fix(github-token): add HTTP client timeout to prevent indefinite blocking

http.DefaultClient has no timeout, so a slow/unresponsive GitHub API could block the handler goroutine forever. Use an http.Client with a 30-second timeout in generateAppInstallationToken. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
fix(migrations): renumber workspace_compute to avoid collision with main
2026-05-23 05:08:29 +00:00 · 2026-05-23 04:53:14 +00:00 · 2026-05-23 04:11:01 +00:00 · 2026-05-23 04:04:18 +00:00 · 2026-05-23 01:05:10 +00:00 · 2026-05-23 00:33:15 +00:00
304 changed files with 4171 additions and 71231 deletions
@@ -0,0 +1,174 @@
+#!/usr/bin/env python3
+"""Shared path-filter helper for Gitea Actions workflows.
+
+Computes changed files against the PR base SHA or push-before SHA and writes
+boolean outputs to GITHUB_OUTPUT. If the diff base is missing or untrusted, the
+helper fails open by setting every output in the selected profile to true.
+"""
+
+from __future__ import annotations
+
+import argparse
+import os
+import re
+import subprocess
+import sys
+from pathlib import Path
+
+
+PROFILES: dict[str, dict[str, str]] = {
+    "ci": {
+        "platform": r"^workspace-server/",
+        "canvas": r"^canvas/",
+        "python": r"^workspace/",
+        "scripts": r"^tests/e2e/|^scripts/|^infra/scripts/",
+    },
+    "handlers-postgres": {
+        "handlers": (
+            r"^workspace-server/internal/handlers/"
+            r"|^workspace-server/internal/wsauth/"
+            r"|^workspace-server/migrations/"
+            r"|^\.gitea/workflows/handlers-postgres-integration\.yml$"
+        ),
+    },
+    "e2e-api": {
+        "api": r"^workspace-server/|^tests/e2e/|^\.gitea/workflows/e2e-api\.yml$",
+    },
+}
+
+
+def classify(profile: str, paths: list[str]) -> dict[str, bool]:
+    patterns = PROFILES[profile]
+    return {
+        name: any(re.search(pattern, path) for path in paths)
+        for name, pattern in patterns.items()
+    }
+
+
+def all_true(profile: str) -> dict[str, bool]:
+    return {name: True for name in PROFILES[profile]}
+
+
+def resolve_base(event_name: str, pr_base_sha: str, push_before: str) -> str:
+    if event_name == "pull_request" and pr_base_sha:
+        return pr_base_sha
+    return push_before
+
+
+def is_zero_sha(value: str) -> bool:
+    return not value or bool(re.fullmatch(r"0+", value))
+
+
+def run_git(args: list[str], *, timeout: int = 30) -> subprocess.CompletedProcess[str]:
+    return subprocess.run(
+        ["git", *args],
+        check=False,
+        text=True,
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE,
+        timeout=timeout,
+    )
+
+
+def base_exists(base: str) -> bool:
+    return run_git(["cat-file", "-e", base]).returncode == 0
+
+
+def fetch_base(base: str, base_ref: str) -> None:
+    # Gitea may reject fetching an arbitrary unadvertised SHA from a shallow
+    # PR checkout. Fetch the advertised base branch first, then fall back to
+    # the SHA for hosts that allow it.
+    if base_ref:
+        run_git(["fetch", "--depth=1", "origin", base_ref])
+    if not base_exists(base):
+        run_git(["fetch", "--depth=1", "origin", base])
+
+
+def deepen_base_ref(base_ref: str) -> None:
+    if base_ref:
+        run_git(["fetch", "--deepen=200", "origin", base_ref], timeout=60)
+
+
+def merge_base(base: str) -> str | None:
+    proc = run_git(["merge-base", base, "HEAD"])
+    if proc.returncode != 0:
+        return None
+    value = proc.stdout.strip()
+    return value or None
+
+
+def changed_paths(base: str, *, use_merge_base: bool) -> list[str] | None:
+    compare_base = base
+    if use_merge_base:
+        compare_base = merge_base(base) or ""
+        if not compare_base:
+            return None
+
+    proc = run_git(["diff", "--name-only", compare_base, "HEAD"])
+    if proc.returncode != 0:
+        return None
+    return [line for line in proc.stdout.splitlines() if line]
+
+
+def write_outputs(values: dict[str, bool], output_path: str | None) -> None:
+    lines = [f"{name}={'true' if value else 'false'}" for name, value in values.items()]
+    if output_path:
+        with Path(output_path).open("a", encoding="utf-8") as fh:
+            for line in lines:
+                fh.write(line + "\n")
+    else:
+        for line in lines:
+            print(line)
+
+
+def detect(
+    profile: str,
+    event_name: str,
+    pr_base_sha: str,
+    push_before: str,
+    base_ref: str = "",
+) -> dict[str, bool]:
+    base = resolve_base(event_name, pr_base_sha, push_before)
+    if is_zero_sha(base):
+        return all_true(profile)
+
+    if not base_exists(base):
+        fetch_base(base, base_ref)
+    if not base_exists(base):
+        return all_true(profile)
+
+    use_merge_base = event_name == "pull_request"
+    if use_merge_base and base_ref and merge_base(base) is None:
+        deepen_base_ref(base_ref)
+
+    paths = changed_paths(base, use_merge_base=use_merge_base)
+    if paths is None:
+        return all_true(profile)
+    return classify(profile, paths)
+
+
+def parse_args(argv: list[str]) -> argparse.Namespace:
+    parser = argparse.ArgumentParser(description=__doc__)
+    parser.add_argument("--profile", required=True, choices=sorted(PROFILES))
+    parser.add_argument("--event-name", default=os.environ.get("GITHUB_EVENT_NAME", ""))
+    parser.add_argument("--pr-base-sha", default="")
+    parser.add_argument("--base-ref", default="")
+    parser.add_argument("--push-before", default=os.environ.get("GITHUB_EVENT_BEFORE", ""))
+    return parser.parse_args(argv)
+
+
+def main(argv: list[str]) -> int:
+    args = parse_args(argv)
+    values = detect(
+        args.profile,
+        args.event_name,
+        args.pr_base_sha,
+        args.push_before,
+        args.base_ref,
+    )
+    write_outputs(values, os.environ.get("GITHUB_OUTPUT"))
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main(sys.argv[1:]))
@@ -61,6 +61,7 @@ import os
 import shutil
 import subprocess
 import sys
+import time
 import urllib.error
 import urllib.parse
 import urllib.request
@@ -89,6 +90,19 @@ API = f"https://{GITEA_HOST}/api/v1" if GITEA_HOST else ""
 # match by exact title without parsing.
 TITLE_PREFIX = "[main-red]"

+# Settling window (seconds) between initial red detection and the
+# pre-file recheck. The recheck filters out the two largest false-
+# positive classes seen in mc#1597..1630 (task #394, 2026-05-21):
+#   1. HEAD moved on (a new commit landed mid-tick) — the prior red SHA
+#      is no longer authoritative; let the next cron tick re-evaluate.
+#   2. Combined status recovered on the SAME SHA (transient
+#      cancel-cascade rolled forward to success on retry).
+# 90s is well below the hourly cron cadence; a real failure that
+# persists past it is the one we want surfaced.
+# Override with WATCHDOG_RECHECK_DELAY_SECS for tests / local probes
+# (the test suite stubs time.sleep to a no-op).
+RECHECK_DELAY_SECS = int(_env("WATCHDOG_RECHECK_DELAY_SECS", default="90"))
+

 def _require_runtime_env() -> None:
    """Enforce env contract — called from `main()` only.
@@ -172,6 +186,49 @@ def api(
        return status, {"_raw": raw.decode("utf-8", errors="replace")}


+# --------------------------------------------------------------------------
+# action_run.status resolver — extensibility hook for task #394.
+# --------------------------------------------------------------------------
+def _resolve_action_run_status(target_url: str) -> int | None:
+    """Resolve the underlying Gitea `action_run.status` integer for the
+    run referenced by `target_url`, returning None if the resolver
+    cannot reach an authoritative source from the runner.
+
+    Canonical Gitea 1.22.6 enum (per `models/actions/status.go` +
+    `reference_gitea_action_status_enum_corrected_2026_05_19`):
+        1=Success, 2=Failure, 3=Cancelled, 4=Skipped,
+        5=Waiting,  6=Running, 7=Blocked
+    Only `status == 2` is a real defect; status=3 is cancel-cascade and
+    status=1 is an emission artifact (Gitea wrote a 'failure' commit_status
+    row for a run that actually succeeded — observed empirically on
+    `publish-canvas-image` jobs at SHAs in mc#1597..1630).
+
+    CURRENT STATE (2026-05-20, verified): Gitea 1.22.6 exposes NO REST
+    endpoint for `action_run.status`. Probed:
+        /api/v1/repos/{o}/{r}/actions/runs/{id}   → HTTP 404
+        /api/v1/repos/{o}/{r}/actions/jobs/{id}   → HTTP 404
+        /api/v1/repos/{o}/{r}/actions/tasks/{id}  → HTTP 404
+        /swagger.v1.json paths containing 'actions' → secrets+variables+runners only
+    The SPA backend (`/{repo}/actions/runs/{id}/jobs/{idx}` POST) requires
+    a session CSRF token, unreachable from a runner. The only authoritative
+    source today is direct DB access (`mol_action_status` on op-host,
+    `docker exec molecule-postgres-1 psql ...`), which the runner cannot
+    reach.
+
+    Therefore: this hook returns None on every call. Callers MUST fall
+    back to the description-string filter (existing) plus the HEAD
+    recheck (this PR). When a future Gitea release (>=1.23 expected) or
+    an op-host proxy exposes the endpoint, replace the body of this
+    function with an `api(...)` call — the caller contract is stable.
+
+    See also:
+        - `reference_chronic_red_sweep_cancelled_vs_failed_filter`
+        - `feedback_gitea_status_enum_use_helper_not_raw_int`
+    """
+    _ = target_url  # noqa: F841 — intentional placeholder
+    return None
+
+
 # --------------------------------------------------------------------------
 # Gitea reads
 # --------------------------------------------------------------------------
@@ -614,6 +671,56 @@ def run_once(*, dry_run: bool = False) -> int:
    }

    if red:
+        # HEAD recheck (task #394 — guards mc#1597..1630 false-positive
+        # cluster). After the initial detection, wait RECHECK_DELAY_SECS
+        # (default 90s; tests stub time.sleep) and re-evaluate:
+        #
+        #   1. Re-fetch HEAD SHA. If HEAD moved, a new commit landed
+        #      mid-tick — the prior red SHA is no longer authoritative
+        #      and the next cron run will re-evaluate against the new
+        #      HEAD. Skip-file.
+        #
+        #   2. If HEAD unchanged, re-fetch the combined status. If it
+        #      recovered (combined state no longer in {failure,error}
+        #      after the cancel-cascade filter), a transient retry
+        #      rolled the run forward. Skip-file.
+        #
+        # Both paths emit a Loki event distinguishable from the real
+        # `main_red_detected` so obs queries can track filter activity.
+        # The settling window is well below the hourly cron cadence —
+        # genuine failures persist past it and are surfaced normally.
+        time.sleep(RECHECK_DELAY_SECS)
+
+        recheck_sha = get_head_sha(WATCH_BRANCH)
+        if recheck_sha != sha:
+            emit_loki_event("main_red_skipped_head_drift", sha, [])
+            print(
+                f"::notice::skip-file (HEAD moved): initial red at "
+                f"{sha[:10]} but HEAD is now {recheck_sha[:10]} on "
+                f"{WATCH_BRANCH}; next cron tick will re-evaluate."
+            )
+            return 0
+
+        recheck_status = get_combined_status(sha)
+        recheck_red, recheck_failed = is_red(recheck_status)
+        if not recheck_red:
+            emit_loki_event("main_red_skipped_recovered", sha, [])
+            print(
+                f"::notice::skip-file (recovered after settling): "
+                f"combined state at {sha[:10]} flipped to "
+                f"{recheck_status.get('state')!r} on recheck; "
+                f"initial red was a transient cancel-cascade."
+            )
+            return 0
+
+        # Still red after settling — file/update. Use the recheck data
+        # as authoritative so the issue body reflects the latest state.
+        failed = recheck_failed
+        debug["recheck_combined_state"] = recheck_status.get("state")
+        debug["recheck_failed_contexts"] = [
+            s.get("context") for s in failed
+        ]
+
        failed_ctxs = [s.get("context") for s in failed if s.get("context")]
        emit_loki_event("main_red_detected", sha, failed_ctxs)
        print(f"::warning::main is RED at {sha[:10]} on {WATCH_BRANCH}: "
@@ -104,10 +104,13 @@ if [ "${SOP_REFIRE_DISABLE_RATE_LIMIT:-}" != "1" ]; then
  fi
 fi

-# 3. Invoke sop-tier-check.sh with the env it expects. Capture exit code.
-# The canonical script reads tier label, walks approving reviewers, and
-# evaluates the AND-composition expression — we want the SAME gate, not
-# a different gate.
+# 3. Invoke sop-tier-check.sh with the env it expects.
+# The canonical workflow intentionally fail-opens the job conclusion
+# (`bash .gitea/scripts/sop-tier-check.sh || true`) while Gitea branch
+# protection enforces reviewer approvals separately. Keep the refire path
+# aligned with that workflow status behavior; otherwise /refire-tier-check can
+# post a hard failure that the canonical pull_request_target workflow would
+# not publish.
 #
 # SOP_REFIRE_TIER_CHECK_SCRIPT env var lets tests substitute a mock —
 # sop-tier-check.sh uses bash 4+ associative arrays which trigger a known
@@ -123,7 +126,6 @@ fi

 # Re-invoke. Pipe stdout/stderr through so the runner log shows the
 # tier-check decision inline.
-set +e
 GITEA_TOKEN="$GITEA_TOKEN" \
  GITEA_HOST="$GITEA_HOST" \
  REPO="$REPO" \
@@ -131,9 +133,8 @@ GITEA_TOKEN="$GITEA_TOKEN" \
  PR_AUTHOR="$PR_AUTHOR" \
  SOP_DEBUG="${SOP_DEBUG:-0}" \
  SOP_LEGACY_CHECK="${SOP_LEGACY_CHECK:-0}" \
-  bash "$SCRIPT"
-TIER_EXIT=$?
-set -e
+  bash "$SCRIPT" || true
+TIER_EXIT=0
 debug "sop-tier-check.sh exit=$TIER_EXIT"

 # 4. POST the resulting status.
@@ -47,7 +47,9 @@ What this script does, per `.gitea/workflows/status-reaper.yml` invocation:
         Parse context as `<workflow_name> / <job_name> (push)`.
         Look up workflow_name in the trigger map:
           - missing → log ::notice:: and skip (conservative).
-           - has_push_trigger=True → preserve (real defect signal).
+           - has_push_trigger=True and description == "Has been cancelled"
+             → compensate cancelled/superseded push noise.
+           - has_push_trigger=True otherwise → preserve (real defect signal).
           - has_push_trigger=False → POST a compensating
             `state=success` status to /statuses/{sha} with the same
             context (Gitea de-dups by context) and a description
@@ -141,6 +143,11 @@ PR_SHADOW_COMPENSATION_DESCRIPTION = (
    "shadowed by successful push status on same SHA; see "
    ".gitea/scripts/status-reaper.py)"
 )
+CANCELLED_PUSH_COMPENSATION_DESCRIPTION = (
+    "Compensated by status-reaper (push run was cancelled/superseded; "
+    "Gitea 1.22.6 reports cancelled runs as failure statuses)"
+)
+CANCELLED_DESCRIPTION = "Has been cancelled"

 # Context suffix the reaper acts on. Gitea hardcodes this for ALL
 # default-branch workflow runs.
@@ -476,7 +483,7 @@ def reap(
      {compensated, preserved_real_push, preserved_unknown,
       preserved_non_failure, preserved_non_push_suffix,
       preserved_unparseable, compensated_pr_shadowed_by_push_success,
-       preserved_pr_without_push_success,
+       preserved_pr_without_push_success, compensated_cancelled_push,
       compensated_contexts: [<context>, ...]}

    `compensated_contexts` is rev2-added so `reap_branch` can build
@@ -490,6 +497,7 @@ def reap(
        "preserved_non_push_suffix": 0,
        "preserved_unparseable": 0,
        "compensated_pr_shadowed_by_push_success": 0,
+        "compensated_cancelled_push": 0,
        "preserved_pr_without_push_success": 0,
        "compensated_contexts": [],
    }
@@ -567,8 +575,27 @@ def reap(
            counters["preserved_unknown"] += 1
            continue

+        if (s.get("description") or "").strip() == CANCELLED_DESCRIPTION:
+            # Gitea 1.22.6 maps cancelled action runs to failure commit
+            # statuses. During merge bursts, older push runs can be
+            # superseded and cancelled even though a newer run for the
+            # same branch is the real signal. Compensate only the exact
+            # Gitea cancellation description; real push failures remain red.
+            post_compensating_status(
+                sha,
+                context,
+                s.get("target_url"),
+                description=CANCELLED_PUSH_COMPENSATION_DESCRIPTION,
+                dry_run=dry_run,
+            )
+            counters["compensated"] += 1
+            counters["compensated_cancelled_push"] += 1
+            counters["compensated_contexts"].append(context)
+            continue
+
        if workflow_trigger_map[workflow_name]:
-            # Real push trigger → real defect signal. Preserve.
+            # Real push trigger with a non-cancelled failure description
+            # remains a defect signal. Preserve.
            counters["preserved_real_push"] += 1
            continue

@@ -674,6 +701,7 @@ def reap_branch(
            "preserved_non_push_suffix": 0,
            "preserved_unparseable": 0,
            "compensated_pr_shadowed_by_push_success": 0,
+            "compensated_cancelled_push": 0,
            "preserved_pr_without_push_success": 0,
            "compensated_per_sha": {},
            "skipped": True,
@@ -689,6 +717,7 @@ def reap_branch(
        "preserved_non_push_suffix": 0,
        "preserved_unparseable": 0,
        "compensated_pr_shadowed_by_push_success": 0,
+        "compensated_cancelled_push": 0,
        "preserved_pr_without_push_success": 0,
        "compensated_per_sha": {},
    }
@@ -728,6 +757,7 @@ def reap_branch(
            "preserved_non_push_suffix",
            "preserved_unparseable",
            "compensated_pr_shadowed_by_push_success",
+            "compensated_cancelled_push",
            "preserved_pr_without_push_success",
        ):
            aggregate[key] += per_sha[key]
@@ -6,9 +6,10 @@
 #   T1: PR open + APPROVED via tier:low → script invokes sop-tier-check
 #       and POSTs status=success.
 #   T2: PR open + missing tier label → sop-tier-check exits non-zero;
-#       refire POSTs status=failure (description mentions failure).
+#       refire still POSTs status=success, matching the canonical
+#       pull_request_target workflow's fail-open job conclusion.
 #   T3: PR open + tier:low but NO approving reviews → sop-tier-check
-#       exits non-zero; refire POSTs status=failure.
+#       exits non-zero; refire still POSTs status=success for the same reason.
 #   T4: PR CLOSED → refire exits 0 with no status POST (no-op on closed).
 #   T5: Rate-limit — recent status update within 30s → refire skips,
 #       no new POST.
@@ -32,7 +33,7 @@ THIS_DIR="$(cd "$(dirname "$0")" && pwd)"
 SCRIPT_DIR="$(cd "$THIS_DIR/.." && pwd)"
 WORKFLOW_DIR="$(cd "$THIS_DIR/../../workflows" && pwd)"
 WORKFLOW="$WORKFLOW_DIR/sop-tier-refire.yml"
-DISPATCH_WORKFLOW="$WORKFLOW_DIR/review-refire-comments.yml"
+DISPATCH_WORKFLOW="$WORKFLOW_DIR/sop-checklist.yml"
 SCRIPT="$SCRIPT_DIR/sop-tier-refire.sh"

 PASS=0
@@ -88,7 +89,7 @@ assert_file_exists() {
 echo
 echo "== existence =="
 assert_file_exists "workflow file exists"  "$WORKFLOW"
-assert_file_exists "dispatcher workflow file exists" "$DISPATCH_WORKFLOW"
+assert_file_exists "SSOT dispatcher workflow file exists" "$DISPATCH_WORKFLOW"
 assert_file_exists "script file exists"    "$SCRIPT"
 if [ "$FAIL" -gt 0 ]; then
  echo
@@ -133,15 +134,15 @@ else
 fi

 DISPATCH_PARSE_OUT=$(python3 -c 'import sys,yaml;yaml.safe_load(open(sys.argv[1]).read());print("ok")' "$DISPATCH_WORKFLOW" 2>&1 || true)
-assert_eq "T6e dispatcher workflow parses as YAML" "ok" "$DISPATCH_PARSE_OUT"
+assert_eq "T6e SSOT dispatcher workflow parses as YAML" "ok" "$DISPATCH_PARSE_OUT"
 DISPATCH_CONTENT=$(cat "$DISPATCH_WORKFLOW")
-assert_contains "T6f dispatcher listens on issue_comment" \
+assert_contains "T6f SSOT dispatcher listens on issue_comment" \
  "issue_comment" "$DISPATCH_CONTENT"
-assert_contains "T6g dispatcher handles /qa-recheck" \
+assert_contains "T6g SSOT dispatcher handles /qa-recheck" \
  "/qa-recheck" "$DISPATCH_CONTENT"
-assert_contains "T6h dispatcher handles /security-recheck" \
+assert_contains "T6h SSOT dispatcher handles /security-recheck" \
  "/security-recheck" "$DISPATCH_CONTENT"
-assert_contains "T6i dispatcher handles /refire-tier-check" \
+assert_contains "T6i SSOT dispatcher handles /refire-tier-check" \
  "/refire-tier-check" "$DISPATCH_CONTENT"

 # T1-T5 — script behavior against a local Gitea-fixture
@@ -245,34 +246,21 @@ assert_contains "T1 POST context is sop-tier-check / tier-check" \
  '"context": "sop-tier-check / tier-check (pull_request)"' "$POSTED"
 assert_contains "T1 description names commenter" "test-runner" "$POSTED"

-# T2: missing tier label → tier-check fails → failure status POSTed
+# T2: missing tier label → tier-check fails internally, but refire status
+# matches the canonical workflow's fail-open job conclusion.
 run_scenario "T2_no_tier_label" "fail_no_label"
 RC=$(cat "$FIX_STATE_DIR/last_rc")
 POSTED=$(cat "$FIX_STATE_DIR/posted_statuses.jsonl" 2>/dev/null || true)
-# tier-check.sh exits 1; refire script forwards that exit, so RC != 0
-if [ "$RC" -ne 0 ]; then
-  echo "  PASS  T2 exit code non-zero (got $RC)"
-  PASS=$((PASS + 1))
-else
-  echo "  FAIL  T2 exit code should be non-zero, got 0"
-  FAIL=$((FAIL + 1))
-  FAILED_TESTS="${FAILED_TESTS} T2_rc"
-fi
-assert_contains "T2 POSTed state=failure" '"state": "failure"' "$POSTED"
+assert_eq "T2 exit code 0 (canonical fail-open)" "0" "$RC"
+assert_contains "T2 POSTed state=success" '"state": "success"' "$POSTED"

-# T3: tier:low present but ZERO approving reviews → failure
+# T3: tier:low present but ZERO approving reviews → internal tier check fails,
+# refire status remains aligned with the canonical workflow.
 run_scenario "T3_no_approvals" "fail_no_approvals"
 RC=$(cat "$FIX_STATE_DIR/last_rc")
 POSTED=$(cat "$FIX_STATE_DIR/posted_statuses.jsonl" 2>/dev/null || true)
-if [ "$RC" -ne 0 ]; then
-  echo "  PASS  T3 exit code non-zero (got $RC)"
-  PASS=$((PASS + 1))
-else
-  echo "  FAIL  T3 exit code should be non-zero, got 0"
-  FAIL=$((FAIL + 1))
-  FAILED_TESTS="${FAILED_TESTS} T3_rc"
-fi
-assert_contains "T3 POSTed state=failure" '"state": "failure"' "$POSTED"
+assert_eq "T3 exit code 0 (canonical fail-open)" "0" "$RC"
+assert_contains "T3 POSTed state=success" '"state": "success"' "$POSTED"

 # T4: closed PR — refire is a no-op (no POST, exit 0)
 run_scenario "T4_closed" "pass"
@@ -1,60 +0,0 @@
-name: cascade-list-drift-gate
-
-# Ported from .github/workflows/cascade-list-drift-gate.yml on 2026-05-11
-# per RFC internal#219 §1 sweep.
-#
-# Differences from the GitHub version:
-#   - on.paths reference .gitea/workflows/publish-runtime.yml (the active
-#     Gitea workflow file) instead of .github/workflows/publish-runtime.yml
-#     (which Category A of this sweep deletes).
-#   - Explicit `WORKFLOW=` arg passed to the drift script so it audits the
-#     .gitea/ workflow (the script's default is still .github/... which
-#     will not exist post-Cat-A).
-#   - Workflow-level env.GITHUB_SERVER_URL set per
-#     feedback_act_runner_github_server_url.
-#   - `continue-on-error: true` on the job (RFC §1 contract — surface
-#     defects without blocking; follow-up PR flips after triage).
-#
-# Structural gate: TEMPLATES list in publish-runtime.yml must match
-# manifest.json's workspace_templates exactly. Closes the recurrence
-# path of PR #2556 (the data fix) and is the first concrete deliverable
-# of RFC #388 PR-3.
-#
-# Triggers narrowly to keep CI quiet: only on PRs that actually change
-# one of the two files. The path-filtered split + always-emit-result
-# pattern (memory: "Required check names need a job that always runs")
-# is unnecessary here because the workflow IS the check name and PR
-# branch protection should require it directly. Future-proof: if this
-# becomes a required check, add a no-op aggregator with always() so the
-# name still emits when paths don't match.
-
-on:
-  pull_request:
-    branches: [staging, main]
-    paths:
-      - manifest.json
-      - .gitea/workflows/publish-runtime.yml
-      - scripts/check-cascade-list-vs-manifest.sh
-
-env:
-  GITHUB_SERVER_URL: https://git.moleculesai.app
-
-permissions:
-  contents: read
-
-jobs:
-  # bp-exempt: drift visibility gate; CI / all-required remains the required aggregate.
-  check:
-    runs-on: ubuntu-latest
-    # Phase 3 (RFC #219 §1): surface broken workflows without blocking
-    # the PR. Follow-up PR flips this off after surfaced defects are
-    # triaged.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
-    continue-on-error: true
-    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-      - name: Check cascade list matches manifest
-        # Pass the .gitea/ workflow path explicitly — the script's
-        # default still points at .github/... which Category A of this
-        # sweep removes.
-        run: bash scripts/check-cascade-list-vs-manifest.sh manifest.json .gitea/workflows/publish-runtime.yml
@@ -1,225 +0,0 @@
-name: MCP Stdio Transport Regression
-
-# Regression test for molecule-ai-workspace-runtime#61:
-# asyncio.connect_read_pipe / connect_write_pipe fail with
-# ValueError: "Pipe transport is only for pipes, sockets and character devices"
-# when stdout is a regular file (openclaw capture, CI tee, debugging).
-#
-# This workflow reproduces the exact failure mode and verifies the
-# fallback to direct buffer I/O works. It runs on every PR that
-# touches the MCP server or this workflow, plus nightly cron.
-#
-# Why a separate workflow (not folded into ci.yml python-lint):
-#   - The test needs to spawn the MCP server with stdout redirected
-#     to a regular file (not a TTY/pipe), which conflicts with
-#     pytest's own capture mechanism.
-#   - It exercises the actual process spawn path (python a2a_mcp_server.py)
-#     not just unit-test mocks — closer to the real openclaw integration.
-#   - A dedicated workflow surfaces stdio-specific regressions without
-#     coupling to the broader Python test suite's coverage gate.
-
-on:
-  pull_request:
-    branches: [main, staging]
-    paths:
-      - 'workspace/a2a_mcp_server.py'
-      - 'workspace/mcp_cli.py'
-      - 'workspace/tests/test_a2a_mcp_server.py'
-      - '.gitea/workflows/ci-mcp-stdio-transport.yml'
-  push:
-    branches: [main, staging]
-    paths:
-      - 'workspace/a2a_mcp_server.py'
-      - 'workspace/mcp_cli.py'
-      - 'workspace/tests/test_a2a_mcp_server.py'
-      - '.gitea/workflows/ci-mcp-stdio-transport.yml'
-  schedule:
-    # Nightly at 04:00 UTC — catches drift from dependency updates
-    # (e.g. asyncio behavior changes in new Python patch releases).
-    - cron: '0 4 * * *'
-
-concurrency:
-  group: mcp-stdio-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  GITHUB_SERVER_URL: https://git.moleculesai.app
-
-jobs:
-  # bp-exempt: regression canary for runtime#61; not a merge gate — informational only until promoted to required.
-  # mc#774: continue-on-error mask — new workflow, flip to false once it's green on ≥3 consecutive main runs.
-  mcp-stdio-regular-file:
-    name: MCP stdio with regular-file stdout
-    runs-on: ubuntu-latest
-    continue-on-error: true  # mc#774
-    timeout-minutes: 5
-    env:
-      WORKSPACE_ID: "00000000-0000-0000-0000-000000000001"
-    defaults:
-      run:
-        working-directory: workspace
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: '3.11'
-          cache: pip
-          cache-dependency-path: workspace/requirements.txt
-      - run: pip install -r requirements.txt pytest pytest-asyncio pytest-cov
-
-      - name: Reproduce runtime#61 — stdout as regular file
-        run: |
-          set -euo pipefail
-          echo "=== Reproducing molecule-ai-workspace-runtime#61 ==="
-          echo ""
-          echo "Before the fix, this command would fail with:"
-          echo '  ValueError: Pipe transport is only for pipes, sockets and character devices'
-          echo ""
-
-          # Spawn the MCP server with stdout redirected to a regular file.
-          # This is exactly what openclaw does when capturing MCP output.
-          OUTPUT=$(mktemp)
-          trap 'rm -f "$OUTPUT"' EXIT
-
-          # Send initialize request, then tools/list, then exit
-          {
-            echo '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{}}'
-            echo '{"jsonrpc":"2.0","id":2,"method":"tools/list"}'
-          } | python a2a_mcp_server.py > "$OUTPUT" 2>&1 || {
-            RC=$?
-            echo "FAIL: MCP server exited with code $RC"
-            echo "--- stdout+stderr ---"
-            cat "$OUTPUT"
-            exit 1
-          }
-
-          echo "PASS: MCP server handled regular-file stdout without crashing"
-          echo ""
-          echo "--- Output (first 20 lines) ---"
-          head -20 "$OUTPUT"
-          echo ""
-
-          # Verify we got valid JSON-RPC responses
-          if grep -q '"result"' "$OUTPUT"; then
-            echo "PASS: JSON-RPC responses found in output"
-          else
-            echo "FAIL: No JSON-RPC responses in output"
-            cat "$OUTPUT"
-            exit 1
-          fi
-
-      - name: Reproduce runtime#61 — stdin from regular file
-        run: |
-          set -euo pipefail
-          echo "=== stdin as regular file (CI tee / capture pattern) ==="
-
-          INPUT=$(mktemp)
-          OUTPUT=$(mktemp)
-          trap 'rm -f "$INPUT" "$OUTPUT"' EXIT
-
-          cat > "$INPUT" <<'EOF'
-          {"jsonrpc":"2.0","id":1,"method":"initialize","params":{}}
-          {"jsonrpc":"2.0","id":2,"method":"tools/list"}
-          EOF
-
-          python a2a_mcp_server.py < "$INPUT" > "$OUTPUT" 2>&1 || {
-            RC=$?
-            echo "FAIL: MCP server exited with code $RC"
-            cat "$OUTPUT"
-            exit 1
-          }
-
-          echo "PASS: MCP server handled regular-file stdin without crashing"
-
-          if grep -q '"result"' "$OUTPUT"; then
-            echo "PASS: JSON-RPC responses found in output"
-          else
-            echo "FAIL: No JSON-RPC responses in output"
-            cat "$OUTPUT"
-            exit 1
-          fi
-
-      - name: Verify warning is emitted for non-pipe stdio
-        run: |
-          set -euo pipefail
-          echo "=== Verify diagnostic warning ==="
-
-          OUTPUT=$(mktemp)
-          trap 'rm -f "$OUTPUT"' EXIT
-
-          {
-            echo '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{}}'
-          } | python a2a_mcp_server.py > "$OUTPUT" 2>&1
-
-          # The warning should mention "not a pipe" for operator visibility
-          if grep -qi "not a pipe" "$OUTPUT"; then
-            echo "PASS: Diagnostic warning emitted for non-pipe stdio"
-          else
-            echo "NOTE: No warning in output (may be suppressed by log level)"
-          fi
-
-      - name: Reproduce openclaw failure — pipe held OPEN, no EOF
-        run: |
-          set -euo pipefail
-          echo "=== keep-stdin-open pipe (the real openclaw / Claude Code case) ==="
-          echo ""
-          echo "Before the readline() fix this HANGS: main() did"
-          echo "  stdin.read(65536)  -> on a pipe, blocks until 64KB OR EOF."
-          echo "An MCP client sends one ~150B initialize and keeps stdin"
-          echo "open waiting for the response, so the server never parsed"
-          echo "the request and the client timed out (openclaw: 'MCP error"
-          echo "-32000: Connection closed'). The earlier regular-file /"
-          echo "heredoc-pipe steps PASSED through this bug because a file"
-          echo "(or a closing heredoc) yields EOF immediately."
-          echo ""
-
-          # Drive the server through a real pipe that stays OPEN: write
-          # one initialize, do NOT close stdin, and require a response
-          # within a hard timeout. read(65536) -> no output -> timeout
-          # kills it -> FAIL. readline() -> immediate response -> PASS.
-          python - <<'PYEOF'
-          import json, subprocess, sys, time, select
-
-          proc = subprocess.Popen(
-              [sys.executable, "a2a_mcp_server.py"],
-              stdin=subprocess.PIPE, stdout=subprocess.PIPE,
-              stderr=subprocess.STDOUT,
-              env={**__import__("os").environ},
-          )
-          req = json.dumps({
-              "jsonrpc": "2.0", "id": 1, "method": "initialize",
-              "params": {"protocolVersion": "2024-11-05",
-                         "capabilities": {},
-                         "clientInfo": {"name": "keepopen", "version": "1"}},
-          }) + "\n"
-          proc.stdin.write(req.encode())
-          proc.stdin.flush()
-          # Deliberately DO NOT close proc.stdin — mirror a live MCP client.
-
-          deadline = time.time() + 15
-          line = b""
-          while time.time() < deadline:
-              r, _, _ = select.select([proc.stdout], [], [], 1)
-              if r:
-                  line = proc.stdout.readline()
-                  if line:
-                      break
-          proc.kill()
-
-          if not line:
-              print("FAIL: no response within 15s on an open pipe — "
-                    "stdin.read(65536) regression is back")
-              sys.exit(1)
-          resp = json.loads(line.decode())
-          assert resp.get("id") == 1 and "result" in resp, \
-              f"unexpected response: {line[:200]!r}"
-          assert resp["result"]["serverInfo"]["name"] == "molecule", \
-              f"wrong serverInfo: {line[:200]!r}"
-          print("PASS: server answered initialize on a still-open pipe")
-          PYEOF
-
-      - name: Run unit tests for stdio transport
-        run: |
-          set -euo pipefail
-          echo "=== Running stdio transport unit tests ==="
-          python -m pytest tests/test_a2a_mcp_server.py::TestStdioPipeAssertion tests/test_a2a_mcp_server.py::TestStdioKeepOpenPipe -v --no-cov
@@ -86,53 +86,25 @@ jobs:
        with:
          fetch-depth: 0
      - id: check
+        env:
+          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
+          PUSH_BEFORE: ${{ github.event.before }}
        run: |
-          # For PR events: diff against the base branch (not HEAD~1 of the branch,
-          # which may be unrelated after force-pushes). When a push updates a PR,
-          # both pull_request and push events fire — prefer the PR base so that
-          # the diff is always computed against the actual merge base, not the
-          # previous SHA on the branch which may be on a different history line.
-          BASE="${GITHUB_BASE_REF:-${{ github.event.before }}}"
-          # GITHUB_BASE_REF is set for PR events (the base branch name).
-          # For pull_request events we use the stored base.sha; for push events
-          # (or when base.sha is unavailable) fall back to github.event.before.
-          if [ "${{ github.event_name }}" = "pull_request" ] && [ -n "${{ github.event.pull_request.base.sha }}" ]; then
-            BASE="${{ github.event.pull_request.base.sha }}"
-          fi
-          # Fallback: if BASE is empty or all zeros (new branch), run everything
-          if [ -z "$BASE" ] || echo "$BASE" | grep -qE '^0+$'; then
-            echo "platform=true" >> "$GITHUB_OUTPUT"
-            echo "canvas=true" >> "$GITHUB_OUTPUT"
-            echo "python=true" >> "$GITHUB_OUTPUT"
-            echo "scripts=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          # Workflow-only edits are covered by the workflow lint family
-          # and by this workflow's always-present required jobs. Do not fan
-          # those edits out into Go/Canvas/Python/shellcheck work; the
-          # downstream jobs still emit their required contexts via no-op
-          # steps when their surface flag is false.
-          #
-          # If the diff itself cannot be trusted, fail open by running every
-          # surface instead of silently under-testing the PR.
-          if ! DIFF=$(git diff --name-only "$BASE" HEAD 2>/dev/null); then
-            echo "platform=true" >> "$GITHUB_OUTPUT"
-            echo "canvas=true" >> "$GITHUB_OUTPUT"
-            echo "python=true" >> "$GITHUB_OUTPUT"
-            echo "scripts=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          echo "platform=$(echo "$DIFF" | grep -qE '^workspace-server/' && echo true || echo false)" >> "$GITHUB_OUTPUT"
-          echo "canvas=$(echo "$DIFF" | grep -qE '^canvas/' && echo true || echo false)" >> "$GITHUB_OUTPUT"
-          echo "python=$(echo "$DIFF" | grep -qE '^workspace/' && echo true || echo false)" >> "$GITHUB_OUTPUT"
-          echo "scripts=$(echo "$DIFF" | grep -qE '^tests/e2e/|^scripts/|^infra/scripts/' && echo true || echo false)" >> "$GITHUB_OUTPUT"
+          python3 .gitea/scripts/detect-changes.py \
+            --profile ci \
+            --event-name "${{ github.event_name }}" \
+            --pr-base-sha "$PR_BASE_SHA" \
+            --base-ref "$PR_BASE_REF" \
+            --push-before "${GITHUB_EVENT_BEFORE:-$PUSH_BEFORE}"

-  # Platform (Go) — Go build/vet/test/lint + coverage gates. The always-run
-  # + per-step gating shape preserves the GitHub-side required-check name
-  # contract (so when this Gitea port becomes a required check in Phase 4,
-  # the name match works on PRs that don't touch workspace-server/).
+  # Platform (Go) — Go build/vet/test/lint + coverage gates. The job always
+  # emits the required context, but expensive steps are path-scoped on every
+  # event so docs/E2E/Canvas-only main pushes do not block deploy on unrelated
+  # Go bootstrap work.
  platform-build:
    name: Platform (Go)
+    needs: changes
    runs-on: ubuntu-latest
    # mc#774 (closed 2026-05-14): Phase 4 flip of the platform-build job.
    # Phase 4 (#656) originally flipped this to continue-on-error: false based on
@@ -153,29 +125,29 @@ jobs:
      run:
        working-directory: workspace-server
    steps:
-      - if: false
+      - if: ${{ needs.changes.outputs.platform != 'true' }}
        working-directory: .
-        run: echo "No platform/** changes — skipping real build steps; this job always runs to satisfy the required-check name on branch protection."
-      - if: always()
+        run: echo "No workspace-server/** changes — Platform (Go) gate satisfied without running Go build/test/lint."
+      - if: ${{ needs.changes.outputs.platform == 'true' }}
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - if: always()
+      - if: ${{ needs.changes.outputs.platform == 'true' }}
        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
        with:
          go-version: 'stable'
-      - if: always()
+      - if: ${{ needs.changes.outputs.platform == 'true' }}
        run: go mod download
-      - if: always()
+      - if: ${{ needs.changes.outputs.platform == 'true' }}
        run: go build ./cmd/server
      # CLI (molecli) moved to standalone repo: git.moleculesai.app/molecule-ai/molecule-cli
-      - if: always()
+      - if: ${{ needs.changes.outputs.platform == 'true' }}
        run: go vet ./...
-      - if: always()
+      - if: ${{ needs.changes.outputs.platform == 'true' }}
        name: Install golangci-lint
        run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.12.2
-      - if: always()
+      - if: ${{ needs.changes.outputs.platform == 'true' }}
        name: Run golangci-lint
        run: $(go env GOPATH)/bin/golangci-lint run --timeout 3m ./...
-      - if: always()
+      - if: ${{ needs.changes.outputs.platform == 'true' }}
        name: Diagnostic — per-package verbose 60s
        run: |
          set +e
@@ -191,7 +163,7 @@ jobs:
          echo "::endgroup::"
        # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
        continue-on-error: true
-      - if: always()
+      - if: ${{ needs.changes.outputs.platform == 'true' }}
        name: Run tests with race detection and coverage
        # Explicit timeout: cold runner cache causes OOM kills at ~4m39s on the
        # full ./... suite with race detection + coverage. A 10m per-step timeout
@@ -199,7 +171,7 @@ jobs:
        # instead of OOM-killing. The job-level timeout (15m) is a backstop.
        run: go test -race -timeout 10m -coverprofile=coverage.out ./...

-      - if: always()
+      - if: ${{ needs.changes.outputs.platform == 'true' }}
        name: Per-file coverage report
        # Advisory — lists every source file with its coverage so reviewers
        # can see at-a-glance where gaps are. Sorted ascending so the worst
@@ -213,7 +185,7 @@ jobs:
                   END {for (f in s) printf "%6.1f%%  %s\n", s[f]/c[f], f}' \
            | sort -n

-      - if: always()
+      - if: ${{ needs.changes.outputs.platform == 'true' }}
        name: Check coverage thresholds
        # Enforces two gates from #1823 Layer 1:
        #   1. Total floor (25% — ratchet plan in COVERAGE_FLOOR.md).
@@ -301,6 +273,7 @@ jobs:
  # siblings — verified empirically on PR #2314).
  canvas-build:
    name: Canvas (Next.js)
+    needs: changes
    runs-on: ubuntu-latest
    timeout-minutes: 20
    # Phase 4 (RFC #219 §1): confirmed green on main 2026-05-12.
@@ -309,20 +282,20 @@ jobs:
      run:
        working-directory: canvas
    steps:
-      - if: false
+      - if: ${{ needs.changes.outputs.canvas != 'true' }}
        working-directory: .
-        run: echo "No canvas/** changes — skipping real build steps; this job always runs to satisfy the required-check name on branch protection."
-      - if: always()
+        run: echo "No canvas/** changes — Canvas (Next.js) gate satisfied without running npm build/test."
+      - if: ${{ needs.changes.outputs.canvas == 'true' }}
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - if: always()
+      - if: ${{ needs.changes.outputs.canvas == 'true' }}
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: '22'
-      - if: always()
+      - if: ${{ needs.changes.outputs.canvas == 'true' }}
        run: npm ci --include=optional --prefer-offline
-      - if: always()
+      - if: ${{ needs.changes.outputs.canvas == 'true' }}
        run: npm run build
-      - if: always()
+      - if: ${{ needs.changes.outputs.canvas == 'true' }}
        name: Run tests with coverage
        # Coverage instrumentation is configured in canvas/vitest.config.ts
        # (provider: v8, reporters: text + html + json-summary). Step 2 of
@@ -331,7 +304,7 @@ jobs:
        # tracked in #1815) after the team sees what current coverage is.
        run: npx vitest run --coverage
      - name: Upload coverage summary as artifact
-        if: always()
+        if: ${{ needs.changes.outputs.canvas == 'true' }}
        # Pinned to v3 for Gitea act_runner v0.6 compatibility — v4+ uses
        # the GHES 3.10+ artifact protocol that Gitea 1.22.x does NOT
        # implement, surfacing as `GHESNotSupportedError: @actions/artifact
@@ -345,18 +318,19 @@ jobs:
          retention-days: 7
          if-no-files-found: warn

-  # Shellcheck (E2E scripts) — required check, always runs.
+  # Shellcheck (E2E scripts) — required context, path-scoped heavy steps.
  shellcheck:
    name: Shellcheck (E2E scripts)
+    needs: changes
    runs-on: ubuntu-latest
    # Phase 4 (RFC #219 §1): confirmed green on main 2026-05-12.
    continue-on-error: false
    steps:
-      - if: false
-        run: echo "No tests/e2e/ or infra/scripts/ changes — skipping real shellcheck; this job always runs to satisfy the required-check name on branch protection."
-      - if: always()
+      - if: ${{ needs.changes.outputs.scripts != 'true' }}
+        run: echo "No tests/e2e, scripts, or infra/scripts changes — Shellcheck gate satisfied without running script checks."
+      - if: ${{ needs.changes.outputs.scripts == 'true' }}
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - if: always()
+      - if: ${{ needs.changes.outputs.scripts == 'true' }}
        name: Run shellcheck on tests/e2e/*.sh and infra/scripts/*.sh
        # shellcheck is pre-installed on ubuntu-latest runners (via apt).
        # infra/scripts/ is included because setup.sh + nuke.sh gate the
@@ -367,16 +341,16 @@ jobs:
          find tests/e2e infra/scripts -type f -name '*.sh' -print0 \
            | xargs -0 shellcheck --severity=warning

-      - if: always()
+      - if: ${{ needs.changes.outputs.scripts == 'true' }}
        name: Lint cleanup-trap hygiene (RFC #2873)
        run: bash tests/e2e/lint_cleanup_traps.sh

-      - if: always()
+      - if: ${{ needs.changes.outputs.scripts == 'true' }}
        name: Run E2E bash unit tests (no live infra)
        run: |
          bash tests/e2e/test_model_slug.sh

-      - if: always()
+      - if: ${{ needs.changes.outputs.scripts == 'true' }}
        name: Test ECR promote-tenant-image script (mock-driven, no live infra)
        # Covers scripts/promote-tenant-image.sh — the codified
        # :staging-latest → :latest ECR promote + tenant fleet redeploy
@@ -386,7 +360,7 @@ jobs:
        run: |
          bash scripts/test-promote-tenant-image.sh

-      - if: always()
+      - if: ${{ needs.changes.outputs.scripts == 'true' }}
        name: Shellcheck promote-tenant-image script
        # scripts/ is excluded from the bulk shellcheck pass above (legacy
        # SC3040/SC3043 cleanup pending). Run shellcheck explicitly on
@@ -456,84 +430,29 @@ jobs:
          cat /tmp/deploy-reminder.md >> "$GITHUB_STEP_SUMMARY"

  # Python Lint & Test — required check, always runs.
+  # Runtime Python moved to molecule-ai-workspace-runtime. Keep this context as
+  # a guard so branch protection still catches attempts to reintroduce an
+  # editable runtime copy under molecule-core/workspace/.
  python-lint:
    name: Python Lint & Test
    runs-on: ubuntu-latest
-    # Phase 4 (RFC #219 §1): confirmed green on main 2026-05-12.
    continue-on-error: false
-    env:
-      WORKSPACE_ID: test
-    defaults:
-      run:
-        working-directory: workspace
    steps:
-      - if: false
-        working-directory: .
-        run: echo "No workspace/** changes — skipping real lint+test; this job always runs to satisfy the required-check name on branch protection."
-      - if: always()
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - if: always()
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: '3.11'
-          cache: pip
-          cache-dependency-path: workspace/requirements.txt
-      - if: always()
-        run: pip install -r requirements.txt pytest pytest-asyncio pytest-cov sqlalchemy>=2.0.0
-      # Coverage flags + fail-under floor moved into workspace/pytest.ini
-      # (issue #1817) so local `pytest` and CI use identical config.
-      - if: always()
-        run: python -m pytest --tb=short
-
-      - if: always()
-        name: Per-file critical-path coverage (MCP / inbox / auth)
-        # MCP-critical Python files have a per-file floor on top of the
-        # 86% total floor in pytest.ini. See issue #2790 for full rationale.
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Runtime SSOT guard
        run: |
-          set -e
-          PER_FILE_FLOOR=75
-          CRITICAL_FILES=(
-            "a2a_mcp_server.py"
-            "mcp_cli.py"
-            "a2a_tools.py"
-            "a2a_tools_inbox.py"
-            "inbox.py"
-            "platform_auth.py"
-          )
-
-          # pytest already wrote .coverage; emit a JSON view scoped to
-          # the critical files so jq/python can read the per-file pct
-          # without parsing tabular text.
-          INCLUDES=$(printf '*%s,' "${CRITICAL_FILES[@]}")
-          INCLUDES="${INCLUDES%,}"
-          python -m coverage json -o /tmp/critical-cov.json --include="$INCLUDES"
-
-          FAILED=0
-          for f in "${CRITICAL_FILES[@]}"; do
-            pct=$(jq -r --arg f "$f" '.files | to_entries | map(select(.key == $f)) | .[0].value.summary.percent_covered // "MISSING"' /tmp/critical-cov.json)
-            if [ "$pct" = "MISSING" ]; then
-              echo "::error file=workspace/$f::No coverage data — file may have moved or test exclusion mis-set."
-              FAILED=$((FAILED+1))
-              continue
-            fi
-            echo "$f: ${pct}%"
-            if awk "BEGIN{exit !($pct < $PER_FILE_FLOOR)}"; then
-              echo "::error file=workspace/$f::${pct}% < ${PER_FILE_FLOOR}% per-file floor (MCP critical path). See COVERAGE_FLOOR.md."
-              FAILED=$((FAILED+1))
-            fi
-          done
-
-          if [ "$FAILED" -gt 0 ]; then
-            echo ""
-            echo "$FAILED MCP critical-path file(s) below the ${PER_FILE_FLOOR}% per-file floor."
-            echo "These paths handle multi-tenant routing, auth tokens, and inbox dispatch."
-            echo "A coverage drop here is the same risk shape as Go-side tokens/secrets files"
-            echo "dropping below 10% (see COVERAGE_FLOOR.md). Either:"
-            echo "  (a) add tests to raise coverage back above ${PER_FILE_FLOOR}%, or"
-            echo "  (b) if this is unavoidable historical debt, file an issue and propose"
-            echo "      adjusting the floor with rationale in COVERAGE_FLOOR.md."
+          set -eu
+          if [ -d workspace ]; then
+            echo "::error file=workspace::Runtime source must live in molecule-ai-workspace-runtime, not molecule-core/workspace."
            exit 1
          fi
+          for f in scripts/build_runtime_package.py scripts/test_build_runtime_package.py; do
+            if [ -e "$f" ]; then
+              echo "::error file=$f::Legacy build-from-workspace packaging script must not be restored."
+              exit 1
+            fi
+          done
+          echo "Runtime SSOT guard passed; core consumes the standalone runtime package."

  all-required:
    # Aggregator sentinel — RFC internal#219 §2 (Phase 4 — closes internal#286).
@@ -118,7 +118,7 @@ jobs:
    timeout-minutes: 20
    env:
      # claude-code default: cold-start ~5 min (comparable to langgraph),
-      # but uses MiniMax-M2.7-highspeed via the template's third-party-
+      # but uses MiniMax-M2 via the template's third-party-
      # Anthropic-compat path (workspace-configs-templates/claude-code-
      # default/config.yaml:64-69). MiniMax is ~5-10x cheaper than
      # gpt-4.1-mini per token AND avoids the recurring OpenAI quota-
@@ -131,9 +131,9 @@ jobs:
      # on the per-runtime default ("sonnet" → routes to direct
      # Anthropic, defeats the cost saving). Operators can override
      # via workflow_dispatch by setting a different E2E_MODEL_SLUG
-      # input if they need to exercise a specific model. M2.7-highspeed
-      # is "Token Plan only" but cheap-per-token and fast.
-      E2E_MODEL_SLUG: ${{ github.event.inputs.model_slug || 'MiniMax-M2.7-highspeed' }}
+      # input if they need to exercise a specific model. MiniMax-M2 is the
+      # stable staging MiniMax path used by the full-SaaS smoke.
+      E2E_MODEL_SLUG: ${{ github.event.inputs.model_slug || 'MiniMax-M2' }}
      # Bound to 10 min so a stuck provision fails the run instead of
      # holding up the next cron firing. 15-min default in the script
      # is for the on-PR full lifecycle where we have more headroom.
@@ -145,6 +145,11 @@ jobs:
      E2E_KEEP_ORG: ${{ github.event.inputs.keep_org == 'true' && '1' || '' }}
      MOLECULE_CP_URL: ${{ vars.STAGING_CP_URL || 'https://staging-api.moleculesai.app' }}
      MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      AWS_DEFAULT_REGION: us-east-2
+      E2E_AWS_LEAK_CHECK: required
+      E2E_AWS_TERMINATE_LEAKS: '1'
      # MiniMax key is the canary's PRIMARY auth path. claude-code
      # template's `minimax` provider routes ANTHROPIC_BASE_URL to
      # api.minimax.io/anthropic and reads MINIMAX_API_KEY at boot.
@@ -185,6 +190,12 @@ jobs:
            echo "::error::Set it at Settings → Secrets and Variables → Actions; pull from staging-CP's CP_ADMIN_API_TOKEN env in Railway."
            exit 1
          fi
+          for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do
+            if [ -z "${!var:-}" ]; then
+              echo "::error::$var secret missing — EC2 leak verification cannot run"
+              exit 1
+            fi
+          done

          # LLM-key requirement is per-runtime: claude-code accepts
          # EITHER MiniMax OR direct-Anthropic (whichever is set first),
@@ -132,31 +132,13 @@ jobs:
        with:
          fetch-depth: 0
      - id: decide
-        # Inline replacement for dorny/paths-filter — same pattern PR#372's
-        # ci.yml port used. Diffs against the PR base or push BEFORE SHA,
-        # then matches against the api-relevant path set.
        run: |
-          BASE="${GITHUB_BASE_REF:-${{ github.event.before }}}"
-          if [ "${{ github.event_name }}" = "pull_request" ] && [ -n "${{ github.event.pull_request.base.sha }}" ]; then
-            BASE="${{ github.event.pull_request.base.sha }}"
-          fi
-          if [ -z "$BASE" ] || echo "$BASE" | grep -qE '^0+$'; then
-            echo "api=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          if ! git cat-file -e "$BASE" 2>/dev/null; then
-            git fetch --depth=1 origin "$BASE" 2>/dev/null || true
-          fi
-          if ! git cat-file -e "$BASE" 2>/dev/null; then
-            echo "api=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          CHANGED=$(git diff --name-only "$BASE" HEAD)
-          if echo "$CHANGED" | grep -qE '^(workspace-server/|tests/e2e/|\.gitea/workflows/e2e-api\.yml$)'; then
-            echo "api=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "api=false" >> "$GITHUB_OUTPUT"
-          fi
+          python3 .gitea/scripts/detect-changes.py \
+            --profile e2e-api \
+            --event-name "${{ github.event_name }}" \
+            --pr-base-sha "${{ github.event.pull_request.base.sha }}" \
+            --base-ref "${{ github.event.pull_request.base.ref }}" \
+            --push-before "${GITHUB_EVENT_BEFORE:-${{ github.event.before }}}"

  # ONE job (no job-level `if:`) that always runs and reports under the
  # required-check name `E2E API Smoke Test`. Real work is gated per-step
@@ -366,6 +348,9 @@ jobs:
            exit 1
          fi
          echo "Migrations OK"
+      - name: Run today's-PR-coverage E2E (mc#1525/1535/1536/1539/1542 fix-specific assertions)
+        if: needs.detect-changes.outputs.api == 'true'
+        run: bash tests/e2e/test_today_pr_coverage_e2e.sh
      - name: Run E2E API tests
        if: needs.detect-changes.outputs.api == 'true'
        run: bash tests/e2e/test_api.sh
@@ -375,15 +360,18 @@ jobs:
      - name: Run priority-runtimes E2E (claude-code + hermes — skips when keys absent)
        if: needs.detect-changes.outputs.api == 'true'
        run: bash tests/e2e/test_priority_runtimes_e2e.sh
+      - name: Install standalone runtime parser from Gitea registry
+        if: needs.detect-changes.outputs.api == 'true'
+        run: |
+          python3 -m pip install --no-deps \
+            --index-url https://git.moleculesai.app/api/packages/molecule-ai/pypi/simple/ \
+            molecule-ai-workspace-runtime
      - name: Run poll-mode + since_id cursor E2E (#2339)
        if: needs.detect-changes.outputs.api == 'true'
        run: bash tests/e2e/test_poll_mode_e2e.sh
      - name: Run poll-mode chat upload E2E (RFC #2891)
        if: needs.detect-changes.outputs.api == 'true'
        run: bash tests/e2e/test_poll_mode_chat_upload_e2e.sh
-      - name: Run today's-PR-coverage E2E (mc#1525/1535/1536/1539/1542 fix-specific assertions)
-        if: needs.detect-changes.outputs.api == 'true'
-        run: bash tests/e2e/test_today_pr_coverage_e2e.sh
      - name: Dump platform log on failure
        if: failure() && needs.detect-changes.outputs.api == 'true'
        run: cat workspace-server/platform.log || true
@@ -401,4 +389,3 @@ jobs:
        run: |
          docker rm -f "$PG_CONTAINER" 2>/dev/null || true
          docker rm -f "$REDIS_CONTAINER" 2>/dev/null || true
-
@@ -44,6 +44,8 @@ name: E2E Peer Visibility (literal MCP list_peers)
 #   - No cross-repo `uses:` (feedback_gitea_cross_repo_uses_blocked). The
 #     actions/checkout SHA is the one e2e-staging-canvas.yml already uses
 #     successfully (a mirrored SHA — see #1277/PR#1292 root-cause).
+#   - 2026-05-21 retrigger: verify fresh platform-tenant image after the
+#     publish Buildx DOCKER_CONFIG fix restored staging-latest image updates.
 #   - Per-SHA concurrency, not global (feedback_concurrency_group_per_sha).
 #   - Workflow-level GITHUB_SERVER_URL pinned
 #     (feedback_act_runner_github_server_url).
@@ -68,14 +70,11 @@ name: E2E Peer Visibility (literal MCP list_peers)
 # minutes, not the 30+ min cold-EC2 path), so peer-visibility is part of
 # the local gate that fires before the staging E2E.
 #
-# It is its OWN non-required status context `E2E Peer Visibility (local)`
-# — same non-required-by-design decision as the staging job (red until
-# Hermes-401 #162 / OpenClaw-never-online #165 land; flip-to-required
-# tracked at molecule-core#1296). It is an HONEST gate: NO
-# continue-on-error mask (feedback_fix_root_not_symptom). It is kept a
-# distinct context (not folded into e2e-api.yml's required `E2E API
-# Smoke Test`) precisely so a deliberately-RED-today gate cannot wedge
-# the required local-E2E job or any unrelated merge.
+# It is its OWN non-required status context `E2E Peer Visibility (local)`.
+# The local backend uses external-mode workspaces by default so it tests
+# the literal platform MCP list_peers path without depending on local
+# template container boot/heartbeat. Container-mode runtime boot remains
+# available via PV_LOCAL_PROVISION_MODE=container for targeted debugging.

 on:
  push:
@@ -86,9 +85,8 @@ on:
      - 'workspace-server/internal/middleware/**'
      - 'workspace-server/internal/handlers/registry.go'
      - 'workspace-server/internal/handlers/workspace.go'
-      - 'workspace/a2a_mcp_server.py'
-      - 'workspace/platform_tools/registry.py'
      - 'tests/e2e/test_peer_visibility_mcp_staging.sh'
+      - 'tests/e2e/test_peer_visibility_token_mint_staging.sh'
      - 'tests/e2e/test_peer_visibility_mcp_local.sh'
      - 'tests/e2e/lib/peer_visibility_assert.sh'
      - '.gitea/workflows/e2e-peer-visibility.yml'
@@ -100,9 +98,8 @@ on:
      - 'workspace-server/internal/middleware/**'
      - 'workspace-server/internal/handlers/registry.go'
      - 'workspace-server/internal/handlers/workspace.go'
-      - 'workspace/a2a_mcp_server.py'
-      - 'workspace/platform_tools/registry.py'
      - 'tests/e2e/test_peer_visibility_mcp_staging.sh'
+      - 'tests/e2e/test_peer_visibility_token_mint_staging.sh'
      - 'tests/e2e/test_peer_visibility_mcp_local.sh'
      - 'tests/e2e/lib/peer_visibility_assert.sh'
      - '.gitea/workflows/e2e-peer-visibility.yml'
@@ -142,8 +139,14 @@ jobs:
          echo "lib/peer_visibility_assert.sh — bash syntax OK"
          bash -n tests/e2e/test_peer_visibility_mcp_staging.sh
          echo "test_peer_visibility_mcp_staging.sh — bash syntax OK"
+          bash -n tests/e2e/test_peer_visibility_token_mint_staging.sh
+          echo "test_peer_visibility_token_mint_staging.sh — bash syntax OK"
          bash -n tests/e2e/test_peer_visibility_mcp_local.sh
          echo "test_peer_visibility_mcp_local.sh — bash syntax OK"
+          if rg -n '/admin/workspaces/.*/test-token|test-token' tests/e2e/test_*staging*.sh; then
+            echo "::error::staging E2E must not use dev-only /admin/workspaces/:id/test-token; use production-safe admin token minting instead"
+            exit 1
+          fi
          echo "Staging fresh-provision MCP list_peers E2E runs on push to"
          echo "main / workflow_dispatch / daily cron (30+ min EC2 boot)."
          echo "The LOCAL backend runs in the peer-visibility-local job"
@@ -157,9 +160,9 @@ jobs:
  # ephemeral host ports so concurrent host-network act_runner runs don't
  # collide; go build; background platform-server). Its OWN non-required
  # status context `E2E Peer Visibility (local)` — non-required-by-design
-  # exactly like the staging job (red until #162/#165 land;
-  # flip-to-required tracked at molecule-core#1296). HONEST gate, NO
-  # continue-on-error mask (feedback_fix_root_not_symptom). Runs on PR +
+  # exactly like the staging job (flip-to-required tracked at
+  # molecule-core#1296). HONEST gate, NO continue-on-error mask
+  # (feedback_fix_root_not_symptom). Runs on PR +
  # push (local boot is minutes, not the 30+ min cold-EC2 path).
  # bp-required: pending #1296
  peer-visibility-local:
@@ -179,6 +182,9 @@ jobs:
      E2E_ANTHROPIC_API_KEY: ${{ secrets.MOLECULE_STAGING_ANTHROPIC_API_KEY }}
      E2E_OPENAI_API_KEY: ${{ secrets.MOLECULE_STAGING_OPENAI_API_KEY }}
      PV_RUNTIMES: "hermes openclaw claude-code"
+      PV_LOCAL_PROVISION_MODE: external
+      ADMIN_TOKEN: local-e2e-admin-token
+      MOLECULE_ADMIN_TOKEN: local-e2e-admin-token
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
@@ -267,10 +273,9 @@ jobs:
          echo "::error::Platform did not become healthy in 30s"
          cat workspace-server/platform.log || true; exit 1
      - name: Run LOCAL fresh-provision peer-visibility E2E (literal MCP list_peers)
-        # HONEST gate — NO continue-on-error. Red today (Hermes-401 #162 /
-        # OpenClaw-never-online #165 not yet fixed); green when they land.
-        # Non-required-by-design via its distinct status context until the
-        # molecule-core#1296 flip-to-required.
+        # HONEST gate — NO continue-on-error. The local backend uses
+        # external-mode workspaces so this context tests the literal MCP
+        # peer-visibility path without coupling to template container boot.
        run: bash tests/e2e/test_peer_visibility_mcp_local.sh
      - name: Dump platform log on failure
        if: failure()
@@ -49,6 +49,8 @@ on:
      - 'workspace-server/internal/middleware/**'
      - 'workspace-server/internal/provisioner/**'
      - 'tests/e2e/test_staging_full_saas.sh'
+      - 'tests/e2e/lib/aws_leak_check.sh'
+      - 'tests/e2e/test_aws_leak_check.sh'
      - '.gitea/workflows/e2e-staging-saas.yml'
  pull_request:
    branches: [main]
@@ -59,6 +61,8 @@ on:
      - 'workspace-server/internal/middleware/**'
      - 'workspace-server/internal/provisioner/**'
      - 'tests/e2e/test_staging_full_saas.sh'
+      - 'tests/e2e/lib/aws_leak_check.sh'
+      - 'tests/e2e/test_aws_leak_check.sh'
      - '.gitea/workflows/e2e-staging-saas.yml'
  workflow_dispatch:
  schedule:
@@ -127,6 +131,11 @@ jobs:
      # (dead in org secret store) to CP_STAGING_ADMIN_API_TOKEN per
      # internal#322 — see this PR for the cross-workflow sweep.
      MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      AWS_DEFAULT_REGION: us-east-2
+      E2E_AWS_LEAK_CHECK: required
+      E2E_AWS_TERMINATE_LEAKS: '1'
      # MiniMax is the PRIMARY LLM auth path post-2026-05-04. Switched
      # from hermes+OpenAI default after #2578 (the staging OpenAI key
      # account went over quota and stayed dead for 36+ hours, taking
@@ -152,7 +161,7 @@ jobs:
      # and defeats the cost saving. Operators can override via the
      # workflow_dispatch flow (no input wired here yet — runtime
      # override is enough for ad-hoc).
-      E2E_MODEL_SLUG: ${{ github.event.inputs.runtime == 'hermes' && 'openai/gpt-4o' || github.event.inputs.runtime == 'langgraph' && 'openai:gpt-4o' || 'MiniMax-M2.7-highspeed' }}
+      E2E_MODEL_SLUG: ${{ github.event.inputs.runtime == 'hermes' && 'openai/gpt-4o' || github.event.inputs.runtime == 'langgraph' && 'openai:gpt-4o' || 'MiniMax-M2' }}
      E2E_RUN_ID: "${{ github.run_id }}-${{ github.run_attempt }}"
      E2E_KEEP_ORG: ${{ github.event.inputs.keep_org && '1' || '0' }}

@@ -165,6 +174,12 @@ jobs:
            echo "::error::CP_STAGING_ADMIN_API_TOKEN secret not set (Railway staging CP_ADMIN_API_TOKEN)"
            exit 2
          fi
+          for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do
+            if [ -z "${!var:-}" ]; then
+              echo "::error::$var not set — EC2 leak verification cannot run"
+              exit 2
+            fi
+          done
          echo "Admin token present ✓"

      - name: Verify LLM key present
@@ -47,6 +47,11 @@ jobs:
      # (dead in org secret store) to CP_STAGING_ADMIN_API_TOKEN per
      # internal#322 — see this PR for the cross-workflow sweep.
      MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      AWS_DEFAULT_REGION: us-east-2
+      E2E_AWS_LEAK_CHECK: required
+      E2E_AWS_TERMINATE_LEAKS: '1'
      E2E_MODE: smoke
      E2E_RUNTIME: hermes
      E2E_RUN_ID: "sanity-${{ github.run_id }}"
@@ -61,6 +66,12 @@ jobs:
            echo "::error::CP_STAGING_ADMIN_API_TOKEN not set"
            exit 2
          fi
+          for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do
+            if [ -z "${!var:-}" ]; then
+              echo "::error::$var not set — EC2 leak verification cannot run"
+              exit 2
+            fi
+          done

      # Inverted assertion: the run MUST fail. If it passes, the
      # E2E_INTENTIONAL_FAILURE path is broken.
@@ -101,36 +101,13 @@ jobs:
          # not present in the shallow checkout.
          fetch-depth: 2
      - id: filter
-        # Inline replacement for dorny/paths-filter — see e2e-api.yml.
        run: |
-          # Gitea Actions evaluates github.event.before to empty string in shell
-          # scripts. Use GITHUB_EVENT_BEFORE shell env var instead (Gitea
-          # correctly populates it for push events). PR case uses template var.
-          BASE=""
-          if [ "${{ github.event_name }}" = "pull_request" ] && [ -n "${{ github.event.pull_request.base.sha }}" ]; then
-            BASE="${{ github.event.pull_request.base.sha }}"
-          elif [ -n "$GITHUB_EVENT_BEFORE" ]; then
-            BASE="$GITHUB_EVENT_BEFORE"
-          fi
-          if [ -z "$BASE" ] || echo "$BASE" | grep -qE '^0+$'; then
-            echo "handlers=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          # timeout 30 guards against the case where BASE points to a ref that
-          # git can resolve but cat-file hangs (rare on corrupted objects).
-          if ! timeout 30 git cat-file -e "$BASE" 2>/dev/null; then
-            git fetch --depth=1 origin "$BASE" 2>/dev/null || true
-          fi
-          if ! timeout 30 git cat-file -e "$BASE" 2>/dev/null; then
-            echo "handlers=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          CHANGED=$(git diff --name-only "$BASE" HEAD)
-          if echo "$CHANGED" | grep -qE '^(workspace-server/internal/handlers/|workspace-server/internal/wsauth/|workspace-server/migrations/|\.gitea/workflows/handlers-postgres-integration\.yml$)'; then
-            echo "handlers=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "handlers=false" >> "$GITHUB_OUTPUT"
-          fi
+          python3 .gitea/scripts/detect-changes.py \
+            --profile handlers-postgres \
+            --event-name "${{ github.event_name }}" \
+            --pr-base-sha "${{ github.event.pull_request.base.sha }}" \
+            --base-ref "${{ github.event.pull_request.base.ref }}" \
+            --push-before "${GITHUB_EVENT_BEFORE:-}"

