ModelSpec[];
  initialModel?: string;
  title?: string;
@@ -250,16 +256,9 @@ function ProviderPickerModal({

  const [selectorValue, setSelectorValue] = useState<SelectorValue>(initial);
  const [entries, setEntries] = useState<KeyEntry[]>([]);
+  const [optionalEntries, setOptionalEntries] = useState<KeyEntry[]>([]);
  const firstInputRef = useRef<HTMLInputElement>(null);

-  // Legacy compat: map the selector value back into the old `selected`/
-  // `model` shape for the rest of the modal body (footer copy, etc.).
-  const selected = useMemo(
-    () =>
-      providers.find((p) => p.id === selectorValue.providerId) ??
-      providers[0],
-    [providers, selectorValue.providerId],
-  );
  const model = selectorValue.model;
  const showModelInput = catalog.length > 0;

@@ -282,7 +281,18 @@ function ProviderPickerModal({
        error: null,
      })),
    );
-  }, [open, selectorValue.envVars, configuredKeys]);
+    setOptionalEntries(
+      optionalKeys
+        .filter((key) => !selectorValue.envVars.includes(key))
+        .map((key) => ({
+          key,
+          value: "",
+          saved: configuredKeys?.has(key) ?? false,
+          saving: false,
+          error: null,
+        })),
+    );
+  }, [open, selectorValue.envVars, configuredKeys, optionalKeys]);

  useEffect(() => {
    if (!open) return;
@@ -336,6 +346,43 @@ function ProviderPickerModal({
    [entries, updateEntry, workspaceId],
  );

+  const updateOptionalEntry = useCallback(
+    (index: number, updates: Partial<KeyEntry>) => {
+      setOptionalEntries((prev) =>
+        prev.map((e, i) => (i === index ? { ...e, ...updates } : e)),
+      );
+    },
+    [],
+  );
+
+  const handleSaveOptionalKey = useCallback(
+    async (index: number) => {
+      const entry = optionalEntries[index];
+      if (!entry.value.trim()) return;
+      updateOptionalEntry(index, { saving: true, error: null });
+      try {
+        if (workspaceId) {
+          await api.put(`/workspaces/${workspaceId}/secrets`, {
+            key: entry.key,
+            value: entry.value.trim(),
+          });
+        } else {
+          await api.put("/settings/secrets", {
+            key: entry.key,
+            value: entry.value.trim(),
+          });
+        }
+        updateOptionalEntry(index, { saved: true, saving: false });
+      } catch (e) {
+        updateOptionalEntry(index, {
+          saving: false,
+          error: e instanceof Error ? e.message : "Failed to save",
+        });
+      }
+    },
+    [optionalEntries, updateOptionalEntry, workspaceId],
+  );
+
  if (!open) return null;
  // Portal to document.body for the same reason as
  // OrgImportPreflightModal — several callers (TemplatePalette,
@@ -465,6 +512,62 @@ function ProviderPickerModal({
              </div>
            ))}
          </div>
+
+          {optionalEntries.length > 0 && (
+            <div className="space-y-2">
+              <div className="text-[10px] uppercase tracking-wide text-ink-mid font-semibold">
+                Optional
+              </div>
+              {optionalEntries.map((entry, index) => (
+                <div
+                  key={entry.key}
+                  className="bg-surface-card/30 rounded-lg px-3 py-2.5 border border-line/40"
+                >
+                  <div className="flex items-center justify-between mb-1.5">
+                    <div>
+                      <div className="text-[11px] text-ink-mid font-medium">
+                        {getKeyLabel(entry.key)}
+                      </div>
+                      <div className="text-[9px] font-mono text-ink-mid">{entry.key}</div>
+                    </div>
+                    {entry.saved && (
+                      <span className="text-[9px] text-good bg-emerald-900/30 px-1.5 py-0.5 rounded flex items-center gap-1">
+                        Saved
+                      </span>
+                    )}
+                  </div>
+                  {!entry.saved && (
+                    <div className="flex gap-2 mt-2">
+                      <input
+                        value={entry.value}
+                        onChange={(e) => updateOptionalEntry(index, { value: e.target.value.trimStart() })}
+                        placeholder={entry.key.includes("API_KEY") ? "sk-..." : "Enter value"}
+                        type="password"
+                        aria-label={`Optional value for ${entry.key}`}
+                        onKeyDown={(e) => {
+                          if (e.key === "Enter" && entry.value.trim()) {
+                            handleSaveOptionalKey(index);
+                          }
+                        }}
+                        className="flex-1 bg-surface-sunken border border-line rounded px-2 py-1.5 text-[11px] text-ink font-mono focus:outline-none focus:border-accent focus:ring-1 focus:ring-accent/20 transition-colors"
+                      />
+                      <button
+                        type="button"
+                        onClick={() => handleSaveOptionalKey(index)}
+                        disabled={!entry.value.trim() || entry.saving}
+                        className="px-3 py-1.5 bg-surface-card hover:bg-surface-card/80 text-[11px] rounded text-ink border border-line disabled:opacity-30 transition-colors shrink-0 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
+                      >
+                        {entry.saving ? "..." : "Save"}
+                      </button>
+                    </div>
+                  )}
+                  {entry.error && (
+                    <div role="alert" aria-live="assertive" className="mt-1.5 text-[10px] text-bad">{entry.error}</div>
+                  )}
+                </div>
+              ))}
+            </div>
+          )}
        </div>

        <div className="px-5 py-3 border-t border-line bg-surface/50 flex items-center justify-between gap-2">
@@ -512,21 +615,30 @@ function ProviderPickerModal({
 function AllKeysModal({
  open,
  missingKeys,
+  optionalKeys,
  runtime,
  onKeysAdded,
  onCancel,
  onOpenSettings,
  workspaceId,
+  configuredKeys,
+  title,
+  description,
 }: {
  open: boolean;
  missingKeys: string[];
+  optionalKeys: string[];
  runtime: string;
  onKeysAdded: () => void;
  onCancel: () => void;
  onOpenSettings?: () => void;
  workspaceId?: string;
+  configuredKeys?: Set<string>;
+  title?: string;
+  description?: string;
 }) {
  const [entries, setEntries] = useState<KeyEntry[]>([]);
+  const [optionalEntries, setOptionalEntries] = useState<KeyEntry[]>([]);
  const [globalError, setGlobalError] = useState<string | null>(null);

  useEffect(() => {
@@ -535,13 +647,24 @@ function AllKeysModal({
      missingKeys.map((key) => ({
        key,
        value: "",
-        saved: false,
+        saved: configuredKeys?.has(key) ?? false,
        saving: false,
        error: null,
      })),
    );
+    setOptionalEntries(
+      optionalKeys
+        .filter((key) => !missingKeys.includes(key))
+        .map((key) => ({
+          key,
+          value: "",
+          saved: configuredKeys?.has(key) ?? false,
+          saving: false,
+          error: null,
+        })),
+    );
    setGlobalError(null);
-  }, [open, missingKeys]);
+  }, [open, missingKeys, optionalKeys, configuredKeys]);

  useEffect(() => {
    if (!open) return;
@@ -591,6 +714,45 @@ function AllKeysModal({
    [entries, updateEntry, workspaceId],
  );

+  const updateOptionalEntry = useCallback(
+    (index: number, updates: Partial<KeyEntry>) => {
+      setOptionalEntries((prev) =>
+        prev.map((entry, i) => (i === index ? { ...entry, ...updates } : entry)),
+      );
+    },
+    [],
+  );
+
+  const handleSaveOptionalKey = useCallback(
+    async (index: number) => {
+      const entry = optionalEntries[index];
+      if (!entry.value.trim()) return;
+
+      updateOptionalEntry(index, { saving: true, error: null });
+
+      try {
+        if (workspaceId) {
+          await api.put(`/workspaces/${workspaceId}/secrets`, {
+            key: entry.key,
+            value: entry.value.trim(),
+          });
+        } else {
+          await api.put("/settings/secrets", {
+            key: entry.key,
+            value: entry.value.trim(),
+          });
+        }
+        updateOptionalEntry(index, { saved: true, saving: false });
+      } catch (e) {
+        updateOptionalEntry(index, {
+          saving: false,
+          error: e instanceof Error ? e.message : "Failed to save",
+        });
+      }
+    },
+    [optionalEntries, updateOptionalEntry, workspaceId],
+  );
+
  const handleAddKeysAndDeploy = useCallback(() => {
    const anySaving = entries.some((e) => e.saving);
    if (anySaving) {
@@ -656,12 +818,16 @@ function AllKeysModal({
              </svg>
            </div>
            <h3 id="missing-keys-title" className="text-sm font-semibold text-ink">
-              Missing API Keys
+              {title ?? "Missing API Keys"}
            </h3>
          </div>
          <p className="text-[12px] text-ink-mid leading-relaxed">
-            The <span className="text-warm font-medium">{runtimeLabel}</span>{" "}
-            runtime requires the following keys to be configured before deploying.
+            {description ?? (
+              <>
+                The <span className="text-warm font-medium">{runtimeLabel}</span>{" "}
+                runtime requires the following keys to be configured before deploying.
+              </>
+            )}
          </p>
        </div>

@@ -719,6 +885,62 @@ function AllKeysModal({
            </div>
          ))}

+          {optionalEntries.length > 0 && (
+            <div className="space-y-2">
+              <div className="text-[10px] uppercase tracking-wide text-ink-mid font-semibold">
+                Optional
+              </div>
+              {optionalEntries.map((entry, index) => (
+                <div
+                  key={entry.key}
+                  className="bg-surface-card/30 rounded-lg px-3 py-2.5 border border-line/40"
+                >
+                  <div className="flex items-center justify-between mb-1">
+                    <div>
+                      <div className="text-[11px] text-ink-mid font-medium">
+                        {getKeyLabel(entry.key)}
+                      </div>
+                      <div className="text-[9px] font-mono text-ink-mid">{entry.key}</div>
+                    </div>
+                    {entry.saved && (
+                      <span className="text-[9px] text-good bg-emerald-900/30 px-1.5 py-0.5 rounded">
+                        Saved
+                      </span>
+                    )}
+                  </div>
+
+                  {!entry.saved && (
+                    <div className="flex gap-2 mt-2">
+                      <input
+                        value={entry.value}
+                        onChange={(e) => updateOptionalEntry(index, { value: e.target.value.trimStart() })}
+                        placeholder={entry.key.includes("API_KEY") ? "sk-..." : "Enter value"}
+                        type="password"
+                        aria-label={`Optional value for ${entry.key}`}
+                        onKeyDown={(e) => {
+                          if (e.key === "Enter" && entry.value.trim()) {
+                            handleSaveOptionalKey(index);
+                          }
+                        }}
+                        className="flex-1 bg-surface-sunken border border-line rounded px-2 py-1.5 text-[11px] text-ink font-mono focus:outline-none focus:border-accent focus:ring-1 focus:ring-accent/20 transition-colors"
+                      />
+                      <button
+                        type="button"
+                        onClick={() => handleSaveOptionalKey(index)}
+                        disabled={!entry.value.trim() || entry.saving}
+                        className="px-3 py-1.5 bg-surface-card hover:bg-surface-card/80 text-[11px] rounded text-ink border border-line disabled:opacity-30 transition-colors shrink-0 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
+                      >
+                        {entry.saving ? "..." : "Save"}
+                      </button>
+                    </div>
+                  )}
+
+                  {entry.error && <div className="mt-1.5 text-[10px] text-bad">{entry.error}</div>}
+                </div>
+              ))}
+            </div>
+          )}
+
          {globalError && (
            <div role="alert" aria-live="assertive" className="px-3 py-2 bg-red-950/40 border border-red-800/50 rounded-lg text-[11px] text-bad">
              {globalError}
@@ -28,6 +28,7 @@ import { useId, useMemo } from "react";
 export interface SelectorModel {
  id: string;
  name?: string;
+  provider?: string;
  required_env?: string[];
 }

@@ -88,6 +89,7 @@ interface Props {
 /** Vendor keys → human label. Add new vendors here when templates pick
 *  up new model families. */
 const VENDOR_LABELS: Record<string, string> = {
+  "platform": "Platform",
  "anthropic-oauth": "Claude Code subscription",
  anthropic: "Anthropic API",
  minimax: "MiniMax",
@@ -118,6 +120,8 @@ const VENDOR_LABELS: Record<string, string> = {

 /** Optional per-vendor tooltip shown on hover. */
 const VENDOR_TOOLTIPS: Record<string, string> = {
+  "platform":
+    "Use the Molecule platform-managed LLM proxy. No vendor API key is required.",
  "anthropic-oauth":
    "Use your Claude.ai (Pro/Max/Team) subscription via OAuth. Run `claude login` in the workspace terminal to mint the token, then paste it here. No API spend.",
  anthropic:
@@ -165,6 +169,9 @@ const BARE_VENDOR_PATTERNS: Array<{ test: (id: string) => boolean; vendor: strin
 /** Infer a vendor key from a model spec. Combines id-prefix and env
 *  signals. Exported for tests. */
 export function inferVendor(model: SelectorModel): string {
+  const explicitProvider = model.provider?.trim().toLowerCase();
+  if (explicitProvider) return explicitProvider;
+
  const id = model.id || "";
  const envSet = new Set(model.required_env ?? []);

@@ -5,7 +5,7 @@ import { flushSync } from "react-dom";
 import { api } from "@/lib/api";
 import { useCanvasStore } from "@/store/canvas";
 import type { WorkspaceData } from "@/store/socket";
-import { type Template } from "@/lib/deploy-preflight";
+import { isUserVisibleWorkspaceTemplate, type Template } from "@/lib/deploy-preflight";
 import { useTemplateDeploy } from "@/hooks/useTemplateDeploy";
 import {
  OrgImportPreflightModal,
@@ -446,7 +446,7 @@ export function TemplatePalette() {
    setLoading(true);
    try {
      const data = await api.get<Template[]>("/templates");
-      setTemplates(data);
+      setTemplates(data.filter(isUserVisibleWorkspaceTemplate));
    } catch {
      setTemplates([]);
    } finally {
@@ -224,12 +224,14 @@ export function Toolbar() {
  useEffect(() => {
    const handler = (e: KeyboardEvent) => {
      if (e.key !== "?") return;
-      const tag = (e.target as HTMLElement).tagName;
+      const target = e.target as HTMLElement;
+      if (target.closest?.('[data-display-stream="true"]')) return;
+      const tag = target.tagName;
      const inInput =
        tag === "INPUT" ||
        tag === "TEXTAREA" ||
        tag === "SELECT" ||
-        (e.target as HTMLElement).isContentEditable;
+        target.isContentEditable;
      if (inInput) return;
      // Don't fire when a modal/dialog is already mounted (canvas modals,
      // side panel, etc. use z-50 or above).
@@ -201,15 +201,13 @@ describe("CreateWorkspaceDialog — WCAG SC 1.3.1 label/input association", () =
    expect(label?.textContent).toContain("Budget limit");
  });

-  it("Template input has a <label> whose htmlFor matches the input id", async () => {
+  it("Workspace Template select has a <label> whose htmlFor matches the select id", async () => {
    await openDialog();
-    const templateInput = screen.getByPlaceholderText(
-      "e.g. seo-agent (from workspace-configs-templates/)"
-    ) as HTMLInputElement;
-    expect(templateInput.id).toBeTruthy();
-    const label = document.querySelector(`label[for="${templateInput.id}"]`);
+    const templateSelect = screen.getByLabelText("Workspace Template") as HTMLSelectElement;
+    expect(templateSelect.id).toBeTruthy();
+    const label = document.querySelector(`label[for="${templateSelect.id}"]`);
    expect(label).toBeTruthy();
-    expect(label?.textContent).toContain("Template");
+    expect(label?.textContent).toContain("Workspace Template");
  });

  it("each InputField generates a distinct id (no id collisions)", async () => {
@@ -218,13 +216,16 @@ describe("CreateWorkspaceDialog — WCAG SC 1.3.1 label/input association", () =
      screen.getByPlaceholderText("e.g. SEO Agent"),
      screen.getByPlaceholderText("e.g. SEO Specialist"),
      screen.getByPlaceholderText("e.g. 100"),
-      screen.getByPlaceholderText("e.g. seo-agent (from workspace-configs-templates/)"),
    ] as HTMLInputElement[];
+    const selects = [
+      screen.getByLabelText("Runtime"),
+      screen.getByLabelText("Workspace Template"),
+    ] as HTMLSelectElement[];

-    const ids = inputs.map((i) => i.id).filter(Boolean);
+    const ids = [...inputs, ...selects].map((i) => i.id).filter(Boolean);
    const unique = new Set(ids);
    expect(unique.size).toBe(ids.length); // no duplicates
-    expect(ids.length).toBe(4);
+    expect(ids.length).toBe(5);
  });

  it("Name label text contains the required asterisk indicator", async () => {
@@ -1,7 +1,7 @@
 // @vitest-environment jsdom
 import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
 import { render, screen, fireEvent, waitFor, cleanup } from "@testing-library/react";
-import { CreateWorkspaceButton, HERMES_PROVIDERS } from "../CreateWorkspaceDialog";
+import { CreateWorkspaceButton } from "../CreateWorkspaceDialog";

 vi.mock("@/lib/api", () => ({
  api: {
@@ -20,10 +20,63 @@ const SAMPLE_WORKSPACES = [
  { id: "ws-2", name: "Research Agent", tier: 2 },
 ];

+const SAMPLE_TEMPLATES = [
+  {
+    id: "claude-code-default",
+    name: "Claude Code Agent",
+    runtime: "claude-code",
+    model: "moonshot/kimi-k2.6",
+    providers: ["platform", "minimax", "kimi-coding", "anthropic", "anthropic-oauth"],
+    models: [
+      { id: "moonshot/kimi-k2.6", name: "Kimi K2.6", provider: "platform", required_env: [] },
+      { id: "MiniMax-M2.7", name: "MiniMax M2.7", required_env: ["MINIMAX_API_KEY"] },
+      { id: "kimi-k2-turbo-preview", name: "Kimi K2 Turbo Preview", required_env: ["KIMI_API_KEY"] },
+      { id: "claude-sonnet-4-6", name: "Claude Sonnet 4.6", required_env: ["ANTHROPIC_API_KEY"] },
+      { id: "sonnet", name: "Claude Sonnet", required_env: ["CLAUDE_CODE_OAUTH_TOKEN"] },
+      { id: "opus", name: "Claude Opus", required_env: ["CLAUDE_CODE_OAUTH_TOKEN"] },
+      { id: "haiku", name: "Claude Haiku", required_env: ["CLAUDE_CODE_OAUTH_TOKEN"] },
+    ],
+  },
+  {
+    id: "seo-agent",
+    name: "SEO Agent",
+    runtime: "claude-code",
+    model: "moonshot/kimi-k2.6",
+    providers: ["platform", "minimax", "kimi-coding", "anthropic", "anthropic-oauth"],
+    models: [
+      { id: "moonshot/kimi-k2.6", name: "Kimi K2.6", provider: "platform", required_env: [] },
+      { id: "MiniMax-M2.7", name: "MiniMax M2.7", required_env: ["MINIMAX_API_KEY"] },
+      { id: "kimi-k2-turbo-preview", name: "Kimi K2 Turbo Preview", required_env: ["KIMI_API_KEY"] },
+      { id: "claude-sonnet-4-6", name: "Claude Sonnet 4.6", required_env: ["ANTHROPIC_API_KEY"] },
+      { id: "sonnet", name: "Claude Sonnet", required_env: ["CLAUDE_CODE_OAUTH_TOKEN"] },
+      { id: "opus", name: "Claude Opus", required_env: ["CLAUDE_CODE_OAUTH_TOKEN"] },
+      { id: "haiku", name: "Claude Haiku", required_env: ["CLAUDE_CODE_OAUTH_TOKEN"] },
+    ],
+  },
+  {
+    id: "hermes",
+    name: "Hermes",
+    runtime: "hermes",
+    model: "openai/gpt-4o",
+    providers: ["openai", "anthropic", "platform"],
+    models: [
+      { id: "openai/gpt-4o", name: "GPT-4o", required_env: ["OPENAI_API_KEY"] },
+      { id: "anthropic/claude-sonnet-4-5", name: "Claude Sonnet 4.5", required_env: ["ANTHROPIC_API_KEY"] },
+      { id: "moonshot/kimi-k2.6", name: "Kimi K2.6", provider: "platform", required_env: [] },
+    ],
+  },
+];
+
 beforeEach(() => {
  vi.clearAllMocks();
-  // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  mockGet.mockResolvedValue(SAMPLE_WORKSPACES as any);
+  mockGet.mockImplementation(async (url: string) => {
+    if (url === "/templates") {
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      return SAMPLE_TEMPLATES as any;
+    }
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    return SAMPLE_WORKSPACES as any;
+  });
  // eslint-disable-next-line @typescript-eslint/no-explicit-any
  mockPost.mockResolvedValue({} as any);
 });
@@ -42,7 +95,14 @@ async function openDialog() {

 async function setTemplate(value: string) {
  fireEvent.change(
-    screen.getByPlaceholderText("e.g. seo-agent (from workspace-configs-templates/)"),
+    screen.getByLabelText("Workspace Template"),
+    { target: { value } }
+  );
+}
+
+async function setRuntime(value: string) {
+  fireEvent.change(
+    screen.getByLabelText("Runtime"),
    { target: { value } }
  );
 }
@@ -139,11 +199,33 @@ describe("CreateWorkspaceDialog", () => {
      volume: { root_gb: 30 },
      display: { mode: "none" },
    });
-    expect(body.model).toBe("MiniMax-M2.7");
-    expect(body.llm_provider).toBe("minimax");
+    expect(body.model).toBe("moonshot/kimi-k2.6");
+    expect(body.llm_provider).toBe("platform");
+    expect(body.runtime).toBe("claude-code");
    expect(body.secrets).toBeUndefined();
  });

+  it("keeps runtime and workspace template as separate selectors", async () => {
+    await openDialog();
+
+    const runtimeSelect = screen.getByLabelText("Runtime") as HTMLSelectElement;
+    const runtimeTexts = Array.from(runtimeSelect.options).map((o) => o.text.trim());
+    expect(runtimeTexts).toEqual([
+      "Claude Code",
+      "OpenAI Codex CLI",
+      "Hermes",
+      "OpenClaw",
+    ]);
+    expect(runtimeTexts).not.toContain("SEO Agent");
+
+    await waitFor(() => {
+      const templateSelect = screen.getByLabelText("Workspace Template") as HTMLSelectElement;
+      const templateTexts = Array.from(templateSelect.options).map((o) => o.text.trim());
+      expect(templateTexts).toContain("SEO Agent");
+      expect(templateTexts).not.toContain("Hermes");
+    });
+  });
+
  it("does not send managed compute for external agents", async () => {
    await openDialog();
    fireEvent.change(screen.getByPlaceholderText("e.g. SEO Agent"), {
@@ -172,8 +254,8 @@ describe("CreateWorkspaceDialog", () => {

    await waitFor(() => expect(mockPost).toHaveBeenCalled());
    const body = mockPost.mock.calls[0][1] as Record<string, unknown>;
-    expect(body.model).toBe("MiniMax-M2.7");
-    expect(body.llm_provider).toBe("minimax");
+    expect(body.model).toBe("moonshot/kimi-k2.6");
+    expect(body.llm_provider).toBe("platform");
    expect(body.compute).toEqual({
      instance_type: "t3.xlarge",
      volume: { root_gb: 80 },
@@ -191,8 +273,8 @@ describe("CreateWorkspaceDialog", () => {
    fireEvent.change(screen.getByPlaceholderText("e.g. SEO Agent"), {
      target: { value: "BYOK Agent" },
    });
-    fireEvent.change(document.getElementById("llm-auth-mode") as HTMLSelectElement, {
-      target: { value: "api_key" },
+    fireEvent.change(document.querySelector("[data-testid='provider-select']") as HTMLSelectElement, {
+      target: { value: "minimax|MINIMAX_API_KEY" },
    });
    fireEvent.change(document.getElementById("llm-secret-input") as HTMLInputElement, {
      target: { value: "sk-minimax-test" },
@@ -213,8 +295,11 @@ describe("CreateWorkspaceDialog", () => {
    fireEvent.change(screen.getByPlaceholderText("e.g. SEO Agent"), {
      target: { value: "OAuth Agent" },
    });
-    fireEvent.change(document.getElementById("llm-auth-mode") as HTMLSelectElement, {
-      target: { value: "oauth" },
+    fireEvent.change(document.querySelector("[data-testid='provider-select']") as HTMLSelectElement, {
+      target: { value: "anthropic-oauth|CLAUDE_CODE_OAUTH_TOKEN" },
+    });
+    fireEvent.change(document.querySelector("[data-testid='model-select']") as HTMLSelectElement, {
+      target: { value: "sonnet" },
    });
    fireEvent.change(document.getElementById("llm-secret-input") as HTMLInputElement, {
      target: { value: "oauth-token" },
@@ -230,6 +315,18 @@ describe("CreateWorkspaceDialog", () => {
    expect(body.secrets).toEqual({ CLAUDE_CODE_OAUTH_TOKEN: "oauth-token" });
  });

+  it("lists all Claude Code subscription aliases for blank workspaces", async () => {
+    await openDialog();
+
+    fireEvent.change(document.querySelector("[data-testid='provider-select']") as HTMLSelectElement, {
+      target: { value: "anthropic-oauth|CLAUDE_CODE_OAUTH_TOKEN" },
+    });
+
+    const modelSelect = document.querySelector("[data-testid='model-select']") as HTMLSelectElement;
+    const optionValues = Array.from(modelSelect.options).map((option) => option.value);
+    expect(optionValues).toEqual(expect.arrayContaining(["sonnet", "opus", "haiku"]));
+  });
+
  it("renders gracefully when GET /workspaces fails", async () => {
    mockGet.mockRejectedValueOnce(new Error("Network error"));
    await openDialog();
@@ -244,225 +341,103 @@ describe("CreateWorkspaceDialog", () => {
 });

 // ---------------------------------------------------------------------------
-// Hermes provider picker tests
+// Dynamic runtime provider picker tests
 // ---------------------------------------------------------------------------

