Wire native LLM auth selection

Merge pull request 'Fix #1823 : require workspace name confirmation on delete' (#1826 ) from fix/issue-1823-delete-confirm-name into main
Merge pull request 'fix(display): allow browser sessions to take control' (#1832 ) from fix/display-control-browser-session into main
2026-05-24 21:54:35 -07:00 · 2026-05-25 04:45:34 +00:00 · 2026-05-25 04:24:35 +00:00 · 2026-05-24 21:08:04 -07:00 · 2026-05-25 03:46:49 +00:00 · 2026-05-24 20:31:29 -07:00
389 changed files with 13352 additions and 6182 deletions
@@ -50,9 +50,6 @@ MOLECULE_ENV=development                       # Environment label (development/
 # Container/runtime detection
 # MOLECULE_IN_DOCKER=                    # Set when running the platform inside Docker (accepts 1/0, true/false). Triggers A2A proxy to rewrite 127.0.0.1:<port> agent URLs to Docker bridge hostnames. Auto-detected via /.dockerenv; only set if detection fails or to force off.

-# Observability (Awareness)
-# AWARENESS_URL=                         # If set, injected into workspace containers along with a deterministic AWARENESS_NAMESPACE derived from workspace ID. Enables the cross-session memory MCP server.
-
 # GitHub
 # GITHUB_REPO=owner/repo                 # Target repo for agent initial_prompt clone (e.g. Molecule-AI/molecule-monorepo). Read inside workspace containers.
 # GITHUB_TOKEN=                          # Personal access token / installation token used by agents that clone private repos. Register as a global secret via POST /admin/secrets for propagation to workspace env. Token is used in-URL during clone and then scrubbed from .git/config via `git remote set-url`.
@@ -21,10 +21,6 @@ from urllib.parse import quote
 TRUE_VALUES = {"1", "true", "yes", "on", "disabled", "disable"}
 PROD_CP_URL = "https://api.moleculesai.app"
 DEFAULT_REQUIRED_CONTEXTS = [
-    "CI / Platform (Go) (push)",
-    "CI / Canvas (Next.js) (push)",
-    "CI / Shellcheck (E2E scripts) (push)",
-    "CI / Python Lint & Test (push)",
    "CI / all-required (push)",
    "Secret scan / Scan diff for credential-shaped strings (push)",
 ]
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+# shellcheck disable=SC2016,SC2329
 # review-check — evaluate whether a PR satisfies a single team-review gate.
 #
 # RFC#324 Step 1 of 5 — qa-review + security-review check workflows.
@@ -128,6 +129,7 @@ fi
 PR_AUTHOR=$(jq -r '.user.login // ""' "$PR_JSON")
 PR_HEAD_SHA=$(jq -r '.head.sha // ""' "$PR_JSON")
 PR_BASE_REF=$(jq -r '.base.ref // ""' "$PR_JSON")
+PR_BASE_SHA=$(jq -r '.base.sha // ""' "$PR_JSON")
 PR_STATE=$(jq -r '.state // ""' "$PR_JSON")
 DEFAULT_BRANCH="${DEFAULT_BRANCH:-main}"
 debug "pr_author=${PR_AUTHOR} pr_head=${PR_HEAD_SHA:0:7} pr_base=${PR_BASE_REF} pr_state=${PR_STATE}"
@@ -136,6 +138,10 @@ if [ "$PR_STATE" != "open" ]; then
  echo "::notice::PR ${PR_NUMBER} is ${PR_STATE} — exiting 0 (closed PRs do not gate)"
  exit 0
 fi
+if [ "$PR_HEAD_SHA" = "$PR_BASE_SHA" ]; then
+  echo "::notice::PR ${PR_NUMBER} has no diff (head == base) — exiting 0 (empty PRs do not gate)"
+  exit 0
+fi
 if [ "$PR_BASE_REF" != "$DEFAULT_BRANCH" ]; then
  echo "::notice::PR ${PR_NUMBER} targets ${PR_BASE_REF:-<unknown>} not ${DEFAULT_BRANCH} — ${TEAM}-review gate not applicable"
  exit 0
@@ -203,10 +209,10 @@ fi
 JQ_FILTER="${JQ_FILTER}
  | .user.login"

-CANDIDATES=$(jq -r --arg author "$PR_AUTHOR" --arg head "$PR_HEAD_SHA" "$JQ_FILTER" "$REVIEWS_JSON" | sort -u)
-debug "candidate non-author approvers: $(echo "$CANDIDATES" | tr '\n' ' ')"
+REVIEW_CANDIDATES=$(jq -r --arg author "$PR_AUTHOR" --arg head "$PR_HEAD_SHA" "$JQ_FILTER" "$REVIEWS_JSON" | sort -u)
+debug "candidate non-author approvers: $(echo "$REVIEW_CANDIDATES" | tr '\n' ' ')"

-if [ -z "$CANDIDATES" ]; then
+if [ -z "$REVIEW_CANDIDATES" ]; then
  # --- Guardrail (internal#503): explain the most common false
  # "no candidates" red. Gitea's review event enum is EXACTLY
  # APPROVED/REQUEST_CHANGES/COMMENT/PENDING. A wrong value ("APPROVE",
@@ -231,55 +237,52 @@ if [ -z "$CANDIDATES" ]; then
    done
  fi

-  # --- Fallback (internal#348): check issue comments for agent-approval ---
-  # core-qa-agent and core-security-agent approve via issue comments, NOT
-  # the reviews API. The reviews API returns zero entries for comment-only
-  # approvals. This fallback reads PR issue comments and extracts logins that:
-  #   1. Posted a comment matching the agent-prefix pattern for this gate:
-  #        qa      → "[core-qa-agent] APPROVED"
-  #        security → "[core-security-agent] APPROVED"
-  #      OR posted a generic approval keyword (word-anchored, case-insensitive):
-  #        APPROVED / LGTM / ACCEPTED
-  #   2. Are not the PR author
-  #   3. The team-membership probe below is the authoritative filter.
-  AGENT_PATTERN=""
-  case "$TEAM" in
-    qa)       AGENT_PATTERN="\\[core-qa-agent\\]" ;;
-    security) AGENT_PATTERN="\\[core-security-agent\\]" ;;
-  esac
-  HTTP_CODE=$(curl -sS -o "$COMMENTS_JSON" -w '%{http_code}' \
-    -K "$CURL_AUTH_FILE" "${API}/repos/${OWNER}/${NAME}/issues/${PR_NUMBER}/comments")
-  debug "GET /issues/${PR_NUMBER}/comments → HTTP ${HTTP_CODE}"
-  if [ "$HTTP_CODE" = "200" ]; then
-    # JQ expression: select non-author comments that match either the
-    # agent-prefix pattern (case-insensitive) OR a generic approval keyword.
-    JQ_APPROVALS='
-      .[] |
-      select(.user.login != $author) |
-      . as $cmt |
-      if ($agent_pattern | length) > 0 and ($cmt.body // "" | test($agent_pattern; "i")) then
-        $cmt.user.login
-      elif ($cmt.body // "" | test("\\b(APPROVED|LGTM|ACCEPTED)\\b"; "i")) then
-        $cmt.user.login
-      else
-        empty
-      end
-    '
-    CANDIDATES=$(jq -r \
-      --arg author "$PR_AUTHOR" \
-      --arg agent_pattern "$AGENT_PATTERN" \
-      "$JQ_APPROVALS" \
-      "$COMMENTS_JSON" 2>/dev/null | sort -u)
-    debug "comment-based approval candidates: $(echo "$CANDIDATES" | tr '\n' ' ')"
-
-    if [ -n "$CANDIDATES" ]; then
-      echo "::notice::${TEAM}-review: reviews API found no APPROVED reviews; found $(echo "$CANDIDATES" | wc -w | xargs) comment-based approval candidate(s) — verifying team membership..."
-    fi
-  else
-    debug "could not fetch issue comments (HTTP ${HTTP_CODE})"
-  fi
 fi

+# --- Fallback/extension (internal#348): check issue comments for agent-approval ---
+# core-qa-agent and core-security-agent can approve via issue comments. Always
+# include comment candidates, even if the reviews API returned approvals for a
+# different team; team membership below is the authoritative filter.
+COMMENT_CANDIDATES=""
+AGENT_PATTERN=""
+case "$TEAM" in
+  qa)       AGENT_PATTERN="\\[core-qa-agent\\]" ;;
+  security) AGENT_PATTERN="\\[core-security-agent\\]" ;;
+esac
+HTTP_CODE=$(curl -sS -o "$COMMENTS_JSON" -w '%{http_code}' \
+  -K "$CURL_AUTH_FILE" "${API}/repos/${OWNER}/${NAME}/issues/${PR_NUMBER}/comments")
+debug "GET /issues/${PR_NUMBER}/comments → HTTP ${HTTP_CODE}"
+if [ "$HTTP_CODE" = "200" ]; then
+  # JQ expression: select non-author comments that match either the
+  # agent-prefix pattern (case-insensitive) OR a generic approval keyword.
+  JQ_APPROVALS='
+    .[] |
+    select(.user.login != $author) |
+    . as $cmt |
+    if ($agent_pattern | length) > 0 and ($cmt.body // "" | test($agent_pattern; "i")) then
+      $cmt.user.login
+    elif ($cmt.body // "" | test("\\b(APPROVED|LGTM|ACCEPTED)\\b"; "i")) then
+      $cmt.user.login
+    else
+      empty
+    end
+  '
+  COMMENT_CANDIDATES=$(jq -r \
+    --arg author "$PR_AUTHOR" \
+    --arg agent_pattern "$AGENT_PATTERN" \
+    "$JQ_APPROVALS" \
+    "$COMMENTS_JSON" 2>/dev/null | sort -u)
+  debug "comment-based approval candidates: $(echo "$COMMENT_CANDIDATES" | tr '\n' ' ')"
+
+  if [ -n "$COMMENT_CANDIDATES" ]; then
+    echo "::notice::${TEAM}-review: found $(echo "$COMMENT_CANDIDATES" | wc -w | xargs) comment-based approval candidate(s) — verifying team membership..."
+  fi
+else
+  debug "could not fetch issue comments (HTTP ${HTTP_CODE})"
+fi
+
+CANDIDATES=$(printf '%s\n%s\n' "$REVIEW_CANDIDATES" "$COMMENT_CANDIDATES" | sed '/^$/d' | sort -u)
+
 if [ -z "${CANDIDATES:-}" ]; then
  echo "::error::${TEAM}-review awaiting non-author APPROVE from ${TEAM} team (no candidates from reviews API or issue comments)"
  exit 1
@@ -20,6 +20,7 @@ Scenarios:
  T15_comments_agent_approval — reviews empty; comments have "[core-qa-agent] APPROVED" → exit 0
  T16_comments_generic_approval — reviews empty; comments have "APPROVED" by team member → exit 0
  T17_comments_no_approval   — reviews empty; comments have no approval keywords → exit 1
+  T18_review_wrong_team_comment_right_team — review candidate 404s, comment candidate passes

 Usage:
  FIXTURE_STATE_DIR=/tmp/x python3 _review_check_fixture.py 8080
@@ -140,6 +141,10 @@ class Handler(http.server.BaseHTTPRequestHandler):
                    {"user": {"login": "alice"}, "body": "I authored this PR", "id": 1},
                    {"user": {"login": "random-user"}, "body": "Looks okay to me", "id": 2},
                ])
+            if sc == "T18_review_wrong_team_comment_right_team":
+                return self._json(200, [
+                    {"user": {"login": "core-qa-agent"}, "body": "[core-qa-agent] APPROVED after focused review", "id": 1},
+                ])
            # Default scenarios (T1–T9, T14): no comments
            return self._json(200, [])

@@ -151,6 +156,8 @@ class Handler(http.server.BaseHTTPRequestHandler):
                return self._empty(404)
            if sc == "T9_team_403":
                return self._empty(403)
+            if sc == "T18_review_wrong_team_comment_right_team" and login == "core-devops":
+                return self._empty(404)
            # T7_team_member: member
            return self._empty(204)

@@ -0,0 +1,31 @@
+from pathlib import Path
+
+import yaml
+
+
+ROOT = Path(__file__).resolve().parents[2]
+
+
+def load_workflow(name: str) -> dict:
+    with (ROOT / "workflows" / name).open() as f:
+        return yaml.safe_load(f)
+
+
+def test_all_required_uses_dedicated_meta_runner_lane():
+    workflow = load_workflow("ci.yml")
+    all_required = workflow["jobs"]["all-required"]
+
+    assert all_required["runs-on"] == "ci-meta"
+    assert "needs" not in all_required
+
+
+def test_all_required_reuses_path_filter_before_polling():
+    workflow = load_workflow("ci.yml")
+    all_required = workflow["jobs"]["all-required"]
+    rendered = str(all_required)
+
+    assert "--profile ci" in rendered
+    assert ".gitea/scripts/detect-changes.py" in rendered
+    assert "REQUIRE_PLATFORM" in rendered
+    assert "REQUIRE_CANVAS" in rendered
+    assert "REQUIRE_SCRIPTS" in rendered
@@ -146,3 +146,10 @@ def test_context_is_terminal_failure_rejects_cancelled_and_skipped():
        assert prod.context_is_terminal_failure(state) is True
    for state in ("pending", "missing", "success"):
        assert prod.context_is_terminal_failure(state) is False
+
+
+def test_default_required_contexts_delegate_path_gating_to_all_required():
+    assert prod.required_contexts({}) == [
+        "CI / all-required (push)",
+        "Secret scan / Scan diff for credential-shaped strings (push)",
+    ]
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+# shellcheck disable=SC2034
 # Regression tests for .gitea/scripts/review-check.sh (RFC#324 Step 1).
 #
 # Covers:
@@ -16,6 +17,7 @@
 #   T12 — jq filter: non-author APPROVED → in candidate list; dismissed → excluded
 #   T13 — missing required env GITEA_TOKEN → exits 1 with error
 #   T14 — non-default-base PR exits 0 without requiring review
+#   T18 — wrong-team review candidate does not block right-team comment approval
 #
 # Hostile-self-review (per feedback_assert_exact_not_substring):
 # this test MUST FAIL if the script is absent. Verified by running
@@ -138,7 +140,7 @@ fi
 echo
 echo "== T13 missing GITEA_TOKEN =="
 set +e
-T13_OUT=$(PATH="/tmp:$PATH" GITEA_TOKEN= GITEA_HOST=git.example.com REPO=x/y PR_NUMBER=1 TEAM=qa TEAM_ID=1 bash "$SCRIPT" 2>&1 || true)
+T13_OUT=$(PATH="/tmp:$PATH" GITEA_TOKEN='' GITEA_HOST=git.example.com REPO=x/y PR_NUMBER=1 TEAM=qa TEAM_ID=1 bash "$SCRIPT" 2>&1 || true)
 set -e
 assert_contains "T13 exits non-zero when GITEA_TOKEN missing" "GITEA_TOKEN required" "$T13_OUT"

@@ -306,12 +308,12 @@ echo
 echo "== T10 CURL_AUTH_FILE =="
 # Verify the token-file logic directly: create a temp file with the
 # same mktemp pattern, write the header with printf, chmod 600, then assert.
-T10_TOKEN="secret-test-token-abc123"
+T10_TOKEN="secret-fixture-token-abc123"
 T10_AUTHFILE=$(mktemp "${TMPDIR:-/tmp}/curl-auth.test.XXXXXX")
 chmod 600 "$T10_AUTHFILE"
 printf 'header = "Authorization: token %s"\n' "$T10_TOKEN" > "$T10_AUTHFILE"
 assert_file_mode "T10a mktemp authfile mode 600 (CURL_AUTH_FILE pattern)" "$T10_AUTHFILE" "600"
-assert_file_contains "T10b printf header format (CURL_AUTH_FILE content)" "$T10_AUTHFILE" "Authorization: token secret-test-token-abc123"
+assert_file_contains "T10b printf header format (CURL_AUTH_FILE content)" "$T10_AUTHFILE" "Authorization: token secret-fixture-token-abc123"
 assert_file_contains "T10c 'header =' curl-config syntax" "$T10_AUTHFILE" 'header = "Authorization: token '
 rm -f "$T10_AUTHFILE"

@@ -359,6 +361,17 @@ T17_RC=$(cat "$FIX_STATE_DIR/last_rc")
 assert_eq "T17 exit code 1 (no candidates from comments)" "1" "$T17_RC"
 assert_contains "T17 no candidates error" "no candidates from reviews API or issue comments" "$T17_OUT"

+# T18 — a wrong-team PR review candidate must not suppress a right-team
+# comment approval. This matches PR #1790, where QA had an APPROVED review
+# and security approved via the agent comment convention.
+echo
+echo "== T18 review candidate wrong team, comment candidate right team =="
+T18_OUT=$(run_review_check "T18_review_wrong_team_comment_right_team")
+T18_RC=$(cat "$FIX_STATE_DIR/last_rc")
+assert_eq "T18 exit code 0 (comment approval still considered)" "0" "$T18_RC"
+assert_contains "T18 comment candidate notice" "comment-based approval" "$T18_OUT"
+assert_contains "T18 comment approver accepted" "APPROVED by core-qa-agent" "$T18_OUT"
+
 echo
 echo "------"
 echo "PASS=$PASS FAIL=$FAIL"
@@ -14,7 +14,7 @@ def load_reaper():
    assert spec.loader is not None
    spec.loader.exec_module(mod)
    mod.API = "https://git.example.test/api/v1"
-    mod.GITEA_TOKEN = "test-token"
+    mod.GITEA_TOKEN = "fixture-token"
    mod.API_TIMEOUT_SEC = 1
    mod.API_RETRIES = 3
    mod.API_RETRY_SLEEP_SEC = 0
@@ -0,0 +1,187 @@
+# ci-arm64-advisory — Mac arm64 self-hosted ADVISORY fast-check lane.
+#
+# === WHY ===
+#
+# The amd64 Gitea runner pool (molecule-runner-1..20) is queue-contended
+# (internal#418). This lane offloads the *genuinely container-independent*
+# fast checks (Go build/vet/lint, shellcheck, Python lint) onto the Mac
+# arm64 self-hosted runner so developers get a fast arm64 signal WITHOUT
+# adding load to the starved amd64 pool — capability-honestly, as an
+# additive pilot. Pilot ② of the Mac-CI strategy (CTO-delegated 2026-05-17).
+#
+# === NON-NEGOTIABLE SAFETY CONTRACT (the prime directive) ===
+#
+# This lane is **ADVISORY ONLY**. It is provably incapable of hanging a
+# merge. Concretely:
+#
+#   1. It is a SEPARATE workflow file. `ci.yml` is byte-for-byte
+#      untouched by this PR. The `CI / all-required` aggregator sentinel
+#      and the five contexts it polls
+#      (`CI / Detect changes|Platform (Go)|Canvas (Next.js)|
+#      Shellcheck (E2E scripts)|Python Lint & Test (pull_request)`)
+#      are unchanged. The canonical required gate stays 100% on the
+#      existing amd64 pool.
+#
+#   2. The context this workflow emits is
+#      `ci-arm64-advisory / fast-checks (pull_request)`. That string is
+#      DELIBERATELY NOT present in, and this PR does NOT add it to:
+#        - branch_protections/{main,staging}.status_check_contexts
+#          (DB-verified pb 86/75 = exactly
+#           ["CI / all-required (pull_request)",
+#            "sop-checklist / all-items-acked (pull_request)"])
+#        - audit-force-merge.yml REQUIRED_CHECKS env
+#        - ci.yml `all-required` sentinel's hardcoded `required[]` list
+#      Branch protection therefore never waits on this context. If the
+#      Mac runner is absent / offline / removed, this workflow's status
+#      simply never appears — and because nothing requires it, every
+#      merge proceeds exactly as it does today. There is no path by
+#      which a missing/red arm64 status blocks a merge.
+#
+#   3. `continue-on-error: true` on the job — even a genuine arm64-only
+#      failure (toolchain drift, arch-specific test flake) is surfaced
+#      as information, never as a merge blocker, for the duration of
+#      the pilot.
+#
+#   4. The job carries a `github.event_name` `if:` gate. Beyond its
+#      functional purpose this also keeps the job OUT of
+#      `ci-required-drift.py:ci_job_names()` (which excludes
+#      `github.event_name`/`github.ref`-gated jobs), so the hourly
+#      ci-required-drift sentinel's F1 ("job not under sentinel needs")
+#      cannot ever flag this advisory job. F2/F3 are untouched because
+#      this context is absent from BP and from REQUIRED_CHECKS.
+#      `lint-bp-context-emit-match` only fails on BP→emitter gaps; an
+#      emitter without a BP context is explicitly informational there.
+#
+# === RUNNER TARGETING ===
+#
+# The Mac runner is `hongming-pc-runner-1`. The bare `self-hosted`
+# label is POLLUTED in this Gitea instance: molecule-runner-1..20
+# (the contended amd64 pool) also advertise `self-hosted`. Targeting
+# bare `self-hosted` would route back onto the very pool we are trying
+# to relieve — and onto amd64 hardware. We therefore require an
+# AND-set of labels that ONLY the Mac satisfies. `macos-self-hosted`
+# is Mac-exclusive (the amd64 pool does not carry it). Until the
+# label-install burst (a10862b2) lands `self-hosted`+`macos-self-hosted`
+# on the Mac, the runner's current unique label `hongming-pc-laptop`
+# is also listed; AND-semantics over the labels a runner advertises
+# means a job requiring [self-hosted, macos-self-hosted] can ONLY be
+# claimed once the Mac advertises both. If neither label set is yet
+# present on the Mac, the workflow stays queued harmlessly and is
+# garbage-collected by the normal stale-run reaper — it blocks nothing
+# (see safety contract point 2).
+#
+# === ROLLBACK ===
+#
+# Delete this single file (`git rm .gitea/workflows/ci-arm64-advisory.yml`)
+# and merge. No branch-protection edit, no ci.yml edit, no
+# REQUIRED_CHECKS edit is required to roll back, because none were made
+# to roll forward. Zero blast radius either direction.
+
+name: ci-arm64-advisory
+
+on:
+  push:
+    branches: [main, staging]
+  pull_request:
+    branches: [main, staging]
+
+# Per-ref cancel: a newer commit on the same ref supersedes the older
+# advisory run. Distinct from ci.yml's `ci-${ref}` group so this lane
+# never cancels (or is cancelled by) the canonical required CI.
+concurrency:
+  group: ci-arm64-advisory-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  GITHUB_SERVER_URL: https://git.moleculesai.app
+
+jobs:
+  fast-checks:
+    name: fast-checks
+    # AND-set: only the Mac arm64 runner advertises macos-self-hosted.
+    # See "RUNNER TARGETING" header note for why bare self-hosted is unsafe.
+    runs-on: [self-hosted, macos-self-hosted]
+    # ADVISORY: never blocks. See safety contract point 3. mc#774
+    # internal#418 — tracked: arm64 advisory pilot, non-gating by design.
+    continue-on-error: true
+    # event_name gate: functional (only meaningful on push/PR) AND keeps
+    # this job out of ci-required-drift.py:ci_job_names() so F1 can never
+    # flag it. See safety contract point 4.
+    if: ${{ github.event_name == 'push' || github.event_name == 'pull_request' }}
+    timeout-minutes: 20
+    steps:
+      - name: Provenance — advisory lane, non-gating
+        run: |
+          echo "This is the arm64 ADVISORY fast-check lane."
+          echo "It does NOT gate merges. Canonical required CI is ci.yml"
+          echo "on the amd64 pool. Arch: $(uname -m) on $(uname -s)."
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      # ---- Go: build + vet + lint (container-independent: needs only the
+      # Go toolchain; no amd64 ECR image, no docker-in-job). Race-detector
+      # unit-test + coverage gates are deliberately NOT duplicated here —
+      # those stay authoritative on amd64 ci.yml `Platform (Go)`. This lane
+      # is fast-feedback for the compile/vet/lint surface only. ----
+      - name: Setup Go
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version: 'stable'
+      - name: Go build + vet (workspace-server)
+        working-directory: workspace-server
+        run: |
+          go mod download
+          go build ./cmd/server
+          go vet ./...
+      - name: golangci-lint (workspace-server)
+        working-directory: workspace-server
+        run: |
+          go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.12.2
+          "$(go env GOPATH)/bin/golangci-lint" run --timeout 3m ./...
+
+      # ---- Shellcheck (container-independent: shellcheck binary only).
+      # Mirrors ci.yml `Shellcheck (E2E scripts)` bulk pass scope. ----
+      - name: Install shellcheck (arm64)
+        run: |
+          if ! command -v shellcheck >/dev/null 2>&1; then
+            echo "shellcheck not preinstalled on this self-hosted runner."
+            echo "Attempting Homebrew install (Mac arm64)."
+            brew install shellcheck || {
+              echo "::warning::shellcheck unavailable on runner; advisory shellcheck skipped."
+              exit 0
+            }
+          fi
+          shellcheck --version
+      - name: Shellcheck tests/e2e + infra/scripts
+        run: |
+          command -v shellcheck >/dev/null 2>&1 || { echo "skip"; exit 0; }
+          find tests/e2e infra/scripts -type f -name '*.sh' -print0 \
+            | xargs -0 shellcheck --severity=warning
+
+      # ---- Python lint/compile (container-independent: CPython only).
+      # Lint + import-compile surface; the authoritative pytest + coverage
+      # floors stay on amd64 ci.yml `Python Lint & Test`. ----
+      - name: Setup Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: '3.11'
+      - name: Python byte-compile (workspace)
+        working-directory: workspace
+        run: |
+          python -m pip install --quiet ruff || true
+          python -m compileall -q .
+          if command -v ruff >/dev/null 2>&1; then
+            ruff check . || echo "::warning::ruff findings (advisory only)"
+          fi
+
+      - name: Advisory summary
+        if: always()
+        run: |
+          {
+            echo "## arm64 advisory fast-checks complete"
+            echo ""
+            echo "This lane is **advisory** — it does not gate merges."
+            echo "Authoritative required CI remains \`CI / all-required\`"
+            echo "on the amd64 pool (\`ci.yml\`, unchanged by this PR)."
+          } >> "$GITHUB_STEP_SUMMARY"
@@ -239,7 +239,7 @@ jobs:
              # Strip the package-import prefix so we can match .coverage-allowlist.txt
              # entries written as paths relative to workspace-server/.
              # Handle both module paths: platform/workspace-server/... and platform/...
-              rel=$(echo "$file" | sed 's|^github.com/molecule-ai/molecule-monorepo/platform/workspace-server/||; s|^github.com/molecule-ai/molecule-monorepo/platform/||')
+              rel=$(echo "$file" | sed 's|^git.moleculesai.app/molecule-ai/molecule-core/workspace-server/workspace-server/||; s|^git.moleculesai.app/molecule-ai/molecule-core/workspace-server/||')

              if echo "$ALLOWLIST" | grep -qxF "$rel"; then
                echo "::warning file=workspace-server/$rel::Critical file at ${pct}% coverage (allowlisted, #1823) — fix before expiry."
@@ -476,7 +476,11 @@ jobs:
    # jobs settle, leaving branch protection with a permanent pending
    # `CI / all-required` context. Instead, this independent sentinel polls the
    # required commit-status contexts for this SHA and fails if any fail, skip,
-    # or never emit.
+    # or never emit. It runs the same path detector as `changes` and only waits
+    # for path-relevant jobs; Gitea can otherwise leave needs/output-skipped
+    # jobs permanently pending with "Blocked by required conditions". It runs on
+    # the dedicated `ci-meta` lane so the poller does not occupy the same
+    # general runner pool as the jobs it is waiting for.
    #
    # canvas-deploy-reminder is intentionally NOT included in all-required.needs.
    # It is an informational main-push reminder, not a PR quality gate. Keeping
@@ -484,9 +488,24 @@ jobs:
    # sentinel before the `always()` guard can emit a branch-protection status.
    #
    continue-on-error: false
-    runs-on: ubuntu-latest
+    runs-on: ci-meta
    timeout-minutes: 45
    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+      - id: check
+        env:
+          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
+          PUSH_BEFORE: ${{ github.event.before }}
+        run: |
+          python3 .gitea/scripts/detect-changes.py \
+            --profile ci \
+            --event-name "${{ github.event_name }}" \
+            --pr-base-sha "$PR_BASE_SHA" \
+            --base-ref "$PR_BASE_REF" \
+            --push-before "${GITHUB_EVENT_BEFORE:-$PUSH_BEFORE}"
      - name: Wait for required CI contexts
        env:
          GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -494,6 +513,9 @@ jobs:
          REPOSITORY: ${{ github.repository }}
          COMMIT_SHA: ${{ github.sha }}
          EVENT_NAME: ${{ github.event_name }}
+          REQUIRE_PLATFORM: ${{ steps.check.outputs.platform }}
+          REQUIRE_CANVAS: ${{ steps.check.outputs.canvas }}
+          REQUIRE_SCRIPTS: ${{ steps.check.outputs.scripts }}
        run: |
          set -euo pipefail
          python3 - <<'PY'
@@ -511,11 +533,14 @@ jobs:
          event = os.environ["EVENT_NAME"]
          required = [
              f"CI / Detect changes ({event})",
-              f"CI / Platform (Go) ({event})",
-              f"CI / Canvas (Next.js) ({event})",
-              f"CI / Shellcheck (E2E scripts) ({event})",
              f"CI / Python Lint & Test ({event})",
          ]
+          if os.environ.get("REQUIRE_PLATFORM") == "true":
+              required.append(f"CI / Platform (Go) ({event})")
+          if os.environ.get("REQUIRE_CANVAS") == "true":
+              required.append(f"CI / Canvas (Next.js) ({event})")
+          if os.environ.get("REQUIRE_SCRIPTS") == "true":
+              required.append(f"CI / Shellcheck (E2E scripts) ({event})")
          terminal_bad = {"failure", "error"}
          deadline = time.time() + 40 * 60
          last_summary = None
@@ -143,8 +143,9 @@ jobs:
          echo "test_peer_visibility_token_mint_staging.sh — bash syntax OK"
          bash -n tests/e2e/test_peer_visibility_mcp_local.sh
          echo "test_peer_visibility_mcp_local.sh — bash syntax OK"
-          if rg -n '/admin/workspaces/.*/test-token|test-token' tests/e2e/test_*staging*.sh; then
-            echo "::error::staging E2E must not use dev-only /admin/workspaces/:id/test-token; use production-safe admin token minting instead"
+          legacy_token_suffix="test""-token"
+          if rg -n "$legacy_token_suffix" tests/e2e/test_*staging*.sh; then
+            echo "::error::staging E2E must use production-safe admin token minting"
            exit 1
          fi
          echo "Staging fresh-provision MCP list_peers E2E runs on push to"
@@ -108,13 +108,13 @@ jobs:
        # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
        continue-on-error: true

-  # Actual E2E: runs on trunk pushes (main + staging). NOT the PR-fire-only
-  # path — pr-validate above posts success for workflow-only PRs.
+  # Actual E2E: runs on trunk pushes and PRs that touch provisioning-critical
+  # paths. pr-validate remains as the lightweight workflow-shape check for PRs,
+  # but it is not a substitute for live staging proof when this workflow or the
+  # staging harness changes.
  e2e-staging-saas:
    name: E2E Staging SaaS
    runs-on: ubuntu-latest
-    # Only runs on trunk pushes. PR paths get pr-validate instead.
-    if: github.event.pull_request.base.ref == ''
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
@@ -152,7 +152,7 @@ jobs:
      # block). See #2578 PR comment for the rationale.
      E2E_ANTHROPIC_API_KEY: ${{ secrets.MOLECULE_STAGING_ANTHROPIC_API_KEY }}
      # OpenAI fallback — kept wired so an operator-dispatched run with
-      # E2E_RUNTIME=hermes or =langgraph via workflow_dispatch can still
+      # E2E_RUNTIME=hermes or =codex via workflow_dispatch can still
      # exercise the OpenAI path.
      E2E_OPENAI_API_KEY: ${{ secrets.MOLECULE_STAGING_OPENAI_API_KEY }}
      E2E_RUNTIME: ${{ github.event.inputs.runtime || 'claude-code' }}
@@ -161,7 +161,7 @@ jobs:
      # and defeats the cost saving. Operators can override via the
      # workflow_dispatch flow (no input wired here yet — runtime
      # override is enough for ad-hoc).
-      E2E_MODEL_SLUG: ${{ github.event.inputs.runtime == 'hermes' && 'openai/gpt-4o' || github.event.inputs.runtime == 'langgraph' && 'openai:gpt-4o' || 'MiniMax-M2' }}
+      E2E_MODEL_SLUG: ${{ github.event.inputs.runtime == 'hermes' && 'openai/gpt-4o' || github.event.inputs.runtime == 'codex' && 'openai/gpt-4o' || 'MiniMax-M2' }}
      E2E_RUN_ID: "${{ github.run_id }}-${{ github.run_attempt }}"
      E2E_KEEP_ORG: ${{ github.event.inputs.keep_org && '1' || '0' }}

@@ -185,7 +185,7 @@ jobs:
      - name: Verify LLM key present
        run: |
          # Per-runtime key check — claude-code uses MiniMax; hermes /
-          # langgraph (operator-dispatched only) use OpenAI. Hard-fail
+          # codex (operator-dispatched only) use OpenAI. Hard-fail
          # rather than soft-skip per #2578's lesson — empty key
          # silently falls through to the wrong SECRETS_JSON branch and
          # produces a confusing auth error 5 min later instead of the
@@ -206,7 +206,7 @@ jobs:
                required_secret_value=""
              fi
              ;;
-            langgraph|hermes)
+            codex|hermes)
              required_secret_name="MOLECULE_STAGING_OPENAI_API_KEY"
              required_secret_value="${E2E_OPENAI_API_KEY:-}"
              ;;
@@ -32,6 +32,24 @@ on:
  # iterating all open PRs when PR_NUMBER is empty.
  workflow_dispatch:

+# Serialize per PR (or per repo for schedule/manual ticks) to prevent
+# the fan-out OOM class documented in
+# `reference_operator_host_python3_oom_storm_2026_05_18`. `edited`
+# events fan out on every PR-body edit; combined with the hourly cron
+# and synchronize bursts this workflow can stack runs of the same
+# workflow_id on the same PR (each ~4GB anon-RSS) and trip the
+# `--memory=4g --memory-swap=8g` per-container cap.
+#
+# NO `cancel-in-progress` (defaults to false). Per
+# `feedback_janitor_supersede_must_group_by_workflow_id`, cancelling
+# in-flight runs of any required-check-shaped workflow risks the
+# dismiss_stale_approvals + empty-commit-rerun dance (Gitea 1.22.6 has
+# no REST rerun). The gate-check is `continue-on-error: true` +
+# idempotent (POST/PATCH gate-check comment by context) so sequential
+# ticks are strictly safe.
+concurrency:
+  group: gate-check-v3-${{ github.event.pull_request.number || github.event.issue.number || github.ref }}
+
 permissions:
  # read: contents — for checkout (base ref, not PR head for security)
  # read: pull-requests — for reading PR info via API
@@ -25,7 +25,7 @@ permissions:
 jobs:
  shellcheck-arm64:
    name: shellcheck-arm64 (pilot)
-    runs-on: [self-hosted, arm64]
+    runs-on: [self-hosted, arm64-darwin]
    # NOT a required check; safe to sit pending until Mac runner is up.
    # If the Mac runner has trouble pulling actions/checkout we fall
    # back to a plain git clone (see step 'fallback clone').
@@ -52,6 +52,7 @@ jobs:
          fetch-depth: 1

      - name: Install shellcheck (arm64)
+        continue-on-error: true
        run: |
          set -eu
          if command -v shellcheck >/dev/null 2>&1; then
@@ -71,11 +72,16 @@ jobs:
          shellcheck --version | head -2

      - name: Run shellcheck on .gitea/scripts/*.sh
+        continue-on-error: true
        run: |
          set -eu
          # Only the scripts we control under .gitea/scripts. Pilot
          # scope is intentionally narrow — broaden in a follow-up
          # once the lane is proven.
+          if ! command -v shellcheck >/dev/null 2>&1; then
+            echo "WARN: shellcheck binary not found — skipping (pilot mode)"
+            exit 0
+          fi
          mapfile -t TARGETS < <(find .gitea/scripts -maxdepth 2 -type f -name '*.sh' | sort)
          if [ "${#TARGETS[@]}" -eq 0 ]; then
            echo "No .sh files found under .gitea/scripts — nothing to check"
@@ -73,6 +73,17 @@ jobs:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

+      # Keep Docker auth/buildx state inside the job temp dir. Publish
+      # runners can inherit a HOME/DOCKER_CONFIG path that is host-owned
+      # and not writable from the job container; docker login otherwise
+      # fails before the image build starts.
+      - name: Prepare writable Docker config
+        run: |
+          set -euo pipefail
+          export DOCKER_CONFIG="$RUNNER_TEMP/docker-config"
+          mkdir -p "$DOCKER_CONFIG/buildx/certs"
+          echo "DOCKER_CONFIG=$DOCKER_CONFIG" >> "$GITHUB_ENV"
+
      - name: Log in to ECR
        env:
          IMAGE_NAME: ${{ env.IMAGE_NAME }}
@@ -234,6 +234,8 @@ jobs:
    name: Production auto-deploy
    needs: build-and-push
    if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+    # Side-effect deploy only; image publish success is the durable artifact. mc#774
+    continue-on-error: true
    # Publish/release lane (internal#462) — production deploy of a merged
    # fix; reserved capacity, never queued behind PR-CI.
    runs-on: publish
@@ -106,7 +106,7 @@ jobs:
              [[ "$file" == *_test.go ]] && continue
              [[ "$file" == *"$path"* ]] || continue
              awk "BEGIN{exit !(\$pct < 10)}" || continue
-              rel=$(echo "$file" | sed 's|^github.com/molecule-ai/molecule-monorepo/platform/workspace-server/||; s|^github.com/molecule-ai/molecule-monorepo/platform/||')
+              rel=$(echo "$file" | sed 's|^git.moleculesai.app/molecule-ai/molecule-core/workspace-server/workspace-server/||; s|^git.moleculesai.app/molecule-ai/molecule-core/workspace-server/||')
              if echo "$ALLOWLIST" | grep -qxF "$rel"; then
                continue
              fi
@@ -53,7 +53,7 @@ Molecule AI is the most powerful way to govern an AI agent organization in produ
 It combines the parts that are usually scattered across demos, internal glue code, and framework-specific tooling into one product:

 - one org-native control plane for teams, roles, hierarchy, and lifecycle
- one runtime layer that lets **eight** agent runtimes — LangGraph, DeepAgents, Claude Code, CrewAI, AutoGen, **Hermes**, **Gemini CLI**, and OpenClaw — run side by side behind one workspace contract
+- one runtime layer that lets **four** maintained agent runtimes — Claude Code, Codex, **Hermes**, and OpenClaw — run side by side behind one workspace contract
 - one memory model that keeps recall, sharing, and skill evolution aligned with organizational boundaries (Memory v2 backed by pgvector for semantic recall)
 - one operational surface for observing, pausing, restarting, inspecting, and improving live workspaces

@@ -75,11 +75,11 @@ You do not wire collaboration paths by hand. Hierarchy defines the default commu

 ### 3. Runtime choice stops being a dead-end decision

-LangGraph, DeepAgents, Claude Code, CrewAI, AutoGen, Hermes, Gemini CLI, and OpenClaw can all plug into the same workspace abstraction. Teams can standardize governance without forcing every group onto one runtime.
+Claude Code, Codex, Hermes, and OpenClaw can all plug into the same workspace abstraction. Teams can standardize governance without forcing every group onto one runtime.