  # Single-job-with-per-step-if pattern: always runs to satisfy the
  # required-check name on branch protection; real work gates on the
@@ -1,177 +0,0 @@
-name: publish-runtime-autobump
-
-# Auto-bump-on-workspace-edit half of the publish pipeline.
-#
-# Why this file exists (issue #351):
-#   Gitea Actions does not correctly disambiguate `paths:` from `tags:`
-#   when both are bundled under a single `on.push` key. The result is
-#   that tag pushes get filtered out and `publish-runtime.yml` never
-#   fires — `action_run` rows: 0. This was unnoticed pre-2026-05-11
-#   because PYPI_TOKEN was absent (publishes would have failed anyway).
-#
-#   Split design:
-#     - publish-runtime.yml         : on.push.tags only        (the publisher)
-#     - publish-runtime-autobump.yml: on.push.branches+paths   (this file — the version-bumper)
-#
-#   This file computes the next version from PyPI's latest, pushes a
-#   `runtime-v$VERSION` tag, and exits. The tag push then triggers
-#   publish-runtime.yml via its tags-only trigger.
-#
-# Concurrency: shares the `publish-runtime` group with publish-runtime.yml
-# so concurrent workspace pushes serialize at the bump step. Without
-# this, two pushes minutes apart could both read PyPI latest=0.1.129
-# and try to tag 0.1.130 simultaneously, only one of which would land.
-
-on:
-  # Run on PR pushes to post a success status so Gitea can merge the PR.
-  # All steps use continue-on-error: true so operational failures
-  # (PyPI unreachable, DISPATCH_TOKEN missing) do not block merge.
-  pull_request:
-    paths:
-      - "workspace/**"
-      # mc#1578 / a05add29 cure: build_runtime_package.py owns PYPROJECT_TEMPLATE
-      # (deps, classifiers, project metadata). A change there is publish-affecting
-      # even when workspace/** is untouched, so the autobump must fire to claim
-      # the next runtime-v$VERSION tag. Without this, manual tagging races PyPI
-      # (e.g. runtime-v0.1.18 collided with the 2026-04-27 PyPI 0.1.18 publish,
-      # blocking the python-multipart pin from reaching prod).
-      - "scripts/build_runtime_package.py"
-      - "scripts/test_build_runtime_package.py"
-  # Bump-and-tag on main/staging push (the actual operational trigger).
-  push:
-    branches:
-      - main
-      - staging
-    paths:
-      - "workspace/**"
-      - "scripts/build_runtime_package.py"
-      - "scripts/test_build_runtime_package.py"
-  # Manual dispatch — useful when Gitea Actions API (/actions/*) is
-  # unreachable (e.g. act_runner 404 on Gitea 1.22.6) and we cannot
-  # re-trigger via curl.
-  workflow_dispatch:
-
-permissions:
-  contents: write  # required to push tags back
-
-concurrency:
-  group: publish-runtime
-  cancel-in-progress: false
-
-jobs:
-  # PR-validation path: always succeeds so Gitea can merge workflow-only PRs.
-  # Operational failures (PyPI unreachable, missing DISPATCH_TOKEN) are
-  # surfaced via continue-on-error: true rather than blocking the merge.
-  # The actual bump work happens on the main/staging push after merge.
-  # bp-exempt: advisory validation for runtime publication; not a branch-protection gate.
-  pr-validate:
-    runs-on: ubuntu-latest
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
-    continue-on-error: true  # do not block PR merge on operational failures
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 1
-
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: "3.11"
-
-      - name: Validate PyPI connectivity (best-effort)
-        run: |
-          set -eu
-          echo "=== Checking PyPI accessibility ==="
-          LATEST=$(curl -fsS --retry 3 --max-time 10 \
-            https://pypi.org/pypi/molecule-ai-workspace-runtime/json \
-            | python -c "import sys,json; print(json.load(sys.stdin)['info']['version'])" \
-            || echo "PyPI unreachable (non-blocking for PR validation)")
-          echo "Latest: ${LATEST:-unknown}"
-
-  # Actual bump-and-tag: runs on main/staging pushes, posts real success/failure.
-  # No continue-on-error — operational failures here trip the main-red
-  # watchdog, which is the desired signal for infrastructure degradation.
-  # bp-exempt: post-merge tag publication side effect; CI / all-required gates source changes.
-  bump-and-tag:
-    runs-on: ubuntu-latest
-    # Only fire on push events (main/staging after PR merge). Pull_request
-    # events are handled by pr-validate above; we do NOT bump on every
-    # push-synchronize because that would race with the PR head.
-    #
-    # NOTE: the prior condition `github.event.pull_request.base.ref == ''`
-    # was broken — on a PR-merge push in Gitea Actions, the pull_request
-    # context is still attached (base.ref='main'), so the condition always
-    # evaluated to false and bump-and-tag was permanently skipped.
-    if: github.event_name == 'push'
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 1
-
-      - name: Fetch tags for collision check
-        run: git fetch origin --tags --depth=1
-
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: "3.11"
-
-      - name: Compute next version from PyPI latest and existing tags
-        id: bump
-        run: |
-          set -eu
-          LATEST=$(curl -fsS --retry 3 https://pypi.org/pypi/molecule-ai-workspace-runtime/json \
-            | python -c "import sys,json; print(json.load(sys.stdin)['info']['version'])")
-          MAJOR=$(echo "$LATEST" | cut -d. -f1)
-          MINOR=$(echo "$LATEST" | cut -d. -f2)
-          TAG_LATEST=$(git tag --list "runtime-v${MAJOR}.${MINOR}.*" \
-            | sed -E 's/^runtime-v//' \
-            | grep -E '^[0-9]+\.[0-9]+\.[0-9]+$' \
-            | sort -V \
-            | tail -1 || true)
-          VERSION=$(PYPI_LATEST="$LATEST" TAG_LATEST="$TAG_LATEST" python - <<'PY'
-          import os
-
-          def parse(v):
-              return tuple(int(part) for part in v.split("."))
-
-          pypi = os.environ["PYPI_LATEST"]
-          tag = os.environ.get("TAG_LATEST") or pypi
-          base = max(parse(pypi), parse(tag))
-          print(f"{base[0]}.{base[1]}.{base[2] + 1}")
-          PY
-          )
-          echo "PyPI latest=$LATEST, latest runtime tag=${TAG_LATEST:-none} -> next=$VERSION"
-          if ! echo "$VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+$'; then
-            echo "::error::computed version $VERSION does not match PEP 440 X.Y.Z"
-            exit 1
-          fi
-          if git tag --list | grep -qx "runtime-v$VERSION"; then
-            echo "::error::tag runtime-v$VERSION already exists in this repo. Manual intervention required (PyPI and Gitea tag history are out of sync)."
-            exit 1
-          fi
-          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
-
-      - name: Push runtime-v$VERSION tag
-        env:
-          DISPATCH_TOKEN: ${{ secrets.DISPATCH_TOKEN }}
-          VERSION: ${{ steps.bump.outputs.version }}
-          GITEA_URL: https://git.moleculesai.app
-        run: |
-          set -eu
-          if [ -z "$DISPATCH_TOKEN" ]; then
-            echo "::error::DISPATCH_TOKEN secret is not set — needed to push the tag back to molecule-core."
-            exit 1
-          fi
-          git config user.name  "publish-runtime autobump"
-          git config user.email "publish-runtime@moleculesai.app"
-          git tag -a "runtime-v$VERSION" \
-            -m "Auto-bump on workspace/** edit on $GITHUB_REF" \
-            -m "Triggered by: $GITHUB_REF @ $GITHUB_SHA" \
-            -m "publish-runtime.yml will pick up this tag and upload to PyPI"
-          # Push via DISPATCH_TOKEN (a Gitea PAT). Using the bot identity
-          # ensures the resulting tag-push event is dispatched to
-          # publish-runtime.yml; act_runner's default GITHUB_TOKEN cannot
-          # trigger downstream workflows.
-          git remote set-url origin "${GITEA_URL#https://}"
-          git remote set-url origin "https://x-access-token:${DISPATCH_TOKEN}@${GITEA_URL#https://}/molecule-ai/molecule-core.git"
-          git push origin "runtime-v$VERSION"
-          echo "✓ pushed runtime-v$VERSION — publish-runtime.yml should fire next"
@@ -1,437 +0,0 @@
-name: publish-runtime
-
-# Gitea Actions port of .github/workflows/publish-runtime.yml.
-#
-# Ported 2026-05-10 (issue #206). Key differences from the GitHub version:
-#   - Gitea Actions reads .gitea/workflows/, not .github/workflows/
-#   - Dropped `environment: pypi-publish` — Gitea Actions does not support
-#     named environments or OIDC trusted publishers
-#   - Replaced `pypa/gh-action-pypi-publish@release/v1` (OIDC) with
-#     `twine upload` using PYPI_TOKEN secret — same mechanism as a local
-#     `python -m twine upload` with a PyPI token
-#   - Replaced `github.ref_name` (GitHub-only) with `${GITHUB_REF#refs/tags/}`
-#     — Gitea Actions exposes github.ref (the full ref) but not ref_name
-#   - Dropped `merge_group` trigger (Gitea has no merge queue)
-#
-# 2026-05-10 (issue #348): originally restored `staging`/`main` branch +
-# `workspace/**` path-filter trigger in PR #349.
-#
-# 2026-05-11 (issue #351): REVERTED the branches+paths trigger from THIS
-# file. Bundling `paths` with `tags` under a single `on.push` key caused
-# Gitea Actions to never dispatch the workflow for tag-push events (0
-# runs in `action_run` for workflow_id='publish-runtime.yml' since the
-# port, including the runtime-v1.0.0 tag — which is why PyPI is still at
-# 0.1.129 despite a v1.0.0 Gitea tag existing).
-#
-# The auto-bump-on-workspace-edit trigger now lives in
-# `.gitea/workflows/publish-runtime-autobump.yml`. That file computes the
-# next version from PyPI's latest and pushes a `runtime-v$VERSION` tag,
-# which THIS file then picks up via the tags-only trigger below.
-#
-# This decoupling means Gitea's path-vs-tag evaluator never has to
-# disambiguate — each file has a single unambiguous trigger shape.
-#
-# PyPI publishing: requires PYPI_TOKEN repository secret (or org-level secret).
-# Set via: repo Settings → Actions → Variables and Secrets → New Secret.
-# The token should be a PyPI API token scoped to molecule-ai-workspace-runtime.
-#
-# The DISPATCH_TOKEN cascade (git push to template repos) is unchanged —
-# it uses the Gitea API directly and was already Gitea-compatible.
-
-on:
-  push:
-    tags:
-      - "runtime-v*"
-  workflow_dispatch:
-  # 2026-05-11 (root cause of #351 / 0 runs ever):
-  # Gitea 1.22.6's workflow parser rejects `workflow_dispatch.inputs.version`
-  # with "unknown on type" — it mis-treats the inputs sub-keys as top-level
-  # `on:` event types. Log line:
-  #   actions/workflows.go:DetectWorkflows() [W] ignore invalid workflow
-  #   "publish-runtime.yml": unknown on type: map["version": {...}]
-  # That `[W] ignore invalid workflow` is silent UX — the workflow never
-  # registers, so it never fires for ANY event (push.tags included).
-  # Removing the inputs block restores parsing. Manual dispatch from the
-  # Gitea UI now triggers the PyPI auto-bump fallback in `Derive version`
-  # below (no `inputs.version` to read).
-
-permissions:
-  contents: read
-
-# Serialize publishes so two concurrent tag pushes don't both compute
-# "latest+1" and race on PyPI upload. The second one waits.
-concurrency:
-  group: publish-runtime
-  cancel-in-progress: false
-
-jobs:
-  publish:
-    # Dedicated publish/release lane (internal#462 / #394 / #399). Ship
-    # path (on: push tag runtime-v*) — reserved capacity, never FIFO
-    # behind PR-CI. `publish` resolves only to molecule-runner-publish-*.
-    runs-on: publish
-    outputs:
-      version: ${{ steps.version.outputs.version }}
-      wheel_sha256: ${{ steps.wheel_hash.outputs.wheel_sha256 }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: "3.11"
-          cache: pip
-
-      - name: Derive version (tag or PyPI auto-bump)
-        id: version
-        run: |
-          if echo "$GITHUB_REF" | grep -q "^refs/tags/runtime-v"; then
-            # Tag is `runtime-vX.Y.Z` — strip the prefix.
-            VERSION="${GITHUB_REF#refs/tags/runtime-v}"
-          else
-            # workflow_dispatch path (no inputs supported on Gitea 1.22.6) or
-            # any other non-tag trigger: derive from PyPI latest + patch bump.
-            LATEST=$(curl -fsS --retry 3 https://pypi.org/pypi/molecule-ai-workspace-runtime/json \
-              | python -c "import sys,json; print(json.load(sys.stdin)['info']['version'])")
-            MAJOR=$(echo "$LATEST" | cut -d. -f1)
-            MINOR=$(echo "$LATEST" | cut -d. -f2)
-            PATCH=$(echo "$LATEST" | cut -d. -f3)
-            VERSION="${MAJOR}.${MINOR}.$((PATCH+1))"
-            echo "Auto-bumped from PyPI latest $LATEST -> $VERSION"
-          fi
-          if ! echo "$VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+(\.dev[0-9]+|rc[0-9]+|a[0-9]+|b[0-9]+|\.post[0-9]+)?$'; then
-            echo "::error::version $VERSION does not match PEP 440"
-            exit 1
-          fi
-          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
-          echo "Publishing molecule-ai-workspace-runtime $VERSION"
-
-      - name: Install build tooling
-        run: pip install build twine
-
-      - name: Build package from workspace/
-        run: |
-          python scripts/build_runtime_package.py \
-            --version "${{ steps.version.outputs.version }}" \
-            --out "${{ runner.temp }}/runtime-build"
-
-      - name: Build wheel + sdist
-        working-directory: ${{ runner.temp }}/runtime-build
-        run: python -m build
-
-      - name: Capture wheel SHA256 for cascade content-verification
-        id: wheel_hash
-        working-directory: ${{ runner.temp }}/runtime-build
-        run: |
-          set -eu
-          WHEEL=$(ls dist/*.whl 2>/dev/null | head -1)
-          if [ -z "$WHEEL" ]; then
-            echo "::error::No .whl in dist/ — \`python -m build\` must have failed silently"
-            exit 1
-          fi
-          HASH=$(sha256sum "$WHEEL" | awk '{print $1}')
-          echo "wheel_sha256=${HASH}" >> "$GITHUB_OUTPUT"
-          echo "Local wheel SHA256 (pre-upload): ${HASH}"
-          echo "Wheel filename: $(basename "$WHEEL")"
-
-      - name: Verify package contents (sanity)
-        working-directory: ${{ runner.temp }}/runtime-build
-        run: |
-          python -m twine check dist/*
-          python -m venv /tmp/smoke
-          /tmp/smoke/bin/pip install --quiet dist/*.whl
-          /tmp/smoke/bin/python "$GITHUB_WORKSPACE/scripts/wheel_smoke.py"
-
-      # ─────────────────────────────────────────────────────────────────────
-      # RFC#596 (2026-05-19): Gitea PyPI registry as PRIMARY, PyPI as
-      # best-effort fallback. Eliminates the SPOF that caused the
-      # 2026-05-19 P0 (PyPI abuse-block #593 + Railway outage #595).
-      #
-      # Order is inverted intentionally:
-      #   1. Gitea FIRST — must succeed (our internal SSOT).
-      #   2. PyPI SECOND — best-effort, non-fatal on failure (courtesy
-      #      mirror; our consumers don't depend on it after Phase 4
-      #      template Dockerfile updates).
-      #
-      # Endpoint shape (verified live in RFC#596 Phase 5):
-      #   POST https://git.moleculesai.app/api/packages/molecule-ai/pypi/
-      #   HTTP Basic auth: username = gitea username, password = PAT with
-      #   `write:package` scope. Returns 201 Created on success.
-      # ─────────────────────────────────────────────────────────────────────
-
-      - name: Publish to Gitea PyPI registry (PRIMARY)
-        id: gitea_publish
-        working-directory: ${{ runner.temp }}/runtime-build
-        env:
-          # MOLECULE_PYPI_GITEA_PUBLISHER_USER: Gitea username for the publisher
-          # persona (must own a token with `write:package` scope).
-          # Provisioned in RFC#596 Phase 3 (operator-config PR).
-          # NOTE: secret name MUST NOT start with `GITEA_` or `GITHUB_` —
-          # Gitea 1.22.6 reserves those prefixes for built-in env vars and
-          # rejects repo-secret PUT with HTTP 400 / "invalid secret name".
-          # Empirically reproduced 2026-05-19 against
-          # `/repos/molecule-ai/molecule-core/actions/secrets/GITEA_*`.
-          MOLECULE_PYPI_GITEA_PUBLISHER_USER: ${{ secrets.MOLECULE_PYPI_GITEA_PUBLISHER_USER }}
-          # MOLECULE_PYPI_GITEA_PUBLISHER_TOKEN: PAT for the publisher persona,
-          # `write:package` scope on molecule-ai org.
-          # Synced from Infisical /ci/gitea-pypi-publisher (RFC#596 Phase 3).
-          MOLECULE_PYPI_GITEA_PUBLISHER_TOKEN: ${{ secrets.MOLECULE_PYPI_GITEA_PUBLISHER_TOKEN }}
-        run: |
-          set -eu
-          if [ -z "${MOLECULE_PYPI_GITEA_PUBLISHER_TOKEN:-}" ] || [ -z "${MOLECULE_PYPI_GITEA_PUBLISHER_USER:-}" ]; then
-            echo "::error::MOLECULE_PYPI_GITEA_PUBLISHER_USER / MOLECULE_PYPI_GITEA_PUBLISHER_TOKEN secrets are not set."
-            echo "::error::Provision them via the RFC#596 Phase 3 operator-config sync script."
-            echo "::error::Gitea is the PRIMARY index per RFC#596 — publish job aborts here, NOT after PyPI."
-            exit 1
-          fi
-          python -m twine upload \
-            --verbose \
-            --repository-url "https://git.moleculesai.app/api/packages/molecule-ai/pypi/" \
-            --username "$MOLECULE_PYPI_GITEA_PUBLISHER_USER" \
-            --password "$MOLECULE_PYPI_GITEA_PUBLISHER_TOKEN" \
-            dist/*
-          echo "gitea_status=success" >> "$GITHUB_OUTPUT"
-          echo "gitea_url=https://git.moleculesai.app/api/packages/molecule-ai/pypi/simple/molecule-ai-workspace-runtime" >> "$GITHUB_OUTPUT"
-
-      - name: Publish to PyPI (FALLBACK, best-effort)
-        id: pypi_publish
-        # working-directory matches the preceding Build/Verify steps. Without
-        # this, twine runs from the default workspace checkout dir where
-        # `dist/` doesn't exist and fails with:
-        #   ERROR InvalidDistribution: Cannot find file (or expand pattern): 'dist/*'
-        # Caught on the first-ever successful dispatch of this workflow
-        # (run 5097, 2026-05-11 02:08Z) — every other step in the publish
-        # job already had this working-directory; Publish was missing it.
-        #
-        # RFC#596: this step is `continue-on-error: true` because PyPI is
-        # NO LONGER the primary index. PyPI 403/timeout/abuse-block does
-        # NOT block the publish — Gitea already has the wheel.
-        continue-on-error: true
-        working-directory: ${{ runner.temp }}/runtime-build
-        env:
-          # PYPI_TOKEN: repository secret scoped to molecule-ai-workspace-runtime.
-          # Set via: Settings → Actions → Variables and Secrets → New Secret.
-          # Format: pypi-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-          PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
-        run: |
-          if [ -z "$PYPI_TOKEN" ]; then
-            echo "::warning::PYPI_TOKEN secret is not set — skipping PyPI mirror publish (non-fatal per RFC#596)."
-            echo "pypi_status=skipped_no_token" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          if python -m twine upload \
-            --verbose \
-            --repository pypi \
-            --username __token__ \
-            --password "$PYPI_TOKEN" \
-            dist/*; then
-            echo "pypi_status=success" >> "$GITHUB_OUTPUT"
-          else
-            rc=$?
-            echo "::warning::PyPI mirror publish failed (exit $rc). Non-fatal per RFC#596 — Gitea has the wheel."
-            echo "pypi_status=failed_exit_$rc" >> "$GITHUB_OUTPUT"
-          fi
-          echo "pypi_url=https://pypi.org/project/molecule-ai-workspace-runtime/${{ steps.version.outputs.version }}/" >> "$GITHUB_OUTPUT"
-
-      - name: Publish job summary (Gitea + PyPI status)
-        if: always()
-        run: |
-          {
-            echo "## publish-runtime $(date -u +%FT%TZ)"
-            echo
-            echo "**Version:** \`${{ steps.version.outputs.version }}\`"
-            echo "**Wheel SHA256:** \`${{ steps.wheel_hash.outputs.wheel_sha256 }}\`"
-            echo
-            echo "### Indexes"
-            echo
-            echo "| Index   | Status                                          | URL |"
-            echo "|---------|-------------------------------------------------|-----|"
-            echo "| Gitea (PRIMARY) | ${{ steps.gitea_publish.outputs.gitea_status || 'failed' }} | ${{ steps.gitea_publish.outputs.gitea_url || '—' }} |"
-            echo "| PyPI (fallback) | ${{ steps.pypi_publish.outputs.pypi_status || 'failed' }}  | ${{ steps.pypi_publish.outputs.pypi_url || '—' }} |"
-            echo
-            echo "Per RFC#596: Gitea is the contract. PyPI is best-effort."
-          } >> "$GITHUB_STEP_SUMMARY"
-
-  cascade:
-    needs: publish
-    # Publish/release lane (internal#462) — downstream of the runtime
-    # publish ship job; keep it on the reserved lane too.
-    runs-on: publish
-    steps:
-      - name: Wait for PyPI to propagate the new version
-        env:
-          RUNTIME_VERSION: ${{ needs.publish.outputs.version }}
-          EXPECTED_SHA256: ${{ needs.publish.outputs.wheel_sha256 }}
-        run: |
-          set -eu
-          if [ -z "$EXPECTED_SHA256" ]; then
-            echo "::error::publish job did not expose wheel_sha256 — cannot verify wheel content. Refusing to fan out cascade."
-            exit 1
-          fi
-          # NOTE (RFC#596 follow-up): this propagation probe still resolves
-          # against PyPI's default index. After RFC#596 Phase 4 lands and
-          # consumers pull from Gitea first, this probe should be rewritten
-          # to verify the Gitea simple/ endpoint serves the new wheel
-          # (PyPI may be best-effort-failed and the cascade should still
-          # fan out, since templates will pull from Gitea). Tracked in #596.
-          python -m venv /tmp/propagation-probe
-          PROBE=/tmp/propagation-probe/bin
-          $PROBE/pip install --upgrade --quiet pip
-          for i in $(seq 1 30); do
-            if $PROBE/pip install \
-                  --quiet \
-                  --no-cache-dir \
-                  --force-reinstall \
-                  --no-deps \
-                  "molecule-ai-workspace-runtime==${RUNTIME_VERSION}" \
-                  >/dev/null 2>&1; then
-              INSTALLED=$($PROBE/pip show molecule-ai-workspace-runtime 2>/dev/null \
-                          | awk -F': ' '/^Version:/{print $2}')
-              if [ "$INSTALLED" = "$RUNTIME_VERSION" ]; then
-                echo "✓ PyPI resolved $RUNTIME_VERSION (install check)"
-                break
-              fi
-            fi
-            if [ $i -eq 30 ]; then
-              echo "::error::pip install --no-cache-dir molecule-ai-workspace-runtime==${RUNTIME_VERSION} never resolved within ~5 min."
-              echo "::error::Refusing to fan out cascade against a potentially stale PyPI index."
-              exit 1
-            fi
-            echo "  [$i/30] waiting for PyPI to propagate ${RUNTIME_VERSION}..."
-            sleep 4
-          done
-
-          # Stage (b): download wheel + SHA256 compare against what we built.
-          # Catches Fastly stale-content serving old bytes under a new version URL.
-          #
-          # Caught run 5196 (first-ever successful publish, 2026-05-11): the
-          # previous one-liner `HASH=$(pip download ... && sha256sum ...)`
-          # captured pip's stdout (`Collecting molecule-ai-workspace-runtime
-          # ==X.Y.Z`) into HASH, then the SHA comparison failed against the
-          # leaked `Collecting...` string. `2>/dev/null` silences stderr but
-          # NOT stdout; pip writes its progress to stdout by default.
-          # Fix: split into two steps, silence pip's stdout explicitly, capture
-          # only sha256sum's output into HASH.
-          python -m pip download \
-            --no-deps \
-            --no-cache-dir \
-            --dest /tmp/wheel-probe \
-            --quiet \
-            "molecule-ai-workspace-runtime==${RUNTIME_VERSION}" \
-            >/dev/null 2>&1
-          HASH=$(sha256sum /tmp/wheel-probe/*.whl | awk '{print $1}')
-          if [ "$HASH" != "$EXPECTED_SHA256" ]; then
-            echo "::error::PyPI propagated $RUNTIME_VERSION but wheel content SHA256 mismatch."
-            echo "::error::Expected: $EXPECTED_SHA256"
-            echo "::error::Got:      $HASH"
-            echo "::error::Fastly may be serving stale content. Refusing to fan out cascade."
-            exit 1
-          fi
-          echo "✓ PyPI CDN verified (SHA256 match)"
-
-      - name: Fan out via push to .runtime-version
-        env:
-          # Gitea PAT with write:repository scope on the 8 cascade-active
-          # template repos. Used for git push to each template repo's main
-          # branch, which trips their `on: push: branches: [main]` trigger
-          # on publish-image.yml.
-          DISPATCH_TOKEN: ${{ secrets.DISPATCH_TOKEN }}
-          RUNTIME_VERSION: ${{ needs.publish.outputs.version }}
-        run: |
-          set +e   # don't abort on a single repo failure — collect them all
-
-          if [ -z "$DISPATCH_TOKEN" ]; then
-            if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-              echo "::warning::DISPATCH_TOKEN secret not set — skipping cascade."
-              echo "::warning::set it at Settings → Actions → Variables and Secrets → New Secret."
-              exit 0
-            fi
-            echo "::error::DISPATCH_TOKEN secret missing — cascade cannot fan out."
-            echo "::error::PyPI was published, but the 8 template repos will NOT pick up the new version."
-            exit 1
-          fi
-          VERSION="$RUNTIME_VERSION"
-          if [ -z "$VERSION" ]; then
-            echo "::error::publish job did not expose a version output"
-            exit 1
-          fi
-
-          GITEA_URL="${GITEA_URL:-https://git.moleculesai.app}"
-          # Keep in lockstep with manifest.json workspace_templates (suffix-stripped).
-          # Guarded by scripts/check-cascade-list-vs-manifest.sh (cascade-list-drift-gate).
-          # 2026-05-19: pruned crewai/deepagents/gemini-cli — not in manifest.
-          TEMPLATES="claude-code hermes openclaw codex langgraph autogen"
-          FAILED=""
-          SKIPPED=""
-
-          git config --global user.name  "publish-runtime cascade"
-          git config --global user.email "publish-runtime@moleculesai.app"
-
-          WORKDIR="$(mktemp -d)"
-          for tpl in $TEMPLATES; do
-            REPO="molecule-ai/molecule-ai-workspace-template-$tpl"
-            CLONE="$WORKDIR/$tpl"
-
-            HTTP=$(curl -sS -o /dev/null -w "%{http_code}" \
-              -H "Authorization: token $DISPATCH_TOKEN" \
-              "$GITEA_URL/api/v1/repos/$REPO/contents/.github/workflows/publish-image.yml")
-            if [ "$HTTP" = "404" ]; then
-              echo "↷ $tpl has no publish-image.yml — soft-skip"
-              SKIPPED="$SKIPPED $tpl"
-              continue
-            fi
-
-            attempt=0
-            success=false
-            while [ $attempt -lt 3 ]; do
-              attempt=$((attempt + 1))
-              rm -rf "$CLONE"
-              if ! git clone --depth=1 \
-                  "https://x-access-token:${DISPATCH_TOKEN}@${GITEA_URL#https://}/$REPO.git" \
-                  "$CLONE" >/tmp/clone.log 2>&1; then
-                echo "::warning::clone $tpl attempt $attempt failed: $(tail -n3 /tmp/clone.log)"
-                sleep 2
-                continue
-              fi
-
-              cd "$CLONE"
-              echo "$VERSION" > .runtime-version
-
-              if git diff --quiet -- .runtime-version; then
-                echo "✓ $tpl already at $VERSION — no commit needed"
-                success=true
-                cd - >/dev/null
-                break
-              fi
-
-              git add .runtime-version
-              git commit -m "chore: pin runtime to $VERSION (publish-runtime cascade)" \
-                -m "Co-Authored-By: publish-runtime cascade <publish-runtime@moleculesai.app>" \
-                >/dev/null
-
-              if git push origin HEAD:main >/tmp/push.log 2>&1; then
-                echo "✓ $tpl pushed $VERSION on attempt $attempt"
-                success=true
-                cd - >/dev/null
-                break
-              fi
-
-              echo "::warning::push $tpl attempt $attempt failed, pull-rebasing"
-              git pull --rebase origin main >/tmp/rebase.log 2>&1 || true
-              cd - >/dev/null
-            done
-
-            if [ "$success" != "true" ]; then
-              FAILED="$FAILED $tpl"
-            fi
-          done
-          rm -rf "$WORKDIR"
-
-          if [ -n "$FAILED" ]; then
-            echo "::error::Cascade incomplete after 3 retries each. Failed:$FAILED"
-            exit 1
-          fi
-          if [ -n "$SKIPPED" ]; then
-            echo "Cascade complete: pinned $VERSION. Soft-skipped (no publish-image.yml):$SKIPPED"
-          else
-            echo "Cascade complete: $VERSION pinned across all manifest workspace_templates."
-          fi
@@ -25,8 +25,12 @@ name: publish-workspace-server-image
 #   staging-<sha>. Set repo variable or secret PROD_AUTO_DEPLOY_DISABLED=true
 #   to stop production rollout while keeping image publishing enabled.
 #
-# ECR target: 153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/*
+# Primary ECR target: 153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/*
+# Optional staging tenant mirror target:
+#   004947743811.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/platform-tenant
 # Required secrets: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AUTO_SYNC_TOKEN
+# Staging ECR grants the primary SSOT-managed publisher principal repository
+# policy access, so no persistent staging AWS access keys are required.
 #
 # mc#711: Docker daemon not accessible on ubuntu-latest runner (molecule-canonical-1
 # shows client-only in `docker info` — daemon not running). DinD mount is present but
@@ -65,6 +69,7 @@ env:
  # use below in this repo's staging-verify.yml.
  IMAGE_NAME: ${{ vars.ECR_REGISTRY || '153263036946.dkr.ecr.us-east-2.amazonaws.com' }}/molecule-ai/platform
  TENANT_IMAGE_NAME: ${{ vars.ECR_REGISTRY || '153263036946.dkr.ecr.us-east-2.amazonaws.com' }}/molecule-ai/platform-tenant
+  STAGING_TENANT_IMAGE_NAME: ${{ vars.STAGING_ECR_REGISTRY || '004947743811.dkr.ecr.us-east-2.amazonaws.com' }}/molecule-ai/platform-tenant

 jobs:
  build-and-push:
@@ -135,6 +140,18 @@ jobs:
        run: |
          echo "sha=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"

+      # Keep Buildx state inside the job temp dir. The publish runner's
+      # inherited DOCKER_CONFIG can point at a host-owned ECR config path
+      # (/home/hongming/.docker-ecr), which caused setup-buildx-action to
+      # fail before image build with EACCES creating buildx/certs.
+      - name: Prepare writable Docker config
+        run: |
+          set -euo pipefail
+          export DOCKER_CONFIG="$RUNNER_TEMP/docker-config"
+          mkdir -p "$DOCKER_CONFIG/buildx/certs"
+          echo "DOCKER_CONFIG=$DOCKER_CONFIG" >> "$GITHUB_ENV"
+          docker buildx version
+
      # Build + push platform image (inline ECR auth — mirrors the operator-host
      # approach; credentials come from GITHUB_SECRET_AWS_ACCESS_KEY_ID /
      # GITHUB_SECRET_AWS_SECRET_ACCESS_KEY in Gitea Actions).
@@ -170,9 +187,14 @@ jobs:
            --push .

      # Build + push tenant image (Go platform + Next.js canvas in one image).
+      # Push the same build to the staging account too so fresh staging/E2E
+      # tenants can pull without cross-account ECR reads. The staging ECR repo
+      # policy trusts the primary SSOT-managed publisher principal; do not add
+      # separate persistent staging AWS access keys here.
      - name: Build & push tenant image to ECR (staging-<sha> + staging-latest)
        env:
          TENANT_IMAGE_NAME: ${{ env.TENANT_IMAGE_NAME }}
+          STAGING_TENANT_IMAGE_NAME: ${{ env.STAGING_TENANT_IMAGE_NAME }}
          TAG_SHA: staging-${{ steps.tags.outputs.sha }}
          TAG_LATEST: staging-latest
          GIT_SHA: ${{ github.sha }}
@@ -183,8 +205,19 @@ jobs:
        run: |
          set -euo pipefail
          ECR_REGISTRY="${TENANT_IMAGE_NAME%%/*}"
+          STAGING_ECR_REGISTRY="${STAGING_TENANT_IMAGE_NAME%%/*}"
          aws ecr get-login-password --region us-east-2 | \
            docker login --username AWS --password-stdin "${ECR_REGISTRY}"
+          aws ecr get-login-password --region us-east-2 | \
+            docker login --username AWS --password-stdin "${STAGING_ECR_REGISTRY}"
+
+          build_tags=(
+            --tag "${TENANT_IMAGE_NAME}:${TAG_SHA}"
+            --tag "${TENANT_IMAGE_NAME}:${TAG_LATEST}"
+            --tag "${STAGING_TENANT_IMAGE_NAME}:${TAG_SHA}"
+            --tag "${STAGING_TENANT_IMAGE_NAME}:${TAG_LATEST}"
+          )
+
          docker buildx build \
            --file ./workspace-server/Dockerfile.tenant \
            --build-arg NEXT_PUBLIC_PLATFORM_URL= \
@@ -193,8 +226,7 @@ jobs:
            --label "org.opencontainers.image.revision=${GIT_SHA}" \
            --label "org.opencontainers.image.created=$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
            --label "molecule.workflow.run_id=${GITHUB_RUN_ID}" \
-            --tag "${TENANT_IMAGE_NAME}:${TAG_SHA}" \
-            --tag "${TENANT_IMAGE_NAME}:${TAG_LATEST}" \
+            "${build_tags[@]}" \
            --push .

  # bp-exempt: production deploy side-effect; merge is gated by CI / all-required and this job waits for push CI before acting.
@@ -1,101 +0,0 @@
-name: Runtime Pin Compatibility
-
-# Ported from .github/workflows/runtime-pin-compat.yml on 2026-05-11 per
-# RFC internal#219 §1 sweep.
-#
-# Differences from the GitHub version:
-#   - Dropped `merge_group:` (no Gitea merge queue) and
-#     `workflow_dispatch:` (no inputs, but the trigger itself is
-#     parser-rejected when inputs are absent in some Gitea 1.22.x
-#     builds; safest to drop entirely — manual runs go via cron-trigger
-#     bump or push-with-paths-filter).
-#   - on.paths references .gitea/workflows/runtime-pin-compat.yml (this
-#     file) instead of the .github/ one.
-#   - Workflow-level env.GITHUB_SERVER_URL set.
-#   - `continue-on-error: true` on the job (RFC §1 contract).
-#
-# CI gate that prevents the 5-hour staging outage from 2026-04-24 from
-# recurring (controlplane#253). The original failure mode:
-#   1. molecule-ai-workspace-runtime 0.1.13 declared `a2a-sdk<1.0` in its
-#      requires_dist metadata (incorrect — it actually imports
-#      a2a.server.routes which only exists in a2a-sdk 1.0+)
-#   2. `pip install molecule-ai-workspace-runtime` resolved cleanly
-#   3. `from molecule_runtime.main import main_sync` raised ImportError
-#   4. Every tenant workspace crashed; the canary tenant caught it but
-#      only after 5 hours of degraded staging
-#
-# This workflow installs the CURRENTLY PUBLISHED runtime from PyPI on
-# top of `workspace/requirements.txt` and smoke-imports. Catches:
-#   - Upstream PyPI yanks
-#   - Bad re-releases of molecule-ai-workspace-runtime
-#   - Already-shipped wheels that stop importing because a transitive
-#     dep moved underneath
-
-on:
-  push:
-    branches: [main, staging]
-    paths:
-      # Narrow filter: pypi-latest is sensitive only to changes that
-      # affect what we're INSTALLING (requirements.txt) or WHAT THE
-      # CHECK ITSELF DOES (this workflow file). Edits to workspace/
-      # source code don't change what's on PyPI right now, so they
-      # don't change this gate's verdict.
-      - 'workspace/requirements.txt'
-      - '.gitea/workflows/runtime-pin-compat.yml'
-  pull_request:
-    branches: [main, staging]
-    paths:
-      - 'workspace/requirements.txt'
-      - '.gitea/workflows/runtime-pin-compat.yml'
-  # Daily catch for upstream PyPI publishes that break the pin combo
-  # without any change in our repo (e.g. someone re-yanks an a2a-sdk
-  # release or molecule-ai-workspace-runtime publishes a bad bump).
-  schedule:
-    - cron: '0 13 * * *'  # 06:00 PT
-
-env:
-  GITHUB_SERVER_URL: https://git.moleculesai.app
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  pypi-latest-install:
-    name: PyPI-latest install + import smoke
-    runs-on: ubuntu-latest
-    # Phase 3 (RFC #219 §1): surface broken workflows without blocking
-    # the PR. Follow-up PR flips this off after surfaced defects are
-    # triaged.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
-    continue-on-error: true
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: '3.11'
-          cache: pip
-          cache-dependency-path: workspace/requirements.txt
-      - name: Install runtime + workspace requirements
-        # Install order is load-bearing: install the runtime FIRST so pip
-        # honors whatever a2a-sdk constraint the runtime metadata declares
-        # (this is the surface that broke in 2026-04-24 — runtime declared
-        # `a2a-sdk<1.0` but actually needed >=1.0). The follow-up install
-        # of workspace/requirements.txt then upgrades a2a-sdk to the
-        # constraint our runtime image actually pins. The import smoke
-        # below verifies the upgraded combination is consistent.
-        run: |
-          python -m venv /tmp/venv
-          /tmp/venv/bin/pip install --upgrade pip
-          /tmp/venv/bin/pip install molecule-ai-workspace-runtime
-          /tmp/venv/bin/pip install -r workspace/requirements.txt
-          /tmp/venv/bin/pip show molecule-ai-workspace-runtime a2a-sdk \
-            | grep -E '^(Name|Version):'
-      - name: Smoke import — fail if metadata declares deps that don't satisfy real imports
-        # WORKSPACE_ID is validated at import time by platform_auth.py — EC2
-        # user-data sets it from the cloud-init template; set a placeholder
-        # here so the import smoke doesn't trip on the env-var guard.
-        env:
-          WORKSPACE_ID: 00000000-0000-0000-0000-000000000001
-        run: |
-          /tmp/venv/bin/python -c "from molecule_runtime.main import main_sync; print('runtime imports OK')"
@@ -1,150 +0,0 @@
-name: Runtime PR-Built Compatibility
-
-# Ported from .github/workflows/runtime-prbuild-compat.yml on 2026-05-11
-# per RFC internal#219 §1 sweep.
-#
-# Differences from the GitHub version:
-#   - Dropped `merge_group:` (no Gitea merge queue) and `workflow_dispatch:`
-#     (Gitea 1.22.6 parser-rejects workflow_dispatch with inputs and is
-#     finicky without them).
-#   - `dorny/paths-filter@v4` replaced with inline `git diff` (per PR#372
-#     pattern for ci.yml port).
-#   - on.paths references .gitea/workflows/runtime-prbuild-compat.yml.
-#   - Workflow-level env.GITHUB_SERVER_URL set.
-#   - `continue-on-error: true` on every job (RFC §1 contract).
-#
-# Companion to `runtime-pin-compat.yml`. That workflow tests what's
-# CURRENTLY PUBLISHED on PyPI; this workflow tests what WOULD BE
-# PUBLISHED if THIS PR merges.
-#
-# Why two workflows: the chicken-and-egg #128 fix added a "PR-built
-# wheel" job to the original runtime-pin-compat.yml, but both jobs
-# shared a `paths:` filter that was the union of their needs
-# (`workspace/**`). That meant the PyPI-latest job ran on every doc
-# edit even though the upstream PyPI artifact can't change with our
-# workspace/ source. Splitting the two means each gets a narrow
-# `paths:` filter that matches the inputs it actually depends on.
-#
-# Catches the failure mode where a PR adds an import requiring a newer
-# SDK than `workspace/requirements.txt` pins:
-#   1. Pip resolves the existing PyPI wheel + the old SDK pin -> smoke
-#      passes (it imports the OLD main.py from the wheel, not the PR's
-#      new main.py).
-#   2. Merge -> publish-runtime.yml ships a wheel WITH the new import.
-#   3. Tenant images redeploy -> all crash on first boot with ImportError.
-
-on:
-  push:
-    branches: [main, staging]
-  pull_request:
-    branches: [main, staging]
-
-env:
-  GITHUB_SERVER_URL: https://git.moleculesai.app
-
-concurrency:
-  # event_name + sha keeps PR sync and the subsequent staging push on the
-  # same SHA from cancelling each other (per feedback_concurrency_group_per_sha).
-  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.head.sha || github.sha }}
-  cancel-in-progress: true
-
-jobs:
-  detect-changes:
-    runs-on: ubuntu-latest
-    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
-    continue-on-error: true
-    outputs:
-      wheel: ${{ steps.decide.outputs.wheel }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0
-      - id: decide
-        run: |
-          # Inline replacement for dorny/paths-filter — same pattern
-          # PR#372's ci.yml port used. Diffs against the PR base or the
-          # previous push SHA, then matches against the wheel-relevant
-          # path set.
-          #
-          # NOTE: Gitea Actions does not expose github.event.before as a
-          # shell environment variable. The ${{ github.event.before }} template
-          # expression works inside YAML run: blocks but is evaluated to an
-          # empty string for push events, making the ${VAR:-fallback} always
-          # use the fallback. Use GITHUB_EVENT_BEFORE instead — it IS set in
-          # the runner's shell environment for push events.
-          BASE=""
-          if [ "${{ github.event_name }}" = "pull_request" ]; then
-            BASE="${{ github.event.pull_request.base.sha }}"
-          elif [ -n "$GITHUB_EVENT_BEFORE" ]; then
-            BASE="$GITHUB_EVENT_BEFORE"
-          fi
-          if [ -z "$BASE" ] || echo "$BASE" | grep -qE '^0+$'; then
-            # New branch or no previous SHA: treat as wheel-relevant.
-            echo "wheel=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          if ! timeout 30 git cat-file -e "$BASE" 2>/dev/null; then
-            git fetch --depth=1 origin "$BASE" 2>/dev/null || true
-          fi
-          if ! timeout 30 git cat-file -e "$BASE" 2>/dev/null; then
-            echo "wheel=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          CHANGED=$(git diff --name-only "$BASE" HEAD)
-          if echo "$CHANGED" | grep -qE '^(workspace/|scripts/build_runtime_package\.py$|scripts/wheel_smoke\.py$|\.gitea/workflows/runtime-prbuild-compat\.yml$)'; then
-            echo "wheel=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "wheel=false" >> "$GITHUB_OUTPUT"
-          fi
-
-  # ONE job (no job-level `if:`) that always runs and reports under the
-  # required-check name `PR-built wheel + import smoke`. Real work is
-  # gated per-step on `needs.detect-changes.outputs.wheel`.
-  local-build-install:
-    needs: detect-changes
-    name: PR-built wheel + import smoke
-    runs-on: ubuntu-latest
-    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
-    continue-on-error: true
-    steps:
-      - name: No-op pass (paths filter excluded this commit)
-        if: needs.detect-changes.outputs.wheel != 'true'
-        run: |
-          echo "No workspace/ / scripts/{build_runtime_package,wheel_smoke}.py / workflow changes — wheel gate satisfied without rebuilding."
-          echo "::notice::PR-built wheel + import smoke no-op pass (paths filter excluded this commit)."
-      - if: needs.detect-changes.outputs.wheel == 'true'
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - if: needs.detect-changes.outputs.wheel == 'true'
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: '3.11'
-          cache: pip
-          cache-dependency-path: workspace/requirements.txt
-      - name: Install build tooling
-        if: needs.detect-changes.outputs.wheel == 'true'
-        run: pip install build
-      - name: Build wheel from PR source (mirrors publish-runtime.yml)
-        if: needs.detect-changes.outputs.wheel == 'true'
-        # Use a fixed test version so the wheel filename is predictable.
-        # Doesn't reach PyPI — this build is local-only for the smoke.
-        run: |
-          python scripts/build_runtime_package.py \
-            --version "0.0.0.dev0+pin-compat" \
-            --out /tmp/runtime-build
-          cd /tmp/runtime-build && python -m build
-      - name: Install built wheel + workspace requirements
-        if: needs.detect-changes.outputs.wheel == 'true'
-        run: |
-          python -m venv /tmp/venv-built
-          /tmp/venv-built/bin/pip install --upgrade pip
-          /tmp/venv-built/bin/pip install /tmp/runtime-build/dist/*.whl
-          /tmp/venv-built/bin/pip install -r workspace/requirements.txt
-          /tmp/venv-built/bin/pip show molecule-ai-workspace-runtime a2a-sdk \
-            | grep -E '^(Name|Version):'
-      - name: Smoke import the PR-built wheel
-        if: needs.detect-changes.outputs.wheel == 'true'
-        # Same script publish-runtime.yml runs against the to-be-PyPI wheel.
-        run: |
-          /tmp/venv-built/bin/python "$GITHUB_WORKSPACE/scripts/wheel_smoke.py"
@@ -81,6 +81,11 @@ jobs:
      # (dead in org secret store) to CP_STAGING_ADMIN_API_TOKEN per
      # internal#322 — see this PR for the cross-workflow sweep.
      MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      AWS_DEFAULT_REGION: us-east-2
+      E2E_AWS_LEAK_CHECK: required
+      E2E_AWS_TERMINATE_LEAKS: '1'
      # MiniMax is the smoke's PRIMARY LLM auth path post-2026-05-04.
      # Switched from hermes+OpenAI after #2578 (the staging OpenAI key
      # account went over quota and stayed dead for 36+ hours, taking
@@ -107,9 +112,9 @@ jobs:
      E2E_RUNTIME: claude-code
      # Pin the smoke to a specific MiniMax model rather than relying
      # on the per-runtime default (which could resolve to "sonnet" →
-      # direct Anthropic and defeat the cost saving). M2.7-highspeed
-      # is "Token Plan only" but cheap-per-token and fast.
-      E2E_MODEL_SLUG: MiniMax-M2.7-highspeed
+      # direct Anthropic and defeat the cost saving). MiniMax-M2 is the
+      # stable staging MiniMax path used by the full-SaaS smoke.
+      E2E_MODEL_SLUG: MiniMax-M2
      E2E_RUN_ID: "smoke-${{ github.run_id }}"
      # Debug-only: when an operator dispatches with keep_on_failure=true,
      # the smoke script's E2E_KEEP_ORG=1 path skips teardown so the
@@ -129,6 +134,12 @@ jobs:
            echo "::error::CP_STAGING_ADMIN_API_TOKEN not set"
            exit 2
          fi
+          for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do
+            if [ -z "${!var:-}" ]; then
+              echo "::error::$var not set — EC2 leak verification cannot run"
+              exit 2
+            fi
+          done

      - name: Verify LLM key present
        run: |
@@ -40,14 +40,12 @@ name: Sweep stale AWS Secrets Manager secrets
 # the mostly-orphan tunnels) refuses to nuke past the threshold.

 on:
-  # Disabled as an hourly schedule until the dedicated
-  # AWS_SECRETS_JANITOR_* key exists in the key-management SSOT and is
-  # mirrored into Gitea. Falling back to the molecule-cp app principal is
-  # intentionally not allowed: it lacks account-wide ListSecrets, and
-  # granting that to an application credential would weaken least privilege.
-  #
-  # Keep the manual trigger so operators can validate the workflow immediately
-  # after provisioning the janitor key, then restore the hourly :30 schedule.
+  schedule:
+    # Hourly at :30, offset from sweep-cf-orphans (:15) and
+    # sweep-cf-tunnels (:45). This janitor is intentionally schedule-only
+    # for deletes; manual dispatch is forced to dry-run below because Gitea
+    # 1.22.6 rejects workflow_dispatch.inputs.
+    - cron: '30 * * * *'
  workflow_dispatch:
 # Don't let two sweeps race the same AWS account.
 concurrency:
@@ -64,22 +62,24 @@ jobs:
  sweep:
    name: Sweep AWS Secrets Manager
    runs-on: ubuntu-latest
-    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
-    continue-on-error: true
+    # This is a cost/leak janitor. A scheduled failure must be red so
+    # operators know tenant bootstrap secrets may be leaking.
    # 30 min cap, mirroring the other janitors. AWS DeleteSecret is
    # fast (~0.3s/call) so even a 100+ backlog drains in seconds
    # under the 8-way xargs parallelism, but the cap is set generously
    # to leave headroom for any actual API hang.
    timeout-minutes: 30
    env:
-      AWS_REGION: ${{ secrets.AWS_REGION || 'us-east-1' }}
+      # Keep this literal. Gitea/act_runner 1.22.6 can mis-render
+      # secret-backed expressions with `||`, which produced an invalid
+      # Secrets Manager endpoint in the scheduled janitor.
+      AWS_REGION: us-east-2
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_SECRETS_JANITOR_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRETS_JANITOR_SECRET_ACCESS_KEY }}
      CP_ADMIN_API_TOKEN: ${{ secrets.CP_ADMIN_API_TOKEN }}
      CP_STAGING_ADMIN_API_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
-      MAX_DELETE_PCT: ${{ github.event.inputs.max_delete_pct || '50' }}
-      GRACE_HOURS: ${{ github.event.inputs.grace_hours || '24' }}
+      MAX_DELETE_PCT: 50
+      GRACE_HOURS: 24

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -114,17 +114,25 @@ jobs:

      - name: Run sweep
        if: steps.verify.outputs.skip != 'true'
-        # Schedule-vs-dispatch dry-run asymmetry mirrors sweep-cf-tunnels:
-        #   - Scheduled: input empty → "false" → --execute (the whole
-        #     point of an hourly janitor).
-        #   - Manual workflow_dispatch: input default true → dry-run;
-        #     operator must flip it to actually delete.
+        # Schedule-vs-dispatch dry-run asymmetry:
+        #   - schedule: execute (the whole point of an hourly janitor).
+        #   - workflow_dispatch: dry-run. Gitea 1.22.6 rejects
+        #     workflow_dispatch.inputs, so there is no safe manual
+        #     "flip it to execute" toggle in this workflow.
+        # The script's MAX_DELETE_PCT gate (default 50%) remains the
+        # second line of defense regardless of trigger.
        run: |
          set -euo pipefail
-          if [ "${{ github.event.inputs.dry_run || 'false' }}" = "true" ]; then
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
            echo "Running in dry-run mode — no deletions"
            bash scripts/ops/sweep-aws-secrets.sh
          else
            echo "Running with --execute — will delete identified orphans"
            bash scripts/ops/sweep-aws-secrets.sh --execute
          fi
+
+      - name: Notify on sweep failure
+        if: failure()
+        run: |
+          echo "::error::sweep-aws-secrets FAILED — AWS tenant bootstrap secrets may be leaking. Check missing Gitea secrets, staging/prod CP admin tokens, AWS janitor IAM permissions, or the script safety gate."
+          exit 1
@@ -58,14 +58,20 @@ jobs:
          python-version: '3.11'
      - name: Install .gitea script test dependencies
        run: python -m pip install --quiet 'pytest==9.0.2' 'PyYAML==6.0.2'
-      - name: Run scripts/ unittests (build_runtime_package, ...)
-        # Top-level scripts/ tests live alongside their target file
-        # (e.g. scripts/test_build_runtime_package.py exercises
-        # scripts/build_runtime_package.py). discover from scripts/
-        # picks up only top-level test_*.py because scripts/ops/ has
-        # no __init__.py — that's intentional, so we run two passes.
+      - name: Run scripts/ unittests, if any
+        # Top-level scripts/ tests live alongside their target file. The
+        # runtime packaging tests moved to molecule-ai-workspace-runtime, so
+        # this pass may legitimately find no tests.
        working-directory: scripts
-        run: python -m unittest discover -t . -p 'test_*.py' -v
+        run: |
+          set +e
+          python -m unittest discover -t . -p 'test_*.py' -v
+          rc=$?
+          if [ "$rc" -eq 5 ]; then
+            echo "No top-level scripts/ unittest files found; skipping."
+            exit 0
+          fi
+          exit "$rc"
      - name: Run scripts/ops/ unittests (sweep_cf_decide, ...)
        working-directory: scripts/ops
        run: python -m unittest discover -p 'test_*.py' -v
@@ -127,7 +127,11 @@ cd workspace-server && go test -race ./...
 cd canvas && npm test

 # Workspace runtime (Python)
-cd workspace && python -m pytest -v
+# Runtime code is SSOT in molecule-ai-workspace-runtime, not molecule-core/workspace.
+cd ../molecule-ai-workspace-runtime
+python -m venv .venv && source .venv/bin/activate
+pip install --index-url https://git.moleculesai.app/api/packages/molecule-ai/pypi/simple/ -e . pytest pytest-asyncio
+pytest -q

 # E2E API tests (requires running platform)
 bash tests/e2e/test_api.sh
@@ -159,6 +163,19 @@ and run CI manually.
 | review-check-tests | `review-check.sh` evaluator regression suite (13 scenarios) |
 | ops-scripts | Python unittest suite for `scripts/*.py` |

+### Workspace runtime SSOT
+
+Runtime code lives in
+[`molecule-ai-workspace-runtime`](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-runtime).
+Do not reintroduce `molecule-core/workspace/` or vendored `molecule_runtime/`
+copies in consumers. Core and templates consume the published runtime package
+from the Gitea package registry.
+
+For local external MCP agents, multi-workspace config is
+`MOLECULE_WORKSPACES=[{"id":"...","token":"...","platform_url":"..."}]`.
+`platform_url` selects the tenant; `org_id` is not part of this config.
+Workspace IDs can differ across orgs.
+
 ## Local Testing

 ### review-check.sh
@@ -163,11 +163,11 @@ Most agent systems stop at "a smart runtime." Molecule AI pushes further: it giv

 | Core mechanism | Molecule AI module(s) | Why it matters |
 |---|---|---|
-| **Durable memory that survives sessions** | `workspace/builtin_tools/memory.py`, `workspace/builtin_tools/awareness_client.py`, `workspace-server/internal/handlers/memories.go` | Memory is not just durable, it is **workspace-scoped** and can route into awareness namespaces tied to the org structure |
+| **Durable memory that survives sessions** | `molecule-ai-workspace-runtime/molecule_runtime/builtin_tools/`, `workspace-server/internal/handlers/memories.go` | Memory is not just durable, it is **workspace-scoped** and can route into awareness namespaces tied to the org structure |
 | **Cross-session recall** | `workspace-server/internal/handlers/activity.go` (`/workspaces/:id/session-search`) | Recall spans both activity history and memory rows, so the system can search what happened and what was learned without inventing a separate hidden store |
-| **Skills built from experience** | `workspace/builtin_tools/memory.py` (`_maybe_log_skill_promotion`) | Promotion from memory into a skill candidate is surfaced as an explicit platform activity, not a silent internal side effect |
-| **Skill improvement during use** | `workspace/skill_loader/watcher.py`, `workspace/skill_loader/loader.py`, `workspace/main.py` | Skills hot-reload into the live runtime, so improvements become available on the next A2A task without restarting the workspace |
-| **Persistent skill lifecycle** | `workspace-server/cmd/cli/cmd_agent_skill.go`, `workspace/plugins.py` | Skills are not just generated once; they can be audited, installed, published, shared, mounted by plugins, and governed as reusable operational assets |
+| **Skills built from experience** | `molecule-ai-workspace-runtime/molecule_runtime/builtin_tools/memory.py` (`_maybe_log_skill_promotion`) | Promotion from memory into a skill candidate is surfaced as an explicit platform activity, not a silent internal side effect |
+| **Skill improvement during use** | `molecule-ai-workspace-runtime/molecule_runtime/skill_loader/`, `molecule-ai-workspace-runtime/molecule_runtime/main.py` | Skills hot-reload into the live runtime, so improvements become available on the next A2A task without restarting the workspace |
+| **Persistent skill lifecycle** | `workspace-server/cmd/cli/cmd_agent_skill.go`, `molecule-ai-workspace-runtime/molecule_runtime/plugins.py` | Skills are not just generated once; they can be audited, installed, published, shared, mounted by plugins, and governed as reusable operational assets |

 ### Why this matters in Molecule AI

@@ -208,7 +208,7 @@ The result is not just “an agent that learns.” It is **an organization that

 ### Runtime

- unified `workspace/` image; thin AMI in production (us-east-2)
+- standalone workspace-template images that install `molecule-ai-workspace-runtime` from the Gitea package registry; thin AMI in production (us-east-2)
 - adapter-driven execution across **8 runtimes** (Claude Code, Hermes, Gemini CLI, LangGraph, DeepAgents, CrewAI, AutoGen, OpenClaw)
 - Agent Card registration
 - awareness-backed memory integration; **Memory v2 backed by pgvector** for semantic recall
@@ -55,7 +55,7 @@ test.describe("Desktop ChatTab", () => {
    await textarea.fill("What is the weather?");
    await page.getByRole("button", { name: /Send/ }).first().click();

-    await expect(page.getByText("What is the weather?")).toBeVisible({ timeout: 5_000 });
+    await expect(page.getByText("What is the weather?", { exact: true })).toBeVisible({ timeout: 5_000 });
    await expect(page.getByText("Echo: What is the weather?")).toBeVisible({ timeout: 15_000 });
  });

@@ -49,7 +49,7 @@ test.describe("MobileChat", () => {
    await textarea.fill("Mobile test message");
    await page.getByRole("button", { name: /Send/ }).first().click();

-    await expect(page.getByText("Mobile test message")).toBeVisible({ timeout: 5_000 });
+    await expect(page.getByText("Mobile test message", { exact: true })).toBeVisible({ timeout: 5_000 });
    await expect(page.getByText("Echo: Mobile test message")).toBeVisible({ timeout: 15_000 });
  });

@@ -9,6 +9,7 @@
 */

 import { randomUUID } from "node:crypto";
+import { execFileSync, execSync } from "node:child_process";

 const PLATFORM_URL = process.env.E2E_PLATFORM_URL ?? "http://localhost:8080";

@@ -23,13 +24,19 @@ export interface SeededWorkspace {
 * Create an external workspace and wire it to the echo runtime.
 */
 export async function seedWorkspace(echoURL: string): Promise<SeededWorkspace> {
-  // 1. Create external workspace (no URL — platform will mint an auth token).
+  // 1. Create external workspace pointing at the in-process echo runtime.
  const runId = Math.random().toString(36).slice(2, 8);
  const wsName = `Chat E2E Agent ${runId}`;
  const createRes = await fetch(`${PLATFORM_URL}/workspaces`, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({ name: wsName, tier: 1, external: true, runtime: "external" }),
+    body: JSON.stringify({
+      name: wsName,
+      tier: 1,
+      external: true,
+      runtime: "external",
+      url: echoURL,
+    }),
  });
  if (!createRes.ok) {
    const text = await createRes.text();
@@ -40,7 +47,10 @@ export async function seedWorkspace(echoURL: string): Promise<SeededWorkspace> {
    name: string;
    connection?: { auth_token?: string };
  };
-  const authToken = ws.connection?.auth_token;
+  let authToken = ws.connection?.auth_token;
+  if (!authToken) {
+    authToken = await mintTestToken(ws.id);
+  }
  if (!authToken) {
    throw new Error("Workspace created but no auth_token returned");
  }
@@ -73,16 +83,35 @@ export async function seedWorkspace(echoURL: string): Promise<SeededWorkspace> {
    `-c "UPDATE workspaces SET status = 'online', url = '${echoURL}', platform_inbound_secret = '${inboundSecret}' WHERE id = '${ws.id}'"`,
  ].join(" ");

-  const { execSync } = await import("node:child_process");
  try {
    execSync(psql, { stdio: "pipe", timeout: 30_000 });
  } catch (err) {
    throw new Error(`DB update failed: ${err}`);
  }

+  cacheWorkspaceURL(ws.id, echoURL);
+
  return { id: ws.id, name: wsName, agentURL: echoURL, authToken };
 }

+function cacheWorkspaceURL(workspaceId: string, agentURL: string): void {
+  const redisContainer = process.env.REDIS_CONTAINER;
+  if (!redisContainer) return;
+
+  const keys = [`ws:${workspaceId}:url`, `ws:${workspaceId}:internal_url`];
+  for (const key of keys) {
+    try {
+      execFileSync(
+        "docker",
+        ["exec", redisContainer, "redis-cli", "SET", key, agentURL],
+        { stdio: "pipe", timeout: 10_000 },
+      );
+    } catch (err) {
+      throw new Error(`Redis URL cache update failed for ${key}: ${err}`);
+    }
+  }
+}
+
 /**
 * Start a heartbeat interval that keeps an external workspace alive.
 * Returns a stop function.
@@ -141,7 +170,6 @@ export async function seedChatHistory(

  const sql = `INSERT INTO chat_messages (id, workspace_id, role, content, created_at) VALUES ${values};`;

-  const { execSync } = await import("node:child_process");
  const psql = `PGPASSWORD=${pass} psql -h ${host} -p ${port} -U ${user} -d ${db} -c "${sql}"`;
  execSync(psql, { stdio: "pipe", timeout: 10_000 });
 }
@@ -163,7 +191,6 @@ export async function cleanupWorkspace(workspaceId: string): Promise<void> {

  const psql = `PGPASSWORD=${pass} psql -h ${host} -p ${port} -U ${user} -d ${db} -c "DELETE FROM workspaces WHERE id = '${workspaceId}'"`;

-  const { execSync } = await import("node:child_process");
  try {
    execSync(psql, { stdio: "pipe", timeout: 30_000 });
  } catch {
@@ -162,10 +162,10 @@ export async function startEchoRuntime(): Promise<EchoRuntime> {
    });
  });

-  await new Promise<void>((resolve) => server.listen(0, "127.0.0.1", resolve));
+  await new Promise<void>((resolve) => server.listen(0, resolve));
  const address = server.address();
  const port = typeof address === "object" && address ? address.port : 0;
-  const baseURL = `http://127.0.0.1:${port}`;
+  const baseURL = `http://localhost:${port}`;

  return {
    baseURL,
@@ -17,7 +17,7 @@ Canvas (Next.js :3000) ←WebSocket→ Platform (Go :8080) ←HTTP→ Postgres +

 - **Workspace Server** (`workspace-server/`): Go/Gin control plane — workspace CRUD, registry, discovery, WebSocket hub, liveness monitoring.
 - **Canvas** (`canvas/`): Next.js 15 + React Flow (@xyflow/react v12) + Zustand + Tailwind — visual workspace graph.
- **Workspace Runtime** (`workspace/`): Shared runtime published as [`molecule-ai-workspace-runtime`](https://pypi.org/project/molecule-ai-workspace-runtime/) on PyPI. Supports LangGraph, Claude Code, OpenClaw, DeepAgents, CrewAI, AutoGen. Each adapter lives in its own standalone template repo (e.g. `molecule-ai-workspace-template-claude-code`). See `docs/workspace-runtime-package.md` for the full picture.
+- **Workspace Runtime**: Shared runtime published from [`molecule-ai-workspace-runtime`](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-runtime) to the Molecule AI Gitea package registry. Supports LangGraph, Claude Code, OpenClaw, Hermes, Codex, and AutoGen. Each adapter lives in its own standalone template repo (e.g. `molecule-ai-workspace-template-claude-code`). See `docs/workspace-runtime-package.md` for the full picture.
 - **molecli** (`workspace-server/cmd/cli/`): Go TUI dashboard (Bubbletea + Lipgloss) — real-time workspace monitoring, event log, health overview, delete/filter operations.

 ## Key Architectural Patterns
@@ -285,6 +285,39 @@ Canvas requests (no `X-Workspace-ID` header) and system callers

 ---

+## Multiple Workspaces From One Local MCP Bridge
+
+The standalone runtime package includes `molecule-mcp`, a local MCP bridge for
+external agents such as Claude Code, Codex, Hermes, and other tools that run
+outside the platform container fleet. One local bridge can serve multiple
+external workspaces by setting `MOLECULE_WORKSPACES`:
+
+```json
+[
+  {
+    "id": "workspace-id-local-to-hongming-org",
+    "token": "...",
+    "platform_url": "https://hongming.moleculesai.app"
+  },
+  {
+    "id": "different-workspace-id-local-to-agents-team-org",
+    "token": "...",
+    "platform_url": "https://agents-team.moleculesai.app"
+  }
+]
+```
+
+`platform_url` is the tenant routing key. The bridge registers, heartbeats,
+polls inboxes, and sends outbound A2A calls against the URL attached to the
+workspace that is doing the work.
+
+Do not add `org_id` to this config. The tenant already comes from
+`platform_url`, and the bearer token is issued by that tenant. Workspace IDs
+also do not need to be shared across orgs; each tenant can return its own
+workspace ID and token for the same local agent process.
+
+---
+
 ## Canvas Appearance

 External workspaces appear on the canvas with a purple **REMOTE** badge
@@ -135,6 +135,33 @@ The `id` field is your workspace ID — remember it.

 ---

+## Optional — one local MCP bridge, multiple tenants
+
+If your local agent runtime uses `molecule-mcp`, one process can serve more
+than one external workspace:
+
+```bash
+export MOLECULE_WORKSPACES='[
+  {
+    "id": "workspace-id-local-to-you-org",
+    "token": "...",
+    "platform_url": "https://you.moleculesai.app"
+  },
+  {
+    "id": "different-workspace-id-local-to-team-org",
+    "token": "...",
+    "platform_url": "https://team.moleculesai.app"
+  }
+]'
+molecule-mcp
+```
+
+Use the workspace ID and token returned by each tenant. The IDs may differ
+across orgs. `org_id` is not required here because `platform_url` selects the
+tenant and the token is tenant-scoped.
+
+---
+
 ## Step 4 — Chat with it

 1. Open your Molecule canvas at `https://<TENANT>`
@@ -125,6 +125,33 @@ The agent appears on the canvas with a **purple REMOTE badge** within seconds. F

 ---

+## Multi-Tenant Local MCP Bridge
+
+For local MCP-driven agents, use the standalone runtime's `molecule-mcp`
+entrypoint. A single local bridge can serve multiple external workspaces by
+setting `MOLECULE_WORKSPACES`:
+
+```json
+[
+  {
+    "id": "workspace-id-local-to-acme",
+    "token": "...",
+    "platform_url": "https://acme.moleculesai.app"
+  },
+  {
+    "id": "different-workspace-id-local-to-ops",
+    "token": "...",
+    "platform_url": "https://ops.moleculesai.app"
+  }
+]
+```
+
+`platform_url` selects the tenant for registration, heartbeat, inbox polling,
+and outbound A2A routing. `org_id` is not required in this config, and the
+workspace IDs do not need to match across tenants.
+
+---
+
 ## What Phase 30 Covers

 | Phase | What shipped | Endpoint |
@@ -1,304 +1,44 @@
-# Workspace Runtime PyPI Package
+# Workspace Runtime Package

-## Requires Python >= 3.11
+`molecule-ai-workspace-runtime` is the shared Python runtime consumed by
+workspace template images and by external MCP integrations.

-The wheel pins `requires_python>=3.11`. On Python 3.10 or older, `pip install
-molecule-ai-workspace-runtime` fails with `Could not find a version that
-satisfies the requirement (from versions: none)` — the pin filters the only
-available artifact before pip even attempts install. Upgrade the interpreter
-(`brew install python@3.12` / `apt install python3.12` / etc.) or use a
-3.11+ venv.
+## Source Of Truth

-## Overview
+The source of truth is the standalone Gitea repo:

-The shared workspace runtime infrastructure has **one editable source** and
-**one published artifact**:
-
-1. **Source of truth (monorepo, editable):** `workspace/` — every runtime
-   change lands here. Edit it like any other monorepo code.
-2. **Published artifact (PyPI, generated):** [`molecule-ai-workspace-runtime`](https://pypi.org/project/molecule-ai-workspace-runtime/)
-   — produced by `.github/workflows/publish-runtime.yml` on every
-   `runtime-vX.Y.Z` tag push. Do NOT edit this independently — it gets
-   overwritten on every publish.
-
-The legacy sibling repo `molecule-ai-workspace-runtime` (the GitHub repo, as
-distinct from the PyPI package) is no longer the source-of-truth and should
-be treated as a publish artifact only. It can be archived or used as a
-read-only mirror.
-
-## Where to make changes
-
-**All runtime edits land in `molecule-monorepo/workspace/`. Period.**
-
-The GitHub repo `Molecule-AI/molecule-ai-workspace-runtime` is **mirror-only**.
-It exists so external consumers (template repos, downstream operators) have a
-git-cloneable artifact that mirrors the PyPI wheel — nothing more.
-
- **Direct PRs against `molecule-ai-workspace-runtime` are auto-rejected by
-  the `mirror-guard` CI check.** The check fails any push that did not come
-  from the publish pipeline. There is no opt-out — file the change against
-  `molecule-monorepo/workspace/` instead.
- **The mirror + the PyPI wheel both auto-regenerate on every push to
-  `staging`** via `.github/workflows/publish-runtime.yml` (which calls
-  `scripts/build_runtime_package.py`, builds wheel + sdist, smoke-imports,
-  uploads to PyPI via Trusted Publisher, and force-pushes the rewritten tree
-  to the mirror repo). You never touch the mirror by hand.
-
-If you have an old local clone of the mirror and try to push a fix to it
-directly, expect a CI failure with a message pointing you here. Re-open the
-change against `molecule-monorepo/workspace/` and let the publish workflow
-do the rest.
-
-## Why this shape
-
-The 8 workspace template repos (claude-code, langgraph, hermes, etc.) each
-build their own Docker image and `pip install molecule-ai-workspace-runtime`
-from PyPI. PyPI is the right distribution channel — semver, reproducible
-builds, no submodule dance per-repo. But the runtime ALSO needs to evolve
-in lock-step with the platform's wire protocol (queue shape, A2A metadata,
-event payloads). Shipping cross-cutting protocol changes as separate
-runtime + platform PRs in two repos creates ordering pain and broken
-intermediate states.
-
-The monorepo + auto-publish split gives both: edit cross-cutting changes
-in one PR, publish the runtime artifact via a tag.
-
-## What's in the package
-
-Everything in `workspace/*.py` plus the `adapters/`, `builtin_tools/`,
-`plugins_registry/`, `policies/`, `skill_loader/` subpackages. Build
-artifacts (`Dockerfile`, `*.sh`, `pytest.ini`, `requirements.txt`) are
-excluded.
-
-The build script rewrites bare imports so the published package is a
-proper Python namespace:
-
-```
-# In monorepo workspace/:
-from a2a_client import discover_peer
-from builtin_tools.memory import store
-
-# In published molecule_runtime/ (auto-rewritten at publish time):
-from molecule_runtime.a2a_client import discover_peer
-from molecule_runtime.builtin_tools.memory import store
+```text
+https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-runtime
 ```

-The closed allowlist of rewritten module names lives in
-`scripts/build_runtime_package.py` (`TOP_LEVEL_MODULES` + `SUBPACKAGES`).
-Add a new top-level module to workspace/? Add it to the allowlist in the
-same PR.
+Do not add runtime source back under `molecule-core/workspace/`. The core repo
+owns the platform server, canvas, provisioning, and tests around the installed
+runtime package.

-## Adapter repos
+## Package Registry

-Each of the 8 adapter template repos contains:
- `adapter.py` — runtime-specific `Adapter` class
- `requirements.txt` — `molecule-ai-workspace-runtime>=0.1.X` + adapter deps
- `Dockerfile` — standalone image with `ENV ADAPTER_MODULE=adapter` and
-  `ENTRYPOINT ["molecule-runtime"]`
+The runtime package is published to the Molecule AI Gitea package registry:

-| Adapter | Repo |
-|---------|------|
-| claude-code | https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-claude-code |
-| langgraph | https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-langgraph |
-| crewai | https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-crewai |
-| autogen | https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-autogen |
-| deepagents | https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-deepagents |
-| hermes | https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-hermes |
-| gemini-cli | https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-gemini-cli |
-| openclaw | https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-openclaw |
-
-## Adapter discovery (ADAPTER_MODULE)
-
-Standalone adapter repos set `ENV ADAPTER_MODULE=adapter` in their
-Dockerfile. The runtime's `get_adapter()` checks this env var first:
-
-```python
-# In molecule_runtime/adapters/__init__.py
-def get_adapter(runtime: str) -> type[BaseAdapter]:
-    adapter_module = os.environ.get("ADAPTER_MODULE")
-    if adapter_module:
-        mod = importlib.import_module(adapter_module)
-        return getattr(mod, "Adapter")
-    raise KeyError(...)
+```text
+https://git.moleculesai.app/api/packages/molecule-ai/pypi/simple/
 ```

-## Publishing a new version
+PyPI is intentionally not part of the critical path. Template Dockerfiles,
+external-runtime snippets, and CI install checks should use the Gitea registry.

