fix(registry,discovery,mcp): prevent cross-tenant peer metadata leak (#1953)

Three code paths used `parent_id IS NULL` to identify 'siblings' of a
root-level workspace. Because every org root has `parent_id IS NULL`,
this predicate matched ALL org roots across ALL tenants, leaking peer
metadata and allowing cross-tenant A2A delegation.

Fixes:
- registry/access.go: Remove the root-level sibling fast-path in
  `CanCommunicate`. Two distinct workspaces with `parent_id = NULL`
  are in different orgs and must not communicate.
- discovery.go: Skip the sibling query entirely when the caller is an
  org root (parent_id IS NULL). Each org has exactly one root.
- mcp_tools.go: Same fix for the MCP `list_peers` tool path.

Tests updated to reflect the new security boundary:
- TestCanCommunicate_RootSiblings → TestCanCommunicate_Denied_RootCrossTenant
- Tests that mocked root-root communication now use parent-child or
  shared-parent relationships so they continue to test allowed paths.

All 695 workspace-server tests pass with -race.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.env.example

@@ -51,7 +51,7 @@ MOLECULE_ENV=development                       # Environment label (development/
 # MOLECULE_IN_DOCKER=                    # Set when running the platform inside Docker (accepts 1/0, true/false). Triggers A2A proxy to rewrite 127.0.0.1:<port> agent URLs to Docker bridge hostnames. Auto-detected via /.dockerenv; only set if detection fails or to force off.
 
 # GitHub
-# GITHUB_REPO=owner/repo                 # Target repo for agent initial_prompt clone (e.g. Molecule-AI/molecule-monorepo). Read inside workspace containers.
+# GITHUB_REPO=owner/repo                 # Target repo for agent initial_prompt clone (e.g. Molecule-AI/molecule-core). Read inside workspace containers.
 # GITHUB_TOKEN=                          # Personal access token / installation token used by agents that clone private repos. Register as a global secret via POST /admin/secrets for propagation to workspace env. Token is used in-URL during clone and then scrubbed from .git/config via `git remote set-url`.
 
 # Webhooks

.gitea/scripts/sop-checklist.py

@@ -642,7 +642,7 @@ def load_config(path: str) -> dict[str, Any]:
         # requiring the dep, so the ignore is safe: if yaml loads, we use it;
         # otherwise we fall back silently.
         import yaml  # type: ignore[import-not-found]
-        with open(path, encoding="utf-8") as f:
+        with open(path) as f:
             return yaml.safe_load(f)
     except ImportError:
         return _load_config_minimal(path)
@@ -656,7 +656,7 @@ def _load_config_minimal(path: str) -> dict[str, Any]:
     item map: scalars + lists of scalars. Does NOT support nested lists,
     YAML anchors, multi-doc, or flow style.
     """
-    with open(path, encoding="utf-8") as f:
+    with open(path) as f:
         lines = f.readlines()
     return _parse_minimal_yaml(lines)
 

.gitea/scripts/tests/_refire_fixture.py

@@ -33,7 +33,7 @@ def scenario() -> str:
     p = os.path.join(STATE_DIR, "scenario")
     if not os.path.isfile(p):
         return "T1_success"
-    with open(p, encoding="utf-8") as f:
+    with open(p) as f:
         return f.read().strip()
 
 

.gitea/scripts/tests/_review_check_fixture.py

@@ -40,7 +40,7 @@ def scenario() -> str:
     p = os.path.join(STATE_DIR, "scenario")
     if not os.path.isfile(p):
         return "T1_pr_open"
-    with open(p, encoding="utf-8") as f:
+    with open(p) as f:
         return f.read().strip()
 
 

README.md

@@ -49,8 +49,8 @@
 ## Quick Start
 
 ```bash
-git clone https://git.moleculesai.app/molecule-ai/molecule-monorepo.git
-cd molecule-monorepo
+git clone https://git.moleculesai.app/molecule-ai/molecule-core.git
+cd molecule-core
 ./scripts/dev-start.sh
 ```
 

canvas/src/app/pricing/page.tsx

@@ -41,7 +41,7 @@ export default function PricingPage() {
         <p className="mt-2 text-ink-mid">
           We publish the{" "}
           <a
-            href="https://git.moleculesai.app/molecule-ai/molecule-monorepo"
+            href="https://git.moleculesai.app/molecule-ai/molecule-core"
             className="text-accent underline hover:text-accent"
           >
             full source on GitHub

canvas/src/components/tabs/ConfigTab.tsx

@@ -288,40 +288,6 @@ export function deriveProvidersFromModels(models: ModelSpec[]): string[] {
   return out;
 }
 
-// billingModeForProvider — maps a selected PROVIDER (vendor key) to the
-// LLM billing_mode it implies (internal#703 Gap 2).
-//
-// Today, picking a non-Platform provider in the Config tab writes the
-// credential env (CLAUDE_CODE_OAUTH_TOKEN / vendor key) but leaves
-// llm_billing_mode at its resolved default (`platform_managed`). The CP
-// tenant_config endpoint then keeps injecting the platform proxy base
-// URLs, so the OAuth token / vendor key is never actually used — BYOK
-// silently no-ops (the live SEO-Agent symptom in #703). The workspace-
-// server even hard-blocks vendor-key writes on platform_managed
-// workspaces (secrets.go:87), pointing the user at this exact billing-
-// mode switch. Wiring the provider change to also set billing_mode is
-// the UI half that makes BYOK take (the CP/workspace-server backend half
-// is being fixed in parallel — internal#703 Gap 1).
-//
-// Mapping:
-//   - "platform" (the Platform-managed proxy) OR "" (no explicit
-//     provider override → inherit, defaults to platform) → "platform_managed".
-//   - any other vendor key ("anthropic-oauth" = Claude Code subscription
-//     OAuth, "anthropic" = Anthropic API key, "minimax", "openrouter",
-//     etc.) → "byok".
-//
-// Returns the billing_mode string the PUT body should carry. The valid
-// set is fixed by workspace-server's recognizer (platform_managed | byok
-// | disabled); "disabled" is never auto-selected by a provider choice —
-// it's an explicit operator action via the LLM Billing section.
-export type LLMBillingMode = "platform_managed" | "byok";
-
-export function billingModeForProvider(provider: string): LLMBillingMode {
-  const v = provider.trim().toLowerCase();
-  if (v === "" || v === "platform") return "platform_managed";
-  return "byok";
-}
-
 // Fallback used when /templates can't be fetched (offline, older backend).
 // Keep in sync with manifest.json workspace_templates as a defensive default.
 // Model + env suggestions only flow when the backend is reachable.
@@ -736,36 +702,6 @@ export function ConfigTab({ workspaceId }: Props) {
         }
       }
 
-      // Provider → billing_mode linkage (internal#703 Gap 2). When the
-      // provider actually changed AND its implied billing_mode differs
-      // from the previously-selected provider's, push the new mode to
-      // the per-tenant llm-billing-mode endpoint (same path the LLM
-      // Billing section uses). Without this, selecting a non-Platform
-      // provider leaves billing_mode=platform_managed → CP keeps
-      // injecting the platform proxy → BYOK never takes.
-      //
-      // Gated on (a) the provider PUT having succeeded — no point setting
-      // byok if the credential write failed — and (b) the mode actually
-      // changing, so an unrelated provider tweak between two BYOK vendors
-      // (e.g. minimax → openrouter) doesn't re-issue a redundant
-      // platform_managed→byok PUT and trigger a needless restart.
-      let billingModeSaveError: string | null = null;
-      if (providerChanged && !providerSaveError) {
-        const nextMode = billingModeForProvider(provider);
-        const prevMode = billingModeForProvider(originalProvider);
-        if (nextMode !== prevMode) {
-          try {
-            await api.put(
-              `/admin/workspaces/${workspaceId}/llm-billing-mode`,
-              { mode: nextMode },
-            );
-          } catch (e) {
-            billingModeSaveError =
-              e instanceof Error ? e.message : "Billing mode update was rejected";
-          }
-        }
-      }
-
       setOriginalYaml(content);
       if (rawMode) {
         const parsed = parseYaml(content);
@@ -785,22 +721,16 @@ export function ConfigTab({ workspaceId }: Props) {
       } else if (!restart) {
         useCanvasStore.getState().updateNodeData(workspaceId, { needsRestart: !providerWillAutoRestart });
       }
-      // Aggregate partial-save errors. modelSaveError, providerSaveError,
-      // and billingModeSaveError describe rejected updates from
-      // independent endpoints — show whichever fired so the user knows
-      // which field reverts on next reload (otherwise they'd see "Saved"
-      // and be confused why Provider snapped back). The billing-mode case
-      // is the most important to surface: the provider credential saved
-      // but BYOK won't actually take until billing_mode flips, so a
-      // silent failure here is exactly the #703 "selecting a provider has
-      // no effect" symptom.
+      // Aggregate partial-save errors. Both modelSaveError and
+      // providerSaveError describe rejected updates from independent
+      // endpoints — show whichever fired so the user knows which
+      // field reverts on next reload (otherwise they'd see "Saved" and
+      // be confused why Provider snapped back).
       const partialError = providerSaveError
         ? `Other fields saved, but provider update failed: ${providerSaveError}`
-        : billingModeSaveError
-          ? `Provider saved, but switching billing mode failed — your own provider key/OAuth may not take effect until billing mode is set: ${billingModeSaveError}`
-          : modelSaveError
-            ? `Other fields saved, but model update failed: ${modelSaveError}`
-            : null;
+        : modelSaveError
+          ? `Other fields saved, but model update failed: ${modelSaveError}`
+          : null;
       if (partialError) {
         setError(partialError);
       } else {