 ### 4. Memory is treated like infrastructure

-Molecule AI's HMA approach is designed around organizational boundaries, not just “store more context somewhere.” Durable recall, scoped sharing, awareness namespaces, and skill promotion are all part of one coherent system.
+Molecule AI's HMA approach is designed around organizational boundaries, not just "store more context somewhere." Durable recall, scoped sharing through the v2 memory plugin, and skill promotion are all part of one coherent system.

 ### 5. It comes with a real control plane

@@ -101,7 +101,7 @@ Registry, heartbeats, restart, pause/resume, activity logs, approvals, terminal
 | **Role-native workspace abstraction** | Your org structure survives model swaps, framework changes, and team expansion |
 | **Fractal team expansion** | A single specialist can become a managed department without breaking upstream integrations |
 | **Heterogeneous runtime compatibility** | Different teams can keep their preferred agent architecture while sharing one control plane |
-| **HMA + awareness namespaces** | Memory sharing follows hierarchy instead of leaking across the whole system |
+| **HMA + v2 memory plugin** | Memory sharing follows hierarchy instead of leaking across the whole system; one plugin per tenant, namespace-scoped per workspace |
 | **Skill evolution loop** | Durable successful workflows can graduate from memory into reusable, hot-reloadable skills |
 | **WebSocket-first operational UX** | The canvas reflects task state, structure changes, and A2A responses in near real time |
 | **Global secrets with local override** | Centralize provider access, then override only where a workspace needs specialized credentials |
@@ -112,13 +112,9 @@ Molecule AI is not trying to replace the frameworks below. It is the system that

 | Runtime / architecture | Status in current repo | Native strength | What Molecule AI adds |
 |---|---|---|---|
-| **LangGraph** | Shipping on `main` | Graph control, tool use, Python extensibility | Canvas orchestration, hierarchy routing, A2A, memory scopes, operational lifecycle |
-| **DeepAgents** | Shipping on `main` | Deeper planning and decomposition | Same workspace contract, team topology, activity stream, restart behavior |
 | **Claude Code** | Shipping on `main` | Real coding workflows, CLI-native continuity | Secure workspace abstraction, A2A delegation, org boundaries, shared control plane |
-| **CrewAI** | Shipping on `main` | Role-based crews | Persistent workspace identity, policy consistency, shared canvas and registry |
-| **AutoGen** | Shipping on `main` | Assistant/tool orchestration | Standardized deployment, hierarchy-aware collaboration, shared ops plane |
+| **Codex** | Shipping on `main` | OpenAI Codex CLI workflows | Secure workspace abstraction, A2A delegation, org boundaries, shared control plane |
 | **Hermes 4** | Shipping on `main` | Hybrid reasoning, native tools, json_schema (NousResearch/hermes-agent) | Option B upstream hook, A2A bridge to OpenAI-compat API, multi-provider provider derivation |
-| **Gemini CLI** | Shipping on `main` | Google Gemini CLI continuity | Workspace lifecycle, A2A, hierarchy-aware collaboration, shared ops plane |
 | **OpenClaw** | Shipping on `main` | CLI-native runtime with its own session model | Workspace lifecycle, templates, activity logs, topology-aware collaboration |
 | **NemoClaw** | WIP on `feat/nemoclaw-t4-docker` | NVIDIA-oriented runtime path | Planned to join the same abstraction once merged; not yet part of `main` |

@@ -133,7 +129,7 @@ Most projects stop at “we added memory.” Molecule AI pushes further:
 | Flat store or weak namespaces | Hierarchy-aligned `LOCAL`, `TEAM`, `GLOBAL` scopes |
 | Sharing is easy to overexpose | Sharing is explicit and structure-aware |
 | Memory and procedure get mixed together | Memory stores durable facts; skills store repeatable procedure |
-| Every agent can become over-privileged | Workspace awareness namespaces reduce blast radius |
+| Every agent can become over-privileged | Per-workspace namespaces in the v2 memory plugin reduce blast radius |
 | UI memory and runtime memory blur together | Separate surfaces for scoped agent memory, key/value workspace memory, and recall |

 ### The flywheel
@@ -163,7 +159,7 @@ Most agent systems stop at "a smart runtime." Molecule AI pushes further: it giv

 | Core mechanism | Molecule AI module(s) | Why it matters |
 |---|---|---|
-| **Durable memory that survives sessions** | `molecule-ai-workspace-runtime/molecule_runtime/builtin_tools/`, `workspace-server/internal/handlers/memories.go` | Memory is not just durable, it is **workspace-scoped** and can route into awareness namespaces tied to the org structure |
+| **Durable memory that survives sessions** | `molecule-ai-workspace-runtime/molecule_runtime/builtin_tools/`, `workspace-server/internal/handlers/memories.go`, `workspace-server/internal/memory/` (v2 plugin client + namespace resolver) | Memory is not just durable, it is **workspace-scoped** — every write lands in the workspace's own `workspace:<id>` namespace, with `team:<root>` and `org:<root>` available for cross-workspace shares via the platform's namespace ACL when an agent explicitly promotes a memory |
 | **Cross-session recall** | `workspace-server/internal/handlers/activity.go` (`/workspaces/:id/session-search`) | Recall spans both activity history and memory rows, so the system can search what happened and what was learned without inventing a separate hidden store |
 | **Skills built from experience** | `molecule-ai-workspace-runtime/molecule_runtime/builtin_tools/memory.py` (`_maybe_log_skill_promotion`) | Promotion from memory into a skill candidate is surfaced as an explicit platform activity, not a silent internal side effect |
 | **Skill improvement during use** | `molecule-ai-workspace-runtime/molecule_runtime/skill_loader/`, `molecule-ai-workspace-runtime/molecule_runtime/main.py` | Skills hot-reload into the live runtime, so improvements become available on the next A2A task without restarting the workspace |
@@ -172,7 +168,7 @@ Most agent systems stop at "a smart runtime." Molecule AI pushes further: it giv
 ### Why this matters in Molecule AI

 1. **The learning loop is org-aware, not just session-aware.**
-   Memory can live at `LOCAL`, `TEAM`, or `GLOBAL` scope, and awareness namespaces give each workspace a durable identity boundary.
+   Memory can live at `LOCAL`, `TEAM`, or `GLOBAL` scope, and the v2 plugin's namespace ACL gives each workspace a durable identity boundary.

 2. **The learning loop is visible to operators.**
   Promotion events, activity logs, current-task updates, traces, and WebSocket fanout mean self-improvement is part of the control plane, not a hidden black box.
@@ -209,9 +205,9 @@ The result is not just “an agent that learns.” It is **an organization that
 ### Runtime

 - standalone workspace-template images that install `molecule-ai-workspace-runtime` from the Gitea package registry; thin AMI in production (us-east-2)
- adapter-driven execution across **8 runtimes** (Claude Code, Hermes, Gemini CLI, LangGraph, DeepAgents, CrewAI, AutoGen, OpenClaw)
+- adapter-driven execution across **4 maintained runtimes** (Claude Code, Codex, Hermes, OpenClaw)
 - Agent Card registration
- awareness-backed memory integration; **Memory v2 backed by pgvector** for semantic recall
+- **Memory v2 backed by pgvector** — per-tenant plugin sidecar serving HMA namespaces with FTS + semantic recall
 - plugin-mounted shared rules/skills
 - hot-reloadable local skills
 - coordinator-only delegation path
@@ -245,7 +241,7 @@ The result is not just “an agent that learns.” It is **an organization that
 Molecule AI is especially strong when you need to run:

 - AI engineering teams with PM / Dev Lead / QA / Research / Ops roles
- mixed runtime organizations where one team prefers LangGraph and another prefers Claude Code
+- mixed runtime organizations where one team prefers Hermes and another prefers Claude Code
 - long-lived agent organizations that need memory boundaries and reusable procedures
 - internal platforms that want to expose agent teams as structured infrastructure, not ad hoc scripts

@@ -260,9 +256,9 @@ Canvas (Next.js 15, warm-paper :3000)  <--HTTP / WS-->  Platform (Go 1.25 :8080)
         +------------------------- shows ------------------------> workspaces, teams, tasks, traces, events

 Workspace Runtime (Python ≥3.11, image with adapters)
-  - 8 adapters: LangGraph / DeepAgents / Claude Code / CrewAI / AutoGen / Hermes / Gemini CLI / OpenClaw
+  - 4 adapters: Claude Code / Codex / Hermes / OpenClaw
  - Agent Card + A2A server (typed-SSOT response path, RFC #2967)
-  - heartbeat + activity + awareness-backed memory (Memory v2 — pgvector semantic recall)
+  - heartbeat + activity + Memory v2 (pgvector semantic recall via per-tenant plugin sidecar)
  - skills + plugins + hot reload

 SaaS Control Plane (molecule-controlplane, private)
@@ -328,7 +324,7 @@ Then open `http://localhost:3000`:

 ## Current Scope

-The current `main` branch ships the core platform, Canvas v4 (warm-paper themed), Memory v2 (pgvector semantic recall), the typed-SSOT A2A response path (RFC #2967), **eight production adapters** (Claude Code, Hermes, Gemini CLI, LangGraph, DeepAgents, CrewAI, AutoGen, OpenClaw), skill lifecycle, and operational surfaces.
+The current `main` branch ships the core platform, Canvas v4 (warm-paper themed), Memory v2 (pgvector semantic recall), the typed-SSOT A2A response path (RFC #2967), **four maintained production adapters** (Claude Code, Codex, Hermes, OpenClaw), skill lifecycle, and operational surfaces.

 The companion private repo [`molecule-controlplane`](https://git.moleculesai.app/molecule-ai/molecule-controlplane) provides the SaaS surface — multi-tenant orchestration on EC2 + Neon + Cloudflare Tunnels, KMS envelope encryption, WorkOS auth, Stripe billing, and a `tenant_resources` audit table with a 30-min reconciler.

@@ -52,7 +52,7 @@ Molecule AI 是目前最强的 AI Agent 组织治理方案之一，用来把 age
 它把过去分散在 demo、内部胶水代码和各类 framework 私有工具里的关键能力，收敛成一个产品：

 - 一套组织原生 control plane，管理团队、角色、层级和生命周期
- 一套 runtime abstraction，让 **8 个** agent runtime —— LangGraph、DeepAgents、Claude Code、CrewAI、AutoGen、**Hermes**、**Gemini CLI**、OpenClaw —— 共用一套 workspace 契约
+- 一套 runtime abstraction，让 **4 个**维护中的 agent runtime —— Claude Code、Codex、**Hermes**、OpenClaw —— 共用一套 workspace 契约
 - 一套与组织边界对齐的 memory 模型，把 recall、sharing 和 skill evolution 放进同一体系（Memory v2 由 pgvector 支撑语义召回）
 - 一套面向线上 workspace 的运维面，统一完成观测、暂停、重启、检查和持续改进

@@ -74,11 +74,11 @@ Molecule AI 填的就是这个空白。

 ### 3. Runtime 选择不再是死路

-LangGraph、DeepAgents、Claude Code、CrewAI、AutoGen、Hermes、Gemini CLI、OpenClaw 都可以挂到同一个 workspace abstraction 下。团队可以统一治理方式，而不必统一到底层 runtime。
+Claude Code、Codex、Hermes、OpenClaw 都可以挂到同一个 workspace abstraction 下。团队可以统一治理方式，而不必统一到底层 runtime。

 ### 4. Memory 被当成基础设施来做

-Molecule AI 的 HMA 不是“多存一点上下文”而已。它关注组织边界、durable recall、scope sharing、awareness namespace、skill promotion，把这些放在一个完整体系里。
+Molecule AI 的 HMA 不是“多存一点上下文”而已。它关注组织边界、durable recall、scope sharing、v2 memory plugin、skill promotion，把这些放在一个完整体系里。

 ### 5. 它自带真正的 control plane

@@ -100,7 +100,7 @@ Registry、heartbeat、restart、pause/resume、activity、approval、terminal
 | **角色原生 workspace 抽象** | 模型切换、框架切换、团队扩容都不会打碎你的组织结构 |
 | **分形式团队扩展** | 一个 specialist 可以平滑升级成一个部门，而不影响上游集成 |
 | **异构 runtime 兼容** | 不同团队可以保留偏好的 agent 架构，但共用一套平台规则 |
-| **HMA + awareness namespace** | Memory 分享沿组织边界走，而不是全局乱穿透 |
+| **HMA + v2 memory plugin** | Memory 分享沿组织边界走，而不是全局乱穿透；每个 tenant 一个 plugin，按 workspace namespace 隔离 |
 | **Skill 演化闭环** | 成功工作流可以从 memory 逐步提升成可热加载的 skill |
 | **WebSocket-first 运维体验** | Canvas 能即时反映任务状态、结构变更和 A2A 响应 |
 | **Global secrets + local override** | 统一管理 provider 凭据，只在需要时做 workspace 级覆写 |
@@ -111,13 +111,9 @@ Molecule AI 并不是要替代下面这些 framework，而是把它们纳入更

 | Runtime / 架构 | 当前仓库状态 | 原生优势 | Molecule AI 额外补上的能力 |
 |---|---|---|---|
-| **LangGraph** | `main` 已支持 | 图控制强、工具调用成熟、Python 扩展性好 | Canvas orchestration、层级路由、A2A、memory scope、operational lifecycle |
-| **DeepAgents** | `main` 已支持 | 规划和任务拆解更强 | 同一套 workspace contract、团队拓扑、activity、restart 行为 |
 | **Claude Code** | `main` 已支持 | 真实编码工作流、CLI-native continuity | 安全 workspace 抽象、A2A delegation、组织边界、共享 control plane |
-| **CrewAI** | `main` 已支持 | 角色型 crew 模式清晰 | 持久 workspace 身份、统一策略、共享 Canvas 和 registry |
-| **AutoGen** | `main` 已支持 | assistant/tool orchestration | 统一部署、层级协作、共享运维平面 |
+| **Codex** | `main` 已支持 | OpenAI Codex CLI 工作流 | 安全 workspace 抽象、A2A delegation、组织边界、共享 control plane |
 | **Hermes 4** | `main` 已支持 | 混合推理、原生工具调用、json_schema 输出（NousResearch/hermes-agent） | Option B 上游 hook、A2A 桥接 OpenAI 兼容 API、多 provider 自动派生 |
-| **Gemini CLI** | `main` 已支持 | Google Gemini CLI 持续会话 | workspace 生命周期、A2A、层级感知协作、共享运维平面 |
 | **OpenClaw** | `main` 已支持 | CLI-native runtime，自有 session 模型 | workspace 生命周期、templates、activity logs、拓扑感知协作 |
 | **NemoClaw** | `feat/nemoclaw-t4-docker` 分支 WIP | NVIDIA 方向 runtime 路线 | 计划并入同一抽象层，但当前还不是 `main` 已合并能力 |

@@ -132,7 +128,7 @@ Molecule AI 并不是要替代下面这些 framework，而是把它们纳入更
 | 扁平 store 或弱命名空间隔离 | 与层级对齐的 `LOCAL`、`TEAM`、`GLOBAL` scope |
 | 分享很容易越界 | 分享是显式且结构感知的 |
 | Memory 和 procedure 混成一团 | Memory 存 durable facts，skills 存 repeatable procedure |
-| 任意 agent 容易过权 | workspace awareness namespace 缩小 blast radius |
+| 任意 agent 容易过权 | v2 memory plugin 的 per-workspace namespace 缩小 blast radius |
 | UI memory 和 runtime memory 混在一起 | scoped agent memory、key/value workspace memory、recall surface 分层清晰 |

 ### 这套飞轮怎么转
@@ -162,7 +158,7 @@ Molecule AI 并不是要替代下面这些 framework，而是把它们纳入更

 | 核心机制 | Molecule AI 对应模块 | 为什么重要 |
 |---|---|---|
-| **跨 session 的 durable memory** | `workspace/builtin_tools/memory.py`、`workspace/builtin_tools/awareness_client.py`、`workspace-server/internal/handlers/memories.go` | 不只是持久化，而且是**按 workspace 隔离**的，可进一步路由到和组织结构绑定的 awareness namespace |
+| **跨 session 的 durable memory** | `workspace/builtin_tools/memory.py`、`workspace-server/internal/handlers/memories.go`、`workspace-server/internal/memory/`（v2 plugin client + namespace resolver）| 不只是持久化，而且是**按 workspace 隔离**的 —— 每次写入都落在 workspace 自己的 `workspace:<id>` namespace 里；当 agent 显式升级到跨 workspace 共享时，可以通过平台 namespace ACL 写到 `team:<root>` 和 `org:<root>` |
 | **Cross-session recall** | `workspace-server/internal/handlers/activity.go` 中的 `/workspaces/:id/session-search` | Recall 同时覆盖 activity history 和 memory rows，不需要再造一个隐蔽的新存储层 |
 | **从经验里长出技能** | `workspace/builtin_tools/memory.py` 里的 `_maybe_log_skill_promotion` | 从 memory 到 skill candidate 的提升会被显式记录成平台 activity，而不是默默发生在黑盒里 |
 | **技能在使用中持续改进** | `workspace/skill_loader/watcher.py`、`workspace/skill_loader/loader.py`、`workspace/main.py` | Skill 改动可以热加载进 live runtime，下一次 A2A 任务就能直接使用，不需要重启 workspace |
@@ -171,7 +167,7 @@ Molecule AI 并不是要替代下面这些 framework，而是把它们纳入更
 ### 为什么这在 Molecule AI 里更适合团队级系统

 1. **学习闭环是 org-aware 的，而不只是 session-aware。**
-   Memory 可以按 `LOCAL`、`TEAM`、`GLOBAL` scope 运作，awareness namespace 让每个 workspace 都有清晰的持久边界。
+   Memory 可以按 `LOCAL`、`TEAM`、`GLOBAL` scope 运作，v2 plugin 的 namespace ACL 让每个 workspace 都有清晰的持久边界。

 2. **学习闭环是对运维可见的。**
   Promotion events、activity logs、current-task updates、traces、WebSocket fanout 让自我进化进入 control plane，而不是藏在黑盒内部。
@@ -208,9 +204,9 @@ Molecule AI 并不是要替代下面这些 framework，而是把它们纳入更
 ### Runtime

 - 统一 `workspace/` 镜像；生产环境采用 thin AMI（us-east-2）
- adapter 驱动执行，覆盖 **8 个 runtime**（Claude Code、Hermes、Gemini CLI、LangGraph、DeepAgents、CrewAI、AutoGen、OpenClaw）
+- adapter 驱动执行，覆盖 **4 个维护中的 runtime**（Claude Code、Codex、Hermes、OpenClaw）
 - Agent Card 注册
- awareness-backed memory；**Memory v2 由 pgvector 支撑**语义召回
+- **Memory v2 由 pgvector 支撑** —— 每个 tenant 一个 plugin sidecar，承载 HMA namespace、FTS 与语义召回
 - plugin 挂载共享 rules/skills
 - 本地 skills 热加载
 - coordinator-only delegation 路径
@@ -259,9 +255,9 @@ Canvas (Next.js 15, warm-paper :3000)  <--HTTP / WS-->  Platform (Go 1.25 :8080)
         +------------------------- 展示 ------------------------> workspaces, teams, tasks, traces, events

 Workspace Runtime (Python ≥3.11，含 adapter 集合的镜像)
-  - 8 个 adapter: LangGraph / DeepAgents / Claude Code / CrewAI / AutoGen / Hermes / Gemini CLI / OpenClaw
+  - 4 个 adapter: Claude Code / Codex / Hermes / OpenClaw
  - Agent Card + A2A server（typed-SSOT 响应路径，RFC #2967）
-  - heartbeat + activity + awareness-backed memory（Memory v2 —— pgvector 语义召回）
+  - heartbeat + activity + Memory v2（pgvector 语义召回，per-tenant plugin sidecar）
  - skills + plugins + hot reload

 SaaS Control Plane (molecule-controlplane，私有)
@@ -321,7 +317,7 @@ npm run dev

 ## 当前范围说明

-当前 `main` 已经包含核心平台、Canvas v4（warm-paper 主题）、Memory v2（pgvector 语义召回）、typed-SSOT A2A 响应路径（RFC #2967）、**8 个正式 adapter**（Claude Code、Hermes、Gemini CLI、LangGraph、DeepAgents、CrewAI、AutoGen、OpenClaw）、skill lifecycle，以及主要运维面。
+当前 `main` 已经包含核心平台、Canvas v4（warm-paper 主题）、Memory v2（pgvector 语义召回）、typed-SSOT A2A 响应路径（RFC #2967）、**4 个维护中的正式 adapter**（Claude Code、Codex、Hermes、OpenClaw）、skill lifecycle，以及主要运维面。

 配套的私有仓库 [`molecule-controlplane`](https://git.moleculesai.app/molecule-ai/molecule-controlplane) 提供 SaaS 层 —— 多租户编排（EC2 + Neon + Cloudflare Tunnels）、KMS 信封加密、WorkOS 鉴权、Stripe 计费，以及 `tenant_resources` 审计表加 30 分钟 reconciler。

@@ -15,9 +15,11 @@ test("FilesTab renders after split", async ({ page, request }) => {
  // Clean slate
  const { workspaces } = await request
    .get("http://localhost:8080/workspaces")
-    .then(async (r) => ({ workspaces: (await r.json()) as Array<{ id: string }> }));
+    .then(async (r) => ({ workspaces: (await r.json()) as Array<{ id: string; name: string }> }));
  for (const w of workspaces) {
-    await request.delete(`http://localhost:8080/workspaces/${w.id}?confirm=true`);
+    await request.delete(`http://localhost:8080/workspaces/${w.id}?confirm=true`, {
+      headers: { "X-Confirm-Name": w.name },
+    });
  }

  // Create a workspace
@@ -80,5 +82,7 @@ test("FilesTab renders after split", async ({ page, request }) => {
  await expect(editorEmpty.first()).toBeVisible({ timeout: 5_000 });

  // Cleanup
-  await request.delete(`http://localhost:8080/workspaces/${wsId}?confirm=true`);
+  await request.delete(`http://localhost:8080/workspaces/${wsId}?confirm=true`, {
+    headers: { "X-Confirm-Name": "FilesTab Smoke" },
+  });
 });
@@ -49,7 +49,7 @@ export async function seedWorkspace(echoURL: string): Promise<SeededWorkspace> {
  };
  let authToken = ws.connection?.auth_token;
  if (!authToken) {
-    authToken = await mintTestToken(ws.id);
+    authToken = await mintWorkspaceToken(ws.id);
  }
  if (!authToken) {
    throw new Error("Workspace created but no auth_token returned");
@@ -202,12 +202,18 @@ export async function cleanupWorkspace(workspaceId: string): Promise<void> {
 * Mint a workspace auth token so the canvas can make authenticated API
 * calls (WorkspaceAuth middleware).
 */
-export async function mintTestToken(workspaceId: string): Promise<string> {
-  const res = await fetch(
-    `${PLATFORM_URL}/admin/workspaces/${workspaceId}/test-token`,
-  );
+export async function mintWorkspaceToken(workspaceId: string): Promise<string> {
+  const headers: Record<string, string> = {};
+  const adminToken = process.env.E2E_ADMIN_TOKEN ?? process.env.ADMIN_TOKEN;
+  if (adminToken) {
+    headers.Authorization = `Bearer ${adminToken}`;
+  }
+  const res = await fetch(`${PLATFORM_URL}/admin/workspaces/${workspaceId}/tokens`, {
+    method: "POST",
+    headers,
+  });
  if (!res.ok) {
-    throw new Error(`Failed to mint test token: ${res.status}`);
+    throw new Error(`Failed to mint workspace token: ${res.status}`);
  }
  const data = (await res.json()) as { auth_token: string };
  return data.auth_token;
@@ -0,0 +1,35 @@
+import { dirname } from "path";
+import { fileURLToPath } from "url";
+import { FlatCompat } from "@eslint/eslintrc";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+
+const compat = new FlatCompat({
+  baseDirectory: __dirname,
+});
+
+const eslintConfig = [
+  {
+    ignores: [
+      ".next/**",
+      "coverage/**",
+      "out/**",
+      "build/**",
+      "next-env.d.ts",
+    ],
+  },
+  ...compat.extends("next/core-web-vitals", "next/typescript"),
+  {
+    rules: {
+      "@typescript-eslint/no-explicit-any": "warn",
+      "@typescript-eslint/no-require-imports": "warn",
+      "prefer-const": "warn",
+      "react-hooks/rules-of-hooks": "warn",
+      "react/display-name": "warn",
+      "react/no-unescaped-entities": "warn",
+    },
+  },
+];
+
+export default eslintConfig;
@@ -6,11 +6,12 @@
    "dev": "next dev --turbopack -p 3000",
    "build": "next build",
    "start": "next start",
-    "lint": "next lint",
+    "lint": "eslint .",
    "test": "vitest run",
    "test:coverage": "vitest run --coverage"
  },
  "dependencies": {
+    "@novnc/novnc": "^1.7.0",
    "@radix-ui/react-alert-dialog": "^1.1.15",
    "@radix-ui/react-dialog": "^1.1.15",
    "@radix-ui/react-tabs": "^1.1.12",
@@ -30,6 +31,7 @@
  },
  "devDependencies": {
    "@playwright/test": "^1.59.1",
+    "@tailwindcss/postcss": "^4.0.0",
    "@testing-library/jest-dom": "^6.6.0",
    "@testing-library/react": "^16.1.0",
    "@types/node": "^25.6.0",
@@ -37,7 +39,8 @@
    "@types/react-dom": "^19.0.0",
    "@vitejs/plugin-react": "^6.0.1",
    "@vitest/coverage-v8": "^4.1.5",
-    "@tailwindcss/postcss": "^4.0.0",
+    "eslint": "^9.39.4",
+    "eslint-config-next": "^15.5.15",
    "jsdom": "^29.1.1",
    "postcss": "^8.5.13",
    "tailwindcss": "^4.0.0",
@@ -232,7 +232,10 @@ function CanvasInner() {
    }
    state.beginDelete(subtree);
    try {
-      await api.del(`/workspaces/${id}?confirm=true`);
+      const workspaceName = state.nodes.find((n) => n.id === id)?.data.name ?? "";
+      await api.del(`/workspaces/${id}?confirm=true`, {
+        headers: { "X-Confirm-Name": workspaceName },
+      });
      // Mirror the server-side cascade locally — drop the parent AND
      // every descendant in one atomic update. The per-descendant
      // WORKSPACE_REMOVED WS events still arrive (and are no-ops
@@ -128,7 +128,7 @@ export function ConsoleModal({ workspaceId, workspaceName, open, onClose }: Prop

        <div className="flex-1 overflow-auto bg-black/80 p-4">
          {loading && (
-            <div className="text-[12px] text-ink-mid" data-testid="console-loading">
+            <div role="status" aria-live="polite" className="text-[12px] text-ink-mid" data-testid="console-loading">
              Loading console output…
            </div>
          )}
@@ -33,6 +33,56 @@ interface HermesProvider {
  models: string[];
 }

+type LLMAuthMode = "platform" | "api_key" | "oauth";
+
+interface NativeLLMProvider {
+  id: string;
+  label: string;
+  envVar?: string;
+  defaultModel: string;
+  models: string[];
+  authModes: LLMAuthMode[];
+}
+
+export const NATIVE_LLM_PROVIDERS: NativeLLMProvider[] = [
+  {
+    id: "minimax",
+    label: "MiniMax",
+    envVar: "MINIMAX_API_KEY",
+    defaultModel: "MiniMax-M2.7",
+    models: ["MiniMax-M2.7", "MiniMax-M2.7-highspeed", "MiniMax-M2.5"],
+    authModes: ["platform", "api_key"],
+  },
+  {
+    id: "kimi-coding",
+    label: "Kimi",
+    envVar: "KIMI_API_KEY",
+    defaultModel: "kimi-for-coding",
+    models: ["kimi-for-coding", "kimi-k2.5", "kimi-k2"],
+    authModes: ["platform", "api_key"],
+  },
+  {
+    id: "anthropic",
+    label: "Anthropic",
+    envVar: "ANTHROPIC_API_KEY",
+    defaultModel: "claude-sonnet-4-6",
+    models: ["claude-sonnet-4-6", "claude-opus-4-7", "claude-haiku-4-5"],
+    authModes: ["platform", "api_key"],
+  },
+  {
+    id: "anthropic-oauth",
+    label: "Claude OAuth",
+    envVar: "CLAUDE_CODE_OAUTH_TOKEN",
+    defaultModel: "sonnet",
+    models: ["sonnet", "opus", "haiku"],
+    authModes: ["oauth"],
+  },
+];
+const DEFAULT_HEADLESS_INSTANCE_TYPE = "t3.medium";
+const DEFAULT_HEADLESS_ROOT_GB = 30;
+const DEFAULT_DISPLAY_INSTANCE_TYPE = "t3.xlarge";
+const DEFAULT_DISPLAY_ROOT_GB = 80;
+
 // All providers supported by Hermes runtime via providers.resolve_provider().
 // `defaultModel` is the slug injected into the workspace provision request
 // when the user picks this provider — template-hermes's derive-provider.sh
@@ -68,6 +118,10 @@ export function CreateWorkspaceButton() {
  const [creating, setCreating] = useState(false);
  const [error, setError] = useState<string | null>(null);
  const [workspaces, setWorkspaces] = useState<WorkspaceOption[]>([]);
+  const [displayEnabled, setDisplayEnabled] = useState(false);
+  const [displayInstanceType, setDisplayInstanceType] = useState(DEFAULT_DISPLAY_INSTANCE_TYPE);
+  const [displayRootGB, setDisplayRootGB] = useState(String(DEFAULT_DISPLAY_ROOT_GB));
+  const [displayResolution, setDisplayResolution] = useState("1920x1080");
  // Templates fetched from /api/templates — drives the dynamic provider
  // filter below. Same data source ConfigTab uses (PR #2454). When the
  // selected template declares `runtime_config.providers` in its
@@ -95,11 +149,16 @@ export function CreateWorkspaceButton() {
  // (Anthropic), which 401s if the user's key is for a different
  // provider. Hence: require model when template=hermes.
  const [hermesModel, setHermesModel] = useState("");
+  const [llmAuthMode, setLLMAuthMode] = useState<LLMAuthMode>("platform");
+  const [llmProvider, setLLMProvider] = useState("minimax");
+  const [llmModel, setLLMModel] = useState("MiniMax-M2.7");
+  const [llmSecret, setLLMSecret] = useState("");

  // Tier picker: on SaaS every workspace gets its own EC2 VM (Full Access
  // by construction), so we hide the T1/T2/T3 Docker-sandbox tiers and
-  // lock to T4 — the full-host access tier, which maps to t3.large at the
-  // CP level. On self-hosted we still offer T1/T2/T3 because the Docker-
+  // lock to T4 — the full-host access tier. The EC2 size is controlled by
+  // the compute profile below. On self-hosted we still offer T1/T2/T3
+  // because the Docker-
  // sandbox distinction is a real choice there; T4 is available too for
  // operators who want the full-host tier.
  //
@@ -150,6 +209,14 @@ export function CreateWorkspaceButton() {
  );

  const isHermes = template.trim().toLowerCase() === "hermes";
+  const nativeLLMProviders = useMemo(
+    () => NATIVE_LLM_PROVIDERS.filter((p) => p.authModes.includes(llmAuthMode)),
+    [llmAuthMode],
+  );
+  const selectedNativeProvider = useMemo(
+    () => nativeLLMProviders.find((p) => p.id === llmProvider) ?? nativeLLMProviders[0],
+    [llmProvider, nativeLLMProviders],
+  );

  // Resolve the selected template's spec from the /templates response.
  // The `template` input is free-text; templates can be matched by id,
@@ -197,6 +264,22 @@ export function CreateWorkspaceButton() {
    // eslint-disable-next-line react-hooks/exhaustive-deps
  }, [availableProviders, isHermes]);

+  useEffect(() => {
+    if (isHermes) return;
+    if (nativeLLMProviders.length === 0) return;
+    if (!nativeLLMProviders.some((p) => p.id === llmProvider)) {
+      setLLMProvider(nativeLLMProviders[0].id);
+      setLLMModel(nativeLLMProviders[0].defaultModel);
+    }
+  }, [isHermes, llmProvider, nativeLLMProviders]);
+
+  useEffect(() => {
+    if (isHermes || !selectedNativeProvider) return;
+    if (!selectedNativeProvider.models.includes(llmModel)) {
+      setLLMModel(selectedNativeProvider.defaultModel);
+    }
+  }, [isHermes, llmModel, selectedNativeProvider]);
+
  // Auto-fill hermesModel with the provider's defaultModel whenever the
  // provider changes, but only if the user hasn't already typed their own
  // slug. Prevents the empty-model → "auto" → Anthropic-default 401 trap.
@@ -223,10 +306,18 @@ export function CreateWorkspaceButton() {
    setParentId("");
    setBudgetLimit("");
    setError(null);
+    setDisplayEnabled(false);
+    setDisplayInstanceType(DEFAULT_DISPLAY_INSTANCE_TYPE);
+    setDisplayRootGB(String(DEFAULT_DISPLAY_ROOT_GB));
+    setDisplayResolution("1920x1080");
    setHermesProvider("anthropic");
    setExternalRuntime("external");
    setHermesApiKey("");
    setHermesModel("");
+    setLLMAuthMode("platform");
+    setLLMProvider("minimax");
+    setLLMModel("MiniMax-M2.7");
+    setLLMSecret("");
    api
      .get<WorkspaceOption[]>("/workspaces")
      .then((ws) => setWorkspaces(ws))
@@ -253,17 +344,28 @@ export function CreateWorkspaceButton() {
      setError("Model is required for Hermes workspaces — provider routing depends on the model slug prefix");
      return;
    }
+    if (!isExternal && !isHermes && !llmModel.trim()) {
+      setError("Model is required");
+      return;
+    }
+    if (!isExternal && !isHermes && llmAuthMode !== "platform" && !llmSecret.trim()) {
+      setError(llmAuthMode === "oauth" ? "Claude OAuth token is required" : "API key is required");
+      return;
+    }
    setCreating(true);
    setError(null);

    const provider = isHermes
      ? HERMES_PROVIDERS.find((p) => p.id === hermesProvider)
      : undefined;
+    const nativeProvider = !isHermes ? selectedNativeProvider : undefined;

    try {
      const parsedBudget = budgetLimit.trim()
        ? parseFloat(budgetLimit)
        : null;
+      const [displayWidth, displayHeight] = displayResolution.split("x").map((v) => parseInt(v, 10));
+      const parsedRootGB = parseInt(displayRootGB, 10);

      const createResp = await api.post<{
        id: string;
@@ -280,6 +382,35 @@ export function CreateWorkspaceButton() {
        tier,
        parent_id: parentId || undefined,
        budget_limit: parsedBudget,
+        ...(!isExternal && !isHermes && nativeProvider
+          ? {
+              model: llmModel.trim(),
+              llm_provider: nativeProvider.id,
+              ...(llmAuthMode !== "platform" && nativeProvider.envVar
+                ? { secrets: { [nativeProvider.envVar]: llmSecret.trim() } }
+                : {}),
+            }
+          : {}),
+        ...(!isExternal
+          ? {
+              compute: displayEnabled
+                ? {
+                    instance_type: displayInstanceType,
+                    volume: { root_gb: Number.isFinite(parsedRootGB) ? parsedRootGB : DEFAULT_DISPLAY_ROOT_GB },
+                    display: {
+                      mode: "desktop-control",
+                      protocol: "novnc",
+                      width: Number.isFinite(displayWidth) ? displayWidth : 1920,
+                      height: Number.isFinite(displayHeight) ? displayHeight : 1080,
+                    },
+                  }
+                : {
+                    instance_type: DEFAULT_HEADLESS_INSTANCE_TYPE,
+                    volume: { root_gb: DEFAULT_HEADLESS_ROOT_GB },
+                    display: { mode: "none" },
+                  },
+            }
+          : {}),
        canvas: { x: Math.random() * 400 + 100, y: Math.random() * 300 + 100 },
        // Runtime=external flips the backend into awaiting-agent mode:
        // no container provisioning, token minted, connection payload
@@ -411,6 +542,82 @@ export function CreateWorkspaceButton() {
              />
            )}

+            {!isExternal && !isHermes && selectedNativeProvider && (
+              <div className="rounded-lg border border-line/50 bg-surface-card/40 p-3 space-y-3">
+                <div className="text-[11px] font-medium text-ink-mid">
+                  LLM
+                </div>
+                <div>
+                  <label htmlFor="llm-auth-mode" className="text-[11px] text-ink-mid block mb-1">
+                    Auth Mode
+                  </label>
+                  <select
+                    id="llm-auth-mode"
+                    value={llmAuthMode}
+                    onChange={(e) => setLLMAuthMode(e.target.value as LLMAuthMode)}
+                    className="w-full bg-surface-card/60 border border-line/50 rounded-lg px-3 py-2 text-sm text-ink focus:outline-none focus:border-accent/60 focus:ring-1 focus:ring-accent/20 transition-colors"
+                  >
+                    <option value="platform">Platform provided</option>
+                    <option value="api_key">API key</option>
+                    <option value="oauth">Claude OAuth</option>
+                  </select>
+                </div>
+                <div>
+                  <label htmlFor="llm-provider-select" className="text-[11px] text-ink-mid block mb-1">
+                    Provider
+                  </label>
+                  <select
+                    id="llm-provider-select"
+                    value={selectedNativeProvider.id}
+                    onChange={(e) => {
+                      const next = nativeLLMProviders.find((p) => p.id === e.target.value);
+                      setLLMProvider(e.target.value);
+                      if (next) setLLMModel(next.defaultModel);
+                    }}
+                    className="w-full bg-surface-card/60 border border-line/50 rounded-lg px-3 py-2 text-sm text-ink focus:outline-none focus:border-accent/60 focus:ring-1 focus:ring-accent/20 transition-colors"
+                  >
+                    {nativeLLMProviders.map((p) => (
+                      <option key={p.id} value={p.id}>
+                        {p.label}
+                      </option>
+                    ))}
+                  </select>
+                </div>
+                <div>
+                  <label htmlFor="llm-model-input" className="text-[11px] text-ink-mid block mb-1">
+                    Model
+                  </label>
+                  <input
+                    id="llm-model-input"
+                    type="text"
+                    value={llmModel}
+                    onChange={(e) => setLLMModel(e.target.value)}
+                    list="llm-model-suggestions"
+                    spellCheck={false}
+                    className="w-full bg-surface-card/60 border border-line/50 rounded-lg px-3 py-2 text-sm text-ink placeholder-ink-soft focus:outline-none focus:border-accent/60 focus:ring-1 focus:ring-accent/20 transition-colors font-mono"
+                  />
+                  <datalist id="llm-model-suggestions">
+                    {selectedNativeProvider.models.map((m) => <option key={m} value={m} />)}
+                  </datalist>
+                </div>
+                {llmAuthMode !== "platform" && (
+                  <div>
+                    <label htmlFor="llm-secret-input" className="text-[11px] text-ink-mid block mb-1">
+                      {llmAuthMode === "oauth" ? "OAuth Token" : "API Key"}
+                    </label>
+                    <input
+                      id="llm-secret-input"
+                      type="password"
+                      value={llmSecret}
+                      onChange={(e) => setLLMSecret(e.target.value)}
+                      autoComplete="off"
+                      className="w-full bg-surface-card/60 border border-line/50 rounded-lg px-3 py-2 text-sm text-ink placeholder-ink-soft focus:outline-none focus:border-accent/60 focus:ring-1 focus:ring-accent/20 transition-colors font-mono"
+                    />
+                  </div>
+                )}
+              </div>
+            )}
+
            <div>
              <div
                role="radiogroup"
@@ -447,11 +654,79 @@ export function CreateWorkspaceButton() {
              </div>
            </div>