-```bash
-# From any local checkout of monorepo, after merging your runtime change:
-git tag runtime-v0.1.6
-git push origin runtime-v0.1.6
-```
+## Release Flow

-The `publish-runtime` workflow takes over — checks out the tag, runs
-`scripts/build_runtime_package.py --version 0.1.6`, builds wheel + sdist,
-runs a smoke import to catch broken rewrites, and uploads to PyPI via
-the PyPA Trusted Publisher action (OIDC). No static API token is stored
-in this repo — PyPI verifies the workflow's OIDC claim against the
-trusted-publisher config registered for `molecule-ai-workspace-runtime`.
+1. Land a reviewed PR in `molecule-ai-workspace-runtime`.
+2. Bump `version =` in that repo's `pyproject.toml`.
+3. Tag `runtime-vX.Y.Z` on the runtime repo.
+4. The runtime repo's `publish-runtime` workflow builds the wheel and sdist,
+   publishes to the Gitea registry, verifies install from that registry, then
+   cascades `.runtime-version` pins to workspace template repos.

-For dev/test releases without tagging, dispatch the workflow manually
-with an explicit version (e.g. `0.1.6.dev1` — PEP 440 dev/rc/post forms
-are accepted).
+## Core Repo Contract

-After publish, the 8 template repos pick up the new version on their
-next `:latest` rebuild. To force-pull immediately, bump the pin in each
-template's `requirements.txt`.
+`molecule-core` must not ship editable runtime code. Its responsibilities are:

-## End-to-end CD chain
-
-The full chain from monorepo merge → workspace containers running new code:
-
-```
-1. Merge PR with workspace/ changes to main
-   ↓
-2. .github/workflows/auto-tag-runtime.yml fires
-   ↓ reads PR labels (release:major/minor) or defaults to patch
-   ↓ pushes runtime-vX.Y.Z tag
-   ↓
-3. .github/workflows/publish-runtime.yml fires (on the tag)
-   ↓ builds wheel via scripts/build_runtime_package.py
-   ↓ smoke-imports the wheel
-   ↓ uploads to PyPI
-   ↓ cascade job fires repository_dispatch (event-type: runtime-published)
-   ↓ to all 8 workspace-template-* repos
-   ↓
-4. Each template's publish-image.yml fires (on repository_dispatch)
-   ↓ rebuilds Dockerfile (which pip-installs the new PyPI version)
-   ↓ pushes ghcr.io/molecule-ai/workspace-template-<runtime>:latest
-   ↓
-5. Production hosts run scripts/refresh-workspace-images.sh
-   OR an operator hits POST /admin/workspace-images/refresh on the platform
-   ↓ docker pull all 8 :latest tags
-   ↓ remove + force-recreate any running ws-* containers using a refreshed image
-   ↓ canvas re-provisions the workspaces on next interaction
-```
-
-Steps 1-4 are fully automated. Step 5 is one-click: a single curl or shell
-command. SaaS deployments typically wire step 5 into their normal deploy
-pipeline (every release pulls fresh images on every host); local dev fires
-it manually after a runtime release lands.
-
-### Auth
-
-PyPI publishing uses **Trusted Publisher (OIDC)** — no static token in the
-monorepo. The trusted-publisher config on PyPI binds the
-`molecule-ai-workspace-runtime` project to this repo's
-`publish-runtime.yml` workflow + `pypi-publish` environment. Rotation is
-moot: there is no shared secret to rotate.
-
-### Required secrets
-
-| Secret | Where | Why |
-|---|---|---|
-| `TEMPLATE_DISPATCH_TOKEN` | molecule-core repo | Fine-grained PAT with `actions:write` on the 8 template repos. Without it the `cascade` job warns and exits clean — PyPI still publishes; templates just don't auto-rebuild. |
-
-### Step 5 specifics
-
-**Local dev (compose stack):**
-```bash
-bash scripts/refresh-workspace-images.sh                  # all runtimes
-bash scripts/refresh-workspace-images.sh --runtime claude-code
-bash scripts/refresh-workspace-images.sh --no-recreate    # pull only, leave containers
-```
-
-**Via platform admin endpoint (any deploy):**
-```bash
-curl -X POST "$PLATFORM/admin/workspace-images/refresh"
-curl -X POST "$PLATFORM/admin/workspace-images/refresh?runtime=claude-code"
-curl -X POST "$PLATFORM/admin/workspace-images/refresh?recreate=false"
-```
-
-The endpoint pulls + recreates from inside the platform container, so it
-needs Docker socket access (the compose stack mounts
-`/var/run/docker.sock` already) AND GHCR auth on the host's docker config
-(`docker login ghcr.io` once per host). On a fresh host without GHCR auth,
-the pull step warns per runtime and the response surfaces the failures.
-
-**Fully hands-off (opt-in image auto-refresh):**
-
-Set `IMAGE_AUTO_REFRESH=true` on the platform process. A watcher polls
-GHCR every 5 minutes for digest changes on each `workspace-template-*:latest`
-tag and invokes the same refresh logic the admin endpoint exposes —
-no operator action required between "runtime PR merged" and
-"containers running new code". Disabled by default because SaaS deploy
-pipelines that already pull on every release would do redundant work.
-
-Optional companion env (same as the admin endpoint):
-
- `GHCR_USER` + `GHCR_TOKEN` — required for private template images;
-  unused for the current public set, but harmless if set.
-
-## Local dev (build the package without publishing)
-
-```bash
-python3 scripts/build_runtime_package.py --version 0.1.0-local --out /tmp/runtime-build
-cd /tmp/runtime-build
-python -m build              # produces dist/*.whl + dist/*.tar.gz
-pip install dist/*.whl       # install into a venv to test locally
-```
-
-This is the same pipeline CI runs. Use it to validate import-rewrite
-correctness before pushing a `runtime-v*` tag.
-
-## Writing a new adapter
-
-Use the GitHub template repo
-[`molecule-ai/molecule-ai-workspace-template-starter`](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-starter) (note: the starter repo did not survive the 2026-05-06 GitHub-org-suspension migration; recreation tracked at internal#41)
-— it ships with the canonical Dockerfile + adapter.py skeleton + config.yaml
-schema + the `repository_dispatch: [runtime-published]` cascade receiver
-already wired up. No follow-up setup PR required.
-
-```bash
-# Replace <runtime> with your runtime slug (lowercase, hyphenated).
-gh repo create Molecule-AI/molecule-ai-workspace-template-<runtime> \
-  --template Molecule-AI/molecule-ai-workspace-template-starter \
-  --public \
-  --description "Molecule AI workspace template: <runtime>"
-
-git clone https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-<runtime>.git
-cd molecule-ai-workspace-template-<runtime>
-```
-
-Then fill in the `TODO` markers in:
-
-| File | What to fill in |
-|---|---|
-| `adapter.py` | Rename class to `<Runtime>Adapter`. Fill in `name()`, `display_name()`, `description()`, `get_config_schema()`. Implement `setup()` and `create_executor()`. |
-| `requirements.txt` | Add your runtime's pip dependencies (e.g. `langgraph`, `crewai`, `claude-agent-sdk`). |
-| `Dockerfile` | Add runtime-specific apt deps (most runtimes don't need any). Replace ENTRYPOINT only if you need custom boot logic. |
-| `config.yaml` | Update top-level `name`/`runtime`/`description`. Add the models your runtime supports to `models[]`. |
-| `system-prompt.md` | Default agent prompt. |
-
-After `git push`:
-
-1. The template's `publish-image.yml` builds + pushes
-   `ghcr.io/molecule-ai/workspace-template-<runtime>:latest` automatically.
-2. The next `runtime-vX.Y.Z` tag on `molecule-core` cascades a
-   `repository_dispatch` event into your new template, rebuilding the image
-   against the latest runtime — no setup PR required.
-3. Register the runtime name in the platform's `RuntimeImages` map (in
-   `workspace-server/internal/provisioner/provisioner.go`) so it's
-   selectable in the canvas.
-
-## When the starter itself needs to evolve
-
-If the canonical shape changes (e.g. `config.yaml` schema gets a new field,
-the `BaseAdapter` interface adds a method, the reusable CI workflow
-signature changes), update the
-[starter](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-starter) (recreation pending — see note above)
-**first**. Existing templates can either migrate at their own pace or be
-touched in a coordinated cleanup PR. Either way, future templates pick up
-the new shape from day one.
-
-## Migration note
-
-Prior to this workflow, the runtime was duplicated across monorepo
-`workspace/` AND a sibling repo `molecule-ai-workspace-runtime`, with no
-sync mechanism. That caused 30+ files to drift between the two trees and
-tonight's chat-leak / queued-classification fixes existed only in the
-monorepo copy until manually ported.
-
-If you have an old local checkout of `molecule-ai-workspace-runtime`, treat
-it as outdated. The monorepo `workspace/` is now authoritative; the PyPI
-artifact is rebuilt from it on every `runtime-v*` tag.
+- Test platform behavior against the installed runtime contract.
+- Keep MCP/registry/TenantGuard behavior compatible with the runtime package.
+- Fail CI if `workspace/` or legacy build-from-workspace scripts are restored.
@@ -1,542 +0,0 @@
-#!/usr/bin/env python3
-"""Build the molecule-ai-workspace-runtime PyPI package from monorepo workspace/.
-
-Monorepo workspace/ is the single source-of-truth for runtime code. The PyPI
-package is a publish-time mirror produced by this script, NOT a parallel
-editable copy. Anyone editing the runtime should edit workspace/, never the
-sibling molecule-ai-workspace-runtime repo.
-
-What this does
--------------
-1. Copies workspace/ source into build/molecule_runtime/ (note the rename:
-   bare modules become a real Python package).
-2. Rewrites top-level imports so e.g. `from a2a_client import X` becomes
-   `from molecule_runtime.a2a_client import X`. The rewrite is regex-based
-   on a closed allowlist of modules — third-party imports like `from a2a.X`
-   (the a2a-sdk package) are left alone because the regex is anchored on
-   exact module names.
-3. Writes a pyproject.toml with the requested version + the README + the
-   py.typed marker.
-4. Leaves the build dir ready for `python -m build` to produce a wheel/sdist.
-
-Usage
-----
-  scripts/build_runtime_package.py --version 0.1.6 --out /tmp/runtime-build
-  cd /tmp/runtime-build && python -m build
-  python -m twine upload dist/*
-
-The publish workflow (.github/workflows/publish-runtime.yml) drives this
-on every `runtime-v*` tag push.
-"""
-
-from __future__ import annotations
-
-import argparse
-import re
-import shutil
-import sys
-from pathlib import Path
-
-# Top-level Python modules in workspace/ that become molecule_runtime.X.
-# Anything imported as `from <name> import` or `import <name>` (where <name>
-# matches one of these) gets rewritten to use the package prefix.
-#
-# Closed list (not "every .py we copy") because a typo in workspace/ would
-# otherwise leak into a wrong rewrite. The set is asserted against
-# `workspace/*.py` at build time — if the disk contents drift from this
-# list (new module added, old one removed), the build fails loud instead
-# of silently shipping unrewritten imports. That gap caused 0.1.16 to
-# ship `from transcript_auth import ...` (unrewritten — module added
-# without updating this set), which broke every workspace startup with
-# `ModuleNotFoundError: No module named 'transcript_auth'`.
-TOP_LEVEL_MODULES = {
-    "_sanitize_a2a",
-    "a2a_cli",
-    "a2a_client",
-    "a2a_executor",
-    "a2a_mcp_server",
-    "a2a_response",
-    "a2a_tools",
-    "a2a_tools_delegation",
-    "a2a_tools_identity",
-    "a2a_tools_inbox",
-    "a2a_tools_memory",
-    "a2a_tools_messaging",
-    "a2a_tools_rbac",
-    "adapter_base",
-    "agent",
-    "agents_md",
-    "boot_routes",
-    "card_helpers",
-    "config",
-    "configs_dir",
-    "consolidation",
-    "coordinator",
-    "event_log",
-    "events",
-    "executor_helpers",
-    "heartbeat",
-    "inbox",
-    "inbox_uploads",
-    "initial_prompt",
-    "internal_chat_uploads",
-    "internal_file_read",
-    "main",
-    "mcp_cli",
-    "mcp_doctor",
-    "mcp_heartbeat",
-    "mcp_inbox_pollers",
-    "mcp_workspace_resolver",
-    "molecule_ai_status",
-    "not_configured_handler",
-    "platform_auth",
-    "platform_inbound_auth",
-    "plugins",
-    "preflight",
-    "prompt",
-    "runtime_wedge",
-    "secret_redactor",
-    "shared_runtime",
-    "smoke_mode",
-    "transcript_auth",
-    "watcher",
-}
-
-# Subdirectory packages — these are already real packages (they have or will
-# have __init__.py) so the rewrite is `from <pkg>` → `from molecule_runtime.<pkg>`.
-SUBPACKAGES = {
-    "adapters",
-    "builtin_tools",
-    "lib",
-    "platform_tools",
-    "plugins_registry",
-    "policies",
-    "skill_loader",
-}
-
-# Files in workspace/ NOT included in the published package. These are
-# build artifacts, dev scripts, or monorepo-only scaffolding.
-EXCLUDE_FILES = {
-    "Dockerfile",
-    "build-all.sh",
-    "rebuild-runtime-images.sh",
-    "entrypoint.sh",
-    "pytest.ini",
-    "requirements.txt",
-    # Note: adapter_base.py, agents_md.py, hermes_executor.py, shared_runtime.py
-    # are kept (referenced by adapters/__init__.py and other modules); they get
-    # their imports rewritten via TOP_LEVEL_MODULES. Excluding them broke the
-    # smoke-test install with `ModuleNotFoundError: adapter_base`.
-}
-
-EXCLUDE_DIRS = {
-    "__pycache__",
-    "tests",
-    "molecule_audit",  # only used by tests; not on production import path
-    "scripts",
-}
-
-
-def build_import_rewriter() -> re.Pattern:
-    """Compile a single regex matching all import statements that need
-    rewriting. The match groups capture the keyword + module name so the
-    replacement preserves whitespace and trailing punctuation.
-
-    Modules included: TOP_LEVEL_MODULES ∪ SUBPACKAGES.
-
-    The negative-lookahead on `\\.` in the suffix prevents matching
-    `from a2a.server.X import Y` against bare `a2a` (which isn't in our
-    set, but the principle matters for any future short module name that
-    happens to be a prefix of a real package name).
-    """
-    names = sorted(TOP_LEVEL_MODULES | SUBPACKAGES)
-    alt = "|".join(re.escape(n) for n in names)
-    # Matches:
-    #   from <name>(\.|\s|import)
-    #   import <name>(\s|$|,)
-    # And captures the keyword + name so we can re-emit with prefix.
-    pattern = (
-        r"(?m)^(?P<indent>\s*)"          # leading whitespace (preserved)
-        r"(?P<kw>from|import)\s+"        # 'from' or 'import'
-        r"(?P<mod>" + alt + r")"          # the module name
-        r"(?P<rest>[\s.,]|$)"            # what follows: '.subpath', ' import …', ',', whitespace, EOL
-    )
-    return re.compile(pattern)
-
-
-def rewrite_imports(text: str, regex: re.Pattern) -> str:
-    """Replace bare imports with package-prefixed ones.
-
-    `import X`           → `import molecule_runtime.X as X`  (preserve binding)
-    `from X import Y`    → `from molecule_runtime.X import Y`
-    `from X.sub import Y` → `from molecule_runtime.X.sub import Y`
-
-    Rejects `import X as Y` because the rewrite would produce
-    `import molecule_runtime.X as X as Y`, a syntax error. The PR #2433
-    incident shipped this exact pattern past `Python Lint & Test` (which
-    runs against pre-rewrite source) but blew up the wheel-smoke gate.
-    Detecting it here turns the silent build failure into a build-time
-    error with a clear path: use `from X import …` or plain `import X`.
-    """
-    def repl(m: re.Match) -> str:
-        indent, kw, mod, rest = m.group("indent"), m.group("kw"), m.group("mod"), m.group("rest")
-        if kw == "from":
-            # `from X` or `from X.sub` — always safe to prefix.
-            return f"{indent}from molecule_runtime.{mod}{rest}"
-        # `import X` — preserve the binding name `X` (callers do `X.foo`)
-        # by aliasing. `import X.sub` is uncommon for our modules and would
-        # need a different binding form, but isn't used in workspace/ today.
-        if rest.startswith("."):
-            # `import X.sub` — rewrite as `import molecule_runtime.X.sub` and
-            # leave the trailing dot pattern intact for the rest of the line.
-            return f"{indent}import molecule_runtime.{mod}{rest}"
-        # Detect `import X as Y` — the regex's `rest` group captures only
-        # the immediate following char (whitespace, comma, or EOL), so we
-        # have to peek at the surrounding line context. The match start is
-        # at the line's `import` keyword; everything after the matched
-        # name on the same line is what the source author wrote.
-        line_start = text.rfind("\n", 0, m.start()) + 1
-        line_end = text.find("\n", m.end())
-        if line_end == -1:
-            line_end = len(text)
-        line_after = text[m.end() - len(rest):line_end]
-        # Strip comments from consideration so `import X  # noqa` doesn't trip.
-        line_after_no_comment = line_after.split("#", 1)[0]
-        if re.search(r"^\s*as\s+\w+", line_after_no_comment):
-            raise ValueError(
-                f"rewrite_imports: cannot rewrite 'import {mod} as <alias>' on a "
-                f"workspace module — the regex would produce "
-                f"'import molecule_runtime.{mod} as {mod} as <alias>', invalid syntax. "
-                f"Use 'from {mod} import …' or plain 'import {mod}' instead. "
-                f"Offending line: {text[line_start:line_end]!r}"
-            )
-        # Plain `import X` — alias preserves the local name.
-        return f"{indent}import molecule_runtime.{mod} as {mod}{rest}"
-    return regex.sub(repl, text)
-
-
-def copy_tree_filtered(src: Path, dst: Path) -> list[Path]:
-    """Copy src/ → dst/ skipping EXCLUDE_FILES + EXCLUDE_DIRS. Returns the
-    list of .py files copied so the caller can run the import rewrite over
-    them in one pass."""
-    py_files: list[Path] = []
-    if dst.exists():
-        shutil.rmtree(dst)
-    dst.mkdir(parents=True)
-    for entry in src.iterdir():
-        if entry.is_dir():
-            if entry.name in EXCLUDE_DIRS:
-                continue
-            sub_py = copy_tree_filtered(entry, dst / entry.name)
-            py_files.extend(sub_py)
-        else:
-            if entry.name in EXCLUDE_FILES:
-                continue
-            shutil.copy2(entry, dst / entry.name)
-            if entry.suffix == ".py":
-                py_files.append(dst / entry.name)
-    return py_files
-
-
-PYPROJECT_TEMPLATE = """\
-[build-system]
-requires = ["setuptools>=68.0", "wheel"]
-build-backend = "setuptools.build_meta"
-
-[project]
-name = "molecule-ai-workspace-runtime"
-version = "{version}"
-description = "Molecule AI workspace runtime — shared infrastructure for all agent adapters"
-requires-python = ">=3.11"
-license = {{text = "BSL-1.1"}}
-readme = "README.md"
-dependencies = [
-    "a2a-sdk[http-server]>=1.0.0,<2.0",
-    "httpx>=0.27.0",
-    "uvicorn>=0.30.0",
-    "starlette>=0.38.0",
-    "websockets>=12.0",
-    # multipart/form-data parser — required for Starlette's Request.form() on
-    # /internal/chat/uploads/ingest. Without it, Starlette raises AssertionError
-    # when parsing multipart bodies, which the chat-upload handler surfaces as
-    # an opaque 400. Mirrors the canonical pin in workspace/requirements.txt;
-    # >=0.0.27 avoids CVE-2024-53981 (DoS via malformed boundary).
-    # Forensic a78762a0 (2026-05-19): Hermes PDF upload 400 root cause.
-    "python-multipart>=0.0.27",
-    "pyyaml>=6.0",
-    "langchain-core>=0.3.0",
-    "opentelemetry-api>=1.24.0",
-    "opentelemetry-sdk>=1.24.0",
-    "opentelemetry-exporter-otlp-proto-http>=1.24.0",
-    "temporalio>=1.7.0",
-]
-
-[project.scripts]
-molecule-runtime = "molecule_runtime.main:main_sync"
-molecule-mcp = "molecule_runtime.mcp_cli:main"
-
-[tool.setuptools.packages.find]
-where = ["."]
-include = ["molecule_runtime*", "plugins_registry*"]
-
-[tool.setuptools.package-data]
-"molecule_runtime" = ["py.typed"]
-"plugins_registry" = ["py.typed"]
-"""
-
-
-README_TEMPLATE = """\
-# molecule-ai-workspace-runtime
-
-Shared workspace runtime for [Molecule AI](https://git.moleculesai.app/molecule-ai/molecule-core)
-agent adapters. Installed by every workspace template image
-(`workspace-template-claude-code`, `-langgraph`, `-hermes`, etc.) to provide
-A2A delegation, heartbeat, memory, plugin loading, and skill management.
-
-This package is **published from the molecule-core monorepo `workspace/`
-directory** by the `publish-runtime` GitHub Actions workflow on every
-`runtime-v*` tag push. **Do not edit this package directly** — edit
-`workspace/` in the monorepo.
-
-## External-runtime MCP server (`molecule-mcp`)
-
-Operators running an agent outside the platform's container fleet
-(any runtime that supports MCP stdio — Claude Code, hermes, codex,
-etc.) can install this wheel and run the universal MCP server
-locally.
-
-### Requirements
-
-* **Python ≥3.11.** The wheel sets `requires-python = ">=3.11"`. On
-  older interpreters `pip install` returns the cryptic
-  `Could not find a version that satisfies the requirement` — that
-  message is pip filtering this wheel out, NOT the package missing
-  from PyPI. Upgrade with `brew install python@3.12` /
-  `apt install python3.12` / `pyenv install 3.12` first.
-* **`pipx` recommended over `pip`.** `pipx install` puts
-  `molecule-mcp` on PATH automatically and isolates the runtime's
-  deps from your system Python. Plain `pip install --user` works
-  but the binary lands in `~/.local/bin` (Linux) or
-  `~/Library/Python/3.X/bin` (macOS) which is often not on PATH on
-  a fresh shell — `claude mcp add molecule-<workspace-slug> -- molecule-mcp`
-  then fails with "command not found" at first use.
-
-* **Server name in `claude mcp add` is workspace-specific.** The
-  Canvas "Add to Claude Code" snippet stamps a unique slug
-  (`molecule-<workspace-name>`) so a single Claude Code session can
-  talk to N molecule workspaces concurrently — `claude mcp add` keys
-  entries by name in `~/.claude.json`, so re-running with a bare
-  `molecule` name silently overwrites the prior workspace's entry.
-  See [molecule-core#1535](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/1535)
-  for the canonical generator.
-
-### Install
-
-```sh
-# Recommended:
-pipx install molecule-ai-workspace-runtime
-
-# Alternative (manage PATH yourself):
-pip install --user molecule-ai-workspace-runtime
-```
-
-### Run
-
-```sh
-WORKSPACE_ID=<uuid> \\
-  PLATFORM_URL=https://<tenant>.staging.moleculesai.app \\
-  MOLECULE_WORKSPACE_TOKEN=<bearer> \\
-  molecule-mcp
-```
-
-That exposes the same 8 platform tools (`delegate_task`, `list_peers`,
-`send_message_to_user`, `commit_memory`, etc.) that container-bound
-runtimes already get via the workspace's auto-spawned MCP. Register
-the binary in your agent's MCP config — use a workspace-specific
-server name so multi-workspace setups don't collide (e.g. Claude Code:
-`claude mcp add molecule-<workspace-slug> -- molecule-mcp` with the env
-above; the Canvas modal stamps the right slug for you).
-
-### Keeping the token out of shell history
-
-Inline `MOLECULE_WORKSPACE_TOKEN=<bearer>` ends up in `~/.zsh_history`
-and (when registered via `claude mcp add`) plaintext in
-`~/.claude.json`. To avoid that, write the token to a 0600 file and
-point `MOLECULE_WORKSPACE_TOKEN_FILE` at it:
-
-```sh
-umask 077
-printf '%s' "<bearer>" > ~/.config/molecule/token
-WORKSPACE_ID=<uuid> \\
-  PLATFORM_URL=https://<tenant>.staging.moleculesai.app \\
-  MOLECULE_WORKSPACE_TOKEN_FILE=$HOME/.config/molecule/token \\
-  molecule-mcp
-```
-
-Token resolution order: `MOLECULE_WORKSPACE_TOKEN` (inline env) →
-`MOLECULE_WORKSPACE_TOKEN_FILE` (path) → `${CONFIGS_DIR}/.auth_token`
-(in-container default).
-
-The token comes from the canvas → Tokens tab. Restarting an external
-workspace from the canvas no longer revokes the token (PR #2412), so
-operator tokens persist across status nudges.
-
-### Push vs poll delivery (Claude Code specifics)
-
-By default the inbox runs in **poll mode** — every turn the agent
-calls `wait_for_message`, which blocks up to ~60s on
-`/activity?since_id=…`. Real-time push delivery is also supported,
-but on Claude Code it requires THREE conditions, ALL of which must
-hold:
-
-1. **The MCP server declares `experimental.claude/channel`** — this
-   wheel does (see `_build_initialize_result`). Nothing for you to
-   do.
-2. **Claude Code installs the server as a marketplace plugin** — a
-   plain `claude mcp add molecule-<workspace-slug> -- molecule-mcp`
-   produces a non-plugin-sourced server, which Claude Code rejects with
-   `channel_enable requires a marketplace plugin`. Until the
-   official `moleculesai/claude-code-plugin` marketplace lands
-   (tracking [#2936](https://git.moleculesai.app/molecule-ai/molecule-core/issues/2936)),
-   operators who want push must scaffold their own local marketplace
-   under
-   `~/.claude/marketplaces/molecule-local/` containing a
-   `marketplace.json` + `plugin.json` that points at this wheel.
-3. **Claude Code is launched with the dev-channels flag** — pass
-   `--dangerously-load-development-channels plugin:molecule@<marketplace>`
-   on the `claude` invocation. Without this flag the channel
-   capability is silently ignored.
-
-Symptom of any condition failing: messages arrive but only via the
-poll path (every ~1–60s), not real-time. There's currently no
-diagnostic surfaced — `molecule-mcp doctor` (tracking
-[#2937](https://git.moleculesai.app/molecule-ai/molecule-core/issues/2937)) is
-planned.
-
-If you don't need real-time push, the default poll path works
-universally with no extra setup; both modes converge on the same
-`inbox_pop` ack so messages never duplicate.
-
-See [`docs/workspace-runtime-package.md`](https://git.moleculesai.app/molecule-ai/molecule-core/src/branch/main/docs/workspace-runtime-package.md)
-for the publish flow and architecture.
-"""
-
-
-def main() -> int:
-    parser = argparse.ArgumentParser(description=__doc__)
-    parser.add_argument("--version", required=True, help="Package version, e.g. 0.1.6")
-    parser.add_argument("--out", required=True, type=Path, help="Build output directory (will be wiped)")
-    parser.add_argument("--source", type=Path, default=Path(__file__).resolve().parent.parent / "workspace",
-                        help="Path to monorepo workspace/ directory (default: ../workspace from this script)")
-    args = parser.parse_args()
-
-    src = args.source.resolve()
-    out = args.out.resolve()
-    if not src.is_dir():
-        print(f"error: source not a directory: {src}", file=sys.stderr)
-        return 2
-
-    # Drift gate: assert TOP_LEVEL_MODULES matches workspace/*.py.
-    # Without this, a new top-level module added to workspace/ ships
-    # with unrewritten `from <name> import` statements that explode at
-    # runtime with ModuleNotFoundError. (See 0.1.16 transcript_auth
-    # incident — closed list silently went stale.)
-    on_disk_modules = {
-        f.stem for f in src.glob("*.py")
-        if f.stem not in {"__init__", "conftest"}
-    }
-    missing = on_disk_modules - TOP_LEVEL_MODULES
-    stale = TOP_LEVEL_MODULES - on_disk_modules
-    if missing or stale:
-        print("error: TOP_LEVEL_MODULES drifted from workspace/*.py contents:", file=sys.stderr)
-        if missing:
-            print(f"  in workspace/ but NOT in TOP_LEVEL_MODULES (will ship un-rewritten): {sorted(missing)}", file=sys.stderr)
-        if stale:
-            print(f"  in TOP_LEVEL_MODULES but NOT in workspace/ (no-op, but misleading): {sorted(stale)}", file=sys.stderr)
-        print("  Edit scripts/build_runtime_package.py:TOP_LEVEL_MODULES to match.", file=sys.stderr)
-        return 3
-
-    # Same drift gate for SUBPACKAGES — catches the inverse class of
-    # bug where a workspace/ subdirectory is referenced by main.py
-    # (`from lib.pre_stop import ...`) but is either missing from
-    # SUBPACKAGES (so the rewriter doesn't qualify the import) or
-    # accidentally listed in EXCLUDE_DIRS (so the directory itself
-    # isn't shipped). 0.1.16-0.1.19 had `lib` in EXCLUDE_DIRS while
-    # main.py imported from it — `ModuleNotFoundError: No module
-    # named 'lib'` at every workspace startup.
-    on_disk_subpkgs = {
-        d.name for d in src.iterdir()
-        if d.is_dir()
-        and d.name not in EXCLUDE_DIRS
-        and d.name not in {"__pycache__"}
-        and (d / "__init__.py").exists()
-    }
-    sub_missing = on_disk_subpkgs - SUBPACKAGES
-    sub_stale = SUBPACKAGES - on_disk_subpkgs
-    if sub_missing or sub_stale:
-        print("error: SUBPACKAGES drifted from workspace/ subdirectories:", file=sys.stderr)
-        if sub_missing:
-            print(f"  in workspace/ but NOT in SUBPACKAGES (will ship un-rewritten or be excluded): {sorted(sub_missing)}", file=sys.stderr)
-        if sub_stale:
-            print(f"  in SUBPACKAGES but NOT in workspace/ (no-op, but misleading): {sorted(sub_stale)}", file=sys.stderr)
-        print("  Edit scripts/build_runtime_package.py:SUBPACKAGES + EXCLUDE_DIRS to match.", file=sys.stderr)
-        return 3
-
-    pkg_dir = out / "molecule_runtime"
-    print(f"[build] source: {src}")
-    print(f"[build] output: {out}")
-    print(f"[build] package: {pkg_dir}")
-
-    if out.exists():
-        shutil.rmtree(out)
-    out.mkdir(parents=True)
-
-    py_files = copy_tree_filtered(src, pkg_dir)
-    print(f"[build] copied {len(py_files)} .py files")
-
-    # Install plugins_registry/ at the wheel TOP LEVEL so that plugin adapter
-    # code (workspace-template-*) can use bare `from plugins_registry import ...`.
-    # The molecule-runtime package (molecule_runtime/) also ships it at
-    # molecule_runtime/plugins_registry/ (satisfies the rewritten
-    # `from molecule_runtime.plugins_registry import ...` in adapter_base.py).
-    # Both copies coexist: they serve different import namespaces.
-    plugins_src = src / "plugins_registry"
-    plugins_dst = out / "plugins_registry"
-    if plugins_src.is_dir():
-        shutil.copytree(plugins_src, plugins_dst)
-        print(f"[build] installed plugins_registry/ at top level (bare-import shim)")
-
-    # Ensure top-level package marker exists. workspace/ doesn't have one
-    # (it's not a package in monorepo), but the published artifact must.
-    init = pkg_dir / "__init__.py"
-    if not init.exists():
-        init.write_text('"""Molecule AI workspace runtime."""\n')
-
-    # Touch py.typed so type-checkers in adapter consumers see the package
-    # as typed. Empty file is the convention.
-    (pkg_dir / "py.typed").touch()
-
-    # Rewrite imports in every .py file we copied + the new __init__.py.
-    regex = build_import_rewriter()
-    rewrites = 0
-    for f in [*py_files, init]:
-        original = f.read_text()
-        rewritten = rewrite_imports(original, regex)
-        if rewritten != original:
-            f.write_text(rewritten)
-            rewrites += 1
-    print(f"[build] rewrote imports in {rewrites} files")
-
-    # Emit pyproject.toml + README at build root.
-    (out / "pyproject.toml").write_text(PYPROJECT_TEMPLATE.format(version=args.version))
-    (out / "README.md").write_text(README_TEMPLATE)
-
-    print(f"[build] done. To publish:")
-    print(f"  cd {out}")
-    print(f"  python -m build")
-    print(f"  python -m twine upload dist/*")
-    return 0
-
-
-if __name__ == "__main__":
-    sys.exit(main())
@@ -1,95 +0,0 @@
-#!/usr/bin/env bash
-# check-cascade-list-vs-manifest.sh — structural drift gate for the
-# publish-runtime cascade list vs manifest.json workspace_templates.
-#
-# WHY: PR #2536 pruned the manifest to 4 supported runtimes; PR #2556
-# realigned the cascade list to match. The underlying drift hazard
-# (cascade-list ≠ manifest) was unguarded — the data fix didn't prevent
-# recurrence. This script is the structural gate that does.
-#
-# Behavior-based per project pattern: derives the expected set from
-# manifest.json and the actual set from the workflow YAML, fails on
-# any divergence in either direction.
-#
-#   missing-from-cascade  → templates in manifest that publish-runtime.yml
-#                            won't auto-rebuild on a new wheel publish
-#                            (the codex-stuck-on-stale-runtime bug class)
-#   extra-in-cascade      → cascade dispatches to deprecated templates
-#                            (the wasted-API-calls + dead-CI-noise class)
-#
-# Suffix mapping: manifest names map to GHCR repos via
-#   {name without -default suffix} → molecule-ai-workspace-template-<suffix>
-# That's the same map publish-runtime.yml's TEMPLATES variable iterates.
-#
-# Exit:
-#   0  cascade matches manifest exactly
-#   1  drift detected (script prints the diff)
-#   2  bad usage / missing inputs
-
-set -eu
-
-MANIFEST="${1:-manifest.json}"
-WORKFLOW="${2:-.github/workflows/publish-runtime.yml}"
-
-if [ ! -f "$MANIFEST" ]; then
-    echo "::error::manifest not found: $MANIFEST" >&2
-    exit 2
-fi
-if [ ! -f "$WORKFLOW" ]; then
-    echo "::error::workflow not found: $WORKFLOW" >&2
-    exit 2
-fi
-
-# Expected cascade entries: manifest workspace_templates → suffix-only
-# (strip -default tail, e.g. claude-code-default → claude-code, since
-# publish-runtime.yml's TEMPLATES uses suffixes that match the
-# molecule-ai-workspace-template-<suffix> repo naming).
-EXPECTED=$(jq -r '.workspace_templates[].name' "$MANIFEST" \
-    | sed 's/-default$//' \
-    | sort -u)
-
-# Actual cascade entries: extract from the TEMPLATES="…" line. We look
-# for the line, pull the contents between the quotes, and split into
-# one-per-line. Single source of truth in the workflow itself, no
-# parallel registry needed.
-#
-# Why not \s in the regex: BSD sed (macOS) doesn't recognize \s as
-# whitespace — treats it as literal `s`. POSIX [[:space:]] works on
-# both BSD and GNU sed. Same hazard nuked the original draft of this
-# script: \s* matched empty-prefix-of-literal-s, then the leading
-# whitespace stayed in the captured group.
-ACTUAL=$(grep -E '[[:space:]]*TEMPLATES="' "$WORKFLOW" \
-    | head -1 \
-    | sed -E 's/^[[:space:]]*TEMPLATES="([^"]*)".*$/\1/' \
-    | tr ' ' '\n' \
-    | grep -v '^$' \
-    | sort -u)
-
-if [ -z "$ACTUAL" ]; then
-    echo "::error::could not extract TEMPLATES=\"…\" from $WORKFLOW — has the variable name or quoting changed?" >&2
-    exit 2
-fi
-
-MISSING=$(comm -23 <(printf '%s\n' "$EXPECTED") <(printf '%s\n' "$ACTUAL"))
-EXTRA=$(comm -13 <(printf '%s\n' "$EXPECTED") <(printf '%s\n' "$ACTUAL"))
-
-if [ -z "$MISSING" ] && [ -z "$EXTRA" ]; then
-    echo "✓ cascade list matches manifest workspace_templates ($(echo "$EXPECTED" | wc -l | tr -d ' ') entries)"
-    exit 0
-fi
-
-echo "::error::cascade list drift detected between $MANIFEST and $WORKFLOW" >&2
-echo "" >&2
-if [ -n "$MISSING" ]; then
-    echo "  Templates in manifest but MISSING from cascade (won't auto-rebuild on wheel publish):" >&2
-    echo "$MISSING" | sed 's/^/    - /' >&2
-    echo "" >&2
-fi
-if [ -n "$EXTRA" ]; then
-    echo "  Templates in cascade but NOT in manifest (deprecated, wasting dispatch calls):" >&2
-    echo "$EXTRA" | sed 's/^/    - /' >&2
-    echo "" >&2
-fi
-echo "  Fix: edit the TEMPLATES=\"…\" line in $WORKFLOW so the set matches" >&2
-echo "  manifest.json's workspace_templates (suffix-stripped). See PR #2556 for context." >&2
-exit 1
@@ -1,201 +0,0 @@
-"""Tests for scripts/build_runtime_package.py — the wheel-build import rewriter.
-
-Run locally: ``python3 -m unittest scripts/test_build_runtime_package.py -v``
-
-Why this exists: PR #2433 shipped ``import inbox as _inbox_module`` inside
-the workspace runtime, and the rewriter expanded it to
-``import molecule_runtime.inbox as inbox as _inbox_module`` — invalid
-Python. The wheel-smoke gate caught it post-merge but couldn't block
-the merge (not a required check yet — see PR #2439). PR #2436 added a
-build-time gate that raises ``ValueError`` on this pattern; this file
-locks the rewriter's documented contract under unit test so the gate
-itself can't silently regress.
-
-Coverage:
- ``import X``                  → ``import molecule_runtime.X as X``
- ``import X.sub``              → ``import molecule_runtime.X.sub``
- ``import X``  + trailing comment is preserved
- ``from X import Y``           → ``from molecule_runtime.X import Y``
- ``from X.sub import Y``       → ``from molecule_runtime.X.sub import Y``
- ``from X import Y, Z``        → ``from molecule_runtime.X import Y, Z``
- ``import X as Y``             → raises ValueError (the rewriter would
-  produce ``import molecule_runtime.X as X as Y``, syntax error)
- non-allowlist module names    → not rewritten (regex anchors on the closed set)
- Indented imports (inside def/class) keep their indentation.
-"""
-from __future__ import annotations
-
-import os
-import sys
-import unittest
-
-# scripts/build_runtime_package.py lives at scripts/ — add scripts/ to sys.path
-# so the import works whether unittest is invoked from repo root or scripts/.
-HERE = os.path.dirname(os.path.abspath(__file__))
-if HERE not in sys.path:
-    sys.path.insert(0, HERE)
-
-import build_runtime_package as M  # noqa: E402
-
-
-def rewrite(text: str) -> str:
-    """Run the rewriter end-to-end so the test exercises the same path
-    used by the wheel build (regex compile + substitution)."""
-    regex = M.build_import_rewriter()
-    return M.rewrite_imports(text, regex)
-
-
-class TestBareImportRewriting(unittest.TestCase):
-    def test_plain_import_aliases_to_preserve_binding(self):
-        self.assertEqual(
-            rewrite("import inbox\n"),
-            "import molecule_runtime.inbox as inbox\n",
-        )
-
-    def test_plain_import_with_trailing_comment_is_preserved(self):
-        # Real-world shape from a2a_mcp_server.py — the comment must
-        # survive the rewrite without losing its leading-space buffer.
-        self.assertEqual(
-            rewrite("import inbox  # noqa: E402\n"),
-            "import molecule_runtime.inbox as inbox  # noqa: E402\n",
-        )
-
-    def test_import_dotted_keeps_dotted_form(self):
-        # `import X.sub` is rare for our modules but the rewriter must
-        # not double-alias — we want `import molecule_runtime.X.sub`,
-        # not `import molecule_runtime.X.sub as X.sub` (invalid).
-        self.assertEqual(
-            rewrite("import platform_tools.registry\n"),
-            "import molecule_runtime.platform_tools.registry\n",
-        )
-
-    def test_indented_import_preserves_indentation(self):
-        src = "def foo():\n    import inbox\n    return inbox.x\n"
-        out = rewrite(src)
-        self.assertIn("    import molecule_runtime.inbox as inbox\n", out)
-
-
-class TestFromImportRewriting(unittest.TestCase):
-    def test_from_module_import_simple(self):
-        self.assertEqual(
-            rewrite("from inbox import InboxState\n"),
-            "from molecule_runtime.inbox import InboxState\n",
-        )
-
-    def test_from_dotted_import(self):
-        self.assertEqual(
-            rewrite("from platform_tools.registry import TOOLS\n"),
-            "from molecule_runtime.platform_tools.registry import TOOLS\n",
-        )
-
-    def test_from_import_multiple_symbols(self):
-        # Multi-import statement — the rewriter only touches the module
-        # prefix, not the names being imported.
-        self.assertEqual(
-            rewrite("from a2a_tools import (foo, bar, baz)\n"),
-            "from molecule_runtime.a2a_tools import (foo, bar, baz)\n",
-        )
-
-    def test_from_import_block_form(self):
-        src = (
-            "from a2a_tools import (\n"
-            "    tool_check_task_status,\n"
-            "    tool_commit_memory,\n"
-            ")\n"
-        )
-        out = rewrite(src)
-        self.assertIn("from molecule_runtime.a2a_tools import (\n", out)
-        # Trailing names + closer are unchanged.
-        self.assertIn("    tool_check_task_status,\n", out)
-        self.assertIn(")\n", out)
-
-
-class TestImportAsAliasRejection(unittest.TestCase):
-    """The key regression class — the failure mode that shipped in PR #2433."""
-
-    def test_import_as_alias_raises_value_error(self):
-        with self.assertRaises(ValueError) as ctx:
-            rewrite("import inbox as _inbox_module\n")
-        msg = str(ctx.exception)
-        # Error must name the offending module + suggest the fix.
-        self.assertIn("inbox", msg)
-        self.assertIn("as <alias>", msg)
-        self.assertIn("from", msg)  # suggests `from X import …`
-
-    def test_import_as_alias_indented_still_rejected(self):
-        # Indented (inside def/class) — same hazard, same rejection.
-        with self.assertRaises(ValueError):
-            rewrite("def foo():\n    import inbox as _x\n")
-
-    def test_import_as_alias_with_trailing_comment_still_rejected(self):
-        with self.assertRaises(ValueError):
-            rewrite("import inbox as _x  # comment\n")
-
-    def test_plain_import_with_as_in_comment_does_not_trip(self):
-        # The detection strips comments before pattern-matching, so a
-        # comment containing "as foo" must NOT trigger the rejection.
-        self.assertEqual(
-            rewrite("import inbox  # rewriter produces alias as inbox\n"),
-            "import molecule_runtime.inbox as inbox  # rewriter produces alias as inbox\n",
-        )
-
-    def test_import_followed_by_comma_is_not_an_alias(self):
-        # `import inbox, os` — comma is not `as`, must not be rejected.
-        # Our regex captures `inbox` then `,` — only `inbox` gets prefixed.
-        # `os` is not in TOP_LEVEL_MODULES so it's left alone.
-        out = rewrite("import inbox, os\n")
-        # The first module is rewritten; the second (non-allowlist) is not.
-        self.assertIn("import molecule_runtime.inbox as inbox", out)
-
-
-class TestOutsideAllowlistModules(unittest.TestCase):
-    def test_third_party_imports_unchanged(self):
-        # `httpx`, `os`, `re` etc. are not in TOP_LEVEL_MODULES — the
-        # regex must not match them. This is the closed-list invariant
-        # that prevents accidental rewrites of stdlib / third-party.
-        src = "import httpx\nimport os\nfrom re import match\n"
-        self.assertEqual(rewrite(src), src)
-
-    def test_short_name_collision_avoided(self):
-        # `from a2a.server.X import Y` must not match the bare `a2a`
-        # prefix — `a2a` isn't in our allowlist (we allow `a2a_tools`,
-        # `a2a_client`, etc., but not bare `a2a`). Belt-and-suspenders.
-        src = "from a2a.server.routes import create_agent_card_routes\n"
-        self.assertEqual(rewrite(src), src)
-
-
-class TestEndToEndShape(unittest.TestCase):
-    """Reproduces the PR #2433 → #2436 incident shape."""
-
-    def test_pr_2433_pattern_now_rejected(self):
-        # The exact line PR #2433 added (inside main()), which produced
-        # `import molecule_runtime.inbox as inbox as _inbox_module` —
-        # invalid syntax in the published wheel.
-        with self.assertRaises(ValueError) as ctx:
-            rewrite(
-                "    import inbox as _inbox_module\n"
-                "    _inbox_module.set_notification_callback(_on_inbox_message)\n"
-            )
-        # Error message includes the offending line so the operator
-        # knows exactly where to fix.
-        self.assertIn("inbox", str(ctx.exception))
-
-    def test_pr_2436_fix_pattern_works(self):
-        # The fix-forward shape (#2436): top-level `import inbox`,
-        # bridge wired in main() via `inbox.set_notification_callback`.
-        src = (
-            "import inbox\n"
-            "\n"
-            "def main():\n"
-            "    inbox.set_notification_callback(cb)\n"
-        )
-        out = rewrite(src)
-        self.assertIn("import molecule_runtime.inbox as inbox\n", out)
-        # The callable reference inside main() is left alone — only
-        # imports get rewritten, not arbitrary `inbox.foo` callsites
-        # (those resolve via the module binding the rewrite preserves).
-        self.assertIn("    inbox.set_notification_callback(cb)\n", out)
-
-
-if __name__ == "__main__":
-    unittest.main()
@@ -9,7 +9,7 @@ This repo uses the standard monorepo testing convention: **unit tests live with
 | Go unit + integration (platform, CLI, handlers) | `workspace-server/**/*_test.go` — run with `cd workspace-server && go test -race ./...` |
 | TypeScript unit (canvas components, hooks, store) | `canvas/src/**/__tests__/` — run with `cd canvas && npm test -- --run` |
 | TypeScript unit (MCP server handlers) | `mcp-server/src/__tests__/` — run with `cd mcp-server && npx jest` |
-| Python unit (workspace runtime, adapters) | `workspace/tests/` — run with `cd workspace && python3 -m pytest` |
+| Python unit (workspace runtime, adapters) | `molecule-ai-workspace-runtime/tests/` in the standalone runtime repo |
 | Python unit (SDK: plugin + remote agent) | `sdk/python/tests/` — run with `cd sdk/python && python3 -m pytest` |
 | **Cross-component E2E** (spans platform + runtime + HTTP) | `tests/e2e/` ← **you are here** |

@@ -33,7 +33,10 @@ e2e_mint_test_token() {
    return 2
  fi
  local body
-  body=$(curl -s -w "\n%{http_code}" "$BASE/admin/workspaces/$wid/test-token")
+  local admin_bearer="${MOLECULE_ADMIN_TOKEN:-${ADMIN_TOKEN:-}}"
+  local admin_auth=()
+  [ -n "$admin_bearer" ] && admin_auth=(-H "Authorization: Bearer $admin_bearer")
+  body=$(curl -s -w "\n%{http_code}" "$BASE/admin/workspaces/$wid/test-token" ${admin_auth[@]+"${admin_auth[@]}"})
  local code
  code=$(printf '%s' "$body" | tail -n1)
  local json
@@ -0,0 +1,116 @@
+#!/usr/bin/env bash
+
+# EC2 leak check for staging E2E harnesses.
+#
+# Modes:
+#   E2E_AWS_LEAK_CHECK=off       skip
+#   E2E_AWS_LEAK_CHECK=auto      check only when aws + credentials exist
+#   E2E_AWS_LEAK_CHECK=required  fail if aws + credentials are unavailable
+#
+# Optional:
+#   E2E_AWS_LEAK_CHECK_SECS      poll budget, default 90
+#   E2E_AWS_LEAK_CHECK_INTERVAL  poll interval, default 10
+#   E2E_AWS_TERMINATE_LEAKS=1    terminate matching leaked instances
+
+e2e_aws_leak_mode() {
+  echo "${E2E_AWS_LEAK_CHECK:-auto}"
+}
+
+e2e_aws_region() {
+  echo "${E2E_AWS_REGION:-${AWS_REGION:-${AWS_DEFAULT_REGION:-us-east-2}}}"
+}
+
+e2e_aws_creds_available() {
+  command -v aws >/dev/null 2>&1 || return 1
+  [ -n "${AWS_ACCESS_KEY_ID:-}" ] || return 1
+  [ -n "${AWS_SECRET_ACCESS_KEY:-}" ] || return 1
+}
+
+e2e_ec2_instances_for_slug() {
+  local slug="$1"
+  local region
+  region=$(e2e_aws_region)
+
+  # shellcheck disable=SC2016
+  aws ec2 describe-instances \
+    --region "$region" \
+    --filters "Name=tag:Name,Values=*$slug*" \
+              "Name=instance-state-name,Values=pending,running,stopping,stopped" \
+    --query 'Reservations[].Instances[].[InstanceId,State.Name,Tags[?Key==`Name`].Value|[0]]' \
+    --output text
+}
+
+e2e_terminate_instances() {
+  local ids="$1"
+  local region
+  region=$(e2e_aws_region)
+
+  [ -n "$ids" ] || return 0
+  # shellcheck disable=SC2086
+  aws ec2 terminate-instances --region "$region" --instance-ids $ids >/dev/null
+}
+
+e2e_verify_no_ec2_leaks_for_slug() {
+  local slug="$1"
+  local mode
+  local max_secs
+  local interval
+  local elapsed=0
+  local rows=""
+  local ids=""
+
+  mode=$(e2e_aws_leak_mode)
+  case "$mode" in
+    off)
+      echo "[aws-leak-check] skipped: E2E_AWS_LEAK_CHECK=off" >&2
+      return 0
+      ;;
+    auto|required) ;;
+    *)
+      echo "[aws-leak-check] invalid E2E_AWS_LEAK_CHECK=$mode (expected off|auto|required)" >&2
+      return 2
+      ;;
+  esac
+
+  if ! e2e_aws_creds_available; then
+    if [ "$mode" = "required" ]; then
+      echo "[aws-leak-check] required but aws CLI or AWS credentials are unavailable" >&2
+      return 2
+    fi
+    echo "[aws-leak-check] skipped: aws CLI or AWS credentials unavailable" >&2
+    return 0
+  fi
+
+  max_secs="${E2E_AWS_LEAK_CHECK_SECS:-90}"
+  interval="${E2E_AWS_LEAK_CHECK_INTERVAL:-10}"
+
+  while true; do
+    rows=$(e2e_ec2_instances_for_slug "$slug" 2>&1) || {
+      echo "[aws-leak-check] aws ec2 describe-instances failed for slug=$slug" >&2
+      echo "$rows" >&2
+      return 2
+    }
+
+    if [ -z "$rows" ] || [ "$rows" = "None" ]; then
+      echo "[aws-leak-check] no live EC2 instances for slug=$slug" >&2
+      return 0
+    fi
+
+    if [ "$elapsed" -ge "$max_secs" ]; then
+      echo "[aws-leak-check] leaked EC2 instance(s) for slug=$slug after ${elapsed}s:" >&2
+      echo "$rows" >&2
+      if [ "${E2E_AWS_TERMINATE_LEAKS:-0}" = "1" ]; then
+        ids=$(echo "$rows" | awk 'NF {print $1}' | sort -u | tr '\n' ' ')
+        echo "[aws-leak-check] terminating leaked EC2 instance(s): $ids" >&2
+        e2e_terminate_instances "$ids" || {
+          echo "[aws-leak-check] terminate-instances failed for: $ids" >&2
+          return 4
+        }
+      fi
+      return 4
+    fi
+
+    sleep "$interval"
+    elapsed=$((elapsed + interval))
+  done
+}
@@ -19,11 +19,18 @@
 #                                    PR #2558+#2563+#2567 cleared the
 #                                    masking layers.)
 #
-#   claude-code → "sonnet"         (entry-id form: claude-code template's
-#                                    config.yaml uses bare model names,
-#                                    auth comes via CLAUDE_CODE_OAUTH_TOKEN
-#                                    or ANTHROPIC_API_KEY rather than the
-#                                    slug.)
+#   claude-code → auth-aware:
+#                  E2E_MINIMAX_API_KEY    → "MiniMax-M2"
+#                  E2E_ANTHROPIC_API_KEY  → "claude-sonnet-4-6"
+#                  otherwise              → "sonnet"
+#
+#                  claude-code provider routing is model-driven. The bare
+#                  "sonnet" alias selects the OAuth provider, so it is only a
+#                  good default when the canary is using Claude Code OAuth or
+#                  intentionally exercising the missing-auth path. MiniMax and
+#                  direct Anthropic API keys need model IDs that resolve to
+#                  their provider entries, otherwise the workspace boots
+#                  reachable but the first A2A call hits the wrong auth path.
 #
 # When E2E_MODEL_SLUG is set, it overrides this dispatch — useful when an
 # operator dispatches the workflow to test a specific slug.
@@ -45,7 +52,15 @@ pick_model_slug() {
  case "$runtime" in
    hermes)      printf 'openai/gpt-4o' ;;
    langgraph)   printf 'openai:gpt-4o' ;;
-    claude-code) printf 'sonnet' ;;
+    claude-code)
+      if [ -n "${E2E_MINIMAX_API_KEY:-}" ]; then
+        printf 'MiniMax-M2'
+      elif [ -n "${E2E_ANTHROPIC_API_KEY:-}" ]; then
+        printf 'claude-sonnet-4-6'
+      else
+        printf 'sonnet'
+      fi
+      ;;
    *)           printf 'openai/gpt-4o' ;;  # safest fallback (matches hermes)
  esac
 }
@@ -71,7 +71,7 @@ pv_assert_runtime() {
  set +e
  resp=$(curl -sS -X POST "$base_url/workspaces/$wid/mcp" \
    -H "Authorization: Bearer $wtok" \
-    "${org_header[@]}" \
+    ${org_header[@]+"${org_header[@]}"} \
    -H "Content-Type: application/json" \
    -d "$PV_RPC_BODY" \
    -o /tmp/pv_mcp_body.json -w "%{http_code}" 2>/dev/null)
@@ -10,6 +10,10 @@ FAIL=0
 # as `Authorization: Bearer <token>`. Capture them here.
 ECHO_TOKEN=""
 SUM_TOKEN=""
+ECHO_AUTH=()
+SUM_AUTH=()
+ECHO_URL="https://example.com/echo-agent"
+SUM_URL="https://example.com/summarizer-agent"

 # AdminAuth-gated calls need a bearer token once any workspace token
 # exists in the DB. ADMIN_TOKEN is populated after the first workspace
@@ -54,8 +58,8 @@ R=$(acurl "$BASE/workspaces")
 check "GET /workspaces (empty)" '[]' "$R"

 # Test 3: Create workspace A (AdminAuth fail-open — no tokens exist yet)
-R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" -d '{"name":"Echo Agent","tier":1}')
-check "POST /workspaces (create echo)" '"status":"provisioning"' "$R"
+R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" -d '{"name":"Echo Agent","tier":1,"runtime":"external","external":true}')
+check "POST /workspaces (create echo)" '"status":"awaiting_agent"' "$R"
 ECHO_ID=$(echo "$R" | python3 -c "import sys,json; print(json.load(sys.stdin)['id'])")

 # Mint a test token so all subsequent AdminAuth-gated calls succeed.
@@ -72,8 +76,8 @@ else
 fi

 # Test 4: Create workspace B (needs bearer — tokens now exist in DB)
-R=$(acurl -X POST "$BASE/workspaces" -H "Content-Type: application/json" -d '{"name":"Summarizer Agent","tier":1}')
-check "POST /workspaces (create summarizer)" '"status":"provisioning"' "$R"
+R=$(acurl -X POST "$BASE/workspaces" -H "Content-Type: application/json" -d '{"name":"Summarizer Agent","tier":1,"runtime":"external","external":true}')
+check "POST /workspaces (create summarizer)" '"status":"awaiting_agent"' "$R"
 SUM_ID=$(echo "$R" | python3 -c "import sys,json; print(json.load(sys.stdin)['id'])")

 # Test 5: List has 2
@@ -90,9 +94,10 @@ check "GET /workspaces/:id (agent_card null)" '"agent_card":null' "$R"
 # endpoint), not the admin token. C18 requires a token issued TO THIS
 # workspace, not just any valid token.
 ECHO_WS_TOKEN=$(curl -s "$BASE/admin/workspaces/$ECHO_ID/test-token" | python3 -c "import sys,json; print(json.load(sys.stdin).get('auth_token',''))" 2>/dev/null || echo "")
+[ -n "$ECHO_WS_TOKEN" ] && ECHO_AUTH=(-H "Authorization: Bearer $ECHO_WS_TOKEN")
 R=$(curl -s -X POST "$BASE/registry/register" -H "Content-Type: application/json" \
-  ${ECHO_WS_TOKEN:+-H "Authorization: Bearer $ECHO_WS_TOKEN"} \
-  -d "{\"id\":\"$ECHO_ID\",\"url\":\"http://localhost:8001\",\"agent_card\":{\"name\":\"Echo Agent\",\"skills\":[{\"id\":\"echo\",\"name\":\"Echo\"}]}}")
+  "${ECHO_AUTH[@]}" \
+  -d "{\"id\":\"$ECHO_ID\",\"url\":\"$ECHO_URL\",\"agent_card\":{\"name\":\"Echo Agent\",\"skills\":[{\"id\":\"echo\",\"name\":\"Echo\"}]}}")
 check "POST /registry/register (echo)" '"status":"registered"' "$R"
 # Extract token from register response; fall back to the test-token we
 # already minted (register may not return a new token on re-registration).
@@ -101,9 +106,10 @@ if [ -z "$ECHO_TOKEN" ]; then ECHO_TOKEN="$ECHO_WS_TOKEN"; fi

 # Test 8: Register summarizer — same pattern: workspace-specific token
 SUM_WS_TOKEN=$(curl -s "$BASE/admin/workspaces/$SUM_ID/test-token" | python3 -c "import sys,json; print(json.load(sys.stdin).get('auth_token',''))" 2>/dev/null || echo "")
+[ -n "$SUM_WS_TOKEN" ] && SUM_AUTH=(-H "Authorization: Bearer $SUM_WS_TOKEN")
 R=$(curl -s -X POST "$BASE/registry/register" -H "Content-Type: application/json" \
-  ${SUM_WS_TOKEN:+-H "Authorization: Bearer $SUM_WS_TOKEN"} \
-  -d "{\"id\":\"$SUM_ID\",\"url\":\"http://localhost:8002\",\"agent_card\":{\"name\":\"Summarizer\",\"skills\":[{\"id\":\"summarize\",\"name\":\"Summarize\"}]}}")
+  "${SUM_AUTH[@]}" \
+  -d "{\"id\":\"$SUM_ID\",\"url\":\"$SUM_URL\",\"agent_card\":{\"name\":\"Summarizer\",\"skills\":[{\"id\":\"summarize\",\"name\":\"Summarize\"}]}}")
 check "POST /registry/register (summarizer)" '"status":"registered"' "$R"
 SUM_TOKEN=$(echo "$R" | e2e_extract_token)
 if [ -z "$SUM_TOKEN" ]; then SUM_TOKEN="$SUM_WS_TOKEN"; fi
@@ -112,7 +118,7 @@ if [ -z "$SUM_TOKEN" ]; then SUM_TOKEN="$SUM_WS_TOKEN"; fi
 R=$(acurl "$BASE/workspaces/$ECHO_ID")
 check "Echo is online" '"status":"online"' "$R"
 check "Echo has agent_card" '"skills"' "$R"
-check "Echo has url" '"url":"http://localhost:8001"' "$R"
+check "Echo has url" "\"url\":\"$ECHO_URL\"" "$R"

 # Test 10: Heartbeat
 R=$(curl -s -X POST "$BASE/registry/heartbeat" -H "Content-Type: application/json" -H "Authorization: Bearer $ECHO_TOKEN" \
@@ -178,7 +184,7 @@ curl -s -X POST "$BASE/registry/heartbeat" -H "Content-Type: application/json" -
 # Re-register to force online status in case liveness expired
 curl -s -X POST "$BASE/registry/register" -H "Content-Type: application/json" \
  -H "Authorization: Bearer $ECHO_TOKEN" \
-  -d "{\"id\":\"$ECHO_ID\",\"url\":\"http://localhost:8001\",\"agent_card\":{\"name\":\"Echo Agent v2\",\"skills\":[{\"id\":\"echo\",\"name\":\"Echo\"},{\"id\":\"repeat\",\"name\":\"Repeat\"}]}}" > /dev/null
+  -d "{\"id\":\"$ECHO_ID\",\"url\":\"$ECHO_URL\",\"agent_card\":{\"name\":\"Echo Agent v2\",\"skills\":[{\"id\":\"echo\",\"name\":\"Echo\"},{\"id\":\"repeat\",\"name\":\"Repeat\"}]}}" > /dev/null

 # Now send high error rate to trigger degraded
 R=$(curl -s -X POST "$BASE/registry/heartbeat" -H "Content-Type: application/json" -H "Authorization: Bearer $ECHO_TOKEN" \
@@ -358,12 +364,17 @@ else
 fi

 # Register the re-imported workspace to verify agent_card round-trips
+NEW_TOKEN=$(curl -s "$BASE/admin/workspaces/$NEW_ID/test-token" | python3 -c "import sys,json; print(json.load(sys.stdin).get('auth_token',''))" 2>/dev/null || echo "")
+NEW_AUTH=()
+[ -n "$NEW_TOKEN" ] && NEW_AUTH=(-H "Authorization: Bearer $NEW_TOKEN")
 R=$(curl -s -X POST "$BASE/registry/register" -H "Content-Type: application/json" \
-  -d "{\"id\":\"$NEW_ID\",\"url\":\"http://localhost:8002\",\"agent_card\":{\"name\":\"Summarizer\",\"skills\":[{\"id\":\"summarize\",\"name\":\"Summarize\"}]}}")
+  "${NEW_AUTH[@]}" \
+  -d "{\"id\":\"$NEW_ID\",\"url\":\"$SUM_URL\",\"agent_card\":{\"name\":\"Summarizer\",\"skills\":[{\"id\":\"summarize\",\"name\":\"Summarize\"}]}}")
 check "Register re-imported workspace" '"status":"registered"' "$R"
 # Capture the fresh token issued to the re-imported workspace.  SUM_TOKEN was
 # revoked when SUM_ID was deleted above — use this one for cleanup instead.
-NEW_TOKEN=$(echo "$R" | e2e_extract_token)
+REG_NEW_TOKEN=$(echo "$R" | e2e_extract_token)
+[ -n "$REG_NEW_TOKEN" ] && NEW_TOKEN="$REG_NEW_TOKEN"

 # Re-export and verify agent_card survives the round-trip (#165 / PR #167 — admin-gated)
 REBUNDLE=$(curl -s "$BASE/bundles/export/$NEW_ID" -H "Authorization: Bearer $NEW_TOKEN")
@@ -0,0 +1,109 @@
+#!/usr/bin/env bash
+set -uo pipefail
+
+SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+# shellcheck disable=SC1091
+# shellcheck source=lib/aws_leak_check.sh
+source "$SCRIPT_DIR/lib/aws_leak_check.sh"
+
+PASS=0
+FAIL=0
+
+TMPDIR_E2E=$(mktemp -d -t aws-leak-check-e2e-XXXXXX)
+trap 'rm -rf "$TMPDIR_E2E"' EXIT INT TERM
+
+make_fake_aws() {
+  local body="$1"
+  mkdir -p "$TMPDIR_E2E/bin"
+  cat > "$TMPDIR_E2E/bin/aws" <<EOF
+#!/usr/bin/env bash
+set -euo pipefail
+echo "\$*" >> "$TMPDIR_E2E/aws.calls"
+$body
+EOF
+  chmod +x "$TMPDIR_E2E/bin/aws"
+}
+
+reset_env() {
+  /bin/rm -f "$TMPDIR_E2E/aws.calls"
+  export PATH="$TMPDIR_E2E/bin:$ORIG_PATH"
+  export AWS_ACCESS_KEY_ID=test-access
+  export AWS_SECRET_ACCESS_KEY=test-secret
+  export AWS_DEFAULT_REGION=us-east-2
+  export E2E_AWS_LEAK_CHECK=required
+  export E2E_AWS_LEAK_CHECK_SECS=0
+  export E2E_AWS_LEAK_CHECK_INTERVAL=1
+  unset E2E_AWS_TERMINATE_LEAKS
+}
+
+assert_rc() {
+  local label="$1"
+  local expected="$2"
+  shift 2
+  local observed
+  "$@" >/tmp/aws-leak-check.out 2>/tmp/aws-leak-check.err
+  observed=$?
+  if [ "$observed" = "$expected" ]; then
+    echo "  PASS $label"
+    PASS=$((PASS + 1))
+  else
+    echo "  FAIL $label: expected rc=$expected observed=$observed" >&2
+    echo "  stderr:" >&2
+    sed 's/^/    /' /tmp/aws-leak-check.err >&2
+    FAIL=$((FAIL + 1))
+  fi
+}
+
+ORIG_PATH="$PATH"
+
+echo "Test: AWS EC2 leak check helper"
+
+reset_env
+/bin/rm -rf "${TMPDIR_E2E:?}/bin"
+/bin/mkdir -p "$TMPDIR_E2E/noaws"
+export PATH="$TMPDIR_E2E/noaws"
+export E2E_AWS_LEAK_CHECK=auto
+assert_rc "auto mode skips when aws is unavailable" 0 e2e_verify_no_ec2_leaks_for_slug e2e-smoke-test
+
+reset_env
+/bin/rm -rf "${TMPDIR_E2E:?}/bin"
+/bin/mkdir -p "$TMPDIR_E2E/noaws"
+export PATH="$TMPDIR_E2E/noaws"
+export E2E_AWS_LEAK_CHECK=required
+assert_rc "required mode fails when aws is unavailable" 2 e2e_verify_no_ec2_leaks_for_slug e2e-smoke-test
+
+reset_env
+# shellcheck disable=SC2016
+make_fake_aws 'if [ "$1 $2" = "ec2 describe-instances" ]; then exit 0; fi'
+assert_rc "no matching EC2 returns clean" 0 e2e_verify_no_ec2_leaks_for_slug e2e-smoke-test
+
+reset_env
+# shellcheck disable=SC2016
+make_fake_aws 'if [ "$1 $2" = "ec2 describe-instances" ]; then echo "i-123 running ws-tenant-e2e-smoke-test-abc"; exit 0; fi'
+assert_rc "persistent matching EC2 is a leak" 4 e2e_verify_no_ec2_leaks_for_slug e2e-smoke-test
+
+reset_env
+export E2E_AWS_TERMINATE_LEAKS=1
+# shellcheck disable=SC2016
+make_fake_aws '
+if [ "$1 $2" = "ec2 describe-instances" ]; then
+  echo "i-123 running ws-tenant-e2e-smoke-test-abc"
+  exit 0
+fi
+if [ "$1 $2" = "ec2 terminate-instances" ]; then
+  echo "terminated" >/dev/null
+  exit 0
+fi
+'
+assert_rc "terminate mode attempts cleanup before returning leak" 4 e2e_verify_no_ec2_leaks_for_slug e2e-smoke-test
+if grep -q "terminate-instances" "$TMPDIR_E2E/aws.calls"; then
+  echo "  PASS terminate-instances was called"
+  PASS=$((PASS + 1))
+else
+  echo "  FAIL terminate-instances was not called" >&2
+  FAIL=$((FAIL + 1))
+fi
+
+echo
+echo "passed=$PASS failed=$FAIL"
+[ "$FAIL" = "0" ]
@@ -16,7 +16,7 @@ set -uo pipefail
 # Resolve to the lib relative to this test file so the test runs from
 # any cwd (CI, local invocation, repo root).
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-# shellcheck source=lib/model_slug.sh
+# shellcheck source=tests/e2e/lib/model_slug.sh
 source "$SCRIPT_DIR/lib/model_slug.sh"

 PASS=0
@@ -48,7 +48,16 @@ echo
 # ── Per-runtime branches (the load-bearing ones for synth-E2E) ──
 run_test "hermes → slash-form (derive-provider.sh contract)"       hermes      "openai/gpt-4o"
 run_test "langgraph → colon-form (init_chat_model contract)"       langgraph   "openai:gpt-4o"
-run_test "claude-code → bare model name (entry-id form)"           claude-code "sonnet"
+run_test "claude-code → OAuth/default alias"                      claude-code "sonnet"
+
+got=$(unset E2E_MODEL_SLUG E2E_ANTHROPIC_API_KEY; E2E_MINIMAX_API_KEY="mx-test" pick_model_slug claude-code)
+assert_eq "claude-code + MiniMax key → MiniMax model"             "$got" "MiniMax-M2"
+
+got=$(unset E2E_MODEL_SLUG E2E_MINIMAX_API_KEY; E2E_ANTHROPIC_API_KEY="sk-ant-test" pick_model_slug claude-code)
+assert_eq "claude-code + Anthropic API key → Anthropic API model" "$got" "claude-sonnet-4-6"
+
+got=$(unset E2E_MODEL_SLUG; E2E_MINIMAX_API_KEY="mx-priority" E2E_ANTHROPIC_API_KEY="sk-ant-loser" pick_model_slug claude-code)
+assert_eq "claude-code + both keys → MiniMax priority"            "$got" "MiniMax-M2"

 # ── Fallback for unknown runtime ──
 # Picks slash-form (hermes-shaped) since hermes is the historical
@@ -24,7 +24,8 @@
 #
 # Only PROVISIONING differs from staging:
 #   - staging: POST /cp/admin/orgs (cold EC2 tenant) + per-tenant admin
-#     token + each workspace's auth_token from the POST /workspaces resp.
+#     token + each workspace's MCP bearer from create response or an admin
+#     token-mint fallback.
 #   - local:   POST /workspaces directly against the local stack
 #     (BASE, default http://localhost:8080), MCP bearer minted via
 #     GET /admin/workspaces/:id/test-token (e2e_mint_test_token —
@@ -32,17 +33,22 @@
 #     every other local E2E (test_priority_runtimes_e2e.sh,
 #     test_api.sh) already uses; no new credential/provision flow.
 #
-# It is written to FAIL on today's broken Hermes/OpenClaw behavior and go
-# green only when the in-flight root-cause fixes (Hermes-401 #162,
-# OpenClaw-never-online/MCP-wiring #165) actually land — same gate
-# semantics + exit codes as the staging script. NON-required by design
-# until then (flip-to-required tracked at molecule-core#1296), and NOT
-# masked with continue-on-error (feedback_fix_root_not_symptom).
+# By default the local backend creates external-mode workspace rows and
+# drives the literal MCP path directly. That keeps the local peer-visibility
+# gate focused on platform auth + MCP list_peers semantics instead of local
+# template container boot/heartbeat. Set PV_LOCAL_PROVISION_MODE=container
+# for targeted runtime-boot debugging. NON-required by design until the
+# flip-to-required tracked at molecule-core#1296, and NOT masked with
+# continue-on-error (feedback_fix_root_not_symptom).
 #
 # Required env: none (local stack only).
 # Optional env:
 #   BASE                    default http://localhost:8080
 #   PV_RUNTIMES             space list; default "hermes openclaw claude-code"
+#   PV_LOCAL_PROVISION_MODE default external; set container to also require
+#                            local template containers to boot online
+#   PV_PARENT_RUNTIME       parent runtime; default claude-code when keyed,
+#                            otherwise first keyed runtime in PV_RUNTIMES
 #   E2E_PROVISION_TIMEOUT_SECS  per-workspace online budget; default 900
 #                            (hermes cold apt+uv is the slow path locally)
 #   E2E_KEEP_WS             1 → skip teardown (local debugging only)
@@ -68,6 +74,7 @@ source "$(dirname "$0")/_lib.sh"
 source "$(dirname "$0")/lib/peer_visibility_assert.sh"