-describe("CreateWorkspaceDialog — Hermes provider picker", () => {
-  it("does NOT show hermes provider section for non-hermes templates", async () => {
+describe("CreateWorkspaceDialog — dynamic runtime provider picker", () => {
+  it("does not render the old Hermes-only provider section", async () => {
    await openDialog();
-    await setTemplate("seo-agent");
+    await setRuntime("hermes");
    expect(document.querySelector("[data-testid='hermes-provider-section']")).toBeNull();
  });

-  it("shows hermes provider section when template is 'hermes'", async () => {
+  it("derives Hermes provider and model options from the /templates runtime row", async () => {
    await openDialog();
-    await setTemplate("hermes");
-    await waitFor(() =>
-      expect(document.querySelector("[data-testid='hermes-provider-section']")).toBeTruthy()
-    );
+    await setRuntime("hermes");
+
+    const providerSelect = document.querySelector("[data-testid='provider-select']") as HTMLSelectElement;
+    await waitFor(() => expect(providerSelect.options.length).toBe(4));
+
+    const providerValues = Array.from(providerSelect.options).map((option) => option.value);
+    expect(providerValues).toEqual(expect.arrayContaining([
+      "platform|",
+      "openai|OPENAI_API_KEY",
+      "anthropic|ANTHROPIC_API_KEY",
+    ]));
+    expect(providerValues).not.toContain("gemini|GEMINI_API_KEY");
  });

-  it("shows hermes provider section for template 'HERMES' (case-insensitive)", async () => {
+  it("uses the template-declared default provider/model for Hermes", async () => {
    await openDialog();
-    await setTemplate("HERMES");
-    await waitFor(() =>
-      expect(document.querySelector("[data-testid='hermes-provider-section']")).toBeTruthy()
-    );
+    await setRuntime("hermes");
+
+    await waitFor(() => {
+      const providerSelect = document.querySelector("[data-testid='provider-select']") as HTMLSelectElement;
+      expect(providerSelect.value).toBe("platform|");
+    });
+    const modelSelect = document.querySelector("[data-testid='model-select']") as HTMLSelectElement;
+    expect(modelSelect.value).toBe("moonshot/kimi-k2.6");
  });

-  it("hermes provider dropdown defaults to 'anthropic'", async () => {
+  it("prompts for the provider credential required by the selected Hermes model", async () => {
    await openDialog();
-    await setTemplate("hermes");
-    await waitFor(() =>
-      expect(document.querySelector("[data-testid='hermes-provider-section']")).toBeTruthy()
-    );
-    const providerSelect = document.getElementById("hermes-provider-select") as HTMLSelectElement;
-    expect(providerSelect).toBeTruthy();
-    expect(providerSelect.value).toBe("anthropic");
-  });
+    await setRuntime("hermes");

-  it("hermes provider dropdown lists all 15 providers", async () => {
-    await openDialog();
-    await setTemplate("hermes");
-    await waitFor(() =>
-      expect(document.querySelector("[data-testid='hermes-provider-section']")).toBeTruthy()
-    );
-    const providerSelect = document.getElementById("hermes-provider-select") as HTMLSelectElement;
-    expect(providerSelect.options.length).toBe(HERMES_PROVIDERS.length);
-    const ids = Array.from(providerSelect.options).map((o) => o.value);
-    expect(ids).toContain("anthropic");
-    expect(ids).toContain("openai");
-    expect(ids).toContain("gemini");
-    expect(ids).toContain("deepseek");
-    expect(ids).toContain("hermes");
-  });
-
-  // Pins the dynamic-providers behavior: when the matched template's
-  // /templates row declares `providers`, the dropdown filters to that
-  // subset instead of showing the full HERMES_PROVIDERS catalog. Same
-  // data source ConfigTab uses (PR #2454) — keeps the modal and the
-  // settings tab honest about which providers a template supports.
-  it("hermes provider dropdown filters to template-declared providers when /templates ships them", async () => {
-    // Per-URL mock: /workspaces returns the existing fixture, /templates
-    // returns a hermes row that only allows anthropic + minimax + openai.
-    mockGet.mockImplementation(async (url: string) => {
-      if (url === "/templates") {
-        return [
-          { id: "hermes", name: "Hermes", runtime: "hermes", providers: ["anthropic", "minimax", "openai"] },
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        ] as any;
-      }
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      return SAMPLE_WORKSPACES as any;
+    fireEvent.change(document.querySelector("[data-testid='provider-select']") as HTMLSelectElement, {
+      target: { value: "openai|OPENAI_API_KEY" },
    });

-    await openDialog();
-    await setTemplate("hermes");
-    await waitFor(() =>
-      expect(document.querySelector("[data-testid='hermes-provider-section']")).toBeTruthy()
-    );
-    const providerSelect = document.getElementById("hermes-provider-select") as HTMLSelectElement;
-    // Filtered list arrives async after /templates fetch resolves —
-    // keep waiting until the dropdown shrinks below the full catalog.
-    await waitFor(() => expect(providerSelect.options.length).toBe(3));
-    const ids = Array.from(providerSelect.options).map((o) => o.value);
-    expect(ids).toEqual(expect.arrayContaining(["anthropic", "minimax", "openai"]));
-    expect(ids).not.toContain("gemini");
-    expect(ids).not.toContain("deepseek");
-  });
-
-  // Back-compat: a template that hasn't migrated to runtime_config.providers
-  // (older templates, self-hosted setups without /templates server) keeps
-  // showing the full provider catalog. Operators picking from those
-  // templates can't be locked out of providers we know hermes supports.
-  it("hermes provider dropdown falls back to all providers when template declares no providers list", async () => {
-    mockGet.mockImplementation(async (url: string) => {
-      if (url === "/templates") {
-        // No `providers` field — empty/missing → fall back to full catalog.
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        return [{ id: "hermes", name: "Hermes", runtime: "hermes" }] as any;
-      }
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      return SAMPLE_WORKSPACES as any;
-    });
-
-    await openDialog();
-    await setTemplate("hermes");
-    await waitFor(() =>
-      expect(document.querySelector("[data-testid='hermes-provider-section']")).toBeTruthy()
-    );
-    const providerSelect = document.getElementById("hermes-provider-select") as HTMLSelectElement;
-    expect(providerSelect.options.length).toBe(HERMES_PROVIDERS.length);
-  });
-
-  // Defensive: a template's declared list with NO matches against our
-  // static catalog (e.g. a brand-new provider id we don't have label/
-  // envVar metadata for yet) must not render an empty <select> — the
-  // operator can't pick a provider, the form locks. Component falls
-  // back to the full catalog so the user can still proceed.
-  it("hermes provider dropdown falls back to all providers when template declares only unknown providers", async () => {
-    mockGet.mockImplementation(async (url: string) => {
-      if (url === "/templates") {
-        return [
-          { id: "hermes", name: "Hermes", runtime: "hermes", providers: ["totally-new-provider-2030"] },
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        ] as any;
-      }
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      return SAMPLE_WORKSPACES as any;
-    });
-
-    await openDialog();
-    await setTemplate("hermes");
-    await waitFor(() =>
-      expect(document.querySelector("[data-testid='hermes-provider-section']")).toBeTruthy()
-    );
-    const providerSelect = document.getElementById("hermes-provider-select") as HTMLSelectElement;
-    // Stays at full catalog length — no flapping to 0 then back.
-    expect(providerSelect.options.length).toBe(HERMES_PROVIDERS.length);
-  });
-
-  it("hermes API key field is a password input (masked)", async () => {
-    await openDialog();
-    await setTemplate("hermes");
-    await waitFor(() =>
-      expect(document.querySelector("[data-testid='hermes-provider-section']")).toBeTruthy()
-    );
-    const keyInput = document.getElementById("hermes-api-key-input") as HTMLInputElement;
+    const keyInput = document.getElementById("llm-secret-input") as HTMLInputElement;
    expect(keyInput).toBeTruthy();
    expect(keyInput.type).toBe("password");
  });

-  it("shows an error if hermes template is set but API key is empty on submit", async () => {
+  it("shows an error if the selected runtime provider requires a credential", async () => {
    await openDialog();
    fireEvent.change(screen.getByPlaceholderText("e.g. SEO Agent"), {
      target: { value: "Hermes Agent" },
    });
-    await setTemplate("hermes");
-    await waitFor(() =>
-      expect(document.querySelector("[data-testid='hermes-provider-section']")).toBeTruthy()
-    );
+    await setRuntime("hermes");
+    fireEvent.change(document.querySelector("[data-testid='provider-select']") as HTMLSelectElement, {
+      target: { value: "openai|OPENAI_API_KEY" },
+    });

-    // Submit without API key
    const createBtn = screen.getAllByRole("button").find((b) => b.textContent === "Create");
    fireEvent.click(createBtn!);

    await waitFor(() => {
      const alert = screen.getByRole("alert");
-      expect(alert.textContent).toContain("API key");
+      expect(alert.textContent).toContain("Provider credential");
    });
    expect(mockPost).not.toHaveBeenCalled();
  });

-  it("includes secrets in POST body with correct env var for selected provider", async () => {
-    await openDialog();
-    fireEvent.change(screen.getByPlaceholderText("e.g. SEO Agent"), {
-      target: { value: "Hermes Agent" },
-    });
-    await setTemplate("hermes");
-    await waitFor(() =>
-      expect(document.querySelector("[data-testid='hermes-provider-section']")).toBeTruthy()
-    );
-
-    // Fill in the API key
-    const keyInput = document.getElementById("hermes-api-key-input") as HTMLInputElement;
-    fireEvent.change(keyInput, { target: { value: "sk-test-anthropic-key" } });
-
-    const createBtn = screen.getAllByRole("button").find((b) => b.textContent === "Create");
-    fireEvent.click(createBtn!);
-
-    await waitFor(() => expect(mockPost).toHaveBeenCalled());
-    const body = mockPost.mock.calls[0][1] as Record<string, unknown>;
-    expect(body.secrets).toEqual({ ANTHROPIC_API_KEY: "sk-test-anthropic-key" });
-    expect(body.template).toBe("hermes");
-  });
-
-  it("uses the correct env var when a non-default provider is selected", async () => {
+  it("includes runtime-derived provider/model/secrets in POST body", async () => {
    await openDialog();
    fireEvent.change(screen.getByPlaceholderText("e.g. SEO Agent"), {
      target: { value: "Hermes OpenAI" },
    });
-    await setTemplate("hermes");
-    await waitFor(() =>
-      expect(document.querySelector("[data-testid='hermes-provider-section']")).toBeTruthy()
-    );
-
-    // Switch to openai
-    const providerSelect = document.getElementById("hermes-provider-select") as HTMLSelectElement;
-    fireEvent.change(providerSelect, { target: { value: "openai" } });
-
-    const keyInput = document.getElementById("hermes-api-key-input") as HTMLInputElement;
-    fireEvent.change(keyInput, { target: { value: "sk-openai-test" } });
+    await setRuntime("hermes");
+    fireEvent.change(document.querySelector("[data-testid='provider-select']") as HTMLSelectElement, {
+      target: { value: "openai|OPENAI_API_KEY" },
+    });
+    fireEvent.change(document.getElementById("llm-secret-input") as HTMLInputElement, {
+      target: { value: "sk-openai-test" },
+    });

    const createBtn = screen.getAllByRole("button").find((b) => b.textContent === "Create");
    fireEvent.click(createBtn!);

    await waitFor(() => expect(mockPost).toHaveBeenCalled());
    const body = mockPost.mock.calls[0][1] as Record<string, unknown>;
+    expect(body.runtime).toBe("hermes");
+    expect(body.template).toBeUndefined();
+    expect(body.model).toBe("openai/gpt-4o");
+    expect(body.llm_provider).toBe("openai");
    expect(body.secrets).toEqual({ OPENAI_API_KEY: "sk-openai-test" });
  });

-  it("does NOT include secrets field when template is not hermes", async () => {
+  it("does NOT include secrets field when provider is platform-managed", async () => {
    await openDialog();
    fireEvent.change(screen.getByPlaceholderText("e.g. SEO Agent"), {
      target: { value: "Normal Agent" },
@@ -476,20 +451,6 @@ describe("CreateWorkspaceDialog — Hermes provider picker", () => {
    const body = mockPost.mock.calls[0][1] as Record<string, unknown>;
    expect(body.secrets).toBeUndefined();
  });
-
-  it("hides hermes section and resets state when template is cleared", async () => {
-    await openDialog();
-    await setTemplate("hermes");
-    await waitFor(() =>
-      expect(document.querySelector("[data-testid='hermes-provider-section']")).toBeTruthy()
-    );
-
-    // Clear template
-    await setTemplate("");
-    await waitFor(() =>
-      expect(document.querySelector("[data-testid='hermes-provider-section']")).toBeNull()
-    );
-  });
 });

 // ---------------------------------------------------------------------------
@@ -96,12 +96,12 @@ vi.mock("@/lib/design-tokens", () => ({
 // ─── Fixtures ─────────────────────────────────────────────────────────────────

 const TEMPLATE = {
-  id: "tpl-1",
-  name: "Claude Code Agent",
-  description: "A general-purpose coding assistant",
+  id: "seo-agent",
+  name: "SEO Agent",
+  description: "SEO workspace template",
  tier: 2,
  skill_count: 3,
-  model: "claude-opus-4-5",
+  model: "MiniMax-M2.7",
 };

 function template(overrides: Partial<typeof TEMPLATE> = {}): typeof TEMPLATE {
@@ -159,7 +159,7 @@ describe("EmptyState — loading", () => {
  it("does not render template buttons while loading", async () => {
    renderEmpty();
    await flush();
-    expect(screen.queryByText("Claude Code Agent")).toBeNull();
+    expect(screen.queryByText("SEO Agent")).toBeNull();
  });
 });

@@ -183,8 +183,8 @@ describe("EmptyState — templates", () => {
  it("renders template buttons with name and description", async () => {
    renderEmpty();
    await flush();
-    expect(screen.getByText("Claude Code Agent")).toBeTruthy();
-    expect(screen.getByText("A general-purpose coding assistant")).toBeTruthy();
+    expect(screen.getByText("SEO Agent")).toBeTruthy();
+    expect(screen.getByText("SEO workspace template")).toBeTruthy();
  });

  it("renders tier badge and skill count", async () => {
@@ -198,25 +198,42 @@ describe("EmptyState — templates", () => {
  it("renders model name when present", async () => {
    renderEmpty();
    await flush();
-    expect(screen.getByText(/claude-opus/i)).toBeTruthy();
+    expect(screen.getByText(/MiniMax-M2.7/i)).toBeTruthy();
  });

  it("calls deploy with the template on click", async () => {
    renderEmpty();
    await flush();
-    fireEvent.click(screen.getByText("Claude Code Agent"));
+    fireEvent.click(screen.getByText("SEO Agent"));
    expect(_deploy.deployFn).toHaveBeenCalledWith(template());
  });

+  it("hides runtime-default templates from the product template grid", async () => {
+    mockApiGet.mockResolvedValue([
+      template({ id: "claude-code-default", name: "Claude Code Agent" }),
+      template({ id: "codex", name: "OpenAI Codex CLI" }),
+      template({ id: "hermes", name: "Hermes Agent" }),
+      template({ id: "openclaw", name: "OpenClaw Agent" }),
+      template(),
+    ]);
+    renderEmpty();
+    await flush();
+    expect(screen.getByText("SEO Agent")).toBeTruthy();
+    expect(screen.queryByText("Claude Code Agent")).toBeNull();
+    expect(screen.queryByText("OpenAI Codex CLI")).toBeNull();
+    expect(screen.queryByText("Hermes Agent")).toBeNull();
+    expect(screen.queryByText("OpenClaw Agent")).toBeNull();
+  });
+
  it("shows 'Deploying...' on the button of the template being deployed", async () => {
-    _deploy.deploying = "tpl-1";
+    _deploy.deploying = "seo-agent";
    renderEmpty();
    await flush();
    expect(screen.getByText("Deploying...")).toBeTruthy();
  });

  it("disables the template button of the deploying template", async () => {
-    _deploy.deploying = "tpl-1";
+    _deploy.deploying = "seo-agent";
    renderEmpty();
    await flush();
    const btn = screen.getByText("Deploying...").closest("button") as HTMLButtonElement;
@@ -224,7 +241,7 @@ describe("EmptyState — templates", () => {
  });

  it("disables 'create blank' while a template is deploying", async () => {
-    _deploy.deploying = "tpl-1";
+    _deploy.deploying = "seo-agent";
    renderEmpty();
    await flush();
    expect(screen.getByRole("button", { name: "+ Create blank workspace" }).disabled).toBe(true);
@@ -245,7 +262,7 @@ describe("EmptyState — fetch failure / empty templates", () => {
  it("does not render template grid when GET /templates returns []", async () => {
    renderEmpty();
    await flush();
-    expect(screen.queryByText("Claude Code Agent")).toBeNull();
+    expect(screen.queryByText("SEO Agent")).toBeNull();
  });

  it("renders 'create blank' button when templates list is empty", async () => {
@@ -258,7 +275,7 @@ describe("EmptyState — fetch failure / empty templates", () => {
    mockApiGet.mockReset().mockRejectedValue(new Error("Network failure"));
    renderEmpty();
    await flush();
-    expect(screen.queryByText("Claude Code Agent")).toBeNull();
+    expect(screen.queryByText("SEO Agent")).toBeNull();
  });
 });

@@ -316,7 +333,7 @@ describe("EmptyState — create blank", () => {
    await flush();
    fireEvent.click(screen.getByRole("button", { name: "+ Create blank workspace" }));
    await act(async () => { await Promise.resolve(); });
-    expect((screen.getByText("Claude Code Agent").closest("button") as HTMLButtonElement).disabled).toBe(true);
+    expect((screen.getByText("SEO Agent").closest("button") as HTMLButtonElement).disabled).toBe(true);
  });

  it("shows error banner when POST /workspaces fails", async () => {
@@ -402,6 +402,31 @@ describe("MissingKeysModal — add keys and deploy", () => {
    expect(onKeysAdded).toHaveBeenCalled();
  });

+  it("shows optional keys without blocking deploy", () => {
+    const onKeysAdded = vi.fn();
+    render(
+      <MissingKeysModal
+        open={true}
+        missingKeys={[]}
+        optionalKeys={["GOOGLE_GSC_SITE"]}
+        runtime="claude-code"
+        title="Configure Workspace"
+        onKeysAdded={onKeysAdded}
+        onCancel={vi.fn()}
+      />
+    );
+
+    expect(screen.getByText("Optional")).toBeTruthy();
+    expect(screen.getAllByText("GOOGLE_GSC_SITE").length).toBeGreaterThan(0);
+    const deployBtn = Array.from(document.querySelectorAll("button")).find(
+      (b) => b.textContent?.trim() === "Deploy",
+    );
+    expect(deployBtn).toBeTruthy();
+    expect(deployBtn!.disabled).toBe(false);
+    act(() => { fireEvent.click(deployBtn!); });
+    expect(onKeysAdded).toHaveBeenCalled();
+  });
+
  it("shows global error when not all keys saved", async () => {
    const onKeysAdded = vi.fn();
    render(
@@ -529,4 +554,4 @@ describe("MissingKeysModal — cancel and settings", () => {
    );
    expect(screen.queryByRole("button", { name: /open settings/i })).toBeNull();
  });
-});
+});
@@ -44,6 +44,14 @@ const HERMES_MODELS: SelectorModel[] = [
 ];

 describe("inferVendor", () => {
+  it("uses explicit provider metadata before slug heuristics", () => {
+    expect(inferVendor({
+      id: "moonshot/kimi-k2.6",
+      provider: "platform",
+      required_env: [],
+    })).toBe("platform");
+  });
+
  it("uses slash prefix when present", () => {
    expect(inferVendor({ id: "nousresearch/hermes-4-70b", required_env: ["HERMES_API_KEY"] }))
      .toBe("nousresearch");
@@ -105,6 +113,22 @@ describe("buildProviderCatalog", () => {
    expect(oauth!.models.map((m) => m.id).sort()).toEqual(["haiku", "opus", "sonnet"]);
  });

+  it("labels explicit platform-managed providers", () => {
+    const catalog = buildProviderCatalog([
+      {
+        id: "moonshot/kimi-k2.6",
+        name: "Kimi K2.6",
+        provider: "platform",
+        required_env: [],
+      },
+    ]);
+    expect(catalog[0]).toMatchObject({
+      vendor: "platform",
+      label: "Platform",
+      envVars: [],
+    });
+  });
+
  it("flags wildcard providers", () => {
    const catalog = buildProviderCatalog(HERMES_MODELS);
    const hf = catalog.find((p) => p.vendor === "huggingface");
@@ -189,6 +189,23 @@ describe("TemplatePalette — sidebar", () => {
    expect(screen.getByText("Researcher")).toBeTruthy();
  });

+  it("hides runtime-default templates from the deployable product template list", async () => {
+    mockGet.mockResolvedValue([
+      { id: "claude-code-default", name: "Claude Code Agent", description: "", tier: 4, skills: [] },
+      { id: "codex", name: "OpenAI Codex CLI", description: "", tier: 4, skills: [] },
+      { id: "hermes", name: "Hermes Agent", description: "", tier: 4, skills: [] },
+      { id: "openclaw", name: "OpenClaw Agent", description: "", tier: 4, skills: [] },
+      { id: "seo-agent", name: "SEO Agent", description: "SEO workspace template", tier: 4, skills: ["seo"] },
+    ]);
+    render(<TemplatePalette />);
+    await openSidebar();
+    expect(screen.getByText("SEO Agent")).toBeTruthy();
+    expect(screen.queryByText("Claude Code Agent")).toBeNull();
+    expect(screen.queryByText("OpenAI Codex CLI")).toBeNull();
+    expect(screen.queryByText("Hermes Agent")).toBeNull();
+    expect(screen.queryByText("OpenClaw Agent")).toBeNull();
+  });
+
  it("shows template description", async () => {
    mockGet.mockResolvedValue(MOCK_TEMPLATES);
    render(<TemplatePalette />);
@@ -68,7 +68,11 @@ afterEach(() => {

 function ShortcutTestComponent() {
  useKeyboardShortcuts();
-  return <div data-testid="canvas-root" />;
+  return (
+    <div data-testid="canvas-root">
+      <div data-testid="display-stream" data-display-stream="true" />
+    </div>
+  );
 }

 function renderWithProvider() {
@@ -78,6 +82,13 @@ function renderWithProvider() {
 // ─── Tests ───────────────────────────────────────────────────────────────────

 describe("Esc — deselect / close context menu", () => {
+  it("does not handle keys targeted at the display stream", () => {
+    mockStoreState.contextMenu = { x: 100, y: 100, nodeId: "n1" };
+    const { getByTestId } = renderWithProvider();
+    fireEvent.keyDown(getByTestId("display-stream"), { key: "Escape" });
+    expect(mockStoreState.closeContextMenu).not.toHaveBeenCalled();
+  });
+
  it("closes the context menu when one is open", () => {
    mockStoreState.contextMenu = { x: 100, y: 100, nodeId: "n1" };
    renderWithProvider();
@@ -28,12 +28,14 @@ function hasChildren(nodeId: string, nodes: Node<WorkspaceNodeData>[]): boolean
 export function useKeyboardShortcuts() {
  useEffect(() => {
    const handler = (e: KeyboardEvent) => {
-      const tag = (e.target as HTMLElement).tagName;
+      const target = e.target as HTMLElement;
+      if (target.closest?.('[data-display-stream="true"]')) return;
+      const tag = target.tagName;
      const inInput =
        tag === "INPUT" ||
        tag === "TEXTAREA" ||
        tag === "SELECT" ||
-        (e.target as HTMLElement).isContentEditable;
+        target.isContentEditable;

      if (e.key === "Escape") {
        const state = useCanvasStore.getState();
@@ -131,7 +131,7 @@ export function OrgTokensTab() {
        <button
          onClick={handleCreate}
          disabled={creating}
-          className="px-3 py-1.5 bg-accent-strong/20 hover:bg-accent-strong/30 border border-accent/30 rounded-lg text-[11px] text-accent font-medium transition-colors disabled:opacity-50 disabled:cursor-not-allowed flex items-center gap-1.5"
+          className="px-3 py-1.5 bg-accent-strong/20 hover:bg-accent-strong/30 border border-accent/30 rounded-lg text-[11px] text-accent font-medium transition-colors disabled:opacity-50 disabled:cursor-not-allowed flex items-center gap-1.5 focus:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
        >
          {creating ? (
            <>
@@ -175,7 +175,7 @@ export function OrgTokensTab() {
      )}

      {error && (
-        <div className="px-3 py-2 bg-red-950/40 border border-red-800/50 rounded-lg text-[10px] text-bad">
+        <div role="alert" aria-live="assertive" className="px-3 py-2 bg-red-950/40 border border-red-800/50 rounded-lg text-[10px] text-bad">
          {error}
        </div>
      )}
@@ -152,7 +152,7 @@ export function SecretRow({ secret, workspaceId }: SecretRowProps) {
            className="secret-row__action-btn"
            title="Edit"
          >
-            ✏
+            <span aria-hidden="true">✏</span>
          </button>
          <button
            type="button"
@@ -161,7 +161,7 @@ export function SecretRow({ secret, workspaceId }: SecretRowProps) {
            className="secret-row__action-btn secret-row__action-btn--delete"
            title="Delete"
          >
-            🗑
+            <span aria-hidden="true">🗑</span>
          </button>
        </div>
      </div>
@@ -121,7 +121,7 @@ function WorkspaceTokensTab({ workspaceId }: TokensTabProps) {
        <button
          onClick={handleCreate}
          disabled={creating}
-          className="px-3 py-1.5 bg-accent-strong/20 hover:bg-accent-strong/30 border border-accent/30 rounded-lg text-[11px] text-accent font-medium transition-colors disabled:opacity-50 disabled:cursor-not-allowed flex items-center gap-1.5"
+          className="px-3 py-1.5 bg-accent-strong/20 hover:bg-accent-strong/30 border border-accent/30 rounded-lg text-[11px] text-accent font-medium transition-colors disabled:opacity-50 disabled:cursor-not-allowed flex items-center gap-1.5 focus:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
        >
          {creating ? <><Spinner size="sm" /> Creating...</> : '+ New Token'}
        </button>
@@ -155,7 +155,7 @@ function WorkspaceTokensTab({ workspaceId }: TokensTabProps) {
      )}