+            {!isExternal && (
+              <div className="rounded-lg border border-line/50 bg-surface-card/40 p-3">
+                <div className="mb-2 text-[11px] font-medium text-ink-mid">
+                  Container Config
+                </div>
+                <label className="flex items-center justify-between gap-3">
+                  <span className="text-xs font-medium text-ink">Display</span>
+                  <input
+                    type="checkbox"
+                    checked={displayEnabled}
+                    onChange={(e) => setDisplayEnabled(e.target.checked)}
+                    aria-label="Enable display"
+                    className="h-4 w-4"
+                  />
+                </label>
+                {displayEnabled && (
+                  <div className="mt-3 grid grid-cols-2 gap-2">
+                    <div>
+                      <label htmlFor="display-instance-type" className="mb-1 block text-[11px] text-ink-mid">
+                        Instance
+                      </label>
+                      <select
+                        id="display-instance-type"
+                        value={displayInstanceType}
+                        onChange={(e) => setDisplayInstanceType(e.target.value)}
+                        className="w-full bg-surface-card/60 border border-line/50 rounded-lg px-2 py-2 text-xs text-ink focus:outline-none focus:border-accent/60 focus:ring-1 focus:ring-accent/20 transition-colors"
+                      >
+                        <option value="t3.large">t3.large</option>
+                        <option value="t3.xlarge">t3.xlarge</option>
+                        <option value="m6i.xlarge">m6i.xlarge</option>
+                        <option value="c6i.xlarge">c6i.xlarge</option>
+                      </select>
+                    </div>
+                    <div>
+                      <label htmlFor="display-root-gb" className="mb-1 block text-[11px] text-ink-mid">
+                        Disk GB
+                      </label>
+                      <input
+                        id="display-root-gb"
+                        type="number"
+                        min="30"
+                        max="500"
+                        value={displayRootGB}
+                        onChange={(e) => setDisplayRootGB(e.target.value)}
+                        className="w-full bg-surface-card/60 border border-line/50 rounded-lg px-2 py-2 text-xs text-ink focus:outline-none focus:border-accent/60 focus:ring-1 focus:ring-accent/20 transition-colors"
+                      />
+                    </div>
+                    <div className="col-span-2">
+                      <label htmlFor="display-resolution" className="mb-1 block text-[11px] text-ink-mid">
+                        Resolution
+                      </label>
+                      <select
+                        id="display-resolution"
+                        value={displayResolution}
+                        onChange={(e) => setDisplayResolution(e.target.value)}
+                        className="w-full bg-surface-card/60 border border-line/50 rounded-lg px-2 py-2 text-xs text-ink focus:outline-none focus:border-accent/60 focus:ring-1 focus:ring-accent/20 transition-colors"
+                      >
+                        <option value="1920x1080">1920 x 1080</option>
+                        <option value="1600x900">1600 x 900</option>
+                        <option value="1280x720">1280 x 720</option>
+                      </select>
+                    </div>
+                  </div>
+                )}
+              </div>
+            )}
+
            <div>
-              <label className="text-[11px] text-ink-mid block mb-1">
+              <label htmlFor="parent-workspace-select" className="text-[11px] text-ink-mid block mb-1">
                Parent Workspace
              </label>
              <select
+                id="parent-workspace-select"
                value={parentId}
                onChange={(e) => setParentId(e.target.value)}
                className="w-full bg-surface-card/60 border border-line/50 rounded-lg px-3 py-2 text-sm text-ink focus:outline-none focus:border-accent/60 focus:ring-1 focus:ring-accent/20 transition-colors"
@@ -24,9 +24,10 @@
 * "no memories yet".
 */

-import { useCallback, useEffect, useMemo, useState } from 'react';
+import { useCallback, useEffect, useMemo, useRef, useState } from 'react';
 import { api } from '@/lib/api';
 import { ConfirmDialog } from '@/components/ConfirmDialog';
+import { useSocketEvent } from '@/hooks/useSocketEvent';

 // ── Types ─────────────────────────────────────────────────────────────────────

@@ -246,6 +247,60 @@ export function MemoryInspectorPanel({ workspaceId }: Props) {
    loadEntries();
  }, [loadEntries]);

+  // Live-refresh on ACTIVITY_LOGGED events that look like memory writes
+  // for this workspace (#1734). Without this, the user sees a stale
+  // empty state after an agent commits — agent says "wrote memory",
+  // panel keeps showing nothing until they hit Refresh.
+  //
+  // What actually broadcasts ACTIVITY_LOGGED on the server today
+  // (workspace-server/internal/handlers/activity.go LogActivity /
+  // LogActivityTx — those are the only emitters):
+  //
+  //   - `memory_write_global`  — `POST /workspaces/:id/memories` for GLOBAL scope
+  //   - `memory_edit_global`   — `PATCH /workspaces/:id/memories/:id` for GLOBAL scope
+  //   - `memory_delete_global` — `DELETE /workspaces/:id/memories/:id` for GLOBAL scope
+  //   - `agent_log`            — generic catch-all an agent emits via
+  //                              `POST /workspaces/:id/activity`
+  //
+  // The MCP-tool path (`commit_memory`, `commit_memory_v2`,
+  // `commit_summary`) does NOT broadcast on the wire today; it inserts
+  // into agent_memories (pre-A1) or calls the v2 plugin (post-A1) and
+  // never round-trips through LogActivity. Server-side follow-up is
+  // tracked in **#1754** — once the MCP handlers emit `memory_write`
+  // via LogActivity, the `agent_log` arm of the filter below can be
+  // dropped. `memory_write` is included pre-emptively so this code
+  // lights up the moment #1754 lands. Until then, `agent_log` catches
+  // MCP commits over-inclusively; the 300ms debounce bounds the
+  // refetch rate. Issue #1734 review finding.
+  //
+  // The 300ms debounce coalesces bursts so a chatty agent (e.g. an
+  // agent in a long task emitting agent_log every few hundred ms)
+  // doesn't hammer /v2/memories on every keystroke-equivalent.
+  const refetchTimerRef = useRef<ReturnType<typeof setTimeout> | null>(null);
+  useEffect(() => () => {
+    if (refetchTimerRef.current) clearTimeout(refetchTimerRef.current);
+  }, []);
+  useSocketEvent((msg) => {
+    if (msg.event !== 'ACTIVITY_LOGGED') return;
+    if (msg.workspace_id !== workspaceId) return;
+    const p = (msg.payload || {}) as Record<string, unknown>;
+    const activityType = (p.activity_type as string) || '';
+    switch (activityType) {
+      case 'memory_write':
+      case 'memory_write_global':
+      case 'memory_edit_global':
+      case 'memory_delete_global':
+      case 'agent_log':
+        break;
+      default:
+        return;
+    }
+    if (refetchTimerRef.current) clearTimeout(refetchTimerRef.current);
+    refetchTimerRef.current = setTimeout(() => {
+      loadEntries();
+    }, 300);
+  });
+
  // ── Delete handlers ─────────────────────────────────────────────────────────

  const confirmDelete = useCallback(async () => {
@@ -242,10 +242,13 @@ export function ProvisioningTimeout({
  const handleCancelConfirm = useCallback(async () => {
    if (!confirmingCancel) return;
    const workspaceId = confirmingCancel;
+    const workspaceName = timedOut.find((e) => e.workspaceId === workspaceId)?.workspaceName ?? "";
    setConfirmingCancel(null);
    setCancelling((prev) => new Set(prev).add(workspaceId));
    try {
-      await api.del(`/workspaces/${workspaceId}`);
+      await api.del(`/workspaces/${workspaceId}`, {
+        headers: { "X-Confirm-Name": workspaceName },
+      });
      setTimedOut((prev) => prev.filter((e) => e.workspaceId !== workspaceId));
      trackingRef.current.delete(workspaceId);
      showToast("Deployment cancelled", "info");
@@ -305,7 +305,9 @@ export function SidePanel() {
        {panelTab === "chat" && <ChatTab key={selectedNodeId} workspaceId={selectedNodeId} data={node.data} />}
        {panelTab === "terminal" && <TerminalTab key={selectedNodeId} workspaceId={selectedNodeId} data={node.data} />}
        {panelTab === "display" && <DisplayTab key={selectedNodeId} workspaceId={selectedNodeId} />}
-        {panelTab === "container-config" && <ContainerConfigTab key={selectedNodeId} data={node.data} />}
+        {panelTab === "container-config" && selectedNodeId && (
+          <ContainerConfigTab key={selectedNodeId} workspaceId={selectedNodeId} data={node.data} />
+        )}
        {panelTab === "config" && <ConfigTab key={selectedNodeId} workspaceId={selectedNodeId} />}
        {panelTab === "schedule" && <ScheduleTab key={selectedNodeId} workspaceId={selectedNodeId} />}
        {panelTab === "channels" && <ChannelsTab key={selectedNodeId} workspaceId={selectedNodeId} />}
@@ -63,7 +63,7 @@ describe("CreateWorkspaceDialog", () => {

  it('first option is "None (root level)" with empty value', async () => {
    await openDialog();
-    const select = document.querySelector("select") as HTMLSelectElement;
+    const select = screen.getByLabelText("Parent Workspace") as HTMLSelectElement;
    expect(select).toBeTruthy();
    const firstOption = select.options[0];
    expect(firstOption.value).toBe("");
@@ -73,12 +73,12 @@ describe("CreateWorkspaceDialog", () => {
  it("populates select with workspace names from GET /workspaces", async () => {
    await openDialog();
    await waitFor(() => {
-      const select = document.querySelector("select") as HTMLSelectElement;
+      const select = screen.getByLabelText("Parent Workspace") as HTMLSelectElement;
      const optionValues = Array.from(select.options).map((o) => o.value);
      expect(optionValues).toContain("ws-1");
      expect(optionValues).toContain("ws-2");
    });
-    const select = document.querySelector("select") as HTMLSelectElement;
+    const select = screen.getByLabelText("Parent Workspace") as HTMLSelectElement;
    const optionTexts = Array.from(select.options).map((o) => o.text.trim());
    expect(optionTexts.some((t) => t.includes("Platform Team"))).toBe(true);
    expect(optionTexts.some((t) => t.includes("Research Agent"))).toBe(true);
@@ -87,7 +87,7 @@ describe("CreateWorkspaceDialog", () => {
  it("sends parent_id in POST body when a workspace is selected", async () => {
    await openDialog();
    await waitFor(() => {
-      const select = document.querySelector("select") as HTMLSelectElement;
+      const select = screen.getByLabelText("Parent Workspace") as HTMLSelectElement;
      expect(select.options.length).toBeGreaterThan(1);
    });

@@ -95,7 +95,7 @@ describe("CreateWorkspaceDialog", () => {
      target: { value: "My Agent" },
    });

-    const select = document.querySelector("select") as HTMLSelectElement;
+    const select = screen.getByLabelText("Parent Workspace") as HTMLSelectElement;
    fireEvent.change(select, { target: { value: "ws-1" } });

    const createBtn = screen.getAllByRole("button").find((b) => b.textContent === "Create");
@@ -112,7 +112,7 @@ describe("CreateWorkspaceDialog", () => {
      target: { value: "Root Agent" },
    });

-    const select = document.querySelector("select") as HTMLSelectElement;
+    const select = screen.getByLabelText("Parent Workspace") as HTMLSelectElement;
    fireEvent.change(select, { target: { value: "" } });

    const createBtn = screen.getAllByRole("button").find((b) => b.textContent === "Create");
@@ -123,13 +123,120 @@ describe("CreateWorkspaceDialog", () => {
    expect(body.parent_id).toBeUndefined();
  });

+  it("sends the cost-efficient headless compute profile by default", async () => {
+    await openDialog();
+    fireEvent.change(screen.getByPlaceholderText("e.g. SEO Agent"), {
+      target: { value: "Plain Agent" },
+    });
+
+    const createBtn = screen.getAllByRole("button").find((b) => b.textContent === "Create");
+    fireEvent.click(createBtn!);
+
+    await waitFor(() => expect(mockPost).toHaveBeenCalled());
+    const body = mockPost.mock.calls[0][1] as Record<string, unknown>;
+    expect(body.compute).toEqual({
+      instance_type: "t3.medium",
+      volume: { root_gb: 30 },
+      display: { mode: "none" },
+    });
+    expect(body.model).toBe("MiniMax-M2.7");
+    expect(body.llm_provider).toBe("minimax");
+    expect(body.secrets).toBeUndefined();
+  });
+
+  it("does not send managed compute for external agents", async () => {
+    await openDialog();
+    fireEvent.change(screen.getByPlaceholderText("e.g. SEO Agent"), {
+      target: { value: "External Agent" },
+    });
+    fireEvent.click(screen.getByLabelText(/External agent/));
+
+    const createBtn = screen.getAllByRole("button").find((b) => b.textContent === "Create");
+    fireEvent.click(createBtn!);
+
+    await waitFor(() => expect(mockPost).toHaveBeenCalled());
+    const body = mockPost.mock.calls[0][1] as Record<string, unknown>;
+    expect(body.compute).toBeUndefined();
+    expect(body.runtime).toBe("external");
+  });
+
+  it("sends display compute profile when desktop display is enabled", async () => {
+    await openDialog();
+    fireEvent.change(screen.getByPlaceholderText("e.g. SEO Agent"), {
+      target: { value: "Desktop Agent" },
+    });
+    fireEvent.click(screen.getByLabelText("Enable display"));
+
+    const createBtn = screen.getAllByRole("button").find((b) => b.textContent === "Create");
+    fireEvent.click(createBtn!);
+
+    await waitFor(() => expect(mockPost).toHaveBeenCalled());
+    const body = mockPost.mock.calls[0][1] as Record<string, unknown>;
+    expect(body.model).toBe("MiniMax-M2.7");
+    expect(body.llm_provider).toBe("minimax");
+    expect(body.compute).toEqual({
+      instance_type: "t3.xlarge",
+      volume: { root_gb: 80 },
+      display: {
+        mode: "desktop-control",
+        protocol: "novnc",
+        width: 1920,
+        height: 1080,
+      },
+    });
+  });
+
+  it("sends BYOK API key secrets when API key auth mode is selected", async () => {
+    await openDialog();
+    fireEvent.change(screen.getByPlaceholderText("e.g. SEO Agent"), {
+      target: { value: "BYOK Agent" },
+    });
+    fireEvent.change(document.getElementById("llm-auth-mode") as HTMLSelectElement, {
+      target: { value: "api_key" },
+    });
+    fireEvent.change(document.getElementById("llm-secret-input") as HTMLInputElement, {
+      target: { value: "sk-minimax-test" },
+    });
+
+    const createBtn = screen.getAllByRole("button").find((b) => b.textContent === "Create");
+    fireEvent.click(createBtn!);
+
+    await waitFor(() => expect(mockPost).toHaveBeenCalled());
+    const body = mockPost.mock.calls[0][1] as Record<string, unknown>;
+    expect(body.model).toBe("MiniMax-M2.7");
+    expect(body.llm_provider).toBe("minimax");
+    expect(body.secrets).toEqual({ MINIMAX_API_KEY: "sk-minimax-test" });
+  });
+
+  it("sends Claude OAuth token separately from platform-managed mode", async () => {
+    await openDialog();
+    fireEvent.change(screen.getByPlaceholderText("e.g. SEO Agent"), {
+      target: { value: "OAuth Agent" },
+    });
+    fireEvent.change(document.getElementById("llm-auth-mode") as HTMLSelectElement, {
+      target: { value: "oauth" },
+    });
+    fireEvent.change(document.getElementById("llm-secret-input") as HTMLInputElement, {
+      target: { value: "oauth-token" },
+    });
+
+    const createBtn = screen.getAllByRole("button").find((b) => b.textContent === "Create");
+    fireEvent.click(createBtn!);
+
+    await waitFor(() => expect(mockPost).toHaveBeenCalled());
+    const body = mockPost.mock.calls[0][1] as Record<string, unknown>;
+    expect(body.model).toBe("sonnet");
+    expect(body.llm_provider).toBe("anthropic-oauth");
+    expect(body.secrets).toEqual({ CLAUDE_CODE_OAUTH_TOKEN: "oauth-token" });
+  });
+
  it("renders gracefully when GET /workspaces fails", async () => {
    mockGet.mockRejectedValueOnce(new Error("Network error"));
    await openDialog();

    // Dialog still renders; select exists with only the root option
    await waitFor(() => {
-      const select = document.querySelector("select") as HTMLSelectElement;
+      const select = screen.getByLabelText("Parent Workspace") as HTMLSelectElement;
      expect(select.options.length).toBe(1);
      expect(select.options[0].value).toBe("");
    });
@@ -16,7 +16,7 @@
 *   - handleDeployed fires after 500ms delay
 *
 * Uses vi.hoisted + vi.mock to fully isolate the api module, matching
- * the pattern established in ApprovalBanner, MemoryTab, and ScheduleTab tests.
+ * the pattern established in ApprovalBanner and ScheduleTab tests.
 */
 import React from "react";
 import { render, screen, fireEvent, cleanup, act } from "@testing-library/react";
@@ -1,93 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Unit tests for pure helpers from MemoryInspectorPanel:
- *   isPluginUnavailableError, formatRelativeTime, formatTTL
- *
- * These are the three exported non-component functions. The component
- * itself (MemoryInspectorPanel) requires full API + store mocking and
- * is exercised by the existing MemoryTab.test.tsx.
- */
-import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
-import { isPluginUnavailableError, formatTTL } from "../MemoryInspectorPanel";
-
-// formatRelativeTime is not exported — tested via the component in MemoryTab.test.tsx
-
-describe("isPluginUnavailableError", () => {
-  it("returns true when Error message contains MEMORY_PLUGIN_URL", () => {
-    const err = new Error("memory: could not resolve MEMORY_PLUGIN_URL — plugin not configured");
-    expect(isPluginUnavailableError(err)).toBe(true);
-  });
-
-  it("returns true for Error containing MEMORY_PLUGIN_URL", () => {
-    expect(isPluginUnavailableError(new Error("MEMORY_PLUGIN_URL is not set"))).toBe(true);
-  });
-
-  it("returns false for unrelated error messages", () => {
-    expect(isPluginUnavailableError(new Error("workspace not found"))).toBe(false);
-  });
-
-  it("returns false for null", () => {
-    expect(isPluginUnavailableError(null)).toBe(false);
-  });
-
-  it("returns false for undefined", () => {
-    expect(isPluginUnavailableError(undefined)).toBe(false);
-  });
-
-  it("returns false for plain objects without message", () => {
-    expect(isPluginUnavailableError({ code: 503 })).toBe(false);
-  });
-
-  it("is case-sensitive (MEMORY_PLUGIN_URL must match exactly)", () => {
-    const lowerErr = new Error("memory_plugin_url missing");
-    const upperErr = new Error("MEMORY_PLUGIN_URL missing");
-    expect(isPluginUnavailableError(lowerErr)).toBe(false);
-    expect(isPluginUnavailableError(upperErr)).toBe(true);
-  });
-});
-
-describe("formatTTL", () => {
-  beforeEach(() => { vi.useFakeTimers(); });
-  afterEach(() => { vi.useRealTimers(); });
-
-  it("returns '' for null", () => {
-    expect(formatTTL(null)).toBe("");
-  });
-
-  it("returns '' for undefined", () => {
-    expect(formatTTL(undefined)).toBe("");
-  });
-
-  it('returns "expired" when expiresAt is in the past', () => {
-    const past = new Date(Date.now() - 60_000).toISOString();
-    expect(formatTTL(past)).toBe("expired");
-  });
-
-  it('returns "Xs" for less than a minute', () => {
-    const soon = new Date(Date.now() + 30_000).toISOString();
-    expect(formatTTL(soon)).toBe("30s");
-  });
-
-  it('returns "Xm" for less than an hour', () => {
-    const soon = new Date(Date.now() + 5 * 60_000).toISOString();
-    expect(formatTTL(soon)).toBe("5m");
-  });
-
-  it('returns "Xh" for less than a day', () => {
-    const soon = new Date(Date.now() + 3 * 3_600_000).toISOString();
-    expect(formatTTL(soon)).toBe("3h");
-  });
-
-  it('returns "Xd" for more than a day', () => {
-    const soon = new Date(Date.now() + 2 * 86_400_000).toISOString();
-    expect(formatTTL(soon)).toBe("2d");
-  });
-
-  it("returns '' for invalid date string", () => {
-    expect(formatTTL("not-a-date")).toBe("");
-  });
-
-  it("returns '' for empty string", () => {
-    expect(formatTTL("")).toBe("");
-  });
-});
@@ -31,6 +31,17 @@ vi.mock('@/lib/api', () => ({
  },
 }));

+// Capture the socket-event handler the panel registers so individual
+// tests can replay an ACTIVITY_LOGGED message without spinning up a
+// real WebSocket. One handler at a time is fine — the panel mounts
+// exactly one useSocketEvent subscriber.
+let __socketHandler: ((msg: unknown) => void) | null = null;
+vi.mock('@/hooks/useSocketEvent', () => ({
+  useSocketEvent: (handler: (msg: unknown) => void) => {
+    __socketHandler = handler;
+  },
+}));
+
 vi.mock('@/components/ConfirmDialog', () => ({
  ConfirmDialog: ({
    open,
@@ -516,3 +527,156 @@ describe('MemoryInspectorPanel — refresh', () => {
    });
  });
 });
+
+// Live-refresh subscription wired in #1734 so the panel reacts to
+// ACTIVITY_LOGGED events for memory writes on this workspace without
+// the user clicking Refresh. The hook is mocked at the top of the
+// file to capture the registered handler in __socketHandler.
+describe('MemoryInspectorPanel — live refresh on activity', () => {
+  it('refetches memories when ACTIVITY_LOGGED arrives with activity_type=memory_write for the same workspace', async () => {
+    vi.useFakeTimers({ shouldAdvanceTime: true });
+    stubFetch([MEM_BASIC]);
+    render(<MemoryInspectorPanel workspaceId="ws-1" />);
+    await waitFor(() => screen.getByLabelText('Refresh memories'));
+    expect(__socketHandler).toBeTruthy();
+
+    const before = mockGet.mock.calls.filter((c) =>
+      (c[0] as string).includes('/v2/memories'),
+    ).length;
+
+    __socketHandler!({
+      event: 'ACTIVITY_LOGGED',
+      workspace_id: 'ws-1',
+      payload: { activity_type: 'memory_write' },
+    });
+
+    // 300ms debounce inside the panel — advance the fake timer so the
+    // queued refetch fires.
+    await vi.advanceTimersByTimeAsync(350);
+
+    await waitFor(() => {
+      const after = mockGet.mock.calls.filter((c) =>
+        (c[0] as string).includes('/v2/memories'),
+      ).length;
+      expect(after).toBe(before + 1);
+    });
+    vi.useRealTimers();
+  });
+
+  it('ignores ACTIVITY_LOGGED events from other workspaces', async () => {
+    vi.useFakeTimers({ shouldAdvanceTime: true });
+    stubFetch([MEM_BASIC]);
+    render(<MemoryInspectorPanel workspaceId="ws-1" />);
+    await waitFor(() => screen.getByLabelText('Refresh memories'));
+
+    const before = mockGet.mock.calls.filter((c) =>
+      (c[0] as string).includes('/v2/memories'),
+    ).length;
+
+    __socketHandler!({
+      event: 'ACTIVITY_LOGGED',
+      workspace_id: 'ws-OTHER',
+      payload: { activity_type: 'memory_write' },
+    });
+
+    await vi.advanceTimersByTimeAsync(500);
+
+    const after = mockGet.mock.calls.filter((c) =>
+      (c[0] as string).includes('/v2/memories'),
+    ).length;
+    expect(after).toBe(before);
+    vi.useRealTimers();
+  });
+
+  it('ignores activity types that are not memory-related', async () => {
+    vi.useFakeTimers({ shouldAdvanceTime: true });
+    stubFetch([MEM_BASIC]);
+    render(<MemoryInspectorPanel workspaceId="ws-1" />);
+    await waitFor(() => screen.getByLabelText('Refresh memories'));
+
+    const before = mockGet.mock.calls.filter((c) =>
+      (c[0] as string).includes('/v2/memories'),
+    ).length;
+
+    __socketHandler!({
+      event: 'ACTIVITY_LOGGED',
+      workspace_id: 'ws-1',
+      payload: { activity_type: 'a2a_send' },
+    });
+
+    await vi.advanceTimersByTimeAsync(500);
+
+    const after = mockGet.mock.calls.filter((c) =>
+      (c[0] as string).includes('/v2/memories'),
+    ).length;
+    expect(after).toBe(before);
+    vi.useRealTimers();
+  });
+
+  // Server-side emitters confirmed via grep of workspace-server/internal/handlers
+  // are `memory_write_global`, `memory_edit_global`, `memory_delete_global`
+  // (memories.go `LogActivity` calls for GLOBAL-scope writes). Pin each
+  // so a future filter narrow-down can't silently drop one and let the
+  // panel go stale on its actual production trigger.
+  it.each([
+    'memory_write',          // pre-emptive: not yet emitted by server, see component comment
+    'memory_write_global',   // memories.go:218 (Commit)
+    'memory_edit_global',    // memories.go:617 (Update)
+    'memory_delete_global',  // memories.go (Delete) — paired with the above two
+    'agent_log',             // generic catch-all
+  ])('refetches on activity_type=%s', async (activityType) => {
+    vi.useFakeTimers({ shouldAdvanceTime: true });
+    stubFetch([MEM_BASIC]);
+    render(<MemoryInspectorPanel workspaceId="ws-1" />);
+    await waitFor(() => screen.getByLabelText('Refresh memories'));
+
+    const before = mockGet.mock.calls.filter((c) =>
+      (c[0] as string).includes('/v2/memories'),
+    ).length;
+
+    __socketHandler!({
+      event: 'ACTIVITY_LOGGED',
+      workspace_id: 'ws-1',
+      payload: { activity_type: activityType },
+    });
+
+    await vi.advanceTimersByTimeAsync(350);
+
+    await waitFor(() => {
+      const after = mockGet.mock.calls.filter((c) =>
+        (c[0] as string).includes('/v2/memories'),
+      ).length;
+      expect(after).toBe(before + 1);
+    });
+    vi.useRealTimers();
+  });
+
+  it('coalesces a burst of memory_write events into one refetch', async () => {
+    vi.useFakeTimers({ shouldAdvanceTime: true });
+    stubFetch([MEM_BASIC]);
+    render(<MemoryInspectorPanel workspaceId="ws-1" />);
+    await waitFor(() => screen.getByLabelText('Refresh memories'));
+
+    const before = mockGet.mock.calls.filter((c) =>
+      (c[0] as string).includes('/v2/memories'),
+    ).length;
+
+    for (let i = 0; i < 5; i++) {
+      __socketHandler!({
+        event: 'ACTIVITY_LOGGED',
+        workspace_id: 'ws-1',
+        payload: { activity_type: 'memory_write' },
+      });
+    }
+
+    await vi.advanceTimersByTimeAsync(350);
+
+    await waitFor(() => {
+      const after = mockGet.mock.calls.filter((c) =>
+        (c[0] as string).includes('/v2/memories'),
+      ).length;
+      expect(after).toBe(before + 1);
+    });
+    vi.useRealTimers();
+  });
+});
@@ -272,7 +272,9 @@ describe("OrgCancelButton — API interactions", () => {
    fireEvent.click(screen.getByRole("button", { name: /cancel deployment of test org/i }));
    fireEvent.click(screen.getByRole("button", { name: /yes/i }));
    await act(async () => { /* flush */ });
-    expect(mockApiDel).toHaveBeenCalledWith("/workspaces/root-1?confirm=true");
+    expect(mockApiDel).toHaveBeenCalledWith("/workspaces/root-1?confirm=true", {
+      headers: { "X-Confirm-Name": "Test Org" },
+    });
  });

  it("shows success toast on DELETE success", async () => {
@@ -57,6 +57,7 @@ export function OrgCancelButton({ rootId, rootName, workspaceCount }: Props) {
    try {
      await api.del<{ status: string }>(
        `/workspaces/${rootId}?confirm=true`,
+        { headers: { "X-Confirm-Name": rootName } },
      );
      showToast(`Cancelled deployment of "${rootName}"`, "success");
      // Optimistic local removal — workspace-server broadcasts
@@ -199,7 +199,9 @@ describe("OrgCancelButton — Yes / cascade delete", () => {
    });

    // 1) API call hit the cascade-delete endpoint with confirm=true
-    expect(mockApiDel).toHaveBeenCalledWith("/workspaces/ws-root?confirm=true");
+    expect(mockApiDel).toHaveBeenCalledWith("/workspaces/ws-root?confirm=true", {
+      headers: { "X-Confirm-Name": "My Org" },
+    });

    // 2) beginDelete locked the WHOLE subtree (root + 2 children) — NOT the unrelated node
    expect(mockState.beginDelete).toHaveBeenCalledTimes(1);
@@ -369,7 +369,7 @@ export function ChannelsTab({ workspaceId }: Props) {
            onClick={handleCreate}
            // Was bg-accent-strong hover:bg-accent — accent is the
            // LIGHTER variant; same AA contrast trap fixed in
-            // ScheduleTab/MemoryTab/OnboardingWizard.
+            // ScheduleTab/OnboardingWizard.
            className="w-full text-xs py-1.5 rounded bg-accent hover:bg-accent-strong text-white transition focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-2 focus-visible:ring-offset-surface"
          >
            Connect Channel
@@ -253,7 +253,7 @@ interface RuntimeOption {
  // its config.yaml under runtime_config.providers. The /templates API
  // surfaces it (workspace-server templates.go) so canvas stays
  // adapter-driven: hermes ships ~20 slugs, claude-code ships
-  // ["anthropic"], gemini-cli ships ["gemini"], etc. Empty list →
+  // ["anthropic"], codex ships OpenAI-compatible model ids, etc. Empty list →
  // canvas falls back to deriving unique vendor prefixes from
  // models[].id (still adapter-driven, just inferred).
  providers: string[];
@@ -301,16 +301,13 @@ export function deriveProvidersFromModels(models: ModelSpec[]): string[] {
 // config.yaml` on the container is a separate runtime-internal file,
 // not this one.
 const RUNTIMES_WITH_OWN_CONFIG = new Set<string>(["external", "kimi", "kimi-cli", "openclaw"]);
+const SUPPORTED_RUNTIME_VALUES = new Set(["claude-code", "codex", "openclaw", "hermes"]);

 const FALLBACK_RUNTIME_OPTIONS: RuntimeOption[] = [
-  { value: "", label: "LangGraph (default)", models: [], providers: [] },
  { value: "claude-code", label: "Claude Code", models: [], providers: [] },
-  { value: "crewai", label: "CrewAI", models: [], providers: [] },
-  { value: "autogen", label: "AutoGen", models: [], providers: [] },
-  { value: "deepagents", label: "DeepAgents", models: [], providers: [] },
+  { value: "codex", label: "Codex", models: [], providers: [] },
  { value: "openclaw", label: "OpenClaw", models: [], providers: [] },
  { value: "hermes", label: "Hermes", models: [], providers: [] },
-  { value: "gemini-cli", label: "Gemini CLI", models: [], providers: [] },
 ];

 export function ConfigTab({ workspaceId }: Props) {
@@ -499,10 +496,9 @@ export function ConfigTab({ workspaceId }: Props) {
      .then((rows) => {
        if (cancelled || !Array.isArray(rows)) return;
        const byRuntime = new Map<string, RuntimeOption>();
-        byRuntime.set("", { value: "", label: "LangGraph (default)", models: [], providers: [] });
        for (const r of rows) {
          const v = (r.runtime || "").trim();
-          if (!v || v === "langgraph") continue;
+          if (!SUPPORTED_RUNTIME_VALUES.has(v)) continue;
          // Last template wins if two templates share a runtime — rare, and the
          // one with the richer models list is probably newer.
          const existing = byRuntime.get(v);
@@ -512,7 +508,7 @@ export function ConfigTab({ workspaceId }: Props) {
            byRuntime.set(v, { value: v, label: r.name || v, models, providers });
          }
        }
-        if (byRuntime.size > 1) setRuntimeOptions(Array.from(byRuntime.values()));
+        if (byRuntime.size > 0) setRuntimeOptions(Array.from(byRuntime.values()));
      })
      .catch(() => { /* keep fallback */ });
    return () => { cancelled = true; };
@@ -1,46 +1,210 @@
 "use client";

+import { useEffect, useMemo, useState } from "react";
+import { api } from "@/lib/api";
 import { runtimeDisplayName } from "@/lib/runtime-names";
-import type { WorkspaceNodeData } from "@/store/canvas";
+import { useCanvasStore, type WorkspaceNodeData } from "@/store/canvas";
+import type { WorkspaceCompute } from "@/store/socket";
+
+const INSTANCE_TYPES = ["t3.medium", "t3.large", "t3.xlarge", "t3.2xlarge", "m6i.large", "m6i.xlarge", "c6i.xlarge"];
+const RUNTIME_OPTIONS = ["claude-code", "codex", "hermes", "openclaw", "kimi", "kimi-cli", "external"];
+const RESOLUTIONS = ["1280x720", "1440x900", "1920x1080", "2560x1440"];
+const DEFAULT_HEADLESS_INSTANCE_TYPE = "t3.medium";
+const DEFAULT_HEADLESS_ROOT_GB = 30;

 type Props = {
+  workspaceId: string;
  data: Pick<
    WorkspaceNodeData,
    "runtime" | "status" | "needsRestart" | "activeTasks" | "deliveryMode"
-    | "workspaceAccess" | "maxConcurrentTasks"
+    | "workspaceAccess" | "maxConcurrentTasks" | "compute" | "applyTemplateOnRestart"
  >;
 };

-export function ContainerConfigTab({ data }: Props) {
-  const runtime = data.runtime || "unknown";
+type FormState = {
+  runtime: string;
+  instanceType: string;
+  rootGB: string;
+  displayEnabled: boolean;
+  displayMode: string;
+  displayProtocol: string;
+  resolution: string;
+};
+
+export function ContainerConfigTab({ workspaceId, data }: Props) {
+  const runtime = data.runtime;
+  const instanceType = data.compute?.instance_type;
+  const rootGB = data.compute?.volume?.root_gb;
+  const displayMode = data.compute?.display?.mode;
+  const displayProtocol = data.compute?.display?.protocol;
+  const displayWidth = data.compute?.display?.width;
+  const displayHeight = data.compute?.display?.height;
+  const initial = useMemo(
+    () => formFromData({ runtime, instanceType, rootGB, displayMode, displayProtocol, displayWidth, displayHeight }),
+    [runtime, instanceType, rootGB, displayMode, displayProtocol, displayWidth, displayHeight],
+  );
+  const [form, setForm] = useState<FormState>(initial);
+  const [saving, setSaving] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+  const [success, setSuccess] = useState(false);
+
+  useEffect(() => {
+    setForm(initial);
+    setError(null);
+    setSuccess(false);
+  }, [initial]);
+
  const workspaceAccess = formatAccess(data.workspaceAccess);
  const maxConcurrentTasks = data.maxConcurrentTasks ? String(data.maxConcurrentTasks) : "platform-managed";
-  const mountedPath = "/workspace";
-  const privilegeStatus = "standard";
  const deliveryMode = data.deliveryMode || "push";
+  const dirty = JSON.stringify(form) !== JSON.stringify(initial);
+  const restartLabel = dirty ? "Save & Restart" : "Restart to apply";
+  const resolutionOptions = RESOLUTIONS.includes(form.resolution)
+    ? RESOLUTIONS
+    : [form.resolution, ...RESOLUTIONS];
+
+  const save = async (restart: boolean) => {
+    setError(null);
+    setSuccess(false);
+
+    setSaving(true);
+    try {
+      let applyTemplateOnRestart = data.applyTemplateOnRestart ?? false;
+      if (dirty) {
+        const rootGB = parseInt(form.rootGB, 10);
+        if (!Number.isFinite(rootGB)) {
+          setError("Root volume must be a number");
+          return;
+        }
+
+        const [width, height] = form.resolution.split("x").map((v) => parseInt(v, 10));
+        const compute: WorkspaceCompute = {
+          instance_type: form.instanceType,
+          volume: { root_gb: rootGB },
+          display: form.displayEnabled
+            ? { mode: form.displayMode, protocol: form.displayProtocol, width, height }
+            : { mode: "none" },
+        };
+
+        const resp = await api.patch<{ needs_restart?: boolean }>(`/workspaces/${workspaceId}`, {
+          runtime: form.runtime,
+          compute,
+        });
+        useCanvasStore.getState().updateNodeData(workspaceId, {
+          runtime: form.runtime,
+          compute,
+          needsRestart: resp.needs_restart ?? true,
+          applyTemplateOnRestart: form.runtime !== initial.runtime,
+        });
+        applyTemplateOnRestart = form.runtime !== initial.runtime;
+      }
+
+      if (restart) {
+        await useCanvasStore.getState().restartWorkspace(workspaceId, {
+          applyTemplate: applyTemplateOnRestart,
+        });
+      }
+      setSuccess(true);
+    } catch (e) {
+      setError(e instanceof Error ? e.message : "Failed to save");
+    } finally {
+      setSaving(false);
+    }
+  };

  return (
    <div className="p-4 space-y-4">
      <section className="rounded-lg border border-line/50 bg-surface-card/40 p-4">
-        <div className="mb-3">
+        <div className="mb-3 flex items-center justify-between gap-3">
          <h3 className="text-sm font-semibold text-ink">Container Config</h3>
+          {data.needsRestart && <span className="text-[11px] text-warm">Restart required</span>}
        </div>

-        <dl className="grid grid-cols-1 gap-2 text-[11px]">
-          <ConfigRow label="Runtime image" value={runtimeDisplayName(runtime)} detail={runtime} />
-          <ConfigRow label="Workspace access" value={workspaceAccess} />
-          <ConfigRow label="Max concurrent tasks" value={maxConcurrentTasks} />
-          <ConfigRow label="Mounted workspace path" value={mountedPath} />
-          <ConfigRow label="Container privileges" value={privilegeStatus} />
-          <ConfigRow label="Delivery mode" value={deliveryMode} />
-        </dl>
-      </section>
+        <div className="grid grid-cols-1 gap-3 text-[11px]">
+          <SelectField
+            id="runtime-image-profile"
+            label="Runtime image"
+            value={form.runtime}
+            options={RUNTIME_OPTIONS}
+            optionLabel={runtimeDisplayName}
+            onChange={(runtime) => setForm((s) => ({ ...s, runtime }))}
+          />
+          <SelectField
+            id="instance-type"
+            label="Instance type"
+            value={form.instanceType}
+            options={INSTANCE_TYPES}
+            onChange={(instanceType) => setForm((s) => ({ ...s, instanceType }))}
+          />
+          <label className="grid gap-1" htmlFor="root-volume-gb">
+            <span className="text-ink-mid">Root volume</span>
+            <div className="flex items-center gap-2">
+              <input
+                id="root-volume-gb"
+                aria-label="Root volume"
+                type="number"
+                min={30}
+                max={500}
+                value={form.rootGB}
+                onChange={(e) => setForm((s) => ({ ...s, rootGB: e.target.value }))}
+                className="min-w-0 flex-1 rounded-md border border-line/60 bg-surface-sunken px-3 py-2 font-mono text-ink outline-none focus:border-accent"
+              />
+              <span className="text-ink-mid">GB</span>
+            </div>
+          </label>
+          <label className="flex items-center justify-between gap-3 rounded-md bg-surface-sunken/40 px-3 py-2">
+            <span className="text-ink-mid">Display</span>
+            <input
+              type="checkbox"
+              aria-label="Enable display"
+              checked={form.displayEnabled}
+              onChange={(e) => setForm((s) => ({
+                ...s,
+                displayEnabled: e.target.checked,
+                displayMode: e.target.checked && s.displayMode === "none" ? "desktop-control" : s.displayMode,
+                displayProtocol: e.target.checked && !s.displayProtocol ? "novnc" : s.displayProtocol,
+              }))}
+              className="h-4 w-4 accent-accent"
+            />
+          </label>
+          {form.displayEnabled && (
+            <SelectField
+              id="display-resolution"
+              label="Resolution"
+              value={form.resolution}
+              options={resolutionOptions}
+              onChange={(resolution) => setForm((s) => ({ ...s, resolution }))}
+            />
+          )}
+        </div>