 PV_RUNTIMES="${PV_RUNTIMES:-hermes openclaw claude-code}"
+PV_LOCAL_PROVISION_MODE="${PV_LOCAL_PROVISION_MODE:-external}"
 PROVISION_TIMEOUT_SECS="${E2E_PROVISION_TIMEOUT_SECS:-900}"
 NAME_PREFIX="PV-Local-$$-$(date +%H%M%S)"

@@ -75,6 +82,9 @@ log()  { echo "[$(date +%H:%M:%S)] $*"; }
 ok()   { echo "[$(date +%H:%M:%S)] ✅ $*"; }

 CREATED_WSIDS=()
+ADMIN_BEARER="${MOLECULE_ADMIN_TOKEN:-${ADMIN_TOKEN:-}}"
+ADMIN_AUTH=()
+[ -n "$ADMIN_BEARER" ] && ADMIN_AUTH=(-H "Authorization: Bearer $ADMIN_BEARER")

 # ─── Scoped teardown ───────────────────────────────────────────────────
 # Deletes ONLY the workspaces THIS run created (tracked in CREATED_WSIDS),
@@ -94,7 +104,7 @@ teardown() {
  log "[teardown] deleting ${#CREATED_WSIDS[@]} workspace(s) this run created (scoped)"
  for wid in ${CREATED_WSIDS[@]+"${CREATED_WSIDS[@]}"}; do
    [ -n "$wid" ] || continue
-    curl -s -X DELETE "$BASE/workspaces/$wid?confirm=true" >/dev/null 2>&1 || true
+    curl -s -X DELETE "$BASE/workspaces/$wid?confirm=true" ${ADMIN_AUTH[@]+"${ADMIN_AUTH[@]}"} >/dev/null 2>&1 || true
  done
  exit $rc
 }
@@ -103,7 +113,7 @@ trap teardown EXIT INT TERM
 # Pre-sweep workspaces a prior crashed run of THIS script left behind
 # (name prefix match only — never a blanket delete). The trap fires on
 # normal exit, but a kill -9 / SIGPIPE can bypass it.
-PRIOR=$(curl -s "$BASE/workspaces" | python3 -c '
+PRIOR=$(curl -s "$BASE/workspaces" ${ADMIN_AUTH[@]+"${ADMIN_AUTH[@]}"} | python3 -c '
 import json, sys
 try:
    print(" ".join(w["id"] for w in json.load(sys.stdin) if w.get("name","").startswith("PV-Local-")))
@@ -112,7 +122,7 @@ except Exception:
 ' 2>/dev/null)
 for _wid in $PRIOR; do
  log "Pre-sweeping prior PV-Local workspace: $_wid"
-  curl -s -X DELETE "$BASE/workspaces/$_wid?confirm=true" >/dev/null 2>&1 || true
+  curl -s -X DELETE "$BASE/workspaces/$_wid?confirm=true" ${ADMIN_AUTH[@]+"${ADMIN_AUTH[@]}"} >/dev/null 2>&1 || true
 done

 # ─── Local-stack preflight ─────────────────────────────────────────────
@@ -123,10 +133,10 @@ if ! curl -fsS "$BASE/health" -m 5 >/dev/null 2>&1; then
 fi
 # admin/test-token is the local MCP-bearer mint path; it 404s in
 # production. If it is off, this gate cannot drive the literal call.
-if ! curl -fsS "$BASE/admin/workspaces/preflight-probe/test-token" -m 5 >/dev/null 2>&1; then
+if ! curl -fsS "$BASE/admin/workspaces/preflight-probe/test-token" ${ADMIN_AUTH[@]+"${ADMIN_AUTH[@]}"} -m 5 >/dev/null 2>&1; then
  # A 404 here is EITHER "no such ws" (fine — endpoint is enabled) OR the
  # endpoint is disabled (MOLECULE_ENV=production). Distinguish by body.
-  PROBE=$(curl -s "$BASE/admin/workspaces/preflight-probe/test-token" -m 5 2>/dev/null)
+  PROBE=$(curl -s "$BASE/admin/workspaces/preflight-probe/test-token" ${ADMIN_AUTH[@]+"${ADMIN_AUTH[@]}"} -m 5 2>/dev/null)
  if echo "$PROBE" | grep -qi 'production\|disabled\|not found.*endpoint'; then
    echo "::error::GET /admin/workspaces/:id/test-token disabled (MOLECULE_ENV=production?). Cannot mint a local MCP bearer." >&2
    exit 1
@@ -164,6 +174,28 @@ runtime_secrets() {
  esac
 }

+choose_parent_runtime() {
+  local rt
+  if [ -n "${PV_PARENT_RUNTIME:-}" ]; then
+    runtime_secrets "$PV_PARENT_RUNTIME" >/dev/null || return 1
+    echo "$PV_PARENT_RUNTIME"
+    return 0
+  fi
+
+  if runtime_secrets claude-code >/dev/null; then
+    echo "claude-code"
+    return 0
+  fi
+
+  for rt in $PV_RUNTIMES; do
+    if runtime_secrets "$rt" >/dev/null; then
+      echo "$rt"
+      return 0
+    fi
+  done
+  return 1
+}
+
 # Block until $1 reaches one of $2 (space-separated), or $3 sec elapse.
 wait_for_status() {
  local wsid="$1" want="$2" budget="$3" start=$SECONDS last=""
@@ -182,27 +214,42 @@ except Exception:
  return 1
 }

-# ─── 1. Provision parent (claude-code) + one sibling per runtime ───────
-# Same topology as the staging script: a claude-code parent plus one
-# sibling per runtime under test, so each runtime should see all others.
-log "1/5 provisioning parent (claude-code) + one sibling per runtime under test..."
-
-PARENT_SECRETS=$(runtime_secrets claude-code) || PARENT_SECRETS=""
-if [ -z "$PARENT_SECRETS" ]; then
-  # Parent still needs to exist as a peer target even without an LLM key;
-  # it never has to answer list_peers itself (it is excluded from the
-  # caller set), so an empty-secrets claude-code shell is sufficient.
+# ─── 1. Provision parent + one sibling per runtime ──────────────────────
+# Same topology as the staging script: one parent plus one sibling per
+# runtime under test, so each runtime should see all others. The default
+# local backend uses external-mode rows because the literal MCP list_peers
+# path is platform-local and must not depend on local template boot/heartbeat.
+if [ "$PV_LOCAL_PROVISION_MODE" = "external" ]; then
+  PARENT_RUNTIME="external"
  PARENT_SECRETS="{}"
+  PARENT_EXTRA=',"external":true'
+else
+  # Container mode is still available for local runtime-boot debugging.
+  # Prefer a claude-code parent for staging parity, but local CI is
+  # intentionally allowed to be partially keyed; an unkeyed parent can
+  # never heartbeat.
+  PARENT_RUNTIME=$(choose_parent_runtime) || {
+    echo "::error::No keyed runtime available for parent — cannot run the local peer-visibility gate. Set CLAUDE_CODE_OAUTH_TOKEN and/or E2E_MINIMAX_API_KEY (or ANTHROPIC/OPENAI)." >&2
+    exit 1
+  }
+  PARENT_SECRETS=$(runtime_secrets "$PARENT_RUNTIME") || PARENT_SECRETS=""
+  if [ -z "$PARENT_SECRETS" ]; then
+    echo "::error::parent runtime $PARENT_RUNTIME has no provider secrets" >&2
+    exit 1
+  fi
+  PARENT_EXTRA=""
 fi
-P_RESP=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" \
-  -d "{\"name\":\"${NAME_PREFIX}-parent\",\"runtime\":\"claude-code\",\"tier\":3,\"secrets\":$PARENT_SECRETS}")
+log "1/5 provisioning parent ($PARENT_RUNTIME, mode=$PV_LOCAL_PROVISION_MODE) + one sibling per runtime under test..."
+
+P_RESP=$(curl -s -X POST "$BASE/workspaces" ${ADMIN_AUTH[@]+"${ADMIN_AUTH[@]}"} -H "Content-Type: application/json" \
+  -d "{\"name\":\"${NAME_PREFIX}-parent\",\"runtime\":\"$PARENT_RUNTIME\",\"tier\":3$PARENT_EXTRA,\"secrets\":$PARENT_SECRETS}")
 PARENT_ID=$(echo "$P_RESP" | python3 -c 'import json,sys;print(json.load(sys.stdin).get("id",""))' 2>/dev/null)
 if [ -z "$PARENT_ID" ]; then
  echo "::error::parent create failed: $(echo "$P_RESP" | head -c 300)" >&2
  exit 1
 fi
 CREATED_WSIDS+=("$PARENT_ID")
-log "    PARENT_ID=$PARENT_ID"
+log "    PARENT_ID=$PARENT_ID runtime=$PARENT_RUNTIME"

 # NOTE: no `declare -A` — this script must also run on a local macOS dev
 # box (bash 3.2, no associative arrays) per feedback_local_must_mimic_
@@ -231,13 +278,21 @@ _map_get() { # _map_get <mapvarname> <key>  -> stdout value (empty if absent)
 ALL_WS_IDS="$PARENT_ID"
 ACTIVE_RUNTIMES=""
 for rt in $PV_RUNTIMES; do
-  SEC=$(runtime_secrets "$rt") || SEC=""
-  if [ -z "$SEC" ]; then
-    log "    SKIP $rt — no provider key in env (partially-keyed local env; not a failure)"
-    continue
+  if [ "$PV_LOCAL_PROVISION_MODE" = "external" ]; then
+    SEC="{}"
+    CREATE_RUNTIME="external"
+    CREATE_EXTRA=',"external":true'
+  else
+    SEC=$(runtime_secrets "$rt") || SEC=""
+    if [ -z "$SEC" ]; then
+      log "    SKIP $rt — no provider key in env (partially-keyed local env; not a failure)"
+      continue
+    fi
+    CREATE_RUNTIME="$rt"
+    CREATE_EXTRA=""
  fi
-  R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" \
-    -d "{\"name\":\"${NAME_PREFIX}-$rt\",\"runtime\":\"$rt\",\"tier\":2,\"parent_id\":\"$PARENT_ID\",\"secrets\":$SEC}")
+  R=$(curl -s -X POST "$BASE/workspaces" ${ADMIN_AUTH[@]+"${ADMIN_AUTH[@]}"} -H "Content-Type: application/json" \
+    -d "{\"name\":\"${NAME_PREFIX}-$rt\",\"runtime\":\"$CREATE_RUNTIME\",\"tier\":2,\"parent_id\":\"$PARENT_ID\"$CREATE_EXTRA,\"secrets\":$SEC}")
  WID=$(echo "$R" | python3 -c 'import json,sys;print(json.load(sys.stdin).get("id",""))' 2>/dev/null)
  if [ -z "$WID" ]; then
    echo "::error::$rt workspace create failed: $(echo "$R" | head -c 300)" >&2
@@ -257,32 +312,40 @@ if [ -z "$ACTIVE_RUNTIMES" ]; then
 fi

 # ─── 2. Wait for the parent online (it is a peer target) ───────────────
-log "2/5 waiting for parent online (peer target)..."
-PF=$(wait_for_status "$PARENT_ID" "online" "$PROVISION_TIMEOUT_SECS") || true
-if [ "$PF" != "online" ]; then
-  echo "::error::parent ($PARENT_ID) never reached online (last=$PF) within ${PROVISION_TIMEOUT_SECS}s" >&2
-  exit 3
-fi
-ok "    parent online"
-
-# ─── 3. Wait for every sibling online ──────────────────────────────────
-# A runtime that never comes online locally is itself a finding: it
-# reproduces the openclaw-never-online class (#165) on the local stack.
-log "3/5 waiting for all siblings online (up to ${PROVISION_TIMEOUT_SECS}s each — cold boot)..."
 REGRESSED=0
 ONLINE_RUNTIMES=""
-for rt in $ACTIVE_RUNTIMES; do
-  wid="$(_map_get WS_IDS_MAP "$rt")"
-  S=$(wait_for_status "$wid" "online" "$PROVISION_TIMEOUT_SECS") || true
-  if [ "$S" != "online" ]; then
-    echo "  ✗ $rt ($wid): never reached online (last=$S) — reproduces the never-online class locally"
-    _map_set VERDICT_MAP "$rt" "FAIL(never-online:last=$S)"
-    REGRESSED=1
-    continue
+if [ "$PV_LOCAL_PROVISION_MODE" = "external" ]; then
+  log "2/5 external-mode local backend: parent is awaiting_agent; no container-online wait needed"
+  ok "    parent created"
+  log "3/5 external-mode local backend: siblings are awaiting_agent; driving MCP directly"
+  ONLINE_RUNTIMES="$ACTIVE_RUNTIMES"
+else
+  log "2/5 waiting for parent online (peer target)..."
+  PF=$(wait_for_status "$PARENT_ID" "online" "$PROVISION_TIMEOUT_SECS") || true
+  if [ "$PF" != "online" ]; then
+    echo "::error::parent ($PARENT_ID) never reached online (last=$PF) within ${PROVISION_TIMEOUT_SECS}s" >&2
+    exit 3
  fi
-  ok "    $rt online"
-  ONLINE_RUNTIMES="$ONLINE_RUNTIMES $rt"
-done
+  ok "    parent online"
+
+  # ─── 3. Wait for every sibling online ──────────────────────────────────
+  # A runtime that never comes online locally is itself a finding in
+  # container mode. The default external mode keeps this gate focused on
+  # literal MCP peer visibility.
+  log "3/5 waiting for all siblings online (up to ${PROVISION_TIMEOUT_SECS}s each — cold boot)..."
+  for rt in $ACTIVE_RUNTIMES; do
+    wid="$(_map_get WS_IDS_MAP "$rt")"
+    S=$(wait_for_status "$wid" "online" "$PROVISION_TIMEOUT_SECS") || true
+    if [ "$S" != "online" ]; then
+      echo "  ✗ $rt ($wid): never reached online (last=$S) — reproduces the never-online class locally"
+      _map_set VERDICT_MAP "$rt" "FAIL(never-online:last=$S)"
+      REGRESSED=1
+      continue
+    fi
+    ok "    $rt online"
+    ONLINE_RUNTIMES="$ONLINE_RUNTIMES $rt"
+  done
+fi

 # ─── 4. THE GATE — literal mcp_molecule_list_peers via POST /:id/mcp ────
 # Shared, byte-identical assertion. Local passes "" for the org id (the
@@ -40,8 +40,10 @@
 #   drives: POST /cp/admin/orgs (provision), GET
 #   /cp/admin/orgs/:slug/admin-token (per-tenant token), DELETE
 #   /cp/admin/tenants/:slug (teardown). The per-tenant admin token drives
-#   tenant workspace creation; each workspace's OWN auth_token (returned by
-#   POST /workspaces) drives its MCP call.
+#   tenant workspace creation; each workspace's OWN auth_token drives its
+#   MCP call. External-like runtimes may return the token in POST
+#   /workspaces; managed container runtimes usually require the admin token
+#   mint fallback below.
 #
 # Required env:
 #   MOLECULE_ADMIN_TOKEN   CP admin bearer — Railway staging CP_ADMIN_API_TOKEN
@@ -52,6 +54,9 @@
 #   E2E_PROVISION_TIMEOUT_SECS  default 1800 (hermes/openclaw cold EC2 budget)
 #   E2E_MINIMAX_API_KEY / E2E_ANTHROPIC_API_KEY / E2E_OPENAI_API_KEY
 #                          LLM provider key injected so the runtime can boot
+#   PV_TOKEN_DIAGNOSTIC_ONLY
+#                          1 -> stop after create/token acquisition. Useful
+#                          to classify Hermes-only vs shared auth-route issues.
 #   E2E_KEEP_ORG           1 → skip teardown (local debugging only)
 #
 # Exit codes:
@@ -104,6 +109,46 @@ tenant_call() {
    -H "Content-Type: application/json" "$@"
 }

+tenant_call_capture() {
+  local method="$1" path="$2" out="$3"; shift 3
+  curl -sS -o "$out" -w "%{http_code}" -X "$method" "$TENANT_URL$path" \
+    -H "Authorization: Bearer $TENANT_TOKEN" \
+    -H "X-Molecule-Org-Id: $ORG_ID" \
+    -H "Content-Type: application/json" "$@"
+}
+
+redact_token_body() {
+  python3 -c '
+import json, re, sys
+raw = sys.stdin.read()
+try:
+    data = json.loads(raw)
+except Exception:
+    print(re.sub(r"(?i)([a-z0-9_]*token)=([^&\\s]+)", r"\1=<redacted>", raw)[:500])
+    raise SystemExit(0)
+
+def scrub(v):
+    if isinstance(v, dict):
+        return {k: ("<redacted>" if "token" in k.lower() else scrub(val)) for k, val in v.items()}
+    if isinstance(v, list):
+        return [scrub(x) for x in v]
+    return v
+
+print(json.dumps(scrub(data), separators=(",", ":"))[:500])
+'
+}
+
+extract_auth_token() {
+  python3 -c "
+import sys, json
+try:
+    d = json.load(sys.stdin)
+except Exception:
+    print(''); sys.exit(0)
+print(d.get('auth_token') or d.get('connection', {}).get('auth_token') or '')
+" 2>/dev/null
+}
+
 # ─── Scoped teardown ───────────────────────────────────────────────────
 # Deletes ONLY the org this run created (DELETE /cp/admin/tenants/$SLUG
 # with the {"confirm":$SLUG} fat-finger guard). Never a cluster-wide
@@ -190,6 +235,12 @@ for i in $(seq 1 120); do
  curl -fsS "$TENANT_URL/health" -m 5 -k >/dev/null 2>&1 && { log "    /health ok (attempt $i)"; break; }
  sleep 5
 done
+BUILDINFO=$(curl -fsS "$TENANT_URL/buildinfo" -m 10 2>/dev/null || true)
+if [ -n "$BUILDINFO" ]; then
+  log "    tenant buildinfo: $(echo "$BUILDINFO" | head -c 300)"
+else
+  log "    tenant buildinfo unavailable"
+fi

 # ─── 4. Provision the parent + one sibling per runtime under test ──────
 # Inject the LLM provider key so each runtime can authenticate at boot.
@@ -214,26 +265,49 @@ log "    PARENT_ID=$PARENT_ID"
 # WS_IDS[runtime]=id ; WS_TOKENS[runtime]=auth_token (the MCP bearer)
 declare -A WS_IDS WS_TOKENS
 ALL_WS_IDS="$PARENT_ID"
+TOKEN_ERRORS=0
+TOKEN_ERROR_SUMMARY=""
 for rt in $PV_RUNTIMES; do
  R=$(tenant_call POST /workspaces \
    -d "{\"name\":\"pv-$rt\",\"runtime\":\"$rt\",\"tier\":2,\"parent_id\":\"$PARENT_ID\",\"secrets\":$SECRETS_JSON}")
  WID=$(echo "$R" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null)
-  # auth_token is top-level for container runtimes; external-like nest it
-  # under connection.auth_token (verified vs staging response shape).
-  WTOK=$(echo "$R" | python3 -c "
-import sys, json
-try: d = json.load(sys.stdin)
-except Exception: print(''); sys.exit(0)
-print(d.get('auth_token') or d.get('connection', {}).get('auth_token') or '')
-" 2>/dev/null)
+  # External-like runtimes may return connection.auth_token on create.
+  # Managed container runtimes usually return only id/status here, then
+  # receive their bearer through registry/bootstrap; for this literal MCP
+  # driver we mint through the production-safe admin token route below.
+  WTOK=$(echo "$R" | extract_auth_token)
  [ -n "$WID" ] || fail "$rt workspace create failed: $(echo "$R" | head -c 300)"
-  [ -n "$WTOK" ] || fail "$rt workspace did not return an auth_token — cannot drive its MCP call (resp: $(echo "$R" | head -c 300))"
+  TOKEN_DIAG=""
+  if [ -z "$WTOK" ]; then
+    TTOK_FILE=$(mktemp)
+    TTOK_CODE=$(tenant_call_capture POST "/admin/workspaces/$WID/tokens" "$TTOK_FILE" 2>/dev/null || echo "curl_error")
+    TTOK_RESP=$(cat "$TTOK_FILE" 2>/dev/null || true)
+    WTOK=$(echo "$TTOK_RESP" | extract_auth_token)
+    TOKEN_DIAG="POST /admin/workspaces/$WID/tokens -> HTTP $TTOK_CODE body: $(echo "$TTOK_RESP" | redact_token_body)"
+    rm -f "$TTOK_FILE"
+  fi
  WS_IDS[$rt]="$WID"
+  if [ -z "$WTOK" ]; then
+    TOKEN_ERRORS=$((TOKEN_ERRORS + 1))
+    TOKEN_ERROR_SUMMARY="${TOKEN_ERROR_SUMMARY}
+[$rt] workspace did not return or mint an auth_token — cannot drive its MCP call (workspace_id=$WID; create_resp: $(echo "$R" | redact_token_body); token_fallbacks: $TOKEN_DIAG)"
+    log "    $rt → $WID (token acquisition failed; continuing to classify other runtimes)"
+    continue
+  fi
  WS_TOKENS[$rt]="$WTOK"
  ALL_WS_IDS="$ALL_WS_IDS $WID"
  log "    $rt → $WID"
 done

+if [ "$TOKEN_ERRORS" -gt 0 ]; then
+  fail "token acquisition failed for $TOKEN_ERRORS runtime(s):$TOKEN_ERROR_SUMMARY"
+fi
+
+if [ "${PV_TOKEN_DIAGNOSTIC_ONLY:-0}" = "1" ]; then
+  ok "token diagnostic passed for runtimes: $PV_RUNTIMES"
+  exit 0
+fi
+
 # ─── 5. Wait for every sibling online ──────────────────────────────────
 log "5/6 waiting for all workspaces status=online (up to ${PROVISION_TIMEOUT_SECS}s — cold boot)..."
 WS_DEADLINE=$(( $(date +%s) + PROVISION_TIMEOUT_SECS ))
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+# Staging E2E diagnostic — classify peer-visibility token acquisition.
+#
+# This is intentionally narrower than test_peer_visibility_mcp_staging.sh:
+# it provisions the same throwaway org, creates managed sibling workspaces,
+# and stops immediately after auth_token acquisition. The default runtime set
+# compares hermes with claude-code so a failure is easy to classify:
+#   - hermes fails, claude-code passes -> Hermes/runtime-specific
+#   - both fail                         -> shared admin/auth/proxy route
+#
+# Required env matches test_peer_visibility_mcp_staging.sh:
+#   MOLECULE_ADMIN_TOKEN
+# Optional:
+#   MOLECULE_CP_URL, E2E_RUN_ID, PV_RUNTIMES, E2E_KEEP_ORG,
+#   E2E_MINIMAX_API_KEY / E2E_ANTHROPIC_API_KEY / E2E_OPENAI_API_KEY
+
+set -euo pipefail
+
+export PV_RUNTIMES="${PV_RUNTIMES:-hermes claude-code}"
+export PV_TOKEN_DIAGNOSTIC_ONLY=1
+
+exec "$(dirname "${BASH_SOURCE[0]}")/test_peer_visibility_mcp_staging.sh"
@@ -179,8 +179,14 @@ echo "--- Phase 3.5: Python parser classifies real server response (#2967) ---"
 PARSE_RESULT=$(WORKSPACE_ID="00000000-0000-0000-0000-000000000001" \
  python3 -c "
 import json, sys
-sys.path.insert(0, '$(cd "$(dirname "$0")/../../workspace" && pwd)')
-import a2a_response
+try:
+    from molecule_runtime import a2a_response
+except ModuleNotFoundError as exc:
+    raise SystemExit(
+        'molecule-ai-workspace-runtime is required for poll-mode parser '
+        'coverage; install it from the Gitea package registry before running '
+        'this E2E'
+    ) from exc
 data = json.loads(r'''$A2A_RESP''')
 v = a2a_response.parse(data)
 print(type(v).__name__)
@@ -25,6 +25,11 @@
 # Optional env:
 #   E2E_RUNTIME                  hermes (default) | claude-code | langgraph
 #   E2E_PROVISION_TIMEOUT_SECS   default 900 (15 min cold EC2 budget)
+#   E2E_WORKSPACE_ONLINE_TIMEOUT_SECS  default 3600 (60 min — hermes
+#                                cold-boot worst-case + slack). Raised from
+#                                1800 (#1646) because flaky tenant-provisioning
+#                                latency (not a code regression) causes
+#                                alternating pass/fail on identical SHAs.
 #   E2E_KEEP_ORG                 1 → skip teardown (debugging only)
 #   E2E_RUN_ID                   Slug suffix; CI: ${GITHUB_RUN_ID}
 #   E2E_MODE                     full (default) | smoke
@@ -32,6 +37,11 @@
 #                                 mapped to `smoke` for back-compat with
 #                                 any in-flight runner picking up an older
 #                                 workflow checkout)
+#   E2E_AWS_LEAK_CHECK           auto (default) | required | off
+#                                required in CI so teardown cannot report
+#                                clean while slug-tagged EC2 remains alive
+#   E2E_AWS_TERMINATE_LEAKS      1 → terminate slug-tagged leaked EC2 before
+#                                exiting 4
 #   E2E_INTENTIONAL_FAILURE      1 → poison tenant token mid-run so the
 #                                script fails; the EXIT trap MUST still
 #                                tear down cleanly (and exit 4 on leak).
@@ -51,6 +61,7 @@ CP_URL="${MOLECULE_CP_URL:-https://staging-api.moleculesai.app}"
 ADMIN_TOKEN="${MOLECULE_ADMIN_TOKEN:?MOLECULE_ADMIN_TOKEN required — Railway staging CP_ADMIN_API_TOKEN}"
 RUNTIME="${E2E_RUNTIME:-hermes}"
 PROVISION_TIMEOUT_SECS="${E2E_PROVISION_TIMEOUT_SECS:-900}"
+WORKSPACE_ONLINE_TIMEOUT_SECS="${E2E_WORKSPACE_ONLINE_TIMEOUT_SECS:-3600}"
 RUN_ID_SUFFIX="${E2E_RUN_ID:-$(date +%H%M%S)-$$}"
 MODE="${E2E_MODE:-full}"
 # `canary` is a legacy alias for `smoke` retained for back-compat with
@@ -82,8 +93,12 @@ ok()   { echo "[$(date +%H:%M:%S)] ✅ $*"; }
 # Per-runtime model slug dispatch — see lib/model_slug.sh for the rationale.
 # Extracted so unit tests (tests/e2e/test_model_slug.sh) can pin every branch
 # without booting the full 11-step lifecycle.
+# shellcheck disable=SC1091
 # shellcheck source=lib/model_slug.sh
 source "$(dirname "$0")/lib/model_slug.sh"
+# shellcheck disable=SC1091
+# shellcheck source=lib/aws_leak_check.sh
+source "$(dirname "$0")/lib/aws_leak_check.sh"

 CURL_COMMON=(-sS --fail-with-body --max-time 30)

@@ -119,12 +134,14 @@ cleanup_org() {
  #      DELETE returns 5xx mid-cascade and the cascade finishes anyway,
  #      and the case where DELETE legitimately exceeds 120s and we want
  #      eventual-consistency confirmation.
-  curl "${CURL_COMMON[@]}" --max-time 120 -X DELETE "$CP_URL/cp/admin/tenants/$SLUG" \
+  if curl "${CURL_COMMON[@]}" --max-time 120 -X DELETE "$CP_URL/cp/admin/tenants/$SLUG" \
    -H "Authorization: Bearer $ADMIN_TOKEN" \
    -H "Content-Type: application/json" \
-    -d "{\"confirm\":\"$SLUG\"}" >/dev/null 2>&1 \
-    && ok "Teardown request accepted" \
-    || log "Teardown returned non-2xx (may already be gone)"
+    -d "{\"confirm\":\"$SLUG\"}" >/dev/null 2>&1; then
+    ok "Teardown request accepted"
+  else
+    log "Teardown returned non-2xx (may already be gone)"
+  fi

  local leak_count=1
  local elapsed=0
@@ -144,7 +161,15 @@ cleanup_org() {
    echo "⚠️  LEAK: org $SLUG still present post-teardown after ${elapsed}s (count=$leak_count)" >&2
    exit 4
  fi
-  ok "Teardown clean — no orphan resources for $SLUG (${elapsed}s)"
+  local aws_leak_rc=0
+  e2e_verify_no_ec2_leaks_for_slug "$SLUG" || aws_leak_rc=$?
+  if [ "$aws_leak_rc" != "0" ]; then
+    case "$aws_leak_rc" in
+      2) exit 2 ;;
+      *) exit 4 ;;
+    esac
+  fi
+  ok "Teardown clean — no orphan org or EC2 resources for $SLUG (${elapsed}s)"

  # Normalize unexpected upstream exit codes to 1 (generic failure). The
  # script's documented contract (header "Exit codes" section) only emits
@@ -331,6 +356,75 @@ tenant_call() {
    "$@"
 }

+sanitize_http_body() {
+  python3 -c '
+import re, sys
+s = sys.stdin.read()
+s = re.sub(r"(?i)(Authorization:\s*Bearer\s+)[A-Za-z0-9._~+/=-]+", r"\1[redacted]", s)
+s = re.sub(r"(?i)(\"(?:auth_token|access_token|refresh_token|token|api_key|secret|password)\"\s*:\s*\")[^\"]+\"", r"\1[redacted]\"", s)
+s = re.sub(r"(?i)((?:auth_token|access_token|refresh_token|api_key|secret|password)=)[^&\s]+", r"\1[redacted]", s)
+print(s[:4000])
+'
+}
+
+wait_workspaces_online_routable() {
+  local label="$1"; shift
+  local deadline=$(( $(date +%s) + WORKSPACE_ONLINE_TIMEOUT_SECS ))
+  local wid ws_last_status ws_last_url ws_url_missing_logged ws_failed_logged
+  local ws_json ws_status ws_url ws_last_err
+
+  log "$label"
+  for wid in "$@"; do
+    ws_last_status=""
+    ws_last_url=""
+    ws_url_missing_logged=0
+    ws_failed_logged=0
+    while true; do
+      if [ "$(date +%s)" -gt "$deadline" ]; then
+        ws_last_err=$(tenant_call GET "/workspaces/$wid" 2>/dev/null | \
+          python3 -c "import json,sys; print(json.load(sys.stdin).get('last_sample_error',''))" 2>/dev/null || echo "")
+        fail "Workspace $wid never reached online with a routable URL within ${WORKSPACE_ONLINE_TIMEOUT_SECS}s (~$((WORKSPACE_ONLINE_TIMEOUT_SECS/60)) min) (last status=$ws_last_status, url=$ws_last_url, err=$ws_last_err)"
+      fi
+      ws_json=$(tenant_call GET "/workspaces/$wid" 2>/dev/null || echo '{}')
+      ws_status=$(echo "$ws_json" | python3 -c "import json,sys; print(json.load(sys.stdin).get('status') or '')" 2>/dev/null)
+      ws_url=$(echo "$ws_json" | python3 -c "import json,sys; print(json.load(sys.stdin).get('url') or '')" 2>/dev/null)
+      if [ "$ws_status" != "$ws_last_status" ]; then
+        log "    $wid → $ws_status"
+        ws_last_status="$ws_status"
+      fi
+      if [ -n "$ws_url" ] && [ "$ws_url" != "$ws_last_url" ]; then
+        log "    $wid url ready: $ws_url"
+        ws_last_url="$ws_url"
+      fi
+      case "$ws_status" in
+        online)
+          if [ -n "$ws_url" ]; then
+            break
+          fi
+          if [ "$ws_url_missing_logged" = "0" ]; then
+            log "    $wid online but URL is not assigned yet — waiting for workspace routing readiness"
+            ws_url_missing_logged=1
+          fi
+          sleep 10
+          ;;
+        failed)
+          # Not a hard fail — bootstrap-watcher frequently marks failed at
+          # 5 min on hermes, then heartbeat recovers to online around 10-13
+          # min when install.sh finishes. Log once per workspace so the CI
+          # output isn't spammy.
+          if [ "$ws_failed_logged" = "0" ]; then
+            log "    $wid transiently failed — waiting for heartbeat recovery (bootstrap-watcher deadline, see cp#245)"
+            ws_failed_logged=1
+          fi
+          sleep 10
+          ;;
+        *)      sleep 10 ;;
+      esac
+    done
+    ok "    $wid online and routable"
+  done
+}
+
 # ─── 5. Provision parent workspace ─────────────────────────────────────
 # Inject the LLM provider key so the runtime can authenticate at boot.
 # Branch by which secret is set so the script supports multiple paths
@@ -383,9 +477,9 @@ elif [ -n "${E2E_ANTHROPIC_API_KEY:-}" ]; then
  # is still independent of MOLECULE_STAGING_OPENAI_API_KEY, so an OpenAI
  # quota collapse doesn't wedge this path. Pinned to the claude-code
  # runtime: hermes/langgraph use OpenAI-shaped envs and won't honour
-  # ANTHROPIC_API_KEY without further wiring (out of scope for this
-  # branch; if you need a hermes/Anthropic path, dispatch with
-  # E2E_RUNTIME=hermes + E2E_OPENAI_API_KEY pointing at a working key).
+  # ANTHROPIC_API_KEY without further wiring. pick_model_slug maps this
+  # branch to claude-sonnet-4-6 so the claude-code provider registry
+  # selects anthropic-api instead of the OAuth-only sonnet alias.
  SECRETS_JSON=$(python3 -c "
 import json, os
 k = os.environ['E2E_ANTHROPIC_API_KEY']
@@ -410,6 +504,7 @@ print(json.dumps({
 fi

 MODEL_SLUG=$(pick_model_slug "$RUNTIME")
+log "    MODEL_SLUG=$MODEL_SLUG"

 log "5/11 Provisioning parent workspace (runtime=$RUNTIME)..."
 PARENT_RESP=$(tenant_call POST /workspaces \
@@ -437,48 +532,16 @@ fi
 # deadline fires at 5 min and sets status=failed prematurely; heartbeat
 # then transitions failed → online after install.sh finishes. So:
 #
-#   - 20 min deadline (hermes worst-case + slack)
+#   - ${WORKSPACE_ONLINE_TIMEOUT_SECS}s (~$((WORKSPACE_ONLINE_TIMEOUT_SECS/60)) min)
+#     deadline (hermes worst-case + slack). Configurable via
+#     E2E_WORKSPACE_ONLINE_TIMEOUT_SECS (#1646).
 #   - 'failed' is a TRANSIENT state we must tolerate — log and keep
 #     polling, only hard-fail at the deadline. Pre-bootstrap-watcher-fix
 #     (controlplane#245) this was a flake generator: workspace went
 #     failed→online inside our window but we bailed at the failed read.
-log "7/11 Waiting for workspace(s) to reach status=online (up to 30 min — hermes cold boot)..."
-WS_DEADLINE=$(( $(date +%s) + 1800 ))
-WS_TO_CHECK="$PARENT_ID"
-[ -n "$CHILD_ID" ] && WS_TO_CHECK="$WS_TO_CHECK $CHILD_ID"
-for wid in $WS_TO_CHECK; do
-  WS_LAST_STATUS=""
-  WS_FAILED_LOGGED=0
-  while true; do
-    if [ "$(date +%s)" -gt "$WS_DEADLINE" ]; then
-      WS_LAST_ERR=$(tenant_call GET "/workspaces/$wid" 2>/dev/null | \
-        python3 -c "import json,sys; print(json.load(sys.stdin).get('last_sample_error',''))" 2>/dev/null || echo "")
-      fail "Workspace $wid never reached online within 20 min (last status=$WS_LAST_STATUS, err=$WS_LAST_ERR)"
-    fi
-    WS_JSON=$(tenant_call GET "/workspaces/$wid" 2>/dev/null || echo '{}')
-    WS_STATUS=$(echo "$WS_JSON" | python3 -c "import json,sys; print(json.load(sys.stdin).get('status',''))" 2>/dev/null)
-    if [ "$WS_STATUS" != "$WS_LAST_STATUS" ]; then
-      log "    $wid → $WS_STATUS"
-      WS_LAST_STATUS="$WS_STATUS"
-    fi
-    case "$WS_STATUS" in
-      online) break ;;
-      failed)
-        # Not a hard fail — bootstrap-watcher frequently marks failed at
-        # 5 min on hermes, then heartbeat recovers to online around 10-13
-        # min when install.sh finishes. Log once per workspace so the CI
-        # output isn't spammy.
-        if [ "$WS_FAILED_LOGGED" = "0" ]; then
-          log "    $wid transiently failed — waiting for heartbeat recovery (bootstrap-watcher deadline, see cp#245)"
-          WS_FAILED_LOGGED=1
-        fi
-        sleep 10
-        ;;
-      *)      sleep 10 ;;
-    esac
-  done
-  ok "    $wid online"
-done
+WS_TO_CHECK=("$PARENT_ID")
+[ -n "$CHILD_ID" ] && WS_TO_CHECK+=("$CHILD_ID")
+wait_workspaces_online_routable "7/11 Waiting for workspace(s) to reach status=online (up to $((WORKSPACE_ONLINE_TIMEOUT_SECS/60)) min — hermes cold boot)..." "${WS_TO_CHECK[@]}"

 # ─── 7b. Canvas-terminal diagnose (EIC chain probe) ────────────────────
 # This step exists because the canvas-terminal failure of 2026-05-03
@@ -490,7 +553,7 @@ done
 #   - tenantIngressRules / workspaceIngressRules (CP)
 #   - eicSSHIngressRule helper (CP)
 #   - AuthorizeIngress source-group support (CP awsapi)
-#   - EIC_ENDPOINT_SG_ID Railway env
+#   - MOLECULE_EIC_ENDPOINT_SG_ID Railway env
 #   - handleRemoteConnect's send-ssh-public-key/open-tunnel/ssh chain
 # surfaces within ~20 min of merge instead of waiting for a user report.
 #
@@ -504,7 +567,7 @@ done
 # probes docker.Ping + container exec; we still expect ok=true there
 # since local-docker is the alternative production path.
 log "7b/11 Canvas-terminal EIC diagnose probe..."
-for wid in $WS_TO_CHECK; do
+for wid in "${WS_TO_CHECK[@]}"; do
  DIAG_JSON=$(tenant_call GET "/workspaces/$wid/terminal/diagnose" 2>/dev/null || echo '{}')
  DIAG_OK=$(echo "$DIAG_JSON" | python3 -c "import json,sys; d=json.load(sys.stdin); print('true' if d.get('ok') else 'false')" 2>/dev/null || echo "false")
  if [ "$DIAG_OK" = "true" ]; then
@@ -512,7 +575,7 @@ for wid in $WS_TO_CHECK; do
  else
    DIAG_FAIL=$(echo "$DIAG_JSON" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('first_failure','unknown'))" 2>/dev/null || echo "unknown")
    DIAG_DETAIL=$(echo "$DIAG_JSON" | python3 -c "import json,sys; d=json.load(sys.stdin); s=[x for x in d.get('steps',[]) if not x.get('ok')]; step=s[0] if s else {}; print(' — '.join(x for x in [step.get('error',''), step.get('detail','')] if x))" 2>/dev/null || echo "")
-    fail "Workspace $wid terminal diagnose failed at step '$DIAG_FAIL': $DIAG_DETAIL — check tenant SG has tcp/22 from EIC endpoint SG (sg-0785d5c6138220523), EIC_ENDPOINT_SG_ID set in Railway, and EIC endpoint health"
+    fail "Workspace $wid terminal diagnose failed at step '$DIAG_FAIL': $DIAG_DETAIL — check tenant SG has tcp/22 from the configured EIC endpoint SG, MOLECULE_EIC_ENDPOINT_SG_ID is set in Railway, and EIC endpoint health"
  fi
 done

@@ -540,7 +603,7 @@ CONFIG_PAYLOAD="${CONFIG_MARKER}
 name: synth-canary
 runtime: ${RUNTIME}
 "
-for wid in $WS_TO_CHECK; do
+for wid in "${WS_TO_CHECK[@]}"; do
  PUT_BODY=$(python3 -c "import json,sys; print(json.dumps({'content': sys.stdin.read()}))" <<< "$CONFIG_PAYLOAD")
  # Capture body to a tempfile so curl's -w '%{http_code}' is the only
  # thing on stdout. The first version used `-w '\n%{http_code}\n'` and
@@ -573,6 +636,12 @@ for wid in $WS_TO_CHECK; do
  ok "    $wid config.yaml PUT OK (HTTP $PUT_CODE)"
 done

+# Saving config.yaml follows the same path as Canvas Config Save & Restart.
+# The controlplane can briefly put the workspace back into provisioning and
+# clear its route while the runtime restarts, so A2A must wait on the same
+# externally routable readiness boundary again.
+wait_workspaces_online_routable "7d/11 Waiting for workspace(s) to recover routing after config.yaml PUT..." "${WS_TO_CHECK[@]}"
+
 # ─── 8. A2A round-trip on parent ───────────────────────────────────────
 log "8/11 Sending A2A message to parent — expecting agent response..."
 # Smoke prompt phrasing — DO NOT trim back to the bare "Reply with exactly: PONG"
@@ -612,10 +681,44 @@ print(json.dumps({
 # 90s gives ~3x headroom over observed cold-call P95 (~25-30s).
 # Subsequent A2A turns hit the same workspace and are sub-second, so
 # this only widens the window for step 8/11 of the canary's first turn.
-A2A_RESP=$(tenant_call POST "/workspaces/$PARENT_ID/a2a" \
-  --max-time 90 \
-  -H "Content-Type: application/json" \
-  -d "$A2A_PAYLOAD")
+A2A_TMP=$(mktemp -t synth_a2a.XXXXXX)
+for A2A_ATTEMPT in $(seq 1 12); do
+  : >"$A2A_TMP"
+  set +e
+  A2A_CODE=$(tenant_call POST "/workspaces/$PARENT_ID/a2a" \
+    --max-time 90 \
+    -H "Content-Type: application/json" \
+    -d "$A2A_PAYLOAD" \
+    -o "$A2A_TMP" \
+    -w '%{http_code}' \
+    2>/dev/null)
+  A2A_RC=$?
+  set -e
+  A2A_CODE=${A2A_CODE:-000}
+  A2A_RESP=$(cat "$A2A_TMP" 2>/dev/null || echo "")
+  if [ "$A2A_RC" = "0" ] && [ "$A2A_CODE" -ge 200 ] && [ "$A2A_CODE" -lt 300 ]; then
+    break
+  fi
+
+  A2A_SAFE_BODY=$(printf '%s' "$A2A_RESP" | sanitize_http_body)
+  if echo "$A2A_CODE" | grep -Eq '^(502|503|504)$' && echo "$A2A_SAFE_BODY" | grep -Eqi 'Service Unavailable|Bad Gateway|Gateway Timeout|error code: 502|error code: 504|workspace agent unreachable|connection refused|no healthy upstream|workspace agent busy|native_session'; then
+    log "    A2A cold-start probe attempt $A2A_ATTEMPT/12 returned $A2A_CODE: $A2A_SAFE_BODY"
+    if [ "$A2A_ATTEMPT" -lt 12 ]; then
+      A2A_SLEEP=10
+      if echo "$A2A_SAFE_BODY" | grep -Eqi 'workspace agent busy|native_session'; then
+        A2A_SLEEP=30
+      fi
+      sleep "$A2A_SLEEP"
+      continue
+    fi
+  fi
+  break
+done
+rm -f "$A2A_TMP"
+if [ "$A2A_RC" != "0" ] || [ "$A2A_CODE" -lt 200 ] || [ "$A2A_CODE" -ge 300 ]; then
+  A2A_SAFE_BODY=$(printf '%s' "$A2A_RESP" | sanitize_http_body)
+  fail "A2A POST /workspaces/$PARENT_ID/a2a failed after $A2A_ATTEMPT attempt(s) (curl_rc=$A2A_RC, http=$A2A_CODE): $A2A_SAFE_BODY"
+fi
 AGENT_TEXT=$(echo "$A2A_RESP" | python3 -c "
 import json, sys
 d = json.load(sys.stdin)
@@ -812,20 +915,50 @@ print(json.dumps({
    }
 }))
 ")
-  set +e
-  # Raw curl (not tenant_call) because this call carries an extra
-  # X-Source-Workspace-Id header. Must still send X-Molecule-Org-Id
-  # or TenantGuard 404s — previously missing, caused section 10 to
-  # fail rc=22 despite everything upstream being correct (2026-04-21).
-  DELEG_RESP=$(curl "${CURL_COMMON[@]}" -X POST "$TENANT_URL/workspaces/$CHILD_ID/a2a" \
-    -H "Authorization: Bearer $EFFECTIVE_TENANT_TOKEN" \
-    -H "X-Molecule-Org-Id: $ORG_ID" \
-    -H "X-Source-Workspace-Id: $PARENT_ID" \
-    -H "Content-Type: application/json" \
-    -d "$DELEG_PAYLOAD")
-  DELEG_RC=$?
-  set -e
-  [ $DELEG_RC -ne 0 ] && fail "Delegation A2A POST failed (rc=$DELEG_RC)"
+  DELEG_TMP=$(mktemp -t deleg_a2a.XXXXXX)
+  for DELEG_ATTEMPT in $(seq 1 12); do
+    : >"$DELEG_TMP"
+    set +e
+    # Raw curl (not tenant_call) because this call carries an extra
+    # X-Source-Workspace-Id header. Must still send X-Molecule-Org-Id
+    # or TenantGuard 404s — previously missing, caused section 10 to
+    # fail rc=22 despite everything upstream being correct (2026-04-21).
+    DELEG_CODE=$(curl "${CURL_COMMON[@]}" -X POST "$TENANT_URL/workspaces/$CHILD_ID/a2a" \
+      -H "Authorization: Bearer $EFFECTIVE_TENANT_TOKEN" \
+      -H "X-Molecule-Org-Id: $ORG_ID" \
+      -H "X-Source-Workspace-Id: $PARENT_ID" \
+      -H "Content-Type: application/json" \
+      -d "$DELEG_PAYLOAD" \
+      -o "$DELEG_TMP" \
+      -w '%{http_code}' \
+      2>/dev/null)
+    DELEG_RC=$?
+    set -e
+    DELEG_CODE=${DELEG_CODE:-000}
+    DELEG_RESP=$(cat "$DELEG_TMP" 2>/dev/null || echo "")
+    if [ "$DELEG_RC" = "0" ] && [ "$DELEG_CODE" -ge 200 ] && [ "$DELEG_CODE" -lt 300 ]; then
+      break
+    fi
+
+    DELEG_SAFE_BODY=$(printf '%s' "$DELEG_RESP" | sanitize_http_body)
+    if echo "$DELEG_CODE" | grep -Eq '^(502|503|504)$' && echo "$DELEG_SAFE_BODY" | grep -Eqi 'Service Unavailable|Bad Gateway|Gateway Timeout|error code: 502|error code: 504|workspace agent unreachable|connection refused|no healthy upstream|workspace agent busy|native_session'; then
+      log "    Delegation A2A cold-start attempt $DELEG_ATTEMPT/12 returned $DELEG_CODE: $DELEG_SAFE_BODY"
+      if [ "$DELEG_ATTEMPT" -lt 12 ]; then
+        DELEG_SLEEP=10
+        if echo "$DELEG_SAFE_BODY" | grep -Eqi 'workspace agent busy|native_session'; then
+          DELEG_SLEEP=30
+        fi
+        sleep "$DELEG_SLEEP"
+        continue
+      fi
+    fi
+    break
+  done
+  rm -f "$DELEG_TMP"
+  if [ "$DELEG_RC" != "0" ] || [ "$DELEG_CODE" -lt 200 ] || [ "$DELEG_CODE" -ge 300 ]; then
+    DELEG_SAFE_BODY=$(printf '%s' "$DELEG_RESP" | sanitize_http_body)
+    fail "Delegation A2A POST failed after $DELEG_ATTEMPT attempt(s) (curl_rc=$DELEG_RC, http=$DELEG_CODE): $DELEG_SAFE_BODY"
+  fi
  DELEG_TEXT=$(echo "$DELEG_RESP" | python3 -c "
 import json, sys
 try:
@@ -25,6 +25,13 @@ source "$(dirname "$0")/_lib.sh"  # sets BASE default + helpers
 PASS=0
 FAIL=0
 TIMEOUT="${E2E_TIMEOUT:-60}"
+ADMIN_BEARER="${MOLECULE_ADMIN_TOKEN:-${ADMIN_TOKEN:-}}"
+ADMIN_AUTH=()
+[ -n "$ADMIN_BEARER" ] && ADMIN_AUTH=(-H "Authorization: Bearer $ADMIN_BEARER")
+WS_A_TOKEN=""
+WS_A_AUTH=()
+WS_B_TOKEN=""
+WS_B_AUTH=()

 check() {
  local desc="$1" expected="$2" actual="$3"
@@ -75,15 +82,26 @@ echo "--- A. Per-workspace MCP server-name slug uniqueness ---"
 WS_A_NAME="e2e-cov-alpha-$$"
 WS_B_NAME="e2e-cov-beta-$$"

-R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" \
-  -d "{\"name\":\"$WS_A_NAME\",\"tier\":1}")
-check "POST /workspaces (alpha)" '"status":"provisioning"' "$R"
+R=$(curl -s -X POST "$BASE/workspaces" "${ADMIN_AUTH[@]}" -H "Content-Type: application/json" \
+  -d "{\"name\":\"$WS_A_NAME\",\"runtime\":\"external\",\"external\":true,\"tier\":1}")
+check "POST /workspaces (alpha)" '"status":"awaiting_agent"' "$R"
 WS_A_ID=$(echo "$R" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))")
+if [ -n "$WS_A_ID" ]; then
+  WS_A_TOKEN=$(e2e_mint_test_token "$WS_A_ID" 2>/dev/null || true)
+  [ -n "$WS_A_TOKEN" ] && WS_A_AUTH=(-H "Authorization: Bearer $WS_A_TOKEN")
+  if [ -z "$ADMIN_BEARER" ] && [ -n "$WS_A_TOKEN" ]; then
+    ADMIN_AUTH=(-H "Authorization: Bearer $WS_A_TOKEN")
+  fi
+fi

-R=$(curl -s -X POST "$BASE/workspaces" -H "Content-Type: application/json" \
-  -d "{\"name\":\"$WS_B_NAME\",\"tier\":1}")
-check "POST /workspaces (beta)" '"status":"provisioning"' "$R"
+R=$(curl -s -X POST "$BASE/workspaces" "${ADMIN_AUTH[@]}" -H "Content-Type: application/json" \
+  -d "{\"name\":\"$WS_B_NAME\",\"runtime\":\"external\",\"external\":true,\"tier\":1}")
+check "POST /workspaces (beta)" '"status":"awaiting_agent"' "$R"
 WS_B_ID=$(echo "$R" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))")
+if [ -n "$WS_B_ID" ]; then
+  WS_B_TOKEN=$(e2e_mint_test_token "$WS_B_ID" 2>/dev/null || true)
+  [ -n "$WS_B_TOKEN" ] && WS_B_AUTH=(-H "Authorization: Bearer $WS_B_TOKEN")
+fi

 # external/connection returns the install-snippet. The per-workspace
 # fix (mc#1535) derives the MCP name as molecule-<slug>; mc#1536 extends
@@ -91,8 +109,10 @@ WS_B_ID=$(echo "$R" | python3 -c "import sys,json; print(json.load(sys.stdin).ge
 # grep the `claude mcp add` line, and assert the names differ.
 if [ -n "$WS_A_ID" ] && [ -n "$WS_B_ID" ]; then
  SNIPPET_A=$(curl -s --max-time "$TIMEOUT" \
+    "${WS_A_AUTH[@]}" \
    "$BASE/workspaces/$WS_A_ID/external/connection")
  SNIPPET_B=$(curl -s --max-time "$TIMEOUT" \
+    "${WS_B_AUTH[@]}" \
    "$BASE/workspaces/$WS_B_ID/external/connection")

  MCP_A=$(echo "$SNIPPET_A" | python3 -c "
@@ -151,7 +171,11 @@ import sys, json, re
 d=json.load(sys.stdin)
 def find(o):
  if isinstance(o,str):
-    m=re.search(r'\[mcp_servers\.([^\]]+)\]',o); return m.group(1) if m else None
+    for m in re.finditer(r'\[mcp_servers\.([^\]]+)\]',o):
+      name=m.group(1)
+      if name.startswith('molecule-') and '<' not in name:
+        return name
+    return None
  if isinstance(o,dict):
    for v in o.values():
      r=find(v)
@@ -168,7 +192,11 @@ import sys, json, re
 d=json.load(sys.stdin)
 def find(o):
  if isinstance(o,str):
-    m=re.search(r'\[mcp_servers\.([^\]]+)\]',o); return m.group(1) if m else None
+    for m in re.finditer(r'\[mcp_servers\.([^\]]+)\]',o):
+      name=m.group(1)
+      if name.startswith('molecule-') and '<' not in name:
+        return name
+    return None
  if isinstance(o,dict):
    for v in o.values():
      r=find(v)
@@ -212,7 +240,7 @@ echo "--- B. GIT_ASKPASS + GIT_HTTP_* env injection (mc#1525 + mc#1542) ---"
 if [ -n "${WS_A_ID:-}" ]; then
  # Wait briefly for provisioning to expose the container.
  for _ in 1 2 3 4 5 6 7 8 9 10; do
-    R=$(curl -s "$BASE/workspaces/$WS_A_ID")
+    R=$(curl -s "${ADMIN_AUTH[@]}" "$BASE/workspaces/$WS_A_ID")
    STATUS=$(echo "$R" | python3 -c "import sys,json; print(json.load(sys.stdin).get('status',''))" 2>/dev/null)
    [ "$STATUS" = "online" ] && break
    sleep 1
@@ -225,7 +253,7 @@ if [ -n "${WS_A_ID:-}" ]; then
  # acceptable for the dev platform). The point is that the KEYS are
  # propagated by the post-#1542 provisioner — pre-#1542 these keys
  # were absent entirely.
-  DEBUG=$(curl -s "$BASE/admin/workspaces/$WS_A_ID/debug" 2>/dev/null || true)
+  DEBUG=$(curl -s "${ADMIN_AUTH[@]}" "$BASE/admin/workspaces/$WS_A_ID/debug" 2>/dev/null || true)
  if [ -n "$DEBUG" ] && echo "$DEBUG" | grep -q "workspace_secrets"; then
    # Presence-only check: KEY in the secrets map, value MAY be empty
    # in dev where no persona is bound.
@@ -261,6 +289,7 @@ if [ -n "${WS_A_ID:-}" ]; then
  # The expected response shape post-fix is a structured failure (HTTP
  # 4xx or success:false JSON) — NOT a queued task that round-trips.
  R=$(curl -s --max-time 10 -X POST "$BASE/workspaces/$WS_A_ID/delegate" \
+    "${WS_A_AUTH[@]}" \
    -H "Content-Type: application/json" \
    -d "{\"target_workspace_id\":\"$WS_A_ID\",\"task\":\"self-echo-test\"}" 2>&1)
  # Either the API gate (delegation.go) rejects, OR the inbox guard
@@ -281,7 +310,7 @@ if [ -n "${WS_A_ID:-}" ]; then
  # an inboxable peer_agent kind. The /activity endpoint is the inbox
  # poller's source-of-truth.
  sleep 2
-  AL=$(curl -s "$BASE/workspaces/$WS_A_ID/activity" 2>/dev/null || echo '[]')
+  AL=$(curl -s "${WS_A_AUTH[@]}" "$BASE/workspaces/$WS_A_ID/activity" 2>/dev/null || echo '[]')
  # Count rows where source_id == workspace_id AND method != "delegate_result".
  ECHO_COUNT=$(echo "$AL" | python3 -c "
 import sys, json
@@ -315,7 +344,15 @@ echo
 echo "--- Cleanup ---"
 for wid in "${WS_A_ID:-}" "${WS_B_ID:-}"; do
  [ -n "$wid" ] || continue
-  curl -s -X DELETE "$BASE/workspaces/$wid?confirm=true" > /dev/null || true
+  DELETE_AUTH=("${ADMIN_AUTH[@]}")
+  if [ -z "$ADMIN_BEARER" ]; then
+    if [ "$wid" = "${WS_A_ID:-}" ]; then
+      DELETE_AUTH=("${WS_A_AUTH[@]}")
+    elif [ "$wid" = "${WS_B_ID:-}" ]; then
+      DELETE_AUTH=("${WS_B_AUTH[@]}")
+    fi
+  fi
+  curl -s -X DELETE "$BASE/workspaces/$wid?confirm=true" "${DELETE_AUTH[@]}" > /dev/null || true
  echo "deleted $wid"
 done

@@ -0,0 +1,193 @@
+"""Tests for `.gitea/scripts/detect-changes.py`."""
+
+from __future__ import annotations
+
+import importlib.util
+from pathlib import Path
+
+
+REPO_ROOT = Path(__file__).resolve().parents[1]
+SCRIPT = REPO_ROOT / ".gitea" / "scripts" / "detect-changes.py"
+
+
+def load_module():
+    spec = importlib.util.spec_from_file_location("detect_changes", SCRIPT)
+    assert spec is not None
+    module = importlib.util.module_from_spec(spec)
+    assert spec.loader is not None
+    spec.loader.exec_module(module)
+    return module
+
+
+def test_ci_profile_classifies_surfaces():
+    mod = load_module()
+
+    assert mod.classify("ci", ["workspace-server/internal/handlers/a2a_proxy.go"]) == {
+        "platform": True,
+        "canvas": False,
+        "python": False,
+        "scripts": False,
+    }
+    assert mod.classify("ci", ["canvas/src/app/page.tsx"]) == {
+        "platform": False,
+        "canvas": True,
+        "python": False,
+        "scripts": False,
+    }
+    assert mod.classify("ci", ["tests/e2e/test_model_slug.sh"]) == {
+        "platform": False,
+        "canvas": False,
+        "python": False,
+        "scripts": True,
+    }
+    assert mod.classify("ci", [".gitea/workflows/ci.yml", "README.md"]) == {
+        "platform": False,
+        "canvas": False,
+        "python": False,
+        "scripts": False,
+    }
+
+
+def test_handlers_postgres_profile_is_narrower_than_workspace_server():
+    mod = load_module()
+
+    assert mod.classify("handlers-postgres", ["workspace-server/internal/handlers/a2a_proxy.go"]) == {
+        "handlers": True,
+    }
+    assert mod.classify("handlers-postgres", ["workspace-server/internal/provisioner/provisioner.go"]) == {
+        "handlers": False,
+    }
+
+
+def test_e2e_api_profile_covers_api_inputs():
+    mod = load_module()
+
+    assert mod.classify("e2e-api", ["workspace-server/internal/handlers/workspace.go"]) == {
+        "api": True,
+    }
+    assert mod.classify("e2e-api", ["tests/e2e/test_api.sh"]) == {"api": True}
+    assert mod.classify("e2e-api", ["canvas/src/app/page.tsx"]) == {"api": False}
+
+
+def test_fail_open_all_true_for_missing_base():
+    mod = load_module()
+
+    assert mod.all_true("ci") == {
+        "platform": True,
+        "canvas": True,
+        "python": True,
+        "scripts": True,
+    }
+
+
+def test_fetch_base_prefers_advertised_base_ref(monkeypatch):
+    mod = load_module()
+    calls: list[list[str]] = []
+    exists_checks = 0
+
+    def fake_base_exists(base: str) -> bool:
+        nonlocal exists_checks
+        exists_checks += 1
+        return exists_checks >= 1
+
+    def fake_run_git(args: list[str], *, timeout: int = 30):
+        calls.append(args)
+
+        class Result:
+            returncode = 0
+            stdout = ""
+            stderr = ""
+
+        return Result()
+
+    monkeypatch.setattr(mod, "base_exists", fake_base_exists)
+    monkeypatch.setattr(mod, "run_git", fake_run_git)
+
+    mod.fetch_base("abc123", "main")
+
+    assert calls == [["fetch", "--depth=1", "origin", "main"]]
+
+
+def test_fetch_base_falls_back_to_sha_when_ref_fetch_does_not_materialize(monkeypatch):
+    mod = load_module()
+    calls: list[list[str]] = []
+
+    monkeypatch.setattr(mod, "base_exists", lambda _base: False)
+
+    def fake_run_git(args: list[str], *, timeout: int = 30):
+        calls.append(args)
+
+        class Result:
+            returncode = 0
+            stdout = ""
+            stderr = ""
+
+        return Result()
+
+    monkeypatch.setattr(mod, "run_git", fake_run_git)
+
+    mod.fetch_base("abc123", "main")
+
+    assert calls == [
+        ["fetch", "--depth=1", "origin", "main"],
+        ["fetch", "--depth=1", "origin", "abc123"],
+    ]
+
+
+def test_changed_paths_uses_merge_base_for_pull_request(monkeypatch):
+    mod = load_module()
+    calls: list[list[str]] = []
+
+    def fake_run_git(args: list[str], *, timeout: int = 30):
+        calls.append(args)
+
+        class Result:
+            returncode = 0
+            stdout = "workspace/agent.py\n"
+            stderr = ""
+
+        if args[0] == "merge-base":
+            Result.stdout = "merge123\n"
+        return Result()
+
+    monkeypatch.setattr(mod, "run_git", fake_run_git)
+
+    assert mod.changed_paths("base123", use_merge_base=True) == ["workspace/agent.py"]
+    assert calls == [
+        ["merge-base", "base123", "HEAD"],
+        ["diff", "--name-only", "merge123", "HEAD"],
+    ]
+
+
+def test_detect_deepens_base_ref_when_pr_merge_base_missing(monkeypatch):
+    mod = load_module()
+    calls: list[tuple[str, str | None]] = []
+    merge_base_calls = 0
+
+    monkeypatch.setattr(mod, "base_exists", lambda _base: True)
+
+    def fake_merge_base(base: str):
+        nonlocal merge_base_calls
+        merge_base_calls += 1
+        if merge_base_calls == 1:
+            return None
+        return "merge123"
+
+    def fake_deepen_base_ref(base_ref: str):
+        calls.append(("deepen", base_ref))
+
+    def fake_changed_paths(base: str, *, use_merge_base: bool):
+        calls.append(("changed", str(use_merge_base)))
+        return [".gitea/workflows/ci.yml"]
+
+    monkeypatch.setattr(mod, "merge_base", fake_merge_base)
+    monkeypatch.setattr(mod, "deepen_base_ref", fake_deepen_base_ref)
+    monkeypatch.setattr(mod, "changed_paths", fake_changed_paths)
+
+    assert mod.detect("ci", "pull_request", "base123", "", "main") == {
+        "platform": False,
+        "canvas": False,
+        "python": False,
+        "scripts": False,
+    }
+    assert calls == [("deepen", "main"), ("changed", "True")]
@@ -0,0 +1,18 @@
+from pathlib import Path
+
+
+ROOT = Path(__file__).resolve().parents[1]
+
+
+def test_staging_e2e_workflows_use_stable_minimax_default() -> None:
+    """Keep cron/push E2E on the same MiniMax model as the smoke-tested script."""
+    workflow_paths = [
+        ".gitea/workflows/e2e-staging-saas.yml",
+        ".gitea/workflows/staging-smoke.yml",
+        ".gitea/workflows/continuous-synth-e2e.yml",
+    ]
+
+    for rel in workflow_paths:
+        text = (ROOT / rel).read_text()
+        assert "MiniMax-M2.7-highspeed" not in text
+        assert "MiniMax-M2" in text
@@ -26,9 +26,11 @@ import re
 import subprocess
 import sys
 import textwrap
+import importlib.util
 from pathlib import Path

 import pytest  # noqa: F401  (declares the dep)
+import yaml

 REPO_ROOT = Path(__file__).resolve().parents[1]
 SCRIPT = REPO_ROOT / ".gitea" / "scripts" / "lint-workflow-yaml.py"
@@ -616,16 +618,24 @@ def test_rule10_docker_info_head_in_separate_step_without_pipefail_passes(tmp_pa

 CI_WORKFLOW = REPO_ROOT / ".gitea" / "workflows" / "ci.yml"
 CI_SURFACES = ("platform", "canvas", "python", "scripts")
+DETECT_CHANGES_SCRIPT = REPO_ROOT / ".gitea" / "scripts" / "detect-changes.py"
+
+
+def _load_detect_changes():
+    spec = importlib.util.spec_from_file_location("detect_changes", DETECT_CHANGES_SCRIPT)
+    assert spec is not None
+    module = importlib.util.module_from_spec(spec)
+    assert spec.loader is not None
+    spec.loader.exec_module(module)
+    return module


 def _ci_change_patterns() -> dict[str, re.Pattern[str]]:
-    text = CI_WORKFLOW.read_text(encoding="utf-8")
-    patterns: dict[str, re.Pattern[str]] = {}
-    for surface, pattern in re.findall(
-        r'echo "(platform|canvas|python|scripts)=.*?grep -qE \'([^\']+)\'',
-        text,
-    ):
-        patterns[surface] = re.compile(pattern)
+    detect_changes = _load_detect_changes()
+    patterns = {
+        surface: re.compile(pattern)
+        for surface, pattern in detect_changes.PROFILES["ci"].items()
+    }
    assert set(patterns) == set(CI_SURFACES)
    return patterns

@@ -693,3 +703,58 @@ def test_ci_change_detector_docs_and_meta_scripts_do_not_trigger_surfaces():
        "python": False,
        "scripts": False,
    }
+
+
+def test_ci_platform_go_steps_are_path_scoped_on_all_events():
+    doc = yaml.safe_load(CI_WORKFLOW.read_text(encoding="utf-8"))
+    platform = doc["jobs"]["platform-build"]
+    assert platform.get("needs") == "changes"
+
+    expensive_steps = [
+        step
+        for step in platform["steps"]
+        if step.get("uses")
+        or step.get("run", "").startswith("go ")
+        or "golangci-lint" in step.get("run", "")
+    ]
+    assert expensive_steps
+    for step in expensive_steps:
+        expr = step.get("if", "")
+        assert "needs.changes.outputs.platform == 'true'" in expr
+        assert "github.event_name != 'pull_request'" not in expr
+
+
+def test_ci_canvas_nextjs_steps_are_path_scoped_on_all_events():
+    doc = yaml.safe_load(CI_WORKFLOW.read_text(encoding="utf-8"))
+    canvas = doc["jobs"]["canvas-build"]
+    assert canvas.get("needs") == "changes"
+
+    expensive_steps = [
+        step
+        for step in canvas["steps"]
+        if step.get("uses")
+        or step.get("run", "").startswith("npm ")
+        or step.get("run", "").startswith("npx ")
+    ]
+    assert expensive_steps
+    for step in expensive_steps:
+        expr = step.get("if", "")
+        assert "needs.changes.outputs.canvas == 'true'" in expr
+        assert "github.event_name != 'pull_request'" not in expr
+
+
+def test_ci_shellcheck_steps_are_path_scoped_on_all_events():
+    doc = yaml.safe_load(CI_WORKFLOW.read_text(encoding="utf-8"))
+    shellcheck = doc["jobs"]["shellcheck"]
+    assert shellcheck.get("needs") == "changes"
+
+    expensive_steps = [
+        step
+        for step in shellcheck["steps"]
+        if step.get("uses") or step.get("run", "").startswith(("bash ", "find ", "shellcheck "))
+    ]
+    assert expensive_steps
+    for step in expensive_steps:
+        expr = step.get("if", "")
+        assert "needs.changes.outputs.scripts == 'true'" in expr
+        assert "github.event_name != 'pull_request'" not in expr
@@ -56,6 +56,21 @@ SCRIPT_PATH = (
 )