      {error && (
-        <div className="px-3 py-2 bg-red-950/40 border border-red-800/50 rounded-lg text-[10px] text-bad">
+        <div role="alert" aria-live="assertive" className="px-3 py-2 bg-red-950/40 border border-red-800/50 rounded-lg text-[10px] text-bad">
          {error}
        </div>
      )}
@@ -6,6 +6,7 @@ import { useCanvasStore } from "@/store/canvas";
 import { type ConfigData, DEFAULT_CONFIG, TextInput, NumberInput, Toggle, TagList, Section } from "./config/form-inputs";
 import { parseYaml, toYaml } from "./config/yaml-utils";
 import { SecretsSection } from "./config/secrets-section";
+import { LLMBillingSection } from "./config/llm-billing-section";
 import { ExternalConnectionSection } from "./ExternalConnectionSection";
 import {
  ProviderModelSelector,
@@ -287,6 +288,40 @@ export function deriveProvidersFromModels(models: ModelSpec[]): string[] {
  return out;
 }

+// billingModeForProvider — maps a selected PROVIDER (vendor key) to the
+// LLM billing_mode it implies (internal#703 Gap 2).
+//
+// Today, picking a non-Platform provider in the Config tab writes the
+// credential env (CLAUDE_CODE_OAUTH_TOKEN / vendor key) but leaves
+// llm_billing_mode at its resolved default (`platform_managed`). The CP
+// tenant_config endpoint then keeps injecting the platform proxy base
+// URLs, so the OAuth token / vendor key is never actually used — BYOK
+// silently no-ops (the live SEO-Agent symptom in #703). The workspace-
+// server even hard-blocks vendor-key writes on platform_managed
+// workspaces (secrets.go:87), pointing the user at this exact billing-
+// mode switch. Wiring the provider change to also set billing_mode is
+// the UI half that makes BYOK take (the CP/workspace-server backend half
+// is being fixed in parallel — internal#703 Gap 1).
+//
+// Mapping:
+//   - "platform" (the Platform-managed proxy) OR "" (no explicit
+//     provider override → inherit, defaults to platform) → "platform_managed".
+//   - any other vendor key ("anthropic-oauth" = Claude Code subscription
+//     OAuth, "anthropic" = Anthropic API key, "minimax", "openrouter",
+//     etc.) → "byok".
+//
+// Returns the billing_mode string the PUT body should carry. The valid
+// set is fixed by workspace-server's recognizer (platform_managed | byok
+// | disabled); "disabled" is never auto-selected by a provider choice —
+// it's an explicit operator action via the LLM Billing section.
+export type LLMBillingMode = "platform_managed" | "byok";
+
+export function billingModeForProvider(provider: string): LLMBillingMode {
+  const v = provider.trim().toLowerCase();
+  if (v === "" || v === "platform") return "platform_managed";
+  return "byok";
+}
+
 // Fallback used when /templates can't be fetched (offline, older backend).
 // Keep in sync with manifest.json workspace_templates as a defensive default.
 // Model + env suggestions only flow when the backend is reachable.
@@ -701,6 +736,36 @@ export function ConfigTab({ workspaceId }: Props) {
        }
      }

+      // Provider → billing_mode linkage (internal#703 Gap 2). When the
+      // provider actually changed AND its implied billing_mode differs
+      // from the previously-selected provider's, push the new mode to
+      // the per-tenant llm-billing-mode endpoint (same path the LLM
+      // Billing section uses). Without this, selecting a non-Platform
+      // provider leaves billing_mode=platform_managed → CP keeps
+      // injecting the platform proxy → BYOK never takes.
+      //
+      // Gated on (a) the provider PUT having succeeded — no point setting
+      // byok if the credential write failed — and (b) the mode actually
+      // changing, so an unrelated provider tweak between two BYOK vendors
+      // (e.g. minimax → openrouter) doesn't re-issue a redundant
+      // platform_managed→byok PUT and trigger a needless restart.
+      let billingModeSaveError: string | null = null;
+      if (providerChanged && !providerSaveError) {
+        const nextMode = billingModeForProvider(provider);
+        const prevMode = billingModeForProvider(originalProvider);
+        if (nextMode !== prevMode) {
+          try {
+            await api.put(
+              `/admin/workspaces/${workspaceId}/llm-billing-mode`,
+              { mode: nextMode },
+            );
+          } catch (e) {
+            billingModeSaveError =
+              e instanceof Error ? e.message : "Billing mode update was rejected";
+          }
+        }
+      }
+
      setOriginalYaml(content);
      if (rawMode) {
        const parsed = parseYaml(content);
@@ -720,16 +785,22 @@ export function ConfigTab({ workspaceId }: Props) {
      } else if (!restart) {
        useCanvasStore.getState().updateNodeData(workspaceId, { needsRestart: !providerWillAutoRestart });
      }
-      // Aggregate partial-save errors. Both modelSaveError and
-      // providerSaveError describe rejected updates from independent
-      // endpoints — show whichever fired so the user knows which
-      // field reverts on next reload (otherwise they'd see "Saved" and
-      // be confused why Provider snapped back).
+      // Aggregate partial-save errors. modelSaveError, providerSaveError,
+      // and billingModeSaveError describe rejected updates from
+      // independent endpoints — show whichever fired so the user knows
+      // which field reverts on next reload (otherwise they'd see "Saved"
+      // and be confused why Provider snapped back). The billing-mode case
+      // is the most important to surface: the provider credential saved
+      // but BYOK won't actually take until billing_mode flips, so a
+      // silent failure here is exactly the #703 "selecting a provider has
+      // no effect" symptom.
      const partialError = providerSaveError
        ? `Other fields saved, but provider update failed: ${providerSaveError}`
-        : modelSaveError
-          ? `Other fields saved, but model update failed: ${modelSaveError}`
-          : null;
+        : billingModeSaveError
+          ? `Provider saved, but switching billing mode failed — your own provider key/OAuth may not take effect until billing mode is set: ${billingModeSaveError}`
+          : modelSaveError
+            ? `Other fields saved, but model update failed: ${modelSaveError}`
+            : null;
      if (partialError) {
        setError(partialError);
      } else {
@@ -1108,6 +1179,8 @@ export function ConfigTab({ workspaceId }: Props) {
            </div>
          </Section>

+          <LLMBillingSection workspaceId={workspaceId} />
+
          <SecretsSection
            workspaceId={workspaceId}
            requiredEnv={config.runtime_config?.required_env}
@@ -313,11 +313,21 @@ function DisplayControlBar({

 function DesktopStream({ sessionUrl }: { sessionUrl: string }) {
  const containerRef = useRef<HTMLDivElement | null>(null);
+  const rfbRef = useRef<RFB | null>(null);
  const [streamError, setStreamError] = useState<string | null>(null);
+  const [clipboardStatus, setClipboardStatus] = useState<string | null>(null);
+  const [remoteClipboardText, setRemoteClipboardText] = useState("");

  useEffect(() => {
    let cancelled = false;
    let rfb: RFB | null = null;
+    let clipboardTimer: ReturnType<typeof setTimeout> | null = null;
+
+    const setTemporaryClipboardStatus = (message: string) => {
+      setClipboardStatus(message);
+      if (clipboardTimer) clearTimeout(clipboardTimer);
+      clipboardTimer = setTimeout(() => setClipboardStatus(null), 2500);
+    };

    async function connect() {
      setStreamError(null);
@@ -328,9 +338,19 @@ function DesktopStream({ sessionUrl }: { sessionUrl: string }) {
        rfb = new mod.default(containerRef.current, stream.url, {
          wsProtocols: ["binary", `molecule-display-token.${stream.token}`],
        });
+        rfbRef.current = rfb;
        rfb.scaleViewport = true;
        rfb.resizeSession = true;
        rfb.focusOnClick = true;
+        rfb.focus({ preventScroll: true });
+        rfb.addEventListener("clipboard", (event: Event) => {
+          const text = (event as CustomEvent<{ text?: string }>).detail?.text ?? "";
+          if (!text) return;
+          setRemoteClipboardText(text);
+          void navigator.clipboard?.writeText(text)
+            .then(() => setTemporaryClipboardStatus("Copied remote clipboard"))
+            .catch(() => setTemporaryClipboardStatus("Remote clipboard ready"));
+        });
        rfb.addEventListener("disconnect", (event: Event) => {
          const detail = (event as CustomEvent<{ clean?: boolean }>).detail;
          if (!cancelled && !detail?.clean) setStreamError("Desktop stream disconnected.");
@@ -343,13 +363,83 @@ function DesktopStream({ sessionUrl }: { sessionUrl: string }) {
    connect();
    return () => {
      cancelled = true;
+      if (clipboardTimer) clearTimeout(clipboardTimer);
+      rfbRef.current = null;
      rfb?.disconnect();
    };
  }, [sessionUrl]);

+  useEffect(() => {
+    const onPaste = (event: ClipboardEvent) => {
+      if (!isDisplayEventTarget(containerRef.current, event.target)) return;
+      const text = event.clipboardData?.getData("text/plain") ?? "";
+      if (!text) return;
+      event.preventDefault();
+      rfbRef.current?.clipboardPasteFrom(text);
+      rfbRef.current?.focus({ preventScroll: true });
+      setClipboardStatus("Pasted to desktop");
+    };
+    window.addEventListener("paste", onPaste, true);
+    return () => window.removeEventListener("paste", onPaste, true);
+  }, []);
+
+  const pasteLocalClipboard = async () => {
+    try {
+      const text = await navigator.clipboard?.readText();
+      if (!text) {
+        setClipboardStatus("Clipboard is empty");
+        return;
+      }
+      rfbRef.current?.clipboardPasteFrom(text);
+      rfbRef.current?.focus({ preventScroll: true });
+      setClipboardStatus("Pasted to desktop");
+    } catch {
+      setClipboardStatus("Press Ctrl/Cmd+V while the desktop is focused");
+    }
+  };
+
+  const copyRemoteClipboard = async () => {
+    if (!remoteClipboardText) {
+      setClipboardStatus("No remote clipboard yet");
+      return;
+    }
+    try {
+      await navigator.clipboard.writeText(remoteClipboardText);
+      setClipboardStatus("Copied remote clipboard");
+    } catch {
+      setClipboardStatus("Browser blocked clipboard copy");
+    }
+  };
+
  return (
-    <div className="relative min-h-0 flex-1 bg-black">
+    <div
+      data-display-stream="true"
+      className="relative min-h-0 flex-1 bg-black"
+      onMouseDown={() => rfbRef.current?.focus({ preventScroll: true })}
+    >
      <div ref={containerRef} title="Workspace desktop" className="h-full w-full overflow-hidden bg-black" />
+      <div className="absolute right-3 top-3 flex items-center gap-2">
+        {clipboardStatus && (
+          <span className="rounded border border-line/50 bg-black/80 px-2 py-1 text-[10px] text-white">
+            {clipboardStatus}
+          </span>
+        )}
+        <button
+          type="button"
+          onClick={pasteLocalClipboard}
+          className="h-7 rounded border border-line/50 bg-black/75 px-2 text-[10px] font-medium text-white hover:bg-black"
+        >
+          Paste
+        </button>
+        <button
+          type="button"
+          onClick={copyRemoteClipboard}
+          className="h-7 rounded border border-line/50 bg-black/75 px-2 text-[10px] font-medium text-white hover:bg-black disabled:cursor-not-allowed disabled:opacity-50"
+          disabled={!remoteClipboardText}
+        >
+          Copy
+        </button>
+      </div>
      {streamError && (
        <div className="absolute inset-x-4 top-4 rounded border border-red-500/30 bg-red-950/80 px-3 py-2 text-[11px] text-red-100">
          {streamError}
@@ -359,6 +449,13 @@ function DesktopStream({ sessionUrl }: { sessionUrl: string }) {
  );
 }

+function isDisplayEventTarget(container: HTMLElement | null, target: EventTarget | null): boolean {
+  if (!container) return false;
+  if (target instanceof Node && container.contains(target)) return true;
+  const active = document.activeElement;
+  return active instanceof Node && container.contains(active);
+}
+
 function displayWebSocketConnection(sessionUrl: string): { url: string; token: string } {
  const url = new URL(sessionUrl, window.location.href);
  const token = new URLSearchParams(url.hash.replace(/^#/, "")).get("token") ?? "";
@@ -0,0 +1,255 @@
+// @vitest-environment jsdom
+//
+// Tests for the provider → llm_billing_mode linkage (internal#703 Gap 2).
+//
+// What this pins: when the operator changes the PROVIDER in the Config
+// tab, the workspace's llm_billing_mode must follow — a non-Platform
+// provider sets billing_mode=byok; Platform sets platform_managed. Before
+// this wiring, selecting "Claude Code subscription (OAuth)" or any vendor
+// key wrote the credential env but left billing_mode=platform_managed, so
+// CP kept injecting the platform proxy base URL and the OAuth token /
+// vendor key was never used — BYOK silently no-op'd (the live jrs-auto
+// SEO-Agent symptom in #703).
+//
+// The billing-mode PUT targets the same per-tenant endpoint the LLM
+// Billing section uses: PUT /admin/workspaces/:id/llm-billing-mode with
+// body {mode: "byok" | "platform_managed"}.
+
+import { describe, it, expect, vi, afterEach, beforeEach } from "vitest";
+import { render, screen, cleanup, waitFor, fireEvent } from "@testing-library/react";
+import React from "react";
+
+afterEach(cleanup);
+
+const apiGet = vi.fn();
+const apiPatch = vi.fn();
+const apiPut = vi.fn();
+vi.mock("@/lib/api", () => ({
+  api: {
+    get: (path: string) => apiGet(path),
+    patch: (path: string, body: unknown) => apiPatch(path, body),
+    put: (path: string, body: unknown) => apiPut(path, body),
+    post: vi.fn(),
+    del: vi.fn(),
+  },
+}));
+
+const storeUpdateNodeData = vi.fn();
+const storeRestartWorkspace = vi.fn();
+vi.mock("@/store/canvas", () => ({
+  useCanvasStore: Object.assign(
+    (selector: (s: unknown) => unknown) =>
+      selector({ restartWorkspace: storeRestartWorkspace, updateNodeData: storeUpdateNodeData }),
+    {
+      getState: () => ({
+        restartWorkspace: storeRestartWorkspace,
+        updateNodeData: storeUpdateNodeData,
+      }),
+    },
+  ),
+}));
+
+vi.mock("../AgentCardSection", () => ({
+  AgentCardSection: () => <div data-testid="agent-card-stub" />,
+}));
+
+import { ConfigTab, billingModeForProvider } from "../ConfigTab";
+
+function wireApi(opts: { providerValue?: string | "missing" }) {
+  apiGet.mockImplementation((path: string) => {
+    if (path === `/workspaces/ws-test`) {
+      return Promise.resolve({ runtime: "hermes" });
+    }
+    if (path === `/workspaces/ws-test/model`) {
+      return Promise.resolve({ model: "nousresearch/hermes-4-70b" });
+    }
+    if (path === `/workspaces/ws-test/provider`) {
+      if (opts.providerValue === "missing") return Promise.reject(new Error("404"));
+      return Promise.resolve({
+        provider: opts.providerValue ?? "",
+        source: opts.providerValue ? "workspace_secrets" : "default",
+      });
+    }
+    if (path === `/workspaces/ws-test/files/config.yaml`) {
+      return Promise.resolve({ content: "name: ws\nruntime: hermes\n" });
+    }
+    if (path === "/templates") return Promise.resolve([]);
+    return Promise.reject(new Error(`unmocked api.get: ${path}`));
+  });
+}
+
+function billingModeCalls() {
+  return apiPut.mock.calls.filter(
+    ([path]) => path === "/admin/workspaces/ws-test/llm-billing-mode",
+  );
+}
+
+beforeEach(() => {
+  apiGet.mockReset();
+  apiPatch.mockReset();
+  apiPut.mockReset();
+  storeUpdateNodeData.mockReset();
+  storeRestartWorkspace.mockReset();
+});
+
+describe("billingModeForProvider — pure mapping (internal#703 Gap 2)", () => {
+  // Platform / empty → platform_managed. Empty means "no explicit
+  // override → inherit", which resolves to platform on the backend, so
+  // it must NOT flip the workspace into byok.
+  it("maps Platform and empty to platform_managed", () => {
+    expect(billingModeForProvider("platform")).toBe("platform_managed");
+    expect(billingModeForProvider("")).toBe("platform_managed");
+    expect(billingModeForProvider("  ")).toBe("platform_managed");
+    expect(billingModeForProvider("PLATFORM")).toBe("platform_managed");
+  });
+
+  // Every non-Platform provider → byok. If this regresses to returning
+  // platform_managed for a vendor, BYOK silently no-ops again (#703).
+  it("maps non-Platform providers to byok", () => {
+    expect(billingModeForProvider("anthropic-oauth")).toBe("byok"); // Claude Code subscription
+    expect(billingModeForProvider("anthropic")).toBe("byok"); // Anthropic API key
+    expect(billingModeForProvider("minimax")).toBe("byok");
+    expect(billingModeForProvider("openrouter")).toBe("byok");
+    expect(billingModeForProvider("openai")).toBe("byok");
+  });
+});
+
+describe("ConfigTab — provider change drives billing_mode (internal#703 Gap 2)", () => {
+  // The core fix: picking a non-Platform provider (here "anthropic-oauth"
+  // = Claude Code subscription OAuth) from a fresh/empty provider must
+  // PUT mode=byok to the per-tenant llm-billing-mode endpoint. This is
+  // the exact path that was missing — the credential env saved but the
+  // billing mode never followed, so the proxy stayed engaged.
+  it("PUTs mode=byok when switching to a non-Platform provider", async () => {
+    wireApi({ providerValue: "" });
+    apiPut.mockResolvedValue({ status: "saved" });
+
+    render(<ConfigTab workspaceId="ws-test" />);
+    const input = await screen.findByTestId("provider-input");
+    fireEvent.change(input, { target: { value: "anthropic-oauth" } });
+
+    fireEvent.click(screen.getByRole("button", { name: /^save$/i }));
+
+    await waitFor(() => {
+      const calls = billingModeCalls();
+      expect(calls.length).toBe(1);
+      expect(calls[0][1]).toEqual({ mode: "byok" });
+    });
+    // Provider credential PUT still happens too (independent endpoint).
+    expect(
+      apiPut.mock.calls.some(([path]) => path === "/workspaces/ws-test/provider"),
+    ).toBe(true);
+  });
+
+  // Switching FROM a byok provider back TO Platform must PUT
+  // mode=platform_managed so the workspace re-engages the proxy and stops
+  // expecting a (now-absent) vendor key.
+  it("PUTs mode=platform_managed when switching back to Platform", async () => {
+    wireApi({ providerValue: "anthropic-oauth" });
+    apiPut.mockResolvedValue({ status: "saved" });
+
+    render(<ConfigTab workspaceId="ws-test" />);
+    const input = await screen.findByTestId("provider-input");
+    await waitFor(() => expect((input as HTMLInputElement).value).toBe("anthropic-oauth"));
+    fireEvent.change(input, { target: { value: "platform" } });
+
+    fireEvent.click(screen.getByRole("button", { name: /^save$/i }));
+
+    await waitFor(() => {
+      const calls = billingModeCalls();
+      expect(calls.length).toBe(1);
+      expect(calls[0][1]).toEqual({ mode: "platform_managed" });
+    });
+  });
+
+  // Changing between two BYOK vendors (minimax → openrouter) keeps
+  // billing_mode=byok — the implied mode is unchanged, so re-PUTing it
+  // would be a wasteful no-op that risks an extra restart. Must NOT fire.
+  it("does NOT PUT billing-mode when the implied mode is unchanged", async () => {
+    wireApi({ providerValue: "minimax" });
+    apiPut.mockResolvedValue({ status: "saved" });
+
+    render(<ConfigTab workspaceId="ws-test" />);
+    const input = await screen.findByTestId("provider-input");
+    await waitFor(() => expect((input as HTMLInputElement).value).toBe("minimax"));
+    fireEvent.change(input, { target: { value: "openrouter" } });
+
+    fireEvent.click(screen.getByRole("button", { name: /^save$/i }));
+
+    await waitFor(() => {
+      // Provider PUT fires (vendor changed)...
+      expect(
+        apiPut.mock.calls.some(([path]) => path === "/workspaces/ws-test/provider"),
+      ).toBe(true);
+    });
+    // ...but billing-mode does NOT (byok → byok is a no-op).
+    expect(billingModeCalls().length).toBe(0);
+  });
+
+  // A Save that doesn't touch the provider must not PUT billing-mode —
+  // editing tier/name shouldn't disturb the workspace's billing mode.
+  it("does NOT PUT billing-mode on a Save that leaves provider unchanged", async () => {
+    wireApi({ providerValue: "anthropic-oauth" });
+    apiPut.mockResolvedValue({ status: "saved" });
+
+    render(<ConfigTab workspaceId="ws-test" />);
+    await screen.findByTestId("provider-input");
+
+    // Dirty an unrelated field so Save is enabled.
+    const tierSelect = screen.getByLabelText(/tier/i) as HTMLSelectElement;
+    fireEvent.change(tierSelect, { target: { value: "3" } });
+
+    fireEvent.click(screen.getByRole("button", { name: /^save$/i }));
+
+    await waitFor(() => {
+      // Some PUT may fire (e.g. /model); just assert billing-mode did not.
+      expect(billingModeCalls().length).toBe(0);
+    });
+  });
+
+  // If the provider credential PUT itself fails, we must NOT set byok —
+  // flipping billing_mode while the credential write failed would leave
+  // the workspace expecting a key it doesn't have (worse than no-op).
+  it("does NOT PUT billing-mode when the provider PUT fails", async () => {
+    wireApi({ providerValue: "" });
+    apiPut.mockImplementation((path: string) => {
+      if (path === "/workspaces/ws-test/provider") return Promise.reject(new Error("boom"));
+      return Promise.resolve({ status: "saved" });
+    });
+
+    render(<ConfigTab workspaceId="ws-test" />);
+    const input = await screen.findByTestId("provider-input");
+    fireEvent.change(input, { target: { value: "anthropic-oauth" } });
+
+    fireEvent.click(screen.getByRole("button", { name: /^save$/i }));
+
+    await waitFor(() => {
+      // The provider-failure error is surfaced (getByText throws if absent).
+      expect(screen.getByText(/provider update failed/i)).toBeTruthy();
+    });
+    expect(billingModeCalls().length).toBe(0);
+  });
+
+  // If the credential saved but the billing-mode PUT is rejected, the
+  // user must be warned that BYOK may not take — a silent failure here
+  // is precisely the #703 symptom we're fixing.
+  it("surfaces an error when billing-mode PUT fails after a successful provider save", async () => {
+    wireApi({ providerValue: "" });
+    apiPut.mockImplementation((path: string) => {
+      if (path === "/admin/workspaces/ws-test/llm-billing-mode") {
+        return Promise.reject(new Error("403 forbidden"));
+      }
+      return Promise.resolve({ status: "saved" });
+    });
+
+    render(<ConfigTab workspaceId="ws-test" />);
+    const input = await screen.findByTestId("provider-input");
+    fireEvent.change(input, { target: { value: "anthropic-oauth" } });
+
+    fireEvent.click(screen.getByRole("button", { name: /^save$/i }));
+
+    await waitFor(() => {
+      expect(screen.getByText(/switching billing mode failed/i)).toBeTruthy();
+    });
+  });
+});
@@ -2,10 +2,12 @@
 import { describe, it, expect, vi, beforeEach } from "vitest";
 import { cleanup, fireEvent, render, screen, waitFor } from "@testing-library/react";

-const { mockGet, mockPost, mockRFBConstructor } = vi.hoisted(() => ({
+const { mockGet, mockPost, mockRFBConstructor, mockRFBClipboardPasteFrom, mockRFBFocus } = vi.hoisted(() => ({
  mockGet: vi.fn(),
  mockPost: vi.fn(),
  mockRFBConstructor: vi.fn(),
+  mockRFBClipboardPasteFrom: vi.fn(),
+  mockRFBFocus: vi.fn(),
 }));

 vi.mock("@/lib/api", () => ({
@@ -30,6 +32,12 @@ vi.mock("@novnc/novnc", () => ({
      this.options = options;
      mockRFBConstructor(target, url, options);
    }
+    clipboardPasteFrom(text: string) {
+      mockRFBClipboardPasteFrom(text);
+    }
+    focus(options?: FocusOptions) {
+      mockRFBFocus(options);
+    }
    disconnect() {}
  },
 }));
@@ -42,6 +50,8 @@ describe("DisplayTab", () => {
    mockGet.mockReset();
    mockPost.mockReset();
    mockRFBConstructor.mockReset();
+    mockRFBClipboardPasteFrom.mockReset();
+    mockRFBFocus.mockReset();
  });

  it("renders unavailable state for non-display workspaces", async () => {
@@ -157,6 +167,43 @@ describe("DisplayTab", () => {
    expect(mockRFBConstructor.mock.calls[0][1]).not.toContain("token=");
  });

+  it("forwards browser paste events into the noVNC clipboard", async () => {
+    mockGet
+      .mockResolvedValueOnce({
+        available: true,
+        mode: "desktop-control",
+        protocol: "novnc",
+        width: 1920,
+        height: 1080,
+      })
+      .mockResolvedValueOnce({
+        controller: "none",
+      });
+    mockPost.mockResolvedValueOnce({
+      controller: "user",
+      controlled_by: "admin-token",
+      expires_at: "2026-05-23T08:48:27Z",
+      session_url: "/workspaces/ws-display/display/session/websockify#token=signed",
+    });
+
+    render(<DisplayTab workspaceId="ws-display" />);
+
+    await waitFor(() => {
+      expect(screen.getByRole("button", { name: "Take control" })).toBeTruthy();
+    });
+    fireEvent.click(screen.getByRole("button", { name: "Take control" }));
+
+    const desktop = await screen.findByTitle("Workspace desktop");
+    fireEvent.paste(desktop, {
+      clipboardData: {
+        getData: (type: string) => (type === "text/plain" ? "Paste Me" : ""),
+      },
+    });
+
+    expect(mockRFBClipboardPasteFrom).toHaveBeenCalledWith("Paste Me");
+    expect(mockRFBFocus).toHaveBeenCalledWith({ preventScroll: true });
+  });
+
  it("releases user display control", async () => {
    mockGet
      .mockResolvedValueOnce({
@@ -166,11 +166,12 @@ export function AttachmentImage({ workspaceId, attachment, onDownload, tone }: P
        open={open}
        onClose={() => setOpen(false)}
        ariaLabel={`Preview of ${attachment.name}`}
+        contained
      >
        <img
          src={state.blobUrl}
          alt={attachment.name}
-          className="max-w-[95vw] max-h-[90vh] object-contain"
+          className="max-w-full max-h-full object-contain"
        />
      </AttachmentLightbox>
    </>
@@ -1,6 +1,6 @@
 "use client";