canvas/src/components/tabs/__tests__/ConfigTab.billingMode.test.tsx

@@ -1,255 +0,0 @@
-// @vitest-environment jsdom
-//
-// Tests for the provider → llm_billing_mode linkage (internal#703 Gap 2).
-//
-// What this pins: when the operator changes the PROVIDER in the Config
-// tab, the workspace's llm_billing_mode must follow — a non-Platform
-// provider sets billing_mode=byok; Platform sets platform_managed. Before
-// this wiring, selecting "Claude Code subscription (OAuth)" or any vendor
-// key wrote the credential env but left billing_mode=platform_managed, so
-// CP kept injecting the platform proxy base URL and the OAuth token /
-// vendor key was never used — BYOK silently no-op'd (the live jrs-auto
-// SEO-Agent symptom in #703).
-//
-// The billing-mode PUT targets the same per-tenant endpoint the LLM
-// Billing section uses: PUT /admin/workspaces/:id/llm-billing-mode with
-// body {mode: "byok" | "platform_managed"}.
-
-import { describe, it, expect, vi, afterEach, beforeEach } from "vitest";
-import { render, screen, cleanup, waitFor, fireEvent } from "@testing-library/react";
-import React from "react";
-
-afterEach(cleanup);
-
-const apiGet = vi.fn();
-const apiPatch = vi.fn();
-const apiPut = vi.fn();
-vi.mock("@/lib/api", () => ({
-  api: {
-    get: (path: string) => apiGet(path),
-    patch: (path: string, body: unknown) => apiPatch(path, body),
-    put: (path: string, body: unknown) => apiPut(path, body),
-    post: vi.fn(),
-    del: vi.fn(),
-  },
-}));
-
-const storeUpdateNodeData = vi.fn();
-const storeRestartWorkspace = vi.fn();
-vi.mock("@/store/canvas", () => ({
-  useCanvasStore: Object.assign(
-    (selector: (s: unknown) => unknown) =>
-      selector({ restartWorkspace: storeRestartWorkspace, updateNodeData: storeUpdateNodeData }),
-    {
-      getState: () => ({
-        restartWorkspace: storeRestartWorkspace,
-        updateNodeData: storeUpdateNodeData,
-      }),
-    },
-  ),
-}));
-
-vi.mock("../AgentCardSection", () => ({
-  AgentCardSection: () => <div data-testid="agent-card-stub" />,
-}));
-
-import { ConfigTab, billingModeForProvider } from "../ConfigTab";
-
-function wireApi(opts: { providerValue?: string | "missing" }) {
-  apiGet.mockImplementation((path: string) => {
-    if (path === `/workspaces/ws-test`) {
-      return Promise.resolve({ runtime: "hermes" });
-    }
-    if (path === `/workspaces/ws-test/model`) {
-      return Promise.resolve({ model: "nousresearch/hermes-4-70b" });
-    }
-    if (path === `/workspaces/ws-test/provider`) {
-      if (opts.providerValue === "missing") return Promise.reject(new Error("404"));
-      return Promise.resolve({
-        provider: opts.providerValue ?? "",
-        source: opts.providerValue ? "workspace_secrets" : "default",
-      });
-    }
-    if (path === `/workspaces/ws-test/files/config.yaml`) {
-      return Promise.resolve({ content: "name: ws\nruntime: hermes\n" });
-    }
-    if (path === "/templates") return Promise.resolve([]);
-    return Promise.reject(new Error(`unmocked api.get: ${path}`));
-  });
-}
-
-function billingModeCalls() {
-  return apiPut.mock.calls.filter(
-    ([path]) => path === "/admin/workspaces/ws-test/llm-billing-mode",
-  );
-}
-
-beforeEach(() => {
-  apiGet.mockReset();
-  apiPatch.mockReset();
-  apiPut.mockReset();
-  storeUpdateNodeData.mockReset();
-  storeRestartWorkspace.mockReset();
-});
-
-describe("billingModeForProvider — pure mapping (internal#703 Gap 2)", () => {
-  // Platform / empty → platform_managed. Empty means "no explicit
-  // override → inherit", which resolves to platform on the backend, so
-  // it must NOT flip the workspace into byok.
-  it("maps Platform and empty to platform_managed", () => {
-    expect(billingModeForProvider("platform")).toBe("platform_managed");
-    expect(billingModeForProvider("")).toBe("platform_managed");
-    expect(billingModeForProvider("  ")).toBe("platform_managed");
-    expect(billingModeForProvider("PLATFORM")).toBe("platform_managed");
-  });
-
-  // Every non-Platform provider → byok. If this regresses to returning
-  // platform_managed for a vendor, BYOK silently no-ops again (#703).
-  it("maps non-Platform providers to byok", () => {
-    expect(billingModeForProvider("anthropic-oauth")).toBe("byok"); // Claude Code subscription
-    expect(billingModeForProvider("anthropic")).toBe("byok"); // Anthropic API key
-    expect(billingModeForProvider("minimax")).toBe("byok");
-    expect(billingModeForProvider("openrouter")).toBe("byok");
-    expect(billingModeForProvider("openai")).toBe("byok");
-  });
-});
-
-describe("ConfigTab — provider change drives billing_mode (internal#703 Gap 2)", () => {
-  // The core fix: picking a non-Platform provider (here "anthropic-oauth"
-  // = Claude Code subscription OAuth) from a fresh/empty provider must
-  // PUT mode=byok to the per-tenant llm-billing-mode endpoint. This is
-  // the exact path that was missing — the credential env saved but the
-  // billing mode never followed, so the proxy stayed engaged.
-  it("PUTs mode=byok when switching to a non-Platform provider", async () => {
-    wireApi({ providerValue: "" });
-    apiPut.mockResolvedValue({ status: "saved" });
-
-    render(<ConfigTab workspaceId="ws-test" />);
-    const input = await screen.findByTestId("provider-input");
-    fireEvent.change(input, { target: { value: "anthropic-oauth" } });
-
-    fireEvent.click(screen.getByRole("button", { name: /^save$/i }));
-
-    await waitFor(() => {
-      const calls = billingModeCalls();
-      expect(calls.length).toBe(1);
-      expect(calls[0][1]).toEqual({ mode: "byok" });
-    });
-    // Provider credential PUT still happens too (independent endpoint).
-    expect(
-      apiPut.mock.calls.some(([path]) => path === "/workspaces/ws-test/provider"),
-    ).toBe(true);
-  });
-
-  // Switching FROM a byok provider back TO Platform must PUT
-  // mode=platform_managed so the workspace re-engages the proxy and stops
-  // expecting a (now-absent) vendor key.
-  it("PUTs mode=platform_managed when switching back to Platform", async () => {
-    wireApi({ providerValue: "anthropic-oauth" });
-    apiPut.mockResolvedValue({ status: "saved" });
-
-    render(<ConfigTab workspaceId="ws-test" />);
-    const input = await screen.findByTestId("provider-input");
-    await waitFor(() => expect((input as HTMLInputElement).value).toBe("anthropic-oauth"));
-    fireEvent.change(input, { target: { value: "platform" } });
-
-    fireEvent.click(screen.getByRole("button", { name: /^save$/i }));
-
-    await waitFor(() => {
-      const calls = billingModeCalls();
-      expect(calls.length).toBe(1);
-      expect(calls[0][1]).toEqual({ mode: "platform_managed" });
-    });
-  });
-
-  // Changing between two BYOK vendors (minimax → openrouter) keeps
-  // billing_mode=byok — the implied mode is unchanged, so re-PUTing it
-  // would be a wasteful no-op that risks an extra restart. Must NOT fire.
-  it("does NOT PUT billing-mode when the implied mode is unchanged", async () => {
-    wireApi({ providerValue: "minimax" });
-    apiPut.mockResolvedValue({ status: "saved" });
-
-    render(<ConfigTab workspaceId="ws-test" />);
-    const input = await screen.findByTestId("provider-input");
-    await waitFor(() => expect((input as HTMLInputElement).value).toBe("minimax"));
-    fireEvent.change(input, { target: { value: "openrouter" } });
-
-    fireEvent.click(screen.getByRole("button", { name: /^save$/i }));
-
-    await waitFor(() => {
-      // Provider PUT fires (vendor changed)...
-      expect(
-        apiPut.mock.calls.some(([path]) => path === "/workspaces/ws-test/provider"),
-      ).toBe(true);
-    });
-    // ...but billing-mode does NOT (byok → byok is a no-op).
-    expect(billingModeCalls().length).toBe(0);
-  });
-
-  // A Save that doesn't touch the provider must not PUT billing-mode —
-  // editing tier/name shouldn't disturb the workspace's billing mode.
-  it("does NOT PUT billing-mode on a Save that leaves provider unchanged", async () => {
-    wireApi({ providerValue: "anthropic-oauth" });
-    apiPut.mockResolvedValue({ status: "saved" });
-
-    render(<ConfigTab workspaceId="ws-test" />);
-    await screen.findByTestId("provider-input");
-
-    // Dirty an unrelated field so Save is enabled.
-    const tierSelect = screen.getByLabelText(/tier/i) as HTMLSelectElement;
-    fireEvent.change(tierSelect, { target: { value: "3" } });
-
-    fireEvent.click(screen.getByRole("button", { name: /^save$/i }));
-
-    await waitFor(() => {
-      // Some PUT may fire (e.g. /model); just assert billing-mode did not.
-      expect(billingModeCalls().length).toBe(0);
-    });
-  });
-
-  // If the provider credential PUT itself fails, we must NOT set byok —
-  // flipping billing_mode while the credential write failed would leave
-  // the workspace expecting a key it doesn't have (worse than no-op).
-  it("does NOT PUT billing-mode when the provider PUT fails", async () => {
-    wireApi({ providerValue: "" });
-    apiPut.mockImplementation((path: string) => {
-      if (path === "/workspaces/ws-test/provider") return Promise.reject(new Error("boom"));
-      return Promise.resolve({ status: "saved" });
-    });
-
-    render(<ConfigTab workspaceId="ws-test" />);
-    const input = await screen.findByTestId("provider-input");
-    fireEvent.change(input, { target: { value: "anthropic-oauth" } });
-
-    fireEvent.click(screen.getByRole("button", { name: /^save$/i }));
-
-    await waitFor(() => {
-      // The provider-failure error is surfaced (getByText throws if absent).
-      expect(screen.getByText(/provider update failed/i)).toBeTruthy();
-    });
-    expect(billingModeCalls().length).toBe(0);
-  });
-
-  // If the credential saved but the billing-mode PUT is rejected, the
-  // user must be warned that BYOK may not take — a silent failure here
-  // is precisely the #703 symptom we're fixing.
-  it("surfaces an error when billing-mode PUT fails after a successful provider save", async () => {
-    wireApi({ providerValue: "" });
-    apiPut.mockImplementation((path: string) => {
-      if (path === "/admin/workspaces/ws-test/llm-billing-mode") {
-        return Promise.reject(new Error("403 forbidden"));
-      }
-      return Promise.resolve({ status: "saved" });
-    });
-
-    render(<ConfigTab workspaceId="ws-test" />);
-    const input = await screen.findByTestId("provider-input");
-    fireEvent.change(input, { target: { value: "anthropic-oauth" } });
-
-    fireEvent.click(screen.getByRole("button", { name: /^save$/i }));
-
-    await waitFor(() => {
-      expect(screen.getByText(/switching billing mode failed/i)).toBeTruthy();
-    });
-  });
-});