+@pytest.fixture(autouse=True)
+def _stub_time_sleep(monkeypatch):
+    """Autouse: stub time.sleep across every test.
+
+    The watchdog's RECHECK_DELAY_SECS (default 90s) is wired into
+    run_once() via time.sleep(). Without this stub, integration-style
+    tests that exercise run_once() would each block for 90s — a
+    pre-fix `pytest -q` ran in ~0.1s; the unstubbed equivalent took
+    >4 minutes (task #394 review evidence). Stubbing here keeps the
+    suite fast and deterministic without requiring every red-path test
+    to remember the patch.
+    """
+    monkeypatch.setattr("time.sleep", lambda s: None)
+
+
@pytest.fixture(scope="module")
 def wd_module():
    """Import the script as a module under a known env."""
@@ -809,3 +824,214 @@ def test_require_runtime_env_exits_when_missing(wd_module, monkeypatch):
    with pytest.raises(SystemExit) as excinfo:
        wd_module._require_runtime_env()
    assert excinfo.value.code == 2
+
+
+# --------------------------------------------------------------------------
+# Action-run status filter + HEAD-recheck (task #394, mc#1597..1630)
+#
+# The existing cancel-cascade filter matched description=='Has been
+# cancelled' EXACTLY, but a 7-day DB sweep on 2026-05-20 showed that
+# only 76/702 (~11%) of action_run.status=3 (Cancelled) entries carry
+# that string — 89% are written as 'Failing after Ns', indistinguishable
+# from real action_run.status=2 (Failure) at the commit_status layer.
+#
+# Gitea 1.22.6 has NO REST endpoint exposing action_run.status, so the
+# canonical filter (status=2 only) cannot run from a Gitea Actions
+# runner. The next-best signal is the HEAD-recheck: re-fetch HEAD SHA
+# (or its combined status) right before filing. If HEAD moved on or
+# combined state recovered, the prior "red" was a transient
+# cancel-cascade and we skip-file.
+#
+# References:
+#   - reference_chronic_red_sweep_cancelled_vs_failed_filter
+#   - feedback_gitea_status_enum_use_helper_not_raw_int
+#   - reference_gitea_action_status_enum_corrected_2026_05_19
+#   - triage evidence 2026-05-21 04:55 (6 cancellation + 1 emission
+#     artifact across mc#1597,1605,1609,1613,1626,1627,1630)
+# --------------------------------------------------------------------------
+def test_head_recheck_skips_file_when_head_moved(wd_module, monkeypatch, capsys):
+    """When initial tick sees red at SHA_A but HEAD has since moved to
+    SHA_B (next commit landed mid-tick), the watchdog must NOT file.
+    Re-evaluation happens on the next cron tick against the new SHA.
+
+    REGRESSION CLASS: this guards mc#1597..#1630 — 7 false-positives
+    filed in 24h because cancel-cascade fired commit_status=failure
+    rows on SHAs that were already superseded by new merges."""
+    SHA_A = SHA_RED
+    SHA_B = SHA_GREEN
+    failed_ctx = [
+        {"context": "ci/test", "status": "failure",
+         "target_url": "/r/runs/100/jobs/0",
+         "description": "Failing after 12s"},
+    ]
+    # First branches read returns SHA_A; the second (recheck) returns SHA_B
+    # → watchdog detects HEAD drift and skip-files.
+    branches_responses = iter([
+        (200, _branches_response(SHA_A)),
+        (200, _branches_response(SHA_B)),
+    ])
+
+    def fake_api(method, path, *, body=None, query=None, expect_json=True):
+        if method == "GET" and path == "/repos/owner/repo/branches/main":
+            return next(branches_responses)
+        if method == "GET" and path == f"/repos/owner/repo/commits/{SHA_A}/status":
+            return (200, _combined_status("failure", failed_ctx))
+        if method == "POST" and path == "/repos/owner/repo/issues":
+            raise AssertionError(
+                "watchdog filed a phantom issue despite HEAD moving away "
+                "from the red SHA (regression: mc#1597..1630)"
+            )
+        if method == "GET" and path == "/repos/owner/repo/issues":
+            return (200, [])
+        raise AssertionError(f"unexpected api call: {method} {path}")
+
+    # Settling delay is no-op'd by the _stub_time_sleep autouse fixture.
+    monkeypatch.setattr(wd_module, "api", fake_api)
+    wd_module.run_once(dry_run=False)
+    captured = capsys.readouterr()
+    assert "head drift" in captured.out.lower() or "head moved" in captured.out.lower(), (
+        f"expected a notice about HEAD drift, got: {captured.out!r}"
+    )
+
+
+def test_head_recheck_skips_file_when_recheck_status_recovered(
+    wd_module, monkeypatch, capsys,
+):
+    """When initial tick sees red at SHA, but the post-settling recheck
+    on the SAME SHA shows combined status recovered (e.g. transient
+    cancel-cascade rolled forward to success on retry), skip-file.
+
+    This catches the mid-flight cancel-cascade window — the second
+    largest false-positive cluster in mc#1597..1630."""
+    failed_ctx_initial = [
+        {"context": "ci/test", "status": "failure",
+         "target_url": "/r/runs/100/jobs/0",
+         "description": "Failing after 12s"},
+    ]
+    recovered_ctx = [
+        {"context": "ci/test", "status": "success",
+         "target_url": "/r/runs/100/jobs/0",
+         "description": "Successful in 30s"},
+    ]
+    # Same SHA across both branch reads; status flips from failure→success
+    # between the two combined-status reads.
+    status_responses = iter([
+        (200, _combined_status("failure", failed_ctx_initial)),
+        (200, _combined_status("success", recovered_ctx)),
+    ])
+
+    def fake_api(method, path, *, body=None, query=None, expect_json=True):
+        if method == "GET" and path == "/repos/owner/repo/branches/main":
+            return (200, _branches_response(SHA_RED))
+        if method == "GET" and path == f"/repos/owner/repo/commits/{SHA_RED}/status":
+            return next(status_responses)
+        if method == "POST" and path == "/repos/owner/repo/issues":
+            raise AssertionError(
+                "watchdog filed a phantom issue despite combined status "
+                "recovering on recheck (mid-flight cancel-cascade window)"
+            )
+        if method == "GET" and path == "/repos/owner/repo/issues":
+            return (200, [])
+        raise AssertionError(f"unexpected api call: {method} {path}")
+
+    monkeypatch.setattr(wd_module, "api", fake_api)
+    wd_module.run_once(dry_run=False)
+    captured = capsys.readouterr()
+    assert "recovered" in captured.out.lower() or "settled" in captured.out.lower(), (
+        f"expected a notice about post-settling recovery, got: {captured.out!r}"
+    )
+
+
+def test_head_recheck_files_when_still_red_after_settling(
+    wd_module, monkeypatch,
+):
+    """When BOTH the initial detection AND the post-settling recheck
+    show the same SHA still red, file the issue. This is the genuine-
+    failure path the watchdog is designed to surface.
+
+    Locks the over-filter: a future change that always-skips after
+    recheck would dismiss real failures."""
+    failed_ctx = [
+        {"context": "ci/test", "status": "failure",
+         "target_url": "/r/runs/100/jobs/0",
+         "description": "Failing after 12s"},
+    ]
+    post_filed = {"value": False}
+
+    def fake_api(method, path, *, body=None, query=None, expect_json=True):
+        if method == "GET" and path == "/repos/owner/repo/branches/main":
+            return (200, _branches_response(SHA_RED))
+        if method == "GET" and path == f"/repos/owner/repo/commits/{SHA_RED}/status":
+            return (200, _combined_status("failure", failed_ctx))
+        if method == "GET" and path == "/repos/owner/repo/issues":
+            return (200, [])
+        if method == "GET" and path == "/repos/owner/repo/labels":
+            return (200, [{"id": 9, "name": "tier:high"}])
+        if method == "POST" and path == "/repos/owner/repo/issues":
+            post_filed["value"] = True
+            return (201, {"number": 999})
+        if method == "POST" and path == "/repos/owner/repo/issues/999/labels":
+            return (200, [])
+        raise AssertionError(f"unexpected api call: {method} {path}")
+
+    monkeypatch.setattr(wd_module, "api", fake_api)
+    wd_module.run_once(dry_run=False)
+    assert post_filed["value"], (
+        "genuine-failure path was skip-filed — head-recheck over-filter "
+        "regression (would suppress all real main-red alarms)"
+    )
+
+
+def test_head_recheck_skips_when_initial_was_only_cancel_cascade(
+    wd_module, monkeypatch,
+):
+    """Belt-and-braces: combined-status failure caused exclusively by
+    description='Has been cancelled' entries should still be filtered
+    by the EXISTING cancel-cascade filter — head-recheck must not
+    accidentally bypass it. Regression guard for the existing mc#1564
+    fix."""
+    failed_ctx = [
+        {"context": "ci/test", "status": "failure",
+         "description": "Has been cancelled"},
+    ]
+
+    def fake_api(method, path, *, body=None, query=None, expect_json=True):
+        if method == "GET" and path == "/repos/owner/repo/branches/main":
+            return (200, _branches_response(SHA_RED))
+        if method == "GET" and path == f"/repos/owner/repo/commits/{SHA_RED}/status":
+            return (200, _combined_status("failure", failed_ctx))
+        if method == "POST" and path == "/repos/owner/repo/issues":
+            raise AssertionError(
+                "cancel-cascade-only entry must be filtered before any "
+                "head-recheck logic runs"
+            )
+        if method == "GET" and path == "/repos/owner/repo/issues":
+            return (200, [])
+        # No commit-status recheck should happen because is_red() returned False
+        raise AssertionError(f"unexpected api call: {method} {path}")
+
+    monkeypatch.setattr(wd_module, "api", fake_api)
+    wd_module.run_once(dry_run=False)
+    # success: no AssertionError raised, no POST
+
+
+def test_resolve_action_run_status_returns_none_on_no_endpoint(wd_module):
+    """The action_run.status REST endpoint does NOT exist in Gitea
+    1.22.6 (verified empirically 2026-05-20 — /api/v1/.../actions/runs/N
+    returns HTTP 404 across all probe variants). The resolver must
+    return None gracefully so callers fall back to the description-
+    string + head-recheck heuristics.
+
+    This pins the extensibility hook: when a future Gitea release (or
+    an op-host proxy) exposes the endpoint, the resolver implementation
+    can be swapped in without touching the caller contract."""
+    # The function exists and is callable
+    assert hasattr(wd_module, "_resolve_action_run_status")
+    # A typical target_url shape from real Gitea commit_status rows:
+    target_url = "/molecule-ai/molecule-core/actions/runs/75020/jobs/0"
+    # Return None when no endpoint available
+    out = wd_module._resolve_action_run_status(target_url)
+    assert out is None, (
+        "resolver must return None when the action_run.status endpoint "
+        "isn't reachable — callers depend on the None-fallback path"
+    )
@@ -442,6 +442,46 @@ def test_reap_preserves_real_push(sr_module, monkeypatch):
    assert calls == []  # NO POST


+def test_reap_compensates_cancelled_real_push_status(sr_module, monkeypatch):
+    """Gitea 1.22.6 maps cancelled push runs to failure statuses.
+
+    A real push workflow with description exactly "Has been cancelled"
+    is cancel-cascade noise, not a defect signal. Status-reaper should
+    compensate it even though the workflow has a push trigger.
+    """
+    calls = []
+
+    def fake_api(method, path, *, body=None, query=None, expect_json=True):
+        calls.append((method, path, body))
+        return (201, {})
+
+    monkeypatch.setattr(sr_module, "api", fake_api)
+
+    workflow_map = {"ci": True}
+    combined = {
+        "state": "failure",
+        "statuses": [
+            {
+                "context": "ci / test (push)",
+                "status": "failure",
+                "description": "Has been cancelled",
+                "target_url": "https://example.test/actions/runs/1",
+            }
+        ],
+    }
+
+    counters = sr_module.reap(workflow_map, combined, SHA, dry_run=False)
+
+    assert counters["compensated"] == 1
+    assert counters["compensated_cancelled_push"] == 1
+    assert counters["preserved_real_push"] == 0
+    assert len(calls) == 1
+    assert calls[0][0] == "POST"
+    assert calls[0][1] == f"/repos/owner/repo/statuses/{SHA}"
+    assert calls[0][2]["context"] == "ci / test (push)"
+    assert calls[0][2]["state"] == "success"
+
+
 def test_reap_preserves_unknown_workflow(sr_module, monkeypatch, capsys):
    """Workflow not in map → ::notice:: + skip (conservative)."""
    monkeypatch.setattr(
@@ -686,11 +686,22 @@ func (h *WorkspaceHandler) resolveAgentURL(ctx context.Context, workspaceID stri
 		_ = db.CacheURL(ctx, workspaceID, agentURL)
 	}

-	// When the platform runs inside Docker, 127.0.0.1:{host_port} is
-	// unreachable (it's the platform container's own localhost, not the
-	// Docker host). Rewrite to the container's Docker-bridge hostname.
+	// When the platform runs inside Docker, a managed workspace's
+	// 127.0.0.1:{host_port} URL points at the Docker host and must be
+	// rewritten to the workspace container's Docker-bridge hostname.
+	// External runtimes are not managed containers; their local test/runtime
+	// URL is the target and must not be synthesized into ws-<id>:8000.
 	if strings.HasPrefix(agentURL, "http://127.0.0.1:") && h.provisioner != nil && platformInDocker {
-		agentURL = provisioner.InternalURL(workspaceID)
+		var wsRuntime string
+		if err := db.DB.QueryRowContext(ctx,
+			`SELECT COALESCE(runtime, 'langgraph') FROM workspaces WHERE id = $1`,
+			workspaceID,
+		).Scan(&wsRuntime); err != nil {
+			log.Printf("ProxyA2A: runtime lookup before Docker URL rewrite failed for %s: %v", workspaceID, err)
+		}
+		if !isExternalLikeRuntime(wsRuntime) {
+			agentURL = provisioner.InternalURL(workspaceID)
+		}
 	}
 	// SSRF defence: reject private/metadata URLs before making outbound call.
 	if err := isSafeURL(agentURL); err != nil {
@@ -1511,6 +1511,35 @@ func TestResolveAgentURL_DockerRewrite(t *testing.T) {
 	}
 }

+func TestResolveAgentURL_ExternalRuntimeLoopbackNotRewrittenInDocker(t *testing.T) {
+	mock := setupTestDB(t)
+	mr := setupTestRedis(t)
+	allowLoopbackForTest(t)
+	handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
+	waitForHandlerAsyncBeforeDBCleanup(t, handler)
+	handler.provisioner = &stubLocalProv{}
+
+	restore := setPlatformInDockerForTest(true)
+	defer restore()
+
+	agentURL := "http://127.0.0.1:55555"
+	mr.Set("ws:ws-external:url", agentURL)
+	mock.ExpectQuery("SELECT COALESCE\\(runtime").
+		WithArgs("ws-external").
+		WillReturnRows(sqlmock.NewRows([]string{"runtime"}).AddRow("external"))
+
+	url, perr := handler.resolveAgentURL(context.Background(), "ws-external")
+	if perr != nil {
+		t.Fatalf("unexpected error: %+v", perr)
+	}
+	if url != agentURL {
+		t.Errorf("external runtime loopback URL must not be rewritten; got %q want %q", url, agentURL)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
 // --- dispatchA2A direct unit tests ---

 func TestDispatchA2A_BuildRequestError(t *testing.T) {
@@ -67,7 +67,213 @@ func NewActivityHandler(b *events.Broadcaster) *ActivityHandler {
 	return &ActivityHandler{broadcaster: b}
 }

-// List handles GET /workspaces/:id/activity?type=&source=&limit=&since_secs=&since_id=
+// extractAttachmentsFromRequestBody walks a JSON-RPC a2a inbound body to
+// surface attachments (file/image/audio/video) as a flat `attachments[]`
+// projection so callers don't have to drill into the request_body shape
+// themselves.
+//
+// Two body shapes are walked in order:
+//
+//  1. a2a-sdk v1 message-part envelope (peer_agent inbound):
+//
+//     {"jsonrpc":"2.0","method":"message/send","params":{
+//        "message":{"parts":[
+//          {"kind":"text", "text":"hi"},
+//          {"kind":"file", "file":{"uri":"workspace:foo.pdf","mime_type":"application/pdf","name":"foo.pdf"}},
+//          {"kind":"image","file":{"uri":"workspace:bar.png","mime_type":"image/png","name":"bar.png"}},
+//        ]}}}
+//
+//  2. canvas chat_upload_receive flat manifest (canvas_user upload):
+//
+//     {"uri":"platform-pending:<ws>/<file>",
+//      "name":"pasted.png",
+//      "size":12345,
+//      "file_id":"<uuid>",
+//      "mimeType":"image/png"}
+//
+//     The canvas upload pipe writes a single manifest directly at the
+//     root of request_body (no JSON-RPC envelope) with camelCase
+//     `mimeType`. We normalize to snake_case `mime_type` on the way out
+//     so every downstream adaptor (channel / telegram / codex / hermes)
+//     sees one wire shape regardless of which inbound shape produced it.
+//
+// Returns nil (omit-from-JSON) when the body has no attachments — the
+// `?include=peer_info` envelope projects this as an array iff non-empty.
+//
+// Defensive on every step: any missing key / wrong-shape value falls
+// through to the next arm or returns nil instead of panicking. The
+// activity_logs row could carry literally any JSON in request_body
+// (legacy formats, future formats); we only commit to the documented
+// shapes and silently skip anything else.
+func extractAttachmentsFromRequestBody(raw []byte) []map[string]interface{} {
+	if len(raw) == 0 {
+		return nil
+	}
+	var body map[string]interface{}
+	if err := json.Unmarshal(raw, &body); err != nil {
+		return nil
+	}
+	if atts := extractAttachmentsFromMessageParts(body); len(atts) > 0 {
+		return atts
+	}
+	if att := extractAttachmentFromFlatUploadManifest(body); att != nil {
+		return []map[string]interface{}{att}
+	}
+	return nil
+}
+
+// extractAttachmentsFromMessageParts handles the a2a-sdk v1 shape:
+// body.params.message.parts[]. Walks file/image/audio parts; honors v1
+// `kind` and v0 `type` discriminators; accepts nested `.file` sub-object
+// or inlined uri/mime_type/name on the part itself.
+func extractAttachmentsFromMessageParts(body map[string]interface{}) []map[string]interface{} {
+	params, ok := body["params"].(map[string]interface{})
+	if !ok {
+		return nil
+	}
+	message, ok := params["message"].(map[string]interface{})
+	if !ok {
+		return nil
+	}
+	parts, ok := message["parts"].([]interface{})
+	if !ok {
+		return nil
+	}
+	out := make([]map[string]interface{}, 0)
+	for _, p := range parts {
+		part, ok := p.(map[string]interface{})
+		if !ok {
+			continue
+		}
+		// a2a-sdk v1 uses "kind"; older v0 callers sent "type". Accept
+		// both for the discriminator — same defensive read pattern as
+		// the runtime-side extract_text helper.
+		kind, _ := part["kind"].(string)
+		if kind == "" {
+			kind, _ = part["type"].(string)
+		}
+		if kind != "file" && kind != "image" && kind != "audio" {
+			continue
+		}
+		// The file sub-object holds uri/mime_type/name. The a2a-sdk v1
+		// shape nests under "file"; some legacy payloads inlined the
+		// fields onto the part itself. Support both.
+		var fileObj map[string]interface{}
+		if f, ok := part["file"].(map[string]interface{}); ok {
+			fileObj = f
+		} else {
+			fileObj = part
+		}
+		uri, _ := fileObj["uri"].(string)
+		mimeType, _ := fileObj["mime_type"].(string)
+		name, _ := fileObj["name"].(string)
+		// At minimum we need either a uri or a name to be useful.
+		// Empty-part entries are skipped (they're a malformed inbound
+		// — surface nothing rather than emit a no-info placeholder).
+		if uri == "" && name == "" {
+			continue
+		}
+		att := map[string]interface{}{"kind": kind}
+		if uri != "" {
+			att["uri"] = uri
+		}
+		if mimeType != "" {
+			att["mime_type"] = mimeType
+		}
+		if name != "" {
+			att["name"] = name
+		}
+		out = append(out, att)
+	}
+	if len(out) == 0 {
+		return nil
+	}
+	return out
+}
+
+// extractAttachmentFromFlatUploadManifest handles the canvas
+// chat_upload_receive shape: a single upload manifest at the root of
+// request_body with no JSON-RPC envelope. Canvas uses camelCase
+// `mimeType`; we normalize to snake_case `mime_type` on emit so the
+// wire shape matches the message-parts arm. Kind is derived from the
+// mime prefix (image/* → "image", audio/* → "audio", video/* → "video",
+// anything else → "file") because the canvas upload row doesn't carry
+// an explicit discriminator. Returns nil if neither `uri` nor `file_id`
+// is present at the root (i.e. not a flat upload manifest).
+func extractAttachmentFromFlatUploadManifest(body map[string]interface{}) map[string]interface{} {
+	uri, _ := body["uri"].(string)
+	fileID, _ := body["file_id"].(string)
+	if uri == "" && fileID == "" {
+		return nil
+	}
+	mimeType, _ := body["mimeType"].(string)
+	if mimeType == "" {
+		// Defensive: future canvas versions might emit snake_case directly.
+		mimeType, _ = body["mime_type"].(string)
+	}
+	name, _ := body["name"].(string)
+	// Apply the same minimum-info rule as the message-parts arm: a
+	// manifest with neither uri nor name is non-actionable; skip.
+	if uri == "" && name == "" {
+		return nil
+	}
+	att := map[string]interface{}{"kind": kindFromMimeType(mimeType)}
+	if uri != "" {
+		att["uri"] = uri
+	}
+	if mimeType != "" {
+		att["mime_type"] = mimeType
+	}
+	if name != "" {
+		att["name"] = name
+	}
+	return att
+}
+
+// kindFromMimeType derives the attachment `kind` discriminator from a
+// MIME type. Used by the flat-upload-manifest arm where the source row
+// has no explicit kind field.
+func kindFromMimeType(mime string) string {
+	switch {
+	case strings.HasPrefix(mime, "image/"):
+		return "image"
+	case strings.HasPrefix(mime, "audio/"):
+		return "audio"
+	case strings.HasPrefix(mime, "video/"):
+		return "video"
+	default:
+		return "file"
+	}
+}
+
+// includeFlagSet returns true iff `flag` appears in the comma-separated
+// `?include=` query value. Whitespace around entries is tolerated.
+// Empty `include` returns false (existing back-compat shape).
+//
+// The comma-separable form lets future fields ("attachments_only",
+// "tool_trace_expanded", etc.) slot in without further URL-param creep.
+func includeFlagSet(includeQuery, flag string) bool {
+	if includeQuery == "" || flag == "" {
+		return false
+	}
+	for _, raw := range strings.Split(includeQuery, ",") {
+		if strings.TrimSpace(raw) == flag {
+			return true
+		}
+	}
+	return false
+}
+
+// List handles GET /workspaces/:id/activity?type=&source=&limit=&since_secs=&since_id=&include=
+//
+// The `include` query param is comma-separable; today the only flag is
+// `peer_info`, which enriches a2a_receive rows with `peer_name`,
+// `peer_role`, `agent_card_url`, and an `attachments[]` projection (see
+// extractAttachmentsFromRequestBody). It's additive + opt-in — existing
+// callers that don't pass `?include=peer_info` see the unchanged shape.
+// Surface for the layered enrichment that lets Claude Code channel
+// pushes carry full sender identity instead of bare UUIDs (sibling
+// repos: molecule-ai-workspace-runtime + molecule-mcp-claude-channel).
 //
 // since_secs filters to activity_logs.created_at >= NOW() - INTERVAL '$N seconds'.
 // Optional, additive — callers that don't pass it get today's behavior (the
@@ -102,6 +308,8 @@ func (h *ActivityHandler) List(c *gin.Context) {
 	sinceSecsStr := c.Query("since_secs")
 	sinceID := c.Query("since_id")
 	beforeTSStr := c.Query("before_ts") // optional RFC3339 — return rows strictly older than this timestamp
+	include := c.Query("include")       // comma-separated; today's only flag is "peer_info"
+	includePeerInfo := includeFlagSet(include, "peer_info")

 	// Validate peer_id as a UUID at the trust boundary so a malformed
 	// caller (the agent or a downstream MCP tool) can't smuggle SQL
@@ -192,22 +400,60 @@ func (h *ActivityHandler) List(c *gin.Context) {
 		usingCursor = true
 	}

-	// Build query with optional filters
-	query := `SELECT id, workspace_id, activity_type, source_id, target_id, method,
-			   summary, request_body, response_body, tool_trace, duration_ms, status, error_detail, created_at
-		FROM activity_logs WHERE workspace_id = $1`
+	// Build query with optional filters. When ?include=peer_info is set,
+	// LEFT JOIN workspaces ON activity_logs.source_id = w.id so we can
+	// surface w.name + w.role on the row. LEFT (not INNER) is required
+	// for two reasons:
+	//   1. Canvas rows have source_id IS NULL — those must still appear
+	//      in the result set (with NULL peer_name/peer_role).
+	//   2. A peer workspace may have been deleted since the row was
+	//      written (no FK constraint on activity_logs.source_id) —
+	//      LEFT JOIN preserves the activity row with NULL peer fields
+	//      rather than silently dropping the row.
+	//
+	// agent_card_url is NOT pulled from the workspaces table; it's
+	// computed server-side from externalPlatformURL + source_id at
+	// projection time (mirrors molecule-ai-workspace-runtime
+	// a2a_client._agent_card_url_for which constructs
+	// {PLATFORM_URL}/registry/discover/{peer_id}).
+	//
+	// Column qualification (`activity_logs.<col>`) is added ONLY when
+	// the JOIN is present — disambiguates `id` / `created_at` which
+	// exist in both tables. When the JOIN is absent, unqualified
+	// column references preserve the exact wire-shape existing callers
+	// + existing test fixtures expect (back-compat).
+	actCol := ""
+	if includePeerInfo {
+		actCol = "activity_logs."
+	}
+	selectClause := `SELECT ` + actCol + `id, ` + actCol + `workspace_id, ` + actCol + `activity_type, ` +
+		actCol + `source_id, ` + actCol + `target_id, ` + actCol + `method, ` +
+		actCol + `summary, ` + actCol + `request_body, ` + actCol + `response_body, ` +
+		actCol + `tool_trace, ` + actCol + `duration_ms, ` + actCol + `status, ` +
+		actCol + `error_detail, ` + actCol + `created_at`
+	fromClause := ` FROM activity_logs`
+	if includePeerInfo {
+		selectClause += `, w.name AS peer_name, w.role AS peer_role`
+		fromClause += ` LEFT JOIN workspaces w ON w.id = activity_logs.source_id`
+	}
+	query := selectClause + fromClause + ` WHERE ` + actCol + `workspace_id = $1`
 	args := []interface{}{workspaceID}
 	argIdx := 2

+	// WHERE/ORDER column refs use the same `actCol` qualifier prefix
+	// computed above — empty string when no JOIN (back-compat with
+	// existing wire shape + sqlmock-regex test fixtures), or
+	// `activity_logs.` when LEFT JOIN'd (disambiguates `id` /
+	// `created_at` between the two tables).
 	if activityType != "" {
-		query += fmt.Sprintf(" AND activity_type = $%d", argIdx)
+		query += fmt.Sprintf(" AND "+actCol+"activity_type = $%d", argIdx)
 		args = append(args, activityType)
 		argIdx++
 	}
 	if source == "canvas" {
-		query += " AND source_id IS NULL"
+		query += " AND " + actCol + "source_id IS NULL"
 	} else if source == "agent" {
-		query += " AND source_id IS NOT NULL"
+		query += " AND " + actCol + "source_id IS NOT NULL"
 	} else if source != "" {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "source must be 'canvas' or 'agent'"})
 		return
@@ -224,7 +470,7 @@ func (h *ActivityHandler) List(c *gin.Context) {
 		// and avoids duplicate parameter binding (some drivers reject the
 		// same arg slot reused, ours is fine but the explicit form is
 		// clearer to read and matches the rest of the builder.)
-		query += fmt.Sprintf(" AND (source_id = $%d OR target_id = $%d)", argIdx, argIdx)
+		query += fmt.Sprintf(" AND ("+actCol+"source_id = $%d OR "+actCol+"target_id = $%d)", argIdx, argIdx)
 		args = append(args, peerID)
 		argIdx++
 	}
@@ -232,7 +478,7 @@ func (h *ActivityHandler) List(c *gin.Context) {
 		// Strictly older — never replay a row with the exact same
 		// timestamp, mirrors the `created_at > cursorTime` shape
 		// `since_id` uses for forward paging.
-		query += fmt.Sprintf(" AND created_at < $%d", argIdx)
+		query += fmt.Sprintf(" AND "+actCol+"created_at < $%d", argIdx)
 		args = append(args, beforeTS)
 		argIdx++
 	}
@@ -241,13 +487,13 @@ func (h *ActivityHandler) List(c *gin.Context) {
 		// interpolated into the SQL string. `make_interval(secs => $N)`
 		// avoids the lib/pq quirk where INTERVAL '$N seconds' won't
 		// substitute a placeholder inside the literal.
-		query += fmt.Sprintf(" AND created_at >= NOW() - make_interval(secs => $%d)", argIdx)
+		query += fmt.Sprintf(" AND "+actCol+"created_at >= NOW() - make_interval(secs => $%d)", argIdx)
 		args = append(args, sinceSecs)
 		argIdx++
 	}
 	if usingCursor {
 		// Strictly after — never replay the cursor row itself.
-		query += fmt.Sprintf(" AND created_at > $%d", argIdx)
+		query += fmt.Sprintf(" AND "+actCol+"created_at > $%d", argIdx)
 		args = append(args, cursorTime)
 		argIdx++
 	}
@@ -257,9 +503,9 @@ func (h *ActivityHandler) List(c *gin.Context) {
 	// since_id) keeps DESC — that's the canvas/UI shape and changing it
 	// would surprise existing callers.
 	if usingCursor {
-		query += fmt.Sprintf(" ORDER BY created_at ASC LIMIT $%d", argIdx)
+		query += fmt.Sprintf(" ORDER BY "+actCol+"created_at ASC LIMIT $%d", argIdx)
 	} else {
-		query += fmt.Sprintf(" ORDER BY created_at DESC LIMIT $%d", argIdx)
+		query += fmt.Sprintf(" ORDER BY "+actCol+"created_at DESC LIMIT $%d", argIdx)
 	}
 	args = append(args, limit)

@@ -272,6 +518,14 @@ func (h *ActivityHandler) List(c *gin.Context) {
 	}
 	defer rows.Close()

+	// agent_card_url base computed once per request so we don't pay the
+	// header-read cost per row. Only meaningful when includePeerInfo is
+	// set; the empty string here is harmless when the flag is off.
+	var platformBase string
+	if includePeerInfo {
+		platformBase = externalPlatformURL(c)
+	}
+
 	activities := make([]map[string]interface{}, 0)
 	for rows.Next() {
 		var id, wsID, actType, status string
@@ -279,10 +533,23 @@ func (h *ActivityHandler) List(c *gin.Context) {
 		var reqBody, respBody, toolTrace []byte
 		var durationMs *int
 		var createdAt time.Time
+		// LEFT JOIN'd peer columns — pointer-string so a NULL row
+		// (canvas message OR deleted peer workspace) decodes as nil
+		// rather than empty-string. Only scanned when includePeerInfo
+		// is set (matched against the SELECT clause above).
+		var peerName, peerRole *string

-		if err := rows.Scan(&id, &wsID, &actType, &sourceID, &targetID, &method,
-			&summary, &reqBody, &respBody, &toolTrace, &durationMs, &status, &errorDetail, &createdAt); err != nil {
-			log.Printf("Activity scan error: %v", err)
+		var scanErr error
+		if includePeerInfo {
+			scanErr = rows.Scan(&id, &wsID, &actType, &sourceID, &targetID, &method,
+				&summary, &reqBody, &respBody, &toolTrace, &durationMs, &status, &errorDetail, &createdAt,
+				&peerName, &peerRole)
+		} else {
+			scanErr = rows.Scan(&id, &wsID, &actType, &sourceID, &targetID, &method,
+				&summary, &reqBody, &respBody, &toolTrace, &durationMs, &status, &errorDetail, &createdAt)
+		}
+		if scanErr != nil {
+			log.Printf("Activity scan error: %v", scanErr)
 			continue
 		}

@@ -308,6 +575,39 @@ func (h *ActivityHandler) List(c *gin.Context) {
 		if toolTrace != nil {
 			entry["tool_trace"] = json.RawMessage(toolTrace)
 		}
+
+		// peer_info enrichment (per ?include=peer_info). Only emit the
+		// new fields when the flag is set — back-compat for callers
+		// that don't request it.
+		if includePeerInfo {
+			// peer_name / peer_role: emit only when present (canvas
+			// rows have source_id IS NULL → peer_name is NULL by JOIN;
+			// also a peer workspace may have been deleted since the
+			// row was written → same NULL outcome). Omit-when-absent
+			// matches the Layer 3 adaptor's "spread when present"
+			// pattern; canvas_user rows legitimately have no peer_*.
+			if peerName != nil && *peerName != "" {
+				entry["peer_name"] = *peerName
+			}
+			if peerRole != nil && *peerRole != "" {
+				entry["peer_role"] = *peerRole
+			}
+			// agent_card_url: constructed server-side from
+			// externalPlatformURL + source_id. Mirrors the runtime-
+			// side helper a2a_client._agent_card_url_for which builds
+			// {PLATFORM_URL}/registry/discover/{peer_id}. Only set
+			// when source_id is present + non-empty.
+			if sourceID != nil && *sourceID != "" && platformBase != "" {
+				entry["agent_card_url"] = platformBase + "/registry/discover/" + *sourceID
+			}
+			// attachments: flatten file/image/audio parts from the
+			// request_body. nil when none — only project when
+			// non-empty so the omit-when-absent rule holds.
+			if atts := extractAttachmentsFromRequestBody(reqBody); len(atts) > 0 {
+				entry["attachments"] = atts
+			}
+		}
+
 		activities = append(activities, entry)
 	}
 	if err := rows.Err(); err != nil {
@@ -0,0 +1,701 @@
+package handlers
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/DATA-DOG/go-sqlmock"
+	"github.com/gin-gonic/gin"
+)
+
+// Tests for the `?include=peer_info` activity-feed enrichment.
+//
+// The enrichment is additive + opt-in. When the flag is absent, the
+// existing tests (TestActivityList_SourceCanvas, etc.) prove the wire
+// shape is unchanged. These tests prove:
+//   - When the flag IS set, the LEFT JOIN is issued and the SELECT
+//     adds w.name + w.role.
+//   - peer_name / peer_role surface from the joined row.
+//   - agent_card_url is composed server-side from
+//     externalPlatformURL + source_id and appears for non-canvas rows
+//     (source_id present).
+//   - attachments[] is projected from request_body.params.message.parts
+//     for file/image/audio parts.
+//   - Canvas rows (source_id NULL) do NOT get peer_name / peer_role /
+//     agent_card_url, but DO still appear in the result set (LEFT JOIN
+//     preserves them with NULL peer fields).
+//   - The `include` query param is comma-separable and only recognizes
+//     known flags.
+
+// ---------- includeFlagSet helper unit tests ----------
+
+func TestIncludeFlagSet(t *testing.T) {
+	cases := []struct {
+		query string
+		flag  string
+		want  bool
+	}{
+		{"", "peer_info", false},
+		{"peer_info", "peer_info", true},
+		{"peer_info,attachments", "peer_info", true},
+		{"attachments,peer_info", "peer_info", true},
+		{"attachments , peer_info ", "peer_info", true},
+		{"peer_infos", "peer_info", false},
+		{"peerinfo", "peer_info", false},
+		{"peer_info", "", false},
+		{",,", "peer_info", false},
+	}
+	for _, tc := range cases {
+		got := includeFlagSet(tc.query, tc.flag)
+		if got != tc.want {
+			t.Errorf("includeFlagSet(%q, %q) = %v, want %v", tc.query, tc.flag, got, tc.want)
+		}
+	}
+}
+
+// ---------- extractAttachmentsFromRequestBody unit tests ----------
+
+func TestExtractAttachmentsFromRequestBody_Empty(t *testing.T) {
+	if got := extractAttachmentsFromRequestBody(nil); got != nil {
+		t.Errorf("nil body: want nil, got %v", got)
+	}
+	if got := extractAttachmentsFromRequestBody([]byte("")); got != nil {
+		t.Errorf("empty body: want nil, got %v", got)
+	}
+	if got := extractAttachmentsFromRequestBody([]byte("not json")); got != nil {
+		t.Errorf("non-json body: want nil, got %v", got)
+	}
+}
+
+func TestExtractAttachmentsFromRequestBody_NoAttachments(t *testing.T) {
+	// Text-only message: no file/image/audio parts → nil
+	body := []byte(`{"jsonrpc":"2.0","method":"message/send","params":{"message":{"parts":[{"kind":"text","text":"hi"}]}}}`)
+	if got := extractAttachmentsFromRequestBody(body); got != nil {
+		t.Errorf("text-only: want nil, got %v", got)
+	}
+}
+
+func TestExtractAttachmentsFromRequestBody_FileKindV1(t *testing.T) {
+	// a2a-sdk v1 shape: kind=file, file:{uri,mime_type,name}
+	body := []byte(`{"jsonrpc":"2.0","method":"message/send","params":{"message":{"parts":[
+		{"kind":"text","text":"see attached"},
+		{"kind":"file","file":{"uri":"workspace:foo.pdf","mime_type":"application/pdf","name":"foo.pdf"}}
+	]}}}`)
+	atts := extractAttachmentsFromRequestBody(body)
+	if len(atts) != 1 {
+		t.Fatalf("want 1 attachment, got %d", len(atts))
+	}
+	if atts[0]["kind"] != "file" {
+		t.Errorf("kind: want file, got %v", atts[0]["kind"])
+	}
+	if atts[0]["uri"] != "workspace:foo.pdf" {
+		t.Errorf("uri mismatch: %v", atts[0]["uri"])
+	}
+	if atts[0]["mime_type"] != "application/pdf" {
+		t.Errorf("mime_type mismatch: %v", atts[0]["mime_type"])
+	}
+	if atts[0]["name"] != "foo.pdf" {
+		t.Errorf("name mismatch: %v", atts[0]["name"])
+	}
+}
+
+func TestExtractAttachmentsFromRequestBody_ImageAndAudio(t *testing.T) {
+	// Mixed image + audio parts; both surface
+	body := []byte(`{"jsonrpc":"2.0","method":"message/send","params":{"message":{"parts":[
+		{"kind":"image","file":{"uri":"workspace:a.png","mime_type":"image/png","name":"a.png"}},
+		{"kind":"audio","file":{"uri":"workspace:b.mp3","mime_type":"audio/mpeg","name":"b.mp3"}}
+	]}}}`)
+	atts := extractAttachmentsFromRequestBody(body)
+	if len(atts) != 2 {
+		t.Fatalf("want 2 attachments, got %d", len(atts))
+	}
+	if atts[0]["kind"] != "image" || atts[1]["kind"] != "audio" {
+		t.Errorf("kind order: got %v / %v", atts[0]["kind"], atts[1]["kind"])
+	}
+}
+
+func TestExtractAttachmentsFromRequestBody_LegacyV0TypeDiscriminator(t *testing.T) {
+	// Legacy v0 shape: type=file (not kind), inlined fields (no nested .file)
+	body := []byte(`{"jsonrpc":"2.0","method":"message/send","params":{"message":{"parts":[
+		{"type":"file","uri":"workspace:legacy.txt","mime_type":"text/plain","name":"legacy.txt"}
+	]}}}`)
+	atts := extractAttachmentsFromRequestBody(body)
+	if len(atts) != 1 {
+		t.Fatalf("want 1 attachment, got %d", len(atts))
+	}
+	if atts[0]["kind"] != "file" || atts[0]["uri"] != "workspace:legacy.txt" || atts[0]["name"] != "legacy.txt" {
+		t.Errorf("v0 part not surfaced: %v", atts[0])
+	}
+}
+
+func TestExtractAttachmentsFromRequestBody_SkipsEmptyParts(t *testing.T) {
+	// A "file" part with no uri AND no name is malformed — skip rather
+	// than emit a no-info entry.
+	body := []byte(`{"jsonrpc":"2.0","method":"message/send","params":{"message":{"parts":[
+		{"kind":"file","file":{}},
+		{"kind":"file","file":{"name":"only-name.bin"}}
+	]}}}`)
+	atts := extractAttachmentsFromRequestBody(body)
+	if len(atts) != 1 {
+		t.Fatalf("want 1 attachment (the named one), got %d", len(atts))
+	}
+	if atts[0]["name"] != "only-name.bin" {
+		t.Errorf("expected only-name.bin, got %v", atts[0])
+	}
+}
+
+func TestExtractAttachmentsFromRequestBody_MalformedShape(t *testing.T) {
+	// Various malformed shapes return nil (defensive)
+	for _, b := range []string{
+		`{}`,
+		`{"params":{}}`,
+		`{"params":{"message":{}}}`,
+		`{"params":{"message":{"parts":"not-a-list"}}}`,
+		`{"params":{"message":{"parts":[null,42,"string"]}}}`,
+	} {
+		if got := extractAttachmentsFromRequestBody([]byte(b)); got != nil {
+			t.Errorf("body %q: want nil, got %v", b, got)
+		}
+	}
+}
+
+// ---------- Activity List ?include=peer_info handler tests ----------
+
+func TestActivityList_IncludePeerInfo_IssuesLeftJoin(t *testing.T) {
+	// When ?include=peer_info is set, the query must:
+	//   1. SELECT include w.name + w.role aliased as peer_name/peer_role
+	//   2. FROM contains LEFT JOIN workspaces w ON w.id = activity_logs.source_id
+	//   3. WHERE uses qualified activity_logs.workspace_id (disambiguates
+	//      from workspaces.id post-JOIN)
+	//
+	// Pin all three so a future refactor can't silently drop the JOIN or
+	// the alias and have the test still pass.
+	mock := setupTestDB(t)
+	broadcaster := newTestBroadcaster()
+	handler := NewActivityHandler(broadcaster)
+
+	peerID := "11111111-2222-3333-4444-555555555555"
+	mock.ExpectQuery(
+		`SELECT .+w\.name AS peer_name, w\.role AS peer_role FROM activity_logs LEFT JOIN workspaces w ON w\.id = activity_logs\.source_id WHERE activity_logs\.workspace_id = .+`,
+	).
+		WithArgs("ws-1", 100).
+		WillReturnRows(sqlmock.NewRows([]string{
+			"id", "workspace_id", "activity_type", "source_id", "target_id",
+			"method", "summary", "request_body", "response_body",
+			"tool_trace", "duration_ms", "status", "error_detail", "created_at",
+			"peer_name", "peer_role",
+		}).
+			AddRow("act-1", "ws-1", "a2a_receive", peerID, "ws-1",
+				"message/send", "Agent message: hello",
+				[]byte(`{"jsonrpc":"2.0","method":"message/send","params":{"message":{"parts":[{"kind":"text","text":"hello"}]}}}`),
+				nil, nil, nil, "ok", nil, time.Now(),
+				"Production Manager", "product manager"))
+
+	gin.SetMode(gin.TestMode)
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "ws-1"}}
+	c.Request = httptest.NewRequest("GET", "/workspaces/ws-1/activity?include=peer_info", nil)
+	c.Request.Host = "platform.test"
+	c.Request.Header.Set("X-Forwarded-Proto", "https")
+	handler.List(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var resp []map[string]interface{}
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("parse: %v", err)
+	}
+	if len(resp) != 1 {
+		t.Fatalf("want 1 row, got %d", len(resp))
+	}
+	r := resp[0]
+	if r["peer_name"] != "Production Manager" {
+		t.Errorf("peer_name: got %v", r["peer_name"])
+	}
+	if r["peer_role"] != "product manager" {
+		t.Errorf("peer_role: got %v", r["peer_role"])
+	}
+	wantURL := "https://platform.test/registry/discover/" + peerID
+	if r["agent_card_url"] != wantURL {
+		t.Errorf("agent_card_url: got %v, want %v", r["agent_card_url"], wantURL)
+	}
+	// Text-only message has no attachments → omit from envelope
+	if _, present := r["attachments"]; present {
+		t.Errorf("attachments should be omitted on text-only row; got %v", r["attachments"])
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Fatalf("unmet expectations: %v", err)
+	}
+}
+
+func TestActivityList_IncludePeerInfo_CanvasRowHasNoPeerFields(t *testing.T) {
+	// LEFT JOIN preserves canvas rows (source_id NULL) but their
+	// peer_name/peer_role come back as NULL — must omit from the
+	// envelope (not emit empty strings or null literals).
+	mock := setupTestDB(t)
+	broadcaster := newTestBroadcaster()
+	handler := NewActivityHandler(broadcaster)
+
+	mock.ExpectQuery(
+		`LEFT JOIN workspaces w ON w\.id = activity_logs\.source_id`,
+	).
+		WithArgs("ws-1", 100).
+		WillReturnRows(sqlmock.NewRows([]string{
+			"id", "workspace_id", "activity_type", "source_id", "target_id",
+			"method", "summary", "request_body", "response_body",
+			"tool_trace", "duration_ms", "status", "error_detail", "created_at",
+			"peer_name", "peer_role",
+		}).
+			// source_id NULL = canvas message; peer columns also NULL.
+			AddRow("act-canvas", "ws-1", "a2a_receive", nil, "ws-1",
+				"notify", "User said hi",
+				[]byte(`{"params":{"message":{"parts":[{"kind":"text","text":"hi"}]}}}`),
+				nil, nil, nil, "ok", nil, time.Now(),
+				nil, nil))
+
+	gin.SetMode(gin.TestMode)
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "ws-1"}}
+	c.Request = httptest.NewRequest("GET", "/workspaces/ws-1/activity?include=peer_info", nil)
+	handler.List(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var resp []map[string]interface{}
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("parse: %v", err)
+	}
+	if len(resp) != 1 {
+		t.Fatalf("want 1 row, got %d", len(resp))
+	}
+	r := resp[0]
+	for _, k := range []string{"peer_name", "peer_role", "agent_card_url"} {
+		if _, present := r[k]; present {
+			t.Errorf("%s should be absent on canvas row; got %v", k, r[k])
+		}
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Fatalf("unmet expectations: %v", err)
+	}
+}
+
+func TestActivityList_IncludePeerInfo_AttachmentsSurfaceFromRequestBody(t *testing.T) {
+	// A peer_agent message with an inline file attachment must have
+	// attachments[] populated on the envelope.
+	mock := setupTestDB(t)
+	broadcaster := newTestBroadcaster()
+	handler := NewActivityHandler(broadcaster)
+
+	peerID := "11111111-2222-3333-4444-555555555555"
+	mock.ExpectQuery(`LEFT JOIN workspaces`).
+		WithArgs("ws-1", 100).
+		WillReturnRows(sqlmock.NewRows([]string{
+			"id", "workspace_id", "activity_type", "source_id", "target_id",
+			"method", "summary", "request_body", "response_body",
+			"tool_trace", "duration_ms", "status", "error_detail", "created_at",
+			"peer_name", "peer_role",
+		}).
+			AddRow("act-with-file", "ws-1", "a2a_receive", peerID, "ws-1",
+				"message/send", "Agent message: see attached",
+				[]byte(`{"jsonrpc":"2.0","method":"message/send","params":{"message":{"parts":[
+					{"kind":"text","text":"see attached"},
+					{"kind":"file","file":{"uri":"workspace:foo.pdf","mime_type":"application/pdf","name":"foo.pdf"}}
+				]}}}`),
+				nil, nil, nil, "ok", nil, time.Now(),
+				"Code Reviewer", "code reviewer"))
+
+	gin.SetMode(gin.TestMode)
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "ws-1"}}
+	c.Request = httptest.NewRequest("GET", "/workspaces/ws-1/activity?include=peer_info", nil)
+	handler.List(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var resp []map[string]interface{}
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("parse: %v", err)
+	}
+	r := resp[0]
+	atts, ok := r["attachments"].([]interface{})
+	if !ok {
+		t.Fatalf("attachments missing or wrong type: %T %v", r["attachments"], r["attachments"])
+	}
+	if len(atts) != 1 {
+		t.Fatalf("want 1 attachment, got %d: %v", len(atts), atts)
+	}
+	att := atts[0].(map[string]interface{})
+	if att["kind"] != "file" || att["uri"] != "workspace:foo.pdf" || att["name"] != "foo.pdf" {
+		t.Errorf("attachment shape: %v", att)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Fatalf("unmet expectations: %v", err)
+	}
+}
+
+func TestActivityList_IncludePeerInfo_Unset_NoJoinNoExtraFields(t *testing.T) {
+	// Back-compat — when ?include=peer_info is NOT passed, the SELECT
+	// uses unqualified column refs (no `activity_logs.` prefix) AND no
+	// JOIN. Existing tests pass this implicitly; this test pins it
+	// explicitly so a future refactor that accidentally turns the JOIN
+	// always-on gets caught.
+	mock := setupTestDB(t)
+	broadcaster := newTestBroadcaster()
+	handler := NewActivityHandler(broadcaster)
+
+	// Regex pinned: "FROM activity_logs WHERE workspace_id" — no JOIN
+	// keyword between FROM and WHERE; no `activity_logs.` qualifier on
+	// workspace_id.
+	mock.ExpectQuery(`SELECT id, workspace_id,.+ FROM activity_logs WHERE workspace_id = .+`).
+		WithArgs("ws-1", 100).
+		WillReturnRows(sqlmock.NewRows([]string{
+			"id", "workspace_id", "activity_type", "source_id", "target_id",
+			"method", "summary", "request_body", "response_body",
+			"tool_trace", "duration_ms", "status", "error_detail", "created_at",
+		}).
+			AddRow("act-1", "ws-1", "a2a_receive", "11111111-2222-3333-4444-555555555555", "ws-1",
+				"message/send", "Hello",
+				nil, nil, nil, nil, "ok", nil, time.Now()))
+
+	gin.SetMode(gin.TestMode)
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "ws-1"}}
+	c.Request = httptest.NewRequest("GET", "/workspaces/ws-1/activity", nil)
+	handler.List(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var resp []map[string]interface{}
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("parse: %v", err)
+	}
+	if len(resp) != 1 {
+		t.Fatalf("want 1 row, got %d", len(resp))
+	}
+	// Confirm no peer_info enrichment leaks into the default envelope.
+	for _, k := range []string{"peer_name", "peer_role", "agent_card_url", "attachments"} {
+		if _, present := resp[0][k]; present {
+			t.Errorf("%s must NOT appear without ?include=peer_info; got %v", k, resp[0][k])
+		}
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Fatalf("unmet expectations: %v", err)
+	}
+}
+
+func TestActivityList_IncludePeerInfo_UnknownFlagIgnored(t *testing.T) {
+	// ?include=bogus must NOT issue the JOIN — only the recognized
+	// `peer_info` flag triggers enrichment. The unknown flag is silently
+	// ignored (additive, opt-in convention).
+	mock := setupTestDB(t)
+	broadcaster := newTestBroadcaster()
+	handler := NewActivityHandler(broadcaster)
+
+	mock.ExpectQuery(`SELECT id, workspace_id,.+ FROM activity_logs WHERE workspace_id = .+`).
+		WithArgs("ws-1", 100).
+		WillReturnRows(sqlmock.NewRows([]string{
+			"id", "workspace_id", "activity_type", "source_id", "target_id",
+			"method", "summary", "request_body", "response_body",
+			"tool_trace", "duration_ms", "status", "error_detail", "created_at",
+		}))
+
+	gin.SetMode(gin.TestMode)
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "ws-1"}}
+	c.Request = httptest.NewRequest("GET", "/workspaces/ws-1/activity?include=bogus", nil)
+	handler.List(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d", w.Code)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Fatalf("unmet expectations: %v", err)
+	}
+}
+
+// ---------- flat upload manifest (chat_upload_receive) tests ----------
+
+func TestKindFromMimeType(t *testing.T) {
+	cases := []struct {
+		mime string
+		want string
+	}{
+		{"image/png", "image"},
+		{"image/jpeg", "image"},
+		{"image/", "image"}, // prefix-only is still image
+		{"audio/mpeg", "audio"},
+		{"audio/wav", "audio"},
+		{"video/mp4", "video"},
+		{"video/webm", "video"},
+		{"application/pdf", "file"},
+		{"text/plain", "file"},
+		{"", "file"},
+		{"unknown", "file"},
+		{"image", "file"}, // no slash → not a prefix match
+	}
+	for _, tc := range cases {
+		if got := kindFromMimeType(tc.mime); got != tc.want {
+			t.Errorf("kindFromMimeType(%q) = %q, want %q", tc.mime, got, tc.want)
+		}
+	}
+}
+
+func TestExtractAttachmentsFromRequestBody_FlatUpload_Image(t *testing.T) {
+	// Canvas chat_upload_receive shape: flat manifest at request_body
+	// root with camelCase mimeType. The empirical example was a PNG
+	// pasted into the canvas; surfaces here with kind=image,
+	// mime_type=image/png (snake-case normalized), uri preserved.
+	body := []byte(`{
+		"uri":"platform-pending:091a9180-/26111d48-",
+		"name":"pasted-2026-05-21T23-12-25-0-0.png",
+		"size":677133,
+		"file_id":"26111d48-",
+		"mimeType":"image/png"
+	}`)
+	atts := extractAttachmentsFromRequestBody(body)
+	if len(atts) != 1 {
+		t.Fatalf("want 1 attachment, got %d: %v", len(atts), atts)
+	}
+	att := atts[0]
+	if att["kind"] != "image" {
+		t.Errorf("kind: want image, got %v", att["kind"])
+	}
+	if att["uri"] != "platform-pending:091a9180-/26111d48-" {
+		t.Errorf("uri: %v", att["uri"])
+	}
+	if att["mime_type"] != "image/png" {
+		t.Errorf("mime_type normalization (camelCase→snake_case) failed: %v", att["mime_type"])
+	}
+	if att["name"] != "pasted-2026-05-21T23-12-25-0-0.png" {
+		t.Errorf("name: %v", att["name"])
+	}
+	// camelCase `mimeType` MUST NOT leak into the projected envelope —
+	// only snake_case `mime_type` is the wire convention.
+	if _, present := att["mimeType"]; present {
+		t.Errorf("camelCase mimeType leaked into envelope: %v", att)
+	}
+	if _, present := att["file_id"]; present {
+		t.Errorf("file_id should not be surfaced on the attachment envelope (it's a canvas-internal id): %v", att)
+	}
+}
+
+func TestExtractAttachmentsFromRequestBody_FlatUpload_Audio(t *testing.T) {
+	body := []byte(`{"uri":"platform-pending:ws/file","name":"voice.mp3","file_id":"abc","mimeType":"audio/mpeg"}`)
+	atts := extractAttachmentsFromRequestBody(body)
+	if len(atts) != 1 || atts[0]["kind"] != "audio" {
+		t.Fatalf("want audio kind, got %v", atts)
+	}
+	if atts[0]["mime_type"] != "audio/mpeg" {
+		t.Errorf("mime_type: %v", atts[0]["mime_type"])
+	}
+}
+
+func TestExtractAttachmentsFromRequestBody_FlatUpload_Video(t *testing.T) {
+	body := []byte(`{"uri":"platform-pending:ws/file","name":"clip.mp4","file_id":"abc","mimeType":"video/mp4"}`)
+	atts := extractAttachmentsFromRequestBody(body)
+	if len(atts) != 1 || atts[0]["kind"] != "video" {
+		t.Fatalf("want video kind, got %v", atts)
+	}
+}
+
+func TestExtractAttachmentsFromRequestBody_FlatUpload_GenericFile(t *testing.T) {
+	// application/pdf has no image/audio/video prefix → kind=file
+	body := []byte(`{"uri":"platform-pending:ws/file","name":"doc.pdf","file_id":"abc","mimeType":"application/pdf"}`)
+	atts := extractAttachmentsFromRequestBody(body)
+	if len(atts) != 1 || atts[0]["kind"] != "file" {
+		t.Fatalf("want file kind, got %v", atts)
+	}
+}
+
+func TestExtractAttachmentsFromRequestBody_FlatUpload_NoMimeFallsToFile(t *testing.T) {
+	// No mimeType at all — kind defaults to "file", mime_type omitted.
+	body := []byte(`{"uri":"platform-pending:ws/file","name":"unknown.bin","file_id":"abc"}`)
+	atts := extractAttachmentsFromRequestBody(body)
+	if len(atts) != 1 {
+		t.Fatalf("want 1 attachment, got %d", len(atts))
+	}
+	if atts[0]["kind"] != "file" {
+		t.Errorf("kind: want file (default), got %v", atts[0]["kind"])
+	}
+	if _, present := atts[0]["mime_type"]; present {
+		t.Errorf("mime_type should be omitted when source has none, got %v", atts[0]["mime_type"])
+	}
+}
+
+func TestExtractAttachmentsFromRequestBody_FlatUpload_SnakeCaseMimeTypeAccepted(t *testing.T) {
+	// Defensive: a future canvas version (or non-canvas caller) that
+	// already emits snake_case mime_type should still be parsed.
+	body := []byte(`{"uri":"u","name":"n.png","mime_type":"image/png"}`)
+	atts := extractAttachmentsFromRequestBody(body)
+	if len(atts) != 1 {
+		t.Fatalf("want 1 attachment, got %d", len(atts))
+	}
+	if atts[0]["mime_type"] != "image/png" || atts[0]["kind"] != "image" {
+		t.Errorf("snake_case mime_type not honored: %v", atts[0])
+	}
+}
+
+func TestExtractAttachmentsFromRequestBody_FlatUpload_FileIDOnlyIsSkipped(t *testing.T) {
+	// file_id alone (no uri AND no name) is non-actionable — the
+	// downstream adaptor can't render a discoverable file from just an
+	// internal canvas id. Skip per the same minimum-info rule the
+	// message-parts arm applies to empty parts.
+	body := []byte(`{"file_id":"orphan-uuid","mimeType":"image/png"}`)
+	if got := extractAttachmentsFromRequestBody(body); got != nil {
+		t.Errorf("file_id-only manifest must be skipped, got %v", got)
+	}
+}
+
+func TestExtractAttachmentsFromRequestBody_FlatUpload_NameOnlyIsKept(t *testing.T) {
+	// Symmetric with the message-parts arm: a name without uri is still
+	// useful (the downstream adaptor can render "user uploaded foo.png").
+	body := []byte(`{"name":"only-name.bin","file_id":"abc","mimeType":"application/octet-stream"}`)
+	atts := extractAttachmentsFromRequestBody(body)
+	if len(atts) != 1 {
+		t.Fatalf("want 1 attachment, got %d", len(atts))
+	}
+	if atts[0]["name"] != "only-name.bin" {
+		t.Errorf("name not preserved: %v", atts[0])
+	}
+	if _, present := atts[0]["uri"]; present {
+		t.Errorf("uri should be omitted when absent in source, got %v", atts[0]["uri"])
+	}
+}
+
+func TestExtractAttachmentsFromRequestBody_MessagePartsTakesPrecedenceOverFlat(t *testing.T) {
+	// If a single request_body somehow has BOTH params.message.parts[]
+	// AND top-level uri/file_id (a pathological inbound), the
+	// message-parts arm wins — that's the documented inbound shape and
+	// it's been the only one historically extracted. The flat arm is a
+	// fallback for shapes that have NO parts.
+	body := []byte(`{
+		"uri":"platform-pending:should-not-win",
+		"file_id":"x",
+		"mimeType":"image/png",
+		"params":{"message":{"parts":[
+			{"kind":"file","file":{"uri":"workspace:should-win.pdf","mime_type":"application/pdf","name":"win.pdf"}}
+		]}}
+	}`)
+	atts := extractAttachmentsFromRequestBody(body)
+	if len(atts) != 1 {
+		t.Fatalf("want 1 attachment (from parts[]), got %d: %v", len(atts), atts)
+	}
+	if atts[0]["uri"] != "workspace:should-win.pdf" {
+		t.Errorf("message-parts arm did not take precedence: %v", atts[0])
+	}
+}
+
+func TestActivityList_IncludePeerInfo_ChatUploadReceiveCanvasRow(t *testing.T) {
+	// Wire-level integration: a canvas chat_upload_receive row (canvas
+	// user pasted an image) with source_id NULL (canvas message), flat
+	// upload manifest at request_body root. The `?include=peer_info`
+	// projection must surface attachments[] populated from the flat-
+	// upload-manifest arm while peer_name / peer_role / agent_card_url
+	// remain absent (canvas row has no peer).
+	mock := setupTestDB(t)
+	broadcaster := newTestBroadcaster()
+	handler := NewActivityHandler(broadcaster)
+
+	mock.ExpectQuery(`LEFT JOIN workspaces w ON w\.id = activity_logs\.source_id`).
+		WithArgs("ws-1", 100).
+		WillReturnRows(sqlmock.NewRows([]string{
+			"id", "workspace_id", "activity_type", "source_id", "target_id",
+			"method", "summary", "request_body", "response_body",
+			"tool_trace", "duration_ms", "status", "error_detail", "created_at",
+			"peer_name", "peer_role",
+		}).
+			// Empirical shape from 2026-05-21 ~23:12Z agents-team canvas paste.
+			AddRow("act-upload", "ws-1", "chat_upload_receive", nil, "ws-1",
+				"chat_upload_receive", "Canvas upload: pasted-2026-05-21T23-12-25-0-0.png",
+				[]byte(`{
+					"uri":"platform-pending:091a9180-b303-4a20-aefe-3a4a675b8aa4/26111d48-aaaa-bbbb-cccc-dddddddddddd",
+					"name":"pasted-2026-05-21T23-12-25-0-0.png",
+					"size":677133,
+					"file_id":"26111d48-aaaa-bbbb-cccc-dddddddddddd",
+					"mimeType":"image/png"
+				}`),
+				nil, nil, nil, "ok", nil, time.Now(),
+				nil, nil))
+
+	gin.SetMode(gin.TestMode)
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: "ws-1"}}
+	c.Request = httptest.NewRequest("GET", "/workspaces/ws-1/activity?include=peer_info", nil)
+	handler.List(c)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var resp []map[string]interface{}
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("parse: %v", err)
+	}
+	if len(resp) != 1 {
+		t.Fatalf("want 1 row, got %d", len(resp))
+	}
+	r := resp[0]
+	// Canvas row → no peer fields.
+	for _, k := range []string{"peer_name", "peer_role", "agent_card_url"} {
+		if _, present := r[k]; present {
+			t.Errorf("%s must NOT appear on canvas upload row; got %v", k, r[k])
+		}
+	}
+	// attachments[] populated from the flat-upload arm.
+	atts, ok := r["attachments"].([]interface{})
+	if !ok {
+		t.Fatalf("attachments missing or wrong type: %T %v", r["attachments"], r["attachments"])
+	}
+	if len(atts) != 1 {
+		t.Fatalf("want 1 attachment from flat manifest, got %d: %v", len(atts), atts)
+	}
+	att := atts[0].(map[string]interface{})
+	if att["kind"] != "image" {
+		t.Errorf("kind: want image (image/png prefix), got %v", att["kind"])
+	}
+	if att["mime_type"] != "image/png" {
+		t.Errorf("mime_type wire shape: want snake_case image/png, got %v", att["mime_type"])
+	}
+	if att["uri"] != "platform-pending:091a9180-b303-4a20-aefe-3a4a675b8aa4/26111d48-aaaa-bbbb-cccc-dddddddddddd" {
+		t.Errorf("uri preserved verbatim: got %v", att["uri"])
+	}
+	if att["name"] != "pasted-2026-05-21T23-12-25-0-0.png" {
+		t.Errorf("name: %v", att["name"])
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Fatalf("unmet expectations: %v", err)
+	}
+}
+
+// Sanity test using the existing test broadcaster setup — verifies the
+// extractAttachments helper round-trips through json.Marshal cleanly
+// (no map ordering issues, no type-coercion surprises).
+func TestExtractAttachmentsFromRequestBody_RoundTripsThroughJSON(t *testing.T) {
+	body := []byte(`{"params":{"message":{"parts":[{"kind":"file","file":{"uri":"workspace:r.bin","mime_type":"application/octet-stream","name":"r.bin"}}]}}}`)
+	atts := extractAttachmentsFromRequestBody(body)
+	b, err := json.Marshal(atts)
+	if err != nil {
+		t.Fatalf("marshal: %v", err)
+	}
+	var decoded []map[string]interface{}
+	if err := json.Unmarshal(b, &decoded); err != nil {
+		t.Fatalf("unmarshal: %v", err)
+	}
+	if len(decoded) != 1 || decoded[0]["uri"] != "workspace:r.bin" {
+		t.Fatalf("round-trip mismatch: %v", decoded)
+	}
+	_ = fmt.Sprintf // keep fmt import live if test trimming removes usage
+}
@@ -0,0 +1,72 @@
+package handlers
+
+import (
+	"database/sql"
+	"fmt"
+	"log"
+	"net/http"
+
+	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
+	"github.com/Molecule-AI/molecule-monorepo/platform/internal/wsauth"
+	"github.com/gin-gonic/gin"
+)
+
+// AdminWorkspaceTokenHandler lets tenant admins mint the first workspace
+// bearer for managed SaaS workspaces whose runtime receives its token later
+// through registry registration.
+type AdminWorkspaceTokenHandler struct{}
+
+func NewAdminWorkspaceTokenHandler() *AdminWorkspaceTokenHandler {
+	return &AdminWorkspaceTokenHandler{}
+}
+
+// Create handles POST /admin/workspaces/:id/tokens. The route must be mounted
+// behind AdminAuth; the plaintext token is returned exactly once.
+func (h *AdminWorkspaceTokenHandler) Create(c *gin.Context) {
+	workspaceID := c.Param("id")
+	if !validWorkspaceID(workspaceID) {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid workspace id"})
+		return
+	}
+
+	var existing string
+	err := db.DB.QueryRowContext(c.Request.Context(),
+		`SELECT id FROM workspaces WHERE id = $1 AND status <> 'removed'`,
+		workspaceID).Scan(&existing)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			c.JSON(http.StatusNotFound, gin.H{"error": "workspace not found"})
+			return
+		}
+		log.Printf("admin workspace tokens: workspace lookup failed for %s: %v", workspaceID, err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "workspace lookup failed"})
+		return
+	}
+
+	var count int
+	if err := db.DB.QueryRowContext(c.Request.Context(),
+		`SELECT COUNT(*) FROM workspace_auth_tokens WHERE workspace_id = $1 AND revoked_at IS NULL`,
+		workspaceID).Scan(&count); err != nil {
+		log.Printf("admin workspace tokens: count failed for %s: %v", workspaceID, err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to count tokens"})
+		return
+	}
+	if count >= maxTokensPerWorkspace {
+		c.JSON(http.StatusTooManyRequests, gin.H{"error": fmt.Sprintf("maximum %d active tokens per workspace", maxTokensPerWorkspace)})
+		return
+	}
+
+	token, err := wsauth.IssueToken(c.Request.Context(), db.DB, workspaceID)
+	if err != nil {
+		log.Printf("admin workspace tokens: issue failed for %s: %v", workspaceID, err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to create token"})
+		return
+	}
+
+	log.Printf("admin workspace tokens: issued token for workspace %s", workspaceID)
+	c.JSON(http.StatusCreated, gin.H{
+		"auth_token":   token,
+		"workspace_id": workspaceID,
+		"message":      "Save this token now — it cannot be retrieved again.",
+	})
+}
@@ -0,0 +1,102 @@
+package handlers
+
+import (
+	"encoding/json"
+	"errors"
+	"net/http"
+	"testing"
+
+	"github.com/DATA-DOG/go-sqlmock"
+	"github.com/gin-gonic/gin"
+)
+
+func TestAdminWorkspaceTokenHandler_Create_HappyPath(t *testing.T) {
+	mock, cleanup := withMockDB(t)
+	defer cleanup()
+
+	mock.ExpectQuery(`SELECT id FROM workspaces WHERE id = \$1 AND status <> 'removed'`).
+		WithArgs(wsUUID1).
+		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow(wsUUID1))
+	mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens`).
+		WithArgs(wsUUID1).
+		WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(0))
+	mock.ExpectExec(`INSERT INTO workspace_auth_tokens`).
+		WithArgs(wsUUID1, sqlmock.AnyArg(), sqlmock.AnyArg()).
+		WillReturnResult(sqlmock.NewResult(1, 1))
+
+	w := makeReq(t, NewAdminWorkspaceTokenHandler().Create, "POST",
+		"/admin/workspaces/"+wsUUID1+"/tokens", gin.Params{{Key: "id", Value: wsUUID1}})
+
+	if w.Code != http.StatusCreated {
+		t.Fatalf("expected 201, got %d: %s", w.Code, w.Body.String())
+	}
+	var body struct {
+		AuthToken   string `json:"auth_token"`
+		WorkspaceID string `json:"workspace_id"`
+	}
+	if err := json.Unmarshal(w.Body.Bytes(), &body); err != nil {
+		t.Fatalf("decode: %v", err)
+	}
+	if body.AuthToken == "" || body.WorkspaceID != wsUUID1 {
+		t.Fatalf("unexpected body: %+v", body)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet: %v", err)
+	}
+}
+
+func TestAdminWorkspaceTokenHandler_Create_MissingWorkspace(t *testing.T) {
+	mock, cleanup := withMockDB(t)
+	defer cleanup()
+
+	mock.ExpectQuery(`SELECT id FROM workspaces WHERE id = \$1 AND status <> 'removed'`).
+		WithArgs(wsUUID1).
+		WillReturnRows(sqlmock.NewRows([]string{"id"}))
+
+	w := makeReq(t, NewAdminWorkspaceTokenHandler().Create, "POST",
+		"/admin/workspaces/"+wsUUID1+"/tokens", gin.Params{{Key: "id", Value: wsUUID1}})
+
+	if w.Code != http.StatusNotFound {
+		t.Fatalf("expected 404, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestAdminWorkspaceTokenHandler_Create_RateLimited(t *testing.T) {
+	mock, cleanup := withMockDB(t)
+	defer cleanup()
+
+	mock.ExpectQuery(`SELECT id FROM workspaces WHERE id = \$1 AND status <> 'removed'`).
+		WithArgs(wsUUID1).
+		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow(wsUUID1))
+	mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens`).
+		WithArgs(wsUUID1).
+		WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(maxTokensPerWorkspace))
+
+	w := makeReq(t, NewAdminWorkspaceTokenHandler().Create, "POST",
+		"/admin/workspaces/"+wsUUID1+"/tokens", gin.Params{{Key: "id", Value: wsUUID1}})
+
+	if w.Code != http.StatusTooManyRequests {
+		t.Fatalf("expected 429, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestAdminWorkspaceTokenHandler_Create_IssueFails(t *testing.T) {
+	mock, cleanup := withMockDB(t)
+	defer cleanup()
+
+	mock.ExpectQuery(`SELECT id FROM workspaces WHERE id = \$1 AND status <> 'removed'`).
+		WithArgs(wsUUID1).
+		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow(wsUUID1))
+	mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens`).
+		WithArgs(wsUUID1).
+		WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(0))
+	mock.ExpectExec(`INSERT INTO workspace_auth_tokens`).
+		WillReturnError(errors.New("disk full"))
+
+	w := makeReq(t, NewAdminWorkspaceTokenHandler().Create, "POST",
+		"/admin/workspaces/"+wsUUID1+"/tokens", gin.Params{{Key: "id", Value: wsUUID1}})
+
+	if w.Code != http.StatusInternalServerError {
+		t.Fatalf("expected 500, got %d: %s", w.Code, w.Body.String())
+	}
+}
@@ -216,74 +216,107 @@ curl -fsS -X POST "{{PLATFORM_URL}}/registry/register" \
 const externalChannelTemplate = `# Claude Code channel — bridges this workspace's A2A traffic into your
 # Claude Code session. No tunnel/public URL needed (polling-based).
 #
-# Prereq: Bun installed (channel plugins are Bun scripts).
-#   bun --version    # must print a version number
+# Prereq: Bun 1.3+ installed (channel plugins are Bun scripts).
+#   bun --version    # must print a version (1.3.x or newer)
 #
-# 1. Inside Claude Code, install the channel plugin from its GitHub repo.
-#    The plugin is NOT on Anthropic's default allowlist, so a one-time
-#    marketplace-add is needed before install:
+# 1. Inside Claude Code, install the channel plugin. The plugin lives in
+#    Molecule's own Gitea marketplace (not Anthropic's default), so a
+#    one-time marketplace-add is needed before install:
 #
 #      /plugin marketplace add https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel.git
 #      /plugin install molecule@molecule-channel
 #
-#    Then either run /reload-plugins or restart Claude Code so the
-#    plugin is registered.
+#    Then /reload-plugins (or restart Claude Code) so the plugin is
+#    registered.
 #
-# 2. Create the per-watched-workspace config file:
+# 2. Create (or extend) the per-host config file. The canonical SSOT
+#    shape is MOLECULE_WORKSPACES_JSON — a JSON array of
+#    {id, token, platform_url} objects. One plugin instance can watch
+#    many workspaces across many tenants; append more objects to the
+#    array (separate them with commas, NOT a newline):
 mkdir -p ~/.claude/channels/molecule
 cat > ~/.claude/channels/molecule/.env <<'EOF'
-MOLECULE_PLATFORM_URL={{PLATFORM_URL}}
-MOLECULE_WORKSPACE_IDS={{WORKSPACE_ID}}
-MOLECULE_WORKSPACE_TOKENS=<paste auth_token from create response>
+MOLECULE_WORKSPACES_JSON=[{"id":"{{WORKSPACE_ID}}","token":"<paste auth_token from create response>","platform_url":"{{PLATFORM_URL}}"}]
 EOF
 chmod 600 ~/.claude/channels/molecule/.env

-# 3. Launch Claude Code with the channel enabled. Custom (non-Anthropic-
-#    allowlisted) channels need the --dangerously-load-development-channels
-#    flag to opt in — without it, you'll see "not on the approved channels
-#    allowlist" on startup.
-claude --dangerously-load-development-channels \
-  --channels plugin:molecule@molecule-channel
+# (Legacy single-platform shape — MOLECULE_PLATFORM_URL + comma-separated
+# MOLECULE_WORKSPACE_IDS + MOLECULE_WORKSPACE_TOKENS — is still supported
+# for back-compat but does NOT work across multiple tenant URLs. Use
+# MOLECULE_WORKSPACES_JSON above unless you have a specific reason.)
+
+# 3. Launch Claude Code with the channel enabled. The channel spec is the
+#    VALUE of --dangerously-load-development-channels — NOT a separate
+#    --channels flag (that flag does not exist in current Claude Code;
+#    passing it errors with "entries must be tagged: --channels").
+claude --dangerously-load-development-channels plugin:molecule@molecule-channel

 # You should see on stderr:
-#   molecule channel: connected — watching 1 workspace(s) at {{PLATFORM_URL}}
+#   molecule channel: connected — watching N workspace(s) across M platform(s)
+#     targets: <platform_url>: <workspace_id>
 #
-# Inbound A2A messages now surface as conversation turns. Claude's
-# replies route back via the reply_to_workspace MCP tool — no extra
-# wiring on your side.
+# Inbound A2A messages now surface as conversation turns (synthetic
+# <channel ...> tags). Claude's replies route back via the
+# reply_to_workspace / send_message_to_user MCP tools.
+#
+# Multi-workspace note: when watching more than one workspace, every
+# outbound tool call (send_message_to_user, reply_to_workspace,
+# delegate_task, list_peers) MUST pass _as_workspace=<id> so the plugin
+# knows which token to authenticate with. The host returns -32603 if you
+# forget — the synthetic <channel> tag's "watching_as" attribute tells
+# you which id to use.
 #
 # Common errors:
-#   "plugin not installed"            → Step 1 didn't run; run /plugin install
+#   "plugin not installed"            → Step 1 didn't run; run /plugin
+#                                       marketplace add + /plugin install
 #                                       inside Claude Code, then /reload-plugins.
-#   "not on approved channels allowlist" → Add --dangerously-load-development-channels
-#                                       to the launch command (Step 3).
-#   "config-missing"                  → ~/.claude/channels/molecule/.env not
-#                                       readable; re-run Step 2 and check chmod.
+#   "entries must be tagged"          → You passed --channels separately.
+#                                       Put plugin:molecule@molecule-channel
+#                                       directly after
+#                                       --dangerously-load-development-channels.
+#   "not on approved channels allowlist" → Org policy gating. See "managed
+#                                       settings" note below.
+#   "config-missing"                  → ~/.claude/channels/molecule/.env
+#                                       not readable; re-run Step 2 and check
+#                                       chmod 600.
 #
-# Team/Enterprise orgs: the --dangerously-load-development-channels flag is
-# blocked by managed settings. Your admin must set channelsEnabled=true and
-# add the plugin to allowedChannelPlugins in claude.ai admin settings.
+# Team/Enterprise plans: the channel allowlist is gated by org policy
+# AND must be written to the local managed-settings.json file on disk
+# (not the claude.ai web admin UI — there is no web toggle for this).
+# Path per OS:
+#   macOS:   /Library/Application Support/ClaudeCode/managed-settings.json
+#   Linux:   /etc/claude-code/managed-settings.json
+#   Windows: C:\ProgramData\ClaudeCode\managed-settings.json
+# Set channelsEnabled: true and add
+#   { "plugin": "molecule", "marketplace": "molecule-channel" }
+# to allowedChannelPlugins. Restart Claude Code after writing the file.
+# A user-level ~/.claude/settings.json does NOT work on Team/Enterprise
+# — this is the single most common reason a freshly-installed plugin
+# appears to do nothing.
 #
-# Multi-workspace: comma-separate IDs and tokens (same order). See
-# https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel for
-# pairing flow, push-mode upgrade, and v0.2 roadmap.
+# Pro/Max plans skip the channelsEnabled gate but still need the
+# allowedChannelPlugins entry in the managed-settings file.