-// AttachmentLightbox — shared fullscreen modal for image / PDF /
+// AttachmentLightbox — shared modal for image / PDF /
 // (future) any-fullscreen-renderable kind. Owns:
 //   - Backdrop + centered viewport
 //   - Esc to close
@@ -14,11 +14,11 @@
 //
 // Design choices:
 //
-// 1. Portals — we don't use ReactDOM.createPortal because the canvas
-//    chat surface already renders at a high z-index and the modal's
-//    fixed-position layout reaches the viewport regardless. Saves a
-//    portal mount in the common case + avoids the SSR warning (canvas
-//    is "use client" but the parent shell is server-rendered).
+// 1. Portals — we don't use ReactDOM.createPortal because the chat tab
+//    already gives us a positioned container and the preview should stay
+//    inside that panel. Saves a portal mount in the common case + avoids
+//    the SSR warning (canvas is "use client" but the parent shell is
+//    server-rendered).
 //
 // 2. Focus trap — inline implementation (not a 3rd-party dep). The
 //    chat lightbox needs to trap focus only across two interactive
@@ -41,13 +41,17 @@ interface Props {
   *  the dialog opens. The caller knows what's inside (image alt
   *  text, PDF filename) and supplies it. */
  ariaLabel: string;
+  /** Constrain the preview to the nearest positioned ancestor instead
+   *  of the whole browser viewport. ChatTab passes this so previews
+   *  stay inside the active side-panel tab. */
+  contained?: boolean;
  /** The thing being shown in fullscreen — <img>, <embed>, etc.
   *  Caller is responsible for sizing it to fit the viewport (we
   *  give it max-w-full max-h-full via CSS). */
  children: ReactNode;
 }

-export function AttachmentLightbox({ open, onClose, ariaLabel, children }: Props) {
+export function AttachmentLightbox({ open, onClose, ariaLabel, contained = false, children }: Props) {
  const closeButtonRef = useRef<HTMLButtonElement>(null);
  const previousFocusRef = useRef<HTMLElement | null>(null);

@@ -90,12 +94,19 @@ export function AttachmentLightbox({ open, onClose, ariaLabel, children }: Props

  if (!open) return null;

+  const rootClass = contained
+    ? "absolute inset-0 z-50 flex items-center justify-center bg-black/85 motion-reduce:transition-none transition-opacity"
+    : "fixed inset-0 z-50 flex items-center justify-center bg-black/85 motion-reduce:transition-none transition-opacity";
+  const contentClass = contained
+    ? "h-full w-full p-3 flex items-center justify-center"
+    : "max-w-[95vw] max-h-[90vh] flex items-center justify-center";
+
  return (
    <div
      role="dialog"
      aria-modal="true"
      aria-label={ariaLabel}
-      className="fixed inset-0 z-50 flex items-center justify-center bg-black/85 motion-reduce:transition-none transition-opacity"
+      className={rootClass}
      onClick={onBackdropClick}
    >
      {/* Close button — top-right, large hit area, keyboard-focusable.
@@ -112,7 +123,7 @@ export function AttachmentLightbox({ open, onClose, ariaLabel, children }: Props
        </svg>
      </button>
      <div
-        className="max-w-[95vw] max-h-[90vh] flex items-center justify-center"
+        className={contentClass}
        onClick={(e) => e.stopPropagation()}
      >
        {children}
@@ -19,8 +19,8 @@
 // suppress the toolbar; we keep it on so the user gets standard
 // PDF affordances.
 //
-// Fullscreen: AttachmentLightbox hosts the PDF at viewport size on
-// click. Same shared modal as image — third caller justifies the
+// Preview: AttachmentLightbox hosts the PDF inside the active chat tab
+// on click. Same shared modal as image — third caller justifies the
 // abstraction (per RFC #2991 design).
 //
 // Failure modes:
@@ -144,8 +144,9 @@ export function AttachmentPDF({ workspaceId, attachment, onDownload, tone }: Pro
        open={open}
        onClose={() => setOpen(false)}
        ariaLabel={`Preview of ${attachment.name}`}
+        contained
      >
-        <div className="h-[90vh] w-[95vw] overflow-hidden rounded-lg border border-white/20 bg-white shadow-2xl">
+        <div className="h-full w-full overflow-hidden rounded-lg border border-white/20 bg-white shadow-2xl">
          <iframe
            src={`${state.blobUrl}#view=FitH`}
            title={attachment.name}
@@ -1,6 +1,6 @@
 // @vitest-environment jsdom
 /**
- * AttachmentLightbox — fullscreen modal for image / PDF preview.
+ * AttachmentLightbox — modal for image / PDF preview.
 *
 * Owns: backdrop + viewport, Esc to close, click-outside to close,
 * focus trap (close button focus on open, restore on close),
@@ -135,6 +135,22 @@ describe("AttachmentLightbox — render", () => {
    const closeBtn = document.querySelector('button[aria-label="Close preview"]');
    expect(closeBtn).toBeTruthy();
  });
+
+  it("uses absolute positioning when contained=true", () => {
+    render(
+      <AttachmentLightbox
+        open={true}
+        onClose={vi.fn()}
+        ariaLabel="Preview"
+        contained
+      >
+        <MockContent />
+      </AttachmentLightbox>,
+    );
+    const dialog = document.querySelector('[role="dialog"]');
+    expect(dialog?.className).toContain("absolute");
+    expect(dialog?.className).not.toContain("fixed");
+  });
 });

 // ─── Focus management ─────────────────────────────────────────────────────────
@@ -1,12 +1,12 @@
 // @vitest-environment jsdom
 /**
- * AttachmentPDF — inline PDF preview button + click-to-fullscreen lightbox.
+ * AttachmentPDF — inline PDF preview button + click-to-panel lightbox.
 *
 * Per RFC #2991 PR-3: platform-auth URIs fetch bytes → Blob → ObjectURL;
 * external URIs use the raw URL directly. State machine: idle → loading →
 * ready/error. Loading skeleton shown while fetching. Error falls back to
 * AttachmentChip. Clicking the preview button opens AttachmentLightbox with
- * <embed>. Blob URL cleaned up on unmount.
+ * a browser PDF iframe. Blob URL cleaned up on unmount.
 *
 * NOTE: No @testing-library/jest-dom import — use DOM APIs for assertions.
 *
@@ -158,10 +158,12 @@ describe("AttachmentPDF — ready", () => {
    });
    const dialog = document.querySelector('[role="dialog"]');
    expect(dialog?.getAttribute("aria-label")).toContain("report.pdf");
+    expect(dialog?.className).toContain("absolute");
    const frame = dialog?.querySelector("iframe") as HTMLIFrameElement | null;
    expect(frame).toBeTruthy();
    expect(frame?.getAttribute("title")).toBe("report.pdf");
    expect(frame?.className).toContain("bg-white");
+    expect(frame?.parentElement?.className).toContain("w-full");
    expect(dialog?.querySelector("embed")).toBeNull();
  });

@@ -237,11 +237,13 @@ describe("AttachmentPreview dispatch", () => {
      expect(screen.getByLabelText(/Open doc\.pdf preview/i)).toBeTruthy();
    });

-    // Click → lightbox opens with <embed> inside.
+    // Click → panel-contained lightbox opens with a browser PDF iframe.
    fireEvent.click(screen.getByLabelText(/Open doc\.pdf preview/i));
    const dialog = await screen.findByRole("dialog");
    expect(dialog).toBeTruthy();
-    expect(dialog.querySelector("embed[type='application/pdf']")).not.toBeNull();
+    expect(dialog.className).toContain("absolute");
+    expect(dialog.querySelector("iframe")).not.toBeNull();
+    expect(dialog.querySelector("embed")).toBeNull();
  });

  it("kind=pdf fetch fails → falls back to chip", async () => {
@@ -113,6 +113,31 @@ describe("resolveAttachmentHref — platform-pending: scheme (poll-mode uploads)
  });
 });

+describe("resolveAttachmentHref — legacy platform content URLs", () => {
+  const chatWs = "chat-ws-aaaaaaaa";
+  const sourceWs = "d76977b1-d620-4f42-a57e-111111111111";
+  const fileID = "e2dfaf2e-1111-4abc-9999-222222222222";
+
+  it("rewrites /workspaces/<ws>/content/<file>/content to the authenticated pending-upload endpoint", () => {
+    const url = resolveAttachmentHref(
+      chatWs,
+      `/workspaces/${sourceWs}/content/${fileID}/content`,
+    );
+    expect(url).toContain(`/workspaces/${sourceWs}/pending-uploads/${fileID}/content`);
+    expect(url).not.toContain(`/workspaces/${chatWs}/`);
+  });
+
+  it("treats legacy content URLs as platform attachments so previews fetch with auth headers", () => {
+    expect(isPlatformAttachment(`/workspaces/${sourceWs}/content/${fileID}/content`)).toBe(true);
+  });
+
+  it("passes malformed legacy content URLs through unchanged", () => {
+    const malformed = `/workspaces/${sourceWs}/content//content`;
+    expect(resolveAttachmentHref(chatWs, malformed)).toBe(malformed);
+    expect(isPlatformAttachment(malformed)).toBe(false);
+  });
+});
+
 describe("isPlatformAttachment", () => {
  it("returns true for platform-pending: URIs", () => {
    expect(isPlatformAttachment("platform-pending:abc/file")).toBe(true);
@@ -125,6 +125,8 @@ export async function uploadChatFiles(
 *    - `/workspace/...` (bare absolute path inside the container)
 *    - `platform-pending:<wsid>/<file_id>` (poll-mode upload, staged
 *      on platform side; resolves to /pending-uploads/<file_id>/content)
+ *    - `/workspaces/<wsid>/content/<file_id>/content` (legacy platform
+ *      content URL; normalizes to the same pending-upload endpoint)
 *  Everything that looks like an allowed-root container path is
 *  rewritten to the authenticated /chat/download endpoint. HTTP(S)
 *  URIs pass through unchanged so we can also render links to
@@ -163,6 +165,11 @@ export function resolveAttachmentHref(
    }
    return uri;
  }
+  const legacy = parseLegacyPlatformContentUri(uri);
+  if (legacy) {
+    const [wsid, fileID] = legacy;
+    return `${PLATFORM_URL}/workspaces/${encodeURIComponent(wsid)}/pending-uploads/${encodeURIComponent(fileID)}/content`;
+  }
  const containerPath = normalizeWorkspaceUri(uri);
  if (containerPath) {
    return `${PLATFORM_URL}/workspaces/${workspaceId}/chat/download?path=${encodeURIComponent(containerPath)}`;
@@ -175,6 +182,7 @@ export function resolveAttachmentHref(
 *  downloadChatFile rather than letting the browser navigate. */
 export function isPlatformAttachment(uri: string): boolean {
  if (uri.startsWith("platform-pending:")) return true;
+  if (parseLegacyPlatformContentUri(uri)) return true;
  return normalizeWorkspaceUri(uri) !== null;
 }

@@ -183,6 +191,12 @@ export function isPlatformAttachment(uri: string): boolean {
 *  mirror the server's `allowedRoots` allowlist. */
 const ALLOWED_CONTAINER_ROOTS = ["/configs", "/workspace", "/home", "/plugins"];

+function parseLegacyPlatformContentUri(uri: string): [string, string] | null {
+  const m = uri.match(/^\/workspaces\/([^/]+)\/content\/([^/]+)\/content(?:[?#].*)?$/);
+  if (!m || !m[1] || !m[2]) return null;
+  return [m[1], m[2]];
+}
+
 function normalizeWorkspaceUri(uri: string): string | null {
  let path: string | null = null;
  if (uri.startsWith("workspace:")) {
@@ -0,0 +1,176 @@
+// @vitest-environment jsdom
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+import {
+  render,
+  screen,
+  waitFor,
+  cleanup,
+  fireEvent,
+} from "@testing-library/react";
+import { LLMBillingSection } from "../llm-billing-section";
+
+// Tests for LLMBillingSection (internal#691). Locks in:
+//  - the section renders the resolved mode + source label
+//  - the dropdown maps "inherit" → PUT {mode: null}
+//  - the dropdown maps "byok" → PUT {mode: "byok"}
+//  - a garbled override surfaces the warning banner
+//  - the post-write resolution updates the UI without a refetch
+
+const apiGet = vi.fn();
+const apiPut = vi.fn();
+
+vi.mock("@/lib/api", () => ({
+  api: {
+    get: (...args: unknown[]) => apiGet(...args),
+    put: (...args: unknown[]) => apiPut(...args),
+    post: vi.fn().mockResolvedValue({}),
+    del: vi.fn().mockResolvedValue({}),
+    patch: vi.fn().mockResolvedValue({}),
+  },
+}));
+
+// Collapsed-by-default Section wrapper would hide the content; replace
+// it with a passthrough so the dropdown is reachable in the test DOM.
+vi.mock("../form-inputs", async () => {
+  const actual = await vi.importActual<typeof import("../form-inputs")>(
+    "../form-inputs",
+  );
+  return {
+    ...actual,
+    Section: ({ children }: { children: React.ReactNode }) => (
+      <div>{children}</div>
+    ),
+  };
+});
+
+beforeEach(() => {
+  vi.clearAllMocks();
+});
+
+afterEach(() => {
+  cleanup();
+});
+
+describe("LLMBillingSection — internal#691", () => {
+  it("renders the resolved mode + source for an inherited workspace", async () => {
+    apiGet.mockResolvedValueOnce({
+      workspace_id: "ws-1",
+      resolved_mode: "platform_managed",
+      workspace_override: null,
+      org_default: "platform_managed",
+      source: "org_default",
+    });
+
+    render(<LLMBillingSection workspaceId="ws-1" />);
+
+    await waitFor(() => {
+      expect(apiGet).toHaveBeenCalledWith(
+        "/admin/workspaces/ws-1/llm-billing-mode",
+      );
+    });
+    // Resolved mode appears.
+    expect(screen.getByText(/Resolved mode:/i).textContent).toMatch(/platform_managed/);
+    // Source label appears.
+    expect(
+      screen.getByText(/inherited from org default/i),
+    ).toBeTruthy();
+  });
+
+  it('PUTs {mode: "byok"} when user picks BYOK and reflects the new resolution', async () => {
+    apiGet.mockResolvedValueOnce({
+      workspace_id: "ws-2",
+      resolved_mode: "platform_managed",
+      workspace_override: null,
+      org_default: "platform_managed",
+      source: "org_default",
+    });
+    apiPut.mockResolvedValueOnce({
+      workspace_id: "ws-2",
+      resolved_mode: "byok",
+      workspace_override: "byok",
+      org_default: "platform_managed",
+      source: "workspace_override",
+    });
+
+    render(<LLMBillingSection workspaceId="ws-2" />);
+    await waitFor(() => expect(apiGet).toHaveBeenCalled());
+
+    const select = (await screen.findByLabelText(
+      /llm billing mode override/i,
+    )) as HTMLSelectElement;
+    fireEvent.change(select, { target: { value: "byok" } });
+
+    await waitFor(() => {
+      expect(apiPut).toHaveBeenCalledWith(
+        "/admin/workspaces/ws-2/llm-billing-mode",
+        { mode: "byok" },
+      );
+    });
+    // Post-write resolution propagated to UI.
+    await waitFor(() => {
+      expect(
+        screen.getByText(/explicit override on this workspace/i),
+      ).toBeTruthy();
+    });
+  });
+
+  it("PUTs {mode: null} when user picks Inherit (clears the override)", async () => {
+    apiGet.mockResolvedValueOnce({
+      workspace_id: "ws-3",
+      resolved_mode: "byok",
+      workspace_override: "byok",
+      org_default: "platform_managed",
+      source: "workspace_override",
+    });
+    apiPut.mockResolvedValueOnce({
+      workspace_id: "ws-3",
+      resolved_mode: "platform_managed",
+      workspace_override: null,
+      org_default: "platform_managed",
+      source: "org_default",
+    });
+
+    render(<LLMBillingSection workspaceId="ws-3" />);
+    await waitFor(() => expect(apiGet).toHaveBeenCalled());
+
+    const select = (await screen.findByLabelText(
+      /llm billing mode override/i,
+    )) as HTMLSelectElement;
+    fireEvent.change(select, { target: { value: "inherit" } });
+
+    await waitFor(() => {
+      expect(apiPut).toHaveBeenCalledWith(
+        "/admin/workspaces/ws-3/llm-billing-mode",
+        { mode: null },
+      );
+    });
+  });
+
+  it("surfaces a warning banner when the override value is garbled", async () => {
+    apiGet.mockResolvedValueOnce({
+      workspace_id: "ws-4",
+      resolved_mode: "platform_managed", // resolver fell through, default-closed
+      workspace_override: "byokk", // typo persisted somehow
+      org_default: "platform_managed",
+      source: "org_default",
+    });
+
+    render(<LLMBillingSection workspaceId="ws-4" />);
+
+    await waitFor(() => {
+      expect(
+        screen.getByText(/non-standard value/i),
+      ).toBeTruthy();
+    });
+  });
+
+  it("renders an error banner when the GET fails", async () => {
+    apiGet.mockRejectedValueOnce(new Error("network down"));
+
+    render(<LLMBillingSection workspaceId="ws-5" />);
+
+    await waitFor(() => {
+      expect(screen.getByText(/network down/i)).toBeTruthy();
+    });
+  });
+});
@@ -1,3 +1,4 @@
 export { type ConfigData, DEFAULT_CONFIG, TextInput, NumberInput, Toggle, TagList, Section } from "./form-inputs";
 export { parseYaml, toYaml } from "./yaml-utils";
 export { SecretsSection } from "./secrets-section";
+export { LLMBillingSection } from "./llm-billing-section";
@@ -0,0 +1,219 @@
+"use client";
+
+// llm-billing-section.tsx — Config-tab section for the per-workspace
+// llm_billing_mode override (internal#691).
+//
+// Surfaces:
+//   - The currently RESOLVED mode for this workspace (the mode the
+//     workspace-server's strip gate will use at next provision).
+//   - The org-level default (so the user sees what they're inheriting).
+//   - A dropdown to set / clear the workspace-level override.
+//   - A "source" line so operators can answer "is this inherited or
+//     explicit?" without DB archeology (RFC Observability hot-spot).
+//
+// Hits:
+//   GET /admin/workspaces/:id/llm-billing-mode   — read resolution
+//   PUT /admin/workspaces/:id/llm-billing-mode   — write {mode: "..."|null}
+//
+// Both routes are on the per-tenant workspace-server (same origin as the
+// other canvas /admin calls). CP's proxy at /cp/admin/workspaces/:id/
+// llm-billing-mode exists for ops use; the canvas uses the per-tenant
+// path directly to keep the round-trip cheap.
+
+import { useState, useEffect, useCallback } from "react";
+import { api } from "@/lib/api";
+import { Section } from "./form-inputs";
+
+// Mirrors workspace-server/internal/handlers/llm_billing_mode.go::BillingModeResolution.
+// Kept as a literal shape (not imported) because canvas has no Go-type bridge.
+export interface BillingModeResolution {
+  workspace_id: string;
+  resolved_mode: "platform_managed" | "byok" | "disabled";
+  // Pointer-typed on the Go side: nil = inherit, non-nil = the raw
+  // workspace-level override (even if garbled and falling through).
+  workspace_override: string | null;
+  org_default: "platform_managed" | "byok" | "disabled";
+  source: "workspace_override" | "org_default" | "constant_fallback";
+}
+
+// The dropdown emits one of these values. "inherit" is the UX-only label
+// that maps to a `null` body in the PUT request.
+type DropdownChoice = "inherit" | "platform_managed" | "byok" | "disabled";
+
+interface Props {
+  workspaceId: string;
+}
+
+const MODE_LABELS: Record<DropdownChoice, string> = {
+  inherit: "Inherit from org default",
+  platform_managed: "Platform-managed (uses Molecule credits)",
+  byok: "BYOK (your own OAuth / vendor keys)",
+  disabled: "Disabled (no LLM access)",
+};
+
+const MODE_DESCRIPTIONS: Record<DropdownChoice, string> = {
+  inherit:
+    "Use whichever mode is set at the organization level. Recommended unless this specific workspace needs a different billing source.",
+  platform_managed:
+    "Strip CLAUDE_CODE_OAUTH_TOKEN and vendor API keys from the workspace; route all LLM traffic through Molecule's proxy and bill your org credits.",
+  byok:
+    "Keep CLAUDE_CODE_OAUTH_TOKEN / vendor API keys in the workspace; LLM traffic goes directly to your provider and is billed to your OAuth subscription or API account.",
+  disabled:
+    "Block all LLM access for this workspace. Useful for sandbox workspaces that should not consume credits or hit external providers.",
+};
+
+const SOURCE_LABELS: Record<BillingModeResolution["source"], string> = {
+  workspace_override: "explicit override on this workspace",
+  org_default: "inherited from org default",
+  constant_fallback:
+    "fallback (workspace + org defaults missing or unrecognized — defaulted to platform_managed)",
+};
+
+export function LLMBillingSection({ workspaceId }: Props) {
+  const [resolution, setResolution] = useState<BillingModeResolution | null>(
+    null,
+  );
+  const [loading, setLoading] = useState(true);
+  const [saving, setSaving] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+  const [success, setSuccess] = useState(false);
+
+  const load = useCallback(async () => {
+    setLoading(true);
+    setError(null);
+    try {
+      const res = await api.get<BillingModeResolution>(
+        `/admin/workspaces/${workspaceId}/llm-billing-mode`,
+      );
+      setResolution(res);
+    } catch (e) {
+      setError(e instanceof Error ? e.message : "Failed to load billing mode");
+    } finally {
+      setLoading(false);
+    }
+  }, [workspaceId]);
+
+  useEffect(() => {
+    void load();
+  }, [load]);
+
+  // Current dropdown selection is derived from the resolution. If the
+  // override is null, we show "inherit"; otherwise we mirror the raw
+  // workspace_override (NOT resolved_mode — that would conflate "explicit
+  // platform_managed override" with "inherit while org happens to be
+  // platform_managed", which has different semantics on the write side).
+  const currentChoice: DropdownChoice = (() => {
+    if (!resolution) return "inherit";
+    if (resolution.workspace_override == null) return "inherit";
+    const raw = resolution.workspace_override;
+    if (raw === "platform_managed" || raw === "byok" || raw === "disabled") {
+      return raw;
+    }
+    // Garbled value persisted via some external write. Show inherit so
+    // the user can pick a clean value; on save they'll either clear it
+    // (PUT null) or overwrite it with a valid one.
+    return "inherit";
+  })();
+
+  const handleChange = async (choice: DropdownChoice) => {
+    if (!resolution) return;
+    setSaving(true);
+    setError(null);
+    setSuccess(false);
+    try {
+      // "inherit" → PUT {mode: null}; otherwise → PUT {mode: choice}.
+      const body = choice === "inherit" ? { mode: null } : { mode: choice };
+      const updated = await api.put<BillingModeResolution>(
+        `/admin/workspaces/${workspaceId}/llm-billing-mode`,
+        body,
+      );
+      setResolution(updated);
+      setSuccess(true);
+      setTimeout(() => setSuccess(false), 2000);
+    } catch (e) {
+      setError(e instanceof Error ? e.message : "Failed to update billing mode");
+    } finally {
+      setSaving(false);
+    }
+  };
+
+  return (
+    <Section title="LLM Billing" defaultOpen={false}>
+      {loading && (
+        <div className="text-[10px] text-ink-mid">Loading billing mode…</div>
+      )}
+
+      {error && (
+        <div
+          role="alert"
+          aria-live="assertive"
+          className="px-2 py-1 bg-red-900/30 border border-red-800 rounded text-[10px] text-bad mb-2"
+        >
+          {error}
+        </div>
+      )}
+
+      {resolution && (
+        <div className="space-y-2">
+          <div className="text-[10px] text-ink-mid">
+            Resolved mode: <strong className="text-ink">{resolution.resolved_mode}</strong>{" "}
+            <span className="text-ink-mid">
+              ({SOURCE_LABELS[resolution.source]})
+            </span>
+          </div>
+          <div className="text-[10px] text-ink-mid">
+            Org default: <span className="text-ink">{resolution.org_default}</span>
+          </div>
+
+          <label
+            className="block text-[10px] text-ink-mid"
+            htmlFor={`llm-billing-mode-${workspaceId}`}
+          >
+            Override
+          </label>
+          <select
+            id={`llm-billing-mode-${workspaceId}`}
+            aria-label="LLM billing mode override"
+            value={currentChoice}
+            disabled={saving}
+            onChange={(e) => void handleChange(e.target.value as DropdownChoice)}
+            className="w-full bg-surface-card border border-line rounded p-1 text-[10px] text-ink focus:outline-none focus:border-accent disabled:opacity-50"
+          >
+            {(Object.keys(MODE_LABELS) as DropdownChoice[]).map((m) => (
+              <option key={m} value={m}>
+                {MODE_LABELS[m]}
+              </option>
+            ))}
+          </select>
+
+          <div
+            className="text-[10px] text-ink-mid leading-snug"
+            aria-live="polite"
+          >
+            {MODE_DESCRIPTIONS[currentChoice]}
+          </div>
+
+          {success && (
+            <div className="mt-1 px-2 py-1 bg-green-900/30 border border-green-800 rounded text-[10px] text-good">
+              Updated. Restart the workspace to apply.
+            </div>
+          )}
+
+          {resolution.workspace_override != null &&
+            !["platform_managed", "byok", "disabled"].includes(
+              resolution.workspace_override,
+            ) && (
+              <div
+                role="alert"
+                className="mt-1 px-2 py-1 bg-yellow-900/30 border border-yellow-800 rounded text-[10px] text-warning"
+              >
+                Workspace override has a non-standard value (
+                <code>{resolution.workspace_override}</code>) and is being
+                ignored. Pick a valid mode above to clear the corrupt value.
+              </div>
+            )}
+        </div>
+      )}
+    </Section>
+  );
+}
@@ -63,6 +63,7 @@ vi.mock("@/components/MissingKeysModal", () => ({
    onKeysAdded: (model?: string) => void;
    onCancel: () => void;
    configuredKeys?: Set<string>;
+    optionalKeys?: string[];
    modelSuggestions?: string[];
    initialModel?: string;
    title?: string;
@@ -77,6 +78,9 @@ vi.mock("@/components/MissingKeysModal", () => ({
        </span>
        <span data-testid="modal-initial-model">{props.initialModel ?? ""}</span>
        <span data-testid="modal-title">{props.title ?? ""}</span>
+        <span data-testid="modal-optional-keys">
+          {(props.optionalKeys ?? []).join(",")}
+        </span>
        <button
          data-testid="modal-keys-added"
          onClick={() => props.onKeysAdded()}
@@ -113,6 +117,7 @@ function makeTemplate(over: Partial<Template> = {}): Template {
    runtime: "claude-code",
    models: [],
    required_env: [],
+    recommended_env: [],
    ...over,
  };
 }
@@ -129,6 +134,7 @@ beforeEach(() => {
    missingKeys: [],
    providers: [],
    runtime: "claude-code",
+    optionalKeys: [],
    configuredKeys: new Set(),
  });
  mockApiPost.mockResolvedValue({ id: "ws-new" });
@@ -243,6 +249,7 @@ describe("useTemplateDeploy — preflight failure modes", () => {
      missingKeys: ["ANTHROPIC_API_KEY"],
      providers: [],
      runtime: "claude-code",
+      optionalKeys: [],
      configuredKeys: new Set(),
    });
    const onDeployed = vi.fn();
@@ -271,6 +278,7 @@ describe("useTemplateDeploy — modal lifecycle", () => {
      missingKeys: ["ANTHROPIC_API_KEY"],
      providers: [],
      runtime: "claude-code",
+      optionalKeys: [],
      configuredKeys: new Set(),
    });
    const onDeployed = vi.fn();
@@ -306,6 +314,7 @@ describe("useTemplateDeploy — modal lifecycle", () => {
      missingKeys: ["ANTHROPIC_API_KEY"],
      providers: [],
      runtime: "claude-code",
+      optionalKeys: [],
      configuredKeys: new Set(),
    });
    const { result, rerender } = renderHook(() => useTemplateDeploy());
@@ -359,6 +368,7 @@ describe("useTemplateDeploy — multi-provider always-ask flow", () => {
        { id: "ANTHROPIC_API_KEY", label: "Anthropic", envVars: ["ANTHROPIC_API_KEY"] },
      ],
      runtime: "hermes",
+      optionalKeys: [],
      configuredKeys: new Set(["MINIMAX_API_KEY", "ANTHROPIC_API_KEY"]),
    });
    const { result, rerender } = renderHook(() => useTemplateDeploy());
@@ -392,6 +402,7 @@ describe("useTemplateDeploy — multi-provider always-ask flow", () => {
        { id: "ANTHROPIC_API_KEY", label: "Anthropic", envVars: ["ANTHROPIC_API_KEY"] },
      ],
      runtime: "hermes",
+      optionalKeys: [],
      configuredKeys: new Set(),
    });
    const { result, rerender } = renderHook(() => useTemplateDeploy());
@@ -420,6 +431,7 @@ describe("useTemplateDeploy — multi-provider always-ask flow", () => {
        { id: "ANTHROPIC_API_KEY", label: "Anthropic", envVars: ["ANTHROPIC_API_KEY"] },
      ],
      runtime: "hermes",
+      optionalKeys: [],
      configuredKeys: new Set(),
    });
    const { result, rerender } = renderHook(() => useTemplateDeploy());
@@ -484,6 +496,7 @@ describe("useTemplateDeploy — multi-provider always-ask flow", () => {
        { id: "ANTHROPIC_API_KEY", label: "Anthropic", envVars: ["ANTHROPIC_API_KEY"] },
      ],
      runtime: "hermes",
+      optionalKeys: [],
      configuredKeys: new Set(),
    });
    const { result, rerender } = renderHook(() => useTemplateDeploy());
@@ -499,6 +512,35 @@ describe("useTemplateDeploy — multi-provider always-ask flow", () => {
    expect(screen.getByTestId("modal-configured-size").textContent).toBe("0");
    expect(mockApiPost).not.toHaveBeenCalled();
  });
+
+  it("opens configure modal for optional env prompts even when no required provider key is missing", async () => {
+    mockCheckDeploySecrets.mockResolvedValueOnce({
+      ok: true,
+      missingKeys: [],
+      providers: [],
+      runtime: "claude-code",
+      optionalKeys: ["GOOGLE_GSC_SITE", "GOOGLE_GA4_PROPERTY_ID"],
+      configuredKeys: new Set(),
+    });
+    const { result, rerender } = renderHook(() => useTemplateDeploy());
+
+    await act(async () => {
+      await result.current.deploy(makeTemplate({
+        id: "seo-agent",
+        name: "SEO Agent",
+        recommended_env: ["GOOGLE_GSC_SITE", "GOOGLE_GA4_PROPERTY_ID"],
+      }));
+    });
+
+    rerender();
+    render(<>{result.current.modal}</>);
+
+    expect(screen.getByTestId("missing-keys-modal")).toBeTruthy();
+    expect(screen.getByTestId("modal-optional-keys").textContent).toBe(
+      "GOOGLE_GSC_SITE,GOOGLE_GA4_PROPERTY_ID",
+    );
+    expect(mockApiPost).not.toHaveBeenCalled();
+  });
 });