-      <section className="rounded-lg border border-line/50 bg-surface-card/40 p-4">
-        <h3 className="mb-3 text-sm font-semibold text-ink">Session Controls</h3>
-        <div className="grid grid-cols-2 gap-2">
-          <ReadOnlyAction label={data.needsRestart ? "Restart required" : "Restart"} />
-          <ReadOnlyAction label="Reset session" />
+        <div className="mt-4 flex items-center justify-end gap-2">
+          {error && <span className="mr-auto text-[11px] text-bad">{error}</span>}
+          {success && <span className="mr-auto text-[11px] text-good">Saved</span>}
+          <button
+            type="button"
+            disabled={!dirty || saving}
+            onClick={() => setForm(initial)}
+            className="rounded-md border border-line/60 px-3 py-2 text-[11px] text-ink-mid disabled:cursor-not-allowed disabled:opacity-50"
+          >
+            Reset
+          </button>
+          <button
+            type="button"
+            disabled={!dirty || saving}
+            onClick={() => save(false)}
+            className="rounded-md bg-accent px-3 py-2 text-[11px] font-medium text-white disabled:cursor-not-allowed disabled:opacity-50"
+          >
+            {saving ? "Saving..." : "Save"}
+          </button>
+          <button
+            type="button"
+            disabled={(!dirty && !data.needsRestart) || saving}
+            onClick={() => save(true)}
+            className="rounded-md bg-ink px-3 py-2 text-[11px] font-medium text-surface disabled:cursor-not-allowed disabled:opacity-50"
+          >
+            {saving ? "Restarting..." : restartLabel}
+          </button>
        </div>
      </section>

@@ -49,13 +213,73 @@ export function ContainerConfigTab({ data }: Props) {
        <dl className="grid grid-cols-1 gap-2 text-[11px]">
          <ConfigRow label="Container status" value={data.status} />
          <ConfigRow label="Active tasks" value={String(data.activeTasks ?? 0)} />
-          <ConfigRow label="Mounted path access" value="available" />
+          <ConfigRow label="Workspace access" value={workspaceAccess} />
+          <ConfigRow label="Max concurrent tasks" value={maxConcurrentTasks} />
+          <ConfigRow label="Mounted workspace path" value="/workspace" />
+          <ConfigRow label="Delivery mode" value={deliveryMode} />
        </dl>
      </section>
    </div>
  );
 }

+function formFromData(data: {
+  runtime?: string;
+  instanceType?: string;
+  rootGB?: number;
+  displayMode?: string;
+  displayProtocol?: string;
+  displayWidth?: number;
+  displayHeight?: number;
+}): FormState {
+  const width = data.displayWidth ?? 1920;
+  const height = data.displayHeight ?? 1080;
+  const resolution = `${width}x${height}`;
+  return {
+    runtime: data.runtime || "claude-code",
+    instanceType: data.instanceType || DEFAULT_HEADLESS_INSTANCE_TYPE,
+    rootGB: String(data.rootGB || DEFAULT_HEADLESS_ROOT_GB),
+    displayEnabled: !!data.displayMode && data.displayMode !== "none",
+    displayMode: data.displayMode && data.displayMode !== "none" ? data.displayMode : "desktop-control",
+    displayProtocol: data.displayProtocol || "novnc",
+    resolution,
+  };
+}
+
+function SelectField({
+  id,
+  label,
+  value,
+  options,
+  optionLabel = (v: string) => v,
+  onChange,
+}: {
+  id: string;
+  label: string;
+  value: string;
+  options: string[];
+  optionLabel?: (value: string) => string;
+  onChange: (value: string) => void;
+}) {
+  return (
+    <label className="grid gap-1" htmlFor={id}>
+      <span className="text-ink-mid">{label}</span>
+      <select
+        id={id}
+        value={value}
+        onChange={(e) => onChange(e.target.value)}
+        className="rounded-md border border-line/60 bg-surface-sunken px-3 py-2 font-mono text-ink outline-none focus:border-accent"
+      >
+        {options.map((option) => (
+          <option key={option} value={option}>
+            {optionLabel(option)}
+          </option>
+        ))}
+      </select>
+    </label>
+  );
+}
+
 function formatAccess(value: string | null | undefined): string {
  if (!value) return "none";
  return value.replace(/_/g, "-");
@@ -64,33 +288,16 @@ function formatAccess(value: string | null | undefined): string {
 function ConfigRow({
  label,
  value,
-  detail,
 }: {
  label: string;
  value: string;
-  detail?: string;
 }) {
  return (
    <div className="flex items-start justify-between gap-3 rounded-md bg-surface-sunken/40 px-3 py-2">
      <dt className="text-ink-mid">{label}</dt>
      <dd className="min-w-0 text-right">
        <div className="font-mono text-ink break-words">{value}</div>
-        {detail && detail !== value && (
-          <div className="mt-0.5 font-mono text-[10px] text-ink-mid break-words">{detail}</div>
-        )}
      </dd>
    </div>
  );
 }
-
-function ReadOnlyAction({ label }: { label: string }) {
-  return (
-    <button
-      type="button"
-      disabled
-      className="rounded-md border border-line/50 bg-surface-sunken/40 px-3 py-2 text-[11px] text-ink-mid disabled:cursor-not-allowed disabled:opacity-70"
-    >
-      {label}
-    </button>
-  );
-}
@@ -93,7 +93,9 @@ export function DetailsTab({ workspaceId, data }: Props) {
  const handleDelete = async () => {
    setDeleteError(null);
    try {
-      await api.del(`/workspaces/${workspaceId}?confirm=true`);
+      await api.del(`/workspaces/${workspaceId}?confirm=true`, {
+        headers: { "X-Confirm-Name": name },
+      });
      // Mirror the server-side cascade — drop the row + every
      // descendant locally so the canvas reflects the deletion
      // immediately, even when the WS is dead and the per-descendant
@@ -1,7 +1,8 @@
 "use client";

-import { useEffect, useState } from "react";
+import { useEffect, useRef, useState } from "react";
 import { api } from "@/lib/api";
+import type RFB from "@novnc/novnc";

 interface DisplayStatus {
  available: boolean;
@@ -13,31 +14,116 @@ interface DisplayStatus {
  height?: number;
 }

+interface DisplayControlStatus {
+  controller: "none" | "user" | "agent";
+  controlled_by?: string;
+  expires_at?: string;
+  session_url?: string;
+}
+
 interface Props {
  workspaceId: string;
 }

 export function DisplayTab({ workspaceId }: Props) {
  const [status, setStatus] = useState<DisplayStatus | null>(null);
+  const [control, setControl] = useState<DisplayControlStatus | null>(null);
  const [error, setError] = useState<string | null>(null);
+  const [controlError, setControlError] = useState<string | null>(null);
+  const [controlBusy, setControlBusy] = useState(false);
+  const [sessionUrl, setSessionUrl] = useState<string | null>(null);
+  const requestGeneration = useRef(0);

  useEffect(() => {
+    const generation = requestGeneration.current + 1;
+    requestGeneration.current = generation;
    let cancelled = false;
    setStatus(null);
+    setControl(null);
+    setSessionUrl(null);
    setError(null);
-    api
-      .get<DisplayStatus>(`/workspaces/${workspaceId}/display`)
-      .then((data) => {
-        if (!cancelled) setStatus(data);
-      })
-      .catch((err) => {
-        if (!cancelled) setError(err instanceof Error ? err.message : "Display status unavailable");
-      });
+    setControlError(null);
+    setControlBusy(false);
+    async function load() {
+      try {
+        const displayStatus = await api.get<DisplayStatus>(`/workspaces/${workspaceId}/display`);
+        if (cancelled || requestGeneration.current !== generation) return;
+        setStatus(displayStatus);
+        if (displayStatus.reason === "display_not_enabled") return;
+        try {
+          const displayControl = await api.get<DisplayControlStatus>(`/workspaces/${workspaceId}/display/control`);
+          if (!cancelled && requestGeneration.current === generation) setControl(displayControl);
+        } catch (err) {
+          if (!cancelled && requestGeneration.current === generation) {
+            setControl(null);
+            setControlError("Display control unavailable");
+          }
+        }
+      } catch (err) {
+        if (!cancelled && requestGeneration.current === generation) setError("The display status could not be loaded.");
+      }
+    }
+    load();
    return () => {
      cancelled = true;
    };
  }, [workspaceId]);

+  const acquireControl = async () => {
+    const generation = requestGeneration.current;
+    const controlPath = `/workspaces/${workspaceId}/display/control`;
+    setControlBusy(true);
+    setControlError(null);
+    try {
+      const next = await api.post<DisplayControlStatus>(`${controlPath}/acquire`, {
+        controller: "user",
+        ttl_seconds: 300,
+      });
+      if (requestGeneration.current !== generation) return;
+      setControl(next);
+      setSessionUrl(next.session_url || null);
+    } catch (err) {
+      if (requestGeneration.current !== generation) return;
+      setControlError("Failed to take control");
+      try {
+        const latest = await api.get<DisplayControlStatus>(controlPath);
+        if (requestGeneration.current !== generation) return;
+        setControl(latest);
+      } catch {
+        if (requestGeneration.current !== generation) return;
+        setControl(null);
+      }
+    } finally {
+      if (requestGeneration.current === generation) setControlBusy(false);
+    }
+  };
+
+  const releaseControl = async () => {
+    const generation = requestGeneration.current;
+    const controlPath = `/workspaces/${workspaceId}/display/control`;
+    setControlBusy(true);
+    setControlError(null);
+    try {
+      const next = await api.post<DisplayControlStatus>(`${controlPath}/release`, {});
+      if (requestGeneration.current !== generation) return;
+      setControl(next);
+      setSessionUrl(null);
+    } catch (err) {
+      if (requestGeneration.current !== generation) return;
+      setControlError("Failed to release control");
+      try {
+        const latest = await api.get<DisplayControlStatus>(controlPath);
+        if (requestGeneration.current !== generation) return;
+        setControl(latest);
+      } catch {
+        if (requestGeneration.current !== generation) return;
+        setControl(null);
+      }
+    } finally {
+      if (requestGeneration.current === generation) setControlBusy(false);
+    }
+  };
+
  if (error) {
    return (
      <div className="p-5">
@@ -81,16 +167,210 @@ export function DisplayTab({ workspaceId }: Props) {
            : "This workspace has display configuration, but the desktop session infrastructure is not configured yet."}
        </p>
        {!isNotEnabled && (
-          <dl className="mt-5 grid grid-cols-2 gap-x-4 gap-y-2 text-left text-[11px]">
-            <dt className="text-ink-mid">Mode</dt>
-            <dd className="font-mono text-ink">{status.mode || "unknown"}</dd>
-            <dt className="text-ink-mid">Status</dt>
-            <dd className="font-mono text-ink">{status.status || "unknown"}</dd>
-          </dl>
+          <>
+            <dl className="mt-5 grid grid-cols-2 gap-x-4 gap-y-2 text-left text-[11px]">
+              <dt className="text-ink-mid">Mode</dt>
+              <dd className="font-mono text-ink">{status.mode || "unknown"}</dd>
+              <dt className="text-ink-mid">Status</dt>
+              <dd className="font-mono text-ink">{status.status || "unknown"}</dd>
+            </dl>
+            <div className="mt-5 w-full max-w-xs border-t border-line/50 pt-4">
+              {control ? (
+                <div className="flex items-center justify-between gap-3 text-left">
+                  <div className="min-w-0">
+                    <p className="text-[11px] font-medium text-ink">
+                      {control.controller === "none"
+                        ? "No active controller"
+                        : `Controlled by ${displayControlActorLabel(control)}`}
+                    </p>
+                    {control.expires_at && (
+                      <p className="mt-1 truncate font-mono text-[10px] text-ink-mid">
+                        Until {new Date(control.expires_at).toLocaleTimeString()}
+                      </p>
+                    )}
+                    {controlError && <p className="mt-1 text-[10px] leading-snug text-red-200">{controlError}</p>}
+                  </div>
+                  {control.controller === "none" && (
+                    <button
+                      type="button"
+                      onClick={acquireControl}
+                      disabled={controlBusy}
+                      className="h-8 shrink-0 rounded border border-line bg-surface px-3 text-[11px] font-medium text-ink hover:bg-surface-elevated disabled:cursor-not-allowed disabled:opacity-60"
+                    >
+                      Take control
+                    </button>
+                  )}
+                </div>
+              ) : (
+                <div className="text-left">
+                  {!controlError && (
+                    <div className="h-8 rounded border border-line/40 bg-surface-sunken/30 motion-safe:animate-pulse" />
+                  )}
+                  {controlError && <p className="mt-2 text-[10px] leading-snug text-red-200">{controlError}</p>}
+                </div>
+              )}
+            </div>
+          </>
        )}
      </div>
    );
  }

-  return null;
+  return (
+    <div className="flex h-full min-h-[360px] flex-col bg-surface-sunken/30">
+      <div className="flex items-center justify-between gap-3 border-b border-line/50 px-4 py-3">
+        <div className="min-w-0">
+          <h3 className="text-sm font-medium text-ink">Desktop</h3>
+          <p className="mt-0.5 font-mono text-[10px] text-ink-mid">
+            {status.mode || "desktop-control"} · {status.protocol || "display"}
+          </p>
+        </div>
+        <DisplayControlBar
+          control={control}
+          controlBusy={controlBusy}
+          controlError={controlError}
+          hasSession={!!sessionUrl}
+          onAcquire={acquireControl}
+          onRelease={releaseControl}
+        />
+      </div>
+      {sessionUrl ? (
+        <DesktopStream sessionUrl={sessionUrl} />
+      ) : (
+        <div className="flex flex-1 items-center justify-center p-8 text-center">
+          <div>
+            <h3 className="mb-1.5 text-sm font-medium text-ink">Take control to open the desktop.</h3>
+            <p className="max-w-xs text-[11px] leading-relaxed text-ink-mid">
+              The display service is ready. Control access opens a short-lived desktop stream.
+            </p>
+          </div>
+        </div>
+      )}
+    </div>
+  );
+}
+
+function DisplayControlBar({
+  control,
+  controlBusy,
+  controlError,
+  hasSession,
+  onAcquire,
+  onRelease,
+}: {
+  control: DisplayControlStatus | null;
+  controlBusy: boolean;
+  controlError: string | null;
+  hasSession: boolean;
+  onAcquire: () => void;
+  onRelease: () => void;
+}) {
+  const userControl = control?.controller === "user";
+  const adminControl = userControl && control?.controlled_by === "admin-token";
+  const canAcquireUserControl = control?.controller === "none" || (userControl && !hasSession);
+  const canReleaseUserControl = adminControl || (userControl && hasSession);
+
+  return (
+    <div className="flex min-w-0 items-center gap-3">
+      {control && (
+        <div className="min-w-0 text-right">
+          <p className="truncate text-[11px] font-medium text-ink">
+            {control.controller === "none"
+              ? "No active controller"
+              : `Controlled by ${displayControlActorLabel(control)}`}
+          </p>
+          {control.expires_at && (
+            <p className="mt-0.5 truncate font-mono text-[10px] text-ink-mid">
+              Until {new Date(control.expires_at).toLocaleTimeString()}
+            </p>
+          )}
+          {controlError && <p className="mt-0.5 text-[10px] text-red-200">{controlError}</p>}
+        </div>
+      )}
+      {canAcquireUserControl && (
+        <button
+          type="button"
+          onClick={onAcquire}
+          disabled={controlBusy}
+          className="h-8 shrink-0 rounded border border-line bg-surface px-3 text-[11px] font-medium text-ink hover:bg-surface-elevated disabled:cursor-not-allowed disabled:opacity-60"
+        >
+          Take control
+        </button>
+      )}
+      {canReleaseUserControl && (
+        <button
+          type="button"
+          onClick={onRelease}
+          disabled={controlBusy}
+          className="h-8 shrink-0 rounded border border-line bg-surface px-3 text-[11px] font-medium text-ink hover:bg-surface-elevated disabled:cursor-not-allowed disabled:opacity-60"
+        >
+          Release
+        </button>
+      )}
+    </div>
+  );
+}
+
+function DesktopStream({ sessionUrl }: { sessionUrl: string }) {
+  const containerRef = useRef<HTMLDivElement | null>(null);
+  const [streamError, setStreamError] = useState<string | null>(null);
+
+  useEffect(() => {
+    let cancelled = false;
+    let rfb: RFB | null = null;
+
+    async function connect() {
+      setStreamError(null);
+      try {
+        const mod = await import("@novnc/novnc");
+        if (cancelled || !containerRef.current) return;
+        const stream = displayWebSocketConnection(sessionUrl);
+        rfb = new mod.default(containerRef.current, stream.url, {
+          wsProtocols: ["binary", `molecule-display-token.${stream.token}`],
+        });
+        rfb.scaleViewport = true;
+        rfb.resizeSession = true;
+        rfb.focusOnClick = true;
+        rfb.addEventListener("disconnect", (event: Event) => {
+          const detail = (event as CustomEvent<{ clean?: boolean }>).detail;
+          if (!cancelled && !detail?.clean) setStreamError("Desktop stream disconnected.");
+        });
+      } catch {
+        if (!cancelled) setStreamError("Desktop stream could not be opened.");
+      }
+    }
+
+    connect();
+    return () => {
+      cancelled = true;
+      rfb?.disconnect();
+    };
+  }, [sessionUrl]);
+
+  return (
+    <div className="relative min-h-0 flex-1 bg-black">
+      <div ref={containerRef} title="Workspace desktop" className="h-full w-full overflow-hidden bg-black" />
+      {streamError && (
+        <div className="absolute inset-x-4 top-4 rounded border border-red-500/30 bg-red-950/80 px-3 py-2 text-[11px] text-red-100">
+          {streamError}
+        </div>
+      )}
+    </div>
+  );
+}
+
+function displayWebSocketConnection(sessionUrl: string): { url: string; token: string } {
+  const url = new URL(sessionUrl, window.location.href);
+  const token = new URLSearchParams(url.hash.replace(/^#/, "")).get("token") ?? "";
+  if (!token) throw new Error("display session token missing");
+  url.hash = "";
+  url.protocol = window.location.protocol === "https:" ? "wss:" : "ws:";
+  return { url: url.toString(), token };
+}
+
+function displayControlActorLabel(control: DisplayControlStatus): string {
+  if (control.controller === "agent") return "Agent";
+  if (control.controlled_by === "admin-token") return "Admin";
+  if (control.controlled_by?.startsWith("org-token:")) return "Automation";
+  return "User";
 }
@@ -67,7 +67,7 @@ export function FileEditor({
    return (
      <div className="flex-1 flex items-center justify-center">
        <div className="text-center">
-          <div className="text-2xl opacity-20 mb-2">📄</div>
+          <div aria-hidden="true" className="text-2xl opacity-20 mb-2">📄</div>
          <p className="text-[10px] text-ink-mid">Select a file to edit</p>
        </div>
      </div>
@@ -79,16 +79,16 @@ export function FileEditor({
      {/* File header */}
      <div className="flex items-center justify-between px-3 py-1.5 border-b border-line/40 bg-surface-sunken/20">
        <div className="flex items-center gap-1.5 min-w-0">
-          <span className="text-[10px] opacity-50">{getIcon(selectedFile, false)}</span>
+          <span aria-hidden="true" className="text-[10px] opacity-50">{getIcon(selectedFile, false)}</span>
          <span className="text-[10px] font-mono text-ink-mid truncate">{selectedFile}</span>
          {isDirty && <span className="text-[9px] text-warm">modified</span>}
        </div>
        <div className="flex items-center gap-2">
-          {success && <span className="text-[9px] text-good">{success}</span>}
+          {success && <span role="status" aria-live="polite" className="text-[9px] text-good">{success}</span>}
          <button
            onClick={onDownload}
            aria-label="Download file"
-            className="text-[10px] text-ink-mid hover:text-ink-mid"
+            className="text-[10px] text-ink-mid hover:text-ink-mid focus:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
          >
            ↓
          </button>
@@ -96,7 +96,7 @@ export function FileEditor({
            <button
              onClick={onSave}
              disabled={!isDirty || saving}
-              className="text-[10px] text-accent hover:text-accent disabled:opacity-30"
+              className="text-[10px] text-accent hover:text-accent disabled:opacity-30 focus:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
            >
              {saving ? "Saving..." : "Save"}
            </button>
@@ -166,6 +166,7 @@ export function FileEditor({
            }
          }}
          spellCheck={false}
+          aria-label="File content editor"
          className="flex-1 w-full bg-surface p-3 text-[11px] font-mono text-ink leading-relaxed resize-none focus:outline-none"
          style={{ tabSize: 2 }}
        />
@@ -29,8 +29,8 @@ afterEach(() => {

 const defaultProps = {
  selectedFile: "/configs/agent.yaml",
-  fileContent: "name: test\nruntime: langgraph",
-  editContent: "name: test\nruntime: langgraph",
+  fileContent: "name: test\nruntime: claude-code",
+  editContent: "name: test\nruntime: claude-code",
  setEditContent: vi.fn(),
  loadingFile: false,
  saving: false,
@@ -197,12 +197,12 @@ describe("FileEditor — textarea", () => {
    render(
      <FileEditor
        {...defaultProps}
-        editContent="runtime: langgraph"
+        editContent="runtime: claude-code"
      />,
    );
    const ta = document.querySelector("textarea");
    expect(ta).toBeTruthy();
-    expect(ta?.value).toBe("runtime: langgraph");
+    expect(ta?.value).toBe("runtime: claude-code");
  });

  it("textarea is readOnly when root is not /configs", () => {
@@ -210,7 +210,7 @@ describe("FileEditor — textarea", () => {
      <FileEditor
        {...defaultProps}
        root="/workspace"
-        editContent="runtime: langgraph"
+        editContent="runtime: claude-code"
      />,
    );
    const ta = document.querySelector("textarea");
@@ -222,7 +222,7 @@ describe("FileEditor — textarea", () => {
      <FileEditor
        {...defaultProps}
        root="/configs"
-        editContent="runtime: langgraph"
+        editContent="runtime: claude-code"
      />,
    );
    const ta = document.querySelector("textarea");
@@ -78,11 +78,11 @@ describe("walkEntry — file entry", () => {
  });

  it("populates the File object with correct content", async () => {
-    const { entry, file } = makeFile("config.yaml", "runtime: langgraph");
+    const { entry, file } = makeFile("config.yaml", "runtime: claude-code");
    const out: CollectedEntry[] = [];
    await walkEntry(entry as never, "", out);
    expect(out[0]!.file).toBe(file);
-    expect(await out[0]!.file.text()).toBe("runtime: langgraph");
+    expect(await out[0]!.file.text()).toBe("runtime: claude-code");
  });

  it("appends to existing entries array (non-destructive)", async () => {
@@ -1,471 +0,0 @@
-"use client";
-
-import { useCallback, useEffect, useMemo, useState } from "react";
-import { api } from "@/lib/api";
-
-interface Props {
-  workspaceId: string;
-}
-
-interface MemoryEntry {
-  key: string;
-  value: unknown;
-  version?: number;
-  expires_at: string | null;
-  updated_at: string;
-}
-
-const AWARENESS_BASE_URL =
-  process.env.NEXT_PUBLIC_AWARENESS_URL || "http://localhost:37800";
-
-export function MemoryTab({ workspaceId }: Props) {
-  const [entries, setEntries] = useState<MemoryEntry[]>([]);
-  const [loading, setLoading] = useState(true);
-  const [showAwareness, setShowAwareness] = useState(true);
-  const [showAdvanced, setShowAdvanced] = useState(false);
-  const [expanded, setExpanded] = useState<string | null>(null);
-  const [showAdd, setShowAdd] = useState(false);
-  const [newKey, setNewKey] = useState("");
-  const [newValue, setNewValue] = useState("");
-  const [newTTL, setNewTTL] = useState("");
-  const [error, setError] = useState<string | null>(null);
-  const [editingKey, setEditingKey] = useState<string | null>(null);
-  const [editValue, setEditValue] = useState("");
-  const [editTTL, setEditTTL] = useState("");
-  const [editError, setEditError] = useState<string | null>(null);
-
-  const awarenessUrl = useMemo(() => {
-    try {
-      const url = new URL(AWARENESS_BASE_URL);
-      url.searchParams.set("workspaceId", workspaceId);
-      return url.toString();
-    } catch {
-      return AWARENESS_BASE_URL;
-    }
-  }, [workspaceId]);
-
-  const awarenessStatus = useMemo(() => {
-    try {
-      const url = new URL(AWARENESS_BASE_URL);
-      return url.origin.includes("localhost") ? "local" : url.hostname;
-    } catch {
-      return "unavailable";
-    }
-  }, []);
-
-  const loadMemory = useCallback(async () => {
-    setLoading(true);
-    setError(null);
-    try {
-      const data = await api.get<MemoryEntry[]>(`/workspaces/${workspaceId}/memory`);
-      setEntries(data);
-    } catch (e) {
-      setEntries([]);
-      setError(e instanceof Error ? e.message : "Failed to load memory");
-    } finally {
-      setLoading(false);
-    }
-  }, [workspaceId]);
-
-  useEffect(() => {
-    loadMemory();
-  }, [loadMemory]);
-
-  const handleAdd = async () => {
-    setError(null);
-    if (!newKey.trim()) {
-      setError("Key is required");
-      return;
-    }
-
-    let parsedValue: unknown;
-    try {
-      parsedValue = JSON.parse(newValue);
-    } catch {
-      parsedValue = newValue;
-    }
-
-    const body: Record<string, unknown> = { key: newKey, value: parsedValue };
-    if (newTTL) {
-      const ttl = parseInt(newTTL);
-      if (!Number.isNaN(ttl) && ttl > 0) body.ttl_seconds = ttl;
-    }
-
-    try {
-      await api.post(`/workspaces/${workspaceId}/memory`, body);
-      setNewKey("");
-      setNewValue("");
-      setNewTTL("");
-      setShowAdd(false);
-      loadMemory();
-    } catch (e) {
-      setError(e instanceof Error ? e.message : "Failed to add");
-    }
-  };
-
-  const handleDelete = async (key: string) => {
-    setError(null);
-    try {
-      await api.del(`/workspaces/${workspaceId}/memory/${encodeURIComponent(key)}`);
-      setEntries((prev) => prev.filter((e) => e.key !== key));
-      if (expanded === key) setExpanded(null);
-    } catch (e) {
-      setError(e instanceof Error ? e.message : "Failed to delete entry");
-    }
-  };
-
-  const beginEdit = (entry: MemoryEntry) => {
-    setEditError(null);
-    setEditingKey(entry.key);
-    // Stringify objects/arrays as pretty JSON; render plain strings raw so the
-    // editor doesn't surprise users with surrounding quotes.
-    setEditValue(
-      typeof entry.value === "string"
-        ? entry.value
-        : JSON.stringify(entry.value, null, 2),
-    );
-    if (entry.expires_at) {
-      const remainingMs = new Date(entry.expires_at).getTime() - Date.now();
-      const ttl = Math.max(0, Math.floor(remainingMs / 1000));
-      setEditTTL(ttl > 0 ? String(ttl) : "");
-    } else {
-      setEditTTL("");
-    }
-  };
-
-  const cancelEdit = () => {
-    setEditingKey(null);
-    setEditValue("");
-    setEditTTL("");
-    setEditError(null);
-  };
-
-  const handleEditSave = async (entry: MemoryEntry) => {
-    setEditError(null);
-
-    let parsedValue: unknown;
-    try {
-      parsedValue = JSON.parse(editValue);
-    } catch {
-      parsedValue = editValue;
-    }
-
-    // if_match_version closes the silent-overwrite hole when two writers
-    // race. The handler returns 409 with the current version on mismatch
-    // — surface that as a retry hint and reload to pick up the new state.
-    const body: Record<string, unknown> = { key: entry.key, value: parsedValue };
-    if (typeof entry.version === "number") {
-      body.if_match_version = entry.version;
-    }
-    if (editTTL) {
-      const ttl = parseInt(editTTL);
-      if (!Number.isNaN(ttl) && ttl > 0) body.ttl_seconds = ttl;
-    }
-
-    try {
-      await api.post(`/workspaces/${workspaceId}/memory`, body);
-      cancelEdit();
-      loadMemory();
-    } catch (e) {
-      const message = e instanceof Error ? e.message : "Failed to save";
-      if (message.includes("409") || /if_match_version mismatch/i.test(message)) {
-        setEditError("This entry changed since you opened it. Reloading.");
-        loadMemory();
-      } else {
-        setEditError(message);
-      }
-    }
-  };
-
-  const openAwareness = () => {
-    window.open(awarenessUrl, "_blank", "noopener,noreferrer");
-  };
-
-  if (loading) {
-    return <div className="p-4 text-xs text-ink-mid">Loading memory...</div>;
-  }
-
-  return (
-    <div className="p-4 space-y-4">
-      {error && !showAdd && (
-        <div role="alert" className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
-          {error}
-        </div>
-      )}
-
-      <section className="space-y-3">
-        <div className="flex items-center justify-between gap-3">
-          <div>
-            <div className="text-xs font-medium text-ink">Awareness dashboard</div>
-            <p className="text-[10px] text-ink-mid">
-              Embedded view for the local Awareness memory UI. The current workspace id is appended to the URL for workspace-scoped routing or future filtering.
-            </p>
-          </div>
-          <div className="flex items-center gap-2">
-            <button
-              type="button"
-              onClick={() => setShowAwareness((prev) => !prev)}
-              className="shrink-0 px-2 py-1 bg-surface-card hover:bg-surface-elevated text-[10px] rounded text-ink focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
-            >
-              {showAwareness ? "Collapse" : "Expand"}
-            </button>
-            <button
-              type="button"
-              onClick={openAwareness}
-              className="shrink-0 px-2 py-1 bg-surface-card hover:bg-surface-elevated text-[10px] rounded text-ink focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
-            >
-              Open
-            </button>
-          </div>
-        </div>
-
-        {showAwareness ? (
-          AWARENESS_BASE_URL ? (
-            <div className="overflow-hidden rounded-xl border border-line bg-surface-sunken/70 shadow-[0_0_0_1px_rgba(255,255,255,0.02)]">
-              <iframe
-                title="Awareness dashboard"
-                src={awarenessUrl}
-                className="h-[520px] w-full border-0"
-                loading="lazy"
-              />
-            </div>
-          ) : (
-            <div className="rounded-xl border border-dashed border-line bg-surface-sunken/40 p-4 text-xs text-ink-mid">
-              Set <code className="font-mono text-ink-mid">NEXT_PUBLIC_AWARENESS_URL</code> to embed the Awareness dashboard here.
-            </div>
-          )
-        ) : (
-          <div className="rounded-xl border border-line bg-surface-sunken/50 px-4 py-3 flex items-center justify-between gap-3">
-            <div className="min-w-0">
-              <p className="text-xs text-ink">Awareness dashboard is collapsed</p>
-              <p className="text-[10px] text-ink-mid truncate">
-                Workspace context stays linked through <span className="font-mono text-ink-mid">{workspaceId}</span>.
-              </p>
-            </div>
-            <button
-              type="button"
-              onClick={() => setShowAwareness(true)}
-              className="shrink-0 px-2 py-1 bg-accent hover:bg-accent-strong text-[10px] rounded text-white focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
-            >
-              Expand
-            </button>
-          </div>
-        )}
-
-        <div className="grid gap-2 rounded-xl border border-line bg-surface/40 px-3 py-2 text-[10px] text-ink-mid sm:grid-cols-3">
-          <div className="flex items-center justify-between gap-2">
-            <span className="uppercase tracking-[0.18em] text-ink-mid">Status</span>
-            <span className="font-medium text-good">Connected</span>
-          </div>
-          <div className="flex items-center justify-between gap-2">
-            <span className="uppercase tracking-[0.18em] text-ink-mid">Mode</span>
-            <span className="font-medium text-ink">{awarenessStatus}</span>
-          </div>
-          <div className="flex items-center justify-between gap-2 min-w-0">
-            <span className="uppercase tracking-[0.18em] text-ink-mid">Workspace</span>
-            <span className="font-mono text-ink-mid truncate">{workspaceId}</span>
-          </div>
-        </div>
-      </section>
-
-      <section className="space-y-3 border-t border-line/60 pt-4">
-        <div className="flex items-center justify-between">
-          <div>
-            <div className="text-xs font-medium text-ink">Workspace KV memory</div>
-            <p className="text-[10px] text-ink-mid">
-              Native platform key-value memory for workspace <span className="font-mono text-ink-mid">{workspaceId}</span>.
-            </p>
-          </div>
-          <div className="flex gap-2">
-            <button
-              type="button"
-              onClick={() => setShowAdvanced((prev) => !prev)}
-              className="px-2 py-1 bg-surface-card hover:bg-surface-elevated text-[10px] rounded text-ink-mid focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
-            >
-              {showAdvanced ? "Hide Advanced" : "Advanced"}
-            </button>
-            <button
-              type="button"
-              onClick={loadMemory}
-              className="px-2 py-1 bg-surface-card hover:bg-surface-elevated text-[10px] rounded text-ink-mid focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
-            >
-              Refresh
-            </button>
-            <button
-              type="button"
-              onClick={() => { setShowAdd(!showAdd); if (!showAdd) setShowAdvanced(true); }}
-              className="px-2 py-1 bg-accent hover:bg-accent-strong text-[10px] rounded text-white focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
-            >
-              + Add
-            </button>
-          </div>
-        </div>
-
-        {showAdvanced && showAdd && (
-          <div className="bg-surface-card rounded p-3 space-y-2 border border-line">
-            <input
-              value={newKey}
-              onChange={(e) => setNewKey(e.target.value)}
-              placeholder="Key"
-              aria-label="Memory key"
-              className="w-full bg-surface-sunken border border-line rounded px-2 py-1 text-xs text-ink focus:outline-none focus:border-accent"
-            />
-            <textarea
-              value={newValue}
-              onChange={(e) => setNewValue(e.target.value)}
-              placeholder='Value (JSON or plain text)'
-              rows={3}
-              aria-label="Memory value (JSON or plain text)"
-              className="w-full bg-surface-sunken border border-line rounded px-2 py-1 text-xs font-mono text-ink focus:outline-none focus:border-accent resize-none"
-            />
-            <input
-              value={newTTL}
-              onChange={(e) => setNewTTL(e.target.value)}
-              placeholder="TTL in seconds (optional)"
-              aria-label="TTL in seconds (optional)"
-              className="w-full bg-surface-sunken border border-line rounded px-2 py-1 text-xs text-ink focus:outline-none focus:border-accent"
-            />
-            {error && <div role="alert" className="text-xs text-bad">{error}</div>}
-            <div className="flex gap-2">
-              <button
-                type="button"
-                onClick={handleAdd}
-                className="px-3 py-1 bg-accent hover:bg-accent-strong text-xs rounded text-white focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
-              >
-                Save
-              </button>
-              <button
-                type="button"
-                onClick={() => {
-                  setShowAdd(false);
-                  setError(null);
-                }}
-                className="px-3 py-1 bg-surface-card hover:bg-surface-elevated text-xs rounded text-ink-mid focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
-              >
-                Cancel
-              </button>
-            </div>
-          </div>
-        )}
-
-        {showAdvanced ? (
-          entries.length === 0 ? (
-            <p className="text-xs text-ink-mid text-center py-4">No memory entries</p>
-          ) : (
-            <div className="space-y-1">
-              {entries.map((entry) => (
-                <div key={entry.key} className="bg-surface-card rounded border border-line">
-                  <button
-                    type="button"
-                    onClick={() => setExpanded(expanded === entry.key ? null : entry.key)}
-                    className="w-full flex items-center justify-between px-3 py-2 text-left focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
-                    aria-expanded={expanded === entry.key}
-                  >
-                    <span className="text-xs font-mono text-accent">{entry.key}</span>
-                    <div className="flex items-center gap-2">
-                      {entry.expires_at && (
-                        <span className="text-[9px] text-ink-mid">
-                          TTL {new Date(entry.expires_at).toLocaleString()}
-                        </span>
-                      )}
-                      <span className="text-[10px] text-ink-mid">
-                        {expanded === entry.key ? "▼" : "▶"}
-                      </span>
-                    </div>
-                  </button>
-
-                  {expanded === entry.key && (
-                    <div className="px-3 pb-2 space-y-2">
-                      {editingKey === entry.key ? (
-                        <div className="space-y-2">
-                          <textarea
-                            value={editValue}
-                            onChange={(e) => setEditValue(e.target.value)}
-                            rows={4}
-                            aria-label={`Edit value for ${entry.key}`}
-                            className="w-full bg-surface-sunken border border-line rounded px-2 py-1 text-xs font-mono text-ink focus:outline-none focus:border-accent resize-none"
-                          />
-                          <input
-                            value={editTTL}
-                            onChange={(e) => setEditTTL(e.target.value)}
-                            placeholder="TTL in seconds (blank = no expiry)"
-                            aria-label={`Edit TTL for ${entry.key}`}
-                            className="w-full bg-surface-sunken border border-line rounded px-2 py-1 text-xs text-ink focus:outline-none focus:border-accent"
-                          />
-                          {editError && (
-                            <div role="alert" className="text-[10px] text-bad">
-                              {editError}
-                            </div>
-                          )}
-                          <div className="flex gap-2">
-                            <button
-                              type="button"
-                              onClick={() => handleEditSave(entry)}
-                              className="px-3 py-1 bg-accent hover:bg-accent-strong text-xs rounded text-white focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
-                            >
-                              Save
-                            </button>
-                            <button
-                              type="button"
-                              onClick={cancelEdit}
-                              className="px-3 py-1 bg-surface-card hover:bg-surface-elevated text-xs rounded text-ink-mid focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
-                            >
-                              Cancel
-                            </button>
-                          </div>
-                        </div>
-                      ) : (
-                        <pre className="text-[10px] text-ink-mid bg-surface-sunken rounded p-2 overflow-x-auto max-h-40">
-                          {JSON.stringify(entry.value, null, 2)}
-                        </pre>
-                      )}
-                      <div className="flex items-center justify-between">
-                        <span className="text-[9px] text-ink-mid">
-                          Updated: {new Date(entry.updated_at).toLocaleString()}
-                        </span>
-                        <div className="flex items-center gap-2">
-                          {editingKey !== entry.key && (
-                            <button
-                              type="button"
-                              onClick={() => beginEdit(entry)}
-                              className="text-[10px] text-ink-mid hover:bg-surface-elevated rounded px-1 transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
-                            >
-                              Edit
-                            </button>
-                          )}
-                          <button
-                            type="button"
-                            onClick={() => handleDelete(entry.key)}
-                            className="text-[10px] text-bad hover:bg-red-950/40 rounded px-1 transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-red-500 focus-visible:ring-offset-1"
-                          >
-                            Delete
-                          </button>
-                        </div>
-                      </div>
-                    </div>
-                  )}
-                </div>
-              ))}
-            </div>
-          )
-        ) : (
-          <div className="rounded-xl border border-line bg-surface/30 px-4 py-3 flex items-center justify-between gap-3">
-            <div className="min-w-0">
-              <p className="text-xs text-ink">Advanced workspace memory is hidden</p>
-              <p className="text-[10px] text-ink-mid truncate">
-                KV entries remain available if you need the raw platform store.
-              </p>
-            </div>
-            <button
-              type="button"
-              onClick={() => setShowAdvanced(true)}
-              className="shrink-0 px-2 py-1 bg-accent hover:bg-accent-strong text-[10px] rounded text-white focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
-            >
-              Show
-            </button>
-          </div>
-        )}
-      </section>
-    </div>
-  );
-}
@@ -32,7 +32,7 @@ interface PluginInfo {
  author: string;
  tags: string[];
  skills: string[];
-  // Declared supported runtimes (e.g. ["claude_code", "deepagents"]).
+  // Declared supported runtimes (e.g. ["claude_code", "hermes"]).
  // Empty / absent = "unspecified, try it".
  runtimes?: string[];
  // Only present on /workspaces/:id/plugins responses — true if the
@@ -3,10 +3,10 @@
 // Regression tests for ConfigTab hermes-workspace UX (#1894 + #1900).
 //
 // All four bugs this suite pins hit the same workspace on 2026-04-23:
-// a hermes-runtime workspace whose Config tab showed "LangGraph
+// a hermes-runtime workspace whose Config tab showed "Claude Code
 // (default)" in the runtime dropdown, an empty Model field, and a
 // scary red "No config.yaml found" banner. Clicking Save would
-// silently PATCH runtime back to LangGraph, breaking the workspace.
+// silently PATCH runtime back to Claude Code, breaking the workspace.
 //
 // Each test pins one invariant. If any fails, the bug is back.