 # Need help?
 #   Documentation: https://doc.moleculesai.app/docs/guides/claude-code-channel-plugin
+#   Full README:   https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel
 #   Common errors:
 #     • "plugin not installed" — run /plugin marketplace add then
 #       /plugin install lines above; /reload-plugins or restart.
+#     • "entries must be tagged: --channels" — the launch flag form
+#       changed; use --dangerously-load-development-channels plugin:molecule@molecule-channel
+#       (channel spec is the VALUE, not a separate --channels flag).
 #     • "not on the approved channels allowlist" — custom channels need
-#       --dangerously-load-development-channels; team/enterprise orgs
-#       need admin to set channelsEnabled + allowedChannelPlugins.
+#       allowedChannelPlugins in /Library/Application Support/ClaudeCode/managed-settings.json
+#       (macOS) / equivalent on Linux+Windows. NOT a web setting.
 #     • "Inbound messages not arriving" — stderr should show
 #       "molecule channel: connected — watching N workspace(s)";
-#       verify ~/.claude/channels/molecule/.env has PLATFORM_URL + token.
+#       verify ~/.claude/channels/molecule/.env shape is MOLECULE_WORKSPACES_JSON.
 `

 // externalUniversalMcpTemplate — runtime-agnostic standalone path.
 // Ships as the `molecule-mcp` console script in the
-// molecule-ai-workspace-runtime PyPI wheel (workspace/mcp_cli.py).
+// molecule-ai-workspace-runtime wheel published to the Gitea package registry.
 // Any MCP-aware runtime (Claude Code, hermes, codex, third-party)
 // registers it once and gets the same 8 universal tools that
 // container-bound runtimes use today: delegate_task, list_peers,
@@ -322,7 +355,7 @@ const externalUniversalMcpTemplate = `# Universal MCP — standalone register +

 # 1. Install the workspace runtime wheel (once per machine — safe to
 #    re-run; subsequent workspaces share the same wheel):
-pip install molecule-ai-workspace-runtime
+pip install --index-url https://git.moleculesai.app/api/packages/molecule-ai/pypi/simple/ molecule-ai-workspace-runtime

 # 2. Wire molecule-mcp into your agent's MCP config. Claude Code:
 #    NOTE the server name is workspace-specific ("{{MCP_SERVER_NAME}}") so
@@ -344,7 +377,7 @@ claude mcp add {{MCP_SERVER_NAME}} -s user -- env \
 # needed when calling tools through the MCP server.

 # Need help?
-#   Where to install: https://pypi.org/project/molecule-ai-workspace-runtime/
+#   Where to install: https://git.moleculesai.app/api/packages/molecule-ai/pypi/simple/molecule-ai-workspace-runtime/
 #   Documentation: https://doc.moleculesai.app/docs/guides/mcp-server-setup
 #   Common errors:
 #     • "Tools not appearing in your agent" — run ` + "`claude mcp list`" + ` (or
@@ -359,8 +392,8 @@ claude mcp add {{MCP_SERVER_NAME}} -s user -- env \
 `

 // externalPythonTemplate uses molecule-sdk-python's RemoteAgentClient +
-// A2AServer (PR #13 in that repo). Until the SDK cuts a v0.y release
-// to PyPI the snippet pins git+main.
+// A2AServer. Until the SDK is published to the Gitea package registry the
+// snippet pins git+main.
 const externalPythonTemplate = `# pip install 'git+https://git.moleculesai.app/molecule-ai/molecule-sdk-python.git@main'

 import asyncio
@@ -396,7 +429,7 @@ if __name__ == "__main__":
    asyncio.run(main())

 # Need help?
-#   Where to install: https://pypi.org/project/molecule-ai-workspace-runtime/
+#   Where to install: https://git.moleculesai.app/api/packages/molecule-ai/pypi/simple/molecule-ai-workspace-runtime/
 #   Documentation: https://doc.moleculesai.app/docs/guides/external-agent-registration
 #   Common errors:
 #     • 401 from /heartbeat — AUTH_TOKEN expired or wrong workspace_id.
@@ -445,7 +478,7 @@ const externalHermesChannelTemplate = `# Hermes channel — bridges this workspa
 # also supported via the plugin's dual-mode fallback.
 #
 # 1. Install the runtime + plugin:
-pip install molecule-ai-workspace-runtime
+pip install --index-url https://git.moleculesai.app/api/packages/molecule-ai/pypi/simple/ molecule-ai-workspace-runtime
 pip install 'git+https://git.moleculesai.app/molecule-ai/hermes-channel-molecule.git'

 # 2. Export the workspace credentials:
@@ -528,7 +561,7 @@ const externalCodexTemplate = `# Codex external setup — outbound tools (MCP) +

 # 1. Install codex CLI, the workspace runtime, and the bridge daemon:
 npm install -g @openai/codex@latest
-pip install molecule-ai-workspace-runtime
+pip install --index-url https://git.moleculesai.app/api/packages/molecule-ai/pypi/simple/ molecule-ai-workspace-runtime
 pip install codex-channel-molecule

 # 2. Wire the molecule MCP server into codex's config.toml — this is
@@ -620,7 +653,7 @@ const externalKimiTemplate = `# Kimi CLI external setup — register + heartbeat
 # No public URL needed; runs behind NAT in poll mode.

 # 1. Install the workspace runtime wheel (provides HTTP client):
-pip install molecule-ai-workspace-runtime
+pip install --index-url https://git.moleculesai.app/api/packages/molecule-ai/pypi/simple/ molecule-ai-workspace-runtime

 # 2. Save credentials and the bridge script:
 mkdir -p ~/.molecule-ai/kimi-{{MCP_SERVER_NAME}}
@@ -670,7 +703,15 @@ def heartbeat(client, url, ws, tok, start):
    r.raise_for_status()

 def poll_inbound(client, url, ws, tok, since_id):
-    params = {"since_secs": "30", "limit": "50"}
+    # include=peer_info opts into Layer 1's row-level projection so each
+    # polled activity carries peer_name, peer_role, agent_card_url, and
+    # attachments[] inline (when source_id resolves to a peer / when the
+    # message included a file). Pre-Layer-1 platforms ignore unknown query
+    # params and return the bare row shape, so this is back-compat. Use
+    # the extra fields in your reply logic — e.g. address the sender by
+    # peer_name rather than UUID, or Read attached files via the workspace:
+    # URIs in attachments[].
+    params = {"since_secs": "30", "limit": "50", "include": "peer_info"}
    if since_id:
        params["since_id"] = since_id
    r = client.get(f"{url}/workspaces/{ws}/activity", params=params, headers=hdrs(url, tok))
@@ -737,10 +778,16 @@ python3 ~/.molecule-ai/kimi-{{MCP_SERVER_NAME}}/kimi_bridge.py
 # What the script does:
 #   • Registers the workspace in poll mode (no public URL needed)
 #   • Heartbeats every 20s to keep STATUS = online on the canvas
-#   • Polls /workspaces/:id/activity every 5s for new canvas messages
+#   • Polls /workspaces/:id/activity?include=peer_info every 5s — Layer 1
+#     enrichment surfaces peer_name / peer_role / agent_card_url /
+#     attachments[] inline on each polled row when applicable
 #   • Echo-replies via POST /workspaces/:id/notify
 #
 # To change the reply logic, edit the send_reply() call inside the loop.
+# Each polled item has top-level peer_name / peer_role / agent_card_url
+# fields (peer_agent rows) and attachments[] (any kind) when Layer 1 is
+# enabled on the platform — use them to disambiguate senders and to Read
+# attached files via the workspace: URIs.
 # To send a one-off reply from another terminal:
 #   curl -fsS -X POST "{{PLATFORM_URL}}/workspaces/{{WORKSPACE_ID}}/notify" \
 #     -H "Authorization: Bearer $(cat ~/.molecule-ai/kimi-{{MCP_SERVER_NAME}}/env | grep TOKEN | cut -d= -f2)" \
@@ -779,7 +826,7 @@ const externalOpenClawTemplate = `# OpenClaw MCP config — outbound tool path.
 #    (register-on-startup + 20s heartbeat). Older versions only ship
 #    a2a_mcp_server which does not heartbeat.
 npm install -g openclaw@latest
-pip install "molecule-ai-workspace-runtime>=0.1.999"
+pip install --index-url https://git.moleculesai.app/api/packages/molecule-ai/pypi/simple/ "molecule-ai-workspace-runtime>=0.1.999"

 # 2. Onboard openclaw against your model provider (one-time setup).
 #    --non-interactive needs an explicit --provider + --model so it
@@ -118,3 +118,86 @@ func TestExternalTemplates_NoBrokenMoleculeAIGitHubURLs(t *testing.T) {
 		}
 	}
 }
+
+// TestExternalChannelTemplate_LaunchFlagShape pins the Claude Code channel
+// snippet to the working launch invocation. The channel spec must be the
+// VALUE of --dangerously-load-development-channels, NOT a separate
+// --channels flag. The two-flag form (`--dangerously-load-development-channels
+// --channels plugin:molecule@...`) errors with "entries must be tagged:
+// --channels" on current Claude Code builds (2.1.143+) and silently no-ops
+// on older ones — either way, new users hit a wall on first launch.
+//
+// Empirical: hit by a session walking through this exact snippet 2026-05-21;
+// the broken form was copy-pasted from this template, ran, errored, and
+// confused the operator into believing the plugin install was broken when
+// the snippet itself was the bug.
+func TestExternalChannelTemplate_LaunchFlagShape(t *testing.T) {
+	// The broken two-flag form. If this string ever appears in the
+	// snippet again, the same onboarding pothole returns.
+	bannedFormBroken := "--dangerously-load-development-channels \\\n  --channels plugin:molecule@molecule-channel"
+	if strings.Contains(externalChannelTemplate, bannedFormBroken) {
+		t.Errorf("externalChannelTemplate contains the broken two-flag launch form. " +
+			"Use --dangerously-load-development-channels plugin:molecule@molecule-channel (spec as value, not a separate --channels flag).")
+	}
+
+	// The single-flag form must be present.
+	requiredFormGood := "--dangerously-load-development-channels plugin:molecule@molecule-channel"
+	if !strings.Contains(externalChannelTemplate, requiredFormGood) {
+		t.Errorf("externalChannelTemplate must contain %q so operators see the working launch invocation", requiredFormGood)
+	}
+}
+
+// TestExternalChannelTemplate_CanonicalEnvShape pins the canvas-served
+// .env example to the canonical SSOT shape (MOLECULE_WORKSPACES_JSON)
+// rather than the legacy single-platform shape. The legacy form
+// (MOLECULE_PLATFORM_URL + comma-separated IDs/TOKENS) is still accepted
+// by the channel plugin's parseWorkspaceTargets but is single-tenant
+// only — it silently fails to onboard users who want to watch multiple
+// platforms (e.g. hongming + agents-team from the same plugin instance),
+// which is the post-PR#15 expected use case.
+func TestExternalChannelTemplate_CanonicalEnvShape(t *testing.T) {
+	if !strings.Contains(externalChannelTemplate, "MOLECULE_WORKSPACES_JSON=") {
+		t.Errorf("externalChannelTemplate must use MOLECULE_WORKSPACES_JSON as the canonical .env shape (the post-PR#15 SSOT)")
+	}
+	// The JSON example must contain the workspace_id + platform_url placeholders
+	// so the canvas substitutes them at serve time.
+	for _, ph := range []string{"{{WORKSPACE_ID}}", "{{PLATFORM_URL}}"} {
+		if !strings.Contains(externalChannelTemplate, ph) {
+			t.Errorf("externalChannelTemplate must contain placeholder %q so the canvas substitutes per-workspace values", ph)
+		}
+	}
+}
+
+// TestPollingTemplates_OptIntoPeerInfo pins the invariant that any template
+// which calls /workspaces/:id/activity for inbound delivery requests the
+// Layer 1 enrichment via ?include=peer_info. Without this opt-in, the
+// platform returns bare activity rows and the operator's bridge / channel
+// loses peer_name / peer_role / agent_card_url / attachments[] — they're
+// available on the server but not delivered.
+//
+// Pre-Layer-1 platforms ignore unknown query params (HTTP spec: filters
+// not understood are dropped), so this is back-compat across deploys.
+//
+// The Claude Code channel template doesn't include the poll URL in this
+// snippet — its polling lives in the plugin's own server.ts (handled by
+// molecule-mcp-claude-channel PR#21). The Kimi template DOES include a
+// poll loop in its kimi_bridge.py block, so the invariant applies there.
+func TestPollingTemplates_OptIntoPeerInfo(t *testing.T) {
+	pollingTemplates := map[string]string{
+		"externalKimiTemplate": externalKimiTemplate,
+	}
+	for name, body := range pollingTemplates {
+		// If the snippet polls /activity, it must opt into peer_info.
+		// The detection is intentionally loose ("/activity" appears in
+		// the script) — operators who customize the script keep the
+		// invariant only if the include hint is in the template.
+		if !strings.Contains(body, "/activity") {
+			t.Errorf("%s no longer polls /activity — review whether this test still applies", name)
+			continue
+		}
+		if !strings.Contains(body, `"include": "peer_info"`) && !strings.Contains(body, "include=peer_info") {
+			t.Errorf("%s polls /activity without ?include=peer_info — operators lose Layer 1 enrichment "+
+				"(peer_name / peer_role / agent_card_url / attachments[]). Add the param to the poll URL.", name)
+		}
+	}
+}
@@ -159,7 +159,8 @@ func generateAppInstallationToken() (string, time.Time, error) {
 	req, _ := http.NewRequest("POST", fmt.Sprintf("https://api.github.com/app/installations/%d/access_tokens", installID), nil)
 	req.Header.Set("Authorization", "Bearer "+signed)
 	req.Header.Set("Accept", "application/vnd.github+json")
-	resp, err := http.DefaultClient.Do(req)
+	client := &http.Client{Timeout: 30 * time.Second}
+	resp, err := client.Do(req)
 	if err != nil {
 		return "", time.Time{}, err
 	}
@@ -33,7 +33,7 @@ func TestWorkspaceCreate_WithParentID(t *testing.T) {
 	// Default tier is 3 (Privileged) — see workspace.go create-handler comment.
 	// delivery_mode defaults to "push" when payload omits it (#2339).
 	mock.ExpectExec("INSERT INTO workspaces").
-		WithArgs(sqlmock.AnyArg(), "Child Agent", nil, 3, "langgraph", sqlmock.AnyArg(), &parentID, nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+		WithArgs(sqlmock.AnyArg(), "Child Agent", nil, 3, "langgraph", sqlmock.AnyArg(), &parentID, nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push", (*string)(nil), (*int)(nil)).
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectCommit()
 	mock.ExpectExec("INSERT INTO canvas_layouts").
@@ -69,7 +69,7 @@ func TestWorkspaceCreate_ExplicitClaudeCodeRuntime(t *testing.T) {
 	mock.ExpectBegin()
 	// delivery_mode defaults to "push" when payload omits it (#2339).
 	mock.ExpectExec("INSERT INTO workspaces").
-		WithArgs(sqlmock.AnyArg(), "CC Agent", nil, 2, "claude-code", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+		WithArgs(sqlmock.AnyArg(), "CC Agent", nil, 2, "claude-code", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push", (*string)(nil), (*int)(nil)).
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectCommit()
 	mock.ExpectExec("INSERT INTO canvas_layouts").
@@ -291,7 +291,7 @@ func TestWorkspaceCreate_MaxConcurrentTasksOverride(t *testing.T) {

 	mock.ExpectBegin()
 	mock.ExpectExec("INSERT INTO workspaces").
-		WithArgs(sqlmock.AnyArg(), "Leader Agent", nil, 3, "claude-code", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), 3, "push").
+		WithArgs(sqlmock.AnyArg(), "Leader Agent", nil, 3, "claude-code", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), 3, "push", (*string)(nil), (*int)(nil)).
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectCommit()
 	mock.ExpectExec("INSERT INTO canvas_layouts").
@@ -368,7 +368,7 @@ func TestWorkspaceCreate(t *testing.T) {
 	// Default tier is 3 (Privileged) — see workspace.go create-handler comment.
 	// delivery_mode defaults to "push" when payload omits it (#2339).
 	mock.ExpectExec("INSERT INTO workspaces").
-		WithArgs(sqlmock.AnyArg(), "Test Agent", nil, 3, "langgraph", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+		WithArgs(sqlmock.AnyArg(), "Test Agent", nil, 3, "langgraph", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push", (*string)(nil), (*int)(nil)).
 		WillReturnResult(sqlmock.NewResult(0, 1))

 	// Expect transaction commit (no secrets in this payload)
@@ -84,6 +84,7 @@ type mcpTool struct {
 type MCPHandler struct {
 	database    *sql.DB
 	broadcaster *events.Broadcaster
+	a2aProxy    func(ctx context.Context, workspaceID string, body []byte, callerID string, logActivity bool) (int, []byte, error)

 	// memv2 is the v2 memory plugin wiring (RFC #2728). nil-safe:
 	// every v2 tool calls memoryV2Available() first and returns a
@@ -98,6 +99,14 @@ func NewMCPHandler(database *sql.DB, broadcaster *events.Broadcaster) *MCPHandle
 	return &MCPHandler{database: database, broadcaster: broadcaster}
 }

+func (h *MCPHandler) proxyA2ARequest(ctx context.Context, workspaceID string, body []byte, callerID string, logActivity bool) (int, []byte, error) {
+	if h.a2aProxy != nil {
+		return h.a2aProxy(ctx, workspaceID, body, callerID, logActivity)
+	}
+	wh := NewWorkspaceHandler(h.broadcaster, nil, "", "")
+	return wh.ProxyA2ARequest(ctx, workspaceID, body, callerID, logActivity)
+}
+
 // ─────────────────────────────────────────────────────────────────────────────
 // Tool definitions (mirrors workspace/a2a_mcp_server.py TOOLS list)
 // ─────────────────────────────────────────────────────────────────────────────
@@ -53,6 +53,15 @@ func mcpPost(t *testing.T, h *MCPHandler, workspaceID string, body interface{})
 	return w
 }

+func expectCanCommunicateSiblings(mock sqlmock.Sqlmock, callerID, targetID, parentID string) {
+	mock.ExpectQuery(`SELECT id, parent_id FROM workspaces WHERE id = \$1`).
+		WithArgs(callerID).
+		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow(callerID, parentID))
+	mock.ExpectQuery(`SELECT id, parent_id FROM workspaces WHERE id = \$1`).
+		WithArgs(targetID).
+		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow(targetID, parentID))
+}
+
 // ─────────────────────────────────────────────────────────────────────────────
 // initialize
 // ─────────────────────────────────────────────────────────────────────────────
@@ -178,6 +187,98 @@ func TestMCPHandler_ToolsList_ContainsExpectedTools(t *testing.T) {
 	}
 }

+func TestMCPHandler_DelegateTask_RoutesThroughPlatformA2AProxy(t *testing.T) {
+	h, mock := newMCPHandler(t)
+	callerID := "11111111-1111-1111-1111-111111111111"
+	targetID := "22222222-2222-2222-2222-222222222222"
+	parentID := "33333333-3333-3333-3333-333333333333"
+
+	expectCanCommunicateSiblings(mock, callerID, targetID, parentID)
+	mock.ExpectExec(`(?s)INSERT INTO activity_logs.*'delegation'.*'delegate'`).
+		WithArgs(callerID, callerID, targetID, "Delegating to "+targetID, sqlmock.AnyArg()).
+		WillReturnResult(sqlmock.NewResult(1, 1))
+	mock.ExpectExec(`UPDATE activity_logs`).
+		WithArgs("dispatched", "", callerID, sqlmock.AnyArg()).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	var gotTarget, gotCaller string
+	h.a2aProxy = func(ctx context.Context, workspaceID string, body []byte, callerID string, logActivity bool) (int, []byte, error) {
+		gotTarget = workspaceID
+		gotCaller = callerID
+		if !logActivity {
+			t.Fatal("delegate_task should log through platform A2A proxy")
+		}
+		if !strings.Contains(string(body), "do work") {
+			t.Fatalf("A2A body missing task text: %s", string(body))
+		}
+		return 200, []byte(`{"result":{"message":{"parts":[{"text":"done"}]}}}`), nil
+	}
+
+	out, err := h.toolDelegateTask(context.Background(), callerID, map[string]interface{}{
+		"workspace_id": targetID,
+		"task":         "do work",
+	}, mcpCallTimeout)
+	if err != nil {
+		t.Fatalf("delegate_task returned error: %v", err)
+	}
+	if out != "done" {
+		t.Fatalf("delegate_task response = %q, want done", out)
+	}
+	if gotTarget != targetID || gotCaller != callerID {
+		t.Fatalf("proxy called with target=%q caller=%q, want target=%q caller=%q", gotTarget, gotCaller, targetID, callerID)
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Fatalf("unmet expectations: %v", err)
+	}
+}
+
+func TestMCPHandler_DelegateTaskAsync_RoutesThroughPlatformA2AProxy(t *testing.T) {
+	h, mock := newMCPHandler(t)
+	callerID := "11111111-1111-1111-1111-111111111111"
+	targetID := "22222222-2222-2222-2222-222222222222"
+	parentID := "33333333-3333-3333-3333-333333333333"
+
+	expectCanCommunicateSiblings(mock, callerID, targetID, parentID)
+	mock.ExpectExec(`(?s)INSERT INTO activity_logs.*'delegation'.*'delegate'`).
+		WithArgs(callerID, callerID, targetID, "Delegating to "+targetID, sqlmock.AnyArg()).
+		WillReturnResult(sqlmock.NewResult(1, 1))
+	mock.ExpectExec(`UPDATE activity_logs`).
+		WithArgs("dispatched", "", callerID, sqlmock.AnyArg()).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	called := make(chan struct{}, 1)
+	h.a2aProxy = func(ctx context.Context, workspaceID string, body []byte, proxyCallerID string, logActivity bool) (int, []byte, error) {
+		if workspaceID != targetID || proxyCallerID != callerID {
+			t.Fatalf("unexpected proxy route target=%q caller=%q", workspaceID, proxyCallerID)
+		}
+		if !strings.Contains(string(body), "async work") {
+			t.Fatalf("A2A body missing task text: %s", string(body))
+		}
+		called <- struct{}{}
+		return 200, []byte(`{"result":{"message":{"parts":[{"text":"accepted"}]}}}`), nil
+	}
+
+	out, err := h.toolDelegateTaskAsync(context.Background(), callerID, map[string]interface{}{
+		"workspace_id": targetID,
+		"task":         "async work",
+	})
+	if err != nil {
+		t.Fatalf("delegate_task_async returned error: %v", err)
+	}
+	if !strings.Contains(out, `"status":"dispatched"`) {
+		t.Fatalf("delegate_task_async response = %s", out)
+	}
+	waitGlobalAsyncForTest()
+	select {
+	case <-called:
+	default:
+		t.Fatal("async delegate did not call platform A2A proxy")
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Fatalf("unmet expectations: %v", err)
+	}
+}
+
 // ─────────────────────────────────────────────────────────────────────────────
 // notifications/initialized
 // ─────────────────────────────────────────────────────────────────────────────
@@ -7,24 +7,19 @@ package handlers
 // and A2A response parsing helpers.

 import (
-	"bytes"
 	"context"
 	"database/sql"
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io"
 	"log"
-	"net/http"
 	"os"
-	"strings"
 	"time"

-	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
-	"github.com/Molecule-AI/molecule-monorepo/platform/internal/provisioner"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/registry"
 	"github.com/google/uuid"
 )
+
 // insertMCPDelegationRow writes a delegation activity row so the canvas
 // Agent Comms tab can show the task text for MCP-initiated delegations.
 // Mirrors insertDelegationRow (delegation.go) for the MCP tool path.
@@ -190,15 +185,6 @@ func (h *MCPHandler) toolDelegateTask(ctx context.Context, callerID string, args
 		// Non-fatal: still make the A2A call even if activity log write fails.
 	}

-	agentURL, err := mcpResolveURL(ctx, h.database, targetID)
-	if err != nil {
-		return "", err
-	}
-	// SSRF defence: reject private/metadata URLs before making outbound call.
-	if err := isSafeURL(agentURL); err != nil {
-		return "", fmt.Errorf("invalid workspace URL: %w", err)
-	}
-
 	a2aBody, err := json.Marshal(map[string]interface{}{
 		"jsonrpc": "2.0",
 		"id":      uuid.New().String(),
@@ -218,36 +204,17 @@ func (h *MCPHandler) toolDelegateTask(ctx context.Context, callerID string, args
 	reqCtx, cancel := context.WithTimeout(ctx, timeout)
 	defer cancel()

-	httpReq, err := http.NewRequestWithContext(reqCtx, "POST", agentURL+"/a2a", bytes.NewReader(a2aBody))
-	if err != nil {
-		return "", fmt.Errorf("failed to create request: %w", err)
-	}
-	httpReq.Header.Set("Content-Type", "application/json")
-	// X-Workspace-ID identifies this caller to the A2A proxy. The /workspaces/:id/a2a
-	// endpoint is intentionally outside WorkspaceAuth (agents do not hold bearer tokens
-	// to peer workspaces). Access control is enforced by CanCommunicate above, which
-	// already validated callerID → targetID before this request is constructed.
-	// callerID was authenticated by WorkspaceAuth on the MCP bridge entry point,
-	// so this header reflects a verified caller identity, not a spoofable value.
-	httpReq.Header.Set("X-Workspace-ID", callerID)
-
-	resp, err := http.DefaultClient.Do(httpReq)
+	status, body, err := h.proxyA2ARequest(reqCtx, targetID, a2aBody, callerID, true)
 	if err != nil {
 		updateMCPDelegationStatus(ctx, h.database, callerID, delegationID, "failed", err.Error())
-		return "", fmt.Errorf("A2A call failed: %w", err)
+		return "", fmt.Errorf("A2A proxy failed: %w", err)
+	}
+	if status < 200 || status >= 300 {
+		updateMCPDelegationStatus(ctx, h.database, callerID, delegationID, "failed", fmt.Sprintf("A2A proxy returned status %d", status))
+		return "", fmt.Errorf("A2A proxy returned status %d", status)
 	}
-	defer func() { _ = resp.Body.Close() }()
-
-	// A 200/500 from the peer still means the call was dispatched — only
-	// network errors are truly "failed". Status 'dispatched' is correct for
-	// any HTTP response (peer's A2A layer handles the actual processing).
 	updateMCPDelegationStatus(ctx, h.database, callerID, delegationID, "dispatched", "")

-	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
-	if err != nil {
-		return "", fmt.Errorf("failed to read response: %w", err)
-	}
-
 	return extractA2AText(body), nil
 }

@@ -278,24 +245,13 @@ func (h *MCPHandler) toolDelegateTaskAsync(ctx context.Context, callerID string,

 	// Fire and forget in a detached goroutine. Use a background context so
 	// the call is not cancelled when the HTTP request completes.
-	// RFC internal#524 Layer 1: globalGoAsync — the detached call reads
-	// db.DB (mcpResolveURL + updateMCPDelegationStatus) and must be
-	// drained by drainTestAsync before any t.Cleanup-driven db.DB swap.
+	// RFC internal#524 Layer 1: globalGoAsync — the detached call reads db.DB
+	// through the platform A2A proxy and must be drained by drainTestAsync
+	// before any t.Cleanup-driven db.DB swap.
 	globalGoAsync(func() {
 		bgCtx, cancel := context.WithTimeout(context.Background(), mcpAsyncCallTimeout)
 		defer cancel()

-		agentURL, err := mcpResolveURL(bgCtx, h.database, targetID)
-		if err != nil {
-			log.Printf("MCPHandler.delegate_task_async: resolve URL for %s: %v", targetID, err)
-			return
-		}
-		// SSRF defence: reject private/metadata URLs before making outbound call.
-		if err := isSafeURL(agentURL); err != nil {
-			log.Printf("MCPHandler.delegate_task_async: unsafe URL for %s: %v", targetID, err)
-			return
-		}
-
 		a2aBody, _ := json.Marshal(map[string]interface{}{
 			"jsonrpc": "2.0",
 			"id":      delegationID,
@@ -309,22 +265,15 @@ func (h *MCPHandler) toolDelegateTaskAsync(ctx context.Context, callerID string,
 			},
 		})

-		httpReq, err := http.NewRequestWithContext(bgCtx, "POST", agentURL+"/a2a", bytes.NewReader(a2aBody))
-		if err != nil {
-			log.Printf("MCPHandler.delegate_task_async: create request: %v", err)
+		status, _, err := h.proxyA2ARequest(bgCtx, targetID, a2aBody, callerID, true)
+		if err != nil || status < 200 || status >= 300 {
+			if err != nil {
+				log.Printf("MCPHandler.delegate_task_async: A2A proxy to %s: %v", targetID, err)
+			} else {
+				log.Printf("MCPHandler.delegate_task_async: A2A proxy to %s returned status %d", targetID, status)
+			}
 			return
 		}
-		httpReq.Header.Set("Content-Type", "application/json")
-		httpReq.Header.Set("X-Workspace-ID", callerID)
-
-		resp, err := http.DefaultClient.Do(httpReq)
-		if err != nil {
-			log.Printf("MCPHandler.delegate_task_async: A2A call to %s: %v", targetID, err)
-			return
-		}
-		defer func() { _ = resp.Body.Close() }()
-		// Drain response so the connection can be reused.
-		_, _ = io.Copy(io.Discard, resp.Body)
 	})

 	return fmt.Sprintf(`{"task_id":%q,"status":"dispatched","target_id":%q}`, delegationID, targetID), nil
@@ -405,7 +354,6 @@ func (h *MCPHandler) toolSendMessageToUser(ctx context.Context, workspaceID stri
 	return "Message sent.", nil
 }

-
 func (h *MCPHandler) toolCommitMemory(ctx context.Context, workspaceID string, args map[string]interface{}) (string, error) {
 	// PR-6 (RFC #2728) compat shim: when the v2 plugin is wired
 	// (MEMORY_PLUGIN_URL set), translate legacy scope→namespace and
@@ -534,56 +482,6 @@ func (h *MCPHandler) toolRecallMemory(ctx context.Context, workspaceID string, a
 // Helpers
 // ─────────────────────────────────────────────────────────────────────────────

-// mcpResolveURL returns a routable URL for a workspace's A2A server.
-//
-// Resolution order:
-//  1. Docker-internal URL cache (set by provisioner; correct when platform is in Docker)
-//  2. Redis URL cache
-//  3. DB `url` column fallback, with 127.0.0.1→Docker bridge rewrite when in Docker
-//
-// SECURITY (F1083 / #1130): all three paths run the returned URL through
-// validateAgentURL to block SSRF targets (private IPs, loopback, cloud metadata).
-func mcpResolveURL(ctx context.Context, database *sql.DB, workspaceID string) (string, error) {
-	if platformInDocker {
-		if url, err := db.GetCachedInternalURL(ctx, workspaceID); err == nil && url != "" {
-			if err := validateAgentURL(url); err != nil {
-				return "", fmt.Errorf("workspace %s: forbidden URL from internal cache: %w", workspaceID, err)
-			}
-			return url, nil
-		}
-	}
-	if url, err := db.GetCachedURL(ctx, workspaceID); err == nil && url != "" {
-		if platformInDocker && strings.HasPrefix(url, "http://127.0.0.1:") {
-			return provisioner.InternalURL(workspaceID), nil
-		}
-		if err := validateAgentURL(url); err != nil {
-			return "", fmt.Errorf("workspace %s: forbidden URL from Redis cache: %w", workspaceID, err)
-		}
-		return url, nil
-	}
-
-	var urlStr sql.NullString
-	var status string
-	if err := database.QueryRowContext(ctx,
-		`SELECT url, status FROM workspaces WHERE id = $1`, workspaceID,
-	).Scan(&urlStr, &status); err != nil {
-		if err == sql.ErrNoRows {
-			return "", fmt.Errorf("workspace %s not found", workspaceID)
-		}
-		return "", fmt.Errorf("workspace lookup failed: %w", err)
-	}
-	if !urlStr.Valid || urlStr.String == "" {
-		return "", fmt.Errorf("workspace %s has no URL (status: %s)", workspaceID, status)
-	}
-	if platformInDocker && strings.HasPrefix(urlStr.String, "http://127.0.0.1:") {
-		return provisioner.InternalURL(workspaceID), nil
-	}
-	if err := validateAgentURL(urlStr.String); err != nil {
-		return "", fmt.Errorf("workspace %s: forbidden URL from DB: %w", workspaceID, err)
-	}
-	return urlStr.String, nil
-}
-
 // extractA2AText extracts human-readable text from an A2A JSON-RPC response body.
 // Falls back to the raw JSON when no text part can be found.
 func extractA2AText(body []byte) string {
@@ -632,4 +530,3 @@ func extractA2AText(body []byte) string {
 	b, _ := json.Marshal(result)
 	return string(b)
 }
-
@@ -112,7 +112,7 @@ func (h *RegistryHandler) SetQueueDrainFunc(f QueueDrainFunc) {
 // Go's net.ParseIP.To4() before Contains() runs, so the IPv4 rules above
 // catch those without a separate entry.
 //
-// F1083/#1130 (SSRF on mcpResolveURL / a2a_proxy resolveAgentURL): in
+// F1083/#1130 (SSRF on direct A2A URL resolution): in
 // addition to blocking IP literals, DNS names are now resolved and each
 // returned IP is checked against the blocklist. This closes the gap where
 // an attacker could register agent.example.com pointing to 169.254.169.254.
@@ -214,6 +214,11 @@ func (h *WorkspaceHandler) Create(c *gin.Context) {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid workspace fields"})
 		return
 	}
+	// #1686 Phase 1: validate per-workspace compute overrides.
+	if err := models.ValidateComputeConfig(payload.Compute); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}

 	id := uuid.New().String()
 	awarenessNamespace := workspaceAwarenessNamespace(id)
@@ -398,11 +403,22 @@ func (h *WorkspaceHandler) Create(c *gin.Context) {
 	// double-click. Helper retries with " (2)", " (3)", … up to maxNameSuffix,
 	// returns the actually-persisted name (which we MUST thread back into
 	// payload + broadcast so the canvas displays what the DB has).
+	var computeInstanceType *string
+	var computeVolumeRootGB *int
+	if payload.Compute != nil {
+		if payload.Compute.InstanceType != "" {
+			computeInstanceType = &payload.Compute.InstanceType
+		}
+		if payload.Compute.Volume.RootGB != 0 {
+			computeVolumeRootGB = &payload.Compute.Volume.RootGB
+		}
+	}
+
 	const insertWorkspaceSQL = `
-		INSERT INTO workspaces (id, name, role, tier, runtime, awareness_namespace, status, parent_id, workspace_dir, workspace_access, budget_limit, max_concurrent_tasks, delivery_mode)
-		VALUES ($1, $2, $3, $4, $5, $6, 'provisioning', $7, $8, $9, $10, $11, $12)
+		INSERT INTO workspaces (id, name, role, tier, runtime, awareness_namespace, status, parent_id, workspace_dir, workspace_access, budget_limit, max_concurrent_tasks, delivery_mode, compute_instance_type, compute_volume_root_gb)
+		VALUES ($1, $2, $3, $4, $5, $6, 'provisioning', $7, $8, $9, $10, $11, $12, $13, $14)
 	`
-	insertArgs := []any{id, payload.Name, role, payload.Tier, payload.Runtime, awarenessNamespace, payload.ParentID, workspaceDir, workspaceAccess, payload.BudgetLimit, maxConcurrent, deliveryMode}
+	insertArgs := []any{id, payload.Name, role, payload.Tier, payload.Runtime, awarenessNamespace, payload.ParentID, workspaceDir, workspaceAccess, payload.BudgetLimit, maxConcurrent, deliveryMode, computeInstanceType, computeVolumeRootGB}
 	persistedName, currentTx, err := insertWorkspaceWithNameRetry(
 		ctx,
 		tx,
@@ -157,6 +157,8 @@ func TestWorkspaceBudget_Create_WithLimit(t *testing.T) {
 			&budgetVal,       // budget_limit ($10)
 			models.DefaultMaxConcurrentTasks, // max_concurrent_tasks default
 			"push",           // delivery_mode default (#2339)
+			(*string)(nil),   // compute_instance_type default
+			(*int)(nil),      // compute_volume_root_gb default
 		).
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectCommit()
@@ -309,9 +309,31 @@ func (h *WorkspaceHandler) buildProvisionerConfig(
 		// RuntimeImages[Runtime] :latest lookup, which is what the dead
 		// reader's sql.ErrNoRows path was producing already.
 		Image: "",
+		// Compute overrides (nullable — omitted = platform-managed default).
+		// Issue #1686 Phase 1.
+		InstanceType: extractComputeInstanceType(payload.Compute),
+		VolumeRootGB: extractComputeVolumeRootGB(payload.Compute),
 	}
 }

+// extractComputeInstanceType returns the instance type from a ComputeConfig,
+// or nil when cfg is nil or the field is empty.
+func extractComputeInstanceType(cfg *models.ComputeConfig) *string {
+	if cfg != nil && cfg.InstanceType != "" {
+		return &cfg.InstanceType
+	}
+	return nil
+}
+
+// extractComputeVolumeRootGB returns the root volume size from a ComputeConfig,
+// or nil when cfg is nil or the field is zero.
+func extractComputeVolumeRootGB(cfg *models.ComputeConfig) *int {
+	if cfg != nil && cfg.Volume.RootGB != 0 {
+		return &cfg.Volume.RootGB
+	}
+	return nil
+}
+
 // issueAndInjectToken rotates the workspace auth token and injects the
 // plaintext into cfg.ConfigFiles[".auth_token"] so it is written into the
 // /configs volume by WriteFilesToContainer immediately after the container
@@ -779,6 +779,75 @@ func TestBuildProvisionerConfig_WorkspacePathFromEnv(t *testing.T) {
 	}
 }

+// TestBuildProvisionerConfig_ComputeOverrides verifies that #1686 Phase 1
+// compute fields (instance_type + volume.root_gb) are threaded from the
+// create payload into the provisioner config.
+func TestBuildProvisionerConfig_ComputeOverrides(t *testing.T) {
+	mock := setupTestDB(t)
+	mock.ExpectQuery(`SELECT COALESCE\(workspace_dir`).
+		WithArgs("ws-compute").
+		WillReturnRows(sqlmock.NewRows([]string{"workspace_dir", "workspace_access"}).AddRow("", "none"))
+
+	broadcaster := newTestBroadcaster()
+	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+
+	cfg := handler.buildProvisionerConfig(
+		context.Background(),
+		"ws-compute",
+		"",
+		nil,
+		models.CreateWorkspacePayload{
+			Tier:    2,
+			Runtime: "python",
+			Compute: &models.ComputeConfig{
+				InstanceType: "g4dn.xlarge",
+				Volume:       models.ComputeVolume{RootGB: 256},
+			},
+		},
+		nil,
+		"",
+		"workspace:ws-compute",
+	)
+
+	if cfg.InstanceType == nil || *cfg.InstanceType != "g4dn.xlarge" {
+		t.Errorf("InstanceType = %v, want g4dn.xlarge", cfg.InstanceType)
+	}
+	if cfg.VolumeRootGB == nil || *cfg.VolumeRootGB != 256 {
+		t.Errorf("VolumeRootGB = %v, want 256", cfg.VolumeRootGB)
+	}
+}
+
+// TestBuildProvisionerConfig_ComputeNil verifies backward compat: when the
+// payload omits compute, the provisioner config fields are nil so the CP
+// applies its own defaults.
+func TestBuildProvisionerConfig_ComputeNil(t *testing.T) {
+	mock := setupTestDB(t)
+	mock.ExpectQuery(`SELECT COALESCE\(workspace_dir`).
+		WithArgs("ws-no-compute").
+		WillReturnRows(sqlmock.NewRows([]string{"workspace_dir", "workspace_access"}).AddRow("", "none"))
+
+	broadcaster := newTestBroadcaster()
+	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+
+	cfg := handler.buildProvisionerConfig(
+		context.Background(),
+		"ws-no-compute",
+		"",
+		nil,
+		models.CreateWorkspacePayload{Tier: 1, Runtime: "python"},
+		nil,
+		"",
+		"workspace:ws-no-compute",
+	)
+
+	if cfg.InstanceType != nil {
+		t.Errorf("InstanceType = %v, want nil", cfg.InstanceType)
+	}
+	if cfg.VolumeRootGB != nil {
+		t.Errorf("VolumeRootGB = %v, want nil", cfg.VolumeRootGB)
+	}
+}
+
 // ==================== issueAndInjectToken (issue #418) ====================

 // TestIssueAndInjectToken_HappyPath verifies that on a normal (re)provision the
@@ -8,6 +8,7 @@ import (
 	"net/http/httptest"
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 	"time"

@@ -342,7 +343,7 @@ func TestWorkspaceCreate_DBInsertError(t *testing.T) {
 	// Transaction begins, workspace INSERT fails, transaction is rolled back.
 	mock.ExpectBegin()
 	mock.ExpectExec("INSERT INTO workspaces").
-		WithArgs(sqlmock.AnyArg(), "Failing Agent", nil, 3, "langgraph", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+		WithArgs(sqlmock.AnyArg(), "Failing Agent", nil, 3, "langgraph", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push", (*string)(nil), (*int)(nil)).
 		WillReturnError(sql.ErrConnDone)
 	mock.ExpectRollback()

@@ -364,6 +365,94 @@ func TestWorkspaceCreate_DBInsertError(t *testing.T) {
 	}
 }

+// TestWorkspaceCreate_InvalidCompute verifies #1686 Phase 1 create-time
+// validation: bad instance_type or volume.root_gb returns 400 before any
+// DB call.
+func TestWorkspaceCreate_InvalidCompute(t *testing.T) {
+	broadcaster := newTestBroadcaster()
+	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+
+	cases := []struct {
+		name string
+		body string
+		want string
+	}{
+		{
+			name: "instance_type too long",
+			body: `{"name":"Bad Type","compute":{"instance_type":"` + strings.Repeat("x", 65) + `"}}`,
+			want: "compute.instance_type too long",
+		},
+		{
+			name: "root_gb too small",
+			body: `{"name":"Small Disk","compute":{"volume":{"root_gb":16}}}`,
+			want: "compute.volume.root_gb must be at least 32",
+		},
+		{
+			name: "root_gb too large",
+			body: `{"name":"Big Disk","compute":{"volume":{"root_gb":4096}}}`,
+			want: "compute.volume.root_gb exceeds maximum 2048",
+		},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			w := httptest.NewRecorder()
+			c, _ := gin.CreateTestContext(w)
+			c.Request = httptest.NewRequest("POST", "/workspaces", bytes.NewBufferString(tc.body))
+			c.Request.Header.Set("Content-Type", "application/json")
+
+			handler.Create(c)
+			if w.Code != http.StatusBadRequest {
+				t.Errorf("expected 400, got %d: %s", w.Code, w.Body.String())
+			}
+			if !strings.Contains(w.Body.String(), tc.want) {
+				t.Errorf("body %q should contain %q", w.Body.String(), tc.want)
+			}
+		})
+	}
+}
+
+// TestWorkspaceCreate_WithComputeOverrides verifies that valid #1686 Phase 1
+// compute fields are persisted into the workspaces table.
+func TestWorkspaceCreate_WithComputeOverrides(t *testing.T) {
+	mock := setupTestDB(t)
+	setupTestRedis(t)
+	broadcaster := newTestBroadcaster()
+	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+
+	mock.ExpectBegin()
+	instanceType := "g4dn.xlarge"
+	rootGB := 256
+	mock.ExpectExec("INSERT INTO workspaces").
+		WithArgs(sqlmock.AnyArg(), "GPU Agent", nil, 3, "python", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push", &instanceType, &rootGB).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectCommit()
+
+	mock.ExpectExec("INSERT INTO canvas_layouts").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec("INSERT INTO structure_events").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec("INSERT INTO structure_events").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec(`UPDATE workspaces SET status =`).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec("INSERT INTO workspace_config").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	body := `{"name":"GPU Agent","runtime":"python","compute":{"instance_type":"g4dn.xlarge","volume":{"root_gb":256}}}`
+	c.Request = httptest.NewRequest("POST", "/workspaces", bytes.NewBufferString(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Create(c)
+	if w.Code != http.StatusCreated {
+		t.Errorf("expected 201, got %d: %s", w.Code, w.Body.String())
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations: %v", err)
+	}
+}
+
 func TestWorkspaceCreate_DefaultsApplied(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)
@@ -375,7 +464,7 @@ func TestWorkspaceCreate_DefaultsApplied(t *testing.T) {
 	// Expect workspace INSERT with defaulted tier=3 (Privileged — the
 	// handler default in workspace.go), runtime="langgraph"
 	mock.ExpectExec("INSERT INTO workspaces").
-		WithArgs(sqlmock.AnyArg(), "Default Agent", nil, 3, "langgraph", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+		WithArgs(sqlmock.AnyArg(), "Default Agent", nil, 3, "langgraph", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push", (*string)(nil), (*int)(nil)).
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectCommit()

@@ -423,7 +512,7 @@ func TestWorkspaceCreate_SaaSHardForcesTier4(t *testing.T) {

 	mock.ExpectBegin()
 	mock.ExpectExec("INSERT INTO workspaces").
-		WithArgs(sqlmock.AnyArg(), "SaaS External Agent", nil, 4, "external", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+		WithArgs(sqlmock.AnyArg(), "SaaS External Agent", nil, 4, "external", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push", (*string)(nil), (*int)(nil)).
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectCommit()
 	mock.ExpectExec("INSERT INTO canvas_layouts").
@@ -464,7 +553,7 @@ func TestWorkspaceCreate_WithSecrets_Persists(t *testing.T) {

 	mock.ExpectBegin()
 	mock.ExpectExec("INSERT INTO workspaces").
-		WithArgs(sqlmock.AnyArg(), "Hermes Agent", nil, 3, "hermes", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+		WithArgs(sqlmock.AnyArg(), "Hermes Agent", nil, 3, "hermes", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push", (*string)(nil), (*int)(nil)).
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	// Secret inserted inside the same transaction.
 	mock.ExpectExec("INSERT INTO workspace_secrets").
@@ -576,7 +665,7 @@ func TestWorkspaceCreate_ExternalURL_SSRFSafe(t *testing.T) {

 	mock.ExpectBegin()
 	mock.ExpectExec("INSERT INTO workspaces").
-		WithArgs(sqlmock.AnyArg(), "Ext Agent", nil, 3, "external", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+		WithArgs(sqlmock.AnyArg(), "Ext Agent", nil, 3, "external", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push", (*string)(nil), (*int)(nil)).
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectCommit()
 	// External URL update (localhost is explicitly allowed by validateAgentURL).
@@ -615,7 +704,7 @@ func TestWorkspaceCreate_KimiRuntime_PreservesLabel(t *testing.T) {

 	mock.ExpectBegin()
 	mock.ExpectExec("INSERT INTO workspaces").
-		WithArgs(sqlmock.AnyArg(), "Kimi Agent", nil, 3, "kimi", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+		WithArgs(sqlmock.AnyArg(), "Kimi Agent", nil, 3, "kimi", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push", (*string)(nil), (*int)(nil)).
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectCommit()
 	// Pre-register flow: awaiting_agent + runtime preserved as "kimi"
@@ -1639,7 +1728,7 @@ runtime_config:
 	mock.ExpectExec("INSERT INTO workspaces").
 		WithArgs(
 			sqlmock.AnyArg(), "Hermes Agent", nil, 3, "hermes",
-			sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+			sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push", (*string)(nil), (*int)(nil)).
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectCommit()
 	mock.ExpectExec("INSERT INTO canvas_layouts").
@@ -1696,7 +1785,7 @@ model: anthropic:claude-sonnet-4-5
 	mock.ExpectExec("INSERT INTO workspaces").
 		WithArgs(
 			sqlmock.AnyArg(), "Legacy Agent", nil, 3, "langgraph",
-			sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+			sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push", (*string)(nil), (*int)(nil)).
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectCommit()
 	mock.ExpectExec("INSERT INTO canvas_layouts").
@@ -1749,7 +1838,7 @@ runtime_config:
 	mock.ExpectExec("INSERT INTO workspaces").
 		WithArgs(
 			sqlmock.AnyArg(), "Custom Hermes", nil, 3, "hermes",
-			sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+			sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push", (*string)(nil), (*int)(nil)).
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectCommit()
 	mock.ExpectExec("INSERT INTO canvas_layouts").
@@ -1855,7 +1944,7 @@ func TestWorkspaceCreate_188_NoTemplateNoRuntime_StillDefaultsLanggraph(t *testi

 	mock.ExpectBegin()
 	mock.ExpectExec("INSERT INTO workspaces").
-		WithArgs(sqlmock.AnyArg(), "Plain Default", nil, 3, "langgraph", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+		WithArgs(sqlmock.AnyArg(), "Plain Default", nil, 3, "langgraph", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push", (*string)(nil), (*int)(nil)).
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectCommit()
 	mock.ExpectExec("INSERT INTO canvas_layouts").
@@ -1890,7 +1979,7 @@ func TestWorkspaceCreate_188_ExplicitRuntimeNoTemplate_OK(t *testing.T) {

 	mock.ExpectBegin()
 	mock.ExpectExec("INSERT INTO workspaces").
-		WithArgs(sqlmock.AnyArg(), "Explicit Codex", nil, 3, "codex", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+		WithArgs(sqlmock.AnyArg(), "Explicit Codex", nil, 3, "codex", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push", (*string)(nil), (*int)(nil)).
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectCommit()
 	mock.ExpectExec("INSERT INTO canvas_layouts").
@@ -3,6 +3,7 @@ package models
 import (
 	"database/sql"
 	"encoding/json"
+	"fmt"
 	"time"
 )

@@ -45,6 +46,10 @@ type Workspace struct {
 	// forced to route updates through a parent workspace. Default true
 	// (preserves existing behaviour for all workspaces).
 	TalkToUserEnabled  bool            `json:"talk_to_user_enabled" db:"talk_to_user_enabled"`
+	// Compute overrides (nullable — omitted = platform-managed default).
+	// Issue #1686 Phase 1.
+	ComputeInstanceType *string `json:"compute_instance_type,omitempty" db:"compute_instance_type"`
+	ComputeVolumeRootGB *int    `json:"compute_volume_root_gb,omitempty" db:"compute_volume_root_gb"`
 	// Canvas layout fields (from JOIN)
 	X         float64 `json:"x"`
 	Y         float64 `json:"y"`
@@ -154,6 +159,40 @@ type MemorySeed struct {
 	Scope   string `json:"scope" yaml:"scope"` // LOCAL, TEAM, GLOBAL
 }

+// ComputeVolume holds per-workspace disk configuration.
+type ComputeVolume struct {
+	RootGB int `json:"root_gb"`
+}
+
+// ComputeConfig holds per-workspace EC2 compute overrides.
+// Omitted at create time means "use platform-managed defaults".
+type ComputeConfig struct {
+	InstanceType string        `json:"instance_type"`
+	Volume       ComputeVolume `json:"volume"`
+}
+
+// ValidateComputeConfig performs create-time validation on compute overrides.
+// Returns nil when cfg is nil (omitted = platform-managed default).
+func ValidateComputeConfig(cfg *ComputeConfig) error {
+	if cfg == nil {
+		return nil
+	}
+	if cfg.InstanceType != "" {
+		if len(cfg.InstanceType) > 64 {
+			return fmt.Errorf("compute.instance_type too long (max 64 chars)")
+		}
+	}
+	if cfg.Volume.RootGB != 0 {
+		if cfg.Volume.RootGB < 32 {
+			return fmt.Errorf("compute.volume.root_gb must be at least 32")
+		}
+		if cfg.Volume.RootGB > 2048 {
+			return fmt.Errorf("compute.volume.root_gb exceeds maximum 2048")
+		}
+	}
+	return nil
+}
+
 type CreateWorkspacePayload struct {
 	Name     string  `json:"name" binding:"required"`
 	Role     string  `json:"role"`
@@ -180,6 +219,9 @@ type CreateWorkspacePayload struct {
 	// MaxConcurrentTasks caps parallel A2A + cron dispatch. 0 means use
 	// DefaultMaxConcurrentTasks. Leaders typically set 3.
 	MaxConcurrentTasks int `json:"max_concurrent_tasks"`
+	// Compute is an optional per-workspace EC2 shape override.
+	// Omitted = platform-managed default (current behaviour).
+	Compute *ComputeConfig `json:"compute,omitempty"`
 	Canvas   struct {
 		X float64 `json:"x"`
 		Y float64 `json:"y"`
@@ -0,0 +1,90 @@
+package models
+
+import "testing"
+
+func TestValidateComputeConfig_NilIsValid(t *testing.T) {
+	if err := ValidateComputeConfig(nil); err != nil {
+		t.Errorf("nil compute config should be valid, got: %v", err)
+	}
+}
+
+func TestValidateComputeConfig_EmptyIsValid(t *testing.T) {
+	cfg := &ComputeConfig{}
+	if err := ValidateComputeConfig(cfg); err != nil {
+		t.Errorf("empty compute config should be valid, got: %v", err)
+	}
+}
+
+func TestValidateComputeConfig_ValidOverrides(t *testing.T) {
+	cfg := &ComputeConfig{
+		InstanceType: "g4dn.xlarge",
+		Volume:       ComputeVolume{RootGB: 256},
+	}
+	if err := ValidateComputeConfig(cfg); err != nil {
+		t.Errorf("valid overrides should pass, got: %v", err)
+	}
+}
+
+func TestValidateComputeConfig_InstanceTypeTooLong(t *testing.T) {
+	longName := string(make([]byte, 65))
+	for i := range longName {
+		longName = longName[:i] + "x" + longName[i+1:]
+	}
+	cfg := &ComputeConfig{InstanceType: longName}
+	if err := ValidateComputeConfig(cfg); err == nil {
+		t.Error("expected error for instance_type > 64 chars")
+	} else if err.Error() != "compute.instance_type too long (max 64 chars)" {
+		t.Errorf("unexpected error message: %q", err.Error())
+	}
+}
+
+func TestValidateComputeConfig_RootGBTooSmall(t *testing.T) {
+	cfg := &ComputeConfig{Volume: ComputeVolume{RootGB: 31}}
+	if err := ValidateComputeConfig(cfg); err == nil {
+		t.Error("expected error for root_gb < 32")
+	} else if err.Error() != "compute.volume.root_gb must be at least 32" {
+		t.Errorf("unexpected error message: %q", err.Error())
+	}
+}
+
+func TestValidateComputeConfig_RootGBTooLarge(t *testing.T) {
+	cfg := &ComputeConfig{Volume: ComputeVolume{RootGB: 2049}}
+	if err := ValidateComputeConfig(cfg); err == nil {
+		t.Error("expected error for root_gb > 2048")
+	} else if err.Error() != "compute.volume.root_gb exceeds maximum 2048" {
+		t.Errorf("unexpected error message: %q", err.Error())
+	}
+}
+
+func TestValidateComputeConfig_BoundaryValues(t *testing.T) {
+	cases := []struct {
+		name string
+		cfg  ComputeConfig
+		ok   bool
+	}{
+		{"min root_gb", ComputeConfig{Volume: ComputeVolume{RootGB: 32}}, true},
+		{"max root_gb", ComputeConfig{Volume: ComputeVolume{RootGB: 2048}}, true},
+		{"just under min", ComputeConfig{Volume: ComputeVolume{RootGB: 31}}, false},
+		{"just over max", ComputeConfig{Volume: ComputeVolume{RootGB: 2049}}, false},
+		{"exactly 64 char type", ComputeConfig{InstanceType: string(make([]byte, 64))}, true},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			// fill the 64-char case with 'x'
+			if tc.cfg.InstanceType != "" {
+				b := make([]byte, len(tc.cfg.InstanceType))
+				for i := range b {
+					b[i] = 'x'
+				}
+				tc.cfg.InstanceType = string(b)
+			}
+			err := ValidateComputeConfig(&tc.cfg)
+			if tc.ok && err != nil {
+				t.Errorf("expected valid, got: %v", err)
+			}
+			if !tc.ok && err == nil {
+				t.Error("expected invalid, got nil")
+			}
+		})
+	}
+}
@@ -163,6 +163,10 @@ type cpProvisionRequest struct {
 	// collectCPConfigFiles which rejects symlinks and non-regular files
 	// before including them. Serialised as base64 to avoid JSON escaping.
 	ConfigFiles map[string]string `json:"config_files,omitempty"`
+	// Compute overrides (nullable — omitted = platform-managed default).
+	// Issue #1686 Phase 1.
+	InstanceType *string `json:"instance_type,omitempty"`
+	VolumeRootGB *int    `json:"volume_root_gb,omitempty"`
 }

 type cpProvisionResponse struct {
@@ -206,13 +210,15 @@ func (p *CPProvisioner) Start(ctx context.Context, cfg WorkspaceConfig) (string,
 	}

 	req := cpProvisionRequest{
-		OrgID:       p.orgID,
-		WorkspaceID: cfg.WorkspaceID,
-		Runtime:     cfg.Runtime,
-		Tier:        cfg.Tier,
-		PlatformURL: cfg.PlatformURL,
-		Env:         env,
-		ConfigFiles: configFiles,
+		OrgID:        p.orgID,
+		WorkspaceID:  cfg.WorkspaceID,
+		Runtime:      cfg.Runtime,
+		Tier:         cfg.Tier,
+		PlatformURL:  cfg.PlatformURL,
+		Env:          env,
+		ConfigFiles:  configFiles,
+		InstanceType: cfg.InstanceType,
+		VolumeRootGB: cfg.VolumeRootGB,
 	}

 	body, err := json.Marshal(req)
@@ -1062,3 +1062,75 @@ func TestCollectCPConfigFiles_RejectsRootSymlink(t *testing.T) {
 		t.Errorf("expected symlink-related error, got: %v", err)
 	}
 }
+
+// TestStart_ComputeOverrides — when WorkspaceConfig carries InstanceType and
+// VolumeRootGB, they must be forwarded in the cpProvisionRequest body so the
+// CP can pass them to EC2 RunInstances. Regression guard for #1686 Phase 1.
+func TestStart_ComputeOverrides(t *testing.T) {
+	var gotBody cpProvisionRequest
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if err := json.NewDecoder(r.Body).Decode(&gotBody); err != nil {
+			t.Errorf("decode request: %v", err)
+		}
+		w.WriteHeader(http.StatusCreated)
+		_, _ = io.WriteString(w, `{"instance_id":"i-compute","state":"pending"}`)
+	}))
+	defer srv.Close()
+
+	p := &CPProvisioner{baseURL: srv.URL, orgID: "org-1", httpClient: srv.Client()}
+	instanceType := "g4dn.xlarge"
+	volumeRootGB := 256
+	_, err := p.Start(context.Background(), WorkspaceConfig{
+		WorkspaceID:  "ws-1",
+		Runtime:      "python",
+		Tier:         2,
+		PlatformURL:  "http://tenant",
+		InstanceType: &instanceType,
+		VolumeRootGB: &volumeRootGB,
+	})
+	if err != nil {
+		t.Fatalf("Start: %v", err)
+	}
+	if gotBody.InstanceType == nil || *gotBody.InstanceType != "g4dn.xlarge" {
+		t.Errorf("instance_type = %v, want g4dn.xlarge", gotBody.InstanceType)
+	}
+	if gotBody.VolumeRootGB == nil || *gotBody.VolumeRootGB != 256 {
+		t.Errorf("volume_root_gb = %v, want 256", gotBody.VolumeRootGB)
+	}
+}
+
+// TestStart_ComputeOmittedWhenNil — when WorkspaceConfig has no compute
+// overrides, the JSON body must omit the keys entirely (omitempty) so CP
+// applies its own defaults rather than empty/zero values.
+func TestStart_ComputeOmittedWhenNil(t *testing.T) {
+	var raw json.RawMessage
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if err := json.NewDecoder(r.Body).Decode(&raw); err != nil {
+			t.Errorf("decode request: %v", err)
+		}
+		w.WriteHeader(http.StatusCreated)
+		_, _ = io.WriteString(w, `{"instance_id":"i-default","state":"pending"}`)
+	}))
+	defer srv.Close()
+
+	p := &CPProvisioner{baseURL: srv.URL, orgID: "org-1", httpClient: srv.Client()}
+	_, err := p.Start(context.Background(), WorkspaceConfig{
+		WorkspaceID: "ws-1",
+		Runtime:     "python",
+		Tier:        1,
+		PlatformURL: "http://tenant",
+	})
+	if err != nil {
+		t.Fatalf("Start: %v", err)
+	}
+	var decoded map[string]interface{}
+	if err := json.Unmarshal(raw, &decoded); err != nil {
+		t.Fatalf("unmarshal raw body: %v", err)
+	}
+	if _, ok := decoded["instance_type"]; ok {
+		t.Errorf("instance_type should be omitted when nil")
+	}
+	if _, ok := decoded["volume_root_gb"]; ok {
+		t.Errorf("volume_root_gb should be omitted when nil")
+	}
+}
@@ -105,6 +105,11 @@ type WorkspaceConfig struct {
 	WorkspaceAccess    string // #65: "none" (default), "read_only", or "read_write"
 	ResetClaudeSession bool   // #12: if true, discard the claude-sessions volume before start (fresh session dir)

+	// Compute overrides (nullable — omitted = platform-managed default).
+	// Issue #1686 Phase 1.
+	InstanceType *string `json:"instance_type,omitempty"`
+	VolumeRootGB *int    `json:"volume_root_gb,omitempty"`
+
 	// Image, when non-empty, overrides the runtime→image lookup. CP
 	// (molecule-controlplane) is the single SSOT for runtime image digest
 	// pins via its migrations/027_runtime_image_pins table — the pin is
@@ -726,6 +731,16 @@ func buildContainerEnv(cfg WorkspaceConfig) []string {
 		}
 		env = append(env, fmt.Sprintf("%s=%s", k, v))
 	}
+	// #1687: alias GH_PAT → GH_TOKEN / GITHUB_TOKEN on the READ side
+	// (container env assembly). gh CLI and git credential helpers look
+	// for these standard names; by aliasing here we avoid writing the
+	// forbidden keys into tenant-writer surfaces (workspace_secrets,
+	// envVars map, etc.). GH_PAT itself is not an SCM-write credential
+	// and passes through cfg.EnvVars untouched.
+	if pat, hasPAT := cfg.EnvVars["GH_PAT"]; hasPAT && pat != "" {
+		env = append(env, fmt.Sprintf("GH_TOKEN=%s", pat))
+		env = append(env, fmt.Sprintf("GITHUB_TOKEN=%s", pat))
+	}
 	// Inject ADMIN_TOKEN from the platform server's environment so workspace
 	// containers can call /admin/liveness and other admin-gated endpoints
 	// (core#831). cp_provisioner.go handles this separately for SaaS tenants.
@@ -0,0 +1,59 @@
+# T4 privilege contract — generated from
+# molecule-ai/molecule-core workspace-server/internal/provisioner/t4_privilege_contract.go
+# RFC: molecule-ai/internal#456
+# Do NOT edit this file by hand; regenerate via `go run ./cmd/t4-contract-dump > t4_capabilities.yaml`.
+version: 1
+agent_uid: 1000
+capabilities:
+  - name: "agent_home_writable"
+    description: "/agent-home is writable by the agent (Files API split per task #128). The Files API redesign uses /agent-home as the user-writable root; the agent must be able to create files there without sudo."
+    severity: hard
+    source: "task #128 Files API redesign; memory reference_post_suspension_pipeline"
+    probe: "TF=/agent-home/.t4-cap-write-probe-${MOLECULE_T4_PROBE_ID:-$$}; echo ok > \"$TF\" && [ \"$(cat \"$TF\")\" = \"ok\" ] && rm -f \"$TF\""
+  - name: "agent_uid_1000"
+    description: "The container's primary process (the runtime, post-gosu) runs as uid 1000, not root. T4 grants full machine access via privileged + host PID + Docker socket — the WORKLOAD inside that privileged container must still be unprivileged to prevent every untrusted code execution from being trivially root-on-host."
+    severity: hard
+    source: "RFC internal#456 §2.1.2; memory feedback_hermes_listpeers_401_token_root600_unreadable_by_uid1000"
+    probe: "[ \"$(id -u)\" = \"1000\" ]"
+  - name: "auth_token_agent_owned"
+    description: "/configs/.auth_token is owned by uid 1000 (== AgentUID) so the a2a_mcp_server can read its bearer. In SaaS mode molecule-runtime itself writes the token via save_token() — the ownership equals the runtime's exec uid. If the runtime ever runs as root, this fails and list_peers 401s (the Hermes class bug)."
+    severity: hard
+    source: "RFC internal#456 §10; memory feedback_hermes_listpeers_401_token_root600_unreadable_by_uid1000"
+    probe: "[ -e /configs/.auth_token ] && [ \"$(stat -c '%u' /configs/.auth_token)\" = \"1000\" ]"
+  - name: "docker_socket_reachable"
+    description: "/var/run/docker.sock is bind-mounted and host Docker is reachable from the T4 container. The probe enters the host mount+PID namespaces before running docker info so it validates the same host-control path production agents use, instead of depending on the template image's Docker CLI/socket group details."
+    severity: hard
+    source: "provisioner.go applyHostConfig T4 branch (case 4)"
+    probe: "sudo -n nsenter --target 1 --mount --pid -- docker info >/dev/null 2>&1"
+  - name: "host_fs_write_readback"
+    description: "Host filesystem is mounted at /host and the agent can write+read+remove a file there via sudo. Proves real host reach (not just a PID-1 namespace trick on an isolated init)."
+    severity: hard
+    source: "RFC internal#456 §11"
+    probe: "MARKER=\"t4cap-$(date +%s)-$RANDOM\"; PROBE_FILE=\"/host/tmp/.t4-cap-probe-${MOLECULE_T4_PROBE_ID:-$$}\"; sudo -n sh -c \"echo $MARKER > $PROBE_FILE\" && [ \"$(sudo -n cat $PROBE_FILE)\" = \"$MARKER\" ] && sudo -n rm -f $PROBE_FILE"
+  - name: "host_root_reach_via_nsenter"
+    description: "The uid-1000 agent can attain host root via `sudo -n nsenter --target 1 --mount --pid -- id -u` returning 0. This is the T4 escalation leg: full machine access means the agent CAN escalate to host root deliberately, even though it does not run as root by default."
+    severity: hard
+    source: "RFC internal#456 §11; memory reference_per_template_privilege_contract_class_audit_2026_05_16"
+    probe: "[ \"$(sudo -n nsenter --target 1 --mount --pid -- id -u)\" = \"0\" ]"
+  - name: "list_peers_http_200"
+    description: "The platform list_peers HTTP endpoint (served by the in-container a2a_mcp_server) returns HTTP 200 when called from uid 1000 with the bearer from /configs/.auth_token. This proves the WHOLE token-ownership chain end-to-end: token written under correct uid → reader uid matches → bearer non-empty → platform accepts. A self-contained empirical test for the Hermes class bug."
+    severity: hard
+    source: "memory reference_openclaw_fresh_provision_nonfunctional_anthropic_default_unroutable; memory reference_openclaw_mcp_peer_wiring_rootcause"
+    probe: "BEARER=$(cat /configs/.auth_token 2>/dev/null || echo \"\"); [ -n \"$BEARER\" ] || exit 1; PORT=$(cat /configs/.platform_port 2>/dev/null || echo \"8080\"); STATUS=$(curl -sS -o /dev/null -w '%{http_code}' -H \"Authorization: Bearer $BEARER\" \"http://127.0.0.1:${PORT}/list_peers\"); [ \"$STATUS\" = \"200\" ]"
+  - name: "network_egress_https"
+    description: "Generic HTTPS egress works. T4 is unconstrained network; the canonical test target is the Molecule-owned Gitea middleman over its public name. CI must not depend on GitHub or other mirrors for this probe. Any reachable HTTPS endpoint satisfies it — the YAML carries the recommended targets but accepts any 200/301/302."
+    severity: hard
+    source: "task #174 brief"
+    probe: "for U in $MOLECULE_T4_EGRESS_TARGETS; do   C=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 8 \"$U\");   case \"$C\" in 2*|3*) exit 0;; esac; done; exit 1"
+    required_egress:
+      - "https://git.moleculesai.app/api/v1/version"
+  - name: "pid_host_visible"
+    description: "Host PID namespace is shared (--pid=host). The container can see host process 1 (systemd or pid-1 on the EC2 instance). Required for nsenter into host mount/pid namespaces."
+    severity: hard
+    source: "provisioner.go applyHostConfig T4 branch (case 4): hostCfg.PidMode = 'host'"
+    probe: "[ \"$(sudo -n nsenter --target 1 --mount --pid -- id -u)\" = \"0\" ]"
+  - name: "privileged_flag_observable"
+    description: "Container is started with --privileged. Observable from inside via /proc/self/status CapEff containing CAP_SYS_ADMIN. Defense-in-depth for the provisioner emission side."
+    severity: advisory
+    source: "provisioner.go applyHostConfig T4 branch (case 4)"
+    probe: "grep -q '^CapEff:.*ffffffffff' /proc/self/status"
@@ -120,8 +120,8 @@ func T4PrivilegeContract() []T4Capability {
 		},
 		{
 			Name:        "docker_socket_reachable",
-			Description: "/var/run/docker.sock is bind-mounted into the container so the agent can manage other containers (T4 use case: agent-as-orchestrator). Proven by 'docker version' returning a server section, which requires the daemon to answer over the socket.",
-			Probe:       `sudo -n docker version --format '{{.Server.Version}}' >/dev/null 2>&1`,
+			Description: "/var/run/docker.sock is bind-mounted and host Docker is reachable from the T4 container. The probe enters the host mount+PID namespaces before running docker info so it validates the same host-control path production agents use, instead of depending on the template image's Docker CLI/socket group details.",
+			Probe:       `sudo -n nsenter --target 1 --mount --pid -- docker info >/dev/null 2>&1`,
 			Severity:    SeverityHard,
 			Source:      "provisioner.go applyHostConfig T4 branch (case 4)",
 		},
@@ -145,7 +145,7 @@ func T4PrivilegeContract() []T4Capability {
 		},
 		{
 			Name:        "network_egress_https",
-			Description: "Generic HTTPS egress works. T4 is unconstrained network; the canonical test target is the Gitea instance over its public name, which any fork user can also resolve. Any reachable HTTPS endpoint satisfies it — the YAML carries the recommended targets but accepts any 200/301/302.",
+			Description: "Generic HTTPS egress works. T4 is unconstrained network; the canonical test target is the Molecule-owned Gitea middleman over its public name. CI must not depend on GitHub or other mirrors for this probe. Any reachable HTTPS endpoint satisfies it — the YAML carries the recommended targets but accepts any 200/301/302.",
 			Probe: `for U in $MOLECULE_T4_EGRESS_TARGETS; do ` +
 				`  C=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 8 "$U"); ` +
 				`  case "$C" in 2*|3*) exit 0;; esac; ` +
@@ -153,10 +153,9 @@ func T4PrivilegeContract() []T4Capability {
 			Severity: SeverityHard,
 			Source:   "task #174 brief",
 			RequiredEgress: []string{
-				// Public, no auth, returns a small JSON.
+				// Molecule-owned, public, no auth, returns a small JSON.
 				// Adopters override via MOLECULE_T4_EGRESS_TARGETS.
-				"https://api.github.com/zen",
-				"https://www.google.com/generate_204",
+				"https://git.moleculesai.app/api/v1/version",
 			},
 		},
 		{
@@ -169,7 +168,7 @@ func T4PrivilegeContract() []T4Capability {
 		{
 			Name:        "pid_host_visible",
 			Description: "Host PID namespace is shared (--pid=host). The container can see host process 1 (systemd or pid-1 on the EC2 instance). Required for nsenter into host mount/pid namespaces.",
-			Probe:       `[ -d /proc/1/root ] && [ "$(sudo -n readlink /proc/1/ns/pid)" = "$(sudo -n readlink /proc/self/ns/pid)" ]`,
+			Probe:       `[ "$(sudo -n nsenter --target 1 --mount --pid -- id -u)" = "0" ]`,
 			Severity:    SeverityHard,
 			Source:      "provisioner.go applyHostConfig T4 branch (case 4): hostCfg.PidMode = 'host'",
 		},
@@ -1,6 +1,7 @@
 package provisioner

 import (
+	"os"
 	"strings"
 	"testing"
 )
@@ -77,6 +78,19 @@ func TestT4PrivilegeContract_CoreCapabilitiesPresent(t *testing.T) {
 	}
 }