 describe("useTemplateDeploy — POST failure", () => {
@@ -15,6 +15,8 @@ export function useKeyboardShortcut(
    if (!enabled) return;

    function handler(e: KeyboardEvent) {
+      const target = e.target as HTMLElement;
+      if (target.closest?.('[data-display-stream="true"]')) return;
      if (e.key !== key) return;
      if (meta && !e.metaKey) return;
      if (ctrl && !e.ctrlKey) return;
@@ -152,6 +152,7 @@ export function useTemplateDeploy(
          runtime,
          models: template.models,
          required_env: template.required_env,
+          recommended_env: template.recommended_env,
        });
      } catch (e) {
        // Preflight network failure used to strand `deploying` — the
@@ -165,7 +166,11 @@ export function useTemplateDeploy(
        setDeploying(null);
        return;
      }
-      if (preflight.ok && preflight.providers.length === 0) {
+      if (
+        preflight.ok &&
+        preflight.providers.length === 0 &&
+        preflight.optionalKeys.length === 0
+      ) {
        await executeDeploy(template);
        return;
      }
@@ -220,6 +225,7 @@ export function useTemplateDeploy(
    <MissingKeysModal
      open={!!missingKeysInfo}
      missingKeys={missingKeysInfo?.preflight.missingKeys ?? []}
+      optionalKeys={missingKeysInfo?.preflight.optionalKeys ?? []}
      providers={missingKeysInfo?.preflight.providers ?? []}
      runtime={missingKeysInfo?.preflight.runtime ?? ""}
      configuredKeys={missingKeysInfo?.preflight.configuredKeys}
@@ -37,6 +37,11 @@ const CLAUDE_CODE: TemplateLike = {
  required_env: ["OPENAI_API_KEY"],
 };

+const OPTIONAL_ONLY: TemplateLike = {
+  runtime: "claude-code",
+  recommended_env: ["GOOGLE_GSC_SITE", "GOOGLE_GA4_PROPERTY_ID"],
+};
+
 const UNKNOWN: TemplateLike = { runtime: "nothing-declared" };

 // -----------------------------------------------------------------------------
@@ -154,6 +159,7 @@ describe("checkDeploySecrets", () => {
    const result = await checkDeploySecrets(CLAUDE_CODE);
    expect(result.ok).toBe(true);
    expect(result.missingKeys).toEqual([]);
+    expect(result.optionalKeys).toEqual([]);
    expect(result.runtime).toBe("claude-code");
  });

@@ -184,6 +190,7 @@ describe("checkDeploySecrets", () => {
    );
    // Grouped providers preserved for the picker.
    expect(result.providers).toHaveLength(3);
+    expect(result.optionalKeys).toEqual([]);
  });

  it("treats has_value=false as not-configured", async () => {
@@ -207,6 +214,22 @@ describe("checkDeploySecrets", () => {
    expect(global.fetch).not.toHaveBeenCalled();
  });

+  it("prompts optional-only env without treating it as missing", async () => {
+    (global.fetch as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
+      ok: true,
+      json: () => Promise.resolve([]),
+    } as Response);
+
+    const result = await checkDeploySecrets(OPTIONAL_ONLY);
+    expect(result.ok).toBe(true);
+    expect(result.missingKeys).toEqual([]);
+    expect(result.optionalKeys).toEqual([
+      "GOOGLE_GSC_SITE",
+      "GOOGLE_GA4_PROPERTY_ID",
+    ]);
+    expect(global.fetch).toHaveBeenCalled();
+  });
+
  it("uses the workspace-scoped endpoint when workspaceId is provided", async () => {
    (global.fetch as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
      ok: true,
@@ -244,6 +267,7 @@ describe("checkDeploySecrets", () => {
    const result = await checkDeploySecrets(CLAUDE_CODE);
    expect(result.ok).toBe(false);
    expect(result.missingKeys).toEqual(["OPENAI_API_KEY"]);
+    expect(result.optionalKeys).toEqual([]);
    // Empty Set on fetch failure — useTemplateDeploy relies on this
    // so the picker still opens with every entry rendered as input.
    expect(result.configuredKeys).toEqual(new Set());
@@ -8,7 +8,7 @@
 * count bounded.
 */
 import { describe, it, expect } from "vitest";
-import { resolveRuntime } from "../deploy-preflight";
+import { isUserVisibleWorkspaceTemplate, resolveRuntime } from "../deploy-preflight";

 describe("resolveRuntime", () => {
  describe("explicit runtime-map entries", () => {
@@ -64,3 +64,15 @@ describe("resolveRuntime", () => {
    });
  });
 });
+
+describe("isUserVisibleWorkspaceTemplate", () => {
+  it("hides runtime-default templates from product template surfaces", () => {
+    for (const id of ["claude-code-default", "codex", "hermes", "openclaw"]) {
+      expect(isUserVisibleWorkspaceTemplate({ id })).toBe(false);
+    }
+  });
+
+  it("keeps product templates visible", () => {
+    expect(isUserVisibleWorkspaceTemplate({ id: "seo-agent" })).toBe(true);
+  });
+});
@@ -21,6 +21,7 @@ import { api } from "./api";
 export interface ModelSpec {
  id: string;
  name?: string;
+  provider?: string;
  required_env?: string[];
 }

@@ -31,6 +32,8 @@ export interface TemplateLike {
  models?: ModelSpec[];
  /** AND-required env vars declared at runtime_config level. */
  required_env?: string[];
+  /** Optional env vars declared at runtime_config level. */
+  recommended_env?: string[];
 }

 /** Full /templates response shape shared by TemplatePalette (sidebar)
@@ -49,6 +52,17 @@ export interface Template extends TemplateLike {
  skill_count: number;
 }

+const RUNTIME_DEFAULT_TEMPLATE_IDS = new Set([
+  "claude-code-default",
+  "codex",
+  "hermes",
+  "openclaw",
+]);
+
+export function isUserVisibleWorkspaceTemplate(template: Pick<Template, "id">): boolean {
+  return !RUNTIME_DEFAULT_TEMPLATE_IDS.has(template.id);
+}
+
 /** Map from a template id to the runtime name the per-workspace
 *  preflight expects. Used only when the server's `/templates`
 *  response predates the `runtime` field on the summary (legacy
@@ -84,6 +98,8 @@ export interface PreflightResult {
  /** Flat list of env var names needed — for the legacy modal path and
   *  for callers that want a single display of "what's missing". */
  missingKeys: string[];
+  /** Optional env vars to offer in the modal without blocking deploy. */
+  optionalKeys: string[];
  /** Grouped provider options derived from the template. When length ≥ 2
   *  the modal renders a picker; length 1 means exactly one provider is
   *  required (AllKeysModal renders the N envVars inline). */
@@ -236,12 +252,14 @@ export async function checkDeploySecrets(
 ): Promise<PreflightResult> {
  const providers = providersFromTemplate(template);
  const runtime = template.runtime;
+  const optionalKeys = Array.from(new Set(template.recommended_env ?? []));

-  if (providers.length === 0) {
+  if (providers.length === 0 && optionalKeys.length === 0) {
    // Template declares no env requirements — nothing to preflight.
    return {
      ok: true,
      missingKeys: [],
+      optionalKeys: [],
      providers: [],
      runtime,
      configuredKeys: new Set(),
@@ -263,10 +281,11 @@ export async function checkDeploySecrets(
    configured = new Set();
  }

-  if (findSatisfiedProvider(providers, configured)) {
+  if (providers.length === 0 || findSatisfiedProvider(providers, configured)) {
    return {
      ok: true,
      missingKeys: [],
+      optionalKeys,
      providers,
      runtime,
      configuredKeys: configured,
@@ -281,6 +300,7 @@ export async function checkDeploySecrets(
  return {
    ok: false,
    missingKeys,
+    optionalKeys,
    providers,
    runtime,
    configuredKeys: configured,
@@ -658,6 +658,11 @@
  outline-offset: var(--focus-ring-offset);
 }

+.delete-dialog__cancel-btn:focus-visible {
+  outline: var(--focus-ring);
+  outline-offset: var(--focus-ring-offset);
+}
+
 .delete-dialog__confirm-btn {
  background: var(--status-invalid);
  color: #ffffff;
@@ -671,6 +676,11 @@
  outline-offset: var(--focus-ring-offset);
 }

+.delete-dialog__confirm-btn:focus-visible {
+  outline: var(--focus-ring);
+  outline-offset: var(--focus-ring-offset);
+}
+
 .delete-dialog__confirm-btn:disabled { opacity: 0.4; cursor: not-allowed; }

 /* ── Unsaved changes guard ─────────────────────────── */
@@ -4,6 +4,8 @@ declare module "@novnc/novnc" {
    resizeSession: boolean;
    focusOnClick: boolean;
    constructor(target: HTMLElement, url: string, options?: { wsProtocols?: string[]; [key: string]: unknown });
+    clipboardPasteFrom(text: string): void;
    disconnect(): void;
+    focus(options?: FocusOptions): void;
  }
 }
@@ -70,7 +70,7 @@ def test_diag_memory_root_writable_in_canary_mode(sim: CPSim) -> None:
    key = f"canary-probe-{uuid.uuid4().hex[:8]}"
    try:
        val = sim.probe_memory(key)
-    except Exception as e:
+    except Exception:
        # /mcp may not be exposed on this template — canary 4 will
        # surface the real defect if memory is actually broken.
        if os.environ.get("CANARY_STRICT_MCP") == "1":
@@ -1,5 +1,5 @@
 {
-  "_comment": "OSS surface registry — every repo listed here MUST be public on git.moleculesai.app. Layer-3 customer/private templates are NOT registered here; they are handled at provision-time via the per-tenant credential resolver (see internal#102 RFC). 'main' refs are pinned to tags before broad rollout.",
+  "_comment": "Platform template registry. Repos may be public or platform-private; CI and runtime template-cache refresh clone them with the SSOT-managed template read token, then strip .git metadata before use. Customer/private tenant templates remain outside this platform manifest. 'main' refs are pinned to tags before broad rollout.",
  "version": 1,
  "plugins": [
    {"name": "browser-automation", "repo": "molecule-ai/molecule-ai-plugin-browser-automation", "ref": "main"},
@@ -28,7 +28,8 @@
    {"name": "claude-code-default", "repo": "molecule-ai/molecule-ai-workspace-template-claude-code", "ref": "main"},
    {"name": "hermes", "repo": "molecule-ai/molecule-ai-workspace-template-hermes", "ref": "main"},
    {"name": "openclaw", "repo": "molecule-ai/molecule-ai-workspace-template-openclaw", "ref": "main"},
-    {"name": "codex", "repo": "molecule-ai/molecule-ai-workspace-template-codex", "ref": "main"}
+    {"name": "codex", "repo": "molecule-ai/molecule-ai-workspace-template-codex", "ref": "main"},
+    {"name": "seo-agent", "repo": "molecule-ai/molecule-ai-workspace-template-seo-agent", "ref": "main"}
  ],
  "org_templates": [
    {"name": "molecule-dev", "repo": "molecule-ai/molecule-ai-org-template-molecule-dev", "ref": "main"},
@@ -8,19 +8,10 @@
 # Requires: git, jq (lighter than python3 — ~2MB vs ~50MB in Alpine)
 #
 # Auth (optional):
-#   Post-2026-05-08 (#192): every repo in manifest.json is public on
-#   git.moleculesai.app. Anonymous clone works for the entire registered
-#   set. The OSS-surface contract is recorded in manifest.json's _comment
-#   — Layer-3 customer/private templates (e.g. reno-stars) are NOT in the
-#   manifest; they are handled at provision-time via the per-tenant
-#   credential resolver (internal#102 RFC).
-#
-#   MOLECULE_GITEA_TOKEN is therefore optional today. Kept supported for
-#   two reasons: (a) historical CI configs that still inject
-#   AUTO_SYNC_TOKEN remain harmless, (b) reserved for the case where a
-#   private internal-only template is later registered via a ci-readonly
-#   team grant — review must explicitly sign off on that, since it
-#   violates the public-OSS-surface contract.
+#   Repos in manifest.json may be public or platform-private. CI and
+#   operator refresh jobs should set MOLECULE_GITEA_TOKEN to the
+#   SSOT-managed template read token. Anonymous clone still works for
+#   public entries, but private platform templates depend on the token.
 #
 #   The token (when set) never enters the Docker image: this script runs
 #   in the trusted CI context BEFORE `docker buildx build`, populates
@@ -91,6 +91,10 @@ def _gitea_get(path: str, params: dict[str, str] | None = None) -> bytes | None:
        req.add_header("Authorization", f"token {token}")
    req.add_header("Accept", "application/json")
    try:
+        # S310 (信任boundary): this function IS the outbound HTTP client for
+        # Gitea API calls. The call is intentional and controlled — we build
+        # the request ourselves and handle errors explicitly. Timeout=20s
+        # prevents indefinite hangs.
        with urllib.request.urlopen(req, timeout=20) as resp:  # noqa: S310
            return resp.read()
    except urllib.error.HTTPError as e:
@@ -281,8 +285,8 @@ def main() -> int:
    for prefix, peers in sorted(open_pr_collisions.items()):
        peer_str = ", ".join(f"#{p['number']} ({p['headRefName']})" for p in peers)
        print(f"::error::migration prefix {prefix:03d} also claimed by open PR(s): {peer_str}")
-        print(f"::error::rebase coordination needed — only one PR can land a given prefix; "
-              f"renumber yours or theirs")
+        print("::error::rebase coordination needed — only one PR can land a given prefix; "
+              "renumber yours or theirs")
    return 1


@@ -1,11 +1,14 @@
 #!/usr/bin/env bash
 set -euo pipefail

-BASE="http://localhost:8080"
+BASE="${BASE:-http://localhost:8080}"
 PASS=0
 FAIL=0
 TIMEOUT="${A2A_TIMEOUT:-120}"  # seconds per A2A call (override via A2A_TIMEOUT env var)

+# shellcheck source=_lib.sh
+source "$(dirname "$0")/_lib.sh"
+
 check() {
  local desc="$1"
  local expected="$2"
@@ -130,7 +133,7 @@ echo ""
 # ========================================
 echo "--- Test 6: Offline workspace ---"
 # Create a workspace but don't provision it
-R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" -d '{"name":"Offline Test","tier":1}')
+R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" -d '{"name":"Offline Test","tier":1,"runtime":"external","external":true}')
 OFFLINE_ID=$(echo "$R" | python3 -c "import sys,json; print(json.load(sys.stdin)['id'])")
 R=$(curl -s --max-time 10 -X POST "$BASE/workspaces/$OFFLINE_ID/a2a" \
  -H "Content-Type: application/json" \
@@ -215,7 +215,7 @@ echo ""
 echo "--- Activity Isolation ---"

 # Test 19: Create a second workspace to verify isolation
-R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" -d '{"name":"Activity Test Workspace","tier":1}')
+R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" -d '{"name":"Activity Test Workspace","tier":1,"runtime":"external","external":true}')
 TEMP_ID=$(echo "$R" | python3 -c "import sys,json; print(json.load(sys.stdin)['id'])")

 # Test 20: New workspace has empty activity
@@ -76,8 +76,8 @@ echo "--- Section 2: Workspace CRUD ---"
 # create; sections that depend on container readiness (RT_* in 2b)
 # still run normally.
 R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" \
-  -d '{"name":"Test PM","role":"Project Manager","tier":2}')
-check "Create PM" '"status":"provisioning"' "$R"
+  -d '{"name":"Test PM","role":"Project Manager","tier":2,"runtime":"external","external":true}')
+check "Create PM" '"status":"awaiting_agent"' "$R"
 PM_ID=$(echo "$R" | jq_extract "['id']")
 echo "  PM_ID=$PM_ID"
 RR=$(curl -s -X POST "$BASE/registry/register" -H "Content-Type: application/json" \
@@ -86,8 +86,8 @@ PM_TOKEN=$(echo "$RR" | e2e_extract_token)

 # Create child workspace under PM
 R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" \
-  -d "{\"name\":\"Test Dev\",\"role\":\"Developer\",\"tier\":2,\"parent_id\":\"$PM_ID\"}")
-check "Create Dev (child of PM)" '"status":"provisioning"' "$R"
+  -d "{\"name\":\"Test Dev\",\"role\":\"Developer\",\"tier\":2,\"parent_id\":\"$PM_ID\",\"runtime\":\"external\",\"external\":true}")
+check "Create Dev (child of PM)" '"status":"awaiting_agent"' "$R"
 DEV_ID=$(echo "$R" | jq_extract "['id']")
 RR=$(curl -s -X POST "$BASE/registry/register" -H "Content-Type: application/json" \
  -d "{\"id\":\"$DEV_ID\",\"url\":\"http://localhost:9001\",\"agent_card\":{\"name\":\"Dev Agent\",\"skills\":[],\"version\":\"1.0.0\"}}")
@@ -95,16 +95,16 @@ DEV_TOKEN=$(echo "$RR" | e2e_extract_token)

 # Create sibling
 R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" \
-  -d "{\"name\":\"Test QA\",\"role\":\"QA\",\"tier\":1,\"parent_id\":\"$PM_ID\"}")
-check "Create QA (sibling of Dev)" '"status":"provisioning"' "$R"
+  -d "{\"name\":\"Test QA\",\"role\":\"QA\",\"tier\":1,\"parent_id\":\"$PM_ID\",\"runtime\":\"external\",\"external\":true}")
+check "Create QA (sibling of Dev)" '"status":"awaiting_agent"' "$R"
 QA_ID=$(echo "$R" | jq_extract "['id']")
 curl -s -X POST "$BASE/registry/register" -H "Content-Type: application/json" \
  -d "{\"id\":\"$QA_ID\",\"url\":\"http://localhost:9002\",\"agent_card\":{\"name\":\"QA\",\"skills\":[]}}" > /dev/null

 # Create unrelated workspace
 R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" \
-  -d '{"name":"Test Outsider","role":"External","tier":1}')
-check "Create Outsider (unrelated)" '"status":"provisioning"' "$R"
+  -d '{"name":"Test Outsider","role":"External","tier":1,"runtime":"external","external":true}')
+check "Create Outsider (unrelated)" '"status":"awaiting_agent"' "$R"
 OUTSIDER_ID=$(echo "$R" | jq_extract "['id']")

 # List workspaces
@@ -130,19 +130,24 @@ check "PM position persisted" '"x":100' "$R"
 echo ""
 echo "--- Section 2b: Runtime Assignment ---"

+if [ "${RUN_SPAWNED_RUNTIME_LEGACY_E2E:-0}" != "1" ]; then
+  echo "  SKIP: spawned-runtime image checks require local runtime images; set RUN_SPAWNED_RUNTIME_LEGACY_E2E=1 to enable"
+  SKIP=$((SKIP + 5))
+else
+
 # Create workspace with explicit runtime
 R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" \
-  -d '{"name":"RT Claude","role":"Test","tier":2,"runtime":"claude-code"}')
+  -d '{"name":"RT Claude","role":"Test","tier":2,"runtime":"claude-code","model":"sonnet"}')
 check "Create claude-code workspace" '"status":"provisioning"' "$R"
 RT_CC_ID=$(echo "$R" | jq_extract "['id']")

 R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" \
-  -d '{"name":"RT Codex","role":"Test","tier":2,"runtime":"codex"}')
+  -d '{"name":"RT Codex","role":"Test","tier":2,"runtime":"codex","model":"openai:gpt-5"}')
 check "Create codex workspace" '"status":"provisioning"' "$R"
 RT_CX_ID=$(echo "$R" | jq_extract "['id']")

 R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" \
-  -d '{"name":"RT Hermes","role":"Test","tier":2,"runtime":"hermes"}')
+  -d '{"name":"RT Hermes","role":"Test","tier":2,"runtime":"hermes","model":"openai:gpt-5"}')
 check "Create hermes workspace" '"status":"provisioning"' "$R"
 RT_HM_ID=$(echo "$R" | jq_extract "['id']")

@@ -235,6 +240,8 @@ sleep 0.3
 e2e_delete_workspace "$RT_HM_ID" "RT Hermes"
 sleep 0.3