docs/architecture/molecule-technical-doc.md

@@ -1,7 +1,7 @@
 # Molecule AI — Comprehensive Technical Documentation
 
 > Definitive technical reference for the Molecule AI Agent Team platform.
-> Based on a full non-invasive scan of the [molecule-monorepo](https://git.moleculesai.app/molecule-ai/molecule-monorepo) repository.
+> Based on a full non-invasive scan of the [molecule-core](https://git.moleculesai.app/molecule-ai/molecule-core) repository.
 
 ---
 
@@ -1131,11 +1131,11 @@ Molecule AI's workspace abstraction is **runtime-agnostic by design**. A workspa
 
 ## Links
 
-- **GitHub**: https://git.moleculesai.app/molecule-ai/molecule-monorepo
-- **Architecture Docs**: https://git.moleculesai.app/molecule-ai/molecule-monorepo/src/branch/main/docs/architecture
-- **API Protocol**: https://git.moleculesai.app/molecule-ai/molecule-monorepo/src/branch/main/docs/api-protocol
-- **Agent Runtime**: https://git.moleculesai.app/molecule-ai/molecule-monorepo/src/branch/main/docs/agent-runtime
-- **Product Docs**: https://git.moleculesai.app/molecule-ai/molecule-monorepo/src/branch/main/docs/product
+- **GitHub**: https://git.moleculesai.app/molecule-ai/molecule-core
+- **Architecture Docs**: https://git.moleculesai.app/molecule-ai/molecule-core/src/branch/main/docs/architecture
+- **API Protocol**: https://git.moleculesai.app/molecule-ai/molecule-core/src/branch/main/docs/api-protocol
+- **Agent Runtime**: https://git.moleculesai.app/molecule-ai/molecule-core/src/branch/main/docs/agent-runtime
+- **Product Docs**: https://git.moleculesai.app/molecule-ai/molecule-core/src/branch/main/docs/product
 
 ---
 

docs/development/local-development.md

@@ -82,7 +82,7 @@ DATABASE_URL=postgres://dev:dev@postgres:5432/molecule?sslmode=prefer
 REDIS_URL=redis://redis:6379
 PORT=8080
 SECRETS_ENCRYPTION_KEY=dev-key-change-in-production
-WORKSPACE_DIR=/path/to/molecule-monorepo   # Optional global fallback; prefer per-workspace workspace_dir in org.yaml or API
+WORKSPACE_DIR=/path/to/molecule-core   # Optional global fallback; prefer per-workspace workspace_dir in org.yaml or API
 ```
 
 ### Canvas (Next.js)

docs/infra/workspace-terminal.md

@@ -16,11 +16,9 @@ workspace container running on it) over an [EC2 Instance Connect
 Endpoint](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-setup-ec2-instance-connect-endpoint.html).
 End users see a terminal; no direct public SSH ingress is required.
 
-Tracking: originally `molecule-core#1528` (resolved 2026-04-22). The
-`molecule-core` repo has since been renamed to `molecule-monorepo` and no
-longer accepts new issues under the old name; future terminal work is
-tracked in `molecule-monorepo` issues (workspace-server scope) and in
-`molecule-controlplane` issues for the EIC / per-tenant SG path.
+Tracking: originally `molecule-core#1528` (resolved 2026-04-22). Future
+terminal work is tracked in `molecule-core` issues (workspace-server scope)
+and in `molecule-controlplane` issues for the EIC / per-tenant SG path.
 
 ## Where things are
 

docs/integrations/opencode.md

@@ -64,7 +64,7 @@ When opencode connects to the Molecule MCP endpoint, the agent gains access to:
   "tool": "delegate_task",
   "arguments": {
     "target": "research-lead",
-    "task": "Summarise the last 7 days of commits in Molecule-AI/molecule-monorepo"
+    "task": "Summarise the last 7 days of commits in Molecule-AI/molecule-core"
   }
 }
 ```