+func TestT4PrivilegeContract_DefaultEgressUsesMoleculeOwnedEndpoint(t *testing.T) {
+	for _, c := range T4PrivilegeContract() {
+		for _, target := range c.RequiredEgress {
+			if strings.Contains(target, "github.com") {
+				t.Errorf("capability %q default egress target must not depend on GitHub mirror/API: %s", c.Name, target)
+			}
+			if strings.Contains(target, "google.com") {
+				t.Errorf("capability %q default egress target must not depend on external Google endpoint: %s", c.Name, target)
+			}
+		}
+	}
+}
+
 // TestT4PrivilegeContract_HardCapabilitiesMajority sanity-checks that
 // the contract is not silently advisory-only. If someone marks
 // everything as "advisory" the gate becomes a no-op without anyone
@@ -142,6 +156,17 @@ func TestAsYAML_EscapesEmbeddedQuotes(t *testing.T) {
 	}
 }

+func TestGeneratedT4CapabilitiesYAMLMatchesSSOT(t *testing.T) {
+	got, err := os.ReadFile("t4_capabilities.yaml")
+	if err != nil {
+		t.Fatalf("read generated t4_capabilities.yaml: %v", err)
+	}
+	want := AsYAML(T4PrivilegeContract())
+	if string(got) != want {
+		t.Fatal("generated t4_capabilities.yaml drifted from T4PrivilegeContract; regenerate with `go run ./cmd/t4-contract-dump > internal/provisioner/t4_capabilities.yaml`")
+	}
+}
+
 // TestAgentUIDConsistency ties the contract to the existing
 // provisioner-side AgentUID const. The probe for "agent_uid_1000"
 // hard-codes `id -u == 1000`; if AgentUID ever changes (no one
@@ -397,6 +397,8 @@ func Setup(hub *ws.Hub, broadcaster *events.Broadcaster, prov *provisioner.Provi
 		wsAuth.GET("/tokens", tokh.List)
 		wsAuth.POST("/tokens", tokh.Create)
 		wsAuth.DELETE("/tokens/:tokenId", tokh.Revoke)
+		adminTokH := handlers.NewAdminWorkspaceTokenHandler()
+		r.POST("/admin/workspaces/:id/tokens", middleware.AdminAuth(db.DB), adminTokH.Create)