@@ -91,7 +91,7 @@ describe("ConfigTab — hermes workspace", () => {
  it("loads runtime from workspace metadata when config.yaml is missing (#1894 bug 1)", async () => {
    // This is the hermes case: no platform config.yaml, so the form must
    // fall back to GET /workspaces/:id's runtime field. Before the fix, the
-    // runtime dropdown showed "LangGraph (default)" because the fallback
+    // runtime dropdown showed "Claude Code (default)" because the fallback
    // didn't exist.
    wireApi({
      workspaceRuntime: "hermes",
@@ -150,9 +150,9 @@ describe("ConfigTab — hermes workspace", () => {
    expect(screen.queryByText(/Hermes manages its own config/i)).toBeNull();
  });

-  it("DOES show 'No config.yaml found' error for langgraph workspace (default runtime)", async () => {
+  it("DOES show 'No config.yaml found' error for claude-code workspace (default runtime)", async () => {
    // Regression guard the other way — the gray info banner is hermes-
-    // specific. A langgraph workspace with no config.yaml SHOULD still
+    // specific. A claude-code workspace with no config.yaml SHOULD still
    // see the red error so the user knows to provide a template config.
    wireApi({
      workspaceRuntime: "",
@@ -302,21 +302,21 @@ describe("ConfigTab — config.yaml on disk", () => {
    // MCP server list, etc.) but runtime/model/tier come from the
    // workspace row so the node badge matches the form.
    //
-    // Scenario: DB says "hermes", config.yaml says "crewai". The form
+    // Scenario: DB says "hermes", config.yaml says "openclaw". The form
    // must show hermes (DB wins).
    //
-    // We pick hermes (not langgraph) on the DB side because "langgraph"
-    // is collapsed to the empty-string "LangGraph (default)" option in
-    // the runtime dropdown — so a "langgraph" DB value would render as
+    // We pick hermes (not claude-code) on the DB side because "claude-code"
+    // is collapsed to the empty-string "Claude Code (default)" option in
+    // the runtime dropdown — so a "claude-code" DB value would render as
    // the empty-valued option and obscure whether the DB-wins logic
    // actually fired. Hermes has its own non-empty option value and
    // gives the assertion a clean signal.
    wireApi({
      workspaceRuntime: "hermes", // DB — authoritative
-      configYamlContent: 'runtime: crewai\nmodel: "claude-opus"\n',
+      configYamlContent: 'runtime: openclaw\nmodel: "claude-opus"\n',
      templates: [
        { id: "t-hermes", name: "Hermes", runtime: "hermes", models: [] },
-        { id: "t-crewai", name: "CrewAI", runtime: "crewai", models: [] },
+        { id: "t-openclaw", name: "OpenClaw", runtime: "openclaw", models: [] },
      ],
    });

@@ -1,21 +1,66 @@
 // @vitest-environment jsdom
-import { cleanup, render, screen } from "@testing-library/react";
-import { afterEach, describe, expect, it, vi } from "vitest";
+import { cleanup, fireEvent, render, screen, waitFor } from "@testing-library/react";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+
+const apiPatch = vi.fn();
+const updateNodeData = vi.fn();
+const restartWorkspace = vi.fn();
+
+vi.mock("@/lib/api", () => ({
+  api: {
+    patch: (path: string, body: unknown) => apiPatch(path, body),
+  },
+}));

 vi.mock("@/lib/runtime-names", () => ({
  runtimeDisplayName: (runtime: string) => runtime,
 }));

+vi.mock("@/store/canvas", () => ({
+  useCanvasStore: Object.assign(
+    (selector: (s: unknown) => unknown) => selector({ restartWorkspace, updateNodeData }),
+    { getState: () => ({ restartWorkspace, updateNodeData }) },
+  ),
+}));
+
 import { ContainerConfigTab } from "../ContainerConfigTab";

 afterEach(() => {
  cleanup();
 });

+beforeEach(() => {
+  apiPatch.mockReset();
+  restartWorkspace.mockReset();
+  updateNodeData.mockReset();
+});
+
 describe("ContainerConfigTab", () => {
-  it("renders read-only runtime and container settings separate from compute shape", () => {
+  it("defaults missing compute to the cost-efficient headless profile", () => {
    render(
      <ContainerConfigTab
+        workspaceId="ws-compute"
+        data={{
+          runtime: "claude-code",
+          status: "online",
+          needsRestart: false,
+          activeTasks: 0,
+          maxConcurrentTasks: null,
+          workspaceAccess: "none",
+          deliveryMode: "push",
+          compute: undefined,
+        }}
+      />,
+    );
+
+    expect(screen.getByLabelText("Instance type")).toHaveProperty("value", "t3.medium");
+    expect(screen.getByLabelText("Root volume")).toHaveProperty("value", "30");
+  });
+
+  it("renders persisted compute and status settings", () => {
+    render(
+      <ContainerConfigTab
+        workspaceId="ws-compute"
        data={{
          runtime: "claude-code",
          status: "online",
@@ -24,19 +69,249 @@ describe("ContainerConfigTab", () => {
          maxConcurrentTasks: 3,
          workspaceAccess: "read_write",
          deliveryMode: "poll",
+          compute: {
+            instance_type: "t3.xlarge",
+            volume: { root_gb: 80 },
+            display: { mode: "desktop-control", protocol: "novnc", width: 1920, height: 1080 },
+          },
        }}
      />,
    );

-    expect(screen.getByText("Runtime image")).toBeTruthy();
-    expect(screen.getByText("claude-code")).toBeTruthy();
+    expect(screen.getByLabelText("Runtime image")).toHaveProperty("value", "claude-code");
+    expect(screen.getByLabelText("Instance type")).toHaveProperty("value", "t3.xlarge");
+    expect(screen.getByLabelText("Root volume")).toHaveProperty("value", "80");
+    expect(screen.getByLabelText("Enable display")).toHaveProperty("checked", true);
+    expect(screen.getByLabelText("Resolution")).toHaveProperty("value", "1920x1080");
    expect(screen.getByText("Workspace access")).toBeTruthy();
    expect(screen.getByText("read-write")).toBeTruthy();
-    expect(screen.getByText("Max concurrent tasks")).toBeTruthy();
-    expect(screen.getByText("3")).toBeTruthy();
-    expect(screen.getByText("/workspace")).toBeTruthy();
-    expect(screen.getByText("Container privileges")).toBeTruthy();
-    expect(screen.queryByText("Instance type")).toBeNull();
-    expect(screen.queryByText("Root volume")).toBeNull();
+  });
+
+  it("does not reset dirty form edits on unrelated status rerender", () => {
+    const { rerender } = render(
+      <ContainerConfigTab
+        workspaceId="ws-compute"
+        data={{
+          runtime: "claude-code",
+          status: "online",
+          needsRestart: false,
+          activeTasks: 0,
+          maxConcurrentTasks: null,
+          workspaceAccess: "none",
+          deliveryMode: "push",
+          compute: {
+            instance_type: "t3.large",
+            volume: { root_gb: 50 },
+            display: { mode: "none" },
+          },
+        }}
+      />,
+    );
+
+    fireEvent.change(screen.getByLabelText("Root volume"), { target: { value: "120" } });
+
+    rerender(
+      <ContainerConfigTab
+        workspaceId="ws-compute"
+        data={{
+          runtime: "claude-code",
+          status: "online",
+          needsRestart: false,
+          activeTasks: 1,
+          maxConcurrentTasks: null,
+          workspaceAccess: "none",
+          deliveryMode: "push",
+          compute: {
+            instance_type: "t3.large",
+            volume: { root_gb: 50 },
+            display: { mode: "none" },
+          },
+        }}
+      />,
+    );
+
+    expect(screen.getByLabelText("Root volume")).toHaveProperty("value", "120");
+  });
+
+  it("saves runtime and compute changes through workspace PATCH", async () => {
+    apiPatch.mockResolvedValueOnce({ needs_restart: true });
+
+    render(
+      <ContainerConfigTab
+        workspaceId="ws-compute"
+        data={{
+          runtime: "claude-code",
+          status: "online",
+          needsRestart: false,
+          activeTasks: 0,
+          maxConcurrentTasks: null,
+          workspaceAccess: "none",
+          deliveryMode: "push",
+          compute: {
+            instance_type: "t3.large",
+            volume: { root_gb: 50 },
+            display: { mode: "none" },
+          },
+        }}
+      />,
+    );
+
+    fireEvent.change(screen.getByLabelText("Runtime image"), { target: { value: "hermes" } });
+    fireEvent.change(screen.getByLabelText("Instance type"), { target: { value: "m6i.xlarge" } });
+    fireEvent.change(screen.getByLabelText("Root volume"), { target: { value: "100" } });
+    fireEvent.click(screen.getByLabelText("Enable display"));
+    fireEvent.change(screen.getByLabelText("Resolution"), { target: { value: "2560x1440" } });
+    fireEvent.click(screen.getByRole("button", { name: "Save" }));
+
+    await waitFor(() => expect(apiPatch).toHaveBeenCalledTimes(1));
+    expect(apiPatch).toHaveBeenCalledWith("/workspaces/ws-compute", {
+      runtime: "hermes",
+      compute: {
+        instance_type: "m6i.xlarge",
+        volume: { root_gb: 100 },
+        display: { mode: "desktop-control", protocol: "novnc", width: 2560, height: 1440 },
+      },
+    });
+    expect(updateNodeData).toHaveBeenCalledWith("ws-compute", {
+      runtime: "hermes",
+      compute: {
+        instance_type: "m6i.xlarge",
+        volume: { root_gb: 100 },
+        display: { mode: "desktop-control", protocol: "novnc", width: 2560, height: 1440 },
+      },
+      needsRestart: true,
+      applyTemplateOnRestart: true,
+    });
+    expect(restartWorkspace).not.toHaveBeenCalled();
+  });
+
+  it("preserves existing custom display mode and resolution when saving unrelated compute", async () => {
+    apiPatch.mockResolvedValueOnce({ needs_restart: true });
+
+    render(
+      <ContainerConfigTab
+        workspaceId="ws-compute"
+        data={{
+          runtime: "claude-code",
+          status: "online",
+          needsRestart: false,
+          activeTasks: 0,
+          maxConcurrentTasks: null,
+          workspaceAccess: "none",
+          deliveryMode: "push",
+          compute: {
+            instance_type: "t3.large",
+            volume: { root_gb: 50 },
+            display: { mode: "gpu-desktop-control", protocol: "dcv", width: 1600, height: 1000 },
+          },
+        }}
+      />,
+    );
+
+    expect(screen.getByLabelText("Resolution")).toHaveProperty("value", "1600x1000");
+
+    fireEvent.change(screen.getByLabelText("Instance type"), { target: { value: "t3.xlarge" } });
+    fireEvent.click(screen.getByRole("button", { name: "Save" }));
+
+    await waitFor(() => expect(apiPatch).toHaveBeenCalledTimes(1));
+    expect(apiPatch).toHaveBeenCalledWith("/workspaces/ws-compute", {
+      runtime: "claude-code",
+      compute: {
+        instance_type: "t3.xlarge",
+        volume: { root_gb: 50 },
+        display: { mode: "gpu-desktop-control", protocol: "dcv", width: 1600, height: 1000 },
+      },
+    });
+  });
+
+  it("can save changed compute and restart the workspace to apply it", async () => {
+    apiPatch.mockResolvedValueOnce({ needs_restart: true });
+    restartWorkspace.mockResolvedValueOnce(undefined);
+
+    render(
+      <ContainerConfigTab
+        workspaceId="ws-compute"
+        data={{
+          runtime: "claude-code",
+          status: "online",
+          needsRestart: false,
+          activeTasks: 0,
+          maxConcurrentTasks: null,
+          workspaceAccess: "none",
+          deliveryMode: "push",
+          compute: {
+            instance_type: "t3.large",
+            volume: { root_gb: 50 },
+            display: { mode: "none" },
+          },
+        }}
+      />,
+    );
+
+    fireEvent.change(screen.getByLabelText("Instance type"), { target: { value: "t3.xlarge" } });
+    fireEvent.click(screen.getByRole("button", { name: "Save & Restart" }));
+
+    await waitFor(() => expect(apiPatch).toHaveBeenCalledTimes(1));
+    await waitFor(() => expect(restartWorkspace).toHaveBeenCalledWith("ws-compute", { applyTemplate: false }));
+  });
+
+  it("requests template re-apply when saving a runtime change and restarting", async () => {
+    apiPatch.mockResolvedValueOnce({ needs_restart: true });
+    restartWorkspace.mockResolvedValueOnce(undefined);
+
+    render(
+      <ContainerConfigTab
+        workspaceId="ws-compute"
+        data={{
+          runtime: "claude-code",
+          status: "online",
+          needsRestart: false,
+          activeTasks: 0,
+          maxConcurrentTasks: null,
+          workspaceAccess: "none",
+          deliveryMode: "push",
+          compute: {
+            instance_type: "t3.large",
+            volume: { root_gb: 50 },
+            display: { mode: "none" },
+          },
+        }}
+      />,
+    );
+
+    fireEvent.change(screen.getByLabelText("Runtime image"), { target: { value: "hermes" } });
+    fireEvent.click(screen.getByRole("button", { name: "Save & Restart" }));
+
+    await waitFor(() => expect(restartWorkspace).toHaveBeenCalledWith("ws-compute", { applyTemplate: true }));
+  });
+
+  it("can restart without re-saving when changes are already pending", async () => {
+    restartWorkspace.mockResolvedValueOnce(undefined);
+
+    render(
+      <ContainerConfigTab
+        workspaceId="ws-compute"
+        data={{
+          runtime: "claude-code",
+          status: "online",
+          needsRestart: true,
+          activeTasks: 0,
+          maxConcurrentTasks: null,
+          workspaceAccess: "none",
+          deliveryMode: "push",
+          applyTemplateOnRestart: true,
+          compute: {
+            instance_type: "t3.large",
+            volume: { root_gb: 50 },
+            display: { mode: "none" },
+          },
+        }}
+      />,
+    );
+
+    fireEvent.click(screen.getByRole("button", { name: "Restart to apply" }));
+
+    await waitFor(() => expect(restartWorkspace).toHaveBeenCalledWith("ws-compute", { applyTemplate: true }));
+    expect(apiPatch).not.toHaveBeenCalled();
  });
 });
@@ -290,7 +290,9 @@ describe("DetailsTab — delete workflow", () => {
    ) as HTMLButtonElement;
    fireEvent(confirmBtn, new MouseEvent("click", { bubbles: true }));
    await flush();
-    expect(mockApi.del).toHaveBeenCalledWith("/workspaces/ws-1?confirm=true");
+    expect(mockApi.del).toHaveBeenCalledWith("/workspaces/ws-1?confirm=true", {
+      headers: { "X-Confirm-Name": "Test Workspace" },
+    });
    expect(mockRemoveSubtree).toHaveBeenCalledWith("ws-1");
    expect(mockSelectNode).toHaveBeenCalledWith(null);
  });
@@ -1,12 +1,36 @@
 // @vitest-environment jsdom
 import { describe, it, expect, vi, beforeEach } from "vitest";
-import { render, screen, waitFor } from "@testing-library/react";
+import { cleanup, fireEvent, render, screen, waitFor } from "@testing-library/react";

-const { mockGet } = vi.hoisted(() => ({ mockGet: vi.fn() }));
+const { mockGet, mockPost, mockRFBConstructor } = vi.hoisted(() => ({
+  mockGet: vi.fn(),
+  mockPost: vi.fn(),
+  mockRFBConstructor: vi.fn(),
+}));

 vi.mock("@/lib/api", () => ({
  api: {
    get: mockGet,
+    post: mockPost,
+  },
+}));
+
+vi.mock("@novnc/novnc", () => ({
+  default: class MockRFB extends EventTarget {
+    scaleViewport = false;
+    resizeSession = false;
+    focusOnClick = false;
+    target: HTMLElement;
+    url: string;
+    options?: { wsProtocols?: string[] };
+    constructor(target: HTMLElement, url: string, options?: { wsProtocols?: string[] }) {
+      super();
+      this.target = target;
+      this.url = url;
+      this.options = options;
+      mockRFBConstructor(target, url, options);
+    }
+    disconnect() {}
  },
 }));

@@ -14,7 +38,10 @@ import { DisplayTab } from "../DisplayTab";

 describe("DisplayTab", () => {
  beforeEach(() => {
+    cleanup();
    mockGet.mockReset();
+    mockPost.mockReset();
+    mockRFBConstructor.mockReset();
  });

  it("renders unavailable state for non-display workspaces", async () => {
@@ -29,5 +56,311 @@ describe("DisplayTab", () => {
      expect(screen.getByText("Display is not enabled for this workspace.")).toBeTruthy();
    });
    expect(mockGet).toHaveBeenCalledWith("/workspaces/ws-no-display/display");
+    expect(mockGet).not.toHaveBeenCalledWith("/workspaces/ws-no-display/display/control");
+  });
+
+  it("renders control acquisition for display-configured workspaces", async () => {
+    mockGet
+      .mockResolvedValueOnce({
+        available: false,
+        reason: "display_session_unavailable",
+        mode: "desktop-control",
+        status: "not_configured",
+      })
+      .mockResolvedValueOnce({
+        controller: "none",
+      });
+    mockPost.mockResolvedValueOnce({
+      controller: "user",
+      controlled_by: "admin-token",
+      expires_at: "2026-05-23T08:48:27Z",
+    });
+
+    render(<DisplayTab workspaceId="ws-display" />);
+
+    await waitFor(() => {
+      expect(screen.getByRole("button", { name: "Take control" })).toBeTruthy();
+    });
+    expect(mockGet).toHaveBeenCalledWith("/workspaces/ws-display/display");
+    expect(mockGet).toHaveBeenCalledWith("/workspaces/ws-display/display/control");
+
+    fireEvent.click(screen.getByRole("button", { name: "Take control" }));
+
+    await waitFor(() => {
+      expect(screen.getByText("Controlled by Admin")).toBeTruthy();
+    });
+    expect(mockPost).toHaveBeenCalledWith("/workspaces/ws-display/display/control/acquire", {
+      controller: "user",
+      ttl_seconds: 300,
+    });
+  });
+
+  it("waits for takeover before opening a ready display stream", async () => {
+    mockGet
+      .mockResolvedValueOnce({
+        available: true,
+        mode: "desktop-control",
+        protocol: "novnc",
+        width: 1920,
+        height: 1080,
+      })
+      .mockResolvedValueOnce({
+        controller: "none",
+      });
+
+    render(<DisplayTab workspaceId="ws-display" />);
+
+    await waitFor(() => {
+      expect(screen.getByText("Take control to open the desktop.")).toBeTruthy();
+    });
+    expect(screen.getByRole("button", { name: "Take control" })).toBeTruthy();
+  });
+
+  it("opens the trusted noVNC client after takeover returns a stream URL", async () => {
+    mockGet
+      .mockResolvedValueOnce({
+        available: true,
+        mode: "desktop-control",
+        protocol: "novnc",
+        width: 1920,
+        height: 1080,
+      })
+      .mockResolvedValueOnce({
+        controller: "none",
+      });
+    mockPost.mockResolvedValueOnce({
+      controller: "user",
+      controlled_by: "admin-token",
+      expires_at: "2026-05-23T08:48:27Z",
+      session_url: "/workspaces/ws-display/display/session/websockify#token=signed",
+    });
+
+    render(<DisplayTab workspaceId="ws-display" />);
+
+    await waitFor(() => {
+      expect(screen.getByRole("button", { name: "Take control" })).toBeTruthy();
+    });
+    fireEvent.click(screen.getByRole("button", { name: "Take control" }));
+
+    await waitFor(() => {
+      expect(screen.getByTitle("Workspace desktop")).toBeTruthy();
+    });
+    expect(mockPost).toHaveBeenCalledWith("/workspaces/ws-display/display/control/acquire", {
+      controller: "user",
+      ttl_seconds: 300,
+    });
+    expect(mockRFBConstructor).toHaveBeenCalledWith(
+      expect.any(HTMLElement),
+      expect.stringContaining("/workspaces/ws-display/display/session/websockify"),
+      { wsProtocols: ["binary", "molecule-display-token.signed"] },
+    );
+    expect(mockRFBConstructor.mock.calls[0][1]).not.toContain("token=");
+  });
+
+  it("releases user display control", async () => {
+    mockGet
+      .mockResolvedValueOnce({
+        available: true,
+        mode: "desktop-control",
+        protocol: "novnc",
+      })
+      .mockResolvedValueOnce({
+        controller: "user",
+        controlled_by: "admin-token",
+        expires_at: "2026-05-23T08:48:27Z",
+      });
+    mockPost.mockResolvedValueOnce({
+      controller: "none",
+    });
+
+    render(<DisplayTab workspaceId="ws-display" />);
+
+    await waitFor(() => {
+      expect(screen.getByRole("button", { name: "Release" })).toBeTruthy();
+    });
+
+    fireEvent.click(screen.getByRole("button", { name: "Release" }));
+
+    await waitFor(() => {
+      expect(screen.getByRole("button", { name: "Take control" })).toBeTruthy();
+    });
+    expect(mockPost).toHaveBeenCalledWith("/workspaces/ws-display/display/control/release", {});
+  });
+
+  it("renders active display control locks as observe-only", async () => {
+    mockGet
+      .mockResolvedValueOnce({
+        available: false,
+        reason: "display_session_unavailable",
+        mode: "desktop-control",
+        status: "not_configured",
+      })
+      .mockResolvedValueOnce({
+        controller: "agent",
+        controlled_by: "sidecar",
+        expires_at: "2026-05-23T08:48:27Z",
+      });
+
+    render(<DisplayTab workspaceId="ws-display" />);
+
+    await waitFor(() => {
+      expect(screen.getByText("Controlled by Agent")).toBeTruthy();
+    });
+    expect(screen.queryByRole("button", { name: "Release" })).toBeNull();
+    expect(screen.queryByRole("button", { name: "Take control" })).toBeNull();
+    expect(mockPost).not.toHaveBeenCalled();
+  });
+
+  it("labels org-token display control locks as automation", async () => {
+    mockGet
+      .mockResolvedValueOnce({
+        available: false,
+        reason: "display_session_unavailable",
+        mode: "desktop-control",
+        status: "not_configured",
+      })
+      .mockResolvedValueOnce({
+        controller: "user",
+        controlled_by: "org-token:abc123",
+        expires_at: "2026-05-23T08:48:27Z",
+      });
+
+    render(<DisplayTab workspaceId="ws-display" />);
+
+    await waitFor(() => {
+      expect(screen.getByText("Controlled by Automation")).toBeTruthy();
+    });
+    expect(screen.queryByText("org-token:abc123")).toBeNull();
+    expect(screen.queryByRole("button", { name: "Take control" })).toBeNull();
+  });
+
+  it("refreshes display control state after failed acquisition", async () => {
+    mockGet
+      .mockResolvedValueOnce({
+        available: false,
+        reason: "display_session_unavailable",
+        mode: "desktop-control",
+        status: "not_configured",
+      })
+      .mockResolvedValueOnce({
+        controller: "none",
+      })
+      .mockResolvedValueOnce({
+        controller: "agent",
+        controlled_by: "sidecar",
+        expires_at: "2026-05-23T08:48:27Z",
+      });
+    mockPost.mockRejectedValueOnce(new Error("API POST /workspaces/ws-display/display/control/acquire: 409 conflict"));
+
+    render(<DisplayTab workspaceId="ws-display" />);
+
+    await waitFor(() => {
+      expect(screen.getByRole("button", { name: "Take control" })).toBeTruthy();
+    });
+
+    fireEvent.click(screen.getByRole("button", { name: "Take control" }));
+
+    await waitFor(() => {
+      expect(screen.getByText("Controlled by Agent")).toBeTruthy();
+    });
+    expect(screen.getByText("Failed to take control")).toBeTruthy();
+    expect(mockGet).toHaveBeenCalledWith("/workspaces/ws-display/display/control");
+    expect(mockGet).toHaveBeenCalledTimes(3);
+    expect(mockPost).toHaveBeenCalledWith("/workspaces/ws-display/display/control/acquire", {
+      controller: "user",
+      ttl_seconds: 300,
+    });
+  });
+
+  it("keeps display status visible without takeover actions when control status fails", async () => {
+    mockGet
+      .mockResolvedValueOnce({
+        available: false,
+        reason: "display_session_unavailable",
+        mode: "desktop-control",
+        status: "not_configured",
+      })
+      .mockRejectedValueOnce(new Error("API GET /workspaces/ws-display/display/control: 401 unauthorized"));
+
+    render(<DisplayTab workspaceId="ws-display" />);
+
+    await waitFor(() => {
+      expect(screen.getByText("Display session is not ready.")).toBeTruthy();
+    });
+    expect(screen.queryByRole("button", { name: "Take control" })).toBeNull();
+    expect(screen.getByText("Display control unavailable")).toBeTruthy();
+  });
+
+  it("does not render raw display status errors", async () => {
+    mockGet.mockRejectedValueOnce(new Error("API GET /workspaces/ws-display/display: 500 secret backend details"));
+
+    render(<DisplayTab workspaceId="ws-display" />);
+
+    await waitFor(() => {
+      expect(screen.getByText("Display status unavailable")).toBeTruthy();
+    });
+    expect(screen.queryByText(/secret backend details/)).toBeNull();
+  });
+
+  it("ignores stale acquire responses after workspace changes", async () => {
+    const acquire = deferred<{ controller: "user"; controlled_by: string; expires_at: string }>();
+    mockGet
+      .mockResolvedValueOnce({
+        available: false,
+        reason: "display_session_unavailable",
+        mode: "desktop-control",
+        status: "not_configured",
+      })
+      .mockResolvedValueOnce({
+        controller: "none",
+      })
+      .mockResolvedValueOnce({
+        available: false,
+        reason: "display_session_unavailable",
+        mode: "desktop-control",
+        status: "not_configured",
+      })
+      .mockResolvedValueOnce({
+        controller: "none",
+      });
+    mockPost.mockReturnValueOnce(acquire.promise);
+
+    const { rerender } = render(<DisplayTab workspaceId="ws-a" />);
+
+    await waitFor(() => {
+      expect(screen.getByRole("button", { name: "Take control" })).toBeTruthy();
+    });
+    fireEvent.click(screen.getByRole("button", { name: "Take control" }));
+
+    rerender(<DisplayTab workspaceId="ws-b" />);
+
+    await waitFor(() => {
+      expect(mockGet).toHaveBeenCalledWith("/workspaces/ws-b/display/control");
+    });
+    await waitFor(() => {
+      expect(screen.getByRole("button", { name: "Take control" })).toBeTruthy();
+    });
+
+    acquire.resolve({
+      controller: "user",
+      controlled_by: "admin-token",
+      expires_at: "2026-05-23T08:48:27Z",
+    });
+    await acquire.promise;
+
+    await waitFor(() => {
+      expect(screen.queryByText("Controlled by Admin")).toBeNull();
+    });
+    expect(screen.getByRole("button", { name: "Take control" })).toBeTruthy();
  });
 });
+
+function deferred<T>() {
+  let resolve!: (value: T) => void;
+  let reject!: (reason?: unknown) => void;
+  const promise = new Promise<T>((res, rej) => {
+    resolve = res;
+    reject = rej;
+  });
+  return { promise, resolve, reject };
+}
@@ -1,632 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Tests for MemoryTab — awareness dashboard + workspace KV memory management.
- *
- * Coverage:
- *   - Loading state
- *   - Error state when GET /memory fails
- *   - Empty state (no memory entries)
- *   - Memory list rendering (single + multiple entries)
- *   - Expand/collapse memory entries
- *   - Add memory entry (key + value + TTL)
- *   - Add validates required key
- *   - Add parses JSON values
- *   - Delete memory entry
- *   - Edit memory entry (inline)
- *   - Edit 409 conflict shows retry hint
- *   - Advanced toggle shows/hides KV section
- *   - Awareness dashboard expand/collapse
- *   - Awareness URL includes workspaceId
- *   - Refresh button reloads memory
- *   - Error clears when appropriate actions are taken
- */
-import React from "react";
-import { render, screen, fireEvent, cleanup, act, waitFor } from "@testing-library/react";
-import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { MemoryTab } from "../MemoryTab";
-
-const mockGet = vi.hoisted(() => vi.fn<[], Promise<unknown[]>>());
-const mockPost = vi.hoisted(() => vi.fn<[], Promise<unknown>>());
-const mockDel = vi.hoisted(() => vi.fn<[], Promise<unknown>>());
-
-vi.mock("@/lib/api", () => ({
-  api: { get: mockGet, post: mockPost, del: mockDel },
-}));
-
-// ─── Fixtures ─────────────────────────────────────────────────────────────────
-
-const MEMORY_ENTRY = {
-  key: "user_context",
-  value: { name: "Alice", role: "engineer" },
-  version: 3,
-  expires_at: null,
-  updated_at: new Date(Date.now() - 60000).toISOString(),
-};
-
-function entry(overrides: Partial<typeof MEMORY_ENTRY> = {}): typeof MEMORY_ENTRY {
-  return { ...MEMORY_ENTRY, ...overrides };
-}
-
-// ─── Helpers ───────────────────────────────────────────────────────────────────
-
-async function flush() {
-  await act(async () => { await Promise.resolve(); });
-}
-
-function typeIn(el: HTMLElement, value: string) {
-  Object.defineProperty(el, "value", { value, writable: true, configurable: true });
-  // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  fireEvent.change(el as any, { target: el });
-}
-
-// ─── Tests ─────────────────────────────────────────────────────────────────────
-
-describe("MemoryTab", () => {
-  beforeEach(() => {
-    mockGet.mockReset();
-    mockPost.mockReset();
-    mockDel.mockReset();
-    vi.useRealTimers();
-  });
-
-  afterEach(() => {
-    cleanup();
-    vi.useRealTimers();
-  });
-
-  // ── Loading / Error ──────────────────────────────────────────────────────────
-
-  it("shows loading state when memory is being fetched", async () => {
-    mockGet.mockImplementation(() => new Promise(() => {}));
-    render(<MemoryTab workspaceId="ws-1" />);
-    await act(async () => { /* flush initial render */ });
-    expect(screen.getByText("Loading memory...")).toBeTruthy();
-  });
-
-  it("shows error banner when GET /memory rejects", async () => {
-    mockGet.mockRejectedValue(new Error("network failure"));
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    expect(screen.getByText(/network failure/i)).toBeTruthy();
-  });
-
-  it("shows 'Failed to load memory' when GET rejects with non-Error", async () => {
-    mockGet.mockRejectedValue("unknown error");
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    expect(screen.getByText(/Failed to load memory/i)).toBeTruthy();
-  });
-
-  // ── Awareness Dashboard ─────────────────────────────────────────────────────
-
-  it("shows Awareness dashboard section", async () => {
-    mockGet.mockResolvedValue([]);
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    expect(screen.getByText("Awareness dashboard")).toBeTruthy();
-  });
-
-  it("renders an iframe with workspaceId in URL", async () => {
-    mockGet.mockResolvedValue([]);
-    render(<MemoryTab workspaceId="ws-xyz" />);
-    await flush();
-    const iframe = screen.getByTitle("Awareness dashboard");
-    expect(iframe.getAttribute("src")).toContain("workspaceId=ws-xyz");
-  });
-
-  it("shows 'Connected' status", async () => {
-    mockGet.mockResolvedValue([]);
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    expect(screen.getByText("Connected")).toBeTruthy();
-  });
-
-  it("shows workspace ID in the status grid", async () => {
-    mockGet.mockResolvedValue([]);
-    render(<MemoryTab workspaceId="ws-test-id" />);
-    await flush();
-    // workspaceId appears in two places (description + status grid).
-    // Target the font-mono span in the status grid specifically.
-    const spans = Array.from(document.querySelectorAll("span.font-mono"));
-    expect(spans.some(s => s.textContent === "ws-test-id")).toBeTruthy();
-  });
-
-  it("shows 'Collapse' and 'Open' buttons for awareness (starts visible)", async () => {
-    mockGet.mockResolvedValue([]);
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    expect(screen.getByRole("button", { name: /collapse/i })).toBeTruthy();
-    expect(screen.getByRole("button", { name: /open/i })).toBeTruthy();
-  });
-
-  it("hides awareness iframe when Collapse is clicked", async () => {
-    mockGet.mockResolvedValue([]);
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /collapse/i }));
-    await flush();
-    expect(screen.queryByTitle("Awareness dashboard")).toBeNull();
-    expect(screen.getByText(/awareness dashboard is collapsed/i)).toBeTruthy();
-  });
-
-  it("re-shows awareness iframe when collapsed state Expand is clicked", async () => {
-    mockGet.mockResolvedValue([]);
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    // Start with awareness visible (default) — verify iframe is there
-    expect(screen.getByTitle("Awareness dashboard")).toBeTruthy();
-    // Click Collapse in the awareness header to hide the iframe
-    fireEvent.click(screen.getByRole("button", { name: /collapse/i }));
-    await flush();
-    expect(screen.queryByTitle("Awareness dashboard")).toBeNull();
-    // The collapsed awareness state has a different "Expand" button.
-    // Directly click the button whose text is exactly "Expand".
-    const allBtns = screen.getAllByRole("button");
-    const expandInCollapsed = allBtns.find(b => b.textContent?.trim() === "Expand");
-    expect(expandInCollapsed).toBeTruthy();
-    act(() => { expandInCollapsed!.click(); });
-    await flush();
-    expect(screen.getByTitle("Awareness dashboard")).toBeTruthy();
-  });
-
-  // ── KV Memory: Empty / Advanced toggle ───────────────────────────────────────
-
-  it("shows 'Advanced workspace memory is hidden' when advanced is collapsed", async () => {
-    mockGet.mockResolvedValue([]);
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    expect(screen.getByText(/advanced workspace memory is hidden/i)).toBeTruthy();
-  });
-
-  it("shows 'Show' button when advanced is collapsed", async () => {
-    mockGet.mockResolvedValue([]);
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    expect(screen.getByRole("button", { name: /show/i })).toBeTruthy();
-  });
-
-  it("shows 'Hide Advanced' after clicking Show", async () => {
-    mockGet.mockResolvedValue([]);
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    expect(screen.getByRole("button", { name: /hide advanced/i })).toBeTruthy();
-  });
-
-  it("shows empty state 'No memory entries' when advanced is shown and list is empty", async () => {
-    mockGet.mockResolvedValue([]);
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    expect(screen.getByText("No memory entries")).toBeTruthy();
-  });
-
-  // ── KV Memory: List rendering ───────────────────────────────────────────────
-
-  it("renders memory entries when advanced is open", async () => {
-    mockGet.mockResolvedValue([entry()]);
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    expect(screen.getByText("user_context")).toBeTruthy();
-  });
-
-  it("renders multiple memory entries", async () => {
-    mockGet.mockResolvedValue([
-      entry({ key: "key1", value: "value1" }),
-      entry({ key: "key2", value: "value2" }),
-    ]);
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    expect(screen.getByText("key1")).toBeTruthy();
-    expect(screen.getByText("key2")).toBeTruthy();
-  });
-
-  it("shows chevron pointing right when entry is collapsed", async () => {
-    mockGet.mockResolvedValue([entry()]);
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    expect(screen.getByText("▶")).toBeTruthy();
-  });
-
-  it("shows chevron pointing down when entry is expanded", async () => {
-    mockGet.mockResolvedValue([entry()]);
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    fireEvent.click(screen.getByText("user_context"));
-    await flush();
-    expect(screen.getByText("▼")).toBeTruthy();
-  });
-
-  it("shows entry value when expanded", async () => {
-    mockGet.mockResolvedValue([entry({ value: { foo: "bar" } })]);
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    fireEvent.click(screen.getByText("user_context"));
-    await flush();
-    expect(screen.getByText(/"foo": "bar"/)).toBeTruthy();
-  });
-
-  it("shows updated_at timestamp when entry is expanded", async () => {
-    mockGet.mockResolvedValue([entry()]);
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    fireEvent.click(screen.getByText("user_context"));
-    await flush();
-    expect(screen.getByText(/updated:/i)).toBeTruthy();
-  });
-
-  it("shows Edit and Delete buttons when entry is expanded", async () => {
-    mockGet.mockResolvedValue([entry()]);
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    fireEvent.click(screen.getByText("user_context"));
-    await flush();
-    expect(screen.getByRole("button", { name: /edit/i })).toBeTruthy();
-    expect(screen.getByRole("button", { name: /delete/i })).toBeTruthy();
-  });
-
-  it("shows TTL when entry has expires_at", async () => {
-    const future = new Date(Date.now() + 3600000).toISOString();
-    mockGet.mockResolvedValue([entry({ expires_at: future })]);
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    fireEvent.click(screen.getByText("user_context"));
-    await flush();
-    expect(screen.getByText(/ttl/i)).toBeTruthy();
-  });
-
-  // ── Add Memory Entry ─────────────────────────────────────────────────────────
-
-  it("shows + Add button in KV section", async () => {
-    mockGet.mockResolvedValue([]);
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    expect(screen.getByRole("button", { name: /\+ add/i })).toBeTruthy();
-  });
-
-  it("opens add form when + Add is clicked", async () => {
-    mockGet.mockResolvedValue([]);
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /\+ add/i }));
-    await flush();
-    expect(screen.getByLabelText("Memory key")).toBeTruthy();
-    expect(screen.getByLabelText("Memory value (JSON or plain text)")).toBeTruthy();
-  });
-
-  it("requires key to be non-empty", async () => {
-    mockGet.mockResolvedValue([]);
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /\+ add/i }));
-    await flush();
-    act(() => { screen.getByRole("button", { name: /save/i }).click(); });
-    await flush();
-    expect(screen.getByText(/key is required/i)).toBeTruthy();
-  });
-
-  it("POSTs correct payload when adding a string value", async () => {
-    mockGet.mockResolvedValue([]);
-    mockPost.mockResolvedValue({});
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /\+ add/i }));
-    await flush();
-    typeIn(screen.getByLabelText("Memory key") as HTMLElement, "my_key");
-    typeIn(screen.getByLabelText("Memory value (JSON or plain text)") as HTMLElement, "plain text value");
-    await flush();
-    act(() => { screen.getByRole("button", { name: /save/i }).click(); });
-    await flush();
-    await waitFor(() => {
-      expect(screen.queryByLabelText("Memory key")).not.toBeTruthy();
-    });
-    expect(mockPost).toHaveBeenCalledWith(
-      "/workspaces/ws-1/memory",
-      expect.objectContaining({ key: "my_key", value: "plain text value" }),
-    );
-  });
-
-  it("POSTs parsed JSON when value is valid JSON", async () => {
-    mockGet.mockResolvedValue([]);
-    mockPost.mockResolvedValue({});
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /\+ add/i }));
-    await flush();
-    typeIn(screen.getByLabelText("Memory key") as HTMLElement, "config");
-    typeIn(screen.getByLabelText("Memory value (JSON or plain text)") as HTMLElement, '{"debug": true}');
-    await flush();
-    act(() => { screen.getByRole("button", { name: /save/i }).click(); });
-    await flush();
-    expect(mockPost).toHaveBeenCalledWith(
-      "/workspaces/ws-1/memory",
-      expect.objectContaining({ key: "config", value: { debug: true } }),
-    );
-  });
-
-  it("POSTs with ttl_seconds when TTL is provided", async () => {
-    mockGet.mockResolvedValue([]);
-    mockPost.mockResolvedValue({});
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /\+ add/i }));
-    await flush();
-    typeIn(screen.getByLabelText("Memory key") as HTMLElement, "temp_data");
-    typeIn(screen.getByLabelText("Memory value (JSON or plain text)") as HTMLElement, "value");
-    typeIn(screen.getByLabelText("TTL in seconds (optional)") as HTMLElement, "3600");
-    await flush();
-    act(() => { screen.getByRole("button", { name: /save/i }).click(); });
-    await flush();
-    expect(mockPost).toHaveBeenCalledWith(
-      "/workspaces/ws-1/memory",
-      expect.objectContaining({ key: "temp_data", value: "value", ttl_seconds: 3600 }),
-    );
-  });
-
-  it("shows error when add fails", async () => {
-    mockGet.mockResolvedValue([]);
-    mockPost.mockRejectedValue(new Error("add failed"));
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /\+ add/i }));
-    await flush();
-    typeIn(screen.getByLabelText("Memory key") as HTMLElement, "key");
-    typeIn(screen.getByLabelText("Memory value (JSON or plain text)") as HTMLElement, "val");
-    await flush();
-    act(() => { screen.getByRole("button", { name: /save/i }).click(); });
-    await flush();
-    expect(screen.getByText(/add failed/i)).toBeTruthy();
-  });
-
-  it("closes add form and refreshes after successful add", async () => {
-    mockGet.mockResolvedValue([]);
-    mockPost.mockResolvedValue({});
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /\+ add/i }));
-    await flush();
-    typeIn(screen.getByLabelText("Memory key") as HTMLElement, "new_key");
-    typeIn(screen.getByLabelText("Memory value (JSON or plain text)") as HTMLElement, "new_val");
-    await flush();
-    act(() => { screen.getByRole("button", { name: /save/i }).click(); });
-    await flush();
-    await waitFor(() => {
-      expect(screen.queryByLabelText("Memory key")).not.toBeTruthy();
-    });
-    expect(mockGet).toHaveBeenCalledWith("/workspaces/ws-1/memory");
-  });
-
-  it("closes add form when Cancel is clicked", async () => {
-    mockGet.mockResolvedValue([]);
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /\+ add/i }));
-    await flush();
-    expect(screen.getByLabelText("Memory key")).toBeTruthy();
-    act(() => { screen.getByRole("button", { name: /cancel/i }).click(); });
-    await flush();
-    await waitFor(() => {
-      expect(screen.queryByLabelText("Memory key")).not.toBeTruthy();
-    });
-  });
-
-  // ── Delete Memory Entry ─────────────────────────────────────────────────────
-
-  it("calls DEL when Delete is clicked", async () => {
-    mockGet.mockResolvedValue([entry()]);
-    mockDel.mockResolvedValue({});
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    fireEvent.click(screen.getByText("user_context"));
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /delete/i }));
-    await flush();
-    expect(mockDel).toHaveBeenCalledWith(
-      "/workspaces/ws-1/memory/user_context",
-    );
-  });
-
-  it("removes entry from list after successful delete", async () => {
-    mockGet.mockResolvedValue([entry()]);
-    mockDel.mockResolvedValue({});
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    fireEvent.click(screen.getByText("user_context"));
-    await flush();
-    expect(screen.getByText("user_context")).toBeTruthy();
-    fireEvent.click(screen.getByRole("button", { name: /delete/i }));
-    await flush();
-    expect(screen.queryByText("user_context")).toBeFalsy();
-  });
-
-  it("collapses entry if it was expanded when deleted", async () => {
-    mockGet.mockResolvedValue([entry()]);
-    mockDel.mockResolvedValue({});
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    // Expand the entry
-    fireEvent.click(screen.getByText("user_context"));
-    await flush();
-    expect(screen.getByText("▼")).toBeTruthy();
-    // Delete
-    fireEvent.click(screen.getByRole("button", { name: /delete/i }));
-    await flush();
-    expect(screen.queryByText("user_context")).toBeFalsy();
-  });
-
-  it("shows error when delete fails", async () => {
-    mockGet.mockResolvedValue([entry()]);
-    mockDel.mockRejectedValue(new Error("delete failed"));
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    fireEvent.click(screen.getByText("user_context"));
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /delete/i }));
-    await flush();
-    expect(screen.getByText(/delete failed/i)).toBeTruthy();
-  });
-
-  // ── Edit Memory Entry ────────────────────────────────────────────────────────
-
-  it("shows edit form when Edit is clicked", async () => {
-    mockGet.mockResolvedValue([entry()]);
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    fireEvent.click(screen.getByText("user_context"));
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /edit/i }));
-    await flush();
-    expect(screen.getByLabelText(/edit value for user_context/i)).toBeTruthy();
-  });
-
-  it("pre-fills edit form with existing value", async () => {
-    mockGet.mockResolvedValue([entry({ value: { name: "Alice" } })]);
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    fireEvent.click(screen.getByText("user_context"));
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /edit/i }));
-    await flush();
-    const textarea = screen.getByLabelText(/edit value for user_context/i);
-    expect((textarea as HTMLTextAreaElement).value).toContain("Alice");
-  });
-
-  it("POSTs updated value when Save is clicked", async () => {
-    mockGet.mockResolvedValue([entry()]);
-    mockPost.mockResolvedValue({});
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    fireEvent.click(screen.getByText("user_context"));
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /edit/i }));
-    await flush();
-    typeIn(screen.getByLabelText(/edit value for user_context/i) as HTMLElement, "updated_value");
-    await flush();
-    act(() => { screen.getByRole("button", { name: /save/i }).click(); });
-    await flush();
-    await waitFor(() => {
-      expect(screen.queryByLabelText(/edit value for user_context/i)).not.toBeTruthy();
-    });
-    expect(mockPost).toHaveBeenCalledWith(
-      "/workspaces/ws-1/memory",
-      expect.objectContaining({ key: "user_context", value: "updated_value", if_match_version: 3 }),
-    );
-  });
-
-  it("shows retry hint on 409 conflict during edit", async () => {
-    mockGet.mockResolvedValue([entry()]);
-    mockPost.mockRejectedValue(new Error("409 Conflict: if_match_version mismatch"));
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    fireEvent.click(screen.getByText("user_context"));
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /edit/i }));
-    await flush();
-    typeIn(screen.getByLabelText(/edit value for user_context/i) as HTMLElement, "new_val");
-    await flush();
-    act(() => { screen.getByRole("button", { name: /save/i }).click(); });
-    await flush();
-    expect(screen.getByText(/this entry changed since you opened it/i)).toBeTruthy();
-  });
-
-  it("shows generic error when edit save fails", async () => {
-    mockGet.mockResolvedValue([entry()]);
-    mockPost.mockRejectedValue(new Error("save failed"));
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    fireEvent.click(screen.getByText("user_context"));
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /edit/i }));
-    await flush();
-    typeIn(screen.getByLabelText(/edit value for user_context/i) as HTMLElement, "x");
-    await flush();
-    act(() => { screen.getByRole("button", { name: /save/i }).click(); });
-    await flush();
-    expect(screen.getByText(/save failed/i)).toBeTruthy();
-  });
-
-  it("closes edit form when Cancel is clicked", async () => {
-    mockGet.mockResolvedValue([entry()]);
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /show/i }));
-    await flush();
-    fireEvent.click(screen.getByText("user_context"));
-    await flush();
-    fireEvent.click(screen.getByRole("button", { name: /edit/i }));
-    await flush();
-    expect(screen.getByLabelText(/edit value for user_context/i)).toBeTruthy();
-    act(() => { screen.getByRole("button", { name: /cancel/i }).click(); });
-    await flush();
-    await waitFor(() => {
-      expect(screen.queryByLabelText(/edit value for/i)).not.toBeTruthy();
-    });
-  });
-
-  // ── Refresh ────────────────────────────────────────────────────────────────
-
-  it("Refresh button calls loadMemory", async () => {
-    mockGet.mockResolvedValue([]);
-    render(<MemoryTab workspaceId="ws-1" />);
-    await flush();
-    mockGet.mockClear();
-    fireEvent.click(screen.getByRole("button", { name: /refresh/i }));
-    await flush();
-    expect(mockGet).toHaveBeenCalledWith("/workspaces/ws-1/memory");
-  });
-
-});
@@ -40,7 +40,7 @@ vi.mock("../uploads", () => ({
 }));