docs/internal-content-policy.md

@@ -1,6 +1,6 @@
 # Internal content policy
 
-The `Molecule-AI/molecule-monorepo` repo is **public**. Anything internal
+The `Molecule-AI/molecule-core` repo is **public**. Anything internal
 (positioning, competitive briefs, sales playbooks, PMM/press drip, draft
 campaigns, raw research notes, ops runbooks, retrospectives) lives in
 **`Molecule-AI/internal`**.
@@ -18,14 +18,14 @@ This page is the canonical decision tree.
 | Draft campaign asset (still iterating, not yet customer-visible) | `Molecule-AI/internal/marketing/campaigns/` |
 | Roadmap discussion, planning doc, retrospective | `Molecule-AI/internal/PLAN.md` or `Molecule-AI/internal/retrospectives/` |
 | Runbook, ops procedure, incident postmortem | `Molecule-AI/internal/runbooks/` |
-| **Public-ready** blog post (final draft, ready to ship to docs site) | `Molecule-AI/molecule-monorepo/docs/blog/` |
-| **Public-ready** tutorial / quickstart | `Molecule-AI/molecule-monorepo/docs/tutorials/` |
-| Public DevRel content (code samples, demos for users) | `Molecule-AI/molecule-monorepo/docs/devrel/` |
-| API reference, architecture docs for external developers | `Molecule-AI/molecule-monorepo/docs/api/` |
+| **Public-ready** blog post (final draft, ready to ship to docs site) | `Molecule-AI/molecule-core/docs/blog/` |
+| **Public-ready** tutorial / quickstart | `Molecule-AI/molecule-core/docs/tutorials/` |
+| Public DevRel content (code samples, demos for users) | `Molecule-AI/molecule-core/docs/devrel/` |
+| API reference, architecture docs for external developers | `Molecule-AI/molecule-core/docs/api/` |
 | Code, tests, infrastructure | wherever is appropriate inside this repo |
 
 **Rule of thumb:** *"Would I be comfortable if a competitor / journalist / customer
-read this verbatim today?"* — yes → `monorepo/docs/`. No / not yet → `internal/`.
+read this verbatim today?"* — yes → `molecule-core/docs/`. No / not yet → `internal/`.
 
 ## Why
 
@@ -82,7 +82,7 @@ git push -u origin HEAD
 gh pr create --base main --fill
 ```
 
-Yes, this is more steps than `cd molecule-monorepo && git add research/foo.md`.
+Yes, this is more steps than `cd molecule-core && git add research/foo.md`.
 That cost is intentional: the friction is the point. Public space and
 internal space are different products with different audiences and
 different durability guarantees.

docs/quickstart.md

@@ -17,8 +17,8 @@ This path is aligned to the current repository and current UI. It gets you from
 ## The one-command path
 
 ```bash
-git clone https://git.moleculesai.app/molecule-ai/molecule-monorepo.git
-cd molecule-monorepo
+git clone https://git.moleculesai.app/molecule-ai/molecule-core.git
+cd molecule-core
 ./scripts/dev-start.sh
 ```
 
@@ -42,8 +42,8 @@ If you'd rather run each component yourself — useful when you're iterating on
 ### Step 1: Clone the repository
 