 		// Memory
 		memh := handlers.NewMemoryHandler()
@@ -0,0 +1,5 @@
+ALTER TABLE workspaces
+    DROP COLUMN IF EXISTS compute_instance_type;
+
+ALTER TABLE workspaces
+    DROP COLUMN IF EXISTS compute_volume_root_gb;
@@ -0,0 +1,10 @@
+-- Per-workspace EC2 compute configuration (#1686 Phase 1).
+-- Allows callers to override instance_type and root volume size
+-- at workspace creation time. Omitted/null values preserve the
+-- platform-managed default (current behaviour), so this is fully
+-- backwards-compatible.
+ALTER TABLE workspaces
+    ADD COLUMN IF NOT EXISTS compute_instance_type TEXT;
+
+ALTER TABLE workspaces
+    ADD COLUMN IF NOT EXISTS compute_volume_root_gb INTEGER;
@@ -1,13 +0,0 @@
-# coverage.py config — consumed by `pytest --cov` via the pytest-cov
-# plugin. Lives here (not in pytest.ini) because coverage.py only reads
-# .coveragerc / setup.cfg / tox.ini / pyproject.toml — the [coverage:*]
-# sections in pytest.ini are silently ignored. See issue #1817.
-[run]
-omit =
-    */tests/*
-    */__init__.py
-    plugins_registry/*
-
-[report]
-# Skip files at 100% in the term-missing output to keep CI logs readable.
-skip_covered = True
@@ -1,104 +0,0 @@
-FROM python:3.11-slim@sha256:e78299e55776ca065dcb769f80161f48465ad352014240eb5fe4712e22505e9b
-
-WORKDIR /app
-
-# Install Node.js, git, gh CLI in a single layer to minimize image size
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends curl git ca-certificates && \
-    # Node.js 22
-    curl -fsSL https://deb.nodesource.com/setup_22.x | bash - && \
-    apt-get install -y --no-install-recommends nodejs && \
-    # GitHub CLI
-    curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
-      | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg && \
-    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
-      > /etc/apt/sources.list.d/github-cli.list && \
-    apt-get update && apt-get install -y --no-install-recommends gh && \
-    # Cleanup apt caches and temp files
-    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false && \
-    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
-
-# Create non-root user (claude --dangerously-skip-permissions refuses root)
-RUN useradd -m -s /bin/bash agent
-
-# Install base Python dependencies (A2A SDK + HTTP only)
-COPY requirements.txt .
-RUN pip install --no-cache-dir -r requirements.txt
-
-# Copy runtime code (adapters/ has been removed — adapters now live in standalone
-# template repos and install molecule-ai-workspace-runtime from PyPI)
-COPY *.py ./
-COPY entrypoint.sh ./
-COPY skill_loader/ ./skill_loader/
-COPY builtin_tools/ ./builtin_tools/
-COPY plugins_registry/ ./plugins_registry/
-COPY policies/ ./policies/
-
-# Create CLI aliases
-RUN ln -s /app/a2a_cli.py /usr/local/bin/a2a && chmod +x /app/a2a_cli.py /app/a2a_mcp_server.py && \
-    ln -s /app/molecule_ai_status.py /usr/local/bin/molecule-monorepo-status && chmod +x /app/molecule_ai_status.py
-
-# gh wrapper — auto-prefixes PR / issue titles with the agent role + appends
-# a body footer. Every agent in the template shares one GitHub PAT so plain
-# `gh pr list` can't distinguish workspaces; the wrapper reads GIT_AUTHOR_NAME
-# (set by the platform provisioner, "Molecule AI <Role>") and rewrites the
-# title/body accordingly. Fails open when the env is missing. Anything that
-# isn't `gh pr create` or `gh issue create` passes through untouched.
-# /usr/local/bin is earlier in PATH than /usr/bin/gh so this shadows the
-# real binary without renaming it.
-COPY scripts/gh-wrapper.sh /usr/local/bin/gh
-RUN chmod +x /usr/local/bin/gh
-
-# Copy the git credential helper so entrypoint.sh can register it at boot.
-# molecule-git-token-helper.sh fetches a fresh GitHub App installation token
-# from the platform on every git push/fetch, preventing stale-token failures
-# after the ~60 min GitHub App token TTL (issue #613 / #547).
-COPY scripts/molecule-git-token-helper.sh ./scripts/
-RUN chmod +x ./scripts/molecule-git-token-helper.sh
-
-# Copy the background token refresh daemon. Runs as a background process
-# started by entrypoint.sh — refreshes gh CLI auth and the credential
-# helper cache every 45 min so tokens never expire mid-operation.
-COPY scripts/molecule-gh-token-refresh.sh ./scripts/
-RUN chmod +x ./scripts/molecule-gh-token-refresh.sh
-
-# Generic GIT_ASKPASS helper. Reads HTTPS Basic-Auth credentials from env
-# vars (GIT_HTTP_USERNAME / GIT_HTTP_PASSWORD, with GITEA_USER / GITEA_TOKEN
-# as fallback) and emits them on the git credential-prompt protocol so
-# container-side `git` can authenticate to any private HTTPS remote
-# without on-disk .gitconfig / .git-credentials mutation. The platform
-# provisioner sets GIT_ASKPASS=/usr/local/bin/molecule-askpass via
-# applyAgentGitIdentity (workspace-server/internal/handlers/agent_git_identity.go).
-# Filename is the only project-specific marker; the script body contains
-# no vendor literals and is identical to the script shipped in each
-# open-source workspace template (scripts/git-askpass.sh).
-COPY scripts/molecule-askpass /usr/local/bin/molecule-askpass
-RUN chmod +x /usr/local/bin/molecule-askpass
-
-# Dirs and permissions
-RUN mkdir -p /workspace /plugins /home/agent/.claude /home/agent/.config /home/agent/.local \
-    /home/agent/.molecule-token-cache && \
-    chown -R agent:agent /app /home/agent /workspace
-
-# Install gosu for clean root → agent user handoff in entrypoint.
-# The entrypoint starts as root to fix volume ownership, then exec's
-# as the agent user so Claude Code's --dangerously-skip-permissions works.
-RUN apt-get update && apt-get install -y --no-install-recommends gosu && \
-    rm -rf /var/lib/apt/lists/*
-
-VOLUME /configs
-VOLUME /workspace
-
-EXPOSE 8000
-
-# HEALTHCHECK: probe the A2A agent-card endpoint so orchestrators and
-# container runtimes can detect a live, responsive workspace agent.
-# Uses curl (present in python:3.11-slim base) against the uvicorn server.
-# PORT is injected at runtime via the molecule-runtime entrypoint; the
-# default matches EXPOSE.
-HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
-  CMD curl -sf http://localhost:${PORT:-8000}/agent/card >/dev/null || exit 1
-
-RUN chmod +x /app/entrypoint.sh
-# Start as root — entrypoint fixes volume permissions then drops to agent
-CMD ["./entrypoint.sh"]
@@ -1 +0,0 @@
-# trigger autobump for python-multipart pin (PDF P0 cure)
@@ -1,105 +0,0 @@
-"""OFFSEC-003: A2A peer-result sanitization — shared across delegation tools.
-
-This module is intentionally a LEAF (no imports from the molecule-runtime
-package) to avoid circular dependency cycles. Both ``a2a_tools_delegation``
-and ``a2a_tools`` can import from here without creating import loops.
-
-Trust-boundary design (OFFSEC-003):
-    A2A peer responses are untrusted third-party content. Before passing
-    them to the agent context, they MUST be wrapped in a trust-boundary
-    marker pair so the calling agent knows the content is external.
-
-Boundary markers:
-    - _A2A_BOUNDARY_START = "[A2A_RESULT_FROM_PEER]"
-    - _A2A_BOUNDARY_END   = "[/A2A_RESULT_FROM_PEER]"
-
-The boundary is the PRIMARY security control. A peer that sends
-"[A2A_RESULT_FROM_PEER]evil[/A2A_RESULT_FROM_PEER]safe" can make "safe"
-appear inside the trusted context unless the markers themselves are
-escaped before wrapping — see _escape_boundary_markers() below.
-
-Defense-in-depth (secondary):
-    Known prompt-injection control-words are also escaped so that even
-    if a calling agent ignores the boundary marker, embedded attack
-    patterns (SYSTEM:, OVERRIDE:, etc.) lose their special meaning.
-    This is not a complete injection sanitizer — do not rely on it as
-    the primary control.
-"""
-
-from __future__ import annotations
-
-import re
-
-# ── Trust-boundary markers ────────────────────────────────────────────────────
-
-_A2A_BOUNDARY_START = "[A2A_RESULT_FROM_PEER]"
-_A2A_BOUNDARY_END = "[/A2A_RESULT_FROM_PEER]"
-
-# ── Boundary-marker escaping ─────────────────────────────────────────────────
-# A peer that sends "[/A2A_RESULT_FROM_PEER]evil" can make "evil" appear
-# inside the trusted zone. Escape BOTH boundary markers in the raw text
-# before wrapping so they can never close the boundary early.
-# We use "[/ " as the escape prefix — visually distinct from the real marker.
-_A2A_BOUNDARY_START_ESCAPED = "[/ A2A_RESULT_FROM_PEER]"
-_A2A_BOUNDARY_END_ESCAPED = "[/ /A2A_RESULT_FROM_PEER]"
-
-
-def _escape_boundary_markers(text: str) -> str:
-    """Escape boundary markers inside the raw peer text before wrapping.
-
-    Replaces any occurrence of the boundary start/end markers with a
-    visually-similar escaped form so a malicious peer can never close
-    the boundary early or inject a fake opener.
-    """
-    return (
-        text.replace(_A2A_BOUNDARY_START, _A2A_BOUNDARY_START_ESCAPED)
-        .replace(_A2A_BOUNDARY_END, _A2A_BOUNDARY_END_ESCAPED)
-    )
-
-
-# ── Defense-in-depth: injection pattern escaping ───────────────────────────────
-# These patterns cover common prompt-injection phrasings. They are NOT a
-# complete sanitizer — see module docstring. The boundary marker is the
-# primary control; these are purely defense-in-depth.
-
-_INJECTION_PATTERNS = [
-    # Single-word patterns: anchor to word boundary so they don't match
-    # inside other words (e.g. "SYSTEM" in "mySYSTEMatic").
-    # Single-word patterns: anchor to word boundary so they don't match
-    # inside other words (e.g. "SYSTEM" in "mySYSTEMatic").
-    (re.compile(r"(^|[^\w])SYSTEM\b", re.IGNORECASE), r"\1[ESCAPED_SYSTEM]"),
-    (re.compile(r"(^|[^\w])OVERRIDE\b", re.IGNORECASE), r"\1[ESCAPED_OVERRIDE]"),
-    # "INSTRUCTIONS" may appear at the start of a string or after a newline.
-    (re.compile(r"(^|\n)INSTRUCTIONS?\b", re.IGNORECASE), " [ESCAPED_INSTRUCTIONS]"),
-    (re.compile(r"(^|[^\w])IGNORE\s+ALL\b", re.IGNORECASE), r"\1[ESCAPED_IGNORE_ALL]"),
-    (re.compile(r"(^|[^\w])YOU\s+ARE\s+NOW\b", re.IGNORECASE), r"\1[ESCAPED_YOU_ARE_NOW]"),
-]
-
-
-def sanitize_a2a_result(text: str) -> str:
-    """Sanitize untrusted text from an A2A peer (OFFSEC-003).
-
-    Order of operations:
-      1. Escape boundary markers in the raw text (prevents injection).
-      2. Escape known injection patterns (defense-in-depth).
-
-    Returns the input unchanged if it is empty/None.
-
-    Note: this function does NOT add boundary wrappers — callers that need
-    to establish a trust boundary should wrap the sanitized result with
-    ``[A2A_RESULT_FROM_PEER]\\n{sanitized}\\n[/A2A_RESULT_FROM_PEER]``.
-    See ``a2a_tools_delegation.py:tool_delegate_task`` for the canonical
-    wrapping pattern.
-    """
-    if not text:
-        return text
-
-    # 1. Escape boundary markers so a malicious peer cannot break the
-    #    trust boundary from inside their response.
-    escaped = _escape_boundary_markers(text)
-
-    # 2. Escape known injection control-words (defense-in-depth only).
-    for pattern, replacement in _INJECTION_PATTERNS:
-        escaped = pattern.sub(replacement, escaped)
-
-    return escaped
@@ -1,251 +0,0 @@
-#!/usr/bin/env python3
-"""A2A CLI — command-line tools for inter-workspace communication.
-
-Supports both synchronous and asynchronous delegation:
-  a2a delegate <id> <task>        — Send task, wait for response (sync)
-  a2a delegate --async <id> <task> — Send task, return task ID immediately
-  a2a status <task_id>            — Check task status / get result
-  a2a peers                       — List available peers
-  a2a info                        — Show this workspace's info
-
-Environment variables:
-  WORKSPACE_ID  — this workspace's ID
-  PLATFORM_URL  — platform API base URL
-"""
-
-import asyncio
-import json
-import os
-import sys
-import uuid
-
-import httpx
-
-_WORKSPACE_ID_raw = os.environ.get("WORKSPACE_ID")
-if not _WORKSPACE_ID_raw:
-    raise RuntimeError("WORKSPACE_ID environment variable is required but not set")
-WORKSPACE_ID = _WORKSPACE_ID_raw
-# Platform URL: always host.docker.internal inside containers. The platform API
-# is only reachable via the Docker network mesh from inside a workspace
-# container regardless of the runtime environment (Docker/host).
-PLATFORM_URL = os.environ.get("PLATFORM_URL", "http://host.docker.internal:8080")
-
-
-async def discover(target_id: str) -> dict | None:
-    """Discover a peer workspace's URL."""
-    async with httpx.AsyncClient(timeout=30.0) as client:
-        resp = await client.get(
-            f"{PLATFORM_URL}/registry/discover/{target_id}",
-            headers={"X-Workspace-ID": WORKSPACE_ID},
-        )
-        if resp.status_code == 200:
-            return resp.json()
-        return None
-
-
-async def delegate(target_id: str, task: str, async_mode: bool = False):
-    """Delegate a task to another workspace."""
-    peer = await discover(target_id)
-    if not peer:
-        print(f"Error: cannot reach workspace {target_id} (access denied or offline)", file=sys.stderr)
-        sys.exit(1)
-
-    target_url = peer.get("url", "")
-    if not target_url:
-        print(f"Error: workspace {target_id} has no URL", file=sys.stderr)
-        sys.exit(1)
-
-    task_id = str(uuid.uuid4())
-
-    if async_mode:
-        # Async: send and return immediately, don't wait for response
-        # Use a background task that fires and forgets
-        async with httpx.AsyncClient(timeout=10.0) as client:
-            try:
-                # Send with a short timeout — just confirm receipt
-                resp = await client.post(
-                    target_url,
-                    json={
-                        "jsonrpc": "2.0",
-                        "id": task_id,
-                        "method": "message/send",
-                        "params": {
-                            "message": {
-                                "role": "user",
-                                "messageId": str(uuid.uuid4()),
-                                "parts": [{"kind": "text", "text": task}],
-                            }
-                        },
-                    },
-                )
-                # Even if we timeout, the task is queued on the target
-                print(json.dumps({
-                    "task_id": task_id,
-                    "target": target_id,
-                    "status": "submitted",
-                    "target_url": target_url,
-                }))
-            except httpx.TimeoutException:
-                # Request was sent but we didn't get confirmation — task may or may not have been received
-                print(json.dumps({
-                    "task_id": task_id,
-                    "target": target_id,
-                    "status": "uncertain",
-                    "note": "Request sent but response timed out — delivery unconfirmed. Use 'a2a status' to check.",
-                }), file=sys.stderr)
-        return
-
-    # Sync: wait for full response with retry on rate limit
-    max_retries = 3
-    for attempt in range(max_retries):
-        async with httpx.AsyncClient(timeout=300.0) as client:
-            try:
-                resp = await client.post(
-                    target_url,
-                    json={
-                        "jsonrpc": "2.0",
-                        "id": task_id,
-                        "method": "message/send",
-                        "params": {
-                            "message": {
-                                "role": "user",
-                                "messageId": str(uuid.uuid4()),
-                                "parts": [{"kind": "text", "text": task}],
-                            }
-                        },
-                    },
-                )
-                try:
-                    data = resp.json()
-                except Exception:
-                    print(f"Error: invalid JSON response (status {resp.status_code})", file=sys.stderr)
-                    sys.exit(1)
-                if "result" in data:
-                    parts = data["result"].get("parts", [])
-                    text = parts[0].get("text", "") if parts else ""
-                    if text and text != "(no response generated)":
-                        print(text)
-                        return
-                    # Empty or no-response — might be rate limited, retry
-                    if attempt < max_retries - 1:
-                        delay = 5 * (2 ** attempt)
-                        print(f"(empty response, retrying in {delay}s...)", file=sys.stderr)
-                        await asyncio.sleep(delay)
-                        continue
-                    print(text or "(no response after retries)")
-                elif "error" in data:
-                    error_msg = data['error'].get('message', 'unknown')
-                    if ("rate" in error_msg.lower() or "overloaded" in error_msg.lower()) and attempt < max_retries - 1:
-                        delay = 5 * (2 ** attempt)
-                        print(f"(rate limited, retrying in {delay}s...)", file=sys.stderr)
-                        await asyncio.sleep(delay)
-                        continue
-                    print(f"Error: {error_msg}", file=sys.stderr)
-                    sys.exit(1)
-                return
-            except httpx.TimeoutException:
-                if attempt < max_retries - 1:
-                    delay = 5 * (2 ** attempt)
-                    print(f"(timeout, retrying in {delay}s...)", file=sys.stderr)
-                    await asyncio.sleep(delay)
-                    continue
-                print("Error: request timed out after retries", file=sys.stderr)
-                sys.exit(1)
-
-
-async def check_status(target_id: str, task_id: str):
-    """Check the status of an async task."""
-    peer = await discover(target_id)
-    if not peer:
-        print(f"Error: cannot reach workspace {target_id}", file=sys.stderr)
-        sys.exit(1)
-
-    target_url = peer.get("url", "")
-    async with httpx.AsyncClient(timeout=30.0) as client:
-        resp = await client.post(
-            target_url,
-            json={
-                "jsonrpc": "2.0",
-                "id": str(uuid.uuid4()),
-                "method": "tasks/get",
-                "params": {"id": task_id},
-            },
-        )
-        data = resp.json()
-        if "result" in data:
-            task = data["result"]
-            status = task.get("status", {}).get("state", "unknown")
-            print(f"Status: {status}")
-            if status == "completed":
-                artifacts = task.get("artifacts", [])
-                for a in artifacts:
-                    for p in a.get("parts", []):
-                        if p.get("text"):
-                            print(p["text"])
-        elif "error" in data:
-            print(f"Error: {data['error'].get('message', 'unknown')}")
-
-
-async def peers():
-    """List available peers."""
-    async with httpx.AsyncClient(timeout=10.0) as client:
-        resp = await client.get(f"{PLATFORM_URL}/registry/{WORKSPACE_ID}/peers")
-        if resp.status_code != 200:
-            print("Error: could not fetch peers", file=sys.stderr)
-            sys.exit(1)
-        for p in resp.json():
-            status = p.get("status", "?")
-            role = p.get("role", "")
-            print(f"{p['id']}  {p['name']:30s}  {status:10s}  {role}")
-
-
-async def info():
-    """Get this workspace's info."""
-    async with httpx.AsyncClient(timeout=10.0) as client:
-        resp = await client.get(f"{PLATFORM_URL}/workspaces/{WORKSPACE_ID}")
-        if resp.status_code == 200:
-            d = resp.json()
-            print(f"ID:     {d['id']}")
-            print(f"Name:   {d['name']}")
-            print(f"Role:   {d.get('role', '')}")
-            print(f"Tier:   {d['tier']}")
-            print(f"Status: {d['status']}")
-            print(f"Parent: {d.get('parent_id', '(root)')}")
-
-
-def main():
-    if len(sys.argv) < 2:
-        print("Usage: a2a <command> [args]")
-        print("Commands:")
-        print("  delegate <workspace_id> <task>        — Send task, wait for response")
-        print("  delegate --async <workspace_id> <task> — Send task, return immediately")
-        print("  status <workspace_id> <task_id>       — Check async task status")
-        print("  peers                                 — List available peers")
-        print("  info                                  — Show workspace info")
-        sys.exit(1)
-
-    cmd = sys.argv[1]
-
-    if cmd == "delegate":
-        async_mode = "--async" in sys.argv
-        args = [a for a in sys.argv[2:] if a != "--async"]
-        if len(args) < 2:
-            print("Usage: a2a delegate [--async] <workspace_id> <task>", file=sys.stderr)
-            sys.exit(1)
-        asyncio.run(delegate(args[0], " ".join(args[1:]), async_mode))
-    elif cmd == "status":
-        if len(sys.argv) < 4:
-            print("Usage: a2a status <workspace_id> <task_id>", file=sys.stderr)
-            sys.exit(1)
-        asyncio.run(check_status(sys.argv[2], sys.argv[3]))
-    elif cmd == "peers":
-        asyncio.run(peers())
-    elif cmd == "info":
-        asyncio.run(info())
-    else:
-        print(f"Unknown command: {cmd}", file=sys.stderr)
-        sys.exit(1)
-
-
-if __name__ == "__main__":  # pragma: no cover
-    main()
@@ -1,803 +0,0 @@
-"""A2A protocol client — peer discovery, messaging, and workspace info.
-
-Shared constants (WORKSPACE_ID, PLATFORM_URL) live here so that
-a2a_tools and a2a_mcp_server can import them from a single place.
-"""
-
-import asyncio
-import logging
-import os
-import random
-import re
-import threading
-import time
-import uuid
-from collections import OrderedDict
-from concurrent.futures import ThreadPoolExecutor
-
-import httpx
-
-import a2a_response
-from platform_auth import auth_headers, self_source_headers
-
-logger = logging.getLogger(__name__)
-
-_WORKSPACE_ID_raw = os.environ.get("WORKSPACE_ID")
-if not _WORKSPACE_ID_raw:
-    raise RuntimeError("WORKSPACE_ID environment variable is required but not set")
-WORKSPACE_ID = _WORKSPACE_ID_raw
-# Platform URL: always host.docker.internal inside containers. The platform API
-# is only reachable via the Docker network mesh from inside a workspace
-# container regardless of the runtime environment (Docker/host).
-PLATFORM_URL = os.environ.get("PLATFORM_URL", "http://host.docker.internal:8080")
-
-# Cache workspace ID → name mappings (populated by list_peers calls)
-_peer_names: dict[str, str] = {}
-
-# Cache: peer workspace_id → the source workspace_id whose registry
-# returned that peer. Populated by ``a2a_tools.tool_list_peers`` whenever
-# it queries a specific workspace's peers — so a later
-# ``tool_delegate_task(target)`` can auto-route through the correct
-# source workspace without the agent having to specify
-# ``source_workspace_id`` explicitly.
-#
-# Single-workspace mode: dict stays empty, all delegations fall through
-# to the module-level WORKSPACE_ID (existing behavior).
-#
-# Multi-workspace mode: as the agent calls list_peers, this map is
-# populated with each peer's source. Subsequent delegate_task calls
-# auto-route. If a peer is registered under multiple sources (rare —
-# e.g. an org-wide capability) the LAST observed source wins; the agent
-# can override by passing ``source_workspace_id`` explicitly.
-_peer_to_source: dict[str, str] = {}
-
-# Cache workspace ID → full peer record (id, name, role, status, url, ...).
-# Populated by tool_list_peers and by the lazy registry lookup in
-# enrich_peer_metadata. The notification-callback path (channel envelope
-# enrichment) reads this cache on every inbound peer_agent push, so the
-# read shape stays a dict-like ``__getitem__`` lookup; entries carry
-# their fetched-at timestamp so TTL eviction is in-line with the
-# lookup. ``None`` as the record is the negative-cache sentinel:
-# registry failure is cached for one TTL window so we don't re-fire
-# the 2s-bounded GET on every push from a flaky peer.
-#
-# OrderedDict + maxsize bound (#2482): pre-fix this was an unbounded
-# ``dict``, so a workspace receiving from N distinct peers across its
-# lifetime accumulated ~100 bytes/entry × N indefinitely. At 10K peers
-# that's ~1 MB; at 100K (a chatty platform-wide router) ~10 MB; not
-# crash-class but unbounded. The LRU bound caps memory + the TTL caps
-# per-entry staleness — both gates are needed because a runaway poller
-# touching N new peer_ids per push could grow within a single TTL
-# window.
-#
-# All reads / writes go through ``_peer_metadata_get`` /
-# ``_peer_metadata_set`` so the LRU move-to-end + size-trim invariants
-# stay co-located. Direct mutation is allowed only in test fixtures
-# (clearing for isolation); production code path uses the helpers.
-_PEER_METADATA_MAXSIZE = 1024
-_peer_metadata: "OrderedDict[str, tuple[float, dict | None]]" = OrderedDict()
-_peer_metadata_lock = threading.Lock()
-
-# How long an entry in ``_peer_metadata`` is treated as fresh. 5 minutes
-# is the same window we use for delegation routing — long enough that a
-# busy agent receiving repeated pushes from one peer doesn't hit the
-# registry on every push, short enough that role/name renames propagate
-# within a single agent session.
-_PEER_METADATA_TTL_SECONDS = 300.0
-
-
-def _peer_metadata_get(canon: str) -> tuple[float, dict | None] | None:
-    """Read with LRU touch — moves the entry to the most-recently-used
-    position so steady-state pushes from a busy peer don't get evicted
-    by a cold-start burst from new peers. Returns the raw tuple shape
-    callers expect; TTL eviction stays at the call site.
-    """
-    with _peer_metadata_lock:
-        entry = _peer_metadata.get(canon)
-        if entry is not None:
-            _peer_metadata.move_to_end(canon)
-        return entry
-
-
-def _peer_metadata_set(canon: str, value: tuple[float, dict | None]) -> None:
-    """Write + evict-if-over-maxsize. The eviction is in-process and
-    cheap (popitem(last=False) on an OrderedDict is O(1)). Holding the
-    lock across the trim keeps the size invariant stable under concurrent
-    writes from background enrichment workers.
-    """
-    with _peer_metadata_lock:
-        _peer_metadata[canon] = value
-        _peer_metadata.move_to_end(canon)
-        # Trim the oldest entries until at-or-below maxsize. The bound
-        # is a soft cap — a single overrun (set called when at maxsize)
-        # evicts the LRU entry before returning, never letting size
-        # exceed maxsize.
-        while len(_peer_metadata) > _PEER_METADATA_MAXSIZE:
-            _peer_metadata.popitem(last=False)
-
-
-# Background-fetch executor for enrich_peer_metadata_nonblocking (#2484).
-# A small pool — peers are highly TTL-cached, so the steady-state load
-# is "one fetch per peer per 5 minutes." Two workers handle the cold-
-# start burst when an agent starts receiving pushes from a new peer for
-# the first time without backing up the inbox poller. Daemon threads:
-# the executor must NOT block process exit if the inbox shuts down.
-_enrich_executor: ThreadPoolExecutor | None = None
-_enrich_executor_lock = threading.Lock()
-
-# In-flight peer IDs — guards against a single peer's repeated pushes
-# scheduling N concurrent registry fetches before the first one fills
-# the cache. Set membership is "a worker is currently fetching this
-# peer; subsequent calls should NOT schedule another."
-_enrich_in_flight: set[str] = set()
-_enrich_in_flight_lock = threading.Lock()
-
-
-def _get_enrich_executor() -> ThreadPoolExecutor:
-    """Lazy-init the enrichment worker pool. Lazy because most test
-    fixtures and short-lived CLI invocations don't need it; only the
-    long-running molecule-mcp / inbox-poller path actually schedules
-    background fetches.
-    """
-    global _enrich_executor
-    if _enrich_executor is not None:
-        return _enrich_executor
-    with _enrich_executor_lock:
-        if _enrich_executor is None:
-            _enrich_executor = ThreadPoolExecutor(
-                max_workers=2,
-                thread_name_prefix="enrich-peer",
-            )
-    return _enrich_executor
-
-
-def enrich_peer_metadata_nonblocking(
-    peer_id: str,
-    source_workspace_id: str | None = None,
-) -> dict | None:
-    """Cache-first variant of ``enrich_peer_metadata`` — returns
-    immediately without blocking on a registry GET.
-
-    Behavior:
-      - Cache hit (fresh): return the cached record.
-      - Cache miss or TTL expired: schedule a background fetch via the
-        worker pool, return ``None`` (caller renders bare peer_id).
-        The next push for this peer hits the warm cache and gets the
-        full record.
-
-    Why this exists (#2484): the inbox poller's notification callback
-    in molecule-mcp called the synchronous ``enrich_peer_metadata`` on
-    every push, blocking the poller for up to 2s × N uncached peers
-    per batch. Push-delivery latency was gated on registry latency —
-    the exact thing the negative-cache patch in PR #2471 was supposed
-    to avoid amplifying. Moving the fetch off the poller thread means
-    push delivery is bounded by the inbox poll interval, never by
-    registry RTT.
-
-    Trade-off: the FIRST push from a new peer arrives metadata-light
-    (no name/role). The MCP host renders the bare peer_id. Subsequent
-    pushes (within the 5-min TTL) hit the warm cache and get the full
-    record. Acceptable because:
-      - Channel-envelope enrichment is a UX nicety, not a correctness
-        invariant.
-      - The cold-cache window per peer is bounded to one push.
-      - The TTL is long enough that an active conversation never
-        re-enters the cold state.
-    """
-    canon = _validate_peer_id(peer_id)
-    if canon is None:
-        return None
-    # Cache hit (fresh): return without blocking on a registry GET.
-    # This is the hot path for active peer conversations — avoids
-    # spawning a background thread for every push from a known peer.
-    current = time.monotonic()
-    cached = _peer_metadata_get(canon)
-    if cached is not None:
-        fetched_at, record = cached
-        if current - fetched_at < _PEER_METADATA_TTL_SECONDS:
-            return record
-    # Cache miss or TTL expired: schedule background fetch unless one is
-    # already in flight for this peer. The in-flight set keeps a flurry
-    # of pushes from one peer (e.g., a chatty agent) from spawning N
-    # parallel GETs.
-    with _enrich_in_flight_lock:
-        if canon in _enrich_in_flight:
-            return None
-        _enrich_in_flight.add(canon)
-    try:
-        _get_enrich_executor().submit(
-            _enrich_peer_metadata_worker, canon, source_workspace_id
-        )
-    except RuntimeError:
-        # Executor was shut down (process exit path) — drop the request,
-        # let the caller render bare peer_id.
-        with _enrich_in_flight_lock:
-            _enrich_in_flight.discard(canon)
-    return None
-
-
-def _enrich_peer_metadata_worker(
-    canon: str, source_workspace_id: str | None
-) -> None:
-    """Background-thread body for ``enrich_peer_metadata_nonblocking``.
-    Runs the same fetch logic as the synchronous helper but discards
-    the return value — the cache write is the only output anyone
-    needs. Always clears the in-flight marker so a future cache miss
-    can retry.
-    """
-    try:
-        enrich_peer_metadata(canon, source_workspace_id)
-    except Exception as exc:  # noqa: BLE001
-        # Background workers must not crash the executor — log and
-        # move on. The negative-cache path inside enrich_peer_metadata
-        # already records failures, so a re-attempt is rate-limited
-        # by TTL.
-        logger.debug("_enrich_peer_metadata_worker: %s failed: %s", canon, exc)
-    finally:
-        with _enrich_in_flight_lock:
-            _enrich_in_flight.discard(canon)
-
-
-def _wait_for_enrichment_inflight_for_testing(timeout: float = 2.0) -> None:
-    """Block until all in-flight enrichment workers have completed.
-
-    Test-only helper. Production code never has a reason to wait — the
-    point of the nonblocking path is that callers don't care when the
-    cache fills. Tests that want to assert "after the worker runs, the
-    cache has the record" use this to synchronise without sleeping.
-
-    Polls ``_enrich_in_flight`` rather than holding a Condition because
-    the worker pool is already serializing through ``_enrich_in_flight_lock``;
-    poll keeps the production hot path lock-free.
-    """
-    deadline = time.monotonic() + timeout
-    while time.monotonic() < deadline:
-        with _enrich_in_flight_lock:
-            if not _enrich_in_flight:
-                return
-        time.sleep(0.01)
-
-
-def _peer_in_flight_clear_for_testing() -> None:
-    """Clear the in-flight enrichment set. Test-only helper."""
-    with _enrich_in_flight_lock:
-        _enrich_in_flight.clear()
-
-
-def enrich_peer_metadata(
-    peer_id: str,
-    source_workspace_id: str | None = None,
-    *,
-    now: float | None = None,
-) -> dict | None:
-    """Return cached or freshly-fetched metadata for ``peer_id``.
-
-    Sync helper — safe to call from the inbox poller's notification
-    callback thread (which is not async). Hits the in-process cache
-    first; on miss or TTL expiry, GETs ``/registry/discover/<peer_id>``
-    synchronously with a tight timeout. Returns None on validation
-    failure, network failure, or non-200 response so callers can
-    degrade gracefully (the channel envelope falls back to the raw
-    ``peer_id`` instead of crashing the push path).
-
-    Negative caching: failure outcomes (4xx/5xx/non-JSON/network
-    exception) are stored as ``(now, None)`` and treated as
-    fresh-but-empty for the TTL window. Without this, a peer with a
-    flaky/missing registry record would re-fire the 2s-bounded GET on
-    EVERY push — turning the cache into a no-op for the exact failure
-    scenarios it most needs to defend against.
-
-    The fetched dict is stored as-is, so callers can read whatever
-    fields the platform exposes (currently: ``id``, ``name``, ``role``,
-    ``status``, ``url``). New fields surface automatically without a
-    code change here.
-    """
-    canon = _validate_peer_id(peer_id)
-    if canon is None:
-        return None
-
-    current = now if now is not None else time.monotonic()
-    cached = _peer_metadata_get(canon)
-    if cached is not None:
-        fetched_at, record = cached
-        if current - fetched_at < _PEER_METADATA_TTL_SECONDS:
-            # Fresh entry — return whatever's there. ``None`` is the
-            # negative-cache sentinel: caller treats absence of fields
-            # the same as a registry miss, which is the desired UX.
-            return record
-
-    src = (source_workspace_id or "").strip() or WORKSPACE_ID
-    url = f"{PLATFORM_URL}/registry/discover/{canon}"
-    try:
-        with httpx.Client(timeout=2.0) as client:
-            resp = client.get(url, headers={"X-Workspace-ID": src, **auth_headers(src)})
-    except Exception as exc:  # noqa: BLE001
-        logger.debug("enrich_peer_metadata: GET %s failed: %s", url, exc)
-        _peer_metadata_set(canon, (current, None))
-        return None
-
-    if resp.status_code != 200:
-        logger.debug(
-            "enrich_peer_metadata: %s returned HTTP %d", url, resp.status_code
-        )
-        _peer_metadata_set(canon, (current, None))
-        return None
-
-    try:
-        data = resp.json()
-    except Exception:  # noqa: BLE001
-        _peer_metadata_set(canon, (current, None))
-        return None
-    if not isinstance(data, dict):
-        _peer_metadata_set(canon, (current, None))
-        return None
-
-    _peer_metadata_set(canon, (current, data))
-    if name := data.get("name"):
-        _peer_names[canon] = name
-    return data
-
-
-def _agent_card_url_for(peer_id: str) -> str:
-    """Construct the platform-side agent-card URL for ``peer_id``.
-
-    Returns the empty string when ``peer_id`` is not a UUID — same
-    trust-boundary rationale as ``discover_peer``: never interpolate
-    path-traversal characters into a URL. An invalid id reflected back
-    to the receiving agent as ``…/registry/discover/../../foo`` is a
-    foothold we close at construction time.
-
-    Uses the registry's discovery path so the agent receiving a push
-    can hit a single endpoint to enumerate the sender's capabilities
-    + role + URL. Same shape every workspace exposes regardless of
-    runtime — claude-code, hermes, langchain wrappers all register
-    through ``/registry/register`` and surface through ``/registry/discover``.
-    """
-    safe_id = _validate_peer_id(peer_id)
-    if safe_id is None:
-        return ""
-    return f"{PLATFORM_URL}/registry/discover/{safe_id}"
-
-# Sentinel prefix for errors originating from send_a2a_message / child agents.
-# Used by delegate_task to distinguish real errors from normal response text.
-_A2A_ERROR_PREFIX = "[A2A_ERROR] "
-
-# Sentinel prefix for queued-for-poll-mode-peer outcomes (#2967).
-# When the target workspace is registered as delivery_mode=poll (no
-# public URL — typical for external molecule-mcp standalone runtimes),
-# the platform's a2a_proxy.go:402 short-circuit returns a synthetic
-# {"status":"queued","delivery_mode":"poll","method":"..."} envelope
-# instead of dispatching over HTTP. The message IS delivered (written
-# to the platform's inbox queue); there's just no synchronous reply
-# to relay. Pre-#2967 the client treated this as "unexpected response
-# shape" → caller saw DELEGATION FAILED → retried → recipient saw
-# duplicates. The Queued prefix lets callers branch on this outcome
-# explicitly: "delivered async, no synchronous reply expected" is
-# different from both success-with-text and failure.
-_A2A_QUEUED_PREFIX = "[A2A_QUEUED] "
-
-# Workspace IDs are UUIDs everywhere we generate them (platform's
-# workspaces.id column, /registry/discover/:id route param, etc.) but
-# the agent-facing tool surface receives them as free-form strings via
-# tool args. ``_validate_peer_id`` enforces UUID-shape at the
-# trust boundary so we never interpolate `..` or `/` into a URL path,
-# never silently coerce malformed input into a 404, and surface a
-# clear error to the agent rather than letting an HTTP 4xx bubble up
-# from the platform with a generic error message.
-#
-# Lenient on case + whitespace because real-world peer-id strings
-# come from list_peers/discover_peer responses (canonical lowercase)
-# or hand-typed agent input (mixed-case acceptable). Strict on
-# everything else.
-_UUID_RE = re.compile(
-    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
-)
-
-
-def _validate_peer_id(peer_id: str) -> str | None:
-    """Return the canonicalised peer_id if valid, else None.
-
-    Returning None instead of raising so callers in tool surfaces can
-    convert to a friendly agent-facing string ("workspace_id is not a
-    valid UUID") rather than crashing with a stack trace.
-    """
-    if not isinstance(peer_id, str):
-        return None
-    pid = peer_id.strip()
-    if not _UUID_RE.match(pid):
-        return None
-    return pid.lower()
-
-
-async def discover_peer(target_id: str, source_workspace_id: str | None = None) -> dict | None:
-    """Discover a peer workspace's URL via the platform registry.
-
-    Validates ``target_id`` is a UUID before constructing the URL — a
-    malformed id can't reach the platform handler now, which both
-    short-circuits an avoidable round-trip AND ensures we never
-    interpolate path-traversal characters into the URL.
-
-    ``source_workspace_id`` selects which registered workspace asks the
-    question — both the X-Workspace-ID header AND the Authorization
-    bearer token must come from the same workspace, otherwise the
-    platform's TenantGuard rejects the request. Defaults to the
-    module-level WORKSPACE_ID for back-compat with single-workspace
-    callers.
-    """
-    safe_id = _validate_peer_id(target_id)
-    if safe_id is None:
-        return None
-    src = (source_workspace_id or "").strip() or WORKSPACE_ID
-    async with httpx.AsyncClient(timeout=10.0) as client:
-        try:
-            resp = await client.get(
-                f"{PLATFORM_URL}/registry/discover/{safe_id}",
-                headers={"X-Workspace-ID": src, **auth_headers(src)},
-            )
-            if resp.status_code == 200:
-                return resp.json()
-            return None
-        except Exception as e:
-            logger.error(f"Discovery failed for {target_id}: {e}")
-            return None
-
-
-# httpx exception classes that indicate a transient transport-layer
-# failure worth retrying — the request never produced an application
-# response, so a fresh attempt has a real chance of succeeding. Any
-# error not in this tuple is treated as deterministic (HTTP-status,
-# JSON parse, runtime-returned JSON-RPC error, etc.) and surfaced to
-# the caller on the first try.
-#
-# Why each one belongs here:
-#   - ConnectError / ConnectTimeout: peer's listening socket wasn't
-#     ready (mid-restart, not yet bound). Fast failure, fast recovery.
-#   - RemoteProtocolError: peer closed the TCP connection without
-#     writing a response — observed on 2026-04-27 when a peer's prior
-#     in-flight Claude SDK session aborted and the new request's
-#     connection was reset mid-handler.
-#   - ReadError / WriteError: TCP read/write socket error mid-flight,
-#     typically a network blip on the Docker bridge or a peer worker
-#     crash.
-#   - ReadTimeout: peer didn't write ANY response bytes within the
-#     300s read budget. Distinct from "peer is slow but progressing"
-#     (which httpx surfaces as a successful read with chunked bytes).
-#     Retry budget caps the worst case — see _DELEGATE_TOTAL_BUDGET_S.
-_TRANSIENT_HTTP_ERRORS: tuple[type[Exception], ...] = (
-    httpx.ConnectError,
-    httpx.ConnectTimeout,
-    httpx.ReadError,
-    httpx.WriteError,
-    httpx.RemoteProtocolError,
-    httpx.ReadTimeout,
-)
-
-# Retry budget. Up to 5 attempts (1 initial + 4 retries) with
-# exponential backoff (1, 2, 4, 8 seconds), each backoff jittered ±25%
-# to prevent synchronized retry storms across siblings if a peer flaps.
-# _DELEGATE_TOTAL_BUDGET_S caps cumulative wall-clock so a string of
-# ReadTimeouts can't make the caller wait 25 minutes — once the
-# deadline elapses we stop retrying even if attempts remain. 600s = 10
-# minutes is the agreed worst case the caller can tolerate before
-# falling back to "peer unavailable" handling in tool_delegate_task.
-_DELEGATE_MAX_ATTEMPTS = 5
-_DELEGATE_BACKOFF_BASE_S = 1.0
-_DELEGATE_BACKOFF_CAP_S = 16.0
-_DELEGATE_TOTAL_BUDGET_S = 600.0
-
-
-def _delegate_backoff_seconds(attempt_zero_indexed: int) -> float:
-    """Return the (jittered) backoff delay before retrying after the
-    given attempt index (0 = backoff before retry #1).
-
-    Pure function so the schedule is unit-testable without monkey-
-    patching asyncio.sleep. Jitter is symmetric ±25% on top of the
-    capped exponential — enough to break sync across simultaneous
-    callers without making the schedule unpredictable.
-    """
-    base = min(_DELEGATE_BACKOFF_BASE_S * (2 ** attempt_zero_indexed), _DELEGATE_BACKOFF_CAP_S)
-    jitter = base * (0.5 * random.random() - 0.25)
-    return max(0.0, base + jitter)
-
-
-def _format_a2a_error(exc: BaseException, target_url: str) -> str:
-    """Format an httpx exception as an [A2A_ERROR] string.
-
-    Some httpx exceptions stringify to empty (RemoteProtocolError,
-    ConnectionReset variants) — the canvas would then render
-    "[A2A_ERROR] " with no detail and the operator has no signal to
-    act on. Always include the exception class name and the target
-    URL so the activity log + Agent Comms panel have actionable
-    information without a trip through container logs.
-    """
-    msg = str(exc).strip()
-    type_name = type(exc).__name__
-    if not msg:
-        detail = f"{type_name} (no message — likely connection reset or silent timeout)"
-    elif msg.startswith(f"{type_name}:") or msg.startswith(f"{type_name} "):
-        # Already prefixed with the type — don't double-prefix.
-        # Prefix-anchored check (not substring) so a message that
-        # happens to mention some OTHER class name mid-string
-        # (e.g. "got OSError on read") doesn't suppress our own
-        # type prefix and lose the diagnostic signal.
-        detail = msg
-    else:
-        detail = f"{type_name}: {msg}"
-    return f"{_A2A_ERROR_PREFIX}{detail} [target={target_url}]"
-
-
-async def send_a2a_message(peer_id: str, message: str, source_workspace_id: str | None = None) -> str:
-    """Send an A2A ``message/send`` to a peer workspace via the platform proxy.
-
-    The target URL is constructed internally as
-    ``${PLATFORM_URL}/workspaces/{peer_id}/a2a``. Going through the
-    platform's A2A proxy is the only path that works for both
-    in-container and external runtimes — see
-    a2a_tools.tool_delegate_task for the rationale.
-
-    ``source_workspace_id`` is the SENDING workspace — drives both the
-    X-Workspace-ID source-tagging header and the bearer token. Defaults
-    to the module-level WORKSPACE_ID for back-compat. Multi-workspace
-    operators pass it explicitly so each registered workspace's peers
-    are reached via their own auth chain.
-
-    Auto-retries up to _DELEGATE_MAX_ATTEMPTS times on transient
-    transport-layer errors (RemoteProtocolError, ConnectError,
-    ReadTimeout, etc.) with exponential-backoff + jitter, capped by
-    _DELEGATE_TOTAL_BUDGET_S. Application-level failures (HTTP 4xx,
-    JSON-RPC error response, malformed JSON) are NOT retried — they
-    indicate a deterministic problem retry won't fix.
-    """
-    safe_id = _validate_peer_id(peer_id)
-    if safe_id is None:
-        return f"{_A2A_ERROR_PREFIX}invalid peer_id (expected UUID): {peer_id!r}"
-    src = (source_workspace_id or "").strip() or WORKSPACE_ID
-    target_url = f"{PLATFORM_URL}/workspaces/{safe_id}/a2a"
-
-    # Fix F (Cycle 5 / H2 — flagged 5 consecutive audits): timeout=None allowed
-    # a hung upstream to block the agent indefinitely. Use a generous but bounded
-    # timeout: 30s connect + 300s read (long enough for slow LLM responses).
-    timeout_cfg = httpx.Timeout(connect=30.0, read=300.0, write=30.0, pool=30.0)
-    deadline = time.monotonic() + _DELEGATE_TOTAL_BUDGET_S
-    last_exc: BaseException | None = None
-
-    for attempt in range(_DELEGATE_MAX_ATTEMPTS):
-        async with httpx.AsyncClient(timeout=timeout_cfg) as client:
-            try:
-                # self_source_headers() includes X-Workspace-ID so the
-                # platform's a2a_receive logger records source_id =
-                # WORKSPACE_ID. Otherwise peer-A2A messages — including
-                # the case where target_url resolves to this workspace's
-                # own /a2a — get logged with source_id=NULL and surface
-                # in the recipient's My Chat tab as user-typed input.
-                resp = await client.post(
-                    target_url,
-                    headers=self_source_headers(src),
-                    json={
-                        "jsonrpc": "2.0",
-                        "id": str(uuid.uuid4()),
-                        "method": "message/send",
-                        "params": {
-                            "message": {
-                                "role": "user",
-                                "messageId": str(uuid.uuid4()),
-                                "parts": [{"kind": "text", "text": message}],
-                            }
-                        },
-                    },
-                )
-                data = resp.json()
-                # Dispatch via the SSOT response model (a2a_response.py).
-                # All shape detection lives in one place — the parser
-                # never raises and routes unknown shapes to Malformed
-                # so a future server-side change is loud, not silent.
-                variant = a2a_response.parse(data)
-                if isinstance(variant, a2a_response.Result):
-                    # Match legacy semantics:
-                    #   parts non-empty + first part has no text → ""
-                    #   parts empty                              → "(no response)"
-                    # Differentiation matters for callers that assert
-                    # on the empty-string case (test_a2a_client).
-                    if variant.parts:
-                        text = variant.text
-                    else:
-                        text = "(no response)"
-                    # Tag child-reported errors so the caller can
-                    # detect them reliably — agent-side bug surfaces
-                    # text like "Agent error: <traceback>" inside a
-                    # JSON-RPC success envelope.
-                    if text.startswith("Agent error:"):
-                        return f"{_A2A_ERROR_PREFIX}{text}"
-                    return text
-                if isinstance(variant, a2a_response.Queued):
-                    # Poll-mode peer — message accepted into the inbox
-                    # queue, target agent will fetch via poll. NOT a
-                    # failure. Return the queued sentinel so callers
-                    # (delegate_task etc.) can render the outcome
-                    # accurately instead of treating it as an error.
-                    logger.info(
-                        "send_a2a_message: queued for poll-mode peer (target=%s method=%s)",
-                        target_url,
-                        variant.method,
-                    )
-                    return f"{_A2A_QUEUED_PREFIX}target={safe_id} method={variant.method}"
-                if isinstance(variant, a2a_response.Error):
-                    msg = variant.message
-                    code = variant.code
-                    if msg and code is not None:
-                        detail = f"{msg} (code={code})"
-                    elif msg:
-                        detail = msg
-                    elif code is not None:
-                        detail = f"JSON-RPC error with no message (code={code})"
-                    else:
-                        detail = "JSON-RPC error with no message"
-                    if variant.restarting:
-                        # Surface platform-restart-in-progress
-                        # explicitly — caller (UI / delegating agent)
-                        # can render a softer "agent is restarting"
-                        # message rather than a generic failure.
-                        retry = (
-                            f", retry_after={variant.retry_after}s"
-                            if variant.retry_after is not None
-                            else ""
-                        )
-                        detail = f"{detail} (restarting{retry})"
-                    return f"{_A2A_ERROR_PREFIX}{detail} [target={target_url}]"
-                # Malformed — log loud + surface as error so the
-                # operator notices a server change. SSOT refactor
-                # subsumes the inline "queued" check that landed in
-                # the #2972 hotfix; that branch is now the typed
-                # Queued variant above.
-                logger.warning(
-                    "send_a2a_message: malformed response (target=%s body=%.200s)",
-                    target_url,
-                    str(variant.raw),
-                )
-                return (
-                    f"{_A2A_ERROR_PREFIX}unexpected response shape "
-                    f"(no result, error, or queued envelope): "
-                    f"{str(variant.raw)[:200]} [target={target_url}]"
-                )
-            except _TRANSIENT_HTTP_ERRORS as e:
-                last_exc = e
-                attempts_remaining = _DELEGATE_MAX_ATTEMPTS - (attempt + 1)
-                if attempts_remaining <= 0 or time.monotonic() >= deadline:
-                    # Out of attempts OR out of total budget — surface
-                    # the last error to the caller.
-                    break
-                delay = _delegate_backoff_seconds(attempt)
-                # Don't sleep past the deadline — clamp.
-                remaining = deadline - time.monotonic()
-                if delay > remaining:
-                    delay = max(0.0, remaining)
-                logger.warning(
-                    "send_a2a_message: transient %s on attempt %d/%d, retrying in %.1fs (target=%s)",
-                    type(e).__name__,
-                    attempt + 1,
-                    _DELEGATE_MAX_ATTEMPTS,
-                    delay,
-                    target_url,
-                )
-                await asyncio.sleep(delay)
-                continue
-            except Exception as e:
-                # Non-transient (HTTP-status, JSON parse, etc.) — don't retry.
-                return _format_a2a_error(e, target_url)
-    # Retries exhausted (or budget elapsed). last_exc must be set
-    # because we only break out of the loop after assigning it.
-    assert last_exc is not None  # noqa: S101
-    return _format_a2a_error(last_exc, target_url)
-
-
-async def get_peers_with_diagnostic(source_workspace_id: str | None = None) -> tuple[list[dict], str | None]:
-    """Get this workspace's peers, returning (peers, diagnostic).
-
-    diagnostic is None when the call succeeded (status 200, even if the list
-    is empty). When peers is [] for a non-trivial reason (auth failure,
-    workspace-id missing from registry, platform error, network error),
-    diagnostic is a short human-readable string explaining what went wrong
-    so callers can surface it instead of "may be isolated" — see #2397.
-
-    ``source_workspace_id`` selects which registered workspace's peers to
-    enumerate; defaults to the module-level WORKSPACE_ID for
-    single-workspace back-compat. Multi-workspace operators iterate over
-    each registered workspace separately so each set of peers is fetched
-    with the correct auth.
-
-    The legacy get_peers() shim below preserves the bare-list contract for
-    non-tool callers.
-    """
-    src = (source_workspace_id or "").strip() or WORKSPACE_ID
-    url = f"{PLATFORM_URL}/registry/{src}/peers"
-    async with httpx.AsyncClient(timeout=10.0) as client:
-        try:
-            resp = await client.get(
-                url,
-                headers={"X-Workspace-ID": src, **auth_headers(src)},
-            )
-        except Exception as e:
-            return [], f"Cannot reach platform at {PLATFORM_URL}: {e}"
-
-        if resp.status_code == 200:
-            try:
-                data = resp.json()
-            except Exception as e:
-                return [], f"Platform returned 200 but body was not JSON: {e}"
-            if not isinstance(data, list):
-                return [], f"Platform returned 200 but body was not a list: {type(data).__name__}"
-            return data, None
-
-        if resp.status_code in (401, 403):
-            return [], (
-                f"Authentication to platform failed (HTTP {resp.status_code}). "
-                "The workspace bearer token may be invalid — restarting the workspace usually re-mints it."
-            )
-        if resp.status_code == 404:
-            return [], (
-                f"Workspace ID {WORKSPACE_ID} is not registered with the platform (HTTP 404). "
-                "Re-registration via the platform's /registry/register endpoint is needed."
-            )
-        if 500 <= resp.status_code < 600:
-            return [], f"Platform error: HTTP {resp.status_code}."
-        return [], f"Unexpected platform response: HTTP {resp.status_code}."
-
-
-async def get_peers() -> list[dict]:
-    """Get this workspace's peers from the platform registry.
-
-    Bare-list shim over get_peers_with_diagnostic() — discards the diagnostic
-    so callers that don't care about the failure reason (e.g. system-prompt
-    bootstrap formatters) get the same shape they always had.
-    """
-    peers, _ = await get_peers_with_diagnostic()
-    return peers
-
-
-async def get_workspace_info(source_workspace_id: str | None = None) -> dict:
-    """Get this workspace's info from the platform.
-
-    ``source_workspace_id`` selects which registered workspace to
-    introspect when the agent is registered into multiple workspaces
-    (multi-workspace mode). Unset → defaults to the module-level
-    WORKSPACE_ID — single-workspace operators see no behaviour change.
-
-    Distinguishes three failure shapes so callers can handle them
-    distinctly (#2429):
-      - 410 Gone        → workspace was deleted; re-onboard required
-      - 404 / other     → workspace never existed (or transient)
-      - exception       → network / auth failure
-    """
-    src = source_workspace_id or WORKSPACE_ID
-    async with httpx.AsyncClient(timeout=10.0) as client:
-        try:
-            resp = await client.get(
-                f"{PLATFORM_URL}/workspaces/{src}",
-                headers=auth_headers(src),
-            )
-            if resp.status_code == 200:
-                return resp.json()
-            if resp.status_code == 410:
-                # #2429: platform returns 410 when status='removed'.
-                # Surface "removed" + the actionable hint so callers
-                # can prompt re-onboard instead of falling through to
-                # "not found" — which made the 2026-04-30 incident
-                # impossible to diagnose ("workspace not found" with
-                # a workspace_id we KNEW we'd just registered).
-                try:
-                    body = resp.json()
-                except Exception:
-                    body = {}
-                return {
-                    "error": "removed",
-                    "id": body.get("id", src),
-                    "removed_at": body.get("removed_at"),
-                    "hint": body.get(
-                        "hint",
-                        "Workspace was deleted on the platform. "
-                        "Regenerate workspace + token from the canvas → Tokens tab.",
-                    ),
-                }
-            return {"error": "not found"}
-        except Exception as e:
-            return {"error": str(e)}
@@ -1,567 +0,0 @@
-"""Bridge between LangGraph agent and A2A protocol, with SSE streaming support.
-
-SSE streaming architecture
--------------------------
-The A2A SDK (``DefaultRequestHandler`` + ``EventQueue``) owns the SSE transport
-layer.  This executor's job is to push the right event types into the queue as
-work progresses:
-
-  1. ``TaskStatusUpdateEvent(state=working)``       — immediately signals start
-  2. ``TaskArtifactUpdateEvent(chunk, append=…)``   — one per LLM text token
-  3. ``Message(final_text)``                        — terminal event
-
-Client compatibility
--------------------
-*Non-streaming* (``message/send``):
-    ``ResultAggregator.consume_all()`` processes status/artifact events
-    (updating the task in the store) and returns the final ``Message``
-    immediately — backward-compatible with ``a2a_client.py`` which reads
-    ``data["result"]["parts"][0]["text"]``.
-
-*Streaming* (``message/stream``):
-    ``consume_and_emit()`` yields every event above as SSE, letting the client
-    render tokens in real time.
-
-LangGraph integration
---------------------
-Uses ``agent.astream_events(version="v2")`` to receive ``on_chat_model_stream``
-events with ``AIMessageChunk`` payloads.  Text is extracted from both plain
-strings (OpenAI / Groq) and Anthropic-style content-block lists.  Non-text
-content (tool_use, etc.) is silently skipped.  A fresh ``artifact_id`` is
-generated for each new LLM ``run_id`` so tool-call cycles are grouped cleanly.
-"""
-
-import functools
-import logging
-import os
-import uuid
-
-from a2a.server.agent_execution import AgentExecutor, RequestContext
-from a2a.server.events import EventQueue
-from a2a.server.tasks import TaskUpdater
-from a2a.types import Part
-# KI-009: a2a-sdk v1 renames a2a.utils → a2a.helpers; TextPart removed (Part takes text= directly)
-from a2a.helpers import new_text_message
-from shared_runtime import (
-    extract_history as _extract_history,
-    extract_message_text,
-    brief_task,
-    set_current_task,
-)
-from executor_helpers import (
-    collect_outbound_files,
-    extract_attached_files,
-    read_delegation_results,
-    sanitize_agent_error,
-)
-from builtin_tools.telemetry import (
-    A2A_TASK_ID,
-    GEN_AI_OPERATION_NAME,
-    GEN_AI_REQUEST_MODEL,
-    GEN_AI_SYSTEM,
-    WORKSPACE_ID_ATTR,
-    _incoming_trace_context,
-    gen_ai_system_from_model,
-    get_tracer,
-    record_llm_token_usage,
-)
-
-logger = logging.getLogger(__name__)
-
-_WORKSPACE_ID = os.environ.get("WORKSPACE_ID", "unknown")
-
-# LangGraph ReAct cycle budget per turn. Library default is 25; 500 covers
-# PM fan-outs (plan → 6 delegations → 6 awaits → 6 results → synthesize ≈
-# 30+ steps even before retries). Overridable via LANGGRAPH_RECURSION_LIMIT.
-DEFAULT_RECURSION_LIMIT = 500
-
-
-def _parse_recursion_limit() -> int:
-    """Read LANGGRAPH_RECURSION_LIMIT; fall back to DEFAULT_RECURSION_LIMIT
-    with a WARNING log on any unparseable or non-positive value."""
-    raw = os.environ.get("LANGGRAPH_RECURSION_LIMIT", "")
-    if not raw:
-        return DEFAULT_RECURSION_LIMIT
-    try:
-        n = int(raw)
-    except ValueError:
-        logger.warning(
-            "LANGGRAPH_RECURSION_LIMIT=%r is not an integer; using default %d",
-            raw, DEFAULT_RECURSION_LIMIT,
-        )
-        return DEFAULT_RECURSION_LIMIT
-    if n <= 0:
-        logger.warning(
-            "LANGGRAPH_RECURSION_LIMIT=%d is not positive; using default %d",
-            n, DEFAULT_RECURSION_LIMIT,
-        )
-        return DEFAULT_RECURSION_LIMIT
-    return n
-
-# ---------------------------------------------------------------------------
-# Compliance (OWASP Top 10 for Agentic Apps) — optional, lazy-loaded
-# ---------------------------------------------------------------------------
-
-try:
-    from builtin_tools.compliance import (
-        AgencyTracker,
-        ExcessiveAgencyError,
-        PromptInjectionError,
-        redact_pii as _redact_pii,
-        sanitize_input as _sanitize_input,
-    )
-    _COMPLIANCE_AVAILABLE = True
-except ImportError:  # pragma: no cover
-    _COMPLIANCE_AVAILABLE = False
-
-
-@functools.lru_cache(maxsize=1)
-def _get_compliance_cfg():
-    """Return ComplianceConfig or None (cached for process lifetime)."""
-    try:
-        from config import load_config
-        return load_config().compliance
-    except Exception:
-        return None
-
-
-def _extract_chunk_text(content) -> list[str]:
-    """Extract text strings from an LLM streaming chunk's content field.
-
-    Handles both provider content styles:
-    - OpenAI / Groq: ``content`` is a plain ``str`` (empty for tool-call chunks).
-    - Anthropic:     ``content`` is a list of typed blocks, e.g.
-        ``[{"type": "text", "text": "Hello"}, {"type": "tool_use", ...}]``
-
-    Only ``"text"`` blocks are returned; ``tool_use``, ``tool_result``, and
-    other non-text blocks are filtered out so raw tool JSON never appears in
-    the SSE stream.
-
-    Args:
-        content: ``chunk.content`` value from an ``on_chat_model_stream`` event.
-
-    Returns:
-        List of non-empty text strings.
-    """
-    if isinstance(content, str):
-        return [content] if content else []
-    if isinstance(content, list):
-        texts: list[str] = []
-        for block in content:
-            if isinstance(block, dict) and block.get("type") == "text":
-                text = block.get("text", "")
-                if text:
-                    texts.append(text)
-            elif isinstance(block, str) and block:
-                texts.append(block)
-        return texts
-    return []
-
-
-class LangGraphA2AExecutor(AgentExecutor):
-    """Bridges LangGraph agent to A2A event model with SSE streaming support.
-
-    Always uses ``agent.astream_events()`` so that:
-    - Streaming clients (``message/stream``) receive token-level SSE events.
-    - Non-streaming clients (``message/send``) receive the final ``Message``
-      collected from the same stream — no duplicate LLM call, full compat.
-    """
-
-    def __init__(self, agent, heartbeat=None, model: str = "unknown"):
-        self.agent = agent  # Compiled LangGraph graph (create_react_agent output)
-        self._heartbeat = heartbeat
-        self._model = model  # e.g. "anthropic:claude-sonnet-4-6"
-
-    async def execute(self, context: RequestContext, event_queue: EventQueue) -> None:
-        """Execute a task from an A2A request with SSE streaming.
-
-        Routes through the Temporal durable workflow when a global
-        ``TemporalWorkflowWrapper`` is initialised and connected to Temporal;
-        otherwise falls back to ``_core_execute()`` (direct path).
-
-        Event emission sequence:
-          1. TaskStatusUpdateEvent(working)           — immediate start signal
-          2. TaskArtifactUpdateEvent chunks           — token-by-token via astream_events
-          3. Message(final_text)                      — terminal; non-streaming clients
-                                                        return on this; streaming clients
-                                                        also receive it as the last SSE event.
-        """
-        # ── Optional Temporal durable execution wrapper ──────────────────────
-        # When a TemporalWorkflowWrapper is active this routes execution through
-        # a MoleculeAIAgentWorkflow (task_receive → llm_call → task_complete).
-        # Falls back silently to _core_execute() on any error or if Temporal
-        # is unavailable, so the client always receives a response.
-        try:
-            from builtin_tools.temporal_workflow import get_wrapper as _get_temporal_wrapper
-
-            _tw = _get_temporal_wrapper()
-            if _tw is not None and _tw.is_available():
-                return await _tw.run(self, context, event_queue)
-        except Exception:
-            pass  # Never let the wrapper path crash the executor
-
-        await self._core_execute(context, event_queue)
-
-    async def _core_execute(self, context: RequestContext, event_queue: EventQueue) -> str:
-        """Core execution pipeline — called directly or from a Temporal activity.
-
-        This is the original ``execute()`` body, extracted so that the Temporal
-        ``llm_call`` activity can invoke it without re-entering the wrapper
-        check and causing infinite recursion.
-
-        Returns the final response text (empty string on empty input or error).
-
-        Event emission sequence:
-          1. TaskStatusUpdateEvent(working)           — immediate start signal
-          2. TaskArtifactUpdateEvent chunks           — token-by-token via astream_events
-          3. Message(final_text)                      — terminal event
-        """
-        user_input = extract_message_text(context)
-        # Inject delegation results from prior turns. Heartbeat writes
-        # completed delegation rows to DELEGATION_RESULTS_FILE and sends
-        # a self-message to wake the agent; this consumes the file and
-        # surfaces the results as context so the agent can act on them
-        # without needing an explicit check_task_status call.
-        # Results are prepended so they are visible even when the
-        # self-message text is overwritten by a subsequent user message.
-        pending_results = read_delegation_results()
-        if pending_results:
-            logger.info("A2A execute: injecting %d delegation result(s)", pending_results.count("\n") + 1)
-            user_input = f"[Delegation results available]\n{pending_results}\n\n{user_input}"
-        # Pull attached files from A2A message parts (kind: "file") and
-        # append a manifest to the prompt so the agent knows they exist.
-        # LangGraph tools (filesystem, bash, skills) can then open the
-        # files by path — without this the agent silently ignores the
-        # attachments and replies "I'm not sure what you're referring to".
-        _attached_files = extract_attached_files(getattr(context, "message", None))
-        if _attached_files:
-            _manifest = "\n\nAttached files:\n" + "\n".join(
-                f"- {f['name']} ({f['mime_type'] or 'unknown type'}) at {f['path']}"
-                for f in _attached_files
-            )
-            user_input = (user_input + _manifest) if user_input else _manifest.lstrip()
-        if not user_input:
-            parts = getattr(getattr(context, "message", None), "parts", None)
-            logger.warning("A2A execute: no text content in message parts: %s", parts)
-            await event_queue.enqueue_event(
-                new_text_message("Error: message contained no text content.")
-            )
-            return ""
-
-        # ── OA-01: Prompt injection check (OWASP Agentic Top 10) ────────────
-        _compliance_cfg = _get_compliance_cfg() if _COMPLIANCE_AVAILABLE else None
-        if _COMPLIANCE_AVAILABLE and _compliance_cfg and _compliance_cfg.mode == "owasp_agentic":
-            try:
-                user_input = _sanitize_input(
-                    user_input,
-                    prompt_injection_mode=_compliance_cfg.prompt_injection,
-                    context_id=context.context_id or "",
-                )
-            except PromptInjectionError as exc:
-                await event_queue.enqueue_event(
-                    new_text_message(f"Request blocked: {exc}")
-                )
-                return ""
-
-        logger.info("A2A execute: user_input=%s", user_input[:200])
-
-        # ── OTEL: task_receive span ──────────────────────────────────────────
-        parent_ctx = _incoming_trace_context.get()
-        tracer = get_tracer()
-
-        _result: str = ""  # captured inside the span for return after it closes
-
-        with tracer.start_as_current_span("task_receive", context=parent_ctx) as task_span:
-            task_span.set_attribute(WORKSPACE_ID_ATTR, _WORKSPACE_ID)
-            task_span.set_attribute(A2A_TASK_ID, context.context_id or "")
-            task_span.set_attribute("a2a.input_preview", user_input[:256])
-
-            # Resolve IDs — the RequestContextBuilder always sets them, but
-            # we generate fallbacks for safety (e.g. in unit tests).
-            task_id = context.task_id or str(uuid.uuid4())
-            context_id = context.context_id or str(uuid.uuid4())
-
-            # A2A v1 contract (a2a-sdk ≥ 1.0): enqueue a Task event before any
-            # TaskStatusUpdateEvent. The framework only auto-creates the Task
-            # on continuation messages (existing task_id resolves via
-            # task_manager.get_task()). For fresh requests get_task() returns
-            # None and the SDK rejects the first status update with
-            # InvalidAgentResponseError("Agent should enqueue Task before
-            # TaskStatusUpdateEvent event") — see a2a/server/agent_execution/
-            # active_task.py for the validation site. PR #2170 migrated the
-            # surface to v1 but missed this contract; the synth-E2E gate
-            # surfaced it on every run after staging deploy.
-            if getattr(context, "current_task", None) is None:
-                from a2a.types import Task, TaskState, TaskStatus
-                await event_queue.enqueue_event(
-                    Task(
-                        id=task_id,
-                        context_id=context_id,
-                        status=TaskStatus(state=TaskState.TASK_STATE_SUBMITTED),
-                    )
-                )
-
-            updater = TaskUpdater(event_queue, task_id, context_id)
-
-            try:
-                # set_current_task INSIDE the try so active_tasks is always
-                # decremented by the finally block even if CancelledError hits
-                # during the heartbeat HTTP push. Moving it outside the try
-                # created a window where cancellation left active_tasks stuck
-                # at 1, permanently blocking queue drain. (#2026)
-                await set_current_task(self._heartbeat, brief_task(user_input))
-                messages = _extract_history(context)
-                if messages:
-                    logger.info("A2A execute: injecting %d history messages", len(messages))
-                messages.append(("human", user_input))
-
-                # Recursion limit: see DEFAULT_RECURSION_LIMIT and
-                # _parse_recursion_limit() at module top. Re-read on every
-                # call so the env var can be hot-changed between requests.
-                recursion_limit = _parse_recursion_limit()
-                run_config = {
-                    "configurable": {"thread_id": context_id},
-                    "run_name": f"a2a-{context_id[:8]}",
-                    "recursion_limit": recursion_limit,
-                }
-
-                # ── OTEL: llm_call span ──────────────────────────────────────
-                with tracer.start_as_current_span("llm_call") as llm_span:
-                    llm_span.set_attribute(GEN_AI_OPERATION_NAME, "chat")
-                    llm_span.set_attribute(GEN_AI_SYSTEM, gen_ai_system_from_model(self._model))
-                    llm_span.set_attribute(GEN_AI_REQUEST_MODEL, self._model)
-                    llm_span.set_attribute(WORKSPACE_ID_ATTR, _WORKSPACE_ID)
-
-                    # ── Step 1: signal "working" to streaming clients ─────────
-                    await updater.start_work()
-
-                    # ── Step 2: stream tokens via LangGraph astream_events ────
-                    # Each "on_chat_model_stream" event carries an AIMessageChunk.
-                    # We emit one TaskArtifactUpdateEvent per text chunk so SSE
-                    # clients can render tokens in real time.
-                    # artifact_id resets on each new LLM run_id so agent→tool→agent
-                    # cycles each get their own artifact slot.
-
-                    artifact_id = str(uuid.uuid4())
-                    has_streamed = False   # True after first chunk for current artifact
-                    current_run_id = None  # Detects new LLM call in a ReAct cycle
-                    accumulated: list[str] = []    # All text for the final Message
-                    last_ai_message = None          # Saved for token-usage telemetry
-
-                    # ── OA-03: Excessive agency tracker ──────────────────────
-                    _agency = (
-                        AgencyTracker(
-                            max_tool_calls=_compliance_cfg.max_tool_calls_per_task,
-                            max_duration_seconds=float(_compliance_cfg.max_task_duration_seconds),
-                        )
-                        if _COMPLIANCE_AVAILABLE and _compliance_cfg and _compliance_cfg.mode == "owasp_agentic"
-                        else None
-                    )
-
-                    # ── Tool trace: collect every tool invocation for
-                    # platform-level observability ────────────────────
-                    # Keyed by run_id so parallel tool calls (LangGraph
-                    # supports them) pair start→end correctly. Capped at
-                    # MAX_TOOL_TRACE entries to prevent runaway loops from
-                    # ballooning the JSONB payload.
-                    MAX_TOOL_TRACE = 200
-                    tool_trace: list[dict] = []
-                    tool_trace_by_run: dict[str, dict] = {}
-
-                    async for event in self.agent.astream_events(
-                        {"messages": messages},
-                        config=run_config,
-                        version="v2",
-                    ):
-                        kind = event.get("event", "")
-
-                        if kind == "on_chat_model_stream":
-                            run_id = event.get("run_id", "")
-                            if run_id and run_id != current_run_id:
-                                # New LLM run started — fresh artifact slot
-                                current_run_id = run_id
-                                artifact_id = str(uuid.uuid4())
-                                has_streamed = False
-
-                            chunk = event.get("data", {}).get("chunk")
-                            if chunk is not None:
-                                texts = _extract_chunk_text(chunk.content)
-                                for text in texts:
-                                    await updater.add_artifact(
-                                        parts=[Part(text=text)],  # v1: TextPart removed, Part takes text= directly
-                                        artifact_id=artifact_id,
-                                        append=has_streamed,  # False=first, True=append
-                                        last_chunk=False,
-                                    )
-                                    has_streamed = True
-                                    accumulated.append(text)
-
-                        elif kind == "on_tool_start":
-                            tool_name = event.get("name", "?")
-                            tool_input = event.get("data", {}).get("input", "")
-                            tool_run_id = event.get("run_id", "")
-                            logger.debug("SSE: tool start — %s", tool_name)
-                            if len(tool_trace) < MAX_TOOL_TRACE:
-                                entry = {
-                                    "tool": tool_name,
-                                    "input": str(tool_input)[:500] if tool_input else "",
-                                }
-                                tool_trace.append(entry)
-                                if tool_run_id:
-                                    tool_trace_by_run[tool_run_id] = entry
-                            if _agency is not None:
-                                _agency.on_tool_call(
-                                    tool_name=tool_name,
-                                    context_id=context_id,
-                                )
-
-                        elif kind == "on_tool_end":
-                            tool_end_name = event.get("name", "?")
-                            tool_output = event.get("data", {}).get("output", "")
-                            tool_run_id = event.get("run_id", "")
-                            logger.debug("SSE: tool end — %s", tool_end_name)
-                            # Pair via run_id so parallel tool calls don't clobber each other.
-                            entry = tool_trace_by_run.get(tool_run_id) if tool_run_id else None
-                            if entry is not None:
-                                entry["output_preview"] = str(tool_output)[:300] if tool_output else ""
-
-                        elif kind == "on_chat_model_end":
-                            # Capture the last completed AIMessage for token telemetry
-                            output = event.get("data", {}).get("output")
-                            if output is not None:
-                                last_ai_message = output
-
-                    # Record token usage from the last completed LLM call
-                    if last_ai_message is not None:
-                        record_llm_token_usage(llm_span, {"messages": [last_ai_message]})
-
-                # Build final text from all accumulated streaming tokens
-                final_text = "".join(accumulated).strip() or "(no response generated)"
-                logger.info("A2A execute: response length=%d chars", len(final_text))
-
-                # ── OA-02 / OA-06: Output PII redaction ──────────────────────
-                if _COMPLIANCE_AVAILABLE and _compliance_cfg and _compliance_cfg.mode == "owasp_agentic":
-                    final_text, _pii_types = _redact_pii(final_text)
-                    if _pii_types:
-                        from builtin_tools.audit import log_event as _audit_log
-                        _audit_log(
-                            event_type="compliance",
-                            action="pii.redact",
-                            resource="task_output",
-                            outcome="redacted",
-                            pii_types=_pii_types,
-                            context_id=context_id,
-                        )
-
-                # ── OTEL: task_complete span ─────────────────────────────────
-                with tracer.start_as_current_span("task_complete") as done_span:
-                    done_span.set_attribute(WORKSPACE_ID_ATTR, _WORKSPACE_ID)
-                    done_span.set_attribute(A2A_TASK_ID, context_id)
-                    done_span.set_attribute("task.has_response", bool(accumulated))
-                    done_span.set_attribute("task.response_length", len(final_text))
-
-                # ── Step 3: emit final Message ────────────────────────────────
-                # Non-streaming: ResultAggregator.consume_all() returns this
-                #   immediately as the response (a2a_client.py reads .parts[0].text).
-                # Streaming: yielded as the last SSE event in the stream.
-                #
-                # If the reply mentions /workspace/... paths, stage each one
-                # and emit as FileParts alongside the text so the canvas can
-                # render a download button. Same contract the hermes executor
-                # uses — every runtime going through this code path (langgraph,
-                # deepagents, future ReAct variants) inherits it.
-                _outbound = collect_outbound_files(final_text)
-                if _outbound:
-                    # NOTE: do NOT re-import `Part` here. It is already imported
-                    # at module scope (line 42). A function-scope `from a2a.types
-                    # import ... Part ...` would mark `Part` as a local name
-                    # throughout this function under Python's scoping rules,
-                    # making the earlier `Part(text=text)` call (line ~358, inside
-                    # the astream_events loop) raise UnboundLocalError because
-                    # the local binding is not yet in scope at that point.
-                    #
-                    # a2a-sdk 1.x flattened the Part shape: 0.x used
-                    # `Part(root=TextPart(text=...))` / `Part(root=FilePart(file=
-                    # FileWithUri(uri=..., name=..., mimeType=...)))` (Pydantic
-                    # discriminated-union style). 1.x's Part is a single proto
-                    # message with flat fields: text, url, filename, media_type,
-                    # raw, data, metadata. TextPart/FilePart/FileWithUri were
-                    # removed. Same for Message: messageId/taskId/contextId
-                    # camelCase became message_id/task_id/context_id.
-                    from a2a.types import Message, Role
-                    _parts: list[Part] = [Part(text=final_text)] if final_text else []
-                    for f in _outbound:
-                        _parts.append(Part(
-                            url="workspace:" + f["path"],
-                            filename=f["name"],
-                            media_type=f["mime_type"],
-                        ))
-                    msg = Message(
-                        message_id=uuid.uuid4().hex,
-                        # 1.x Role is a protobuf enum: ROLE_UNSPECIFIED,
-                        # ROLE_USER, ROLE_AGENT. Old `Role.agent` (Pydantic
-                        # lowercase enum) doesn't exist anymore.
-                        role=Role.ROLE_AGENT,
-                        parts=_parts,
-                        task_id=task_id,
-                        context_id=context_id,
-                    )
-                else:
-                    msg = new_text_message(final_text, task_id=task_id, context_id=context_id)
-                # Attach tool_trace via metadata when supported. Guarded with
-                # hasattr because some test mocks return a plain string here.
-                if tool_trace and hasattr(msg, "metadata"):
-                    try:
-                        msg.metadata = {"tool_trace": tool_trace}
-                    except (AttributeError, TypeError):
-                        # `new_text_message()` returns a plain string in
-                        # MagicMock paths in tests, where assignment to
-                        # .metadata raises despite hasattr being true (the
-                        # mock has the attribute as a property). Suppression
-                        # is intentional — production Message objects always
-                        # accept the assignment. See #1787 + commit dcbcf19
-                        # for the original test-mock motivation.
-                        logger.debug("metadata attach skipped (non-Message return from new_text_message)")
-                # A2A v1 (a2a-sdk ≥ 1.0): once Task is enqueued (above, PR #2558),
-                # the executor is in task mode and raw Message enqueues are
-                # rejected with InvalidAgentResponseError("Received Message
-                # object in task mode. Use TaskStatusUpdateEvent or
-                # TaskArtifactUpdateEvent instead."). updater.complete()
-                # wraps the Message in a terminal TaskStatusUpdateEvent
-                # (state=COMPLETED, final=True) which both streaming and
-                # non-streaming clients accept.
-                await updater.complete(message=msg)
-                _result = final_text
-
-            except Exception as e:
-                logger.error("A2A execute error: %s", e, exc_info=True)
-                try:
-                    task_span.record_exception(e)
-                    from opentelemetry.trace import StatusCode
-                    task_span.set_status(StatusCode.ERROR, str(e))
-                except Exception:
-                    pass
-                # A2A v1: in task mode, terminal errors must publish a
-                # FAILED TaskStatusUpdateEvent (carrying the error Message)
-                # rather than a raw Message enqueue. updater.failed() does
-                # exactly this — both streaming and non-streaming clients
-                # receive the error and stop polling.
-                await updater.failed(
-                    message=new_text_message(
-                        sanitize_agent_error(exc=e), task_id=task_id, context_id=context_id
-                    )
-                )
-            finally:
-                await set_current_task(self._heartbeat, "")
-
-        return _result
-
-    async def cancel(self, context: RequestContext, event_queue: EventQueue) -> None:
-        """Cancel a running task — emits canceled state to comply with A2A protocol."""
-        from a2a.types import TaskStatus, TaskState, TaskStatusUpdateEvent
-        await event_queue.enqueue_event(
-            TaskStatusUpdateEvent(
-                status=TaskStatus(state=TaskState.TASK_STATE_CANCELED),  # v1: TaskState uses SCREAMING_SNAKE_CASE
-                final=True,
-            )
-        )
@@ -1,263 +0,0 @@
-"""Single source of truth for A2A ``/workspaces/<id>/a2a`` response shapes.
-
-The workspace-server proxy at
-``workspace-server/internal/handlers/a2a_proxy.go`` (the canonical
-emitter) returns one of the following shapes for a single A2A call:
-
-  * **JSON-RPC success** —
-    ``{"jsonrpc": "2.0", "result": {...}, "id": "..."}``
-    The agent's reply, passed through unchanged.
-
-  * **JSON-RPC error** —
-    ``{"jsonrpc": "2.0", "error": {"message": "...", "code": ...}, "id": "..."}``
-    The agent reported a structured error.
-
-  * **Poll-queued** (synthesized at proxy, RFC #2339 PR 2 — see
-    ``a2a_proxy.go:402-406``) —
-    ``{"status": "queued", "delivery_mode": "poll", "method": "..."}``
-    The target is a poll-mode workspace (no public URL); the message
-    was written to the platform's inbox queue. The target agent will
-    fetch it via ``GET /activity?since_id=`` polling. NOT a failure —
-    delivery succeeded, there's just no synchronous reply to relay.
-
-  * **Platform error** — ``{"error": "...", "restarting": true?, "retry_after": int?}``
-    HTTP-level failure synthesized by the proxy when the agent is
-    unreachable, the container is restarting, or some other infrastructure
-    failure happened. ``restarting=true`` flags the platform-initiated
-    container-restart path.
-
-  * **Malformed** — anything else. Surfaced explicitly so a future server
-    change is loud rather than silent.
-
-The ``parse(data)`` function classifies a pre-decoded JSON body into a
-typed variant. Callers ``match`` on the variant and never re-implement
-shape detection — that's the SSOT discipline.
-
-# SSOT contract
-
-This file is the Python half. The Go server emits these shapes today
-via inline ``gin.H{...}`` literals. A future PR can introduce a Go
-mirror (e.g. ``workspace-server/internal/models/a2a_response.go``)
-with a typed marshaller — until then, **any change to the wire shape
-must be reflected here** and gated by ``test_a2a_response.py``'s
-fixture corpus. The corpus exists specifically so a one-sided edit
-breaks CI.
-
-# Why a typed model (vs. dict-key sniffing at every site)
-
-The pre-2967 client at ``a2a_client.py:567-587`` sniffed for ``result``
-or ``error`` keys inline and treated everything else as malformed —
-which silently broke poll-mode peers (the queued envelope has neither
-key). Inline sniffing per call site multiplies the surface area where
-a new shape gets misclassified. A single typed parser with an
-explicit ``Malformed`` escape hatch makes shape additions a
-one-line change here + a fixture entry in the test corpus, instead of
-a hunt through every parsing site in the runtime.
-"""
-from __future__ import annotations
-
-import dataclasses
-import logging
-from typing import Any, Optional, Union
-
-logger = logging.getLogger(__name__)
-
-
-@dataclasses.dataclass(frozen=True)
-class Result:
-    """JSON-RPC success — agent's reply available synchronously.
-
-    ``text`` is the convenience extraction from ``parts[0].text`` (the
-    A2A multipart shape). ``parts`` is the full list, available for
-    callers that need richer rendering (multiple parts, non-text parts).
-    ``raw_result`` preserves the unparsed ``result`` field for any
-    caller that needs it (e.g. activity-row response_body audit).
-    """
-
-    text: str
-    parts: list[dict[str, Any]] = dataclasses.field(default_factory=list)
-    raw_result: Optional[dict[str, Any]] = None
-
-
-@dataclasses.dataclass(frozen=True)
-class Error:
-    """JSON-RPC error or platform-level error response.
-
-    ``code`` is the JSON-RPC integer code when present, else None.
-    ``restarting`` / ``retry_after`` are platform-restart-in-progress
-    metadata: when both are set, the caller knows the container is
-    being recycled and may surface a softer error to the user.
-    """
-
-    message: str
-    code: Optional[int] = None
-    restarting: bool = False
-    retry_after: Optional[int] = None
-
-
-@dataclasses.dataclass(frozen=True)
-class Queued:
-    """Platform poll-mode short-circuit — message accepted, peer will pick up async.
-
-    Returned when the target workspace is registered as
-    ``delivery_mode=poll`` (no public URL — typical for external
-    standalone ``molecule-mcp`` runtimes). The message was written to
-    the platform's inbox queue; the target agent will fetch it via
-    ``GET /activity?since_id=`` polling.
-
-    NOT a failure. Callers that expect a synchronous reply (the agent's
-    response text) won't get one here — they should either:
-
-      * Tolerate the absence of a reply (fire-and-forget semantics).
-      * Fall back to the durable ``/workspaces/:id/delegate`` +
-        ``/delegations`` polling path (see ``a2a_tools_delegation``'s
-        ``_delegate_sync_via_polling``), which writes the same A2A
-        request through the platform's executeDelegation goroutine
-        and lets the caller poll for the result row.
-
-    ``method`` echoes the request method (``message/send``, ``notify``,
-    etc.) so callers can correlate.
-    """
-
-    method: str
-    delivery_mode: str = "poll"
-
-
-@dataclasses.dataclass(frozen=True)
-class Malformed:
-    """Server returned a body the parser can't classify.
-
-    Carries the raw decoded payload for diagnostic logging. Callers
-    typically render this as an error to the user (see
-    ``send_a2a_message``) — but the Malformed variant is a separate
-    type so logging / metrics can distinguish it from genuine
-    JSON-RPC ``Error`` responses.
-    """
-
-    raw: Any  # whatever the server returned: dict / list / str / number / etc.
-
-
-Variant = Union[Result, Error, Queued, Malformed]
-
-
-# Field-name constants — the wire vocabulary. Single source of truth;
-# the parser references these by name so a change here is a
-# one-line edit instead of a hunt through string literals.
-_KEY_RESULT = "result"
-_KEY_ERROR = "error"
-_KEY_STATUS = "status"
-_KEY_DELIVERY_MODE = "delivery_mode"
-_KEY_METHOD = "method"
-_KEY_RESTARTING = "restarting"
-_KEY_RETRY_AFTER = "retry_after"
-
-_STATUS_QUEUED = "queued"
-_DELIVERY_MODE_POLL = "poll"
-
-
-def parse(data: Any) -> Variant:
-    """Classify a pre-decoded ``/a2a`` JSON response into a typed variant.
-
-    Never raises. Every branch is total: any input that doesn't match a
-    known shape routes to ``Malformed`` so the caller can decide how
-    to surface it.
-
-    The order of checks matters:
-
-      1. Non-dict input → Malformed (server contract is dict-shaped).
-      2. Poll-queued envelope is checked BEFORE result/error because a
-         server bug that sets both ``status=queued`` and ``result``
-         should be loud, not silently treated as Result.
-      3. ``result`` → Result (the JSON-RPC success path).
-      4. ``error`` → Error (JSON-RPC error or platform error).
-      5. Anything else → Malformed.
-    """
-    if not isinstance(data, dict):
-        logger.warning(
-            "a2a_response.parse: non-dict body — got %s",
-            type(data).__name__,
-        )
-        return Malformed(raw=data)
-
-    # Push-mode queue envelope — returned when a push-mode workspace
-    # (one with a public URL) is at capacity. The platform queues the
-    # request and returns {"queued": true, "message": "...", "queue_id": "..."}.
-    # Unlike the poll-mode envelope (status=queued + delivery_mode=poll),
-    # this shape has no delivery_mode key — it's distinguishable by
-    # data.get("queued") is True alone. Checked before poll-mode so the
-    # two cases are mutually exclusive even if a buggy server sends both.
-    if data.get("queued") is True:
-        method_raw = data.get(_KEY_METHOD)
-        method = str(method_raw) if method_raw is not None else "message/send"
-        logger.info(
-            "a2a_response.parse: queued for busy push-mode peer (method=%s, queue_id=%s)",
-            method,
-            data.get("queue_id", "?"),
-        )
-        return Queued(method=method, delivery_mode="push")
-
-    # Poll-queued envelope. Both keys must be present — the workspace
-    # server sets them together; if only one is present the body is
-    # ambiguous and we route to Malformed for visibility.
-    if (
-        data.get(_KEY_STATUS) == _STATUS_QUEUED
-        and data.get(_KEY_DELIVERY_MODE) == _DELIVERY_MODE_POLL
-    ):
-        method_raw = data.get(_KEY_METHOD)
-        method = str(method_raw) if method_raw is not None else "unknown"
-        logger.info(
-            "a2a_response.parse: queued for poll-mode peer (method=%s)",
-            method,
-        )
-        return Queued(method=method)
-
-    # JSON-RPC success.
-    if _KEY_RESULT in data:
-        result = data[_KEY_RESULT]
-        if isinstance(result, dict):
-            parts_raw = result.get("parts")
-            parts = parts_raw if isinstance(parts_raw, list) else []
-            text = ""
-            if parts:
-                first = parts[0]
-                if isinstance(first, dict):
-                    text_raw = first.get("text")
-                    text = str(text_raw) if text_raw is not None else ""
-            return Result(text=text, parts=parts, raw_result=result)
-        # ``result`` present but not a dict — unusual but not an error;
-        # surface as a Result with the value rendered to text.
-        return Result(text=str(result), parts=[], raw_result=None)
-
-    # JSON-RPC error or platform error.
-    if _KEY_ERROR in data:
-        err_raw = data[_KEY_ERROR]
-        message = ""
-        code: Optional[int] = None
-        if isinstance(err_raw, dict):
-            msg_raw = err_raw.get("message")
-            if msg_raw is not None:
-                message = str(msg_raw).strip()
-            code_raw = err_raw.get("code")
-            if isinstance(code_raw, int):
-                code = code_raw
-        elif isinstance(err_raw, str):
-            message = err_raw.strip()
-        else:
-            message = str(err_raw)
-
-        restarting = bool(data.get(_KEY_RESTARTING, False))
-        retry_after_raw = data.get(_KEY_RETRY_AFTER)
-        retry_after = retry_after_raw if isinstance(retry_after_raw, int) else None
-
-        return Error(
-            message=message,
-            code=code,
-            restarting=restarting,
-            retry_after=retry_after,
-        )
-
-    logger.warning(
-        "a2a_response.parse: unrecognized shape — keys=%s",
-        sorted(data.keys()),
-    )
-    return Malformed(raw=data)
@@ -1,181 +0,0 @@
-"""A2A MCP tool implementations — the body of each tool handler.
-
-Imports shared client functions and constants from a2a_client.
-"""
-
-import hashlib
-import json
-import mimetypes
-import os
-import uuid
-
-import httpx
-
-from a2a_client import (
-    PLATFORM_URL,
-    WORKSPACE_ID,
-    _A2A_ERROR_PREFIX,
-    _peer_names,
-    _peer_to_source,
-    discover_peer,
-    get_peers,
-    get_peers_with_diagnostic,
-    get_workspace_info,
-    send_a2a_message,
-)
-from builtin_tools.security import _redact_secrets
-from platform_auth import list_registered_workspaces
-
-
-# ---------------------------------------------------------------------------
-# RBAC + auth helpers — extracted to a2a_tools_rbac (RFC #2873 iter 4a).
-# Re-exported here under the legacy underscore names so existing tests'
-# patch("a2a_tools._check_memory_write_permission", …) and call sites
-# inside this module that resolve bare names against the module-level
-# namespace continue to work unchanged.
-# ---------------------------------------------------------------------------
-from a2a_tools_rbac import (  # noqa: E402  (import after the from-a2a_client block)
-    _auth_headers_for_heartbeat,
-    _check_memory_read_permission,
-    _check_memory_write_permission,
-    _get_workspace_tier,
-    _is_root_workspace,
-    _ROLE_PERMISSIONS,
-)
-
-
-# Per-field caps on the heartbeat / activity payload. Borrowed from
-# hermes-agent's design discipline: cap ONCE in the helper, not at every
-# call site, so a future caller adding error_detail can't accidentally
-# DoS activity_logs by pasting a 4MB stack trace + base64 image.
-#
-# Why these specific limits:
-#   - error_detail (4096): hermes' value. Long enough for a multi-frame
-#     stack trace, short enough that 100 errors in 5min is < 500KB total.
-#   - summary (256): summary is a one-liner shown in the canvas card +
-#     activity row. 256 covers UTF-8 emoji + a sentence.
-#   - response_text (NOT capped): this is the agent's actual reply
-#     content. Capping would silently truncate user-visible output.
-_MAX_ERROR_DETAIL_CHARS = 4096
-_MAX_SUMMARY_CHARS = 256
-
-
-async def report_activity(
-    activity_type: str, target_id: str = "", summary: str = "", status: str = "ok",
-    task_text: str = "", response_text: str = "", error_detail: str = "",
-):
-    """Report activity to the platform for live progress tracking."""
-    # Defensive caps in the helper itself so every caller benefits — see
-    # _MAX_ERROR_DETAIL_CHARS / _MAX_SUMMARY_CHARS comments above.
-    if error_detail and len(error_detail) > _MAX_ERROR_DETAIL_CHARS:
-        error_detail = error_detail[:_MAX_ERROR_DETAIL_CHARS]
-    if summary and len(summary) > _MAX_SUMMARY_CHARS:
-        summary = summary[:_MAX_SUMMARY_CHARS]
-    try:
-        async with httpx.AsyncClient(timeout=5.0) as client:
-            payload: dict = {
-                "activity_type": activity_type,
-                "source_id": WORKSPACE_ID,
-                "target_id": target_id,
-                "method": "message/send",
-                "summary": summary,
-                "status": status,
-            }
-            if task_text:
-                payload["request_body"] = {"task": task_text}
-            if response_text:
-                payload["response_body"] = {"result": response_text}
-            if error_detail:
-                # error_detail is a top-level activity row column on the
-                # platform (handlers/activity.go). Surfacing the cleaned
-                # exception string here lets the Activity tab render a
-                # red error chip + the cause without forcing the user
-                # to scroll into the raw response_body JSON.
-                payload["error_detail"] = error_detail
-            await client.post(
-                f"{PLATFORM_URL}/workspaces/{WORKSPACE_ID}/activity",
-                json=payload,
-                headers=_auth_headers_for_heartbeat(),
-            )
-            # Also push current_task via heartbeat for canvas card display
-            if summary:
-                await client.post(
-                    f"{PLATFORM_URL}/registry/heartbeat",
-                    json={
-                        "workspace_id": WORKSPACE_ID,
-                        "current_task": summary,
-                        "active_tasks": 1,
-                        "error_rate": 0,
-                        "sample_error": "",
-                        "uptime_seconds": 0,
-                    },
-                    headers=_auth_headers_for_heartbeat(),
-                )
-    except Exception:
-        pass  # Best-effort — don't block delegation on activity reporting
-
-
-# Delegation tool handlers — extracted to a2a_tools_delegation
-# (RFC #2873 iter 4b). Re-imported here so call sites + tests that
-# reference ``a2a_tools.tool_delegate_task`` /
-# ``a2a_tools._delegate_sync_via_polling`` keep resolving identically.
-from a2a_tools_delegation import (  # noqa: E402  (import after the from-a2a_client block)
-    _SYNC_POLL_BUDGET_S,
-    _SYNC_POLL_INTERVAL_S,
-    _delegate_sync_via_polling,
-    tool_check_task_status,
-    tool_delegate_task,
-    tool_delegate_task_async,
-)
-
-
-# Messaging tool handlers — extracted to a2a_tools_messaging
-# (RFC #2873 iter 4d). Re-imported here so call sites + tests that
-# reference ``a2a_tools.tool_send_message_to_user`` /
-# ``tool_list_peers`` / ``tool_get_workspace_info`` /
-# ``tool_chat_history`` / ``_upload_chat_files`` keep resolving
-# identically.
-from a2a_tools_messaging import (  # noqa: E402  (import after the top-of-module imports)
-    _upload_chat_files,
-    tool_broadcast_message,
-    tool_chat_history,
-    tool_get_workspace_info,
-    tool_list_peers,
-    tool_send_message_to_user,
-)
-
-
-# Memory tool handlers — extracted to a2a_tools_memory (RFC #2873 iter 4c).
-# Re-imported here so call sites + tests that reference
-# ``a2a_tools.tool_commit_memory`` / ``tool_recall_memory`` keep
-# resolving identically.
-from a2a_tools_memory import (  # noqa: E402  (import after the top-of-module imports)
-    tool_commit_memory,
-    tool_recall_memory,
-)
-
-
-# Inbox tool handlers — extracted to a2a_tools_inbox (RFC #2873 iter 4e).
-# Re-imported here so call sites + tests that reference
-# ``a2a_tools.tool_inbox_peek`` / ``tool_inbox_pop`` / ``tool_wait_for_message``
-# / ``_enrich_inbound_for_agent`` / ``_INBOX_NOT_ENABLED_MSG`` keep
-# resolving identically.
-from a2a_tools_inbox import (  # noqa: E402  (import after the top-of-module imports)
-    _INBOX_NOT_ENABLED_MSG,
-    _enrich_inbound_for_agent,
-    tool_inbox_peek,
-    tool_inbox_pop,
-    tool_wait_for_message,
-)
-
-
-# Identity tool handlers — extracted to a2a_tools_identity. Ports the
-# two T4-tier MCP tools (``tool_get_runtime_identity`` +
-# ``tool_update_agent_card``) from molecule-ai-workspace-runtime PR#17.
-# That repo is mirror-only (reference_runtime_repo_is_mirror_only);
-# this is the canonical edit point, and the wheel mirror is
-# regenerated by publish-runtime.yml on merge.
-from a2a_tools_identity import (  # noqa: E402  (import after the top-of-module imports)
-    tool_get_runtime_identity,
-    tool_update_agent_card,
-)
@@ -1,459 +0,0 @@
-"""Delegation tool handlers — single-concern slice of the a2a_tools surface.
-
-Extracted from ``a2a_tools.py`` (RFC #2873 iter 4b). Owns the three
-delegation MCP tools + the RFC #2829 PR-5 sync-via-polling helper they
-share.
-
-Public surface:
-
-* ``tool_delegate_task`` — synchronous delegation, waits for response.
-* ``tool_delegate_task_async`` — fire-and-forget delegation; returns
-  ``{delegation_id, ...}``.
-* ``tool_check_task_status`` — poll the platform's ``/delegations`` log.
-
-Internal:
-
-* ``_delegate_sync_via_polling`` — durable async + poll for terminal
-  status (RFC #2829 PR-5 cutover path; toggled by
-  ``DELEGATION_SYNC_VIA_INBOX=1``).
-* ``_SYNC_POLL_INTERVAL_S`` / ``_SYNC_POLL_BUDGET_S`` constants.
-
-Circular-import note: this module calls ``report_activity`` from
-``a2a_tools`` to emit activity rows around the delegate dispatch.
-``a2a_tools`` imports the public symbols here at module-load time,
-so we use a LAZY import for ``report_activity`` inside the function
-that needs it. Without the lazy hop Python raises an ImportError
-on first ``a2a_tools`` import.
-"""
-from __future__ import annotations
-
-import hashlib
-import json
-import logging
-import os
-
-import httpx
-
-logger = logging.getLogger(__name__)
-
-from a2a_client import (
-    PLATFORM_URL,
-    WORKSPACE_ID,
-    _A2A_ERROR_PREFIX,
-    _A2A_QUEUED_PREFIX,
-    _peer_names,
-    _peer_to_source,
-    discover_peer,
-    send_a2a_message,
-)
-from a2a_tools_rbac import auth_headers_for_heartbeat as _auth_headers_for_heartbeat
-from _sanitize_a2a import (
-    _A2A_BOUNDARY_END,
-    _A2A_BOUNDARY_END_ESCAPED,
-    _A2A_BOUNDARY_START,
-    _A2A_BOUNDARY_START_ESCAPED,
-    sanitize_a2a_result,
-)  # noqa: E402
-
-
-# RFC #2829 PR-5 cutover constants. The poll cadence + timeout are
-# intentionally generous: 3s gives the platform's executeDelegation
-# goroutine room to dispatch + the callee to respond + the result to
-# write to activity_logs without thrashing the platform with rapid
-# polls; the budget matches the legacy DELEGATION_TIMEOUT (300s) so
-# operators don't see behavior change beyond "no more 600s timeouts".
-_SYNC_POLL_INTERVAL_S = 3.0
-_SYNC_POLL_BUDGET_S = float(os.environ.get("DELEGATION_TIMEOUT", "300.0"))
-
-
-async def _delegate_sync_via_polling(
-    workspace_id: str,
-    task: str,
-    src: str,
-) -> str:
-    """RFC #2829 PR-5: durable async delegation + poll for terminal status.
-
-    Sidesteps the platform proxy's blocking `message/send` HTTP path that
-    hits a hard 600s ceiling. Instead:
-
-      1. POST /workspaces/<src>/delegate (async, returns 202 + delegation_id)
-         — platform's executeDelegation goroutine handles A2A dispatch in
-         the background. No client-side timeout dependency on the platform
-         holding a connection open.
-      2. Poll GET /workspaces/<src>/delegations every 3s for a row with
-         matching delegation_id reaching terminal status (completed/failed).
-      3. Return the response_preview text on completed; surface error_detail
-         on failed (with the same _A2A_ERROR_PREFIX wrapping the legacy
-         path uses, so caller error-detection logic is unchanged).
-
-    Both /delegate and /delegations are existing endpoints — this helper
-    just composes them into a polling synchronous facade. The result is
-    available the moment the platform writes the terminal status row;
-    no extra latency vs. the legacy proxy-blocked path on fast cases.
-    """
-    import asyncio
-    import time
-
-    idem_key = hashlib.sha256(f"{src}:{workspace_id}:{task}".encode()).hexdigest()[:32]
-
-    # 1. Dispatch via /delegate (the async, durable path).
-    try:
-        async with httpx.AsyncClient(timeout=10.0) as client:
-            resp = await client.post(
-                f"{PLATFORM_URL}/workspaces/{src}/delegate",
-                json={
-                    "target_id": workspace_id,
-                    "task": task,
-                    "idempotency_key": idem_key,
-                },
-                headers=_auth_headers_for_heartbeat(src),
-            )
-    except Exception as e:  # pylint: disable=broad-except
-        return f"{_A2A_ERROR_PREFIX}delegate dispatch failed: {e}"
-
-    if resp.status_code != 202 and resp.status_code != 200:
-        return f"{_A2A_ERROR_PREFIX}delegate dispatch failed: HTTP {resp.status_code} {resp.text[:200]}"
-
-    try:
-        dispatch = resp.json()
-    except Exception as e:  # pylint: disable=broad-except
-        return f"{_A2A_ERROR_PREFIX}delegate dispatch returned non-JSON: {e}"
-
-    delegation_id = dispatch.get("delegation_id", "")
-    if not delegation_id:
-        return f"{_A2A_ERROR_PREFIX}delegate dispatch missing delegation_id: {dispatch}"
-
-    # 2. Poll for terminal status with a deadline. Each poll is a cheap
-    # /delegations GET — bounded by the platform's existing rate limit.
-    deadline = time.monotonic() + _SYNC_POLL_BUDGET_S
-    last_status = "unknown"
-    while time.monotonic() < deadline:
-        try:
-            async with httpx.AsyncClient(timeout=10.0) as client:
-                poll = await client.get(
-                    f"{PLATFORM_URL}/workspaces/{src}/delegations",
-                    headers=_auth_headers_for_heartbeat(src),
-                )
-        except Exception as e:  # pylint: disable=broad-except
-            # Transient — keep polling. The platform IS holding the
-            # delegation row; we just lost a network request.
-            last_status = f"poll-error: {e}"
-            await asyncio.sleep(_SYNC_POLL_INTERVAL_S)
-            continue
-
-        if poll.status_code != 200:
-            last_status = f"poll HTTP {poll.status_code}"
-            await asyncio.sleep(_SYNC_POLL_INTERVAL_S)
-            continue
-
-        try:
-            rows = poll.json()
-        except Exception as e:  # pylint: disable=broad-except
-            last_status = f"poll non-JSON: {e}"
-            await asyncio.sleep(_SYNC_POLL_INTERVAL_S)
-            continue
-
-        # /delegations returns a flat list of delegation events. Filter to
-        # our delegation_id; pick the first terminal one. The list may
-        # have multiple rows per delegation_id (one for the original
-        # dispatch, one per status update); we want the latest terminal.
-        if not isinstance(rows, list):
-            await asyncio.sleep(_SYNC_POLL_INTERVAL_S)
-            continue
-        terminal = None
-        for r in rows:
-            if not isinstance(r, dict):
-                continue
-            if r.get("delegation_id") != delegation_id:
-                continue
-            status = (r.get("status") or "").lower()
-            last_status = status
-            if status in ("completed", "failed"):
-                terminal = r
-                break
-        if terminal:
-            if (terminal.get("status") or "").lower() == "completed":
-                # OFFSEC-003: sanitize response_preview before returning so
-                # boundary markers injected by a malicious peer cannot escape
-                # the trust boundary.
-                return sanitize_a2a_result(terminal.get("response_preview") or "")
-            # OFFSEC-003: sanitize error_detail / summary before wrapping with
-            # the _A2A_ERROR_PREFIX sentinel so injected markers cannot appear
-            # inside the trusted error block returned to the agent.
-            err_raw = (
-                terminal.get("error_detail")
-                or terminal.get("summary")
-                or "delegation failed"
-            )
-            err = sanitize_a2a_result(err_raw)
-            return f"{_A2A_ERROR_PREFIX}{err}"
-
-        await asyncio.sleep(_SYNC_POLL_INTERVAL_S)
-
-    # Budget exhausted — the platform's row is still in flight (or queued).
-    # Surface as an error so the caller can decide to retry or fall back;
-    # the platform DOES still have the durable row, so the work isn't
-    # lost — it'll complete eventually and a future check_task_status
-    # will surface the result.
-    return (
-        f"{_A2A_ERROR_PREFIX}polling timeout after {_SYNC_POLL_BUDGET_S}s "
-        f"(delegation_id={delegation_id}, last_status={last_status}); "
-        f"the platform is still working on it — call check_task_status('{delegation_id}') to retrieve later"
-    )
-
-
-async def tool_delegate_task(
-    workspace_id: str,
-    task: str,
-    source_workspace_id: str | None = None,
-) -> str:
-    """Delegate a task to another workspace via A2A (synchronous — waits for response).
-
-    ``source_workspace_id`` selects which registered workspace this
-    delegation originates from — drives auth + the X-Workspace-ID source
-    header so the platform's a2a_proxy logs the correct sender. Single-
-    workspace operators leave it None and routing falls back to the
-    module-level WORKSPACE_ID.
-    """
-    if not workspace_id or not task:
-        return "Error: workspace_id and task are required"
-
-    # Self-delegation guard: delegating to your own workspace ID deadlocks —
-    # the sending turn holds _run_lock while the receive handler waits for the
-    # same lock, the request 30s-times-out, and the whole cycle is wasted.
-    # Reject immediately with an actionable message. (effective_src mirrors the
-    # `src or WORKSPACE_ID` resolution used below for routing.)
-    effective_src = source_workspace_id or _peer_to_source.get(workspace_id) or WORKSPACE_ID
-    if workspace_id and workspace_id == effective_src:
-        return (
-            "Error: cannot delegate_task to your own workspace — self-delegation "
-            "deadlocks _run_lock (your sending turn holds it, the receive handler "
-            "waits for it, the request times out). There is no peer who is also you: "
-            "just do the work yourself, or call commit_memory / send_message_to_user directly."
-        )
-
-    # Auto-route: if source not specified, look up which registered
-    # workspace last saw this peer (populated by tool_list_peers). Falls
-    # back to the legacy WORKSPACE_ID for single-workspace operators.
-    src = source_workspace_id or _peer_to_source.get(workspace_id) or None
-
-    # Discover the target. discover_peer is the access-control gate +
-    # name/status lookup. The peer's reported ``url`` field is NOT used
-    # for routing — see send_a2a_message, which constructs the URL via
-    # the platform's A2A proxy.
-    peer = await discover_peer(workspace_id, source_workspace_id=src)
-    if not peer:
-        return f"Error: workspace {workspace_id} not found or not accessible (check access control)"
-
-    if (peer.get("status") or "").lower() == "offline":
-        return f"Error: workspace {workspace_id} is offline"
-
-    # Lazy import: a2a_tools imports this module at top-level, so a
-    # top-level import of report_activity from a2a_tools would create a
-    # circular dependency at first-import time. Lazy resolution inside
-    # the function body breaks the cycle without forcing a ground-up
-    # restructure of the activity-reporting layer.
-    from a2a_tools import report_activity
-
-    # Report delegation start — include the task text for traceability
-    peer_name = peer.get("name") or _peer_names.get(workspace_id) or workspace_id[:8]
-    _peer_names[workspace_id] = peer_name  # cache for future use
-    # Brief summary for canvas display — just the delegation target
-    await report_activity("a2a_send", workspace_id, f"Delegating to {peer_name}", task_text=task)
-
-    # RFC #2829 PR-5: agent-side cutover. When DELEGATION_SYNC_VIA_INBOX=1,
-    # use the platform's durable async delegation API (POST /delegate +
-    # poll /delegations) instead of the proxy-blocked message/send path.
-    # This sidesteps the 600s message/send timeout class that broke
-    # iteration-14/90-style long-running delegations on 2026-05-05.
-    #
-    # Default off — staging-canary first, flip default after PR-2's
-    # result-push flag (DELEGATION_RESULT_INBOX_PUSH) has been on for
-    # ≥1 week without incident.
-    if os.environ.get("DELEGATION_SYNC_VIA_INBOX") == "1":
-        result = await _delegate_sync_via_polling(workspace_id, task, src or WORKSPACE_ID)
-    else:
-        # send_a2a_message routes through ${PLATFORM_URL}/workspaces/{id}/a2a
-        # (the platform proxy) so the same code works for in-container and
-        # external (standalone molecule-mcp) callers.
-        result = await send_a2a_message(workspace_id, task, source_workspace_id=src)
-        # #2967: when the target is a poll-mode peer, the platform's
-        # a2a_proxy short-circuits and returns a queued envelope —
-        # send_a2a_message surfaces that as the _A2A_QUEUED_PREFIX
-        # sentinel. The synchronous proxy path can't deliver a reply
-        # because the target has no public URL; fall back to the
-        # durable /delegate + /delegations polling path which DOES
-        # work for poll-mode peers (the executeDelegation goroutine
-        # writes to the inbox queue and the result row arrives when
-        # the target picks it up + replies).
-        #
-        # This is what makes external-runtime-to-external-runtime
-        # A2A actually deliver synchronous replies — without the
-        # fallback the calling agent sees the queued sentinel as
-        # success-with-no-text and never gets the peer's response.
-        if result.startswith(_A2A_QUEUED_PREFIX):
-            logger.info(
-                "tool_delegate_task: target=%s is poll-mode; "
-                "falling back from message/send to /delegate-poll path",
-                workspace_id,
-            )
-            result = await _delegate_sync_via_polling(
-                workspace_id, task, src or WORKSPACE_ID,
-            )
-
-    # Detect delegation failures — wrap them clearly so the calling agent
-    # can decide to retry, use another peer, or handle the task itself.
-    is_error = result.startswith(_A2A_ERROR_PREFIX)
-    # Strip the sentinel prefix so error_detail is the human-readable
-    # cause directly. The Activity tab's red error chip surfaces this
-    # without the user having to scroll into the raw response JSON.
-    #
-    # Cap at 4096 chars before sending — the platform's
-    # activity_logs.error_detail column is unbounded TEXT and a
-    # malicious or buggy peer could otherwise stream an arbitrarily
-    # large error message into the caller's activity log. 4096 is
-    # comfortably above any real exception traceback we've seen and
-    # well below an obvious-DoS threshold.
-    error_detail = result[len(_A2A_ERROR_PREFIX):].strip()[:4096] if is_error else ""
-    await report_activity(
-        "a2a_receive", workspace_id,
-        f"{peer_name} responded ({len(result)} chars)" if not is_error else f"{peer_name} failed: {error_detail[:120]}",
-        task_text=task, response_text=result,
-        status="error" if is_error else "ok",
-        error_detail=error_detail,
-    )
-    if is_error:
-        return (
-            f"DELEGATION FAILED to {peer_name}: {result}\n"
-            f"You should either: (1) try a different peer, (2) handle this task yourself, "
-            f"or (3) inform the user that {peer_name} is unavailable and provide your best answer."
-        )
-    # OFFSEC-003: escape boundary markers in peer text, then wrap in boundary
-    # markers so the agent can distinguish trusted (own output) from untrusted
-    # (peer-supplied) content.  Explicit wrapping here rather than inside
-    # sanitize_a2a_result preserves a clean separation of concerns.
-    #
-    # Truncate at the closer BEFORE sanitizing so the raw closer (which gets
-    # lost during escaping) is removed from the content.  After truncation,
-    # sanitize the remaining text and wrap with escaped boundary markers.
-    if _A2A_BOUNDARY_END in result:
-        result = result[:result.index(_A2A_BOUNDARY_END)]
-    escaped = sanitize_a2a_result(result)
-    return (
-        f"{_A2A_BOUNDARY_START_ESCAPED}\n"
-        f"{escaped}\n"
-        f"{_A2A_BOUNDARY_END_ESCAPED}"
-    )
-
-
-async def tool_delegate_task_async(
-    workspace_id: str,
-    task: str,
-    source_workspace_id: str | None = None,
-) -> str:
-    """Delegate a task via the platform's async delegation API (fire-and-forget).
-
-    Uses POST /workspaces/:id/delegate which runs the A2A request in the background.
-    Results are tracked in the platform DB and broadcast via WebSocket.
-    Use check_task_status to poll for results.
-
-    ``source_workspace_id`` selects the sending workspace (which one of
-    this agent's registered workspaces gets logged as the originator);
-    auto-routes via the peer→source cache when omitted.
-    """
-    if not workspace_id or not task:
-        return "Error: workspace_id and task are required"
-
-    src = source_workspace_id or _peer_to_source.get(workspace_id) or WORKSPACE_ID
-
-    # Self-delegation guard: even on the async path, queuing a task to your own
-    # workspace just makes you re-process your own dispatch — never useful, and
-    # on the sync path it deadlocks (see tool_delegate_task). Reject early.
-    if workspace_id and workspace_id == src:
-        return (
-            "Error: cannot delegate_task_async to your own workspace — there is no "
-            "peer who is also you. Do the work yourself, or call commit_memory / "
-            "send_message_to_user directly."
-        )
-
-    # Idempotency key: SHA-256 of (source, target, task) so that a
-    # restarted agent firing the same delegation gets the same key and
-    # the platform returns the existing delegation_id instead of
-    # creating a duplicate. Fixes #1456. Source is in the key so the
-    # SAME task delegated from two different registered workspaces
-    # produces two distinct delegations (the right behavior — one per
-    # tenant audit trail).
-    idem_key = hashlib.sha256(f"{src}:{workspace_id}:{task}".encode()).hexdigest()[:32]
-
-    try:
-        async with httpx.AsyncClient(timeout=10.0) as client:
-            resp = await client.post(
-                f"{PLATFORM_URL}/workspaces/{src}/delegate",
-                json={"target_id": workspace_id, "task": task, "idempotency_key": idem_key},
-                headers=_auth_headers_for_heartbeat(src),
-            )
-            if resp.status_code == 202:
-                data = resp.json()
-                return json.dumps({
-                    "delegation_id": data.get("delegation_id", ""),
-                    "workspace_id": workspace_id,
-                    "status": "delegated",
-                    "note": "Task delegated. The platform runs it in the background. Use check_task_status to poll for results.",
-                })
-            else:
-                return f"Error: delegation failed with status {resp.status_code}: {resp.text[:200]}"
-    except Exception as e:
-        return f"Error: delegation failed — {e}"
-
-
-async def tool_check_task_status(
-    workspace_id: str,
-    task_id: str,
-    source_workspace_id: str | None = None,
-) -> str:
-    """Check delegations for this workspace via the platform API.
-
-    Args:
-        workspace_id: Ignored (kept for backward compat). Checks
-            ``source_workspace_id``'s delegations (the workspace that
-            FIRED the delegations), not the target's.
-        task_id: Optional delegation_id to filter. If empty, returns all recent delegations.
-        source_workspace_id: Which registered workspace's delegation log
-            to query. Defaults to the module-level WORKSPACE_ID.
-    """
-    src = source_workspace_id or WORKSPACE_ID
-    try:
-        async with httpx.AsyncClient(timeout=10.0) as client:
-            resp = await client.get(
-                f"{PLATFORM_URL}/workspaces/{src}/delegations",
-                headers=_auth_headers_for_heartbeat(src),
-            )
-            if resp.status_code != 200:
-                return f"Error: failed to check delegations ({resp.status_code})"
-            delegations = resp.json()
-            if task_id:
-                # Filter by delegation_id
-                matching = [d for d in delegations if d.get("delegation_id") == task_id]
-                if matching:
-                    # OFFSEC-003: sanitize peer-supplied fields
-                    d = matching[0]
-                    d["summary"] = sanitize_a2a_result(d.get("summary", ""))
-                    d["response_preview"] = sanitize_a2a_result(d.get("response_preview", ""))
-                    return json.dumps(d)
-                return json.dumps({"status": "not_found", "delegation_id": task_id})
-            # Return all recent delegations
-            summary = []
-            for d in delegations[:10]:
-                preview = d.get("response_preview", "")
-                if preview:
-                    preview = sanitize_a2a_result(preview)
-                summary.append({
-                    "delegation_id": d.get("delegation_id", ""),
-                    "target_id": d.get("target_id", ""),
-                    "status": d.get("status", ""),
-                    "summary": sanitize_a2a_result(d.get("summary", "")),
-                    "response_preview": preview,
-                })
-            return json.dumps({"delegations": summary, "count": len(delegations)})
-    except Exception as e:
-        return f"Error checking delegations: {e}"
@@ -1,187 +0,0 @@
-"""Identity tool handlers — single-concern slice of the a2a_tools surface.
-
-Owns the two MCP tools that close the T4-tier workspace owner-permission
-gaps reported via the canvas:
-
-  * ``tool_get_runtime_identity`` — env-only; returns model, model_provider,
-    molecule_model, anthropic_base_url, tier, workspace_id, runtime
-    (ADAPTER_MODULE). No HTTP call. Always permitted by RBAC — even
-    read-only agents may know what model they are.
-
-  * ``tool_update_agent_card`` — POSTs the card to ``/registry/update-card``
-    with the workspace's own bearer (same auth path as ``tool_commit_memory``
-    via ``a2a_tools_rbac.auth_headers_for_heartbeat``). The platform
-    replaces the stored card and broadcasts an ``agent_card_updated``
-    event so the canvas reflects the new card live. Gated on
-    ``memory.write`` capability via the existing RBAC permission map so
-    read-only roles can't silently rewrite the platform card.
-
-Both originated as a port of molecule-ai-workspace-runtime PR#17
-(``feat(mcp): add update_agent_card + get_runtime_identity tools``).
-The mirror-only PR#17 was closed without merge per
-``reference_runtime_repo_is_mirror_only``; the canonical edit point is
-this monorepo at ``workspace/`` and the wheel mirror is regenerated
-automatically by the publish-runtime workflow.
-
-Imports the auth-header primitive from ``a2a_tools_rbac`` (iter 4a) —
-NOT from ``a2a_tools`` — to avoid a circular import with the
-kitchen-sink re-export module.
-"""
-from __future__ import annotations
-
-import json
-import os
-from typing import Any
-
-import httpx
-
-from a2a_client import PLATFORM_URL
-from a2a_tools_rbac import (
-    auth_headers_for_heartbeat as _auth_headers_for_heartbeat,
-    check_memory_write_permission as _check_memory_write_permission,
-)
-
-
-def _runtime_identity_payload() -> dict[str, Any]:
-    """Build the identity dict — env-only, no I/O.
-
-    Factored out from ``tool_get_runtime_identity`` so tests can assert
-    against the exact key set without re-parsing JSON. The MCP tool
-    handler ``tool_get_runtime_identity`` is the only public caller in
-    production; tests call this helper directly.
-    """
-    return {
-        "model": os.environ.get("MODEL", ""),
-        "model_provider": os.environ.get("MODEL_PROVIDER", ""),
-        "molecule_model": os.environ.get("MOLECULE_MODEL", ""),
-        "anthropic_base_url": os.environ.get("ANTHROPIC_BASE_URL", ""),
-        "tier": os.environ.get("TIER", ""),
-        "workspace_id": os.environ.get("WORKSPACE_ID", ""),
-        # Adapter module is the closest thing the runtime has to a
-        # "template slug" — e.g. "adapter" for claude-code-default,
-        # "hermes" for hermes-template, etc. Picked from
-        # $ADAPTER_MODULE env baked by each template's Dockerfile.
-        "runtime": os.environ.get("ADAPTER_MODULE", ""),
-    }
-
-
-async def tool_get_runtime_identity() -> str:
-    """Return this runtime's identity — model, provider, tier, IDs.
-
-    Env-only; no HTTP call. Useful so the agent can answer "what model
-    am I?" correctly instead of guessing from a stale system prompt
-    that the operator may have changed between boots.
-
-    Returns the identity as a JSON-encoded string (the dispatch contract
-    every MCP tool in this module follows). Tests that want to assert
-    individual fields can call ``_runtime_identity_payload()`` directly,
-    or ``json.loads`` the return value.
-
-    Always permitted by RBAC — there is no sensitive information here
-    that isn't already available to the process via ``os.environ``.
-    The point of the tool is to surface those env values to the agent
-    layer in a stable, documented shape rather than expecting every
-    agent runtime to know to ``echo $MODEL``.
-    """
-    return json.dumps(_runtime_identity_payload(), indent=2)
-
-
-async def tool_update_agent_card(card: Any) -> str:
-    """Update this workspace's agent_card on the platform.
-
-    POSTs the provided card to ``/registry/update-card`` with the
-    workspace's own bearer token (same auth path as ``tool_commit_memory``
-    and ``tool_get_workspace_info``). The platform validates required
-    fields server-side, replaces the stored card, and broadcasts an
-    ``agent_card_updated`` event so the canvas updates live.
-
-    Args:
-        card: A JSON-serialisable object (typically a dict) holding the
-            new card. The platform validates required fields server-side.
-
-    Returns:
-        JSON-encoded string. Body:
-          - ``{"success": true, "status": "updated"}`` on success;
-          - ``{"success": false, "error": "<msg>", "status_code": <int>}``
-            on platform error;
-          - ``{"success": false, "error": "<reason>"}`` on local validation
-            (non-dict card, missing WORKSPACE_ID, network error).
-
-    Permission gate: this tool requires the ``memory.write`` RBAC
-    capability — same gate as ``tool_commit_memory``. The check runs
-    inline rather than at the dispatcher layer to keep ``a2a_mcp_server``
-    permission-agnostic (the gate sits with the implementation, not the
-    transport). Read-only roles get a clear error string back instead
-    of a 403 from the platform.
-
-    We re-check ``isinstance(card, dict)`` here defensively rather than
-    trust the MCP schema validator alone — the schema only constrains
-    the transport, not the in-process call surface used by tests and
-    sibling modules.
-    """
-    payload = await _update_agent_card_impl(card)
-    return json.dumps(payload, indent=2)
-
-
-async def _update_agent_card_impl(card: Any) -> dict[str, Any]:
-    """Dict-returning core of ``tool_update_agent_card``.
-
-    Split out so tests can assert against the raw dict shape (status
-    codes, error messages) without re-parsing JSON on every assertion.
-    The string-returning ``tool_update_agent_card`` is a thin wrapper
-    invoked by the MCP dispatcher.
-    """
-    # RBAC: require memory.write permission. Same gate as
-    # tool_commit_memory (the agent already needs this capability to
-    # persist anything outbound). Read-only roles can still call
-    # get_runtime_identity / get_workspace_info to introspect — those
-    # are env-only / read-only and have no inline gate.
-    if not _check_memory_write_permission():
-        return {
-            "success": False,
-            "error": (
-                "RBAC — this workspace does not have the 'memory.write' "
-                "permission required to update the agent_card."
-            ),
-        }
-    if not isinstance(card, dict):
-        return {
-            "success": False,
-            "error": "card must be a JSON object (dict)",
-        }
-    ws_id = os.environ.get("WORKSPACE_ID", "")
-    if not ws_id:
-        return {
-            "success": False,
-            "error": "WORKSPACE_ID env not set; cannot identify caller",
-        }
-    try:
-        async with httpx.AsyncClient(timeout=10.0) as client:
-            resp = await client.post(
-                f"{PLATFORM_URL}/registry/update-card",
-                json={"workspace_id": ws_id, "agent_card": card},
-                headers=_auth_headers_for_heartbeat(),
-            )
-            if resp.status_code == 200:
-                body: dict[str, Any] = {}
-                try:
-                    body = resp.json()
-                except Exception:
-                    pass
-                return {
-                    "success": True,
-                    "status": body.get("status", "updated"),
-                }
-            # Non-200 — surface what the platform returned.
-            error_msg = ""
-            try:
-                error_msg = resp.json().get("error", "") or resp.text
-            except Exception:
-                error_msg = resp.text
-            return {
-                "success": False,
-                "status_code": resp.status_code,
-                "error": error_msg,
-            }
-    except Exception as e:
-        return {"success": False, "error": f"network error: {e}"}
@@ -1,140 +0,0 @@
-"""Inbox tool handlers — single-concern slice of the a2a_tools surface.
-
-Standalone-runtime path for inbound-message delivery (push-mode runtimes
-get messages via the channel-tag synthesis in a2a_mcp_server). The
-``InboxState`` singleton is set by ``mcp_cli`` before the MCP server
-starts; in-container runtimes never call ``inbox.activate(...)`` so
-``inbox.get_state()`` returns None and these tools surface an
-informational error instead of raising.
-
-When-to-use guidance for agents (mirrored in
-``platform_tools/registry.py``):
-  - ``wait_for_message``: block until a new inbound message arrives, then
-    decide what to do with it; forms the loop ``wait → respond → wait``.
-  - ``inbox_peek``: inspect the queue non-destructively.
-  - ``inbox_pop``: remove a handled message by activity_id.
-
-Extracted from ``a2a_tools.py`` in RFC #2873 iter 4e so the kitchen-sink
-module shrinks to a back-compat shim. The extraction also makes the
-``_enrich_inbound_for_agent`` helper unit-testable in isolation —
-previously it was buried in ``a2a_tools`` and only exercised through
-the inbox wrappers, leaving its peer-id-empty / cache-miss / registry-
-unavailable branches under-covered.
-"""
-from __future__ import annotations
-
-import asyncio
-import json
-
-
-# Surfaced when the inbox subsystem is not initialised. Returned by the
-# three inbox tool wrappers below so the agent gets a clear "this
-# runtime delivers via push" message instead of a NameError.
-_INBOX_NOT_ENABLED_MSG = (
-    "Error: inbox polling is not enabled in this runtime. The standalone "
-    "molecule-mcp wrapper activates it; in-container runtimes receive "
-    "messages via push delivery and do not need these tools."
-)
-
-
-def _enrich_inbound_for_agent(d: dict) -> dict:
-    """Add peer_name / peer_role / agent_card_url to a poll-path message.
-
-    The PUSH path (a2a_mcp_server._build_channel_notification) already
-    enriches the meta dict with these fields, so a Claude Code host
-    with channel-push sees them. The POLL path goes through
-    InboxMessage.to_dict, which is intentionally identity-free (the
-    storage layer doesn't know about the registry cache). Without this
-    helper, every non-Claude-Code MCP client that uses inbox_peek /
-    wait_for_message gets a plain message and the receiving agent
-    can't tell who's writing — breaking the contract documented in
-    a2a_mcp_server.py:303-345 ("In both paths the same fields apply").
-
-    Cache-first non-blocking enrichment (same shape as push): on cache
-    miss the helper returns the bare message; the next call within the
-    5-min TTL hits the warm cache. Failure to enrich is non-fatal —
-    the agent still gets text + peer_id + kind + activity_id, just
-    without the friendly identity.
-    """
-    peer_id = d.get("peer_id") or ""
-    if not peer_id:
-        # canvas_user — no peer to enrich; helper returns the plain
-        # message unchanged so the canvas reply path still works.
-        return d
-    try:
-        from a2a_client import (  # local import — avoid module-load cycle
-            _agent_card_url_for,
-            enrich_peer_metadata_nonblocking,
-        )
-    except Exception:  # noqa: BLE001
-        # If a2a_client is unavailable (test harness, partial install),
-        # degrade gracefully — agent still gets the bare envelope.
-        return d
-    record = enrich_peer_metadata_nonblocking(peer_id)
-    if record is not None:
-        if name := record.get("name"):
-            d["peer_name"] = name
-        if role := record.get("role"):
-            d["peer_role"] = role
-    # agent_card_url is constructable from peer_id alone — surface it
-    # even when registry enrichment misses, so the receiving agent has
-    # a single endpoint to hit for the peer's full capability list.
-    d["agent_card_url"] = _agent_card_url_for(peer_id)
-    return d
-
-
-async def tool_inbox_peek(limit: int = 10) -> str:
-    """Return up to ``limit`` pending inbound messages without removing them."""
-    import inbox  # local import — avoids a circular dep at module load
-
-    state = inbox.get_state()
-    if state is None:
-        return _INBOX_NOT_ENABLED_MSG
-    messages = state.peek(limit=limit if isinstance(limit, int) else 10)
-    return json.dumps([_enrich_inbound_for_agent(m.to_dict()) for m in messages])
-
-
-async def tool_inbox_pop(activity_id: str) -> str:
-    """Remove a message from the inbox queue by activity_id."""
-    import inbox
-
-    state = inbox.get_state()
-    if state is None:
-        return _INBOX_NOT_ENABLED_MSG
-    if not isinstance(activity_id, str) or not activity_id:
-        return "Error: activity_id is required."
-    removed = state.pop(activity_id)
-    if removed is None:
-        return json.dumps({"removed": False, "activity_id": activity_id})
-    return json.dumps({"removed": True, "activity_id": activity_id})
-
-
-async def tool_wait_for_message(timeout_secs: float = 60.0) -> str:
-    """Block until a new message arrives or ``timeout_secs`` elapses.
-
-    Returns the head message non-destructively; the agent decides
-    whether to ``inbox_pop`` it after acting.
-    """
-    import inbox
-
-    state = inbox.get_state()
-    if state is None:
-        return _INBOX_NOT_ENABLED_MSG
-
-    try:
-        timeout = float(timeout_secs)
-    except (TypeError, ValueError):
-        timeout = 60.0
-    # Cap at 300s — Claude Code's default tool timeout is ~10min, and
-    # blocking longer than 5min wastes the prompt cache window for
-    # nothing useful. Operators who want longer can call repeatedly.
-    timeout = max(0.0, min(timeout, 300.0))
-
-    # The threading.Event-based wait would block the asyncio loop.
-    # Run it on the default executor so the MCP server can keep
-    # processing other JSON-RPC requests while we sleep.
-    loop = asyncio.get_running_loop()
-    message = await loop.run_in_executor(None, state.wait, timeout)
-    if message is None:
-        return json.dumps({"timeout": True, "timeout_secs": timeout})
-    return json.dumps(_enrich_inbound_for_agent(message.to_dict()))
@@ -1,141 +0,0 @@
-"""Memory tool handlers — single-concern slice of the a2a_tools surface.
-
-Extracted from ``a2a_tools.py`` (RFC #2873 iter 4c). Owns the two
-agent-memory MCP tools:
-
-  * ``tool_commit_memory`` — write to the workspace's persistent memory.
-  * ``tool_recall_memory`` — search the workspace's persistent memory.
-
-Both go through the platform's ``/workspaces/:id/memories`` endpoint;
-the platform is the source of truth for namespace isolation + audit
-trail. Local responsibility here is RBAC enforcement BEFORE hitting
-the network so a denied operation surfaces a clear in-band error
-instead of an opaque platform 403.
-
-Imports the RBAC primitives from ``a2a_tools_rbac`` (iter 4a).
-"""
-from __future__ import annotations
-
-import json
-
-import httpx
-
-from a2a_client import PLATFORM_URL, WORKSPACE_ID
-from a2a_tools_rbac import (
-    auth_headers_for_heartbeat as _auth_headers_for_heartbeat,
-    check_memory_read_permission as _check_memory_read_permission,
-    check_memory_write_permission as _check_memory_write_permission,
-    is_root_workspace as _is_root_workspace,
-)
-from builtin_tools.security import _redact_secrets
-
-
-async def tool_commit_memory(
-    content: str,
-    scope: str = "LOCAL",
-    source_workspace_id: str | None = None,
-) -> str:
-    """Save important information to persistent memory.
-
-    GLOBAL scope is writable only by root workspaces (tier == 0).
-    RBAC memory.write permission is required for all scope levels.
-    The source workspace_id is embedded in every record so the platform
-    can enforce cross-workspace isolation and audit trail.
-
-    ``source_workspace_id`` selects which registered workspace this
-    memory belongs to when the agent is registered into multiple
-    workspaces (PR-1 / multi-workspace mode). When unset, falls back
-    to the module-level WORKSPACE_ID — single-workspace operators see
-    no behaviour change.
-    """
-    if not content:
-        return "Error: content is required"
-    content = _redact_secrets(content)
-    scope = scope.upper()
-    if scope not in ("LOCAL", "TEAM", "GLOBAL"):
-        scope = "LOCAL"
-
-    # RBAC: require memory.write permission (mirrors builtin_tools/memory.py)
-    if not _check_memory_write_permission():
-        return (
-            "Error: RBAC — this workspace does not have the 'memory.write' "
-            "permission for this operation."
-        )
-
-    # Scope enforcement: only root workspaces (tier 0) can write GLOBAL memory.
-    # This prevents tenant workspaces from poisoning org-wide memory (GH#1610).
-    if scope == "GLOBAL" and not _is_root_workspace():
-        return (
-            "Error: RBAC — only root workspaces (tier 0) can write to GLOBAL scope. "
-            "Non-root workspaces may use LOCAL or TEAM scope."
-        )
-
-    src = source_workspace_id or WORKSPACE_ID
-    try:
-        async with httpx.AsyncClient(timeout=10.0) as client:
-            resp = await client.post(
-                f"{PLATFORM_URL}/workspaces/{src}/memories",
-                json={
-                    "content": content,
-                    "scope": scope,
-                    # Embed source workspace so the platform can namespace-isolate
-                    # and audit cross-workspace writes (GH#1610 fix).
-                    "workspace_id": src,
-                },
-                headers=_auth_headers_for_heartbeat(src),
-            )
-            data = resp.json()
-            if resp.status_code in (200, 201):
-                return json.dumps({"success": True, "id": data.get("id"), "scope": scope})
-            return f"Error: {data.get('error', resp.text)}"
-    except Exception as e:
-        return f"Error saving memory: {e}"
-
-
-async def tool_recall_memory(
-    query: str = "",
-    scope: str = "",
-    source_workspace_id: str | None = None,
-) -> str:
-    """Search persistent memory for previously saved information.
-
-    RBAC memory.read permission is required (mirrors builtin_tools/memory.py).
-    The workspace_id is sent as a query parameter so the platform can
-    cross-validate it against the auth token and defend against any future
-    path traversal / cross-tenant read bugs in the platform itself.
-
-    ``source_workspace_id`` selects which registered workspace's memories
-    to search when the agent is registered into multiple workspaces.
-    Unset → defaults to the module-level WORKSPACE_ID.
-    """
-    # RBAC: require memory.read permission (mirrors builtin_tools/memory.py)
-    if not _check_memory_read_permission():
-        return (
-            "Error: RBAC — this workspace does not have the 'memory.read' "
-            "permission for this operation."
-        )
-
-    src = source_workspace_id or WORKSPACE_ID
-    params: dict[str, str] = {"workspace_id": src}
-    if query:
-        params["q"] = query
-    if scope:
-        params["scope"] = scope.upper()
-    try:
-        async with httpx.AsyncClient(timeout=10.0) as client:
-            resp = await client.get(
-                f"{PLATFORM_URL}/workspaces/{src}/memories",
-                params=params,
-                headers=_auth_headers_for_heartbeat(src),
-            )
-            data = resp.json()
-            if isinstance(data, list):
-                if not data:
-                    return "No memories found."
-                lines = []
-                for m in data:
-                    lines.append(f"[{m.get('scope', '?')}] {m.get('content', '')}")
-                return "\n".join(lines)
-            return json.dumps(data)
-    except Exception as e:
-        return f"Error recalling memory: {e}"
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				`# trigger autobump for python-multipart pin (PDF P0 cure)`