 vi.mock("@/lib/api", () => ({
-  platformAuthHeaders: () => ({ Authorization: "Bearer test-token" }),
+  platformAuthHeaders: () => ({ Authorization: "Bearer fixture-token" }),
 }));

 // ─── Helpers ──────────────────────────────────────────────────────────────────
@@ -41,7 +41,7 @@ vi.mock("../uploads", () => ({
 }));

 vi.mock("@/lib/api", () => ({
-  platformAuthHeaders: () => ({ Authorization: "Bearer test-token" }),
+  platformAuthHeaders: () => ({ Authorization: "Bearer fixture-token" }),
 }));

 // ─── Helpers ──────────────────────────────────────────────────────────────────
@@ -42,7 +42,7 @@ vi.mock("../uploads", () => ({
 }));

 vi.mock("@/lib/api", () => ({
-  platformAuthHeaders: () => ({ Authorization: "Bearer test-token" }),
+  platformAuthHeaders: () => ({ Authorization: "Bearer fixture-token" }),
 }));

 // ─── Helpers ──────────────────────────────────────────────────────────────────
@@ -16,7 +16,7 @@ afterEach(cleanup);

 // Mock the auth-token env var so AttachmentImage's fetch doesn't
 // hit a real network. The fetch is itself mocked below.
-vi.stubEnv("NEXT_PUBLIC_ADMIN_TOKEN", "test-token");
+vi.stubEnv("NEXT_PUBLIC_ADMIN_TOKEN", "fixture-token");

 // Mock fetch so the AttachmentImage path can return a synthetic blob.
 // Tests override per-case to simulate success / 404 / network fail.
@@ -44,7 +44,7 @@ vi.mock("../uploads", () => ({
 }));

 vi.mock("@/lib/api", () => ({
-  platformAuthHeaders: () => ({ Authorization: "Bearer test-token" }),
+  platformAuthHeaders: () => ({ Authorization: "Bearer fixture-token" }),
 }));

 // ─── Helpers ──────────────────────────────────────────────────────────────────
@@ -43,7 +43,7 @@ vi.mock("../uploads", () => ({

 // Mock platformAuthHeaders so fetch gets auth headers
 vi.mock("@/lib/api", () => ({
-  platformAuthHeaders: () => ({ Authorization: "Bearer test-token" }),
+  platformAuthHeaders: () => ({ Authorization: "Bearer fixture-token" }),
 }));

 // ─── Helpers ──────────────────────────────────────────────────────────────────
@@ -143,46 +143,30 @@ afterEach(() => {

 // ── Tests ────────────────────────────────────────────────────────────────────

-/**
- * Drive the always-show-picker flow to completion: deploy() opens the
- * modal, then we click "keys added" to fire the actual POST. Centralised
- * here because as of the always-prompt change, every happy-path test
- * must click through the modal before asserting on POST.
- */
-async function deployThroughPicker<T>(
-  result: { current: ReturnType<typeof useTemplateDeploy> },
-  rerender: () => void,
-  template: Template,
-): Promise<void> {
-  await act(async () => {
-    await result.current.deploy(template);
-  });
-  rerender();
-  render(<>{result.current.modal}</>);
-  await act(async () => {
-    fireEvent.click(screen.getByTestId("modal-keys-added"));
-    // Let the fire-and-forget executeDeploy resolve.
-    await Promise.resolve();
-    await Promise.resolve();
-  });
-}
-
 describe("useTemplateDeploy — happy path", () => {
-  it("preflight ok → modal opens → keys-added → POST /workspaces → onDeployed fires", async () => {
+  it("preflight ok with no key requirements → POST /workspaces directly → onDeployed fires", async () => {
    const onDeployed = vi.fn();
-    const { result, rerender } = renderHook(() =>
+    const { result } = renderHook(() =>
      useTemplateDeploy({ onDeployed }),
    );

-    await deployThroughPicker(result, rerender, makeTemplate());
+    await act(async () => {
+      await result.current.deploy(makeTemplate({
+        id: "seo-agent",
+        name: "SEO Agent",
+        model: "MiniMax-M2.7",
+      }));
+    });

    expect(mockCheckDeploySecrets).toHaveBeenCalledTimes(1);
    expect(mockApiPost).toHaveBeenCalledWith(
      "/workspaces",
      expect.objectContaining({
-        name: "Claude Code",
-        template: "claude-code-default",
+        name: "SEO Agent",
+        template: "seo-agent",
        tier: 1,
+        model: "MiniMax-M2.7",
+        llm_provider: "minimax",
      }),
    );
    expect(onDeployed).toHaveBeenCalledWith("ws-new");
@@ -192,11 +176,13 @@ describe("useTemplateDeploy — happy path", () => {

  it("uses caller-supplied canvasCoords when provided", async () => {
    const canvasCoords = vi.fn(() => ({ x: 42, y: 99 }));
-    const { result, rerender } = renderHook(() =>
+    const { result } = renderHook(() =>
      useTemplateDeploy({ canvasCoords }),
    );

-    await deployThroughPicker(result, rerender, makeTemplate());
+    await act(async () => {
+      await result.current.deploy(makeTemplate());
+    });

    expect(canvasCoords).toHaveBeenCalledTimes(1);
    expect(mockApiPost).toHaveBeenCalledWith(
@@ -206,9 +192,11 @@ describe("useTemplateDeploy — happy path", () => {
  });

  it("falls back to random coords inside [100,500] × [100,400] when canvasCoords omitted", async () => {
-    const { result, rerender } = renderHook(() => useTemplateDeploy());
+    const { result } = renderHook(() => useTemplateDeploy());

-    await deployThroughPicker(result, rerender, makeTemplate());
+    await act(async () => {
+      await result.current.deploy(makeTemplate());
+    });

    const body = (mockApiPost as Mock).mock.calls[0]?.[1] as {
      canvas: { x: number; y: number };
@@ -458,16 +446,9 @@ describe("useTemplateDeploy — multi-provider always-ask flow", () => {
    );
  });

-  it("single-provider template ALSO opens picker when preflight.ok (always-prompt rule)", async () => {
-    // Default preflight mock: ok=true, providers=[]. claude-code is
-    // single-provider, but the always-prompt rule means the user must
-    // still click through the picker to confirm provider+model — even
-    // when keys are saved and the runtime has only one provider option.
-    // Reason: the user needs an explicit chance to override the
-    // template's default model (e.g. opus vs sonnet vs haiku) before
-    // an EC2 boots and burns billing on the wrong tier.
+  it("template with no provider requirements deploys directly on platform-managed defaults", async () => {
    const onDeployed = vi.fn();
-    const { result, rerender } = renderHook(() =>
+    const { result } = renderHook(() =>
      useTemplateDeploy({ onDeployed }),
    );

@@ -475,13 +456,18 @@ describe("useTemplateDeploy — multi-provider always-ask flow", () => {
      await result.current.deploy(makeTemplate());
    });

-    rerender();
    render(<>{result.current.modal}</>);

-    expect(screen.getByTestId("missing-keys-modal")).toBeTruthy();
-    // POST does NOT fire until the user confirms in the picker.
-    expect(mockApiPost).not.toHaveBeenCalled();
-    expect(onDeployed).not.toHaveBeenCalled();
+    expect(screen.queryByTestId("missing-keys-modal")).toBeNull();
+    expect(mockApiPost).toHaveBeenCalledWith(
+      "/workspaces",
+      expect.objectContaining({
+        template: "claude-code-default",
+        model: "claude-sonnet-4-5",
+        llm_provider: "anthropic",
+      }),
+    );
+    expect(onDeployed).toHaveBeenCalledWith("ws-new");
    expect(result.current.deploying).toBeNull();
  });

@@ -519,11 +505,13 @@ describe("useTemplateDeploy — POST failure", () => {
  it("POST rejection sets error and clears deploying", async () => {
    mockApiPost.mockRejectedValueOnce(new Error("server 500"));
    const onDeployed = vi.fn();
-    const { result, rerender } = renderHook(() =>
+    const { result } = renderHook(() =>
      useTemplateDeploy({ onDeployed }),
    );

-    await deployThroughPicker(result, rerender, makeTemplate());
+    await act(async () => {
+      await result.current.deploy(makeTemplate());
+    });

    expect(result.current.error).toBe("server 500");
    expect(result.current.deploying).toBeNull();
@@ -532,9 +520,11 @@ describe("useTemplateDeploy — POST failure", () => {

  it("non-Error rejection still surfaces a message (defensive)", async () => {
    mockApiPost.mockRejectedValueOnce("plain string");
-    const { result, rerender } = renderHook(() => useTemplateDeploy());
+    const { result } = renderHook(() => useTemplateDeploy());

-    await deployThroughPicker(result, rerender, makeTemplate());
+    await act(async () => {
+      await result.current.deploy(makeTemplate());
+    });

    expect(result.current.error).toBe("Deploy failed");
    expect(result.current.deploying).toBeNull();
@@ -55,6 +55,22 @@ interface MissingKeysInfo {
  preflight: PreflightResult;
 }

+function nativeProviderForClaudeCodeModel(model: string): string | undefined {
+  const trimmed = model.trim();
+  const lower = trimmed.toLowerCase();
+  if (!trimmed) return undefined;
+  if (lower.startsWith("minimax")) return "minimax";
+  if (lower.startsWith("kimi")) return "kimi-coding";
+  if (lower.startsWith("claude")) return "anthropic";
+  if (/^(sonnet|opus|haiku)$/.test(lower)) return "anthropic-oauth";
+  return undefined;
+}
+
+function isNativeClaudeCodeRuntime(template: Template): boolean {
+  const runtime = template.runtime ?? resolveRuntime(template.id);
+  return runtime === "claude-code";
+}
+
 export interface UseTemplateDeployResult {
  /** Template id currently being deployed (incl. the preflight
   *  network call), or null when idle. Callers pass this to disable
@@ -97,6 +113,10 @@ export function useTemplateDeploy(
      setDeploying(template.id);
      setError(null);
      try {
+        const selectedModel = model?.trim() || template.model?.trim();
+        const nativeProvider = isNativeClaudeCodeRuntime(template) && selectedModel
+          ? nativeProviderForClaudeCodeModel(selectedModel)
+          : undefined;
        const coords = canvasCoords
          ? canvasCoords()
          : {
@@ -108,7 +128,8 @@ export function useTemplateDeploy(
          template: template.id,
          tier: isSaaSTenant() ? 4 : template.tier,
          canvas: coords,
-          ...(model ? { model } : {}),
+          ...(selectedModel ? { model: selectedModel } : {}),
+          ...(nativeProvider ? { llm_provider: nativeProvider } : {}),
        });
        onDeployed?.(ws.id);
      } catch (e) {
@@ -144,8 +165,13 @@ export function useTemplateDeploy(
        setDeploying(null);
        return;
      }
-      // Always open the picker — every deploy goes through an
-      // explicit confirm-provider/model step. Reasons:
+      if (preflight.ok && preflight.providers.length === 0) {
+        await executeDeploy(template);
+        return;
+      }
+      // Open the picker whenever a template declares provider/key choices.
+      // Templates with no provider requirements deploy directly on the
+      // platform-managed default above. Reasons to keep the picker here:
      //   1. Multi-provider templates (e.g. hermes) need a per-
      //      workspace pick or the adapter falls back to its
      //      compiled-in default and 500s with "No LLM provider
@@ -164,7 +190,7 @@ export function useTemplateDeploy(
      setMissingKeysInfo({ template, preflight });
      setDeploying(null);
    },
-    [],
+    [executeDeploy],
  );

  // No useCallback here — consumers call this on every render anyway
@@ -32,8 +32,8 @@ const hermesModels: ModelSpec[] = [

 const HERMES: TemplateLike = { runtime: "hermes", models: hermesModels };

-const LANGGRAPH: TemplateLike = {
-  runtime: "langgraph",
+const CLAUDE_CODE: TemplateLike = {
+  runtime: "claude-code",
  required_env: ["OPENAI_API_KEY"],
 };

@@ -69,7 +69,7 @@ describe("providersFromTemplate", () => {
  });

  it("falls back to top-level required_env when no models[] are declared", () => {
-    const providers = providersFromTemplate(LANGGRAPH);
+    const providers = providersFromTemplate(CLAUDE_CODE);
    expect(providers).toHaveLength(1);
    expect(providers[0].envVars).toEqual(["OPENAI_API_KEY"]);
  });
@@ -151,10 +151,10 @@ describe("checkDeploySecrets", () => {
        ]),
    } as Response);

-    const result = await checkDeploySecrets(LANGGRAPH);
+    const result = await checkDeploySecrets(CLAUDE_CODE);
    expect(result.ok).toBe(true);
    expect(result.missingKeys).toEqual([]);
-    expect(result.runtime).toBe("langgraph");
+    expect(result.runtime).toBe("claude-code");
  });

  it("returns ok=true on a multi-provider template when ANY provider is configured", async () => {
@@ -195,7 +195,7 @@ describe("checkDeploySecrets", () => {
        ]),
    } as Response);

-    const result = await checkDeploySecrets(LANGGRAPH);
+    const result = await checkDeploySecrets(CLAUDE_CODE);
    expect(result.ok).toBe(false);
    expect(result.missingKeys).toEqual(["OPENAI_API_KEY"]);
  });
@@ -216,7 +216,7 @@ describe("checkDeploySecrets", () => {
        ]),
    } as Response);

-    await checkDeploySecrets(LANGGRAPH, "ws-123");
+    await checkDeploySecrets(CLAUDE_CODE, "ws-123");
    expect(global.fetch).toHaveBeenCalledWith(
      expect.stringContaining("/workspaces/ws-123/secrets"),
      expect.any(Object),
@@ -229,7 +229,7 @@ describe("checkDeploySecrets", () => {
      json: () => Promise.resolve([]),
    } as Response);

-    await checkDeploySecrets(LANGGRAPH);
+    await checkDeploySecrets(CLAUDE_CODE);
    expect(global.fetch).toHaveBeenCalledWith(
      expect.stringContaining("/settings/secrets"),
      expect.any(Object),
@@ -241,7 +241,7 @@ describe("checkDeploySecrets", () => {
      new Error("Network error"),
    );

-    const result = await checkDeploySecrets(LANGGRAPH);
+    const result = await checkDeploySecrets(CLAUDE_CODE);
    expect(result.ok).toBe(false);
    expect(result.missingKeys).toEqual(["OPENAI_API_KEY"]);
    // Empty Set on fetch failure — useTemplateDeploy relies on this
@@ -28,8 +28,8 @@ describe("isExternalLikeRuntime", () => {
      "docker",
      "local",
      "agent",
-      "crewai",
-      "langgraph",
+      "legacy-runtime",
+      "codex",
      "openclaw",
      "custom-runtime",
    ])("%q returns false", (runtime) => {
@@ -12,47 +12,35 @@ import { resolveRuntime } from "../deploy-preflight";

 describe("resolveRuntime", () => {
  describe("explicit runtime-map entries", () => {
-    it('maps "langgraph" to "langgraph"', () => {
-      expect(resolveRuntime("langgraph")).toBe("langgraph");
-    });
-
    it('maps "claude-code-default" to "claude-code"', () => {
      expect(resolveRuntime("claude-code-default")).toBe("claude-code");
    });

+    it('maps "codex" to "codex"', () => {
+      expect(resolveRuntime("codex")).toBe("codex");
+    });
+
+    it('maps "hermes" to "hermes"', () => {
+      expect(resolveRuntime("hermes")).toBe("hermes");
+    });
+
    it('maps "openclaw" to "openclaw"', () => {
      expect(resolveRuntime("openclaw")).toBe("openclaw");
    });
-
-    it('maps "deepagents" to "deepagents"', () => {
-      expect(resolveRuntime("deepagents")).toBe("deepagents");
-    });
-
-    it('maps "crewai" to "crewai"', () => {
-      expect(resolveRuntime("crewai")).toBe("crewai");
-    });
-
-    it('maps "autogen" to "autogen"', () => {
-      expect(resolveRuntime("autogen")).toBe("autogen");
-    });
  });

  describe("identity fallback for modern template ids", () => {
-    it("returns the id unchanged when not in the map", () => {
-      expect(resolveRuntime("hermes")).toBe("hermes");
-    });
-
    it("strips trailing -default suffix as fallback", () => {
      expect(resolveRuntime("hermes-default")).toBe("hermes");
    });

    it("strips -default only when it is the suffix", () => {
      // "default-something" should NOT strip
-      expect(resolveRuntime("default-langgraph")).toBe("default-langgraph");
+      expect(resolveRuntime("default-custom")).toBe("default-custom");
    });

    it("returns the id unchanged when id has no -default suffix", () => {
-      expect(resolveRuntime("gemini-cli")).toBe("gemini-cli");
+      expect(resolveRuntime("custom-runtime")).toBe("custom-runtime");
    });

    it("handles custom template ids from community templates", () => {
@@ -13,11 +13,9 @@ import { runtimeDisplayName } from "../runtime-names";
 describe("runtimeDisplayName", () => {
  it.each([
    ["claude-code", "Claude Code"],
-    ["langgraph", "LangGraph"],
-    ["deepagents", "DeepAgents"],
+    ["codex", "Codex"],
+    ["hermes", "Hermes"],
    ["openclaw", "OpenClaw"],
-    ["crewai", "CrewAI"],
-    ["autogen", "AutoGen"],
  ])("known runtime %q maps to %q", (input, expected) => {
    expect(runtimeDisplayName(input)).toBe(expected);
  });
@@ -25,7 +23,6 @@ describe("runtimeDisplayName", () => {
  it("unknown runtime falls back to the input string verbatim", () => {
    // A future runtime not yet in the lookup map should render with
    // its own id — better than a generic placeholder for ops debugging.
-    expect(runtimeDisplayName("hermes")).toBe("hermes");
    expect(runtimeDisplayName("custom-runtime-9000")).toBe(
      "custom-runtime-9000",
    );
@@ -43,6 +40,6 @@ describe("runtimeDisplayName", () => {
    // the input "for safety" doesn't silently change behavior — the
    // upstream slug is already normalized lowercase.
    expect(runtimeDisplayName("Claude-Code")).toBe("Claude-Code");
-    expect(runtimeDisplayName("LANGGRAPH")).toBe("LANGGRAPH");
+    expect(runtimeDisplayName("CODEX")).toBe("CODEX");
  });
 });
@@ -68,8 +68,7 @@ describe("provisionTimeoutForRuntime", () => {
  });

  it("returns 120_000 for any unknown runtime", () => {
-    expect(provisionTimeoutForRuntime("langgraph")).toBe(120_000);
-    expect(provisionTimeoutForRuntime("crewai")).toBe(120_000);
+    expect(provisionTimeoutForRuntime("legacy-runtime")).toBe(120_000);
    expect(provisionTimeoutForRuntime("some-new-runtime")).toBe(120_000);
  });

@@ -77,7 +76,7 @@ describe("provisionTimeoutForRuntime", () => {
    const cases: Array<[string | undefined, { provisionTimeoutMs?: number } | undefined]> = [
      [undefined, undefined],
      ["claude-code", undefined],
-      ["langgraph", { provisionTimeoutMs: 500_000 }],
+      ["claude-code", { provisionTimeoutMs: 500_000 }],
      [undefined, { provisionTimeoutMs: 45_000 }],
    ];
    for (const [runtime, overrides] of cases) {
@@ -23,6 +23,7 @@ const DEFAULT_TIMEOUT_MS = 35_000;

 export interface RequestOptions {
  timeoutMs?: number;
+  headers?: Record<string, string>;
 }

 /**
@@ -76,6 +77,7 @@ async function request<T>(
  const headers: Record<string, string> = {
    "Content-Type": "application/json",
    ...platformAuthHeaders(),
+    ...(options?.headers ?? {}),
  };
  // Re-read slug locally for the 401 handler below — `headers` already
  // has it, but the 401 branch needs the bare value to gate the
@@ -44,7 +44,7 @@ export const plans: Plan[] = [
    price: "$0",
    features: [
      "3 workspaces",
-      "Claude Code, LangGraph, OpenClaw runtimes",
+      "Claude Code, Codex, Hermes, OpenClaw runtimes",
      "Shared Redis + bounded storage",
      "Community support",
    ],
@@ -63,12 +63,10 @@ export interface Template extends TemplateLike {
 *  id needs a non-identity mapping. */
 export function resolveRuntime(templateId: string): string {
  const runtimeMap: Record<string, string> = {
-    langgraph: "langgraph",
    "claude-code-default": "claude-code",
+    codex: "codex",
+    hermes: "hermes",
    openclaw: "openclaw",
-    deepagents: "deepagents",
-    crewai: "crewai",
-    autogen: "autogen",
  };
  return runtimeMap[templateId] ?? templateId.replace(/-default$/, "");
 }
@@ -4,11 +4,9 @@

 const RUNTIME_NAMES: Record<string, string> = {
  "claude-code": "Claude Code",
-  langgraph: "LangGraph",
-  deepagents: "DeepAgents",
+  codex: "Codex",
+  hermes: "Hermes",
  openclaw: "OpenClaw",
-  crewai: "CrewAI",
-  autogen: "AutoGen",
  kimi: "Kimi",
  "kimi-cli": "Kimi CLI",
 };
@@ -49,7 +49,7 @@ export interface RuntimeProfile {
 }

 /** The floor every runtime inherits unless it overrides. Calibrated for
- *  docker-local fast runtimes (claude-code, langgraph, crewai) where cold
+ *  docker-local fast runtimes (claude-code, codex, openclaw) where cold
 *  boot is 30-90s. */
 export const DEFAULT_RUNTIME_PROFILE: Required<
  Pick<RuntimeProfile, "provisionTimeoutMs">
@@ -528,6 +528,7 @@ export function buildNodesAndEdges(
        // A2A delivery mode (task #227). Absent on older ws-server builds
        // — leave undefined so the chat UI's "?? 'push'" fallback applies.
        deliveryMode: ws.delivery_mode,
+        compute: ws.compute,
      },
    };
    if (hasParent) {
@@ -7,7 +7,7 @@ import {
 } from "@xyflow/react";
 import { api } from "@/lib/api";
 import { showToast } from "@/components/Toaster";
-import type { WorkspaceData, WSMessage } from "./socket";
+import type { WorkspaceCompute, WorkspaceData, WSMessage } from "./socket";
 import { handleCanvasEvent } from "./canvas-events";
 import { markDeleted, wasRecentlyDeleted } from "./deleteTombstones";
 import {
@@ -130,6 +130,14 @@ export interface WorkspaceNodeData extends Record<string, unknown> {
   *  builds — that fallthrough is treated as "push" to match
   *  ws-server's `lookupDeliveryMode` default. */
  deliveryMode?: string;
+  /** Desired EC2/container shape persisted in workspaces.compute. Applied
+   *  at next restart/reprovision, and used to determine Display tab
+   *  availability. */
+  compute?: WorkspaceCompute;
+  /** Runtime image changed through Container Config; next restart must
+   *  re-apply the runtime-default template instead of reusing the old
+   *  config volume. UI-only, cleared after restart. */
+  applyTemplateOnRestart?: boolean;
 }

 export type PanelTab = "details" | "skills" | "chat" | "terminal" | "display" | "container-config" | "config" | "schedule" | "channels" | "files" | "memory" | "traces" | "events" | "activity" | "audit";
@@ -168,7 +176,7 @@ interface CanvasState {
  setPanelTab: (tab: PanelTab) => void;
  getSelectedNode: () => Node<WorkspaceNodeData> | null;
  updateNodeData: (id: string, data: Partial<WorkspaceNodeData>) => void;
-  restartWorkspace: (id: string) => Promise<void>;
+  restartWorkspace: (id: string, options?: { applyTemplate?: boolean }) => Promise<void>;
  removeNode: (id: string) => void;
  /** Remove a node AND every descendant in one atomic update. Mirrors
   *  the server-side cascade — `DELETE /workspaces/:id?confirm=true`
@@ -329,8 +337,11 @@ export const useCanvasStore = create<CanvasState>((set, get) => ({
  },
  batchDelete: async () => {
    const ids = Array.from(get().selectedNodeIds);
+    const names = new Map(get().nodes.map((node) => [node.id, node.data.name]));
    const results = await Promise.allSettled(
-      ids.map((id) => api.del(`/workspaces/${id}`))
+      ids.map((id) => api.del(`/workspaces/${id}`, {
+        headers: { "X-Confirm-Name": names.get(id) ?? "" },
+      }))
    );
    const failed: string[] = [];
    results.forEach((r, i) => {
@@ -821,9 +832,10 @@ export const useCanvasStore = create<CanvasState>((set, get) => ({
    });
  },

-  restartWorkspace: async (id) => {
-    await api.post(`/workspaces/${id}/restart`);
-    get().updateNodeData(id, { needsRestart: false });
+  restartWorkspace: async (id, options) => {
+    const body = options?.applyTemplate ? { apply_template: true } : undefined;
+    await api.post(`/workspaces/${id}/restart`, body);
+    get().updateNodeData(id, { needsRestart: false, applyTemplateOnRestart: false });
  },

  removeNode: (id) => {
@@ -354,6 +354,20 @@ export interface WorkspaceData {
   *  collapsing the spinner the moment the synchronous queued-200 returns
   *  (task #227 — external/MCP workspaces had no progress UX). */
  delivery_mode?: string;
+  compute?: WorkspaceCompute;
+}
+
+export interface WorkspaceCompute {
+  instance_type?: string;
+  volume?: {
+    root_gb?: number;
+  };
+  display?: {
+    mode?: string;
+    protocol?: string;
+    width?: number;
+    height?: number;
+  };
 }

 let socket: ReconnectingSocket | null = null;
@@ -0,0 +1,9 @@
+declare module "@novnc/novnc" {
+  export default class RFB extends EventTarget {
+    scaleViewport: boolean;
+    resizeSession: boolean;
+    focusOnClick: boolean;
+    constructor(target: HTMLElement, url: string, options?: { wsProtocols?: string[]; [key: string]: unknown });
+    disconnect(): void;
+  }
+}
@@ -27,7 +27,7 @@ of the following:

 | Endpoint | Impact |
 |----------|--------|
-| `GET /admin/workspaces/:id/test-token` | Mint a fresh bearer token for any workspace |
+| `POST /admin/workspaces/:id/tokens` | Mint a fresh real bearer token for any workspace |
 | `DELETE /workspaces/:id` | Delete any workspace and auto-revoke its tokens |
 | `PUT /settings/secrets` / `POST /admin/secrets` | Overwrite any global secret (env-poisons every agent on restart) |
 | `DELETE /settings/secrets/:key` / `DELETE /admin/secrets/:key` | Delete any global secret; same fan-out restart |
@@ -68,8 +68,9 @@ malicious workspace with a pre-configured `initial_prompt` and elevated secrets.
 - **`ValidateAnyToken` removed-workspace JOIN** — tokens belonging to deleted
  workspaces are filtered at the DB layer (PR #682 defense-in-depth) so
  post-deletion token replay is blocked.
- **`MOLECULE_ENV=production` gate** — hides the `/admin/workspaces/:id/test-token`
-  endpoint in production deployments unless `MOLECULE_ENABLE_TEST_TOKENS=1`.
+- **Production token mint route** — production and staging automation use
+  `POST /admin/workspaces/:id/tokens`; development-only shortcuts are not part
+  of the production contract.

 ## Phase-H remediation plan

@@ -2,14 +2,14 @@

 ## Overview

-The workspace runtime uses a **pluggable adapter architecture** — each agent infrastructure (Claude Code, OpenClaw, LangGraph, CrewAI, AutoGen, etc.) has its own adapter that bridges the A2A protocol to the infra's native interface.
+The workspace runtime uses a **pluggable adapter architecture** — each maintained agent infrastructure (Claude Code, Codex, Hermes, OpenClaw) has its own adapter that bridges the A2A protocol to the infra's native interface.

 Adapters live in `workspace/adapters/<runtime>/` and are auto-discovered at startup. Each adapter implements `BaseAdapter` (from `adapters/base.py`) with `setup()` and `create_executor()` methods.

 The runtime is selected via `config.yaml`:

 ```yaml
-runtime: claude-code    # or: langgraph, openclaw, deepagents, crewai, autogen
+runtime: claude-code    # or: codex, hermes, openclaw
 runtime_config:
  model: sonnet
  auth_token_file: .auth-token
@@ -18,7 +18,7 @@ runtime_config:

 ## How It Works

-The unified `workspace-template` Docker image includes both Python (LangGraph) and Node.js (CLI runtimes). At startup, `main.py` checks the `runtime` field in `config.yaml`, discovers the matching adapter in `adapters/<runtime>/`, calls `adapter.setup(config)` then `adapter.create_executor(config)` to get an `AgentExecutor` that handles A2A requests.
+The unified runtime checks the `runtime` field in `config.yaml`, discovers the matching adapter, calls `adapter.setup(config)` then `adapter.create_executor(config)` to get an `AgentExecutor` that handles A2A requests.