 ```bash
-git clone https://git.moleculesai.app/molecule-ai/molecule-monorepo.git
-cd molecule-monorepo
+git clone https://git.moleculesai.app/molecule-ai/molecule-core.git
+cd molecule-core
 ```
 
 ### Step 2: Start the shared infrastructure

tools/check-template-parity.sh

@@ -13,7 +13,7 @@
 #
 # Invocation (from template-hermes repo's CI):
 #
-#     bash /path/to/molecule-monorepo/tools/check-template-parity.sh \
+#     bash /path/to/molecule-core/tools/check-template-parity.sh \
 #          install.sh start.sh
 #
 # Or inline via curl:

workspace-server/internal/handlers/a2a_queue_status.go

@@ -153,15 +153,7 @@ func queueRowAuthFields(ctx context.Context, queueID string) (callerID, workspac
 	if err != nil {
 		return "", "", err
 	}
-	callerID = ""
-	if callerNS.Valid {
-		callerID = callerNS.String
-	}
-	workspaceID = ""
-	if workspaceNS.Valid {
-		workspaceID = workspaceNS.String
-	}
-	return callerID, workspaceID, nil
+	return callerNS.String, workspaceNS.String, nil
 }
 
 // GetA2AQueueStatus handles GET /workspaces/:id/a2a/queue/:queue_id.

workspace-server/internal/handlers/a2a_queue_status_test.go

@@ -1,62 +1,9 @@
 package handlers
 
 import (
-	"context"
 	"testing"
-
-	"github.com/DATA-DOG/go-sqlmock"
 )
 
-// TestQueueRowAuthFields_NilSafeScan proves queueRowAuthFields returns empty
-// strings (not a panic / garbage) when the a2a_queue row has NULL caller_id
-// or workspace_id. Before the fix it dereferenced NullString.String directly,
-// which is only the zero value when Valid is false but masked the NULL-vs-""
-// distinction; the guard makes the intent explicit and safe.
-func TestQueueRowAuthFields_NilSafeScan(t *testing.T) {
-	mock := setupTestDB(t)
-	queueID := "queue-123"
-
-	mock.ExpectQuery(`SELECT caller_id, workspace_id FROM a2a_queue WHERE id = \$1`).
-		WithArgs(queueID).
-		WillReturnRows(sqlmock.NewRows([]string{"caller_id", "workspace_id"}).AddRow(nil, nil))
-
-	caller, workspace, err := queueRowAuthFields(context.Background(), queueID)
-	if err != nil {
-		t.Fatalf("queueRowAuthFields returned error: %v", err)
-	}
-	if caller != "" {
-		t.Errorf("callerID = %q, want empty string for NULL caller_id", caller)
-	}
-	if workspace != "" {
-		t.Errorf("workspaceID = %q, want empty string for NULL workspace_id", workspace)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Fatalf("unmet expectations: %v", err)
-	}
-}
-
-// TestQueueRowAuthFields_PopulatedRow confirms the non-NULL path still returns
-// the scanned values unchanged.
-func TestQueueRowAuthFields_PopulatedRow(t *testing.T) {
-	mock := setupTestDB(t)
-	queueID := "queue-456"
-
-	mock.ExpectQuery(`SELECT caller_id, workspace_id FROM a2a_queue WHERE id = \$1`).
-		WithArgs(queueID).
-		WillReturnRows(sqlmock.NewRows([]string{"caller_id", "workspace_id"}).AddRow("caller-x", "ws-y"))
-
-	caller, workspace, err := queueRowAuthFields(context.Background(), queueID)
-	if err != nil {
-		t.Fatalf("queueRowAuthFields returned error: %v", err)
-	}
-	if caller != "caller-x" || workspace != "ws-y" {
-		t.Fatalf("got caller=%q workspace=%q, want caller-x / ws-y", caller, workspace)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Fatalf("unmet expectations: %v", err)
-	}
-}
-
 // TestExtractExpiresInSeconds covers the JSON parser used at enqueue time
 // to honor a caller-specified TTL. Zero return = "no TTL" — caller leaves
 // expires_at NULL on the queue row.

workspace-server/internal/handlers/delegation_test.go

@@ -1059,13 +1059,13 @@ func expectExecuteDelegationBase(mock sqlmock.Sqlmock) {
 		WillReturnResult(sqlmock.NewResult(0, 1))
 
 	// CanCommunicate: getWorkspaceRef(source) + getWorkspaceRef(target).
-	// Both are root-level workspaces (parent_id=NULL) → root-level siblings → allowed.
+	// Source is root-level, target is its child → parent→child communication allowed.
 	mock.ExpectQuery("SELECT id, parent_id FROM workspaces WHERE id = ").
 		WithArgs(testDeliverySourceID).
 		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow(testDeliverySourceID, nil))
 	mock.ExpectQuery("SELECT id, parent_id FROM workspaces WHERE id = ").
 		WithArgs(testDeliveryTargetID).
-		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow(testDeliveryTargetID, nil))
+		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow(testDeliveryTargetID, testDeliverySourceID))
 
 	// resolveAgentURL: test callers always set the URL in Redis (mr.Set ws:{id}:url),
 	// so resolveAgentURL gets a cache hit and never falls back to DB.

workspace-server/internal/handlers/discovery.go

@@ -246,15 +246,11 @@ func (h *DiscoveryHandler) Peers(c *gin.Context) {
 			FROM workspaces w WHERE w.parent_id = $1 AND w.id != $2 AND w.status != 'removed'`,
 			parentID.String, workspaceID)
 		peers = append(peers, siblings...)
-	} else {
-		siblings, _ := queryPeerMaps(`
-			SELECT w.id, w.name, COALESCE(w.role, ''), w.tier, w.status,
-				   COALESCE(w.agent_card, 'null'::jsonb), COALESCE(w.url, ''),
-				   w.parent_id, w.active_tasks
-			FROM workspaces w WHERE w.parent_id IS NULL AND w.id != $1 AND w.status != 'removed'`,
-			workspaceID)
-		peers = append(peers, siblings...)
 	}
+	// Root workspaces (parent_id IS NULL) have no siblings: each org has
+	// exactly one root, so a distinct workspace with parent_id IS NULL
+	// belongs to a different tenant. Querying `parent_id IS NULL` would
+	// leak every org root across tenants (security #1953).
 
 	// Children — exclude self defensively. A child row whose parent_id
 	// equals the requesting workspaceID can never legitimately be the

workspace-server/internal/handlers/discovery_test.go

@@ -223,10 +223,8 @@ func TestPeers_RootWorkspace_NoPeers(t *testing.T) {
 
 	peerCols := []string{"id", "name", "role", "tier", "status", "agent_card", "url", "parent_id", "active_tasks"}
 
-	// Siblings (other root-level workspaces) — none
-	mock.ExpectQuery("SELECT w.id, w.name.*WHERE w.parent_id IS NULL AND w.id != \\$1").
-		WithArgs("ws-root-alone").
-		WillReturnRows(sqlmock.NewRows(peerCols))
+	// Siblings — root workspaces have none (each org has exactly one root;
+	// querying `parent_id IS NULL` would leak all org roots cross-tenant).
 
 	// Children — none. #383 added explicit `w.id != $2` self-filter.
 	mock.ExpectQuery("SELECT w.id, w.name.*WHERE w.parent_id = \\$1 AND w.id != \\$2").
@@ -959,15 +957,12 @@ func TestPeers_DevModeFailOpen_AllowsBearerlessRequest(t *testing.T) {
 
 	peersAuthFixtureHasLiveToken(mock, "ws-dev")
 
-	// Root workspace → children+parent queries still fire but the
-	// parent_id lookup comes first.
+	// Root workspace → no sibling query (security #1953), children+parent
+	// queries still fire, and the parent_id lookup comes first.
 	mock.ExpectQuery("SELECT parent_id FROM workspaces WHERE id =").
 		WithArgs("ws-dev").
 		WillReturnRows(sqlmock.NewRows([]string{"parent_id"}).AddRow(nil))
 	peerCols := []string{"id", "name", "role", "tier", "status", "agent_card", "url", "parent_id", "active_tasks"}
-	mock.ExpectQuery("SELECT w.id.+WHERE w.parent_id IS NULL AND w.id").
-		WithArgs("ws-dev").
-		WillReturnRows(sqlmock.NewRows(peerCols))
 	// #383 — children query gained explicit `w.id != $2` self-filter.
 	mock.ExpectQuery("SELECT w.id.+WHERE w.parent_id = \\$1 AND w.id != \\$2 AND w.status").
 		WithArgs("ws-dev", "ws-dev").

workspace-server/internal/handlers/github_token.go

@@ -167,9 +167,6 @@ func generateAppInstallationToken() (string, time.Time, error) {
 		return "", time.Time{}, err
 	}
 	defer func() { _ = resp.Body.Close() }()
-	if resp.StatusCode != http.StatusCreated {
-		return "", time.Time{}, fmt.Errorf("github token endpoint returned status %d", resp.StatusCode)
-	}
 	var result struct {
 		Token     string    `json:"token"`
 		ExpiresAt time.Time `json:"expires_at"`

workspace-server/internal/handlers/handlers_additional_test.go

@@ -576,13 +576,13 @@ func TestDiscover_TargetOffline(t *testing.T) {
 	setupTestRedis(t)