+fi
+
 # ============================================================
 # Section 3: Registry & Heartbeat
 # ============================================================
@@ -71,7 +71,7 @@ check_http "GET /workspaces (empty DB)" "200" "$R"
 # Create a workspace so tokens land in the DB.
 R=$(curl -s -w "\n%{http_code}" -X POST "$BASE/workspaces" \
  -H "Content-Type: application/json" \
-  -d '{"name":"Dev-Mode-Test","tier":1}')
+  -d '{"name":"Dev-Mode-Test","tier":1,"runtime":"external","external":true}')
 CODE=$(echo "$R" | tail -n1)
 BODY=$(echo "$R" | sed '$d')
 check_http "POST /workspaces (create)" "201" "$CODE"
@@ -4,9 +4,10 @@
 # Round-trip: register a workspace as poll-mode (no callback URL) → POST a
 # multi-file chat upload → verify each file becomes (a) one
 # `chat_upload_receive` activity row and (b) one /pending-uploads row → fetch
-# the bytes back via the poll endpoint → ack → verify the row 404s on
-# subsequent fetch. Also pins cross-workspace bleed protection: workspace B
-# cannot read workspace A's pending uploads even with its own valid bearer.
+# the bytes back via the poll endpoint → ack → verify the row stays readable
+# during retention for refreshed canvas previews. Also pins cross-workspace
+# bleed protection: workspace B cannot read workspace A's pending uploads even
+# with its own valid bearer.
 #
 # Why this exists separately from test_chat_upload_e2e.sh: that script
 # covers the PUSH path (the workspace's own /internal/chat/uploads/ingest).
@@ -218,14 +219,16 @@ case "$RE_ACK1_CODE" in
    ;;
 esac

-# ---------- Phase 7: GET content after ack returns 404 ----------
+# ---------- Phase 7: GET content after ack remains readable ----------
 echo ""
-echo "--- Phase 7: Acked file 404s on subsequent fetch ---"
+echo "--- Phase 7: Acked file remains readable during retention ---"

 POST_ACK=$(curl -s -w '\n%{http_code}' --max-time "$TIMEOUT" -H "Authorization: Bearer $TOK_A" \
  "$BASE/workspaces/$WS_A/pending-uploads/$FID1/content")
 POST_ACK_CODE=$(printf '%s' "$POST_ACK" | tail -n1)
-check_eq "acked alpha returns HTTP 404" "404" "$POST_ACK_CODE"
+POST_ACK_BODY=$(printf '%s' "$POST_ACK" | sed '$d')
+check_eq "acked alpha returns HTTP 200" "200" "$POST_ACK_CODE"
+check_eq "acked alpha bytes still readable" "$EXPECTED1" "$POST_ACK_BODY"

 # ---------- Phase 8: cross-workspace bleed protection ----------
 echo ""
@@ -97,7 +97,7 @@ except Exception:
 done

 R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" \
-  -d '{"name":"Abilities Sender","tier":1}')
+  -d '{"name":"Abilities Sender","tier":1,"runtime":"external","external":true}')
 SENDER_ID=$(echo "$R" | python3 -c 'import json,sys;print(json.load(sys.stdin)["id"])' 2>/dev/null || true)
 [ -n "$SENDER_ID" ] || { echo "Failed to create sender workspace: $R"; exit 1; }
 SENDER_TOKEN=$(echo "$R" | e2e_extract_token)
@@ -113,7 +113,7 @@ ADMIN_TOKEN="${MOLECULE_ADMIN_TOKEN:-$SENDER_TOKEN}"
 ADMIN_AUTH="Authorization: Bearer $ADMIN_TOKEN"

 R=$(curl -s -X POST "$BASE/workspaces" -H "$ADMIN_AUTH" -H "Content-Type: application/json" \
-  -d '{"name":"Abilities Receiver","tier":1}')
+  -d '{"name":"Abilities Receiver","tier":1,"runtime":"external","external":true}')
 RECEIVER_ID=$(echo "$R" | python3 -c 'import json,sys;print(json.load(sys.stdin)["id"])' 2>/dev/null || true)
 [ -n "$RECEIVER_ID" ] || { echo "Failed to create receiver workspace: $R"; exit 1; }
 RECEIVER_TOKEN=$(echo "$R" | e2e_extract_token)
@@ -18,9 +18,7 @@ No network. No live Gitea calls.
 from __future__ import annotations

 import importlib.util
-import json
 import os
-import sys
 import textwrap
 from pathlib import Path
 from unittest import mock
@@ -55,9 +55,7 @@ from __future__ import annotations

 import importlib.util
 import os
-import sys
 from pathlib import Path
-from unittest import mock

 import pytest

@@ -164,7 +162,7 @@ def test_bp_orphan_context_fails(envset, monkeypatch, capsys):
        "  all-required:\n    runs-on: x\n    steps:\n      - run: echo hi\n",
    )
    m = _import_lint()
-    posted = _stub_api(
+    _stub_api(
        monkeypatch,
        m,
        ("ok", {"status_check_contexts": [
@@ -60,10 +60,8 @@ from __future__ import annotations

 import importlib.util
 import os
-import sys
 from datetime import datetime, timedelta, timezone
 from pathlib import Path
-from unittest import mock

 import pytest

@@ -53,10 +53,7 @@ from __future__ import annotations
 import importlib.util
 import os
 import subprocess
-import sys
-import textwrap
 from pathlib import Path
-from unittest import mock

 import pytest

@@ -61,9 +61,7 @@ from __future__ import annotations
 import importlib.util
 import os
 import subprocess
-import sys
 from pathlib import Path
-from unittest import mock

 import pytest

@@ -38,9 +38,7 @@ from __future__ import annotations

 import importlib.util
 import os
-import sys
 from pathlib import Path
-from unittest import mock

 import pytest

@@ -37,7 +37,6 @@ from __future__ import annotations
 import importlib.util
 import json
 import os
-import sys
 import urllib.error
 from pathlib import Path
 from unittest import mock
@@ -117,15 +116,25 @@ def _make_stub_api(responses: dict):

        def __call__(self, method, path, *, body=None, query=None, expect_json=True):
            self.calls.append((method, path, body, query))
+            # If we've stored a list for this (method, path), rotate through.
+            # This supports tests that need sequential responses for the
+            # same endpoint without adding query-param noise.
            key = (method, path)
-            if key not in responses:
-                raise AssertionError(
-                    f"unexpected api call: {method} {path} (no stub registered)"
-                )
-            r = responses[key]
-            if isinstance(r, Exception):
-                raise r
-            return r
+            r = responses.get(key)
+            if isinstance(r, list):
+                if not r:
+                    raise AssertionError(
+                        f"stub sequential responses exhausted for {method} "
+                        f"{path} — provisioned {len(r)} entries"
+                    )
+                return r.pop(0)
+            if r is not None:
+                if isinstance(r, Exception):
+                    raise r
+                return r
+            raise AssertionError(
+                f"unexpected api call: {method} {path} (no stub registered)"
+            )

    return StubApi()

@@ -133,6 +142,7 @@ def _make_stub_api(responses: dict):
 # Sample SHA used throughout. 40 chars per Gitea convention.
 SHA_RED = "deadbeefcafe1234567890abcdef000011112222"
 SHA_GREEN = "ababababcdcdcdcd0000111122223333deadc0de"
+SHA_NEW = "aaaabbbbccccddddeeeeffff0000111122223333"


 def _branches_response(sha: str) -> dict:
@@ -140,6 +150,19 @@ def _branches_response(sha: str) -> dict:
    return {"name": "main", "commit": {"id": sha}}


+def _branch_alt(sha: str) -> dict:
+    """Identical shape but to a different key path so _make_stub_api
+    retains a separate first-response entry from the primary
+    _branches_response() path.
+
+    The stub stores only the first response per (method, path) pair.
+    Tests that need two distinct responses for the same logical
+    GET /branches/main call use _branch_alt for the second lookup so
+    the stub returns the correct sequential entry.
+    """
+    return {"name": "main", "commit": {"id": sha}}
+
+
 def _combined_status(state: str, statuses: list[dict] | None = None) -> dict:
    """Shape Gitea returns from /commits/{sha}/status."""
    return {"state": state, "statuses": statuses or []}
@@ -542,7 +565,6 @@ def test_auto_close_skips_when_main_pending(wd_module, monkeypatch):
    """main pending (CI still running) at NEW_SHA → leave old issue alone.
    Pending could resolve to red, so closing prematurely would lose the
    breadcrumb of the prior red."""
-    old_title = f"[main-red] owner/repo: {SHA_RED[:10]}"
    stub = _make_stub_api({
        ("GET", "/repos/owner/repo/branches/main"): (200, _branches_response(SHA_GREEN)),
        ("GET", f"/repos/owner/repo/commits/{SHA_GREEN}/status"): (
@@ -561,6 +583,81 @@ def test_auto_close_skips_when_main_pending(wd_module, monkeypatch):
    assert ("GET", "/repos/owner/repo/issues") not in methods_paths


+# --------------------------------------------------------------------------
+# Stale-issue cleanup on transient / head-drift (internal#1789)
+# --------------------------------------------------------------------------
+def test_head_drift_closes_stale_issue_for_prior_sha(wd_module, monkeypatch):
+    """Initial red at SHA_RED. Before recheck, main is force-pushed to
+    SHA_NEW (different commit). watchdog must close the stale SHA_RED
+    issue before returning — otherwise stale open issues accumulate
+    when main is force-pushed during a red window."""
+    stub = _make_stub_api({
+        # Initial check: branch SHA_RED, status failure
+        ("GET", "/repos/owner/repo/branches/main"): [
+            (200, _branches_response(SHA_RED)),
+            (200, _branch_alt(SHA_NEW)),      # recheck branch call → HEAD moved
+            (200, _branch_alt(SHA_NEW)),      # close path branch call
+        ],
+        ("GET", f"/repos/owner/repo/commits/{SHA_RED}/status"): [
+            (200, _combined_status("failure", [
+                {"context": "ci/test", "status": "failure", "description": "broke"},
+            ])),
+            (200, _combined_status("success", [    # recheck: CI result arrived
+                {"context": "ci/test", "status": "success"},
+            ])),
+        ],
+        ("GET", f"/repos/owner/repo/commits/{SHA_NEW}/status"): [
+            (200, _combined_status("success", [
+                {"context": "ci/test", "status": "success"},
+            ])),
+        ],
+        # close_open_red_issues_for_other_shas(SHA_NEW): issue for SHA_RED found
+        ("GET", "/repos/owner/repo/issues"): [
+            (200, [{"number": 9, "title": f"[main-red] owner/repo: {SHA_RED[:10]}"}]),
+        ],
+        ("POST", "/repos/owner/repo/issues/9/comments"): (201, {"id": 200}),
+        ("PATCH", "/repos/owner/repo/issues/9"): (200, {"number": 9, "state": "closed"}),
+    })
+    monkeypatch.setattr(wd_module, "api", stub)
+    rc = wd_module.run_once(dry_run=False)
+    assert rc == 0
+    methods_paths = [(c[0], c[1]) for c in stub.calls]
+    assert ("PATCH", "/repos/owner/repo/issues/9") in methods_paths, \
+        "head-drift should close the stale SHA_RED issue"
+
+
+def test_recovery_on_same_sha_closes_issue_filed_on_prior_tick(wd_module, monkeypatch):
+    """Same SHA shows red on initial check, but CI recovers before recheck
+    completes. watchdog must close the issue that was filed on an earlier
+    tick for this same SHA — otherwise stale open issues accumulate when CI
+    recovers within the settling window."""
+    stub = _make_stub_api({
+        ("GET", "/repos/owner/repo/branches/main"): (200, _branches_response(SHA_RED)),
+        # Sequential: initial check → failure, recheck (≥2nd call) → success.
+        # Using a list so Python dict keeps a single key (avoids overwrite).
+        ("GET", f"/repos/owner/repo/commits/{SHA_RED}/status"): [
+            (200, _combined_status("failure", [
+                {"context": "ci/test", "status": "failure", "description": "broke"},
+            ])),
+            (200, _combined_status("success", [
+                {"context": "ci/test", "state": "success"},
+            ])),
+        ],
+        # List open red issues → find stale issue for this SHA
+        ("GET", "/repos/owner/repo/issues"): (
+            200, [{"number": 11, "title": f"[main-red] owner/repo: {SHA_RED[:10]}"}],
+        ),
+        ("POST", "/repos/owner/repo/issues/11/comments"): (201, {"id": 300}),
+        ("PATCH", "/repos/owner/repo/issues/11"): (200, {"number": 11, "state": "closed"}),
+    })
+    monkeypatch.setattr(wd_module, "api", stub)
+    rc = wd_module.run_once(dry_run=False)
+    assert rc == 0
+    methods_paths = [(c[0], c[1]) for c in stub.calls]
+    assert ("PATCH", "/repos/owner/repo/issues/11") in methods_paths, \
+        "recovery-on-same-SHA should close the stale issue"
+
+
 # --------------------------------------------------------------------------
 # HTTP-failure / api() raises — duplicate-write regression guard
 # --------------------------------------------------------------------------
@@ -790,7 +887,7 @@ def test_emit_loki_event_prints_json_line(wd_module, capsys, monkeypatch):
    captured = capsys.readouterr()
    assert "main-red-watchdog event:" in captured.out
    # Find the JSON payload after the prefix and verify it parses
-    line = [l for l in captured.out.splitlines() if "main-red-watchdog event:" in l][0]
+    line = [ln for ln in captured.out.splitlines() if "main-red-watchdog event:" in ln][0]
    payload = json.loads(line.split("main-red-watchdog event:", 1)[1].strip())
    assert payload["event_type"] == "main_red_detected"
    assert payload["repo"] == "owner/repo"
@@ -40,7 +40,6 @@ Dependencies: stdlib + pytest + PyYAML. No network.
 from __future__ import annotations

 import importlib.util
-import json
 import os
 import sys
 from pathlib import Path
@@ -853,7 +852,6 @@ def test_reap_skips_combined_success_shas(sr_module, monkeypatch):
    Mock 2 SHAs with combined=success + 1 with combined=failure → only
    the failure-SHA's statuses get the per-context loop applied.
    """
-    per_context_iterated_for: list[str] = []
    posts: list[tuple[str, dict]] = []

    failure_statuses = [
@@ -6,10 +6,11 @@ Emits structured verdict + human-readable summary. Designed to run as:
  1. CLI:  python gate_check.py --repo org/repo --pr N
  2. Gitea Actions step: runs this script, captures stdout JSON

-Signals (MVP — signals 1,2,3,6):
+Signals (MVP — signals 1,2,3,4,6):
  1. Author-aware agent-tag comment scan
  2. REQUEST_CHANGES reviews state machine
  3. Staleness detection (review.commit_id != PR.head_sha)
+  4. Branch divergence / scope-creep guard (base-sha vs target HEAD)
  6. CI required-checks awareness

 Exit codes:
@@ -23,11 +24,9 @@ import json
 import os
 import re
 import sys
-import time
 import urllib.request
 import urllib.error
 from datetime import datetime, timezone
-from typing import Any, Optional

 # ── Gitea API client ────────────────────────────────────────────────────────

@@ -160,9 +159,9 @@ def signal_1_comment_scan(pr_number: int, repo: str) -> dict:
    # Build reverse map: login -> (group, agent_key)
    login_to_group = {}
    for group, login in relevant_roles.items():
-        for role, l in AGENT_LOGIN_MAP.items():
-            if l == login:
-                login_to_group[l] = (group, f"core-{role}")
+        for role, role_login in AGENT_LOGIN_MAP.items():
+            if role_login == login:
+                login_to_group[role_login] = (group, f"core-{role}")

    # Collect all agent-tag matches from comments
    comments = []
@@ -179,7 +178,7 @@ def signal_1_comment_scan(pr_number: int, repo: str) -> dict:
    try:
        reviews = api_list(f"/repos/{owner}/{name}/pulls/{pr_number}/reviews")
        for r in reviews:
-            login = r.get("user", {}).get("login", "")
+            login = (r.get("user") or {}).get("login", "")
            canonical = LOGIN_ALIASES.get(login, login)
            if canonical in login_to_group and r.get("state") == "APPROVED":
                comments.append(
@@ -200,7 +199,7 @@ def signal_1_comment_scan(pr_number: int, repo: str) -> dict:
        matches = []
        for c in comments:
            body = c.get("body", "") or ""
-            user_login = c.get("user", {}).get("login", "")
+            user_login = (c.get("user") or {}).get("login", "")
            # Resolve LOGIN_ALIASES so alternate logins satisfy the canonical gate
            user_login = LOGIN_ALIASES.get(user_login, user_login)
            if user_login != login:
@@ -266,11 +265,18 @@ def signal_2_reviews(pr_number: int, repo: str) -> dict:

    blocking = []
    for r in reviews:
-        if r.get("state") == "REQUEST_CHANGES" and not r.get("dismissed", False):
+        if (
+            r.get("state") == "REQUEST_CHANGES"
+            and not r.get("dismissed", False)
+            and r.get("official") is not False
+        ):
+            login = (r.get("user") or {}).get("login", "")
+            if not login:
+                continue
            blocking.append(
                {
                    "review_id": r["id"],
-                    "user": r["user"]["login"],
+                    "user": login,
                    "commit_id": r.get("commit_id", ""),
                    "created_at": r.get("submitted_at") or r.get("created_at", ""),
                }
@@ -330,6 +336,132 @@ def signal_3_staleness(pr_number: int, repo: str) -> dict:
    }


+# ── Signal 4: Branch divergence / scope-creep guard ─────────────────────────
+# Detects stale PR branches where the base SHA has drifted behind target HEAD.
+# Distinguishes files that are "inherited" from base divergence (already on
+# target via prior commits) from genuinely new PR work. Prevents misattribution
+# of scope creep when branches are stale (molecule-core#365).
+
+
+def _commits_and_files_behind(
+    owner: str, name: str, base_sha: str, target_branch: str
+) -> tuple[int | None, set[str]]:
+    """Paginate target-branch commits from HEAD back to base_sha.
+    Return (commits_behind_count, set of filenames changed in those commits).
+    Safety-capped at 20 pages (~1000 commits) to avoid runaway pagination.
+    """
+    commits_behind = 0
+    target_files: set[str] = set()
+    page = 1
+    max_pages = 20
+    per_page = 50
+
+    while page <= max_pages:
+        try:
+            commits = api_get(
+                f"/repos/{owner}/{name}/commits?sha={target_branch}&page={page}&limit={per_page}"
+            )
+        except GiteaError:
+            return (None, target_files)
+
+        if not isinstance(commits, list):
+            return (None, target_files)
+
+        for c in commits:
+            if c.get("sha") == base_sha:
+                return (commits_behind, target_files)
+            commits_behind += 1
+            for f in c.get("files", []):
+                fname = f.get("filename") or f.get("name", "")
+                if fname:
+                    target_files.add(fname)
+
+        if len(commits) < per_page:
+            break
+        page += 1
+
+    return (commits_behind if commits_behind > 0 else None, target_files)
+
+
+def signal_4_branch_divergence(
+    pr_number: int, repo: str, pr_data: dict | None = None
+) -> dict:
+    """
+    Compare PR.base.sha to current target-branch HEAD.
+    If diverged, show "inherited from base divergence" vs "actual new work"
+    file fractions using the commits API.
+    Returns: {signal, verdict, diverged, commits_behind, inherited_fraction, ...}
+    """
+    owner, name = repo.split("/", 1)
+
+    if pr_data is None:
+        pr_data = api_get(f"/repos/{owner}/{name}/pulls/{pr_number}")
+
+    base_sha = pr_data["base"]["sha"]
+    target_branch = pr_data["base"]["ref"]
+
+    try:
+        branch_info = api_get(f"/repos/{owner}/{name}/branches/{target_branch}")
+        target_head = branch_info["commit"]["id"]
+    except GiteaError as e:
+        return {"signal": "branch_divergence", "verdict": "N/A", "error": str(e)}
+
+    if base_sha == target_head:
+        return {
+            "signal": "branch_divergence",
+            "verdict": "CLEAR",
+            "diverged": False,
+            "commits_behind": 0,
+            "pr_files_count": 0,
+            "inherited_files": [],
+            "new_work_files": [],
+            "inherited_fraction": 0.0,
+        }
+
+    # Branch is diverged — count commits behind and collect files changed on
+    # target since the PR's base snapshot.
+    commits_behind, target_files = _commits_and_files_behind(
+        owner, name, base_sha, target_branch
+    )
+
+    # Get PR files
+    try:
+        pr_files_data = api_list(f"/repos/{owner}/{name}/pulls/{pr_number}/files")
+        pr_files = {
+            f.get("filename") or f.get("name", "") for f in pr_files_data
+        }
+        pr_files.discard("")
+    except GiteaError:
+        pr_files = set()
+
+    inherited_files = sorted(pr_files & target_files)
+    new_work_files = sorted(pr_files - target_files)
+    total = len(pr_files)
+    inherited_fraction = len(inherited_files) / total if total else 0.0
+
+    # Verdict: WARNING if significant divergence.
+    # Thresholds: >50 % inherited files, or >5 commits behind with any inherited files.
+    if inherited_fraction > 0.5 or (
+        commits_behind and commits_behind > 5 and inherited_files
+    ):
+        verdict = "WARNING"
+    else:
+        verdict = "CLEAR"
+
+    return {
+        "signal": "branch_divergence",
+        "verdict": verdict,
+        "diverged": True,
+        "base_sha": base_sha,
+        "target_head": target_head,
+        "commits_behind": commits_behind,
+        "pr_files_count": total,
+        "inherited_files": inherited_files,
+        "new_work_files": new_work_files,
+        "inherited_fraction": round(inherited_fraction, 2),
+    }
+
+
 # ── Signal 6: CI required-checks awareness ───────────────────────────────────

 def signal_6_ci(pr_number: int, repo: str, branch: str | None = None, pr_data: dict | None = None) -> dict:
@@ -410,7 +542,7 @@ def signal_6_ci(pr_number: int, repo: str, branch: str | None = None, pr_data: d

 # ── Gate evaluation ───────────────────────────────────────────────────────────

-VERDICT_ORDER = {"ERROR": 0, "CI_FAIL": 1, "BLOCKED": 2, "STALE-RC": 3, "CI_PENDING": 4, "N/A": 5, "CLEAR": 6}
+VERDICT_ORDER = {"ERROR": 0, "CI_FAIL": 1, "BLOCKED": 2, "STALE-RC": 3, "CI_PENDING": 4, "N/A": 5, "WARNING": 6, "CLEAR": 7}


 def compute_verdict(gates: list[dict]) -> tuple[str, list[dict]]:
@@ -441,6 +573,7 @@ def format_comment(repo: str, pr_number: int, verdict: str, gates: list[dict], b
        "agent_tag_comments": "Agent-tag gates",
        "request_changes_reviews": "REQUEST_CHANGES reviews",
        "stale_reviews": "Staleness check",
+        "branch_divergence": "Branch divergence / scope-creep guard",
        "ci_checks": "CI required checks",
    }