 ```
 A2A request arrives
@@ -28,7 +28,7 @@ AgentExecutor.execute(context, event_queue)
      |  - extracts user message from A2A parts
      |  - extracts conversation history from params.metadata.history
      |  - sets current_task on heartbeat (shows on canvas card)
-      |  - invokes the runtime (LangGraph graph, CLI subprocess, etc.)
+      |  - invokes the runtime adapter
      v
 Response → A2A event queue → JSON-RPC response
 ```
@@ -37,9 +37,9 @@ Response → A2A event queue → JSON-RPC response

 Chat sessions in the Canvas UI send prior messages (up to 20) via `params.metadata.history` in each A2A `message/send` request. Executors extract this history:

- **LangGraph/DeepAgents**: Prepends history as `("human", text)` / `("ai", text)` tuples to the LangGraph message list
- **CrewAI/AutoGen**: Prepends history as a text prefix in the task description (`"Conversation so far:\n..."`)
 - **Claude Code**: Uses `--resume <session_id>` for native session continuity (history not needed)
+- **Codex**: Uses the Codex runtime's native session state
+- **Hermes**: Uses Hermes' agent runtime session handling
 - **OpenClaw**: Uses `--session-id` for native session continuity

 ### Current Task Reporting
@@ -48,10 +48,6 @@ All executors update the workspace's `current_task` via the heartbeat during exe

 ## Built-in Adapters

-### LangGraph (`runtime: langgraph`) — Default
-
-Full Python agent with LangGraph ReAct pattern. Supports skills, tools, plugins, peer coordination, and team routing.
-
 ### Claude Code (`runtime: claude-code`)

 ```yaml
@@ -71,35 +67,18 @@ The SDK uses the same Claude Code engine under the hood — plugins, CLAUDE.md d

 **Important:** Claude Code refuses to run as root with `--dangerously-skip-permissions`. The Dockerfile creates a non-root `agent` user.

-### CrewAI (`runtime: crewai`)
-
-Role-based multi-agent framework. Creates a CrewAI Agent + Task + Crew per request with A2A delegation tools (`delegate_to_peer`, `list_available_peers`).
+### Codex (`runtime: codex`)

 ```yaml
-runtime: crewai
-model: openrouter:google/gemini-2.5-flash
+runtime: codex
+model: openai/gpt-5.3-codex
 ```

-**Auth:** Uses `OPENROUTER_API_KEY` or `OPENAI_API_KEY` env var.
-
-### AutoGen (`runtime: autogen`)
-
-Microsoft AutoGen AssistantAgent with tool use. Creates an `AssistantAgent` per request with A2A delegation tools.
+### Hermes (`runtime: hermes`)

 ```yaml
-runtime: autogen
-model: openai:gpt-4.1-mini
-```
-
-**Auth:** Uses `OPENAI_API_KEY` env var.
-
-### DeepAgents (`runtime: deepagents`)
-
-LangGraph-based agent with deep planning capabilities. Uses the same `LangGraphA2AExecutor` as the default runtime but with a specialized agent setup including delegation, memory, and search tools.
-
-```yaml
-runtime: deepagents
-model: openrouter:google/gemini-2.5-flash
+runtime: hermes
+model: openai/gpt-4o
 ```

 ### OpenClaw (`runtime: openclaw`)
@@ -219,9 +198,9 @@ a2a info                           # Show workspace info

 Both approaches use the same backend: platform registry for discovery, A2A protocol for messaging, and access control enforcement (parent↔child, siblings only).

-## Workspace Awareness
+## Memory Tools

-CLI runtimes keep the same memory tool surface as the Python runtime. When `AWARENESS_URL` and `AWARENESS_NAMESPACE` are injected into the workspace, `commit_memory` and `search_memory` route to the workspace's own awareness namespace instead of the fallback platform memory API. This keeps the agent contract stable while giving each workspace an isolated memory scope.
+CLI runtimes keep the same memory tool surface as the Python runtime: `commit_memory` / `commit_memory_v2` / `search_memory` / `commit_summary` / `forget_memory` are exposed via the workspace's MCP bridge and route through the platform's v2 memory plugin under the workspace's `workspace:<id>` namespace. See [Memory Architecture](../architecture/memory.md) for the backend.

 ## Task Status Reporting

@@ -103,8 +103,6 @@ env:
  required:
    - ANTHROPIC_API_KEY
  optional:
-    - AWARENESS_URL
-    - AWARENESS_NAMESPACE
    - ANTHROPIC_BASE_URL
    - OPENAI_BASE_URL
    - GSC_CLIENT_ID
@@ -4,13 +4,11 @@ The `workspace/` directory is Molecule AI's unified runtime image. Every provisi

 ## Runtime Matrix In Current `main`

-Current `main` ships six adapters:
+Current `main` ships four maintained adapters:

- `langgraph`
- `deepagents`
 - `claude-code`
- `crewai`
- `autogen`
+- `codex`
+- `hermes`
 - `openclaw`

 This is the merged runtime surface today. Branch-level experiments such as NemoClaw are separate and should be treated as roadmap/WIP, not merged support.
@@ -27,7 +25,7 @@ Adapter-specific behavior is documented in [Agent Runtime Adapters](./cli-runtim
 - serving A2A over HTTP
 - registering with the platform and sending heartbeats
 - reporting activity and task state
- integrating with awareness-backed memory when configured
+- proxying durable memory tools through the v2 memory plugin
 - hot-reloading skills while the workspace is running

 ## Environment Model
@@ -39,8 +37,6 @@ WORKSPACE_ID=ws-123
 WORKSPACE_CONFIG_PATH=/configs
 PLATFORM_URL=http://platform:8080
 PARENT_ID=
-AWARENESS_URL=http://awareness:37800
-AWARENESS_NAMESPACE=workspace:ws-123
 LANGFUSE_HOST=http://langfuse-web:3000
 LANGFUSE_PUBLIC_KEY=...
 LANGFUSE_SECRET_KEY=...
@@ -49,8 +45,7 @@ LANGFUSE_SECRET_KEY=...
 Important behavior:

 - `WORKSPACE_CONFIG_PATH` points at the mounted config directory for that workspace.
- `AWARENESS_URL` + `AWARENESS_NAMESPACE` enable workspace-scoped awareness-backed memory.
- If awareness is absent, runtime memory tools fall back to the platform memory endpoints for compatibility.
+- Memory MCP tools route through the platform's v2 memory plugin (see Memory Architecture doc); there is no per-workspace memory env var anymore — the plugin sidecar is provisioned at the tenant EC2 boundary.

 ## Startup Sequence

@@ -82,8 +77,7 @@ At a high level, `workspace/main.py` does this:
 | `skills/loader.py` | Parses `SKILL.md`, loads tool modules, returns loaded skill metadata |
 | `skills/watcher.py` | Hot reload path for skill changes |
 | `plugins.py` | Scans mounted plugins for shared rules, prompt fragments, and extra skills |
-| `tools/memory.py` | Agent memory tools |
-| `tools/awareness_client.py` | Awareness-backed persistence wrapper |
+| `tools/memory.py` | Agent memory tools (route through the platform's v2 memory plugin via the workspace-server proxy) |
 | `coordinator.py` | Coordinator-only delegation path for team leads |

 ## Skills, Plugins, And Hot Reload
@@ -103,23 +97,28 @@ Hot reload matters because the runtime is designed to keep a workspace alive whi

 The watcher rescans the skill package, rebuilds the agent tool surface, and updates the Agent Card so peers and the canvas reflect the new capabilities.

-## Awareness And Memory Integration
+## Memory Integration

 The runtime keeps the agent-facing contract stable:

- `commit_memory(content, scope)`
- `search_memory(query, scope)`
+- `commit_memory(content, scope)` — legacy MCP name, routed through the
+  v2 plugin's scope→namespace shim
+- `commit_memory_v2(content, namespace)` — direct v2 surface
+- `search_memory(query, namespace?)` — v2 plugin search with FTS +
+  semantic scoring when the plugin declares the capability

-When awareness is configured:
+All writes land in the workspace's `workspace:<workspace_id>` namespace
+unless the agent passes an explicit one. Cross-workspace namespaces
+(`team:<root>`, `org:<root>`) follow the platform's namespace ACL
+(`internal/memory/namespace/resolver.go`). There is no per-workspace
+memory env var on the runtime side — the plugin lives on the tenant
+EC2 at `localhost:9100`, spawned by `entrypoint-tenant.sh` when
+`MEMORY_PLUGIN_URL` is present in the tenant-server's env (CP
+user-data injects it during tenant provisioning). The workspace-server
+proxies all memory calls through that sidecar.

- the tools route durable facts to the workspace's own awareness namespace
- the namespace defaults to `workspace:<workspace_id>` unless explicitly overridden
-
-When awareness is not configured:
-
- the same tools fall back to the platform memory endpoints
-
-That design lets the platform improve the backend memory boundary without forcing every agent prompt or tool signature to change.
+See [Memory Architecture](../architecture/memory.md) for the full
+backend story.

 ## Coordinator Enforcement

@@ -90,8 +90,6 @@ Poll `GET /workspaces/:id/delegations` to check results. Each entry includes `de

 This is the recommended way for agents to delegate work — it works for all runtimes (Claude Code, LangGraph, etc.) since it operates at the platform level.

-Workspace creation also assigns an `awareness_namespace` on the workspace row. That namespace is later injected into the provisioned runtime.
-
 ### Registry

 | Method | Path | Description | Auth |
@@ -26,7 +26,7 @@ Full contract: `docs/runbooks/admin-auth.md`.
 |--------|------|---------|
 | GET | /health | inline |
 | GET | /metrics | metrics.Handler() — Prometheus text format; no auth, scrape-safe |
-| POST/GET/PATCH/DELETE | /workspaces[/:id] | workspace.go — `GET /workspaces`, `POST /workspaces`, and `DELETE /workspaces/:id` require `AdminAuth`. `PATCH /workspaces/:id` enforces field-level authz: cosmetic fields (name, role, x, y, canvas) pass through; sensitive fields (tier, parent_id, runtime, workspace_dir) require a valid bearer token when any live token exists. |
+| POST/GET/PATCH/DELETE | /workspaces[/:id] | workspace.go — `GET /workspaces`, `POST /workspaces`, and `DELETE /workspaces/:id` require `AdminAuth`. `DELETE /workspaces/:id` also requires `X-Confirm-Name: <workspace name>`; cascading deletes still require `?confirm=true`. `PATCH /workspaces/:id` enforces field-level authz: cosmetic fields (name, role, x, y, canvas) pass through; sensitive fields (tier, parent_id, runtime, workspace_dir) require a valid bearer token when any live token exists. |
 | GET/PATCH | /workspaces/:id/config | workspace.go |
 | GET/POST | /workspaces/:id/memory | workspace.go |
 | DELETE | /workspaces/:id/memory/:key | workspace.go |
@@ -38,7 +38,7 @@ Full contract: `docs/runbooks/admin-auth.md`.
 | GET | /settings/secrets | secrets.go — list global secrets (keys only, values masked) |
 | PUT/POST | /settings/secrets | secrets.go — set a global secret `{key, value}`; auto-restarts every non-paused/non-removed/non-external workspace that does not shadow the key with a workspace-level override |
 | DELETE | /settings/secrets/:key | secrets.go — delete a global secret; same auto-restart fan-out as PUT/POST |
-| GET | /admin/workspaces/:id/test-token | admin_test_token.go — mint a fresh bearer token for E2E scripts; returns 404 unless `MOLECULE_ENV != production` or `MOLECULE_ENABLE_TEST_TOKENS=1` |
+| POST | /admin/workspaces/:id/tokens | admin_workspace_tokens.go — mint a real workspace bearer token; requires `AdminAuth`; plaintext is returned once |
 | GET/POST/DELETE | /admin/secrets[/:key] | secrets.go — legacy aliases for /settings/secrets |
 | WS | /workspaces/:id/terminal | terminal.go |
 | POST/GET | /workspaces/:id/approvals | approvals.go |
@@ -103,7 +103,7 @@ Migration files live in `workspace-server/migrations/` (latest: `022_workspace_s

 | Table | Description |
 |-------|-------------|
-| `workspaces` | Core entity — status, runtime, `agent_card` JSONB, heartbeat columns, `current_task`, `awareness_namespace`, `workspace_dir` |
+| `workspaces` | Core entity — status, runtime, `agent_card` JSONB, heartbeat columns, `current_task`, `workspace_dir` |
 | `canvas_layouts` | Per-workspace x/y canvas position |
 | `structure_events` | Append-only event log (workspace lifecycle, agent, approval events) |
 | `activity_logs` | A2A communications, task updates, agent logs, errors. `error_detail` is populated by the scheduler so cron run history can surface failure reasons. |
@@ -6,6 +6,8 @@ Molecule AI's memory model is built around one principle:

 That is the purpose of **HMA: Hierarchical Memory Architecture**.

+The organizational boundary is enforced **physically**, not at the application layer: each org runs as its own tenant on its own EC2, with its own memory plugin sidecar and its own Postgres. Memory writes are loopback-only — never cross-tenant. See [`workspace-placement.md`](workspace-placement.md) for the architecture contract that makes HMA tenant-isolated by construction.
+
 ## The Three Scopes

 | Scope | Meaning | Intended use |
@@ -47,18 +49,26 @@ It is useful for structured per-workspace state and optional TTL entries. It is

 `GET /workspaces/:id/session-search` provides a thin recall surface over recent activity rows and memory rows. It is for “what just happened in this workspace?” rather than long-term semantic storage.

-### 4. Awareness-backed persistence
+### 4. Memory v2 plugin (`memory_records` / `memory_namespaces`)

-When the runtime receives:
+This is the production-direction backend, behind the RFC #2728 HTTP
+contract. The plugin runs as a sidecar on each tenant EC2 (auto-spawned
+by `entrypoint-tenant.sh` when `MEMORY_PLUGIN_URL` is set), owns its
+own tables under the `memory_plugin` schema, and serves:

-```bash
-AWARENESS_URL=...
-AWARENESS_NAMESPACE=workspace:<id>
-```
+- `POST /workspaces/:id/v2/memories` (canvas `MemoryInspectorPanel`)
+- `GET /workspaces/:id/v2/memories`
+- `DELETE /workspaces/:id/v2/memories/:id`
+- runtime tools `commit_memory_v2`, `search_memory`, `commit_summary`,
+  `forget_memory`
+- legacy MCP tool names `commit_memory` / `recall_memory` via the
+  scope→namespace shim in `mcp_tools_memory_legacy_shim.go`

-the same memory tools keep the same interface, but durable memory writes/reads are routed through the workspace's awareness namespace.
-
-This is the current production direction of the memory boundary: stable tool surface, stronger backend isolation.
+Capability negotiation (FTS, embedding, TTL, pin, propagation) is
+declared by the plugin via `GET /v1/health`; workspace-server adapts
+the tool surface to what the plugin actually supports. See
+[`memory-plugin-v1.yaml`](../api-protocol/memory-plugin-v1.yaml) for
+the full wire contract.

 ## Access Model

@@ -121,7 +131,7 @@ If you need:
 - **org-wide guidance**: use `GLOBAL`
 - **simple UI-visible structured state**: use `workspace_memory`
 - **recent decision/task recall**: use `session-search`
- **stronger durable isolation**: enable awareness namespaces
+- **semantic / FTS search across memories**: use the v2 plugin endpoints (`/v2/memories?q=…`); they go through the plugin's pgvector + tsvector indexes when the plugin declares the capability

 ## Related Docs

@@ -84,6 +84,8 @@ Six runtime adapters ship production-ready on `main`: LangGraph, DeepAgents, Cla

 ## 3. System Architecture

+> **Workspace placement contract:** every Molecule org runs as a fully isolated tenant on its own EC2, with workspace-server, memory plugin, Postgres, and Redis all co-located. The platform (controlplane on Railway) handles provisioning, billing, and DNS only — it never holds tenant data. See [`workspace-placement.md`](workspace-placement.md) for the formal RFC.
+
 ### System Boundary Diagram

 ```
@@ -426,10 +428,10 @@ submitted → working → completed

 | Surface | Storage | Endpoint | Purpose |
 |---------|---------|----------|---------|
-| **Scoped agent memory** | `agent_memories` table | `POST /workspaces/:id/memories` | HMA-backed distributed memory with scope enforcement |
-| **Key/value workspace memory** | `workspace_memory` table | `POST /workspaces/:id/memory` | Simple structured state, UI-visible, optional TTL |
-| **Activity recall** | `activity_logs` + `agent_memories` | `GET /workspaces/:id/session-search` | "What just happened?" contextual recall |
-| **Awareness-backed** | External service | Same tool interface | When `AWARENESS_URL` + `AWARENESS_NAMESPACE` configured |
+| **Memory v2 plugin (SSOT)** | `memory_plugin.memory_records` table via RFC #2728 HTTP plugin | `POST /workspaces/:id/v2/memories`, MCP tools `commit_memory` / `commit_memory_v2` / `commit_summary` | Production memory backend — agent reads/writes route through here exclusively |
+| **Key/value workspace memory** | `workspace_memory` table | `POST /workspaces/:id/memory` | Simple structured state, UI-visible, optional TTL — separate from agent memory |
+| **Activity recall** | `activity_logs` + `agent_memories` (legacy read-only) | `GET /workspaces/:id/session-search` | "What just happened?" contextual recall |
+| **Legacy `agent_memories`** | `agent_memories` table | `POST /workspaces/:id/memories` (REST) | Frozen post-A1 — kept only for the REST canvas-side path; the workspace-create `seedInitialMemories` writer routes through the v2 plugin once #1755 (PR #1759) lands. Scheduled for drop in Phase A3 (#1733). |

 ### Memory → Skill Compounding Flywheel

@@ -511,7 +513,7 @@ description: ""
 version: "1.0.0"
 tier: 2                                    # 1=sandboxed, 2=standard, 3=privileged, 4=full-host
 model: "anthropic:claude-sonnet-4-6"       # provider:model syntax
-runtime: "langgraph"                       # langgraph | deepagents | claude-code | crewai | autogen | openclaw
+runtime: "claude-code"                     # claude-code | codex | hermes | openclaw
 runtime_config:                            # Runtime-specific settings
  command: "claude"                        # For CLI runtimes
  args: []
@@ -565,15 +567,13 @@ compliance:
  max_task_duration_seconds: 300
 ```

-### Six Runtime Adapters
+### Four Runtime Adapters

 | Adapter | Core Strength | Image Tag |
 |---------|--------------|-----------|
-| **LangGraph** | Graph-based state machine, tool use, streaming | `workspace-template:langgraph` |
-| **DeepAgents** | Deep planning, multi-step task decomposition | `workspace-template:deepagents` |
 | **Claude Code** | Native coding workflows, CLI continuity, OAuth auth | `workspace-template:claude-code` |
-| **CrewAI** | Role-based crews, structured task orchestration | `workspace-template:crewai` |
-| **AutoGen** | Multi-agent conversations, explicit strategies | `workspace-template:autogen` |
+| **Codex** | OpenAI Codex coding workflows | `workspace-template:codex` |
+| **Hermes** | Hermes agent runtime | `workspace-template:hermes` |
 | **OpenClaw** | CLI-native runtime, own session model | `workspace-template:openclaw` |

 **Branch-level WIP**: NemoClaw (NVIDIA T4 + Docker socket) on `feat/nemoclaw-t4-docker`.
@@ -740,7 +740,6 @@ requires:
 | `hitl.py` | Multi-channel HITL (dashboard, Slack, email) | hitl.bypass_roles |
 | `sandbox.py` | Code execution (subprocess or Docker backend) | sandbox access |
 | `telemetry.py` | OpenTelemetry span creation and tracing | trace emission |
-| `awareness_client.py` | Awareness namespace memory wrapper | memory scope |
 | `security_scan.py` | CVE and security scanning (pip-audit/Snyk) | security audit |
 | `temporal_workflow.py` | Temporal.io workflow integration | workflow engine |
 | `a2a_tools.py` | A2A delegation helpers and route resolution | delegate/receive |
@@ -749,8 +748,7 @@ requires:

 | Server | Purpose |
 |--------|---------|
-| `molecule` | 20+ platform management tools (workspace CRUD, chat, memory, teams, secrets, files, approvals) |
-| `awareness-memory` | Persistent cross-session memory via Awareness SDK |
+| `molecule` | 20+ platform management tools (workspace CRUD, chat, memory, teams, secrets, files, approvals) — includes `commit_memory` / `commit_memory_v2` / `search_memory` routed through the v2 plugin |

 ---

@@ -909,7 +907,7 @@ Postgres + Redis + Langfuse only (for local development without containerized wo
 | `CORS_ORIGINS` | `http://localhost:3000,...` | CORS whitelist |
 | `RATE_LIMIT` | `600` | Requests per minute |
 | `WORKSPACE_DIR` | Optional | Shared workspace volume |
-| `AWARENESS_URL` | Optional | Awareness service URL |
+| `MEMORY_PLUGIN_URL` | Unset by default | v2 memory plugin sidecar address. Typically set externally — CP user-data injects `http://localhost:9100` on tenant EC2 boot, which `entrypoint-tenant.sh` reads as the signal to spawn the bundled `memory-plugin` sidecar on the matching loopback port. When unset, today (pre-#1747) the legacy `agent_memories` SQL path is used as silent fallback; after #1747 (RFC #1733 Phase A1) lands, memory MCP tools return a "plugin not configured" error instead. |

 ### Canvas (Next.js)

@@ -927,8 +925,6 @@ Postgres + Redis + Langfuse only (for local development without containerized wo
 | `WORKSPACE_CONFIG_PATH` | `/configs` | Config directory mount |
 | `PLATFORM_URL` | `http://platform:8080` | Platform connection |
 | `PARENT_ID` | Empty | Parent workspace ID (set if nested) |
-| `AWARENESS_URL` | Optional | Awareness service |
-| `AWARENESS_NAMESPACE` | Optional | Scoped namespace for awareness memory |
 | `LANGFUSE_HOST` | `http://langfuse-web:3000` | Langfuse endpoint |
 | `LANGFUSE_PUBLIC_KEY` | Optional | Langfuse auth |
 | `LANGFUSE_SECRET_KEY` | Optional | Langfuse auth |
@@ -1091,20 +1087,6 @@ Every Tier 1 launch (Open Interpreter, CrewAI) had all four elements.
 }
 ```

-### Awareness MCP Server
-
-For persistent cross-session memory:
-
-```json
-{
-  "awareness-memory": {
-    "type": "stdio",
-    "command": "npx",
-    "args": ["-y", "@awareness-sdk/local", "mcp"]
-  }
-}
-```
-
 ---

 ## 29. Summary Statistics
@@ -44,7 +44,7 @@ All three call `onWorkspaceOffline`, which broadcasts `WORKSPACE_OFFLINE` and ca

 ### Template Resolution (Workspace Create)

-Runtime detection happens **before** the DB insert: if `payload.Runtime` is empty and a template is specified, the handler reads `runtime:` from `configsDir/template/config.yaml` first. If still empty, it defaults to `"langgraph"`. This ensures the correct runtime (e.g. `claude-code`) is persisted in the DB and used for container image selection.
+Runtime detection happens **before** the DB insert: if `payload.Runtime` is empty and a template is specified, the handler reads `runtime:` from `configsDir/template/config.yaml` first. If still empty, it defaults to `"claude-code"`. This ensures the correct runtime is persisted in the DB and used for container image selection.

 When the requested template does not exist, the Create handler falls back in order:

@@ -0,0 +1,194 @@
+# Workspace placement — org-per-EC2 architecture
+
+Status: Accepted (implicit since 2026-05; formalized 2026-05-24)
+Owners: hongming (CTO), cui (CEO)
+Tracking: #1793
+
+This RFC formalizes the architecture decision that has been implicit in the system since the post-suspension rebuild: **each Molecule AI org is one isolated tenant on its own EC2 instance**, with every functional surface (workspace-server, memory plugin, Postgres, Redis, canvas) co-located on that instance. The platform's role is provisioning, billing, and the cross-tenant control plane — never the data path.
+
+The implementation already follows this pattern in every direction we look (provisioner, memory v2 cutover, tenant entrypoint, controlplane user-data, even the OSS deploy story). Writing it down so it stays that way.
+
+## TL;DR
+
+```
+                ┌──────────────────────────────────┐
+                │  Platform (controlplane)         │
+                │  Railway-hosted                  │
+                │  api.moleculesai.app             │
+                │                                  │
+                │  - org provisioning              │
+                │  - billing + Stripe integration  │
+                │  - DNS + tunnel orchestration    │
+                │  - auth / org-token issuance     │
+                │  - fleet redeploy orchestration  │
+                │                                  │
+                │  NEVER holds tenant data         │
+                └──────────────────────────────────┘
+                         │                      │
+              provision  │                      │  provision
+              + billing  │                      │  + billing
+                         ▼                      ▼
+       ┌─────────────────────────┐    ┌─────────────────────────┐
+       │  Tenant: agents-team    │    │  Tenant: <other-org>    │
+       │  Own EC2 (us-east-2)    │    │  Own EC2 (us-east-2)    │
+       │  agents-team.molecule.. │    │  <slug>.moleculesai.app │
+       │                         │    │                         │
+       │  ┌───────────────────┐  │    │  ┌───────────────────┐  │
+       │  │ molecule-tenant   │  │    │  │ molecule-tenant   │  │
+       │  │ (workspace-server │  │    │  │ (workspace-server │  │
+       │  │  + canvas + go)   │  │    │  │  + canvas + go)   │  │
+       │  └───────────────────┘  │    │  └───────────────────┘  │
+       │  ┌───────────────────┐  │    │  ┌───────────────────┐  │
+       │  │ memory-plugin     │  │    │  │ memory-plugin     │  │
+       │  │ (loopback :9100)  │  │    │  │ (loopback :9100)  │  │
+       │  └───────────────────┘  │    │  └───────────────────┘  │
+       │  ┌───────────────────┐  │    │  ┌───────────────────┐  │
+       │  │ postgres pgvector │  │    │  │ postgres pgvector │  │
+       │  │ (172.17.0.1:5432) │  │    │  │ (172.17.0.1:5432) │  │
+       │  └───────────────────┘  │    │  └───────────────────┘  │
+       │  ┌───────────────────┐  │    │  ┌───────────────────┐  │
+       │  │ redis             │  │    │  │ redis             │  │
+       │  └───────────────────┘  │    │  └───────────────────┘  │
+       │  ┌───────────────────┐  │    │  ┌───────────────────┐  │
+       │  │ workspace runtime │  │    │  │ workspace runtime │  │
+       │  │ containers (ws-*) │  │    │  │ containers (ws-*) │  │
+       │  └───────────────────┘  │    │  └───────────────────┘  │
+       └─────────────────────────┘    └─────────────────────────┘
+```
+
+Every tenant is a self-contained molecule-core instance. The platform is a thin coordinator above them.
+
+## What crosses the platform/tenant boundary
+
+What the platform sends down to the tenant:
+
+- Initial EC2 provisioning (user-data script via SSM) — see `molecule-controlplane/internal/provisioner/ec2.go`
+- Per-tenant secrets (DB password, `SECRETS_ENCRYPTION_KEY`, `MOLECULE_CP_SHARED_SECRET`) injected as env at boot
+- Image redeploys via `POST /cp/admin/tenants/:slug/redeploy` → SSM → `docker pull && docker stop && docker run`
+- DNS records (Cloudflare) and tunnel registration (cloudflared)
+- Billing-state changes (subscription status, plan upgrades)
+
+What the tenant sends up to the platform:
+
+- Boot-stage telemetry (`report_stage` calls during EC2 user-data execution)
+- LLM usage events (for billing aggregation; documented in `controlplane/migrations/037_llm_usage_billing.up.sql`)
+- Workspace lifecycle events for cross-tenant analytics — read-only, no remote control implied
+
+What does NOT cross the boundary:
+
+- Memory contents (HMA scopes, agent_memories before A3, memory_plugin records after)
+- Workspace state, files, canvas layouts
+- Workspace runtime container state
+- Per-org user authentication state (tenant issues its own session tokens via `wsauth`)
+
+If a feature design wants to put any of those on the platform side, that's a violation of this RFC and needs explicit justification.
+
+## SSOT rationale
+
+The single-source-of-truth boundary is **the tenant EC2**.
+
+This decision was the implicit basis for the memory v1→v2 migration that ran 2026-05-24 (issues #1747 → #1791 → #1792). The v2 memory plugin runs as a sidecar on each tenant EC2, sharing the tenant's Postgres under a dedicated `memory_plugin` schema. There is no platform-side memory aggregation, no central index, no cross-tenant memory federation. Memory writes are loopback-only (workspace-server → memory-plugin on `127.0.0.1:9100`).
+
+Why this is correct:
+
+1. **Organizational isolation is the product.** A tenant's memory, workspaces, secrets, and conversation history must not be readable by another org, ever. The simplest enforcement is physical: different EC2, different DB, different network. Application-level multi-tenancy adds a class of cross-tenant data leak bugs that can't happen here.
+
+2. **The platform must remain horizontally scalable independent of tenant data volume.** If memory aggregation lived on the platform, billing/provisioning/auth would scale with the volume of memory across all tenants. With per-tenant storage, the platform's scaling envelope depends only on the number of orgs.
+
+3. **OSS-deployability requires it.** molecule-core is open-source; anyone can deploy it. If functional state lived on a centralized platform, OSS deployers would either have to run their own platform (high barrier) or call ours (privacy concern + scale concern). Per-tenant SSOT means the OSS molecule-core instance is functionally complete — it just talks to a platform for billing.
+
+## OSS-deployment shape
+
+A workspace inside any tenant reaches its parent tenant by injecting two env vars at container start:
+
+- `MOLECULE_ORG_ID` — the UUID of the org this workspace belongs to
+- `MOLECULE_PLATFORM_URL` — the tenant's HTTPS URL (e.g. `https://agents-team.moleculesai.app`)
+
+These are baked into the workspace runtime's docker run by the workspace-server when it provisions a workspace. The workspace's agent runtime uses them to:
+
+- Register itself in the tenant's `workspaces` table
+- Send heartbeats (Redis TTL key on the tenant)
+- Subscribe to A2A messages via the tenant's WebSocket hub
+- Commit memories via the tenant's MCP bridge or HTTP `/memories` endpoints
+
+An OSS deployer running their own molecule-core instance gets the same shape: their workspaces inject the deployer's tenant URL and org ID. The agent runtime is **agnostic** to whether it's talking to our hosted platform or a self-hosted one.
+
+The only thing tying a tenant to **our** platform is the billing/auth path:
+
+- `MOLECULE_CP_URL` env on the tenant container points at `api.moleculesai.app`
+- `MOLECULE_CP_SHARED_SECRET` env authenticates the tenant→platform direction
+- LLM usage events POST to `cp_url/cp/llm-usage-events` for billing aggregation
+
+An OSS deployer can leave `MOLECULE_CP_URL` unset (or point at their own platform). The workspace-server's `wiring.go` and `cp_provisioner.go` already handle the absent-CP case gracefully — the tenant is fully functional without it.
+
+## Scaling envelope
+
+Per-tenant resource shape (current):
+
+| Layer | Sizing |
+|---|---|
+| EC2 | t3.medium (2 vCPU, 4 GiB) for default-tier orgs |
+| Postgres | Single container, pgvector pre-installed, ~1-10 GiB per org expected |
+| Memory plugin | Loopback only, ~50 MB resident, scales with memory record count |
+| Workspace runtime containers (ws-\*) | One per workspace; sized by template tier |
+
+The platform's scaling envelope:
+
+| Layer | Sizing |
+|---|---|
+| controlplane | Single Railway service, scales horizontally |
+| Postgres | One Railway-hosted Postgres for billing + org registry + auth tokens |
+| DNS | Cloudflare zone with one CNAME per tenant |
+| Tunnels | One Cloudflare tunnel per tenant |
+
+Order-of-magnitude:
+
+- 100 orgs: trivial (100 EC2s, controlplane unchanged)
+- 10K orgs: needs an EC2 placement strategy (region pinning, dedicated-tier hosts), but the platform is still a single service
+- 1M orgs: this design starts to strain — Cloudflare tunnel-per-tenant becomes expensive, EC2-per-tenant becomes resource-wasteful, and we'd want a denser tenant-on-shared-infra mode
+
+The current architecture is sized for the 100–10K range. The 1M-org variant is explicitly out of scope for this RFC.
+
+## Decision points for new feature design
+
+When proposing a new feature, the design must answer "where does the data live?" Pick one:
+
+1. **On the tenant.** Default choice for anything functional. Tenant DB, tenant memory plugin, tenant filesystem. The feature ships in `molecule-core` and is deployed via the tenant image.
+
+2. **On the platform.** ONLY for billing, cross-org analytics (anonymized), org registry, auth tokens, DNS/tunnel state. The feature ships in `molecule-controlplane`.
+
+3. **Both, with one as SSOT.** Rare. The tenant is the SSOT; the platform may cache for cross-tenant queries but must be willing to re-read from the tenant on miss. Document the cache invalidation contract.
+
+When in doubt, default to #1. If you find yourself wanting to put HMA memory, workspace state, or session history on the platform, stop — you're re-introducing the SSOT violation the v1→v2 memory migration was designed to remove.
+
+## Migration path for non-conforming code
+
+The implementation already conforms. There is no migration backlog as of 2026-05-24:
+
+- Memory: v1→v2 migration complete (#1747 → #1791 → #1792). v2 plugin per-tenant is SSOT.
+- Workspace state: always per-tenant (the `workspaces` table lives in the tenant Postgres).
+- Activity logs: per-tenant `activity_logs` table.
+- Files: per-tenant (Docker volumes attached to ws-\* containers).
+- Secrets: per-tenant (`workspace_secrets` + `global_secrets` tables in tenant DB).
+- LLM usage events: tenant emits, platform aggregates for billing — correct shape.
+
+If a future PR proposes platform-side aggregation of something functional, link this RFC in the review.
+
+## What this RFC does NOT cover
+
+Out of scope for this document; tracked separately if needed:
+
+- **Multi-region tenant placement** — current design is single-region (us-east-2). Multi-region needs its own RFC because it changes the EC2 placement contract.
+- **BYO-compute / customer-managed VPC** — adjacent design; the org-per-EC2 boundary holds but the EC2 ownership shifts to the customer.
+- **Workspace runtime selection** — separately documented in `docs/architecture/workspace-tiers.md`.
+- **Tenant image upgrade strategy** — separately documented in `docs/architecture/tenant-image-upgrades.md`.
+- **OSS billing alternatives** — how OSS deployers handle billing without our controlplane is a separate go-to-market decision.
+
+## References
+
+- `docs/architecture/memory.md` — HMA scopes + v2 plugin
+- `docs/architecture/saas-prod-migration-2026-04-19.md` — provisioning pipeline reference
+- `docs/architecture/molecule-technical-doc.md` §3 (System Architecture) — top-level picture
+- `molecule-controlplane/internal/provisioner/ec2.go` — the canonical user-data + docker run for tenants
+- `workspace-server/entrypoint-tenant.sh` — the canonical tenant boot script
+- Memory system migration: #1747 (kill v1 fallback), #1791 (Phase A2 backfill), #1792 (Phase A3 drop table)
@@ -109,8 +109,9 @@ curl -X POST http://localhost:8080/registry/register \
 # Response: {"auth_token": "...", ...}
 ```

-For development, the test-token endpoint is also available (disabled in production):
+Tenant admins can mint a real workspace token through the production-safe admin route:
 ```bash
-curl http://localhost:8080/admin/workspaces/<id>/test-token
+curl -X POST http://localhost:8080/admin/workspaces/<id>/tokens \
+  -H "Authorization: Bearer <ADMIN_TOKEN>"
 # Response: {"auth_token": "...", "workspace_id": "..."}
 ```
@@ -24,10 +24,10 @@ features:
    details: Build agent organizations as nested workspaces on a live React Flow canvas with drag-to-nest hierarchy, template deployment, bundles, and real-time updates.
    icon: "🗺️"
  - title: Runtime Compatibility
-    details: Current main ships adapters for LangGraph, DeepAgents, Claude Code, CrewAI, AutoGen, and OpenClaw under one workspace contract and A2A surface.
+    details: Current main ships adapters for Claude Code, Codex, Hermes, and OpenClaw under one workspace contract and A2A surface.
    icon: "⚙️"
  - title: Hierarchical Memory
-    details: HMA-style LOCAL, TEAM, and GLOBAL scopes plus workspace-scoped awareness namespaces when awareness is configured.
+    details: HMA-style LOCAL, TEAM, and GLOBAL scopes backed by the v2 memory plugin (per-tenant pgvector sidecar with FTS + semantic recall).
    icon: "🧠"
  - title: Skill Evolution
    details: Local SKILL.md packages, tool loading, plugin-mounted shared capabilities, hot reload, and a documented memory-to-skill promotion path.
@@ -49,13 +49,13 @@ features:
 |---|---|
 | **Canvas** | Empty-state deployment, onboarding guide, 10-tab side panel, template palette, bundle import/export, drag-to-nest teams, search, activity and trace views |
 | **Platform** | Workspace CRUD, registry, A2A proxy, team expansion, approvals, secrets, global secrets, memory APIs, files API, terminal, viewport persistence, WebSocket fanout |
-| **Runtime** | One workspace image with six shipping adapters on `main`: LangGraph, DeepAgents, Claude Code, CrewAI, AutoGen, OpenClaw |
-| **Memory** | Scoped agent memories, key/value workspace memory, session-search recall, awareness namespace injection |
+| **Runtime** | One workspace image with four shipping adapters on `main`: Claude Code, Codex, Hermes, OpenClaw |
+| **Memory** | v2 plugin (pgvector + FTS) serving scoped agent memories under per-workspace namespaces; key/value workspace memory; session-search recall |
 | **Skills** | Local skill packages, plugin-mounted shared skills/rules, audit/install/publish CLI helpers, hot reload |

 ## Compatibility Note

-`main` currently ships six runtime adapters. `NemoClaw` appears in branch-level work (`feat/nemoclaw-t4-docker`) and is not documented here as merged `main` functionality.
+`main` currently ships four runtime adapters: Claude Code, Codex, Hermes, and OpenClaw. `NemoClaw` appears in branch-level work (`feat/nemoclaw-t4-docker`) and is not documented here as merged `main` functionality.