 	handler := NewDiscoveryHandler()
 
-	// Both root-level, access allowed
+	// Same-parent siblings, access allowed
 	mock.ExpectQuery("SELECT id, parent_id FROM workspaces WHERE id =").
 		WithArgs("ws-caller").
-		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow("ws-caller", nil))
+		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow("ws-caller", "ws-parent"))
 	mock.ExpectQuery("SELECT id, parent_id FROM workspaces WHERE id =").
 		WithArgs("ws-off").
-		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow("ws-off", nil))
+		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow("ws-off", "ws-parent"))
 
 	// Name + runtime lookup (discovery now queries both)
 	mock.ExpectQuery("SELECT COALESCE").
@@ -622,13 +622,13 @@ func TestCheckAccess_SiblingsAllowed(t *testing.T) {
 	setupTestRedis(t)
 	handler := NewDiscoveryHandler()
 
-	// Both root-level siblings → allowed
+	// Siblings under a shared parent → allowed
 	mock.ExpectQuery("SELECT id, parent_id FROM workspaces WHERE id =").
 		WithArgs("ws-a").
-		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow("ws-a", nil))
+		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow("ws-a", "ws-parent"))
 	mock.ExpectQuery("SELECT id, parent_id FROM workspaces WHERE id =").
 		WithArgs("ws-b").
-		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow("ws-b", nil))
+		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow("ws-b", "ws-parent"))
 
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)

workspace-server/internal/handlers/handlers_extended_test.go

@@ -376,14 +376,13 @@ func TestExtended_DiscoverWithCallerID(t *testing.T) {
 	handler := NewDiscoveryHandler()
 
 	// CanCommunicate needs to look up both workspaces
-	// Caller: root-level (no parent)
+	// Caller and target are siblings under a shared parent
 	mock.ExpectQuery("SELECT id, parent_id FROM workspaces WHERE id =").
 		WithArgs("ws-caller").
-		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow("ws-caller", nil))
-	// Target: also root-level (no parent) — root-level siblings are allowed
+		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow("ws-caller", "ws-parent"))
 	mock.ExpectQuery("SELECT id, parent_id FROM workspaces WHERE id =").
 		WithArgs("ws-target").
-		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow("ws-target", nil))
+		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow("ws-target", "ws-parent"))
 
 	// Discover handler looks up workspace name + runtime
 	mock.ExpectQuery("SELECT COALESCE").
@@ -458,14 +457,14 @@ func TestExtended_Peers(t *testing.T) {
 	setupTestRedis(t)
 	handler := NewDiscoveryHandler()
 
-	// Expect parent_id lookup for requesting workspace (root-level, no parent)
+	// Expect parent_id lookup for requesting workspace (has a parent)
 	mock.ExpectQuery("SELECT parent_id FROM workspaces WHERE id =").
 		WithArgs("ws-peer").
-		WillReturnRows(sqlmock.NewRows([]string{"parent_id"}).AddRow(nil))
+		WillReturnRows(sqlmock.NewRows([]string{"parent_id"}).AddRow("ws-parent"))
 
-	// Expect root-level siblings query (parent IS NULL, excluding self)
+	// Expect siblings query (same parent, excluding self)
 	mock.ExpectQuery("SELECT w.id, w.name").
-		WithArgs("ws-peer").
+		WithArgs("ws-parent", "ws-peer").
 		WillReturnRows(sqlmock.NewRows([]string{"id", "name", "role", "tier", "status", "agent_card", "url", "parent_id", "active_tasks"}).
 			AddRow("ws-sibling", "Sibling Agent", "worker", 1, "online", []byte("null"), "http://localhost:9001", nil, 0))
 
@@ -512,13 +511,13 @@ func TestExtended_CheckAccess(t *testing.T) {
 	handler := NewDiscoveryHandler()
 
 	// CanCommunicate will look up both workspaces
-	// Both root-level — should be allowed
+	// Siblings under a shared parent — should be allowed
 	mock.ExpectQuery("SELECT id, parent_id FROM workspaces WHERE id =").
 		WithArgs("ws-a").
-		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow("ws-a", nil))
+		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow("ws-a", "ws-parent"))
 	mock.ExpectQuery("SELECT id, parent_id FROM workspaces WHERE id =").
 		WithArgs("ws-b").
-		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow("ws-b", nil))
+		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow("ws-b", "ws-parent"))
 
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)

workspace-server/internal/handlers/mcp_test.go

@@ -336,36 +336,6 @@ func TestMCPHandler_DelegateTaskAsync_MarshalFailureDoesNotCallProxy(t *testing.
 	}
 }
 
-// TestMCPHandler_CheckTaskStatus_NullStatusDefaultsToUnknown proves the
-// extracted #1933 hardening: when the activity_logs row has a NULL status,
-// check_task_status reports "unknown" instead of an empty string (the old
-// status.String zero value).
-func TestMCPHandler_CheckTaskStatus_NullStatusDefaultsToUnknown(t *testing.T) {
-	h, mock := newMCPHandler(t)
-	callerID := "11111111-1111-1111-1111-111111111111"
-	targetID := "22222222-2222-2222-2222-222222222222"
-	taskID := "task-abc"
-
-	mock.ExpectQuery(`(?s)SELECT status, error_detail, response_body.*FROM activity_logs`).
-		WithArgs(callerID, targetID, taskID).
-		WillReturnRows(sqlmock.NewRows([]string{"status", "error_detail", "response_body"}).
-			AddRow(nil, nil, nil))
-
-	out, err := h.toolCheckTaskStatus(context.Background(), callerID, map[string]interface{}{
-		"workspace_id": targetID,
-		"task_id":      taskID,
-	})
-	if err != nil {
-		t.Fatalf("check_task_status returned error: %v", err)
-	}
-	if !strings.Contains(out, `"status": "unknown"`) {
-		t.Fatalf("expected status \"unknown\" for NULL status row, got: %s", out)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Fatalf("unmet expectations: %v", err)
-	}
-}
-
 // ─────────────────────────────────────────────────────────────────────────────
 // notifications/initialized
 // ─────────────────────────────────────────────────────────────────────────────

workspace-server/internal/handlers/mcp_tools.go

@@ -107,16 +107,10 @@ func (h *MCPHandler) toolListPeers(ctx context.Context, workspaceID string) (str
 				log.Printf("MCP toolListPeers: sibling scan error: %v", scanErr)
 			}
 		}
-	} else {
-		rows, err := h.database.QueryContext(ctx,
-			cols+` FROM workspaces w WHERE w.parent_id IS NULL AND w.id != $1 AND w.status != 'removed'`,
-			workspaceID)
-		if err == nil {
-			if scanErr := scanPeers(rows); scanErr != nil {
-				log.Printf("MCP toolListPeers: sibling scan error: %v", scanErr)
-			}
-		}
 	}
+	// Root workspaces (parent_id IS NULL) have no siblings: each org has
+	// exactly one root. Querying `parent_id IS NULL` would leak every org
+	// root across tenants (security #1953).
 
 	// Children
 	{
@@ -149,7 +143,6 @@ func (h *MCPHandler) toolListPeers(ctx context.Context, workspaceID string) (str
 	b, marshalErr := json.MarshalIndent(peers, "", "  ")
 	if marshalErr != nil {
 		log.Printf("toolListPeers: json.MarshalIndent peers failed: %v", marshalErr)
-		return "", fmt.Errorf("marshal response: %w", marshalErr)
 	}
 	return string(b), nil
 }
@@ -183,7 +176,6 @@ func (h *MCPHandler) toolGetWorkspaceInfo(ctx context.Context, workspaceID strin
 	b, marshalErr := json.MarshalIndent(info, "", "  ")
 	if marshalErr != nil {
 		log.Printf("toolGetWorkspaceInfo %s: json.MarshalIndent info failed: %v", workspaceID, marshalErr)
-		return "", fmt.Errorf("marshal response: %w", marshalErr)
 	}
 	return string(b), nil
 }
@@ -340,13 +332,9 @@ func (h *MCPHandler) toolCheckTaskStatus(ctx context.Context, callerID string, a
 
 	result := map[string]interface{}{
 		"task_id":   taskID,
+		"status":    status.String,
 		"target_id": targetID,
 	}
-	if status.Valid {
-		result["status"] = status.String
-	} else {
-		result["status"] = "unknown"
-	}
 	if errorDetail.Valid && errorDetail.String != "" {
 		result["error"] = errorDetail.String
 	}
@@ -356,7 +344,6 @@ func (h *MCPHandler) toolCheckTaskStatus(ctx context.Context, callerID string, a
 	b, marshalErr := json.MarshalIndent(result, "", "  ")