@@ -476,6 +609,25 @@ def format_comment(repo: str, pr_number: int, verdict: str, gates: list[dict], b
                    lines.append(
                        f"  - @{r['user']} stale (commit={r.get('review_commit','?')[:7]}, age={r.get('age_hours','?')}h)"
                    )
+            elif sig == "branch_divergence":
+                if b.get("diverged"):
+                    lines.append(
+                        f"  - Branch is {b.get('commits_behind', '?')} commits behind target "
+                        f"({b.get('target_head', '?')[:7]})"
+                    )
+                    frac = b.get("inherited_fraction", 0)
+                    lines.append(
+                        f"  - {frac * 100:.0f}% of PR files inherited from base divergence "
+                        f"({len(b.get('inherited_files', []))}/{b.get('pr_files_count', 0)} files)"
+                    )
+                    for f in b.get("inherited_files", [])[:5]:
+                        lines.append(f"    - inherited: `{f}`")
+                    if len(b.get("inherited_files", [])) > 5:
+                        lines.append(
+                            f"    - ... and {len(b.get('inherited_files', [])) - 5} more"
+                        )
+                else:
+                    lines.append("  - Branch is up to date with target")
            elif sig == "agent_tag_comments":
                for agent, res in b.get("results", {}).items():
                    v = res.get("verdict", "MISSING")
@@ -518,6 +670,7 @@ def run(repo: str, pr_number: int, post_comment: bool = False) -> dict:
            signal_1_comment_scan(pr_number, repo),
            signal_2_reviews(pr_number, repo),
            signal_3_staleness(pr_number, repo),
+            signal_4_branch_divergence(pr_number, repo, pr_data=pr),
            signal_6_ci(pr_number, repo, branch=base_ref, pr_data=pr),
        ]
        verdict, blockers = compute_verdict(gates)
@@ -74,3 +74,247 @@ def test_signal_1_infra_sre_login_alias_resolved_to_core_devops(monkeypatch):
    engineers = result["results"]["core-devops"]
    assert engineers["verdict"] == "APPROVED"
    assert engineers["group"] == "engineers"
+
+
+def test_signal_1_null_user_in_review_does_not_crash(monkeypatch):
+    """Regression: Gitea may return reviews with user=null (deleted/bot edge case).
+    signal_1_comment_scan must survive this without AttributeError."""
+    mod = load_gate_check()
+
+    def fake_api_get(path):
+        if path == "/repos/molecule-ai/molecule-core/pulls/901":
+            return {
+                "number": 901,
+                "labels": [{"name": "tier:low"}],
+            }
+        raise AssertionError(f"unexpected api_get: {path}")
+
+    def fake_api_list(path):
+        if path == "/repos/molecule-ai/molecule-core/issues/901/comments":
+            return []
+        if path == "/repos/molecule-ai/molecule-core/pulls/901/comments":
+            return []
+        if path == "/repos/molecule-ai/molecule-core/pulls/901/reviews":
+            return [
+                {
+                    "id": 1,
+                    "user": None,  # <-- the regression trigger
+                    "state": "APPROVED",
+                    "submitted_at": "2026-05-13T10:00:00Z",
+                },
+                {
+                    "id": 2,
+                    "user": {"login": "core-devops"},
+                    "state": "APPROVED",
+                    "submitted_at": "2026-05-13T10:01:00Z",
+                },
+            ]
+        raise AssertionError(f"unexpected api_list: {path}")
+
+    monkeypatch.setattr(mod, "api_get", fake_api_get)
+    monkeypatch.setattr(mod, "api_list", fake_api_list)
+
+    result = mod.signal_1_comment_scan(901, "molecule-ai/molecule-core")
+
+    # Should not crash; the valid review from core-devops still satisfies engineers gate
+    assert result["verdict"] == "CLEAR"
+    assert result["results"]["core-devops"]["verdict"] == "APPROVED"
+
+
+# ── Signal 2: Draft REQUEST_CHANGES guard ───────────────────────────────────
+
+
+def test_signal_2_draft_request_changes_does_not_block(monkeypatch):
+    """official=False REQUEST_CHANGES is a draft/pending review and must NOT
+    block the gate (matching review-check.sh post-#1818 official-filter)."""
+    mod = load_gate_check()
+
+    def fake_api_list(path):
+        if path == "/repos/molecule-ai/molecule-core/pulls/902/reviews":
+            return [
+                {
+                    "id": 1,
+                    "user": {"login": "agent-reviewer"},
+                    "state": "REQUEST_CHANGES",
+                    "official": False,
+                    "dismissed": False,
+                    "submitted_at": "2026-05-13T10:00:00Z",
+                }
+            ]
+        raise AssertionError(f"unexpected api_list: {path}")
+
+    monkeypatch.setattr(mod, "api_list", fake_api_list)
+
+    result = mod.signal_2_reviews(902, "molecule-ai/molecule-core")
+    assert result["verdict"] == "CLEAR"
+    assert result["blocking_reviews"] == []
+
+
+def test_signal_2_null_user_in_request_changes_does_not_crash(monkeypatch):
+    """Regression: Gitea may return user=null on a REQUEST_CHANGES review.
+    signal_2_reviews must survive this without AttributeError."""
+    mod = load_gate_check()
+
+    def fake_api_list(path):
+        if path == "/repos/molecule-ai/molecule-core/pulls/903/reviews":
+            return [
+                {
+                    "id": 1,
+                    "user": None,
+                    "state": "REQUEST_CHANGES",
+                    "official": True,
+                    "dismissed": False,
+                    "submitted_at": "2026-05-13T10:00:00Z",
+                }
+            ]
+        raise AssertionError(f"unexpected api_list: {path}")
+
+    monkeypatch.setattr(mod, "api_list", fake_api_list)
+
+    result = mod.signal_2_reviews(903, "molecule-ai/molecule-core")
+    assert result["verdict"] == "CLEAR"
+    assert result["blocking_reviews"] == []
+
+
+# ── Signal 4: Branch divergence / scope-creep guard ─────────────────────────
+
+
+def test_signal_4_no_divergence_returns_clear(monkeypatch):
+    """When PR.base.sha equals target branch HEAD, divergence is zero."""
+    mod = load_gate_check()
+
+    shared_sha = "abc123"
+
+    def fake_api_get(path):
+        if path == "/repos/molecule-ai/molecule-core/pulls/100":
+            return {
+                "base": {"sha": shared_sha, "ref": "main"},
+                "head": {"sha": "def456"},
+            }
+        if path == "/repos/molecule-ai/molecule-core/branches/main":
+            return {"commit": {"id": shared_sha}}
+        raise AssertionError(f"unexpected api_get: {path}")
+
+    monkeypatch.setattr(mod, "api_get", fake_api_get)
+
+    result = mod.signal_4_branch_divergence(100, "molecule-ai/molecule-core")
+
+    assert result["verdict"] == "CLEAR"
+    assert result["diverged"] is False
+    assert result["commits_behind"] == 0
+    assert result["inherited_fraction"] == 0.0
+
+
+def test_signal_4_divergence_with_inherited_files_warning(monkeypatch):
+    """Stale branch with overlapping files triggers WARNING and correct fractions."""
+    mod = load_gate_check()
+
+    base_sha = "base000"
+    target_head = "head111"
+
+    def fake_api_get(path):
+        if path == "/repos/molecule-ai/molecule-core/pulls/101":
+            return {
+                "base": {"sha": base_sha, "ref": "main"},
+                "head": {"sha": "pr222"},
+            }
+        if path == "/repos/molecule-ai/molecule-core/branches/main":
+            return {"commit": {"id": target_head}}
+        if path == "/repos/molecule-ai/molecule-core/commits?sha=main&page=1&limit=50":
+            return [
+                {
+                    "sha": target_head,
+                    "files": [
+                        {"filename": "ci.yml"},
+                        {"filename": "README.md"},
+                    ],
+                },
+                {"sha": base_sha, "files": []},
+            ]
+        raise AssertionError(f"unexpected api_get: {path}")
+
+    def fake_api_list(path):
+        if path == "/repos/molecule-ai/molecule-core/pulls/101/files":
+            return [
+                {"filename": "ci.yml"},
+                {"filename": "README.md"},
+                {"filename": "new_feature.go"},
+            ]
+        raise AssertionError(f"unexpected api_list: {path}")
+
+    monkeypatch.setattr(mod, "api_get", fake_api_get)
+    monkeypatch.setattr(mod, "api_list", fake_api_list)
+
+    result = mod.signal_4_branch_divergence(101, "molecule-ai/molecule-core")
+
+    assert result["verdict"] == "WARNING"
+    assert result["diverged"] is True
+    assert result["commits_behind"] == 1
+    assert result["pr_files_count"] == 3
+    assert result["inherited_files"] == ["README.md", "ci.yml"]
+    assert result["new_work_files"] == ["new_feature.go"]
+    assert result["inherited_fraction"] == round(2 / 3, 2)
+
+
+def test_signal_4_divergence_no_inherited_files_clear(monkeypatch):
+    """Stale branch but zero file overlap → still CLEAR (no scope-creep risk)."""
+    mod = load_gate_check()
+
+    base_sha = "base000"
+    target_head = "head111"
+
+    def fake_api_get(path):
+        if path == "/repos/molecule-ai/molecule-core/pulls/102":
+            return {
+                "base": {"sha": base_sha, "ref": "main"},
+                "head": {"sha": "pr222"},
+            }
+        if path == "/repos/molecule-ai/molecule-core/branches/main":
+            return {"commit": {"id": target_head}}
+        if path == "/repos/molecule-ai/molecule-core/commits?sha=main&page=1&limit=50":
+            return [
+                {
+                    "sha": target_head,
+                    "files": [{"filename": "other.go"}],
+                },
+                {"sha": base_sha, "files": []},
+            ]
+        raise AssertionError(f"unexpected api_get: {path}")
+
+    def fake_api_list(path):
+        if path == "/repos/molecule-ai/molecule-core/pulls/102/files":
+            return [{"filename": "new_feature.go"}]
+        raise AssertionError(f"unexpected api_list: {path}")
+
+    monkeypatch.setattr(mod, "api_get", fake_api_get)
+    monkeypatch.setattr(mod, "api_list", fake_api_list)
+
+    result = mod.signal_4_branch_divergence(102, "molecule-ai/molecule-core")
+
+    assert result["verdict"] == "CLEAR"
+    assert result["diverged"] is True
+    assert result["inherited_files"] == []
+    assert result["new_work_files"] == ["new_feature.go"]
+    assert result["inherited_fraction"] == 0.0
+
+
+def test_signal_4_branch_api_error_returns_na(monkeypatch):
+    """If the branch endpoint 404s, signal degrades to N/A rather than crashing."""
+    mod = load_gate_check()
+
+    def fake_api_get(path):
+        if path == "/repos/molecule-ai/molecule-core/pulls/103":
+            return {
+                "base": {"sha": "base000", "ref": "main"},
+                "head": {"sha": "pr222"},
+            }
+        if path == "/repos/molecule-ai/molecule-core/branches/main":
+            raise mod.GiteaError("GET .../branches/main → 404: not found")
+        raise AssertionError(f"unexpected api_get: {path}")
+
+    monkeypatch.setattr(mod, "api_get", fake_api_get)
+
+    result = mod.signal_4_branch_divergence(103, "molecule-ai/molecule-core")
+
+    assert result["verdict"] == "N/A"
+    assert "error" in result
@@ -71,6 +71,7 @@ RUN apk add --no-cache ca-certificates docker-cli docker-cli-buildx git tzdata w
 COPY --from=builder /platform /platform
 COPY --from=builder /memory-plugin /memory-plugin
 COPY workspace-server/migrations /migrations
+COPY manifest.json /app/manifest.json
 # Templates + plugins (pre-cloned by scripts/clone-manifest.sh in the
 # trusted CI / operator-host context, .git already stripped). The Gitea
 # token used to clone them never enters this image — same shape as
@@ -118,6 +118,7 @@ RUN deluser --remove-home node 2>/dev/null || true; \
 COPY --from=go-builder /platform /platform
 COPY --from=go-builder /memory-plugin /memory-plugin
 COPY workspace-server/migrations /migrations
+COPY manifest.json /app/manifest.json

 # Templates + plugins (pre-cloned by scripts/clone-manifest.sh in the
 # trusted CI / operator-host context, .git already stripped — see
@@ -50,6 +50,7 @@ import (
 	"git.moleculesai.app/molecule-ai/molecule-core/workspace-server/internal/router"
 	"git.moleculesai.app/molecule-ai/molecule-core/workspace-server/internal/scheduler"
 	"git.moleculesai.app/molecule-ai/molecule-core/workspace-server/internal/supervised"
+	"git.moleculesai.app/molecule-ai/molecule-core/workspace-server/internal/templatecache"
 	"git.moleculesai.app/molecule-ai/molecule-core/workspace-server/internal/ws"

 	// External plugins — each registers EnvMutator(s) that run at workspace
@@ -58,6 +59,7 @@ import (
 	ghidentity "go.moleculesai.app/plugin/gh-identity/pluginloader"

 	"git.moleculesai.app/molecule-ai/molecule-core/workspace-server/pkg/provisionhook"
+	"github.com/gin-gonic/gin"
 )

 func main() {
@@ -147,8 +149,13 @@ func main() {
 				result, err := db.DB.ExecContext(ctx, `DELETE FROM activity_logs WHERE created_at < now() - ($1 || ' days')::interval`, retentionDays)
 				if err != nil {
 					log.Printf("Activity log cleanup error: %v", err)
-				} else if n, _ := result.RowsAffected(); n > 0 {
-					log.Printf("Activity log cleanup: purged %d old entries", n)
+				} else {
+					n, err := result.RowsAffected()
+					if err != nil {
+						log.Printf("Activity log cleanup RowsAffected error: %v", err)
+					} else if n > 0 {
+						log.Printf("Activity log cleanup: purged %d old entries", n)
+					}
 				}
 			}
 		}
@@ -193,11 +200,28 @@ func main() {
 	port := envOr("PORT", "8080")
 	platformURL := envOr("PLATFORM_URL", fmt.Sprintf("http://host.docker.internal:%s", port))
 	configsDir := envOr("CONFIGS_DIR", findConfigsDir())
+	templateCacheDir := envOr("TEMPLATE_CACHE_DIR", filepath.Join(os.TempDir(), "molecule-template-cache"))
+	manifestPath := findWorkspaceManifestPath()
+	templateToken := templateCacheToken()
+	refreshTemplates := func(ctx context.Context) (templatecache.RefreshReport, error) {
+		return templatecache.RefreshWorkspaceTemplates(ctx, manifestPath, templateCacheDir, templateToken)
+	}
+	if shouldRefreshTemplateCache(templateToken, manifestPath) {
+		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
+		report, err := refreshTemplates(ctx)
+		cancel()
+		if err != nil {
+			log.Printf("template cache refresh: %v (continuing with baked templates)", err)
+		} else {
+			log.Printf("template cache refresh: refreshed %d workspace templates into %s", len(report.Results), templateCacheDir)
+		}
+	}

 	// Init order: wh → onWorkspaceOffline → liveness/healthSweep → router
 	// WorkspaceHandler is created before the router so RestartByID can be wired into
 	// the offline callbacks used by both the liveness monitor and the health sweep.
-	wh := handlers.NewWorkspaceHandler(broadcaster, prov, platformURL, configsDir)
+	wh := handlers.NewWorkspaceHandler(broadcaster, prov, platformURL, configsDir).
+		WithTemplateCacheDir(templateCacheDir)
 	if cpProv != nil {
 		wh.SetCPProvisioner(cpProv)
 	}
@@ -377,7 +401,12 @@ func main() {
 	// require a plugins/ dir on disk (nil in CP/SaaS mode).
 	pluginRegistry := plugins.NewRegistry()
 	pluginRegistry.Register(plugins.NewGithubResolver())
-	r := router.Setup(hub, broadcaster, prov, platformURL, configsDir, wh, channelMgr, memBundle, pluginRegistry)
+	refreshTemplatesHTTP := func(c *gin.Context) (any, error) {
+		ctx, cancel := context.WithTimeout(c.Request.Context(), 2*time.Minute)
+		defer cancel()
+		return refreshTemplates(ctx)
+	}
+	r := router.Setup(hub, broadcaster, prov, platformURL, configsDir, templateCacheDir, wh, channelMgr, memBundle, pluginRegistry, refreshTemplatesHTTP)

 	// Plugin drift sweeper — periodic detection of upstream plugin version drift
 	// (core#123). Scans workspace_plugins rows where tracked_ref != 'none',
@@ -493,6 +522,40 @@ func findConfigsDir() string {
 	return "workspace-configs-templates"
 }

+func findWorkspaceManifestPath() string {
+	if v := os.Getenv("WORKSPACE_MANIFEST_PATH"); v != "" {
+		return v
+	}
+	for _, p := range []string{"/app/manifest.json", "manifest.json", "../manifest.json", "../../manifest.json"} {
+		if abs, err := filepath.Abs(p); err == nil {
+			if _, err := os.Stat(abs); err == nil {
+				return abs
+			}
+		}
+	}
+	return ""
+}
+
+func templateCacheToken() string {
+	for _, key := range []string{"MOLECULE_TEMPLATE_GITEA_TOKEN", "MOLECULE_GITEA_TOKEN"} {
+		if v := strings.TrimSpace(os.Getenv(key)); v != "" {
+			return v
+		}
+	}
+	return ""
+}
+
+func shouldRefreshTemplateCache(token, manifestPath string) bool {
+	switch strings.ToLower(strings.TrimSpace(os.Getenv("TEMPLATE_CACHE_REFRESH"))) {
+	case "0", "false", "off", "no":
+		return false
+	case "1", "true", "on", "yes":
+		return token != "" && manifestPath != ""
+	default:
+		return token != "" && manifestPath != ""
+	}
+}
+
 func findMigrationsDir() string {
 	candidates := []string{
 		"migrations",
@@ -3,6 +3,7 @@ package bundle
 import (
 	"context"
 	"fmt"
+	"log"
 	"strings"

 	"git.moleculesai.app/molecule-ai/molecule-core/workspace-server/internal/db"
@@ -72,7 +73,9 @@ func Import(
 		}
 	}
 	// Store runtime in DB
-	_, _ = db.DB.ExecContext(ctx, `UPDATE workspaces SET runtime = $1 WHERE id = $2`, bundleRuntime, wsID)
+	if _, err := db.DB.ExecContext(ctx, `UPDATE workspaces SET runtime = $1 WHERE id = $2`, bundleRuntime, wsID); err != nil {
+		log.Printf("bundle import: failed to store runtime for workspace %s: %v", wsID, err)
+	}

 	// Provision the container if provisioner is available
 	if prov != nil {
@@ -92,7 +95,9 @@ func Import(
 			if err != nil {
 				markFailed(provCtx, wsID, broadcaster, err)
 			} else if url != "" {
-				db.DB.ExecContext(provCtx, `UPDATE workspaces SET url = $1 WHERE id = $2`, url, wsID)
+				if _, err := db.DB.ExecContext(provCtx, `UPDATE workspaces SET url = $1 WHERE id = $2`, url, wsID); err != nil {
+					log.Printf("bundle import: failed to store URL for workspace %s: %v", wsID, err)
+				}
 			}
 		}()
 	}
@@ -139,9 +144,11 @@ func markFailed(ctx context.Context, wsID string, broadcaster *events.Broadcaste
 	// markProvisionFailed in workspace-server/internal/handlers/
 	// workspace_provision_shared.go.
 	msg := err.Error()
-	db.DB.ExecContext(ctx,
+	if _, dbErr := db.DB.ExecContext(ctx,
 		`UPDATE workspaces SET status = $1, last_sample_error = $2, updated_at = now() WHERE id = $3`,
-		models.StatusFailed, msg, wsID)
+		models.StatusFailed, msg, wsID); dbErr != nil {
+		log.Printf("bundle import: failed to mark workspace %s as failed: %v", wsID, dbErr)
+	}
 	broadcaster.RecordAndBroadcast(ctx, string(events.EventWorkspaceProvisionFailed), wsID, map[string]interface{}{
 		"error": msg,
 	})
@@ -18,6 +18,11 @@ const (
 	discordHTTPTimeout   = 10 * time.Second
 )

+// httpClient abstracts http.Client for test injection.
+type httpClient interface {
+	Do(req *http.Request) (*http.Response, error)
+}
+
 // DiscordAdapter implements ChannelAdapter for Discord.
 //
 // Outbound messages are sent via Discord Incoming Webhooks. The webhook URL
@@ -33,7 +38,11 @@ const (
 //
 // StartPolling returns nil immediately — Discord does not support long-polling;
 // use the Interactions webhook route instead.
-type DiscordAdapter struct{}
+type DiscordAdapter struct {
+	// client allows dependency injection for testing. If nil, the default
+	// http.Client is used at call time (safe for production use).
+	client httpClient
+}

 func (d *DiscordAdapter) Type() string        { return "discord" }
 func (d *DiscordAdapter) DisplayName() string { return "Discord" }
@@ -95,7 +104,10 @@ func (d *DiscordAdapter) SendMessage(ctx context.Context, config map[string]inte
 	// Split long messages into chunks at word boundaries where possible.
 	chunks := splitMessage(text, maxLen)

-	client := &http.Client{Timeout: discordHTTPTimeout}
+	client := d.client
+	if client == nil {
+		client = &http.Client{Timeout: discordHTTPTimeout}
+	}
 	for _, chunk := range chunks {
 		payload, err := json.Marshal(map[string]string{"content": chunk})
 		if err != nil {
@@ -3,6 +3,7 @@ package channels
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"strings"
@@ -13,6 +14,17 @@ import (

 // ==================== DiscordAdapter unit tests ====================

+// fatalClient is a deterministic httpClient stub that always returns a
+// fixed error. Used to test that error messages from SendMessage do not
+// contain the Discord webhook token.
+type fatalClient struct {
+	err error
+}
+
+func (c *fatalClient) Do(*http.Request) (*http.Response, error) {
+	return nil, c.err
+}
+
 func TestDiscordAdapter_Type(t *testing.T) {
 	a := &DiscordAdapter{}
 	if a.Type() != "discord" {
@@ -288,17 +300,36 @@ func TestSplitMessage_LongMessage(t *testing.T) {
 }

 // TestDiscordAdapter_SendMessage_ErrorDoesNotLeakToken verifies that when the
-// HTTP call to the Discord webhook fails (e.g. DNS error), the returned error
+// HTTP call to the Discord webhook fails (network error), the returned error
 // message does NOT contain the webhook URL — which embeds the Discord token.
 // Regression test for the MEDIUM security finding in PR #659.
+//
+// This test uses a deterministic httptest.Server (connection refused) rather
+// than a live network call, so it always exercises the error path regardless
+// of environment routing.
 func TestDiscordAdapter_SendMessage_ErrorDoesNotLeakToken(t *testing.T) {
-	a := &DiscordAdapter{}
-	// Use a valid-looking webhook URL with a fake token so we can check it
-	// doesn't appear in the error string.
 	fakeToken := "SUPER_SECRET_DISCORD_TOKEN_12345"
 	webhookURL := discordWebhookPrefix + "123456789/" + fakeToken

-	// Point at an unroutable address to force a dial error.
+	// httptest.Server with no handler → connection refused / immediate close.
+	// Deterministic in all environments; no skip condition.
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Fatal("server handler called — should have been unreachable")
+	}))
+	defer ts.Close()
+
+	// Point the webhook URL at the test server so DiscordAdapter sends there.
+	// We intercept the *request* (not the URL) by swapping the client's base URL.
+	// The adapter always resolves webhookURL from config, so we set up a
+	// test server that refuses connections on the real discord.com domain
+	// by having the adapter's HTTP client hit an unreachable host.
+	//
+	// Simpler: construct a URL with the fake token that won't route anywhere,
+	// but use a mock httpClient to control the error exactly.
+	a := &DiscordAdapter{
+		client: &fatalClient{err: fmt.Errorf("connection refused")},
+	}
+
 	err := a.SendMessage(
 		context.Background(),
 		map[string]interface{}{"webhook_url": webhookURL},
@@ -307,12 +338,14 @@ func TestDiscordAdapter_SendMessage_ErrorDoesNotLeakToken(t *testing.T) {
 	)

 	if err == nil {
-		// In some environments the request might actually succeed; that's fine.
-		t.Skip("request unexpectedly succeeded — skipping token-leak check")
+		t.Fatal("expected error from fatalClient")
 	}
 	if strings.Contains(err.Error(), fakeToken) {
 		t.Errorf("error message leaks Discord webhook token: %q", err.Error())
 	}
+	if strings.Contains(err.Error(), "123456789") {
+		t.Errorf("error message leaks webhook ID: %q", err.Error())
+	}
 }

 func TestSplitMessage_SplitsAtNewline(t *testing.T) {
@@ -82,7 +82,10 @@ func NewManager(proxy A2AProxy, broadcaster Broadcaster) *Manager {
 			log.Printf("Channels: failed to disable telegram chat_id=%s: %v", chatID, err)
 			return
 		}
-		if rows, _ := res.RowsAffected(); rows > 0 {
+		rows, err := res.RowsAffected()
+		if err != nil {
+			log.Printf("Channels: disable telegram RowsAffected error chat_id=%s: %v", chatID, err)
+		} else if rows > 0 {
 			log.Printf("Channels: disabled %d telegram channel(s) for chat_id=%s (bot removed)", rows, chatID)
 			// Reload so the in-memory poller map drops the now-disabled row.
 			m.Reload(ctx)
@@ -310,7 +313,7 @@ func (m *Manager) HandleInbound(ctx context.Context, ch ChannelRow, msg *Inbound
 	history := m.loadHistory(ctx, historyKey)

 	// Build A2A JSON-RPC payload
-	a2aBody, _ := json.Marshal(map[string]interface{}{
+	a2aBody, marshalErr := json.Marshal(map[string]interface{}{
 		"method": "message/send",
 		"params": map[string]interface{}{
 			"message": map[string]interface{}{
@@ -330,6 +333,10 @@ func (m *Manager) HandleInbound(ctx context.Context, ch ChannelRow, msg *Inbound
 			},
 		},
 	})
+	if marshalErr != nil {
+		log.Printf("Channels %s: json.Marshal a2aBody failed: %v", ch.ChannelType, marshalErr)
+		return fmt.Errorf("marshal a2a body: %w", marshalErr)
+	}

 	callerID := "channel:" + ch.ChannelType

@@ -389,11 +396,13 @@ func (m *Manager) HandleInbound(ctx context.Context, ch ChannelRow, msg *Inbound

 	// Update stats in DB
 	if db.DB != nil {
-		db.DB.ExecContext(ctx, `
+		if _, err := db.DB.ExecContext(ctx, `
 			UPDATE workspace_channels
 			SET last_message_at = now(), message_count = message_count + 1, updated_at = now()
 			WHERE id = $1
-		`, ch.ID)
+		`, ch.ID); err != nil {
+			log.Printf("Channels: inbound stats update failed for channel %s: %v", ch.ID, err)
+		}
 	}

 	// Broadcast event
@@ -434,11 +443,13 @@ func (m *Manager) SendOutbound(ctx context.Context, channelID string, text strin
 	}

 	if db.DB != nil {
-		db.DB.ExecContext(ctx, `
+		if _, err := db.DB.ExecContext(ctx, `
 			UPDATE workspace_channels
 			SET last_message_at = now(), message_count = message_count + 1, updated_at = now()
 			WHERE id = $1
-		`, channelID)
+		`, channelID); err != nil {
+			log.Printf("Channels: outbound stats update failed for channel %s: %v", channelID, err)
+		}
 	}

 	if m.broadcaster != nil {
@@ -508,14 +519,20 @@ func (m *Manager) FetchWorkspaceChannelContext(ctx context.Context, workspaceID
 	}
 	defer rows.Close()
 	if !rows.Next() {
+		if err := rows.Err(); err != nil {
+			log.Printf("ChannelManager: FetchWorkspaceChannelContext rows error for %s: %v", workspaceID, err)
+		}
 		return ""
 	}
 	var configJSON []byte
-	if rows.Scan(&configJSON) != nil {
+	if err := rows.Scan(&configJSON); err != nil {
+		log.Printf("ChannelManager: FetchWorkspaceChannelContext scan error for %s: %v", workspaceID, err)
 		return ""
 	}
 	var config map[string]interface{}
-	json.Unmarshal(configJSON, &config)
+	if err := json.Unmarshal(configJSON, &config); err != nil {
+		log.Printf("ChannelManager: unmarshal config: %v", err)
+	}
 	if err := DecryptSensitiveFields(config); err != nil {
 		return ""
 	}
@@ -652,12 +669,16 @@ func (m *Manager) appendHistory(ctx context.Context, key string, username, userM
 	if db.RDB == nil {
 		return
 	}
-	entry, _ := json.Marshal(map[string]string{
+	entry, marshalErr := json.Marshal(map[string]string{
 		"user":    username,
 		"message": userMsg,
 		"reply":   agentReply,
 		"time":    time.Now().UTC().Format(time.RFC3339),
 	})
+	if marshalErr != nil {
+		log.Printf("appendHistory %s: json.Marshal entry failed: %v", key, marshalErr)
+		return
+	}
 	db.RDB.LPush(ctx, key, string(entry))
 	db.RDB.LTrim(ctx, key, 0, int64(maxHistoryEntries-1))
 	db.RDB.Expire(ctx, key, historyTTL)
@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"log"
 	"net/http"
 	"strings"
 	"time"
@@ -159,7 +160,11 @@ func (s *SlackAdapter) sendBotMessage(ctx context.Context, config map[string]int
 			payload["icon_emoji"] = iconEmoji
 		}