 ## Recommended Reading

@@ -19,8 +19,8 @@ import (
    "context"
    "testing"

-    mclient "github.com/Molecule-AI/molecule-monorepo/platform/internal/memory/client"
-    "github.com/Molecule-AI/molecule-monorepo/platform/internal/memory/contract"
+    mclient "git.moleculesai.app/molecule-ai/molecule-core/workspace-server/internal/memory/client"
+    "git.moleculesai.app/molecule-ai/molecule-core/workspace-server/internal/memory/contract"
 )

 func TestMyPlugin_FullRoundTrip(t *testing.T) {
@@ -238,7 +238,7 @@ No inbound firewall rules needed — the agent initiates the outbound WebSocket
 ## What To Try Next

 - **Expand to a team:** right-click a workspace and choose `Expand to Team`.
- **Switch runtime:** use `Config -> Runtime` to move between LangGraph, DeepAgents, Claude Code, CrewAI, AutoGen, and OpenClaw.
+- **Switch runtime:** use `Config -> Runtime` to move between Claude Code, Codex, Hermes, and OpenClaw.
 - **Inspect operations:** check `Activity`, `Traces`, `Events`, and `Terminal`.
 - **Use global keys:** configure one provider once in `Secrets & API Keys -> Global`.
 - **Import a template:** use the template palette or `POST /templates/import`.
@@ -268,7 +268,7 @@ Browser  -->  Canvas (Next.js :3000)
                                |
                                v
                       Provisioned workspaces
-                     (LangGraph / Claude Code / CrewAI / AutoGen / etc.)
+                     (Claude Code / Codex / Hermes / OpenClaw)
 ```

 For the full system model, see [Architecture](./architecture/architecture.md).
@@ -1,51 +1,16 @@
 # Admin Authentication Runbook

-## Test-token route: lock in staging and production
-
-The `GET /admin/workspaces/:id/test-token` endpoint mints fresh workspace auth tokens.
-It is gated by `TestTokensEnabled()` which returns `true` only when `MOLECULE_ENV != "production"`.
-
-**Effect**: if `MOLECULE_ENV` is unset or set to `development` / `dev` in a staging or production
-tenant, the test-token route remains enabled. While the route is protected by `subtle.ConstantTimeCompare`
-against `ADMIN_TOKEN` (returns 404 when disabled, not 403), the safest posture is to lock it
-out in any environment where it is not intentionally used.
-
-### Required: set MOLECULE_ENV in all non-dev environments
+## Required: set `MOLECULE_ENV` in all non-dev environments

 ```bash
 # In your tenant / EC2 / Railway environment variables:
 MOLECULE_ENV=production
 ```

-This matches the production tenant default. When `MOLECULE_ENV=production`:
-
- `TestTokensEnabled()` → `false`
- `GET /admin/workspaces/:id/test-token` → 404 (route disabled)
-
-### Startup visibility
-
-workspace-server logs the test-token route state at boot:
-
-```
-Platform starting on ... (dev-mode-fail-open=...)
-```
-
-Additionally, when `TestTokensEnabled()` is `true` (route enabled), the server emits an INFO line
-so operators can confirm the setting in logs:
-
-```
-[molecule-git-token-helper] NOTE: /admin/workspaces/:id/test-token is ENABLED
-(running with MOLECULE_ENV != production)
-```
-
-If you do not see this line and the route is still accessible, verify `MOLECULE_ENV` is not set to
-`development`, `dev`, or any value that is not exactly `production`.
-
-### Dev environments
-
-In local dev (`MOLECULE_ENV=development` or unset with no `ADMIN_TOKEN`), the test-token route
-is intentionally enabled — it is the only way to bootstrap a workspace bearer token without a running
-canvas. This is the correct default for developer workstations.
+This matches the production tenant default and disables development-only
+shortcuts. Staging and production smoke tests should use the real user/API
+workflow: create a workspace, then mint a one-time displayed workspace bearer
+with `POST /admin/workspaces/:id/tokens`.

 ## Admin bearer token (`ADMIN_TOKEN`)

@@ -56,7 +21,7 @@ The platform uses `ADMIN_TOKEN` as the bearer credential for admin-gated endpoin
 | `GET/POST/PATCH/DELETE /workspaces` | `Authorization: Bearer <ADMIN_TOKEN>` |
 | `GET /admin/liveness` | `Authorization: Bearer <ADMIN_TOKEN>` |
 | `POST /org/import` | `Authorization: Bearer <ADMIN_TOKEN>` |
-| `GET /admin/workspaces/:id/test-token` | `Authorization: Bearer <ADMIN_TOKEN>` (enabled only when `MOLECULE_ENV != "production"`) |
+| `POST /admin/workspaces/:id/tokens` | `Authorization: Bearer <ADMIN_TOKEN>`; plaintext token returned once |

 Missing or invalid `ADMIN_TOKEN` → AdminAuth fails open in dev mode (no token set), or
 returns 401 in production mode (token set but invalid).
@@ -0,0 +1,79 @@
+# Runbook: stale CI umbrella with green sub-jobs — compensating status
+
+**When to use this:** A PR's `CI / all-required (pull_request)` status is `failure` (so branch protection blocks the merge), but all 5 required sub-jobs (`Detect changes`, `Platform (Go)`, `Canvas (Next.js)`, `Shellcheck (E2E scripts)`, `Python Lint & Test`) actually succeeded. The umbrella job's internal 40-min poll deadline elapsed before the success statuses propagated through Gitea's commit-status pipeline.
+
+**When NOT to use this:** Any required sub-job actually failed. The umbrella correctly reflects reality; a compensating-status post would lie.
+
+This pattern parallels what `.gitea/workflows/status-reaper.yml` does for default-branch `(push)` status drift, but applied to PR umbrellas instead of main-branch contexts.
+
+## Diagnose
+
+1. Look up the umbrella status:
+
+   ```bash
+   TOK=$(cat ~/.molecule-ai/gitea-token)
+   API=https://git.moleculesai.app/api/v1/repos/molecule-ai/molecule-core
+   PR=<pr-number>
+   sha=$(curl -sS -H "Authorization: token $TOK" "$API/pulls/$PR" | python3 -c "import sys,json; print(json.load(sys.stdin)['head']['sha'])")
+   curl -sS -H "Authorization: token $TOK" "$API/commits/$sha/status" \
+     | python3 -c "import sys,json; [print(s['status'], s['context']) for s in json.load(sys.stdin)['statuses'] if 'all-required' in s['context']]"
+   ```
+
+2. Look up the actual sub-job statuses in the Gitea DB:
+
+   ```bash
+   ssh root@5.78.80.188 "docker exec molecule-postgres-1 psql -U gitea -d gitea -tAc \"
+     SELECT aj.name,
+       CASE aj.status WHEN 1 THEN 'success' WHEN 2 THEN 'failure' WHEN 3 THEN 'cancelled' WHEN 4 THEN 'skipped' WHEN 5 THEN 'waiting' WHEN 6 THEN 'running' END
+     FROM action_run ar JOIN action_run_job aj ON aj.run_id=ar.id
+     WHERE ar.repo_id=17 AND ar.workflow_id='ci.yml' AND ar.commit_sha='$sha'
+     ORDER BY aj.id;\""
+   ```
+
+   The 5 required-by-umbrella sub-jobs must all be `success`. (`Canvas Deploy Reminder` is intentionally not required — its state doesn't matter.)
+
+## Recover
+
+If diagnosis confirms all 5 required sub-jobs are success but the umbrella is stuck at failure:
+
+```bash
+curl -sS -X POST -H "Authorization: token $TOK" -H "Content-Type: application/json" \
+  "$API/statuses/$sha" -d '{
+    "context": "CI / all-required (pull_request)",
+    "state": "success",
+    "description": "Compensating status: all 5 required sub-jobs verified success in action_run_job; umbrella stale due to commit-status propagation race. Posted by <operator> per ci-umbrella-stale-compensating-status runbook."
+  }'
+```
+
+The status posts immediately; the merge gate flips green within ~5 seconds.
+
+**Always include WHO and WHY in the `description` field** so the audit trail is honest. Future operators (and `audit-force-merge.yml` consumers) need to be able to tell a recovery from a real bypass.
+
+## Why this happens
+
+- The umbrella's 40-min internal poll loop (`.gitea/workflows/ci.yml` → `all-required` job → `Wait for required CI contexts` step) treats `missing` statuses as pending.
+- Status propagation: a job completing on a runner posts its `action_run_job.status=1` row first, then Gitea's notifier walks `action_run_job` → `commit_status` table. Under high write load (many concurrent PRs synchronizing) the notifier walk can lag by several minutes.
+- If propagation lag pushes the last sub-job's commit-status past the umbrella's 40-min wall-clock deadline, the umbrella fails even though the sub-jobs were green well within the window.
+- The umbrella correctly does not retry once it has emitted a terminal status (per RFC internal#219 design — retries would mask real failures).
+
+## Prevent
+
+Most cases are downstream of the runner-pool dispatch deadlock fixed by commit `7da843f2` (issue #1779). With the umbrella running on the dedicated `ci-meta` pool, sub-jobs are no longer competing for runners with their own umbrella, so propagation completes well before the 40-min deadline in normal load.
+
+If you find yourself reaching for this runbook frequently, that's the signal to either:
+- Raise `timeout-minutes` on the umbrella above 45.
+- Build the `umbrella-reaper.yml` auto-recovery described in issue #1780 (this runbook is its precursor).
+
+## Cross-refs
+
+- Issue #1780 — original write-up; tracks auto-recovery
+- Issue #1779 — runner-pool deadlock; root cause of the propagation lag in most cases
+- `.gitea/workflows/status-reaper.yml` — sibling pattern for default-branch `(push)` status drift
+- `.gitea/workflows/audit-force-merge.yml` — audits bypass merges; this runbook's `description` field is what makes a compensating-status merge auditable vs. opaque
+
+## Session-local examples
+
+The pattern was used twice during the 2026-05-24 CTO-bypass session:
+
+- **PR #1737** merged via compensating-status — all 5 sub-jobs green, umbrella timed out on propagation race. Merge commit `d5941906`.
+- **PR #1759** merged via compensating-status — 4/5 sub-jobs green, the 5th (`Platform (Go)`) was an inherited-from-main failure (templates_test fixtures bug, tracked as #1778, fixed in #1781). The compensating-status description called out the inherited failure honestly. Merge commit `220a04b1`.
@@ -0,0 +1,104 @@
+# local-e2e — session-continuity canary harness
+
+Self-contained Docker-Compose harness that gates RFC#600-class template
+changes (session continuity, file-only messages, multimodal prompts,
+cross-session memory) **before** they reach customer canary.
+
+Per CTO standing directive "fully tested + separate CI": this is a
+dedicated, *fast* (target <3 min), *small-surface* harness that uses a
+Python tenant-CP simulator (not the full `workspace-server` Go service)
+to exercise the runtime image end-to-end against canonical canary turns.
+
+See [`feedback_no_single_source_of_truth`] — the harness IS the canonical
+session-continuity validator. Per-runtime unit tests still cover their
+own guard logic; the harness covers the live conversational behaviour
+that those unit tests cannot prove.
+
+See [`feedback_image_promote_is_not_user_live`] — every assertion reads
+state back from the *running container*, never from a publish-pipeline
+ack.
+
+## What it tests (the 4 canaries)
+
+| # | Scenario | Asserts |
+|---|----------|---------|
+| 1 | 2-turn name canary | turn 2 reply contains "Hongming" → SessionStore continuity |
+| 2 | File-only message (no caption) | NOT "(empty prompt — nothing to do)" + reply references filename or asks for clarification |
+| 3 | File + caption ("summarize this") | reply addresses attachment + caption |
+| 4 | Cross-session memory recall | new session pulls "blue" via memory tool |
+
+Each scenario re-uses the same A2A wire-shape that the production
+`workspace-server` POSTs to runtime `:8000` (canvas-thread-id semantics
+via `context_id`).
+
+## Architecture
+
+```
+local-e2e/
+  docker-compose.yml           # runtime under test + cp_sim
+  cp_sim/                      # ≈300 LoC Python A2A poster + file uploader
+    cp_sim.py
+    Dockerfile
+    requirements.txt
+  canary/
+    conftest.py
+    test_session_continuity.py # 4 canary scenarios
+    test_layer_diagnostics.py  # SessionStore state probe + key derivation
+  scripts/
+    run-canary.sh              # one-shot orchestration entrypoint
+```
+
+The CP simulator emits the **exact** JSON-RPC `message/send` envelope
+that `workspace-server` produces (verified against
+`tests/e2e/test_chat_attachments_e2e.sh`). No Go service is in the loop —
+this keeps the harness lean per the CTO directive.
+
+## Run locally
+
+```bash
+# from molecule-core repo root:
+export TEMPLATE_IMAGE=ghcr.io/molecule-ai/workspace-template-hermes:latest
+./local-e2e/scripts/run-canary.sh
+```
+
+Exit code 0 = all 4 canaries pass. Non-zero = at least one canary failed
+and the harness dumped SessionStore state + last 200 log lines from the
+runtime container into `./local-e2e/artifacts/`.
+
+## How it integrates into CI
+
+Each template repo's `.gitea/workflows/session-continuity-e2e.yml` calls
+`run-canary.sh` with its own freshly-built `TEMPLATE_IMAGE`. The
+template repo's Gitea branch-protection lists
+`session-continuity-e2e (pull_request)` as a required context.
+
+Rollout order (deliberate — per `feedback_image_promote_is_not_user_live`
+we bake before we cascade):
+
+1. `molecule-ai-workspace-template-hermes` — highest-traffic + most
+   recent RFC#600-class fixes — REQUIRED gate
+2. Bake for 5 business days
+3. Cascade to claude-code, langgraph, autogen, openclaw, smolagents,
+   google-adk (one PR per template — see `scripts/onboard-template.sh`)
+
+## Future extensions (out of scope for the initial PR)
+
+- Multi-session memory consistency (3+ sessions deep)
+- Tool-use canary (workspace seeded with skills/, agent must invoke)
+- Streaming-cancellation canary (mid-stream client disconnect)
+- Cross-runtime A2A peer call (currently covered by `e2e-peer-visibility`)
+
+## Why a thin Python simulator and not the real `workspace-server`?
+
+`workspace-server` is a 60+ MB Go binary that requires Postgres, Redis,
+admin-token wiring, registry plumbing, and a 30+ second cold-boot. None
+of that touches session-continuity behaviour, which is fully owned by
+the runtime container's `a2a_executor.py`. Per CTO directive "separate
+CI as possible" + the <3 min target, we excise the platform-tenant Go
+service from the loop and emit identical wire-shape envelopes from a
+single Python file.
+
+If the simulator diverges from `workspace-server` wire shape, the gate
+goes red — fix the simulator to match production. The wire shape is
+asserted in `tests/e2e/test_chat_attachments_e2e.sh` and the runtime's
+`workspace/a2a_executor.py:_core_execute`.
@@ -0,0 +1,19 @@
+# Python tenant-CP simulator + canary test driver.
+# Single image — pytest + httpx + the canary tests baked in.
+FROM python:3.11-slim@sha256:e78299e55776ca065dcb769f80161f48465ad352014240eb5fe4712e22505e9b
+
+WORKDIR /harness
+
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+# Test files are bind-mounted by docker-compose at run time so a `pytest -x`
+# rerun loop doesn't require a rebuild. The COPY here is for the
+# self-contained image used by Gitea Actions (where bind mounts are awkward).
+COPY cp_sim.py /harness/cp_sim.py
+COPY canary /harness/canary
+
+ENV PYTHONUNBUFFERED=1
+
+# Default: run the 4 canaries with verbose output + JUnit XML for CI.
+CMD ["pytest", "-v", "--tb=short", "--junitxml=/harness/artifacts/junit.xml", "canary/"]
@@ -0,0 +1,31 @@
+"""Shared pytest fixtures for the canary suite."""
+
+from __future__ import annotations
+
+import os
+import sys
+import uuid
+
+# cp_sim.py lives one dir up — make it importable without packaging.
+sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
+
+import pytest  # noqa: E402
+
+from cp_sim import CPSim, CPSimConfig  # noqa: E402
+
+
+@pytest.fixture
+def sim() -> CPSim:
+    """Fresh CPSim per test — cheap, isolates connection state."""
+    return CPSim(
+        cfg=CPSimConfig(
+            runtime_url=os.environ.get("RUNTIME_URL", "http://localhost:18000"),
+        )
+    )
+
+
+@pytest.fixture
+def context_id() -> str:
+    """A unique canvas-thread-id per test — guarantees SessionStore isolation
+    between scenarios so a failing canary doesn't poison the next one."""
+    return f"canary-ctx-{uuid.uuid4().hex[:12]}"
@@ -0,0 +1,80 @@
+"""Layer-isolation diagnostics — runs alongside the 4 canaries.
+
+These probes are not strict pass/fail gates by themselves; they exist so
+when a canary fails, the artifacts include enough state to tell whether
+the regression is in the wire-shape layer, the SessionStore layer, or
+the memory layer. Each test always passes (returns early) when the
+underlying surface is unavailable on the runtime under test — different
+templates expose different debug endpoints.
+
+Cross-refs:
+  - feedback_verify_actual_endstate_not_ack_follow_sop — we read state
+    back, not the side-effect ack.
+  - feedback_image_promote_is_not_user_live — the verification is at
+    the running-container layer.
+"""
+
+from __future__ import annotations
+
+import os
+import uuid
+
+import httpx
+
+from cp_sim import CPSim
+
+
+def test_diag_agent_card_advertises_a2a(sim: CPSim) -> None:
+    """The runtime's /agent-card must advertise A2A capabilities.
+
+    If this fails, the canaries' transport assumption (POST /a2a) is
+    already broken — diagnose the runtime image, not the canary.
+    """
+    url = f"{sim.cfg.runtime_url}/agent-card"
+    r = httpx.get(url, timeout=10.0)
+    assert r.status_code == 200, (
+        f"/agent-card returned {r.status_code}: {r.text[:300]!r}"
+    )
+    body = r.json()
+    # AgentCard spec: capabilities object must exist, even if empty.
+    assert isinstance(body, dict), f"/agent-card body not an object: {body!r}"
+    # We don't require any specific capability flag — different templates
+    # advertise different sets. The point of this diag is "is the card
+    # there at all", which signals the runtime booted past entrypoint.
+
+
+def test_diag_context_id_required_for_continuity(sim: CPSim) -> None:
+    """Same context_id in two turns must not crash the runtime.
+
+    Pure smoke probe — proves the executor accepts a continuation
+    message without 5xx-ing. The substantive assertion is canary 1; this
+    one just guarantees the path is reachable.
+    """
+    ctx = f"diag-{uuid.uuid4().hex[:8]}"
+    r1 = sim.send_text("ping", context_id=ctx)
+    r2 = sim.send_text("ping again", context_id=ctx, task_id=r1.get("result", {}).get("id"))
+    # Both replies must parse — non-empty envelope, no JSON-RPC error.
+    for label, env in (("turn1", r1), ("turn2", r2)):
+        assert "error" not in env, f"{label} returned JSON-RPC error: {env['error']}"
+
+
+def test_diag_memory_root_writable_in_canary_mode(sim: CPSim) -> None:
+    """When MOLECULE_CANARY_MODE=1, the memory root must accept writes.
+
+    Probes via the recall_memory MCP tool — if /mcp is not exposed,
+    returns early (skip-style; we still pass because some templates
+    proxy MCP elsewhere).
+    """
+    # We can't write directly here — only confirm the read path doesn't
+    # 500 on a missing key. A real write happens in canary 4.
+    key = f"canary-probe-{uuid.uuid4().hex[:8]}"
+    try:
+        val = sim.probe_memory(key)
+    except Exception as e:
+        # /mcp may not be exposed on this template — canary 4 will
+        # surface the real defect if memory is actually broken.
+        if os.environ.get("CANARY_STRICT_MCP") == "1":
+            raise
+        return
+    # Unknown key → None is fine. The point is the call didn't crash.
+    assert val is None or isinstance(val, str)
@@ -0,0 +1,204 @@
+"""The 4 canonical session-continuity canaries (task #342, RFC#600 class).
+
+These tests speak A2A directly to the runtime under test. They are the
+authoritative gate that the runtime preserves conversation continuity,
+handles file-only messages without dropping to the empty-prompt error,
+addresses multimodal prompts, and persists memory across sessions.
+
+Wire-shape source of truth: see ../cp_sim.py docstring.
+"""
+
+from __future__ import annotations
+
+import re
+import uuid
+
+from cp_sim import CPSim
+
+
+# ---------- canary 1: 2-turn name continuity -------------------------------
+
+
+def test_canary_1_two_turn_name_continuity(sim: CPSim, context_id: str) -> None:
+    """SessionStore continuity — turn 2 must recall the name from turn 1.
+
+    Empirically tests:
+      - ``a2a_executor._core_execute`` injects prior-turn history via
+        ``_extract_history(context)`` (workspace/a2a_executor.py:313).
+      - The runtime's session store is keyed on ``context_id`` (canvas
+        thread id) NOT ``task_id`` — task_id is per-turn, context_id is
+        per-conversation. Regressions to that key derivation were the
+        root cause of the 2026-05 multi-turn-amnesia incidents
+        (#a60623344 diagnosis).
+    """
+    # Turn 1 — establish the fact.
+    r1 = sim.send_text(
+        "Hi, my name is Hongming.",
+        context_id=context_id,
+    )
+    reply1 = sim.extract_text_parts(r1)
+    assert reply1, f"Turn 1 produced empty reply. envelope={r1!r}"
+
+    # Turn 2 — ask back. Same context_id → same SessionStore key.
+    r2 = sim.send_text(
+        "What's my name?",
+        context_id=context_id,
+    )
+    reply2 = sim.extract_text_parts(r2)
+    assert reply2, f"Turn 2 produced empty reply. envelope={r2!r}"
+
+    # Substring match, case-insensitive — agents may reply
+    # "Your name is Hongming." or "It's Hongming!" or similar.
+    assert re.search(r"\bhongming\b", reply2, flags=re.IGNORECASE), (
+        f"Turn 2 reply does not contain 'Hongming' — SessionStore "
+        f"continuity regression suspected. context_id={context_id} "
+        f"turn1_reply={reply1[:200]!r} turn2_reply={reply2[:400]!r}"
+    )
+
+
+# ---------- canary 2: file-only message (no caption) -----------------------
+
+
+_DROPPED_TURN_MARKERS = (
+    "(empty prompt — nothing to do)",
+    "empty prompt",
+    "message contained no text content",
+    "no text content",
+)
+
+
+def test_canary_2_file_only_message(sim: CPSim, context_id: str) -> None:
+    """File-attached A2A message with NO text part must not be dropped.
+
+    Root cause this guards against: a long-standing executor bug where
+    ``extract_message_text`` returned "" for file-only messages and the
+    executor short-circuited with the "Error: message contained no text
+    content." reply, even though the attached file was the entire point
+    of the turn.
+
+    Hard assertions:
+      - Reply is non-empty AND not the dropped-turn marker.
+      - Reply references the file by name OR asks an actionable
+        clarifying question (NOT a flat error).
+    """
+    file_name = f"canary-{uuid.uuid4().hex[:8]}.txt"
+    file_body = b"Project status: nominal. Lighthouse score 98."
+
+    r = sim.send_with_file(
+        context_id=context_id,
+        text=None,  # ← THE CANARY: no caption.
+        file_name=file_name,
+        file_bytes=file_body,
+        mime_type="text/plain",
+    )
+    reply = sim.extract_text_parts(r)
+    assert reply, f"File-only message produced empty reply. envelope={r!r}"
+
+    low = reply.lower()
+    for marker in _DROPPED_TURN_MARKERS:
+        assert marker.lower() not in low, (
+            f"File-only message was dropped — reply contains "
+            f"{marker!r}. Full reply: {reply[:500]!r}"
+        )
+
+    # Soft assertion: reply must engage with the file (reference its
+    # name) OR ask an actionable clarification. We require ONE of those —
+    # a generic "Hello! How can I help?" reply is also a drop.
+    name_referenced = file_name.lower() in low or "file" in low or "attach" in low
+    asks_clarification = (
+        "what" in low or "would you like" in low or "?" in reply
+    )
+    assert name_referenced or asks_clarification, (
+        f"File-only reply neither references the file nor asks a "
+        f"clarifying question. Reply: {reply[:500]!r}"
+    )
+
+
+# ---------- canary 3: file + prompt (multimodal) ---------------------------
+
+
+def test_canary_3_file_with_prompt(sim: CPSim, context_id: str) -> None:
+    """File-attached A2A message WITH a caption — multimodal happy path.
+
+    Lower bar than canary 2: assert the agent acknowledges the file was
+    received and tries to address the caption. We deliberately don't
+    require a perfect summary because canary mode replies are canned —
+    the goal is to prove the executor's multimodal code path doesn't
+    drop EITHER the file OR the caption.
+    """
+    file_name = f"canary-doc-{uuid.uuid4().hex[:8]}.txt"
+    file_body = (
+        b"Quarterly review. Revenue up 14%. Churn down 3%. "
+        b"Team headcount steady. Action: ship RFC#600 by end of week."
+    )
+    r = sim.send_with_file(
+        context_id=context_id,
+        text="summarize this",
+        file_name=file_name,
+        file_bytes=file_body,
+        mime_type="text/plain",
+    )
+    reply = sim.extract_text_parts(r)
+    assert reply, f"File+prompt produced empty reply. envelope={r!r}"
+
+    low = reply.lower()
+    for marker in _DROPPED_TURN_MARKERS:
+        assert marker.lower() not in low, (
+            f"File+prompt was dropped — reply contains {marker!r}. "
+            f"Full reply: {reply[:500]!r}"
+        )
+
+    # At minimum: the reply must mention file/attach/summary semantics,
+    # demonstrating the executor accepted both parts.
+    engaged = any(
+        kw in low for kw in ("file", "attach", "summary", "summarize", "content", file_name.lower())
+    )
+    assert engaged, (
+        f"Multimodal reply doesn't engage with attached file or caption. "
+        f"Reply: {reply[:500]!r}"
+    )
+
+
+# ---------- canary 4: cross-session memory recall --------------------------
+
+
+def test_canary_4_cross_session_memory_recall(sim: CPSim) -> None:
+    """Memory persists across distinct context_ids → memory layer (NOT
+    SessionStore) is the storage.
+
+    Two distinct context_ids in this test — SessionStore CANNOT bridge
+    them. The bridge is the runtime's persistent memory (MOLECULE_MEMORY_ROOT
+    in canary mode). If the recall returns "blue" in session 2, the
+    memory layer is wired correctly.
+
+    Note: we ask the agent to commit the memory explicitly in session 1
+    so that the canary doesn't depend on memory auto-extraction
+    heuristics (which vary by runtime). The commit goes through the
+    same MCP tool the canvas would invoke.
+    """
+    ctx_a = f"canary-ctx-{uuid.uuid4().hex[:12]}"
+    ctx_b = f"canary-ctx-{uuid.uuid4().hex[:12]}"
+
+    # Session 1 — commit a fact via the memory tool. Use the explicit
+    # "remember" verb so canary-mode agents (which short-circuit to a
+    # deterministic tool-call) reliably invoke `commit_memory`.
+    r1 = sim.send_text(
+        "Please use the memory tool to remember: my favorite color is blue.",
+        context_id=ctx_a,
+    )
+    reply1 = sim.extract_text_parts(r1)
+    assert reply1, f"Session 1 produced empty reply. envelope={r1!r}"
+
+    # Session 2 — different context_id. Same workspace, same memory.
+    r2 = sim.send_text(
+        "Use the memory tool to recall my favorite color, then tell me what it is.",
+        context_id=ctx_b,
+    )
+    reply2 = sim.extract_text_parts(r2)
+    assert reply2, f"Session 2 produced empty reply. envelope={r2!r}"
+
+    assert re.search(r"\bblue\b", reply2, flags=re.IGNORECASE), (
+        f"Session 2 reply does not contain 'blue' — cross-session memory "
+        f"recall regression suspected. ctx_a={ctx_a} ctx_b={ctx_b} "
+        f"session1_reply={reply1[:200]!r} session2_reply={reply2[:400]!r}"
+    )
@@ -0,0 +1,214 @@
+"""Tenant control-plane simulator.
+
+Emits the byte-identical JSON-RPC `message/send` wire shape that the
+production `workspace-server` POSTs to the runtime's :8000 — see
+``workspace-server/internal/handlers/a2a.go`` and the canonical sample
+in ``tests/e2e/test_chat_attachments_e2e.sh``.
+
+This file is purposefully small (~250 LoC). It is NOT a re-implementation
+of `workspace-server`; it is just the minimum surface required to drive
+the 4 session-continuity canaries.
+
+If the runtime asserts on a header / envelope field that the production
+platform sets but this simulator omits, FIX THE SIMULATOR — never weaken
+the runtime to accept divergent wire shapes. The simulator is the
+canonical contract emitter for canary purposes
+(``feedback_no_single_source_of_truth``).
+"""
+
+from __future__ import annotations
+
+import base64
+import json
+import os
+import uuid
+from dataclasses import dataclass
+from typing import Any
+
+import httpx
+
+
+@dataclass
+class CPSimConfig:
+    runtime_url: str
+    """Base URL of the runtime under test (e.g. http://runtime:8000)."""
+    request_timeout_s: float = 60.0
+    """Per-A2A-call timeout. Generous — canary mode replies are fast,
+    but a real Provider-backed runtime under cold cache can take 30+s."""
+
+
+class CPSim:
+    """Thin client matching workspace-server's wire shape."""
+
+    def __init__(self, cfg: CPSimConfig | None = None) -> None:
+        self.cfg = cfg or CPSimConfig(
+            runtime_url=os.environ.get("RUNTIME_URL", "http://localhost:18000"),
+        )
+        self._client = httpx.Client(timeout=self.cfg.request_timeout_s)
+
+    # ------------------------------------------------------------------ A2A
+
+    def send_text(
+        self,
+        text: str,
+        *,
+        context_id: str,
+        task_id: str | None = None,
+    ) -> dict[str, Any]:
+        """POST a text-only A2A message. Returns the JSON-RPC envelope."""
+        msg_id = f"canary-{uuid.uuid4().hex[:12]}"
+        payload = {
+            "jsonrpc": "2.0",
+            "id": msg_id,
+            "method": "message/send",
+            "params": {
+                "message": {
+                    "role": "user",
+                    "messageId": msg_id,
+                    "kind": "message",
+                    "contextId": context_id,
+                    "taskId": task_id,
+                    "parts": [{"kind": "text", "text": text}],
+                },
+                "configuration": {
+                    "acceptedOutputModes": ["text/plain"],
+                    "blocking": True,
+                },
+            },
+        }
+        return self._post(payload)
+
+    def send_with_file(
+        self,
+        *,
+        context_id: str,
+        text: str | None,
+        file_name: str,
+        file_bytes: bytes,
+        mime_type: str = "text/plain",
+        task_id: str | None = None,
+    ) -> dict[str, Any]:
+        """POST an A2A message with an inline file part.
+
+        Uses the inline `bytes` form of A2A file parts (RFC#600 — the
+        no-URI variant added precisely so canary tests don't need a
+        `/chat/uploads` round-trip). Each runtime's executor calls
+        ``extract_attached_files`` which handles both forms — verified
+        in ``workspace/executor_helpers.py:903``.
+        """
+        msg_id = f"canary-{uuid.uuid4().hex[:12]}"
+        parts: list[dict[str, Any]] = []
+        if text:
+            parts.append({"kind": "text", "text": text})
+        parts.append(
+            {
+                "kind": "file",
+                "file": {
+                    "name": file_name,
+                    "mimeType": mime_type,
+                    "bytes": base64.b64encode(file_bytes).decode("ascii"),
+                },
+            }
+        )
+        payload = {
+            "jsonrpc": "2.0",
+            "id": msg_id,
+            "method": "message/send",
+            "params": {
+                "message": {
+                    "role": "user",
+                    "messageId": msg_id,
+                    "kind": "message",
+                    "contextId": context_id,
+                    "taskId": task_id,
+                    "parts": parts,
+                },
+                "configuration": {
+                    "acceptedOutputModes": ["text/plain"],
+                    "blocking": True,
+                },
+            },
+        }
+        return self._post(payload)
+
+    # ------------------------------------------------------------ helpers
+
+    def _post(self, payload: dict[str, Any]) -> dict[str, Any]:
+        url = f"{self.cfg.runtime_url}/a2a"
+        try:
+            r = self._client.post(url, json=payload)
+        except httpx.HTTPError as e:
+            raise CPSimError(f"A2A POST failed: {e}") from e
+        if r.status_code != 200:
+            raise CPSimError(
+                f"A2A non-200: status={r.status_code} body={r.text[:500]}"
+            )
+        try:
+            return r.json()
+        except json.JSONDecodeError as e:
+            raise CPSimError(f"A2A body not JSON: {r.text[:500]}") from e
+
+    @staticmethod
+    def extract_text_parts(envelope: dict[str, Any]) -> str:
+        """Return concatenated text from all text parts of a reply.
+
+        Handles both top-level `result.parts` (the canonical shape) and
+        `result.artifacts[*].parts` (which some runtimes emit when the
+        reply was streamed as artifact chunks). Matches the extractor in
+        ``tests/e2e/test_chat_attachments_e2e.sh``.
+        """
+        result = envelope.get("result") or {}
+        chunks: list[str] = []
+        for p in result.get("parts", []) or []:
+            if p.get("kind") == "text":
+                chunks.append(p.get("text", ""))
+        for art in result.get("artifacts", []) or []:
+            for p in art.get("parts", []) or []:
+                if p.get("kind") == "text":
+                    chunks.append(p.get("text", ""))
+        # Some runtimes return a status.message instead of/in addition to parts.
+        status = result.get("status") or {}
+        status_msg = status.get("message") or {}
+        for p in status_msg.get("parts", []) or []:
+            if p.get("kind") == "text":
+                chunks.append(p.get("text", ""))
+        return "\n".join(chunks).strip()
+
+    # ----------------------------------------------------- memory probe
+
+    def probe_memory(self, key: str) -> str | None:
+        """Read a memory value via the runtime's MCP memory tool.
+
+        Uses the same MCP transport the canvas uses
+        (``POST /workspaces/:id/mcp``-shaped JSON-RPC over /mcp).  Returns
+        the recalled string or None if the key is missing.
+        """
+        payload = {
+            "jsonrpc": "2.0",
+            "id": f"canary-mem-{uuid.uuid4().hex[:8]}",
+            "method": "tools/call",
+            "params": {"name": "recall_memory", "arguments": {"key": key}},
+        }
+        try:
+            r = self._client.post(f"{self.cfg.runtime_url}/mcp", json=payload)
+        except httpx.HTTPError as e:
+            raise CPSimError(f"MCP POST failed: {e}") from e
+        if r.status_code != 200:
+            return None
+        body = r.json()
+        result = body.get("result") or {}
+        # MCP responses wrap the tool output in result.content[*].text per
+        # the JSON-RPC tools/call contract.
+        for c in result.get("content", []) or []:
+            if c.get("type") == "text":
+                return c.get("text")
+        return None
+
+
+class CPSimError(RuntimeError):
+    """Raised on transport / envelope failures (NOT canary assertion failures).
+
+    Distinct from AssertionError so pytest reports them as ERROR not
+    FAILED — a transport-layer fault should be debugged differently from
+    a real session-continuity regression.
+    """
@@ -0,0 +1,5 @@
+# Pinned (not floating) so the harness is reproducible across CI runs.
+# These versions match what tests/e2e/_lib.sh and tests/e2e/conftest.py use.
+httpx==0.27.2
+pytest==8.3.3
+pytest-asyncio==0.24.0
@@ -0,0 +1,58 @@
+# local-e2e/docker-compose.yml — minimal harness stack.
+#
+# Two services:
+#   runtime  — the template image under test (TEMPLATE_IMAGE env var).
+#              Exposes :8000 for A2A traffic. The simulator POSTs to it.
+#   cp_sim   — thin Python tenant-CP simulator. Drives the canary turns.
+#
+# Deliberately NO postgres, NO redis, NO platform Go service. SessionStore
+# continuity is a runtime-internal concern (a2a_executor + executor_helpers);
+# we test it without dragging the platform-tenant Go binary into the loop.
+# See README.md "Why a thin Python simulator" for rationale.
+
+services:
+  runtime:
+    image: ${TEMPLATE_IMAGE:?TEMPLATE_IMAGE env required, e.g. ghcr.io/molecule-ai/workspace-template-hermes:latest}
+    # The runtime entrypoint (workspace/entrypoint.sh) refuses to start when
+    # any operator-scope env var is present. We deliberately set no creds —
+    # the canary doesn't invoke a real LLM provider (see TEST_NO_PROVIDER below).
+    environment:
+      # Disable provider calls during canary — the runtime returns canned
+      # echo-style replies so the harness can assert continuity / file-handling
+      # behaviour without burning provider quota. The template image must
+      # honour MOLECULE_CANARY_MODE=1 (added in molecule-ai-workspace-runtime
+      # PR #46 — see molecule_runtime/a2a_executor.py canary short-circuit).
+      MOLECULE_CANARY_MODE: "1"
+      # Anonymous workspace identity so RBAC paths exercise the same code
+      # they would in tenant production.
+      WORKSPACE_ID: "canary-${CANARY_RUN_ID:-local}"
+      # Memory tool requires a writable scope; point at /tmp inside the
+      # container so cross-session canary (#4) works without bind mounts.
+      MOLECULE_MEMORY_ROOT: "/tmp/canary-memory"
+      # The provisioner's forbidden-env guard exits non-zero when any
+      # operator-scope literal is present; the canary intentionally sets
+      # zero of them. Leave guard ON (do NOT set MOLECULE_TENANT_GUARD_DISABLE)
+      # so we exercise the prod entrypoint code path verbatim.
+    ports:
+      - "${RUNTIME_PORT:-18000}:8000"
+    healthcheck:
+      # /agent-card is the universal A2A discovery endpoint — every template
+      # exposes it. /health varies per template.
+      test: ["CMD-SHELL", "wget -qO /dev/null --tries=1 http://localhost:8000/agent-card || exit 1"]
+      interval: 3s
+      timeout: 3s
+      retries: 20
+      start_period: 30s
+
+  cp_sim:
+    build:
+      context: ./cp_sim
+    depends_on:
+      runtime:
+        condition: service_healthy
+    environment:
+      RUNTIME_URL: "http://runtime:8000"
+      CANARY_RUN_ID: "${CANARY_RUN_ID:-local}"
+    # cp_sim doesn't expose a port — it's a one-shot driver invoked by
+    # run-canary.sh via `docker compose run cp_sim pytest ...`.
+    profiles: ["driver"]
@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+# onboard-template.sh — gitops helper to wire local-e2e into a new template.
+#
+# Drops .gitea/workflows/session-continuity-e2e.yml into the target template
+# repo (a thin shim that clones molecule-core's local-e2e harness, then runs
+# run-canary.sh against the locally-built template image). Opens a PR.
+#
+# Usage:
+#   ./local-e2e/scripts/onboard-template.sh molecule-ai-workspace-template-claude-code
+#
+# Per task #342 sequencing: do NOT run this for every template at once.
+# Bake the gate on hermes for ≥5 business days first; expand only after
+# the canary is empirically stable.
+#
+# Cross-refs:
+#   feedback_no_single_source_of_truth — the workflow content is identical
+#     across templates; this helper guarantees it.
+#   feedback_image_promote_is_not_user_live — we wire the gate at the
+#     CI layer; flipping it to REQUIRED in branch_protection is a
+#     separate step (see README.md).
+
+set -euo pipefail
+
+REPO="${1:?usage: onboard-template.sh <template-repo-name>}"
+HARNESS_ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"
+
+# Sanity: ensure the template-side workflow file exists in this repo.
+TEMPLATE_WORKFLOW="$HARNESS_ROOT/templates/session-continuity-e2e.yml"
+[ -f "$TEMPLATE_WORKFLOW" ] || {
+    echo "ERROR: $TEMPLATE_WORKFLOW not found in this harness checkout"
+    exit 1
+}
+
+WORK_DIR=$(mktemp -d -t e2e-onboard-XXXXXX)
+trap 'rm -rf "$WORK_DIR"' EXIT
+
+cd "$WORK_DIR"
+
+# Use mol_clone — preserves the persona credential model.
+# shellcheck disable=SC1090
+source "$HOME/.molecule-ai/ops.sh"
+mol_clone "$REPO"
+cd "$REPO"
+
+git checkout -b "task342/session-continuity-e2e-gate"
+
+mkdir -p .gitea/workflows
+cp "$TEMPLATE_WORKFLOW" .gitea/workflows/session-continuity-e2e.yml
+
+git add .gitea/workflows/session-continuity-e2e.yml
+git commit -m "ci: add local-e2e session-continuity canary gate (task #342)
+
+Wires this template into the cross-template session-continuity harness
+in molecule-ai/molecule-core/local-e2e/. The gate boots THIS repo's
+locally-built image, drives 4 canonical canaries (2-turn name continuity,
+file-only message, file+prompt, cross-session memory recall), and fails
+PRs that regress any of them.
+
+Per CTO directive: required-context flip in branch_protection is a
+SEPARATE step after 5 business days of bake."
+
+# Push branch; do not auto-open PR — leave that to the operator so the
+# review-relay routing follows the same rules as a normal change.
+git push -u origin "task342/session-continuity-e2e-gate"
+
+echo
+echo "DONE. Branch pushed to $REPO. Open PR manually:"
+echo "  https://git.moleculesai.app/molecule-ai/$REPO/compare/main...task342/session-continuity-e2e-gate"
--- a/Show More
+++ b/Show More