 	if marshalErr != nil {
 		log.Printf("toolCheckTaskStatus: json.MarshalIndent result failed: %v", marshalErr)
-		return "", fmt.Errorf("marshal response: %w", marshalErr)
 	}
 	return string(b), nil
 }

workspace-server/internal/handlers/mcp_tools_memory_legacy_shim.go

@@ -194,7 +194,6 @@ func (h *MCPHandler) recallMemoryLegacyShim(ctx context.Context, workspaceID str
 	b, marshalErr := json.MarshalIndent(out, "", "  ")
 	if marshalErr != nil {
 		log.Printf("toolRecallMemory: json.MarshalIndent out failed: %v", marshalErr)
-		return "", fmt.Errorf("marshal response: %w", marshalErr)
 	}
 	return string(b), nil
 }

workspace-server/internal/handlers/mcp_tools_memory_v2.go

@@ -166,7 +166,6 @@ func (h *MCPHandler) toolCommitMemoryV2(ctx context.Context, workspaceID string,
 	out, marshalErr := json.Marshal(resp)
 	if marshalErr != nil {
 		log.Printf("toolCommitMemoryV2 %s: json.Marshal resp failed: %v", workspaceID, marshalErr)
-		return "", fmt.Errorf("marshal response: %w", marshalErr)
 	}
 	return string(out), nil
 }
@@ -224,7 +223,6 @@ func (h *MCPHandler) toolSearchMemory(ctx context.Context, workspaceID string, a
 	out, marshalErr := json.Marshal(resp)
 	if marshalErr != nil {
 		log.Printf("toolSearchMemory %s: json.Marshal resp failed: %v", workspaceID, marshalErr)
-		return "", fmt.Errorf("marshal response: %w", marshalErr)
 	}
 	return string(out), nil
 }
@@ -283,7 +281,6 @@ func (h *MCPHandler) toolCommitSummary(ctx context.Context, workspaceID string,
 	out, marshalErr := json.Marshal(resp)
 	if marshalErr != nil {
 		log.Printf("toolCommitSummary %s: json.Marshal resp failed: %v", workspaceID, marshalErr)
-		return "", fmt.Errorf("marshal response: %w", marshalErr)
 	}
 	return string(out), nil
 }
@@ -303,7 +300,6 @@ func (h *MCPHandler) toolListWritableNamespaces(ctx context.Context, workspaceID
 	b, marshalErr := json.MarshalIndent(ns, "", "  ")
 	if marshalErr != nil {
 		log.Printf("toolListWritableNamespaces %s: json.MarshalIndent ns failed: %v", workspaceID, marshalErr)
-		return "", fmt.Errorf("marshal response: %w", marshalErr)
 	}
 	return string(b), nil
 }
@@ -319,7 +315,6 @@ func (h *MCPHandler) toolListReadableNamespaces(ctx context.Context, workspaceID
 	b, marshalErr := json.MarshalIndent(ns, "", "  ")
 	if marshalErr != nil {
 		log.Printf("toolListReadableNamespaces %s: json.MarshalIndent ns failed: %v", workspaceID, marshalErr)
-		return "", fmt.Errorf("marshal response: %w", marshalErr)
 	}
 	return string(b), nil
 }

workspace-server/internal/handlers/registry.go

@@ -345,16 +345,8 @@ func (h *RegistryHandler) Register(c *gin.Context) {
 		if qErr := db.DB.QueryRowContext(ctx,
 			`SELECT name, role FROM workspaces WHERE id = $1`, payload.ID,
 		).Scan(&dbName, &dbRole); qErr == nil {
-			name := ""
-			if dbName.Valid {
-				name = dbName.String
-			}
-			role := ""
-			if dbRole.Valid {
-				role = dbRole.String
-			}
 			if rc, did := reconcileAgentCardIdentity(
-				payload.AgentCard, payload.ID, name, role,
+				payload.AgentCard, payload.ID, dbName.String, dbRole.String,
 			); did {
 				reconciledCard = rc
 				log.Printf("Registry register: reconciled agent_card identity for %s from workspaces row", payload.ID)

workspace-server/internal/handlers/schedules.go

@@ -160,14 +160,13 @@ func (h *ScheduleHandler) Create(c *gin.Context) {
 	}
 
 	// Validate timezone
-	loc, err := time.LoadLocation(body.Timezone)
-	if err != nil {
+	if _, err := time.LoadLocation(body.Timezone); err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid timezone: " + body.Timezone})
 		return
 	}
 
 	// Validate and compute next run
-	nextRun, err := scheduler.ComputeNextRun(body.CronExpr, body.Timezone, time.Now().In(loc))
+	nextRun, err := scheduler.ComputeNextRun(body.CronExpr, body.Timezone, time.Now())
 	if err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid request body"})
 		return
@@ -261,12 +260,11 @@ func (h *ScheduleHandler) Update(c *gin.Context) {
 		if body.Timezone != nil {
 			tz = *body.Timezone
 		}
-		loc, err := time.LoadLocation(tz)
-		if err != nil {
+		if _, err := time.LoadLocation(tz); err != nil {
 			c.JSON(http.StatusBadRequest, gin.H{"error": "invalid timezone: " + tz})
 			return
 		}
-		nextRun, err := scheduler.ComputeNextRun(cronExpr, tz, time.Now().In(loc))
+		nextRun, err := scheduler.ComputeNextRun(cronExpr, tz, time.Now())
 		if err != nil {
 			c.JSON(http.StatusBadRequest, gin.H{"error": "invalid request body"})
 			return

workspace-server/internal/handlers/workspace_provision.go

@@ -953,24 +953,14 @@ func applyPlatformManagedLLMEnv(ctx context.Context, envVars map[string]string,
 		log.Printf("workspace_provision: resolve billing mode workspace=%s err=%v (defaulting to platform_managed)", workspaceID, resolveErr)
 	}
 	log.Printf("workspace_provision: billing mode workspace=%s resolved=%s source=%s org_default=%s", workspaceID, res.ResolvedMode, res.Source, res.OrgDefault)
-	// internal#703: MOLECULE_LLM_BILLING_MODE in the container must reflect the
-	// RESOLVED per-workspace mode, not a hardcoded literal. Pre-fix this var was
-	// only emitted (hardcoded "platform_managed") on the strip path below, so a
-	// byok/disabled container never carried a truthful billing-mode value — only
-	// MOLECULE_LLM_BILLING_MODE_RESOLVED. Emit both here, resolver-driven, for
-	// every mode so the value is correct on the byok/disabled early-return path
-	// too (and downstream consumers / debug shells see byok, not platform_managed).
-	envVars["MOLECULE_LLM_BILLING_MODE"] = res.ResolvedMode
 	// Observability: surface the resolved mode in the container env so the
 	// agent / debug shell can answer "why is my key being stripped" without
 	// pulling logs or hitting the admin route.
 	envVars["MOLECULE_LLM_BILLING_MODE_RESOLVED"] = res.ResolvedMode
 	if res.ResolvedMode != LLMBillingModePlatformManaged {
-		// byok or disabled — DO NOT strip vendor keys, DO NOT force-route to CP,
-		// DO NOT override the workspace own ANTHROPIC_BASE_URL / OAuth token.
+		// byok or disabled — DO NOT strip vendor keys, DO NOT force-route to CP.
 		// Leave envVars alone so CLAUDE_CODE_OAUTH_TOKEN / vendor API keys
-		// pulled from workspace_secrets survive into the container, and the
-		// workspace talks to its own provider directly (internal#703).
+		// pulled from workspace_secrets survive into the container.
 		return
 	}
 	baseURL := firstNonEmptyEnv("MOLECULE_LLM_BASE_URL", "OPENAI_BASE_URL")
@@ -981,8 +971,7 @@ func applyPlatformManagedLLMEnv(ctx context.Context, envVars map[string]string,
 	}
 	stripPlatformManagedLLMBypassEnv(envVars)
 
-	// MOLECULE_LLM_BILLING_MODE is already set to res.ResolvedMode (==
-	// platform_managed on this path) above (internal#703); no hardcode here.
+	envVars["MOLECULE_LLM_BILLING_MODE"] = "platform_managed"
 	envVars["MOLECULE_LLM_BASE_URL"] = baseURL
 	envVars["MOLECULE_LLM_USAGE_TOKEN"] = token
 	if anthropicBaseURL != "" {
@@ -1015,7 +1004,7 @@ func stripPlatformManagedLLMBypassEnv(envVars map[string]string) {
 }
 
 func runtimeUsesAnthropicNativeProxy(runtime string) bool {
-	return strings.EqualFold(strings.TrimSpace(runtime), "claude-code")
+	return strings.TrimSpace(strings.ToLower(runtime)) == "claude-code"
 }
 
 func firstNonEmptyEnv(names ...string) string {

workspace-server/internal/handlers/workspace_provision_shared_test.go

@@ -1106,112 +1106,6 @@ func TestApplyPlatformManagedLLMEnv_NoopsOutsidePlatformManaged(t *testing.T) {
 	}
 }
 
-// TestApplyPlatformManagedLLMEnv_ClaudeCodeByokKeepsOwnProviderEnv is the
-// internal#703 regression guard: a per-workspace byok override (org-level
-// MOLECULE_LLM_BILLING_MODE left at the platform_managed bootstrap floor)
-// must resolve to byok and leave the workspace own provider env intact —
-// the CP-injected proxy ANTHROPIC_BASE_URL / usage token must NOT be forced,
-// the OAuth token must NOT be stripped, and MOLECULE_LLM_BILLING_MODE in the