-		body, _ := json.Marshal(payload)
+		body, marshalErr := json.Marshal(payload)
+		if marshalErr != nil {
+			log.Printf("slack SendMessage: json.Marshal payload failed: %v", marshalErr)
+			return fmt.Errorf("slack: marshal payload: %w", marshalErr)
+		}
 		req, err := http.NewRequestWithContext(ctx, http.MethodPost, "https://slack.com/api/chat.postMessage", bytes.NewReader(body))
 		if err != nil {
 			return fmt.Errorf("slack: build request: %w", err)
@@ -482,12 +482,14 @@ func (t *TelegramAdapter) StartPolling(ctx context.Context, config map[string]in
 				if apiErr.Code == 429 {
 					retryAfter := time.Duration(apiErr.RetryAfter) * time.Second
 					log.Printf("Channels: Telegram poll rate-limited, sleeping %s", retryAfter)
+					timer := time.NewTimer(retryAfter)
 					select {
 					case <-ctx.Done():
+						timer.Stop()
 						return nil
-					case <-time.After(retryAfter):
-						continue
+					case <-timer.C:
 					}
+					continue
 				}
 				if apiErr.Code == 401 {
 					invalidateBot(token)
@@ -495,12 +497,14 @@ func (t *TelegramAdapter) StartPolling(ctx context.Context, config map[string]in
 				}
 			}
 			log.Printf("Channels: Telegram poll error: %v", err)
+			timer := time.NewTimer(telegramPollInterval)
 			select {
 			case <-ctx.Done():
+				timer.Stop()
 				return nil
-			case <-time.After(telegramPollInterval):
-				continue
+			case <-timer.C:
 			}
+			continue
 		}

 		for _, update := range updates {
@@ -115,12 +115,15 @@ func (h *WorkspaceHandler) handleA2ADispatchError(ctx context.Context, workspace
 			if logActivity {
 				h.logA2ABusyQueued(ctx, workspaceID, callerID, body, a2aMethod, durationMs)
 			}
-			respBody, _ := json.Marshal(gin.H{
+			respBody, marshalErr := json.Marshal(gin.H{
 				"queued":      true,
 				"queue_id":    qid,
 				"queue_depth": depth,
 				"message":     "workspace agent busy — request queued, will dispatch when capacity available",
 			})
+			if marshalErr != nil {
+				log.Printf("ProxyA2A %s: json.Marshal respBody failed: %v", workspaceID, marshalErr)
+			}
 			return http.StatusAccepted, respBody, nil
 		} else {
 			// Queue insert failed — fall through to legacy 503 behavior
@@ -423,16 +426,34 @@ func nilIfEmpty(s string) *string {
 // (their next /registry/register will mint their first token, after
 // which this branch never fires again for them).
 //
-// Post-RFC#637 addition: when the tokenless workspace is accompanied by
-// canvas or admin auth (same-origin request, admin bearer, or org-level
-// token), the caller is identified as a canvas-user identity rather than
-// a legacy peer agent. The returned isCanvasUser flag lets the A2A proxy
-// bypass CanCommunicate for human users, who sit outside the workspace
-// hierarchy.
+// Post-RFC#637 addition: a request may instead be carrying a HUMAN's
+// canvas-user identity (e.g. the 344a2623-… identity workspace from the
+// RFC#637 rollout). That human sits OUTSIDE the workspace org hierarchy, so
+// the returned isCanvasUser flag lets the A2A proxy bypass CanCommunicate for
+// it. Canvas-user classification is decided by isGenuineCanvasUser using
+// NON-FORGEABLE credentials only (see that function) — never by the caller's
+// X-Workspace-ID alone, and never by a bare same-origin Host/Referer in a
+// SaaS image (those are forgeable; see middleware.IsSameOriginCanvas).
+//
+// #1673: this canvas-user check is now evaluated BEFORE the HasAnyLiveToken
+// peer-token contract. Previously it lived only in the !hasLive branch, so a
+// canvas-user identity workspace that had acquired live tokens fell into the
+// hasLive=true branch, which demands a bearer the canvas frontend never sends
+// → silent 401 → the message was dropped before logA2AReceiveQueued wrote the
+// activity_logs row, breaking canvas chat for poll-mode workspaces. A genuine
+// canvas user is identified by the human's session/admin/org credential, which
+// is independent of whether the identity workspace happens to hold peer tokens.
 //
 // On auth failure this writes the 401 via c and returns an error so the
 // handler aborts without running the proxy.
 func validateCallerToken(ctx context.Context, c *gin.Context, callerID string) (isCanvasUser bool, err error) {
+	// Genuine canvas-user identity? Decided independently of the caller
+	// workspace's token state (the #1673 fix) and using only non-forgeable
+	// signals (the #1944 escalation guard).
+	if isGenuineCanvasUser(ctx, c) {
+		return true, nil
+	}
+
 	hasLive, dbErr := wsauth.HasAnyLiveToken(ctx, db.DB, callerID)
 	if dbErr != nil {
 		// Fail-open here matches the heartbeat path — A2A caller auth is
@@ -443,22 +464,10 @@ func validateCallerToken(ctx context.Context, c *gin.Context, callerID string) (
 		return false, nil
 	}
 	if !hasLive {
-		// Tokenless workspace — could be legacy/pre-upgrade caller or
-		// canvas-user identity. Distinguish by request auth signals.
-		if middleware.IsSameOriginCanvas(c) {
-			return true, nil
-		}
-		tok := wsauth.BearerTokenFromHeader(c.GetHeader("Authorization"))
-		if tok != "" {
-			adminSecret := os.Getenv("ADMIN_TOKEN")
-			if adminSecret != "" && subtle.ConstantTimeCompare([]byte(tok), []byte(adminSecret)) == 1 {
-				return true, nil
-			}
-			if _, _, _, err := orgtoken.Validate(ctx, db.DB, tok); err == nil {
-				return true, nil
-			}
-		}
-		return false, nil // legacy / pre-upgrade caller
+		// Tokenless, non-canvas-user workspace — legacy / pre-upgrade peer.
+		// Grandfather it through (its next /registry/register mints its
+		// first token, after which it lands in the hasLive=true branch).
+		return false, nil
 	}
 	tok := wsauth.BearerTokenFromHeader(c.GetHeader("Authorization"))
 	if tok == "" {
@@ -472,6 +481,61 @@ func validateCallerToken(ctx context.Context, c *gin.Context, callerID string) (
 	return false, nil
 }

+// isGenuineCanvasUser reports whether the request is a real human acting
+// through the canvas UI (RFC#637 canvas-user identity), as opposed to a peer
+// workspace agent. A true result lets the A2A proxy bypass CanCommunicate, so
+// it MUST only accept signals an attacker on the platform network cannot forge:
+//
+//   - A control-plane-verified canvas session: the WorkOS session cookie is
+//     confirmed upstream to belong to a MEMBER of THIS tenant's org
+//     (middleware.IsVerifiedCanvasSession → /cp/auth/tenant-member). This is
+//     the production SaaS canvas path.
+//   - An Authorization: Bearer matching ADMIN_TOKEN (break-glass / molecli).
+//   - An Authorization: Bearer matching a live org_api_tokens row (user-minted
+//     org-scoped API token).
+//
+// Deliberately NOT accepted as a canvas-user signal in a SaaS image:
+//
+//   - A bare same-origin Host/Referer/Origin (middleware.IsSameOriginCanvas).
+//     Those headers are trivially forgeable by any container on the Docker
+//     network, and the combined-tenant image (CANVAS_PROXY_URL set) is exactly
+//     where a forged Referer + an arbitrary X-Workspace-ID could otherwise
+//     bypass CanCommunicate and reach cross-workspace A2A — the PR #1944
+//     privilege escalation. Same-origin is only honored as a fallback when CP
+//     session verification is NOT configured (self-hosted / dev), a
+//     single-tenant topology with no cross-tenant boundary to escalate across;
+//     even there the org hierarchy still owns intra-org routing.
+//
+// Note this classification is about the human's credential, not the caller
+// workspace's X-Workspace-ID — so it never trusts an attacker-supplied caller
+// ID, and it is independent of whether that workspace holds peer tokens.
+func isGenuineCanvasUser(ctx context.Context, c *gin.Context) bool {
+	// Production SaaS: control-plane-verified org-member session cookie.
+	if middleware.IsVerifiedCanvasSession(c) {
+		return true
+	}
+
+	if tok := wsauth.BearerTokenFromHeader(c.GetHeader("Authorization")); tok != "" {
+		adminSecret := os.Getenv("ADMIN_TOKEN")
+		if adminSecret != "" && subtle.ConstantTimeCompare([]byte(tok), []byte(adminSecret)) == 1 {
+			return true
+		}
+		if _, _, _, err := orgtoken.Validate(ctx, db.DB, tok); err == nil {
+			return true
+		}
+	}
+
+	// Self-hosted / dev fallback ONLY: when upstream session verification is
+	// not configured there is no verified-cookie signal to use, and the
+	// deployment is single-tenant, so the forgeable same-origin check is an
+	// acceptable canvas signal. In SaaS (CP session configured) this branch is
+	// skipped, closing the forged-same-origin escalation.
+	if !middleware.CPSessionConfigured() && middleware.IsSameOriginCanvas(c) {
+		return true
+	}
+	return false
+}
+
 // errInvalidCallerToken is a sentinel for validateCallerToken's "missing
 // token" branch so the handler-level guard can detect it without string
 // matching (the wsauth errors are typed for the invalid case).
@@ -11,6 +11,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"os"
+	"os/exec"
 	"strings"
 	"testing"
 	"time"
@@ -1244,13 +1245,12 @@ func TestValidateCallerToken_WrongWorkspaceBindingRejected(t *testing.T) {
 }

 func TestValidateCallerToken_CanvasUser_AdminToken(t *testing.T) {
-	mock := setupTestDB(t)
+	setupTestDB(t)
 	setupTestRedis(t)

-	// Tokenless workspace
-	mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens`).
-		WithArgs("ws-canvas-admin").
-		WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(0))
+	// #1673/#1944: the genuine-canvas-user check (admin bearer here) now runs
+	// BEFORE HasAnyLiveToken, so no SELECT COUNT(*) is issued — the human's
+	// credential, not the caller workspace's token state, decides canvas-user.

 	t.Setenv("ADMIN_TOKEN", "admin-secret-42")

@@ -1276,10 +1276,9 @@ func TestValidateCallerToken_CanvasUser_OrgToken(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)

-	// Tokenless workspace
-	mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens`).
-		WithArgs("ws-canvas-org").
-		WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(0))
+	// #1673/#1944: the genuine-canvas-user check (org token here) now runs
+	// BEFORE HasAnyLiveToken, so the first DB query is orgtoken.Validate's
+	// lookup — there is no SELECT COUNT(*) expectation anymore.

 	// orgtoken.Validate lookup
 	mock.ExpectQuery(`SELECT id, prefix, org_id FROM org_api_tokens WHERE token_hash = .* AND revoked_at IS NULL`).
@@ -2341,6 +2340,197 @@ func TestProxyA2A_PollMode_ShortCircuits_NoSSRF_NoDispatch(t *testing.T) {
 	}
 }

+// stubVerifiedCPSession points VerifiedCPSession at a stub control-plane that
+// confirms the given cookie belongs to a tenant-member, so tests can exercise
+// the genuine (non-forgeable) canvas-session path end-to-end without a live CP.
+// It sets CP_UPSTREAM_URL + MOLECULE_ORG_SLUG for the test's lifetime; the
+// real middleware.VerifiedCPSession HTTP+cache code path runs unchanged.
+func stubVerifiedCPSession(t *testing.T, member bool) {
+	t.Helper()
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		if member {
+			fmt.Fprint(w, `{"member":true,"user_id":"user-canvas-1"}`)
+		} else {
+			w.WriteHeader(http.StatusForbidden)
+			fmt.Fprint(w, `{"member":false}`)
+		}
+	}))
+	t.Cleanup(srv.Close)
+	t.Setenv("CP_UPSTREAM_URL", srv.URL)
+	t.Setenv("MOLECULE_ORG_SLUG", "test-tenant")
+}
+
+// TestProxyA2A_PollMode_CanvasUserWithVerifiedSession is the #1673 regression
+// guard. A poll-mode canvas-user identity workspace that HAS acquired live
+// tokens (the exact condition that made #1673 fire) sends a canvas message
+// carrying a control-plane-verified session cookie but no bearer token. The
+// fix must classify it as a canvas user BEFORE the HasAnyLiveToken peer-token
+// contract, so the request is queued (200) and logA2AReceiveQueued writes the
+// activity_logs row — instead of the pre-fix silent 401 that dropped the
+// message before any row landed (breaking canvas chat + chat-history).
+//
+// Runs in a subprocess with CANVAS_PROXY_URL set so middleware.canvasProxyActive
+// is true at package-init time (matching the combined-tenant image), proving the
+// fix does not depend on disabling same-origin detection.
+func TestProxyA2A_PollMode_CanvasUserWithVerifiedSession(t *testing.T) {
+	if os.Getenv("CANVAS_PROXY_URL") == "" {
+		cmd := exec.Command(os.Args[0], "-test.run=^TestProxyA2A_PollMode_CanvasUserWithVerifiedSession$", "-test.v")
+		cmd.Env = append(os.Environ(), "CANVAS_PROXY_URL=http://localhost")
+		out, err := cmd.CombinedOutput()
+		if err != nil {
+			t.Fatalf("subprocess test failed: %v\n%s", err, out)
+		}
+		return
+	}
+
+	stubVerifiedCPSession(t, true)
+
+	mock := setupTestDB(t)
+	setupTestRedis(t)
+	broadcaster := newTestBroadcaster()
+	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+
+	const wsTarget = "ws-poll-canvas-target"
+	const wsCanvasUser = "ws-canvas-user-344a"
+
+	// CRUCIAL: no SELECT COUNT(*) FROM workspace_auth_tokens expectation. The
+	// genuine-canvas-user check (verified session) must short-circuit BEFORE
+	// HasAnyLiveToken — that is the #1673 regression path. An identity
+	// workspace that already holds live tokens must NOT fall into the
+	// hasLive=true bearer-required branch.
+
+	// isCanvasUser=true → CanCommunicate is skipped (no parent_id lookups).
+	expectBudgetCheck(mock, wsTarget)
+	mock.ExpectQuery("SELECT delivery_mode FROM workspaces WHERE id").
+		WithArgs(wsTarget).
+		WillReturnRows(sqlmock.NewRows([]string{"delivery_mode"}).AddRow("poll"))
+	// logA2AReceiveQueued must fire synchronously and write the row.
+	mock.ExpectExec("INSERT INTO activity_logs").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: wsTarget}}
+
+	body := `{"jsonrpc":"2.0","id":"canvas-1","method":"message/send","params":{"message":{"role":"user","parts":[{"text":"hello from canvas"}]}}}`
+	req := httptest.NewRequest("POST", "/workspaces/"+wsTarget+"/a2a", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("X-Workspace-ID", wsCanvasUser)
+	// Verified canvas session cookie (the genuine, non-forgeable signal).
+	req.Header.Set("Cookie", "wos-session=valid-canvas-session-cookie")
+	// Same-origin headers, present as a real canvas request would send them —
+	// but they are NOT what authorizes the bypass here (the verified session is).
+	req.Host = "localhost"
+	req.Header.Set("Referer", "https://localhost/")
+	c.Request = req
+
+	handler.ProxyA2A(c)
+
+	time.Sleep(50 * time.Millisecond)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200 (queued) for canvas-user with verified session, got %d: %s", w.Code, w.Body.String())
+	}
+	var resp map[string]interface{}
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("response is not valid JSON: %v", err)
+	}
+	if resp["status"] != "queued" {
+		t.Errorf("response.status = %v, want %q", resp["status"], "queued")
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations (activity_logs row must be written): %v", err)
+	}
+}
+
+// TestProxyA2A_ForgedSameOrigin_CannotBypassCanCommunicate is the security
+// crux of the #1673 fix and the reason PR #1944 was held. In the combined-
+// tenant SaaS image (CANVAS_PROXY_URL set, CP session verification configured),
+// an attacker forges a same-origin request — correct Host + a matching
+// `Referer: https://<host>/` — and supplies an arbitrary X-Workspace-ID naming
+// a workspace it does not control, targeting a workspace it is NOT authorized
+// to reach. It presents NO verified session cookie, NO admin token, NO org
+// token.
+//
+// PR #1944's same-origin bypass would have classified this as a canvas user and
+// skipped CanCommunicate, granting cross-workspace A2A — a privilege
+// escalation. The safe fix must instead fall through to the standard
+// peer-token contract and CanCommunicate, which rejects the cross-hierarchy
+// call with 403. This test proves the escalation is closed.
+func TestProxyA2A_ForgedSameOrigin_CannotBypassCanCommunicate(t *testing.T) {
+	if os.Getenv("CANVAS_PROXY_URL") == "" {
+		cmd := exec.Command(os.Args[0], "-test.run=^TestProxyA2A_ForgedSameOrigin_CannotBypassCanCommunicate$", "-test.v")
+		cmd.Env = append(os.Environ(), "CANVAS_PROXY_URL=http://localhost")
+		out, err := cmd.CombinedOutput()
+		if err != nil {
+			t.Fatalf("subprocess test failed: %v\n%s", err, out)
+		}
+		return
+	}
+
+	// SaaS image with CP session verification configured. The stub CP rejects
+	// any cookie as a non-member; the attacker sends none anyway. This asserts
+	// that with verification configured, same-origin alone is NOT a canvas
+	// signal (CPSessionConfigured()==true disables the dev fallback).
+	stubVerifiedCPSession(t, false)
+
+	mock := setupTestDB(t)
+	setupTestRedis(t)
+	broadcaster := newTestBroadcaster()
+	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+
+	const wsTarget = "ws-victim-target"
+	const wsForgedCaller = "ws-attacker-caller"
+
+	// validateCallerToken: not a genuine canvas user (no verified session, no
+	// admin/org token, and the dev same-origin fallback is disabled in SaaS).
+	// So it consults the peer-token contract: HasAnyLiveToken for the forged
+	// caller. Return 0 → tokenless legacy peer → grandfathered through token
+	// validation (isCanvasUser stays false). The request must then still be
+	// gated by CanCommunicate.
+	mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens`).
+		WithArgs(wsForgedCaller).
+		WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(0))
+
+	// CanCommunicate MUST run (the escalation guard) and DENY: caller and
+	// target sit under different parents.
+	mockCanCommunicate(mock, wsForgedCaller, wsTarget, false)
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: wsTarget}}
+
+	body := `{"jsonrpc":"2.0","id":"exploit-1","method":"message/send","params":{"message":{"role":"user","parts":[{"text":"cross-workspace exploit"}]}}}`
+	req := httptest.NewRequest("POST", "/workspaces/"+wsTarget+"/a2a", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+	// Arbitrary caller workspace the attacker does not own.
+	req.Header.Set("X-Workspace-ID", wsForgedCaller)
+	// Forged same-origin signals (the #1944 bypass vector).
+	req.Host = "localhost"
+	req.Header.Set("Referer", "https://localhost/")
+	req.Header.Set("Origin", "https://localhost")
+	// No Cookie / Authorization — no genuine canvas credential.
+	c.Request = req
+
+	handler.ProxyA2A(c)
+
+	if w.Code != http.StatusForbidden {
+		t.Fatalf("ESCALATION NOT CLOSED: forged same-origin + arbitrary X-Workspace-ID "+
+			"reached an unauthorized target with status %d (want 403): %s", w.Code, w.Body.String())
+	}
+	var resp map[string]interface{}
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("body not JSON: %v", err)
+	}
+	if !strings.Contains(fmt.Sprint(resp["error"]), "access denied") {
+		t.Errorf("expected an access-denied error from CanCommunicate, got %v", resp["error"])
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations — CanCommunicate must have been consulted: %v", err)
+	}
+}
+
 // TestProxyA2A_PushMode_NoShortCircuit verifies the symmetric contract:
 // a push-mode workspace (default) is NOT affected by the new short-circuit.
 // It still proceeds to resolveAgentURL + dispatch. Without this guard, a
@@ -160,10 +160,12 @@ func EnqueueA2A(
 	}

 	// Return current queue depth for the caller's visibility.
-	_ = db.DB.QueryRowContext(ctx, `
+	if err := db.DB.QueryRowContext(ctx, `
 		SELECT COUNT(*) FROM a2a_queue
 		WHERE workspace_id = $1 AND status = 'queued'
-	`, workspaceID).Scan(&depth)
+	`, workspaceID).Scan(&depth); err != nil {
+		log.Printf("A2AQueue: depth query failed for workspace %s: %v", workspaceID, err)
+	}

 	log.Printf("A2AQueue: enqueued %s for workspace %s (priority=%d, depth=%d)", id, workspaceID, priority, depth)
 	return id, depth, nil
@@ -249,10 +251,12 @@ func MarkQueueItemFailed(ctx context.Context, id, errMsg string) {
 // can see how many ahead of them.
 func QueueDepth(ctx context.Context, workspaceID string) int {
 	var n int
-	_ = db.DB.QueryRowContext(ctx,
+	if err := db.DB.QueryRowContext(ctx,
 		`SELECT COUNT(*) FROM a2a_queue WHERE workspace_id = $1 AND status = 'queued'`,
 		workspaceID,
-	).Scan(&n)
+	).Scan(&n); err != nil {
+		log.Printf("A2AQueue: QueueDepth query failed for workspace %s: %v", workspaceID, err)
+	}
 	return n
 }

@@ -415,10 +419,14 @@ func (h *WorkspaceHandler) stitchDrainResponseToDelegation(ctx context.Context,
 		return
 	}
 	responseText := extractResponseText(respBody)
-	respJSON, _ := json.Marshal(map[string]interface{}{
+	respJSON, marshalErr := json.Marshal(map[string]interface{}{
 		"text":          responseText,
 		"delegation_id": delegationID,
 	})
+	if marshalErr != nil {
+		log.Printf("a2aQueue stitch %s: json.Marshal respJSON failed: %v", delegationID, marshalErr)
+		return
+	}
 	res, err := db.DB.ExecContext(ctx, `
 		UPDATE activity_logs
 		   SET status        = 'completed',
@@ -434,7 +442,12 @@ func (h *WorkspaceHandler) stitchDrainResponseToDelegation(ctx context.Context,
 		log.Printf("A2AQueue drain stitch: update failed for delegation %s: %v", delegationID, err)
 		return
 	}
-	if rows, _ := res.RowsAffected(); rows == 0 {
+	rows, err := res.RowsAffected()
+	if err != nil {
+		log.Printf("A2AQueue drain stitch: RowsAffected error for delegation %s: %v", delegationID, err)
+		return
+	}
+	if rows == 0 {
 		log.Printf("A2AQueue drain stitch: no delegate_result row for delegation %s (queued-row may not exist yet)", delegationID)
 		return
 	}
@@ -153,7 +153,15 @@ func queueRowAuthFields(ctx context.Context, queueID string) (callerID, workspac
 	if err != nil {
 		return "", "", err
 	}
-	return callerNS.String, workspaceNS.String, nil
+	callerID = ""
+	if callerNS.Valid {
+		callerID = callerNS.String
+	}
+	workspaceID = ""
+	if workspaceNS.Valid {
+		workspaceID = workspaceNS.String
+	}
+	return callerID, workspaceID, nil
 }

 // GetA2AQueueStatus handles GET /workspaces/:id/a2a/queue/:queue_id.
@@ -1,9 +1,62 @@
 package handlers

 import (
+	"context"
 	"testing"
+
+	"github.com/DATA-DOG/go-sqlmock"
 )

+// TestQueueRowAuthFields_NilSafeScan proves queueRowAuthFields returns empty
+// strings (not a panic / garbage) when the a2a_queue row has NULL caller_id
+// or workspace_id. Before the fix it dereferenced NullString.String directly,
+// which is only the zero value when Valid is false but masked the NULL-vs-""
+// distinction; the guard makes the intent explicit and safe.
+func TestQueueRowAuthFields_NilSafeScan(t *testing.T) {
+	mock := setupTestDB(t)
+	queueID := "queue-123"
+
+	mock.ExpectQuery(`SELECT caller_id, workspace_id FROM a2a_queue WHERE id = \$1`).
+		WithArgs(queueID).
+		WillReturnRows(sqlmock.NewRows([]string{"caller_id", "workspace_id"}).AddRow(nil, nil))
+
+	caller, workspace, err := queueRowAuthFields(context.Background(), queueID)
+	if err != nil {
+		t.Fatalf("queueRowAuthFields returned error: %v", err)
+	}
+	if caller != "" {
+		t.Errorf("callerID = %q, want empty string for NULL caller_id", caller)
+	}
+	if workspace != "" {
+		t.Errorf("workspaceID = %q, want empty string for NULL workspace_id", workspace)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Fatalf("unmet expectations: %v", err)
+	}
+}
+
+// TestQueueRowAuthFields_PopulatedRow confirms the non-NULL path still returns
+// the scanned values unchanged.
+func TestQueueRowAuthFields_PopulatedRow(t *testing.T) {
+	mock := setupTestDB(t)
+	queueID := "queue-456"
+
+	mock.ExpectQuery(`SELECT caller_id, workspace_id FROM a2a_queue WHERE id = \$1`).
+		WithArgs(queueID).
+		WillReturnRows(sqlmock.NewRows([]string{"caller_id", "workspace_id"}).AddRow("caller-x", "ws-y"))
+
+	caller, workspace, err := queueRowAuthFields(context.Background(), queueID)
+	if err != nil {
+		t.Fatalf("queueRowAuthFields returned error: %v", err)
+	}
+	if caller != "caller-x" || workspace != "ws-y" {
+		t.Fatalf("got caller=%q workspace=%q, want caller-x / ws-y", caller, workspace)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Fatalf("unmet expectations: %v", err)
+	}
+}
+
 // TestExtractExpiresInSeconds covers the JSON parser used at enqueue time
 // to honor a caller-specified TTL. Zero return = "no TTL" — caller leaves
 // expires_at NULL on the queue row.
@@ -164,7 +164,11 @@ func (w *AgentMessageWriter) Send(
 		}
 		respPayload["parts"] = fileParts
 	}
-	respJSON, _ := json.Marshal(respPayload)
+	respJSON, marshalErr := json.Marshal(respPayload)
+	if marshalErr != nil {
+		log.Printf("AgentMessageWriter %s: json.Marshal respPayload failed: %v", workspaceID, marshalErr)
+		return nil
+	}
 	preview := textutil.TruncateRunes(message, 80)
 	if _, err := w.db.ExecContext(ctx, `
 		INSERT INTO activity_logs (workspace_id, activity_type, method, summary, response_body, status)
--- a/Show More
+++ b/Show More