-// container must read the RESOLVED mode (byok), not the hardcoded literal.
-//
-// This is the discriminating test for the byok end-to-end fix: pre-fix the
-// strip path was the only emitter of MOLECULE_LLM_BILLING_MODE (hardcoded
-// "platform_managed"), so a byok container carried no truthful billing mode.
-func TestApplyPlatformManagedLLMEnv_ClaudeCodeByokKeepsOwnProviderEnv(t *testing.T) {
-	const wsID = "77777777-7777-7777-7777-777777777777"
-	mock := setupTestDB(t)
-	mock.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
-		WithArgs(wsID).
-		WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}).AddRow(LLMBillingModeBYOK))
-
-	// Org-level env left at the bootstrap floor — the per-workspace override
-	// is what must flip this workspace to byok (the realistic prod shape).
-	t.Setenv("MOLECULE_LLM_BILLING_MODE", LLMBillingModePlatformManaged)
-	t.Setenv("MOLECULE_LLM_BASE_URL", "https://api.example.test/api/v1/internal/llm/openai/v1")
-	t.Setenv("MOLECULE_LLM_ANTHROPIC_BASE_URL", "https://api.example.test/api/v1/internal/llm/anthropic")
-	t.Setenv("MOLECULE_LLM_USAGE_TOKEN", "tenant-admin-token")
-
-	// The workspace brought its own Claude Code OAuth token (BYOK via the
-	// subscription provider). It must survive untouched.
-	envVars := map[string]string{
-		"CLAUDE_CODE_OAUTH_TOKEN": "user-oauth-token",
-		"MODEL":                   "sonnet",
-	}
-	applyPlatformManagedLLMEnv(context.Background(), envVars, wsID, "claude-code", "")
-
-	// 1. OAuth token intact — not stripped.
-	if got := envVars["CLAUDE_CODE_OAUTH_TOKEN"]; got != "user-oauth-token" {
-		t.Fatalf("CLAUDE_CODE_OAUTH_TOKEN = %q, want it left intact for byok", got)
-	}
-	// 2. No CP proxy base URL / usage token forced onto the workspace.
-	if got, ok := envVars["ANTHROPIC_BASE_URL"]; ok {
-		t.Fatalf("ANTHROPIC_BASE_URL must NOT be injected for byok, got %q", got)
-	}
-	if got, ok := envVars["ANTHROPIC_API_KEY"]; ok {
-		t.Fatalf("ANTHROPIC_API_KEY must NOT be injected for byok, got %q", got)
-	}
-	if got, ok := envVars["MOLECULE_LLM_ANTHROPIC_BASE_URL"]; ok {
-		t.Fatalf("MOLECULE_LLM_ANTHROPIC_BASE_URL must NOT be injected for byok, got %q", got)
-	}
-	if got, ok := envVars["MOLECULE_LLM_USAGE_TOKEN"]; ok {
-		t.Fatalf("MOLECULE_LLM_USAGE_TOKEN must NOT be injected for byok, got %q", got)
-	}
-	// 3. Billing mode in the container reflects the RESOLVED mode (byok).
-	if got := envVars["MOLECULE_LLM_BILLING_MODE"]; got != LLMBillingModeBYOK {
-		t.Fatalf("MOLECULE_LLM_BILLING_MODE = %q, want %q (resolver-driven, not hardcoded)", got, LLMBillingModeBYOK)
-	}
-	if got := envVars["MOLECULE_LLM_BILLING_MODE_RESOLVED"]; got != LLMBillingModeBYOK {
-		t.Fatalf("MOLECULE_LLM_BILLING_MODE_RESOLVED = %q, want %q", got, LLMBillingModeBYOK)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
-// TestApplyPlatformManagedLLMEnv_PlatformManagedStillEmitsResolvedMode is the
-// no-regression companion: a workspace that resolves to platform_managed must
-// still strip + force the proxy AND emit MOLECULE_LLM_BILLING_MODE=
-// platform_managed (now resolver-driven, internal#703). Proves the byok fix
-// did not alter the platform_managed contract.
-func TestApplyPlatformManagedLLMEnv_PlatformManagedStillEmitsResolvedMode(t *testing.T) {
-	const wsID = "88888888-8888-8888-8888-888888888888"
-	mock := setupTestDB(t)
-	mock.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
-		WithArgs(wsID).
-		WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}).AddRow(LLMBillingModePlatformManaged))
-
-	t.Setenv("MOLECULE_LLM_BILLING_MODE", LLMBillingModePlatformManaged)
-	t.Setenv("MOLECULE_LLM_BASE_URL", "https://api.example.test/api/v1/internal/llm/openai/v1")
-	t.Setenv("MOLECULE_LLM_ANTHROPIC_BASE_URL", "https://api.example.test/api/v1/internal/llm/anthropic")
-	t.Setenv("MOLECULE_LLM_USAGE_TOKEN", "tenant-admin-token")
-
-	envVars := map[string]string{
-		"CLAUDE_CODE_OAUTH_TOKEN": "user-oauth-token",
-		"MODEL":                   "sonnet",
-	}
-	applyPlatformManagedLLMEnv(context.Background(), envVars, wsID, "claude-code", "")
-
-	// OAuth stripped, proxy forced — unchanged platform_managed contract.
-	if _, ok := envVars["CLAUDE_CODE_OAUTH_TOKEN"]; ok {
-		t.Fatalf("CLAUDE_CODE_OAUTH_TOKEN should be stripped for platform_managed")
-	}
-	if got := envVars["ANTHROPIC_BASE_URL"]; got != "https://api.example.test/api/v1/internal/llm/anthropic" {
-		t.Fatalf("ANTHROPIC_BASE_URL = %q, want proxy forced for platform_managed", got)
-	}
-	if got := envVars["ANTHROPIC_API_KEY"]; got != "tenant-admin-token" {
-		t.Fatalf("ANTHROPIC_API_KEY = %q, want usage token for platform_managed", got)
-	}
-	if got := envVars["MOLECULE_LLM_BILLING_MODE"]; got != LLMBillingModePlatformManaged {
-		t.Fatalf("MOLECULE_LLM_BILLING_MODE = %q, want %q", got, LLMBillingModePlatformManaged)
-	}
-	if got := envVars["MOLECULE_LLM_BILLING_MODE_RESOLVED"]; got != LLMBillingModePlatformManaged {
-		t.Fatalf("MOLECULE_LLM_BILLING_MODE_RESOLVED = %q, want %q", got, LLMBillingModePlatformManaged)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
 // TestApplyRuntimeModelEnv_PersonaEnvMODELSecretPreserved locks in the
 // 2026-05-08 fix that prevents the MODEL_PROVIDER-as-slug fallback from
 // silently overwriting a per-persona MODEL workspace_secret on restart,

workspace-server/internal/handlers/workspace_provision_test.go

@@ -1616,28 +1616,3 @@ func (*mockResolver) Scheme() string { return "" }
 func (m *mockResolver) Fetch(_ context.Context, _, _ string) (string, error) {
 	return m.fetchName, m.fetchErr
 }
-
-// TestRuntimeUsesAnthropicNativeProxy_CaseAndWhitespace proves the
-// strings.EqualFold hardening: the runtime check now matches "claude-code"
-// case-insensitively (and after trimming whitespace) instead of relying on
-// a lowercased exact compare.
-func TestRuntimeUsesAnthropicNativeProxy_CaseAndWhitespace(t *testing.T) {
-	cases := []struct {
-		runtime string
-		want    bool
-	}{
-		{"claude-code", true},
-		{"Claude-Code", true},
-		{"CLAUDE-CODE", true},
-		{"  claude-code  ", true},
-		{"\tClaude-Code\n", true},
-		{"claude-code-x", false},
-		{"codex", false},
-		{"", false},
-	}
-	for _, c := range cases {
-		if got := runtimeUsesAnthropicNativeProxy(c.runtime); got != c.want {
-			t.Errorf("runtimeUsesAnthropicNativeProxy(%q) = %v, want %v", c.runtime, got, c.want)
-		}
-	}
-}

workspace-server/internal/registry/access.go

@@ -94,15 +94,13 @@ func CanCommunicate(callerID, targetID string) bool {
 		return false
 	}
 
-	// Siblings — same parent (including root-level where both have no parent)
+	// Siblings — same parent (excluding root-level; each org has exactly one
+	// root workspace, so two distinct root-level workspaces are in different
+	// orgs and must not communicate cross-tenant).
 	if caller.ParentID != nil && target.ParentID != nil &&
 		*caller.ParentID == *target.ParentID {
 		return true
 	}
-	// Root-level siblings — both have no parent
-	if caller.ParentID == nil && target.ParentID == nil {
-		return true
-	}
 
 	// Direct parent → child (fast path; avoids the ancestor walk)
 	if target.ParentID != nil && caller.ID == *target.ParentID {

workspace-server/internal/registry/access_test.go

@@ -63,14 +63,16 @@ func TestCanCommunicate_Siblings(t *testing.T) {
 	}
 }
 
-func TestCanCommunicate_RootSiblings(t *testing.T) {
+func TestCanCommunicate_Denied_RootCrossTenant(t *testing.T) {
 	mock := setupMockDB(t)
-	// Both at root level (no parent)
+	// Both at root level (no parent) but in different orgs.
+	// parent_id = NULL means org root; each org has exactly one root,
+	// so two distinct root workspaces must NOT communicate.
 	expectLookup(mock, "ws-a", nil)
 	expectLookup(mock, "ws-b", nil)
 
-	if !CanCommunicate("ws-a", "ws-b") {
-		t.Error("root-level siblings should communicate")
+	if CanCommunicate("ws-a", "ws-b") {
+		t.Error("distinct root-level workspaces should NOT communicate cross-tenant")
 	}
 }